check point 防火墙安装配置资料

来源：小侦探旅游网

Check Point for Nokia IPSO

Getting Started Guide

Check Point NGX R60Nokia IPSO 3.9 and later

Part No. N450000199 Rev 001

Published April 2006

Rights reserved under the copyright laws of the United States.RESTRICTED RIGHTS LEGEND

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR52.227-19.IMPORTANT NOTE TO USERS

This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or

consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

Nokia reserves the right to make changes without further notice to any products herein.TRADEMARKS

Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.

060101

2Check Point for Nokia IPSO Getting Started Guide

Nokia Contact InformationCorporate HeadquartersWeb SiteTelephoneFaxMail Address

http://www.nokia.com1-888-477-4566 or 1-650-625-20001-650-691-2170

Nokia Inc.

313 Fairchild Drive

Mountain View, California94043-2215 USA

Regional Contact Information Americas

Tel: 1-877-997-9199Nokia Inc.

Outside USA and Canada: +1 512-437-7089313 Fairchild Drive

Mountain View, CA 94043-2215email: info.ipnetworking_americas@nokia.comUSA

Tel: UK: +44 161 601 8908Tel: France: +33 170 708 166

email: info.ipnetworking_emea@nokia.comTel: +65 6588 3364

email: info.ipnetworking_apac@nokia.com

Nokia House, Summit AvenueEurope,

Middle East, Southwood, Farnborough

Hampshire GU14 ONG UKand Africa

Asia-Pacific438B Alexandra Road

#07-00 Alexandra TechnoparkSingapore 119968Nokia Customer SupportWeb Site:Email:

https://support.nokia.com/tac.support@nokia.com

Americas EuropeVoice:Fax:Asia-PacificVoice:Fax:

+65-67232999+65-67232897

050602

1-888-361-5030 or 1-613-271-67211-613-271-8782

Voice:Fax:

+44 (0) 125-286-8900+44 (0) 125-286-5666

Check Point for Nokia IPSO Getting Started Guide3

4Check Point for Nokia IPSO Getting Started Guide

Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7In This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Conventions This Guide Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Preparing for Installation and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .11Basic VPN-1 Pro and Check Point Express Components . . . . . . . . . . . . . . . . . . . . 11Using Nokia Horizon Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Installation and Configuration Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12Basic Steps for Installing and Configuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Determining Nokia IPSO and Check Point Software Versions. . . . . . . . . . . . . . . . . 14Checking the Nokia IPSO Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Checking the Installed Check Point Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Preparing the Nokia IP Security Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Preparing an IP265 Security Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Preparing the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Obtaining Check Point Licensing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Installing Check Point NGX R60 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Downloading NGX R60 Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19Installing the NGX R60 Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20Installing HotFix Accumulators on Flash-based Platforms. . . . . . . . . . . . . . . . . . . . 243

Performing the Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25Using Nokia Horizon Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Using the Check Point Configuration Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25About the Initial Firewall Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Configuring a Standalone Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27Configuring a Distributed Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Enabling SecureXL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Check Point for Nokia IPSO Getting Started Guide5

Installing SmartConsole NGX R60 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33Upgrading to Check Point NGX R60. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37Upgrade Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37Obtaining the Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38Upgrading Security Platforms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Expanding the IP265 Flash Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Installing HotFix Accumulators on Flash-based Platforms . . . . . . . . . . . . . . . . . . . 43Reverting to Previous Check Point Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

6Check Point for Nokia IPSO Getting Started Guide

About This Guide

This guide describes how to install, initially configure, and upgrade to Check Point NGX R60 on a Nokia IP security platform running IPSO 3.9 or later. This guide is not intended to be a

complete guide to configuring or managing Check Point services. For information about these subjects, see the Check Point Getting Started Guide and additional documentation available from the Check Point Web site.

At the time of this document’s publication, NGX R60 is supported on IPSO 3.9, 4.0, 4.0.1, and 4.1. For the latest information on which IPSO releases are supported with Check Point NGX R60, see the Nokia support Web site.

This preface provides the following information:

󰂄󰂄󰂄

In This Guide

Conventions This Guide UsesRelated Documentation

In This Guide

This guide is organized into the following chapters:

󰂄

Chapter 1, “Preparing for Installation and Configuration,” provides an overview of the installation process and describes how to prepare to install and configure NGX R60.Chapter 2, “Installing Check Point NGX R60,” describes how to use Nokia Network Voyager or the newpkg IPSO command to install the Check Point applications on your platform.

Chapter 3, “Performing the Initial Configuration,” describes how to use the cpconfig utility to perform the initial configuration.

Chapter 4, “Installing SmartConsole NGX R60,” describes how to install the Check Point SmartConsole, the SmartCenter GUI clients, on a Microsoft Windows system.

Chapter 5, “Upgrading to Check Point NGX R60,” describes how to upgrade to Check Point NGX R60 from Check Point NG with Application Intelligence or Check Point NG.

To perform a new installation and configuration of NGX R60 on a Nokia platform, read all of the chapters in this guide except Chapter 5. If your Nokia platform comes with NGX R60 installed, you can skip Chapter 2. If you are upgrading to NGX R60 from an earlier version of the Check Point software, you can skip directly to Chapter 5.

Check Point for Nokia IPSO Getting Started Guide7

Note

If you do not know which version of Check Point software is installed on your platform, see “Determining Nokia IPSO and Check Point Software Versions” on page14.

Conventions This Guide Uses

The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.

Notices

Note

Notes provide information of special interest or recommendations.

Text Conventions

The following table describes the text conventions this guide uses.

Convention

Description

Indicates command syntax, or represents computer or screen output, for example:

monospace fontLog error 12453bold monospace font

Key names

Indicates text you enter or type, for example:

# cpconfig

Keys that you press simultaneously are linked by a plus sign (+):Press Ctrl + Alt + Del.

Menu commands are separated by a greater than sign (>):Choose File > Open.

Enter indicates you type something and then press the Return or Enter key.

Do not press the Return or Enter key when an instruction says type.

•Emphasizes a point or denotes new terms at the place where they are defined in the text.

•Indicates an external book title reference.•Indicates a variable in a command: newpkg file_name.tgzMenu commands

The words enter and type

Italics

8Check Point for Nokia IPSO Getting Started Guide

Related Documentation

For more information about Check Point NGX R60, see the appropriate guides available at the Check Point Product Documentation Web site at http://www.checkpoint.com.

For more information about how to configure and manage a Nokia IP security platform, see:

󰂄󰂄󰂄󰂄

The IPxxx Series Installation Guide for your security platform

The Nokia Network Voyager Reference Guide for your IPSO releaseThe Getting Started Guide and Release Notes for your IPSO releaseThe CLI Reference Guide for your IPSO release

These documents are available at the Nokia Support site at http://support.nokia.com.

