In This Section: |
This section describes how to set up and manage your Check Point Appliance.
The Device > Internet page shows how the Check Point Appliance connects to the Internet. You can configure a single Internet connection or multiple connections in High Availability or Load Balancing configurations. When multiple Internet connections are defined, the page shows them in a table. You can add a new connection and edit, delete, or disable existing connections. When there are multiple Internet connections, you can select which mode to use - High Availability or Load Balancing.
We recommend you contact your local Internet Service Provider (ISP) to understand how to configure your specific Internet connection.
Note - ADSL/VDSL settings are relevant only for devices that have a DSL port.
To configure Internet connectivity:
The New or Edit Internet Connection window opens.
Configuration tab
Note - When you change the connection type, the appliance may disconnect from the Internet.
You can create a maximum of 32 internet connections.
Unassigned LAN ports use case - If your company is in a region where internet connections supplied by ISPs are unreliable and experience multiple disconnections, you can connect your appliances to multiple internet connections from different ISPs.
IPv4 connection types:
Note - If you use an analog modem through the serial port, you cannot connect to the appliance with the serial port or get terminal server functionality. For more on the terminal server, go to Device > Advanced Settings.
Fill in the fields that are shown for the connection type.
Note - You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
IPv6 connection types:
Note - The device can have only a single IPv6 Internet connection.
For PPPoE over ATM over VDSL/ADSL or IPoE over ATM over VDSL/ADSL or for an ADSL interface:
Enter the VPI number and VCI number you received from your service provider, and the Encapsulation type (LLC or VC_MUX).
For WAN/DMZ interfaces and static, DHCP, PPPoE, PPTP, and L2TP connection types
Or
For VDSL/ADSL interfaces and IPoE - dynamic IP and IPoE - static IP connection types over PTM:
If you are in an Annex L system, in Advanced Settings, you must enable the Annex L and disable the Annex J/M.
If you are in an Annex M system, in Advanced Settings, you must enable Annex J/M and disable the Annex L. In all other Annex systems, no changes are needed to the default configuration.
Notes:
Connection Monitoring tab
Advanced tab
For PPPoE
For PPTP and L2TP
Port Settings
Note - For a DMZ interface the MTU value is applied to all LAN ports.
To avoid fragmentation (which slows transmission), set the MTU according to the smallest MTU of all the network devices between your gateway and the packet destination.
For static and DHCP mode, set MTU to 1500 or lower.
For PPPoE connections, set MTU to 1492 or lower.
Note - When the gateway is behind a modem that works as a NAT device, the MTU value of the gateway must be the same value as in the modem. If the modem has a PPPoE connection, set the MTU in the gateway to 1492 or lower.
QoS Settings (bandwidth control) - supported in IPv4 connections only
To enable QoS bandwidth control for download and upload for this specified connection, select the applicable Enable QoS (download) and/or Enable QoS (upload) checkboxes. Enter the maximum Kbps rates for the selected options as provided by your ISP for the Internet upload and download bandwidth.
Make sure that the QoS blade is turned on. You can do this from Home > Security Dashboard > QoS > ON.
Note - QoS is not implemented for VDSL/ADSL interfaces.
ISP Redundancy - supported in IPv4 connections only
Multiple Internet connections can be configured in High Availability or Load Sharing modes. When you configure more than one Internet connection, the Device > Internet page lets you toggle between these options. The Advanced setting of each Internet connection lets you configure each connection's priority or weights based on the set mode.
NAT Settings
If the gateway's global hide NAT is turned on in the Access Policy > NAT page, you can disable NAT settings for specified internet connections.
To disable NAT settings:
The Edit Internet Connection window opens.
The Device > Wireless page shows the wireless network settings (if applicable). You can configure your main wireless network and also additional guest or standard wireless networks (VAPs - Virtual Access Points).
To delete the wireless network, go to Device > Local Network.
If multiple wireless networks (VAPs) are defined, the page shows them in a table, where you can add a new guest or standard wireless network and edit, delete, or disable existing ones.
To turn the Wireless network on or off:
To edit the radio settings:
This configuration is global for all wireless networks. Some options may not be available or allowed depending on your country's wireless standards.
1430/1450 appliances only: The wireless client search options depend on the frequency that the appliance is set to. The Check Point Appliance can be configured to only one frequency at a time and is set to 2.4 GHz by default. If you change the radio settings to 802.11 ac or 802.11 ac/n, the frequency automatically changes to 5 GHz. The Home > System page shows the wireless radio status.
1470/1490 appliances only: There are two radio transmitters: 2.4 GHz and 5 GHz. Each network is configured separately under a specified transmitter.
Dynamic Frequency Selection (DFS) detects radar signals that must be protected against interference from 5.0 GHz (802.11ac/n) radios. When these signals are detected, the operating frequency of the 5.0 GHz (802.11ac/n) radio switches to one that does not interfere with the radar systems. DFS is enabled by default.
To edit a wireless network:
Click Edit Settings.
The Edit window opens in the Configuration tab.
Configuration tab
Configure the fields in these tabs:
Wireless Security
The Password option allows a single password for all users. This option is known as WPA Personal.
The RADIUS servers (Enterprise mode) option requires defining RADIUS servers in the Users & Objects > Authentication Servers page. Each user that tries to connect to the wireless network is authenticated through the RADIUS server. This option is also known as WPA Enterprise.
Advanced Settings
Wireless Network tab
Interface Configuration
DHCPv4 Server section
Select one of the options:
IPv6 Auto Assignment section
Select one of the options:
Access Policy tab
These options create automatic rules that are shown in the Access Policy > Firewall Policy page.
Advanced tab
Click the checkbox to exclude from DNS proxy.
Advanced IPv6 Settings
Configure the Router Advisement fields.
DHCP/SLAAC Settings tab
Note - In IPv4-only mode, this tab is called DHCPv4 Settings.
The values for the DHCP options configured on this tab will be distributed by the DHCP server to the DHCP clients.
DNS Server Settings (For DHCPv6/SLAAC)
Select one of these options:
DNS Server Settings (For DHCPv4)
These settings are effective only if a DHCPv4 server is enabled.
Select one of these options:
Default Gateway
Select one of these options:
WINS
Select one of these options:
Lease
Other Settings
You can optionally configure these additional parameters so they will be distributed to DHCP clients:
Custom Options
Lets you add custom options that are not listed above. For each custom option, you must configure the name, tag, type, and data fields.
When you finish editing the network, click Apply.
The Device > Local Network page lets you set and enable the local network connections, switches, bridge or wireless network (on wireless devices only).
Note - 1400 appliances support both IPv4 and IPv6 addresses.
The Network table shows all available network connections.
The page also lets you:
There are two radio transmitters: 2.4 GHz and 5 GHz. Each network is configured separately under a specified transmitter.
You can also use unassigned LAN ports to create an internet connection. In the table, these ports have the status Assigned to Internet.
Notes:
To create any of the above options:
Click New and choose the option you want.
To edit/delete/enable/disable any of the above options:
Select the relevant row and click Edit/Delete/Enable/Disable.
Notes:
To create/edit a switch:
Note - Between the LAN ports of a switch, traffic is not monitored or inspected. MAC filtering is disabled.
Configure the fields in the tabs:
Configuration tab
Select one of the options:
IPv6 Auto Assignment for IPv6 configurations:
Note - The common use case is a prefix length of 64. If you change it from 64, make sure the internal hosts support the new length.
Monitor Mode
Security Gateways can monitor traffic from a Mirror Port or Span Port on a switch.
With Monitor Mode, the appliance uses Automatic Learning or user-defined networks to identify internal and external traffic, and to enforce policy.
Automatic Learning - The appliance automatically recognizes external networks by identifying the default gateway's network from requests to the Internet (specifically, requests to Google). The rest of the networks are considered internal.
User-Defined Networks - You can manually define internal networks. If a network is not defined as internal, it is considered external.
In both Automatic Learning and user-defined networks:
To configure monitor mode in the WebUI:
The Edit window opens in the Configuration tab.
The Manually define internal networks checkbox shows.
The network definition features and table show.
The Internal network you defined (with Monitor Mode in the name) shows in the list of interfaces.
Note - You can configure multiple local networks to be in monitor mode at the same time.
After you configure monitor mode:
To configure monitor mode in CLI:
<portName>> set interface
monitor-mode
> set monitor-mode-configuration use-defined-networks false
<IP>> add monitor-mode-network ipv4-address
subnet-mask <mask> > set monitor-mode-configuration use-defined-networks true
> show monitor-mode-network
> set antispoofing advanced-settings global-activation false
If you do not see the Monitor Mode option:
set monitor-mode-configuration allow-monitor-mode true
Monitor Mode is now added to the options list.
