Bypass Support Feature Overview

August 2012
Threat Prevention Team
[Restricted] ONLY for designated groups and individuals
©2012 Check Point Software Technologies Ltd.
Agenda
1. Feature Highlights
2. Feature Description
3. Installation Overview
4. Traffic loss scenarios in case of failure
5. Notes
Feature Highlights
Project Goals: Providing network bypass capabilities upon software or hardware failure.
Target Release Date: September 30th 2012, R75.40 on GAIA.
Related Products: IPS, DLP, APPI, URLF, AB & AV.
Supported Bypass Cards (appliances and card types):
• Appliances: 4200, 4400, 4600, 4800, 12200, 12400, 12600
• 1GbE Copper, 4 port
• 1GbE SFP, 4 Port (short and long range)
• 10GbE SFP+, 2 Port (short and long range)
Feature Description

The internal bypass card ensures that network traffic continues to flow if the appliance fails or loses power.

This feature is only supported on Gaia in a non-cluster configuration.

Bypass Card Architecture
The appliance enters Bypass Mode if one of the following occurs:
• There is a power loss.
• The appliance is overloaded; it then enters bypass mode for at least 1 minute.
• There is a system failure; it then enters bypass mode for at least 5 minutes.
• The appliance stops responding for 60 seconds.
Bypass Card Installation Overview
1. Install the Bypass card in the appliance.
2. Install the R75.40 bypass hotfix on the appliance.
3. Use the Gaia WebUI to enable and configure it.
4. Configure the appliance in SmartDashboard.
5. Install the policy and reboot the appliance.
Specific installation instructions will be provided in an SK for this hotfix.
Traffic loss scenarios in case of failure
When the Bypass card returns from the fail-open state, there can be a delay of 15-40 seconds before the link is re-established.
• The delay is due to the Linux bridge forwarding mechanism, which gives the STP protocol (running on the switches) enough time to listen and learn the network topology and to block switch ports if a loop is identified.
• This is expected behavior for bypass card solutions.
• A possible way to reduce the delay is to configure the switches not to use auto-negotiation.
• Some workarounds for the delay exist (for example, disabling STP on the switch ports facing the appliance or enabling PortFast in the spanning tree settings). However, these may severely impact network behavior and should be considered carefully.
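To see where the 15-40 second window comes from on the appliance side, the following added script (not part of the Check Point deck) reads the Linux bridge STP timers and port states from sysfs and predicts the listening-plus-learning interval a port sits through before forwarding resumes. It assumes the standard kernel bridge sysfs layout (`bridge/stp_state`, `bridge/forward_delay` in hundredths of a second, `brif/<port>/state`) and runs offline against a constructed fake tree; the bridge and port names `br0` and `eth1` are sample values.

```shell
#!/bin/sh
# Added example, not from the Check Point slides. The deck attributes the
# 15-40 s recovery delay to the Linux bridge holding its ports out of
# forwarding while STP listens and learns. This script reads the bridge
# timers and port states from a sysfs tree and predicts that window.
# The sysfs root is a parameter so a constructed fake tree can be used
# offline; on a real appliance pass /sys/class/net (assumed kernel layout).

# Constructed sample tree: bridge br0 with STP enabled, the kernel default
# forward_delay of 15.00 s (sysfs stores hundredths of a second), and one
# port eth1 currently in the learning state (2).
make_fake_sysfs() {
    mkdir -p "$1/br0/bridge" "$1/br0/brif/eth1"
    echo 1    > "$1/br0/bridge/stp_state"
    echo 1500 > "$1/br0/bridge/forward_delay"
    echo 2    > "$1/br0/brif/eth1/state"
}

# Seconds a port spends in listening + learning before it forwards again:
# 2 x forward_delay. Prints 0 when STP is off (no transition states).
recovery_window_seconds() {
    br="$1/$2/bridge"
    [ "$(cat "$br/stp_state")" -eq 0 ] && { echo 0; return; }
    echo $(( 2 * $(cat "$br/forward_delay") / 100 ))
}

# Maps the numeric STP port state from sysfs to its name.
port_state_name() {
    case "$(cat "$1/$2/brif/$3/state")" in
        0) echo disabled ;;   1) echo listening ;;
        2) echo learning ;;   3) echo forwarding ;;
        4) echo blocking ;;   *) echo unknown ;;
    esac
}

# Classifies a predicted window against the 15-40 s range the deck documents.
check_window() {
    if [ "$1" -ge 15 ] && [ "$1" -le 40 ]; then echo expected
    else echo outside-documented-range; fi
}

# Stand-alone demo against the constructed tree.
demo() {
    root=$(mktemp -d)
    make_fake_sysfs "$root"
    w=$(recovery_window_seconds "$root" br0)
    echo "br0: predicted recovery window ${w}s ($(check_window "$w"))"
    echo "br0/eth1: STP state $(port_state_name "$root" br0 eth1)"
    rm -rf "$root"
}
demo
```

A predicted window outside 15-40 seconds, or a port stuck in blocking, points at bridge or switch STP settings rather than the bypass card itself.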
Limitations
• Only for non-clustering environments.
• The following features are not supported:
– HTTPS Inspection.
– Anti-Spam.
– Traditional Anti-Virus in proactive mode.
– FTP Inspection for the DLP Software Blade.
– Header Spoofing Protection for the IPS Software Blade.
If one of these features is enabled, severe network issues could result.
Notes
• To have access to the machine during the bypass state, the dedicated management interface on the appliance must be used.