Nokia IP560 Security Platform Installation Guide - Unisys · Check Point IP560 Security Platform Installation Guide 3 Contents ... This section defines the elements of commands that

Part No. N450000889 Rev 001

Published March 2009

Check PointIP560 Security Platform

Installation Guide

2 Check Point IP560 Security Platform Installation Guide

COPYRIGHT© 2003-2009 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.

Check Point Contact InformationFor additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:[email protected]

http://support.checkpoint.com/

http://www.checkpoint.com/copyright.html

http://www.checkpoint.com/3rd_party_copyright.html

mailto:[email protected]?subject=Check Point documentation feedback

Contents

Check Point Contact Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11In this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Conventions this Guide Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Command-Line Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15About the Check Point IP560 Security Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Managing the Check Point IP560 Security Platform . . . . . . . . . . . . . . . . . . . . . . . . 16Check Point IP560 Security Platform Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Four-Port 10/100/1000 Ethernet NIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18PMC Expansion Slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18Connecting to the Console or Auxiliary Port with the

Supplied Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Auxiliary Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21System Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Logging Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Power Supply and Fan Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Fan Unit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Site Requirements, Warnings, and Cautions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Product Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2 Installing the Check Point IP560 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Rack-Mounting the Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Check Point IP560 Security Platform Installation Guide 3

3 Performing the Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33Using a Console Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Connecting Power and Turning the Power On . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Performing the Initial Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36Connecting Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Using Check Point Network Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Viewing Check Point IPSO Documentation by Using Check Point Network Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Using the Command-Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40Using Check Point Horizon Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

4 Installing and Replacing Network Interface Cards . . . . . . . . . . . . . . . . . . . . . . . 43Deactivating Configured Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43Installing NICs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Configuring and Activating Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48Monitoring Network Interface Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

5 About IP560 Appliance Network Interface Cards . . . . . . . . . . . . . . . . . . . . . . . . 49Four-Port 10/100 Ethernet NIC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

10/100 Ethernet NIC Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50Ethernet NIC Connectors and Cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Four-Port and Two-Port Copper Gigabit Ethernet NIC (10/100/1000). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Copper Gigabit Ethernet NIC Features in the IP560 . . . . . . . . . . . . . . . . . . . . . . 52Copper Gigabit Ethernet NIC Connectors and Cables. . . . . . . . . . . . . . . . . . . . . 55

Two-Port Fiber-Optic Gigabit Ethernet NICs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Fiber-Optic Gigabit Ethernet NIC Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56Fiber-Optic Gigabit Ethernet NIC Connectors and Cables. . . . . . . . . . . . . . . . . . 57

6 Installing, Using, and Replacing ADP Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59Installing and Replacing ADP Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60Check Point ADP Module LED Reference Information . . . . . . . . . . . . . . . . . . . . . . 68Configuring Check Point IPSO with IP560 ADP Interfaces. . . . . . . . . . . . . . . . . . . 69

Effect on Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69Check Point ADP Module Interface Names for IP560 Appliances . . . . . . . . . . . . 70Configuring Network Topology with an IP560 Appliance . . . . . . . . . . . . . . . . . . . 70Configuration Example with VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Deleting VRRP Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72Reconfiguring Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Reconfiguring VRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76


7 Installing and Replacing Components Other than Network Interface Cards (NICs) and Accelerated Data Path (ADP) Services Modules . . . . . . . . . . . . . . . . . . . . . 79Replacing the Compact Flash Memory Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Installing a PC Card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82Installing or Replacing a Hard-Disk Drive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84Configuring a Hard-Disk Drive for Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89Replacing or Upgrading Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92Replacing a Check Point Encryption Accelerator Card . . . . . . . . . . . . . . . . . . . . . . 95

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95Configuring Software to Use Hardware Acceleration . . . . . . . . . . . . . . . . . . . . . . 98

Replacing a Fan Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Replacing a Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100Monitoring the IP560 Appliance Power Supply . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Replacing the Battery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

8 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107General Troubleshooting Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Troubleshooting Routing Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

A Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119Space Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

B Compliance Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Declaration of Conformity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121Compliance Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123FCC Notice (US) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125



Figures

Figure 1 Component Locations Front View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Figure 2 Four-Port 10/100/1000 Ethernet PMC Details . . . . . . . . . . . . . . . . . . . . 18Figure 3 Pin Assignments for Console Connector and Console Cable . . . . . . . . . 20Figure 4 Pin Assignments for Auxiliary and Modem Cables . . . . . . . . . . . . . . . . . 21Figure 5 Check Point IP560 Security Platform System Status LEDs . . . . . . . . . . 22Figure 6 Power Supply and Fan Unit Locations . . . . . . . . . . . . . . . . . . . . . . . . . . 23Figure 7 Power Supply, Fan, and Power Switch Locations . . . . . . . . . . . . . . . . . . 23Figure 8 Fan Unit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Figure 9 Rack-Mounting Screw Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28Figure 10 Power Switch Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Figure 11 Check Point Network Voyager Reference Access Points . . . . . . . . . . . 40Figure 12 Four-Port 10/100 Ethernet NIC Front Panel Details . . . . . . . . . . . . . . . 50Figure 13 Output Connector for the Ethernet Cable . . . . . . . . . . . . . . . . . . . . . . . 51Figure 14 Ethernet Crossover-Cable Pin Connections . . . . . . . . . . . . . . . . . . . . . 52Figure 15 Gigabit Ethernet Crossover Cable Pin Connections . . . . . . . . . . . . . . . 52Figure 16 Four-Port Copper Gigabit Ethernet NIC Front Panel Details . . . . . . . . 53Figure 17 Two-Port Copper Gigabit Ethernet NIC Front Panel Details . . . . . . . . . 53Figure 18 Gigabit Ethernet Cable Connector Output Pin Assignments . . . . . . . . . 55Figure 19 Gigabit Ethernet Crossover Cable Pin Connections . . . . . . . . . . . . . . . 56Figure 20 PMC Two-Port Short-Range Gigabit Ethernet NIC . . . . . . . . . . . . . . . . 57Figure 21 PMC Two-Port Long-Range Gigabit Ethernet NIC . . . . . . . . . . . . . . . . 57Figure 22 Compact Flash Memory Card Slot . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80Figure 23 External PC Card Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83Figure 24 Location of Hard-Disk Drive on the Chassis Tray Assembly . . . . . . . . . 86Figure 25 DIMM Socket Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91Figure 26 Power Supply Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101



Tables

Table 1 Command-Line Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Table 2 Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Table 3 Check Point IP560 Security Platform Specifics . . . . . . . . . . . . . . . . . . . . 15Table 4 System Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Table 5 Power Supply Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Table 6 NIC PCI Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49



About this Guide

This manual provides information for the installation and use of the Check Point IP560 security platforms. Installation and maintenance should be performed by experienced technicians or Check Point-approved service providers only. This preface provides the following information:

In this GuideConventions this Guide Uses060306

In this GuideThis guide is organized into the following chapters and appendixes:

Chapter 1, “Overview” presents a general overview of the Check Point IP560 security platform.Chapter 2, “Installing the Check Point IP560 Appliance” describes how to rack-mount the appliance.Chapter 3, “Performing the Initial Configuration” describes how to physically connect the Check Point IP560 security platform to a network and to a power source and how to make the security platform available on the network.Chapter 4, “Installing and Replacing Network Interface Cards” describes how to install, monitor, and replace network interface cards (NICs).Chapter 5, “About IP560 Appliance Network Interface Cards” describes how to connect to and use each of the supported NICs.Chapter 6, “Installing, Using, and Replacing ADP Modules” describes how to use Accelerated Data Path (ADP) services modules with your IP560 appliance.Chapter 7, “Installing and Replacing Components Other than Network Interface Cards (NICs) and Accelerated Data Path (ADP) Services Modules” describes how to install or replace memory, hard disk drives, the fan unit, power supply, battery, compact flash memory card, PC card, and the Check Point encryption accelerator card.Chapter 8, “Troubleshooting” discusses problems you might encounter and proposes solutions to these problems.Appendix A, “Technical Specifications” provides technical specifications such as interface characteristics.


Appendix B, “Compliance Information” provides compliance and regulatory information.

Conventions this Guide UsesThe following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.

Notices

WarningWarnings advise the user that either bodily injury might occur because of a physical hazard, or that damage to a structure, such as a room or equipment closet, might occur because of equipment damage.

CautionCautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.

NoteNotes provide information of special interest or recommendations.

Command-Line ConventionsThis section defines the elements of commands that are available in Check Point Network Security Solutions products. You might encounter one or more of the following elements on a command-line path.


Conventions this Guide Uses

Table 1 Command-Line Conventions

Convention Description

command This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Check Point product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters.

Italics Indicates a variable in a command that you must supply. For example:delete interface if_name

Supply an interface name in place of the variable. For example:delete interface nic1

angle brackets < > Indicates arguments for which you must supply a value:retry-limit <1–100>

Supply a value. For example:retry-limit 60

Square brackets [ ] Indicates optional arguments.delete [slot slot_num]

For example:delete slot 3

Vertical bars, also called a pipe (|)

Separates alternative, mutually exclusive elements. framing <sonet | sdh>

To complete the command, supply the value. For example:framing sonetorframing sdh

-flag A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen.

.ext A filename extension, such as .ext, might follow a variable that represents a filename. Type this extension exactly as shown, immediately after the name of the file. The extension might be optional in certain products.

( . , ; + * - / ) Punctuation and mathematical notations are literal symbols that you must enter exactly as shown.

' ' Single quotation marks are literal symbols that you must enter as shown.


1

Text ConventionsTable 2 describes the text conventions this guide uses.

060306

Table 2 Text Conventions

Convention Description

monospace font Indicates command syntax, or represents computer or screen output, for example:Log error 12453

bold monospace font Indicates text you enter or type, for example:# configure nat

Key names Keys that you press simultaneously are linked by a plus sign (+):Press Ctrl + Alt + Del.

Menu commands Menu commands are separated by a greater than sign (>):Choose File > Open.

The words enter and type Enter indicates you type something and then press the Return or Enter key.Do not press the Return or Enter key when an instruction says type.

Italics • Emphasizes a point or denotes new terms at the place where they are defined in the text.

• Indicates an external book title reference.• Indicates a variable in a command:

delete interface if_name


1 Overview

This chapter provides an overview of the Check Point IP560 security platform and the requirements for its use. The following topics are covered:

About the Check Point IP560 Security PlatformManaging the Check Point IP560 Security PlatformCheck Point IP560 Security Platform OverviewLogging OptionsPower Supply and Fan UnitSite Requirements, Warnings, and CautionsSoftware RequirementsProduct Disposal

About the Check Point IP560 Security PlatformThe Check Point IP560 security platform combines the power of the Check Point IPSO for IP appliances operating system with Check Point VPN-1 enterprise applications. The Check Point IP560 security platform is a mid-range, multi-port security platform that is ideally suited for the enterprise data center. Table 3 presents specifics about the IP560.

The IP560 is a one rack-unit disk-based or flash-based appliance that incorporates a serviceable slide-out tray into the chassis design. In its base configuration, the IP560 consists of:

Solid state IDE compact flash memory.In disk-based appliances, the IPSO operating system and Check Point application are stored on the hard drive, and the boot manager is stored in the flash memory.

Table 3 Check Point IP560 Security Platform Specifics

Platform Initial Memory Configuration Upgradeable RAM

Check Point IP560

1 GB 2 GB


1 Overview

In flash-based appliances, the IPSO operating system, Check Point application, and boot manager are stored in the flash memory.Hard-disk drive in disk-based appliances.1 GB system RAM.AC power supply.Fan unit.Encryption acceleration card to further enhance VPN performance.

The front panel of the IP560 security platform contains:Four PMC slots for network interfaces cards (NICs) and Check Point Accelerated Data Path (ADP) services modules for IP appliances, including:

a single-slot PCMCIA PMC option slot in slot 3a four-port Ethernet 10/100/1000 interface in slot 4

A console portAn auxiliary portFront-panel reset button

NoteAny slot can be used for an Ethernet NIC. The PCMCIA PC card carrier that comes preinstalled in slot 3 is removable; slot 3 can accept a Check Point-approved NIC. For ADP modules usage information, see Chapter 6, “Installing, Using, and Replacing ADP Modules.”

The network interfaces provide exceptional data forwarding and monitoring performance when used with Check Point and partner applications. The network interfaces are designated for management, monitoring, and high-availability traffic.For flash-based appliances, you can purchase optional 2.5-inch hard-disk drives to use for logging.The IP560 security platform is designed to meet other mid- to high-end availability requirements, including port density for connections to redundant internal, external, DMZ, and management networks. In addition, the IP560 security platform provides N + 1 cooling.As a network device, the IP560 security platform supports a comprehensive suite of IP-routing functions and protocols.The integrated router functionality eliminates the need for separate intranet and access routers in security applications.

