How to Install a Check Point on a Blue Coat X-Series Chassis using an Installation Package (CBI) on a VAP Group

After discussing the creation of VAP groups and Circuits on Blue Coat’s X-Series under XOS in my previous posts, we can now install the application from a CBI.

The following steps are required for a Check Point installation. For this post I chose a standalone R67 VSX security gateway as an example.

Before installing the Check Point CBI, you should:

 


    1. Run the show application command to view the available CBI files.
    2. Run the following command to start the installation of the application: application <application name from the selection above> vap-group <VAP_group_name> install
    3. The installation wizard prompts you for the following information (most prompts take ‘y’ or ‘n’).
    4. Do you accept the license agreement? (Choose ‘y’ or ‘n’)
    5. Enter the interface name from which you want to manage the VSX system. Make sure the corresponding circuit has a valid increment-per-vap IP address assigned to it.
    6. Enter the Secure Internal Communication (SIC) key below.
    7. Enter local license information? (Choose ‘y’ or ‘n’. The local license is the license for the module; answering ‘n’ applies a trial license.)
    8. Install Performance Pack? (Choose ‘y’ or ‘n’)
    9. Install Dynamic Routing? (Choose ‘y’ or ‘n’)
    10. Enable High Availability/State Synchronization? (Choose ‘y’ or ‘n’. For HA, answer ‘y’; you are then prompted to enter the synchronization circuit name.)
    11. The installation process of VSX will begin.
    12. When the installation is finished, run the following command: reload vap-group <vap group name>
    13. Additional VSX configuration can be done using Check Point SmartDashboard with the Management IPs assigned to the VAP.
    14. To check the status of the applications running on VAP groups, run the following command: show application vap-group <VAP group name>
    15. The output of this command includes the status of the VAPs (Initializing, Up, Down, etc.).

And that’s it! In my next post, I will cover additional configuration of VSX using Check Point SmartDashboard.

Blue Coat Setting up VAPs Crossbeam

Recently I’ve invested some time integrating indeni with our newly supported Blue Coat’s X-series chassis (previously known as Crossbeam). So here are a few tips on setting up VAPs on Crossbeam. Blue Coat X-Series Chassis is designed to run applications from third-party security software vendors (for example, Check Point) on VAPs (Virtual Application Processes). A Blue Coat Chassis supports up to 14 VAPs and is divided into three types of hardware blades or modules:

  • Network Processor Module (NPM)
  • Control Processor Module (CPM)
  • Application Processor Module (APM)

The setup of the security modules is managed by the CPM. The CPM CLI allows defining and running the security modules on the APMs through VAP (Virtual Application Processing) groups. These are essentially security software virtual modules that can be allocated to run on APMs dynamically.

 

Initial Setup to Create VAP Groups on Blue Coat

 

To create a VAP group in XOS using the CLI, run the following commands in sequence:

configure vap-group <vap group name> <xslinux_v3/v5/v5_64/xsve>

There are 4 different Linux versions; make sure the Linux version is supported by the APM:

Version            Supported APMs
xslinux_v3         APM-8600/8650
xslinux_v5         APM-8600/8650, APM-9600
xslinux_v5_64 *    APM-8600/8650, APM-9600
xsve **            APM-9600

* The choice between xslinux_v5 and xslinux_v5_64 depends on the target application’s requirements; XOS prompts you for the correct version when you install the application on the VAP group.

** Platform that allows non-Linux-based applications to run on APMs.

 

vap-count <count>

vap-count is the number of VAPs (APMs) in this group. For example, in Check Point (standalone) security gateway this would be set to 1; for a cluster it would be set to 2.

 

max-load-count <number of APMs to dynamically allocate to>

The maximum number of VAP members loaded in the VAP group; it cannot exceed the vap-count.

 

ap-list <list of potential APMs ap1..ap14>

Assign APMs to support the VAP group. This command specifies the list of APMs to be loaded.

 

load-balance-vap-list <indexes 1..14>

This is a list of VAP indexes that the NPM uses to load balance new flows. By default, the NPM load balances over all the VAPs in the VAP group.

 

ip-flow-rule <flow rule name>

Create the load balancing flow rule for the VAP group.

 

action load-balance

Set flow rule action to load-balance traffic to all available VAP members.

 

activate

Set the activate flag to enable the action.

 

exit

 

Example for Initial Setup:

vap-group r7540cxl xslinux_v5_64
  vap-count 2
  max-load-count 2
  ap-list ap1 ap2 ap3 ap4 ap5 ap6 ap7 ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule r7540cxl_lb
    action load-balance
    activate
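
An added example (not part of the original post and not XOS code): a small Python linter that checks a vap-group stanza against the rules stated above, namely the version/APM support table, max-load-count not exceeding vap-count, and the ap1..ap14 and 1..14 ranges. The slot-to-model inventory and the second stanza are constructed for illustration; XOS itself does not expose the inventory in this form.

```python
import re

# OS version -> supported APM models, copied from the table on this page.
_OLD = {"APM-8600", "APM-8650"}
SUPPORTED = {"xslinux_v3": _OLD, "xslinux_v5": _OLD | {"APM-9600"},
             "xslinux_v5_64": _OLD | {"APM-9600"}, "xsve": {"APM-9600"}}
KEYWORDS = {"vap-group", "vap-count", "max-load-count", "ap-list",
            "load-balance-vap-list", "ip-flow-rule", "action", "activate"}

def parse_vap_group(text):
    """Split a vap-group stanza (one line or many) into {keyword: [args]}."""
    cfg, key = {}, None
    for tok in text.split():
        if tok in KEYWORDS:
            key = tok
            cfg[key] = []
        elif key:
            cfg[key].append(tok)
    return cfg

def lint_vap_group(text, slot_models):
    """Return findings; slot_models maps 'ap1'..'ap14' to an APM model name."""
    cfg, findings = parse_vap_group(text), []
    os_ver = (cfg.get("vap-group", []) + [None, None])[1]
    if os_ver not in SUPPORTED:
        findings.append(f"unknown OS version: {os_ver}")
    vap_count = int(cfg.get("vap-count", ["0"])[0])
    max_load = int(cfg.get("max-load-count", ["0"])[0])
    if max_load > vap_count:
        findings.append(f"max-load-count {max_load} exceeds vap-count {vap_count}")
    for ap in cfg.get("ap-list", []):
        m = re.fullmatch(r"ap(\d+)", ap)
        if not m or not 1 <= int(m.group(1)) <= 14:
            findings.append(f"ap-list entry out of range ap1..ap14: {ap}")
        elif os_ver in SUPPORTED and slot_models.get(ap) not in SUPPORTED[os_ver]:
            findings.append(f"{ap} ({slot_models.get(ap)}) does not support {os_ver}")
    for idx in cfg.get("load-balance-vap-list", []):
        if not idx.isdigit() or not 1 <= int(idx) <= 14:
            findings.append(f"load-balance-vap-list index out of range 1..14: {idx}")
    return findings

# Constructed inputs: the page's example stanza, a deliberately bad stanza, a made-up inventory.
PAGE_EXAMPLE = ("vap-group r7540cxl xslinux_v5_64 vap-count 2 max-load-count 2 "
                "ap-list ap1 ap2 ap3 ap4 ap5 ap6 ap7 ap8 ap9 ap10 load-balance-vap-list "
                "1 2 3 4 5 6 7 8 9 10 ip-flow-rule r7540cxl_lb action load-balance activate")
BAD = "vap-group fw1 xsve vap-count 1 max-load-count 2 ap-list ap3 ap15 load-balance-vap-list 1 20"
INVENTORY = {**{f"ap{i}": "APM-9600" for i in range(1, 11)}, "ap3": "APM-8650"}
if __name__ == "__main__":
    print(lint_vap_group(PAGE_EXAMPLE, INVENTORY), lint_vap_group(BAD, INVENTORY), sep="\n")
```
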

 

When you’ve finished configuring the VAPs, it is recommended that you save the config by running the following command:

copy running-config startup-config

 

To view the allocation of VAPs on the APMs, run the following command. It displays the VAP group to APM mapping and gives you a quick indication of which VAP groups are running on which APMs:

show ap-vap-mapping

 

As part of indeni’s monitoring of Blue Coat’s XOS, we:

  • Compare the VAPs as defined under the vap-group section of the configuration with the output of show ap-vap-mapping. If indeni finds VAPs that are defined but not running, we alert you.
  • Run show application vap-group periodically for all the VAPs that are set up. If indeni finds VAPs that have a status different than ‘Up’, we alert you.