Check Point VPN-1 Pro NGX IPv6Pack for Nokia Getting Started Guide

Check Point VPN-1 Pro NGX IPv6Pack
Nokia IPSO 3.9 or 4.0

Part No. N450000141 Rev 001
Published March 2006

COPYRIGHT
©2006 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.

Nokia Contact Information

Corporate Headquarters

Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information

Americas
Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA
Tel: 1-877-997-9199
Outside USA and Canada: +1 512-437-7089
email: [email protected]

Europe, Middle East, and Africa
Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
Tel: UK: +44 161 601 8908
Tel: France: +33 170 708 166
email: [email protected]

Asia-Pacific
438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
Tel: +65 6588 3364
email: [email protected]

Nokia Customer Support

Web Site: https://support.nokia.com/
Email: [email protected]

Americas
Voice: 1-888-361-5030 or 1-613-271-6721
Fax: 1-613-271-8782

Europe
Voice: +44 (0) 125-286-8900
Fax: +44 (0) 125-286-5666

Asia-Pacific
Voice: +65-67232999
Fax: +65-67232897

Contents

1 Introduction
   About VPN-1 Pro NGX IPv6Pack
      VPN-1 Pro NGX IPv6Pack Components
      Deployment Options
   For More Information

2 Preparing for Installation and Configuration
   Installation and Configuration Overview
   Preparing the Nokia Platform
   Preparing the Network
   Obtaining Check Point Licensing
   Downloading NGX IPv6Pack Software

3 Installing VPN-1 Pro NGX IPv6Pack
   Before You Start
   Installation Overview
   Installing the Package
   Installing the VPN-1 Pro NGX IPv6Pack Add On
   Installing HotFix Accumulators on Flash-based Platforms

4 Configuring VPN-1 Pro/Express
   Using the Check Point Configuration Tool
      About the Initial Firewall Policy
      Before You Start
      Configuring a Standalone Deployment
      Configuring a Distributed Deployment
   Enabling SecureXL
   Enabling IPv6 Support

5 Installing SmartConsole NGX IPv6Pack

6 Upgrading to VPN-1 Pro NGX IPv6Pack
   Obtaining the Software
   About Upgrading a Management Server
   About Upgrading an Enforcement Module
   About Upgrading SmartConsole
   Upgrading Using the Package
   Upgrading Using the NGX IPv6Pack Add On
   Enabling IPv6 Support
   Installing HotFix Accumulators on Flash-based Platforms
   Uninstalling the IPv6Pack Add On
   Reverting to Previous Check Point Versions

1 Introduction

This guide is designed to help an administrator to install, initially configure, or upgrade to Check Point VPN-1 Pro NGX IPv6Pack for Nokia. It focuses on the steps required to bring up VPN-1 Pro NGX IPv6Pack on Nokia IP security platforms; it is not intended to be a complete guide to configuring or managing VPN-1 Pro NGX IPv6Pack services. For information on these subjects, see the IPv6 for Check Point Software for version VPN-1 Pro NGX IPv6Pack.

If you are setting up a fresh installation of VPN-1 Pro NGX IPv6Pack, read the following chapters:

• Chapter 1, “Introduction”
• Chapter 2, “Preparing for Installation and Configuration”
• Chapter 3, “Installing VPN-1 Pro NGX IPv6Pack.” Skip this chapter if your Nokia platform comes with VPN-1 Pro NGX IPv6Pack installed.
• Chapter 4, “Configuring VPN-1 Pro/Express”
• Chapter 5, “Installing SmartConsole NGX IPv6Pack”

If you are upgrading to VPN-1 Pro NGX IPv6Pack, skip the preceding chapters and read Chapter 6, “Upgrading to VPN-1 Pro NGX IPv6Pack.”

About VPN-1 Pro NGX IPv6Pack

IPv6Pack is the latest release of Check Point VPN-1 Pro with advanced IPv6 capabilities. It has all the features of VPN-1 Pro NGX and is fully compatible with R60.

For more information on the capabilities of VPN-1 Pro NGX IPv6Pack, see IPv6 for Check Point Software available from Check Point.

VPN-1 Pro NGX IPv6Pack Components

VPN-1 Pro NGX IPv6Pack consists of three components:

• Enforcement module—consists of VPN-1 Pro with advanced IPv6 capabilities.
• Management server—maintains the databases of network object definitions, user definitions, policies, and log files for any number of enforcement modules.
• Management clients (Check Point SmartConsole)—provides GUI clients for managing different aspects of VPN-1 Pro NGX IPv6Pack. For example, the SmartDashboard client allows the administrator to define network objects, users, and security policies.

Deployment Options

You can deploy VPN-1 Pro NGX IPv6Pack on individual platforms as follows:

• Standalone deployment—the management server module and the enforcement module are installed on the same platform.
• Distributed deployment—the management server module and the enforcement modules are installed on different platforms.

This manual describes how to install a standalone deployment or a distributed deployment on a Nokia IP security platform. For installation instructions for other platforms, such as Check Point SecurePlatform, see the Check Point Getting Started Guide for VPN-1 Pro NGX IPv6Pack.

For More Information

For more information about VPN-1 Pro NGX IPv6Pack, see the following Check Point documents:

• IPv6 for Check Point Software for VPN-1 Pro NGX IPv6Pack
• Getting Started Guide for VPN-1 Pro NGX IPv6Pack
• Check Point VPN-1 Pro NGX IPv6Pack Upgrade Guide

These guides are available at the Check Point Product Documentation Web site.

For more information about how to configure and manage a Nokia IP Security Platform, see:

• The IPxxx Series Installation Guide for your platform.
• The Nokia Network Voyager Reference Guide for your IPSO release.

The preceding documents are available at the Nokia support Web site.

2 Preparing for Installation and Configuration

This chapter describes how to prepare for first-time installation and configuration of VPN-1 Pro NGX IPv6Pack. The major topics covered are:

• Installation and Configuration Overview
• Preparing the Nokia Platform
• Preparing the Network
• Obtaining Check Point Licensing
• Downloading NGX IPv6Pack Software

Installation and Configuration Overview

Nokia recommends that you install and configure the three modules that comprise VPN-1 Pro NGX IPv6Pack in this order:

1. Install (if needed) and configure the management server:
   • For information on installing on a Nokia platform, see Chapter 3, “Installing VPN-1 Pro NGX IPv6Pack.” If NGX IPv6Pack comes installed on your platform, skip this chapter.
   • For information on configuring the management server on a Nokia platform, see Chapter 4, “Configuring VPN-1 Pro/Express.”
   • For information on installing and configuring the management server on other supported platforms, see the Check Point Getting Started Guide for NGX IPv6Pack.

2. Install the SmartConsole management clients. You install the SmartConsole clients on Windows platforms. For information, see Chapter 5, “Installing SmartConsole NGX IPv6Pack.”

3. Install (if needed) and configure the enforcement modules:
   • For information on how to install an enforcement module on a Nokia platform, see Chapter 3, “Installing VPN-1 Pro NGX IPv6Pack.” If NGX IPv6Pack comes installed on your platform, skip this chapter.
   • For information on how to configure the enforcement module on a Nokia platform, see Chapter 4, “Configuring VPN-1 Pro/Express.”
   • For information on installing and configuring the enforcement module on other supported platforms, see the Check Point Getting Started Guide for VPN-1 Pro NGX IPv6Pack.

You can install both a management server and an enforcement module on the same platform for a standalone configuration.

After you finish installation and configuration, you can begin to define the network objects, users, and the security policy. For more information, see the Check Point IPv6 for Check Point Software for VPN-1 Pro NGX IPv6Pack.

Preparing the Nokia Platform

To prepare your Nokia platform for VPN-1 Pro NGX IPv6Pack:

• If your Nokia platform is not running IPSO 3.9 or 4.0, upgrade the operating system or perform a fresh installation. For instructions on how to do so, see the Getting Started Guide and Release Notes for the IPSO version you are installing, which is available on the Nokia support Web site, http://support.nokia.com. The Nokia support Web site also contains the most recent information on which IPSO versions are supported.
• If you did not do so already, configure the platform initial interface and the network interfaces. For more information, see the IPxxx Series Installation Guide for your platform.
• If your security policy will block HTTP access while permitting HTTPS access, enable HTTPS access on the platform. See the Nokia Network Voyager Reference Guide for information on how to enable HTTPS access and how to replace the default SSL certificate.
• If you need to install the VPN-1 Pro NGX IPv6Pack software, ensure you have at least 60 MB of free disk space in the /opt directory.
• Confirm that you have a static host name associated with the platform external IP address. You cannot install an NGX IPv6Pack license unless you have a static host name assigned.

To add a host name

1. Connect to the platform by using Nokia Network Voyager.
2. Navigate to the Host Address Assignment page:
   • IPSO 4.0 or later: Configuration > System Configuration > Host Address
   • IPSO 3.9: System Configuration > Host Address Assignment

   By default, an entry for localhost exists. If it is the only entry, you need to add a host name for the platform.

3. To add a new entry, type in the desired name and click Apply.
4. Select on or off as desired. However, do not turn off localhost.
5. Specify the host IP address (for example, 192.168.11.45).
6. Click Apply.
7. Click Save to make changes permanent.

Figure 1 Example Host Address Assignment (IPSO 4.0)

Preparing the Network

Ensure your network is properly configured, with special emphasis on routing:

• Ensure that the internal networks and the gateway can communicate with each other. Log on to each of the hosts and PING the other hosts in the internal networks.
• Ensure the management server host can PING the external IP address of each enforcement module host, and vice-versa.
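The platform and network prerequisites in "Preparing the Nokia Platform" and "Preparing the Network" can be checked from a shell session before you install. The script below is an added example, not part of the Nokia guide. It assumes a POSIX sh with `df -k` and `ping -c` available, and that the Host Address Assignment entries are visible in a hosts-format file (HOSTS_FILE, default /etc/hosts); the host name fw-gw1 and the address 192.168.11.1 in its comments are constructed values.

```shell
#!/bin/sh
# Added example: pre-installation checks for the prerequisites listed above.
# Assumptions (not from the guide): POSIX sh, `df -k`, `ping -c`, and a
# hosts-format file that reflects the Host Address Assignment entries.

MIN_OPT_KB=$((60 * 1024))            # guide: at least 60 MB free in /opt
HOSTS_FILE=${HOSTS_FILE:-/etc/hosts} # assumed location of host entries
PROBE=${PROBE:-"ping -c 1"}          # assumed ping syntax; override if needed

# Read `df -k /opt` output on stdin and print the available space in KB.
# Fields are collected across lines, so a long device name that wraps the
# numbers onto the next line is still parsed correctly.
opt_free_kb() {
    awk 'NR > 1 { for (i = 1; i <= NF; i++) f[++n] = $i }
         END    { print f[4] }'
}

# Succeed only if stdin (df -k output) shows at least 60 MB available.
opt_space_ok() {
    free=$(opt_free_kb)
    case $free in
        ''|*[!0-9]*) return 1 ;;     # unparsable output counts as a failure
    esac
    [ "$free" -ge "$MIN_OPT_KB" ]
}

# Read hosts-format text on stdin and print the address bound to host name $1.
# Loopback entries are ignored: a name that only maps to 127.x or ::1 is not
# a static name on the external address.
static_host_entry() {
    awk -v name="$1" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 ~ /^127\./ || $1 == "::1" { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# Print every host in "$@" that does not answer a single probe.
unreachable_hosts() {
    for h in "$@"; do
        $PROBE "$h" >/dev/null 2>&1 || printf '%s\n' "$h"
    done
}

# preflight NAME [HOST...]: run all checks, report failures, return non-zero
# if any check failed. NAME is the platform host name; HOSTs are peers to ping.
preflight() {
    name=$1; shift
    rc=0
    df -k /opt | opt_space_ok ||
        { echo "FAIL: less than 60 MB free in /opt"; rc=1; }
    [ -n "$(static_host_entry "$name" < "$HOSTS_FILE")" ] ||
        { echo "FAIL: no static (non-loopback) host entry for $name"; rc=1; }
    for h in $(unreachable_hosts "$@"); do
        echo "FAIL: no ping reply from $h"; rc=1
    done
    [ "$rc" -eq 0 ] && echo "OK: prerequisites met"
    return "$rc"
}

# Run only when called with arguments, e.g.: sh preflight.sh fw-gw1 192.168.11.1
if [ "$#" -ge 1 ]; then
    preflight "$@"
fi
```

Run it on the management server with the external addresses of the enforcement modules as the peer list, and on each enforcement module with the management server address, so the ping check covers both directions.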

Obtaining Check Point Licensing

You must obtain an NGX license from Check Point. Start this process several days before the anticipated installation or upgrade. See the Check Point Getting Started Guide for VPN-1 Pro NGX IPv6Pack for information on how to obtain a license.

Downloading NGX IPv6Pack Software

Before you begin the installation, download the NGX IPv6Pack software from the Check Point Downloads Web site to an FTP server that is accessible from your platform. The IPv6Pack software for IPSO is not available on CD and can be obtained only from the Check Point Downloads Web site.

Information on NGX IPv6Pack for Nokia and a link to the Check Point Downloads Web site are available in Solution ID 1610195 at the Nokia Support site at http://support.nokia.com.

Which Check Point packages you should download depends on whether NGX R60 is already installed on your platform and on your type of platform:

• If your disk-based platform already has NGX R60 installed, you need to download only the NGX IPv6Pack Add On.
• If your disk-based platform does not have NGX R60 installed, download the NGX IPv6Pack wrapper. The wrapper automatically installs NGX R60 and then the NGX IPv6Pack Add On.
• If your flash-based platform already has NGX R60 installed, download the NGX IPv6Pack Add On and the IPv6Pack bootstrap replacement fix.
• If your flash-based platform does not have NGX R60 installed, do not use the NGX IPv6Pack wrapper. Instead, download the latest VPN-1 NGX R60 package for flash-based platforms (not the NGX R60 comprehensive package), the NGX IPv6Pack Add On, and the IPv6Pack replacement bootstrap fix. Nokia recommends that you also download and install CPInfo NGX R60.
• Regardless of Check Point installation or platform type, download SmartConsole NGX IPv6Pack.

Table 1 summarizes what to download for installation on your platform.

Table 1 Check Point Software to Download

| NGX R60 Installed? | Type of Platform | Check Point Software to Download | Description |
|---|---|---|---|
| Yes | Disk-Based | IPv6Pack Add On | Upgrades NGX R60 to NGX IPv6Pack |
| Yes | Flash-Based | IPv6Pack Add On | Upgrades NGX R60 to NGX IPv6Pack |
| | | IPv6Pack Bootstrap Fix | Enables IPv6 features on flash-based platforms |
| No | Disk-Based | NGX IPv6Pack Wrapper | Installs NGX R60 and the IPv6Pack Add On |
| No | Flash-Based | VPN-1 NGX R60 for flash-based | Installs NGX R60 |
| | | IPv6Pack Add On | Upgrades NGX R60 to NGX IPv6Pack |
| | | IPv6Pack Bootstrap Fix | Enables IPv6 features on flash-based platforms |
| | | CPInfo NGX R60 | Installs the CPInfo tool |

3 Installing VPN-1 Pro NGX IPv6Pack

This chapter describes how to perform a fresh installation of VPN-1 Pro NGX IPv6Pack on a Nokia IP security platform.

If you already have VPN-1 Pro NGX IPv6Pack installed, skip this chapter and proceed to Chapter 4, “Configuring VPN-1 Pro/Express.” If you have a previous Check Point installation that you want to upgrade to VPN-1 Pro NGX IPv6Pack, skip this chapter and proceed to Chapter 6, “Upgrading to VPN-1 Pro NGX IPv6Pack.”

Before You Start

Before you start the installation, make sure that:

• The Nokia IPSO version on the platform is IPSO 3.9 or 4.0. (For the latest information on which IPSO releases are supported, see the Nokia support Web.) If it is not, upgrade the operating system image as described in the Getting Started Guide and Release Notes for your IPSO version.
• You have prepared your platform and network as described in “Preparing the Nokia Platform” on page 10 and “Preparing the Network” on page 11.
• You have downloaded the required Check Point packages to an FTP server as described in “Downloading NGX IPv6Pack Software” on page 11.

Installation Overview

The exact installation steps you take depend on what you have installed on your platform and the type of platform you have:

• If your platform came with NGX R60 pre-installed, install VPN-1 Pro NGX IPv6Pack by installing the NGX IPv6Pack Add On as described in “Installing the VPN-1 Pro NGX IPv6Pack Add On” on page 17.
• If your platform is disk-based and does not have NGX R60 preinstalled, install VPN-1 Pro NGX IPv6Pack by using the NGX IPv6Pack wrapper, as described in “Installing the Package” on page 14. The NGX IPv6Pack wrapper first installs NGX R60 and then the NGX IPv6Pack Add On.
• If your platform is flash-based and does not have NGX R60 preinstalled:
   1. Install NGX R60 first. Do not use the NGX R60 comprehensive package to do so; instead use the VPN-1 NGX R60 package for Nokia flash-based platforms.
   2. Install CPInfo NGX R60.
   3. Configure VPN-1 Pro/Express with cpconfig, as described in the next chapter.
   4. Install the NGX IPv6Pack Add On, as described in “Installing the VPN-1 Pro NGX IPv6Pack Add On” on page 17.

Installing the Package

This section describes how to install:

• The NGX IPv6Pack wrapper on disk-based platforms
• The VPN-1 NGX R60 package on flash-based platforms

This section contains detailed procedures for installing the package using either the newpkg command or Nokia Network Voyager. For information on using the Nokia CLI, see the CLI Reference Guide. Table 2 lists the Check Point products installed by the NGX IPv6Pack wrapper. The table also shows the status of the package (active or not active) after installation.

Table 2 Products Installed by the Wrapper

| Package | Status |
|---|---|
| Check Point VPN-1 Pro/Express NGX R60 | Active |
| Check Point R55W Compatibility Package for NGX | Not active |
| Check Point CPinfo | Active |
| R55 Compatibility Package for NGX | Not active |
| Check Point Eventia Reporter NGX R60 | Not active |
| Check Point UserAuthority Server NGX R60 | Not active |

Note: VPN-1 Pro NGX IPv6Pack has the same package names as NGX R60 and installs into the NGX R60 directories.

The VPN-1 NGX R60 package for flash-based platforms installs only Check Point VPN-1 Pro/Express. Nokia recommends that you also obtain CPinfo, available from the Check Point Downloads site, and install it as well.

To install using the newpkg command

Note: On flash-based platforms:

• If you plan to install from the local filesystem (that is, download the package to the platform first and then install from that directory), Nokia recommends that you use /var/tmp or a directory you create in /var as your installation directory. The installation files will be automatically deleted when you reboot the system, freeing up space in flash memory.
• If you plan to install from an FTP server, Nokia recommends that you delete the contents of /preserve/opt/tmp before and after you perform the installation. newpkg uses this directory to store packages while installing them. Use the following command to delete the directory contents:

   rm -R /preserve/opt/tmp

1. Log in to the platform with a remote terminal or console connection.
2. Enter newpkg to start the package installation script.

   The following options appear:
   1. Install from CD-ROM.
   2. Install from anonymous FTP server.
   3. Install from FTP server with user and password.
   4. Install from local filesystem.
   5. Exit new package installation.

3. Enter the number (1 through 4) next to the installation method to use, or enter 5 to exit.
4. The installation script guides you through the rest of the installation process.

   If you are installing from your current working directory in the local filesystem, you can enter a period (.) when asked for the pathname to the packages.

5. Log off the platform and then log back on. When newpkg installs and enables packages, it sets new shell environmental variables that are necessary for executing firewall commands. However, they do not take effect until the next time you log on. For this reason, you need to log off and then log back on again before you can run cpconfig as described in the next chapter.

6. To make sure the applications are installed correctly, see “To confirm the installation” on page 16.

To install using Nokia Network Voyager

1. In the Network Voyager, navigate as follows:
   • IPSO 3.9: System Configuration > Manage Installed Packages > FTP and Install Packages
   • IPSO 4.0: Configuration > System Configuration > Packages > Install Package.

2. Enter the host name or IP address of the FTP site where you downloaded the wrapper.
3. Enter the directory name where the files reside on the FTP site.
4. Enter the user account and password to use when you connect to the FTP site.

   If you leave these fields empty, the anonymous account is used.

   Note: If you specify a user account and password, you must re-enter the password whenever you change the FTP site, FTP directory, or FTP user on future requests.

5. Click Apply. A list of files from the specified FTP directory appears in the Site Listing field.

6. Select the package from Site Listing, then click Apply.
   After the download completes, the package appears in the Select a Package to Unpack box.

7. Select the package, then click Apply.
   The package is unpacked into the local file system.

8. Click the link: Click here to install/upgrade packagename.
9. Click Yes next to Install and click Apply.

   Wait until Network Voyager refreshes this page with a link to the Manage Installed Packages page.

10. Click the link to return to the Manage Packages page.
   The installation of the applications within the wrapper package can take several minutes to complete: as long as 10 to 20 minutes on some platforms.
   During the initial installation phase, the wrapper package appears under the Security Applications heading. If you wait several minutes and click Apply, a warning message appears telling you that the installation is still in progress. The wrapper continues to unpack and install the Check Point applications in the package.
   You can click Apply to refresh the page and monitor the installation process. When the installation is complete, the warning message disappears and the application packages appear in the installed packages section.

11. Confirm that the installation was successful by following the steps in “To confirm the installation.”

To confirm the installation

1. On the Manage Packages page in Network Voyager, confirm that the Check Point VPN-1 Pro/Express NGX R60 package appears under Security Applications and is enabled.
2. If the package is not enabled, click On, and then click Apply and then Save.
3. Enable any of the other Check Point packages you want to have enabled and click Apply and then Save.
4. If you enabled packages and are logged onto the platform with an IPSO shell session, log off and then log on again to set the environmental variables.

You are now ready to configure VPN-1 Pro/Express with cpconfig, as described in Chapter 4, “Configuring VPN-1 Pro/Express.”

Note: Although the Check Point VPN-1 Pro/Express package is enabled, firewall services do not start until you have run cpconfig, as described in Chapter 4, and rebooted the platform.

After you run cpconfig and reboot, enabling/disabling the Check Point VPN-1 Pro/Express package on the Manage Packages page starts and stops the firewall services.

Installing the VPN-1 Pro NGX IPv6Pack Add On

You must have NGX R60 installed and enabled before you can install the VPN-1 Pro NGX IPv6Pack Add On. On flash-based platforms, you must have also configured NGX R60 with cpconfig, as described in Chapter 4, before you install the NGX IPv6Pack Add On.

To install the NGX IPv6 Add On

1. Download the NGX IPv6Pack Add On to your platform.

   Note: Nokia recommends that on flash-based platforms, you do not download the IPv6Pack Add On to your home directory in /var. Files in user home directories are preserved after reboots and consume valuable space in flash memory. Instead, download to /var/tmp or create a directory in /var and install the IPv6Pack Add On from there. The installation files will be automatically deleted when you reboot.

2. Change your working directory to the directory containing the IPv6Pack Add On package.
3. Extract the files from the archive file.
4. Execute the IPv6Pack Add On file:

   ./fw1_HOTFIX_Dimona_596000082_1

5. Reboot the platform.
6. Configure VPN-1 Pro/Express with cpconfig, as described in the next chapter, if you have not already done so.

Installing HotFix Accumulators on Flash-based PlatformsNokia recommends you follow these guidelines when installing HFAs on flash-based platforms:

Do not download the HFAs to your home directory. Files in user home directories are preserved after reboots and consume valuable space in flash memory. Instead, download to /var/tmp or create a directory in /var and install the HFA from there. The installation files will be automatically deleted when you reboot after installing the HFA.After you extract the HFA files from the archive .tgz file, delete the archive file and then install the HFA as described in the HFA release notes.


4 Configuring VPN-1 Pro/Express

You must perform an initial configuration of Check Point VPN-1 Pro/Express before firewall or management server services are available. During this initial configuration, you:

Specify whether this is a Check Point Enterprise/Pro or Check Point Express installation
Specify which components to deploy on the platform you are configuring and provide some administrative information about the components you have selected
Provide information used to enable secure internal communication (SIC) between components

This chapter describes:
Using the Check Point Configuration Tool
Enabling SecureXL
Enabling IPv6 Support

Using the Check Point Configuration Tool

You use the Check Point configuration tool, cpconfig, to perform the initial configuration. This section describes how to configure both standalone and distributed deployments.

About the Initial Firewall Policy

After you use cpconfig to configure an enforcement module and reboot the platform, an initial firewall policy is loaded. This policy is based on a default filter that blocks all inbound access to the platform. While this policy is in force, you cannot access the platform remotely through a terminal connection or Nokia Network Voyager. Only SmartConsole clients are permitted access to the platform through the management server.

You can use one of the following ways to regain remote terminal or Network Voyager access to the platform:

Use SmartDashboard to create and install a security policy that permits the desired remote connections to the platform.


Note: Make sure that the desired access methods have also been enabled on the platform. HTTPS, for example, is disabled by default.

From a console connection, enter the cpstop command. This stops firewall services, allowing you access to the platform with Network Voyager. When you have finished your administrative tasks, start the firewall services again with the cpstart command.

Before you run cpconfig, change the default filter on which the initial policy is based to one that permits SSH or HTTPS connections or both. Table 3 shows the available default filters.

To change the default filter used by the initial policy

1. Enter the following sequence of commands at a console or remote terminal connection. If you want to use a default filter other than defaultfilter.ipso, then replace defaultfilter.ipso in the first command with the name of the filter you want to use.

cp $FWDIR/lib/defaultfilter.ipso $FWDIR/conf/defaultfilter.pf
fw defaultgen
cp $FWDIR/state/default.bin $FWDIR/boot

2. If you use defaultfilter.ipso or defaultfilter.ipso_ssl, make sure that HTTPS is enabled on the platform.

Table 3 Default Filters

Filter File             Filter Description
defaultfilter.boot      Allows outbound traffic (originating from the firewall) and broadcast traffic only. This is the filter used by the default initial policy.
defaultfilter.dag       Allows outbound traffic, broadcast traffic, and DHCP
defaultfilter.drop      Drops all traffic in and out of the gateway
defaultfilter.ipso      Allows inbound SSH, HTTPS, and ICMP (PING) traffic and all outbound traffic
defaultfilter.ipso_ssh  Allows inbound SSH and ICMP traffic and all outbound traffic
defaultfilter.ipso_ssl  Allows inbound HTTPS and ICMP traffic and all outbound traffic
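The filter choice and staging procedure above, as an added shell example that is not part of the Nokia guide: it picks a Table 3 filter from the inbound access you need and runs the guide's three commands with pre-checks, so a missing filter file or a failed compile does not replace the boot filter. The function names, the DRY_RUN switch and the .bak backup file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide). Function names, DRY_RUN and the .bak
# backup file are assumptions; the three staging commands are the guide's.

# Choose a Table 3 filter from the inbound management access you need.
# $1: inbound SSH needed (yes|no)   $2: inbound HTTPS needed (yes|no)
pick_default_filter() {
    case "$1:$2" in
        yes:yes) echo defaultfilter.ipso ;;
        yes:no)  echo defaultfilter.ipso_ssh ;;
        no:yes)  echo defaultfilter.ipso_ssl ;;
        no:no)   echo defaultfilter.boot ;;   # filter used by the default initial policy
        *) echo "usage: pick_default_filter yes|no yes|no" >&2; return 2 ;;
    esac
}

# Stage the named filter as the base of the initial policy.
# DRY_RUN=1 prints the commands instead of running them.
stage_default_filter() {
    sdf_name=$1
    if [ -z "${FWDIR:-}" ]; then
        echo "FWDIR is not set; log out and back in to set the environment" >&2
        return 1
    fi
    sdf_src="$FWDIR/lib/$sdf_name"
    sdf_dst="$FWDIR/conf/defaultfilter.pf"
    if [ ! -f "$sdf_src" ]; then
        echo "filter not found: $sdf_src" >&2
        return 1
    fi
    case "$sdf_name" in
        defaultfilter.ipso|defaultfilter.ipso_ssl)
            echo "reminder: HTTPS is disabled by default; enable it on the platform" >&2 ;;
    esac
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "cp $sdf_src $sdf_dst"
        echo "fw defaultgen"
        echo "cp $FWDIR/state/default.bin $FWDIR/boot"
        return 0
    fi
    # Keep the previous source filter so the change can be undone.
    if [ -f "$sdf_dst" ]; then
        cp "$sdf_dst" "$sdf_dst.bak" || return 1
    fi
    cp "$sdf_src" "$sdf_dst" || return 1
    fw defaultgen || { echo "fw defaultgen failed; boot filter unchanged" >&2; return 1; }
    # Install the compiled filter only if the compile produced a non-empty file.
    if [ ! -s "$FWDIR/state/default.bin" ]; then
        echo "no compiled filter at $FWDIR/state/default.bin" >&2
        return 1
    fi
    cp "$FWDIR/state/default.bin" "$FWDIR/boot"
}
```

Run it before cpconfig, for example `stage_default_filter "$(pick_default_filter yes no)"` to keep inbound SSH only; use DRY_RUN=1 first to review the commands.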


Before You Start

Before you start the initial configuration:

Make sure the Check Point VPN-1 Pro/Express NGX R60 package is enabled. If it is not, enable it. For details, see “To confirm the installation” on page 22. If you have an active command line session, log off after you enable the package.

If you want to install and manage the Check Point license locally, have the license information available. If you plan to use SmartUpdate to manage your licenses centrally, as recommended by Check Point, you do not need the information now.

If you are configuring a SmartCenter server, be ready to supply:
An initial administrator username and password.
The IP address or name of at least one SmartDashboard host.

Configuring a Standalone Deployment

In a standalone deployment, a SmartCenter management server and an enforcement module are deployed on the same security platform.

Note: A gateway that is a member of a VRRP virtual router or an IP cluster cannot be configured in a standalone deployment. It must have an enforcement module only installed on it.

Note: Standalone deployments are not supported on flash-based platforms.

To configure a standalone deployment

1. Log in to the host from a console or remote terminal connection.
2. At the command prompt, enter cpconfig.

The following text appears:

Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement.
Hit 'ENTER' to continue...

Note: If the text does not appear when you enter cpconfig, you might need to log out of the command-line session and then log back in to set the environmental variables.

3. Press Enter to read the license agreement, and then enter y to accept it.


4. Specify which product you are installing: Check Point Enterprise/Pro or Check Point Express.

5. Enter the appropriate number to select a standalone installation: 1 for Check Point Enterprise/Pro installations or 3 for Check Point Express installations.

6. Enter y to add a license and fill in the license information, or enter n to complete the license information later.

7. Define an initial administrator name and password. The initial administrator name and password you enter here allow you to log in to the SmartCenter server from the SmartDashboard. This administrator has full read/write permissions, allowing you to further add or modify administrators using the SmartDashboard. Administrators you define with the SmartDashboard can be issued a certificate for authentication, which provides a more secure means of authentication than the simple username used for the initial administrator. Check Point recommends that once you log on to the SmartDashboard, you create a new administrator with full read/write permissions, generate a certificate for the new administrator, and delete the initial administrator created by cpconfig.

8. Identify the SmartConsole hosts that can access the SmartCenter server. You can have as many SmartConsole clients on as many desktops as you desire. However, you need to provide the IP address or name of each client host to cpconfig before the clients can access the SmartCenter server. Specify at least one SmartConsole host. You can rerun cpconfig at any time to add additional client hosts.

9. Specify the name of a group for which you want to grant permissions. Enter return to specify no group.

10. As part of configuring the internal certificate authority, type random text at a random pace until you hear a beep. The timing latency between your keystrokes is used to generate cryptographic data. Certificates are used for secure internal communication (SIC) between the SmartCenter server and the enforcement modules.

11. Choose whether to save the fingerprint of the SmartCenter server to a file. To save the fingerprint, type y and provide the name of the file. The SmartCenter server fingerprint will be displayed the first time a user logs into the SmartCenter server from a particular SmartDashboard host. By comparing the fingerprint displayed with the fingerprint you saved at this step, the user can authenticate the identity of the SmartCenter server.

12. When cpconfig asks if you want to reboot the system, enter y. After the system reboots, an initial firewall policy is installed. Unless you previously modified the initial policy, all remote access to the platform is blocked, except for SmartConsole clients. For information on how to regain remote terminal access or Nokia Network Voyager access, see “About the Initial Firewall Policy” on page 19.


Configuring a Distributed Deployment

In a distributed deployment, the SmartCenter server and the enforcement modules are installed on separate platforms.

To install a SmartCenter server

Note: You cannot deploy a SmartCenter server on a flash-based platform.

1. Log in to the host from a console or remote terminal connection.
2. At the command prompt, enter cpconfig.

The following text appears:

Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement.
Hit 'ENTER' to continue...

Note: If the text does not appear when you enter cpconfig, you might need to log out of the command-line session and then log back in to set the environmental variables.

3. Press Enter to read the license agreement, and then enter y to accept it.
4. Specify which product you are installing: Check Point Enterprise/Pro or Check Point Express.
5. Enter the appropriate number to select a management-server installation:
For Check Point Express, enter 2 to select SmartCenter Express.
For Check Point Enterprise/Pro, enter 2 to select the distributed option.
6. (Check Point Enterprise/Pro only) Enter 2 to select Enterprise SmartCenter.
7. (Check Point Enterprise/Pro only) Specify whether this management server will be the primary or secondary server.

Enter 1 for primary if you:
Are not using the Check Point Management High Availability feature.
Are using the Check Point Management High Availability feature and this is the first SmartCenter server you are installing.

Enter 2 for secondary if you are using the Check Point Management High Availability feature and this is the second SmartCenter server you are installing. This server will take over from the primary server should the primary server fail.

8. Enter y to add a license and fill in the license information, or enter n to complete the license information later.


9. Define an initial administrator name and password. The initial administrator name and password you enter here allow you to log in to the SmartCenter server from the SmartDashboard. This administrator has full read/write permissions, allowing you to further add or modify administrators using the SmartDashboard. Administrators you define with the SmartDashboard can be issued a certificate for authentication, which provides a more secure means of authentication than the simple username used for the initial administrator. Check Point recommends that once you log on to the SmartDashboard, you create a new administrator with full read/write permissions, generate a certificate for the new administrator, and delete the initial administrator created by cpconfig.

10. Identify the SmartConsole hosts that can access the SmartCenter server. You can have as many SmartConsole clients on as many desktops as you desire. However, you need to provide the IP address or name of each client host to cpconfig before the clients can access the SmartCenter server. Specify at least one SmartConsole host. You can rerun cpconfig at any time to add additional client hosts.

11. Specify the name of a group for which you want to grant permissions. Enter return to specify no group.

12. As part of configuring the internal certificate authority, type random text at a random pace until you hear a beep. The timing latency between your keystrokes is used to generate cryptographic data. Certificates are used for secure internal communication (SIC) between the SmartCenter server and the enforcement modules.

13. Choose whether to save the fingerprint of the SmartCenter server to a file. To save the fingerprint, type y and provide the name of the file. The SmartCenter server fingerprint will be displayed the first time a user logs into the SmartCenter server from a particular SmartDashboard host. By comparing the fingerprint displayed with the fingerprint you saved at this step, the user can authenticate the identity of the SmartCenter server.

14. When cpconfig asks if you want to start the installed products, enter y. The SmartCenter server will be started, along with the other Check Point applications you enabled in Network Voyager.

To install a VPN-1 Pro NGX IPv6Pack enforcement module

1. Log in to the host from a console or remote terminal connection.
2. At the command prompt, enter cpconfig.


The following text appears:

Welcome to Check Point Configuration Program
=================================================
Please read the following license agreement.
Hit 'ENTER' to continue...

Note: If the text does not appear when you enter cpconfig, you might need to log out of the command-line session and then log back in to set the environmental variables.

3. Press Enter to read the license agreement, and then enter y to accept it. If you are installing the enforcement module on a flash-based platform, skip to step 7.

4. Specify which product you are installing: Check Point Enterprise/Pro or Check Point Express.

5. Enter the appropriate number to select an enforcement module installation:
For Check Point Express, enter 1 to select VPN-1 Express Gateway.
For Check Point Enterprise/Pro, enter 2 to select the distributed option.

6. (Check Point Enterprise/Pro installations only) Enter 1 to select VPN-1 Pro Gateway or 5 to select VPN-1 Pro Gateway and Enterprise Log Server.

7. Enter y or n to the prompt:

Is this a Dynamically Assigned IP Address gateway installation ? (y/n) [n] ?

8. If the gateway is a VRRP virtual router member or IP cluster member, enter y in response to the following prompt:

Would you like to install a Check Point clustering product (CPHA, CPLS or State Synchronization)? (y/n) [n] ?

9. Enter y to add a license and fill in the license information, or enter n to complete the license information later.

10. Specify the name of a group for which you want to grant permissions. Enter return to specify no group.

11. As part of configuring the certificate authority, type random text at a random pace until you hear a beep. The timing latency between your keystrokes is used to generate cryptographic data. Certificates are used for secure internal communication (SIC) between the management server and the enforcement modules.

12. Enter an activation key of your own choosing that will be used to establish secure internal communication between the management server and this enforcement module. The activation key must be longer than four characters.


When you use the SmartDashboard to initialize secure internal communications between the management server and this enforcement module, you will be asked to provide this activation key.

13. When cpconfig asks if you want to reboot the system, enter y. After the system reboots, an initial firewall policy is installed. Unless you previously modified the initial policy, all remote access to the platform is blocked, except for the management server. For information on how to regain remote terminal access or Network Voyager access, see “About the Initial Firewall Policy” on page 19.

Enabling SecureXL

For all Nokia IP security platforms except the IP2250, SecureXL is disabled by default. Rerun the cpconfig utility to enable SecureXL.

To enable SecureXL

1. Log in to the host from a remote terminal or console connection.
2. At the command prompt, enter cpconfig.
3. Enter the number next to Enable Check Point SecureXL.
4. Enter y to enable SecureXL.

Enabling IPv6 Support

If you have IPv6 addresses already configured when you install NGX IPv6Pack, IPv6 support is automatically enabled on disk-based platforms. On flash-based platforms, you must install the IPv6Pack bootstrap replacement fix to enable IPv6 support.

For information on manually enabling/disabling IPv6 support and on installing the IPv6Pack bootstrap replacement fix on flash-based platforms, see IPv6 for Check Point Software for VPN-1 Pro NGX IPv6Pack.


5 Installing SmartConsole NGX IPv6Pack

This chapter describes how to install Check Point SmartConsole NGX IPv6Pack on a Microsoft Windows system. You can install SmartConsole on as many systems as you desire.

Note: You must use SmartConsole NGX IPv6Pack to manage VPN-1 Pro NGX IPv6Pack gateways. You cannot use SmartConsole NGX R60.

SmartConsole is a collection of clients. The clients include:
SmartDashboard—used by the system administrator to define and manage the security policy. From this SmartConsole you can access many Check Point features and add-ons.
SmartView Tracker—used for managing and tracking logs and alerts throughout the system.
SmartView Monitor—used to monitor and generate reports on traffic on interfaces, VPN-1 Pro and QoS modules, as well as on other Check Point system counters.
SmartUpdate—used to manage and maintain a license repository.
SecureClient Packaging Tool—used to define user profiles for SecuRemote/SecureClient clients.
Eventia Reporter—used to generate reports for different aspects of network activity.
SmartLSM—used for managing large numbers of ROBO Gateways using SmartCenter server.

To install SmartConsole NGX IPv6Pack on a Windows platform

1. Close any Check Point applications running on the Windows platform.
2. Download the SmartConsole NGX IPv6Pack software into a temporary folder on the Windows computer. The SmartConsole software is available at the Check Point Downloads Web site at http://www.checkpoint.com.
3. Unzip the file, and double-click setup.exe. The Installation Wizard opens. Click Next on each screen to accept the default values.

After you install SmartConsole, make sure that the SmartDashboard can connect to the SmartCenter server.


To test the connection

1. Double click on the SmartDashboard icon.

The following login window appears:

2. Enter the administrator username and password you specified when you configured the SmartCenter server with cpconfig.

3. In the SmartCenter server field, enter the IP address of the SmartCenter server. Select the Read Only option if you want to allow others access to the SmartCenter server while you view information.

4. Click OK. SmartDashboard connects to the SmartCenter server. Because this is the first time SmartDashboard has connected from this Windows host, it displays a Fingerprint Verification window:


5. Compare the fingerprint shown with the fingerprint displayed by cpconfig during the initial configuration of the SmartCenter server.

6. Click Approve if the fingerprints match.

Refer to the SmartCenter User Guide, available at the Check Point Documentation Downloads site at www.checkpoint.com, for more information on how to use SmartDashboard for creating managed objects, such as gateways, networks, and services, for creating policies, and for installing policies on VPN-1 Pro NGX IPv6Pack gateways.


6 Upgrading to VPN-1 Pro NGX IPv6Pack

This chapter describes how to upgrade a Nokia platform to VPN-1 Pro NGX IPv6Pack from an existing Check Point installation. You can upgrade from the following Check Point versions:

VPN-1 Pro NGX (R60)
VPN-1 Pro NG for IPSO 3.8 (R55p)
VPN-1 Pro NG (R55W)
VPN-1 Pro NG with Application Intelligence (R55)
VPN-1/FireWall-1 NG with Application Intelligence (R54)
NG FP3

For information on how to upgrade to VPN-1 Pro NGX IPv6Pack on other platforms, see the Check Point VPN-1 Pro NGX IPv6Pack Upgrade Guide.

The major topics in this chapter are:
Obtaining the Software
About Upgrading a Management Server
About Upgrading an Enforcement Module
About Upgrading SmartConsole
Upgrading Using the Package
Upgrading Using the NGX IPv6Pack Add On
Enabling IPv6 Support
Installing HotFix Accumulators on Flash-based Platforms
Uninstalling the IPv6Pack Add On
Reverting to Previous Check Point Versions


Obtaining the Software

Before you begin the upgrade, download the necessary software:

Your platform must be running IPSO 3.9 or 4.0. If it is not, you can find the latest builds of IPSO, along with their release notes and user documentation, at the Nokia support Web site. Later versions of IPSO might also be supported. See the Nokia support Web site for the latest information on which IPSO releases are supported.

Note: On flash-based platforms, you can have a maximum of two IPSO images installed at a time.

The Check Point software, documentation, and release notes are available in the Downloads section of the Check Point Web site at http://www.checkpoint.com. Which Check Point packages you should download depends on what version of Check Point you are currently running and what kind of platform you have:

If your disk-based platform is already running NGX R60, you need to download only the NGX IPv6Pack Add On.
If your disk-based platform is running a version previous to NGX R60, download the NGX IPv6Pack wrapper. The wrapper automatically installs NGX R60 and then the NGX IPv6Pack Add On.
If your flash-based platform is already running NGX R60, download the NGX IPv6Pack Add On and the IPv6Pack bootstrap replacement fix.
If your flash-based platform is running a version previous to NGX R60, do not use the NGX IPv6Pack wrapper. Instead, download the VPN-1 NGX R60 package for flash-based platforms (not the NGX R60 comprehensive package), the NGX IPv6Pack Add On, and the IPv6Pack bootstrap replacement fix. Nokia recommends you also download and install CPInfo NGX R60.
Regardless of Check Point installation or platform type, download SmartConsole NGX IPv6Pack.

Note: On flash-based platforms, you can have a maximum of two Check Point versions installed at a time.

Table 4 summarizes what to download for installation on your platform.


About Upgrading a Management Server

The following instructions apply to upgrading a Nokia platform hosting a management server, either in a standalone or distributed deployment.

If you are upgrading a SmartCenter high availability deployment, see the Check Point VPN-1 Pro NGX IPv6Pack Upgrade Guide for information on how to synchronize the servers during the upgrade.

Note: When you upgrade a standalone deployment, the default security policy will be loaded after the upgrade. The default policy blocks all remote access to the host, except by the SmartCenter server. You must push your security policy to the host after the upgrade to regain access to it.

To regain Network Voyager or SSH access to the host before you push the security policy, see “About the Initial Firewall Policy” on page 19.

1. If the platform is not already running IPSO 3.9 or 4.0, you must upgrade your IPSO image. You can obtain the release notes and the .tgz file for the IPSO version you choose from the Nokia support Web site. The release notes contain instructions for upgrading the IPSO image.

2. If you are upgrading from a release prior to NGX R60, upgrade your license before you upgrade to NGX IPv6Pack. For details, see “Upgrading VPN-1 Pro/Express Licenses” in The Upgrade Guide for NGX R60 from Check Point.

3. Upgrade to NGX IPv6Pack as follows:
If you are upgrading from NGX R60, install the NGX IPv6Pack Add On, as described in “Upgrading Using the NGX IPv6Pack Add On” on page 38.
If you are upgrading from a version previous to NGX R60, install the IPv6Pack wrapper as described in “Upgrading Using the Package” on page 35.

Table 4 Check Point Software to Download

NGX R60 Installed?  Type of Platform  Check Point Software to Download  Description
Yes                 Disk-Based        IPv6Pack Add On                   Upgrades NGX R60 to NGX IPv6Pack
Yes                 Flash-Based       IPv6Pack Add On                   Upgrades NGX R60 to NGX IPv6Pack
                                      IPv6Pack Bootstrap Fix            Enables IPv6 features on flash-based platforms
No                  Disk-Based        NGX IPv6Pack Wrapper              Upgrades to NGX R60 and to NGX IPv6Pack
No                  Flash-Based       VPN-1 Pro/Express NGX R60         Upgrades to NGX R60
                                      IPv6Pack Add On                   Upgrades NGX R60 to NGX IPv6Pack
                                      IPv6Pack Bootstrap Fix            Enables IPv6 features on flash-based platforms
                                      CPInfo NGX R60                    Installs the CPInfo tool.

About Upgrading an Enforcement Module

The following instructions apply to upgrading a Nokia platform hosting an enforcement module only.

You can upgrade an enforcement module by either:

Performing a fresh installation of NGX IPv6Pack. Instructions for performing a fresh install are in Chapter 3, “Installing VPN-1 Pro NGX IPv6Pack.”
Upgrading the existing Check Point installation. How you do so differs according to the type of platform, disk-based or flash-based, as described in the following two procedures.

If you have a clustered deployment and need to perform the upgrade with zero downtime, see The Upgrade Guide for NGX R60 for information on how to do so.

Note: When you upgrade an enforcement module, the default security policy will be loaded after the upgrade. The default policy blocks all remote access to the host, except by the SmartCenter server. You must push your security policy to the host after the upgrade to regain access to it.

To regain Network Voyager or SSH access to the host before you push the security policy, see “About the Initial Firewall Policy” on page 19.

To upgrade a disk-based platform

1. If the platform is not already running IPSO 3.9 or 4.0, you must upgrade your IPSO image. You can obtain the release notes and the .tgz file for the IPSO version you choose from the Nokia support Web site. The release notes contain instructions for upgrading the IPSO image.

2. Upgrade to NGX IPv6Pack as follows:
If you are upgrading from NGX R60, install the NGX IPv6Pack Add On, as described in “Upgrading Using the NGX IPv6Pack Add On” on page 38.
If you are upgrading from a version previous to NGX R60, install the IPv6Pack wrapper package as described in “Upgrading Using the Package” on page 35.


To upgrade a flash-based platform

1. If the platform is not already running IPSO 3.9 or 4.0, you must upgrade your IPSO image. You can obtain the release notes and the .tgz file for the IPSO version you choose from the Nokia support Web site. The release notes contain instructions for upgrading the IPSO image.

2. If your platform is already running NGX R60, skip to step 3. Otherwise, upgrade your platform to NGX R60 by installing the VPN-1 NGX R60 package for flash-based platforms, as described in “Upgrading Using the Package” on page 35.

3. Install the NGX IPv6Pack Add On, as described in “Upgrading Using the NGX IPv6Pack Add On” on page 38.

About Upgrading SmartConsole

You must install the NGX IPv6Pack version of the SmartConsole. You cannot use the standard Check Point NGX R60 SmartConsole to manage VPN-1 Pro NGX IPv6Pack gateways. For information on how to install SmartConsole, see Chapter 5, “Installing SmartConsole NGX IPv6Pack.”

After you install SmartConsole NGX IPv6Pack and upgrade the enforcement modules, update the version information for the upgraded enforcement modules as follows:

1. Using SmartDashboard NGX IPv6Pack, log on to the SmartCenter server that controls the upgraded enforcement module.
2. Open the gateway object properties window for the upgraded enforcement module and change the version to NGX R60.
3. Perform a policy install on the enforcement module.

Upgrading Using the Package

This section describes how to install:

The NGX IPv6Pack wrapper on disk-based platforms
The VPN-1 NGX R60 package on flash-based platforms

To upgrade by using newpkg

Note: On flash-based platforms:

If you plan to install from the local filesystem (that is, download the package to the platform first and then install from that directory), Nokia recommends that you use /var/tmp or a directory you create in /var as your installation directory. The installation files will be automatically deleted when you reboot the system, freeing up space in flash memory.


If you plan to install from an FTP server, Nokia recommends that you delete the contents of /preserve/opt/tmp before and after you perform the installation. newpkg uses this directory to store packages while installing them. Use the following command to delete the directory contents:

rm -R /preserve/opt/tmp

1. Log in to the platform with a console connection.

2. Enter newpkg to start the package installation script.

   The following options appear:

      1. Install from CD-ROM.
      2. Install from anonymous FTP server.
      3. Install from FTP server with user and password.
      4. Install from local filesystem.
      5. Exit new package installation.

3. Enter the number (1 through 4) next to the installation method to use, or enter 5 to exit.

4. The installation script guides you through the rest of the upgrade process.

   If you are installing from your current working directory in the local filesystem, you can enter a period (.) when asked for the pathname to the packages.

   Make sure that you select option 2 (Upgrade from an old package) when the package name is displayed.

5. When the upgrade is finished, log off, then log back on to set the environmental variables.

6. To confirm the upgrade, see the procedure “To confirm the upgrade” on page 37.

To upgrade using Nokia Network Voyager

1. In Network Voyager, navigate as follows:

   IPSO 3.9: System Configuration > Manage Installed Packages > FTP and Install Packages
   IPSO 4.0: Configuration > System Configuration > Packages > Install Package.

2. Enter the host name or IP address of the FTP site where you downloaded the package.

3. Enter the directory name where the files reside on the FTP site.

4. Enter the user account and password to use when you connect to the FTP site and click Apply.

   If you leave these fields empty, the anonymous account is used.

   Note: If you specify a user account and password, you must re-enter the password whenever you change the FTP site, FTP directory, or FTP user on future requests.

   A list of files from the specified FTP directory appears in the Site Listing field.

5. Select a file from Site Listing, then click Apply.


   After the download completes, the package appears in the Select a Package to Unpack box.

6. Select the package, then click Apply.

   The package is unpacked into the local file system.

   Note: The version field in the package information always shows 3.9, even when you are installing this package on a later IPSO version.

7. Click the Click here to install/upgrade /opt/packages/packagename link.

8. Click the radio button next to Upgrade and then select the package to upgrade from. Click Apply.

   Wait until Nokia Network Voyager refreshes this page with a link to the Manage Packages screen.

9. Click the link to return to the Manage Packages screen.

   The installation of the applications within the NGX IPv6Pack wrapper can take several minutes to complete: as long as 10 to 20 minutes on some platforms.

   During the initial installation phase, the wrapper appears under the Security Applications heading. If you wait several minutes and click Apply, a warning message appears telling you that the installation is still in progress as the wrapper continues to unpack and install the Check Point applications in the package.

   You can click Apply to refresh the page and monitor the installation process. When the installation is complete, the warning message disappears and the Check Point NGX R60 application packages appear in the installed packages section.

10. Confirm the upgrade is correct as described in “To confirm the upgrade.”

To confirm the upgrade

Note: NGX IPv6Pack packages have the same names as the Check Point NGX R60 packages and are installed in the NGX R60 directories.

Note: Starting with NGX R60, the SVN Foundation, FloodGate-1, and Policy Server components are no longer installed as separate application packages. Instead, they are included as part of the VPN-1 Pro/Express package.

1. On the Manage Packages page in Network Voyager, confirm that the Check Point VPN-1 Pro/Express NGX R60 package appears under Security Applications and is enabled.

   If the package is not enabled, click On, and then click Apply and Save.


2. Enable any of the other Check Point packages you want to have enabled and click Apply and Save.

3. If you are logged on to the platform with a console connection, log off and then log on again. When you enable the packages, Network Voyager sets new shell environmental variables that are necessary for executing firewall commands. However, they do not take effect until the next time you log on. For this reason, you need to log off after you enable the packages.

4. From a console connection to the platform, rerun cpconfig to ensure that the configuration has been maintained or to install a license, if desired.

5. Reboot the platform if it hosts an enforcement module.

Upgrading Using the NGX IPv6Pack Add On

You must have NGX R60 installed and enabled before you can install the NGX IPv6Pack Add On.

To install the NGX IPv6 Add On

1. Download the NGX IPv6Pack Add On to your platform.

   Note: Nokia recommends that on flash-based platforms, you do not download the IPv6Pack Add On to your home directory in /var. Files in user home directories are preserved after reboots and consume valuable space in flash memory. Instead, download to /var/tmp or create a directory in /var and install the IPv6Pack Add On from there. The installation files will be automatically deleted when you reboot.

2. Change your working directory to the directory containing the IPv6Pack Add On package.

3. Extract the files from the archive file.

4. Execute the IPv6Pack Add On file:

./fw1_HOTFIX_Dimona_596000082_1

5. Reboot the platform.

Enabling IPv6 Support

If you have IPv6 addresses already configured when you install NGX IPv6Pack, IPv6 support is automatically enabled on disk-based platforms. On flash-based platforms, you must install the IPv6Pack bootstrap replacement fix to enable IPv6 support.

For information on manually enabling/disabling IPv6 support and on installing the IPv6Pack bootstrap replacement fix on flash-based platforms, see IPv6 for Check Point Software for VPN-1 Pro NGX IPv6Pack.


Installing HotFix Accumulators on Flash-based Platforms

Nokia recommends you follow these guidelines when installing HFAs on flash-based platforms:

• Do not download the HFAs to your home directory. Files in user home directories are preserved after reboots and consume valuable space in flash memory. Instead, download to /var/tmp or create a directory in /var and install the HFA from there. The installation files will be automatically deleted when you reboot after installing the HFA.
• After you extract the HFA files from the archive .tgz file, delete the archive file and then install the HFA as described in the HFA release notes.
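The staging guidance for flash-based platforms (the HFA guidelines above and the similar note for the IPv6Pack Add On: keep the archive out of the home directory, delete it after extraction) can be written as a shell function. This is an added example, not code from the Nokia guide; the function name stage_archive is hypothetical, the entry-name check before extraction is an added precaution the guide does not describe, and a tar that supports -z is assumed.

```shell
#!/bin/sh
# Added example (not from the Nokia guide). Stages an HFA or Add On archive as
# the flash-based guidance describes: outside the home directory, with the
# archive deleted after extraction. The entry-name check is an extra precaution.

# stage_archive ARCHIVE   (hypothetical helper name)
# Returns 0 on success, 1 if the archive is missing, 2 if it sits under $HOME,
# 3 if it cannot be read or holds absolute or ".." entry names.
stage_archive() {
    archive=$1
    [ -f "$archive" ] || return 1

    # Resolve the directory holding the archive and the home directory.
    dir=$(cd "$(dirname "$archive")" && pwd -P) || return 1
    home=$(cd "$HOME" && pwd -P) || return 1

    # Files in home directories survive reboots and consume flash space.
    case "$dir/" in
        "$home"/*) return 2 ;;
    esac

    # List entries before extracting; refuse names that would land outside $dir.
    names=$(tar -tzf "$archive") || return 3
    if printf '%s\n' "$names" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 3
    fi

    # Extract next to the archive, then delete the archive to free space.
    (cd "$dir" && tar -xzf "$(basename "$archive")") || return 3
    rm -f "$archive"
}
```

A refused archive is left in place so it can be inspected or removed by hand.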

Uninstalling the IPv6Pack Add On

To uninstall the NGX IPv6Pack Add On, execute the following uninstall script:

/opt/CPsuite-R60/uninstall_fw1_HOTFIX_Dimona

Note: The above procedure works on disk-based platforms only.

Reverting to Previous Check Point Versions

If you need to revert to a previous Check Point version after upgrading to NGX IPv6Pack, use the following procedure.

To revert to a previous version

1. From the IPSO Image Management page in Network Voyager, select the previous IPSO image and reboot.

   When you revert to the previous image, IPSO automatically reverts to using the saved configuration set associated with that image.

2. On the Manage Packages page, confirm that the previous versions of Check Point packages are enabled and the NGX IPv6Pack versions are disabled.

Note: On flash-based platforms, the NGX IPv6Pack packages will no longer appear in the Manage Packages page since they were never part of the previous configuration set.

If, after reverting, you wish to upgrade again to NGX IPv6Pack, you will need to manually reselect the correct configuration set as described in the following procedure.


To upgrade again to NGX IPv6Pack

1. From the IPSO Image Management page in Network Voyager, select the IPSO 3.9 or later image and reboot.

2. Using the Configuration Set Management page, select the configuration set associated with the image and then click Save.

   Network Voyager logs you out and you will have to log in again.

3. Reboot the platform.

4. On the Manage Packages page, confirm that the previous versions of Check Point packages are disabled and the NGX IPv6Pack versions are enabled.
