Introduction
The Nokia IPSO platform is a specialised hardware platform with a NetBSD-based operating system, which can be combined with the CheckPoint VPN-1 software platform to deploy highly available firewall platforms. The Nokia platform portion of the solution delivers a hardened OS, dedicated and accelerated hardware, clustering and redundancy, and advanced dynamic routing capability. The combination of Nokia IPSO technology and CheckPoint VSX is known as NMDS 5.0. The IPSO platform was originally built to provide Layer 3 switching functionality, and was unsuccessful in competition with hardware solutions from vendors such as Cisco, but has since been architected to use these high-speed packet handling and switching capabilities to complement the CheckPoint VPN-1 kernel architecture. This can best be seen in the flows technology, which is introduced in the SecureXL topic below and discussed at length in the IPSO and CheckPoint Integration topic.
These pages primarily deal with CheckPoint NGX on the IPSO platform, and act as a kind of pocket reference guide for administrators who work with these appliances. The information on these pages is far from authoritative, but oftentimes beats flicking through 600-page Nokia manuals!
Readme - Things you should know first
- VSX Dos and Don'ts - A general list of things you should keep in mind when working with VSX environments
- IPSO and CheckPoint Integration - Information on how the two platforms are linked together to provide high performance firewall appliances.
Administrative Processes
- installation - Installation of a new IPSO device for VSX
- reset - How to reset a VSX gateway (in case of a configuration issue or conversion from standalone <-> VRRP)
- restoring a vsx gateway - Using the vsx_util reconfigure command to push a gateway configuration to a new (or re-installed) node
Administration and Debugging Tools
- bootmanager - Dealing with the IPSO boot manager
- clish - Very useful command-line shell for monitoring or modifying IPSO platform hardware and software.
- cpconfig - CheckPoint Configuration Tool - Add/remove licenses, enable SNMP, re-establish SIC, disable SecureXL
- dbset/dbget - Utilities for examining or modifying the IPSO configuration database (which is modified by Voyager)
- ipsctl - Debug IPSO Platform
- objectfiller - Using object filler and dbedit to script large object additions.
- vsx_config - Build a VSX Cluster, Create Virtual Switches, Configure VRRP, Clean VRRP off an interface.
- vsx_util - Using vsx_util to reinstall configuration and policy on new IPSO devices.
- Troubleshooting Commands - How to obtain system information or troubleshoot connectivity issues
Important Concepts
- SecureXL - CheckPoint's connection acceleration technology.
- Rulebase and Performance Optimisation - Best practices and tips on how to optimise your firewall's performance
- NHM (Nokia Horizon Manager) - Management framework for configuration management, monitoring and deployment.
Testing
- SPLAT on VMware - How to do testing and proof of concept using SPLAT on VMware