For more information on monitor mode, see sk112572.
To edit a physical interface:
Configure the fields in the tabs. Note that for the DMZ there is an additional tab Access Policy:
Configuration tab
Select one of the options:
Enabled - Enter the IP address range and if necessary the IP address exclude range. The appliance's own IP address is automatically excluded from this range. You can also exclude or reserve specific IP addresses by defining network objects in the Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device.
Relay - Enter the DHCP server IP address.
Disabled
Note - When you create a switch, you cannot remove the first interface inside unless you delete the switch.
Advanced tab
The options that are shown vary based on interface type and status. Configure the options that are applicable:
Best Practice - This is a rare configuration. Do not select this option unless you are sure you need it.
Access Policy tab (only for DMZ)
These options create automatic rules that are shown in the Access Policy > Firewall Policy page.
To create/edit a tag based VLAN:
You can create a new VLAN only if you have at least one physical interface that is not part of an existing network (switch or bridge).
Note - For more information on the maximum number of VLANs that you can configure for each appliance, refer to sk113247.
Configure the fields in the tabs:
Configuration tab
Select one of the options:
To create/edit a VPN Tunnel (VTI):
A Virtual Tunnel Interface (VTI) is a virtual interface on a Security Gateway that is related to an existing, Route Based VPN tunnel. The Route Based VPN tunnel works as a point-to-point connection between two peer Security Gateways in a VPN community. Each peer Security Gateway has one VTI that connects to the tunnel.
The VPN tunnel and its properties are defined by the VPN community that contains the two gateways. You must define the VPN community and its member Security Gateways before you can create a VTI.
Configure the fields in the tab:
Configuration tab
The VPN tunnel interface can be numbered or unnumbered. Select the applicable option:
To create/edit a bridge:
Configure the fields in the tabs:
Configuration tab
Select one of the options:
Advanced tab
Best Practice - This is a rare configuration. Do not select this option unless you are sure you need it.
Advanced IPv6 Settings
Configure the Router Advisement fields.
To create/edit a Virtual Access Point (VAP):
See the Device > Wireless Network help page.
DHCP/SLAAC Settings tab
Note - In IPv4-only mode, this tab is called DHCPv4 Settings.
The values for the DHCP options configured on this tab will be distributed by the DHCP server to the DHCP clients.
DNS Server Settings (For DHCPv6/SLAAC)
Select one of these options:
DNS Server Settings (For DHCPv4)
These settings are effective only if a DHCPv4 server is enabled.
Select one of these options:
Default Gateway
Select one of these options:
WINS
Select one of these options:
Lease section
Other Settings
You can optionally configure these additional parameters so they will be distributed to DHCP clients:
Custom Options
Lets you add custom options that are not listed above. For each custom option, you must configure the name, tag, type, and data fields.
In the Device > Hotspot page you can configure:
If no network interface was defined for the Hotspot, click Configure in Local Network.
In the Access section of the page, you can configure if authentication is required and allow access to all users or to a specified user group (Active Directory, RADIUS or local).
Hotspot is automatically activated in the system.
To turn off Hotspot:
To configure Hotspot for an interface:
The Local Network window opens.
The Edit <interface> window opens.
Any user that browses from configured interfaces is redirected to the Check Point Hotspot portal.
To configure Hotspot exceptions:
The Manage Hotspot Network Objects Exceptions window opens.
The Selected Network Objects window shows the selected objects. To remove an object from the list, click the x next to it.
The added objects are excluded from the Hotspot.
To require user authentication:
Any user/user group that browses from configured interfaces is redirected to the Check Point Hotspot portal and must enter authentication credentials.
To configure the session timeout:
To customize the portal appearance:
To prevent simultaneous login to the Hotspot portal:
The Hotspot window opens.
The same user cannot log in to the Hotspot portal from more than one computer at a time.
On the Active Devices page (available through the Home and Logs & Monitoring tabs), you can revoke Hotspot access for connected users.
The Device > Routing page shows routing tables with the routes added on your appliance.
On this page:
For every route:
Table Columns |
Description |
---|---|
Destination |
The route rule applies only to traffic whose destination matches the destination IP address/network. |
Source |
IPv4 only. The route rule applies only to traffic whose source matches the source IP address/network |
Service |
IPv4 only. The route rule applies only to traffic whose service matches the service IP protocol and ports or service group. |
Next Hop |
The next hop gateway for this route, with these options:
|
Metric |
Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is selected. |
To add a new static route (IPv4 addresses):
The New Routing Rule window opens with this message: Traffic from any source to any destination that belongs to any service should be routed through the next hop.
Note - Static routes are not supported for source based or service based routes using VTI (VPN).
To configure a default route:
The Edit window opens in the Configuration tab.
Or
To edit a default route:
The Edit Internet Connection window opens in the Configuration tab.
When no default route is active, this message shows: "Note - No default route is configured. Internet connections might be down or not configured."
For Internet Connection High Availability, the default route changes automatically on failover (based on the active Internet connection).
When a network interface is disabled, all routes that lead to it show as inactive in the routing page. A route automatically becomes active when the interface is enabled. Traffic for an inactive route is routed based on active routing rules (usually to the default route).
The edit, delete, enable, and disable options (on the Device > Local Network page) are only available for manually defined routing rules created on this page. You cannot edit, delete, enable, and disable routing rules created by the operating system for directly attached networks or rules defined by the dynamic routing protocol.
To edit an existing route:
Select the route and click Edit.
To delete an existing route:
Select the route and click Delete.
To enable/disable an existing route:
Select the route and click Enable or Disable.
MAC Filtering
MAC Filtering lets you manage a whitelist of MAC addresses that can access the LAN. All others are blocked. The list is global for all interfaces defined on physical LAN ports.
To enable MAC filtering:
Note - MAC filtering is not active when no MAC addresses are defined.
After MAC filtering is enabled, you can disable the feature for specified networks.
To edit the LAN MAC Filter whitelist:
To disable MAC filtering for a specific interface:
The Edit LAN window opens.
To enable, clear this option.
Limitations:
802.1x Authentication Protocol
IEEE 802.1x is a port-based network access protocol that provides an authentication mechanism for devices that are physically attached to the network.
802.1x authentication is enabled only when you define a LAN or a DMZ network as a separate network and a RADIUS server is defined.
Workflow:
If you configure a physical switch (port-based VLAN) between multiple LAN ports, you cannot activate the 802.1x protocol on this network. Replace the switch with a bridge configuration.
To enable 802.1x authentication on a separate LAN interface:
The Edit window opens in the Configuration tab.
To enable 802.1x authentication on a tag based VLAN interface:
The New VLAN window opens in the Configuration tab.
To disable 802.1x authentication on an interface:
Select the LAN interface and click Edit.
To configure logging for MAC filtering and 802.1x authentication:
Note - This attribute is available only in Locally Managed mode. In Centrally Managed mode, configure logging with CLI.
Note - Traffic dropped in the WiFi driver is not logged.
In the Device > DNS page you can configure the DNS server configuration and define the domain name.
To configure DNS:
If you select Configure DNS servers, make sure that you enter valid IP addresses.
Use the first option if your DNS servers are located in the headquarters office. In this case, all DNS requests from this branch office are directed to these DNS servers.
The second option allows a more dynamic definition of DNS servers. The gateway uses the DNS settings of the currently-active Internet connection (in case of static IP – the DNS manually provided under "Internet connection"-> Edit, in case of DHCP / Dialers – the DNS automatically provided by the ISP). If Internet Connection High Availability is enabled, the DNS servers switch automatically upon failover.
To get IP addresses directly from the DNS servers defined above, clear the Enable DNS Proxy checkbox.
When DNS proxy is enabled, Resolve Network Objects controls if the DNS proxy treats the local network objects as a hosts list. When selected, the local DNS servers resolves network object names to their IP addresses for internal network clients.
Note these syntax guidelines:
In the Device > Proxy page, you can configure a proxy server to use to connect to the Check Point update and license servers.
To configure a proxy server:
In the Device > System Operations page you can:
To reboot the appliance:
The appliance reboots.
To restore factory default settings:
The factory default settings are restored. The appliance reboots to complete the operation.
Note - This does not change the software image. Only the settings are restored to their default values (IP address
, the username: admin and password: admin).https://192.168.1.1:4434
To revert to the factory default image:
The factory default settings are restored. The appliance reboots to complete the operation.
