IPv6Pack R70. Administration Guide


IPv6Pack R70 Administration Guide
29 July 2010

2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS and FAR.

TRADEMARKS: Refer to the Copyright page for a list of our trademarks. Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.

Important Information

Latest Version
The latest version of this document, and additional technical information, are available from the Check Point Support Center.

Revision History
Date         Description
07/29/2010   Initial version

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to cp_techpub_feedback@checkpoint.com (subject: feedback on IPv6Pack R70 Administration Guide).

Contents

Important Information
The Check Point IPv6 Solution
    Dual Stack for IPv4 and IPv6
    Accessing the IPv6 Kernel
Working with IPv6 in SmartConsole
    Creating an IPv6 object
    Partial Address Based Filtering
        Partial-Destination-v6
        Partial-Source-v6
    IPv6 Rules
    IPv6 in SmartView Tracker
    IPv6 Services
        Predefined ICMPv6 Services
        IPv6 in IPv4 Intra Tunnel Inspection
        IPv6 Protocols vs. IPv4 Protocols
        Traceroute IPv6
        IPv6 Extension Headers
    Disabling IPv6
Check Point Features for IPv6
    Anti Spoofing IPv6 Addresses
    IPS and IPv6
        Securing Sequence Verifier
        Securing Port Scanning
        Aggressive Aging
        IPv6 Security
    IPv6 Clustering
        ClusterXL High Availability
        Configuring IPv6 Clustering
    SecureXL for IPv6
        Example: fwaccel6 stat
        Example: fwaccel6 templates
        Example: fwaccel6 stats
    CoreXL for IPv6
        IPv6 Implementation of CoreXL
        Default Configuration of CoreXL
        Configuring CoreXL
        Checking the Status of CoreXL
    VPN for IPv6
        IPSec and IKE
        Public Key Infrastructure
        Configuring VPN Domains
        Configuring VPN Communities
        Configuring Link Selection
        VPN Commands for IPv6

The Check Point IPv6 Solution

The Check Point architecture enables a smooth and secure migration to IPv6. Support for the firewall, including platforms, features, and licenses, has been extended to provide IPv6 integration and interoperability.

Dual Stack for IPv4 and IPv6

Many networks still rely on IPv4, and certain applications cannot be upgraded to or modified for IPv6. It is therefore important that IPv6 integration allows coexistence with, and continued support of, IPv4. Dual Stack was developed for this reason.

Dual Stack consists of both an IPv4 and an IPv6 stack in a router, host or other network device. It handles IPv4 and IPv6 traffic simultaneously, with communications established on a per-connection basis. When IPv6 support is activated on a Security Gateway, the gateway runs two separate kernel filtering drivers: one inspecting IPv4 traffic and the other inspecting IPv6 traffic. The gateway can also communicate with IPv6 hosts using IPv6 applications via the complete IPv6 stack on the remote machine.

On a host, an IPv6-capable application communicates with IPv4 nodes through the IPv4 stack and with IPv6 nodes through the IPv6 stack. The stack is chosen according to the IPv4 or IPv6 destination address supplied by the user or returned by DNS resolution. On a router, IPv6 datagrams are forwarded (or dropped) by the IPv6 processes, and IPv4 datagrams are forwarded (or dropped) by the IPv4 processes.

The central aim of Dual Stack is coexistence of IPv6 and IPv4, so that IPv6 can be established as a full IPv6 network without changing existing IPv4 implementations.

Accessing the IPv6 Kernel

All regular fw commands communicate with the IPv4 kernel. To access the IPv6 kernel, use the fw6 command; examples are fw6 ver and fw6 tab. Because the two kernels are separate drivers, a kernel parameter or table change made through fw applies to the IPv4 kernel only; the IPv6 kernel must be addressed with the fw6 equivalent.

The following are examples of commands that support IPv6:

fw6 ver

Description: Displays the major and minor version number and build number.

Syntax: fw6 ver [-k] [-f <filename>]

Parameters:
    -k              Print the version name and build number of the kernel module.
    -f <filename>   Print the version name and build number to the specified file.

fw6 tab

Description: Enables you to view kernel table contents and change them (only dynamic tables, since the content of a static table is indeed static).

The Check Point IPv6 Solution Page 5

Syntax: fw6 tab [-t <table>] [-s] [-c] [-f] [-o <filename>] [-r] [-u | -m <maxvals>] [[-x | -a] -e <entry>] [-y] [hostname]*

Parameters:
    -t <table>      Specifies a table for the command.
    -s              Displays a short summary of the information in the kernel table(s).
    -y              Does not prompt the user before executing any commands.
    -f              Displays a formatted version of the table content. Every table may have its own specific format style.
    -o <filename>   Dumps CL formatted output to filename, which can later be read by fw log or any other entity that can read FW log formats.
    -c              Displays formatted table information in common format.
    -r              Resolves IP addresses in formatted output.
    -x, -a, -e      Add (-a) or remove (-x) an entry from an existing dynamic table. These flags must be followed by the -e flag and an entry description (<entry>).
    [hostname]      A list of one or more targets. When omitted, the local machine is the default target.

Comments: If the table has the expire attribute, entries added using the -a flag receive the default table time-out. Adding and removing entries works only on the local machine's kernel tables, not on a remote machine's tables as other fw tab operations do. The -x flag can be used without the -e flag, in which case the entire table content is deleted. This feature should only be used for debugging. It is not advisable to arbitrarily change the content of any kernel table; doing so may have unexpected results, including unexpected security and connectivity impacts.

Working with IPv6 in SmartConsole

IPv6 host and network objects can be created in SmartDashboard and used in the Rule Base as source and destination. Rules containing both IPv4 and IPv6 objects in the Source and Destination columns are supported. Creating and managing IPv6 objects is performed in the same way as for IPv4 network objects.

Note - IPv6 objects can only be created if a valid IPv6 license is installed on the Security Management Server.

Two types of IPv6 objects are supported:
    Host
    Network

Creating an IPv6 object

To create an IPv6 object:
1. If no IPv6 object exists yet: in the objects tree, right-click Network Objects and select New > Others > IPv6 > IPv6 Host or IPv6 Network.
   If an IPv6 object already exists: in the objects tree, right-click Network Objects and select New > IPv6 > IPv6 Host or IPv6 Network.
2. For a Host object, enter the object name and the IPv6 address (for example, IPv6 address: 2000::ab4:11).
   For a Network object, enter the network address and prefix length (for example, IPv6 address: 2000::ab4:11, Prefix Length: 64).
   Note - All Check Point Gateways, including ones with IPv6 enabled, are defined using a regular IPv4 object.
3. Click OK to complete the process. The IPv6 object appears in the Network Objects tree.

Partial Address Based Filtering

Partial Address Based Filtering filters an IPv6 address according to part of the address: a packet matches if the value found within a defined bit range of the address equals the configured value. To use Partial Address Based Filtering, apply one or both of the following services of type Other to the relevant rules within the security policy:
    Partial-Source-v6
    Partial-Destination-v6

These services filter source and destination addresses respectively. The address value, start offset and mask length are defined in the Advanced > Match field of each service.

Partial-Destination-v6

The following INSPECT macro is found in the Advanced > Match field:
    PARTIAL_DST_ADDR_MATCH6(0x0,0x0,0x0,0x0,0,0)
The first four arguments are the 128-bit address value as four 32-bit words; the last two are the start offset and mask length in bits. For example, if the specification is changed to
    PARTIAL_DST_ADDR_MATCH6(0x0,0x0,0x11aa22bb,0x0,64,32)
the service matches connections whose destination address carries the value 0x11aa22bb in the 32 bits starting at bit offset 64 (that is, in the third 32-bit word of the address).

Partial-Source-v6

The following INSPECT macro is found in the Advanced > Match field:
    PARTIAL_SRC_ADDR_MATCH6(0x0,0x0,0x0,0x0,0,0)
For example, if the specification is changed to
    PARTIAL_SRC_ADDR_MATCH6(0x0,0x0,0x11aa22bb,0x0,64,32)
the service matches connections whose source address carries the value 0x11aa22bb in the 32 bits starting at bit offset 64.

IPv6 Rules

To create an IPv6 rule, use IPv6 object(s) in the rule in the same way you would an IPv4 object. For example, to accept and log IPv6 FTP connections from host alice_v6 to host bob_v6, define the following rule:
    Figure 0-1 Rule: Accept and Log IPv6 Traffic
Rules whose Source or Destination is Any apply to both IPv4 and IPv6 packets. For example, the following rule drops all IPv4 and IPv6 telnet packets:
    Figure 0-2 Rule: Drop IPv4 and IPv6
Because Any matches both address families, a rule that is meant to apply to one family only must use explicit IPv4 or IPv6 objects rather than Any.

IPv6 in SmartView Tracker

IPv6 logs can be viewed in SmartView Tracker, and a predefined selection for IPv6 is also available. To see the IPv6 logs, select the IPv6 Source and IPv6 Destination addresses in the query properties.

IPv6 Services

Predefined ICMPv6 Services

The following ICMPv6 services are defined by default under ICMP services:
    ICMPv6 echo-request6
    ICMPv6 neighbor-advertisement
    ICMPv6 neighbor-solicitation
    ICMPv6 router-advertisement
    ICMPv6 router-solicitation

Define an ICMPv6 Service

To report errors encountered when processing packets, and to perform other Internet-layer functions (for example, diagnostics), define an ICMPv6 service as follows:
1. Select Services > New > ICMP service > ICMPv6. The ICMPv6 service window appears.
2. Enter the relevant information and click OK.

Inspection of Unknown ICMPv6 Codes

By default, the Security Gateway inspects only a set of known ICMPv6 services. Inspection of unknown ICMPv6 codes can be enabled by setting the Security Gateway kernel parameter fw_allow_unknown_icmpv6 to 1 and then defining the codes in the Rule Base. To set the parameter to 1, run:
    fw6 ctl set fw_allow_unknown_icmpv6 1
Note - A value set with fw6 ctl set does not survive a reboot. To add the parameter permanently in Linux, add "fw_allow_unknown_icmpv6=1" to the $FWDIR/modules/fwkern.conf file; create the file if it does not exist.

ICMPv6 services can be allowed in the security Rule Base using the ICMPv6 service type, which filters ICMPv6 by type and code. To use an ICMPv6 service in the Rule Base, drag and drop it into the Service column of the rule you want to affect.

IPv6 in IPv4 Intra Tunnel Inspection

R70 IPv6Pack allows Full Intra Tunnel Inspection of SIT (IPv4 protocol 41) traffic: IPv6 data encapsulated inside IPv4 SIT packets is fully inspected by the Firewall engine. The encapsulated IPv6 packets pass a full Firewall Rule Base policy and an IPS policy. This is done by decapsulating the SIT packet to reveal the inner IPv6 packet and re-injecting the decapsulated IPv6 packet into the Firewall-1 engine. This process is enabled by the SIT_with_Intra_Tunnel_Inspection service, found in SmartDashboard > Services > Other.

When the SIT_with_Intra_Tunnel_Inspection service is used in a SmartDashboard rule, the inner IPv6 traffic is inspected: it goes through the Rule Base again, so the IPv6 rules that govern the tunnelled traffic can be defined in the same Rule Base. The following is an example of such a rule base:

If the plain SIT service is used instead of SIT_with_Intra_Tunnel_Inspection, the inner IPv6 packet is not inspected; only the outer IPv4 protocol-41 packet is matched.

IPv6 Protocols vs. IPv4 Protocols

Where an IP protocol number should be allowed for IPv6 but not for IPv4, or vice versa, use the macros IPV4_MATCH and IPV6_MATCH in the Match field of the Other service. For example, to allow protocol number 100 for IPv6 only, write IPV6_MATCH in the Match field.

Traceroute IPv6

Create a new service of type Other with IP protocol 17 and the match string:
    IPV6_MATCH, uh_dport > 33000, ip_ttl6 < 30
This matches the UDP probes traceroute sends to high destination ports with a low hop limit.

IPv6 Extension Headers

By default, only fragmentation headers are supported. It is possible to allow the following extension headers; however, no content inspection whatsoever is performed on the extension headers themselves (inspection is performed on the next protocol as usual):
1. EXTHDR_ROUTING (43)
2. EXTHDR_HOPOPTS (0)
3. EXTHDR_DSTOPTS (60)
4. EXTHDR_AH (51)
5. EXTHDR_MOBILE (135)
To allow any of these extension headers, edit the file $FWDIR/lib/table.def from the CLI on the Security Management Server: uncomment (remove the "/*" and "*/") and edit the following line, leaving in the set only the headers you need:
    /* allowed_ipv6_extension_headers = { <EXTHDR_ROUTING>, <EXTHDR_HOPOPTS>, <EXTHDR_DSTOPTS>, <EXTHDR_AH>, <EXTHDR_MOBILE> };*/
Install the policy after saving the edited file. Because allowed extension headers are passed without inspection, allow only those the network actually requires; the Type 0 Routing header in particular was deprecated (RFC 5095) because of its use in amplification attacks.

Disabling IPv6

To disable IPv6 on an IPv6-enabled Security Gateway:
1. Run: $FWDIR/scripts/fwipv6_enable off
2. Delete the S11ipv6 file from /etc/rc.d/rc3.d.
3. Reboot.

To disable IPv6 functionality completely, remove the IPv6 license from the Security Management Server and disable IPv6 on all IPv6-enabled Security Gateways.
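The following is an added example, not code from the guide or from Check Point: a minimal Python model of three inspection steps this chapter describes, so their behaviour can be exercised offline. partial_addr_match6 models the PARTIAL_*_ADDR_MATCH6(w0,w1,w2,w3,offset,length) macro, with the semantics inferred from the guide's 0x11aa22bb / 64 / 32 example (four 32-bit words, bit offset counted from the high end); sit_decapsulate and walk_ipv6 model SIT (IPv4 protocol 41) intra-tunnel inspection and the extension-header policy (default: fragmentation header only, versus the set table.def can allow); is_traceroute6 applies the Traceroute IPv6 service definition above. The protocol numbers are IANA assignments. The sample packets are constructed inline and are not captured traffic.

```python
"""Added example: model of PARTIAL_*_ADDR_MATCH6, SIT decapsulation, the IPv6
extension-header policy and the Traceroute IPv6 service.  Not Check Point code."""
import ipaddress
import struct

SIT, UDP = 41, 17
EXTHDR_HOPOPTS, EXTHDR_ROUTING, EXTHDR_FRAGMENT = 0, 43, 44
EXTHDR_AH, EXTHDR_DSTOPTS, EXTHDR_MOBILE = 51, 60, 135
EXTENSION_HEADERS = {EXTHDR_HOPOPTS, EXTHDR_ROUTING, EXTHDR_FRAGMENT,
                     EXTHDR_AH, EXTHDR_DSTOPTS, EXTHDR_MOBILE}
DEFAULT_ALLOWED = {EXTHDR_FRAGMENT}      # guide's default: only fragmentation headers
TABLE_DEF_ALLOWED = EXTENSION_HEADERS    # after uncommenting allowed_ipv6_extension_headers


def partial_addr_match6(addr, w0, w1, w2, w3, offset, length):
    """True if the `length` bits of addr starting at bit `offset` (MSB first)
    equal the same bits of the 128-bit value w0:w1:w2:w3 (inferred semantics)."""
    value = (w0 << 96) | (w1 << 64) | (w2 << 32) | w3
    mask = ((1 << length) - 1) << (128 - offset - length)
    return (int(ipaddress.IPv6Address(addr)) & mask) == (value & mask)


def sit_decapsulate(ipv4_pkt):
    """Return the inner IPv6 packet of a SIT packet, or None if it is not one."""
    if len(ipv4_pkt) < 20 or ipv4_pkt[0] >> 4 != 4 or ipv4_pkt[9] != SIT:
        return None
    inner = ipv4_pkt[(ipv4_pkt[0] & 0x0F) * 4:]      # honour the IHL field
    return inner if len(inner) >= 40 and inner[0] >> 4 == 6 else None


def walk_ipv6(pkt, allowed=DEFAULT_ALLOWED):
    """Walk the extension-header chain.  A header outside `allowed`, or a
    truncated chain, raises ValueError; allowed headers are skipped, not
    inspected, which is exactly what the guide says the gateway does."""
    nxt, hop_limit, off = pkt[6], pkt[7], 40
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    while nxt in EXTENSION_HEADERS:
        if nxt not in allowed:
            raise ValueError(f"extension header {nxt} not allowed")
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header chain")
        if nxt == EXTHDR_FRAGMENT:
            size = 8                          # fixed-size header
        elif nxt == EXTHDR_AH:
            size = (pkt[off + 1] + 2) * 4     # AH length: 4-byte words minus 2
        else:
            size = (pkt[off + 1] + 1) * 8     # Hdr Ext Len: 8-byte units minus 1
        nxt, off = pkt[off], off + size
    return {"proto": nxt, "hop_limit": hop_limit, "src": str(src),
            "dst": str(dst), "payload": pkt[off:]}


def is_traceroute6(info):
    """Guide's Traceroute IPv6 service: protocol 17, uh_dport > 33000, ip_ttl6 < 30."""
    if info["proto"] != UDP or len(info["payload"]) < 8:
        return False
    dport = struct.unpack("!H", info["payload"][2:4])[0]
    return dport > 33000 and info["hop_limit"] < 30


def inspect_sit(ipv4_pkt, allowed=DEFAULT_ALLOWED):
    """Decapsulate and walk; returns the inner-header dict or a drop reason."""
    inner = sit_decapsulate(ipv4_pkt)
    if inner is None:
        return "not a SIT packet"
    try:
        return walk_ipv6(inner, allowed)
    except ValueError as exc:
        return f"drop: {exc}"


def ipv6_packet(src, dst, hop_limit, upper, payload, hopopts=False):
    """Constructed IPv6 packet, optionally with one 8-byte Hop-by-Hop header (PadN)."""
    ext = bytes([upper, 0, 1, 4, 0, 0, 0, 0]) if hopopts else b""
    first = EXTHDR_HOPOPTS if hopopts else upper
    hdr = struct.pack("!IHBB", 0x60000000, len(ext) + len(payload), first, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + ext + payload)


def sit_packet(outer_src, outer_dst, inner):
    """Wrap `inner` in a minimal 20-byte IPv4 header, protocol 41 (checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, SIT, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    return hdr + inner


def sample_sit_packet():
    """Constructed sample: a traceroute-style UDP probe (dport 33434, hop limit 5)
    with a Hop-by-Hop header, tunnelled over SIT between documentation addresses."""
    udp = struct.pack("!HHHH", 40000, 33434, 8, 0)
    inner = ipv6_packet("2001:db8::1", "2001:db8::11aa:22bb:0:1", 5, UDP, udp, hopopts=True)
    return sit_packet("192.0.2.1", "198.51.100.1", inner)


if __name__ == "__main__":
    pkt = sample_sit_packet()
    print(inspect_sit(pkt))                    # default policy rejects the Hop-by-Hop header
    info = inspect_sit(pkt, TABLE_DEF_ALLOWED)
    print(info["src"], "->", info["dst"], "traceroute6:", is_traceroute6(info))
    print(partial_addr_match6(info["dst"], 0, 0, 0x11aa22bb, 0, 64, 32))
```

With the default policy the sample is dropped because of its Hop-by-Hop header; with the table.def set it reaches the UDP layer, is classified as a traceroute probe, and its destination matches the 0x11aa22bb partial-address specification. Note that walk_ipv6 skips an allowed header without looking inside it, which is the trade-off the extension-header section describes.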

Check Point Features for IPv6

Check Point technology has expanded its security solutions to address the demand for Internet Protocol version 6 (IPv6). This demand is driven by the growing number of devices connected to the Internet, combined with projections for the future. Check Point offers a comprehensive security solution that enables a smooth and secure migration to IPv6. This chapter provides an overview of the Check Point features that support IPv6.

Anti Spoofing IPv6 Addresses

Anti-Spoofing verifies that packets arrive on the correct gateway interface: a packet claiming to come from an internal network must actually arrive on the internal network interface. A packet arriving on an external interface with a spoofed internal source address is blocked because Anti-Spoofing detects that it arrived on the wrong interface. When Anti-Spoofing is enabled, implicit Anti-Spoofing rules are added to the security policy, and the check is performed according to the topology defined for each interface. Spoofed packets detected by the firewall can be tracked and logged, and an alert can be issued. For additional information about Anti-Spoofing, refer to the Firewall R70 Administration Guide.

Anti-Spoofing supports IPv6 addresses. To enable Anti-Spoofing for IPv6, the IPv6 networks must be included in the interface topology:
1. In the Network Objects tree, right-click the Gateway object and select Edit.
2. Select Topology.
3. In the Topology page, select an interface and click Edit. The Interface Properties window appears.
4. Add the IPv6 address information.
5. Select the Topology tab.
6. Define the IPv6 topology associated with this interface:
   If you select External, the resulting topology contains all the addresses that are not specified in the Internal interface topologies.
   If you select Internal > Network defined by the Interface IP and Net Mask, the resulting topology is calculated from the IPv6 and IPv4 interface addresses specified in the General tab.
   If you select Internal > Specific, select the group that contains all the network objects behind this interface (both IPv4 and IPv6 networks). An IPv6 network that is reachable behind the interface but missing from this group is treated as spoofed, so its legitimate traffic is dropped.
7. Enable Anti Spoofing.
8. Click OK.

IPS and IPv6

When IPv6Pack is enabled, some IPS protections offer additional protection specifically for IPv6 traffic.

Securing Sequence Verifier

The Sequence Verifier protection is enforced on both IPv6 and IPv4 TCP connections as part of the Dual Stack architecture.

Securing Port Scanning

IPS has three levels of port scan detection sensitivity. Each level defines how many inactive ports may be probed within a given period before a scan is reported. Port Scan detection is an example of abnormal behavior analysis: when enabled, IPS detects when ports are being scanned, logs the activity, and can be configured to issue an alert. All IPS Port Scan protections support IPv6.

Aggressive Aging

R70 IPv6Pack supports Aggressive Aging for IPv6 connections. This lets you better manage the capacity of the connections table and the firewall's memory consumption, thereby increasing its durability and stability. The mechanism is the same as the one used for IPv4.

IPv6 Security

Max Ping Size Limit

PING (ICMP echo request) is used to check whether a remote machine is up: the client sends a request and the server responds with a reply echoing the client's data. For IPv6, PING6 (ICMPv6 echo request) is the corresponding program. An attacker might answer with oversized echo data in an attempt to compromise the client (for example, by causing a buffer overflow). R70 IPv6Pack lets you limit the maximum allowed data size of an echo request for both ICMP and ICMPv6.

Small PMTU

Small PMTU is a bandwidth attack discussed on various security mailing lists. The client fools the server into sending large amounts of data in very small packets; the per-packet overhead then creates a bottleneck on the server. The Small PMTU protection supports IPv6. To protect against Small PMTU attacks, R70 IPv6Pack lets you:
    Set a lower bound on the MSS (Maximum Segment Size) accepted in TCP traffic.
    Set a lower bound on the MTU the gateway accepts from ICMPv6 Packet Too Big errors.

IPv6 Clustering

R70 IPv6Pack supports High Availability clustering. All IPv6 state information is synchronized, so the IPv6 clustering mechanism takes over during failover events. As with IPv4, ClusterXL performs both state synchronization and clustering. In SmartDashboard, you must define IPv6 cluster addresses for each interface that is clustered.
ClusterXL High Availability

With R70 IPv6Pack (as with IPv4), both state synchronization and High Availability clustering are performed by the ClusterXL firewall gateway cluster. During failover, a High Availability cluster normally sends gratuitous ARP packets to update the ARP caches of the hosts and routers connected to the cluster interfaces, advertising the new MAC address for the virtual cluster IPv4 addresses. R70 IPv6Pack adds the equivalent for the IPv6 network: ClusterXL sends Neighbor Advertisement messages to update the neighbor cache (the IPv6 counterpart of the ARP cache) with the new MAC address for the virtual cluster IPv6 address. In addition, ClusterXL replies to any Neighbor Solicitation whose target address equals the virtual cluster IPv6 address.

Note - ClusterXL failover event detection is based on IPv4 probing. During the state transition, the IPv4 driver instructs the IPv6 driver to re-establish IPv6 network connectivity to the HA cluster.

Configuring IPv6 Clustering

Using SmartDashboard, define IPv6 cluster addresses for each clustered interface to obtain IPv6 clustering functionality. IPv6 addresses must be configured for cluster interfaces and cluster members. In an IPv6 network, cluster interfaces must carry both IPv6 and IPv4 addresses; the sync interface is IPv4 only.
Note - The sync mechanism is based on IPv4 (and carries the sync for IPv6 state). Therefore, a sync-only interface can only be configured with an IPv4 address.

To configure IPv6 addresses for cluster interfaces and cluster members:
1. Create or open a Cluster object.
2. Select the Check Point ClusterXL High Availability solution.
3. Click Topology > Edit Topology > Add Network. The ClusterXL Edit Topology window appears.
4. Fill in the relevant cluster interface and cluster member information in the fields provided (IPv4 address, Netmask, IPv6 address, Prefix length). To enter information into a specific cell, select the cell and click Edit.
   Note - Cluster members must have the same IPv6 address prefix as the cluster interface; different subnets are not supported.
5. Once you have entered all the relevant information, click OK to save your changes.

With IPv6 clustering, a cluster interface can be dual stack or IPv4 only. An IPv6-only cluster interface is not possible.
Note - A sync-only interface must be configured with only an IPv4 address.

ClusterXL commands such as cphaprob stat or cphaprob -a if show only IPv4 addresses, since the ClusterXL mechanism is based on IPv4. If cphaprob stat shows that the IPv4 address is up and active, the IPv6 address on the same interface is also up and active.
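The following is an added example, not Check Point code and not a description of the exact frames ClusterXL emits: it builds the kind of unsolicited ICMPv6 Neighbor Advertisement described in the ClusterXL High Availability section (target = virtual cluster IPv6 address, Target Link-Layer Address option = the new active member's MAC) and parses it the way a receiving host does before updating its neighbor cache. The flag choice (Router and Override set, Solicited clear) and the sample VIP and MAC are assumptions for the example; the checksum, type, option and flag encodings follow RFC 4861 and RFC 4443.

```python
"""Added example: gratuitous ICMPv6 Neighbor Advertisement (RFC 4861) of the kind a
cluster member sends after takeover, plus receiver-side parsing.  Not Check Point code."""
import ipaddress
import struct

ICMPV6, ND_NEIGHBOR_ADVERT, ND_OPT_TARGET_LLADDR = 58, 136, 2
ALL_NODES = "ff02::1"                      # link-local all-nodes multicast
FLAG_ROUTER, FLAG_SOLICITED, FLAG_OVERRIDE = 0x80000000, 0x40000000, 0x20000000


def ones_complement_sum(data):
    """RFC 1071 checksum over `data` (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_checksum(src, dst, body):
    """ICMPv6 checksum covers the IPv6 pseudo-header (src, dst, length, next header)."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(body), ICMPV6))
    return ones_complement_sum(pseudo + body)


def failover_neighbor_advertisement(vip, new_mac, router=True):
    """Unsolicited NA for the virtual IP: Override set so neighbours replace the
    cached MAC, Solicited clear, sent from the VIP to ff02::1 (assumed flags)."""
    flags = FLAG_OVERRIDE | (FLAG_ROUTER if router else 0)
    option = struct.pack("!BB6s", ND_OPT_TARGET_LLADDR, 1,
                         bytes.fromhex(new_mac.replace(":", "")))
    body = (struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, flags)
            + ipaddress.IPv6Address(vip).packed + option)
    csum = icmpv6_checksum(vip, ALL_NODES, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_neighbor_advertisement(src, dst, body):
    """Receiver-side validation.  With the checksum field included, a correct
    checksum folds to zero.  Returns what a neighbor cache needs, or raises."""
    if len(body) < 24 or body[0] != ND_NEIGHBOR_ADVERT or body[1] != 0:
        raise ValueError("not a Neighbor Advertisement")
    if icmpv6_checksum(src, dst, body) != 0:
        raise ValueError("bad ICMPv6 checksum")
    flags = struct.unpack("!I", body[4:8])[0]
    mac, off = None, 24
    while off + 2 <= len(body):                 # ND options are in 8-byte units
        opt_type, opt_len = body[off], body[off + 1]
        if opt_len == 0 or off + opt_len * 8 > len(body):
            raise ValueError("malformed ND option")
        if opt_type == ND_OPT_TARGET_LLADDR and opt_len == 1:
            mac = ":".join(f"{b:02x}" for b in body[off + 2:off + 8])
        off += opt_len * 8
    return {"target": str(ipaddress.IPv6Address(body[8:24])),
            "router": bool(flags & FLAG_ROUTER),
            "solicited": bool(flags & FLAG_SOLICITED),
            "override": bool(flags & FLAG_OVERRIDE), "mac": mac}


def na_is_valid(src, dst, body):
    """True if the NA parses and its checksum matches the given src/dst."""
    try:
        parse_neighbor_advertisement(src, dst, body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    vip, mac = "2001:db8:1::100", "00:1c:7f:aa:bb:cc"   # constructed VIP and new active MAC
    na = failover_neighbor_advertisement(vip, mac)
    print(na.hex())
    print(parse_neighbor_advertisement(vip, ALL_NODES, na))
```

The receiver accepts the advertisement purely on its checksum and format; nothing in Neighbor Discovery proves that the sender is the legitimate cluster member. The same 32-byte frame from any host on the segment would redirect the VIP's traffic, which is why the guide's predefined neighbor-advertisement service, and switch-side ND inspection where available, deserve explicit rules rather than a blanket accept.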

When working with ClusterXL in bridge mode, the cluster sync mode must be broadcast, not multicast. To verify the sync mode, use the command cphaprob -a if.

SecureXL for IPv6

SecureXL accelerates IPv6 traffic as well as IPv4. Performance Pack is supported on SecurePlatform. Performance Pack is a software acceleration product installed as an add-on to Check Point Security Gateway; it uses Check Point's SecureXL technology and other network acceleration techniques to deliver wire-speed performance for Security Gateways.

The fwaccel commands communicate with the IPv4 kernel. To access the IPv6 kernel, use the fwaccel6 command.

fwaccel6

Description: The fwaccel6 utility allows you to enable or disable IPv6 acceleration dynamically while the Security Gateway is running. The default setting is determined by the setting configured with cpconfig; a change made with fwaccel6 reverts to that default after reboot.

Syntax: fwaccel6 [on | off | stat | stats | conns | templates]

Parameters:
    on                          Start IPv6 acceleration.
    off                         Stop IPv6 acceleration.
    stat                        Display the acceleration device status and the status of the Connection Templates on the local Security Gateway.
    stats                       Display acceleration statistics.
    stats -s                    Display more summarized statistics.
    conns                       Display all IPv6 connections.
    conns -s                    Display the number of IPv6 connections currently defined in the accelerator.
    conns -m <max_entries>      Limit the number of IPv6 connections displayed by the conns command to max_entries.
    templates                   Display all IPv6 connection templates.
    templates -m <max_entries>  Limit the number of templates displayed by the templates command to max_entries.
    templates -s                Display the number of templates currently defined in the accelerator.

Example: fwaccel6 stat

Description: The fwaccel6 stat command displays the acceleration device status and the status of the Connection Templates on the local Security Gateway.

Example:
    fwaccel6 stat

Output:
    Accelerator Status : on
    Accept Templates : enabled
    Accelerator Features : Accounting, NAT, Routing, HasClock, Templates, Synchronous, IdleDetection, Sequencing, TcpStateDetect, AutoExpire, DelayedNotif, TcpStateDetectV2, CPLS, WireMode, DropTemplates

Example: fwaccel6 templates

Description: The fwaccel6 templates command displays all the connection templates.

Example:
    fwaccel6 templates

Output:
    Source  SPort  Destination  DPort  PR  Flags  LCT  DLY  C2S i/f  S2C i/f
    :b:0:0:0:0:0:10  *  9999:b:0:0:0:0:0:  Lan5/Lan1  Lan1/Lan5

Example: fwaccel6 stats

Description: The fwaccel6 stats command displays acceleration statistics.

Example:
    fwaccel6 stats

Output:
    Name                     Value   Name                     Value
    conns created            11      conns deleted            7
    temporary conns          0       templates                1
    nat conns                0       accel packets            2
    accel bytes              96      F2F packets              39
    ESP enc pkts             0       ESP enc err              0
    ESP dec pkts             0       ESP dec err              0
    ESP other err            0       espudp enc pkts          0
    espudp enc err           0       espudp dec pkts          0
    espudp dec err           0       espudp other err         0
    AH enc pkts              0       AH enc err               0
    AH dec pkts              0       AH dec err               0
    AH other err             0       memory used              0
    free memory              0       acct update interval     3600
    current total conns      4       TCP violations           0
    conns from templates     0       TCP conns                0
    delayed TCP conns        0       non TCP conns            4
    delayed nontcp conns     0       F2F conns                3
    F2F bytes                2848    crypt conns              0
    enc bytes                0       dec bytes                0
    partial conns            0       anticipated conns        0
    dropped packets          0       dropped bytes            0
    nat templates            0       port alloc templates     0
    conns from nat tmpl      0       port alloc conns         0
    port alloc f2f           0

CoreXL for IPv6

CoreXL is a performance-enhancing technology for Security Gateways on multi-core processing platforms. CoreXL enhances Security Gateway performance by enabling the processing cores to concurrently perform multiple tasks. CoreXL provides almost linear scalability of performance according to the number of processing cores on a single machine. The increase in performance is achieved without requiring any changes to management or to network topology. CoreXL joins ClusterXL Load Sharing and SecureXL as part of Check Point's fully complementary family of traffic acceleration technologies.

In a CoreXL gateway, the firewall kernel is replicated multiple times. Each replicated copy, or instance, of the firewall kernel runs on one processing core. The instances handle traffic concurrently, and each instance is a complete and independent inspection kernel. Regarding network topology, management configuration, and security policies, a CoreXL gateway functions as a regular Security Gateway. All of the kernel instances of a gateway handle traffic going through the same gateway interfaces and apply the same gateway security policy.

IPv6 Implementation of CoreXL

R70 IPv6Pack also uses multiple cores for IPv6 traffic. For each firewall kernel instance that handles IPv4 traffic there is a corresponding firewall kernel instance that handles IPv6 traffic, and both instances run on the same core.
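Returning to the fwaccel6 stats output above: the following is an added example, not a Check Point tool, showing how to turn that two-column text into a dictionary and derive the checks a practitioner actually looks at, in particular the share of packets handled F2F (forwarded to the firewall slow path instead of being accelerated). The embedded text is the guide's own example output; the thresholds and warning wording are assumptions for the example, and the very high F2F share it reports simply reflects a lab gateway that had seen 41 packets.

```python
"""Added example: parse "fwaccel6 stats" output and derive acceleration health
indicators.  Not a Check Point tool; thresholds are assumptions."""
import re

# Output of "fwaccel6 stats" as printed in the guide's example (two Name/Value columns).
SAMPLE_STATS = """\
Name                     Value   Name                     Value
conns created            11      conns deleted            7
temporary conns          0       templates                1
nat conns                0       accel packets            2
accel bytes              96      F2F packets              39
ESP enc pkts             0       ESP enc err              0
ESP dec pkts             0       ESP dec err              0
ESP other err            0       espudp enc pkts          0
espudp enc err           0       espudp dec pkts          0
espudp dec err           0       espudp other err         0
AH enc pkts              0       AH enc err               0
AH dec pkts              0       AH dec err               0
AH other err             0       memory used              0
free memory              0       acct update interval     3600
current total conns      4       TCP violations           0
conns from templates     0       TCP conns                0
delayed TCP conns        0       non TCP conns            4
delayed nontcp conns     0       F2F conns                3
F2F bytes                2848    crypt conns              0
enc bytes                0       dec bytes                0
partial conns            0       anticipated conns        0
dropped packets          0       dropped bytes            0
nat templates            0       port alloc templates     0
conns from nat tmpl      0       port alloc conns         0
port alloc f2f           0
"""

# A counter name is letters/digits/spaces ending just before a run of whitespace
# and an integer value; the lazy quantifier stops at the first such value.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s+(\d+)(?=\s|$)")


def parse_fwaccel_stats(text):
    """Map every 'name value' pair in the output to an int; the header line has
    no integers and so contributes nothing."""
    stats = {}
    for line in text.splitlines():
        for name, value in PAIR.findall(line):
            stats[name.strip()] = int(value)
    return stats


def accel_summary(stats):
    """Derived indicators: F2F share of packets, template use, crypto errors."""
    accel, f2f = stats["accel packets"], stats["F2F packets"]
    total = accel + f2f
    return {
        "f2f_share": (f2f / total) if total else 0.0,
        "template_conns": stats["conns from templates"],
        "crypto_errors": sum(v for k, v in stats.items() if k.endswith(" err")),
        "tcp_violations": stats["TCP violations"],
    }


def accel_warnings(stats, f2f_threshold=0.5):
    """Plain-text findings; the 50% F2F threshold is an assumed starting point."""
    s = accel_summary(stats)
    out = []
    if s["f2f_share"] > f2f_threshold:
        out.append(f"F2F share {s['f2f_share']:.0%}: most packets bypass SecureXL; "
                   "check fwaccel6 stat and which rules or features force slow path")
    if stats["templates"] and stats["conns created"] and s["template_conns"] == 0:
        out.append("templates exist but no connections were created from them")
    if s["crypto_errors"]:
        out.append(f"{s['crypto_errors']} ESP/AH/espudp errors reported")
    if s["tcp_violations"]:
        out.append(f"{s['tcp_violations']} TCP state violations")
    return out


if __name__ == "__main__":
    stats = parse_fwaccel_stats(SAMPLE_STATS)
    print(len(stats), "counters;", accel_summary(stats))
    for warning in accel_warnings(stats):
        print("WARNING:", warning)
```

Run it against live output with parse_fwaccel_stats(subprocess.check_output(["fwaccel6", "stats"], text=True)) on the gateway; on a production box a sustained F2F share anywhere near the sample's 95% means the IPv6 accelerator is doing almost nothing and the rule base or IPS settings forcing slow-path handling should be reviewed.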

Default Configuration of CoreXL

Upon installation of CoreXL, the number of kernel instances is derived from the total number of cores in the system, as follows:
    Number of Cores    Number of Kernel Instances
    1                  CoreXL is disabled
    more than 8        number of cores, minus 4

Configuring CoreXL

To enable or disable CoreXL:
1. Run the cpconfig command.
2. Select Configure Check Point CoreXL.
3. Choose whether to enable or disable CoreXL.
4. Reboot the gateway.

To configure the number of instances:
1. Run the cpconfig command.
2. Select Configure Check Point CoreXL.
3. If CoreXL is enabled, choose to change the number of firewall instances. If CoreXL is disabled, choose to enable CoreXL and then set the required number of firewall instances.
4. Reboot the gateway.
Note - In a clustered deployment, changing the number of kernel instances should be treated as a version upgrade. See Command Line Reference in the CoreXL Administration section (page 193) of the R70 Firewall Administration Guide.

Checking the Status of CoreXL

To check the status of CoreXL on your Security Gateway, use the command fw6 ctl multik stat. The fw6 ctl multik stat (multi-kernel statistics) command displays IPv6 information for each kernel instance. The state and processing core number of each instance is displayed, along with:
    The number of connections currently being handled.
    The peak number of concurrent connections the instance has handled since its inception.

VPN for IPv6

Virtual Private Networks (VPNs) can be configured for IPv6 networks as for IPv4. Only the features described in this guide are supported for IPv6. The following summarizes VPN support for IPv6:

    Supported              Not supported
    Site to Site VPN       Remote Access VPN
    Domain-based VPN       Route-based VPN
    Simplified Mode VPN    Traditional mode VPN

For configuration instructions, refer to the R70 VPN Administration Guide.

IPSec and IKE

IKE configuration is unchanged. However, IKEv2 is used for IPv6 and IKEv1 for IPv4.

Public Key Infrastructure

There is no change in the way Public Key Infrastructure (PKI) works for IPv6 networks. The procedures for configuring certificates and Certificate Authorities are the same as for IPv4.

Configuring VPN Domains

VPN Domains can include both IPv4 and IPv6 addresses. The VPN Domain is configured in the Topology page of a Check Point Gateway object, in the VPN Domain section. The options are:
    All IP Addresses behind Gateway Based on Topology information - If you select this and an IPv6 address is defined for a Gateway interface, that address or network is included in the VPN Domain. IP addresses for each interface are defined in the Interface Properties page.
    Manually Defined - If you select this option, you can then select a network or group that includes IPv4 and IPv6 addresses.

Configuring VPN Communities

When configuring a Meshed or Star VPN Community, in the Meshed Community Properties and the Star Community Properties, the following pages are supported for IPv6:
    General - Note that Accept all encrypted traffic is not supported for IPv6.
    Participating Gateways (Meshed Community only).
    Center Gateways (Star Community only).
    Satellite Gateways (Star Community only).

    VPN Properties - IKE configuration is unchanged. However, IKEv2 is used for IPv6 and IKEv1 for IPv4.
    Tunnel Management - VPN Tunnel Sharing only.
    Advanced Settings:
        VPN Routing (Star Community only)
        Excluded Services
        Shared Secret
        Advanced VPN Properties - Note that the setting Disable NAT inside the VPN community is not supported for IPv6.

Configuring Link Selection

Link Selection is configured in the VPN > Link Selection page of the Gateway object. IP Selection by Remote Peer is supported for IPv6.

Outgoing Route Selection: only the Operating system routing table method is supported for IPv6 traffic. The Route based probing method is not supported for IPv6 traffic. Configuring On Demand Links (ODL) requires Route based probing and is therefore not supported for IPv6 traffic.

For any of the IP Selection by Remote Peer options, the peer gateway chooses the IPv6 address that is used for the IPv6 encrypted traffic in this way:

1. An IPv4 address is chosen according to the selected Link Selection method.
2. The IPv4 address is converted to an IPv6 address:
   - If an IPv6 address is configured in the Topology > Interface Properties page of the chosen interface, it is used.
   - If no IPv6 address is configured on the chosen interface, the IPv6 address of another external interface is used. The Main IP address of the Gateway is preferred if it is external.

VPN Commands for IPv6

Most VPN commands are supported for IPv6. VPN commands are documented in the R70 CLI Reference Guide (

IPv6-specific commands introduced in R70 IPv6Pack are:

- vpn6 drv (vpn drv is only for IPv4)
- vpn6 tu (vpn tu is only for IPv4)
- vpn6 ver (vpn ver is only for IPv4)

The following VPN commands are not supported for IPv6:

- vpn accel
- vpn macutil
- vpn nssm_topology
- vpn overlap_encdom
- vpn sw_topology
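The two-step address selection described under Configuring Link Selection above determines which source address a peer actually sees on IPv6 encrypted traffic, and that address can differ from the interface that Link Selection picked when that interface has no IPv6 address. The following is an added example that models the procedure; it is not code from this guide or from Check Point. The Interface and Gateway records, the interface names, the addresses (documentation ranges only), the uses_fallback helper and the decision to raise an error when no external interface has an IPv6 address are all assumptions of this model.

```python
"""Added example (not code from the IPv6Pack R70 guide or from Check Point):
a model of the Link Selection step that maps the IPv4 address chosen by the
Link Selection method to the IPv6 address a peer uses for IPv6 encrypted
traffic. Interface names and addresses are constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    ipv4: str
    ipv6: Optional[str]   # None when no IPv6 address is set in Topology > Interface Properties
    external: bool        # True when the interface topology is External


@dataclass(frozen=True)
class Gateway:
    name: str
    main_ipv4: str        # the Gateway object's Main IP address
    interfaces: Tuple[Interface, ...]


def ipv6_for_encrypted_traffic(gw: Gateway, chosen_ipv4: str) -> Tuple[str, str]:
    """Step 2 of the procedure: convert the IPv4 address picked in step 1 by the
    IP Selection by Remote Peer method into the IPv6 address the peer will use.

    Returns (ipv6_address, reason). The reason tells an administrator whether
    the address comes from the chosen interface or from a fallback interface,
    which is what anti-spoofing and peer gateway definitions must match."""
    chosen = next((i for i in gw.interfaces if i.ipv4 == chosen_ipv4), None)
    if chosen is None:
        raise ValueError(f"{chosen_ipv4} is not an interface address of {gw.name}")

    # 2a. The chosen interface has an IPv6 address: use it.
    if chosen.ipv6:
        return chosen.ipv6, f"IPv6 address of the chosen interface {chosen.name}"

    # 2b. No IPv6 on the chosen interface: use another external interface,
    #     preferring the interface that carries the Gateway's Main IP if it is external.
    main = next((i for i in gw.interfaces if i.ipv4 == gw.main_ipv4), None)
    if main is not None and main.external and main.ipv6:
        return main.ipv6, f"fallback to Main IP interface {main.name}"
    for iface in gw.interfaces:
        if iface is not chosen and iface.external and iface.ipv6:
            return iface.ipv6, f"fallback to external interface {iface.name}"

    # Assumption of this model: the guide does not say what happens when no
    # external interface has an IPv6 address; treat it as a configuration error.
    raise LookupError(f"{gw.name}: no external interface has an IPv6 address")


def uses_fallback(gw: Gateway, chosen_ipv4: str) -> bool:
    """Audit helper (assumed, not a Check Point feature): True when IPv6 encrypted
    traffic will not originate from the interface Link Selection picked, so the
    peer and any upstream filtering must expect a different source address."""
    _, reason = ipv6_for_encrypted_traffic(gw, chosen_ipv4)
    return reason.startswith("fallback")


# Constructed sample topology (documentation address ranges, not a real site).
SAMPLE_GW = Gateway(
    name="gw-sample",
    main_ipv4="203.0.113.10",
    interfaces=(
        Interface("eth0", "203.0.113.10", "2001:db8:1::10", external=True),
        Interface("eth1", "198.51.100.10", None, external=True),   # no IPv6 configured
        Interface("eth2", "10.0.0.1", "2001:db8:2::1", external=False),
    ),
)

if __name__ == "__main__":
    for ipv4 in ("203.0.113.10", "198.51.100.10"):
        addr, why = ipv6_for_encrypted_traffic(SAMPLE_GW, ipv4)
        print(f"Link Selection picked {ipv4}: IPv6 peer address {addr} ({why})")
```

Running the block shows that when Link Selection picks eth1 (which has no IPv6 address), the IPv6 traffic carries eth0's address instead; an administrator checking a peer's definition or anti-spoofing groups should therefore verify every external interface's IPv6 configuration, not just the one Link Selection names.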
