Check Point 61000 Security System
R75.40VS for 61000
Getting Started Guide

23 January 2014

Protected

Downloaded from www.Manualslib.com manuals search engine

© 2014 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.


Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at:
(http://supportcontent.checkpoint.com/documentation_download?ID=20444)
To learn more, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the R75.40VS for 61000 home page
(https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk89900).

Revision History
Date | Description
23 January 2014 | Added Health and Safety Information in French ("Informations relatives à la santé et à la sécurité" on page 6). Improved formatting and document layout. Added SGM240 LEDs support information.
16 September 2013 | Added: After configuring a Security Gateway, verify the configuration by running asg diag ("Confirming the Security Gateway Software Configuration" on page 54).
9 July 2013 | Corrected syntax of asg monitor command ("Monitoring Chassis and Component Status (asg monitor)" on page 61). Corrected examples of asg search command ("Searching for a Connection (asg search)" on page 70).
21 March 2013 | Added: Before creating the VSX Gateway, if the management interface is not eth1-Mgmt4, see sk92556 ("Configuring a VSX Gateway" on page 54).
10 February 2013 | First release of this document.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on R75.40VS Check Point 61000
Security System Getting Started Guide).


Health and Safety Information


Read these warnings before setting up or using the appliance.
Warning

Do not block air vents. This is to ensure sufficient airflow for the individual SGMs in
the Chassis.

This appliance does not contain any user-serviceable parts. Do not remove any
covers or attempt to gain access to the inside of the product. Opening the device or
modifying it in any way has the risk of personal injury and will void your warranty.
The following instructions are for trained service personnel only.

Handle SGM system parts carefully to prevent damage. These measures are sufficient to protect your
equipment from static electricity discharge:

When handling components (Fans, CMMs, SGMs, PSUs, SSMs) use a grounded wrist-strap designed
for static discharge elimination.

Touch a grounded metal object before removing the board from the anti-static bag.

Hold the board by its edges only. Do not touch its components, peripheral chips, memory modules or
gold contacts.

When holding memory modules, do not touch their pins or gold edge fingers.

Restore SGMs to the anti-static bag when they are not in use or not installed in the Chassis. Some
circuitry on the SGM can continue operating after the power is switched off.

Do not let the lithium battery cell (used to power the real-time clock on the CMM) short. The battery can
heat up and become a burn hazard.
Warning

DANGER OF EXPLOSION IF BATTERY IS INCORRECTLY REPLACED. REPLACE ONLY WITH SAME OR
EQUIVALENT TYPE RECOMMENDED BY CHECK POINT SUPPORT.

DISCARD USED BATTERIES ACCORDING TO INSTRUCTIONS FROM CHECK POINT.

Do not operate the processor without a thermal solution. Damage to the processor can occur in
seconds.

Before you install or remove a chassis, or work near power supplies, turn off the power and unplug the
power cord.

For California:
Perchlorate Material - special handling can apply. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate
The foregoing notice is provided in accordance with California Code of Regulations Title 22, Division 4.5,
Chapter 33. Best Management Practices for Perchlorate Materials. This product, part, or both may include a
lithium manganese dioxide battery which contains a perchlorate substance.
Proposition 65 Chemical
Chemicals identified by the State of California, pursuant to the requirements of the California Safe Drinking
Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq. ("Proposition
65"), that is "known to the State to cause cancer or reproductive toxicity" (see http://www.calepa.ca.gov)
WARNING:
Handling the cord on this product will expose you to lead, a chemical known to the State of California to
cause cancer, and birth defects or other reproductive harm. Wash hands after handling.

Check Point Chassis Security System Getting Started Guide R75.40VS for 61000 | 4


Federal Communications Commission (FCC) Statement:


Note: This equipment has been tested and found to comply with the limits for a Class A digital device,
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against
harmful interference when the equipment is operated in a commercial environment. This equipment
generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with
the instruction manual, may cause harmful interference to radio communications. Operation of this
equipment in a residential area is likely to cause harmful interference in which case the user will be required
to correct the interference at his own expense.
Information to user:
The user's manual or instruction manual for an intentional or unintentional radiator shall caution the user that
changes or modifications not expressly approved by the party responsible for compliance could void the
user's authority to operate the equipment. In cases where the manual is provided only in a form other than
paper, such as on a computer disk or over the Internet, the information required by this section may be
included in the manual in that alternative form, provided the user can reasonably be expected to have the
capability to access information in that form.

Canadian Department Compliance Statement:


This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est
conforme à la norme NMB-003 du Canada.

Japan Class A Compliance Statement:

European Union (EU) Electromagnetic Compatibility Directive


This product is herewith confirmed to comply with the requirements set out in the Council Directive on the
Approximation of the Laws of the Member States relating to Electromagnetic Compatibility Directive
(2004/108/EC).
This product is in conformity with Low Voltage Directive 2006/95/EC, and complies with the requirements in
the Council Directive 2006/95/EC relating to electrical equipment designed for use within certain voltage
limits and the Amendment Directive 93/68/EEC.

Product Disposal

This symbol on the product or on its packaging indicates that this product must not be disposed of with your
other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it
over to a designated collection point for the recycling of waste electrical and electronic equipment. The
separate collection and recycling of your waste equipment at the time of disposal will help to conserve
natural resources and ensure that it is recycled in a manner that protects human health and the
environment. For more information about where you can drop off your waste equipment for recycling, please
contact your local city office or your household waste disposal service.

Informations relatives à la santé et à la sécurité (Health and Safety Information)

Read these warnings before setting up or using the appliance.
Warning:

Do not block the air vents. The SGMs in the chassis must have sufficient ventilation.

This appliance does not contain any user-replaceable parts. Do not remove any
cover or attempt to reach the inside. Opening or modifying the appliance can
lead to a risk of injury and will void the warranty. The following instructions
are reserved for trained maintenance personnel.

Handle the SGM parts carefully so as not to damage them. The following measures are
sufficient to protect your equipment against static electricity discharge:

Before handling a component (fan, CMM, SGM, PSU, SSM), wear a grounded antistatic
wrist strap.

Touch a grounded metal object before removing the board from its antistatic bag.

Hold the board by its edges only. Do not touch any component, peripheral chip, memory module
or gold-plated contact.

When handling memory modules, do not touch their pins or gold contact tracks.

Return SGMs to their antistatic bag when they are not in use or not installed in the
chassis. Some circuits on the SGM can continue operating even when the appliance is switched off.

Never short-circuit the lithium battery (which powers the real-time clock of the CMM). It could
heat up and start a fire.
Warning:

DANGER OF EXPLOSION IF THE BATTERY IS NOT CORRECTLY REPLACED. REPLACE ONLY WITH AN
IDENTICAL OR EQUIVALENT TYPE RECOMMENDED BY CHECKPOINT SUPPORT.

BATTERIES MUST BE DISCARDED ACCORDING TO CHECKPOINT INSTRUCTIONS.

Do not operate the processor without cooling. The processor can be damaged in
a few seconds.

Before handling an appliance or its power supply units, turn it off and unplug its power
cable.

For California:
Perchlorate material: special handling may be required. See
http://www.dtsc.ca.gov/hazardouswaste/perchlorate
The following notice is provided in accordance with the California Code of Regulations, Title 22, Division 4.5,
Chapter 33. Best Management Practices for Perchlorate Materials. This product, this part, or both
may contain a lithium manganese dioxide battery, which contains a perchlorate substance.
Proposition 65 Chemicals
Chemicals identified by the State of California, in accordance with the requirements of the California Safe
Drinking Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq.
("Proposition 65"), that are known to the State to cause cancer or reproductive
toxicity (see http://www.calepa.ca.gov)

WARNING:
Handling this cord exposes you to contact with lead, an element recognized by the State of
California as causing cancer, birth defects and other reproductive harm.
Wash hands after handling.

Federal Communications Commission (FCC) Statement:

Note: This equipment has been tested and found to comply with the limits for Class A digital
devices, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference in a commercial environment. This equipment
generates and can radiate radio frequencies and, if not installed and used in accordance
with the instructions, may cause harmful interference to radio communications. Operation
of this equipment in a residential area is likely to cause harmful interference,
in which case the user will be required to eliminate the interference at their own expense.
Information to the user:
The user's manual or instruction manual for a radiating device (intentional or unintentional) must warn
that any modification not expressly approved by the party responsible for compliance may void
the right to operate the equipment. If the manual is not provided in printed form (for example,
on a computer disk or over the Internet), the information required by this section must be
included in those versions of the manual, provided the user is reasonably able to
access it.

Canadian Department Compliance Statement:

This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la classe A est
conforme à la norme NMB-003 du Canada.

Japan Class A Compliance Statement:

European Union Electromagnetic Compatibility Directive

This product is certified to comply with the requirements of the Council Directive on the
approximation of the laws of the Member States relating to the Electromagnetic Compatibility
Directive (2004/108/EC).
This product complies with Low Voltage Directive 2006/95/EC and meets the requirements of Council
Directive 2006/95/EC relating to electrical equipment designed for use within a certain
voltage range, as amended by Directive 93/68/EEC.

Product Disposal

This symbol on the product or its packaging means that the product must not be disposed of
with other household waste. It is your responsibility to take it to a designated collection point
for the recycling of electrical and electronic equipment. Separating your equipment at
disposal, and recycling it, helps to conserve natural resources and ensures that it is
recycled in a way that protects human health and the environment. For more information
about where to drop off your waste equipment, please contact your municipality or waste
management service.


Contents
Important Information
Health and Safety Information
Informations relatives à la santé et à la sécurité
Introduction
Overview of Check Point 61000 Security Systems
Check Point Virtual Systems
In this Document
Shipping Carton Contents
Hardware Components
61000 Security System Front Panel Modules
Security Switch Module (SSM)
SSM160 Security Switch Module
SSM60 Security Switch Module
Security Switch Module LEDs
Security Gateway Module (SGM)
SGM260 LEDs
SGM SGM220 LEDs
AC Power Supply Units (PSUs)
AC Power Cords
DC Power Entry Modules (PEMs)
PEM Panel and LED Indicators
Fan Trays
Chassis Management Modules
Blank Filler Panels for Airflow Management
Front Blank Panels with Air Baffles
Step 1: Site Preparation
Rack Mounting Requirements
Required Tools
Step 2: Installing the Chassis in a Rack
Step 3: Installing Components and Connecting Power Cables
Inserting AC Power Supply Units
Inserting Fan Trays
Inserting Chassis Management Modules
Inserting Security Switch Modules
Inserting Security Gateway Modules
Inserting Transceivers
Inserting Twisted Pair Transceivers
Inserting Fiber Optic Transceivers
Inserting QSFP Splitters
Inserting Front Blank Panels
Connecting AC Power Cables
Connecting DC Power
Connecting a Second Chassis
Step 4: Turning on the 61000 Security System
Step 5: Validating Chassis ID on a Dual Chassis Configuration
Step 6: Software Installation
Before Installing Firmware and Software
Installing SSM160 Firmware
Installing the SGM Image
Installing the SGM Using snapshot import
Installing the SGM Image Using Removable Media
Step 7: Connecting to the Network
Step 8: Initial Software Configuration
Connecting a Console
Working on the Initial Setup
Step 9: SmartDashboard Configuration
Configuring a Security Gateway
Confirming the Security Gateway Software Configuration
Configuring a VSX Gateway
Wizard Step 1: Defining VSX Gateway General Properties
Wizard Step 2: Selecting Virtual Systems Creation Templates
Wizard Step 3: Establishing SIC Trust
Wizard Step 4: Defining Physical Interfaces
Wizard Step 5: Virtual Network Device Configuration
Wizard Step 6: VSX Gateway Management
Wizard Step 7: Completing the VSX Wizard
Confirming the VSX Gateway Software Configuration
Basic Configuration Using gclish
Licensing and Registration
Monitoring and Configuration Commands
Showing Chassis and Component State (asg stat)
Monitoring Chassis and Component Status (asg monitor)
Monitoring Performance Indicators and Statistics (asg perf)
Monitoring Hardware Components (asg hw_monitor)
Monitoring SGM Resources (asg resource)
Searching for a Connection (asg search)
Configuring Alerts for SGM and Chassis Events (asg alert)
Monitoring the System using SNMP
SNMP in a VSX Gateway
Troubleshooting Commands
Collecting System Diagnostics (asg diag)
Error Types
Changing Compliance Thresholds


Introduction
Thank you for choosing Check Point's 61000 Security System. We hope that you will be satisfied with this
system and our support services. Check Point products supply your business with the most up-to-date and
secure solutions available today.
Check Point also delivers worldwide technical services including educational, professional and support
services through a network of Authorized Training Centers, Certified Support Partners and Check Point
technical support personnel to ensure that you get the most out of your security investment.
For additional information on the Internet Security Product Suite and other security solutions, refer to the
Check Point Web site (http://www.checkpoint.com), or call Check Point at 1(800) 429-4391. For additional
technical information about Check Point products, consult the Check Point Support Center
(http://supportcenter.checkpoint.com).
Welcome to the Check Point family. We look forward to meeting all of your current and future network,
application and management security needs.

Overview of Check Point 61000 Security Systems


The Check Point 61000 Security System is a high performance, scalable, carrier class solution for Service
Providers and high-end data centers. The system gives advanced Security Gateway functionality to meet
your dynamically changing security needs. Supported Security Gateway Software Blades include: Firewall,
IPS, Application Control, Identity Awareness, URL Filtering, IPSec VPN, Anti-Bot, and Anti-Virus.
The Check Point 61000 Security System is a 14-15U Chassis and includes:
Component(s) | Function
Up to 12 Security Gateway Modules (SGMs) | Runs a high performance Firewall, and other Software Blades.
2 Security Switch Modules (SSMs) | Distributes network traffic to SGMs.
2 Chassis Management Modules (CMMs) | Monitors the Chassis, the SSMs and the SGMs with zero downtime.

The 61000 Security System:

Is highly fault tolerant, and provides redundancy between Chassis modules, power supplies and fans.
For extra redundancy, you can install a Dual Chassis deployment.

Has NEBS-ready and Non-NEBS versions. The Network Equipment Building Systems (NEBS) certificate
ensures that the 61000 Security System meets the environmental and spatial requirements for products
used in telecommunications networks.

Includes a rich variety of CLI monitoring and management tools. The system can be centrally managed
from a Check Point Security Management Server or Multi-Domain Security Management.

Lets you install different numbers of SGMs to match the processing needs of your network.

You can operate the 61000 Security System as a Security Gateway or as a VSX Gateway for Check Point
Virtual Systems.

Check Point Virtual Systems


With Check Point Virtual Systems you can consolidate infrastructure by creating multiple virtualized security
gateways on the 61000 Security System, delivering deep cost savings, seamless security and infrastructure
consolidation. Based on proven virtualized security design and the extensible Software Blade Architecture,
Virtual Systems provide best-in-class customized security protections to multiple networks and simplify
enterprise-wide policy by creating tailored policies for each network.

Administrators can replicate conventional physical security gateways with Virtual Systems to deliver
advanced protection to multiple networks and network segments. Up to 250 fully independent Virtual
Systems can be supported on the 61000 Security System, delivering scalability, availability and performance
while dramatically reducing hardware investment, space requirements and maintenance costs. The latest
Check Point technologies ensure the best performance for virtualized security: CoreXL technology utilizes
multi-core processors to increase throughput, and the 64-bit Gaia OS allows a significantly increased
number of concurrent connections.
Complete virtualization of network infrastructure allows easy deployment and configuration of network
topology with simpler inter-VS communication. Save the costs of external network routers and switches by
using integrated virtual routers, switches and links to direct traffic to their intended destinations.

KEY FEATURES

Consolidate up to 250 gateways in a single device

Software Blade Architecture

Gaia 64-bit operating system

Separation of management duties

Customized security policies per Virtual System

Per Virtual System Monitoring of resource usage

KEY BENEFITS

Easily add virtual systems to a security gateway

Reduce hardware cost and simplify network policy by consolidating multiple gateways into a single
device

Stronger performance and manageability enable enterprises to better leverage their investment

More granularity and greater manageability with customizable policies per Virtual System

Better usage-based resource planning with per Virtual System monitoring

Boost performance with Multi-core CoreXL technology


In this Document

A brief overview of necessary 61000 Security System concepts and features

A step by step guide to getting the 61000 Security System up and running
Note - Screen shots in this guide may apply only to the highest model
to which this guide applies.

Shipping Carton Contents


This section describes the contents of the shipping carton.
Item | Description
Check Point 61000 Security System | A single 61000 Security System Chassis
61000 Security System components | 2 to 12 Security Gateway Modules; 2 Security Switch Modules; 2 Chassis Management Modules
Power Supplies (preinstalled) | 5 AC Power Supply Units (PSUs) or 1 to 2 DC Power Entry Modules (PEMs); 6 Fans (preinstalled); Power cord set
Documentation | EULA; Welcome document

Obligatory Hardware Purchases


Transceivers are not included in the shipping carton and must be purchased separately.
SSM60 Transceivers
Ports | Required Transceivers
Network and Synchronization | Fiber transceiver for 10GbE XFP ports (SR/LR)
Management and log | Fiber transceiver for 1GbE SFP ports (SX/LR); Twisted-pair transceiver for 1GbE SFP ports; Fiber transceiver for 10GbE XFP ports (SR/LR)

SSM160 Transceivers
Ports | Required Transceivers
Network and Synchronization | SFP+ (10GbE) Fiber transceiver for SFP+ ports (SR/LR); SFP (1GbE) Fiber transceiver for SFP+ ports (SX/LX); Twisted pair (1GbE) transceiver for SFP+ ports; QSFP transceiver for 40GbE ports (SR/LR); QSFP splitter for 40GbE ports
Management and log | Fiber/Twisted pair transceiver for 1GbE SFP+ ports (SX/LX); SFP+ (10GbE) Fiber transceiver for SFP+ ports (SR/LR)

Hardware Components
This section is about the hardware components of the 61000 Security System.

61000 Security System Front Panel Modules

Item

Description

The Security Gateway Modules (SGMs) in the Chassis work together as a single, high
performance Security Gateway or VSX Gateway. Adding a Security Gateway Module scales
the performance of the system. A Security Gateway Module can be added and removed
without losing connections. If an SGM is removed or fails, traffic is distributed to the other
active SGMs.
Security Gateway Module slots are numbered 1 to 12, left to right. Slot 7 for example,
(labeled [7] in the diagram) is the slot that is immediately to the right of the two Security
Switch Module slots.

Console port, for a serial connection to a specific SGM using a terminal emulation program.

USB port, for a connection to external media, such as a DVD drive.

The Security Switch Module (SSM) distributes network traffic to the Security Gateway
Modules and forwards traffic from the Security Gateway Modules. Two are inserted in a
chassis. Two SSM versions are available:

SSM60

Not supported in a VSX Gateway

Not supported for SGM240

SSM160

For more about each port, see Security Switch Module Ports ("Security Switch Module
(SSM)" on page 16).
5

The Chassis Management Module (CMM) monitors the status of the chassis hardware
components. It also supplies the DC current to the cooling fan trays.
If the Chassis Management Module fails or is removed from the chassis, the 61000 Security
System continues to forward traffic. However, hardware monitoring is not available, and adding
or removing a Security Gateway Module to or from the chassis is not recognized. If the two
CMMs are removed, the cooling fans stop working.
Warning - There must be at least one CMM in the chassis.
A second Chassis Management Module can be used to supply CMM High Availability.
In the CLI output, the lower slot is listed as bay 1. The upper slot is listed as bay 2.

Power:

AC Power Supply Units (PSUs)

100 VAC to 240 VAC

3-5 PSUs
Or:

DC Power Entry Modules (PEMs)

48 VDC to 60 VDC

2 PEMs

Field-replaceable and hot-swappable


In the CLI output:

Upper slots are for DC PEMs. They are listed as bay 1 and bay 2, numbered right to
left.

Lower slots are for AC PSUs. They are listed as bay 1 to bay 5, numbered right to left.


Security Switch Module (SSM)


The Security Switch Module (SSM) distributes network traffic to the Security Gateway Modules and forwards
traffic from the Security Gateway Modules. Two are inserted in a chassis. Two SSM versions are available:

SSM60

Not supported in a VSX Gateway

Not supported for SGM240

SSM160


SSM160 Security Switch Module


Security Switch Modules

Item  Description

(1)   1 port for direct access through LAN
      1 port for direct access through console (serial)

(2)   2 x 40GbE QSFP data ports.
      In the initial setup program, the interface names are:
        Left Security Switch Module: eth1-09, eth1-13
        Right Security Switch Module: eth2-09, eth2-13
      Use a QSFP splitter to split each of the two QSFP ports to 4 x 10GbE.
      When using a QSFP splitter, the interface names are:
        Left Security Switch Module upper QSFP port: eth1-09 to eth1-12
        Left Security Switch Module lower QSFP port: eth1-13 to eth1-16
        Right Security Switch Module upper QSFP port: eth2-09 to eth2-12
        Right Security Switch Module lower QSFP port: eth2-13 to eth2-16

(3)   7 x 10GbE SFP+ data ports
      Can use 1GbE or 10GbE transceivers
      In the initial setup program, the interface names are:
        Left Security Switch Module: eth1-01, eth1-02, ... eth1-07
        Right Security Switch Module: eth2-01, eth2-02, ... eth2-07
      In SmartDashboard, define used interfaces as internal or external.

(4)   1 synchronization port for connecting to and synchronizing with another 61000 appliance
      that functions as a high availability peer.
      10 GbE SFP+ port
      Interface names are eth1-Sync on the left and eth2-Sync on the right.

(5)   Management and logging ports. Connect these ports to the management/logging network.
      Security Management Server or dedicated logging servers should be accessible from these
      interfaces.
      2 x 10GbE SFP+ port
      In the 61000 appliance initial setup program, these interfaces are labeled:
        On the left SSM: eth1-Mgmt1, eth1-Mgmt2
        On the right SSM: eth2-Mgmt1, eth2-Mgmt2

(6)   Management and logging ports. Connect these ports to the management/logging network.
      Security Management Server or dedicated logging servers should be accessible from these
      interfaces.
      2 x 1GbE SFP port
      In the 61000 appliance initial setup program, these interfaces are labeled:
        On the left SSM: eth1-Mgmt3, eth1-Mgmt4
        On the right SSM: eth2-Mgmt3, eth2-Mgmt4

SSM60 Security Switch Module


Security Switch Modules

Item  Description

(1)   5 x 10GbE XFP data ports in each Security Switch Module. These data ports are the
      network interfaces of the 61000 Security System.
      In the initial setup program, the interfaces in the:
        Left Security Switch Module are named: eth1-01, eth1-02, ... eth1-05
        Right Security Switch Module are named: eth2-01, eth2-02, ... eth2-05
      In SmartDashboard, define used interfaces as internal or external.

(2)   1 synchronization port on each SSM for connecting to and synchronizing with another
      61000 Security System that functions as a high availability peer.

(3)   4 ports for management and logging on each SSM.
        2 Upper ports: 1GbE SFP
        2 Lower ports: 10GbE XFP
      Connect these ports to the management/logging network. Security Management Server or
      dedicated logging servers should be accessible from these interfaces.
      In the initial setup program, the interfaces are named:
        On the left SSM: eth1-Mgmt1, eth1-Mgmt2, ... eth1-Mgmt4
        On the right SSM: eth2-Mgmt1, eth2-Mgmt2, ... eth2-Mgmt4


Security Switch Module LEDs


Item  LED             Status           Description
      Out of service  Red              SSM out of service
                      Off (Normal)     SSM hardware is normal
2     Power           On (Normal)      Power on
                      Off              Power off
      Hot-swap        Blue             SSM can be safely removed
                      Blue blinking    SSM is going to Standby mode. Do not remove
                      Off (Normal)     SSM is Active. Do not remove
4     SYN ACT         On (Normal)      Normal operation
                      Off              N/A
      Link            On               Link enabled
                      Yellow blinking  Link is active
                      Off              Link is disabled


Security Gateway Module (SGM)


The Security Gateway Modules (SGMs) in the Chassis work together as a single, high performance Security
Gateway or VSX Gateway. Adding a Security Gateway Module scales the performance of the system. A
Security Gateway Module can be added and removed without losing connections. If an SGM is removed or
fails, traffic is distributed to the other active SGMs.
These SGM versions are available:

SGM220

SGM220T (for NEBS)

SGM240

The SGM240 has more powerful CPUs and uses a more advanced technology. It also has a different front
panel layout and different LEDs.

SGM260 LEDs
LED / Status / Description

Out of service
  Red: SGM out of service
  Off (Normal): SGM hardware is normal

Health
  Green (Normal): SGM core operating system is active
  Green blinking: SGM core operating system is partially active
  Off: SGM operating system is in standby mode

Hot-swap
  Blue: SGM can be safely removed
  Blue blinking: SGM is going to standby mode. Do not remove
  Off (Normal): SGM is active. Do not remove

CTRL Link 1, CTRL Link 2 (SSM1 and SSM2 management ports)
  Yellow: Link enabled
  Yellow blinking: Link is active
  Off: Link is disabled

CTRL SPEED 1, CTRL SPEED 2 (SSM1 and SSM2 management ports)
  Yellow: 10 Gbps
  Green: 1 Gbps
  Off: 100 Mbps

Traffic
  On: Data and sync traffic in SSM1, SSM2, SS3, SSM4
L2
  Off: Not used
L1
  Red. Lower Right: Installation started
  Red blink, in sequence: Installation in progress
  Red. All: Installation failure
  Yellow. Left: Installation completed
  Green. Right: SGM is being configured. (Using First Time Configuration Wizard or adding a
  new SGM into a Chassis)
  Off: SGM is configured and ready
2
3
4


SGM220 LEDs

LED / Status / Description

Out of service
  Red: SGM out of service
  Off (Normal): SGM hardware is normal

Health
  Green (Normal): SGM core operating system is active
  Green blinking: SGM core operating system is partially active
  Off: SGM operating system is in Standby mode

Hot-swap
  Blue: SGM can be safely removed
  Blue blinking: SGM is going to Standby mode. Do not remove
  Off (Normal): SGM is active. Do not remove

Link
  Yellow: Link enabled
  Yellow blinking: Link is active
  Off: Link is disabled

Data port speed
  Yellow: 10 Gbps
  Green: 1 Gbps
  Off: 100 Mbps

Management port speed
  Yellow: 1 Gbps
  Green: 100 Mbps
  Off: 10 Mbps

LEDs 2 and 4 - Green: SGM is being configured. (Using First Time Wizard or adding a new SGM
into a Chassis)
All LEDs - Off: SGM is configured and ready


AC Power Supply Units (PSUs)


5 field-replaceable and hot-swappable 100 VAC to 240 VAC Power Supply Units (PSUs) supply:

Power to the Chassis

Power filtering and over-current protection.

Each PSU is located on a tray that slides directly into the backplane.
The AC Power inlets are located in the rear of the Chassis. Each power supply has one power inlet.

Item

Description (AC Power Unit)

Air filter. Prevents dust entering the PSU.

Latch for extracting and inserting the PSU.

AC Power Supply LED

Green: AC Power is OK.

OFF: AC power is OFF

DC Power Supply LED

Green: DC Power is OK.

Red: DC power failure or Hot swap ready

Extraction handle for holding the PSU during extraction and insertion

Power Requirements:
Each PSU supplies power at these values:
1500W at 220VAC
1200W at 110VAC


Power Consumption Data:

Chassis (constant) - 100W

Fan - 240W maximum

CMM - 10W maximum

SGM - 300W maximum

SSM - 300W maximum

Recommended quantity of PSUs


Important - One power supply cannot supply a fully loaded Chassis. This table shows how to
calculate the recommended number of power supplies.

Number of SGMs

For a PSU that supplies 1500W


Minimum (N)
Recommended (N+1)

10

12

AC Power Cords
The supplied AC power cords are specific to the geographical region. These are some of the available
power cords.
Region       PLUG                  CONNECTOR             CABLE
EU           KC-015, 16A 250V~     KC-003H, 10 A 250V~   H05RR-F,3G 0.75mm2
AUSTRALIA    KC-014, 10A 250V      KC-003H, 10 A 250V~   H05RR-F 3G 0.75mm2
UK           KC-039, 13A 250V~     KC-003H, 10 A 250V~   H05RR-F 3G 0.75mm2
JP           KC-001, 15A 125V      KC-003H, 15A 125V     VCTF 3G 2.0mm2
US           KC-001, 15A 125V      KC-003H, 15A 125V     SJT 14/3C 75C
CHINA        KC-017N, 10A 250V~    KC-003H, 10 A 250V~   H05RR-F 3G 0.7mm2


DC Power Entry Modules (PEMs)


The DC 61000 Security System configuration includes two Power Entry Modules (PEMs), each with a rating
of -48/-60VDC 125A. The PEMs supply DC power, EMC filtering and over-current protection for the Chassis.
Each PEM can supply 100% of Chassis power. The PEM is a customer replaceable unit. The two-PEM
configuration provides full redundancy. The PEMs are located in the bottom-rear of the Chassis.
The DC configuration does not have its own power source. You must supply a mains DC power system that
includes an external battery and a branch circuit breaker of 125A for each PEM.
You must also supply lugs (Panduit LCD6-14A-L). Use them to connect wires to the terminal blocks of the
PEMs.

PEM Panel and LED Indicators

Item

Description

Locking captive screws. Secure the PEM in the Chassis.

Handles. Used for holding the PEM during insertion and extraction.

Terminal blocks: -48/-60 VDC and Return. Each terminal block has 4 terminal studs.

PEM Status LEDs.

Hot-Swap button. Used for invoking the hot swap sequence.

4 Circuit breakers. 50A per circuit breaker.

PEM Status LEDs

Item / Description

Status
  Green: OK
  Red: Failure

Fault
  Green: OK
  Red: -48VDC is missing

HS
  Blue steady: Powering up or ready for extraction
  Blue blinking: Hot swap process
  OFF: Working


Important - Do not remove a PEM while an electrical charge remains in the wiring.
Before replacing a PEM, verify that the power source is disconnected and isolated.
The PEM's circuit breaker has only one pole and disconnects only the -48V lead. The
48VDC RTN lead is always connected.

Fan Trays
The cooling system consists of three high performance fan trays. The fan trays are at the rear of the
Chassis. Each tray contains two fans that supply air volume and velocity for cooling front and rear Chassis
components. Air flows from the inside to the outside of the Chassis.

Item

Description

Power fault LED

Locking captive screw

Three fan trays are preinstalled (6 fans).

Chassis Management Modules


The Chassis Management Module controls and monitors Chassis operation. This includes fan
speed, Chassis and module temperature, and component hot-swapping.


Item

Description

General LEDs

Telco Alarm LEDs

Application defined LEDs

Latch

Network port

Serial port

Alarm

Thumb screw

General LEDs
LED / Status / Meaning

ACT
  Green: Chassis Management Module is active
  Red: Chassis Management Module failure
  Green blink: Chassis Management Module inactive

PWR
  Green: Good local voltage supply on Chassis Management Module
  Off: Local voltage failure

HS (hot swap)
  Steady blue: Chassis Management Module is powering up or ready for extraction.
  Blue blink: Chassis Management Module is being hot swapped
  Off: Chassis Management Module in operation

Telco Alarm LEDs


LED / Status / Meaning

CRT (Critical)
  Off: Normal operation
  Red: System alarm event

MJR (Major)
  Off: Normal operation
  Red: System alarm event

MNR (Minor)
  Off: Normal operation
  Red: System alarm event


Blank Filler Panels for Airflow Management


Compliance with temperature specifications requires a stable air flow in the Chassis. To make sure that the
Chassis is correctly cooled, fully populate the Chassis or add blank filler panels to the empty slots.
Two types of airflow-management panels are available for the empty slots on the Chassis:

Front blank panels with air baffles

Rear panel with air baffles

Front Blank Panels with Air Baffles

Item

Description

Slot cover

Tightening screws

Air Baffles


Step 1: Site Preparation


This step covers preparing the site.

Rack Mounting Requirements


Before mounting the 61000 Security System in a standard 19" rack, make sure that:

The rack is stable, level, and secured to the building.

The rack is sufficiently strong to support the weight of a fully loaded Security System
(http://www.checkpoint.com/products/downloads/datasheets/61000-security-system-datasheet.pdf).

The rack rails are spaced sufficiently wide to accommodate the system's external dimensions.

The shelf is mounted on the rack.

There is sufficient space at the front and rear of the Chassis to let service personnel swap out
hardware components.

The rack has a sufficient supply of cooling air.

The rack is correctly grounded.

A readily accessible disconnect device is incorporated into the building's wiring. The disconnect device
must be placed between the system's AC power inlet and the power source. The disconnect device
rating required must be determined by the nominal input voltage.

There are at least two inches of clearance at the air inlets and outlets to make sure there is sufficient
airflow.

Hot exhaust air is not circulated back into the system.

At least two persons are available to lift the Chassis.

You have eight M6x10 (or longer) screws to mount the Chassis on the rack.

Required Tools
To install the appliance in a standard 19" rack, these tools are required:

Standard Phillips (+) screwdriver set

Wrench

Electrostatic Discharge (ESD) grounding wrist strap


Step 2: Installing the Chassis in a Rack

Before mounting the Chassis on the rack, attach the rear-end static grounding screws to the Chassis.

To install the Chassis on the Rack:


1. Set the Chassis in front of the rack, centering the Chassis in front of the shelf.
2. Lift and slide the Chassis on to the rack shelf.
3. Make sure that the holes in the front mounting flanges of the Chassis align with the holes in the rack
rails.
4. Insert mounting screws into the front mounting flanges aligned with the rack.
5. Secure the appliance by fastening the mounting screws to the rack.
The appliance must be level, and not positioned at an angle.
6. Attach grounding cables to the grounding screws on the Chassis.


Step 3: Installing Components and Connecting Power Cables

This section covers inserting:

Chassis Management Modules

Security Switch Modules

Security Gateway Modules

Twisted pair and fiber optic transceivers into ports on the Security Switch Modules

Transceivers into the management ports on the Security Switch Modules

Covers for blank slots

This section also covers:

Backup Chassis in a dual Chassis environment

Power cables

Inserting AC Power Supply Units


Power Supply Units (AC only) are inserted at the front of the Chassis. If you have one Power Supply Unit
already in place, other units can be swapped in and out without interfering with the operation of the 61000
Security System. Note that one PSU cannot supply sufficient power to support a fully populated Chassis.

To Insert a Power Supply Unit:


1. Pull out the latch.
2. Push in the Power Supply until it locks in place.
3. Push in the Power Supply insertion latch.
4. Make sure that the DC LED shows green.

Inserting Fan Trays


When a fan tray is inserted into the Chassis, the fans start at full speed and then decrease by steps of 7%.
Under normal operating conditions, the fans run at 21% of full speed. The lower speed reduces the noise
and increases the longevity of the fans.
The speed of each individual fan is monitored. If the speed of one fan drops below the desired speed (that is,
a fan failure), the other fans speed up.
Fans are pre-installed in the appliance. Manual replacement must be coordinated with Check Point Support.

To Insert a Fan:
1. Slide the fan into the allocated space.
2. Tighten the locking captive screw.


Inserting Chassis Management Modules

To insert a Chassis Management Module:


1. On the CMM, remove the tape on the battery.
This tape protects the battery life before installation.
2. Open the upper latch.
3. Insert the Chassis Management Module into the allocated slot.
Note - If you have only one CMM, we recommend inserting it into the lower Chassis slot.
4. Close the latch.
5. Tighten the two thumb screws.
6. After power up, all LEDs must light up for 1-2 seconds. The ACT and PWR LEDs continue to show
green after the other LEDs turn off.


Inserting Security Switch Modules

To insert a Security Switch Module:


1. Open the latches at the top and bottom of the Security Switch Module.
2. Slide the SSM into the allocated slot.
3. Fasten the latches.
4. Tighten the screws.


Inserting Security Gateway Modules

To insert a Security Gateway Module:


1. Open the latches at the top and bottom of the Security Gateway Module.
2. Make sure the SGM is located correctly on the Chassis rail.
3. Slide the Security Gateway Module into the allocated slot.
4. Fasten the latches.
5. Tighten the thumb screws.


Inserting Transceivers
Security Switch Modules support Twisted Pair and Fiber Optic transceivers, so that you can connect
different interface types to the 61000 Security System using the SFP, SFP+, or XFP ports on the SSM.
The type and number of transceiver ports available depends on the SSM.

Note - Remember to select a transceiver that matches the speed of the designated port.

Inserting Twisted Pair Transceivers


Twisted pair transceivers can be inserted into:

Data and management ports on the SSM160


SFP management ports on the SSM60

Slide the transceiver into the open Security Switch Module port.

Inserting Fiber Optic Transceivers


Fiber transceivers can be inserted into data and management ports on the SSM60 and SSM160 switch
modules. The ports can be SFP, SFP+ or XFP.

Slide the transceiver into the open Security Switch Module port.

Inserting QSFP Splitters


1. Insert the QSFP transceiver into the Security Switch Module.
2. Insert the QSFP splitter cable into the transceiver.
This converts the 40GbE QSFP port to 4 x 10GbE ports.

Inserting Front Blank Panels


Blank panels contain cooled air in the appliance. Use the blank panels to close open slots.

To insert a blank panel at the front:


1. Insert the blank panel into the open slot.
2. Tighten the two thumb screws.
Note - Rear blank panels are pre-installed on the Chassis.

Connecting AC Power Cables


To connect AC power:
1. Make sure that the circuit breaker at the mains is off.
2. Insert an AC power cable into each AC power inlet on the rear-bottom of the Chassis.

Connecting DC Power
Connect the DC PEMs in the 61000 Security System to an external battery power source. You must have a
mains DC power supply system that includes batteries and a branch circuit breaker of 125A for each PEM.
The DC PEM is described in DC Power Entry Modules (PEMs) (on page 26).

Tools and Parts Required

4 DC wire leads for each PEM, to connect the PEM to the DC power supply. Use 6AWG wires. There is
no standard for DC wire color coding. Therefore, use the color coding of the DC power source (battery)
for the DC wire leads.

4 lugs (Panduit LCD6-10A-L) for each PEM. For connecting the wire leads to the PEM terminal blocks.

Crimping tool to connect the wire leads to the lugs.

Wire cutters.

Hexagonal-head socket wrench, or nut driver for tightening nuts to terminal studs on each PEM.

To connect DC power:
Note - These instructions assume that the PEMs are installed in the 61000 Security
System Chassis.
1. Set the branch circuit breakers at the mains to OFF.
2. On the PEM, set all the circuit breakers to OFF.
3. Remove the protective plastic cover.
4. Where the PEM is marked -48/-60 VDC and Return, remove the nuts from the terminal studs. Use a
socket wrench or nut driver.
5. Connect the -48/-60 VDC cables to the battery:
a) Using the crimping tool, connect two 6 AWG wire leads to two lugs.
b) Attach the two wired lugs to the -48/-60 VDC terminal studs on the PEM. Use the socket wrench or
nut driver.
c) Connect the other ends of the two wires to the -48/-60VDC battery terminal.

6. Connect the Return cables to the battery:


a) Using the crimping tool, connect two 6 AWG wire leads to two lugs.
b) Attach the two wired lugs to the Return terminal studs on the PEM. Use the socket wrench or nut
driver.
c) Connect the other ends of the two wires to the Return battery terminal.

7. Make sure that you have correctly connected the battery to the PEM. Do this by using a multimeter to
measure the resistance between disconnected PEM wire leads and the Battery Return pole.
For all the PEM wired leads, one at a time:
a) At the battery, disconnect a PEM wire lead from the battery.
b) Connect one multimeter probe to the battery Return and the other probe to the PEM wire lead.

A very large resistance (indicating an open circuit) shows that the wire lead is connected to
the PEM -48/-60VDC terminal.
A very low resistance (indicating a closed circuit) shows that the wire lead is connected to
the PEM Return terminal.

c) Reconnect the PEM wire lead to the battery.


8. At the PEM:
a) Attach the protective plastic cover.
b) Set all the circuit breakers to ON.
9. Do step 2 to step 8 for the second PEM.
10. Set the branch circuit breakers at the mains to ON.


Connecting a Second Chassis


If you have a dual Chassis environment (for Chassis high availability):

For the second Chassis, repeat Step 1: Site Preparation (on page 30) to Step 3: Installing Components
and Connecting Power Cables (on page 32)

Connect the second Chassis.

On each SSM, connect the sync ports to the corresponding sync ports on the backup Chassis
(eth1-Sync in Chassis1 to eth1-Sync in Chassis2, eth2-Sync in Chassis1 to eth2-Sync in Chassis2).


Step 4: Turning on the 61000 Security System

Connect the appliance to the power source. At power up:

Fan speed goes to maximum.

LEDs on the Chassis Management Module light up.

After 1-60 seconds, fan speed slows down until it reaches the optimum rate for cooling.

Chassis Management Module ACT and PWR LEDs show green.

Other LEDs turn off.

Turning off the 61000 Security System


1. Shut down the SGMs:

If the installation wizard (Step 5) has not yet run, release the levers on each SGM to shut them down.

If the installation wizard has run, from gclish run: asg_hard_shutdown -b all

2. Shut down the SSMs and CMMs by releasing the levers.


3. After the LEDs on SGMs, SSMs and CMMs (both Chassis) show a steady blue, unplug the power cords.


Step 5: Validating Chassis ID on a Dual Chassis Configuration

When installing and configuring dual Chassis in high availability, make sure that:

The CMMs on the same Chassis have the same Chassis ID.

The pairs of CMMs on different Chassis have different Chassis IDs.

The CMMs on Chassis <1> should include chassis_id <1> (SHMM_CHASSID=1). The CMMs on
Chassis <2> should include chassis_id <2> (SHMM_CHASSID=2).
Note - When a new CMM is added to the system, it is necessary to validate its
Chassis_ID. Make sure that Chassis for the new CMM is in Standby mode.

To validate the Chassis IDs:


1. When you receive the shipment make sure that the stickers on the outer box are marked with numbers 1
and 2.
If the numbers are the same, contact Check Point Technical Support.

2. Open the outer box, and confirm that the stickers on the Chassis and the CMM blades are different for
each Chassis.
If the numbers are the same, contact Check Point Technical Support.
3. We recommend that you validate the CMM configured IDs.
a) Log in to the 61000 Security System.
(i) Connect the RJ-45 jack serial cable to the console port on the CMM blade.
(ii) Connect the other end of the serial cable to the computer that you are using to do the initial
configuration of the 61000 Security System.
(iii) Connect to the 61000 Security System 160 using a terminal emulation application such as
PuTTY.
Make sure the Speed (baud rate) is set to 9600.
No IP address is necessary.
(iv) Log in with username and password: admin/admin.


b) Verify that the CMM ID is correct. Run this command:
# cat /etc/shmm.cfg | grep CHASSID
This is a sample output from CMM 1: SHMM_CHASSID=1
c) Do these steps again to validate the CMM IDs on the other Chassis.
If the numbers are the same, contact Check Point Technical Support.
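
The Chassis ID rules in this step can be checked in one pass once the shmm.cfg content of every CMM has been saved to a file. This is an added example, not code from the guide or from Check Point; the function names, the "<chassis number>:<file>" argument format and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Check Point code: check the Step 5 Chassis ID rules
# against copies of /etc/shmm.cfg saved from each CMM.
# Assumption: each argument is "<chassis number>:<saved file>", where the
# chassis number is the physical Chassis (1 or 2) the CMM is installed in.

# Print the configured SHMM_CHASSID value from one saved file (empty if none).
# Carriage returns are stripped because serial-console captures often add
# them. Unlike a plain "grep CHASSID", commented-out lines are ignored and
# only the last assignment counts.
get_chassid() {
    tr -d '\r' < "$1" \
        | sed -n 's/^[[:space:]]*SHMM_CHASSID[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        | tail -n 1
}

# Return 0 only if every CMM carries the ID of the Chassis it sits in.
# That single condition covers both rules of this step: CMMs in the same
# Chassis share an ID, and the two Chassis use different IDs.
check_chassis_ids() {
    rc=0
    for entry in "$@"; do
        chassis=${entry%%:*}
        file=${entry#*:}
        if [ ! -r "$file" ]; then
            echo "FAIL chassis $chassis ($file): file not readable"
            rc=1
            continue
        fi
        id=$(get_chassid "$file")
        case $id in
            "")
                echo "FAIL chassis $chassis ($file): no SHMM_CHASSID value"
                rc=1 ;;
            *[!0-9]*)
                echo "FAIL chassis $chassis ($file): non-numeric SHMM_CHASSID '$id'"
                rc=1 ;;
            "$chassis")
                echo "OK   chassis $chassis ($file): SHMM_CHASSID=$id" ;;
            *)
                echo "FAIL chassis $chassis ($file): SHMM_CHASSID=$id, expected $chassis"
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample data: two CMMs per Chassis. The upper CMM of Chassis 2
# still carries ID 1, as a newly added CMM might.
demo() {
    d=$(mktemp -d) || return 2
    printf 'SHMM_CHASSID=1\n'   > "$d/chassis1_bay1.cfg"
    printf 'SHMM_CHASSID=1\r\n' > "$d/chassis1_bay2.cfg"
    printf 'SHMM_CHASSID=2\n'   > "$d/chassis2_bay1.cfg"
    printf 'SHMM_CHASSID=1\n'   > "$d/chassis2_bay2.cfg"
    check_chassis_ids "1:$d/chassis1_bay1.cfg" "1:$d/chassis1_bay2.cfg" \
                      "2:$d/chassis2_bay1.cfg" "2:$d/chassis2_bay2.cfg"
    status=$?
    rm -rf "$d"
    return "$status"
}

demo || echo "Chassis ID check failed: do not continue with the dual Chassis setup"
```
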


Step 6: Software Installation


You must install the SSM160 firmware and then install the SGM image.

Before Installing Firmware and Software


Installing Components and Connecting Cables:

Install all components in the Chassis (SGMs, SSMs and CMMs).

If you have a dual Chassis environment, connect only one Sync cable between the two Chassis.
Connect eth1-Sync on chassis1 to eth1-Sync on chassis2. (Connect the second sync cable
after installing software).

For IP management of the 61000 Security System, connect a cable to one of the management interfaces on
chassis1.

Connecting a Console
Use a console to configure a Security Group and an accessible management IP address on the 61000
Security System.
1. Connect the supplied DB9 serial cable to the console port on the front of the 61000 Security System.

2. Connect to the 61000 Security System using a terminal emulation program such as PuTTY or Microsoft
HyperTerminal.
3. Configure the terminal emulation program:

In PuTTY select the Serial connection type. Go to the Connection > Serial page.

In HyperTerminal Connect To window, select a port from the Connect using list.

Define the serial port settings: 9600 BPS, 8 bits, no parity, 1 stop bit. Flow control: None
4. Connect to the first SGM in the 61000 Security System.
5. Turn on the 61000 Security System.
6. Log in with username: admin and password: admin

Configuring a Security Group and a Management IP Address


1. Start the installation wizard. Run:
#setup
2. In the Welcome screen, press a key.
3. Select Set SGMs for Security Group
Define the SGMs that belong to the Security Group. There are two lines, one for Chassis 1, one for
Chassis 2.

In each line, you can enter:

all (same as 1-12)

A range, such as: 1-9

A number of comma-separated ranges, such as: 1-3,5-7

Single SGMs, such as: 1,4

A combination of single SGMs and ranges, such as: 10,2, 3-7.

By default, the SGM you are connected to belongs to the group: Chassis 1, SGM 1 (slot 1 in Chassis
1). For more about Security Gateway Module numbering, see 61000 Security System front panel
components ("61000 Security System Front Panel Modules" on page 14).
4. Select Network Connections.
For the management interface, configure:

An IP address

The Netmask length


5. Configure Routing.

If you are directly connected to the management interface: Skip this step.

If you are not directly connected to the management interface: Define a route which will allow you to
access the 61000 Security System.
6. Click Next until you finish the installation wizard. At the Secure Internal Communication stage, enter a
dummy key.
Configuration settings are applied, and the Security Gateway Module reboots. Other Security Gateway
Modules in the Security Group are installed automatically.

Validating the Initial System Setup:


To make sure that the initial system setup is completed successfully:

Run the asg monitor command. An initial policy must be installed on the local SGM after initial setup
completes and the SGM reboots.

To monitor the automatic installation of other SGMs, run: tail -f /var/log/start_mbs.log.

Wait until the installation process is complete.


The installation process is complete when all the SGMs in the security group are UP and in the Initial
Policy state.

Installing SSM160 Firmware


You must install firmware on the Security Switch Module SSM160. There is no need to install firmware on
SSM60.

Installing the SSM160 Firmware


1. Download the SSM160 firmware from the R75.40VS for 61000 Home page
(http://supportcontent.checkpoint.com/solutions?id=sk89900).

2. Connect to one SGM, using the management IP address configured in the installation wizard.
3. Copy the SSM160 firmware file to the SGM using the scp command to the IP address of the
management interface, to the /home/admin directory. This copies the file to the left-most SGM on the
active Chassis.
4. From this SGM, copy the firmware file to the other SGMs in the Security Group. Run:
> asg_cp2blades -b <blade_list> /home/admin/<file>
5. From this SGM, copy the firmware to the two SSMs in the Chassis. Run for each SSM:
scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@SSM[1|2]:/batm/current_version/
6. Enter the SCP password you received from Support.
You may see a read-only file system error. For example:
# scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@ssm2:/batm/current_version/
root@ssm2's password:
scp: /batm/current_version//2.4.B27.2.T-HUB4.tar.bz2: Read-only file system
If you see a read-only file system error do this:
a) Connect to the SSM via ssh. From the expert shell, run:
ssh ssm<1/2>
The password is admin
b) From default shell, run
unhide private
The password is private
c) Run the following commands:
# show private shell
# mount -rw -o remount /batm/
# exit
# logout

d) Run the firmware copy command for each SSM:


scp -P 2024 2.4.B27.2.T-HUB4.tar.bz2 root@ssm2:/batm/current_version/
e) Enter the SCP password you received from Support.
7. Activate the new firmware on the SSM. Do this for the two SSMs on the Standby Chassis:
a) Connect to the SSM via ssh. Run from expert shell:
ssh ssm<1/2>
The password is admin
b) Run
#file ls os-image
and copy to clipboard the name of the new image file
c) Run
#file activate-os-image 2.4.B27.2.T-HUB4.tar.bz2
d) Move to configuration shell. Run:
#config terminal
e) Reload the SSM with the new image. Run
#system reload manufacturing-defaults
Example:
T-HUB4#file activate-os-image 2.4.B27.2.T-HUB4.tar.bz2
Image file 2.4.B27.2.T-HUB4.tar.bz2 is tested for validity, please wait...
OK
Activating image 2.4.B27.2.T-HUB4.tar.bz2..
T-HUB4#config terminal
Entering configuration mode terminal
T-HUB4(config)#system reload manufacturing-defaults
Are you sure that you want to delete existing configuration and reload
manufacturing default configuration (yes/no)? yes
8. Connect to SGM on the other Chassis. From the Expert shell, run
blade <SGM>

For example:
blade 2_01
(Run exit to return to the previous SGM)
9. Repeat the firmware upgrade procedure on the two SSMs of the other Chassis.

Validation
To verify the upgrade, run
asg_version
All SSMs should have firmware version 2.4.B27.2.

Installing the SGM Image


Use one of these procedures to install an image on the Security Gateway Modules:

Using snapshot import

Using an ISO image on removable media: A DVD or USB stick

Installing the SGM Using snapshot import


1. Download the snapshot file with the SGM image from the R75.40VS for 61000 Security Systems
home page (http://supportcontent.checkpoint.com/solutions?id=sk89900).
2. Copy the snapshot file using the scp command to the IP address of the management interface, to the
/home/admin directory. This copies the file to the left-most SGM on the active Chassis.
3. Connect to the SGM via SSH or console.
4. Copy the snapshot file to all SGMs, to the /var/log/ directory. Run:
asg_cp2blades -b all /home/admin/<snapshot file> /var/log/<snapshot file>
5. Import the snapshot. From gclish, run:
set snapshot import <snapshot name, without tar> path /var/log/
6. Monitor snapshot import progress. From gclish, run:
show snapshots
7. After the snapshot import process has finished on all SGMs, revert to the snapshot. From gclish, run:
set snapshot revert <snapshot name>
The system is now installed with the proper software and firmware.

Installing the SGM Image Using Removable Media


You can install an ISO image on the Security Gateway Modules using a USB stick or DVD.

To copy the ISO image to the removable media:


1. Download the ISO file with the SGM image
(http://supportcontent.checkpoint.com/solutions?id=sk89900).
2. Copy the file to removable media in one of these ways:

Burn the ISO file on a DVD.

Download the Check Point ISOmorphic utility to create a bootable USB device from the ISO. See
sk65205 (http://supportcontent.checkpoint.com/solutions?id=sk65205).
3. You can install many SGMs at one time. Copy the ISO image to many USB sticks or DVD drives.

To install an ISO image on the Security Gateway Modules:


1. Connect the removable media to the left-most Security Gateway Module in one of these ways:

Connect the USB stick to the USB port.

Connect an external DVD drive to the USB port. Put the DVD with the ISO file in the DVD drive.


Item | Description
1 | USB port
2 | One of two latches for extracting and inserting the SGM.

2. Connect the supplied DB9 serial cable to the console port on the front of the upper SGM on the 61000
Security System.
3. Connect to the left-most SGM using a terminal emulation program.
4. Reboot the SGM by partially sliding it out and immediately pushing it back in place:
a) Loosen the thumb screws at the top and bottom of the SGM.
b) Open the latches at the top and bottom of the SGM.
c) Fasten the latches.
d) Tighten the thumb screws.
5. When the first screen shows, select Install Gaia on the system and press Enter.
6. You must press Enter in 60 seconds, or the computer will try to start from the hard drive. The timer
countdown stops once you press Enter. There is no time limit for the subsequent steps.
7. Press OK to continue with the installation.
After the installation, the 61000 Security System begins the boot process and status messages show in
the terminal emulation program.
8. Install the SGM image on the other SGMs. To install on one SGM at a time repeat all the steps for each
SGM. To install on many SGMs at one time:
a) Insert all the USB sticks or DVD drives into the USB ports of the other SGMs.
b) On one SGM at a time:

Connect to the console.


Reboot the SGM by partially sliding it out and immediately pushing it back in place.
Select Install Gaia on the system and press Enter.


Step 7: Connecting to the Network


1. If you have a dual Chassis environment: Connect the second Sync cable between the two Chassis.
These are the Sync cable connections:

eth1-Sync on chassis1 to eth1-Sync on chassis2.

eth2-Sync on chassis1 to eth2-Sync on chassis2.

2. Connect the management ports on the Security Switch Modules to your network.
3. Connect the data ports on the Security Switch Modules to your network.


Step 8: Initial Software Configuration


When installing and configuring the 61000 Security System, start with the Security Gateway Module furthest
to the left in the Chassis. After the first SGM is configured, installation and configuration settings are
automatically propagated to all other SGMs in the defined security group. The Security Group is the group of
SGMs that make up the Security Gateway.
Note - In SmartDashboard, one Security Gateway object represents the SGMs in the
security group.

Connecting a Console
1. Connect the RJ-45 jack end of a serial cable to the console port on the upper 61000 Security System in
the Chassis.

2. Connect the other end of the serial cable to the computer that you will use to do the initial configuration
of the 61000 Security System.
3. On the configuration computer, connect to the 61000 Security System using a terminal emulation
application such as PuTTY.

Make sure the Speed (baud rate) is set to 9600

No IP address is necessary
4. Log in with username: admin and password: admin.

Working on the Initial Setup


1. To start the installation wizard run #setup
2. In the Welcome screen, press a key.
3. Select Set SGMs for Security Group
4. If installing a VSX Gateway: Choose only the current SGM
Chassis 1, SGM 1 (slot 1 in Chassis 1)
If installing a Security Gateway: Define the SGMs that belong to the Security Group. There are two
lines, one for Chassis 1, one for Chassis 2.
In each line, you can enter:

all (same as 1-12)

A range, such as: 1-9

A number of comma-separated ranges, such as: 1-3,5-7



Single SGMs, such as: 1,4

A combination of single SGMs and ranges, such as: 10,2, 3-7.

By default, the SGM you are connected to belongs to the group: Chassis 1, SGM 1 (slot 1 in Chassis
1). To define a fully populated dual Chassis system select all in the top and bottom lines. For more
about Security Gateway Module numbering, see 61000 Security System front panel components
("61000 Security System Front Panel Modules" on page 14).
5. The subnet for internal communication in the Chassis is 192.0.2.0/24 by default. Change the IP address
if it conflicts with an existing subnet on your network.
6. Configure parameters for:

Host Name

Time and Date.


To configure the local time, choose the geographical area and city.

7. Select Network Connections.


Configure the management ports and the data ports of the Security Switch Module.

There are 4 management ports on each SSM. Only configure those ports you intend to use. To
associate port names with the physical ports, refer to Security Switch Module Ports ("Security
Switch Module (SSM)" on page 16). For each management port configure:

An IP address

The Netmask length

To associate data port names with the physical ports, refer to Security Switch Module Ports
("Security Switch Module (SSM)" on page 16). For each data port configure:

An IP address

The Netmask length


8. Configure Routing.
Note - Wait 10-20 seconds for routing information to be updated throughout the
system.
9. The Welcome to Check Point Suite screen shows. Wait for Check Point products packages to install.
10. Wait for the:

Installation Program Completed Successfully message to show

Check Point Configuration Program to start.


This program guides you through the configuration of Check Point products.

11. Configure Secure Internal Communication.


When prompted, enter and confirm the activation key. Remember this activation key. The same
activation key is used for configuring the 61000 Security System object in SmartDashboard.
Configuration settings are applied, and the SGM reboots. Other Security Gateway Modules in the Security
Group are installed automatically.
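
The SGM list syntax accepted in the Set SGMs for Security Group screen (step 4 above, and the same screen in Step 6) can be validated before it is typed into the wizard. This is an added example, not Check Point code: the function names are hypothetical, rejecting a reversed range such as 7-3 is an assumption, and the <chassis>_<slot> output form is taken from the blade 2_01 example in this guide.

```shell
#!/bin/sh
# expand_sgm_list <list>: expand one wizard line ("all", "1-9", "1-3,5-7", "1,4",
# "10,2, 3-7") into a sorted, de-duplicated list of slot numbers 1..12.
# Returns 1 and writes the reason to stderr if the list is malformed or out of range.
expand_sgm_list() {
    printf '%s\n' "$1" | awk '
    {
        spec = $0
        gsub(/[ \t]/, "", spec)               # the guide shows "10,2, 3-7", so blanks are tolerated
        if (spec == "all") spec = "1-12"      # "all (same as 1-12)"
        if (spec == "") { print "empty SGM list" > "/dev/stderr"; exit 1 }
        n = split(spec, item, ",")
        for (i = 1; i <= n; i++) {
            if (item[i] ~ /^[0-9]+$/) {
                lo = hi = item[i] + 0
            } else if (item[i] ~ /^[0-9]+-[0-9]+$/) {
                split(item[i], r, "-"); lo = r[1] + 0; hi = r[2] + 0
            } else {
                printf "bad item \"%s\"\n", item[i] > "/dev/stderr"; exit 1
            }
            # Assumption of this example: a reversed range is treated as an error
            if (lo < 1 || hi > 12 || lo > hi) {
                printf "slot out of range in \"%s\"\n", item[i] > "/dev/stderr"; exit 1
            }
            for (s = lo; s <= hi; s++) slot[s] = 1
        }
        out = ""
        for (s = 1; s <= 12; s++) if (s in slot) out = out (out == "" ? "" : " ") s
        print out
    }'
}

# security_group_ids <chassis 1 line> <chassis 2 line>: print the resulting Security
# Group members, one <chassis>_<slot> ID per line. An empty line means no SGMs on that
# Chassis. Nothing is printed unless both lines are valid.
security_group_ids() {
    ids=""
    chassis=1
    for list in "$1" "$2"; do
        if [ -n "$list" ]; then
            slots=$(expand_sgm_list "$list") || return 1
            for s in $slots; do
                ids="$ids$(printf '%d_%02d' "$chassis" "$s") "
            done
        fi
        chassis=$((chassis + 1))
    done
    [ -n "$ids" ] || { echo "security group is empty" >&2; return 1; }
    printf '%s\n' $ids
}

# Constructed input: Chassis 1 uses the combined example from the guide, Chassis 2 a range.
security_group_ids "10,2, 3-7" "1-3" || echo "invalid Security Group definition"
```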

System Validation
Make sure that the initial system setup is completed successfully by:


Running the asg monitor command. An initial policy must be installed on the local SGM after initial
setup completes and the SGM reboots.

To monitor the automatic installation of other SGMs, run: tail -f /var/log/start_mbs.log.

After installation, all the SGMs in the security group must be UP and in the Initial Policy state.


Step 9: SmartDashboard Configuration
The 61000 Security System can work as a Security Gateway or as a VSX Gateway. The Security
Management Server must be R75.40VS for 61000 or higher.
Do one of these procedures:

Configuring a Security Gateway (on page 53).

Configuring a VSX Gateway (on page 54).

Configuring a Security Gateway


This procedure explains how to configure a Security Gateway in SmartDashboard.
Note - The Check Point Security Gateway Creation Wizard is version dependent. The steps may
vary slightly.

To configure a Security Gateway:


1. Open SmartDashboard.
2. Enter your credentials to connect to the Security Management Server.
3. Create the Check Point Security Gateway object.
In the Network Objects tree, right click and select New > Check Point > Security
Gateway/Management
The Check Point Security Gateway Creation wizard opens.
4. Select Wizard Mode or Classic Mode.
This procedure describes Wizard mode. If you choose Classic Mode, make sure you set all the
necessary configuration parameters.
5. In the General Properties screen, configure:

Gateway name

Gateway platform - Select Open server

Gateway IP address
6. Click Next.
7. In the Secure Internal Communication Initialization screen, enter the One-time password. This is
the same as the Activation Key you entered during the initial setup.
8. Click Next.
9. View the Configuration Summary.
10. Select Edit Gateway properties for further configuration.
11. Click Finish.
The General Properties page of the 61000 Security System object opens.
12. In the General Properties page, make sure the Version is correct.
13. Enable the Firewall Software Blade. If required, enable other supported Software Blades.
14. In the navigation tree, select Topology.
15. Configure:

Interfaces as Internal or External

Anti-Spoofing.
Note: Only data and management interfaces are shown in the list.

16. Click OK.
The Security Gateway object closes.
17. Install the Policy.

Confirming the Security Gateway Software Configuration


To make sure that the policy was successfully installed:
1. Connect to the appliance (through SSH or the serial console).
2. Run asg monitor.
3. Make sure that the status for SGMs is: Enforcing Security on the ACTIVE and STANDBY
Chassis.

4. Make sure the Policy Date matches the time that the policy was installed.
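
Steps 2 to 4 above can be checked mechanically by feeding the asg monitor output to a small filter that lists every SGM that is not UP and Enforcing Security, or whose Policy Date differs from the installation time. This is an added example, not part of the guide or of Check Point tooling: the function names are hypothetical, the row layout follows the asg monitor example in the Monitoring and Configuration Commands section of this guide, and the sample output is constructed.

```shell
#!/bin/sh
# check_asg_monitor [expected policy date]
# Reads asg monitor output (Security Gateway layout) on stdin.
# Exit status: 0 = every SGM passes, 1 = at least one finding, 2 = no SGM rows parsed.
check_asg_monitor() {
    awk -v want_date="$1" '
    {
        line = $0
        sub(/^[ \t]*[|][ \t]*/, "", line)     # drop the left table border
        sub(/[ \t]*[|][ \t]*$/, "", line)     # drop the right table border
        n = split(line, f, /[ \t]+/)
    }
    # "Chassis 1   STANDBY" opens a chassis block ("Chassis HA mode:" does not match)
    n >= 3 && f[1] == "Chassis" && f[2] ~ /^[0-9]+$/ { chassis = f[2]; role = f[3]; next }
    # SGM rows start with the SGM number, optionally followed by "(local)"
    n >= 3 && f[1] ~ /^[0-9]+$/ {
        i = (f[2] == "(local)") ? 3 : 2
        state = f[i]
        # Policy Date is either "NA" or two tokens such as "12Jan14 14:44"
        if (f[n] == "NA") { date = "NA"; last = n - 1 }
        else              { date = f[n-1] " " f[n]; last = n - 2 }
        proc = ""
        for (k = i + 1; k <= last; k++) proc = proc (proc == "" ? "" : " ") f[k]
        sgms++
        if (state != "UP" || proc != "Enforcing Security") {
            printf "chassis %s (%s) SGM %s: state=%s process=%s\n", chassis, role, f[1], state, proc
            bad++
        } else if (want_date != "" && date != want_date) {
            printf "chassis %s (%s) SGM %s: policy date %s, expected %s\n", chassis, role, f[1], date, want_date
            bad++
        }
    }
    END {
        # An empty or unrecognised capture must not be reported as healthy
        if (sgms == 0) { print "no SGM rows found in input"; exit 2 }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample output in the layout of the asg monitor example in this guide.
sample_asg_monitor() {
    cat <<'EOF'
---------------------------------------------------------------------------
| Chassis 1               STANDBY                                         |
---------------------------------------------------------------------------
| SGM ID        State     Process               Policy Date               |
| 1             DOWN      Inactive              NA                        |
| 2             UP        Enforcing Security    12Jan14 14:44             |
---------------------------------------------------------------------------
| Chassis 2               ACTIVE                                          |
---------------------------------------------------------------------------
| SGM ID        State     Process               Policy Date               |
| 1 (local)     UP        Enforcing Security    12Jan14 14:44             |
| 2             UP        Enforcing Security    12Jan14 14:44             |
---------------------------------------------------------------------------
| Chassis HA mode:        Active Up                                       |
---------------------------------------------------------------------------
EOF
}

sample_asg_monitor | check_asg_monitor "12Jan14 14:44" || echo "post-install validation failed"
```

The filter handles the Security Gateway layout only; the per-Virtual-System layout printed by asg monitor -vs all arranges SGMs in columns and is not parsed here.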

To verify the configuration:


After configuring the Security Gateway and installing the policy, validate the configuration using the asg
diag command ("Collecting System Diagnostics (asg diag)" on page 75). Use the command to collect and
show diagnostic information about the system.
If there is a problem, fix it before using the system.

Configuring a VSX Gateway


The 61000 Security System can work as a Security Gateway or as a VSX Gateway.
This procedure shows how to configure a VSX Gateway in SmartDashboard.

Before creating the VSX Gateway


Understand how VSX works, and the VSX architecture and concepts. Also, you should understand how to
deploy and configure your security environment using the VSX virtual devices:

Virtual System

Virtual System in Bridge Mode

Virtual Router

Virtual Switch

To learn about how VSX works, architecture, concepts and virtual devices, see the R75.40VS Check Point
VSX Administration Guide (http://supportcontent.checkpoint.com/solutions?id=sk76540).

The VSX Gateway Wizard


This section explains how to create a new VSX Gateway using the VSX Gateway Wizard.


The VSX Gateway in this example has one Virtual System (VS0) and one dedicated management interface.

After you complete the VSX Gateway Wizard, you can change the VSX Gateway definition from
SmartDashboard. For example, you can add Virtual Systems, add or delete interfaces, or configure existing
interfaces to support VLANs.
Note - The Check Point VSX Gateway Wizard is version dependent. The steps may vary slightly.

To start the VSX Gateway wizard:


1. Open SmartDashboard.
If you are using Multi-Domain Security Management, open SmartDashboard from the Domain
Management Server of the VSX Gateway.
2. From the Network Objects tree, right-click Check Point and select VSX > Gateway.
The General Properties page of the VSX Gateway Wizard opens.

Wizard Step 1: Defining VSX Gateway General Properties


The General Properties page contains basic identification properties for VSX Gateways.

VSX Gateway Name: Unique, alphanumeric name for the VSX Gateway. The name cannot contain spaces or
special characters except the underscore.

VSX Gateway IP Address: Management interface IP address.

VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the drop-down list.

Wizard Step 2: Selecting Virtual Systems Creation Templates


The Creation Templates page lets you provision predefined, default topology and routing definitions to
Virtual Systems. This makes sure Virtual Systems are consistent and makes the definition process faster.
You always have the option to override the default creation template when you create or change a Virtual
System.
The Creation Templates are:

Shared Interface - Not supported for the 61000 Security System.

Separate Interfaces: Virtual Systems use their own separate internal and external interfaces. This
template creates a Dedicated Management Interface (DMI) by default.

Custom Configuration: Define Virtual System, Virtual Router, Virtual Switch, and Interface
configurations.

For this example, choose Custom configuration.

Wizard Step 3: Establishing SIC Trust


Initialize Secure Internal Communication trust between the VSX Gateway and the management server. The
gateway and server cannot communicate without Trust.


Initializing SIC Trust


When you create a VSX Gateway, you must enter the Activation Key that you defined in the installation
wizard setup program ("Working on the Initial Setup" on page 50). Enter and confirm the activation key
and then click Initialize. If you enter the correct activation key, the Trust State changes to Trust
established.
For more about SIC trust, see the R75.40VS Check Point VSX Administration Guide
(http://supportcontent.checkpoint.com/solutions?id=sk76540).

Wizard Step 4: Defining Physical Interfaces


In the VSX Gateway Interfaces window, you can define physical interfaces as VLAN trunks. The page
shows the interfaces currently defined on the VSX Gateway.
To define an interface as a VLAN trunk, select VLAN Trunk for the interface.
You can define VLAN trunks later. For this example, choose Next.

Wizard Step 5: Virtual Network Device Configuration


If you chose the Custom Configuration option, the Virtual Network Device Configuration window opens.
The options in this window are not supported for the 61000 Security System.
Click Next.

Wizard Step 6: VSX Gateway Management


In the VSX Gateway Management window, define security policy rules that protect the VSX Gateway. This
policy is installed automatically on the new VSX Gateway.
Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual
Systems, other virtual devices, external networks, and internal networks is not affected by this
policy.
The security policy consists of predefined rules for these services:

UDP - SNMP requests

TCP - SSH traffic

ICMP - Echo-request (ping)

TCP - HTTPS traffic

To Modify the Gateway Security Policy


1. Allow: Select to pass traffic on the selected services. Clear this option to block traffic on this service. By
default, all services are blocked.
For example, to be able to ping the gateway from the management server, allow ICMP echo-request
traffic.
2. Source: Click the arrow and select a Source Object from the list.
The default value is *Any. Click New Source Object to define a new source.
You can modify the security policy rules that protect the VSX Gateway later.
Click Next.

Wizard Step 7: Completing the VSX Wizard


Click Next to continue and then click Finish to complete the VSX Gateway wizard.
This may take several minutes to complete.
If the process ends unsuccessfully, click View Report to see the error messages.

Confirming the VSX Gateway Software Configuration


To make sure that the policy was successfully installed:
1. Connect to the appliance (through SSH or the serial console).
2. Run asg monitor -vs all.
3. Make sure that the status for SGMs is: Enforcing Security on the Active and Standby Chassis, for
all Virtual Systems.
This shows the output for a dual Chassis VSX Gateway. Chassis 1 (Active) has 1 SGM in its Security
Group.
--------------------------------------------------------------------------------
| Chassis 1                  ACTIVE                                            |
--------------------------------------------------------------------------------
| SGM         | 1 (local)            |                 |                       |
--------------------------------------------------------------------------------
| State       | UP                   |                 |                       |
--------------------------------------------------------------------------------
| VS ID       |
--------------------------------------------------------------------------------
| 0           | Enforcing Security   |                 |                       |
--------------------------------------------------------------------------------

You can now add more SGMs to the Security Group. Use the asg security_group tool.
Run asg monitor -vs all. After all SGMs are UP and enforcing Security, you can add Virtual Systems
to the VSX Gateway.


Basic Configuration Using gclish


Use the gclish shell for basic system configuration.

Virtual Context
To: | Run | Applicable Modes
Move to a different virtual context | # set Virtual-system <vsid> | VSX Gateway

Interfaces
To: | Run | Applicable Modes
Set an IPv4 address on an interface | # set interface eth1-01 ipv4-address 192.0.20.10 mask-length 24 | Security Gateway
Show the IPv4 interface address | # show interface eth1-01 ipv4-address | Security Gateway, VSX Gateway
Delete the IPv4 address from an interface | # delete interface eth1-01 ipv4-address | Security Gateway

Hostname
To: | Run | Applicable Modes
Set the hostname | # set hostname <security system name> (each SGM gets its local identity as suffix. For example gcp-X1000-ch01-04) | Security Gateway, VSX Gateway
Show the hostname | # show hostname | Security Gateway, VSX Gateway

Routes
To: | Run | Applicable Modes
Set a default route | # set static-route default nexthop gateway address 192.0.20.1 on | Security Gateway
Show the route table | # show route | Security Gateway, VSX Gateway

Bonds
To: | Run | Applicable Modes
Create a bond and assign an interface to it | # add bonding group 1000 interface eth2-03 | Security Gateway, VSX Gateway


Show existing bonds | # show bonding groups | Security Gateway, VSX Gateway

VLANs
To: | Run | Applicable Modes
Add a VLAN interface | # add interface eth2-02 vlan 1023 | Security Gateway
Show a VLAN interface | # show interface eth2-02 vlans | Security Gateway, VSX Gateway

Image Management (Snapshots)
To: | Run | Applicable Modes
Add a snapshot | add snapshot <snapshot name> desc <description> | Security Gateway, VSX Gateway
Revert to a snapshot | set snapshot revert <snapshot name> | Security Gateway, VSX Gateway
Show snapshots and monitor snapshot progress | show snapshots | Security Gateway, VSX Gateway


Licensing and Registration


The 61000 Security System has an initial 15-day evaluation license. After the evaluation license expires, you
must license and register the system.
Each Chassis is licensed separately. If you have a dual Chassis system, you must install two licenses.
The license key (CK) is the Chassis serial number. The Chassis serial number is printed on the Chassis
sticker. You can also retrieve the Chassis serial number using gclish.

To retrieve the Chassis serial number (if a policy is installed on the SGM)
1. Open a command line window on one of the SGMs on the Chassis.
2. Run:
asg_serial_info
The output shows the Chassis Serial Number.

To retrieve the Chassis serial number (if no policy is installed on the SGM)
1. Connect to one of the SGMs on the Chassis
2. Connect to the Active CMM and run:
ssh 198.51.100.33
This is the permanent, static IP address of the Active CMM.
3. On the CMM, run: clia fruinfo 20 254.
The output shows the Chassis Serial Number.

To license and register the 61000 Security System


1. Open the User Center Registration page (http://register.checkpoint.com/cpapp).
2. Search for the Chassis serial number.
3. Generate a license based on the IP address of the SSM interface connected to your Security
Management Server.
Note - Because the 61000 Security System has a single Management IP address, in
dual Chassis environments, the Active and Standby Chassis should be bound to the
same IP address in the license. Generate two licenses and enter the same IP
address in each license.
4. Install the license on the system.

If you use the cplic command, run it from gclish so that it applies to all SGMs. Run cplic twice
if you have a dual Chassis environment.

If using SmartUpdate, install the Policy.


Monitoring and Configuration Commands
This section lists the most important gclish commands that you can use to monitor and configure the
61000 Security System.

Showing Chassis and Component State (asg stat)


Use this command to show the Chassis and hardware component state for single and dual Chassis
configurations. The command shows system:

Up-time

CPU load: average and current

Concurrent connections

Health

Use Verbose mode to show SGM state, process and policy


Syntax
asg stat
asg stat [-v] [-vs <vs_ids>] [-l]
Note - If you run this command in a VSX context, the output is for the applicable Virtual System.

Parameter | Description
None | Show a basic summary of the Chassis status.
-v | Show detailed Chassis status (verbose mode).
<vs_ids> | Shows the Chassis status of multiple Virtual Systems. Specify the VS IDs. For example 4, 7, 8, 10. For a Chassis with more than 3 SGMs, the output has abbreviations to make the output more compact.
-l | Show the meaning of the abbreviations in the output for a Chassis with more than 3 SGMs.

Monitoring Chassis and Component Status (asg monitor)


Use this command to continuously monitor Chassis and component status. This command shows the same
information as asg stat, but the information stays on the screen and refreshes at user-specified intervals
(default = 1 second). To end the monitor session, press Ctrl-c.
Note - If you run this command in a Virtual System context, you will see only the output for that Virtual
System. You can also specify the Virtual System as a command parameter.


Syntax
asg monitor -h
asg monitor [-v] [interval]
asg monitor all [interval]
asg monitor [-vs <vs_ids>]
asg monitor -l

Parameter | Description
None | Show summary SGM and Chassis status with data refresh every second.
-h | Show the command syntax and help information.
interval | Set the data refresh interval (in seconds) for the current session.
-v | Show detailed (verbose) component status without SGM status.
-vs <vs_ids> | Shows the component status for one or more Virtual Systems in a comma-separated list. You can also specify all to show all Virtual Systems. For a Chassis with more than 3 SGMs, the output has abbreviations to make the output more compact.
all | Shows all SGMs and all Chassis components status.
-l | Shows legend of column title abbreviations.

Examples
> asg monitor
---------------------------------------------------------------------------
| VS ID: 0                VS Name: Athens                                 |
---------------------------------------------------------------------------
| Chassis 1               STANDBY                                         |
---------------------------------------------------------------------------
| SGM ID       State       Process                 Policy Date            |
| 1            DOWN        Inactive                NA                     |
| 2            UP          Enforcing Security      12Jan14 14:44          |
| 3            UP          Enforcing Security      12Jan14 14:44          |
| 4            UP          Enforcing Security      12Jan14 14:44          |
| 5            UP          Enforcing Security      12Jan14 14:44          |
---------------------------------------------------------------------------
| Chassis 2               ACTIVE                                          |
---------------------------------------------------------------------------
| SGM ID       State       Process                 Policy Date            |
| 1 (local)    UP          Enforcing Security      12Jan14 14:44          |
| 2            UP          Enforcing Security      12Jan14 14:44          |
| 3            UP          Enforcing Security      12Jan14 14:44          |
| 4            UP          Enforcing Security      12Jan14 14:44          |
| 5            UP          Enforcing Security      12Jan14 14:44          |
---------------------------------------------------------------------------
| Chassis HA mode:        Active Up                                       |
---------------------------------------------------------------------------
This example shows the SGM and Chassis HA status.

> asg monitor -vs 3
--------------------------------------------------------------------------------
| Chassis 1                          ACTIVE                                    |
--------------------------------------------------------------------------------
|SGM   |1 (l)|2    |3    |4    | -   | -   | -   | -   | -   | -   | -   | -   |
--------------------------------------------------------------------------------
|State | UP  | UP  | UP  | DWN | -   | -   | -   | -   | -   | -   | -   | -   |
--------------------------------------------------------------------------------
| VS ID                                                                        |
--------------------------------------------------------------------------------
| 3    | ES  | ES  | ES  | IAC | -   | -   | -   | -   | -   | -   | -   | -   |
--------------------------------------------------------------------------------

This example shows the status of the SGMs and Virtual System 3.

Monitoring Performance Indicators and Statistics (asg perf)

Use this command to continuously monitor key performance indicators and load statistics.

Syntax
asg perf [-b <SGM_string>] [-vs <VS_string>] [-v] [-p] [-a]
[-k[-last|--hist]] [-e]

Parameter          Description
-b <SGM_string>    Shows results for SGMs and/or Chassis as specified by <SGM_string>.
                   The <SGM_string> can be:
                     No <SGM_string> or all - Shows all SGMs and Chassis
                     One SGM
                     A comma-separated list of SGMs (1_1,1_4)
                     A range of SGMs (1_1-1_4)
                     One Chassis (Chassis1 or Chassis2)
                     The active Chassis (chassis_active)
-vs <VS_string>    For VSX Gateway only: List of Virtual Systems. For example:
                     1        VS 1
                     1,3-5    VS 1,2,4,5
                     all      All VSs
                   Note: In a VSX Gateway, if no -vs option is specified, the
                   command runs in the context of the current VS.
-v                 Verbose mode: Per-SGM display.
                   Show performance statistics (including load and acceleration load)
                   on the Active Chassis.
-p                 Show detailed statistics and traffic distribution between these paths
                   on the Active Chassis:
                     Acceleration path (Performance Pack).
                     Medium path (PXL).
                     Slow path (Firewall).
-a                 Show absolute values.
-k                 Shows peak values for connection rate, concurrent connections and
                   throughput.
-h                 Display usage.

Example
If no SGMs are specified, the command shows performance statistics for the Active Chassis:
> asg perf -v
Output

Notes:
Load Average = CPU load.

Monitoring Hardware Components (asg hw_monitor)


Use this command to show per-Chassis hardware information and thresholds for monitored components:

Security Gateway Module - CPU temperature per socket

Chassis fan speeds

Security Switch Module - Throughput rates

Power consumption per Chassis

Power Supply Unit: Whether installed or not, and PSU fan speed

Chassis Management Module - Installed, Active or Standby

Syntax
asg hw_monitor [-v] [-f <filter>]

Parameter    Description
none         Show component status summary report
-v           Show detailed component status report (verbose)
-f           Show status of one or more specified (filtered) components
<filter>     One or more of these component types, in a comma separated list:
               CMM
               CPUtemp
               Fan
               PowerConsumption
               PowerUnit
               SSM


Sample Output for the 61000 Security System


# asg hw_monitor -v
-------------------------------------------------------------------------------
| Hardware Monitor                                                            |
-------------------------------------------------------------------------------
| Sensor           | Location       | Value | Threshold | Units       | State |
-------------------------------------------------------------------------------
| Chassis 1                                                                   |
-------------------------------------------------------------------------------
| CMM              | bay 1          | 1     | 0         | <S,D>/<A>   | 1     |
| CMM              | bay 2          | 0     | 0         | <S,D>/<A>   | 1     |
| CPUtemp          | blade 1, CPU0  | 45    | 65        | Celsius     | 1     |
| CPUtemp          | blade 1, CPU1  | 39    | 65        | Celsius     | 1     |
| CPUtemp          | blade 2, CPU0  | 44    | 65        | Celsius     | 1     |
| CPUtemp          | blade 2, CPU1  | 39    | 65        | Celsius     | 1     |
| CPUtemp          | blade 3, CPU0  | 44    | 65        | Celsius     | 1     |
| CPUtemp          | blade 3, CPU1  | 38    | 65        | Celsius     | 1     |
| CPUtemp          | blade 4, CPU0  | 47    | 65        | Celsius     | 1     |
| CPUtemp          | blade 4, CPU1  | 42    | 65        | Celsius     | 1     |
| CPUtemp          | blade 5, CPU0  | 46    | 65        | Celsius     | 1     |
| CPUtemp          | blade 5, CPU1  | 47    | 65        | Celsius     | 1     |
| CPUtemp          | blade 6, CPU0  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 6, CPU1  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 7, CPU0  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 7, CPU1  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 8, CPU0  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 8, CPU1  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 9, CPU0  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 9, CPU1  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 10, CPU0 | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 10, CPU1 | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 11, CPU0 | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 11, CPU1 | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 12, CPU0 | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 12, CPU1 | 0     | 65        | Celsius     | 0     |
| Fan              | bay 1, fan 1   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 2   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 1   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 2   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 3, fan 1   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 3, fan 2   | 3     | 11        | Speed Level | 1     |
| PowerConsumption | N/A            | 2711  | 4050      | Watts       | 1     |
| PowerUnit(AC)    | bay 1          | 0     | 0         | NA          | 1     |
| PowerUnit(AC)    | bay 2          | 0     | 0         | NA          | 1     |
| PowerUnit(AC)    | bay 3          | 0     | 0         | NA          | 1     |
| PowerUnit(AC)    | bay 4          | 0     | 0         | NA          | 0     |
| PowerUnit(AC)    | bay 5          | 0     | 0         | NA          | 0     |
| PowerUnitFan     | bay 1, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 1, fan 2   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 2, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 2, fan 2   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 3, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 3, fan 2   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 4, fan 1   | 0     | 0         | NA          | 0     |
| PowerUnitFan     | bay 4, fan 2   | 0     | 0         | NA          | 0     |
| PowerUnitFan     | bay 5, fan 1   | 0     | 0         | NA          | 0     |
| PowerUnitFan     | bay 5, fan 2   | 0     | 0         | NA          | 0     |
| SSM              | bay 1          | 0     | 0         | Mbps        | 1     |
| SSM              | bay 2          | 0     | 0         | Mbps        | 1     |
-------------------------------------------------------------------------------
| Chassis 2                                                                   |
-------------------------------------------------------------------------------
| CMM              | bay 1          | 1     | 0         | <S,D>/<A>   | 1     |
| CMM              | bay 2          | 0     | 0         | <S,D>/<A>   | 1     |
| CPUtemp          | blade 1, CPU0  | 46    | 65        | Celsius     | 1     |
| CPUtemp          | blade 1, CPU1  | 46    | 65        | Celsius     | 1     |
| CPUtemp          | blade 2, CPU0  | 48    | 65        | Celsius     | 1     |
| CPUtemp          | blade 2, CPU1  | 49    | 65        | Celsius     | 1     |
| CPUtemp          | blade 3, CPU0  | 46    | 65        | Celsius     | 1     |
| CPUtemp          | blade 3, CPU1  | 47    | 65        | Celsius     | 1     |
| CPUtemp          | blade 4, CPU0  | 46    | 65        | Celsius     | 1     |
| CPUtemp          | blade 4, CPU1  | 50    | 65        | Celsius     | 1     |
| CPUtemp          | blade 5, CPU0  | 50    | 65        | Celsius     | 1     |
| CPUtemp          | blade 5, CPU1  | 49    | 65        | Celsius     | 1     |
| CPUtemp          | blade 6, CPU0  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 6, CPU1  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 7, CPU0  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 7, CPU1  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 8, CPU0  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 8, CPU1  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 9, CPU0  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 9, CPU1  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 10, CPU0 | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 10, CPU1 | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 11, CPU0 | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 11, CPU1 | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 12, CPU0 | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 12, CPU1 | 0     | 65        | Celsius     | 0     |
| Fan              | bay 1, fan 1   | 5     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 2   | 5     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 1   | 5     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 2   | 5     | 11        | Speed Level | 1     |
| Fan              | bay 3, fan 1   | 5     | 11        | Speed Level | 1     |
| Fan              | bay 3, fan 2   | 5     | 11        | Speed Level | 1     |
| PowerConsumption | N/A            | 2711  | 4050      | Watts       | 1     |
| PowerUnit(AC)    | bay 1          | 0     | 0         | NA          | 1     |
| PowerUnit(AC)    | bay 2          | 0     | 0         | NA          | 1     |
| PowerUnit(AC)    | bay 3          | 0     | 0         | NA          | 1     |
| PowerUnit(AC)    | bay 4          | 0     | 0         | NA          | 0     |
| PowerUnit(AC)    | bay 5          | 0     | 0         | NA          | 0     |
| PowerUnitFan     | bay 1, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 1, fan 2   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 2, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 2, fan 2   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 3, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 3, fan 2   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 4, fan 1   | 0     | 0         | NA          | 0     |
| PowerUnitFan     | bay 4, fan 2   | 0     | 0         | NA          | 0     |
| PowerUnitFan     | bay 5, fan 1   | 0     | 0         | NA          | 0     |
| PowerUnitFan     | bay 5, fan 2   | 0     | 0         | NA          | 0     |
| SSM              | bay 1          | 0     | 0         | Mbps        | 1     |
| SSM              | bay 2          | 0     | 0         | Mbps        | 1     |
-------------------------------------------------------------------------------

Sample Output for 41000 Security System


-------------------------------------------------------------------------------
| Hardware Monitor                                                            |
-------------------------------------------------------------------------------
| Sensor           | Location       | Value | Threshold | Units       | State |
-------------------------------------------------------------------------------
| Chassis 1                                                                   |
-------------------------------------------------------------------------------
| CMM              | bay 1          | 0     | 0         | <S,D>/<A>   | 1     |
| CMM              | bay 2          | 1     | 0         | <S,D>/<A>   | 1     |
| CPUtemp          | blade 1, CPU0  | 47    | 65        | Celsius     | 1     |
| CPUtemp          | blade 1, CPU1  | 46    | 65        | Celsius     | 1     |
| CPUtemp          | blade 2, CPU0  | 46    | 65        | Celsius     | 1     |
| CPUtemp          | blade 2, CPU1  | 44    | 65        | Celsius     | 1     |
| CPUtemp          | blade 3, CPU0  | 46    | 65        | Celsius     | 1     |
| CPUtemp          | blade 3, CPU1  | 45    | 65        | Celsius     | 1     |
| CPUtemp          | blade 4, CPU0  | 45    | 65        | Celsius     | 1     |
| CPUtemp          | blade 4, CPU1  | 46    | 65        | Celsius     | 1     |
| Fan              | bay 1, fan 1   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 2   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 3   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 4   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 5   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 6   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 7   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 8   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 9   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 10  | 4     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 1   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 2   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 3   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 4   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 5   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 6   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 7   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 8   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 9   | 4     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 10  | 4     | 11        | Speed Level | 1     |
| PowerConsumption | N/A            | 1894  | 4050      | Watts       | 1     |
| PowerUnit(AC)    | bay 1          | 0     | 0         | NA          | 1     |
| PowerUnit(AC)    | bay 2          | 0     | 0         | NA          | 1     |
| PowerUnit(AC)    | bay 3          | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 1, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 1, fan 2   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 2, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 2, fan 2   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 3, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 3, fan 2   | 0     | 0         | NA          | 1     |
| SSM              | bay 1          | 40    | 0         | Mbps        | 1     |
| SSM              | bay 2          | 0     | 0         | Mbps        | 1     |
-------------------------------------------------------------------------------
| Chassis 2                                                                   |
-------------------------------------------------------------------------------
| CMM              | bay 1          | 1     | 0         | <S,D>/<A>   | 1     |
| CMM              | bay 2          | 0     | 0         | <S,D>/<A>   | 1     |
| CPUtemp          | blade 1, CPU0  | 47    | 65        | Celsius     | 0     |
| CPUtemp          | blade 1, CPU1  | 51    | 65        | Celsius     | 0     |
| CPUtemp          | blade 2, CPU0  | 46    | 65        | Celsius     | 1     |
| CPUtemp          | blade 2, CPU1  | 56    | 65        | Celsius     | 1     |
| CPUtemp          | blade 3, CPU0  | 49    | 65        | Celsius     | 1     |
| CPUtemp          | blade 3, CPU1  | 51    | 65        | Celsius     | 1     |
| CPUtemp          | blade 4, CPU0  | 0     | 65        | Celsius     | 0     |
| CPUtemp          | blade 4, CPU1  | 0     | 65        | Celsius     | 0     |
| Fan              | bay 1, fan 1   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 2   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 3   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 4   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 5   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 6   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 7   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 8   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 9   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 1, fan 10  | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 1   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 2   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 3   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 4   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 5   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 6   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 7   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 8   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 9   | 3     | 11        | Speed Level | 1     |
| Fan              | bay 2, fan 10  | 3     | 11        | Speed Level | 1     |
| PowerConsumption | N/A            | 1624  | 4050      | Watts       | 1     |
| PowerUnit(AC)    | bay 1          | 0     | 0         | NA          | 1     |
| PowerUnit(AC)    | bay 2          | 0     | 0         | NA          | 1     |
| PowerUnit(AC)    | bay 3          | 0     | 0         | NA          | 0     |
| PowerUnitFan     | bay 1, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 1, fan 2   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 2, fan 1   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 2, fan 2   | 0     | 0         | NA          | 1     |
| PowerUnitFan     | bay 3, fan 1   | 0     | 0         | NA          | 0     |
| PowerUnitFan     | bay 3, fan 2   | 0     | 0         | NA          | 0     |
| SSM              | bay 1          | 2     | 0         | Mbps        | 1     |
| SSM              | bay 2          | 0     | 0         | Mbps        | 1     |
-------------------------------------------------------------------------------

Notes
Column       Meaning
Location     To identify the location, see the 61000 Security System Front Panel ("61000 Security
             System Front Panel Modules" on page 14).
Value        Most components have a defined threshold value. The threshold gives an indication of the
Threshold    health and functionality of the component. When the value of the resource is greater than
Units        the threshold, an alert is sent ("Configuring Alerts for SGM and Chassis Events (asg alert)"
             on page 71).
State        0 = Component not installed
             1 = Component is installed
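
The rules in the Notes above (alert when Value is greater than Threshold; State 0 means not installed) can be applied to saved asg hw_monitor -v output. The following Python is an added example, not part of the guide or of Check Point's tooling: the sample rows are constructed, the function names are hypothetical, and treating a Threshold of 0 as "no threshold defined" is an assumption based on the rows with NA, Mbps and <S,D>/<A> units.

```python
import re
from dataclasses import dataclass

# Constructed sample rows in the layout of the asg hw_monitor -v output
# (values are illustrative, not captured from a real system).
SAMPLE = """\
------------------------------------------------------------
| Sensor | Location | Value | Threshold | Units | State |
------------------------------------------------------------
| Chassis 1 |
------------------------------------------------------------
| CMM | bay 1 | 1 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 45 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 71 | 65 | Celsius | 1 |
| CPUtemp | blade 6, CPU0 | 0 | 65 | Celsius | 0 |
| Fan | bay 1, fan 1 | 3 | 11 | Speed Level | 1 |
| PowerConsumption | N/A | 2711 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 4 | 0 | 0 | NA | 0 |
------------------------------------------------------------
| Chassis 2 |
------------------------------------------------------------
| Fan | bay 2, fan 2 | 12 | 11 | Speed Level | 1 |
| SSM | bay 1 | 40 | 0 | Mbps | 1 |
------------------------------------------------------------
"""


@dataclass(frozen=True)
class Reading:
    chassis: int
    sensor: str
    location: str
    value: int
    threshold: int
    units: str
    installed: bool  # State column: 1 = installed, 0 = not installed


def parse_hw_monitor(text):
    """Turn table rows into Reading objects, tracking the current Chassis."""
    readings, chassis = [], None
    for line in text.splitlines():
        # Drop rule characters and the outer pipes, then split into cells.
        cells = [c.strip() for c in line.strip().strip("-").strip("|").split("|")]
        if len(cells) == 1:
            m = re.fullmatch(r"Chassis (\d+)", cells[0])
            if m:
                chassis = int(m.group(1))
            continue
        if len(cells) != 6 or chassis is None:
            continue
        sensor, location, value, threshold, units, state = cells
        # Skips the column header row and anything that is not a data row.
        if not (value.isdigit() and threshold.isdigit() and state in ("0", "1")):
            continue
        readings.append(Reading(chassis, sensor, location, int(value),
                                int(threshold), units, state == "1"))
    return readings


def over_threshold(readings):
    """Installed components whose Value is greater than a defined Threshold.

    Assumption: Threshold 0 means no threshold is defined for that sensor.
    """
    return [r for r in readings
            if r.installed and r.threshold > 0 and r.value > r.threshold]


def missing_components(readings, expected):
    """Expected (chassis, sensor, location) keys that are absent or State 0."""
    installed = {(r.chassis, r.sensor, r.location) for r in readings if r.installed}
    return sorted(set(expected) - installed)


if __name__ == "__main__":
    rows = parse_hw_monitor(SAMPLE)
    for r in over_threshold(rows):
        print(f"OVER  chassis {r.chassis} {r.sensor} {r.location}: "
              f"{r.value} > {r.threshold} {r.units}")
    # Hypothetical inventory of components that should be present.
    inventory = {(1, "PowerUnit(AC)", "bay 4"), (1, "CMM", "bay 1")}
    for key in missing_components(rows, inventory):
        print("MISSING", key)
```

Comparing each run against a fixed inventory also surfaces a component that changes from State 1 to State 0 between runs, which the threshold comparison alone does not report.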

Monitoring SGM Resources (asg resource)


Use this command to show the SGM resource usage and thresholds for the 61000 Security System.

Syntax
asg resource [-b sgm]

Parameter    Description
-b sgm       Shows results for SGMs and/or Chassis as specified by <sgm_string>.
             The <sgm_string> can be:
               No <sgm_string> or all - Shows all SGMs and Chassis
               One SGM
               A comma-separated list of SGMs (1_1,1_4)
               A range of SGMs (1_1-1_4)
               One Chassis (Chassis1 or Chassis2)
               The active Chassis (chassis_active)
-h           Shows usage and exits

Example
> asg resource [-b sgm]
+-----------------------------------------------------------------------------------+
|Resource Table                                                                     |
+------------+-------------------------+------------+------------+------------------+
|SGM ID      |Resource Name            |Usage       |Threshold   |Total             |
+------------+-------------------------+------------+------------+------------------+
|1_01        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_02        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.7G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_03        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_04        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|1_05        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_01        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_02        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |19%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_03        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_04        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+
|2_05        |Memory                   |19%         |50%         |31.3G             |
|            |HD: /                    |21%         |80%         |19.4G             |
|            |HD: /var/log             |1%          |80%         |58.1G             |
|            |HD: /boot                |19%         |80%         |288.6M            |
+------------+-------------------------+------------+------------+------------------+

Notes
Column descriptions:
1. The Resource column identifies the resource. There are 4 kinds of resources:
   Memory
   HD - hard drive space (/)
   HD: /var/log - space on hard drive committed to log files
   HD: /boot - location of the kernel
2. The Location column identifies the SGM with the resource.
3. The Usage column shows in percentage terms how much of the resource is in use.
4. The Threshold column is also expressed as a percentage. The threshold gives an indication of the
   health and functionality of the component. When the value of the resource is greater than the threshold,
   an alert is sent. The threshold can be modified in gclish.
5. The Total column is the total absolute value in units.
6. The Units column shows the measurement type, Megabytes (M) or Gigabytes (G).
For example, the first row shows that SGM1 on Chassis 1 has 31.3 Gigabytes of memory, 19% of which is
used. An alert will be sent if the usage exceeds 80%.


Searching for a Connection (asg search)


Description
Use this command to:

Search for a connection.

Find out which SGM handles the connection (actively or as backup), and which Chassis.

Syntax
asg search
asg search <src> <dst> <dport> <ipp> <sport>
asg search -v
asg search -help

Parameter                          Description
asg search                         Run in interactive mode. In this mode you are asked to
                                   enter the 5-tuple of connection parameters. Each
                                   parameter can be a wildcard. Press Enter for a wildcard.
asg search <src> <dst> <dport>     Run in command line mode. Each parameter can be replaced
<ipp> <sport>                      by * for a wildcard. If you specify only a few parameters,
                                   the wildcard is used for the others.
-v                                 Verbose mode
-help                              Display usage

Example 1
asg search <source IP> <Destination IP>
asg search 10.33.86.2 10.33.87.101

Output
Lookup for conn: <10.33.86.2, *, 10.33.87.101, *, *>, may take few seconds...
<10.33.86.2, 2686, 10.33.87.101, 22, tcp> -> [1_01 A, 1_03 B, 2_01 B]
Legend:
A - Active SGM
B - Backup SGM

Comments
Searching for connections from 10.33.86.2 to 10.33.87.101 shows one SSH connection:
<10.33.86.2, 2686, 10.33.87.101, 22, tcp>
This connection is handled by SGM 1 in Chassis 1. The connection has a backup on
SGM 3, and another backup in Chassis 2 on SGM 1.

Example 2
asg search 10.33.86.2 \* 8080 tcp

Output
Lookup for conn: <10.33.86.2, *, *, 8080, tcp>, may take few seconds...
<10.33.86.2, 49581, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<10.33.86.2, 49600, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<10.33.86.2, 49601, 194.29.36.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
Legend:
A - Active SGM
B - Backup SGM

Comments
Searching for tcp connection with source IP address 10.33.86.2 and destination port
8080.
The output shows three connections handled on SGM 1_01 with a backup on SGM
1_07 and 2_01.
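
When a connection has to be traced to the SGM that holds it (for example, to know where to look at state or capture traffic), the asg search result lines can be parsed mechanically. The following Python is an added example, not part of the guide: it assumes the field order <src, sport, dst, dport, protocol> seen in the outputs above, the sample lines are constructed with documentation addresses, and the "backup on the other Chassis" check is a hypothetical operational policy.

```python
import re

# Constructed sample in the format of the asg search output shown above.
SAMPLE = """\
Lookup for conn: <192.0.2.10, *, *, 8080, tcp>, may take few seconds...
<192.0.2.10, 49581, 198.51.100.43, 8080, tcp> -> [1_01 A, 1_07 B, 2_01 B]
<192.0.2.10, 49600, 198.51.100.43, 8080, tcp> -> [1_01 A, 1_07 B]
<192.0.2.10, 49601, 198.51.100.43, 8080, tcp> -> [2_03 A]
Legend:
A - Active SGM
B - Backup SGM
"""

# A result line is "<5-tuple> -> [owners]"; the Lookup line has no "->".
CONN_RE = re.compile(r"<([^<>]+)>\s*->\s*\[([^\]]*)\]")
# An owner is "<chassis>_<sgm> <role>", role A (active) or B (backup).
OWNER_RE = re.compile(r"(\d+)_(\d+)\s+([AB])")


def parse_asg_search(text):
    """Return one dict per connection with its 5-tuple and SGM owners."""
    conns = []
    for m in CONN_RE.finditer(text):
        fields = [f.strip() for f in m.group(1).split(",")]
        if len(fields) != 5:
            continue
        src, sport, dst, dport, proto = fields
        if not (sport.isdigit() and dport.isdigit()):
            continue  # wildcard echo, not a concrete connection
        owners = [(int(c), int(s), role)
                  for c, s, role in OWNER_RE.findall(m.group(2))]
        conns.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "owners": owners})
    return conns


def active_sgm(conn):
    """SGM ID (chassis_sgm) of the active owner, or None if none is listed."""
    for chassis, sgm, role in conn["owners"]:
        if role == "A":
            return f"{chassis}_{sgm:02d}"
    return None


def without_cross_chassis_backup(conns):
    """Connections with no backup SGM on a Chassis other than the active one."""
    gaps = []
    for conn in conns:
        active = [c for c, _, role in conn["owners"] if role == "A"]
        backups = [c for c, _, role in conn["owners"] if role == "B"]
        if not active or not any(c != active[0] for c in backups):
            gaps.append(conn)
    return gaps


if __name__ == "__main__":
    found = parse_asg_search(SAMPLE)
    for conn in found:
        print(conn["src"], conn["sport"], "->", conn["dst"], conn["dport"],
              "active on", active_sgm(conn))
    for conn in without_cross_chassis_backup(found):
        print("no backup on other Chassis: source port", conn["sport"])
```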


Configuring Alerts for SGM and Chassis Events (asg alert)


The asg alert utility is an interactive wizard used to configure alerts for SGM and Chassis events. Event
types can include hardware failure, recovery, and performance related events. You can also create events
for other, general events.
An alert is sent when an event occurs. For example, an alert is generated when the value of a hardware
resource is greater than the threshold. The alert message includes the Chassis ID, SGM ID and/or unit ID,
as applicable.
The wizard includes these options:
Option                       Description
Full Configuration Wizard    Create a new alert
Edit Configuration           Change an existing alert
Show Configuration           Show existing alert configurations
Run Test                     Run a test simulation to make sure that the alert
                             works correctly

To create or change an alert:


1. Run:
> asg alert
2. Select and configure these parameters as prompted by the wizard:

Alert type and related parameters

Event types

Alert mode

These sections include details about the alert parameters that you configure with the wizard.
SMS alert parameters

SMS Provider URL - Fully qualified URL to your SMS provider based on this syntax.

HTTP proxy and port (Optional) - Necessary only if your Security Gateway requires a proxy server to
reach the SMS provider

SMS rate limit - Maximum number of SMS messages sent per hour. When there are too many
messages, the others are sent together as one message.

SMS user text - Custom prefix for SMS messages


Email alert configuration:

SMTP server IP - Configure one or more SMTP servers to which the email alerts will be sent.

Email recipient addresses - Configure one or more recipient email addresses for each SMTP
server.

Periodic connectivity checks - Run a periodic test to make sure that there is connectivity with the
SNMP servers. If there is no connectivity, alert messages are saved and sent in one email when
connectivity is restored.

Interval - Define the interval, in minutes, between connectivity tests.

Sender email address - Configure a sender email address for email alerts.

Subject - Subject header text for the email alert.

Body text - Enter user-defined text for the alert message.

SNMP alert parameters


Define one or more SNMP managers to get SNMP traps sent from the Security Gateway. For each
manager, configure these parameters as prompted:
Note: Some parameters do not show, based on your settings.

SNMP manager name - Configure a name for your SNMP manager (unique)

SNMP manager IP - Configure the manager IP address (trap receiver)



SNMP version - Select the SNMP version to use (v2c/v3)

SNMP v3 user name - If using SNMP v3 authentication, you must configure this.

SNMP v3 engine ID - Unique SNMP v3 engine ID used by your system. Default =
[0x80000000010203EA].

SNMP v3 authentication protocol - MD5 or SHA.

SNMP v3 authentication password - Enter a privacy password.

SNMP v3 privacy protocol - DES or AES.

SNMP v3 privacy password - Enter a privacy password.

SNMP user text - Custom text for the SNMP trap messages.

SNMP community string - Configure the community string for the SNMP manager.
See SNMP for more information.
Log alert parameters
There are no configurable parameters for log alerts

Event types
You can select one or more event types:

One event type

A comma-delimited list of more than one event type

all for all event types.

Chassis States:
1. SGM State
2. Chassis State
3. Port State
4. Pingable Hosts State
Hardware Components:
5. Fans
6. SSM
7. CMM
8. Power Supplies
9. CPU Temperature
Performance Events:
10. Concurrent Connections
11. Connection Rate
12. Packet Rate
13. Throughput
14. CPU Load
15. Hard Drive Utilization
16. Memory Utilization

Alert Modes

Enabled - An alert is sent for the selected events

Disabled - No alert is sent for the selected events

Monitor - A log entry is generated instead of an alert


Monitoring the System using SNMP


SNMP can be used to monitor various aspects of the 61000 Security System, including:

Software versions

Hardware status

Key performance indicators

Chassis high availability status

To monitor the system using SNMP


1. Upload the MIB to your third-party SNMP monitoring software.
The SNMP MIB is located on each SGM under: $CPDIR/lib/snmp/chkpnt.mib
For monitoring the 61000 Security System, the only supported OIDs are under
iso.org.dod.internet.private.enterprise.checkpoint.products.asg (OID
1.3.6.1.4.1.2620.1.48)
2. Enable the SNMP agent on the 61000 Security System.
In gclish, run: set snmp agent on

SNMP Traps
The 61000 Security System supports SNMP traps.

The SNMP traps MIB is located on each SGM under: $CPDIR/lib/snmp/chkpnt-trap.mib


iso.org.dod.internet.private.enterprise.checkpoint.products.chkpntTrap
(OID 1.3.6.1.4.1.2620.2000)
iso.org.dod.internet.private.enterprise.checkpoint.products.asgTrap
(OID 1.3.6.1.4.1.2620.2001)

To learn more about SNMP, see:

Configuring asg alerts ("Configuring Alerts for SGM and Chassis Events (asg alert)" on page 71)

The R75.40VS for 61000 Security System Administration Guide

SNMP in a VSX Gateway


There are two SNMP modes for a 61000 Security System that is configured as a VSX Gateway:
Default Mode - Monitor global SNMP data from the 61000 Security System. Data is accumulated
from all SGMs for all Virtual Systems.

VS Mode - Monitor each Virtual System separately.

Note - SNMP traps are supported for VS0 only.

Supported SNMP Versions


SNMP VS mode uses SNMP version 3 to query the Virtual Systems. You can run remote SNMP queries on
each Virtual System in the VSX Gateway.
For systems that only support SNMP versions 1 and 2:

You cannot run remote SNMP queries for each Virtual System. You can only run a remote SNMP query
on VS0.

You can use the CLI to change the Virtual System context and then run a local SNMP query on a Virtual
System.


Enabling the SNMP Mode


To use SNMP Per-VS (VS mode):
1. Configure an SNMP V3 user. Run:
add snmp usm user jon security-level authNoPriv authpass-phrase VALUE
2. Set the SNMP mode. Run:
set snmp mode vs
or
set snmp mode default
3. Start SNMP agent. Run:
set snmp agent on

VS Mode Example 1
To query a Virtual System for traffic throughput, from a remote Linux host:
[admin@linux-snmp] snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -n ctxname_vsid1 -v 3
-l authNoPriv -u jon -A mypassword 192.0.2.72 asgThroughput

VS Mode Example 2:
To query a Virtual System for traffic throughput, from its virtual context:
1. Enter expert mode.
2. Move to the Virtual System. Run
vsenv <vs_id>
3. Run
[Expert@VSX-Box:7] snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -v 2c -c public
localhost asgThroughput


Troubleshooting Commands
This section lists the most important gclish commands that you can use to troubleshoot the 61000
Security System.

Collecting System Diagnostics (asg diag)


Description
Use this tool to collect and show diagnostic information about the system.
This command runs a list of predefined diagnostics tools. The output shows the result of
each test (Passed or Failed) and the location of the output log file.

Syntax
asg diag list [[TestNum1][,TestNum2]...]
asg diag verify [[TestNum1][,TestNum2]...]
asg diag print [[TestNum1][,TestNum2]...]
asg diag purge [Number of logs to keep]

Parameters
Parameter                     Description
list                          Show the list of tests.
verify                        Run tests and show a summary of the results.
print                         Run tests and show the full output and also a
                              summary of the results.
[[TestNum1][,TestNum2]...]    Comma separated list of test IDs. To see the
                              IDs of the tests, run asg diag list.
purge                         Delete the asg diag logs except for the
                              newest.
[Number of logs to keep]      The number of the newest logs to keep when
                              deleting (purging) asg diag log files. The
                              default is 5.

Example 1
asg diag list


Output 1

-------------------------------------------------------
| ID | Title              | Command                   |
-------------------------------------------------------
| System Components                                   |
-------------------------------------------------------
| 1  | System Health      | asg stat -d               |
| 2  | Hardware           | asg hw_monitor -q         |
| 3  | Resources          | asg resource -q           |
| 4  | Software Versions  | asg_version verify -v     |
| 5  | CPU Type           | cpu_socket_verifier -v    |
| 6  | Media Details      | transceiver_verifier -v   |
-------------------------------------------------------
| Policy and Configuration                            |
-------------------------------------------------------
| 7  | Distribution Mode  | dist_verify -d            |
| 8  | Policy             | asg policy verify -a      |
| 9  | AMW Policy         | asg policy verify_amw -a  |
| 10 | Installation       | installation_verify       |
| 11 | Security Group     | asg security_group diag   |
| 12 | Cores Distribution | cores_verifier            |
| 13 | SPI Affinity       | spi_affinity_verifier -v  |
| 14 | Clock              | clock_verifier -v         |
| 15 | Mgmt Monitor       | mgmt_monitor snmp_verify  |
| 16 | Licenses           | asg_license_verifier      |
| 17 | Hide NAT range     | asg_hide_behind_range -v  |
-------------------------------------------------------
| Networking                                          |
-------------------------------------------------------
| 18 | MAC Setting        | mac_verifier -v           |
| 19 | Interfaces         | interface_verifier -q     |
| 20 | Bond               | asg_bond_verifier -v      |
| 21 | Bridge             | asg_br_verifier -v        |
| 22 | IPv4 Route         | asg_route -q              |
| 23 | IPv6 Route         | asg_route ipv6 -q         |
| 24 | Dynamic Routing    | asg_dr_verifier           |
| 25 | Local ARP          | asg_local_arp_verifier -v |
| 26 | Port Speed         | asg_port_speed verify     |
-------------------------------------------------------
| Misc                                                |
-------------------------------------------------------
| 27 | Core Dumps         | core_dump_verifier -v     |
| 28 | Syslog             | asg_syslog verify         |
-------------------------------------------------------

Comment

The output shows that the test with ID 1 is called System Health. This test runs the
command asg stat -d to get the test status.

Example 2

asg diag verify


Output 2

--------------------------------------------------------------------------------
| Tests Status                                                                 |
--------------------------------------------------------------------------------
| ID | Title              | Result | Reason                                    |
--------------------------------------------------------------------------------
| System Components                                                            |
--------------------------------------------------------------------------------
| 1  | System Health      | Failed | (1)Chassis 1 error                        |
| 2  | Hardware           | Failed | (1)Power unit is missing                  |
| 3  | Resources          | Failed | (1)Memory capacity                        |
|    |                    |        | (2)Primary HD capacity                    |
|    |                    |        | (3)Log HD capacity                        |
|    |                    |        | (4)Boot HD capacity                       |
| 4  | Software Versions  | Failed |                                           |
| 5  | CPU Type           | Failed | (1)Non-compliant CPU type                 |
| 6  | Media Details      | Passed |                                           |
--------------------------------------------------------------------------------
| Policy and Configuration                                                     |
--------------------------------------------------------------------------------
| 7  | Distribution Mode  | Passed |                                           |
| 8  | Policy             | Passed |                                           |
| 9  | AMW Policy         | Passed |                                           |
| 10 | Installation       | Passed |                                           |
| 11 | Security Group     | Passed |                                           |
| 12 | Cores Distribution | Passed |                                           |
| 13 | SPI Affinity       | Passed |                                           |
| 14 | Clock              | Passed |                                           |
| 15 | Mgmt Monitor       | Passed |                                           |
| 16 | Licenses           | Passed |                                           |
| 17 | Hide NAT range     | Passed |                                           |
--------------------------------------------------------------------------------
| Networking                                                                   |
--------------------------------------------------------------------------------
| 18 | MAC Setting        | Passed |                                           |
| 19 | Interfaces         | Passed |                                           |
| 20 | Bond               | Passed |                                           |
| 21 | Bridge             | Passed |                                           |
| 22 | IPv4 Route         | Passed |                                           |
| 23 | IPv6 Route         | Passed | (1)Not configured                         |
| 24 | Dynamic Routing    | Failed | (1)BGP                                    |
| 25 | Local ARP          | Passed |                                           |
| 26 | Port Speed         | Passed |                                           |
--------------------------------------------------------------------------------
| Misc                                                                         |
--------------------------------------------------------------------------------
| 27 | Core Dumps         | Passed |                                           |
| 28 | Syslog             | Passed |                                           |
--------------------------------------------------------------------------------
| Tests Summary                                                                |
--------------------------------------------------------------------------------
| Passed: 22/28 tests                                                          |
| Run: "asg diag list 1,2,3,4,5,24" to view a complete list of failed tests    |
| Output file: /var/log/verifier_sum.1-28.2012-11-28_10-24-33.txt              |
--------------------------------------------------------------------------------

Example 2.1

Run the command suggested by the asg diag verify output to show the commands
that failed.
asg diag list 1,2,3,4,5,24

Output 2.1

-------------------------------------------------------
| ID | Title              | Command                   |
-------------------------------------------------------
| System Components                                   |
-------------------------------------------------------
| 1  | System Health      | asg stat -d               |
| 2  | Hardware           | asg hw_monitor -q         |
| 3  | Resources          | asg resource -q           |
| 4  | Software Versions  | asg_version verify -v     |
| 5  | CPU Type           | cpu_socket_verifier -v    |
-------------------------------------------------------
| Networking                                          |
-------------------------------------------------------
| 24 | Dynamic Routing    | asg_dr_verifier           |
-------------------------------------------------------

Example 2.2

To find out why the System Health test failed, run asg stat -d or
asg diag print 1. Here is a sample output of asg stat -d:

Output 2.2

--------------------------------------------------------------------------
| System Status                                                          |
--------------------------------------------------------------------------
| Chassis 1       ACTIVE                                                 |
--------------------------------------------------------------------------
| SGM ID          State            Process              Policy Date      |
| 2 (local)       UP               Enforcing Security   01Jul12 14:54    |
| 3               DOWN (Admin)     Inactive             NA               |
--------------------------------------------------------------------------
| Chassis Parameters                                                     |
--------------------------------------------------------------------------
| Unit                Chassis 1           Unit Weight                    |
|                                                                        |
| SGMs                1 / 2 (!)           6                              |
| Ports                                                                  |
|   Standard          2 / 2               11                             |
|   Other             0 / 0               6                              |
| Sensors                                                                |
|   Fans              4 / 4               5                              |
|   SSMs              2 / 2               11                             |
|   CMMs              2 / 2               6                              |
|   Power Supplies    6 / 6               6                              |
|                                                                        |
| Chassis Grade       118 / 124                                          |
--------------------------------------------------------------------------
| Synchronization                                                        |
|   Within chassis:   Enabled             (Default)                      |
|   Exception Rules:                      (Default)                      |
| Distribution                                                           |
|   Control Blade:    Disabled            (Default)                      |
--------------------------------------------------------------------------

Comment 2.2 The Chassis grade is 118/124 because one of the SGMs is in DOWN (Admin) state.
Bringing the SGM up solves the problem. Alternatively, remove the SGM from the
security group to suppress the alert.
Another way of debugging the issue is to open the output file in /var/log/. When you
run asg diag verify or asg diag print, a log file is created which includes the
full (verbose) output of each test.
Example 2.3

A sample full (verbose) output for the CPU Type test in the /var/log/ log file:

Output 2.3

==============================
CPU Type:
==============================
Non-compliant cpu models found:
-----------------------------------
model name : Intel(R) Xeon(R) CPU E5530 @ 2.40GHz

Refer to /proc/cpuinfo for more information

Comment 2.3

This file shows that the E5530 CPU is not recognized by the CPU Type test as compliant
with the current system. To make a CPU type recognized as compliant:
1. Edit the file asg_diag_config in the $FWDIR/conf directory.
2. Add the line
Certified cpu=<value>
3. Replace <value> with the CPU type.
After solving the issues identified by asg diag verify, you can run a subset of the tests
that failed to make sure that all issues have been solved. To run a subset of the tests, see
example 3.

Example 3 To run a subset of the tests, run:


asg diag verify 1,2,3,4,5,24


Output 3

-----------------------------------------------------------------------------
| Tests Status                                                              |
-----------------------------------------------------------------------------
| ID | Title              | Result | Reason                                 |
-----------------------------------------------------------------------------
| System Components                                                         |
-----------------------------------------------------------------------------
| 1  | System Health      | Passed |                                        |
| 2  | Hardware           | Passed |                                        |
| 3  | Resources          | Passed |                                        |
| 4  | Software Versions  | Passed |                                        |
| 5  | CPU Type           | Passed |                                        |
-----------------------------------------------------------------------------
| Networking                                                                |
-----------------------------------------------------------------------------
| 24 | Dynamic Routing    | Passed |                                        |
-----------------------------------------------------------------------------
| Tests Summary                                                             |
-----------------------------------------------------------------------------
| Passed: 6/6 tests                                                         |
| Output file: /var/log/verifier_sum.1-5.24.2012-11-28_10-37-36.txt         |
-----------------------------------------------------------------------------
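
An added example (not part of the Check Point guide): a shell helper that reads captured asg diag verify output, lists each failed test with all of its reasons, and builds the asg diag verify command that re-runs only those tests. It assumes the capture keeps the pipe-delimited ID / Title / Result / Reason columns shown in Output 2; the function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise failed tests from captured "asg diag verify" output.
# Assumes the pipe-delimited columns shown in Output 2: ID | Title | Result | Reason.

# failed_tests [FILE] -> one line per failed test: ID <TAB> Title <TAB> reasons
failed_tests() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function emit() { if (id != "") print id "\t" title "\t" reasons; id = "" }
        NF >= 6 {
            cid = trim($2); res = trim($4); why = trim($5)
            if (cid ~ /^[0-9]+$/) {              # first row of a test
                emit()
                if (res == "Failed") { id = cid; title = trim($3); reasons = why }
            } else if (cid == "" && id != "" && why != "") {
                reasons = reasons "; " why        # continuation row: extra reason
            }
        }
        END { emit() }
    ' "$@"
}

# rerun_command [FILE] -> "asg diag verify" limited to the failed test IDs
rerun_command() {
    ids=$(failed_tests "$@" | cut -f1 | paste -sd, -)
    if [ -n "$ids" ]; then printf 'asg diag verify %s\n' "$ids"; fi
}

# Constructed sample, abbreviated from the layout of Output 2 on this page.
sample_output() {
    cat <<'EOF'
| ID | Title              | Result | Reason                    |
| 1  | System Health      | Failed | (1)Chassis 1 error        |
| 3  | Resources          | Failed | (1)Memory capacity        |
|    |                    |        | (2)Log HD capacity        |
| 4  | Software Versions  | Failed |                           |
| 6  | Media Details      | Passed |                           |
| 23 | IPv6 Route         | Passed | (1)Not configured         |
| 24 | Dynamic Routing    | Failed | (1)BGP                    |
| Passed: 22/28 tests                                          |
EOF
}

sample_output | failed_tests
sample_output | rerun_command
```

Both functions read standard input when no file name is given. A Passed row that carries a note, such as IPv6 Route "(1)Not configured", is deliberately left out of the re-run list.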

Error Types
These are some of the errors shown by asg diag verify and their meaning.
| Error Type     | Error                       | Description
| System health  | Chassis <X> error           | General error indicating that Chassis X grade is not perfect.
| Hardware       | <Component> is missing      | The component is not found in the Chassis.
|                | <Component> is down         | The component is found in the Chassis but is inactive.
| Resources      | <Resource> capacity         | The specified resource capacity is not as expected. Expected capacity can be tuned.
|                | <Resource> exceed threshold | The resources usage exceeds the configured threshold.
| CPU type       | Non compliant CPU type      | At least one SGM CPU type is not configured in the list of compliant CPUs. Compliant CPU types can be configured.
| Security group | <Source> error              | The information gathered from this source is different between the SGMs.
|                | <Sources> differ            | The information gathered from several sources is different.

Changing Compliance Thresholds


You can change some compliance thresholds that define a healthy working system. To do this, edit the asg
diag configuration file $FWDIR/conf/asg_diag_config and change the threshold values.
These are the resources you can control:
| Resource      | Description
| Memory        | RAM memory capacity in GB
| HD: /         | Disk capacity in GB for <disk>:/ partition.
| HD:/var/log   | Disk capacity in GB for the /var/log partition.
| HD: /boot     | Disk capacity in GB for the /boot partition.
| Skew          | The maximum permissible clock difference between the SGMs and SSMs, in seconds.
| Certified cpu | Each line represents one compliant CPU type.
