CP 12000 GettingStartedGuide

7/23/2019 CP 12000 GettingStartedGuide

http://slidepdf.com/reader/full/cp-12000-gettingstartedguide 1/51

3 July 2012

Getting Started Guide

Check Point 12000Appliances

Models: P-210, 220,and P-230

Classification: [Protected] | P/N: 704878



© 2012 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright anddistributed under licensing restricting their use, copying, distribution, and decompilation. No

part of this product or related documentation may be reproduced in any form or by any meanswithout prior written authorization of Check Point. While every precaution has been taken in thepreparation of this book, Check Point assumes no responsibility for errors or omissions. Thispublication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth insubparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at

DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of ourtrademarks.

Refer to the Third Party copyright notices(http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

http://www.checkpoint.com/copyright.html



http://www.checkpoint.com/3rd_party_copyright.html







Important InformationLatest Software

We recommend that you install the most recent software release to stay up-to-date with thelatest functional improvements, stability fixes, security enhancements and protection againstnew and evolving attacks.

Latest Documentation

The latest version of this document is at:http://supportcontent.checkpoint.com/documentation_download?ID=12687

For additional technical information, visit the Check Point Support Center(http://supportcenter.checkpoint.com).

For more about this appliance, see the Check Point 12000 Appliances home page(http://supportcontent.checkpoint.com/solutions?id=sk68700).

Revision History

Date Description

03 July 2012 Added First Time Wizard for Gaia

Deleted Customer Replaceable Parts

29 November 2011 Updated Flow Control settings in Connecting to the CLI (on page

34) and Restoring Using the Console Boot Menu (on page 44)

15 August 2011 First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments(mailto:[email protected]?subject=Feedback on Check Point 12000 Appliances Getting Started Guide).

http://supportcontent.checkpoint.com/documentation_download?ID=12687


http://supportcenter.checkpoint.com/



http://supportcontent.checkpoint.com/solutions?id=sk68700



mailto:[email protected]?subject=Feedback%20on%20Check%20Point%2012000%20Appliances%20%20Getting%20Started%20Guide











Safety, Environmental, and Electronic Emissions Notices

4 | Check Point 12000 Appliances Getting Started Guide

Safety, Environmental, andElectronic Emissions NoticesRead the following warnings before setting up or using the appliance.

Warning - Do not block air vents. A minimum 1/2-inch clearance is

required.

Warning - This appliance does not contain any user-serviceable parts. Donot remove any covers or attempt to gain access to the inside of theproduct. Opening the device or modifying it in any way has the risk ofpersonal injury and will void your warranty. The following instructions are for

trained service personnel only.

To prevent damage to any system board, it is important to handle it with care. The followingmeasures are generally sufficient to protect your equipment from static electricity discharge:

When handling the board, to use a grounded wrist strap designed for static dischargeelimination.

Touch a grounded metal object before removing the board from the antistatic bag.

Handle the board by its edges only. Do not touch its components, peripheral chips, memorymodules or gold contacts.

When handling processor chips or memory modules, avoid touching their pins or gold edgefingers.

Restore the communications appliance system board and peripherals back into theantistatic bag when they are not in use or not installed in the chassis. Some circuitry on thesystem board can continue operating even though the power is switched off.

Under no circumstances should the lithium battery cell used to power the real-time clock beallowed to short. The battery cell may heat up under these conditions and present a burnhazard.

Warning - DANGER OF EXPLOSION IF BATTERY IS INCORRECTLYREPLACED. REPLACE ONLY WITH SAME OR EQUIVALENT TYPERECOMMENDED BY THE MANUFACTURER. DISCARD USEDBATTERIES ACCORDING TO THE MANUFACTURER’S INSTRUCTIONS.

Disconnect the system board power supply from its power source before you connect ordisconnect cables or install or remove any system board components. Failure to do this canresult in personnel injury or equipment damage.




Check Point 12000 Appliances Getting Started Guide | 5

Avoid short-circuiting the lithium battery; this can cause it to superheat and cause burns iftouched.

Do not operate the processor without a thermal solution. Damage to the processor can

occur in seconds.

Class 1 Laser Product Warning

Rack Mount Instructions

The following or similar rack-mount instructions are included with the installation instructions:

1. Elevated Operating Ambient - If installed in a closed or multi-unit rack assembly, the

operating ambient temperature of the rack environment may be greater than room ambient.Therefore, consideration should be given to installing the equipment in an environmentcompatible with the maximum ambient temperature specified by the manufacturer.

2. Reduced Air Flow - Installation of the equipment in a rack should be such that the amountof air flow required for safe operation of the equipment is not compromised.

3. Mechanical Loading - Mounting of the equipment in the rack should be such that ahazardous condition is not achieved due to uneven mechanical loading.

4. Circuit Overloading - Consideration should be given to the connection of the equipment tothe supply circuit and the effect that overloading of the circuits might have on over currentprotection and supply wiring. Appropriate consideration of equipment nameplate ratingsshould be used when addressing this concern.

5. Reliable Earthing - Reliable earthing of rack-mounted equipment should be maintained.Particular attention should be given to supply connections other than direct connections tothe branch circuit (e.g. use of power strips).

For California:Perchlorate Material - special handling may apply. Seehttp://www.dtsc.ca.gov/hazardouswaste/perchlorate

The foregoing notice is provided in accordance with California Code of Regulations Title 22,Division 4.5, Chapter 33. Best Management Practices for Perchlorate Materials. This product,part, or both may include a lithium manganese dioxide battery which contains a perchloratesubstance.

