Network Management

This chapter includes configuration procedures and examples for network management.

Network Interfaces

Gaia supports these network interface types:

• Ethernet physical interfaces.
• Alias (Secondary IP addresses for different interface types).
• VLAN
• Bond
• Bridge
• Loopback
• 6in4 tunnel
• PPPoE

Interface Link Status

You can see the status of physical and logical interfaces by using the WebUI or the CLI.

To see interface status using the WebUI:

1. In the navigation tree, select Network Management > Network Interfaces.

   

2. Double-click an interface to see its parameters.

To see interface status using the CLI, run show interfaces all

Physical Interfaces

This section has configuration procedures and examples for defining different types of interfaces on a Gaia platform.

Gaia automatically identifies physical interfaces (NICs) installed on the computer. You cannot add or delete a physical interface using the WebUI or the CLI. You cannot add, change or remove physical interface cards while the Gaia computer is running.

To add or remove an interface card:

1. Turn off the computer.
2. Add, remove or replace the interface cards.
3. Start the computer.

Gaia automatically identifies the new or changed physical interfaces and assigns an interface name. The physical interfaces show in the list in the WebUI.

Configuring Physical Interfaces - WebUI

This section includes procedures for changing physical interface parameters using the WebUI.

To configure a physical interface:

1. In the navigation tree, select Network Management > Network Interfaces.
2. Select an interface from the list and click Edit.
3. Select the Enable option to set the interface status to UP.
4. On the IPv4 tab:
   • Select Obtain IPv4 address automatically to get the IP address from the DHCP server.

     Or

   • Enter the IP address and subnet mask in the applicable fields.
5. On the IPv6 tab:
   • Select Obtain IPv6 address automatically to get the IP address from the DHCP server.

     Or

   • Enter the IP address and mask length in the applicable fields.
6. On the Ethernet tab configure the link speed and duplex setting:
   • Select Auto Negotiation to automatically configure the link speed and duplex setting.

     Or

   • Select a link speed and duplex setting from the list.
7. Enter the hardware MAC address (if not automatically received from the NIC).

   Caution: Do not manually change the MAC address unless you are sure that it is incorrect or has changed. An incorrect MAC address can lead to a communication failure.

8. Enter a different Maximum Transmission Unit (MTU) value (minimum value=68 - default=1500).

Configuring Physical Interfaces - CLI (interface)

set interface <IF> 

   ipv4-address <IP>
       mask-length <Mask>

       subnet-mask <Mask>

   ipv6-address <IP> mask-length <Mask>

   ipv6-autoconfig <on | off>

   comments <Text>

   mac-addr <MAC>

   mtu <MTU setting>

   state <on | off>

   link-speed <Speed_Duplex>

   auto-negotiation <on | off>

show interfaces all

interface

<IP>

<IF>

<Mask>

<MAC>

<MTU Setting>

<Speed_Duplex>

set interface eth2 ipv4-address 40.40.40.1 subnet-mask 255.255.255.0

set interface eth2 mtu 1500
set interface eth2 state on

set interface eth2 link-speed 1000M/full

Aliases

Interface aliases let you assign more than one IPv4 address to physical or virtual interfaces (bonds, bridges, VLANS and loopbacks). This section shows you how to configure an alias using the WebUI and the CLI.

Configuration using the WebUI

To configure an interface alias using the WebUI:

1. In the navigation tree, select Interface Management > Network Interfaces.
2. Click Add > Alias. To change an existing alias interface, select an interface and then click Edit.
3. In the Add (or Edit) Alias window, select Enable to set the alias interface status to UP.
4. On the IPv4 tab, enter the IPv4 address and subnet mask.
5. On the Alias tab, select the interface to which this alias is assigned.
   You cannot change the interface for an existing alias definition.

The new alias interface name is automatically created by adding a sequence number to the interface name. For example, the name of first alias added to eth1 is eth1:0. She second alias added is eth1:1, and so on.

To delete an interface alias:

1. In the navigation tree, select Interface Management > Network Interfaces.
2. Select an interface alias and click Delete.
3. When the confirmation message shows, click OK

Configuring Aliases - CLI (interface)

add interface <IF> alias <IP>/<Mask>

delete interface <IF> alias <Alias IF>

add interface eth1 alias 10.10.99.1/24

delete interface eth1 alias eth1:2

VLAN Interfaces

You can configure virtual LAN (VLAN) interfaces on Ethernet interfaces. VLAN interfaces let you configure subnets with a secure private link to gateways and management servers using your existing topology. With VLAN interfaces, you can multiplex Ethernet traffic into many channels using one cable.

