Managing the Device

In This Section: Internet Wireless Network Local Network Hotspot Routing MAC Filtering DNS Proxy System Operations Administrators Administrator Access Device Details Date and Time DDNS & Device Access Using System Tools Certificates - Installed Certificates High Availability Configuring Advanced Settings

This section describes how to set up and manage your Check Point Appliance.

Internet

The Device > Internet page shows how the Check Point Appliance connects to the Internet. You can configure a single Internet connection or multiple connections in High Availability or Load Balancing configurations. When multiple Internet connections are defined, the page shows them in a table. You can add a new connection and edit, delete, or disable existing connections. When there are multiple Internet connections, you can select which mode to use - High Availability or Load Balancing.

We recommend you contact your local Internet Service Provider (ISP) to understand how to configure your specific Internet connection.

Note - ADSL/VDSL settings are relevant only for devices that have a DSL port.

To configure Internet connectivity:

1. Click Configure Internet (if not configured at all), Add (for another Internet connection), or Edit.

   The New or Edit Internet Connection window opens.

2. Configure the fields in the tabs:

Configuration tab

Note - When you change the connection type, the appliance may disconnect from the Internet.

• Connection name - Enter a name for the connection or leave the default "InternetN" label (where N indicates an incrementing number).
• Interface name -
  • WAN or DMZ is for most types of Internet connections.
  • USB/Serial is for cellular or analog modems.
  • ADSL is for 1100 appliances only. The connection type is PPPoE, PPPoA, or EoA.
  • ADSL/VDSL is for DSL (1430/1450) appliances only. If you select the VDSL interface, you must select one of these for the connection type: PPPoE, IPoE - static IP, or IPoE - dynamic IP.

IPv4 connection types (all appliances):

• Connection type - Select the connection type:
  • DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network. The device retains the assigned address for a specified administrator-defined period.
  • Static IP - A fixed (non-dynamic) IP address.
  • PPPoE - A network protocol to encapsulate Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly in DSL systems. PPoE can run directly over the ADSL/VDSL interface. It can also run over WAN or DMZ interfaces that are typically connected to an external DSL modem. You must enter the IP address, the subnet mask, default gateway and DNS Server Settings.
  • IPoE - dynamic IP (1430/1450 appliances only) - The Internet IP of the appliance is imported through DHCP.
  • IPoE - static IP (1430/1450 appliances only) - The Internet IP of the appliance is determined statically. You must enter the IP address, the subnet mask, default gateway and DNS Server Settings.
  • PPTP - The Point-to-Point Tunneling Protocol (PPTP) uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.
  • L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol. It does not provide any encryption or confidentiality but relies on an encryption protocol that it passes within the tunnel to provide privacy.
  • Bridge - Connects multiple network segments at the data link layer (Layer 2).
  • Cellular Modem - Connect to the Internet with a cellular modem to the ISP through a 3G or 4G network. For this option, select the USB/Serial option in the Interface name.
  • Analog Modem - Connect to the Internet with an analog modem through a USB or serial port. For this option, select the USB/Serial option in Interface name.

    Note - If you use an analog modem through the serial port, you cannot connect to the appliance with the serial port or get terminal server functionality. For more on the terminal server, go to Device > Advanced Settings.

    Fill in the fields that are shown for the connection type.

    Note - You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \

  IPv6 connection types (1200R and 1400 appliances only):

  Note - The device can have only a single IPv5 Internet connection.

  • Static IPv6 - A fixed (non-dynamic) IP address.
  • Obtain automatically (DHCPv6/SLAAC) - In both Dynamic Host Configuration Protocol (DHCP) and Stateless Address Auto Configuration (SLAAC) the user does not set the IP as this is handled by the router/DHCP server. DHCPv6 issues a full IP address. SLAAC issues an IP address prefix, and the gateway completes the rest of the address according to discovery protocols.
  • PPPoE (IPv6 only) - A network protocol to encapsulate Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with DSL services where individual users connect to the DSL modem over Ethernet and Metro Ethernet networks.
  • PPPoE (IPv4/IPv6) - Same as PPPoE ( IPv6 only), but the user must first configure a type IPv4 PPPoE internet connection on the same interface. Use this option when the ISP provides both IPv4 and IPv6 addresses through the same PPPoE connection. This prevents the need to define the same dialer connection details more than once.
  • IPv6 Bridge - A Layer 2 bridge between internal and external networks, containing both IPv4 and IPv6 addresses (or just IPv6) to make the gateway reachable through the bridge in a dual stack/pure IPv6 network.

For PPPoE over ATM over VDSL/ADSL or IPoE over ATM over VDSL/ADSL (1430/1450 appliances), or for an ADSL interface (1100 appliances):

Enter the VPI number and VCI number you received from your service provider, and the Encapsulation type (LLC or VC_MUX).

For WAN/DMZ interfaces and static, DHCP, PPPoE, PPTP, and L2TP connection types

Or

For VDSL/ADSL interfaces and IPoE - dynamic IP and IPoE - static IP connection types over PTM:

• Use connection as VLAN - Select this checkbox to add a virtual Internet interface.
• VLAN ID - Enter a VLAN ID between 1 and 4094.

If you are in an Annex L system, in Advanced Settings, you must enable the Annex L and disable the Annex J/M.

If you are in an Annex M system, in Advanced Settings, you must enable Annex J/M and disable the Annex L. In all other Annex systems, no changes are needed to the default configuration.

Notes:

• Multiple internet connections can be established over a single VDSL/ADSL connection carrying PTM traffic or in the case of WAN and DMZ interfaces.
• Only one internet connection can be established over a VDSL/ADSL interface carrying ATM traffic or a USB interface.
• One IPoE or PPPoE connection can be established over ATM running over the DSL interface.
• A single IPoE connection or multiple PPPoE connections can be established over one untagged DSL interface carrying PTM traffic.
• A single IPoE connection or multiple PPPoE connections can be established over one VLAN tagged DSL interface carrying PTM traffic.
• A single DHCP or Static IP connection can be established over a USB interface.
• A single DHCP or Static IP connection or multiple PPPoE connections can be established over one untagged or one VLAN tagged WAN or DMZ interface.
• When all the ADSL standards are turned off in the Advanced Settings and you can only connect using the VDSL2 standard, the VPI, the VCI and the encapsulation options still appear even though they are not used to open an internet connection.

Connection Monitoring tab

• Automatically detect loss of connectivity to the default gateway - Select this option to detect connectivity loss by sending ARP requests (pinging) to the default gateway and expecting responses.
• Monitor connection state by sending probe packets to one or more servers on the Internet - Select this option to detect connectivity loss by using more methods and servers.
  • Connection probing method - Select one of the options.
    • Ping addresses - When you select this option, you can configure up to three servers by IP address or host name.
    • Probe DNS servers - When you select this option, the appliance probes the DNS servers as defined in the Internet connection and expects responses.

Advanced tab

For PPPoE

• IP Address Assignment (PPPoE IPv4 only) - In Local tunnel IP address, select if the IP address is obtained automatically or manually configured. If manually configured, enter the IP address.
• Service Provider Settings - In Service, enter a service name (optional) and select the Authentication method.
• Connect on demand - Select the Connect on demand checkbox if necessary. This is relevant only when you are in high availability mode.

For PPTP and L2TP

• IP Address Assignment -
  • In Local tunnel IP address, select if the IP address is obtained automatically or manually configured. If manually configured, enter the IP address.
  • In WAN IP assignment, select if the WAN IP address is obtained automatically or manually configured. If manually configured, enter the IP address, Subnet mask, and Default gateway.
• Service Provider Settings - In Service, enter a service name (optional) and select the Authentication method.
• Connect on demand - Select the Connect on demand checkbox if necessary. This is relevant only when you are in high availability mode.

Port Settings

• If necessary, select Use custom MTU value and set the MTU size.

  Note - For a DMZ interface the MTU value is applied to all LAN ports.

  To avoid fragmentation (which slows transmission), set the MTU according to the smallest MTU of all the network devices between your gateway and the packet destination.

  For static and DHCP mode, set MTU to 1500 or lower.

  For PPPoE connections, set MTU to 1492 or lower.

  Note - When the gateway is behind a modem that works as a NAT device, the MTU value of the gateway must be the same value as in the modem. If the modem has a PPPoE connection, set the MTU in the gateway to 1492 or lower.

• MAC address clone - If you select Override default MAC address, you can override the default MAC address used by the Internet connection. This is useful when the appliance replaces another device and wants to mimic its MAC address.
• If necessary, select Disable auto negotiation. This lets you manually define the link speed of the Internet connection.
  • Select the Link Speed.

