
VPN-1 VE Administration Guide

December 18, 2008

In This Document
Introduction page 2
Deploying VPN-1 VE Machines page 7
Known Limitations page 14
Deployment Scenarios page 15
Deploying ClusterXL on VMware page 21
Advanced Deployment: Protecting More Than 3 Virtual Networks page 27
FAQs and Troubleshooting page 33
Documentation Feedback page 36

Copyright © 2008 Check Point Software Technologies, Ltd. All rights reserved.

Introduction
In This Section

VPN-1 VE Overview page 2


Virtualization Overview page 2
Example of VPN-1 VE Deployment page 3
Key Benefits page 3
ESX Server Security Considerations page 4
VPN-1 VE System Requirements page 4
Licensing Information page 5
Related Documentation page 6

VPN-1 VE Overview
VPN-1 NGX R65 VE (Virtual Edition) is a security and VPN solution, designed to harness the power
of network virtualization. VPN-1 VE provides the identical security protections and VPN features as
physical VPN-1 gateways. It securely connects these gateways and SmartCenters on virtual
machines to shared resources, such as the Internet and DMZs, and allows them to safely interact
with each other and the outside world. All VPN-1 security features such as SmartDefense, Web
Intelligence, Application Intelligence, Anti-virus, Anti-spam, and so on, are available on VPN-1 VE.
This guide provides the conceptual framework for VPN-1 VE. It also provides detailed instructions
for importing and configuring Check Point VPN-1 products on virtual machines by using VPN-1 VE
or by manually installing VPN-1 NGX R65 for VMware.
This guide assumes that the reader has a thorough understanding of VMware® ESX Server 3.x
concepts, procedures and terminology. Furthermore this guide assumes that the reader is familiar
with Check Point VPN-1 concepts and procedures.
As used in this document, the term VPN-1 applies to VPN-1 Power, VPN-1 UTM, and VPN-1 UTM
Power.

Virtualization Overview
Virtualization of hardware resources represents the cutting edge of today’s computing technology,
providing cost-effective, scalable solutions for dynamic network environments. Virtualization allows
you to create multiple “virtual” computers on a single hardware platform. With VPN-1 VE, Check
Point brings its state of the art security solutions to the virtualized world.
VMware ESX Server 3.x “virtualizes” hardware resources including CPU, RAM, hard disks, network
adapters, and the operating system. This technology allows you to create functional virtual
machines that host organization resources such as Web servers, email servers, databases, and so
on. Using VMware ESX Server 3.x, you can define Virtual Networks comprised of virtual machines,
virtual switches, and interfaces to provide the functionality of their physical network counterparts.
VPN-1 VE supplies the comprehensive protection required to secure your virtual networks. VPN-1
NGX R65 VE, VPN-1 NGX R65 for VMware machines, and physical gateways can be managed by
the same unified central management, thus enabling a consistent, enforceable security policy
across all physical and virtual networks.

VPN-1 VE Administration Guide 2
How Do I Get Started?


The VPN-1 VE enables you to easily deploy VPN-1 as a virtual machine that is already configured
and optimized for a VMware ESX environment. A virtual machine created using the VPN-1 VE runs
on Check Point’s SecurePlatform and includes the following components: 1 CPU, 512MB of
allocated memory, 12GB of disk capacity that can be extended, and four virtual network interfaces.
To use VPN-1 VE, you import a file to the ESX server and add it to your virtual machine inventory.
Once you log in to the VPN-1 VE, the configuration wizard guides you through the initial
configuration.

Example of VPN-1 VE Deployment


Figure 1 illustrates a VPN-1 environment on a VMware ESX host.
Figure 1 Example of a VPN-1 VE Deployment

In this simple example, a standalone VPN-1 gateway and SmartCenter server combination protects
three virtual switches leading to networks containing several different types of servers. All traffic
that flows between the virtual networks, for example between the Web Servers Network and the
Database Server, or from a host on the external LAN to the Email Server is inspected by the VPN-1 VE
machine.
Administrators manage network security using SmartDashboard from any client having connectivity
with the SmartCenter server. Virtual machines and all other VMware objects are managed using
Virtual Infrastructure Client.
VPN-1 VE protects the virtual machines in the ESX server, but it does not protect the VMkernel.

Key Benefits
When you run an ESX Server, VPN-1 VE lets you use Check Point security solutions to secure the
virtual network and the application servers you deploy on virtual machines. VPN-1 VE offers the
following advantages:
• Adds a security layer that protects resources residing on virtual machines from external threats
and threats from other virtual machines.
• Provides unified management as VPN-1 VE gateways and physical VPN-1 gateways can be
managed by the same SmartCenter. Thus security policies can be consistently enforced on
every part of the network - physical and virtual.
• Provides a scalable solution for growing enterprises by providing protection for additional
virtual network resources without the need for additional hardware investment, maintenance,
energy, and site costs.
• Simplifies configuration by eliminating the need to provision additional virtual and physical
switches in order to protect virtual resources.
• Simplifies disaster recovery scenarios.
• Lowers total cost of ownership.
• Is certified by VMware for optimal use with ESXi and ESX Servers.
• Provides machines that are pre-configured and ready to use in just a few steps.

ESX Server Security Considerations


VPN-1 VE machines protect packets and networks and do not protect the ESX Server itself from
possible VMkernel vulnerabilities. VMotion and VMkernel traffic cannot be inspected by VPN-1 VE
and it is recommended to use secured networks for this traffic.
We recommend that you refer to the VMware Best Practices - Security Hardening document for
additional suggestions for securing your ESX Server platform.

VPN-1 VE System Requirements


This section presents the minimum hardware, operating system, and software requirements for
using VPN-1 VE.

Supported Check Point Products


VPN-1 VE currently supports the following Check Point products:
• VPN-1 Power NGX R65
VPN-1 Power security gateways provide an active defense that enables you to secure your most
demanding sites - such as core networks or data centers.
• VPN-1 UTM NGX R65
VPN-1 UTM consolidates proven security functions including firewall, intrusion prevention,
antivirus, antispyware, Web application firewall, and both IPSec and SSL VPN, within a single
integrated solution.
• VPN-1 UTM Power NGX R65
VPN-1 UTM Power security gateways provide the accelerated security found in VPN-1 Power
combined with the simplicity of the next generation UTM features found in VPN-1 UTM.
• SmartCenter NGX R65
SmartCenter solutions enable organizations to perform all aspects of security management via a
single, unified console.
• ClusterXL NGX R65
ClusterXL provides high availability and load sharing to keep businesses running.

Users of VPN-1 products prior to version NGX R65 must upgrade their products and licenses to
R65 before using VPN-1 VE. Please refer to the NGX R65 Upgrade Guide for detailed instructions
regarding upgrading Check Point products to version NGX R65. For more information see
http://support.checkpoint.com.

Supported Hotfix Accumulators (HFAs)


VPN-1 VE is compatible with regular VPN-1 Hotfix Accumulators (HFAs) starting from HFA 30.
HFAs can be found on the Check Point Support Website, http://support.checkpoint.com.

Supported VMware Products


VPN-1 VE supports the following VMware ESX Server versions: 3.0.2, 3.0.3, 3.5, or ESXi 3.5.
Please refer to http://support.checkpoint.com for updates on supported VMware products and
versions.

Hardware Requirements
Virtual Machine Requirements for VPN-1 VE
Virtual machines created for use as VPN-1 gateways or SmartCenter servers must meet the
following minimum resource requirements:
• Allocated Memory: 512 MB
• Disk Space: 12 GB

VMware Hardware Requirements


For the latest hardware requirements for your version of VMware ESX Server and other VMware
products, refer to the VMware ESX Server Installation and Upgrade Guide.
For information regarding compatible I/O devices, please refer to the I/O Compatibility Guide For
ESX Server 3.x at http://www.vmware.com/pdf/vi3_io_guide.pdf

Licensing Information
Each VPN-1 gateway product and SmartCenter server installed on a virtual machine requires a
license, in the same manner as a physical product. Each VPN-1 VE gateway requires a VPN-1 VE
license. SmartCenters require a standard VPN-1 SmartCenter license. Licenses are associated with
the gateway or SmartCenter server IP address. Check Point add-on licenses, such as SmartDefense
Services, are equally applicable to products installed on virtual machines.

Related Documentation
We recommend that you refer to the Check Point documentation packages listed below, in addition
to this document. All documents can be found at http://support.checkpoint.com.

Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 together
with step-by-step product installation procedures. This document also provides information
regarding what's new in the current release, licensing, minimum hardware and software
requirements, etc.

Upgrade Guide: Explains the available upgrade paths to NGX R65 for Check Point products from
VPN-1/FireWall-1 version NG and higher.

Firewall & SmartDefense Administration Guide: Describes how to manage network access; establish
network connectivity; use SmartDefense to protect against network and application level threats;
use Web Intelligence to protect Web servers and applications; use Content Vectoring Protocol (CVP)
applications for anti-virus protection; use URL Filtering (UF) applications for restricting access to
web sites; and secure VoIP traffic.

SmartCenter Administration Guide: Describes Check Point SmartCenter Management applications,
which provide solutions for configuring, managing, and monitoring network security deployments.

ClusterXL Administration Guide: Describes the ClusterXL clustering solution, including concepts
and configuration procedures.

SecurePlatform Administration Guide: Explains how to install and configure SecurePlatform. This
guide also explains how to manage SecurePlatform and explains the Dynamic Routing (Unicast and
Multicast) protocols.

Virtual Private Networks Administration Guide: Describes the major components of a VPN
environment and presents procedures for securing and configuring the environment using VPN-1.

We recommend that you familiarize yourself with the following VMware documentation before using
this product:

Introduction to VMware Infrastructure: Provides a detailed, conceptual overview of the ESX Server
product, including its architecture, features, and functionality.

Installation and Upgrade Guide: Describes the VMware ESX Server 3.x system and licensing
requirements, and provides detailed instructions for installing and upgrading the product.

Quick Start Guide: Serves as a quick reference to product installation, virtual machine provisioning
and management, and the GUI.

Basic System Administration: Detailed documentation for using VMware ESX Server 3.x. This is the
primary reference guide for system administrators and users.

Server Configuration Guide: Describes the tasks you need to configure ESX Server host networking,
storage, and security. In addition, it provides overviews, recommendations, and conceptual
discussions to help you understand these tasks and how to deploy an ESX Server host to meet
your needs.

Deploying VPN-1 VE Machines


In This Section

Introduction page 7
VMware Terminology page 7
Deployment Planning page 8
Importing and Configuring VPN-1 VE page 9

Introduction
This section provides instructions for importing and configuring VPN-1 VE machines. VMware
terminology is also included for easy reference, as well as information on planning your VPN-1 VE
deployment.
The instructions assume that you are familiar with VMware ESX Server 3.x and that the appropriate
VMware software is installed. This document does not attempt to serve as a general VMware
tutorial. For further information regarding VMware ESX Server 3.x procedures and features, refer to
the VMware ESX Server Getting Started and Basic System Administration guides.

VMware Terminology
This section presents a glossary of VMware terms used in this guide or that you are likely to
encounter in references to VMware documentation contained in this document.

Virtual Machine (VM): Software-based abstraction of a physical computer, including CPUs, memory,
disk storage, network interfaces, ports, guest operating system, and application software. In a
VPN-1 VE environment, a virtual machine provides the functionality of a VPN-1 gateway or
SmartCenter server.

Virtual Switch (vSwitch): A virtual switch works similarly to a physical Ethernet switch. It detects
which virtual machines are logically connected to each of its virtual ports and uses that
information to forward traffic to the correct virtual machines. A vSwitch can be connected to
physical switches using physical network adapters to join virtual networks with physical networks.

Virtual Interface (vNIC): Software-based abstraction of a physical interface that provides network
connectivity for virtual machines.

Port Group: A port group specifies port configuration options such as bandwidth limitations and
VLAN tagging policies for each port. Network services connect to vSwitches through port groups.
Port groups define how a connection is made through the vSwitch to the network.

Virtual Network: A network of virtual machines running on a single physical machine that are
connected logically to each other so that they can send and receive data from each other. Virtual
networks do not depend on physical network interfaces.

Guest Operating System: Operating system installed on a virtual machine.

Host: Physical machine using VMware to host one or more virtual machines and other virtual
objects. The host provides the physical resources shared by virtual machines, such as CPUs,
memory, disk storage access, network interfaces, etc.

Datacenter: Collection of hosts and their associated virtual machines and Datastores.

Datastore: Host-independent storage location for virtual machine files in ESX Server systems,
typically a system volume located on a physical disk, RAID, SAN, or network file system.

Virtual Center Server: Manages multiple hosts together with their associated virtual machines and
objects from a single GUI client. This is the central point for provisioning and configuring all of
your virtual machines, virtual networks and their associated objects.

VMware Infrastructure Client (VI Client): GUI client used to manage virtual machines and
associated objects. It manages virtual machines much in the same way that SmartDashboard
manages VPN-1 gateways.

Deployment Planning
This section describes issues to consider when planning your VPN-1 VE deployment.

Management Deployment and Interfaces


VPN-1 VE can be installed using one of the following deployment strategies:
• Standalone Deployment: A SmartCenter server and one VPN-1 gateway are installed on the same
virtual machine. Up to four interfaces are available for connections to virtual switches.
• Distributed Deployment with a Dedicated Management Interface: The SmartCenter server and
VPN-1 gateways are installed on separate virtual machines. One interface on each VPN-1
gateway must be used exclusively for communication with the SmartCenter server.
When using this option, you can protect up to three virtual switches.
• Distributed Deployment without a Dedicated Management Interface: The SmartCenter server and
VPN-1 gateways are installed on separate virtual machines. Management traffic between these
gateways and SmartCenters travels via an interface used for external connections.
When using this option, you can protect up to four virtual switches.
To learn about deploying ClusterXL clusters on VMware, see “Deploying ClusterXL on VMware” on
page 21.
To learn about protecting more than four virtual switches, see “Advanced Deployment: Protecting
More Than 3 Virtual Networks” on page 27.

Network Adapters and Interfaces


For general reference, the following table shows which interfaces in SecurePlatform generally
correspond to which Ethernet adapters in the Virtual Infrastructure Client. If the administrator
alters the interfaces in SecurePlatform, this correspondence may change.
Table 1 Interface to Network Adapter Correspondence

Interface in SecurePlatform: Network Adapter in Virtual Infrastructure Client
eth0: Network Adapter 1
eth1: Network Adapter 2
eth2: Network Adapter 3
eth3: Network Adapter 4

Importing and Configuring VPN-1 VE


The VPN-1 VE enables you to easily deploy VPN-1 as a virtual machine that is already configured
and optimized for a VMware ESX environment. A virtual machine created using the VPN-1 VE runs
on Check Point’s SecurePlatform and includes the following components: 1 CPU, 512MB of
allocated memory, 12GB of disk capacity that can be extended, and four virtual network interfaces.
To use VPN-1 VE, you import it to the ESX Server and add it to your virtual machine inventory.
Repeat this process for each new machine you want to create.

Importing the VPN-1 VE OVF


If you are running a VMware ESXi 3.5 or ESX 3.5 Server, or using Virtual Center 2.5, import the
VPN-1 VE using the VPN-1_R65_VE_OVF.tgz file, as described below.
To import the VPN-1 VE machine to the ESX Server from the VPN-1_R65_VE_OVF.tgz file and create
a new machine:
1. Download the VPN-1_R65_VE_OVF.tgz file from the VMware Virtual Appliance Marketplace to
the machine where the VMware Virtual Infrastructure Client is installed.
2. Extract the VPN-1_R65_VE_OVF.tgz file to a new folder using tar (tar -zxvf
VPN-1_R65_VE_OVF.tgz), or any other decompression utility.
3. Open the VMware Virtual Infrastructure client.
4. Connect to the ESX Server where you want to deploy the VPN-1 VE machine.
5. In the Getting Started tab, in Basic Tasks, choose Import a Virtual Appliance.
6. Select Import from file, and choose the .ovf file from the folder where you extracted the
.tgz file. Click Next.
7. View the Virtual Appliance Details. Click Next.
8. Type a name for the VPN-1 VE machine. Click Next.
9. Select the datastore on the ESX Server where the VPN-1 VE machine files will be stored.
Click Next.
10. In Network Mapping, select the proper Network portgroups according to your topology. Click
Next.
11. Click Finish to complete the Virtual Machine Wizard. It may take a few minutes for the new
machine to appear in the inventory.
12. Select the machine from the inventory and Power On the machine.

For optimal performance of your VPN-1 VE machine, we recommend reserving an additional 512
MB of memory. See “Enhancing Performance by Reserving Memory” on page 23.

Importing the VPN-1 VE to Earlier ESX Servers


If you are running a VMware ESX 3.0.x Server or using Virtual Center 2.0, import the VPN-1 VE
machine using the VPN-1_R65_VE.tgz file.
To import the VPN-1 VE machine to the ESX Server from the VPN-1_R65_VE.tgz file and create a
new machine:
1. Connect to the ESX Server using SSH. For more information see “How can I Connect to the
ESX Server Using SSH?” on page 33.
2. Within the ESX Server, create a folder under /vmfs/volumes/<storage>/<folder name>/,
where <storage> and <folder name> are names that the administrator chooses.
3. Download the VPN-1_R65_VE.tgz file from the VMware Virtual Appliance Marketplace to the
ESX Server on which the virtual machines are housed.
4. Extract the .tgz file to the new folder using tar (tar -zxvf VPN-1_R65_VE.tgz).
5. Open the VMware Virtual Infrastructure Client and connect to the ESX Server or Virtual Center.
6. Select the desired ESX Server.
7. Click on the Summary tab. Within the Resources pane, under Datastore, double-click the
desired storage file, and browse to the location where you extracted the VPN-1_R65_VE.tgz file.

8. Right-click on the .vmx file and select Add to Inventory.
9. In the Add to Inventory Wizard, type a name for the new virtual machine. Click Next.
10. Select a Resource Pool to run the virtual machine. Selecting a Resource Pool allows you to
determine which resources a virtual machine is using. Click Next.
11. Click Finish to complete the Virtual Machine Wizard. It may take a few minutes for the new
machine to appear in the inventory.
12. Select the machine from the inventory and Power On the machine.

Configuring VPN-1 Gateways and SmartCenters


This section describes how to configure VPN-1 gateways and SmartCenters on VPN-1 VE machines
through the SecurePlatform command line. The procedures contained in this section are excerpted
from the NGX R65 Getting Started Guide. For a complete presentation of NGX R65 installation and
configuration procedures, refer to the NGX R65 Internet Security Product Suite Getting Started Guide
and the Firewall and SmartDefense Administration Guide, found at http://support.checkpoint.com. If
there is a conflict between this document and these guides, follow the instructions in the guides.
Repeat the following processes on each virtual machine you want to configure.

Configuring Network and General Settings


To perform initial configuration of network and general settings:
1. In the Console tab, log in to the machine using admin as the username and adminadmin as
the password.
2. When prompted, change the default user name and password. Ensure that the new password
contains more than six characters and has a combination of upper and lower case letters and
numbers.
3. To enter the configuration wizard, run:

cpconfig

The configuration window opens and displays a welcome message.

4. Press n to continue.
5. Press the number corresponding to your keyboard type and then press n, or just press n to keep
the default US keyboard.

6. Press the number corresponding to the Ethernet connection that you want to set as your
management connection. When prompted, type the IP address attached to the Ethernet
connection, its subnet mask, and its broadcast address.

7. In the Network Configuration menu, use the menu option to configure the following:
• The host name
• The domain name and at least one DNS server (if required)
• The network interface IP addresses
• The default gateway (if required)

8. In the time and date configuration menu, use the menu options to configure the following:
• Time zone
• Date
• Local time
• Show date and time settings

10. Press n to continue. The Import Check Point Products Configuration screen appears.
Continue to follow the Check Point wizard to install Check Point products on the virtual machine.
See the NGX R65 Internet Security Product Suite Getting Started Guide and the Firewall and
SmartDefense Administration Guide for more information.

Known Limitations
Please refer to the current edition of the NGX R65 Release Notes, found at
http://support.checkpoint.com, for a complete list of known limitations for this major release. The
limitations listed below apply specifically to VPN-1 VE and are in addition to the VPN-1 NGX R65
release limitations.
1. The cloning and template features are supported for VPN-1 virtual machines (gateways and
SmartCenter) only under the following conditions:
a. The virtual machine must be a new VPN-1 VE machine or SecurePlatform installation
(immediately following the first reboot).
b. No Check Point products, such as SmartCenter or VPN-1, have been configured yet.
c. No configuration steps (sysconfig, cpconfig, etc.) have been performed.
2. Interface bonding on the virtual machine running the VPN-1 VE is not supported with
ClusterXL.
3. VMtools is not supported.
4. VPN-1 gateways in the Bridge Mode must have their internal and external interfaces connected
to port groups that are configured in promiscuous mode.
5. VPN-1 gateways in the Bridge Mode are not supported with ClusterXL.
6. The Performance Pack Heavy Load Quality of Service (HLQoS) feature is not supported.
7. The Monitor Interface Link State feature is not supported on VPN-1 ClusterXL cluster members
on virtual machines.
8. Virtual machines may be connected to a maximum of four different virtual switches. This may
limit the number of virtual networks protected by a VPN-1 VE machine. This limitation can be
overcome using VLANs. See “Advanced Deployment: Protecting More Than 3 Virtual Networks”
on page 27.
9. VPN-1 VE supports MTU change only with pcnet32 network devices.
10. The ethtool utility does not recognize speed or duplex changes made to the virtual network
adapters.
11. NGX R65 HFA 01 and 02 are not supported. NGX R65 HFAs beginning with HFA 30 are
supported.
12. VPN-1 VE does not protect the VMkernel.

Deployment Scenarios
In This Section

Overview page 15
VPN-1 and SmartCenter Standalone Deployment page 16
VPN-1 Deployment using the Bridge Mode page 17
ClusterXL Deployment on a Single ESX Host page 18
ClusterXL Deployment Using Two ESX Hosts page 19

Overview
This section presents several sample deployments that illustrate the integration of VPN-1 NGX R65
solutions into virtual network deployments. While these examples are shown in simple, small-scale
environments, the concepts are applicable to larger, more complex deployments. Each scenario
includes a brief conceptual description, an illustrative diagram, notes and configuration
requirements, as appropriate.
These scenarios are intended to present conceptual examples of how VPN-1 VE may be deployed
on VMware ESX. They do not purport to provide solutions for specific applications or environments.
There are many different ways to use these concepts to tailor network virtualization to your specific
needs, only a few of which are suggested by these scenarios.

VPN-1 and SmartCenter Standalone Deployment


Figure 2 illustrates a small Web business, all on a single platform running VMware ESX Server. This
deployment is comprised of a standalone VPN gateway and SmartCenter on a single virtual
machine. The gateway inspects and protects all traffic passing between three virtual switches
leading to Web servers, SQL databases, and an email server from external threats as well as from
threats originating from other virtual machines.
Figure 2 Standalone SmartCenter Deployment

Notes for this Scenario


• The Web servers, database servers, email server and Gateway/SmartCenter standalone
deployments are defined as virtual machines on a single ESX host platform.
• Each virtual interface connects to a virtual switch configured for a separate subnet.
• The external virtual interface connects, via a virtual switch, to a physical interface on the ESX
host leading to a physical switch on the same subnet. A physical LAN connects to this switch.
• Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN.

Special Configuration Requirements


The default gateway for each server virtual machine must be defined as the IP address assigned to
the VPN-1 gateway virtual interface leading to that particular server. For example, in the preceding
diagram, the Web server default gateways must be defined as 172.23.5.1.
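The default-gateway requirement above is easy to verify in a script before the server machines go live: a server whose default gateway is not the VPN-1 interface on its own subnet sends off-subnet traffic around the gateway, uninspected. The following Python is an added example, not Check Point tooling; the interface and server addresses are constructed sample values following the 172.23.x.x scheme of Figure 2 (172.23.5.1 is the Web network address named in the text, the other addresses are assumed).

```python
"""Check that every protected server's default gateway is the VPN-1 VE
gateway interface on that server's own virtual network.

Added example for the standalone scenario; not Check Point tooling.
All addresses below are constructed sample values (172.23.5.1 is the
Web network gateway interface quoted in the guide; the rest are assumed).
"""
import ipaddress

# VPN-1 VE gateway interfaces: SecurePlatform interface -> address/prefix.
# eth0 faces the external LAN; eth1..eth3 each lead to one protected vSwitch.
GATEWAY_INTERFACES = {
    "eth0": "192.0.2.1/24",    # external interface (constructed)
    "eth1": "172.23.5.1/24",   # Web servers network (address from the guide)
    "eth2": "172.23.6.1/24",   # database network (constructed)
    "eth3": "172.23.7.1/24",   # email network (constructed)
}

# Server virtual machines as provisioned: name -> (IP address, default gateway).
SERVERS = {
    "web-1":  ("172.23.5.10", "172.23.5.1"),
    "web-2":  ("172.23.5.11", "172.23.5.1"),
    "sql-1":  ("172.23.6.10", "172.23.6.1"),
    "mail-1": ("172.23.7.10", "172.23.5.1"),    # wrong: points at the Web network interface
    "sql-2":  ("172.23.6.11", "172.23.6.254"),  # wrong: right subnet, but not the VPN-1 interface
}


def gateway_for(server_ip, interfaces=GATEWAY_INTERFACES):
    """Return (interface name, interface IP) of the VPN-1 interface whose subnet
    contains server_ip, or None if no VPN-1 interface covers that address."""
    addr = ipaddress.ip_address(server_ip)
    for ifname, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        if addr in iface.network:
            return ifname, str(iface.ip)
    return None


def check_default_gateways(servers=SERVERS, interfaces=GATEWAY_INTERFACES):
    """Return {server name: problem description} for every server whose default
    gateway is not the VPN-1 interface on its subnet. Empty dict means all
    off-subnet traffic from these servers passes through the VPN-1 VE gateway."""
    problems = {}
    for name, (ip, gw) in servers.items():
        match = gateway_for(ip, interfaces)
        if match is None:
            problems[name] = f"{ip} is not on any VPN-1 interface subnet"
            continue
        ifname, expected = match
        if gw != expected:
            problems[name] = f"default gateway {gw} should be {expected} ({ifname})"
    return problems


if __name__ == "__main__":
    for server, problem in check_default_gateways().items():
        print(f"{server}: {problem}")
```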

VPN-1 Deployment using the Bridge Mode


Figure 3 demonstrates the use of VPN-1 gateways in the bridge mode. In this example, four VPN-1
gateway virtual machines protect individual security zones representing different departments for a
software development firm.
Each VPN-1 gateway virtual machine protects one or more network segments using a single virtual
interface connected to a port on a single virtual switch. The virtual switch must be connected to a
port group that is configured to accept the promiscuous mode. The SmartCenter server resides on
a separate virtual machine and communicates with gateways via dedicated management interfaces.
The advantage of using the virtual machines in bridge mode is that you can provision additional
gateways without affecting the existing IP topology. In this scenario, the entire virtual network must
reside on a single subnet.
Figure 3 VPN-1 Deployment Using Bridge Mode

Notes to This Scenario


• Each department network segment occupies one virtual machine interface.
• All protected networks must reside on the same subnet, in this example 172.23.0.0/16. For a
mid-sized deployment this should not result in a lack of available IP addresses.
• Using a separate virtual machine for the SmartCenter server avoids bandwidth degradation
issues while installing policies.
• Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN.

Special Configuration Requirements


You must connect all internal and external interfaces for a virtual machine containing a VPN-1 VE
gateway in the bridge mode to a port group configured to accept the promiscuous mode. The
management interface may not be connected to a port group configured to accept the promiscuous
mode.

Warning - Never configure all port groups on a virtual switch to accept the promiscuous mode, as this is
an unacceptable security risk. You should only configure the port group to which you connect VPN-1 virtual
machines to accept the promiscuous mode. Do not connect any other virtual machines to this port group.

Configuring Promiscuous Mode


To configure a port group to be in promiscuous mode:
1. In the Virtual Infrastructure Client, select a host in the Inventory pane and then select the
Summary Tab.
2. Right-click a port group in the Resources > Network section of the Information pane and select
Properties from the options menu.

3. In the Network Properties window, select the Security tab.
4. Enable the Promiscuous Mode option and then select Accept from the list.
5. Click OK to complete the definition. The reconfiguration process may take a few moments to
complete.
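The port-group rules for this scenario (promiscuous mode on the bridge-mode gateway's internal and external port groups, never on its management port group, no other machines on a promiscuous port group, and never every port group on a vSwitch) can be checked against an inventory listing after the procedure above has been carried out. The following Python is an added example, not Check Point or VMware tooling; the vSwitch, port-group and machine names are constructed, and it assumes the promiscuous setting is recorded per port group as the Accept/Reject value shown in the Security tab.

```python
"""Audit a vSwitch / port group layout against the bridge-mode rules in this guide.

Added example, not Check Point or VMware tooling. The inventory below is a
constructed sample: switch, port group and machine names are assumed, and the
promiscuous setting is modelled per port group as the Accept/Reject value shown
in the VI Client Security tab.
"""
from dataclasses import dataclass, field


@dataclass
class PortGroup:
    name: str
    vswitch: str
    promiscuous: str  # "Accept" or "Reject"


@dataclass
class Vnic:
    port_group: str
    role: str  # "internal", "external" or "management"


@dataclass
class VM:
    name: str
    kind: str  # "vpn1_bridge" for a bridge-mode VPN-1 VE gateway; anything else otherwise
    vnics: list = field(default_factory=list)


def audit_promiscuous_layout(port_groups, vms):
    """Return a list of findings; an empty list means the layout follows the guide's rules."""
    pg_by_name = {pg.name: pg for pg in port_groups}
    findings = []
    for vm in vms:
        for nic in vm.vnics:
            pg = pg_by_name[nic.port_group]
            accepts = pg.promiscuous == "Accept"
            if vm.kind == "vpn1_bridge":
                # Bridge-mode gateway: internal/external interfaces need promiscuous mode,
                # the management interface must not have it.
                if nic.role in ("internal", "external") and not accepts:
                    findings.append(f"{vm.name}: {nic.role} interface on {pg.name}, which rejects promiscuous mode")
                elif nic.role == "management" and accepts:
                    findings.append(f"{vm.name}: management interface on promiscuous port group {pg.name}")
            elif accepts:
                # Only VPN-1 gateway machines may be connected to a promiscuous port group.
                findings.append(f"{vm.name}: non-gateway machine on promiscuous port group {pg.name}")
    # A vSwitch whose port groups all accept promiscuous mode is the case the warning forbids.
    per_switch = {}
    for pg in port_groups:
        per_switch.setdefault(pg.vswitch, []).append(pg.promiscuous == "Accept")
    for vswitch, flags in per_switch.items():
        if all(flags):
            findings.append(f"{vswitch}: every port group accepts promiscuous mode")
    return findings


# Constructed sample inventory (names are assumed, not taken from the guide).
SAMPLE_PORT_GROUPS = [
    PortGroup("PG-Dev-Promisc", "vSwitch1", "Accept"),  # only the Dev gateway should sit here
    PortGroup("PG-Dev-Servers", "vSwitch1", "Reject"),
    PortGroup("PG-Mgmt", "vSwitch0", "Reject"),
    PortGroup("PG-QA-Promisc", "vSwitch2", "Accept"),   # the only port group on vSwitch2
]
SAMPLE_VMS = [
    VM("vpn1-dev", "vpn1_bridge", [Vnic("PG-Dev-Promisc", "internal"), Vnic("PG-Mgmt", "management")]),
    VM("vpn1-qa", "vpn1_bridge", [Vnic("PG-QA-Promisc", "internal"), Vnic("PG-QA-Promisc", "management")]),
    VM("build-srv", "server", [Vnic("PG-Dev-Servers", "internal")]),
    VM("wiki", "server", [Vnic("PG-Dev-Promisc", "internal")]),  # misplaced: shares the gateway's port group
]

if __name__ == "__main__":
    for finding in audit_promiscuous_layout(SAMPLE_PORT_GROUPS, SAMPLE_VMS):
        print(finding)
```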

ClusterXL Deployment on a Single ESX Host


Figure 4 illustrates the use of a VPN-1 gateway in a ClusterXL deployment contained on a single
ESX host that provides redundancy at the virtual machine level. Two SmartCenter servers, a primary
and a secondary, reside on separate virtual machines to provide SmartCenter redundancy (the
SmartCenter Cluster is optional). VPN-1 requires ClusterXL to provide clustering functionality.
Failover ensures continuous service if an active ClusterXL cluster member becomes unavailable for
any reason. In this case, the standby Cluster member immediately takes over the tasks of
inspecting traffic from the unavailable machine. This scenario does not provide high availability
protection in the event that the ESX host itself becomes unavailable. For more information on
creating this deployment, see “Deploying ClusterXL on VMware” on page 21.

The following diagram illustrates a simplified network deployment using this scenario.
Figure 4 ClusterXL Deployment on a Single ESX Host

This example deployment includes Web and database servers hosted on virtual machines protected
by the clustered VPN-1 gateway. Also included in this deployment are primary and secondary
SmartCenter servers on virtual machines connected to the gateways using a non-dedicated
management interface.
The VPN-1 gateway and the SmartCenter servers connect to the external LAN and the Internet by
means of a virtual switch connecting to a physical switch via the ESX host interface. The gateway
ClusterXL cluster connects to the internal virtual network, containing the Web and Database
servers, via a virtual switch.
State synchronization is handled by a dedicated connection between members using one of the
virtual machine interfaces. The SmartCenter connects to the gateways via the internal network.

Notes to This Scenario


• All servers protected by the ClusterXL cluster must reside on the same network
• VPN-1 gateways in the bridge mode are not supported in cluster deployments
• Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN

ClusterXL Deployment Using Two ESX Hosts


Figure 5 illustrates ClusterXL deployment with two ESX hosts to provide redundancy and/or load
sharing for the VPN-1 gateway’s physical database servers. Each VPN-1 virtual machine serves as a
ClusterXL cluster member and is state synchronized with its peer on the other cluster member.
VPN-1 virtual machines require ClusterXL to provide clustering functionality.
High availability ensures failover redundancy for the VPN-1 gateway virtual machine in the event
that an ESX host becomes unavailable. Furthermore, failover of an individual virtual machine
occurs if it becomes unavailable.
Load sharing allows you to distribute traffic amongst the members to maximize throughput and
eliminate bottlenecks. When using load sharing, failover also occurs at the ESX host and virtual
machine levels. For more information on creating this deployment, see “Deploying ClusterXL on
VMware” on page 21.


The following diagram illustrates this ESX host clustered environment.


Figure 5 ClusterXL Deployment on Two ESX Hosts

In this deployment, the VPN-1 gateway connects to protected networks using a virtual switch that
passes through to a host interface and a physical switch. The VPN-1 gateway and the SmartCenter
server connect to the external LAN and the Internet via a virtual switch passing through a host
interface and a physical switch.
The VPN-1 gateway virtual machine maintains a synchronization connection via a virtual switch
leading to a dedicated physical interface on the host member. The interface connects to its
counterpart on the other member by means of a physical switch or cross cable. Management traffic
between the gateway and the SmartCenter server also uses this connection.

Notes to This Scenario


• This scenario provides SmartCenter redundancy by means of a primary server on one member
and a secondary server on the other.
• In this scenario VPN-1 gateways cannot protect resources, such as Web servers and databases,
that are hosted by virtual machines located on the same host as a gateway. Non-protected
virtual machines may, however, reside on the same host as a gateway virtual machine.
• Both SmartDashboard and the Virtual Infrastructure Client connect via the LAN


Deploying ClusterXL on VMware


In This Section

ClusterXL Clusters on VMware page 21


Deploying a ClusterXL Machine page 21
Installing ClusterXL on VMware page 24
Defining a ClusterXL Cluster page 25

ClusterXL Clusters on VMware


VPN-1 VE supports ClusterXL clusters for high availability Unicast mode and/or load sharing modes
running SecurePlatform. Other cluster solutions are not supported. This section summarizes the
requirements and procedures for defining a ClusterXL cluster with VPN-1 gateways or SmartCenter
servers on virtual machines.
You can create a ClusterXL cluster within a single ESX Host that ensures failover in case a virtual
machine hosting a VPN-1 component encounters problems or is powered off.
You can also create a ClusterXL cluster, consisting of two or more ClusterXL members, each on a
different ESX host. This ensures failover in the event that an ESX host becomes unavailable or in
case a ClusterXL member becomes unavailable. Furthermore, load sharing allows you to distribute
traffic amongst ESX hosts in addition to ensuring failover.
Please note that VMware High Availability and other VMware clustering solutions are not
appropriate for use with virtual machines hosting VPN-1 gateways or SmartCenter servers. These
products cannot provide the state synchronization required for VPN-1 clusters. You can, however,
use VMware High Availability or other solutions to provide failover support for virtual machines
hosting your own servers, databases, applications and other resources.
To create ClusterXL clusters on VMware, you must set up the virtual machine manually and then
install VPN-1. Manually creating the machine allows you to change its components and include two
CPUs, as required for ClusterXL clusters. To run ClusterXL, you must also have VPN-1 NGX HFA
30 or above installed on all cluster members.

Deploying a ClusterXL Machine


To deploy a ClusterXL machine:
1. Select the desired host in the Inventory panel and then click the icon on the toolbar.
Alternatively, you can right-click on the host and select New Virtual Machine from the option
menu. The New Virtual Machine wizard appears.


2. Select either the Typical or Custom option and click Next. The Name and Folder page appears.

3. Enter a unique name for the virtual machine in the appropriate field and select a location for
the new machine in the lower section of the page.
4. On the Datastore page, select the desired datastore location from the list.
5. On the Guest Operating System page, select Linux and then select Red Hat Enterprise Linux 3.

6. On the CPUs page, select the number of virtual CPUs required for this virtual machine.
Machines that will be ClusterXL cluster members require 2 CPUs.
7. On the Memory page, allocate at least 512 MB for VPN-1 gateways and SmartCenter servers.
We also recommend that you guarantee that at least 512 MB is always available by reserving
512 MB. You can perform this action after completing the virtual machine definition process,
as described in “Enhancing Performance by Reserving Memory” on page 23.


8. On the Network page, select the number of interfaces for this virtual machine. You can define
up to four virtual interfaces.
For each interface select the port group to which the interface connects. Always select the
Connect at Power On option.

• For a VPN-1 gateway, at least one interface connects to an internal or external network
• For SmartCenter servers, a management interface is required to connect to the gateways
9. On the I/O Adapter page, select the SCSI adapter appropriate for your deployment.
10. On the Select a Disk page, select Create a new virtual disk.
11. On the Disk Capacity page, specify at least 12 GB. Select a storage location for this virtual
machine.
12. On the Advanced Options page, accept the default parameters unless you have a specific reason
to change them.
13. On the Ready to Complete page, click Finish to complete the process. It may take a few minutes
for the new virtual machine to appear in the inventory.
14. Connect to the ESX Machine using SSH. For more information, see “How can I Connect to the
ESX Server Using SSH?” on page 33.
15. Edit the virtual machine’s .vmx file as follows:
a. Browse to the directory where the .vmx file is: cd /vmfs/volumes/<storage>/<virtual
machine>, where <storage> and <virtual machine> are names you chose.
b. Open the .vmx file for editing. Under the lines beginning with ethernetX (where X is the
number of each virtual network adapter), add a new line for that adapter that appears as follows:
ethernetX.virtualDev="e1000"

c. Save the .vmx file and exit the editor.


16. Power On the virtual machine.

Enhancing Performance by Reserving Memory


VPN-1 gateway and SmartCenter virtual machines require at least 512 MB of allocated memory. In
addition, we recommend ensuring that at least 512 MB of allocated memory resources are always
available. This process is called reserving memory, and enhances performance when installing
policies in environments with large databases and/or complex Rule Bases. If you imported the
VPN-1 VE machine using the VPN-1_R65_VE.tgz file, you already have the reserved memory and do
not need to perform the steps below.


To modify a virtual machine definition to reserve memory resources for a virtual machine:
1. Right-click on the appropriate virtual machine in the Inventory page and select Edit Settings
from the option menu. The window opens.

2. Click the Resources tab to display the Resources page.


3. Click Memory to display the memory settings.

4. Enter at least 512 MB in the Reservation field.


5. Change other properties as required. Refer to the online help and the Basic System
Administration guide for detailed information regarding the various properties.

Installing ClusterXL on VMware


Installing from Media Pack CDs
To install ClusterXL on VMware from a VPN-1 Media Pack CD, the virtual machine must have a CD
drive defined either as a client device (CD on the client PC) or as a host device (CD on the host
computer).

Installing from ISO Images


To install ClusterXL on VMware from a VPN-1 ISO file, you must first copy the ISO file to a location
in the datastore. The virtual machine must have a CD drive defined as the datastore path to this
ISO file.


Starting the Installation


To install ClusterXL on a new virtual machine:
1. If you are installing from the Media Pack CDs, insert CD 1 (SecurePlatform) into the CD drive.
If you are using ISO files, ensure that the virtual machine CD drive configuration points to the
path to the correct ISO file.
2. Select the Console tab for the virtual machine.
3. Power On the virtual machine. When the VMware welcome screen appears, press Esc to bring
up the Boot Menu. Select CD-ROM drive from the Boot Menu. The installation routine runs
automatically.

Installing SecurePlatform
To install SecurePlatform:
1. From the Welcome screen, click OK to install. The System Type screen appears.
2. On the System Type screen, select SecurePlatform.
3. On the Keyboard Selection menu, select a keyboard type.
4. On the Network Interface Configuration screen, enter the management interface IP address,
netmask, and default gateway for the first network interface (eth0 on most systems).
5. On the HTTPS Server Configuration screen, enable web-based configuration and accept the
default port.
6. Click OK. A confirmation message appears. Click OK to format the virtual hard drive and install
SecurePlatform software components. The installation process may take several minutes to
complete.
7. Remove the installation CD from the drive.
8. Click OK (or press Enter) to reboot your system. The reboot occurs automatically.
If you want to clone this virtual machine or to convert it to a template, do so at this time.
Continue with “Configuring VPN-1 Gateways and SmartCenters” on page 11.

Defining a ClusterXL Cluster


Before defining the ClusterXL cluster, configure the requisite number of interfaces on each ESX
host as required for your deployment, manually create each virtual machine and install VPN-1 for
VMware, and configure each gateway as described in previous sections.
To define a ClusterXL cluster in an ESX deployment:
1. Run cpconfig and activate clustering on each gateway.
2. Modify the value of each cluster member’s timer resolution to the value of 5 as follows (this
modification is required to prevent false failovers. As a result, detection of a member down
may take up to 5 seconds):
a. Open: $FWDIR/boot/modules/fwkern.conf (If this file does not exist, create it.)
b. Add: fwha_timer_cpha_res=5
c. Reboot each machine
3. Test connectivity between the ClusterXL cluster members and the SmartCenter server. Resolve
connectivity issues before proceeding.
4. Test connectivity between the ClusterXL cluster members and your internal networks, external
networks, and other virtual machines. Resolve connectivity issues before proceeding.


5. Using SmartDashboard, create and configure your clusters and the required synchronization
networks. Refer to the ClusterXL Administration Guide, found at http://support.checkpoint.com
and the online help for details regarding this process.
6. Define and install security policies.
7. Test the policies and connectivity.

Advanced Deployment: Protecting More Than 3 Virtual Networks
Introduction
The deployments described in the previous section are limited in that each virtual machine has a
maximum of four interfaces. In a typical deployment, this means that a VPN-1 gateway can only
protect three virtual networks. This limitation, however, can be overcome using VLANs. Using
VLANs, you can divide traffic on one network adapter into multiple networks that can all be
protected by one VPN-1 VE gateway.

VLAN Deployment Example


Figure 6 illustrates an example of a deployment using VLANs. For detailed instructions on
configuring such a deployment, see “Configuring VLAN Networks” on page 29.
Figure 6 Deployment Using VLANs

This deployment is comprised of a standalone VPN gateway and SmartCenter on a single virtual
machine. The gateway inspects and protects all traffic passing through a virtual switch that is
provisioned with four different port groups, corresponding to four VLAN groups. Each VLAN group
leads to a different network, all of which are protected by the VPN-1 gateway from external threats
as well as from threats originating from other virtual machines.
With the use of VLANs, only two interface cards are being used by the VPN-1 VE to protect all four
networks. While this example shows only four networks provisioned on one virtual switch, using
VLANs you can protect over four thousand networks with one interface.


Notes to This Scenario


• All machines within a VLAN network must reside on the same subnet. For a mid-sized
deployment this should not result in a lack of available IP addresses.
• Each host must be configured so that its default gateway is the respective VPN-1 VLAN
device’s IP address. Each host’s routing table should direct all traffic to go through the default
gateway.
• The switch port that is connected to the firewall must be a VLAN trunk port and be configured
with VLAN ID 4095 to accept traffic from all VLANs. The VPN-1 machine must be the only
machine in this port group and the only machine with this VLAN ID.
• Packets that travel between hosts with the same VLAN tag are not inspected by the VPN-1 VE.
• While only four networks are shown connected to the virtual switch, over 4000 can be
provisioned on one switch.
• There are potentially two remaining interfaces on the VPN-1 machine that can be used for
other purposes within the deployment.

The Path of a Packet


Figure 7 shows the paths that packets may travel within the VLAN deployment scenario depicted
above.
Figure 7 Paths of Packets in a VLAN Deployment


If one host on a VLAN network sends a packet to a host on a different VLAN network, the packet
receives a VLAN tag from the virtual switch. It then travels to the VPN-1 firewall where the tag is
removed. Once the firewall inspects the packet, it re-tags it, based on the routing table, and sends
the packet to the virtual switch. The virtual switch strips the VLAN tag and sends the packet to the
correct host without a tag.
Packets coming from outside to a specific VLAN network pass through the VPN-1 firewall and are
inspected. They then follow the same route as a packet sent from one VLAN network to another.

Configuring VLAN Networks


Setting up the VLAN Networks involves configuring the following:
• The virtual switch that will house the port groups and VLAN IDs
• The VPN-1 machine that will protect the VLAN networks and virtual switch
• The hosts to be protected by the VPN-1
Below are detailed instructions for setting up your deployment.

Configuring the Virtual Switch


To set up a VLAN configuration, you provision one port group on a virtual switch for each VLAN. All
packets intended for a specific host within a VLAN receive a VLAN tag and can only be received by
hosts on that VLAN network.
One interface of the VPN-1 VE machine is connected to the same virtual switch as the other port
groups. The VPN-1 machine has a separate port group of “all” to accept traffic from all other port
groups. All packets pass through the firewall and are then given a VLAN tag by the virtual switch
and sent to that VLAN network.
To add another port/VLAN ID Group to a virtual switch or to edit existing port groups:
1. From the Configuration tab of the ESX server, click Networking. The Networking page opens,
displaying your virtual switches. Click Properties next to the virtual switch that you want to
configure.

2. To add a new port group:


a. Click Add. The Add Network Wizard opens.

b. Select Virtual Machine and click Next. Continue with step 4.


3. To edit an existing port group:
a. Select a Virtual Machine Network (port group) from the list and click Edit.


4. Type a Network Label and type or select a VLAN ID to identify a port group on the switch. Click
Next. We recommend not using VLAN ID “1” as this may be the native VLAN ID on the
machine and may cause connectivity problems.

5. Click Finish.
6. Repeat steps 2 through 5 for each port group/VLAN ID group you want to provision on the
virtual switch.

Add a Port Group/VLAN ID for the VPN-1 Machine


The VPN-1 machine must have a separate Port Group/VLAN ID of All to accept all packets. Follow
the steps in “Configuring the Virtual Switch” on page 29. In Step 4, type 4095 for the VLAN ID.

Configuring the VPN-1 Machine


Follow the instructions in “Importing and Configuring VPN-1 VE” on page 9 to import the VPN-1
VE machine and create a new VPN-1 machine. Configure it following the instructions in “Known
Limitations” on page 14. Refer to the NGX R65 Internet Security Product Suite Getting Started
Guide, found at http://support.checkpoint.com, for additional configuration information.

Configuring VLANs on the VPN-1 Machine


When you configure the VLAN, it displays as <Network Adapter>.<VLAN ID>, for example, eth1.2.
Make sure to configure the network adapter that connects the VPN-1 machine to the virtual switch
with VLAN groups.
To configure an IP address for each VLAN device
1. Run sysconfig. Type 1 to Add Connection.
2. Type 2 to select VLAN.


3. Select the network adapter that connects the VPN-1 machine to the virtual switch with VLAN
groups, for example, eth1.
4. Enter the VLAN ID, for example, 2.
5. Type the IP address specific to the VLAN, the desired netmask, and default broadcast.
The VLAN configuration will display.
6. Repeat the steps above for each VLAN.
Once the ESX server environment is fully configured, add the virtual switch and all of the hosts and
networks you want to protect as objects in SmartDashboard and set up a Rule Base. See the
NGX R65 Getting Started Guide for more information. For a complete presentation of NGX R65
installation and configuration procedures, refer to the NGX R65 Internet Security Product Suite
Getting Started Guide and the Firewall and SmartDefense Administration Guide, found at
http://support.checkpoint.com.

Configuring Hosts
All hosts that will be on a VLAN and be protected by the VPN-1 gateway should be set up in your
ESX Server. Change the IP settings so that each host’s default gateway is on the same subnet as
the VLAN device’s virtual IP address that you configured when setting up the VPN-1 machine. All
hosts within a VLAN must be on this same subnet.

Setting Up a Routing Table


The routing table of each host should be configured to direct all traffic from the host to go through
its default gateway, which is one of the VLAN device’s virtual IP addresses. In this way you ensure
that all traffic to and from the host will be inspected by the VPN-1 VE machine. The routing table
within the VPN-1 machine itself is automatically configured after you set up the VLANs.
The steps needed to configure a routing table differ depending on your operating system. Below is
an example of how to set up the routing table in Linux.
To set up a routing table in a Linux machine:
1. From the console in a host, type:
route add default gw 184.23.5.3

where “184.23.5.3” is the default gateway of that particular host.


2. Repeat step 1 on every host.


FAQs and Troubleshooting


Below are some troubleshooting procedures for questions that may arise when working with VPN-1
VE.

How can I Connect to the ESX Server Using SSH?


If you are not able to access the ESX Server via SSH, follow this procedure:
1. Go to the service console on the physical server and log in.
2. Run:

vi /etc/ssh/sshd_config
3. Change the line that says PermitRootLogin from “no” to “yes”.
4. Run:

service sshd restart

What Should I Do if I Receive a UUID Warning Message?


When powering on your VPN-1 VE machine for the first time, you may get a Virtual Machine
Message stating that the virtual machine’s configuration file has changed. It will look like this:

Select Create and then click OK to start the machine.

Can I Change the MTU?


In order to change the MTU (Maximum Transmission Unit) your network adapter drivers must be
set to pcnet32.
To change the network adapter driver settings to pcnet32:
1. Connect to the ESX Server with SSH.
2. Change the directory to the virtual machine directory.
3. Edit the VPN-1_VE.vmx file as follows: Delete the lines stating ethernetX.virtualDev="e1000",
where X is the relevant virtual network adapter.

Note - If you wish to change your network adapter drivers back to e1000, you must change the
MTU to a value higher than 1000, using sysconfig.
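The following added example, which is not from this guide, scripts the .vmx edit described in step 15 of “Deploying a ClusterXL Machine” (adding ethernetX.virtualDev="e1000" for each adapter) and its reverse from the MTU answer above (removing those lines so the adapter falls back to pcnet32). The sample .vmx fragment is constructed for testing and is not a real VPN-1 VE file; it assumes the adapter keys follow the ethernetN.* form shown in the guide.

```shell
#!/bin/sh
# Added example, not from the VPN-1 VE guide: switch every virtual NIC in a
# .vmx file between the e1000 driver and the default pcnet32 driver.

# Constructed .vmx fragment (not a real VPN-1 VE file) used for testing.
SAMPLE_VMX='config.version = "8"
displayName = "vpn1-ve"
ethernet0.present = "true"
ethernet0.networkName = "External"
ethernet1.present = "true"
ethernet1.networkName = "Trunk-All"
ethernet1.virtualDev = "e1000"
scsi0.present = "true"'

# vmx_set_nic_driver FILE e1000|pcnet32
# e1000:   ensure exactly one ethernetN.virtualDev = "e1000" line per adapter,
#          placed directly after that adapter's last ethernetN.* line.
# pcnet32: remove every ethernetN.virtualDev line, so the adapter uses the
#          default (pcnet32) driver, as the MTU FAQ describes.
# Existing virtualDev lines are dropped first, so the edit is safe to re-run.
vmx_set_nic_driver() {
    file="$1"; driver="$2"
    case "$driver" in
        e1000|pcnet32) ;;
        *) echo "unknown driver: $driver" >&2; return 2 ;;
    esac
    tmp="$file.tmp.$$"
    awk -v driver="$driver" '
    {
        line[NR] = $0
        if ($0 ~ /^ethernet[0-9]+\.virtualDev[ \t]*=/) { drop[NR] = 1; next }
        if (match($0, /^ethernet[0-9]+\./)) {
            n = substr($0, 9, RLENGTH - 9)   # adapter number N from ethernetN.
            last[n] = NR                     # last non-driver line of adapter N
            adapter[NR] = n
        }
    }
    END {
        for (i = 1; i <= NR; i++) {
            if (i in drop) continue
            print line[i]
            if (driver == "e1000" && (i in adapter) && last[adapter[i]] == i)
                print "ethernet" adapter[i] ".virtualDev = \"e1000\""
        }
    }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Usage on an ESX host (power the virtual machine off first):
#   vmx_set_nic_driver /vmfs/volumes/<storage>/<virtual machine>/VPN-1_VE.vmx e1000
```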


Can I Enlarge the VPN-1 VE Hard Disk Drive?


You may want to enlarge the VPN-1 VE hard drive to allow more space for logs, especially if the
machine has a SmartCenter installed. You can add an additional hard drive in VMware. You then
configure the hard drive in SecurePlatform and direct logs to a new directory on the new hard
drive.

Creating a Second Hard Drive in VMware


To create a second hard drive:
1. Power Off the VPN-1 VE machine.
2. Right-click the machine and select Edit Settings.
3. Click Add and then select Hard Disk from the Add Hardware Wizard. Click Next.
4. Select Create a new virtual disk and click Next.
5. Type the Disk Size you want and click Next.
6. Keep the default settings by clicking Next.
7. The settings of the new disk are displayed. Click Finish.

Configure the New Hard Drive in SecurePlatform


Configuring the new hard drive involves creating a new partition, formatting the hard disk, and
mapping it to a new directory.

Creating a New Partition


To create a new partition:
1. Power on the VPN-1 VE machine.
2. Log in to expert mode.
3. Run:
fdisk /dev/sdb

4. Type n to add a new partition.


5. Type p to choose a primary partition.
6. Type 1 for the partition number.
7. Keep the defaults for the first and last cylinder.
8. Type t to change the partition’s system ID.
9. Type the hex code 83.
10. Type w to write the table to disk and exit.

Creating the Volume Settings


To create the volume settings:
1. Verify that the new hard disk is properly configured and that /dev/sdb1 is created by running:
fdisk -l

where the lower case “L” stands for “list partition table”.
2. Initialize a physical volume by running:
pvcreate /dev/sdb1


3. Optionally, check that the physical volume was created by running:


pvdisplay

4. Create a volume group. Choose a name for the volume group that you will use in the command
when creating it, for example, mynew_vg:
vgcreate mynew_vg /dev/sdb1

5. Create a logical volume:


lvcreate -L 4000 -n vol2 mynew_vg

where “4000” is the size of the hard drive in MB, “vol2” is a name that you assign to the
logical volume, and “mynew_vg” is the name of the volume group that you assigned in the
previous step.

Formatting and Mapping the Hard Drive


To format and map the hard drive:
1. Format the hard disk by using the names you created in “Creating the Volume Settings” on
page 34 and running:
mkfs.ext3 -m 0 /dev/mynew_vg/vol2

2. Add the new hard disk to the SecurePlatform mapping tables as follows:
a. Run:
vi /etc/mtab

b. Add the following line at the end of the file:


/dev/mynew_vg/vol2 /exvar ext3 rw 0 0

where “exvar” is the name you choose for the directory that the hard drive will be mapped to.
c. Run:
vi /etc/fstab

d. Add the following line at the end of the file:


/dev/mynew_vg/vol2 /exvar ext3 defaults 1 2

where “exvar” is the name you chose for the directory to which the hard drive will be mapped.
3. Create the directory to which the hard drive will be mapped, “exvar” according to this
example and map the hard drive to this directory. Run:
mkdir /exvar
mount -a

Redirecting the Log Files to a Folder in the New Hard Drive


To redirect log files to the new hard drive:
1. Run:
cpstop

2. Save the current log directory by running:


mv $FWDIR/log $FWDIR/log.old

3. Create a new log directory, for example “newlogs” in the new hard disk with the name you
chose in “Formatting and Mapping the Hard Drive” on page 35:
mkdir /exvar/newlogs


4. Map logs to the new directory:


ln -s /exvar/newlogs $FWDIR/log

5. Start the machine using:


cpstart
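The following added example, not taken from this guide, wraps the file edits behind “Formatting and Mapping the Hard Drive” and “Redirecting the Log Files to a Folder in the New Hard Drive” in two functions that are safe to re-run: the fstab entry is only appended once, and an existing log.old is never overwritten. Partitioning, LVM, mkfs, cpstop and cpstart remain the guide's manual steps; the paths are parameters so the functions can be tried on a scratch directory.

```shell
#!/bin/sh
# Added example, not from the VPN-1 VE guide: idempotent helpers for the
# fstab entry and the log-directory symlink on the new hard drive.

# ensure_fstab_entry FSTAB DEVICE MOUNTPOINT
# Appends "DEVICE MOUNTPOINT ext3 defaults 1 2" (the line from the guide)
# unless FSTAB already has an entry for MOUNTPOINT. Repeating the edit by
# hand would leave a duplicate line, which mount -a then tries to mount twice.
ensure_fstab_entry() {
    fstab="$1"; dev="$2"; mnt="$3"
    if awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { found = 1 } END { exit !found }' \
        "$fstab" 2>/dev/null; then
        return 0                         # already mapped, nothing to do
    fi
    printf '%s %s ext3 defaults 1 2\n' "$dev" "$mnt" >> "$fstab"
}

# redirect_fw_logs FWDIR NEWLOGDIR
# Moves FWDIR/log aside as FWDIR/log.old and replaces it with a symlink to
# NEWLOGDIR, as in the guide (mv, mkdir, ln -s). Refuses to overwrite an
# earlier log.old so a previous set of logs is never lost. Run between
# cpstop and cpstart.
redirect_fw_logs() {
    fwdir="$1"; newlogs="$2"
    if [ -L "$fwdir/log" ]; then
        echo "$fwdir/log is already a symlink, leaving it alone" >&2
        return 0
    fi
    if [ -e "$fwdir/log.old" ]; then
        echo "$fwdir/log.old exists, refusing to overwrite it" >&2
        return 1
    fi
    mkdir -p "$newlogs" || return 1
    mv "$fwdir/log" "$fwdir/log.old" || return 1
    ln -s "$newlogs" "$fwdir/log"
}

# Usage on SecurePlatform, following the names used in the guide:
#   ensure_fstab_entry /etc/fstab /dev/mynew_vg/vol2 /exvar && mkdir -p /exvar && mount -a
#   cpstop; redirect_fw_logs "$FWDIR" /exvar/newlogs; cpstart
```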

Documentation Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by
sending your comments to:
cp_techpub_feedback@checkpoint.com
