Configuring Provisioning Settings on Security Gateways

In This Section: Security Gateway Provisioning Settings Small Office Appliance Settings

Security Gateway Provisioning Settings

This chapter describes how to configure the Provisioning settings that are common to all the Security Gateways assigned with a Provisioning Profile.

Before you begin, make sure that your administrator user name has Write permissions for SmartLSM Gateway Database.

Scheduling Backups of Security Gateways

You can set up a schedule for backups of the individual Security Gateway, or view how it is managed with the assigned Provisioning Profile.

You can select to use SmartProvisioning to manage the backup settings, or configure on the local appliance or server.

To manage the backup schedule on the appliance or server:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the Backup tab.
3. Click Manage settings locally on the device.
4. Click OK.

To enable SmartProvisioning to manage the backup schedule:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click Backup.
3. Click Use the following settings.

   The backup schedule settings are shown.

4. Click Enable Backup.
5. To see how the backup schedule is configured by the Provisioning Profile, select Show profile settings.

   The Provisioning Profile settings are shown.

6. Define the schedule settings for the backup:
   • Start at: Set the starting hour and minute of the backup.
   • Recur every: Select Day of the month and provide a date, or select the day(s) of the week, to set how many times a week or month, and on which days, the backup will be performed.
7. To include product log files, select Include Check point products log files in the backup.

   Best Practice - If disk space is a problem for the appliance or server, make sure that this option is cleared.

8. To store the backup file on a server which is not the selected gateway, click Backup Target.

   The Backup Target window opens.

9. Configure the IP address or hostname for the server on which you want to store the backup.
10. Click OK.

    The Backup Target window closes.

11. Click OK.

Configuring DNS Servers

You can configure the DNS servers of the individual Security Gateway, or view how they are managed with the assigned Provisioning Profile.

You can select to use SmartProvisioning to manage the DNS settings, or configure on the local appliance or server.

To configure DNS servers with SmartProvisioning:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the DNS tab.
3. Click Use the following settings.
4. Enter the IP addresses of the First, Second, and Third DNS servers.

To manage the DNS servers on the appliance or server:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the DNS tab.
3. Click Manage settings locally on the device.
4. Click OK.

Configuring Hosts

You can set up the host list of the individual Security Gateway, or view how it is managed centrally with the assigned Provisioning Profile.

You can use SmartProvisioning to manage the host list, or configure it on the local appliance or server.

To configure the host list with SmartProvisioning:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the Hosts tab.
3. Click Use the following settings.
4. Click New.
5. Provide the Hostname and IP address.
6. Click OK.

To manage the host list on the appliance or server:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the Hosts tab.
3. Click Manage settings locally on the device.
4. Click OK.

Configuring Domain

You can set up the domain of the individual Security Gateway, or view how it is managed centrally with the assigned Provisioning Profile.

You can select to use SmartProvisioning to manage the domain settings, or configure on the local appliance or server.

To configure domain settings with SmartProvisioning:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the Domain Name tab.
3. Click Use the following settings.
4. Enter the Domain name.
5. Click OK.

To manage the domain settings on the appliance or server:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the Domain Name tab.
3. Click Manage settings locally on the device.
4. Click OK.

Configuring Host Name

You can see or change the host name of the individual Security Gateway in SmartProvisioning. You cannot use a Provisioning Profile to change the host name.

You can select to use SmartProvisioning to manage the host name settings, or configure on the local appliance or server.

To configure host name with SmartProvisioning:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the Host Name tab.
3. Click Use the following settings.
4. Enter the Hostname of the gateway.
5. Click OK.

To manage the host name on the appliance or server:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the Host Name tab.
3. Click Manage settings locally on the device.
4. Click OK.

Configuring Routing for Security Gateways

You can configure the routing settings of individual Security Gateways in the Devices pane in SmartProvisioning. You cannot configure these settings in a Provisioning Profile. You must configure the interfaces before the routes, because there are different types of routing configurations for different interfaces.

You can also configure the routing settings on the local appliance or server.

To configure the routing settings with SmartProvisioning:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the Routing tab.
3. Click Use the following settings.
4. Click Add.
5. Select a route type:
   • Network Route: Configure internal network routes.
   • Host Route: Configure access to a specific host.
   • Default Route: Configure the default route to access external destinations.

   A different Routing window opens for each type.

6. Enter the data and click OK.

   Some of the options are different for different appliances.