This section shows you how to configure VLAN interfaces using the WebUI and the CLI.

Configuring VLAN Interfaces - WebUI

To configure a VLAN interface using the WebUI:

1. In the WebUI navigation tree, select Interface Management > Network Interfaces.
2. Click Add > VLAN. To change an existing VLAN interface, select an interface and then click Edit.
3. In the Add (or Edit) VLAN window, select the Enable option to set the VLAN interface to UP.
4. IPv4 and IPv6 tabs, enter the IP addresses and subnet information as necessary. You can optionally select the Obtain IP Address automatically option.
5. On the VLAN tab, enter or select a VLAN ID (VLAN tag) between 2 and 4094.

   

6. In the Member Of field, select the physical interface related to this VLAN.

Configuration Using the CLI

This section is a reference for the VLAN interface commands.

add interface <IF> vlan <VLAN ID>

set interface <IF> <VLAN ID>

   ipv4-address <IP> mask-length <Length>|subnet-mask<Mask>

   ipv6-address <IP> mask-length <Length>

   ipv6-autoconfig

delete interface <IF> vlan <VLAN ID>

add interface vlan eth1

set interface eth1.99 ipv4-address 99.99.99.1 subnet-mask 255.255.255.0

set interface eth1.99 ipv6-address 209:99:1 mask-length 64 

delete interface eth1 vlan 99

CLI Procedures

To add a new VLAN interface:

Run add interface <IF Name> vlan <VLAN ID>

• <IF Name> - Physical interface associated with this VLAN
• <VLAN ID> - VLAN ID (VLAN tag)

Example:

add interface eth1 vlan 10

To add IP addresses to a VLAN interface:

Run:
set interface <IF Name>.<VLAN ID> ipv4-address <IPv4 Address> [ipv6-address <IPv6 Address>]

• <IF Name> - Physical interface associated with this VLAN
• <VLAN ID> - VLAN ID (VLAN tag)
• <IPv4 Address> - Interface IPv4 address and the subnet in CIDR notation (xxx.xxx.xxx.xxx/xx)
• <IPv6-address> - Interface IPv6 address and the prefix (only if you are using IPv6)

Examples:

set interface eth1.99 ipv4-address 99.99.99.1 subnet-mask 255.255.255.0

set interface eth1.99 ipv6-address 209:99:1 mask-length 64 

To delete a VLAN Interface:

Run:
delete interface <IF Name> vlan <VLAN ID>

Example:
delete interface eth1 vlan 10

Bond Interfaces (Link Aggregation)

Check Point security devices support Link Aggregation, a technology that joins multiple physical interfaces into one virtual interface, known as a bond interface. The bond interface gives fault tolerance and increases throughput by sharing the load among many interfaces. Check Point devices support the IEEE 802.3ad Link Aggregation Control Protocol (LCAP) for dynamic link aggregation.

A bond interface (also known as a bonding group or bond) is identified by its Bond ID (for example: bond1) and is assigned an IP address. The physical interfaces included in the bond are called slaves and do not have IP addresses.

You can define bond interfaces using one of these functional strategies:

• High Availability (Active/Backup): Gives redundancy when there is an interface or link failure. This strategy also supports switch redundancy. You can configure High Availability to work one of in these modes:
  • Round Robin - Selects the active slave interface sequentially.
  • Active/Backup - If the active slave interface goes down, the connection automatically fails over to the primary slave interface. If the primary slave interface is not available, the connection fails over to a different slave.
• Load Sharing (Active/Active): Slave interfaces are active simultaneously. Traffic is distributed among the slave interfaces to maximize throughput. Load Sharing does not support switch redundancy. You can configure load sharing using one of these modes:
  • Round Robin - Selects the active slave interface sequentially.
  • 802.3ad - Dynamically uses active slaves to share the traffic load using the LACP protocol. This protocol enables full interface monitoring between the gateway and a switch.
  • XOR - Selects the algorithm for slave selection according to the TCP/IP layer.

Configuring Bond Interfaces - WebUI

To configure a bond interface using the WebUI:

1. Make sure that the slave interfaces do not have IP addresses.
2. On the WebUI Network Interfaces page, click Enable.
3. For a new bond interface, select Add > Bond. For an existing Bond interface, double-click the bond interface.
4. Select the Enable option to activate the bond interface.
5. On the Ipv4 and IPv6 tabs (optional), enter the IP address information.
6. On the Bond tab, select or enter a Bond Group name. This parameter is an integer between 1 and 1024.
7. Select slave interfaces from the Available Interfaces list and then click Add.
8. Select an Operation Mode (Round Robin is the default).
9. On the Advanced tab, select a Link Monitoring option and its frequency in milliseconds:
   • Media Monitoring Interval - This sets the frequency of requests sent to the Media Independent Interface (MMI) to confirm that a slave interface is up. The valid range is 1-5000 ms and the default is 100 ms.
   • ARP Monitoring - This defines the frequency of ARP requests sent to confirm that a slave interface is up. ARP requests are sent to as many as five external MAC addresses.

