Tuesday, May 25, 2010

Installing and Configuring Checkpoint VSX Firewall Gateway

What is VSX:
VSX stands for Virtualized Security gateway. Ideal for ISPs, VSX allows many virtual firewalls to reside on a single hardware appliance (or several in the case of an HA environment). Though VSX is supported on many platforms, including SPLAT and Nokia, this guide is specific to VSX on Crossbeam X series firewalls.
Terminology:
VAP - Virtual Application Processor. Represents the resources and operating environment allocated for the APM.
APM - Application Processor Module. This is where the applications reside, such as Checkpoint, content filtering, and IPS (including Proventia G).
VAP Group - A group of APMs used for load balancing.
Root shell - Crossbeam has both a Unix root shell and a CPM. The root shell is accessed by typing "unix su" from the command line.
CPM - Control Processor Module. The managing environment for the Crossbeam; it manages most appliance functions and global configurations.
Installing VSX for the first time:
unix su
Copy the rpm for VSX to /usr/os/rpm
cd /usr/os/rpm
ls app*
rpm -i app-firewallvsx-NGX*-XXXXXXXXX-*.*.*.*.7xXOS.i686.rpm
Install to the VAP group
At the Crossbeam prompt (not unix):
show application
Displays loaded applications
application VSX vap-group version NGX install
You will be prompted to use existing settings if there is an existing configuration, to select the management interface, and to provide licensing information.
If the VAP group load count was set to 0, run the following command:
configure vap-group max-load-count
Next, all modules need to be reloaded. If you are unsure of the slot number, run the following command:
show ap-vap-mapping
reload module []
Reboot the module
Next reload the vap group:
reload vap-group
This reboots all APMs associated with this VAP group
In order to check the status of VSX, Application monitoring must be enabled.
application vsx vap-group <vap_group_name> configure
To check the status of the VAP group:
show application vap-group fw
Upgrading VSX NG to NGX:
1. First upgrade Checkpoint to NGX
2. Upgrade the modules/clusters; vsx_util upgrade
3. Remove VSX from the VSX VAP group: application VSX vap-group version NGAI uninstall
4. log in as root: unix su
5. Uninstall the VSX application: rpm -e app-firewallvsx-NGAI-Bx.x.x.x.7xXOS
6. Upgrade XOS (see the XOS guide)
7. Install VSX for NGX: rpm -i app-firewallvsx-NGX-x.x.x.x.7xXOS.i686.rpm
Log into the CPM and apply VSX to the VAP group: CBS# application VSX vap-group version NGX install
CBS# reload vap-group
8. On the VSX Management Station, run vsx_util reconfigure. Connect to the CMA which holds the cluster configuration and complete the reconfiguration. This will push the configuration/policies to the newly created modules.
9. Reload the VAP group:
reload vap-group
Configuring Checkpoint Firewall components on VSX:
Install the application to the VAP group:
From the CPM enter show application
This will show installed applications.
application VSX vap-group version NGX install
Activate the VAP group:
configure vap-group max-load-count
Next reload the modules associated with the VAP group:
reload module []
reload vap-group
If you are unsure of the module:
show ap-vap-mapping
Configuring VSX:
Configuring Single System Application Synchronization (SBHA) (Active/Passive) and Dual System Application Synchronization (Active/Active):
State synchronization (HA) in VSX is used to back up to other VAPs and to load balance. Circuits are configured for synchronization and should be unique for each VAP group.
application VSX vap-group group1 version NGX_EC config
Enable synchronization. Select "Enable Check Point High Availability/State Sync".
May require a reboot.
Create an internal circuit for the cluster:
config circuit internal
config circuit vap-group ip increment-per-vap
Eth0 and Eth1 cannot be used for the sync network.
To send broadcast sync packets, add the following line to $FWDIR/boot/modules/fwkern.conf on each VAP in the VAP group:
fw_sync_broadcast_ack=1
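Because the line has to be added on every VAP in the group, it is worth doing it idempotently so a repeat run neither duplicates the setting nor leaves a stale fw_sync_broadcast_ack=0 behind. The following shell functions are an added example (not from the original post or from Check Point/Crossbeam); they operate on a constructed sample file in a scratch directory rather than the real $FWDIR/boot/modules/fwkern.conf.

```shell
#!/bin/sh
# Added example: idempotently set a Check Point fwkern.conf parameter and
# verify it. The sample file below is constructed; on a gateway the target
# would be "$FWDIR/boot/modules/fwkern.conf" on each VAP.

# set_fwkern_param FILE KEY VALUE
# Appends KEY=VALUE if KEY is absent, rewrites the line if it holds a
# different value, and leaves the file untouched if it already matches.
set_fwkern_param() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        if grep -q "^${key}=${value}\$" "$file"; then
            return 0                       # already correct: nothing to do
        fi
        # rewrite only the matching line, keeping every other setting as-is
        sed "s/^${key}=.*/${key}=${value}/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# fwkern_param_is FILE KEY VALUE
# Returns 0 only if FILE contains exactly one KEY=VALUE line.
fwkern_param_is() {
    [ "$(grep -c "^${2}=${3}\$" "$1")" -eq 1 ]
}

# Constructed sample fwkern.conf (placeholder_param is a made-up key kept
# in the file to show that unrelated settings survive the edit).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/fwkern.conf"
printf 'placeholder_param=7\nfw_sync_broadcast_ack=0\n' > "$SAMPLE_CONF"

set_fwkern_param "$SAMPLE_CONF" fw_sync_broadcast_ack 1   # rewrites the 0
set_fwkern_param "$SAMPLE_CONF" fw_sync_broadcast_ack 1   # second run is a no-op
fwkern_param_is "$SAMPLE_CONF" fw_sync_broadcast_ack 1 && echo "fwkern.conf ok"
```

Run it once per VAP in the VAP group (the setting only takes effect after the VAP reboots, as the post notes for the sync change itself).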
On the CMA:
Create a VSX Gateway Cluster object and include each VAP as its member.
Set the synchronization network.
Download policies to the VSX Gateway Cluster object.
Disabling Application Synchronization:
application VSX vap-group group1 version NGX_EC config
In the Configuration Options menu, choose to disable Check Point High Availability/State Synchronization.
May require a reboot.
On the CMA remove all VAPs from the Gateway object.
Adding cluster members:
Increase the Max and Vap counts:
configure vap-group vap-count
configure vap-group max-load-count
Install VSX to the new VAP
application-update vap-group
Enter the management IP address and license information for the new cluster member.
Reboot the new VAP after the installation completes.
Add the new member. From the VSX Management station (Provider-1 or SmartCenter), use one of the following commands:
Backup of VSX configurations:
copy running-config
Or to backup a specific VSX configuration:
application VSX vap-group config
select the option to backup the VSX configuration.
Restore:
1. If restoring a VSX configuration in a Dual Box High Availability (DBHA) setup, make sure that every failover group using the VSX VAP group is disabled by using the configure vrrp failover-group no enable command.
2. If necessary, move the backup file to the backup directory on the respective VAP, for example:
mv /tftpboot/_1/usr/vsx-backup
3. Launch the application configuration program, using the following command:
CBS# application VSX vap-group <vap-group-name> config
4. In the Configuration Options menu, select the option to restore the VSX configuration.
5. When prompted, choose the option to cleanup before restore.
6. After the VSX restore, reload the VAP group.
7. If you disabled any failover groups, you need to re-enable them.
Troubleshooting:
VSX considerations:
The VSX application supports up to five members in a VSX cluster.
If Static NAT (Automatic or Manual) is defined for an IP address in the Security Policy of a Virtual System,
a route to that IP needs to be added to any Virtual Router connected to that Virtual System. This should be
done by adding the following "dummy" route on the NATing VS and propagating it to the EVR/VR:
destination , next hop .
Using SNMP to retrieve status information on the VSX gateway is supported only for the Management VS.
To activate Hub-mode for a Virtual System, you must edit the objects_5_0.C file using dbedit and set the
allow_VPN_routing_from_SR attribute on that Virtual System to true.
Before changing the VLAN ID of an interface configured in the Virtual System (VS) using
SmartDashboard, use the XOS CLI to delete all manual configurations associated with the VS circuit. For
example, if you bind an ARP entry to a VS circuit, you must manually remove the entry before changing the
VLAN ID.
By default every circuit created by VSX is placed into a different domain, which could have an effect on
performance. The VSX configuration option, Disable Overlapping IP Support, allows you to disable
overlapping IP Support and place every circuit into a single domain.
If configuring a bridge where a different VLAN is on each side of the bridge, use hide-vlan-header on the
firewall VAP group.
Deleting the VSX object from SmartDashboard removes the VSX object and its related Virtual Systems from the SmartCenter management only. The Virtual Systems are not deleted from the VSX gateway/cluster. To re-use the VAP group, run the reset_gw command on each cluster member. This clears the VSX configuration and prepares the modules for the new VSX installation.
SmartConsole's revision control is not supported.
Verifying VSX status:
show application vap-group
A large CPD.elg file may prevent VSX changes.
Start/stop/configure VSX:
application VSX vap-group <vap-group-name> version <version> start
application VSX vap-group <vap-group-name> version <version> config
application VSX vap-group <vap-group-name> version <version> stop
application VSX vap-group <vap-group-name> version <version> restart
application VSX vap-group <vap-group-name> version <version> uninstall