To manage the routing settings on the appliance or server:

1. From the Devices pane, double-click the Security Gateway.

   The window opens and shows the General tab.

2. Click the Routing tab.
3. Click Manage settings locally on the device.
4. Click OK.

Configuring Network Route

Configure these settings for the internal network routes:

• Destination IP Address: Destination IP address for this route (for example, the IP address of the CO gateway or the Security Management Server/Domain Management Server).
• Destination Netmask: Net mask of the destination network.
• Interface: Select a pre-configured interface for this route (UTM-1/Power-1/SecurePlatform Security Gateways).
• Gateway: IP address of the gateway which provides access to this route (for the Gaia gateways also assign a priority).
• Next Hop Type: For Gaia and the IP Appliances:
  • Normal: Allow traffic to the gateway.
  • Reject: Block traffic where the gateway is the destination, and acknowledge.
  • Black Hole: Block traffic without acknowledgment.

  For UTM-1/Power-1/SecurePlatform Security Gateways, the alternative to Next Hop Type is Metric. Metric is the Distance in hops to the destination (this value must be as accurate as possible: too low a value can cause lost communications with looping, too high a value can cause security issues).

Configuring Host Route

Configure these settings for host routes:

• Destination IP Address: IP address of the destination host.
• Interface: Select a pre-configured interface for this route.
• Gateway: IP address of the gateway providing access to this host.
• Metric: Distance in hops to the destination. If the host is on your local site, this must be a very low number. If the host is not behind routers, the metric must be zero.

Configuring Default Route

Configure these settings for default routes to external destinations:

• Gateway: IP address of the gateway providing access to the default external route.
• Metric: Distance in hops to the gateway (this value must be as accurate as possible: too low a value can cause lost communications with looping; too high a value may cause security issues). You can define only one default route per gateway.

Small Office Appliance Settings

For more about the Small Office Appliance settings, visit the Check Point Support Center and search for the appliance relevant to you.

Configuring DNS

To configure DNS:

1. From the Devices window, double-click the Small Office Appliance object.

   The Security Gateway window opens.

2. Select the DNS tab.
3. Select Use the following settings.

   The DNS settings open.

4. To manually configure the IP addresses:
   1. Select Set DNS server configuration.
   2. Enter the IP addresses for each DNS server which is used.
5. To use the DNS server of the ISP provider, select Use DNS configurations provided by the active Internet connection.
6. To use the Small Office Appliance as your default DNS proxy, select Enable DNS Proxy - resolves local DNS requests.
7. Click OK.

Configuring Interfaces

Configure the Small Office Appliance interfaces in the Interfaces tab in the Security Gateway window.

To configure the interfaces:

1. From the Devices window, double-click the Small Office Appliance object.

   The Security Gateway window opens.

2. Select the Interfaces tab.
3. Select Use the following settings.

   The interface settings open.

4. Select the interface and click Edit.

   The Edit window opens.

5. From the IP Assignment section, configure the IP address of the interface:
   1. Select Static IP.
   2. Enter the IP Address and Subnet Mask for the interface.
6. Select Enable Hotspot authentication to allow
7. To configure the DHCP settings for the interface:
   1. In the DHCP section, select Enabled.
   2. In DHCP IP range, enter the range of IP addresses that can be assigned to the DHCP clients.
   3. In Exclude IP range, enter the range of IP addresses that are not assigned to the DHCP clients.
   4. To configure an IP Relay agent, select Relay.
   5. Enter the IP address for the IP Relay agent.
8. To configure the advanced parameters for the interface:
   1. To assign a MAC address to the interface, select Override MAC Address.
   2. Enter the new MAC address value.
   3. From Link speed/Duplex, select the bandwidth for the interface.
9. Click OK.

   The Edit window closes.

10. Optional: In the Switch section > LAN Switch is active, click Activate to configure a LAN switch.
11. To configure the MTU (Maximum Transmission Unit) for all the interfaces that are not part of the LAN switch:
    • In the Advanced section, enter the new MTU value.
12. To enable the configured connection, select the interface and click Enable.

Adding a VLAN

You can add a new VLAN to a configured interface.

To create a VLAN (according to the IEEE 802.1q Standard) on one of the interfaces:

1. From the Devices window, double-click the Small Office Appliance object.

   The Security Gateway window opens.

2. Select the Interfaces tab.
3. Click New > New VLAN.

   The Add VLAN window opens.