QoS Settings (bandwidth control) - supported in IPv4 connections only

To enable QoS bandwidth control for download and upload for this specified connection, select the applicable Enable QoS (download) and/or Enable QoS (upload) checkboxes. Enter the maximum Kbps rates for the selected options as provided by your ISP for the Internet upload and download bandwidth.

Make sure that the QoS blade has been turned on. You can do this from Home > Security Dashboard > QoS > ON.

Note - QoS is not implemented for VDSL/ADSL interfaces.

ISP Redundancy - supported in IPv4 connections only

Multiple Internet connections can be configured in High Availability or Load Sharing modes. When you configure more than one Internet connection, the Device > Internet page lets you toggle between these options. The Advanced setting of each Internet connection lets you configure each connection's priority or weights based on the set mode.

• Clear the Route traffic through this connection by default checkbox when you do not want this Internet connection used as a default route for this gateway. The connection is used by the device only if specific, usually service-based, routing rules are defined for it. This is commonly used when you have a connection that is used for dedicated traffic. When you clear this option, this connection does not participate in High Availability or Load Balancing.
• High Availability - Priority - Select the priority for the connection. Lower priority connections are only used if higher priority connections are unavailable.
• Load Balancing - Weight - The traffic to the Internet is divided between all available connections based on their weights.

NAT Settings

If the gateway's global hide NAT is turned on in the Access Policy > NAT page, you can disable NAT settings for specified internet connections.

To disable NAT settings:

1. Go to Device > Internet.
2. Select an internet connection and click Edit.

   The Edit Internet Connection window opens.

3. Click Advanced > NAT Settings.
4. Select Do not hide internal networks behind this internet connection.
5. Click Apply.

Wireless Network

The Device > Wireless page shows the wireless network settings (if applicable). You can configure your main wireless network and also additional guest or standard wireless networks (VAPs - Virtual Access Points).

• Guest wireless network - Uses hotspot by default and is unprotected (no password required).
• Standard wireless network - Is a protected wireless network that requires a password and does not use a hotspot by default.

To delete the wireless network, go to Device > Local Network.

If multiple wireless networks (VAPs) are defined, the page shows them in a table, where you can add a new guest or standard wireless network and edit, delete, or disable existing ones.

To turn the Wireless network on or off:

• Move the slider to select the On or Off option. If you configured multiple VAPs, selecting Off turns them all off.
  Note- If you turn off the wireless radio and then turn it back on, the VAPs remain disabled. To enable the VAPs, you must select the relevant entries in the table and click Enable.
• To disable or enable the Wireless network, click Disable/Enable.

To edit the radio settings:

1. Click Radio settings.
2. Select the correct Operation mode, Channel, Channel width, and Transmitter power.
3. Click Advanced to set the Guard Interval and Antenna control.
4. Click Apply.

   This configuration is global for all wireless networks. Some options may not be available or allowed depending on your country's wireless standards.

   1100 appliances only: The wireless client search options depend on the frequency that the appliance is set to. The Check Point Appliance can be configured to only one frequency: 2.4 GHz. The Home > System page shows the wireless radio status.

   1430/1450 appliances only: The wireless client search options depend on the frequency that the appliance is set to. The Check Point Appliance can be configured to only one frequency at a time and is set to 2.4 GHz by default. If you change the radio settings to 802.11 ac or 802.11 ac/n, the frequency automatically changes to 5 GHz. The Home > System page shows the wireless radio status.

   1470/1490 appliances only: There are two radio transmitters: 2.4 GHz and 5 GHz. Each network is configured separately under a specified transmitter.

Dynamic Frequency Selection (DFS) detects radar signals that must be protected against interference from 5.0 GHz (802.11ac/n) radios. When these signals are detected, the operating frequency of the 5.0 GHz (802.11ac/n) radio switches to one that does not interfere with the radar systems. DFS is enabled by default.

To edit a wireless network:

Click Edit Settings.

The Edit window opens in the Configuration tab.

Configuration tab

• Network name (SSID) - Enter a name for the wireless network or use the default name. This is the name shown to clients that look for access points in the transmission area.
• Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface. Hotspot configuration is defined in the Device > Hotspot page.

Wireless Security

• Protected network (recommended) - This is the recommended wireless security setting.
  • Security type - Select the security technology used in your wireless network. WPA/WPA2 is the most compatible option. WPA2 is the most secure.
  • Encryption type - Select the encryption method.
  • Authenticate using - Select Password or RADIUS server (Enterprise mode) to determine how the users authenticate.

    The Password option allows a single password for all users. This option is known as WPA Personal.

    The RADIUS servers (Enterprise mode) option requires defining RADIUS servers in the Users & Objects > Authentication Servers page. Each user that tries to connect to the wireless network is authenticated through the RADIUS server. This option is also known as WPA Enterprise.

  • Network password - When authenticating using a password, enter a password or click Generate for an automatically generated password.
    • Show - To see the password, select this option. To hide it, clear the checkbox.
• Unprotected network (not recommended) - Without a password, any wireless client can connect to this network. This option is not recommended.

Advanced Settings

• Hide the Network Name (SSID) - When selected, this wireless network name is not automatically shown to users scanning for them. Connecting to the wireless network can be done manually by adding the specified network name.
• Allow Station-to-Station Traffic - When selected, allows wireless stations on this network to communicate with each other. When cleared, traffic between wireless stations is blocked.
• Enable MAC address filtering - When selected, by default, all wireless devices are not allowed to connect to the wireless network. To allow a specific device to connect, add a new MAC address to the table. Click New, enter the device's MAC address and click Apply.

Wireless Network tab

Interface Configuration

• Assigned to - Select Separate network or one of the existing configured networks. When selecting a separate network configure this information:
  • IP address

    Note - 1100 appliances only support IPv4 addresses. 1200R and 1400 appliances support both IPv4 and IPv6 addresses.

  • Subnet mask - for IPv4 addresses
  • Prefix length - for IPv6 addresses

DHCPv4 Server section

Select one of the options:

• Enabled - Enter the IP address range and if necessary the IP address exclude range. The appliance's own IP address is automatically excluded from this range. You can also exclude or reserve specific IP addresses by defining network objects in the Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device.
• Relay - Enter the DHCP server IP address.
• Disabled

IPv6 Auto Assignment section

Select one of the options:

• SLAAC (Stateless Address Autoconfiguration)
• DHCPv6 Server - Enter the IP address range and the IP addresses exclude range
• DHCPv6 Server Relay - Enter the DHCPv6 server IP address and the Secondary DHCPv6 server IP address

Access Policy tab

These options create automatic rules that are shown in the Access Policy > Firewall Policy page.

• Allow access from this network to local networks (Wireless network is trusted)
• Log traffic from this network to local networks

Advanced tab

Click the checkbox to exclude from DNS proxy.

Advanced IPv6 Settings

Configure the Router Advisement fields.

DHCP/SLAAC Settings tab

Note - In IPv4-only mode, this tab is called DHCP4 Settings.

The values for the DHCP options configured on this tab will be distributed by the DHCP server to the DHCP clients.

DHCP Server Settings (For DHCPv6/SLAAC)

Select one of these options:

• Auto - Use the DNS configuration of the device.
• Use the following IP addresses - Enter the first, second and third DNS servers.

DNS Server Settings (For DHCPv4)

These settings are effective only if a DHCPv4 server is enabled.

Select one of these options:

• Auto - This uses the DNS configuration of the appliance as configured in the Device > DNS and Device > Internet pages.
• Use the following IP addresses - Enter the IP addresses for the First DNS server, Second DNS server, and Third DNS server.

Default Gateway

Select one of these options:

• Use this gateway's IP address as the default gateway
• Use the following IP address - Enter an IP address to use as the default gateway.

WINS

Select one of these options:

• Use the WINS servers configured for the internet connection
• Use the following WINS servers - Enter the IP addresses of the First and Second WINS servers.

Lease

• Lease time - Configure the timeout in hours for a single device to retain a dynamically acquired IP address.

Other Settings

You can optionally configure these additional parameters so they will be distributed to DHCP clients:

• Time servers
• Call manager
• TFTP server
• TFTP boot file
• X-Windows display manager
• Avaya IP phone
• Nortel IP phone
• Thomson IP phone

Custom Options

Lets you add custom options that are not listed above. For each custom option, you must configure the name, tag, type, and data fields.

When you finish editing the network, click Apply.

