Security System
R75.40VS for 61000
Getting Started Guide
23 January 2014
Protected
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
(http://supportcontent.checkpoint.com/documentation_download?ID=20444)
To learn more, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the R75.40VS for 61000 home page
(https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutio
nid=sk89900).
Revision History
Date
Description
23 January 2014
16 September 2013
9 July 2013
21 March 2013
10 February 2013
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R75.40VS Check Point 61000
Security System Getting Started Guide).
Do not block air vents. This is to ensure sufficient airflow for the individual SGMs in
the Chassis.
This appliance does not contain any user-serviceable parts. Do not remove any
covers or attempt to gain access to the inside of the product. Opening the device or
modifying it in any way has the risk of personal injury and will void your warranty.
The following instructions are for trained service personnel only.
Handle SGM system parts carefully to prevent damage. These measures are sufficient to protect your
equipment from static electricity discharge:
When handling components (Fans, CMMs, SGMs, PSUs, SSMs) use a grounded wrist-strap designed
for static discharge elimination.
Touch a grounded metal object before removing the board from the anti-static bag.
Hold the board by its edges only. Do not touch its components, peripheral chips, memory modules or
gold contacts.
When holding memory modules, do not touch their pins or gold edge fingers.
Restore SGMs to the anti-static bag when they are not in use or not installed in the Chassis. Some
circuitry on the SGM can continue operating after the power is switched off.
Do not let the lithium battery cell (used to power the real-time clock on the CMM) short. The battery can
heat up and become a burn hazard.
Warning
Do not operate the processor without a thermal solution. Damage to the processor can occur in
seconds.
Before you install or remove a chassis, or work near power supplies, turn off the power and unplug the
power cord.
For California:
Perchlorate Material - special handling can apply. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate
The foregoing notice is provided in accordance with California Code of Regulations Title 22, Division 4.5,
Chapter 33. Best Management Practices for Perchlorate Materials. This product, part, or both may include a
lithium manganese dioxide battery which contains a perchlorate substance.
Proposition 65 Chemical
Chemicals identified by the State of California, pursuant to the requirements of the California Safe Drinking
Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq. ("Proposition
65"), that is "known to the State to cause cancer or reproductive toxicity" (see http://www.calepa.ca.gov)
WARNING:
Handling the cord on this product will expose you to lead, a chemical known to the State of California to
cause cancer, and birth defects or other reproductive harm. Wash hands after handling.
Check Point Chassis Security System Getting Started Guide R75.40VS for 61000 | 4
Product Disposal
This symbol on the product or on its packaging indicates that this product must not be disposed of with your
other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it
over to a designated collection point for the recycling of waste electrical and electronic equipment. The
separate collection and recycling of your waste equipment at the time of disposal will help to conserve
natural resources and ensure that it is recycled in a manner that protects human health and the
environment. For more information about where you can drop off your waste equipment for recycling, please
contact your local city office or your household waste disposal service.
Do not block the air vents. The SGMs in the Chassis must have sufficient
ventilation.
This appliance contains no user-replaceable parts. Do not remove any
cover or try to reach the inside. Opening or modifying the appliance can
cause a risk of injury and will void the warranty. The following instructions
are reserved for trained maintenance personnel.
Handle SGM parts carefully to avoid damaging them. The following measures are
sufficient to protect your equipment against static electricity discharge:
Before handling a component (fan, CMM, SGM, PSU, SSM), wear a grounded
antistatic wrist strap.
Touch a grounded metal object before removing the board from its antistatic bag.
Hold the board only by its edges. Do not touch any component, peripheral chip, memory module
or gold-plated contact.
When handling memory modules, do not touch their pins or the gold contact
tracks.
Return SGMs to their antistatic bag when they are not in use or not installed in the
Chassis. Some SGM circuits can continue to operate even when the appliance is switched off.
Never short-circuit the lithium battery (which powers the real-time clock of the CMM). It could
heat up and start a fire.
Warning:
Do not operate the processor without cooling. The processor can be damaged within
seconds.
Before handling an appliance or its power supply units, switch it off and unplug its power
cable.
For California:
Perchlorate material: special handling may be required. See
http://www.dtsc.ca.gov/hazardouswaste/perchlorate
The following notice is provided in accordance with California Code of Regulations, Title 22, Division 4.5, Chapter 33.
Best Management Practices for Perchlorate Materials. This product, this part, or both
may contain a lithium manganese dioxide battery, which contains a perchlorate substance.
Proposition 65 Chemicals
Chemicals identified by the State of California, pursuant to the requirements of the California Safe
Drinking Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq.
("Proposition 65"), that are known to the State to cause cancer or reproductive
toxicity (see http://www.calepa.ca.gov)
WARNING:
Handling this cord exposes you to lead, an element known to the State of
California to cause cancer, birth defects and other reproductive
harm. Wash hands after handling.
This symbol on the product or its packaging means that the product must not be disposed of
with other household waste. It is your responsibility to take it to a designated collection point
for the recycling of electrical and electronic equipment. Separating your equipment at
disposal, and recycling it, helps to conserve natural resources and ensures that it is
recycled in a way that protects human health and the environment. For more information
about where to drop off your waste equipment, contact your municipality or waste
management service.
Contents
Important Information
Health and Safety Information
Information on Health and Safety
Introduction
  Overview of Check Point 61000 Security Systems
  Check Point Virtual Systems
  In this Document
  Shipping Carton Contents
Hardware Components
  61000 Security System Front Panel Modules
  Security Switch Module (SSM)
    SSM160 Security Switch Module
    SSM60 Security Switch Module
    Security Switch Module LEDs
  Security Gateway Module (SGM)
    SGM260 LEDs
    SGM SGM220 LEDs
  AC Power Supply Units (PSUs)
  AC Power Cords
  DC Power Entry Modules (PEMs)
    PEM Panel and LED Indicators
  Fan Trays
  Chassis Management Modules
  Blank Filler Panels for Airflow Management
    Front Blank Panels with Air Baffles
Step 1: Site Preparation
  Rack Mounting Requirements
  Required Tools
Step 2: Installing the Chassis in a Rack
Step 3: Installing Components and Connecting Power Cables
  Inserting AC Power Supply Units
  Inserting Fan Trays
  Inserting Chassis Management Modules
  Inserting Security Switch Modules
  Inserting Security Gateway Modules
  Inserting Transceivers
    Inserting Twisted Pair Transceivers
    Inserting Fiber Optic Transceivers
    Inserting QSFP Splitters
  Inserting Front Blank Panels
  Connecting AC Power Cables
  Connecting DC Power
  Connecting a Second Chassis
Step 4: Turning on the 61000 Security System
Step 5: Validating Chassis ID on a Dual Chassis Configuration
Step 6: Software Installation
  Before Installing Firmware and Software
  Installing SSM160 Firmware
  Installing the SGM Image
    Installing the SGM Using snapshot import
    Installing the SGM Image Using Removable Media
Step 7: Connecting to the Network
Introduction
Thank you for choosing Check Point's 61000 Security System. We hope that you will be satisfied with this
system and our support services. Check Point products supply your business with the most up to date and
secure solutions available today.
Check Point also delivers worldwide technical services including educational, professional and support
services through a network of Authorized Training Centers, Certified Support Partners and Check Point
technical support personnel to ensure that you get the most out of your security investment.
For additional information on the Internet Security Product Suite and other security solutions, refer to the
Check Point Web site (http://www.checkpoint.com), or call Check Point at 1(800) 429-4391. For additional
technical information about Check Point products, consult the Check Point Support Center
(http://supportcenter.checkpoint.com).
Welcome to the Check Point family. We look forward to meeting all of your current and future network,
application and management security needs.
Function
2 Chassis Management Modules (CMMs) Monitors the Chassis, the SSMs and the SGMs with
zero downtime.
The 61000 Security System:
Is highly fault tolerant, and provides redundancy between Chassis modules, power supplies and fans.
For extra redundancy, you can install a Dual Chassis deployment.
Has NEBS-ready and Non-NEBS versions. The Network Equipment Building Systems (NEBS) certificate
ensures that 61000 Security System meets the environmental and spatial requirements for products
used in telecommunications networks.
Includes a rich variety of CLI monitoring and management tools. The system can be centrally managed
from Check Point Security Management Server or a Multi-Domain Security Management.
Lets you install different numbers of SGMs to match the processing needs of your network.
You can operate the 61000 Security System as a Security Gateway or as a VSX Gateway for Check Point
Virtual Systems.
Administrators can replicate conventional physical security gateways with Virtual Systems to deliver
advanced protection to multiple networks and network segments. Up to 250 fully independent Virtual
Systems can be supported on the 61000 Security System, delivering scalability, availability and performance
while dramatically reducing hardware investment, space requirements and maintenance costs. The latest
Check Point technologies ensure the best performance for virtualized security; CoreXL technology utilizes
multi-core processors to increase throughput, 64-bit Gaia OS allows a significantly increased number of
concurrent connections.
Complete virtualization of network infrastructure allows easy deployment and configuration of network
topology with simpler inter-VS communication. Save the costs of external network routers and switches by
using integrated virtual routers, switches and links to direct traffic to their intended destinations.
KEY FEATURES
KEY BENEFITS
Reduced hardware cost and simplified network policy by consolidating multiple gateways into a single
device
Stronger performance and manageability enable enterprises to better leverage their investment
More granularity and greater manageability with customizable policies per Virtual System
In this Document
A step by step guide to getting the 61000 Security System up and running
Note - Screen shots in this guide may apply only to the highest model
to which this guide applies.
Description
Documentation
6 Fans (preinstalled)
EULA
Welcome document
Required Transceivers
SSM160 Transceivers
Ports
Required Transceivers
Hardware Components
This section is about the hardware components of the 61000 Security System.
Item
Description
The Security Gateway Modules (SGMs) in the Chassis work together as a single, high
performance Security Gateway or VSX Gateway. Adding a Security Gateway Module scales
the performance of the system. A Security Gateway Module can be added and removed
without losing connections. If an SGM is removed or fails, traffic is distributed to the other
active SGMs.
Security Gateway Module slots are numbered 1 to 12, left to right. Slot 7 for example,
(labeled [7] in the diagram) is the slot that is immediately to the right of the two Security
Switch Module slots.
Console port, for a serial connection to a specific SGM using a terminal emulation program.
The Security Switch Module (SSM) distributes network traffic to the Security Gateway
Modules and forwards traffic from the Security Gateway Modules. Two are inserted in a
chassis. Two SSM versions are available:
SSM60
SSM160
For more about each port, see Security Switch Module Ports ("Security Switch Module
(SSM)" on page 16).
5
The Chassis Management Module (CMM) monitors the status of the chassis hardware
components. It also supplies the DC current to the cooling fan trays.
If the Chassis Management Module fails or is removed from the chassis, the 61000 Security
System continues to forward traffic. However, hardware monitoring is not available. Adding
or removing a Security Gateway Module to or from the chassis is not recognized. If the two
CMMs are removed, the cooling fans stop working.
Warning - There must be at least one CMM in the chassis.
A second Chassis Management Module can be used to supply CMM High Availability.
In the CLI output, the lower slot is listed as bay 1. The upper slot is listed as bay 2.
Power:
3-5 PSUs
Or:
48 VDC to 60 VDC
2 PEMs
Upper slots are for DC PEMs. They are listed as bay 1 and bay 2, numbered right to
left.
Lower slots are for AC PSUs. They are listed as bay 1 to bay 5, numbered right to left.
SSM60
SSM160
On Left SSM:
eth1-Mgmt1, eth1-Mgmt2, ... eth1-Mgmt4
LED
Status
Description
Out of
service
Red
Power
Hot-swap
On (Normal) Power on
Off
Power off
Blue
Blue
blinking
Link
Off
N/A
On
Link enabled
Yellow
blinking
Link is active
Off
Link is disabled
SGM220
SGM240
The SGM240 has more powerful CPUs and uses a more advanced technology. It also has a different front
panel layout and different LEDs.
SGM260 LEDs
Item
LED
Status
Description
Out of
service
Red
Off (Normal)
SGM hardware is
normal
Green
(Normal)
Green
blinking
Off
Blue
Blue blinking
SGM is going to
standby mode. Do not
remove
Off (Normal)
CTRL
Link 1
CTRL
Link 2
Health
Hot-swap
SSM1 and
Yellow
SSM2
management
ports
Yellow
blinking
Off
Link enabled
Link is active
Link is disabled
10 Gbps
1 Gbps
100 Mbps
SPEED
2
Traffic
On
L2
Off
Not used
L1
Red. Lower
Right
Installation started
Red blink, in
sequence
Installation in progress
Red. All
Installation failure
Yellow.Left
Installation completed
Green. Right
SGM is being
configured. (Using First
Time Configuration
Wizard or adding a
new SGM into a
Chassis)
Off
2
3
4
LED
Status
Description
Out of
service
Red
Off (Normal)
Green
(Normal)
Green
blinking
Off
Blue
Blue blinking
Off (Normal)
Yellow
Link enabled
Yellow
blinking
Link is active
Off
Link is disabled
Yellow
10 Gbps
Green
1 Gbps
Off
100 Mbps
Health
Hot-swap
Link
Data port
speed
Management Yellow
port speed
Green
1 Gbps
100 Mbps
Off
10 Mbps
LEDs 2 and 4
- Green
Each PSU is located on a tray that slides directly into the backplane.
The AC Power inlets are located in the rear of the Chassis. Each power supply has one power inlet.
Item
Extraction handle for holding the PSU during extraction and insertion
Power Requirements:
Each PSU supplies power at these values:
1500W at 220VAC
1200W at 110VAC
Number of SGMs
10
12
AC Power Cords
The supplied AC power cords are specific to the geographical region. These are some of the available
power cords.
Region      Plug                  Connector              Cable
EU          KC-015, 16A 250V~     KC-003H, 10 A 250V~    H05RR-F,3G 0.75mm2
AUSTRALIA   KC-014, 10A 250V      KC-003H, 10 A 250V~    H05RR-F 3G 0.75mm2
UK          KC-039, 13A 250V~     KC-003H, 10 A 250V~    H05RR-F 3G 0.75mm2
JP          KC-001, 15A 125V      KC-003H, 15A 125V      VCTF 3G 2.0mm2
US          KC-001, 15A 125V      KC-003H, 15A 125V      SJT 14/3C 75C
CHINA       KC-017N, 10A 250V~    KC-003H, 10 A 250V~    H05RR-F 3G 0.7mm2
Item
Description
Handles. Used for holding the PEM during insertion and extraction.
Terminal blocks: -48/-60 VDC and Return. Each terminal block has 4 terminal studs.
Description
Status
Green: OK
Red: Failure
Green: OK
OFF: Working
Fault
HS
Important - Do not remove a PEM while an electrical charge remains in the wiring.
Before replacing a PEM, verify that the power source is disconnected and isolated.
The PEM's circuit breaker has only one pole and disconnects only the -48V lead. The
48VDC RTN lead is always connected.
Fan Trays
The cooling system consists of three high performance fan trays. The fan trays are at the rear of the
Chassis. Each tray contains two fans that supply air volume and velocity for cooling front and rear Chassis
components. Air flows from the inside to the outside of the Chassis.
Item
Description
Item
Description
General LEDs
Latch
Network port
Serial port
Alarm
Thumb screw
General LEDs
LED
Status
Meaning
ACT
Green
Red
Green blink
Green
Off
Steady blue
Blue blink
Off
PWR
HS (hot swap)
Status
Meaning
CRT (Critical)
Off
Normal operation
Red
Off
Normal operation
Red
Off
Normal operation
Red
MJR (Major)
MNR (Minor)
Item
Description
Slot cover
Tightening screws
Air Baffles
The rack is sufficiently strong to support the weight of a fully loaded Security System
(http://www.checkpoint.com/products/downloads/datasheets/61000-security-system-datasheet.pdf).
The rack rails are spaced sufficiently wide to accommodate the system's external dimensions.
There is sufficient space at the front and rear of the Chassis to let service personnel swap out
hardware components.
A readily accessible disconnect device is incorporated into the building's wiring. The disconnect device
must be placed between the system's AC power inlet and the power source. The disconnect device
rating required must be determined by the nominal input voltage.
There are at least two inches of clearance at the air inlets and outlets to make sure there is sufficient
airflow.
You have eight M6x10 (or longer) screws to mount the Chassis on the rack.
Required Tools
To install the appliance in a standard 19" rack, these tools are required:
Wrench
Twisted pair and fiber optic transceivers into ports on the Security Switch Modules
Power cables
To Insert a Fan:
1. Slide the fan into the allocated space.
2. Tighten the locking captive screw.
Open the latches at the top and bottom of the Security Switch Module.
Slide the SSM into the allocated slot.
Fasten the latches.
Tighten the screws.
Open the latches at the top and bottom of the Security Gateway Module.
Make sure the SGM is located correctly on the Chassis rail.
Slide the Security Gateway Module into the allocated slot.
Fasten the latches.
Tighten the thumb screws.
Inserting Transceivers
For connecting different interface types to the 61000 Security System using SFP, SFP+, or XFP ports on the
SSM, Security Switch Modules support Twisted Pair and Fiber Optic transceivers.
The type and number of transceiver ports available depends on the SSM.
Note - Remember to select a transceiver that matches the speed of the designated port.
Slide the transceiver into the open Security Switch Module port.
Slide the transceiver into the open Security Switch Module port.
Connecting DC Power
Connect the DC PEMs in the 61000 Security System to an external battery power source. You must have a
mains DC power supply system that includes batteries and a branch circuit breaker of 125A for each PEM.
The DC PEM is described in DC Power Entry Modules (PEMs) (on page 26)
4 DC wire leads for each PEM, to connect the PEM to the DC power supply. Use 6AWG wires. There is
no standard for DC wire color coding. Therefore, use the color coding of the DC power source (battery)
for the DC wire leads.
4 lugs (Panduit LCD6-10A-L) for each PEM. For connecting the wire leads to the PEM terminal blocks.
Wire cutters.
Hexagonal-head socket wrench, or nut driver for tightening nuts to terminal studs on each PEM.
To connect DC power:
Note - These instructions assume that the PEMs are installed in the 61000 Security
System Chassis.
1.
2.
3.
4.
7. Make sure that you have correctly connected the battery to the PEM. Do this by using a multimeter to
measure the resistance between disconnected PEM wire leads and the Battery Return pole.
For all the PEM wired leads, one at a time:
a) At the battery, disconnect a PEM wire lead from the battery.
b) Connect one multimeter probe to the battery Return and the other probe to the PEM wire lead.
A very large resistance (indicating an open circuit) shows that the wire lead is connected to
the PEM -48/-60VDC terminal.
A very low resistance (indicating a closed circuit) shows that the wire lead is connected to
the PEM Return terminal.
For the second Chassis, repeat Step 1: Site Preparation (on page 30) to Step 3: Installing Components
and Connecting Power Cables (on page 32)
On each SSM, connect the sync ports to the corresponding sync ports on the backup Chassis (eth1-Sync
in Chassis1 to eth1-Sync in Chassis2, eth2-Sync in Chassis1 to eth2-Sync in Chassis2).
After 1-60 seconds, fan speed slows down until it reaches the optimum rate for cooling.
If the installation wizard (Step 5) has not yet run, release the levers on each SGM to shut them down.
If the installation wizard has run, from gclish run: asg_hard_shutdown -b all
The CMMs on the same Chassis have the same Chassis ID.
The pairs of CMMs on different Chassis have different Chassis IDs.
The CMMs on Chassis <1> should include chassis_id <1> (SHMM_CHASSID=1). The CMMs on
Chassis <2> should include chassis_id <2> (SHMM_CHASSID=2).
Note - When a new CMM is added to the system, it is necessary to validate its
Chassis_ID. Make sure that Chassis for the new CMM is in Standby mode.
2. Open the outer box, and confirm that the stickers on the Chassis and the CMM blades are different for
each Chassis.
If the numbers are the same, contact Check Point Technical Support.
3. We recommend that you validate the CMM configured IDs.
a) Log in to the 61000 Security System.
(i) Connect the RJ-45 jack serial cable to the console port on CMM blade.
(ii) Connect the other end of the serial cable to the computer that you are using to do the initial
configuration of the 61000 Security System.
(iii) Connect to the 61000 Security System 160 using a terminal emulation application such as
PuTTY.
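The Chassis ID rules above can be checked offline once the ID reported by each CMM has been written down. The script below is an added example, not part of the Check Point guide: it does not query a CMM, and its input format (one line per CMM: Chassis number, CMM bay, `SHMM_CHASSID=<n>`) and the function name `check_chassis_ids` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): offline check of recorded CMM Chassis IDs.
# Assumed input, one line per CMM, written down by the operator:
#   <chassis 1|2> <CMM bay> SHMM_CHASSID=<n>

check_chassis_ids() {
    # Reads the inventory on stdin, prints one finding per line,
    # returns 0 if every rule holds and 1 otherwise.
    awk '
        NF == 0 || $1 ~ /^#/ { next }    # skip blank lines and comments
        {
            chassis = $1; bay = $2; id = $3
            if (chassis !~ /^[12]$/ ||
                sub(/^SHMM_CHASSID=/, "", id) != 1 || id !~ /^[0-9]+$/) {
                print "MALFORMED: " $0; bad = 1; next
            }
            count[chassis]++
            # Rule: CMMs on Chassis <n> should include SHMM_CHASSID=<n>.
            if ((id "") != (chassis "")) {
                printf "MISMATCH: Chassis %s bay %s reports SHMM_CHASSID=%s\n",
                       chassis, bay, id
                bad = 1
            }
            # Rule: CMMs on the same Chassis have the same Chassis ID.
            if (chassis in first) {
                if (first[chassis] != id) {
                    printf "SPLIT: Chassis %s has CMMs with IDs %s and %s\n",
                           chassis, first[chassis], id
                    bad = 1
                }
            } else {
                first[chassis] = id
            }
        }
        END {
            # The guide requires at least one CMM in each Chassis.
            for (c = 1; c <= 2; c++)
                if (!(c in count)) {
                    print "NO_CMM: no CMM recorded for Chassis " c; bad = 1
                }
            # Rule: CMMs on different Chassis have different Chassis IDs.
            if ((1 in first) && (2 in first) && first[1] == first[2]) {
                print "DUPLICATE: both Chassis report ID " first[1]; bad = 1
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: the upper CMM of Chassis 2 still carries ID 1.
check_chassis_ids <<'EOF' || echo "Chassis ID validation failed"
1 1 SHMM_CHASSID=1
1 2 SHMM_CHASSID=1
2 1 SHMM_CHASSID=2
2 2 SHMM_CHASSID=1
EOF
```

A `MISMATCH` or `SPLIT` finding corresponds to the case where the guide says to contact Check Point Technical Support.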
If you have a dual Chassis environment, connect only one Sync cable between the two Chassis.
Connect eth1-Sync on chassis1 to eth1-Sync on chassis2. (Connect the second sync cable
after installing software).
For IP management of the 61000 Security System, connect a cable to one of the management interfaces on
chassis1.
Connecting a Console
Use a console to configure a Security Group and an accessible management IP address on the 61000
Security System.
1. Connect the supplied DB9 serial cable to the console port on the front of the 61000 Security System.
2. Connect to the 61000 Security System using a terminal emulation program such as PuTTY or Microsoft
HyperTerminal.
3. Configure the terminal emulation program:
In PuTTY select the Serial connection type. Go to the Connection > Serial page.
In HyperTerminal Connect To window, select a port from the Connect using list.
Define the serial port settings: 9600 BPS, 8 bits, no parity, 1 stop bit. Flow control: None
4. Connect to the first SGM in the 61000 Security System.
5. Turn on the 61000 Security System.
6. Log in with username: admin and password: admin
By default, the SGM you are connected to belongs to the group: Chassis 1, SGM 1 (slot 1 in Chassis
1). For more about Security Gateway Module numbering, see 61000 Security System front panel
components ("61000 Security System Front Panel Modules" on page 14).
4. Select Network Connections.
For the management interface, configure:
An IP address
If you are directly connected to the management interface: Skip this step.
If you are not directly connected to the management interface: Define a route which will allow you to
access the 61000 Security System.
6. Click Next until you finish the installation wizard. At the Secure Internal Communication stage, enter a
dummy key.
Configuration settings are applied, and the Security Gateway Module reboots. Other Security Gateway
Modules in the Security Group are installed automatically.
Run the asg monitor command. An initial policy must be installed on the local SGM after initial setup
completes and the SGM reboots.
2. Connect to one SGM, using the management IP address configured in the installation wizard.
3. Copy the SSM160 firmware file to the SGM using the scp command to the IP address of the
management interface, to the /home/admin directory. This copies the file to the left-most SGM on the
active Chassis.
4. From this SGM, copy the firmware file to the other SGMs in the Security Group. Run:
>asg_cp2blades -b <blade_list> /home/admin/<file>
5. From this SGM, copy the firmware to the two SSMs in the Chassis. Run for each SSM:
scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@SSM[1|2]:/batm/current_version/
6. Enter the SCP password you received from Support.
You may see a read-only file system error. For example:
# scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@ssm2:/batm/current_version/
root@ssm2's password:
scp: /batm/current_version//2.4.B27.2.T-HUB4.tar.bz2: Read-only file system
If you see a read-only file system error do this:
a) Connect to the SSM via ssh. From the expert shell, run:
ssh ssm<1/2>
The password is admin
b) From default shell, run
unhide private
The password is private
c) Run the following commands:
#
#
#
#
For example:
blade 2_01
(Run exit to return to the previous SGM)
9. Repeat the firmware upgrade procedure on the two SSMs of the other Chassis.
Validation
To verify the upgrade, run
asg_version
All SSMs should have firmware version 2.4.B27.2.
Download the Check Point ISOmorphic utility to create a bootable USB device from the ISO. See
sk65205 (http://supportcontent.checkpoint.com/solutions?id=sk65205).
3. You can install many SGMs at one time. Copy the ISO image to many USB sticks or DVD drives.
Connect an external DVD drive to the USB port. Put the DVD with the ISO file in the DVD drive.
Item  Description
1     USB port
2     One of two latches for extracting and inserting the SGM.
2. Connect the supplied DB9 serial cable to the console port on the front of the upper SGM on the 61000
Security System.
3. Connect to the left-most SGM using a terminal emulation program.
4. Reboot the SGM by partially sliding it out and immediately pushing it back in place:
a) Loosen the thumb screws at the top and bottom of the SGM.
b) Open the latches at the top and bottom of the SGM.
c) Fasten the latches.
d) Tighten the thumb screws.
5. When the first screen shows, select Install Gaia on the system and press Enter.
6. You must press Enter within 60 seconds, or the computer will try to start from the hard drive. The timer
countdown stops once you press Enter. There is no time limit for the subsequent steps.
7. Press OK to continue with the installation.
After the installation, the 61000 Security System begins the boot process and status messages show in
the terminal emulation program.
8. Install the SGM image on the other SGMs. To install on one SGM at a time repeat all the steps for each
SGM. To install on many SGMs at one time:
a) Insert all the USB sticks or DVD drives into the USB ports of the other SGMs.
b) On one SGM at a time:
2. Connect the management ports on the Security Switch Modules to your network.
3. Connect the data ports on the Security Switch Modules to your network.
Connecting a Console
1. Connect the RJ-45 jack end of a serial cable to the console port on the upper 61000 Security System in
the Chassis.
2. Connect the other end of the serial cable to the computer that you will use to do the initial configuration
of the 61000 Security System.
3. On the configuration computer, connect to the 61000 Security System using a terminal emulation
application such as PuTTY.
No IP address is necessary
4. Log in with username: admin and password: admin.
By default, the SGM you are connected to belongs to the group: Chassis 1, SGM 1 (slot 1 in Chassis
1). To define a fully populated dual Chassis system, select all in the top and bottom lines. For more
about Security Gateway Module numbering, see 61000 Security System front panel components
("61000 Security System Front Panel Modules" on page 14).
5. The subnet for internal communication in the Chassis is 192.0.2.0/24 by default. Change the IP address
if it conflicts with an existing subnet on your network.
6. Configure parameters for:
Host Name
There are 4 management ports on each SSM. Only configure those ports you intend to use. To
associate port names with the physical ports, refer to Security Switch Module Ports ("Security
Switch Module (SSM)" on page 16). For each management port configure:
An IP address
To associate data port names with the physical ports, refer to Security Switch Module Ports
("Security Switch Module (SSM)" on page 16). For each data port configure:
An IP address
System Validation
Make sure that the initial system setup is completed successfully by:
Running the asg monitor command. An initial policy must be installed on the local SGM after initial
setup completes and the SGM reboots.
After installation, all the SGMs in the security group must be UP and in the Initial Policy state.
Step 9: SmartDashboard Configuration
The 61000 Security System can work as a Security Gateway or as a VSX Gateway. The Security
Management Server must be R75.40VS for 61000 or higher.
Do one of these procedures:
Gateway name
Gateway IP address
6. Click Next.
7. In the Secure Internal Communication Initialization screen, enter the One-time password. This is
the same as the Activation Key you entered during the initial setup.
8. Click Next.
9. View the Configuration Summary.
10. Select Edit Gateway properties for further configuration.
11. Click Finish.
The General Properties page of the 61000 Security System object opens.
12. In the General Properties page, make sure the Version is correct.
13. Enable the Firewall Software Blade. If required, enable other supported Software Blades.
14. In the navigation tree, select Topology.
15. Configure:
Anti-Spoofing.
Note: Only data and management interfaces are shown in the list.
4. Make sure the Policy Date matches the time that the policy was installed.
Virtual System
Virtual Router
Virtual Switch
To learn about how VSX works, architecture, concepts and virtual devices, see the R75.40VS Check Point
VSX Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk76540).
The VSX Gateway in this example has one Virtual System (VS0) and one dedicated management interface.
After you complete the VSX Gateway Wizard, you can change the VSX Gateway definition from
SmartDashboard. For example, you can add Virtual Systems, add or delete interfaces, or configure existing
interfaces to support VLANs.
Note - The Check Point VSX Gateway Wizard is version dependent. The steps may vary slightly.
VSX Gateway Name: Unique, alphanumeric for the VSX Gateway. The name cannot contain spaces or
special characters except the underscore.
VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the drop-down list.
Separate Interfaces: Virtual Systems use their own separate internal and external interfaces. This
template creates a Dedicated Management Interface (DMI) by default.
Custom Configuration: Define Virtual System, Virtual Router, Virtual Switch, and Interface
configurations.
You can now add more SGMs to the Security Group. Use the asg security_group tool.
Run asg monitor -vs all. After all SGMs are UP and enforcing Security, you can add Virtual Systems
to the VSX Gateway.
Virtual Context
To:
Run
Applicable
Modes
Move to a different
virtual context
VSX Gateway
Run
Applicable
Modes
Interfaces
To:
Security Gateway
Security Gateway
To:
Run
Applicable
Modes
Security Gateway
Security Gateway
VSX Gateway
Hostname
(each SGM gets its local identity as suffix. For example VSX Gateway
gcp-X1000-ch01-04)
Show the hostname
# show hostname
Security Gateway
VSX Gateway
Routes
To:
Run
Applicable
Modes
Security Gateway
# show route
Security Gateway
VSX Gateway
Bonds
To:
Run
Applicable
Modes
Security Gateway
VSX Gateway
To:
Run
Applicable
Modes
Security Gateway
VSX Gateway
VLANs
To:
Run
Applicable
Modes
Security Gateway
Security Gateway
VSX Gateway
Run
Applicable
Modes
Add a snapshot
Security Gateway
Security Gateway
Revert to a snapshot
VSX Gateway
VSX Gateway
Show snapshots and
monitor snapshot
progress
show snapshots
Security Gateway
VSX Gateway
To retrieve the Chassis serial number (if a policy is installed on the SGM)
1. Open a command line window on one of the SGMs on the Chassis.
2. Run:
asg_serial_info
The output shows the Chassis Serial Number.
To retrieve the Chassis serial number (if no policy is installed on the SGM)
1. Connect to one of the SGMs on the Chassis
2. Connect to the Active CMM and run:
ssh 198.51.100.33
This is the permanent, static IP address of the Active CMM.
3. On the CMM, run: clia fruinfo 20 254.
The output shows the Chassis Serial Number.
If you use the cplic command, run it from gclish so that it applies to all SGMs. Run cplic twice
if you have a dual Chassis environment.
Up-time
Concurrent connections
Health
Description
None
-v
<vs_ids>
Shows the Chassis status of multiple Virtual systems. Specify the VS IDs. For
example 4, 7, 8, 10.
For a Chassis with more than 3 SGMs, the output has abbreviations to make
the output more compact.
-l
Show the meaning of the abbreviations in the output for a Chassis with more
than 3 SGMs.
Syntax
asg monitor -h
asg monitor [-v] [interval]
asg monitor all [interval]
asg monitor [-vs <vs_ids>]
asg monitor -l
Parameter
Description
None
Show summary SGM and Chassis status with data refresh every
second.
-h
interval
Set the data refresh interval (in seconds) for the current session.
-v
all
show
-vs <vs_ids> Shows the component status for one or more Virtual Systems in a
comma-separated list. You can also specify all to show all Virtual
Systems.
For a Chassis with more than 3 SGMs, the output has abbreviations
to make the output more compact.
all
-l
Examples
> asg monitor
---------------------------------------------------------------------------
| VS ID: 0               VS Name: Athens                                  |
---------------------------------------------------------------------------
| Chassis 1              STANDBY                                          |
---------------------------------------------------------------------------
| SGM ID      State      Process               Policy Date                |
| 1           DOWN       Inactive              NA                         |
| 2           UP         Enforcing Security    12Jan14 14:44              |
| 3           UP         Enforcing Security    12Jan14 14:44              |
| 4           UP         Enforcing Security    12Jan14 14:44              |
| 5           UP         Enforcing Security    12Jan14 14:44              |
---------------------------------------------------------------------------
| Chassis 2              ACTIVE                                           |
---------------------------------------------------------------------------
| SGM ID      State      Process               Policy Date                |
| 1 (local)   UP         Enforcing Security    12Jan14 14:44              |
| 2           UP         Enforcing Security    12Jan14 14:44              |
| 3           UP         Enforcing Security    12Jan14 14:44              |
| 4           UP         Enforcing Security    12Jan14 14:44              |
| 5           UP         Enforcing Security    12Jan14 14:44              |
---------------------------------------------------------------------------
| Chassis HA mode:       Active Up                                        |
---------------------------------------------------------------------------
This example shows the SGM and Chassis HA status.
> asg monitor -vs 3
-------------------------------------------------------------------------------
| Chassis 1                    ACTIVE                                         |
-------------------------------------------------------------------------------
|SGM  |1 (l)|2    |3    |4    | -   | -   | -   | -   | -   | -   | -   | -   |
-------------------------------------------------------------------------------
This example shows the status of the SGMs and Virtual System 3.
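The checks this guide asks for after setup and policy installation (every SGM UP, in the expected policy state, with a matching Policy Date) can be run over saved asg monitor output. The Python below is an added example, not part of the Check Point guide; the function names, the constructed sample text and the comparison against the most common Policy Date are assumptions.

```python
import re
from collections import Counter

# Constructed sample, laid out like the `asg monitor` example in this guide.
SAMPLE = """\
---------------------------------------------------------------------------
| VS ID: 0               VS Name: Athens                                  |
---------------------------------------------------------------------------
| Chassis 1              STANDBY                                          |
---------------------------------------------------------------------------
| SGM ID      State      Process               Policy Date                |
| 1           DOWN       Inactive              NA                         |
| 2           UP         Enforcing Security    12Jan14 14:44              |
---------------------------------------------------------------------------
| Chassis 2              ACTIVE                                           |
---------------------------------------------------------------------------
| SGM ID      State      Process               Policy Date                |
| 1 (local)   UP         Enforcing Security    12Jan14 14:44              |
| 2           UP         Initial Policy        10Jan14 08:02              |
| 3           UP         Enforcing Security    11Jan14 09:10              |
---------------------------------------------------------------------------
| Chassis HA mode:       Active Up                                        |
---------------------------------------------------------------------------
"""

CHASSIS_RE = re.compile(r"^\|\s*Chassis\s+(\d+)\s+(ACTIVE|STANDBY)\s*\|$")
# SGM id, optional "(local)" marker, state, process, policy date. Columns are
# separated by runs of two or more spaces, so "Enforcing Security" stays whole.
SGM_RE = re.compile(
    r"^\|\s*(\d+)(\s*\(local\))?\s+(UP|DOWN)\s{2,}(.+?)\s{2,}(\S.*?)\s*\|$"
)


def parse_asg_monitor(text):
    """Return one dict per SGM row, tagged with its Chassis number and role."""
    rows, chassis, role = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHASSIS_RE.match(line)
        if m:
            chassis, role = int(m.group(1)), m.group(2)
            continue
        m = SGM_RE.match(line)
        if m and chassis is not None:
            rows.append({
                # <chassis>_<slot> naming, as used by asg search and asg resource
                "sgm": f"{chassis}_{int(m.group(1)):02d}",
                "chassis_role": role,
                "local": m.group(2) is not None,
                "state": m.group(3),
                "process": m.group(4),
                "policy_date": m.group(5),
            })
    return rows


def find_enforcement_gaps(rows, expected_process="Enforcing Security"):
    """List SGMs that are down, in another process state, or whose Policy Date
    differs from the most common date among SGMs in the expected state."""
    in_state = [r for r in rows
                if r["state"] == "UP" and r["process"] == expected_process]
    dates = Counter(r["policy_date"] for r in in_state)
    majority = dates.most_common(1)[0][0] if dates else None
    gaps = []
    for r in rows:
        if r["state"] != "UP":
            gaps.append((r["sgm"], f"state {r['state']}"))
        elif r["process"] != expected_process:
            gaps.append((r["sgm"], f"process {r['process']}"))
        elif r["policy_date"] != majority:
            gaps.append((r["sgm"],
                         f"policy date {r['policy_date']} != {majority}"))
    return gaps


if __name__ == "__main__":
    for sgm, reason in find_enforcement_gaps(parse_asg_monitor(SAMPLE)):
        print(f"SGM {sgm}: {reason}")
```

Pass expected_process="Initial Policy" for the check that follows initial setup, before a policy is installed from SmartDashboard.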
Syntax
asg perf [-b <SGM_string>] [-vs <VS_string>] [-v] [-p] [-a]
[-k[-last|--hist]] [-e]
Parameter
Description
-b <SGM_string>
-vs <VS_string>
VS 1
1,3-5 VS 1,2,4,5
all
All VSs
-p
-a
-k
-h
Display usage.
Example
If no SGMs are specified, the command shows performance statistics for the Active Chassis:
> asg perf -v
Output
Notes:
Load Average = CPU load.
Power Supply Unit: Whether installed or not, and PSU fan speed
Syntax
asg hw_monitor [-v] [-f <filter>]
Parameter
Description
none
-v
-f
<filter>
| CPUtemp          | blade 1, CPU0  | 46   | 65   | Celsius     | 1 |
| CPUtemp          | blade 1, CPU1  | 46   | 65   | Celsius     | 1 |
| CPUtemp          | blade 2, CPU0  | 48   | 65   | Celsius     | 1 |
| CPUtemp          | blade 2, CPU1  | 49   | 65   | Celsius     | 1 |
| CPUtemp          | blade 3, CPU0  | 46   | 65   | Celsius     | 1 |
| CPUtemp          | blade 3, CPU1  | 47   | 65   | Celsius     | 1 |
| CPUtemp          | blade 4, CPU0  | 46   | 65   | Celsius     | 1 |
| CPUtemp          | blade 4, CPU1  | 50   | 65   | Celsius     | 1 |
| CPUtemp          | blade 5, CPU0  | 50   | 65   | Celsius     | 1 |
| CPUtemp          | blade 5, CPU1  | 49   | 65   | Celsius     | 1 |
| CPUtemp          | blade 6, CPU0  | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 6, CPU1  | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 7, CPU0  | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 7, CPU1  | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 8, CPU0  | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 8, CPU1  | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 9, CPU0  | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 9, CPU1  | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 10, CPU0 | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 10, CPU1 | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 11, CPU0 | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 11, CPU1 | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 12, CPU0 | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 12, CPU1 | 0    | 65   | Celsius     | 0 |
| Fan              | bay 1, fan 1   | 5    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 2   | 5    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 1   | 5    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 2   | 5    | 11   | Speed Level | 1 |
| Fan              | bay 3, fan 1   | 5    | 11   | Speed Level | 1 |
| Fan              | bay 3, fan 2   | 5    | 11   | Speed Level | 1 |
| PowerConsumption | N/A            | 2711 | 4050 | Watts       | 1 |
| PowerUnit(AC)    | bay 1          | 0    | 0    | NA          | 1 |
| PowerUnit(AC)    | bay 2          | 0    | 0    | NA          | 1 |
| PowerUnit(AC)    | bay 3          | 0    | 0    | NA          | 1 |
| PowerUnit(AC)    | bay 4          | 0    | 0    | NA          | 0 |
| PowerUnit(AC)    | bay 5          | 0    | 0    | NA          | 0 |
| PowerUnitFan     | bay 1, fan 1   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 1, fan 2   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 2, fan 1   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 2, fan 2   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 3, fan 1   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 3, fan 2   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 4, fan 1   | 0    | 0    | NA          | 0 |
| PowerUnitFan     | bay 4, fan 2   | 0    | 0    | NA          | 0 |
| PowerUnitFan     | bay 5, fan 1   | 0    | 0    | NA          | 0 |
| PowerUnitFan     | bay 5, fan 2   | 0    | 0    | NA          | 0 |
| SSM              | bay 1          | 0    | 0    | Mbps        | 1 |
| SSM              | bay 2          | 0    | 0    | Mbps        | 1 |
---------------------------------------------------------------------
| CPUtemp          | blade 3, CPU1  | 45   | 65   | Celsius     | 1 |
| CPUtemp          | blade 4, CPU0  | 45   | 65   | Celsius     | 1 |
| CPUtemp          | blade 4, CPU1  | 46   | 65   | Celsius     | 1 |
| Fan              | bay 1, fan 1   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 2   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 3   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 4   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 5   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 6   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 7   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 8   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 9   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 10  | 4    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 1   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 2   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 3   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 4   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 5   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 6   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 7   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 8   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 9   | 4    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 10  | 4    | 11   | Speed Level | 1 |
| PowerConsumption | N/A            | 1894 | 4050 | Watts       | 1 |
| PowerUnit(AC)    | bay 1          | 0    | 0    | NA          | 1 |
| PowerUnit(AC)    | bay 2          | 0    | 0    | NA          | 1 |
| PowerUnit(AC)    | bay 3          | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 1, fan 1   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 1, fan 2   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 2, fan 1   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 2, fan 2   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 3, fan 1   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 3, fan 2   | 0    | 0    | NA          | 1 |
| SSM              | bay 1          | 40   | 0    | Mbps        | 1 |
| SSM              | bay 2          | 0    | 0    | Mbps        | 1 |
---------------------------------------------------------------------
| Chassis 2                                                         |
---------------------------------------------------------------------
| CMM              | bay 1          | 1    | 0    | <S,D>/<A>   | 1 |
| CMM              | bay 2          | 0    | 0    | <S,D>/<A>   | 1 |
| CPUtemp          | blade 1, CPU0  | 47   | 65   | Celsius     | 0 |
| CPUtemp          | blade 1, CPU1  | 51   | 65   | Celsius     | 0 |
| CPUtemp          | blade 2, CPU0  | 46   | 65   | Celsius     | 1 |
| CPUtemp          | blade 2, CPU1  | 56   | 65   | Celsius     | 1 |
| CPUtemp          | blade 3, CPU0  | 49   | 65   | Celsius     | 1 |
| CPUtemp          | blade 3, CPU1  | 51   | 65   | Celsius     | 1 |
| CPUtemp          | blade 4, CPU0  | 0    | 65   | Celsius     | 0 |
| CPUtemp          | blade 4, CPU1  | 0    | 65   | Celsius     | 0 |
| Fan              | bay 1, fan 1   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 2   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 3   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 4   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 5   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 6   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 7   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 8   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 9   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 1, fan 10  | 3    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 1   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 2   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 3   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 4   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 5   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 6   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 7   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 8   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 9   | 3    | 11   | Speed Level | 1 |
| Fan              | bay 2, fan 10  | 3    | 11   | Speed Level | 1 |
| PowerConsumption | N/A            | 1624 | 4050 | Watts       | 1 |
| PowerUnit(AC)    | bay 1          | 0    | 0    | NA          | 1 |
| PowerUnit(AC)    | bay 2          | 0    | 0    | NA          | 1 |
| PowerUnit(AC)    | bay 3          | 0    | 0    | NA          | 0 |
| PowerUnitFan     | bay 1, fan 1   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 1, fan 2   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 2, fan 1   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 2, fan 2   | 0    | 0    | NA          | 1 |
| PowerUnitFan     | bay 3, fan 1   | 0    | 0    | NA          | 0 |
| PowerUnitFan     | bay 3, fan 2   | 0    | 0    | NA          | 0 |
| SSM              | bay 1          | 2    | 0    | Mbps        | 1 |
| SSM              | bay 2          | 0    | 0    | Mbps        | 1 |
---------------------------------------------------------------------
Notes
Column
Meaning
Location
To identify the location, see the 61000 Security System Front Panel ("61000 Security
System Front Panel Modules" on page 14).
Value
Threshold
Units
Most components have a defined threshold value. The threshold gives an indication of the
health and functionality of the component. When the value of the resource is greater than
the threshold, an alert is sent ("Configuring Alerts for SGM and Chassis Events (asg alert)"
on page 71).
State
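The threshold rule in the notes above (a value greater than its threshold raises an alert) can be applied offline to saved asg hw_monitor output. The Python below is an added example, not part of the Check Point guide; the function names and the constructed sample rows are assumptions, as are two interpretations the guide does not spell out: a threshold of 0 is treated as "no threshold defined", and a State of 0 is reported for review.

```python
import re

# Constructed sample rows in the six-column layout of the hw_monitor output
# in this guide: | type | location | value | threshold | units | state |
SAMPLE = """\
---------------------------------------------------------------------
| Chassis 1                                                         |
---------------------------------------------------------------------
| CPUtemp          | blade 1, CPU0  | 46   | 65   | Celsius     | 1 |
| CPUtemp          | blade 2, CPU1  | 71   | 65   | Celsius     | 1 |
| CPUtemp          | blade 6, CPU0  | 0    | 65   | Celsius     | 0 |
| Fan              | bay 1, fan 1   | 5    | 11   | Speed Level | 1 |
| PowerConsumption | N/A            | 2711 | 4050 | Watts       | 1 |
| PowerUnit(AC)    | bay 4          | 0    | 0    | NA          | 0 |
| SSM              | bay 1          | 40   | 0    | Mbps        | 1 |
---------------------------------------------------------------------
| Chassis 2                                                         |
---------------------------------------------------------------------
| CMM              | bay 1          | 1    | 0    | <S,D>/<A>   | 1 |
| CPUtemp          | blade 1, CPU0  | 47   | 65   | Celsius     | 0 |
---------------------------------------------------------------------
"""

CHASSIS_RE = re.compile(r"Chassis\s+(\d+)")


def parse_hw_monitor(text):
    """Return one dict per component row, tagged with its Chassis number."""
    rows, chassis = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue  # separator lines carry no data
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 1:
            m = CHASSIS_RE.fullmatch(cells[0])
            if m:
                chassis = int(m.group(1))
            continue
        # Skip anything that is not a six-column row with numeric
        # value, threshold and state cells (for example a header row).
        if len(cells) != 6 or not all(cells[i].isdigit() for i in (2, 3, 5)):
            continue
        rows.append({
            "chassis": chassis,
            "type": cells[0],
            "location": cells[1],
            "value": int(cells[2]),
            "threshold": int(cells[3]),
            "units": cells[4],
            "state": int(cells[5]),
        })
    return rows


def find_hw_issues(rows):
    """Flag rows over threshold, then rows whose State column is 0."""
    issues = []
    for r in rows:
        key = (r["chassis"], r["type"], r["location"])
        # Assumption: threshold 0 means the component has no threshold, so an
        # SSM row such as "40 / 0 Mbps" is not an over-threshold condition.
        if r["threshold"] > 0 and r["value"] > r["threshold"]:
            issues.append(
                key + (f"{r['value']} > {r['threshold']} {r['units']}",))
        # Assumption: State 0 marks a component that needs review (the
        # guide's State description is not available here).
        elif r["state"] == 0:
            issues.append(key + ("state 0",))
    return issues


if __name__ == "__main__":
    for chassis, kind, where, why in find_hw_issues(parse_hw_monitor(SAMPLE)):
        print(f"Chassis {chassis} {kind} {where}: {why}")
```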
Syntax
asg resource [-b sgm]
Parameter
Description
-b sgm
-h
One SGM
Example
> asg resource [-b sgm]
+-----------------------------------------------------------------------------------+
|Resource Table                                                                     |
+------------+-------------------------+------------+------------+------------------+
|SGM ID      |Resource Name            |Usage       |Threshold   |Total             |
+------------+-------------------------+------------+------------+------------------+
|1_01        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
Notes
Column descriptions:
1. The Resource column identifies the resource. There are 4 kinds of resources:
Memory
Find out which SGM handles the connection (actively or as backup), and which Chassis.
Syntax
asg search
asg search <src> <dst> <dport> <ipp> <sport>
asg search -v
asg search -help
Parameter
Description
asg search
-v
Verbose mode
-help
Display usage
Example 1
Output
Comments
Lookup for conn: <10.33.86.2, *, 10.33.87.101, *, *>, may take few seconds...
<10.33.86.2, 2686, 10.33.87.101, 22, tcp> -> [1_01 A, 1_03 B, 2_01 B]
Legend:
A - Active SGM
B - Backup SGM
Example 2
Output
Comments
may take few seconds...
[1_01 A, 1_07 B, 2_01 B]
[1_01 A, 1_07 B, 2_01 B]
[1_01 A, 1_07 B, 2_01 B]
Searching for tcp connection with source IP address 10.33.86.2 and destination port
8080.
The output shows three connections handled on SGM 1_01 with a backup on SGM
1_07 and 2_01.
Description
Edit Configuration
Show Configuration
Run Test
Event types
Alert mode
These sections include details about the alert parameters that you configure with the wizard.
SMS alert parameters
SMS Provider URL - Fully qualified URL to your SMS provider based on this syntax.
HTTP proxy and port (Optional) - Necessary only if your Security Gateway requires a proxy server to
reach the SMS provider.
SMS rate limit - Maximum number of SMS messages sent per hour. When there are too many
messages, the others are sent together as one message.
SMTP server IP - Configure one or more SMTP servers to which the email alerts will be sent.
Email recipient addresses - Configure one or more recipient email addresses for each SMTP
server.
Periodic connectivity checks - Run a periodic test to make sure that there is connectivity with the
SNMP servers. If there is no connectivity, alert messages are saved and sent in one email when
connectivity is restored.
Sender email address - Configure a sender email address for email alerts.
SNMP manager name - Configure a name for your SNMP manager (unique)
SNMP v3 user name - If using SNMP v3 authentication, you must configure this.
SNMP user text - Custom text for the SNMP trap messages.
SNMP community string - Configure the community string for the SNMP manager.
See SNMP for more information.
Log alert parameters
There are no configurable parameters for log alerts
Event types
You can select one or more event types:
Chassis States:
1. SGM State
2. Chassis State
3. Port State
4. Pingable Hosts State
Hardware Components:
5. Fans
6. SSM
7. CMM
8. Power Supplies
9. CPU Temperature
Performance Events:
10. Concurrent Connections
11. Connection Rate
12. Packet Rate
13. Throughput
14. CPU Load
15. Hard Drive Utilization
16. Memory Utilization
Alert Modes
Software versions
Hardware status
SNMP Traps
The 61000 Security System supports SNMP traps.
Configuring asg alerts ("Configuring Alerts for SGM and Chassis Events (asg alert)" on page 71)
Monitor global SNMP data from the 61000 Security System. Data is accumulated
from all SGMs for all Virtual Systems.
VS Mode -
You cannot run remote SNMP queries for each Virtual System. You can only run a remote SNMP query
on VS0.
You can use the CLI to change the Virtual System context and then run a local SNMP query on a Virtual
System.
VS Mode Example 1
To query a Virtual System for traffic throughput, from a remote Linux host:
[admin@linux-snmp] snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -n ctxname_vsid1 -v 3 -l authNoPriv -u jon -A mypassword 192.0.2.72 asgThroughput
VS Mode Example 2
To query a Virtual System for traffic throughput, from its virtual context:
1. Enter expert mode.
2. Move to the Virtual System. Run
vsenv <vs_id>
3. Run
[Expert@VSX-Box:7] snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -v 2c -c public localhost asgThroughput
Troubleshooting Commands
This section lists the most important gclish commands that you can use to troubleshoot the 61000
Security System.
Parameters
asg diag list [[TestNum1][,TestNum2]...]
asg diag verify [[TestNum1][,TestNum2]...]
asg diag print [[TestNum1][,TestNum2]...]
asg diag purge [Number of logs to keep]
Parameter
list
Description
Show the list of tests.
verify
[[TestNum1][,TestNum2]...]
purge
Example 1
Output 1
-------------------------------------------------------
| ID | Title              | Command                   |
-------------------------------------------------------
| System Components                                   |
-------------------------------------------------------
| 1  | System Health      | asg stat -d               |
| 2  | Hardware           | asg hw_monitor -q         |
| 3  | Resources          | asg resource -q           |
| 4  | Software Versions  | asg_version verify -v     |
| 5  | CPU Type           | cpu_socket_verifier -v    |
| 6  | Media Details      | transceiver_verifier -v   |
-------------------------------------------------------
| Policy and Configuration                            |
-------------------------------------------------------
| 7  | Distribution Mode  | dist_verify -d            |
| 8  | Policy             | asg policy verify -a      |
| 9  | AMW Policy         | asg policy verify_amw -a  |
| 10 | Installation       | installation_verify       |
| 11 | Security Group     | asg security_group diag   |
| 12 | Cores Distribution | cores_verifier            |
| 13 | SPI Affinity       | spi_affinity_verifier -v  |
| 14 | Clock              | clock_verifier -v         |
| 15 | Mgmt Monitor       | mgmt_monitor snmp_verify  |
| 16 | Licenses           | asg_license_verifier      |
| 17 | Hide NAT range     | asg_hide_behind_range -v  |
-------------------------------------------------------
| Networking                                          |
-------------------------------------------------------
| 18 | MAC Setting        | mac_verifier -v           |
| 19 | Interfaces         | interface_verifier -q     |
| 20 | Bond               | asg_bond_verifier -v      |
| 21 | Bridge             | asg_br_verifier -v        |
| 22 | IPv4 Route         | asg_route -q              |
| 23 | IPv6 Route         | asg_route ipv6 -q         |
| 24 | Dynamic Routing    | asg_dr_verifier           |
| 25 | Local ARP          | asg_local_arp_verifier -v |
| 26 | Port Speed         | asg_port_speed verify     |
-------------------------------------------------------
| Misc                                                |
-------------------------------------------------------
| 27 | Core Dumps         | core_dump_verifier -v     |
| 28 | Syslog             | asg_syslog verify         |
-------------------------------------------------------
Comment
The output shows that the Test with ID 1 is called System Health. This test runs the
command asg stat -d to get the test status.
Example 2
Output 2
Example 2.1
Run the command suggested by the asg diag verify output to show the commands
that failed.
asg diag list 1,2,3,4,5,24
Output 2.1
Example 2.2
-------------------------------------------------------
| ID | Title              | Command                   |
-------------------------------------------------------
| System Components                                   |
-------------------------------------------------------
| 1  | System Health      | asg stat -d               |
| 2  | Hardware           | asg hw_monitor -q         |
| 3  | Resources          | asg resource -q           |
| 4  | Software Versions  | asg_version verify -v     |
| 5  | CPU Type           | cpu_socket_verifier -v    |
-------------------------------------------------------
| Networking                                          |
-------------------------------------------------------
| 24 | Dynamic Routing    | asg_dr_verifier           |
-------------------------------------------------------
To find out why the System Health test failed, run asg stat -d or
asg diag print 1. Here is a sample output of asg stat -d:
Output 2.2
Comment 2.2 The Chassis grade is 118/124 because one of the SGMs is in DOWN (Admin) state.
Bringing the SGM up solves the problem. Alternatively, remove the SGM from the
security group to suppress the alert.
Another way of debugging the issue is to open the output file in /var/log/. When you
run asg diag verify or asg diag print, a log file is created which includes the
full (verbose) output of each test.
Example 2.3
A sample full (verbose) output for the CPU Type test in the /var/log/ log file:
==============================
==============================
Non-compliant cpu models found:
-----------------------------------
model name : Intel(R) Xeon(R) CPU E5530 @ 2.40GHz
Comment 2.3
This file shows that the E5530 CPU is not recognized by the CPU Type test as compliant
with the current system. To make a CPU type recognized as compliant:
1. Edit the file asg_diag_config in the $FWDIR/conf directory.
2. Add the line
Certified cpu=<value>
3. Replace <value> with the CPU type.
After solving the issues identified by asg diag verify, you can run a subset of the tests
that failed to make sure that all issues have been solved. To run a subset of the tests, see
example 3.
Output 3
Error Types
These are some of the errors shown by asg diag verify and their meaning.
Error Type
Error
Description
Hardware
Resources
CPU type
<Component> is missing
<Component> is down
<Resource> capacity
<Resource> exceed
threshold
Description
Memory
HD: /
HD:/var/log
Resource
Description
HD: /boot
Skew
The maximum permissible clock difference between the SGMs and SSMs, in
seconds.
Certified cpu