Print Download PDF Send Feedback

Previous

Next

Managing the Device

In This Section:

Internet

Wireless Network

Local Network

Hotspot

Routing

MAC Filtering

DNS

Proxy

System Operations

Administrators

Administrator Access

Device Details

Date and Time

DDNS & Device Access

Using System Tools

Certificates - Installed Certificates

Certificates - Internal Certificates

High Availability

Configuring Advanced Settings

This section describes how to set up and manage your Check Point Appliance.

Internet

The Device > Internet page shows how the Check Point Appliance connects to the Internet. You can configure a single Internet connection or multiple connections in High Availability or Load Balancing configurations. When multiple Internet connections are defined, the page shows them in a table. You can add a new connection and edit, delete, or disable existing connections. When there are multiple Internet connections, you can select which mode to use - High Availability or Load Balancing.

We recommend you contact your local Internet Service Provider (ISP) to understand how to configure your specific Internet connection.

Note - ADSL/VDSL settings are relevant only for devices that have a DSL port.

To configure Internet connectivity:

  1. Click Configure Internet (if not configured at all), Add (for another Internet connection), or Edit.

    The New or Edit Internet Connection window opens.

  2. Configure the fields in the tabs:

Configuration tab

Note - When you change the connection type, the appliance may disconnect from the Internet.

You can create a maximum of 32 internet connections.

Unassigned LAN ports use case - If your company is in a region where internet connections supplied by ISPs are unreliable and experience multiple disconnections, you can connect your appliances to multiple internet connections from different ISPs.

IPv4 connection types:

For PPPoE over ATM over VDSL/ADSL or IPoE over ATM over VDSL/ADSL or for an ADSL interface:

Enter the VPI number and VCI number you received from your service provider, and the Encapsulation type (LLC or VC_MUX).

For WAN/DMZ interfaces and static, DHCP, PPPoE, PPTP, and L2TP connection types

Or

For VDSL/ADSL interfaces and IPoE - dynamic IP and IPoE - static IP connection types over PTM:

If you are in an Annex L system, in Advanced Settings, you must enable the Annex L and disable the Annex J/M.

If you are in an Annex M system, in Advanced Settings, you must enable Annex J/M and disable the Annex L. In all other Annex systems, no changes are needed to the default configuration.

Notes:

Connection Monitoring tab

Advanced tab

For PPPoE

For PPTP and L2TP

Port Settings

QoS Settings (bandwidth control) - supported in IPv4 connections only

To enable QoS bandwidth control for download and upload for this specified connection, select the applicable Enable QoS (download) and/or Enable QoS (upload) checkboxes. Enter the maximum Kbps rates for the selected options as provided by your ISP for the Internet upload and download bandwidth.

Make sure that the QoS blade is turned on. You can do this from Home > Security Dashboard > QoS > ON.

Note - QoS is not implemented for VDSL/ADSL interfaces.

ISP Redundancy - supported in IPv4 connections only

Multiple Internet connections can be configured in High Availability or Load Sharing modes. When you configure more than one Internet connection, the Device > Internet page lets you toggle between these options. The Advanced setting of each Internet connection lets you configure each connection's priority or weights based on the set mode.

NAT Settings

If the gateway's global hide NAT is turned on in the Access Policy > NAT page, you can disable NAT settings for specified internet connections.

To disable NAT settings:

  1. Go to Device > Internet.
  2. Select an internet connection and click Edit.

    The Edit Internet Connection window opens.

  3. Click Advanced > NAT Settings.
  4. Select Do not hide internal networks behind this internet connection.
  5. Click Apply.

Wireless Network

The Device > Wireless page shows the wireless network settings (if applicable). You can configure your main wireless network and also additional guest or standard wireless networks (VAPs - Virtual Access Points).

To delete the wireless network, go to Device > Local Network.

If multiple wireless networks (VAPs) are defined, the page shows them in a table, where you can add a new guest or standard wireless network and edit, delete, or disable existing ones.

To turn the Wireless network on or off:

To edit the radio settings:

  1. Click Radio settings.
  2. Select the correct Operation mode, Channel, Channel width, and Transmitter power.
  3. Click Advanced to set the Guard Interval and Antenna control.
  4. Click Apply.

    This configuration is global for all wireless networks. Some options may not be available or allowed depending on your country's wireless standards.

    1430/1450 appliances only: The wireless client search options depend on the frequency that the appliance is set to. The Check Point Appliance can be configured to only one frequency at a time and is set to 2.4 GHz by default. If you change the radio settings to 802.11 ac or 802.11 ac/n, the frequency automatically changes to 5 GHz. The Home > System page shows the wireless radio status.

    1470/1490 appliances only: There are two radio transmitters: 2.4 GHz and 5 GHz. Each network is configured separately under a specified transmitter.

Dynamic Frequency Selection (DFS) detects radar signals that must be protected against interference from 5.0 GHz (802.11ac/n) radios. When these signals are detected, the operating frequency of the 5.0 GHz (802.11ac/n) radio switches to one that does not interfere with the radar systems. DFS is enabled by default.

To edit a wireless network:

Click Edit Settings.

The Edit window opens in the Configuration tab.

Configuration tab

Configure the fields in these tabs:

Wireless Security

Advanced Settings

Wireless Network tab

Interface Configuration

DHCPv4 Server section

Select one of the options:

IPv6 Auto Assignment section

Select one of the options:

Access Policy tab

These options create automatic rules that are shown in the Access Policy > Firewall Policy page.

Advanced tab

Click the checkbox to exclude from DNS proxy.

Advanced IPv6 Settings

Configure the Router Advisement fields.

DHCP/SLAAC Settings tab

Note - In IPv4-only mode, this tab is called DHCPv4 Settings.

The values for the DHCP options configured on this tab will be distributed by the DHCP server to the DHCP clients.

DNS Server Settings (For DHCPv6/SLAAC)

Select one of these options:

DNS Server Settings (For DHCPv4)

These settings are effective only if a DHCPv4 server is enabled.

Select one of these options:

Default Gateway

Select one of these options:

WINS

Select one of these options:

Lease

Other Settings

You can optionally configure these additional parameters so they will be distributed to DHCP clients:

Custom Options

Lets you add custom options that are not listed above. For each custom option, you must configure the name, tag, type, and data fields.

When you finish editing the network, click Apply.

Local Network

The Device > Local Network page lets you set and enable the local network connections, switches, bridge or wireless network (on wireless devices only).

Note - 1400 appliances support both IPv4 and IPv6 addresses.

The Network table shows all available network connections.

The page also lets you:

You can also use unassigned LAN ports to create an internet connection. In the table, these ports have the status Assigned to Internet.

Notes:

To create any of the above options:

Click New and choose the option you want.

To edit/delete/enable/disable any of the above options:

Select the relevant row and click Edit/Delete/Enable/Disable.

Notes:

To create/edit a switch:

Note - Between the LAN ports of a switch, traffic is not monitored or inspected. MAC filtering is disabled.

Configure the fields in the tabs:

Configuration tab

  1. In Switch Configuration, select or clear the interfaces you want to be part of the switch. The table shows you which interfaces are already part of the switch (shown with checkmarks in the table) and which interfaces are not assigned yet and can be added to the switch (empty checkboxes in the table). For example, if LAN8 is already part of another switch, it does not show in this table.
  2. From Assigned to, select an option:
    • Unassigned - The switch is not part of any network and cannot be used
    • Separate network - When you select a separate network, configure the settings for the switch
    • Monitor Mode - See below
  3. Choose the IP address and Subnet mask the switch uses.
  4. Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface. Hotspot configuration is defined in the Device > Hotspot page.
  5. In DHCP Server:

Select one of the options:

IPv6 Auto Assignment for IPv6 configurations:

Monitor Mode

Security Gateways can monitor traffic from a Mirror Port or Span Port on a switch.

With Monitor Mode, the appliance uses Automatic Learning or user-defined networks to identify internal and external traffic, and to enforce policy.

Automatic Learning - The appliance automatically recognizes external networks by identifying the default gateway's network from requests to the Internet (specifically, requests to Google). The rest of the networks are considered internal.

User-Defined Networks - You can manually define internal networks. If a network is not defined as internal, it is considered external.

In both Automatic Learning and user-defined networks:

To configure monitor mode in the WebUI:

  1. Go to Device > Local Network.
  2. Select an interface and double-click.

    The Edit window opens in the Configuration tab.

  3. In the Assigned To drop-down menu, select Monitor Mode.

    The Manually define internal networks checkbox shows.

  4. To use Automatic Learning, do not select Manually define internal networks and click Apply.
  5. To use your own network definitions, select Manually define internal networks.

    The network definition features and table show.

  6. Click New.
  7. Enter the network IP address.
  8. Enter the subnet. An internal network can be a 255.255.255.255 subnet, for one host. For example, to monitor the traffic after the router, enter the IP address of the Default Gateway and the 255.255.255.255 subnet.
  9. Click Apply.

    The Internal network you defined (with Monitor Mode in the name) shows in the list of interfaces.

Note - You can configure multiple local networks to be in monitor mode at the same time.

After you configure monitor mode:

  1. Go to Device > Advanced Settings.
  2. Turn off Anti-Spoofing.

To configure monitor mode in CLI:

  1. To define a port for Monitor Mode:

    > set interface <portName> monitor-mode

  2. To configure Monitor Mode Automatic Learning, disable user-defined networks:

    > set monitor-mode-configuration use-defined-networks false

  3. To configure Monitor Mode with user-defined networks:

    > add monitor-mode-network ipv4-address <IP> subnet-mask <mask> > set monitor-mode-configuration use-defined-networks true

  4. To see user-defined Internal networks:

    > show monitor-mode-network

  5. To disable Anti-Spoofing:

    > set antispoofing advanced-settings global-activation false

If you do not see the Monitor Mode option:

  1. Run this CLI command:

    set monitor-mode-configuration allow-monitor-mode true

  2. Select an interface and click Edit.

    Monitor Mode is now added to the options list.

For more information on monitor mode, see sk112572.

To edit a physical interface:

Configure the fields in the tabs. Note that for the DMZ there is an additional tab Access Policy:

Configuration tab

Note - When you create a switch, you cannot remove the first interface inside unless you delete the switch.

Advanced tab

The options that are shown vary based on interface type and status. Configure the options that are applicable:

Access Policy tab (only for DMZ)

These options create automatic rules that are shown in the Access Policy > Firewall Policy page.

To create/edit a tag based VLAN:

You can create a new VLAN only if you have at least one physical interface that is not part of an existing network (switch or bridge).

Note - For more information on the maximum number of VLANs that you can configure for each appliance, refer to sk113247.

Configure the fields in the tabs:

Configuration tab

To create/edit a VPN Tunnel (VTI):

A Virtual Tunnel Interface (VTI) is a virtual interface on a Security Gateway that is related to an existing, Route Based VPN tunnel. The Route Based VPN tunnel works as a point-to-point connection between two peer Security Gateways in a VPN community. Each peer Security Gateway has one VTI that connects to the tunnel.

The VPN tunnel and its properties are defined by the VPN community that contains the two gateways. You must define the VPN community and its member Security Gateways before you can create a VTI.

Configure the fields in the tab:

Configuration tab

To create/edit a bridge:

Configure the fields in the tabs:

Configuration tab

Advanced tab

Advanced IPv6 Settings

Configure the Router Advisement fields.