   

10. Select the UP and Down intervals in milliseconds. This parameter defines the waiting time, in milliseconds, to confirm the slave interface status before taking the specified action.
11. Select the Primary Interface (for Active/Backup bonds only).
12. Select the Transmit Hash Policy (XOR only). This parameter selects the algorithm for slave selection according to the specified TCP/IP layer.
13. Select the LACP Rate. This parameter sets the LACPDU packet transmission rate.

Configuring Bond Interfaces - CLI

When using the CLI, bond interfaces are known as bonding groups.

When using the CLI to create a bond interface, do these procedures in order:

1. Create the bond interface.
2. Define the slave interfaces and set them to the UP (on) State.
3. Define the bond operating mode.
4. Define other bond parameters as necessary.
5. Make sure that the bond interface is working correctly.

Link Aggregation - CLI (bonding)

This section is a quick reference for link aggregation commands. The next sections include procedures for different tasks, including explanations of the configuration options.

add bonding group <Bond ID> interface <Slave>

delete bonding group <Bond ID> interface <Slave>

set bonding group <Bond ID>

   primary VALUE

   mii-interval VALUE 

   up-delay VALUE 

   down-delay VALUE 

   arp-polling-interval VALUE 

   mode VALUE

   lacp-rate VALUE 

   xmit-hash-policy VALUE 

show bonding group <Bond ID>
show bonding groups

<Bond ID>

<Slave>

set bonding group 666 20 eth2

show bonding groups

Bonding Interface: 20

    Bond Configuration

        xmit_hash_policy Not configured

        down-delay 200

        primary Not configured

        mode round-robin

        up-delay 200

        mii-interval 100

        lacp_rate Not configured

        arp-polling-interval 0

        Bond Interfaces

            eth2

            eth3

Creating or Deleting a Bond Interface

To add a new bond interface:

Run add bonding group <Bond_id>.

<Bond ID> - Bond name (integer between 1 and 1024)

Example:

add bonding group 777

To delete a bond interface:

1. Make sure that you remove all slave interfaces from the bond.
2. Run delete bonding group <bond_id>.

   Important - After using CLI commands to add, configure or delete features, you must run the save config command. This makes sure that the new configuration settings remain after reboot.

Defining the Bond Operating Mode

You can define bond interfaces using one of these operating modes:

• Round Robin - Selects the active slave interface sequentially.
• Active/Backup - If the active slave interface goes down, the connection automatically fails over to the primary slave interface. If the primary slave interfaces is not available, the connection fails over to a different slave.
• 802.3ad - Dynamically uses active slaves to share the traffic load using the LACP protocol. This protocol enables full interface monitoring between the gateway and a switch.
• XOR - Selects the algorithm for slave selection according to the TCP/IP layer.

To define the bond operating mode:

Run set bonding group <Bond_id> mode <mode>.

• Bond ID - Bond name
• Mode - One of these key words:
  • round-robin (default)
  • active-backup
  • xor
  • 8023AD

Example:

set bonding group 777 mode round-robin

Defining Slave Interfaces

A bond interface typically contains between two and eight slave interfaces. This section shows how to add and remove a slave interface. The slave interface must not have IP addresses assigned to it.

To add a slave interface to a bond, run:

add bonding group <Bond ID> interface <IF Name>

• Bond ID - Bond name
• IF Name - Slave interface name

Example:

add bonding group 777 interface eth4

To delete a slave interface from a bond, run:

delete bonding group <Bond ID> interface <IF Name>

Example:

delete bonding group 777 interface eth4

Defining the Primary Slave Interface

When using the Active/Backup operating mode, the system automatically fails over to the primary slave interface, if available. If the primary interface is not available, the system fails over to a different slave interface. By default, the first slave interface that you define is the primary interface. You must define the slave interfaces and set the operating mode as Active/Backup before doing this procedure.

To define the primary slave interface, run:

set bonding group <Bond ID> primary <IF>

• Bond ID - Bond name
• IF - Interface name

Example

set bonding group 777 primary eth4

Defining the Media Monitoring Interval

This sets the frequency of requests sent to the Media Independent Interface (MMI) to confirm that a slave interface is up. The valid range is 1-5000 ms and the default is 100 ms.

