Check Point NGX R66 Getting Started Manual
  1. Manuals
  2. Brands
  3. Check Point Manuals
  4. Network Hardware
  5. NGX R66
  6. Getting started manual
Check Point NGX R66 Getting Started Manual

Check Point NGX R66 Getting Started Manual

Hide thumbs
Table of Contents

Advertisement

Quick Links

Download this manual
Connectra Appliance
Getting Started Guide
NGX R66
702365
November 5, 2008

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the NGX R66 and is the answer not in the manual?

Questions and answers

Related Manuals for Check Point NGX R66

Summary of Contents for Check Point NGX R66

  • Page 1 Connectra Appliance Getting Started Guide NGX R66 702365 November 5, 2008...
  • Page 3 Health and Safety Information Read the following warnings before setting up or using the appliance. Warning - Do not block air vents. A minimum 1/2-inch clearance is required. Warning - This appliance does not contain any user-serviceable parts. Do not remove any covers or attempt to gain access to the inside of the product.
  • Page 4 • Disconnect the system board power supply from its power source before you connect or disconnect cables or install or remove any system board components. Failure to do this can result in personnel injury or equipment damage. • Avoid short-circuiting the lithium battery; this can cause it to superheat and cause burns if touched.
  • Page 5 Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
  • Page 7 Contents Chapter 1 Introduction to Connectra Welcome................. 12 Overview ................. 13 Shipping Carton Contents ............14 Terminology ................15 Chapter 2 Deploying Connectra Deployment Overview ............... 18 Deploying Connectra in the DMZ ..........19 Deploying Connectra on a LAN ..........20 Deploying a Connectra Cluster...........
  • Page 8 Step 12: Performing a SmartDefense Update (Locally Managed Connectra)..............43 Step 13: Checking Your Setup.......... 44 Installing the NGX R66 Plug-in ..........45 Installing the Plug-in on a SmartCenter ......45 Installing the Plug-in on Provider-1/SiteManager-1 ..... 47 Uninstalling Connectra Plug-ins........50 Cluster Configuration—Deployment Tips ........51...

  • Page 9: Table Of Contents

    Chapter 5 Upgrading Connectra Introduction to Advanced Upgrade ..........82 Advanced Upgrade to Locally Managed R66 ......83 Preparing for Advanced Upgrade to Locally Managed R66 .. 83 Advanced Upgrade Procedure to Locally Managed R66 ..83 Completing the Advanced Upgrade to R66......85 Upgrade to Centrally Managed R66 from R61/62/62CM .....
  • Page 10 Support.................102 Where To From Here? .............103 Chapter 8 Notes My Connectra Appliance ............105 Index ..............
  • Page 11 Chapter Introduction to Connectra In This Chapter Welcome page 12 Overview page 13 Shipping Carton Contents page 14 Terminology page 15...
  • Page 12 Check Point at 1(800) 429-4391. For additional technical information, refer to: http://support.checkpoint.com. Welcome to the Check Point family. We look forward to meeting all of your current and future network, application, and management security needs.
  • Page 13 Overview Overview Check Point Connectra is a comprehensive and unified remote access solution that makes corporate applications and network resources securely available to mobile and remote users. With Connectra NGX R66, remote and mobile employees, contractors, business partners, and customers can access network resources and applications through either a lightweight VPN client or simply through a Web browser.
  • Page 14 Shipping Carton Contents Shipping Carton Contents This section describes the contents of the shipping carton. Table 1-1 Contents of the Shipping Carton Item Description Appliance A single Connectra appliance: • Connectra 3070 or • Connectra 270 or • Connectra 9072 Rack Mounting Accessories Hardware mounting kit.
  • Page 15 • Locally Managed Deployment: When all Check Point components responsible for both the management and enforcement of the access policy (the SmartCenter server and the gateway) are installed on the same machine.
  • Page 16 Terminology...
  • Page 17 Chapter Deploying Connectra In This Chapter Deployment Overview page 18 Deploying Connectra in the DMZ page 19 Deploying Connectra on a LAN page 20 Deploying a Connectra Cluster page 21...
  • Page 18 Deployment Overview Deployment Overview In general, it is recommended to deploy Connectra in the DMZ. Connectra can, however, also be deployed in other places, such as on the internal LAN. In both scenarios, SSL termination takes place at the Connectra Gateway. Web Intelligence, Application Intelligence, authentication, and authorization schemes on the Connectra Gateway are employed to protect the internal network and to inspect the traffic for harmful content before it reaches the internal servers.
  • Page 19 Deploying Connectra in the DMZ Deploying Connectra in the DMZ Figure 2-1 shows a typical Connectra deployment in the DMZ: Figure 2-1 Connectra Deployment in the DMZ When Connectra is placed in the DMZ, traffic initiated both from the Internet and from the LAN to Connectra is subject to firewall restrictions.
  • Page 20 Deploying Connectra on a LAN Deploying Connectra on a LAN Figure 2-2 shows how Connectra can be deployed on the LAN alongside the internal servers: Figure 2-2 Connectra Deployment in the LAN The remote user opens a browser and initiates an HTTPS request to the Connectra server.
  • Page 21 Deploying a Connectra Cluster Deploying a Connectra Cluster Figure 2-3 shows a two-member Connectra cluster. Typically, the cluster is deployed behind the DMZ interface of a firewall, with the application servers behind the firewall in the internal networks. Figure 2-3 Connectra Clustering Topology Example Each cluster member has two interfaces: one data interface leading to the organization and to the Internet, and a second interface for...
  • Page 22 Deploying a Connectra Cluster...
  • Page 23 In This Chapter Installation and Configuration Workflow page 24 Installation and Initial Configuration Procedures page 26 Post-Installation Procedures page 41 Installing the NGX R66 Plug-in page 45 Cluster Configuration — Deployment Tips page 51 SSL Acceleration Card Installation page 53 Further Information...

