High-End Security Product Suite
Getting Started Guide
Version NGX R65
702024
January 30, 2008
CheckPoint_R65_HighEnd_Security_Products_GettingStarted.book Page 1 Wednesday, January 30, 2008 2:53 PM
© 2003-2007 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part of
this product or related documentation may be reproduced in any form or by any means without prior
written authorization of Check Point. While every precaution has been taken in the preparation of
this book, Check Point assumes no responsibility for errors or omissions. This publication and
features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
©2003-2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor,
Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express
CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra
Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa,
DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia
Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection
Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity
SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC,
OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle
Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home,
Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform
Feedback
Chapter 2
Introduction
Overview
For New Check Point Customers
What's New in the High-End Security Suite
  Provider-1/SiteManager-1
  VPN-1 Power VSX
  Management Plug-Ins
Chapter 3
Getting Started
Provider-1 Terminology
VSX Terminology
High-End System Requirements
Compatibility Table
Supported Upgrade Paths and Interoperability
  Upgrading Management Servers
  Backward Compatibility For Gateways
Licensing
  Licensing Provider-1/SiteManager-1
  VSX-CMA Bundle Licenses
  For More Information
  Upgrading Licenses
Chapter 4
Performing a New Installation
Overview
Installing and Configuring Provider-1/SiteManager-1
  Overview
Thank you for choosing the Check Point High-End Security Suite. We
hope that you will be satisfied with this security solution and the
service that Check Point provides.
Check Point delivers Worldwide Technical Services including
educational, professional and support services, through a network of
authorized training centers, certified support partners, and a variety of
Check Point resources.
In order to extend your security infrastructure as your network and
application security requirements grow, Check Point recommends
using OPSEC (Open Platform for Security), the industry leader in
open, multi-vendor security frameworks. OPSEC has over 350
partners and guarantees the widest range of best-of-breed integrated
applications and deployment platforms.
To obtain more information about this and other security solutions,
refer to: or call us at 1(800) 429-4391.
For additional technical information, refer to:
.
Welcome to the Check Point family. We look forward to meeting all of
your current and future network and application security and
management needs.
Chapter 1 High-End Security Suite
In This Guide
This guide provides:
• A brief overview of the High-End Security Suite applications
• Installation procedures
Documentation
Technical documentation is available on your distribution CD-ROM at:
CD2\Docs\CheckPoint_Suite
enforcement points. This enhanced functionality provides IT
organizations and executive management with full visibility
over their entire security environment.
The current version includes expanded intelligent inspection
technologies in VPN-1 Power, which incorporate additional
application support into state-of-the-art Stateful-Inspection
and Application Intelligence technologies.
Overview
For New Check Point Customers
What's New in the High-End Security Suite
For New Check Point Customers
For new Check Point customers, the Check Point User Center can
help you:
• Manage Users & Accounts
• Activate Products
• Get Support Offers
• Open Service Requests
• Search the Technical Knowledge Base
To access the Check Point User Center, go to:
What's New in the High-End Security Suite
The following sections offer a brief overview of the advancements
offered by NGX R65.
In This Section:
account in the MDG. With access to Global SmartDashboard, a
Global Manager is capable of managing global policies and
global objects. For a Global Manager to have additional access
to CMA policies, read-write or partial access rights must be
specifically assigned.
VPN-1 Power VSX
VPN-1 Power VSX provides the ability to:
• Distribute Virtual Systems on different members of a cluster,
effectively spreading the Virtual System traffic load within the
cluster, with ClusterXL Virtual System Load Sharing.
• Manage the processing power of a VSX machine, with Resource
Control.
• Control the network quality of service in the VSX network
environment, with Check Point Lightweight QoS Enforcement.
It also introduces support for a range of network interface cards and
servers.
For complete details on what’s new in this version, and for the latest
technical information, refer to the VPN-1 Power VSX NGX Scalability
Pack Release Notes, available at:
Management Plug-Ins
NGX R65 introduces an additional infrastructure that enables the use
of management plug-ins. The new plug-ins architecture introduces the
ability to dynamically add new features and support for new products.
Management plug-ins offer central management of gateways and
features not supported by your current NGX R65 SmartCenter or
Provider-1/SiteManager-1. Management plug-ins supply new and
separate packages that consist only of those components necessary
whose networks are protected by VPN-1 gateways, VPN-1 UTM
Edge appliances or other Check Point compatible firewalls.
Customer security policies and network access are managed
using Provider-1/SiteManager-1.