Proposition 65 Chemical

Chemicals identified by the State of California, pursuant to the requirements of the CaliforniaSafe Drinking Water and Toxic Enforcement Act of 1986, California Health & Safety Code s.25249.5, et seq. ("Proposition 65"), that is "known to the State to cause cancer or reproductivetoxicity" (see http://www.calepa.ca.gov)

WARNING:

Handling the cord on this product will expose you to lead, a chemical known to the State ofCalifornia to cause cancer, and birth defects or other reproductive harm. Wash hands afterhandling.





Federal Communications Commission (FCC) Statement:

For a Class A digital device or peripheral

Note: This equipment has been tested and found to comply with the limits for a Class A digitaldevice, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonableprotection against harmful interference when the equipment is operated in a commercialenvironment. This equipment generates, uses, and can radiate radio frequency energy and, ifnot installed and used in accordance with the instruction manual, may cause harmfulinterference to radio communications. Operation of this equipment in a residential area is likelyto cause harmful interference in which case the user will be required to correct the interferenceat his own expense.

For a Class B digital device or peripheral

NOTE: This equipment has been tested and found to comply with the limits for a Class B digitaldevice, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonableprotection against harmful interference in a residential installation. This equipment generates,uses and can radiate radio frequency energy and, if not installed and used in accordance withthe instructions, may cause harmful interference to radio communications. However, there is no

guarantee that interference will not occur in a particular installation. If this equipment doescause harmful interference to radio or television reception, which can be determined by turningthe equipment off and on, the user is encouraged to try to correct the interference by one ormore of the following measures:

Reorient or relocate the receiving antenna.

Increase the separation between the equipment and receiver.

Connect the equipment into an outlet on a circuit different from that to which the receiver isconnected.

Consult the dealer or an experienced radio/TV technician for help.

Information to user:

The user's manual or instruction manual for an intentional or unintentional radiator shall cautionthe user that changes or modifications not expressly approved by the party responsible for

compliance could void the user's authority to operate the equipment. In cases where themanual is provided only in a form other than paper, such as on a computer disk or over theInternet, the information required by this section may be included in the manual in thatalternative form, provided the user can reasonably be expected to have the capability to accessinformation in that form.

Canadian Department Compliance Statement:

This Class A digital apparatus complies with Canadian ICES-003. Cet appareil numérique de la

classe A est conforme à la norme NMB-003 du Canada.

This Class B digital apparatus complies with Canadian ICES-003. Cet appareil numérique de laclasse B est conforme à la norme NMB-003 du Canada.





Japan Compliance Statement:

Class A

Class B

European Union (EU) Electromagnetic Compatibility Directive

This product is herewith confirmed to comply with the requirements set out in the CouncilDirective on the Approximation of the Laws of the Member States relating to ElectromagneticCompatibility Directive (2004/108/EC). For the evaluation regarding the ElectromagneticCompatibility (2004/108/EC)

This product is in conformity with Low Voltage Directive 2006/95/EC, and complies with therequirements in the Council Directive 2006/95/EC relating to electrical equipment designed foruse within certain voltage limits and the Amendment Directive 93/68/EEC.





Product Disposal

This symbol on the product or on its packaging indicates that this product must not be disposedof with your other household waste. Instead, it is your responsibility to dispose of your waste

equipment by handing it over to a designated collection point for the recycling of wasteelectrical and electronic equipment. The separate collection and recycling of your wasteequipment at the time of disposal will help to conserve natural resources and ensure that it isrecycled in a manner that protects human health and the environment. For more informationabout where you can drop off your waste equipment for recycling, please contact your local cityoffice or your household waste disposal service.



Contents

Important Information ............................................................................................. 3

Safety, Environmental, and Electronic Emissions Notices .................................. 4

Introduction ........................................................................................................... 11

Welcome ............................................................................................................11

Check Point 12000 Appliances Overview ...........................................................11 Upgrading the Appliance ................................................................................12

Shipping Carton Contents...................................................................................13

Terminology........................................................................................................13

Rack Mounting ...................................................................................................... 15

Sliding Rails Hardware .......................................................................................15

Attaching the Appliance Rails .............................................................................16

Preparing Round-Hole Rack Rails ......................................................................17

Attaching the Rack Rails ....................................................................................18

Installing the Appliance in the Rack ....................................................................20

Removing the Appliance .....................................................................................20

Appliance Air Vents ............................................................................................21

Configuring Check Point 12000 Appliances ....................................................... 23

Powering On.......................................................................................................23

Available Software Images .................................................................................24

Initial Configuration .............................................................................................24 Using the First Time Configuration Wizard on Gaia ............................................25

Starting the Gaia First Time Configuration Wizard .........................................25

Welcome ........................................................................................................25

Available Releases ........................................................................................26

Authentication Details ....................................................................................26

Date and Time Setup .....................................................................................26

Device Name .................................................................................................26

Network Connection.......................................................................................27

Products ........................................................................................................27

Security Management Administrator ..............................................................28

Security Management GUI Clients .................................................................28

License Activation ..........................................................................................29

Dynamically Assigned IP ...............................................................................29

Secure Internal Communication (SIC) ............................................................29

Summary .......................................................................................................29 Using the First Time Configuration Wizard on SecurePlatform ...........................30

Starting the First Time Configuration Wizard ..................................................30



Welcome ....................................................................................................... 31

Appliance Date and Time Setup .................................................................... 31

Network Connections ..................................................................................... 31

Routing Table ................................................................................................ 31

Host, Domain Settings, and DNS Servers ...................................................... 31

Management Type ......................................................................................... 32

Summary ....................................................................................................... 33

Creating the Network Object .............................................................................. 34

Advanced Configuration ..................................................................................... 34

Connecting to the CLI .................................................................................... 34

Check Point 12000 Appliances Hardware ........................................................... 35

Front Panel Components .................................................................................... 35 Check Point 12200 Front Panel ..................................................................... 35

Check Point 12400 Front Panel ..................................................................... 36