  • Page 24: Installation And Configuration Workflow

    For more information about Clusters, see “Cluster Configuration —Deployment Tips” on page 51. Note that Clusters are not supported in locally managed Connectra NGX R66. Installation and Initial Configuration Stages The installation and configuration of Connectra are performed in the...
  • Page 25 Installation and Initial Configuration Stages Connect to the Administration User Interface. Run the First Time Configuration Wizard and automatically install the Connectra package. Install the SmartConsole GUI Clients Log in to SmartDashboard for the first time. If you are installing centrally managed Connectra, define Connectra objects in SmartDashboard.

  • Page 26: Installation And Initial Configuration Procedures

    Connectra Step A: Setting Up SmartCenter and Installing the Plug-in (Centrally Managed Only) To set up the SmartCenter and install the NGX R66 Plug-in: Install or upgrade the SmartCenter server or Provider-1/SiteManager-1 CMA to version NGX R65. For a new installation of SmartCenter, install SmartDashboard on a SmartConsole client.
  • Page 27 Step 1: Preparing for Centrally Managed Connectra Figure 3-1 Rules for Deploying Connectra in the DMZ Rule Rule Source Rule Rule Source Source Source Destination Destination Destination Destination Service Service Service Service Action Action Action Action Comment Comment Comment Comment Admin Connectra HTTPS (TCP/4433) Accept Administrator access.
  • Page 28 Step 2: Installing Connectra • Connectra may need access to the SmartCenter Server or to a Customer Log Module (CLM), in order to send logs to a remote log server. • For authentication, Connectra may need access to LDAP, RADIUS and ACE servers. •...
  • Page 29 Step 2: Installing Connectra Place the side with four holes against the chassis. The side with two holes faces outward, as shown in Figure 3-3. Figure 3-3 Ear Mounts Retaining Screws Fasten the four retaining screws on each ear mount. Fasten the two screws which connect the earmount to the handle.
  • Page 30 Step 2: Installing Connectra Installing Connectra in the Rack Install the system in the rack with the network ports facing the front of the rack. Figure 3-4 Installing Connectra 9072...
  • Page 31 Step 3: Identifying the Default Management Interface Figure 3-5 Installing Connectra 3070 and 270 Step 3: Identifying the Default Management Interface Identify the default management interface marked as MGMT (Management) on Connectra 9072, and Internal on Connectra 3070 and 270. This interface is preconfigured with the IP address 192.168.1.1.
  • Page 32 Step 5: Connecting to the Administration User Interface On the back panel, turn on the Power button to start the appliance. Step 5: Connecting to the Administration User Interface Connect to the administration interface by connecting from a machine on the same network subnet (e.g., with IP address 192.168.1.x and netmask 255.255.255.0) to the administration interface via the LAN cable.
  • Page 33 Step 5: Connecting to the Administration User Interface Figure 3-6 The Login page Change the administrator password, as prompted. For security purposes, you must change it to a more secure password. In the Password recovery login token section, you can download a Login Token that can be used in the event a password is forgotten.
  • Page 34 Step 6: Running the First Time Configuration Wizard Step 6: Running the First Time Configuration Wizard First-Time Configuration Wizard begins to run. The Wizard presents a number of windows, in which you configure the Date and Time, Network Connections, Routing, DNS Servers, Host and Domain Name, and Deployment Type of Connectra.