Note - This restores the default software image which the appliance came with and also the default settings (IP address
, the username: admin and password: admin).https://192.168.1.1:4434
To make sure you have the latest firmware version:
Click Check now.
To automatically upgrade your appliance firmware when Cloud Services is not configured:
The Automatic Firmware Upgrades window opens.
Or
Notes:
To manually upgrade your appliance firmware:
The Upgrade Software Wizard opens.
Note - The firewall remains active while the upgrade is in process. Traffic disruption can only be caused by:
To revert to an earlier firmware image:
The appliance reboots to complete the operation.
To backup appliance settings:
The Backup Settings page opens.
To restore a backed up configuration:
Important Notes
IPv6 Mode
To enable IPv6 networking and enforce IPv6 security:
The IPv6 Enforcement Settings window opens.
Note - This causes the appliance to reboot.
Follow the instructions in each page of the Software Upgrade Wizard.
During the wizard click Cancel to quit the wizard.
Welcome
Click the Check Point Download Center link to download an upgrade package as directed. If you already downloaded the file, you can skip this step.
Upload Software
Click Browse to select the upgrade package file.
Click Upload. This may take a few minutes. When the upload is complete, the wizard automatically validates the image. A progress indicator at the bottom of the page tells you the percentage completed. When there is successful image validation, an "Upload Finished" status shows.
Upgrade Settings
The system always performs an upgrade on a separate flash partition and your current-running partition is not affected. You can always switch back to the current image if there is an immediate failure in the upgrade process. If the appliance does not come up properly from the boot, disconnect the power cable and reconnect it. The appliance automatically reverts to the previous image.
Click the Revert to Previous Image button on the System Operations page to return to an earlier image. The backup contains the entire image, including the firmware, all system settings and the current security policy.
When you click Next, the upgrade process starts.
Upgrading
The Upgrading page shows an upgrade progress indicator and checks off each step as it is completed.
In the Device > System Operations page you can backup and restore system settings.
To create a backup file:
The Backup Settings window opens.
If you select this option, you must enter and confirm a password.
System settings are backed up.
The backup file includes all your system settings such as network settings and DNS configuration. The backup file also contains the Secure Internal Communication certificate and your license.
If you want to replace an existing appliance with another one, you can restore the settings of your previous appliance and re-activate your license (through License Page > Activate License).
If you want to duplicate an existing appliance, you can restore the settings of the original appliance on the new one. Make sure to change the IP address of the duplicated appliance (Device > Internet page) and generate a new license.
To configure a periodic backup to the FTP server:
The Periodic Backup Settings window opens.
If you select this option, you must enter and confirm a password.
To configure a file storage destination:
The Periodic Backup Settings window opens.
The Device > Administrators page lists the Check Point Appliance administrators and lets you:
Administrators can also be defined in a remote RADIUS server and you can configure the appliance to allow them access. Authentication of those remotely defined administrators is done by the same RADIUS server.
Administrator Roles:
Two administrators with write permissions cannot log in at the same time. If an administrator is already logged in, a message shows. You can choose to log in with Read-Only permission or to continue. If you continue the login process, the first administrator session ends automatically.
The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows.
To create a local administrator:
The Add Administrator page opens.
The name and Administrator Role is added to the table. When logged in to the WebUI, the administrator name and role is shown at the top of the page.
To edit the details of locally defined administrators:
To delete a locally defined administrator:
Note - You cannot delete an administrator who is currently logged in.
To allow access for administrators defined in a remote RADIUS server:
The RADIUS Authentication window opens.
Use roles defined on RADIUS server is selected by default.
Note - A user without role definition will get a login error.
To set the Session Timeout value for both local and remotely defined administrators:
The Administrators Security Settings window opens.
Note - This page is available from the Device and Users & Objects tabs.
To connect the mobile application with the appliance for the first time:
The Connect Mobile Device window opens.
This generates a QR code to connect the Check Point WatchTower mobile application with the appliance for the first time.
For more information about the mobile application, see the Check Point SMB WatchTower App User Guide.
Configuring a RADIUS Server for non-local Check Point Appliance users:
Non-local users can be defined on a RADIUS server and not in the Check Point Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.
Note - The configuration of the RADIUS Servers may change according to the type of operating system on which the RADIUS Server is installed.
Note - If you define a RADIUS user with a null password (on the RADIUS server), the appliance cannot authenticate that user.
To configure a Steel-Belted RADIUS server for non-local appliance users:
checkpoint.dct
on the RADIUS server, in the default dictionary directory (that contains radius.dct
). Add these lines to the file:
|
vendor.ini
file on RADIUS server (keep in alphabetical order with the other vendor products in this file):
|
dictiona.dcm
file the line: “@checkpoint.dct”
<role>CP-Gaia-User-Role =
Where <role> allowed values are:
Administrator Role |
Value |
---|---|
Super Admin |
|
Read only |
|
Networking Admin |
|
To configure a FreeRADIUS server for non-local appliance users:
dictionary.checkpoint
in /etc/freeradius/
on the RADIUS server:
|
/etc/freeradius/dictionary
the line: “$INCLUDE dictionary.checkpoint”
<role>CP-Gaia-User-Role =
Where <role> is the name of the administrator role that is defined in the WebUI.
Administrator Role |
Value |
---|---|
Super Admin |
|
Read only |
|
Networking Admin |
|
To configure an OpenRADIUS server for non-local appliance users:
dict.checkpoint
in /etc/openradius/subdicts/
|
$include subdicts/dict.checkpoint
/etc/openradius/dictionaries
dict.ascend
<role>CP-Gaia-User-Role =
Where <role> is the name of the administrator role that is defined in the WebUI.
Administrator Role |
Value |
---|---|
Super Admin |
|
Read only |
|
Networking Admin |
|
To log in as a Super User:
A user with super user permissions can use the Check Point Appliance shell to do system-level operations, including working with the file system.
Expert
The Device > Administrator Access page lets you configure the IP addresses and interface sources that administrators can use to access the Check Point Appliance. You can also configure the Web and SSH ports.
Note - 1400 appliances support both IPv4 and IPv6 addresses.
First set the interface sources from which allowed IP addresses can access the appliance.
To set the interface sources from which administrator access is allowed:
Select one or more of the options:
To allow administrator access from any IP address:
To allow administrator access from specified IP addresses:
The IP Address Configuration page shows.
The IP address is added to the table.
To allow administrator access from both specified and any IP addresses:
Select this option when it is necessary to allow administrator access from the Internet (you must define the specified IP addresses). Access from other sources is allowed from any IP address.
The IP Address Configuration page shows.
The IP address is added to the table.
To delete administrator access from a specific IP address:
Important Notes:
On the Device > Device Details page, you can:
Note - The appliance name can only contain alphanumeric characters and the hyphen character. Do not use the hyphen as the first or last character.
To assign a Web portal certificate:
The list of uploaded certificates shows.
Note - You cannot select the default VPN certificate.
The Device > Date and Time page shows the current system time and lets you define the Check Point Appliance date and time, optionally using NTP.
To manually configure date and time:
To use Network Time Protocol (NTP) to synchronize the clocks of computers on the network:
Time Zone
In the Device > DDNS & Device Access page, you can:
DDNS
When you configure DDNS, the appliance updates the provider with its IP addresses. Users can then connect to the device with a host name from the provider instead of IP addresses.
This is especially important for remote access users who connect to the device to the internal network through VPN.
To configure DDNS:
For more information about these details, refer to your provider's website.
Reach My Device
Reach My Device lets you remotely connect to the appliance from the Internet so that you can use the WebUI or CLI when necessary. This is done by tunneling the administrative UI or CLI connections through a Check Point Cloud Service. Such configuration is very useful in instances where the appliance is behind a NAT device or firewall, and cannot be reached directly. In addition, the feature makes it easier to access an appliance with a dynamically assigned IP address.
To register to the Reach My Device service:
The Reach My Device window opens.
The validation token, web link, and shell link are shown on the page.
When the gateway participates in VPN, you can exclude the WAN interface (or any other interface used for the Internet connection) from the encryption domain and use Reach My Device traffic without a VPN tunnel.
In the VPN Site to Site global settings Advanced Setting, enable "Do not encrypt connections originating from the local gateway."
How to access the gateway with the Reach My Device service:
When registration is complete, an outgoing tunnel to the Check Point Cloud Service is established with the appliance's IP address.
