VPN-1 Virtual Edition Admin Guide

Date post: 08-Apr-2018
8/7/2019 VPN-1 Virtual Edition Admin Guide

Introduction

VPN-1 VE Administration Guide 2

In This Section

VPN-1 VE Overview page 2
Virtualization Overview page 2
Example of VPN-1 VE Deployment page 3
Key Benefits page 3
ESX Server Security Considerations page 4
VPN-1 VE System Requirements page 4
Licensing Information page 5
Related Documentation page 6

VPN-1 VE Overview

VPN-1 NGX R65 VE (Virtual Edition) is a security and VPN solution designed to harness the power of network virtualization. VPN-1 VE provides the same security protections and VPN features as physical VPN-1 gateways. It securely connects gateways and SmartCenters running on virtual machines to shared resources, such as the Internet and DMZs, and allows them to interact safely with each other and with the outside world. All VPN-1 security features, such as SmartDefense, Web Intelligence, Application Intelligence, Anti-virus and Anti-spam, are available on VPN-1 VE.

This guide provides the conceptual framework for VPN-1 VE. It also provides detailed instructions for importing and configuring Check Point VPN-1 products on virtual machines by using VPN-1 VE or by manually installing VPN-1 NGX R65 for VMware.

This guide assumes that the reader has a thorough understanding of VMware ESX Server 3.x concepts, procedures and terminology, and is familiar with Check Point VPN-1 concepts and procedures.

As used in this document, the term VPN-1 applies to VPN-1 Power, VPN-1 UTM, and VPN-1 UTM Power.

Virtualization Overview

Virtualization of hardware resources represents the cutting edge of today's computing technology, providing cost-effective, scalable solutions for dynamic network environments. Virtualization allows you to create multiple virtual computers on a single hardware platform. With VPN-1 VE, Check Point brings its state-of-the-art security solutions to the virtualized world.

VMware ESX Server 3.x virtualizes hardware resources including CPU, RAM, hard disks, network adapters, and the operating system. This technology allows you to create functional virtual machines that host organization resources such as Web servers, email servers, databases, and so on. Using VMware ESX Server 3.x, you can define virtual networks comprised of virtual machines, virtual switches, and interfaces that provide the functionality of their physical network counterparts.

VPN-1 VE supplies the comprehensive protection required to secure your virtual networks. VPN-1 NGX R65 VE, VPN-1 NGX R65 for VMware machines, and physical gateways can all be managed by the same unified central management, enabling a consistent, enforceable security policy across all physical and virtual networks.


How Do I Get Started?

VPN-1 VE enables you to easily deploy VPN-1 as a virtual machine that is already configured and optimized for a VMware ESX environment. A virtual machine created using VPN-1 VE runs on Check Point's SecurePlatform and includes the following components: 1 CPU, 512 MB of allocated memory, 12 GB of disk capacity that can be extended, and four virtual network interfaces.

To use VPN-1 VE, you import a file to the ESX server and add it to your virtual machine inventory. Once you log in to the VPN-1 VE machine, the configuration wizard guides you through the initial configuration.

Example of VPN-1 VE Deployment

Figure 1 illustrates a VPN-1 environment on a VMware ESX host.

Figure 1 Example of a VPN-1 VE Deployment

In this simple example, a standalone VPN-1 gateway and SmartCenter server combination protects three virtual switches leading to networks containing several different types of servers. All traffic that flows between the virtual networks, for example between the Web Servers Network and the Database Server, or from a host on the external LAN to the Email Server, is inspected by the VPN-1 VE machine.

Administrators manage network security using SmartDashboard from any client that has connectivity with the SmartCenter server. Virtual machines and all other VMware objects are managed using the Virtual Infrastructure Client.

VPN-1 VE protects the virtual machines in the ESX server, but it does not protect the VMkernel.

Key Benefits

VPN-1 VE allows you to use Check Point security solutions on an ESX Server to implement virtual network security and to deploy application servers on virtual machines. VPN-1 VE offers the following advantages:

- Adds a security layer that protects resources residing on virtual machines from external threats and from threats originating on other virtual machines.


- Provides unified management: VPN-1 VE gateways and physical VPN-1 gateways can be managed by the same SmartCenter, so security policies can be consistently enforced on every part of the network, physical and virtual.
- Provides a scalable solution for growing enterprises by protecting additional virtual network resources without the need for additional hardware investment, maintenance, energy, and site costs.
- Simplifies configuration by eliminating the need to provision additional virtual and physical switches in order to protect virtual resources.
- Simplifies disaster recovery scenarios.
- Lowers total cost of ownership.
- Certified by VMware for optimal use with ESXi and ESX Servers.
- Machines are pre-configured and ready to use in just a few steps.

ESX Server Security Considerations

VPN-1 VE machines protect packets and networks; they do not protect the ESX Server itself from possible VMkernel vulnerabilities. VMotion and VMkernel traffic cannot be inspected by VPN-1 VE, and it is recommended to use secured networks for this traffic.

We recommend that you refer to the VMware Best Practices - Security Hardening document for additional suggestions for securing your ESX Server platform.

VPN-1 VE System Requirements

This section presents the minimum hardware, operating system, and software requirements for using VPN-1 VE.

Supported Check Point Products

VPN-1 VE currently supports the following Check Point products:

VPN-1 Power NGX R65
VPN-1 Power security gateways provide an active defense that enables you to secure your most demanding sites, such as core networks or data centers.

VPN-1 UTM NGX R65
VPN-1 UTM consolidates proven security functions including firewall, intrusion prevention, antivirus, antispyware, Web application firewall, and both IPSec and SSL VPN, within a single integrated solution.

VPN-1 UTM Power NGX R65
VPN-1 UTM Power security gateways provide the accelerated security found in VPN-1 Power combined with the simplicity of the next-generation UTM features found in VPN-1 UTM.

SmartCenter NGX R65
SmartCenter solutions enable organizations to perform all aspects of security management via a single, unified console.

ClusterXL NGX R65
ClusterXL provides high availability and load sharing to keep businesses running.


Users of VPN-1 products prior to version NGX R65 must upgrade their products and licenses to R65 before using VPN-1 VE. Please refer to the NGX R65 Upgrade Guide for detailed instructions on upgrading Check Point products to version NGX R65. For more information see http://support.checkpoint.com.

Supported Hotfix Accumulators (HFAs)

VPN-1 VE is compatible with regular VPN-1 Hotfix Accumulators (HFAs) starting from HFA 30. HFAs can be found on the Check Point Support Website, http://support.checkpoint.com.

Supported VMware Products

VPN-1 VE supports the following VMware ESX Server versions: 3.0.2, 3.0.3, 3.5, or ESXi 3.5. Please refer to http://support.checkpoint.com for updates on supported VMware products and versions.

Hardware Requirements

Virtual Machine Requirements for VPN-1 VE

Virtual machines created for use as VPN-1 gateways or SmartCenter servers must meet the following minimum resource requirements:

Allocated Memory: 512 MB
Disk Space: 12 GB

VMware Hardware Requirements

For the latest hardware requirements for your version of VMware ESX Server and other VMware products, refer to the VMware ESX Server Installation and Upgrade Guide.

For information regarding compatible I/O devices, please refer to the I/O Compatibility Guide for ESX Server 3.x at http://www.vmware.com/pdf/vi3_io_guide.pdf

Licensing Information

Each VPN-1 gateway product and SmartCenter server installed on a virtual machine requires a license, in the same manner as a physical product. Each VPN-1 VE gateway requires a VPN-1 VE license. SmartCenters require a standard VPN-1 SmartCenter license. Licenses are associated with the IP address of the gateway or SmartCenter server. Check Point add-on licenses, such as SmartDefense Services, are equally applicable to products installed on virtual machines.


Related Documentation

We recommend that you refer to the Check Point documentation packages referenced in the table below, in addition to this document. All documents can be found at http://support.checkpoint.com.

Title | Description
Internet Security Product Suite Getting Started Guide | Contains an overview of NGX R65 together with step-by-step product installation procedures. This document also provides information regarding what's new in the current release, licensing, minimum hardware and software requirements, etc.
Upgrade Guide | Explains the available upgrade paths to NGX R65 for Check Point products from VPN-1/FireWall-1 version NG and higher.
Firewall & SmartDefense Administration Guide | Describes how to manage network access; establish network connectivity; use SmartDefense to protect against network and application level threats; use Web Intelligence to protect Web servers and applications; use Content Vectoring Protocol (CVP) applications for anti-virus protection; use URL Filtering (UF) applications for restricting access to web sites; and secure VoIP traffic.
SmartCenter Administration Guide | Describes Check Point SmartCenter Management applications, which provide solutions for configuring, managing, and monitoring network security deployments.
ClusterXL Administration Guide | Describes the ClusterXL clustering solution, including concepts and configuration procedures.
SecurePlatform Administration Guide | Explains how to install and configure SecurePlatform. This guide also explains how to manage SecurePlatform and explains the Dynamic Routing (Unicast and Multicast) protocols.
Virtual Private Networks Administration Guide | Describes the major components of a VPN environment and presents procedures for securing and configuring the environment using VPN-1.

We recommend that you familiarize yourself with the following VMware documentation before using this product:

Title | Description
Introduction to VMware Infrastructure | Provides a detailed, conceptual overview of the ESX Server product, including its architecture, features, and functionality.
Installation and Upgrade Guide | Describes the VMware ESX Server 3.x system and licensing requirements, and provides detailed instructions for installing and upgrading the product.
Quick Start Guide | Serves as a quick reference to product installation, virtual machine provisioning and management, and the GUI.
Basic System Administration | Detailed documentation for using VMware ESX Server 3.x. This is the primary reference guide for system administrators and users.
Server Configuration Guide | Describes the tasks you need to configure ESX Server host networking, storage, and security. In addition, it provides overviews, recommendations, and conceptual discussions to help you understand these tasks and how to deploy an ESX Server host to meet your needs.


Deploying VPN-1 VE Machines

In This Section

Introduction page 7
VMware Terminology page 7
Deployment Planning page 8
Importing and Configuring VPN-1 VE page 9

Introduction

This section provides instructions for importing and configuring VPN-1 VE machines. VMware terminology is also included for easy reference, as well as information on planning your VPN-1 VE deployment.

The instructions assume that you are familiar with VMware ESX Server 3.x and that the appropriate VMware software is installed. This document does not attempt to serve as a general VMware tutorial. For further information regarding VMware ESX Server 3.x procedures and features, refer to the VMware ESX Server Getting Started and Basic System Administration guides.

VMware Terminology

This section presents a glossary of VMware terms used in this guide or that you are likely to encounter in the VMware documentation referenced in this document.

Term | Description
Virtual Machine (VM) | Software-based abstraction of a physical computer, including CPUs, memory, disk storage, network interfaces, ports, guest operating system, and application software. In a VPN-1 VE environment, a virtual machine provides the functionality of a VPN-1 gateway or SmartCenter server.
Virtual Switch (vSwitch) | A virtual switch works similarly to a physical Ethernet switch. It detects which virtual machines are logically connected to each of its virtual ports and uses that information to forward traffic to the correct virtual machines. A vSwitch can be connected to physical switches using physical network adapters to join virtual networks with physical networks.
Virtual Interface (vNIC) | Software-based abstraction of a physical interface that provides network connectivity for virtual machines.
Port Group | A port group specifies port configuration options such as bandwidth limitations and VLAN tagging policies for each port. Network services connect to vSwitches through port groups. Port groups define how a connection is made through the vSwitch to the network.
Virtual Network | A network of virtual machines running on a single physical machine that are connected logically to each other so that they can send and receive data from each other. Virtual networks do not depend on physical network interfaces.
Guest Operating System | Operating system installed on a virtual machine.
Host | Physical machine using VMware to host one or more virtual machines and other virtual objects. The host provides the physical resources shared by virtual machines, such as CPUs, memory, disk storage access, network interfaces, etc.
Datacenter | Collection of hosts and their associated virtual machines and Datastores.
Datastore | Host-independent storage location for virtual machine files in ESX Server systems, typically a system volume located on a physical disk, RAID, SAN, or network file system.
Virtual Center Server | Manages multiple hosts together with their associated virtual machines and objects from a single GUI client. This is the central point for provisioning and configuring all of your virtual machines, virtual networks and their associated objects.
VMware Infrastructure Client (VI Client) | GUI client used to manage virtual machines and associated objects. It manages virtual machines much in the same way that SmartDashboard manages VPN-1 gateways.

Deployment Planning

This section describes issues to consider when planning your VPN-1 VE deployment.

Management Deployment and Interfaces

VPN-1 VE can be installed using one of the following deployment strategies:

- Standalone Deployment: A SmartCenter server and one VPN-1 gateway are installed on the same virtual machine. Up to four interfaces are available for connections to virtual switches.
- Distributed Deployment with a Dedicated Management Interface: The SmartCenter server and VPN-1 gateways are installed on separate virtual machines. One interface on each VPN-1 gateway must be used exclusively for communication with the SmartCenter server. When using this option, you can protect up to three virtual switches.
- Distributed Deployment without a Dedicated Management Interface: The SmartCenter server and VPN-1 gateways are installed on separate virtual machines. Management traffic between these gateways and SmartCenters travels via an interface used for external connections. When using this option, you can protect up to four virtual switches.

To learn about deploying ClusterXL clusters on VMware, see Deploying ClusterXL on VMware on page 21.

To learn about protecting more than four virtual switches, see Advanced Deployment: Protecting More Than 3 Virtual Networks on page 27.

Network Adapters and Interfaces

For general reference, the table below shows which interfaces in SecurePlatform generally correspond to which Ethernet adapters in the Virtual Infrastructure Client. If the administrator alters the interfaces in SecurePlatform, this correspondence may change.

Table 1 Interface to Network Adapter Correspondence

Interface in SecurePlatform | Network Adapter in Virtual Infrastructure Client
eth0 | Network Adapter 1
eth1 | Network Adapter 2
eth2 | Network Adapter 3
eth3 | Network Adapter 4


Importing and Configuring VPN-1 VE

VPN-1 VE enables you to easily deploy VPN-1 as a virtual machine that is already configured and optimized for a VMware ESX environment. A virtual machine created using VPN-1 VE runs on Check Point's SecurePlatform and includes the following components: 1 CPU, 512 MB of allocated memory, 12 GB of disk capacity that can be extended, and four virtual network interfaces. To use VPN-1 VE, you import it to the ESX Server and add it to your virtual machine inventory. Repeat this process for each new machine you want to create.

Importing the VPN-1 VE OVF

If you are running a VMware ESXi 3.5 or ESX 3.5 Server, or using Virtual Center 2.5, import the VPN-1 VE using the VPN-1_R65_VE_OVF.tgz file, as described below.

To import the VPN-1 VE machine to the ESX Server from the VPN-1_R65_VE_OVF.tgz file and create a new machine:

1. Download the VPN-1_R65_VE_OVF.tgz file from the VMware Virtual Appliance Marketplace to the machine where the VMware Virtual Infrastructure Client is installed.
2. Extract the VPN-1_R65_VE_OVF.tgz file to a new folder using tar (tar -zxvf VPN-1_R65_VE_OVF.tgz) or any other decompression utility.
3. Open the VMware Virtual Infrastructure Client.
4. Connect to the ESX Server where you want to deploy the VPN-1 VE machine.
5. In the Getting Started tab, under Basic Tasks, choose Import a Virtual Appliance.
6. Select Import from file, and choose the .ovf file from the folder where you extracted the .tgz file. Click Next.
7. View the Virtual Appliance Details. Click Next.
8. Type a name for the VPN-1 VE machine. Click Next.
9. Select the datastore on the ESX Server where the VPN-1 VE machine files will be stored. Click Next.
10. In Network Mapping, select the proper network port groups according to your topology. Click Next.
11. Click Finish to complete the Virtual Machine Wizard. It may take a few minutes for the new machine to appear in the inventory.
12. Select the machine from the inventory and power it on.


For optimal performance of your VPN-1 VE machine, we recommend reserving an additional 512 MB of memory. See Enhancing Performance by Reserving Memory on page 23.

Importing the VPN-1 VE to Earlier ESX Servers

If you are running a VMware ESX 3.0.x Server or using Virtual Center 2.0, import the VPN-1 VE machine using the VPN-1_R65_VE.tgz file.

To import the VPN-1 VE machine to the ESX Server from the VPN-1_R65_VE.tgz file and create a new machine:

1. Connect to the ESX Server using SSH. For more information see How can I Connect to the ESX Server Using SSH? on page 33.
2. Within the ESX Server, create a folder under /vmfs/volumes///, where both path components are folders that the administrator chooses.
3. Download the VPN-1_R65_VE.tgz file from the VMware Virtual Appliance Marketplace to the ESX Server on which the virtual machines are housed.
4. Extract the .tgz file to the new folder using tar (tar -zxvf VPN-1_R65_VE.tgz).
5. Open the VMware Virtual Infrastructure Client and connect to the ESX Server or Virtual Center.
6. Select the desired ESX Server.
7. Click the Summary tab. Within the Resources pane, under Datastore, double-click the desired datastore and browse to the location where you extracted the VPN-1_R65_VE.tgz file.


8. Right-click the .vmx file and select Add to Inventory.
9. In the Add to Inventory Wizard, type a name for the new virtual machine. Click Next.
10. Select a Resource Pool in which to run the virtual machine. Selecting a Resource Pool lets you determine which resources the virtual machine uses. Click Next.
11. Click Finish to complete the Virtual Machine Wizard. It may take a few minutes for the new machine to appear in the inventory.
12. Select the machine from the inventory and power it on.
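As an added example, not Check Point's or VMware's own tooling, the following POSIX shell helper performs steps 2 and 4 of the procedure above on the ESX service console (create the folder under /vmfs/volumes, extract VPN-1_R65_VE.tgz into it) and then prints the path of the .vmx file that step 8 adds to the inventory. The destination path and the optional expected SHA-256 value are supplied by the caller; the guide names neither, and the checksum comparison and the archive-path check are defensive additions this guide does not mention.

```shell
#!/bin/sh
# Added example for this page (not Check Point or VMware tooling): unpack the
# VPN-1_R65_VE.tgz archive into a datastore folder and report the .vmx file.
# Assumes a POSIX sh with tar, find, grep and sha256sum. The destination folder
# under /vmfs/volumes and the expected checksum are the caller's choice.
#
# Usage: deploy_ve_tgz /path/to/VPN-1_R65_VE.tgz /vmfs/volumes/<datastore>/<folder> [sha256]
deploy_ve_tgz() {
    tgz=$1
    dest=$2
    expected=${3:-}

    [ -f "$tgz" ] || { echo "archive not found: $tgz" >&2; return 1; }

    # Optional integrity check before anything is unpacked on the host.
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$tgz" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "checksum mismatch for $tgz" >&2; return 2; }
    fi

    # Refuse archives whose members would land outside the destination folder.
    if tar -tzf "$tgz" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive contains absolute or parent-directory paths; refusing" >&2
        return 3
    fi

    mkdir -p "$dest" || return 1
    tar -zxf "$tgz" -C "$dest" || return 1

    # One .vmx file is expected; its path is what the Add to Inventory step needs.
    vmx=$(find "$dest" -name '*.vmx' | head -n 1)
    [ -n "$vmx" ] || { echo "no .vmx file found under $dest" >&2; return 4; }
    echo "$vmx"
}

# Example invocation (both paths are placeholders chosen by the administrator):
#   deploy_ve_tgz /root/VPN-1_R65_VE.tgz /vmfs/volumes/datastore1/vpn1-ve
```

The function returns a distinct non-zero code for each failure (missing archive, checksum mismatch, unsafe member paths, no .vmx found), so it can be used from a larger provisioning script without parsing its messages.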

Configuring VPN-1 Gateways and SmartCenters

This section describes how to configure VPN-1 gateways and SmartCenters on VPN-1 VE machines through the SecurePlatform command line. The procedures in this section are excerpted from the NGX R65 Getting Started Guide. For a complete presentation of NGX R65 installation and configuration procedures, refer to the NGX R65 Internet Security Product Suite Getting Started Guide and the Firewall and SmartDefense Administration Guide, found at http://support.checkpoint.com. If there is a conflict between this document and those guides, follow the instructions in the guides.

Repeat the following processes on each virtual machine you want to configure.

Configuring Network and General Settings

To perform initial configuration of network and general settings:

1. In the Console tab, log in to the machine using admin as the username and adminadmin as the password.
2. When prompted, change the default user name and password. Ensure that the new password contains more than six characters and has a combination of upper and lower case letters and numbers.
3. To enter the configuration wizard, run:

   cpconfig


   The configuration window opens and displays a welcome message.

4. Press n to continue.
5. Press the number corresponding to your keyboard type and then press n, or just press n to keep the default US keyboard.
6. Press the number corresponding to the Ethernet connection that you want to set as your management connection. When prompted, type the IP address attached to the Ethernet connection, its subnet mask, and its broadcast address.
7. In the Network Configuration menu, use the menu options to configure the following:
   - The host name
   - The domain name and at least one DNS server (if required)
   - The network interface IP addresses


   - The default gateway (if required)
8. In the time and date configuration menu, use the menu options to configure the following:
   - Time zone
   - Date
   - Local time
   - Show date and time settings
10. Press n to continue. The Import Check Point Products Configuration screen appears.

Continue to follow the Check Point wizard to install Check Point products on the virtual machine. See the NGX R65 Internet Security Product Suite Getting Started Guide and the Firewall and SmartDefense Administration Guide for more information.


Known Limitations

Please refer to the current edition of the NGX R65 Release Notes, found at http://support.checkpoint.com, for a complete list of known limitations for this major release. The limitations listed below apply specifically to VPN-1 VE and are in addition to the VPN-1 NGX R65 release limitations.

1. The cloning and template features are supported for VPN-1 virtual machines (gateways and SmartCenter) only under the following conditions:
   a. The virtual machine must be a new VPN-1 VE machine or SecurePlatform installation (immediately following the first reboot).
   b. No Check Point products, such as SmartCenter or VPN-1, have been configured yet.
   c. No configuration steps (sysconfig, cpconfig, etc.) have been performed.
2. Interface bonding on the virtual machine running the VPN-1 VE is not supported with ClusterXL.
3. VMtools is not supported.
4. VPN-1 gateways in Bridge Mode must have their internal and external interfaces connected to port groups that are configured in promiscuous mode.
5. VPN-1 gateways in Bridge Mode are not supported with ClusterXL.
6. The Performance Pack Heavy Load Quality of Service (HLQoS) feature is not supported.
7. The Monitor Interface Link State feature is not supported on VPN-1 ClusterXL cluster members on virtual machines.
8. Virtual machines may be connected to a maximum of four different virtual switches. This may limit the number of virtual networks protected by a VPN-1 VE machine. This limitation can be overcome using VLANs. See Advanced Deployment: Protecting More Than 3 Virtual Networks on page 27.
9. VPN-1 VE supports MTU changes only with pcnet32 network devices.
10. The ethtool utility does not recognize speed or duplex changes made to the virtual network adapters.
11. NGX R65 HFA 01 and 02 are not supported. NGX R65 HFAs beginning with HFA 30 are supported.
12. VPN-1 VE does not protect the VMkernel.


Deployment Scenarios

In This Section

Overview page 15
VPN-1 and SmartCenter Standalone Deployment page 16
VPN-1 Deployment using the Bridge Mode page 17
ClusterXL Deployment on a Single ESX Host page 18
ClusterXL Deployment Using Two ESX Hosts page 19

Overview

This section presents several sample deployments that illustrate the integration of VPN-1 NGX R65 solutions into virtual network deployments. While these examples are shown in simple, small-scale environments, the concepts are applicable to larger, more complex deployments. Each scenario includes a brief conceptual description, an illustrative diagram, notes and configuration requirements, as appropriate.

These scenarios are intended to present conceptual examples of how VPN-1 VE may be deployed on VMware ESX. They do not purport to provide solutions for specific applications or environments. There are many different ways to use these concepts to tailor network virtualization to your specific needs, only a few of which are suggested by these scenarios.


VPN-1 and SmartCenter Standalone Deployment

Figure 2 illustrates a small Web business, all on a single platform running VMware ESX Server. This deployment is comprised of a standalone VPN gateway and SmartCenter on a single virtual machine. The gateway inspects and protects all traffic passing between three virtual switches leading to Web servers, SQL databases, and an email server, against external threats as well as threats originating from other virtual machines.

Figure 2 Standalone SmartCenter Deployment

Notes for this Scenario

- The Web servers, database servers, email server and Gateway/SmartCenter standalone deployment are defined as virtual machines on a single ESX host platform.
- Each virtual interface connects to a virtual switch configured for a separate subnet.
- The external virtual interface connects, via a virtual switch, to a physical interface on the ESX host leading to a physical switch on the same subnet. A physical LAN connects to this switch.
- Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN.

Special Configuration Requirements

The default gateway for each server virtual machine must be defined as the IP address assigned to the VPN-1 gateway virtual interface leading to that particular server. For example, in the preceding diagram, the Web server default gateways must be defined as 172.23.5.1.


    VPN-1 Deployment using the Bridge Mode

    Figure 3 demonstrates the use of VPN-1 gateways in the bridge mode. In this example, four VPN-1

    gateway virtual machines protect individual security zones representing different departments for a

    software development firm.

    Each VPN-1 gateway virtual machine protects one or more network segments using a single virtual

    interface connected to a port on a single virtual switch. The virtual switch must be connected to aport group that is configured to accept the promiscuous mode. The SmartCenter server resides on

    a separate virtual machine and communicates with gateways via dedicated management interfaces.

    The advantage of using the virtual machines in bridge mode is that you can provision additional

    gateways without affecting the existing IP topology. In this scenario, the entire virtual network must

    reside on a single subnet.

    Figure 3 VPN-1 Deployment Using Bridge Mode

    Notes to This Scenario

    Each department network segment occupies one virtual machine interface.

    All protected networks must reside on the same subnet, in this example 172.23.0.0/16. For a
    mid-sized deployment this should not result in a lack of available IP addresses.

    Using a separate virtual machine for the SmartCenter server avoids bandwidth degradation

    issues while installing policies.

    Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN.

    Special Configuration Requirements

    You must connect all internal and external interfaces for a virtual machine containing a VPN-1 VE

    gateway in the bridge mode to a port group configured to accept the promiscuous mode. The

    management interface may not be connected to a port group configured to accept the promiscuous

    mode.

    Warning - Never configure all port groups on a virtual switch to accept the promiscuous mode, as this is an unacceptable security risk: a virtual machine on a promiscuous port group receives every frame that crosses that port group, not only its own. You should only configure the port group to which you connect VPN-1 virtual machines to accept the promiscuous mode. Do not connect any other virtual machines to this port group.


    Configuring Promiscuous Mode

    To configure a port group to be in promiscuous mode:

    1. In the Virtual Infrastructure Client, select a host in the Inventory pane and then select the

    Summary Tab.

    2. Right-click a port group in the Resources > Network section of the Information pane and select

    Properties from the options menu.

    3. In the Network Properties window, select the Security tab.

    4. Enable the Promiscuous Mode option and then select Accept from the list.

    5. Click OK to complete the definition. The reconfiguration process may take a few moments to

    complete.

    ClusterXL Deployment on a Single ESX Host

    Figure 4 illustrates the use of a VPN-1 gateway in a ClusterXL deployment contained on a single

    ESX host that provides redundancy at the virtual machine level. Two SmartCenter servers, a primary

    and a secondary, reside on separate virtual machines to provide SmartCenter redundancy (the

    SmartCenter Cluster is optional). VPN-1 requires ClusterXL to provide clustering functionality.

    Failover ensures continuous service if an active ClusterXL cluster member becomes unavailable for

    any reason. In this case, the standby Cluster member immediately takes over the tasks of

    inspecting traffic from the unavailable machine. This scenario does not provide high availability

    protection in the event that the ESX host itself becomes unavailable. For more information oncreating this deployment, see Deploying ClusterXL on VMware on page 21.


    The following diagram illustrates a simplified network deployment using this scenario.

    Figure 4 ClusterXL Deployment on a Single ESX Host

    This example deployment includes Web and database servers hosted on virtual machines protected

    by the clustered VPN-1 gateway. Also included in this deployment are primary and secondary

    SmartCenter servers on virtual machines connected to the gateways using a non-dedicated

    management interface.

    The VPN-1 gateway and the SmartCenter servers, connect to the external LAN and the Internet by

    means of a virtual switch connecting to a physical switch via the ESX host interface. The gateway

    ClusterXL cluster connects to the internal virtual network, containing the Web and Database

    servers, via a virtual switch.

    State synchronization is handled by a dedicated connection between members using one of the

    virtual machine interfaces. The SmartCenter connects to the gateways via the internal network.

    Notes to This Scenario

    All servers protected by the ClusterXL cluster must reside on the same network

    VPN-1 gateways in the bridge mode are not supported in cluster deployments

    Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN

    ClusterXL Deployment Using Two ESX Hosts

    Figure 5 illustrates a ClusterXL deployment with two ESX hosts to provide redundancy and/or load
    sharing for the VPN-1 gateways protecting physical database servers. Each VPN-1 virtual machine serves as a
    ClusterXL cluster member and is state synchronized with its peer on the other ESX host.

    VPN-1 virtual machines require ClusterXL to provide clustering functionality.

    High availability ensures failover redundancy for the VPN-1 gateway virtual machine in the event

    that an ESX host becomes unavailable. Furthermore, failover of an individual virtual machine

    occurs if it becomes unavailable.

    Load sharing allows you to distribute traffic amongst the members to maximize throughput and

    eliminate bottlenecks. When using load sharing, failover also occurs at the ESX host and virtual

    machine levels. For more information on creating this deployment, see Deploying ClusterXL on

    VMware on page 21.


    The following diagram illustrates this ESX host clustered environment.

    Figure 5 ClusterXL Deployment on Two ESX Hosts

    In this deployment, the VPN-1 gateway connects to protected networks using a virtual switch that

    passes through to a host interface and a physical switch. The VPN-1 gateway and the SmartCenter

    server connect to the external LAN and the Internet via a virtual switch passing through a host

    interface and a physical switch.

    The VPN-1 gateway virtual machine maintains a synchronization connection via a virtual switch

    leading to a dedicated physical interface on the host member. The interface connects to its

    counterpart on the other member by means of a physical switch or cross cable. Management traffic

    between the gateway and the SmartCenter server also uses this connection.

    Notes to This Scenario

    This scenario provides SmartCenter redundancy by means of a primary server on one member

    and a secondary server on the other.

    In this scenario, VPN-1 gateways cannot protect resources, such as Web servers and databases,
    that are hosted by virtual machines located on the same host as a gateway. Non-protected
    virtual machines may still reside on the same host as a gateway virtual machine.

    Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN


    Deploying ClusterXL on VMware

    In This Section

    ClusterXL Clusters on VMware page 21

    Deploying a ClusterXL Machine page 21

    Installing ClusterXL on VMware page 24

    Defining a ClusterXL Cluster page 25

    ClusterXL Clusters on VMware

    VPN-1 VE supports ClusterXL clusters in high availability Unicast mode and/or load sharing modes
    running SecurePlatform. Other cluster solutions are not supported. This section summarizes the
    requirements and procedures for defining a ClusterXL cluster with VPN-1 gateways or SmartCenter
    servers on virtual machines.

    You can create a ClusterXL cluster within a single ESX host. This ensures failover in case a virtual
    machine hosting a VPN-1 component encounters problems or is powered off.

    You can also create a ClusterXL cluster consisting of two or more ClusterXL members, each on a
    different ESX host. This ensures failover in the event that an ESX host becomes unavailable or in
    case a ClusterXL member becomes unavailable. Furthermore, load sharing allows you to distribute
    traffic amongst ESX hosts in addition to ensuring failover.

    Please note that VMware High Availability and other VMware clustering solutions are not
    appropriate for use with virtual machines hosting VPN-1 gateways or SmartCenter servers. These
    products cannot provide the state synchronization required for VPN-1 clusters. You can, however,
    use VMware High Availability or other solutions to provide failover support for virtual machines
    hosting your own servers, databases, applications and other resources.

    To create ClusterXL clusters on VMware, you must set up the virtual machine manually and then
    install VPN-1. Manually creating the machine allows you to change its components and include two
    CPUs, as required for ClusterXL clusters. To run ClusterXL, you must also have VPN-1 NGX HFA
    30 or above installed on all cluster members.

    Deploying a ClusterXL Machine

    To deploy a ClusterXL machine:

    1. Select the desired host in the Inventory panel and then click the New Virtual Machine icon on the
    toolbar. Alternatively, you can right-click on the host and select New Virtual Machine from the option
    menu. The New Virtual Machine wizard appears.


    2. Select either the Typical or Custom option and click Next. The Name and Folder page appears.

    3. Enter a unique name for the virtual machine in the appropriate field and select a location for

    the new machine in the lower section of the page.

    4. On the Datastore page, select the desired datastore location from the list.

    5. On the Guest Operating System page, select Linux and then select Red Hat Enterprise Linux 3.

    6. On the CPUs page, select the number of virtual CPUs required for this virtual machine. Machines that will be ClusterXL cluster members require 2 CPUs.

    7. On the Memory page, allocate at least 512 MB for VPN-1 gateways and SmartCenter servers. We also recommend that you guarantee that at least 512 MB is always available by reserving

    512 MB. You can perform this action after completing the virtual machine definition process,

    as described in Enhancing Performance by Reserving Memory on page 23.


    8. On the Network page, select the number of interfaces for this virtual machine. You can define

    up to four virtual interfaces.

    For each interface select the port group to which the interface connects. Always select the

    Connect at Power On option.

    For a VPN-1 gateway, at least one interface connects to an internal or external network

    For SmartCenter servers, a management interface is required to connect to the gateways

    9. On the I/O Adapter page, select the SCSI adaptor appropriate for your deployment.

    10. On the Select a Disk page, select Create a new virtual disk.

    11. On the Disk Capacity page, specify at least 12 GB. Select a storage location for this virtual machine.

    12. On the Advanced Options page, accept the default parameters unless you have a specific reason

    to change them.

    13. On the Ready to Complete page, click Finish to complete the process. It may take a few minutes

    for the new virtual machine to appear in the inventory.

    14. Connect to the ESX Machine using SSH. For more information, see How can I Connect to the

    ESX Server Using SSH? on page 33.

    15. Edit the virtual machine's .vmx file as follows:

    a. Browse to the directory containing the .vmx file: cd /vmfs/volume// where the two path
    components are the datastore and the virtual machine name you chose.

    b. Open the .vmx file for editing. Under each line beginning with ethernetX (where X is a
    number), add a new line that appears as follows:

    ethernetX.virtualDev=e1000

    c. Save the .vmx file and exit the editor.

    16. Power On the virtual machine.

    Enhancing Performance by Reserving Memory

    VPN-1 gateway and SmartCenter virtual machines require at least 512 MB of allocated memory. In
    addition, we recommend ensuring that at least 512 MB of allocated memory resources are always
    available. This process is called reserving memory, and enhances performance when installing
    policies in environments with large databases and/or complex Rule Bases. If you imported the
    VPN-1 VE machine using the VPN-1_R65_VE.tgz file, you already have the reserved memory and do
    not need to perform the steps below.


    To modify a virtual machine definition to reserve memory resources for a virtual machine:

    1. Right-click on the appropriate virtual machine in the Inventory page and select Edit Settings

    from the option menu. The window opens.

    2. Click the Resources tab to display the Resources page.

    3. Click Memory to display the memory settings.

    4. Enter at least 512 MB in the Reservation field.

    5. Change other properties as required. Refer to the online help and the Basic System

    Administration guide for detailed information regarding the various properties.

    Installing ClusterXL on VMware

    Installing from Media Pack CDs

    To install ClusterXL on VMware from a VPN-1 Media Pack CD, the virtual machine must have a CD

    drive defined either as a client device (CD on the client PC) or as a host device (CD on the host

    computer).

    Installing from ISO Images

    To install ClusterXL on VMware from a VPN-1 ISO file, you must first copy the ISO file to a location

    in the datastore. The virtual machine must have a CD drive defined as the datastore path to this

    ISO file.


    Starting the Installation

    To install ClusterXL on a new virtual machine:

    1. If you are installing from the Media Pack CDs, insert CD 1 (SecurePlatform) into the CD drive.

    If you are using ISO files, ensure that the virtual machine CD drive configuration points to the

    path to the correct ISO file.

    2. Select the Console tab for the virtual machine.

    3. Power On the virtual machine. When the VMware welcome screen appears, press Esc to bring

    up the BootMenu. Select CD-ROM drive from the BootMenu. The installation routine runs automatically.

    Installing SecurePlatform

    To install SecurePlatform:

    1. From the Welcome screen, click OK to install. The System Type screen appears.

    2. On the System Type screen, select SecurePlatform.

    3. On the Keyboard Selection menu, select a keyboard type.

    4. On the Network Interface Configuration screen, enter the management interface IP address, netmask, and default gateway for the first network interface (eth0 on most systems).

    5. On the HTTPS Server Configuration screen, enable web-based configuration and accept the

    default port.

    6. Click OK. A confirmation message appears. Click OK to format the virtual hard drive and install

    SecurePlatform software components. The installation process may take several minutes to

    complete.

    7. Remove the installation CD from the drive.

    8. Click OK (or press Enter) to reboot your system. The reboot occurs automatically. If you want to clone this virtual machine or to convert it to a template, do so at this time.

    Continue with Configuring VPN-1 Gateways and SmartCenters on page 11.

    Defining a ClusterXL Cluster

    Before defining the ClusterXL cluster, configure the requisite number of interfaces on each ESX

    host as required for your deployment, manually create each virtual machine and install VPN-1 for

    VMware, and configure each gateway as described in previous sections.

    To define a ClusterXL cluster in an ESX deployment:

    1. Run cpconfig and activate clustering on each gateway.

    2. Set each cluster member's timer resolution to the value 5 as follows. This modification is
    required to prevent false failovers; as a result, detection of a member down may take up to
    5 seconds.

    a. Open $FWDIR/boot/modules/fwkern.conf (if this file does not exist, create it).

    b. Add: fwha_timer_cpha_res=5

    c. Reboot each machine.

    3. Test connectivity between the ClusterXL cluster members and the SmartCenter server. Resolve

    connectivity issues before proceeding.

    4. Test connectivity between the ClusterXL cluster members and your internal networks, external

    networks, and other virtual machines. Resolve connectivity issues before proceeding.


    5. Using SmartDashboard, create and configure your clusters and the required synchronization

    networks. Refer to the ClusterXL Administration Guide, found at http://support.checkpoint.com

    and the online help for details regarding this process.

    6. Define and install security policies.

    7. Test the policies and connectivity.
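Step 2 above is a hand edit, and a member that already has a fwkern.conf can easily end up with two conflicting fwha_timer_cpha_res lines. The following Python is an added example, not Check Point code: it sets the parameter idempotently, creates the file and its directory if they are absent, replaces a differing value, drops duplicates and leaves every other line untouched. The path layout ($FWDIR/boot/modules/fwkern.conf) is the one step 2 names; demo() runs the edit cases against a throw-away directory rather than a real gateway. A reboot is still required for the kernel module to read the new value.

```python
import os
import re
import tempfile


def set_fwkern_param(path, name, value):
    """Ensure exactly one `name=value` line exists in the file at `path`.

    Creates the file (and its directory) if absent, replaces a differing
    value, drops duplicate definitions and preserves every other line.
    Returns True if the file was written, False if it already matched.
    """
    pattern = re.compile(r'^\s*' + re.escape(name) + r'\s*=\s*(\S*)\s*$')
    lines = []
    if os.path.exists(path):
        with open(path) as fh:
            lines = fh.read().splitlines()

    wanted = '%s=%s' % (name, value)
    out, found, changed = [], False, False
    for line in lines:
        match = pattern.match(line)
        if match is None:
            out.append(line)            # unrelated line or comment: keep verbatim
            continue
        if found:
            changed = True              # second definition of the same key: drop it
            continue
        found = True
        if match.group(1) == str(value):
            out.append(line)
        else:
            out.append(wanted)
            changed = True
    if not found:
        out.append(wanted)
        changed = True

    if changed:
        directory = os.path.dirname(path)
        if directory and not os.path.isdir(directory):
            os.makedirs(directory)
        tmp = path + '.tmp'             # write-then-rename: never leave a half-written file
        with open(tmp, 'w') as fh:
            fh.write('\n'.join(out) + '\n')
        os.rename(tmp, path)
    return changed


def read_fwkern_params(path):
    """Parse fwkern.conf into a dict, ignoring blank lines and '#' comments."""
    params = {}
    if not os.path.exists(path):
        return params
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith('#') or '=' not in line:
                continue
            key, val = line.split('=', 1)
            params[key.strip()] = val.strip()
    return params


def demo():
    """Run the edit cases against a throw-away FWDIR (constructed, not a real gateway)."""
    fwdir = tempfile.mkdtemp()
    conf = os.path.join(fwdir, 'boot', 'modules', 'fwkern.conf')
    first = set_fwkern_param(conf, 'fwha_timer_cpha_res', 5)     # creates the file
    second = set_fwkern_param(conf, 'fwha_timer_cpha_res', 5)    # already correct: no write
    with open(conf, 'a') as fh:                                  # simulate a stale hand edit
        fh.write('# added by hand\nfwha_timer_cpha_res=1\n')
    third = set_fwkern_param(conf, 'fwha_timer_cpha_res', 5)     # collapses to one line
    with open(conf) as fh:
        text = fh.read()
    return {'first': first, 'second': second, 'third': third,
            'params': read_fwkern_params(conf),
            'occurrences': text.count('fwha_timer_cpha_res='),
            'comment_kept': '# added by hand' in text}
```

On a real member, call set_fwkern_param with the path built from the FWDIR environment variable, run it on every cluster member, and verify with read_fwkern_params after the reboot.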


    Advanced Deployment: Protecting More Than 3 Virtual Networks

    Introduction

    The deployments described in the previous section are limited in that each virtual machine has a

    maximum of four interfaces. In a typical deployment, this means that a VPN-1 gateway can only

    protect three virtual networks. This limitation, however, can be overcome using VLANs. Using

    VLANs, you can divide traffic on one network adapter into multiple networks that can all be

    protected by one VPN-1 VE gateway.

    VLAN Deployment Example

    Figure 6 illustrates an example of a deployment using VLANs. For detailed instructions on

    configuring such a deployment, see Configuring VLAN Networks on page 29.

    Figure 6 Deployment Using VLANs

    This deployment is comprised of a standalone VPN gateway and SmartCenter on a single virtual

    machine. The gateway inspects and protects all traffic passing through a virtual switch that is

    provisioned with four different port groups, corresponding to four VLAN groups. Each VLAN group

    leads to a different network, all of which are protected by the VPN-1 gateway from external threats

    as well as from threats originating from other virtual machines.

    With the use of VLANs, only two interface cards are used by the VPN-1 VE to protect all four networks. While this example shows only four networks provisioned on one virtual switch, using

    VLANs you can protect over four thousand networks with one interface.


    Notes to This Scenario

    All machines within a VLAN network must reside on the same subnet. For a mid-sized

    deployment this should not result in a lack of available IP addresses.

    Each host must be configured so that its default gateway is the respective VPN-1 VLAN
    device's IP address. Each host's routing table should direct all traffic through the default
    gateway.

    The switch port that is connected to the firewall, must be a VLAN trunk port and be configured

    with VLAN ID 4095 to accept traffic from all VLANS. The VPN-1 machine must be the only

    machine in this port group and the only machine with this VLAN ID.

    Packets that travel between hosts with the same VLAN tag are not inspected by the VPN-1 VE.

    While only four networks are shown connected to the virtual switch, over 4000 can be

    provisioned on one switch.

    There are potentially two remaining interfaces on the VPN-1 machine that can be used for

    other purposes within the deployment.

    The Path of a Packet

    Figure 7 shows the paths that packets may travel within the VLAN deployment scenario depicted

    above.

    Figure 7 Paths of Packets in a VLAN Deployment


    If one host on a VLAN network sends a packet to a host on a different VLAN network, the packet

    receives a VLAN tag from the virtual switch. It then travels to the VPN-1 firewall where the tag is

    removed. Once the firewall inspects the packet, it re-tags it, based on the routing table, and sends

    the packet to the virtual switch. The virtual switch strips the VLAN tag and sends the packet to the

    correct host without a tag.

    Packets coming from outside to a specific VLAN network pass through the VPN-1 firewall and are

    inspected. They then follow the same route as a packet sent from one VLAN network to another.
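To make the inspection boundary concrete, here is an added Python model of the path just described. It is not Check Point code, and the VLAN IDs, subnets, hosts and the two-rule stand-in for the Rule Base are constructed for illustration. deliver() follows one packet: same-VLAN traffic is switched directly and never inspected; cross-VLAN traffic leaves its port group tagged, is untagged at the gateway's trunk (4095) port group, matched against the rules, re-tagged from the gateway's routing table and delivered or dropped.

```python
import ipaddress

# Port groups on the virtual switch, VLAN ID -> subnet behind it (constructed values)
VLAN_SUBNETS = {
    2: ipaddress.ip_network('172.23.2.0/24'),   # Web servers
    3: ipaddress.ip_network('172.23.3.0/24'),   # SQL databases
    4: ipaddress.ip_network('172.23.4.0/24'),   # Email
}
TRUNK_VLAN_ID = 4095   # the VPN-1 port group: receives frames carrying any tag

# Protected hosts, IP -> VLAN ID of the port group they are attached to (constructed)
HOSTS = {
    '172.23.2.10': 2,
    '172.23.2.11': 2,
    '172.23.3.10': 3,
    '172.23.4.10': 4,
}

# Stand-in for the Rule Base: (source net, destination net, destination port) accepted.
# Anything not listed hits the implicit cleanup rule and is dropped.
RULES = [
    (ipaddress.ip_network('172.23.2.0/24'), ipaddress.ip_network('172.23.3.0/24'), 1433),
    (ipaddress.ip_network('172.23.2.0/24'), ipaddress.ip_network('172.23.4.0/24'), 25),
]


def firewall_route(dst_ip):
    """Gateway routing table: the eth1.<VLAN ID> sub-interface whose subnet holds dst_ip."""
    ip = ipaddress.ip_address(dst_ip)
    for vlan_id, net in VLAN_SUBNETS.items():
        if ip in net:
            return vlan_id
    return None   # not a VLAN network: would leave via the external interface


def firewall_inspect(src_ip, dst_ip, dst_port):
    """True if a rule accepts the packet, False for the implicit drop."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, port in RULES:
        if src in src_net and dst in dst_net and port == dst_port:
            return True
    return False


def deliver(src_ip, dst_ip, dst_port):
    """Follow one packet between protected hosts. Returns (outcome, inspected_by_gateway)."""
    src_vlan = HOSTS[src_ip]
    dst_vlan = HOSTS.get(dst_ip)

    if dst_vlan == src_vlan:
        # Same port group: the virtual switch forwards the frame straight to the
        # destination. The gateway never sees it, so no rule can block it.
        return ('delivered', False)

    # 1. The host's default gateway is the VPN-1 address on its VLAN, so the frame
    #    leaves its port group tagged with src_vlan ...
    frame = {'vlan': src_vlan, 'src': src_ip, 'dst': dst_ip, 'dport': dst_port}
    # 2. ... enters the trunk port group (TRUNK_VLAN_ID) and the gateway strips the
    #    tag on its eth1.<src_vlan> sub-interface.
    packet = {k: v for k, v in frame.items() if k != 'vlan'}
    # 3. Inspection against the Rule Base.
    if not firewall_inspect(packet['src'], packet['dst'], packet['dport']):
        return ('dropped', True)
    # 4. Re-tag according to the gateway's routing table ...
    out_vlan = firewall_route(packet['dst'])
    if out_vlan is None:
        return ('forwarded_external', True)
    # 5. ... and the virtual switch strips the tag and hands the frame to the host on that VLAN.
    if dst_vlan != out_vlan:
        return ('no_such_host', True)
    return ('delivered', True)
```

The case worth trying first is a same-VLAN packet: it is delivered with inspected set to False. Hosts that must be isolated from each other therefore belong on different VLANs, not merely in different rules.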

    Configuring VLAN Networks

    Setting up the VLAN Networks involves configuring the following:

    The virtual switch that will house the port groups and VLAN IDs

    The VPN-1 machine that will protect the VLAN networks and virtual switch

    The hosts to be protected by the VPN-1

    Below are detailed instructions for setting up your deployment.

    Configuring the Virtual Switch

    To set up a VLAN configuration, you provision one port group on a virtual switch for each VLAN. All

    packets intended for a specific host within a VLAN receive a VLAN tag and can only be received by

    hosts on that VLAN network.

    One interface of the VPN-1 VE machine is connected to the same virtual switch as the other port
    groups. The VPN-1 machine has a separate port group with VLAN ID All (4095), so that it accepts
    traffic from all other port groups. All packets pass through the firewall and are then given a VLAN
    tag by the virtual switch and sent to that VLAN network.

    To add another port/VLAN ID Group to a virtual switch or to edit existing port groups:

    From the Configuration tab of the ESX server, click Networking. The Networking page opens,
    displaying your virtual switches.

    1. Click Properties next to the virtual switch that you want to configure.

    2. To add a new port group:


    a. Click Add. The Add Network Wizard opens.

    b. Select Virtual Machine and click Next. Continue with step 4.

    3. To edit an existing port group:

    a. Select a Virtual Machine Network (port group) from the list and click Edit.


    4. Type a Network Label and type or select a VLAN ID to identify a port group on the switch. Click
    Next. We recommend not using VLAN ID 1 as this may be the native VLAN ID on the machine and may cause connectivity problems.

    5. Click Finish.

    6. Repeat steps 2 through 5 for each port group/VLAN ID group you want to provision on the

    virtual switch.

    Add a Port Group/VLAN ID for the VPN-1 Machine

    The VPN-1 machine must have a separate Port Group/VLAN ID of All to accept all packets. Follow

    the steps in Configuring the Virtual Switch on page 29. In Step 4, type 4095 for the VLAN ID.

    Configuring the VPN-1 Machine

    Follow the instructions in Importing and Configuring VPN-1 VE on page 9 to import the VPN-1

    VE machine and create a new VPN-1 machine. Configure it following the instructions in Known

    Limitations on page 14. Refer to the NGX R65 Internet Security Product Suite Getting Started

    Guide, found at http://support.checkpoint.com, for additional configuration information.

    Configuring VLANs on the VPN-1 Machine

    When you configure the VLAN, it displays as the interface name followed by a dot and the VLAN ID,
    for example, eth1.2. Make sure to configure the network adapter that connects the VPN-1 machine
    to the virtual switch with VLAN groups.

    To configure an IP address for each VLAN device, run:

    sysconfig

    1. Type 1 to Add Connection.

    2. Type 2 to select VLAN.


    3. Select the network adapter that connects the VPN-1 machine to the virtual switch with VLAN

    groups, for example, eth1.

    4. Enter the VLAN ID, for example, 2.

    5. Type the IP address specific to the VLAN, the desired netmask, and default broadcast.

    The VLAN configuration will display.

    6. Repeat the steps above for each VLAN.

    Once the ESX server environment is fully configured, add the virtual switch and all of the hosts and
    networks you want to protect as objects in SmartDashboard and set up a Rule Base. See the
    NGX R65 Getting Started Guide for more information. For a complete presentation of NGX R65
    installation and configuration procedures, refer to the NGX R65 Internet Security Product Suite
    Getting Started Guide and the Firewall and SmartDefense Administration Guide, found at
    http://support.checkpoint.com.

    Configuring Hosts

    All hosts that will be on a VLAN and be protected by the VPN-1 gateway should be set up in your
    ESX Server. Change the IP settings so that each host's default gateway is the VLAN device IP
    address that you configured when setting up the VPN-1 machine, and so that the host's own address is
    on that VLAN's subnet. All hosts within a VLAN must be on this same subnet.

    Setting Up a Routing Table

    The routing table of each host should be configured to direct all traffic from the host through
    its default gateway, which is one of the VLAN device IP addresses. In this way you ensure
    that all traffic to and from the host will be inspected by the VPN-1 VE machine (with the exception
    noted above: traffic between two hosts on the same VLAN never reaches the gateway). The routing
    table within the VPN-1 machine itself is automatically configured after you set up the VLANs.

    The steps needed to configure a routing table differ depending on your operating system. Below is

    an example of how to set up the routing table in Linux.

    To set up a routing table in a Linux machine:

    1. From the console in a host, type:

    route add default gw 184.23.5.3

    where 184.23.5.3 is the default gateway of that particular host. A route added this way does not
    survive a reboot; also set the default gateway in the host's persistent network configuration.

    2. Repeat step 1 on every host.
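The same requirement applies to the standalone deployment in Figure 2 (default gateway 172.23.5.1) and to every host in the VLAN deployment: the only route that may bypass the gateway is the host's own connected subnet. The following Python is an added example, not Check Point code. It parses route -n output (the two dumps below are constructed) and reports a wrong default gateway or any extra route, for example a second interface into another segment, that would let traffic skip inspection.

```python
import ipaddress


def parse_route_n(text):
    """Parse Linux `route -n` output into (dest, gateway, genmask, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ('Kernel', 'Destination'):
            continue   # banner and column header
        routes.append((parts[0], parts[1], parts[2], parts[3], parts[7]))
    return routes


def audit_routes(route_text, expected_gw, host_subnet):
    """Return a list of findings; an empty list means the table matches the requirement.

    expected_gw: the VPN-1 interface address on the host's subnet (e.g. 172.23.5.1)
    host_subnet: the host's own subnet, the only route allowed to bypass the gateway
    """
    findings = []
    subnet = ipaddress.ip_network(host_subnet)
    gw = ipaddress.ip_address(expected_gw)
    if gw not in subnet:
        findings.append('gateway %s is not inside %s' % (expected_gw, host_subnet))
    default_seen = False
    for dest, rgw, mask, flags, iface in parse_route_n(route_text):
        if dest == '0.0.0.0' and mask == '0.0.0.0':
            default_seen = True
            if rgw != expected_gw:
                findings.append('default route via %s, expected %s' % (rgw, expected_gw))
            continue
        net = ipaddress.ip_network('%s/%s' % (dest, mask), strict=False)
        if net == subnet and rgw == '0.0.0.0':
            continue   # the directly connected subnet: legitimate
        if rgw == '0.0.0.0' or ipaddress.ip_address(rgw) != gw:
            # a second connected segment or a static route around the gateway
            findings.append('route to %s via %s on %s bypasses the gateway' % (net, rgw, iface))
    if not default_seen:
        findings.append('no default route')
    return findings


# Constructed `route -n` dumps, not captured from a real host.
SAMPLE_GOOD = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.23.5.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         172.23.5.1      0.0.0.0         UG    0      0        0 eth0
"""

SAMPLE_BAD = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.23.5.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.23.6.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         172.23.5.254    0.0.0.0         UG    0      0        0 eth0
"""
```

Run it against the live table with audit_routes(subprocess.check_output(['route', '-n']).decode(), gw, subnet) on each protected host; the second sample shows the two findings that matter, a default route pointing somewhere other than the gateway and an extra interface into another segment.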


    FAQs and Troubleshooting

    Below are some troubleshooting procedures for questions that may arise when working with VPN-1
    VE.

    How can I Connect to the ESX Server Using SSH?

    If you are not able to access the ESX Server via SSH, follow this procedure:

    1. Go to the service console on the physical Server and log in.

    2. Run:

    vi /etc/ssh/sshd_config

    3. Change the line that says PermitRootLogin from no to yes.

    4. Run:

    service sshd restart

    Note that this permits direct root logins to the service console over SSH. Once the .vmx edits are
    done, set PermitRootLogin back to no, or log in as an unprivileged user and switch to root instead.

    What Should I Do if I Receive a UUID Warning Message?

    When powering on your VPN-1 VE machine for the first time, you may get a Virtual Machine
    Message stating that the virtual machine's configuration file has changed. Select Create and then
    click OK to start the machine.

    Can I Change the MTU?

    In order to change the MTU (Maximum Transmission Unit) your network adapter drivers must be
    set to pcnet32.

    To change the network adapter driver settings to pcnet32:

    1. Connect to the ESX Server with SSH.

    2. Change the directory to the virtual machine directory.

    3. Edit the VPN-1_VE.vmx file as follows: Delete the lines stating ethernetX.virtualDev=e1000,
    where X is the relevant virtual network adapter.

    Note - If you wish to change your network adapter drivers back to e1000, you must change the
    MTU to a value higher than 1000, using sysconfig.


    Can I Enlarge the VPN-1 VE Hard Disk Drive?

    You may want to enlarge the VPN-1 VE hard drive to allow more space for logs, especially if the

    machine has a SmartCenter installed. You can add an additional hard drive in VMware. You then

    configure the hard drive in SecurePlatform and direct logs to a new directory on the new hard

    drive.

    Creating a Second Hard Drive in VMware

    To create a second hard drive:

    1. Power Off the VPN-1 VE machine.

    2. Right-click the machine and select Edit Settings.

    3. Click Add and then select Hard Disk from the Add Hardware Wizard. Click Next.

    4. Select Create a new virtual disk and click Next.

    5. Type the Disk Size you want and click Next.

    6. Keep the default settings by clicking Next.

    7. The settings of the new disk are displayed. Click Finish.

    Configure the New Hard Drive in SecurePlatform

    Configuring the new hard drive involves creating a new partition, formatting the hard disk, and

    mapping it to a new directory.

    Creating a New Partition

    To create a new partition:

    1. Power on the VPN-1 VE machine.

    2. Log in to expert mode.

    3. Confirm with fdisk -l that /dev/sdb is the newly added, empty disk, then run:

    fdisk /dev/sdb

    4. Type n to add a new partition.

    5. Type p to choose a primary partition.

    6. Type 1 for the partition number.

    7. Keep the defaults for the first and last cylinder.

    8. Type t to change the partition's system ID.

    9. Type the hex code 83.

    10. Type w to write the table to disk and exit.

    Creating the Volume Settings

    To create the volume settings:

    1. Verify that the new hard disk is properly configured and that /dev/sdb1 is created by running:

    fdisk -l

    where the lower case L stands for list partition table.

    2. Initialize a physical volume by running:

    pvcreate /dev/sdb1


    3. Optionally, check that the physical volume was created by running:

    pvdisplay

    4. Create a volume group. Choose a name for the volume group that you will use in the command
    when creating it, for example, mynew_vg:

    vgcreate mynew_vg /dev/sdb1

    5. Create a logical volume:

    lvcreate -L 4000 -n vol2 mynew_vg

    where 4000 is the size of the logical volume in MB, vol2 is the name that you assign to the
    logical volume, and mynew_vg is the name of the volume group that you assigned in the
    previous step.

    Formatting and Mapping the Hard Drive

    To format and map the hard drive:

    1. Format the hard disk by using the names you created in Creating the Volume Settings on
    page 34 and running:

    mkfs.ext3 -m 0 /dev/mynew_vg/vol2

    2. Add the new hard disk to the SecurePlatform mapping table so that it is mounted at every boot:

    a. Run:

    vi /etc/fstab

    b. Add the following at the end of the file:

    /dev/mynew_vg/vol2 /exvar ext3 defaults 1 2

    where exvar is the name you chose for the directory to which the hard drive will be mapped.

    Do not add a matching entry to /etc/mtab by hand: mount maintains that file itself, and a
    pre-existing entry there can cause mount -a in the next step to treat /exvar as already mounted
    and skip it.

    3. Create the directory to which the hard drive will be mapped, exvar according to this
    example, and map the hard drive to this directory. Run:

    mkdir /exvar

    mount -a

    Redirecting the Log Files to a Folder in the New Hard Drive

    To redirect log files to the new hard drive:

    1. Run:

    cpstop

    2. Save the current log directory by running:

    mv $FWDIR/log $FWDIR/log.old

    3. Create a new log directory, for example newlogs, in the new hard disk with the name you
    chose in Formatting and Mapping the Hard Drive on page 35:

    mkdir /exvar/newlogs


    4. Map logs to the new directory:

    ln -s /exvar/newlogs $FWDIR/log

    5. Start the machine using:

    cpstart

    Documentation Feedback

    Check Point is engaged in a continuous effort to improve its documentation. Please help us by
    sending your comments to:

    [email protected]
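Before running cpstart (step 5 of Redirecting the Log Files above), it is worth confirming that $FWDIR/log really resolves to a directory on the new volume: if the symlink is wrong or the mount did not happen, logs silently land back on the system disk that the procedure was meant to relieve. The following Python is an added example, not Check Point code. check_log_target() verifies that the log path is a symlink, that it points where expected, that the target exists and is writable, that it sits on a different filesystem from FWDIR (compared by device number, which is the only check that actually proves the mount) and that enough space is free; demo() exercises it on a scratch layout that lives on a single filesystem, so the same-filesystem finding fires there by design.

```python
import os
import tempfile


def check_log_target(fwdir, expected_target=None, min_free_mb=100):
    """Return a list of findings about <fwdir>/log; an empty list means it is ready for cpstart."""
    findings = []
    link = os.path.join(fwdir, 'log')
    if not os.path.islink(link):
        findings.append('%s is not a symlink' % link)
        return findings
    target = os.path.realpath(link)
    if expected_target is not None and target != os.path.realpath(expected_target):
        findings.append('symlink points to %s, expected %s' % (target, expected_target))
    if not os.path.isdir(target):
        findings.append('target %s does not exist' % target)
        return findings
    # The point of the exercise: logs must land on the new volume, not on the
    # filesystem that holds $FWDIR. Device numbers differ only if /exvar is really mounted.
    if os.stat(target).st_dev == os.stat(fwdir).st_dev:
        findings.append('target %s is on the same filesystem as %s' % (target, fwdir))
    st = os.statvfs(target)
    free_mb = st.f_bavail * st.f_frsize // (1024 * 1024)
    if free_mb < min_free_mb:
        findings.append('only %d MB free on %s' % (free_mb, target))
    if not os.access(target, os.W_OK):
        findings.append('target %s is not writable' % target)
    return findings


def demo():
    """Exercise the check against a scratch layout (constructed; not a real FWDIR)."""
    root = tempfile.mkdtemp()
    fwdir = os.path.join(root, 'fw1')
    newlogs = os.path.join(root, 'exvar', 'newlogs')
    os.makedirs(fwdir)
    os.makedirs(newlogs)
    before = check_log_target(fwdir)                       # no symlink yet
    os.symlink(newlogs, os.path.join(fwdir, 'log'))        # the `ln -s` step
    after = check_log_target(fwdir, expected_target=newlogs, min_free_mb=0)
    wrong = check_log_target(fwdir, expected_target=os.path.join(root, 'elsewhere'),
                             min_free_mb=0)
    return {'before': before, 'after': after, 'wrong': wrong}
```

On a gateway, call check_log_target(os.environ['FWDIR'], '/exvar/newlogs') from expert mode after step 4 and only proceed to cpstart when it returns an empty list.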