Local Network

The Device > Local Network page lets you set and enable the local network connections, switches, bridge or wireless network (on wireless devices only).

Note - 1100 appliances only support IPv4 addresses. 1200R and 1400 appliances support both IPv4 and IPv6 addresses.

The Network table shows all available network connections.

The page also lets you:

• Configure multiple switches (port based VLANs) between the available local LAN interfaces and wireless networks. Between the LAN ports of a switch, traffic is not monitored or inspected. Note - MAC filtering is disabled on switch networks. To enforce MAC filtering on a network with several ports, use bridge.
• Configure multiple bridges between interfaces. Traffic in a bridge is always monitored and inspected by the appliance.
• Create and configure tag based VLANs (802.1q) on any of the LAN interfaces or DMZ.
• Create and configure VPN tunnels (VTI) which can be used to create routing rules which determine which traffic is routed through the tunnel and therefore also encrypted (Route based VPN).
• On wireless devices - Add new wireless networks (Virtual Access Points). This can also be done through the Device > Wireless page.

  1400 appliances only: There are two radio transmitters: 2.4 GHz and 5 GHz. Each network is configured separately under a specified transmitter.

To create any of the above options:

Click New and choose the option you want.

To edit/delete/enable/disable any of the above options:

Select the relevant row and click Edit/Delete/Enable/Disable.

Notes:

• Physical interfaces cannot be deleted.
• Editing an interface that is part of a switch or a bridge lets you remove it from the switch or bridge.
• When a LAN or DMZ interface is part of an Internet connection, it is still visible on this page, but can be only be configured through the Device > Internet page.
• For each network, the table on this page shows you:
  • Name - Name of the network, interfaces that participate (if there are multiple interfaces), and a description (optional)
  • Local IP Address
  • Subnet Mask
  • MAC Address
  • Status - Shows a status for physical interfaces and wireless networks:
    • Physical interfaces - Shows cable connection status of each physical interface that is enabled. Otherwise, it shows disabled.
    • Wireless networks - Shows if the wireless network is up or disabled.

To create/edit a switch:

Note - Between the LAN ports of a switch, traffic is not monitored or inspected. MAC filtering is disabled.

Configure the fields in the tabs:

Configuration tab

1. In Switch Configuration, select or clear the interfaces you want to be part of the switch. The table shows you which interfaces are already part of the switch (shown with checkmarks in the table) and which interfaces are not assigned yet and can be added to the switch (empty checkboxes in the table). For example, if LAN8 is already part of another switch, it does not show in this table.
2. From Assigned to, select an option:
   • Unassigned - The switch is not part of any network and cannot be used
   • Separate network - When you select a separate network, configure the settings for the switch
   • Monitor Mode - See below
3. Choose the IP address and Subnet mask the switch uses.
4. Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface. Hotspot configuration is defined in the Device > Hotspot page.
5. In DHCP Server:

Select one of the options:

• Enabled - Enter the IP address range and if necessary the IP address exclude range. The appliance's own IP address is automatically excluded from this range. You can also exclude or reserve specified IP addresses if you define network objects in the Users & Objects > Network Objects page. To reserve specified IP addresses, you must have the device MAC address.
• Relay - Enter the DHCP server IP address.
• Disabled

IPv6 Auto Assignment for IPv6 configurations:

• SLAAC (Stateless Address Autoconfiguration) - The host selects its own full IPv6 address after it receives the IPv6 address prefix from the gateway. The appliance cannot reserve an IPv6 address for a specific host (Mac Address).

  Note - The common use case is a prefix length of 64. If you change it from 64, make sure the internal hosts support the new length.

• DHCPv6 Server - Same as the DHCPv4. You can reserve an IP address for a specified host.
• DHCPv6 Server Relay - Same as in IPv4.
• Disabled (Static)

Monitor Mode

Security Gateways can monitor traffic from a Mirror Port or Span Port on a switch.

With Monitor Mode, the appliance uses Automatic Learning or user-defined networks to identify internal and external traffic, and to enforce policy.

Automatic Learning - The appliance automatically recognizes external networks by identifying the default gateway's network from requests to the Internet (specifically, requests to Google). The rest of the networks are considered internal.

User-Defined Networks - You can manually define internal networks. If a network is not defined as internal, it is considered external.

In both Automatic Learning and user-defined networks:

• Traffic to internal hosts is inspected by the Incoming/Internal/VPN Rule Base.
• Traffic to external hosts is inspected by the Outgoing Rule Base.
• Threat prevention's default configuration is optimized to inspect suspicious traffic from external hosts to internal hosts.

To configure monitor mode in the WebUI:

1. Go to Device > Local Network.
2. Select an interface and double-click.

   The Edit window opens in the Configuration tab.

3. In the Assigned To drop-down menu, select Monitor Mode.

   The Manually define internal networks checkbox shows.

4. To use Automatic Learning, do not select Manually define internal networks and click Apply.
5. To use your own network definitions, select Manually define internal networks.

   The network definition features and table show.

6. Click New.
7. Enter the network IP address.
8. Enter the subnet. An internal network can be a 255.255.255.255 subnet, for one host. For example, to monitor the traffic after the router, enter the IP address of the Default Gateway and the 255.255.255.255 subnet.
9. Click Apply.

   The Internal network you defined (with Monitor Mode in the name) shows in the list of interfaces.

Note - You can configure multiple local networks to be in monitor mode at the same time (1400 appliances only).

After you configure monitor mode:

1. Go to Device > Advanced Settings.
2. Turn off Anti-Spoofing.

To configure monitor mode in CLI:

1. To define a port for Monitor Mode:

   > set interface <portName> monitor-mode

2. To configure Monitor Mode Automatic Learning, disable user-defined networks:

   > set monitor-mode-configuration use-defined-networks false

3. To configure Monitor Mode with user-defined networks:

   > add monitor-mode-network ipv4-address <IP> subnet-mask <mask> > set monitor-mode-configuration use-defined-networks true

4. To see user-defined Internal networks:

   > show monitor-mode-network

5. To disable Anti-Spoofing:

   > set antispoofing advanced-settings global-activation false

If you do not see the Monitor Mode option:

1. Run this CLI command:

   set monitor-mode-configuration allow-monitor-mode true

2. Select an interface and click Edit.

   Monitor Mode is now added to the options list.

For more information on monitor mode, see sk112572.

To edit a physical interface:

Configure the fields in the tabs. Note that for the DMZ there is an additional tab Access Policy:

Configuration tab

• Assigned to - Select the required option:
  • Unassigned - The physical interface is not part of any network and cannot be used.
  • One of the existing configured switches or bridges
  • Separate network - When selecting a separate network configure this information:
    • IP address
    • Subnet mask
    • DHCP Server settings

    Select one of the options:

    Enabled - Enter the IP address range and if necessary the IP address exclude range. The appliance's own IP address is automatically excluded from this range. You can also exclude or reserve specific IP addresses by defining network objects in the Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device.

    Relay - Enter the DHCP server IP address.

    Disabled

Note - When you create a switch, you cannot remove the first interface inside unless you delete the switch.

Advanced tab

The options that are shown vary based on interface type and status. Configure the options that are applicable:

• Description - Enter an optional description. The description is shown in the local network table next to the name.
• MTU size - Configure the Maximum Transmission Unit size for an interface. Note that in the Check Point Appliance, the value is global for all physical LAN and DMZ ports.
• Disable auto negotiation - Select this option to manually configure the link speed of the interface.
• Override default MAC address – This option is for local networks except those on VLANs and wireless networks. Use this option to override the default MAC address of the network’s interface, when the device has two separate local networks connected to the same external switch.

  Best Practice - This is a rare configuration. Do not select this option unless you are sure you need it.

  Note - This option is not supported in 1100 appliances.

• Exclude from DNS proxy – Select this checkbox for any network that you do not want exposed to internal domains. In guest VAPs (wireless network for guests), this is selected by default.

Access Policy tab (only for DMZ)

These options create automatic rules that are shown in the Access Policy > Firewall Policy page.

• Allow access from this network to local networks
• Log traffic from this network to local networks

To create/edit a tag based VLAN:

You can create a new VLAN only if you have at least one physical interface that is not part of an existing network (switch or bridge).

Note - For more information on the maximum number of VLANs that you can configure for each appliance, refer to sk113247.