To configure the MMI, run:

set bonding group <Bond ID> mii-interval <Interval>

• Bond ID - Bond name
• Interval - Frequency range (1-5000 ms default = 100 ms)

Example:

set bonding group 777 mii-interval 500

To disable MMI monitoring, run:

set bonding group <Bond ID> mii-interval 0

Defining the ARP monitoring interval

This defines the frequency of ARP requests sent to confirm that a slave interface is up. ARP requests are sent to as many as five external MAC addresses.

To configure the ARP interval, run:

set bonding group <Bond ID> arp-polling-interval <Interval>

• Bond ID - Bond name
• Interval - Frequency (1-5000 ms default = 100 ms)

Example:

Set bonding group 777 arp-polling-interval 500

To disable the ARP interval, run:

set bonding group <Bond ID> arp-polling-interval 0

Defining the UP and Down Delay Times

This parameter defines the waiting time, in milliseconds, to confirm the slave interface status before taking the specified action.

To configure the UP and Down delay times, run:

set bonding group <Bond ID> down-delay <Delay time>

set bonding group <Bond ID> up-delay <Delay time>

• Bond ID - Bond name
• Delay Time - Delay (0-5000 ms default = 200 ms)

Example:

set bonding group 777 down-delay 500

Defining Load Sharing Parameters

When using load sharing modes (XOR or 802.3ad), you can configure these parameters:

• LACP Rate - This parameter sets the LACPDU packet transmission rate.
• Transmit Hash Policy (802.3ad only) - This parameter selects the algorithm for slave selection according to the specified TCP/IP layer.

To set the LACP rate, run

set bonding group <Bond ID> lacp-rate [slow | fast]

• Bond ID - Bond name
• Fast - LACPDU packets sent every second
• Slow - LACPDU packets sent every 30 seconds

Example:

set bonding group 777 lacp-rate 

To set the Transmit Hash Policy, run:

set bonding group <Bond ID> xmit-hash-policy <layer>

• Bond ID - Bond name
• Layer - TCP/IP layer
  • layer2 - Uses XOR of the physical interface MAC address
  • layer3+4 - Uses upper layer protocol information

Example:

set bonding group 777 xmit-hash-policy layer2

Making Sure that Link Aggregation is Working

To make sure that a link aggregation is working for a specified bond interface, run this command from the expert mode:

cat /proc/net/bonding/<Bond ID>

Example with output:

cat /proc/net/bonding/bond666

Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008)

Bonding Mode: fault-tolerance (active-backup)

Primary Slave: None

Currently Active Slave: eth2

MII Status: up

MII Polling Interval (ms): 100

Up Delay (ms): 100

Down Delay (ms): 200

Slave Interface: eth2

MII Status: up

Link Failure Count: 2

Permanent HW addr: 00:50:56:94:11:de

Bridge Interfaces

Check Point security devices support bridge interfaces that implement native, Layer-2 bridging. Configuring an interface as a bridge lets network administrators deploy security devices in an existing topology without reconfiguring the existing IP routing scheme. This is an important advantage for large-scale, complex environments. Gaia does not support Spanning Tree Protocol (STP) bridges.

You configure Ethernet interfaces (including aggregated interfaces) on your Check Point security device to work like ports on a physical bridge. The interfaces then send traffic using Layer-2 addressing. You can configure some interfaces as bridge interfaces, while other interfaces on the same device work as layer-3 devices. Traffic between bridge interfaces is inspected at Layer-2. Traffic between two Layer-3 interfaces, or between a bridge interface and a Layer-3 interface is inspected at Layer-3.

This section shows you how to configure bridge interfaces using the WebUI and the CLI.

Configuring Bridge Interfaces - WebUI

To configure a bridge interface in the WebUI:

1. In the WebUI navigation tree, select Network Interfaces.
2. Click Add > Bridge, or select an interface and click Edit.

   The Add (or Edit) Bridge window opens.

3. On the Bridge tab, enter or select a Bridge Group ID (unique integer between 1 and 1024).
4. Select the interfaces from the Available Interfaces list and then click Add.
5. Click the IPv4 or IPv6 tabs, and then enter the IP addresses and subnet.

   Or click Obtain IP Address automatically.