To create/edit a Virtual Access Point (VAP):

See the Device > Wireless Network help page.

DHCP/SLAAC Settings tab

Note - In IPv4-only mode, this tab is called DHCPv4 Settings.

The values for the DHCP options configured on this tab will be distributed by the DHCP server to the DHCP clients.

DNS Server Settings (For DHCPv6/SLAAC)

Select one of these options:

DNS Server Settings (For DHCPv4)

These settings are effective only if a DHCPv4 server is enabled.

Select one of these options:

Default Gateway

Select one of these options:

WINS

Select one of these options:

Lease section

Other Settings

You can optionally configure these additional parameters so they will be distributed to DHCP clients:

Custom Options

Lets you add custom options that are not listed above. For each custom option, you must configure the name, tag, type, and data fields.

Hotspot

In the Device > Hotspot page you can configure:

If no network interface was defined for the Hotspot, click Configure in Local Network.

In the Access section of the page, you can configure if authentication is required and allow access to all users or to a specified user group (Active Directory, RADIUS or local).

Hotspot is automatically activated in the system.

To turn off Hotspot:

  1. Go to Device > Advanced Settings.
  2. Search for Hotspot and double-click the entry.
  3. Select Disabled.
  4. Click Apply.

To configure Hotspot for an interface:

  1. Click Configure in Local Network.

    The Local Network window opens.

  2. Select interface and click Edit.

    The Edit <interface> window opens.

  3. Select Use Hotspot.
  4. Click Apply.

Any user that browses from configured interfaces is redirected to the Check Point Hotspot portal.

To configure Hotspot exceptions:

  1. Click Manage Exceptions.

    The Manage Hotspot Network Objects Exceptions window opens.

  2. Select the objects to add as exceptions.

    The Selected Network Objects window shows the selected objects. To remove an object from the list, click the x next to it.

  3. To filter the object list, enter the filter value. The list shows the objects that match the filter.
  4. If necessary, click New to add new objects to the list. For information on how to create a new object, see the Users & Objects > Network Objects page.
  5. Click Apply.

    The added objects are excluded from the Hotspot.

To require user authentication:

  1. Select the Require Authentication checkbox.
  2. You can allow access to All users or to a Specific user group.
  3. If you selected Specific user group, enter the group's name in the text box.
  4. Click Apply.

    Any user/user group that browses from configured interfaces is redirected to the Check Point Hotspot portal and must enter authentication credentials.

To configure the session timeout:

  1. In Session timeout, enter the number of minutes that defines how long a user stays logged in to the session before it is ends.
  2. Click Apply.

To customize the portal appearance:

  1. Click Customize Hotspot portal.
  2. For Portal title - Keep the default or enter a different title.
  3. For Portal message - Keep the default or enter a different message.
  4. For Terms of use - Select this checkbox to add an "I agree with the following terms and conditions" checkbox on the Hotspot portal page. Enter the terms and conditions text in the text box. When users click the "terms and conditions" link, this text shows.
  5. To customize a logo for all portals shown by the appliance (Hotspot and captive portal used by User Awareness), click Upload, browse to the logo file and click Apply. If necessary, click Use Default to revert to the default logo.
  6. Click Apply.

To prevent simultaneous login to the Hotspot portal:

  1. Go to Device > Advanced Settings.
  2. Select Hotspot.
  3. Click Edit.

    The Hotspot window opens.

  4. Click the checkbox for Prevent simultaneous login.
  5. Click Apply.

    The same user cannot log in to the Hotspot portal from more than one computer at a time.

On the Active Devices page (available through the Home and Logs & Monitoring tabs), you can revoke Hotspot access for connected users.

Routing

The Device > Routing page shows routing tables with the routes added on your appliance.

On this page:

For every route:

Table Columns

Description

Destination

The route rule applies only to traffic whose destination matches the destination IP address/network.

Source

IPv4 only. The route rule applies only to traffic whose source matches the source IP address/network

Service

IPv4 only. The route rule applies only to traffic whose service matches the service IP protocol and ports or service group.

Next Hop

The next hop gateway for this route, with these options:

  • Specified IP address of the next hop gateway
  • Specified Internet connection from the connections configured in the appliance
  • Specified VPN Tunnel Interface (VTI)

Metric

Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is selected.

To add a new static route (IPv4 addresses):

  1. In Device > Routing, above the Routing Table, click New.

    The New Routing Rule window opens with this message: Traffic from any source to any destination that belongs to any service should be routed through the next hop.

  2. Click next hop and select an option in the new window that opens:
    • IP Address - Enter the IP address.
    • Internet connection - Select an internet connection.
    • VPN Tunnel (VTI) - Select the VPN Tunnel.
  3. Click OK.
  4. Click any source and select an option in the new window that opens:
    • Any
    • Specified IP address - Enter the IP Address and Mask
  5. Click any destination and select an option in the new window that opens:
    • Any
    • Specified IP address - Enter the IP Address and Mask
  6. Click OK.
  7. Click any service and select a service name or enter a service name in the search field. You can create a new service or service group.

    Note - Static routes are not supported for source based or service based routes using VTI (VPN).

  8. Optional - Enter a comment.
  9. Enter a Metric between 0 and 100. The default is 0.
  10. Click Apply.

To configure a default route:

  1. Go to Device > Local Network page.
  2. Select an interface and click Edit.

    The Edit window opens in the Configuration tab.

  3. Click the DHCP Server options tab.
  4. In the Default Gateway section,
    • Click Use this gateway's IP address as the default gateway.

      Or

    • Select Use the following IP address and enter an IP address.
  5. Click Apply.

To edit a default route:

  1. In Device > Internet, click the Internet connection.
  2. Click Edit.

    The Edit Internet Connection window opens in the Configuration tab.

  3. Set the Default gateway (next hop) to a different IP address.
  4. Click Apply.

When no default route is active, this message shows: "Note - No default route is configured. Internet connections might be down or not configured."

For Internet Connection High Availability, the default route changes automatically on failover (based on the active Internet connection).

When a network interface is disabled, all routes that lead to it show as inactive in the routing page. A route automatically becomes active when the interface is enabled. Traffic for an inactive route is routed based on active routing rules (usually to the default route).

The edit, delete, enable, and disable options (on the Device > Local Network page) are only available for manually defined routing rules created on this page. You cannot edit, delete, enable, and disable routing rules created by the operating system for directly attached networks or rules defined by the dynamic routing protocol.

To edit an existing route:

Select the route and click Edit.

To delete an existing route:

Select the route and click Delete.

To enable/disable an existing route:

Select the route and click Enable or Disable.

MAC Filtering

MAC Filtering

MAC Filtering lets you manage a whitelist of MAC addresses that can access the LAN. All others are blocked. The list is global for all interfaces defined on physical LAN ports.

To enable MAC filtering:

  1. Turn the slider to ON.
  2. Add a MAC address to the LAN MAC Filter whitelist.

    Note - MAC filtering is not active when no MAC addresses are defined.

After MAC filtering is enabled, you can disable the feature for specified networks.

To edit the LAN MAC Filter whitelist:

  1. Go to Device > MAC Filtering > LAN MAC Filter.
  2. To add a new MAC Address, click Add > New.
  3. To select MAC addresses from the list of Active Devices, click Add > Select.
  4. To edit a MAC address, select it from the list and click Edit.
  5. To delete a MAC address, select it from the list and click Delete.

To disable MAC filtering for a specific interface:

  1. Go to Device > Local Network.
  2. Select a LAN interface and click Edit

    The Edit LAN window opens.

  3. Click Advanced.
  4. Select Disable MAC filtering.

    To enable, clear this option.

  5. Click Apply.

Limitations:

802.1x Authentication Protocol

IEEE 802.1x is a port-based network access protocol that provides an authentication mechanism for devices that are physically attached to the network.

802.1x authentication is enabled only when you define a LAN or a DMZ network as a separate network and a RADIUS server is defined.

Workflow:

  1. Configure a RADIUS Server. See Managing Authentication Servers.
  2. Define it on the appliance
  3. Activate 802.1x authentication on a separate LAN interface (includes the DMZ when not used as an internet connection), or a tag-based VLAN interface defined on one of the LAN physical ports.

If you configure a physical switch (port-based VLAN) between multiple LAN ports, you cannot activate the 802.1x protocol on this network. Replace the switch with a bridge configuration.

To enable 802.1x authentication on a separate LAN interface:

  1. Go to Device > Local Network.
  2. Select the LAN interface and click Edit.

    The Edit window opens in the Configuration tab.

  3. For Assigned to: select Separate network.
  4. In the Advanced tab, select Activate 802.1x authentication.
  5. Enter a time for Re-authentication frequency (in seconds).
  6. Click Apply.

To enable 802.1x authentication on a tag based VLAN interface:

  1. Go to Device > Local Network.
  2. Select the LAN and click New > VLAN.

    The New VLAN window opens in the Configuration tab.

  3. For Assigned to: select the LAN ID.
  4. In the Advanced tab, select Activate 802.1x authentication.
  5. Enter a time for Re-authentication frequency (in seconds).
  6. Click Apply.

To disable 802.1x authentication on an interface:

  1. Go to Device > Local Network.

    Select the LAN interface and click Edit.

  2. The Edit window opens in the Configuration tab.
  3. Click the Advanced tab.
  4. Clear Activate 802.1x authentication.
  5. Click Apply.

To configure logging for MAC filtering and 802.1x authentication:

  1. Go to Device > Advanced Settings.
  2. Set the value of the MAC Filtering settings - Log blocked MAC addresses attribute to
    • Enabled - To enable logging
    • Disabled - To disable logging.

    Note - This attribute is available only in Locally Managed mode. In Centrally Managed mode, configure logging with CLI.

  3. Optional -
    • To reduce the number of logs, specify the value of the MAC Filtering settings - Log suspension attribute in seconds.
    • To show all logs, set the value to “0”.

Note - Traffic dropped in the WiFi driver is not logged.

DNS

In the Device > DNS page you can configure the DNS server configuration and define the domain name.

To configure DNS:

  1. Select to define up to three DNS servers which is applied to all Internet connections or use the DNS configuration provided by the active Internet connection (Primary).

    If you select Configure DNS servers, make sure that you enter valid IP addresses.

    Use the first option if your DNS servers are located in the headquarters office. In this case, all DNS requests from this branch office are directed to these DNS servers.

    The second option allows a more dynamic definition of DNS servers. The gateway uses the DNS settings of the currently-active Internet connection (in case of static IP – the DNS manually provided under "Internet connection"-> Edit, in case of DHCP / Dialers – the DNS automatically provided by the ISP). If Internet Connection High Availability is enabled, the DNS servers switch automatically upon failover.

  2. By default, the Check Point Appliance functions as your DNS proxy and provides DNS resolving services to internal hosts behind it (network objects). This option is global and applies to all internal networks.

    To get IP addresses directly from the DNS servers defined above, clear the Enable DNS Proxy checkbox.

    When DNS proxy is enabled, Resolve Network Objects controls if the DNS proxy treats the local network objects as a hosts list. When selected, the local DNS servers resolves network object names to their IP addresses for internal network clients.

