Configuring Internet Connectivity

The Device > Internet page shows how the appliance connects to the internet.

On this page you can:

  • Configure a single internet connection or multiple connections in High Availability or Load Balancing configurations. When multiple internet connections are defined, the page shows them in a table.

  • Add a new connection and edit, delete, or disable existing connections.

  • Monitor the servers and internet connections (see Monitoring).

We recommend you contact your local Internet Service Provider (ISP) to understand how to configure your specific internet connection.

Notes:

  • ADSL/VDSL settings are relevant only for devices that have a DSL port.

  • In 1570 / 1590 appliances, you can also configure a DSL connection over the DMZ port (see To configure an internet connection over the DMZ port).

To configure an internet connection:

  1. Click Configure Internet (if not configured at all), Add (for another Internet connection), or Edit.

    The New or Edit Internet Connection window opens.

  2. Configure the fields in the tabs as described below.

The 'Configuration' tab

Note - When you change the connection type, the appliance may disconnect from the internet.

  • Connection name - Enter a name for the connection or leave the default "Internet<N>" label (where <N> indicates an incrementing number).

  • Interface name

  • WAN (IPv4 /IPv6) or DMZ is for most types of Internet connections.

    The DMZ port has 2 inputs: LAN (RJ45) and SFP. In non-VDSL 1570 / 1590 appliances, you can use an external DSL modem connected to the DMZ SFP port. Note - Only Check Point Branded SFP DSL is supported. Third party SFP DSL is not supported.

    Note - DMZ is not supported in 1530 / 1550 appliances.

  • LAN. You can also use unassigned LAN ports with no VLANs for internet connections. When you delete the internet connection, the port reverts to an unassigned LAN.

  • Link aggregation (Bond) - Create a link between two or more interfaces. This improves performance and redundancy by increasing the network throughput and bandwidth. A WAN or LAN bond can act like a regular internet connection in the cluster flow. A WAN bond in a cluster can be a monitoring interface.

  • USB/Serial is for cellular modems.

  • ADSL/VDSL. If you select the ADSL/VDSL interface, you must select one of these for the connection type: PPPoE, IPoE - static IP, or IPoE - dynamic IP.

You can create a maximum of 32 internet connections. This includes alias IP connections.

Note - If you remove or disable a LAN, any assigned alias IPs are also removed.

Unassigned LAN ports use case - If your company is in a region where internet connections supplied by ISPs are unreliable and experience multiple disconnections, you can connect your appliances to multiple internet connections from different ISPs.

To configure an internet connection over the DMZ port:

  1. On the Configuring Internet Connectivity page, click New to create a new internet connection.

    The New Internet Connection window opens in the Configuration tab.

  2. For Interface, select DMZ.

    • For a DSL over DMZ Connection, select SFP-DSL.

    • For a non-DSL connection, select RJ45/SFP-Fiber.

  3. Click Apply.

Note – If the appliance has an internal modem, an external modem is not supported.

IPv4 connection types

Select the connection type:

  • DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network. The device retains the assigned address for a specified administrator-defined period. This does not apply to the ADSL/VDSL interface.

  • Static IP - A fixed (non-dynamic) IP address. You can configure multiple static IPs over the same WAN interface. Example: WAN and WAN:1 (WAN:1 is the alias IP).

  • PPPoE - A network protocol to encapsulate Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly in DSL systems. PPPoE can run directly over the ADSL/VDSL interface as well as the DMZ interface with the SFP port. It can also run over WAN or DMZ interfaces that are typically connected to an external DSL modem. You must enter the IP address, the subnet mask, default gateway and DNS Server Settings.

  • IPoE - dynamic IP (DSL only) - The Internet IP of the appliance is imported through DHCP.

  • IPoE - static IP (DSL) - The Internet IP of the appliance is determined statically. You must enter the IP address, the subnet mask, default gateway and DNS Server Settings.

  • PPTP - The Point-to-Point Tunneling Protocol (PPTP) uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.

  • L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol. It does not provide any encryption or confidentiality but relies on an encryption protocol that it passes within the tunnel to provide privacy.

  • Bridge - Connects multiple network segments at the data link layer (Layer 2).

  • Bridge DHCP - The bridge is configured as a DHCP client and the DHCP settings (including IP and subnet) are removed.

  • Cellular - This is for appliances with an internal LTE modem. Both SIM cards are used for the internet connection with a failover between them. The cellular connection can be over IPv4 or IPv6 and is configured the same way in both.

  • Cellular Modem - Connect to the Internet with a cellular modem to the ISP through a 3G or 4G network. For this option, select the USB/Serial option in the Interface name.

    Note - Only one cellular modem is supported. Appliances with an internal LTE modem do not support an external USB modem.

Enter the relevant data for the connection type fields.

Note - You cannot use these characters in a password or shared secret: { } [ ] ` ~ | ‘ " \

Maximum number of characters: 255

IPv6 connection types

Note - The device can have only a single IPv6 Internet connection.

  • Static IPv6 - A fixed (non-dynamic) IP address.

  • Obtain automatically (DHCPv6/SLAAC) - In both Dynamic Host Configuration Protocol (DHCP) and Stateless Address Auto Configuration (SLAAC) the user does not set the IP as this is handled by the router/DHCP server. DHCPv6 issues a full IP address. SLAAC issues an IP address prefix, and the gateway completes the rest of the address according to discovery protocols.

  • PPPoE (IPv6 only) - A network protocol to encapsulate Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with DSL services where individual users connect to the DSL modem over Ethernet and Metro Ethernet networks.

  • PPPoE (IPv4/IPv6) - Same as PPPoE (IPv6 only), but the user must first configure an IPv4 PPPoE internet connection on the same interface. Use this option when the ISP provides both IPv4 and IPv6 addresses through the same PPPoE connection. This prevents the need to define the same dialer connection details more than once.

  • IPv6 Bridge - A Layer 2 bridge between internal and external networks, containing both IPv4 and IPv6 addresses (or just IPv6) to make the gateway reachable through the bridge in a dual stack/pure IPv6 network.

To configure a new internet connection (IPv4):

  1. In the Internet Connectivity page, click Add an IPv4 Internet connection....

    The New Internet Connection window opens.

  2. In the Configuration tab, enter the Connection name.

  3. Select the Interface.

  4. Select the Connection type.

  5. If relevant, select the checkbox Use connection as VLAN.

  6. Configure the fields in the Connection Monitoring tab (see below).

  7. Configure the relevant fields in the Advanced tab (based on the connection type).

  8. Click Apply.

To configure a new internet connection (IPv6):

  1. In the Internet Connectivity page, under IPv6 Internet connection is not configured, click Configure Internet.

    Note – You can have only one IPv6 connection at a time, but multiple IPv4 connections or a combination of IPv4 and IPv6.

    The New IPv6 Internet Connection window opens.

  2. Enter the Connection name.

  3. Select the Interface.

  4. Select the Connection type:

    • Obtain automatically (DHCPv6/SLAAC).

    • Static IPv6.

    • PPPoE (IPv6 only).

    • PPPoE (IPv6/IPv4).

    • IPv6 bridge – When an IPv6 bridge internet connection is defined, no additional internet connections can be defined.

  5. If you select IPv6 bridge:

    • Select the Bridge to.

    • Enter the Default gateway (IPv4) and Default gateway (IPv6).

    • Optional – Enter the DNS server settings.

  6. If relevant, select the checkbox Use connection as VLAN.

  7. Configure the fields in the Connection Monitoring tab (see below).

  8. Configure the relevant fields in the Advanced tab (based on the connection type).

  9. Click Apply.

Prefix Delegation (IPv6 only)

When an internet connection has prefix delegation enabled, the gateway can request a prefix (in addition to an IP address) from the server and configure an internal network DHCPv6 server that uses this prefix. Connected devices are then routable without the need to use NAT.

These connection types support prefix delegation:

  • PPPoE-IPv6

  • LAN-IPv6

  • VLAN

  • Switch

  • Bridge

To enable prefix delegation in an IPv6 connection:

  1. On the Internet Connectivity page, click New to create a new IPv6 connection.

    The New IPv6 Internet Connection window opens.

  2. In the Advanced tab, select the checkbox for Enable prefix delegation for this internet connection.

  3. Click Apply.

    Note – Configure the settings for this internet connection in the Configuration tab.

A network or bridge with prefix delegation enabled must have the IPv6 Auto Assignment set to SLAAC, DHCPv6, or Disabled.

For each delegated network, the behavior depends on the IPv6 Auto Assignment settings:

IPv6 Auto Assignment setting - Delegation action

  • Disabled - Address range is set according to the prefix and subnet. The DHCPv6 server is automatically enabled when it receives a prefix.

  • SLAAC - Addresses are provided via Stateless Address Auto Configuration, according to SLAAC rules. The prefix and subnet are provided.

  • DHCPv6 - Address range is set according to the prefix and subnet.

DS-Lite (Dual Stack Lite, IPoE)

DS-Lite is a connection type used by ISPs to provide internet access to IPv4 networks and services. It can be WAN, DMZ, or an unassigned LAN port. You can use DS-Lite to carry IPv4 traffic over an IPv6 tunnel between the gateway and a server.

IPv6 connection types:

  • DHCPv6

  • PPPoE

  • Static IP - WAN, DMZ or unassigned LAN port.

The DS-Lite master WAN connection type must be one of these:

  • Dynamic IPv6

  • Static IPv6

  • PPPoEv6

  • Bridge IPv6

To enable DS-Lite:

  1. In the Configuring Internet Connectivity page, click New or Edit for the IPv4 connection.

    The Edit Internet Connection window opens.

  2. For Connection type, select DS-Lite.

    Note - Make sure the interface type is the same for both IPv4 and IPv6. For example, if the IPv4 interface is configured as WAN, the IPv6 interface must also be configured as WAN.

  3. The AFTR address field is displayed.

    Note - This field is not mandatory when the IPv6 connection type is DHCPv6.

  4. In the Linked connection field, select the IPv6 connection name.

  5. In the Advanced tab:

    • Set the default MTU of the DS-Lite interface to 1460 (IPv4 default = 1500).

    • Set the size of the IPv6 header to 40.

  6. Click Apply.

Creating a New Bond (WAN)

  1. In the Internet Connection page, to create a new internet connection, click Configure internet.

    The New Internet Connection window opens in the Configuration tab.

  2. Under Internet Configuration, enter the Connection name.

  3. For Interface, select New link aggregation (Bond).

  4. For Ports, select a minimum of 2 interfaces that are unassigned and disabled.

    Note - 1530 / 1550 appliances do not have a DMZ port.

  5. Select the Operation mode:

    • 802.3ad – Dynamically uses Active interfaces to share the traffic load.

    • Round Robin – Selects the Active interface sequentially.

    • XOR – All interfaces are Active for Load Sharing. Traffic is assigned to Active interfaces based on the transmit hash policy (Layer2 or Layer3+4).

    • High Availability (Active/Backup) – Gives redundancy when there is an interface or link failure. If you select this mode, you must select a Master, that is, the primary/default port for the traffic.

  6. Select the Connection type.

  7. In the Advanced tab, select the Mii interval. The Mii interval is the frequency (in ms) that the system polls the Media Independent Interface (Mii, the standard interface for fast Ethernet) to get status.

  8. If you selected 802.3ad or XOR as your operation mode, select the Hash policy from the dropdown menu.

    • Layer2

    • Layer2+3

    • Layer3+4

  9. Click Apply.

To add a Bond as an additional internet connection:

  1. In the Internet Connection page, click Add an internet connection...

    The New Internet Connection window opens in the Configuration tab.

  2. Configure the rest of the fields as for a new connection.

To configure a USB connection:

Note - This option exists for all appliances except for those with an internal cellular modem (LTE).

  1. Click Configure Internet (if not configured at all), Add (for another internet connection), or Edit.

    The New or Edit Internet Connection window opens.

  2. In the Configuration tab, select USB for Interface name.

  3. Click Apply.

    Note - This closes the Edit Internet Connection window.

    The remaining steps are optional additional settings and are not essential for configuration.

To configure an LTE internet connection (WiFi-LTE models only):

Note - The gateway can connect through IPv4, IPv6 or a mixed IPv4v6 service.

  1. Click Configure Internet (if not configured at all), Add (for another internet connection), or Edit.

    The New or Edit Internet Connection window opens.

  2. In the Configuration tab, select Cellular for Interface name.

  3. Click Apply.

    Note - This closes the Edit Internet Connection window.

    The remaining steps are optional additional settings and are not essential for configuration.

  4. In the Cellular tab, under Cellular settings, select the Primary SIM and which SIM to disable: SIM 1, SIM 2 or Neither.

    • SIM 1 – Micro-SIM

    • SIM 2 – Nano-SIM

  5. For each SIM, enter the APN and PIN number.

    Note - Some cellular carriers require a password to access the cellular internet. In this case, the administrator must enter the credentials to connect to the appliance.

  6. For Connection Type, select one of these values:

    • IPv4 – Both SIMs are configured to IPv4 only

    • IPv6 – Both SIMs are configured to IPv6 only

    • IPv4v6 – There are two connections, one IPv4 and one IPv6. Select this if one of the SIM cards is configured as dual-stack, or if the two SIM cards are configured with different connection types

  7. Configure the Connection Monitoring and Advanced tabs as for other interface connections.

  8. Click Apply.

Note – The Cellular tab is disabled unless you select Cellular for the interface name. Only appliances that have an internal LTE modem show the Cellular tab.

For Security Gateways with cellular Internet connections, you can switch the active image between carrier-approved firmware configurations.

The image contains files used to configure the module for use with specific carriers. Multiple images can be stored on the device. During a firmware upgrade, you can add image packages to the module or replace an image with a newer version.

Note – You can only switch to an image already uploaded to the module.

The image package contains these files:

  • Firmware file – Contains the module's firmware.

  • Carrier Configuration file (the Product Release Information or PRI) – Contains custom settings for a specific carrier and is linked internally to a specific firmware file.

The module runs an active image which contains a single uncompressed copy of a firmware file and a single configuration file.

To see a list of available carriers and their image packages, go here.

  • EM7455 – Global region

  • EM7430 – APAC region

Use cases:

Some carriers require the module to run a specific carrier configuration file, and may also request this for the certification process. In addition, the carrier configuration file ensures the use of carrier-specific parameters when you register with that carrier.

To select an active image for a SIM:

  1. In Device > Internet, double click an existing cellular connection, or select the connection and click Edit. You can also click New to create a new cellular connection.

    The Edit Internet Connection window opens.

  2. In the Cellular tab, for each SIM, select the new Carrier configuration package from the list of supported image package names. Each SIM can have a different carrier.

    Note – This list is dynamic, based on the valid installed packages on the modem.

  3. Click Apply.

On the Internet page, the Status changes to Connecting with the message:

Switching carrier configuration package. This may take a few minutes.

To disable image switching:

In the Cellular tab, for each SIM, select None for the Carrier configuration package.

 

For PPPoE over ATM over VDSL/ADSL or IPoE over ATM over VDSL/ADSL or for an ADSL interface:

Enter the VPI number and VCI number you received from your service provider, and the Encapsulation type (LLC or VC_MUX).

 

For WAN/DMZ interfaces and static, DHCP, PPPoE, PPTP, and L2TP connection types, or for VDSL/ADSL interfaces and IPoE - dynamic IP and IPoE - static IP connection types over PTM:

  • Use connection as VLAN - Select this checkbox to add a virtual Internet interface.

  • VLAN ID - Enter a VLAN ID between 1 and 4094.

 

If you are in an Annex L system, in Advanced Settings, you must enable Annex L and disable Annex J/M.

If you are in an Annex M system, in Advanced Settings, you must enable Annex J/M and disable Annex L.

In all other Annex systems, no changes are needed to the default configuration.

Notes:

  • Multiple internet connections can be established over a single VDSL/ADSL connection carrying PTM traffic or in the case of WAN and DMZ interfaces.

  • Only one internet connection can be established over a VDSL/ADSL interface carrying ATM traffic or a USB interface.

  • One IPoE or PPPoE connection can be established over ATM running over the DSL interface.

  • A single IPoE connection or multiple PPPoE connections can be established over one untagged DSL interface carrying PTM traffic.

  • A single IPoE connection or multiple PPPoE connections can be established over one VLAN tagged DSL interface carrying PTM traffic.

  • A single DHCP or Static IP connection can be established over a USB interface.

  • A single DHCP or Static IP connection or multiple PPPoE connections can be established over one untagged or one VLAN tagged WAN or DMZ interface.

  • When all the ADSL standards are turned off in the Advanced Settings and you can only connect using the VDSL2 standard, the VPI, the VCI and the encapsulation options still appear even though they are not used to open an internet connection.

The 'Connection Monitoring' tab

  • Automatically detect loss of connectivity to the default gateway - Select this option to detect connectivity loss by sending ARP requests (pinging) to the default gateway and expecting responses.

    Note - If you use Dynamic Routing, you must clear this box to prevent probing of the default gateway.

  • Monitor connection state by sending probe packets to one or more servers on the Internet - Select this option to detect connectivity loss by using more methods and servers.

    Connection probing method - Select one of the options.

    • Ping addresses - When you select this option, you can configure up to three servers by IP address or host name.

    • Probe DNS servers - When you select this option, the appliance probes the DNS servers as defined in the Internet connection and expects responses.

The 'Advanced' tab

For PPPoE

  • IP Address Assignment (PPPoE IPv4 only) - In Local tunnel IP address, select if the IP address is obtained automatically or manually configured. If manually configured, enter the IP address.

  • Service Provider Settings - In Service, enter a service name (optional) and select the Authentication method.

  • Connect on demand - Select the Connect on demand checkbox if necessary. This is relevant only when you are in high availability mode.

For PPTP and L2TP

  • IP Address Assignment -

    • In Local tunnel IP address, select if the IP address is obtained automatically or manually configured. If manually configured, enter the IP address.

    • In WAN IP assignment, select if the WAN IP address is obtained automatically or manually configured. If manually configured, enter the IP address, Subnet mask, and Default gateway.

  • Service Provider Settings - In Service, enter a service name (optional) and select the Authentication method.

  • Connect on demand - Select the Connect on demand checkbox if necessary. This is relevant only when you are in high availability mode.

Port Settings

  • If necessary, select Use custom MTU value and set the MTU size.

    You can apply an MTU on:

    • LANs and DMZ – They must be separate networks, or assigned to a bridge network.

    • Switches - The MTU is assigned to the switch itself, not the LANs that are assigned to it.

    • Bonds

    • VLANs - The VLAN MTU must be lower or equal to its parent MTU.

    You cannot apply an MTU on:

    • Interfaces assigned to switches or bonds.

    • Bridges - Configure the MTU separately for each of their children.

    • Aliases

    • Virtual access points

    To avoid fragmentation (which slows transmission), set the MTU according to the smallest MTU of all the network devices between your gateway and the packet destination.

    For static and DHCP mode, set MTU to 1500 or lower.

    For PPPoE connections, set MTU to 1492 or lower.

    Note - When the gateway is behind a modem that works as a NAT device, the MTU value of the gateway must be the same value as in the modem. If the modem has a PPPoE connection, set the MTU in the gateway to 1492 or lower.

  • MAC address clone - If you select Override default MAC address, you can override the default MAC address used by the Internet connection. This is useful when the appliance replaces another device and must mimic its MAC address.

  • Link Speed

    If necessary, select Disable auto negotiation. This lets you manually define the link speed of the Internet connection.

    Select the Link Speed:

    • 1570 / 1590 and 1570R Appliances with a DMZ connection of type RJ45/SFP-Fiber. Options include 1/full and 100Base-FX.

    • 1570 / 1590 and 1570R Appliances with a DMZ connection of type SFP-DSL. The link speed is restricted to only 1/full.

    • 1570R Appliances with a WAN connection. Options include 1/full and 100Base-FX.
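
The MTU limits under Port Settings (1500 for static and DHCP, 1492 for PPPoE, a VLAN no higher than its parent) and the DS-Lite value of 1460 all come from subtracting encapsulation overhead from the underlying connection. The Python below is an added example, not Check Point code: it derives each connection's MTU ceiling from its parent and flags plan entries that exceed it. The Conn class, the kind labels and the sample plan are constructed for illustration, and the DS-Lite over PPPoE case (1452) goes beyond what the page lists.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERNET_MTU = 1500

# Bytes each encapsulation takes out of the MTU of the connection below it.
OVERHEAD = {
    "static": 0,
    "dhcp": 0,
    "vlan": 0,       # page rule: VLAN MTU must be lower or equal to its parent
    "pppoe": 8,      # 6-byte PPPoE header + 2-byte PPP protocol field
    "ds-lite": 40,   # IPv4 carried inside IPv6: one 40-byte IPv6 header
}

# Objects the page lists as not accepting an MTU of their own
# (labels are this example's, not the WebUI's).
NO_MTU = {"bridge", "alias", "virtual-ap", "switch-member", "bond-member"}


@dataclass
class Conn:
    name: str
    kind: str                      # a key of OVERHEAD or a member of NO_MTU
    mtu: Optional[int] = None      # None = no custom MTU configured
    parent: Optional[str] = None   # connection this one rides on, if any


def ceiling(conn: Conn, plan: Dict[str, Conn]) -> int:
    """Largest MTU that fits once every layer below has taken its share."""
    if conn.parent is None:
        base = ETHERNET_MTU
    else:
        parent = plan[conn.parent]
        base = ceiling(parent, plan)
        if parent.mtu is not None:
            base = min(base, parent.mtu)   # a lowered parent lowers the child
    return base - OVERHEAD[conn.kind]


def lint(conns: List[Conn]) -> List[str]:
    """Return one finding per connection whose MTU breaks a rule."""
    plan = {c.name: c for c in conns}
    findings = []
    for c in conns:
        if c.kind in NO_MTU:
            if c.mtu is not None:
                findings.append(f"{c.name}: MTU cannot be applied to {c.kind}")
            continue
        limit = ceiling(c, plan)
        if c.mtu is not None and c.mtu > limit:
            findings.append(f"{c.name}: MTU {c.mtu} exceeds ceiling {limit}")
    return findings


# Constructed plan; names are illustrative only.
PLAN = [
    Conn("Internet1", "pppoe", 1500),                # PPPoE left at 1500
    Conn("Internet6", "static"),                     # IPv6 link, default MTU
    Conn("Internet2", "ds-lite", 1500, "Internet6"), # linked to Internet6
    Conn("PPP6", "pppoe", 1492),                     # IPv6 over PPPoE
    Conn("Internet3", "ds-lite", 1460, "PPP6"),      # DS-Lite over PPPoE
    Conn("LAN5", "static", 1400),
    Conn("LAN5.20", "vlan", 1500, "LAN5"),           # VLAN above its parent
    Conn("WAN:1", "alias", 1400),                    # alias IP
]

if __name__ == "__main__":
    for finding in lint(PLAN):
        print(finding)
```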

QoS Settings (bandwidth control) - supported in IPv4 connections only

To enable QoS bandwidth control for download and upload for this specified connection, select the applicable Enable QoS (download) and/or Enable QoS (upload) checkboxes. Enter the maximum Kbps rates for the selected options as provided by your ISP for the Internet upload and download bandwidth.

Make sure that the QoS blade is turned on. You can do this from Home > Security Dashboard > QoS > ON.

ISP Redundancy - supported in IPv4 connections only

Multiple Internet connections can be configured in High Availability or Load Sharing modes. When you configure more than one Internet connection, the Device > Internet page lets you toggle between these options. The Advanced setting of each Internet connection lets you configure each connection's priority or weights based on the set mode.

  • Clear the Route traffic through this connection by default checkbox when you do not want this Internet connection used as a default route for this gateway. The connection is used by the device only if specific, usually service-based, routing rules are defined for it. This is commonly used when you have a connection that is used for dedicated traffic. When you clear this option, this connection does not participate in High Availability or Load Balancing.

  • High Availability - Priority - Select the priority for the connection. Lower priority connections are only used if higher priority connections are unavailable.

  • Load Balancing - Weight - The traffic to the Internet is divided between all available connections based on their weights.

NAT Settings

If the gateway's global hide NAT is turned on in the Access Policy > NAT page, you can disable NAT settings for specified internet connections.

To disable NAT settings:

  1. Go to Device > Internet.

  2. Select an internet connection and click Edit.

    The Edit Internet Connection window opens.

  3. Click Advanced > NAT Settings.

  4. Select Do not hide internal networks behind this internet connection.

  5. Click Apply.

DHCP Settings

Hostname via WAN DHCP

When you edit or add a new Internet connection, you can select to get the hostname from your WAN DHCP. This means you do not configure the gateway name. Instead, it is dynamic, assigned by another DHCP which also provides an IP address upon request.

To get a Hostname via WAN DHCP:

  1. In the New Internet Connection page > Configuration tab, select DHCP for the connection type.

  2. In the Advanced tab, click the checkbox for Hostname via DHCP.

Monitoring

On the Internet Connectivity page, the configured connections show in a table:

  • Interface name

  • Type - WAN or LAN

  • Status - Connected or disconnected. If connected, shows percent failures and latency (how much time it takes for a data packet to get from one designated point to another).

  • IP address

  • Duration – The amount of time the connection is up.

Probing provides information about the quality of an internet connection and what action to take if there is no connectivity. You can configure separate probing settings for each internet connection.

To configure probing for an internet connection (pings):

  1. In the Internet Connectivity page, select a connection and click Connection Monitoring.

    The Edit Internet Connection window opens.

  2. In the Connection Monitoring tab, select both check boxes:

    • Automatically detect loss of connectivity to the default gateway.

    • Monitor connection state by sending probe packets to one or more servers on the Internet.

  3. For Connection probing method, select Ping addresses.

  4. Under Advanced Probing Settings, use the default values or enter new ones for:

    • Recovery time (in seconds)

    • Max latency allowed (milliseconds)

    • Probing frequency (seconds)

    • Window size (pings)

    • Failover pings (percent failures)

  5. Click Apply.
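
How the five Advanced Probing Settings interact is easiest to see by replaying probe results against them. The Python below is an added example, not the appliance's own algorithm: it assumes a probe fails when it is lost or exceeds the max latency, the connection is marked down when failures in the window reach the failover percentage, and it is marked up again after the recovery time of uninterrupted successes. The class and function names, the setting values and the probe traces are constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ProbeMonitor:
    """Assumed model of one connection's probing state (not vendor code)."""
    # Names follow the Advanced Probing Settings; the values are constructed
    # for this example and are not the appliance defaults.
    recovery_time_s: int = 15
    max_latency_ms: int = 400
    probing_frequency_s: int = 5
    window_size: int = 10
    failover_percent: int = 50
    up: bool = field(default=True, init=False)
    _window: deque = field(default_factory=deque, init=False, repr=False)
    _good_streak_s: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        # Keep only the most recent `window_size` probe results.
        self._window = deque(maxlen=self.window_size)

    def percent_failures(self) -> float:
        # Measured against the full window, so one early loss on a fresh
        # window does not read as 100% failure.
        return 100.0 * sum(self._window) / self.window_size

    def record(self, latency_ms: Optional[float]) -> bool:
        """Feed one probe result (None = no reply); return True if up."""
        failed = latency_ms is None or latency_ms > self.max_latency_ms
        self._window.append(failed)
        if self.up:
            if self.percent_failures() >= self.failover_percent:
                self.up = False
                self._good_streak_s = 0
        elif failed:
            self._good_streak_s = 0          # recovery timer restarts
        else:
            self._good_streak_s += self.probing_frequency_s
            if self._good_streak_s >= self.recovery_time_s:
                self.up = True
                self._window.clear()         # old losses must not re-trigger
        return self.up


def transitions(monitor: ProbeMonitor,
                latencies: List[Optional[float]]) -> List[Tuple[int, str]]:
    """Replay a probe trace; return (seconds since start, new state)."""
    changes = []
    for i, latency in enumerate(latencies):
        before = monitor.up
        after = monitor.record(latency)
        if after != before:
            changes.append((i * monitor.probing_frequency_s,
                            "up" if after else "down"))
    return changes


# Constructed probe traces: latency in ms, None = probe lost.
OUTAGE = [20, 22, 19, 25] + [None] * 5 + [30, 28, 31, 27]
LOSSY = [20, 21, None] * 4            # steady one-in-three loss
SLOW = [20] * 5 + [900] * 5           # replies arrive but are too slow

if __name__ == "__main__":
    print("outage:    ", transitions(ProbeMonitor(), OUTAGE))
    print("lossy, 50%:", transitions(ProbeMonitor(), LOSSY))
    print("lossy, 30%:", transitions(ProbeMonitor(failover_percent=30), LOSSY))
    print("slow:      ", transitions(ProbeMonitor(), SLOW))
```

With these values a steady one-in-three loss never triggers failover at 50 percent but does at 30 percent, and a link that still answers but above the max latency fails over the same way as a dead one.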

To monitor a connection by DNS probe:

  1. In the Connection Monitoring tab, select Monitor connection state by sending probe packets to one or more servers on the Internet.

  2. For Connection probing method, select DNS probe.

  3. Click Apply.

For Cellular connections (internal LTE modem) only: Click the Monitor cellular modem link to see this information in the Cellular Modem Monitoring window:

  • Cellular radio

  • Cellular modem

  • Operator

  • SIM cards - Which SIM is active, primary or disabled.