Check Point for Nokia IPSO Getting Started Guide9

10Check Point for Nokia IPSO Getting Started Guide

Preparing for Installation and Configuration

This chapter describes how to prepare for first-time installation and configuration of Check Point NGX R60 on a Nokia IP security platform. This chapter contains the following topics:

󰂄󰂄󰂄󰂄󰂄󰂄󰂄󰂄󰂄

Basic VPN-1 Pro and Check Point Express ComponentsUsing Nokia Horizon Manager

Installation and Configuration OverviewBasic Steps for Installing and Configuring

Determining Nokia IPSO and Check Point Software VersionsPreparing the Nokia IP Security PlatformPreparing an IP265 Security PlatformPreparing the Network

Obtaining Check Point Licensing

Basic VPN-1 Pro and Check Point Express Components

The Check Point NGX R60 applications include management products, gateway products, and client software. This guide focuses on the Check Point Enterprise/Pro and Check Point Express products, which consist of three main components:

󰂄

Enforcement module—the VPN-1 Pro gateway or VPN-1 Express gateway module that enforces the Check Point security policy.

Management server—the SmartCenter server that maintains the databases of network object definitions, user definitions, policies, and log files for any number of enforcement modules.

Note

You can manage VPN-1 gateways using either SmartCenter or Provider-1/SiteManager-1. This guide focuses on SmartCenter, which can be installed on a Nokia IP security platform. For information on installing and configuring Provider-1/SiteManager-1, see the Check Point documentation.

Check Point for Nokia IPSO Getting Started Guide11

1 Preparing for Installation and Configuration

󰂄

SmartConsole—contains GUI applications that manage different aspects of the security policy. SmartConsole includes the SmartDashboard, which provides a GUI interface for the administrator to define network objects, users, and policies.

VPN-1 Enterprise/Pro and Check Point Express were formerly known as VPN-1/FireWall-1. VPN-1 Enterprise/Pro is for companies with more than 500 employees. Check Point Express is for businesses with up to 500 employees and multiple sites. When you perform the initial configuration, you choose whether to install VPN-1 Enterprise/Pro or Check Point Express.This document describes how to install and initially configure the enforcement module, the SmartCenter server, or both on a Nokia platform. It also describes how to install the SmartConsole on a Microsoft Windows system.

Note

For information on how to install the Check Point components on other platforms, see the Check Point Getting Started Guide.

Using Nokia Horizon Manager

Nokia Horizon Manager is a secure GUI-based software-image management application. With Horizon Manager, you can securely install and upgrade the Nokia IPSO operating system and Check Point packages. Nokia Horizon Manager can perform installations and upgrades on up to 2,500 Nokia IP security platforms, offering administrators the most rapid and dependable upgrade to Check Point NGX R60.

If you plan to use Nokia Horizon Manager to install or upgrade and configure NGX R60, see the Nokia Horizon Manager documentation on the Nokia Support site: http://support.nokia.com.For information about how to obtain Nokia Horizon Manager, see the “Nokia Contact Information” on page3.

Installation and Configuration Overview

The order in which you install and configure components depends on whether you choose a distributed or a standalone deployment of the components:

󰂄

In a distributed deployment, the SmartCenter server and the enforcement modules are on separate nodes.

In a standalone deployment, the SmartCenter server and the enforcement module are on a single node.

Note

You must use a distributed deployment for Nokia platforms that are members of an IP cluster or VRRP virtual router. Only enforcement modules should be installed on these platforms.

Install and configure the components in the following order.

12Check Point for Nokia IPSO Getting Started Guide

Basic Steps for Installing and Configuring

Distributed Deployment:

1.Install and configure the SmartCenter server.2.Install SmartConsole on the Microsoft Windows hosts.3.Install and configure the enforcement module or modules.Standalone Deployment:

1.Install and configure the SmartCenter server and enforcement module on the same platform.2.Install the SmartConsole on the Microsoft Windows hosts.

The SmartCenter component and the VPN-1 Pro/Express enforcement component are installed using the same software package. If NGX R60 is already installed on your Nokia IP security platform, you do not need to install this package, but you do need to enable the package and perform the initial configuration. During the initial configuration, you specify which component is deployed on the platform.

These high-level steps are described in more detail in the rest of this guide.

Basic Steps for Installing and Configuring

Figure1 shows the main steps you take to install VPN-1 Enterprise/Pro or Check Point Express on your Nokia platform.

Check Point for Nokia IPSO Getting Started Guide13

1 Preparing for Installation and Configuration

Figure 1 Firewall Installation and Configuration Steps

After you finish the installation and configuration, you can use the SmartDashboard application to define the network objects, users, and Security Policy. For more information, see the Check Point documentation.

Determining Nokia IPSO and Check Point Software Versions

To run NGX R60, you must have Nokia IPSO 3.9 or later running on your Nokia platform. For current information on which IPSO versions are supported, see the Nokia support Web site. It is important to verify that you have the correct IPSO version before you perform the installation and configuration.

Your platform might have NGX R60, an earlier version of Check Point software, or no Check Point applications installed. The software on your platform determines whether you need to skip the NGX R60 installation steps or perform a new installation.

14Check Point for Nokia IPSO Getting Started Guide

Preparing the Nokia IP Security Platform

Checking the Nokia IPSO Version

To determine the IPSO version on your platform, log in to the platform by using Nokia Network Voyager. The Software Release field in the summary table on the home Network Voyager page shows the IPSO version your platform is running.

If your platform is not running IPSO 3.9 or later, upgrade the operating system or perform a fresh installation. For instructions on how to do so, see the Getting Started Guide and Release Notes for the IPSO version you are installing. The release notes are available on the Nokia Support site: http://support.nokia.com.

Checking the Installed Check Point Packages

To determine what Check Point applications are installed on your platform, log in to the platform by using Network Voyager. Navigate to the Manage Packages page:IPSO 3.9: System Configuration > Manage Installed Packages

IPSO 4.0 or later: Configuration > System Configuration > Packages > Manage Packages.The Manage Packages page lists the installed packages and the version of each package. If no Check Point applications are listed, no Check Point products are installed on your platform.

Preparing the Nokia IP Security Platform

To prepare your Nokia IP security platform for Check Point NGX R60:

󰂄

If you did not already, configure the security platform initial interface and the network interfaces. For more information, see the IPxxx Series Installation Guide for your IP security platform.

Make sure you can access the security platform by using Nokia Network Voyager and by using a console or terminal connection.

If your security policy will block HTTP access while permitting HTTPS access, enable HTTPS access on the security platform. See the Nokia Network Voyager Reference Guide for information on how to do so and how to replace the default SSL certificate.

