Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point VPN-1 Power VSX NGX R65
Contents

About This Guide
    Intended Audience (page 5)
    Related Documentation (page 5)
        Crossbeam Systems Documentation (page 5)
        Other Documentation (page 5)
    Conventions (page 6)
        Typographical Conventions (page 6)
        Cautions, Warnings, and Notes (page 7)
    Crossbeam Systems Customer Support (page 8)

Chapter 1: Introduction
    Serialization and Secure Flow Processing (page 9)
    Applications Used in this Topology (page 9)
    Serialized Application Topology (page 10)

Chapter 3: Application Installation
    Configure Proventia Network IPS Using Proventia Manager (page 40)
    Install and Configure Check Point (page 41)
        Application Prerequisites (page 41)
        Installing the Application (page 41)
            Install the Application onto a VAP Group (page 41)
            Interview Process (page 41)
        Create Virtual Devices and Circuits Using the VSX GUI (page 43)

Chapter 5: Troubleshooting
    Configuration Tips (page 57)
    Troubleshooting (page 57)
        Application Installation (page 57)
        Management Communications (page 58)
        VAP Traffic Issues (page 58)
        Troubleshooting from the Command Line (page 59)
Intended Audience
This guide is intended for system integrators and other qualified service personnel responsible for installing, configuring, and managing the Crossbeam X-Series platform.
Related Documentation
Crossbeam Systems Documentation
These documents are provided on the Crossbeam Systems Documentation CD and are available through the Crossbeam Systems support Web site at http://www.crossbeam.com/services/online_support.php:

    X40-X80 Security Switch Hardware Installation Guide
    X45 Security Switch Hardware Installation Guide
    XOS Configuration Guide
    Deploying Multiple Security Services on the Crossbeam X-Series Platform Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point VPN-1 Power NGX R65
    Deploying Multiple Security Services on the Crossbeam X-Series Platform Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point VPN-1 Power VSX NGX R65 with Bridged Virtual Systems
    Deploying Multiple Security Services on the Crossbeam X-Series Platform Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point Layer-2 Firewall
    XOS V8.1 Command Reference Guide
    Install Server User Guide
    XOS V8.1 Release Notes
Other Documentation
    Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems, located at http://www.iss.net/support/documentation
    Check Point VPN-1 Power VSX NGX R65 Installation and Configuration for Crossbeam X-Series System
Conventions
Typographical Conventions
For paragraph text conventions, see Table 1 on page 6. For command-line text conventions, see Table 2 on page 7.
Convention          Description and example

>                   Separates successive menu selections. Examples: From the taskbar, choose Start > Run. From the main menu, choose File > Save As... Right-click on the desktop and choose Arrange Icons By > Name from the pop-up menu.

Courier Bold        Information that you must type in exactly as shown. Example: [root@xxxxx]# md <your_folder_name>

<Courier Italic>    Angle brackets surrounding Courier italic text indicate file names, folder names, command names, or other information that you must supply (<your_folder_name> in the example above).

[ ]                 Square brackets contain optional information that may be supplied with a command.

|                   Separates two or more mutually exclusive options.

{ }                 Braces contain two or more mutually exclusive options from which you must choose one.
Chapter 1: Introduction
This guide provides information specific to connecting IBM Proventia Network Intrusion Prevention System and Check Point VPN-1 Power VSX NGX R65 in series. It assumes that you have read, or are familiar with, the XOS Configuration Guide, the Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems, and the Check Point VPN-1 Power VSX NGX R65 Installation and Configuration for Crossbeam X-Series System.

This chapter provides a brief overview of Serialization and Secure Flow Processing: the benefits of serialized applications, the specific applications used in this scenario, and a simple diagram of the serial topology.
Figure 1.
The steps in this guide produce a simple, working serialized configuration. The complete configuration is provided in Appendix A Sample Configurations on page 61. As an alternative to the single interface, configuration steps for an MLT group interface are provided in Configure the MLT Group Interfaces on page 31.

This topology can also be adapted to a network designed with multiple subnets, allowing you to configure security policies specific to each subnet. Because individual subnets may have stricter security requirements or heavier traffic patterns, additional IPS systems may be added to handle them. For that case, the topology can be configured with a third VAP group (a second instance of Proventia Network IPS). That full configuration is provided in Chapter 4 Advanced Configurations on page 45.
Chapter 2: Configuring Serialization
This chapter provides information about the topology, and steps to configure serialization. General X-Series prerequisites and configuration information is available in the XOS Configuration Guide. This chapter contains the following sections:

    Requirements To Support this Topology on page 11
    Configuration Overview on page 12
    Create VAP Groups on page 14
    Configure Circuits on page 17
    Configure the Physical Interfaces on page 25
    Configure the MLT Group Interfaces on page 31
Application Requirements
This scenario uses the following two applications: IBM Proventia Network IPS 2.0 for Crossbeam and Check Point VPN-1 Power VSX NGX R65.

NOTE: RAID 0 and 1 configurations are supported with 2 SATA HDDs installed.
Configuration Overview
This section describes the process of configuring Proventia Network IPS to bridge traffic to Check Point VSX NGX R65 in series on an X-Series system. The configuration options covered in this chapter are:

    Single physical interfaces
    Multi-Link Trunk (MLT) interfaces

This chapter provides detailed steps to configure two VAP groups, the associated circuits, and either single interfaces or MLT interfaces. The completed configuration for this process is provided in Appendix A. If you require a configuration comprised of three individual VAP groups (IPS / VSX / IPS), and are familiar with XOS serial configurations, Chapter 4 provides a completed configuration for that topology. If you are not yet familiar with configuring serialization, it is recommended that you work through both Chapter 2 and Chapter 4 to complete this advanced configuration.

Multi-system high availability for the serialized topology is configured by creating nearly identical configurations on multiple systems. The systems are linked using a physical connection to the CPM through either the High Availability (HA) link or the management port. For more information about multi-system high availability, see Multi-System High Availability Using VRRP on page 49.
The following single interface topology is configured in the subsequent sections: Multiple VLANs configured in an 802.1q trunk ingress on a single physical interface, pass through the ISS bridge, and are split into individual circuits, one per VLAN, on the layer 3 device (VSX). Traffic exits to an external network through a separate physical interface. Management of the applications is done through a single physical interface that is split internally.
Figure 2.
VAP group, circuit, and interface names in this topology are examples, not required names. In most cases they describe the function of the circuit or interface. The complete configuration for this topology is provided in Appendix A Sample Configurations on page 61.

The following steps are required to configure the X-Series system. It is not necessary to complete both Section 3 Configure the Physical Interfaces and Section 4 Configure the MLT Group Interfaces for serialization; the sample topologies use one or the other.

    Create VAP Groups on page 14
        ISS VAP Group on page 14
        VSX VAP Group on page 16
    Configure Circuits on page 17
        Bridge Circuit on page 17
        Internal Circuit for Serialization on page 19
        WAN Circuit on page 21
        Internal Circuit for Synchronization on page 22
        Shared Management Circuit on page 23
    Configure the Physical Interfaces on page 25
        Group Interface Bridge on page 26
        WAN Interface on page 28
        Management Interface on page 29
    Configure the MLT Group Interfaces on page 31
        LAN Template Circuit on page 32
        LAN MLT Group Interface on page 33
        MLT Group Interface Bridge on page 35
        WAN MLT Group Interface on page 37
        Management Interface on page 38
1.1 ISS VAP Group

Create a VAP group consisting of three APMs that support the installation of Proventia Network IPS (ISS). Name the VAP group iss.
Figure 3.
In the following section you will create this portion of the configuration. A complete configuration is available in Appendix A. To check your progress throughout the setup process, open a second CLI window and log into the CPM. From there, use show running-config to verify your work at any time.

    vap-group iss xslinux_v3
      vap-count 3
      max-load-count 3
      ap-list ap3 ap4 ap5
      ip-flow-rule iss_lb
        action load-balance
        activate
1.1.1

Create a VAP group named iss using the xslinux_v3 operating system. The v3 kernel is required by ISS.

Command:
    CBS# configure vap-group iss xslinux_v3
    Are you sure you want to create a new vap-group with OS version xslinux_v3? <Y or N> [Y]: Y
    Creating vap-group iss. May take several minutes.......................
    CBS(config-vap-grp)#

1.1.2

Create three VAP members for redundancy and additional capacity.

Command:
    CBS(config-vap-grp)# vap-count 3
    Are you sure you want to adjust vap-count to 3? <Y or N> [Y]: Y
    Adjusting vap-count. May take several minutes............................
    CBS(config-vap-grp)#

1.1.3

This command specifies the list of APMs to be loaded. All VAP members should be identical APMs. Use show module status from the CLI to verify the configuration of each APM if necessary.

Command:
    CBS(config-vap-grp)# ap-list ap3 ap4 ap5
    CBS(config-vap-grp)#

1.1.4

Specify the maximum number of VAP members in the VAP group. In order to install Proventia Network IPS, the max load count must match the VAP count.

Command:
    CBS(config-vap-grp)# max-load-count 3
    CBS(config-vap-grp)#

1.1.5 Configure the default flow-rule for the VAP group and return to the main CLI context

There are four steps to configure the load balancing flow rule:

    Create the load balancing flow rule for the ISS VAP group.
    Set the flow rule action to load-balance ISS traffic to all available VAP members.
    Set the activate flag to enable the action.
    Return to the main CLI context to prepare for the next step.

Command:
    CBS(config-vap-grp)# ip-flow-rule iss_lb
    CBS(ip-flow-rule)# action load-balance
    CBS(ip-flow-rule)# activate
    CBS(ip-flow-rule)# end
    CBS#

1.2 VSX VAP Group

Create a VAP group consisting of three APMs that support the installation of Check Point VPN-1 Power VSX NGX R65. Name the VAP group vsx.

Figure 4.

In the following section you will create this portion of the configuration.

    vap-group vsx xslinux_v3
      vap-count 3
      max-load-count 3
      ap-list ap8 ap9 ap10

1.2.1

Create a VAP group named vsx using the xslinux_v3 operating system. The v3 kernel is required by VSX.

Command:
    CBS# configure vap-group vsx xslinux_v3
    Are you sure you want to create a new vap-group with OS version xslinux_v3? <Y or N> [Y]: Y
    Creating vap-group vsx. May take several minutes.............................................................
    CBS(config-vap-grp)#

1.2.2

Create three VAP members for redundancy and additional capacity.

Command:
    CBS(config-vap-grp)# vap-count 3
    Are you sure you want to adjust vap-count to 3? <Y or N> [Y]: Y
    Adjusting vap-count. May take several minutes..................................
    CBS(config-vap-grp)#

1.2.3

This command specifies the list of APMs to be loaded. All VAP members should be identical APMs. Use show module status from the CLI to verify the configuration of each APM if necessary.

Command:
    CBS(config-vap-grp)# ap-list ap8 ap9 ap10
    CBS(config-vap-grp)#

1.2.4 Specify the number of active VAP members and return to the main CLI context

Specify the maximum number of VAP members in the VAP group. In order to install VSX, the max load count must match the VAP count. Return to the main CLI context to prepare for the next step.

NOTE: You do not have to manually configure a default flow-rule for VSX VAP groups. VSX configures a default flow rule as part of the application installation process. See the application installation guide for more information.

Command:
    CBS(config-vap-grp)# max-load-count 3
    CBS(config-vap-grp)# end
    CBS#
2.1 Bridge Circuit

The Layer 2 bridge circuit is a template circuit that must be in place prior to configuring the group interface bridge covered in Section 3.1 Group Interface Bridge on page 26.
Figure 5.
In the following section you will create this portion of the configuration.

    circuit bridge
      device-name bridge
      vap-group iss
        promiscuous-mode active
2.1.1
Create a circuit to bridge traffic on ISS.

Command:
    CBS# configure circuit bridge
    CBS(conf-cct)#

2.1.2

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name.

Command:
    CBS(conf-cct)# device-name bridge
    CBS(conf-cct)#

2.1.3

Specify a VAP group to assign to this circuit.

Command:
    CBS(conf-cct)# vap-group iss
    CBS(conf-cct-vapgroup)#

2.1.4 Set mode to promiscuous-mode active and return to the main CLI context

Setting promiscuous-mode to active allows the circuit to pass traffic.

Command:
    CBS(conf-cct-vapgroup)# promiscuous-mode active
    CBS(conf-cct-vapgroup)# end
    CBS#
2.2 Internal Circuit for Serialization

This internal circuit connects the ISS VAP group to the VSX VAP group in series. It is a template circuit that must be in place prior to configuring the group interface bridge covered in Section 3.1 Group Interface Bridge on page 26.
Figure 6.
In the following section you will create this portion of the configuration.

    circuit SerialOne internal
      device-name Ser1
      vap-group iss
        promiscuous-mode active
      vap-group vsx
2.2.1
Create an internal circuit, connecting the two VAP groups in series.

Command:
    CBS# configure circuit SerialOne
    CBS(conf-cct)#
2.2.2
2.2.3

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name. When configuring circuits in a topology using VLANs, the device names for circuits that directly interface with VSX cannot exceed 4 characters.

Command:
    CBS(conf-cct)# device-name Ser1
    CBS(conf-cct)#
2.2.4
Assign the ISS VAP group to this circuit.

Command:
    CBS(conf-cct)# vap-group iss
    CBS(conf-cct-vapgroup)#

2.2.5 Set mode to promiscuous-mode active and exit the ISS VAP group context

Any VAP-specific parameters must be configured on this circuit. In this case, the ISS parameter promiscuous-mode active must be configured here as well. Setting promiscuous-mode to active allows the circuit to pass traffic.

Command:
    CBS(conf-cct-vapgroup)# promiscuous-mode active
    CBS(conf-cct-vapgroup)# exit
    CBS(conf-cct)#

2.2.6 Associate the circuit with the VSX VAP group and return to the main CLI context

Assigning the VSX VAP group to this circuit allows traffic to flow between the two VAP groups.

Command:
    CBS(conf-cct)# vap-group vsx
    CBS(conf-cct-vapgroup)# end
    CBS#
2.3 WAN Circuit

Create the WAN circuit, attached to the VSX VAP group. This circuit interfaces with an external network.
Figure 7.
In the following section you will create this portion of the configuration. When configuring circuits in a topology using VLANs, the device names for circuits that interface with VSX cannot exceed 4 characters.

    circuit wan
      device-name wan
      vap-group vsx
2.3.1
Create the wan circuit.

Command:
    CBS# configure circuit wan
    CBS(conf-cct)#

2.3.2

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name. When configuring circuits in a topology using VLANs, the device names for circuits that interface with VSX cannot exceed 4 characters.

Command:
    CBS(conf-cct)# device-name wan
    CBS(conf-cct)#

2.3.3 Assign the circuit to the VSX VAP group and return to the main CLI context

Assigning the VSX VAP group to this circuit allows traffic to flow across the circuit.

Command:
    CBS(conf-cct)# vap-group vsx
    CBS(conf-cct-vapgroup)# end
    CBS#
2.4 Internal Circuit for Synchronization

A synchronization circuit is an internal circuit that connects VSX VAP members. VSX uses this circuit to maintain state synchronization and communications between VSX cluster members.
Figure 8.
In the following section you will create this portion of the configuration.

    circuit sync internal
      device-name sync
      vap-group vsx
2.4.1
Create a circuit for VSX synchronization.

Command:
    CBS# configure circuit sync
    CBS(conf-cct)#
2.4.2
2.4.3

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name.

Command:
    CBS(conf-cct)# device-name sync
    CBS(conf-cct)#

2.4.4 Assign the circuit to the VSX VAP group and return to the main CLI context

Assign the sync circuit to the VSX VAP group.

Command:
    CBS(conf-cct)# vap-group vsx
    CBS(conf-cct-vapgroup)# end
    CBS#
2.5 Shared Management Circuit

Managing multiple applications installed on an X-Series system can be done using individual or shared connections to the modules. With serialized applications, it is often more efficient to manage VAP groups using a single physical interface, split internally. This topology creates a single shared circuit, which will later be assigned to a single physical interface (Section 3.3 Management Interface on page 29). If you expect a high level of log activity on your management circuit, consider creating individual management interfaces for each VAP group. For information on creating individual management circuits and interfaces, see Individual Management Circuits on page 49.
Figure 9.
In the following section you will create this portion of the configuration.

    circuit mgmt
      device-name mgmt
      vap-group iss
        management-circuit
        ip 172.16.19.62/24 increment-per-vap 172.16.19.65
      vap-group vsx
2.5.1
Create a management circuit, so that application management utilities can interface with the applications.

Command:
    CBS# configure circuit mgmt
    CBS(conf-cct)#

2.5.2

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name.

Command:
    CBS(conf-cct)# device-name mgmt
    CBS(conf-cct)#

2.5.3

Associate the ISS VAP group with the circuit and designate this circuit as the management circuit.

NOTE: Proventia Network IPS requires that you specify a management circuit using the management-circuit parameter.

Command:
    CBS(conf-cct)# vap-group iss
    CBS(conf-cct-vapgroup)# management-circuit
    CBS(conf-cct-vapgroup)#

2.5.4

Use increment-per-vap to assign a unique IP address to each VAP member, allowing individual management connections. When configuring the management IP addresses, leave some addresses unused so that additional APMs and VAPs can be added as the system grows.

Command:
    CBS(conf-cct-vapgroup)# ip 172.16.19.62/24 increment-per-vap 172.16.19.65
    CBS(conf-cct-vapgroup-ip)#

2.5.5

Use the exit command to return to the circuit context.

Command:
    CBS(conf-cct-vapgroup-ip)# exit
    CBS(conf-cct-vapgroup)# exit
    CBS(conf-cct)#

2.5.6 Assign the VSX VAP group to the circuit and return to the main CLI context

Associate the VSX VAP group with the management circuit.

Command:
    CBS(conf-cct)# vap-group vsx
    CBS(conf-cct-vapgroup)# end
    CBS#

NOTE: An IP address for VSX VAP group management is assigned automatically by VSX upon installation. You do not need to configure it manually.
3.1 Group Interface Bridge

The group interface bridge includes the physical interface, the ISS bridge circuit (bridge), and the internal circuit used for serialization (Ser1). Name this group interface bridge L2Br.
Figure 10.
In the following section you will create this portion of the configuration.

    group-interface L2Br
      interface-type gigabitethernet
      mode transparent circuit bridge
      interface-internal circuit SerialOne
      interface 1/1
        device-name LAN
3.1.1

Create the group interface bridge and name it L2Br.

Command:
    CBS# configure group-interface L2Br
    CBS(conf-group-intf)#

3.1.2

Specify the interface type as gigabitethernet or 10gigabitethernet, and then exit the interface type mode. Exiting returns you to the interface configuration context and prepares you for the next step.

Command:
    CBS(conf-group-intf)# interface-type gigabitethernet
    CBS(conf-grp-intf-gig)# exit
    CBS(conf-group-intf)#

3.1.3

Transparent mode allows ISS to provide the bridging mechanism.

Command:
    CBS(conf-group-intf)# mode transparent circuit bridge
    CBS(conf-group-intf)#

3.1.4

Associate the internal circuit with the group interface.

Command:
    CBS(conf-group-intf)# interface-internal circuit SerialOne
    CBS(conf-group-intf)#

3.1.5 Configure the physical interface and return to the main CLI context

Name and configure the physical interface. Be sure to associate a device name with the interface; this avoids the potential confusion of a system-generated interface name.

Command:
    CBS(conf-group-intf)# interface 1/1
    CBS(conf-grp-intf-intf)# device-name LAN
    CBS(conf-grp-intf-intf)# end
    CBS#
3.2 WAN Interface

Create the WAN interface for the VSX VAP group, and attach a physical interface to the wan circuit.
Figure 11.
In the following section you will create this portion of the configuration.

    interface gigabitethernet 1/2
      logical wan
        circuit wan
3.2.1
Define the physical interface to be assigned to the circuit.

Command:
    CBS# configure interface gigabitethernet 1/2
    CBS(conf-intf-gig)#

3.2.2

Define the logical interface for the physical interface specified in the previous step. For clarity, the logical name should be the same as, or based on, the circuit name.

Command:
    CBS(conf-intf-gig)# logical wan
    CBS(intf-gig-logical)#

3.2.3 Assign the circuit to the logical and physical interface and return to the main CLI context

Assign the circuit to the interface.

Command:
    CBS(intf-gig-logical)# circuit wan
    CBS(intf-gig-logical)# end
    CBS#
3.3 Management Interface
Figure 12.
In the following section you will create this portion of the configuration.

    interface gigabitethernet 1/5
      logical mgmt
        circuit mgmt
3.3.1
Define the physical interface to be used by the management circuit.

Command:
    CBS# configure interface gigabitethernet 1/5
    CBS(conf-intf-gig)#

3.3.2

Define the logical interface for the physical interface specified in the previous step.

Command:
    CBS(conf-intf-gig)# logical mgmt
    CBS(intf-gig-logical)#

3.3.3 Assign the circuit to the logical and physical interfaces and return to the main CLI context

Assign the circuit to the logical and physical interfaces specified above. For clarity, the logical name should be the same as, or based on, the circuit name.

Command:
    CBS(intf-gig-logical)# circuit mgmt
    CBS(intf-gig-logical)# end
    CBS#
Next Steps
Configuration of the serialized topology using a single physical interface is complete. Go to Chapter 3 Application Installation on page 39 for information about installing the applications onto each VAP group.

Figure 13.

4.1 LAN Template Circuit

The LAN circuit is a template circuit that must be in place prior to configuring the MLT group interface. This circuit is only used for the MLT group interface. The other circuits used in the MLT interface configuration were created in Section 2.
Figure 14.
In the following section you will create this portion of the configuration.

    circuit LAN
      device-name LAN
      vap-group iss
        promiscuous-mode active
4.1.1
Create a template circuit to be used by the MLT group interface.

Command:
    CBS# configure circuit LAN
    CBS(conf-cct)#

4.1.2

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name.

Command:
    CBS(conf-cct)# device-name LAN
    CBS(conf-cct)#

4.1.3

Assign a VAP group to this circuit.

Command:
    CBS(conf-cct)# vap-group iss
    CBS(conf-cct-vapgroup)#

4.1.4 Set mode to promiscuous-mode active and return to the main CLI context

Setting promiscuous-mode to active allows the circuit to pass all traffic.

Command:
    CBS(conf-cct-vapgroup)# promiscuous-mode active
    CBS(conf-cct-vapgroup)# end
    CBS#
4.2 LAN MLT Group Interface

The LAN MLT group interface attaches physical interfaces to the LAN template circuit, and is defined as a multi-link circuit.
Figure 15.
In the following section you will create this portion of the configuration.

    group-interface LAN
      interface-type gigabitethernet
      mode multi-link circuit LAN
      interface 1/1
      interface 1/2
      interface 1/3
33
4.2.1

Define the LAN interface as a group interface.

Command:
    CBS# configure group-interface LAN
    CBS(conf-group-intf)#

4.2.2 Configure the interface type and return to the interface configuration context

Define the interface type as gigabitethernet or 10gigabitethernet, and return to the interface configuration context.

Command:
    CBS(conf-group-intf)# interface-type gigabitethernet
    CBS(conf-grp-intf-gig)# exit
    CBS(conf-group-intf)#

4.2.3

Define the interface mode as multi-link, and assign the circuit.

Command:
    CBS(conf-group-intf)# mode multi-link circuit LAN
    CBS(conf-group-intf)#

4.2.4 Configure the physical interfaces and return to the main CLI context

Assign interfaces to the MLT group interface and exit the configuration mode. Using end returns you to the main CLI context and prepares you for the next step.

Command:
    CBS(conf-group-intf)# interface 1/1
    CBS(conf-grp-intf-intf)# exit
    CBS(conf-group-intf)# interface 1/2
    CBS(conf-grp-intf-intf)# exit
    CBS(conf-group-intf)# interface 1/3
    CBS(conf-grp-intf-intf)# end
    CBS#

NOTE: To prevent a loss of traffic to the VAP groups, consider spreading MLT interfaces across more than one NPM. In the case of an NPM failure, traffic can continue to flow on the other NPMs.
4.3 MLT Group Interface Bridge

The MLT group interface bridge connects the Layer 2 bridge and the internal circuit for serialization, and then attaches to the LAN MLT group interface.
Figure 16.
In the following section you will create this portion of the configuration.

    group-interface bridge
      interface-type gigabitethernet
      mode transparent circuit bridge
      interface-internal circuit SerialOne
      group LAN
4.3.1
Configure a group interface bridge using MLT.

Command:
    CBS# configure group-interface bridge
    CBS(conf-group-intf)#

4.3.2

Define the interface type as gigabitethernet or 10gigabitethernet.

Command:
    CBS(conf-group-intf)# interface-type gigabitethernet
    CBS(conf-grp-intf-gig)# exit
    CBS(conf-group-intf)#

4.3.3

Transparent mode allows ISS to provide the bridging mechanism.

Command:
    CBS(conf-group-intf)# mode transparent circuit bridge
    CBS(conf-group-intf)#

4.3.4

Connect the group interface bridge with the internal circuit for serialization.

Command:
    CBS(conf-group-intf)# interface-internal circuit SerialOne
    CBS(conf-group-intf-intf)# exit
    CBS(conf-group-intf)#

4.3.5 Associate the MLT group with the group interface bridge and return to the main CLI context

The group interface bridge is attached to the MLT group interface, LAN.

Command:
    CBS(conf-group-intf)# group LAN
    CBS(conf-group-intf)# end
    CBS#
4.4 WAN MLT Group Interface

The WAN group interface attaches physical interfaces to the wan circuit, and is defined as a multi-link circuit.
Figure 17.
In the following section you will create this portion of the configuration.

    group-interface wan
      interface-type gigabitethernet
      mode multi-link circuit wan
      interface 2/1
      interface 2/2
      interface 2/3
4.4.1
Define the wan interface as a group interface.

Command:
    CBS# configure group-interface wan
    CBS(conf-group-intf)#

4.4.2 Configure the interface type and return to the interface configuration context

Define the interface type as gigabitethernet or 10gigabitethernet, and return to the interface configuration context.

Command:
    CBS(conf-group-intf)# interface-type gigabitethernet
    CBS(conf-grp-intf-gig)# exit
    CBS(conf-group-intf)#

4.4.3

Define the interface mode as multi-link, and assign the circuit.

Command:
    CBS(conf-group-intf)# mode multi-link circuit wan
    CBS(conf-group-intf)#

4.4.4

Assign interfaces to the wan group interface and exit the configuration mode. Using end returns you to the top level of the CLI and prepares you for the next step.

Command:
    CBS(conf-group-intf)# interface 2/1
    CBS(conf-grp-intf-intf)# exit
    CBS(conf-group-intf)# interface 2/2
    CBS(conf-grp-intf-intf)# exit
    CBS(conf-group-intf)# interface 2/3
    CBS(conf-grp-intf-intf)# end
    CBS#

NOTE: To prevent a loss of traffic to the VAP groups, consider spreading MLT interfaces across more than one NPM. In the case of an NPM failure, traffic can continue to flow on the other NPMs.
4.5 Management Interface

Refer to Management Interface on page 29 to configure a physical interface for the shared management circuit. As an alternative, see Individual Management Circuits on page 45 for instructions on how to split the management circuits into individual interfaces.
Next Steps
Configuration of the serialized topology using MLT interfaces is complete. Go to Chapter 3 Application Installation on page 39 for information about installing the applications onto each VAP group.

Chapter 3: Application Installation

After completing the XOS configuration steps, you can install the individual applications. We recommend installing the applications in the order presented here.

    Installation Considerations on page 39
    Install and Configure Proventia Network IPS on page 39
    Install and Configure Check Point on page 41
Installation Considerations
In addition to the Application Requirements on page 11, you should be aware of the following APM considerations:

    Max load and VAP count must be the same. In order to install Proventia Network IPS, the max load count must match the VAP count.
    The module must be in the Up state.
    IPS management interfaces must be Up.
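The constraints this guide states in several places can be checked mechanically against a show running-config dump before either application install is started. The following Python script is an added example, not Crossbeam or IBM tooling. It parses the vap-group and circuit blocks of the dump and verifies the rules from 1.1.4, 1.2.4 and the Installation Considerations above (max-load-count must equal vap-count), 1.1.5 (the ISS VAP group needs a load-balancing ip-flow-rule), 2.1.4 and 2.2.5 (ISS traffic circuits need promiscuous-mode active), 2.2.3 and 2.3.2 (device names on VSX-facing circuits are limited to 4 characters when VLANs are in use), 2.2 (an internal circuit must join the ISS and VSX groups, or nothing is serialized) and 2.5.4 (the per-VAP management addresses produced by increment-per-vap must stay inside the circuit's subnet and must not collide with the base address). The sample configuration is constructed from this guide's own fragments. Two things are assumed rather than taken from the page: that show running-config indents nested lines under column-0 objects, and that increment-per-vap gives VAP member N the address start + N - 1.

```python
"""Lint an XOS running-config dump for the serialized ISS -> VSX topology (added example)."""
import ipaddress

# Constructed sample: this guide's vap-group and circuit fragments, laid out the way
# `show running-config` prints them (assumed: nested lines are indented under column-0 objects).
SAMPLE_CONFIG = """\
vap-group iss xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap3 ap4 ap5
  ip-flow-rule iss_lb
    action load-balance
    activate
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
circuit bridge
  device-name bridge
  vap-group iss
    promiscuous-mode active
circuit SerialOne internal
  device-name Ser1
  vap-group iss
    promiscuous-mode active
  vap-group vsx
circuit mgmt
  device-name mgmt
  vap-group iss
    management-circuit
    ip 172.16.19.62/24 increment-per-vap 172.16.19.65
  vap-group vsx
"""

def parse_config(text):
    """Return ({vap_group: attrs}, {circuit: attrs}) parsed from running-config text."""
    vap_groups, circuits, section, member = {}, {}, None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words: continue
        kw = words[0]
        if raw[0] not in " \t":                    # column 0 starts a new top-level object
            member = section = None                # interfaces etc. are not linted here
            if kw == "vap-group":
                section = vap_groups[words[1]] = {"vap_count": 0, "max_load": 0, "ap_list": [], "flow_rules": []}
            elif kw == "circuit":
                section = circuits[words[1]] = {"device_name": "", "vap_groups": {}, "internal": "internal" in words[2:]}
        elif section is not None and "ap_list" in section:       # inside a vap-group block
            if kw == "vap-count":
                section["vap_count"] = int(words[1])
            elif kw == "max-load-count":
                section["max_load"] = int(words[1])
            elif kw == "ap-list":
                section["ap_list"] = words[1:]
            elif kw == "ip-flow-rule":
                section["flow_rules"].append(words[1])
        elif section is not None:                                 # inside a circuit block
            if kw == "vap-group":                                 # per-VAP-group sub-block of the circuit
                member = section["vap_groups"].setdefault(words[1], {"promiscuous": False, "mgmt": False, "ip": None})
            elif kw == "device-name":
                section["device_name"] = words[1]
            elif member is not None and kw == "promiscuous-mode":
                member["promiscuous"] = words[1] == "active"
            elif member is not None and kw == "management-circuit":
                member["mgmt"] = True
            elif member is not None and kw == "ip":
                member["ip"] = (words[1], words[3] if "increment-per-vap" in words else None)
    return vap_groups, circuits

def vap_management_addresses(base_cidr, start, vap_count):
    """Per-VAP addresses for `ip <base_cidr> increment-per-vap <start>`; assumed: member N gets start + N - 1."""
    return [str(ipaddress.ip_address(start) + i) for i in range(vap_count)]

def check_serialized_config(text, vlans_in_use=True, ips="iss", vsx="vsx"):
    """Return a list of findings; an empty list means every check passed."""
    vap_groups, circuits = parse_config(text)
    findings, serialized = [], False
    for name, vg in vap_groups.items():
        if vg["vap_count"] != vg["max_load"]:                     # both application installers require this
            findings.append(f"{name}: max-load-count {vg['max_load']} != vap-count {vg['vap_count']}")
    if ips in vap_groups and not vap_groups[ips]["flow_rules"]:
        findings.append(f"{ips}: no ip-flow-rule, so traffic is not load-balanced across its members")
    for cname, cct in circuits.items():
        m = cct["vap_groups"]
        if ips in m and m[ips]["mgmt"]:                           # management circuit: check the per-VAP address plan
            base, start = m[ips]["ip"] or (None, None)
            if start:
                iface = ipaddress.ip_interface(base)
                addrs = vap_management_addresses(base, start, vap_groups[ips]["vap_count"])
                if str(iface.ip) in addrs or any(ipaddress.ip_address(a) not in iface.network for a in addrs):
                    findings.append(f"circuit {cname}: per-VAP addresses {addrs} collide with {base} or leave its subnet")
        elif ips in m and not m[ips]["promiscuous"]:              # traffic circuit on the IPS
            findings.append(f"circuit {cname}: {ips} needs promiscuous-mode active to pass traffic")
        if vsx in m and vlans_in_use and len(cct["device_name"]) > 4:
            findings.append(f"circuit {cname}: device-name '{cct['device_name']}' exceeds 4 characters on a VSX circuit")
        serialized = serialized or (cct["internal"] and ips in m and vsx in m)
    if not serialized:
        findings.append(f"no internal circuit joins {ips} and {vsx}: the applications are not in series")
    return findings
```

Call check_serialized_config() on the captured text of show running-config; an empty result means every check passed, and each finding names the VAP group or circuit to correct. Pass vlans_in_use=False for a topology without 802.1q trunks, where the 4-character device-name limit does not apply.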
Install and Configure Proventia Network IPS
Application Prerequisites
Please refer to the IBM Proventia Network IPS documentation for a complete list of prerequisites and restrictions.
At the XOS CLI prompt, enter the following command to run the Proventia Network IPS application CBI and begin the installation procedure:
CBS# application issprovg vap-group iss install
Interview Process
The ISS CBI displays the interview program and begins the installation. Below are example answers based on the serial topology described in this book. Complete the questions in the interview to install Proventia Network IPS. If necessary, refer to the Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems.
This example interview installs Proventia Network IPS using the agent name iss, in protection mode (p), and defines the management circuit as the shared management circuit (mgmt). The password you set during the interview is the Proventia Manager admin credential for this VAP group.

CBS# application issprovg vap-group iss install
IBM Internet Security Systems, IBM Proventia Network IPS 2.0 release 1
Checking Bundle Integrity: [####################] 100% [ ok ]
Checking Dependencies: [####################] 100% [ ok ]
International Program License Agreement
Part 1 - General Terms
<License Disclaimer Here>
Press ENTER to read or 'q' to quit: q
Accept the license agreement? [n]: y
============================================================================
Answer the questions below to configure this application.
Type '?' for help.
Change password for Proventia Manager user 'admin':
Password:
Confirm Password:
Agent Name? [Proventia_GC1200]: iss
Adapter Mode Configuration? [s]: p
Management Port Interface? [provgmgmt]: mgmt
Are any changes needed? [n]:
============================================================================
** A vap-group reload is required for the change(s) to take affect. **
Extracting Bundle: [####################] 100% [ ok ]
Installing issprovg on VAP iss: [######## ]

Once the installation is complete, you must reload the ISS VAP group.
CBS# reload vap-group iss
Proceed with reload? <Y or N> [Y]:Y
Install and Configure Check Point
Application Prerequisites
Please refer to the Check Point documentation for a complete list of prerequisites and restrictions.
Interview Process
Starting the application install displays the VSX interview program. Below are example answers based on the serial topology in the previous chapter. Complete the interview questions to install the application.
The following example installs VPN-1 Power VSX NGX R65 with the following information:
Specify the shared management circuit as mgmt, and the IP address that will be put under the management circuit definition. The IP addresses of the remaining VAPs are calculated automatically by incrementing the management IP by one per VAP. The starting IP used in this configuration example is 172.16.19.66.
Specify the name of the synchronization circuit you configured: sync.

CBS# application vsx vap-group vsx install
This program will help you install Check Point Software Technologies Ltd. (TM)VPN-1 Power VSX NGX R65 (R) software on the X-series platforms
Press Enter to continue ...
This End-user License Agreement...
<License Disclaimer Here>
Do you accept this license agreement? (y/n) [n]: y
Welcome to the Check Point VPN-1 Power VSX NGX R65 Configuration Program for the X Series platforms.
=========================================================================
This program will allow you to install VPN-1 Power VSX NGX R65 Enforcement Module on X Series platforms.
Checking available options. Please wait...
Configuring VAP Group "vsx" with VAPs: 1 2 3
Enter the interface name from which you want to manage the VSX system (): mgmt
Will this interface be used in non-DMI configuration, managed by a Remote CMA? (y/n) [n] n
VPN-1 Power VSX NGX R65 VAP Group vsx, VAP1==>>
Enter the IP address that will be used to manage the first cluster member
[NOTE: Because of increment-per-vap order restriction, IP addresses on management interface for remaining cluster members will be based on this IP address] (): 172.16.19.66
VPN-1 Power VSX NGX R65 VAP Group vsx, VAP2==>>
IP address for the management interface on this cluster member
[NOTE: Make sure this IP address is available ] (172.16.19.67):
VPN-1 Power VSX NGX R65 VAP Group vsx, VAP3==>>
IP address for the management interface on this cluster member
[NOTE: Make sure this IP address is available ] (172.16.19.68):
Enter the netmask for the management interface (): 255.255.255.0
Enter the name of the interface that will be used for synchronization with other cluster members (): sync
Please wait ...
You will now be prompted to enter a one time 'Activation Key' that will be used to establish trust with the Check Point Management Server
NOTE: This Activation Key will be used for all VAPs in the VAP Group
Enter SIC Activation Key>
Again SIC Activation Key>
Central license information can be downloaded from the Management station.
Do you want to enter Local license information at this time ? (y/n) n
Do you want to Enable Check Point SecureXL? (y/n) y
Do you want to Enable High Availability/State Synchronization? (y/n) y
******************************************************************
*                                                                *
* At the Check Point Management Station, make sure that each VAP *
* from this VAP Group is in the same VSX Cluster                 *
*                                                                *
******************************************************************
==================================================
Setup configuration is complete.
Do you wish to modify the configured settings? (y/n) n
-----------------------------------------------------------
Performing System Checks
vsx_1: Validated. System Ready for VPN-1 Power VSX NGX R65 Installation
vsx_2: Validated. System Ready for VPN-1 Power VSX NGX R65 Installation
vsx_3: Validated. System Ready for VPN-1 Power VSX NGX R65 Installation
==================================================================
VPN-1 Power VSX NGX R65 will be installed/configured on the following vaps: 1 2 3
=================================================================
If all VAPs are not reported as Validated above, then this is an opportunity to exit this script by choosing 'n' below. Then fix the problems reported above and restart this script again.
Continue (y/n) ?: y

Once the installation has completed, you must reload the VSX VAP group.
CBS# reload vap-group vsx
Proceed with reload? <Y or N> [Y]:Y
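The interview above derives the management address of every cluster member from the one you type for VAP1 by adding one per VAP, and only asks you to confirm that each derived address is available. The following script, an added example that is not part of this guide, of XOS or of Check Point, reproduces that derivation and checks the resulting plan before you accept the prompts: every address must lie inside the management subnet, must not be the subnet's network or broadcast address, and must not collide with an address already in use. The list of addresses in use and the network/broadcast rule are assumptions of the example.

```python
"""Derive the per-VAP management addresses that the VSX interview above
assigns from the first cluster member's address (VAP1 = the address you
enter, each further VAP = previous + 1) and check the plan before
accepting the prompts.  Added example, not Check Point or XOS code.
The "in use" addresses passed to check_plan are constructed for the
example, as is the requirement that no VAP lands on the network or
broadcast address of the management subnet."""
import ipaddress


def vap_management_addresses(first_ip, vap_count):
    """Management address for each VAP, VAP 1 first."""
    if vap_count < 1:
        raise ValueError("vap_count must be >= 1")
    base = ipaddress.IPv4Address(first_ip)
    return [base + i for i in range(vap_count)]


def check_plan(first_ip, netmask, vap_count, in_use=()):
    """Return the problems with the address plan; an empty list means it is sound."""
    net = ipaddress.IPv4Network(f"{first_ip}/{netmask}", strict=False)
    used = {ipaddress.IPv4Address(a) for a in in_use}
    problems = []
    for n, addr in enumerate(vap_management_addresses(first_ip, vap_count), 1):
        if addr not in net:
            problems.append(f"VAP{n} {addr} falls outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"VAP{n} {addr} is the network or broadcast address")
        if addr in used:
            problems.append(f"VAP{n} {addr} is already in use")
    return problems


if __name__ == "__main__":
    # The interview above: first member 172.16.19.66, three VAPs, /24.
    for n, addr in enumerate(vap_management_addresses("172.16.19.66", 3), 1):
        print(f"VAP{n}: {addr}")
    # A starting address too close to the end of the subnet: VAP3 would
    # land on the broadcast address.
    for p in check_plan("172.16.19.253", "255.255.255.0", 3):
        print("PROBLEM:", p)
```

Feed check_plan the addresses already assigned on the shared management circuit (for example those of the ISS VAP group) so that the "increment-per-vap" run does not silently overlap them.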
4
Advanced Configurations
This chapter provides the following advanced serial configuration information:
IPS to VSX NGX R65 to IPS on page 45, which includes adding a second ISS VAP group and a third MLT interface.
Individual Management Circuits on page 49 provides information for configuring individual management circuits for each VAP group.
Multi-System High Availability Using VRRP on page 49 is a stepped procedure to configure Multi-System High Availability.
Figure 18.
The configuration is provided as a whole, rather than broken into individual steps. If you need information about how to perform a specific configuration task, see the relevant section in Chapter 2.

vap-group iss xslinux_v3
vap-count 3
max-load-count 3
ap-list ap3 ap4 ap5
load-balance-vap-list 1 2 3
ip-flow-rule iss_lb
action load-balance
activate
vap-group vsx xslinux_v3
vap-count 3
max-load-count 3
ap-list ap7 ap8 ap9
load-balance-vap-list 1 2 3
vap-group iss2 xslinux_v3
vap-count 2
max-load-count 2
ap-list ap6 ap10
load-balance-vap-list 1 2
ip-flow-rule iss2_lb
action load-balance
activate
#
circuit mgtvsx
device-name mgtvsx
vap-group vsx
circuit mgtiss
device-name mgtiss
vap-group iss
management-circuit
ip 192.168.0.49/24 192.168.0.255 increment-per-vap 192.168.0.50
vap-group iss2
management-circuit
ip 192.168.0.51/24 192.168.0.255 increment-per-vap 192.168.0.52
circuit sync internal
device-name sync
vap-group vsx
circuit lan
device-name lan
vap-group iss
promiscuous-mode active
circuit wan
device-name wan
vap-group vsx
circuit dmz
device-name dmz
vap-group iss2
circuit bridge1
device-name bridge1
vap-group iss
promiscuous-mode active
circuit bridge2
device-name bridge2
vap-group iss2
promiscuous-mode active
circuit SerialOne internal
device-name Ser1
vap-group vsx
vap-group iss
promiscuous-mode active
circuit SerialTwo internal
device-name Ser2
vap-group vsx
vap-group iss2
promiscuous-mode active
#
interface gigabitethernet 1/1
logical mgtiss
circuit mgtiss
interface gigabitethernet 4/1
logical mgtvsx
circuit mgtvsx
#
group-interface lan
interface-type gigabitethernet
mode multi-link
circuit lan
interface 1/2
interface 1/3
interface 4/2
interface 4/3
group-interface wan
interface-type gigabitethernet
mode multi-link
circuit wan
interface 1/6
interface 1/7
interface 4/6
interface 4/7
group-interface dmz
interface-type gigabitethernet
mode multi-link
circuit dmz
interface 1/4
interface 1/5
interface 2/4
interface 2/5
group-interface bridge1
interface-type gigabitethernet
mode transparent
circuit bridge1
interface-internal circuit SerialOne
group lan
group-interface bridge2
interface-type gigabitethernet
mode transparent
circuit bridge2
interface-internal circuit SerialTwo
group dmz
#
ip route 10.0.0.0/8 192.168.0.1 vap-group iss circuit mgtiss
ip route 192.168.0.0/16 192.168.0.1 vap-group iss circuit mgtiss
ip route 10.0.0.0/8 192.168.0.1 vap-group iss2 circuit mgtiss
ip route 192.168.0.0/16 192.168.0.1 vap-group iss2 circuit mgtiss
Figure 19.
5.1
From each system, configure the remote system ID and IP address. The remote system ID is specific to the system, and in this example is 20. The IP to be used is the address of the CPM on the other system. Return to the main CLI context after completing the command.
IMPORTANT: When configuring multiple systems for high availability, each system must have a unique ID. If systems are configured with duplicate IDs, you run the risk of having identical MAC addresses on any given circuit.
Command:
CBS# configure remote-box 20 172.16.1.20
CBS(conf-remote-box)# end
CBS#
5.2
In the following section you will create this portion of the configuration.
This physical interface provides an external link to the internal synchronization circuits within the VSX VAPs. It is this connection that allows the VSX VAP groups on separate systems to communicate with one another. Return to the main CLI context after completing the command.
Command:
CBS# configure interface gigabitethernet 4/2
CBS(conf-intf-gig)# logical sync
CBS(intf-gig-logical)# circuit sync
CBS(intf-gig-logical)# end
5.3
A failover group is a grouping of one or more virtual routers. A virtual router (VR) identifies the circuits and their associated VAP groups for high availability. Only a failover group, not the entire system or an individual VAP group, can fail over to a standby failover group on another system.
In the following section you will create this portion of the configuration on each system.

vrrp failover-group vrrp_vsx failover-group-id 200
priority 200
monitor-interface gigabitethernet 1/1
virtual-router vrrp-id 10 circuit wan
priority-delta 2
mac-usage vrrp-mac
vap-group vsx
virtual-router vrrp-id 20 circuit SerialOne
priority-delta 2
mac-usage vrrp-mac
vap-group vsx

Configure the VRRP failover groups on each system. The configurations should be identical, except for the priority value. The system with the lower value will assume the backup status.
5.3.1
Create the failover group by assigning it a name (vrrp_vsx) and ID. The ID must be unique on this system, and must be the same on its counterpart failover group on the other system.
Command:
CBS# configure vrrp failover-group vrrp_vsx failover-group-id 200
CBS(conf-vrrp-failover-group)#
5.3.2
Set the VRRP priority. Valid values are 1 to 255. The default is 100. The chassis that has the failover group with the highest priority becomes the master for this failover group. Certain events, such as a link failure or a change in VAP group member count, decrement the priority. A chassis failover occurs if a failover group's priority drops below the priority of the failover group on the other chassis.
Command:
CBS(conf-vrrp-failover-group)# priority 200
CBS(conf-vrrp-failover-group)#
5.3.3
Determine which interface to monitor and set a priority-delta for each one
Determine which interface to monitor and set the priority-delta. In this serialized topology, the physical interface used in the transparent-mode (bridge) group-interface is specified. If there are additional bridge group-interfaces, they should be specified here. The priority-delta decrements the failover group's VRRP priority whenever the interface fails.
Command:
CBS(conf-vrrp-failover-group)# monitor-interface gigabitethernet 1/1
CBS(conf-vrrp-failover-group)#
5.3.4
Create a virtual router, assign an ID, and attach it to an existing circuit. VSX will use this template for creating and configuring virtual routers.
Command:
CBS(conf-vrrp-failover-group)# virtual-router vrrp-id 10 circuit wan
CBS(conf-vrrp-failover-group)#
5.3.5
Set the VR to use the VRRP virtual MAC address. This is the mac-usage vrrp-mac line in the failover-group configuration listed at the start of 5.3.
5.3.6
Assign a priority-delta to the VR. The priority-delta decrements the failover group's VRRP priority whenever an interface on the VR fails. The priority-delta can be 1 to 255. The default is 1. The priority-delta is added back to the priority when the interface returns to the Up state.
CBS(conf-vrrp-failover-group-virtual-router)# priority-delta 2
CBS(conf-vrrp-failover-group-virtual-router)#
5.3.7
Specify the VAP group of the VR. The circuit, named in 5.3.4 above, must already be mapped to the VAP group. Then exit the context to prepare for the next step.
CBS(conf-vrrp-failover-group-virtual-router)# vap-group vsx
CBS(conf-vrrp-failover-group-virtual-router)# exit
CBS(conf-vrrp-failover-group)#
5.3.8
Configure the internal circuit for serialization as part of the failover group
virtual-router vrrp-id 20 circuit SerialOne
priority-delta 2
mac-usage vrrp-mac
vap-group vsx
Repeat steps 5.3.4 to 5.3.7 to include the internal circuit for serialization (SerialOne, vrrp-id 20) in the failover group.
5.4
In the following section you will create this portion of the configuration.
Once the failover group is configured and the VAP group is added to the failover list, configure the VAP group for High Availability.
5.4.1
Enable VRRP on the vsx VAP group.
CBS# configure vrrp vap-group vsx
CBS(conf-vrrp vap-group)#
5.4.2
Assign the failover group to a failover group list.
CBS(conf-vrrp vap-group)# failover-group-list vrrp_vsx
CBS(conf-vrrp vap-group)#
5.4.3
Use hold-down-timer to have a VAP group wait between 1 and 3600 seconds before becoming the VRRP Master. This can prevent an application from dropping connections should a rapid failover occur from Master to Backup and back to Master.
CBS(conf-vrrp vap-group)# hold-down-timer 60
CBS(conf-vrrp vap-group)#
5.4.4
Set the priority delta for the group and return to the main CLI context
Assign a priority-delta to the VAP group. The priority-delta decrements the failover group's VRRP priority when the VAP group loses a member (see 5.3.2), and is added back when the VAP group returns to the Up state. The priority-delta can be 1 to 255. The default is 1. 50 is used here as an example.
CBS(conf-vrrp vap-group)# priority-delta 50
CBS(conf-vrrp vap-group)# end
CBS#
NOTE: Before continuing to the next step, you must complete the installation and configuration of Check Point VPN-1 Power VSX NGX R65.
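Whether a given failure actually causes a chassis failover depends on the spread between the two systems' priorities and on the priority-deltas configured in 5.3.3, 5.3.6 and 5.4.4, and that arithmetic is worth checking before relying on it. The following model, an added example that is not part of this guide or of XOS, implements the rules stated in those steps: each monitored interface, VR circuit or VAP group subtracts its priority-delta while it is down and adds it back on recovery, the failover group with the higher effective priority is master, and the backup takes over when the master drops strictly below it. The backup chassis priority of 190, the tie-handling rule and the floor of 0 are assumptions of the example; the hold-down-timer of 5.4.3 is not modelled.

```python
"""Model of the VRRP priority arithmetic described in 5.3.2, 5.3.3,
5.3.6 and 5.4.4: each monitored interface, VR circuit or VAP group
carries a priority-delta that is subtracted from the failover group's
priority while it is down and added back when it recovers; the chassis
whose failover group holds the higher priority is master, and a
failover occurs when the master's priority drops below the backup's.
Added example, not XOS code.  The backup chassis priority (190) is
constructed for the example; ties are assumed to keep the current
master, and the priority is assumed never to go below 0."""


class FailoverGroup:
    def __init__(self, chassis, priority):
        if not 1 <= priority <= 255:
            raise ValueError("priority must be 1..255")
        self.chassis = chassis
        self.base_priority = priority
        self.deltas = {}     # monitored object -> priority-delta
        self.down = set()    # monitored objects currently failed

    def monitor(self, what, priority_delta=1):
        """Register a monitored interface, VR circuit or VAP group."""
        if not 1 <= priority_delta <= 255:
            raise ValueError("priority-delta must be 1..255")
        self.deltas[what] = priority_delta

    def link_down(self, what):
        if what not in self.deltas:
            raise ValueError(f"{what} is not monitored")
        self.down.add(what)

    def link_up(self, what):
        self.down.discard(what)

    @property
    def priority(self):
        """Effective VRRP priority: base minus the delta of every failed object."""
        return max(0, self.base_priority - sum(self.deltas[w] for w in self.down))


def master_of(groups, current=None):
    """The failover group that is master: highest effective priority;
    on a tie the current master (if given) keeps the role."""
    best = max(groups, key=lambda g: g.priority)
    if current is not None and current.priority == best.priority:
        return current
    return best


def min_loss_to_fail_over(master, backup):
    """Smallest total priority-delta the master must lose before the
    backup takes over (the master must drop strictly below the backup)."""
    return max(0, master.priority - backup.priority + 1)


def example_pair():
    """Two chassis configured as in 5.3-5.4: identical monitors, priorities 200 and 190."""
    a, b = FailoverGroup("A", 200), FailoverGroup("B", 190)
    for g in (a, b):
        g.monitor("gigabitethernet 1/1", 2)   # 5.3.3 monitor-interface
        g.monitor("circuit wan", 2)           # 5.3.6 VR priority-delta
        g.monitor("circuit SerialOne", 2)     # 5.3.8 second VR
        g.monitor("vap-group vsx", 50)        # 5.4.4 VAP group priority-delta
    return a, b


if __name__ == "__main__":
    a, b = example_pair()
    print("loss needed for failover:", min_loss_to_fail_over(a, b))
    a.link_down("gigabitethernet 1/1")
    print("A after 1/1 down:", a.priority, "master:", master_of([a, b], a).chassis)
    a.link_down("vap-group vsx")
    print("A after VAP loss:", a.priority, "master:", master_of([a, b], a).chassis)
```

With a spread of 10 between the chassis, a single interface failure (delta 2) leaves chassis A master, while losing a VAP (delta 50) hands the failover group to chassis B; a spread larger than the sum of all deltas would mean no monitored failure ever triggers a failover, which is the condition min_loss_to_fail_over lets you spot.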
5.5
In the following section you will create this portion of the configuration.
In order for the VSX VAP group to use VRRP, the application must be able to monitor the physical interfaces on either end of the topology. The VSX VAP group can monitor the physical interface to which it is attached. The ability to monitor the physical interface connected to the ISS VAP group was configured in step 5.3.3. The next hop health check is an optional setting to verify IP connectivity from the VSX VAP group, through the ISS VAP group, and out to the next hop gateway. It is highly recommended to use both physical interface monitoring and the next hop health check.
After installing and configuring the Check Point VPN-1 Power VSX NGX R65 application, return to the command line interface. To configure the Next Hop Health Check, perform the following tasks.
5.5.1
Use the show run command to display the APM running configuration. To configure the Next Hop Health Check you will need information about the internal circuit for serialization between the VSX VAP group and the ISS VAP group.
Command:
CBS# show run
5.5.2
Select the internal circuit that connects the two VAP groups
Under the VRRP failover group configured previously, find the internal circuit that connects the VSX VAP group and the ISS VAP group.
NOTE: The Check Point application appends information to the circuit name for internal identification. Identify a usable circuit by looking for the following:
The name of the VSX application VAP group (in this guide, the VAP group is vsx)
The name of the internal circuit for serialization (in this guide, the internal circuit for serialization is ser1)
The vlan id you assigned to the circuit using the VSX GUI during the application installation and configuration process (in this example, the vlan id used is 3001)
In this sample configuration copied from the running configuration, all three items appear in the circuit name vsx_ckt_vsx_internal_ser1_3001 (VAP group vsx, internal circuit ser1, vlan id 3001).
virtual-router vrrp-id 22 circuit vsx_ckt_vsx_internal_ser1_3001
priority-delta 2
mac-usage vrrp-mac
backup-stay-up
vap-group vsx
ip 10.10.1.1 255.255.255.0 10.10.1.255
5.5.3
Configure the next hop health check and return to the main CLI context
Enter the VRRP failover group configured previously (vrrp_vsx, ID 200).
Command:
CBS# configure vrrp failover-group vrrp_vsx failover-group-id 200
CBS(conf-vrrp-group)#
5.5.4
Specify the virtual router identified above.
Command:
CBS(conf-vrrp-group)# virtual-router vrrp-id 22 circuit vsx_ckt_vsx_internal_ser1_3001
CBS(conf-vrrp-failover-vr)#
5.5.5
Specify the VAP group of the VR, which changes context for the next step.
Command:
CBS(conf-vrrp-failover-vr)# vap-group vsx
CBS(conf-vrrp-vr-vapgroup)#
5.5.6
Configure the next hop IP, and return to the main CLI context
Configure the next hop IP check. Specify the IP of an external host (external to the X-Series platform) and return to the main CLI context. 10.10.1.10 is used here as an example.
Command:
CBS(conf-vrrp-vr-vapgroup)# verify-next-hop-ip 10.10.1.10
CBS(conf-vrrp-vr-vapgroup)# end
CBS#
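Steps 5.5.1 to 5.5.6 amount to searching show run for the one virtual router whose Check Point-generated circuit name carries the VSX VAP group, the internal serialization circuit and the vlan id, then replaying four commands with that VR's identifiers. The following script, an added example that is not part of this guide, of XOS or of Check Point, does that search over the text of the running configuration, checks that the chosen next hop lies on the subnet configured under that VR, and prints the command sequence of 5.5.3 to 5.5.6. The name layout vsx_ckt_<vap-group>_internal_<circuit>_<vlan> is inferred from the single instance shown in 5.5.2 and is an assumption, as is the on-subnet requirement for the next hop; the sample configuration is constructed from the fragments shown in 5.3 and 5.5.2.

```python
"""Locate, in the text of "show run", the virtual router for the internal
serialization circuit (the name Check Point appends, as 5.5.2 explains,
carries the VSX VAP group, the internal circuit name and the vlan id),
and build the next hop health check commands of 5.5.3-5.5.6 from it.
Added example, not XOS or Check Point code.  The name layout
vsx_ckt_<vap-group>_internal_<circuit>_<vlan> is inferred from the one
instance in this guide and is an assumption; the sample config below is
constructed from the fragments shown in 5.3 and 5.5.2."""
import ipaddress
import re

SAMPLE_RUNNING_CONFIG = """\
vrrp failover-group vrrp_vsx failover-group-id 200
priority 200
monitor-interface gigabitethernet 1/1
virtual-router vrrp-id 10 circuit wan
priority-delta 2
mac-usage vrrp-mac
vap-group vsx
virtual-router vrrp-id 22 circuit vsx_ckt_vsx_internal_ser1_3001
priority-delta 2
mac-usage vrrp-mac
backup-stay-up
vap-group vsx
ip 10.10.1.1 255.255.255.0 10.10.1.255
"""

VR_RE = re.compile(r"^virtual-router\s+vrrp-id\s+(\d+)\s+circuit\s+(\S+)$")
IP_RE = re.compile(r"^ip\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")


def parse_virtual_routers(config_text):
    """Return [{"vrrp_id", "circuit", "ip", "mask"}, ...] in config order."""
    vrs, cur = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = VR_RE.match(line)
        if m:
            cur = {"vrrp_id": int(m.group(1)), "circuit": m.group(2), "ip": None, "mask": None}
            vrs.append(cur)
            continue
        m = IP_RE.match(line)
        if m and cur is not None:          # "ip <addr> <mask> ..." under the current VR
            cur["ip"], cur["mask"] = m.group(1), m.group(2)
    return vrs


def find_serialization_vr(config_text, vap_group, internal_circuit, vlan_id):
    """The VR whose circuit name carries all three identifiers, or None."""
    wanted = f"vsx_ckt_{vap_group}_internal_{internal_circuit}_{int(vlan_id)}"
    for vr in parse_virtual_routers(config_text):
        if vr["circuit"] == wanted:
            return vr
    return None


def next_hop_on_circuit(vr, next_hop_ip):
    """True if the next hop lies in the subnet configured on the VR's circuit
    (a next hop gateway must be directly reachable; assumption of this check)."""
    if vr["ip"] is None or vr["mask"] is None:
        return False
    net = ipaddress.IPv4Network(f"{vr['ip']}/{vr['mask']}", strict=False)
    return ipaddress.IPv4Address(next_hop_ip) in net


def next_hop_check_commands(vr, failover_group, failover_group_id, vap_group, next_hop_ip):
    """The CLI lines of steps 5.5.3 to 5.5.6, filled in from the located VR."""
    return [
        f"configure vrrp failover-group {failover_group} failover-group-id {failover_group_id}",
        f"virtual-router vrrp-id {vr['vrrp_id']} circuit {vr['circuit']}",
        f"vap-group {vap_group}",
        f"verify-next-hop-ip {next_hop_ip}",
        "end",
    ]


if __name__ == "__main__":
    vr = find_serialization_vr(SAMPLE_RUNNING_CONFIG, "vsx", "ser1", 3001)
    if vr is None:
        raise SystemExit("serialization circuit not found under the failover group")
    if not next_hop_on_circuit(vr, "10.10.1.10"):
        raise SystemExit("next hop is not on the circuit's subnet")
    print("\n".join(next_hop_check_commands(vr, "vrrp_vsx", 200, "vsx", "10.10.1.10")))
```

The VR for circuit wan (vrrp-id 10) is deliberately present in the sample so that the search has to discriminate on the full circuit name rather than on the first virtual-router line it meets.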
5
Troubleshooting
This chapter provides information to help you optimize the configuration process and troubleshoot minor issues.
Configuration Tips
Determine your Requirements
Determine your specific topology requirements prior to beginning configuration.
Multiple CLI Sessions
You may find it useful to have multiple CLI sessions running on the CPM during the configuration process. Use one window to create the configuration, and validate your input by using the show running-config command in the other.
Tab Key Validation
Use the Tab key to validate your command syntax. Type a few letters of the command and press the Tab key to complete the command. If the command is not available or is mistyped, pressing the Tab key will not complete the command.
[no] Parameter
Use the [no] parameter to delete erroneous configuration entries.
Verify Your Configuration
Use the show running-config command to verify your configuration at any point during the process. It is useful to review the configuration for transposed letters or numbers. These errors are easily overlooked and can cause unpredictable results.
Context Sensitive Help
For context sensitive help, use the question mark from the command line to view the previously configured options. For example, use configure circuit ? to view all previously configured circuits and command options.
Troubleshooting
Any time you open a support case with Crossbeam Technical Support, make sure you run the command show tech-support and have the results available.
Application Installation
Some things to check if you are having application install issues.
With Proventia Network IPS:
Make sure the correct APMs are being used (see Proventia Network IPS Requirements on page 12).
Verify that the ISS management circuit exists and is correctly configured (see Step 2.5.3 on page 25).
With VSX NGX R65:
Verify that the management circuit exists and is correctly configured (see Step 2.5.1 on page 24).
Use show circuit <name> to verify that the internal sync circuit is correctly configured (see Internal Circuit for Synchronization on page 22).
Management Communications
If there are issues with the management communications from the VAPs, verify that the appropriate routing is in place, and that if a domain name server (DNS) is needed, it is in place and all configuration information is correct.
Appendix A
Sample Configurations
This appendix provides the configuration generated by following the steps in Chapter 2. Use this appendix for reference, or in place of the steps.
interface gigabitethernet 1/2
logical wan
circuit wan
interface gigabitethernet 1/5
logical mgmt
circuit mgmt
#
group-interface L2Br
interface-type gigabitethernet
mode transparent
circuit bridge
interface-internal circuit SerialOne
interface 1/1
device-name lan
#
circuit mgmt
device-name mgmt
vap-group iss
ip 172.16.19.62/24 increment-per-vap 172.16.19.65
vap-group vsx
#
group-interface lan
interface-type gigabitethernet
mode multi-link
circuit lan
interface 1/1
interface 1/2
interface 1/3
group-interface bridge
interface-type gigabitethernet
mode transparent
circuit bridge
interface-internal circuit SerialOne
group lan
group-interface wan
interface-type gigabitethernet
mode multi-link
circuit wan
interface 2/1
interface 2/2
interface 2/3
#