
Deploying Multiple Security Services on the Crossbeam X-Series Platform

Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point VPN-1 Power VSX NGX R65

Part Number 05233A May 2008

Copyright and Trademark Information


Copyright 2008 by Crossbeam Systems Boxborough, MA, USA All Rights Reserved The products, specifications, and other technical information regarding the products contained in this document are subject to change without notice. All information in this document is believed to be accurate and reliable, but is presented without warranty of any kind, expressed or implied, and users must take full responsibility for their application of any products specified in this document. Crossbeam Systems disclaims responsibility for errors that may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document. This material is protected by the copyright and trade secret laws of the United States and other countries. It may not be reproduced, distributed, or altered in any fashion by any entity (either internal or external to Crossbeam Systems), except in accordance with applicable agreements, contracts, or licensing, without the express written consent of Crossbeam Systems. For permission to reproduce or distribute please contact your Crossbeam Systems account executive. This product includes software developed by the Apache Software Foundation: www.apache.org. Crossbeam, Crossbeam Systems, iBeam, X40, X45, X80 and any logos associated therewith are trademarks or registered trademarks of Crossbeam Systems, Inc. in the U.S. Patent and Trademark Office, and several international jurisdictions. All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Contents
Chapter 1: About This Guide
    Intended Audience  5
    Related Documentation  5
        Crossbeam Systems Documentation  5
        Other Documentation  5
    Conventions  6
        Typographical Conventions  6
        Cautions, Warnings, and Notes  7
    Crossbeam Systems Customer Support  8

Chapter 1: Introduction
    Serialization and Secure Flow Processing  9
    Applications Used in this Topology  9
    Serialized Application Topology  10

Chapter 2: Configuring Serialization
    Requirements To Support this Topology  11
        X-Series Module Requirements  11
        Application Requirements  11
            Proventia Network IPS Requirements  12
            Check Point VPN-1 Power VSX NGX R65 Requirements  12
    Configuration Overview  12
        Serialization Using Single Interfaces  12
    Create VAP Groups  14
        ISS VAP Group  14
        VSX VAP Group  16
    Configure Circuits  17
        Bridge Circuit  17
        Internal Circuit for Serialization  19
        WAN Circuit  21
        Internal Circuit for Synchronization  22
        Shared Management Circuit  23
    Configure the Physical Interfaces  25
        Group Interface Bridge  26
        WAN Interface  28
        Management Interface  29
        Next Steps  30
    Configure the MLT Group Interfaces  31
        LAN Template Circuit  32
        LAN MLT Group Interface  33
        MLT Group Interface Bridge  35
        WAN MLT Group Interface  37
        Management Interface  38
        Next Steps  38

Chapter 3: Application Installation
    Installation Considerations  39
    Install and Configure Proventia Network IPS  39
        Application Prerequisites  39
        Installing Proventia Network IPS  39
            Install the Application onto a VAP Group  39
            Interview Process  40
        Configure Proventia Network IPS Using Proventia Manager  40
    Install and Configure Check Point  41
        Application Prerequisites  41
        Installing the Application  41
            Install the Application onto a VAP Group  41
            Interview Process  41
        Create Virtual Devices and Circuits Using the VSX GUI  43

Chapter 4: Advanced Configurations
    IPS to VSX NGX R65 to IPS  45
    Individual Management Circuits  49
    Multi-System High Availability Using VRRP  49
        Configure the Remote System ID and IP Address  50
        Assign a Physical Interface to the Internal Synchronization Circuit  51
        Configure the VRRP Failover Groups  51
        Enable VRRP on the VAP Group  53
        Configure Next Hop Health Check  54

Chapter 5: Troubleshooting
    Configuration Tips  57
    Troubleshooting  57
        Application Installation  57
        Management Communications  58
        VAP Traffic Issues  58
        Troubleshooting from the Command Line  59

Appendix A: Sample Configurations
    Configuration of the Single Physical Interface Topology  61
    Configuration of the MLT Group Interface Topology  62

About This Guide


This guide provides information for configuring the X-Series platform to run multiple applications in series. This guide assumes that you have already installed the X-Series platform hardware, and that you have a basic understanding of how the X-Series platform is designed and operates.

Intended Audience
This guide is intended for system integrators and other qualified service personnel responsible for installing, configuring, and managing the Crossbeam X-Series platform.

Related Documentation
Crossbeam Systems Documentation
These documents are provided on the Crossbeam Systems Documentation CD and are available through the Crossbeam Systems support Web site located at http://www.crossbeam.com/services/online_support.php.

- X40-X80 Security Switch Hardware Installation Guide
- X45 Security Switch Hardware Installation Guide
- XOS Configuration Guide
- Deploying Multiple Security Services on the Crossbeam X-Series Platform Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point VPN-1 Power NGX R65
- Deploying Multiple Security Services on the Crossbeam X-Series Platform Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point VPN-1 Power VSX NGX R65 with Bridged Virtual Systems
- Deploying Multiple Security Services on the Crossbeam X-Series Platform Using IBM Proventia Network IPS 2.0 for Crossbeam and Check Point Layer-2 Firewall
- XOS V8.1 Command Reference Guide
- Install Server User Guide
- XOS V8.1 Release Notes

Other Documentation
- Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems, located at http://www.iss.net/support/documentation
- Check Point VPN-1 Power VSX NGX R65 Installation and Configuration for Crossbeam X-Series System


Conventions
Typographical Conventions
For paragraph text conventions, see Table 1 on page 6. For command-line text conventions, see Table 2 on page 7.

Table 1. Typographical Conventions Used in Paragraph Text


Typographical Convention: Bold
    Types of Information: Elements on the graphical user interface.
    Usage Examples: In the IP Address field, type the IP address of the first VAP in the group. Click OK to close the dialog. Select the Print to File check box.

Typographical Convention: Courier
    Types of Information: Keys on the keyboard. File names, folder names, and command names. Any information that you must type exactly as shown. Program output text.
    Usage Examples: Press Esc to return to the main menu. Save the user.txt file in the user_install directory. Use the start command to start the application. In the Username field, type Administrator. The XOS CLI show calendar command displays the system calendar: Fri Mar 7 13:32:03 2008

Typographical Convention: Courier Italic
    Types of Information: File names, folder names, command names, or other information that you must supply.
    Usage Examples: In the Version Number field, type 8.1.patch_number.

Typographical Convention: >
    Types of Information: A sequence of commands from the task bar or menu bar.
    Usage Examples: From the taskbar, choose Start > Run. From the main menu, choose File > Save As... Right-click on the desktop and choose Arrange Icons By > Name from the pop-up menu.

Table 2. Typographical Conventions Used in Command-Line Text


Typographical Convention: Courier
    Types of Information: User prompts and program output text.
    Usage Examples:
        CBS# show calendar
        Fri Mar 7 13:32:03 2008

Typographical Convention: Courier Bold
    Types of Information: Information that you must type in exactly as shown.
    Usage Examples:
        [root@xxxxx]# md crossbeam

Typographical Convention: <Courier Italic>
    Types of Information: Angle brackets surrounding Courier italic text indicate file names, folder names, command names, or other information that you must supply.
    Usage Examples:
        [root@xxxxx]# md <your_folder_name>

Typographical Convention: []
    Types of Information: Square brackets contain optional information that may be supplied with a command.
    Usage Examples:
        [root@xxxxx]# dir [drive:] [path] [<filename>] [/P] [/W] [/D]

Typographical Convention: |
    Types of Information: Separates two or more mutually exclusive options.
    Usage Examples:
        [root@xxxxx]# verify [ON|OFF]

Typographical Convention: {}
    Types of Information: Braces contain two or more mutually exclusive options from which you must choose one.
    Usage Examples:
        CBS# configure vap-group <vap_group_name>
        CBS(config-vap-grp)# raid {0|1}

Cautions, Warnings, and Notes


Caution: Lists precautions that you must take to avoid temporary data loss or data unavailability.

Warning: Lists precautions that you must take to avoid personal injury, permanent data loss, or equipment damage.

IMPORTANT: Lists important steps that you must perform properly or important information that you must take into consideration to avoid performing unnecessary work.

NOTE: Provides special information or tips that help you properly understand or carry out a task.


Crossbeam Systems Customer Support


Crossbeam Systems offers a variety of service plans designed to meet your specific technical support requirements. For information on purchasing a service plan for your organization, please contact your account representative or refer to http://www.crossbeam.com/services/support_overview.php.

If you have purchased a Crossbeam Systems product service plan and need technical assistance, you can report issues by telephone:

    United States: +1 800-331-1338 OR +1 978-318-7595
    EMEA: +33 4 8986 0400 (during normal working hours); +1 978-318-7595 (out of office and public holidays, if applicable)
    Asia Pacific: +1 978-318-7595

You can also report issues via E-mail to support@crossbeamsystems.com.

In addition, all of our service plans include access to the Crossbeam Online Support Web site located at http://www.crossbeam.com/services/online_support.php. The Crossbeam Online Support Web site provides you with access to a variety of resources, including Customer Support Knowledge base articles, technical bulletins, product documentation, and release notes. You can also access our real-time problem reporting application, which lets you submit new technical support requests and view all your open requests.

Crossbeam Systems also offers extensive customer training on all of its products. Please refer to the Crossbeam Training and Education Web site located at http://www.crossbeam.com/services/training_education.php for current course offerings and schedules.

Chapter 1: Introduction

This book is intended to provide information specific to the process of connecting IBM Proventia Network Intrusion Prevention System and Check Point VPN-1 Power VSX NGX R65 in series. It is expected that you have read or are familiar with the information in the XOS Configuration Guide, the Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems, and the Check Point VPN-1 Power VSX NGX R65 Installation and Configuration for Crossbeam X-Series System.

This chapter provides a brief overview of Serialization and Secure Flow Processing. It provides information to help you understand the benefits of serialized applications, the specific applications used in this scenario, and a simple diagram of the serial topology.

Serialization and Secure Flow Processing


Serialization refers to the flow of data traffic from one application, such as an IPS, to a second application, such as a firewall. You can configure multiple instances of each application on Crossbeam's Application Processor Modules (APMs) and connect them internally, in series. Traffic passes from one application to the next, allowing multi-layered, in-depth inspection consistent with a user-defined security policy. See Figure 1, Serialized Application Topology, on page 10 for an illustration of this scenario.

Secure flow processing refers to the movement of traffic through an X-series chassis following the user-defined security policy. A key Crossbeam innovation is the ability to logically sequence traffic flow (i.e. serialize) from one security application to another; we call this secure flow processing. For example, Company X has a security policy that requires all traffic to go through an IPS (e.g. IBM Proventia Network IPS) for deep packet inspection, and then pass through a firewall with a separate rule set (e.g. Check Point). Secure flow processing enables this pattern as if switches, load balancers, and network cables were all physically installed between the IPS and firewall. The serialized traffic flow is all done at wire speed, internal to the X-series chassis, with active management of data and load balancing.

Applications Used in this Topology


Proventia Network IPS

Proventia Network IPS employs multiple intrusion prevention technologies, all integrated to work in tandem, providing unprecedented correlation and protection mechanisms. These core technologies enable preemptive protection of the network against a wide variety of Internet threats.

Check Point VPN-1 Power VSX NGX R65

Check Point VPN-1 Power VSX NGX R65 is a security gateway providing security systems, including firewall and VPN. By creating virtual networks within the application, you can create multiple security systems on a single hardware platform.


Serialized Application Topology


In this serialized topology, multiple VLANs configured in an 802.1q trunk ingress on a single physical interface, pass through the Proventia Network IPS bridge, and are split into individual circuits, one per VLAN, on Check Point VPN-1 Power VSX NGX R65. Traffic exits to an external network through a separate physical interface. Management of the applications is done through a single physical interface that is split internally.

Figure 1. Serialized Application Topology

The steps and process provided in this guide allow you to construct a simple, working serialized configuration. The complete configuration is provided in Appendix A Sample Configurations on page 61. As an alternative to the single interface, configuration steps for an MLT group interface are provided in the section, Configure the MLT Group Interfaces on page 31. This topology can also be adapted for a network designed with multiple subnets, allowing you to configure security policies specific to each subnet. Since individual networks may have increased security requirements or traffic patterns, additional IPS systems may be added to handle these requirements. To accommodate these requirements, this topology can be configured using a third VAP group (a second instance of Proventia Network IPS). That full configuration is provided in Chapter 4 Advanced Configurations on page 45.

Chapter 2: Configuring Serialization

This chapter provides information about the topology, and steps to configure serialization. General X-series prerequisites and configuration information is available in the XOS Configuration Guide. This chapter contains the following sections:

- Requirements To Support this Topology on page 11
- Configuration Overview on page 12
- Create VAP Groups on page 14
- Configure Circuits on page 17
- Configure the Physical Interfaces on page 25
- Configure the MLT Group Interfaces on page 31

Requirements To Support this Topology


- XOS Version 8.1
- NPM-8600

This serialization scenario is supported on the following Crossbeam X-Series Platforms:

- X40
- X80

X-Series Module Requirements


The specific scenario described in this guide was developed using the following modules on an X80 platform:

- Three APM-8600s for the ISS VAP group (if you are configuring a second ISS VAP group for the advanced configuration, you will need three additional APM-8600s)
- Three APM-8600s for the VSX VAP group
- Two NPM-8600s
- One CPM-8600

For the latest firmware information, please refer to the XOS 8.1 Release Notes.

Application Requirements
This scenario uses the following two applications:


Proventia Network IPS Requirements


The serialization scenario described in this guide supports IBM Proventia Network IPS and has the following APM requirements:

    Module: APM-8600
    CPU: Single or Dual
    Disk Drive: Required, in SATA-1 position
    Minimum Memory: 2 GB
    Recommended Memory: 4 GB

NOTE: RAID 0 and 1 configurations are supported with 2 SATA HDDs installed.

Check Point VPN-1 Power VSX NGX R65 Requirements


The serialization scenario described in this guide supports Check Point VPN-1 Power VSX NGX R65 and has the following APM requirements:

    Module: APM-8600
    CPU: Single or Dual
    Disk Drive: Not Required
    Minimum Memory: 1 GB
    Recommended Memory: 4 GB

Configuration Overview
This section describes the process of configuring Proventia Network IPS to bridge traffic to Check Point VSX NGX R65 in series on an X-Series system. The configuration options covered in this chapter are:

- Single physical interfaces
- Multi-Link Trunk (MLT) interfaces

This chapter provides detailed steps to configure two VAP groups, the associated circuits, and either single interfaces or MLT interfaces. The completed configuration for this process is provided in Appendix A.

If you require a configuration comprised of three individual VAP groups (IPS / VSX / IPS), and are familiar with XOS serial configurations, Chapter 4 provides a completed configuration for that topology. If you are not yet familiar with configuring serialization, it is recommended that you reference both chapters 2 and 4 to complete this advanced configuration process.

Multi-system high availability for the serialized topology is configured by creating nearly identical configurations on multiple systems. The systems are linked using a physical connection to the CPM through either the High Availability (HA) link or management port. For more information about multi-system high availability, see Multi-System High Availability Using VRRP on page 49.

Serialization Using Single Interfaces


Sections 1 through 3 describe how to configure the circuits and interfaces for the serialized topology illustrated below. Each command is broken down and described in the following steps, explaining the configuration process. Optional topologies are built on this basic scenario using the same approach. Section 4 describes how to configure MLT interfaces for the same topology, and replaces Section 3, Configure the Physical Interfaces on page 25.


The following single interface topology is configured in the subsequent sections: Multiple VLANs configured in an 802.1q trunk ingress on a single physical interface, pass through the ISS bridge, and are split into individual circuits, one per VLAN, on the layer 3 device (VSX). Traffic exits to an external network through a separate physical interface. Management of the applications is done through a single physical interface that is split internally.

Figure 2. Configuration Overview

VAP group, circuit, and interface names in this topology are used as examples, and are not required names. In most cases they are used to demonstrate the function of the circuit or interface. The complete configuration for this topology is provided in Appendix A, Sample Configurations, on page 61.

The following steps are required to configure the X-series system. It is not necessary to complete both Section 3, Configure the Physical Interfaces, and Section 4, Configure the MLT Group Interfaces, for serialization. The sample topologies use one or the other.

- Create VAP Groups on page 14
    - ISS VAP Group on page 14
    - VSX VAP Group on page 16
- Configure Circuits on page 17
    - Bridge Circuit on page 17
    - Internal Circuit for Serialization on page 19
    - WAN Circuit on page 21
    - Internal Circuit for Synchronization on page 22
    - Shared Management Circuit on page 23
- Configure the Physical Interfaces on page 25
    - Group Interface Bridge on page 26
    - WAN Interface on page 28
    - Management Interface on page 29
- Configure the MLT Group Interfaces on page 31
    - LAN Template Circuit on page 32
    - LAN MLT Group Interface on page 33
    - MLT Group Interface Bridge on page 35
    - WAN MLT Group Interface on page 37
    - Management Interface on page 38

1.0 Create VAP Groups


This section describes the creation of the ISS VAP group and the VSX VAP group. Each VAP group contains three individual instances of the specific application, or VAPs.

1.1 ISS VAP Group

Create a VAP group consisting of three APMs that support the installation of Proventia Network IPS (ISS). Name the VAP group iss.

Figure 3. Configure the ISS VAP Group

In the following section you will create this portion of the configuration. A complete configuration is available in Appendix A. To check your progress throughout the setup process, open a second CLI window and log into the CPM. From there, use show running-config to verify your work at any time.

    vap-group iss xslinux_v3
      vap-count 3
      max-load-count 3
      ap-list ap3 ap4 ap5
      ip-flow-rule iss_lb
        action load-balance
        activate

1.1.1 Configure the ISS VAP Group

Create a VAP group named "iss" using the xslinux_v3 operating system. The v3 kernel is required by ISS.

Command:
    CBS# configure vap-group iss xslinux_v3
    Are you sure you want to create a new vap-group with OS version xslinux_v3? <Y or N> [Y]: Y
    Creating vap-group iss. May take several minutes.......................
    CBS(config-vap-grp)#

1.1.2 Configure three VAP members for the ISS VAP Group

Create three VAP members for redundancy and additional capacity.

Command:
    CBS(config-vap-grp)# vap-count 3
    Are you sure you want to adjust vap-count to 3? <Y or N> [Y]: Y
    Adjusting vap-count. May take several minutes............................
    CBS(config-vap-grp)#

1.1.3 Configure the ISS VAP Group APM list

This command specifies the list of APMs to be loaded. All VAP members should be identical APMs. Use show module status from the CLI to verify the configuration of each APM if necessary.

Command:
    CBS(config-vap-grp)# ap-list ap3 ap4 ap5
    CBS(config-vap-grp)#

1.1.4 Specify the number of active VAP members

Specify the maximum number of VAP members in the VAP group. In order to install Proventia Network IPS, the max load count must match the VAP count.

Command:
    CBS(config-vap-grp)# max-load-count 3
    CBS(config-vap-grp)#

1.1.5 Configure the default flow-rule for the VAP group and return to main CLI context

There are four steps to configure the load balancing flow rule:

1. Create the load balancing flow rule for the ISS VAP group.
2. Set the flow rule action to load-balance ISS traffic to all available VAP members.
3. Set the activate flag to enable the action.
4. Return to the main CLI context to prepare for the next step.

Command:
    CBS(config-vap-grp)# ip-flow-rule iss_lb
    CBS(ip-flow-rule)# action load-balance
    CBS(ip-flow-rule)# activate
    CBS(ip-flow-rule)# end
    CBS#


1.2 VSX VAP Group

Create a VAP group consisting of three APMs that support the installation of Check Point VPN-1 Power VSX NGX R65. Name the VAP group vsx.

Figure 4. Configure the VSX VAP Group

In the following section you will create this portion of the configuration.

    vap-group vsx xslinux_v3
      vap-count 3
      max-load-count 3
      ap-list ap8 ap9 ap10

1.2.1 Configure the VSX VAP Group

Create a VAP group named vsx using the xslinux_v3 operating system. The v3 kernel is required by VSX.

Command:
    CBS# configure vap-group vsx xslinux_v3
    Are you sure you want to create a new vap-group with OS version xslinux_v3? <Y or N> [Y]: Y
    Creating vap-group vsx. May take several minutes.............................................................
    CBS(config-vap-grp)#

1.2.2 Configure three VAP members for the VSX VAP Group

Create three VAP members for redundancy and additional capacity.

Command:
    CBS(config-vap-grp)# vap-count 3
    Are you sure you want to adjust vap-count to 3? <Y or N> [Y]: Y
    Adjusting vap-count. May take several minutes..................................
    CBS(config-vap-grp)#

1.2.3 Configure the VSX VAP Group APM list

This command specifies the list of APMs to be loaded. All VAP members should be identical APMs. Use show module status from the CLI to verify the configuration of each APM if necessary.

Command:
    CBS(config-vap-grp)# ap-list ap8 ap9 ap10
    CBS(config-vap-grp)#

1.2.4 Specify the number of active VAP members and return to the main CLI context

Specify the maximum number of VAP members in the VAP group. In order to install VSX, the max load count must match the VAP count. Return to the main CLI context to prepare for the next step.

NOTE: You do not have to manually configure a default flow-rule for VSX VAP groups. VSX configures a default flow rule as part of the application installation process. See the application installation guide for more information.

Command:
    CBS(config-vap-grp)# max-load-count 3
    CBS(config-vap-grp)# end
    CBS#

2.0 Configure Circuits


This section describes how to configure the internal and external circuits connecting the VAP groups to each other and to the network. If you are configuring circuits in a topology using VLANs, VSX requires that an interface's device-name not exceed 4 characters and that the device-name is not vlan; VLAN is a Check Point reserved keyword.

2.1 Bridge Circuit

The Layer 2 bridge circuit is a template circuit that must be in place prior to configuring the group interface bridge covered in Section 3.1 Group Interface Bridge on page 26.


Figure 5. Layer 2 Bridge Circuit

In the following section you will create this portion of the configuration.

circuit bridge
 device-name bridge
 vap-group iss
  promiscuous-mode active

2.1.1 Configure the bridge circuit required by the group interface

Create a circuit to bridge traffic on ISS.

Command:
CBS# configure circuit bridge
CBS(conf-cct)#

2.1.2 Assign a device name to the circuit

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name.

Command:
CBS(conf-cct)# device-name bridge
CBS(conf-cct)#

2.1.3 Associate the circuit with the ISS VAP group

Specify a VAP group to assign to this circuit.

Command:
CBS(conf-cct)# vap-group iss
CBS(conf-cct-vapgroup)#


2.1.4 Set mode to promiscuous-mode active and return to the main CLI context

Setting promiscuous-mode to active allows the circuit to pass traffic.

Command:
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# end
CBS#

2.2 Internal Circuit for Serialization

This internal circuit connects the ISS VAP group to the VSX VAP group in series. It is a template circuit that must be in place prior to configuring the group interface bridge covered in Section 3.1 Group Interface Bridge on page 26.

Figure 6. Serial Connection between VAP Groups

In the following section you will create this portion of the configuration.

circuit SerialOne
 internal
 device-name Ser1
 vap-group iss
  promiscuous-mode active
 vap-group vsx

2.2.1 Configure the circuit

Create an internal circuit, connecting the two VAP groups in series.

Command:
CBS# configure circuit SerialOne
CBS(conf-cct)#


2.2.2 Define the circuit as internal

Configure the circuit as internal.

Command:
CBS(conf-cct)# internal
CBS(conf-cct)#

2.2.3 Assign a device name to the circuit

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name. When configuring circuits in a topology using VLANs, the device names for circuits that directly interface with VSX cannot exceed 4 characters.

Command:
CBS(conf-cct)# device-name Ser1
CBS(conf-cct)#

2.2.4 Associate the circuit with the ISS VAP group

Assign the ISS VAP group to this circuit.

Command:
CBS(conf-cct)# vap-group iss
CBS(conf-cct-vapgroup)#

2.2.5 Set mode to promiscuous-mode active and exit the ISS VAP group context

Any VAP-specific parameters must be configured on this circuit. In this case, the ISS parameter promiscuous-mode active must be configured here as well. Setting promiscuous-mode to active allows the circuit to pass traffic.

Command:
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# exit
CBS(conf-cct)#

2.2.6 Associate the circuit with the VSX VAP group and return to the main CLI context

Assigning the VSX VAP group to this circuit allows traffic to flow between the two VAP groups.

Command:
CBS(conf-cct)# vap-group vsx
CBS(conf-cct-vapgroup)# end
CBS#


2.3 WAN Circuit

Create the WAN circuit. This circuit interfaces with an external network.

Figure 7. WAN Circuit attached to the VSX VAP Group

In the following section you will create this portion of the configuration. When configuring circuits in a topology using VLANs, the device names for circuits that interface with VSX cannot exceed 4 characters.

circuit wan
 device-name wan
 vap-group vsx

2.3.1 Configure the WAN circuit

Create the wan circuit.

Command:
CBS# configure circuit wan
CBS(conf-cct)#

2.3.2 Assign a device name to the circuit

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name. When configuring circuits in a topology using VLANs, the device names for circuits that interface with VSX cannot exceed 4 characters.

Command:
CBS(conf-cct)# device-name wan
CBS(conf-cct)#


2.3.3 Assign the circuit to the VSX VAP group and return to the main CLI context

Assigning the VSX VAP group to this circuit allows traffic to flow across the circuit.

Command:
CBS(conf-cct)# vap-group vsx
CBS(conf-cct-vapgroup)# end
CBS#

2.4 Internal Circuit for Synchronization

A synchronization circuit is an internal circuit that connects VSX VAP members. VSX uses this circuit to maintain state synchronization and communications between VSX cluster members.

Figure 8. Sync Circuit between VSX VAP members

In the following section you will create this portion of the configuration.

circuit sync
 internal
 device-name sync
 vap-group vsx

2.4.1 Configure the VSX synchronization circuit

Create a circuit for VSX synchronization.

Command:
CBS# configure circuit sync
CBS(conf-cct)#


2.4.2 Define the circuit as internal

Configure the circuit as internal.

Command:
CBS(conf-cct)# internal
CBS(conf-cct)#

2.4.3 Assign a device name to the circuit

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name.

Command:
CBS(conf-cct)# device-name sync
CBS(conf-cct)#

2.4.4 Assign the circuit to the VSX VAP group and return to the main CLI context

Assign the sync circuit to the VSX VAP group.

Command:
CBS(conf-cct)# vap-group vsx
CBS(conf-cct-vapgroup)# end
CBS#

2.5 Shared Management Circuit

Managing multiple applications installed on an X-Series system can be done using individual or shared connections to the modules. With serialized applications, it is often more efficient to manage VAP groups using a single physical interface, split internally. This topology creates a single shared circuit, which will later be assigned to a single physical interface (Section 3.3 Management Interface on page 29). If you expect a high level of log activity on your management circuit, consider creating individual management interfaces for each VAP group. For information on creating individual management circuits and interfaces, see Individual Management Circuits on page 49.


Figure 9. Shared Management Circuit

In the following section you will create this portion of the configuration.

circuit mgmt
 device-name mgmt
 vap-group iss
  management-circuit
  ip 172.16.19.62/24 increment-per-vap 172.16.19.65
 vap-group vsx

2.5.1 Create a management circuit for both applications, ISS and VSX

Create a management circuit, so that application management utilities can interface with the applications.

Command:
CBS# configure circuit mgmt
CBS(conf-cct)#

2.5.2 Assign a device name to the circuit

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name.

Command:
CBS(conf-cct)# device-name mgmt
CBS(conf-cct)#


2.5.3 Assign the ISS VAP group to the circuit

Associate the ISS VAP group with the circuit and designate this circuit as the management-circuit.

NOTE: Proventia Network IPS requires that you specify a management circuit using the management-circuit parameter.

Command:
CBS(conf-cct)# vap-group iss
CBS(conf-cct-vapgroup)# management-circuit
CBS(conf-cct-vapgroup)#

2.5.4 Assign an IP address for ISS VAP group management

Use increment-per-vap to assign a unique IP address per VAP member, allowing individual management connections. When configuring the management IP addresses it is recommended to leave some unused IP addresses so that additional APMs and VAPs can be added as the system grows.

Command:
CBS(conf-cct-vapgroup)# ip 172.16.19.62/24 increment-per-vap 172.16.19.65
CBS(conf-cct-vapgroup-ip)#

2.5.5 Return to the configure circuit context

Using the exit command returns you to the proper context.

Command:
CBS(conf-cct-vapgroup-ip)# exit
CBS(conf-cct-vapgroup)# exit
CBS(conf-cct)#

2.5.6 Assign the VSX VAP group to the circuit and return to the main CLI context

Associate the VSX VAP group with the management circuit.

Command:
CBS(conf-cct)# vap-group vsx
CBS(conf-cct-vapgroup)# end
CBS#

NOTE: An IP address for VSX VAP group management will automatically be assigned by VSX upon installation. You do not need to configure this manually.

3.0 Configure the Physical Interfaces


The following section provides steps for configuring the single physical interfaces for the connection to the client subnet, an external network (the Internet), and management. It is not necessary to complete both Section 3 Configure the Physical Interfaces, and Section 4 Configure the MLT Group Interfaces, for serialization. The sample topologies use one or the other. MLT interfaces are configured in a separate section. If you are configuring MLT interfaces, skip this section and go to Configure the MLT Group Interfaces on page 31.


3.1 Group Interface Bridge

The group interface bridge includes the physical interface, the ISS bridge circuit (bridge), and the internal circuit used for serialization (Ser1). Name this group interface bridge L2Br.

Figure 10. Group Interface Bridge

In the following section you will create this portion of the configuration.

group-interface L2Br
 interface-type gigabitethernet
 mode transparent circuit bridge
 interface-internal circuit SerialOne
 interface 1/1
  device-name LAN

3.1.1 Create the group interface

Configure a group interface.

Command:
CBS# configure group-interface L2Br
CBS(conf-group-intf)#

3.1.2 Configure the interface type and return to interface configuration mode

Specify the interface type as gigabitethernet or 10gigabitethernet, and then exit the interface type mode. Exiting returns you to the interface configuration context and prepares you for the next step.

Command:
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)#


3.1.3 Set mode to transparent

Transparent mode allows ISS to provide the bridging mechanism.

Command:
CBS(conf-group-intf)# mode transparent circuit bridge
CBS(conf-group-intf)#

3.1.4 Associate the internal circuit with the group interface

Associates the internal circuit with the group interface.

Command:
CBS(conf-group-intf)# interface-internal circuit SerialOne
CBS(conf-group-intf)#

3.1.5 Configure the physical interface and return to the main CLI context

Name and configure the physical interface. Be sure to associate a device name with the interface. This avoids the potential confusion of a system generated interface name.

Command:
CBS(conf-group-intf)# interface 1/1
CBS(conf-grp-intf-intf)# device-name LAN
CBS(conf-grp-intf-intf)# end
CBS#


3.2 WAN Interface

Create the WAN interface for the VSX VAP group, and attach a physical interface to the wan circuit.

Figure 11. WAN Interface

In the following section you will create this portion of the configuration.

interface gigabitethernet 1/2
 logical wan
  circuit wan

3.2.1 Define a physical interface

Define the physical interface to be assigned to the circuit.

Command:
CBS# configure interface gigabitethernet 1/2
CBS(conf-intf-gig)#

3.2.2 Define the logical interface for the wan circuit

Define the logical interface for the physical interface specified in the previous step. For clarity, the logical name should be the same as, or based on, the circuit name.

Command:
CBS(conf-intf-gig)# logical wan
CBS(intf-gig-logical)#


3.2.3 Assign the circuit to the logical and physical interface and return to the main CLI context

Assign the circuit to the interface.

Command:
CBS(intf-gig-logical)# circuit wan
CBS(intf-gig-logical)# end
CBS#

3.3 Management Interface

Assign the physical interface used by the management circuit.

Figure 12. Management Interface

In the following section you will create this portion of the configuration.

interface gigabitethernet 1/5
 logical mgmt
  circuit mgmt

3.3.1 Define the physical interface

Define the physical interface to be used by the management circuit.

Command:
CBS# configure interface gigabitethernet 1/5
CBS(conf-intf-gig)#


3.3.2 Define the logical interface for the management circuit

Define the logical interface for the physical interface specified in the previous step.

Command:
CBS(conf-intf-gig)# logical mgmt
CBS(intf-gig-logical)#

3.3.3 Assign the circuit to the logical and physical interfaces and return to the main CLI context

Assign the circuit to the logical and physical interfaces specified above. For clarity, the logical name should be the same as, or based on, the circuit name.

Command:
CBS(intf-gig-logical)# circuit mgmt
CBS(intf-gig-logical)# end
CBS#

Next Steps
Configuration of the serialized topology using a single physical interface is complete. Go to Chapter 3 Application Installation on page 39 for information about installing the applications onto each VAP group.


4.0 Configure the MLT Group Interfaces

This section provides the steps necessary to configure MLT in a serial topology. These steps replace Section 3.0 Configure the Physical Interfaces on page 25. It is not necessary to complete both Section 3 Configure the Physical Interfaces and Section 4 Configure the MLT Group Interfaces for serialization. The sample topologies use one or the other.

A multi-link trunk (MLT) aggregates multiple physical interfaces to form one logical channel, allowing the X-Series system to treat these interfaces as a single logical interface. This section describes the process for configuring XOS to handle the interface.

In the following topology, multiple VLANs ingress on an aggregated physical interface and are delivered to the Layer 2 bridge via an 802.1q trunk. Traffic passes through the Proventia Network IPS application and over an internal circuit for serialization. Upon reaching the VPN-1 Power VSX NGX R65 application, the 802.1q trunk is split into individual circuits, one per VLAN, and processed. If the traffic passes inspection, it flows out of the application to another MLT interface. If the traffic does not pass inspection, it is dropped.

VLAN configuration is performed using the VSX application and is outside the scope of this document. See the Check Point VPN-1 Power VSX NGX R65 documentation for more information.

NOTE: When you are configuring an interface to pass VLANs to the VSX NGX R65 application, the interface's device-name must not exceed 4 characters. The device-name cannot be vlan; VLAN is a Check Point reserved keyword.

Figure 13. MLT Group Interfaces in the Serial Topology


4.1 LAN Template Circuit

The LAN circuit is a template circuit that must be in place prior to configuring the MLT group interface. This circuit is only used for the MLT group interface. The other circuits used in the MLT interface configuration were created in Section 2.

Figure 14. LAN Template Circuit

In the following section you will create this portion of the configuration.

circuit LAN
 device-name LAN
 vap-group iss
  promiscuous-mode active

4.1.1 Configure the LAN circuit required by the group interface

Create a template circuit to be used by the MLT group interface.

Command:
CBS# configure circuit LAN
CBS(conf-cct)#

4.1.2 Assign a device name to the circuit

Assign a device name to the circuit. For clarity, the device name should be the same as, or based on, the circuit name.

Command:
CBS(conf-cct)# device-name LAN
CBS(conf-cct)#


4.1.3 Associate the circuit with the ISS VAP group

Assign a VAP group to this circuit.

Command:
CBS(conf-cct)# vap-group iss
CBS(conf-cct-vapgroup)#

4.1.4 Set mode to promiscuous-mode active and return to the main CLI context

Setting promiscuous-mode to active allows the circuit to pass all traffic.

Command:
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# end
CBS#

4.2 LAN MLT Group Interface

The LAN MLT group interface attaches physical interfaces to the LAN template circuit, and is defined as a multi-link circuit.

Figure 15. LAN MLT Group Interface

In the following section you will create this portion of the configuration.

group-interface LAN
 interface-type gigabitethernet
 mode multi-link circuit LAN
 interface 1/1
 interface 1/2
 interface 1/3


4.2.1 Create the group interface

Configure a group interface.

Command:
CBS# configure group-interface LAN
CBS(conf-group-intf)#

4.2.2 Configure the interface type and return to the interface configuration context

Define the interface type as gigabitethernet or 10gigabitethernet, and return to the interface configuration context.

Command:
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)#

4.2.3 Define the interface mode

Define the interface mode as multi-link, and assign the circuit.

Command:
CBS(conf-group-intf)# mode multi-link circuit LAN
CBS(conf-group-intf)#

4.2.4 Configure the physical interfaces and return to the main CLI context

Assign interfaces to the MLT group interface and exit the configuration mode. Using end returns you to the main CLI context, and prepares you for the next step.

Command:
CBS(conf-group-intf)# interface 1/1
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 1/3
CBS(conf-grp-intf-intf)# end
CBS#

NOTE: To prevent a loss of traffic to the VAP groups, consider spreading MLT interfaces across more than one NPM. In the case of an NPM failure, traffic can continue to flow on other NPMs.


4.3 MLT Group Interface Bridge

The MLT group interface bridge connects the Layer 2 bridge and the internal circuit for serialization, and then attaches to the LAN MLT group interface.

Figure 16. Create the Group Interface Bridge

In the following section you will create this portion of the configuration.

group-interface bridge
 interface-type gigabitethernet
 mode transparent circuit bridge
 interface-internal circuit SerialOne
 group LAN

4.3.1 Configure the group interface bridge to use MLT

Configure a group interface bridge using MLT.

Command:
CBS# configure group-interface bridge
CBS(conf-group-intf)#

4.3.2 Match interface types to the group interface MLT

Define the interface type as gigabitethernet or 10gigabitethernet.

Command:
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)#


4.3.3 Define the mode for the bridge

Transparent mode allows ISS to provide the bridging mechanism.

Command:
CBS(conf-group-intf)# mode transparent circuit bridge
CBS(conf-group-intf)#

4.3.4 Associate the internal circuit with the group interface bridge

Connect the group interface bridge with the internal circuit for serialization.

Command:
CBS(conf-group-intf)# interface-internal circuit SerialOne
CBS(conf-group-intf-intf)# exit
CBS(conf-group-intf)#

4.3.5 Associate the MLT group with the group interface bridge and return to the main CLI context

The group interface bridge is attached to the MLT group interface, LAN.

Command:
CBS(conf-group-intf)# group LAN
CBS(conf-group-intf)# end
CBS#


4.4 WAN MLT Group Interface

The WAN group interface attaches physical interfaces to the wan circuit, and is defined as a multi-link circuit.

Figure 17. WAN MLT Group Interface

In the following section you will create this portion of the configuration.

group-interface wan
 interface-type gigabitethernet
 mode multi-link circuit wan
 interface 2/1
 interface 2/2
 interface 2/3

4.4.1 Create the WAN MLT group interface

Define the wan interface as a group interface.

Command:
CBS# configure group-interface wan
CBS(conf-group-intf)#

4.4.2 Configure the interface type and return to the interface configuration context

Define the interface type as gigabitethernet or 10gigabitethernet, and return to the interface configuration context.

Command:
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)#


4.4.3 Define the interface mode

Define the interface mode as multi-link, and assign the circuit.

Command:
CBS(conf-group-intf)# mode multi-link circuit wan
CBS(conf-group-intf)#

4.4.4 Configure the physical interfaces and return to the main CLI context

Assign interfaces to the wan group interface and exit the configuration mode. Using end returns you to the top level of the CLI, and prepares you for the next step.

Command:
CBS(conf-group-intf)# interface 2/1
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 2/2
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 2/3
CBS(conf-grp-intf-intf)# end
CBS#

NOTE: To prevent a loss of traffic to the VAP groups, consider spreading MLT interfaces across more than one NPM. In the case of an NPM failure, traffic can continue to flow on other NPMs.
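Several rules in this chapter are stated in prose only: max-load-count must equal vap-count (Section 1.2.4), circuits facing VSX in a VLAN topology need a device-name of at most 4 characters that is not vlan (Section 2.0), per-VAP management addresses are derived by increment-per-vap and must leave room for the VSX installer's own addresses (Section 2.5.4, Section 2.5.6), and MLT members should not all sit on one NPM (the note in Sections 4.2.4 and 4.4.4). The following Python script is an added example, not Crossbeam tooling and not part of this guide; it parses an XOS-style listing and applies those checks. It assumes the listing is indented as in a running-config, that increment-per-vap hands out one consecutive address per VAP member starting at the given address (as Section 2.5.4 and the Chapter 3 interview describe), that the VSX installer derives its per-VAP management addresses from a start address the same way, and that the slot in an interface name such as 1/1 is the NPM slot. The sample listing is constructed for the example.

```python
"""Static checks for a serialized IPS/VSX XOS configuration: an added example, not
Crossbeam tooling. It parses indented running-config style text and applies the
rules this guide states in Sections 1.2.4, 2.0, 2.5.4 and 4.2.4."""
import ipaddress

NEW = {"vap-group": lambda: {"vap-count": 0, "max-load-count": 0},
       "circuit": lambda: {"device-name": "", "vap-groups": [], "ip": {}},
       "group-interface": lambda: {"mode": "", "members": []}}

def parse_config(text):
    """Return (vap_groups, circuits, group_interfaces); indentation marks nesting (assumption)."""
    tables = {k: {} for k in NEW}
    ctx = kind = sub = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if not raw[0].isspace():  # a top-level statement opens a new context
            kind, sub = tok[0], None
            ctx = tables[kind].setdefault(tok[1], NEW[kind]()) if kind in NEW else None
        elif kind == "vap-group" and tok[0] in ("vap-count", "max-load-count"):
            ctx[tok[0]] = int(tok[1])
        elif kind == "circuit" and tok[0] == "device-name":
            ctx["device-name"] = tok[1]
        elif kind == "circuit" and tok[0] == "vap-group":  # per-VAP-group sub-context
            sub = tok[1]
            ctx["vap-groups"].append(sub)
        elif kind == "circuit" and tok[0] == "ip" and "increment-per-vap" in tok:
            ctx["ip"][sub] = (tok[1], tok[tok.index("increment-per-vap") + 1])
        elif kind == "group-interface" and tok[0] == "mode":
            ctx["mode"] = tok[1]
        elif kind == "group-interface" and tok[0] == "interface":  # member 'slot/port'
            ctx["members"].append(tok[1])
    return tables["vap-group"], tables["circuit"], tables["group-interface"]

def check_config(text, vsx_groups=("vsx",), vlan_topology=True, vsx_mgmt_start=None):
    """Return [(code, message), ...]; an empty list means every check passed."""
    vgs, ccts, gifs = parse_config(text)
    vaps = lambda g: vgs.get(g, {"vap-count": 0})["vap-count"]
    out = []
    # Section 1.2.4 / Installation Considerations: max-load-count must equal vap-count.
    for name, vg in vgs.items():
        if vg["vap-count"] != vg["max-load-count"]:
            out.append(("LOAD_COUNT", f"vap-group {name}: max-load-count {vg['max-load-count']} != vap-count {vg['vap-count']}"))
    # Sections 2.0 / 4.0: in a VLAN topology a circuit facing VSX needs a device-name of
    # at most 4 characters, and never 'vlan'.
    for name, c in ccts.items():
        dn, faces_vsx = c["device-name"], any(g in vsx_groups for g in c["vap-groups"])
        if vlan_topology and faces_vsx and (len(dn) > 4 or dn.lower() == "vlan"):
            out.append(("DEVICE_NAME", f"circuit {name}: device-name '{dn}' is not usable with VSX in a VLAN topology"))
    # Section 2.5.4: expand increment-per-vap (assumed: one consecutive address per VAP member),
    # then add the addresses the VSX installer derives from its start address (Chapter 3 interview).
    owners = {}
    for name, c in ccts.items():
        for g, (cidr, start) in c["ip"].items():
            owners.setdefault(ipaddress.ip_interface(cidr).ip, []).append(f"circuit {name}")
            for i in range(vaps(g)):
                owners.setdefault(ipaddress.ip_address(start) + i, []).append(f"{g} VAP{i + 1}")
    for g in (vsx_groups if vsx_mgmt_start else ()):
        for i in range(vaps(g)):
            owners.setdefault(ipaddress.ip_address(vsx_mgmt_start) + i, []).append(f"{g} VAP{i + 1}")
    for ip, who in sorted(owners.items()):
        if len(who) > 1:
            out.append(("MGMT_ADDR", f"{ip} assigned to both {who[0]} and {who[1]}"))
    # Note in Sections 4.2.4 / 4.4.4: spread MLT members over more than one NPM;
    # 'slot/port' is read here as NPM slot / port (assumption).
    for name, gi in gifs.items():
        slots = sorted({m.split("/")[0] for m in gi["members"]})
        if gi["mode"] == "multi-link" and len(slots) < 2:
            out.append(("MLT_SINGLE_NPM", f"group-interface {name}: every MLT member is on NPM slot {slots}"))
    return out

# Constructed sample modelled on Sections 1.2, 2.2, 2.5 and 4.2 (not the guide's own listing).
SAMPLE_CONFIG = """\
vap-group iss xslinux_v3
 vap-count 3
 max-load-count 3
vap-group vsx xslinux_v3
 vap-count 3
 max-load-count 3
circuit SerialOne
 device-name Ser1
 vap-group iss
 vap-group vsx
circuit mgmt
 device-name mgmt
 vap-group iss
  management-circuit
  ip 172.16.19.62/24 increment-per-vap 172.16.19.65
 vap-group vsx
group-interface LAN
 mode multi-link circuit LAN
 interface 1/1
 interface 4/1
"""

# Same sample with deliberate faults: VSX load count, a 9-character device-name facing VSX,
# both MLT members on NPM slot 1 (the address clash comes from a VSX start address in the ISS range).
FAULTY_CONFIG = (SAMPLE_CONFIG
                 .replace("max-load-count 3\ncircuit", "max-load-count 2\ncircuit")
                 .replace("device-name Ser1", "device-name SerialOne")
                 .replace("interface 4/1", "interface 1/2"))
```

Run check_config against a copy of your own listing, passing the start address you intend to give the VSX installer as vsx_mgmt_start; an empty result means the listed rules hold, and for the faulty sample the checker reports one finding per fault plus one per clashing address. Set vlan_topology=False when VSX will not see VLAN-tagged circuits, since the 4-character limit applies only then.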

4.5 Management Interface

Refer to Management Interface on page 29 to configure a physical interface for the shared management circuit. As an alternative, see Individual Management Circuits on page 45 for instructions on how to split the management circuits into individual interfaces.

Next Steps
Configuration of the serialized topology using MLT interfaces is complete. Go to Chapter 3 Application Installation on page 39 for information about installing the applications onto each VAP group.


Chapter 3: Application Installation

After completing the XOS configuration steps, you can install the individual applications. We recommend installing the applications in the order presented here:

Installation Considerations on page 39
Install and Configure Proventia Network IPS on page 39
Install and Configure Check Point on page 41

Installation Considerations

In addition to the Application Requirements on page 11, you should be aware of the following APM considerations:

- Max load and VAP count must be the same. In order to install Proventia Network IPS, the max load count must match the VAP count.
- The module must be in the Up state.
- IPS management interfaces must be Up.

Install and Configure Proventia Network IPS


The following section discusses the installation and configuration of Proventia Network IPS in a serial topology.

Application Prerequisites
Please refer to the IBM Proventia Network IPS documentation for a complete list of prerequisites and restrictions.

Installing Proventia Network IPS


Place the CBI (Crossbeam Installer) onto the X-series system as described in the Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems.

Install the Application onto a VAP Group


After copying the CBI to the X-Series system, install the application onto one or more VAP Groups.


At the XOS CLI prompt, enter the following command to run the Proventia Network IPS application CBI and begin the installation procedure:

CBS# application issprovg vap-group iss install

Interview Process

The ISS CBI displays the interview program and begins the installation. Below are example answers based on the serial topology described in this book. Complete the questions in the interview to install Proventia Network IPS. If necessary, refer to the Installation and Configuration for IPS Deployments of IBM Proventia Network Intrusion Prevention System on Crossbeam X-Series Systems.

This example interview installs Proventia Network IPS using the specified agent name iss, in protection mode (p), and defines the management circuit as the shared management circuit (mgmt).

CBS# application issprovg vap-group iss install
IBM Internet Security Systems, IBM Proventia Network IPS 2.0 release 1
Checking Bundle Integrity: [####################] 100% [ ok ]
Checking Dependencies: [####################] 100% [ ok ]
International Program License Agreement
Part 1 - General Terms
<License Disclaimer Here>
Press ENTER to read or 'q' to quit: q
Accept the license agreement? [n]: y
============================================================================
Answer the questions below to configure this application. Type '?' for help.
Change password for Proventia Manager user 'admin':
Password:
Confirm Password:
Agent Name? [Proventia_GC1200]: iss
Adapter Mode Configuration? [s]: p
Management Port Interface? [provgmgmt]: mgmt
Are any changes needed? [n]:
============================================================================
** A vap-group reload is required for the change(s) to take affect. **
Extracting Bundle: [####################] 100% [ ok ]
Installing issprovg on VAP iss: [######## ]

Once the installation is complete, you must reload the ISS VAP group.

CBS# reload vap-group iss
Proceed with reload? <Y or N> [Y]:Y

Configure Proventia Network IPS Using Proventia Manager


Use a Web browser and the IP address assigned to the management interface for the ISS VAP to log into Proventia Manager. Once you have logged in, you can configure the application and register with SiteProtector. For more information about accessing Proventia Manager, see Chapter 8 of the Installation and Configuration Guide for IPS Deployments of IBM Proventia Network IPS on Crossbeam X-Series Systems.


Install and Configure Check Point


The following section discusses the installation and configuration of Check Point VPN-1 Power VSX NGX R65 in a serial topology.

Application Prerequisites
Please refer to the Check Point documentation for a complete list of prerequisites and restrictions.

Installing the Application


Load the application as described in the Check Point VPN-1 Power VSX NGX R65 Installation and Configuration for Crossbeam X-Series System.

Install the Application onto a VAP Group


After loading the application, install VSX onto one or more VAP Groups, as follows:

1. Enter the following XOS CLI command to display the loaded applications:

   CBS# show application

2. Enter the following XOS CLI command to install the application on the VAP group you created:

   CBS# application vsx vap-group vsx install

Interview Process

Starting the application install displays the VSX interview program. Below are example answers based on the serial topology in the previous chapter. Complete the interview questions to successfully install the application. The following example installs VPN-1 Power VSX NGX R65 with the following information:

- Specify the shared management circuit as mgmt, and the IP that will be put under the management circuit definition. The IPs will be automatically calculated by incrementing the management IP by one. The starting IP used in this configuration example is 172.16.19.66.
- You will need to specify the name of the synchronization circuit you configured: sync.

CBS# application vsx vap-group vsx install
This program will help you install Check Point Software Technologies Ltd. (TM)VPN-1 Power VSX NGX R65 (R) software on the X-series platforms
Press Enter to continue ...
This End-user License Agreement...
<License Disclaimer Here>
Do you accept this license agreement? (y/n) [n]: y
Welcome to the Check Point VPN-1 Power VSX NGX R65 Configuration Program for the X Series platforms.
=========================================================================
This program will allow you to install VPN-1 Power VSX NGX R65 Enforcement Module on X Series platforms.


Checking available options. Please wait...
Configuring VAP Group "vsx" with VAPs: 1 2 3
Enter the interface name from which you want to manage the VSX system (): mgmt
Will this interface be used in non-DMI configuration, managed by a Remote CMA? (y/n) [n] n
VPN-1 Power VSX NGX R65 VAP Group vsx, VAP1==>>
Enter the IP address that will be used to manage the first cluster member [NOTE: Because of increment-per-vap order restriction, IP addresses on management interface for remaining cluster members will be based on this IP address] (): 172.16.19.66
VPN-1 Power VSX NGX R65 VAP Group vsx, VAP2==>>
IP address for the management interface on this cluster member [NOTE: Make sure this IP address is available ] (172.16.19.67):
VPN-1 Power VSX NGX R65 VAP Group vsx, VAP3==>>
IP address for the management interface on this cluster member [NOTE: Make sure this IP address is available ] (172.16.19.68):
Enter the netmask for the management interface (): 255.255.255.0
Enter the name of the interface that will be used for synchronization with other cluster members (): sync
Please wait ...
You will now be prompted to enter a one time 'Activation Key' that will be used to establish trust with the Check Point Management Server
NOTE: This Activation Key will be used for all VAPs in the VAP Group
Enter SIC Activation Key>
Again SIC Activation Key>
Central license information can be downloaded from the Management station.
Do you want to enter Local license information at this time ? (y/n) n
Do you want to Enable Check Point SecureXL? (y/n) y
Do you want to Enable High Availability/State Synchronization? (y/n) y
******************************************************************
*                                                                *
* At the Check Point Management Station, make sure that each VAP *
* from this VAP Group is in the same VSX Cluster                 *
*                                                                *
******************************************************************
==================================================
Setup configuration is complete.
Do you wish to modify the configured settings? (y/n) n
-----------------------------------------------------------
Performing System Checks
vsx_1: Validated. System Ready for VPN-1 Power VSX NGX R65 Installation
vsx_2: Validated. System Ready for VPN-1 Power VSX NGX R65 Installation
vsx_3: Validated. System Ready for VPN-1 Power VSX NGX R65 Installation
==================================================================
VPN-1 Power VSX NGX R65 will be installed/configured on the following vaps: 1 2
=================================================================
If all VAPs are not reported as Validated above, then this is an opportunity to exit this script by choosing 'n' below. Then fix the problems reported above and restart this script again.
Continue (y/n) ?: y

Once the installation has completed, you must reload the VSX VAP group.

CBS# reload vap-group vsx
Proceed with reload? <Y or N> [Y]:Y

Create Virtual Devices and Circuits Using the VSX GUI


The creation of VSX virtual devices and circuits is performed from the GUI. Please refer to the Check Point documentation for configuration information.


Chapter 4: Advanced Configurations

This chapter provides the following advanced serial configuration information:

IPS to VSX NGX R65 to IPS on page 45, which includes adding a second ISS VAP group and a third MLT interface.
Individual Management Circuits on page 49 provides information for configuring individual management circuits for each VAP group.
Multi-System High Availability Using VRRP on page 49 is a stepped procedure to configure Multi-System High Availability.

IPS to VSX NGX R65 to IPS


The configuration below defines three individual VAP groups: a single Check Point VSX NGX R65 VAP group between two separate Proventia Network IPS VAP groups, with a third MLT interface added. Configuring Proventia Network IPS and VSX NGX R65 in this manner helps ensure that any client-to-client communication is inspected by both applications and their security policies. See Figure 18 on page 46 for a high level diagram of this topology.


Figure 18. IPS to VSX to IPS

The configuration is provided as a whole rather than broken into individual steps. If you need information about how to perform a specific configuration task, see the relevant section in Chapter 2.

vap-group iss xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap3 ap4 ap5
  load-balance-vap-list 1 2 3
ip-flow-rule iss_lb
  action load-balance
  activate
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap7 ap8 ap9
  load-balance-vap-list 1 2 3
vap-group iss2 xslinux_v3
  vap-count 2
  max-load-count 2
  ap-list ap6 ap10
  load-balance-vap-list 1 2
ip-flow-rule iss2_lb
  action load-balance
  activate
#
circuit mgtvsx
  device-name mgtvsx
  vap-group vsx
circuit mgtiss
  device-name mgtiss
  vap-group iss
    management-circuit
    ip 192.168.0.49/24 192.168.0.255
    increment-per-vap 192.168.0.50
  vap-group iss2
    management-circuit
    ip 192.168.0.51/24 192.168.0.255
    increment-per-vap 192.168.0.52
circuit sync internal
  device-name sync
  vap-group vsx
circuit lan
  device-name lan
  vap-group iss
    promiscuous-mode active
circuit wan
  device-name wan
  vap-group vsx
circuit dmz
  device-name dmz
  vap-group iss2
circuit bridge1
  device-name bridge1
  vap-group iss
    promiscuous-mode active
circuit bridge2
  device-name bridge2
  vap-group iss2
    promiscuous-mode active
circuit SerialOne internal
  device-name Ser1
  vap-group vsx
  vap-group iss
    promiscuous-mode active
circuit SerialTwo internal
  device-name Ser2
  vap-group vsx
  vap-group iss2
    promiscuous-mode active
#
interface gigabitethernet 1/1
  logical mgtiss
    circuit mgtiss
interface gigabitethernet 4/1
  logical mgtvsx
    circuit mgtvsx
#
group-interface lan
  interface-type gigabitethernet
  mode multi-link
  circuit lan
  interface 1/2
  interface 1/3
  interface 4/2
  interface 4/3
group-interface wan
  interface-type gigabitethernet
  mode multi-link
  circuit wan
  interface 1/6
  interface 1/7
  interface 4/6
  interface 4/7
group-interface dmz
  interface-type gigabitethernet
  mode multi-link
  circuit dmz
  interface 1/4
  interface 1/5
  interface 2/4
  interface 2/5
group-interface bridge1
  interface-type gigabitethernet
  mode transparent
  circuit bridge1
  interface-internal circuit SerialOne
  group lan
group-interface bridge2
  interface-type gigabitethernet
  mode transparent
  circuit bridge2
  interface-internal circuit SerialTwo
  group dmz
#
ip route 10.0.0.0/8 192.168.0.1 vap-group iss circuit mgtiss
ip route 192.168.0.0/16 192.168.0.1 vap-group iss circuit mgtiss
ip route 10.0.0.0/8 192.168.0.1 vap-group iss2 circuit mgtiss
ip route 192.168.0.0/16 192.168.0.1 vap-group iss2 circuit mgtiss


Individual Management Circuits

Multiple VAP groups are often managed through individual physical connections to the modules. With serialized applications it is usually more efficient to manage both VAP groups through a single physical interface that is split internally. However, if you expect a high level of log activity on your management circuit, you can define separate physical management circuits instead. The following example creates an individual management circuit for each VAP group.

NOTE: VSX automatically assigns the IP address for its management circuit during application installation, which is why no ip statement appears under the mgmtvsx circuit below.

circuit mgmtiss
  device-name mgmtiss
  vap-group iss
    management-circuit
    ip 172.16.19.62/24
    increment-per-vap 172.16.19.65
circuit mgmtvsx
  device-name mgmtvsx
  vap-group vsx

Multi-System High Availability Using VRRP

Multi-system high availability for the serialized topology is configured by creating nearly identical configurations on multiple systems. The only differences are the IP addresses and the priority value of the failover group. The systems are linked by a physical connection to the CPM through either the High Availability (HA) link or the management port.

IMPORTANT: For a high availability configuration to function, you must create identical VAP group and IP flow rule configurations on each X-Series system. In addition, each circuit must use the same circuit name, device name, and interface name on each system. When circuits are related to the ISS VAP group, the circuit IDs must also match on both systems.

To configure high availability with Check Point VPN-1 Power VSX NGX R65 as part of a serialized topology on an X-Series platform, this guide uses the Virtual Router Redundancy Protocol (VRRP). The information in this section builds on the configurations already described in this guide. The steps in sections 5.1 through 5.4 should be performed during the configuration process (either single interface or MLT) provided in Chapter 2. The final section, Configure Next Hop Health Check on page 54, must be completed after the installation and configuration of the VSX application, because it depends on circuit names that VSX generates.

The configuration steps in this chapter are specific to configuring two systems for dual-box high availability (DBHA):

Configure the Remote System ID and IP Address on page 50.
Assign a Physical Interface to the Internal Synchronization Circuit on page 51, so that the two VSX VAP groups can communicate from one system to the other through a synchronized network.
Configure the VRRP Failover Groups on page 51. Create a failover group on each system.
Enable VRRP on the VAP Group on page 53. Enable VRRP and set the priority delta.
Configure Next Hop Health Check on page 54. Once the Check Point VPN-1 Power VSX NGX R65 application has been installed and configured, set the next hop health check.

For additional information about VRRP and high availability, see Chapter 12, Multi-System High Availability, in the XOS Configuration Guide.
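
The consistency rules above are easy to violate by hand: one circuit renamed, one device name transposed, and the failover group never pairs. The following Python script is an added example, not part of this guide or of XOS; it compares two running configurations in the indented layout this guide uses and reports every block that differs apart from what DBHA permits (circuit IP addresses and the failover-group priority), and it checks that the remote-box system IDs are unique. The two sample configurations are constructed for the example, and the running-config form of the remote-box line is an assumption.

```python
"""Added example (not from the Crossbeam guide): check two X-Series running
configurations against the DBHA consistency rules. Only circuit IP addresses
and the failover-group priority may differ; VAP groups, IP flow rules,
circuit names, device names and interface names must match, and the
remote-box IDs must be unique. Sample configs below are constructed."""


def parse_blocks(text):
    """Map each top-level config line (column 0) to the list of indented lines
    beneath it. Separator lines ('#') and blank lines are ignored."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if raw[0] not in " \t":          # new block, e.g. 'circuit wan'
            current = line
            blocks[current] = []
        elif current is not None:        # child line, e.g. 'device-name wan'
            blocks[current].append(line)
    return blocks


def _site_specific(header, line):
    """Child lines that DBHA allows to differ between the two systems."""
    keyword = line.split()[0]
    if header.startswith("circuit ") and keyword in ("ip", "increment-per-vap"):
        return True
    return header.startswith("vrrp failover-group ") and keyword == "priority"


def normalize(blocks):
    """Drop site-specific lines so the remainder can be compared verbatim.
    remote-box lines are handled separately because they must differ."""
    return {h: [ln for ln in kids if not _site_specific(h, ln)]
            for h, kids in blocks.items() if not h.startswith("remote-box ")}


def remote_box_ids(text):
    """IDs from 'remote-box <id> <cpm-ip>' lines (running-config layout assumed)."""
    return {int(h.split()[1]) for h in parse_blocks(text) if h.startswith("remote-box ")}


def dbha_diff(cfg_a, cfg_b):
    """Return a list of mismatches that would break DBHA; an empty list means OK."""
    a, b = normalize(parse_blocks(cfg_a)), normalize(parse_blocks(cfg_b))
    problems = []
    for header in sorted(set(a) | set(b)):
        if header not in b:
            problems.append(f"{header}: missing on system B")
        elif header not in a:
            problems.append(f"{header}: missing on system A")
        elif a[header] != b[header]:
            problems.append(f"{header}: {a[header]} != {b[header]}")
    if not remote_box_ids(cfg_a).isdisjoint(remote_box_ids(cfg_b)):
        problems.append("remote-box: system IDs must be unique (5.1)")
    return problems


# Constructed sample: system A follows the guide's single-interface topology.
SYSTEM_A = """\
remote-box 20 172.16.1.20
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
  load-balance-vap-list 1 2 3
circuit SerialOne internal
  device-name Ser1
  vap-group iss
    promiscuous-mode active
  vap-group vsx
circuit mgmt
  device-name mgmt
  vap-group iss
    ip 172.16.19.62/24
    increment-per-vap 172.16.19.65
  vap-group vsx
interface gigabitethernet 4/2
  logical sync
    circuit sync
vrrp failover-group vrrp_vsx failover-group-id 200
  priority 200
  monitor-interface gigabitethernet 1/1
  virtual-router vrrp-id 10 circuit wan
    priority-delta 2
    mac-usage vrrp-mac
    vap-group vsx
"""

# System B: different IPs and priority (allowed) plus one deliberate
# mismatch, device-name Ser2, which the check must report.
SYSTEM_B = (SYSTEM_A
            .replace("remote-box 20 172.16.1.20", "remote-box 10 172.16.1.10")
            .replace("172.16.19.62/24", "172.16.19.72/24")
            .replace("172.16.19.65", "172.16.19.75")
            .replace("priority 200", "priority 100")
            .replace("device-name Ser1", "device-name Ser2"))

if __name__ == "__main__":
    for problem in dbha_diff(SYSTEM_A, SYSTEM_B) or ["DBHA configuration consistent"]:
        print(problem)
```

Run it against the output of show running-config from each CPM (saved to a file on each side) before bringing the failover group up; the check is deliberately strict, so a reported difference is something to fix or consciously accept, not noise.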


Figure 19. Dual-Box High Availability

5.1 Configure the Remote System ID and IP Address

From each system, configure the remote system ID and IP address. The remote system ID identifies the other system; in this example it is 20. The IP address is the address of the CPM on the other system. Return to the main CLI context after completing the command.

IMPORTANT: When configuring multiple systems for high availability, each system must have a unique ID. If systems are configured with duplicate IDs, you run the risk of identical MAC addresses on a given circuit.

Command:
CBS# configure remote-box 20 172.16.1.20
CBS(conf-remote-box)# end
CBS#


5.2 Assign a Physical Interface to the Internal Synchronization Circuit

interface gigabitethernet 4/2
  logical sync
    circuit sync

In the following section you will create this portion of the configuration.

This physical interface provides an external link to the internal synchronization circuit within the VSX VAPs. It is this connection that allows the VSX VAP groups on separate systems to communicate with one another. Return to the main CLI context after completing the command.

Command:
CBS# configure interface gigabitethernet 4/2
CBS(conf-intf-gig)# logical sync
CBS(intf-gig-logical)# circuit sync
CBS(intf-gig-logical)# end

5.3 Configure the VRRP Failover Groups

A failover group is a grouping of one or more virtual routers. A virtual router (VR) identifies the circuits and their associated VAP groups for high availability. Only a failover group, not the entire system or an individual VAP group, can fail over to a standby failover group on another system.

In the following section you will create this portion of the configuration on each system.

vrrp failover-group vrrp_vsx failover-group-id 200
  priority 200
  monitor-interface gigabitethernet 1/1
  virtual-router vrrp-id 10 circuit wan
    priority-delta 2
    mac-usage vrrp-mac
    vap-group vsx
  virtual-router vrrp-id 20 circuit SerialOne
    priority-delta 2
    mac-usage vrrp-mac
    vap-group vsx

Configure the VRRP failover groups on each system. The configurations should be identical except for the priority value. The system with the lower value assumes the backup status.

5.3.1 Create the failover group vrrp_vsx

Create the failover group by assigning it a name (vrrp_vsx) and an ID. The ID must be unique on this system and must be the same as its counterpart failover group on the other system.

Command:
CBS# configure vrrp failover-group vrrp_vsx failover-group-id 200
CBS(conf-vrrp-failover-group)#


5.3.2 Set the VRRP priority

Set the VRRP priority. Valid values are 1 to 255; the default is 100. The chassis whose failover group has the highest priority becomes the master for that failover group. Certain events, such as a link failure or a change in VAP group member count, decrement the priority. A chassis failover occurs if a failover group's priority drops below the priority of the failover group on the other chassis.

Command:
CBS(conf-vrrp-failover-group)# priority 200
CBS(conf-vrrp-failover-group)#

5.3.3 Determine which interface to monitor and set a priority-delta for each one

Determine which interface to monitor and set the priority-delta. In this serialized topology, the physical interface used in the transparent (bridge) mode group-interface is specified. If there are additional bridge-mode group interfaces, specify their interfaces here as well. The priority-delta decrements the failover group's VRRP priority whenever the interface fails.

Command:
CBS(conf-vrrp-failover-group)# monitor-interface gigabitethernet 1/1
CBS(conf-vrrp-failover-group)#

5.3.4 Create a virtual router template

Create a virtual router, assign it an ID, and attach it to an existing circuit. VSX uses this template for creating and configuring virtual routers. The prompt changes to the virtual-router context, where the next three steps are performed.

Command:
CBS(conf-vrrp-failover-group)# virtual-router vrrp-id 10 circuit wan
CBS(conf-vrrp-failover-group-virtual-router)#

5.3.5 Specify MAC usage on the VRRP virtual router (VR)

Specify MAC usage for VRRP.

Command:
CBS(conf-vrrp-failover-group-virtual-router)# mac-usage vrrp-mac
CBS(conf-vrrp-failover-group-virtual-router)#

5.3.6 Assign a priority-delta to the virtual router

Assign a priority-delta to the VR. The priority-delta decrements the failover group's VRRP priority whenever an interface on the VR fails. The priority-delta can be 1 to 255; the default is 1. The priority-delta is added back to the priority when the interface returns to the Up state.

Command:
CBS(conf-vrrp-failover-group-virtual-router)# priority-delta 2
CBS(conf-vrrp-failover-group-virtual-router)#


5.3.7 Specify the VAP group of the VR

Specify the VAP group of the VR. The circuit named in step 5.3.4 above must already be mapped to the VAP group. Then exit the context to prepare for the next step.

Command:
CBS(conf-vrrp-failover-group-virtual-router)# vap-group vsx
CBS(conf-vrrp-failover-group-virtual-router)# exit
CBS(conf-vrrp-failover-group)#

5.3.8 Configure the internal circuit for serialization as part of the failover group

  virtual-router vrrp-id 20 circuit SerialOne
    priority-delta 2
    mac-usage vrrp-mac
    vap-group vsx

Repeat steps 5.3.4 through 5.3.7, using vrrp-id 20 and circuit SerialOne, to include the internal circuit for serialization in the failover group.

5.4 Enable VRRP on the VAP Group

vrrp vap-group vsx
  failover-group-list vrrp_vsx
  hold-down-timer 60
  priority-delta 50

In the following section you will create this portion of the configuration.

Once the failover group is configured and the VAP group is added to the failover group list, configure the VAP group for high availability.

5.4.1 Configure the VSX VAP group for failover

Enable VRRP on the vsx VAP group.

Command:
CBS# configure vrrp vap-group vsx
CBS(conf-vrrp vap-group)#

5.4.2 Specify the failover group list

Assign the failover group to the VAP group's failover group list.

Command:
CBS(conf-vrrp vap-group)# failover-group-list vrrp_vsx
CBS(conf-vrrp vap-group)#

5.4.3 Set the hold down timer

Use hold-down-timer to make a VAP group wait between 1 and 3600 seconds before becoming the VRRP master. This prevents an application from dropping connections should a rapid failover occur from master to backup and back to master.

Command:
CBS(conf-vrrp vap-group)# hold-down-timer 60
CBS(conf-vrrp vap-group)#


5.4.4 Set the priority delta for the group and return to the main CLI context

Assign a priority-delta to the VAP group. Unlike the per-virtual-router deltas set in 5.3.6, this delta is applied to the failover group's VRRP priority when the VAP group itself is affected (the change in VAP group member count noted in 5.3.2). The priority-delta can be 1 to 255; the default is 1. The priority-delta is added back to the priority when the condition clears. 50 is used here as an example; choose it so that losing the VAP group, unlike losing a single monitored link, is enough to drop the priority below the other system's value.

Command:
CBS(conf-vrrp vap-group)# priority-delta 50
CBS(conf-vrrp vap-group)# end
CBS#

NOTE: Before continuing to the next step, you must complete the installation and configuration of Check Point VPN-1 Power VSX NGX R65.
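
The values in 5.3.2 through 5.4.4 only work together if the deltas are sized against the gap between the two systems' priorities. The following Python model is an added example, not part of this guide or of XOS; it applies the priority arithmetic exactly as the guide states it (deltas subtracted while a monitored item is down and added back on recovery, the VAP group delta on member loss, failover when the master's priority drops below the other system's, and the hold-down timer before a recovered system becomes master again) to the guide's values, so you can see which events actually cause a failover. The peer priority of 150, the event sequence, and the assumption that the hold-down period restarts at each recovery are the example's own.

```python
"""Added example (not from the Crossbeam guide): model of the VRRP priority
arithmetic described in steps 5.3.2 through 5.4.4, used to sanity-check
priority and priority-delta choices before committing them. Assumptions
(not stated in the guide): peer priority 150; hold-down restarts on every
recovery event; no lower bound is applied to the computed priority."""
from dataclasses import dataclass, field


@dataclass
class FailoverGroup:
    name: str
    priority: int                 # configured base priority, 1-255 (5.3.2)
    deltas: dict                  # monitored item -> priority-delta (5.3.3, 5.3.6)
    vap_group_delta: int          # vrrp vap-group priority-delta (5.4.4)
    hold_down: int                # hold-down-timer in seconds (5.4.3)
    down: set = field(default_factory=set)
    vap_members_lost: bool = False

    def effective_priority(self) -> int:
        """Base priority minus the delta of every item currently down."""
        p = self.priority - sum(self.deltas[item] for item in self.down)
        if self.vap_members_lost:
            p -= self.vap_group_delta
        return p


class DbhaPair:
    """Two systems sharing one failover-group definition (Figure 19)."""

    def __init__(self, a: FailoverGroup, b: FailoverGroup):
        self.groups = {a.name: a, b.name: b}
        self.now = 0
        self.hold_until = {a.name: 0, b.name: 0}
        self.master = max(self.groups.values(),
                          key=lambda g: g.effective_priority()).name

    def _standby(self):
        return next(n for n in self.groups if n != self.master)

    def _elect(self):
        # Standby takes over only if its priority is higher AND its hold-down
        # period (started by its last recovery) has expired.
        m, s = self.groups[self.master], self.groups[self._standby()]
        if (s.effective_priority() > m.effective_priority()
                and self.now >= self.hold_until[s.name]):
            self.master = s.name
        return self.master

    def link_down(self, name, item):
        self.groups[name].down.add(item)
        return self._elect()

    def link_up(self, name, item):
        g = self.groups[name]
        g.down.discard(item)
        self.hold_until[name] = self.now + g.hold_down   # assumption: restarts
        return self._elect()

    def vap_lost(self, name):
        self.groups[name].vap_members_lost = True
        return self._elect()

    def vap_restored(self, name):
        g = self.groups[name]
        g.vap_members_lost = False
        self.hold_until[name] = self.now + g.hold_down
        return self._elect()

    def tick(self, seconds):
        self.now += seconds
        return self._elect()


def guide_values(name, priority):
    """The deltas configured in 5.3.3, 5.3.6, 5.3.8 and 5.4.4 of this guide."""
    return FailoverGroup(name, priority,
                         {"gigabitethernet 1/1": 2, "vrrp-id 10 wan": 2,
                          "vrrp-id 20 SerialOne": 2},
                         vap_group_delta=50, hold_down=60)


def worst_case_priority(group: FailoverGroup) -> int:
    """Priority if every monitored item and the VAP group fail at once."""
    return group.priority - sum(group.deltas.values()) - group.vap_group_delta


def run_scenario():
    """Return the master after each event of a constructed scenario: a link
    failure, a VAP loss, recovery, and the hold-down period."""
    pair = DbhaPair(guide_values("local", 200), guide_values("peer", 150))
    return [
        pair.master,                                    # local: 200 > 150
        pair.link_down("local", "gigabitethernet 1/1"),  # local 198, still master
        pair.vap_lost("local"),                         # local 148 < 150: peer
        pair.vap_restored("local"),                     # local 198, hold-down running
        pair.link_up("local", "gigabitethernet 1/1"),   # local 200, still in hold-down
        pair.tick(60),                                  # hold-down expired: local again
    ]


if __name__ == "__main__":
    print(run_scenario())
```

With these values a single monitored link failing (delta 2) never moves the master, and even all three monitored items failing together (delta 6) leaves the local system at 194, still above the peer; only the VAP group delta of 50 crosses the 50-point gap. If you want a link loss on the bridge interface alone to trigger failover, the per-interface delta has to exceed the priority gap between the two systems.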

5.5 Configure Next Hop Health Check

vrrp failover-group vrrp_vsx failover-group-id 200
  virtual-router vrrp-id 22 circuit vsx_ckt_vsx_internal_ser1_3001
    vap-group vsx
      verify-next-hop 10.10.1.10

In the following section you will create this portion of the configuration.

For the VSX VAP group to use VRRP, the application must be able to monitor the physical interfaces on either end of the topology. The VSX VAP group can monitor the physical interface to which it is attached; the ability to monitor the physical interface connected to the ISS VAP group was configured in step 5.3.3. The next hop health check is an optional setting that verifies IP connectivity from the VSX VAP group, through the ISS VAP group, out to the next hop gateway. Using both physical interface monitoring and the next hop health check is highly recommended: interface monitoring reacts to a failed link, while the next hop check also covers a path whose links are up but which no longer forwards traffic through the ISS VAP group.

After installing and configuring the Check Point VPN-1 Power VSX NGX R65 application, return to the command line interface and perform the following tasks.

5.5.1 View the VSX VAP group

Use the show run command to display the APM running configuration. To configure the next hop health check you will need information about the internal circuit for serialization between the VSX VAP group and the ISS VAP group.

Command:
CBS# show run

5.5.2 Select the internal circuit that connects the two VAP groups

Under the VRRP failover group configured previously, find the internal circuit that connects the VSX VAP group and the ISS VAP group.

NOTE: The Check Point application appends information to the circuit name for internal identification. Identify a usable circuit by looking for the following:
The name of the VSX application VAP group (in this guide, vsx)
The name of the internal circuit for serialization (in this guide, ser1)
The VLAN ID you assigned to the circuit using the VSX GUI during application installation and configuration (in this example, 3001)


In this sample configuration copied from the running configuration, those three components (vsx, ser1 and 3001) make up the circuit name vsx_ckt_vsx_internal_ser1_3001:

  virtual-router vrrp-id 22 circuit vsx_ckt_vsx_internal_ser1_3001
    priority-delta 2
    mac-usage vrrp-mac
    backup-stay-up
    vap-group vsx
      ip 10.10.1.1 255.255.255.0 10.10.1.255

5.5.3 Enter the VRRP failover group context

Enter the failover group configured previously; the next hop health check is added to the virtual router identified above.

Command:
CBS# configure vrrp failover-group vrrp_vsx failover-group-id 200
CBS(conf-vrrp-group)#

5.5.4 Specify the virtual router

Specify the virtual router on the VSX-named internal circuit.

Command:
CBS(conf-vrrp-group)# virtual-router vrrp-id 22 circuit vsx_ckt_vsx_internal_ser1_3001
CBS(conf-vrrp-failover-vr)#

5.5.5 Change context to the VAP group of the virtual router

Change context to prepare for the next step.

Command:
CBS(conf-vrrp-failover-vr)# vap-group vsx
CBS(conf-vrrp-vr-vapgroup)#

5.5.6 Configure the next hop IP, and return to the main CLI context

Configure the next hop IP check. Specify the IP address of a host external to the X-Series platform (the next hop gateway reached through the ISS VAP group) and return to the main CLI context. 10.10.1.10 is used here as an example.

Command:
CBS(conf-vrrp-vr-vapgroup)# verify-next-hop 10.10.1.10
CBS(conf-vrrp-vr-vapgroup)# end
CBS#


Chapter 5: Troubleshooting

This chapter provides information to help you optimize the configuration process and troubleshoot minor issues.

Configuration Tips
Determine your requirements: determine your specific topology requirements before beginning configuration.
Multiple CLI sessions: you may find it useful to have multiple CLI sessions running on the CPM during the configuration process. Use one window to create the configuration, and validate your input with the show running-config command in the other.
Tab key validation: use the Tab key to validate your command syntax. Type a few letters of the command and press Tab to complete it. If the command is not available or is mistyped, pressing Tab will not complete it.
[no] parameter: use the [no] form of a command to delete erroneous configuration entries.
Verify your configuration: use the show running-config command to verify your configuration at any point during the process. Review the configuration for transposed letters or numbers; these errors are easily overlooked and can cause unpredictable results.
Context-sensitive help: use the question mark from the command line to view the previously configured options. For example, use configure circuit ? to view all previously configured circuits and command options.

Troubleshooting
Any time you open a support case with Crossbeam Technical Support, make sure you run the command show tech-support and have the results available.

Application Installation
Some things to check if you are having application install issues.

With Proventia Network IPS:
Make sure the correct APMs are being used (see Proventia Network IPS Requirements on page 12).
Verify that the ISS management circuit exists and is correctly configured (see Step 2.5.3 on page 25).

With VSX NGX R65:
Verify that the management circuit exists and is correctly configured (see Step 2.5.1 on page 24).
Use show circuit <name> to verify that the internal sync circuit is correctly configured (see Internal Circuit for Synchronization on page 22).

Management Communications
If there are issues with management communications from the VAPs, verify that the appropriate routing is in place and, if a domain name server (DNS) is needed, that it is reachable and all configuration information is correct.

VAP Traffic Issues


For traffic issues with the Proventia Network IPS VAP:

Proventia Network IPS has its own tcpdump: /etc/iss/usr/sbin/tcpdump -i provg_1.
IMPORTANT: This performs a tcpdump on all VLANs and all bridges of the IPS blade. In a busy environment this has a significant impact on the system; the use of tcpdump filter expressions is highly recommended.
Run the command ifconfig and review the statistics.
Check LMI/SP for drops.
Use the Proventia Manager to check for dropped traffic.

For traffic issues with the VSX NGX R65 VAP:

Perform a regular tcpdump on each interface.
NOTE: VSX uses Check Point SecureXL, which may prevent traffic from being seen on the egress interfaces. Should tcpdump be required on a given VS, run fw accel vs x off before the tcpdump.
Any time you perform VAP group troubleshooting, make sure you are in the right VS context (vsx set_x).
Make sure the correct policy is installed (vsx stat -v).
Review the FW log for dropped traffic.


Troubleshooting from the Command Line


Use these show commands to validate your configuration and pinpoint trouble areas.

show chassis
show module status <ap> [disk/memory/etc]
show ap-vap-mapping
show vap-group <name>
show application vap-group <name>
show run
show flow active source-address <address>
show flow-path active verbose source-address <address>
show flow distribution
show interface <name>
show group-interface <name>
show alarms
show logging console level <name>
show cp-redundancy
show redundancy-interface


Appendix A
Sample Configurations
This appendix provides the configuration generated by following the steps in Chapter 2. Use this appendix for reference, or in place of the steps.

Configuration of the Single Physical Interface Topology


This section provides the full configuration using the single physical interface steps described in Chapter 2.

#
vap-group iss xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap3 ap4 ap5
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
ip-flow-rule iss_lb
  action load-balance
  activate
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
#
circuit bridge
  device-name bridge
  vap-group iss
    promiscuous-mode active
circuit SerialOne internal
  device-name Ser1
  vap-group iss
    promiscuous-mode active
  vap-group vsx
circuit wan
  device-name wan
  vap-group vsx
circuit sync internal
  device-name sync
  vap-group vsx
circuit mgmt
  device-name mgmt
  vap-group iss
    ip 172.16.19.62/24
    increment-per-vap 172.16.19.65
  vap-group vsx
#
interface gigabitethernet 1/2
  logical wan
    circuit wan
interface gigabitethernet 1/5
  logical mgmt
    circuit mgmt
#
group-interface L2Br
  interface-type gigabitethernet
  mode transparent
  circuit bridge
  interface-internal circuit SerialOne
  interface 1/1
    device-name lan
#

Configuration of the MLT Group Interface Topology


This section provides the full configuration using the MLT group interface steps described in Chapter 2, Section 4.0 Configure the MLT Group Interfaces on page 31.

#
vap-group iss xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap3 ap4 ap5
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
ip-flow-rule iss_lb
  action load-balance
  activate
vap-group vsx xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
#
circuit lan
  device-name lan
  vap-group iss
    promiscuous-mode active
circuit bridge
  device-name bridge
  vap-group iss
    promiscuous-mode active
circuit SerialOne internal
  device-name Ser1
circuit wan
  device-name wan
  vap-group vsx
circuit sync internal
  device-name sync
  vap-group vsx
circuit mgmt
  device-name mgmt
  vap-group iss
    ip 172.16.19.62/24
    increment-per-vap 172.16.19.65
  vap-group vsx
#
group-interface lan
  interface-type gigabitethernet
  mode multi-link
  circuit lan
  interface 1/1
  interface 1/2
  interface 1/3
group-interface bridge
  interface-type gigabitethernet
  mode transparent
  circuit bridge
  interface-internal circuit SerialOne
  group lan
group-interface wan
  interface-type gigabitethernet
  mode multi-link
  circuit wan
  interface 2/1
  interface 2/2
  interface 2/3
#