  3. Enter a Domain Name. There are two separate uses of the domain name:
    • Local hosts (the Security Gateway and network objects) are optionally appended with the domain name when DNS resolving is performed.
    • DNS queries that do not contain a domain name are automatically appended with the domain name.

    Note these syntax guidelines:

    • The domain name must start and end with an alphanumeric character.
    • The domain name can contain periods, hyphens, and alphanumeric characters.
  4. Click Apply.

Proxy

In the Device > Proxy page, you can configure a proxy server to use to connect to the Check Point update and license servers.

To configure a proxy server:

  1. Select Use a proxy server.
  2. Enter a Host name or IP address.
  3. Enter a Port.
  4. Click Apply.

System Operations

In the Device > System Operations page you can:

To reboot the appliance:

  1. Click Reboot.
  2. Click OK in the confirmation message.

    The appliance reboots.

To restore factory default settings:

  1. Click Default Settings.
  2. Click OK in the confirmation message.

    The factory default settings are restored. The appliance reboots to complete the operation.

    Note - This does not change the software image. Only the settings are restored to their default values (IP address https://192.168.1.1:4434, the username: admin and password: admin).

To revert to the factory default image:

  1. Click Factory Defaults.
  2. Click OK in the confirmation message.

    The factory default settings are restored. The appliance reboots to complete the operation.

    Note - This restores the default software image which the appliance came with and also the default settings (IP address https://192.168.1.1:4434, the username: admin and password: admin).

To make sure you have the latest firmware version:

Click Check now.

To automatically upgrade your appliance firmware when Cloud Services is not configured:

  1. Click Configure automatic upgrades.

    The Automatic Firmware Upgrades window opens.

  2. Click Perform firmware upgrades automatically.
  3. Select the upgrade option to use when new firmware is detected:
    • Upgrade immediately

    Or

    • Upgrade according to this frequency.
  4. If you selected Upgrade according to this frequency, select one of the Occurs options:
    • Daily - Select the Time of day.
    • Weekly - Select the Day of week and Time of day.
    • Monthly - Select the Day of month and Time of day.
  5. Click Apply.

Notes:

To manually upgrade your appliance firmware:

  1. Click Manual Upgrade.

    The Upgrade Software Wizard opens.

  2. Follow the Wizard instructions.

    Note - The firewall remains active while the upgrade is in process. Traffic disruption can only be caused by:

    • Saving a local image before the upgrade (this causes the Firewall daemon to shut down). This may lead to disruption in VPN connections.
    • The upgrade process automatically reboots the appliance.

To revert to an earlier firmware image:

  1. Click Revert to Previous Image.
  2. Click OK in the confirmation message.

    The appliance reboots to complete the operation.

To backup appliance settings:

  1. Click Backup.

    The Backup Settings page opens.

  2. To encrypt the backup file, select the Use File Encryption checkbox. Set and confirm a password.
  3. To back up the security policy installed on the appliance, select the Backup Security Policy checkbox. You can add Comments about the specific backup file created.
  4. Click Save Backup. The File Download dialog box appears. The file name format is <current software version>-<YY-Month-day>-<HH_MM_Seconds>.zip
  5. Click Save and select a location.

To restore a backed up configuration:

  1. Click Restore. The Restore Settings page appears.
  2. Browse to the location of the backed up file.
  3. Click Upload File.

Important Notes

IPv6 Mode

To enable IPv6 networking and enforce IPv6 security:

  1. Click IPv6 Enforcement Settings.

    The IPv6 Enforcement Settings window opens.

  2. To enforce IPv6 security policy, click the checkbox.
  3. To enable IPv6 networking, click the checkbox.
  4. Click Apply.

    Note - This causes the appliance to reboot.

System Operations > Upgrade

Follow the instructions in each page of the Software Upgrade Wizard.

During the wizard click Cancel to quit the wizard.

Welcome

Click the Check Point Download Center link to download an upgrade package as directed. If you already downloaded the file, you can skip this step.

Upload Software

Click Browse to select the upgrade package file.

Click Upload. This may take a few minutes. When the upload is complete, the wizard automatically validates the image. A progress indicator at the bottom of the page tells you the percentage completed. When there is successful image validation, an "Upload Finished" status shows.

Upgrade Settings

The system always performs an upgrade on a separate flash partition and your current-running partition is not affected. You can always switch back to the current image if there is an immediate failure in the upgrade process. If the appliance does not come up properly from the boot, disconnect the power cable and reconnect it. The appliance automatically reverts to the previous image.

Click the Revert to Previous Image button on the System Operations page to return to an earlier image. The backup contains the entire image, including the firmware, all system settings and the current security policy.

When you click Next, the upgrade process starts.

Upgrading

The Upgrading page shows an upgrade progress indicator and checks off each step as it is completed.

System Operations > Backup

In the Device > System Operations page you can backup and restore system settings.

To create a backup file:

  1. Click Create Backup File.

    The Backup Settings window opens.

  2. To encrypt the file, click Use file encryption.

    If you select this option, you must enter and confirm a password.

  3. Optional - add a comment about the backup file.
  4. Click Create Backup.

    System settings are backed up.

The backup file includes all your system settings such as network settings and DNS configuration. The backup file also contains the Secure Internal Communication certificate and your license.

If you want to replace an existing appliance with another one, you can restore the settings of your previous appliance and re-activate your license (through License Page > Activate License).

If you want to duplicate an existing appliance, you can restore the settings of the original appliance on the new one. Make sure to change the IP address of the duplicated appliance (Device > Internet page) and generate a new license.

To configure a periodic backup to the FTP server:

  1. Go to Device > System Operations > Backup and Restore System Settings.
  2. Click Settings.

    The Periodic Backup Settings window opens.

  3. Click Enable scheduled backups.
  4. Configure the file storage destination (see below).
  5. Optional - Select Use file encryption.

    If you select this option, you must enter and confirm a password.

  6. In Schedule Periodic Backup, select frequency:
    • Daily - Select time of day (hour range).
    • Weekly - Select day of week and time of day.
    • Monthly - Select day of month and time of day. Note - If a month doesn't include the selected day, the backup is executed on the last day of the month.
  7. Click Apply.

To configure a file storage destination:

  1. In Device > System Operations > Backup and Restore System Settings, click Settings.

    The Periodic Backup Settings window opens.

  2. Click Enable scheduled backups.
  3. Enter a Backup server path.
  4. Enter a username and password.
  5. Click Apply.

Administrators

The Device > Administrators page lists the Check Point Appliance administrators and lets you:

Administrators can also be defined in a remote RADIUS server and you can configure the appliance to allow them access. Authentication of those remotely defined administrators is done by the same RADIUS server.

Administrator Roles:

Two administrators with write permissions cannot log in at the same time. If an administrator is already logged in, a message shows. You can choose to log in with Read-Only permission or to continue. If you continue the login process, the first administrator session ends automatically.

The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows.

To create a local administrator:

  1. Click New.

    The Add Administrator page opens.

  2. Configure the parameters (name, password, and password confirmation). The hyphen (-) character is allowed in the administrator name. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘ " # + \
  3. Select the Administrator Role.
  4. Click Apply.

    The name and Administrator Role is added to the table. When logged in to the WebUI, the administrator name and role is shown at the top of the page.

To edit the details of locally defined administrators:

  1. Select the administrator from the table and click Edit.
  2. Make the relevant changes.
  3. Click Apply.

To delete a locally defined administrator:

  1. Select an administrator from the list.
  2. Click Delete.
  3. Click Yes in the confirmation message.

Note - You cannot delete an administrator who is currently logged in.

To allow access for administrators defined in a remote RADIUS server:

  1. Make sure administrators are defined in the remote RADIUS server.
  2. Make sure a RADIUS server is defined on the appliance. If there is no server, click the RADIUS configuration link at the top of this page. You must configure the IP address and shared secret used by the RADIUS server.
  3. When you have a configured RADIUS server, click edit permissions.

    The RADIUS Authentication window opens.

  4. Click the Enable RADIUS authentication for administrators checkbox.

    Use roles defined on RADIUS server is selected by default.

  5. Configure the role for each user on the RADIUS server. See additional details below.

    Note - A user without role definition will get a login error.

  6. If you select Use default role for RADIUS users, select the Administrators Role:
    • Super Admin
    • Read only
    • Networking Admin
  7. To define groups, click Use specific RADIUS groups only and enter the RADIUS groups separated by a comma.
  8. Click Apply.

To set the Session Timeout value for both local and remotely defined administrators:

  1. Click Security Settings.

    The Administrators Security Settings window opens.

  2. Configure the session timeout (maximum time period of inactivity in minutes). The maximum value is 999 minutes.
  3. To limit login failure attempts, click the Limit administrators login failure attempts checkbox.
  4. Enter the number of Maximum consecutive login attempts allowed before an administrator is locked out.
  5. In Lock period, enter the time (in seconds) that must pass before a locked out administrator can attempt to log in again.
  6. To enforce password complexity on administrators, click the checkbox and enter the number of days for the password to expire.
  7. Click Apply.

Note - This page is available from the Device and Users & Objects tabs.

To connect the mobile application with the appliance for the first time:

  1. Click Mobile Pairing Code.

    The Connect Mobile Device window opens.

  2. Select an administrator from the pull down menu.
  3. Click Generate.

    This generates a QR code to connect the Check Point WatchTower mobile application with the appliance for the first time.

For more information about the mobile application, see the Check Point SMB WatchTower App User Guide.

Configuring a RADIUS Server for non-local Check Point Appliance users:

Non-local users can be defined on a RADIUS server and not in the Check Point Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions. You must configure the RADIUS server to correctly authenticate and authorize non-local users.

Note - The configuration of the RADIUS Servers may change according to the type of operating system on which the RADIUS Server is installed.

Note - If you define a RADIUS user with a null password (on the RADIUS server), the appliance cannot authenticate that user.

To configure a Steel-Belted RADIUS server for non-local appliance users:

  1. Create the dictionary file checkpoint.dct on the RADIUS server, in the default dictionary directory (that contains radius.dct). Add these lines to the file:

    @radius.dct

    MACRO CheckPoint-VSA(t,s) 26 [vid=2620 type1=%t% len1=+2 data=%s%]

    ATTRIBUTE CP-Gaia-User-Role CheckPoint-VSA(229, string) r
    ATTRIBUTE CP-Gaia-SuperUser-Access CheckPoint-VSA(230, integer) r

  2. Add the following lines to the vendor.ini file on RADIUS server (keep in alphabetical order with the other vendor products in this file):

    vendor-product = Check Point Appliance
    dictionary = nokiaipso
    ignore-ports = no
    port-number-usage = per-port-type
    help-id = 2000

  3. Add to the dictiona.dcm file the line:
    “@checkpoint.dct”
  4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> allowed values are:

    Administrator Role

    Value

    Super Admin

    adminRole

    Read only

    monitorrole

    Networking Admin

    networkingrole

To configure a FreeRADIUS server for non-local appliance users:

  1. Create the dictionary file dictionary.checkpoint in /etc/freeradius/ on the RADIUS server:

    #
    # Check Point dictionary file for freeradius AAA server
    #
    VENDOR CheckPoint 2620
    ATTRIBUTE CP-Gaia-User-Role 229 string CheckPoint
    ATTRIBUTE CP-Gaia-SuperUser-Access 230 integer CheckPoint

  2. Add to /etc/freeradius/dictionary the line:
    “$INCLUDE dictionary.checkpoint”
  3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is the name of the administrator role that is defined in the WebUI.