Check Point 12600 Front Panel ..................................................................... 37

Check Point 12000 Appliances Expansion Line Cards ................................... 38

Lights Out Management................................................................................. 38

Rear Panel Components .................................................................................... 39

Check Point 12200 Rear Panel ...................................................................... 39

Check Point 12400 and 12600 Rear Panel .................................................... 40

Replacing and Upgrading Components .............................................................. 40

Using the LCD Panel .......................................................................................... 41

Restoring Factory Defaults .................................................................................. 43

Restoring Using the WebUI ................................................................................ 43

Gaia ............................................................................................................... 43

SecurePlatform .............................................................................................. 44

Restoring Using the Console Boot Menu ............................................................ 44 Restoring Using the LCD Panel .......................................................................... 45

Registration and Support ..................................................................................... 47

Registration ........................................................................................................ 47

Support .............................................................................................................. 47

Where To From Here?........................................................................................ 47

Compliance Information ....................................................................................... 49

Declaration of Conformity ................................................................................... 49




Chapter 1

Introduction

In This Chapter

Welcome 11

Check Point 12000 Appliances Overview 11

Shipping Carton Contents 13

Terminology 13

WelcomeThank you for choosing Check Point 12000 Appliances. We hope that you will be satisfied withthis system and our support services. Check Point products provide your business with themost up to date and secure solutions available today.

Check Point also delivers worldwide technical services including educational, professional andsupport services through a network of Authorized Training Centers, Certified Support Partners

and Check Point technical support personnel to ensure that you get the most out of yoursecurity investment.

For additional information on the Internet Security Product Suite and other security solutions,refer to the Check Point Web site (http://www.checkpoint.com), or call Check Point at 1(800)429-4391. For additional technical information about Check Point products, consult the CheckPoint Support Center (http://supportcenter.checkpoint.com).

Welcome to the Check Point family. We look forward to meeting all of your current and future

network, application and management security needs.

Check Point 12000 Appliances OverviewThe Check Point 12000 Appliances enables organizations to maximize security in high-performance environments such as large campuses or data centers. Combining integratedfirewall, IPsec VPN, and intrusion prevention with advanced acceleration technologies, Check

Point 12000 Appliances delivers a high-performance security platform that can blockapplication layer threats. Even as new threats appear, Check Point 12000 Appliancesmaintains or increases performance while protecting the network against attacks.

http://www.checkpoint.com/










Introduction


This appliance supports SecurePlatform and Gaia Operating Systems. Gaia is a single, unifiednetwork security Operating System that combines the best of Check Point's SecurePlatformand IPSO, the operating system from the Nokia security products. Gaia supports the fullportfolio of Check Point Software Blades, Security Gateway and Security Managementproducts.

Key Features:

Proven, enterprise-class firewall, VPN, and intrusion prevention

Accelerated security performance, that includes SecureXL and CoreXL technologies

Integrated load balancing and dynamic routing for data center reliability levels

Centrally managed from Security Management Server/Check Point 12000 Appliances or asa standalone device

Automatic security protection updates from Check Point

This document provides:

A brief overview of essential Check Point 12000 Appliances concepts and features

A step by step guide to getting Check Point 12000 Appliances up and running

Note - Screenshots in this guide may apply only to the highest modelto which this guide applies.

Upgrading the Appl iance

You can upgrade these components of the Check Point 12000 Appliances:

Memory DIMMs

LOM card

Appliance firmware

Important - You cannot upgrade the appliance firmware while using the 15 days triallicense.

For more information about upgrading the appliance, see the applicable documentation.

12200 Appliance Installing and Removing Memory



4800 and 12000 Appliances Installing and Removing a LOM Card

12000 Appliances Image Management



Introduction


Shipping Carton ContentsThis section describes the contents of the shipping carton.

Item Description

Appliance Check Point 12000 appliance

Rack Mounting Accessories Rack mounting hardware kit

Cables 1 power cable (12200 appliance)

2 power cables (12400 and 12600 appliances)

1 standard RJ-45 network cable

1 serial console cable

Documentation Getting Started Guide

Quick Start Guide

Image Management Guide User license agreement

TerminologyThe following terms are used in this guide:

Gateway: The security engine that enforces the organization’s security policy and acts as asecurity enforcement point.

Security Policy: The policy created by the system administrator that regulates the flow ofincoming and outgoing communication.

Security Management Server : The server used by the system administrator to managethe security policy. The organization’s databases and security policies are stored on theSecurity Management Server and downloaded to the gateway.

SmartConsole: GUI applications that are used to manage various aspects of securitypolicy enforcement. For example, SmartView Tracker is a SmartConsole application thatmanages logs.

SmartDashboard: A SmartConsole GUI application that is used by the systemadministrator to create and manage the security policy.

Locally Managed Deployment: When all Check Point components responsible for boththe management and enforcement of the security policy (the Security Management Server

and the gateway) are installed on the same machine.

Centrally Managed Deployment: When the gateway and the Security ManagementServer are installed on separate machines.



Introduction





Chapter 2

Rack Mounting

In This Chapter

Sliding Rails Hardware 15

Attaching the Appliance Rails 16

Preparing Round-Hole Rack Rails 17

Attaching the Rack Rails 18

Installing the Appliance in the Rack 20

Removing the Appliance 20

Appliance Air Vents 21

This chapter describes how to mount the appliance in a rack.

Important - Two people are required to install the appliance in a rack in order to preventany possible damage.

Sliding Rails Hardware



Rack Mounting


Item Hardware Description Qty. Use

1 Appliance rail 2 Attaches to the sides of the appliance.

Flat-head screws 6 Attaches the appliance rails to the appliance.

2 Rack rail 2 Attaches to the rack.

Round-head screws 4 Attaches the rack rails to the racks.

