Configuring Internet Connectivity

The Device > Internet page shows how the appliance connects to the internet.

On this page you can:

  • Configure a single internet connection or multiple connections in High Availability or Load Balancing configurations. When multiple internet connections are defined, the page shows them in a table.

  • Add a new connection and edit, delete, or disable existing connections.

  • Monitor the servers and internet connections (see Monitoring).

We recommend you contact your local Internet Service Provider (ISP) to understand how to configure your specific internet connection.

Notes:

Configuring the Internet Connectivity

  1. Click Configure Internet (if not configured at all), Add (for another Internet connection), or Edit.

    The New or Edit Internet Connection window opens.

  2. Configure the fields in the tabs as described below.

The 'Configuration' tab

Note - When you change the connection type, the appliance may disconnect from the internet.

  • Connection name - Enter a name for the connection or leave the default "Internet<N>" label (where <N> indicates an incrementing number).

  • Interface name

  • WAN or DMZ is for most types of Internet connections.

    The DMZ port has 2 inputs: LAN (RJ45) and SFP. In non-VDSL 1570 / 1590 appliances, you can use an external DSL modem connected to the DMZ SFP port. Note - Only Check Point Branded SFP DSL is supported. Third party SFP DSL is not supported.

    Note - DMZ is not supported in 1530 / 1550 appliances.

  • LAN. You can also use unassigned LAN ports with no VLANs for internet connections. When you delete the internet connection, the port reverts to an unassigned LAN.

  • Link aggregation (Bond) - Create a link between two or more interfaces. This improves performance and redundancy by increasing the network throughput and bandwidth.

  • USB/Serial is for cellular modems.

  • ADSL/VDSL. If you select the ADSL/VDSL interface, you must select one of these for the connection type: PPPoE, IPoE - static IP, or IPoE - dynamic IP.

You can create a maximum of 32 internet connections. This includes alias IP connections.

Note - If you remove or disable a LAN, any assigned alias IPs are also removed.

Unassigned LAN ports use case - If your company is in a region where internet connections supplied by ISPs are unreliable and experience multiple disconnections, you can connect your appliances to multiple internet connections from different ISPs.

To configure an internet connection over the DMZ port:

  1. On the Configuring Internet Connectivity page, click New to create a new internet connection.

    The New Internet Connection window opens in the Configuration tab.

  2. For Interface, select DMZ.

    • For a DSL over DMZ Connection, select SFP-DSL.

    • For a non-DSL connection, select RJ45/SFP-Fiber.

  3. Click Apply.

Note – If the appliance has an internal modem, an external modem is not supported.

IPv4 connection types

Select the connection type:

  • DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network. The device retains the assigned address for a specified administrator-defined period. This does not apply to the ADSL/VDSL interface.

  • Static IP - A fixed (non-dynamic) IP address.

  • PPPoE - A network protocol to encapsulate Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly in DSL systems. PPPoE can run directly over the ADSL/VDSL interface as well as the DMZ interface with the SFP port. It can also run over WAN or DMZ interfaces that are typically connected to an external DSL modem. You must enter the IP address, the subnet mask, default gateway and DNS Server Settings.

  • IPoE - dynamic IP (DSL only) - The Internet IP of the appliance is imported through DHCP.

  • IPoE - static IP (DSL) - The Internet IP of the appliance is determined statically. You must enter the IP address, the subnet mask, default gateway and DNS Server Settings.

  • PPTP - The Point-to-Point Tunneling Protocol (PPTP) uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.

  • L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol. It does not provide any encryption or confidentiality but relies on an encryption protocol that it passes within the tunnel to provide privacy.

  • Bridge - Connects multiple network segments at the data link layer (Layer 2).

  • Bridge DHCP - The bridge is configured as a DHCP client and the DHCP settings (including IP and subnet) are removed.

  • Cellular - This is for appliances with an internal LTE modem. Both SIM cards are used for the internet connection with a failover between them.

  • Cellular Modem - Connect to the ISP through a 3G or 4G network with an external cellular modem. For this option, select the USB/Serial option in the Interface name.

    Note - Only one cellular modem is supported. Appliances with an internal LTE modem do not support an external USB modem.

Enter the relevant data for the connection type fields.

Note - You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ' " \

Maximum number of characters: 255

Creating a New Bond (WAN)

  1. In the Internet Connection page, to create a new internet connection, click Configure internet.

    The New Internet Connection window opens in the Configuration tab.

  2. Under Internet Configuration, enter the Connection name.

  3. For Interface, select New link aggregation (Bond).

  4. For Ports, select a minimum of 2 interfaces that are unassigned and disabled.

    Note - 1530 / 1550 appliances do not have a DMZ port.

  5. Select the Operation mode:

    • 802.3ad – Dynamically uses Active interfaces to share the traffic load.

    • Round Robin – Selects the Active interface sequentially.

    • XOR – All interfaces are Active for Load Sharing. Traffic is assigned to Active interfaces based on the transmit hash policy (Layer2 or Layer3+4).

    • High Availability (Active/Backup) – Gives redundancy when there is an interface or link failure. If you select this mode, you must select a Master, i.e., the primary/default port for the traffic.

  6. Select the Connection type.

  7. In the Advanced tab, select the Mii interval. The Mii interval is the frequency (in ms) that the system polls the Media Independent Interface (Mii, the standard interface for fast Ethernet) to get status.

  8. If you selected 802.3ad or XOR as your operation mode, select the Hash policy from the dropdown menu.

    • Layer2

    • Layer2+3

    • Layer3+4

  9. Click Apply.
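The hash policy decides which bond member carries a given flow, and the choice matters more than it looks: with Layer2, every frame to the same next-hop MAC address (normally the ISP router) hashes to the same port, so a two-port bond to a single router carries all internet traffic on one link. The following added example is not appliance code; it models the three policies with the formulas documented for the older Linux bonding driver, which is an assumption, since the page does not state the appliance's exact hash. The sample flows, MAC addresses and documentation-range IPs are constructed.

```python
"""Illustrative transmit-hash selection for a link-aggregation bond (added example).

The three hash policies follow the formulas documented for the (older) Linux
bonding driver; the page does not state the appliance's exact hash function,
so treat the arithmetic as an assumption. The point it demonstrates holds for
any Layer2 policy: every frame to the same next-hop MAC lands on one port.
"""
import ipaddress

ETH_P_IP = 0x0800  # Ethernet type ID for IPv4, mixed into the Layer2 hash


def _mac_low_byte(mac: str) -> int:
    """Last octet of a colon-separated MAC address (the byte the hash uses)."""
    return int(mac.split(":")[-1], 16)


def _ip_xor(src_ip: str, dst_ip: str) -> int:
    """Low 16 bits of (source IP XOR destination IP), IPv4 only."""
    return (int(ipaddress.IPv4Address(src_ip)) ^ int(ipaddress.IPv4Address(dst_ip))) & 0xFFFF


def select_port(policy: str, n_ports: int, flow: dict) -> int:
    """Return the bond member index (0..n_ports-1) chosen for one flow.

    flow keys: src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port.
    """
    l2 = _mac_low_byte(flow["src_mac"]) ^ _mac_low_byte(flow["dst_mac"])
    if policy == "Layer2":
        h = l2 ^ ETH_P_IP
    elif policy == "Layer2+3":
        h = _ip_xor(flow["src_ip"], flow["dst_ip"]) ^ l2
    elif policy == "Layer3+4":
        h = (flow["src_port"] ^ flow["dst_port"]) ^ _ip_xor(flow["src_ip"], flow["dst_ip"])
    else:
        raise ValueError(f"unknown hash policy: {policy}")
    return h % n_ports


def ports_for_flows(policy: str, n_ports: int, flows: list) -> list:
    """Map every flow to its bond member under the given policy."""
    return [select_port(policy, n_ports, f) for f in flows]


# Constructed sample: five flows from the appliance's WAN MAC to the ISP
# router's MAC (the usual case, one next hop), four to one web server and
# one to another. Addresses are documentation ranges, not real hosts.
APPLIANCE_MAC = "00:1c:7f:00:00:01"
ISP_ROUTER_MAC = "00:11:22:33:44:02"
SAMPLE_FLOWS = [
    {"src_mac": APPLIANCE_MAC, "dst_mac": ISP_ROUTER_MAC, "src_ip": "192.0.2.10",
     "dst_ip": "198.51.100.5", "src_port": 40000 + i, "dst_port": 443}
    for i in range(4)
] + [
    {"src_mac": APPLIANCE_MAC, "dst_mac": ISP_ROUTER_MAC, "src_ip": "192.0.2.10",
     "dst_ip": "203.0.113.8", "src_port": 40004, "dst_port": 443}
]

if __name__ == "__main__":
    for policy in ("Layer2", "Layer2+3", "Layer3+4"):
        print(f"{policy:9s} -> ports {ports_for_flows(policy, 2, SAMPLE_FLOWS)}")
```

Running it on the constructed flows puts all five on one port under Layer2, splits them only by destination IP under Layer2+3, and spreads the per-connection flows across both ports under Layer3+4; if the point of the bond is throughput towards a single ISP router, Layer3+4 is the policy that actually uses both links.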

To add a Bond as an additional internet connection:

  1. In the Internet Connection page, click Add an internet connection...

    The New Internet Connection window opens in the Configuration tab.

  2. Configure the rest of the fields as for a new connection.

Configuring a USB Connection

Note - This option exists for all appliances except for those with an internal cellular modem (LTE).

  1. Click Configure Internet (if not configured at all), Add (for another internet connection), or Edit.

    The New or Edit Internet Connection window opens.

  2. In the Configuration tab, select USB for Interface name.

  3. Click Apply.

    Note - This closes the Edit Internet Connection window.

    The remaining steps are optional additional settings and are not essential for configuration.

Configuring an LTE Internet Connection (WiFi-LTE models only)

  1. Click Configure Internet (if not configured at all), Add (for another internet connection), or Edit.

    The New or Edit Internet Connection window opens.

  2. In the Configuration tab, select Cellular for Interface name.

  3. Click Apply.

    Note - This closes the Edit Internet Connection window.

    The remaining steps are optional additional settings and are not essential for configuration.

  4. In the Cellular tab, under Cellular settings, select the Primary SIM and which SIM to disable: SIM 1, SIM 2 or Neither.

    • SIM 1 – Micro-SIM

    • SIM 2 – Nano-SIM

  5. For each SIM, enter the APN and PIN number.

    Note - Some cellular carriers require a password to access the cellular internet. In this case, the administrator must enter the credentials to connect to the appliance.

  6. Configure the Connection Monitoring and Advanced tabs as for other interface connections.

  7. Click Apply.

Note – The Cellular tab is disabled unless you select Cellular for the interface name. Only appliances that have an internal LTE modem show the Cellular tab.

For Security Gateways with cellular Internet connections, you can switch the active image between carrier-approved firmware configurations.

The image contains files used to configure the module for use with specific carriers. Multiple images can be stored on the device. During a firmware upgrade, you can add image packages to the module or replace an image with a newer version.

Note – You can only switch to an image already uploaded to the module.

The image package contains these files:

  • Firmware file – Contains the module's firmware.

  • Carrier Configuration file (the Product Release Information or PRI) – Contains custom settings for a specific carrier and is linked internally to a specific firmware file.

The module runs an active image which contains a single uncompressed copy of a firmware file and a single configuration file.

To see a list of available carriers and their image packages, go here.

  • EM7455 – Global region

  • EM7430 – APAC region

Use cases:

Some carriers require the module to run a specific carrier configuration file, and may also request this for the certification process. In addition, the carrier configuration file ensures the use of carrier-specific parameters when you register with that carrier.

To select an active image for a SIM:

  1. In Device > Internet, double click an existing cellular connection, or select the connection and click Edit. You can also click New to create a new cellular connection.

    The Edit Internet Connection window opens.

  2. In the Cellular tab, for each SIM, select the new Carrier configuration package from the list of supported image package names. Each SIM can have a different carrier.

    Note – This list is dynamic, based on the valid installed packages on the modem.

  3. Click Apply.

On the Internet page, the Status changes to Connecting with the message:

Switching carrier configuration package. This may take a few minutes.

To disable image switching:

In the Cellular tab, for each SIM, select None for the Carrier configuration package.


For PPPoE over ATM over VDSL/ADSL or IPoE over ATM over VDSL/ADSL or for an ADSL interface:

Enter the VPI number and VCI number you received from your service provider, and the Encapsulation type (LLC or VC_MUX).


For WAN/DMZ interfaces and static, DHCP, PPPoE, PPTP, and L2TP connection types

Or

For VDSL/ADSL interfaces and IPoE - dynamic IP and IPoE - static IP connection types over PTM:

  • Use connection as VLAN - Select this checkbox to add a virtual Internet interface.

  • VLAN ID - Enter a VLAN ID between 1 and 4094.


If you are in an Annex L system, in Advanced Settings, you must enable the Annex L and disable the Annex J/M.

If you are in an Annex M system, in Advanced Settings, you must enable Annex J/M and disable the Annex L.

In all other Annex systems, no changes are needed to the default configuration.

Notes:

  • Multiple internet connections can be established over a single VDSL/ADSL connection carrying PTM traffic or in the case of WAN and DMZ interfaces.

  • Only one internet connection can be established over a VDSL/ADSL interface carrying ATM traffic or a USB interface.

  • One IPoE or PPPoE connection can be established over ATM running over the DSL interface.

  • A single IPoE connection or multiple PPPoE connections can be established over one untagged DSL interface carrying PTM traffic.

  • A single IPoE connection or multiple PPPoE connections can be established over one VLAN tagged DSL interface carrying PTM traffic.

  • A single DHCP or Static IP connection can be established over a USB interface.

  • A single DHCP or Static IP connection or multiple PPPoE connections can be established over one untagged or one VLAN tagged WAN or DMZ interface.

  • When all the ADSL standards are turned off in the Advanced Settings and you can only connect using the VDSL2 standard, the VPI, the VCI and the encapsulation options still appear even though they are not used to open an internet connection.

The 'Connection Monitoring' tab

  • Automatically detect loss of connectivity to the default gateway - Select this option to detect connectivity loss by sending ARP requests (pinging) to the default gateway and expecting responses.

  • Monitor connection state by sending probe packets to one or more servers on the Internet - Select this option to detect connectivity loss by using more methods and servers.

    • Connection probing method - Select one of the options.

      • Ping addresses - When you select this option, you can configure up to three servers by IP address or host name.

      • Probe DNS servers - When you select this option, the appliance probes the DNS servers as defined in the Internet connection and expects responses.

The 'Advanced' tab

For PPPoE

  • IP Address Assignment (PPPoE IPv4 only) - In Local tunnel IP address, select if the IP address is obtained automatically or manually configured. If manually configured, enter the IP address.

  • Service Provider Settings - In Service, enter a service name (optional) and select the Authentication method.

  • Connect on demand - Select the Connect on demand checkbox if necessary. This is relevant only when you are in high availability mode.

For PPTP and L2TP

  • IP Address Assignment -

    • In Local tunnel IP address, select if the IP address is obtained automatically or manually configured. If manually configured, enter the IP address.

    • In WAN IP assignment, select if the WAN IP address is obtained automatically or manually configured. If manually configured, enter the IP address, Subnet mask, and Default gateway.

  • Service Provider Settings - In Service, enter a service name (optional) and select the Authentication method.

  • Connect on demand - Select the Connect on demand checkbox if necessary. This is relevant only when you are in high availability mode.

Port Settings

  • If necessary, select Use custom MTU value and set the MTU size.

    Note - For a DMZ interface the MTU value is applied to all LAN ports.

    To avoid fragmentation (which slows transmission), set the MTU according to the smallest MTU of all the network devices between your gateway and the packet destination.

    For static and DHCP mode, set MTU to 1500 or lower.

    For PPPoE connections, set MTU to 1492 or lower.

    Note - When the gateway is behind a modem that works as a NAT device, the MTU value of the gateway must be the same value as in the modem. If the modem has a PPPoE connection, set the MTU in the gateway to 1492 or lower.

  • MAC address clone - If you select Override default MAC address, you can override the default MAC address used by the Internet connection. This is useful when the appliance replaces another device and wants to mimic its MAC address.

  • If necessary, select Disable auto negotiation. This lets you manually define the link speed of the Internet connection.

    • Select the Link Speed.

QoS Settings (bandwidth control) - supported in IPv4 connections only

To enable QoS bandwidth control for download and upload for this specified connection, select the applicable Enable QoS (download) and/or Enable QoS (upload) checkboxes. Enter the maximum Kbps rates for the selected options as provided by your ISP for the Internet upload and download bandwidth.

Make sure that the QoS blade is turned on. You can do this from Home > Security Dashboard > QoS > ON.

ISP Redundancy - supported in IPv4 connections only

Multiple Internet connections can be configured in High Availability or Load Sharing modes. When you configure more than one Internet connection, the Device > Internet page lets you toggle between these options. The Advanced setting of each Internet connection lets you configure each connection's priority or weights based on the set mode.

  • Clear the Route traffic through this connection by default checkbox when you do not want this Internet connection used as a default route for this gateway. The connection is used by the device only if specific, usually service-based, routing rules are defined for it. This is commonly used when you have a connection that is used for dedicated traffic. When you clear this option, this connection does not participate in High Availability or Load Balancing.

  • High Availability - Priority - Select the priority for the connection. Lower priority connections are only used if higher priority connections are unavailable.

  • Load Balancing - Weight - The traffic to the Internet is divided between all available connections based on their weights.
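The interaction between the three settings above is easy to get wrong: a connection whose Route traffic through this connection by default checkbox is cleared drops out of both modes entirely, so a dedicated link with a large weight still carries none of the general traffic. The following added example is not appliance code; it models the selection rules as described on this page, with two labelled assumptions: in High Availability, priority 1 is the most preferred number, and in Load Balancing each flow is hashed and assigned in proportion to the weights so a flow stays on one ISP. The connection names and weights are constructed.

```python
"""Model of the ISP Redundancy selection rules (added example, not appliance code).

Assumptions: High Availability picks the usable connection with the lowest
priority number (1 = highest priority); Load Balancing hashes each flow and
splits flows in proportion to the weights; a connection with the "route
traffic through this connection by default" option cleared never takes part.
"""
import hashlib
from dataclasses import dataclass


@dataclass
class InternetConnection:
    name: str
    priority: int               # HA: 1 is the most preferred (assumed numbering)
    weight: int                 # LB: share of flows relative to the other members
    up: bool = True             # result of connection monitoring
    default_route: bool = True  # "Route traffic through this connection by default"


def eligible(conns):
    """Connections that are up and participate in HA / Load Balancing."""
    return [c for c in conns if c.up and c.default_route]


def ha_select(conns):
    """High Availability: the best-priority usable connection, or None."""
    members = eligible(conns)
    return min(members, key=lambda c: c.priority) if members else None


def lb_select(conns, flow_key: str):
    """Load Balancing: pick a member for one flow, weighted by configured weight.

    The flow key (e.g. the 5-tuple as text) is hashed so a flow sticks to one ISP.
    """
    members = eligible(conns)
    total = sum(c.weight for c in members)
    if total <= 0:
        return None
    digest = hashlib.sha256(flow_key.encode()).digest()
    slot = int.from_bytes(digest[:8], "big") % total
    for c in members:
        if slot < c.weight:
            return c
        slot -= c.weight
    return members[-1]  # not reached: slot < total always lands in a member


def lb_shares(conns, n_flows: int) -> dict:
    """Fraction of n_flows constructed flows that each member receives."""
    counts = {}
    for i in range(n_flows):
        chosen = lb_select(conns, f"flow-{i}")
        if chosen is not None:
            counts[chosen.name] = counts.get(chosen.name, 0) + 1
    return {name: n / n_flows for name, n in counts.items()}


# Constructed sample: primary link, backup link, and a dedicated link that
# is excluded from redundancy by clearing "route by default".
SAMPLE = [
    InternetConnection("Internet1", priority=1, weight=3),
    InternetConnection("Internet2", priority=2, weight=1),
    InternetConnection("Internet3", priority=3, weight=5, default_route=False),
]

if __name__ == "__main__":
    print("HA, all up:", ha_select(SAMPLE).name)
    SAMPLE[0].up = False
    print("HA, Internet1 down:", ha_select(SAMPLE).name)
    SAMPLE[0].up = True
    print("LB shares:", lb_shares(SAMPLE, 4000))
```

With the sample, High Availability always answers Internet1 while it is up and Internet2 once monitoring marks Internet1 down; Load Balancing hands roughly three quarters of the flows to Internet1 and the rest to Internet2, and Internet3 never appears in either mode despite having the largest weight.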

NAT Settings

If the gateway's global hide NAT is turned on in the Access Policy > NAT page, you can disable NAT settings for specified internet connections.

To disable NAT settings:

  1. Go to Device > Internet.

  2. Select an internet connection and click Edit.

    The Edit Internet Connection window opens.

  3. Click Advanced > NAT Settings.

  4. Select Do not hide internal networks behind this internet connection.

  5. Click Apply.

DHCP Settings

Hostname via WAN DHCP

When you edit or add a new Internet connection, you can select to get the hostname from your WAN DHCP. This means you do not configure the gateway name. Instead, it is dynamic, assigned by another DHCP which also provides an IP address upon request.

To get a Hostname via WAN DHCP:

  1. In the New Internet Connection page > Configuration tab, select DHCP for the connection type.

  2. In the Advanced tab, click the checkbox for Hostname via DHCP.

Monitoring

On the Internet Connectivity page, the configured connections show in a table:

  • Interface name

  • Type - WAN or LAN

  • Status - Connected or disconnected. If connected, shows percent failures and latency (how much time it takes for a data packet to get from one designated point to another).

  • IP address

  • Duration – The amount of time the connection is up.

Probing provides information about the quality of an internet connection and what action to take if there is no connectivity. You can configure separate probing settings for each internet connection.

To configure probing for an internet connection (pings):

  1. In the Internet Connectivity page, select a connection and click Connection Monitoring.

    The Edit Internet Connection window opens.

  2. In the Connection Monitoring tab, select both check boxes:

    • Automatically detect loss of connectivity to the default gateway.

    • Monitor connection state by sending probe packets to one or more servers on the Internet.

  3. For Connection probing method, select ping addresses.

  4. Under Advanced Probing Settings, use the default values or enter new ones for:

    • Recovery time (in seconds)

    • Max latency allowed (milliseconds)

    • Probing frequency (seconds)

    • Window size (pings)

    • Failover pings (percent failures)

  5. Click Apply.
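The five Advanced Probing Settings only make sense together: window size and failover percentage decide how many bad pings trigger a failover, max latency decides what counts as a bad ping, and recovery time decides how long a healthy window must last before traffic returns to the connection. The following added example is not appliance code; it is an assumed reading of those parameters as a sliding-window evaluator, written so you can try candidate settings against a trace of probe results before committing them. The probe results, settings and the recovery rule are constructed assumptions.

```python
"""Failover decision from the Advanced Probing Settings (added example).

The page names the parameters but not the exact decision rule, so the rule
here is an assumed reading: a probe fails when no reply arrives within Max
latency allowed; when the failed share of the last Window size probes reaches
Failover pings (percent failures) the connection is marked down; it is marked
up again once the window has stayed below the threshold for Recovery time.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class ProbeSettings:
    recovery_time_s: int = 10     # Recovery time (in seconds)
    max_latency_ms: int = 1000    # Max latency allowed (milliseconds)
    probing_frequency_s: int = 1  # Probing frequency (seconds)
    window_size: int = 10         # Window size (pings)
    failover_percent: int = 30    # Failover pings (percent failures)


class ConnectionMonitor:
    """Sliding-window probe evaluator for one internet connection."""

    def __init__(self, settings: ProbeSettings):
        self.s = settings
        self.window = deque(maxlen=settings.window_size)
        self.up = True
        self.healthy_since = None  # clock value when the window became healthy again
        self.clock_s = 0

    def failure_percent(self) -> float:
        if not self.window:
            return 0.0
        return 100.0 * self.window.count(False) / len(self.window)

    def observe(self, latency_ms) -> bool:
        """Record one probe (None = no reply) and return whether the link is up."""
        self.clock_s += self.s.probing_frequency_s
        self.window.append(latency_ms is not None and latency_ms <= self.s.max_latency_ms)
        pct = self.failure_percent()
        if self.up:
            # Only judge a full window, so a single early loss cannot fail over.
            if len(self.window) == self.s.window_size and pct >= self.s.failover_percent:
                self.up = False
                self.healthy_since = None
        elif pct < self.s.failover_percent:
            if self.healthy_since is None:
                self.healthy_since = self.clock_s
            elif self.clock_s - self.healthy_since >= self.s.recovery_time_s:
                self.up = True
        else:
            self.healthy_since = None  # window degraded again; restart recovery timer
        return self.up


def run_monitor(settings: ProbeSettings, latencies) -> list:
    """Feed a sequence of probe results and return the state after each one."""
    mon = ConnectionMonitor(settings)
    return [mon.observe(x) for x in latencies]


# Constructed sample: healthy pings, then one timeout and one slow reply
# (enough to reach 40% of a 5-ping window), then a clean recovery.
SAMPLE_SETTINGS = ProbeSettings(recovery_time_s=3, max_latency_ms=200,
                                probing_frequency_s=1, window_size=5,
                                failover_percent=40)
SAMPLE_LATENCIES = [50, 60, 55, 50, 70, None, 300, 60, 50, 55, 50, 50, 50, 50]

if __name__ == "__main__":
    states = run_monitor(SAMPLE_SETTINGS, SAMPLE_LATENCIES)
    for step, (lat, state) in enumerate(zip(SAMPLE_LATENCIES, states), 1):
        print(f"t={step:2d}s probe={str(lat):>4s} -> {'up' if state else 'DOWN'}")
```

On the sample trace the connection goes down at the seventh probe (two of the last five failed, one by timeout and one by exceeding max latency) and does not come back until the two failures have aged out of the window and three further seconds have passed, which is the behaviour to keep in mind when a small window is paired with a low failover percentage: a short burst of loss causes a failover, and the recovery time then holds traffic off the link for longer than the outage itself.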

To monitor a connection by DNS probe:

  1. In the Connection Monitoring tab, select Monitor connection state by sending probe packets to one or more servers on the Internet.

  2. For Connection probing method, select DNS probe.

  3. Click Apply.

For Cellular connections (internal LTE modem) only: Click the Monitor cellular modem link to see this information in the Cellular Modem Monitoring window:

  • Cellular radio

  • Cellular modem

  • Operator

  • SIM cards - Which SIM is active, primary or disabled.