U-40, P-20
Warning - This appliance does not contain any user-serviceable parts. Do not remove any covers or attempt to gain access to the inside of the product. Opening the device or modifying it in any way has the risk of personal injury and will void your warranty. The following instructions are for trained service personnel only.

To prevent damage to any system board, it is important to handle it with care. The following measures are generally sufficient to protect your equipment from static electricity discharge:
- When handling the board, use a grounded wrist strap designed for static discharge elimination.
- Touch a grounded metal object before removing the board from the antistatic bag.
- Handle the board by its edges only. Do not touch its components, peripheral chips, memory modules or gold contacts.
- When handling processor chips or memory modules, avoid touching their pins or gold edge fingers.
- Return the communications appliance system board and peripherals to the antistatic bag when they are not in use or not installed in the chassis.

Some circuitry on the system board can continue operating even though the power is switched off. Under no circumstances should the Lithium battery cell used to power the real-time clock be allowed to short. The battery cell may heat up under these conditions and present a burn hazard.

Warning - DANGER OF EXPLOSION IF BATTERY IS INCORRECTLY REPLACED. REPLACE ONLY WITH SAME OR EQUIVALENT TYPE RECOMMENDED BY THE MANUFACTURER. DISCARD USED BATTERIES ACCORDING TO THE MANUFACTURER'S INSTRUCTIONS.
Disconnect the system board power supply from its power source before you connect or disconnect cables or install or remove any system board components. Failure to do this can result in personal injury or equipment damage. Avoid short-circuiting the lithium battery; this can cause it to superheat and cause burns if touched. Do not operate the processor without a thermal solution. Damage to the processor can occur in seconds.
Contents
Chapter 1 Introduction
Welcome
VSX-1 Overview
Shipping Carton Contents
    VSX-1 3070
    VSX-1 9070
    VSX-1 9090
Terminology
Rear Panel Components
Customer Replaceable Parts
    Power Supply
    Cooling Fan
    Expansion Line Card
    Hard Disk Drive
Chapter 1 Introduction
In This Chapter
- Welcome
- VSX-1 Overview
- Shipping Carton Contents
- Terminology
Welcome
Thank you for choosing Check Point's VSX-1 appliance. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up-to-date and secure solutions available today. Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment.
For additional information on the NGX Internet Security Product Suite and other security solutions, refer to: http://www.checkpoint.com or call Check Point at 1(800) 429-4391. For additional technical information, refer to: http://support.checkpoint.com.
Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.
VSX-1 Overview
The VSX-1 (Virtual System eXtension) appliance is a security and VPN solution, designed to meet the demands of large-scale environments. Based on the proven security of VPN-1, VSX provides comprehensive protection for multiple networks or VLANs within complex infrastructures. It securely connects them to shared resources such as the Internet and DMZs, and allows them to safely interact with each other. VSX is supported by SmartDefense Services, which provide up-to-date preemptive security.

VSX incorporates the same patented Stateful Inspection and Application Intelligence technologies used in the Check Point VPN-1 product line. It runs on high speed platforms (known as VSX gateways) to deliver superior performance in high-bandwidth environments. Administrators manage VSX via a SmartCenter server or a Provider-1 Multi-Domain Server (MDS), delivering a unified management architecture that supports enterprises and service providers.

A VSX gateway contains a complete set of virtual devices that function as physical network components, such as VPN-1 gateways (firewalls), routers, switches, interfaces, and even network cables. Centrally managed, and incorporating key network resources internally, VSX allows businesses to deploy comprehensive firewall and VPN functionality, while reducing hardware investment and improving efficiency.

Key Features:
- Combines Virtual Firewall, VPN, and IPS
- Consolidates Up to 250 Security Gateways Onto a Single Hardware Platform
- Includes Virtualized Networking Components - Virtual routers, Virtual switches & Virtual cabling
- Wire-Speed Security for Gigabit Networks
- High Availability with Linear Growth Clustering
- Bridge Mode Support for Transparent Internal Firewalls
- Flexible Virtual Network Design
- SmartDefense Services Updates
- URL Filtering

This document provides:
- A brief overview of essential VSX-1 appliance concepts and features
- A step by step guide to getting VSX-1 appliance up and running
VSX-1 3070
Table 1-1 Contents of the VSX-1 3070 Shipping Carton

Item                        Description
Appliance                   A single VSX-1 3070 appliance
Rack Mounting Accessories   Hardware mounting kit
Cables                      1 Power cable
                            1 Standard RJ-45 network cable
                            1 Serial console cable
                            1 RJ-45 loopback plug
2 CDs                       Includes the following:
                            CD1: VSX-1 Installation
                            CD2: VSX-1 Getting Started Guide
                            VSX NGX R65 documentation
VSX-1 9070
Table 1-2 Contents of the VSX-1 9070 Shipping Carton

Item                        Description
Appliance                   A single VSX-1 9070 appliance
Rack Mounting Accessories   Hardware mounting kit
Cables                      2 Power cables
                            1 Standard RJ-45 network cable
                            1 Serial console cable
                            1 RJ-45 loopback plug
2 CDs                       Includes the following:
                            CD1: VSX-1 Installation
                            CD2: VSX-1 Getting Started Guide
                            VSX NGX R65 documentation
VSX-1 9090
Table 1-3 Contents of the VSX-1 9090 Shipping Carton