4. From Interface, select the interface to which the new VLAN is added.
5. Enter these parameters from the new VLAN:
   • VLAN number
   • IP address
   • Subnet Mask
6. To configure the DHCP settings for the new VLAN:
   1. From the DHCP section, select Enabled.
   2. In DHCP IP range, enter the range of IP addresses that can be assigned to the DHCP clients.
   3. In DHCP Exclude IP range, enter the range of IP addresses that are not assigned to the DHCP clients.
   4. To configure an IP Relay agent for the new VLAN, select Relay.
   5. Enter the IP address for the IP relay.
7. Click OK.

   The new VLAN is added to the interface.

Configuring a LAN Switch

Configure the Small Office Appliance as a LAN switch in the Interfaces tab in the Security Gateway window.

To configure LAN switch parameters:

1. From the Devices window, double-click the Small Office Appliance.

   The Security Gateway window opens.

2. Select the Interfaces tab.
3. From the Switch section, click Activate.

   The Edit Switch window opens.

4. In the IP Assignment section, enter the IP address and Subnet Mask of the LAN switch.
5. To add an interface to the LAN switch:
   1. In the Interfaces section, select an interface from the Available Interfaces list.
   2. Click Add.
6. To configure the DHCP settings for the LAN switch:
   1. From the DHCP section, select Enabled.
   2. In DHCP IP range, enter the range of IP addresses that can be assigned to the DHCP clients.
   3. In DHCP Exclude IP range, enter the range of IP addresses that are not assigned to the DHCP clients.
   4. To configure an IP Relay agent for the new VLAN, select Relay.
   5. Enter the IP address for the IP Relay agent.
7. To assign a MAC address to the interface, in the Advanced section select Override MAC Address and enter the MAC address.
8. Click OK.

   The Edit Switch window closes and the switch is configured and activated.

9. The Switch section allows you to manage the LAN switch.
   • To disable the interfaces in the LAN switch, clear Enable Interfaces.
   • To deactivate the LAN switch, click Deactivate.

   Note - When the LAN switch is deactivated, the settings of all interfaces in the LAN switch are erased.

10. Click OK.

Configuring Internet Connection Types

You must configure a primary Internet connection, and you can configure a secondary one. When High Availability is activated, if there is a failover on the primary Internet connection, then the Small Office Appliance starts to use the secondary Internet connection.

These are the Internet connections:

• Static IP - A fixed (non-dynamic) IP address.
• DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network.
• PPPoE - A network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with DSL services where individual users connect to the DSL modem over Ethernet and in plain Metro Ethernet networks.
• PPTP - The Point-to-Point Tunneling Protocol (PPTP) is a method for implementation of virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.
• L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself. It relies on an encryption protocol that it passes within the tunnel to provide privacy.

When you have enabled both Internet connections, you can configure High Availability to revert back to the primary Internet connection.

Configuring a Static Internet Connection

You can configure an Internet connection with a static IP address.

To configure a static IP Internet connection:

1. From the Devices window, double-click the Small Office Appliance network object.

   The Security Gateway window opens.

2. Select the Internet tab.
3. Select Use the following settings. The Internet connection settings open.
4. Configure the primary Internet connection type:
   1. Select Enable Primary Internet Connection.
   2. Select whether the primary Internet connection is on the WAN or DMZ.
   3. From Connection Type, select Static IP.
5. Click Configure.

   The Primary Internet Configuration window for the Static IP Internet connection type opens.

6. In the IP Settings section, enter these IP address parameters:
   • IP Address
   • Subnet Mask
   • Default Gateway
7. In the DNS section, enter the IP addresses for the DNS servers.
8. In the WAN Port Settings section, enter these interface settings:
   • To configure the MTU (Maximum Transmission Unit) for the Internet connection, enter the new MTU value.

   Note - For a DMZ interface, the MTU value is applied to all LAN ports.

   • To assign a MAC address to the Internet connection, select Override MAC Address and enter the MAC address.
   • To configure the bandwidth for the Internet connection, select the appropriate option from Link speed/Duplex.
9. From the Advanced section, you can select Use ICMP to monitor connection status.
10. Click OK.

Configuring a DHCP Internet Connection

You can configure an Internet connection that uses DHCP to automatically assign IP addresses.

To configure a DHCP Internet connection:

1. From the Devices window, double-click the Small Office Appliance network object.

   The Security Gateway window opens.