Managing the Check Point IP560 Security PlatformYou can manage the IP560 security platform by using the following interfaces:

Check Point Network Voyager for IP appliances—an SSL-secured, Web-based element management interface to Check Point IP security platforms. Check Point Network Voyager is preinstalled on the IP560 security platform and enabled through the IPSO operating


Check Point IP560 Security Platform Overview

system. With Network Voyager, you can manage, monitor, and configure the IP560 security platform from any authorized location within the network by using a standard Web browser. Use one of the four Ethernet ports to access the Network Voyager interface.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.The IPSO command-line interface (CLI)—an SSHv2-secured interface that enables you to easily configure Check Point IP security platforms from the command line. Everything that you can accomplish with Network Voyager—manage, monitor, and configure the IP560 security platform—you can also do with the CLI. For information about how to access the CLI, see the Check Point CLI Reference Guide for IPSO v3.6 or later.Check Point Horizon Manager for IP appliances—a secure GUI-based software image management application. With Horizon Manager, you can securely install and upgrade the Check Point proprietary IPSO operating system, plus hardware and third-party applications such as Check Point VPN-1. Horizon Manager can perform installations and upgrades on up to 2,500 Check Point IP security platforms, offering administrators the most rapid and dependable method to perform Check Point application upgrades.For information about how to obtain Horizon Manager, see the Check Point Web stie at www.checkpoint.com.

Check Point IP560 Security Platform OverviewFigure 1 shows the component locations for the IP560.

Figure 1 Component Locations Front View

00350

SLOT 1 SLOT 2 SLOT 3 SLOT 4

1234

IP560

System status LEDs

AUX portConsole port Four-port Ethernet 10/100/1000 (slot 4)

PC-card slot (slot 3)PMC NIC and ADP module slots(slots 1 and 2)—unpopulated in base bundle

Reset button


1 Overview

Four-Port 10/100/1000 Ethernet NICThe four-port 10/100/1000 Mbps Ethernet ports are located in slot 4. Figure 2 shows the layout of the Ethernet ports and link LEDs. The top link LED represents the left-most port (port 1). The remaining LEDs represent the remaining ports from top to bottom and left to right.

NoteThe Ethernet ports are intended for management or high-speed traffic.

Figure 2 Four-Port 10/100/1000 Ethernet PMC Details

CautionCables that connect to the Ethernet card must be compliant with IEEE 802.3ab, Cat 5E, or Cat 5 cables to prevent potential data loss.

PMC Expansion SlotsThe IP560 security platform provides two additional PMC expansion slots for NIC and ADP module options.For information about NICs, see Chapter 4, “Installing and Replacing Network Interface Cards” and Chapter 5, “About IP560 Appliance Network Interface Cards.”For information about ADP modules, see Chapter 6, “Installing, Using, and Replacing ADP Modules.”Check Point products only support NICS and ADP modules purchased from Check Point or Check Point-approved resellers. The Check Point Global Support Services group can only provide support for Check Point products that use Check Point-approved accessories. For sales or reseller information, see the Check Point Web site at www.checkpoint.com.

00120a

RJ-45 connectors

LInk LEDs (green)Port 2 Port 4Port 1 Port 3



Connecting to the Console or Auxiliary Port with the Supplied Cable

The cable that Check Point provides with IP560 appliances includes a latching mechanism used to secure the cable to the console port or auxiliary port of your appliance.

NoteTo use the cable for modem connections from the auxiliary port, you need to order a modem cable kit. For information about contacting Check Point to order the kit, see “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.

NoteThe cable described in this section is a rollover cable, which is required for IP560 console and auxiliary port connections. You cannot use standard Ethernet cables for IP560 console and auxiliary connections.

To connect the cable, push the connector into the receptacle, as you would with other similar cables. To disconnect the cable, push the cable toward the appliance, pull back on the boot to release the latch, and pull the connector out of the receptacle.

1 + 2 =

2

1

00548a

Push cable

Pull boot

To connect the cable

To disconnect the cable


1 Overview

You can connect the other end of the cable to a DB-9 console connection (using the appliance console port and the DB-9 female adaptor) or to a DB-25 modem connection (using the appliance auxiliary port and the DB-25 male adaptor). The DB-9 adapter is provided with the cable. The DB-25 adaptor is provided with Check Point modem cable kits for the IP560.

Console PortThe default configuration of the serial ports are: 9600 baud, 8 bits, no parity, and 1 stop. Figure 3 provides pin assignment information for console connections. If you need to access the devices locally, you must use the console port.

Figure 3 Pin Assignments for Console Connector and Console Cable

The console cable provided with the IP560 is comprised of two parts:a 6-foot rollover cable with RJ-45 terminationsan RJ-45 to DB-9 adapter

00552DB-9 female adapter DB-25 male adapter

Console Port (DTE)

RJ-45 to RJ-45 Rollover Cable

RJ-45 to DB-9 Terminal Adapter Console Device

Signal RJ-45 Pin RJ-45 Pin DB-9 Pin Signal

RTS 1 8 8 CTS

DTR 2 7 6 DSR

TxD 3 6 2 RxD

GND 4 5 5 GND

GND 5 4 5 GND

RxD 6 3 3 TxD

DSR 7 2 4 DTR

CTS 8 1 7 RTS



On the opposite end of the console cable, connect the RJ-45 to the DB-9 adapter, which you can then connect to the host terminal.

Auxiliary PortUse the built-in serial (AUX) port, shown in Figure 1, to establish a modem connection for managing the appliance remotely or out-of-Band. The default configuration of the serial ports are: 9600 baud, 8 bits, no parity, and 1 stop. bit.Figure 4 provides pin assignment information for modem connections.

Figure 4 Pin Assignments for Auxiliary and Modem Cables

System Status LEDsYou can visually monitor the status of the IP560 security platform by checking the system status LEDs. The system status LEDs are located on the center of the front panel, as shown in Figure 5.

Auxiliary Port (DTE)

RJ-45 to RJ-45 Rollover Cable

RJ-45 to DB-25 Modem Adapter Modem

Signal RJ-45 Pin RJ-45 Pin DB-25 Pin Signal

RTS 1 8 4 RTS

DTR 2 7 20 DTR

TxD 3 6 3 TxD

GND 4 5 7 GND

GND 5 4 7 GND

RxD 6 3 2 RxD

DSR 7 2 8 DCD

CTS 8 1 5 CTS


1 Overview

Figure 5 Check Point IP560 Security Platform System Status LEDs

The location and definition of the status LEDs for the installed network interface cards (NICs) is described in Chapter 5, “About IP560 Appliance Network Interface Cards.”The location and definition of the status LEDs for ADP modules is described in Chapter 6, “Installing, Using, and Replacing ADP Modules.”

NoteThe symbols in Table 4 are visible only if there is an alarm condition, as specified.

Logging OptionsThe IP560 supports an option for storing local system log files, as described in “Configuring a Hard-Disk Drive for Logging” on page 89.

Table 4 shows the system status LEDs and describes their meaning.

Table 4 System Status LEDs

Status Indicator Definition Symbol

Solid yellow Appliance is experiencing an internal voltage problem.

Blinking yellow Appliance is experiencing a temperature problem.

Solid red One or more fans are not operating properly.Power supply over temperature fault.

Blinking green System activity indicator

00351

SLOT 2 SLOT 3 SLOT 4

1234

Fault (red)

Warning(yellow)

System OK (green)

!

!


Power Supply and Fan Unit

Power Supply and Fan UnitThe power supply and fan unit are located at the rear of the IP560 appliance, as shown in Figure 6.

Figure 6 Power Supply and Fan Unit Locations

Power SupplyThe IP560 supports one power supply. The power supply is autosensing and can accept input voltages between 47Hz-64Hz and 85VAC-264VAC. The power supply output is regulated to a tolerance of ± 5 percent of the specified output voltage.

Figure 7 Power Supply, Fan, and Power Switch Locations

For information about how to install or remove and replace a failed power supply, see “Replacing a Power Supply” on page 100.The power supply status LEDs provide the status of the power supply as described in Table 5.

00353

Power supply

Fan unit

00353

AC power receptacle

Integrated power supply cooling fan

Power supply switch

Power supply


1 Overview

Fan UnitThe IP560 fan is a single unit made up of four individual fans to provide the air flow required to maintain a proper operating temperature. The fan unit can provide proper airflow for a short time even if an individual fan fails.

Figure 8 Fan Unit

CautionIf an individual fan fails, replace the fan unit as soon as possible. For information about how to replace a failed fan unit, see “Replacing a Fan Unit” on page 99.

The system status LEDs on the front panel of the appliance show the status of the fan unit. For more information about the system status LEDs, see “System Status LEDs” on page 21.

Table 5 Power Supply Status LEDs

LED LED status Meaning

Fault Red Power supply has a voltage problem and power was turned off.orOne power supply in a redundant system is not turned on.

Over Temp Yellow Power supply has an internal temperature problem. All power to the unit is turned off. After the internal temperature returns to normal, power will be turned back on.

PWR OK Green Power is on and the power supply is functioning properly.

00362


Site Requirements, Warnings, and Cautions

Site Requirements, Warnings, and CautionsBefore you install a Check Point IP560 security platform, ensure that your computer room or wiring closet conforms to the environmental specifications listed in Appendix A, “Technical Specifications.”

WarningExcessive electromagnetic interference (EMI) can occur if you use controls, make performance adjustments, or follow procedures that are not described in this document.

WarningTo reduce the risk of fire, electric shock, and injury when you use telephone equipment, follow basic safety precautions. Do not use the product near water.

WarningOn Check Point IP560 security platforms intended for shipment outside of the United States, the cord set might be optional. If a cord set is not provided, use a power cord rated at 10A, 250V, maximum 15 feet long, made of HAR cordage and IEC fittings approved by the country of end use.

CautionReplace the battery only with the same or equivalent type battery recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.

CautionDo not block any of the ventilation holes on the appliance. The components might overheat and become damaged.

Software RequirementsThe Check Point IP560 security platform supports the following operating system and applications as of the publication date for this guide:

Check Point operating system software requirements—IPSO v4.0.1 or laterCheck Point VPN-1 versions compatible with the version of Check Point IPSO you are using

For information about updates to the software requirements or additional applications that have become available since this guide was published, see the Check Point Support Center at http://support.checkpoint.com.


1 Overview

Product Disposal

This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it over to a designated collection point for the recycling of waste electrical and electronic equipment. The separate collection and recycling of your waste equipment at the time of disposal will help to conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment. For more information about where you can drop off your waste equipment for recycling, please contact your local city office or your household waste disposal service.


2 Installing the Check Point IP560 Appliance

This chapter describes how to install the IP560 appliance. The following topic is discussed:Before You BeginRack-Mounting the Appliance

Before You BeginTo rack-mount the appliance, you need:

Phillips-head screwdriverGrounding wrist strapSuitable, grounded work surface on which to place the chassis tray assembly

CautionTo help guard against electrostatic discharge damage, make sure you are properly grounded by using a grounding wrist strap and following the instructions provided with the wrist strap before you handle the components or open the appliance.

Rack-Mounting the ApplianceThe Check Point IP560 security platform mounts in a standard 19-inch equipment rack with four mounting screws, as Figure 9 shows.

NoteTo avoid damaging your equipment, Check Point recommends that you use all four rack-mounting bolts when you install your appliance on the rack.



Figure 9 Rack-Mounting Screw Locations

Two rack-mounting positions allow you to mount the appliance either flush with the rack, or two inches forward of the equipment rack. If the space behind the rack is insufficient, the rack-mounting brackets can be attached further back on the side of the appliance.

CautionDuring installation, do not block any ventilation openings. Doing so might result in damage to the appliance when it is turned on.

To rack-mount the appliance

CautionThe appliance is heavy. Use care when you remove it from the packaging.

1. Remove the appliance from the packaging.2. Optionally, remove the fan unit from the back of the appliance to lighten it.

a. Locate the fan unit and the two retaining screws that secure it on the back of the IP560.

b. Loosen the retaining screws by turning them counterclockwise.

00354


1234

IP560

Rack-mounting screw locations

00353

Fan unit


Rack-Mounting the Appliance

c. Slowly pull the fan unit out of the chassis toward the rear.

3. Optionally, remove the power supply from the rear of the appliance to lighten it, as shown in the illustration above.a. Locate the power supply on the back of the IP560 and the two screws that secure it.

b. Remove the two retaining screws.c. Use the handles to gently pull the power supply out of the chassis.

00363

0035300353

Power supply

00364



4. Optionally, remove the chassis tray assembly from the appliance.a. Loosen the two chassis tray assembly retaining screws from the front panel of the

appliance.

b. Press the latch on the right to release the chassis tray assembly.

c. Slide the chassis tray assembly forward and pull it entirely out of the appliance.

d. Place the chassis tray assembly on a properly grounded surface.5. Adjust the mounting brackets on the side of the appliance if necessary.

00354


1234

IP560

Chassis tray assembly retaining screws

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00520

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00360


Rack-Mounting the Appliance

6. Mount the appliance into a standard 19-inch rack by using the mounting screws located on the mounting brackets. You can also install the rear brackets for additional chassis support, as shown in the following figure.

7. Slide the chassis tray assembly back into the appliance until it clicks into place, and resecure the two chassis tray assembly retaining screws.

8. Reinstall the fan unit into the rear of the appliance.9. Reinstall the power supply.After you rack-mount the appliance, you can ground it by using the grounding lugs provided.

00554

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00359




3 Performing the Initial Configuration

The first time you turn on power to a Check Point IP560 security platform, the initial configuration process begins. This process enables you to configure the network settings and provides access to the admin account. You can perform the initial configuration in two ways:

Configure a DHCP server to provide the initial configuration information the first time the appliance is started. Perform the initial configuration manually by using a console connection.