Remote Access to the WebUI
Web Link - Use this URL in a browser to remotely access the appliance. For example:
. When the login page shows, enter the applicable user name and password.https://my gateway-web.smbrelay.checkpoint.com
Remote Access to the CLI
Shell Link - Use this URL in a browser to open an SSH connection to the appliance to use CLI commands. For example:
. Enter the administrator credentials.https://mygateway-shell.smbrelay.checkpoint.com
See Using System Tools.
On the Installed Certificates page, you can create and manage appliance certificates or upload a P12 certificate. Uploaded certificates and the default certificates are displayed in a table. To see certificate details, click the certificate name.
You can upload a certificate signed by an intermediate CA or root CA. All intermediate and root CAs found in the P12 file are automatically uploaded to the trusted CAs list.
Note - This page is available from the Device and VPN tabs.
On the VPN Remote Access Blade Control page, after you enable the SSL VPN feature, you can select and assign a certificate from the list of the installed certificates (with the exception of the Default Web Portal certificate). You can also do this on the Remote Access Advanced tab.
On the Device > Device Details page, you can select and assign a Web portal certificate from the list of installed certificates (with the exception of the Default certificate).
Installed certificates are used in site-to-site VPN, SSL VPN, and the Web portal.
When Cloud Services is turned on and the appliance is configured by Cloud Services, the Cloud Services Provider certificate is downloaded automatically to the appliance. The Cloud Services Provider certificate is used by community members configured by Cloud Services. Note - If you turn Cloud Services off, the Cloud Services Provider certificate is removed.
These are the steps to create a signed certificate:
To create a new certificate to be signed by a CA:
The new signing request is added to the table and the status shows "Waiting for signed certificate".
Note - You cannot edit the request after it is created.
If the new signing request is signed by the Internal CA and the Organization Name is not defined in the DN, the Internal CA automatically generates the Organization Name.
To export the signing request:
Click Export.
To upload the signed certificate when you receive the signed certificate from the CA:
The status of the installed certificate record changes from "Waiting for signed certificate" to "Verified".
To upload a P12 file:
In the Certificates Internal Certificate page you can view details of an internal VPN certificate. You can also view and reinitialize the certificate used by the internal CA that signed the certificate and can be used to sign external certificates.
Note - This page is available from the Device and VPN tabs.
When you create an internal VPN certificate, when a certificate that is signed by the internal CA is used, the CA's certificate must be reinitialized when the Internet connection's IP addresses change.
To avoid constant reinitialization, we recommend you use the DDNS feature. See Device > DDNS. When DDNS is configured, you only need to reinitialize the certificate once. Changes in the DDNS feature configuration by default automatically reinitialize certificates.
To reinitialize certificates:
The Reinitialize Certificates window opens.
Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.
Note - The internal VPN certificate expiration date cannot be later than the CA expiration date.
To replace an internal CA certificate:
The Upload a P12 Certificate window opens.
Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.
To export an internal CA certificate:
Click Export Internal CA Certificate to download the internal CA certificate.
To sign a remote site's certificate request by the internal CA:
The file must be in a path accessible to the appliance. After you click OK in the file browsing window, the file is uploaded. If it is correctly formatted, it is signed by the Internal CA and the Download button is available.
In the Device > High Availability page you can create a cluster of two appliances for high availability.
Note - You cannot create a cluster when you have a switch or bridge defined in your network settings on the appliance. If necessary, change network settings in the Device > Local Network page.
After you define a cluster, you can select to Enable or Disable the cluster.
The page shows the configured interfaces for monitoring or high availability enabled in a table, where you can edit them.
Interface options in cluster mode:
Note - In this cluster solution, each interface has a local IP address in addition to the shared single virtual IP address.
If you change configuration details of the cluster members, click Reinitialize Trust to reestablish trust between the members.
To reset configuration settings:
Click Reset Cluster Configuration.
Note - This deletes all configuration settings. You must run the wizard again to configure the cluster.
One member of the cluster is the primary active. The other member is the secondary inactive.
To failover from the primary to the other member:
A confirmation message shows.
The primary gateway is now the inactive member of the cluster. The secondary gateway is now active.
If you want to disable the secondary gateway, you must failover to the primary.
Note - Only one member of a cluster can be down at a time. For the inactive member, the Force Member Down button is now Disable Force Member Down.
To failover to the original primary member:
A confirmation message shows.
The original primary member is now the active member of the cluster.
To see detailed information about the cluster status:
Click Diagnostics.
To create a cluster:
The New Cluster Wizard opens.
Note - Make sure that changes you make here are also made on the other cluster member.
By default, the appliance monitors the interface condition if the interface is enabled for high availability. If there is a failure, it automatically fails over to the secondary cluster member. When the interface is not enabled for high availability, you can select it for monitoring.
Note - For Internet connections, you can only enable High Availability on Static IP Internet connections. Other types of Internet connections can be used for monitoring only.
When the cluster is successfully configured, you see the status of the members on this page.
After the cluster is configured, when you connect to the cluster IP address you are automatically redirected to the active cluster member. To log in to specified member, you must log in with the member's IP address.
Note that the WebUI of the secondary member (standby member) only has some options available for fine tuning. This is because all cluster management is done from the active member.
Upgrading a cluster member:
To manually upgrade a cluster:
The Upgrade Software Wizard opens.
Note - 1400 appliances support both IPv4 and IPv6 addresses. High Availability cluster only supports IPv6 in dual mode.
The Device > Advanced Settings page is for advanced administrators or Check Point support. You can configure values for multiple advanced settings for the various blades.
Important - Changing these advanced settings without fully understanding them can be harmful to the stability, security, and performance of this appliance. Continue only if you are certain that you understand the required changes. |
For further details regarding the attributes, consult with Check Point support when necessary.
To filter the list of attributes:
The search results are dynamically shown as you type.
To configure the appliance attributes:
The attribute window opens.
To reset all the appliance attributes to the default settings:
The Confirm window opens.
All appliance attributes are reset to the default settings.
Administrators RADIUS authentication Attribute |
Description |
---|---|
Local authentication (RADIUS server) |
Perform local administrator authentication only if RADIUS server is not configured or is inaccessible. |
Aggressive Aging Attributes |
Description |
---|---|
Multiple parameters |
Aggressive Aging helps manage the connections table capacity and memory consumption of the firewall to increase durability and stability. Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout it is marked as "eligible for deletion". When the connections table or memory consumption reaches the user defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections, until memory consumption or connections capacity decreases back to the desired level. Aggressive Aging allows the gateway machine to handle large amounts of unexpected traffic, especially during a Denial of Service attack. If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the "eligible for deletion" list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no "eligible for deletion" connections, no connections are deleted at that time, but the list is checked after each subsequent connection that exceeds the threshold. Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic. The major benefit of Aggressive Aging is that it starts to operate when the machine still has available memory and the connections table is not entirely full. This way, it reduces the chances of connectivity problems that might have occurred under low-resource conditions. |
|
To configure Aggressive Aging:
To configure when the Aggressive Aging timeouts are enforced:
|
Anti ARP spoofing Attribute |
Description |
---|---|
Anti ARP spoofing mode |
Mode for Anti ARP spoofing protection. The protection can be turned off, on, or in detect only mode. |
Detection window time to indicate attack |
Time period (in seconds) during which IP addresses, assigned to the same MAC address, indicate an ARP spoofing attack. |
Number of IP addresses to indicate attack |
The number of IP addresses assigned to the same MAC address during the Detection window time that will an indicate an ARP spoofing attack. |
Suspicious MAC block period |
Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list. |
Anti-Spam Policy Attributes |
Description |
---|---|
All mail track |
Tracking options for emails that are not considered spam or suspected spam. Tracking such emails can have a performance impact. |
Allowed mail track |
Tracking options for emails that are manually allowed in the Threat Prevention > Anti-Spam Exceptions page. |