2. Select the Internet tab.
3. Select Use the following settings. The Internet connection settings open.
4. Configure the primary Internet connection type:
   1. Select Enable Primary Internet Connection.
   2. Select whether the primary Internet connection is on the WAN or DMZ.
   3. From Connection Type, select Obtain IP Address Automatically (DHCP).
5. Click Configure.

   The Primary Internet Configuration window for the DHCP Internet connection type opens.

6. In the WAN Port Settings section, enter these interface settings:
   • To configure the MTU (Maximum Transmission Unit) for the Internet connection, enter the new MTU value.

   Note - For a DMZ interface, the MTU value is applied to all LAN ports.

   • To assign a MAC address to the Internet connection, select Override MAC Address and enter the MAC address.
   • To configure the bandwidth for the Internet connection, select the appropriate option from Link speed/Duplex.
7. From the Advanced section, you can select Use ICMP to monitor connection status.
8. Click OK.

Configuring a PPPoE Internet Connection

You can configure an Internet connection that uses PPPoE protocol.

To configure a PPPoE Internet connection:

1. From the Devices window, double-click the Small Office Appliance network object.

   The Security Gateway window opens.

2. Select the Internet tab.
3. Select Use the following settings. The Internet connection settings open.
4. Configure the primary Internet connection type:
   1. Select Enable Primary Internet Connection.
   2. Select whether the primary Internet connection is on the WAN or DMZ.
   3. From Connection Type, select Point-to-Point Protocol over Ethernet (PPPoE).
5. Click Configure.

   The General tab of the Primary Internet Configuration window for the PPPoE Internet connection type opens.

6. Enter these settings for your Internet Service Provider:
   • User Name
   • Password
7. In the WAN Port Settings section, enter these interface settings:
   • To configure the MTU (Maximum Transmission Unit) for the Internet connection, enter the new MTU value.

   Note - For a DMZ interface, the MTU value is applied to all LAN ports.

   • To assign a MAC address to the Internet connection, select Override MAC Address and enter the MAC address.
   • To configure the bandwidth for the Internet connection, select the appropriate option from Link speed/Duplex.
8. Click OK.

PPPoE Advanced Settings

You can configure the advanced settings for a PPPoE Internet connection. The advanced settings allow you to configure:

• IP settings for the tunnel
• How the Internet connection is started and maintained

To configure PPPoE advanced settings:

1. From the Primary Internet Configuration window for PPPoE, select Advanced.

   The Advanced PPPoE window opens.

2. In the Local Tunnel IP Assignment section, enter these settings for the PPPoE tunnel:
   • Obtain IP Address Automatically - The IP address for the PPPoE tunnel is automatically configured (default setting).
   • Use the Following IP Address - Enter the static IP address that is used for the PPPoE tunnel.
3. In the Connection Method section, configure how the Small Office Appliance uses the PPPoE Internet connection:
   • Auto Connect - The Small Office Appliance automatically establishes a PPPoE connection to the Internet.
   • Connect on Demand - The Small Office Appliance Gateway establishes a PPPoE connection to the Internet when required.
   • Disconnect Idle Time - Enter the number of maximum number of idle minutes before the PPPoE Internet connection is disconnected.
4. In the Monitor Connections section, enter the PPPoE Echo requests settings:
   • Monitor Connection Status Every - Enter how often, in seconds, that PPPoE Echo requests are sent to the server.
   • Assume Connection is Down After - Enter the maximum number of failed PPPoE Echo requests before the PPPoE server is considered down.
   • From the Advanced section, you can select Use ICMP to monitor connection status.
5. Click OK.

Configuring a PPTP or L2TP Internet Connection

You can configure an Internet connection that uses PPTP or L2TP protocol.

To configure a PPTP Internet connection:

1. From the Devices window, double-click the Small Office Appliance network object.

   The Security Gateway window opens.

2. Select the Internet tab.
3. Select Use the following settings. The Internet connection settings open.
4. Configure the primary Internet connection type:
   1. Select Enable Primary Internet Connection.
   2. Select whether the primary Internet connection is on the WAN or DMZ.
   3. From Connection Type, select Point-to-Point Tunneling Protocol over Ethernet (PPTP) or Layer 2 Tunneling Protocol (L2TP).
5. Click Configure.

   The General tab of the Primary Internet Configuration window for the Internet connection type opens.