Item                        Description
Appliance                   Two VSX-1 9070 appliances
Rack Mounting Accessories   Hardware mounting kit
Cables                      4 Power cables
                            2 Standard RJ-45 network cable
                            2 Serial console cable
                            2 RJ-45 loopback plug
2 CDs                       Includes the following:
                            CD1: VSX-1 Installation
                            CD2: VSX-1 Getting Started Guide
                            VSX NGX R65 documentation
Terminology
The following VSX terms are used throughout this chapter:

Gateway: The VPN-1 engine that enforces the organization's security policy and acts as a security enforcement point.
Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication.
SmartCenter Server: The server used by the system administrator to manage the security policy. The organization's databases and security policies are stored on the SmartCenter server and downloaded to the gateway.
SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.
SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.
Centrally Managed Deployment: When the gateway and the SmartCenter server are installed on separate machines.
Virtual Routers: Independent routing domains within a VSX Gateway that function like physical routers.
Virtual System: A routing and security domain featuring firewall and VPN capabilities supported by a standard Check Point Gateway. Multiple Virtual Systems can run concurrently on a single VSX Gateway, isolated from one another by their use of separate system resources and data storage.
VSX Clustering: The connection of two or more VSX Gateways in such a way that if one fails, another immediately takes its place.

A single VSX Gateway contains multiple Virtual Routers and Virtual Systems.
Note - A SmartCenter or Provider-1 Server is not installed locally on the VSX-1 appliance. VSX-1 appliance is only supported in a centrally managed environment.
One ear mount fits on each side of the chassis. To assemble the ear mounts:
1. Take out the L shape ear mount kits.
2. Place the side with four holes against the chassis. The side with two holes faces outward, as shown in Figure 2-2.
3. Fasten the four retaining screws on each ear mount.
4. Fasten the two screws that connect the ear mount to the handle.
Note - When a power supply fails or is not connected to the outlet, an alarm sounds continuously. If you hear the alarm, replace the faulty power supply immediately, and connect the new unit to an A/C outlet. See Removing the Power Supply on page 41 for more information.
3. Wait for the appliance to initialize and boot. The status of the appliance appears on the LCD screen:
The appliance is ready for use when the model number is displayed. The example shown above is specific to VSX-1 9070.
Initial Configuration
In This Section
- Logging in for the First Time
- Configuring the Management Interface
- Setting Network and Time/Date Properties
- Selecting Cluster Options
- Completing the Configuration
1. Log in for the first time using admin as the default username and password.
2. Follow the on-screen instructions to change the password, and optionally, to change the administrator username. Press Enter. The command prompt appears.
3. Type: expert to enter the high privilege command line access.
4. Log in to expert mode using the username and password set in step 2.
5. Follow the on-screen instructions to change the expert mode password.
6. Run: sysconfig to begin the configuration. A welcome screen opens.
7. Type n to continue the network configuration process.
8. Follow the on-screen instructions to change the Host Name, Domain Name, and Domain Name Servers, as you choose based on your configuration.
See Configuring the Management Interface on page 25 for detailed instructions on changing the Management interface IP address from the pre-configured IP address to one that you choose.
2. Type 2 to select Configure connection. The Choose a connection to configure screen opens.
The image above is from VSX-1 9070. The screen is slightly different for VSX-1 3070.
3. Type the number corresponding to Mgmt on VSX-1 9070 or Internal on VSX-1 3070. This number may change according to your hardware configuration but is 13 in the example above. The Choose Mgmt/Internal item to configure screen opens.
4. Type 1 to Change IP settings and then enter an IP address, network mask, and broadcast address for the Management interface.
5. Return to the Network Configuration menu by typing e twice.
6. Type 5 to select Routing. The Routing screen opens.
7. Type 1 to select Set Default Gateway and enter the default gateway according to your network configuration.
8. Return to the Network Configuration menu by typing e and type n to continue to the time and date configuration menu.
2. Type n again to proceed to the Check Point Configuration Program.
3. Read and type y to accept the license agreement and proceed to the clustering options.

2. You are asked if you want to enable the Per Virtual System State. This feature is required for the Virtual System Load Sharing (VSLS) and Per Virtual System High Availability features. Type y when prompted if you want to enable this feature. If you do not intend to use these features, type n. If you respond with n, a prompt appears, offering an option to enable the Active/Standby Bridge Mode. Type y to enable this feature or n to disable.
To use VSX, you must configure and install a security policy. See the VSX NGX R65 Administration Guide for more information.
To add URL Filtering capabilities to your VSX-1 appliance, see the Web Filtering for VSX NGX R65 Hotfix.
5. Press Enter to start the installation.
6. The installation automatically installs all required components and the progress of each stage is shown.
7. When you see the message, "You may safely reboot your system", reboot the appliance manually using the master power button. Turn the appliance off and disconnect the USB CD-ROM/DVD-ROM. After several seconds, press the master power button to turn on the appliance again.
VSX Appliance Recovery
To install the existing security policy and configuration on the recovered gateway or cluster members:
1. From the command line of the SmartCenter server or MDS run: vsx_util reconfigure
2. Enter the following information when prompted:
   a. SmartCenter server or primary CMA IP address
   b. Administrator username and password
   c. Gateway or member object name
   d. SIC activation key for the recovered gateway or cluster member

