MULTIPLE SECURITY GROUPS

Data Center Security Appliances

41000/44000/61000/64000

©2018 Check Point Software Technologies Ltd. 1
Acronyms and definitions

• Chassis:
̶ Housing for mounting SGMs
• SGM (Security Gateway Module):
̶ Line card host running Gaia operating system
• SG (Security Group):
̶ A group of SGMs that acts as a single Gateway
• SSM (Security Switch Module):
̶ Front switches which load balance traffic among SGMs



Motivation

• Multiple systems (SGs) on top of a single physical setup
̶ Each Security Group runs an independent SMO
̶ Each Security Group is linked to a different SmartDashboard object
̶ Each Security Group has its own software version
̶ Each Security Group has its own configuration (SGW/VSX)
• Shared hardware
̶ Different systems (Security Groups) share the same hardware components (Chassis, SSMs, CMMs)


Single Chassis, more opportunities

• Hybrid Gateway Mode configuration
̶ Different Security Groups (SG1 & SG2)
̶ SG 1 is VSX Gateway
̶ SG 2 is Security-Gateway
• Different Management servers (optional)
• Same hardware

[Figure: one chassis hosting SG 1 (VSX, VSLS) and SG 2 (SGW), with two management servers, Mgmt A and Mgmt B]


Dual Chassis, even more

• Up to 12 Security Groups
• Dual Chassis for extra redundancy
• Security Group redundancy
• All SGs have visibility to the chassis hardware health
• In case of chassis hardware failure, each Security Group acts accordingly

[Figure: Chassis 1 and Chassis 2, each with 12 SGM slots labelled by Security Group ID (1 2 3 4 5 6 7 7 7 8 8 8). Each Security Group has Active SGMs on one chassis and Standby SGMs on the other; in the final build of the slide the SGMs of the failed chassis are shown Down]


Design overview

• SG-independent redundancy mode (HA/VSLS)
• Global commands are applied on the local SG
• Network segregation
̶ Traffic is distributed according to the incoming interface
̶ Traffic is distributed only to SGMs in the SG that owns the incoming interface
• Interface sharing
̶ Multiple SGs can share the same physical ports (using VLANs)
• SGs share information via the Sync network
̶ Configured SGMs
̶ Configured interfaces


Use cases

• Security Groups can be configured as a SPAN port (mirroring) while others inspect production traffic
• Flexible Security Groups configuration
̶ An SG can be configured with SGMs from a single chassis
̶ An SG can be configured with SGMs from both chassis
̶ SG-A can be configured to use SGMs from Chassis 1 and 2, while SG-B uses SGMs from Chassis 1 only and SG-C uses SGMs from Chassis 2


Security Group operations

• Security Group creation
̶ A Security Group can be created on-the-fly without interrupting the rest of the system
̶ Creation is done by running the “setup” process and going through a short wizard
̶ A new Security Group is assigned a unique identifier (1-12)
̶ SGMs can be added to/removed from Security Groups on-the-fly


Animation – 1st SG creation

SGM 1_1 Console: Clean Chassis


Demo – 1st SG creation
Legend: Security Group 1 (SGW)

SGM 1_1 Console:
Hello Security Group 1
Now we may initiate a SIC communication with the management server and create a firewall/VSX object


Demo – Adding SGM to Security Group
Legend: Security Group 1 (SGW)

SGM 1_1 Console:
Let’s add SGM 1_2 to Security Group 1
After a few minutes…


Demo – Create another Security Group
Legend: Security Group 1 (SGW), Security Group 2 (VSLS)

SGM 1_3 Console:
Same as 1st Security Group


Security Group operations

• Security Group deletion
̶ A Security Group can be deleted from the system
̶ A new option in the “asg security_group” utility deletes the entire Security Group
̶ Deleting a Security Group automatically releases the Security Group resources
̶ Before deleting a Security Group, all the SGMs (except one) must be removed from the Security Group


Demo – Deleting a Security Group
Legend: Security Group 1 (SGW), Security Group 2 (VSLS), Security Group 3 (VSX)

SGM 1_1 Console:
First, we must remove the SGMs from the Security Group. Let’s start with SGM 1_2: change SGM 1_2 state to Down, then remove it from the Security Group.
Now we can delete the Security Group.
RIP – Security Group 1


Summary – Security Group operations

• In order to create a new Security Group, first run “setup” and go through the wizard
• After completing the setup, the Security Group is ready to be authenticated with the Management server
• Adding/removing SGMs from the Security Group is via the “asg security_group” util
• Deleting a Security Group is via the “asg security_group” util
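Worked example, added here and not Check Point code: a small Python model of the create / add / remove / delete rules summarised above, replaying the demo slides (create SG 1 on SGM 1_1, add SGMs, create SG 2, strip SG 1 down to one SGM, delete it). Class and method names are hypothetical; SGMs are named chassis_slot as in the demos (SGM 1_2 = chassis 1, slot 2). Two details are assumptions made for the model, not statements from the page: that a new group receives the lowest free identifier (the page only says it is unique and in 1-12), and that the last SGM of a group is released only by deleting the group.

```python
"""Toy model of Security Group lifecycle rules (added example, not Check Point code).
Assumed: lowest-free-id assignment; last SGM released only by deleting the group."""

MAX_SECURITY_GROUPS = 12  # unique identifiers 1-12, as stated on the slides


class SecurityGroupRegistry:
    def __init__(self):
        self.groups = {}      # sg_id -> {"mode": "SGW"|"VSX"|"VSLS", "sgms": set()}
        self.sgm_owner = {}   # "chassis_slot" -> sg_id; an SGM belongs to one SG only

    def _claim(self, sgm, sg_id):
        owner = self.sgm_owner.get(sgm)
        if owner is not None:
            raise ValueError(f"SGM {sgm} already belongs to Security Group {owner}")
        self.sgm_owner[sgm] = sg_id

    def create(self, first_sgm, mode):
        """'setup' wizard on a clean SGM: new group, created on the fly, unique id 1-12
        (lowest free id is an assumption of this model)."""
        free = [i for i in range(1, MAX_SECURITY_GROUPS + 1) if i not in self.groups]
        if not free:
            raise RuntimeError("all 12 Security Group identifiers are in use")
        sg_id = free[0]
        self._claim(first_sgm, sg_id)
        self.groups[sg_id] = {"mode": mode, "sgms": {first_sgm}}
        return sg_id

    def add_sgm(self, sg_id, sgm):
        """'asg security_group': add an SGM to an existing group on the fly."""
        self._claim(sgm, sg_id)
        self.groups[sg_id]["sgms"].add(sgm)

    def remove_sgm(self, sg_id, sgm):
        """'asg security_group': remove an SGM (last member stays until deletion; assumed)."""
        sgms = self.groups[sg_id]["sgms"]
        if sgm not in sgms:
            raise ValueError(f"SGM {sgm} is not a member of Security Group {sg_id}")
        if len(sgms) == 1:
            raise RuntimeError("the last SGM is released by deleting the Security Group")
        sgms.remove(sgm)
        del self.sgm_owner[sgm]

    def delete(self, sg_id):
        """'asg security_group' delete: allowed only once a single SGM is left;
        the group's resources (its id and its last SGM) are released."""
        sgms = self.groups[sg_id]["sgms"]
        if len(sgms) != 1:
            raise RuntimeError(f"remove all SGMs except one first ({len(sgms)} still assigned)")
        (last,) = sgms
        del self.sgm_owner[last]
        del self.groups[sg_id]

    def chassis_used(self, sg_id):
        """Chassis spanned by a group: one chassis only, or both."""
        return sorted({int(s.split("_")[0]) for s in self.groups[sg_id]["sgms"]})


def replay_demo():
    """Replays the demo slides and returns what was observed at each step."""
    reg = SecurityGroupRegistry()
    sg1 = reg.create("1_1", "SGW")
    reg.add_sgm(sg1, "1_2")
    reg.add_sgm(sg1, "2_1")            # constructed: SG 1 now spans both chassis
    span = reg.chassis_used(sg1)
    sg2 = reg.create("1_3", "VSLS")    # created without touching SG 1
    try:
        reg.delete(sg1)                # too early: three SGMs still assigned
        early_delete = "allowed"
    except RuntimeError as exc:
        early_delete = str(exc)
    reg.remove_sgm(sg1, "1_2")
    reg.remove_sgm(sg1, "2_1")
    reg.delete(sg1)                    # RIP Security Group 1
    reused = reg.create("1_1", "VSX")  # released id and SGM are reusable
    return {"sg1": sg1, "sg2": sg2, "span": span, "early_delete": early_delete,
            "reused_id": reused, "remaining": sorted(reg.groups)}


if __name__ == "__main__":
    print(replay_demo())
```

The registry enforces the two invariants the slides rely on: an SGM is a member of at most one group, and a group can only be deleted when exactly one SGM remains.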


Failovers

• Failovers are per Security Group
• Failovers do not affect the rest of the Security Groups


Demo 1 – Chassis Failover
Legend: Security Group 1 (SGW), Security Group 2 (VSX)

• SGM 1_1 failed
• SG 1 performs chassis fail-over
• SG 2 is not affected

[Figure: Chassis 1 and Chassis 2 with the Active/Standby state of each Security Group on each chassis; SGM 1_1 is shown Down and the Active side of SG 1 has moved to the other chassis, while SG 2 keeps its Active/Standby state]


Demo 2 – VS Failover
Legend: Security Group 1 (SGW), Security Group 2 (VSLS)

• VS4 on Chassis 1 state changed to Down
• VS4 failover to Chassis 2
• SG2 is not affected

[Figure: VS1 to VS4 on Chassis 1 and Chassis 2, each VS with an Active copy on one chassis and a Standby copy on the other; VS4 on Chassis 1 is Down and VS4 on Chassis 2 is now Active]
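Added example, not Check Point code: a simplified Python model of the per-Security-Group failover shown in the two demos. An SGM failure is evaluated only by the group that owns the SGM (Demo 1), and a VS failure inside a VSLS group moves only that VS (Demo 2); other groups and other VSs are not touched. Names are hypothetical, the group identifiers, SGM membership and VS names are constructed, and the fail-over rule used here (an SGM failure on the group's Active chassis moves the group to the other chassis if all of its SGMs there are up) is a deliberate simplification, not the product's chassis-grade mechanism.

```python
"""Simplified per-Security-Group failover model (added example, not Check Point code)."""


class SecurityGroup:
    def __init__(self, sg_id, mode, sgms, vs_names=()):
        self.sg_id = sg_id
        self.mode = mode                       # "SGW", "VSX" or "VSLS"
        self.sgm_up = {s: True for s in sgms}  # "chassis_slot" -> SGM is up
        self.active_chassis = 1                # constructed: every group starts Active on chassis 1
        self.vs_active = {vs: 1 for vs in vs_names}  # VSLS only: each VS has its own Active chassis
        self.events = []

    @staticmethod
    def chassis_of(sgm):
        return int(sgm.split("_")[0])

    def chassis_healthy(self, chassis):
        members = [s for s in self.sgm_up if self.chassis_of(s) == chassis]
        return bool(members) and all(self.sgm_up[s] for s in members)

    def sgm_failed(self, sgm):
        """Chassis fail-over decision for this group only (simplified rule, see above)."""
        self.sgm_up[sgm] = False
        standby = 3 - self.active_chassis
        if self.chassis_of(sgm) == self.active_chassis and self.chassis_healthy(standby):
            self.events.append(f"SG {self.sg_id}: chassis fail-over {self.active_chassis} -> {standby}")
            self.active_chassis = standby

    def vs_failed(self, vs, chassis):
        """VSLS: a VS whose Active copy goes Down moves to its Standby copy; other VSs keep their state."""
        if self.mode != "VSLS":
            raise ValueError(f"SG {self.sg_id} is not a VSLS group")
        if self.vs_active[vs] == chassis:
            other = 3 - chassis
            self.vs_active[vs] = other
            self.events.append(f"SG {self.sg_id}: {vs} fail-over {chassis} -> {other}")


class DualChassis:
    def __init__(self, groups):
        self.groups = {g.sg_id: g for g in groups}

    def owner(self, sgm):
        for g in self.groups.values():
            if sgm in g.sgm_up:
                return g
        raise KeyError(f"SGM {sgm} is not assigned to any Security Group")

    def sgm_failed(self, sgm):
        """Only the owning group evaluates a fail-over; returns every group's Active chassis."""
        self.owner(sgm).sgm_failed(sgm)
        return {sg_id: g.active_chassis for sg_id, g in self.groups.items()}


def demo():
    """Demo 1 (SGM 1_1 fails in the SGW group) and Demo 2 (VS4 fails in the VSLS group)."""
    sg1 = SecurityGroup(1, "SGW", ["1_1", "1_2", "2_1", "2_2"])
    sg2 = SecurityGroup(2, "VSLS", ["1_3", "2_3"], vs_names=["VS1", "VS2", "VS3", "VS4"])
    system = DualChassis([sg1, sg2])

    after_sgm = system.sgm_failed("1_1")   # SG 1 fails over to chassis 2; SG 2 stays put
    sg2.vs_failed("VS4", chassis=1)        # VS4 moves to chassis 2; VS1-VS3 and SG 1 unchanged
    return {"active_after_sgm_failure": after_sgm,
            "vs_active": dict(sg2.vs_active),
            "sg1_active_after_vs_failure": sg1.active_chassis,
            "events": sg1.events + sg2.events}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the isolation boundary: the dual-chassis object never changes any group's state itself, it only hands the event to the owning group, which is what makes a failover in one Security Group invisible to the others.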


Network configurations

• SSM front panel Ethernet port types:
̶ Management
̶ Data
̶ Sync

[Figure: SSM front panel]


Network configurations – Mgmt ports

• Management ports are shared among the Security Groups:
̶ Multiple Security Groups can use the same Mgmt port and configure a different IP address on it
̶ Example:
̶ SG1: eth1-Mgmt1 192.168.15.100/24
̶ SG2: eth1-Mgmt1 192.168.15.101/24
̶ It is also allowed to configure different subnets on the same Mgmt port on different Security Groups.
̶ Example:
̶ SG1: eth1-Mgmt2 192.168.15.100/24
̶ SG2: eth1-Mgmt2 172.16.16.100/24


Demo – configuring a data port

SG1 SSH:
Let’s take over interface eth1-01
Now interface eth1-01 belongs to SG 1
Other Security Groups are not allowed to take eth1-01

[Figure: SG 1 (SGW) and SG 2 (VSX) sharing the chassis; eth1-01 is attached to SG 1]


Demo – configuring a data port

SG 2 SmartDashboard:
Let’s try to add eth1-01 to the SG 2 VSX object
Push configuration failed with the following error:
Action is not permitted: eth1-01 belongs to a different Security Group (ID: 1)
Now we’ll try to take a free interface (eth1-02)


Demo – configuring a data port

SG 2 SSH:
Lastly, let’s try to take over eth1-02 in SG1


Network configurations – VLAN Trunks

• Different Security Groups are allowed to create different VLANs on the same shared VLAN Trunk
• Shared Trunk interface attributes (MTU, speed, etc.) are global, and propagated to all Security Groups that share the same Trunk
̶ Example:
̶ eth1-01 is configured as a VLAN trunk
̶ eth1-01 MTU is 1500
̶ SG1 is using eth1-01.100
̶ SG2 is using eth1-01.200
̶ SG1 modified the MTU value to 9000; SG2’s MTU on eth1-01 changed to 9000 as well
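Added example, not Check Point code, covering the port-sharing rules from the Design overview, the Mgmt ports slide, the data-port demo and this VLAN trunk slide in one Python model: Mgmt ports are shared with one IP per Security Group, a Data port is owned by exactly one group (a second group gets the push-configuration error from the SmartDashboard demo), a VLAN trunk is shared per VLAN with global attributes such as MTU, and traffic arriving on an interface is distributed only to the SGMs of the group that owns it. Class and method names are hypothetical; port eth1-03 and the SGM membership are constructed for the example; the error text is the one shown on the demo slide.

```python
"""Port-sharing rules between Security Groups (added example, not Check Point code)."""


class SharedPorts:
    def __init__(self, ports, sgms):
        self.kind = dict(ports)      # port name -> "mgmt" or "data"
        self.sgms = dict(sgms)       # sg_id -> list of SGMs (constructed membership)
        self.data_owner = {}         # data port -> sg_id (exclusive)
        self.mgmt_ip = {}            # (mgmt port, sg_id) -> "ip/prefix"
        self.trunks = {}             # trunk port -> {"mtu": int, "vlans": {vid: sg_id}}

    def set_mgmt_ip(self, sg_id, port, ip_prefix):
        """Mgmt ports are shared: each SG sets its own IP, in the same or a different subnet."""
        if self.kind.get(port) != "mgmt":
            raise ValueError(f"{port} is not a Mgmt port")
        self.mgmt_ip[(port, sg_id)] = ip_prefix

    def take_data_port(self, sg_id, port):
        """A Data port belongs to one SG; any other SG gets the push-configuration error."""
        if self.kind.get(port) != "data" or port in self.trunks:
            raise ValueError(f"{port} is not a plain Data port")
        owner = self.data_owner.get(port)
        if owner is not None and owner != sg_id:
            raise PermissionError(f"Action is not permitted: {port} belongs to a "
                                  f"different Security Group (ID: {owner})")
        self.data_owner[port] = sg_id

    def configure_trunk(self, port, mtu=1500):
        """A free Data port becomes a VLAN trunk that several SGs may share."""
        if self.kind.get(port) != "data" or port in self.data_owner:
            raise ValueError(f"{port} cannot be turned into a trunk")
        self.trunks[port] = {"mtu": mtu, "vlans": {}}

    def add_vlan(self, sg_id, port, vid):
        """Each VLAN on a shared trunk is owned by exactly one SG."""
        vlans = self.trunks[port]["vlans"]
        owner = vlans.get(vid)
        if owner is not None and owner != sg_id:
            raise PermissionError(f"Action is not permitted: {port}.{vid} belongs to a "
                                  f"different Security Group (ID: {owner})")
        vlans[vid] = sg_id

    def set_trunk_mtu(self, sg_id, port, mtu):
        """Trunk attributes are global: a change by one sharing SG reaches all of them."""
        trunk = self.trunks[port]
        if sg_id not in trunk["vlans"].values():
            raise PermissionError(f"SG {sg_id} has no VLAN on {port}")
        trunk["mtu"] = mtu

    def mtu_seen_by(self, sg_id, port, vid):
        """MTU as seen from one SG's VLAN interface on the trunk."""
        trunk = self.trunks[port]
        if trunk["vlans"].get(vid) != sg_id:
            raise KeyError(f"{port}.{vid} is not an interface of SG {sg_id}")
        return trunk["mtu"]

    def owning_sg(self, iface):
        """Owner of an incoming interface, e.g. 'eth1-01' or 'eth1-03.200'."""
        if "." in iface:
            port, vid = iface.split(".", 1)
            return self.trunks[port]["vlans"][int(vid)]
        return self.data_owner[iface]

    def distribute(self, iface):
        """Network segregation: only the SGMs of the owning SG receive the traffic."""
        return list(self.sgms[self.owning_sg(iface)])


def walkthrough():
    """Replays the Mgmt-port, data-port and VLAN-trunk slides and returns what happened."""
    ports = {"eth1-Mgmt1": "mgmt", "eth1-01": "data", "eth1-02": "data", "eth1-03": "data"}
    p = SharedPorts(ports, sgms={1: ["1_1", "1_2"], 2: ["1_3"]})
    p.set_mgmt_ip(1, "eth1-Mgmt1", "192.168.15.100/24")
    p.set_mgmt_ip(2, "eth1-Mgmt1", "192.168.15.101/24")
    p.take_data_port(1, "eth1-01")               # SG1 SSH: take over eth1-01
    try:
        p.take_data_port(2, "eth1-01")           # SG2 SmartDashboard: push fails
        error = None
    except PermissionError as exc:
        error = str(exc)
    p.take_data_port(2, "eth1-02")               # free interface: allowed
    p.configure_trunk("eth1-03")                 # constructed shared trunk, MTU 1500
    p.add_vlan(1, "eth1-03", 100)
    p.add_vlan(2, "eth1-03", 200)
    p.set_trunk_mtu(1, "eth1-03", 9000)          # SG1 changes the global attribute
    return {"error": error,
            "sg2_mtu": p.mtu_seen_by(2, "eth1-03", 200),
            "eth1-01": p.distribute("eth1-01"),
            "eth1-03.200": p.distribute("eth1-03.200"),
            "mgmt": dict(p.mgmt_ip)}


if __name__ == "__main__":
    print(walkthrough())
```

Two things the model makes visible that the slides only state: ownership is resolved per interface (the VLAN sub-interface, not the trunk, decides which group's SGMs see the traffic), and the MTU lives on the trunk object rather than on either group, which is exactly why a change made from SG1 shows up in SG2.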


THANK YOU