3 Round-hole rack plates 4 For use with round-hole racks.

Attaches the rack rails to racks with round-holes.

Large round-head screws 12 Attaches the round-hole rack plates to the racks.

Rack Mounting Tools

Philips screwdriver. We recommend a screwdriver with a magnetic head to hold screws andretrieve dropped screws.

Attaching the Appliance RailsUse three flat-head screws to attach each appliance rail to the side of the appliance.

The appliance rail for the right-side of the appliance is marked RH.



Rack Mounting


The appliance rail for the left-side of the appliance is marked LH.

Item Description

1 End of appliance rail with round hole.

2 Front of appliance.

To attach the appliance rails:

1. Set the right-side appliance rail on the right-side of the appliance.

The flatter side of the appliance rail faces the appliance.

The end of the appliance rail with the round hole points away from the appliance.

For a 2U appliance, the appliance rail uses the lower row of holes on the appliance.

2. Use three flat-head screws to attach the appliance rail to the appliance.

3. Do steps 1 and 2 again for the left side of the appliance.

Preparing Round-Hole Rack RailsUse the four round-hole rack plates to attach the rack rail to the rack.

To attach the round-hole rack plates:

1. Align the round-hole rack plate on the rack.



Rack Mounting


Make sure that the round holes face the rack.

2. Use three large round-head screws to attach the round-hole rack plate to the rack.Make sure that you use the same rack number for all the round-hole rack plates.

3. Do steps 1 - 2 again for the other round-hole rack plates.

Attaching the Rack Rails Attach the rack rails to the rack. If you are using round-hole racks, make sure that the round-

hole rack plates are attached. For more about attaching round-hole rack plates, see PreparingRound-Hole Rack Rails (on page 17).

The rack rail for the left-side of the rack is marked LH.

The rack rail for the right-side of the rack is marked RH.



Rack Mounting


Item Description

1 Inner clips. Press on these clips to detach the rack rail from the rack.

2 Yellow locking piece. When engaged, locks the front of the rack rail and you cannotdetach it from the rack.

Note - Disengage the yellow locking piece before you attach the rack rails to the rack.When this piece is engaged, you cannot insert the front of the rack rail into the rack.

To attach the rack rails to the rack:

1. From the front left-side of the rack, align the front of the left rack rail with the rack number. The front of the rack rail is marked with the word FRONT.

Make sure that the sliding rail faces the inside of the rack.

To detach the rack rail from the rack, use your thumbs to press the inner clips andmove the rack rail away from the rack.

2. Insert the front of the left rack rail into the rack until it clicks into place.

3. From the rear of the rack, align the rear of the rack rail with the same rack number.

The rear of the rack rail is marked with the word REAR.

4. Insert the rear of the left rack rail into the rack until it clicks into place.



Rack Mounting


5. From the rear of the rack, use a round-head screw to secure the rack rail to the rack.

6. From the front of the rack, do these steps.

a) Use a round-head screw to secure the rack rail to the rack.

b) Slide the yellow locking piece toward the front of the rack.

This piece locks the inner clips and does not let you detach the front of the rack railfrom the rack.

7. Do steps 1 through 6 again for the right rack rail.

Installing the Appliance in the RackInstall the appliance in the sliding rails in the rack.

Important - The appliance is heavy and it is necessary to use two people to hold and installthe appliance in the rack to prevent personal injury and damage to the appliance.

To install the appliance in the rack:1. Set the appliance until the appliance rails are level with the rack rails.

2. Move the appliance into the rack until the sliding rails click.

The sliding rails are locked.

Removing the ApplianceUnlock the sliding rails to remove the appliance from the rack.

R k M ti



Rack Mounting


Important - The appliance is heavy and it is necessary to use two people to hold and installthe appliance in the rack to prevent personal injury and damage to the appliance.

Item Description

1 Release clip

2 Rear of rack rail

To remove the appliance from the rack:

1. Move the appliance away from the rack as far as possible.

2. On the appliance rail, push the release lever and move the appliance away from the rackrail.

3. Push the release clips and move the rack rails into the rack as far as possible.

Appliance Air VentsMake sure that the appliance air vents have sufficient airflow when the appliance is mounted ina rack.

Important - If the appliance vents are blocked, the appliance can become too hot andcan be damaged.

Rack Mounting



Rack Mounting


The rails do not block air flow to the appliance. These appliances are specifically designed toinstall with these rails. They have been tested in extreme conditions and meet all specificationsand requirements.




Chapter 3

Configuring Check Point 12000Appliances

In This Chapter

Powering On 23

Available Software Images 24

Initial Configuration 24

Using the First Time Configuration Wizard on Gaia 25

Using the First Time Configuration Wizard on SecurePlatform 30

Creating the Network Object 34

Advanced Configuration 34

The workflow for configuring Check Point 12000 Appliances is:

1. Connect the cables and power on the appliance.

2. Use the First Time Configuration Wizard to configure the appliance.

3. Add the Check Point 12000 Appliances object in SmartDashboard and install a policy.

Powering OnTo power on Check Point 12000 Appliances:

1. Connect the power cable.2. On the back panel, turn on the Power button to start the appliance.

Note -When a power supply fails or is not connected to the outlet, analarm sounds continuously. If you hear the alarm, replace the faultypower supply immediately, and connect the new unit to an A/C outlet.

Configuring Check Point 12000 Appliances





3. Wait for the appliance to initialize and boot. The status of the appliance appears on theLCD screen:

The appliance is ready to use when the model number is displayed.

Available Software ImagesThe Check Point 12000 Appliances comes with multiple software images. Select the softwareimage you want to use.

Reverting to a different software image takes a few minutes. To follow progress and see whenthe appliance is ready, connect to the appliance using a serial console.

