vpn-1 virtual edition admin guide
Post on 08-Apr-2018
8/7/2019 VPN-1 Virtual Edition Admin Guide
1/36
Introduction
VPN-1 VE Overview
VPN-1 NGX R65 VE (Virtual Edition) is a security and VPN solution, designed to harness the power
of network virtualization. VPN-1 VE provides the identical security protections and VPN features as
physical VPN-1 gateways. It securely connects these gateways and SmartCenters on virtual
machines to shared resources, such as the Internet and DMZs, and allows them to safely interact
with each other and the outside world. All VPN-1 security features such as SmartDefense, Web
Intelligence, Application Intelligence, Anti-virus, Anti-spam, and so on, are available on VPN-1 VE.
This guide provides the conceptual framework for VPN-1 VE. It also provides detailed instructions
for importing and configuring Check Point VPN-1 products on virtual machines by using VPN-1 VE
or by manually installing VPN-1 NGX R65 for VMware.
This guide assumes that the reader has a thorough understanding of VMware ESX Server 3.x
concepts, procedures and terminology. Furthermore, this guide assumes that the reader is familiar with Check Point VPN-1 concepts and procedures.
As used in this document, the term VPN-1 applies to VPN-1 Power, VPN-1 UTM, and VPN-1 UTM Power.
Virtualization Overview
Virtualization of hardware resources represents the cutting edge of today's computing technology,
providing cost-effective, scalable solutions for dynamic network environments. Virtualization allows
you to create multiple virtual computers on a single hardware platform. With VPN-1 VE, Check
Point brings its state of the art security solutions to the virtualized world.
VMware ESX Server 3.x virtualizes hardware resources including CPU, RAM, hard disks, network
adapters, and the operating system. This technology allows you to create functional virtual
machines that host organization resources such as Web servers, email servers, databases, and so
on. Using VMware ESX Server 3.x, you can define Virtual Networks comprised of virtual machines,
virtual switches, and interfaces to provide the functionality of their physical network counterparts.
VPN-1 VE supplies the comprehensive protection required to secure your virtual networks. VPN-1
NGX R65 VE, VPN-1 NGX R65 for VMware machines, and physical gateways can be managed by
the same unified central management, thus enabling a consistent, enforceable security policy
across all physical and virtual networks.
In This Section
VPN-1 VE Overview page 2
Virtualization Overview page 2
Example of VPN-1 VE Deployment page 3
Key Benefits page 3
ESX Server Security Considerations page 4
VPN-1 VE System Requirements page 4
Licensing Information page 5
Related Documentation page 6
How Do I Get Started?
The VPN-1 VE enables you to easily deploy VPN-1 as a virtual machine that is already configured
and optimized for a VMware ESX environment. A virtual machine created using the VPN-1 VE runs
on Check Point's SecurePlatform and includes the following components: 1 CPU, 512MB of
allocated memory, 12GB of disk capacity that can be extended, and four virtual network interfaces.
To use VPN-1 VE, you import a file to the ESX server and add it to your virtual machine inventory.
Once you log in to the VPN-1 VE, the configuration wizard guides you through the initial
configuration.
Example of VPN-1 VE Deployment
Figure 1 illustrates a VPN-1 environment on a VMware ESX host.
Figure 1 Example of a VPN-1 VE Deployment
In this simple example, a standalone VPN-1 gateway and SmartCenter server combination protects
three virtual switches leading to networks containing several different types of servers. All traffic
that flows between the virtual networks, for example between the Web Servers Network and the
Database Server, or from a host on the external LAN to the Email Server is inspected by the VPN-1 VE
machine.
Administrators manage network security using SmartDashboard from any client having connectivity
with the SmartCenter server. Virtual machines and all other VMware objects are managed using the
Virtual Infrastructure Client.
VPN-1 VE protects the virtual machines in the ESX server, but it does not protect the VMkernel.
Key Benefits
VPN-1 VE allows you to use Check Point security solutions, when using an ESX Server, to
implement virtual network security and to deploy application servers on virtual machines. VPN-1
VE offers the following advantages:
Adds a security layer that protects resources residing on virtual machines from external threats and threats from other virtual machines.
Provides unified management as VPN-1 VE gateways and physical VPN-1 gateways can be
managed by the same SmartCenter. Thus security policies can be consistently enforced on
every part of the network - physical and virtual.
Provides a scalable solution for growing enterprises by providing protection for additional
virtual network resources without the need for additional hardware investment, maintenance,
energy, and site costs.
Simplifies configuration by eliminating the need to provision additional virtual and physical
switches in order to protect virtual resources.
Simplifies disaster recovery scenarios.
Lower Total Cost of Ownership.
Certified by VMware for optimal use with ESXi and ESX Servers.
Machines are pre-configured and ready to use in just a few steps.
ESX Server Security Considerations
VPN-1 VE machines protect packets and networks; they do not protect the ESX Server itself from
possible VMkernel vulnerabilities. VMotion and VMkernel traffic cannot be inspected by VPN-1 VE,
and it is recommended to use secured networks for this traffic.
We recommend that you refer to the VMware Best Practices - Security Hardening document for
additional suggestions for securing your ESX Server platform.
VPN-1 VE System Requirements
This section presents the minimum hardware, operating system, and software requirements for
using VPN-1 VE.
Supported Check Point Products
VPN-1 VE currently supports the following Check Point products:
VPN-1 Power NGX R65
VPN-1 Power security gateways provide an active defense that enables you to secure your most
demanding sites - such as core networks or data centers.
VPN-1 UTM NGX R65
VPN-1 UTM consolidates proven security functions including firewall, intrusion prevention,
antivirus, antispyware, Web application firewall, and both IPSec and SSL VPN, within a single
integrated solution.
VPN-1 UTM Power NGX R65
VPN-1 UTM Power security gateways provide the accelerated security found in VPN-1 Power
combined with the simplicity of the next generation UTM features found in VPN-1 UTM.
SmartCenter NGX R65
SmartCenter solutions enable organizations to perform all aspects of security management via a
single, unified console.
ClusterXL NGX R65
ClusterXL provides high availability and load sharing to keep businesses running.
Users of VPN-1 products prior to version NGX R65 must upgrade their products and licenses to
R65 before using VPN-1 VE. Please refer to the NGX R65 Upgrade Guide for detailed instructions
regarding upgrading Check Point products to version NGX R65. For more information see
http://support.checkpoint.com.
Supported Hotfix Accumulators (HFAs)
VPN-1 VE is compatible with regular VPN-1 Hotfix Accumulators (HFAs) starting from HFA 30.
HFAs can be found on the Check Point Support Website, http://support.checkpoint.com.
Supported VMware Products
VPN-1 VE supports the following VMware ESX Server versions: 3.0.2, 3.0.3, 3.5, or ESXi 3.5.
Please refer to http://support.checkpoint.com for updates on supported VMware products and
versions.
Hardware Requirements
Virtual Machine Requirements for VPN-1 VE
Virtual machines created for use as VPN-1 gateways or SmartCenter servers must meet the
following minimum resource requirements:
Allocated Memory: 512 MB
Disk Space: 12 GB
VMware Hardware Requirements
For the latest hardware requirements for your version of VMware ESX Server and other VMware
products, refer to the VMware ESX Server Installation and Upgrade Guide.
For information regarding compatible I/O devices, please refer to the I/O Compatibility Guide for
ESX Server 3.x at http://www.vmware.com/pdf/vi3_io_guide.pdf
Licensing Information
Each VPN-1 gateway product and SmartCenter server installed on a virtual machine requires a
license, in the same manner as a physical product. Each VPN-1 VE gateway requires a VPN-1 VE
license. SmartCenters require a standard VPN-1 SmartCenter license. Licenses are associated with
the gateway or SmartCenter server IP address. Check Point add-on licenses, such as SmartDefense
Services, are equally applicable to products installed on virtual machines.
Related Documentation
We recommend that you refer to the Check Point documentation packages referenced in the
table below, in addition to this document. All documents can be found at
http://support.checkpoint.com.
Title Description
Internet Security Product Suite Getting Started Guide
    Contains an overview of NGX R65 together with step-by-step product installation procedures. This document also provides information regarding what's new in the current release, licensing, minimum hardware and software requirements, etc.
Upgrade Guide
    Explains the available upgrade paths to NGX R65 for Check Point products from VPN-1/FireWall-1 version NG and higher.
Firewall & SmartDefense Administration Guide
    Describes how to manage network access; establish network connectivity; use SmartDefense to protect against network and application level threats; use Web Intelligence to protect Web servers and applications; use Content Vectoring Protocol (CVP) applications for anti-virus protection; use URL Filtering (UF) applications for restricting access to web sites; and secure VoIP traffic.
SmartCenter Administration Guide
    Describes Check Point SmartCenter Management applications, which provide solutions for configuring, managing, and monitoring network security deployments.
ClusterXL Administration Guide
    Describes the ClusterXL clustering solution, including concepts and configuration procedures.
SecurePlatform Administration Guide
    Explains how to install and configure SecurePlatform. This guide also explains how to manage SecurePlatform and explains the Dynamic Routing (Unicast and Multicast) protocols.
Virtual Private Networks Administration Guide
    Describes the major components of a VPN environment and presents procedures for securing and configuring the environment using VPN-1.
We recommend that you familiarize yourself with the following VMware documentation before using
this product:
Title Description
Introduction to VMware Infrastructure
    Provides a detailed, conceptual overview of the ESX Server product, including its architecture, features, and functionality.
Installation and Upgrade Guide
    Describes the VMware ESX Server 3.x system and licensing requirements, and provides detailed instructions for installing and upgrading the product.
Quick Start Guide
    Serves as a quick reference to product installation, virtual machine provisioning and management, and the GUI.
Basic System Administration
    Detailed documentation for using VMware ESX Server 3.x. This is the primary reference guide for system administrators and users.
Server Configuration Guide
    Describes the tasks you need to configure ESX Server host networking, storage, and security. In addition, it provides overviews, recommendations, and conceptual discussions to help you understand these tasks and how to deploy an ESX Server host to meet your needs.
Deploying VPN-1 VE Machines
Introduction
This section provides instructions for importing and configuring VPN-1 VE machines. VMware
terminology is also included for easy reference, as well as information on planning your VPN-1 VE
deployment.
The instructions assume that you are familiar with VMware ESX Server 3.x and that the appropriate
VMware software is installed. This document does not attempt to serve as a general VMware
tutorial. For further information regarding VMware ESX Server 3.x procedures and features, refer to
the VMware ESX Server Getting Started and Basic System Administration guides.
VMware Terminology
This section presents a glossary of VMware terms used in this guide or that you are likely to
encounter in references to VMware documentation contained in this document.
In This Section
Introduction page 7
VMware Terminology page 7
Deployment Planning page 8
Importing and Configuring VPN-1 VE page 9
Term Description
Virtual Machine (VM)
    Software-based abstraction of a physical computer, including CPUs, memory, disk storage, network interfaces, ports, guest operating system, and application software. In a VPN-1 VE environment, a virtual machine provides the functionality of a VPN-1 gateway or SmartCenter server.
Virtual Switch (vSwitch)
    A virtual switch works similarly to a physical Ethernet switch. It detects which virtual machines are logically connected to each of its virtual ports and uses that information to forward traffic to the correct virtual machines. A vSwitch can be connected to physical switches using physical network adapters to join virtual networks with physical networks.
Virtual Interface (vNIC)
    Software-based abstraction of a physical interface that provides network connectivity for virtual machines.
Port Group
    A port group specifies port configuration options such as bandwidth limitations and VLAN tagging policies for each port. Network services connect to vSwitches through port groups. Port groups define how a connection is made through the vSwitch to the network.
Virtual Network
    A network of virtual machines running on a single physical machine that are connected logically to each other so that they can send and receive data from each other. Virtual networks do not depend on physical network interfaces.
Guest Operating System
    Operating system installed on a virtual machine.
Host
    Physical machine using VMware to host one or more virtual machines and other virtual objects. The host provides the physical resources shared by virtual machines, such as CPUs, memory, disk storage access, network interfaces, etc.
Datacenter
    Collection of hosts and their associated virtual machines and Datastore.
Deployment Planning
This section describes issues to consider when planning your VPN-1 VE deployment.
Management Deployment and Interfaces
VPN-1 VE can be installed using one of the following deployment strategies:
Standalone Deployment: A SmartCenter server and one VPN-1 gateway are installed on the same
virtual machine. Up to four interfaces are available for connections to virtual switches.
Distributed Deployment with a Dedicated Management Interface: The SmartCenter server and
VPN-1 gateways are installed on separate virtual machines. One interface on each VPN-1
gateway must be used exclusively for communication with the SmartCenter server.
When using this option, you can protect up to three virtual switches.
Distributed Deployment without a Dedicated Management Interface: The SmartCenter server and
VPN-1 gateways are installed on separate virtual machines. Management traffic between these
gateways and SmartCenters travels via an interface used for external connections.
When using this option, you can protect up to four virtual switches.
To learn about deploying ClusterXL clusters on VMware, see Deploying ClusterXL on VMware on
page 21.
To learn about protecting more than four virtual switches, see Advanced Deployment: Protecting
More Than 3 Virtual Networks on page 27.
VMware Terminology (continued)
Datastore
    Host-independent storage location for virtual machine files in ESX Server systems, typically a system volume located on a physical disk, RAID, SAN, or network file system.
Virtual Center Server
    Manages multiple hosts together with their associated virtual machines and objects from a single GUI client. This is the central point for provisioning and configuring all of your virtual machines, virtual networks and their associated objects.
VMware Infrastructure Client (VI Client)
    GUI client used to manage virtual machines and associated objects. It manages virtual machines much in the same way that SmartDashboard manages VPN-1 gateways.
Network Adapters and Interfaces
For general reference, below is a table displaying which interfaces in SecurePlatform generally
correspond to which Ethernet adapters in the Virtual Infrastructure Client. If the administrator
alters the interfaces in SecurePlatform, this correspondence may change.
Table 1 Interface to Network Adapter Correspondence
Interface in SecurePlatform    Network Adapter in Virtual Infrastructure Client
eth0    Network Adapter 1
eth1    Network Adapter 2
eth2    Network Adapter 3
eth3    Network Adapter 4
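As an added example (not part of this guide and not Check Point tooling), the following Python script turns the planning rules above into a pre-flight check on a gateway plan: the four-interface limit and the eth0..eth3 to Network Adapter 1..4 mapping of Table 1, the virtual-switch limits of the three deployment strategies, and the bridge-mode, ClusterXL and bonding restrictions stated later under Known Limitations and the bridge-mode scenario. The Vnic and GatewayPlan structures and the two sample plans are this example's own assumptions.

```python
"""Pre-flight check of a VPN-1 VE gateway deployment plan.

Added example, not code from the VPN-1 VE guide or from Check Point. It encodes
rules the guide states: a VE machine has four virtual interfaces (eth0..eth3 map
to Network Adapter 1..4), the virtual-switch limits of the three deployment
strategies, and the bridge-mode, ClusterXL and bonding restrictions. The data
structures and sample plans below are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Table 1 of the guide: SecurePlatform interface -> Virtual Infrastructure Client adapter.
ADAPTER_OF = {"eth%d" % i: "Network Adapter %d" % (i + 1) for i in range(4)}

STANDALONE = "standalone"                      # SmartCenter and gateway on one VM
DEDICATED_MGMT = "distributed-dedicated-mgmt"  # one vNIC reserved for SmartCenter traffic
SHARED_MGMT = "distributed-shared-mgmt"        # management rides the external vNIC


@dataclass
class Vnic:
    name: str                  # eth0 .. eth3
    port_group: str
    role: str                  # "internal", "external" or "management"
    promiscuous: bool = False  # the port group it connects to accepts promiscuous mode


@dataclass
class GatewayPlan:
    strategy: str
    bridge_mode: bool = False
    clusterxl: bool = False
    bonding: bool = False
    vnics: List[Vnic] = field(default_factory=list)


def check_plan(plan: GatewayPlan) -> List[str]:
    """Return findings that conflict with the guide; an empty list means the plan is acceptable."""
    findings: List[str] = []
    for v in plan.vnics:
        if v.name not in ADAPTER_OF:
            findings.append("%s is not a VE interface (only eth0..eth3 exist)" % v.name)
    if len(plan.vnics) > 4:
        findings.append("%d interfaces requested but a VE machine has four" % len(plan.vnics))

    mgmt = [v for v in plan.vnics if v.role == "management"]
    protected = [v for v in plan.vnics if v.role in ("internal", "external")]

    if plan.strategy == DEDICATED_MGMT:
        if len(mgmt) != 1:
            findings.append("dedicated-management deployment needs exactly one management interface")
        if len(protected) > 3:
            findings.append("dedicated-management deployment protects at most three virtual switches")
    elif plan.strategy in (STANDALONE, SHARED_MGMT):
        if mgmt:
            findings.append("%s deployment has no dedicated management interface" % plan.strategy)
        if len(protected) > 4:
            findings.append("at most four virtual switches can be protected without VLANs")
    else:
        findings.append("unknown deployment strategy %r" % plan.strategy)

    if plan.bridge_mode:
        if plan.clusterxl:
            findings.append("bridge mode is not supported with ClusterXL")
        for v in protected:
            if not v.promiscuous:
                findings.append("bridge mode: %s (%s) must sit on a port group that accepts promiscuous mode"
                                % (v.name, ADAPTER_OF.get(v.name, "?")))
        for v in mgmt:
            if v.promiscuous:
                findings.append("management interface %s may not sit on a promiscuous port group" % v.name)
    if plan.clusterxl and plan.bonding:
        findings.append("interface bonding is not supported with ClusterXL")
    return findings


def sample_plans() -> Dict[str, GatewayPlan]:
    """Two constructed plans: one that follows the guide and one that breaks several rules."""
    ok = GatewayPlan(
        strategy=DEDICATED_MGMT,
        vnics=[Vnic("eth0", "External", "external"),
               Vnic("eth1", "Web Servers", "internal"),
               Vnic("eth2", "Database", "internal"),
               Vnic("eth3", "Management", "management")])
    bad = GatewayPlan(
        strategy=DEDICATED_MGMT, bridge_mode=True, clusterxl=True,
        vnics=[Vnic("eth0", "Dev Segment", "internal", promiscuous=False),
               Vnic("eth1", "External", "external", promiscuous=True),
               Vnic("eth2", "Management", "management", promiscuous=True)])
    return {"ok": ok, "bad": bad}


if __name__ == "__main__":
    for label, plan in sample_plans().items():
        print(label, check_plan(plan) or ["no findings"])
```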
Importing and Configuring VPN-1 VE
The VPN-1 VE enables you to easily deploy VPN-1 as a virtual machine that is already configured
and optimized for a VMware ESX environment. A virtual machine created using the VPN-1 VE runs on
Check Point's SecurePlatform and includes the following components: 1 CPU, 512MB of allocated
memory, 12GB of disk capacity that can be extended, and four virtual network interfaces. To use
VPN-1 VE, you import it to the ESX Server and add it to your virtual machine inventory. Repeat this
process for each new machine you want to create.
Importing the VPN-1 VE OVF
If you are running a VMware ESXi 3.5 or ESX 3.5 Server, or using Virtual Center 2.5, import the
VPN-1 VE using the VPN-1_R65_VE_OVF.tgz file, as described below.
To import the VPN-1 VE machine to the ESX Server from the VPN-1_R65_VE_OVF.tgz file and create
a new machine:
1. Download the VPN-1_R65_VE_OVF.tgz file from the VMware Virtual Appliance Marketplace to
the machine where the VMware Virtual Infrastructure Client is installed.
2. Extract the VPN-1_R65_VE_OVF.tgz file to a new folder using tar (tar -zxvf VPN-1_R65_VE_OVF.tgz), or any other decompression utility.
3. Open the VMware Virtual Infrastructure client.
4. Connect to the ESX Server where you want to deploy the VPN-1 VE machine.
5. In the Getting Started tab, in Basic Tasks, choose Import a Virtual Appliance.
6. Select Import from file, and choose the .ovf file from the folder where you extracted the .tgz file. Click Next.
7. View the Virtual Appliance Details. Click Next.
8. Type a name for the VPN-1 VE machine. Click Next.
9. Select the datastore where the VPN-1 VE machine files will be stored on the ESX Server.
Click Next.
10. In Network Mapping, select the proper Network portgroups according to your topology. Click
Next.
11. Click Finish to complete the Virtual Machine Wizard. It may take a few minutes for the new machine to appear in the inventory.
12. Select the machine from the inventory and Power On the machine.
For optimal performance of your VPN-1 VE machine, we recommend reserving an additional 512
MB of memory. See Enhancing Performance by Reserving Memory on page 23.
Importing the VPN-1 VE to Earlier ESX Servers
If you are running a VMware ESX 3.0.x Server or using Virtual Center 2.0, import the VPN-1 VE
machine using the VPN-1_R65_VE.tgz file.
To import the VPN-1 VE machine to the ESX Server from the VPN-1_R65_VE.tgz file and create a new machine:
1. Connect to the ESX Server using SSH. For more information see How can I Connect to the
ESX Server Using SSH? on page 33
2. Within the ESX Server, create a folder under /vmfs/volumes///where and are folders that the administrator chooses.
3. Download the VPN-1_R65_VE.tgz file from the VMware Virtual Appliance Marketplace to the ESX Server on which the virtual machines are housed.
4. Extract the .tgz file to the new folder using tar (tar -zxvf VPN-1_R65_VE.tgz).
5. Open the VMware Virtual Infrastructure Client and connect to the ESX Server or Virtual Center.
6. Select the desired ESX Server.
7. Click on the Summary tab. Within the Resources pane, under Datastore, double-click the
desired storage file, and browse to the location where you extracted the VPN-1_R65_VE.tgz file.
8. Right-click on the .vmx file and select Add to Inventory.
9. In the Add to Inventory Wizard, type a name for the new virtual machine. Click Next.
10. Select a Resource Pool to run the virtual machine. Selecting a Resource Pool allows you to
determine which resources a virtual machine is using. Click Next.
11. Click Finish to complete the Virtual Machine Wizard. It may take a few minutes for the new
machine to appear in the inventory.
12. Select the machine from the inventory and Power On the machine.
Configuring VPN-1 Gateways and SmartCenters
This section describes how to configure VPN-1 gateways and SmartCenters on VPN-1 VE machines
through the SecurePlatform command line. The procedures contained in this section are excerpted
from the NGX R65 Getting Started Guide. For a complete presentation of NGX R65 installation and
configuration procedures, refer to the NGX R65 Internet Security Product Suite Getting Started Guide
and the Firewall and SmartDefense Administration Guide, found at http://support.checkpoint.com. If
there is a conflict between this document and these guides, follow the instructions in the guides.
Repeat the following processes on each virtual machine you want to configure.
Configuring Network and General Settings
To perform initial configuration of network and general settings:
1. In the Console tab, log in to the machine using admin as the username and adminadmin as
the password.
2. When prompted, change the default user name and password. Ensure that the new password
contains more than six characters and has a combination of upper and lower case letters and
numbers.
3. To enter the configuration wizard, run:
cpconfig
The configuration window opens and displays a welcome message.
4. Press n to continue.
5. Press the number corresponding to your keyboard type and then press n, or just press n to keep
the default US keyboard.
6. Press the number corresponding to the Ethernet connection that you want to set as your
management connection. When prompted, type the IP address attached to the Ethernet
connection, its subnet mask, and its broadcast address.
7. In the Network Configuration menu, use the menu option to configure the following:
The host name
The domain name and at least one DNS server (if required)
The network interface IP addresses
The default gateway (if required)
8. In the time and date configuration menu, use the menu options to configure the following:
Time zone
Date
Local time
Show date and time settings
10. Press n to continue. The Import Check Point Products Configuration screen appears.
Continue following the Check Point wizard to install Check Point products on the virtual machine.
See the NGX R65 Internet Security Product Suite Getting Started Guide and the Firewall and
SmartDefense Administration Guide for more information.
Known Limitations
Please refer to the current edition of the NGX R65 Release Notes, found at
http://support.checkpoint.com, for a complete list of known limitations for this major release. The
limitations listed below apply specifically to VPN-1 VE and are in addition to the VPN-1 NGX R65
release limitations.
1. The cloning and template features are supported for VPN-1 virtual machines (gateways and SmartCenter) only under the following conditions:
a. The virtual machine must be a new VPN-1 VE machine or SecurePlatform installation
(immediately following the first reboot).
b. No Check Point products, such as SmartCenter or VPN-1, have been configured yet.
c. No configuration steps (sysconfig, cpconfig, etc.) have been performed.
2. Interface bonding on the virtual machine running the VPN-1 VE is not supported with
ClusterXL.
3. VMtools is not supported.
4. VPN-1 gateways in the Bridge Mode must have their internal and external interfaces connected to port groups that are configured in promiscuous mode.
5. VPN-1 gateways in the Bridge Mode are not supported with ClusterXL.
6. The Performance Pack Heavy Load Quality of Service feature (HLQoS) feature is not
supported.
7. The Monitor Interface Link State feature is not supported on VPN-1 ClusterXL cluster members
on virtual machines.
8. Virtual machines may be connected to a maximum of four different virtual switches. This may
limit the number of virtual networks protected by a VPN-1 VE machine. This limitation can be
overcome using VLANs. See Advanced Deployment: Protecting More Than 3 Virtual Networks
on page 27.
9. VPN-1 VE supports MTU change only with pcnet32 network devices.
10. The ethtool utility does not recognize speed or duplex changes made to the virtual network
adapters.
11. NGX R65 HFA 01 and 02 are not supported. NGX R65 HFAs beginning with HFA 30 are
supported.
12. VPN-1 VE does not protect the VMkernel.
Deployment Scenarios
Overview
This section presents several sample deployments that illustrate the integration of VPN-1 NGX R65
solutions into virtual network deployments. While these examples are shown in simple, small-scale
environments, the concepts are applicable to larger, more complex deployments. Each scenario
includes a brief conceptual description, an illustrative diagram, notes and configuration requirements, as appropriate.
These scenarios are intended to present conceptual examples of how VPN-1 VE may be deployed
on VMware ESX. They do not purport to provide solutions for specific applications or environments.
There are many different ways to use these concepts to tailor network virtualization to your specific
needs, only a few of which are suggested by these scenarios.
In This Section
Overview page 15
VPN-1 and SmartCenter Standalone Deployment page 16
VPN-1 Deployment using the Bridge Mode page 17
ClusterXL Deployment on a Single ESX Host page 18
ClusterXL Deployment Using Two ESX Hosts page 19
VPN-1 and SmartCenter Standalone Deployment
Figure 2 illustrates a small Web business, all on a single platform running VMware ESX Server. This
deployment is comprised of a standalone VPN gateway and SmartCenter on a single virtual
machine. The gateway inspects and protects all traffic passing between three virtual switches
leading to Web servers, SQL databases, and an email server from external threats as well as from
threats originating from other virtual machines.
Figure 2 Standalone SmartCenter Deployment
Notes for this Scenario
The Web servers, database servers, email server and Gateway/SmartCenter standalone deployments are defined as virtual machines on a single ESX host platform.
Each virtual interface connects to a virtual switch configured for a separate subnet.
The external virtual interface connects, via a virtual switch, to a physical interface on the ESX
host leading to a physical switch on the same subnet. A physical LAN connects to this switch.
Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN.
Special Configuration Requirements
The default gateway for each server virtual machine must be defined as the IP address assigned to
the VPN-1 gateway virtual interface leading to that particular server. For example, in the preceding
diagram, the Web server default gateways must be defined as 172.23.5.1.
VPN-1 Deployment using the Bridge Mode
Figure 3 demonstrates the use of VPN-1 gateways in the bridge mode. In this example, four VPN-1
gateway virtual machines protect individual security zones representing different departments for a
software development firm.
Each VPN-1 gateway virtual machine protects one or more network segments using a single virtual
interface connected to a port on a single virtual switch. The virtual switch must be connected to a
port group that is configured to accept the promiscuous mode. The SmartCenter server resides on
a separate virtual machine and communicates with gateways via dedicated management interfaces.
The advantage of using the virtual machines in bridge mode is that you can provision additional
gateways without affecting the existing IP topology. In this scenario, the entire virtual network must
reside on a single subnet.
Figure 3 VPN-1 Deployment Using Bridge Mode
Notes to This Scenario
Each department network segment occupies one virtual machine interface.
All protected networks must reside on the same subnet, in this example 172.23.0.0/16. For a
mid-sized deployment this should not result in a lack of available IP addresses.
Using a separate virtual machine for the SmartCenter server avoids bandwidth degradation
issues while installing policies.
Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN.
Special Configuration Requirements
You must connect all internal and external interfaces for a virtual machine containing a VPN-1 VE
gateway in the bridge mode to a port group configured to accept the promiscuous mode. The
management interface may not be connected to a port group configured to accept the promiscuous
mode.
Warning - Never configure all port groups on a virtual switch to accept the promiscuous mode, as this is an unacceptable security risk. You should only configure the port group to which you connect VPN-1 virtual machines to accept the promiscuous mode. Do not connect any other virtual machines to this port group.
Configuring Promiscuous Mode
To configure a port group to be in promiscuous mode:
1. In the Virtual Infrastructure Client, select a host in the Inventory pane and then select the
Summary Tab.
2. Right-click a port group in the Resources > Network section of the Information pane and select
Properties from the options menu.
3. In the Network Properties window, select the Security tab.
4. Enable the Promiscuous Mode option and then select Accept from the list.
5. Click OK to complete the definition. The reconfiguration process may take a few moments to
complete.
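The warning above is easy to violate by accident, because the Accept setting can be made at the vSwitch level as well as per port group. As an added example (not from this guide and not VMware tooling), the following Python script audits a host's network security policy for exactly the two conditions the warning describes: promiscuous mode accepted on a whole vSwitch, and accepted on any port group other than the ones reserved for VPN-1 bridge-mode machines. It parses the flat key = "value" lines of an ESX 3.x service-console esx.conf; the key paths used (/net/vswitch/child[NNNN]/...) are an assumption about that file's layout, and the sample text is constructed for this example.

```python
"""Audit which vSwitches and port groups on an ESX host accept promiscuous mode.

Added example, not from the VPN-1 VE guide or from VMware. It reads the flat
key = "value" format of an ESX 3.x service-console esx.conf and reports the two
conditions the guide warns against: promiscuous mode accepted at the vSwitch
level (so every port group inherits it) and port groups other than those
reserved for VPN-1 bridge-mode machines accepting it. The key paths used below
(/net/vswitch/child[NNNN]/...) are an assumption about esx.conf's layout; the
sample text is constructed for this example.
"""
import re
from typing import Dict, List, Set

# Constructed sample: vSwitch0 is configured as the guide recommends, vSwitch1 is not.
SAMPLE_ESX_CONF = """\
/net/vswitch/child[0000]/name = "vSwitch0"
/net/vswitch/child[0000]/securityPolicy/allowPromiscuous = "false"
/net/vswitch/child[0000]/portgroup/child[0000]/name = "Management Network"
/net/vswitch/child[0000]/portgroup/child[0000]/securityPolicy/allowPromiscuous = "false"
/net/vswitch/child[0000]/portgroup/child[0001]/name = "VPN-1 Bridge"
/net/vswitch/child[0000]/portgroup/child[0001]/securityPolicy/allowPromiscuous = "true"
/net/vswitch/child[0001]/name = "vSwitch1"
/net/vswitch/child[0001]/securityPolicy/allowPromiscuous = "true"
/net/vswitch/child[0001]/portgroup/child[0000]/name = "Web Servers"
/net/vswitch/child[0001]/portgroup/child[0001]/name = "VPN-1 Bridge 2"
/net/vswitch/child[0001]/portgroup/child[0001]/securityPolicy/allowPromiscuous = "true"
"""

LINE_RE = re.compile(r'^(?P<key>/\S+)\s*=\s*"(?P<val>[^"]*)"\s*$')
VSWITCH_RE = re.compile(r'^/net/vswitch/child\[(\d+)\]/(.*)$')
PORTGROUP_RE = re.compile(r'^portgroup/child\[(\d+)\]/(.*)$')
PROMISC_KEY = "securityPolicy/allowPromiscuous"


def _node() -> Dict:
    # promisc stays None until the file sets it explicitly
    return {"name": None, "promisc": None, "portgroups": {}}


def parse_esx_conf(text: str) -> Dict[int, Dict]:
    """Build {vswitch index: {name, promisc, portgroups: {index: {name, promisc}}}}."""
    switches: Dict[int, Dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, comments, keys without a quoted value
        sm = VSWITCH_RE.match(m.group("key"))
        if not sm:
            continue  # not a vSwitch entry
        switch = switches.setdefault(int(sm.group(1)), _node())
        rest, value = sm.group(2), m.group("val")
        pm = PORTGROUP_RE.match(rest)
        if pm:
            target = switch["portgroups"].setdefault(int(pm.group(1)), _node())
            rest = pm.group(2)
        else:
            target = switch
        if rest == "name":
            target["name"] = value
        elif rest == PROMISC_KEY:
            target["promisc"] = value.lower() == "true"
    return switches


def effective_promisc(switch: Dict, portgroup: Dict) -> bool:
    """A port group without its own policy inherits the vSwitch policy."""
    if portgroup["promisc"] is not None:
        return portgroup["promisc"]
    return bool(switch["promisc"])


def audit_promiscuous(text: str, vpn1_port_groups: Set[str]) -> List[str]:
    """Return findings; vpn1_port_groups names the port groups reserved for VPN-1 machines."""
    findings: List[str] = []
    for switch in parse_esx_conf(text).values():
        if switch["promisc"]:
            findings.append("vSwitch %s accepts promiscuous mode at the switch level; "
                            "every port group on it inherits that" % switch["name"])
        for pg in switch["portgroups"].values():
            if effective_promisc(switch, pg) and pg["name"] not in vpn1_port_groups:
                findings.append("port group %s on %s accepts promiscuous mode but is not "
                                "reserved for VPN-1 machines" % (pg["name"], switch["name"]))
    return findings


if __name__ == "__main__":
    for line in audit_promiscuous(SAMPLE_ESX_CONF, {"VPN-1 Bridge", "VPN-1 Bridge 2"}):
        print(line)
```

On a real host, feed it the contents of /etc/vmware/esx.conf from the service console and pass the names of the port groups you deliberately reserved for VPN-1 bridge-mode machines.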
ClusterXL Deployment on a Single ESX Host
Figure 4 illustrates the use of a VPN-1 gateway in a ClusterXL deployment contained on a single
ESX host that provides redundancy at the virtual machine level. Two SmartCenter servers, a primary
and a secondary, reside on separate virtual machines to provide SmartCenter redundancy (the
SmartCenter Cluster is optional). VPN-1 requires ClusterXL to provide clustering functionality.
Failover ensures continuous service if an active ClusterXL cluster member becomes unavailable for
any reason. In this case, the standby Cluster member immediately takes over the tasks of
inspecting traffic from the unavailable machine. This scenario does not provide high availability
protection in the event that the ESX host itself becomes unavailable. For more information on creating this deployment, see Deploying ClusterXL on VMware on page 21.
The following diagram illustrates a simplified network deployment using this scenario.
Figure 4 ClusterXL Deployment on a Single ESX Host
This example deployment includes Web and database servers hosted on virtual machines protected
by the clustered VPN-1 gateway. Also included in this deployment are primary and secondary
SmartCenter servers on virtual machines connected to the gateways using a non-dedicated
management interface.
The VPN-1 gateway and the SmartCenter servers connect to the external LAN and the Internet by
means of a virtual switch connecting to a physical switch via the ESX host interface. The gateway
ClusterXL cluster connects to the internal virtual network, containing the Web and Database
servers, via a virtual switch.
State synchronization is handled by a dedicated connection between members using one of the
virtual machine interfaces. The SmartCenter connects to the gateways via the internal network.
Notes to This Scenario
All servers protected by the ClusterXL cluster must reside on the same network
VPN-1 gateways in the bridge mode are not supported in cluster deployments
Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN
ClusterXL Deployment Using Two ESX Hosts
Figure 5 illustrates ClusterXL deployment with two ESX hosts to provide redundancy and/or load
sharing for the VPN-1 gateways physical database servers. Each VPN-1 virtual machine serves as a
ClusterXL cluster member and is state synchronized with its peer on the other cluster member.
VPN-1 virtual machines require ClusterXL to provide clustering functionality.
High availability ensures failover redundancy for the VPN-1 gateway virtual machine in the event
that an ESX host becomes unavailable. Furthermore, failover of an individual virtual machine
occurs if it becomes unavailable.
Load sharing allows you to distribute traffic amongst the members to maximize throughput and
eliminate bottlenecks. When using load sharing, failover also occurs at the ESX host and virtual
machine levels. For more information on creating this deployment, see Deploying ClusterXL on
VMware on page 21.
The following diagram illustrates this ESX host clustered environment.
Figure 5 ClusterXL Deployment on Two ESX Hosts
In this deployment, the VPN-1 gateway connects to protected networks using a virtual switch that
passes through to a host interface and a physical switch. The VPN-1 gateway and the SmartCenter
server connect to the external LAN and the Internet via a virtual switch passing through a host
interface and a physical switch.
The VPN-1 gateway virtual machine maintains a synchronization connection via a virtual switch
leading to a dedicated physical interface on the host member. The interface connects to its
counterpart on the other member by means of a physical switch or cross cable. Management traffic
between the gateway and the SmartCenter server also uses this connection.
Notes to This Scenario
This scenario provides SmartCenter redundancy by means of a primary server on one member
and a secondary server on the other.
In this scenario, VPN-1 gateways cannot protect resources, such as Web servers and databases,
that are hosted by virtual machines located on the same host as a gateway. Non-protected
virtual machines may, however, reside on the same host as a gateway virtual machine.
Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN
Deploying ClusterXL on VMware
In This Section
ClusterXL Clusters on VMware page 21
Deploying a ClusterXL Machine page 21
Installing ClusterXL on VMware page 24
Defining a ClusterXL Cluster page 25
ClusterXL Clusters on VMware
VPN-1 VE supports ClusterXL clusters for high availability Unicast mode and/or load sharing modes
running SecurePlatform. Other cluster solutions are not supported. This section summarizes the
requirements and procedures for defining a ClusterXL cluster with VPN-1 gateways or SmartCenter
servers on virtual machines.
You can create a ClusterXL cluster within a single ESX Host that ensures failover in case a virtual machine hosting a VPN-1 component encounters problems or is powered off.
You can also create a ClusterXL cluster, consisting of two or more ClusterXL members, each on a
different ESX host. This ensures failover in the event that an ESX host becomes unavailable or in
case a ClusterXL member becomes unavailable. Furthermore, load sharing allows you to distribute
traffic amongst ESX hosts in addition to ensuring failover.
Please note that VMware High Availability and other VMware clustering solutions are not
appropriate for use with virtual machines hosting VPN-1 gateways or SmartCenter servers. These
products cannot provide the state synchronization required for VPN-1 clusters. You can, however,
use VMware High Availability or other solutions to provide failover support for virtual machines
hosting your own servers, databases, applications and other resources.
To create ClusterXL clusters on VMware, you must set up the virtual machine manually and then
install VPN-1. Manually creating the machine allows you to change its components and include two
CPUs, as required for ClusterXL clusters. To run ClusterXL, you must also have VPN-1 NGX HFA
30 or above installed on all cluster members.
Deploying a ClusterXL Machine
To deploy a ClusterXL machine:
1. Select the desired host in the Inventory panel and then click the icon on the toolbar.
Alternatively, you can right-click on the host and select New Virtual Machine from the option
menu. The New Virtual Machine wizard appears.
2. Select either the Typical or Custom option and click Next. The Name and Folder page appears.
3. Enter a unique name for the virtual machine in the appropriate field and select a location for
the new machine in the lower section of the page.
4. On the Datastore page, select the desired datastore location from the list.
5. On the Guest Operating System page, select Linux and then select Red Hat Enterprise Linux 3.
6. On the CPUs page, select the number of virtual CPUs required for this virtual machine. Machines that will be ClusterXL cluster members require 2 CPUs.
7. On the Memory page, allocate at least 512 MB for VPN-1 gateways and SmartCenter servers. We also recommend that you guarantee that at least 512 MB is always available by reserving
512 MB. You can perform this action after completing the virtual machine definition process,
as described in Enhancing Performance by Reserving Memory on page 23.
8. On the Network page, select the number of interfaces for this virtual machine. You can define
up to four virtual interfaces.
For each interface select the port group to which the interface connects. Always select the
Connect at Power On option.
For a VPN-1 gateway, at least one interface connects to an internal or external network
For SmartCenter servers, a management interface is required to connect to the gateways
9. On the I/O Adapter page, select the SCSI adaptor appropriate for your deployment.
10. On the Select a Disk page, select Create a new virtual disk.
11. On the Disk Capacity page, specify at least 12 GB. Select a storage location for this virtual machine.
12. On the Advanced Options page, accept the default parameters unless you have a specific reason
to change them.
13. On the Ready to Complete page, click Finish to complete the process. It may take a few minutes
for the new virtual machine to appear in the inventory.
14. Connect to the ESX Machine using SSH. For more information, see How can I Connect to the
ESX Server Using SSH? on page 33.
15. Edit the virtual machine's .vmx file as follows:
a. Browse to the directory where the .vmx file is: cd /vmfs/volume// where and are names you chose.
b. Open the .vmx file for editing. Under each line beginning with EthernetX (where X is a number), add a new line that appears as follows:
ethernetX.virtualDev=e1000
c. Save the .vmx file and exit the editor.
16. Power On the virtual machine.
Enhancing Performance by Reserving Memory
VPN-1 gateway and SmartCenter virtual machines require at least 512 MB of allocated memory. In
addition, we recommend ensuring that at least 512 MB of allocated memory resources are always
available. This process is called reserving memory, and it enhances performance when installing policies in environments with large databases and/or complex Rule Bases. If you imported the
VPN-1 VE machine using the VPN-1_R65_VE.tgz file, you already have the reserved memory and do not need to perform the steps below.
To modify a virtual machine definition to reserve memory resources for a virtual machine:
1. Right-click on the appropriate virtual machine in the Inventory page and select Edit Settings
from the option menu. The window opens.
2. Click the Resources tab to display the Resources page.
3. Click Memory to display the memory settings.
4. Enter at least 512 MB in the Reservation field.
5. Change other properties as required. Refer to the online help and the Basic System
Administration guide for detailed information regarding the various properties.
Installing ClusterXL on VMware
Installing from Media Pack CDs
To install ClusterXL on VMware from a VPN-1 Media Pack CD, the virtual machine must have a CD
drive defined either as a client device (CD on the client PC) or as a host device (CD on the host
computer).
Installing from ISO Images
To install ClusterXL on VMware from a VPN-1 ISO file, you must first copy the ISO file to a location
in the datastore. The virtual machine must have a CD drive defined as the datastore path to this
ISO file.
Starting the Installation
To install ClusterXL on a new virtual machine:
1. If you are installing from the Media Pack CDs, insert CD 1 (SecurePlatform) into the CD drive.
If you are using ISO files, ensure that the virtual machine CD drive configuration points to the
path to the correct ISO file.
2. Select the Console tab for the virtual machine.
3. Power On the virtual machine. When the VMware welcome screen appears, press Esc to bring
up the Boot Menu. Select CD-ROM drive from the Boot Menu. The installation routine runs automatically.
Installing SecurePlatform
To install SecurePlatform:
1. From the Welcome screen, click OK to install. The System Type screen appears.
2. On the System Type screen, select SecurePlatform.
3. On the Keyboard Selection menu, select a keyboard type.
4. On the Network Interface Configuration screen, enter the management interface IP address, netmask, and default gateway for the first network interface (eth0 on most systems).
5. On the HTTPS Server Configuration screen, enable web-based configuration and accept the
default port.
6. Click OK. A confirmation message appears. Click OK to format the virtual hard drive and install
SecurePlatform software components. The installation process may take several minutes to
complete.
7. Remove the installation CD from the drive.
8. Click OK (or press Enter) to reboot your system. The reboot occurs automatically.
If you want to clone this virtual machine or to convert it to a template, do so at this time.
Continue with Configuring VPN-1 Gateways and SmartCenters on page 11.
Defining a ClusterXL Cluster
Before defining the ClusterXL cluster, configure the requisite number of interfaces on each ESX
host as required for your deployment, manually create each virtual machine and install VPN-1 for
VMware, and configure each gateway as described in previous sections.
To define a ClusterXL cluster in an ESX deployment:
1. Run cpconfig and activate clustering on each gateway.
2. Modify the value of each cluster member's timer resolution to 5 as follows (this
modification is required to prevent false failovers; as a result, detection of a member down
may take up to 5 seconds):
a. Open: $FWDIR/boot/modules/fwkern.conf (If this file does not exist, create it.)
b. Add: fwha_timer_cpha_res=5
c. Reboot each machine
3. Test connectivity between the ClusterXL cluster members and the SmartCenter server. Resolve
connectivity issues before proceeding.
4. Test connectivity between the ClusterXL cluster members and your internal networks, external
networks, and other virtual machines. Resolve connectivity issues before proceeding.
5. Using SmartDashboard, create and configure your clusters and the required synchronization
networks. Refer to the ClusterXL Administration Guide, found at http://support.checkpoint.com
and the online help for details regarding this process.
6. Define and install security policies.
7. Test the policies and connectivity.
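As an added example, not from the guide, the following Python routine makes step 2 repeatable across cluster members: it rewrites $FWDIR/boot/modules/fwkern.conf so that fwha_timer_cpha_res=5 appears exactly once, creating the file when it is missing and collapsing duplicate definitions, which would otherwise leave the effective value ambiguous. FWDIR is read from the environment and the sample file contents are constructed.

```python
"""Set fwha_timer_cpha_res=5 in $FWDIR/boot/modules/fwkern.conf without creating
duplicate keys.

Added example, not part of the Check Point guide. It only edits the file's text;
the reboot the guide requires for the change to take effect still applies. The
sample contents used to exercise it are constructed.
"""
import os
from typing import Optional


def set_kernel_param(conf_text: str, key: str, value: str) -> str:
    """Return conf_text with exactly one active 'key=value' line.

    An existing line for the key is rewritten in place (further duplicates are
    dropped), commented-out lines are left alone, and a missing key is appended.
    """
    out, done = [], False
    for line in conf_text.splitlines():
        body = line.strip()
        if body and not body.startswith("#") and body.split("=", 1)[0].strip() == key:
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue                                   # drop duplicate definitions
        out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def get_kernel_param(conf_text: str, key: str) -> Optional[str]:
    """Read the active value of key from fwkern.conf text, or None when unset."""
    for line in conf_text.splitlines():
        body = line.strip()
        if body and not body.startswith("#") and "=" in body:
            k, v = (part.strip() for part in body.split("=", 1))
            if k == key:
                return v
    return None


def apply_to_file(path: str, key: str = "fwha_timer_cpha_res", value: str = "5") -> bool:
    """Create or update the file on disk; return True when its contents changed."""
    old = ""
    if os.path.exists(path):
        with open(path, encoding="ascii") as fh:
            old = fh.read()
    new = set_kernel_param(old, key, value)
    if new != old:
        with open(path, "w", encoding="ascii") as fh:
            fh.write(new)
    return new != old


if __name__ == "__main__":
    # FWDIR is set in the SecurePlatform expert shell; the guide gives the file path.
    conf = os.path.join(os.environ["FWDIR"], "boot", "modules", "fwkern.conf")
    print("fwkern.conf updated, reboot required" if apply_to_file(conf) else "already set")
```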
Advanced Deployment: Protecting More Than 3 Virtual Networks
Introduction
The deployments described in the previous section are limited in that each virtual machine has a
maximum of four interfaces. In a typical deployment, this means that a VPN-1 gateway can only
protect three virtual networks. This limitation, however, can be overcome using VLANs. Using
VLANs, you can divide traffic on one network adapter into multiple networks that can all be
protected by one VPN-1 VE gateway.
VLAN Deployment Example
Figure 6 illustrates an example of a deployment using VLANs. For detailed instructions on
configuring such a deployment, see Configuring VLAN Networks on page 29.
Figure 6 Deployment Using VLANs
This deployment is comprised of a standalone VPN gateway and SmartCenter on a single virtual
machine. The gateway inspects and protects all traffic passing through a virtual switch that is
provisioned with four different port groups, corresponding to four VLAN groups. Each VLAN group
leads to a different network, all of which are protected by the VPN-1 gateway from external threats
as well as from threats originating from other virtual machines.
With the use of VLANs, only two interface cards are being used by the VPN-1 VE to protect all four networks. While this example shows only four networks provisioned on one virtual switch, using
VLANs you can protect over four thousand networks with one interface.
Notes to This Scenario
All machines within a VLAN network must reside on the same subnet. For a mid-sized
deployment this should not result in a lack of available IP addresses.
Each host must be configured so that its default gateway is the respective VPN-1 VLAN
device's IP address. Each host's routing table should direct all traffic through the default
gateway.
The switch port that is connected to the firewall must be a VLAN trunk port and be configured
with VLAN ID 4095 to accept traffic from all VLANs. The VPN-1 machine must be the only
machine in this port group and the only machine with this VLAN ID.
Packets that travel between hosts with the same VLAN tag are not inspected by the VPN-1 VE.
While only four networks are shown connected to the virtual switch, over 4000 can be
provisioned on one switch.
There are potentially two remaining interfaces on the VPN-1 machine that can be used for
other purposes within the deployment.
The Path of a Packet
Figure 7 shows the paths that packets may travel within the VLAN deployment scenario depicted
above.
Figure 7 Paths of Packets in a VLAN Deployment
If one host on a VLAN network sends a packet to a host on a different VLAN network, the packet
receives a VLAN tag from the virtual switch. It then travels to the VPN-1 firewall where the tag is
removed. Once the firewall inspects the packet, it re-tags it, based on the routing table, and sends
the packet to the virtual switch. The virtual switch strips the VLAN tag and sends the packet to the
correct host without a tag.
Packets coming from outside to a specific VLAN network pass through the VPN-1 firewall and are
inspected. They then follow the same route as a packet sent from one VLAN network to another.
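The following added example (not part of the guide) models the path just described in Python: 802.1Q tag insertion and removal, a one-rule Rule Base and a per-VLAN routing table on the gateway, run over a constructed three-VLAN deployment. It also covers the case the notes above mention, a frame between two hosts carrying the same VLAN tag, which the virtual switch forwards locally so the gateway never inspects it.

```python
"""Walk a frame through the VLAN deployment described above: 802.1Q tag on
ingress, strip at the gateway, inspect, re-tag from the routing table, strip
again on delivery.

Added example, not part of the Check Point guide. Hosts, subnets and the rule
are constructed; MAC rewriting and the external interface are left out.
"""
import struct
from ipaddress import ip_address, ip_network

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(src_ip: str, dst_ip: str) -> bytes:
    """Minimal untagged Ethernet frame carrying a 20-byte IPv4 header (no payload)."""
    dst_mac = bytes.fromhex("000c29000001")            # constructed MAC addresses
    src_mac = bytes.fromhex("000c29000002")
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr


def tag_frame(frame: bytes, vlan_id: int) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI, priority 0) after the two MAC addresses."""
    if not 1 <= vlan_id <= 4094:                       # 4095 is the reserved "All" trunk value
        raise ValueError("VLAN ID must be between 1 and 4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vlan_id, untagged frame); vlan_id is None when the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class VlanGateway:
    """VPN-1 VE on the VLAN-4095 trunk port group: one eth1.<id> sub-interface per VLAN."""

    def __init__(self, vlan_subnets, rules):
        # The guide says the gateway's routing table is built automatically from the
        # VLAN devices; here that is one connected route per sub-interface.
        self.routes = [(ip_network(net), vid) for vid, net in vlan_subnets.items()]
        self.rules = [(ip_network(s), ip_network(d), act) for s, d, act in rules]

    def route(self, dst_ip):
        for net, vid in self.routes:
            if dst_ip in net:
                return vid
        return None                                    # not on a connected VLAN: not modelled

    def inspect(self, src_ip, dst_ip) -> str:
        for src_net, dst_net, action in self.rules:    # first match wins, like a Rule Base
            if src_ip in src_net and dst_ip in dst_net:
                return action
        return "drop"                                  # implicit cleanup rule


# Constructed deployment: three VLANs on one virtual switch, four protected hosts,
# and a Rule Base that only lets the Web tier reach the database tier.
VLAN_SUBNETS = {2: "172.23.2.0/24", 3: "172.23.3.0/24", 4: "172.23.4.0/24"}
HOSTS = {                                              # name -> (IP, VLAN of its port group)
    "web-01": ("172.23.2.10", 2), "web-02": ("172.23.2.11", 2),
    "db-01": ("172.23.3.10", 3), "app-01": ("172.23.4.10", 4),
}
RULES = [("172.23.2.0/24", "172.23.3.0/24", "accept")]
GATEWAY = VlanGateway(VLAN_SUBNETS, RULES)


def trace_path(src_host: str, dst_host: str, gateway: VlanGateway = GATEWAY) -> dict:
    """Follow one frame from src_host to dst_host and record what happened to it."""
    src_ip, src_vlan = HOSTS[src_host]
    dst_ip, dst_vlan = HOSTS[dst_host]
    frame = build_ipv4_frame(src_ip, dst_ip)
    trace = {"tag_in": src_vlan, "inspected": False, "action": None,
             "tag_out": None, "delivered": False}
    tagged = tag_frame(frame, src_vlan)                # virtual switch tags on ingress
    if src_vlan == dst_vlan:
        # Same tag on both ends: the virtual switch forwards locally and the
        # gateway never sees the frame (the blind spot noted in the guide).
        trace["delivered"] = True
        return trace
    vid, plain = untag_frame(tagged)                   # eth1.<vid> strips the tag
    src, dst = ip_address(plain[26:30]), ip_address(plain[30:34])
    trace["inspected"] = True
    trace["action"] = gateway.inspect(src, dst)
    if trace["action"] != "accept":
        return trace                                   # dropped at the gateway
    out_vid = gateway.route(dst)                       # re-tag from the routing table
    trace["tag_out"] = out_vid
    if out_vid is not None:                            # switch strips the new tag on delivery
        final_vid, final = untag_frame(tag_frame(plain, out_vid))
        trace["delivered"] = final_vid == dst_vlan and final[14:] == frame[14:]
    return trace
```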
Configuring VLAN Networks
Setting up the VLAN Networks involves configuring the following:
The virtual switch that will house the port groups and VLAN IDs
The VPN-1 machine that will protect the VLAN networks and virtual switch
The hosts to be protected by the VPN-1
Below are detailed instructions for setting up your deployment.
Configuring the Virtual Switch
To set up a VLAN configuration, you provision one port group on a virtual switch for each VLAN. All
packets intended for a specific host within a VLAN receive a VLAN tag and can only be received by
hosts on that VLAN network.
One interface of the VPN-1 VE machine is connected to the same virtual switch as the other port
groups. The VPN-1 machine has a separate port group with a VLAN ID of All, to accept traffic from all other port
groups. All packets pass through the firewall and are then given a VLAN tag by the virtual switch
and sent to that VLAN network.
To add another port/VLAN ID Group to a virtual switch or to edit existing port groups:
1. From the Configuration tab of the ESX server, click Networking. The Networking page opens, displaying your virtual switches.
1. Click Properties next to the virtual switch that you want to configure.
2. To add a new port group:
a. Click Add. The Add Network Wizard opens.
b. Select Virtual Machine and click Next. Continue with step 4.
3. To edit an existing port group:
a. Select a Virtual Machine Network (port group) from the list and click Edit.
4. Type a Network Label and type or select a VLAN ID to identify a port group on the switch. Click
Next. We recommend not using VLAN ID 1 as this may be the native VLAN ID on the machine and may cause connectivity problems.
5. Click Finish.
6. Repeat steps 2 through 5 for each port group/VLAN ID group you want to provision on the
virtual switch.
Add a Port Group/VLAN ID for the VPN-1 Machine
The VPN-1 machine must have a separate Port Group/VLAN ID of All to accept all packets. Follow
the steps in Configuring the Virtual Switch on page 29. In Step 4, type 4095 for the VLAN ID.
Configuring the VPN-1 Machine
Follow the instructions in Importing and Configuring VPN-1 VE on page 9 to import the VPN-1
VE machine and create a new VPN-1 machine. Configure it following the instructions in Known
Limitations on page 14. Refer to the NGX R65 Internet Security Product Suite Getting Started
Guide, found at http://support.checkpoint.com, for additional configuration information.
Configuring VLANs on the VPN-1 Machine
When you configure the VLAN, it displays as ., for example, eth1.2. Make sure to configure the network adapter that connects the VPN-1 machine to the virtual switch
with VLAN groups.
To configure an IP address for each VLAN device, run:
sysconfig
Then, in the sysconfig menu:
1. Type 1 to Add Connection.
2. Type 2 to select VLAN.
3. Select the network adapter that connects the VPN-1 machine to the virtual switch with VLAN
groups, for example, eth1.
4. Enter the VLAN ID, for example, 2.
5. Type the IP address specific to the VLAN, the desired netmask, and default broadcast.
The VLAN configuration will display.
6. Repeat the steps above for each VLAN.
Once the ESX server environment is fully configured, add the virtual switch and all of the hosts and
networks you want to protect as objects in the Smart Dashboard and set up a Rule Base. See the
NGX R65 Getting Started Guide for more information. For a complete presentation of NGX R65
installation and configuration procedures, refer to the NGX R65 Internet Security Product Suite
Getting Started Guide and the Firewall and SmartDefense Administration Guide, found at
http://support.checkpoint.com.
Configuring Hosts
All hosts that will be on a VLAN and be protected by the VPN-1 gateway should be set up in your
ESX Server. Change the IP settings so that each host's default gateway is on the same subnet as the VLAN device's virtual IP address that you configured when setting up the VPN-1 machine. All
hosts within a VLAN must be on this same subnet.
Setting Up a Routing Table
The routing table of each host should be configured to direct all traffic from the host to go through
its default gateway, which is one of the VLAN devices' virtual IP addresses. In this way you ensure
that all traffic to and from the host will be inspected by the VPN-1 VE machine. The routing table
within the VPN-1 machine itself is automatically configured after you set up the VLANs.
The steps needed to configure a routing table differ depending on your operating system. Below is
an example of how to set up the routing table in Linux.
To set up a routing table in a Linux machine:
1. From the console in a host, type:
route add default gw 184.23.5.3
where 184.23.5.3 is the default gateway of that particular host.
2. Repeat step 1 on every host.
FAQs and Troubleshooting
Below are some troubleshooting procedures for questions that may arise when working with VPN-1
VE.
How can I Connect to the ESX Server Using SSH?
If you are not able to access the ESX Server via SSH, follow this procedure:
1. Go to the service console on the physical server and log in.
2. Run:
vi /etc/ssh/sshd_config
3. Change the line that says PermitRootLogin from no to yes.
4. Run:
service sshd restart
What Should I Do if I Receive a UUID Warning Message?
When powering on your VPN-1 VE machine for the first time, you may get a Virtual Machine
Message stating that the virtual machine's configuration file has changed. It will look like this:
Select Create and then click OK to start the machine.
Can I Change the MTU?
In order to change the MTU (Maximum Transmission Unit) your network adapter drivers must be
set to pcnet32.
To change the network adapter driver settings to pcnet32:
1. Connect to the ESX Server with SSH.
2. Change the directory to the virtual machine directory.
3. Edit the VPN-1_VE.vmx file as follows: Delete the lines stating ethernetX.virtualDev=e1000, where X is the relevant virtual network adapter.
Note - If you wish to change your network adapter drivers back to e1000, you must change the
MTU to a value higher than 1000, using sysconfig.
Can I Enlarge the VPN-1 VE Hard Disk Drive?
You may want to enlarge the VPN-1 VE hard drive to allow more space for logs, especially if the
machine has a SmartCenter installed. You can add an additional hard drive in VMware. You then
configure the hard drive in SecurePlatform and direct logs to a new directory on the new hard
drive.
Creating a Second Hard Drive in VMware
To create a second hard drive:
1. Power Off the VPN-1 VE machine.
2. Right-click the machine and select Edit Settings.
3. Click Add and then select Hard Disk from the Add Hardware Wizard. Click Next.
4. Select Create a new virtual disk and click Next.
5. Type the Disk Size you want and click Next.
6. Keep the default settings by clicking Next.
7. The settings of the new disk are displayed. Click Finish.
Configure the New Hard Drive in SecurePlatform
Configuring the new hard drive involves creating a new partition, formatting the hard disk, and
mapping it to a new directory.
Creating a New Partition
To create a new partition:
1. Power on the VPN-1 VE machine.
2. Log in to expert mode.
3. Run:
fdisk /dev/sdb
4. Type n to add a new partition.
5. Type p to choose a primary partition.
6. Type 1 for the partition number.
7. Keep the defaults for the first and last cylinder.
8. Type t to change the partition's system ID.
9. Type the hex code 83.
10. Type w to write the table to disk and exit.
Creating the Volume Settings
To create the volume settings:
1. Verify that the new hard disk is properly configured and that /dev/sdb1 is created by running:
fdisk -l
where the lower case L stands for list partition table.
2. Initialize a physical volume by running:
pvcreate /dev/sdb1
3. Optionally, check that the physical volume was created by running:
pvdisplay
4. Create a volume group. Choose a name for the volume group that you will use in the command
when creating it, for example, mynew_vg:
vgcreate mynew_vg /dev/sdb1
5. Create a logical volume:
lvcreate -L 4000 -n vol2 mynew_vg
where 4000 is the size of the hard drive in MB, vol2 is a name that you assign to the logical volume, and mynew_vg is the name of the volume group that you assigned in the previous step.
Formatting and Mapping the Hard Drive
To format and map the hard drive:
1. Format the hard disk by using the names you created in Creating the Volume Settings on
page 34 and running:
mkfs.ext3 -m 0 /dev/mynew_vg/vol2
2. Add the new hard disk to the SecurePlatform mapping tables as follows:
a. Run:
vi /etc/mtab
b. Add the following line at the end of the file:
/dev/mynew_vg/vol2 /exvar ext3 rw 0 0
where exvar is the name you choose for the directory to which the hard drive will be mapped.
c. Run:
vi /etc/fstab
d. Add the following line at the end of the file:
/dev/mynew_vg/vol2 /exvar ext3 defaults 1 2
where exvar is the name you chose for the directory to which the hard drive will be mapped.
3. Create the directory to which the hard drive will be mapped (exvar in this example) and map the hard drive to this directory. Run:
mkdir /exvar
mount -a
Redirecting the Log Files to a Folder in the New Hard Drive
To redirect log files to the new hard drive:
1. Run:
cpstop
2. Save the current log directory by running:
mv $FWDIR/log $FWDIR/log.old
3. Create a new log directory, for example newlogs, in the new hard disk with the name you chose in Formatting and Mapping the Hard Drive on page 35:
mkdir /exvar/newlogs
4. Map logs to the new directory:
ln -s /exvar/newlogs $FWDIR/log
5. Start the machine using:
cpstart
Documentation Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by
sending your comments to:
cp_techpub_feedback@checkpoint.com