This chapter describes how to perform the initial configuration manually by using a console connection. It includes the following sections:

Using a Console ConnectionConnecting Power and Turning the Power OnPerforming the Initial ConfigurationConnecting Network InterfacesUsing Check Point Network VoyagerUsing the Command-Line InterfaceUsing Check Point Horizon Manager

For information about how to use the DHCP client for initial configuration, see the Read Me First document, Using DHCP to Configure Your Appliance, included with the appliance.

NoteCheck Point recommends that you physically install all NICs, ADP modules , and other hardware components before you perform the initial configuration procedure this chapter describes. For information about how to install NICs, see Chapter 4, “Installing and Replacing Network Interface Cards.” For information about how to install ADP modules, see Chapter 6, “Installing, Using, and Replacing ADP Modules.”For information about how to install other components, see Chapter 7, “Installing and Replacing Components Other than Network Interface Cards (NICs) and Accelerated Data Path (ADP) Services Modules.”



Using a Console ConnectionIf you do not use DHCP to perform the initial configuration of your Check Point IP560 security platform, you must use a serial console connection (cable included). After you perform the initial configuration, you no longer need the console connection.You can use any standard VT100-compatible terminal with an RS-232 data terminal equipment (DTE) interface or terminal-emulation program configured with the following settings for the console:

9600 bps8 data bitsNo parity1 stop bit

To connect to the console1. Connect the supplied null-modem cable (console cable) to the console port on the front

panel of the IP560.

NoteThe supplied console cable is Cisco compatible.

Use only the RJ-45 port labeled Console on the front panel; the serial (AUX) port is an auxiliary modem port.One RJ-45 termination has a retractable shroud that releases or secures the RJ-45 tab.

NoteFor information about using the cable Check Point supplies, see “Connecting to the Console or Auxiliary Port with the Supplied Cable” on page 19.

If you connect the console port to a data communications equipment (DCE) device, use a straight-through cable.

For cable pin assignments for the console connection, see “Console Port” on page 20.2. Connect the other end of the cable to the VT100 console or to a system running a terminal-

emulation program.

00350


1234

IP560

Console port


Connecting Power and Turning the Power On

Connecting Power and Turning the Power OnA power switch and a receptacle for the power cord are located on each power supply on the back of the appliance as shown in Figure 10.

Figure 10 Power Switch Location

CautionTo avoid potential service interruptions from momentary facility power interruptions and potential power spikes that might damage your equipment, Check Point strongly recommends that you use an uninterruptible power supply (UPS) with surge protection with your IP560.

To connect the power supply1. Connect the power cord securely into the power cord receptacle on the power supply. 2. Plug the other end of the power cord into a three wire grounded power strip or wall outlet.3. Toggle the 1/O power switch to the 1 position to provide power to the IP560.

The fan unit on the power supply turns on when you press the power switch. Verify that the power supply fans are running after you press the switch.

NoteThe IP560 power supply automatically detects the input voltage (115 VAC or 220 VAC [85 to 264]) and configures itself appropriately.

4. If the fans are not running, or if the power LED is not illuminated, make sure:The power cord is properly connected.The power supply switch is on.The chassis tray assembly is pushed all the way in from the front of the appliance.That power is turned on to the power strip or wall receptacle into which you plugged the appliance.

If the fans are still not running, contact your Check Point service provider or Check Point Support Center at http://support.checkpoint.com.

00353

Power cord receptaclePower switch

Power supply



Performing the Initial ConfigurationIf you do not use DHCP to perform the initial configuration of your Check Point IP560 security platform, you must use a serial console connection (cable included). After you perform the initial configuration, you no longer need the console connection.

To perform the initial configuration1. Press the power switch to the “on” position to turn on power to the appliance.

The fans on the back of the appliance turn on when you press the power switch. Verify that the fans are running after you press the switch.Check the power LED on the front panel of the appliance (the Check Point logo) to ensure that the power supply is operating correctly. The power LED should be illuminated. For more information about the system status LEDs, see “System Status LEDs” on page 21.If the power supply fans are not running, or if the power LED is not illuminated:

Check the power supply cord to make sure it is properly connected.Make sure the power switch is on.Make sure the chassis tray assembly is pushed all the way in from the front of the appliance and that the front panel retaining screws are tightened.Make sure that power is turned on to the power strip or wall receptacle you plugged the appliance in to.

If the fans are still not running, or if the power LED does not illuminate, contact your Check Point service provider as listed in “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2for technical support.

2. At the console a series of startup messages appears, then the console prompt appears.The prompt remains on the screen for about five seconds. If you type any character during this time, the appliance activates the Check Point IPSO boot manager.BOOTMGR[0]>

00353

Power supply

Fan unit


Performing the Initial Configuration

NoteFor information about using the boot manager, see the Check Point IPSO Boot Manager Reference Guide.

After some miscellaneous output, the following prompt appears:Hostname?

If the Hostname? prompt does not appear on the console, check the console port and console display connections to ensure that the serial cable is completely plugged in at both ends. If you verify the console connections and still do not see either the BOOTMGR> or Hostname? prompts, verify that the terminal or terminal emulator program settings are correct. If the settings are correct, contact your Check Point service provider as listed in “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.

3. Respond to the Hostname? prompt within 30 seconds to prevent the DHCP client from starting.If the DHCP client starts, it might configure the appliance with an incorrect host name and IP address (this could happen if a DHCP server on your network is configured to respond to any request). To reset the incorrect host name and IP address:a. Establish a console connection to the appliance.b. Log into the system using the user name admin and the password password.c. Enter the following:

rm /config/active

ormv /config/active /config/active.old

d. Reboot the appliance.e. Respond to the Hostname? prompt within 30 seconds to prevent the DHCP client from

restarting.4. At each subsequent prompt, enter the requested configuration information.

For more information about how to respond to the prompts during the initial configuration process, see the release notes for the Check Point software release you are running.

5. To select an interface, enter the number adjacent to the physical ID in the list of connected interfaces.

NoteA physical ID identifies the interface type (nic_type) and provides information about its slot number (slot_num) and port number (port_num). The physical ID syntax is:

nic_type-sslot_num/pport_num



For example, the physical ID for the first port of a two-port Ethernet NIC in slot 1 would be:

eth-s1/p1

The Ethernet interface ports are numbered.

After you complete the initial configuration, you can use Check Point Network Voyager to configure the remaining network ports.

Connecting Network InterfacesConnect at least one network interface to the network to use as the Check Point Network Voyager system-management interface. This interface is configured during the initial configuration process, which is described in Chapter 3, “Performing the Initial Configuration.”You can also connect the remaining LAN interface cables at this point, although you are not required to do so.

NoteCheck Point recommends that you use one of the four front-panel Ethernet ports for this connection.

To connect Ethernet devices, use a straight-through RJ-45 cable to connect to a 10-Mbps or 100-Mbps or 1000-Mbps hub.

For details, see “Ethernet NIC Connectors and Cables” on page 51.To connect Gigabit Fiber Ethernet devices, use a fiber-optic cable with an LC connector for each interface. The destination end of the cable can be either LC or SC, depending on the type of connector required for the destination Gigabit Ethernet device.For details, see “Fiber-Optic Gigabit Ethernet NIC Features” on page 56.

Using Check Point Network VoyagerUse Check Point Network Voyager to configure and monitor your appliance.

To open Check Point Network Voyager1. Open a Web browser on the host you plan to use to configure or monitor your appliance.2. In the Location or Address field, enter the IP address of the initial interface you configured

for the appliance.You are prompted to enter the admin username and the password you entered when you performed the initial configuration.


Using Check Point Network Voyager

NoteIf the username login screen does not open, you might not have a physical network connection between the host and your appliance, or you might have a network routing problem. Confirm the information you entered during the initial configuration and check that all cables are firmly connected. For more information, see the troubleshooting section in the installation guide for your appliance.

Viewing Check Point IPSO Documentation by Using Check Point Network Voyager

The following documentation is available from the Check Point Network Voyager interface, as shown in Figure 11:

Network Voyager Reference Guide—This guide is the comprehensive reference source for Check Point Network Voyager. To access this source, look at the list in the navigation tree on the left side of the window (as shown in Figure 11).You can also access this guide and other Check Point IPSO documentation at the Check Point Support Center at http://support.checkpoint.com/. Network Voyager online help—You can access online help when you use Check Point Network Voyager. Online help is the context-sensitive information source for Check Point Network Voyager. To access online help for the window you are viewing, click Help. A Close button is available at the bottom of each online help window you view.





Figure 11 Check Point Network Voyager Reference Access Points

Using the Command-Line Interface You can also use the Check Point IPSO command-line interface (CLI) to manage and configure Check Point IP security appliances from the command line. Nearly everything that you can accomplish with Check Point Network Voyager you can also do with the CLI.

To access the command-line interface1. Log on to the appliance by using a command-line connection (SSH, console, or Telnet) over

a TCP/IP network as an admin, cadmin, or monitor user:If you log in as a cadmin (cluster administrator) user, you can change and view configuration settings on all the cluster nodes. For information about how to administer a cluster, see the traffic management commands section in the CLI Reference Guide for the version of Check Point IPSO you are using.

2. If you log in as a monitor user, you can execute only the show form of commands. That is, you can view configuration settings, but you cannot change them.

You can now execute CLI commands from the CLI shell and the Check Point IPSO shell. The Check Point IPSO shell is what you see when you initially log on to the appliance.

Link to complete user documentation

Link to online help (context sensitive help)


Using Check Point Horizon Manager

For more information about how to access and use the CLI, see the CLI Reference Guide for the version of Check Point IPSO you are using.

Using Check Point Horizon ManagerCheck Point Horizon Manager is an extension of the Check Point Network Voyager management functionality.While Check Point Network Voyager provides the device administrator access to network configuration tasks (such as interface configuration and routing configuration) and security configuration tasks (such as user configuration and access configuration), Check Point Horizon Manager concentrates on secure software image, inventory, and platform management of Check Point IP security platforms.Using Check Point Horizon Manager, an administrator can obtain configuration information, upgrade (or downgrade) the operating system, perform application installations, and distribute necessary licensing to multiple platforms simultaneously, thereby reducing potential human error and improving productivity.Using Check Point Horizon Manager, a network security professional can manage multiple devices simultaneously, perform parallel software upgrades, device verifications, device configuration, file backups, and more.Check Point Horizon Manager is designed to manage and configure a large number of Check Point IP security appliances that reside on a corporate enterprise, managed service provider (MSP), or hosted applications service provider network (ASP).For information about how to obtain Check Point Horizon Manager or to learn more about the Check Point Horizon Manager, see the Check Point Web site at www.checkpoint.com.

Execute from To Implement Purpose

Check Point IPSO command line

Enter the following command to invoke the CLI shell:clishThe prompt changes, and you can then enter CLI commands.

Enter any CLI commands in an interactive mode with help text and other helpful CLI features.

Check Point IPSO command line

Enterclish -c “cli-command”

Execute a single CLI command. You must place double-quotation marks around the CLI command.

Command files From inside the CLI shell, enter load commands filename

Load commands from a text file that contains commands. The argument must be the name of a regular file.


http://www.checkpoint.com/



4 Installing and Replacing Network Interface Cards

Your Check Point IP560 security platform comes with any network interface cards (NICs) and Accelerated Data Path (ADP) services modules you ordered already installed. All NICs and ADP modules installed in the appliance are housed in PMC expansion slots. You should have a working knowledge of networking equipment before you attempt to service a appliance.This chapter describes how to remove, add, or replace NICs later if it becomes necessary. For information about ADP modules, see Chapter 6, “Installing, Using, and Replacing ADP Modules.”The following topics are covered:

Deactivating Configured InterfacesInstalling NICsConfiguring and Activating InterfacesMonitoring Network Interface Cards

For detailed information on specific network interface cards, see Chapter 5, “About IP560 Appliance Network Interface Cards.”

CautionLimit service of the appliance to the procedures described in this chapter.


Deactivating Configured InterfacesIf you are removing or replacing an installed NIC, use Check Point Network Voyager to deactivate any configured ports on the NIC before removing it.

Deactivate all of the logical interfaces on the NIC.



Deactivate all of the physical interfaces on the NIC.If you do not deactivate the interfaces before removing the NIC, you may have to reinstall the NIC to deactivate its logical and physical interfaces in Network Voyager.For information about how to access Network Voyager, see “Using Check Point Network Voyager” on page 38.

Installing NICs

NoteBefore removing a configured network interface card with these instructions, you must deactivate the NIC by using Check Point Network Voyager. For additional information, see “Deactivating Configured Interfaces” on page 43.

Use these instructions to install a NIC in the IP560. Some steps are not applicable to all procedures. The instructions point out steps appropriate to each procedure.

Before You BeginTo install a Check Point NIC, you need the following:

A Phillips-head screwdriverPhysical access to the applianceAccess to the appliance by using Check Point Network Voyager or the CLIA suitable, grounded work surface A field replaceable unit kit, including the NIC

NoteYou do not need to manually disconnect power for this procedure. Any servicing of the appliance, however, should be completed with the chassis tray assembly fully removed from the appliance.

To install a network interface card1. Use Check Point Network Voyager or command-line interface (CLI) to perform an orderly

shutdown of the IP560 appliance. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

2. Turn off the power to the IP560 appliance.


Installing NICs

3. Loosen the two front panel retaining screws.

4. Slide the chassis tray assembly forward, pressing the release tab on the right side of the assembly, and completely remove the chassis to expose the motherboard components.

