Check Point NG AI

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. If I want to install FloodGate-1 or other add-ons to my firewall, in what order should I install the packages?

2. I installed NG AI Primary SmartCenter on a Nokia appliance, but I can't log in with the Check Point NG management clients. What am I doing wrong?

3. I just upgraded one of my 4.1 firewall modules to NG AI, and it's not able to fetch a policy. What can I do?

4. It doesn't seem like my Nokia is forwarding packets. How do I enable IP forwarding on a Nokia?

5. What are the most important elements of a high-performance SecurePlatform configuration?

Answers

1. If installing from individual files, you should install the SVN foundation first, then VPN-1/FireWall-1 NG, and then FloodGate-1 NG or any other Check Point NG products. The wrapper handles this by presenting you with options in the correct order and installing them according to Check Point's recommendations.

2. Your SmartConsole clients must be on the same build as your SmartCenter Server. Verify that your IP address is listed in the gui-clients file and upgrade your GUI clients to NG with Application Intelligence. If you have applied a hotfix, an updated version of the SmartConsole clients may be required.

3. Verify that you have changed the module's version to NG in its workstation object, and that you have initialized SIC. You may have to push the policy the first time after an upgrade.

4. It should be enabled by default. If you believe that this may have been disabled, use the command ipsofwd on admin to enable IP forwarding on your Nokia. For help with the ipsofwd command, type ipsofwd -help to display the usage.

5. Of course, a fast CPU with ample cache (i.e., the Intel Xeon processor) is very important, but SecurePlatform can take full advantage of multiple processors, so don't be afraid of installing two or more very fast processors. Extra memory is required for handling large numbers of connections. Most times, however, the limitation is the bus of the system. Multiple, fast PCI-X buses are the key to creating a very fast, high-throughput firewall. Refer to Check Point's Platform Selection Guide to see the throughput numbers that different configurations of Dell, HP, IBM, and Sun systems running SecurePlatform yield. To get more out of your current Solaris or Linux installation, license and install the Performance Pack, which replaces the stock kernel with a Check Point-compiled (SunTone-Certified on the Solaris platform) kernel, yielding tremendous gains in performance as well.