Content based Anti-Spam timeout |
Indicates the timeout (in seconds) to wait for an answer from the cloud during content-based Anti-Spam inspection. |
E-mail size scan |
Indicates the maximal size of an email's content to scan (in KB) |
IP reputation fail open |
Indicates the action to take upon an internal error during Anti-Spam IP reputation test. |
IP reputation timeout |
Indicates the timeout (in seconds) to wait for an IP reputation test result. |
Scan outgoing emails |
Scan the content of emails which are sent from the local network to the Internet. |
Transparent proxy |
Use a transparent proxy for inspected email connections. When disabled, configuration of the proxy address and port is required on client machines. |
Anti-Spoofing Attribute |
Description |
---|---|
Enable global Anti-Spoofing |
Indicates if Anti-Spoofing is enabled automatically on all interfaces according to their zone. |
Application & URL Filtering Attributes |
Description |
---|---|
Block when service is unavailable |
Indicates if web requests are blocked when the Check Point categorization and widget definitions Online Web Service is unavailable. |
Categorize cached and translated pages |
Indicates if to perform URL categorization of cached pages and translated pages created by search engines. |
Custom App over HTTPS |
Indicates whether custom URLs and applications will be matched over HTTPS traffic using SNI field. Important note: as SNI field in HTTPS traffic is browser-dependent and promiscuous, it does not guarantee 100% match. |
Enforce safe search |
Indicates if the URL Filtering policy overrides the Safe Search settings in the user's browser. Regardless of what the user has selected, the strictest Safe Search settings are applied. Explicitly sexual content is filtered out of the search engine's results. |
Fail mode |
Indicates the action to take on traffic in case of an internal system error or overload. |
Track browse time |
Shows in logs the total time that users are connected to different sites and applications in an HTTP session |
Use HTTP referer header |
Indicates if the HTTP "referer" header (originally a misspelling of referrer) is used by the inspection engine to improved application identification. |
Web site categorization mode |
Indicates the mode that is used for website categorization: Background - Requests are allowed until categorization is complete. When a request cannot be categorized with a cached response, an uncategorized response is received. Access to the site is allowed. In the background, the Check Point Online Web Service continues the categorization procedure. The response is then cached locally for future requests (default). This option reduces latency in the categorization procedure. Hold - Requests are blocked until categorization is complete. |
Capacity Optimization Attributes |
Description |
---|---|
Connections hash table size |
Indicates the size of the connections hash table in bytes. This value must be an integer that is an exponential power of two and approximately four times the maximum concurrent connections parameter. |
Maximum concurrent connections |
Indicates the overall maximum number of concurrent connections. |
Cloud Services Firmware Upgrade Attributes |
Description |
---|---|
Service access maximum retries |
Indicates the maximum number of retries when failing to upgrade using the service. |
Service access timeout until retry |
Indicates the time (in seconds) to wait when there is a connection failure to the service before the next retry. |
Cluster Attribute |
Description |
---|---|
Use virtual MAC |
Indicates if a virtual MAC address is used by all members to allow a quicker failover by the network's switch. Using the virtual MAC address:
|
DDNS Attribute |
Description |
---|---|
Iterations |
Number of DNS updates. |
DHCP Relay Attribute |
Description |
---|---|
Use internal IP addresses as source |
Select Use internal IP addresses as source if DHCP relay packets from the appliance originate from internal IP addresses. This may be required if the DHCP server is located behind a remote VPN site. |
DSL Global Attribute |
Description |
---|---|
DSL globals - VDSL2 |
Supports ITU G.993.2 VDSL2. |
DSL globals - ADSL Dmt (G.992.1) |
Supports ITU G.992.1 ADSL (G.dmt). |
DSL globals - ADSL lite (G.992.2) |
Supports ITU G.992.2 ADSL Lite (G.lite). |
DSL globals - ADSL2 (G.992.2) |
Supports ITU G.992.3 ADSL2. |
DSL globals - ADSL2+ (G.992.5) |
Supports ITU G.992.5 Annex M ADSL2+M. |
DSL globals - T1.413 |
Supports ANSI T1.413-1998 Issue 2 ADSL. |
DSL globals - Annex J/M |
In an Annex A appliance: Combined with supported ADSL2+, it specifies Annex M ADSL2+. In an Annex B appliance: Combined with supported ADSL2, it specifies Annex J ADSL2. |
DSL globals - Annex L |
In an Annex A appliance: Combined with enabled ADSL2 (G.992.3) specifies support for Annex L. |
DSL globals - 8a |
Supports VDSL Profile 8a. |
DSL globals - 8b |
Supports VDSL Profile 8b. |
DSL globals - 8c |
Supports VDSL Profile 8c. |
DSL globals - 8d |
Supports VDSL Profile 8d. |
DSL globals - 12a |
Supports VDSL Profile 12a. |
DSL globals - 12b |
Supports VDSL Profile 12b. |
DSL globals - 17a |
Supports VDSL Profile 17a. |
DSL globals - Seamless rate adaptation (SRA) |
Enables seamless rate adaptation. |
DSL globals - G.INP |
Enhanced Impulse Noise Protection. |
DSL globals - US0 |
Enables usage of first upstream band in VDSL. |
Note - When all the ADSL standards are turned off in the Advanced Settings and you can only connect using the VDSL2 standard, the VPI, the VCI and the encapsulation options still appear even though they are not used to open an internet connection.
Firewall Policy Attribute |
Description |
---|---|
Blocked packets action |
Action for blocked packets: Drop, reject or automatic (drop from external and reject from internal). |
Log implied rules |
Produce log records for connections that match implied rules. |
General Temporary Directory Size Attributes |
Description |
---|---|
General temporary directory size |
Controls the size (in MB) of the general temporary directory. |
System temporary directory size |
Controls the size (in MB) of the temporary directory that is used by the system. |
Hardware Options Attribute |
Description |
---|---|
Reset to factory defaults timeout |
The amount of time (in seconds) that you need to press and hold the factory defaults button on the appliances' back panel to restore to the factory defaults image. |
Hotspot Attribute |
Description |
---|---|
Enable portal |
Select Disabled to disable the hotspot feature entirely. |
Prevent simultaneous log-in |
The same user will not be allowed to login via hotspot portal from more than one machine in parallel. |
IP Fragments Parameters Attributes |
Description |
---|---|
Multiple parameters |
These parameters let you configure how the appliance handles IP fragments. It can either block fragmented IP packets or drop fragments when a configured threshold is reached. Select one of these options:
|
IPS Additional Parameters Attribute |
Description |
---|---|
Max ping limit |
Indicates the maximal ping packet size that are allowed when the 'Max Ping Size' protection is active. |
Non-standard HTTP ports |
Enable HTTP inspection on non-standard ports for the IPS blade. |
IPS Engine Settings Attributes |
Description |
---|---|
Configure error page options for supported web protections - multiple parameters |
Some web based protections can show an error page upon detection. This error page is configurable. The protections that support the error page:
Select one of these options that applies to all such protections:
|
HTML error page configuration - multiple parameters |
These settings allow you to configure a pre-defined HTML error page that is seen when the error page advanced settings are set to Show pre-defined HTML error page. Select one of these options:
|
Internal Certificate Settings Attributes |
Description |
---|---|
Configure internal CA certificate expiration |
The number of years the internal CA certificate is valid. This applies the next time the certificate is re-initialized. |
Internet Attributes |
Description |
---|---|
Reset Sierra USB on LSI error |
Indicates whether Sierra type USB modems will be reset when they send an invalid LSI signal |
MAC Filtering Attributes |
Description |
---|---|
MAC filtering state |
MAC filtering state |
Log blocked MAC addresses |
Indicates if blocked MAC addresses should be logged. |
Log suspension |
Indicates if an administrator can access the appliance from a remove Security Management Server without the need to enter an administrator name. |
Managed Services Attributes |
Description |
---|---|
Allow seamless administrator access from remote Management Server |
Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator user name and password. |
Show device details in Login |
Indicates if appliance details are shown when an administrator accesses the appliance. |
Mobile Settings Attributes |
Description |
---|---|
Mobile Settings - Notification cloud server URL |
Cloud server URL used for sending mobile notifications. |
Mobile Settings - Pairing code expiration |
Time (in hours) till pairing code is expired. Type: Integer |
Mobile Settings - Verify SSL certificate |
Verify SSL certificate when sending mobile notification to cloud server |
NAT Attributes |
Description |
---|---|
ARP manual file merge |
Indicates, when automatic ARP detection is enabled, to use the ARP definitions in a local file with higher priority. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the local.arp file and Automatic ARP configuration is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NAT IP address appears in both), then the manual configuration is used. |
Multiple parameters - IP Pool NAT |
