
30 April 2018

Getting Started Guide

CHECK POINT 61000 SECURITY SYSTEM

R75.40VS FOR 61000

Protected

© 2018 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our trademarks.

Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=20444

To learn more, visit the Check Point Support Center http://supportcenter.checkpoint.com.

For more about this release, see the R75.40VS for 61000 home page https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk89900.

Revision History

Date | Description
30 April 2018 | Updated: Installing the SGM with Snapshot Import (on page 55).
05 November 2017 | Updated: General updates.
23 January 2014 | Added: Health and Safety Information in French ("Informations relatives à la santé et à la sécurité" on page 9). Improved: Formatting and document layout. Added: SGM260 LEDs support information.
16 September 2013 | Added: After configuring a Security Gateway, verify the configuration by running asg diag ("Confirming the Security Gateway Software Configuration" on page 63).
9 July 2013 | Corrected: Syntax of asg monitor command ("Monitoring Chassis and Component Status (asg monitor)" on page 73). Corrected: Examples of asg search command ("Searching for a Connection (asg search)" on page 83).
21 March 2013 | Added: Before creating the VSX Gateway, if the management interface is not eth1-Mgmt4, see sk92556 ("Configuring a VSX Gateway" on page 64).
10 February 2013 | First release of this document.

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments mailto:[email protected]?subject=Feedback on R75.40VS Check Point 61000 Security System Getting Started Guide.

Contents

Important Information
Health and Safety Information
Information Relating to Health and Safety
Introduction
  Overview of Check Point 61000 Security Systems
  Check Point Virtual Systems
  In this Document
  Shipping Carton Contents
Hardware Components
  61000 Security System Front Panel Modules
  Security Switch Module
    SSM160 Security Switch Module
    SSM60 Security Switch Module
    Security Switch Module LEDs
  Security Gateway Module (SGM)
    SGM260 LEDs
    SGM220 LEDs
  AC Power Supply Units (PSUs)
  AC Power Cords
  DC Power Entry Modules (PEMs)
    PEM Panel and LED Indicators
  Fan Trays
  Chassis Management Modules
  Blank Filler Panels for Airflow Management
    Front Blank Panels with Air Baffles
Step 1: Site Preparation
  Rack Mounting Requirements
  Required Tools
Step 2: Installing the Chassis in a Rack
Step 3: Installing Hardware Components and Connecting Power Cables
  Inserting AC Power Supply Units
  Inserting Fan Trays
  Inserting Chassis Management Modules
  Inserting Security Switch Modules
  Inserting Security Gateway Modules
  Inserting Transceivers
    Inserting Twisted Pair Transceivers
    Inserting Fiber Optic Transceivers
    Inserting QSFP Splitters
  Inserting Front Blank Panels
  Connecting DC Power
  Connecting a Second Chassis
Step 4: Turning on the System
Step 5: Dual Chassis System Validation
Step 6: Installing the Software
  Before Installing SSM160 Firmware and Software
  Installing the SGM Image
    Installing the SGM with Snapshot Import
    Installing the SGM Image from Removable Media
Step 7: Connecting to the Network
Step 8: Initial Software Configuration
  Connecting a Console
  Running the Initial Setup
Step 9: SmartDashboard Configuration
  Defining a Security Gateway
    Confirming the Security Gateway Software Configuration
  Configuring a VSX Gateway
    Wizard Step 1: Defining VSX Gateway General Properties
    Wizard Step 2: Selecting Virtual Systems Creation Templates
    Wizard Step 3: Establishing SIC Trust
    Wizard Step 4: Defining Physical Interfaces
    Virtual Network Device Configuration
    Wizard Step 6: VSX Gateway Management
    Completing the VSX Wizard
    Confirming the VSX Gateway Software Configuration
Basic Configuration Using gclish
Licensing and Registration
Monitoring and Configuration
  Showing Chassis and Component States (asg stat)
  Monitoring Chassis and Component Status (asg monitor)
  Monitoring Performance Indicators and Statistics (asg perf)
  Monitoring Hardware Components (asg hw_monitor)
  Monitoring SGM Resources (asg resource)
  Searching for a Connection (asg search)
  Configuring Alerts for SGM and Chassis Events (asg alert)
  Monitoring the System with SNMP
    SNMP in a VSX Gateway
Troubleshooting
  Collecting System Diagnostics (asg diag)
    Error Types
    Changing Compliance Thresholds


Health and Safety Information

Read these warnings before setting up or using the appliance.

Warning -

• Do not block air vents. This is to ensure sufficient airflow for the individual SGMs in the Chassis.

• This appliance does not contain any user-serviceable parts. Do not remove any covers or attempt to gain access to the inside of the product. Opening the device or modifying it in any way has the risk of personal injury and will void your warranty. The following instructions are for trained service personnel only.

Handle SGM system parts carefully to prevent damage. These measures are sufficient to protect your equipment from static electricity discharge:

• When handling components (Fans, CMMs, SGMs, PSUs, SSMs) use a grounded wrist-strap designed for static discharge elimination.

• Touch a grounded metal object before removing the board from the anti-static bag.

• Hold the board by its edges only. Do not touch its components, peripheral chips, memory modules or gold contacts.

• When holding memory modules, do not touch their pins or gold edge fingers.

• Restore SGMs to the anti-static bag when they are not in use or not installed in the Chassis. Some circuitry on the SGM can continue operating after the power is switched off.

• Do not let the lithium battery cell (used to power the real-time clock on the CMM) short. The battery can heat up and become a burn hazard.

Warning -

• DANGER OF EXPLOSION IF BATTERY IS INCORRECTLY REPLACED. REPLACE ONLY WITH SAME OR EQUIVALENT TYPE RECOMMENDED BY CHECK POINT SUPPORT.

• DISCARD USED BATTERIES ACCORDING TO INSTRUCTIONS FROM CHECK POINT.

• Do not operate the processor without a thermal solution. Damage to the processor can occur in seconds.

• Before you install or remove a chassis, or work near power supplies, turn off the power and unplug the power cord.

For California:

Perchlorate Material - special handling can apply. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate

The foregoing notice is provided in accordance with California Code of Regulations Title 22, Division 4.5, Chapter 33. Best Management Practices for Perchlorate Materials. This product, part, or both may include a lithium manganese dioxide battery, which contains a perchlorate substance.

Proposition 65 Chemical


Chemicals identified by the State of California, pursuant to the requirements of the California Safe Drinking Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq. ("Proposition 65"), that is "known to the State to cause cancer or reproductive toxicity" (see http://www.calepa.ca.gov)

WARNING:

Handling the cord on this product will expose you to lead, a chemical known to the State of California to cause cancer, and birth defects or other reproductive harm. Wash hands after handling.

Federal Communications Commission (FCC) Statement:

Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

Information to user:

The user's manual or instruction manual for an intentional or unintentional radiator shall caution the user that changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. In cases where the manual is provided only in a form other than paper, such as on a computer disk or over the Internet, the information required by this section may be included in the manual in that alternative form, provided the user can reasonably be expected to have the capability to access information in that form.

Canadian Department Compliance Statement:

This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.

Japan Class A Compliance Statement:

European Union (EU) Electromagnetic Compatibility Directive

This product is herewith confirmed to comply with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility Directive (2004/108/EC).

This product is in conformity with Low Voltage Directive 2006/95/EC, and complies with the requirements in the Council Directive 2006/95/EC relating to electrical equipment designed for use within certain voltage limits and the Amendment Directive 93/68/EEC.


Product Disposal

This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it over to a designated collection point for the recycling of waste electrical and electronic equipment. The separate collection and recycling of your waste equipment at the time of disposal will help to conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment. For more information about where you can drop off your waste equipment for recycling, please contact your local city office or your household waste disposal service.

Information Relating to Health and Safety

Read these warnings before setting up or using the appliance.

Warning:

• Do not block the air vents. The SGMs in the Chassis must have sufficient airflow.

• This appliance contains no user-replaceable parts. Do not remove any cover or attempt to reach the inside. Opening or modifying the appliance can cause a risk of injury and will void the warranty. The following instructions are for trained maintenance personnel only.

Handle SGM parts carefully to avoid damaging them. The following measures are sufficient to protect your equipment against static electricity discharge:

• Before handling a component (fan, CMM, SGM, PSU, SSM), wear a grounded anti-static wrist strap.

• Touch a grounded metal object before removing the board from its anti-static bag.

• Hold the board by its edges only. Do not touch any component, peripheral chip, memory module or gold-plated contact.

• When handling memory modules, do not touch their pins or gold contact fingers.


• Return SGMs to their anti-static bag when they are not in use or not installed in the Chassis. Some SGM circuits can continue to operate even when the appliance is switched off.

• Never short-circuit the lithium battery (which powers the real-time clock of the CMM). It could heat up and start a fire.

Warning:

• DANGER OF EXPLOSION IF THE BATTERY IS NOT CORRECTLY REPLACED. REPLACE ONLY WITH AN IDENTICAL OR EQUIVALENT TYPE RECOMMENDED BY CHECK POINT SUPPORT.

• BATTERIES MUST BE DISPOSED OF ACCORDING TO INSTRUCTIONS FROM CHECK POINT.

• Do not operate the processor without cooling. The processor can be damaged within seconds.

• Before handling an appliance or its power supply units, turn it off and unplug its power cable.

For California:

Perchlorate material: special handling may be required. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate

The following notice is provided in accordance with the California Code of Regulations, Title 22, Division 4.5, Chapter 33. Best Management Practices for Perchlorate Materials. This product, this part, or both may contain a lithium manganese dioxide battery, which contains a perchlorate substance.

"Proposition 65" Chemicals

Chemicals identified by the State of California, pursuant to the requirements of the California Safe Drinking Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq. ("Proposition 65"), that are "known to the State to cause cancer or reproductive toxicity" (see http://www.calepa.ca.gov)

WARNING:

Handling this cord exposes you to lead, a substance known to the State of California to cause cancer, birth defects and other reproductive harm. Wash hands after handling.

Statement to the Federal Communications Commission (FCC):

Note: This equipment has been tested and found to comply with the limits for Class A digital devices, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial environment. This equipment generates and can radiate radio frequencies and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at their own expense.

Information to the user:

The user's manual or instruction manual for a radiating device (intentional or unintentional) must caution that any modification not expressly approved by the party responsible for compliance can void the right to operate the equipment. If the manual is not provided in printed form (for example on a computer disk or over the Internet), the information required by this section must be included in those versions of the manual, provided that the user can reasonably be expected to be able to access it.

Canadian Department Compliance Statement:

This Class A digital apparatus complies with Canadian ICES-003 (NMB-003).

Class A Compliance Statement for Japan:

European Union Electromagnetic Compatibility Directive

This product is certified to comply with the requirements of the Council Directive on the approximation of the laws of the Member States relating to the Electromagnetic Compatibility Directive (2004/108/EC).

This product complies with Low Voltage Directive 2006/95/EC and meets the requirements of Council Directive 2006/95/EC relating to electrical equipment designed for use within a certain voltage range, as amended by Directive 93/68/EEC.

Product Disposal

This symbol on the product or its packaging means that the product must not be disposed of with other household waste. It is your responsibility to take it to a designated collection point for the recycling of electrical and electronic equipment. Separating your equipment at the time of disposal, and recycling it, helps to conserve natural resources and ensures that it is recycled in a way that protects human health and the environment. For more information about where to drop off your waste equipment, contact your municipality or your waste management service.


CHAPTER 1

Introduction

In This Section:

Overview of Check Point 61000 Security Systems
Check Point Virtual Systems
In this Document
Shipping Carton Contents

Thank you for choosing the Check Point 61000 Security System. We hope that you will be satisfied with this system and our support services. Check Point products supply your business with the most up to date and secure solutions available today.

Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment.

For additional information on the Internet Security Product Suite and other security solutions, refer to the Check Point Web site (http://www.checkpoint.com), or call Check Point at 1(800) 429-4391. For additional technical information about Check Point products, consult the Check Point Support Center http://supportcenter.checkpoint.com.

Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.

Overview of Check Point 61000 Security Systems

The Check Point 61000 Security System is a high performance, scalable, carrier class solution for Service Providers and high-end data centers. The system gives advanced Security Gateway functionality to meet your dynamically changing security needs. Supported Security Gateway Software Blades include: Firewall, IPS, Application Control, Identity Awareness, URL Filtering, IPSec VPN, Anti-Bot, and Anti-Virus.

The Check Point 61000 Security System is a 14-15U Chassis and includes:

Component(s) | Function
Up to 12 Security Gateway Modules (SGMs) | Runs a high performance Firewall, and other Software Blades.
2 Security Switch Modules (SSMs) | Distributes network traffic to SGMs.
2 Chassis Management Modules (CMMs) | Monitors the Chassis, the SSMs and the SGMs with zero downtime.


The 61000 Security System:

• Is highly fault tolerant, and provides redundancy between Chassis modules, power supplies and fans. For extra redundancy, you can install a Dual Chassis deployment.

• Has NEBS-ready and Non-NEBS versions. The Network Equipment Building Systems (NEBS) certificate ensures that 61000 Security System meets the environmental and spatial requirements for products used in telecommunications networks.

• Includes a rich variety of CLI monitoring and management tools. The system can be centrally managed from Check Point Security Management Server or a Multi-Domain Security Management.

• Lets you install different numbers of SGMs to match the processing needs of your network.

You can operate the 61000 Security System as a Security Gateway or as a VSX Gateway for Check Point Virtual Systems.

Check Point Virtual Systems

Administrators can replicate physical security gateways with Virtual Systems with advanced protection for many networks and network segments. Virtual Systems can support up to 250 Virtual Systems on a 61000 Security System. This gives you scalability, availability, reliability and optimal performance while minimizing hardware investment, space requirements and maintenance costs.

Network virtualization supports easy deployment and configuration of network topology with simple inter-Virtual System communication. Integrated Virtual Switches and direct links to destinations eliminate the requirement for external network switches.

KEY FEATURES

• Consolidate many Security Gateways on one 61000 Security System

• Software Blade Architecture

• Gaia 64-bit operating system

• Separation of management duties

• Customized security policies per Virtual System

• Per Virtual System Monitoring of resource usage

KEY BENEFITS

• Easily add virtual systems to a security gateway

• Decreased hardware cost and simplified network policy

• High performance

• Granularity with customizable policies for each Virtual System

• Better usage-based resource planning with per Virtual System monitoring

• Better performance with Multi-core CoreXL technology


In this Document

• A brief overview of necessary 61000 Security System concepts and features

• A step by step guide to getting the 61000 Security System up and running

Note - Many examples in this guide show the largest model available at the time of publication. The concepts and procedures are applicable to all models.

Shipping Carton Contents

This section describes the contents of the shipping carton.

Item | Description
Check Point 61000 Security System | A single 61000 Security System Chassis
61000 Security System components | 2 to 12 Security Gateway Modules; 2 Security Switch Modules; 2 Chassis Management Modules; Power Supplies (preinstalled); 5 AC Power Supply Units (PSUs) or 1 to 2 DC Power Entry Modules (PEMs); 6 Fans (preinstalled); Power cord set
Documentation | EULA; Welcome document

Obligatory Hardware Purchases

Transceivers are not included in the shipping carton and must be purchased separately.

SSM60 Transceivers

Ports | Required Transceivers
Network and Synchronization | Fiber transceiver for 10GbE XFP ports (SR/LR)
Management and log | Fiber transceiver for 1GbE SFP ports (SX/LR); Twisted-pair transceiver for 1GbE SFP ports; Fiber transceiver for 10GbE XFP ports (SR/LR)


SSM160 Transceivers

Ports | Required Transceivers
Network and Synchronization | SFP+ (10GbE) Fiber transceiver for SFP+ ports (SR/LR); SFP (1GbE) Fiber transceiver for SFP+ ports (SX/LX); Twisted pair (1GbE) transceiver for SFP+ ports; QSFP transceiver for 40GbE ports (SR/LR); QSFP splitter for 40GbE ports
Management and log | Fiber/Twisted pair transceiver for 1GbE SFP+ ports (SX/LX); SFP+ (10GbE) Fiber transceiver for SFP+ ports (SR/LR)


CHAPTER 2

Hardware Components

In This Section:

61000 Security System Front Panel Modules
Security Switch Module
Security Gateway Module (SGM)
AC Power Supply Units (PSUs)
AC Power Cords
DC Power Entry Modules (PEMs)
Fan Trays
Chassis Management Modules
Blank Filler Panels for Airflow Management

This section shows the hardware components of the 61000 Security System.

61000 Security System Front Panel Modules


Item Description

1 The Security Gateway Modules (SGMs) in the Chassis work together as a single, high performance Security Gateway or VSX Gateway. Adding a Security Gateway Module improves system performance. A Security Gateway Module can be added or removed without losing connections. If an SGM is removed or fails, traffic is sent to the other active SGMs.

Security Gateway Module slots are numbered 1 to 12, left to right. Slot 7, for example (labeled [7] in the diagram), is the slot immediately to the right of the two Security Switch Module slots.

2 Console port, for a serial connection to a specific SGM using a terminal emulation program.

3 USB port, for a connection to external media, such as a DVD drive.

4 The Security Switch Module (SSM) distributes network traffic to the Security Gateway Modules and forwards traffic from the Security Gateway Modules. Two are inserted in a chassis. Two SSM versions are available:

• SSM60

  • Not supported in a VSX Gateway

• SSM160

For more about each port, see Security Switch Module Ports ("Security Switch Module" on page 18).

5 The Chassis Management Module (CMM) monitors the status of the chassis hardware components. It also supplies DC current to the cooling fan trays.

If the Chassis Management Module fails or is removed from the chassis, the 61000 Security System continues to forward traffic. However, hardware monitoring is not available. Adding or removing a Security Gateway Module to or from the chassis is not recognized. If the two CMMs are removed, the cooling fans stop working.

Warning - There must be at least one CMM in the chassis.

A second Chassis Management Module can be used to supply CMM High Availability.

In the CLI output, the lower slot is listed as bay 1. The upper slot is listed as bay 2.


6 Power:

• AC Power Supply Units (PSUs)

  • 100 VAC to 240 VAC

  • 3-5 PSUs

Or:

• DC Power Entry Modules (PEMs)

  • 48 VDC to 60 VDC

  • 2 PEMs

Field-replaceable and hot-swappable

In the CLI output:

• Upper slots are for DC PEMs. They are listed as bay 1 and bay 2, numbered right to left.

• Lower slots are for AC PSUs. They are listed as bay 1 to bay 5, numbered right to left.

Security Switch Module

The Security Switch Module (SSM) distributes network traffic to the Security Gateway Modules and forwards traffic from the Security Gateway Modules. Two are inserted in a Chassis. Two SSM versions are available:

• SSM60

  • Not supported in a VSX Gateway

• SSM160


SSM160 Security Switch Module

Item Description

1 • 1 port for direct access through LAN

• 1 port for direct access through console (serial)

2 • 2 x 40GbE QSFP data ports. In the initial setup program, the interface names are:

  • Left Security Switch Module: eth1-09, eth1-13

  • Right Security Switch Module: eth2-09, eth2-13

• Use a QSFP splitter to split each of the two QSFP ports to 4 x 10GbE. When using a QSFP splitter, the interface names are:

  • Left Security Switch Module upper QSFP port: eth1-09 to eth1-12

  • Left Security Switch Module lower QSFP port: eth1-13 to eth1-16

  • Right Security Switch Module upper QSFP port: eth2-09 to eth2-12

  • Right Security Switch Module lower QSFP port: eth2-13 to eth2-16

3 • 7 x 10GbE SFP+ data ports

• Can use 1GbE or 10GbE transceivers

• In the initial setup program, the interface names are:

  • Left Security Switch Module: eth1-01, eth1-02, ... eth1-07

  • Right Security Switch Module: eth2-01, eth2-02, ... eth2-07

• In SmartDashboard, define used interfaces as internal or external.

4 • 1 synchronization port for connecting to and synchronizing with another 61000 appliance that functions as a high availability peer.

• 10 GbE SFP+ port

• Interface names are eth1-Sync on the left SSM and eth2-Sync on the right SSM.

5 Management and logging ports. Connect these ports to the management/logging network. Security Management Server or dedicated logging servers should be accessible from these interfaces.

• 2 x 10GbE SFP+ ports

• In the 61000 appliance initial setup program, these interfaces are labeled:

  • On the left SSM: eth1-Mgmt1, eth1-Mgmt2

  • On the right SSM: eth2-Mgmt1, eth2-Mgmt2


6 Management and logging ports. Connect these ports to the management/logging network. Security Management Server or dedicated logging servers should be accessible from these interfaces.

• 2 x 1GbE SFP ports

• In the 61000 appliance initial setup program, these interfaces are labeled:

  • On the left SSM: eth1-Mgmt3, eth1-Mgmt4

  • On the right SSM: eth2-Mgmt3, eth2-Mgmt4


SSM60 Security Switch Module

Item Description

(1) 5 x 10GbE XFP data ports in each Security Switch Module. These data ports are the network interfaces of the 61000 Security System.

In the initial setup program, the interfaces in the:

• Left Security Switch Module are named: eth1-01, eth1-02, ... eth1-05

• Right Security Switch Module are named: eth2-01, eth2-02, ... eth2-05

In SmartDashboard, define used interfaces as internal or external.

(2) 1 synchronization port on each SSM for connecting to and synchronizing with another 61000 Security System that functions as a high availability peer.

(3) 4 ports for management and logging on each SSM.

• 2 Upper ports: 1GbE SFP

• 2 Lower ports: 10GbE XFP

Connect these ports to the management/logging network. Security Management Server or dedicated logging servers should be accessible from these interfaces.

In the initial setup program, the interfaces are named:

• On the left SSM: eth1-Mgmt1, eth1-Mgmt2, ... eth1-Mgmt4

• On the right SSM: eth2-Mgmt1, eth2-Mgmt2, ... eth2-Mgmt4
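The SSM160 and SSM60 interface naming described above can be turned into an inventory and used to check a cabling plan before it is entered in the setup program. This is an added example, not Check Point code: the function names, the use labels (internal, external, management, sync) and the eth<N>-Sync name for the SSM60 sync port are assumptions, and the sample plan is constructed.

```python
# Added example: build the interface inventory for a Chassis from the naming
# rules in this section and check a cabling plan against it.

# Which planned uses are acceptable for each port role (labels are assumptions).
ALLOWED_USE = {
    "data": {"internal", "external"},   # defined as internal or external in SmartDashboard
    "mgmt": {"management"},             # management/logging network only
    "sync": {"sync"},                   # link to the high availability peer
}


def ssm_interfaces(model, ssm, split_upper=False, split_lower=False):
    """Return {interface name: role} for one SSM.

    ssm is 1 for the left module and 2 for the right module.
    split_upper / split_lower say whether a QSFP splitter is fitted to the
    upper / lower 40GbE port (SSM160 only).
    """
    if ssm not in (1, 2):
        raise ValueError("ssm must be 1 (left) or 2 (right)")
    if model == "SSM160":
        data = list(range(1, 8))                       # 7 SFP+ data ports: 01..07
        data += range(9, 13) if split_upper else [9]   # upper QSFP: 09, or 09..12 split
        data += range(13, 17) if split_lower else [13]  # lower QSFP: 13, or 13..16 split
    elif model == "SSM60":
        if split_upper or split_lower:
            raise ValueError("SSM60 has no QSFP ports to split")
        data = list(range(1, 6))                       # 5 XFP data ports: 01..05
    else:
        raise ValueError(f"unknown SSM model: {model!r}")

    prefix = f"eth{ssm}-"
    names = {f"{prefix}{n:02d}": "data" for n in data}
    names[prefix + "Sync"] = "sync"   # SSM60 sync name is assumed to match the SSM160
    for n in range(1, 5):
        names[f"{prefix}Mgmt{n}"] = "mgmt"
    return names


def check_plan(plan, model, split=frozenset()):
    """Check {interface: planned use} against the Chassis inventory.

    split is a set of (ssm, "upper" | "lower") pairs naming the QSFP ports
    that carry a splitter. Returns a list of findings, empty when the plan
    only uses interfaces that exist and uses each for its intended role.
    """
    known = {}
    for ssm in (1, 2):
        known.update(ssm_interfaces(model, ssm,
                                    (ssm, "upper") in split,
                                    (ssm, "lower") in split))
    findings = []
    for name, use in sorted(plan.items()):
        role = known.get(name)
        if role is None:
            findings.append(f"{name}: no such interface on {model} with this splitter layout")
        elif use not in ALLOWED_USE[role]:
            findings.append(f"{name}: {role} port planned as {use}")
    return findings


# Constructed sample plan for a Chassis with SSM160 modules and a splitter on
# the upper QSFP port of the left SSM.
SAMPLE_PLAN = {
    "eth1-01": "external",
    "eth2-01": "internal",
    "eth1-10": "internal",      # exists only because of the splitter
    "eth1-08": "internal",      # there is no port 08 on an SSM160
    "eth1-Mgmt1": "management",
    "eth2-Mgmt4": "internal",   # management port wired to a data network
    "eth1-Sync": "sync",
}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN, "SSM160", {(1, "upper")}):
        print(finding)
```

Interface names are compared case-sensitively, so a plan that writes eth2-sync instead of eth2-Sync is reported as an unknown interface.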


Security Switch Module LEDs

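| Item | LED | Status | Description |
|---|---|---|---|
| 1 | Out of service | Red | SSM out of service |
| 1 | Out of service | Off (Normal) | SSM hardware is normal |
| 2 | Power | On (Normal) | Power on |
| 2 | Power | Off | Power off |
| 3 | Hot-swap | Blue | SSM can be safely removed |
| 3 | Hot-swap | Blue blinking | SSM is going to Standby mode. Do not remove |
| 3 | Hot-swap | Off (Normal) | SSM is Active. Do not remove |
| 4 | SYN ACT | On (Normal) | Normal operation |
| 4 | SYN ACT | Off | N/A |
| 5 | Link | On | Link enabled |
| 5 | Link | Yellow blinking | Link is active |
| 5 | Link | Off | Link is disabled |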


Security Gateway Module (SGM)

The Security Gateway Modules (SGMs) in the Chassis work together as a single, high performance Security Gateway or VSX Gateway. Adding a Security Gateway Module improves system performance. A Security Gateway Module can be added or removed without losing connections. If an SGM is removed or fails, traffic is sent to the other active SGMs.

These SGM versions are available:

• SGM220

• SGM220T (for NEBS)

• SGM260

The SGM260 has more powerful CPUs and uses a more advanced technology. It also has a different front panel layout and different LEDs.

SGM260 LEDs

| Item | LED | Status | Description |
|---|---|---|---|
| 5 | Out of service | Red | SGM out of service. |
| 5 | Out of service | Off (Normal) | SGM hardware is normal. |
| 6 | Health | Green (Normal) | SGM core operating system is Active. |
| 6 | Health | Green blinking | SGM core operating system is partially Active. |
| 6 | Health | Off | SGM operating system is in Standby Mode. |
| 7 | Hot-swap | Blue | SGM can be safely removed. |
| 7 | Hot-swap | Blue blinking | SGM is going to Standby Mode. Do not remove. |
| 7 | Hot-swap | Off (Normal) | SGM is active. Do not remove. |
| | CTRL Link 1, CTRL Link 2 (SSM1 and SSM2 management ports) | Yellow | Link enabled. |
| | CTRL Link 1, CTRL Link 2 (SSM1 and SSM2 management ports) | Yellow blinking | Link is Active. |
| | CTRL Link 1, CTRL Link 2 (SSM1 and SSM2 management ports) | Off | Link is disabled. |
| | CTRL SPEED 1, CTRL SPEED 2 (SSM1 and SSM2 management ports) | Yellow | 10 Gbps |
| | CTRL SPEED 1, CTRL SPEED 2 (SSM1 and SSM2 management ports) | Green | 1 Gbps |
| | CTRL SPEED 1, CTRL SPEED 2 (SSM1 and SSM2 management ports) | Off | 100 Mbps |
| | Traffic 1, 2, 3, 4 | On | Data and Sync traffic in SSM1, SSM2, SSM3, SSM4. |
| | L2 | Off | Not used. |
| | L1 | Red. Lower Right | Installation started. |
| | L1 | Red blinking, in sequence | Installation in progress. |
| | L1 | Red. All | Installation failure. |
| | L1 | Yellow. Left | Installation completed. |
| | L1 | Green. Right | SGM is being configured. (Using First Time Configuration Wizard or adding a new SGM into a Chassis). |
| | L1 | Off | SGM is configured and ready. |


SGM220 LEDs

| Item | LED | Status | Description |
|---|---|---|---|
| 1 | Out of service | Red | SGM out of service |
| 1 | Out of service | Off (Normal) | SGM hardware is normal |
| 2 | Health | Green (Normal) | SGM core operating system is active |
| 2 | Health | Green blinking | SGM core operating system is partially active |
| 2 | Health | Off | SGM operating system is in Standby mode |
| 3 | Hot-swap | Blue | SGM can be safely removed |
| 3 | Hot-swap | Blue blinking | SGM is going to Standby mode. Do not remove |
| 3 | Hot-swap | Off (Normal) | SGM is active. Do not remove |
| 4 | Link | Yellow | Link enabled |
| 4 | Link | Yellow blinking | Link is active |
| 4 | Link | Off | Link is disabled |
| 5 | Data port speed | Yellow | 10 Gbps |
| 5 | Data port speed | Green | 1 Gbps |
| 5 | Data port speed | Off | 100 Mbps |
| 5 | Management port speed | Yellow | 1 Gbps |
| 5 | Management port speed | Green | 100 Mbps |
| 5 | Management port speed | Off | 10 Mbps |
| 6 | L | LEDs 2 and 4 - Green | SGM is being configured. (Using First Time Wizard or adding a new SGM into a Chassis) |
| 6 | L | All LEDs - Off | SGM is configured and ready |


AC Power Supply Units (PSUs)

The 5 field-replaceable, hot-swappable 100 VAC to 240 VAC Power Supply Units (PSUs) supply:

• Power to the Chassis

• Power filtering and over-current protection.

Each PSU is located on a tray that slides directly into the backplane.

The AC Power inlets are located in the rear of the Chassis. Each power supply has one power inlet.

Item Description (AC Power Unit)

1 Air filter. Prevents dust from entering the PSU.

2 Latch for extracting and inserting the PSU.

3 AC Power Supply LED

• Green: AC Power is OK.

• OFF: AC power is OFF

4 DC Power Supply LED

• Green: DC Power is OK.

• Red: DC power failure or Hot swap ready

5 Extraction handle for holding the PSU during extraction and insertion

Power Requirements:

Each PSU supplies power at these values:

• 1500W at 220VAC

• 1200W at 110VAC


Power Consumption Data:

• Chassis (constant) - 100W

• Fan - 240W maximum

• CMM - 10W maximum

• SGM - 300W maximum

• SSM - 300W maximum

Recommended quantity of PSUs

Important - One power supply cannot supply a fully loaded Chassis. This table shows how to calculate the recommended number of power supplies.

For a PSU that supplies 1500W:

| Number of SGMs | Minimum (N) | Recommended (N+1) |
|---|---|---|
| 2 | 2 | 3 |
| 4 | 2 | 3 |
| 6 | 3 | 4 |
| 8 | 3 | 4 |
| 10 | 4 | 5 |
| 12 | 4 | 5 |


AC Power Cords

The supplied AC power cords are specific to the geographical region. These are some of the available power cords.

| Region | Plug | Connector | Cable |
|---|---|---|---|
| EU | KC-015, 16A 250V~ | KC-003H, 10 A 250V~ | H05RR-F,3G 0.75mm2 |
| AUSTRALIA | KC-014, 10A 250V | KC-003H, 10 A 250V~ | H05RR-F 3G 0.75mm2 |
| UK | KC-039, 13A 250V~ | KC-003H, 10 A 250V~ | H05RR-F 3G 0.75mm2 |
| JP | KC-001, 15A 125V | KC-003H, 15A 125V | VCTF 3G 2.0mm2 |
| US | KC-001, 15A 125V | KC-003H, 15A 125V | SJT 14/3C 75ºC |
| CHINA | KC-017N, 10A 250V~ | KC-003H, 10 A 250V~ | H05RR-F 3G 0.7mm2 |


DC Power Entry Modules (PEMs)

The 61000 Security System DC configuration includes two Power Entry Modules (PEMs), each with a rating of -48/-60VDC 125A. The PEMs supply DC power, EMC filtering and over-current protection for the Chassis. Each PEM can supply 100% of Chassis power. The PEM is a customer replaceable unit. The two-PEM configuration provides full redundancy. The PEMs are located in the bottom-rear of the Chassis.

The DC configuration does not have its own power source. You must supply a mains DC power system that includes an external battery and a branch circuit breaker of 125A for each PEM.

You must also supply lugs (Panduit LCD6-14A-L). Use them to connect wires to the terminal blocks of the PEMs.

PEM Panel and LED Indicators

Item Description

1 Locking captive screws. Secure the PEM in the Chassis.

2 Handles used for holding the PEM during insertion and extraction.

3 Terminal blocks: -48/-60 VDC and Return. Each terminal block has 4 terminal studs.

4 PEM Status LEDs.

5 Hot-Swap button used to start the hot swap sequence.

6 4 Circuit breakers. 50A per circuit breaker.

PEM Status LEDs

Status:

• Green: OK

• Red: Failure

Fault:

• Green: OK

• Red: -48VDC is missing

HS:

• Blue steady: Powering up or ready for extraction

• Blue blinking: Hot swap process

• OFF: Working

Important -

• Do not remove a PEM while it is connected to the power source.

• Before replacing a PEM, verify that the power source is disconnected and isolated.

• The PEM circuit breaker has only one pole and only disconnects the -48V lead. The 48VDC RTN lead is always connected.


Fan Trays

The cooling system consists of three high performance fan trays. The fan trays are at the rear of the Chassis. Each tray contains two fans that supply air volume and velocity for cooling front and rear Chassis components. Air flows from the inside to the outside of the Chassis.

Item Description

1 Power fault LED

2 Locking captive screw

Three fan trays are preinstalled (6 fans).


Chassis Management Modules

The Chassis Management Module controls and monitors Chassis operation. This includes fan speed, Chassis and module temperature, and component hot-swapping.

Item Description

1 General LEDs

2 Telco Alarm LEDs

3 Application defined LEDs

4 Latch

5 Network port

6 Serial port

7 Alarm

8 Thumb screw

General LEDs

| LED | Status | Meaning |
|---|---|---|
| ACT | Green | Chassis Management Module is active |
| ACT | Red | Chassis Management Module failure |
| ACT | Green blink | Chassis Management Module inactive |
| PWR | Green | Good local voltage supply on Chassis Management Module |
| PWR | Off | Local voltage failure |
| HS (hot swap) | Steady blue | Chassis Management Module is powering up or ready for extraction. |
| HS (hot swap) | Blue blink | Chassis Management Module is being hot swapped |
| HS (hot swap) | Off | Chassis Management Module in operation |


Telco Alarm LEDs

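| LED | Status | Meaning |
|---|---|---|
| CRT (Critical) | Off | Normal operation |
| CRT (Critical) | Red | System alarm event |
| MJR (Major) | Off | Normal operation |
| MJR (Major) | Red | System alarm event |
| MNR (Minor) | Off | Normal operation |
| MNR (Minor) | Red | System alarm event |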


Blank Filler Panels for Airflow Management

Compliance with temperature specifications requires a stable air flow in the Chassis. To make sure that Chassis cooling is effective, add blank filler panels to all empty slots.

Two types of airflow-management panels are available for the empty slots on the Chassis:

• Front blank panels with air baffles

• Rear panel with air baffles

Front Blank Panels with Air Baffles

Item Description

1 Slot cover

2 Tightening screws

3 Air Baffles


CHAPTER 3

Step 1: Site Preparation

In This Section:

Rack Mounting Requirements

Required Tools

Rack Mounting Requirements

Before mounting the 61000 Security System in a standard 19" rack, make sure that:

• The rack is stable, level, and secured to the building.

• The rack is sufficiently strong to support the weight of a fully loaded Security System (https://www.checkpoint.com/downloads/product-related/datasheets/DS-41000-61000.pdf).

• The rack rails are spaced sufficiently wide to accommodate the system's external dimensions.

• The shelf is mounted on the rack.

• There is sufficient space at the front and rear of the Chassis to let service personnel swap out hardware components.

• The rack has a sufficient supply of cooling air.

• The rack is correctly grounded.

• A readily accessible disconnect device is incorporated into the building’s wiring. The disconnect device must be placed between the system's AC power inlet and the power source. The disconnect device rating required must be determined by the nominal input voltage.

• There are at least two inches of clearance at the air inlets and outlets to make sure there is sufficient airflow.

• Hot exhaust air is not circulated back into the system.

• At least two persons are available to lift the Chassis.

Required Tools

To install the appliance in a standard 19" rack, these tools are required:

• Standard Phillips (+) screwdriver set

• Wrench

• Electrostatic Discharge (ESD) grounding wrist strap


CHAPTER 4

Step 2: Installing the Chassis in a Rack

Before mounting the Chassis on the rack, attach the rear static grounding screws to the Chassis.

To install the Chassis on the Rack:

1. Set the Chassis in front of the rack, centering the Chassis in front of the shelf.

2. Lift and slide the Chassis on to the rack shelf.

3. Make sure that the holes in the front mounting flanges of the Chassis align with the holes in the rack rails.

4. Insert mounting screws into the front mounting flanges aligned with the rack.

5. Secure the appliance by fastening the mounting screws to the rack.

The appliance must be level, and not positioned at an angle.

6. Attach grounding cables to the grounding screws on the Chassis.


CHAPTER 5

Step 3: Installing Hardware Components and Connecting Power Cables

In This Section:

Inserting AC Power Supply Units

Inserting Fan Trays

Inserting Chassis Management Modules

Inserting Security Switch Modules

Inserting Security Gateway Modules

Inserting Transceivers

Inserting Front Blank Panels

Connecting DC Power

Connecting a Second Chassis

This section covers inserting:

• Chassis Management Modules

• Security Switch Modules

• Security Gateway Modules

• Twisted pair and fiber optic transceivers into ports on the Security Switch Modules

• Transceivers into the management ports on the Security Switch Modules

• Covers for blank slots

This section also covers:

• Backup Chassis in a dual Chassis environment

• Power cables


Inserting AC Power Supply Units

AC Power Supply Units (AC only) are pre-installed in the Chassis.

You can swap in more units, or replace units, without interfering with the operation of the Scalable Platform.

Note - One AC PSU cannot supply sufficient power to support a fully populated Chassis.

To insert an AC Power Supply Unit:

1. Pull out the latch.

2. Push in the Power Supply until it locks in place.

3. Push in the Power Supply insertion latch.

4. Make sure that the DC LED shows green.


Inserting Fan Trays

When you insert a fan tray into the Chassis, the fans start at full speed and then decrease by steps of 7%. Under normal operating conditions, the fans run at 21% of full speed. The lower speed reduces the noise and increases the longevity of the fans.

The speed of each individual fan is monitored. If the speed of one fan drops below the desired speed (i.e. fan failure), the other fans speed up.

Fans are pre-installed in the appliance. Manual replacement must be coordinated with Check Point Support.

To Insert a Fan:

1. Slide the fan into the allocated space.

2. Tighten the locking captive screw.


Inserting Chassis Management Modules

To insert a Chassis Management Module:

1. On the CMM, remove the tape on the battery.

This tape protects the battery life before installation.

2. Open the upper latch.

3. Insert the Chassis Management Module into the allocated slot.

Note - If you have only one CMM, we recommend inserting it into the lower Chassis slot.

4. Close the latch.

5. Tighten the two thumb screws.

6. After power up, all LEDs must light up for 1-2 seconds. The ACT and PWR LEDs continue to show green after the other LEDs turn off.


Inserting Security Switch Modules

To insert a Security Switch Module:

1. Open the latches at the top and bottom of the Security Switch Module.

2. Slide the SSM into the allocated slot.

3. Fasten the latches.

4. Tighten the screws.


Inserting Security Gateway Modules

To insert a Security Gateway Module:

1. Open the latches at the top and bottom of the Security Gateway Module.

2. Make sure the SGM is located correctly on the Chassis rail.

3. Slide the Security Gateway Module into the allocated slot.

4. Fasten the latches.

5. Tighten the thumb screws.


Inserting Transceivers

Security Switch Modules support Twisted Pair and Fiber Optic transceivers for connecting different interface types to the 61000 Security System through the SFP, SFP+, or XFP ports on the SSM.

The type and number of transceiver ports available depends on the SSM.

Note - Remember to select a transceiver that matches the speed of the designated port.


Inserting Twisted Pair Transceivers

Twisted pair transceivers can be inserted into:

• Data and management ports on the SSM160

• SFP management ports on the SSM60

Slide the transceiver into the open Security Switch Module port.


Inserting Fiber Optic Transceivers

Fiber transceivers can be inserted into data and management ports on the SSM60 and SSM160 switch modules. The ports can be SFP, SFP+ or XFP.

Slide the transceiver into the open Security Switch Module port.

Inserting QSFP Splitters

1. Insert the QSFP transceiver into the Security Switch Module.

2. Insert the QSFP splitter cable into the transceiver.

This converts the 40GbE QSFP port to 4 x 10GbE ports.


Inserting Front Blank Panels

Blank panels contain cooled air in the appliance. Use the blank panels to close open slots.

To insert a blank panel at the front:

1. Insert the blank panel into the open slot.

2. Tighten the two thumb screws.

Note - Rear blank panels are preinstalled on the Chassis.

Connecting DC Power

Connect the DC PEMs in the 61000 Security System to an external battery power source. You must have a mains DC power supply system that includes batteries and a branch circuit breaker of 125A for each PEM.

The DC PEM is described in DC Power Entry Modules (PEMs) (on page 31).

Required Tools and Parts:

• 4 DC wire leads for each PEM that connects to the DC power supply. Use 6AWG wires. There is no standard for DC wire color coding. Use the color codes on the DC power source (battery) for the DC wire leads.

• 4 lugs (Panduit LCD6-10A-L) for each PEM, to connect the wire leads to the PEM terminal blocks.

• Crimping tool to connect the wire leads to the lugs.

• Wire cutters.

• Hexagonal-head socket wrench, or nut driver for tightening nuts to terminal studs on each PEM.

To connect DC power:

Note - These instructions assume that the PEMs are installed in the 61000 Security System Chassis.

1. Set the branch circuit breakers at the mains to OFF.

2. On the PEM, set all the circuit breakers to OFF.

3. Remove the protective plastic cover.

4. Where the PEM is marked -48/-60 VDC and Return, remove the nuts from the terminal studs. Use a socket wrench or nut driver.

5. Connect the -48/-60 VDC cables to the battery:

a) Using the crimping tool, connect two 6 AWG wire leads to two lugs.

b) Attach the two wired lugs to the -48/-60 VDC terminal studs on the PEM. Use the socket wrench or nut driver.

c) Connect the other ends of the two wires to the -48/-60VDC battery terminal.


6. Connect the Return cables to the battery:

a) Using the crimping tool, connect two 6 AWG wire leads to two lugs.

b) Attach the two wired lugs to the Return terminal studs on the PEM. Use the socket wrench or nut driver.

c) Connect the other ends of the two wires to the Return battery terminal.

7. Make sure that you have correctly connected the battery to the PEM. Do this by using a multimeter to measure the resistance between disconnected PEM wire leads and the Battery Return pole.

For all the PEM wired leads, one at a time:

a) At the battery, disconnect a PEM wire lead from the battery.

b) Connect one multimeter probe to the battery Return and the other probe to the PEM wire lead.

• A very large resistance (indicating an open circuit) shows that the wire lead is connected to the PEM -48/-60VDC terminal.

• A very low resistance (indicating a closed circuit) shows that the wire lead is connected to the PEM Return terminal.

c) Reconnect the PEM wire lead to the battery.

8. At the PEM:

a) Attach the protective plastic cover.

b) Set all the circuit breakers to ON.

9. Do step 2 to step 8 for the second PEM.

10. Set the branch circuit breakers at the mains to ON.


Connecting a Second Chassis

If you have a dual Chassis environment (for Chassis high availability):

1. For the second Chassis, repeat these steps:

a) Step 1: Site Preparation (on page 37)

b) Step 2: Installing the Chassis in a Rack (on page 38)

c) Step 3: Installing Components and Connecting Power Cables ("Step 3: Installing Hardware Components and Connecting Power Cables" on page 39)

2. Connect the second Chassis.

3. On each SSM, connect the sync ports to the corresponding sync ports on the backup Chassis:

• eth1-Sync in Chassis1 to eth1-Sync in Chassis2

• eth2-Sync in Chassis1 to eth2-Sync in Chassis2

4. Make sure to attach the RX cable to the RX ports and the TX cable to the TX ports.


CHAPTER 6

Step 4: Turning on the System

Turning on the Scalable Platform

Connect the appliance to the power source. At power up:

• Fan speed goes to maximum.

• LEDs on the Chassis Management Module light up.

• After 1-60 seconds, fan speed slows down until it reaches the optimum rate for cooling.

• Chassis Management Module ACT and PWR LEDs show green.

• Other LEDs turn off.

Turning off the Scalable Platform

1. Shut down the SGMs:

• If the installation wizard (Step 5) has not yet run, release the levers on each SGM to shut them down.

• If the installation wizard has run, from gclish run:

asg_hard_shutdown -b all

2. Shut down the SSMs and CMMs by releasing the levers.

3. After the LEDs on SGMs, SSMs and CMMs (both Chassis) show a steady blue, unplug the power cords.


CHAPTER 7

Step 5: Dual Chassis System Validation

When you install and configure a dual Chassis deployment in high availability, make sure that all CMMs on each Chassis have the same Chassis ID.

The CMMs on Chassis 1 must include chassis_id 1 (SHMM_CHASSID='1').

The CMMs on Chassis 2 must include chassis_id 2 (SHMM_CHASSID='2').

Note - When you add a new CMM to a Chassis, you must validate the Chassis ID. Make sure that the Chassis is in the Standby mode when you do this.


CHAPTER 8

Step 6: Installing the Software

In This Section:

Before Installing SSM160 Firmware and Software

Installing SSM160 Firmware

Installing the SGM Image

If your Scalable Platform is equipped with SSM160, you must install the SSM160 firmware. Then continue with Installing the SGM Image on page 55.

Before Installing SSM160 Firmware and Software

Installing hardware components and connecting cables:

1. Install all hardware components into the Chassis (SGMs, SSMs and CMMs).

See Step 3: Installing Hardware Components and Connecting Power Cables (on page 39).

2. If you have a dual Chassis environment, connect one Sync cable between both Chassis:

• Connect eth1-Sync on chassis1 to eth1-Sync on chassis2.

3. For IP management of the 61000 Security System, connect a cable to one of the management interfaces on chassis1:

• Connect to the eth1-Mgmt1, if using a 10Gbps network

• Connect to the eth1-Mgmt4, if using a 1Gbps network

Connecting over Console (Serial)

See Connecting over Console (Serial) Port.

Configuring a Security Group and a Management IP Address

1. Start the installation wizard. Run: # setup

2. In the Welcome screen, press any key.

3. Select Set SGMs for Security Group.

Define the SGMs that belong to the Security Group. There are two lines, one for Chassis 1, one for Chassis 2.

In each line, you can enter:

• all (same as 1-12)

• A range, such as: 1-9

• A number of comma-separated ranges, such as: 1-3,5-7

• Single SGMs, such as: 1,4

• A combination of single SGMs and ranges, such as: 10,2,3-7.

By default, the SGM you are connected to belongs to the group: Chassis 1, SGM 1 (Slot 1 in Chassis 1).

For more about Security Gateway Module numbering, see 61000 Security System Front Panel Modules (on page 16).

4. Select Network Connections.

For the management interface, configure:

An IP address

The net mask length

5. Configure Routing.

• If you are directly connected to the management interface: Skip this step.

• If you are not directly connected to the management interface: Define a route which will allow you to access the 61000 Security System.

6. Click Next until you finish the installation wizard. At the SIC stage, enter a dummy key.

Configuration settings are applied, and the Security Gateway Module reboots. Other Security Gateway Modules in the Security Group are installed automatically.

Validating the Initial System Setup

To make sure that the initial system setup is completed successfully:

• Run the asg monitor command. An Initial Policy must be installed on the local SGM after initial setup completes and the SGM reboots.

• To monitor the automatic installation of other SGMs, run: # tail -f /var/log/start_mbs.log

• Wait until the installation process is complete.

The installation process is complete when all the SGMs in the security group are UP and in the Initial Policy state.

SCP password for SSM160 firmware installation

Contact Check Point Support https://www.checkpoint.com/support-services/contact-support/. All firmware installations should be performed with the assistance of Check Point Support.

Installing the SGM Image

Use one of these procedures to install an image on the Security Gateway Modules:

• Using a snapshot import

• Using an ISO image on removable media: DVD or USB

Installing the SGM with Snapshot Import

1. Obtain the snapshot file with the SGM image - see instructions on the R75.40VS for 61000 61000 Security Systems Home Page http://supportcontent.checkpoint.com/solutions?id=sk89900.

2. Connect to the Management Interface of the SGM and copy the file using SCP to the /home/admin directory.

3. Connect to the SGM via SSH or console.

4. Copy the snapshot file to all SGMs, to the /var/log/ directory. Run: asg_cp2blades -b all /home/admin/<snapshot file> /var/log/<snapshot file>

5. Import the snapshot. From gclish, run: set snapshot import <snapshot name, without .tar> path /var/log/

6. Monitor snapshot import progress. From gclish, run: show snapshots

7. After the snapshot import process has finished on all SGMs, revert to the snapshot. From gclish, run: set snapshot revert <snapshot name>

The system is now installed with the latest software and firmware.

Installing the SGM Image from Removable Media

You can install an ISO image on the Security Gateway Modules from a USB stick or DVD.

To copy the ISO image to the removable media:

1. Obtain the ISO image file - see instructions on the R75.40VS for 61000 61000 Security Systems Home Page http://supportcontent.checkpoint.com/solutions?id=sk89900.

2. Copy the file to removable media with one of these steps:

• Burn the ISO file to a DVD.

• Download the Check Point ISOmorphic utility to create a bootable USB device from the ISO. See sk65205 http://supportcontent.checkpoint.com/solutions?id=sk65205.

Make sure that your USB device is compatible with ISOmorphic. See sk92423 for details.

3. You can install many SGMs at one time. Copy the ISO image to many USB sticks or DVD drives.

To install an ISO image on the Security Gateway Modules:

1. Connect the removable media to the left-most Security Gateway Module in one of these ways:

• Connect the USB stick to the USB port.

• Connect an external DVD drive to the USB port. Put the DVD with the ISO file in the DVD drive.

Example:

Item | Description
1 | USB port
2 | One of two latches for extracting and inserting the SGM.

2. Connect the supplied DB9 serial cable to the console port on the front of the left-most SGM on the 61000 Security System.

3. Connect to the left-most SGM using a terminal emulation program.

4. Reboot the SGM by partially sliding it out and immediately pushing it back in place:

a) Loosen the thumb screws at the top and bottom of the SGM.

b) Open the latches at the top and bottom of the SGM.

c) Fasten the latches.

d) Tighten the thumb screws.

5. When the first screen shows, select Install Gaia on the system and press Enter.

6. You must press Enter in 60 seconds, or the computer will try to start from the hard drive. The timer countdown stops once you press Enter. There is no time limit for the subsequent steps.

7. Press OK to continue with the installation.

After the installation, the 61000 Security System begins the boot process and status messages show in the terminal emulation program.

8. Install the SGM image on the other SGMs. To install on one SGM at a time repeat all the steps for each SGM. To install on many SGMs at one time:

a) Insert all the USB sticks or DVD drives into the USB ports of the other SGMs.

b) Do this for one SGM at a time:

Connect to the console.

Reboot the SGM. Partially remove the SGM and then push it back in place.

Select Install Gaia on the system and press Enter.

CHAPTER 9

Step 7: Connecting to the Network

1. Connect the serial cable to the applicable CMM console port on the Control Panel.

For more information, see:

• Control Panel for 64000 and 61000 N+N Security Systems

• Control Panel for 44000 Security System

2. Connect the management ports on the Security Switch Modules to your network.

3. Connect the data ports on the Security Switch Modules to your network.

For more information, see the front panel of your appliance ("Hardware Components" on page 16).

CHAPTER 10

Step 8: Initial Software Configuration

In This Section:

Connecting a Console

Running the Initial Setup

When you install and configure the 61000 Security System, start with the Security Gateway Module furthest to the left in the Chassis. After the first SGM is configured, installation and configuration settings are automatically propagated to all other SGMs in the defined security group. The Security Group is the group of SGMs that make up the Security Gateway.

Note - In SmartDashboard, one Security Gateway object represents all the SGMs in the security group.

Connecting a Console

1. Connect the RJ-45 jack end of a serial cable to the console port on the left-most 61000 Security System in the Chassis.

2. Connect the other end of the serial cable to the computer that you will use to do the initial configuration of the 61000 Security System.

3. On the configuration computer, connect to the 61000 Security System using a terminal emulation application such as PuTTY.

• Make sure the Speed (baud rate) is set to 9600

• No IP address is necessary

4. Log in with username: admin and password: admin.

Running the Initial Setup

1. To start the installation wizard run:

# setup

2. In the Welcome screen, press any key.

3. Select Set SGMs for Security Group.

4. Define the SGMs that belong to the Security Group.

There are two lines, one for Chassis 1, one for chassis 2. In each line, you can enter:

• all (same as 1-12)

• A range, such as: 1-9

• A number of comma-separated ranges, such as: 1-3,5-7

• Single SGMs, such as: 1,4

• A combination of single SGMs and ranges, such as: 10,2,3-7.

By default, the SGM you are connected to belongs to the group: Chassis 1, SGM 1 (slot 1 in chassis 1). To define a fully populated dual chassis system, select all in the top and bottom lines. For more about Security Gateway Module numbering, see the front panel of your appliance ("Hardware Components" on page 16).

5. The subnet for internal communication in the chassis is 192.0.2.0/24 by default. Change the IP address, if it conflicts with an existing subnet on your network.

6. Configure parameters for:

• Host Name

• Time and Date.

To configure the local time, choose the geographical area and city.

7. Select Network Connections.

Configure the management ports and the data ports of the Security Switch Module.

• There are 4 management ports on each SSM. Only configure those ports you intend to use. To associate port names with the physical ports, refer to Security Switch Module Ports ("Security Switch Module" on page 18). For each management port configure:

An IP address

The net mask length

• To associate data port names with the physical ports, refer to Security Switch Module Ports ("Security Switch Module" on page 18). For each data port configure:

An IP address

The net mask length

8. Configure Routing.

Note - Wait 10-20 seconds for routing information to be updated throughout the system.

9. The Welcome to Check Point Suite screen shows. Wait for the Check Point product packages to install.

10. Wait for the:

• Installation Program Completed Successfully message to show

• Check Point Configuration Program to start.

This program guides you through the configuration of Check Point products.

11. Configure Secure Internal Communication.

When prompted, enter and confirm the activation key. Remember this activation key. The same activation key is used for configuring the 61000 Security System object in SmartDashboard.

Configuration settings are applied, and the SGM reboots. The other Security Gateway Modules in the security group install automatically.
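The Security Group selection syntax from step 4 (also used in "Configuring a Security Group and a Management IP Address" earlier) can be checked before it is typed into the wizard. The parser below is an added example, not Check Point code: the function names are hypothetical, and rejecting overlapping, reversed or out-of-range items is an assumption, because the page does not say how the wizard handles them.

```python
import re

MAX_SLOT = 12  # the page documents "all" as the same as 1-12
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_sgm_selection(text, max_slot=MAX_SLOT):
    """Expand one Security Group line (one chassis) into sorted slot numbers."""
    spec = text.strip().lower()
    if spec == "all":
        return list(range(1, max_slot + 1))
    slots = set()
    for raw in spec.split(","):
        match = _ITEM.match(raw.strip())
        if not match:
            raise ValueError(f"malformed item {raw!r} in {text!r}")
        first = int(match.group(1))
        last = int(match.group(2) or first)
        if first > last:
            raise ValueError(f"reversed range {raw.strip()!r}")
        if first < 1 or last > max_slot:
            raise ValueError(f"{raw.strip()!r} is outside slots 1-{max_slot}")
        wanted = set(range(first, last + 1))
        # Assumption: a slot named twice is treated as a typing error.
        if slots & wanted:
            raise ValueError(f"{raw.strip()!r} repeats slots {sorted(slots & wanted)}")
        slots |= wanted
    return sorted(slots)


def format_selection(slots):
    """Collapse slot numbers back into the shortest range notation."""
    ordered = sorted(set(slots))
    parts, i = [], 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        parts.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(parts)


def check_selection(text):
    """Return (True, canonical form) or (False, reason) without raising."""
    try:
        return True, format_selection(parse_sgm_selection(text))
    except ValueError as err:
        return False, str(err)


def plan_security_group(chassis1, chassis2=None):
    """Expand the wizard's two lines into {chassis number: [slots]}."""
    plan = {1: parse_sgm_selection(chassis1)}
    if chassis2 is not None:
        plan[2] = parse_sgm_selection(chassis2)
    return plan


if __name__ == "__main__":
    # The page's own examples, followed by constructed invalid input.
    for line in ("all", "1-9", "1-3,5-7", "1,4", "10,2,3-7", "7-3", "1-3,2", "13"):
        print(f"{line!r:12} -> {check_selection(line)}")
    print(plan_security_group("all", "all"))
```

The canonical form returned by check_selection gives a stable string to compare the intended Security Group against what was entered on each chassis line.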

System Validation

To make sure that the initial system setup completed successfully:

• Run: # asg monitor

An Initial Policy must be installed on the local SGM after initial setup completes and the SGM reboots.

• To monitor the automatic installation of other SGMs, run: # tail -f /var/log/start_mbs.log

• After installation, all the SGMs in the security group must be in the Initial Policy state.

CHAPTER 11

Step 9: SmartDashboard Configuration

In This Section:

Defining a Security Gateway

Configuring a VSX Gateway

The 61000 Security System can work as a Security Gateway or as a VSX Gateway. The Security Management Server must be NGX R65 or higher.

Important - R76 SmartDashboard is not supported. You must download and install the updated SmartDashboard as instructed. See sk98423 http://supportcontent.checkpoint.com/solutions?id=sk98423.

Do one of these procedures:

• Configuring a Security Gateway ("Defining a Security Gateway" on page 62).

• Configuring a VSX Gateway (on page 64).

Defining a Security Gateway

Note - There can be some variations in the Creation Wizard steps due to release updates. In these cases, follow the instructions on the screen.

To configure a Security Gateway:

1. Open SmartDashboard.

2. When prompted, enter your credentials to connect to the Security Management Server.

3. Create a Security Gateway object.

In the Network Objects tree, right-click Check Point and then select New > Check Point > Security Gateway/Management. The Check Point Security Gateway Creation wizard opens.

4. Select Wizard Mode or Classic Mode.

This procedure uses the Wizard mode. If you choose Classic Mode, make sure you set all the necessary configuration parameters.

5. In the General Properties screen, configure:

• Gateway name

• Gateway platform - Select 61000 Appliance.

• Gateway IP address

6. Click Next.

7. In the Secure Internal Communication Initialization screen, enter the One-time password.

This is the same as the Activation Key you entered during the initial setup procedure.

8. Click Next.

9. View the Configuration Summary.

10. Select Edit Gateway properties for further configuration.

11. Click Finish.

The General Properties page of the 61000 Security System object opens.

12. In the General Properties page, make sure the Version is correct.

13. Enable the Firewall Software Blade. Enable other supported Software Blades as necessary.

14. In the navigation tree, select Topology.

15. Configure:

• Interfaces as Internal or External

• Anti-Spoofing.

Note: Only data and management interfaces show in the list.

16. Click OK.

The Security Gateway object closes.

17. Install the Policy.

Confirming the Security Gateway Software Configuration

To make sure that the policy was successfully installed:

1. Connect to the appliance with SSH or a serial console.

2. Run: # asg monitor

3. Make sure that the SGM status is Enforcing Security on the ACTIVE and STANDBY Chassis.

4. Make sure the Policy Date matches the date and time the policy was installed.

To verify the configuration:

After configuring the Security Gateway and installing the policy, validate the configuration using the asg diag command ("Collecting System Diagnostics (asg diag)" on page 90). Use the command to collect and show diagnostic information about the system.

If there is a problem, fix it before using the system.

Configuring a VSX Gateway

The 61000 Security System can work as a Security Gateway or as a VSX Gateway.

This procedure shows how to configure a VSX Gateway in SmartDashboard.

Before creating the VSX Gateway

Understand how VSX works, and the VSX architecture and concepts. Also, you should understand how to deploy and configure your security environment using the VSX Virtual Devices:

• Virtual System

• Virtual System in Bridge Mode

• Virtual Router

• Virtual Switch

To learn about how VSX works, architecture, concepts and Virtual Devices, see the R75.40VS Check Point VSX Administration Guide http://supportcontent.checkpoint.com/solutions?id=sk76540.

The VSX Gateway Wizard

This section explains how to create a new VSX Gateway using the VSX Gateway Wizard.

The VSX Gateway in this example has one Virtual System (VS0) and one dedicated management interface.

After you complete the VSX Gateway Wizard, you can change the VSX Gateway definition from SmartDashboard. For example, you can add Virtual Systems, add or delete interfaces, or configure existing interfaces to support VLANs.

Note - The Check Point VSX Gateway Wizard is version dependent. The steps may vary slightly.

To start the VSX Gateway wizard:

1. Open SmartDashboard.

If you are using Multi-Domain Security Management, open SmartDashboard from the Domain Management Server of the VSX Gateway.

2. From the Network Objects tree, right-click Check Point and select VSX > Gateway.

The General Properties page of the VSX Gateway Wizard opens.

Wizard Step 1: Defining VSX Gateway General Properties

The General Properties page contains basic identification properties for VSX Gateways.

• VSX Gateway Name: Unique, alphanumeric name for the VSX Gateway. The name cannot contain spaces or special characters except the underscore.

• VSX Gateway IP Address: Management interface IP address.

• VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the drop-down list.

Wizard Step 2: Selecting Virtual Systems Creation Templates

The Creation Templates page lets you configure predefined, default topology and routing definitions for Virtual Systems. This makes sure that Virtual Systems are consistent and makes the definition process faster. You always have the option to override the default creation template when you create or change a Virtual System.

The Creation Templates are:

• Shared Interface - Not supported for the Scalable Platform.

• Separate Interfaces: Virtual Systems use their own separate internal and external interfaces. This template creates a Dedicated Management Interface (DMI) by default.

• Custom Configuration: Define Virtual System, Virtual Switch, and Interface configurations.

For this example, choose Custom configuration.

Wizard Step 3: Establishing SIC Trust

Initialize SIC trust between the VSX Gateway and the management server. The gateway and server cannot communicate without Trust.

Initializing SIC Trust

When you create a VSX Gateway, you must enter the Activation Key that you defined in the installation wizard setup program ("Running the Initial Setup" on page 60). Enter and confirm the activation key and then click Initialize. If you enter the correct activation key, the Trust State changes to Trust established.

For more about SIC trust, see the R75.40VS VSX Administration Guide http://supportcontent.checkpoint.com/documentation_download?ID=16383.

Wizard Step 4: Defining Physical Interfaces

In the VSX Gateway Interfaces window, define physical interfaces as VLAN trunks. The window shows the interfaces currently defined on the VSX Gateway.

To define an interface as a VLAN trunk, select VLAN Trunk for the interface.

Virtual Network Device Configuration

If you chose the Custom Configuration option, the Virtual Network Device Configuration window opens. In this window, define a Virtual Device with an interface shared with the VSX Gateway. If you do not want to define a Virtual Device at this time, click Next to continue.

To define a Virtual Device with a shared interface:

1. Select Create a Virtual Device.

2. Select the Virtual Network Device type (Virtual Router or Virtual Switch).

3. Select the shared physical interface to define a non-DMI gateway.

Do not select the management interface if you want to define a Dedicated Management Interface (DMI) gateway. If you do not define a shared Virtual Device, a DMI gateway is created by default.

Important - This setting cannot be changed after you complete the VSX Gateway Wizard. If you define a non-DMI gateway, you cannot change it to a DMI gateway later.

4. Define the IP address and Net Mask for a Virtual Router.

These options are not available for a Virtual Switch.

5. Optional: Define a Default Gateway for a Virtual Router (DMI only).

Wizard Step 6: VSX Gateway Management

In the VSX Gateway Management window, define security policy rules that protect the VSX Gateway. This policy is installed automatically on the new VSX Gateway.

Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual Systems, other Virtual Devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules for these services:

• UDP - SNMP requests

• TCP - SSH traffic

• ICMP - Echo-request (ping)

• TCP - HTTPS traffic

To Modify the Gateway Security Policy

1. Allow: Select to pass traffic on the selected services. Clear this option to block traffic on this service. By default, all services are blocked.

For example, to be able to ping the gateway from the management server, allow ICMP echo-request traffic.

2. Source: Click the arrow and select a Source Object from the list.

The default value is *Any. Click New Source Object to define a new source.

You can modify the security policy rules that protect the VSX Gateway later.

3. Click Next.

Completing the VSX Wizard

Click Next to continue and then click Finish to complete the VSX Gateway wizard.

This may take several minutes to complete. A message shows successful or unsuccessful completion of the process.

If the process ends unsuccessfully, click View Report to see the error messages. See the Troubleshooting chapter.

Confirming the VSX Gateway Software Configuration

To make sure that the policy was successfully installed:

1. Connect to the appliance with an SSH client or the serial console.

2. Run: # asg monitor -vs all

3. Make sure that the status for SGMs is Enforcing Security on the Active and Standby Chassis, for all Virtual Systems.

This example shows the output for a dual Chassis VSX Gateway. Chassis 1 (Active) has 1 SGM in its Security Group.

--------------------------------------------------------------------------------
| Chassis 1 ACTIVE                                                             |
--------------------------------------------------------------------------------
| SGM     | 1 (local)            | -                    | -                    |
--------------------------------------------------------------------------------
| State   | UP                   | -                    | -                    |
--------------------------------------------------------------------------------
| VS ID                                                                        |
--------------------------------------------------------------------------------
| 0       | Enforcing Security   | -                    | -                    |
--------------------------------------------------------------------------------

4. You can now add more SGMs to the Security Group. Run: # asg security_group

5. After all SGMs are UP and enforcing Security, you can add Virtual Systems to the VSX Gateway.

Basic Configuration Using gclish

Use the gclish shell for basic system configuration.

Virtual Context

To: | Run | Applicable Modes
Move to a different virtual context | # set virtual-system <vsid> | VSX Gateway

Interfaces

To: | Run | Applicable Modes
Set an IPv4 address on an interface | # set interface eth1-01 ipv4-address 192.0.20.10 mask-length 24 | Security Gateway
Show the IPv4 interface address | # show interface eth1-01 ipv4-address | Security Gateway, VSX Gateway
Delete the IPv4 address from an interface | # delete interface eth1-01 ipv4-address | Security Gateway

Hostname

To: | Run | Applicable Modes
Set the hostname | # set hostname <security system name> (Each SGM gets its local identity as suffix. For example: gcp-X1000-ch01-04) | Security Gateway, VSX Gateway
Show the hostname | # show hostname | Security Gateway, VSX Gateway

Routes

To: | Run | Applicable Modes
Set a default route | # set static-route default nexthop gateway address 192.0.20.1 on | Security Gateway
Show the route table | # show route | Security Gateway, VSX Gateway

Bonds

To: | Run | Applicable Modes
Create a bond and assign an interface to it | # add bonding group 1000 interface eth2-03 | Security Gateway, VSX Gateway
Show existing bonds | # show bonding groups | Security Gateway, VSX Gateway

VLANs

To: | Run | Applicable Modes
Add a VLAN interface | # add interface eth2-02 vlan 1023 | Security Gateway
Show a VLAN interface | # show interface eth2-02 vlans | Security Gateway, VSX Gateway

Image Management (Snapshots)

To: | Run | Applicable Modes
Add a snapshot | # add snapshot <snapshot name> desc <description> | Security Gateway, VSX Gateway
Revert to a snapshot | # set snapshot revert <snapshot name> | Security Gateway, VSX Gateway
Show snapshots and monitor snapshot progress | # show snapshots | Security Gateway, VSX Gateway

CHAPTER 12

Licensing and Registration

61000 Security Systems have an initial 15-day evaluation license. After the evaluation license expires, you must license and register the system.

Each chassis is licensed separately. If you have a dual chassis system, you must install two licenses.

The license key (CK) is the chassis serial number. The chassis serial number is printed on the chassis sticker. You can also retrieve the chassis serial number from the CMM.

To retrieve the serial number from the CMM:

1. Connect to one of the SGMs on the chassis over SSH or console.

2. Get the IP address of the CMM by running (from gclish): gaia> show chassis id all module CMM1 ip

3. Using the IP address, open an SSH connection to the CMM:

# ssh <IP Address of CMM>

Log in with these credentials:

• Username: admin

• Password: admin

4. On the CMM, run: # clia fruinfo 20 254

5. The output shows the Chassis Serial Number.

To register the 61000 Security System

1. Log in to the User Center https://usercenter.checkpoint.com.

2. In the applicable account, search for the chassis serial number.

3. Generate a license based on the IP address of the SSM interface connected to your Security Management Server.

Note - Because the 61000 Security System has a single Management IP address, in dual chassis environments, the Active and Standby chassis should be bound to the same IP address in the license. Generate two licenses and enter the same IP address in each license.

4. Install the license on the system.

• If you use the cplic put command, run it from gclish, so that it applies to all SGMs.

• Run the cplic put command twice, if you have a dual chassis environment.

CHAPTER 13

Monitoring and Configuration

In This Section:

Showing Chassis and Component States (asg stat)

Monitoring Chassis and Component Status (asg monitor)

Monitoring Performance Indicators and Statistics (asg perf)

Monitoring Hardware Components (asg hw_monitor)

Monitoring SGM Resources (asg resource)

Searching for a Connection (asg search)

Configuring Alerts for SGM and Chassis Events (asg alert)

Monitoring the System with SNMP

This section lists the most important gclish commands that you can use to monitor and configure the Scalable Platform.

Showing Chassis and Component States (asg stat)

Use this command to show the Chassis and hardware component state for single and dual Chassis configurations. The command shows system:

• Up-time

• CPU load: average and current

• Concurrent connections

• Health

Use Verbose mode to show SGM state, process and policy.

Syntax

> asg stat [-v] [-vs <vs_ids>] [-l]

Note - If you run this command in a VSX context, the output is for the applicable Virtual System.

Parameter Description

-v Show detailed Chassis status (verbose mode).

-vs <vs_ids> Shows the Chassis status of Virtual Systems.

<vs_ids> can be:

• No <vs_ids> (default) - Shows the current Virtual System context.

• One Virtual System.

• A comma-separated list of Virtual Systems (1, 2, 4, 5).

• A range of Virtual Systems (VS 3-5).

• all - Shows all Virtual Systems.

Note: This parameter is only relevant in a VSX environment.

For a Chassis with more than 3 SGMs, the output uses abbreviations to make the output more compact.

-l Show the meaning of the abbreviations in the output for a Chassis with more than 3 SGMs.

Monitoring Chassis and Component Status (asg monitor)

Use this command to continuously monitor Chassis and component status. This command shows the same information as asg stat, but the information stays on the screen and refreshes at user-specified intervals (default = 1 second). To stop the monitor session, press Ctrl-c.

Note - If you run this command in a Virtual System context, you see only the output for that Virtual System. You can also specify the Virtual System as a command parameter.

Syntax

> asg monitor
> asg monitor [-v|-all] [-amw] [-vs <vs_ids>] <interval>
> asg monitor -l
> asg monitor -h

Parameter Description

No parameters Shows the SGM status.

-h Shows the command syntax and help information.

-amw Shows the Anti-Malware policy date instead of the Firewall policy date.

-v Shows only Chassis component status.

-all Shows both SGM and Chassis component status.

<interval> Sets the data refresh interval (in seconds) for this session.

-vs <vs_ids> Shows the component status for one or more Virtual Systems. <vs_ids> can be:

• No <vs_ids> (default) - Shows the current Virtual System context.

• One Virtual System.

• A comma-separated list of Virtual Systems (1, 2, 4, 5).

• A range of Virtual Systems (VS 3-5).

• all - Shows all Virtual Systems.

Note: This parameter is only relevant in a VSX environment.

For a Chassis with more than 3 SGMs, the output has abbreviations to make the output more compact.

-l Shows legend of column title abbreviations.

Examples

This example shows the SGM status with the Anti-Malware policy date.

> asg monitor -amw
---------------------------------------------------------------------------
| Chassis 1 ACTIVE                                                        |
---------------------------------------------------------------------------
| SGM ID        State     Process                 AMW Policy Date         |
| 1             UP        Enforcing Security      10Feb14 19:56           |
| 2 (local)     UP        Enforcing Security      10Feb14 19:56           |
| 3             UP        Enforcing Security      10Feb14 19:56           |
| 4             UP        Enforcing Security      10Feb14 19:56           |
---------------------------------------------------------------------------
| Chassis 2 STANDBY                                                       |
---------------------------------------------------------------------------
| SGM ID        State     Process                 AMW Policy Date         |
| 1             UP        Enforcing Security      10Feb14 19:56           |
| 2             UP        Enforcing Security      10Feb14 19:56           |
| 3             UP        Enforcing Security      10Feb14 19:56           |
| 4             UP        Enforcing Security      10Feb14 19:56           |
---------------------------------------------------------------------------
| Chassis HA mode: Active Up                                              |
---------------------------------------------------------------------------
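The validation steps in this guide (every SGM UP and Enforcing Security, and a policy date that matches the installed policy) can be applied mechanically to output in the layout of the example above. This is an added example, not Check Point tooling: the sample text is constructed, the wording of the DOWN row is an assumption, and the column layout may differ in other releases.

```python
import re

# Constructed sample in the layout of the "asg monitor -amw" example.
# Chassis 2 rows 2 and 3 are altered to show failures; the DOWN row's
# "Inactive" and "NA" values are assumptions, not captured output.
SAMPLE = """\
---------------------------------------------------------------------------
| Chassis 1 ACTIVE                                                        |
---------------------------------------------------------------------------
| SGM ID        State     Process                 AMW Policy Date         |
| 1             UP        Enforcing Security      10Feb14 19:56           |
| 2 (local)     UP        Enforcing Security      10Feb14 19:56           |
---------------------------------------------------------------------------
| Chassis 2 STANDBY                                                       |
---------------------------------------------------------------------------
| SGM ID        State     Process                 AMW Policy Date         |
| 1             UP        Enforcing Security      10Feb14 19:56           |
| 2             UP        Initial Policy          09Feb14 08:12           |
| 3             DOWN      Inactive                NA                      |
---------------------------------------------------------------------------
| Chassis HA mode: Active Up                                              |
---------------------------------------------------------------------------
"""

CHASSIS = re.compile(r"^\|\s*Chassis\s+(\d+)\s+(ACTIVE|STANDBY)\s*\|$")
ROW = re.compile(r"^\|\s*(\d+)\s*(\(local\))?\s+(\S+)\s+(.+?)\s*\|$")


def parse_asg_monitor(text):
    """Return one dict per SGM row, tagged with its chassis number and role."""
    rows, chassis, role = [], None, None
    for line in text.splitlines():
        line = line.strip()
        found = CHASSIS.match(line)
        if found:
            chassis, role = int(found.group(1)), found.group(2)
            continue
        found = ROW.match(line)
        if not found or chassis is None:
            continue  # rulers, column titles, the HA mode line
        # Remaining columns are separated by runs of two or more spaces.
        fields = re.split(r"\s{2,}", found.group(4))
        rows.append({
            "chassis": chassis,
            "role": role,
            "sgm": int(found.group(1)),
            "local": found.group(2) is not None,
            "state": found.group(3),
            "process": fields[0],
            "policy_date": fields[1] if len(fields) > 1 else None,
        })
    return rows


def find_problems(rows, expected_policy_date):
    """Return (chassis, sgm, kind, observed) for every failed check."""
    if not rows:
        # Nothing parsed must never be reported as a healthy system.
        return [(None, None, "no_rows", "no SGM rows parsed")]
    problems = []
    for row in rows:
        key = (row["chassis"], row["sgm"])
        if row["state"] != "UP":
            problems.append(key + ("state", row["state"]))
            continue  # process and date are meaningless for a down SGM
        if row["process"] != "Enforcing Security":
            problems.append(key + ("process", row["process"]))
        if row["policy_date"] != expected_policy_date:
            problems.append(key + ("policy_date", row["policy_date"]))
    return problems


if __name__ == "__main__":
    for chassis, sgm, kind, observed in find_problems(
            parse_asg_monitor(SAMPLE), "10Feb14 19:56"):
        print(f"chassis {chassis} SGM {sgm}: unexpected {kind}: {observed}")
```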

This example shows the Chassis component status.

> asg monitor -v
-----------------------------------------------------------------------------
| Chassis Parameters                                                        |
-----------------------------------------------------------------------------
| Unit                  Chassis 1       Chassis 2       Unit Weight         |
|                                                                           |
| SGMs                  4 / 4           3 / 4 (!)       6                   |
| Ports                                                                     |
|   Standard            2 / 2           2 / 2           11                  |
|   Bond                2 / 2           2 / 2           11                  |
|   Mgmt                1 / 1           1 / 1           11                  |
|   Other               0 / 0           0 / 0           6                   |
| Sensors                                                                   |
|   Fans                4 / 6 (!)       6 / 6           5                   |
|   SSMs                2 / 2           2 / 2           11                  |
|   CMMs                2 / 2           2 / 2           6                   |
|   Power Supplies      3 / 5 (!)       3 / 5 (!)       6                   |
|                                                                           |
| Chassis Grade         157 / 173       155 / 173       -                   |
-----------------------------------------------------------------------------
| Minimum grade gap for chassis failover:       200                         |
| Synchronization                                                           |
|   Within chassis:     Enabled (Default)                                   |
|   Between chassis:    Enabled (Default)                                   |
|   Exception Rules:    (Default)                                           |
-----------------------------------------------------------------------------
| Chassis HA mode:      Primary Up (Chassis 1)                              |
-----------------------------------------------------------------------------


This example shows the status of the SGMs and Virtual System 3.

> asg monitor -vs 3
--------------------------------------------------------------------------------
| Chassis 1 ACTIVE                                                             |
--------------------------------------------------------------------------------
|SGM   |1 (l)|2    |3    |4    |  -  |  -  |  -  |  -  |  -  |  -  |  -  |  -  |
--------------------------------------------------------------------------------
|State | UP  | UP  | UP  | DWN |  -  |  -  |  -  |  -  |  -  |  -  |  -  |  -  |
--------------------------------------------------------------------------------
| VS ID                                                                        |
--------------------------------------------------------------------------------
| 3    | ES  | ES  | ES  | IAC |  -  |  -  |  -  |  -  |  -  |  -  |  -  |  -  |
--------------------------------------------------------------------------------

Monitoring Performance Indicators and Statistics (asg perf)

Use this command to continuously monitor key performance indicators and load statistics.

Syntax

asg perf [-b <SGM_string>] [-vs <VS_string>] [-v] [-p] [-a] [-k[--last|--hist]] [-e]

Parameter Description

-b <SGM_string> Shows results for SGMs and/or Chassis as specified by <SGM_string>.

The <SGM_string> can be:

• No <SGM_string> or all - Shows all SGMs and Chassis

• One SGM

• A comma-separated list of SGMs (1_1,1_4)

• A range of SGMs (1_1-1_4)

• One Chassis (Chassis1 or Chassis2)

• The active Chassis (chassis_active)

-vs <VS_string> For VSX Gateway only: List of Virtual Systems. For example:

1 VS 1

1,3-5 VS 1,2,4,5

all All VSs

Note: In a VSX Gateway, if no -vs option is specified, the command runs in the context of the current VS.

-v Verbose mode: Per-SGM display.

Show performance statistics (including load and acceleration load) on the Active Chassis.


-p Show detailed statistics and traffic distribution between these paths on the Active Chassis:

• Acceleration path (Performance Pack).

• Medium path (PXL).

• Slow path (Firewall).

-a Show absolute values.

-k Shows peak values for connection rate, concurrent connections and throughput.

-h Display usage.

Example

If no SGMs are specified, the command shows performance statistics for the Active Chassis:

> asg perf -v

Output

Notes:

Load Average = CPU load.


Monitoring Hardware Components (asg hw_monitor)

Use this command to show per-Chassis hardware information and thresholds for monitored components:

• Security Gateway Module - CPU temperature per socket

• Chassis fan speeds

• Security Switch Module - Throughput rates

• Power consumption per Chassis

• Power Supply Unit: Whether installed or not, and PSU fan speed

• Chassis Management Module - Installed, Active or Standby

Syntax asg hw_monitor [-v] [-f <filter>]

Parameter Description

-v Show detailed component status report (verbose)

-f Show status of one or more specified (filtered) components

<filter> One or more of these component types, in a comma separated list:

CMM CPUtemp Fan PowerConsumption PowerUnit SSM

Sample Output for the 61000 Security System

# asg hw_monitor -v
------------------------------------------------------------------------------
| Hardware Monitor                                                           |
------------------------------------------------------------------------------
| Sensor           | Location       | Value | Threshold | Units       | State|
------------------------------------------------------------------------------
| Chassis 1                                                                  |
------------------------------------------------------------------------------
| CMM              | bay 1          | 1     | 0         | <S,D>/<A>   | 1    |
| CMM              | bay 2          | 0     | 0         | <S,D>/<A>   | 1    |
| CPUtemp          | blade 1, CPU0  | 45    | 65        | Celsius     | 1    |
| CPUtemp          | blade 1, CPU1  | 39    | 65        | Celsius     | 1    |
| CPUtemp          | blade 2, CPU0  | 44    | 65        | Celsius     | 1    |
| CPUtemp          | blade 2, CPU1  | 39    | 65        | Celsius     | 1    |
| CPUtemp          | blade 3, CPU0  | 44    | 65        | Celsius     | 1    |
| CPUtemp          | blade 3, CPU1  | 38    | 65        | Celsius     | 1    |
| CPUtemp          | blade 4, CPU0  | 47    | 65        | Celsius     | 1    |
| CPUtemp          | blade 4, CPU1  | 42    | 65        | Celsius     | 1    |
| CPUtemp          | blade 5, CPU0  | 46    | 65        | Celsius     | 1    |
| CPUtemp          | blade 5, CPU1  | 47    | 65        | Celsius     | 1    |
| CPUtemp          | blade 6, CPU0  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 6, CPU1  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 7, CPU0  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 7, CPU1  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 8, CPU0  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 8, CPU1  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 9, CPU0  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 9, CPU1  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 10, CPU0 | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 10, CPU1 | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 11, CPU0 | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 11, CPU1 | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 12, CPU0 | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 12, CPU1 | 0     | 65        | Celsius     | 0    |
| Fan              | bay 1, fan 1   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 2   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 1   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 2   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 3, fan 1   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 3, fan 2   | 3     | 11        | Speed Level | 1    |
| PowerConsumption | N/A            | 2711  | 4050      | Watts       | 1    |
| PowerUnit(AC)    | bay 1          | 0     | 0         | NA          | 1    |
| PowerUnit(AC)    | bay 2          | 0     | 0         | NA          | 1    |
| PowerUnit(AC)    | bay 3          | 0     | 0         | NA          | 1    |
| PowerUnit(AC)    | bay 4          | 0     | 0         | NA          | 0    |
| PowerUnit(AC)    | bay 5          | 0     | 0         | NA          | 0    |
| PowerUnitFan     | bay 1, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 1, fan 2   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 2, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 2, fan 2   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 3, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 3, fan 2   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 4, fan 1   | 0     | 0         | NA          | 0    |
| PowerUnitFan     | bay 4, fan 2   | 0     | 0         | NA          | 0    |
| PowerUnitFan     | bay 5, fan 1   | 0     | 0         | NA          | 0    |
| PowerUnitFan     | bay 5, fan 2   | 0     | 0         | NA          | 0    |
| SSM              | bay 1          | 0     | 0         | Mbps        | 1    |
| SSM              | bay 2          | 0     | 0         | Mbps        | 1    |
------------------------------------------------------------------------------
| Chassis 2                                                                  |
------------------------------------------------------------------------------
| CMM              | bay 1          | 1     | 0         | <S,D>/<A>   | 1    |
| CMM              | bay 2          | 0     | 0         | <S,D>/<A>   | 1    |
| CPUtemp          | blade 1, CPU0  | 46    | 65        | Celsius     | 1    |
| CPUtemp          | blade 1, CPU1  | 46    | 65        | Celsius     | 1    |
| CPUtemp          | blade 2, CPU0  | 48    | 65        | Celsius     | 1    |
| CPUtemp          | blade 2, CPU1  | 49    | 65        | Celsius     | 1    |
| CPUtemp          | blade 3, CPU0  | 46    | 65        | Celsius     | 1    |
| CPUtemp          | blade 3, CPU1  | 47    | 65        | Celsius     | 1    |
| CPUtemp          | blade 4, CPU0  | 46    | 65        | Celsius     | 1    |
| CPUtemp          | blade 4, CPU1  | 50    | 65        | Celsius     | 1    |
| CPUtemp          | blade 5, CPU0  | 50    | 65        | Celsius     | 1    |
| CPUtemp          | blade 5, CPU1  | 49    | 65        | Celsius     | 1    |
| CPUtemp          | blade 6, CPU0  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 6, CPU1  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 7, CPU0  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 7, CPU1  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 8, CPU0  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 8, CPU1  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 9, CPU0  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 9, CPU1  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 10, CPU0 | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 10, CPU1 | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 11, CPU0 | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 11, CPU1 | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 12, CPU0 | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 12, CPU1 | 0     | 65        | Celsius     | 0    |
| Fan              | bay 1, fan 1   | 5     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 2   | 5     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 1   | 5     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 2   | 5     | 11        | Speed Level | 1    |
| Fan              | bay 3, fan 1   | 5     | 11        | Speed Level | 1    |
| Fan              | bay 3, fan 2   | 5     | 11        | Speed Level | 1    |
| PowerConsumption | N/A            | 2711  | 4050      | Watts       | 1    |
| PowerUnit(AC)    | bay 1          | 0     | 0         | NA          | 1    |
| PowerUnit(AC)    | bay 2          | 0     | 0         | NA          | 1    |
| PowerUnit(AC)    | bay 3          | 0     | 0         | NA          | 1    |
| PowerUnit(AC)    | bay 4          | 0     | 0         | NA          | 0    |
| PowerUnit(AC)    | bay 5          | 0     | 0         | NA          | 0    |
| PowerUnitFan     | bay 1, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 1, fan 2   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 2, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 2, fan 2   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 3, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 3, fan 2   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 4, fan 1   | 0     | 0         | NA          | 0    |
| PowerUnitFan     | bay 4, fan 2   | 0     | 0         | NA          | 0    |
| PowerUnitFan     | bay 5, fan 1   | 0     | 0         | NA          | 0    |
| PowerUnitFan     | bay 5, fan 2   | 0     | 0         | NA          | 0    |
| SSM              | bay 1          | 0     | 0         | Mbps        | 1    |
| SSM              | bay 2          | 0     | 0         | Mbps        | 1    |
------------------------------------------------------------------------------

Sample Output for 41000 Security System

------------------------------------------------------------------------------
| Hardware Monitor                                                           |
------------------------------------------------------------------------------
| Sensor           | Location       | Value | Threshold | Units       | State|
------------------------------------------------------------------------------
| Chassis 1                                                                  |
------------------------------------------------------------------------------
| CMM              | bay 1          | 0     | 0         | <S,D>/<A>   | 1    |
| CMM              | bay 2          | 1     | 0         | <S,D>/<A>   | 1    |
| CPUtemp          | blade 1, CPU0  | 47    | 65        | Celsius     | 1    |
| CPUtemp          | blade 1, CPU1  | 46    | 65        | Celsius     | 1    |
| CPUtemp          | blade 2, CPU0  | 46    | 65        | Celsius     | 1    |
| CPUtemp          | blade 2, CPU1  | 44    | 65        | Celsius     | 1    |
| CPUtemp          | blade 3, CPU0  | 46    | 65        | Celsius     | 1    |
| CPUtemp          | blade 3, CPU1  | 45    | 65        | Celsius     | 1    |
| CPUtemp          | blade 4, CPU0  | 45    | 65        | Celsius     | 1    |
| CPUtemp          | blade 4, CPU1  | 46    | 65        | Celsius     | 1    |
| Fan              | bay 1, fan 1   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 2   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 3   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 4   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 5   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 6   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 7   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 8   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 9   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 10  | 4     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 1   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 2   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 3   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 4   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 5   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 6   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 7   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 8   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 9   | 4     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 10  | 4     | 11        | Speed Level | 1    |
| PowerConsumption | N/A            | 1894  | 4050      | Watts       | 1    |
| PowerUnit(AC)    | bay 1          | 0     | 0         | NA          | 1    |
| PowerUnit(AC)    | bay 2          | 0     | 0         | NA          | 1    |
| PowerUnit(AC)    | bay 3          | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 1, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 1, fan 2   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 2, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 2, fan 2   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 3, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 3, fan 2   | 0     | 0         | NA          | 1    |
| SSM              | bay 1          | 40    | 0         | Mbps        | 1    |
| SSM              | bay 2          | 0     | 0         | Mbps        | 1    |
------------------------------------------------------------------------------
| Chassis 2                                                                  |
------------------------------------------------------------------------------
| CMM              | bay 1          | 1     | 0         | <S,D>/<A>   | 1    |
| CMM              | bay 2          | 0     | 0         | <S,D>/<A>   | 1    |
| CPUtemp          | blade 1, CPU0  | 47    | 65        | Celsius     | 0    |
| CPUtemp          | blade 1, CPU1  | 51    | 65        | Celsius     | 0    |
| CPUtemp          | blade 2, CPU0  | 46    | 65        | Celsius     | 1    |
| CPUtemp          | blade 2, CPU1  | 56    | 65        | Celsius     | 1    |
| CPUtemp          | blade 3, CPU0  | 49    | 65        | Celsius     | 1    |
| CPUtemp          | blade 3, CPU1  | 51    | 65        | Celsius     | 1    |
| CPUtemp          | blade 4, CPU0  | 0     | 65        | Celsius     | 0    |
| CPUtemp          | blade 4, CPU1  | 0     | 65        | Celsius     | 0    |
| Fan              | bay 1, fan 1   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 2   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 3   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 4   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 5   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 6   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 7   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 8   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 9   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 1, fan 10  | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 1   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 2   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 3   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 4   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 5   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 6   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 7   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 8   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 9   | 3     | 11        | Speed Level | 1    |
| Fan              | bay 2, fan 10  | 3     | 11        | Speed Level | 1    |
| PowerConsumption | N/A            | 1624  | 4050      | Watts       | 1    |
| PowerUnit(AC)    | bay 1          | 0     | 0         | NA          | 1    |
| PowerUnit(AC)    | bay 2          | 0     | 0         | NA          | 1    |
| PowerUnit(AC)    | bay 3          | 0     | 0         | NA          | 0    |
| PowerUnitFan     | bay 1, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 1, fan 2   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 2, fan 1   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 2, fan 2   | 0     | 0         | NA          | 1    |
| PowerUnitFan     | bay 3, fan 1   | 0     | 0         | NA          | 0    |
| PowerUnitFan     | bay 3, fan 2   | 0     | 0         | NA          | 0    |
| SSM              | bay 1          | 2     | 0         | Mbps        | 1    |
| SSM              | bay 2          | 0     | 0         | Mbps        | 1    |
------------------------------------------------------------------------------


Notes

Column Meaning

Location To identify the location, see the 61000 Security System Front Panel ("61000 Security System Front Panel Modules" on page 16).

Value, Threshold, Units Most components have a defined threshold value. The threshold gives an indication of the health and functionality of the component. When the value of the resource is greater than the threshold, an alert is sent ("Configuring Alerts for SGM and Chassis Events (asg alert)" on page 85).

State 0 = Component not installed, 1 = Component is installed

Monitoring SGM Resources (asg resource)

Use this command to show SGM resource usage and thresholds for the entire 61000 Security System.

Syntax

> asg resource [-b <sgm_ids>]
> asg resource -h

Parameter Description

-b <sgm_ids> Works with SGMs and/or Chassis as specified by <sgm_ids>.

<sgm_ids> can be:

• No <sgm_ids> specified or all shows all SGMs and Chassis

• One SGM

• A comma-separated list of SGMs (1_1,1_4)

• A range of SGMs (1_1-1_4)

• One Chassis (Chassis1 or Chassis2)

• The active Chassis (chassis_active)

-h Shows usage and exits

Example

> asg resource
+-----------------------------------------------------------------------------------+
|Resource Table                                                                     |
+------------+-------------------------+------------+------------+------------------+
|SGM ID      |Resource Name            |Usage       |Threshold   |Total             |
+------------+-------------------------+------------+------------+------------------+
|1_01        |Memory                   |31%         |50%         |31.3G             |
|            |HD: /                    |30%         |80%         |19.4G             |
|            |HD: /var/log             |3%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_02        |Memory                   |31%         |50%         |31.3G             |
|            |HD: /                    |30%         |80%         |19.4G             |
|            |HD: /var/log             |2%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_03        |Memory                   |31%         |50%         |31.3G             |
|            |HD: /                    |30%         |80%         |19.4G             |
|            |HD: /var/log             |2%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_04        |Memory                   |30%         |50%         |31.3G             |
|            |HD: /                    |29%         |80%         |19.4G             |
|            |HD: /var/log             |2%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_01        |Memory                   |31%         |50%         |31.3G             |
|            |HD: /                    |30%         |80%         |19.4G             |
|            |HD: /var/log             |2%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_02        |Memory                   |31%         |50%         |31.3G             |
|            |HD: /                    |30%         |80%         |19.4G             |
|            |HD: /var/log             |2%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_03        |Memory                   |31%         |50%         |31.3G             |
|            |HD: /                    |30%         |80%         |19.4G             |
|            |HD: /var/log             |3%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_04        |Memory                   |31%         |50%         |31.3G             |
|            |HD: /                    |30%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+

Notes

• The SGM column shows the SGM ID.

• The Resource column identifies the resource. There are four types of resources:

• Memory

• HD – Hard drive space (/)

• HD: /var/log – Space on hard drive committed to log files

• HD: /boot - Location of the kernel

• The Usage column shows the percentage of the resource in use.

• The Threshold gives an indication of the health and functionality of the component. When the value of the resource is greater than the threshold, an alert is sent. The threshold can be modified in gclish.

• The Total column shows the total absolute value, in units.

For example, the first row shows that SGM1 on Chassis 1 has 31.3 GB of memory, 31% of which is used. An alert is sent if the usage is greater than 50%.
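The threshold rule from the Notes above, applied to captured asg resource output. This is an added example, not Check Point code: the function names, the margin parameter and the SGM 1_02 figures in the sample are assumptions made for the illustration.

```python
from typing import NamedTuple

# Constructed sample in the layout of the "asg resource" output above.
# The 50% memory and 83% /var/log figures on SGM 1_02 are made up for the demo.
SAMPLE = """\
+-----------------------------------------------------------------------------------+
|Resource Table                                                                     |
+------------+-------------------------+------------+------------+------------------+
|SGM ID      |Resource Name            |Usage       |Threshold   |Total             |
+------------+-------------------------+------------+------------+------------------+
|1_01        |Memory                   |31%         |50%         |31.3G             |
|            |HD: /                    |30%         |80%         |19.4G             |
|            |HD: /var/log             |3%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_02        |Memory                   |50%         |50%         |31.3G             |
|            |HD: /                    |30%         |80%         |19.4G             |
|            |HD: /var/log             |83%         |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
"""


class Resource(NamedTuple):
    sgm: str        # SGM ID, e.g. "1_02"
    name: str       # "Memory", "HD: /var/log", ...
    usage: int      # percent in use
    threshold: int  # alert threshold, percent
    total: str      # total size as printed, e.g. "58.1G"


def parse_asg_resource(text):
    """Parse the Resource Table into one Resource per data row."""
    rows, current_sgm = [], None
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("|") and line.endswith("|")):
            continue  # "+----+" separators, prompts, blank lines
        cells = [c.strip() for c in line.split("|")[1:-1]]
        if len(cells) != 5 or not cells[2].endswith("%"):
            continue  # table title and column-header rows
        if cells[0]:
            current_sgm = cells[0]  # only the first row of a block names the SGM
        if current_sgm is None:
            raise ValueError(f"resource row before any SGM ID: {line}")
        rows.append(Resource(current_sgm, cells[1],
                             int(cells[2].rstrip("%")),
                             int(cells[3].rstrip("%")),
                             cells[4]))
    return rows


def over_threshold(rows, margin=0):
    """Rows whose usage is greater than (threshold - margin).

    margin=0 mirrors the rule in the Notes: an alert is sent when usage is
    greater than the threshold, so usage equal to the threshold is not flagged.
    margin>0 is an early-warning band added for this example, not a product setting.
    """
    return [r for r in rows if r.usage > r.threshold - margin]


if __name__ == "__main__":
    for r in over_threshold(parse_asg_resource(SAMPLE), margin=5):
        print(f"{r.sgm} {r.name}: {r.usage}% (threshold {r.threshold}%, total {r.total})")
```
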


Searching for a Connection (asg search)

Description

Use this command to:

• Search for a connection.

• Find out which SGM handles the connection (actively or as backup), and which Chassis.

Syntax

asg search
asg search <src> <dst> <dport> <ipp> <sport>
asg search -v
asg search -help

Parameter Description

asg search Run in interactive mode. In this mode you are asked to enter the connection's 5-tuple parameters. Each parameter can be a wildcard. Press Enter for a wildcard.

asg search <src> <dst> <dport> <ipp> <sport>

Run from the command line. Each parameter can be replaced by * for a wildcard. If you specify only a few parameters, the wildcard is used for the others.

-v Verbose mode

-help Display usage

Example 1

asg search <source IP> <Destination IP>

asg search 10.33.86.2 10.33.87.101

Output

Lookup for conn: <10.33.86.2, *, 10.33.87.101, *, *>, may take few seconds...
<10.33.86.2, 2686, 10.33.87.101, 22, tcp> -> [1_01 A, 1_03 B, 2_01 B]
Legend:
A - Active SGM
B - Backup SGM

Comments Searching for connections from 10.33.86.2 to 10.33.87.101 shows one SSH connection:

<10.33.86.2, 2686, 10.33.87.101, 22, tcp>

This connection is handled by SGM 1 in Chassis 1. The connection has a backup on SGM 3, and another backup in Chassis 2 on SGM 1.

Example 2

asg search 10.33.86.2 \* 8080 tcp

Output

Lookup for conn: <10.33.86.2, *, *, 8080, tcp>, may take few seconds...
<10.33.86.2, 49581, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<10.33.86.2, 49600, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<10.33.86.2, 49601, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
Legend:
A - Active SGM
B - Backup SGM


Comments Searching for TCP connections with source IP address 10.33.86.2 and destination port 8080.

The output shows three connections handled on SGM 1_01 with a backup on SGM 1_07 and 2_01.
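When the search output is saved during an investigation, the result lines can be parsed to see which SGM actively handles each connection and whether a backup exists on the other Chassis. This is an added example, not Check Point code: the function names are assumptions, and the second sample line in the usage below the functions is constructed.

```python
import re
from collections import Counter
from typing import NamedTuple

# Example 2 output from this page, one record per line.
SAMPLE = """\
Lookup for conn: <10.33.86.2, *, *, 8080, tcp>, may take few seconds...
<10.33.86.2, 49581, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<10.33.86.2, 49600, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<10.33.86.2, 49601, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
Legend:
A - Active SGM
B - Backup SGM
"""


class Connection(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    active: tuple  # SGM IDs marked "A"
    backup: tuple  # SGM IDs marked "B"


# Result lines read <src, sport, dst, dport, proto> -> [SGM role, ...].
# The "Lookup for conn:" banner does not start with "<", so it never matches.
CONN_RE = re.compile(
    r"^<\s*([^,\s]+),\s*(\d+),\s*([^,\s]+),\s*(\d+),\s*(\w+)\s*>"
    r"\s*->\s*\[([^\]]*)\]$"
)


def parse_asg_search(text):
    """Return one Connection per result line; banner and legend are skipped."""
    conns = []
    for raw in text.splitlines():
        m = CONN_RE.match(raw.strip())
        if not m:
            continue
        src, sport, dst, dport, proto, sgms = m.groups()
        roles = {"A": [], "B": []}
        for entry in filter(None, (e.strip() for e in sgms.split(","))):
            sgm, _, role = entry.partition(" ")
            role = role.strip()
            if role not in roles:
                raise ValueError(f"unknown SGM role {role!r} in: {raw}")
            roles[role].append(sgm)
        conns.append(Connection(src, int(sport), dst, int(dport), proto,
                                tuple(roles["A"]), tuple(roles["B"])))
    return conns


def chassis_of(sgm_id):
    """'2_01' -> 2: SGM IDs in the output are <chassis>_<SGM number>."""
    return int(sgm_id.split("_", 1)[0])


def active_sgm_counts(conns):
    """How many of the matched connections each SGM actively handles."""
    return Counter(s for c in conns for s in c.active)


def missing_remote_backup(conns):
    """Connections with no backup SGM on a Chassis other than the active one."""
    flagged = []
    for c in conns:
        active_chassis = {chassis_of(s) for s in c.active}
        if not any(chassis_of(b) not in active_chassis for b in c.backup):
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    conns = parse_asg_search(SAMPLE)
    print(dict(active_sgm_counts(conns)))
    # Constructed line: active and backup both on Chassis 1.
    local = parse_asg_search("<10.0.0.5, 40000, 10.0.0.9, 443, tcp> -> [1_02 A, 1_03 B]")
    print(missing_remote_backup(conns + local))
```
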


Configuring Alerts for SGM and Chassis Events (asg alert)

Use asg alert, an interactive wizard, to configure alerts for SGM and Chassis events. Chassis events include hardware failure, recovery, and performance-related events, and you can create other, general events.

An alert is sent when an event occurs, for example, when the value of a hardware resource is greater than the threshold. The alert message includes the Chassis ID, SGM ID and/or unit ID.

The wizard includes these options:

Option Description

Full Configuration Wizard Create a new alert

Edit Configuration Change an existing alert

Show Configuration Show existing alert configurations

Run Test Run a test simulation to make sure that the alert works correctly

To create or change an alert:

1. Run: > asg alert

2. Select and configure these parameters as prompted by the wizard:

• Alert type and related parameters

• Event type

• Alert mode

Alert Parameters

• SMS alert parameters

• SMS Provider URL - Fully qualified URL to your SMS provider.

• HTTP proxy and port (optional) – Necessary only if your Security Gateway requires a proxy server to reach the SMS provider.

• SMS rate limit - Maximum number of SMS messages sent per hour. When there are too many messages, other messages may be combined together in one message.

• SMS user text - Custom prefix for SMS messages.

• Email alert configuration

• SMTP server IP - One or more SMTP servers to which the email alerts are sent.

• Email recipient addresses - One or more recipient email addresses for each SMTP server.

• Periodic connectivity checks - Run tests periodically to confirm connectivity with the SNMP servers. If there is no connectivity, alert messages are saved and sent in one email when connectivity is restored.

• Interval - Interval, in minutes, between connectivity tests.

• Sender email address - Sender email address for email alerts.

• Subject - Subject header text for the email alert.

• Body text - User-defined text for the alert message.


• SNMP alert parameters

Define one or more SNMP managers to get SNMP traps sent from the Security Gateway. For each manager, configure these parameters as prompted:

• SNMP manager name - Name for your SNMP manager (unique).

• SNMP manager IP - Manager IP address (trap receiver).

• SNMP version - SNMP version to use (v2c or v3).

• SNMP v3 user name - If using SNMP v3 authentication, you must configure this.

• SNMP v3 engine ID - Unique SNMP v3 engine ID used by your system. Default = [0x80000000010203EA].

• SNMP v3 authentication protocol - MD5 or SHA.

• SNMP v3 authentication password - Privacy password.

• SNMP v3 privacy protocol - DES or AES.

• SNMP v3 privacy password - Privacy password.

• SNMP user text - Custom text for the SNMP trap messages.

• SNMP community string - Community string for the SNMP manager.

Note - Some parameters do not show, based on your settings.

• Log alert parameters

• There are no configurable parameters for log alerts.

Event types

You can select one or more event types:

• One event type.

• A comma-delimited list of more than one event type.

• all event types.

-----------------------------------
1  | SGM State
2  | Chassis State
3  | Port State
4  | Pingable Hosts State
5  | System Monitor Daemon
6  | Route State
7  | Diagnostics
Hardware Monitor events:
8  | Fans
9  | SSM
10 | CMM
11 | Power Supplies
12 | CPU Temperature
Performance events:
13 | Concurrent Connections
14 | Connection Rate
15 | Packet Rate
16 | Throughput
17 | CPU Load
18 | Hard Drive Utilization
19 | Memory Utilization

Alert Modes

• Enabled - An alert is sent for the selected events.

• Disabled - No alert is sent for the selected events.


• Monitor - A log entry is generated instead of an alert.


Monitoring the System with SNMP

You can use SNMP to monitor different aspects of the 61000 Security System, including:

• Software versions

• Hardware status

• Key performance indicators

• Chassis high availability status

To monitor the system using SNMP:

1. Upload the Check Point MIB to your third-party SNMP monitoring software.

The SNMP MIB is located on each SGM under: $CPDIR/lib/snmp/chkpnt.mib

To monitor the 61000 Security System, the supported OIDs are under iso.org.dod.internet.private.enterprise.checkpoint.products.asg (OID 1.3.6.1.4.1.2620.1.48)

2. Enable the SNMP agent on the 61000 Security System.

In gclish, run: > set snmp agent on

SNMP Traps

The 61000 Security System supports this SNMP trap only:

iso.org.dod.internet.private.enterprise.checkpoint.products.asgTrap (OID 1.3.6.1.4.1.2620.1.2001)

The SNMP traps MIB is located on each SGM under: $CPDIR/lib/snmp/chkpnt-trap.mib

Note - The set snmp traps command is not supported. You must use the asg alert configuration wizard for this purpose.

To learn more about SNMP, see:

• Configuring asg alerts ("Configuring Alerts for SGM and Chassis Events (asg alert)" on page 85)

• The R75.40VS for 61000 61000 Security System Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=22941

• sk90860: How to configure SNMP on Gaia OS http://supportcontent.checkpoint.com/solutions?id=sk90860


SNMP in a VSX Gateway

There are two SNMP modes for a Scalable Platform configured as a VSX Gateway:

Default Mode Monitor global SNMP data from the Scalable Platform. Data comes from all SGMs on all Virtual Systems.

VS Mode Monitor each Virtual System separately.

Note - SNMP traps are supported for VS0 only.

Supported SNMP Versions

SNMP VS mode uses SNMP version 3 to query the Virtual Systems. You can run remote SNMP queries on each Virtual System in the VSX Gateway.

For systems that only support SNMP versions 1 and 2:

• You cannot run remote SNMP queries for each Virtual System. You can only run a remote SNMP query on VS0.

• You can use the CLI to change the Virtual System context and then run a local SNMP query on a Virtual System.

To use SNMP in the Virtual System mode:

1. Configure an SNMP V3 user: add snmp usm user jon security-level authNoPriv authpass-phrase VALUE

2. Set the SNMP mode: set snmp mode vs or set snmp mode default

3. Start SNMP agent: set snmp agent on

VS Mode Example 1:

To run a Virtual System query for traffic throughput, from a remote Linux host:

[Expert@VSX:0] snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -n ctxname_vsid1 -v 3 -l authNoPriv -u jon -A mypassword 192.0.2.72 asgThroughput

VS Mode Example 2:

To run a Virtual System query for traffic throughput, from its virtual context:

1. Go to the Expert mode.

2. Go to the applicable Virtual System: vsenv <vs_id>

3. Run: # snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -v 2c -c public localhost asgThroughput

CHAPTER 14

Troubleshooting

In This Section:

Collecting System Diagnostics (asg diag)

This section lists the most important gclish commands that you can use to troubleshoot the Scalable Platform.

Collecting System Diagnostics (asg diag)

Description

Use this tool to collect and show diagnostic information about the system.

This command runs a list of predefined diagnostics tools. The output shows the result of each test (Passed or Failed) and the location of the output log file.

Syntax

asg diag list [[TestNum1][,TestNum2]...]
asg diag verify [[TestNum1][,TestNum2]...]
asg diag print [[TestNum1][,TestNum2]...]
asg diag purge [Number of logs to keep]

Parameters

Parameter Description

list Show the list of tests.

verify Run tests and show a summary of the results.

print Run tests and show the full output and also a summary of the results.

[[TestNum1][,TestNum2]...] Comma-separated list of test IDs. To see the IDs of the tests, run asg diag list.

purge Delete the asg diag logs except for the newest.

[Number of logs to keep] The number of the newest logs to keep when deleting (purging) asg diag log files. The default is 5.

Example 1

asg diag list

Output 1

-------------------------------------------------------
| ID | Title              | Command                   |
-------------------------------------------------------
| System Components                                   |
-------------------------------------------------------
| 1  | System Health      | asg stat -d               |
| 2  | Hardware           | asg hw_monitor -q         |
| 3  | Resources          | asg resource -q           |
| 4  | Software Versions  | asg_version verify -v     |
| 5  | CPU Type           | cpu_socket_verifier -v    |
| 6  | Media Details      | transceiver_verifier -v   |
-------------------------------------------------------
| Policy and Configuration                            |
-------------------------------------------------------
| 7  | Distribution Mode  | dist_verify -d            |
| 8  | Policy             | asg policy verify -a      |
| 9  | AMW Policy         | asg policy verify_amw -a  |
| 10 | Installation       | installation_verify       |
| 11 | Security Group     | asg security_group diag   |
| 12 | Cores Distribution | cores_verifier            |
| 13 | SPI Affinity       | spi_affinity_verifier -v  |
| 14 | Clock              | clock_verifier -v         |
| 15 | Mgmt Monitor       | mgmt_monitor snmp_verify  |
| 16 | Licenses           | asg_license_verifier      |
| 17 | Hide NAT range     | asg_hide_behind_range -v  |
-------------------------------------------------------
| Networking                                          |
-------------------------------------------------------
| 18 | MAC Setting        | mac_verifier -v           |
| 19 | Interfaces         | interface_verifier -q     |
| 20 | Bond               | asg_bond_verifier -v      |
| 21 | Bridge             | asg_br_verifier -v        |
| 22 | IPv4 Route         | asg_route -q              |
| 23 | IPv6 Route         | asg_route ipv6 -q         |
| 24 | Dynamic Routing    | asg_dr_verifier           |
| 25 | Local ARP          | asg_local_arp_verifier -v |
| 26 | Port Speed         | asg_port_speed verify     |
-------------------------------------------------------
| Misc                                                |
-------------------------------------------------------
| 27 | Core Dumps         | core_dump_verifier -v     |
| 28 | Syslog             | asg_syslog verify         |
-------------------------------------------------------

Comment The output shows that the test with ID 1 is called System Health. This test runs the command asg stat -d to get the test status.

Example 2

asg diag verify

Output 2

--------------------------------------------------------------------------------
| Tests Status                                                                 |
--------------------------------------------------------------------------------
| ID | Title              | Result | Reason                                    |
--------------------------------------------------------------------------------
| System Components                                                            |
--------------------------------------------------------------------------------
| 1  | System Health      | Failed | (1)Chassis 1 error                        |
| 2  | Hardware           | Failed | (1)Power unit is missing                  |
| 3  | Resources          | Failed | (1)Memory capacity                        |
|    |                    |        | (2)Primary HD capacity                    |
|    |                    |        | (3)Log HD capacity                        |
|    |                    |        | (4)Boot HD capacity                       |
| 4  | Software Versions  | Failed |                                           |
| 5  | CPU Type           | Failed | (1)Non-compliant CPU type                 |
| 6  | Media Details      | Passed |                                           |
--------------------------------------------------------------------------------
| Policy and Configuration                                                     |
--------------------------------------------------------------------------------
| 7  | Distribution Mode  | Passed |                                           |
| 8  | Policy             | Passed |                                           |
| 9  | AMW Policy         | Passed |                                           |
| 10 | Installation       | Passed |                                           |
| 11 | Security Group     | Passed |                                           |
| 12 | Cores Distribution | Passed |                                           |
| 13 | SPI Affinity       | Passed |                                           |
| 14 | Clock              | Passed |                                           |
| 15 | Mgmt Monitor       | Passed |                                           |
| 16 | Licenses           | Passed |                                           |
| 17 | Hide NAT range     | Passed |                                           |
--------------------------------------------------------------------------------
| Networking                                                                   |
--------------------------------------------------------------------------------
| 18 | MAC Setting        | Passed |                                           |
| 19 | Interfaces         | Passed |                                           |
| 20 | Bond               | Passed |                                           |
| 21 | Bridge             | Passed |                                           |
| 22 | IPv4 Route         | Passed |                                           |
| 23 | IPv6 Route         | Passed | (1)Not configured                         |
| 24 | Dynamic Routing    | Failed | (1)BGP                                    |
| 25 | Local ARP          | Passed |                                           |
| 26 | Port Speed         | Passed |                                           |
--------------------------------------------------------------------------------
| Misc                                                                         |
--------------------------------------------------------------------------------
| 27 | Core Dumps         | Passed |                                           |
| 28 | Syslog             | Passed |                                           |
--------------------------------------------------------------------------------
| Tests Summary                                                                |
--------------------------------------------------------------------------------
| Passed: 22/28 tests                                                          |
| Run: "asg diag list 1,2,3,4,5,24" to view a complete list of failed tests    |
| Output file: /var/log/verifier_sum.1-28.2012-11-28_10-24-33.txt              |
--------------------------------------------------------------------------------

Example 2.1 Run the command suggested by the asg diag verify output to show the commands that failed.

asg diag list 1,2,3,4,5,24

Output 2.1

-------------------------------------------------------
| ID | Title             | Command                    |
-------------------------------------------------------
| System Components                                   |
-------------------------------------------------------
| 1  | System Health     | asg stat -d                |
| 2  | Hardware          | asg hw_monitor -q          |
| 3  | Resources         | asg resource -q            |
| 4  | Software Versions | asg_version verify -v      |
| 5  | CPU Type          | cpu_socket_verifier -v     |
-------------------------------------------------------
| Networking                                          |
-------------------------------------------------------
| 24 | Dynamic Routing   | asg_dr_verifier            |
-------------------------------------------------------


Example 2.2 To find out why the System Health test failed, run asg stat -d or asg diag print 1. Here is a sample output of asg stat -d:

Output 2.2

--------------------------------------------------------------------------
| System Status                                                          |
--------------------------------------------------------------------------
| Chassis 1                  ACTIVE                                      |
--------------------------------------------------------------------------
| SGM ID       State          Process              Policy Date           |
| 2 (local)    UP             Enforcing Security   01Jul12 14:54         |
| 3            DOWN (Admin)   Inactive             NA                    |
--------------------------------------------------------------------------
| Chassis Parameters                                                     |
--------------------------------------------------------------------------
| Unit                 Chassis 1          Unit Weight                    |
|                                                                        |
| SGMs                 1 / 2 (!)          6                              |
| Ports                                                                  |
|   Standard           2 / 2              11                             |
|   Other              0 / 0              6                              |
| Sensors                                                                |
|   Fans               4 / 4              5                              |
|   SSMs               2 / 2              11                             |
|   CMMs               2 / 2              6                              |
|   Power Supplies     6 / 6              6                              |
|                                                                        |
| Chassis Grade        118 / 124          -                              |
--------------------------------------------------------------------------
| Synchronization                                                        |
|   Within chassis:    Enabled (Default)                                 |
|   Exception Rules:   (Default)                                         |
| Distribution                                                           |
|   Control Blade:     Disabled (Default)                                |
--------------------------------------------------------------------------

Comment 2.2 The Chassis grade is 118/124 because one of the SGMs is in DOWN (Admin) state. Bringing the SGM up solves the problem. Alternatively, remove the SGM from the security group to suppress the alert.

Another way of debugging the issue is to open the output file in /var/log/. When you run asg diag verify or asg diag print, a log file is created which includes the full (verbose) output of each test.

Example 2.3 A sample full (verbose) output for the CPU Type test in the /var/log/ log file:

Output 2.3

==============================
CPU Type:
==============================
Non-compliant cpu models found:
------------------------------------
model name : Intel(R) Xeon(R) CPU E5530 @ 2.40GHz
Refer to /proc/cpuinfo for more information


Comment 2.3 This file shows that the E5530 CPU is not recognized by the CPU Type test as compliant with the current system. To make a CPU type recognized as compliant:

1. Edit the file asg_diag_config in the $FWDIR/conf directory.

2. Add the line Certified cpu=<value>

3. Replace <value> with the CPU type.

After solving the issues identified by asg diag verify, you can run a subset of the tests that failed to make sure that all issues have been solved. To run a subset of the tests, see example 3.

Example 3 To run a subset of the tests, run: asg diag verify 1,2,3,4,5,24

Output 3

--------------------------------------------------------------------------------
| Tests Status                                                                 |
--------------------------------------------------------------------------------
| ID | Title              | Result | Reason                                    |
--------------------------------------------------------------------------------
| System Components                                                            |
--------------------------------------------------------------------------------
| 1  | System Health      | Passed |                                           |
| 2  | Hardware           | Passed |                                           |
| 3  | Resources          | Passed |                                           |
| 4  | Software Versions  | Passed |                                           |
| 5  | CPU Type           | Passed |                                           |
--------------------------------------------------------------------------------
| Networking                                                                   |
--------------------------------------------------------------------------------
| 24 | Dynamic Routing    | Passed |                                           |
--------------------------------------------------------------------------------
| Tests Summary                                                                |
--------------------------------------------------------------------------------
| Passed: 6/6 tests                                                            |
| Output file: /var/log/verifier_sum.1-5.24.2012-11-28_10-37-36.txt            |
--------------------------------------------------------------------------------
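Typing the list of failed test IDs by hand gets error-prone when many tests fail. The script below is an added example, not part of the Check Point guide: it parses the Tests Status table printed by asg diag verify and prints the asg diag list and asg diag verify commands for the failed IDs only. The function names and the sample table are constructed, and the script assumes the console layout shown in Output 2.

```shell
#!/bin/sh
# Added example (not from the guide). Input: the "Tests Status" table that
# `asg diag verify` prints, read on stdin.

# Constructed sample: an excerpt of the table shown in Output 2.
sample_output() {
cat <<'EOF'
| ID | Title           | Result | Reason                 |
| System Components                                      |
| 1  | System Health   | Failed | (1)Chassis 1 error     |
| 3  | Resources       | Failed | (1)Memory capacity     |
|    |                 |        | (2)Primary HD capacity |
| 6  | Media Details   | Passed |                        |
| 23 | IPv6 Route      | Passed | (1)Not configured      |
| 24 | Dynamic Routing | Failed | (1)BGP                 |
EOF
}

# Comma-separated IDs of failed tests. Header, section and continuation
# rows are skipped because their ID column is not a number.
failed_test_ids() {
    awk -F'|' '
        { id = $2; res = $4; gsub(/[ \t]/, "", id); gsub(/[ \t]/, "", res) }
        id ~ /^[0-9]+$/ && res == "Failed" { list = (list == "" ? id : list "," id) }
        END { print list }'
}

# "<id>: <reason>" for each failure reason; continuation rows (empty ID)
# inherit the ID of the numbered row above them.
failed_reasons() {
    awk -F'|' 'NF >= 5 {
        id = $2; res = $4; why = $5
        gsub(/[ \t]/, "", id); gsub(/[ \t]/, "", res)
        gsub(/^[ \t]+|[ \t]+$/, "", why)
        if (id ~ /^[0-9]+$/) { cur = id; failed = (res == "Failed") }
        else if (id != "")   { failed = 0 }
        if (failed && why != "") print cur ": " why
    }'
}

# The two follow-up commands from the guide, limited to the failed IDs.
followup_commands() {
    ids=$(failed_test_ids)
    [ -n "$ids" ] || return 0
    printf 'asg diag list %s\nasg diag verify %s\n' "$ids" "$ids"
}

sample_output | followup_commands
```

On a live system, pipe the console output of asg diag verify into followup_commands instead of sample_output; a "Passed" row that carries a reason, such as test 23, is correctly left out of the list.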


Error Types

This table shows some of the errors detected by asg diag verify.

| Error Type     | Error                       | Description |
|----------------|-----------------------------|-------------|
| System health  | Chassis <X> error           | The Chassis quality grade is less than the defined threshold. We recommend that you correct this issue immediately. |
| Hardware       | <Component> is missing      | The component is not installed in the Chassis. |
| Hardware       | <Component> is down         | The component is installed in the Chassis, but is inactive. |
| Resources      | <Resource> capacity         | The specified resource capacity is not sufficient. You can change the defined resource capacity. |
| Resources      | <Resource> exceed threshold | The resource's usage is greater than the defined threshold. |
| CPU type       | Non compliant CPU type      | At least one SGM CPU type is not configured in the list of compliant CPUs. You can define the compliant CPU types. |
| Security group | <Source> error              | The information collected from this source is different between the SGMs. |
| Security group | <Sources> differ            | The information collected from many sources is different. |

Changing Compliance Thresholds

You can change some compliance thresholds that define a healthy, working system. In $FWDIR/conf/asg_diag_config, change the threshold values.

These are the resources you can control:

| Resource      | Description |
|---------------|-------------|
| Memory        | RAM memory capacity in GB. |
| HD: /         | Disk capacity in GB for <disk>:/ partition. |
| HD:/var/log   | Disk capacity in GB for the /var/log partition. |
| HD: /boot     | Disk capacity in GB for the /boot partition. |
| Skew          | The maximum permissible clock difference, in seconds, between the SGMs and SSMs. |
| Certified cpu | Each line represents one compliant CPU type. |