• Customer Log Module (CLM): A log server for a single customer.
• Customer Management Add-On (CMA): The Provider-1
equivalent of the SmartCenter server for a single customer.
Through the CMA, an administrator creates security policies and
manages the customer gateways.
• GUI Client: A computer running one or more of the
SmartConsole applications, for example, the Provider-1 MDG.
• Internal Certificate Authority (ICA): The component that creates
and manages X.509 compliant certificates for Secure Internal
Communication (SIC), site-to-site VPN communication (between
VPN-1 gateways), and the authentication of administrators and
users.
• The MDS has an ICA that secures the Multiple Domain
Server (MDS) domain.
• Each CMA has its own ICA to secure its customer’s
management domain.
• Multi-Domain Server (MDS): The MDS houses Provider-1 system
information including details of the Provider-1 deployment, its
administrators and customer management data. There are two
types of MDSes: the Manager, which runs the Provider-1
deployment, and the Container, which holds the Customer
Management Add-Ons (CMA). The Manager is the
administrator’s entry point into the Provider-1 environment. An
VSX Terminology
The following VPN-1 Power VSX (VPN-1 Power VSX NGX Scalability
Pack) terms are used throughout this manual:
• Virtual Router: An independent routing domain within a VSX
gateway that functions like a physical router. It is used to direct
packets arriving at the VSX gateway through a shared interface
to the relevant Virtual System or to direct traffic arriving from
Virtual Systems to a shared interface or other Virtual Systems.
• Virtual Switch: A virtual entity that provides layer-2 connectivity
between Virtual Systems and connectivity to a shared interface.
As with a physical switch, each Virtual Switch maintains a
forwarding table with a list of MAC addresses and their
associated ports.
• Virtual System: A routing and security domain featuring firewall
and VPN capabilities. Multiple Virtual Systems can run
concurrently on a single VSX gateway, isolated from one another
by their use of separate system resources and data storage.
High-End System Requirements
For Provider-1/SiteManager-1 and VPN-1 Power VSX NGX hardware
and software system requirements, see the R65 Release notes at:
Compatibility Table
If the existing Check Point implementation contains products that are
not supported by NGX, the NGX installation process terminates.
Table 3-1 and Table 3-2 list the NGX R65 supported Check Point
products and clients by platform.
(SP1-4)
2000 Professional (SP1-4)
XP Home & Professional
kernel 2.4.21
SecurePlatform
IPSO 4.1 - 4.2
VPN-1 Power / UTM X XXX X X 1 X 2
SmartCenter Server X XXX XX X 3
Provider-1/SiteManager-1 Server (MDS) X X 4 X
VPN-1 Power VSX X 12
VPN-1 Accelerator Driver III X XXX XX
VPN-1 Accelerator Driver IV X X X
Advanced Routing X X 13
Performance Pack XX X 14
SecureXL Turbocard X 15
OSE Supported Routers Nortel Versions: 7.x, 8.x, 9.x, 10.x, 11.x, 12.x, 13, 14
Cisco OS Versions: 9.x, 10.x, 11.x, 12.x
Microsoft Windows
Platform and Operating System
5. VPN-1 Power VSX gateways are also supported on Crossbeam
Systems X-Series Security Services Switches.
6. Eventia Suite includes Eventia Reporter Server, Eventia Analyzer
Server, and the Eventia Analyzer Correlation Unit.
7. UserAuthority is not supported on Nokia flash-based platforms.
8. The following SmartConsole clients are not supported on Solaris
UltraSPARC platforms: SmartView Monitor, SmartLSM, Eventia
Reporter Client, Eventia Analyzer Client, and the SecureClient
SecuRemote X X X
SecureClient X X X X
SecureClient Mobile X
SSL Network Extender X XX
Windows
Operating System
Supported Upgrade Paths and Interoperability
Management servers and gateways exist in a wide variety of
deployments. Consult Table 3-3 and Table 3-4 to determine which
versions of your management server and gateways can be upgraded to
NGX R65.
Upgrading Management Servers
Table 3-3 The following MDS versions can be upgraded to NGX R65:
Release  Version
NGX      VPN-1 Power/UTM NGX R62
         VPN-1 Pro/Express NGX R61
         VPN-1 Pro/Express NGX R60A
         VPN-1 Pro/Express NGX R60
NG       VPN-1 Pro NG R55W
         VPN-1 Pro/Express NG With Application Intelligence R55
         VPN-1 Pro/Express NG With Application Intelligence R54
Backward Compatibility For Gateways