Smart-1 50/150 Getting Started Guide Models: S-30, S-40 23 February 2011
© 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions.
Important Information Latest Documentation The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=10948 For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Health and Safety Information
Read the following warnings before setting up or using the appliance.
Warning - Do not block air vents. A minimum 1/2-inch clearance is required.
Warning - This appliance does not contain any user-serviceable parts. Do not remove any covers or attempt to gain access to the inside of the product. Opening the device or modifying it in any way has the risk of personal injury and will void your warranty.
The following instructions are for trained service personnel only.
Federal Communications Commission (FCC) Statement:
Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
Contents
Important Information
Health and Safety Information
Introduction
Welcome
Smart-1 Overview
Restoring Factory Defaults
Restoring Factory Defaults using the WebUI
Restoring Factory Defaults using the Console
Restoring Using the LCD Panel
Lights Out Management
Chapter 1 Introduction
In This Chapter
Welcome
Smart-1 Overview
Shipping Carton Contents
Terminology

Welcome
Thank you for choosing Check Point’s Smart-1. We hope that you will be satisfied with this solution and our support services. Check Point products provide your business with the most up to date and secure solutions available today.
Shipping Carton Contents
Security Management Software Blades
Smart-1 appliances include the following Security Management Software Blades:
Network Policy Management
Endpoint Policy Management
Logging & Status
SmartProvisioning
Monitoring
User Directory
Management Portal
SmartEvent (IPS Event Analysis, Reporting and Event Correlation)
Multi-Domain Security Management

SmartEvent
Smart-1 includes SmartEvent, which is made up of IPS Event Analysis, Reporting and Event Corre
Terminology
Security Management server: The server used by the system administrator to manage the security policy. The organization’s databases and security policies are stored on the Security Management server and downloaded to the gateway. Smart-1 is a Security Management server.
SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.
Terminology
Name Before R75 | Name Starting with R75 (Used in this Guide)
Multi-domain server (MDS) | Multi-Domain Server
Customer | Domain
Customer Management Add-on (CMA) | Domain Management Server
Customer Log Module (CLM) | Domain Log Server
Multi-Domain Log Module (MLM) | Multi-Domain Log Server
Chapter 2 Rack Mounting Smart-1 50/150 These instructions show how to install Smart-1 50 and 150 in a standard 19 inch rack.
Rack Mounting Hardware and Tools
Important - The Smart-1 appliance is very heavy. To lift and install it:
Two people are required for Smart-1 50.
Three people are required for Smart-1 150.

The distance from the center of any hole to the center of the third hole above it is equivalent to 1U. The mounting holes in a standard 19-inch (482.6 mm) server rack rail are arranged as follows:
When installing appliances, start measuring from the center of the two holes with closer spacing.
Disconnecting the Appliance Rail from the Mounting Bracket
Key | Description | Qty. | Use
(1) | Appliance rail | 2 | Attaches to the Smart-1 50/150 appliance. Both rails are identical.
(2) | Mounting Bracket | 2 | Attaches to the rack vertical rails. Both brackets are identical.
(3) | Screws for Rack Mounting | 8 | Secures the mounting bracket to the rack vertical rails.
(4) | Square washers for rack mounting screws | 8 | Secures the mounting bracket to the rack vertical rails.
2. Press plastic release catch in the direction of the arrow to disconnect the appliance rail from the mounting bracket.

Attaching the Appliance Rails to the Appliance
Attach the Appliance Rails to the Appliance. Use the same appliance rails for Smart-1 50 and for Smart-1 150. You don't need to do this in the server room.
1. Identify the front of an appliance rail. One end of the rail is marked with FRONT.
2.
Attaching the Mounting Brackets to the Rack
You can also use the appliance ear brackets to prevent the appliance from sliding in and out of the rack, by attaching the bracket ears to the rack vertical rail. You don't need to be in the server room to attach the appliance handles or ear brackets to the appliance.
To connect the appliance bracket ears or handles to the front of the appliance:
1. Attach the appliance ear bracket to one side of the appliance. For Smart-1 50 use three screws.
4. Attach the mounting bracket to the rack vertical rail at the back using the same number of screws and washers. Tighten the two screws normally.
5. Go to the front of the rack.
6. Tighten the two screws that attach the mounting bracket to the rack vertical rail.
7. Repeat for the other side of the rack: Attach the mounting bracket to the other side of the rack.

Installing Smart-1 50/150 In the Rack
Carefully install the Smart-1 50/150 in the rack.
1. Line up the appliance rail on the appliance with the mounting bracket rails.
2. Carefully slide the appliance into the mounting bracket rails.
3. Push the appliance in until the appliance locks in the rails.
Chapter 3 Configuring Smart-1
The basic workflow for configuring Smart-1 is:
1. Connect the cables and power on.
2. Perform the initial configuration using the First Time Configuration Wizard.
3. Install the SmartConsole GUI clients.