For more about software images, see the Check Point 12000 Appliances home page(http://supportcontent.checkpoint.com/solutions?id=sk68700).

Note - Gaia is available for R75.40 and higher.

Initial ConfigurationDo the initial configuration of the appliance with the First Time Configuration Wizard.

There are different First Time Configuration Wizard options for the Gaia and theSecurePlatform operating system.

Go to the applicable section:

Using the First Time Configuration Wizard on Gaia (on page 25)

Using the First Time Configuration Wizard on SecurePlatform (on page 30)








g g pp


Using the First Time Configuration Wizard on Gaia

Use the First Time Configuration Wizard to do the initial configuration of the Gaia appliance.

Note - The pages that you see in the wizard depend on thesoftware image and the options you select. You will not seeall the pages that are in this section.

Start ing the Gaia First Time Config uration Wizard

To start the First Time Configuration Wizard:

1. Connect a standard network cable to the appliance management interface and to yourmanagement network.

The management interface is marked MGMT. This interface is preconfigured with the IP

address 192.168.1.1.

2. Connect to the management interface from a computer on the same network subnet.

For example: IP address 192.168.1.x and net mask 255.255.255.0. This can be

changed in the WebUI, after you complete the First Time Configuration Wizard.

3. To access the management interface, open a connection from a browser to the default

management IP address: https://192.168.1.1

4. The login page opens. Log in to the system using the default username and password:

admin and admin

5. Click Login.

Note - The features configured in the First TimeConfiguration Wizard are accessible after completing thewizard using the WebUI menu. The WebUI menu can beaccessed by navigating to

https://<appliance_ip_address>.

6. The First Time Configuration Wizard runs.

Welcome

The Welcome page introduces the product.





Available Releases

The appliance comes with different software images. Select the software image that you wantto install. You can change to another software image after the First Time Configuration Wizard

is completed.

If you select a SecurePlatform software image, use the SecurePlatform First TimeConfiguration Wizard to configure the appliance.

Au thent icat ion Details

The default password gives you access to the appliance. For security purposes, change it to amore secure password.

Date and Time Setup

Set the system time and date for the appliance:

Manually

From a time server, using Network Time Protocol (NTP)

Device Name

Set the host name, domain name, and DNS servers for IPv4 addresses. The host name muststart with a letter and cannot be named com1, com2....com9.

You can use the Gaia WebUI to configure IPv6 DNS servers.





Network Connect ion

Connection Information - Configure the IPv4 interface information for the managementinterface. You can change the Management IP address. Connectivity is maintained with anautomatically created secondary interface. After you complete the First Time ConfigurationWizard, you can remove this interface in the Interface Management > Network Interfaces page.

DHCP Server - You can configure the Gaia appliance to be a Dynamic Host ConfigurationProtocol (DHCP) server.

To define a DHCP server on the Gaia appliance MGMT interface:

1. In DHCP Server , select Enabled.

2. Define the IP Pool. This is the range of IPv4 addresses that the server assigns to hosts.

Products

Products

Select the Gaia products that are installed on the appliance.

Advanced

Use these options to configure an appliance that is a cluster member or in a High Availabilitydeployment.

Unit is part of a cluster - the options are:





ClusterXL - For more about ClusterXL configurations, see the applicable version of the ClusterXL Administration Guide.

VRRP - For more about VRRP clusters, see the applicable version of the Gaia Administration Guide.

Define Security Management as - In a Management High Availability deployment, definethis Security Management server as Primary or Secondary . For more about ManagementHigh Availability, see the applicable version of the Security Management AdministrationGuide.

Search for these guides in the Support Center(http://supportcontent.checkpoint.com/solutions?id=sk67581).

Securi ty Management Adm inistrator

Note - You only see this page when the Gaia appliance is a

Security Management server.

Define the name and password of an administrator that can connect to the SecurityManagement server using SmartConsole clients.

Secu ri ty Management GUI Clients

Note - You see this page when the appliance is a SecurityManagement.









Define the clients that are allowed to connect to the appliance using a web browser or SSHclient. These clients can manage the appliance using a web or SSH connection. For securityreasons, we recommend that you do not use the Any IP address option.

License Ac t ivat ion

If you have a license for the appliance, you can automatically add the license to the appliance.If you need to obtain a license, visit the User Center (https://usercenter.checkpoint.com).

Select Activate later to use the limited trial license. This license is not permanent and expires.

To activate a license:

1. For a Security Gateway in a distributed configuration, enter the IP address of the SecurityManagement server.

2. If there is a proxy server, select Use a proxy server and enter the settings.

3. Click Activate License.

Dynamical ly Assigned IP

Note - You see this page when the appliance is a SecurityGateway.

A Dynamically Assigned IP (DAIP) gateway is a gateway where the external interface IPaddress is assigned dynamically by the ISP.

Select this option if this Security Gateway uses dynamically assigned IP addresses.

Secu re Internal Commun ication (SIC)

Define the Secure Internal Communication (SIC) Activation Key. The same key is used by thegateway object in SmartDashboard.

Summary

Click Finish to complete the First Time Configuration Wizard and configure the appliance. Youcan log in to the WebUI after some minutes.

Note - We recommend that you back up the system

configuration. You can use the Gaia add backup

command.


https://usercenter.checkpoint.com/







Using the First Time Configuration Wizard on

SecurePlatformDo the initial configuration of the SecurePlatform appliance with the First Time ConfigurationWizard.

Note - The pages that you see in the wizard depend on thesoftware image and the options you select. You will not seeall the pages that are in this section.

Start ing the First Time Con figurat ion W izard

To start the First Time Configuration Wizard:

1. Connect a standard network cable to the appliance's management interface and to your

management network.The management interface is marked MGMT. This interface is preconfigured with the IP

address 192.168.1.1.