If you need to install NGX R60, ensure that you have at least 60 MB of free disk space in the /opt directory.

Confirm that you have a static host name associated with the external IP address of the security platform.

You cannot install a Check Point Enterprise/Pro or Check Point Express license unless the external interface has a static host name associated with it.

To add a static host name

1.Connect to the security platform by using Network Voyager.2.Navigate to the Host Address Assignment page:

󰂄

IPSO 3.9: System Configuration > Host Address Assignment

Check Point for Nokia IPSO Getting Started Guide15

1 Preparing for Installation and Configuration

󰂄

IPSO 4.0 or later: Configuration > System Configuration > Host Address

3.To add a new entry, type the desired name and click Apply. 4.Select on or off as desired; however, do not turn off localhost. 5.Specify the host IP address (for example, 192.169.11.45).6.Click Apply, then click Save to make the changes permanent.

Figure 2 Example Host Address Assignment

Preparing an IP265 Security Platform

Nokia recommends that you use the external flash-memory PC card supplied with your IP265 to store the Check Point packages. Doing so frees up internal memory for firewall use.To enable the IP265 to use the external flash card for the packages

1.If NGX R60 came installed on your platform, uninstall it. The pre-installed version does not

support using the external flash for packages.

a.On the Manage Packages page in Network Voyager, disable CPinfo and then VPN-1 Pro/Express.b.Click the link for Delete Packages and delete the VPN-1 Pro/Express package.2.Install your flash-memory PC card into PC-card slot 1 or 2. Make sure the card is fully

inserted by pressing gently on it.3.In Network Voyager, select the Optional Disk Configuration page (Configuration > System

Configuration > Optional Disk). 4.Click the radio button under Packages; then click Apply and Save.

5.Wait until you see a message telling you that you should reboot the system and then reboot

the system.You can now install NGX R60 as described in Chapter 2, “Installing Check Point NGX R60.”

Preparing the Network

Ensure your network is properly configured, with special emphasis on routing:

󰂄󰂄

Ensure that each of the internal networks and the gateway can see each other. Log on to each of the hosts and ping the other hosts in the internal networks.

16Check Point for Nokia IPSO Getting Started Guide

Obtaining Check Point Licensing

󰂄

If you plan to install the management server and enforcement module on separate platforms, ensure that the management server host can ping the external IP address of the enforcement module host, and the reverse.

For gateways that are members of a VRRP virtual router or an IP cluster, please see the Nokia Network Voyager Reference Guide for Check Point considerations when setting up virtual routers or IP clusters.

Obtaining Check Point Licensing

Obtain the appropriate Check Point Enterprise/Pro or Check Point Express license from Check Point or your vendor. Start this process several days before the anticipated installation or

upgrade. If you did not purchase the Check Point software, the software will work for 15 days. You must use the Check Point User Center to register your software.

Check Point for Nokia IPSO Getting Started Guide17

1 Preparing for Installation and Configuration

18Check Point for Nokia IPSO Getting Started Guide

Installing Check Point NGX R60

This chapter describes how to install Check Point NGX R60 on a Nokia IP security platform.

󰂄

If you already have NGX R60 installed, skip this chapter and proceed to Chapter 3, “Performing the Initial Configuration.”

If you have a previous version of Check Point NG installed and configured and want to perform an upgrade, skip this chapter and proceed to Chapter 5, “Upgrading to Check Point NGX R60.”

Before You Start

Before you start the installation, make sure that:

󰂄

The Nokia IPSO version on the platform is IPSO 3.9 or a later supported version. If it is not, upgrade the operating system image as described in the Getting Started Guide and Release Notes for your IPSO version.

You have prepared your platform and network as described in “Preparing the Nokia Platform” on page10 and “Preparing the Network” on page11.

Downloading NGX R60 Software

Check Point software, documentation, and release notes are available on the Check Point Web site at http://www.checkpoint.com.

Which installation packages you should download depends on your type of platform:

󰂄

Disk-based platforms—download the following:

󰂄Comprehensive R60 wrapper for Nokia IPSO (IPSO_wrapper_R60.tgz)

Use the comprehensive wrapper to install an enforcement module or a SmartCenter server (or both) on a disk-based platform.

󰂄

SmartConsole R60

Use this package to install the SmartConsole GUIs on Microsoft Windows hosts. The package is available under the Windows OS in the Check Point Download selector for NGX R60.

󰂄

Flash-based platforms other than the IP265—download the following:

Check Point for Nokia IPSO Getting Started Guide19

2 Installing Check Point NGX R60

󰂄

VPN-1 Pro/Express NGX R60 for flash-based platforms (fw1_R60_xxxxxxxx_x_IPSO.tgz)

Use this package to install an enforcement module on a flash-based platforms. You cannot install a SmartCenter server on a flash-based platform.

󰂄󰂄

CPinfo NGX R60 Tool for IPSO platformsSmartConsole R60

Use this package to install the SmartConsole GUIs on Microsoft Windows hosts. The package is available under the Windows OS in the Check Point Download selector for NGX R60.

󰂄

IP265—Download the following:

󰂄The latest NGX R60 HFA for the IP265.

Use this package to install an enforcement module on an IP265. You cannot install a SmartCenter server on a flash-based platform.

󰂄󰂄

CPinfo NGX R60 Tool for IPSO platformsSmartConsole R60

Use this package to install the SmartConsole GUIs on Microsoft Windows hosts. The package is available under the Windows OS in the Check Point Download selector for NGX R60.

Installing the NGX R60 Software

On disk-based platforms, install the comprehensive R60 wrapper. All of the Check Point packages required for enforcement modules and management server modules are contained within the comprehensive wrapper and are automatically installed when you install the wrapper. Table1 summarizes the packages installed by the wrapper.

Table 1 Packages Installed by the Comprehensive Wrapper

Package

Check Point VPN-1 Pro/Express NGX R60Check Point R55W Compatibility Package for NGXCheck Point CPinfo

R55 Compatibility Package for NGXCheck Point Eventia Reporter NGX R60Check Point UserAuthority Server NGX R60

StatusActiveNot activeActiveNot activeNot activeNot active

20Check Point for Nokia IPSO Getting Started Guide

Installing the NGX R60 Software

On flash-based platforms, fewer packages are required since flash-based platforms host enforcement modules only. Install the following individual packages in the following order:1.The VPN-1 Pro/Express package for flash-based platforms.

To install VPN-1 Pro/Express:

󰂄󰂄

IP265—Use the latest HFA for the IP265

All other flash-based platforms—Use the VPN-1 Pro/Express NGX R60 for flash-based platforms package

2.The CPinfo package

You can use the newpkg command, the Nokia CLI, or Nokia Network Voyager to install the Check Point packages. The steps for doing so are the same for any IPSO package. You can also use Nokia Horizon Manager to automate the installation process.