In This Chapter
Connecting the Power Cables and Power On
Using the First Time Configuration Wizard
Installing the SmartConsole GUI Clients
Advanced Configuration
Migration from Existing Provider-1 Machines

Connecting the Power Cables and Power On
1.
Using the First Time Configuration Wizard
The management interface is marked Mgmt. This interface is preconfigured with the IP address 192.168.1.1.
2. Connect to the management interface by connecting from a computer on the same network subnet as the management interface (for example, with IP address 192.168.1.x and netmask 255.255.255.0). This can be changed later through the management interface.
3.
Network Connections
Configure Network Connections in the Network Connections page. You may modify the Mgmt IP address and connectivity will be preserved. A secondary interface is created automatically to preserve connectivity. This interface can be removed after the wizard is completed in the Network > Network Connections page.

Routing Table
Configure Routing on the Routing Table page.
In the Installation Type page:
Security Management: Configure Smart-1 as a Security Management server with all the management Software Blades, including SmartEvent.
Eventia Suite (SmartEvent and Reporter Suite): Configure Smart-1 as a dedicated server for SmartEvent, and no other Software Blade. SmartEvent and Reporter Suite contains SmartReporter Server, SmartEvent Server, and SmartEvent Correlation Unit.
SmartEvent and SmartReporter Suite Installation Type
Configure the SmartEvent and Reporter Suite applications to run on the server.
SmartEvent: A system that reads logs and generates events based on an Event Policy. An IPS event-only version is also available.
SmartReporter is a system that reads logs and generates statistical and data reports.
Multi-Domain Security Management Settings
The First Time Configuration Wizard screens in this section apply to a Smart-1 with a Multi-Domain Security Management image.
Note - This section uses terminology introduced in R75 ("Multi-Domain Security Management/Provider-1 Terminology" on page 10). The instructions apply to all software versions.
Installing the SmartConsole GUI Clients
Multi-Domain Server Configuration
Primary Multi-Domain Server is the Multi-Domain Server that will normally be active. To set up a Multi-Domain Server in a non-High Availability deployment, choose this option. In a High Availability deployment, if the Primary Multi-Domain Server fails, a Secondary Multi-Domain Server will be available to resume management tasks.
Advanced Configuration
4. If Multi-Domain Security Management is deployed, follow the same procedure to download the SmartDomain Manager.
You have now completed the Smart-1 configuration.
To start working with your Smart-1 appliance as a Security Management Server, refer to the Security Management Server Administration Guide.
To start working with your Smart-1 appliance as Multi-Domain Security Management, refer to the Multi-Domain Server Administration Guide.
Migration from Existing Provider-1 Machines
# $MDS_SYSTEM/install/mds_import.sh
4. Start the mds. Note that the first start-up of the mds after import takes considerably longer than subsequent start-ups.
Chapter 4 Configuring SmartEvent
This section explains how to get up and running with SmartEvent.

In This Chapter
Preparing SmartEvent on Security Management Server
Preparing SmartEvent on the Multi-Domain Server
Enabling Connectivity with Multi-Domain Security Management
Configuring the SmartEvent Clients

Preparing SmartEvent on Security Management Server
To configure SmartEvent, first establish connectivity between the components.
1. Launch SmartDashboard.
2.
Enabling Connectivity with Multi-Domain Security Management
2. In SmartDashboard, create a new host for each computer that contains a component of SmartEvent:
a) Select Manage > Network Object > New > Check Point > Host
b) In the General Properties window, click Communication and enter the activation key.
Note - If the Multi-Domain Server and SmartEvent are installed on different sides of the firewall, add a rule that allows SIC traffic between them.
Configuring the SmartEvent Clients
Defining Correlation Units and Log Servers for SmartEvent
1. From the Policy view of the SmartEvent Intro client, select General Settings > Initial Settings > Correlation Units.
2. Select Add.
3. Click the button of the Correlation Unit field.
4. In the Select Objects window, select a Correlation Unit.
Note - In a Multi-Domain Security Management environment, add the log servers for each CMA.
5. Click OK.
6.
Chapter 5 Smart-1 Hardware This chapter provides instructions for installing and removing hardware components on the Smart-1 appliance.
Smart-1 50 Front Panel
Key | Description
1 | LCD display screen
2 | Screen operation keys
3 | USB ports
4 | Console port - for a serial connection to the appliance using a terminal emulation program such as HyperTerminal
5 | LOM (Lights-out Management) port
6 | Management configuration port
7 | Built-in Ethernet ports (Lan1-Lan3)
8 | Slot for optional fiber channel SAN card. For setup instructions see sk43364 (http://supportcontent.checkpoint.
Smart-1 150 Front Panel
Key | Description
1 | USB ports
2 | LOM (Lights-out Management) port
3 | Console port - for a serial connection to the appliance using a terminal emulation program such as HyperTerminal
4 | Management configuration port
5 | Built-in Ethernet ports (Lan1-Lan3)
6 | Slot for optional fiber channel SAN card. For setup instructions see sk43364 (http://supportcontent.checkpoint.com/solutions?id=sk43364).
Customer Replaceable Parts
Menu Options
Menu | Sub-menu | Purpose
Network | Set MGMT IP | Set the management interface's IP address
Network | Set Netmask | Set the management interface's network mask
Network | Set Default GW | Set the management interface's default gateway
System | Reboot | Reboot the appliance