5. Place the chassis tray assembly on a table top.

00354


1234

IP560


SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00520



6. From underneath the chassis tray assembly, remove the bezel retaining screws.

If you are installing a NIC in an unoccupied slot, remove the blank bezel that occupies the space in the appliance front panel and retain it for future use.

7. Insert the new NIC.a. Insert the NIC bezel into the front panel.

b. Gently push the back of the NIC down toward the chassis tray assembly.

SLOT 1

SLOT 2

00440

SLOT 1

SLOT 2

00443


Installing NICs

Make sure that the NIC edge is completely seated into the connectors on the chassis tray assembly.

8. From the top of the chassis tray assembly, screw the NIC retaining screws into the standoffs on the back of the NIC.

9. From beneath the chassis tray assembly, screw in the bezel retaining screws.

10. Insert and close the chassis tray assembly until it clicks into place.

The Check Point IPSO operating system automatically recognizes the NIC and applies the original configuration to the new NIC.

SLOT 1

SLOT 2

00441

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00519



11. Tighten the retaining screws that hold the chassis tray assembly.

12. Turn the power on.

Configuring and Activating InterfacesThe IP560 appliance automatically detects any new NIC when the appliance is restarted. Use Check Point Network Voyager to configure and activate the logical and physical interfaces on the NIC.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

Monitoring Network Interface CardsYou can asses the general operating condition of the NICs in your appliance by looking at the LED status indicators on the NICs. The status indicators for each NIC are explained in the NIC reference chapter.For the status indicator information for the built-in 10/100/1000 Ethernet ports, see “Four-Port 10/100/1000 Ethernet NIC” on page 18.For the status indicator information for the four-port 10/100 Ethernet NIC, see “Four-Port 10/100 Ethernet NIC” on page 50.For the status indicator information for the built-in Ethernet ports or the two-port copper Gigabit Ethernet NIC, see “Four-Port and Two-Port Copper Gigabit Ethernet NIC (10/100/1000)” on page 52.For the status indicator information for the built-in Ethernet ports or the two-port fiber-optic Gigabit Ethernet NIC, see “Two-Port Fiber-Optic Gigabit Ethernet NICs” on page 56.Use Network Voyager to access detailed port information. For information about accessing Network Voyager, see “Using Check Point Network Voyager” on page 38. You can also use the IPSO tcpdump command to examine the track on a specific port.

00354


1234

IP560



5 About IP560 Appliance Network Interface Cards

This chapter describes the network interface cards available for the Check Point IP560 security platform and how to connect those NICs to your network. The following NICs are described:

Four-Port 10/100 Ethernet NICFour-Port and Two-Port Copper Gigabit Ethernet NIC (10/100/1000)Two-Port Fiber-Optic Gigabit Ethernet NICs

For instructions about how to add or replace NICs, see Chapter 4, “Installing and Replacing Network Interface Cards.”The NICs supported in the Check Point IP560 security platform operate at the peripheral component interconnect (PCI) frequency listed in Table 6.

CautionTo protect the IP560 and the memory modules from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance.

Table 6 NIC PCI Frequency

NIC or interface port Maximum PCI operation supported

Four-port 10/100 Ethernet 133 MHz

Four-port copper Gigabit Ethernet (10/100/1000)Two-port copper Gigabit Ethernet (10/100/1000)

133 MHz133 MHz

Two-port fiber-optic Gigabit Ethernet 133 MHz



Four-Port 10/100 Ethernet NICThe IP560 supports Check Point-approved, four-port UTP5 dual-mode (10-Mbps and 100-Mbps) Ethernet NICs installed in a PMC expansion slot. When you purchase a 10/100 Ethernet NIC with your IP560, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 4, “Installing and Replacing Network Interface Cards.”

10/100 Ethernet NIC FeaturesThe four-port 10/100 Ethernet NIC supports PCI operation at 133 MHz and runs on Check Point IPSO v4.0.1 or higher.In the IP560, the four-port Ethernet NIC supports the following features:

Tracing through tcpdumpHigh bandwidthFull-duplex mode operation up to 100 Mbps Link speed auto advertising (10/100)PCI operation at 133 MHzCompliance with IEEE 802.3ab Gigabit Ethernet specifications

You can configure and monitor Ethernet NIC interfaces by using Check Point Network Voyager. Specifically, you set the port speed and full-duplex or half-duplex mode with Network Voyager. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

Figure 12 Four-Port 10/100 Ethernet NIC Front Panel Details

After the power is turned on and the cables are connected, the Ethernet link LEDs on both the IP560 and on the remote equipment illuminate to indicate the connection. As data is transmitted, the activity LEDs on the appliance illuminate.

00641

3211234

4

1000 BaseT

Link LEDs (solid green)Activity LEDs (blinking green)

Ports


Four-Port 10/100 Ethernet NIC

Ethernet NIC Connectors and CablesThe Ethernet connectors on the four-port 10/100 Ethernet NICs are RJ-45 connectors. Use a straight-through cable to connect the NIC to a 10-Mbps or 100-Mbps hub or switch, or a crossover cable to connect directly to a host. Use ANSI TIA/EIA-568-A/B compliant (Cat 5 or Cat 5e) unshielded twisted pair cable. You can order appropriate adapter cables separately from a cable vendor of your choice.

CautionCables that connect to the Ethernet card must be ANSI TIA/EIA-568-A/B compliant (Cat 5 or Cat 5e) to prevent potential data loss.

Figure 13 shows the pin assignments for the RJ-45 cable. The connector is numbered from right to left, with the copper tabs facing up and toward you.

Figure 13 Output Connector for the Ethernet Cable

00270

Pin Assignment

1 TX +

2 TX -

3 RX +

4

5

6 RX -

7

8

8 1



Figure 14 shows the pin assignments for the RJ-45 cross-over cable.

Figure 14 Ethernet Crossover-Cable Pin Connections

You can also use cables intended for Gigabit Ethernet NIC connections for your Ethernet NIC connections, as shown in Figure 15.

Figure 15 Gigabit Ethernet Crossover Cable Pin Connections

Four-Port and Two-Port Copper Gigabit Ethernet NIC (10/100/1000)

The Check Point IP560 security platform supports Check Point-approved, four-port and two-port copper Gigabit Ethernet NICs installed on a PMC expansion slot. The IP560 can accommodate up to four Gigabit Ethernet NICs.

When you purchase a copper Gigabit Ethernet NIC with your IP560, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 4, “Installing and Replacing Network Interface Cards.”

Copper Gigabit Ethernet NIC Features in the IP560The copper Gigabit Ethernet NIC supports:

Tracing through tcpdump

00017.1

12345678

12345678

00020

12345678

12345678



High bandwidthFull-duplex mode operation up to 1 Gbps Link speed auto advertising (10/100/1000)PCI operation at 133 MHz on the IP560Compliance with IEEE 802.3ab Gigabit Ethernet specifications

The copper Gigabit NICs in the IP560 run on Check Point IPSO v4.0.1 or higher.You can configure and monitor Gigabit Ethernet NIC interfaces with Check Point Network Voyager. Specifically, you can use Network Voyager to set the port speed and full-duplex mode to 1000, 100, or 10 Mbps.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

Figure 16 Four-Port Copper Gigabit Ethernet NIC Front Panel Details

Figure 17 Two-Port Copper Gigabit Ethernet NIC Front Panel Details

NoteThe two-port copper Gigabit Ethernet NIC you use in IP560 appliance must be the Version 2 type, as indicated on the right end of the NIC faceplate. These NICs are sold by Check Point under the order code NIF4425.

00641

3211234

4

1000 BaseT

Link LEDs (solid green)Activity LEDs (blinking green)

Ports

00386.5

LINK

ACT

V2LINK

ACT

1000BaseT

Link LEDs (green or yellow)Activity LEDs (yellow)

Ports



After you turn on the appliance, the Ethernet link LEDs on both the appliance and on the remote equipment illuminate to indicate the connection. As data is transmitted or received, the activity LEDs on the appliance illuminate.

NoteThe Link LED on the NIC is bicolored. A green LED indicates a 1 Gbps link speed, and a yellow LED indicates a 10/100 Mbps link speed. As the NIC transmits data, the activity LEDs on the appliance illuminate.



Copper Gigabit Ethernet NIC Connectors and CablesThe copper Gigabit Ethernet NIC receptacles are for RJ-45 connectors.

CautionCables that connect to the Gigabit Ethernet card must be ANSI TIA/EIA-568-A/B compliant (Cat 5 or Cat 5e) to prevent potential data loss.

To connect to a 1-Gbps hub, switch, or router, use a straight-through RJ-45 cable (Cat 5 or Cat 5e type cable, or as required by your network configuration).In Figure 18, the RJ-45 cable output connector is numbered from right to left, with the copper pins facing up and toward you.

Figure 18 Gigabit Ethernet Cable Connector Output Pin Assignments

To connect directly to a host, use an RJ-45 crossover cable wired as Figure 19 shows.

00270

8 1

Pin#1000 Mbps Assignment

10/100 MbpsAssignment

1 BI_DA+ TX+

2 BI_DA- TX-

3 BI_DB+ RX+

4 BI_DC+

5 BI_DC-

6 BI_DB- RX-

7 BI_DD+

8 BI_DD-



Figure 19 Gigabit Ethernet Crossover Cable Pin Connections

To connect the IP560 to other network components, you can order appropriate adapter cables separately from a cable vendor of your choice.

Two-Port Fiber-Optic Gigabit Ethernet NICsThe IP560 supports Check Point-approved, two-port, fiber-optic Gigabit Ethernet NICs installed on a PMC expansion slot. The IP560 can accommodate up to four Gigabit Ethernet NICs.When you purchase a Gigabit Ethernet NIC with your IP560, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 4, “Installing and Replacing Network Interface Cards.”

Fiber-Optic Gigabit Ethernet NIC FeaturesThe short-range and long-range fiber-optic Gigabit Ethernet NICs support:

High bandwidthFull-duplex mode operation up to 1 Gbps (no half-duplex support)Link speed auto advertisingTracing through tcpdumpCompliance with IEEE 802.3z Gigabit Ethernet specification

The short-range multi-mode fiber (MMF) fiber-optic Gigabit Ethernet NICs in the IP560 run on Check Point IPSO v4.0.1 or higher.The long-range single-mode fiber (SMF) fiber-optic Gigabit Ethernet NICs in the IP560 run on Check Point IPSO v4.2 or higher.You can configure and monitor Gigabit Ethernet NIC interfaces with Check Point Network Voyager. Specifically, you set the port speed and full-duplex mode with Network Voyager. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

00020

12345678

12345678


Two-Port Fiber-Optic Gigabit Ethernet NICs

Figure 20 shows the front panel details for the two-port short-range (1000 BASE-SX) fiber-optic Gigabit Ethernet NIC you can use in IP560 appliance.

Figure 20 PMC Two-Port Short-Range Gigabit Ethernet NIC

Figure 21 shows the front panel details for the two-port long-range (1000 BASE-LX) fiber-optic Gigabit Ethernet NIC you can use in your IP560.

Figure 21 PMC Two-Port Long-Range Gigabit Ethernet NIC

After the power is turned on and the cables are connected, the Ethernet link LEDs on both the IP560 and on the remote equipment illuminate to indicate the connection. As data is transmitted, the activity LEDs on the appliance illuminate.

Fiber-Optic Gigabit Ethernet NIC Connectors and CablesFor short-range NICs, to connect the fiber-optic Gigabit Ethernet NIC to other network components, use a multi-mode, fiber-optic cable with an LC connector for each NIC interface. You can use either 50 or 62.5 micron cable; 50 micron-type cable provides longer transmission reach. For long-range NICs, to connect the fiber-optic Gigabit Ethernet NIC to other network components, use a single-mode, fiber-optic cable with an LC connector for each NIC interface.The destination end of the cable can be either LC or SC, depending on the type of connector required for the destination Gigabit Ethernet device. You can also use a half-duplex LC-to-LC cable to loop back the transmit port of an interface to the receiver port. LC and SC define the fiber-optic connector types; LC connectors are smaller than SC connectors.

00206

GIG

E

Link LEDs (solid green)Activity LEDs (blinking amber)

Ports

00555

LINK

ACT1000B-LX

Link LEDs (solid green)Activity LEDs (blinking amber)

Ports



CautionDepending on the product you order, one or more LC-to-SC cables are included with fiber-optic Gigabit Ethernet NICs. You can order additional cables from a cable vendor of your choice.Cables that connect to the Gigabit Ethernet NIC must be IEEE 802.3z compliant to prevent potential data loss.


6 Installing, Using, and Replacing ADP Modules

This chapter describes the Accelerated Data Path (ADP) services modules available for the Check Point IP560 appliance and how to connect those modules to your network. It includes the following sections:

Installing and Replacing ADP ModulesCheck Point ADP Module LED Reference InformationConfiguring Check Point IPSO with IP560 ADP Interfaces

Effect on InterfacesCheck Point ADP Module Interface Names for IP560 AppliancesConfiguring Network Topology with an IP560 ApplianceConfiguration Example with VRRP

NoteIn this chapter, network interface cards (NICs) refer to any installable PMC interface devices other than ADP modules.

Check Point IP560 ADP modules help to accelerate firewall and VPN throughput. ADP is a technology designed to forward packets at the highest possible rate. Check Point ADP modules provide this technology by offloading processing from the CPU to network processors.For IP560 appliances, ADP is implemented with a single module providing a total of eight ports. The ADP use swappable small form-factor pluggable (SFP) transceivers to provide Gigabit Ethernet copper, Gigabit Ethernet short-range fiber, and Gigabit Ethernet long-range fiber interface options. Check Point ADP module transceivers are hot swappable.

