Connectra_gsg_dvd.book Page 1 Tuesday, September 9, 2008 9:32 AM

Connectra™
Getting Started Guide
Version NGX R66

703140 September 9, 2008


Contents

Chapter 1
Introduction to Connectra
Introduction
In This Guide
Key Features and Benefits
    Secure Web-Based Connectivity
    Unified Security Management
    Comprehensive Endpoint Security
    Integrated Intrusion Prevention
    Easy Deployment
    Central Management
    Local Management
    Flexible Deployment Options
    Advanced Authentication Options
Choosing the Correct CD
Procedure Quick Reference

Chapter 2
Deploying Connectra
Deployment Overview
Deploying Connectra in the DMZ
Deploying Connectra on a LAN
Deploying a Connectra Cluster

Chapter 3
Connectra Requirements
Minimum Hardware Requirements
Recommended Hardware
Hardware Compatibility Testing Tool
    Downloading and Preparing the CD
    Preparing to Use the Compatibility Testing Tool
    Using the Hardware Compatibility Testing Tool
BIOS Security Configuration Recommendations
Operating System Compatibility
Browser Compatibility

Chapter 4
Installing and Configuring Connectra
Installation Procedure Quick Reference
Installation and Configuration Workflow
    Installation and Initial Configuration Stages
Installation and Initial Configuration Procedures
    Step 1: Planning the Deployment Topology
    Step 2: Preparing for Centrally Managed Connectra
    Step 3: Installing Connectra Using the CD
    Step 4: Connecting to the Administration User Interface
    Step 5: Running the First Time Configuration Wizard
    Step 6: Logging In for the First Time
    Step 7: Defining Connectra Objects (Centrally Managed Connectra)
Post-Installation Procedures
    Step 8: Connecting Connectra to the Network
    Step 9: Backing Up the Configuration
    Step 10: Configuring Access Control
    Step 11: Performing a SmartDefense Update (Locally Managed Connectra)
    Step 12: Checking Your Setup
Installing the NGX R66 Plug-in
    Installing the Plug-in on a SmartCenter
    Installing the Plug-in on Provider-1/SiteManager-1
    Uninstalling Connectra Plug-ins
Cluster Configuration Deployment Tips
SSL Acceleration Card Installation
    Installing the Card
    Enabling the Card
    Disabling the Card
    SSL Acceleration Card Command Syntax
Further Information

Chapter 5
Upgrading Connectra
Upgrade Procedure Quick Reference
Preparing for the Upgrade to R66
    Preserving Manual Changes on the Connectra Gateway
    Preserving the Previous Connectra Configuration
Upgrading to Locally Managed R66 from R61/R62
    Upgrading to Locally Managed R66 via the Command Line
    Completing the Upgrade by Merging Manual Changes
Upgrading to Centrally Managed R66 from R61/R62
    Preserving Manual Changes and Previous Configuration
    Setting Up the SmartCenter
    Upgrading the Connectra Gateway via Command Line
    Upgrading the Connectra Gateway via SmartUpdate
    Setting Up SIC Trust
    Completing the Upgrade by Merging Manual Changes
Upgrading to Centrally Managed R66 from R62CM
    Preserving Manual Changes and the Previous Configuration
    Setting Up the SmartCenter and Installing the R66 Plug-in
    Upgrading the Connectra Gateway Using the Command Line
    Upgrading the Connectra Gateway Using SmartUpdate
    Setting Up SIC Trust
    Completing the Upgrade by Merging Manual Changes
Upgrading a Connectra Cluster to R66
Advanced Upgrade to R66 from R62
    Introduction to Advanced Upgrade
    Advanced Upgrade to Locally Managed R66

Chapter 6
Reverting to a Previous Version of Connectra
Reverting to a Snapshot
    Syntax
Uninstalling Connectra Plug-ins
    Uninstalling the R66 Plug-in for Central Management
    Uninstalling the Connectra NGX R62CM Plug-in
    Uninstalling Plug-ins in Provider-1

Chapter 7
License Installation and User Assistance
Installing Check Point Licenses
    For Connectra Cluster Users
Where To Go From Here?

© 2003-2008 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part of
this product or related documentation may be reproduced in any form or by any means without prior
written authorization of Check Point. While every precaution has been taken in the preparation of
this book, Check Point assumes no responsibility for errors or omissions. This publication and
features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.

For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.

Chapter 1
Introduction to Connectra
In This Chapter

Introduction
In This Guide
Key Features and Benefits
Choosing the Correct CD
Procedure Quick Reference

Introduction
Check Point Connectra is a comprehensive and unified remote access
solution that makes corporate applications and network resources
securely available to mobile and remote users. With Connectra NGX
R66, remote and mobile employees, contractors, business partners,
and customers can access network resources and applications through
either a lightweight VPN client or simply through a Web browser. By
unifying SSL and IPSec VPN technologies into a single gateway and
management console, Connectra provides flexible access for end
users and simple, streamlined deployment for the IT organization.
Connectra offers administrators tight access controls to help ensure
that only authorized users using clean hosts will gain access to
corporate resources. To that end Connectra features multiple strong
authentication methods and tight integration with directory services.
Comprehensive endpoint security capabilities enable malware scans and
compliance checks. A virtual Secure Workspace provides session
confidentiality on both managed and unmanaged endpoints, such as
laptops, home PCs, internet kiosks, and more.
Connectra can be deployed as either a turnkey appliance, as software
on open servers, or as a virtual machine on VMware ESX Server.
Connectra gateways can be managed either locally or centrally
through a single Check Point SMART management console, reducing
the administration time required to configure, monitor, update, and
audit remote access policies.

Note - Using different authentication schemes for Connectra
users and VPN-1 users in a centrally managed environment
may not be possible for every existing configuration. Visit
https://secureknowledge.checkpoint.com and review the
SecureKnowledge solution sk32656 for helpful information.

In This Guide
This guide has important information that you should read before
installing or upgrading Connectra.

Table 1-1

Chapter | Description
Chapter 1, Introduction to Connectra | Introduces Connectra and describes its key features and benefits.
Chapter 2, Deploying Connectra | Discusses the various deployment options: in the DMZ, in the LAN, and as a ClusterXL gateway cluster.
Chapter 3, Connectra Requirements | Provides the minimum hardware requirements, recommended hardware, hardware compatibility testing tool, operating system and browser compatibility, and license requirements.
Chapter 4, Installing and Configuring Connectra | Provides step-by-step instructions for the installation and initial configuration of Connectra.
Chapter 5, Upgrading Connectra | Provides instructions for upgrading Connectra using the CD or a downloaded file.
Chapter 6, Reverting to a Previous Version of Connectra | Provides instructions for reverting to a previous Connectra version using a snapshot image file, as well as for uninstalling Connectra Plug-ins.
Chapter 7, License Installation and User Assistance | Discusses the license types and their installation, and provides details on how to obtain further assistance.

Key Features and Benefits


The following key features and benefits assure confident, flexible
remote access:

Secure Web-Based Connectivity
• Increases productivity by allowing workers to work anywhere, anytime.
• Provides users with SSL VPN access to email, applications, and shared files from a standard Web browser.
• Enables network access for client/server applications through a browser plug-in.
• Delivers clientless SSL VPN access to enterprise resources.

Unified Security Management
• Helps ensure business continuity.
• Unified IPsec and SSL solution reduces Total Cost of Ownership (TCO).
• Provides secure and flexible remote access tailored to user needs.
• Includes tight, uniform access controls across all access methods.

Comprehensive Endpoint Security
• Detects malware and keyloggers on remote PCs.
• Ensures session confidentiality using the Secure Workspace.
• Enforces security policy compliance before granting remote access.
• Allows organizations to define endpoint security requirements to access individual resources.
• Safeguards confidentiality of corporate information.
• Prevents identity, password, and data theft on remote endpoints.
• Allows secure VPN access even on public or unmanaged PCs.

Integrated Intrusion Prevention
• Protects internal networks and applications from attack.
• Integrates Application Intelligence and Web Intelligence to prevent attacks and malicious activity across SSL VPN.
• Ensures the security of applications even when accessed from insecure PCs.

Easy Deployment
• Integrates with existing network and security infrastructure.
• Enables quick and easy setup without requiring changes to servers or network configuration.

Central Management
• Connectra gateways can be managed from SmartCenter and Provider-1/SiteManager-1.
• Full leveraging of SmartCenter architecture:
    • Object sharing (for example, Network Objects, Applications, Users, Services).
    • Same authentication settings, logs settings, and so on.
    • Configuration of multiple Connectra gateways and gateway clusters from the same SmartDashboard.
    • Identical or different settings and policies for different Connectra gateways.
    • Single point of administration for backup and maintenance.
    • Redundant management infrastructure is possible.

Local Management
• The Check Point SmartConsole suite is utilized for configuring, monitoring, and tracking a single Connectra gateway.
• SmartDashboard, SmartView Monitor, and SmartView Tracker are tailored for a single Connectra gateway.

Flexible Deployment Options
• Connectra is available as a turnkey appliance or as software.
• Deployment scalability to meet the price and performance needs of any sized organization.
• New Connectra Virtual Appliance (VA) offering as Connectra supports VMware ESX Server as a platform.

Advanced Authentication Options
• Strong two factor authentication with an integrated SMS One-Time Password.
• Single sign-on for Web-based and HTTP-based authentication of users using HTML forms.

Choosing the Correct CD


The Connectra NGX R66 media pack contains two CDs. An additional
DVD contains Connectra Virtual Appliance for installing Connectra on
a VMware virtual machine. The following table explains the purpose of
CD1 and CD2, and on which machine to install each CD.

CD | Use To | Install on
1: R66 | Install a locally managed or centrally managed Connectra gateway. | New machine.
1: R66 | Upgrade from R61, R62 or R62CM to R66. | R61, R62, or R62CM Connectra gateway.
2: R66 SmartCenter Plug-in | Add central management capabilities to the SmartCenter server or Provider-1/SiteManager-1 MDS. Use this option for creating Clusters. | NGX R66 SmartCenter server or Provider-1/SiteManager-1 MDS.
2: R66 SmartCenter Plug-in | Upgrade from R61, R62 or R62CM to centrally managed R66. | NGX R66 SmartCenter server or Provider-1/SiteManager-1 MDS.

Procedure Quick Reference


This guide includes instructions for performing various installation
and upgrade procedures. The following table shows where in the
guide to find the instructions you need, and which CD you should
use.

I want to... | Required CDs
Perform a new installation of locally managed R66. See "Installing and Configuring Connectra" on page 35. | 1: R66
Upgrade from R61 or R62 to R66 (local management). See "Upgrading Connectra" on page 75. | 1: R66
Perform a new installation of centrally managed R66. See "Installing and Configuring Connectra" on page 35. | 1: R66; 2: R66 SmartCenter Plug-in
Upgrade from R61, R62, or R62CM to centrally managed R66. See "Upgrading Connectra" on page 75. | 1: R66; 2: R66 SmartCenter Plug-in
Advanced upgrade to locally managed NGX R66 from R61 or R62. See "Advanced Upgrade to R66 from R62" on page 99. | 1: R66
Revert to a snapshot image. See "Reverting to a Previous Version of Connectra" on page 103. | None

Chapter 2
Deploying Connectra
In This Chapter

Deployment Overview
Deploying Connectra in the DMZ
Deploying Connectra on a LAN
Deploying a Connectra Cluster

Deployment Overview
In general, it is recommended to deploy Connectra in the DMZ.
Connectra can, however, also be deployed in other places, such as on
the internal LAN. In both scenarios, SSL termination takes place at
the Connectra Gateway. Web Intelligence, Application Intelligence,
authentication, and authorization schemes on the Connectra Gateway
are employed to protect the internal network and to inspect the traffic
for harmful content before it reaches the internal servers.
Connectra differs from other remote access solutions in that it has
gateway-based application-level and network-level protection. For
example, it incorporates the Malicious Code Protector to protect
against worms.

Deploying Connectra in the DMZ


Figure 2-1 shows a typical Connectra deployment in the DMZ:
Figure 2-1 Connectra Deployment in the DMZ

When Connectra is placed in the DMZ, traffic initiated both from the
Internet and from the LAN to Connectra is subject to firewall
restrictions. By deploying Connectra in the DMZ, the need to enable
direct access from the Internet to the LAN is avoided. Remote users
initiate an SSL connection to the Connectra Gateway. The firewall
must be configured to allow traffic from the user to the Connectra
server, where SSL termination, Web and Application Intelligence
inspection, authentication, and authorization take place. Requests are
then forwarded to the internal servers via the firewall. Administration
traffic is always SSL encrypted.

Deploying Connectra on a LAN


Figure 2-2 shows how Connectra can be deployed on the LAN
alongside the internal servers:
Figure 2-2 Connectra Deployment in the LAN

The remote user opens a browser and initiates an HTTPS request to
the Connectra server. The SSL connection is terminated within the
LAN and the clear text requests are forwarded to the internal servers.
The internal servers reply in the clear to Connectra, which encrypts
the reply back to the remote user. In the scenario shown in
Figure 2-2, the perimeter firewall must be configured to allow
encrypted SSL traffic to Connectra.
In this scenario, the SSL VPN traffic passes through the firewall as
encrypted traffic and is thus unavailable for inspection with traditional
solutions. With Connectra, the network is fully protected with
Application Intelligence and Web Intelligence.

Deploying a Connectra Cluster


Figure 2-3 shows a two-member Connectra cluster. Typically, the
cluster is deployed behind the DMZ interface of a firewall, with the
application servers behind the firewall in the internal networks.
Figure 2-3 Connectra Clustering Topology Example

Each cluster member has two interfaces: one data interface leading to
the organization and to the Internet, and a second interface for
synchronization. Each interface is on a different subnet.
• One subnet for data (in Figure 2-3, 10.0.0.1 for Member A and 10.0.0.2 for Member B).
• One subnet for synchronization (10.0.10.1 for Member A and 10.0.10.2 for Member B).
See Cluster Configuration Deployment Tips on page 69 for more
information about Connectra clusters.

Note - Clusters are not supported in locally managed R66.
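
A pre-deployment check of the cluster addressing plan described above, added here as an example; it is not part of the original guide or of any Check Point tool. The addresses are those quoted from Figure 2-3, while the /24 prefix length, the function name check_cluster_plan and the plan layout are assumptions, since the guide states no netmask.

```python
"""Pre-deployment check of a cluster addressing plan (added example)."""
import ipaddress

# Assumption: the guide gives no netmask for Figure 2-3; /24 is illustrative.
ASSUMED_PREFIX = 24

# The four addresses quoted from Figure 2-3 of the guide.
FIGURE_2_3_PLAN = {
    "Member A": {"data": "10.0.0.1", "sync": "10.0.10.1"},
    "Member B": {"data": "10.0.0.2", "sync": "10.0.10.2"},
}
ROLES = ("data", "sync")


def check_cluster_plan(plan, prefix=ASSUMED_PREFIX):
    """Return a list of problems; an empty list means the plan passes."""
    problems = []
    parsed = {}  # member name -> {role: IPv4Interface}
    for member, addrs in plan.items():
        parsed[member] = {}
        for role in ROLES:
            if role not in addrs:
                problems.append(f"{member}: no {role} interface defined")
                continue
            try:
                parsed[member][role] = ipaddress.ip_interface(
                    f"{addrs[role]}/{prefix}")
            except ValueError:
                problems.append(
                    f"{member}: invalid {role} address {addrs[role]!r}")

    # Rule from the guide: each interface of a member is on a different subnet.
    for member, ifaces in parsed.items():
        if len(ifaces) == 2 and ifaces["data"].network.overlaps(
                ifaces["sync"].network):
            problems.append(f"{member}: data and sync interfaces share a subnet")

    # The guide lists one subnet for data and one for synchronization.
    for role in ROLES:
        nets = sorted({str(i[role].network) for i in parsed.values() if role in i})
        if len(nets) > 1:
            problems.append(f"{role} interfaces are spread over {', '.join(nets)}")

    # No address may be reused or be the network/broadcast address of its subnet.
    owner = {}
    for member, ifaces in parsed.items():
        for role, iface in ifaces.items():
            label = f"{member} {role}"
            if iface.ip in owner:
                problems.append(
                    f"{label}: {iface.ip} already used by {owner[iface.ip]}")
            owner[iface.ip] = label
            net = iface.network
            if iface.ip in (net.network_address, net.broadcast_address):
                problems.append(f"{label}: {iface.ip} is not a usable host address")
    return problems


if __name__ == "__main__":
    for prefix in (24, 16):
        result = check_cluster_plan(FIGURE_2_3_PLAN, prefix)
        print(f"/{prefix}:", "OK" if not result else result)
```

With a /16 mask the same four addresses fail the check, because both interfaces of each member then fall in 10.0.0.0/16.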

Chapter 3
Connectra Requirements
In This Chapter

Minimum Hardware Requirements
Recommended Hardware
Hardware Compatibility Testing Tool
BIOS Security Configuration Recommendations
Operating System Compatibility
Browser Compatibility

Minimum Hardware Requirements


The minimum requirements for Connectra are:
• Intel Pentium III 300+ MHz or equivalent processor.
• 10 GB free disk space.
• 512 MB RAM.
• One or more supported network adapter cards (two are required for a cluster configuration).
• CD-ROM drive (bootable).
• 1024 x 768 video adapter card.
If you have over 1 GB of RAM, you will need additional free disk
space. In this case, an additional 2 GB of free disk space should be
added for each additional 1 GB of RAM.

Recommended Hardware
Open servers and devices are tested on a regular basis by Check Point
for compatibility with Connectra. For an updated list of hardware that
is recommended for use with Connectra, see
http://www.checkpoint.com/services/techsupport/hcl/connectra.html.

Note that Connectra is also supported on VMware virtual machines.
See the Connectra NGX R66 Virtual Appliance Getting Started Guide for
detailed information regarding installing and configuring Connectra on
VMware.

Hardware Compatibility Testing Tool


The Hardware Compatibility Testing Tool enables you to determine
whether SecurePlatform, the Connectra operating system, is
supported on a specific hardware platform.
The tool detects all hardware components on the platform, checks
whether they are supported, and displays its conclusions: whether
Connectra can be installed on the machine (supported I/O devices
found, supported mass storage device was found), and the number of
supported and unsupported Ethernet controllers detected.
You can view detailed information on all the devices found on the
machine.
You can save the detailed information on a diskette, on a TFTP server,
or dump it via the serial port. This information can be submitted to
Check Point Support in order to add support for unsupported devices.
Run the Hardware Compatibility Testing Tool in the same way that you
would install Connectra on the hardware platform (for example, boot
from CD, boot from diskette, and installation through network).

Downloading and Preparing the CD


The Hardware Compatibility & Testing tool is available for download
as a CD ISO image (hw.iso) at
http://www.checkpoint.com/services/techsupport/hcl/testing_tool.html
As Connectra NGX R66 uses the SecurePlatform v26 operating
system, download the R66 with SecurePlatform v26 version of the
tool.
The ISO image can be burned on a blank CD-R or CD-RW media,
using a CD burning tool.

Note - You must specify that you are burning a CD image
and not a single file.

Preparing to Use the Compatibility Testing Tool
Run the tool either by booting from the CD that contains it, booting
from a disk and accessing a local CD, or booting from a diskette and
accessing the CD through the network.
If no keyboard and monitor are connected to the hardware platform,
the serial console can be used to perform the hardware detection.

Booting from the CD


To boot from the CD:
1. Configure the BIOS of the machine to boot from the CD drive.
2. Insert the CD into the drive.
3. Boot the machine.

Booting from a Diskette and Accessing a Local CD
This option should be used when the hardware platform cannot be
configured to boot from the CD drive (but will boot from a diskette),
and has a CD drive.
To create a bootable diskette image and access a local CD:
1. Insert the CD into the CD drive.
2. Insert a diskette into the diskette drive.
3. Browse to your CDROM drive and select the
SecurePlatform/images folder.
4. Drop the boot.img file on the cprawrite executable.
   Alternatively, using the NT command shell (cmd), run the
   following command on a single line (where D: is the CD-ROM
   drive):
   D:\SecurePlatform\images\cprawrite.exe D:\SecurePlatform\images\boot.img
5. Boot the machine.

Booting from a Diskette and Accessing the CD over the Network
Use this option when the machine to be tested has no CD drive. In
this case, there will be two machines participating:
• A machine that has a CD drive.
• The machine on which you want to run the tool.
To boot from a diskette and access a CD over the network:

On the Machine with the CD Drive


Proceed as follows:
1. Insert the CD into the CD drive of a (Microsoft Windows-based)
machine.
2. Insert a diskette into the diskette drive.
3. Browse to the CD drive and select the
SecurePlatform/images folder.
4. Drop the bootnet.img file on the cprawrite executable.
   Alternatively, using NT command shell (cmd), run the
   following command on a single line (where D: is the
   CD-ROM drive):
   D:\SecurePlatform\images\cprawrite.exe D:\SecurePlatform\images\bootnet.img
   This step writes files to the diskette, which you will
   transfer to the other machine (the machine on which the
   tool will be run).
5. Make the contents available on the network, either by allowing
access to the CD drive, or by copying the CD to a hard disk and
enabling access to that disk (for example, by FTP, HTTP, or
NFS).

On the Machine You Are Testing


Proceed as follows:
1. Insert the diskette you created in Booting from a Diskette and
Accessing a Local CD on page 28, above, into the diskette
drive of the machine you are testing.
2. Boot the machine.
3. Configure the properties of the interface, through which this
machine is connected to the network, including its IP address,
Netmask, default gateway and DNS.
You can choose to configure this interface as a dynamic IP
address interface.
4. Enable access to the files on the machine with the CD drive (see
On the Machine with the CD Drive on page 29 above).
5. Specify the following settings for the other machine:
   • IP address, or hostname
   • Package Directory
   • User/password (if necessary)
6. If you are installing using a serial console, instead of the
   keyboard and monitor, make sure that your terminal emulation
   software is configured as follows:
   • 9600 Baud rate
   • 8 data bits
   • No parity
   • No flow control

Using the Hardware Compatibility Testing Tool
The hardware tool automatically tests the hardware for compatibility.

Note - A simple, naive detection tool is included on the
boot diskette. If for some reason, the complete detection tool
is unavailable (e.g., the CDR drive is not supported), you can
still use the simple tool to get some information on your
hardware. The simple tool is available from the Installation
Method screen, and is accessed by pressing the Probe Hardware
button.

When it finishes, the tool displays a summary page with the following
information:
• Whether the platform is suitable for installing Connectra
• Number of supported and unsupported mass storage devices
• Number of supported and unsupported Ethernet Controllers
Additional information can be obtained by pressing the Devices button.
The devices information window lists all the devices found on the
machine (grouped according to functionality).
Use the arrow keys to navigate through the list.

Pressing Enter on a specific device displays detailed information about
that device.
The detailed information can be saved to a diskette, to a TFTP Server,
or dumped through the Serial Console. This action may be required in
cases where some of the devices are not supported.

BIOS Security Configuration Recommendations
The following are BIOS configuration recommendations:
• Disable the boot from floppy option in the system BIOS, to avoid unauthorized booting from a diskette and changing system configuration.
• Apply a BIOS password to avoid changing the BIOS configuration. Make sure you memorize the password, or keep it in a safe place.

Operating System Compatibility


For a list of the operating systems (Windows, Linux and MacOS-X)
that are compatible with each Connectra feature, see the latest
version of the Connectra release notes, available at
http://www.checkpoint.com/techsupport/downloads.jsp.

Browser Compatibility
For a list of the Web browsers (Internet Explorer, Mozilla Firefox, and
so on) that are compatible with each Connectra feature, see the latest
version of the Connectra release notes, available at
http://www.checkpoint.com/techsupport/downloads.jsp.

Chapter 4
Installing and Configuring Connectra
In This Chapter

Installation Procedure Quick Reference
Installation and Configuration Workflow
Installation and Initial Configuration Procedures
Post-Installation Procedures
Installing the NGX R66 Plug-in
Cluster Configuration Deployment Tips
SSL Acceleration Card Installation
Further Information

Installation Procedure Quick Reference
Table 4-1 indicates where in this chapter to find the procedures you
need, and which CD(s) you require.
Table 4-1 Installation Procedure Reference

I want to... | Required CDs
Perform a new installation of (locally managed) NGX R66. See "Installation and Configuration Workflow" on page 37. | 1: R66
Perform a new installation of (centrally managed) NGX R66. See "Installation and Configuration Workflow" on page 37. | 1: R66; 2: R66 SmartCenter Plug-in
Set up a Connectra NGX R66 Cluster. See "Cluster Configuration Deployment Tips" on page 69. | 1: R66; 2: R66 SmartCenter Plug-in
Install an SSL Acceleration card. See "SSL Acceleration Card Installation" on page 71. | None


Installation and Configuration Workflow
Getting started with Connectra involves installation and initial
configuration, followed by detailed configuration to meet your needs.
The following workflow outline and detailed instructions apply to a:
Centrally managed Connectra gateway, including those that will
be part of a Connectra Cluster.
Locally managed Connectra gateway
To upgrade from a previous version, see chapter 5, Upgrading
Connectra on page 75.
For more information about Clusters, see Cluster
Configuration Deployment Tips on page 69. Note that Clusters are
not supported in locally managed Connectra NGX R66.

Installation and Initial Configuration Stages
The installation and configuration of Connectra are performed in the
following stages:

Installation
1. Plan the deployment topology.
2. If you are installing centrally managed Connectra:
a. Add a NIC to the machine (for a Cluster Member only).
b. Install or upgrade the SmartCenter server or
Provider-1/SiteManager-1 MDS to NGX R65 and install the
Connectra R66 SmartCenter Plug-in using the CD.
c. Configure relevant firewall access rules.
3. Install Connectra using the CD.

4. Connect to the administration user interface.


5. Run the First Time Configuration Wizard and automatically
install the Connectra package.
6. Log in to the SmartDashboard for the first time.
7. If you are installing centrally managed Connectra, define
Connectra objects in SmartDashboard.

Post-Installation Procedures
After completing the installation, configure Connectra as follows:
8. Connect Connectra to the network.
9. Connect to the local administration portal and back up the
configuration.
10. Perform detailed configuration via the SmartDashboard.
11. If you are setting up locally managed Connectra, perform a
SmartDefense Update.
12. Check your setup.
You can also install an SSL acceleration card. See SSL Acceleration
Card Installation on page 71.


Installation and Initial Configuration Procedures
Step 1: Planning the Deployment Topology
In general, it is recommended to deploy Connectra in the DMZ.
Connectra can, however, also be deployed in other places, such as in
the local area network (LAN). See chapter 2, Deploying Connectra
on page 19.
For locally managed Connectra, continue with Step 3: Installing
Connectra Using the CD on page 42.

Step 2: Preparing for Centrally Managed Connectra
Step A: Adding a NIC (for a Cluster Member only)
If the Connectra server is to be part of a ClusterXL Load Sharing or
High Availability cluster, it requires two interfaces. If necessary, add a
network interface card.

Step B: Setting Up SmartCenter and Installing the Plug-in (Centrally Managed Only)
To set up the SmartCenter and install the NGX R66 Plug-in:
1. Install or upgrade the SmartCenter server or
Provider-1/SiteManager-1 CMA to version NGX R65.


2. For a new installation of SmartCenter, install SmartDashboard
on a SmartConsole client. For a new installation of
Provider-1/SiteManager-1, install the Multi Domain GUI (MDG).
It is recommended to use the latest MDG that is found on CD2
in the MDG directory.
3. Install the Connectra NGX R66 Plug-in on version NGX R65 of
the SmartCenter server or Provider-1/SiteManager-1 Multi
Domain Server. See Installing the NGX R66 Plug-in on
page 62.

Step C: Configuring Firewall Access Rules


Configure the firewall according to the chosen deployment. The exact
set of rules depends on the selected setup and the services that
Connectra will provide. A typical Security Rule Base configuration, on
VPN-1 Pro, is described herein:

FireWall Rules for Connectra in a DMZ


The rules listed in Figure 4-1 apply to the deployment shown in
Figure 2-1, Connectra Deployment in the DMZ, on page 21.


Figure 4-1 Rules for Deploying Connectra in the DMZ

Rule 1
Source: Admin host
Destination: Connectra
Service: HTTPS (TCP/4433)
Action: Accept
Comment: Administrator access. (encrypted)

Rule 2
Source: Any
Destination: Connectra
Service: HTTP (TCP/80), HTTPS (TCP/443), SSL (TCP/444) (or port, on
which the SSL Network Extender server is configured),
IKE_NAT_TRAVERSAL (UDP/4500). This is used by Endpoint
Action: Accept
Comment: End user access to portal: Web applications, File sharing,
Web mail. Sessions initiated using HTTP are redirected automatically
to HTTPS. All actual communication is encrypted.

Rule 3
Source: Connectra
Destination: LAN
Service: HTTP (TCP/80), HTTPS (TCP/443), nbsession (TCP/139),
microsoft-ds (TCP/445), nbdatagram (TCP/138), nbname (TCP/137),
IMAP (TCP/143), SMTP (TCP/25). All additional Network applications
that are made accessible, via the SSL Network Extender
Action: Accept
Comment: Connectra to LAN for: Web applications, File sharing, Web mail

You may need other rules, depending on your configuration:


Connectra requires access to DNS servers, and possibly to WINS
servers.
For backups, Connectra may need access to a TFTP or SCP
server.


Connectra may need access to the SmartCenter Server or to a
Customer Log Module (CLM), in order to send logs to a remote
log server.
For authentication, Connectra may need access to LDAP,
RADIUS and ACE servers.
Connectra may need access to an NTP server for clock
synchronization purposes.
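
The rule base in Figure 4-1 and the additional access listed above can be checked against the flows you plan before the policy is installed. The following is an added example, not Check Point code: it models rules 1-3 as first-match Accept rules with everything else dropped (an assumption about the rest of the rule base) and reports which planned flows still need a rule and which unwanted flows are accepted. The zone labels, the flow lists and the server ports are constructed for illustration.

```python
"""Added example: pre-deployment audit of the Figure 4-1 DMZ rule base."""
from dataclasses import dataclass

# Zone labels for this sketch (hypothetical, not Check Point object names).
ADMIN, ANY, CONNECTRA, LAN, INTERNET = "admin_host", "any", "connectra", "lan", "internet"


@dataclass(frozen=True)
class Rule:
    number: int
    source: str
    destination: str
    services: frozenset  # set of (protocol, port) pairs


@dataclass(frozen=True)
class Flow:
    name: str
    source: str
    destination: str
    proto: str
    port: int


def rule(number, source, destination, *services):
    """Build a Rule from a list of (protocol, port) pairs."""
    return Rule(number, source, destination, frozenset(services))


# Rules 1-3 as listed in Figure 4-1 (ports and protocols as printed there).
DMZ_RULES = [
    rule(1, ADMIN, CONNECTRA, ("tcp", 4433)),
    rule(2, ANY, CONNECTRA, ("tcp", 80), ("tcp", 443), ("tcp", 444), ("udp", 4500)),
    rule(3, CONNECTRA, LAN, ("tcp", 80), ("tcp", 443), ("tcp", 139), ("tcp", 445),
         ("tcp", 138), ("tcp", 137), ("tcp", 143), ("tcp", 25)),
]

# Weak variant for comparison: rule 1 opened to Any instead of the admin host.
WEAK_RULES = [rule(1, ANY, CONNECTRA, ("tcp", 4433))] + DMZ_RULES[1:]

# Constructed flows. Server ports are the protocols' well-known defaults
# (assumption: your DNS/NTP/LDAP/RADIUS/SCP servers use them and sit where shown).
MUST_PASS = [
    Flow("Admin WebUI", ADMIN, CONNECTRA, "tcp", 4433),
    Flow("Portal HTTPS", INTERNET, CONNECTRA, "tcp", 443),
    Flow("File share", CONNECTRA, LAN, "tcp", 445),
    Flow("DNS lookup", CONNECTRA, LAN, "udp", 53),
    Flow("NTP sync", CONNECTRA, INTERNET, "udp", 123),
    Flow("LDAP auth", CONNECTRA, LAN, "tcp", 389),
    Flow("RADIUS auth", CONNECTRA, LAN, "udp", 1812),
    Flow("SCP backup", CONNECTRA, LAN, "tcp", 22),
]
MUST_DROP = [
    Flow("WebUI from Internet", INTERNET, CONNECTRA, "tcp", 4433),
    Flow("SSH from Internet", INTERNET, CONNECTRA, "tcp", 22),
]


def first_match(flow, rules):
    """Number of the first rule that accepts the flow, or None (dropped)."""
    for r in rules:
        if r.source not in (ANY, flow.source):
            continue
        if r.destination != flow.destination:
            continue
        if (flow.proto, flow.port) in r.services:
            return r.number
    return None


def audit(rules):
    """Flows that still need a rule, and flows the rule base wrongly accepts."""
    return {
        "missing": [f.name for f in MUST_PASS if first_match(f, rules) is None],
        "exposed": [f.name for f in MUST_DROP if first_match(f, rules) is not None],
    }


if __name__ == "__main__":
    for label, rules in (("Figure 4-1", DMZ_RULES), ("rule 1 from Any", WEAK_RULES)):
        print(label, audit(rules))
```

Each name under "missing" corresponds to one of the additional rules the list above says you may need; anything under "exposed" means a rule is broader than Figure 4-1 intends.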

FireWall Rule for Connectra in a LAN


If you choose to deploy Connectra in the LAN, as in Figure 2-2,
Connectra Deployment in the LAN, on page 22, rule 3 is not
needed.

Step 3: Installing Connectra Using the CD


To install the Connectra gateway:
1. Configure a designated machine to boot from the CD drive.
2. Place the CD into the CD ROM drive and boot.
The Pre-installation Message appears:
Figure 4-2 Pre-installation Message

3. Press Enter.
The Check Point Welcome Message appears:


Figure 4-3 Welcome Message

4. Use the Tab key to select OK.


The Keyboard Selection screen is displayed:
Figure 4-4 Keyboard Selection screen

5. Use the Tab and arrow keys to select an appropriate keyboard.


6. Click OK.
The Network Interface Configuration screen appears:


Figure 4-5 Network Interface Configuration screen

7. Enter the IP address of the administration interface. On a cluster
member, do not use the address of the synchronization
interface. Also specify the Netmask and the Default gateway. Select
OK.

8. When prompted to start the installation process, use the arrows
or the Tab key to select OK.

Note - This will ERASE all data on your hard drive.


9. Wait while the hard disk is completely formatted.
The Package Installation screen appears:
Figure 4-6 Package Installation screen

This is followed by instructions for connecting to the Web-based
administrative interface:


Figure 4-7 Connection Instructions

Note - The default login name and password, and the URL for
the WebUI are displayed in the message box. Connect to the
WebUI only after the machine reboots.
10. Use the Tab key to select OK to reboot the machine.
11. Wait for SecurePlatform to complete booting.

Step 4: Connecting to the Administration User Interface
You can connect to the Administration User Interface via the console,
an SSH connection, or a Web browser.
To connect to the WebUI using a Web browser:
1. When SecurePlatform has completed booting, open a supported
Web browser (see Browser Compatibility on page 33) on a
machine that has network connectivity to Connectra, and
connect to the administrative user interface. By default this
interface has the IP address configured earlier (in step 7), over
port 4433 (an SSL port). For example:
https://192.168.1.1:4433.
2. The End-User License Agreement opens. To accept its terms,
click I Accept.


Step 5: Running the First Time Configuration Wizard
The First Time Configuration Wizard can be run in the console or the
WebUI.

Running the Wizard from the Console


To run the Wizard in the console:
1. Log in using the default system administrator
username/password (admin/admin).
2. Run: cpconfig.
3. Follow the on-screen instructions.
For more information about the on-screen options, see Running the
Wizard from the WebUI on page 46.

Running the Wizard from the WebUI


To run the First Time Configuration Wizard using the WebUI:
1. When the login window opens, enter the default system
administrator username/password (admin/admin), and click Login.
2. Change the administrator password, as prompted. The First-Time
Configuration Wizard begins to run. Click Next.
3. In the Network Connections page, define the network
connections. For centrally managed NGX R66, if the machine
will be a Connectra cluster member, define an IP address and
netmask for the synchronization network interface. Click Next.
4. In the Routing Table page configure routing. For centrally
managed NGX R66, if the machine will be a Connectra cluster
member, configure a default gateway on the subnet of the data
interface. Click Next.
5. In the Host, Domain Name, and DNS Servers page, set the
following:


Hostname: For example, Connectra1. If the host is to be
part of a cluster, ensure that all hostnames in the cluster
are unique.
Domain Name: For example, example.com. Although not
mandatory now, this parameter is important if you want the
device to be recognized within the domain.
DNS Servers: The DNS server to be used when downloading
SmartDefense updates and for mounting File Shares.
Connectra also uses DNS lookup for any hostname-style
HTTP link to an internal server, and for resolving other
servers (such as Citrix servers, or any other machine whose
DNS entry is properly configured on the LAN).
6. Click Next.
7. In the Device Date and Time Setup page, set the date and time.
Cluster member clocks must be synchronized to within a few
seconds. Time settings may also affect the behavior of certificate
validation. For a cluster, select Use a Network Time Protocol (NTP)
to synchronize the clock for reliable synchronization using a time
synchronization service. Set the following parameters:
Primary NTP Server: The hostname of the Primary NTP
Server you are using. For example, ntp.xyz.net
Secondary NTP Server (optional): The hostname of the
Secondary NTP Server you are using. For example,
ntp.abc.edu
Shared Secret (optional): The shared secret that cluster
members will be using for communication.
Synchronization period: The time, in seconds, after which
cluster members will periodically synchronize their internal
clocks with the NTP Server. For example, entering 60
indicates that clocks should synchronize with the server
every minute.
Time Zone: The time zone in which the cluster member
machine is located.


8. Click Next.
9. In the Web/SSH Clients page, any Web or SSH client authorized
to access the Connectra WebUI is displayed. Click Add to add a
new host. Type any as a hostname to enable access from any
Web/SSH client. A hostname can also contain a wildcard or IP
address range.
10. When all desired hosts appear in the Web/SSH list, click Next.
11. Select the type of management configuration you want for
Connectra.
Locally: To configure locally managed Connectra, where
Connectra manages itself.
Centrally: To configure Connectra that is managed centrally
from a SmartCenter Console. Clusters are only supported in
a centrally managed configuration. For more information on
these configuration options see the Connectra Gateway
Clusters chapter of the Connectra NGX R65 Administrative
Guide.

Note - Once you select locally or centrally managed, switching
to the other option will require a new installation.

12. Click Next.


Locally Managed Connectra


13. If you are configuring locally managed Connectra, the Connectra
GUI Clients page opens:
a. Hosts authorized to connect to Connectra are displayed.
Click Add to add a new host.
b. Type any as a hostname to enable a connection from any
GUI client. A hostname can also contain a wildcard or IP
address range.
c. When all desired hosts appear in the GUI Client list, click
Next.
d. Type a user name and password of the Connectra
Administrator.
e. Click Next.
Centrally Managed Connectra
14. If you are configuring centrally managed Connectra, the Secure
Internal Communication page opens:
Decide on a SIC Activation Key. Type it and then confirm
it. SIC certificates authenticate communication between
Check Point communicating components. You will need to
use the same Activation Key when defining the gateway in
SmartDashboard, on the same SmartCenter server where
you installed the Connectra NGX R66 Plug-in. You can use
the same Activation Key for all members of a cluster.

Note - Components can communicate with each other only
once the Certificate Authority is initialized and each
component has received a SIC certificate.

Both Locally and Centrally Managed:


15. If you do not already have SmartConsole NGX R65 installed on
your GUI client, in the Download SmartConsole Applications page,
click Download to download the SmartConsole. When prompted,
click Run.
The Check Point Installation Wizard opens.

Installing Check Point SmartConsole


To install the Check Point SmartConsole on the GUI client:
1. Click Next to proceed with the Check Point Installation Wizard.
2. Follow the on-screen instructions to download the SmartConsole.
3. Wait while the software is installed.
4. Click Next to proceed from the Download SmartConsole
Applications page.

Completing the First Time Configuration


To complete the Connectra First Time configuration:
1. Click Finish to complete the First Time Configuration Wizard.
When prompted, click Yes to start the configuration process.
Wait for the Connectra configuration to be complete. A dialog
box opens stating that the Connectra initial device configuration
process is complete.
2. Click OK. The Device Status page opens, displaying information
about your device.
3. Click Close to exit the WebUI.
4. If you downloaded SmartConsole Applications, dialog boxes may
open telling you that SmartConsole is installing. Follow the
on-screen instructions to continue.


Step 6: Logging In for the First Time


The Login Process
For centrally managed Connectra, administrators connect to the
SmartCenter server through SmartDashboard using the same process
as SmartConsole clients. The administrator and the SmartCenter server
are authenticated first (to create a secure channel of communication),
and then the selected SmartConsole starts.
After the first login, the administrator can create a certificate for
subsequent logins.
For locally managed Connectra, connect directly to the Connectra
gateway.

Note - The first time that you start the SmartDashboard, you
may be prompted to download the SmartConsole Plug-in
pack. The file is approximately 70 MB in size, so we
advise that you connect for the first time from the LAN or via
a high-speed connection. You can also download
SmartDashboard from the Administrative WebUI or from the
First Time Wizard.

Authenticating the Administrator


To authenticate the administrator:
1. Open SmartDashboard by selecting Start > Programs > Check
Point SmartConsole NGX R65 > SmartDashboard.
2. Log in using the User Name and Password defined in the
Configuration Tools Administrators page during SmartCenter
server installation.
3. Specify the name or IP address of the target SmartCenter server
and click OK.


4. Manually authenticate the SmartCenter server using the
Fingerprint provided during the configuration process. You can
see this Fingerprint by connecting to your SmartCenter via SSH
and clicking on Product Configuration > Certificate Authority. When
you have confirmed that the two fingerprints match, click
Approve.

Note - This step is only necessary the first time you log in.
Once the SmartCenter server is authenticated, the Fingerprint
is saved in the SmartConsole machine's registry.

Starting the SmartDashboard


To start SmartDashboard:
1. A dialog box may indicate that the SmartConsole has detected a
new Plug-in installed on the Management Server. Click Update to
update the SmartConsole.
2. Follow the on-screen prompts until the SmartDashboard opens.
Figure 4-8 shows SmartDashboard with locally managed
Connectra. Figure 4-9 shows SmartDashboard with
centrally managed Connectra, including a tab for
Connectra.


Figure 4-8 SmartDashboard with Locally Managed Connectra


Figure 4-9 SmartDashboard with Centrally Managed Connectra

Step 7: Defining Connectra Objects (Centrally Managed Connectra)
If you are upgrading from a previous version of SmartCenter or
Provider-1/SiteManager-1, any Connectra objects or references
defined prior to upgrading the SmartCenter or the CMA become host
objects and must be redefined after the upgrade.


Define and configure the topology for each gateway, cluster member,
and Connectra cluster.

Defining a Connectra Gateway


To define a Connectra gateway:
1. In SmartDashboard, select the Connectra tab.
2. In the Connectra Gateways window, click New and select
Connectra Gateway.
The Connectra Properties window opens.
3. In the General Properties page, type the Name and IP Address of
the Connectra Gateway that you installed.
4. Click Communication.
The Communication dialog box opens.
5. In the Activation Key field, type the activation key that you set
during the Connectra initial configuration. Type it again in the
Confirm Activation Key field, then click Initialize.
6. Wait while trust is initialized. The words Trust established appear
in the Trust state field once trust is established. Click Close.
7. Make sure Connectra NGX R66 appears in the Version field and
click OK.

Configuring a Connectra Gateway's Topology


Each Cluster member should have at least one cluster interface and
one synchronization interface. For more information on configuring
topology for cluster members, see Cluster
Configuration Deployment Tips on page 69 or the Connectra
Gateway Clusters chapter of the Connectra Central Management
Administration Guide.


To configure the topology of a Connectra gateway:


1. In the Connectra Properties dialog box, select Topology in the
navigation tree.
The Topology page opens.
2. Click Get to automatically detect interfaces or Add to manually
add interfaces.
When defining topology, the Get Interfaces operation does not
return alias IP addresses for real interfaces. To add alias IP
addresses to the object topology, define them manually. After
manually adding alias IP addresses to the object topology, do
not perform the Get Interfaces operation, as this will erase all
manual changes to the object topology.
3. Click OK to return to the main Connectra window.

Defining a Connectra Cluster


After defining each individual Connectra gateway, you can define
Connectra Clusters. For more information on configuring topology for
cluster members, see Cluster Configuration Deployment Tips on
page 69 or the Connectra Gateway Clusters chapter of the Connectra
Central Management Administration Guide.
To define a Connectra cluster:
1. In SmartDashboard, select the Connectra tab.
2. In the Connectra Gateways window, click New and select
Connectra Cluster.
The Connectra Properties window opens.
3. In the General Properties page, type the Name and IP Address (the
virtual IP address of the Cluster interface) of the Connectra
Cluster that you are defining.
4. In the navigation tree, select Cluster Members.
5. In the Cluster Members pane, click Add to add each cluster
member.


The Cluster Member Properties page opens.


6. Enter each Cluster Member's Name and IP Address, with the
highest priority members at the top.
7. Click Communication.
The Communication dialog box opens.
8. In the Activation Key field, type the activation key that you set
during the Connectra initial configuration. Type it again in the
Confirm Activation Key field, then click Initialize. All cluster
members can have the same activation key.
9. Wait while trust is initialized. The words Trust established appear
in the Trust state field once trust is established. Click Close.
10. Make sure Connectra NGX R66 appears in the Version field and
click OK.

Configuring Topology for a Connectra Cluster


For information and instructions on configuring topology for a
Connectra Cluster, see the Connectra Cluster Topology Page section of
the Connectra Gateway Clusters chapter of the Connectra Central
Management Administration Guide.
For brief tips, see Cluster Configuration Deployment Tips on
page 69.


Post-Installation Procedures
Step 8: Connecting Connectra to the Network
Connecting a Standalone Connectra
Connect the Connectra network interface to the switch on which the
default gateway resides.

Connecting a Connectra Cluster


Refer to Figure 2-3, Connectra Clustering Topology Example, on
page 23.
When setting up a Connectra cluster, connect the cluster member
data interfaces via a switch.
The synchronization network carries the most sensitive data in the
organization. Keep it secure by connecting the synchronization
interfaces using a cross cable, or a dedicated switch.
Make sure that each network is configured on a separate VLAN,
switch or hub.

Step 9: Backing Up the Configuration


To connect to the WebUI and back up your system configuration:
1. From a Web browser, connect to the administration portal at
https://<IP address>:4433. The default IP address is
192.168.1.1.
2. For a cluster, set up all cluster members through the previous
steps, and then connect to the administration portal of the
primary member.
3. Log in using the administrator user name and password.


4. In the navigation pane, select Device > Backup.


5. On the Backup page, click Backup Now.
6. On the Backup to page, select where you want the backup file
sent. Click Apply.
7. When prompted, click Yes to continue.
8. Wait a few seconds and then click Refresh. You should see your
backup date and time in the Last successful backup field.
9. Click Close to exit the WebUI.
10. IMPORTANT: It is also recommended to create an image of
the system using the snapshot command (see Preserving the
Previous Connectra Configuration on page 79). To revert to the
saved snapshot image, use the revert command. See
Reverting to a Previous Version of Connectra on page 103.

Step 10: Configuring Access Control


Configure Access Control in Connectra using SmartDashboard.
Access management in Connectra is accomplished by defining users
and assigning them to groups, and defining applications and
associating them with the groups. In addition, Connectra associates
each application with a protection level, a security requirement that
the remote user must satisfy before being given access to the
application.
Access Control is configured in the following stages:
1. Define applications
2. Define users
3. Define user groups
4. Associate users with groups
5. Associate applications with groups
6. Install the Security Policy


These tasks are described in detail in the Connectra Central
Management Administration Guide and the Connectra Local
Management Administration Guide. The following sections provide some
useful background information.

Defining Applications
Defining applications means deciding which internal LAN
applications to expose to remote users. These typically include:
Web applications
File shares
Native applications
Citrix applications
Mail services

Setting Protection Levels for Applications


Connectra associates each application with a protection level. The
protection level is a security requirement that the remote user must
satisfy before being given access to the application. For example, the
user must be authenticated using a certificate.

Defining Users and Groups


Access to internal corporate applications is based on group
membership. To access a particular application, remote users must
belong to a group with the relevant authorization (as well as satisfy
the security requirements of the application). These groups can be
defined in Connectra's internal user database, or on LDAP or RADIUS
servers. The LDAP group can be a branch in a tree, or an LDAP group
that contains users from different branches.

Associating Applications With Groups


You must associate the applications with groups. This association
means authorizing certain user groups to use those applications.


Step 11: Performing a SmartDefense Update (Locally Managed Connectra)
SmartDefense updates add new defense mechanisms to the
SmartDefense console, and bring existing defense mechanisms
up-to-date.

Note - Perform a SmartDefense update immediately after
installing Connectra so that the networks accessible through
Connectra are fully protected.

To update SmartDefense:
1. In the SmartDefense tab, click Online Update.
The update begins and a dialog box notifies you that
SmartDefense is being updated from one version number to
another.
2. Click Continue to proceed with the update.
3. Enter your User Center username and password.
The available new updates are displayed.
4. Click Download Updates.
You are informed that the SmartDefense content was updated
successfully.
5. Select Policy > Install Policy to apply the updates.

Step 12: Checking Your Setup


1. After installing the Security Policy, browse to the User portal
and log in using the credentials of the defined user. The user
portal is at https://<IP address>.
2. Verify that you can access the defined application.


Installing the NGX R66 Plug-in


The Connectra NGX R66 Plug-in adds Connectra central management
capabilities to an NGX R65 SmartCenter server or
Provider-1/SiteManager-1. If you are working in a High Availability
environment, install the Plug-in on each member.
Install the R66 Plug-in as part of the following procedures:
Installation and Initial Configuration Procedures: Step 2:
Preparing for Centrally Managed Connectra on page 39
Upgrading to Centrally Managed R66 from R61/R62: Setting
Up the SmartCenter on page 84
Upgrading to Centrally Managed R66 from R62CM: Setting
Up the SmartCenter and Installing the R66 Plug-in on page 91
Upgrading a Connectra Cluster to R66 on page 98
The procedure for installing the R66 Plug-in varies slightly for each
platform, but the overall workflow is the same.

Installing the Plug-in on a SmartCenter


The Plug-in for R66 can be installed on a SmartCenter, on the
SecurePlatform, Windows, Linux, or Solaris platforms.

In This Section

Installing the Plug-in on a SecurePlatform SmartCenter
Installing the Plug-in on a Windows SmartCenter
Installing the Plug-in on a Linux or Solaris SmartCenter


Installing the Plug-in on a SecurePlatform SmartCenter
To install the Plug-in on a SmartCenter on SecurePlatform:
1. Install SmartCenter server NGX R65.
2. Log in to expert mode by running expert and entering your
password.
3. Install the Connectra Plug-in package:
a. Insert CD2 into the SmartCenter Server machine.
b. Mount the CD by running:
mount /dev/cdrom
c. Go to the CD directory by running:
cd /mnt/cdrom
d. Run:
./UnixInstallScript -splat
4. Reboot the machine.

Installing the Plug-in on a Windows SmartCenter
To install the Plug-in on SmartCenter on the Windows platform:
1. Install SmartCenter server NGX R65.
2. Install the Connectra Plug-in package:
a. Insert CD2 into the SmartCenter Server machine.
b. From the root of the CD, run:
Setup.bat
c. Follow the instructions in the wizard.
3. Reboot the machine.


Installing the Plug-in on a Linux or Solaris SmartCenter
To install the Plug-in on a SmartCenter on either Linux or
SecurePlatform:
1. Install SmartCenter server NGX R65.
2. Log in to expert mode by running expert and entering your
password.
3. Install the Connectra Plug-in package:
a. Insert CD2 into the SmartCenter Server machine.
b. Mount the CD by running:
mount /dev/cdrom
c. Go to the CD directory by running:
cd /mnt/cdrom
d. Run:
./UnixInstallScript

4. Reboot the machine.

Installing the Plug-in on Provider-1/SiteManager-1
The Plug-in for R66 can be installed on Provider-1/SiteManager-1, on
the SecurePlatform, Linux, or Solaris platforms.

In This Section

Installing the Plug-in on SecurePlatform Provider-1 page 65


Installing the Plug-in on Linux or Solaris Provider-1 page 65
Activating the Connectra Plug-in on the CMA page 66


Installing the Plug-in on SecurePlatform Provider-1

To install the Plug-in on Provider-1 on SecurePlatform:
1. Install NGX R65 on the Provider-1/SiteManager-1 Multi Domain
   Server.
2. Install the Connectra Plug-in package on the Multi-Domain
   Server:
   a. Insert CD2 into the Provider-1/SiteManager-1 Multi Domain
      Server machine.
   b. Mount the CD by running:
      mount /dev/cdrom
   c. Go to the CD directory by running:
      cd /mnt/cdrom
   d. Run:
      ./UnixInstallScript -splat
3. Reboot the machine.
4. For each CMA on which you want to manage Connectra
   gateways, you need to activate the Plug-in. See Activating the
   Connectra Plug-in on the CMA on page 66.

Installing the Plug-in on Linux or Solaris Provider-1

To install the Plug-in on Provider-1 on Linux:
1. Install Provider-1/SiteManager-1 Multi Domain Server NGX R65.
2. Install the Connectra Plug-in package on the Multi-Domain
   Server:
   a. Insert CD2 into the Provider-1/SiteManager-1 Multi Domain
      Server machine.
   b. Run from the root of the CD:
      ./UnixInstallScript
3. Reboot the machine.
4. For each CMA on which you want to manage Connectra
   gateways, you need to activate the Plug-in. See Activating the
   Connectra Plug-in on the CMA on page 66.

Activating the Connectra Plug-in on the CMA


To activate the Connectra Plug-in, use one of the following
procedures:


- Create a customer with a Plug-in. In the Add Customer Wizard, in
  the Management Plug-ins page, activate the Plug-in.
- In the MDG Customer Contents page, either right-click a customer
  and select Configure Customer, or double-click the customer, go
  to the Plug-ins tab, and select the Connectra Plug-in.
- From the MDG's Management Plug-ins View, activate the Plug-in
  in one of the following ways:
  - Right-click a customer and select Activate Plug-in on
    Customers.
  - Right-click the PIConR66 and select Activate this Plug-in.
  - Select Activate Plug-in on Customers from the Plug-in menu.
  - Click the Plug-in icon on the toolbar.

Uninstalling Connectra Plug-ins


While Connectra R66 cannot be uninstalled from the Connectra
gateway machine, you can uninstall the central management
capabilities. To do this, you must uninstall both the R62CM Plug-in
(where relevant) and the R66 Plug-in for Central Management. See
Uninstalling Connectra Plug-ins on page 105.


Cluster Configuration Deployment Tips

This section includes information that will help you understand the
process of configuring a Connectra gateway cluster, in order to make
it a successful and trouble-free process.
The Connectra Central Management Administration Guide includes full
details of setting up a Connectra cluster. It is strongly recommended
that you read the relevant guide before setting up your Connectra
cluster.
- Install and configure the Connectra gateway cluster members, as
  described in Installation and Configuration Workflow on
  page 37.

Licensing
- Ensure all cluster members are licensed for the same number of
  users. They do not necessarily have to have identical licenses.
- Connectra cluster members must run the same software version.

Cluster and Cluster Member Interfaces
- Communication into the organization for users is done using the
  virtual IP address of the Cluster Interface, and not the member
  IP addresses.
- To change the configuration of a cluster member, connect to it
  directly using the IP address of the cluster member, and not to
  the virtual IP address of the Cluster Interface.

Interface Configuration
- The synchronization interfaces of the cluster members reside on
  the SAME subnet.
- The data interfaces of the cluster members must reside on the
  SAME subnet, DIFFERENT from the synchronization subnet.
- Use different interfaces for the data and synchronization
  networks. The recommended setting is to use eth0 for data and
  eth1 for synchronization.

Physical Connectivity
- Synchronization in a two-member cluster can be done using a
  cross-cable between the two members. A cluster with more than
  two members requires a switch/hub for synchronization.

Configuration
- Cluster member clocks must be synchronized. Use an NTP
  server or manually synchronize the clocks.
- Connectra clients access Connectra via two IP address/port
  combinations: one for the Connectra portal and another for SSL
  Network Extender. If you wish to use the same IP address for
  both, configure the portal to listen on port 443 and SSL
  Network Extender to listen on port 444.

Administration
- Cluster members become active after the Security Policy is
  installed.
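
The interface, subnet and port rules in these tips can be checked against a written plan before any cluster member is configured. The script below is an added example, not part of the guide; the plan format, function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): check a planned Connectra cluster layout
# against the deployment tips. Plan format, constructed for this example:
#   member <name> <data_if> <data_ip/prefix> <sync_if> <sync_ip/prefix>
#   portal <ip> <port>
#   snx    <ip> <port>

# Constructed sample plan (documentation and private address ranges).
sample_plan() {
    cat <<'EOF'
member gwA eth0 192.0.2.11/24 eth1 10.10.10.1/24
member gwB eth0 192.0.2.12/24 eth1 10.10.10.2/24
portal 192.0.2.10 443
snx    192.0.2.10 444
EOF
}

# A.B.C.D -> integer. Runs in a subshell so the IFS change does not leak.
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# IP/PREFIX -> NETWORK/PREFIX in dotted form.
network_of() {
    addr=$(ip4_to_int "${1%/*}"); bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    net=$(( addr & mask ))
    echo "$(( net >> 24 & 255 )).$(( net >> 16 & 255 )).$(( net >> 8 & 255 )).$(( net & 255 ))/$bits"
}

problems=0
report() { echo "$*"; problems=$((problems + 1)); }

# Reads a plan on stdin, prints one line per problem, returns 1 if any.
check_cluster_plan() {
    problems=0; data_net=; sync_net=; portal=; snx=
    while read -r kind f1 f2 f3 f4 f5; do
        case $kind in
        member)
            dn=$(network_of "$f3"); sn=$(network_of "$f5")
            # The first member defines the expected data and sync subnets.
            if [ -z "$data_net" ]; then data_net=$dn; sync_net=$sn; fi
            if [ "$f2" = "$f4" ]; then report "$f1: data and sync both use $f2"; fi
            if [ "$dn" != "$data_net" ]; then report "$f1: data subnet $dn, expected $data_net"; fi
            if [ "$sn" != "$sync_net" ]; then report "$f1: sync subnet $sn, expected $sync_net"; fi
            if [ "$dn" = "$sn" ]; then report "$f1: data and sync share subnet $dn"; fi
            ;;
        portal) portal="$f1:$f2" ;;
        snx)    snx="$f1:$f2" ;;
        esac
    done
    # Portal and SSL Network Extender need distinct IP/port combinations.
    if [ -n "$portal" ] && [ "$portal" = "$snx" ]; then
        report "portal and SSL Network Extender both listen on $portal"
    fi
    [ "$problems" -eq 0 ]
}

# Usage: script demo | script check <plan-file>
case "${1:-}" in
    demo)  sample_plan | check_cluster_plan && echo "plan OK" ;;
    check) check_cluster_plan < "$2" && echo "plan OK" ;;
esac
```

Clock synchronization and software version equality are not covered by this check and still have to be verified on the members themselves.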


SSL Acceleration Card Installation


A hardware-based SSL acceleration card is available to improve the
SSL performance of the Connectra gateway. The card speeds up the
SSL/TLS public key exchange, and reduces CPU utilization by
redirecting CPU-intensive calculations to dedicated hardware.
The acceleration card is pre-installed on Connectra 6000. Otherwise
it must be purchased and installed separately.

Installing the Card


For details on how to install the acceleration card, see the
documentation supplied with the card.

Enabling the Card


To enable the card on Connectra:
1. From the console, run:
   cvpnstop
2. Run:
   hw_acceleration start
3. Run:
   cvpnstart

Disabling the Card


To disable the card:
1. From the console, run:
   cvpnstop
2. Run:
   hw_acceleration stop
3. Run:
   cvpnstart

SSL Acceleration Card Command Syntax


The following table lists the SSL Acceleration Card commands. The
card must be activated before running the diag and stat
parameters.

Syntax
hw_acceleration { start | stop | diag | stat }

Table 4-2 SSL Acceleration Card Commands

Parameter | Meaning
start | Enable the card
stop | Disable the card
diag | Check if the card is installed and working properly
stat | Get statistics of card activity


Further Information
For further instructions on configuring the Connectra gateway or a
Connectra ClusterXL Load Sharing or High Availability cluster, refer to
the Connectra Administration Guide appropriate for your configuration,
or to the online help.


Chapter 5
Upgrading Connectra
In This Chapter

Upgrade Procedure Quick Reference page 76
Preparing for the Upgrade to R66 page 78
Upgrading to Locally Managed R66 from R61/R62 page 81
Upgrading to Centrally Managed R66 from R61/R62 page 84
Upgrading to Centrally Managed R66 from R62CM page 91
Upgrading a Connectra Cluster to R66 page 98
Advanced Upgrade to R66 from R62 page 99


Upgrade Procedure Quick Reference


Table 5-1 indicates where in this chapter to find the procedures you
need, and which CD you should use.

Table 5-1 Upgrade Procedure Quick Reference

Upgrade From | Upgrade To | Link to Procedure | Required CD(s)
R61/R62 | Locally managed R66 | Upgrade on the same machine: Upgrading to Locally Managed R66 from R61/R62 on page 81, or upgrade across different machines: Advanced Upgrade to Locally Managed R66 on page 99 | 1. R66
R62CM | Centrally managed R66 | Upgrading to Centrally Managed R66 from R62CM on page 91 | 1. R66; 2. R66 SmartCenter Plug-in
R61/R62 | Centrally managed R66 | Upgrading to Centrally Managed R66 from R61/R62 on page 84 | 1. R66; 2. R66 SmartCenter Plug-in
Connectra Cluster on R61/R62/R62CM | Connectra Cluster on R66 | Upgrading to Centrally Managed R66 from R62CM on page 91 | 1. R66; 2. R66 SmartCenter Plug-in

Table 5-2 lists the upgrade scenarios that are not supported by
Connectra NGX R66 and indicates the alternative upgrade paths.


Table 5-2 Upgrade Scenarios Not Supported with Connectra NGX R66

Upgrade From | Upgrade To | Alternative Path | See
Version older than R61 | R66 | First upgrade to Connectra NGX R61. | Connectra NGX R61 Getting Started Guide
R61 or R62 with Clusters | Locally managed R66 with Clusters | Upgrade to centrally managed R66 with Clusters. To do this, you must first fully upgrade to Connectra NGX R62CM. | Connectra NGX R62CM Getting Started Guide; Upgrading a Connectra Cluster to R66 on page 98
R61/62 | Centrally managed R66 | First fully upgrade to Connectra NGX R62CM, then upgrade to centrally managed R66. | Connectra NGX R62CM Getting Started Guide; Upgrading to Centrally Managed R66 from R61/R62 on page 84
R62CM | Advanced upgrade to centrally managed R66 | Perform an upgrade on the same machine instead of across different machines. | Upgrading to Centrally Managed R66 from R62CM on page 91
R61/62/62CM | R66 locally or centrally managed using the WebUI | Use the instructions provided in this Getting Started Guide for an alternative scenario. | Upgrade Procedure Quick Reference on page 76


Preparing for the Upgrade to R66


In This Section

Preserving Manual Changes on the Connectra Gateway page 78
Preserving the Previous Connectra Configuration page 79

Preserving Manual Changes on the Connectra Gateway

The upgrade process retains all configuration settings and end-user
settings from the previous installation that were made via the
Connectra administration portal or SmartDashboard. Nonetheless,
certain manually configured changes are not preserved following the
upgrade, and so must be saved before the upgrade, and manually
restored after the upgrade.
During the lifetime of a Connectra installation, several configuration
changes may be manually applied using the SSH command shell.
Such changes may include:
- Changes to Connectra configuration files (*.conf files) made to
  configure the Apache Web server or for debugging purposes.
- Replacement of Connectra binary files or libraries (Support
  Hotfixes).
- Changes to Connectra scripts (such as File Share
  implementation, certificate creation, and cvpnstop/cvpnstart).
To preserve manually configured changes made before the upgrade,
back up the following files on the Connectra gateway:
- $CVPNDIR/conf/*
- $CVPNDIR/var/*
- $CVPNDIR/htdocs/Mail/data
- $CVPNDIR/htdocs/Mail/attachments
- $WEBISDIR/conf/*


Preserving the Previous Connectra Configuration

Note - The NGX R66 package cannot be uninstalled. To make
it possible to revert to a previous version, create a snapshot
image before installing the package. You can then use the
revert command to revert to the previous Connectra version.
See Reverting to a Previous Version of Connectra on
page 103.

Creating a Snapshot Image


Before upgrading to a new version, it is recommended that you create
an image of the entire system using the snapshot tool, either locally
or on a TFTP or SCP server. This feature greatly reduces the risks of
configuration changes.
With a snapshot image you can restore the installation to the state
before the upgrade, using the revert command. At boot time you are
given the option of booting from any of the available snapshots.
Running the snapshot command without any additional flags uses
default backup settings and creates a local snapshot.
Create a Snapshot image via the Command line.

Snapshot Command Syntax


snapshot [-h] [-d]
         [[--tftp <ServerIP> <Filename>]
         |[--scp <ServerIP> <Username> <Password> <Filename>]
         |[--file <Filename>]]


Table 5-3 Snapshot command parameters

Parameter | Meaning
-h | Obtain usage.
-d | Generate debug information.
--tftp <ServerIP> <Filename> | IP address of the TFTP server from which the snapshot is made, as well as the snapshot's filename.
--scp <ServerIP> <Username> <Password> <Filename> | IP address of SCP server from which the snapshot is made, the username and password used to access the SCP Server, and the filename of the snapshot.
--file <Filename> | When the snapshot is made locally, specify a filename.


Upgrading to Locally Managed R66 from R61/R62

In This Section

Upgrading to Locally Managed R66 via the Command Line page 81
Completing the Upgrade by Merging Manual Changes page 83

Note - You must upgrade to locally managed R66 using the
command line. Upgrades are not supported by the WebUI.

Upgrading to Locally Managed R66 via the Command Line

Before upgrading, follow the procedures in Preserving Manual
Changes on the Connectra Gateway on page 78.
Upgrading to Connectra NGX R66 involves installing a package file.
To upgrade from Version NGX R61 or R62 to NGX R66 via the
command line:
1. Insert CD1 into the CDROM drive of the Connectra machine and
   mount the CD by typing:
   mount /dev/cdrom
2. To enter the cpshell (this is only necessary if the shell has been
   manually changed from the default), type:
   cpshell
3. Type:
   patch add cd
4. When prompted with "Choose a patch to install", type 1 to choose
   the Connectra NGX R66 Upgrade Package.
5. When prompted, type Y to confirm the MD5 checksum that
   appears on the screen.
6. You are prompted to select a management option. Note that this
   step determines whether you upgrade to locally or centrally
   managed Connectra R66. Type 1 to choose Locally managed.
7. When prompted, type a new Administrator name and Password.
8. Type W and then Y to give the new administrator read/write
   access and permission to manage other administrators.
9. You are prompted to create a backup image for automatic revert.
   This snapshot captures a current picture of your operating
   system and Connectra configuration. Type Y to create a snapshot
   that you can revert to if necessary.

   Note - The upgrade to R66 is not reversible and replaces your
   entire operating system. We highly recommend creating a
   snapshot at this time to preserve your current settings. See
   Reverting to a Previous Version of Connectra on page 103 for
   instructions on how to revert to a snapshot image if
   necessary.
10. Wait while the operating system upgrades. This takes
    approximately ten minutes.
11. When prompted that the upgrade has finished successfully,
    remove the CD from the CDROM drive.
12. Reboot your system to complete the upgrade.


Completing the Upgrade by Merging Manual Changes

If you made configuration changes by manually editing configuration
files before the upgrade:
1. Verify that the functionality of the manual change works properly
after the upgrade.
2. If necessary, merge the changes back to the same locations in
the upgraded installation.


Upgrading to Centrally Managed R66 from R61/R62

In This Section

Preserving Manual Changes and Previous Configuration page 84
Setting Up the SmartCenter page 84
Upgrading the Connectra Gateway via Command Line page 87
Upgrading the Connectra Gateway via SmartUpdate page 89
Setting Up SIC Trust page 90
Completing the Upgrade by Merging Manual Changes page 90

Note - You must upgrade to centrally managed R66 using the
command line or SmartUpdate. Upgrades are not supported
by the WebUI.

Preserving Manual Changes and Previous Configuration

Follow all the procedures in Preserving Manual Changes on the
Connectra Gateway on page 78.

Setting Up the SmartCenter


Upgrading to R62CM and Importing Previous Configuration

The SmartCenter must have the Connectra R62CM Plug-in installed
and be fully upgraded to R62CM before you install the R66 Plug-in
for Central Management. This includes using Connectra's
Configuration Import Utility to import your R61/62 management
configuration to the SmartCenter. For instructions on upgrading to
R62CM from R61 or R62, see the Connectra R62CM Getting Started
Guide. The R62CM Plug-in and Compatibility Package can be
downloaded from the Check Point Download Center or found on the
NGX R66 CD2 under /Utilities/R62CM/.

Note - We recommend creating a database revision before
installing the Connectra NGX R66 Plug-in. See the Check
Point R65 SmartCenter Administration Guide for more
information.

To install the R66 Plug-in on the R65 SmartCenter or
Provider-1/SiteManager-1 CMA:
1. Install or upgrade the SmartCenter server or
   Provider-1/SiteManager-1 CMA to version NGX R65.
2. For a new installation of SmartCenter, install SmartDashboard
   on a SmartConsole client. For a new installation of
   Provider-1/SiteManager-1, install the Multi Domain GUI (MDG).
   If upgrading, the SmartDashboard or MDG will automatically
   update during the first connection to a SmartCenter with the
   Plug-in installed.
3. Install the R62CM Plug-in and Compatibility Package found on
   NGX R66 CD2 under /Utilities/R62CM/. Follow the
   instructions for upgrading to R62CM in the Connectra R62CM
   Getting Started Guide.
4. Import your R61/62 management configuration to the
   SmartCenter using R62CM's Connectra Configuration Import
   Utility. Follow the instructions in the Connectra R62CM Getting
   Started Guide.
5. Reboot SmartCenter or Provider-1/SiteManager-1.


Installing the R66 Plug-in

1. Install the R66 Plug-in on version R65 of the SmartCenter
   server or Provider-1/SiteManager-1 Multi Domain Server. See
   Installing the NGX R66 Plug-in on page 62.
2. Reboot SmartCenter or Provider-1/SiteManager-1.
3. After the reboot, open SmartDashboard. SmartDashboard may
   update itself; it then displays an additional tab for Connectra.

   Figure 5-1 Smart Dashboard with Centrally Managed Connectra

4. In SmartDashboard, switch to the Connectra tab.
5. If Connectra objects were already defined prior to upgrading
   SmartCenter or the CMA:
   After the upgrade of SmartCenter or the CMA, Connectra objects
   and references in SmartDashboard become host objects and
   must be redefined.
6. Define the Connectra objects. (Do not set up Secure Internal
   Communication (SIC) at this point):
   a. Create the Connectra gateway or gateway cluster object.
   b. For a Connectra gateway cluster, define cluster members.
      If there is SIC trust with the cluster members, reset SIC.
   c. Define the topology. When defining topology, the Get
      Interfaces operation does not return alias IP addresses for
      real interfaces. To add alias IPs to the object topology,
      define them manually. After manually adding alias IP
      addresses to the object topology, do not perform the Get
      Interfaces operation, as this will erase all manual changes
      to the object topology.
      When defining topology for a Connectra cluster, it is very
      important that the topology is complete. Make sure you
      have selected at least one cluster interface and one
      synchronization interface, and that each cluster member
      has its interfaces defined.

Upgrading the Connectra Gateway via Command Line

Upgrading to Connectra NGX R66 involves installing a package file on
the Connectra gateway machine. Perform this update using the
command line or SmartUpdate.
To upgrade an existing Connectra NGX R61, R62, or R62CM gateway
to NGX R66 via the command line:
1. Prepare the SmartCenter and R66 Plug-in as described in
   Setting Up the SmartCenter on page 84.
2. Insert CD1 into the CDROM drive of the Connectra machine and
   mount the CD by typing:
   mount /dev/cdrom
3. To enter the cpshell (this is only necessary if the shell has been
   manually changed from the default), type:
   cpshell
4. Type:
   patch add cd
5. When prompted with "Choose a patch to install", type 1 to choose
   the Connectra NGX R66 Upgrade Package.
6. When prompted, type Y to confirm the MD5 checksum that
   appears on the screen.
7. You are prompted to select a management option. Note that this
   step determines whether you upgrade to locally or centrally
   managed Connectra R66. Type 2 to choose Centrally managed.
8. Type Y to confirm the upgrade.
9. You are prompted to create a backup image for automatic revert.
   This snapshot captures a current picture of your operating
   system and Connectra configuration. Type Y to create a snapshot
   that you can revert to if necessary.

   Note - The upgrade to R66 is not reversible and replaces your
   entire operating system. We highly recommend creating a
   snapshot at this time to preserve your current settings. See
   Reverting to a Previous Version of Connectra on page 103 for
   instructions on how to revert to a snapshot image if
   necessary.
10. Enter and re-enter a SIC shared secret that you will confirm later
    when logging in to the SmartDashboard.
11. Wait while the operating system upgrades. This takes
    approximately ten minutes.
12. When prompted that the upgrade has finished successfully,
    remove the CD from the CDROM drive.
13. Reboot your system.

Upgrading the Connectra Gateway via SmartUpdate

Upgrading to Connectra NGX R66 involves installing a package file on
the Connectra gateway machine. Perform this update using the
command line or SmartUpdate.
To upgrade an existing Connectra NGX R61, R62, or R62CM gateway
to NGX R66 via SmartUpdate:
1. Prepare the SmartCenter and R66 Plug-in as described in
Setting Up the SmartCenter on page 84.
2. Insert CD1 into the CDROM Drive of your Connectra machine.
3. From the SmartDashboard, click Window > SmartUpdate.
4. Add the package for Connectra NGX R66 to the SmartUpdate
Repository by clicking Packages > Add > From CD.
5. Type your User Center username and password.
6. Select the package for Connectra NGX R66.
7. Click OK.
8. Install the Connectra NGX R66 package. Right-click the target
Connectra gateway object and select Upgrade all to upgrade all
gateways at once.
9. If you made manual configuration changes, continue with
Completing the Upgrade by Merging Manual Changes.


Setting Up SIC Trust


You must set up a SIC connection between Connectra and the
SmartCenter in order for them to communicate.
To set up SIC between the Connectra gateway and the SmartCenter:
1. Connect to the Connectra gateway in one of the following ways:
   - Via the Web GUI: Open a Web browser on a machine that
     has network connectivity to the Connectra, and browse to
     https://<machine_IP>:4433.
   - From the command line: Open an SSH connection to
     Connectra, or connect to it via a console.
2. Reset SIC (if there was a prior SIC trust) and enter a shared
   secret. Do this in either of the following ways:
   - Via the Web GUI, go to Product Configuration > SIC, enter
     the Activation Key and click Initialize.
   - From the command line, run cpconfig. Type 6 to select
     Secure Internal Communication.
3. Complete the SIC trust establishment. Open the Connectra
   gateway or gateway cluster object in SmartDashboard. In the
   General Properties page, in the Communication window, enter the
   same one-time password supplied on the gateway side.

Completing the Upgrade by Merging Manual Changes

If you made configuration changes by manually editing configuration
files before the upgrade:
1. Verify that the functionality of the manual change works properly
after the upgrade.
2. If necessary, merge the changes back to the same locations in
the upgraded installation.


Upgrading to Centrally Managed R66 from R62CM

In This Section

Preserving Manual Changes and Previous Configuration page 84
Setting Up the SmartCenter page 84
Upgrading the Connectra Gateway via Command Line page 87
Upgrading the Connectra Gateway via SmartUpdate page 89
Setting Up SIC Trust page 90
Completing the Upgrade by Merging Manual Changes page 90

Note - You must upgrade to centrally managed R66 using the
command line or SmartUpdate. Upgrades are not supported
by the WebUI.

Preserving Manual Changes and the Previous Configuration

Follow all the procedures in Preserving Manual Changes on the
Connectra Gateway on page 78.

Setting Up the SmartCenter and Installing the R66 Plug-in

Important: The SmartCenter should have the Connectra R62CM
Plug-in installed and be fully upgraded to R62CM before installing
the R66 Plug-in for Central Management. This includes using
Connectra's Configuration Import Utility to import your management
configuration to the SmartCenter. For instructions on upgrading to
R62CM from R61 or R62, see the Connectra R62CM Getting Started
Guide. The R62CM Plug-in and Compatibility Package can be
downloaded from the Check Point Download Center or found on the
NGX R66 CD2 under /Utilities/R62CM/.

Note - We recommend creating a database revision before
installing the Connectra NGX R66 Plug-in. See the Check
Point R65 SmartCenter Administration Guide for more
information.

To install the R66 Plug-in on the R66 SmartCenter or
Provider-1/SiteManager-1 CMA:
1. Install or upgrade the SmartCenter server or
   Provider-1/SiteManager-1 CMA to version NGX R65.
2. For a new installation of SmartCenter, install SmartDashboard
   on a SmartConsole client. For a new installation of
   Provider-1/SiteManager-1, install the Multi Domain GUI (MDG).
   If upgrading, the SmartDashboard or MDG will automatically
   update in order to manage Connectra.
3. Install the R66 Plug-in on version R65 of the SmartCenter
   server or Provider-1/SiteManager-1 Multi Domain Server. See
   Installing the NGX R66 Plug-in on page 62.

   Note - If your SmartCenter is not already upgraded to R62CM,
   you must upgrade it before upgrading to centrally managed
   R66. See important above.
4. Reboot SmartCenter or Provider-1/SiteManager-1.
5. After the reboot, open SmartDashboard. SmartDashboard
   displays an additional tab for Connectra.


Figure 5-2 Smart Dashboard with Centrally Managed Connectra

6. In SmartDashboard, switch to the Connectra tab.
7. If Connectra objects were already defined prior to upgrading
   SmartCenter or the CMA:
   After the upgrade of SmartCenter or the CMA, Connectra objects
   and references in SmartDashboard become host objects and
   must be redefined.
8. Define the Connectra objects. (Do not set up Secure Internal
   Communication (SIC) at this point):
   a. Create the Connectra gateway or gateway cluster object.
   b. For a Connectra gateway cluster, define cluster members.
      If there is SIC trust with the cluster members, reset SIC.
   c. Define the topology. When defining topology, the Get
      Interfaces operation does not return alias IP addresses for
      real interfaces. To add alias IP addresses to the object
      topology, define them manually. After manually adding
      alias IPs to the object topology, do not perform the Get
      Interfaces operation, as this will erase all manual changes
      to the object topology.
      When defining topology for a Connectra cluster, it is very
      important that the topology is complete. Make sure you
      have selected at least one cluster interface and one
      synchronization interface, and that each cluster member
      has its interfaces defined.

Upgrading the Connectra Gateway Using the Command Line

Upgrading to Connectra NGX R66 involves installing a package file on
the Connectra gateway machine. Perform this update using the
command line or SmartUpdate.
To upgrade an existing Connectra NGX R61, R62, or R62CM gateway
to NGX R66 via the command line:
1. Prepare the SmartCenter and R66 Plug-in as described in
   Setting Up the SmartCenter on page 84.
2. Insert CD1 into the CDROM drive of the Connectra machine and
   mount the CD by typing:
   mount /dev/cdrom
3. To enter the cpshell (this is only necessary if the shell has been
   manually changed from the default), type:
   cpshell
4. Type:
   patch add cd
5. When prompted with "Choose a patch to install", type 1 to choose
   the Connectra NGX R66 Upgrade Package.
6. When prompted, type Y to confirm the MD5 checksum that
   appears on the screen.
7. When prompted, type Y to confirm that you want to perform the
   upgrade.
8. You are prompted to create a backup image for automatic revert.
   This snapshot captures a current picture of your operating
   system and Connectra configuration. Type Y to create a snapshot
   that you can revert to if necessary.

   Note - The upgrade to R66 is not reversible and replaces your
   entire operating system. We highly recommend creating a
   snapshot at this time to preserve your current settings. See
   Reverting to a Previous Version of Connectra on page 103 for
   instructions on how to revert to a snapshot image if
   necessary.
9. Enter and re-enter a SIC shared secret that you will confirm later
   when logging in to SmartDashboard.
10. Wait while the operating system upgrades. This will take
    approximately ten minutes.
11. When prompted that the upgrade has finished successfully,
    remove the CD from the CDROM drive.
12. Reboot your system.
13. Repeat the steps above on each gateway that must be updated.


Upgrading the Connectra Gateway Using


SmartUpdate
Upgrading to Connectra NGX R66 involves installing a package file on
the Connectra gateway machine. Perform this update using the
command line or SmartUpdate. Using SmartUpdate, you can upgrade
all Connectra gateways at once.
To upgrade an existing Connectra NGX R61, R62, or R62CM gateway
to NGX R66 via SmartUpdate:
1. Prepare the SmartCenter and R66 Plug-in as described in
Setting Up the SmartCenter on page 84.
1. From SmartDashboard, click Window > SmartUpdate.
2. Add the package for Connectra NGX R66 to the SmartUpdate
Repository by clicking Packages > Add > From CD.
3. Enter your User Center username and password.
4. Select the package for Connectra NGX R66.
5. Click Download.
6. Install the Connectra NGX R66 package. Right-click the target
Connectra gateway object and select Upgrade all to upgrade all
gateways at the same time.
7. If you made manual configuration changes, continue with
Completing the Upgrade by Merging Manual Changes.
8. The first time that you start the SmartDashboard, you are
prompted to download the SmartConsole Plug-in pack. The file
size is approximately 50 MB, so we advise attempting the
first connection from the LAN or via a high-speed connection.

Setting Up SIC Trust


You must set up a SIC connection between Connectra and the
SmartCenter in order for them to communicate.

To set up SIC between the Connectra gateway and the SmartCenter:


1. Connect to the Connectra gateway in one of the following ways:
    Via the Web GUI: Open a Web browser on a machine that
    has network connectivity to the Connectra, and browse to
    https://<machine_IP>:4433.
    From the command line: Open an SSH connection to
    Connectra, or connect to it via a console.
2. Reset SIC (if there was a prior SIC trust) and enter a one-time
password. Do this in one of two ways:
    Via the Web GUI, go to Product Configuration > SIC, enter
    the Activation Key and click Initialize.
    From the command line, run cpconfig. Type 6 to select
    Secure Internal Communication.
3. Complete the SIC trust establishment. Open the Connectra
gateway or gateway cluster object in SmartDashboard. In the
General Properties page, in the Communication window, enter the
same one-time password supplied on the gateway side.

Completing the Upgrade by Merging Manual Changes

If you made configuration changes by manually editing configuration
files before the upgrade:
1. Verify that the functionality of the manual change works properly
after the upgrade.
2. If necessary, merge the changes back to the same locations in
the upgraded installation.

Upgrading a Connectra Cluster to R66


Connectra Clusters are only supported on centrally managed R66. If
you have R61 or R62 and wish to upgrade to centrally managed R66,
you must first upgrade the cluster member Connectra gateways and
the SmartCenter server to R62CM. For instructions on upgrading to
R62CM, see the Connectra R62CM Getting Started Guide. The R62CM
Plug-in and Compatibility Package can be downloaded from the Check
Point Download Center or found on the NGX R66 CD2 under
/Utilities/R62CM/
If you currently have locally supported clusters, see For Connectra
Cluster Users on page 112 for licensing information.
To upgrade a Connectra cluster from NGX R62CM to NGX R66:
1. Install the R66 Plug-in on the NGX R65 SmartCenter. See
Setting Up the SmartCenter on page 84.
2. Upgrade each Connectra gateway, as described in Upgrading to
Centrally Managed R66 from R62CM on page 91.
3. Define each cluster member in SmartDashboard. See Step 7:
Defining Connectra Objects (Centrally Managed Connectra) on
page 54 and Cluster Configuration Deployment Tips on
page 69.

Advanced Upgrade to R66 from R62


In This Section

Introduction to Advanced Upgrade
Advanced Upgrade to Locally Managed R66

Introduction to Advanced Upgrade


Perform an advanced upgrade from Connectra NGX R62 to Connectra
NGX R66 in order to:
    Migrate to a new Connectra server.
    Avoid risking the production server in case the upgrade fails.
The advanced upgrade procedure involves two machines. The first
machine is the working production machine. Connectra is installed
from scratch on the second machine and the configuration of the first
machine is imported to it.
Advanced upgrade is only supported when upgrading from locally
managed Connectra R62 to locally managed Connectra NGX R66.

Advanced Upgrade to Locally Managed R66

Preparing for Advanced Upgrade to Locally Managed R66

Prepare a new machine, to which the Connectra configuration will be
imported.
The following conditions must be met:
    IP addresses on the new and old machines must match.
    NIC configuration on new and old machines must match.


The following are not preserved in the upgrade. Be sure to track them
so you can re-apply them after Connectra is upgraded:
    Manual changes to Connectra configuration files. See
    Preserving Manual Changes on the Connectra Gateway on
    page 78.
    All settings in the Device menu of the administrator portal.
    The Internal Certificate Authority (ICA).

Advanced Upgrade Procedure to Locally Managed R66

To perform an advanced upgrade from Connectra NGX R62 to locally
managed NGX R66:
1. Insert CD1 into the original machine.
2. Type:
    mount /dev/cdrom

3. On the CD, browse to the location of the export utility. Locate
the upgrade_export tools in:
    /linux/Utilities/UpgradeTools/

4. Create an exportable configuration file by running the command:
    upgrade_export <path_and_filename_of_tgz>

where <path_and_filename_of_tgz> is the destination path
of the configuration (.tgz) file.
5. Wait while the database files are exported.
6. Install the new NGX R66 machine as per Installation and Initial
Configuration Procedures on page 39.
The new machine must have the same IP address as the old
machine. The IP address can be changed later.

7. Copy the exported .tgz file via FTP in binary mode to any
location on the new Connectra machine.
8. On the new Connectra machine, go to:
$FWDIR/bin/upgrade_tools

9. Run:
    upgrade_import -n <path_and_filename_of_tgz> <connectra_object_name>

where <path_and_filename_of_tgz> is the destination path of
the configuration (.tgz) file and <connectra_object_name> is the
name of your Connectra gateway.

Note - The configuration (.tgz) file contains your Connectra
configuration. It is recommended to back it up on a different
machine and delete it from the Connectra machine after
completing the import process.

10. Reboot.
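
Steps 7 to 9 move the exported archive over FTP, which does not protect it against modification or against an ASCII-mode transfer. The following is an added example, not part of the Check Point guide or tools: a shell script that records a SHA-256 digest on the old machine and checks it on the new machine before upgrade_import is run. The function names, the script name verify_export.sh and the availability of sha256sum or openssl, tar and shred on both machines are assumptions.

```shell
#!/bin/sh
# Added example, not Check Point code. Function names are hypothetical.
# Assumes sha256sum (or openssl), tar and optionally shred are installed.

# Print the SHA-256 digest of a file. Run on the OLD machine right after
# upgrade_export and carry the value to the new machine out of band.
archive_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Check a transferred archive on the NEW machine before upgrade_import.
# Returns 0 = matches and readable, 1 = digest mismatch (for example an
# ASCII-mode FTP transfer), 2 = file missing, 3 = not a readable .tgz.
verify_archive() {
    va_file=$1
    va_expected=$2
    [ -f "$va_file" ] || { echo "missing: $va_file" >&2; return 2; }
    va_actual=$(archive_digest "$va_file")
    if [ "$va_actual" != "$va_expected" ]; then
        echo "digest mismatch for $va_file" >&2
        return 1
    fi
    # A matching digest proves the copy is faithful; listing the archive
    # proves the export itself was complete when it was hashed.
    if ! tar -tzf "$va_file" >/dev/null 2>&1; then
        echo "not a readable .tgz: $va_file" >&2
        return 3
    fi
    return 0
}

# Remove the archive from the Connectra machine after the import, as the
# guide's note recommends. shred overwrites first where it is available.
remove_archive() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        rm -f "$1"
    fi
}

# Usage on the new machine: sh verify_export.sh <archive.tgz> <digest>
if [ "$#" -eq 2 ]; then
    verify_archive "$1" "$2" && echo "OK to run upgrade_import"
fi
```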

Completing the Advanced Upgrade to R66


If you made configuration changes by manually editing configuration
files before the upgrade:
1. Verify that the functionality of the manual change works properly
after the upgrade.
2. If necessary, merge the changes back to the same locations in
the upgraded installation.
Reapply all settings under the Device menu of the administrator portal
(including administrator settings and routing) from the old machine to
the new machine.
If there was a mismatch in the primary or secondary IP addresses of
the NICs between the two machines, you must reconfigure IP address
assignments for the Portal and SSL Network Extender.

To reconfigure IP address assignments for the Portal and SSL Network
Extender:
1. In SmartDashboard, select your Connectra Gateway and click
Edit.
2. Select Topology from the navigation tree in the Connectra
Properties page.
3. Click Portal Customization settings or VPN Clients settings and edit
the machine's interface.

Chapter 6
Reverting to a Previous Version of Connectra

In This Chapter

Reverting to a Snapshot
Uninstalling Connectra Plug-ins

Reverting to a Snapshot
Connectra NGX R66 cannot be uninstalled. To make it
possible to revert to a previous version, create a snapshot
image before installing. See Preserving the Previous
Connectra Configuration on page 79.
If the upgrade did not succeed, you can revert to a previous
installed state by rebooting the system from a snapshot file.
Running the revert command without any additional flags
uses default backup settings and reboots the system from a
local snapshot. The revert command functionality can also
be accessed from the Snapshot image management boot option.

Syntax
    revert [-h] [-d] [[--tftp <ServerIP> <Filename>] |
        [--scp <ServerIP> <Username> <Password> <Filename>] |
        [--file <Filename>]]

Table 6-1 Revert Command Parameters

Parameter                     Meaning
-h                            Obtain usage
-d                            Debug flag
--tftp <ServerIP> <Filename>  IP address and TFTP server from which
                              the snapshot is rebooted, as well as the
                              filename of the snapshot.
--scp <ServerIP> <Username>   IP address of SCP server from which the
  <Password> <Filename>       snapshot is rebooted, the username and
                              password used to access the SCP Server,
                              and the filename of the snapshot.
--file <Filename>             When the snapshot is created locally,
                              specify a filename.

Uninstalling Connectra Plug-ins


While the Connectra NGX R66 Gateway cannot be uninstalled, the
Plug-in for central management can be uninstalled. If you want to
uninstall Connectra NGX R66's central management capabilities, you
must uninstall both the R66 Plug-in for Central Management and the
R62CM Plug-in from your SmartCenter machines, Log Servers,
Eventia Reporter, and any remote objects on which the Plug-ins may
have been installed. In a High Availability environment, perform the
uninstallations on each member.

Uninstalling the R66 Plug-in for Central Management

Before Uninstalling the R66 Plug-in:
If you have the Connectra NGX R66 Plug-in installed on a
SmartCenter, Log Server, Eventia Reporter, or other remote objects,
and you want to uninstall the Plug-in from them, you must first do
the following:
1. Delete all Connectra objects from SmartDashboard.
2. Synchronize the remote servers' databases with the SmartCenter
by installing the Database on all remote objects that have the
Plug-in installed. In the SmartDashboard, select Policy > Install
Database for each remote object.

Note - If you do not install the Database, the Plug-in
uninstallation on these objects will fail, but it will succeed on
the SmartCenter. Therefore, you will not be able to install the
Database on the remote objects, nor will you be able to
remove the R66 Plug-in from the remote objects.

Uninstalling the R66 Plug-in


1. From the command line, run the pre-uninstall verifier as follows:
    In Linux, Solaris, or SecurePlatform:
    a. Run:
        cd /opt/CPPIconR66-R65/bin/
    b. Run:
        ./plugin_preuninstall_verifier
    c. Read the results. If it says you can remove the Plug-in,
    proceed to step 2.
    In Windows:
    a. From c:\Program Files\CheckPoint\PIconR66\R66\bin\ run:
        plugin_preuninstall_verifier.exe

2. Remove the R66 Plug-in:
    In Linux or SecurePlatform, run:
        rpm -e CPPIconR65-R66-00
    In Solaris, run:
        pkgrm
    then choose the package number corresponding to
    CPPIconR65-R66-00.
    In Windows, use Add/Remove Programs to remove the Check
    Point Connectra NGX R66 Plug-in.
3. Restart the system.

Removing the R66 Compatibility Package


Remove the Compatibility Package only after uninstalling the R66
Plug-in.
1. Remove the R66 Compatibility Package as follows:
    In Linux or SecurePlatform, run:
        rpm -e CPCON65CMP-R66-00
    In Solaris, run:
        pkgrm
    then choose the package number corresponding to
    CPCON65CMP-R66-00.
    In Windows, use Add/Remove Programs to remove the Check
    Point NGX R66 Connectra Compatibility Package.
2. Restart the system.

Uninstalling the Connectra NGX R62CM Plug-in

To remove the Connectra NGX R62CM Plug-in:
1. From the command line, run the pre-uninstall verifier as follows:
    In Linux, Solaris, or SecurePlatform:
    a. Run:
        cd /opt/CPPIconnectra-R65/bin/
    b. Run:
        ./plugin_preuninstall_verifier
    c. Read the results. If it says you can remove the Plug-in,
    proceed to step 2.

    In Windows:
    a. From c:\Program Files\CheckPoint\PIconnectra\R65\bin\ run:
        plugin_preuninstall_verifier.exe

2. Remove the R62CM Plug-in:
    In Linux or SecurePlatform, run:
        rpm -e CPPIconnectraR65-R65-00
    In Solaris, run:
        pkgrm
    then choose the package corresponding to
    CPPIconnectraR65-R65-00.
    In Windows, use Add/Remove Programs to remove the Check
    Point Connectra NGX R62A Plug-in. Also remove the Check
    Point Plug-in NGX R65_HF_284 if relevant.
3. Restart the system.

Removing the R62CM Compatibility Package


Remove the R62CM Compatibility Package only after uninstalling the
R62CM Plug-in.
1. Remove the R62CM Compatibility Package as follows:
    In Linux or SecurePlatform, run:
        rpm -e CPCON62CMP-R65-00
    In Solaris, run:
        pkgrm
    then choose the package corresponding to CPCON62CMP-R65.
    In Windows, use Add/Remove Programs to remove the Check
    Point NGX R62A Compatibility Package R65.

2. Restart the system.

Uninstalling Plug-ins in Provider-1


Before uninstalling the R66 or R62CM Plug-ins on Provider-1, you
must first deactivate the Plug-ins on all customers of the MDS from
which you want to remove a Plug-in.

Deactivating Plug-ins on the MDS


To deactivate Plug-ins on the MDS:
1. Go to Management Plug-ins in the selection bar of the MDG.
2. Double-click on a customer.
3. Go to the Plug-ins tab.
4. Select the plug-in to deactivate: PIconR66-R65 for Connectra
NGX R66 or PIconnectra for Connectra NGX R62CM.
5. Click Remove.
6. Click OK.
7. Follow the steps in Uninstalling the R66 Plug-in for Central
Management on page 105 or Uninstalling the R62CM Plug-in
in Provider-1 on page 109.

Uninstalling the R62CM Plug-in in Provider-1


To remove the Connectra Central Management Plug-in in Provider-1:
1. In the Provider-1 MDS, deactivate the Connectra Central
Management Plug-in (PIConnectra) on all customers.
2. On the command line, run:
    rm -f /opt/CPPIconnectra-R65/conf/PluginTableTypePairs.conf ;
    touch /opt/CPPIconnectra-R65/conf/PluginTableTypePairs.conf

3. Run the pre-uninstall verifier:
    /opt/CPPIconnectra-R65/bin/plugin_preuninstall_verifier
4. Remove the Connectra Central Management Plug-in:
    Use rpm -e CPPIconnectra-R65 on Linux and SecurePlatform
    Use pkgrm CPPIconnectra-R65 on Solaris
5. Run mdsstop/mdsstart.

Chapter 7
License Installation and User Assistance

In This Chapter

Installing Check Point Licenses
Where To Go From Here?

Installing Check Point Licenses


Check Point software is activated with a License Key. You can
obtain this License Key by registering the Certificate Key that
appears on the back of the software media pack, in the Check
Point User Center. Note that you may need multiple licenses
for different products included with Connectra NGX R66. The
Certificate Key is used to obtain a License Key for products
that you are evaluating.
To purchase the required Check Point products, contact your
reseller.

Note - Check Point software that has not yet been purchased
will work for a period of 15 days. You are required to go
through the User Center in order to register this software.

If you are upgrading from a Connectra appliance to Connectra
software, you will not automatically get a 15-day trial on the software.
We recommend purchasing a license with the software in advance.
Alternatively, you can remove all licenses and then you will
automatically get a 15-day trial period.
Connectra enforces the license installed on the gateway by counting
the number of concurrent sessions taking place on the portal. If the
limit has been reached, warning messages are sent to the log.
Check Point products are activated as follows:
1. Activate the Certificate Key shown on the back of the media
pack via Check Point User Center.
http://www.checkpoint.com/usercenter
The Certificate Key activation process consists of:
Adding the Certificate Key
Activating the products
Choosing the type of license
Entering the software details
2. Once you have a new License Key, you can install it on the
Connectra machine.
3. Select Settings > Device > Licenses.
4. Click New. You can either enter the license details individually,
or paste them directly from the clipboard.

For Connectra Cluster Users


Unlike previous versions of Connectra, in Connectra NGX R66,
clusters can only be managed centrally, from an R65 SmartCenter or
Provider-1 with the Connectra R66 Plug-in.

Customers who:
a. currently have a Connectra High Availability product, or are
buying a new such product, and
b. are under a valid service agreement
should find a new product and license named "SmartCenter for
Connectra Clusters" in their User Center account. If you are a
customer satisfying these two conditions but do not see this new
product in your User Center account, please contact Check Point's
account services.
This new license entitles customers to install a Check Point
SmartCenter R65 on a dedicated server and manage their Connectra
clusters from that server. For information on upgrading to centrally
managed Connectra R66, see Upgrading Connectra on page 75.

Where To Go From Here?


You have now learned the basics that you need to get started. The
next step is to obtain more detailed knowledge of your Check Point
products. For thorough information see the Connectra Central
Management Administration Guide, Version R66 or the Connectra Local
Management Administration Guide, Version R66.
Check Point documentation provides additional information and is
available in PDF format on the Check Point CD as well as on the
Technical Support download site at:
http://www.checkpoint.com/support/technical/documents.
See the Check Point Services website
http://www.checkpoint.com/techsupport/ or see the SecureKnowledge
self-service database of technical information at
http://support.checkpoint.com/.