6. Click OK.

bridging group commands

This is a quick reference for bridge interface commands.

add bridging group <Group Name> [interface <interface>]

delete bridging group <Group Name> interface <interface>

show bridging group <Group Name>

<Group Name>

<interface>

add bridging group 56 interface eth1

Using the CLI

Bridge interfaces are known as Bridging Groups in Gaia clish commands. You can optionally assign an IPv4 or IPv6 address to a bridge interface.

To create a new bridge group:

Run:
> add bridging group <Group Name>

<Group Name> - Bridging Group name (unique integer between 0 and 1024)

To add an interface to the bridge group:

Run:
> add bridging group <Group Name> interface <interface>

<interface> - Physical interface name

Run this command once for each physical interface included in the bridge interface.

To delete an interface from the bridge group:

Run:
> delete bridging group <Group Name> interface <IF>.

Run this command once for each physical interface included in the bridge interface.

To delete a bridge group:

Run:
> delete bridging group <Group Name>.

To add or change a bridge interface IP address:

• For an IPv4 IP address, run
  > set interface <interface> ipv4-address <IP> subnet-mask <Mask>.
• For an IPv6 IP address, run
  > set interface <interface> ipv6-address <IP> mask-length <Prefix>.

  <interface> - Interface name

  <IP> - IP address - IPv4 or IPv6 as required

  <Mask> - IPv4 subnet mask in dotted decimal format

  <Prefix> - IPv6 prefix length

  Example:

  set interface eth 1 ipv6-address 3000:40::1 mask-length 64

Loopback Interfaces

You can define a virtual loopback interface by assigning an IPv4 or IPv6 address to the lo (local) interface. This can be useful for testing purposes or as a proxy interface for an unnumbered interface. This section shows you how to configure a loopback interface using the WebUI and the CLI.

Configuring Loopback Interfaces - WebUI

To configure a loopback interface using the WebUI:

1. In the navigation tree, select Interface Management > Network Interfaces.
2. Click Add > Alias. To change an existing loopback interface, select an interface and then click Edit.
3. In the Add (or Edit) window, select Enable to set the loopback interface status to UP.
4. On the IPv4 tab, enter the IPv4 address and subnet mask.
5. On the IPv6 tab, enter the IPv6 address and mask length.

The new loopback interface name is automatically created by adding a sequence number to the string 'loop'. For example, the name of first loopback interface is loop00. She second loopback interface is loop01, and so on.

To delete an interface alias:

1. In the navigation tree, select Interface Management > Network Interfaces.
2. Select an alias interface and click Delete.
3. When the confirmation message shows, click OK

Configuring Loopback Interfaces - CLI (interface)

add interface lo loopback <IP>/<Mask>

delete interface lo loopback <IF>

add interface lo loopback 10.10.99.1/24

add interface lo loopback 2010:10:99::1/64

delete interface lo loopback loop01

VPN Tunnel Interfaces

Virtual Tunnel Interface. A virtual interface that is a member of an existing, Route Based, VPN tunnel. Each peer Security Gateway has one VTI that connects to the tunnel.

The VPN tunnel and its properties are defined by the VPN community that contains the two gateways. You must define the VPN community and its member Security Gateways before you can create a VTI. To learn more about Route Based VPN, see Route Based VPN in the R76 VPN Administration Guide.

The procedure for configuring a VTI includes these steps:

1. Make sure that the VPN Software Blade is enabled and licensed on the applicable Security Gateways.
2. Create and configure the Security Gateways.
3. Define a VPN community in SmartDashboard that includes the two peer Security Gateways.
4. Make Route Based VPN the default option. Do this procedure one time for each Security Management Server.
5. Define the VTI using the WebUI or CLI.
6. Define Route Based VPN Rules.
7. Save the configuration and install the policy.

Defining the VPN Community

You must define the VPN Community and add the member Security Gateways to it before you configure a VPN Tunnel Interface. This section includes the basic procedure for defining a Site to Site VPN Community. To learn more about VPN communities and their definition procedures, see the R76 VPN Administration Guide.

To define a VPN Community for Site to Site VPN:

1. In SmartDashboard, click the VPN Communities tab in the navigation tree.
2. Right-click Site To Site and select New Site To Site > Meshed or Star.
3. In the Community Properties window General tab, enter the VPN community name.
4. Select Accept all encrypted traffic.

   This option automatically adds a rule to encrypt all traffic between gateways in a VPN community.

5. On the Participating Gateways tab, select member gateways from the list.

   For star communities, use the Center Gateways and Satellite Gateways tabs to do this.

6. Configure other community parameters as necessary.
7. Save your configuration to the database.

Making Route Based VPN the Default Option

When Domain Based VPN and Route Based VPN are defined for a Security Gateway, Domain Based VPN is active by default. You must do two short procedures to make sure that Route Based VPN is always active.