Configure the fields in the tabs:

Configuration tab

• VLAN ID - Enter a number that is the virtual identifier.
• Assigned to - Select the physical interface where the new virtual network is created.
• IP address
• Subnet mask
• Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface. Hotspot configuration is defined in the Device > Hotspot page.
• DHCP Server settings

  Select one of the options:

  • Enabled - Enter the IP address range and if necessary the IP address exclude range. The appliance's own IP address is automatically excluded from this range. You can also exclude or reserve specific IP addresses by defining network objects in the Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device.
  • Relay - Enter the DHCP server IP address.
  • Disabled

To create/edit a VPN Tunnel (VTI):

A Virtual Tunnel Interface (VTI) is a virtual interface on a Security Gateway that is related to an existing, Route Based VPN tunnel. The Route Based VPN tunnel works as a point-to-point connection between two peer Security Gateways in a VPN community. Each peer Security Gateway has one VTI that connects to the tunnel.

The VPN tunnel and its properties are defined by the VPN community that contains the two gateways. You must define the VPN community and its member Security Gateways before you can create a VTI.

Configure the fields in the tab:

Configuration tab

• VPN Tunnel ID - A number identifying the VTI.
• Peer - The name of the remote VPN site. See Configuring VPN Sites.

  The VPN tunnel interface can be numbered or unnumbered. Select the applicable option:

• Numbered VTI - You configure a local and remote IP address for a numbered VTI:
  • Local IPv4 address - The IP address to be used for the local point-to-point virtual interface.
  • Remote IP address - The IP address to be used at the peer gateway’s point-to-point virtual interface.
• Unnumbered VTI - When the VTI is unnumbered, it is not necessary to configure local and remote IP addresses. You define a local interface to use as the source IP address for outbound traffic.
  • Internet connection - Select from the list.
  • Local bridge interface - Select the local interface from the list.

To create/edit a bridge:

Configure the fields in the tabs:

Configuration tab

• In Bridge Configuration, select the networks you want to be part of the bridge.
• Enable Spanning Tree Protocol - When Spanning Tree Protocol (STP - IEEE 802.1d) is enabled, each bridge communicates with its neighboring bridges or switches to discover how they are interconnected. This information is then used to eliminate loops, while providing optimal routing of packets. STP also uses this information to provide fault tolerance, by re-computing the topology in the event that a bridge or a network link fails.
• Enter a Name for the bridge interface. Note that you can only enter "brN" where N is a number between 0 and 9. For example, br2.
• Choose the IP address and Subnet mask the switch uses.
• Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface. Hotspot configuration is defined in the Device > Hotspot page.
• DHCP Server

  Select one of the options:

  • Enabled - Enter the IP address range and if necessary the IP address exclude range. The appliance's own IP address is automatically excluded from this range. You can also exclude or reserve specific IP addresses by defining network objects in the Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device.
  • Relay - Enter the DHCP server IP address.
  • Disabled

Advanced tab

• MTU size - Configure the Maximum Transmission Unit size for an interface.
• Disable auto negotiation - Select this option to manually configure the link speed of the interface.
• Override default MAC address – This option is for local networks except those on VLANs and wireless networks. Use this option to override the default MAC address used by the network’s interface, when the device has two separate local networks connected to the same external switch.

  Best Practice - This is a rare configuration. Do not select this option unless you are sure you need it.

  Note – This option is not supported in 1100 appliances

• Exclude from DNS proxy – Select this checkbox for any network that you do not want exposed to internal domains. In guest VAPs (wireless network for guests), this is selected by default.

Advanced IPv6 Settings

Configure the Router Advisement fields.

To create/edit a Virtual Access Point (VAP):

See the Device > Wireless Network help page.

DHCP/SLAAC Settings tab

Note - In IPv4-only mode, this tab is called DHCPv4 Settings.

The values for the DHCP options configured on this tab will be distributed by the DHCP server to the DHCP clients.

DNS Server Settings (For DHCPv6/SLAAC)

Select one of these options:

• Auto - Use the DNS configuration of the device.
• Use the following IP addresses - Enter the first, second and third DNS servers.

DNS Server Settings (For DHCPv4)

These settings are effective only if a DHCPv4 server is enabled.

Select one of these options:

• Auto - This uses the DNS configuration of the appliance as configured in the Device > DNS and Device > Internet pages.
• Use the following IP addresses - Enter the IP addresses for the First DNS server, Second DNS server, and Third DNS server.

Default Gateway

Select one of these options:

• Use this gateway's IP address as the default gateway
• Use the following IP address - Enter an IP address to use as the default gateway.

WINS

Select one of these options:

• Use the WINS servers configured for the internet connection
• Use the following WINS servers - Enter the IP addresses of the First and Second WINS servers.

Lease section

• Lease time - Configure the timeout in hours for a single device to retain a dynamically acquired IP address.

Other Settings

You can optionally configure these additional parameters so they will be distributed to DHCP clients:

• Time servers
• Call manager
• TFTP server
• TFTP boot file
• X-Windows display manager
• Avaya IP phone
• Nortel IP phone
• Thomson IP phone

Custom Options

Lets you add custom options that are not listed above. For each custom option, you must configure the name, tag, type, and data fields.

Hotspot

In the Device > Hotspot page you can configure:

• Guest access - A session is created for an IP address when a user accepts terms or authenticates in the Hotspot portal. The session expires after the configured timeout (240 minutes by default).
• Hotspot portal - Customize the portal's appearance.
• Hotspot exceptions - Define specified IP addresses, IP ranges or networks to exclude from the Hotspot.

If no network interface was defined for the Hotspot, click Configure in Local Network.

In the Access section of the page, you can configure if authentication is required and allow access to all users or to a specified user group (Active Directory, RADIUS or local).

Hotspot is automatically activated in the system.

To turn off Hotspot:

1. Go to Device > Advanced Settings.
2. Search for Hotspot and double-click the entry.
3. Select Disabled.
4. Click Apply.

To configure Hotspot for an interface:

1. Click Configure in Local Network.

   The Local Network window opens.

2. Select interface and click Edit.

   The Edit <interface> window opens.

3. Select Use Hotspot.
4. Click Apply.

Any user that browses from configured interfaces is redirected to the Check Point Hotspot portal.

To configure Hotspot exceptions:

1. Click Manage Exceptions.

   The Manage Hotspot Network Objects Exceptions window opens.

2. Select the objects to add as exceptions.

   The Selected Network Objects window shows the selected objects. To remove an object from the list, click the x next to it.

3. To filter the object list, enter the filter value. The list shows the objects that match the filter.
4. If necessary, click New to add new objects to the list. For information on how to create a new object, see the Users & Objects > Network Objects page.
5. Click Apply.

   The added objects are excluded from the Hotspot.

To require user authentication:

1. Select the Require Authentication checkbox.
2. You can allow access to All users or to a Specific user group.
3. If you selected Specific user group, enter the group's name in the text box.
4. Click Apply.

   Any user/user group that browses from configured interfaces is redirected to the Check Point Hotspot portal and must enter authentication credentials.

To configure the session timeout:

1. In Session timeout, enter the number of minutes that defines how long a user stays logged in to the session before it is ends.
2. Click Apply.

To customize the portal appearance:

1. Click Customize Hotspot portal.
2. For Portal title - Keep the default or enter a different title.
3. For Portal message - Keep the default or enter a different message.
4. For Terms of use - Select this checkbox to add an "I agree with the following terms and conditions" checkbox on the Hotspot portal page. Enter the terms and conditions text in the text box. When users click the "terms and conditions" link, this text shows.
5. To customize a logo for all portals shown by the appliance (Hotspot and captive portal used by User Awareness), click Upload, browse to the logo file and click Apply. If necessary, click Use Default to revert to the default logo.
6. Click Apply.

To prevent simultaneous login to the Hotspot portal:

1. Go to Device > Advanced Settings.
2. Select Hotspot.
3. Click Edit.

   The Hotspot window opens.

4. Click the checkbox for Prevent simultaneous login.
5. Click Apply.

   The same user cannot log in to the Hotspot portal from more than one computer at a time.

On the Active Computers page (available through the Home and Logs & Monitoring tabs), you can revoke Hotspot access for connected users.

Routing

The Device > Routing page shows routing tables with the routes added on your appliance.

Note - 1100 appliances support only IPv4 addresses. 1200R and 1400 appliances support both IPv4 and IPv6 IP addresses.

On this page:

• You can add or edit routes and configure manual routing rules. You cannot edit system defined routes.
• You can specify routes for and associate IP addresses with selected VPN tunnels. To add, delete, and modify the IP addresses, use dynamic routing protocols.