NoteCheck Point supports only ADP modules and transceivers sold by Check Point. For further information, contact your Check Point representative.



Installing and Replacing ADP Modules

NoteBefore you begin this procedure, you should review all ADP module information in the Getting Started Guide and Release Notes for the version of Check Point IPSO you are using and refer to both of these documents as needed as you complete the installation and configuration process.

Use these instructions to install an ADP module in your appliance.

Before You BeginTo install a Check Point ADP module, you need the following:

A Phillips-head screwdriverPhysical access to the applianceAccess to the appliance by using Check Point Network Voyager or the CLIA suitable, grounded work surface The ADP module kit

NoteYou do not need to manually disconnect power for this procedure. Any servicing of the appliance, however, should be completed with the chassis tray assembly fully removed from the appliance.

To install an ADP module in IP560 appliances1. You cannot preserve the configuration for slot 2 of your appliance when you replace your

PMC NICs with an ADP module or, conversely, when you replace your ADP module with PMC NICs due to interface naming convention differences. Therefore, you need to delete all existing configurations associated with slot 2.

NoteYou do not need to delete the slot 1 configuration for the first 4 ports, as the naming conventions for the first 4 ports for Slot 1 remain the same when you use an ADP module rather than a NIC. Naming conventions for slots and ports are provided in “Check Point ADP Module Interface Names for IP560 Appliances” on page 70.

2. Upgrade the Check Point IPSO software to the required version as described in the Getting Started Guide and Release Notes that you received with your appliance.

3. Use Network Voyager or the command-line interface (CLI) to perform an orderly shutdown of the IP560 appliance.



For information about how to use Network Voyager or the CLI, see the Network Voyager Reference Guide or CLI Reference Guide for the version of Check Point IPSO you are using.

4. Turn off the power to the IP560 appliance.5. Loosen the two front panel retaining screws.

6. Slide the chassis tray assembly forward, pressing the release tab on the right side of the assembly, and, taking care not to damage any internal components, completely remove the chassis to expose the motherboard.


00354


1234

IP560


SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00520



8. From underneath the chassis tray assembly, remove the four bezel retaining screws.

If the slots you are using for the ADP module are unoccupied, remove the filler panels that occupy the spaces in the appliance front panel and retain them for future use.If the slots you are using for the ADP module are occupied, remove the NICs or ADP modules that occupy the spaces in the appliance front panel and retain them for future use.

NoteRemove any SFP transceivers that are installed in an ADP module first to make the procedure easier.

9. Remove the two screws that secure the left air baffle and remove the baffle. Retain the baffle for future use. Reinstall the two baffle screws to secure the motherboard.

SLOT 1

SLOT 2

00440a

Remove the four bezel screws, and filler panels, installed PMC NICs, or ADP modules



NoteIt is important that you reinstall the two baffle screws for proper motherboard operation.

SLOT 1

SLOT 2

00648

Remove the two baffle screws and baffle, and reinstall the two screws



10. If a FIPS screen is installed, note the position of the screen, as it must be reinstalled the same way. Remove the two screws that secure the screen, and remove the screen.

11. Insert the ADP module.

NoteRemove any SFP transceivers that are installed in the ADP module first to make the procedure easier.

a. Angling the ADP module at a 45-degree angle to ensure that the rubber EMI gaskets seat properly and don’t roll back, insert the module bezel into the front panel. As you lower

SLOT 1

SLOT 2

00649

Remove the two FIPS screen screws and the screen



the back of the module down, you should detect little or no resistance; if you do, check to ensure that the EMI gaskets have not rolled back.

b. Gently push the back of the ADP module down toward the motherboard being sure to push down only where the module connectors are located. Be sure that the module is completely seated into both connectors on the motherboard.

12. If the ADP module memory card is installed, you should remove it to provide access the retaining screw hole at the right side of the module.

13. From the top of the chassis tray assembly, screw the two retaining screws into the standoffs on the back of the module.

NoteExtra screws are included in your ADP module kit in case you don’t have appropriate screws on hand.

SLOT 1

SLOT 2

00443a

1000BaseX

1234

1000BaseX

1234

00650

1000BaseX

1234

1000BaseX

1234

Take care that the EMI gaskets don’t roll back during ADP module installations

Arrows indicate locations where gaskets might roll back

Push down only at these two points and ensure that both connectors are completely seated

Memory card location



14. From beneath the chassis tray assembly, screw in the bezel retaining screws.

15. If you removed the FIPS screen, reinstall it in the same position it was previously installed in and secure the two screen screws.

16. Reinstall the ADP module memory card.

17. Using care to ensure that the top edge of the enclosure does not interfere with the ADP module heat sink, slide the chassis tray assembly into the chassis until it clicks into place.

18. Tighten the retaining screws that secure the chassis tray assembly.

19. Turn the power on.20. Use either Network Voyager or the CLI to delete the old interfaces and configure the new

ADP interfaces as described in “Configuring Check Point IPSO with IP560 ADP Interfaces” on page 69. Note the interface naming conventions in “Check Point ADP Module Interface Names for IP560 Appliances” on page 70.

SLOT 1

SLOT 2

00441a

1000BaseX

1234

1000BaseX

1234

ADP module heat sink

Reinstall the two retaining screws

Reinstall the four bezel screws

Memory card must be removed at this stage



The following figure shows the IP560 ADP module front panel details.

To install or remove transceivers in a Check Point ADP moduleFor ADP modules that require transceivers, refer to the following figure, which shows how to install or remove the transceivers. Transceivers are hot swappable as are the interface cables you use with them. Rotate the latch levers up or down to secure transceivers, or to release them for removal. You do not need to change the interface type in Network Voyager or the CLI, as the system makes the configuration changes automatically.To identify whether a fiber transceiver you are using is short-range or long-range, refer to the color of the latch lever as follows:

To install an ADP transceiver:

Type Latch lever color

Short-range Beige

Long range Blue

1000BaseX

1234

00605a

1000BaseX

5678

1000BaseT1 2 3 4 5 6 7 8

1000BaseT

1234

5678

00660

ADP module with ports for transceivers

ADP module with fixed RJ-45 ports

Link and Activity LEDs

00652

1234

1234Latch lever

Flip latch lever down before inserting the ADP transceiver



Push the transceiver into an available port in the ADP module.Rotate the transceiver latch lever down to secure the transceiver in the ADP module.

NoteDepending on the design of your transceiver, you might need to rotate the latch lever upward to release the device.

Insert an appropriate interface cable into the transceiver. To remove an ADP transceiver:

Remove the cable.Release the transceiver by rotating the latch lever.Pull out the transceiver.

Note that if you install any ADP transceivers that are not supported by Check Point, they are not recognized by Check Point IPSO; the system rejects the transceivers and includes them in a list of rejected interfaces on the Interface Configuration page in Check Point Network Voyager, as shown in the following figure.

NoteThe Non-Supported SFP Components table appears only if you have ADP transceivers installed that are not supported by Check Point.

Check Point ADP Module LED Reference InformationAll Check Point IP560 ADP modules provide a single LED for each port. The LED illuminates solid green for Link status and blinks green to indicate Activity.


Configuring Check Point IPSO with IP560 ADP Interfaces

Configuring Check Point IPSO with IP560 ADP InterfacesThis section includes information about configuring Check Point IPSO to use the interfaces on a Check Point ADP module. To help you understand the implications of installing an ADP module, it provides an example of the steps you might perform to install an ADP module in an IP560 appliance running the Virtual Router Redundancy Protocol (VRRP).

Effect on InterfacesWhen you install ADP modules, Check Point IPSO automatically creates interface names for the ADP interfaces and changes the existing interface names and configuration information, as explained below:

If you install an ADP module in an IP560 appliance, the names and configuration information for the interfaces previously installed in slot 2 become invalid.The interface names of the interfaces installed in slot 1 of an IP560 appliance do not change.

These changes can affect any features or protocols that use the existing interfaces or their addresses, including the following:

Dynamic routing protocolsMulticast routing protocolsStatic routing configurationVRRPIP clusteringTransparent modeLink aggregationLink redundancyTraffic management/QoS

NoteAfter you install an ADP module, reconfigure any protocols and features that used removed interfaces to use the ADP interfaces. Reassign IP addresses from the removed interfaces to the ADP interfaces as appropriate.



Check Point ADP Module Interface Names for IP560 AppliancesADP module interface naming conventions differ from those for PMC NICs.IP560 appliances support one ADP module which occupies both slots 1 and 2. However, the ADP module appears to the host as though it logically occupies only slot 1 of the appliance. The eight ports on your ADP module are named as follows:eth-s1p1, eth-s1p2, eth-s1p3, eth-s1p4, eth-s1p5, eth-s1p6, eth-s1p7, eth-s1p8Since the ADP interface names are not exactly the same as other PMC NIC interface names, you need to reconfigure your appliance when you replace PMC NICs with an ADP module or an ADP module with PMC NICs.

Configuring Network Topology with an IP560 ApplianceThere are several constraints that are relevant to your network topology after you install an ADP module in an IP560 appliance that are also relevant to the interaction of ADP interfaces and NIC interfaces. When you install an ADP module in an IP560 appliance, Check Point recommends that you configure your network so that your appliance does not forward traffic between ADP interfaces and PMC NIC interfaces even if the NIC interfaces are Gigabit Ethernet. Using a configuration of this type can significantly degrade throughput.When you install an ADP module in an IP560 appliance, the network processor in the module performs all VPN encryption and decryption, even for VPN packets that are sent through PMC NIC interfaces. The built-in Check Point encryption accelerator continues to accelerate IKE traffic but does not perform any other processing. If VPN traffic ingresses or egresses through a NIC interface, throughput is negatively affected because the packets must transit the IP560 appliance backplane to reach the network processor in the ADP module. Check Point recommends that you configure your VPNs to use only ADP interfaces to avoid this performance loss.



Configuration Example with VRRPThis example describes the steps required to install an ADP module in an IP560 appliance with VRRP configured. The following figure shows the Interface Configuration page of the appliance before an ADP module is installed. Interfaces are installed in slots 1, 2, and 4.

For this example, legacy monitored-circuit VRRP is enabled and configured with these settings:Interface eth-s2p1c0 is assigned the IP address 10.1.1.1 and uses 10.1.1.99 as the VRRP backup address. Interface eth-s2p2c0 backs up interface eth-s2p1c0.



The following figure shows the VRRP configuration:

The rest of this section describes how to reconfigure the interfaces and VRRP to accommodate the ADP interfaces.

Deleting VRRP ConfigurationsAfter you physically remove PMC NICs that you are replacing with ADP modules, you need to delete the configuration information for those interfaces. If VRRP is active at that time, you will not be able to delete the configuration information for the interfaces used by VRRP. Therefore, you should begin by deleting the existing VRRP configuration.



NoteIt is best to perform the procedures in this section on the VRRP backup system first. When the installation is complete, the upgraded system can become the new master while you upgrade the original master.

Reconfiguring InterfacesAfter you install the ADP module, you need to reconfigure interface information as described below.

To reconfigure interfaces for ADP modules1. Log into the appliance using Check Point Network Voyager.2. Navigate to the Interface Configuration page.

Notice that the names of the interfaces in slot 1 have not changed. Any configuration information for these interfaces is unchanged as well.The interfaces in slot 2 have been replaced by the ADP interfaces named eth-s1p5 through eth-s1p8.



The interfaces you removed from slot 2 are still listed on this page, and you see a blue indicator next to each of them in the Up column.

3. Delete the interface names and configuration information for the interfaces you removed from slot 2 by following the remaining steps in this procedure.



NoteTo delete an interface used by VRRP or IP clustering, you must first disable the feature that uses the interface. This is why you deleted the VRRP configuration before you installed the ADP module.

4. Click a physical interface name. Network Voyager displays the Physical Configuration page for that interface.

5. In the Physical Status area, click the Delete check box.

6. Click Apply.7. Delete the configuration information for the rest of interfaces that you removed by restarting

this procedure at step 2.8. When you have deleted the configuration information for all the interfaces that you

removed, click Save.



The following figure shows the example system after the configuration information for all of the removed interfaces has been deleted:

9. If appropriate, configure the ADP interfaces to use the IP addresses previously assigned to the removed interfaces. In this example, you need to assign the address 10.1.1.1 to the new interface eth-s1p5c0.

Reconfiguring VRRPAfter you finish reconfiguring interfaces, you need to reconfigure any protocols and features that used the removed interfaces to use the ADP interfaces.



In this example, you need to recreate the VRRP configuration using the new interfaces eth-s1p5c0 and eth-s1p6c0. The following figure shows the example system after you recreate the VRRP configuration using the new interfaces:




7 Installing and Replacing Components Other than Network Interface Cards (NICs) and Accelerated Data Path (ADP) Services Modules

This chapter provides information about how to install or replace orderable parts other than network interface cards (NICs) and Accelerated Data Path (ADP) services modules in your Check Point IP560 appliance. The following topics are covered:

Replacing the Compact Flash Memory CardInstalling a PC CardInstalling or Replacing a Hard-Disk DriveConfiguring a Hard-Disk Drive for LoggingReplacing or Upgrading MemoryReplacing a Check Point Encryption Accelerator CardReplacing a Fan UnitReplacing a Power SupplyReplacing the Battery

For information about how to add or replace NICs, see Chapter 4, “Installing and Replacing Network Interface Cards.”For information about how to add or replace Accelerated Data Path (ADP) services modules, see Chapter 6, “Installing, Using, and Replacing ADP Modules.”You should have a working knowledge of networking equipment before you attempt to service an IP560 appliance. Limit service of the appliance to the procedures described in this chapter.