    Administrator Role

    Value

    Super Admin

    adminRole

    Read only

    monitorrole

    Networking Admin

    networkingrole

To configure an OpenRADIUS server for non-local appliance users:

  1. Create the dictionary file dict.checkpoint in
    /etc/openradius/subdicts/
    on the RADIUS server:

    # Check Point Gaia vendor specific attributes
    # (Formatted for the OpenRADIUS RADIUS server.)
    # Add this file to etc/openradius/subdicts/ and add the line
    # "$include subdicts/dict.checkpoint" to etc/openradius/dictionaries
    # right after dict.ascend.

    $add vendor 2620 CheckPoint

    $set default vendor=CheckPoint
    space=RAD-VSA-STD
    len_ofs=1 len_size=1 len_adj=0
    val_ofs=2 val_size=-2 val_type=String
    nodec=0 noenc=0

    $add attribute 229 CP-Gaia-User-Role
    $add attribute 230 CP-Gaia-SuperUser-Access val_type=Integer val_size=4

     

  2. Add the line
    $include subdicts/dict.checkpoint
    to
    /etc/openradius/dictionaries
    immediately after dict.ascend
  3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file:

    CP-Gaia-User-Role = <role>

    Where <role> is the name of the administrator role that is defined in the WebUI.

    Administrator Role

    Value

    Super Admin

    adminRole

    Read only

    monitorrole

    Networking Admin

    networkingrole

To log in as a Super User:

A user with super user permissions can use the Check Point Appliance shell to do system-level operations, including working with the file system.

  1. Connect to the Check Point Appliance platform using an SSH client or serial console client.
  2. Log in to the Clish shell using your user name and password.
  3. Run Expert
  4. Enter the expert password.

Administrator Access

The Device > Administrator Access page lets you configure the IP addresses and interface sources that administrators can use to access the Check Point Appliance. You can also configure the Web and SSH ports.

Note - 1400 appliances support both IPv4 and IPv6 addresses.

First set the interface sources from which allowed IP addresses can access the appliance.

To set the interface sources from which administrator access is allowed:

Select one or more of the options:

To allow administrator access from any IP address:

  1. Select the Any IP address option. This option is less secure and not recommended. We recommend you allow access from the Internet to specific IP addresses only.
  2. Change the WEB Port (HTTPS) and/or SSH port if necessary.
  3. Click Apply. An administrator can access the Check Point Appliance using any IP address through the allowed interface sources.

To allow administrator access from specified IP addresses:

  1. Select the Specified IP addresses only option.
  2. Click New.

    The IP Address Configuration page shows.

  3. Select Type:
    • IPV4 address
    • IPv4 network
    • IPv6 address
    • IPv6 network
  4. Enter the IP address or click Get IP from My Computer.
  5. Click Apply.

    The IP address is added to the table.

  6. Change the WEB Port (HTTPS) and/or SSH port if necessary.
  7. Click Apply. An administrator can access the Check Point Appliance using the configured IP addresses through the allowed interface sources.

To allow administrator access from both specified and any IP addresses:

Select this option when it is necessary to allow administrator access from the Internet (you must define the specified IP addresses). Access from other sources is allowed from any IP address.

  1. Select the Internet source checkbox.
  2. Select the Specified IP addresses from the internet and any IP address from other sources option.
  3. Click New.

    The IP Address Configuration page shows.

  4. Select Type:
    • IPV4 address
    • IPv4 network
    • IPv6 address
    • IPv6 network
  5. Enter the IP address or click Get IP from My Computer.
  6. Click Apply.

    The IP address is added to the table.

  7. Change the WEB Port (HTTPS) and/or SSH port if necessary.
  8. Click Apply. An administrator can access the Check Point Appliance using the configured IP addresses through the allowed interface sources.

To delete administrator access from a specific IP address:

  1. Select the IP Address you want to delete from the IP Address table.
  2. Click Delete.

Important Notes:

Device Details

On the Device > Device Details page, you can:

To assign a Web portal certificate:

  1. Click the downward arrow next to the Web portal certificate field.

    The list of uploaded certificates shows.

  2. Select the desired certificate.

    Note - You cannot select the default VPN certificate.

  3. Click Apply.
  4. Reload the page.

Date and Time

The Device > Date and Time page shows the current system time and lets you define the Check Point Appliance date and time, optionally using NTP.

To manually configure date and time:

  1. Select the Set Date and Time Manually option.
  2. Enter the current Date and Time. Click the calendar icon to enter the date. Specify whether the time is AM or PM.
  3. Click Apply.

To use Network Time Protocol (NTP) to synchronize the clocks of computers on the network:

  1. Select the Set Date and Time Using a Network Time Protocol (NTP) Server option.
  2. Enter the Host name or IP addresses of the Primary NTP Server and Secondary NTP Server. If the Primary NTP Server fails to respond, the Secondary NTP Server is queried.
  3. Set the Update Interval (minutes) field.
  4. Select the NTP Authentication checkbox if you want to supply a Shared Secret and a Shared Secret Identifier (this is optional). You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘ " # + \
  5. Click Apply.

Time Zone

  1. From the Local Time Zone list, select the correct time zone option.
  2. Select the Automatically adjust clock for daylight saving changes checkbox to enable automatic daylight saving changes.
  3. Click Apply.

DDNS & Device Access

In the Device > DDNS & Device Access page, you can:

DDNS

When you configure DDNS, the appliance updates the provider with its IP addresses. Users can then connect to the device with a host name from the provider instead of IP addresses.

This is especially important for remote access users who connect to the device to the internal network through VPN.

To configure DDNS:

  1. Select Connect to the appliance by name from the Internet (DDNS).
  2. Enter the details of your account on the page:
    • Provider - Select the DDNS provider that you set up an account with.
    • User name - Enter the user name of the account.
    • Password - Enter the password of the account. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘ " # + \
    • Host name - Enter your routable host name as defined in your DDNS account.

    For more information about these details, refer to your provider's website.

  3. Make sure Reinitialize internal certificates is selected. When you enable this feature or change settings, you must reinitialize the internal certificates for them to be valid for the new DNS.

Reach My Device

Reach My Device lets you remotely connect to the appliance from the Internet so that you can use the WebUI or CLI when necessary. This is done by tunneling the administrative UI or CLI connections through a Check Point Cloud Service. Such configuration is very useful in instances where the appliance is behind a NAT device or firewall, and cannot be reached directly. In addition, the feature makes it easier to access an appliance with a dynamically assigned IP address.

To register to the Reach My Device service:

  1. Click Register.

    The Reach My Device window opens.

  2. For Host Name, use the default host name or enter a name for this Check Point Appliance to enable remote access.
  3. If the host name was already defined, select Register with an existing homename and enter the Validation token of the gateway. This token verifies that an existing name belongs to this appliance owner.
  4. Click Apply.

    The validation token, web link, and shell link are shown on the page.

  5. Go to Device > Administrator Access. Configure Internet as a source for administrator access and set specified IP addresses.

When the gateway participates in VPN, you can exclude the WAN interface (or any other interface used for the Internet connection) from the encryption domain and use Reach My Device traffic without a VPN tunnel.

In the VPN Site to Site global settings Advanced Setting, enable "Do not encrypt connections originating from the local gateway."

How to access the gateway with the Reach My Device service:

When registration is complete, an outgoing tunnel to the Check Point Cloud Service is established with the appliance's IP address.

Remote Access to the WebUI

Web Link - Use this URL in a browser to remotely access the appliance. For example: https://my gateway-web.smbrelay.checkpoint.com. When the login page shows, enter the applicable user name and password.

Remote Access to the CLI

Shell Link - Use this URL in a browser to open an SSH connection to the appliance to use CLI commands. For example: https://mygateway-shell.smbrelay.checkpoint.com. Enter the administrator credentials.

Using System Tools

See Using System Tools.

Certificates - Installed Certificates

On the Installed Certificates page, you can create and manage appliance certificates or upload a P12 certificate. Uploaded certificates and the default certificates are displayed in a table. To see certificate details, click the certificate name.

You can upload a certificate signed by an intermediate CA or root CA. All intermediate and root CAs found in the P12 file are automatically uploaded to the trusted CAs list.

Note - This page is available from the Device and VPN tabs.

On the VPN Remote Access Blade Control page, after you enable the SSL VPN feature, you can select and assign a certificate from the list of the installed certificates (with the exception of the Default Web Portal certificate). You can also do this on the Remote Access Advanced tab.

On the Device > Device Details page, you can select and assign a Web portal certificate from the list of installed certificates (with the exception of the Default certificate).

Installed certificates are used in site-to-site VPN, SSL VPN, and the Web portal.

When Cloud Services is turned on and the appliance is configured by Cloud Services, the Cloud Services Provider certificate is downloaded automatically to the appliance. The Cloud Services Provider certificate is used by community members configured by Cloud Services. Note - If you turn Cloud Services off, the Cloud Services Provider certificate is removed.

These are the steps to create a signed certificate:

  1. Create a signing request.
  2. Export the signed request (download the signing request from the appliance).
  3. Send the signing request to the CA.
  4. When you receive the signed certificate from the CA, upload it to the appliance.

To create a new certificate to be signed by a CA:

  1. Click New Signing Request. The New Certificate Request window opens.
  2. Enter a Certificate name.
  3. In the Subject DN enter a distinguished name (e.g. CN=myGateway).
  4. Optional - to add alternate names for the certificate, click New. Select the Type and enter the Alternate name and click Apply.
  5. Click Generate.

    The new signing request is added to the table and the status shows "Waiting for signed certificate".

    Note - You cannot edit the request after it is created.

    If the new signing request is signed by the Internal CA and the Organization Name is not defined in the DN, the Internal CA automatically generates the Organization Name.

To export the signing request:

Click Export.

To upload the signed certificate when you receive the signed certificate from the CA:

  1. Select the signing request entry from the table.
  2. Click Upload Signed Certificate.
  3. Browse to the signed certificate file (*.crt).
  4. Click Complete.

    The status of the installed certificate record changes from "Waiting for signed certificate" to "Verified".

To upload a P12 file:

  1. Click Upload P12 Certificate.
  2. Browse to the file.
  3. Edit the Certificate name if necessary.
  4. Enter the certificate password.
  5. Click Apply.

Certificates - Internal Certificates

In the Certificates Internal Certificate page you can view details of an internal VPN certificate. You can also view and reinitialize the certificate used by the internal CA that signed the certificate and can be used to sign external certificates.

Note - This page is available from the Device and VPN tabs.

When you create an internal VPN certificate, when a certificate that is signed by the internal CA is used, the CA's certificate must be reinitialized when the Internet connection's IP addresses change.

To avoid constant reinitialization, we recommend you use the DDNS feature. See Device > DDNS. When DDNS is configured, you only need to reinitialize the certificate once. Changes in the DDNS feature configuration by default automatically reinitialize certificates.

To reinitialize certificates:

  1. Click Reinitialize Certificates.

    The Reinitialize Certificates window opens.

  2. Enter the Host/IP address.

    Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.

  3. Select the number of years for which the Internal VPN Certificate is valid. The default is 3. The maximum value allowed is 20.
  4. Click Apply.