The first procedure defines an empty encryption domain group for your peer gateways. You do this step one time for each Security Management Server. The second step is to make Route Based VPN the default option for all Security Gateways.

To Define an empty group:

1. In the SmartDashboard navigation tree, right-click Groups and then select Groups > Simple Group.
2. In the Group Properties window, enter a group name in the applicable field.
   Do not add members to this group.

To make Route Based VPN the default choice:

1. In SmartDashboard, double-click the applicable Security Gateway.
2. In the Gateway window, click Topology.
3. In the VPN Domain section, select Manually define and then select the empty group.

Do these steps for each Security Gateway.

Configuring VPN Tunnel Interfaces

You can configure the VPN Tunnel Interfaces using Gaia WebUI or CLI.

Configuring VPN Tunnel Interfaces - WebUI

This section shows you how to configure a VPN Tunnel interface using the WebUI.

To configure a VPN Tunnel Interface:

1. In the Gaia WebUI, select Interface Management > Network Interfaces.
2. Click Add > VPN Tunnel to create a new interface.
   Double-click an existing VTI to change its parameters.
3. In the Add/Edit window, configure these parameters:
   • VPN Tunnel ID - Unique tunnel name (integer from 1 to 99)
     Gaia automatically adds the prefix 'vpnt' to the tunnel name.
   • Remote Peer Name- Remote peer name as defined in the VPN community. You must define the two peers in the VPN community before you can define the VTI. The Peer ID is an alpha-numeric character string.
   • VPN Tunnel Type - Select Numbered or Unnumbered.
   • Local Address - Defines the local peer IPv4 address (numbered VTI only).
   • Remote Address - Defines the remote peer IPv4 address (numbered VTI only).
   • Physical Device - Local peer interface name (unnumbered VTI only).

Configuring VPN Tunnel Interfaces - CLI (vpn tunnel)

This section shows the CLI commands used to add or delete VPN Tunnel Interfaces.

CLI Configuration Procedures for VPN Tunnel Interfaces

To add a numbered VPN Tunnel Interface:

Run:

add vpn tunnel <Tunnel ID> type numbered local <Local IP> remote <Remote IP>
peer <Peer ID>

• <Tunnel ID> - Unique tunnel name (integer from 1 to 99)
  Gaia automatically adds the prefix 'vpnt' to the tunnel name
• type numbered - Defines a numbered VTI that uses a specified, static IPv4 addresses for local and remote connections
• local <Local IP> - Local peer IPv4 address (numbered VTI only) in dotted decimal format
• remote <Remote IP> - Remote peer IPv4 address (numbered VTI only) in dotted decimal format
• peer <Peer ID> - Remote peer name as defined in the VPN community. You must define the two peers in the VPN community before you can define the VTI. The Peer ID is an alpha-numeric character string.

To add an unnumbered VPN Tunnel Interface:

Run:

add vpn tunnel <Tunnel ID> type unnumbered local peer <Peer ID>

• <Tunnel ID> - Unique tunnel name (integer from 1 to 99)
  Gaia automatically adds the prefix 'vpnt' to the tunnel name
• type unnumbered - Defines an unnumbered VTI that uses the interface and the remote peer name to get addresses
• peer <Peer ID> - Remote peer name as defined in the VPN community. You must define the two peers in the VPN community before you can define the VTI. The Peer ID is an alpha-numeric character string.
• dev <IF> - Local peer interface name (unnumbered VTI only)

To Delete a VPN Tunnel Interface

Run:

delete vpn tunnel <Tunnel ID>

• <Tunnel ID> - Unique tunnel name (integer from 1 to 99)
  Gaia automatically adds the prefix 'vpnt' to the tunnel name

Defining VPN Rules

To make sure that your security rules work correctly with Route Based VPN traffic, you must add directional matching conditions and allow OSPF traffic. This section includes procedures for configuring security rules to do this.

Defining Directional Matching VPN Rules

This section contains the procedure for defining directional matching rules. Directional matching is necessary for Route Based VPN when a VPN community is included in the VPN column in the rule. This is because without bi-directional matching, the rule only applies to connections between a community and an encryption domain (Domain Based Routing).

The directional rule must contain these directional matching conditions:

• Community > Community
• Community > Internal_Clear
• Internal_Clear > Community

MyIntranet is the name of a VPN Community. Internal_Clear refers to all traffic from IP addresses to and from the specified VPN community.