6. Enter these settings for your Internet Service Provider:
   • Server Host Name or IP Address
   • ISP Login User Name
   • ISP Login Password
7. In the WAN Port Settings section, enter these interface settings:
   • To configure the MTU (Maximum Transmission Unit) for the Internet connection, enter the new MTU value.

   Note - For a DMZ interface, the MTU value is applied to all LAN ports.

   • To assign a MAC address to the Internet connection, select Override MAC Address and enter the MAC address.
   • To configure the bandwidth for the Internet connection, select the appropriate option from Link speed/Duplex.
8. Click OK.

PPTP or L2TP Advanced Settings

You can configure the advanced settings for a PPTP or L2TP Internet connection. The advanced settings allow you to configure:

• IP settings for the tunnel and the WAN
• How the Internet connection is started and maintained

To configure PPTP or L2TP advanced settings:

1. From the Primary Internet Configuration window for PPTP or L2TP, select Advanced.

   The Advanced settings open.

2. In the Local Tunnel IP Assignment section, enter the settings for the tunnel:
   • Obtain IP Address Automatically - The IP address for the tunnel is automatically configured (default setting).
   • Use the Following IP Address - Enter the static IP address that is used for the tunnel.
3. In the WAN IP Assignment section, enter the IP address settings for the WAN:
   • Obtain IP Address Automatically - The IP address for the WAN is automatically configured (default setting).
   • Use the Following IP Address - Configure these settings for the WAN IP address:
     • IP Address
     • Subnet Mask
     • Default Gateway
4. In the Connection Method section, configure how Small Office Appliance uses the PPTP or L2TP Internet connection:
   • Auto Connect - Small Office Appliance automatically establishes a PPTP or L2TP connection to the Internet.
   • Connect on Demand - Small Office Appliance establishes a PPTP or L2TP connection to the Internet when required.
   • Disconnect Idle Time - Enter the number of maximum number of idle minutes before the PPTP or L2TP Internet connection is disconnected.
5. In the Monitor Connections section, enter the Echo request settings:
   • Monitor Connection Status Every - Enter how often (in seconds) that Echo requests are sent to the server.
   • Assume Connection is Down After - Enter the maximum number of failed Echo requests before the server is considered down.
   • From the Advanced section, you can select Use ICMP to monitor connection status.
6. Click OK.

Configuring ICMP

You can configure the ICMP (Internet Control Message Protocol) settings for the Internet connection. You can specify servers that receive ICMP requests to monitor the status of the Internet connection. If you enabled High Availability, the Small Office Appliance can activate the other Internet connection when necessary.

To configure the ICMP settings:

1. From the Devices window, double-click the Small Office Appliance.

   The Security Gateway window opens.

2. Select the Internet tab.
3. From the required Internet connection, click Configure.

   The Internet Configuration window is opens.

4. From the Advanced section or tab, select Use ICMP to monitor connection status.
5. Click Configure.

   The ICMP Settings window opens.

6. To monitor a server:
   1. Click Add.
   2. Enter the host name or IP address of the server.
   3. Repeat these steps for all the servers that are monitored.
   4. Select Send ICMP requests to the following servers.
7. To monitor the default gateway, select Send ICMP requests to default gateway.
8. Enter these ICMP connection monitoring settings:
   1. Interval Between - Enter the number of seconds between each ICMP request.
   2. Failover After - Enter the maximum number of failed ICMP requests. When High Availability is active, after an ICMP failover the other Internet connection becomes active.
   3. Resume Requests After - Enter the number of seconds after an ICMP failover that ICMP requests are resumed.
9. Click OK.

Configuring Routing Settings

You must configure Small Office Appliance interfaces before you configure the routing settings. The routing configurations are not the same for all interfaces.

You cannot add a default route from the Routing tab. The default route of the system is the same as the default gateway that is configured for the Internet connection. If Internet Connection High Availability is active, the default route automatically changes to the default gateway of the other Internet connection. When there is no active Internet connection and no default route is active, this message is displayed: Note: There is no default route since no Internet connection is enabled.

You can configure Small Office Appliance to automatically select the interface or gateway that is used for a route. You cannot select the Automatic option for both the interface and the gateway.

Configuring a Network Route

You can use SmartProvisioning to configure network routes for Small Office Appliances. Use a network route to configure routing for an internal network.

To configure a network route:

1. In the Devices window, double-click the Small Office Appliance.

   The Security Gateway window opens.

2. Select the Routing tab.
3. Select Use the following settings.

   The Routing settings open.

4. Click Add and select Network Route.

   The Routing window opens.