    Note - The internal VPN certificate expiration date cannot be later than the CA expiration date.

To replace an internal CA certificate:

  1. Click Replace Internal CA Certificate.

    The Upload a P12 Certificate window opens.

  2. Click Browse to select the CA certificate file that includes the private key.
  3. Enter the Certificate name and private key's password to allow the device to sign certificates with the uploaded CA.
  4. Enter the Host/IP address.

    Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.

  5. Click Apply.

To export an internal CA certificate:

Click Export Internal CA Certificate to download the internal CA certificate.

To sign a remote site's certificate request by the internal CA:

  1. Click Sign a Request. A file upload window opens.
  2. Click Browse to upload the signing request file as created in the remote site. In third party appliances, make sure to look in its Administration Guide to see where signing requests are created.

    The file must be in a path accessible to the appliance. After you click OK in the file browsing window, the file is uploaded. If it is correctly formatted, it is signed by the Internal CA and the Download button is available.

  3. Click Download. The signed certificate is downloaded through your browser and is available to be imported to the remote site's certificates list.

High Availability

In the Device > High Availability page you can create a cluster of two appliances for high availability.

Note - You cannot create a cluster when you have a switch or bridge defined in your network settings on the appliance. If necessary, change network settings in the Device > Local Network page.

After you define a cluster, you can select to Enable or Disable the cluster.

The page shows the configured interfaces for monitoring or high availability enabled in a table, where you can edit them.

Interface options in cluster mode:

If you change configuration details of the cluster members, click Reinitialize Trust to reestablish trust between the members.

To reset configuration settings:

Click Reset Cluster Configuration.

Note - This deletes all configuration settings. You must run the wizard again to configure the cluster.

One member of the cluster is the primary active. The other member is the secondary inactive.

To failover from the primary to the other member:

  1. Click Force Member Down.

    A confirmation message shows.

  2. Click Yes.

    The primary gateway is now the inactive member of the cluster. The secondary gateway is now active.

If you want to disable the secondary gateway, you must failover to the primary.

Note - Only one member of a cluster can be down at a time. For the inactive member, the Force Member Down button is now Disable Force Member Down.

To failover to the original primary member:

  1. Click Disable Force Member Down.

    A confirmation message shows.

  2. Click Yes.

    The original primary member is now the active member of the cluster.

To see detailed information about the cluster status:

Click Diagnostics.

To create a cluster:

  1. Click Configure Cluster.

    The New Cluster Wizard opens.

  2. In Step 1: Gateway Priority, select one of the options:
    • Configure as primary member - If this appliance must be configured first.
    • Configure as secondary member - If a primary member is already configured and this appliance connects to it.
  3. Click Next.
  4. For a primary member:
    1. In Step 2: SIC Settings, enter a password and confirm it. This password is used for establishing trust between the members. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘ " # + \
    2. The default Sync interface is LAN2. If it is necessary to change it, click Advanced and select a different Sync Interface. You can also change the predefined Sync IP Address and Sync IP Subnet.

      Note - Make sure that changes you make here are also made on the other cluster member.

    3. Click Next.
    4. In Step 3: Gateway Interfaces (1 out of N), you can define the cluster IP on the related interfaces. Enter the necessary details.

      By default, the appliance monitors the interface condition if the interface is enabled for high availability. If there is a failure, it automatically fails over to the secondary cluster member. When the interface is not enabled for high availability, you can select it for monitoring.

    5. Click Next. Do step d. again for all related interfaces in your network.

      Note - For Internet connections, you can only enable High Availability on Static IP Internet connections. Other types of Internet connections can be used for monitoring only.

  5. For a secondary member:
    1. In Step 2: SIC Settings, enter the Secure Internal Communication password.
    2. Click Establish Trust.
  6. Click Finish.

    When the cluster is successfully configured, you see the status of the members on this page.

After the cluster is configured, when you connect to the cluster IP address you are automatically redirected to the active cluster member. To log in to specified member, you must log in with the member's IP address.

Note that the WebUI of the secondary member (standby member) only has some options available for fine tuning. This is because all cluster management is done from the active member.

Upgrading a cluster member:

To manually upgrade a cluster:

  1. Go to Device > System Operations.
  2. Click Manual Upgrade.

    The Upgrade Software Wizard opens.

  3. Follow the wizard instructions.

Note - 1400 appliances support both IPv4 and IPv6 addresses. High Availability cluster only supports IPv6 in dual mode.

Configuring Advanced Settings

The Device > Advanced Settings page is for advanced administrators or Check Point support. You can configure values for multiple advanced settings for the various blades.

Important - Changing these advanced settings without fully understanding them can be harmful to the stability, security, and performance of this appliance. Continue only if you are certain that you understand the required changes.

For further details regarding the attributes, consult with Check Point support when necessary.

To filter the list of attributes:

  1. Enter text in the Type to filter field.

    The search results are dynamically shown as you type.

  2. To cancel the filter, click X next to the search string.

To configure the appliance attributes:

  1. Select an attribute.
  2. Click Edit.

    The attribute window opens.

  3. Configure the settings, or click Restore Defaults to reset the attribute to the default settings. For more details on the attributes, see the next sections.
  4. Click Apply.

To reset all the appliance attributes to the default settings:

  1. From the Advanced Settings window, click Restore Defaults.

    The Confirm window opens.

  2. Click Yes.

    All appliance attributes are reset to the default settings.

Administrators RADIUS authentication

Administrators RADIUS authentication Attribute

Description

Local authentication (RADIUS server)

Perform local administrator authentication only if RADIUS server is not configured or is inaccessible.

Aggressive Aging

Aggressive Aging Attributes

Description

Multiple parameters

Aggressive Aging helps manage the connections table capacity and memory consumption of the firewall to increase durability and stability.

Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout it is marked as "eligible for deletion". When the connections table or memory consumption reaches the user defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections, until memory consumption or connections capacity decreases back to the desired level.

Aggressive Aging allows the gateway machine to handle large amounts of unexpected traffic, especially during a Denial of Service attack.

If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the "eligible for deletion" list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no "eligible for deletion" connections, no connections are deleted at that time, but the list is checked after each subsequent connection that exceeds the threshold.

Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic.

The major benefit of Aggressive Aging is that it starts to operate when the machine still has available memory and the connections table is not entirely full. This way, it reduces the chances of connectivity problems that might have occurred under low-resource conditions.

 

To configure Aggressive Aging:

  1. Select Enable Aggressive Aging of connections when appliance is under load.
  2. To log Aggressive Aging events, select Log Aggressive Aging events. The logs are shown in Logs & Monitoring > Security Logs under the IPS blade.
  3. Select the checkboxes of the Aggressive Aging Timeouts that you want to enforce and enter the Aggressive Aging timeout. Make sure that the Aggressive timeouts are lower than the default timeouts.
    The default timeouts can be viewed and configured in the Device > Advanced Settings > Stateful Inspection attributes.

To configure when the Aggressive Aging timeouts are enforced:

  1. Under Aggressive Aging Timeouts are enforced when section, select whether they are enforced if the connections table exceeds a limit, if memory exceeds a limit, or if both exceed their limits.
  2. Enter the percentage that you want to define as the limit to either connections table or memory consumption. If you select both, the values in the percentage fields of the other options are applied. Default is 80%, with connections from the "eligible for deletion" list being deleted if either the connections table or memory consumption passes this limit.

Anti ARP Spoofing

Anti ARP spoofing Attribute

Description

Anti ARP spoofing mode

Mode for Anti ARP spoofing protection. The protection can be turned off, on, or in detect only mode.

Detection window time to indicate attack

Time period (in seconds) during which IP addresses, assigned to the same MAC address, indicate an ARP spoofing attack.

Number of IP addresses to indicate attack

The number of IP addresses assigned to the same MAC address during the Detection window time that will an indicate an ARP spoofing attack.

Suspicious MAC block period

Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list.

Anti-Spam policy

Anti-Spam Policy Attributes

Description

All mail track

Tracking options for emails that are not considered spam or suspected spam. Tracking such emails can have a performance impact.

Allowed mail track

Tracking options for emails that are manually allowed in the Threat Prevention > Anti-Spam Exceptions page.

Content based Anti-Spam timeout

Indicates the timeout (in seconds) to wait for an answer from the cloud during content-based Anti-Spam inspection.

E-mail size scan

Indicates the maximal size of an email's content to scan (in KB)

IP reputation fail open

Indicates the action to take upon an internal error during Anti-Spam IP reputation test.

IP reputation timeout

Indicates the timeout (in seconds) to wait for an IP reputation test result.

Scan outgoing emails

Scan the content of emails which are sent from the local network to the Internet.

Transparent proxy

Use a transparent proxy for inspected email connections. When disabled, configuration of the proxy address and port is required on client machines.

Anti-Spoofing

Anti-Spoofing Attribute

Description

Enable global Anti-Spoofing

Indicates if Anti-Spoofing is enabled automatically on all interfaces according to their zone.

Application & URL Filtering

Application & URL Filtering Attributes

Description

Block when service is unavailable

Indicates if web requests are blocked when the Check Point categorization and widget definitions Online Web Service is unavailable.

Categorize cached and translated pages

Indicates if to perform URL categorization of cached pages and translated pages created by search engines.

Custom App over HTTPS

Indicates whether custom URLs and applications will be matched over HTTPS traffic using SNI field. Important note: as SNI field in HTTPS traffic is browser-dependent and promiscuous, it does not guarantee 100% match.

Enforce safe search

Indicates if the URL Filtering policy overrides the Safe Search settings in the user's browser. Regardless of what the user has selected, the strictest Safe Search settings are applied. Explicitly sexual content is filtered out of the search engine's results.

Fail mode

Indicates the action to take on traffic in case of an internal system error or overload.

Track browse time

Shows in logs the total time that users are connected to different sites and applications in an HTTP session

Use HTTP referer header

Indicates if the HTTP "referer" header (originally a misspelling of referrer) is used by the inspection engine to improved application identification.

Web site categorization mode

Indicates the mode that is used for website categorization:

Background - Requests are allowed until categorization is complete. When a request cannot be categorized with a cached response, an uncategorized response is received. Access to the site is allowed. In the background, the Check Point Online Web Service continues the categorization procedure. The response is then cached locally for future requests (default). This option reduces latency in the categorization procedure.

Hold - Requests are blocked until categorization is complete.
When a request cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization.

Capacity Optimization

Capacity Optimization Attributes

Description

Connections hash table size

Indicates the size of the connections hash table in bytes.

This value must be an integer that is an exponential power of two and approximately four times the maximum concurrent connections parameter.

Maximum concurrent connections

Indicates the overall maximum number of concurrent connections.

Cloud Services Firmware Upgrade

Cloud Services Firmware Upgrade Attributes

Description

Service access maximum retries

Indicates the maximum number of retries when failing to upgrade using the service.

Service access timeout until retry

Indicates the time (in seconds) to wait when there is a connection failure to the service before the next retry.

Cluster

Cluster Attribute

Description

Use virtual MAC

Indicates if a virtual MAC address is used by all members to allow a quicker failover by the network's switch.

Using the virtual MAC address:

  • Minimizes the potential traffic outage during fail-over.
  • Removes the need to use G-ARPs for NATed IP addresses.

