R70-GetStartGuide_N450000861r001


Check Point for Nokia IPSO Getting Started Guide and Release Notes

Check Point Suite R70
Nokia IPSO 6.0.7

Part No. N450000861 Rev 001 Published March 2009

COPYRIGHT 2009 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage. Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.


Nokia Contact Information

Corporate Headquarters
  Web Site: http://www.nokia.com
  Telephone: 1 914 368 0400
  Mail Address: Nokia Inc., 102 Corporate Park Drive, White Plains, NY 10604 USA

Regional Contact Information
  Americas
    Nokia Inc., 102 Corporate Park Drive, White Plains, NY 10604 USA
    Tel: 1 877 997 9199
    E-mail: usa@nokiaforbusiness.com
  Europe, Middle East, and Africa
    Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
    Tel: (UK) 44 161 601 8908
    Tel: (France) 33 170 708 166
    Tel: (Middle East, Africa, Dubai) 971 4 3697600
    E-mail: europe@nokiaforbusiness.com
    E-mail: mea@nokiaforbusiness.com
  Asia-Pacific
    438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
    Tel: 603 9145 1032
    E-mail: asia@nokiaforbusiness.com

Nokia Global Technical Assistance Center
  Web Site: https://support.nokia.com
  Voice:
    Americas: 1 888 361 5030
    Europe, Middle East, Africa: 44 1252 868900
    Asia-Pacific: 65 6723 2999
    International: 1 613 271 6721

Non-Technical Support
  For non-technical support issues, including your Nokia Support Agreement, licensing, and Web site access, use the following contact information:
  E-mail: es.service@nokia.com


Contents

About This Guide
  In This Guide
  Conventions This Guide Uses
  Notices
  Text Conventions
  Related Documentation

1 Preparing for Installation and Configuration
  Basic Check Point Security Gateway Components
  Installation and Configuration Overview
  Basic Steps for Installing and Configuring
  Determining Nokia IPSO and Check Point Software Versions
  Checking the Nokia IPSO Version
  Checking the Installed Check Point Packages
  Preparing the Nokia IP Security Platform
  Preparing the Network
  Obtaining Check Point Licensing

2 Installing Check Point R70
  Before You Start
  Downloading R70 for Software
  Installing the R70 Software
  Installing HotFix Accumulators on Flash-based Platforms

3 Performing the Initial Configuration
  Using the Check Point Configuration Tool
  About the Initial Firewall Policy
  Before You Start
  Configuring a Standalone Deployment
  Configuring a Distributed Deployment
  Enabling SecureXL

4 Installing SmartConsole

5 Upgrading to R70
  Overview of the Upgrade Process
  Obtaining the Software
  Upgrading Security Platforms
  Installing HotFix Accumulators on Flash-based Platforms
  Reverting to Previous Check Point Versions

6 Limitations
  Managing Packages Page Shows Blank Row
  Wrapper Package is Not Automatically Deleted
  SecureXL Acceleration Stops After Failover
  ISP Redundancy Not Supported in Clusters
  Overlapping NAT Does Not Work
  Enabling IPv6 Interfaces Requires a Reboot
  Misleading Firewall Error Message
  Firewall Drops Large ICMP Packets
  VPN Traffic Handled By a Single Instance
  Error Message When Deleting Packages
  Disabling Blocked Non-MD5 Authenticated OSPF Connections Fails
  RTM Fails with CoreXL Enabled
  Nokia Horizon Manager is not Supported
  SecureClient Fails with Remote Access
  Configuring Visitor Mode with IP Clustering

About This Guide

This guide describes how to install, initially configure, and upgrade to Check Point R70 on a Nokia IP security platform. This guide is not intended to be a complete guide to configuring or managing Check Point services. For information about these subjects, see the Check Point Getting Started Guide and additional documentation available from the Check Point Web site.

This preface provides the following information:
  In This Guide
  Conventions This Guide Uses
  Related Documentation

In This Guide

This guide is organized into the following chapters:
  Chapter 1, Preparing for Installation and Configuration, provides an overview of the installation process and describes how to prepare to install and configure R70.
  Chapter 2, Installing Check Point R70, describes how to use Nokia Network Voyager or the newpkg IPSO command to install the Check Point applications on your platform.
  Chapt