  • Page 35 Step 6: Running the First Time Configuration Wizard Click Next. Configure the Management type the Management Type page. Figure 3-7 Management Type page Locally Managed Deployment - To configure locally managed Connectra, where Connectra manages itself. Select Locally Managed and click Next. Skip to step Centrally Managed Deployment - To configure Connectra that is...
  • Page 36 Step 7: Installing the SmartConsole GUI Clients Continue to “Step 7: Installing the SmartConsole GUI Clients” on page Configure the Web/SSH and GUI Clients Configuration window. Define which IP addresses will be allowed to connect using Web or SSH Clients. These clients will be able to manage the appliance using SmartConsole applications.
  • Page 37 Step 8: Logging In for the First Time To download SmartConsole: Access the WebUI menu by navigating to https://<appliance_ip_address>:4433 Login using the administrator username and password configured in step 4 on page Download the SmartConsole Installation package Product Configuration > Download SmartConsole > Download. Step 8: Logging In for the First Time Login Process Administrators connect to Connectra through SmartDashboard using a...
  • Page 38 Confirm Activation Key field, then click Initialize. Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established. Click Close. Make sure Connectra NGX R66 appears in the Version field and click OK.
  • Page 39 Step 9: Defining Connectra Objects (Centrally Managed Connectra) Configuring a Connectra Gateway’s Topology Each Cluster member should have at least one cluster interface and one synchronization interface. For more information on configuring topology for cluster members, see “Cluster Configuration —Deployment Tips” on page 51 or the Connectra Gateway Clusters chapter of the Connectra Central Management...
  • Page 40 Wait while trust is initialized. The words Trust established appear in the Trust state field once trust is established. Click Close. 10. Make sure Connectra NGX R66 appears in the Version field and click OK. Configuring Topology for a Connectra Cluster...

  • Page 41: Post-Installation Procedures

    Post-Installation Procedures Post-Installation Procedures Step 10: Connecting Connectra to the Network Connecting a Standalone Connectra Connect the Connectra network interface to the switch on which the default gateway resides. Connecting a Connectra Cluster Refer to Figure 2-3, “Connectra Clustering Topology Example,” on page When setting up a Connectra cluster, connect the cluster member data interfaces via a switch.
  • Page 42 Step 11: Configuring Access Control Define applications Define users Define user groups Associate users with groups Associate applications with groups Install the Access Policy These tasks are described in detail in the Connectra Central Management Administration Guide and the Connectra Local Management Administration Guide.
  • Page 43 Step 12: Performing a SmartDefense Update (Locally Managed Connectra) the security requirements of the application). These groups can be defined on Connectra’s internal user database, on LDAP or Radius servers. The LDAP group can be a branch in a tree, or an LDAP group that contains users from different branches.
  • Page 44 Step 13: Checking Your Setup Select Policy > Install Policy to apply the updates. Step 13: Checking Your Setup After installing the Security Policy, browse to the User portal and login using the credentials of the defined user. The user portal is at https://<IP address>...