An IP Pool is a range of IP addresses (an Address Range, a network or a group of one of these objects) routable to the gateway. When a connection is opened to a server, the gateway substitutes an IP address from the IP Pool for the source IP address. Reply packets from the server return to the gateway, which restores the original source IP address and forwards the packets to the source. When using IP Pool NAT, select an existing IP address range object. It must be previously defined in the Users & Objects > Networks Objects page. The IP Pool NAT mechanism allocates IP addresses from this range. Use IP Pool NAT for VPN clients connections - Applies to connections from VPN remote access clients to the gateway. Use IP Pool NAT for gateway to gateway connections - Applies to site to site VPN connections. Prefer IP Pool NAT over Hide NAT - Specifies that IP Pool NAT has priority over Hide NAT, if both match the same connection. Hide NAT is only applied if the IP pool is used up. Reuse IP addresses from the Pool for different destinations - Select this option to reuse IP addresses from the Pool for different destinations. Unused addresses interval - Configure in minutes the time interval it takes for unused addresses to return to the IP addresses pool. Address exhaustion tracking - Specifies the type of log to issue if the IP Pool is exhausted. Address allocation and release tracking - Specifies whether to log each allocation and release of an IP address from the IP Pool. |
Automatic ARP detection |
When internal devices in the local network are defined using static NAT, the appliance must make sure packets to the static NAT IP address reach it. This option enables the appliance to automatically respond to ARP requests for those IP addresses. |
Increase hide capacity |
Indicates if hide-NAT capacity is given additional space. |
NAT enable |
Indicates if the device's NAT capabilities are enabled. |
NAT cache expiration |
Indicates the expiration time in minutes for NAT cache entries. |
NAT cache number of entries |
Indicates the maximum number of NAT cache entries. |
NAT hash size |
Indicates the hash bucket size of NAT tables. |
NAT limit |
Indicates the maximum number of connections with NAT. |
Perform cluster hide fold |
Indicates if local IP addresses are hidden behind the cluster IP address when applicable, as opposed to being hidden behind each cluster member’s physical IP address. |
Translate destination on client side |
Translates destination IP addresses on client side (for automatically generated NAT rules). |
Translate destination on client side (manual rules) |
Translates destination IP addresses on client side (for manually configured NAT rules). |
Notification Policy Attributes |
Description |
---|---|
Notification Language |
Notification language |
Privacy Settings Attribute |
Description |
---|---|
Help Check Point improve its products by sending data |
Customer consent. |
QoS Blade Attributes |
Description |
---|---|
Logging |
Indicates if the appliance logs QoS events when the QoS blade is enabled. |
Reach My Device Attributes |
Description |
---|---|
Ignore SSL certificate |
Indicates if the SSL certificate should be ignored when running the access service. |
Server address |
Indicates the address of the remote server that allows administration access to the appliance from the Internet even when behind NAT. |
Report Settings Attributes |
Description |
---|---|
Max Period |
Maximum period to collect and monitor data. You must reboot the appliance to apply changes. |
Serial Port Attributes |
Description |
---|---|
Multiple Parameters |
With the serial port parameters you can configure the console port on the back panel of the appliance. You can disable it completely (clear the Enable serial port checkbox) if necessary and configure port speed and flow control settings. Note that these settings must match the configuration of the device connected to the console port. There are three modes for working with this port:
To configure an implicit rule that allows traffic from any source to this port, make sure Implicitly allow traffic to this port is selected. If you do not create an implicit rule, you must manually define an access rule in the Firewall rule base. Two appliances, one in active mode and the other in passive mode, can allow a client to remotely connect to a console connected to the appliance in passive mode over the internet using a telnet connection. |
SSL Inspection Attributes |
Description |
---|---|
Additional HTTPS ports |
Additional HTTPS ports for SSL inspection (a comma separated list of ports/ranges). |
Log empty SSL connections |
Log connections that were terminated by the client before data was sent. This might indicate the client did not install the CA certificate. |
Retrieve intermediate CA certificates |
Indicates if the SSL inspection mechanism will perform its validations on all intermediate CA certificates in the certificate chain. |
Track validation errors |
Choose if the SSL Inspection validations are tracked. |
Validate CRL |
Indicates if the SSL inspection mechanism will drop connections that present a revoked certificate. |
Validate Expiration |
Indicates if the SSL inspection mechanism will drop connections that present an expired certificate. |
Validate unreachable CRL |
Indicates if the SSL inspection mechanism will drop connections that present a certificate with an unreachable CRL. |
Validate untrusted certificates |
Indicates if the SSL inspection mechanism will drop connections that present an untrusted server certificate. |
Stateful Inspection Attributes |
Description |
---|---|
Accept out of state TCP packets |
Indicates if TCP packets which are not consistent with the current state of the TCP connection are dropped (when set to 0) or accepted (when set to any other value). |
Accept stateful ICMP errors |
Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base. |
Accept stateful ICMP replies |
Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base. |
Accept stateful UDP replies for unknown services |
Specifies if UDP replies are to be accepted for unknown services. In each UDP service object it is possible to configure whether UDP replies for it are accepted if the service is matched on a rule which accepts traffic. This parameter refers to all connections which are not covered by the service objects. |
Accept stateful other IP protocols replies for unknown services |
Accept stateful other IP protocols replies for unknown services. In each service object it is possible to configure whether replies for it are accepted if the service is matched on a rule which accepts traffic. This parameter refers to all no UDP/TCP connections which are not covered by the service objects. |
Allow LAN-DMZ DPI |
Allow Deep Packet Inspection in traffic between internal networks and the DMZ network. |
Allow LAN-LAN DPI |
Allow Deep Packet Inspection in traffic between internal networks. |
Drop out of state ICMP packets |
Drop ICMP packets which are not in the context of a "virtual session". |
ICMP virtual session timeout |
An ICMP virtual session is considered to have timed out after this time period (in seconds). |
Log dropped out of state ICMP packets |
Indicates if dropped out of state ICMP packets generate a log. See the "Drop out of state ICMP packets" parameter. |
Log dropped out of state TCP packets |
Indicates if dropped out of state TCP packets generate a log. See the "Accept out of state TCP packets" parameter. |
Other IP protocols virtual session timeout |
A virtual session of services which are not TCP, UDP or ICMP is considered to have timed out after this time period (in seconds). |
TCP end timeout |
Indicates the timeout (in seconds) for TCP session end. A TCP session is considered as "ended" following two FIN packets, one in each direction, or an RST packet. |
TCP session timeout |
Indicates the timeout (in seconds) for TCP sessions. A TCP session times out if the connection remains idle after this time period (in seconds). |
TCP start timeout |
Indicates the timeout (in seconds) for TCP session start. A TCP connection times out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds this time period (in seconds). |
UDP virtual session timeout |
A UDP virtual session is timed out after this time period (in seconds). |
Streaming Engine Settings Attributes |
Description |
---|---|
Multiple parameters |
These settings determine how the TCP streaming engine used by the various deep inspection blades (IPS, Application Control, Anti-Bot, Anti-Virus, etc.) handles protocol violations and events that prevent the streaming engine from further inspection. It is highly recommended that these settings always be in prevent mode. Using these settings in detect mode may significantly lower security as inspection stops when the event or violation occurs. When the configuration is set to log such events, the logs are shown in Logs & Monitoring > Security Logs under the IPS blade. For each violation or event configure the action and tracking mode. |
TCP Segment Limit Enforcement |
For every TCP segment that passes through the gateway, the gateway retains a copy of the segment until it receives an acknowledgment that the segment was received. This buffered data occupies space in the gateway's memory. This enforces a limit on the number and size of buffered segments per connection. When a connection reaches one of these limits, the gateway does not accept new segments for this connection until buffered segments are acknowledged. |
TCP Out of Sequence |
The receiving host of a TCP stream buffers segments and retains only those segments within a specified window. Segments outside this window are not processed by the receiving host. TCP segments which are outside the TCP receiving window should not be processed by the gateway. All data from TCP segments that are outside of the window is either dropped or removed. If the segment is near the window, data is stripped. If the segment is far from the window, the segment is dropped. |
TCP Invalid Retransmission |
For every TCP segment that passes through the gateway, the gateway retains a copy of the segment until the gateway receives an acknowledgment that the segment was received. If no acknowledgment is received, the source machine resends the segment, which the gateway compares to its copy to verify that the new packet matches the original. Passing a retransmission that differs from the original allows uninspected data to reach the destination application. This can block segment retransmissions which differ from the original segments, and this assures that the gateway inspects all data that is processed by the receiving application. When set to detect, such retransmissions causes the traffic to bypass deep inspection blades. |
TCP Invalid Checksum |