5. In Destination IP Address, enter the IP address of the network.
6. In Destination Netmask, enter the netmask for the destination IP address.
7. From Interface, select a configured interface for the route.
8. In Gateway, enter the IP address of the gateway that provides access to the route.
9. In Metric, enter the number of hops to the destination.

   Note - This value must be accurate. A metric that is too low can cause lost communications because of looping. A metric that is too high can cause security issues.

10. Click OK.

Configuring a Host Route

You can use SmartProvisioning to configure host routes for Small Office Appliances. A host route configures access to a specific host.

To configure a host route:

1. In the Devices window, double-click the Small Office Appliance object.

   The Security Gateway window opens.

2. Select the Routing tab.
3. Select Use the following settings.

   The Routing settings open.

4. Click Add and select Host Route.

   The Routing window opens.

5. In Destination IP Address, enter the IP address of the host.
6. From Interface, select a configured interface for the route.
7. In Gateway, enter the IP address of the gateway that provides access to the host.
8. In Metric, enter number of hops to the destination host.

   Note - If the host is on your local site, the metric must be a low number. If the host is not behind routers, the metric must be zero.

9. Click OK.

Configuring Firmware Installation Settings

You can use SmartProvisioning to manage the firmware installation settings for Small Office Appliances.

You can select the firmware image to install on your Security Gateway. The firmware images that are shown in the list were uploaded through SmartUpdate. If firmware installation fails, the Security Gateway reverts to its state before installation. The list shows the details of the firmware image. These include the Name, Vendor, Major Version, Minor Version, Build Number, and Description.

You can install the firmware with one of these options:

• Immediately - Downloads and installs the firmware immediately after saving these settings in the next synchronization with a Security Gateway assigned to this profile.
• According to time ranges - You can define download and installation time ranges for the firmware image. You can limit the download and installation time to a specified list of time ranges in the week. They will start at the nearest time range after the firmware settings are applied. For example, if the firmware installation settings are applied on Sunday and there are two time ranges:
  • One range is set to Friday 00:00 to Saturday 00:00
  • One range is set to Wednesday 23:00 to Thursday 06:00

    The firmware will be installed between Wednesday 23:00 and Thursday 06:00.

    If that the Security Gateway fails to download and or install the firmware during the nearest time range, it tries again in the next time range.

To configure firmware installation settings:

1. In the Devices window, double-click the Small Office Appliance object.

   The Security Gateway window opens.

2. Select the Firmware tab.
3. Select Use the following settings.

   The Firmware settings open.

4. In Firmware image, click Select to select a firmware image that was uploaded through SmartUpdate.
5. In SmartLSM Profile after installation, select a related SmartLSM profile from the list that can be installed for the selected firmware image and its supported versions.
6. Select one of the options to install the firmware:
   1. Immediately
   2. According to these time ranges - Select to use the Security Gateway time or local time.
      • Add/Edit - Click Add or Edit to open the Time Range window to define or change the weekdays and times for download and installation of the firmware image. Select the days and times and click OK.
      • Remove - Select a range from the list and click Remove to delete a time range.
      • Download image immediately - Click this option to download the firmware image immediately but install the image during one of the set time ranges.
7. Click Show profile settings - to see the settings of the Provisioning Profile that this gateway references.
8. Click OK.

Configuring a RADIUS Server

You can configure the RADIUS server (Remote Authentication Dial In User Service) that provides authentication, authorization, and accounting for Small Office Appliance gateways. You can configure RADIUS in the Provisioning Profile once for all gateways assigned to this profile. The RADIUS server must be already defined as a SmartConsole object.

You can configure your appliance to contact more than one RADIUS server. If the first server in the list is unreachable, the next RADIUS server in the list is contacted to authenticate with. If the list is empty, the RADIUS option is turned off on the Security Gateway.

To configure RADIUS:

1. In the Devices window, double-click the Small Office Appliance object.

   The Security Gateway window opens.

2. Select the RADIUS tab.
3. Select Use the following settings.
4. Click Add to add RADIUS servers that were defined in SmartConsole, select a RADIUS server from the list and click OK.
5. To remove a server, select a server in the list and click Remove.
6. Use Up/Down to set the priority used for contacting RADIUS servers.
7. Click Allow administrators from specific RADIUS groups only (comma separated) to allow authentication from specified groups as defined on the RADIUS server. Only administrators which belong to those groups can get access.
8. Click OK.