When Entering an IP Address
To Press
Move to the next digit
Move back to the previous digit
Approve the change when cursor is located on the last digit
Cancel the IP change when cursor is located on the first digit
Removing the Power Supply
To remove a power supply unit:
1. If the power supply alarm sounds, press the red alarm button to the right of the power supply. This will stop the alarm.
2. Remove the power cord.
3. Loosen the retaining screw located above the power socket.
4. Pull the extraction handle to remove the power supply unit.
Note - Use only the extraction handle to remove the power supply unit.
Removing a Hard Drive
Any single hard disk can be safely removed without risking the integrity of the RAID array or compromising the data. The hard disk drives are numbered 1-4 on Smart-1 50 from left to right, and 1-12 on Smart-1 150 from left to right, top to bottom. The upper left hard drive is #1, upper right hard drive is #4. On Smart-1 150 the lower right hard drive is #12.
5. Make sure that the additional hard drives have been inserted correctly and are recognized by the system by running the command
/sbin/raidconfig status
6. Stop all Check Point processes by running cpstop or mdsstop
7. Stop all other processes that are using /var/log. To see a list of these processes, run
lsof /var/log
8. Add the additional storage to the file system by running the command
/sbin/raidconfig extendstorage

In the event that the storage extension process fails:
1.
Chapter 6 Restoring Factory Defaults You may restore the factory default images on the appliance using the WebUI, a console connection application (such as HyperTerminal) or the LCD panel. Important - Restoring factory default images will delete all information on the appliance including images, backup files, and logs.
Restoring Using the LCD Panel
To restore the Smart-1 appliance to its default factory configuration using the LCD Panel keys:
1. Reboot or power on the appliance.
2. When the countdown begins, press any of the arrow keys. The Boot menu appears.
3. Using the arrow buttons, scroll to the relevant option:
Reset to SMC FCD - for Security Management Server and then press the UP arrow.
Reset to PV-1 FCD - for Multi-Domain Security Management and then press the UP arrow.
4.
When the appliance has been restored to its default factory configuration, the appliance reboots and the Initializing message appears.
Chapter 7 Lights Out Management This chapter discusses the Lights-Out Management (LOM) integrated card that is supplied with the Smart-1 50/150 appliance and basic configuration options.
Basic Configuration Options
The options in the main menu on the LOM home page enable you to access the following basic configuration options:
Remotely control the appliance
Remotely control the power of the appliance
Manage LOM card users
Configure LOM keyboard/mouse settings
Configure LOM network settings
Set date and time
Define a LOM login message

Remotely Controlling the Appliance
The Appliance Control menu option enables you to access the applian
Managing LOM Card Users
You can create, modify, and delete users. You can also assign privileges to users.
To create a user:
1. Click the LOM User Management menu option. The User Management page appears.
2. Select a row and click Create. The User Add dialog box appears.
3. Enter the following:
User name: a user name (up to fourteen characters)
Password: a password for the login name. It must be at least 5 and no more than 14 characters long.
Relative (for Linux)
3. Click Apply Changes.

Configuring LOM Settings
The network settings option enables you to change the default IP address and other basic network settings of the LOM card.
To configure LOM network settings:
1. Click the LOM Settings menu option and select Network.
2. Select Static and enter the following values.
IP address: the IP address of the LOM.
Subnet mask: the subnet mask of the LOM’s local network.
Chapter 8 Registration and Support
In This Chapter
Registration
Support
Where to From Here?

Registration
Smart-1 requires a specific license to operate. Obtain a license and register (http://register.checkpoint.com/cpapp). The MAC address required to obtain a license is found on the Information > Appliance Status page of the WebUI.

Support
For additional technical information about Check Point products, consult the Check Point Support Center (http://supportcenter.checkpoint.com).