Wednesday, May 07, 2008

Checkpoint SPLAT and hardware limitations

I'm just struggling through planning an implementation of Checkpoint VPN-1 on SecurePlatform & HP hardware. Unfortunately the quad-port NICs the customer used to use (PCIx NC340T) are no longer available for purchase. The only quad-ports that are available for purchase are the NC364T (a PCI express card) - but they are only supported in SecurePlatform 2.6 NGX R65 (as opposed to just SecurePlatform NGX R65). What's the difference? The newer one is a fork based on the Linux 2.6 kernel.
I found this useful summary from a Checkpoint forum post:

"The main point of moving to the 2.6 Linux kernel is increased hardware compatibility. Check Point recommends that you stay on the standard R65 SecurePlatform unless you have hardware that is not supported by the standard R65 release. If you have hardware that is not supported by R65 standard, but is supported by the 2.6 kernel release, then use it.
See the Hardware Compatibility List
Please note that there are a few systems not supported by the 2.6 release...
The initial SecurePlatform 2.6 release includes all standard release HFA 01 and HFA 02 fixes. Moving forward, the HFAs will be released separately - e.g., HFA 03 for R65 may be released in a month, and HFA 01 for SecurePlatform 2.6 may be released 3 months later. With different code trees, it's recommended to stay with the "main branch" if you can. Same goes for the R65 management "plug-ins"... they're not available for SecurePlatform 2.6.
You cannot upgrade "in-place" from standard R65 to the 2.6 release, but you can upgrade in-place from prior versions. For standard R65 you can perform an export/import to move to the SecurePlatform 2.6 release."

What a can of worms that is eh!

I also spotted this forum post which mentions he has the NC364Ts working with SPLAT 2.6 R65, so that's kind of reassuring. Funny though - the Release Notes for R65 mention nothing about all this - but I did find additional Release Notes for SPLAT 2.6 for R65 (which I found by searching - not listed in the documentation links).

Unfortunately that has caused me another problem:
"VPN-1 Accelerator Cards II, III, and IV are not supported in this release. They will be supported with new drivers in the future."


1 comment:

Andrew Willy said...

Ran into this exact issue. I couldn't get our NC364Ts to work with SPLAT R65 and didn't find out it was a hardware support limitation until this morning (after two days of working with it.) The NICs seem to work, sort of anyway, so I was misled into thinking it was a configuration issue. I was down to wiresharking ARP traffic from the interfaces.

I'm doing a complete install and upgrade_import now.