For every route:

Table Columns	Description
Destination	The route rule applies only to traffic whose destination matches the destination IP address/network.
Source	IPv4 only. The route rule applies only to traffic whose source matches the source IP address/network
Service	IPv4 only. The route rule applies only to traffic whose service matches the service IP protocol and ports or service group.
Next Hop	The next hop gateway for this route, with these options: Specified IP address of the next hop gateway Specified Internet connection from the connections configured in the appliance Specified VPN Tunnel Interface (VTI)
Metric	Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is selected.

To add a new static route (IPv4 addresses):

1. In Device > Routing, above the Routing Table, click New.

   The New Routing Rule window opens with this message: Traffic from any source to any destination that belongs to any service should be routed through the next hop.

2. Click next hop and select an option in the new window that opens:
   • IP Address - Enter the IP address.
   • Internet connection - Select an internet connection.
   • VPN Tunnel (VTI) - Select the VPN Tunnel.
3. Click OK.
4. Click any source and select an option in the new window that opens:
   • Any
   • Specified IP address - Enter the IP Address and Mask
5. Click any destination and select an option in the new window that opens:
   • Any
   • Specified IP address - Enter the IP Address and Mask
6. Click OK.
7. Click any service and select a service name or enter a service name in the search field. You can create a new service or service group.

   Note - Static routes are not supported for source based or service based routes.

8. Optional - Enter a comment.
9. Enter a Metric between 0 and 100. The default is 0.
10. Click Apply.

To configure a default route:

1. Go to Device > Local Network page.
2. Select an interface and click Edit.

   The Edit window opens in the Configuration tab.

3. Click the DHCP Server options tab.
4. In the Default Gateway section,
   • Click Use this gateway's IP address as the default gateway.

     Or

   • Select Use the following IP address and enter an IP address.
5. Click Apply.

To edit a default route:

1. In Device > Internet, click the Internet connection.
2. Click Edit.

   The Edit Internet Connection window opens in the Configuration tab.

3. Set the Default gateway (next hop) to a different IP address.
4. Click Apply.

When no default route is active, this message shows: "Note - No default route is configured. Internet connections might be down or not configured."

For Internet Connection High Availability, the default route changes automatically on failover (based on the active Internet connection).

When a network interface is disabled, all routes that lead to it show as inactive in the routing page. A route automatically becomes active when the interface is enabled. Traffic for an inactive route is routed based on active routing rules (usually to the default route).

The edit, delete, enable, and disable options (on the Device > Local Network page) are only available for manually defined routing rules created on this page. You cannot edit, delete, enable, and disable routing rules created by the operating system for directly attached networks or rules defined by the dynamic routing protocol.

To edit an existing route:

Select the route and click Edit.

To delete an existing route:

Select the route and click Delete.

To enable/disable an existing route:

Select the route and click Enable or Disable.

MAC Filtering

MAC Filtering

MAC Filtering lets you manage a whitelist of MAC addresses that can access the LAN. All others are blocked. The list is global for all interfaces defined on physical LAN ports.

To enable MAC filtering:

1. Turn the slider to ON.
2. Add a MAC address to the LAN MAC Filter whitelist.

   Note - MAC filtering is not active when no MAC addresses are defined.

After MAC filtering is enabled, you can disable the feature for specified networks.

To edit the LAN MAC Filter whitelist:

1. Go to Device > MAC Filtering > LAN MAC Filter.
2. To add a new MAC Address, click Add > New.
3. To select MAC addresses from the list of Active Computers, click Add > Select.
4. To edit a MAC address, select it from the list and click Edit.
5. To delete a MAC address, select it from the list and click Delete.

To disable MAC filtering for a specific interface:

1. Go to Device > Local Network.
2. Select a LAN interface and click Edit

   The Edit LAN window opens.

3. Click Advanced.
4. Select Disable MAC filtering.

   To enable, clear this option.

5. Click Apply.

Limitations:

• MAC filtering is not supported on external interfaces and over switches between physical LAN ports (port-based VLANs). If you configure a physical switch between multiple LAN ports, you cannot activate MAC filtering on this network. Replace the switch with a bridge configuration.
• To disable MAC filtering for a bridged LAN interface, you must reboot.
• Traffic from a remote encryption domain is not MAC filtered.
• Broadcast traffic such as ARP and DHCP is not blocked.
• To configure MAC filtering for a DMZ interface, you must use CLI. You cannot configure MAC filtering in the WebUI.

802.1x Authentication Protocol

IEEE 802.1x is a port-based network access protocol that provides an authentication mechanism for devices that are physically attached to the network.

802.1x authentication is enabled only when you define a LAN or a DMZ network as a separate network and a RADIUS server is defined.

Workflow:

1. Configure a RADIUS Server. See Managing Authentication Servers.
2. Define it on the appliance
3. Activate 802.1x authentication on a separate LAN interface (includes the DMZ when not used as an internet connection), or a tag-based VLAN interface defined on one of the LAN physical ports.

If you configure a physical switch (port-based VLAN) between multiple LAN ports, you cannot activate the 802.1x protocol on this network. Replace the switch with a bridge configuration.

To enable 802.1x authentication on a separate LAN interface:

1. Go to Device > Local Network.
2. Select the LAN interface and click Edit.

   The Edit window opens in the Configuration tab.

3. For Assigned to: select Separate network.
4. In the Advanced tab, select Activate 802.1x authentication.
5. Enter a time for Re-authentication frequency (in seconds).
6. Click Apply.

To enable 802.1x authentication on a tag based VLAN interface:

1. Go to Device > Local Network.
2. Select the LAN and click New > VLAN.

   The New VLAN window opens in the Configuration tab.

3. For Assigned to: select the LAN ID.
4. In the Advanced tab, select Activate 802.1x authentication.
5. Enter a time for Re-authentication frequency (in seconds).
6. Click Apply.

To disable 802.1x authentication on an interface:

1. Go to Device > Local Network.

   Select the LAN interface and click Edit.

2. The Edit window opens in the Configuration tab.
3. Click the Advanced tab.
4. Clear Activate 802.1x authentication.
5. Click Apply.

To configure logging for MAC filtering and 802.1x authentication:

1. Go to Device > Advanced Settings.
2. Set the value of the MAC Filtering settings - Log blocked MAC addresses attribute to
   • Enabled - To enable logging
   • Disabled - To disable logging.

   Note - This attribute is available only in Locally Managed mode. In Centrally Managed mode, configure logging with CLI.

3. Optional -
   • To reduce the number of logs, specify the value of the MAC Filtering settings - Log suspension attribute in seconds.
   • To show all logs, set the value to “0”.

Note - Traffic dropped in the WiFi driver is not logged.

DNS

In the Device > DNS page you can configure the DNS server configuration and define the domain name.

To configure DNS:

1. Select to define up to three DNS servers which is applied to all Internet connections or use the DNS configuration provided by the active Internet connection (Primary).

   If you select Configure DNS servers, make sure that you enter valid IP addresses.

   Use the first option if your DNS servers are located in the headquarters office. In this case, all DNS requests from this branch office are directed to these DNS servers.

   The second option allows a more dynamic definition of DNS servers. The gateway uses the DNS settings of the currently-active Internet connection (in case of static IP – the DNS manually provided under "Internet connection"-> Edit, in case of DHCP / Dialers – the DNS automatically provided by the ISP). If Internet Connection High Availability is enabled, the DNS servers switch automatically upon failover.

2. By default, the Check Point Appliance functions as your DNS proxy and provides DNS resolving services to internal hosts behind it (network objects). This option is global and applies to all internal networks.

   To get IP addresses directly from the DNS servers defined above, clear the Enable DNS Proxy checkbox.

   When DNS proxy is enabled, Resolve Network Objects controls if the DNS proxy treats the local network objects as a hosts list. When selected, the local DNS servers resolves network object names to their IP addresses for internal network clients.

3. Enter a Domain Name. There are two separate uses of the domain name:
   • Local hosts (the Security Gateway and network objects) are optionally appended with the domain name when DNS resolving is performed.
   • DNS queries that do not contain a domain name are automatically appended with the domain name.

   Note these syntax guidelines:

   • The domain name must start and end with an alphanumeric character.
   • The domain name can contain periods, hyphens, and alphanumeric characters.
4. Click Apply.

Proxy

In the Device > Proxy page, you can configure a proxy server to use to connect to the Check Point update and license servers.