To enable VPN directional matching:

1. In SmartDashboard, go to Policy > Global Properties > VPN > Advanced.
2. Select the Enable VPN Directional Match in VPN Column option.
3. In SmartDashboard, double-click each member gateway and go to the Topology page.
   1. Click Get > Interfaces with Topology to update the topology, to include the newly defined VTIs.
   2. Click Accept.

To define a VPN directional matching rule:

1. Double-click the VPN cell in the applicable rule.
2. In the VPN Match Conditions window, select Match traffic in this direction only.
3. Click Add to define sets of matching conditions.
4. In the Direction VPN Match Condition window, select the source and destination matching conditions.

   Do this step for each set of matching conditions.

Defining Rules to Allow OSPF Traffic

One advantage of Route Based VPN is the fact that you can use dynamic routing protocols to distribute routing information between Security Gateways. The OSPF (Open Shortest Path First) protocol is commonly used with VTIs. This section shows you how to allow OSPF traffic in a VPN community.

To learn about configuring OSPF, see the R76 Gaia Advanced Routing Administration Guide.

To Allow OSPF traffic for a VPN Community:

1. Using the Gaia WebUI or CLI, add the applicable VPN Tunnel Interfaces to the OSPF configuration page.
2. In SmartDashboard, add a rule that allows traffic to the VPN community (or all communities) using the OSPF service.

Completing the VTI Configuration

You must save your configuration to the database and install policies to the Security Gateways before the VPN can be fully functional.

To complete the VTI configuration:

1. Save the configuration to the database.
2. Install the policy to the gateways.
3. Make sure that the VTI tunnel and the rules are working correctly.

ARP

The Address Resolution Protocol (ARP) allows a host to find the physical address of a target host on the same physical network using only the target’s IP address. ARP is a low-level protocol that hides the underlying network physical addressing and permits assignment of an arbitrary IP address to every machine. ARP is considered part of the physical network system and not as part of the Internet protocols.

Configuring ARP- WebUI

To show dynamic ARP entries

1. In the WebUI, go to the Interface Management > ARP page.
2. If you are in the Static Arp topic, click Related Topics: Dynamic ARP

To show static ARP entries

1. In the WebUI, go to the Interface Management > ARP page.
2. If you are in the Dynamic Arp topic, click Related Topics: Static ARP

To change Static and dynamic ARP parameters

1. In the WebUI, go to the Interface Management > ARP page.
2. If you are in the Dynamic Arp topic, click Related Topics: Static ARP
3. In the ARP Table Settings section:
   1. Enter the Maximum Entries. This is the maximum number of entries in the arp cache.
      
      Default: 1024, Range: 1024-16384
   2. Enter the Validity Timeout. This is the time, in seconds, to keep resolved dynamic ARP entries. If the entry is not referred to and is not used by traffic before the time elapses, it is deleted. Otherwise, a request will be sent to verify the MAC address.
      
      Default: 60 (seconds), Range: 60-86400 (24 hours)

To add a static ARP entry

1. In the WebUI, go to the Interface Management > ARP page.
2. If you are in the Dynamic Arp topic, click Related Topics: Static ARP
3. Click Add.
4. Enter the IP Address of the static ARP entry and the MAC Address used when forwarding packets to the IP address.
5. Click OK.

To delete a Static ARP entry

1. In the WebUI, go to the Interface Management > ARP page.
2. If you are in the Dynamic Arp topic, click Related Topics: Static ARP
3. Select a Static ARP entry
4. Click Remove.

To flush all dynamic ARP entries

1. In the WebUI, go to the Interface Management > ARP page.
2. If you are in the Static Arp topic, click Related Topics: Dynamic ARP
3. Click Flush All.

Configuring ARP - CLI (arp)

add arp static ipv4-address VALUE macaddress VALUE

delete arp dynamic all

delete arp static ipv4-address VALUE

set arp table validity-timeout VALUE

set arp table cache-size VALUE

show arp dynamic all

show arp static all

show arp table validity-timeout

show arp table cache-size

static

dynamic 

ipv4-address 

macaddress 

table validity-timeout

table cache-size

DHCP Server

You can configure the Gaia device to be a Dynamic Host Configuration Protocol (DHCP) server. The DHCP server allocates IP addresses and other network parameters to network hosts. DHCP makes it unnecessary to configure each host manually, and therefore reduces configuration errors.

