Checkpoint防火墙测试用例

Checkpoint R65 Test Plan

Revision 0.1

2009-10-14

Author: Peng Gong

Revision History

1‘FW MONITOR’ USAGE (7)

2TEST SUITES (7)

2.1R65I NSTALL &U NINSTALL (7)

2.1.1Create a v3 vap-group with vap-count/max-load-count set >1, Confirm R65 and related HFA could be

installed on all vap within vap-group successfully (7)

2.1.2Create a v4 vap-group, confirm XOS would prompt correctly message and failure install would cause

unexpected issue to system (9)

2.1.3Create a v5 vap-group, confirm XOS would prompt correctly message and failure install would cause

unexpected issue to system (10)

2.1.4Create a v5_64 vap-group, confirm XOS would prompt correctly message and failure install would

cause unexpected issue to system (11)

2.1.5Try to install R65 on a v3 vap-group and abort the install process, confirm nothing is left afterwards12

2.1.6Reduce max-load-count down to 1, confirm only one Vap is allowed to run R65 accordingly (13)

2.1.7Increase vap-count and max-load-count to maximum vap count and executing "application-update",

confirm all the Vap are running R65 properly (14)

2.1.8Reduce vap-count to 3, Confirm the surplus Vap is stopped from running R65 and related partitions

are removed from CPM (15)

2.1.9Enable/Disable IPv6 in vap-group and w/o ipv6-forwarding, confirm R65 wouldn't be affected. (16)

2.1.10Confirm the installed R65 could be stopped through CLI (17)

2.1.11Confirm the installed R65 could be started through CLI (18)

2.1.12Confirm the installed R65 could be restarted through CLI (18)

2.1.13Confirm the installed R65 could be reconfigured through CLI (19)

2.1.14Confirm checkpoint could be upgraded to R70 by CLI: application-upgrade (19)

2.1.15Confirm R65 could run properly while reload vap-group totally (20)

2.1.16Confirm R65 could run properly while reload all chassis totally (20)

2.1.17Create 2 vap groups, install R65 on both. Confirm R65 are running on both vap-groups without any

mutual impact. (21)

2.1.18Confirm configure operation couldn't be allowed if some Vap don't run R65 properly. (23)

2.1.19Confirm uninstall/Configure operation couldn't be allowed if some Vap don't run properly. (24)

2.1.20Confirm start/stop/restart operation could works prope rly if R65 doesn’t run properly on some

Vaps.25

2.1.21Confirm configure operation couldn't be allowed if vap-count>max-load-count causing some Vap

don't run properly (26)

2.1.22Confirm uninstall operation couldn't be allowed if vap-count>max-load-count causing some Vap

don't run properly (27)

2.1.23Confirm start/stop/restart operation couldn't be allowed if vap-count>max-load-count causing

some Vap don't run properly (28)

2.1.24Confirm R65 could be uninstalled from vap-group (29)

2.1.25Confirm R65 installation package could be remove from XOS by CLI: application-remove (30)

2.2C HECKPOINT F EATURES (31)

2.2.1Create GW and Set SIC, get topology from Smart Dashboard (31)

2.2.2Configure Policy and push policy (31)

2.2.3Confirm R65 could be started/stoped/restarted by cp-command (32)

2.2.4Confirm different kinds of rule actions could work - allow/drop/reject (33)

2.2.5Verify different kinds of tracking actions could work properly - log/alert/account (33)

2.2.6Verify static NAT and hide NAT work properly (34)

2.2.7Verify default license is installed automatically (34)

2.2.8Verify some usual fw commands output - fw ver -k/ fw ctl pstat/ fw tab/ fw stat/ cphaprob stat /fw

fetch /fw unloadlocal / fwaccel stat (34)

2.2.9Verify SXL status if enable/disable it (36)

2.2.10Verify the log information in SmartViewer are displayed correctly. (37)

2.2.11Verify the GW and its member information in SmartViewer are displayed correctly (37)

2.2.12Define a VPN Community between two GW; Confirm traffic can pass (37)

2.2.13Create a VPN client tunnel, make sure client can login and traffic is encrypted as it should (38)

2.2.14Enabling/Disabling SXL during connections (39)

2.2.15Fail over the active member during connections (39)

2.3I NTERFACE T EST-T RAFFIC MIXED WITH IPV6 AND IPV4 (39)

2.3.1Verify traffic pass through the interface without SXL - non vlan<--->vlan (tcp+udp+icmp) (39)