Configuring Internet Connectivity

The Device > Internet page shows how the Check Point Appliance connects to the internet.

On this page you can:

  • Configure a single internet connection or multiple connections in High Availability or Load Balancing configurations. When multiple internet connections are defined, the page shows them in a table.

  • Add a new connection and edit, delete, or disable existing connections.

  • Monitor the servers and internet connections (see Monitoring).

We recommend you contact your local Internet Service Provider (ISP) to understand how to configure your specific internet connection.

Notes:

  • IPv6 is not currently supported.

  • ADSL/VDSL settings are relevant only for devices that have a DSL port.

To configure internet connectivity:

  1. Click Configure Internet (if not configured at all), Add (for another internet connection), or Edit.

    The New or Edit Internet Connection window opens.

  2. Configure the fields in the tabs:

Configuration tab

Note - When you change the connection type, the appliance may disconnect from the internet.

  • Connection name - Enter a name for the connection or leave the default "InternetN" label (where N indicates an incrementing number).

  • Interface name

  • WAN or DMZ is for most types of Internet connections.

    Note - DMZ is not supported in 1530 / 1550 appliances.

  • LAN. You can also use unassigned LAN ports with no VLANs for internet connections. When you delete the internet connection, the port reverts to an unassigned LAN.

  • Link aggregation (Bond) - Create a link between two or more interfaces. This improves performance and redundancy by increasing the network throughput and bandwidth.
  • ADSL/VDSL. If you select the ADSL/VDSL interface, you must select one of these for the connection type: PPPoE, IPoE - static IP, or IPoE - dynamic IP.

You can create a maximum of 32 internet connections. This includes alias IP connections.

Note - If you remove or disable a LAN, any assigned alias IPs are also removed.

Unassigned LAN ports use case - If your company is in a region where internet connections supplied by ISPs are unreliable and experience multiple disconnections, you can connect your appliances to multiple internet connections from different ISPs.

IPv4 connection types:

Select the connection type:

  • DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network. The device retains the assigned address for a specified administrator-defined period. This does not apply to the ADSL/VDSL interface.

  • Static IP - A fixed (non-dynamic) IP address. You can configure multiple static IPs over the same WAN interface. Example: WAN and WAN:1 (WAN:1 is the alias IP).

  • PPPoE - A network protocol to encapsulate Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly in DSL systems. PPPoE can run directly over the ADSL/VDSL interface. It can also run over WAN or DMZ interfaces that are typically connected to an external DSL modem. You must enter the IP address, the subnet mask, default gateway and DNS Server Settings.

  • IPoE - dynamic IP (DSL only) - The Internet IP of the appliance is imported through DHCP.

  • IPoE - static IP (DSL) - The Internet IP of the appliance is determined statically. You must enter the IP address, the subnet mask, default gateway and DNS Server Settings.

  • PPTP - The Point-to-Point Tunneling Protocol (PPTP) uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.

  • L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol. It does not provide any encryption or confidentiality but relies on an encryption protocol that it passes within the tunnel to provide privacy.

  • Bridge - Connects multiple network segments at the data link layer (Layer 2).

  • Bridge DHCP - The bridge is configured as a DHCP client and the DHCP settings (including IP and subnet) are removed.

  • LTE - Both SIM cards are used for the internet connection with a failover between them.

  • Enter the relevant data for the connection type fields.

    Note - You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘ " # + \

To create a new BOND (WAN):

  1. In the Internet Connection page, to create a new internet connection, click Configure internet.

    The New Internet Connection window opens in the Configuration tab.

  2. Under Internet Configuration, enter the Connection name.

  3. For Interface, select New link aggregation (Bond).

  4. For Ports, select a minimum of 2 interfaces that are unassigned and disabled.

    Note - 1530 / 1550 appliances do not have a DMZ port.

  5. Select the Operation mode:

    • 802.3ad – Dynamically uses Active interfaces to share the traffic load.

    • Round Robin – Selects the Active interface sequentially.

    • XOR – All interfaces are Active for Load Sharing. Traffic is assigned to Active interfaces based on the transmit hash policy (Layer2 or Layer3+4).

    • High Availability (Active/Backup) – Gives redundancy when there is an interface or link failure. If you select this mode, you must select a Master, that is, the primary/default port for the traffic.

  6. Select the Connection type.

  7. In the Advanced tab, select the Mii interval. The Mii interval is the frequency (in ms) that the system polls the Media Independent Interface (Mii, the standard interface for fast Ethernet) to get status.

  8. If you selected 802.3ad or XOR as your operation mode, select the Hash policy from the dropdown menu.

    • Layer2

    • Layer2+3

    • Layer3+4

  9. Click Apply.
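
How the three Hash policy choices spread traffic across the Active ports of a bond, as an added example that is not part of the original guide or Check Point code. It is a simplified model that assumes the formulas from the classic Linux bonding driver documentation; the function names, MAC addresses, IP addresses and ports are constructed for illustration.

```python
import ipaddress

# Simplified model (assumption): formulas as in the classic Linux bonding
# driver documentation. The appliance's actual hash is not stated on this page.

def _ip_bits(src_ip, dst_ip):
    """Low 16 bits of (source IP XOR destination IP)."""
    x = int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    return x & 0xFFFF

def _mac_bits(src_mac, dst_mac):
    """XOR of the last octet of the source and destination MAC."""
    return int(src_mac.split(":")[-1], 16) ^ int(dst_mac.split(":")[-1], 16)

def pick_port(flow, policy, n_ports):
    """Return the index of the Active bond port that transmits this flow."""
    if policy == "Layer2":
        h = _mac_bits(flow["src_mac"], flow["dst_mac"])
    elif policy == "Layer2+3":
        h = _mac_bits(flow["src_mac"], flow["dst_mac"]) ^ _ip_bits(flow["src_ip"], flow["dst_ip"])
    elif policy == "Layer3+4":
        h = (flow["sport"] ^ flow["dport"]) ^ _ip_bits(flow["src_ip"], flow["dst_ip"])
    else:
        raise ValueError(f"unknown hash policy: {policy}")
    return h % n_ports

def distribute(flows, policy, n_ports):
    """Count how many flows each bond port carries under the given policy."""
    counts = {}
    for flow in flows:
        port = pick_port(flow, policy, n_ports)
        counts[port] = counts.get(port, 0) + 1
    return counts

# Constructed sample: a gateway sending to the internet through one ISP router,
# so every frame has the same source and destination MAC.
GW = {"src_mac": "02:00:00:00:00:01", "dst_mac": "02:00:00:00:00:02",
      "src_ip": "203.0.113.10"}
FLOWS = [
    dict(GW, dst_ip="198.51.100.5", sport=40000, dport=443),
    dict(GW, dst_ip="198.51.100.5", sport=40001, dport=443),
    dict(GW, dst_ip="198.51.100.5", sport=40002, dport=443),
    dict(GW, dst_ip="198.51.100.6", sport=40004, dport=443),
]

if __name__ == "__main__":
    for policy in ("Layer2", "Layer2+3", "Layer3+4"):
        print(policy, distribute(FLOWS, policy, 2))
```

In this model, Layer2 puts all four flows on one port because the MAC pair never changes on a WAN link, Layer2+3 splits by destination host, and Layer3+4 splits individual connections.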

To add a Bond as an additional internet connection:

  1. In the Internet Connection page, click Add an internet connection...

    The New Internet Connection window opens in the Configuration tab.

  2. Configure the rest of the fields as for a new connection.

To configure LTE internet connection (LTE WiFi models only):

  1. Click Configure Internet (if not configured at all), Add (for another internet connection), or Edit.

    The New or Edit Internet Connection window opens.

  2. In the Configuration tab, select Cellular for Interface name.

  3. Click Apply.

    Note - This closes the Edit Internet Connection window.

    The remaining steps are optional additional settings and are not essential for configuration.

  4. In the Cellular tab, under Cellular settings, select the Primary SIM and which SIM to disable: SIM 1, SIM 2 or Neither.

    • SIM 1 – Micro-SIM

    • SIM 2 – Nano-SIM

  5. For each SIM, enter the APN and PIN number.

  6. Configure the Connection Monitoring and Advanced tabs as for other interface connections.

  7. Click Apply.

Note – The Cellular tab is disabled unless you select Cellular for the interface name. Only appliances that support LTE show the Cellular tab.

For PPPoE over ATM over VDSL/ADSL or IPoE over ATM over VDSL/ADSL or for an ADSL interface:

Enter the VPI number and VCI number you received from your service provider, and the Encapsulation type (LLC or VC_MUX).

 

For WAN/DMZ interfaces and static, DHCP, PPPoE, PPTP, and L2TP connection types

Or

For VDSL/ADSL interfaces and IPoE - dynamic IP and IPoE - static IP connection types over PTM:

  • Use connection as VLAN - Select this checkbox to add a virtual Internet interface.

  • VLAN ID - Enter a VLAN ID between 1 and 4094.

 

If you are in an Annex L system, in Advanced Settings, you must enable Annex L and disable Annex J/M.

If you are in an Annex M system, in Advanced Settings, you must enable Annex J/M and disable Annex L. In all other Annex systems, no changes are needed to the default configuration.

Notes:

  • Multiple internet connections can be established over a single VDSL/ADSL connection carrying PTM traffic or in the case of WAN and DMZ interfaces.

  • Only one internet connection can be established over a VDSL/ADSL interface carrying ATM traffic or a USB interface.

  • One IPoE or PPPoE connection can be established over ATM running over the DSL interface.

  • A single IPoE connection or multiple PPPoE connections can be established over one untagged DSL interface carrying PTM traffic.

  • A single IPoE connection or multiple PPPoE connections can be established over one VLAN tagged DSL interface carrying PTM traffic.

  • A single DHCP or Static IP connection can be established over a USB interface.

  • A single DHCP or Static IP connection or multiple PPPoE connections can be established over one untagged or one VLAN tagged WAN or DMZ interface.

  • When all the ADSL standards are turned off in the Advanced Settings and you can only connect using the VDSL2 standard, the VPI, the VCI and the encapsulation options still appear even though they are not used to open an internet connection.

Connection Monitoring tab

  • Automatically detect loss of connectivity to the default gateway - Select this option to detect connectivity loss by sending ARP requests (pinging) to the default gateway and expecting responses.

  • Monitor connection state by sending probe packets to one or more servers on the Internet - Select this option to detect connectivity loss by using more methods and servers.

    • Connection probing method - Select one of the options.

      • Ping addresses - When you select this option, you can configure up to three servers by IP address or host name.

      • Probe DNS servers - When you select this option, the appliance probes the DNS servers as defined in the Internet connection and expects responses.

Advanced tab

For PPPoE

  • IP Address Assignment (PPPoE IPv4 only) - In Local tunnel IP address, select if the IP address is obtained automatically or manually configured. If manually configured, enter the IP address.

  • Service Provider Settings - In Service, enter a service name (optional) and select the Authentication method.

  • Connect on demand - Select the Connect on demand checkbox if necessary. This is relevant only when you are in high availability mode.

For PPTP and L2TP

  • IP Address Assignment -

    • In Local tunnel IP address, select if the IP address is obtained automatically or manually configured. If manually configured, enter the IP address.

    • In WAN IP assignment, select if the WAN IP address is obtained automatically or manually configured. If manually configured, enter the IP address, Subnet mask, and Default gateway.

  • Service Provider Settings - In Service, enter a service name (optional) and select the Authentication method.

  • Connect on demand - Select the Connect on demand checkbox if necessary. This is relevant only when you are in high availability mode.

Port Settings

  • If necessary, select Use custom MTU value and set the MTU size.

    Note - For a DMZ interface the MTU value is applied to all LAN ports.

    To avoid fragmentation (which slows transmission), set the MTU according to the smallest MTU of all the network devices between your gateway and the packet destination.

    For static and DHCP mode, set MTU to 1500 or lower.

    For PPPoE connections, set MTU to 1492 or lower.

    Note - When the gateway is behind a modem that works as a NAT device, the MTU value of the gateway must be the same value as in the modem. If the modem has a PPPoE connection, set the MTU in the gateway to 1492 or lower.

  • MAC address clone - If you select Override default MAC address, you can override the default MAC address used by the Internet connection. This is useful when the appliance replaces another device and wants to mimic its MAC address.

  • If necessary, select Disable auto negotiation. This lets you manually define the link speed of the Internet connection.

    • Select the Link Speed.

QoS Settings (bandwidth control) - supported in IPv4 connections only

To enable QoS bandwidth control for download and upload for this specified connection, select the applicable Enable QoS (download) and/or Enable QoS (upload) checkboxes. Enter the maximum Kbps rates for the selected options as provided by your ISP for the Internet upload and download bandwidth.

Make sure that the QoS blade is turned on. You can do this from Home > Security Dashboard > QoS > ON.

ISP Redundancy - supported in IPv4 connections only

Multiple Internet connections can be configured in High Availability or Load Sharing modes. When you configure more than one Internet connection, the Device > Internet page lets you toggle between these options. The Advanced setting of each Internet connection lets you configure each connection's priority or weights based on the set mode.

  • Clear the Route traffic through this connection by default checkbox when you do not want this Internet connection used as a default route for this gateway. The connection is used by the device only if specific, usually service-based, routing rules are defined for it. This is commonly used when you have a connection that is used for dedicated traffic. When you clear this option, this connection does not participate in High Availability or Load Balancing.

  • High Availability - Priority - Select the priority for the connection. Lower priority connections are only used if higher priority connections are unavailable.

  • Load Balancing - Weight - The traffic to the Internet is divided between all available connections based on their weights.
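
How the three settings above interact when a connection fails, as an added example that is not part of the original guide or Check Point code. It is a simplified model: the class and function names are hypothetical, the sample connections are constructed, and it assumes that priority 1 is the highest priority and that `up` reflects the result of connection monitoring.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    name: str
    up: bool                    # assumption: set by connection monitoring
    default_route: bool = True  # "Route traffic through this connection by default"
    priority: int = 1           # assumption: 1 is the highest priority
    weight: int = 1

def eligible(conns):
    """Connections that are available and take part in HA / Load Balancing."""
    return [c for c in conns if c.up and c.default_route]

def ha_active(conns):
    """High Availability: the highest-priority available connection carries traffic."""
    pool = eligible(conns)
    return min(pool, key=lambda c: c.priority).name if pool else None

def lb_shares(conns):
    """Load Balancing: traffic is divided between available connections by weight."""
    pool = eligible(conns)
    total = sum(c.weight for c in pool)
    return {c.name: c.weight / total for c in pool} if total else {}

def sample(internet1_up=True, internet2_up=True):
    """Constructed sample: two default-route connections and one dedicated one."""
    return [
        Conn("Internet1", up=internet1_up, priority=1, weight=3),
        Conn("Internet2", up=internet2_up, priority=2, weight=1),
        # Checkbox cleared: used only by specific routing rules, never for failover.
        Conn("Internet3", up=True, default_route=False),
    ]

if __name__ == "__main__":
    print(ha_active(sample()), lb_shares(sample()))
    print(ha_active(sample(internet1_up=False)), lb_shares(sample(internet1_up=False)))
    print(ha_active(sample(False, False)), lb_shares(sample(False, False)))
```

The last case shows the consequence of clearing the default-route checkbox: when both participating connections are down, the dedicated connection is not used as a fallback, so there is no default route to the internet.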

NAT Settings

If the gateway's global hide NAT is turned on in the Access Policy > NAT page, you can disable NAT settings for specified internet connections.

To disable NAT settings:

  1. Go to Device > Internet.

  2. Select an internet connection and click Edit.

    The Edit Internet Connection window opens.

  3. Click Advanced > NAT Settings.

  4. Select Do not hide internal networks behind this internet connection.

  5. Click Apply.

DHCP Settings

Hostname via WAN DHCP

When you edit or add a new Internet connection, you can select to get the hostname from your WAN DHCP. This means you do not configure the gateway name. Instead, the name is dynamic: it is assigned by another DHCP server, which also provides an IP address upon request.

To get a Hostname via WAN DHCP:

  1. In the New Internet Connection page > Configuration tab, select DHCP for the connection type.

  2. In the Advanced tab, click the checkbox for Hostname via DHCP.

Monitoring

Click the Monitor link to open the Monitoring Servers window. For each connection you configure, you can see the:

  • Server name

  • IP address

  • Packet loss

  • Failures

  • Latency - How much time it takes for a data packet to get from one designated point to another.

  • Jitter - The difference between the minimum and maximum latency results of a ping test. Can be used to determine network and broadband stability.

For Cellular connections only: Click the Monitor cellular modem link to open the Cellular Modem Monitoring window to see this information:

  • Cellular radio

  • Cellular modem

  • Operator

  • SIM cards - Which SIM is active, primary or disabled.