NoteTo protect the IP560 appliance and the memory modules from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance.


7 Installing and Replacing Components Other than Network Interface Cards (NICs) and Accelerated Data Path

Replacing the Compact Flash Memory CardIn flash-based IP560 appliances, the compact flash card stores the Check Point IPSO operating system, Check Point application, and boot manager. In disk-based IP560 appliances, the compact flash card stores only the boot manager, and the Check Point IPSO operating system and the Check Point application are stored on the hard-disk drive. Use the internal compact flash to boot the system and install the Check Point IPSO operating system on the disk. The compact flash card is located on the motherboard in a slot in front of the two hard-disk drive locations.Figure 22 shows the location of the compact flash memory card.

Figure 22 Compact Flash Memory Card Slot

CautionTo protect the appliance and the compact flash memory from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance. If you do not have a grounding wrist strap, make sure you are properly grounded before you touch any electronic component.

You must perform an orderly shutdown of the appliance and turn the power off whenever you remove the chassis tray assembly to service internal components.

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00523


Replacing the Compact Flash Memory Card

CautionYou risk damage to the appliance or loss of data if you do not use the following procedure when you replace the compact flash memory.

1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an orderly shutdown of the IP560 appliance.

For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.


NoteMake sure you turn off the power supply.




00354


1234

IP560


SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00520



6. Locate and remove the existing compact flash card from the slot by gently sliding it out of the slot.

7. Gently insert the new compact flash card into the slot.

8. Slide the chassis tray assembly back into the appliance until it clicks into place.

9. Resecure the two chassis tray assembly retaining screws.10. Turn on the power supply at the back of the appliance.

Installing a PC CardAfter you install a single-slot PCMCIA carrier card, which you can purchase from Check Point, the IP560 supports a PC card with 1-GB flash memory that Check Point offers with or without system software included. The supported slot is labeled Slot 3 and is located on the front panel of the appliance, as Figure 23 shows.

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00522

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00359


Installing a PC Card

You can use the PC card flash memory to store local system logs. See “Configuring a Hard-Disk Drive for Logging” on page 89 for information about configure the PC card for logging.Check Point supports only PC cards purchased from Check Point or Check Point-approved resellers. For more information, contact the appropriate Check Point customer support site listed in “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.

Figure 23 External PC Card Location

To install the PC card1. Insert the PC card into the PC card slot until it snaps in place.2. Press gently on the card until it is firmly seated in the slot.

The eject button to the left of the slot should be flush with the card.If you want to remove a PC card that was configured as an optional disk, you must turn it off as an optional disk and then perform an orderly system shutdown before you remove it, as described in the following procedure. You do not need to turn off the power.

CautionIf you do not perform this procedure before removing a PC card that is configured as an optional disk, system processes randomly fail because the system tries to find a /var directory on the optional disk. The resulting error messages indicate that some files in the /var directory are not available.

To remove a PC card in an IP5601. If you are using the PC card as an optional disk for logging, perform one of the following:

In Network Voyager, access Optional Disks and unselect the PC card as an optional disk.Using the CLI, enter the command:set optional-disk device-id <1 | 2> off

where the number 1 or 2 indicates the PC-card slot.2. Perform a system shutdown by using Network Voyager or the CLI halt command.3. Press the eject button to remove the PC card.

00350


1234

IP560

PCMCIA PC card slot

Eject button



CautionTo prevent the card from ejecting too quickly, hold the PC card while you push the eject button.

4. Reboot the appliance.

Installing or Replacing a Hard-Disk DriveThe disk-based IP560 comes with one hard-disk drive, and supports a second optional drive and disk-mirroring starting with Check Point IPSO 4.1, Build 016. For information about disk mirroring, see the document Important Information: Regarding Disk Mirroring, which is available on the Check Point support site.The flash-based IP560 also supports one optional hard-disk drive that you can use for logging.

NoteStarting with Check Point IPSO 4.1, one or two hard drives are supported. However, you can use only one disk for logging in flash-based IP560 appliances.

When you purchase your IP560, you can order optional hard-disk drives for factory installation, or you can order them later and install them yourself, as described in this chapter. Disk-based appliances use the disk for Check Point IPSO and the Check Point application; the compact flash memory contains only the boot manager.You can use a hard-disk drive for storing log files. See “Configuring a Hard-Disk Drive for Logging” on page 89 for information about configure the hard-disk drive for logging on flash-based IP560 appliances. For the disk-based IP560, you do not need to configure the hard-disk drive for logging.This section describes how to install or replace a hard-disk drive.

Before You Begin

CautionHard-disk drives are susceptible to damage from shock. Handle them with care.

CautionTo help guard against electrostatic discharge damage, make sure you are properly grounded by using a grounding wrist strap and following the instructions provided with the wrist strap before you handle the components or open the appliance or gateway. If


Installing or Replacing a Hard-Disk Drive

you do not have a grounding wrist strap, make sure you are properly grounded before you touch any electronic component.

To install or replace a hard-disk drive, you need:Physical access to the appliance or gatewayCheck Point hard-disk drive kit and accompanying supplementA Phillips-head screwdriver

The following procedure requires removing the chassis tray assembly from the chassis.

CautionMake sure you perform an orderly shut down of the appliance before attempting to remove the chassis tray assembly.

You must replace the hard-disk drive with a drive that has a capacity equal to or larger than the drive you are replacing. Back up your hard-disk drive files to a remote system on a regular basis.

To remove a hard-disk driveUse the following procedure if you currently have one or more hard-disk drives in your appliance that you are replacing.

CautionIf you fail to use the following procedure when you remove the hard-disk drive, the drive might become damaged or you might lose data.

1. If you are using the hard-disk drive as an optional disk for logging, perform one of the following:

In Network Voyager, access Optional Disks and unselect the hard-disk drive as an optional disk.Using the CLI, enter the command:set optional-disk device-id <1 | 2> off

where the number 1 or 2 indicates the hard-disk drive slot.2. Use Check Point Network Voyager or the command-line interface (CLI) to perform an

orderly shutdown of the IP560 appliance. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.







Figure 24 Location of Hard-Disk Drive on the Chassis Tray Assembly

00354


1234

IP560


SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00520

00352

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

Slot 1

Slot 2


Installing or Replacing a Hard-Disk Drive

NoteIn single hard-drive configurations, install the hard-disk in Slot 1 first.

7. Remove the four screws from the base of the hard-disk drive and remove the hard-disk drive.

00445



To install or a hard-disk drive1. Slide the new hard-disk drive onto the mounting locations.

2. Replace the four screws.

00355

00445


Configuring a Hard-Disk Drive for Logging


4. Resecure the two chassis tray assembly retaining screws.

Configuring a Hard-Disk Drive for LoggingOn the flash-based IP560, you can save log files locally by installing and configuring an optional hard-disk drive. The Network Voyager Reference Guide and the CLI Reference Guide contain instructions for configuring a Check Point appliance to store Check Point IPSO log messages on the disk. This section explains how to configure an optional disk and configure it to store Check Point log messages on an IP560.If you perform all the procedures explained in this document, you must reboot your appliance several times.

To install and configure an optional disk in an IP5601. If necessary, install the optional disk in the appliance as described in “Installing or

Replacing a Hard-Disk Drive” on page 84.2. Restart the appliance if appropriate.3. Start Check Point Network Voyager.4. Navigate to the Optional Disk configuration page.

Network Voyager displays information about the device you installed.5. Select the device in the Choose column.6. Click Apply.7. Wait until you see a message indicating that you should reboot the appliance.

There is a short delay (possibly a few minutes) before the message appears. The delay is longer with devices of larger capacity.

8. When the message appears, click Reboot, Shutdown System. 9. Reboot the appliance.10. When the appliance has rebooted, log into it and start Check Point Network Voyager.

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00359



11. Navigate to the System Logging configuration page.12. Select the option Logging to Optional Disk.

The other options on this page do not apply to Check Point logging.13. Click Apply.14. Click Save.

NoteThe appliance can use only one local logging device at a time.

If you are using Check Point IPSO 4.0.1, and you add a second optional disk, Check Point IPSO automatically chooses the hard-disk drive, and you cannot control this selection. To ensure that log messages are stored on a specific device, install only one optional disk in the appliance.If you are using Check Point IPSO 4.1 or later, and you add a second optional disk, you have the option to choose between the two optional disks.For more information about storing Check Point IPSO system logs, see the Network Voyager Reference Guide or the CLI Reference Guide for the version of Check Point IPSO you are using.For more information about storing Check Point log messages, see Important Information: Storing Check Point Log Messages on Flash-Based Platforms.

Replacing or Upgrading MemoryThe appliance has four dual inline memory-module (DIMM) sockets that are double data rate (DDR2), which perform at high speed. This section describes how to upgrade or replace the memory by using a Check Point-approved memory upgrade kit.The IP560 comes with 1 GB of RAM in two 512 MB DIMMs and can be upgraded to 2 GB of RAM by the addition of a pair of 512 MB DIMMs.

NoteYou must upgrade the memory in pairs of 512 MB DIMMs.

Check Point products support only memory kits purchased from Check Point or Check Point-approved resellers. For further information, contact the appropriate Check Point customer support site listed in “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.The DIMM sockets are located on the left rear of the IP560 appliance motherboard, as you look at the appliance from the front, as Figure 25 shows.


Replacing or Upgrading Memory

Figure 25 DIMM Socket Locations

NoteYou must install DIMMs in pairs starting from the left. Insert a pair of DIMMS into adjacent slots J1/J2 and/or J3/J4, otherwise the DIMMS do not work. You can also use all four slots at one time.

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00418

DIMM sockets



Before You BeginTo upgrade or replace your appliance memory, you need:

Physical access to the applianceCheck Point memory upgrade kit and accompanying supplementAccess to the appliance by using Check Point Network Voyager or command-line interface (CLI)A Phillips-head screwdriverGrounding wrist strap

CautionTo protect the IP560 and the memory modules from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance.

NoteYou do not need to manually disconnect power for this procedure. Any servicing of the appliance should be completed with the chassis tray assembly fully removed from the appliance.

To replace DIMMs1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an

orderly shutdown of the appliance.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

2. Turn off power to the IP560 appliance.3. Loosen the two front panel retaining screws.

00354


1234

IP560



Replacing or Upgrading Memory


5. Remove the DIMM by pressing the two retaining clips outward and carefully pulling each DIMM upward. You might need to pull opposite ends of the DIMM alternately to gradually free it from the contact pins.

6. Press the new DIMM into the socket until it clicks into place.

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00520

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00469



The top of the DIMM is smooth. The bottom edge has two different-length sets of contacts, which mate with the slots on the socket. Be sure the contacts and slots are properly aligned before you insert the DIMM.The retaining clips move into the lock position as you press the DIMM into place.


8. Resecure the two chassis tray assembly retaining screws.9. Turn on the power.The IP560 appliance automatically recognizes the new memory configuration. You can verify the configuration by using Check Point Network Voyager or the CLI.

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00511

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00359


Replacing a Check Point Encryption Accelerator Card

Replacing a Check Point Encryption Accelerator CardThe IP1560 comes with the Check Point encryption accelerator card preinstalled as part of its base bundle to further enhance VPN performance. The accelerator card provides high-speed cryptographic processing that enhances VPN performance.The IP560 appliance uses a PMC format accelerator card. The accelerator card has no external connections and requires no cables. The accelerator card software package is part of IPSO, so the appliance automatically detects and configures the card.Use Check Point Network Voyager to configure your software applications to make use of the available hardware accelerator. For information about how to configure software applications, see “Configuring Software to Use Hardware Acceleration” on page 98.This section describes how to replace a previously installed accelerator card.

Before You BeginTo replace the accelerator card, you need:

Physical access to the applianceThe Check Point encryption accelerator card and installation kitPhillips-head screwdriverFour screws (included in kit)Grounding wrist strap (included in kit)


NoteYou do not need to manually disconnect power for this procedure. Any servicing of the appliance should be completed with the chassis tray assembly fully removed from the appliance.

To replace the accelerator card1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an

orderly shutdown of the IP560. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.




3. Loosen the two chassis tray assembly retaining screws.


5. Locate the PMC encryption accelerator card on the motherboard. The encryption card is located on the back left side of the motherboard.

00354


1234

IP560


SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00520

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00361


Replacing a Check Point Encryption Accelerator Card

6. Loosen the four retaining screws and remove the card.

CautionDo not use the PMC connectors located at the front of the motherboard for the acceleration card. Those connectors are for NICs and ADP modules.

7. Position the three male PMC connectors on the card over the three female PMC connectors on the motherboard.The two sets of connectors should be aligned with each other. The four screw holes and four standoffs should also be aligned with each other.

8. Push down on the card until it is properly seated on the motherboard.

00517

00518



9. Place the screws through the standoff holes on the card and into the standoffs on the motherboard.

10. Turn each screw clockwise to attach the card to the standoffs. Do not overtighten.Make sure that all four standoff connections are properly aligned before tightening the screws completely.