To configure a proxy server:

1. Select Use a proxy server.
2. Enter a Host name or IP address.
3. Enter a Port.
4. Click Apply.

System Operations

In the Device > System Operations page you can:

• Reboot
• Restore factory default settings
• Revert to the factory default image and settings
• Automatically or manually upgrade the appliance firmware to the latest Check Point version
• Revert to earlier firmware image
• Backup appliance settings to a file stored on your desktop computer
• Restore a backed up configuration
• Enable IPv6 networking and enforce IPv6 security (1200R and 1400 appliances only)

To reboot the appliance:

1. Click Reboot.
2. Click OK in the confirmation message.

   The appliance reboots.

To restore factory default settings:

1. Click Default Settings.
2. Click OK in the confirmation message.

   The factory default settings are restored. The appliance reboots to complete the operation.

   Note - This does not change the software image. Only the settings are restored to their default values (IP address https://192.168.1.1:4434, the username: admin and password: admin).

To revert to the factory default image:

1. Click Factory Defaults.
2. Click OK in the confirmation message.

   The factory default settings are restored. The appliance reboots to complete the operation.

   Note - This restores the default software image which the appliance came with and also the default settings (IP address https://192.168.1.1:4434, the username: admin and password: admin).

To make sure you have the latest firmware version:

Click Check now.

To automatically upgrade your appliance firmware when Cloud Services is not configured:

1. Click Configure automatic upgrades.

   The Automatic Firmware Upgrades window opens.

2. Click Perform firmware upgrades automatically.
3. Select the upgrade option to use when new firmware is detected:
   • Upgrade immediately

   Or

   • Upgrade according to this frequency.
4. If you selected Upgrade according to this frequency, select one of the Occurs options:
   • Daily - Select the Time of day.
   • Weekly - Select the Day of week and Time of day.
   • Monthly - Select the Day of month and Time of day.
5. Click Apply.

Notes:

• When a new firmware upgrade is available, a note shows the version number. Click Upgrade Now to upgrade it immediately, or click More Information to see what is new in the firmware version.
• If the gateway is configured by Cloud Services, automatic firmware upgrades are locked. They can only be set by Cloud Services.

To manually upgrade your appliance firmware:

1. Click Manual Upgrade.

   The Upgrade Software Wizard opens.

2. Follow the Wizard instructions.

   Note - The firewall remains active while the upgrade is in process. Traffic disruption can only be caused by:

   • Saving a local image before the upgrade (this causes the Firewall daemon to shut down). This may lead to disruption in VPN connections.
   • The upgrade process automatically reboots the appliance.

To revert to an earlier firmware image:

1. Click Revert to Previous Image.
2. Click OK in the confirmation message.

   The appliance reboots to complete the operation.

To backup appliance settings:

1. Click Backup.

   The Backup Settings page opens.

2. To encrypt the backup file, select the Use File Encryption checkbox. Set and confirm a password.
3. To back up the security policy installed on the appliance, select the Backup Security Policy checkbox. You can add Comments about the specific backup file created.
4. Click Save Backup. The File Download dialog box appears. The file name format is <current software version>-<YY-Month-day>-<HH_MM_Seconds>.zip
5. Click Save and select a location.

To restore a backed up configuration:

1. Click Restore. The Restore Settings page appears.
2. Browse to the location of the backed up file.
3. Click Upload File.

Important Notes

• To replace an existing appliance with another one (for example, upon hardware failure) you can restore the settings saved on your previous appliance and reactivate your license (through Device > License).
• To duplicate an existing appliance you can restore the settings of the original appliance on the new one.
• Restoring settings of a different version is supported, but not automatically between every two versions. If the restore action is not supported between two versions, the gateway does not allow you to restore the settings.

IPv6 Mode

To enable IPv6 networking and enforce IPv6 security (1200R and 1400 appliances only):

1. Click IPv6 Enforcement Settings.

   The IPv6 Enforcement Settings window opens.

2. To enforce IPv6 security policy, click the checkbox.
3. To enable IPv6 networking, click the checkbox.
4. Click Apply.

   Note - This causes the appliance to reboot.

System Operations > Upgrade

Follow the instructions in each page of the Software Upgrade Wizard.

During the wizard click Cancel to quit the wizard.

Welcome

Click the Check Point Download Center link to download an upgrade package as directed. If you already downloaded the file, you can skip this step.

Upload Software

Click Browse to select the upgrade package file.

Click Upload. This may take a few minutes. When the upload is complete, the wizard automatically validates the image. A progress indicator at the bottom of the page tells you the percentage completed. When there is successful image validation, an "Upload Finished" status shows.

Upgrade Settings

The system always performs an upgrade on a separate flash partition and your current-running partition is not affected. You can always switch back to the current image if there is an immediate failure in the upgrade process. If the appliance does not come up properly from the boot, disconnect the power cable and reconnect it. The appliance automatically reverts to the previous image.

Click the Revert to Previous Image button on the System Operations page to return to an earlier image. The backup contains the entire image, including the firmware, all system settings and the current security policy.

When you click Next, the upgrade process starts.

Upgrading

The Upgrading page shows an upgrade progress indicator and checks off each step as it is completed.

• Initializing upgrade process
• Installing new image

System Operations > Backup

In the Device > System Operations page you can backup and restore system settings.

To create a backup file:

1. Click Create Backup File.

   The Backup Settings window opens.

2. To encrypt the file, click Use file encryption.

   If you select this option, you must enter and confirm a password.

3. Optional - add a comment about the backup file.
4. Click Create Backup.

   System settings are backed up.

The backup file includes all your system settings such as network settings and DNS configuration. The backup file also contains the Secure Internal Communication certificate and your license.

If you want to replace an existing appliance with another one, you can restore the settings of your previous appliance and re-activate your license (through License Page > Activate License).

If you want to duplicate an existing appliance, you can restore the settings of the original appliance on the new one. Make sure to change the IP address of the duplicated appliance (Device > Internet page) and generate a new license.

To configure a periodic backup to the FTP server:

1. Go to Device > System Operations > Backup and Restore System Settings.
2. Click Settings.

   The Periodic Backup Settings window opens.

3. Click Enable scheduled backups.
4. Configure the file storage destination (see below).
5. Optional - Select Use file encryption.

   If you select this option, you must enter and confirm a password.

6. In Schedule Periodic Backup, select frequency:
   • Daily - Select time of day (hour range).
   • Weekly - Select day of week and time of day.
   • Monthly - Select day of month and time of day. Note - If a month doesn't include the selected day, the backup is executed on the last day of the month.
7. Click Apply.

To configure a file storage destination:

1. In Device > System Operations > Backup and Restore System Settings, click Settings.

   The Periodic Backup Settings window opens.

2. Click Enable scheduled backups.
3. Enter a Backup server path.
4. Enter a username and password.
5. Click Apply.

Administrators

The Device > Administrators page lists the Check Point Appliance administrators and lets you:

• Create new local administrators
• Configure the session timeout
• Limit login failure attempts

Administrators can also be defined in a remote RADIUS server and you can configure the appliance to allow them access. Authentication of those remotely defined administrators is done by the same RADIUS server.

Administrator Roles:

• Super Administrator - All permissions. Super Administrators can create new locally defined administrators and change permissions for others.
• Read Only Administrator - Limited permissions. Read Only Administrators cannot update appliance configuration but can change their own passwords or run a traffic monitoring report from the Tools page.
• Networking Administrator - Limited permissions. Networking Administrators can update or modify operating system settings. They can select a service or network object but cannot create or modify it.

Two administrators with write permissions cannot log in at the same time. If an administrator is already logged in, a message shows. You can choose to log in with Read-Only permission or to continue. If you continue the login process, the first administrator session ends automatically.

The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows.

To create a local administrator:

1. Click New.

   The Add Administrator page opens.

2. Configure the parameters (name, password, and password confirmation). The hyphen (-) character is allowed in the administrator name. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘ " # + \
3. Select the Administrator Role.
4. Click Apply.

   The name and Administrator Role is added to the table. When logged in to the WebUI, the administrator name and role is shown at the top of the page.

To edit the details of locally defined administrators:

1. Select the administrator from the table and click Edit.
2. Make the relevant changes.
3. Click Apply.

To delete a locally defined administrator:

1. Select an administrator from the list.
2. Click Delete.
3. Click Yes in the confirmation message.

Note - You cannot delete an administrator who is currently logged in.

To allow access for administrators defined in a remote RADIUS server:

1. Make sure administrators are defined in the remote RADIUS server.
2. Make sure a RADIUS server is defined on the appliance. If there is no server, click the RADIUS configuration link at the top of this page. You must configure the IP address and shared secret used by the RADIUS server.