This section contains detailed procedures for installing the Check Point packages using either the newpkg command or Network Voyager. For information on using the Nokia CLI, see the CLI Reference Guide. For information on using Nokia Horizon Manager, see the Nokia Horizon Manager documentation.

To install using the newpkg command

Note

On flash-based platforms:

If you plan to install from the local filesystem (that is, download the package to the platform first and then install from that directory), Nokia recommends that you use /var/tmp or a directory you create in /var as your installation directory. The installation files will be automatically deleted when you reboot the system, freeing up space in flash memory. If you plan to install from an FTP server, Nokia recommends that you delete the contents of/preserve/opt/tmp before and after you perform the installation. newpkg uses this directory to store packages while installing them. Use the following command to delete the directory contents:

rm -R /preserve/opt/tmp

1.Log in to the platform with a console connection.2.Enter newpkg to start the package installation script.

The following options appear:

1. Install from CD-ROM.

2. Install from anonymous FTP server.

3. Install from FTP server with user and password.4. Install from local filesystem.5. Exit new package installation.

3.Enter the number (1 through 4) next to the installation method to use, or enter 5 to exit.

Check Point for Nokia IPSO Getting Started Guide21

2 Installing Check Point NGX R60

If you are installing from your current working directory in the local filesystem, you can enter a period (.) when asked for the pathname to the packages.

4.The installation script guides you through the rest of the installation process.

5.On flash-based platforms, repeat steps 2 through 4 to install CPinfo after you have installed

VPN-1 Pro/Express.6.Log off the platform and then log back in.

When newpkg installs and enables packages, it sets new shell environmental variables that are necessary for executing firewall commands. However, they do not take effect until the next time you log on. For this reason, you need to log off and then log back in again before you can run cpconfig as described in the next chapter.

7.To make sure the NGX R60 packages are installed correctly, see “To confirm the

installation” on page23.To install using Nokia Network Voyager

1.In the Network Voyager navigation tree, navigate as follows:

IPSO 3.9: System Configuration > Manage Installed Packages > FTP and Install PackagesIPSO 4.0 or later: Configuration > System Configuration > Packages > Install Package2.Enter the host name or IP address of the FTP site where you downloaded the wrapper.3.Enter the directory name where the files reside on the FTP site.

4.Enter the user account and password to use when you connect to the FTP site.

If you leave these fields empty, the anonymous account is used.

Note

If you specify a user account and password, you must re-enter the password whenever you change the FTP site, FTP directory, or FTP user on future requests.

5.Click Apply.

A list of files from the specified FTP directory appears in the Site Listing field.6.Select the package from Site Listing, then click Apply.

After the download completes, the package appears in the Select a Package to Unpack box.7.Select the package, then click Apply.

The package is unpacked into the local file system.

Note

The version field in the package information always shows 3.9 regardless of the IPSO version installed.

8.Click the link: Click here to install/upgrade /opt/packages/packagename.

22Check Point for Nokia IPSO Getting Started Guide

Installing the NGX R60 Software

9.Click Yes next to Install and click Apply.

Wait until Network Voyager refreshes this page with a link to the Manage Installed Packages screen.

10.Click the link to return to the Manage Packages screen.

If you are installing the comprehensive wrapper, the installation of the applications within the comprehensive wrapper can take several minutes to complete: as long as 10 to 20 minutes on some platforms.

During the initial installation phase, the wrapper appears under the Security Applications heading. If you wait several minutes and click Apply, a warning message appears telling you that the installation is still in progress. The wrapper continues to unpack and install the Check Point applications in the package.

You can click Apply to refresh the page and monitor the installation process. When the installation is complete, the warning message disappears and the Check Point NGX R60 application packages appear in the installed packages section.

If you are installing individual packages on a flash-based platform, repeat steps 1 through 9 to install CPinfo after you install VPN-1 Pro/Express.

11.Confirm that the installation was successful, following the steps in “To confirm the

installation” on page23.The following figure shows an example of the Manage Packages page after a new installation of NGX R60 wrapper on a disk-based platform running IPSO 4.0 or later.

To confirm the installation

1.On the Manage Packages page in Network Voyager, confirm that the Check Point VPN-1

Pro/Express NGX R60 package appears under Security Applications and is enabled.2.If the package is not enabled, click On, and then click Apply and then Save.

Check Point for Nokia IPSO Getting Started Guide23

2 Installing Check Point NGX R60

3.Enable any of the other Check Point packages you want to have enabled and click Apply and

then Save.4.If you enabled packages and are logged onto the platform with a IPSO shell session, log off

and then log on again to set the environmental variables.

Note

Although you have enabled the Check Point VPN-1 Pro/Express package, firewall services do not start until you have run cpconfig, as described in the next chapter, and rebooted the platform.

After you run cpconfig and reboot, enabling/disabling the Check Point VPN-1 Pro/Express package on the Manage Packages page starts and stops the firewall services.

You are now ready to configure Check Point Enterprise/Pro or Check Point Express.

Installing HotFix Accumulators on Flash-based Platforms

Nokia recommends you follow these guidelines when installing HFAs on flash-based platforms:

󰂄

Do not download the HFAs to your home directory. Files in user home directories are

preserved after reboots and consume valuable space in flash memory. Instead, download to /var/tmp or create a directory in /var and install the HFA from there. The installation files will be automatically deleted when you reboot after installing the HFA.

After you extract the HFA files from the archive .tgz file, delete the archive file and then install the HFA as described in the HFA release notes.

24Check Point for Nokia IPSO Getting Started Guide

Performing the Initial Configuration

You must perform an initial configuration of Check Point NGX R60 before Check Point VPN-1 services are available. During this initial configuration, you:

󰂄󰂄

󰂄

Specify whether this is a Check Point Enterprise/Pro or Check Point Express installationSpecify which components to deploy on the platform you are configuring and provide some administrative information about the components you have selected

Provide information used to enable secure internal communication (SIC) between components

You can use Nokia Horizon Manager or the Check Point configuration tool, cpconfig, to perform the initial configuration.This chapter describes:

󰂄󰂄󰂄

Using Nokia Horizon Manager

Using the Check Point Configuration ToolEnabling SecureXL

Using Nokia Horizon Manager

Nokia Horizon Manager can perform the initial configuration of Check Point NGX R60

applications on multiple Nokia IP security platforms simultaneously. Nokia Horizon Manager also exchanges information with Check Point SmartCenter server to keep the Check Point database current with information about the newly added platforms.

Horizon Manager and Check Point Guide available on the Nokia Support Web site for more information.