11. Slide the chassis tray assembly back into the appliance until it clicks into place resecure the two retaining screws.

12. Configure your software to use hardware acceleration by following the instructions in “Configuring Software to Use Hardware Acceleration” on page 98.

Configuring Software to Use Hardware AccelerationThe Check Point encryption accelerator software package is part of the Check Point IPSO operating system, so the appliance automatically detects and configures the Check Point encryption accelerator card.For the Check Point IP560 appliances, SecureXL is on by default. After you install the Check Point encryption accelerator card and reboot the appliance, SecureXL automatically uses the Check Point encryption accelerator card for encryption acceleration. If you do not want to use SecureXL for encryption acceleration, use the Check Point cpconfig utility to disable SecureXL.

00175.1

Screw

Accelerator cardStandoff hole

Motherboard standoff

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00359


Replacing a Fan Unit

You can also configure the IP560 appliances to use the Check Point encryption accelerator card for IKE acceleration. When you enable IKE acceleration, the Check Point encryption accelerator card performs cryptographic operations for IPsec tunnel negotiation.

To enable IKE acceleration1. From the Network Voyager home page, click Security and Access Configuration, then click

IKE Acceleration. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

2. On the IKE Acceleration page, click Register the module.3. Click Apply.The PKCS#11 token that enables IKE acceleration is registered with the Check Point software on your appliance. After you register the module, you must install the Check Point security policy on the firewall for the Check Point encryption accelerator card to perform IKE acceleration.

Replacing a Fan UnitThe appliance fan unit is a single unit made up of four individual fans to provide the air flow required to maintain a proper operating temperature. The fan unit can provide proper airflow for a short time even if an individual fan fails.Before you replace a fan unit, you must first turn off power to the appliance.

Before You BeginTo replace a fan unit, you need:

Physical access to the IP560 applianceReplacement fan unit kit and appropriate supplementA Phillips-head screwdriver

CautionComponents inside the appliance can overheat if they are not cooled even for a short period of time. If you are replacing a failed fan unit, you must completely remove power to the appliance.

To replace a fan unit1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an




2. Turn off power to the IP560 appliance.3. Locate the fan unit on the back of the IP560 appliance and the two retaining screws that

secure it.

4. Loosen the retaining screws by turning them counterclockwise.5. Slowly pull the fan unit out of the chassis toward the rear.

6. Insert the new fan unit into the chassis.7. Tighten the two retaining screws on the new fan unit.8. Turn on the power.

Replacing a Power SupplyThe appliance or gateway supports one 225-watt power supply. The power supply is autosensing and can accept input voltages between 47Hz-64Hz and 85VAC-264VAC. The power supply output is regulated to a tolerance of ± 5 percent of the specified output voltage.

Before You BeginTo install or replace a power supply, you need:

Physical access to the appliance or gateway

00353

Retaining screws

00363


Replacing a Power Supply

A Phillips-head screwdriverA replacement power supply and appropriate supplement

Figure 26 Power Supply Location

CautionYou should have working knowledge of networking equipment before you attempt to service an appliance or gateway. Limit service to the procedures described in this document.

CautionProtect your appliance or gateway and other electronic equipment from electrostatic discharge damage by making sure you are properly grounded before you touch any component.

To replace a power supply1. Use Check Point Network Voyager or command-line interface (CLI) to perform an orderly

shutdown of the IP560 appliance. For information about how to access Network Voyager, see Using Check Point Network Voyager on page 38.

2. Locate the power supply on the back of the appliance or gateway and the two retaining screws that secure it

3. Turn off the power to the power supply.4. Remove the power cord.5. Loosen the two retaining screws.

00353

AC power receptacle

Integrated power supply cooling fan Power supply switch

Power supply

Grounding

00353Retaining screws

lug posts



6. Remove the grounding cable if one is in use.7. Use the handles to gently pull the power supply out of the chassis.

8. Insert the new power supply into the empty bay.

9. Replace the grounding cable if being used.10. Reinstall the two retaining screws.11. Turn on the power.

Monitoring the IP560 Appliance Power SupplyYou can monitor the status of the IP560 appliance power supply with Check Point Network Voyager. Similarly, you can also use the command-line interface (CLI). For information about the CLI, see the CLI Reference Guide. For more information about Network Voyager, see the Check Point Network Voyager Reference Guide or use the Network Voyager inline help.

To monitor the IP560 appliance power supply by using Check Point Network Voyager1. Log on to the IP560 appliance with Network Voyager.2. Click Monitor.3. Click Hardware Monitoring > System Status.

00364

00521


Replacing the Battery

To the right of the Power Supply link, the status indicator is green for normal and red for fault.

4. For more detailed information about the power supply status, click Power Supply.

Replacing the BatteryTo replace the battery, you need the following:

The appropriate Check Point battery replacement kit for your appliancePhysical access to the applianceA Phillips-head screwdriverA grounding wrist strap(Optional) Safety glasses

WarningRisk of explosion if battery is replaced by an incorrect type. Replace the battery only with the same or equivalent type that the manufacturer recommends. Dispose of used batteries according to the manufacturer's instructions.

WarningMake certain to remove the power cord from the appliance before you proceed with any of the following steps. Failure to do so could cause electric shock with burns or death resulting for the user.

CautionMake certain that you are properly grounded when you handle components internal to the appliance to protect against electrostatic discharge damage to the appliance. Use the grounding strap included in the battery replacement kit.

To install the battery, perform the following tasks:1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an


2. Turn off the power to the IP560 appliance.3. Loosen the front panel retaining screws.




5. Place the chassis tray assembly on a table top.6. Locate the battery on the motherboard.

The battery is in a black battery holder secured with a battery retaining pin.

7. Remove the old battery. Use a small nonconductive device, such as a plastic probe, to slide the battery out of the battery holder through the cutout in the holder. To properly dispose of the battery, see “060306” on page 14.

8. With the positive side facing up, slide the new battery through the cutout in the battery holder.

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00520

00446

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560


Replacing the Battery

CautionYou must place the new battery into the battery holder observing the correct polarity. The positive terminal of the battery must be facing up.


10. Resecure the chassis tray assembly retaining screws.11. Turn on the power supply at the back of the appliance.

The appliance should start up normally with the new battery installed. If it does not, repeat step 1 through step 11. If the appliance does not start up normally after that, contact your Check Point service provider. For more information, see “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.

12. Reset the appliance date and time information by using Check Point Network Voyager or the command-line interface. The battery is required to maintain the date and time whenever you shut down the appliance.

SLOT 1

SLOT 2

SLOT 3

SLOT 4

1234

IP560

00359




8 Troubleshooting

This chapter provides troubleshooting tips, problems, and solutions related to IP560 installations.

General Troubleshooting InformationThe information in this section relates to non-routing problems. For information about how to troubleshoot routing problems, see “Troubleshooting Routing Problems” on page 115.

Unable to Log in to the Console Port—No Error MessageTwo laptop computers (using terminal emulation programs) or terminals should be able to communicate back to back in the same way that the terminal communicates with the IP560. If this is not possible using your laptop computer or terminal, the problem is with the terminal or cable and not the appliance.

Problem You do not have a console connection to the IP560.Solution For information about how to create a console connection, see “Using a Console Connection” on page 34.

Problem Not connected with a null-modem cable. Solution Verify that you are using a null-modem cable. For pinout information, see “Using a Console Connection” on page 34.

Problem Wrong terminal settings.Solution Verify terminal settings: 8 data, 1 stop, no parity, 9600 bps.

Problem Terminal set for flow control.Solution The IP560 does not use flow control. The terminal should be set for no flow control.


8 Troubleshooting

Problem Defective IP560 or file system.Solution Contact the Check Point customer support site listed in “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.

Problem Database is corrupt.Solution Return to default settings according to the instructions included in the instructions for resetting the default password, or contact the Check Point customer support site listed in “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.

Login Prompt Appears, But Password Not Accepted

Problem Entered wrong password.Solution Obtain a valid password or set the password to a default value.


General Troubleshooting Information

To reset the admin password to a default value

NoteYou must have local serial access to your appliance console to perform this procedure. With a keyboard and monitor directly connected to the appliance, the boot: prompt does not appear, and you cannot perform this procedure.

1. Boot up the appliance in single-user mode by restarting or power cycling the appliance.When the boot: prompt appears, enter -s before the appliance goes into multiuser mode; you have about 10 seconds to do this.

2. After the appliance boots up, the following text appears:Enter pathname of shell or RETURN for sh:

Press Enter.3. Type /etc/overpw at the # prompt.

When the response asks if you want to continue, type y.4. The admin password defaults to no password for admin.

Continue to boot to multiuser mode.5. Reconfigure the password as you normally would.

NoteBlank passwords are not accepted in Network Voyager. In such cases, enter the following command to reset the password from the command line using a blank password:dbpasswd admin newpassword ""The two double quotation marks at the end of the command properly indicate a blank password.After you execute this command, the system reports that the password was not successfully changed. However, the password is changed and is now newpassword.

Finally, return the entire database to its default settings and bring up the new system-startup procedure. The new system-startup procedure is described in Chapter 3, “Performing the Initial Configuration”.

To reset the default database settings1. Log in to the IP560 as admin by using Network Voyager.

For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

2. Under Configuration Database Management (Config > System Configuration > Manage Configuration Sets), choose the option to create a new factory default configuration.

3. Create the new default configuration.


8 Troubleshooting

Do Not Get a Login Prompt—Error Messages Appear

Problem The IP560 is defective, or the file system on the IP560 is defective.Solution Contact the Check Point customer support site listed in “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.

NoteUse the full installation procedure to install a new system. The new system completely replaces the contents of the drive and might be needed to restore or reload an IP560. This procedure erases any configuration database on the appliance. For information about how to complete the full installation procedure, see the current release notes. The release notes are located on the Check Point customer support Web site as listed in the “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.

Unable to Connect to Network Voyager Using the Ethernet Port, But Console Access Works

Problem Using the wrong Ethernet cable.Solution Use a crossover Ethernet cable if you are connecting directly to the computer. Use a straight-through cable if you are connecting to a hub. For cabling information, see “Connecting Network Interfaces” on page 38.

Problem Port is not configured as active. Solution Use the CLI over the console connection to verify the interface configuration and fix it if necessary.

Problem Host port configuration is incorrect.Solution Use the CLI over the console connection to verify the interface configuration and fix it if necessary.

Problem Wrong link speed.Solution Use the CLI over the console connection to verify the interface configuration and fix it if necessary.



Do Not See Interfaces that Should be Present

Problem Local IP560 ports do not appear. Solution Your NIC, card carrier, or ADP module might be defective. Contact the appropriate Check Point customer support site as listed in “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.

Common Ethernet Problems—Connectivity with Attached Device

Problem No link light. Solution You might have used the wrong cable. Use a crossover cable between an IP560 and a host, and a straight-through cable between an appliance and a hub.

Problem Solid data and activity LED. Solution You might have set the wrong speed. Verify that the speeds match on each end of the Ethernet connection (10 Mbps or 100Mbps).

Problem Port not enabled.Solution Verify from the Interface page in Network Voyager that the interface port is configured as active.

Problem High collision rate on the hub. Solution Disconnect connections one at a time until the problem is localized to one computer and troubleshoot further.

Unable to Ping Through Appliance—No Connectivity Between Ports This section covers connectivity issues that are isolated within an IP560 or network.Localize the problem by issuing pings to various network interfaces. Use tcpdump to help isolate the problem. Use tcpdump to verify that a packet is leaving or entering a port.

Problem Interfaces not up. Solution Ensure that all interfaces are up and active, as described in Chapter 3, “Performing the Initial Configuration.”

Problem No route to network. Solution Check the routing table to see if a route exists to the network where the interface is located. If no route exists, see “Troubleshooting Routing Problems” on page 115.


8 Troubleshooting

Problem Attached device does not have proper default route or routing information. Solution If a local computer is unable to ping through an attached appliance, the computer might contain either an invalid default route or invalid routing information.If you are using default routes from a computer, ensure that the local interface is the default route for that computer.

Problem The ARP table has old information. Solution If the ARP table has an old or invalid entry for the device associated with the IP address you are attempting to ping, use Network Voyager to delete the invalid entry.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

To delete the invalid entry1. Click Config.2. Click ARP in the Interfaces section.3. Click Display or Remove Dynamic ARP Entries.

4. Click Delete for the entry you want to delete.5. Click Apply.

Problems with MulticastUse tcpdump to view packets. To display packets for a specific interface, use the following command: tcpdump -i interface proto igmp. For more information about how to use the tcpdump command, see the Check Point Network Voyager Reference Guide.Under Routing Options in the Routing Configuration section in Network Voyager, you can also enable several types of trace options for DVMRP. These traces are logged into /var/tmp/ipsrd.log.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

Problem No IP connectivity. Solution Verify that you have IP connectivity; ping various hosts on each network.

Problem DVMRP is not enabled on the interfaces.Solution Verify that DVMRP is enabled on the interfaces in use.

Problem Exceeding TTL on clients.Solution Verify that the client is set up for the proper TTL number. Many clients are set to receive local traffic only one hop away.



Problems Interfacing to 1483 Devices (Classical IP)

Problem Remote and local devices are not configured for the same VC and VP value.Solution Set remote and local devices to the same VC and VP values. Consult your 1483 device documentation.

