
Configuring a Single VSX Gateway in Monitor Mode

Workflow:

Note - This procedure applies to both Check Point Appliances and Open Servers.

  1. Install the VSX Gateway.
  2. Configure the Monitor Mode interface - in Gaia Portal, or Gaia Clish.
  3. Configure the VSX Gateway to process packets that arrive in the wrong order.
  4. Configure the VSX Gateway object in SmartConsole.
  5. Configure the Virtual System (and other Virtual Devices) in SmartConsole.
  6. Configure the required Global Properties for the Virtual System in SmartConsole.
  7. Configure the required Access Control policy for the Virtual System in SmartConsole.
  8. Make sure the VSX Gateway enabled the Monitor Mode for Software Blades.
  9. Connect the VSX Gateway to the switch.

Step 1 of 9: Install the VSX Gateway

Important - Make sure the VSX Gateway has enough physical interfaces.

1. Install the Gaia Operating System.

2. Run the Gaia First Time Configuration Wizard.

3. During the First Time Configuration Wizard, you must configure these settings:

  • In the Management Connection window, select the interface through which you connect to the Gaia operating system. This must be a different physical interface from the one you later put in Monitor Mode, because the Monitor Mode interface has no IP address.
  • In the Internet Connection window, do not configure IP addresses.
  • In the Installation Type window, select Security Gateway and/or Security Management.
  • In the Products window:
    1. In the Products section, select Security Gateway only.
    2. In the Clustering section, clear the Unit is a part of a cluster, type option.
  • In the Dynamically Assigned IP window, select No.
  • In the Secure Internal Communication window, enter the desired Activation Key (between 4 and 127 characters long).

Step 2 of 9: Configure the Monitor Mode interface in Gaia Portal

1. In your web browser, connect to the Gaia Portal on the Security Gateway.

2. In the left navigation tree, click Network Management > Network Interfaces.

3. Select the applicable physical interface from the list and click Edit.

4. Select the Enable option to set the interface status to UP.

5. In the Comment field, enter the applicable comment text (up to 100 characters).

6. On the IPv4 tab, select Use the following IPv4 address, but do not enter an IPv4 address.

7. On the IPv6 tab, select Use the following IPv6 address, but do not enter an IPv6 address.

Important - This setting is available only after you enable the IPv6 Support in Gaia and reboot.

8. On the Ethernet tab:

  • Select Auto Negotiation, or select a link speed and duplex setting from the list.
  • In the Hardware Address field, enter the Hardware MAC address (if not automatically received from the NIC).

    Caution: Do not manually change the MAC address unless you are sure that it is incorrect or has changed. An incorrect MAC address can lead to a communication failure.

  • In the MTU field, enter the applicable Maximum Transmission Unit (MTU) value (minimal value is 68, maximal value is 16000, and default value is 1500).
  • Select Monitor Mode.

9. Click OK.

Step 2 of 9: Configure the Monitor Mode interface in Gaia Clish

1. Connect to the command line on the Security Gateway.

2. Log in to Gaia Clish.

3. Examine the configuration and state of the applicable physical interface:

show interface <Name of Physical Interface>

4. If the applicable physical interface has an IP address assigned to it, remove it:

delete interface <Name of Physical Interface> ipv4-address

delete interface <Name of Physical Interface> ipv6-address

5. Enable the Monitor Mode on the physical interface:

set interface <Name of Physical Interface> monitor-mode on

6. Configure other applicable settings on the Monitor Mode interface (each setting is a separate command):

set interface <Name of Physical Interface> auto-negotiation {on | off}

set interface <Name of Physical Interface> comments "Text"

set interface <Name of Physical Interface> link-speed {10M/half | 10M/full | 100M/half | 100M/full | 1000M/full}

set interface <Name of Physical Interface> mtu <68-16000 | 1280-16000>

set interface <Name of Physical Interface> rx-ringsize <0-4096>

set interface <Name of Physical Interface> tx-ringsize <0-4096>

Note - The minimal MTU is 68 for an IPv4-only interface and 1280 when the IPv6 Support is enabled in Gaia.

7. Examine the configuration and state of the Monitor Mode interface:

show interface <Name of Physical Interface>

8. Save the configuration:

save config

Step 3 of 9: Configure the VSX Gateway to process packets that arrive in the wrong order

1. Connect to the command line on the Security Gateway.

2. Log in to the Expert mode.

3. Modify the $FWDIR/boot/modules/fwkern.conf file.

3A. Back up the current $FWDIR/boot/modules/fwkern.conf file:

cp -v $FWDIR/boot/modules/fwkern.conf{,_BKP}

Important - If this file does not exist, create it:

touch $FWDIR/boot/modules/fwkern.conf

3B. Edit the current $FWDIR/boot/modules/fwkern.conf file:

vi $FWDIR/boot/modules/fwkern.conf

Important - This configuration file does not support spaces or comments. Each parameter goes on its own line in the form name=value.

3C. Add this line to enable the Passive Streaming Layer (PSL) Tap Mode:

psl_tap_enable=1

3D. Add this line to enable the Firewall Tap Mode:

fw_tap_enable=1

3E. Save the changes in the file and exit the Vi editor.

4. Modify the $PPKDIR/conf/simkern.conf file.

4A. Back up the current $PPKDIR/conf/simkern.conf file:

cp -v $PPKDIR/conf/simkern.conf{,_BKP}

Important - If this file does not exist, create it:

touch $PPKDIR/conf/simkern.conf

4B. Edit the current $PPKDIR/conf/simkern.conf file:

vi $PPKDIR/conf/simkern.conf

Important - This configuration file does not support spaces or comments. Each parameter goes on its own line in the form name=value.

4C. Add this line to enable the Firewall Tap Mode:

fw_tap_enable=1

4D. Save the changes in the file and exit the Vi editor.

5. Reboot the Security Gateway.

6. Make sure the Security Gateway loaded the new configuration:

fw ctl get int psl_tap_enable

fw ctl get int fw_tap_enable

The output must show psl_tap_enable = 1 and fw_tap_enable = 1. If a parameter still shows 0, check the corresponding file for a misspelled name or a space around the = sign (such a line is not loaded), correct it, and reboot again.
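The edits in this step are easy to get subtly wrong by hand (a duplicated line, a stray space, or a backup that overwrites the original on a second attempt). As an added example, not code from the page or from Check Point, this POSIX shell script makes the same three changes idempotently and parses the fw ctl get int output after the reboot. The file paths and parameter names are the ones given above; the function names, the --apply and --verify options, and the "name = value" output format expected from fw ctl get int are my assumptions.

```shell
#!/bin/sh
# Added example (not Check Point code): set the Tap Mode kernel parameters in
# fwkern.conf / simkern.conf without duplicating lines, and check the value the
# kernel reports after the reboot. Both files hold one KEY=VALUE per line and
# accept neither spaces nor comments, so the setter refuses input that has them.
set -eu

# set_kern_param FILE KEY VALUE
# Creates FILE if needed, keeps a one-time FILE_BKP copy of the original,
# and replaces an existing KEY= line instead of appending a second one.
set_kern_param() {
    file=$1 key=$2 value=$3
    case "$key$value" in
        *[[:space:]#=]*)
            echo "set_kern_param: '$key=$value' contains a space, '#' or '=': not allowed in $file" >&2
            return 1 ;;
    esac
    if [ -f "$file" ]; then
        # back up the original once; later calls keep that first copy
        [ -f "${file}_BKP" ] || cp "$file" "${file}_BKP"
    else
        : > "$file"
    fi
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp)
        sed "s/^${key}=.*/${key}=${value}/" "$file" > "$tmp"
        cat "$tmp" > "$file"        # write in place so the file keeps its mode/owner
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# check_kern_param KEY EXPECTED [OUTPUT]
# Parses "KEY = VALUE" as printed by 'fw ctl get int KEY' (assumed format).
# OUTPUT is read from the running kernel unless supplied (supplied in offline tests).
check_kern_param() {
    key=$1 expected=$2
    out=${3:-$(fw ctl get int "$key" 2>/dev/null || true)}
    actual=$(printf '%s\n' "$out" | sed -n "s/^${key} = \([0-9-]*\).*/\1/p")
    [ "$actual" = "$expected" ]
}

# apply_tap_mode: the edits from Step 3, using the gateway's own $FWDIR/$PPKDIR.
# Not run automatically; invoke with:  sh tapmode.sh --apply   (then reboot)
apply_tap_mode() {
    set_kern_param "$FWDIR/boot/modules/fwkern.conf" psl_tap_enable 1
    set_kern_param "$FWDIR/boot/modules/fwkern.conf" fw_tap_enable 1
    set_kern_param "$PPKDIR/conf/simkern.conf" fw_tap_enable 1
}

# verify_tap_mode: run after the reboot (sh tapmode.sh --verify);
# exit status 0 only if both parameters are loaded with value 1.
verify_tap_mode() {
    check_kern_param psl_tap_enable 1 && check_kern_param fw_tap_enable 1
}

if [ "${1:-}" = "--apply" ]; then apply_tap_mode; fi
if [ "${1:-}" = "--verify" ]; then verify_tap_mode; fi
```

Run it from Expert mode, where $FWDIR and $PPKDIR are already set; the backup is taken only the first time a file is touched, so re-running --apply after a typo does not destroy the original.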

Step 4 of 9: Configure the VSX Gateway object in SmartConsole

1. Connect with SmartConsole to the Security Management Server or Main Domain Management Server that should manage this VSX Gateway.

2. From the left navigation panel, click Gateways & Servers.

3. Create a new VSX Gateway object in one of these ways:

  • From the top toolbar, click the New (Star icon) > VSX > Gateway.
  • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > VSX > New Gateway.
  • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > VSX > Gateway.

The VSX Gateway Wizard opens.

4. On the VSX Gateway General Properties (Specify the object's basic settings) page:

  1. In the Enter the VSX Gateway Name field, enter the desired name for this VSX Gateway object.
  2. In the Enter the VSX Gateway IPv4 field, enter the same IPv4 address that you configured on the Management Connection page of the VSX Gateway's First Time Configuration Wizard.
  3. In the Enter the VSX Gateway IPv6 field, enter the same IPv6 address that you configured on the Management Connection page of the VSX Gateway's First Time Configuration Wizard.
  4. In the Select the VSX Gateway Version field, select R80.20.
  5. Click Next.

5. On the Virtual Systems Creation Templates (Select the Creation Template most suitable for your VSX deployment) page:

  1. Select the applicable template.
  2. Click Next.

6A. On the VSX Gateway General Properties (Secure Internal Communication) page:

  1. In the Activation Key field, enter the same Activation Key you entered during the VSX Gateway's First Time Configuration Wizard.
  2. In the Confirm Activation Key field, enter the same Activation Key again.
  3. Click Initialize.
  4. Click Next.

6B. If the Trust State field does not show Trust established, perform these steps:

  1. Connect to the command line on the VSX Gateway.
  2. Make sure there is physical connectivity between the VSX Gateway and the Management Server (for example, pings pass).
  3. Run: cpconfig
  4. Enter the number of this option: Secure Internal Communication.
  5. Follow the instructions on the screen to change the Activation Key.
  6. On the VSX Gateway General Properties page, click Reset.
  7. Click Initialize.

7. On the VSX Gateway Interfaces (Physical Interfaces Usage) page:

  1. Examine the list of the interfaces - it must show all the physical interfaces on the VSX Gateway.
  2. If you plan to connect more than one Virtual System directly to the same physical interface, you must select VLAN Trunk for that physical interface.
  3. Click Next.

8. On the Virtual Network Device Configuration (Specify the object's basic settings) page:

  1. You can select Create a Virtual Network Device and configure the first desired Virtual Network Device (Virtual Switch or Virtual Router) at this time. We recommend doing this later.
  2. Click Next.

9. On the VSX Gateway Management (Specify the management access rules) page:

  1. Examine the default access rules.
  2. Select the applicable default access rules.
  3. Configure the applicable source objects, if needed.
  4. Click Next.

Important - These access rules apply only to the VSX Gateway itself (the context of VS0), which is not intended to pass any "production" traffic. The mirrored traffic is handled by the Virtual System you configure in Step 5.

10. On the VSX Gateway Creation Finalization page:

  1. Click Finish and wait for the operation to finish.
  2. Click View Report for more information.
  3. Click Close.

11. Examine the VSX configuration:

  1. Connect to the command line on the VSX Gateway.
  2. Log in to the Expert mode.
  3. Run: vsx stat -v

12. Install policy on the VSX Gateway object:

  1. Click Install Policy.
  2. In the Policy field, select the default policy for this VSX Gateway object.

    This policy is called: <Name of VSX Gateway object>_VSX.

  3. Click Install.

13. Examine the VSX configuration again:

  1. Connect to the command line on the VSX Gateway.
  2. Log in to the Expert mode.
  3. Run: vsx stat -v

Step 5 of 9: Configure the Virtual System (and other Virtual Devices) in SmartConsole

1. Connect with SmartConsole to the Security Management Server, or to each Target Domain Management Server that should manage each Virtual Device.

2. Configure the desired Virtual System (and other Virtual Devices) on this VSX Gateway.

When you configure this Virtual System, add the Monitor Mode interface as a regular interface. In the IPv4 Configuration section, enter a placeholder IPv4 address. The Monitor Mode interface only receives mirrored traffic and never sends from this address, but the Virtual System object requires one.

Important - This placeholder IPv4 address must not conflict with existing IPv4 addresses on your network.

3. Examine the VSX configuration.

  1. Connect to the command line on the VSX Gateway.
  2. Log in to the Expert mode.
  3. Run: vsx stat -v

4. Disable the Anti-Spoofing on the Monitor Mode interface (the mirrored traffic carries source addresses from every network the SPAN port sees, so topology-based Anti-Spoofing would drop it):

  1. In the SmartConsole, open the Virtual System object.
  2. Click the Topology page.
  3. Select the Monitor Mode interface and click Edit.

    The Interface Properties window opens.

  4. Click the General tab.
  5. In the Security Zone field, select None.
  6. Click the Topology tab.
  7. In the Topology section, make sure the settings are Internal (leads to the local network) and Not Defined.
  8. In the Anti-Spoofing section, clear Perform Anti-Spoofing based on interface topology.
  9. Click OK to close the Interface Properties window.
  10. Click OK to close the Virtual System Properties window.
  11. The Management Server pushes the VSX Configuration.

Step 6 of 9: Configure the required Global Properties for the Virtual System in SmartConsole

1. Connect with SmartConsole to the Security Management Server or Target Domain Management Server that manages this Virtual System.

2. In the top left corner, click Menu > Global properties.

3A. Click the Stateful Inspection pane.

3B. In the Default Session Timeouts section:

  1. Change the value of the TCP session timeout from the default 3600 to 60 seconds.
  2. Change the value of the TCP end timeout from the default 20 to 5 seconds.

3C. In the Out of state packets section, you must clear all the boxes.

Otherwise, the Virtual System drops the traffic as out of state. The Virtual System is not inline: it only receives a copy of the traffic from the SPAN port, so it may not see the start of a connection (for example, connections that were already open before the mirror was connected) and has no recorded state to match the packets against.

4A. Click the Advanced page > Configure button.

4B. Click FireWall-1 > Stateful Inspection.

4C. Clear reject_x11_in_any.

4D. Click OK to close the Advanced Configuration window.

5. Click OK to close the Global Properties window.

6. Publish the SmartConsole session.

Step 7 of 9: Configure the required Access Control policy for the Virtual System in SmartConsole

1. Connect with SmartConsole to the Security Management Server or Target Domain Management Server that manages this Virtual System.

2. From the left navigation panel, click Security Policies.

3. Create a new policy and configure the applicable layers:

  1. At the top, click the + tab (or press CTRL+T).
  2. On the Manage Policies tab, click Manage policies and layers.
  3. In the Manage policies and layers window, create a new policy and configure the applicable layers.
  4. Click Close.
  5. On the Manage Policies tab, click the new policy you created.

4. Create the Access Control rule that accepts all traffic:

  • Source - *Any
  • Destination - *Any
  • VPN - *Any
  • Services & Applications - *Any
  • Action - Accept
  • Install On - the Virtual System object that has the Monitor Mode interface

Note - The Virtual System does not forward any of the mirrored traffic, so this rule does not open a path through the gateway. It is needed so that the traffic reaches the Software Blades for inspection and logging instead of being dropped by the implied cleanup rule.

5. We recommend these Aggressive Aging settings for the most common TCP connections:

  1. In the SmartConsole, click Objects menu > Object Explorer.
  2. Open Services and select TCP.
  3. Search for the most common TCP connections in this network.
  4. Double-click the applicable TCP service.
  5. From the left tree, click Advanced.
  6. At the top, select Override default settings (on Domain Management Server, select Override global domain settings).
  7. Select Match for 'Any'.
  8. In the Aggressive aging section:

    Select Enable aggressive aging.

    Select Specific and enter 60.

  9. Click OK.
  10. Close the Object Explorer.

6. Publish the SmartConsole session.

7. Install the Access Control Policy on the Virtual System object.

  1. Click Install Policy.
  2. In the Policy field, select the applicable policy for this Virtual System object.
  3. Click Install.

8. Examine the VSX configuration.

  1. Connect to the command line on the VSX Gateway.
  2. Log in to the Expert mode.
  3. Run: vsx stat -v

Step 8 of 9: Make sure the VSX Gateway enabled the Monitor Mode for Software Blades

1. Connect to the command line on the VSX Gateway.

2. Log in to the Expert mode.

3. Switch to the context of the Virtual System that has the Monitor Mode interface, so that $FWDIR points at that Virtual System's directory and not at VS0:

vsenv <VSID>

4. Make sure the parameter fw_span_port_mode is part of the installed policy:

grep -A 3 -r fw_span_port_mode $FWDIR/state/local/*

The returned output must show :val (true). If nothing is returned, or the output shows :val (false), the policy installed on this Virtual System did not enable Monitor Mode for the Software Blades: verify that the interface is in Monitor Mode (Step 2) and is part of the Virtual System topology (Step 5), then install the Access Control policy again (Step 7).
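Checking this by eye for every Virtual System is error-prone, so here is an added example, not code from the page or from Check Point, that scripts the check above for a list of Virtual Systems. The grep pattern and the :val (true) test are taken from the procedure; the function names, the constructed state-file snippet used in testing, and the per-Virtual-System directory layout $FWDIR/CTX/CTX<5-digit VSID> (the directory vsenv switches $FWDIR to) are my assumptions and should be confirmed on your gateway.

```shell
#!/bin/sh
# Added example (not Check Point code): reads the fw_span_port_mode parameter
# out of the installed-policy state files of each Virtual System and reports
# true / false / missing, so the Step 8 check can be run for every VS at once.
set -eu

# vs_state_dir VSID BASE
# BASE is the VS0 $FWDIR. Assumed layout: VS0 keeps state/local under BASE,
# Virtual System N under BASE/CTX/CTX0000N (what 'vsenv N' sets $FWDIR to).
vs_state_dir() {
    vsid=$1 base=$2
    if [ "$vsid" -eq 0 ]; then
        echo "$base/state/local"
    else
        echo "$base/CTX/CTX$(printf '%05d' "$vsid")/state/local"
    fi
}

# span_port_mode_state DIR
# Same search as the procedure: the :val line follows the parameter name
# within the next 3 lines. Prints true, false or missing.
span_port_mode_state() {
    dir=$1
    block=$(grep -r -A 3 'fw_span_port_mode' "$dir" 2>/dev/null || true)
    if [ -z "$block" ]; then
        echo missing                       # parameter not in the installed policy
    elif printf '%s\n' "$block" | grep -q ':val (true)'; then
        echo true
    elif printf '%s\n' "$block" | grep -q ':val (false)'; then
        echo false
    else
        echo missing                       # name present but no readable :val
    fi
}

# check_all_vs BASE VSID...
# Prints one line per Virtual System; exit status 0 only if every one is true.
check_all_vs() {
    base=$1; shift
    rc=0
    for vsid in "$@"; do
        state=$(span_port_mode_state "$(vs_state_dir "$vsid" "$base")")
        echo "VS $vsid fw_span_port_mode: $state"
        [ "$state" = true ] || rc=1
    done
    return $rc
}

# Usage on the gateway, from Expert mode in the VS0 context:
#   sh span_check.sh 1 2 3        (the VSIDs shown by 'vsx stat -v')
if [ $# -gt 0 ]; then
    check_all_vs "$FWDIR" "$@"
fi
```

A Virtual System that reports false or missing has no Monitor Mode enabled for its Software Blades; fix its interface or topology and install its policy again before connecting the SPAN port.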

Step 9 of 9: Connect the VSX Gateway to the switch

Connect the Monitor Mode interface of the VSX Gateway to the mirror or SPAN port on the switch.

For more information, see the: