nokia ip290 series security platform installation guide · menu commands menu commands are...

Part No. N450000887 Rev 001

Published March 2009

Check PointIP290 Security Platform

Installation Guide

2 Check Point IP290 Security Platform Installation Guide

© 2003-2009 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:Please refer to http://www.checkpoint.com/copyright.html for a list of our trademarks.For third party notices, see http://www.checkpoint.com/3rd_party_copyright.html.

Check Point Contact InformationFor additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

[email protected]

http://www.checkpoint.com/copyright.html

http://www.checkpoint.com/copyright.html

http://support.checkpoint.com/

mailto:[email protected]?subject=Check Point documentation feedback

Contents

Check Point Contact Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9In This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Conventions This Guide Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Command-Line Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13About the Check Point IP290 Security Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . 13Check Point IP290 Appliance Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Built-in Gigabit Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15Auxiliary Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

System Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Site Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Product Disposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Safety Warnings and Cautions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Managing Check Point IP290 Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

2 Installing the Check Point IP290 Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Removing the Securing Screws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21Rack Mounting a Single Check Point IP290 Appliance . . . . . . . . . . . . . . . . . . . . . . 22Rack Mounting Two Check Point IP290 Appliances Side-by-Side. . . . . . . . . . . . . . 24

3 Performing the Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Connecting to the Console Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29Connecting Power and Turning the Power On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Performing the Initial Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32Connecting Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Using Check Point Network Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Viewing Check Point IPSO Documentation by Using Check Point Network Voyager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Using the Command-Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35Using Check Point Horizon Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Check Point IP290 Security Platform Installation Guide 3

4 About IP290 Appliance Network Interface Cards . . . . . . . . . . . . . . . . . . . . . . . . 39Two-Port Copper Gigabit Ethernet NIC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Copper Gigabit Ethernet NIC Features in the IP290 . . . . . . . . . . . . . . . . . . . . . . 40Copper Gigabit Ethernet NIC Connectors and Cables. . . . . . . . . . . . . . . . . . . . . 41

Two-Port Fiber-Optic Gigabit Ethernet NICs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Fiber-Optic Gigabit Ethernet NIC Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42Fiber-Optic Gigabit Ethernet NIC Connectors and Cables. . . . . . . . . . . . . . . . . . 43

5 Installing and Replacing Network Interface Cards . . . . . . . . . . . . . . . . . . . . . . . 45Deactivating Configured Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45Installing NICs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46Configuring and Activating Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51Monitoring Network Interface Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

6 Installing and Replacing Components Other than Network Interface Cards . . 53Installing a Hard-Disk Drive. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54Replacing or Upgrading Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57Replacing a Check Point Encryption Accelerator Card. . . . . . . . . . . . . . . . . . . . . . 60

Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61Configuring Software to Use Hardware Acceleration. . . . . . . . . . . . . . . . . . . . . . 64

Replacing the Battery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

7 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69General Troubleshooting Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

A Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Physical Dimensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Space Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73Other Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

B Compliance Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Declaration of Conformity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75Compliance Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76FCC Notice (US) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79


Tables

Table 1 Command-Line Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Table 2 Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11Table 3 Appliance Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Table 4 NIC PCI Frequency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39


Figures

Figure 1 Component Locations Front View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Figure 2 Component Locations Rear View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14Figure 3 Built-In Gigabit Ethernet Interface Front Panel Details . . . . . . . . . . . . . 15Figure 4 Appliance Status LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16Figure 5 Removing the Shipping Screw . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22Figure 6 Installing the Mounting Brackets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23Figure 7 Single Appliance Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24Figure 8 Power Switch Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31Figure 9 Check Point Network Voyager Reference Access Points . . . . . . . . . . . 35Figure 10 Two-Port Copper Gigabit Ethernet NIC Front Panel . . . . . . . . . . . . . . 40Figure 11 Gigabit Ethernet Cable Connector Pin Assignments . . . . . . . . . . . . . 41Figure 12 Gigabit Ethernet Crossover Cable Pin Connections . . . . . . . . . . . . . . 42Figure 13 PMC Two-Port Short-Range Gigabit Ethernet NIC . . . . . . . . . . . . . . . 43Figure 14 PMC Two-Port Long-Range Gigabit Ethernet NIC . . . . . . . . . . . . . . . 43Figure 15 DIMM Socket Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57


About This Guide

This guide describes how to install and use the Check Point IP290 security platform. Installation and maintenance should be performed by experienced technicians or Check Point-approved service providers only. This preface provides the following information:

In This GuideConventions This Guide Uses

In This GuideThis guide is organized into the following chapters and appendixes:

Chapter 1, “Overview” provides a general overview of the Check Point IP290 appliance.Chapter 2, “Installing the Check Point IP290 Appliance” describes how to rack mount the appliance and how to physically connect it to a network and power.Chapter 3, “Performing the Initial Configuration” describes how to make the appliance available on the network.Chapter 4, “About IP290 Appliance Network Interface Cards” describes how to connect to the supported Ethernet ports.Chapter 5, “Installing and Replacing Network Interface Cards” describes how to install and replace NICs in your Check Point IP290 appliance.Chapter 6, “Installing and Replacing Components Other than Network Interface Cards” describes how to install components other than NICs in your Check Point IP290 appliance.Chapter 7, “Troubleshooting” describes problems you might encounter and proposes solutions to these problems.Appendix A, “Technical Specifications” provides technical specifications such as interface characteristics.Appendix B, “Compliance Information” provides compliance and regulatory information.

Conventions This Guide UsesThe following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.


NoticesWarnings advise the user that bodily injury might occur because of a physical hazard.Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.Notes provide information of special interest or recommendations.

Command-Line ConventionsTable 1 describes the elements of commands that are available in Check Point business security products. You might encounter one or more of the following elements in a command-line path.

Table 1 Command-Line Conventions

Convention Description

command A user-generated instruction typically sent using a console or terminal. The command statement and its associated syntax must be entered exactly as shown in lowercase letters.

italics Indicates a variable in a command that you must supply. For example:delete interface if_name

Supply an interface name in place of the variable. For example:delete interface nic1

angle brackets < > Indicates arguments for which you must supply a value:retry-limit <1–100>

Supply a value. For example:retry-limit 60

-flag A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen.

.ext A filename extension, such as .ext, might follow a variable that represents a filename. Type this extension exactly as shown, immediately after the name of the file. The extension might be optional in certain products.

( . , ; + * - / ) Punctuation and mathematical notations are literal symbols that you must enter exactly as shown.


Conventions This Guide Uses

Text ConventionsTable 2 describes the text conventions this guide uses.

Table 2 Text Conventions

Convention Description

monospace font Indicates command syntax, or represents computer or screen output, for example:Log error 12453

bold monospace font Indicates text you enter or type, for example:# configure nat

Key names Keys that you press simultaneously are linked by a plus sign (+):Press Ctrl + Alt + Del.

Menu commands Menu commands are separated by a greater than sign (>):Choose File > Open.

The words enter and type Enter indicates you type something and then press the Return or Enter key.Do not press the Return or Enter key when an instruction says type.

Italics • Emphasizes a point or denotes new terms at the place where they are defined in the text.

• Indicates an external book title reference.• Indicates a variable in a command: delete interface if_name


1


1 Overview

This chapter provides an overview of the Check Point IP290 security platform and the requirements for using the appliances. The following topics are covered:

About the Check Point IP290 Security Platform on page 13Check Point IP290 Appliance Overview on page 13System Status LEDs on page 16Site Requirements on page 17Product Disposal on page 17Safety Warnings and Cautions on page 17Managing Check Point IP290 Appliances on page 18

About the Check Point IP290 Security PlatformThe Check Point IP290 security platform combines the power of Check Point IPSO for IP appliances software with your choice of firewall and VPN applications.The IP290 appliances are ideally suited for growing companies and satellite offices that want high-performance IP routing combined with the industry-leading Check Point VPN-1/FireWall-1 enterprise security suite. The small size of the IP290 appliances makes them ideal for installations that need to conserve space.As network devices, the IP290 appliances support a comprehensive suite of IP-routing functions and protocols. The integrated router functionality eliminates the need for separate intranet and access routers in security applications.For more information and technical specifications, see Appendix A, “Technical Specifications.”.

Check Point IP290 Appliance OverviewThe following figures show component locations for Check Point IP290 appliances.


1 Overview

Figure 1 Component Locations Front View

Figure 2 Component Locations Rear View

Built-in Gigabit Ethernet PortsFigure 3 shows the layout of the six built-in 10/100/1000 Ethernet ports and their LEDs.

00557

IP290

STATUS

SLOT 1 AUX

RESET1000BaseT

1 3 5

2 4 6CONSOLE

POWER FAULT

LINK

ACT

LINK

ACT

Built-in Gigabit Ethernet ports(10/100/1000 Mbps)

Status LEDs

Auxiliary (AUX) port

PMC slot 1

Reset switch Console port

00558

Power plug

Power switchFan vent


Check Point IP290 Appliance Overview

Figure 3 Built-In Gigabit Ethernet Interface Front Panel Details

NoteThe Link LED is bicolored. A green LED indicates a 1 Gbps link speed, and an orange LED indicates a 10/100 Mbps link speed.

Console PortUse the built-in console port, shown in Figure 1, to make a local connection to the appliance and to supply the initial configuration information that makes the appliance available on the network. For more information on how to make a console connection to the appliance, see “Connecting to the Console Port” on page 29.

CautionCheck Point recommends that you use the console cable that was delivered with your appliance for your console connection. Otherwise, ensure that the pin assignments for your cable match those provided in.

Auxiliary PortUse the built-in serial (AUX) port, shown in Figure 1, to establish a modem connection for managing the appliance remotely or out-of-band. Use USB cables with a standard USB A-style connector and pinout for the AUX port. For Check Point approved modem connections, you will need a USB to RS232 adaptor.

1 3 5

2 4 6

00610

Link LED (green for 1000 Mbps or orange for 10/100 Mbps)

Activity LED (orange)

RJ-45 connectors


1 Overview

NoteThe only modem approved for use with Check Point security appliances with USB AUX ports is the Radicom model V92MB-U-E, and you must be using Check Point IPSO 6.1 or greater.

System Status LEDsYou can monitor the basic operation of Check Point IP290 appliances by checking their status LEDs. The system status LEDs are located on the front panel of the appliance, as Figure 4 shows.

Figure 4 Appliance Status LEDs

Figure 3 describes the status conditions for each of the LEDs for all indications they might display.

Table 3 Appliance Status LEDs

Indicator Color Description

Caution None (off)

Yellow (steady)

Yellow (blinking)

Normal

Initial boot flash activityorInternal voltage problem

Temperature fault

00557

IP290

STATUS

SLOT 1 AUX

RESET1000BaseT

1 3 5

2 4 6CONSOLE

POWER FAULT

LINK

ACT

LINK

ACT

CriticalPower or Status

Caution


Site Requirements

Site RequirementsBefore you install a Check Point IP290 appliance, ensure that your computer room or wiring closet conforms to the environmental specifications listed in Appendix A, “Technical Specifications.”

Product Disposal

Safety Warnings and Cautions

WarningTo reduce the risk of fire, electric shock, and injury when you use telephone equipment, follow basic safety precautions. Do not use the product near water.

Power or Status

None (off)

Blue

Power off

Power on

Critical None (off)

Red

Normal

One or more fans are defective.orNo recognizable boot device with a valid kernel found.orKernel panic (followed in 20 seconds by CPU reset).

Table 3 Appliance Status LEDs (continued)

Indicator Color Description

This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it over to a designated collection point for the recycling of waste electrical and electronic equipment. The separate collection and recycling of your waste equipment at the time of disposal will help to conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment. For more information about where you can drop off your waste equipment for recycling, please contact your local city office or your household waste disposal service.


1 Overview

WarningRisk of explosion if battery is replaced by an incorrect type. Replace the battery only with the same or equivalent type that the manufacturer recommends. Dispose of used batteries according to the manufacturer's instructions.

WarningTo reduce the risk of fire, electric shock, and injury, disconnect the power cord and any cables that connect to the appliance or gateway before you open the chassis and expose internal components. Even though the power switch is turned off, power is still present inside the appliance or gateway.

CautionDo not place objects over the ventilation holes on the IP290 appliance. The components might overheat and become damaged.

CautionFor IP290 appliances intended for shipment outside of the United States, the power cord might not be included. If a power cord is not provided, use a power cord rated at 6A, 250V, maximum 15 feet long, made of HAR cordage and IEC fittings approved by the country of end use.

Managing Check Point IP290 AppliancesYou can manage Check Point IP290 appliances by using one of the following interfaces:

Check Point Network Voyager—an SSL-secured, Web-based element management interface to Check Point IP security platforms. Voyager is preinstalled on the IP290 appliance and enabled through the IPSO operating system. With Voyager, you can manage, monitor, and configure the IP290 appliance from any authorized location within the network by using a standard Web browser.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 34.The Check Point IPSO command-line interface (CLI)—an SSHv2-secured interface that enables you to configure Check Point IP security platforms from the command line. Most tasks that you can accomplish with Check Point Network Voyager—to manage and configure the IP290 appliance—you can also do with the CLI. For information about how to access the CLI, see the CLI Reference Guide for the version of IPSO you are using.Check Point Horizon Manager for IP appliances—a secure GUI-based software image management application. With Check Point Horizon Manager, you can securely install and


Managing Check Point IP290 Appliances

upgrade the proprietary Check Point IPSO operating system, plus hardware and third-party applications such as Check Point FireWall-1. Horizon Manager can perform installations and upgrades on up to 2,500 Check Point IP security platforms, offering administrators the most rapid and dependable upgrade to Check Point NG.For information about how to obtain Horizon Manager, see “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2.


1 Overview


2 Installing the Check Point IP290 Appliance

You can rack mount Check Point IP290 appliances in the following ways:A single appliance in a one-unit space (1U) or in a two-appliance shell with the second appliance space covered by a filler panel.Two appliances in a 1U space in a two-appliance shell.

This section describes how to perform both of these installations.

Removing the Securing ScrewsBefore you rack mount your IP290, remove the screw from the back of the appliance as shown in Figure 5. The screw is required only for shipping, and leaving it in prevents you from sliding the chassis assembly tray out. If you have two appliances in a two-appliance shell, you need to remove one screw from each appliance.



Figure 5 Removing the Shipping Screw

Rack Mounting a Single Check Point IP290 ApplianceBefore you mount the appliance on the rack, install the two side brackets with four screws on each side as shown in Figure 6. The brackets and screws are included with the materials you receive with the appliance.Two mounting positions allow you to mount the appliance either flush with the rack (bracket position A), or two inches forward of the rack (bracket position B).

00614a

IP290

STATUS

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT

1000BaseT

LINK

ACT

LINK

ACT

SLOT 1

IP290

STATUS

SLOT 1

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT

1000BaseT

LINKACT

LINKACT


Rack Mounting a Single Check Point IP290 Appliance

Figure 6 Installing the Mounting Brackets

You can mount IP290 appliances in a standard 19-inch rack with four mounting screws as Figure 7 shows.

00559

IP290

STATUS

SLOT 1

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT

IP290

STATUS

SLOT 1

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT

1000BaseT

LINKACT

LINKACT

1000BaseT

LINKACT

LINKACT

Bracket position A

Bracket position B



Figure 7 Single Appliance Installation

Rack Mounting Two Check Point IP290 Appliances Side-by-Side

The following procedure describes how to install two Check Point IP290 appliances in a 1U rack space.This method does not allow you to change the position of the mounting brackets, as you can when you use the single-appliance installation method.

To install two IP290 appliances side-by-side in a 1U space1. Secure the rack-mountable shell on the rack with two screws on each side.

NoteTo avoid damaging your equipment, Check Point recommends that you use all four rack-mounting screws when you install your appliance on the rack.

00560

IP290

STATUS

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULTSLOT 1

1000BaseT

LINKACT

LINKACT

Mounting screws



NoteThe procedure assumes that you are using an empty shell, but it might be populated with one or two appliances when you receive your product depending on what was ordered from the factory.

2. For each appliance you are installing into the shell, use a screwdriver to rotate both locking latches on the appliance counterclockwise until locking arms completely clear the sides of the shell to prevent damage during the installation.

00427a

Mounting Screws

IP290

STATUS

SLOT 1 AUX

RESET

1 3 5

2 4 6CONSOLE

POWER FAULT

00565

1000BaseT

LINK

ACT

LINK

ACT



3. Slide one or two appliances into the shell openings.

4. Secure each appliance to the shell by using a screwdriver to turn the locking latch clockwise until you cannot turn it with light force.To remove the appliance, use a screwdriver to turn the locking latch counterclockwise until you cannot turn it with light force.

00563

IP290

STATUS

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULTSLOT 1

1000BaseT

LINKACT

LINKACT

Filler panel

3

5

4

6

3

5

4

6

00562

To secure the appliance To release the appliance



The following figure shows how the installation appears if you are using two appliances side-by-side in a 1U space.

00564

IP290

STATUS

SLOT 1

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT

IP290

STATUS

SLOT 1

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT

1000BaseT

LINK

ACT

LINK

ACT

1000BaseT

LINK

ACT

LINK

ACT


3 Performing the Initial Configuration

The first time you turn on power to a Check Point IP290 appliance, the initial configuration process begins. This process enables you to configure the network settings and provides access to the admin account. You can perform the initial configuration in two ways:

Configure a DHCP server to provide the initial configuration information the first time the appliance is started. Perform the initial configuration manually by using a console connection.

This chapter describes how to perform the initial configuration manually by using a console connection. It includes the following sections:

Connecting to the Console PortConnecting Power and Turning the Power OnPerforming the Initial ConfigurationConnecting Network InterfacesUsing Check Point Network VoyagerUsing the Command-Line InterfaceUsing Check Point Horizon Manager

NoteCheck Point recommends that you physically install all hardware components before you perform the initial configuration procedure this chapter describes. For information about how to install other components, see Chapter 6, “Installing and Replacing Components Other than Network Interface Cards.”

Connecting to the Console Port If you do not use DHCP to perform the initial configuration of your Check Point IP290 appliance, you must use a serial console connection (RJ-45 null-modem cable included). After you perform the initial configuration, the console connection is no longer required.



You can use any standard VT100-compatible terminal with an RS-232 data terminal equipment (DTE) interface or terminal-emulation program configured with the following settings for the console:

9600 bps8 data bitsNo parity1 stop bit

To connect to the console port1. Connect the supplied null-modem cable (console cable) to the console port on the front

panel of the IP290 appliance.Use only the RJ-45 port labeled Console on the front panel; the serial USB port (AUX) is an auxiliary port.If you connect the console port to a data communications equipment (DCE) device, use a straight-through cable.

2. Connect the other end of the cable to the VT100 console or to a system running a terminal-emulation program.

Connecting Power and Turning the Power OnA power switch and a receptacle for the power cord are located on the power on the back of the appliance as shown in Figure 8.

00557

IP290

STATUS

SLOT 1 AUX

RESET1000BaseT

1 3 5

2 4 6CONSOLE

POWER FAULT

LINK

ACT

LINK

ACT

Console port


Connecting Power and Turning the Power On

Figure 8 Power Switch Location

To connect the power supply1. Attach the retaining clip included with your IP290 appliance to the power cord receptacle on

the back of the appliance.2. Connect the power cord securely into the power cord receptacle, and secure the clip to the

cord.

3. Plug the other end of the power cord into a grounded power strip or wall outlet.4. Toggle the power switch to the On position to provide power to the IP290 appliance.

CautionTo reduce stress on the power supply, after you turn the appliance on, wait at least ten seconds before you turn it off. Likewise, after you turn the power supply off, wait at least ten seconds before you turn it back on.

00558

Power switch

Power cord receptacle

00576



NoteThe IP290 appliance power supply automatically detects the input voltage (115 VAC or 220 VAC) and configures itself appropriately.

5. Check the power LED on the front panel of the appliance to ensure that the power supply is operating correctly.

If the fan is not running, or if the power LED is not illuminated, make sure that:The power cord is properly connected.The power supply switch is on.Power is turned on to the power strip or wall receptacle into which you plugged the appliance.

If the fan is still not running, or if the power LED does not illuminate, contact your Check Point service provider as listed in “For additional technical information about Check Point products, and for the latest version of this document, see the Check Point Support Center at http://support.checkpoint.com/.” on page 2 for technical support.

Performing the Initial ConfigurationThe initial configuration allows you to assign a hostname, create the admin password, and configure the management interface.

To perform the initial configuration1. Press the power switch to the “on” position to turn on power to the appliance.

The fan on the back of the appliance turns on when you press the power switch. Verify that the fan is running after you press the switch.Check the power LED on the front panel of the appliance to ensure that the power supply is operating correctly. The power LED should be illuminated. For more information about the system status LEDs, see “System Status LEDs” on page 16.If the fan is not running, or if the power LED is not illuminated:

Check the power supply cord to make sure it is properly connected.Make sure the power switch is on.Make sure the chassis tray assembly is pushed all the way in from the front of the appliance and that the front panel retaining screws are tightened.Make sure that power is turned on to the power strip or wall receptacle you plugged the appliance in to.

If the fan is still not running, or if the power LED does not illuminate, contact the Check Point Support Center at http://support.checkpoint.com/.

2. At the console a series of startup messages appears, then the console prompt appears.




Performing the Initial Configuration

The prompt remains on the screen for about five seconds. If you type any character during this time, the appliance activates the Check Point IPSO boot manager.BOOTMGR[0]>

NoteFor information about using the boot manager, see the IPSO Boot Manager Reference Guide.

After some miscellaneous output, the following prompt appears:Hostname?

If the Hostname? prompt does not appear on the console, check the console port and console display connections to ensure that the serial cable is completely plugged in at both ends. If you verify the console connections and still do not see either the BOOTMGR> or Hostname? prompts, verify that the terminal or terminal emulator program settings are correct. If the settings are correct, contact the Check Point Support Center at http://support.checkpoint.com/..

3. Respond to the Hostname? prompt within 30 seconds to prevent the DHCP client from starting.If the DHCP client starts, it might configure the appliance with an incorrect host name and IP address (this could happen if a DHCP server on your network is configured to respond to any request). To reset the incorrect host name and IP address:a. Establish a console connection to the appliance.b. Log into the system using the user name admin and the password password.c. Enter the following:

rm /config/active

ormv /config/active /config/active.old

d. Reboot the appliance.e. Respond to the Hostname? prompt within 30 seconds to prevent the DHCP client from

restarting.4. At each subsequent prompt, type the requested configuration information and then press

Enter.For more information about how to respond to the prompts during the initial configuration process, see the Getting Started Guide and Release Notes for the version of IPSO you are using.

5. After you complete the initial configuration, you can use Check Point Network Voyager to configure the remaining network ports.






Connecting Network InterfacesConnect at least one network interface to the network to use as the Check Point Network Voyager system-management interface.You can also connect the remaining interface cables at this point, although you are not required to do so.For details about cables and other related information, see Chapter 4, “About IP290 Appliance Network Interface Cards.”You can use Check Point Network Voyager or the command-line interface (CLI) to configure the remaining network ports on your Check Point IP290 appliance. Details about how to use Network Voyager, the CLI, and Check Point Horizon Manager are provided in the following sections.

Using Check Point Network VoyagerUse Check Point Network Voyager to configure and monitor your appliance.

To open Check Point Network Voyager1. Open a Web browser on the host you plan to use to configure or monitor your appliance.2. In the Location or Address field, enter the IP address of the initial interface you configured

for the appliance.You are prompted to enter the admin username and the password you entered when you performed the initial configuration.

NoteIf the username login screen does not open, you might not have a physical network connection between the host and your appliance, or you might have a network routing problem. Confirm the information you entered during the initial configuration and check that all cables are firmly connected. For more information, see the troubleshooting section in the installation guide for your appliance.

Viewing Check Point IPSO Documentation by Using Check Point Network Voyager

The following documentation is available from the Check Point Network Voyager interface, as shown in Figure 9:

Network Voyager Reference Guide—This guide is the comprehensive reference source for Check Point Network Voyager. To access this source, look at the list in the navigation tree on the left side of the window (as shown in Figure 9).You can also access this guide and other Check Point IPSO documentation at the Check Point Support Center at http://support.checkpoint.com/.




Using the Command-Line Interface

Network Voyager online help—You can access online help when you use Check Point Network Voyager. Online help is the context-sensitive information source for Check Point Network Voyager. To access online help for the window you are viewing, click Help. A Close button is available at the bottom of each online help window you view.

Figure 9 Check Point Network Voyager Reference Access Points

Using the Command-Line Interface You can also use the Check Point IPSO command-line interface (CLI) to manage and configure Check Point IP security appliances from the command line. Nearly everything that you can accomplish with Check Point Network Voyager you can also do with the CLI.

To access the command-line interface1. Log on to the appliance by using a command-line connection (SSH, console, or Telnet) over

a TCP/IP network as an admin, cadmin, or monitor user:If you log in as a cadmin (cluster administrator) user, you can change and view configuration settings on all the cluster nodes. For information about how to administer a cluster, see the traffic management commands section in the CLI Reference Guide for the version of Check Point IPSO you are using.

Link to complete user documentation

Link to online help (context sensitive help)



2. If you log in as a monitor user, you can execute only the show form of commands. That is, you can view configuration settings, but you cannot change them.

You can now execute CLI commands from the CLI shell and the Check Point IPSO shell. The Check Point IPSO shell is what you see when you initially log on to the appliance.

For more information about how to access and use the CLI, see the CLI Reference Guide for the version of Check Point IPSO you are using.

Using Check Point Horizon ManagerCheck Point Horizon Manager is an extension of the Check Point Network Voyager management functionality.While Check Point Network Voyager provides the device administrator access to network configuration tasks (such as interface configuration and routing configuration) and security configuration tasks (such as user configuration and access configuration), Check Point Horizon Manager concentrates on secure software image, inventory, and platform management of Check Point IP security platforms.Using Check Point Horizon Manager, an administrator can obtain configuration information, upgrade (or downgrade) the operating system, perform application installations, and distribute necessary licensing to multiple platforms simultaneously, thereby reducing potential human error and improving productivity.Using Check Point Horizon Manager, a network security professional can manage multiple devices simultaneously, perform parallel software upgrades, device verifications, device configuration, file backups, and more.Check Point Horizon Manager is designed to manage and configure a large number of Check Point IP security appliances that reside on a corporate enterprise, managed service provider (MSP), or hosted applications service provider network (ASP).

Execute from To Implement Purpose

Check Point IPSO command line

Enter the following command to invoke the CLI shell:clishThe prompt changes, and you can then enter CLI commands.

Enter any CLI commands in an interactive mode with help text and other helpful CLI features.

Check Point IPSO command line

Enterclish -c “cli-command”

Execute a single CLI command. You must place double-quotation marks around the CLI command.

Command files From inside the CLI shell, enter load commands filename

Load commands from a text file that contains commands. The argument must be the name of a regular file.


Using Check Point Horizon Manager

For information about how to obtain Check Point Horizon Manager or to learn more about the Check Point Horizon Manager, see the Check Point Web site at www.checkpoint.com.


http://www.checkpoint.com/

4 About IP290 Appliance Network Interface Cards

This chapter describes the network interface cards (NICs) available for the Check Point IP290 appliance and how to connect those NICs to your network. The following NICs are described:

Two-Port Copper Gigabit Ethernet NICTwo-Port Fiber-Optic Gigabit Ethernet NICs

For instructions about how to add or replace NICs, see Chapter 5, “Installing and Replacing Network Interface Cards.”The NICs supported in the Check Point IP290 appliance operate at the peripheral component interconnect (PCI) frequency listed in Table 4.

CautionTo protect the IP290 appliance and the memory modules from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance.

Two-Port Copper Gigabit Ethernet NICThe Check Point IP290 appliance supports Check Point-approved, two-port copper Gigabit Ethernet NICs installed on a PMC expansion slot. The IP290 appliance can accommodate one Gigabit Ethernet NIC.

Table 4 NIC PCI Frequency

NIC or interface portMaximum PCI operation supported

Two-port copper Gigabit Ethernet (10/100/1000 Mbps)

66 MHz

Two-port fiber-optic Gigabit Ethernet(1000 Mbps)

66 MHz



When you purchase a copper Gigabit Ethernet NIC with your IP290 appliance, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 5, “Installing and Replacing Network Interface Cards.”

Copper Gigabit Ethernet NIC Features in the IP290The copper Gigabit Ethernet NIC supports:

Tracing through tcpdumpHigh bandwidthFull-duplex mode operation up to 1 Gbps Link speed auto advertising (10/100/1000)PCI operation at 66 MHz on the IP290Compliance with IEEE 802.3ab Gigabit Ethernet specifications

The copper Gigabit NICs installed in IP290 appliances run on IPSO v4.2 or later.You can configure and monitor Gigabit Ethernet NIC interfaces by using Check Point Network Voyager. Specifically, you can use Network Voyager to set the port speed and full-duplex mode to 1000, 100, or 10 Mbps.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 34.

Figure 10 Two-Port Copper Gigabit Ethernet NIC Front Panel

\

NoteThe two-port copper Gigabit Ethernet NIC you use in IP290 appliances must be the Version 2 type, as indicated on the right end of the NIC faceplate. These NICs are sold by Check Point under the order code NIF4425.

After the power is turned on and the cables are connected, the Ethernet Link LEDs on both the appliance and on the remote equipment illuminate to indicate the connection.

00386.5

LINK

ACT

V2LINK

ACT

1000BaseT

Link LEDs (green for 10/100 Mbps, or orange for 1000 Mbps)Activity LEDs (orange)

Ports


Two-Port Copper Gigabit Ethernet NIC

NoteThe Link LED on the NIC is bicolored. A green LED indicates a 1 Gbps link speed, and a yellow LED indicates a 10/100 Mbps link speed. As the NIC transmits data, the activity LEDs on the appliance illuminate.

Copper Gigabit Ethernet NIC Connectors and CablesThe copper Gigabit Ethernet NIC receptacles are for RJ-45 connectors.

CautionCables that connect to the Gigabit Ethernet card must be ANSI TIA/EIA-568-A/B compliant (Cat 5 or Cat 5e) to prevent potential data loss.

To connect to a 1-Gbps hub, switch, or router, use a straight-through RJ-45 cable (Cat 5 or Cat 5e type cable, or as required by your network configuration).In Figure 11, the RJ-45 cable output connector is numbered from right to left, with the copper pins facing up and toward you.

Figure 11 Gigabit Ethernet Cable Connector Pin Assignments

00270

8 1

Pin#1000 Mbps Assignment

10/100 MbpsAssignment

1 BI_DA+ TX+

2 BI_DA- TX-

3 BI_DB+ RX+

4 BI_DC+

5 BI_DC-

6 BI_DB- RX-

7 BI_DD+

8 BI_DD-



To connect directly to a host, use an RJ-45 crossover cable wired as Figure 12 shows.

Figure 12 Gigabit Ethernet Crossover Cable Pin Connections

NoteAfter you turn on the appliance, the Ethernet Link LEDs on both the appliance and on the remote equipment illuminate to indicate the connection. As data is transmitted or received, the activity LEDs on the appliance illuminate.

To connect the appliance to other network components, you can order appropriate adapter cables separately from a cable vendor of your choice.

Two-Port Fiber-Optic Gigabit Ethernet NICsThe IP290 appliance supports Check Point-approved, two-port, fiber-optic Gigabit Ethernet NICs installed in the PMC expansion slot. The IP290 appliance can accommodate one Gigabit Ethernet NIC.When you purchase a Gigabit Ethernet NIC with your IP290 appliance, the NIC is installed before the appliance is delivered to you. For information about how to add or replace a NIC, see Chapter 5, “Installing and Replacing Network Interface Cards.”

Fiber-Optic Gigabit Ethernet NIC FeaturesThe short-range and long-range fiber-optic Gigabit Ethernet NICs support:

High bandwidthFull-duplex mode operation up to 1 Gbps (no half-duplex support)Link speed auto advertisingTracing through tcpdumpCompliance with IEEE 802.3z Gigabit Ethernet specification

The short-range multi-mode fiber (MMF) fiber-optic Gigabit Ethernet NICs in the IP290 run on IPSO v4.0.1 or higher.

00020

12345678

12345678


Two-Port Fiber-Optic Gigabit Ethernet NICs

The long-range single-mode fiber (SMF) fiber-optic Gigabit Ethernet NICs in the IP290 run on IPSO v4.2 or higher.You can configure and monitor Gigabit Ethernet NIC interfaces with Check Point Network Voyager. Specifically, you set the port speed and full-duplex mode with Network Voyager. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 34.Figure 13 shows the front panel details for the two-port short-range (1000 BASE-SX) fiber-optic Gigabit Ethernet NIC you can use in IP290 appliance.

Figure 13 PMC Two-Port Short-Range Gigabit Ethernet NIC

Figure 14 shows the front panel details for the two-port long-range (1000 BASE-LX) fiber-optic Gigabit Ethernet NIC you can use in your IP290.

Figure 14 PMC Two-Port Long-Range Gigabit Ethernet NIC

After the power is turned on and the cables are connected, the Ethernet link LEDs on both the IP290 and on the remote equipment illuminate to indicate the connection. As data is transmitted, the activity LEDs on the appliance illuminate.

Fiber-Optic Gigabit Ethernet NIC Connectors and CablesFor short-range NICs, to connect the fiber-optic Gigabit Ethernet NIC to other network components, use a multi-mode, fiber-optic cable with an LC connector for each NIC interface. You can use either 50 or 62.5 micron cable; 50 micron-type cable provides longer transmission reach.

00206

GIG

E

Link LEDs (solid green)Activity LEDs (blinking amber)

Ports

00555

LINK

ACT1000B-LX

Link LEDs (solid green)Activity LEDs (blinking amber)

Ports



For long-range NICs, to connect the fiber-optic Gigabit Ethernet NIC to other network components, use a single-mode, fiber-optic cable with an LC connector for each NIC interface.The destination end of the cable can be either LC or SC, depending on the type of connector required for the destination Gigabit Ethernet device. You can also use a half-duplex LC-to-LC cable to loop back the transmit port of an interface to the receiver port. LC and SC define the fiber-optic connector types; LC connectors are smaller than SC connectors.

CautionDepending on the product you order, one or more LC-to-SC cables are included with fiber-optic Gigabit Ethernet NICs. You can order additional cables from a cable vendor of your choice.Cables that connect to the Gigabit Ethernet NIC must be IEEE 802.3z compliant to prevent potential data loss.


5 Installing and Replacing Network Interface Cards

Your Check Point IP290 appliance comes with any network interface cards (NICs) you ordered already installed. All NICs installed in the appliance are housed in PMC expansion slots. You should have a working knowledge of networking equipment before you attempt to service a appliance.This chapter describes how to remove, add, or replace NICs later if it becomes necessary. The following topics are covered:

Deactivating Configured InterfacesInstalling NICsConfiguring and Activating InterfacesMonitoring Network Interface Cards

For detailed information on specific network interface cards, see Chapter 4, “About IP290 Appliance Network Interface Cards.”

CautionLimit service of the appliance to the procedures described in this chapter.

CautionTo help guard against electrostatic discharge damage, make sure you are properly grounded by using a grounding wrist strap and following the instructions provided with the wrist strap before you handle the components or open the appliance.

Deactivating Configured InterfacesIf you are removing or replacing an installed NIC, use Check Point Network Voyager to deactivate any configured ports on the NIC before removing it.

Deactivate all of the logical interfaces on the NIC.Deactivate all of the physical interfaces on the NIC.



If you do not deactivate the interfaces before removing the NIC, you may have to reinstall the NIC to deactivate its logical and physical interfaces in Network Voyager.For information about how to access Network Voyager, see “Using Check Point Network Voyager” on page 34.

Installing NICs

NoteBefore removing a configured network interface card with these instructions, you must deactivate the NIC by using Check Point Network Voyager. For additional information, see “Deactivating Configured Interfaces” on page 45.

Use these instructions to install a NIC in the IP290 appliance. Some steps are not applicable to all procedures. The instructions point out steps appropriate to each procedure.

Before You BeginTo install a Check Point NIC, you need the following:

A Phillips-head screwdriverPhysical access to the applianceAccess to the appliance by using Check Point Network Voyager or the CLIA suitable, grounded work surface A field replaceable unit kit, including the NIC

NoteYou do not need to manually disconnect power for this procedure. Any servicing of the appliance should be completed with the chassis tray assembly fully removed from the appliance.

To install a network interface card1. Use Check Point Network Voyager or command-line interface (CLI) to perform an orderly

shutdown of the IP290 appliance. For information about how to access Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 34.

2. Turn off the power to the IP290 appliance.3. Remove the power cord.


Installing NICs

4. Loosen the two front panel retaining screws.

5. Slide the chassis tray assembly forward, and completely remove the chassis to expose the motherboard components.

6. Place the chassis tray assembly on a table top.

IP290

STATUS

SLOT 1 AUX

RESET

1 3 5

2 4 6CONSOLE

POWER FAULT

00565

1000BaseT

LINK

ACT

LINK

ACT

Chassis tray assembly retaining screws

00563

IP290

STATUS

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULTSLOT 1

1000BaseT

LINKACT

LINKACT



7. From underneath the chassis tray assembly, remove the retaining screws.

If you are installing a NIC in an unoccupied slot, remove the blank bezel that occupies the space in the appliance front panel and retain it for future use.

00570

IP290

STATUS

SLOT 1

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT


Installing NICs

8. Insert the new NIC.a. Insert the NIC bezel into the front panel.b. Gently push the back of the NIC down toward the chassis tray assembly.

Make sure that the NIC edge is completely seated into the connectors on the chassis tray assembly.

00572

IP290

STATUS

SLOT 1

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT

LINK

ACT

LINK

ACT

1000BaseT



9. From the top of the chassis tray assembly, screw the NIC retaining screws into the standoffs on the back of the NIC.

10. From beneath the chassis tray assembly, screw in the bezel retaining screws.

11. Slide the chassis tray assembly back into the appliance.

00571

IP290

STATUS

SLOT 1

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT

1000BaseT

LINKACT

LINKACT


Configuring and Activating Interfaces

The Check Point IPSO operating system automatically recognizes the NIC and applies the original configuration to the new NIC.

12. Resecure the two chassis tray assembly retaining screws.13. Replace the power cord.14. Turn on the power.

Configuring and Activating InterfacesThe IP290 appliance automatically detects any new NIC when the appliance is restarted. Use Check Point Network Voyager to configure and activate the logical and physical interfaces on the NIC.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 34.

Monitoring Network Interface CardsYou can assess the general operating condition of the NICs in your appliance by looking at the LED status indicators on the NICs.For the status indicator information for the built-in Ethernet ports, see Figure 4 on page 16.For the status indicator information for the Gigabit Ethernet NICs, see Chapter 4, “About IP290 Appliance Network Interface Cards.”.Use Network Voyager to access detailed port information. For information about accessing Network Voyager, see “Using Check Point Network Voyager” on page 34. You can also use the IPSO tcpdump command to examine the track on a specific port.

00563

IP290

STATUS

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULTSLOT 1

1000BaseT

LINKACT

LINKACT


6 Installing and Replacing Components Other than Network Interface Cards

This chapter provides information about how to install or replace components other than network interface cards (NICs) in your appliance. The following topics are covered:

Installing a Hard-Disk DriveReplacing or Upgrading MemoryReplacing a Check Point Encryption Accelerator CardReplacing the Battery

For information about how to add or replace NICs, see Chapter 5, “Installing and Replacing Network Interface Cards.”You should have a working knowledge of networking equipment before you attempt to service an IP290 appliance. Limit service of the appliance to the procedures described in this chapter.

NoteTo protect the IP290 appliance and the memory modules from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance.

Installing a Hard-Disk DriveThe IP290 appliance is a flash-based appliance that also supports one optional hard-disk drive that plugs into connectors on the motherboard. The hard-disk drive provides 40 GB of storage space.The hard-disk drive is not included in the standard package. When you purchase your IP290 appliance, you can order one hard disk drive for factory installation or order one later and install it yourself.This section describes how to install a hard-disk drive.



Before You Begin

CautionHard-disk drives are susceptible to damage from shock. Handle them with care.

CautionTo help guard against electrostatic discharge damage, make sure you are properly grounded by using a grounding wrist strap and following the instructions provided with the wrist strap before you handle the components or open the appliance. If you do not have a grounding wrist strap, make sure you are properly grounded before you touch any electronic component.

To install or replace a hard-disk drive, you need:Physical access to the applianceCheck Point hard-disk drive kitA Phillips-head screwdriver

The following procedure requires removing the chassis tray assembly from the chassis.

CautionMake sure you perform an orderly shut down of the system before attempting to remove the chassis tray assembly.

You must replace the hard-disk drive with a drive that has a capacity equal to or larger than the drive you are replacing. Back up your hard-disk drive files to a remote system on a regular basis.

To remove or replace a hard-disk drive

CautionIf you fail to use the following procedure when you remove the hard-disk drive, the drive might become damaged or you might lose data.

1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an orderly shutdown of the IP290 appliance. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 34.



Installing a Hard-Disk Drive



5. Slide the chassis tray assembly forward, and completely remove the chassis to expose the motherboard components.

NoteIf you are unable to slide out the chassis tray assembly, you might need to remove the shipping screw from the back of the appliance. For details, see Figure 5 on page 22.

6. Place the chassis tray assembly on a table top.

IP290

STATUS

SLOT 1 AUX

RESET

1 3 5

2 4 6CONSOLE

POWER FAULT

00565

1000BaseT

LINK

ACT

LINK

ACT


00563

IP290

STATUS

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULTSLOT 1

1000BaseT

LINKACT

LINKACT



7. Remove the four screws from the base of the hard-disk drive and remove the hard-disk drive.

8. Slide the new hard-disk drive onto the mounting locations.9. Replace the four screws.10. Slide the chassis tray assembly back into the appliance.11. Resecure the two chassis tray assembly retaining screws.

NoteWhen you resecure the chassis tray assembly retaining screws, do not exceed a torque of 4.5 inch-pounds.

12. Replace the power cord.13. Turn on the power.

Replacing or Upgrading MemoryThe appliance has two dual inline memory-module (DIMM) sockets that are double data rate (DDR2), which perform at high speed. This section describes how to upgrade or replace the memory by using a Check Point-approved memory upgrade kit.

00575

IP290

STATUS

SLOT 1

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT

1000BaseT

LINKACT

LINKACT


Replacing or Upgrading Memory

The IP290 appliance comes with either 1 or 2 GB of RAM using 1-GB DIMMs, and a 1-GB system can be upgraded to 2 GB of RAM with the addition of a 1-GB DIMM.Check Point products support only memory kits purchased from Check Point or Check Point-approved resellers. For further information, contact the Check Point Support Center at http://support.checkpoint.com/.The DIMM sockets are located on the left rear of the IP290 appliance motherboard, as you look at the appliance from the front, as Figure 15 shows.

Figure 15 DIMM Socket Locations

Before You BeginTo upgrade or replace your appliance memory, you need:

Physical access to the applianceCheck Point memory upgrade kitAccess to the appliance by using Check Point Network Voyager or command-line interface (CLI)A Phillips-head screwdriverGrounding wrist strap

00569

IP290

STATUS

SLOT 1

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULT

1000BaseT

LINKACT

LINKACT

DIMM sockets





CautionTo protect the IP290 appliance and the memory modules from electrostatic discharge damage, make sure you are properly grounded before you touch these components. Use a grounding wrist strap and follow the instructions provided with the wrist strap before you handle the components or open the appliance.

To replace DIMMs1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an

orderly shutdown of the appliance.For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 34.




5. Slide the chassis tray assembly forward and completely remove the chassis to expose the motherboard components.

00557

IP290

STATUS

SLOT 1 AUX

RESET1000BaseT

1 3 5

2 4 6CONSOLE

POWER FAULT

LINK

ACT

LINK

ACT



Replacing or Upgrading Memory


6. To remove a DIMM, push down on the two retaining clips, which allows you to gradually pull the DIMM out of its socket. You might need to pull up on one end of the DIMM and then the other in order to remove it.

7. To install DIMMS, press the new DIMM into the socket until it clicks into place.The top of the DIMM is smooth. The bottom edge has two different-length sets of contacts, which mate with the slots on the socket. Be sure the contacts and slots are properly aligned before you insert the DIMM.

00563

IP290

STATUS

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULTSLOT 1

1000BaseT

LINKACT

LINKACT

00612a



The retaining clips move into the lock position as you press the DIMM into place.

8. Slide the chassis tray assembly back into the appliance.9. Resecure the two chassis tray assembly retaining screws.


10. Replace the power cord.11. Turn on the power.The IP290 appliance automatically recognizes the new memory configuration. You can verify the configuration by using Check Point Network Voyager or the CLI.

Replacing a Check Point Encryption Accelerator CardYou can install an optional Check Point encryption accelerator card to further enhance VPN performance. The accelerator card provides high-speed cryptographic processing that enhances VPN performance.The IP290 appliance uses a PMC format accelerator card. The accelerator card has no external connections and requires no cables. The accelerator card software package is part of Check Point IPSO, so the appliance automatically detects and configures the card.Use Check Point Network Voyager to configure your software applications (IPSec or Check Point VPN) to make use of the available hardware accelerator. For information about how to configure software applications, see “Configuring Software to Use Hardware Acceleration” on page 64.This section describes how to replace a previously installed accelerator card.

00612


Replacing a Check Point Encryption Accelerator Card

Before You BeginTo install the accelerator card, you need:

Physical access to the applianceThe Check Point encryption accelerator card and installation kitPhillips-head screwdriverFour screws (included in kit)Grounding wrist strap (included in kit)

CautionTo help guard against electrostatic discharge damage, make sure you are properly grounded by using a grounding wrist strap and following the instructions provided with the wrist strap before you handle the components or open the appliance.

To install the accelerator card1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an

orderly shutdown of the IP290 appliance. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 34.



4. Loosen the two chassis tray assembly retaining screws.


IP290

STATUS

SLOT 1 AUX

RESET

1 3 5

2 4 6CONSOLE

POWER FAULT

00565

1000BaseT

LINK

ACT

LINK

ACT





6. Locate the PMC encryption accelerator card connector on the motherboard. The connector is located on the middle, left side of the motherboard.

CautionDo not use the PMC connectors located at the front of the motherboard for the acceleration card. Those connectors are for the NICs.

7. Position the male PMC connector on the card over the female PMC connector on the motherboard.The connectors should be aligned with each other. The three screw holes and three standoffs should also be aligned with each other.

00563

IP290

STATUS

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULTSLOT 1

1000BaseT

LINKACT

LINKACT


Replacing a Check Point Encryption Accelerator Card

8. Push down on the card until it is properly seated on the motherboard.

9. Place the screws through the standoff holes on the card and into the standoffs on the motherboard.

10. Turn each screw clockwise to attach the card to the standoffs. Do not overtighten.Make sure that all standoff connections are properly aligned before tightening the screws completely.



13. Replace the power cord.14. Turn on the power.15. Configure your software to use hardware acceleration by following the instructions in

“Configuring Software to Use Hardware Acceleration” on page 64.

00568

00175.1

Screw

Accelerator cardStandoff hole

Motherboard standoff



Configuring Software to Use Hardware AccelerationThe Check Point encryption accelerator software package is part of the Check Point IPSO operating system, so the appliance automatically detects and configures the Check Point encryption accelerator card.For the Check Point IP290 appliances, SecureXL is on by default. After you install the Check Point encryption accelerator card and reboot the appliance, SecureXL automatically uses the Check Point encryption accelerator card for encryption acceleration. If you do not want to use SecureXL for encryption acceleration, use the Check Point cpconfig utility to disable SecureXL.You can also configure the IP290 appliances to use the Check Point encryption accelerator card for IKE acceleration. When you enable IKE acceleration, the Check Point encryption accelerator card performs cryptographic operations for IPsec tunnel negotiation.

To enable IKE acceleration1. From the Network Voyager home page, click Security and Access Configuration, then click

IKE Acceleration. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 34.

2. On the IKE Acceleration page, click Register the module.3. Click Apply.The PKCS#11 token that enables IKE acceleration is registered with the Check Point software on your appliance. After you register the module, you must install the Check Point security policy on the firewall for the Check Point encryption accelerator card to perform IKE acceleration.

Replacing the BatteryTo replace the battery, you need the following:

The appropriate Check Point battery replacement kit for your appliancePhysical access to the applianceA Phillips-head screwdriverA grounding wrist strap(Optional) Safety glasses

WarningRisk of explosion if battery is replaced by an incorrect type. Replace the battery only with the same or equivalent type that the manufacturer recommends. Dispose of used batteries according to the manufacturer's instructions.


Replacing the Battery

WarningMake certain to remove the power cord from the appliance before you proceed with any of the following steps. Failure to do so could cause electric shock with burns or death resulting for the user.

CautionMake certain that you are properly grounded when you handle components internal to the appliance to protect against electrostatic discharge damage to the appliance. Use the grounding strap included in the battery replacement kit.

To install the battery1. Use Check Point Network Voyager or the command-line interface (CLI) to perform an

orderly shutdown of the IP290 appliance. For information about how to access Network Voyager and the related reference materials, see “Using Check Point Network Voyager” on page 34.





IP290

STATUS

SLOT 1 AUX

RESET

1 3 5

2 4 6CONSOLE

POWER FAULT

00565

1000BaseT

LINK

ACT

LINK

ACT





6. Locate the battery on the motherboard.

00563

IP290

STATUS

AUXRESET

1

3

5

2

4

6

CONSOLE

POWER

FAULTSLOT 1

1000BaseT

LINKACT

LINKACT


Replacing the Battery

The battery is in a battery holder to the side of the power supply.

7. To remove the old battery, hold on to the holder with one hand while you push the top of the battery toward the power supply to release it from the securing clips and lift the battery out of the holder

CautionReplace the battery only with the same or equivalent type battery recommended by the manufacturer. Dispose of used batteries according to the manufacturer's instructions.

8. With the positive side toward the power supply, and with the top of the battery angled toward the power supply, slide the bottom of the new battery into the battery holder, and then push the top of the battery firmly into the securing clips.

CautionYou must place the new battery into the battery holder observing the correct polarity.


00613

Power supply

Battery securing clips




11. Replace the power cord.12. Turn on the power.After you replace the battery, you need to reset the date and time using Network Voyager or the CLI.


7 Troubleshooting

This chapter provides troubleshooting tips, problems, and solutions related to Check Point IP290 appliance installations.

General Troubleshooting InformationThe information in this section relates to problems you might encounter during the Check Point IP290 appliance installation.

Appliance Not Receiving Power

Problem Power cord is not properly plugged in.Solution Check cord. Make sure it is properly seated at both ends.

Problem Power supply not providing power.Solution Check power source. If no power is present at the source, take appropriate action such as inserting a new fuse or resetting circuit breaker.

Unable to Log In to the Console Port—No Error MessageTwo laptop computers (using terminal emulation programs) or terminals should be able to communicate back to back in the same way that the terminal communicates with the IP290 appliance. If this is not possible with your laptop computer or terminal, the problem is with the terminal or cable and not with the appliance.

Problem No console connection to the IP290 appliance.Solution For information about how to create a console connection, see “To connect to the console port” on page 30.

Problem Not connected with a null-modem cable. Solution Verify that you are using a null-modem cable. For pinout information, see “To connect to the console port” on page 30.


7 Troubleshooting

Problem Wrong terminal settings.Solution Verify terminal settings: 8 data bits, 1 stop bit, no parity, 9600 bps.

Problem Terminal set for flow control.Solution The IP290 appliance does not use flow control. The terminal should be set for no flow control.

Problem Defective IP290 appliance or file system.Solution Contact the Check Point Support Center at http://support.checkpoint.com/.

Login Prompt Appears, But Password Not Accepted

Problem Database is corruptSolution Return to default settings or contact the Check Point Support Center at http://support.checkpoint.com/.

Problem Entered wrong password.Solution Obtain a valid password or set the password to a default value.

NoteYou must have local serial access to your appliance console to perform this procedure. With a keyboard and monitor directly connected to the appliance, the boot prompt does not appear, and you cannot perform this procedure.