  • Page 45: Installing The Ngx R66 Plug-In

    Installing the NGX R66 Plug-in Installing the NGX R66 Plug-in The Connectra NGX R66 Plug-in adds Connectra central management capabilities to an NGX R65 SmartCenter server or Provider-1/SiteManager-1. If you are working in a High Availability environment, install the Plug-in on each member.
  • Page 46 Installing the Plug-in on a SmartCenter expert Log in to expert mode by running, and entering your password. Install the Connectra Plug-in package: Insert CD2 into the SmartCenter Server machine. Mount the CD by running: mount /dev/cdrom Go to the CD directory by running: cd /mnt/cdrom Run: ./UnixInstallScript -splat...
  • Page 47 Installing the Plug-in on Provider-1/SiteManager-1 Install SmartCenter server NGX R65. expert Log in to expert mode by running, and entering your password. Install the Connectra Plug-in package: Insert CD2 into the SmartCenter Server machine. Mount the CD by running: mount /dev/cdrom Go to the CD directory by running: cd /mnt/cdrom Run:...
  • Page 48 Installing the Plug-in on Provider-1/SiteManager-1 Install NGX R65 on the Provider-1/SiteManager-1 Multi Domain Server. Install the Connectra Plug-in package on the Multi-Domain Server: Insert CD2 into the Provider-1/SiteManager-1 Multi Domain Server machine. Mount the CD by running: mount /dev/cdrom Go to the CD directory by running: cd /mnt/cdrom Run: ./UnixInstallScript -splat...
  • Page 49 Installing the Plug-in on Provider-1/SiteManager-1 For each CMA on which you want to manage Connectra gateways, you need to activate the Plug-in. See “Activating the Connectra Plug-in on the CMA” on page Activating the Connectra Plug-in on the CMA To activate the Connectra Plug-in, use one of the following procedures: •...

  • Page 50: Uninstalling Connectra Plug-Ins

    Uninstalling Connectra Plug-ins • From the MDG’s Management Plug-ins View, activate the Plug-in in one of the following ways: • Right-click a customer and select Activate Plug-in on Customers. • Right-click the PIConR66 and select Activate this Plug-in. • Select Activate Plug-in on Customers from the Plug-in menu. •...

  • Page 51: Cluster Configuration - Deployment Tips

    Cluster Configuration—Deployment Tips Cluster Configuration — Deployment Tips This section includes information that will help you understand the process of configuring a Connectra gateway cluster, in order to make it a successful and trouble free process. The Connectra Central Management Administration Guide includes full details of setting up a Connectra cluster.
  • Page 52 Cluster Configuration—Deployment Tips Interface Configuration • The synchronization interfaces of the cluster members reside on the SAME subnet. • The data interfaces of the cluster members must reside on the SAME subnet, DIFFERENT from the synchronization subnet. • Use different interfaces for the data and synchronization networks.

  • Page 53: Ssl Acceleration Card Installation

    SSL Acceleration Card Installation SSL Acceleration Card Installation A hardware-based SSL acceleration card is available to improve the SSL performance of the Connectra gateway. The card speeds up the SSL/TLS public key exchange, and reduces CPU utilization by redirecting CPU-intensive calculations to dedicated hardware. Note - The acceleration card is pre-installed on Connectra 9072.
  • Page 54 SSL Acceleration Card Command Syntax Run: cpvnstart SSL Acceleration Card Command Syntax The following table lists the SSL Acceleration Card commands. The diag stat card must be activated before running the parameters. Syntax hw_acceleration{ start | stop | diag | stat} Table 3-1 SSL Acceleration Card Commands Parameter...

