SP OS deployment

Deploy an SP setup

The lab includes two chassis, each with two SSM modules and one SGM module.

SGM - the special Check Point module-blades that run the FW or VSX instance. It is important to know that ALL the SGM blades in the same "Security Group", on ALL chassis in the setup, carry a copy of the same FW/VSX instance and are reachable through the single SMO IP address of the Active SGM blade. The SGMs use the Check Point CARRIER license.

SSM - the special Check Point switch that carries the synchronization traffic between the SGM modules as well as the external traffic. SSM switches require a special license (CPMP-MEDIA-1-NGX or CPMP-EVAL-NGX) that must be requested from Check Point.

Note: clones of the same SSM switches can be used in any SP setup because each setup sits in its own isolated network environment.



Topology:

Infrastructure requirements:

Open an IT ticket in Jira for new Virtual Switches and Port Groups for the SP platform.

Create the vSwitch and its Port Groups as below.

Ensure that the Security settings (Promiscuous mode, MAC address changes, Forged transmits) are permitted, and that VLAN ID is set to All (4095), on the vSwitch and on all its Port Groups. These settings let the VMs see and source traffic for other MAC addresses on the vSwitch, which is acceptable only because the vSwitch is dedicated to this isolated setup.

Note: the vSwitch and its Port Groups cannot be shared with another setup.

Name convention of vSwitch:

CP-<version>SP-<FW/VSX>-VSW

Name convention of the Port Groups:

CP-<version>SP-PXE-<FW/VSX>-PG
CP-<version>SP-<FW/VSX>-PG
CP-<version>SP-<FW/VSX>-SSM11_B11-PG
CP-<version>SP-<FW/VSX>-SSM12_B11-PG
CP-<version>SP-<FW/VSX>-SSM21_B21-PG
CP-<version>SP-<FW/VSX>-SSM22_B21-PG
CP-<version>SP-<FW/VSX>-SYNC1-PG
CP-<version>SP-<FW/VSX>-SYNC2-PG



SSM

Open a ticket with IT to create 4 VMs for the SSMs: you can clone an existing SSM VM or create new ones.

Ask Check Point for the special SSM license (CPMP-MEDIA-1-NGX or CPMP-EVAL-NGX) for each SSM module.

Links to the VM and ESXi config files on S3:

https://indeni-devices-files.s3-eu-west-1.amazonaws.com/CheckPoint/61K+Lab/SSM-disk1.vmdk

https://indeni-devices-files.s3-eu-west-1.amazonaws.com/CheckPoint/61K+Lab/SSM.mf

https://indeni-devices-files.s3-eu-west-1.amazonaws.com/CheckPoint/61K+Lab/SSM.ovf



CHASSIS 1:

Name convention: CP-<version>SP-<FW/VSX>-SSM1-1

Network adapter1: CP-<version>SP-PXE-<FW/VSX>-PG

Network adapter2: CP-<version>SP-<FW/VSX>-SSM11_B11-PG

Network adapter3: Not active

Network adapter4: Not active

Network adapter5: CP-<version>SP-<FW/VSX>-SYNC1-PG



Name convention: CP-<version>SP-<FW/VSX>-SSM1-2

Network adapter1: CP-<version>SP-PXE-<FW/VSX>-PG

Network adapter2: CP-<version>SP-<FW/VSX>-SSM12_B11-PG

Network adapter3: Not active

Network adapter4: Not active

Network adapter5: CP-<version>SP-<FW/VSX>-SYNC2-PG



CHASSIS 2:

Name convention: CP-<version>SP-<FW/VSX>-SSM2-1

Network adapter1: CP-<version>SP-PXE-<FW/VSX>-PG

Network adapter2: CP-<version>SP-<FW/VSX>-SSM21_B21-PG

Network adapter3: Not active

Network adapter4: Not active

Network adapter5: CP-<version>SP-<FW/VSX>-SYNC1-PG



Name convention: CP-<version>SP-<FW/VSX>-SSM2-2

Network adapter1: CP-<version>SP-PXE-<FW/VSX>-PG

Network adapter2: CP-<version>SP-<FW/VSX>-SSM22_B21-PG

Network adapter3: Not active

Network adapter4: Not active

Network adapter5: CP-<version>SP-<FW/VSX>-SYNC2-PG



SSM Setup:

a. Login (admin/admin)

b. From the ESXi console connection, run in CLISH:

>set interface eth0 ipv4-address <SSM IP> mask-length <mask>    (this IP must belong to your management network)
>set interface eth0 state on
>set static-route default nexthop gateway address <default gateway> on
>save config

c. Enable the license (use the CPMP-MEDIA-1-NGX or CPMP-EVAL-NGX license obtained from Check Point).

d. In the Expert shell, run "setup" and follow the instructions (for Advanced Mode use 'ssmconfig -a'); choose the 0-General option during the setup.
Note: During the setup you will be asked for the last octet of your SMO IP (for example, if the SMO IP is 10.11.94.100, enter 100). Make sure this is indeed the last octet of the SMO IP that you will configure later on.

e. After the SSMs come back from the reboot, run "fwaccel stat" and verify that SecureXL is enabled.

f. Run "fw getifs" and verify that both eth0 and eth0.4090 are configured as follows:
[Expert@Gaia]# fw getifs
localhost eth0 172.23.52.221 255.255.255.0 ===> your IP address to reach the SSM from your workstation
localhost eth0.4090 220.0.0.101 255.255.255.0 ===> backplane connectivity with the SGMs: <last_octet_of_SMO>.0.0.<chassis_id-blade-id>
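The check in step f can be scripted so it fails loudly when the backplane VLAN is missing or its first octet does not match the SMO last octet entered during "setup". This is an added example, not part of the deployment doc; it assumes the Gaia Expert shell where "fw getifs" prints lines in the format shown above, and only compares the first octet (the chassis/blade part of the address is not derived here).

```shell
#!/bin/sh
# Added example (not from the deployment doc): verify the SSM backplane
# interface after "setup". Usage on a real SSM:  fw getifs | check_backplane 220
# For offline use, feed the constructed sample below instead.

# Constructed sample in the "fw getifs" format quoted in the doc.
SAMPLE_GETIFS='localhost eth0 172.23.52.221 255.255.255.0
localhost eth0.4090 220.0.0.101 255.255.255.0'

# check_backplane <smo_last_octet>   (reads "fw getifs" output on stdin)
# Returns 0 only if eth0 and eth0.4090 are both configured and eth0.4090
# lies in <smo_last_octet>.0.0.0/24, i.e. <last_octet_of_SMO>.0.0.x.
check_backplane() {
  want="$1"; have_eth0=0; have_bp=0; bp_ip=""
  while read -r host ifname ip mask; do
    case "$ifname" in
      eth0)      have_eth0=1 ;;
      eth0.4090) have_bp=1; bp_ip="$ip" ;;
    esac
  done
  [ "$have_eth0" -eq 1 ] || { echo "FAIL: eth0 is not configured"; return 1; }
  [ "$have_bp" -eq 1 ]   || { echo "FAIL: eth0.4090 (backplane VLAN) is missing"; return 1; }
  first="${bp_ip%%.*}"            # first octet of the backplane address
  if [ "$first" != "$want" ]; then
    echo "FAIL: backplane $bp_ip does not match SMO last octet $want (rerun setup)"
    return 1
  fi
  echo "OK: eth0 present, backplane $bp_ip matches SMO last octet $want"
  return 0
}

# Offline run against the constructed sample (SMO last octet 220).
printf '%s\n' "$SAMPLE_GETIFS" | check_backplane 220
```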

From CLISH, change the admin password and add the indeni user (uid 0 makes indeni a second root-equivalent account, so protect its password like the admin password):

>set user admin shell /bin/bash
>set user admin password
>add user indeni uid 0 homedir /home/indeni
>set user indeni shell /bin/bash
>set user indeni password
>save config



SMO/SGM VMs:

Open a ticket with IT to create 2 VMs, one for the SMO and one for the SGM.

Link to R80.20SP SMO/SGM ISO file on S3:

https://indeni-devices-files.s3-eu-west-1.amazonaws.com/CheckPoint/61K+Lab/Check_Point_R80.20SP_Gaia.iso

Prepare ONE Check Point CARRIER license bound to the SMO IP; all the blades use the same IP because they are clones of the SMO.



Name convention: CP-<version>SP-SGM (the name is the same for all SGMs; the chassis automatically adds an identifier to each blade in the same Security Group, such as "ch01-1" for chassis #1 blade #1).



VM SMO Network Adapters:

Network adapter 1: Checkpoint Vlan

Network adapter 2: CP-<version>SP-PXE-<FW/VSX>-PG

Network adapter 3: CP-<version>SP-<FW/VSX>-SSM11_B11-PG

Network adapter 4: CP-<version>SP-<FW/VSX>-SSM12_B11-PG



VM SGM Network Adapters:

Network adapter 1: Checkpoint Vlan

Network adapter 2: CP-<version>SP-PXE-<FW/VSX>-PG

Network adapter 3: CP-<version>SP-<FW/VSX>-SSM21_B21-PG

Network adapter 4: CP-<version>SP-<FW/VSX>-SSM22_B21-PG



1. SMO Configuration:

From the ESXi console connection, log in (admin/admin) and run "#pre_sysconfig" on the SMO (this simulates Chassis 1 and SGM ID 1_1).

On the SMO, configure interface eth1-Mgmt4 with an IP on the management network and set the default gateway. You will establish SIC to this IP address from the SmartDashboard connected to your Management Server. In CLISH:

>set interface eth1-Mgmt4 ipv4-address <mgmt ip> mask-length <mask>
>set interface eth1-Mgmt4 state on
>set static-route default nexthop gateway address <default gateway IP> on
>save config



Connect to the SMO via the WebUI at https://<mgmt IP> (user admin/admin) and run the First Time Wizard.

Create the VSX/FW object in SmartDashboard with the SMO IP ONLY.

Install policy (the member should turn to the ACTIVE state at this point).

Add members to the security group in GCLISH:

> add smo security-group <member ids>    (e.g. 2_1 for chassis #2, SGM blade #1)



2. SGM Configuration:

From the ESXi console connection, log in (admin/admin) and run "#pre_sysconfig" on the second SGM, configuring chassis #2 and blade #1 (this simulates Chassis 2 and SGM ID 2_1).

If the SSM switches are configured and connected properly, after around 30 minutes and a few reboots SGM 2_1 will have the same configuration as the SMO.



3. Run "#asg monitor" on the SMO and the SGM to verify the chassis HA status.