The gateway does not need to inspect packets with an invalid TCP checksum because these packets are dropped by the receiving host's TCP stack. This blocks TCP packets with an invalid checksum. Due to malfunctioning networking equipment, it is normal to see some packets with an incorrect checksum on the network. This does not indicate an attempted attack and for this reason, the default is to NOT log such events. |
TCP SYN Modified Retransmission |
A TCP SYN packet may be retransmitted with a changed sequence number in an attempt to initiate a connection that IPS does not inspect. This blocks a SYN retransmission where the sequence number has been modified. When set to detect, such retransmissions cause the traffic to bypass deep inspection blades. |
TCP Urgent Data Enforcement |
Some TCP protocols, such as Telnet, send out-of-band data using the TCP URG bit as part of the protocol syntax, whereas most protocols don't use the TCP out-of-band functionality. Allowing packets with the URG bit may prevent the gateway from determining what data would be processed by the receiving application. This could lead to a situation where the data inspected by the gateway is not what the receiving application processes, thus allowing IPS protections to be bypassed. When a packet with the URG bit is received in a protocol that does not support out-of-band functionality, the gateway cannot determine whether the receiving application processes the data. This removes the URG bit from TCP segments with the URG bit set in protocols which do not support the TCP out-of-band functionality. When set to detect, usage of the URG bit causes the traffic to bypass deep inspection blades. |
Stream Inspection Timeout |
A connection being inspected by a dedicated process may be delayed until inspection is completed. If inspection is not completed within a time limit, the connection is dropped so that resources are not kept open. This blocks connections whose inspection timeout has expired. When set to detect, exceeding the timeout causes the traffic to bypass deep inspection blades. |
Threat Prevention Anti-Bot Policy Attribute |
Description |
---|---|
Resource classification mode |
Indicates the mode used by the Anti-Bot engine for resource classification:
|
Threat Prevention Anti-Virus Policy Attributes |
Description |
---|---|
File scan size limit |
Indicates the size limit (in KB) of a file scanned by Anti-Virus engine. To specify no limit, set to 0. |
MIME maximum nesting level |
For emails that contain nested MIME content, set the maximum number of levels that the ThreatSpect engine scans in the email. |
MIME nesting level exceeded action |
If there are more nested levels of MIME content than the configured amount, select to Block or Allow the email file. |
Priority scanning |
Scan according to security and performance priorities for maximum optimization. |
Resource classification mode |
Indicates the mode used by the Anti-Virus engine for resource classification:
|
Threat Prevention Threat Emulation Policy Attribute |
Description |
---|---|
Emulation connection handling mode - IMAP |
Indicates the strictness mode of the Threat Emulation engine over IMAP: Background - Connections are allowed while the file emulation runs (if needed) until emulation handling is complete. Hold - Connections are blocked until the file emulation is completed |
Emulation connection handling mode - POP3 |
Indicates the strictness mode the Threat Emulation engine over POP3: Background - Connection are allowed while the file runs (if needed) Hold - Connections are blocked until the file emulation is completed. |
Emulation connection handling mode - SMTP |
Indicates the strictness mode of the Threat Emulation engine over SMTP: Background - Connections are allowed while the file emulation runs (if needed) Hold - Connections are blocked until the file emulation is completed. |
Emulation location |
Indicates if emulation is done on Public ThreatCloud or on remote (private) SandBlast. |
Primary emulation gateway |
The IP address of the primary remote emulation gateway. |
Threat Prevention Policy Attributes |
Description |
---|---|
Block when service is unavailable |
Block web requests traffic when the Check Point ThreatCloud online web service is unavailable. |
Fail mode |
Indicates the action to take (Allow all requests or Block all requests) on traffic in case of an internal system error or overload. |
File inspection size limit |
Indicates the size limit (in KB) of a file inspected by Threat Prevention engines. |
Method for skipping HTTP inspection |
Warning: Changing the setting to Full has a severe security impact. An HTTP connection can be made up of many sessions. A file that is part of an HTTP connection passes in one HTTP session. If a non-zero File inspection size limit is configured, the Default setting of Method for skipping HTTP inspection is that file inspection is skipped to the end of the session, and resumes in the next HTTP session. If a non-zero File inspection size limit is configured and the Method for skipping HTTP inspection is changed to Full, file inspection is skipped to the end of the connection and resumes in the next connection. This improves performance because the remaining part of the connection is fully accelerated. However, changing the setting to Full is not recommended because of a severe security impact: The remaining sessions of the connection are not inspected. |
USB Modem Watchdog Attributes |
Description |
|
---|---|---|
Interval |
Indicates how often (in minutes) the USB modem watchdog probes the internet. |
|
Mode |
Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type. To enable USB modem watchdog when internet probing indicates there is no internet access, select one of these reset options:
|
|
USB only |
Monitor only USB modem connection and not other internet connections. In this mode, when monitoring other internet connections, gateway reset only occurs when probing fails on all internet connections (and not just USB modem). Type: Boolean |
Update Services Schedule Attributes |
Description |
---|---|
Maximum number of retries |
Indicates the maximum number of retries for a single update when the cloud is unavailable |
Timeout until retry |
Indicates the timeout (in seconds) until update retry. |
User Awareness Attributes |
Description |
---|---|
Active Directory association timeout |
Indicates the timeout (in minutes) for caching an association between a user and an IP address. |
Allow DNS for unknown users |
Indicates that DNS traffic from unauthenticated users is not be blocked when Block unauthenticated users when the captive portal is not possible is selected in Users & Objects > User Awareness > Browser-Based Authentication > Identification tab. Without DNS traffic, the browsers of end users, may not show the Captive Portal. |
Assume single user per IP address |
When Active Directory Queries is enabled in Users & Objects > User Awareness the parameter indicates that only one user can be identified from a single device. When two or more users connect from a device, only the last user to log on is identified. |
Log blocked unknown users |
Indicates if unauthenticated users that are blocked are logged when Block unauthenticated users when the captive portal is not possible is selected in Users & Objects > User Awareness > Browser-Based Authentication > Identification tab. |
User Management Attribute |
Description |
---|---|
Automatically delete expired local users |
Automatically delete all expired local users every 24 hours (after midnight). |
VPN Remote Access Attributes |
Description |
---|---|
Allow clear Traffic while disconnected |
Indicates if traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site is sent without encryption (clear) or dropped. |
Allow simultaneous login |
Indicates if a user can log in to multiple sessions. If the option is disabled, and a user logs in a second time with the same credentials, the previous session is disconnected. |
Authentication timeout |
Indicates the amount of time (in minutes) the remote client's password remains valid if timeout is enabled. |
Authentication timeout enable |
Indicates if the remote client's password remains valid only for a configured amount of time (Authentication timeout attribute). |
Auto-disconnect in VPN domain |
Indicates if the client disconnects automatically to save resources when it connects from inside the secured internal network (local encryption domain). |
Back connections enable |
Enable back connections from the encryption domain behind the gateway to the client. |
Back connections keep-alive interval |
Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections. |
Enable Visitor Mode on All Interfaces Enable Visitor Mode on This Interface |
This dialog box lets you configure a specified interface for visitor mode. Visitor mode allows the appliance to listen for TCPT traffic on a specified port (by default port 443) as backup to IKE connections from the remote access client. This mode is normally used to allow VPN remote access connections from behind restrictive environments such as hotels. Modifying visitor mode to be enabled only on a specific interface is not recommended. |
Encrypt DNS traffic |
Indicates if DNS queries sent by the remote client to a DNS server located in the encryption domain are passed through the VPN tunnel. |
Encryption Method |
Indicates which IKE encryption method (version) is used for IKE phase 1 and 2. |
Endpoint Connect re-authentication timeout |
Indicates the time (in minutes) until the Endpoint Connect user's credentials are resent to the gateway to verify authorization. |
IKE IP Compression Support |
Indicates if IPSec packets from remote access clients is compressed. |
IKE Over TCP |
Enables support of IKE over TCP. |
IKE restart recovery |
When dealing with Remote Access clients, the appliance cannot initiate an IKE phase 1 negotiation because the client address is unknown. If the appliance has an active SA with a Remote Access client and it restarts, the SA is lost, and the appliance cannot initiate IKE phase 1. But, if the restart option is selected, the appliance saves the tunnel details every minute. When the first encrypted packet arrives after the appliance restarts, the appliance sends a Delete SA message. This causes the remote client to discard the old SA and initiate IKE phase 1 to reopen the tunnel. |
Legacy NAT traversal |
Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient. |
Minimum TLS version support in the SSL VPN portal |
