Connectra Appliance - Check Point...

Connectra Appliance Getting Started Guide NGX R66 702365 November 5, 2008


Health and Safety Information

Read the following warnings before setting up or using the appliance.

To prevent damage to any system board, it is important to handle it with care. The following measures are generally sufficient to protect your equipment from static electricity discharge:

• When handling the board, use a grounded wrist strap designed for static discharge elimination.

• Touch a grounded metal object before removing the board from the antistatic bag.

• Handle the board by its edges only. Do not touch its components, peripheral chips, memory modules or gold contacts.

• When handling processor chips or memory modules, avoid touching their pins or gold edge fingers.

• Return the communications appliance system board and peripherals to the antistatic bag when they are not in use or not installed in the chassis. Some circuitry on the system board can continue operating even though the power is switched off.

• Under no circumstances should the Lithium battery cell used to power the real-time clock be allowed to short. The battery cell may heat up under these conditions and present a burn hazard.

Warning - Do not block air vents. A minimum 1/2-inch clearance is required.

Warning - This appliance does not contain any user-serviceable parts. Do not remove any covers or attempt to gain access to the inside of the product. Opening the device or modifying it in any way has the risk of personal injury and will void your warranty. The following instructions are for trained service personnel only.

Warning - DANGER OF EXPLOSION IF BATTERY IS INCORRECTLY REPLACED. REPLACE ONLY WITH SAME OR EQUIVALENT TYPE RECOMMENDED BY THE MANUFACTURER. DISCARD USED BATTERIES ACCORDING TO THE MANUFACTURER'S INSTRUCTIONS


• Disconnect the system board power supply from its power source before you connect or disconnect cables or install or remove any system board components. Failure to do this can result in personal injury or equipment damage.

• Avoid short-circuiting the lithium battery; this can cause it to superheat and cause burns if touched.

• Do not operate the processor without a thermal solution. Damage to the processor can occur in seconds.


© 2003-2008 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.

For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.


Contents

Chapter 1 Introduction to Connectra

• Welcome
• Overview
• Shipping Carton Contents
• Terminology

Chapter 2 Deploying Connectra

• Deployment Overview
• Deploying Connectra in the DMZ
• Deploying Connectra on a LAN
• Deploying a Connectra Cluster

Chapter 3 Installing and Configuring Connectra

• Installation and Configuration Workflow
    • Installation and Initial Configuration Stages
• Installation and Initial Configuration Procedures
    • Step 1: Preparing for Centrally Managed Connectra
    • Step 2: Installing Connectra
    • Step 3: Identifying the Default Management Interface
    • Step 4: Connecting the Cables and Turning On
    • Step 5: Connecting to the Administration User Interface
    • Step 6: Running the First Time Configuration Wizard
    • Step 7: Installing the SmartConsole GUI Clients
    • Step 8: Logging In for the First Time
    • Step 9: Defining Connectra Objects (Centrally Managed Connectra)
• Post-Installation Procedures
    • Step 10: Connecting Connectra to the Network
    • Step 11: Configuring Access Control
    • Step 12: Performing a SmartDefense Update (Locally Managed Connectra)
    • Step 13: Checking Your Setup
• Installing the NGX R66 Plug-in
    • Installing the Plug-in on a SmartCenter
    • Installing the Plug-in on Provider-1/SiteManager-1
    • Uninstalling Connectra Plug-ins
• Cluster Configuration—Deployment Tips
• SSL Acceleration Card Installation
    • Enabling the Card
    • Disabling the Card
    • SSL Acceleration Card Command Syntax
• Further Information

Chapter 4 Connectra Hardware

• Overview
    • Front Panel Components
    • Rear Panel Components
• Customer Replaceable Parts
    • Power Supply
    • Cooling Fan
    • Expansion Line Card
    • Hard Disk Drive
• Restoring Factory Defaults
    • Restoring Using the WebUI
    • Restoring Using the Console Boot Menu
    • Restoring Using the LCD Panel

Chapter 5 Upgrading Connectra

• Introduction to Advanced Upgrade
• Advanced Upgrade to Locally Managed R66
    • Preparing for Advanced Upgrade to Locally Managed R66
    • Advanced Upgrade Procedure to Locally Managed R66
    • Completing the Advanced Upgrade to R66
• Upgrade to Centrally Managed R66 from R61/62/62CM
    • Setting Up the SmartCenter and Installing the R66 Plug-in
    • Setting Up SIC Trust
    • Installing Policy
    • Completing the Upgrade by Merging Manual Changes
• Upgrading a Connectra Cluster to R66

Chapter 6 Uninstalling Connectra Plug-ins

• Overview
• Uninstalling the R66 Plug-in for Central Management
    • Before Uninstalling the R66 Plug-in
    • Uninstalling the R66 Plug-in
    • Removing the R66 Compatibility Package
• Uninstalling the Connectra NGX R62CM Plug-in
    • Removing the R62CM Compatibility Package
• Uninstalling Plug-ins in Provider-1
    • Deactivating Plug-ins on the MDS
    • Uninstalling the R62CM Plug-in in Provider-1

Chapter 7 Registration and Support

• Registration
    • For Connectra Cluster Users
• Support
• Where To From Here?

Chapter 8 Notes

• My Connectra Appliance

Index

Chapter 1 Introduction to Connectra

In This Chapter

• Welcome
• Overview
• Shipping Carton Contents
• Terminology

Welcome

Thank you for choosing Check Point’s Connectra appliance. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up to date and secure solutions available today.

Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment.

For additional information on the NGX Internet Security Product Suite and other security solutions, refer to: http://www.checkpoint.com or call Check Point at 1(800) 429-4391. For additional technical information, refer to: http://support.checkpoint.com.

Welcome to the Check Point family. We look forward to meeting all of your current and future network, application, and management security needs.

Overview

Check Point Connectra is a comprehensive and unified remote access solution that makes corporate applications and network resources securely available to mobile and remote users. With Connectra NGX R66, remote and mobile employees, contractors, business partners, and customers can access network resources and applications through either a lightweight VPN client or simply through a Web browser. By unifying SSL and IPSec VPN technologies into a single gateway and management console, Connectra provides flexible access for end users and simple, streamlined deployment for the IT organization.

Connectra offers administrators tight access controls to help ensure that only authorized users using clean hosts will gain access to corporate resources. To that end, Connectra features multiple strong authentication methods and tight integration with directory services. Comprehensive endpoint security capabilities enable malware scans and compliance checks. A virtual Secure Workspace provides session confidentiality on both managed and unmanaged endpoints, such as laptops, home PCs, internet kiosks, and more.

Connectra can be deployed as a turnkey appliance, as software on open servers, or as a virtual machine on VMware ESX Server. Connectra gateways can be managed either locally or centrally through a single Check Point SMART management console, reducing the administration time required to configure, monitor, update, and audit remote access policies.

Shipping Carton Contents

This section describes the contents of the shipping carton.

Table 1-1 Contents of the Shipping Carton

Item | Description
Appliance | A single Connectra appliance: Connectra 3070 or Connectra 270 or Connectra 9072
Rack Mounting Accessories | Hardware mounting kit.
Cables | Power cable/s (1 for Connectra 3070 or 270, 2 for Connectra 9072); 1 Standard RJ-45 network cable; 1 Serial console cable; 1 RJ-45 loopback plug
CD | Includes the following: Getting Started Guide; Connectra Local Management Administration Guide; Connectra Central Management Administration Guide; Connectra Appliance Administration Guide Supplement
Certifications, Regulations and Documentation | Certification data sheet and user license agreement.

Terminology

The following Connectra terms are used throughout this chapter:

• Gateway: The Connectra engine that enforces the organization’s access policy and acts as a remote access server.

• Access Policy: The policy created by the system administrator that makes corporate applications and network resources securely available to mobile and remote users.

• SmartCenter Server: The server used by the system administrator to manage the access policy in a centrally managed deployment. The organization’s databases and access policies are stored on the SmartCenter server and downloaded to the gateway.

• SmartConsole: GUI applications that are used to manage various aspects of access policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.

• SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the access policy.

• Locally Managed Deployment: When all Check Point components responsible for both the management and enforcement of the access policy (the SmartCenter server and the gateway) are installed on the same machine.

• Centrally Managed Deployment: When the gateway and the SmartCenter server are installed on separate machines.

• Management Plug-ins: Management plug-ins allow you to dynamically add new features and support for new products. Plug-ins supply new and separate packages that consist only of those components necessary for managing new gateway products or specific features, thus avoiding a full upgrade to the next release.

Chapter 2 Deploying Connectra

In This Chapter

• Deployment Overview
• Deploying Connectra in the DMZ
• Deploying Connectra on a LAN
• Deploying a Connectra Cluster

Deployment Overview

In general, it is recommended to deploy Connectra in the DMZ. Connectra can, however, also be deployed in other places, such as on the internal LAN. In both scenarios, SSL termination takes place at the Connectra Gateway. Web Intelligence, Application Intelligence, authentication, and authorization schemes on the Connectra Gateway are employed to protect the internal network and to inspect the traffic for harmful content before it reaches the internal servers.

Connectra differs from other remote access solutions in that it has gateway based application-level and network-level protection. For example, it incorporates the Malicious Code Protector to protect against worms.

Deploying Connectra in the DMZ

Figure 2-1 shows a typical Connectra deployment in the DMZ:

Figure 2-1 Connectra Deployment in the DMZ

When Connectra is placed in the DMZ, traffic initiated both from the Internet and from the LAN to Connectra is subject to firewall restrictions. By deploying Connectra in the DMZ, the need to enable direct access from the Internet to the LAN is avoided. Remote users initiate an SSL connection to the Connectra Gateway. The firewall must be configured to allow traffic from the user to the Connectra server, where SSL termination, Web and Application Intelligence inspection, authentication, and authorization take place. Requests are then forwarded to the internal servers via the firewall. Administration traffic is always SSL encrypted.

Deploying Connectra on a LAN

Figure 2-2 shows how Connectra can be deployed on the LAN alongside the internal servers:

Figure 2-2 Connectra Deployment in the LAN

The remote user opens a browser and initiates an HTTPS request to the Connectra server. The SSL connection is terminated within the LAN and the clear text requests are forwarded to the internal servers. The internal servers reply “in the clear” to Connectra, which encrypts the reply back to the remote user. In the scenario shown in Figure 2-2, the perimeter firewall must be configured to allow encrypted SSL traffic to Connectra.

In this scenario, the SSL VPN traffic passes through the Firewall as encrypted traffic and is therefore unavailable for inspection with traditional solutions. With Connectra, the network is fully protected with Application Intelligence and Web Intelligence.

Deploying a Connectra Cluster

Figure 2-3 shows a two-member Connectra cluster. Typically, the cluster is deployed behind the DMZ interface of a firewall, with the application servers behind the firewall in the internal networks.

Figure 2-3 Connectra Clustering Topology Example

Each cluster member has two interfaces: one data interface leading to the organization and to the Internet, and a second interface for synchronization. Each interface is on a different subnet.

• One subnet for data (in Figure 2-3, 10.0.0.1 for Member A and 10.0.0.2 for Member B).

• One subnet for synchronization (10.0.10.1 for Member A and 10.0.10.2 for Member B).

See “Cluster Configuration—Deployment Tips” on page 51 for more information about Connectra clusters.

Note - Clusters are not supported in locally managed R66.

Chapter 3 Installing and Configuring Connectra

In This Chapter

• Installation and Configuration Workflow
• Installation and Initial Configuration Procedures
• Post-Installation Procedures
• Installing the NGX R66 Plug-in
• Cluster Configuration—Deployment Tips
• SSL Acceleration Card Installation
• Further Information

Installation and Configuration Workflow

Getting started with Connectra involves installation and initial configuration, followed by detailed configuration to meet your needs.

The following workflow outline and detailed instructions apply to a:

• Centrally managed Connectra gateway, including those that will be part of a Connectra Cluster.

• Locally managed Connectra gateway.

To upgrade from a previous version, see chapter 5, “Upgrading Connectra” on page 81.

For more information about Clusters, see “Cluster Configuration—Deployment Tips” on page 51. Note that Clusters are not supported in locally managed Connectra NGX R66.

Installation and Initial Configuration Stages

The installation and configuration of Connectra are performed in the following stages:

Installation

1. If you are installing centrally managed Connectra:

a. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 MDS to NGX R65 and install the Connectra R66 SmartCenter Plug-in using the CD.

b. Configure relevant firewall access rules.

2. Install Connectra.

3. Identify the Default Management Interface.

4. Connect the cables and turn on.


5. Connect to the Administration User Interface.

6. Run the First Time Configuration Wizard and automatically install the Connectra package.

7. Install the SmartConsole GUI Clients.

8. Log in to SmartDashboard for the first time.

9. If you are installing centrally managed Connectra, define Connectra objects in SmartDashboard.

Post-Installation Procedures

After completing the installation, configure Connectra as follows:

10. Connect Connectra to the network.

11. Configure Access control.

12. If you are setting up locally managed Connectra, perform a SmartDefense Update.

13. Check your setup.

For Connectra 9072, you can also enable the SSL acceleration card. See “SSL Acceleration Card Installation” on page 53.


Installation and Initial Configuration Procedures

Step 1: Preparing for Centrally Managed Connectra

Step A: Setting Up SmartCenter and Installing the Plug-in (Centrally Managed Only)

To set up the SmartCenter and install the NGX R66 Plug-in:

1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.

2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). It is recommended to use the latest MDG that is found on CD2 in the MDG directory.

3. Install the Connectra NGX R66 Plug-in on version NGX R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See “Installing the NGX R66 Plug-in” on page 45.

Step B: Configuring Firewall Access Rules

Configure the firewall according to the chosen deployment. The exact set of rules depends on the selected setup and the services that Connectra will provide. A typical Security Rule Base configuration, on VPN-1 Pro, is described below:

FireWall Rules for Connectra in a DMZ

The rules listed in Figure 3-1 apply to the deployment shown in Figure 2-1, “Connectra Deployment in the DMZ,” on page 19.

Figure 3-1 Rules for Deploying Connectra in the DMZ

Rule | Source | Destination | Service | Action | Comment
1 | Admin host | Connectra | HTTPS (TCP/4433) | Accept | Administrator access (encrypted).
2 | Any | Connectra | HTTP (TCP/80), HTTPS (TCP/443), SSL (TCP/444) (or the port on which the SSL Network Extender server is configured), IKE_NAT_TRAVERSAL (UDP/4500). This is used by Endpoint | Accept | End user access to portal: Web applications, File sharing, Web mail. Sessions initiated using HTTP are redirected automatically to HTTPS. All actual communication is encrypted.
3 | Connectra | LAN | HTTP (TCP/80), HTTPS (TCP/443), nbsession (TCP/139), microsoft-ds (TCP/445), nbdatagram (TCP/138), nbname (TCP/137), IMAP (TCP/143), SMTP (TCP/25). All additional Network applications that are made accessible via the SSL Network Extender | Accept | Connectra to LAN for: Web applications, File sharing, Web mail

You may need other rules, depending on your configuration:

• Connectra requires access to DNS servers, and possibly to WINS servers.

• For backups, Connectra may need access to a TFTP or SCP server.

• Connectra may need access to the SmartCenter Server or to a Customer Log Module (CLM), in order to send logs to a remote log server.

• For authentication, Connectra may need access to LDAP, RADIUS and ACE servers.

• Connectra may need access to an NTP server for clock synchronization purposes.

FireWall Rule for Connectra in a LAN

If you choose to deploy Connectra in the LAN, as in Figure 2-2, “Connectra Deployment in the LAN,” on page 20, rule 3 is not needed.
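The rule base in Figure 3-1 can serve as a baseline when reviewing a firewall policy for the DMZ deployment. The following Python script is an added example, not part of the Check Point guide: the zone labels and service cells are taken from Figure 3-1, while `Rule`, `parse_services`, `audit` and the sample policy are hypothetical names and constructed data.

```python
import re
from dataclasses import dataclass

# Matches the "(PROTO/PORT)" part of service cells such as "HTTPS (TCP/4433)".
SERVICE_RE = re.compile(r"\((TCP|UDP)/(\d+)\)", re.IGNORECASE)


def parse_services(cell):
    """Return the set of (protocol, port) pairs named in a service cell."""
    return frozenset((proto.lower(), int(port)) for proto, port in SERVICE_RE.findall(cell))


@dataclass(frozen=True)
class Rule:  # hypothetical structure for this example, not a Check Point object
    source: str
    destination: str
    services: frozenset
    action: str = "Accept"


# Baseline transcribed from the Service column of Figure 3-1.
# TCP/444 is the documented default; adjust it if the SSL Network Extender
# server is configured on another port.
ADMIN = parse_services("HTTPS (TCP/4433)")
PORTAL = parse_services(
    "HTTP (TCP/80), HTTPS (TCP/443), SSL (TCP/444), IKE_NAT_TRAVERSAL (UDP/4500)")
TO_LAN = parse_services(
    "HTTP (TCP/80), HTTPS (TCP/443), nbsession (TCP/139), microsoft-ds (TCP/445), "
    "nbdatagram (TCP/138), nbname (TCP/137), IMAP (TCP/143), SMTP (TCP/25)")
BASELINE = [("Admin host", "Connectra", ADMIN),
            ("Any", "Connectra", PORTAL),
            ("Connectra", "LAN", TO_LAN)]


def fmt(services):
    return ", ".join(f"{proto}/{port}" for proto, port in sorted(services))


def audit(policy):
    """Return (severity, rule_number, message) findings; rule_number 0 = whole policy."""
    findings = []
    accepts = [(n, r) for n, r in enumerate(policy, 1) if r.action.lower() == "accept"]
    for n, r in accepts:
        if r.destination == "Connectra" and r.source == "Any":
            if r.services & ADMIN:
                findings.append(("HIGH", n, "administration port tcp/4433 is open to Any; "
                                 "Figure 3-1 allows it from the admin host only"))
            extra = r.services - PORTAL - ADMIN
            if extra:
                findings.append(("MEDIUM", n, "portal rule carries extra services: " + fmt(extra)))
        elif r.destination == "LAN" and r.source == "Any":
            findings.append(("HIGH", n, "Any can reach the LAN directly, which the DMZ "
                             "deployment exists to avoid"))
        elif r.destination == "LAN" and r.source == "Connectra":
            extra = r.services - TO_LAN
            if extra:
                findings.append(("REVIEW", n, "confirm these are published applications or "
                                 "supporting services: " + fmt(extra)))
    # Check that every service the baseline needs is allowed by some accept rule.
    for src, dst, needed in BASELINE:
        allowed = set()
        for _, r in accepts:
            if r.destination == dst and r.source in (src, "Any"):
                allowed |= r.services
        if needed - allowed:
            findings.append(("MISSING", 0, f"{src} -> {dst} lacks " + fmt(needed - allowed)))
    return findings


# Constructed sample policy: rule 2 leaks the admin port, rule 4 bypasses the DMZ.
SAMPLE_POLICY = [
    Rule("Admin host", "Connectra", ADMIN),
    Rule("Any", "Connectra", PORTAL | ADMIN),
    Rule("Connectra", "LAN", TO_LAN | parse_services("ldap (TCP/389)")),
    Rule("Any", "LAN", parse_services("HTTPS (TCP/443)")),
]

if __name__ == "__main__":
    for severity, number, message in audit(SAMPLE_POLICY):
        print(f"{severity:8} rule {number}: {message}")
```

Extra services from Connectra to the LAN are reported as REVIEW rather than as violations, because the guide allows additional published applications and supporting servers such as LDAP, RADIUS, DNS and NTP.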

Step 2: Installing Connectra

Ear Mount Installation

The Connectra appliance ships with two ear mount kits, and screws of the type shown in Figure 3-2:

Figure 3-2 Ear Mount Screws

One ear mount fits on each side of the chassis.

To assemble the ear mounts:

1. Take out the L-shaped ear mount kits.


2. Place the side with four holes against the chassis. The side with two holes faces outward, as shown in Figure 3-3.

Figure 3-3 Ear Mounts

3. Fasten the four retaining screws on each ear mount.

4. Fasten the two screws which connect the ear mount to the handle.


Installing Connectra in the Rack

Install the system in the rack with the network ports facing the front of the rack.

Figure 3-4 Installing Connectra 9072


Figure 3-5 Installing Connectra 3070 and 270

Step 3: Identifying the Default Management Interface

Identify the default management interface marked as MGMT (Management) on Connectra 9072, and Internal on Connectra 3070 and 270. This interface is preconfigured with the IP address 192.168.1.1.

Step 4: Connecting the Cables and Turning On

1. Connect the power cable.

2. Connect the standard cable to the management/internal port and to the PC.


3. On the back panel, turn on the Power button to start the appliance.

Step 5: Connecting to the Administration User Interface

1. Connect to the administration interface by connecting from a machine on the same network subnet (e.g., with IP address 192.168.1.x and netmask 255.255.255.0) to the administration interface via the LAN cable. This can be changed later through the administration interface.

2. To access the administration interface, initiate a connection from a browser to the default administration IP address: https://192.168.1.1:4433.

3. The login page appears (Figure 3-6). Log in with the default system administrator login name/password: admin/admin, and click Login.

Note - Pop-ups must always be allowed on https://<appliance_ip_address>.


Figure 3-6 The Login page

4. Change the administrator password, as prompted. For security purposes, you must change it to a more secure password.

In the Password recovery login token section, you can download a Login Token that can be used in the event a password is forgotten. It is highly recommended to save and store the password recovery login token file in a safe place.


Step 6: Running the First Time Configuration Wizard

1. The First-Time Configuration Wizard begins to run. The Wizard presents a number of windows, in which you configure the Date and Time, Network Connections, Routing, DNS Servers, Host and Domain Name, and Deployment Type of Connectra.

Click Next.

2. Configure date and time in the Appliance Date and Time Setup window. Click Apply.

Click Next.

3. Configure Network Connections in the Network Connections page.

You may modify the Management/Internal IP address and connectivity will be preserved. A secondary interface is created automatically to preserve connectivity. This interface can be removed after the wizard is completed in the Network > Network Connections page.

Click Next.

4. Configure Routing on the Routing Table page.

Click Next.

5. Set the Host and Domain on the Host and Domain Name page.

The host name must start with a letter and cannot be named Com1, Com2, ... Com9.

Set the DNS servers on the DNS Servers page.

Note - The features configured in the wizard are accessible after completing the wizard via the WebUI menu. The WebUI menu can be accessed by navigating to https://<appliance_ip_address>:4433.


Click Next.

6. Configure the Management type on the Management Type page.

Figure 3-7 Management Type page

Locally Managed Deployment - To configure locally managed Connectra, where Connectra manages itself.

a. Select Locally Managed and click Next.

b. Skip to step 7.

Centrally Managed Deployment - To configure Connectra that is managed centrally from a SmartCenter Console. Clusters are only supported in a centrally managed configuration.

a. Select Centrally Managed and click Next.

b. Configure the Web/SSH and GUI Clients Configuration window as described in step 7. Click Next.

c. Configure the Secure Internal Communication window: enter a SIC Activation Key and remember it, as you will enter it again when configuring the gateway object via SmartDashboard.

Note - In all deployments, SmartConsole can be downloaded and installed on any machine, unless stated otherwise.


d. Continue to “Step 7: Installing the SmartConsole GUI Clients” on page 36.

7. Configure the Web/SSH and GUI Clients Configuration window. Define which IP addresses will be allowed to connect using Web or SSH Clients. These clients will be able to manage the appliance using SmartConsole applications. Enter a comma-separated list of IP addresses from which you will manage Connectra using SmartConsole Applications. Type Any to manage Connectra from anywhere.

These and other advanced configuration options are available via the WebUI menu.

Click Next.

8. Connectra is managed through SmartConsole applications. If you do not have a SmartConsole package application installed, click Start Download and follow the on-screen instructions to download the SmartConsole.

9. Wait while the software is installed.

10. The Summary page appears.

Click Finish to complete the First-Time Configuration Wizard. The machine will automatically restart (this may take several minutes).
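The Web/SSH and GUI Clients value from step 7 decides which source addresses can reach the management interface, so it is worth reviewing before it is typed into the wizard. The following is an added example, not part of the original guide or of any Check Point tool: it audits a comma-separated list of the kind step 7 describes. The function names, the severity labels and the assumption that each entry is either a single IP address or the word Any (matched case-insensitively) are hypothetical.

```python
import ipaddress

# RFC 1918 private ranges; IPv4 entries outside them are reported for review.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample value, not taken from a real appliance.
SAMPLE = "192.168.1.10, 10.0.0.5, Any, 203.0.113.7, 192.168.1.10, 300.1.1.1"


def audit_gui_clients(raw):
    """Audit a comma-separated GUI-clients value as it would be typed in step 7.

    Returns (hosts, findings): the distinct valid addresses in input order,
    and a list of (severity, message) tuples.
    """
    hosts, findings, seen = [], [], set()
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            findings.append(("error", "empty entry (stray comma)"))
        elif item.lower() == "any":
            # Assumption: 'Any' is matched case-insensitively.
            findings.append(("high", "'Any' accepts management connections "
                                     "from every source address"))
        else:
            try:
                addr = ipaddress.ip_address(item)
            except ValueError:
                findings.append(("error", f"not a single IP address: {item!r}"))
                continue
            if addr in seen:
                findings.append(("info", f"duplicate entry: {addr}"))
                continue
            seen.add(addr)
            hosts.append(addr)
            if addr.version == 4 and not any(addr in net for net in RFC1918):
                findings.append(("medium",
                                 f"{addr} is outside the RFC 1918 private ranges"))
    return hosts, findings


def is_covered(raw, workstation):
    """True if the given admin workstation address would be allowed to connect."""
    hosts, findings = audit_gui_clients(raw)
    if any(severity == "high" for severity, _ in findings):
        return True  # 'Any' admits every source
    return ipaddress.ip_address(workstation) in hosts


if __name__ == "__main__":
    hosts, findings = audit_gui_clients(SAMPLE)
    print("allowed hosts:", ", ".join(str(h) for h in hosts))
    for severity, message in findings:
        print(f"[{severity}] {message}")
```
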

Step 7: Installing the SmartConsole GUI Clients

Connectra is managed through SmartConsole applications.

If SmartDashboard was downloaded during the First Time Configuration Wizard, skip to “Step 8: Logging In for the First Time” on page 37.


To download SmartConsole:

1. Access the WebUI menu by navigating to https://<appliance_ip_address>:4433.

2. Log in using the administrator username and password configured in step 4 on page 33.

3. Download the SmartConsole installation package from Product Configuration > Download SmartConsole > Download.

Step 8: Logging In for the First Time

Login Process

Administrators connect to Connectra through SmartDashboard using a process that is common to all SmartConsole clients. In this process, the administrator and Connectra are authenticated, and a secure channel of communication is negotiated.

Authenticating and Fingerprint Comparison

1. Launch SmartDashboard.

2. Enter the administrator username, password, and IP address of Connectra.

3. Manually authenticate Connectra with the Fingerprint presented. This step only takes place during first-time login, since when Connectra is authenticated, the Fingerprint is saved on the SmartConsole machine. The Fingerprint is compared with the Connectra fingerprint which is located in the WebUI in Product Configuration > Certificate Authority.


Step 9: Defining Connectra Objects (Centrally Managed Connectra)

If you are upgrading from a previous version of SmartCenter or Provider-1/SiteManager-1, any Connectra objects or references defined prior to upgrading the SmartCenter or the CMA become host objects and must be redefined after the upgrade.

Define and configure the topology for each gateway, cluster member, and Connectra cluster.

Defining a Connectra Gateway

To define a Connectra gateway:

1. In SmartDashboard, select the Connectra tab.

2. In the Connectra Gateways window, click New and select Connectra Gateway.

The Connectra Properties window opens.

3. In the General Properties page, type the Name and IP Address of the Connectra Gateway that you installed.

4. Click Communication.

The Communication dialog box opens.

5. In the Activation Key field, type the activation key that you set during the Connectra initial configuration. Type it again in the Confirm Activation Key field, then click Initialize.

6. Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established. Click Close.

7. Make sure Connectra NGX R66 appears in the Version field and click OK.


Configuring a Connectra Gateway’s Topology

Each Cluster member should have at least one cluster interface and one synchronization interface. For more information on configuring topology for cluster members, see “Cluster Configuration—Deployment Tips” on page 51 or the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.

To configure the topology of a Connectra gateway:

1. In the Connectra Properties dialog box, select Topology in the navigation tree.

The Topology page opens.

2. Click Get to automatically detect interfaces or Add to manually add interfaces.

When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IP addresses to the object topology, define them manually. After manually adding alias IP addresses to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology.

3. Click OK to return to the main Connectra window.

Defining a Connectra Cluster

After defining each individual Connectra gateway, you can define Connectra Clusters. For more information on configuring topology for cluster members, see “Cluster Configuration—Deployment Tips” on page 51 or the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.

To define a Connectra cluster:

1. In SmartDashboard, select the Connectra tab.

2. In the Connectra Gateways window, click New and select Connectra Cluster.


The Connectra Properties window opens.

3. In the General Properties page, type the Name and IP Address (the virtual IP address of the Cluster interface) of the Connectra Cluster that you are defining.

4. In the navigation tree, select Cluster Members.

5. In the Cluster Members pane, click Add to add each cluster member.

The Cluster Member Properties page opens.

6. Enter each Cluster Member’s Name and IP Address with the highest priority members at the top.

7. Click Communication.

The Communication dialog box opens.

8. In the Activation Key field, type the activation key that you set during the Connectra initial configuration. Type it again in the Confirm Activation Key field, then click Initialize. All cluster members can have the same activation key.

9. Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established. Click Close.

10. Make sure Connectra NGX R66 appears in the Version field and click OK.

Configuring Topology for a Connectra Cluster

For information and instructions on configuring topology for a Connectra Cluster, see the Connectra Cluster Topology Page section of the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.

For brief tips, see “Cluster Configuration—Deployment Tips” on page 51.


Post-Installation Procedures

Step 10: Connecting Connectra to the Network

Connecting a Standalone Connectra

Connect the Connectra network interface to the switch on which the default gateway resides.

Connecting a Connectra Cluster

Refer to Figure 2-3, “Connectra Clustering Topology Example,” on page 21.

When setting up a Connectra cluster, connect the cluster member data interfaces via a switch.

The synchronization network carries the most sensitive data in the organization. Keep it secure by connecting the synchronization interfaces using a cross cable, or a dedicated switch.

Make sure that each network is configured on a separate VLAN, switch or hub.

Step 11: Configuring Access Control

Configure Access Control in Connectra using SmartDashboard.

Access management in Connectra is accomplished by defining users and assigning them to groups, and defining applications and associating them with the groups. In addition, Connectra associates each application with a protection level, a security requirement that the remote user must satisfy before being given access to the application.

Access Control is configured in the following stages:


1. Define applications

2. Define users

3. Define user groups

4. Associate users with groups

5. Associate applications with groups

6. Install the Access Policy

These tasks are described in detail in the Connectra Central Management Administration Guide and the Connectra Local Management Administration Guide. The following sections provide some useful background information.

Defining Applications

Defining an application is about deciding which internal LAN applications to expose to remote users. These typically include:

• Web applications

• File shares

• Native applications

• Citrix applications

• Mail services

Setting Protection Levels for Applications

Connectra associates each application with a protection level. The protection level is a security requirement that the remote user must satisfy before being given access to the application. For example, the user must be authenticated using a certificate.

Defining Users and Groups

Access to internal corporate applications is based on group membership. To access a particular application, remote users must belong to a group with the relevant authorization (as well as satisfy the security requirements of the application). These groups can be defined on Connectra’s internal user database, on LDAP or Radius servers. The LDAP group can be a branch in a tree, or an LDAP group that contains users from different branches.

Associating Applications With Groups

You must associate the applications with groups. This association means authorizing certain user groups to use those applications.

Step 12: Performing a SmartDefense Update (Locally Managed Connectra)

SmartDefense updates add new defense mechanisms to the SmartDefense console, and bring existing defense mechanisms up-to-date.

To update SmartDefense:

1. In the SmartDefense tab, click Online Update.

The update begins and a dialog box notifies you that SmartDefense is being updated from one version number to another.

2. Click Continue to proceed with the update.

3. Enter your User Center username and password.

The available new updates are displayed.

4. Click Download Updates.

You are informed that the SmartDefense content was updated successfully.

Note - Perform a SmartDefense update immediately after installing Connectra so that the networks accessible through Connectra are fully protected.


5. Select Policy > Install Policy to apply the updates.

Step 13: Checking Your Setup

1. After installing the Security Policy, browse to the User portal and log in using the credentials of the defined user. The user portal is at https://<IP address>

2. Verify that you can access the defined application.


Installing the NGX R66 Plug-in

The Connectra NGX R66 Plug-in adds Connectra central management capabilities to an NGX R65 SmartCenter server or Provider-1/SiteManager-1. If you are working in a High Availability environment, install the Plug-in on each member.

Install the R66 Plug-in as part of the following procedures:

• “Installation and Initial Configuration Procedures”: “Step 1: Preparing for Centrally Managed Connectra” on page 26

• “Upgrade to Centrally Managed R66 from R61/62/62CM”: “Setting Up the SmartCenter and Installing the R66 Plug-in” on page 87

• “Upgrading a Connectra Cluster to R66” on page 92

The procedure for installing the R66 Plug-in varies slightly for each platform, but the overall workflow is the same.

Installing the Plug-in on a SmartCenter

The Plug-in for R66 can be installed on a SmartCenter, on the SecurePlatform, Windows, Linux, or Solaris platforms.

In This Section

Installing the Plug-in on a SecurePlatform SmartCenter
Installing the Plug-in on a Windows SmartCenter
Installing the Plug-in on a Linux or Solaris SmartCenter

Installing the Plug-in on a SecurePlatform SmartCenter

To install the Plug-in on a SmartCenter on SecurePlatform:

1. Install SmartCenter server NGX R65.

2. Log in to expert mode by running expert and entering your password.

3. Install the Connectra Plug-in package:

a. Insert CD2 into the SmartCenter Server machine.

b. Mount the CD by running:

mount /dev/cdrom

c. Go to the CD directory by running:

cd /mnt/cdrom

d. Run:

./UnixInstallScript -splat

4. Reboot the machine.

Installing the Plug-in on a Windows SmartCenter

To install the Plug-in on SmartCenter on the Windows platform:

1. Install SmartCenter server NGX R65.

2. Install the Connectra Plug-in package:

a. Insert CD2 into the SmartCenter Server machine.

b. From the root of the CD, run:

Setup.bat

c. Follow the instructions in the wizard.

3. Reboot the machine.

Installing the Plug-in on a Linux or Solaris SmartCenter

To install the Plug-in on a SmartCenter on either Linux or SecurePlatform:

1. Install SmartCenter server NGX R65.

2. Log in to expert mode by running expert and entering your password.

3. Install the Connectra Plug-in package:

a. Insert CD2 into the SmartCenter Server machine.

b. Mount the CD by running:

mount /dev/cdrom

c. Go to the CD directory by running:

cd /mnt/cdrom

d. Run:

./UnixInstallScript

4. Reboot the machine.

Installing the Plug-in on Provider-1/SiteManager-1

The Plug-in for R66 can be installed on Provider-1/SiteManager-1, on the SecurePlatform, Linux, or Solaris platforms.

In This Section

Installing the Plug-in on SecurePlatform Provider-1
Installing the Plug-in on Linux or Solaris Provider-1
Activating the Connectra Plug-in on the CMA

Installing the Plug-in on SecurePlatform Provider-1

To install the Plug-in on Provider-1 on SecurePlatform:

1. Install NGX R65 on the Provider-1/SiteManager-1 Multi Domain Server.

2. Install the Connectra Plug-in package on the Multi-Domain Server:

a. Insert CD2 into the Provider-1/SiteManager-1 Multi Domain Server machine.

b. Mount the CD by running:

mount /dev/cdrom

c. Go to the CD directory by running:

cd /mnt/cdrom

d. Run:

./UnixInstallScript -splat

3. Reboot the machine.

4. For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See “Activating the Connectra Plug-in on the CMA” on page 49.

Installing the Plug-in on Linux or Solaris Provider-1

To install the Plug-in on Provider-1 on Linux:

1. Install Provider-1/SiteManager-1 Multi Domain Server NGX R65.

2. Install the Connectra Plug-in package on the Multi-Domain Server:

a. Insert CD2 into the Provider-1/SiteManager-1 Multi Domain Server machine.

b. Run from the root of the CD:

./UnixInstallScript

3. Reboot the machine.

4. For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See “Activating the Connectra Plug-in on the CMA” on page 49.

Activating the Connectra Plug-in on the CMA

To activate the Connectra Plug-in, use one of the following procedures:

• Create a customer with a Plug-in. In the Add Customer Wizard, in the Management Plug-ins page, activate the Plug-in.

• In the MDG Customer Contents page, either right-click a customer and select Configure Customer, or double-click the customer, go to the Plug-ins tab, and select the Connectra Plug-in.


• From the MDG’s Management Plug-ins View, activate the Plug-in in one of the following ways:

• Right-click a customer and select Activate Plug-in on Customers.

• Right-click the PIConR66 and select Activate this Plug-in.

• Select Activate Plug-in on Customers from the Plug-in menu.

• Click the Plug-in icon on the toolbar.

Uninstalling Connectra Plug-ins

While Connectra R66 cannot be uninstalled from the Connectra gateway machine, you can uninstall the central management capabilities. To do this, you must uninstall both the R62CM Plug-in (where relevant) and the R66 Plug-in for Central Management. See Chapter 6, “Uninstalling Connectra Plug-ins”.


Cluster Configuration—Deployment Tips

This section includes information that will help you understand the process of configuring a Connectra gateway cluster, so that the process is successful and trouble-free.

The Connectra Central Management Administration Guide includes full details of setting up a Connectra cluster. It is strongly recommended that you read the relevant guide before setting up your Connectra cluster.

• Install and configure the Connectra gateway cluster members, as described in “Installation and Configuration Workflow” on page 24.

Licensing

• Ensure all cluster members are licensed for the same number of users. They do not necessarily have to have identical licenses.

• Connectra cluster members must run the same software version.

Cluster and Cluster Member Interfaces

• Communication into the organization for users is done using the virtual IP address of the Cluster Interface, and not the member IP addresses.

• To change the configuration of a cluster member, connect to it directly using the IP address of the cluster member, and not to the virtual IP address of the Cluster Interface.

• In some setups, ClusterXL may wait to disable Network Interfaces that are not in use. For more information see SecureKnowledge solution sk30060.


Interface Configuration

• The synchronization interfaces of the cluster members reside on the SAME subnet.

• The data interfaces of the cluster members must reside on the SAME subnet, DIFFERENT from the synchronization subnet.

• Use different interfaces for the data and synchronization networks.

• On Connectra 3070 and Connectra 270, the recommended setting for the data network is to use External, and for synchronization use Sync/Lan1.

• On Connectra 9072, the recommended setting for the data network is to use Lan1, and for synchronization use Sync.
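The interface rules above can be checked against a planned addressing scheme before any cabling is done. The following is an added example, not part of the original guide or of any Check Point tool: it validates a cluster plan against the Interface Configuration tips. The plan format, function name, rule labels and sample addresses are hypothetical, and overlapping data and synchronization subnets are treated as not being "different".

```python
import ipaddress

# Recommended (data, sync) interface names per model, from the tips above.
RECOMMENDED = {
    "270": ("External", "Sync/Lan1"),
    "3070": ("External", "Sync/Lan1"),
    "9072": ("Lan1", "Sync"),
}


def check_cluster_plan(members):
    """Check a planned cluster against the Interface Configuration tips.

    members: list of dicts with keys name, model, data_if, data_ip, sync_if,
    sync_ip (addresses in CIDR form, e.g. '10.1.1.11/24').
    Returns a list of (rule, detail) tuples; an empty list means no findings.
    """
    problems = []
    data_nets, sync_nets = set(), set()
    for m in members:
        data_nets.add(ipaddress.ip_interface(m["data_ip"]).network)
        sync_nets.add(ipaddress.ip_interface(m["sync_ip"]).network)
        # Data and synchronization traffic must use different interfaces.
        if m["data_if"] == m["sync_if"]:
            problems.append(("SHARED_INTERFACE",
                             f"{m['name']}: data and sync both on {m['data_if']}"))
        rec = RECOMMENDED.get(m["model"])
        if rec and (m["data_if"], m["sync_if"]) != rec:
            problems.append(("NOT_RECOMMENDED",
                             f"{m['name']}: model {m['model']} recommends "
                             f"data={rec[0]}, sync={rec[1]}"))
    # All synchronization interfaces must share one subnet.
    if len(sync_nets) > 1:
        problems.append(("SYNC_SUBNET", "sync interfaces span "
                         + ", ".join(sorted(str(n) for n in sync_nets))))
    # All data interfaces must share one subnet.
    if len(data_nets) > 1:
        problems.append(("DATA_SUBNET", "data interfaces span "
                         + ", ".join(sorted(str(n) for n in data_nets))))
    # The data subnet must differ from the synchronization subnet.
    for d in sorted(data_nets, key=str):
        for s in sorted(sync_nets, key=str):
            if d.overlaps(s):
                problems.append(("DATA_SYNC_OVERLAP",
                                 f"data {d} overlaps sync {s}"))
    return problems


# Constructed sample plans for two Connectra 9072 members.
GOOD_PLAN = [
    {"name": "member-a", "model": "9072", "data_if": "Lan1",
     "data_ip": "10.1.1.11/24", "sync_if": "Sync", "sync_ip": "192.168.50.1/24"},
    {"name": "member-b", "model": "9072", "data_if": "Lan1",
     "data_ip": "10.1.1.12/24", "sync_if": "Sync", "sync_ip": "192.168.50.2/24"},
]
BAD_PLAN = [
    GOOD_PLAN[0],
    {"name": "member-b", "model": "9072", "data_if": "Lan1",
     "data_ip": "10.1.1.12/24", "sync_if": "Lan1", "sync_ip": "10.1.1.200/24"},
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, "plan:")
        for rule, detail in check_cluster_plan(plan) or [("OK", "no findings")]:
            print(f"  {rule}: {detail}")
```
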

Physical Connectivity

• Synchronization in a two-member cluster can be done using a cross-cable between the two members. A cluster with more than two members requires a switch/hub for synchronization.

Configuration

• Cluster member clocks must be synchronized. Use an NTP server or manually synchronize the clocks.

• Connectra clients access Connectra via two IP address/port combinations: one for the Connectra portal and another for SSL Network Extender. If you wish to use the same IP address for both, configure the portal to listen on port 443 and SSL Network Extender to listen on port 444.

Administration

• Cluster members become active after the Access Policy is installed.

SSL Acceleration Card Installation

A hardware-based SSL acceleration card is available to improve the SSL performance of the Connectra gateway. The card speeds up the SSL/TLS public key exchange, and reduces CPU utilization by redirecting CPU-intensive calculations to dedicated hardware.

Enabling the Card

To enable the card on Connectra:

1. From the console, run:

cvpnstop

2. Run:

hw_acceleration start

3. Run:

cvpnstart

Disabling the Card

To disable the card:

1. From the console, run:

cvpnstop

2. Run:

hw_acceleration stop

3. Run:

cvpnstart

Note - The acceleration card is pre-installed on Connectra 9072. It is not available on other Connectra appliances.

SSL Acceleration Card Command Syntax

The following table lists the SSL Acceleration Card commands. The card must be activated before running the diag and stat parameters.

Syntax

hw_acceleration {start | stop | diag | stat}

Table 3-1 SSL Acceleration Card Commands

Parameter   Meaning
start       Enable the card
stop        Disable the card
diag        Check if the card is installed and working properly
stat        Get statistics of card activity


Further Information

For further instructions on configuring the Connectra gateway or a Connectra ClusterXL Load Sharing or High Availability cluster, refer to the Connectra Central Management Administration Guide or Connectra Local Management Administration Guide according to your configuration, or to the online help.


Chapter 4 Connectra Hardware

This chapter provides instructions for installing and removing hardware components on the Connectra appliance.

In This Chapter:

Overview
Customer Replaceable Parts
Restoring Factory Defaults

Overview

This section discusses the hardware components comprising the Connectra appliance.

Front Panel Components
Rear Panel Components


Front Panel Components

This section describes the features and components located on the appliance front panel.

Connectra 270
Connectra 3070
Connectra 9072
LCD Display Screen
Expansion Line Card
Hard Disk Drives


Connectra 270

Table 4-1 Connectra 270 Front Panel Description

Key   Description
1     Internal connection port - Ethernet connection to a remote management workstation
2     External connection port - Ethernet connection to connect outside the organization
3     DMZ connection port - Ethernet connection to the DMZ
4     Sync/Lan1 port - for synchronizing with cluster members or a high availability peer
5     Console port - for a serial connection to the appliance using a terminal emulation program such as HyperTerminal
6     USB ports
7     Power indicator LED
8     LCD screen
9     Screen operation keys


Connectra 3070

Table 4-2 Connectra 3070 Front Panel Description

Key   Description
1     LCD screen
2     Screen operation keys
3     Power indicator LED
4     USB ports
5     Console port - for a serial connection to the appliance using a terminal emulation program such as HyperTerminal
6     Internal connection port - Ethernet connection to a remote management workstation
7     External connection port - Ethernet connection to connect outside the organization
8     DMZ connection port - Ethernet connection to the DMZ
9     Sync/Lan1 port - for synchronizing with cluster members or a high availability peer
10    Built-in Ethernet ports (Lan2 - Lan7)


Connectra 9072

Table 4-1 Connectra 9072 Front Panel Description

Key   Description
1     LCD display screen
2     Management connection port - Ethernet connection to a remote management workstation
3     Synchronization port - for synchronizing with cluster members or a high availability peer
4     Console port - for a serial connection to the appliance using a terminal emulation program such as HyperTerminal
5     USB ports
6     Screen operation keys
7     Power indicator LED
8     Future expansion slot
9     Expansion line card exp1 (2 or 4 ports)
10    Built-in Ethernet ports (Lan1 - Lan8)
11    Expansion line card exp2 (2 or 4 ports)
12    Hard disk drive


LCD Display Screen

Located on the front of the appliance, the LCD panel displays the model of the unit.

The arrow keys scroll the display up and down. The ENTER and ESC keys are intended for future functionality.

Expansion Line CardThe Connectra 9072 appliance contains two optional expansion slots that accommodate two cold-swappable network line cards.

The expansion line card contains two or four ports. The following types of expansion line card are currently available for Connectra 9072:

Table 4-2 Expansion Cards Available for Connectra 9072

Model Description

CPPWR-ACC-4-1C 1000BaseT line card

CPPWR-ACC-4-1SRF 1GbE Multi-mode SR fiber optic line card

CPPWR-ACC-4-1LRF 1GbE Single-mode LR fiber optic line card


Hard Disk Drives

Connectra 3070 and 270 contain one hard disk drive. Connectra 9072 contains two redundant hard disk drives (RAID1).

Figure 4-1 Hard Disk Drives

Hard disk drives are not hot-swappable. You must power the appliance off before attempting to remove or install a hard disk drive.

RAID1 Mirroring

Implemented by a dedicated RAID controller, the Connectra 9072 model performs RAID1 mirroring across two hard disk drives. Mirror rebuild is automatic.


Rear Panel Components

This section describes components located on the rear panel of the appliance.

Main Power Switch

The main power switch controls power to the entire unit.

Redundant Power Supply Units

Located at the right rear of the 9072 appliance, two hot-swappable power supply units provide built-in power redundancy. Each power supply connects to an electric outlet.

Figure 4-2 Redundant Power Supply Units (Connectra 9072 only)

When a power supply fails or is not connected to the outlet, an alarm sounds continuously.


Cooling Fans

Connectra 9072 contains three replaceable cooling fans. Each cooling fan operates independently of the others, providing redundancy in the event of failure.

Figure 4-3 Cooling Fans in Connectra 9072

Connectra 3070 and Connectra 270 contain one cooling fan that is not replaceable.


Customer Replaceable Parts

To ensure maximum availability and ease of maintenance, the Connectra appliance contains the following customer replaceable parts:

• Power supplies

  • Two for Connectra 9072

  • Single power supply for Connectra 3070 and Connectra 270

• Cooling Fans

  • Three for Connectra 9072

  • Single, non-replaceable cooling fan for Connectra 3070 and Connectra 270

• Expansion Line cards (available on Connectra 9072 only)

• Hard Disk Drives

  • Two for Connectra 9072

  • Single hard drive for Connectra 3070 and Connectra 270

Unless directed to do so by Check Point technical support, customers are prohibited by warranty and support agreements from replacing any parts. Customers are prohibited from opening the Connectra case under any circumstances.

Power Supply page 67

Cooling Fan page 68

Expansion Line Card page 69

Hard Disk Drive page 71


Power Supply

This section presents the procedures for removing and installing a power supply unit. Connectra 9072 contains two redundant power supplies.

Figure 4-4 Redundant Power Supply Units

Removing the Power Supply

To remove a power supply unit:

1. If the alarm sounds, press the red alarm button to the right of the power supply. The alarm stops.

2. Remove the power cord.

3. Loosen the retaining screw located above the power socket.

4. Pull the extraction handle to remove the power supply unit.

Note - Use only the extraction handle to remove the power supply unit. To prevent damaging the power supply, do not pull on the retaining screw, power cord clip or any other part of the unit.


Installing the Power Supply

To install a replacement power supply:

1. Insert the power supply into its slot and push firmly until it clicks into place.

2. Tighten the retaining screws.

3. Insert the power cord. Verify that the green LED is illuminated.

Cooling Fan

This section presents the procedures for removing and installing a fan unit. The Connectra 9072 appliance contains three cooling fans. It is not necessary to power off the appliance before adding or removing a fan unit.

Figure 4-5 Cooling Fan


Removing Fan Units

To remove a fan unit:

1. Loosen the four retaining screws in the corners of the fan assembly.

2. Gently pull the fan unit out of the appliance.

Installing Fan Units

To install a fan unit:

1. Insert the fan unit into the appliance. Push firmly until it clicks into place.

2. Tighten the four retaining screws in the corners of the fan assembly.

Expansion Line Card

This section presents the procedures for removing and installing an expansion line card unit. The built-in Ethernet ports (Lan1 - Lan8) are not customer replaceable. For more information on expansion cards, see the Administration Guide Supplement for Connectra Appliances.

• Connectra 9072 has two slots for expansion line cards

Warning - Make certain that you are electromagnetically grounded when performing the following procedures. Static electricity can damage the appliance.


Figure 4-6 Expansion Line Card

Removing Expansion Line Cards

To remove an expansion line card:

1. Power off the appliance and remove the power cords from the power supply units.

2. Loosen the retaining screws on either side of the expansion line card.

3. Holding the screws, pull the expansion line card out of the slot.


Installing Expansion Line Cards

To install an expansion line card:

1. Power off the appliance and remove the power cords from the power supply units.

2. Insert the expansion line card into the slot.

3. Push until the card clicks into place.

4. Tighten the retaining screws on either side of the expansion line card.

Hard Disk Drive

This section covers installing or removing a hard disk drive.

• Connectra 3070 and Connectra 270 contain one hard disk drive.

The Connectra 3070 and Connectra 270 hard disk drive is not hot-swappable. You must power the appliance off before attempting to remove or install the hard disk drive.

• Connectra 9072 contains two hot swappable (RAID-1) hard disk drives.


Figure 4-7 Hard Disk Drives

Removing a Hard Disk Drive

To remove a hard disk drive:

1. Power off the appliance and remove the power cords from the power supply units.

2. Using the key supplied in the toolkit, unlock the drive.

3. Slide the release latch toward the left. The extraction handle springs out.

4. Using the extraction handle, remove the drive from the slot.


Installing a Hard Disk Drive

To install a hard disk drive:

1. Power off the appliance and remove the power cords from the power supply units.

2. Slide the replacement hard disk drive into the slot.

3. Push the extraction handle until it closes and the drive clicks into place.

4. Using the key supplied in the toolkit, lock the new drive in place.


Restoring Factory Defaults

As part of the troubleshooting process, it may be necessary to restore the Connectra appliance to its factory default settings.

A Connectra appliance can be restored to the factory default image:

• Using the WebUI

• Through the console boot menu

• Using the LCD panel

Restoring Using the WebUI

The Connectra appliance contains a default factory image of Connectra NGX R66.

To restore the Connectra appliance to its default factory configuration using the WebUI:

1. In the Connectra WebUI, click Appliance > Image Management.

The Image Management window opens:

Warning - Restoring factory defaults deletes all information on the appliance.


Figure 4-8 Image Management

2. Select the factory defaults image.

3. Click Revert.

Restoring Using the Console Boot Menu

To restore the Connectra appliance to its default factory configuration using the console boot menu:

1. Connect the supplied DB9 serial cable to the console port on the front of the appliance.

2. Connect to Connectra using a terminal emulation program such as Microsoft HyperTerminal, the program used here.

3. In the HyperTerminal Connect To window, select a port from the Connect using list. Define the port settings: 9600 BPS, 8 bits, no parity, 1 stop bit.

4. From the Flow control list, select Hardware.

5. Click Call > Call to connect to the appliance.


6. Switch on Connectra. The appliance begins the boot process and status messages appear in HyperTerminal.

7. During the Connectra boot process, text similar to that shown below appears:

Figure 4-9 Activating the Boot menu in HyperTerminal

At this point, you have approximately four seconds to hit any key to activate the Boot menu.


8. The Boot menu opens. Scroll to the desired Reset to factory defaults image and press Enter.

Figure 4-10 Boot menu in HyperTerminal

Restoring Using the LCD Panel

To restore the appliance to its default factory configuration using the LCD panel at the front of the appliance:

1. Reboot or power on the appliance.

2. When the countdown begins, press any of the four buttons to the right of the LCD panel:

The boot menu appears.


3. Using the arrow buttons, select the Reset to R66 option, and press ENTER:

4. Confirm the reset by pressing the Arrow Up button.

Pressing any other button causes the Action Canceled message to display:

At this point, pressing any key returns you to the boot menu.

5. If you confirmed the reset by pressing the Arrow Up button in step 4, wait for the appliance to restore the factory image.

As the appliance is restored to the R66 default image, a Loading message displays continuously:


When the appliance has been restored to its default factory configuration, the appliance reboots and the initializing message is displayed:


Chapter 5 Upgrading Connectra

In This Chapter

Introduction to Advanced Upgrade page 82

Advanced Upgrade to Locally Managed R66 page 83

Upgrade to Centrally Managed R66 from R61/62/62CM page 87

Upgrading a Connectra Cluster to R66 page 92


Introduction to Advanced Upgrade

Perform an advanced upgrade from Connectra NGX R62 to Connectra NGX R66 in order to migrate to a new Connectra server.

The advanced upgrade procedure involves two machines. The first machine is the working Connectra machine. The new Connectra appliance is the second machine and the configuration of the first machine is imported to it.


Advanced Upgrade to Locally Managed R66

Preparing for Advanced Upgrade to Locally Managed R66

Prepare the new Connectra appliance, to which the Connectra configuration will be imported.

The following conditions must be met:

• IP addresses on the new and old machines must match.

• NIC configuration on new and old machines must match.

The following are not preserved in the upgrade. Be sure to track them so you can re-apply them after Connectra is upgraded:

• Manual changes to Connectra configuration files.

• All settings in the Device menu of the administrator portal.

• The Internal Certificate Authority (ICA).

Advanced Upgrade Procedure to Locally Managed R66

To perform an advanced upgrade from Connectra NGX R62 to locally managed NGX R66:

1. Insert CD1 into the original machine.


2. Type:

    mount /dev/cdrom

3. On the CD, browse to the location of the export utility. Locate the upgrade_export tools in:

    /linux/Utilities/UpgradeTools/

4. Create an exportable configuration file by running the command:

    upgrade_export <path_&_filename_of_tgz>

where <path_and_filename_of_tgz> is the destination path of the configuration (.tgz) file.

5. Wait while the database files are exported.

6. Install new NGX R66 machine as per “Installation and Initial Configuration Procedures” on page 26.

The new machine must have the same IP address as the old machine. The IP address can be changed later.

7. Copy the exported .tgz file via FTP in binary mode to any location on the new Connectra machine.

8. On the new Connectra machine, go to:

    $FWDIR/bin/upgrade_tools

9. Run:

    upgrade_import -n <path_&_filename_of_tgz> <connectra_object_name>


where <path_and_filename_of_tgz> is the destination path of the configuration (.tgz) file and <connectra_object_name> is the name of your Connectra gateway.

10. Reboot.

Completing the Advanced Upgrade to R66

If you made configuration changes by manually editing configuration files before the upgrade:

1. Verify that the functionality of the manual change works properly after the upgrade.

2. If necessary, merge the changes back to the same locations in the upgraded installation.

Reapply all settings under the Appliance menu of the administrator portal (including administrator settings and routing) from the old machine to the new machine.

If there was a mismatch in the primary or secondary IP addresses of the NICs, between the two machines, you must reconfigure IP address assignments for the Portal and SSL Network Extender.

To reconfigure IP address assignments for the Portal and SSL Network Extender:

1. In SmartDashboard, select your Connectra Gateway and click Edit.

2. Select Topology from the navigation tree in the Connectra Properties page.

3. Click Portal Customization settings or VPN Clients settings and edit the machine’s interface.

Note - The configuration (.tgz) file contains your Connectra configuration. It is recommended to back it up on a different machine and delete it from the Connectra machine after completing the import process.
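The upgrade procedure copies the exported .tgz over FTP in binary mode, and the note in this section recommends backing the file up on a different machine and deleting it from the Connectra machine after the import. The shell functions below are an added example, not part of the Check Point guide or its tools: they assume `sha256sum` and `tar` are available on the hosts involved, and every function name, file name and directory is hypothetical.

```shell
#!/bin/sh
# Added example (not Check Point code): integrity and cleanup handling for the
# configuration archive written by upgrade_export. All names are hypothetical.

# Old machine: write a SHA-256 digest beside the exported archive.
# Transfer the .sha256 file together with the archive.
record_digest() {
    dir=$(dirname "$1"); base=$(basename "$1")
    ( cd "$dir" && sha256sum "$base" > "$base.sha256" )
}

# New machine: confirm the archive survived the transfer before importing it.
# Returns 0 if intact, 1 on digest mismatch (for example a transfer that was
# not made in binary mode), 2 if the file is not a readable gzip tar archive.
verify_archive() {
    dir=$(dirname "$1"); base=$(basename "$1")
    ( cd "$dir" && sha256sum -c "$base.sha256" >/dev/null 2>&1 ) || return 1
    tar -tzf "$1" >/dev/null 2>&1 || return 2
    return 0
}

# Backup machine: keep an owner-only copy and re-check it against the digest.
store_backup() {
    src=$1; dest_dir=$2
    mkdir -p "$dest_dir" && chmod 700 "$dest_dir" || return 1
    ( umask 077; cp "$src" "$src.sha256" "$dest_dir/" ) || return 1
    chmod 600 "$dest_dir/$(basename "$src")" || return 1
    verify_archive "$dest_dir/$(basename "$src")"
}

# Connectra machine: once the import has completed, remove the archive
# and its digest so the configuration does not stay on the appliance.
remove_after_import() {
    rm -f "$1" "$1.sha256"
    [ ! -e "$1" ] && [ ! -e "$1.sha256" ]
}

# Walk-through on a constructed stand-in archive (not a real export).
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/old" "$work/new"
    echo "constructed sample configuration" > "$work/old/sample.conf"
    tar -czf "$work/old/connectra_cfg.tgz" -C "$work/old" sample.conf
    record_digest "$work/old/connectra_cfg.tgz"
    cp "$work/old/connectra_cfg.tgz" "$work/old/connectra_cfg.tgz.sha256" "$work/new/"
    verify_archive "$work/new/connectra_cfg.tgz" && echo "transfer verified"
    store_backup "$work/new/connectra_cfg.tgz" "$work/backup" && echo "backup stored"
    remove_after_import "$work/new/connectra_cfg.tgz" && echo "archive removed"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```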


Upgrade to Centrally Managed R66 from R61/62/62CM

Setting Up the SmartCenter and Installing the R66 Plug-in

Important: The SmartCenter should have the Connectra R62CM Plug-in installed and be fully upgraded to R62CM before installing the R66 Plug-in for Central Management. This includes using Connectra’s Configuration Import Utility to import your management configuration to the SmartCenter. For instructions on upgrading to R62CM from R61 or R62, see the Connectra R62CM Getting Started Guide. Follow this link to the Connectra NGX R62CM Upgrade Package or find it on the NGX R66 CD2 under /Utilities/R62CM/.

To install the R66 Plug-in on the R66 SmartCenter or Provider-1/SiteManager-1 CMA:

1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.


Note - We recommend creating a database revision before installing the Connectra NGX R66 Plug-in. See the Check Point R65 SmartCenter Administration Guide for more information.


2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). If upgrading, the SmartDashboard or MDG will automatically update in order to manage Connectra.

3. Install the R66 Plug-in on version R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See “Installing the NGX R66 Plug-in” on page 45.

4. Reboot SmartCenter or Provider-1/SiteManager-1.

5. After the reboot, open SmartDashboard. SmartDashboard displays an additional tab for Connectra.

Note - If your SmartCenter is not already upgraded to R62CM, you must upgrade it before upgrading to centrally managed R66. See “important” above.


Figure 5-1 Smart Dashboard with Centrally Managed Connectra

6. In SmartDashboard, switch to the Connectra tab.

7. If Connectra objects were already defined prior to upgrading SmartCenter or the CMA:

After the upgrade of SmartCenter or the CMA, Connectra objects and references in SmartDashboard become host objects and must be redefined.

8. Define the Connectra objects. (Do not set up Secure Internal Communication (SIC) at this point):


a. Create the Connectra gateway or gateway cluster object.

b. For a Connectra gateway cluster, define cluster members. If there is SIC trust with the cluster members, reset SIC.

c. Define the topology. When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IP addresses to the object topology, define them manually. After manually adding alias IPs to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology.

When defining topology for a Connectra cluster, it is very important that the topology is complete. Make sure you have selected at least one cluster interface and one synchronization interface, and that each cluster member has its interfaces defined.

Setting Up SIC Trust

You must set up a SIC connection between Connectra and the SmartCenter in order for them to communicate.

To set up SIC between the Connectra gateway and the SmartCenter:

1. Connect to the Connectra gateway in one of the following ways:

• Via the Web GUI: Open a Web browser on a machine that has network connectivity to the Connectra, and browse to https://<machine_IP>:4433.

• From the command line: Open an SSH connection to Connectra, or connect to it via a console.

2. Reset SIC (if there was a prior SIC trust) and enter a one time password. Do this in one of two ways:

• Via the Web GUI, go to Product Configuration > SIC, enter the Activation Key and click Initialize.


• From the command line, run cpconfig. Type 6 to select Secure Internal Communication.

3. Complete the SIC trust establishment. Open the Connectra gateway or gateway cluster object in SmartDashboard. In the General Properties page, in the Communication window, enter the same one-time password supplied on the gateway side.

Installing Policy

After you have verified that the SmartCenter and Connectra machine are communicating, select File > Install Policy in SmartDashboard to install the Access policy on the Connectra machine.

Completing the Upgrade by Merging Manual Changes

If you made configuration changes by manually editing configuration files before the upgrade:

1. Verify that the functionality of the manual change works properly after the upgrade.

2. If necessary, merge the changes back to the same locations in the upgraded installation.


Upgrading a Connectra Cluster to R66

Connectra Clusters are only supported on centrally managed R66. If you have R61 or R62 and wish to upgrade to centrally managed R66, you must first upgrade the Cluster member’s Connectra gateways and SmartCenter server to R62CM. For instructions on upgrading to R62CM from R61 or R62, see the Connectra R62CM Getting Started Guide. Follow this link to the Connectra NGX R62CM Upgrade Package or find it on the NGX R66 CD2 under /Utilities/R62CM/.

If you currently have locally supported clusters, see “For Connectra Cluster Users” on page 101 for licensing information.

To upgrade a Connectra cluster from NGX R62CM to NGX R66:

1. Install the R66 Plug-in on the NGX R65 SmartCenter. See “Setting Up the SmartCenter and Installing the R66 Plug-in” on page 87.

2. Upgrade each Connectra gateway, as described in “Upgrade to Centrally Managed R66 from R61/62/62CM” on page 87.

3. Define each cluster member in SmartDashboard. See “Step 9: Defining Connectra Objects (Centrally Managed Connectra)” on page 38 and “Cluster Configuration—Deployment Tips” on page 51.


Chapter 6 Uninstalling Connectra Plug-ins

In This Chapter

Overview page 93

Uninstalling the R66 Plug-in for Central Management page 94

Uninstalling the Connectra NGX R62CM Plug-in page 97

Uninstalling Plug-ins in Provider-1 page 99

Overview

While the Connectra NGX R66 Gateway cannot be uninstalled, the Plug-in for central management can be uninstalled. If you want to uninstall Connectra NGX R66’s central management capabilities, you must uninstall both the R66 Plug-in for Central Management and the R62CM Plug-in from your SmartCenter machines, Log Servers, Eventia Reporter, and any remote objects on which the Plug-ins may have been installed. In a High Availability environment, perform the uninstallations on each member.


Uninstalling the R66 Plug-in for Central Management

Before Uninstalling the R66 Plug-in:

If you have the Connectra NGX R66 Plug-in installed on a SmartCenter, Log Server, Eventia Reporter, or other remote objects, and you want to uninstall the Plug-in from them, you must first do the following:

1. Delete all Connectra objects from SmartDashboard.

2. Synchronize the remote servers’ databases with the SmartCenter by installing the Database on all remote objects that have the Plug-in installed. In the SmartDashboard, select Policy > Install Database for each remote object.

Note - If you do not install the Database, the Plug-in uninstallation on these objects will fail, but it will succeed on the SmartCenter. Therefore, you will not be able to install the Database on the remote objects, nor will you be able to remove the R66 Plug-in from the remote objects.

Uninstalling the R66 Plug-in

1. From the command line, run the pre-uninstall verifier as follows:

In Linux, Solaris, or SecurePlatform:

a. Run:

    cd /opt/CPPIconR66-R65/bin/

b. Run:

    ./plugin_preuninstall_verifier

c. Read the results. If it says you can remove the Plug-in, proceed to step 2.

In Windows:

a. From c:\Program Files\CheckPoint\PIconR66\R66\bin\ run:

    plugin_preuninstall_verifier.exe

2. Remove the R66 Plug-in:

• In Linux or SecurePlatform, run:

    rpm -e CPPIconR65-R66-00

• In Solaris, run:

    pkgrm

  then choose the package number corresponding to CPPIconR65-R66-00.

• In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R66 Plug-in.

3. Restart the system.

Removing the R66 Compatibility Package

Remove the Compatibility Package only after uninstalling the R66 Plug-in.

1. Remove the R66 Compatibility Package as follows:

• In Linux or SecurePlatform, run:

    rpm -e CPCON65CMP-R66-00

• In Solaris, run:

    pkgrm

  then choose the package number corresponding to CPCON65CMP-R66-00.

• In Windows, use Add/Remove Programs to remove the Check Point NGX R66 Connectra Compatibility Package.

2. Restart the system.


Uninstalling the Connectra NGX R62CM Plug-in

To remove the Connectra NGX R62CM Plug-in:

1. From the command line, run the pre-uninstall verifier as follows:

In Linux, Solaris, or SecurePlatform:

a. Run:

    cd /opt/CPPIconnectra-R65/bin/

b. Run:

    ./plugin_preuninstall_verifier

c. Read the results. If it says you can remove the Plug-in, proceed to step 2.

In Windows:

a. From c:\Program Files\CheckPoint\PIconnectra\R65\bin\ run:

    plugin_preuninstall_verifier.exe

2. Remove the R62CM Plug-in:

• In Linux or SecurePlatform, run:

    rpm -e CPPIconnectraR65-R65-00

• In Solaris, run:

    pkgrm

  then choose the package corresponding to CPPIconnectraR65-R65-00.

• In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R62A Plug-in. Also remove the Check Point Plug-in NGX R65_HF_284 if relevant.

3. Restart the system.


Removing the R62CM Compatibility Package

Remove the R62CM Compatibility Package only after uninstalling the R62CM Plug-in.

1. Remove the R62CM Compatibility Package as follows:

• In Linux or SecurePlatform, run:

    rpm -e CPCON62CMP-R65-00

• In Solaris, run:

    pkgrm

  then choose the package corresponding to CPCON62CMP-R65.

• In Windows, use Add/Remove Programs to remove the Check Point NGX R62A Compatibility Package R65.

2. Restart the system.


Uninstalling Plug-ins in Provider-1

Before uninstalling the R66 or R62CM Plug-ins on Provider-1, you must first deactivate the Plug-ins on all customers of the MDS from which you want to remove a Plug-in.

Deactivating Plug-ins on the MDS

To deactivate Plug-ins on the MDS:

1. Go to Management Plug-ins in the selection bar of the MDG.

2. Double-click on a customer.

3. Go to the Plug-ins tab.

4. Select the plug-in to deactivate: PIconR66-R65 for Connectra NGX R66 or PIconnectra for Connectra NGX R62CM.

5. Click Remove.

6. Click OK.

7. Follow the steps in “Uninstalling the R66 Plug-in for Central Management” on page 94 or “Uninstalling the R62CM Plug-in in Provider-1” on page 99.

Uninstalling the R62CM Plug-in in Provider-1

To remove the Connectra Central Management Plug-in on Provider-1:

1. In the Provider-1 MDS, deactivate the Connectra Central Management Plug-in (PIConnectra) on all customers.


2. On the command line, run:

    rm -f /opt/CPPIconnectra-R65/conf/PluginTableTypePairs.conf ; touch /opt/CPPIconnectra-R65/conf/PluginTableTypePairs.conf

3. Run the pre-uninstall verifier:

    /opt/CPPIconnectra-R65/bin/plugin_preuninstall_verifier

4. Remove the Connectra Central Management Plug-in:

• Use rpm -e CPPIconnectra-R65 on Linux and SecurePlatform

• Use pkgrm CPPIconnectra-R65 on Solaris

5. Run mdsstop/mdsstart.


Chapter 7 Registration and Support

In This Chapter

Registration

Support

Where To From Here?

Registration

Connectra requires a specific Check Point license. Obtain a license and register at:

http://register.checkpoint.com/cpapp

For Connectra Cluster Users

Unlike previous versions of Connectra, in Connectra NGX R66, clusters can only be managed centrally, from an R65 SmartCenter or Provider-1 with the Connectra R66 Plug-in.

Customers who:

a. currently have a Connectra High Availability product, or are buying a new such product, and

b. are under a valid service agreement

should find a new product and license named "SmartCenter for Connectra Clusters" in their User Center account. If you are a customer satisfying these two conditions but do not see this new product in your User Center account, please contact Check Point's account services.

This new license entitles customers to install a Check Point SmartCenter R65 on a dedicated server and manage their Connectra clusters from that server. For information on upgrading to centrally managed Connectra R66, see “Upgrading Connectra” on page 81.

Support

For additional technical information about Check Point products, consult the Check Point Support Center at:

http://support.checkpoint.com


Where To From Here?

You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software.

See the Check Point Connectra Central Management Administration Guide or Connectra Local Management Administration Guide on the Media pack CD, or at http://www.checkpoint.com/techsupport/downloads.jsp (username and password required).

Check Point documentation elaborates on this information and is available in PDF format on the Check Point CD as well as on the Technical Support download site at: http://www.checkpoint.com/support/technical/documents.

Be sure to also use our Online Help when you are working with the Check Point SmartConsole clients.


Chapter 8 Notes

The following pages provide space for notes and records related to your Connectra appliance and deployment.

My Connectra Appliance

Host name:

IP address(es):

Network mask:

Default gateway:

DNS servers:

Connectra appliance version:

Installed Hotfixes:


Index

A

Additional Configuration via the Administration Portal 41

C

Centrally Managed Deployment 15, 35
Cluster configuration 51
Configuration Workflow 24
Configuring the Firewall Access Rules 26
Connectra 13

D

Date and Time 34
Defining Applications and Associating them with Groups 42
Defining Users and Groups 42
Deploying Connectra in the DMZ 19
Deploying Connectra on the LAN 20
DNS Server 34

F

Fingerprint 37
Front Panel Components 58

G

Gateway definition 15

H

Hardware 57
    Cooling Fans 64
    Expansion Line Cards 62
    Front Panel 58
    Hard Disk Drives 63
    LCD Display 62
    Power Switch 64
    RAID-1 Mirroring 63
    Redundant Power Supplies 64
    Replaceable Parts 66
Host and Domain Name 34
Hyperterminal 76

I

Implemented 63

L

Locally Managed Deployment 15, 35

M

Management Type 35

N

Network Connections 34

P

Password recovery login token 33

R

Registration 101
Restoring Factory Defaults 74
Restoring using Boot Menu 75
Restoring Using WebUI 74
Routing Table 34

S

Secure Internal Communication (SIC) 35
Security Policy 15
SmartCenter Server 15
SmartConsole 15
SmartDashboard 15
SSL acceleration card 53
Support 102

W

Web/SSH and GUI Clients 35, 36