Had a question from a customer last week. They had a bunch of R65 SPlat gateways out in the field. In the past they were just passing BGP and OSPF, and they now wanted some of them to participate in dynamic routing. To do this they would need to upgrade to SPlat Pro. The concern was that they would have to rebuild all the firewalls. Not true. You do not have to re-install any software on an existing Check Point gateway to enable SPlat Pro: it is already installed and just needs to be enabled.

There are two things that you need to get started on SPlat Pro:

  1. SPlat Pro license
  2. Enable SPlat Pro from command line

For licensing you simply add up the number of gateways that you want SPlat Pro enabled on. Licenses come in bundles of 1, 5, 25, 50, and 100. The licenses are additive. When you see the license in your UserCenter, you will license it to the IP of the SmartCenter. For Provider-1 users it is licensed to the IP of the CMA.

The next part is to enable SPlat Pro. You will need to SSH out to the gateways and from the CPshell or ‘expert mode’ type:

pro enable

Pretty simple. Reboot and you will now have support for: RIP v.1 and v.2, OSPF, BGP, IGMP, PIM-SM and PIM-DM. Remember, this support allows the gateway to participate in the routing. You do not need SPlat Pro to pass this traffic, but it seems more and more environments are looking to include the firewalls in dynamic routing.

After you reboot, SSH back to the gateway, type ‘router’ and you will enter a Cisco-like CLI environment. You will see commands like “enable”, “conf t”, “set”, “show”, etc.: all the stuff you learned while studying for the CCNA 😉

If you want to test SPlat Pro, get in touch with a reseller or Check Point engineer and ask them to put a ‘CPOS-EVAL-SPRO‘ eval license into your User Center.

Enabling SPlat Pro after installation

One thought on “Enabling SPlat Pro after installation”

  • July 21, 2008 at 5:10 am

    How do you pass OSPF traffic through a SPLAT GW? Do the routers still peer with each other even when not on the same subnet? I’ve never seen that done before; could you possibly explain the situation please?

    Excellent blog btw, been reading it for a while! 🙂

    Ian