2. Connect to the management interface, from a computer on the same network subnet as themanagement interface.

For example: IP address 192.168.1.x and netmask 255.255.255.0. This can be

changed in the WebUI.

3. To access the management interface, open a connection from a browser to the defaultmanagement IP address: https://192.168.1.1:4434.

Note - Pop-ups must always be allowed on

https://<appliance_ip_address>.

The login page opens.

4. Log in to the system using the default login name/password: admin/admin and click Login.

Note - The features configured in the wizard areaccessible after completing the wizard via theWebUI menu. The WebUI menu can be accessedby navigating to

https://<appliance_ip_address>:4434 .

5. Change the administrator password, as prompted. The default password gives you accessto the appliance. For security purposes, you must change it to a more secure password.

In the Password recovery login token section, download a Login Token to use if you forgetthe password. We recommend that you save the password recovery login token file in asafe storage.





6. The First Time Configuration Wizard runs.

Welcome

The Welcome page summarizes the steps of the First Time Configuration Wizard.

Appl iance Date and Time Setup

Configure date and time in the Date and Time Setup page. Click Apply.

Network Connect ionsConfigure the network connections in the Network Connections page.

You can change the Management IP address. Connectivity is maintained with an automaticallycreated secondary interface. You can remove this interface after you complete the First TimeConfiguration Wizard in the Network > Network Connections page.

Routing TableConfigure the routing settings on the Routing Table page.

Host, Domain Sett ing s, and DNS Servers

Set the Host, Domain and DNS Servers in the Host, Domain Settings, and DNS Servers page.

The host name must start with a letter and cannot be named com1, com2....com9.

In the DNS section, set the DNS servers for the appliance.





Management Type

Set how the appliance is managed in the Management Type page.

Locally Managed Deployment: The appliance is a Security Gateway and a SecurityManagement server. The Security Management server manages the Security Policy that isenforced by the Security Gateway.

Centrally Managed Deployment: The appliance is a Security Gateway, without a SecurityManagement server. The Security Gateway is managed by a remote Security Managementserver.

Locally Managed Deployment

This section describes how to configure the appliance for locally managed deployment.

Check Point Cluster

Configure the cluster type. If you select This appliance is part of a Check Point 12000Appliances Cluster , the options are:

Primary cluster member

Secondary cluster member

For information about clusters, see the ClusterXL Administration Guide (http://supportcenter.checkpoint.com) for your Check Point version.

Web/SSH and GUI Clients Configu rat ion

Define the clients that are allowed to connect to the appliance using a web browser or SSHclient. These clients can manage the appliance using a web or SSH connection.

You can define a Host according to Hostname or IP address. Enter a comma-separated list of

IP addresses from which you manage the appliance. Enter Any to manage the appliance from

anywhere.

Note - Do not use the Any value for security reasons.

After you complete the First Time Configuration Wizard, more options are available using theWebUI menu.

Download SmartConsole Appl icat ions

Configuring a security policy for a Locally Managed Check Point 12000 Appliances(configured in the Management Type page) requires you to install the SmartConsoleapplications. In the Download SmartConsole Applications window, you can downloadSmartConsole and install it on Windows machines.









The release notes of your Check Point version in the Check Point Support Center(http://supportcenter.checkpoint.com), lists compatible Windows operating systems forSmartConsole.

Centrally Managed Deployment

This section describes how to configure the appliance for centrally managed deployment.

Gateway Type

Configure the gateway type for a Centrally Managed Check Point 12000 Appliances.

Web/SSH and GUI Clients Configu rat ion

Define the clients that are allowed to connect to the appliance using a web browser or SSHclient. These clients can manage the appliance using a web or SSH connection.

You can define a Host according to Hostname or IP address. Enter a comma-separated list of

IP addresses from which you manage the appliance. Enter Any to manage the appliance from

anywhere.

Note - Do not use the Any value for security reasons.

After you complete the First Time Configuration Wizard, more options are available using theWebUI menu.

SIC Setup

Configure the SIC (Secure Internal Communication) settings for a Centrally Managed

appliance. Enter a SIC Activation Key. The same key is used by the gateway object inSmartDashboard.

Summary

The Summary page opens.

Click Finish to complete the First Time Configuration Wizard. You can log in to the appliance

after some minutes.

Note - You should back up the system configuration. Openthe WebUI interface and go to Appliance > Backup andRestore.









Creating the Network ObjectConfigure the Check Point 12000 Appliances as a gateway object in the Security ManagementServer database.

To create the network object in SmartDashboard:

1. Launch SmartDashboard.

2. Configure a new gateway object for the appliance.

3. Enter the IP address for the appliance.

4. For a centrally managed installation, establish Secure Internal Communication (SIC) usingthe activation key entered in the First Time Configuration Wizard.

5. Configure the topology.6. Install the security policy.

Advanced Configuration

Advanced configuration on Gaia

Advanced configuration on Gaia can be done using the WebUI or the CLI.

Advanced configuration on SecurePlatform

Advanced configuration on SecurePlatform can be done using the sysconfig menu from the

CLI.

Note - The sysconfig menu is only available after running

the First Time Configuration Wizard in the WebUI.

Connect ing to the CLI

After you complete the First Time Configuration Wizard, you can connect to the CLI (commandline interface) of a Check Point 12000 Appliances using:

The provided serial console cable (DTE to DTE)

Terminal emulation software such as HyperTerminal and PuTTY (from Windows), orMinicom (from Unix/Linux systems).

Connection parameters for the appliance are: 9600 bps, no parity, 1 stop bit (8N1).

Set the Flow Control to None.

An SSH connection to the management interface (if SSHD is configured).




