Connectra ApplianceGetting Started Guide
NGX R66
702365 November 5, 2008
Health and Safety Information
Read the following warnings before setting up or using the appliance.
To prevent damage to any system board, it is important to handle it with care. The following measures are generally sufficient to protect your equipment from static electricity discharge:
• When handling the board, use a grounded wrist strap designed for static discharge elimination.
• Touch a grounded metal object before removing the board from the antistatic bag.
• Handle the board by its edges only. Do not touch its components, peripheral chips, memory modules or gold contacts.
• When handling processor chips or memory modules, avoid touching their pins or gold edge fingers.
• Restore the communications appliance system board and peripherals back into the antistatic bag when they are not in use or not installed in the chassis. Some circuitry on the system board can continue operating even though the power is switched off.
• Under no circumstances should the Lithium battery cell used to power the real-time clock be allowed to short. The battery cell may heat up under these conditions and present a burn hazard.
Warning - Do not block air vents. A minimum 1/2-inch clearance is required.
Warning - This appliance does not contain any user-serviceable parts. Do not remove any covers or attempt to gain access to the inside of the product. Opening the device or modifying it in any way has the risk of personal injury and will void your warranty. The following instructions are for trained service personnel only.
Warning - DANGER OF EXPLOSION IF BATTERY IS INCORRECTLY REPLACED. REPLACE ONLY WITH SAME OR EQUIVALENT TYPE RECOMMENDED BY THE MANUFACTURER. DISCARD USED BATTERIES ACCORDING TO THE MANUFACTURER'S INSTRUCTIONS.
• Disconnect the system board power supply from its power source before you connect or disconnect cables or install or remove any system board components. Failure to do this can result in personal injury or equipment damage.
• Avoid short-circuiting the lithium battery; this can cause it to superheat and cause burns if touched.
• Do not operate the processor without a thermal solution. Damage to the processor can occur in seconds.
© 2003-2008 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.
For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.
Contents
Chapter 1 Introduction to Connectra
Welcome page 12
Overview page 13
Shipping Carton Contents page 14
Terminology page 15
Chapter 2 Deploying Connectra
Deployment Overview page 18
Deploying Connectra in the DMZ page 19
Deploying Connectra on a LAN page 20
Deploying a Connectra Cluster page 21
Chapter 3 Installing and Configuring Connectra
Installation and Configuration Workflow page 24
  Installation and Initial Configuration Stages page 24
Installation and Initial Configuration Procedures page 26
  Step 1: Preparing for Centrally Managed Connectra page 26
  Step 2: Installing Connectra page 28
  Step 3: Identifying the Default Management Interface page 31
  Step 4: Connecting the Cables and Turning On page 31
  Step 5: Connecting to the Administration User Interface page 32
  Step 6: Running the First Time Configuration Wizard page 34
  Step 7: Installing the SmartConsole GUI Clients page 36
  Step 8: Logging In for the First Time page 37
  Step 9: Defining Connectra Objects (Centrally Managed Connectra) page 38
Post-Installation Procedures page 41
  Step 10: Connecting Connectra to the Network page 41
  Step 11: Configuring Access Control page 41
  Step 12: Performing a SmartDefense Update (Locally Managed Connectra) page 43
  Step 13: Checking Your Setup page 44
Installing the NGX R66 Plug-in page 45
  Installing the Plug-in on a SmartCenter page 45
  Installing the Plug-in on Provider-1/SiteManager-1 page 47
  Uninstalling Connectra Plug-ins page 50
Cluster Configuration—Deployment Tips page 51
SSL Acceleration Card Installation page 53
  Enabling the Card page 53
  Disabling the Card page 53
  SSL Acceleration Card Command Syntax page 54
Further Information page 55
Chapter 4 Connectra Hardware
Overview page 57
  Front Panel Components page 58
  Rear Panel Components page 64
Customer Replaceable Parts page 66
  Power Supply page 67
  Cooling Fan page 68
  Expansion Line Card page 69
  Hard Disk Drive page 71
Restoring Factory Defaults page 74
  Restoring Using the WebUI page 74
  Restoring Using the Console Boot Menu page 75
  Restoring Using the LCD Panel page 77
Chapter 5 Upgrading Connectra
Introduction to Advanced Upgrade page 82
Advanced Upgrade to Locally Managed R66 page 83
  Preparing for Advanced Upgrade to Locally Managed R66 page 83
  Advanced Upgrade Procedure to Locally Managed R66 page 83
  Completing the Advanced Upgrade to R66 page 85
Upgrade to Centrally Managed R66 from R61/62/62CM page 87
  Setting Up the SmartCenter and Installing the R66 Plug-in page 87
  Setting Up SIC Trust page 90
  Installing Policy page 91
  Completing the Upgrade by Merging Manual Changes page 91
Upgrading a Connectra Cluster to R66 page 92
Chapter 6 Uninstalling Connectra Plug-ins
Overview page 93
Uninstalling the R66 Plug-in for Central Management page 94
  Before Uninstalling the R66 Plug-in page 94
  Uninstalling the R66 Plug-in page 94
  Removing the R66 Compatibility Package page 95
Uninstalling the Connectra NGX R62CM Plug-in page 97
  Removing the R62CM Compatibility Package page 98
Uninstalling Plug-ins in Provider-1 page 99
  Deactivating Plug-ins on the MDS page 99
  Uninstalling the R62CM Plug-in in Provider-1 page 99
Chapter 7 Registration and Support
Registration page 101
  For Connectra Cluster Users page 101
Support page 102
Where To From Here? page 103
Chapter 8 Notes
My Connectra Appliance page 105
Index page 109
Chapter 1 Introduction to Connectra
In This Chapter
Welcome page 12
Overview page 13
Shipping Carton Contents page 14
Terminology page 15
Welcome
Thank you for choosing Check Point’s Connectra appliance. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up to date and secure solutions available today.
Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment.
For additional information on the NGX Internet Security Product Suite and other security solutions, refer to: http://www.checkpoint.com or call Check Point at 1(800) 429-4391. For additional technical information, refer to: http://support.checkpoint.com.
Welcome to the Check Point family. We look forward to meeting all of your current and future network, application, and management security needs.
Overview
Check Point Connectra is a comprehensive and unified remote access solution that makes corporate applications and network resources securely available to mobile and remote users. With Connectra NGX R66, remote and mobile employees, contractors, business partners, and customers can access network resources and applications through either a lightweight VPN client or simply through a Web browser. By unifying SSL and IPSec VPN technologies into a single gateway and management console, Connectra provides flexible access for end users and simple, streamlined deployment for the IT organization.
Connectra offers administrators tight access controls to help ensure that only authorized users using clean hosts will gain access to corporate resources. To that end, Connectra features multiple strong authentication methods and tight integration with directory services. Comprehensive endpoint security capabilities enable malware scans and compliance checks. A virtual Secure Workspace provides session confidentiality on both managed and unmanaged endpoints, such as laptops, home PCs, internet kiosks, and more.
Connectra can be deployed as either a turnkey appliance, as software on open servers, or as a virtual machine on VMware ESX Server. Connectra gateways can be managed either locally or centrally through a single Check Point SMART management console, reducing the administration time required to configure, monitor, update, and audit remote access policies.
Shipping Carton Contents
This section describes the contents of the shipping carton.
Table 1-1 Contents of the Shipping Carton
• Appliance: A single Connectra appliance: Connectra 3070, Connectra 270 or Connectra 9072.
• Rack Mounting Accessories: Hardware mounting kit.
• Cables: Power cable/s (1 for Connectra 3070 or 270, 2 for Connectra 9072); 1 standard RJ-45 network cable; 1 serial console cable; 1 RJ-45 loopback plug.
• CD: Includes the Getting Started Guide, the Connectra Local Management Administration Guide, the Connectra Central Management Administration Guide, and the Connectra Appliance Administration Guide Supplement.
• Certifications, Regulations and Documentation: Certification data sheet and user license agreement.
Terminology
The following Connectra terms are used throughout this chapter:
• Gateway: The Connectra engine that enforces the organization’s access policy and acts as a remote access server.
• Access Policy: The policy created by the system administrator that makes corporate applications and network resources securely available to mobile and remote users.
• SmartCenter Server: The server used by the system administrator to manage the access policy in a centrally managed deployment. The organization’s databases and access policies are stored on the SmartCenter server and downloaded to the gateway.
• SmartConsole: GUI applications that are used to manage various aspects of access policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.
• SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the access policy.
• Locally Managed Deployment: When all Check Point components responsible for both the management and enforcement of the access policy (the SmartCenter server and the gateway) are installed on the same machine.
• Centrally Managed Deployment: When the gateway and the SmartCenter server are installed on separate machines.
• Management Plug-ins: Management plug-ins allow you to dynamically add new features and support for new products. Plug-ins supply new and separate packages that consist only of those components necessary for managing new gateway products or specific features, thus avoiding a full upgrade to the next release.
Chapter 2 Deploying Connectra
In This Chapter
Deployment Overview page 18
Deploying Connectra in the DMZ page 19
Deploying Connectra on a LAN page 20
Deploying a Connectra Cluster page 21
Deployment Overview
In general, it is recommended to deploy Connectra in the DMZ. Connectra can, however, also be deployed in other places, such as on the internal LAN. In both scenarios, SSL termination takes place at the Connectra Gateway. Web Intelligence, Application Intelligence, authentication, and authorization schemes on the Connectra Gateway are employed to protect the internal network and to inspect the traffic for harmful content before it reaches the internal servers.
Connectra differs from other remote access solutions in that it has gateway based application-level and network-level protection. For example, it incorporates the Malicious Code Protector to protect against worms.
Deploying Connectra in the DMZ
Figure 2-1 shows a typical Connectra deployment in the DMZ:
Figure 2-1 Connectra Deployment in the DMZ
When Connectra is placed in the DMZ, traffic initiated both from the Internet and from the LAN to Connectra is subject to firewall restrictions. By deploying Connectra in the DMZ, the need to enable direct access from the Internet to the LAN is avoided. Remote users initiate an SSL connection to the Connectra Gateway. The firewall must be configured to allow traffic from the user to the Connectra server, where SSL termination, Web and Application Intelligence inspection, authentication, and authorization take place. Requests are then forwarded to the internal servers via the firewall. Administration traffic is always SSL encrypted.
Deploying Connectra on a LAN
Figure 2-2 shows how Connectra can be deployed on the LAN alongside the internal servers:
Figure 2-2 Connectra Deployment in the LAN
The remote user opens a browser and initiates an HTTPS request to the Connectra server. The SSL connection is terminated within the LAN and the clear text requests are forwarded to the internal servers. The internal servers reply “in the clear” to Connectra, which encrypts the reply back to the remote user. In the scenario shown in Figure 2-2, the perimeter firewall must be configured to allow encrypted SSL traffic to Connectra.
In this scenario, the SSL VPN traffic passes through the Firewall as encrypted traffic, thus unavailable for inspection with traditional solutions. With Connectra, the network is fully protected with Application Intelligence and Web Intelligence.
Deploying a Connectra Cluster
Figure 2-3 shows a two-member Connectra cluster. Typically, the cluster is deployed behind the DMZ interface of a firewall, with the application servers behind the firewall in the internal networks.
Figure 2-3 Connectra Clustering Topology Example
Each cluster member has two interfaces: one data interface leading to the organization and to the Internet, and a second interface for synchronization. Each interface is on a different subnet.
• One subnet for data (in Figure 2-3, 10.0.0.1 for Member A and 10.0.0.2 for Member B).
• One subnet for synchronization (10.0.10.1 for Member A and 10.0.10.2 for Member B).
See “Cluster Configuration—Deployment Tips” on page 51 for more information about Connectra clusters.
Note - Clusters are not supported in locally managed R66.
Chapter 3 Installing and Configuring Connectra
In This Chapter
Installation and Configuration Workflow page 24
Installation and Initial Configuration Procedures page 26
Post-Installation Procedures page 41
Installing the NGX R66 Plug-in page 45
Cluster Configuration—Deployment Tips page 51
SSL Acceleration Card Installation page 53
Further Information page 55
Installation and Configuration Workflow
Getting started with Connectra involves installation and initial configuration, followed by detailed configuration to meet your needs.
The following workflow outline and detailed instructions apply to a:
• Centrally managed Connectra gateway, including those that will be part of a Connectra Cluster.
• Locally managed Connectra gateway
To upgrade from a previous version, see chapter 5, “Upgrading Connectra” on page 81.
For more information about Clusters, see “Cluster Configuration—Deployment Tips” on page 51. Note that Clusters are not supported in locally managed Connectra NGX R66.
Installation and Initial Configuration Stages
The installation and configuration of Connectra are performed in the following stages:
Installation
1. If you are installing centrally managed Connectra:
a. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 MDS to NGX R65 and install the Connectra R66 SmartCenter Plug-in using the CD.
b. Configure relevant firewall access rules.
2. Install Connectra.
3. Identify the Default Management Interface.
4. Connect the cables and turn on.
5. Connect to the Administration User Interface.
6. Run the First Time Configuration Wizard and automatically install the Connectra package.
7. Install the SmartConsole GUI Clients.
8. Log in to SmartDashboard for the first time.
9. If you are installing centrally managed Connectra, define Connectra objects in SmartDashboard.
Post-Installation Procedures
After completing the installation, configure Connectra as follows:
10. Connect Connectra to the network.
11. Configure Access Control.
12. If you are setting up locally managed Connectra, perform a SmartDefense Update.
13. Check your setup.
For Connectra 9072, you can also enable the SSL acceleration card. See “SSL Acceleration Card Installation” on page 53.
Installation and Initial Configuration Procedures
Step 1: Preparing for Centrally Managed Connectra
Step A: Setting Up SmartCenter and Installing the Plug-in (Centrally Managed Only)
To set up the SmartCenter and install the NGX R66 Plug-in:
1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.
2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). It is recommended to use the latest MDG, which is found on CD2 in the MDG directory.
3. Install the Connectra NGX R66 Plug-in on version NGX R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See “Installing the NGX R66 Plug-in” on page 45.
Step B: Configuring Firewall Access Rules
Configure the firewall according to the chosen deployment. The exact set of rules depends on the selected setup and the services that Connectra will provide. A typical Security Rule Base configuration, on VPN-1 Pro, is described herein:
FireWall Rules for Connectra in a DMZ
The rules listed in Figure 3-1 apply to the deployment shown in Figure 2-1, “Connectra Deployment in the DMZ,” on page 19.
Figure 3-1 Rules for Deploying Connectra in the DMZ
Rule 1
Source: Admin host
Destination: Connectra
Service: HTTPS (TCP/4433)
Action: Accept
Comment: Administrator access (encrypted).
Rule 2
Source: Any
Destination: Connectra
Service: HTTP (TCP/80), HTTPS (TCP/443), SSL (TCP/444) (or the port on which the SSL Network Extender server is configured), IKE_NAT_TRAVERSAL (UDP/4500). This is used by Endpoint
Action: Accept
Comment: End user access to portal: Web applications, File sharing, Web mail. Sessions initiated using HTTP are redirected automatically to HTTPS. All actual communication is encrypted.
Rule 3
Source: Connectra
Destination: LAN
Service: HTTP (TCP/80), HTTPS (TCP/443), nbsession (TCP/139), microsoft-ds (TCP/445), nbdatagram (TCP/138), nbname (TCP/137), IMAP (TCP/143), SMTP (TCP/25), and all additional network applications that are made accessible via the SSL Network Extender.
Action: Accept
Comment: Connectra to LAN for: Web applications, File sharing, Web mail.
You may need other rules, depending on your configuration:
• Connectra requires access to DNS servers, and possibly to WINS servers.
• For backups, Connectra may need access to a TFTP or SCP server.
• Connectra may need access to the SmartCenter Server or to a Customer Log Module (CLM), in order to send logs to a remote log server.
• For authentication, Connectra may need access to LDAP, RADIUS and ACE servers.
• Connectra may need access to an NTP server for clock synchronization purposes.
FireWall Rule for Connectra in a LAN
If you choose to deploy Connectra in the LAN, as in Figure 2-2, “Connectra Deployment in the LAN,” on page 20, rule 3 is not needed.
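The DMZ rule base of Figure 3-1 and its LAN variant (rule 3 omitted), as an added first-match evaluator for checking sample flows offline; this is example code written for this guide's rules, not Check Point's own, and the object names Admin host, Connectra, LAN and Internet host are assumed placeholders for the firewall objects.

```python
# Added example, not from the Check Point guide: a first-match evaluator
# for the Figure 3-1 Security Rule Base, so the DMZ rules (and the LAN
# variant, which omits rule 3) can be checked against sample flows offline.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "Any"  # matches every object, like the Any object in SmartDashboard


@dataclass(frozen=True)
class Service:
    proto: str  # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Rule:
    number: int
    source: str
    destination: str
    services: FrozenSet[Service]
    action: str
    comment: str


def svc(proto: str, *ports: int) -> FrozenSet[Service]:
    return frozenset(Service(proto, p) for p in ports)


# Services as listed in Figure 3-1 (TCP/444 is the default SSL Network
# Extender port; TCP/4433 is the appliance WebUI).
ADMIN_SERVICES = svc("tcp", 4433)
PORTAL_SERVICES = svc("tcp", 80, 443, 444) | svc("udp", 4500)
LAN_SERVICES = svc("tcp", 80, 443, 139, 445, 138, 137, 143, 25)


def connectra_rulebase(deployment: str = "dmz") -> List[Rule]:
    """Rules 1-3 for the DMZ deployment; the LAN deployment needs no rule 3
    because Connectra-to-server traffic does not cross the firewall."""
    rules = [
        Rule(1, "Admin host", "Connectra", ADMIN_SERVICES, "Accept",
             "Administrator access (encrypted)"),
        Rule(2, ANY, "Connectra", PORTAL_SERVICES, "Accept",
             "End user access to portal; HTTP is redirected to HTTPS"),
    ]
    if deployment == "dmz":
        rules.append(Rule(3, "Connectra", "LAN", LAN_SERVICES, "Accept",
                          "Connectra to LAN: Web applications, file sharing, Web mail"))
    elif deployment != "lan":
        raise ValueError("deployment must be 'dmz' or 'lan'")
    return rules


def match(rulebase: List[Rule], source: str, destination: str,
          proto: str, port: int) -> Tuple[str, Optional[int]]:
    """The first matching rule decides; no match means the implicit cleanup
    rule drops the connection."""
    wanted = Service(proto.lower(), port)
    for rule in rulebase:
        src_ok = rule.source in (ANY, source)
        dst_ok = rule.destination in (ANY, destination)
        if src_ok and dst_ok and wanted in rule.services:
            return rule.action, rule.number
    return "Drop", None


def exposed_to_any(rulebase: List[Rule], destination: str) -> List[Tuple[str, int]]:
    """Services on `destination` reachable from Any, i.e. from unauthenticated
    Internet sources; a quick check that the admin port is not among them."""
    ports = set()
    for rule in rulebase:
        if rule.source == ANY and rule.destination == destination and rule.action == "Accept":
            ports.update((s.proto, s.port) for s in rule.services)
    return sorted(ports)


if __name__ == "__main__":
    dmz = connectra_rulebase("dmz")
    # Constructed sample flows: (source, destination, proto, port).
    flows = [("Internet host", "Connectra", "tcp", 443),
             ("Internet host", "Connectra", "tcp", 4433),
             ("Internet host", "LAN", "tcp", 80),
             ("Connectra", "LAN", "tcp", 445)]
    for f in flows:
        print(f, "->", match(dmz, *f))
    print("reachable from Any on Connectra:", exposed_to_any(dmz, "Connectra"))
```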
Step 2: Installing Connectra
Ear Mount Installation
The Connectra appliance ships with two ear mount kits, and screws of the type shown in Figure 3-2:
Figure 3-2 Ear Mount Screws
One ear mount fits on each side of the chassis.
To assemble the ear mounts:
1. Take out the L shape ear mount kits.
2. Place the side with four holes against the chassis. The side with two holes faces outward, as shown in Figure 3-3.
Figure 3-3 Ear Mounts
3. Fasten the four retaining screws on each ear mount.
4. Fasten the two screws which connect the ear mount to the handle.
Installing Connectra in the Rack
Install the system in the rack with the network ports facing the front of the rack.
Figure 3-4 Installing Connectra 9072
Figure 3-5 Installing Connectra 3070 and 270
Step 3: Identifying the Default Management Interface
Identify the default management interface marked as MGMT (Management) on Connectra 9072, and Internal on Connectra 3070 and 270. This interface is preconfigured with the IP address 192.168.1.1.
Step 4: Connecting the Cables and Turning On
1. Connect the power cable.
2. Connect the standard RJ-45 network cable to the management/internal port and to the PC.
3. On the back panel, turn on the Power button to start the appliance.
Step 5: Connecting to the Administration User Interface
1. Connect a machine on the same network subnet as the administration interface (e.g., with IP address 192.168.1.x and netmask 255.255.255.0) to the administration interface via the LAN cable. The interface address can be changed later through the administration interface.
2. To access the administration interface, initiate a connection from a browser to the default administration IP address: https://192.168.1.1:4433.
3. The login page appears (Figure 3-6). Log in with the default system administrator login name/password: admin/admin, and click Login.
Note - Pop-ups must always be allowed on https://<appliance_ip_address>.
Figure 3-6 The Login page
4. Change the administrator password, as prompted. For security purposes, you must change it to a more secure password.
In the Password recovery login token section, you can download a Login Token that can be used in the event a password is forgotten. It is highly recommended to save and store the password recovery login token file in a safe place.
Step 6: Running the First Time Configuration Wizard
1. The First-Time Configuration Wizard begins to run. The Wizard presents a number of windows, in which you configure the Date and Time, Network Connections, Routing, DNS Servers, Host and Domain Name, and Deployment Type of Connectra.
Click Next.
2. Configure date and time in the Appliance Date and Time Setup window. Click Apply.
Click Next.
3. Configure Network Connections in the Network Connections page.
You may modify the Management/Internal IP address and connectivity will be preserved. A secondary interface is created automatically to preserve connectivity. This interface can be removed after the wizard is completed in the Network > Network Connections page.
Click Next.
4. Configure Routing on the Routing Table page.
Click Next.
5. Set the Host and Domain on the Host and Domain Name page.
The host name must start with a letter and cannot be named Com1, Com2, ..., Com9.
Set the DNS servers on the DNS Servers page.
Note - The features configured in the wizard are accessible after completing the wizard via the WebUI menu. The WebUI menu can be accessed by navigating to https://<appliance_ip_address>:4433.
Click Next.
6. Configure the Management type on the Management Type page.
Figure 3-7 Management Type page
Locally Managed Deployment - To configure locally managed Connectra, where Connectra manages itself.
a. Select Locally Managed and click Next.
b. Skip to step 7.
Centrally Managed Deployment - To configure Connectra that is managed centrally from a SmartCenter Console. Clusters are only supported in a centrally managed configuration.
a. Select Centrally Managed and click Next.
b. Configure the Web/SSH and GUI Clients Configuration window as described in step 7. Click Next.
c. Configure the Secure Internal Communication window: enter a SIC Activation Key and remember it, as you will enter it again when configuring the gateway object via SmartDashboard.
Note - In all deployments, SmartConsole can be downloaded and installed on any machine, unless stated otherwise.
d. Continue to “Step 7: Installing the SmartConsole GUI Clients” on page 36.
7. Configure the Web/SSH and GUI Clients Configuration window. Define which IP addresses will be allowed to connect using Web or SSH Clients. These clients will be able to manage the appliance using SmartConsole applications. Enter a comma-separated list of IP addresses from which you will manage Connectra using SmartConsole Applications. Type Any to manage Connectra from anywhere.
These and other advanced configuration options are available via the WebUI menu.
Click Next.
8. Connectra is managed through SmartConsole applications. If you do not have a SmartConsole package application installed, click Start Download and follow the on-screen instructions to download the SmartConsole.
9. Wait while the software is installed.
10. The Summary page appears.
Click Finish to complete the First-Time Configuration Wizard. The machine will automatically restart (this may take several minutes).
Step 7: Installing the SmartConsole GUI Clients
Connectra is managed through SmartConsole applications.
If SmartDashboard was downloaded during the First Time Configuration Wizard, skip to “Step 8: Logging In for the First Time” on page 37.
To download SmartConsole:
1. Access the WebUI menu by navigating to https://<appliance_ip_address>:4433.
2. Log in using the administrator username and password configured in step 4 on page 33.
3. Download the SmartConsole installation package from Product Configuration > Download SmartConsole > Download.
Step 8: Logging In for the First Time
Login Process
Administrators connect to Connectra through SmartDashboard using a process that is common to all SmartConsole clients. In this process, the administrator and Connectra are authenticated, and a secure channel of communication is negotiated.
Authenticating and Fingerprint Comparison
1. Launch SmartDashboard.
2. Enter the administrator username, password, and IP address of Connectra.
3. Manually authenticate Connectra with the Fingerprint presented. This step only takes place during first-time login, since once Connectra is authenticated, the Fingerprint is saved on the SmartConsole machine. Compare the Fingerprint presented with the Connectra fingerprint located in the WebUI in Product Configuration > Certificate Authority.
Step 9: Defining Connectra Objects (Centrally Managed Connectra)
If you are upgrading from a previous version of SmartCenter or Provider-1/SiteManager-1, any Connectra objects or references defined prior to upgrading the SmartCenter or the CMA become host objects and must be redefined after the upgrade.
Define and configure the topology for each gateway, cluster member, and Connectra cluster.
Defining a Connectra Gateway
To define a Connectra gateway:
1. In SmartDashboard, select the Connectra tab.
2. In the Connectra Gateways window, click New and select Connectra Gateway.
The Connectra Properties window opens.
3. In the General Properties page, type the Name and IP Address of the Connectra Gateway that you installed.
4. Click Communication.
The Communication dialog box opens.
5. In the Activation Key field, type the activation key that you set during the Connectra initial configuration. Type it again in the Confirm Activation Key field, then click Initialize.
6. Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established. Click Close.
7. Make sure Connectra NGX R66 appears in the Version field and click OK.
Configuring a Connectra Gateway’s Topology
Each Cluster member should have at least one cluster interface and one synchronization interface. For more information on configuring topology for cluster members, see “Cluster Configuration—Deployment Tips” on page 51 or the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.
To configure the topology of a Connectra gateway:
1. In the Connectra Properties dialog box, select Topology in the navigation tree.
The Topology page opens.
2. Click Get to automatically detect interfaces or Add to manually add interfaces.
When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IP addresses to the object topology, define them manually. After manually adding alias IP addresses to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology.
3. Click OK to return to the main Connectra window.
Defining a Connectra Cluster
After defining each individual Connectra gateway, you can define Connectra Clusters. For more information on configuring topology for cluster members, see “Cluster Configuration—Deployment Tips” on page 51 or the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.
To define a Connectra cluster:
1. In SmartDashboard, select the Connectra tab.
2. In the Connectra Gateways window, click New and select Connectra Cluster.
The Connectra Properties window opens.
3. In the General Properties page, type the Name and IP Address (the virtual IP address of the Cluster interface) of the Connectra Cluster that you are defining.
4. In the navigation tree, select Cluster Members.
5. In the Cluster Members pane, click Add to add each cluster member.
The Cluster Member Properties page opens.
6. Enter each Cluster Member’s Name and IP Address with the highest priority members at the top.
7. Click Communication.
The Communication dialog box opens.
8. In the Activation Key field, type the activation key that you set during the Connectra initial configuration. Type it again in the Confirm Activation Key field, then click Initialize. All cluster members can have the same activation key.
9. Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established. Click Close.
10. Make sure Connectra NGX R66 appears in the Version field and click OK.
Configuring Topology for a Connectra Cluster
For information and instructions on configuring topology for a Connectra Cluster, see the Connectra Cluster Topology Page section of the Connectra Gateway Clusters chapter of the Connectra Central Management Administration Guide.
For brief tips, see “Cluster Configuration—Deployment Tips” on page 51.
Post-Installation Procedures
Step 10: Connecting Connectra to the Network
Connecting a Standalone Connectra
Connect the Connectra network interface to the switch on which the default gateway resides.
Connecting a Connectra Cluster
Refer to Figure 2-3, “Connectra Clustering Topology Example,” on page 21.
When setting up a Connectra cluster, connect the cluster member data interfaces via a switch.
The synchronization network carries the most sensitive data in the organization. Keep it secure by connecting the synchronization interfaces using a cross cable, or a dedicated switch.
Make sure that each network is configured on a separate VLAN, switch or hub.
Step 11: Configuring Access Control
Configure Access Control in Connectra using SmartDashboard.
Access management in Connectra is accomplished by defining users and assigning them to groups, and defining applications and associating them with the groups. In addition, Connectra associates each application with a protection level, a security requirement that the remote user must satisfy before being given access to the application.
Access Control is configured in the following stages:
1. Define applications
2. Define users
3. Define user groups
4. Associate users with groups
5. Associate applications with groups
6. Install the Access Policy
These tasks are described in detail in the Connectra Central Management Administration Guide and the Connectra Local Management Administration Guide. The following sections provide some useful background information.
Defining Applications
Defining an application is about deciding which internal LAN applications to expose to remote users. These typically include:
• Web applications
• File shares
• Native applications
• Citrix applications
• Mail services
Setting Protection Levels for Applications
Connectra associates each application with a protection level. The protection level is a security requirement that the remote user must satisfy before being given access to the application. For example, the user must be authenticated using a certificate.
Defining Users and Groups
Access to internal corporate applications is based on group membership. To access a particular application, remote users must belong to a group with the relevant authorization (as well as satisfy the security requirements of the application). These groups can be defined in Connectra’s internal user database, or on LDAP or RADIUS servers. The LDAP group can be a branch in a tree, or an LDAP group that contains users from different branches.
Associating Applications With Groups
You must associate the applications with groups. This association means authorizing certain user groups to use those applications.
Step 12: Performing a SmartDefense Update (Locally Managed Connectra)
SmartDefense updates add new defense mechanisms to the SmartDefense console, and bring existing defense mechanisms up-to-date.
To update SmartDefense:
1. In the SmartDefense tab, click Online Update.
The update begins and a dialog box notifies you that SmartDefense is being updated from one version number to another.
2. Click Continue to proceed with the update.
3. Enter your User Center username and password.
The available new updates are displayed.
4. Click Download Updates.
You are informed that the SmartDefense content was updated successfully.
5. Select Policy > Install Policy to apply the updates.
Note - Perform a SmartDefense update immediately after installing Connectra so that the networks accessible through Connectra are fully protected.
Step 13: Checking Your Setup
1. After installing the Security Policy, browse to the User portal and log in using the credentials of the defined user. The user portal is at https://<IP address>
2. Verify that you can access the defined application.
Installing the NGX R66 Plug-in
The Connectra NGX R66 Plug-in adds Connectra central management capabilities to an NGX R65 SmartCenter server or Provider-1/SiteManager-1. If you are working in a High Availability environment, install the Plug-in on each member.
Install the R66 Plug-in as part of the following procedures:
• “Installation and Initial Configuration Procedures”: “Step 1: Preparing for Centrally Managed Connectra” on page 26
• “Upgrade to Centrally Managed R66 from R61/62/62CM”: “Setting Up the SmartCenter and Installing the R66 Plug-in” on page 87
• “Upgrading a Connectra Cluster to R66” on page 92
The procedure for installing the R66 Plug-in varies slightly for each platform, but the overall workflow is the same.
Installing the Plug-in on a SmartCenter
The Plug-in for R66 can be installed on a SmartCenter, on the SecurePlatform, Windows, Linux, or Solaris platforms.
In This Section
Installing the Plug-in on a SecurePlatform SmartCenter page 45
Installing the Plug-in on a Windows SmartCenter page 46
Installing the Plug-in on a Linux or Solaris SmartCenter page 46
Installing the Plug-in on a SecurePlatform SmartCenter
To install the Plug-in on a SmartCenter on SecurePlatform:
1. Install SmartCenter server NGX R65.
2. Log in to expert mode by running expert and entering your password.
3. Install the Connectra Plug-in package:
a. Insert CD2 into the SmartCenter Server machine.
b. Mount the CD by running:
mount /dev/cdrom
c. Go to the CD directory by running:
cd /mnt/cdrom
d. Run:
./UnixInstallScript -splat
4. Reboot the machine.
Installing the Plug-in on a Windows SmartCenter
To install the Plug-in on a SmartCenter on the Windows platform:
1. Install SmartCenter server NGX R65.
2. Install the Connectra Plug-in package:
a. Insert CD2 into the SmartCenter Server machine.
b. From the root of the CD, run:
Setup.bat
c. Follow the instructions in the wizard.
3. Reboot the machine.
Installing the Plug-in on a Linux or Solaris SmartCenter
To install the Plug-in on a SmartCenter on either Linux or Solaris:
1. Install SmartCenter server NGX R65.
2. Log in to expert mode by running expert and entering your password.
3. Install the Connectra Plug-in package:
a. Insert CD2 into the SmartCenter Server machine.
b. Mount the CD by running:
mount /dev/cdrom
c. Go to the CD directory by running:
cd /mnt/cdrom
d. Run:
./UnixInstallScript
4. Reboot the machine.
Installing the Plug-in on Provider-1/SiteManager-1
The Plug-in for R66 can be installed on Provider-1/SiteManager-1, on the SecurePlatform, Linux, or Solaris platforms.
In This Section
Installing the Plug-in on SecurePlatform Provider-1 page 47
Installing the Plug-in on Linux or Solaris Provider-1 page 48
Activating the Connectra Plug-in on the CMA page 49
Installing the Plug-in on SecurePlatform Provider-1
To install the Plug-in on Provider-1 on SecurePlatform:
1. Install NGX R65 on the Provider-1/SiteManager-1 Multi Domain Server.
2. Install the Connectra Plug-in package on the Multi-Domain Server:
a. Insert CD2 into the Provider-1/SiteManager-1 Multi Domain Server machine.
b. Mount the CD by running:
mount /dev/cdrom
c. Go to the CD directory by running:
cd /mnt/cdrom
d. Run:
./UnixInstallScript -splat
3. Reboot the machine.
4. For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See “Activating the Connectra Plug-in on the CMA” on page 49.
Installing the Plug-in on Linux or Solaris Provider-1
To install the Plug-in on Provider-1 on Linux or Solaris:
1. Install Provider-1/SiteManager-1 Multi Domain Server NGX R65.
2. Install the Connectra Plug-in package on the Multi-Domain Server:
a. Insert CD2 into the Provider-1/SiteManager-1 Multi Domain Server machine.
b. Run from the root of the CD:
./UnixInstallScript
3. Reboot the machine.
4. For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See “Activating the Connectra Plug-in on the CMA” on page 49.
Activating the Connectra Plug-in on the CMA
To activate the Connectra Plug-in, use one of the following procedures:
• Create a customer with a Plug-in. In the Add Customer Wizard, in the Management Plug-ins page, activate the Plug-in.
• In the MDG Customer Contents page, either right-click a customer and select Configure Customer, or double-click the customer, go to the Plug-ins tab, and select the Connectra Plug-in.
• From the MDG’s Management Plug-ins View, activate the Plug-in in one of the following ways:
• Right-click a customer and select Activate Plug-in on Customers.
• Right-click the PIConR66 and select Activate this Plug-in.
• Select Activate Plug-in on Customers from the Plug-in menu.
• Click the Plug-in icon on the toolbar.
Uninstalling Connectra Plug-ins
While Connectra R66 cannot be uninstalled from the Connectra gateway machine, you can uninstall the central management capabilities. To do this, you must uninstall both the R62CM Plug-in (where relevant) and the R66 Plug-in for Central Management. See Chapter 6, “Uninstalling Connectra Plug-ins”.
Cluster Configuration—Deployment Tips
This section includes information that will help you understand the process of configuring a Connectra gateway cluster, so that it is a successful and trouble-free process.
The Connectra Central Management Administration Guide includes full details of setting up a Connectra cluster. It is strongly recommended that you read the relevant guide before setting up your Connectra cluster.
• Install and configure the Connectra gateway cluster members, as described in “Installation and Configuration Workflow” on page 24.
Licensing
• Ensure all cluster members are licensed for the same number of users. They do not necessarily have to have identical licenses.
• Connectra cluster members must run the same software version.
Cluster and Cluster Member Interfaces
• Communication into the organization for users is done using the virtual IP address of the Cluster Interface, and not the member IP addresses.
• To change the configuration of a cluster member, connect to it directly using the IP address of the cluster member, and not to the virtual IP address of the Cluster Interface.
• In some setups, ClusterXL may wait to disable Network Interfaces that are not in use. For more information see SecureKnowledge solution sk30060.
Interface Configuration
• The synchronization interfaces of the cluster members must reside on the same subnet.
• The data interfaces of the cluster members must reside on the same subnet, which must be different from the synchronization subnet.
• Use different interfaces for the data and synchronization networks.
• On Connectra 3070 and Connectra 270, the recommended setting for the data network is to use External, and for synchronization use Sync/Lan1.
• On Connectra 9072, the recommended setting for the data network is to use Lan1, and for synchronization use Sync.
Physical Connectivity
• Synchronization in a two-member cluster can be done using a cross-cable between the two members. A cluster with more than two members requires a switch/hub for synchronization.
Configuration
• Cluster member clocks must be synchronized. Use an NTP server or manually synchronize the clocks.
• Connectra clients access Connectra via two IP address/port combinations: one for the Connectra portal and another for SSL Network Extender. If you wish to use the same IP address for both, configure the portal to listen on port 443 and SSL Network Extender to listen on port 444.
Administration
• Cluster members become active after the Access Policy is installed.
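As an added example (not Check Point code or any Connectra tool), the following script turns the deployment tips above into a pre-deployment check over a constructed description of a planned cluster. The Member and Cluster fields, the sync_link values, the rule that the virtual IP sits on the data subnet, and the sample addresses are this example's own assumptions.

```python
"""Pre-deployment sanity check for a planned Connectra cluster.

Added example, not Check Point code: it encodes the deployment tips above
(sync interfaces on one subnet, data interfaces on one different subnet,
separate interfaces for data and sync, a cross-cable only for two members,
identical software versions and licensed user counts, and distinct ports
when the portal and SSL Network Extender share an IP) as checks over a
constructed description of the cluster. Field names are this example's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Interface, ip_address
from typing import List


@dataclass
class Member:
    name: str
    data_if: str        # interface carrying user traffic, e.g. "External" or "Lan1"
    data_addr: str      # member's own data address with prefix, e.g. "192.0.2.11/24"
    sync_if: str        # interface carrying state synchronization, e.g. "Sync"
    sync_addr: str
    version: str
    licensed_users: int


@dataclass
class Cluster:
    virtual_ip: str     # virtual IP of the Cluster Interface that users connect to
    portal_port: int    # listener port for the Connectra portal
    snx_ip: str         # listener address for SSL Network Extender
    snx_port: int
    sync_link: str      # "cross-cable" or "switch" (constructed vocabulary)
    members: List[Member]


def check_cluster(c: Cluster) -> List[str]:
    """Return a list of deployment-tip violations; an empty list means clean."""
    problems: List[str] = []
    if len(c.members) < 2:
        return ["a cluster needs at least two members"]

    data_nets = {IPv4Interface(m.data_addr).network for m in c.members}
    sync_nets = {IPv4Interface(m.sync_addr).network for m in c.members}
    if len(data_nets) != 1:
        problems.append("data interfaces are not all on the same subnet")
    if len(sync_nets) != 1:
        problems.append("synchronization interfaces are not all on the same subnet")
    if data_nets & sync_nets:
        problems.append("data and synchronization networks share a subnet")

    for m in c.members:
        if m.data_if == m.sync_if:
            problems.append(f"{m.name}: data and sync use the same interface {m.data_if}")

    # The virtual IP is where users arrive; assumed here to live on the data
    # subnet and never to duplicate a member's own address.
    vip = ip_address(c.virtual_ip)
    if len(data_nets) == 1 and vip not in next(iter(data_nets)):
        problems.append("virtual IP is not on the data subnet")
    if any(IPv4Interface(m.data_addr).ip == vip for m in c.members):
        problems.append("virtual IP duplicates a member's data address")

    if len(c.members) > 2 and c.sync_link == "cross-cable":
        problems.append("more than two members: synchronization needs a switch or hub")

    if len({m.version for m in c.members}) != 1:
        problems.append("members run different software versions")
    if len({m.licensed_users for m in c.members}) != 1:
        problems.append("members are licensed for different numbers of users")

    # Portal and SSL Network Extender may share an address only on distinct ports.
    if c.snx_ip == c.virtual_ip and c.snx_port == c.portal_port:
        problems.append("portal and SSL Network Extender share IP and port; use 443 and 444")
    return problems


# Constructed sample clusters (documentation and private ranges, not a real site).
GOOD = Cluster(
    virtual_ip="192.0.2.10", portal_port=443, snx_ip="192.0.2.10", snx_port=444,
    sync_link="cross-cable",
    members=[
        Member("member-a", "Lan1", "192.0.2.11/24", "Sync", "10.255.255.1/24", "R66", 500),
        Member("member-b", "Lan1", "192.0.2.12/24", "Sync", "10.255.255.2/24", "R66", 500),
    ],
)

BAD = Cluster(
    virtual_ip="192.0.2.10", portal_port=443, snx_ip="192.0.2.10", snx_port=443,
    sync_link="cross-cable",
    members=[
        Member("member-a", "Lan1", "192.0.2.11/24", "Lan1", "192.0.2.21/24", "R66", 500),
        Member("member-b", "Lan1", "192.0.2.12/24", "Sync", "10.255.255.2/24", "R66", 500),
        Member("member-c", "Lan1", "192.0.2.13/24", "Sync", "10.255.255.3/24", "R62", 250),
    ],
)

if __name__ == "__main__":
    for label, cluster in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_cluster(cluster) or "no problems found")
```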
SSL Acceleration Card Installation
A hardware-based SSL acceleration card is available to improve the SSL performance of the Connectra gateway. The card speeds up the SSL/TLS public key exchange, and reduces CPU utilization by redirecting CPU-intensive calculations to dedicated hardware.
Enabling the Card
To enable the card on Connectra:
1. From the console, run:
cvpnstop
2. Run:
hw_acceleration start
3. Run:
cvpnstart
Disabling the Card
To disable the card:
1. From the console, run:
cvpnstop
2. Run:
hw_acceleration stop
3. Run:
cvpnstart
Note - The acceleration card is pre-installed on Connectra 9072. It is not available on other Connectra appliances.
SSL Acceleration Card Command Syntax
The following table lists the SSL Acceleration Card commands. The card must be activated before running the diag and stat parameters.
Syntax
hw_acceleration { start | stop | diag | stat }
Table 3-1 SSL Acceleration Card Commands
Parameter Meaning
start Enable the card
stop Disable the card
diag Check if the card is installed and working properly
stat Get statistics of card activity
Further Information
For further instructions on configuring the Connectra gateway or a Connectra ClusterXL Load Sharing or High Availability cluster, refer to the Connectra Central Management Administration Guide or Connectra Local Management Administration Guide according to your configuration, or to the online help.
Chapter 4 Connectra Hardware
In This Chapter:
Overview page 57
Customer Replaceable Parts page 66
Restoring Factory Defaults page 74
This chapter provides instructions for installing and removing hardware components on the Connectra appliance.
Overview
This section discusses the hardware components comprising the Connectra appliance.
Front Panel Components page 58
Rear Panel Components page 64
Front Panel Components
This section describes the features and components located on the appliance front panel.
Connectra 270 page 59
Connectra 3070 page 60
Connectra 9072 page 61
LCD Display Screen page 62
Expansion Line Card page 62
Hard Disk Drives page 63
Connectra 270
Table 4-1 Connectra 270 Front Panel Description
Key Description
1 Internal connection port - Ethernet connection to a remote management workstation
2 External connection port - Ethernet connection to connect outside the organization
3 DMZ connection port - Ethernet connection to the DMZ
4 Sync/Lan1 port - for synchronizing with cluster members or a high availability peer
5 Console port - for a serial connection to the appliance using a terminal emulation program such as Hyperterminal.
6 USB ports
7 Power indicator LED
8 LCD screen
9 Screen operation keys
Connectra 3070
Table 4-2 Connectra 3070 Front Panel Description
Key Description
1 LCD screen
2 Screen operation keys
3 Power indicator LED
4 USB ports
5 Console port - for a serial connection to the appliance using a terminal emulation program such as Hyperterminal.
6 Internal connection port - Ethernet connection to a remote management workstation
7 External connection port - Ethernet connection to connect outside the organization
8 DMZ connection port - Ethernet connection to the DMZ
9 Sync/Lan1 port - for synchronizing with cluster members or a high availability peer
10 Built in ethernet ports (Lan2 - Lan7)
Connectra 9072
Table 4-1 Connectra 9072 Front Panel Description
Key Description
1 LCD display screen
2 Management connection port - Ethernet connection to a remote management workstation
3 Synchronization port - for synchronizing with cluster members or a high availability peer
4 Console port - for a serial connection to the appliance using a terminal emulation program such as Hyperterminal.
5 USB ports
6 Screen operation keys
7 Power indicator LED
8 Future expansion slot
9 Expansion line card exp1 (2 or 4 ports)
10 Built in ethernet ports (Lan1 - Lan8)
11 Expansion line card exp2 (2 or 4 ports)
12 Hard disk drive
LCD Display Screen
Located on the front of the appliance, the LCD panel displays the model of the unit.
The arrow keys scroll the display up and down. The ENTER and ESC keys are intended for future functionality.
Expansion Line Card
The Connectra 9072 appliance contains two optional expansion slots that accommodate two cold-swappable network line cards.
The expansion line card contains two or four ports. The following types of expansion line card are currently available for Connectra 9072:
Table 4-2 Expansion Cards Available for Connectra 9072
Model Description
CPPWR-ACC-4-1C 1000BaseT line card
CPPWR-ACC-4-1SRF 1GbE Multi-mode SR fiber optic line card
CPPWR-ACC-4-1LRF 1GbE Single-mode LR fiber optic line card
Hard Disk Drives
Connectra 3070 and 270 contain one hard disk drive. Connectra 9072 contains two redundant hard disk drives (RAID1).
Figure 4-1 Hard Disk Drives
Hard disk drives are not hot-swappable. You must power the appliance off before attempting to remove or install a hard disk drive.
RAID1 Mirroring
Implemented by a dedicated RAID controller, the Connectra 9072 model performs RAID1 mirroring across two hard disk drives. Mirror rebuild is automatic.
Rear Panel Components
This section describes components located on the rear panel of the appliance.
Main Power Switch
The main power switch controls power to the entire unit.
Redundant Power Supply Units
Located at the right rear of the 9072 appliance, two hot-swappable power supply units provide built-in power redundancy. Each power supply connects to an electric outlet.
Figure 4-2 Redundant Power Supply Units (Connectra 9072 only)
When a power supply fails or is not connected to the outlet, an alarm sounds continuously.
Cooling Fans
Connectra 9072 contains three replaceable cooling fans. Each cooling fan operates independently of the others, providing redundancy in the event of failure.
Figure 4-3 Cooling Fans in Connectra 9072
Connectra 3070 and Connectra 270 contain one cooling fan that is not replaceable.
Customer Replaceable Parts
To ensure maximum availability and ease of maintenance, the Connectra appliance contains the following customer replaceable parts:
• Power supplies
• Two for Connectra 9072
• Single power supply for Connectra 3070 and Connectra 270
• Cooling Fans
• Three for Connectra 9072
• Single, non-replaceable cooling fan for Connectra 3070 and Connectra 270
• Expansion Line cards (available on Connectra 9072 only)
• Hard Disk Drives
• Two for Connectra 9072
• Single hard drive for Connectra 3070 and Connectra 270
Unless directed to do so by Check Point technical support, customers are prohibited by warranty and support agreements from replacing any parts. Customers are prohibited from opening the Connectra case under any circumstances.
Power Supply page 67
Cooling Fan page 68
Expansion Line Card page 69
Hard Disk Drive page 71
Power Supply
This section presents the procedures for removing and installing a power supply unit. Connectra 9072 contains two redundant power supplies.
Figure 4-4 Redundant Power Supply Units
Removing the Power Supply
To remove a power supply unit:
1. If the alarm sounds, press the red alarm button to the right of the power supply. The alarm stops.
2. Remove the power cord.
3. Loosen the retaining screw located above the power socket.
4. Pull the extraction handle to remove the power supply unit.
Note - Use only the extraction handle to remove the power supply unit. To prevent damaging the power supply, do not pull on the retaining screw, power cord clip or any other part of the unit.
Installing the Power Supply
To install a replacement power supply:
1. Insert the power supply into its slot and push firmly until it clicks into place.
2. Tighten the retaining screws.
3. Insert the power cord. Verify that the green LED is illuminated.
Cooling Fan
This section presents the procedures for removing and installing a fan unit. The Connectra 9072 appliance contains three cooling fans. It is not necessary to power off the appliance before adding or removing a fan unit.
Figure 4-5 Cooling Fan
Removing Fan Units
To remove a fan unit:
1. Loosen the four retaining screws in the corners of the fan assembly.
2. Gently pull the fan unit out of the appliance.
Installing Fan Units
To install a fan unit:
1. Insert the fan unit into the appliance. Push firmly until it clicks into place.
2. Tighten the four retaining screws in the corners of the fan assembly.
Expansion Line Card
This section presents the procedures for removing and installing an expansion line card unit. The built-in ethernet ports (Lan1 - Lan8) are not customer replaceable. For more information on expansion cards, see the Administration Guide Supplement for Connectra Appliances.
• Connectra 9072 has two slots for expansion line cards
Warning - Make certain that you are electromagnetically grounded when performing the following procedures. Static electricity can damage the appliance.
Figure 4-6 Expansion Line Card
Removing Expansion Line Cards
To remove an expansion line card:
1. Power off the appliance and remove the power cords from the power supply units.
2. Loosen the retaining screws on either side of the expansion line card.
3. Holding the screws, pull the expansion line card out of the slot.
Installing Expansion Line Cards
To install an expansion line card:
1. Power off the appliance and remove the power cords from the power supply units.
2. Insert the expansion line card into the slot.
3. Push until the card clicks into place.
4. Tighten the retaining screws on either side of the expansion line card.
Hard Disk Drive
This section covers installing or removing a hard disk drive.
• Connectra 3070 and Connectra 270 contain one hard disk drive.
The Connectra 3070 and Connectra 270 hard disk drive is not hot-swappable. You must power the appliance off before attempting to remove or install the hard disk drive.
• Connectra 9072 contains two hot swappable (RAID-1) hard disk drives.
Figure 4-7 Hard Disk Drives
Removing a Hard Disk Drive
To remove a hard disk drive:
1. Power off the appliance and remove the power cords from the power supply units.
2. Using the key supplied in the toolkit, unlock the drive.
3. Slide the release latch toward the left. The extraction handle springs out.
4. Using the extraction handle, remove the drive from the slot.
Installing a Hard Disk Drive
To install a hard disk drive:
1. Power off the appliance and remove the power cords from the power supply units.
2. Slide the replacement hard disk drive into the slot.
3. Push the extraction handle until it closes and the drive clicks into place.
4. Using the key supplied in the toolkit, lock the new drive in place.
Restoring Factory Defaults
As part of the troubleshooting process, it may be necessary to restore the Connectra appliance to its factory default settings.
A Connectra appliance can be restored to the factory default image:
• Using the WebUI
• Through the console boot menu
• Using the LCD panel
Restoring Using the WebUI
The Connectra appliance contains a default factory image of Connectra NGX R66.
To restore the Connectra appliance to its default factory configuration using the WebUI:
1. In the Connectra WebUI, click Appliance > Image Management.
The Image Management window opens:
Warning - Restoring factory defaults deletes all information on the appliance.
Figure 4-8 Image Management
2. Select the factory defaults image.
3. Click Revert.
Restoring Using the Console Boot Menu
To restore the Connectra appliance to its default factory configuration using the console boot menu:
1. Connect the supplied DB9 serial cable to the console port on the front of the appliance.
2. Connect to Connectra using a terminal emulation program such as Microsoft HyperTerminal, the program used here.
3. In the HyperTerminal Connect To window, select a port from the Connect using list. Define the port settings: 9600 BPS, 8 bits, no parity, 1 stop bit.
4. From the Flow control list, select Hardware.
5. Click Call > Call to connect to the appliance.
6. Switch on Connectra. The appliance begins the boot process and status messages appear in HyperTerminal.
7. During the Connectra boot process, text similar to that shown below appears:
Figure 4-9 Activating the Boot menu in HyperTerminal
At this point, you have approximately four seconds to hit any key to activate the Boot menu.
8. The Boot menu opens. Scroll to the desired Reset to factory defaults image and press Enter.
Figure 4-10 Boot menu in HyperTerminal
Restoring Using the LCD Panel
To restore the appliance to its default factory configuration using the LCD panel at the front of the appliance:
1. Reboot or power on the appliance.
2. When the countdown begins, press any of the four buttons to the right of the LCD panel:
The boot menu appears.
3. Using the arrow buttons, select the Reset to R66 option, and press ENTER:
4. Confirm the reset by pressing the Arrow Up button.
Pressing any other button causes the Action Canceled message to display:
At this point, pressing any key returns you to the boot menu.
5. If you confirmed the reset by pressing the Arrow Up button in step 4, wait for the appliance to restore the factory image.
As the appliance is restored to the R66 default image, a Loading message displays continuously:
When the appliance has been restored to its default factory configuration, the appliance reboots and the initializing message is displayed:
Chapter 5 Upgrading Connectra
In This Chapter
Introduction to Advanced Upgrade page 82
Advanced Upgrade to Locally Managed R66 page 83
Upgrade to Centrally Managed R66 from R61/62/62CM page 87
Upgrading a Connectra Cluster to R66 page 92
Introduction to Advanced Upgrade
Perform an advanced upgrade from Connectra NGX R62 to Connectra NGX R66 in order to migrate to a new Connectra server.
The advanced upgrade procedure involves two machines. The first machine is the working Connectra machine. The new Connectra appliance is the second machine and the configuration of the first machine is imported to it.
Advanced Upgrade to Locally Managed R66
Preparing for Advanced Upgrade to Locally Managed R66
Prepare the new Connectra appliance, to which the Connectra configuration will be imported.
The following conditions must be met:
• IP addresses on the new and old machines must match.
• NIC configuration on new and old machines must match.
The following are not preserved in the upgrade. Be sure to track them so you can re-apply them after Connectra is upgraded:
• Manual changes to Connectra configuration files.
• All settings in the Device menu of the administrator portal.
• The Internal Certificate Authority (ICA).
Advanced Upgrade Procedure to Locally Managed R66
To perform an advanced upgrade from Connectra NGX R62 to locally managed NGX R66:
1. Insert CD1 into the original machine.
2. Type:
mount /dev/cdrom
3. On the CD, browse to the location of the export utility. Locate the upgrade_export tools in:
/linux/Utilities/UpgradeTools/
4. Create an exportable configuration file by running the command:
upgrade_export <path_and_filename_of_tgz>
where <path_and_filename_of_tgz> is the destination path of the configuration (.tgz) file.
5. Wait while the database files are exported.
6. Install the new NGX R66 machine as described in “Installation and Initial Configuration Procedures” on page 26.
The new machine must have the same IP address as the old machine. The IP address can be changed later.
7. Copy the exported .tgz file via FTP in binary mode to any location on the new Connectra machine.
8. On the new Connectra machine, go to:
$FWDIR/bin/upgrade_tools
9. Run:
upgrade_import -n <path_and_filename_of_tgz> <connectra_object_name>
where <path_and_filename_of_tgz> is the destination path of the configuration (.tgz) file and <connectra_object_name> is the name of your Connectra gateway.
10. Reboot.
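The procedure above moves the exported configuration archive between machines over FTP in binary mode, and the guide later recommends backing the .tgz up elsewhere and deleting it from the Connectra machine once the import is done. The following is an added example, not part of the Check Point guide: a small POSIX shell helper that records a checksum of the archive on the old machine, confirms on the new machine that the copy is byte-identical and still a readable gzip tarball before upgrade_import is run (an ASCII-mode transfer silently corrupts gzip data), and removes the archive afterwards. The function names, the sample archive built by make_sample_export and all paths are constructed for the example; upgrade_export and upgrade_import themselves are not invoked.

```shell
#!/bin/sh
# Added example (not from the Check Point guide). Helpers around the exported
# configuration archive produced by upgrade_export: checksum, transfer check,
# and removal after import. All paths and the sample archive are constructed.

# checksum_of FILE -> prints a hex digest of FILE (SHA-256 where available,
# MD5 otherwise; the point is equality across the two machines, not strength)
checksum_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        md5sum "$1" | awk '{print $1}'
    fi
}

# verify_archive FILE EXPECTED_SUM -> returns 0 only if FILE exists, its digest
# equals the one recorded on the old machine, and `tar -tzf` can list it.
# A transfer in ASCII mode or a truncated copy fails one of these checks.
verify_archive() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(checksum_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file (expected $expected, got $actual)" >&2
        return 1
    fi
    tar -tzf "$file" >/dev/null 2>&1 || { echo "not a readable .tgz: $file" >&2; return 1; }
    return 0
}

# make_sample_export DIR -> builds a constructed stand-in for an upgrade_export
# archive at DIR/export.tgz and prints its digest (the value you would note
# down on the old machine before the FTP copy)
make_sample_export() {
    dir="$1"
    mkdir -p "$dir/conf"
    echo "sample=1" > "$dir/conf/objects.C"   # placeholder content, not a real export
    ( cd "$dir" && tar -czf export.tgz conf )
    checksum_of "$dir/export.tgz"
}

# cleanup_export FILE -> deletes the archive from the machine after a successful
# import, overwriting it first where shred is available (the archive holds the
# whole gateway configuration, so it should not linger on disk)
cleanup_export() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        rm -f "$1"
    fi
}
```

Typical use: on the old machine run `checksum_of /path/to/export.tgz` after step 4 and keep the value; on the new machine run `verify_archive /path/to/export.tgz <recorded_sum>` before step 9 and, after a successful import and reboot, `cleanup_export /path/to/export.tgz`.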
Completing the Advanced Upgrade to R66
If you made configuration changes by manually editing configuration files before the upgrade:
1. Verify that the functionality of the manual change works properly after the upgrade.
2. If necessary, merge the changes back to the same locations in the upgraded installation.
Reapply all settings under the Appliance menu of the administrator portal (including administrator settings and routing) from the old machine to the new machine.
If the primary or secondary IP addresses of the NICs did not match between the two machines, you must reconfigure the IP address assignments for the Portal and SSL Network Extender.
To reconfigure IP address assignments for the Portal and SSL Network Extender:
1. In SmartDashboard, select your Connectra Gateway and click Edit.
2. Select Topology from the navigation tree in the Connectra Properties page.
3. Click Portal Customization settings or VPN Clients settings and edit the machine’s interface.
Note - The configuration (.tgz) file contains your Connectra configuration. It is recommended to back it up on a different machine and delete it from the Connectra machine after completing the import process.
Upgrade to Centrally Managed R66 from R61/62/62CM
In This Section
Setting Up the SmartCenter and Installing the R66 Plug-in page 87
Setting Up SIC Trust page 90
Installing Policy page 91
Completing the Upgrade by Merging Manual Changes page 91
Setting Up the SmartCenter and Installing the R66 Plug-in
Important: The SmartCenter should have the Connectra R62CM Plug-in installed and be fully upgraded to R62CM before installing the R66 Plug-in for Central Management. This includes using Connectra’s Configuration Import Utility to import your management configuration to the SmartCenter. For instructions on upgrading to R62CM from R61 or R62, see the Connectra R62CM Getting Started Guide. Follow this link to the Connectra NGX R62CM Upgrade Package or find it on the NGX R66 CD2 under /Utilities/R62CM/.
To install the R66 Plug-in on the R66 SmartCenter or Provider-1/SiteManager-1 CMA:
1. Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65.
Note - We recommend creating a database revision before installing the Connectra NGX R66 Plug-in. See the Check Point R65 SmartCenter Administration Guide for more information.
2. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client. For a new installation of Provider-1/SiteManager-1, install the Multi Domain GUI (MDG). If upgrading, the SmartDashboard or MDG will automatically update in order to manage Connectra.
3. Install the R66 Plug-in on version R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See “Installing the NGX R66 Plug-in” on page 45.
4. Reboot SmartCenter or Provider-1/SiteManager-1.
5. After the reboot, open SmartDashboard. SmartDashboard displays an additional tab for Connectra.
Note - If your SmartCenter is not already upgraded to R62CM, you must upgrade it before upgrading to centrally managed R66. See “important” above.
Figure 5-1 Smart Dashboard with Centrally Managed Connectra
6. In SmartDashboard, switch to the Connectra tab.
7. If Connectra objects were already defined prior to upgrading SmartCenter or the CMA:
After the upgrade of SmartCenter or the CMA, Connectra objects and references in SmartDashboard become host objects and must be redefined.
8. Define the Connectra objects. (Do not set up Secure Internal Communication (SIC) at this point):
a. Create the Connectra gateway or gateway cluster object.
b. For a Connectra gateway cluster, define cluster members. If there is SIC trust with the cluster members, reset SIC.
c. Define the topology. When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces. To add alias IP addresses to the object topology, define them manually. After manually adding alias IPs to the object topology, do not perform the Get Interfaces operation, as this will erase all manual changes to the object topology.
When defining topology for a Connectra cluster, it is very important that the topology is complete. Make sure you have selected at least one cluster interface and one synchronization interface, and that each cluster member has its interfaces defined.
Setting Up SIC Trust
You must set up a SIC connection between Connectra and the SmartCenter in order for them to communicate.
To set up SIC between the Connectra gateway and the SmartCenter:
1. Connect to the Connectra gateway in one of the following ways:
• Via the Web GUI: Open a Web browser on a machine that has network connectivity to the Connectra, and browse to https://<machine_IP>:4433.
• From the command line: Open an SSH connection to Connectra, or connect to it via a console.
2. Reset SIC (if there was a prior SIC trust) and enter a one time password. Do this in one of two ways:
• Via the Web GUI, go to Product Configuration > SIC, enter the Activation Key and click Initialize.
• From the command line, run cpconfig. Type 6 to select Secure Internal Communication.
3. Complete the SIC trust establishment. Open the Connectra gateway or gateway cluster object in SmartDashboard. In the General Properties page, in the Communication window, enter the same one-time password supplied in the gateway side.
Installing Policy
After you have verified that the SmartCenter and Connectra machine are communicating, select File > Install Policy in SmartDashboard to install the Access policy on the Connectra machine.
Completing the Upgrade by Merging Manual Changes
If you made configuration changes by manually editing configuration files before the upgrade:
1. Verify that the functionality of the manual change works properly after the upgrade.
2. If necessary, merge the changes back to the same locations in the upgraded installation.
Upgrading a Connectra Cluster to R66
Connectra clusters are only supported on centrally managed R66. If you have R61 or R62 and wish to upgrade to centrally managed R66, you must first upgrade the cluster members’ Connectra gateways and the SmartCenter server to R62CM. For instructions on upgrading to R62CM from R61 or R62, see the Connectra R62CM Getting Started Guide. Follow this link to the Connectra NGX R62CM Upgrade Package or find it on the NGX R66 CD2 under /Utilities/R62CM/.
If you currently have locally supported clusters, see “For Connectra Cluster Users” on page 101 for licensing information.
To upgrade a Connectra cluster from NGX R62CM to NGX R66:
1. Install the R66 Plug-in on the NGX R65 SmartCenter. See “Setting Up the SmartCenter and Installing the R66 Plug-in” on page 87.
2. Upgrade each Connectra gateway, as described in “Upgrade to Centrally Managed R66 from R61/62/62CM” on page 87.
3. Define each cluster member in SmartDashboard. See “Step 9: Defining Connectra Objects (Centrally Managed Connectra)” on page 38 and “Cluster Configuration—Deployment Tips” on page 51.
Chapter 6 Uninstalling Connectra Plug-ins
In This Chapter
Overview page 93
Uninstalling the R66 Plug-in for Central Management page 94
Uninstalling the Connectra NGX R62CM Plug-in page 97
Uninstalling Plug-ins in Provider-1 page 99
Overview
While the Connectra NGX R66 Gateway cannot be uninstalled, the Plug-in for central management can be uninstalled. If you want to uninstall Connectra NGX R66’s central management capabilities, you must uninstall both the R66 Plug-in for Central Management and the R62CM Plug-in from your SmartCenter machines, Log Servers, Eventia Reporter, and any remote objects on which the Plug-ins may have been installed. In a High Availability environment, perform the uninstallations on each member.
Uninstalling the R66 Plug-in for Central Management
Before Uninstalling the R66 Plug-in:
If you have the Connectra NGX R66 Plug-in installed on a SmartCenter, Log Server, Eventia Reporter, or other remote objects, and you want to uninstall the Plug-in from them, you must first do the following:
1. Delete all Connectra objects from SmartDashboard.
2. Synchronize the remote servers’ databases with the SmartCenter by installing the Database on all remote objects that have the Plug-in installed. In the SmartDashboard, select Policy > Install Database for each remote object.
Note - If you do not install the Database, the Plug-in uninstallation on these objects will fail, but it will succeed on the SmartCenter. Therefore, you will not be able to install the Database on the remote objects, nor will you be able to remove the R66 Plug-in from the remote objects.
Uninstalling the R66 Plug-in
1. From the command line, run the pre-uninstall verifier as follows:
In Linux, Solaris, or SecurePlatform:
a. Run:
cd /opt/CPPIconR66-R65/bin/
b. Run:
./plugin_preuninstall_verifier
c. Read the results. If it says you can remove the Plug-in, proceed to step 2.
In Windows:
a. From c:\Program Files\CheckPoint\PIconR66\R66\bin\ run:
plugin_preuninstall_verifier.exe
2. Remove the R66 Plug-in:
• In Linux or SecurePlatform, run:
rpm -e CPPIconR65-R66-00
• In Solaris, run:
pkgrm
then choose the package number corresponding to CPPIconR65-R66-00.
• In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R66 Plug-in.
3. Restart the system.
Removing the R66 Compatibility Package
Remove the Compatibility Package only after uninstalling the R66 Plug-in.
1. Remove the R66 Compatibility Package as follows:
• In Linux or SecurePlatform, run:
rpm -e CPCON65CMP-R66-00
• In Solaris, run:
pkgrm
then choose the package number corresponding to CPCON65CMP-R66-00.
• In Windows, use Add/Remove Programs to remove the Check Point NGX R66 Connectra Compatibility Package.
2. Restart the system.
Uninstalling the Connectra NGX R62CM Plug-in
To remove the Connectra NGX R62CM Plug-in:
1. From the command line, run the pre-uninstall verifier as follows:
In Linux, Solaris, or SecurePlatform:
a. Run:
cd /opt/CPPIconnectra-R65/bin/
b. Run:
./plugin_preuninstall_verifier
c. Read the results. If it says you can remove the Plug-in, proceed to step 2.
In Windows:
a. From c:\Program Files\CheckPoint\PIconnectra\R65\bin\ run:
plugin_preuninstall_verifier.exe
2. Remove the R62CM Plug-in:
• In Linux or SecurePlatform, run:
rpm -e CPPIconnectraR65-R65-00
• In Solaris, run:
pkgrm
then choose the package corresponding to CPPIconnectraR65-R65-00.
• In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R62A Plug-in. Also remove the Check Point Plug-in NGX R65_HF_284 if relevant.
3. Restart the system.
Removing the R62CM Compatibility Package
Remove the R62CM Compatibility Package only after uninstalling the R62CM Plug-in.
1. Remove the R62CM Compatibility Package as follows:
• In Linux or SecurePlatform, run:
rpm -e CPCON62CMP-R65-00
• In Solaris, run:
pkgrm
then choose the package corresponding to CPCON62CMP-R65.
• In Windows, use Add/Remove Programs to remove the Check Point NGX R62A Compatibility Package R65.
2. Restart the system.
Uninstalling Plug-ins in Provider-1
Before uninstalling the R66 or R62CM Plug-ins on Provider-1, you must first deactivate the Plug-ins on all customers of the MDS from which you want to remove a Plug-in.
Deactivating Plug-ins on the MDS
To deactivate Plug-ins on the MDS:
1. Go to Management Plug-ins in the selection bar of the MDG.
2. Double-click on a customer.
3. Go to the Plug-ins tab.
4. Select the plug-in to deactivate: PIconR66-R65 for Connectra NGX R66 or PIconnectra for Connectra NGX R62CM.
5. Click Remove.
6. Click OK.
7. Follow the steps in “Uninstalling the R66 Plug-in for Central Management” on page 94 or “Uninstalling the R62CM Plug-in in Provider-1” on page 99.
Uninstalling the R62CM Plug-in in Provider-1
To remove the Connectra Central Management Plug-in on Provider-1:
1. In the Provider-1 MDS, deactivate the Connectra Central Management Plug-in (PIConnectra) on all customers.
2. On the command line, run:
rm -f /opt/CPPIconnectra-R65/conf/PluginTableTypePairs.conf ; touch /opt/CPPIconnectra-R65/conf/PluginTableTypePairs.conf
3. Run the pre-uninstall verifier:
/opt/CPPIconnectra-R65/bin/plugin_preuninstall_verifier
4. Remove the Connectra Central Management Plug-in:
• Use rpm -e CPPIconnectra-R65 on Linux and SecurePlatform
• Use pkgrm CPPIconnectra-R65 on Solaris
5. Run mdsstop/mdsstart.
Chapter 7 Registration and Support
In This Chapter
Registration page 101
Support page 102
Where To From Here? page 103
Registration
Connectra requires a specific Check Point license. Obtain a license and register at:
http://register.checkpoint.com/cpapp
For Connectra Cluster Users
Unlike previous versions of Connectra, in Connectra NGX R66, clusters can only be managed centrally, from an R65 SmartCenter or Provider-1 with the Connectra R66 Plug-in.
Customers who:
a. currently have a Connectra High Availability product, or are buying a new such product, and
b. are under a valid service agreement,
should find a new product and license named "SmartCenter for Connectra Clusters" in their User Center account. If you are a customer satisfying these two conditions but do not see this new product in your User Center account, please contact Check Point's account services.
This new license entitles customers to install a Check Point SmartCenter R65 on a dedicated server and manage their Connectra clusters from that server. For information on upgrading to centrally managed Connectra R66, see “Upgrading Connectra” on page 81.
Support
For additional technical information about Check Point products, consult the Check Point Support Center at:
http://support.checkpoint.com
Where To From Here?
You have now learned the basics that you need to get started. The next step is to obtain more advanced knowledge of your Check Point software.
See the Check Point Connectra Central Management Administration Guide or Connectra Local Management Administration Guide on the Media pack CD, or at http://www.checkpoint.com/techsupport/downloads.jsp (username and password required).
Check Point documentation elaborates on this information and is available in PDF format on the Check Point CD as well as on the Technical Support download site at: http://www.checkpoint.com/support/technical/documents.
Be sure to also use our Online Help when you are working with the Check Point SmartConsole clients.
Chapter 8 Notes
The following pages provide space for notes and records related to your Connectra appliance and deployment.
My Connectra Appliance
Host name:
IP address(es):
Network mask:
Default gateway:
DNS servers:
Connectra appliance version:
Installed Hotfixes:
Index
A
Additional Configuration via the Administration Portal 41
C
Centrally Managed Deployment 15, 35
Cluster configuration 51
Configuration Workflow 24
Configuring the Firewall Access Rules 26
Connectra 13
D
Date and Time 34
Defining Applications and Associating them with Groups 42
Defining Users and Groups 42
Deploying Connectra in the DMZ 19
Deploying Connectra on the LAN 20
DNS Server 34
F
Fingerprint 37
Front Panel Components 58
G
Gateway definition 15
H
Hardware 57
  Cooling Fans 64
  Expansion Line Cards 62
  Front Panel 58
  Hard Disk Drives 63
  LCD Display 62
  Power Switch 64
  RAID-1 Mirroring 63
  Redundant Power Supplies 64
  Replaceable Parts 66
Host and Domain Name 34
Hyperterminal 76
I
Implemented 63
L
Locally Managed Deployment 15, 35
M
Management Type 35
N
Network Connections 34
P
Password recovery login token 33
R
Registration 101
Restoring Factory Defaults 74
Restoring using Boot Menu 75
Restoring Using WebUI 74
Routing Table 34
S
Secure Internal Communication (SIC) 35
Security Policy 15
SmartCenter Server 15
SmartConsole 15
SmartDashboard 15
SSL acceleration card 53
Support 102
W
Web/SSH and GUI Clients 35, 36