  • Page 55: Further Information

    Further Information Further Information For further instructions on configuring the Connectra gateway or a Connectra ClusterXL Load Sharing or High Availability cluster, refer to Connectra Central Management Administration Guide Connectra Local Management Administration Guide according to your configuration, or to the online help. Chapter 3 Installing and Configuring Connectra...
  • Page 56 Further Information...
  • Page 57 Chapter Connectra Hardware In This Chapter: Overview page 57 Customer Replaceable Parts page 66 Restoring Factory Defaults page 74 This chapter provides instructions for installing and removing hardware components on the Connectra appliance. Overview Front Panel Components page 58 Rear Panel Components page 64 This section discusses the hardware components comprising the Connectra appliance.
  • Page 58 Overview Front Panel Components Connectra 270 page 59 Connectra 3070 page 60 Connectra 9072 page 61 LCD Display Screen page 62 Expansion Line Card page 62 Hard Disk Drives page 63 This section describes the features and components located on the appliance front panel.

  • Page 59: Connectra 270

    Overview Connectra 270 Table 4-1 Connectra 270 Front Panel Description Description Internal connection port - Ethernet connection to a remote management workstation External connection port - Ethernet connection to connect outside the organization DMZ connection port - Ethernet connection to the Sync/Lan1 port- for synchronizing with cluster members or a high availability peer Console port - for a serial connection to the...

  • Page 60: Connectra 3070

    Overview Connectra 3070 Table 4-2 Connectra 3070 Front Panel Description Description LCD screen Screen operation keys Power indicator LED USB ports Console port - for a serial connection to the appliance using a terminal emulation program such as Hyperterminal. Internal connection port - Ethernet connection to a remote management workstation External connection port - Ethernet connection to connect outside the organization...

  • Page 61: Connectra 9072

    Overview Connectra 9072 Table 4-1 Connectra 9072 Front Panel Description Description LCD display screen Management connection port - Ethernet connection to a remote management workstation Synchronization port - for synchronizing with cluster members or a high availability peer Console port - for a serial connection to the appliance using a terminal emulation program such as Hyperterminal.

  • Page 62: Lcd Display Screen

    Overview LCD Display Screen Located on the front of the appliance, the LCD panel displays the model of the unit. The arrow keys scroll the display up and down. The ENTER and ESC keys are intended for future functionality. Expansion Line Card The Connectra 9072 appliance contains two optional expansion slots that accommodate two cold-swappable network line cards.

  • Page 63: Hard Disk Drives

    Overview Hard Disk Drives Connectra 3070 and 270 contain one hard disk drive. Connectra 9072 contains two redundant hard disk drives (RAID1). Figure 4-1 Hard Disk Drives Hard disk drives are not hot-swappable. You must power the appliance off before attempting to remove or install a hard disk drive.
  • Page 64 Overview Rear Panel Components This section describes components located on the rear panel of the appliance. Main Power Switch The main power switch controls power to the entire unit. Redundant Power Supply Units Located at the right rear of the 9072 appliance, two hot-swappable power supply units provide built-in power redundancy.
  • Page 65 Overview Cooling Fans Connectra 9072 contains three replaceable cooling fans. Each cooling fan operates independently of the others, providing redundancy in the event of failure. Figure 4-3 Cooling Fans in Connectra 9072 Connectra 3070 and Connectra 270 contain one cooling fan that is not replacable.
  • Page 66 Two for Connectra 9072 • Single hard drive for Connectra 3070 and Connectra Unless directed to do so by Check Point technical support, customers are prohibited by warranty and support agreements from replacing any parts. Customers are prohibited from opening...

  • Page 67: Power Supply

    Customer Replaceable Parts Power Supply This section presents the procedures for removing and installing a power supply unit. Connectra 9072 contains two redundant power supplies. Figure 4-4 Redundant Power Supply Units Removing the Power Supply To remove a power supply unit: If the alarm sounds, press the red alarm button to the right of the power supply.

  • Page 68: Cooling Fan

    Customer Replaceable Parts Installing the Power Supply To install a replacement power supply: Insert the power supply into its slot and push firmly until it clicks into place. Tighten the retaining screws. Insert the power cord. Verify that the green LED is illuminated.

  • Page 69: Expansion Line Card

    Customer Replaceable Parts Removing Fan Units To remove a fan unit: Loosen the four retaining screws in the corners of the fan assembly. Gently pull the fan unit out of the appliance. Installing Fan Units To install a fan unit: Insert the fan unit into the appliance.
  • Page 70 Customer Replaceable Parts Figure 4-6 Expansion Line Card Removing Expansion Line Cards To remove an expansion line card: Power off the appliance and remove the power cords from the power supply units. Loosen the retaining screws on either side of the expansion line card.