Chapter 4

Check Point 12000 AppliancesHardware

In This Chapter

Front Panel Components 35

Rear Panel Components 39

Replacing and Upgrading Components 40

Using the LCD Panel 41

Front Panel ComponentsThe section describes the hardware on the front panel of the appliance.

Check Poin t 12200 Fron t Panel

Item Component Description

1 Expansion line card Expansion slot

2 LOM Port LOM (Light Out Management) port for the optional LOM card

3 Built in Ethernet ports ETH1 - ETH7

Check Point 12000 Appliances Hardware

It C t D i ti





4 Managementconfiguration port

Ethernet connection to a remote management workstation

5 USB ports

6 Console port A serial connection to the appliance using a terminalemulation program such as HyperTerminal or PuTTY

7 System LEDs System power, system status, and hard disk activity

8 LCD display screen

9 Keypad Perform basic management operations ("Using the LCDPanel" on page 41)



1 2 Hard disk drives When monitoring the disks using the raid_diagnostic

command, DiskID 0 is the top disk, and DiskID 1 is the

bottom disk


3 LCD screen







4 Keypad Perform basic management operations ("Using the LCD Panel" on page 41)

5 Console port For a serial connection to the appliance using a terminalemulation program such as HyperTerminal

6 Management port For an Ethernet connection to a remote management computer

7 LOM port LOM (Light Out Management) port for the optional LOM card

8 Expansion line card 8 Port 10/100/1000Base-T RJ-45. Model: CPAP-ACC-8-1C

9 USB ports

10 Synchronizationport

For synchronizing with cluster members or a high availability peer










1 2 Hard disk drives When monitoring the disks using the raid_diagnostic


bottom disk


3 LCD screen

4 Keypad Perform basic management operations ("Using the LCD Panel" on page 41)

5 Console port For a serial connection to the appliance using a terminalemulation program such as HyperTerminal

6 Management port For an Ethernet connection to a remote management computer

7 LOM port LOM (Light Out Management) port for the optional LOM card


9 USB ports

10 Synchronizationport

For synchronizing with cluster members or a high availability peer



Check Point 12000 App l iances Expansion Line Cards

There are different expansion line cards that you can use with the appliance. For more aboutthe expansion line cards, see the Check Point 12000 Appliances home page

(http://supportcontent.checkpoint.com/solutions?id=sk68700).

Ligh ts Out Management

The Check Point Lights Out Management (LOM) is an optional card that you can use withCheck Point appliances. You can remotely control Check Point appliances using a dedicatedmanagement channel. Lights Out Management can also work when the appliance is turned offor not responding.

For more about using Lights Out Management, see the 4800 and 12000 Appliances Lights OutManagement Administration Guide (http://supportcenter.checkpoint.com).













Rear Panel Components

This section describes the hardware on the rear panel of the appliance.

Check Poin t 12200 Rear Panel

Item Component Description1 Power supply unit If a power supply fails or is not connected to the outlet, an alarm

sounds continuously.

2 Power supplyplaceholder unit

For appliances that are provisioned with one power supply unit,the placeholder unit is used in the other power supply slot.

If both power supply slots are not populated, a continuous alarm

sounds.

3 Main power switch

4 Hard disk drives When monitoring the disks using the raid_diagnostic


bottom disk.


Check Poin t 12400 and 12600 Rear Panel




Check Poin t 12400 and 12600 Rear Panel


1 Main power switch

2 Power supply units If a power supply fails or is not connected to the outlet, an alarmsounds continuously

Replacing and Upgrading ComponentsThe Check Point 12000 Appliances has parts that you can easily replace to minimizedowntime. There are also upgrade components that you can install on the appliance. These arethe parts and components that can be used with the appliance:

Telescoping rails

Line cards

Power supplies

Hard disk drives

System memory

LOM card

For more information about installing these parts and components, see the appliance homepage (http://supportcontent.checkpoint.com/solutions?id=sk68700).

Unless directed to do so by Check Point technical support, you are prohibited by warranty andsupport agreements from replacing any parts.


Using the LCD Panel








Using the LCD PanelThe appliance has an LCD panel that you can use to do basic management operations. Youcan enable DHCP. You can configure the management IP address, netmask, and default

gateway of the appliance. You can reboot the appliance.

Menu Options

Menu Sub-menu Purpose

Network

DHCP Enable or disable DHCP for the management interface.

Set Mgmt IP Set the management interface IP address.

Set Netmask Set the management interface network mask.

Set Default GW Set the management interface default gateway.

System

Reboot Reboot the appliance.

LCD Panel Keys

To Press

Enter the main menu

Navigate the menu

or

Change a number

or

Select a menu option

Go back to previous menu


When Entering an IP Address




To Press

Enter the grub menu

or

Move to the next digit

Move back to the previous digit

Approve the changewhen the cursor is located on the last digit

Cancel the IP change

when the cursor is located on the first digit

Change current digit

or

Ch t 5




Chapter 5

Restoring Factory Defaults

In This Chapter

Restoring Using the WebUI 43

Restoring Using the Console Boot Menu 44

Restoring Using the LCD Panel 45

If necessary, restore the appliance to its factory default settings.

Important - If you restore factory defaults, all information on theappliance is deleted.

Restoring Using the WebUI

Use the WebUI of the applicable operating system to restore the appliance to the factorydefault settings. You can select one of the software images that are available on the appliance.

Gaia

Use the Gaia WebUI to restore the default factory settings.

To restore a Gaia appliance with the WebUI:

1. Open an Internet browser to the management IP address,https://<appliance_ip_address>

2. Log in to the WebUI of the appliance using the administrator username and password.

3. In the WebUI, click Maintenance > Factory Defaults.

The Factory Defaults window opens.

4. Select the image version that you are restoring.

5. Click Apply.


SecurePlatform




Use the SecurePlatform WebUI to restore the default factory settings.