For information about how to reset the admin password to a default value or how to reset the default database settings, see the Voyager Reference Guide or CLI Reference Guide for the version of IPSO you are using.

Do Not Receive a Login Prompt—Error Messages Appear

Problem The IP290 appliance is defective, or the file system on the appliance is defective.Solution Contact the Check Point Support Center at http://support.checkpoint.com/.

NoteUse the full installation procedure to install a new system. The new system completely replaces the contents of the drive and might be needed to restore or reload an IP290 appliance. This procedure erases any configuration database on the appliance. For information about how to complete the full installation procedure, see the current release notes.





General Troubleshooting Information

Not Able to Connect to Check Point Network Voyager Using the Ethernet Port, But Console Access Works

Problem Voyager access or Ethernet port disabled.Solution Use the CLI over the console connection to verify the interface configuration and modify the configuration as necessary. For more information, see the CLI Reference Guide for the version of IPSO you are using.

Do Not See Interfaces That Should be Present

Problem Local IP290 appliance ports do not appear. Solution Your IP290 appliance might be defective. Contact the Check Point Support Center at http://support.checkpoint.com/.

NoteThe problem could be with the Ethernet port. Try connecting the Ethernet cable to another port.

Common Ethernet Problems—Connectivity with Attached Device

Problem No link light. Solution You might have used the wrong cable. Use a crossover cable between the IP290 appliance and a host, and a straight-through cable between an appliance and a hub.

Problem Unblinking activity LED. Solution You might have set the wrong speed. Verify that the speeds match on each end of the Ethernet connection (10 or 100 Mbps).

Problem Port not enabled.Solution Verify from the Interface page in Network Voyager that the interface port is configured as active.

Problem High collision rate on the hub. Solution Disconnect connections one at a time until the problem is localized to one computer and troubleshoot further.




7 Troubleshooting


A Technical Specifications

Physical Dimensions

Space RequirementsCheck Point IP290 appliances are designed for front-screw mounting in a 19-inch rack. Each IP290 appliance requires the following space in a rack:

1.6 inches (4.1 centimeters) of vertical space for a single appliance1.7 inches (4.3 centimeters) of vertical space for appliances in a shell16.0 inches (40.6 centimeters) behind the front-panel of the rack plus 2.0 inches (5.1 centimeters) behind the appliance to allow the back exit fan to circulate air properly.2.0 inches (5.1 centimeters) at each side of the appliance to allow air circulation for the side vents.

CautionDo not place objects over the ventilation holes on the IP290 appliance. The appliance might overheat and become damaged.

For information about changes to the software requirements or additional applications that have become available since this guide was published, contact the Check Point Support Center at http://support.checkpoint.com/.

Dimensions Height: 1.7 in. (4.3 cm) in shell

Width: 8.5 in. (21.7 cm) single appliance without rack mounting brackets17.0 in. (43.2 cm) two appliances without rack mounting brackets19.0 in. (48.3 cm) shell with rack mounting brackets

Depth: 19.0 in (48.3 cm) including front handles

Weight9.1 lbs. (4.1kg) single base system with mounting brackets23.6 lbs. (10.7 kg) shell containing two base systems




A Technical Specifications

Other Specifications

Maximum altitude of operation To 10, 000 feet or 3300 meters above sea level

Operating temperature range 41 to 104° Fahrenheit5 to 40° Celsius

Input voltage requirement 115 VAC or 220 VAC, 50 or 60 Hz

Current 2A

Power consumption 35 watts


B Compliance Information

This appendix contains declaration of conformity, compliance, and related regulatory information.

Declaration of ConformityAccording to ISO/IEC 17050:

declares that the product:

conforms to the following standards:

Supplementary information:Pursuant to ISO/IEC 17050 this product complies with the requirements of the Low Voltage Directive 73/23/EEC and the EMC Directive 2004/108/EC.

Manufacturer’s Name: Nokia Inc.

Manufacturer’s Address: 313 Fairchild DriveMountain View, CA 94043-2215USA

Product Name: IP290

Model Number: IP290

Product Options: All

Serial Number: 1 to 100,000

Date First Applied: 2007

Safety: UL 60950-1CSA C22.2 No. 60950-1-03IEC 60950-1:2001EN 60950-1:2001+A11

EMC: EN55024 1998, EN55022A 1998, EN61000-3-2, EN61000-3-3



Compliance StatementsThis hardware complies with the standards listed in this section.

Emissions Standards

Immunity Standards

Harmonics and Voltage Fluctuation

Christopher SaleemCompliance & Reliability Engineering ManagerSecurity & Mobile Connectivity, Enterprise SolutionsMountain View, CaliforniaApril 2007

FCC Part 15 Subpart B Class A US/Canada

EN55022 (CISPR 22) Class A European Community (CE)

EN55024 European Community (CE)

EN61000-4-2

EN61000-4-3

EN61000-4-4

EN61000-4-5

EN61000-4-6

EN61000-4-11

EN61000-3-2 European Community (CE)

EN61000-3-3 European Community (CE)


FCC Notice (US)

Safety Standards

FCC Notice (US)This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

CautionAny changes or modifications not expressly approved by the grantee of this device could void the user’s authority to operate the equipment.

050316

UL60950-1/EN60950-1 US/European Community(CE)

CAN/CSA-C22.2 No.60950-1 Canada


Index

Aaccessing and removing DIMMs 58activating interfaces 51appliance

components 13monitoring the IP290 16

AUX portmodem support 15

auxiliary port 15

Bbattery

location 67replacing 64

Ccables

console 30Check Point Network Voyager

opening 34components 13configuring console connection, using a 29configuring interfaces 51connecting

console, to the 30network interfaces 34

connectionscopper Gigabit Ethernet NIC 41fiber-optic Gigabit Ethernet NIC 43modem 15power 30

consolecable 30

console cable connection 30copper Gigabit Ethernet NIC 39, 41cryptographic processing 60

Ddata communications equipment device 30deactivating, network interface cards 45

Check Point IP290 Security Platform Installation Guide

DHCP server, initial configuration 29DIMMs 57

accessing and removing 58adding 58retaining clips 60socket locations 57

dual inline memory-module sockets (DIMMs) 56dual-port Ethernet network interface card 43

Eencryption accelerator card

installing an 60location 62replacing 60

end-of-life information 17

Ffiber-optic Gigabit Ethernet NICs 43

Hhard-disk drive

installing 53replacing 54

IIEEE 802.3ab 40IEEE 802.3z 42installing NICs 46interfaces

connecting network 34IP290 appliances

configuring 29monitoring 16

LLC connector 43, 44

Mmemory

Index - 79

capacity 56replacing or upgrading 56

modem support 15monitoring

NICs 51monitoring IP290 appliances 16multi-mode, fiber-optic cable 43

Nnetwork interface cards

deactivating 45dual-port Ethernet 43installing 45, 46list of available 39monitoring 51PCI operation 39two-port copper Gigabit Ethernet 39two-port fiber-optic Gigabit Ethernet 42two-port Gigabit Ethernet 40

network interfacesconnecting 34

network interfaces, connecting 34null-modem cable 30

PPCI operation of NICs 39PMC connector 62PMC expansion slots 45power connections 30

Rrandom access memory 57recycling retired equipment 17retaining clips, DIMM 60

Sserial port 15single-mode, fiber-optic cable 44specifications

space requirements 73standoffs, motherboard 63

Ttechnical specifications

See specificationstroubleshooting 69two-port Gigabit Ethernet 40

Uupgrading memory 56

VVPN performance 60

Index - 80 Check Point IP290 Security Platform Installation Guide

nokia ip290 series security platform installation guide · menu commands menu commands are...

Documents