   Note - 1100 appliances only support IPv4 addresses. 1200R and 1400 appliances support both IPv4 and IPv6 addresses.

3. When you have a configured RADIUS server, click edit permissions.

   The RADIUS Authentication window opens.

4. Click the Enable RADIUS authentication for administrators checkbox.

   Use roles defined on RADIUS server is selected by default.

5. Configure the role for each user on the RADIUS server. See additional details below.

   Note - A user without role definition will get a login error.

6. If you select Use default role for RADIUS users, select the Administrators Role:
   • Super Admin
   • Read only
   • Networking Admin
7. To define groups, click Use specific RADIUS groups only and enter the RADIUS groups separated by a comma.
8. Click Apply.

To set the Session Timeout value for both local and remotely defined administrators:

1. Click Security Settings.

   The Administrators Security Settings window opens.

2. Configure the session timeout (maximum time period of inactivity in minutes). The maximum value is 999 minutes.
3. To limit login failure attempts, click the Limit administrators login failure attempts checkbox.
4. Enter the number of Maximum consecutive login attempts allowed before an administrator is locked out.
5. In Lock period, enter the time (in seconds) that must pass before a locked out administrator can attempt to log in again.
6. To enforce password complexity on administrators, click the checkbox and enter the number of days for the password to expire.
7. Click Apply.

Note - This page is available from the Device and Users & Objects tabs.

Configuring a RADIUS Server for non-local Check Point Appliance users:

Non-local users can be defined on a RADIUS server and not in the Check Point Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Note - The configuration of the RADIUS Servers may change according to the type of operating system on which the RADIUS Server is installed.

Note - If you define a RADIUS user with a null password (on the RADIUS server), the appliance cannot authenticate that user.

To configure a Steel-Belted RADIUS server for non-local appliance users:

1. Create the dictionary file checkpoint.dct on the RADIUS server, in the default dictionary directory (that contains radius.dct). Add these lines to the file:

   @radius.dct MACRO CheckPoint-VSA(t,s) 26 [vid=2620 type1=%t% len1=+2 data=%s%] ATTRIBUTE CP-Gaia-User-Role CheckPoint-VSA(229, string) r ATTRIBUTE CP-Gaia-SuperUser-Access CheckPoint-VSA(230, integer) r

2. Add the following lines to the vendor.ini file on RADIUS server (keep in alphabetical order with the other vendor products in this file):

   vendor-product = Check Point Appliance dictionary = nokiaipso ignore-ports = no port-number-usage = per-port-type help-id = 2000

3. Add to the dictiona.dcm file the line:
   “@checkpoint.dct”
4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

   CP-Gaia-User-Role = <role>

   Where <role> allowed values are:

   Administrator Role	Value
   Super Admin	adminrole
   Read only	monitorrole
   Networking Admin	networkingrole

To configure a FreeRADIUS server for non-local appliance users:

1. Create the dictionary file dictionary.checkpoint in /etc/freeradius/ on the RADIUS server:

   # # Check Point dictionary file for freeradius AAA server # VENDOR CheckPoint 2620 ATTRIBUTE CP-Gaia-User-Role 229 string CheckPoint ATTRIBUTE CP-Gaia-SuperUser-Access 230 integer CheckPoint

2. Add to /etc/freeradius/dictionary the line:
   “$INCLUDE dictionary.checkpoint”
3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

   CP-Gaia-User-Role = <role>

   Where <role> is the name of the administrator role that is defined in the WebUI.

   Administrator Role	Value
   Super Admin	adminrole
   Read only	monitorrole
   Networking Admin	networkingrole

To configure an OpenRADIUS server for non-local appliance users:

1. Create the dictionary file dict.checkpoint in
   /etc/openradius/subdicts/
   on the RADIUS server:

   # Check Point Gaia vendor specific attributes # (Formatted for the OpenRADIUS RADIUS server.) # Add this file to etc/openradius/subdicts/ and add the line # "$include subdicts/dict.checkpoint" to etc/openradius/dictionaries # right after dict.ascend. $add vendor 2620 CheckPoint $set default vendor=CheckPoint space=RAD-VSA-STD len_ofs=1 len_size=1 len_adj=0 val_ofs=2 val_size=-2 val_type=String nodec=0 noenc=0 $add attribute 229 CP-Gaia-User-Role $add attribute 230 CP-Gaia-SuperUser-Access val_type=Integer val_size=4

2. Add the line
   $include subdicts/dict.checkpoint
   to
   /etc/openradius/dictionaries
   immediately after dict.ascend
3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

   CP-Gaia-User-Role = <role>

   Where <role> is the name of the administrator role that is defined in the WebUI.

   Administrator Role	Value
   Super Admin	adminrole
   Read only	monitorrole
   Networking Admin	networkingrole

To log in as a Super User:

A user with super user permissions can use the Check Point Appliance shell to do system-level operations, including working with the file system.

1. Connect to the Check Point Appliance platform using an SSH client or serial console client.
2. Log in to the clish shell using your user name and password.
3. Run Expert
4. Enter the expert password.

Administrator Access

The Device > Administrator Access page lets you configure the IP addresses and interface sources that administrators can use to access the Check Point Appliance. You can also configure the Web and SSH ports.

Note - 1100 appliances support only IPv4 addresses. 1200R and 1400 appliances support both IPv4 and IPv6 addresses.

First set the interface sources from which allowed IP addresses can access the appliance.

To set the interface sources from which administrator access is allowed:

Select one or more of the options:

• LAN - All internal physical ports
• Trusted wireless - Wireless networks that are allowed access to the LAN by default (only in Wireless Network models.)
• VPN - Uses encrypted traffic through VPN tunnels from a remote site or uses a remote access client
• Internet - Clear traffic from the Internet (not recommended to allow access from all IP addresses)

To allow administrator access from any IP address:

1. Select the Any IP address option. This option is less secure and not recommended. We recommend you allow access from the Internet to specific IP addresses only.
2. Change the WEB Port (HTTPS) and/or SSH port if necessary.
3. Click Apply. An administrator can access the Check Point Appliance using any IP address through the allowed interface sources.

To allow administrator access from specified IP addresses:

1. Select the Specified IP addresses only option.
2. Click New.

   The IP Address Configuration page shows.

3. Select Type:
   • IPv4 address
   • IPv4 network
   • IPv6 address (1200R and 1400 appliances only)
   • IPv6 network (1200R and 1400 appliances only)
4. Enter the IP address or click Get IP from My Computer.
5. Click Apply.

   The IP address is added to the table.

6. Change the WEB Port (HTTPS) and/or SSH port if necessary.
7. Click Apply. An administrator can access the Check Point Appliance using the configured IP addresses through the allowed interface sources.

To allow administrator access from both specified and any IP addresses:

Select this option when it is necessary to allow administrator access from the Internet (you must define the specified IP addresses). Access from other sources is allowed from any IP address.

1. Select the Internet source checkbox.
2. Select the Specified IP addresses from the internet and any IP address from other sources option.
3. Click New.

   The IP Address Configuration page shows.

4. Select Type:
   • IPV4 address
   • IPv4 network
   • IPv6 address (1200R and 1400 appliances only)
   • IPv6 network (1200R and 1400 appliances only
5. Enter the IP address or click Get IP from My Computer.
6. Click Apply.

   The IP address is added to the table.

7. Change the WEB Port (HTTPS) and/or SSH port if necessary.
8. Click Apply. An administrator can access the Check Point Appliance using the configured IP addresses through the allowed interface sources.

To delete administrator access from a specific IP address:

1. Select the IP Address you want to delete from the IP Address table.
2. Click Delete.

Important Notes:

• Configuring different access permissions for LAN and Internet is not supported when your Internet Connection is configured in bridge mode (the option Allow administration access from does not show Internet or LAN).
• An automatic implied rule is defined to allow the access specified here. There is no need to add an explicit rule in the Access Policy page to allow this access.
• When you block the IP address or the interface group through which you are currently connected, you are not disconnected immediately. The access policy is applied immediately, but your current session remains active until you log out.

Device Details

In the Device > Device Details page, you can:

• Enter an Appliance Name for the appliance to identify the Check Point Appliance.

  Note - The appliance name can only contain alphanumeric characters and the hyphen character. Do not use the hyphen character as the first or last character.

  Important - If the gateway's Internet connection is assigned an IP address dynamically and the identifier option in SmartDashboard is set to Gateway name, the Appliance Name must be identical to the Check Point Appliance name defined for the Check Point Appliance object in SmartDashboard.