To restore a SecurePlatform appliance with the WebUI:1. Open Internet Explorer and navigate to the management IP address,

https://<appliance_ip_address>:4434

2. Log in to the WebUI of the appliance using the administrator username and password.

3. In the WebUI, click Appliance > Image Management.

The Image Management window opens.

4. Select the image version that you are restoring.

5. Click Revert.

Restoring Using the Console Boot MenuTo restore the appliance to its default factory configuration using the consoleboot menu:

1. Connect the supplied DB9 serial cable to the console port on the front of the appliance.

2. Connect to the appliance using a terminal emulation program such as MicrosoftHyperTerminal or PuTTY.

3. Configure the terminal emulation program:

In the HyperTerminal Connect To window, select a port from the Connect using list.

In PuTTY select the Serial connection type.

4. Define the serial port settings: 9600 BPS, 8 bits, no parity, 1 stop bit.

5. From the Flow control list, select None.6. Connect to the appliance.

7. Turn on the appliance.


8. The appliance initializes and status messages are shown in the terminal emulationprogram.




program.

9. When this message is shown, you have approximately four seconds to hit any key toactivate the Boot menu.

10. From the Boot menu, select the relevant Reset to factory defaults image.

11. Press Enter .

Restoring Using the LCD PanelTo restore the appliance to its default factory configuration using the LCD Panelkeys:

1. Reboot or power on the appliance.

2. When the countdown begins, press any of the arrow keys.

The Boot menu appears.

3. Using the arrow buttons, scroll to the relevant default factory image.

4. Press .

5. Confirm the reset by pressing .


Pressing any other button causes the Action Canceled message to display:




At this point, pressing any key returns you to the boot menu.

6. Once you have confirmed the reset, wait for the appliance to restore the factory image.While the appliance is restored to the default image, this message is continuously

displayed: Reverting image don't turn off.

After the appliance is restored to its default factory configuration, the appliance reboots andthe initializing message appears.

Chapter 6




Chapter 6

Registration and Support

In This Chapter

Registration 47

Support 47

Where To From Here? 47

RegistrationThe appliance requires a product-specific Check Point license. Get a license and register at theCheck Point Appliance Registration site (http://register.checkpoint.com/cpapp).

Connect to the WebUI of the appliance to find the MAC address that is required to obtain alicense.

Gaia - From Advanced mode, select Maintenance > Licenses.

SecurePlatform - Select Information > Appliance Status.

SupportFor additional technical information about Check Point products, consult the Check PointSupport Center (http://supportcenter.checkpoint.com).

Where To From Here?You have the basics to get started. The next step is to get more advanced knowledge of yourCheck Point software.

Check Point documentation is available on the Check Point Support Center(http://supportcenter.checkpoint.com).

Be sure to also use the Online Help when you are working with the Check Point SmartConsole

clients.

http://register.checkpoint.com/cpapp














Appendix A




Appendix A

Compliance InformationThis appendix contains declaration of conformity, compliance, and related regulatoryinformation.

In This Appendix

Declaration of Conformity 49

Declaration of Conformity

Manufacturer’s Name: Check Point Software Technologies Ltd.

Manufacturer’s Address: 5 Ha'Solelim Street, Tel Aviv 67897, Israel

Declare that under our sole responsibility the products

Model Number: P-210, P-220, and P-230

Product Options: All

Date First Applied: July, 2011

Conforms to the following product specifications:

EMC FCC, 47 CFR, Part 15, Class

A

Information Technology Equipment - Radio Disturbance

Characteristics

VCCI V-3, Class A Information Technology Equipment - Radio DisturbanceCharacteristics

AS/NZS CISPR22, Class A Information Technology Equipment - Radio DisturbanceCharacteristics

ICES-003, Class A Information Technology Equipment - Radio DisturbanceCharacteristics

Compliance Information

CISPR22 Information Technology Equipment - Radio DisturbanceCharacteristics




EN55022, Class A Information Technology Equipment - Radio DisturbanceCharacteristics

EN 61000-3-2 Information Technology Equipment - HarmonicsCharacteristics

EN61000-3-3 Information Technology Equipment - FlickerCharacteristics

EN 55024 Information Technology Equipment - ImmunityCharacteristics

EN61000-4-2 Information Technology Equipment - ElectrostaticDischarge Immunity

EN61000-4-3 Information Technology Equipment - Radiated RFImmunity

EN61000-4-4 Information Technology Equipment - Fast TransientImmunity

EN61000-4-5 Information Technology Equipment - Surge Immunity

EN61000-4-6 Information Technology Equipment - Conducted RFImmunity

EN61000-4-11 Information Technology Equipment - Voltage Dips andShort Interruptions Immunity

Safety CAN/CSA, C22.2 No. 60950-

1-07

Safety of Information Technology Equipment

UL 60950-1:2007 secondedition

Safety of Information Technology Equipment

EN 60950-1:2006/A11:2009 Safety of Information Technology Equipment

The product herewith complies with the requirements of the EU Directive 2006/95/EC and the

EMC Directive 2004/108/EC

Date and Place of issue: July, 2011, Tel Aviv, Israel

Compliance Information

FCC Notice (US)

This equipment has been tested and found to comply with the limits for a Class A digital device,




q p p y g ,pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonableprotection against harmful interference when the equipment is operated in a commercialenvironment. This equipment generates, uses, and can radiate radio frequency energy and, ifnot installed and used in accordance with the instruction manual, may cause harmfulinterference to radio communications. Operation of this equipment in a residential area is likelyto cause harmful interference in which case the user will be required to correct the interferenceat his own expense.

Caution

Any changes or modifications not expressly approved by the grantee of this device could void

the user’s authority to operate the equipment.

CP 12000 GettingStartedGuide

Documents

Transcript of CP 12000 GettingStartedGuide