If you are using Nokia Horizon Manager to perform the initial configuration, see the Nokia

Using the Check Point Configuration Tool

This section describes how to use the Check Point configuration tool, cpconfig, to perform the initial configuration. It provides detailed steps for configuring both standalone and distributed deployments.

Check Point for Nokia IPSO Getting Started Guide25

3 Performing the Initial Configuration

About the Initial Firewall Policy

After you use cpconfig to configure a VPN-1 Enterprise/Pro or VPN-1 Express enforcement module and reboot the platform, an initial firewall policy is loaded. This policy is based on a default filter that blocks all inbound access to the platform. While this policy is in force, you cannot access the platform remotely through a terminal connection or Nokia Network Voyager. Only SmartConsole clients are permitted access to the platform through the management server.You can use one of the following ways to regain remote terminal or web access to the platform:

󰂄

Use SmartDashboard to create and install a policy that permits the desired remote connections to the platform.

Note

Make sure that the desired access methods have also been enabled on the platform. HTTPS, for example, is disabled by default.

󰂄

From a console connection, enter the cpstop command.This stops firewall services, allowing you access to the platform with Network Voyager. When you have finished your administrative tasks, start the firewall services again with the cpstart command.

Before you run cpconfig, change the default filter on which the initial policy is based to one that permits SSH or HTTPS connections or both. Table2 shows the available default filters.

Table 2 Default Filters

Filter Filedefaultfilter.boot

Filter Description

Allows outbound traffic (originating from the firewall) and

broadcast traffic only. This is the filter used by the default initial policy.

Allows outbound traffic, broadcast traffic, and DHCPDrops all traffic in and out of the gateway

Allows inbound SSH, HTTPS, and ICMP (PING) traffic and all outbound traffic

Allows inbound SSH and ICMP traffic and all outbound trafficAllows inbound HTTPS and ICMP traffic and all outbound traffic

defaultfilter.dagdefaultfilter.dropdefaultfilter.ipso

defaultfilter.ipso_sshdefaultfilter.ipso_ssl

26Check Point for Nokia IPSO Getting Started Guide

Using the Check Point Configuration Tool

To change the default filter used by the initial policy

Enter the following sequence of commands at a console or remote terminal connection. If you want to use a default filter other than defaultfilter.ipso, then replace defaultfilter.ipso in the first command with the name of the filter you want to use.

cp $FWDIR/lib/defaultfilter.ipso $FWDIR/conf/defaultfilter.pffw defaultgencp $FWDIR/state/default.bin $FWDIR/bootIf you use defaultfilter.ipso or defaultfilter.ipso_ssl, make sure that HTTPS has been enabled on the platform.

Before You Start

Before you start the initial configuration:

󰂄

Make sure the Check Point VPN-1 Pro/Express NGX R60 package is enabled.

If it is not, enable it. For details, see “To confirm the installation” on page23. If you have an active command line session, log off after you enable the package.

󰂄

If you want to install and manage the Check Point license locally, have the license

information available. If you plan to use SmartUpdate to manage your licenses centrally, as recommended by Check Point, you do not need the information now.If you are configuring a SmartCenter server, be ready to supply:󰂄An initial administrator username and password.

󰂄The IP address or name of at least one SmartDashboard host.

Configuring a Standalone Deployment

In a standalone deployment, a SmartCenter management server and a VPN-1 Pro/Express enforcement module are deployed on the same security platform.

Note

A gateway that is a member of a VRRP virtual router or an IP cluster cannot be configured as a standalone deployment. It must have an enforcement module only installed on it. See “To install a VPN-1 Pro/Express enforcement module” on page31.

Note

Standalone deployments are not supported on flash-based (diskless) platforms.

To configure a standalone deployment

1.Log in to the host from a console or remote terminal connection.2.At the command prompt, enter cpconfig.

Check Point for Nokia IPSO Getting Started Guide27

3 Performing the Initial Configuration

The following text appears:

Welcome to Check Point Configuration Program=================================================Please read the following license agreement.Hit 'ENTER' to continue...Note

If the text does not appear when you enter cpconfig, you might need to log out of the command-line session and then log back in to set the environmental variables.

3.Press Enter to read the license agreement, and then enter y to accept it.

4.Specify which product you are installing: Check Point Enterprise/Pro (VPN-1 Pro) or Check

Point Express.5.Enter the appropriate number to select a standalone installation: 1 for Check Point

Enterprise/Pro installations or 3 for Check Point Express installations.6.Enter y to add a license and fill in the license information, or enter n to complete the license

information later.7.Define an initial administrator name and password.

The initial administrator name and password you enter here allows you to log in to the SmartCenter server from the SmartDashboard. This administrator has full read/write permissions, allowing you to further add or modify administrators using the SmartDashboard.

Administrators you define with the SmartDashboard can be issued a certificate for authentication, which provides a more secure means of authentication than the simple

username used for the initial administrator. Check Point recommends that once you log on to the SmartDashboard, you create a new administrator with full read/write permissions, generate a certificate for the new administrator, and delete the initial administrator created by cpconfig.

8.Identify the SmartConsole hosts that can access the SmartCenter server.

You can have as many SmartConsole clients on as many desktops as you desire. However, you need to provide the IP address or name of each client host to cpconfig before the clients can access the SmartCenter server.

Specify at least one SmartConsole host. You can rerun cpconfig at any time to add additional client hosts.

9.Specify the name of a group for which you want to grant permissions. Enter return to specify

no group.10.As part of configuring the internal certificate authority, type random text at a random pace

until you hear a beep.

The timing latency between your keystrokes is used to generate cryptographic data. The VPN-1 Pro and VPN-1 Express gateways use certificates for secure internal communication (SIC) between the SmartCenter server and the enforcement modules.

28Check Point for Nokia IPSO Getting Started Guide

Using the Check Point Configuration Tool

11.Choose whether to save the fingerprint of the SmartCenter server to a file.

To save the fingerprint, type y and provide the name of the file.

The SmartCenter server fingerprint will be displayed the first time a user logs into the SmartCenter server from a particular SmartDashboard host. By comparing the fingerprint displayed with the fingerprint you saved at this step, the user can authenticate the identity of the SmartCenter server.

12.When cpconfig asks if you want to reboot the system, enter y.

After the system reboots, an initial firewall policy is installed. Unless you previously modified the initial policy, all remote access to the platform is blocked, except for Check Point SmartConsole clients. For information on how to regain remote terminal access or Network Voyager access, see “About the Initial Firewall Policy” on page26.

Configuring a Distributed Deployment

In a distributed deployment, the SmartCenter server and the VPN-1 Pro/Express enforcement modules are installed on separate platforms.To install a Smart Center server

Note

You cannot deploy a SmartCenter server on a flash-based (diskless) platform.