Problem Remote and local devices are not in the supported VC range of the network interface card.Solution Use ipsctl to determine the VC range. Enter the following command:ipsctl ifphys:logical interface:max_rxlabel

Problem Encapsulation is not set to LLC/SNAP.Solution Set encapsulation to LLC/SNAP. Consult your 1483 device documentation.

Problem The MTU size is not 1500 (for Ethernet interfaces) or 16018 (for Gigabit Ethernet interfaces).Solution The MTU size must be 1500 (for Ethernet interfaces) or 16018 (for Gigabit Ethernet interfaces). Check Point does not support larger MTU sizes.

Appliance Not Receiving Power

Problem Power cord is not properly plugged in.Solution Check cord. Make sure it is properly seated at both ends.

Problem Power supply not providing power.Solution Check power source. If there is no power at the source, take appropriate action such as inserting a new fuse or resetting circuit breaker.

Appliance Does Not Recognize New Memory Configuration

Problem DIMMs are not properly seated in DIMM sockets.Solution Repeat memory installation procedures. Make sure DIMMs are fully seated in sockets. Be sure DIMMs click into place.


8 Troubleshooting

Appliance locks up after you upgrade Check Point IPSO with a console connection. No error messages appear, but the appliance stops responding to console and network.

Problem During the upgrade process, some of the environment variables might not have updated correctly.Solution You can verify what the current boot manager settings are by issuing a printenv command at the boot manager prompt, as shown in this example:Loading boot manager ..

BOOTMGR[0]> printenv

Bootmgr Revision: 3.3,base kernel=3.5.1-fcs1

02.12-2001-102644

autoboot: NO

bootwait: 5

boot-file:

boot-flags:

boot-device:

No referenced boot-file or boot-device appears.Setting the boot manager to defaults causes the boot manager to determine that no environment variables are set, and it responds by importing the defaults from the binary file. To set the boot manager to defaults, issue the set-defaults command at the boot manager prompt as shown in this example:BOOTMGR> set-defaults

If you issue the printenv command again, the boot-file and boot-device entries are present, as shown in this example:For example:BOOTMGR[11]>printenv

Check PointIPSOBOOTMGRVERSION=4.0.1-DEV00110.18.2005-115113

autoboot:YES

testboot:NO

bootwait:3

boot-file:/image/current/kernel

boot-flags:

boot-device:wd0

vendor:Check Point

model:IP

bmslice:1

BOOTMGR[12]>


Troubleshooting Routing Problems

Troubleshooting Routing Problems Several useful tools are available to troubleshoot routing problems. The first tool is available from the Monitor page in Network Voyager, from which you display routing statistics and errors. You can access this information from the command-line interface using the ICLID (IPSRD command-line interface daemon) command. An example use of the ICLID command is shown below. For information about the ICLID command, see the Check Point Network Voyager Reference Guide. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

NoteAdding a question mark (?) after any command provides additional command options. Typing a question mark (?) at a prompt provides a list of available commands.

hostname[admin]# iclid

hostname | IP address>

hostname | IP address> ?

exit get help quit show

hostname | IP address>

hostname | IP address> show ?

address bgp igmp iphelper mfc rip vrrp bootpgwigrpkrt ospf route inbound-filterdvmrpinterface memory resource version

hostname | IP address> show route ?

aggregate bgp igrp ospf static

all direct inactive rip summary

hostname | IP address> show route ospf

Codes: C - connected, S - static, I - IGRP, R - RIP,

B - BGP, O - OSPF, E - OSPF external, A - Aggregate,

K - Kernel Remnant, H - Hidden, S - Suppressed

The response to the preceding ICLID command is as follows:0 172.16/16 via 10.1.1.225, eith-sp4p1c0,cost 3, age 3111

In addition, several trace options are available. You can enable these options under the routing options in Network Voyager. When a trace is enabled the output appears in /var/tmp/ipsrd.log.

Common Problems with OSPF Use tcpdump to view routing information. Use the following command display routing updates for that interface:tcpdump -i interface proto ospf


8 Troubleshooting

For more information about how to use the tcpdump command, see the Check Point Network Voyager Reference Guide.Under routing options in Network Voyager, you can also enable several types of trace options for OSPF. These traces are logged in /var/tmp/ipsrd.log.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

Problem OSPF is not configured. Solution Verify that OSPF is properly configured for all interfaces that are involved in OSPF routing. For more information, see Configuring OSPF from the Configuring Routing document page in Network Voyager. You can access the document page by pressing Doc.

Problem OSPF hello and dead timers are not the same on each interface for a given link.Solution Verify that the settings at the end of each link are identical.

Problem Attached devices do not support OSPF.Solution Ensure that the attached IP560 supports OSPF. If the attached appliance does not support OSPF, configure it with a protocol that the appliance supports and exchange routes with OSPF, or set a default or static route.

NoteYou can also use ICLID to display OSPF details.

Common Problems with RIP Use tcpdump to view routing information. Use the following command to display routing updates for a specific interface:tcpdump -i interface proto rip

For more information about how to use the tcpdump command, see the Check Point Network Voyager Reference Guide.Under routing options in Network Voyager, you can also enable several types of trace options for routing information protocol (RIP). These traces are logged in /var/tmp/ipsrd.log.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

Problem Inconsistent subnet mask (netmask does not match the class of IP address for RIP v1).Solution RIP version 1 must use consistent subnet masks; change to RIP version 2 or OSPF to use inconsistent subnet masks.


Troubleshooting Routing Problems

Problem Number of networks exceeds the RIP limit.Solution RIP can span up to 16 networks. Verify that your network topology does not exceed this limit.

Common Problems Exchanging Routes Always enter a metric value if you are exporting routes from OSPF to RIP.

Problem Exchanging routes are not configured correctly.Solution Exchanging routes involves several configuration steps. Follow the tasks in the Check Point Network Voyager Reference Guide (online documentation) to ensure that you follow all steps. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 38.

Problem Routing protocol is not functioning properly.Solution to ensure that each routing protocol is functioning properly, see “Common Problems with OSPF” on page 115 and “Common Problems with RIP” on page 116.


8 Troubleshooting


A Technical Specifications

Dimensions Height: 3.5 in. (8.89 cm)

Width: 17 in. (44 cm)19 in. (48 cm) rack-mountable

Depth: 26 in. (53.34 cm)

Operational Temperature

0° C to +40° C (32° F to 104° F)Humidity 5% to 85%


A Technical Specifications

Space RequirementsThe Check Point IP560 security platform is designed for front-screw mounting in a 19-inch rack. Each IP560 requires the following space in a rack:

3.5 inches (8.89 centimeters) of vertical space 28 inches (71 centimeters) behind the front-panel of the rack 6 inches (15 centimeters) behind the IP560 to allow the back exit fan to move air through the appliances

CautionDo not block the ventilation holes on the IP560. The appliance might overheat and become damaged.


B Compliance Information

This appendix contains declaration of conformity, compliance, and related regulatory information.

Declaration of ConformityAccording to ISO/IEC 17050:

declares that the product:

conforms to the following standards:

Supplementary information:Pursuant to ISO/IEC 17050 this product complies with the requirements of the Low Voltage Directive 73/23/EEC and the EMC Directive 2004/108/EC.

Manufacturer’s Name: Nokia, Inc.

Manufacturer’s Address: 313 Fairchild DriveMountain View, CA 94043-2215USA

Product Name: IP560

Model Number: EM7800

Product Options: All

Serial Number: 1 to 100,000

Date First Applied: 2006

Safety: UL60950-1, First Edition:2003, CAN/CSA-C22.2 No 60950:2000, IEC60950-1: 2001, EN60950-1:2001+A11 with Japanese National Deviations

EMC: EN55024 1998, EN55022A 1998, EN61000-3-2, EN61000-3-3



Christopher SaleemCompliance & Reliability Engineering ManagerSecurity & Mobile Connectivity, Enterprise SolutionsMountain View, CaliforniaNovemeber 2005


Compliance Statements

Compliance StatementsThis hardware complies with the standards listed in this section.

Emissions Standards

Immunity Standards

Harmonics and Voltage Fluctuation

Safety Standards

FCC Notice (US)This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful

FCC Part 15 Subpart B Class A US/Canada

EN55022 (CISPR 22 Class A) European Community (CE)

EN55024 European Community (CE)

EN61000-4-2 European Community (CE)








UL60950/EN60950 US/European Community(CE)

CAN/CSA-C22.2 No.60950 Canada



interference in which case the user will be required to correct the interference at his own expense.

CautionAny changes or modifications not expressly approved by the grantee of this device could void the user’s authority to operate the equipment.

060425


Index

Numerics10/100 Ethernet NIC features 50

AAC power receptacle 23AC power supply 16accelerator card

replacing 95accessing and removing DIMMs 92activating interfaces 48appliance

configuring 33management 16overview 17rack-mounting 28

autosensing 23AUX port 17auxiliary cable

pin assignments 21auxiliary port 21auxiliary port, connecting to the 19

Bbase bundle 15battery

holder 104location 104replacing 103

blinking green LED 22blinking yellow LED 22

Ccaution notices 12Check Point Horizon Manager 17Check Point IPSO requirements 25Check Point Network Voyager 16

opening 38Check Point VPN-1

requirements 25commands

Check Point IP560 Security Platform Installation Guide

ICLID 115compact flash card 15

replacing 80compliance statements 123component locations 17configuring appliance 34configuring interfaces 48connecting network interfaces 38connecting to the auxiliary port 19connecting to the console port 19connections

copper Gigabit Ethernet NIC 55Ethernet NIC 51fiber-optic Gigabit Ethernet NIC 57modem 21power 35

connector pin assignments, EthernetNIC 51

console cable 34pin assignments 20

console port 16console port, connecting to the 19cooling 16copper Gigabit Ethernet NIC 52, 55cryptographic processing 95

Ddata communications equipment device 34DB-9 terminal adapter 20deactivating, network interface cards 43depth 119DHCP server 33dimensions 119DIMMs 90

accessing and removing 92adding 92retaining clips 94socket locations 91

DMZ 16document structure 11dual inline memory-module sockets (DIMMs) 90dual-port Ethernet network interface card 57

Index - 125

Eejector for PC card slot 83EMC standards 121emissions standards 123encryption accelerator card 16

location 96replacing 95

Ethernetcable output connector 51crossover-cable pin connections 52devices, connecting 38interface 16ports 18

expansion slots 18

Ffan unit 16

location 23overview 24replacing 99

fiber-optic cable 38fiber-optic Gigabit Ethernet NICs 57flash memory 82four-port copper Gigabit Ethernet NIC 52four-port Ethernet 10/100/1000 Base Tx NIC 18front panel 17

Ggreen LED 24grounding cable 102

HHAR cordage, power cord 25hard-disk drive 16

installing 84, 88location 86removing 85replacing 88storing log files 84

harmonics 123height 119host terminal 21

IICLID command 115IEC fittings, power cord 25IEEE 802.3ab 18, 53IEEE 802.3z 56

immunity standards 123initial memory configuration 15input voltage 23IP-routing 16IPSO

command-line interface 17

Llatch 30LC connector 38, 57LEDs

power supply 23system status 21

log files, storing 84logging 16

Mmanaging the appliance 16memory

capacity 90flash 82replacing or upgrading 90

monitoring 21power supply 102

mounting brackets 30multi-mode, fiber-optic cable 57

Nnetwork interface cards

deactivating 43dual-port Ethernet 57four-port copper Gigabit Ethernet 53installing 43list of available 49PCI operation 49two-port 10/100 Ethernet 53two-port copper Gigabit Ethernet 52two-port fiber-optic Gigabit Ethernet 56

network interfaces, connecting 38null-modem cable 34

Oopening Check Point Network Voyager 38operational temperature 119output connector, Ethernet cable 51output voltage 23

Index - 126 Check Point IP560 Security Platform Installation Guide

PPC card

flash memory 83installing and using 83removing 83

PCI operation of NICs 49PCMCIA slots 16physical dimensions 119pin assignments

auxiliary connection 21console connection 20modem connection 20, 21

PMC connector 97PMC expansion slots 43power connections 35power cord rating 25power supply 23

location 23replacing 100status LEDs 23

Rrack 31rack space 15rack-mounting 28random access memory 15, 90red LED 22, 24release tab 81reset button 16retaining clips, DIMM 94RJ-45

cable 38connector 20, 51, 52

RS-232 data terminal equipment 34

Ssafety standards 121serial port 16, 21signal, auxiliary port 21single-mode, fiber-optic cable 57site requirements 25slot identification 37slot numbering 37space requirements 120specifications, technical 119standoffs, motherboard 98system logging with hard-disk drive 89system status LEDs 21

Ttechnical specifications 119temperature 119troubleshooting 107two-port 10/100 Ethernet 53

Uupgrading memory 90UTP5 dual-mode Ethernet 50

Vventilation 25ventilation holes 120vertical space requirements 120voltage 23voltage fluctuation 123VPN performance 95VT100-compatible terminal 34

Wwarning notices 12width 119

Yyellow LED 22, 24

Check Point IP560 Security Platform Installation Guide Index - 127

Index - 128 Check Point IP560 Security Platform Installation Guide

Nokia IP560 Security Platform Installation Guide - Unisys · Check Point IP560 Security Platform Installation Guide 3 Contents ... This section defines the elements of commands that

Documents