Advanced Settings
The Device > Advanced Settings page is for advanced administrators or Check Point Support. You can configure values for multiple advanced settings for the various blades.
Important - Changing these advanced settings without fully understanding them can be harmful to the stability, security, and performance of this appliance. Continue only if you are certain that you understand the required changes.
For further details regarding the attributes, consult with Check Point Support when necessary.
To filter the list of attributes:
- Enter text in the Type to filter field. The search results are dynamically shown as you type.
- To cancel the filter, click X next to the search string.
To configure the appliance attributes:
- Select an attribute.
- Click Edit. The attribute window opens.
- Configure the settings, or click Restore Defaults to reset the attribute to the default settings. For more details on the attributes, see the next sections.
- Click Apply.
To reset all the appliance attributes to the default settings:
- From the Advanced Settings window, click Restore Defaults. The Confirm window opens.
- Click Yes. All appliance attributes are reset to the default settings.
Administrator Lockout Attribute |
Description |
---|---|
Admin Lockout - Mobile application session timeout |
Length of time (in days) that a mobile application session is allowed before automatic logout is executed. Default is 30. |
Administrator RADIUS authentication Attribute |
Description |
---|---|
Local authentication (RADIUS server) |
Perform local administrator authentication only if RADIUS server is not configured or is inaccessible. |
Aggressive Aging Attribute |
Description |
---|---|
Multiple parameters |
Aggressive Aging helps manage the connections table capacity and memory consumption of the firewall to increase durability and stability. Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout it is marked as "eligible for deletion". When the connections table or memory consumption reaches the user defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections, until memory consumption or connections capacity decreases back to the desired level. Aggressive Aging allows the gateway machine to handle large amounts of unexpected traffic, especially during a Denial of Service attack. If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the "eligible for deletion" list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no "eligible for deletion" connections, no connections are deleted at that time, but the list is checked after each subsequent connection that exceeds the threshold. Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic. The major benefit of Aggressive Aging is that it starts to operate when the machine still has available memory and the connections table is not entirely full. This way, it reduces the chances of connectivity problems that might have occurred under low-resource conditions. |
|
To configure Aggressive Aging:
To configure when the Aggressive Aging timeouts are enforced:
|
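The Aggressive Aging behaviour described above, as an added simulation that is not Check Point code. The table capacity, threshold, timeout values and connection names are assumptions chosen for the demonstration; only the batch of ten deletions per new connection comes from the description, and only the connections-table threshold (not memory consumption) is modelled.

```python
"""Toy model of Aggressive Aging on a connections table (constructed example)."""

PURGE_BATCH = 10  # from the page: ten eligible connections are deleted per new connection


class ConnTable:
    def __init__(self, capacity, threshold, normal_timeout, aggressive_timeout,
                 aggressive_aging=True):
        self.capacity = capacity                  # hard size of the table (assumed value)
        self.threshold = threshold                # entry count at which enforcement starts
        self.normal_timeout = normal_timeout      # regular idle timeout, seconds
        self.aggressive_timeout = aggressive_timeout  # short idle timeout, seconds
        self.aggressive_aging = aggressive_aging
        self.last_seen = {}                       # conn_id -> time of last packet
        self.purged = 0                           # connections removed by aggressive aging

    def touch(self, conn_id, now):
        """A packet on an existing connection resets its idle time."""
        if conn_id in self.last_seen:
            self.last_seen[conn_id] = now

    def _idle_longer_than(self, timeout, now):
        idle = [(t, cid) for cid, t in self.last_seen.items() if now - t > timeout]
        return [cid for _, cid in sorted(idle)]   # most idle first

    def open(self, conn_id, now):
        """Try to add a connection; returns True if it was accepted."""
        # Regular aging always applies.
        for cid in self._idle_longer_than(self.normal_timeout, now):
            del self.last_seen[cid]
        # Aggressive aging applies only while the table is at or above the threshold.
        # If nothing is "eligible for deletion", nothing is removed this time.
        if self.aggressive_aging and len(self.last_seen) >= self.threshold:
            for cid in self._idle_longer_than(self.aggressive_timeout, now)[:PURGE_BATCH]:
                del self.last_seen[cid]
                self.purged += 1
        if len(self.last_seen) >= self.capacity:
            return False                          # table full: connectivity problem
        self.last_seen[conn_id] = now
        return True


def simulate(aggressive_aging):
    """90 connections go idle at t=0, then 30 active clients connect from t=10."""
    table = ConnTable(capacity=100, threshold=80, normal_timeout=3600,
                      aggressive_timeout=5, aggressive_aging=aggressive_aging)
    for i in range(90):
        table.open(f"flood-{i:03d}", now=0)
    legit, refused = [], 0
    for i in range(30):
        now = 10 + i
        for cid in legit:                         # active clients keep sending traffic
            table.touch(cid, now)
        cid = f"legit-{i:03d}"
        if table.open(cid, now):
            legit.append(cid)
        else:
            refused += 1
    flood_left = sum(1 for cid in table.last_seen if cid.startswith("flood-"))
    return {"accepted": len(legit), "refused": refused,
            "flood_left": flood_left, "purged": table.purged}


if __name__ == "__main__":
    print("aggressive aging off:", simulate(False))
    print("aggressive aging on: ", simulate(True))
```

With aggressive aging off, the idle entries hold their slots for the full regular timeout and later clients are refused; with it on, deletion starts while the table still has free space, which is the benefit the description names.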
Anti ARP spoofing Attribute |
Description |
---|---|
Anti ARP spoofing mode |
Mode for Anti ARP spoofing protection. The protection can be turned off, on, or in detect only mode. |
Detection window time to indicate attack |
Time period (in seconds) during which IP addresses, assigned to the same MAC address, indicate an ARP spoofing attack. |
Number of IP addresses to indicate attack |
The number of IP addresses assigned to the same MAC address during the Detection window time that will indicate an ARP spoofing attack. |
Suspicious MAC block period |
Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list. |
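How the four Anti ARP spoofing attributes interact, as an added detection sketch that is not Check Point code. The window, threshold and block-period values, the verdict names, the choice to clear a MAC's history when its block expires, and the sample events (documentation-range addresses) are all assumptions made for the example.

```python
"""Sliding-window check for one MAC address claiming many IPs (constructed example)."""
from collections import defaultdict


class ArpSpoofDetector:
    MODES = ("off", "on", "detect")

    def __init__(self, mode, window, ip_threshold, block_period):
        if mode not in self.MODES:
            raise ValueError(f"mode must be one of {self.MODES}")
        self.mode = mode                  # Anti ARP spoofing mode
        self.window = window              # Detection window time, seconds
        self.ip_threshold = ip_threshold  # Number of IP addresses to indicate attack
        self.block_period = block_period  # Suspicious MAC block period, seconds
        self.claims = defaultdict(dict)   # mac -> {ip: time of latest claim}
        self.blocked_until = {}           # mac -> time the block expires

    def observe(self, ts, mac, ip):
        """Process one ARP claim 'ip is at mac'; returns allow, detect or block."""
        if self.mode == "off":
            return "allow"
        expiry = self.blocked_until.get(mac)
        if expiry is not None:
            if ts < expiry:
                return "block"            # still on the blocked list
            del self.blocked_until[mac]
            self.claims[mac].clear()      # assumption: history restarts after a block
        claims = self.claims[mac]
        claims[ip] = ts
        # Forget claims that fell out of the detection window.
        for old in [i for i, t in claims.items() if ts - t > self.window]:
            del claims[old]
        if len(claims) < self.ip_threshold:
            return "allow"
        if self.mode == "detect":
            return "detect"               # log only, traffic is not blocked
        self.blocked_until[mac] = ts + self.block_period
        return "block"


# Constructed sample events: (time in seconds, MAC, claimed IP).
EVENTS = [
    (0,   "02:00:00:00:00:aa", "192.0.2.10"),
    (1,   "02:00:00:00:00:bb", "192.0.2.1"),
    (2,   "02:00:00:00:00:bb", "192.0.2.20"),
    (3,   "02:00:00:00:00:bb", "192.0.2.30"),  # third IP inside the window
    (20,  "02:00:00:00:00:bb", "192.0.2.1"),   # inside the block period
    (70,  "02:00:00:00:00:bb", "192.0.2.1"),   # block expired at t=63
    (100, "02:00:00:00:00:cc", "192.0.2.50"),  # slow address changes, e.g. new leases
    (200, "02:00:00:00:00:cc", "192.0.2.51"),
    (300, "02:00:00:00:00:cc", "192.0.2.52"),
]


def replay(events, mode):
    det = ArpSpoofDetector(mode, window=10, ip_threshold=3, block_period=60)
    return [det.observe(ts, mac, ip) for ts, mac, ip in events]


if __name__ == "__main__":
    for mode in ArpSpoofDetector.MODES:
        print(mode, replay(EVENTS, mode))
```

Running detect-only mode first against real traffic shows whether a chosen window and threshold would flag legitimate hosts, such as devices that answer for several addresses, before blocking is turned on.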
Anti-Spam Policy Attributes |
Description |
---|---|
All mail track |
Tracking options for emails that are not considered spam or suspected spam. Tracking such emails can have a performance impact. |
Allowed mail track |
Tracking options for emails that are manually allowed in the Threat Prevention > Anti-Spam Exceptions page. |
Content based Anti-Spam timeout |
Indicates the timeout (in seconds) to wait for an answer from the cloud during content-based Anti-Spam inspection. |
E-mail size scan |
Indicates the maximal size of an email's content to scan (in KB). |
IP reputation fail open |
Indicates the action to take upon an internal error during Anti-Spam IP reputation test. |
IP reputation timeout |
Indicates the timeout (in seconds) to wait for an IP reputation test result. |
Scan outgoing emails |
Scan the content of emails which are sent from the local network to the Internet. |
Transparent proxy |
Use a transparent proxy for inspected email connections. When disabled, configuration of the proxy address and port is required on client machines. |
Anti-Spoofing Attribute |
Description |
---|---|
Enable global Anti-Spoofing |
Indicates if Anti-Spoofing is enabled automatically on all interfaces according to their zone. |
Application & URL Filtering Attribute |
Description |
---|---|
Block when service is unavailable |
Indicates if web requests are blocked when the Check Point categorization and widget definitions Online Web Service is unavailable. |
Categorize cached and translated pages |
Indicates whether URL categorization is performed on cached pages and translated pages created by search engines. |
Custom App over HTTPS |
Indicates whether custom URLs and applications will be matched over HTTPS traffic using the SNI field. Important note: because the SNI field in HTTPS traffic is browser-dependent and promiscuous, it does not guarantee a 100% match. |
Enforce safe search |
Indicates if the URL Filtering policy overrides the Safe Search settings in the user's browser. Regardless of what the user has selected, the strictest Safe Search settings are applied. Explicitly sexual content is filtered out of the search engine's results. |
Fail mode |
Indicates the action to take on traffic in case of an internal system error or overload. |
Track browse time |
Shows in logs the total time that users are connected to different sites and applications in an HTTP session. |
Use HTTP referer header |
Indicates if the HTTP "referer" header (originally a misspelling of referrer) is used by the inspection engine to improve application identification. |
Web site categorization mode |
Indicates the mode that is used for website categorization: Background - Requests are allowed until categorization is complete. When a request cannot be categorized with a cached response, an uncategorized response is received. Access to the site is allowed. In the background, the Check Point Online Web Service continues the categorization procedure. The response is then cached locally for future requests (default). This option reduces latency in the categorization procedure. Hold - Requests are blocked until categorization is complete. When a request cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization. |
Capacity Optimization Attribute |
Description |
---|---|
Connections hash table size |
Indicates the size of the connections hash table in bytes. This value must be an integer that is a power of two and approximately four times the maximum concurrent connections parameter. |
Maximum concurrent connections |
Indicates the overall maximum number of concurrent connections. |
Cloud Services Firmware Upgrade Attribute |
Description |
---|---|
Service access maximum retries |
Indicates the maximum number of retries when failing to upgrade using the service. |
Service access timeout until retry |
Indicates the time (in seconds) to wait when there is a connection failure to the service before the next retry. |
Cluster Attribute |
Description |
---|---|
Use virtual MAC |
Indicates if a virtual MAC address is used by all members to allow a quicker failover by the network's switch. Using the virtual MAC address:
|
DDNS Attribute |
Description |
---|---|
Iterations |
Number of DNS updates. |
DHCP Bridge Attribute |
Description |
---|---|
MAC Assignment |
Indicates whether the MAC address for the DHCP bridge is taken from an internal (LAN) or external port (WAN, DMZ). |
DHCP Relay Attribute |
Description |
---|---|
Use internal IP addresses as source |
Select Use internal IP addresses as source if DHCP relay packets from the appliance originate from internal IP addresses. This may be required if the DHCP server is located behind a remote VPN site. |
DSL Global Attribute |
Description |
---|---|
DSL globals - VDSL2 |
Supports ITU G.993.2 VDSL2. |
DSL globals - ADSL Dmt (G.992.1) |
Supports ITU G.992.1 ADSL (G.dmt). |
DSL globals - ADSL lite (G.992.2) |
Supports ITU G.992.2 ADSL Lite (G.lite). |
DSL globals - ADSL2 (G.992.2) |
Supports ITU G.992.3 ADSL2. |
DSL globals - ADSL2+ (G.992.5) |
Supports ITU G.992.5 Annex M ADSL2+M. |
DSL globals - T1.413 |
Supports ANSI T1.413-1998 Issue 2 ADSL. |
DSL globals - Annex J/M |
In an Annex A appliance: Combined with supported ADSL2+, it specifies Annex M ADSL2+. In an Annex B appliance: Combined with supported ADSL2, it specifies Annex J ADSL2. |
DSL globals - Annex L |
In an Annex A appliance: Combined with enabled ADSL2 (G.992.3) specifies support for Annex L. |
DSL globals - 8a |
Supports VDSL Profile 8a. |
DSL globals - 8b |
Supports VDSL Profile 8b. |
DSL globals - 8c |
Supports VDSL Profile 8c. |
DSL globals - 8d |
Supports VDSL Profile 8d. |
DSL globals - 12a |
Supports VDSL Profile 12a. |
DSL globals - 12b |
Supports VDSL Profile 12b. |
DSL globals - 17a |
Supports VDSL Profile 17a. |
DSL globals - Seamless rate adaptation (SRA) |
Enables seamless rate adaptation. |
DSL globals - G.INP |
Enhanced Impulse Noise Protection. |
DSL globals - US0 |
Enables usage of first upstream band in VDSL. |
Note - When all the ADSL standards are turned off in the Advanced Settings and you can only connect using the VDSL2 standard, the VPI, the VCI and the encapsulation options still appear even though they are not used to open an internet connection.
Firewall Policy Attribute |
Description |
---|---|
Blocked packets action |
Action for blocked packets: Drop, reject or automatic (drop from external and reject from internal). |
Log implied rules |
Produce log records for connections that match implied rules. |
General Temporary Directory Size Attribute |
Description |
---|---|
General temporary directory size |
Controls the size (in MB) of the general temporary directory. |
System temporary directory size |
Controls the size (in MB) of the temporary directory that is used by the system. |
Hardware Options Attribute |
Description |
---|---|
Reset to factory defaults timeout |
The amount of time (in seconds) that you need to press and hold the factory defaults button on the appliance's back panel to restore to the factory defaults image. |
Hotspot Attribute |
Description |
---|---|
Enable portal |
Select Disabled to disable the hotspot feature entirely. |
Prevent simultaneous log-in |
The same user will not be allowed to log in through the hotspot portal from more than one machine in parallel. |
IP Fragments Parameters Attribute |
Description |
---|---|
Multiple parameters |
These parameters let you configure how the appliance handles IP fragments. It can either block fragmented IP packets or drop fragments when a configured threshold is reached. Select one of these options:
|
IP Resolving Attributes |
Description |
---|---|
IP Resolving - IP Resolving Activation |
Enable/Disable IP Resolving logs enrichment. |
IP Resolving - IP Resolving TTL |
The time (in seconds) for which the hostname resolution is used. Default is 3600. |
IPS Additional Parameters Attribute |
Description |
---|---|
Max ping limit |
Indicates the maximal ping packet size that is allowed when the 'Max Ping Size' protection is active. |
Non-standard HTTP ports |
Enable HTTP inspection on non-standard ports for the IPS blade. |
IPS Engine Settings Attribute |
Description |
---|---|
Allow protocol unknown commands |
Normally, the IPS engine blocks protocol (e.g. POP3, IMAP, ...) commands that it does not recognize. When the advanced setting is set to " |
Apply filter |
Filter IPS protections to improve performance. Type: Boolean Default: true |
Configure error page options for supported web protections - multiple parameters |
Some web based protections can show an error page upon detection. This error page is configurable. The protections that support the error page:
Select one of these options that applies to all such protections:
|
HTML error page configuration - multiple parameters |
These settings allow you to configure a pre-defined HTML error page that is seen when the error page advanced settings are set to Show pre-defined HTML error page. Select one of these options:
|
Internal Certificate Settings Attribute |
Description |
---|---|
Configure internal CA certificate expiration |
The number of years the internal CA certificate is valid. This applies the next time the certificate is re-initialized. |
Internet Attribute |
Description |
---|---|
Reset Sierra USB on LSI error |
Indicates whether Sierra type USB modems will be reset when they send an invalid LSI signal. |
Path MTU Discovery Mode |
Select from these options:
|
Internet Connection Type |
Description |
---|---|
IPv4 over IPv6 (IPIP) |
Indicates whether IPv4 over IPv6 (IPIP) Internet connection is enabled. Default: false |
IoT Stats Attributes |
Description |
---|---|
IoT Stats Activation |
Enable/disable IoT collecting statistics. Default: Enabled |
MAC Filtering Attribute |
Description |
---|---|
MAC filtering state |
MAC filtering state |
Log blocked MAC addresses |
Indicates if blocked MAC addresses should be logged. |
Log suspension |
Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator name. |
Managed Services Attribute |
Description |
---|---|
Allow seamless administrator access from remote Management Server |
Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator user name and password. |
Show device details in Login |
Indicates if appliance details are shown when an administrator accesses the appliance. |
Mobile Settings Attribute |
Description |
---|---|
Mobile Settings - Notification cloud server URL |
Cloud server URL used for sending mobile notifications. |
Mobile Settings - Pairing code expiration |
Time (in hours) till pairing code is expired. Type: Integer |
Mobile Settings - Verify SSL certificate |
Verify the SSL certificate when sending a mobile notification to the cloud server. |
Multiple ISP Route Refresh Attribute |
Description |
---|---|
Multiple ISP Route Refresh mode |
Indicates whether acceleration refreshes routes in a multiple ISP configuration. |
NAT Attribute |
Description |
---|---|
ARP manual file merge |
Indicates, when automatic ARP detection is enabled, to use the ARP definitions in a local file with higher priority. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the local.arp file and Automatic ARP configuration is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NAT IP address appears in both), then the manual configuration is used. |
Multiple parameters - IP Pool NAT |
An IP Pool is a range of IP addresses (an Address Range, a network or a group of one of these objects) routable to the gateway. When a connection is opened to a server, the gateway substitutes an IP address from the IP Pool for the source IP address. Reply packets from the server return to the gateway, which restores the original source IP address and forwards the packets to the source. When using IP Pool NAT, select an existing IP address range object. It must be previously defined in the Users & Objects > Networks Objects page. The IP Pool NAT mechanism allocates IP addresses from this range.
|
Automatic ARP detection |
When internal devices in the local network are defined using static NAT, the appliance must make sure packets to the static NAT IP address reach it. This option enables the appliance to automatically respond to ARP requests for those IP addresses. |
Increase hide capacity |
Indicates if hide-NAT capacity is given additional space. |
NAT enable |
Indicates if the device's NAT capabilities are enabled. |
NAT cache expiration |
Indicates the expiration time in minutes for NAT cache entries. |
NAT cache number of entries |
Indicates the maximum number of NAT cache entries. |
NAT hash size |
Indicates the hash bucket size of NAT tables. |
NAT limit |
Indicates the maximum number of connections with NAT. |
Perform cluster hide fold |
Indicates if local IP addresses are hidden behind the cluster IP address when applicable, as opposed to being hidden behind each cluster member's physical IP address. |
Translate destination on client side |
Translates destination IP addresses on client side (for automatically generated NAT rules). |
Translate destination on client side (manual rules) |
Translates destination IP addresses on client side (for manually configured NAT rules). |
Notification Policy Attributes |
Description |
---|---|
Notification Language |
Notification language |
Notifications Policy - Send push notifications |
Indicates whether notifications are sent to mobile application. |
Notifications Policy - The maximum number of notifications sent per hour |
The maximum number of notifications sent to mobile devices per hour. |
Operating Systems Attributes |
Description |
---|---|
Operating system - operating system |
tmpDirSize |
Operating system - System temporary directory size |
Controls the size (in MB) of the temporary directory that is used by the system. |
OS advanced settings attributes |
Description |
---|---|
Cellular Backoff Algorithm Mode |
Set cellular backoff algorithm mode (auto, force-disable, or force-enable). When in auto mode, the back-off algorithm works only for the Rogers cellular carrier. |
Disable transfer of DHCP options from WAN to LAN |
Specifies whether transfer of DHCP options from WAN to LAN is disabled. Type: Boolean Default: false |
Enable WAN on LAN |
Specifies whether the LAN-on-WAN feature is on. Type: Boolean Default: false |
Enable WiFi Monitors |
Specifies whether WiFi monitors are on. Type: Boolean Default: false |
Enable automatic WiFi Channel Change |
Specifies whether WiFi switches channels automatically during operation. Type: Boolean Default: false |
Enable destination check on PPPoE |
Specifies whether PPPoE destination check is enabled. Type: Boolean Default: false |
Enable flow-control for network switch |
Indicates if flow-control is enabled for network switch. Type: Boolean Default: false |
Force cellular module to use 4G network |
When disabled, the modem uses all available bands. When enabled, the modem uses 4G bands only. Type: Boolean Default: false |
Privacy Settings Attributes |
Description |
---|---|
Help Check Point improve its products by sending data |
Customer consent |
Location Service requires sending your IP address to a 3rd party |
Using automatic timezone feature requires sending your location to 3rd party. |
QoS Blade Attribute |
Description |
---|---|
Logging |
Indicates if the appliance logs QoS events when the QoS blade is enabled. |
Reach My Device Attribute |
Description |
---|---|
Ignore SSL certificate |
Indicates if the SSL certificate should be ignored when running the access service. |
Server address |
Indicates the address of the remote server that allows administration access to the appliance from the Internet even when behind NAT. |
Report Settings Attributes |
Description |
---|---|
Report Settings - Max Period |
Maximum period to collect and monitor data. You must reboot the appliance to apply changes. |
Report Settings - Reports cloud server URL |
Reports cloud server URL used to generate report PDF. |
Rest API Attribute |
Description |
---|---|
Rest API mode |
Indicates whether the REST API is enabled. |
Serial Port Attribute |
Description |
---|---|
Multiple Parameters |
With the serial port parameters you can configure the console port on the back panel of the appliance. You can disable it completely (clear the Enable serial port checkbox) if necessary and configure port speed and flow control settings. Note that these settings must match the configuration of the device connected to the console port. There are three modes for working with this port:
To configure an implicit rule that allows traffic from any source to this port, make sure Implicitly allow traffic to this port is selected. If you do not create an implicit rule, you must manually define an access rule in the Firewall Rule Base. Two appliances, one in active mode and the other in passive mode, can allow a client to remotely connect to a console connected to the appliance in passive mode over the internet using a telnet connection. |
SSL Inspection Attribute |
Description |
---|---|
Additional HTTPS ports |
Additional HTTPS ports for SSL inspection (a comma separated list of ports/ranges). |
Log empty SSL connections |
Log connections that were terminated by the client before data was sent. This might indicate the client did not install the CA certificate. |
Retrieve intermediate CA certificates |
Indicates if the SSL inspection mechanism will perform its validations on all intermediate CA certificates in the certificate chain. |
Track validation errors |
Choose if the SSL Inspection validations are tracked. |
Validate CRL |
Indicates if the SSL inspection mechanism will drop connections that present a revoked certificate. |
Validate Expiration |
Indicates if the SSL inspection mechanism will drop connections that present an expired certificate. |
Validate unreachable CRL |
Indicates if the SSL inspection mechanism will drop connections that present a certificate with an unreachable CRL. |
Validate untrusted certificates |
Indicates if the SSL inspection mechanism will drop connections that present an untrusted server certificate. |
Stateful Inspection Attribute |
Description |
---|---|
Accept out of state TCP packets |
Indicates if TCP packets which are not consistent with the current state of the TCP connection are dropped (when set to 0) or accepted (when set to any other value). |
Accept stateful ICMP errors |
Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base. |
Accept stateful ICMP replies |
Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base. |
Accept stateful UDP replies for unknown services |
Specifies if UDP replies are to be accepted for unknown services. In each UDP service object it is possible to configure whether UDP replies for it are accepted if the service is matched on a rule which accepts traffic. This parameter refers to all connections which are not covered by the service objects. |
Accept stateful other IP protocols replies for unknown services |
Accept stateful other IP protocols replies for unknown services. In each service object it is possible to configure whether replies for it are accepted if the service is matched on a rule which accepts traffic. This parameter refers to all non-TCP/UDP connections which are not covered by the service objects. |
Allow LAN-DMZ DPI |
Allow Deep Packet Inspection in traffic between internal networks and the DMZ network. |
Allow LAN-LAN DPI |
Allow Deep Packet Inspection in traffic between internal networks. |
Drop out of state ICMP packets |
Drop ICMP packets which are not in the context of a "virtual session". |
ICMP virtual session timeout |
An ICMP virtual session is considered to have timed out after this time period (in seconds). |
Log dropped out of state ICMP packets |
Indicates if dropped out of state ICMP packets generate a log. See the "Drop out of state ICMP packets" parameter. |
Log dropped out of state TCP packets |
Indicates if dropped out of state TCP packets generate a log. See the "Accept out of state TCP packets" parameter. |
Other IP protocols virtual session timeout |
A virtual session of services which are not TCP, UDP or ICMP is considered to have timed out after this time period (in seconds). |
TCP end timeout |
Indicates the timeout (in seconds) for TCP session end. A TCP session is considered as "ended" following two FIN packets, one in each direction, or an RST packet. |
TCP session timeout |
Indicates the timeout (in seconds) for TCP sessions. A TCP session times out if the connection remains idle after this time period (in seconds). |
TCP start timeout |
Indicates the timeout (in seconds) for TCP session start. A TCP connection times out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds this time period (in seconds). |
UDP virtual session timeout |
A UDP virtual session is timed out after this time period (in seconds). |
Streaming Engine Settings Attribute |
Description |
---|---|
Multiple parameters |
These settings determine how the TCP streaming engine used by the various deep inspection blades (IPS, Application Control, Anti-Bot, Anti-Virus, etc.) handles protocol violations and events that prevent the streaming engine from further inspection. We highly recommend that these settings always be in prevent mode. Using these settings in detect mode may significantly lower security as inspection stops when the event or violation occurs. When the configuration is set to log such events, the logs are shown in Logs & Monitoring > Security Logs under the IPS blade. For each violation or event configure the action and tracking mode. |
TCP Segment Limit Enforcement |
For every TCP segment that passes through the gateway, the gateway retains a copy of the segment until it receives an acknowledgment that the segment was received. This buffered data occupies space in the gateway's memory. This enforces a limit on the number and size of buffered segments per connection. When a connection reaches one of these limits, the gateway does not accept new segments for this connection until buffered segments are acknowledged. |
TCP Out of Sequence |
The receiving host of a TCP stream buffers segments and retains only those segments within a specified window. Segments outside this window are not processed by the receiving host. TCP segments which are outside the TCP receiving window should not be processed by the gateway. All data from TCP segments that are outside of the window is either dropped or removed. If the segment is near the window, data is stripped. If the segment is far from the window, the segment is dropped. |
TCP Invalid Retransmission |
For every TCP segment that passes through the gateway, the gateway retains a copy of the segment until the gateway receives an acknowledgment that the segment was received. If no acknowledgment is received, the source machine sends the segment again, which the gateway compares to its copy to verify that the new packet matches the original. Passing a retransmission that differs from the original allows uninspected data to reach the destination application. This can block segment retransmissions which differ from the original segments, and this assures that the gateway inspects all data that is processed by the receiving application. When set to detect, such retransmissions cause the traffic to bypass deep inspection blades. |
TCP Invalid Checksum |
The gateway does not need to inspect packets with an invalid TCP checksum because these packets are dropped by the receiving host's TCP stack. This blocks TCP packets with an invalid checksum. Due to malfunctioning networking equipment, it is normal to see some packets with an incorrect checksum on the network. This does not indicate an attempted attack and for this reason, the default is to NOT log such events. |
TCP SYN Modified Retransmission |
A TCP SYN packet may be retransmitted with a changed sequence number in an attempt to initiate a connection that IPS does not inspect. This blocks a SYN retransmission where the sequence number has been modified. When set to detect, such retransmissions cause the traffic to bypass deep inspection blades. |
TCP Urgent Data Enforcement |
Some TCP protocols, such as Telnet, send out-of-band data using the TCP URG bit as part of the protocol syntax, whereas most protocols don't use the TCP out-of-band functionality. Allowing packets with the URG bit may prevent the gateway from determining what data would be processed by the receiving application. This could lead to a situation where the data inspected by the gateway is not what the receiving application processes, thus allowing IPS protections to be bypassed. When a packet with the URG bit is received in a protocol that does not support out-of-band functionality, the gateway cannot determine whether the receiving application processes the data. This removes the URG bit from TCP segments with the URG bit set in protocols which do not support the TCP out-of-band functionality. When set to detect, usage of the URG bit causes the traffic to bypass deep inspection blades. |
Stream Inspection Timeout |
A connection being inspected by a dedicated process may be delayed until inspection is completed. If inspection is not completed within a time limit, the connection is dropped so that resources are not kept open. This blocks connections whose inspection timeout has expired. When set to detect, exceeding the timeout causes the traffic to bypass deep inspection blades. |
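The TCP Segment Limit Enforcement and TCP Invalid Retransmission behaviours described above, as an added toy model that is not Check Point code. The limits, the verdict names and the sample payloads are assumptions, and sequence-number wraparound is ignored; the point is the difference between the prevent and detect actions.

```python
"""Toy per-connection segment buffer (constructed example; ignores sequence wraparound)."""


class StreamBuffer:
    def __init__(self, max_segments, max_bytes, action="prevent"):
        if action not in ("prevent", "detect"):
            raise ValueError("action must be 'prevent' or 'detect'")
        self.max_segments = max_segments   # limit on number of buffered segments
        self.max_bytes = max_bytes         # limit on total buffered payload size
        self.action = action
        self.unacked = {}                  # seq -> payload copy kept until acknowledged
        self.inspecting = True             # False once inspection has been bypassed

    def _conflicts(self, seq, data):
        """True if data disagrees with a buffered copy on any overlapping byte."""
        for bseq, bdata in self.unacked.items():
            lo = max(seq, bseq)
            hi = min(seq + len(data), bseq + len(bdata))
            if lo < hi and data[lo - seq:hi - seq] != bdata[lo - bseq:hi - bseq]:
                return True
        return False

    def on_segment(self, seq, data):
        if not self.inspecting:
            return "uninspected"           # detect mode already gave up on this stream
        if self._conflicts(seq, data):
            if self.action == "prevent":
                return "drop"              # the differing retransmission never passes
            self.inspecting = False        # detect: log, then stop inspecting
            self.unacked.clear()
            return "bypass"
        if seq in self.unacked and len(data) <= len(self.unacked[seq]):
            return "retransmit-ok"         # identical resend of buffered data
        buffered = sum(len(d) for d in self.unacked.values())
        if len(self.unacked) >= self.max_segments or buffered + len(data) > self.max_bytes:
            return "hold"                  # limit reached: wait for acknowledgments
        self.unacked[seq] = data
        return "inspect"

    def on_ack(self, ack):
        """The receiver acknowledged every byte below ack: release those copies."""
        for seq in [s for s, d in self.unacked.items() if s + len(d) <= ack]:
            del self.unacked[seq]


def demo(action):
    buf = StreamBuffer(max_segments=3, max_bytes=64, action=action)
    verdicts = [
        buf.on_segment(1000, b"0123456789"),   # new data
        buf.on_segment(1000, b"0123456789"),   # honest retransmission
        buf.on_segment(1000, b"01234X6789"),   # same range, different bytes
        buf.on_segment(1010, b"abcdefghijk"),
        buf.on_segment(1021, b"lmnopqrst"),
        buf.on_segment(1030, b"uv"),           # fourth segment with nothing acked yet
    ]
    buf.on_ack(1021)                           # first two segments acknowledged
    verdicts.append(buf.on_segment(1030, b"uv"))
    return verdicts


if __name__ == "__main__":
    print("prevent:", demo("prevent"))
    print("detect: ", demo("detect"))
```

In the detect run every segment after the mismatch is passed without inspection, which is why the description recommends keeping these settings in prevent mode.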
Threat Prevention Anti-Bot Policy Attribute |
Description |
---|---|
Resource classification mode |
Indicates the mode used by the Anti-Bot engine for resource classification:
|
Threat Prevention Anti-Virus Policy Attribute |
Description |
---|---|
File scan size limit |
Indicates the size limit (in KB) of a file scanned by Anti-Virus engine. To specify no limit, set to 0. |
MIME maximum nesting level |
For emails that contain nested MIME content, set the maximum number of levels that the ThreatSpect engine scans in the email. |
MIME nesting level exceeded action |
If there are more nested levels of MIME content than the configured amount, select to Block or Allow the email file. |
Priority scanning |
Scan according to security and performance priorities for maximum optimization. |
Resource classification mode |
Indicates the mode used by the Anti-Virus engine for resource classification:
|
Threat Prevention Threat Emulation Policy Attribute |
Description |
---|---|
Emulation connection handling mode - IMAP |
Indicates the strictness mode of the Threat Emulation engine over IMAP:
|
Emulation connection handling mode - POP3 |
Indicates the strictness mode of the Threat Emulation engine over POP3:
|
Emulation connection handling mode - SMTP |
Indicates the strictness mode of the Threat Emulation engine over SMTP:
|
Emulation location |
Indicates if emulation is done on Public ThreatCloud or on remote (private) SandBlast. |
Primary emulation gateway |
The IP address of the primary remote emulation gateway. |
Threat Prevention Policy Attribute |
Description |
---|---|
Block when service is unavailable |
Block web requests traffic when the Check Point ThreatCloud online web service is unavailable. |
Fail mode |
Indicates the action to take (Allow all requests or Block all requests) on traffic in case of an internal system error or overload. |
File inspection size limit |
Indicates the size limit (in KB) of a file inspected by Threat Prevention engines. Note - A limit too low may have an impact on the functionality of the Application Control blade. To specify no limit, set to 0. |
Method for skipping HTTP inspection |
Warning: Changing the setting to Full has a severe security impact. An HTTP connection can be made up of many sessions. A file that is part of an HTTP connection passes in one HTTP session. If a non-zero File inspection size limit is configured, the Default setting of Method for skipping HTTP inspection is that file inspection is skipped to the end of the session, and resumes in the next HTTP session. If a non-zero File inspection size limit is configured and the Method for skipping HTTP inspection is changed to Full, file inspection is skipped to the end of the connection and resumes in the next connection. This improves performance because the remaining part of the connection is fully accelerated. However, changing the setting to Full is not recommended because of a severe security impact: The remaining sessions of the connection are not inspected. |
Threat Prevention policy - Update Threat Prevention With Full Packages |
Update Threat Prevention with the most up-to-date packages. |
Allow me to view attack statistics in my User Center account |
Allow viewing attack statistics in your User Center Account. For more information, see Threat Prevention - Infinity SOC. |
Allow IP address information in attack statistics |
Optional: Enable the real IP address information in the attack reports (see sk164332 - section "De-obfuscate the real IP of the victim"): |
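The difference between the Default and Full values of Method for skipping HTTP inspection, described in the table above, is shown here as a simplified model. This is an added example, not Check Point code: it assumes that skipping starts when the file carried by a session is larger than the non-zero File inspection size limit, and the session sizes are constructed sample data.

```python
# Added illustration (not Check Point code): a simplified model of how
# "File inspection size limit" and "Method for skipping HTTP inspection"
# interact on one HTTP connection that carries several sessions.
# Assumption: skipping starts when the file in a session is larger than the
# non-zero limit. A limit of 0 means "no limit", as the table states.

INSPECTED = "inspected"          # file is within the limit, fully inspected
CUT_SHORT = "cut short"          # over the limit: rest of the session skipped
NOT_INSPECTED = "not inspected"  # session passed without any inspection


def inspection_outcome(file_sizes_kb, limit_kb, method="Default"):
    """Return one outcome per HTTP session of a single connection.

    file_sizes_kb: size of the file carried by each session, in order.
    method: "Default" skips to the end of the session and resumes in the
            next session; "Full" skips to the end of the connection.
    """
    if method not in ("Default", "Full"):
        raise ValueError("method must be 'Default' or 'Full'")
    if limit_kb < 0:
        raise ValueError("limit_kb must be 0 (no limit) or positive")

    outcomes = []
    skip_connection = False
    for size_kb in file_sizes_kb:
        if skip_connection:
            outcomes.append(NOT_INSPECTED)
        elif limit_kb == 0 or size_kb <= limit_kb:
            outcomes.append(INSPECTED)
        else:
            outcomes.append(CUT_SHORT)
            # Only "Full" carries the skip over to the later sessions.
            skip_connection = (method == "Full")
    return outcomes


def blind_spots(file_sizes_kb, limit_kb, method):
    """Indexes of sessions that pass with no inspection at all."""
    outcomes = inspection_outcome(file_sizes_kb, limit_kb, method)
    return [i for i, outcome in enumerate(outcomes) if outcome == NOT_INSPECTED]


# Constructed sample: four sessions on one keep-alive connection (sizes in KB).
SAMPLE_SESSIONS_KB = [40, 9000, 12, 300]
SAMPLE_LIMIT_KB = 1024

if __name__ == "__main__":
    for method in ("Default", "Full"):
        outcomes = inspection_outcome(SAMPLE_SESSIONS_KB, SAMPLE_LIMIT_KB, method)
        print(f"{method:8}", outcomes,
              "blind spots:", blind_spots(SAMPLE_SESSIONS_KB, SAMPLE_LIMIT_KB, method))
```

With Default, only the oversized session is cut short; with Full, every later session on the same connection also passes uninspected, which is the security impact the warning refers to.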
USB Modem Watchdog Attribute |
Description |
---|---|
Interval |
Indicates how often (in minutes) the USB modem watchdog probes the internet. |
Mode |
Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type. To enable USB modem watchdog when internet probing indicates there is no internet access, select one of these reset options:
|
USB only |
Monitor only USB modem connection and not other internet connections. In this mode, when monitoring other internet connections, gateway reset only occurs when probing fails on all internet connections (and not just USB modem). Type: Boolean |
Update Services Schedule Attribute |
Description |
---|---|
Maximum number of retries |
Indicates the maximum number of retries for a single update when the cloud is unavailable. |
Timeout until retry |
Indicates the timeout (in seconds) until update retry. |
User Awareness Attribute |
Description |
---|---|
Active Directory association timeout |
Indicates the timeout (in minutes) for caching an association between a user and an IP address. |
Allow DNS for unknown users |
Indicates that DNS traffic from unauthenticated users is not blocked when Block unauthenticated users when the captive portal is not possible is selected in Users & Objects > User Awareness > Browser-Based Authentication > Identification tab. Without DNS traffic, the browsers of end users may not show the Captive Portal. |
Assume single user per IP address |
When Active Directory Queries is enabled in Users & Objects > User Awareness, the parameter indicates that only one user can be identified from a single device. When two or more users connect from a device, only the last user to log on is identified. |
Log blocked unknown users |
Indicates if unauthenticated users that are blocked are logged when Block unauthenticated users when the captive portal is not possible is selected in Users & Objects > User Awareness > Browser-Based Authentication > Identification tab. |
User Management Attribute |
Description |
---|---|
Automatically delete expired local users |
Automatically delete all expired local users every 24 hours (after midnight). |
VPN Remote Access Attribute |
Description |
---|---|
Allow clear Traffic while disconnected |
Indicates if traffic to the VPN domain, when the Remote Access VPN client is not connected to the site, is sent without encryption (clear) or dropped. |
Allow simultaneous login |
Indicates if a user can log in to multiple sessions. If the option is disabled, and a user logs in a second time with the same credentials, the previous session is disconnected. |
Authentication timeout |
Indicates the amount of time (in minutes) the remote client's password remains valid if timeout is enabled. |
Authentication timeout enable |
Indicates if the remote client's password remains valid only for a configured amount of time (Authentication timeout attribute). |
Auto-disconnect in VPN domain |
Indicates if the client disconnects automatically to save resources when it connects from inside the secured internal network (local encryption domain). |
Back connections enable |
Enable back connections from the encryption domain behind the gateway to the client. |
Back connections keep-alive interval |
Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections. |
Enable Visitor Mode on All Interfaces / Enable Visitor Mode on This Interface |
This dialog box lets you configure a specified interface for visitor mode. Visitor mode allows the appliance to listen for TCPT traffic on a specified port (by default port 443) as backup to IKE connections from the remote access client. This mode is normally used to allow VPN remote access connections from behind restrictive environments such as hotels. Modifying visitor mode to be enabled only on a specific interface is not recommended. |
Encrypt DNS traffic |
Indicates if DNS queries sent by the remote client to a DNS server located in the encryption domain are passed through the VPN tunnel. |
Encryption Method |
Indicates which IKE encryption method (version) is used for IKE phase 1 and 2. |
Endpoint Connect re-authentication timeout |
Indicates the time (in minutes) until the Endpoint Connect user's credentials are resent to the gateway to verify authorization. |
IKE IP Compression Support |
Indicates if IPSec packets from remote access clients are compressed. |
IKE Over TCP |
Enables support of IKE over TCP. |
IKE restart recovery |
When dealing with Remote Access clients, the appliance cannot initiate an IKE phase 1 negotiation because the client address is unknown. If the appliance has an active SA with a Remote Access client and it restarts, the SA is lost, and the appliance cannot initiate IKE phase 1. But, if the restart option is selected, the appliance saves the tunnel details every minute. When the first encrypted packet arrives after the appliance restarts, the appliance sends a Delete SA message. This causes the remote client to discard the old SA and initiate IKE phase 1 to reopen the tunnel. |
Legacy NAT traversal |
Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient. |
Match on Internal Rule Base only |
Traffic from Remote Access clients will always be matched on the Incoming/Internal/VPN rulebase, including traffic to the Internet. |
Minimum TLS version support in the SSL VPN portal |
Indicates the minimum TLS protocol version which the SSL VPN portal supports. For security reasons, we recommend supporting TLS 1.2 and above. |
Office Mode Enable With Multiple Interfaces |
Indicates if a mechanism (with a performance impact) to improve connectivity between remote access client and an appliance with multiple external interfaces is enabled. |
Office Mode Perform Anti-Spoofing / Single Office Mode Per Site |
|
Office Mode allocate from RADIUS |
Indicates if the Office Mode allocated IP addresses are taken from the RADIUS server used to authenticate the user. |
Office Mode disable |
Indicates if Office Mode (allocating IP addresses for Remote Access clients) is disabled. This is not recommended. |
Passwords caching on client |
Indicates if password caching is used. This means that re-authentication is not necessary when the client tries to access more than one gateway. |
Prevent IP NAT Pool |
Prevent IP Pool NAT configuration from being applied to Office Mode users. This is needed when using SecureClient as well as other VPN clients (see sk20251). |
Radius retransmit timeout |
Timeout interval (in seconds) for each RADIUS server connection attempt. |
Remote Access port / Reserve port 443 for port forwarding |
The default remote access port is port 443. If there is a conflict with another server using this port number, configure a different Remote access port. You must change the default remote access port if the Check Point VPN client, Mobile client, or SSL VPN remote access methods are enabled as they use port 443 by default. If you change the default port number 443, make sure to select Reserve port 443 for port forwarding. |
SNX keep-alive interval |
Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets. |
SNX re-authentication timeout |
Indicates the time (in minutes) between re-authentication of SSL Network Extender remote access users. |
SNX support 3DES |
Indicates if the 3DES encryption algorithm will be supported in SSL clients as well as the default algorithms. |
SNX support RC4 |
Indicates if the RC4 encryption algorithm is supported in SSL clients as well as the default algorithms. |
SNX uninstall |
This parameter lets you configure under which conditions the SSL Network Extender client uninstalls itself. The options are: Do not uninstall automatically (recommended default), always uninstall upon disconnection, and ask the user upon disconnection. |
SNX upgrade |
This parameter lets you configure under which conditions the SSL Network Extender client installs itself. The options are: Do not upgrade automatically, always upgrade, and ask the user (default). |
Topology updates manual interval |
Indicates the manually configured interval (in hours) for topology updates to the clients. Applicable only if the override setting is set to true. |
Topology updates override |
Indicates if the configured topology updates settings override the default 'once a week' policy. |
Topology updates upon startup only |
Indicates if topology updates occur only when the client starts. Applicable only if the override setting is set to true. |
Verify device certificate |
The remote access client verifies the device's certificate against the revocation list. |
block user if belongs to at least one group without permission |
Indicates if strict group permissions are enabled: a user does not have remote access permission if the user belongs to at least one group without remote access permission. |
VPN Site to Site Global Settings Attribute |
Description |
---|---|
Accept NAT Traversal |
Indicates if industry standard NAT traversal (UDP encapsulation) is enabled. This enables VPN tunnel establishment even when the remote site is behind a NAT device. |
Administrative notifications |
Indicates how to log an administrative event (for example, when a certificate is about to expire). |
Check validity of IPSec reply packets |
Indicates whether to check the validity of IPSec reply packets. |
Cluster SA sync packets threshold |
Sync SA with other cluster members when the number of packets reaches this threshold. |
Copy DiffServ mark from encrypted/decrypted IPSec packet |
Copy DiffServ mark from encrypted/decrypted IPSec packet. |
Copy DiffServ mark to encrypted/decrypted IPSec packet |
Copy DiffServ mark to encrypted/decrypted IPSec packet. |
DPD triggers new IKE negotiation |
DPD triggers new IKE negotiation. |
Delete IKE SAs from a dead peer |
Delete IKE SAs from a dead peer. |
Delete IPsec SAs on IKE SA delete |
Delete IPsec SAs on IKE SA delete. |
Delete tunnel SAs when Tunnel Test fails |
When permanent VPN tunnels are enabled and a Tunnel Test fails, delete the relevant peer's tunnel SAs. |
Do not encrypt connections originating from the local gateway |
Packets whose original source or destination IP address is the local gateway's Internet Connection IP address will not go through a VPN tunnel. This parameter may be useful when the gateway is behind hide NAT. |
Do not encrypt local DNS requests |
When enabled, DNS requests originating from the appliance will not be encrypted. Relevant when a configured DNS server is in a VPN peer's encryption domain. |
Enable encrypted packets rerouting |
Indicates if encrypted packets are rerouted through the best interface according to the peer's IP address or probing. We do not recommend changing this value to false. |
Grace Period after CRL is no longer valid |
CRL grace period is required to resolve the issue of differing clock times between the appliance and the remote CA. A grace period permits a wider window for CRL validity. Indicates the time (in seconds) after which a revoked certificate of a remote site remains valid. |
Grace Period before CRL is valid |
CRL grace period is required to resolve the issue of differing clock times between the appliance and the remote CA. A grace period permits a wider window for CRL validity. Indicates the time window (in seconds) where a certificate is considered valid prior to the time set by the CA. |
IKE DoS from known sites protection |
Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers. |
IKE DoS from unknown sites protection |
Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers. |
IKE Reply From Same IP |
Indicates if the source IP address used in IKE session is based on destination when replying to incoming connections, or based on the general source IP address link selection configuration. |
Join adjacent subnets in IKE Quick Mode |
Indicates whether to join adjacent subnets in IKE Quick Mode. |
Keep DF flag on packet |
Indicates if the 'Don't Fragment' flag is kept on the packet during encryption/decryption. |
Keep IKE SA Keys |
Keep IKE SA keys. |
Key exchange error tracking |
Indicates how to log VPN configuration errors or key exchange errors. |
Match Internet traffic on the Outgoing Rule Base |
Traffic to the Internet from VPN peers that route all their traffic through this gateway will be matched on the Outgoing Rule Base. |
Maximum concurrent IKE negotiations |
Indicates the maximum number of concurrent VPN IKE negotiations. |
Maximum concurrent tunnels |
Indicates the maximum number of concurrent VPN tunnels. |
Open SAs limit |
Indicates the maximum number of open SAs per VPN peer. |
Outgoing link tracking |
Indicates how to log the outgoing VPN link: Log, don't log, or alert. |
Override 'Route all traffic to remote VPN site' configuration for administrator access to the device |
Select this option to prevent administrator access to this appliance from being routed to the remote site even when "Route all traffic to remote VPN site" is configured. |
Packet handling errors tracking |
Indicates how to log the VPN packet handling errors: Log, don't log, or alert. |
Perform Tunnel Tests using an internal IP Address |
A Tunnel Test makes sure that the VPN tunnel between peer VPN Gateways is up. By default, the test is done by making sure there is a connection between all the external IP addresses of the peer VPN Gateways. You can configure this option to do the tunnel tests using the internal IP addresses of the Gateways that are part of the local encryption domain. You can see the status of the VPN tunnel in the Logs and Monitoring tab. |
Permanent tunnel down tracking |
Indicates how to log when the tunnel goes down: Log, don't log, or alert. |
Permanent tunnel up tracking |
Indicates how to log when the tunnel is up: Log, don't log, or alert. |
RDP packet reply timeout |
Timeout (in seconds) for an RDP packet reply. |
Reply from incoming interface |
When a tunnel is initiated from a remote site, reply from the same incoming interface when applicable (IKE and RDP sessions). |
Successful key exchange tracking |
Indicates how to log when there is a successful key exchange: Log, don't log, or alert. |
Use cluster IP address for IKE |
Indicates if IKE is performed using the cluster IP address (when applicable). |
Use internal IP address for encrypted connections from local gateway |
Encrypted connections originating from the local gateway will use an internal interface's IP address as the connection source. |
VPN tunnel sharing |
Indicates under what conditions new tunnels are created: per host pair, per subnet (industry standard), or a single tunnel per remote site/gateway. This controls the number of tunnels that are created. |
VoIP Attribute |
Description |
---|---|
Accept MGCP connections to registered ports |
Indicates if deep inspection over MGCP traffic automatically accepts MGCP connections to registered ports. |
Accept SIP connections to registered ports |
Indicates if deep inspection over SIP traffic automatically accepts SIP connections to registered ports. |
Web Interface Settings and Customizations Attribute |
Description |
---|---|
Multiple parameters |
Select Use a company logo in the appliance's web interface to display a different logo (not the Check Point default logo). In Company logo, click the Upload company logo link, browse to the logo file, and click Apply. In Company URL, enter the company's URL. When you click the company logo in the web interface it opens this URL. |