  • Page 71: Hard Disk Drive

    Customer Replaceable Parts Installing Expansion Line Cards To install an expansion line card: Power off the appliance and remove the power cords from the power supply units. Insert the expansion line card into the slot. Push until the card clicks into place. Tighten the retaining crews on either side of the expansion line card.
  • Page 72 Customer Replaceable Parts Figure 4-7 Hard Disk Drives Removing a Hard Disk Drive To remove a hard disk drive: Power off the appliance and remove the power cords from the power supply units. Using the key supplied in the toolkit, unlock the drive. Slide the release latch toward the left.
  • Page 73 Customer Replaceable Parts Installing a Hard Disk Drive To install a hard disk drive: Power off the appliance and remove the power cords from the power supply units. Slide the replacement hard disk drive into the slot. Push the extraction handle until it closes and the drive clicks into place.
  • Page 74 Warning - Restoring factory defaults deletes all information on the appliance. Restoring Using the WebUI The Connectra appliance contains a default factory image of Connectra NGX R66. To restore the Connectra appliance to its default factory configuration using the WebUI: In the Connectra WebUI, click Appliance > Image Management.
  • Page 75 Restoring Factory Defaults Figure 4-8 Image Management Select the factory defaults image. Click Revert. Restoring Using the Console Boot Menu To restore the Connectra appliance to its default factory configuration using the console boot menu: Connect the supplied DB9 serial cable to the console port on the front of the appliance.
  • Page 76 Restoring Factory Defaults Switch on Connectra. The appliance begins the boot process and status messages appear in HyperTerminal. During the Connectra boot process, text similar to that shown below appears: Figure 4-9 Activating the Boot menu in HyperTerminal At this point, you have approximately four seconds to hit any key to activate the Boot menu.
  • Page 77 Restoring Factory Defaults The Boot menu opens. Scroll to the desired Reset to factory defaults image and press Enter. Figure 4-10 Boot menu in HyperTerminal Restoring Using the LCD Panel To restore the appliance its default factory configuration using the LCD panel at the front of the appliance: Reboot or power on the appliance.
  • Page 78 Restoring Factory Defaults Using the arrow buttons, select the Reset to R66 option, and press ENTER: Confirm the reset by pressing the Arrow Up button. Pressing any other button causes the Action Canceled message to display: At this point, pressing any key returns you to the boot menu.
  • Page 79 Restoring Factory Defaults When the appliance has been restored to its default factory configuration, the appliance reboots and the initializing message is displayed: Chapter 4 Connectra Hardware...
  • Page 80 Restoring Factory Defaults...
  • Page 81 Chapter Upgrading Connectra In This Chapter Introduction to Advanced Upgrade page 82 Advanced Upgrade to Locally Managed R66 page 83 Upgrade to Centrally Managed R66 from R61/62/62CM page 87 Upgrading a Connectra Cluster to R66 page 92...

  • Page 82: Upgrading Connectra Introduction To Advanced Upgrade

    Introduction to Advanced Upgrade Perform an advanced upgrade from Connectra NGX R62 to Connectra NGX R66 in order to migrate to a new Connectra server. The advanced upgrade procedure involves two machines. The first machine is the working Connectra machine. The new Connectra appliance is the second machine and the configuration of the first machine is imported to it.

  • Page 83: Advanced Upgrade To Locally Managed R66

    All settings in the Device menu of the administrator portal. • The Internal Certificate Authority (ICA). Advanced Upgrade Procedure to Locally Managed R66 To perform an advanced upgrade from Connectra NGX R62 to locally managed NGX R66: Insert CD1 into the original machine. Chapter 5 Upgrading Connectra...
  • Page 84 (.tgz) file. Wait while the database files are exported. Install new NGX R66 machine as per “Installation and Initial Configuration Procedures” on page The new machine must have the same IP address as the old machine.

