Troubleshooting guide
Advanced Technical Reference Guide 4.1 • June 2000
Chapter 4 Troubleshooting Routers and Embedded Systems
Introduction
A VPN-1/FireWall-1 enforcement point is a machine or device that enforces at least some part of the Security
Policy. An enforcement point can be a workstation, router, switch or any machine that can be managed by a
Management Module by installing a Security Policy or an Access List.
This chapter provides additional information about routers and embedded systems, not covered in the User
Guides.
VPN-1/FireWall-1 can communicate with Nortel and Xylan routers. The section of this chapter that deals with
Nortel concentrates on how to operate and debug Nortel routers, and on the related VPN-1/FireWall-1 commands.
The shorter section on Xylan routers offers solutions to common problems.
Management Server Architecture
The Check Point Management Server Architecture can centrally manage multiple platforms and Embedded
Systems simultaneously. The interaction between the Router/switch and the Management Server (or Control Module)
is the key relationship to understand: the Security Policy is compiled on the Management Server and then downloaded
to the Firewall Module located on the Router/switch.
[Figure 1: Management Server Architecture. The Management Server (Control Module) holds the User and Network
Databases and the Log Files, and downloads the Rule Base to the enforcement points. Its FWM process talks to the
GUI Clients; its FWD process talks to the firewalls: the Firewall Module on the Router/switch and the Firewall
Modules on SUN, HP and Windows NT hosts. Bay Networks Site Manager is shown alongside the Router/switch.]
Figure 1. General architecture of the interaction between Management Server (Control Module) and the
Firewall Module on the Embedded System
Management Server to Embedded Firewall Communications
• S/Key authentication scheme between the Management Server and the Embedded System
• The Router (Embedded System) sends log information back to the Management Server on TCP port 257
• The Management Server downloads the Rule Base to the Embedded System on TCP port 256
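The mechanism behind the "S/Key authentication scheme" bullet, as an added example that is not Check Point code and is not taken from this guide. The page does not say which hash, seed format or framing VPN-1/FireWall-1 uses on port 256; the block assumes the generic RFC 2289 form (MD5, seed lower-cased and prepended to the pass phrase, 128-bit digest folded to 64 bits) and checks itself against the RFC 2289 test vectors. The server-side `SkeyVerifier` class and the `demo_exchange` driver are illustrative names chosen here, not Check Point APIs; the pass phrase and seed are the RFC's constructed test values.

```python
"""S/Key-style one-time-password chain as described in RFC 2289 (MD5 variant).

Added example, not Check Point code. It shows why an S/Key exchange between a
Management Server and an Embedded System resists replay: the server stores
only the last accepted one-time password, the client proves knowledge of the
pass phrase by presenting the previous link in a backwards-running hash chain,
and a captured value cannot be turned into the next one.
Assumption: Check Point's variant is not documented on this page; the generic
RFC 2289 MD5 form is used here.
"""
import hashlib
from typing import List, Tuple


def fold_md5(digest: bytes) -> bytes:
    """RFC 2289 folding: XOR the two 8-byte halves of a 16-byte MD5 digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def skey_step(value: bytes) -> bytes:
    """One link of the chain: hash the previous value and fold the result."""
    return fold_md5(hashlib.md5(value).digest())


def skey_otp(passphrase: str, seed: str, count: int) -> bytes:
    """Return the 8-byte one-time password for sequence number `count`.

    The seed is lower-cased before concatenation, as RFC 2289 requires.
    Sequence 0 is the initial key crunch alone; sequence N applies the
    hash-and-fold step N further times.
    """
    value = skey_step((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        value = skey_step(value)
    return value


def skey_otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hex form matching the RFC 2289 test-vector table (upper-case, no spaces)."""
    return skey_otp(passphrase, seed, count).hex().upper()


class SkeyVerifier:
    """Server side (hypothetical name): holds only the last accepted OTP, never the pass phrase."""

    def __init__(self, seed: str, count: int, last_otp: bytes) -> None:
        self.seed = seed
        self.count = count          # sequence number of `last_otp`
        self.last_otp = last_otp

    def challenge(self) -> Tuple[int, str]:
        """Sent to the client: the sequence number it must answer with, and the seed."""
        return self.count - 1, self.seed

    def verify(self, presented: bytes) -> bool:
        """Accept `presented` only if one hash step maps it onto the stored OTP."""
        if self.count <= 1:
            return False            # chain exhausted: a new seed/pass phrase must be installed
        if skey_step(presented) != self.last_otp:
            return False            # wrong pass phrase, wrong sequence, or a replayed value
        self.count -= 1
        self.last_otp = presented   # the accepted value becomes the new anchor
        return True


def demo_exchange(passphrase: str = "This is a test.", seed: str = "TeSt",
                  start: int = 99, rounds: int = 3) -> List[bool]:
    """Run `rounds` consecutive logins, then attempt a replay; return the verdicts.

    Inputs are the constructed RFC 2289 test values, not real credentials.
    """
    server = SkeyVerifier(seed, start, skey_otp(passphrase, seed, start))
    results = []
    for _ in range(rounds):
        n, s = server.challenge()
        results.append(server.verify(skey_otp(passphrase, s, n)))
    # Replaying the most recently accepted OTP must be rejected.
    results.append(server.verify(server.last_otp))
    return results


if __name__ == "__main__":
    print(skey_otp_hex("This is a test.", "TeSt", 99))
    print(demo_exchange())
```

The operational consequence for a Management Server and an Embedded System is that both sides must hold the same seed and sequence state: if either side is re-initialised or falls out of step, every `verify` fails and the Rule Base download on port 256 is refused until the shared secret is re-established on both ends.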