1.Log in to the host from a console or remote terminal connection.2.At the command prompt, enter cpconfig.

The following text appears:

Welcome to Check Point Configuration Program=================================================Please read the following license agreement.Hit 'ENTER' to continue...Note

If the text does not appear when you enter cpconfig, you might need to log out of the command-line session and then log back in to set the environmental variables.

3.Press Enter to read the license agreement, and then enter y to accept it.

4.Specify which product you are installing: Check Point Enterprise/Pro (VPN-1 Pro) or Check

Point Express.5.Enter the appropriate number to select a management-server installation:

For Check Point Express, enter 2 to select SmartCenter Express.For Check Point Enterprise/Pro, enter 2 to select the distributed option.

Check Point for Nokia IPSO Getting Started Guide29

3 Performing the Initial Configuration

6.(Enterprise/Pro installations only) Enter 2 to select Enterprise SmartCenter.

7.(Enterprise/Pro installations only) Specify whether this management server will be the

primary or secondary server.

Enter 1 for primary if you:

󰂄󰂄

Are not using the Check Point Management High Availability feature.

Are using the Check Point Management High Availability feature and this is the first SmartCenter server you are installing.

Enter 2 for secondary if you are using Check Point Management High Availability feature and this is the second SmartCenter server you are installing. This server will take over from the primary server should the primary server fail.

8.Enter y to add a license and fill in the license information, or enter n to complete the license

information later.9.Define an initial administrator name and password.

Administrators you define with the SmartDashboard can be issued a certificate for authentication, which provides a more secure means of authentication than the simple

10.Identify the SmartConsole hosts that can access the SmartCenter server.

Specify at least one SmartConsole host. You can rerun cpconfig at any time to add additional client hosts.

11.Specify the name of a group for which you want to grant permissions. Enter return to specify

no group.12.As part of configuring the internal certificate authority, type random text at a random pace

until you hear a beep.

To save the fingerprint, type y and provide the name of the file.

The SmartCenter server fingerprint will be displayed the first time a user logs into the SmartCenter server from a particular SmartDashboard host. By comparing the fingerprint

30Check Point for Nokia IPSO Getting Started Guide

Using the Check Point Configuration Tool

displayed with the fingerprint you saved at this step, the user can authenticate the identity of the SmartCenter server.

14.When cpconfig asks if you want to start the installed products, enter y.

The SmartCenter server will be started, along with the other Check Point applications you enabled in Network Voyager.

To install a VPN-1 Pro/Express enforcement module1.Log in to the host from a console or remote terminal connection.2.At the command prompt, enter cpconfig.

The following text appears:

Welcome to Check Point Configuration Program=================================================Please read the following license agreement.Hit 'ENTER' to continue...Note

If the text does not appear when you enter cpconfig, you might need to log out of the command-line session and then log back in to set the environmental variables.

3.Press Enter to read the license agreement, and then enter y to accept it.

If you are installing the enforcement module on a flash-based platform, skip to step 7.4.Specify which product you are installing: Check Point Enterprise/Pro (VPN-1 Pro) or Check

Point Express.5.Enter the appropriate number to select a enforcement module installation:

For Check Point Express, enter 1 to select VPN-1 Express Gateway.For Check Point Enterprise/Pro, enter 2 to select the distributed option.

6.(Enterprise/Pro installations only) Enter 1 to select VPN-1 Pro Gateway or 5 to select VPN-1 Pro Gateway and Enterprise Log Server.7.Enter y or n to the prompt:

Is this a Dynamically Assigned IP Address gateway installation ? (y/n) [n] ?

8.If the gateway is a VRRP virtual router member or IP cluster member, enter y in response to

the following prompt:

Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) [n] ?

9.Enter y to add a license and fill in the license information, or enter n to complete the license

information later.10.Specify the name of a group for which you want to grant permissions. Enter return to specify

no group.

Check Point for Nokia IPSO Getting Started Guide31

3 Performing the Initial Configuration

11.As part of configuring the certificate authority, type random text at a random pace until you

hear a beep.

12.Enter an activation key of your own choosing that will be used to establish secure internal

communication between the management server and this enforcement module. The activation key must be longer than four characters.

When you use the SmartDashboard to initialize secure internal communications between the management server and this enforcement module, you will be asked to provide this activation key.

13.When cpconfig asks if you want to reboot the system, enter y.

After the system reboots, an initial firewall policy is installed. Unless you previously modified the initial policy, all remote access to the platform is blocked, except for Check Point SmartConsole clients through the management server. For information on how to regain remote terminal access or Nokia Network Voyager access, see “About the Initial Firewall Policy” on page26.

Note

On an IP265 with external flash configured to store packages, the first reboot after the Check Point packages are installed can take as long as 10 minutes. This is normal: do not reboot your platform again until the first reboot completes successfully.

Enabling SecureXL

For all Nokia IP security platforms except the IP2250, SecureXL is disabled by default. Rerun the cpconfig utility to enable SecureXL.To enable SecureXL

1.Log in to the host from a remote terminal or console connection.2.At the command prompt, enter cpconfig.

3.Enter the number next to Enable Check Point SecureXL.4.Enter y to enable SecureXL.

32Check Point for Nokia IPSO Getting Started Guide

Installing SmartConsole NGX R60

This chapter describes how to install Check Point SmartConsole NGX R60 (the SmartCenter GUI) on a Microsoft Windows system. You can install SmartConsole on as many systems as you desire.

SmartConsole is a collection of clients. The clients include:

󰂄

󰂄󰂄

SmartDashboard—used by the system administrator to define and manage the security policy. From this SmartConsole you can access many Check Point features and add-ons.SmartView Tracker—used for managing and tracking logs and alerts throughout the system.

SmartView Monitor—used to monitor and generate reports on traffic on interfaces, VPN-1 Pro and QoS modules, as well as on other Check Point system counters.SmartUpdate—used to manage and maintain a license repository.

SecureClient Packaging Tool—used to define user profiles for SecuRemote/SecureClient clients.

Eventia Reporter—used to generate reports for different aspects of network activity.SmartLSM—used for managing large numbers of ROBO Gateways using SmartCenter server.

To install SmartConsole NGX R60 on a Windows platform1.Close any Check Point applications running on the Windows platform.

2.Download the SmartConsole NGX R60 software into a temporary folder on the Windows

computer.

The SmartConsole software is available at the Check Point Downloads Web site at http://www.checkpoint.com. Select VPN-1 Pro/Express and NGX R60 in the Download Selector. Then select Windows OS.

3.Unzip the file, and double-click setup.exe.

The Installation Wizard opens. Click Next on each screen to accept the default values.After you install SmartConsole, make sure that the SmartDashboard can connect to the SmartCenter server.