DDNS

DDNS Attribute

Description

Iterations

Number of DNS updates.

DHCP relay

DHCP Relay Attribute

Description

Use internal IP addresses as source

Select Use internal IP addresses as source if DHCP relay packets from the appliance originate from internal IP addresses. This may be required if the DHCP server is located behind a remote VPN site.

DSL Globals

DSL Global Attribute

Description

DSL globals - VDSL2

Supports ITU G.993.2 VDSL2.

DSL globals - ADSL Dmt (G.992.1)

Supports ITU G.992.1 ADSL (G.dmt).

DSL globals - ADSL lite (G.992.2)

Supports ITU G.992.2 ADSL Lite (G.lite).

DSL globals - ADSL2 (G.992.2)

Supports ITU G.992.3 ADSL2.

DSL globals - ADSL2+ (G.992.5)

Supports ITU G.992.5 Annex M ADSL2+M.

DSL globals - T1.413

Supports ANSI T1.413-1998 Issue 2 ADSL.

DSL globals - Annex J/M

In an Annex A appliance: Combined with supported ADSL2+, it specifies Annex M ADSL2+. In an Annex B appliance: Combined with supported ADSL2, it specifies Annex J ADSL2.

DSL globals - Annex L

In an Annex A appliance: Combined with enabled ADSL2 (G.992.3) specifies support for Annex L.

DSL globals - 8a

Supports VDSL Profile 8a.

DSL globals - 8b

Supports VDSL Profile 8b.

DSL globals - 8c

Supports VDSL Profile 8c.

DSL globals - 8d

Supports VDSL Profile 8d.

DSL globals - 12a

Supports VDSL Profile 12a.

DSL globals - 12b

Supports VDSL Profile 12b.

DSL globals - 17a

Supports VDSL Profile 17a.

DSL globals - Seamless rate adaptation (SRA)

Enables seamless rate adaptation.

DSL globals - G.INP

Enhanced Impulse Noise Protection.

DSL globals - US0

Enables usage of first upstream band in VDSL.

Note - When all the ADSL standards are turned off in the Advanced Settings and you can only connect using the VDSL2 standard, the VPI, the VCI and the encapsulation options still appear even though they are not used to open an internet connection.

Firewall Policy

Firewall Policy Attribute

Description

Blocked packets action

Action for blocked packets: Drop, reject or automatic (drop from external and reject from internal).

Log implied rules

Produce log records for connections that match implied rules.

General Temporary Directory Size

General Temporary Directory Size Attributes

Description

General temporary directory size

Controls the size (in MB) of the general temporary directory.

System temporary directory size

Controls the size (in MB) of the temporary directory that is used by the system.

Hardware Options

Hardware Options Attribute

Description

Reset to factory defaults timeout

The amount of time (in seconds) that you need to press and hold the factory defaults button on the appliances' back panel to restore to the factory defaults image.

Hotspot

Hotspot Attribute

Description

Enable portal

Select Disabled to disable the hotspot feature entirely.

Prevent simultaneous log-in

The same user will not be allowed to login via hotspot portal from more than one machine in parallel.

IP Fragments Parameters

IP Fragments Parameters Attributes

Description

Multiple parameters

These parameters let you configure how the appliance handles IP fragments.

It can either block fragmented IP packets or drop fragments when a configured threshold is reached.

Select one of these options:

  • Forbid IP Fragments - Fragmented IP packets are dropped.
  • Allow IP Fragments - Fragmented IP packets are allowed if they do not exceed a configured threshold. When selecting this option, you can configure the maximum number of accepted incomplete packets. You can also configure the timeout (in seconds) for holding unassembled fragmented packets before discarding them.

IPS Additional Parameters

IPS Additional Parameters Attribute

Description

Max ping limit

Indicates the maximal ping packet size that are allowed when the 'Max Ping Size' protection is active.

Non-standard HTTP ports

Enable HTTP inspection on non-standard ports for the IPS blade.

IPS Engine Settings

IPS Engine Settings Attributes

Description

Configure error page options for supported web protections - multiple parameters

Some web based protections can show an error page upon detection. This error page is configurable.

The protections that support the error page:

  • Malicious Code protector
  • Cross-Site Scripting
  • LDAP Injection
  • SQL Injection
  • Command Injection
  • Directory Traversal
  • Directory Listing
  • Error Concealment
  • HTTP Format Sizes
  • ASCII Only Request
  • ASCII Only Response Headers
  • HTTP Methods

Select one of these options that applies to all such protections:

  • Do not show
  • Show pre-defined HTML error page - You can configure an HTML page that opens when an attack is detected. To configure the page, go to Advanced Settings > IPS engine settings > HTML error page configuration.
  • Redirect to another URL - Enter a URL to which users are redirected when an attack is detected. You can also select to add an error code that provides more information about the detected attack. This is not recommended because the information can be misused by an attacker.

HTML error page configuration - multiple parameters

These settings allow you to configure a pre-defined HTML error page that is seen when the error page advanced settings are set to Show pre-defined HTML error page. Select one of these options:

  • Logo URL - Optionally enter a URL that leads to your company logo.
  • HTML error page configuration - Shows an error code that provides more information about the detected attack. This is not recommended because the information can be misused by an attacker.
  • Send detailed error code - You can enter manually defined text that is shown in the HTML page. Enter the text in the Description box. For example, "Access denied due to IPS policy violation."

Internal Certificates Settings

Internal Certificate Settings Attributes

Description

Configure internal CA certificate expiration

The number of years the internal CA certificate is valid. This applies the next time the certificate is re-initialized.

Internet

Internet Attributes

Description

Reset Sierra USB on LSI error

Indicates whether Sierra type USB modems will be reset when they send an invalid LSI signal

MAC Filtering

MAC Filtering Attributes

Description

MAC filtering state

MAC filtering state

Log blocked MAC addresses

Indicates if blocked MAC addresses should be logged.

Log suspension

Indicates if an administrator can access the appliance from a remove Security Management Server without the need to enter an administrator name.

Managed Services

Managed Services Attributes

Description

Allow seamless administrator access from remote Management Server

Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator user name and password.

Show device details in Login

Indicates if appliance details are shown when an administrator accesses the appliance.

Mobile Settings

Mobile Settings Attributes

Description

Mobile Settings - Notification cloud server URL

Cloud server URL used for sending mobile notifications.

Mobile Settings - Pairing code expiration

Time (in hours) till pairing code is expired.

Type: Integer

Mobile Settings - Verify SSL certificate

Verify SSL certificate when sending mobile notification to cloud server

NAT

NAT Attributes

Description

ARP manual file merge

Indicates, when automatic ARP detection is enabled, to use the ARP definitions in a local file with higher priority. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the local.arp file and Automatic ARP configuration is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NAT IP address appears in both), then the manual configuration is used.

Multiple parameters - IP Pool NAT

An IP Pool is a range of IP addresses (an Address Range, a network or a group of one of these objects) routable to the gateway. When a connection is opened to a server, the gateway substitutes an IP address from the IP Pool for the source IP address. Reply packets from the server return to the gateway, which restores the original source IP address and forwards the packets to the source.

When using IP Pool NAT, select an existing IP address range object. It must be previously defined in the Users & Objects > Networks Objects page. The IP Pool NAT mechanism allocates IP addresses from this range.

Use IP Pool NAT for VPN clients connections - Applies to connections from VPN remote access clients to the gateway.

Use IP Pool NAT for gateway to gateway connections - Applies to site to site VPN connections.

Prefer IP Pool NAT over Hide NAT - Specifies that IP Pool NAT has priority over Hide NAT, if both match the same connection. Hide NAT is only applied if the IP pool is used up.

Reuse IP addresses from the Pool for different destinations - Select this option to reuse IP addresses from the Pool for different destinations.

Unused addresses interval - Configure in minutes the time interval it takes for unused addresses to return to the IP addresses pool.

Address exhaustion tracking - Specifies the type of log to issue if the IP Pool is exhausted.

Address allocation and release tracking - Specifies whether to log each allocation and release of an IP address from the IP Pool.

Automatic ARP detection

When internal devices in the local network are defined using static NAT, the appliance must make sure packets to the static NAT IP address reach it. This option enables the appliance to automatically respond to ARP requests for those IP addresses.

Increase hide capacity

Indicates if hide-NAT capacity is given additional space.

NAT enable

Indicates if the device's NAT capabilities are enabled.

NAT cache expiration

Indicates the expiration time in minutes for NAT cache entries.

NAT cache number of entries

Indicates the maximum number of NAT cache entries.

NAT hash size

Indicates the hash bucket size of NAT tables.

NAT limit

Indicates the maximum number of connections with NAT.

Perform cluster hide fold

Indicates if local IP addresses are hidden behind the cluster IP address when applicable, as opposed to being hidden behind each cluster member’s physical IP address.

Translate destination on client side

Translates destination IP addresses on client side (for automatically generated NAT rules).

Translate destination on client side (manual rules)

Translates destination IP addresses on client side (for manually configured NAT rules).

Notification Policy

Notification Policy Attributes

Description

Notification Language

Notification language

Privacy Settings

Privacy Settings Attribute

Description

Help Check Point improve its products by sending data

Customer consent.

QoS Blade

QoS Blade Attributes

Description

Logging

Indicates if the appliance logs QoS events when the QoS blade is enabled.

Reach My Device

Reach My Device Attributes

Description

Ignore SSL certificate

Indicates if the SSL certificate should be ignored when running the access service.

Server address

Indicates the address of the remote server that allows administration access to the appliance from the Internet even when behind NAT.

Report Settings

Report Settings Attributes

Description

Max Period

Maximum period to collect and monitor data. You must reboot the appliance to apply changes.

Serial Port

Serial Port Attributes

Description

Multiple Parameters

With the serial port parameters you can configure the console port on the back panel of the appliance.

You can disable it completely (clear the Enable serial port checkbox) if necessary and configure port speed and flow control settings. Note that these settings must match the configuration of the device connected to the console port.

There are three modes for working with this port:

  • Console - This is the default mode configured. The port is used to access the appliance's console.
  • Active - Instead of connecting through the port to the appliance's console, the data is relayed to a specified telnet server which can now be viewed through this port. Enter the Server TCP port of the telnet server and the IP address of the server. Two different IP server IP addresses can be configured (Primary server and Secondary server).
  • Passive - In this mode the flow of data is reversed and the appliance connects through the serial port to the console of the connected device. This console is accessible through a telnet connection to a configured port on the appliance. In Listen on TPC port, enter the port number.

To configure an implicit rule that allows traffic from any source to this port, make sure Implicitly allow traffic to this port is selected. If you do not create an implicit rule, you must manually define an access rule in the Firewall rule base.

Two appliances, one in active mode and the other in passive mode, can allow a client to remotely connect to a console connected to the appliance in passive mode over the internet using a telnet connection.

SSL Inspection

SSL Inspection Attributes

Description

Additional HTTPS ports

Additional HTTPS ports for SSL inspection (a comma separated list of ports/ranges).

Log empty SSL connections

Log connections that were terminated by the client before data was sent. This might indicate the client did not install the CA certificate.

Retrieve intermediate CA certificates

Indicates if the SSL inspection mechanism will perform its validations on all intermediate CA certificates in the certificate chain.