You configure DHCP server subnets on the Gaia device interfaces. A DHCP subnet allocates these network parameters to hosts behind the Gaia interface:

• IPv4 address
• Default Gateway (optional)
• DNS parameters (optional):
  • Domain name
  • Primary, secondary and tertiary DNS server

This is the general workflow for allocating DHCP parameters to hosts (for the details, see the next section):

1. To define a DHCP subnet on a Gaia device interface:
   1. Enable DHCP on the Gaia network interface.
   2. Define the network IPv4 address of the subnet on the interface.
   3. Define an IPv4 address pool.
   4. Optional: Define routing and DNS parameters for hosts.
2. Define additional DHCP subnets on other Gaia interfaces, as needed.
3. Enable the DHCP server process.
4. Configure the network hosts to use the DHCP server.

Configuring a DHCP Server- WebUI

To allocate DHCP parameters to hosts

1. In the tree view, click Interface Management > DHCP Server.
2. In the DHCP Server Subnet Configuration section, click Add.

   The Add DHCP window opens. You now define a DHCP subnet on an Ethernet interface of the Gaia device. Hosts behind the Gaia interface get IPv4 addresses from address pools in the subnet.

3. Select Enable DHCP to enable DHCP for the subnet.
4. In the Subnet tab, enter the Network IP Address of the interface. Click Get from interface to do this automatically.
5. Enter the Subnet mask.
6. In the Address Pool section, click Add and define the range of IPv4 addresses that the server will assign to hosts.
7. Optional: Define a Default Lease in seconds, for host IPv4 addresses. This is applied only if clients do not request a unique lease time. If you do not enter a value, the configuration default is 43,200 seconds.
8. Optional: Define a Maximum Lease in seconds, for host IPv4 addresses. This is the longest lease available. If you do not enter a value, the configuration default is 86,400 seconds.
9. Optional: Click the Routing & DNS tab to define routing and DNS parameters for hosts:
   • Default Gateway. The IPv4 address of the default gateway for the network hosts
   • Domain Name. The domain name of the network hosts. For example, example.com.
   • Primary DNS Server. The DNS server that the network hosts use to resolve hostnames.
   • Secondary DNS Server. The DNS server that the network hosts use to resolve hostnames if the primary server does not respond.
   • Tertiary DNS Server. The DNS server that the network hosts use to resolve hostnames if the primary and secondary servers do not respond.
10. Click OK.
11. Optional: Define DHCP subnets on other Gaia interfaces, as needed.
12. In the main DHCP Server page, select Enable DHCP Server.
13. Click Apply.

The DHCP server on Gaia is now configured and enabled.

You can now configure your network hosts to get their network parameters from the DHCP server on Gaia.

Configuring a DHCP Server - CLI (dhcp)

add dhcp server subnet VALUE 

	netmask VALUE

	include-ip-pool start VALUE end VALUE

	exclude-ip-pool start VALUE end VALUE

set dhcp server subnet VALUE 

	enable

	disable

	include-ip-pool VALUE enable

	include-ip-pool VALUE disable

	exclude-ip-pool VALUE enable

	exclude-ip-pool VALUE disable

	default-lease VALUE

	max-lease VALUE

	default-gateway VALUE

	domain VALUE

	dns VALUE

delete dhcp server subnet VALUE 

	exclude-ip-pool VALUE

	include-ip-pool VALUE

set dhcp server 

	disable

	enable

show dhcp server 

	all

	status

	subnet VALUE ip-pools

	subnets

DHCP Server Enabled

DHCP-Subnet 192.0.2.0

    State           Enabled

    Net-Mask        24

    Maximum-Lease   86400

    Default-Lease   43200

    Domain          example.com

    Default Gateway 192.0.2.103

    DNS             192.0.2.101, 192.0.2.102, 192.0.2.103

    Pools (Include List)

        192.0.2.20-192.0.2.90           : enabled

        192.0.2.120-192.0.2.150         : disabled

    Pools (Exclude List)

        192.0.2.155-192.0.2.254         : enabled

DHCP-Subnet 192.0.2.155

    State           Disabled

    Net-Mask        24

    Maximum-Lease   86400

    Default-Lease   43200

    Pools (Include List)

        192.0.2.10-192.0.2.99           : enabled

DHCP-Subnet 192.0.2.200

    State           Disabled

    Net-Mask        24

    Maximum-Lease   86400

    Default-Lease   43200

Hosts and DNS

Host Name

You set the host name (system name) during initial configuration. You can change the name.

Configuring Host Name - WebUI

To show the host name

The host name is in the header of the WebUI.

To change the host name

1. Open the Interface Management > Host and DNS page.
2. In the System Name section, enter the
   • Host Name. The network name of the Gaia device.
   • Domain Name (optional). For example, example.com.

Configuring Host Name - CLI (hostname)

set hostname VALUE

show hostname