Check Point for Nokia IPSO Getting Started Guide33

4 Installing SmartConsole NGX R60

To test connectivity

1.Double click on the SmartDashboard R60 icon.

The following login window appears:

2.Enter the administrator username and password you specified when you configured the

SmartCenter server with cpconfig.3.In the SmartCenter server field, enter the IP address of the SmartCenter server.

Select the Read Only option if you want to allow others access to the SmartCenter server while you view information.4.Click OK.

SmartDashboard connects to the SmartCenter server. Because this is the first time SmartDashboard has connected from this Windows host, it displays a Fingerprint Verification window:

34Check Point for Nokia IPSO Getting Started Guide

5.Compare the fingerprint shown with the fingerprint displayed by cpconfig during the initial

configuration of the SmartCenter server.6.Click Approve if the fingerprints match.

Refer to the SmartCenter User Guide, available at the Check Point Documentation Downloads site at www.checkpoint.com, for more information on how to use SmartDashboard for creating managed objects, such as gateways, networks, and services, for creating policies, and for installing policies on VPN-1 Pro or Check Point Express gateways.

Check Point for Nokia IPSO Getting Started Guide35

4 Installing SmartConsole NGX R60

36Check Point for Nokia IPSO Getting Started Guide

Upgrading to Check Point NGX R60

You can upgrade to Check Point NGX R60 from the following versions of Check Point NG software:

󰂄󰂄󰂄󰂄󰂄󰂄󰂄

NG with Application Intelligence (R55) for IPSO 3.8NG with Application Intelligence (R55W)NG with Application Intelligence (R55)NG with Application Intelligence (R54)NG FP3NG FP2NG FP1

Note

To upgrade to Check Point NGX R60, you must upgrade your Check Point licenses. Check Point recommends that you upgrade your licenses before you upgrade the software. See The Upgrade Guide for NGX R60 from Check Point for more information on how to upgrade your licenses.

Note

On flash-based platforms, you can have a maximum of two Check Point versions installed at a time.

Upgrade Overview

Upgrade the management server, GUI clients, and enforcement points in the following order:1.Upgrade the SmartCenter server.

2.Install SmartConsole NGX R60 on the Microsoft Windows hosts. For information on how to

install SmartConsole, see Chapter 4, “Installing SmartConsole NGX R60.”3.Upgrade the VPN-1 Pro or VPN-1 Express gateways.

This chapter describes how to update Nokia IP security platforms to NGX R60. For information on upgrading other platforms, including platforms hosting Provider-1, see the The Upgrade Guide from Check Point.

Check Point for Nokia IPSO Getting Started Guide37

5 Upgrading to Check Point NGX R60

If you are upgrading IP clusters or VRRP virtual routers and can afford some network downtime, you can upgrade each gateway individually as described in this chapter. If, however, you need to perform an upgrade with zero downtime, consult the “Upgrading ClusterXL” chapter in The Upgrade Guide from Check Point for information on performing a zero-downtime upgrade.

Obtaining the Software

Before you begin the upgrade, download Nokia IPSO, if needed, and the Check Point NGX R60 applications to an FTP server on your server.

The latest builds of IPSO, their documentation and their release notes are available at the Nokia support Web site. You must be running IPSO 3.9 or later to upgrade to NGX R60. See the Nokia support Web site for current information on which IPSO releases are supported.

Note

On flash-based platforms, you can have a maximum of two IPSO images installed at a time.

The Check Point software, documentation, and release notes are available in the Downloads section of the Check Point Web site at http://www.checkpoint.com.

Which Check Point installation packages you should download depends on your type of platform:

󰂄

Disk-based platforms—download the following:

󰂄Comprehensive R60 wrapper for Nokia IPSO (IPSO_wrapper_R60.tgz)

Use the comprehensive wrapper to upgrade an enforcement module or a SmartCenter server (or both) on a disk-based platform.

󰂄

SmartConsole R60

Use this package to install the SmartConsole GUIs on Microsoft Windows hosts. The package is available under the Windows OS in the Check Point Download selector for NGX R60.

󰂄

Flash-based platforms other than the IP265—download the following:

󰂄VPN-1 Pro/Express NGX R60 for flash-based platforms (fw1_R60_xxxxxxxx_x_IPSO.tgz)Use this package to upgrade an enforcement module on a flash-based platforms.

󰂄󰂄

CPinfo NGX R60 Tool for IPSO platformsSmartConsole R60

Use this package to install the SmartConsole GUIs on Microsoft Windows hosts. The package is available under the Windows OS in the Check Point Download selector for NGX R60.

󰂄

IP265—Download the following:

󰂄The latest NGX R60 HFA for the IP265.

38Check Point for Nokia IPSO Getting Started Guide

Upgrading Security Platforms

Use this package to upgrade an enforcement module on an IP265.

󰂄󰂄

CPinfo NGX R60 Tool for IPSO platformsSmartConsole R60

Use this package to install the SmartConsole GUIs on Microsoft Windows hosts. The package is available under the Windows OS in the Check Point Download selector for NGX R60.

Upgrading Security Platforms

To perform the upgrades, you can use:

󰂄

Nokia Horizon Manager.

If you are using Nokia Horizon Manager, skip the remainder of this chapter and consult the Nokia Horizon Manager documentation.

󰂄

Nokia Network Voyager, the Nokia CLI, or the newpkg command.This section contains detailed procedures for Network Voyager and the newpkg command. For the CLI, see the CLI Reference Guide for the IPSO version you are using.

To upgrade a security platform

1.Upgrade to Nokia IPSO 3.9 or later supported version. See the Getting Started Guide and

Release Notes for your IPSO version for information on how to upgrade IPSO.

Note

You cannot run Check Point NGX R60 on a version of Nokia IPSO that is earlier than IPSO 3.9.

2.Reboot the platform.

3.Make sure that the current version of Check Point NG or NGAI is enabled.4.Install the Check Point NGX R60 software as an upgrade.

󰂄󰂄

On disk-based platforms, install the comprehensive wrapper package.

On flash-based platforms, separately install the VPN-1 Pro/Express and CPinfo

packages, installing the VPN-1 Pro/Express package first. To install VPN-1 Pro/Express, use the:

󰂄VPN-1 Pro/Express NGX R60 for flash-based platforms on all flash-based platforms other than the IP265

󰂄The latest HFA for the IP265 on an IP265

5.Rerun cpconfig to add a local license if desired and to confirm no additional configuration is

required. 6.Reboot the security platform if it hosts an enforcement module.