Track validation errors

Choose if the SSL Inspection validations are tracked.

Validate CRL

Indicates if the SSL inspection mechanism will drop connections that present a revoked certificate.

Validate Expiration

Indicates if the SSL inspection mechanism will drop connections that present an expired certificate.

Validate unreachable CRL

Indicates if the SSL inspection mechanism will drop connections that present a certificate with an unreachable CRL.

Validate untrusted certificates

Indicates if the SSL inspection mechanism will drop connections that present an untrusted server certificate.

Stateful Inspection

Stateful Inspection Attributes

Description

Accept out of state TCP packets

Indicates if TCP packets which are not consistent with the current state of the TCP connection are dropped (when set to 0) or accepted (when set to any other value).

Accept stateful ICMP errors

Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.

Accept stateful ICMP replies

Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.

Accept stateful UDP replies for unknown services

Specifies if UDP replies are to be accepted for unknown services. In each UDP service object it is possible to configure whether UDP replies for it are accepted if the service is matched on a rule which accepts traffic. This parameter refers to all connections which are not covered by the service objects.

Accept stateful other IP protocols replies for unknown services

Accept stateful other IP protocols replies for unknown services. In each service object it is possible to configure whether replies for it are accepted if the service is matched on a rule which accepts traffic. This parameter refers to all no UDP/TCP connections which are not covered by the service objects.

Allow LAN-DMZ DPI

Allow Deep Packet Inspection in traffic between internal networks and the DMZ network.

Allow LAN-LAN DPI

Allow Deep Packet Inspection in traffic between internal networks.

Drop out of state ICMP packets

Drop ICMP packets which are not in the context of a "virtual session".

ICMP virtual session timeout

An ICMP virtual session is considered to have timed out after this time period (in seconds).

Log dropped out of state ICMP packets

Indicates if dropped out of state ICMP packets generate a log. See the "Drop out of state ICMP packets" parameter.

Log dropped out of state TCP packets

Indicates if dropped out of state TCP packets generate a log. See the "Accept out of state TCP packets" parameter.

Other IP protocols virtual session timeout

A virtual session of services which are not TCP, UDP or ICMP is considered to have timed out after this time period (in seconds).

TCP end timeout

Indicates the timeout (in seconds) for TCP session end. A TCP session is considered as "ended" following two FIN packets, one in each direction, or an RST packet.

TCP session timeout

Indicates the timeout (in seconds) for TCP sessions. A TCP session times out if the connection remains idle after this time period (in seconds).

TCP start timeout

Indicates the timeout (in seconds) for TCP session start. A TCP connection times out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds this time period (in seconds).

UDP virtual session timeout

A UDP virtual session is timed out after this time period (in seconds).

Streaming Engine Settings

Streaming Engine Settings Attributes

Description

Multiple parameters

These settings determine how the TCP streaming engine used by the various deep inspection blades (IPS, Application Control, Anti-Bot, Anti-Virus, etc.) handles protocol violations and events that prevent the streaming engine from further inspection.

It is highly recommended that these settings always be in prevent mode. Using these settings in detect mode may significantly lower security as inspection stops when the event or violation occurs.

When the configuration is set to log such events, the logs are shown in Logs & Monitoring > Security Logs under the IPS blade.

For each violation or event configure the action and tracking mode.

TCP Segment Limit Enforcement

For every TCP segment that passes through the gateway, the gateway retains a copy of the segment until it receives an acknowledgment that the segment was received. This buffered data occupies space in the gateway's memory. This enforces a limit on the number and size of buffered segments per connection. When a connection reaches one of these limits, the gateway does not accept new segments for this connection until buffered segments are acknowledged.

TCP Out of Sequence

The receiving host of a TCP stream buffers segments and retains only those segments within a specified window. Segments outside this window are not processed by the receiving host. TCP segments which are outside the TCP receiving window should not be processed by the gateway. All data from TCP segments that are outside of the window is either dropped or removed. If the segment is near the window, data is stripped. If the segment is far from the window, the segment is dropped.

TCP Invalid Retransmission

For every TCP segment that passes through the gateway, the gateway retains a copy of the segment until the gateway receives an acknowledgment that the segment was received. If no acknowledgment is received, the source machine resends the segment, which the gateway compares to its copy to verify that the new packet matches the original. Passing a retransmission that differs from the original allows uninspected data to reach the destination application. This can block segment retransmissions which differ from the original segments, and this assures that the gateway inspects all data that is processed by the receiving application. When set to detect, such retransmissions causes the traffic to bypass deep inspection blades.

TCP Invalid Checksum

The gateway does not need to inspect packets with an invalid TCP checksum because these packets are dropped by the receiving host's TCP stack. This blocks TCP packets with an invalid checksum. Due to malfunctioning networking equipment, it is normal to see some packets with an incorrect checksum on the network. This does not indicate an attempted attack and for this reason, the default is to NOT log such events.

TCP SYN Modified Retransmission

A TCP SYN packet may be retransmitted with a changed sequence number in an attempt to initiate a connection that IPS does not inspect. This blocks a SYN retransmission where the sequence number has been modified. When set to detect, such retransmissions cause the traffic to bypass deep inspection blades.

TCP Urgent Data Enforcement

Some TCP protocols, such as Telnet, send out-of-band data using the TCP URG bit as part of the protocol syntax, whereas most protocols don't use the TCP out-of-band functionality. Allowing packets with the URG bit may prevent the gateway from determining what data would be processed by the receiving application. This could lead to a situation where the data inspected by the gateway is not what the receiving application processes, thus allowing IPS protections to be bypassed. When a packet with the URG bit is received in a protocol that does not support out-of-band functionality, the gateway cannot determine whether the receiving application processes the data. This removes the URG bit from TCP segments with the URG bit set in protocols which do not support the TCP out-of-band functionality. When set to detect, usage of the URG bit causes the traffic to bypass deep inspection blades.

Stream Inspection Timeout

A connection being inspected by a dedicated process may be delayed until inspection is completed. If inspection is not completed within a time limit, the connection is dropped so that resources are not kept open. This blocks connections whose inspection timeout has expired. When set to detect, exceeding the timeout causes the traffic to bypass deep inspection blades.

Threat Prevention Anti-Bot Policy

Threat Prevention Anti-Bot Policy Attribute

Description

Resource classification mode

Indicates the mode used by the Anti-Bot engine for resource classification:

  • Hold - Connections are blocked until classification is complete.
    When a connection cannot be classified with the cached responses, it remains blocked until the Check Point Online Web Service completes classification.
  • Background - Connections are allowed until classification is complete. When a connection cannot be classified with a cached response, an uncategorized response is received. The connection is allowed. In the background, the Check Point Online Web Service continues the classification procedure. The response is then cached locally for future requests. This option reduces latency in the classification process.

Threat Prevention Anti-Virus Policy

Threat Prevention Anti-Virus Policy Attributes

Description

File scan size limit

Indicates the size limit (in KB) of a file scanned by Anti-Virus engine. To specify no limit, set to 0.

MIME maximum nesting level

For emails that contain nested MIME content, set the maximum number of levels that the ThreatSpect engine scans in the email.

MIME nesting level exceeded action

If there are more nested levels of MIME content than the configured amount, select to Block or Allow the email file.

Priority scanning

Scan according to security and performance priorities for maximum optimization.

Resource classification mode

Indicates the mode used by the Anti-Virus engine for resource classification:

  • Hold - Connections are blocked until classification is complete.
    When a connection cannot be classified with the cached responses, it remains blocked until the Check Point Online Web Service completes classification.
  • Background - Connections are allowed until classification is complete. When a connection cannot be classified with a cached response, an uncategorized response is received. The connection is allowed. In the background, the Check Point Online Web Service continues the classification procedure. The response is then cached locally for future requests. This option reduces latency in the classification process.

Threat Prevention Threat Emulation Policy

Threat Prevention Threat Emulation Policy Attribute

Description

Emulation connection handling mode - IMAP

Indicates the strictness mode of the Threat Emulation engine over IMAP:

Background - Connections are allowed while the file emulation runs (if needed) until emulation handling is complete.

Hold - Connections are blocked until the file emulation is completed

Emulation connection handling mode - POP3

Indicates the strictness mode the Threat Emulation engine over POP3:

Background - Connection are allowed while the file runs (if needed)

Hold - Connections are blocked until the file emulation is completed.

Emulation connection handling mode - SMTP

Indicates the strictness mode of the Threat Emulation engine over SMTP:

Background - Connections are allowed while the file emulation runs (if needed)

Hold - Connections are blocked until the file emulation is completed.

Emulation location

Indicates if emulation is done on Public ThreatCloud or on remote (private) SandBlast.

Primary emulation gateway

The IP address of the primary remote emulation gateway.

Threat Prevention Policy

Threat Prevention Policy Attributes

Description

Block when service is unavailable

Block web requests traffic when the Check Point ThreatCloud online web service is unavailable.

Fail mode

Indicates the action to take (Allow all requests or Block all requests) on traffic in case of an internal system error or overload.

File inspection size limit

Indicates the size limit (in KB) of a file inspected by Threat Prevention engines.
Note - A limit too low may have an impact on the functionality of the Application Control blade. To specify no limit, set to 0.

Method for skipping HTTP inspection

Warning: Changing the setting to Full has a severe security impact.

An HTTP connection can be made up of many sessions. A file that is part of an HTTP connection passes in one HTTP session.

If a non-zero File inspection size limit is configured, the Default setting of Method for skipping HTTP inspection is that file inspection is skipped to the end of the session, and resumes in the next HTTP session.

If a non-zero File inspection size limit is configured and the Method for skipping HTTP inspection is changed to Full, file inspection is skipped to the end of the connection and resumes in the next connection. This improves performance because the remaining part of the connection is fully accelerated. However, changing the setting to Full is not recommended because of a severe security impact: The remaining sessions of the connection are not inspected.

USB Modem Watchdog

USB Modem Watchdog Attributes

Description

Interval

Indicates how often (in minutes) the USB modem watchdog probes the internet.

Mode

Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type.

To enable USB modem watchdog when internet probing indicates there is no internet access, select one of these reset options:

  • Disabled - Default.
  • Hard reset - Shuts down the power for the USB modem and turns it on again.
  • Gateway reset - Restarts the appliance.
  • Hard Gateway reset - First reboot the gateway and if that is not successful, restart the appliance.

USB only

Monitor only USB modem connection and not other internet connections.

In this mode, when monitoring other internet connections, gateway reset only occurs when probing fails on all internet connections (and not just USB modem).

Type: Boolean

Update services schedule

Update Services Schedule Attributes

Description

Maximum number of retries

Indicates the maximum number of retries for a single update when the cloud is unavailable

Timeout until retry

Indicates the timeout (in seconds) until update retry.

User Awareness

User Awareness Attributes

Description

Active Directory association timeout

Indicates the timeout (in minutes) for caching an association between a user and an IP address.

Allow DNS for unknown users

Indicates that DNS traffic from unauthenticated users is not be blocked when Block unauthenticated users when the captive portal is not possible is selected in Users & Objects > User Awareness > Browser-Based Authentication > Identification tab.

Without DNS traffic, the browsers of end users, may not show the Captive Portal.

Assume single user per IP address

When Active Directory Queries is enabled in Users & Objects > User Awareness the parameter indicates that only one user can be identified from a single device. When two or more users connect from a device, only the last user to log on is identified.