The VSX-1 appliance now contains the security policy and is part of the network configuration.
Note - For more information about the vsx_util reconfigure command, see the VPN-1 Power VSX NGX R65 Administration Guide.
This chapter provides descriptions of the hardware components of the VSX-1 appliance and instructions for installing and removing the hardware.
Overview
- Front Panel Components
- Rear Panel Components
This section discusses the hardware components comprising the VSX-1 appliance.
This section describes the features and components located on the appliance front panel.
VSX-1 9070
VSX-1 9070 Front Panel

Key   Description
1     LCD display screen
2     Management connection port - Ethernet connection to a remote management workstation
3     Synchronization port - for synchronizing with cluster members or a high availability peer
4     Console port - for a serial connection to the appliance using a terminal emulation program such as HyperTerminal
5     USB ports
6     Screen operation keys
7     Power indicator LED
8     Future expansion slot
9     Expansion line card exp1 (2 or 4 ports)
10    Built in Ethernet ports (Lan1 - Lan8)
11    Expansion line card exp2 (2 or 4 ports)
12    Hard disk drive
VSX-1 3070
Table 3-2 VSX-1 3070 Front Panel

Key   Description
1     LCD screen
2     Screen operation keys
3     Power indicator LED
4     USB ports
5     Console port - for a serial connection to the appliance using a terminal emulation program such as HyperTerminal
6     Internal connection port - Ethernet connection to a remote management workstation
7     External connection port - Ethernet connection to connect outside the organization
8     DMZ connection port - Ethernet connection to the DMZ
9     Sync/Lan1 port - for synchronizing with cluster members in high availability mode, or Lan1 interface in Gateway mode
10    Built in Ethernet ports (Lan2 - Lan7)
The arrow keys scroll the display up and down. Use the ENTER button to make selections. The ESC button is intended for future functionality. All of the buttons on the LCD display are only functional while the count down to the booting process is displayed.
According to type, each expansion line card contains two or four ports. The following types of expansion line card are currently available:

Table 3-3 Expansion Cards Available for VSX-1 9070

Model               Description
CPPWR-ACC-4-1C      1000BaseT line card
CPPWR-ACC-4-1SRF    1GbE Multi-mode SR fiber optic line card
CPPWR-ACC-4-1LRF    1GbE Single-mode LR fiber optic line card
CPPWR-ACC-2-10SRF   10GbE Multi-mode SR fiber optic line card
CPPWR-ACC-2-10LRF   10GbE Single-mode LR fiber optic line card
RAID1 Mirroring
Implemented by a dedicated RAID controller, the VSX-1 9070 model performs RAID1 mirroring across two hard disk drives. Mirror rebuild is automatic.
VSX-1 3070 contains one hard disk drive that is not replaceable.
When a power supply fails or is not connected to the outlet, an alarm sounds continuously.
Cooling Fans
VSX-1 9070 contains three replaceable cooling fans. Each cooling fan operates independently of the others, providing redundancy in the event of failure.
Figure 3-3 Cooling Fans in VSX-1 9070
VSX-1 3070 contains one cooling fan that is not replaceable.
To ensure maximum availability and ease of maintenance, the VSX-1 9070 appliance contains the following customer replaceable parts:
VSX-1 9070
- Two power supplies
- Three cooling fans
- Dual expansion line card slots
- Two hard drives
Unless directed to do so by Check Point technical support, customers are prohibited by warranty and support agreements from replacing any parts. Customers are prohibited from opening the VSX-1 appliance case under any circumstances.
Power Supply
This section presents the procedures for removing and installing a power supply unit. VSX-1 9070 contains two redundant power supplies.
Note - Use only the extraction handle to remove the power supply unit. To prevent damaging the power supply, do not pull on the retaining screw, power cord clip or any other part of the unit.
Cooling Fan
This section presents the procedures for removing and installing a fan unit. VSX-1 9070 contains three cooling fans. It is not necessary to power off the appliance before adding or removing a fan unit.
Figure 3-5 Cooling Fan
4. Tighten the retaining screws on either side of the expansion line card.
Figure 3-7
Registration
You must install a VSX-1 appliance license before operation. To obtain a license and register your appliance, please visit: http://register.checkpoint.com/cpapp
If you are evaluating a VSX-1 appliance, you will have access to a 15-day evaluation license key.
Note - The Management interface (Mgmt on VSX-1 9070 and Internal on VSX-1 3070) MAC address is required to obtain a license.
Support
For further information about the VSX-1 appliance, visit: https://usercenter.checkpoint.com/usercenter/login/cpapp
For technical assistance, contact Check Point 24 hours a day, seven days a week at:
+1 972-444-6600 (Americas)
+972 3-611-5100 (International)
or visit: http://support.checkpoint.com