  • Page 85: Completing The Advanced Upgrade To R66

    Completing the Advanced Upgrade to R66 <path_and_filename_of_tgz> where is the destination path of the configuration (.tgz) file and <connectra_object_name> is the name of your Connectra gateway. Note - The configuration (.tgz) file contains your Connectra configuration. It is recommended to back it up on a different machine and delete it from the Connectra machine after completing the import process.
  • Page 86 Completing the Advanced Upgrade to R66 Click Portal Customization settings or VPN Clients settings and edit the machine’s interface.

  • Page 87: Upgrade To Centrally Managed R66 From R61/62/62Cm

    Connectra R62CM Getting Started Guide. Follow this link to the Connectra NGX R62CM Upgrade Package or find it on the NGX R66 CD2 under /Utilities/R62CM/ Note - We recommend creating a database revision before installing the Connectra NGX R66 Plug-in. See the...
  • Page 88 Install the R66 Plug-in on version R65 of the SmartCenter server or Provider-1/SiteManager-1 Multi Domain Server. See “Installing the NGX R66 Plug-in” on page Note - If your SmartCenter is not already upgraded to R62CM, you must upgrade it before upgrading to centrally managed R66.
  • Page 89 Setting Up the SmartCenter and Installing the R66 Plug-in Figure 5-1 Smart Dashboard with Centrally Managed Connectra In SmartDashboard, switch to the Connectra tab. If Connectra objects were already defined prior to upgrading SmartCenter or the CMA: After the upgrade of SmartCenter or the CMA, Connectra objects and references in SmartDashboard become host objects and must be redefined.

  • Page 90: Setting Up The Smartcenter And Installing The R66 Plug-In 87 Setting Up Sic Trust

    Setting Up SIC Trust Create the Connectra gateway or gateway cluster object. For a Connectra gateway cluster, define cluster members. If there is SIC trust with the cluster members, reset SIC. Define the topology. When defining topology, the Get Interfaces operation does not return alias IP addresses for real interfaces.

  • Page 91: Installing Policy

    Installing Policy cpconfig • From the command line, run . Type 6 to select Secure Internal Communication. Complete the SIC trust establishment. Open the Connectra gateway or gateway cluster object in SmartDashboard. In the General Properties page, in the Communication window, enter the same one-time password supplied in the gateway side.

  • Page 92: Upgrading A Connectra Cluster To R66

    “For Connectra Cluster Users” on page 101 for licensing information. To upgrade a Connectra cluster from NGX R62CM to NGX R66: Install the R66 Plug-in on the NGX R65 SmartCenter. See “Setting Up the SmartCenter and Installing the R66 Plug-in” on...

  • Page 93: Overview

    Uninstalling Plug-ins in Provider-1 page 99 Overview While the Connectra NGX R66 Gateway cannot be uninstalled, the Plug-in for central management can be uninstalled. If you want to uninstall Connectra NGX R66’s central management capabilities, you must uninstall both the R66 Plug-in for...

  • Page 94: Uninstalling The R66 Plug-In For Central Management

    Central Management Before Uninstalling the R66 Plug-in: If you have the Connectra NGX R66 Plug-in installed on a SmartCenter, Log Server, Eventia Reporter, or other remote objects, and you want to uninstall the Plug-in from them, you must first do the following: Delete all Connectra objects from SmartDashboard.

  • Page 95: Removing The R66 Compatibility Package

    CPPIconR65-R66-00. • In Windows, use Add/Remove Programs to remove the Check Point Connectra NGX R66 Plug-in. Restart the system. Removing the R66 Compatibility Package Remove the Compatibility Package only after uninstalling the R66 Plug-in.
  • Page 96 Removing the R66 Compatibility Package then choose the package number corresponding to CPCON65CMP-R66-00. • In Windows, use Add/Remove Programs to remove the Check Point NGX R66 Connectra Compatibility Package. Restart the system.

