In This Document
Introduction page 2
Deploying VPN-1 VE Machines page 7
Known Limitations page 14
Deployment Scenarios page 15
Deploying ClusterXL on VMware page 21
Advanced Deployment: Protecting More Than 3 Virtual Networks page 27
FAQs and Troubleshooting page 33
Documentation Feedback page 36
Copyright © 2008 Check Point Software Technologies, Ltd. All rights reserved 1
Introduction
VPN-1 VE Overview
VPN-1 NGX R65 VE (Virtual Edition) is a security and VPN solution, designed to harness the power
of network virtualization. VPN-1 VE provides the identical security protections and VPN features as
physical VPN-1 gateways. It securely connects these gateways and SmartCenters on virtual
machines to shared resources, such as the Internet and DMZs, and allows them to safely interact
with each other and the outside world. All VPN-1 security features such as SmartDefense, Web
Intelligence, Application Intelligence, Anti-virus, Anti-spam, and so on, are available on VPN-1 VE.
This guide provides the conceptual framework for VPN-1 VE. It also provides detailed instructions
for importing and configuring Check Point VPN-1 products on virtual machines by using VPN-1 VE
or by manually installing VPN-1 NGX R65 for VMware.
This guide assumes that the reader has a thorough understanding of VMware® ESX Server 3.x
concepts, procedures and terminology. Furthermore this guide assumes that the reader is familiar
with Check Point VPN-1 concepts and procedures.
As used in this document, the term VPN-1 applies to VPN-1 Power, VPN-1 UTM, and VPN-1 Power UTM.
Virtualization Overview
Virtualization of hardware resources represents the cutting edge of today’s computing technology,
providing cost-effective, scalable solutions for dynamic network environments. Virtualization allows
you to create multiple “virtual” computers on a single hardware platform. With VPN-1 VE, Check
Point brings its state of the art security solutions to the virtualized world.
VMware ESX Server 3.x “virtualizes” hardware resources including CPU, RAM, hard disks, network
adapters, and the operating system. This technology allows you to create functional virtual
machines that host organization resources such as Web servers, email servers, databases, and so
on. Using VMware ESX Server 3.x, you can define Virtual Networks comprised of virtual machines,
virtual switches, and interfaces to provide the functionality of their physical network counterparts.
VPN-1 VE supplies the comprehensive protection required to secure your virtual networks. VPN-1
NGX R65 VE, VPN-1 NGX R65 for VMware machines, and physical gateways can be managed by
the same unified central management, thus enabling a consistent, enforceable security policy
across all physical and virtual networks.
In this simple example, a standalone VPN-1 gateway and SmartCenter server combination protects
three virtual switches leading to networks containing several different types of servers. All traffic
that flows between the virtual networks, for example between the Web Servers Network and the
Database Server, or from a host on the external LAN to the Email Server is inspected by the VPN-1 VE
machine.
Administrators manage network security using SmartDashboard from any client having connectivity
with the SmartCenter server. Virtual machines and all other VMware objects are managed using
Virtual Infrastructure Client.
VPN-1 VE protects the virtual machines in the ESX server, but it does not protect the VMkernel.
Key Benefits
VPN-1 VE allows you to use Check Point security solutions, when using an ESX Server, to
implement virtual network security and to deploy application servers on virtual machines. VPN-1
VE offers the following advantages:
• Adds a security layer that protects resources residing on virtual machines from external threats
and threats from other virtual machines.
• Provides unified management as VPN-1 VE gateways and physical VPN-1 gateways can be
managed by the same SmartCenter. Thus security policies can be consistently enforced on
every part of the network - physical and virtual.
• Provides a scalable solution for growing enterprises by providing protection for additional
virtual network resources without the need for additional hardware investment, maintenance,
energy, and site costs.
• Simplifies configuration by eliminating the need to provision additional virtual and physical
switches in order to protect virtual resources.
• Simplifies disaster recovery scenarios.
• Lower Total Cost of Ownership.
• Certified by VMware for optimal use with ESXi and ESX Servers.
• Machines are pre-configured and ready to use in just a few steps.
Users of VPN-1 products prior to version NGX R65 must upgrade their products and licenses to
R65 before using VPN-1 VE. Please refer to the NGX R65 Upgrade Guide for detailed instructions
regarding upgrading Check Point products to version NGX R65. For more information see
http://support.checkpoint.com.
Hardware Requirements
Virtual Machine Requirements for VPN-1 VE
Virtual machines created for use as VPN-1 gateways or SmartCenter servers must meet the
following minimum resource requirements:
• Allocated Memory: 512 MB
• Disk Space: 12 GB
Licensing Information
Each VPN-1 gateway product and SmartCenter server installed on a virtual machine requires a
license, in the same manner as a physical product. Each VPN-1 VE gateway requires a VPN-1 VE
license. SmartCenters require a standard VPN-1 SmartCenter license. Licenses are associated with
the gateway or SmartCenter server IP address. Check Point add-on licenses, such as SmartDefense
Services, are equally applicable to products installed on virtual machines.
Related Documentation
We recommend that you refer to the Check Point documentation packages listed below, in addition to this document. All documents can be found at http://support.checkpoint.com.
Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 together with step-by-step product installation procedures. This document also provides information regarding what's new in the current release, licensing, minimum hardware and software requirements, etc.
Upgrade Guide: Explains the available upgrade paths to NGX R65 for Check Point products from VPN-1/FireWall-1 version NG and higher.
Firewall & SmartDefense Administration Guide: Describes how to manage network access; establish network connectivity; use SmartDefense to protect against network and application level threats; use Web Intelligence to protect Web servers and applications; use Content Vectoring Protocol (CVP) applications for anti-virus protection; use URL Filtering (UF) applications for restricting access to web sites; and secure VoIP traffic.
SmartCenter Administration Guide: Describes Check Point SmartCenter Management applications, which provide solutions for configuring, managing, and monitoring network security deployments.
ClusterXL Administration Guide: Describes the ClusterXL clustering solution, including concepts and configuration procedures.
SecurePlatform Administration Guide: Explains how to install and configure SecurePlatform. This guide also explains how to manage SecurePlatform and describes the Dynamic Routing (Unicast and Multicast) protocols.
Virtual Private Networks Administration Guide: Describes the major components of a VPN environment and presents procedures for securing and configuring the environment using VPN-1.
We recommend that you familiarize yourself with the following VMware documentation before using this product:
Introduction to VMware Infrastructure: Provides a detailed, conceptual overview of the ESX Server product, including its architecture, features, and functionality.
Installation and Upgrade Guide: Describes the VMware ESX Server 3.x system and licensing requirements, and provides detailed instructions for installing and upgrading the product.
Quick Start Guide: Serves as a quick reference to product installation, virtual machine provisioning and management, and the GUI.
Basic System Administration: Detailed documentation for using VMware ESX Server 3.x. This is the primary reference guide for system administrators and users.
Server Configuration Guide: Describes the tasks you need to configure ESX Server host networking, storage, and security. In addition, it provides overviews, recommendations, and conceptual discussions to help you understand these tasks and how to deploy an ESX Server host to meet your needs.
Deploying VPN-1 VE Machines
In This Section
Introduction page 7
VMware Terminology page 7
Deployment Planning page 8
Importing and Configuring VPN-1 VE page 9
Introduction
This section provides instructions for Importing and Configuring VPN-1 VE machines. VMware
terminology is also included for easy reference, as well as information on planning your VPN-1 VE
deployment.
The instructions assume that you are familiar with VMware ESX Server 3.x and that the appropriate
VMware software is installed. This document does not attempt to serve as a general VMware
tutorial. For further information regarding VMware ESX Server 3.x procedures and features, refer to
the VMware ESX Server Getting Started and Basic System Administration guides.
VMware Terminology
This section presents a glossary of VMware terms used in this guide or that you are likely to encounter in the VMware documentation referenced in this document.
Virtual Machine (VM): Software-based abstraction of a physical computer, including CPUs, memory, disk storage, network interfaces, ports, guest operating system, and application software. In a VPN-1 VE environment, a virtual machine provides the functionality of a VPN-1 gateway or SmartCenter server.
Virtual Switch (vSwitch): A virtual switch works similarly to a physical Ethernet switch. It detects which virtual machines are logically connected to each of its virtual ports and uses that information to forward traffic to the correct virtual machines. A vSwitch can be connected to physical switches using physical network adapters to join virtual networks with physical networks.
Virtual Interface (vNIC): Software-based abstraction of a physical interface that provides network connectivity for virtual machines.
Port Group: A port group specifies port configuration options such as bandwidth limitations and VLAN tagging policies for each port. Network services connect to vSwitches through port groups. Port groups define how a connection is made through the vSwitch to the network.
Virtual Network: A network of virtual machines running on a single physical machine that are connected logically to each other so that they can send and receive data from each other. Virtual networks do not depend on physical network interfaces.
Guest Operating System: Operating system installed on a virtual machine.
Host: Physical machine using VMware to host one or more virtual machines and other virtual objects. The host provides the physical resources shared by virtual machines, such as CPUs, memory, disk storage access, network interfaces, etc.
Datacenter: Collection of hosts and their associated virtual machines and datastores.
Datastore: Host-independent storage location for virtual machine files in ESX Server systems, typically a system volume located on a physical disk, RAID, SAN, or network file system.
VirtualCenter Server: Manages multiple hosts together with their associated virtual machines and objects from a single GUI client. This is the central point for provisioning and configuring all of your virtual machines, virtual networks and their associated objects.
VMware Infrastructure Client (VI Client): GUI client used to manage virtual machines and associated objects. It manages virtual machines much in the same way that SmartDashboard manages VPN-1 gateways.
Deployment Planning
This section describes issues to consider when planning your VPN-1 VE deployment.
6. Select Import from file, and choose the .ovf file from the folder from where you extracted the
.tgz file. Click Next.
7. View the Virtual Appliance Details. Click Next.
8. Type a name for the VPN-1 VE machine. Click Next.
9. Select the datastore on the ESX Server where the VPN-1 VE machine files will be stored. Click Next.
10. In Network Mapping, select the proper Network portgroups according to your topology. Click
Next.
11. Click Finish to complete the Virtual Machine Wizard. It may take a few minutes for the new
machine to appear in the inventory.
12. Select the machine from the inventory and Power On the machine.
For optimal performance of your VPN-1 VE machine, we recommend reserving an additional 512 MB of memory. See "Enhancing Performance by Reserving Memory" on page 23.
9. In the Add to Inventory Wizard, type a name for the new virtual machine. Click Next.
10. Select a Resource Pool to run the virtual machine. Selecting a Resource Pool allows you to
determine which resources a virtual machine is using. Click Next.
11. Click Finish to complete the Virtual Machine Wizard. It may take a few minutes for the new
machine to appear in the inventory.
12. Select the machine from the inventory and Power On the machine.
cpconfig
4. Press n to continue.
5. Press the number corresponding to your keyboard type and then press n, or just press n to keep
the default US keyboard.
6. Press the number corresponding to the Ethernet connection that you want to set as your
management connection. When prompted, type the IP address attached to the Ethernet
connection, its subnet mask, and its broadcast address.
7. In the Network Configuration menu, use the menu option to configure the following:
• The host name
• The domain name and at least one DNS server (if required)
• The network interface IP addresses
8. In the time and date configuration menu, use the menu options to configure the following:
• Time zone
• Date
• Local time
• Show date and time settings
10. Press n to continue. The Import Check Point Products Configuration screen appears.
Continue to follow to Check Point Wizard to install Check Point products on the virtual machine.
See the NGX R65 Internet Security Product Suite Getting Started Guide and the Firewall and
SmartDefense Administration Guide for more information.
Known Limitations
Please refer to the current edition of the NGX R65 Release Notes, found at
http://support.checkpoint.com, for a complete list of known limitations for this major release. The
limitations listed below apply specifically to VPN-1 VE and are in addition to the VPN-1 NGX R65
release limitations.
1. The cloning and template features are supported for VPN-1 virtual machines (gateways and
SmartCenter) only under the following conditions:
a. The virtual machine must be a new VPN-1 VE machine or SecurePlatform installation
(immediately following the first reboot).
b. No Check Point products, such as SmartCenter or VPN-1, have been configured yet.
c. No configuration steps (sysconfig, cpconfig, etc.) have been performed.
2. Interface bonding on the virtual machine running the VPN-1 VE is not supported with
ClusterXL.
3. VMtools is not supported.
4. VPN-1 gateways in the Bridge Mode must have their internal and external interfaces connected
to port groups that are configured in promiscuous mode.
5. VPN-1 gateways in the Bridge Mode are not supported with ClusterXL.
6. The Performance Pack Heavy Load Quality of Service (HLQoS) feature is not supported.
7. The Monitor Interface Link State feature is not supported on VPN-1 ClusterXL cluster members
on virtual machines.
8. Virtual machines may be connected to a maximum of four different virtual switches. This may
limit the number of virtual networks protected by a VPN-1 VE machine. This limitation can be
overcome using VLANs. See “Advanced Deployment: Protecting More Than 3 Virtual Networks”
on page 27.
9. VPN-1 VE supports MTU change only with pcnet32 network devices.
10. The ethtool utility does not recognize speed or duplex changes made to the virtual network
adapters.
11. NGX R65 HFA 01 and 02 are not supported. NGX R65 HFAs beginning with HFA 30 are
supported.
12. VPN-1 VE does not protect the VMkernel.
Deployment Scenarios
In This Section
Overview page 15
VPN-1 and SmartCenter Standalone Deployment page 16
VPN-1 Deployment using the Bridge Mode page 17
ClusterXL Deployment on a Single ESX Host page 18
ClusterXL Deployment Using Two ESX Hosts page 19
Overview
This section presents several sample deployments that illustrate the integration of VPN-1 NGX R65
solutions into virtual network deployments. While these examples are shown in simple, small-scale
environments, the concepts are applicable to larger, more complex deployments. Each scenario
includes a brief conceptual description, an illustrative diagram, notes and configuration
requirements, as appropriate.
These scenarios are intended to present conceptual examples of how VPN-1 VE may be deployed
on VMware ESX. They do not purport to provide solutions for specific applications or environments.
There are many different ways to use these concepts to tailor network virtualization to your specific
needs, only a few of which are suggested by these scenarios.
Warning - Never configure all port groups on a virtual switch to accept promiscuous mode; this is an unacceptable security risk, because a virtual machine on a promiscuous port group receives every frame that crosses that virtual switch. Configure only the port group to which you connect the VPN-1 virtual machines to accept promiscuous mode, and do not connect any other virtual machine to that port group.
4. Enable the Promiscuous Mode option and then select Accept from the list.
5. Click OK to complete the definition. The reconfiguration process may take a few moments to
complete.
The following diagram illustrates a simplified network deployment using this scenario.
Figure 4 ClusterXL Deployment on a Single ESX Host
This example deployment includes Web and database servers hosted on virtual machines protected
by the clustered VPN-1 gateway. Also included in this deployment are primary and secondary
SmartCenter servers on virtual machines connected to the gateways using a non-dedicated
management interface.
The VPN-1 gateways and the SmartCenter servers connect to the external LAN and the Internet by means of a virtual switch connecting to a physical switch via the ESX host interface. The ClusterXL gateway cluster connects to the internal virtual network, containing the Web and Database servers, via a virtual switch.
State synchronization is handled by a dedicated connection between members using one of the
virtual machine interfaces. The SmartCenter connects to the gateways via the internal network.
In this deployment, the VPN-1 gateway connects to protected networks using a virtual switch that
passes through to a host interface and a physical switch. The VPN-1 gateway and the SmartCenter
server connect to the external LAN and the Internet via a virtual switch passing through a host
interface and a physical switch.
The VPN-1 gateway virtual machine maintains a synchronization connection via a virtual switch
leading to a dedicated physical interface on the host member. The interface connects to its
counterpart on the other member by means of a physical switch or cross cable. Management traffic
between the gateway and the SmartCenter server also uses this connection.
2. Select either the Typical or Custom option and click Next. The Name and Folder page appears.
3. Enter a unique name for the virtual machine in the appropriate field and select a location for
the new machine in the lower section of the page.
4. On the Datastore page, select the desired datastore location from the list.
5. On the Guest Operating System page, select Linux and then select Red Hat Enterprise Linux 3.
6. On the CPUs page, select the number of virtual CPUs required for this virtual machine.
Machines that will be ClusterXL cluster members require 2 CPUs.
7. On the Memory page, allocate at least 512 MB for VPN-1 gateways and SmartCenter servers. We also recommend that you guarantee that at least 512 MB is always available by reserving 512 MB. You can perform this action after completing the virtual machine definition process, as described in "Enhancing Performance by Reserving Memory" on page 23.
8. On the Network page, select the number of interfaces for this virtual machine. You can define
up to four virtual interfaces.
For each interface select the port group to which the interface connects. Always select the
Connect at Power On option.
• For a VPN-1 gateway, at least one interface connects to an internal or external network
• For SmartCenter servers, a management interface is required to connect to the gateways
9. On the I/O Adapter page, select the SCSI adapter appropriate for your deployment.
10. On the Select a Disk page, select Create a new virtual disk.
11. On the Disk Capacity page, specify at least 12 GB. Select a storage location for this virtual
machine.
12. On the Advanced Options page, accept the default parameters unless you have a specific reason
to change them.
13. On the Ready to Complete page, click Finish to complete the process. It may take a few minutes
for the new virtual machine to appear in the inventory.
14. Connect to the ESX Machine using SSH. For more information, see “How can I Connect to the
ESX Server Using SSH?” on page 33.
15. With the virtual machine powered off, edit its .vmx file as follows:
a. Change to the directory containing the .vmx file: cd /vmfs/volumes/<storage>/<virtual machine>, where <storage> and <virtual machine> are the datastore and virtual machine names you chose.
b. Open the .vmx file for editing. For each virtual adapter ethernetX (where X is the adapter number), add one new line after its existing ethernetX lines, as follows:
ethernetX.virtualDev="e1000"
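The .vmx edit in step 15 is easy to get wrong by hand on a machine with several adapters (a missed adapter, or two virtualDev lines for the same one). The following script is an added example for this guide, not Check Point or VMware code: it reads a .vmx, adds one ethernetN.virtualDev line per adapter found, rewrites any existing virtualDev line to the requested driver, and is safe to run more than once. SAMPLE_VMX and the file name handling are constructed for demonstration.

```python
"""Set ethernetN.virtualDev = "e1000" for every virtual NIC in a .vmx file.

Added example for this guide, not Check Point or VMware code. It performs
the edit of step 15 programmatically: one virtualDev line per adapter,
placed directly under the adapter's first ethernetN.* line. An adapter that
already has a virtualDev line gets its value rewritten instead of a second
line, so running the script twice is safe. SAMPLE_VMX below is constructed
for demonstration; real files live under /vmfs/volumes/<datastore>/<vm>/.
"""
import re
import sys

# Matches lines such as  ethernet0.present = "TRUE"  -> (index, key, value)
ETH_LINE = re.compile(r'^\s*ethernet(\d+)\.(\w+)\s*=\s*"?([^"]*)"?\s*$')


def set_virtual_dev(vmx_text: str, driver: str = "e1000") -> str:
    """Return vmx_text with ethernetN.virtualDev = "<driver>" for each adapter N."""
    lines = vmx_text.splitlines()

    # Pass 1: note which lines already carry a virtualDev key, per adapter.
    existing = {}  # line number -> adapter index
    for n, line in enumerate(lines):
        m = ETH_LINE.match(line)
        if m and m.group(2) == "virtualDev":
            existing[n] = int(m.group(1))
    has_dev = set(existing.values())

    # Pass 2: rewrite existing virtualDev lines, insert missing ones once.
    out = []
    inserted = set()
    for n, line in enumerate(lines):
        m = ETH_LINE.match(line)
        if not m:
            out.append(line)
            continue
        idx = int(m.group(1))
        if n in existing:
            out.append(f'ethernet{idx}.virtualDev = "{driver}"')
            continue
        out.append(line)
        if idx not in has_dev and idx not in inserted:
            out.append(f'ethernet{idx}.virtualDev = "{driver}"')
            inserted.add(idx)
    return "\n".join(out) + "\n"


def rewrite_vmx_file(path: str, driver: str = "e1000") -> None:
    """Rewrite the .vmx in place; only do this while the VM is powered off."""
    with open(path, "r") as fh:
        original = fh.read()
    updated = set_virtual_dev(original, driver)
    if updated != original:
        with open(path, "w") as fh:
            fh.write(updated)


# Constructed sample: two adapters, one already bound to the vlance driver.
SAMPLE_VMX = (
    'config.version = "8"\n'
    'displayName = "vpn1-ve-gw"\n'
    'ethernet0.present = "TRUE"\n'
    'ethernet0.networkName = "External"\n'
    'ethernet1.present = "TRUE"\n'
    'ethernet1.virtualDev = "vlance"\n'
    'ethernet1.networkName = "Internal"\n'
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        rewrite_vmx_file(sys.argv[1])  # e.g. /vmfs/volumes/<datastore>/<vm>/<vm>.vmx
    else:
        sys.stdout.write(set_virtual_dev(SAMPLE_VMX))
```

Run it with the .vmx path as the only argument from the ESX service console; with no argument it prints the rewritten sample so you can see the placement of the inserted lines before touching a real file.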
To modify a virtual machine definition to reserve memory resources for a virtual machine:
1. Right-click on the appropriate virtual machine in the Inventory page and select Edit Settings
from the option menu. The window opens.
Installing SecurePlatform
To install SecurePlatform:
1. From the Welcome screen, click OK to install. The System Type screen appears.
2. On the System Type screen, select SecurePlatform.
3. On the Keyboard Selection menu, select a keyboard type.
4. On the Network Interface Configuration screen, enter the management interface IP address,
netmask, and default gateway for the first network interface (eth0 on most systems).
5. On the HTTPS Server Configuration screen, enable web-based configuration and accept the
default port.
6. Click OK. A confirmation message appears. Click OK to format the virtual hard drive and install
SecurePlatform software components. The installation process may take several minutes to
complete.
7. Remove the installation CD from the drive.
8. Click OK (or press Enter) to reboot your system. The reboot occurs automatically.
If you want to clone this virtual machine or to convert it to a template, do so at this time.
Continue with “Configuring VPN-1 Gateways and SmartCenters” on page 11.
5. Using SmartDashboard, create and configure your clusters and the required synchronization
networks. Refer to the ClusterXL Administration Guide, found at http://support.checkpoint.com
and the online help for details regarding this process.
6. Define and install security policies.
7. Test the policies and connectivity.
This deployment is comprised of a standalone VPN gateway and SmartCenter on a single virtual
machine. The gateway inspects and protects all traffic passing through a virtual switch that is
provisioned with four different port groups, corresponding to four VLAN groups. Each VLAN group
leads to a different network, all of which are protected by the VPN-1 gateway from external threats
as well as from threats originating from other virtual machines.
With the use of VLANs, only two virtual interfaces are used by the VPN-1 VE to protect all four networks: one facing the external network and one trunk interface carrying all of the VLANs. While this example shows only four networks provisioned on one virtual switch, using VLANs you can protect over four thousand networks with one interface.
If one host on a VLAN network sends a packet to a host on a different VLAN network, the packet
receives a VLAN tag from the virtual switch. It then travels to the VPN-1 firewall where the tag is
removed. Once the firewall inspects the packet, it re-tags it, based on the routing table, and sends
the packet to the virtual switch. The virtual switch strips the VLAN tag and sends the packet to the
correct host without a tag.
Packets coming from outside to a specific VLAN network pass through the VPN-1 firewall and are
inspected. They then follow the same route as a packet sent from one VLAN network to another.
4. Type a Network Label and type or select a VLAN ID to identify a port group on the switch. Click
Next. We recommend not using VLAN ID “1” as this may be the native VLAN ID on the
machine and may cause connectivity problems.
5. Click Finish.
6. Repeat steps 2 through 5 for each port group/VLAN ID group you want to provision on the
virtual switch.
sysconfig
1. Type 1 to Add Connection.
2. Type 2 to select VLAN.
3. Select the network adapter that connects the VPN-1 machine to the virtual switch with VLAN
groups, for example, eth1.
4. Enter the VLAN ID, for example, 2.
5. Type the IP address specific to the VLAN, the desired netmask, and default broadcast.
The VLAN configuration will display.
6. Repeat the steps above for each VLAN.
Once the ESX server environment is fully configured, add the virtual switch and all of the hosts and networks you want to protect as objects in SmartDashboard and set up a Rule Base. See the
NGX R65 Getting Started Guide for more information. For a complete presentation of NGX R65
installation and configuration procedures, refer to the NGX R65 Internet Security Product Suite
Getting Started Guide and the Firewall and SmartDefense Administration Guide, found at
http://support.checkpoint.com.
Configuring Hosts
All hosts that will be on a VLAN and be protected by the VPN-1 gateway should be set up in your ESX Server. Change the IP settings so that each host's default gateway is the VLAN device's IP address that you configured when setting up the VPN-1 machine, and that each host's own address is on the same subnet as that VLAN device. All hosts within a VLAN must be on this same subnet.
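The port group, sysconfig and host steps above each carry a constraint (VLAN IDs other than 1 and unique per switch, one subnet per VLAN, every host on its VLAN's subnet with its default gateway pointing at the VPN-1 VE VLAN address), and a mistake in any one of them only shows up as a host that cannot reach the gateway. The following script is an added example for this guide, not Check Point or VMware code: it checks a VLAN plan against those rules before anything is typed into the VI Client or sysconfig, and derives the netmask and broadcast address that the sysconfig VLAN dialog asks for. The Vlan and Host records, the interface name eth1 and the addresses in main() are constructed sample data.

```python
"""Check a VLAN plan for the multi-network deployment described above.

Added example for this guide, not Check Point code. The guide's procedure
is: one port group per VLAN ID on the virtual switch, one VLAN connection
per VLAN on the VPN-1 VE gateway (sysconfig: Add Connection, VLAN), and
every protected host's default gateway set to the gateway's address on
that VLAN. check_plan() verifies a plan against those rules; sysconfig_inputs()
derives the netmask and broadcast address sysconfig asks for. The VLANs and
hosts in main() are constructed sample data.
"""
from ipaddress import ip_address, ip_interface
from typing import Dict, List, NamedTuple, Tuple


class Vlan(NamedTuple):
    vlan_id: int
    port_group: str   # Network Label of the port group on the vSwitch
    gateway: str      # VPN-1 VE address on this VLAN, CIDR form


class Host(NamedTuple):
    name: str
    vlan_id: int
    address: str          # host address, CIDR form
    default_gateway: str


def vlan_ifname(parent_if: str, vlan_id: int) -> str:
    """SecurePlatform names the VLAN sub-interface <parent>.<id>, e.g. eth1.2."""
    return f"{parent_if}.{vlan_id}"


def check_plan(vlans: List[Vlan], hosts: List[Host]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    by_id: Dict[int, Vlan] = {}
    for v in vlans:
        if v.vlan_id == 1:
            problems.append(f"{v.port_group}: VLAN ID 1 may be the native VLAN; pick another ID")
        elif not 2 <= v.vlan_id <= 4094:
            problems.append(f"{v.port_group}: VLAN ID {v.vlan_id} outside the 802.1Q range 2-4094")
        if v.vlan_id in by_id:
            problems.append(f"{v.port_group}: VLAN ID {v.vlan_id} already used by "
                            f"{by_id[v.vlan_id].port_group}")
            continue
        by_id[v.vlan_id] = v
    # The gateway routes between VLANs, so their subnets must not overlap.
    nets = [(v, ip_interface(v.gateway).network) for v in by_id.values()]
    for i, (va, na) in enumerate(nets):
        for vb, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"subnet {na} (VLAN {va.vlan_id}) overlaps {nb} (VLAN {vb.vlan_id})")
    for h in hosts:
        v = by_id.get(h.vlan_id)
        if v is None:
            problems.append(f"{h.name}: VLAN {h.vlan_id} is not defined")
            continue
        gw = ip_interface(v.gateway)
        addr = ip_interface(h.address)
        if addr.network != gw.network:
            problems.append(f"{h.name}: {addr} is not on VLAN {v.vlan_id} subnet {gw.network}")
        if ip_address(h.default_gateway) != gw.ip:
            problems.append(f"{h.name}: default gateway {h.default_gateway} should be {gw.ip}")
    return problems


def sysconfig_inputs(parent_if: str, vlans: List[Vlan]) -> List[Tuple[str, int, str, str, str]]:
    """(interface, VLAN ID, IP, netmask, broadcast) for each sysconfig VLAN connection."""
    rows = []
    for v in vlans:
        iface = ip_interface(v.gateway)
        rows.append((vlan_ifname(parent_if, v.vlan_id), v.vlan_id, str(iface.ip),
                     str(iface.network.netmask), str(iface.network.broadcast_address)))
    return rows


if __name__ == "__main__":
    # Constructed sample: four VLANs on one trunk (eth1) and three protected hosts.
    vlans = [Vlan(2, "Web Servers", "10.1.2.1/24"), Vlan(3, "Database", "10.1.3.1/24"),
             Vlan(4, "Email", "10.1.4.1/24"), Vlan(5, "Management", "10.1.5.1/24")]
    hosts = [Host("web1", 2, "10.1.2.10/24", "10.1.2.1"),
             Host("db1", 3, "10.1.3.10/24", "10.1.3.1"),
             Host("mail1", 4, "10.1.4.10/24", "10.1.3.1")]   # wrong gateway on purpose
    for problem in check_plan(vlans, hosts):
        print("PROBLEM:", problem)
    for row in sysconfig_inputs("eth1", vlans):
        print("sysconfig VLAN:", *row)
```

The sample run reports mail1's default gateway as wrong and prints, for each VLAN, the interface name and the IP, netmask and broadcast values to enter in the sysconfig VLAN connection dialog.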
vi /etc/ssh/sshd_config
3. Change the line that says PermitRootLogin from "no" to "yes". Permitting root login over SSH widens the attack surface of the ESX service console; change the value back to "no" and restart sshd once the .vmx edit is complete.
4. Run:
Note - If you wish to change your network adapter drivers back to e1000, you must change the
MTU to a value higher than 1000, using sysconfig.
where the lower case “L” stands for “list partition table”.
2. Initialize a physical volume by running:
pvcreate /dev/sdb1
4. Create a volume group. Choose a name for the volume group that you will use in the command
when creating it, for example, mynew_vg:
vgcreate mynew_vg /dev/sdb1
where “4000” is the size of the hard drive in MB, “vol2” is a name that you assign to the
logical volume, and “mynew_vg” is the name of the volume group that you assigned in the
previous step.
2. Add the new hard disk to the SecurePlatform mapping tables as follows:
a. Run:
vi /etc/mtab
where “exvar” is the name you choose for the directory that the hard drive will be mapped to.
c. Run:
vi /etc/fstab
where “exvar” is the name you chose for the directory to which the hard drive will be mapped.
3. Create the directory to which the hard drive will be mapped, “exvar” according to this
example and map the hard drive to this directory. Run:
mkdir /exvar
mount -a
3. Create a new log directory, for example “newlogs” in the new hard disk with the name you
chose in “Formatting and Mapping the Hard Drive” on page 35:
mkdir /exvar/newlogs
Documentation Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by
sending your comments to:
cp_techpub_feedback@checkpoint.com