
Check Point VPN-1 Power NGX R62 for Crossbeam Security Switches

Installation and Configuration Guide
Check Point Version NGX R62
Crossbeam ADF Version 4.11.0

Part Number 004308A

November 2006
© Copyright Crossbeam Systems, 2006, ALL RIGHTS RESERVED
The products, specifications, and other technical information regarding the products contained in this document are
subject to change without notice. All information in this document is believed to be accurate and reliable, but is
presented without warranty of any kind, expressed or implied, and users must take full responsibility for their
application of any products specified in this document. Crossbeam Systems disclaims responsibility for errors that
may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions
and modifications in the products and practices described in this document.
This material is protected by the copyright and trade secret laws of the United States and other countries. It may not
be reproduced, distributed, or altered in any fashion by any entity (either internal or external to Crossbeam Systems),
except in accordance with applicable agreements, contracts, or licensing, without the express written consent of
Crossbeam Systems.
For permission to reproduce or distribute please contact your Crossbeam Systems account executive.
This product includes software developed by the Apache Software Foundation (www.apache.org/).
CROSSBEAM, CROSSBEAM SYSTEMS, X40, X45, X80, C2, C6, C10 C12, C25, C30, C30i, SecureShore and any
logos associated therewith are trademarks or registered trademarks of Crossbeam Systems, Inc. in the U.S. Patent and
Trademark Office, and several international jurisdictions.
All other product names mentioned in this manual may be trademarks or registered trademarks of their respective
companies.
Contents

About This Guide
  Related Documentation  v
    Crossbeam Systems Documentation  v
    Check Point Documentation  v
  Conventions  v
  Support  vi
  Customer Comments  vi

Chapter 1: Before Installing Check Point VPN-1 Power NGX R62
  Supplied Application and RPM Name  7
  APM Hardware and Minimum Memory Requirements  7
  VAP Configuration Considerations (X-Series Systems)  7
    Application Management Circuit Configuration  8
  Managing Applications  8
  Monitoring Applications  9

Chapter 2: Installing Check Point VPN-1 Power NGX Software on an X-Series System
  Prerequisites  11
  Loading the Application  11
  Installing the Application onto a VAP Group  12
  Verifying the Installation  13
  Using VPN-1 Power State Synchronization  13
    Enabling Intra-Box VPN-1 Power Synchronization  14
    Enabling Inter-Box VPN-1 Power Synchronization  15
    Disabling Intra/Inter-Box VPN-1 Power Synchronization  15
  Configuring Check Point VPN-1 Power Load Balancing  15
    Configuring VPN Gateway Cluster  16
  VPN Load Balancing  17
  Uninstalling the Application  21

Chapter 3: Installing Check Point VPN-1 Power NGX Software on a C-Series System
  Prerequisites  23
  Installing VPN-1 Power NGX R62  23
    Configuration Considerations  24
  Uninstalling the Application  24

About This Guide

This guide describes how to install and configure the Check Point VPN-1 Power NGX R62 application on X-Series
and C-Series security switches. For more information regarding the Check Point VPN-1 Power NGX R62
application, visit http://www.checkpoint.com/.
This guide is intended for system integrators and other qualified service personnel responsible for installing,
configuring, and managing the software on an X-Series or C-Series system.

Related Documentation

Crossbeam Systems Documentation


• X40 and X80 Hardware Installation Guide
• X45 Hardware Installation Guide
• XOS Configuration Guide
• XOS Commands Reference Guide
• Install Server Installation and Configuration Guide
• XOS Release Notes
• COS Release Notes
• COS Configuration Guide
• ADF Release Notes
Visit the Crossbeam Systems Customer Service FTP site (ftp://support.crossbeamsys.com) for the latest updates
to Crossbeam technical documentation.

Check Point Documentation


Visit the following site to access Check Point VPN-1 Power NGX R62 documents:
(http://www.checkpoint.com/support/technical/documents/docs_r62.html)

Conventions
The following conventions are used throughout this guide to emphasize certain information, such as user input,
screen options and output, and menu selections.
italics - Indicates book and section titles.
Courier - Indicates user input and program output.
Courier italics - Indicates variables in commands.
Menu => - Indicates an option to select from the pull-down menu.

Check Point NGX R62 for Crossbeam Security Switches Installation and Configuration Guide v
Warnings, Cautions, and Notes indicate the following:

Warning: Warnings notify you to proceed carefully in order to avoid personal harm.

Caution: Cautions notify you to proceed carefully in order to avoid damaging equipment or losing data.

NOTE - Provides helpful suggestions or references to materials not contained in this manual.

Support
Crossbeam Systems and our ISV (Independent Software Vendor) partners offer technical support. Support calls
for applications should be directed to the originating ISV. All other support calls should be directed to Crossbeam
Systems Customer Service.
For additional information, please contact your account representative or refer to www.crossbeamsystems.com.
Crossbeam Systems also offers customer training for our products. Refer to the web site for the course offering
and schedules.

Customer Comments
Customer comments are not only welcomed, they are encouraged. Please take a moment and let us know how we
are doing. To do this, respond in one of the following ways:
• E-mail your comments to documentation@crossbeamsystems.com.
• FAX your comments to 978-287-4210, attention Technical Publications.

Chapter 1: Before Installing Check Point VPN-1 Power NGX R62

Crossbeam Systems provides industry-leading firewall solutions for a broad range of uses in both carrier and
enterprise networks. These solutions scale from 350Mbps of throughput up to 8G and offer a wide variety of
equipment options on both X-Series and C-Series equipment for perimeter, data center, network core and remote
office deployments. All Crossbeam Systems solutions, including the firewall functionality, can be deployed
either in standalone mode or as part of an integrated UTM configuration.

Supplied Application and RPM Name


To load the Check Point VPN-1 Power NGX R62 application on an X-Series system, use the following RPM file:
app-firewallng-NGXR62-1-4.11.0.5.7xXOS.i686.rpm

To load the Check Point VPN-1 Power NGX R62 application on a C-Series system under COS, use the following
RPM file:
app-firewallng-NGXR62-1-4.11.0.5.7xCOS.i686.rpm

APM Hardware and Minimum Memory Requirements


On an X-Series system, Check Point VPN-1 Power NGX R62 supports APM-8200 APMs (which require 1 GB of
memory); however, APM-8400s are recommended. Optional hardware for an X-Series system includes dual-CPU
and local hard drive options. Heavy traffic or a large sustained number of network connections requires more
memory.
On a C-Series system, Check Point VPN-1 Power NGX R62 requires a minimum of a single CPU with 512 MB RAM
or more. Dual-CPU configurations are supported.

VAP Configuration Considerations (X-Series Systems)


• Install one application on a VAP group at a time. Once the installation is complete, you can install the next
application.
• When using an increment-per-vap circuit for application management, you must enable the
ip-flow-rule-no-failover parameter. In most other cases where an increment-per-vap circuit is used, you
should enable the ip-flow-rule-no-failover parameter as well.
• If you uninstall an application, do not re-use the application’s VAP group for another application. Instead,
delete the old VAP group and create a new VAP group.
NOTE: It is recommended to run only one application per VAP group.

Application Management Circuit Configuration
The application requires a circuit configured for managing the application. The circuit must be configured with
the ip-flow-rule-no-failover option. The circuit must also be configured with the increment-per-vap parameter,
even if the VAP group contains only one VAP. For example:
circuit mgmt circuit-id
device-name mgmt
vap-group MyNet
ip-flow-rule-no-failover
ip 192.168.20.39/24 192.168.20.255 increment-per-vap 192.168.20.39

NOTE: Refer to the XOS Configuration Guide for more information about configuring a management circuit.

Managing Applications
Use the following commands at the XOS system prompt to perform basic application management:
NOTE: The VAP must be listed as “UP” for the following Start, Stop, and Restart commands to take effect.
• Start an application:
application <app-name> vap-group <vap-group-name> start

• Configure an application:
application <app-name> vap-group <vap-group-name> config

• Stop an application:
application <app-name> vap-group <vap-group-name> stop

• Restart an application:
application <app-name> vap-group <vap-group-name> restart

• Update VAPs. This command is used when the VAP count of the VAP group is incremented after the
application configuration. The update command installs the application on the newly created VAPs.
application-update vap-group <vap-group-name>

• Display all applications installed on all VAP groups or a specified VAP group:
show application [vap-group <vap-group-name>]

The following example shows the state of the application on a VAP group named FW-1:
VAP_Group = fw Application = FW1 Version = NGXR62
Admin State = ENABLED Application Monitoring = ENABLED
fw_1 Operational State = NOT RUNNING
fw_2 Operational State = NOT RUNNING
fw_3 Operational State = RUNNING
fw_4 Operational State = RUNNING

The Admin State shows whether the application will start during VAP boot (enabled) or not (disabled). The
Admin State is enabled at install time and when the user runs the application start CLI command.
Similarly, the Admin State is disabled when the user runs the application stop CLI command.
The Operational State shows the application’s status (running or not running) for each VAP in the VAP
group. The XOS health system will poll the application every five seconds to determine the application’s
state and report it to the CLI.
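The Admin State and Operational State semantics above lend themselves to a small monitoring check. The following Python script is an added example, not part of this guide or of XOS: it parses a constructed copy of the show application output shown above and lists the VAPs whose operational state contradicts the admin state.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the 'show application' output on this page.
SAMPLE_OUTPUT = """\
VAP_Group = fw Application = FW1 Version = NGXR62
Admin State = ENABLED Application Monitoring = ENABLED
fw_1 Operational State = NOT RUNNING
fw_2 Operational State = NOT RUNNING
fw_3 Operational State = RUNNING
fw_4 Operational State = RUNNING
"""


@dataclass
class AppStatus:
    vap_group: str
    application: str
    version: str
    admin_state: str
    monitoring: str
    vaps: dict = field(default_factory=dict)  # VAP name -> operational state


HEADER_RE = re.compile(r"^VAP_Group = (\S+) Application = (\S+) Version = (\S+)$")
ADMIN_RE = re.compile(r"^Admin State = (\S+) Application Monitoring = (\S+)$")
VAP_RE = re.compile(r"^(\S+) Operational State = (.+?)\s*$")


def parse_show_application(text):
    """Parse one VAP group block of 'show application' output."""
    status = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            status = AppStatus(m.group(1), m.group(2), m.group(3), "", "")
            continue
        if status is None:
            raise ValueError("VAP group header missing before: %r" % line)
        m = ADMIN_RE.match(line)
        if m:
            status.admin_state, status.monitoring = m.group(1), m.group(2)
            continue
        m = VAP_RE.match(line)
        if m:
            status.vaps[m.group(1)] = m.group(2)
            continue
        raise ValueError("unrecognised line: %r" % line)
    if status is None:
        raise ValueError("no VAP group header found")
    return status


def vaps_needing_attention(status):
    """Return the VAP names whose operational state contradicts the admin state.

    Admin State ENABLED means the application should be running on every VAP;
    a VAP reporting NOT RUNNING is one the health system will stop sending new
    flows to (when monitoring is enabled) and that an operator should look at.
    With Admin State DISABLED, a RUNNING VAP is the anomaly instead.
    Note that a hung process still reports RUNNING, as the guide warns.
    """
    expected = "RUNNING" if status.admin_state == "ENABLED" else "NOT RUNNING"
    return sorted(vap for vap, state in status.vaps.items() if state != expected)


if __name__ == "__main__":
    st = parse_show_application(SAMPLE_OUTPUT)
    print("VAP group %s, %s %s, admin %s" % (st.vap_group, st.application,
                                             st.version, st.admin_state))
    for vap in vaps_needing_attention(st):
        print("  attention: %s is %s" % (vap, st.vaps[vap]))
```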



Monitoring Applications
Application monitoring is configurable on an X-Series system during the installation process by using the
following command:
CBS# application <app-name> vap-group <vap-group-name> config

NOTE: On an XOS system, the XOS health system polls the application processes on each VAP in the VAP
group every five seconds to make sure that they are running. If the application is not running on a VAP and
application monitoring is enabled, the health system notifies the NPM to stop sending new flows to this VAP.
This can be verified on the CLI with the show flow-distribution command. This process is performed
dynamically without modifying the VAP group’s load balance list.
Application monitoring cannot detect process hangs. If the process is not functioning but is still running, the
XOS health system will continue to report the application as running.

Chapter 2: Installing Check Point VPN-1 Power NGX Software on an X-Series System

This chapter describes how to install Check Point® VPN-1 Power NGX R62 on an X-Series system.
Only one FireWall application can be installed on any specific VAP group. Refer to the ADF Release Notes to
determine the minimum version of XOS required for each application.

Prerequisites
• For an X-Series system, use XOS V7.0.4 (or later).
• SIC activation key.
• Check Point VPN-1 Power NGX R62 requires XS Linux v3.

Loading the Application


Load the Check Point software onto the X-Series system as follows:
1. Log in to XOS as root.
CBS# unix su
Password:
[root@xxxxx admin]#

2. Go to the directory containing the RPMs:
[root@xxxxx admin]# cd /usr/os/rpm/

3. Execute the following command:
[root@xxxxx admin]# rpm -i <rpm-name>

The RPM name is:
app-firewallng-NGXR62-1-4.11.0.5.7xXOS.i686.rpm

Installing the Application onto a VAP Group
After you have loaded the VPN-1 Power software, install the application onto the desired VAP groups as follows:
1. Exit from the root:
[root@xxxxx rpm]# exit

2. Display the loaded applications:
CBS# show application

The following is an example of this command:
Application = Snort Version = x.x
Application = FW1 Version = NGXR62
Application = Dragon Version = x.x

3. Execute the application install command, as follows:
CBS# application FW1 vap-group <vap-group-name> version NGXR62 install

NOTE: Depending on the FireWall application you chose, the installation script prompts you with various
questions. The following steps highlight some of the questions.
4. The End-user License Agreement appears. Enter 'y' to accept the license agreement and continue.
5. If you have previously installed VPN-1 Power on this VAP group, you are prompted to use the existing
configuration. You can choose to re-use the older VPN-1 Power configuration or not. Choosing the older
configuration does not prevent you from changing those settings during the configuration interview.
6. When prompted, enter the SIC activation key.
7. When prompted to configure local license information, you need to enter the licensing information for each
VAP, along with the VAP management IP address. Alternatively you can configure licenses through
SmartUpdate. If you do not enter license information you will be granted a 15-day evaluation license.
The following is an example of the VAP licensing process. In this example, the strings used are not valid
Check Point strings.
Enter Check Point VPN-1 Power License Information>
Host ()> home
Date ()> 28May2006
String ()> xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx
Features ()> CPMP-EVAL-1-3DES-NG CK-CP

The license questions repeat for all VAPs partitioned on the CP module disk and may contain up to 10 VAPs.
It is also possible to use SmartUpdate to apply licenses from the management server. In order to do this,
select “No” when prompted to enter the licenses by the install script and then refer to the Check Point
documentation for steps on applying licenses using SmartUpdate after the install has completed.
8. If you choose to activate High-Availability (HA) and the mode (Re-Load Balancing or Switch Over) when
prompted, you will need to configure the firewalls as a cluster.
9. After Check Point VPN-1 Power is installed on all VAPs, you are prompted to reboot the APMs. Use the
reload vap-group <vap-group-name> CLI command to reboot all APMs that are part of this VAP group.
The firewall should be running on all APMs at this time.
NOTE: With VPN-1 Power NGX R62, Floodgate and Smartview Monitor are also installed by default. As a
result, you may see messages that these applications are not started or disabled.



Verifying the Installation
Verify that Check Point VPN-1 Power is running:
show application [vap-group <vap-group-name>]

The following example shows the state of the application on a VAP group named fw:
VAP_Group = fw Application = FW1 Version = NGXR62 Admin State = ENABLED
fw_1 Operational State = RUNNING
fw_2 Operational State = RUNNING

Using VPN-1 Power State Synchronization


State Synchronization is essential for VPN-1 Power application redundancy to operate within the X-Series
system.
Service redundancy can be configured in three ways on a per VAP group basis:
• N-way VPN-1 Power Synchronization with Re-route to Backup VAP.
This mode of operation does not have any restrictions on the number of VAPs within a VAP group. There is
a 1:N association among N+1 VAPs for service redundancy. Each VAP synchronizes VPN-1 Power
connections with other VAPs in the VAP group, and adjacent VAPs act as backup VAPs for any VAP.
Initially, all traffic flows are load-balanced among VAPs in the VAP group. When a VAP fails, traffic flows
that were being processed on that VAP are either switched to the backup VAP or lost depending upon the
availability of the backup VAP. The backup VAP is randomly selected from the adjacent VAPs. If the failed
VAP becomes available for processing of flows later, then traffic flows that were switched to the backup
VAP are switched back to this VAP.
• N-way Synchronization with Re-load-balancing.
This mode of operation does not have any restrictions on the number of VAPs within a VAP group. Every
VAP synchronizes connections with other VAPs in the VAP group. However there are no backup VAPs.
When a VAP fails, traffic flows that were being processed on that VAP are re-load balanced among
remaining available VAPs in that VAP group. If the failed VAP becomes available for processing of flows
later, then traffic flows that were re-load balanced are not switched back to this VAP.
NOTE: Each synchronization circuit should be unique for each VAP group. You should not have a common
synchronization circuit between different firewall clusters on the same network.

Enabling Intra-Box VPN-1 Power Synchronization
After completing the VPN-1 Power installation, enable intra-box VPN-1 Power Synchronization as follows.
1. Enable VPN-1 Power Synchronization:
CBS# application FW1 vap-group <vapGroupName> version NGXR62 config

A display similar to the following appears:

Configuration Options:
----------------------
(1) Licenses
(2) Enable SNMP Extensions
(3) PKCS#11 Token
(4) Random Pool
(5) Secure Internal Communication
(6) Enable Check Point High Availability/State Synchronization
(7) Enable Check Point SecureXL
(8) Enable Advanced Routing
(9) Enable Application Monitoring
(10) Automatic start of Check Point FireWall-1
(11) Install Check Point packages
(12) Configure Check Point fwkern.conf file
(13) Configure Dynamic Routing
(14) Exit
Enter your choice (1-14) : 6

NOTE: Check Point Dynamic Routing is not supported in this release.

2. Choose “Enable Check Point High Availability/State Synchronization”. You are brought back to the VPN-1
Power interview process.
When exiting from this menu, the following question may appear depending upon whether VPN-1 Power is
already running or not:
You have changed VPN-1 & FireWall-1 Configuration. Would you like to restart
VPN-1 & FireWall-1 now so your changes can take affect? (y/n) [y]

3. Enter y to restart VPN-1 and FireWall-1 Power.

4. Create an internal circuit network for FW-1 synchronization purposes. Each VAP must have a unique IP
address, so the increment-per-vap and ip-flow-rule-no-failover options must be used. For
example:
circuit sync
vap-group fw1R62
ip-flow-rule-no-failover
ip 2.0.0.1/24 increment-per-vap 2.0.0.4
NOTE: An internal circuit used for VPN-1 Power synchronization cannot be used for any other application. If
other applications need to use an internal circuit, they must have their own internal circuit.
On the Check Point Management Station:
Enable VPN-1 Power Synchronization on the Check Point Management Station as follows:
1. Configure each VAP as the VPN-1 Power Gateway object.
2. Create a Gateway Cluster object and include each VAP as its member.



3. Set the synchronization network to the X-Series system’s previously created internal circuit network.
4. Download policies to the Gateway Cluster object.
In NGX R62, Synchronization can be enabled directly from the Check Point SmartDashboard application by
selecting “Use State Synchronization” in the 3rd Party Configuration menu of the Gateway Cluster Properties.

Enabling Inter-Box VPN-1 Power Synchronization


To enable inter-box VPN-1 Power Synchronization, complete the following:
On the X-Series system:
1. Create VAP groups with the same name and same number of VAPs on all XOS systems.
2. Enable FW-1 Sync at each box as described above.
On the Check Point Management Station:
1. Create a Gateway Cluster object including all VAPs in all VAP groups.
2. Download policies to the Gateway Cluster object.

Disabling Intra/Inter-Box VPN-1 Power Synchronization


To disable intra-box VPN-1 Power Synchronization complete the following:
On the Security Services Switch:
Choose “Disable Check Point High Availability/State Synchronization”. You are returned to the VPN-1 Power
interview process. When exiting from this menu, the following question may appear depending upon whether
VPN-1 Power is already running or not:
You have changed VPN-1 & FireWall-1 Configuration. Would you like to restart
VPN-1 & FireWall-1 now so your changes can take affect? (y/n) [y]

Enter y to restart VPN-1 and FireWall-1 Power.


On the Check Point Management Station:
1. Remove all VAPs from the Gateway Cluster object.
2. Delete the Gateway Cluster object.
3. Download policies to VAPs within the VAP group.

Configuring Check Point VPN-1 Power Load Balancing


This section describes the configuration and operation of Check Point VPN-1 Power using the X-Series system
as the gateway. Before you begin the configuration, review the Check Point Users Guide for your VPN-1 Power
application and consider the following when installing the VPN-1 Power software (used in a VPN setup) onto the
XOS X-Series system.
The enforcement modules must be identified with their un-trusted (external) interface IP address. This changes
the way you identify a VAP with an IP address. Before, you could identify a VAP (firewall gateway) with any of
its IP addresses. Check Point currently supports the following types of VPN:
• SecuRemote/SecureClient-to-gateway VPN.
• Gateway-to-gateway VPN.

The Check Point Cluster XL solution is not supported or needed on the XOS X-Series system, as the XOS
X-Series system has built in High Availability and Load Balancing capabilities.
To configure a VPN Gateway Cluster on an XOS X-Series system from within the Check Point Management
Server, configure a gateway cluster containing the following:
• All VAPs in the XOS X-Series system’s VAP groups.
• Desired VPN configuration including the VPN domain, and a synchronization network.
The X-Series system can be used in both Single Entry Point (SEP), as well as, Multi Entry Point (MEP) VPNs.
Refer to the Check Point VPN-1 Users Guide for additional information.

Configuring VPN Gateway Cluster


All members of the VAP group that perform VPN tunnel termination are configured such that they have a unique
IP address on their un-trusted side. These members can have one common alias IP address so that traffic can be
load balanced between them. To configure a single gateway cluster with high availability and load balancing in
either an SEP or MEP environment, complete the following:
On the X-Series system:
1. Install the Check Point VPN-1 Power software on the desired VAP group per the instructions at the
beginning of this chapter. While installing Check Point VPN-1 Power, enter yes for Check Point High
Availability/State Synchronization.
2. Create an internal circuit. This circuit is assigned to only the VAP group that has the Check Point VPN-1
Power installed. Once the internal circuit is configured, you can use the internal circuit to carry the
synchronization traffic.
3. Create VAPs, each with a minimum of two unique IP addresses: the un-trusted IP address and the trusted IP
address. To achieve this, configure the circuits for the VAP group using increment-per-vap IP addresses.
Note that you need to also enable the ip-flow-rule-no-failover parameter when using an
increment-per-vap circuit for intra-vap-group communication.
4. Create an alias on the un-trusted circuit. This alias is the external Cluster IP address and is the address that
remote gateways or clients connect to.
5. Configure reclassify-nat-flows on trusted circuits.
On the Check Point VPN-1 Power Management Station:
1. Check the routing parameters to ensure that the Management Station can communicate to the VAPs using its
external (un-trusted) IP address.
2. Create gateway objects corresponding to VAPs using their external (un-trusted) IP addresses. Make sure that
the Management Station can reach these IP addresses. Establish SIC and download licenses if required.
3. Populate the topology. The un-trusted interfaces should be set to External, the trusted interfaces to
Internal.
4. Create a new gateway cluster object, defining it using the Virtual IP address from the un-trusted side of the
network (the alias configured on the un-trusted circuit). Within the General Properties tab, check VPN-1
Power (do not check ClusterXL).
5. Add the VAP gateway objects as members of this cluster.
6. Within the Topology tab of the cluster object, add the internal and external cluster IP addresses. The Internal
Cluster IP is the trusted circuit’s shared IP address and the External Cluster IP is the alias configured in Step
4 of the XOS Switch configuration. Define its VPN domain and make it exportable for SecuRemote, if
required.



7. Within the Synchronization tab, check State Synchronization and select the X-Series system’s internal
circuit network for synchronization traffic.
8. On the 3rd party configuration Tab, select Load Sharing and check Support non-sticky connections.
9. Define the appropriate users, user groups and encryption rules, and download the policy to the cluster.

VPN Load Balancing


This section describes how VPN load balancing operates on an X-Series system running XOS.
Configuring the X-Series system to load balance VPN traffic is similar to load balancing normal firewall
traffic. Only the use of “increment-per-vap” circuits and “reclassify-nat-flows” is explained in more detail.
All members of the VAP group that perform VPN must have a unique IP address on their un-trusted side. One
common alias IP address is configured so that traffic can be load balanced between them. Load-balancing VPN
traffic means load balancing VPN tunnels. Traffic within a given tunnel is not load-balanced, that is, all traffic
from one tunnel is always going to the same VAP.
Check Point synchronization is very important when load balancing VPN traffic. By synchronizing VPN
gateways in a cluster (all VAPs in a VAP group), not only session states but also all VPN tunnels (IKE and IPsec
Security Associations) are synchronized as well.
A VPN tunnel is established towards the Cluster IP address. The NP module load balances the IKE traffic and
picks the least loaded VAP to handle the tunnel setup.
As a result of synchronization, this same tunnel is “active” on all VAPs. So every VAP in the VAP group has a
tunnel toward the remote gateway.
Obviously, tunnel traffic is decrypted/encrypted only by one of the VAPs based on NP module load balancing
decisions for IPsec traffic, which is commonly the same VAP as the VAP receiving the IKE traffic.
Consider the VPN shown in the following figure, where Alice and Bob are located in a remote site. This site is
connected to the Intranet using a VPN tunnel between the Gateway and Cluster. The Intranet contains a server
named “Zen”.
The VPN-1 Power/VPN-1 software is installed on a VAP group named “vpn” and contains 3 VAPs.

[Figure: VPN topology showing Alice and Bob at the remote site behind the Gateway, the tunnel to the Cluster, and the Intranet server Zen.]

In this example:
Flows initiated from the Site Encryption Domain
When the tunnel is established, all traffic for that tunnel (IKE and IPsec traffic) is load balanced to one VAP in
the VAP group. When “Alice” communicates with server “Zen” over the encrypted tunnel, there are two flows:
• The encrypted tunnel traffic flow between Gateway 66.1.1.2 and the Cluster 172.168.1.100.
• The flow after decryption, which is the flow between Alice (20.20.20.25) and the Server Zen (192.168.2.9).
The IPsec (and IKE) flow is received by the NP module and consequently an entry in the Active Flow Table
(AFT) is created, as follows:
CBS# sho flow active destination-address-low 172.168.1.100
Module Source Destination Protocol TTL
np1 66.1.1.2: 500 172.168.1.100: 500 17 1m 0s
Rx Modules vpn_2
Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1 66.1.1.2: 0 172.168.1.100: 0 50 0m 45s
Rx Modules vpn_2
Bi-directional, Ageout 1, Skip Ports, Skip Protocol

NOTE: In the above example, both IKE (500) and IPsec (50) traffic is load-balanced to VAP vpn_2. It is
common, but not required, that IKE and IPsec traffic are load-balanced using the same VAP.
The second (decrypted) flow is not in the Active Flow Table (AFT), since it is not originated by the VAP and
there is no outbound classification.
Return packets (packets from the Server to Alice) are classified by the NP module as a new flow and may be load
balanced to a VAP other than the originating VAP. These packets may then be dropped by the firewall because
they are “out-of-state”:
CBS# sho flow active destination-address-low 172.168.1.100
Module  Source               Destination            Protocol  TTL
np1     66.1.1.2: 0          172.168.1.100: 0       50        0m 45s
        Rx Modules vpn_2
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     192.168.2.9: 3004    20.20.20.25: 5001      6         0m 45s
        Rx Modules vpn_3
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol

Note that different VAPs are reported for the two flows, illustrating a possible “out-of-state” situation.

18 Installing Check Point VPN-1 Power NGX Software on an X-Series System


The solution is to make sure that, when load balancing VPN traffic, the circuit on the trusted side has the
“reclassify-nat-flows” option configured. This option forces the NP module to create an outbound (Tx) entry in
the AFT for the flows exiting the VAP, so that return packets from the trusted side are steered to the VAP that
decrypted the original packets. The AFT then contains the entry for the encrypted traffic and both directions of
the decrypted flow, as shown below:
CBS# sho flow active destination-address-low 172.168.1.100
Module  Source               Destination            Protocol  TTL
np1     66.1.1.2: 0          172.168.1.100: 0       50        0m 45s
        Rx Modules vpn_2
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol

CBS# sho flow active destination-address-low 20.20.20.25
Module  Source               Destination            Protocol  TTL
np1     192.168.2.9: 3449    20.20.20.25: 5001      6         0m 45s
        Rx Modules vpn_2
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol

CBS# sho flow active destination-address-low 192.168.2.9
Module  Source               Destination            Protocol  TTL
np1     20.20.20.25: 5001    192.168.2.9: 3449      6         1m 0s
        Tx
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol

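A practical check for this condition, as an added example that is not part of the original guide and not XOS code: the script below parses AFT listings in the layout printed above (the parsing rules, one flow line followed by a “Rx Modules <vap>” or “Tx” line and a flags line, are an assumption drawn from that layout) and warns when a decrypted flow of the remote encryption domain is received on a VAP other than the one terminating the IPsec tunnel, or when no Tx entry exists for any decrypted flow, which points at a missing “reclassify-nat-flows”. The cluster IP, the remote encryption domain and the two sample listings are taken from the guide’s example; the Tx check assumes the listing is complete for the tunnel being examined.

```python
"""Parse 'sho flow active' listings and flag decrypted VPN flows at risk of
out-of-state drops.  Added example; not code from the Crossbeam guide or XOS."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One AFT flow line, e.g. "np1 66.1.1.2: 500 172.168.1.100: 500 17 1m 0s".
# The colon after an address is optional because the guide prints it inconsistently.
FLOW_RE = re.compile(
    r"^(?P<module>\S+)\s+"
    r"(?P<src>\d+(?:\.\d+){3}):?\s*(?P<sport>\d+)\s+"
    r"(?P<dst>\d+(?:\.\d+){3}):?\s*(?P<dport>\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<ttl>.+)$"
)


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    direction: str       # "Rx": inbound flow steered to a VAP; "Tx": outbound entry
    vap: Optional[str]   # receiving VAP for Rx entries, None for Tx entries
    flags: str


def parse_aft(text: str) -> List[Flow]:
    """Turn a listing into Flow records, skipping prompts and column headers.
    Assumes the three-line layout: flow line, 'Rx Modules <vap>' or 'Tx', flags."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    flows, i = [], 0
    while i < len(lines):
        m = FLOW_RE.match(lines[i])
        if not m:
            i += 1
            continue
        direction, vap = "Tx", None
        if i + 1 < len(lines) and lines[i + 1].startswith("Rx Modules"):
            direction, vap = "Rx", lines[i + 1].split()[-1]
        flags = lines[i + 2] if i + 2 < len(lines) else ""
        flows.append(Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                          int(m["proto"]), direction, vap, flags))
        i += 3
    return flows


def vpn_flow_warnings(flows: List[Flow], cluster_ip: str, remote_domain: str) -> List[str]:
    """Compare the VAP terminating the IPsec tunnel (ESP to the Cluster IP) with the
    VAP receiving each cleartext flow of the remote encryption domain."""
    net = ipaddress.ip_network(remote_domain)
    tunnel_vaps = {f.vap for f in flows
                   if f.direction == "Rx" and f.proto == 50 and f.dst == cluster_ip}

    def is_cleartext(f: Flow) -> bool:
        if f.proto == 50 or (f.proto == 17 and 500 in (f.sport, f.dport)):
            return False   # ESP or IKE: tunnel traffic, not a decrypted flow
        return ipaddress.ip_address(f.src) in net or ipaddress.ip_address(f.dst) in net

    cleartext = [f for f in flows if is_cleartext(f)]
    warnings = []
    for f in cleartext:
        if f.direction == "Rx" and f.vap not in tunnel_vaps:
            warnings.append(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} is Rx on {f.vap} but "
                            f"the tunnel is on {sorted(tunnel_vaps)}: possible out-of-state drop")
    if cleartext and not any(f.direction == "Tx" for f in cleartext):
        warnings.append("no Tx entry for any decrypted flow: check that reclassify-nat-flows "
                        "is configured on the trusted-side circuit")
    return warnings


# Listing before reclassify-nat-flows (transcribed from the guide): the decrypted
# flow landed on vpn_3 while the tunnel is on vpn_2.
OUT_OF_STATE_LISTING = """
CBS# sho flow active destination-address-low 172.168.1.100
Module Source Destination Protocol TTL
np1 66.1.1.2: 0 172.168.1.100: 0 50 0m 45s
Rx Modules vpn_2
Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1 192.168.2.9: 3004 20.20.20.25: 5001 6 0m 45s
Rx Modules vpn_3
Bi-directional, Ageout 1, Skip Ports, Skip Protocol
"""

# Listing with reclassify-nat-flows (transcribed from the guide): the decrypted flow
# follows the tunnel VAP and has a Tx entry for the direction leaving the VAP.
RECLASSIFIED_LISTING = """
np1 66.1.1.2: 0 172.168.1.100: 0 50 0m 45s
Rx Modules vpn_2
Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1 192.168.2.9: 3449 20.20.20.25: 5001 6 0m 45s
Rx Modules vpn_2
Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1 20.20.20.25 5001 192.168.2.9: 3449 6 1m 0s
Tx
Bi-directional, Ageout 1, Skip Ports, Skip Protocol
"""

if __name__ == "__main__":
    for name, listing in (("before", OUT_OF_STATE_LISTING), ("after", RECLASSIFIED_LISTING)):
        found = vpn_flow_warnings(parse_aft(listing), "172.168.1.100", "20.20.20.0/24")
        print(name, found or ["ok"])
```

Run it against a full `sho flow active` capture rather than a filtered one, since the Tx entry for a decrypted flow shows up under the trusted-side destination address, not under the Cluster IP.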
Flows initiated from the Cluster Encryption Domain
Now consider the situation in which server “Zen” wants to establish a connection to Bob’s PC and Bob has never
established a connection to server “Zen” before. Alice, however, already has sessions open to Zen, so a tunnel to
the Cluster exists and all tunnel (IPsec) traffic is load balanced to VAP vpn_2.
The flow from “Zen” to “Bob” is classified by the NP module as a new flow, and it is possible that this flow is
load balanced to a different VAP, for example vpn_3. After the first packet from Zen, the following entries are
in the AFT:
Module  Source               Destination            Protocol  TTL
np1     66.1.1.2: 0          172.168.1.100: 0       50        0m 45s
        Rx Modules vpn_2
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     192.168.2.9: 3449    20.20.20.25: 5001      6         0m 45s
        Rx Modules vpn_3
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     192.168.2.9: 3768    20.20.20.66: 5001      6         0m 45s
        Rx Modules vpn_3
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     20.20.20.25: 5001    192.168.2.9: 3449      6         1m 0s
        Tx
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol

Bob’s response is sent over the existing tunnel, so it is received on VAP vpn_2. VPN-1 Power on vpn_2 knows
this connection only through state synchronization: if all VAPs are fully synchronized the packet is accepted
and forwarded by the firewall, otherwise it is dropped as “out-of-state”.
As soon as the first response packet leaves the VAP, the NP module detects that an AFT entry already exists for
this flow but on another VAP (vpn_3). The NP module resolves this by updating the original AFT entry with the
new VAP index (vpn_3 -> vpn_2).
After the first response packet has been processed, the AFT has the following entries for the flows between
Alice and Zen and between Bob and Zen:
Module  Source               Destination            Protocol  TTL
np1     66.1.1.2: 0          172.168.1.100: 0       50        0m 45s
        Rx Modules vpn_2
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     192.168.2.9: 3449    20.20.20.25: 5001      6         0m 45s
        Rx Modules vpn_3
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     20.20.20.25: 5001    192.168.2.9: 3449      6         1m 0s
        Tx
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     192.168.2.9: 3768    20.20.20.66: 5001      6         0m 45s
        Rx Modules vpn_2
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol
np1     20.20.20.66: 5001    192.168.2.9: 3768      6         1m 0s
        Tx
        Bi-directional, Ageout 1, Skip Ports, Skip Protocol

In summary, flows initiated from within the cluster encryption domain and destined to a host in a remote
encryption domain may be load balanced to a VAP other than the one decrypting traffic for the particular tunnel.
In this scenario, the NP module reclassifies the outbound flow to the VAP receiving the encrypted IPsec traffic
for that tunnel as soon as the first return packet is received.
As previously mentioned, this requires all VAPs in the VAP group to be fully synchronized. However, the return
packet may be received before the cluster is synchronized. In that case the firewall drops the first return
packet because it is “out of state”. Depending on the protocol, packets are retransmitted until the cluster is
fully synchronized.
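To make the two scenarios above concrete, the following is an added example (not code from the guide, and not Crossbeam’s or Check Point’s implementation) that models the NP module’s AFT, the “reclassify-nat-flows” option and Check Point state synchronization as a small simulation. The least-loaded selection with ties broken by VAP name, the explicit synchronization step, the VAP names vpn_1 to vpn_3 and the treatment of “encryption” as simply pairing an inner flow with the tunnel’s AFT entry are assumptions; the addresses and ports are those of the guide’s example.

```python
"""Simulation of NP-module flow steering toward a synchronized VPN-1 VAP group.
Added example; not Crossbeam or Check Point code.  See the text for assumptions."""
from collections import defaultdict


def flow_key(src, sport, dst, dport, proto):
    """Bi-directional key: both directions of a flow share one AFT entry."""
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def inspect(vap_state, key, first_packet):
    """Stateful inspection on one VAP: known connections pass; an unknown one
    passes only as an opening packet, otherwise it is dropped as out-of-state."""
    if key in vap_state:
        return True
    if first_packet:
        vap_state.add(key)
        return True
    return False


def sync(states):
    """Check Point state synchronization: every VAP learns every connection."""
    union = set().union(*states.values())
    for s in states.values():
        s |= union


class NpModule:
    def __init__(self, vap_names, reclassify_nat_flows):
        self.states = {n: set() for n in vap_names}   # per-VAP firewall state tables
        self.reclassify_nat_flows = reclassify_nat_flows
        self.aft = {}        # flow_key -> {"vap": name, "dir": "Rx" | "Tx"}
        self.events = []

    def _least_loaded(self):
        load = defaultdict(int)
        for entry in self.aft.values():
            load[entry["vap"]] += 1
        return min(self.states, key=lambda n: (load[n], n))   # assumption: ties by name

    def classify(self, key):
        """AFT lookup; a new flow gets an Rx entry on the least-loaded VAP."""
        if key not in self.aft:
            self.aft[key] = {"vap": self._least_loaded(), "dir": "Rx"}
        return self.aft[key]["vap"]

    def flow_exits_vap(self, key, vap):
        """Packet leaving a VAP toward the trusted circuit.  With reclassify-nat-flows
        the NP adds a Tx entry, or moves an existing entry to this VAP."""
        if not self.reclassify_nat_flows:
            return
        entry = self.aft.get(key)
        if entry is None:
            self.aft[key] = {"vap": vap, "dir": "Tx"}
        elif entry["vap"] != vap:
            self.events.append(f"reclassified {entry['vap']} -> {vap}")
            entry["vap"] = vap

    def rx_untrusted_ipsec(self, tunnel_key, inner_key, first_packet):
        """ESP from the remote gateway: steer by the tunnel entry, decrypt there,
        inspect the inner flow, then forward it to the trusted side."""
        vap = self.classify(tunnel_key)
        if not inspect(self.states[vap], inner_key, first_packet):
            return vap, "dropped out-of-state"
        self.flow_exits_vap(inner_key, vap)
        return vap, "forwarded"

    def rx_trusted(self, key, first_packet):
        """Cleartext from the Intranet: steer by the AFT, inspect, encrypt."""
        vap = self.classify(key)
        if not inspect(self.states[vap], key, first_packet):
            return vap, "dropped out-of-state"
        return vap, "encrypted"


ALICE, BOB, ZEN = "20.20.20.25", "20.20.20.66", "192.168.2.9"
TUNNEL = flow_key("66.1.1.2", 0, "172.168.1.100", 0, 50)   # ESP, Gateway <-> Cluster IP
VAPS = ["vpn_1", "vpn_2", "vpn_3"]


def scenario_site_initiated(reclassify_nat_flows, synced):
    """Alice opens a connection to Zen; Zen's reply is a new flow to the NP
    module unless reclassify-nat-flows recorded a Tx entry for it."""
    npm = NpModule(VAPS, reclassify_nat_flows)
    alice_zen = flow_key(ALICE, 5001, ZEN, 3449, 6)
    ipsec_vap, _ = npm.rx_untrusted_ipsec(TUNNEL, alice_zen, first_packet=True)
    if synced:
        sync(npm.states)
    reply_vap, result = npm.rx_trusted(alice_zen, first_packet=False)
    return {"ipsec_vap": ipsec_vap, "reply_vap": reply_vap, "result": result}


def scenario_cluster_initiated(synced_before_reply):
    """Zen opens a connection to Bob over Alice's existing tunnel; Bob's reply
    arrives on the tunnel's VAP, which then reclassifies the flow to itself."""
    npm = NpModule(VAPS, reclassify_nat_flows=True)
    npm.rx_untrusted_ipsec(TUNNEL, flow_key(ALICE, 5001, ZEN, 3449, 6), first_packet=True)
    zen_bob = flow_key(ZEN, 3768, BOB, 5001, 6)
    outbound_vap, _ = npm.rx_trusted(zen_bob, first_packet=True)
    if synced_before_reply:
        sync(npm.states)
    reply_vap, first_attempt = npm.rx_untrusted_ipsec(TUNNEL, zen_bob, first_packet=False)
    if first_attempt != "forwarded":      # retransmission once the cluster has caught up
        sync(npm.states)
        npm.rx_untrusted_ipsec(TUNNEL, zen_bob, first_packet=False)
    return {"outbound_vap": outbound_vap, "reply_vap": reply_vap,
            "first_attempt": first_attempt, "aft_vap": npm.aft[zen_bob]["vap"],
            "events": npm.events}


if __name__ == "__main__":
    print(scenario_site_initiated(reclassify_nat_flows=False, synced=False))
    print(scenario_site_initiated(reclassify_nat_flows=True, synced=False))
    print(scenario_cluster_initiated(synced_before_reply=False))
```

The first scenario shows the reply being dropped on a VAP that never saw the connection unless either synchronization has completed or a Tx entry pins the reply to the decrypting VAP; the second shows the first reply being dropped and then, after the retransmission, the AFT entry for the Zen-to-Bob flow moving to the tunnel’s VAP.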
The time it takes to synchronize the session state tables depends largely on the number of connections going
through the firewall. To improve the synchronization time, synchronize only the traffic that needs it. For
example, disabling the synchronization of HTTP traffic reduces the size of the session state table, and therefore
the synchronization time, significantly.
If the protocol does not support retransmission, or if “out-of-state” packet drops are undesirable, the cluster
can be configured to delay sending the first packet until all members are synchronized.
To enable this, check “Support non-sticky connections” in the “3rd Party Configuration” page of the cluster
object. In pre-NG AI (R54) FireWall-1/VPN-1 versions, this was controlled by setting the variable
“use_limited_flushnack” to true in $FWDIR/conf/Objects.C on the management server. For the highest cluster
performance it is recommended that you leave this property unchanged.



Uninstalling the Application
Use the following procedure to uninstall the Check Point VPN-1 Power NGX R62 application on an X-Series
system:
1. At the XOS prompt, execute the following command to uninstall the application:
CBS# application FW1 vap-group <vap-group-name> uninstall

NOTE: If the Check Point VPN-1 Power NGX R62 application is installed on multiple VAP groups, repeat step 1
for each VAP group.
2. Uninstall the Check Point VPN-1 Power NGX R62 RPM file as follows:
[root@xxxxx admin]# rpm -e <app-rpm-name>

3. If you are using a CPM redundancy configuration, you must also uninstall the Check Point VPN-1 Power NGX
R62 RPM file from the secondary CPM.
NOTES:
• If you have a High Availability configuration with multiple X-Series systems, each system is managed
separately. To remove the application from multiple systems, repeat this procedure for each system.
• By default, the disk swap space is equal to the amount of memory in the X-Series system. However, APMs with a
local disk drive are configured with two 2GB swap partitions, although disk swap space is not enabled.

3 Installing Check Point VPN-1 Power NGX Software on a C-Series System

This chapter describes how to install the Check Point VPN-1 Power NGX R62 application on a C-Series Security
Switch. The Check Point NGX application includes the Policy Server and Real Time Monitor packages.

Prerequisites
• For a C-Series system, use COS 4.0.1 (or later). Note that the C25 requires COS 5.1.0 (or later) and that the
C12 requires COS 5.1.1 (or later).
• This application requires COS CS Linux v3.

Installing VPN-1 Power NGX R62
1. Log into COS and su to root.
[root@hostname admin]# su -

2. Use FTP to copy the application RPMs to the C-Series system. The default directory for these RPMs is:
/usr/os/apps/

3. Execute the following command at the admin prompt to display the Main Menu.
[root@hostname admin]# cos_config

4. Select the Application Install menu item.


5. From the next menu, select Install Application.
6. When prompted to enter the application RPMs directory, enter the complete path or accept the default.

7. You will be prompted to enable dynamic routing. Enter “N”. Check Point Dynamic Routing is not supported
in this release.
NOTES:
• For this release, the RPM name is:
app-firewallng-NGXR62-1-4.11.0.5.7xCOS.i686.rpm
• If multiple versions of the Check Point VPN-1 Power are present, you are prompted to pick one. Only one
variation of Check Point VPN-1 Power can be installed.

Configuration Considerations
The following section lists items that you need to be aware of when installing Check Point VPN-1 Power NGX
R62.
• If installing the FireWall application individually or as part of a software package, do not reboot the system
when prompted. Instead, choose to reboot at a later time. Otherwise, the rest of the COS installation script
will not be invoked.
• Requires COS CS Linux v3.
• Floodgate and Smartview Monitor are installed by default. As a result, you may see messages that these
applications are not started or disabled.

Uninstalling the Application
The uninstall option stops the application if it is running, uninstalls the vendor package, and cleans up the
COS RPM. To uninstall any application:
1. Log into COS and su to root.
[root@xxxxx admin]# su - root

2. Execute the following command to display the Main Menu.
[root@hostname admin]# cos_config

3. Select the Application Install menu item.


4. From the next menu, select Uninstall Application.
5. From the next menu, choose to uninstall an individual application or all applications.
6. You are prompted to enter the application RPMs directory. Enter the complete path or accept the default.
7. Choose the application you wish to uninstall.

24 Installing Check Point VPN-1 Power NGX Software on a C-Series System