  • Page 97: Uninstalling The Connectra Ngx R62Cm Plug-In

    Uninstalling the Connectra NGX R62CM Plug-in Uninstalling the Connectra NGX R62CM Plug-in To remove the Connectra NGX R62CM Plug-in: From the command line, run the pre-uninstall verifier as follows: In Linux, Solaris, or SecurePlatform: Run: cd /opt/CPPIconnectra-R65/bin/ Run: ./plugin_preuninstall_verifier Read the results. If it says you can remove the Plug-in, proceed to step In Windows:...

  • Page 98: Removing The R62Cm Compatibility Package

    Removing the R62CM Compatibility Package Removing the R62CM Compatibility Package Remove the R62CM Compatibility Package only after uninstalling the R62CM Plug-in. Remove the R62CM Compatibility Package as follows: • In Linux or SecurePlatform, run: rpm –e CPCON62CMP-R65-00 • In Solaris, run: pkgrm then choose the package corresponding to CPCON62CMP-R65.

  • Page 99: Uninstalling Plug-Ins In Provider-1

    Go to Management Plug-ins in the selection bar of the MDG. Double-click on a customer. Go to the Plug-ins tab. Select the plug-in to deactivate: PIconR66-R65 for Connectra NGX R66 or PIconnectra for Connectra NGX R62CM. Click Remove. Click OK. Follow the steps in “Uninstalling the R66 Plug-in for Central...
  • Page 100 Uninstalling the R62CM Plug-in in Provider-1 On the command line, run: rm -f/opt/CPPIconnectra-R65/conf/ PluginTableTypePairs.conf ; touch/opt/CPPIconnectra-R65/conf/PluginTableTypePai rs.conf Run the pre-uninstall verifier: /opt/CPPIconnectra-R65/bin/plugin_preuninstall_veri fier Remove the Connectra Central Management Plug-in: rpm -e CPPIconnectra-R65 • on Linux and SecurePlatform pkgrm CPPIconnectra-R65 • on Solaris mdsstop/mdsstart...

  • Page 101: Registration And Support

    Connectra requires a specific Check Point license. Obtain a license and register at: http://register.checkpoint.com/cpapp For Connectra Cluster Users Unlike previous versions of Connectra, in Connectra NGX R66, clusters can only be managed centrally, from an R65 SmartCenter or Provider-1 with the Connectra R66 Plug-in. Customers who:...

  • Page 102: Support

    Connectra Clusters" in their User Center account. If you are a customer satisfying these two conditions but do not see this new product in your User Center account, please contact Check Point's account services. This new license entitles customers to install a Check Point SmartCenter R65 on a dedicated server and manage their Connectra clusters from that server.

  • Page 103: Where To From Here

    (username and password required). Check Point documentation elaborates on this information and is available in PDF format on the Check Point CD as well as on the Technical Support download site at: http://www.checkpoint.com/support/technical/documents. Be sure to also use our Online Help when you are working with the Check Point SmartConsole clients.
  • Page 104 Where To From Here?

  • Page 105: My Connectra Appliance

    Chapter Notes The following pages provide space for notes and records related to your Connectra appliance and deployment. My Connectra Appliance Host name: IP address(es): Network mask: Default gateway: DNS servers: Connectra appliance version: Installed Hotfixes:...
  • Page 106 My Connectra Appliance...
  • Page 107 My Connectra Appliance Chapter 8 Notes 107...
  • Page 108 My Connectra Appliance...

  • Page 109: Index

    Index Additional Configuration via the Fingerprint 37 Administration Portal 41 Front Panel Components 58 Centrally Managed Gateway definition 15 Deployment 15, 35 Cluster configuration 51 Configuration Workflow 24 Configuring the Firewall Access Rules 26 Hardware 57 Connectra 13 Cooling Fans 64 Expansion Line Cards 62 Front Panel 58 Hard Disk Drives 63...
  • Page 110 Implemented 63 Secure Internal Communication (SIC) 35 Security Policy 15 SmartCenter Server 15 SmartConsole 15 SmartDashboard 15 Locally Managed Deployment 15, SSL acceleration card 53 Support 102 Management Type 35 Web/SSH and GUI Clients 35, 36 Network Connections 34 Password recovery login token 33 Registration 101 Restoring Factory Defaults 74 Restoring using Boot Menu 75...

Table of Contents