Indicates the minimum TLS protocol version which the SSL VPN portal supports. For security reasons, we recommend to support TLS 1.2 and above. |
Office Mode Enable With Multiple Interfaces |
Indicates if a mechanism (with a performance impact) to improve connectivity between remote access client and an appliance with multiple external interfaces is enabled. |
Office Mode Perform Anti-Spoofing Single Office Mode Per Site
|
Office Mode Perform Anti-Spoofing - If this option is selected, VPN verifies that packets whose encapsulated IP address is an Office Mode IP address are indeed coming from an address of a client working in Office Mode. If the addresses are allocated by a DHCP server, VPN must know the range of allocated addresses from the DHCP scope for the Anti-Spoofing feature to work. Define a Network object that represents the DHCP scope and select it here. Single Office Mode Per Site - After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateways encryption domain goes out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain recognize as the remote user's IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. As the remote hosts connections are dependent on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site terminate. |
Office Mode allocate from RADIUS |
Indicates if the Office Mode allocated IP addresses are taken from the RADIUS server used to authenticate the user. |
Office Mode disable |
Indicates if Office Mode (allocating IP addresses for Remote Access clients) is disabled. This is not recommended. |
Passwords caching on client |
Indicates if password caching is used. This means that re-authentication is not necessary when the client tries to access more than one gateway. |
Prevent IP NAT Pool |
Prevent IP Pool NAT configuration from being applied to Office Mode users. This is needed when using SecureClient as well as other VPN clients (see sk20251). |
Radius retransmit timeout |
Timeout interval (in seconds) for each RADIUS server connection attempt. |
Remote Access port Reserve port 443 for port forwarding |
The default remote access port is port 443. If there is a conflict with another server using this port number, configure a different Remote access port. You must change the default remote access port if the Check Point VPN client, Mobile client, or SSL VPN remote access methods are enabled as they use port 443 by default. If you change the default port number 443, make sure to select Reserve port 443 for port forwarding. |
SNX keep-alive interval |
Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets. |
SNX re-authentication timeout |
Indicates the time (in minutes) between re-authentication of SSL Network Extender remote access users. |
SNX support 3DES |
Indicates if the 3DES encryption algorithm will be supported in SSL clients as well as the default algorithms. |
SNX support RC4 |
Indicates if the RC4 encryption algorithm is supported in SSL clients as well as the default algorithms. |
SNX uninstall |
This parameter lets you configure under which conditions the SSL Network Extender client uninstalls itself. The options are: Do not uninstall automatically (recommended default), always uninstall upon disconnection, and ask the user upon disconnection. |
SNX upgrade |
This parameter lets you configure under which conditions the SSL Network Extender client installs itself. The options are: Do not upgrade automatically, always upgrade, and ask the user (default). |
Topology updates manual interval |
Indicates the manually configured interval (in hours) for topology updates to the clients. Applicable only if the override settings is set to true. |
Topology updates override |
Indicates if the configured topology updates settings override the default 'once a week' policy. |
Topology updates upon startup only |
Indicates if topology updates occur only when the client starts. Applicable only if the override settings is set to true. |
Verify device certificate |
The remote access client verifies the device's certificate against revocation list. |
VPN Site to Site Global Settings Attributes |
Description |
---|---|
Accept NAT Traversal |
Indicates if industry standard NAT traversal (UDP encapsulation) is enabled. This enables VPN tunnel establishment even when the remote site is behind a NAT device. |
Administrative notifications |
Indicates how to log an administrative event (for example, when a certificate is about to expire) |
Check validity of IPSec reply packets |
Indicated whether to check the validity of IPSec reply packets. |
Cluster SA sync packets threshold |
Sync SA with other cluster members when the number of packets reaches this threshold. |
Copy DiffServ mark from encrypted /decrypted IPSEC packet |
Copy DiffServ mark from encrypted/decrypted IPSec packet. |
Copy DiffServ mark to encrypted/ decrypted IPSEC packet |
Copy DiffServ mark to encrypted/decrypted IPSec packet. |
DPD triggers new IKE negotiation |
DPD triggers new IKE negotiation. |
Delete IKE SAs from a dead peer |
Delete IKE SAs from a dead peer. |
Delete IPsec SAs on IKE SA delete |
Delete IPsec SAs on IKE SA delete. |
Delete tunnel SAs when Tunnel Test fails |
When permanent VPN tunnels are enabled and a Tunnel Test fails, delete the relevant peer's tunnel SAs. |
Do not encrypt connections originating from the local gateway |
Packets whose original source or destination IP address is the local gateway's Internet Connection IP address will not go through a VPN tunnel. This parameter may be useful when the gateway behind hide NAT. |
Do not encrypt local DNS requests |
When enabled, DNS requests originating from the appliance will not be encrypted. Relevant when a configured DNS server is in a VPN peer's encryption domain. |
Enable encrypted packets rerouting |
Indicates if encrypted packets are rerouted through the best interface according to the peer’s IP address or probing. We do not recommend to change this value to false. |
Grace Period after CRL is no longer valid |
CRL grace period is required to resolve the issue of differing clock times between the appliance and the remote CA. A grace period permits a wider window for CRL validity. Indicates the time (in seconds) after which a revoked certificate of a remote site remains valid. |
Grace Period before CRL is valid |
CRL grace period is required to resolve the issue of differing clock times between the appliance and the remote CA. A grace period permits a wider window for CRL validity. Indicates the time window (in seconds) where a certificate is considered valid prior to the time set by the CA. |
IKE DoS from known sites protection |
Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers. |
IKE DoS from unknown sites protection |
Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers. |
IKE Reply From Same IP |
Indicates if the source IP address used in IKE session is based on destination when replying to incoming connections, or based on the general source IP address link selection configuration. |
Join adjacent subnets in IKE Quick Mode |
Indicates if to join adjacent subnets in IKE Quick Mode. |
Keep DF flag on packet |
Indicates if the 'Don't Fragment' flag is kept on the packet during encryption/decryption. |
Keep IKE SA Keys |
Keep IKE SA keys. |
Key exchange error tracking |
Indicates how to log VPN configuration errors or key exchange errors. |
Maximum concurrent IKE negotiations |
Indicates the maximum number of concurrent VPN IKE negotiations. |
Maximum concurrent tunnels |
Indicates the maximum number of concurrent VPN tunnels. |
Open SAs limit |
Indicates the maximum number of open SAs per VPN peer. |
Outgoing link tracking |
Indicates how to log the outgoing VPN link: Log, don't log, or alert. |
Override 'Route all traffic to remote VPN site' configuration for admin access to the device |
Select this option to prevent admin access to this appliance from being routed to the remote site even when the "Route all traffic to remote VPN site" is configured. |
Packet handling errors tracking |
Indicates how to log the VPN packet handling errors: Log, don't log, or alert. |
Perform Tunnel Tests using an internal IP Address
|
A Tunnel Test makes sure that the VPN tunnel between peer VPN Gateways is up. By default, the test is done by making sure there is a connection between all the external IP addresses of the peer VPN Gateways. You can configure this option to do the tunnel tests using the internal IP addresses of the Gateways that are part of the local encryption domain. You can see the status of the VPN tunnel in the Logs and Monitoring tab. |
Permanent tunnel down tracking |
Indicates how to log when the tunnel goes down: Log, don't log, or alert. |
Permanent tunnel up tracking |
Indicates how to log when the tunnel is up: Log, don't log, or alert. |
RDP packet reply timeout |
Timeout (in seconds) for an RDP packet reply. |
Reply from incoming interface |
When tunnel is initiated from remote site, reply from the same incoming interface when applicable (IKE and RDP sessions). |
Successful key exchange tracking |
Indicates how to log when there is a successful key exchange: Log, don't log, or alert. |
Use cluster IP address for IKE |
Indicates if IKE is performed using cluster IP address (when applicable). |
Use internal IP address for encrypted connections from local gateway |
Encrypted connections originating from the local gateway will use an internal interface's IP address as the connection source. |
VPN tunnel sharing |
Indicates under what conditions new tunnels are created: per host pair, per subnet (industry standard), or a single tunnel per remote site/gateway. This controls the number of tunnels that are created. |
VoIP Attributes |
Description |
---|---|
Accept MGCP connections to registered ports |
Indicates if deep inspection over MGCP traffic automatically accepts MGCP connections to registered ports. |
Accept SIP connections to registered ports |
Indicates if deep inspection over SIP traffic automatically accepts SIP connections to registered ports. |
Web Interface Settings and Customizations Attributes |
Description |
---|---|
Multiple parameters |
Select Use a company logo in the appliance's web interface to display a different logo (not the Check Point default logo). In Company logo, click the Upload company logo link, browse to the logo file, and click Apply. In Company URL, enter the company's URL. When you click the company logo in the web interface it opens this URL. |