• For wireless devices only - Configure the Country. The allowed wireless radio settings vary based on the standard of each country.
• Assign a Web portal certificate.

To assign a Web portal certificate:

1. Click the downward arrow next to the Web portal certificate field.

   The list of uploaded certificates shows.

2. Select the desired certificate.
3. Click Apply.
4. Reload the page.

Date and Time

The Device > Date and Time page shows the current system time and lets you define the Check Point Appliance date and time, optionally using NTP.

To manually configure date and time:

1. Select the Set Date and Time Manually option.
2. Enter the current Date and Time. Click the calendar icon to enter the date. Specify whether the time is AM or PM.
3. Click Apply.

To use Network Time Protocol (NTP) to synchronize the clocks of computers on the network:

1. Select the Set Date and Time Using a Network Time Protocol (NTP) Server option.
2. Enter the Host name or IP addresses of the Primary NTP Server and Secondary NTP Server. If the Primary NTP Server fails to respond, the Secondary NTP Server is queried.
3. Set the Update Interval (minutes) field.
4. Select the NTP Authentication checkbox if you want to supply a Shared Secret and a Shared Secret Identifier (this is optional). You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘ " # + \
5. Click Apply.

Time Zone

1. From the Local Time Zone list, select the correct time zone option.
2. Select the Automatically adjust clock for daylight saving changes checkbox to enable automatic daylight saving changes.
3. Click Apply.

DDNS & Device Access

In the Device > DDNS & Device Access page, you can:

• Configure DDNS account details in one of the supported providers.
• Configure a service that lets you remotely connect to the appliance in instances where it is behind NAT, a firewall, or has a dynamically assigned IP address.

DDNS

When you configure DDNS, the appliance updates the provider with its IP addresses. Users can then connect to the device with a host name from the provider instead of IP addresses.

This is especially important for remote access users who connect to the device to the internal network through VPN.

To configure DDNS:

1. Select Connect to the appliance by name from the Internet (DDNS).
2. Enter the details of your account on the page:
   • Provider - Select the DDNS provider that you set up an account with.
   • User name - Enter the user name of the account.
   • Password - Enter the password of the account. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘ " # + \
   • Host name - Enter your routable host name as defined in your DDNS account.

   For more information about these details, refer to your provider's website.

3. Make sure Reinitialize internal certificates is selected. When you enable this feature or change settings, you must reinitialize the internal certificates for them to be valid for the new DNS.

Reach My Device

Reach My Device lets you remotely connect to the appliance from the Internet so that you can use the WebUI or CLI when necessary. This is done by tunneling the administrative UI or CLI connections through a Check Point Cloud Service. Such configuration is very useful in instances where the appliance is behind a NAT device or firewall, and cannot be reached directly. In addition, the feature makes it easier to access an appliance with a dynamically assigned IP address.

Item	Description
1	Register the Check Point Appliance to the Check Point Cloud Service - When you first enter the Device > DDNS & Device Access page you see a link to register the appliance. Use the procedure below to register the appliance to the service.
2	When registration is complete - An outgoing tunnel to the Check Point Cloud Service is established with the appliance's IP address. In the WebUI, the Device > DDNS & Device Access page shows: Validation token - A token you enter to make sure the host name is valid. This token verifies that an existing name belongs to this appliance owner. Web link - Use this URL in a browser to remotely access the appliance. For example: https://mygateway-web.smbrelay.checkpoint.com When the login page shows, enter the applicable user name and password. Shell link - Use this URL in a browser to open an SSH connection to the appliance to use CLI commands. For example: https://mygateway-shell.smbrelay.checkpoint.com Enter the administrator credentials.
3	When an administrator requires access to the WebUI or CLI, the applicable URL is entered in a browser and gets to the Web Service in the cloud.
4	The administrator gains access to the appliance WebUI or CLI through a pipe established by the Check Point Cloud Service to the appliance.

To register to allow connections to the appliance when it is unreachable from the Internet:

1. Click Register.

   The Reach My Device window opens.

2. In Host name, use the default host name or enter a name for this Check Point Appliance to enable remote access to it.
3. If the host name has already been defined, select Register with an existing home name and enter the Validation token of the gateway.
4. Click Apply.

   The validation token, web link, and shell link are shown on the DDNS & Appliance Access page.

5. Go to Device > Administrator Access. Configure Internet as a source for administrator access and set specified IP addresses.

Using System Tools

See Using System Tools.

Certificates - Installed Certificates

On the Installed Certificates page, you can create and manage appliance certificates or upload a P12 certificate. Uploaded certificates and the default certificates are displayed in a table. To see certificate details, click the certificate name.

On the Device > Device Details page, you can select and assign a Web portal certificate from the list of installed certificates.

Installed certificates are used in the Web portal.

These are the steps to create a signed certificate:

1. Create a signing request.
2. Export the signed request (download the signing request from the appliance).
3. Send the signing request to the CA.
4. When you receive the signed certificate from the CA, upload it to the appliance.

To create a new certificate to be signed by a CA:

1. Click New Signing Request. The New Certificate Request window opens.
2. Enter a Certificate name.
3. In the Subject DN enter a distinguished name (e.g. CN=myGateway).
4. Optional - to add alternate names for the certificate, click New. Select the Type and enter the Alternate name and click Apply.
5. Click Generate.

   The new signing request is added to the table and the status shows "Waiting for signed certificate". Note - You cannot edit the request after it is created.

To export the signing request:

Click Export.

To upload the signed certificate when you receive the signed certificate from the CA:

1. Select the signing request entry from the table.
2. Click Upload Signed Certificate.
3. Browse to the signed certificate file (*.crt).
4. Click Complete.

   The status of the installed certificate record changes from "Waiting for signed certificate" to "Verified".

To upload a P12 file:

1. Click Upload P12 Certificate.
2. Browse to the file.
3. Edit the Certificate name if necessary.
4. Enter the certificate password.
5. Click Apply.

High Availability

The Security Gateway is not part of a Security Cluster. To define it as a cluster member, define a Security Cluster object in your Security Management Server and install a security policy.

Note - A cluster in bridge in Active/Standby mode is supported in 1200R and 1400 appliances.

Configuring Advanced Settings

The Device > Advanced Settings page is for advanced administrators or Check Point support. You can configure values for multiple advanced settings for the various blades.

Important - Changing these advanced settings without fully understanding them can be harmful to the stability, security, and performance of this appliance. Continue only if you are certain that you understand the required changes.

For further details regarding the attributes, consult with Check Point support when necessary.

To filter the list of attributes:

1. Enter text in the Type to filter field.

   The search results are dynamically shown as you type.

2. To cancel the filter, click X next to the search string.

To configure the appliance attributes:

1. Select an attribute.
2. Click Edit.

   The attribute window opens.

3. Configure the settings, or click Restore Defaults to reset the attribute to the default settings. For more details on some of the attributes, see the below list of attributes.
4. Click Apply.

   The appliance attribute is configured.

To reset all the appliance attributes to the default settings:

1. From the Advanced Settings window, click Restore Defaults.

   The Confirm window opens.

2. Click Yes.

   All appliance attributes are reset to the default settings.

Additional Information for Attributes

Attribute		Description
DHCP relay	Use internal IP addresses as source	Select Use internal IP addresses as source if DHCP relay packets from the appliance will originate from internal IP addresses. This may be required if the DHCP server is located behind a remote VPN site.
Hotspot	Enable portal	Select Disabled to disable the hotspot feature entirely.
Serial port	Enable serial port Flow control Mode Port speed	With the serial port parameters you can configure the console port on the back panel of the appliance. You can disable it completely (clear the Enable serial port checkbox) if necessary and configure port speed and flow control settings. Note that these settings must match the configuration of the device connected to the console port. There are three modes for working with this port: Console - This is the default mode configured. The port is used to access the appliance's console. Active - Instead of connecting through the port to the appliance's console, the data is relayed to a specified telnet server which can now be viewed through this port. Enter the Server TCP port of the telnet server and the IP address of the server. Two different IP server IP addresses can be configured (Primary server and Secondary server). Passive - In this mode the flow of data is reversed and the appliance connects through the serial port to the console of the connected device. This console will be accessible through a telnet connection to a configured port on the appliance. In Listen on TPC port, enter the port number. You must manually define an access rule in the Firewall Rule Base in SmartDashboard. Two appliances, one in active mode and the other in passive mode, can allow a client to remotely connect to a console connected to the appliance in passive mode over the internet using a telnet connection.