Check Point for Nokia IPSO Getting Started Guide39

5 Upgrading to Check Point NGX R60

After you reboot, an initial firewall policy is loaded on platforms with enforcement modules. This policy blocks all remote access except for SmartConsole access through the

SmartCenter server. You can regain access by pushing your security policy to the platform from the SmartDashboard. For more information about the initial policy, see “About the Initial Firewall Policy” on page26.To upgrade by using newpkg

Note

On flash-based platforms:

rm -R /preserve/opt/tmp

1.Log in to the platform with a console connection.2.Enter newpkg to start the package installation script.

The following options appear:

1. Install from CD-ROM.

2. Install from anonymous FTP server.

3. Install from FTP server with user and password.4. Install from local filesystem.5. Exit new package installation.

3.Enter the number (1 through 4) next to the installation method to use, or enter 5 to exit.4.The installation script guides you through the rest of the upgrade process.

󰂄

If you are installing from your current working directory in the local filesystem, you can enter a period (.) when asked for the pathname to the packages.

Make sure that you select option 2 (Upgrade from an old package) when the name of your package is displayed.

5.On flash-based platforms, repeat steps 2 through 4 to install CPinfo after you have installed

VPN-1 Pro/Express.6.When the upgrade is finished, log off, then log back on to set the environmental variables.7.To confirm the upgrade, see the procedure “To confirm the installation” on page42.

40Check Point for Nokia IPSO Getting Started Guide

Upgrading Security Platforms

To upgrade by using the Nokia Network Voyager1.In the Network Voyager, navigate as follows:

IPSO 3.9: System Configuration > Manage Installed Packages > FTP and Install PackagesIPSO 4.0 or later: Configuration > System Configuration > Packages > Install Package2.Enter the host name or IP address of the FTP site where you downloaded the package.3.Enter the directory name where the files reside on the FTP site.

4.Enter the user account and password to use when you connect to the FTP site and click

Apply.

If you leave these fields empty, the anonymous account is used.

Note

If you specify a user account and password, you must re-enter the password whenever you change the FTP site, FTP directory, or FTP user on future requests.A list of files from the specified FTP directory appears in the Site Listing field.

5.Select a file from Site Listing, then click Apply.

After the download completes, the package appears in the Select a Package to Unpack box.6.Select the package, then click Apply.

The package is unpacked into the local file system.

Note

The version field in the package information always shows 3.9 regardless of the IPSO version installed.

7.Click the Click here to install/upgrade /opt/packages/packagename link.

8.Click the radio button next to Upgrade and then select the package to upgrade from. Click

Apply.

Wait until Network Voyager refreshes this page with a link to the Manage Packages screen.9.Click the link to return to the Manage Packages screen.

During the initial installation phase, the wrapper appears under the Security Applications heading. If you wait several minutes and click Apply, a warning message appears telling you that the installation is still in progress as the wrapper continues to unpack and install the Check Point applications in the package.

Check Point for Nokia IPSO Getting Started Guide41

5 Upgrading to Check Point NGX R60

If you are installing individual packages on a flash-based platform, repeat steps 1 through 9 to install CPinfo after you install VPN-1 Pro/Express.

10.Confirm the upgrade is correct as described in “To confirm the installation” on page42.To confirm the installation

1.On the Manage Packages page in Network Voyager, confirm that the Check Point VPN-1

Pro/Express NGX R60 package appears under Security Applications and is enabled.

If the package is not enabled, click On, and then click Apply and Save.2.Confirm that the Check Point CPinfo package under Applications is enabled.

If the package is not enabled, click On, and then click Apply and Save.

3.Enable any of the other Check Point packages you want to have enabled and click Apply and

Save.4.If you are logged onto the platform with a IPSO shell session, log off and then log on again.

When you enable the packages, Network Voyager sets new shell environmental variables that are necessary for executing firewall commands. However, they do not take effect until the next time you log on. For this reason, you need to log off after you enable the packages.5.Rerun cpconfig to confirm the installation and to add a new license, if desired.6.Reboot the platform if it hosts an enforcement module.

Note

Starting with NGX R60, the SVN Foundation, FloodGate-1, and Policy Server components are no longer installed as separate application packages. Instead, they are included as part of the VPN-1 Pro/Express package.

Expanding the IP265 Flash Memory

The following procedure configures your IP265 to use the external flash memory to store the Check Point packages, as recommended by Nokia. You must have installed the latest NGX R60 HFA for the IP265 for this procedure to work. To configure the IP265 external flash memory

1.Install your flash-memory PC card into PC-card slot 1 or 2. Make sure the card is fully

inserted by pressing gently on it.2.In Network Voyager, select the Optional Disk Configuration page (Configuration > System

Configuration > Optional Disk). 3.Click the radio button under Packages; then click Apply and Save.

4.Wait until you see a message telling you that you should reboot the system and then reboot

the system.

42Check Point for Nokia IPSO Getting Started Guide

Installing HotFix Accumulators on Flash-based Platforms

Note

The reboot immediately following enabling/disabling the Packages option will take a long time to complete, as much as 10 minutes. This is normal: do not reboot your platform again until the first reboot completes successfully.

Installing HotFix Accumulators on Flash-based Platforms

Nokia recommends you follow these guidelines when installing HFAs on flash-based platforms:

󰂄

Do not download the HFAs to your home directory. Files in user home directories are

After you extract the HFA files from the archive .tgz file, delete the archive file and then install the HFA as described in the HFA release notes.

Reverting to Previous Check Point Versions

If you need to revert to a previous Check Point version after upgrading to NGX R60, use the following procedure.

To revert to a previous version

1.On the IPSO Image Management page in Network Voyager, select the previous IPSO image

and reboot.

When you revert to the previous image, IPSO automatically reverts to using the saved configuration set associated with that image.

2.On the Manage Packages page, confirm that the previous versions of Check Point packages

are enabled and the NGX R60 versions are disabled.

Note

On flash-based platforms, the NGX R60 packages will no longer appear in the Manage Packages page since they were never part of the previous configuration set.

If, after downgrading, you wish to upgrade again to NGX R60, you will need to manually reselect the 4.0 configuration set as described in the following procedure.To upgrade again to NGX R60

1.On the IPSO Image Management page in Network Voyager, select the IPSO image that

support NGX R60 and reboot.2.On the Configuration Set Management page, select the configuration set associated with that

image and then click Save.

Check Point for Nokia IPSO Getting Started Guide43

5 Upgrading to Check Point NGX R60

Network Voyager logs you out and you will have to log in again.3.Reboot the platform.

4.On the Manage Packages page, confirm that the previous versions of Check Point packages

are disabled and the NGX R60 versions are enabled.

44Check Point for Nokia IPSO Getting Started Guide

因篇幅问题不能全部显示，请点此查看更多更全内容

查看全文

全部栏目

check point 防火墙 安装 配置 资料

check point 防火墙安装配置资料