Log blocked unknown users

Indicates if unauthenticated users that are blocked are logged when Block unauthenticated users when the captive portal is not possible is selected in Users & Objects > User Awareness > Browser-Based Authentication > Identification tab.

User Management

User Management Attribute

Description

Automatically delete expired local users

Automatically delete all expired local users every 24 hours (after midnight).

VPN Remote Access

VPN Remote Access Attributes

Description

Allow clear Traffic while disconnected

Indicates if traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site is sent without encryption (clear) or dropped.

Allow simultaneous login

Indicates if a user can log in to multiple sessions. If the option is disabled, and a user logs in a second time with the same credentials, the previous session is disconnected.

Authentication timeout

Indicates the amount of time (in minutes) the remote client's password remains valid if timeout is enabled.

Authentication timeout enable

Indicates if the remote client's password remains valid only for a configured amount of time (Authentication timeout attribute).

Auto-disconnect in VPN domain

Indicates if the client disconnects automatically to save resources when it connects from inside the secured internal network (local encryption domain).

Back connections enable

Enable back connections from the encryption domain behind the gateway to the client.

Back connections keep-alive interval

Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections.

Enable Visitor Mode on All Interfaces

Enable Visitor Mode on This Interface

This dialog box lets you configure a specified interface for visitor mode. Visitor mode allows the appliance to listen for TCPT traffic on a specified port (by default port 443) as backup to IKE connections from the remote access client.

This mode is normally used to allow VPN remote access connections from behind restrictive environments such as hotels.

Modifying visitor mode to be enabled only on a specific interface is not recommended.

Encrypt DNS traffic

Indicates if DNS queries sent by the remote client to a DNS server located in the encryption domain are passed through the VPN tunnel.

Encryption Method

Indicates which IKE encryption method (version) is used for IKE phase 1 and 2.

Endpoint Connect re-authentication timeout

Indicates the time (in minutes) until the Endpoint Connect user's credentials are resent to the gateway to verify authorization.

IKE IP Compression Support

Indicates if IPSec packets from remote access clients is compressed.

IKE Over TCP

Enables support of IKE over TCP.

IKE restart recovery

When dealing with Remote Access clients, the appliance cannot initiate an IKE phase 1 negotiation because the client address is unknown. If the appliance has an active SA with a Remote Access client and it restarts, the SA is lost, and the appliance cannot initiate IKE phase 1. But, if the restart option is selected, the appliance saves the tunnel details every minute. When the first encrypted packet arrives after the appliance restarts, the appliance sends a Delete SA message. This causes the remote client to discard the old SA and initiate IKE phase 1 to reopen the tunnel.

Legacy NAT traversal

Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient.

Minimum TLS version support in the SSL VPN portal

Indicates the minimum TLS protocol version which the SSL VPN portal supports. For security reasons, we recommend to support TLS 1.2 and above.

Office Mode Enable With Multiple Interfaces

Indicates if a mechanism (with a performance impact) to improve connectivity between remote access client and an appliance with multiple external interfaces is enabled.

Office Mode Perform Anti-Spoofing

Single Office Mode Per Site

 

Office Mode Perform Anti-Spoofing - If this option is selected, VPN verifies that packets whose encapsulated IP address is an Office Mode IP address are indeed coming from an address of a client working in Office Mode. If the addresses are allocated by a DHCP server, VPN must know the range of allocated addresses from the DHCP scope for the Anti-Spoofing feature to work. Define a Network object that represents the DHCP scope and select it here.

Single Office Mode Per Site - After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateways encryption domain goes out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain recognize as the remote user's IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. As the remote hosts connections are dependent on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site terminate.

Office Mode allocate from RADIUS

Indicates if the Office Mode allocated IP addresses are taken from the RADIUS server used to authenticate the user.

Office Mode disable

Indicates if Office Mode (allocating IP addresses for Remote Access clients) is disabled. This is not recommended.

Passwords caching on client

Indicates if password caching is used. This means that re-authentication is not necessary when the client tries to access more than one gateway.

Prevent IP NAT Pool

Prevent IP Pool NAT configuration from being applied to Office Mode users. This is needed when using SecureClient as well as other VPN clients (see sk20251).

Radius retransmit timeout

Timeout interval (in seconds) for each RADIUS server connection attempt.

Remote Access port

Reserve port 443 for port forwarding

The default remote access port is port 443. If there is a conflict with another server using this port number, configure a different Remote access port. You must change the default remote access port if the Check Point VPN client, Mobile client, or SSL VPN remote access methods are enabled as they use port 443 by default. If you change the default port number 443, make sure to select Reserve port 443 for port forwarding.

SNX keep-alive interval

Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets.

SNX re-authentication timeout

Indicates the time (in minutes) between re-authentication of SSL Network Extender remote access users.

SNX support 3DES

Indicates if the 3DES encryption algorithm will be supported in SSL clients as well as the default algorithms.

SNX support RC4

Indicates if the RC4 encryption algorithm is supported in SSL clients as well as the default algorithms.

SNX uninstall

This parameter lets you configure under which conditions the SSL Network Extender client uninstalls itself. The options are: Do not uninstall automatically (recommended default), always uninstall upon disconnection, and ask the user upon disconnection.

SNX upgrade

This parameter lets you configure under which conditions the SSL Network Extender client installs itself. The options are: Do not upgrade automatically, always upgrade, and ask the user (default).

Topology updates manual interval

Indicates the manually configured interval (in hours) for topology updates to the clients. Applicable only if the override settings is set to true.

Topology updates override

Indicates if the configured topology updates settings override the default 'once a week' policy.

Topology updates upon startup only

Indicates if topology updates occur only when the client starts. Applicable only if the override settings is set to true.

Verify device certificate

The remote access client verifies the device's certificate against revocation list.

VPN Site to Site Global Settings

VPN Site to Site Global Settings Attributes

Description

Accept NAT Traversal

Indicates if industry standard NAT traversal (UDP encapsulation) is enabled. This enables VPN tunnel establishment even when the remote site is behind a NAT device.

Administrative notifications

Indicates how to log an administrative event (for example, when a certificate is about to expire)

Check validity of IPSec reply packets

Indicated whether to check the validity of IPSec reply packets.

Cluster SA sync packets threshold

Sync SA with other cluster members when the number of packets reaches this threshold.

Copy DiffServ mark from encrypted /decrypted IPSEC packet

Copy DiffServ mark from encrypted/decrypted IPSec packet.

Copy DiffServ mark to encrypted/ decrypted IPSEC packet

Copy DiffServ mark to encrypted/decrypted IPSec packet.

DPD triggers new IKE negotiation

DPD triggers new IKE negotiation.

Delete IKE SAs from a dead peer

Delete IKE SAs from a dead peer.

Delete IPsec SAs on IKE SA delete

Delete IPsec SAs on IKE SA delete.

Delete tunnel SAs when Tunnel Test fails

When permanent VPN tunnels are enabled and a Tunnel Test fails, delete the relevant peer's tunnel SAs.

Do not encrypt connections originating from the local gateway

Packets whose original source or destination IP address is the local gateway's Internet Connection IP address will not go through a VPN tunnel. This parameter may be useful when the gateway behind hide NAT.

Do not encrypt local DNS requests

When enabled, DNS requests originating from the appliance will not be encrypted. Relevant when a configured DNS server is in a VPN peer's encryption domain.

Enable encrypted packets rerouting

Indicates if encrypted packets are rerouted through the best interface according to the peer’s IP address or probing. We do not recommend to change this value to false.

Grace Period after CRL is no longer valid

CRL grace period is required to resolve the issue of differing clock times between the appliance and the remote CA.

A grace period permits a wider window for CRL validity.

Indicates the time (in seconds) after which a revoked certificate of a remote site remains valid.

Grace Period before CRL is valid

CRL grace period is required to resolve the issue of differing clock times between the appliance and the remote CA.

A grace period permits a wider window for CRL validity.

Indicates the time window (in seconds) where a certificate is considered valid prior to the time set by the CA.

IKE DoS from known sites protection

Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers.

IKE DoS from unknown sites protection

Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers.

IKE Reply From Same IP

Indicates if the source IP address used in IKE session is based on destination when replying to incoming connections, or based on the general source IP address link selection configuration.

Join adjacent subnets in IKE Quick Mode

Indicates if to join adjacent subnets in IKE Quick Mode.

Keep DF flag on packet

Indicates if the 'Don't Fragment' flag is kept on the packet during encryption/decryption.

Keep IKE SA Keys

Keep IKE SA keys.

Key exchange error tracking

Indicates how to log VPN configuration errors or key exchange errors.

Maximum concurrent IKE negotiations

Indicates the maximum number of concurrent VPN IKE negotiations.

Maximum concurrent tunnels

Indicates the maximum number of concurrent VPN tunnels.

Open SAs limit

Indicates the maximum number of open SAs per VPN peer.

Outgoing link tracking

Indicates how to log the outgoing VPN link: Log, don't log, or alert.

Override 'Route all traffic to remote VPN site' configuration for admin access to the device

Select this option to prevent admin access to this appliance from being routed to the remote site even when the "Route all traffic to remote VPN site" is configured.

Packet handling errors tracking

Indicates how to log the VPN packet handling errors: Log, don't log, or alert.

Perform Tunnel Tests using an internal IP Address

 

A Tunnel Test makes sure that the VPN tunnel between peer VPN Gateways is up.

By default, the test is done by making sure there is a connection between all the external IP addresses of the peer VPN Gateways.

You can configure this option to do the tunnel tests using the internal IP addresses of the Gateways that are part of the local encryption domain.

You can see the status of the VPN tunnel in the Logs and Monitoring tab.

Permanent tunnel down tracking

Indicates how to log when the tunnel goes down: Log, don't log, or alert.

Permanent tunnel up tracking

Indicates how to log when the tunnel is up: Log, don't log, or alert.

RDP packet reply timeout

Timeout (in seconds) for an RDP packet reply.

Reply from incoming interface

When tunnel is initiated from remote site, reply from the same incoming interface when applicable (IKE and RDP sessions).

Successful key exchange tracking

Indicates how to log when there is a successful key exchange: Log, don't log, or alert.

Use cluster IP address for IKE

Indicates if IKE is performed using cluster IP address (when applicable).

Use internal IP address for encrypted connections from local gateway

Encrypted connections originating from the local gateway will use an internal interface's IP address as the connection source.

VPN tunnel sharing

Indicates under what conditions new tunnels are created: per host pair, per subnet (industry standard), or a single tunnel per remote site/gateway. This controls the number of tunnels that are created.

VoIP

VoIP Attributes

Description

Accept MGCP connections to registered ports

Indicates if deep inspection over MGCP traffic automatically accepts MGCP connections to registered ports.

Accept SIP connections to registered ports

Indicates if deep inspection over SIP traffic automatically accepts SIP connections to registered ports.

Web Interface Settings and Customizations

Web Interface Settings and Customizations Attributes

Description

Multiple parameters

Select Use a company logo in the appliance's web interface to display a different logo (not the Check Point default logo).

In Company logo, click the Upload company logo link, browse to the logo file, and click Apply.

In Company URL, enter the company's URL. When you click the company logo in the web interface it opens this URL.