Advanced Settings

The Device > Advanced Settings page is for advanced administrators or Check Point Support. You can configure values for multiple advanced settings for the various blades.

Important - Changing these advanced settings without fully understanding them can be harmful to the stability, security, and performance of this appliance. Continue only if you are certain that you understand the required changes.

For further details regarding the attributes, consult with Check Point Support when necessary.

To filter the list of attributes:

  1. Enter text in the Type to filter field.

    The search results are dynamically shown as you type.

  2. To cancel the filter, click X next to the search string.

To configure the appliance attributes:

  1. Select an attribute.

  2. Click Edit.

    The attribute window opens.

  3. Configure the settings, or click Restore Defaults to reset the attribute to the default settings. For more details on the attributes, see the next sections. 

  4. Click Apply.

To reset all the appliance attributes to the default settings:

  1. From the Advanced Settings window, click Restore Defaults.

    The Confirm window opens.

  2. Click Yes.

All appliance attributes are reset to the default settings.

Table: Administrator Lockout Attribute

Administrator Lockout Attribute

Description

Admin Lockout - Mobile application session timeout

Allowed mobile application session duration (in days) before automatic logout is executed.

Default is 30.

Table: Administrator RADIUS authentication Attributes

Administrator RADIUS authentication Attribute

Description

Local authentication (RADIUS server)

Perform local administrator authentication only if RADIUS server is not configured or is inaccessible.

Table: Aggressive Aging Attributes

Aggressive Aging Attribute

Description

Multiple parameters

Aggressive Aging helps manage the connections table capacity and memory consumption of the firewall to increase durability and stability.

Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout, it is marked as "eligible for deletion". When the connections table or memory consumption reaches the user-defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections until memory consumption or connections capacity decreases back to the desired level.

Aggressive Aging allows the gateway machine to handle large amounts of unexpected traffic, especially during a Denial of Service attack.

If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the "eligible for deletion" list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no "eligible for deletion" connections, no connections are deleted at that time, but the list is checked after each subsequent connection that exceeds the threshold.

Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic.

The major benefit of Aggressive Aging is that it starts to operate when the machine still has available memory and the connections table is not entirely full. This way, it reduces the chances of connectivity problems that might have occurred under low-resource conditions.


To configure Aggressive Aging:

  1. Select Enable Aggressive Aging of connections when appliance is under load.

  2. To log Aggressive Aging events, select Log Aggressive Aging events. The logs are shown in Logs & Monitoring > Security Logs under the IPS blade.

  3. Select the checkboxes of the Aggressive Aging Timeouts that you want to enforce and enter the Aggressive Aging timeout. Make sure that the Aggressive timeouts are lower than the default timeouts.

    The default timeouts can be viewed and configured in the Device > Advanced Settings > Stateful Inspection attributes.

To configure when the Aggressive Aging timeouts are enforced:

  1. Under Aggressive Aging Timeouts are enforced when section, select whether they are enforced if the connections table exceeds a limit, if memory exceeds a limit, or if both exceed their limits.

  2. Enter the percentage that you want to define as the limit to either connections table or memory consumption. If you select both, the values in the percentage fields of the other options are applied. Default is 80%, with connections from the "eligible for deletion" list being deleted if either the connections table or memory consumption passes this limit.
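The following simulation is an added example, not Check Point code, of the Aggressive Aging behaviour described above: connections idle longer than the aggressive timeout become "eligible for deletion", and once the table passes the configured percentage of its capacity, each new connection deletes up to ten of them, oldest first. The capacity, timeouts and load pattern are constructed values chosen for the illustration.

```python
"""Simulation of the Aggressive Aging mechanism (constructed example, not appliance code)."""
from dataclasses import dataclass, field


@dataclass
class Conn:
    cid: int
    last_activity: float  # time of the last packet seen on this connection (seconds)


@dataclass
class ConnTable:
    capacity: int               # Maximum concurrent connections
    default_timeout: float      # normal idle timeout from the Stateful Inspection attributes
    aggressive_timeout: float   # shorter Aggressive Aging timeout; must be lower than the default
    threshold_pct: int = 80     # "enforced when the connections table exceeds" this percentage
    batch: int = 10             # eligible connections deleted per new connection over the threshold
    conns: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.aggressive_timeout >= self.default_timeout:
            raise ValueError("aggressive timeout must be lower than the default timeout")

    def over_threshold(self) -> bool:
        return len(self.conns) * 100 >= self.capacity * self.threshold_pct

    def eligible_for_deletion(self, now: float) -> list:
        """Connections idle longer than the aggressive timeout (still valid under the default one)."""
        return [c for c in self.conns.values() if now - c.last_activity > self.aggressive_timeout]

    def expire_normal(self, now: float) -> None:
        """Ordinary aging: connections idle longer than the default timeout are always removed."""
        for cid in [c.cid for c in self.conns.values() if now - c.last_activity > self.default_timeout]:
            del self.conns[cid]

    def new_connection(self, cid: int, now: float) -> bool:
        self.expire_normal(now)
        if self.over_threshold():
            # Each incoming connection over the threshold deletes up to `batch` eligible
            # connections, oldest first; if none are eligible nothing is deleted this time.
            victims = sorted(self.eligible_for_deletion(now), key=lambda c: c.last_activity)[:self.batch]
            for v in victims:
                del self.conns[v.cid]
                self.log.append(f"aggressive aging: deleted connection {v.cid}, idle {now - v.last_activity:.0f}s")
        if len(self.conns) >= self.capacity:
            return False  # table genuinely full: the new connection cannot be added
        self.conns[cid] = Conn(cid, now)
        return True


def simulate() -> tuple:
    """Constructed load pattern: fill the table to 80%, then add connections at t=30s and t=120s."""
    table = ConnTable(capacity=100, default_timeout=3600, aggressive_timeout=60)
    for i in range(80):
        table.new_connection(i, now=0.0)
    at_threshold = len(table.conns)          # 80: the 80% limit is reached
    table.new_connection(1000, now=30.0)     # over threshold, but nothing is idle > 60s yet
    nothing_eligible = len(table.conns)      # 81: no deletion, list is checked again next time
    table.new_connection(1001, now=120.0)    # everything is idle > 60s: ten are deleted, one added
    after_aging = len(table.conns)           # 72
    return at_threshold, nothing_eligible, after_aging, len(table.log)


if __name__ == "__main__":
    print(simulate())
```

The point to notice is the second step: being over the threshold alone deletes nothing while no connection has exceeded its aggressive timeout, which is why the aggressive timeouts must be lower than the default timeouts for the mechanism to have any effect.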

Table: Anti ARP Spoofing Attributes

Anti ARP spoofing Attribute

Description

Anti ARP spoofing mode

Mode for Anti ARP spoofing protection. The protection can be set to off, on, or detect-only mode.

Detection window time to indicate attack

Time period (in seconds) during which IP addresses, assigned to the same MAC address, indicate an ARP spoofing attack.

Number of IP addresses to indicate attack

The number of IP addresses assigned to the same MAC address during the detection window time that indicates an ARP spoofing attack.

Suspicious MAC block period

Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list.
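As an added example (not Check Point code), the detector below applies the four attributes in this table to a stream of observed ARP replies: a sliding detection window per MAC address, a threshold on the number of distinct IP addresses claimed inside it, a block period for a MAC that crosses the threshold, and the off / detect-only / on modes. The MAC addresses, IP addresses and timings are constructed sample data.

```python
"""Sliding-window detector for the Anti ARP Spoofing attributes (constructed example, not appliance code)."""
from collections import defaultdict, deque


class ArpSpoofDetector:
    def __init__(self, mode="prevent", window=10, ip_threshold=5, block_period=300):
        # mode: "off", "detect" or "prevent" (the table's off / detect-only / on)
        # window: "Detection window time to indicate attack" (seconds)
        # ip_threshold: "Number of IP addresses to indicate attack"
        # block_period: "Suspicious MAC block period" (seconds)
        self.mode, self.window = mode, window
        self.ip_threshold, self.block_period = ip_threshold, block_period
        self.claims = defaultdict(deque)  # mac -> deque of (timestamp, ip) inside the window
        self.blocked = {}                 # mac -> time at which the block expires
        self.alerts = []                  # (timestamp, mac, sorted distinct ips)

    def observe(self, ts, mac, ip):
        """Feed one observed ARP reply; return 'off', 'allowed', 'detected' or 'blocked'."""
        if self.mode == "off":
            return "off"
        if mac in self.blocked:
            if ts < self.blocked[mac]:
                return "blocked"          # still inside the block period
            del self.blocked[mac]         # block expired, start counting again
        q = self.claims[mac]
        q.append((ts, ip))
        while q and ts - q[0][0] > self.window:
            q.popleft()                   # forget claims older than the detection window
        distinct = {claimed_ip for _, claimed_ip in q}
        if len(distinct) >= self.ip_threshold:
            self.alerts.append((ts, mac, sorted(distinct)))
            if self.mode == "prevent":
                self.blocked[mac] = ts + self.block_period
                q.clear()
                return "blocked"
            return "detected"
        return "allowed"


# Constructed ARP observations: (seconds, sender MAC, claimed IP). One normal host, and
# one MAC that claims five different addresses inside a ten-second window.
SAMPLE = [
    (0, "aa:aa:aa:aa:aa:01", "10.0.0.10"),
    (1, "aa:aa:aa:aa:aa:01", "10.0.0.10"),
    (2, "de:ad:be:ef:00:01", "10.0.0.1"),
    (3, "de:ad:be:ef:00:01", "10.0.0.2"),
    (4, "de:ad:be:ef:00:01", "10.0.0.3"),
    (5, "de:ad:be:ef:00:01", "10.0.0.4"),
    (6, "de:ad:be:ef:00:01", "10.0.0.5"),    # fifth distinct IP within the window
    (100, "de:ad:be:ef:00:01", "10.0.0.1"),  # inside the 300 s block period
    (400, "de:ad:be:ef:00:01", "10.0.0.1"),  # block has expired
]


def run(mode="prevent"):
    det = ArpSpoofDetector(mode=mode, window=10, ip_threshold=5, block_period=300)
    return [det.observe(*obs) for obs in SAMPLE]


if __name__ == "__main__":
    for mode in ("off", "detect", "prevent"):
        print(mode, run(mode))
```

Detect-only mode produces the same alert as prevent mode but never blocks, which is the mode to use while tuning the window and threshold on a network where DHCP churn or a legitimate multi-homed host could otherwise trip the count.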

Table: Anti-Spam policy Attributes

Anti-Spam Policy Attributes

Description

All mail track

Tracking options for emails that are not considered spam or suspected spam. Tracking such emails can have a performance impact.

Allowed mail track

Tracking options for emails that are manually allowed in the Threat Prevention > Anti-Spam Exceptions page.

Content based Anti-Spam timeout

Indicates the timeout (in seconds) to wait for an answer from the cloud during content-based Anti-Spam inspection.

E-mail size scan

Indicates the maximum size (in KB) of an email's content to scan.

IP reputation fail open

Indicates the action to take upon an internal error during the Anti-Spam IP reputation test.

IP reputation timeout

Indicates the timeout (in seconds) to wait for an IP reputation test result.

Scan outgoing emails

Scan the content of emails which are sent from the local network to the Internet.

Transparent proxy

Use a transparent proxy for inspected email connections. When disabled, configuration of the proxy address and port is required on client machines.

Table: Anti-Spoofing Attributes

Anti-Spoofing Attribute

Description

Enable global Anti-Spoofing

Indicates if Anti-Spoofing is enabled automatically on all interfaces according to their zone.

Table: Application & URL Filtering Attributes

Application & URL Filtering Attribute

Description

Block when service is unavailable

Indicates if web requests are blocked when the Check Point categorization and widget definitions Online Web Service is unavailable.

Categorize cached and translated pages

Indicates whether to perform URL categorization of cached pages and translated pages created by search engines.

Custom App over HTTPS

Indicates whether custom URLs and applications are matched over HTTPS traffic using the SNI field. Important note: because the SNI field in HTTPS traffic is browser-dependent and not reliable, it does not guarantee a 100% match.

Enforce safe search

Indicates if the URL Filtering policy overrides the Safe Search settings in the user's browser. Regardless of what the user has selected, the strictest Safe Search settings are applied. Explicitly sexual content is filtered out of the search engine's results.

Fail mode

Indicates the action to take on traffic in case of an internal system error or overload.

Track browse time

Shows in logs the total time that users are connected to different sites and applications in an HTTP session.

Use HTTP referer header

Indicates if the HTTP "Referer" header (the header name is a historical misspelling of "referrer") is used by the inspection engine to improve application identification.

Web site categorization mode

Indicates the mode that is used for website categorization:

Background - Requests are allowed until categorization is complete. When a request cannot be categorized with a cached response, an uncategorized response is received. Access to the site is allowed. In the background, the Check Point Online Web Service continues the categorization procedure. The response is then cached locally for future requests (default). This option reduces latency in the categorization procedure.

Hold - Requests are blocked until categorization is complete.

When a request cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization.

Table: Capacity Optimization Attributes

Capacity Optimization Attribute

Description

Connections hash table size

Indicates the size of the connections hash table in bytes.

This value must be an integer that is a power of two and approximately four times the Maximum concurrent connections value.

Maximum concurrent connections

Indicates the overall maximum number of concurrent connections.

Table: Cloud Services Firmware Upgrade Attributes

Cloud Services Firmware Upgrade Attribute

Description

Service access maximum retries

Indicates the maximum number of retries when failing to upgrade using the service.

Service access timeout until retry

Indicates the time (in seconds) to wait when there is a connection failure to the service before the next retry.

Table: Cluster Attributes

Cluster Attribute

Description

Use virtual MAC

Indicates if a virtual MAC address is used by all members to allow a quicker failover by the network's switch.

Using the virtual MAC address:

  • Minimizes the potential traffic outage during fail-over.

  • Removes the need to use G-ARPs for NATed IP addresses.

Table: DDNS Attributes

DDNS Attribute

Description

Iterations

Number of DNS updates.

Table: DHCP Bridge Attribute

DHCP Bridge Attribute

Description

MAC Assignment

Indicates whether the MAC address for the DHCP bridge is taken from an internal (LAN) or external port (WAN, DMZ).

Table: DHCP Relay Attributes

DHCP Relay Attribute

Description

Use internal IP addresses as source

Select Use internal IP addresses as source if DHCP relay packets from the appliance originate from internal IP addresses. This may be required if the DHCP server is located behind a remote VPN site.

Table: DSL Global Attributes

DSL Global Attribute

Description

DSL globals - VDSL2

Supports ITU G.993.2 VDSL2.

DSL globals - ADSL Dmt (G.992.1)

Supports ITU G.992.1 ADSL (G.dmt).

DSL globals - ADSL lite (G.992.2)

Supports ITU G.992.2 ADSL Lite (G.lite).

DSL globals - ADSL2 (G.992.2)

Supports ITU G.992.3 ADSL2.

DSL globals - ADSL2+ (G.992.5)

Supports ITU G.992.5 Annex M ADSL2+M.

DSL globals - T1.413

Supports ANSI T1.413-1998 Issue 2 ADSL.

DSL globals - Annex J/M

In an Annex A appliance: Combined with supported ADSL2+, it specifies Annex M ADSL2+. In an Annex B appliance: Combined with supported ADSL2, it specifies Annex J ADSL2.

DSL globals - Annex L

In an Annex A appliance: Combined with enabled ADSL2 (G.992.3) specifies support for Annex L.

DSL globals - 8a

Supports VDSL Profile 8a.

DSL globals - 8b

Supports VDSL Profile 8b.

DSL globals - 8c

Supports VDSL Profile 8c.

DSL globals - 8d

Supports VDSL Profile 8d.

DSL globals - 12a

Supports VDSL Profile 12a.

DSL globals - 12b

Supports VDSL Profile 12b.

DSL globals - 17a

Supports VDSL Profile 17a.

DSL globals - Seamless rate adaptation (SRA)

Enables seamless rate adaptation.

DSL globals - G.INP

Enhanced Impulse Noise Protection.

DSL globals - US0

Enables usage of first upstream band in VDSL.

Note - When all the ADSL standards are turned off in the Advanced Settings and you can only connect using the VDSL2 standard, the VPI, the VCI and the encapsulation options still appear even though they are not used to open an internet connection.

Table: Firewall Policy Attributes

Firewall Policy Attribute

Description

Blocked packets action

Action for blocked packets: Drop, reject or automatic (drop from external and reject from internal).

Log implied rules

Produce log records for connections that match implied rules.

Table: General Temporary Directory Size Attributes

General Temporary Directory Size Attribute

Description

General temporary directory size

Controls the size (in MB) of the general temporary directory.

System temporary directory size

Controls the size (in MB) of the temporary directory that is used by the system.

Table: Hardware Options Attributes

Hardware Options Attribute

Description

Reset to factory defaults timeout

The amount of time (in seconds) that you need to press and hold the factory defaults button on the appliance's back panel to restore the factory defaults image.

Table: Hotspot Attributes

Hotspot Attribute

Description

Enable portal

Select Disabled to disable the hotspot feature entirely.

Prevent simultaneous log-in

The same user is not allowed to log in via the hotspot portal from more than one machine in parallel.

Table: IP Fragments Parameters

IP Fragments Parameters Attribute

Description

Multiple parameters

These parameters let you configure how the appliance handles IP fragments.

It can either block fragmented IP packets or drop fragments when a configured threshold is reached.

Select one of these options:

  • Forbid IP Fragments - Fragmented IP packets are dropped.

  • Allow IP Fragments - Fragmented IP packets are allowed if they do not exceed a configured threshold. When selecting this option, you can configure the maximum number of accepted incomplete packets. You can also configure the timeout (in seconds) for holding unassembled fragmented packets before discarding them.
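The handler below is an added example (not appliance code) of the two options just listed: with fragments forbidden every fragment is dropped; with fragments allowed, incomplete datagrams are held until the last fragment arrives, a new datagram is refused once the configured number of incomplete packets is reached, and held fragments are discarded after the timeout. Offsets are plain byte offsets and the input is constructed and non-overlapping, both simplifications of real IPv4 reassembly.

```python
"""Fragment handling with the two IP Fragments options (constructed example, not appliance code)."""


class FragmentHandler:
    def __init__(self, allow_fragments=True, max_incomplete=200, hold_timeout=20):
        # allow_fragments=False models "Forbid IP Fragments"; the other two values model the
        # "maximum number of accepted incomplete packets" and the hold timeout (seconds).
        self.allow_fragments = allow_fragments
        self.max_incomplete = max_incomplete
        self.hold_timeout = hold_timeout
        self.pending = {}   # (src, dst, ident) -> {"first_seen", "parts": {offset: payload}, "total"}
        self.log = []

    def _expire(self, now):
        for key in [k for k, v in self.pending.items() if now - v["first_seen"] > self.hold_timeout]:
            self.log.append(f"t={now}: discarded incomplete packet {key} after {self.hold_timeout}s")
            del self.pending[key]

    def fragment(self, now, src, dst, ident, offset, more_fragments, payload):
        """Return ("drop", reason), ("hold", None) or ("reassembled", datagram_bytes).

        Offsets are byte offsets here (real IPv4 headers count them in 8-byte units)."""
        self._expire(now)
        if not self.allow_fragments:
            return ("drop", "forbid_ip_fragments")
        key = (src, dst, ident)
        entry = self.pending.get(key)
        if entry is None:
            if len(self.pending) >= self.max_incomplete:
                return ("drop", "max_incomplete_packets")
            entry = self.pending[key] = {"first_seen": now, "parts": {}, "total": None}
        entry["parts"][offset] = payload
        if not more_fragments:
            entry["total"] = offset + len(payload)   # the last fragment fixes the datagram length
        if entry["total"] is not None:
            covered = sum(len(p) for p in entry["parts"].values())
            if covered == entry["total"]:            # constructed input has no overlapping fragments
                buf = bytearray(entry["total"])
                for off, part in entry["parts"].items():
                    buf[off:off + len(part)] = part
                del self.pending[key]
                return ("reassembled", bytes(buf))
        return ("hold", None)


def scenario():
    """Constructed fragment sequence exercising hold, reassembly, the incomplete limit and the timeout."""
    h = FragmentHandler(allow_fragments=True, max_incomplete=1, hold_timeout=20)
    out = []
    out.append(h.fragment(0, "10.0.0.5", "10.0.0.8", 1, 0, True, b"ABCDEFGH")[0])    # hold
    out.append(h.fragment(1, "10.0.0.5", "10.0.0.8", 1, 8, False, b"IJKL"))          # reassembled
    out.append(h.fragment(5, "10.0.0.5", "10.0.0.8", 2, 0, True, b"first-only")[0])  # hold, never completed
    out.append(h.fragment(6, "10.0.0.5", "10.0.0.8", 3, 0, True, b"xxxx")[0])         # drop: one incomplete allowed
    out.append(h.fragment(30, "10.0.0.5", "10.0.0.8", 3, 0, True, b"xxxx")[0])        # hold: packet 2 timed out
    forbid = FragmentHandler(allow_fragments=False)
    out.append(forbid.fragment(0, "10.0.0.5", "10.0.0.8", 9, 0, True, b"zzzz")[1])    # forbid_ip_fragments
    return out, len(h.log)


if __name__ == "__main__":
    print(scenario())
```

The incomplete-packet limit and the hold timeout together bound how much memory a sender can tie up with fragments that never complete, which is the resource-exhaustion case these two settings exist to cap.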


Table: IP Resolving Attributes

IP Resolving Attributes

Description

IP Resolving - IP Resolving Activation

Enables or disables IP Resolving log enrichment.

IP Resolving - IP Resolving TTL

The time (in seconds) for which the hostname resolution is used.

Default is 3600.

Table: IPS Additional Parameters

IPS Additional Parameters Attribute

Description

Max ping limit

Indicates the maximum ping packet size that is allowed when the 'Max Ping Size' protection is active.

Non-standard HTTP ports

Enable HTTP inspection on non-standard ports for the IPS blade.

Table: IPS Engine Settings

IPS Engine Settings Attribute

Description

Allow protocol unknown commands

Normally, the IPS engine blocks protocol commands (for example, POP3 or IMAP commands) that it does not recognize.

When the advanced setting is set to "true", IPS allows the traffic.

Apply filter

Filter IPS protections to improve performance.

Type: Boolean

Default: true

Configure error page options for supported web protections - multiple parameters

Some web based protections can show an error page upon detection. This error page is configurable.

The protections that support the error page:

  • Malicious Code protector

  • Cross-Site Scripting

  • LDAP Injection

  • SQL Injection

  • Command Injection

  • Directory Traversal

  • Directory Listing

  • Error Concealment

  • HTTP Format Sizes

  • ASCII Only Request

  • ASCII Only Response Headers

  • HTTP Methods

Select one of these options that applies to all such protections:

  • Do not show

  • Show pre-defined HTML error page - You can configure an HTML page that opens when an attack is detected. To configure the page, go to Advanced Settings > IPS engine settings > HTML error page configuration.

  • Redirect to another URL - Enter a URL to which users are redirected when an attack is detected. You can also select to add an error code that provides more information about the detected attack. This is not recommended because the information can be misused by an attacker.

HTML error page configuration - multiple parameters

These settings allow you to configure a pre-defined HTML error page that is seen when the error page advanced settings are set to Show pre-defined HTML error page. Select one of these options:

  • Logo URL - Optionally enter a URL that leads to your company logo.

  • HTML error page configuration - Shows an error code that provides more information about the detected attack. This is not recommended because the information can be misused by an attacker.

  • Send detailed error code - You can enter manually defined text that is shown in the HTML page. Enter the text in the Description box. For example, "Access denied due to IPS policy violation."

Table: Internal Certificates Setting Attributes

Internal Certificate Settings Attribute

Description

Configure internal CA certificate expiration

The number of years the internal CA certificate is valid. This applies the next time the certificate is re-initialized.

Table: Internet Attributes

Internet Attribute

Description

Reset Sierra USB on LSI error

Indicates whether Sierra type USB modems are reset when they send an invalid LSI signal.

Path MTU Discovery Mode

Select from these options:

  • Disabled

  • Run Once - Runs once after establishing internet connection and tries to detect path MTU.

  • Run as a daemon - Runs in the background and tries to detect path MTU.

Table: Internet Connection Type

Internet Connection Type

Description

IPv4 over IPv6 (IPIP)

Indicates whether IPv4 over IPv6 (IPIP) Internet connection is enabled.

Default: false

Table: IoT Stats Attributes

IoT Stats Attributes

Description

IoT Stats Activation

Enables or disables IoT statistics collection.

Default: Enabled

Table: MAC Filtering Attributes

MAC Filtering Attribute

Description

MAC filtering state

MAC filtering state

Log blocked MAC addresses

Indicates if blocked MAC addresses should be logged.

Log suspension

Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator name.

Table: Managed Service Attributes

Managed Services Attribute

Description

Allow seamless administrator access from remote Management Server

Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator user name and password.

Show device details in Login

Indicates if appliance details are shown when an administrator accesses the appliance.

Table: Mobile Setting Attributes

Mobile Settings Attribute

Description

Mobile Settings - Notification cloud server URL

Cloud server URL used for sending mobile notifications.

Mobile Settings - Pairing code expiration

Time (in hours) until the pairing code expires.

Type: Integer

Mobile Settings - Verify SSL certificate

Verify the SSL certificate when sending a mobile notification to the cloud server.

Table: Multiple ISP Route Refresh Attributes

Multiple ISP Route Refresh Attribute

Description

Multiple ISP Route Refresh mode

Indicates whether acceleration refreshes routes in a multiple ISP configuration.

Table: NAT Attributes

NAT Attribute

Description

ARP manual file merge

When automatic ARP detection is enabled, indicates that the ARP definitions in a local file are used with higher priority. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the local.arp file and Automatic ARP configuration is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NAT IP address appears in both), the manual configuration is used.

Multiple parameters - IP Pool NAT

An IP Pool is a range of IP addresses (an Address Range, a network or a group of one of these objects) routable to the gateway. When a connection is opened to a server, the gateway substitutes an IP address from the IP Pool for the source IP address. Reply packets from the server return to the gateway, which restores the original source IP address and forwards the packets to the source.

When using IP Pool NAT, select an existing IP address range object. It must be previously defined in the Users & Objects > Networks Objects page. The IP Pool NAT mechanism allocates IP addresses from this range.

  • Use IP Pool NAT for VPN clients connections - Applies to connections from VPN remote access clients to the gateway.

  • Use IP Pool NAT for gateway to gateway connections - Applies to site to site VPN connections.

  • Prefer IP Pool NAT over Hide NAT - Specifies that IP Pool NAT has priority over Hide NAT, if both match the same connection. Hide NAT is only applied if the IP pool is used up.

  • Reuse IP addresses from the Pool for different destinations - Select this option to reuse IP addresses from the Pool for different destinations.

  • Unused addresses interval - Configure in minutes the time interval it takes for unused addresses to return to the IP addresses pool.

  • Address exhaustion tracking - Specifies the type of log to issue if the IP Pool is exhausted.

  • Address allocation and release tracking - Specifies whether to log each allocation and release of an IP address from the IP Pool.

Automatic ARP detection

When internal devices in the local network are defined using static NAT, the appliance must make sure packets to the static NAT IP address reach it. This option enables the appliance to automatically respond to ARP requests for those IP addresses.

Increase hide capacity

Indicates if hide-NAT capacity is given additional space.

NAT enable

Indicates if the device's NAT capabilities are enabled.

NAT cache expiration

Indicates the expiration time in minutes for NAT cache entries.

NAT cache number of entries

Indicates the maximum number of NAT cache entries.

NAT hash size

Indicates the hash bucket size of NAT tables.

NAT limit

Indicates the maximum number of connections with NAT.

Perform cluster hide fold

Indicates if local IP addresses are hidden behind the cluster IP address when applicable, as opposed to being hidden behind each cluster member's physical IP address.

Translate destination on client side

Translates destination IP addresses on client side (for automatically generated NAT rules).

Translate destination on client side (manual rules)

Translates destination IP addresses on client side (for manually configured NAT rules).

Table: Notification Policy Attributes

Notification Policy Attributes

Description

Notification Language

Notification language

Notifications Policy - Send push notifications

Indicates whether notifications are sent to mobile application.

Notifications Policy - The maximum number of notifications sent per hour

The maximum number of notifications sent to mobile devices per hour.

Table: Operating Systems Attributes

Operating Systems Attributes

Description

Operating system - operating system

tmpDirSize

Operating system - System temporary directory size

Controls the size (in MB) of the temporary directory that is used by the system.

Table: OS advanced settings

OS advanced settings attributes

Description

Cellular Backoff Algorithm Mode

Sets the cellular back-off algorithm mode (auto, force-disable, or force-enable). In auto mode, the back-off algorithm works only for the Rogers cellular carrier.

Disable transfer of DHCP options from WAN to LAN

Specifies whether transfer of DHCP options from WAN to LAN is disabled.

Type: Boolean

Default: false

Enable WAN on LAN

Specifies whether the LAN-on-WAN feature is on.

Type: Boolean

Default: false

Enable WiFi Monitors

Specifies whether WiFi monitors are on.

Type: Boolean

Default: false

Enable automatic WiFi Channel Change

Specifies whether WiFi switches channels automatically during operation.

Type: Boolean

Default: false

Enable destination check on PPPoE

Specifies whether the PPPoE destination check is enabled.

Type: Boolean

Default: false

Enable flow-control for network switch

Indicates if flow control is enabled for the network switch.

Type: Boolean

Default: false

Force cellular module to use 4G network

When disabled, the modem uses all available bands. When enabled, the modem uses 4G bands only.

Type: Boolean

Default: false


Table: Privacy Settings

Privacy Settings Attributes

Description

Help Check Point improve its products by sending data

Customer consent

Location Service requires sending your IP address to a 3rd party

Using the automatic timezone feature requires sending your location to a 3rd party.

Table: QoS Blade Attributes

QoS Blade Attribute

Description

Logging

Indicates if the appliance logs QoS events when the QoS blade is enabled.

Table: Reach My Device Attributes

Reach My Device Attribute

Description

Ignore SSL certificate

Indicates if the SSL certificate should be ignored when running the access service.

Server address

Indicates the address of the remote server that allows administration access to the appliance from the Internet even when behind NAT.

Table: Report Settings Attributes

Report Settings Attributes

Description

Report Settings - Max Period

Maximum period to collect and monitor data. You must reboot the appliance to apply changes.

Report Settings - Reports cloud server URL

Reports cloud server URL used to generate report PDF.



Table: Rest API Attribute

Rest API Attribute

Description

Rest API mode

Indicates whether the REST API is enabled.

Table: Serial Port Attributes

Serial Port Attribute

Description

Multiple Parameters

With the serial port parameters you can configure the console port on the back panel of the appliance.

You can disable it completely (clear the Enable serial port checkbox) if necessary and configure port speed and flow control settings. Note that these settings must match the configuration of the device connected to the console port.

There are three modes for working with this port:

  • Console - This is the default mode configured. The port is used to access the appliance's console.

  • Active - Instead of connecting through the port to the appliance's console, the data is relayed to a specified telnet server which can now be viewed through this port. Enter the Server TCP port of the telnet server and the IP address of the server. Two different server IP addresses can be configured (Primary server and Secondary server).

  • Passive - In this mode the flow of data is reversed and the appliance connects through the serial port to the console of the connected device. This console is accessible through a telnet connection to a configured port on the appliance. In Listen on TCP port, enter the port number.

To configure an implicit rule that allows traffic from any source to this port, make sure Implicitly allow traffic to this port is selected. If you do not create an implicit rule, you must manually define an access rule in the Firewall Rule Base.

Two appliances, one in active mode and the other in passive mode, can allow a client to remotely connect to a console connected to the appliance in passive mode over the internet using a telnet connection.

Table: SSL Inspection Attributes

SSL Inspection Attribute

Description

Additional HTTPS ports

Additional HTTPS ports for SSL inspection (a comma separated list of ports/ranges).

Log empty SSL connections

Log connections that were terminated by the client before data was sent. This might indicate the client did not install the CA certificate.

Retrieve intermediate CA certificates

Indicates if the SSL inspection mechanism will perform its validations on all intermediate CA certificates in the certificate chain.

Track validation errors

Choose if the SSL Inspection validations are tracked.

Validate CRL

Indicates if the SSL inspection mechanism will drop connections that present a revoked certificate.

Validate Expiration

Indicates if the SSL inspection mechanism will drop connections that present an expired certificate.

Validate unreachable CRL

Indicates if the SSL inspection mechanism will drop connections that present a certificate with an unreachable CRL.

Validate untrusted certificates

Indicates if the SSL inspection mechanism will drop connections that present an untrusted server certificate.

Table: Stateful Inspection Attributes

Stateful Inspection Attribute

Description

Accept out of state TCP packets

Indicates if TCP packets which are not consistent with the current state of the TCP connection are dropped (when set to 0) or accepted (when set to any other value).

Accept stateful ICMP errors

Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.

Accept stateful ICMP replies

Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.

Accept stateful UDP replies for unknown services

Specifies if UDP replies are to be accepted for unknown services. In each UDP service object it is possible to configure whether UDP replies for it are accepted if the service is matched on a rule which accepts traffic. This parameter refers to all connections which are not covered by the service objects.

Accept stateful other IP protocols replies for unknown services

Accept stateful other IP protocols replies for unknown services. In each service object it is possible to configure whether replies for it are accepted if the service is matched on a rule which accepts traffic. This parameter refers to all non-TCP/UDP connections which are not covered by the service objects.

Allow LAN-DMZ DPI

Allow Deep Packet Inspection in traffic between internal networks and the DMZ network.

Note - DMZ is not supported in 1530 / 1550 appliances.

Allow LAN-LAN DPI

Allow Deep Packet Inspection in traffic between internal networks.

Drop out of state ICMP packets

Drop ICMP packets which are not in the context of a "virtual session".

ICMP virtual session timeout

An ICMP virtual session is considered to have timed out after this time period (in seconds).

Log dropped out of state ICMP packets

Indicates if dropped out of state ICMP packets generate a log. See the "Drop out of state ICMP packets" parameter.

Log dropped out of state TCP packets

Indicates if dropped out of state TCP packets generate a log. See the "Accept out of state TCP packets" parameter.

Other IP protocols virtual session timeout

A virtual session of services which are not TCP, UDP or ICMP is considered to have timed out after this time period (in seconds).

TCP end timeout

Indicates the timeout (in seconds) for TCP session end. A TCP session is considered as "ended" following two FIN packets, one in each direction, or an RST packet.

TCP session timeout

Indicates the timeout (in seconds) for TCP sessions. A TCP session times out if the connection remains idle for longer than this time period.

TCP start timeout

Indicates the timeout (in seconds) for TCP session start. A TCP connection times out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds this time period.

UDP virtual session timeout

A UDP virtual session is timed out after this time period (in seconds).
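The tracker below is an added example (not Check Point code) of how the TCP attributes in this table fit together: a connection has a start timeout while the three-way handshake is incomplete, a session timeout while established, and an end timeout after two FINs or an RST, and a packet that matches no tracked connection state is either dropped (Accept out of state TCP packets set to 0) or accepted, with dropped packets logged when the log attribute is on. The timeout values, addresses and packet sequence are constructed for the illustration; the page does not list the appliance defaults.

```python
"""TCP connection tracker driven by the Stateful Inspection timeouts (constructed example, not appliance code)."""
from dataclasses import dataclass, field


@dataclass
class TcpPolicy:
    # Constructed values for the example; the page does not list the appliance defaults.
    tcp_start_timeout: int = 25      # seconds allowed to complete the three-way handshake
    tcp_session_timeout: int = 3600  # idle timeout of an established session
    tcp_end_timeout: int = 20        # seconds a session lingers after FIN/FIN or RST
    accept_out_of_state: int = 0     # 0 = drop out-of-state packets, any other value = accept
    log_out_of_state: bool = True    # "Log dropped out of state TCP packets"


@dataclass
class Flow:
    state: str                       # "START", "ESTABLISHED" or "END"
    last: float                      # time of the last packet on this flow
    initiator: int                   # direction (0 or 1) that sent the SYN
    fin_dirs: set = field(default_factory=set)


class TcpTracker:
    def __init__(self, policy: TcpPolicy):
        self.p, self.flows, self.logs = policy, {}, []

    def _timeout(self, flow):
        return {"START": self.p.tcp_start_timeout,
                "ESTABLISHED": self.p.tcp_session_timeout,
                "END": self.p.tcp_end_timeout}[flow.state]

    def _expire(self, now):
        for key in [k for k, f in self.flows.items() if now - f.last > self._timeout(f)]:
            del self.flows[key]

    def _out_of_state(self, now, key, flags):
        if self.p.accept_out_of_state:
            return "accept"
        if self.p.log_out_of_state:
            self.logs.append(f"t={now}: dropped out-of-state TCP {key} flags={sorted(flags)}")
        return "drop"

    def packet(self, now, src, dst, flags):
        """src/dst are 'ip:port' strings; flags is a set drawn from SYN, ACK, FIN, RST."""
        self._expire(now)
        key = tuple(sorted((src, dst)))          # one entry per bidirectional connection
        direction = 0 if (src, dst) == key else 1
        flow = self.flows.get(key)
        if flow is None:
            if flags == {"SYN"}:
                self.flows[key] = Flow("START", now, direction)
                return "accept"
            return self._out_of_state(now, key, flags)   # no SYN seen: matches no connection state
        flow.last = now
        if "RST" in flags:
            flow.state = "END"
            return "accept"
        if flow.state == "START":
            if flags == {"SYN"} and direction == flow.initiator:
                return "accept"                          # retransmitted SYN
            if flags == {"SYN", "ACK"} and direction != flow.initiator:
                return "accept"
            if flags == {"ACK"} and direction == flow.initiator:
                flow.state = "ESTABLISHED"               # handshake complete
                return "accept"
            return self._out_of_state(now, key, flags)
        if flow.state == "ESTABLISHED" and "FIN" in flags:
            flow.fin_dirs.add(direction)
            if len(flow.fin_dirs) == 2:
                flow.state = "END"                       # one FIN in each direction
        return "accept"                                  # data, or trailing ACKs during END


def scenario(policy=None):
    """Constructed packet sequence: a full session, a stray ACK, and a handshake that never completes."""
    t = TcpTracker(policy or TcpPolicy())
    c, s, stray = "10.0.0.5:40000", "10.0.0.8:443", "1.2.3.4:5555"
    v = [
        t.packet(0, c, s, {"SYN"}),             # accept, START
        t.packet(1, s, c, {"SYN", "ACK"}),      # accept
        t.packet(2, c, s, {"ACK"}),             # accept, ESTABLISHED
        t.packet(3, stray, s, {"ACK"}),         # no connection and not a SYN: out of state
        t.packet(3000, c, s, {"FIN", "ACK"}),   # idle 2998 s < 3600 s session timeout
        t.packet(3001, s, c, {"FIN", "ACK"}),   # second FIN, END
        t.packet(3002, c, s, {"ACK"}),          # final ACK inside the end timeout
        t.packet(3100, c, s, {"ACK"}),          # end timeout passed: connection gone, out of state
        t.packet(4000, "10.0.0.6:40001", s, {"SYN"}),
        t.packet(4100, s, "10.0.0.6:40001", {"SYN", "ACK"}),  # start timeout passed: out of state
    ]
    return v, len(t.flows), len(t.logs)


if __name__ == "__main__":
    print(scenario())
```

With Accept out of state TCP packets left at 0 the stray and late packets are dropped and logged, which is the behaviour that lets the log attribute surface asymmetric routing or a peer that keeps sending after the gateway has aged the connection out.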

Table: Streaming Engine Setting Attributes

Streaming Engine Settings Attribute

Description

Multiple parameters

These settings determine how the TCP streaming engine used by the various deep inspection blades (IPS, Application Control, Anti-Bot, Anti-Virus, etc.) handles protocol violations and events that prevent the streaming engine from further inspection.

We highly recommend that these settings always be in prevent mode. Using these settings in detect mode may significantly lower security as inspection stops when the event or violation occurs.

When the configuration is set to log such events, the logs are shown in Logs & Monitoring > Security Logs under the IPS blade.

For each violation or event configure the action and tracking mode.

TCP Segment Limit Enforcement

For every TCP segment that passes through the gateway, the gateway retains a copy of the segment until it receives an acknowledgment that the segment was received. This buffered data occupies space in the gateway's memory. This setting enforces a limit on the number and size of buffered segments per connection. When a connection reaches one of these limits, the gateway does not accept new segments for this connection until buffered segments are acknowledged.

TCP Out of Sequence

The receiving host of a TCP stream buffers segments and retains only those segments within a specified window. Segments outside this window are not processed by the receiving host. TCP segments which are outside the TCP receiving window should not be processed by the gateway. All data from TCP segments that are outside of the window is either dropped or removed. If the segment is near the window, data is stripped. If the segment is far from the window, the segment is dropped.

TCP Invalid Retransmission

For every TCP segment that passes through the gateway, the gateway retains a copy of the segment until the gateway receives an acknowledgment that the segment was received. If no acknowledgment is received, the source machine sends the segment again, which the gateway compares to its copy to verify that the new packet matches the original. Passing a retransmission that differs from the original allows uninspected data to reach the destination application. This setting blocks segment retransmissions that differ from the original segments, which assures that the gateway inspects all data that is processed by the receiving application. When set to detect, such retransmissions cause the traffic to bypass deep inspection blades.

TCP Invalid Checksum

The gateway does not need to inspect packets with an invalid TCP checksum because these packets are dropped by the receiving host's TCP stack. This blocks TCP packets with an invalid checksum. Due to malfunctioning networking equipment, it is normal to see some packets with an incorrect checksum on the network. This does not indicate an attempted attack and for this reason, the default is to NOT log such events.

TCP SYN Modified Retransmission

A TCP SYN packet may be retransmitted with a changed sequence number in an attempt to initiate a connection that IPS does not inspect. This blocks a SYN retransmission where the sequence number has been modified. When set to detect, such retransmissions cause the traffic to bypass deep inspection blades.

TCP Urgent Data Enforcement

Some TCP protocols, such as Telnet, send out-of-band data using the TCP URG bit as part of the protocol syntax, whereas most protocols don't use the TCP out-of-band functionality. Allowing packets with the URG bit may prevent the gateway from determining what data would be processed by the receiving application. This could lead to a situation where the data inspected by the gateway is not what the receiving application processes, thus allowing IPS protections to be bypassed. When a packet with the URG bit is received in a protocol that does not support out-of-band functionality, the gateway cannot determine whether the receiving application processes the data. This removes the URG bit from TCP segments with the URG bit set in protocols which do not support the TCP out-of-band functionality. When set to detect, usage of the URG bit causes the traffic to bypass deep inspection blades.

Stream Inspection Timeout

A connection being inspected by a dedicated process may be delayed until inspection is completed. If inspection is not completed within a time limit, the connection is dropped so that resources are not kept open. This blocks connections whose inspection timeout has expired. When set to detect, exceeding the timeout causes the traffic to bypass deep inspection blades.
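The three TCP checks described above (segment limit enforcement, out-of-sequence handling, and invalid retransmission) all follow from one fact: the gateway keeps a copy of each unacknowledged segment and only trusts bytes that fall inside the receiver's window. The following is an added example, not Check Point's streaming engine, that models those rules in a few dozen lines so the verdicts can be traced on a constructed stream; the window size, the "near the window" margin, the buffer limits and the verdict names are this example's own constructed choices.

```python
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int        # sequence number of the first byte
    data: bytes


@dataclass
class StreamState:
    rcv_nxt: int                 # next byte the receiver expects (left edge of the window)
    window: int = 1024           # receiver window in bytes (constructed)
    near_margin: int = 512       # distance outside the window that still counts as "near" (constructed)
    max_segments: int = 4        # segment-limit enforcement: buffered segments per connection (constructed)
    max_bytes: int = 2048        # segment-limit enforcement: buffered bytes per connection (constructed)
    buffered: dict = field(default_factory=dict)  # seq -> original data, kept until acknowledged


def segment_verdict(st, seg):
    """Classify one segment in one direction of a stream. Returns (verdict, data),
    where data is what the gateway would inspect and forward."""
    start, end = seg.seq, seg.seq + len(seg.data)
    win_lo, win_hi = st.rcv_nxt, st.rcv_nxt + st.window

    # TCP Invalid Retransmission: a segment still held must be byte-identical to the copy.
    if seg.seq in st.buffered:
        if st.buffered[seg.seq] == seg.data:
            return "retransmission", seg.data
        return "invalid_retransmission", b""      # differing bytes would reach the app uninspected

    # TCP Out of Sequence: entirely outside the window, near it or far from it.
    if end <= win_lo or start >= win_hi:
        far = start >= win_hi + st.near_margin or end <= win_lo - st.near_margin
        return ("drop", b"") if far else ("strip", b"")

    # Partial overlap: keep only the bytes that fall inside the window.
    data = seg.data[max(start, win_lo) - start:min(end, win_hi) - start]
    verdict = "accept" if len(data) == len(seg.data) else "strip"

    # TCP Segment Limit Enforcement: refuse new data until buffered segments are acknowledged.
    held_bytes = sum(len(d) for d in st.buffered.values())
    if len(st.buffered) >= st.max_segments or held_bytes + len(seg.data) > st.max_bytes:
        return "limit", b""

    st.buffered[seg.seq] = seg.data
    return verdict, data


def on_ack(st, ack):
    """Release segments the receiver has acknowledged and slide the window."""
    for seq in [s for s, d in st.buffered.items() if s + len(d) <= ack]:
        del st.buffered[seq]
    st.rcv_nxt = max(st.rcv_nxt, ack)


def demo():
    """Constructed client-to-server stream starting at sequence number 1000."""
    st = StreamState(rcv_nxt=1000)
    events = [
        Segment(1000, b"GET / HTTP/1.1\r\n"),      # 16 bytes, in window
        Segment(1000, b"GET / HTTP/1.1\r\n"),      # identical retransmission
        Segment(1000, b"GET /x HTTP/1.1\r"),       # same seq, different bytes
        Segment(1016, b"Host: a\r\n"),             # 9 bytes, in window
        Segment(3000, b"A" * 10),                  # far beyond the window
        Segment(2100, b"B" * 10),                  # just beyond the window
        Segment(2020, b"C" * 10),                  # straddles the right edge
        Segment(1025, b"D" * 5),                   # fourth buffered segment
        Segment(1030, b"E"),                       # over the segment limit
    ]
    verdicts = [segment_verdict(st, s)[0] for s in events]
    on_ack(st, 1030)                               # receiver acknowledges up to 1030
    return verdicts, sorted(st.buffered)


if __name__ == "__main__":
    print(demo())
```

The third event is the case the "TCP Invalid Retransmission" entry warns about: the same sequence number carrying different bytes. In prevent mode the model returns no data for it, and in detect mode the table above notes that such traffic bypasses deep inspection, which is why the page recommends prevent for all of these settings.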

Table: Threat Prevention Anti-Bot Policy Attributes

Threat Prevention Anti-Bot Policy Attribute

Description

Resource classification mode

Indicates the mode used by the Anti-Bot engine for resource classification:

  • Hold - Connections are blocked until classification is complete.

    When a connection cannot be classified with the cached responses, it remains blocked until the Check Point Online Web Service completes classification.

  • Background - Connections are allowed until classification is complete. When a connection cannot be classified with a cached response, an uncategorized response is received. The connection is allowed. In the background, the Check Point Online Web Service continues the classification procedure. The response is then cached locally for future requests. This option reduces latency in the classification process.

Table: Threat Prevention Anti-Virus Policy Attributes

Threat Prevention Anti-Virus Policy Attribute

Description

File scan size limit

Indicates the size limit (in KB) of a file scanned by the Anti-Virus engine. To specify no limit, set to 0.

MIME maximum nesting level

For emails that contain nested MIME content, set the maximum number of levels that the ThreatSpect engine scans in the email.

MIME nesting level exceeded action

If there are more nested levels of MIME content than the configured amount, select to Block or Allow the email file.

Priority scanning

Scan according to security and performance priorities for maximum optimization.

Resource classification mode

Indicates the mode used by the Anti-Virus engine for resource classification:

  • Hold - Connections are blocked until classification is complete.

    When a connection cannot be classified with the cached responses, it remains blocked until the Check Point Online Web Service completes classification.

  • Background - Connections are allowed until classification is complete. When a connection cannot be classified with a cached response, an uncategorized response is received. The connection is allowed. In the background, the Check Point Online Web Service continues the classification procedure. The response is then cached locally for future requests. This option reduces latency in the classification process.
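The Hold and Background modes described for both the Anti-Bot and the Anti-Virus engine above trade latency against the chance that the first connection to an uncategorized resource gets through. The following is an added example, not Check Point code, that models the two modes with a local cache and a slow stand-in for the Check Point Online Web Service; the Classifier class, the constructed domain c2.bad.example and the verdict names are this example's own.

```python
from concurrent.futures import ThreadPoolExecutor
import threading
import time


def online_classify(resource, delay=0.05):
    """Constructed stand-in for the Check Point Online Web Service: a slow lookup
    that flags any host under the made-up domain .bad.example."""
    time.sleep(delay)
    return "malicious" if resource.endswith(".bad.example") else "benign"


class Classifier:
    """Resource classification in 'hold' or 'background' mode with a local cache."""

    def __init__(self, mode, lookup=online_classify):
        if mode not in ("hold", "background"):
            raise ValueError(mode)
        self.mode = mode
        self.lookup = lookup
        self.cache = {}
        self.lock = threading.Lock()
        self.pool = ThreadPoolExecutor(max_workers=4)

    @staticmethod
    def _action(category):
        return "block" if category == "malicious" else "allow"

    def _classify_and_cache(self, resource):
        category = self.lookup(resource)
        with self.lock:
            self.cache[resource] = category          # cached for future requests
        return category

    def decide(self, resource):
        """Return (action, category) for one connection to the given resource."""
        with self.lock:
            cached = self.cache.get(resource)
        if cached is not None:                       # cached responses answer at once
            return self._action(cached), cached
        if self.mode == "hold":
            # the connection stays blocked until the online service answers
            category = self._classify_and_cache(resource)
            return self._action(category), category
        # background: allow now, classify asynchronously, cache for the next request
        self.pool.submit(self._classify_and_cache, resource)
        return "allow", "uncategorized"

    def drain(self):
        """Wait for outstanding background classifications (used by the demo)."""
        self.pool.shutdown(wait=True)
        self.pool = ThreadPoolExecutor(max_workers=4)


def demo():
    """First and second connection to the same constructed C2 host in each mode."""
    host = "c2.bad.example"
    hold = Classifier("hold")
    hold_first, hold_second = hold.decide(host), hold.decide(host)
    bg = Classifier("background")
    bg_first = bg.decide(host)
    bg.drain()
    bg_second = bg.decide(host)
    return {"hold": (hold_first, hold_second), "background": (bg_first, bg_second)}


if __name__ == "__main__":
    print(demo())
```

In Background mode the first connection to the constructed host is allowed with an uncategorized verdict and only the second one is blocked; in Hold mode both are blocked, at the cost of waiting for the lookup on the first.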

Table: Threat Prevention Threat Emulation Policy Attributes

Threat Prevention Threat Emulation Policy Attribute

Description

Emulation connection handling mode - IMAP

Indicates the strictness mode of the Threat Emulation engine over IMAP:

  • Background - Connections are allowed while the file emulation runs (if needed) until emulation handling is complete.

  • Hold - Connections are blocked until the file emulation is completed.

Emulation connection handling mode - POP3

Indicates the strictness mode of the Threat Emulation engine over POP3:

  • Background - Connections are allowed while the file emulation runs (if needed).

  • Hold - Connections are blocked until the file emulation is completed.

Emulation connection handling mode - SMTP

Indicates the strictness mode of the Threat Emulation engine over SMTP:

  • Background - Connections are allowed while the file emulation runs (if needed).

  • Hold - Connections are blocked until the file emulation is completed.

Emulation location

Indicates if emulation is done on Public ThreatCloud or on remote (private) SandBlast.

Primary emulation gateway

The IP address of the primary remote emulation gateway.

Table: Threat Prevention Policy Attributes

Threat Prevention Policy Attribute

Description

Block when service is unavailable

Block web requests traffic when the Check Point ThreatCloud online web service is unavailable.

Fail mode

Indicates the action to take (Allow all requests or Block all requests) on traffic in case of an internal system error or overload.

File inspection size limit

Indicates the size limit (in KB) of a file inspected by Threat Prevention engines.

Note - A limit too low may have an impact on the functionality of the Application Control blade. To specify no limit, set to 0.

Method for skipping HTTP inspection

Warning: Changing the setting to Full has a severe security impact.

An HTTP connection can be made up of many sessions. A file that is part of an HTTP connection passes in one HTTP session.

If a non-zero File inspection size limit is configured, the Default setting of Method for skipping HTTP inspection is that file inspection is skipped to the end of the session, and resumes in the next HTTP session.

If a non-zero File inspection size limit is configured and the Method for skipping HTTP inspection is changed to Full, file inspection is skipped to the end of the connection and resumes in the next connection. This improves performance because the remaining part of the connection is fully accelerated. However, changing the setting to Full is not recommended because of a severe security impact: The remaining sessions of the connection are not inspected.

Threat Prevention policy - Update Threat Prevention With Full Packages

Update Threat Prevention with the most up to date packages.

Allow me to view attack statistics in my User Center account

Allow viewing attack statistics in your User Center Account. For more information, see Threat Prevention - Infinity SOC.

Allow IP address information in attack statistics

Optional: Enable the real IP address information in the attack reports (see sk164332, section "De-obfuscate the real IP of the victim").

Table: USB Modem Watchdog Attributes

USB Modem Watchdog Attribute

Description

Interval

Indicates how often (in minutes) the USB modem watchdog probes the internet.

Mode

Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type.

To enable USB modem watchdog when internet probing indicates there is no internet access, select one of these reset options:

  • Disabled - Default.

  • Hard reset - Shuts down the power for the USB modem and turns it on again.

  • Gateway reset - Restarts the appliance.

  • Hard Gateway reset - First reboots the gateway and, if that is not successful, restarts the appliance.

USB only

Monitor only USB modem connection and not other internet connections.

In this mode, when monitoring other internet connections, gateway reset only occurs when probing fails on all internet connections (and not just USB modem).

Type: Boolean

Table: Update services schedule Attributes

Update Services Schedule Attribute

Description

Maximum number of retries

Indicates the maximum number of retries for a single update when the cloud is unavailable.

Timeout until retry

Indicates the timeout (in seconds) until update retry.

Table: User Awareness Attributes

User Awareness Attribute

Description

Active Directory association timeout

Indicates the timeout (in minutes) for caching an association between a user and an IP address.

Allow DNS for unknown users

Indicates that DNS traffic from unauthenticated users is not blocked when Block unauthenticated users when the captive portal is not possible is selected in Users & Objects > User Awareness > Browser-Based Authentication > Identification tab.

Without DNS traffic, the browsers of end users may not show the Captive Portal.

Assume single user per IP address

When Active Directory Queries is enabled in Users & Objects > User Awareness, the parameter indicates that only one user can be identified from a single device. When two or more users connect from a device, only the last user to log on is identified.

Log blocked unknown users

Indicates if unauthenticated users that are blocked are logged when Block unauthenticated users when the captive portal is not possible is selected in Users & Objects > User Awareness > Browser-Based Authentication > Identification tab.

Table: User Management Attributes

User Management Attribute

Description

Automatically delete expired local users

Automatically delete all expired local users every 24 hours (after midnight).

Table: VPN Remote Access Attributes

VPN Remote Access Attribute

Description

Allow clear Traffic while disconnected

Indicates whether traffic to the VPN domain, when the Remote Access VPN client is not connected to the site, is sent without encryption (clear) or dropped.

Allow simultaneous login

Indicates if a user can log in to multiple sessions. If the option is disabled, and a user logs in a second time with the same credentials, the previous session is disconnected.

Authentication timeout

Indicates the amount of time (in minutes) the remote client's password remains valid if timeout is enabled.

Authentication timeout enable

Indicates if the remote client's password remains valid only for a configured amount of time (Authentication timeout attribute).

Auto-disconnect in VPN domain

Indicates if the client disconnects automatically to save resources when it connects from inside the secured internal network (local encryption domain).

Back connections enable

Enable back connections from the encryption domain behind the gateway to the client.

Back connections keep-alive interval

Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections.

Enable Visitor Mode on All Interfaces

Enable Visitor Mode on This Interface

This dialog box lets you configure a specified interface for visitor mode. Visitor mode allows the appliance to listen for TCPT traffic on a specified port (by default port 443) as backup to IKE connections from the remote access client.

This mode is normally used to allow VPN remote access connections from behind restrictive environments such as hotels.

Modifying visitor mode to be enabled only on a specific interface is not recommended.

Encrypt DNS traffic

Indicates if DNS queries sent by the remote client to a DNS server located in the encryption domain are passed through the VPN tunnel.

Encryption Method

Indicates which IKE encryption method (version) is used for IKE phase 1 and 2.

Endpoint Connect re-authentication timeout

Indicates the time (in minutes) until the Endpoint Connect user's credentials are resent to the gateway to verify authorization.

IKE IP Compression Support

Indicates if IPSec packets from remote access clients are compressed.

IKE Over TCP

Enables support of IKE over TCP.

IKE restart recovery

When dealing with Remote Access clients, the appliance cannot initiate an IKE phase 1 negotiation because the client address is unknown. If the appliance has an active SA with a Remote Access client and it restarts, the SA is lost, and the appliance cannot initiate IKE phase 1. But, if the restart option is selected, the appliance saves the tunnel details every minute. When the first encrypted packet arrives after the appliance restarts, the appliance sends a Delete SA message. This causes the remote client to discard the old SA and initiate IKE phase 1 to reopen the tunnel.

Legacy NAT traversal

Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient.

Match on Internal Rule Base only

Traffic from Remote Access clients is always matched on the Incoming/Internal/VPN rulebase, including traffic to the Internet.

Minimum TLS version support in the SSL VPN portal

Indicates the minimum TLS protocol version that the SSL VPN portal supports. For security reasons, we recommend supporting TLS 1.2 and above.

Office Mode Enable With Multiple Interfaces

Indicates if a mechanism (with a performance impact) to improve connectivity between remote access client and an appliance with multiple external interfaces is enabled.

Office Mode Perform Anti-Spoofing

Single Office Mode Per Site

  • Office Mode Perform Anti-Spoofing - If this option is selected, VPN verifies that packets whose encapsulated IP address is an Office Mode IP address are indeed coming from an address of a client working in Office Mode. If the addresses are allocated by a DHCP server, VPN must know the range of allocated addresses from the DHCP scope for the Anti-Spoofing feature to work. Define a Network object that represents the DHCP scope and select it here.

  • Single Office Mode Per Site - After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateway's encryption domain goes out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain recognize as the remote user's IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. As the remote host's connections are dependent on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site terminate.

Office Mode allocate from RADIUS

Indicates if the Office Mode allocated IP addresses are taken from the RADIUS server used to authenticate the user.

Office Mode disable

Indicates if Office Mode (allocating IP addresses for Remote Access clients) is disabled. This is not recommended.

Passwords caching on client

Indicates if password caching is used. This means that re-authentication is not necessary when the client tries to access more than one gateway.

Prevent IP NAT Pool

Prevent IP Pool NAT configuration from being applied to Office Mode users. This is needed when using SecureClient as well as other VPN clients (see sk20251).

Radius retransmit timeout

Timeout interval (in seconds) for each RADIUS server connection attempt.

Remote Access port

Reserve port 443 for port forwarding

The default remote access port is port 443. If there is a conflict with another server using this port number, configure a different Remote access port. You must change the default remote access port if the Check Point VPN client, Mobile client, or SSL VPN remote access methods are enabled as they use port 443 by default. If you change the default port number 443, make sure to select Reserve port 443 for port forwarding.

SNX keep-alive interval

Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets.

SNX re-authentication timeout

Indicates the time (in minutes) between re-authentication of SSL Network Extender remote access users.

SNX support 3DES

Indicates if the 3DES encryption algorithm is supported in SSL clients as well as the default algorithms.

SNX support RC4

Indicates if the RC4 encryption algorithm is supported in SSL clients as well as the default algorithms.

SNX uninstall

This parameter lets you configure under which conditions the SSL Network Extender client uninstalls itself. The options are: Do not uninstall automatically (recommended default), always uninstall upon disconnection, and ask the user upon disconnection.

SNX upgrade

This parameter lets you configure under which conditions the SSL Network Extender client installs itself. The options are: Do not upgrade automatically, always upgrade, and ask the user (default).

Topology updates manual interval

Indicates the manually configured interval (in hours) for topology updates to the clients. Applicable only if the override setting is set to true.

Topology updates override

Indicates if the configured topology updates settings override the default 'once a week' policy.

Topology updates upon startup only

Indicates if topology updates occur only when the client starts. Applicable only if the override setting is set to true.

Verify device certificate

The remote access client verifies the device's certificate against the revocation list.

block user if belongs to at least one group without permission

Indicates if strict group permissions are enabled: a user does not have remote access permission if the user belongs to at least one group without remote access permission.

Table: VPN Site to Site Global Setting Attributes

VPN Site to Site Global Settings Attribute

Description

Accept NAT Traversal

Indicates if industry standard NAT traversal (UDP encapsulation) is enabled. This enables VPN tunnel establishment even when the remote site is behind a NAT device.

Administrative notifications

Indicates how to log an administrative event (for example, when a certificate is about to expire).

Check validity of IPSec reply packets

Indicates whether to check the validity of IPSec reply packets.

Cluster SA sync packets threshold

Sync SA with other cluster members when the number of packets reaches this threshold.

Copy DiffServ mark from encrypted /decrypted IPSec packet

Copy DiffServ mark from encrypted/decrypted IPSec packet.

Copy DiffServ mark to encrypted/ decrypted IPSec packet

Copy DiffServ mark to encrypted/decrypted IPSec packet.

DPD triggers new IKE negotiation

DPD triggers new IKE negotiation.

Delete IKE SAs from a dead peer

Delete IKE SAs from a dead peer.

Delete IPsec SAs on IKE SA delete

Delete IPsec SAs on IKE SA delete.

Delete tunnel SAs when Tunnel Test fails

When permanent VPN tunnels are enabled and a Tunnel Test fails, delete the relevant peer's tunnel SAs.

Do not encrypt connections originating from the local gateway

Packets whose original source or destination IP address is the local gateway's Internet Connection IP address do not go through a VPN tunnel. This parameter may be useful when the gateway is behind Hide NAT.

Do not encrypt local DNS requests

When enabled, DNS requests originating from the appliance will not be encrypted. Relevant when a configured DNS server is in a VPN peer's encryption domain.

Enable encrypted packets rerouting

Indicates if encrypted packets are rerouted through the best interface according to the peer's IP address or probing. We do not recommend changing this value to false.

Grace Period after CRL is no longer valid

CRL grace period is required to resolve the issue of differing clock times between the appliance and the remote CA.

A grace period permits a wider window for CRL validity.

Indicates the time (in seconds) after which a revoked certificate of a remote site remains valid.

Grace Period before CRL is valid

CRL grace period is required to resolve the issue of differing clock times between the appliance and the remote CA.

A grace period permits a wider window for CRL validity.

Indicates the time window (in seconds) where a certificate is considered valid prior to the time set by the CA.
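The two grace periods above widen the window in which the appliance treats a peer's CRL as usable, so that a CA clock that is slightly ahead of or behind the appliance's clock does not break certificate checking. The following is an added example, not Check Point code, that shows one way to apply such grace periods: it compares the local clock against the CRL's thisUpdate and nextUpdate times, each extended by the corresponding grace, and fails closed when no usable CRL is available (that fail-closed behaviour is this example's assumption, not something the page states). The Crl dataclass, the serial numbers and the grace values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Crl:
    this_update: datetime      # when the CA issued this CRL
    next_update: datetime      # when the CA promised the next one
    revoked_serials: frozenset


def crl_status(crl, now, grace_before_s, grace_after_s):
    """Classify a CRL against the local clock, widening its validity window by the
    two grace periods: 'not_yet_valid', 'valid' or 'expired'."""
    if now < crl.this_update - timedelta(seconds=grace_before_s):
        return "not_yet_valid"          # CA clock ahead of ours by more than the grace
    if now > crl.next_update + timedelta(seconds=grace_after_s):
        return "expired"                # CRL stale beyond the grace
    return "valid"


def certificate_accepted(serial, crl, now, grace_before_s, grace_after_s):
    """Decide whether a peer certificate passes revocation checking.
    Returns (accepted, reason). Fails closed without a usable CRL (assumption)."""
    status = crl_status(crl, now, grace_before_s, grace_after_s)
    if status != "valid":
        return False, f"crl_{status}"
    if serial in crl.revoked_serials:
        return False, "revoked"
    return True, "ok"


# Constructed CRL: issued 2024-01-01 12:00 UTC, next update promised a week later.
SAMPLE_CRL = Crl(
    this_update=datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
    next_update=datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc),
    revoked_serials=frozenset({0x1234}),
)
GRACE_BEFORE_S = 300    # constructed values, not the appliance defaults
GRACE_AFTER_S = 3600


def demo():
    """Check an unrevoked constructed serial at four local-clock positions."""
    t, n = SAMPLE_CRL.this_update, SAMPLE_CRL.next_update
    checks = {
        "ca_clock_200s_ahead": t - timedelta(seconds=200),   # inside the before-grace
        "ca_clock_400s_ahead": t - timedelta(seconds=400),   # outside the before-grace
        "crl_30min_stale": n + timedelta(minutes=30),        # inside the after-grace
        "crl_2h_stale": n + timedelta(hours=2),              # outside the after-grace
    }
    return {name: certificate_accepted(0x5678, SAMPLE_CRL, now, GRACE_BEFORE_S, GRACE_AFTER_S)
            for name, now in checks.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The trade-off the example makes visible is that a longer after-grace keeps tunnels up through a late CRL publication but also lengthens the time a revoked peer certificate can keep being accepted once the last CRL that listed it expires; keep both values as small as the observed clock skew between the appliance and the CA allows.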

IKE DoS from known sites protection

Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers.

IKE DoS from unknown sites protection

Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers.

IKE Reply From Same IP

Indicates if the source IP address used in IKE session is based on destination when replying to incoming connections, or based on the general source IP address link selection configuration.

Join adjacent subnets in IKE Quick Mode

Indicates whether to join adjacent subnets in IKE Quick Mode.

Keep DF flag on packet

Indicates if the 'Don't Fragment' flag is kept on the packet during encryption/decryption.

Keep IKE SA Keys

Keep IKE SA keys.

Key exchange error tracking

Indicates how to log VPN configuration errors or key exchange errors.

Match Internet traffic on the Outgoing Rule Base

Traffic to the Internet from VPN peers that route all their traffic through this gateway will be matched on the Outgoing Rule Base.

Maximum concurrent IKE negotiations

Indicates the maximum number of concurrent VPN IKE negotiations.

Maximum concurrent tunnels

Indicates the maximum number of concurrent VPN tunnels.

Open SAs limit

Indicates the maximum number of open SAs per VPN peer.

Outgoing link tracking

Indicates how to log the outgoing VPN link: Log, don't log, or alert.

Override 'Route all traffic to remote VPN site' configuration for administrator access to the device

Select this option to prevent administrator access to this appliance from being routed to the remote site even when "Route all traffic to remote VPN site" is configured.

Packet handling errors tracking

Indicates how to log the VPN packet handling errors: Log, don't log, or alert.

Perform Tunnel Tests using an internal IP Address

A Tunnel Test makes sure that the VPN tunnel between peer VPN Gateways is up.

By default, the test is done by making sure there is a connection between all the external IP addresses of the peer VPN Gateways.

You can configure this option to do the tunnel tests using the internal IP addresses of the Gateways that are part of the local encryption domain.

You can see the status of the VPN tunnel in the Logs and Monitoring tab.

Permanent tunnel down tracking

Indicates how to log when the tunnel goes down: Log, don't log, or alert.

Permanent tunnel up tracking

Indicates how to log when the tunnel is up: Log, don't log, or alert.

RDP packet reply timeout

Timeout (in seconds) for an RDP packet reply.

Reply from incoming interface

When a tunnel is initiated from the remote site, reply from the same incoming interface when applicable (IKE and RDP sessions).

Successful key exchange tracking

Indicates how to log when there is a successful key exchange: Log, don't log, or alert.

Use cluster IP address for IKE

Indicates if IKE is performed using the cluster IP address (when applicable).

Use internal IP address for encrypted connections from local gateway

Encrypted connections originating from the local gateway will use an internal interface's IP address as the connection source.

VPN tunnel sharing

Indicates under what conditions new tunnels are created: per host pair, per subnet (industry standard), or a single tunnel per remote site/gateway. This controls the number of tunnels that are created.

Table: VoIP Attributes

VoIP Attribute

Description

Accept MGCP connections to registered ports

Indicates if deep inspection over MGCP traffic automatically accepts MGCP connections to registered ports.

Accept SIP connections to registered ports

Indicates if deep inspection over SIP traffic automatically accepts SIP connections to registered ports.

Table: Web Interface Settings and Customization Attributes

Web Interface Settings and Customizations Attribute

Description

Multiple parameters

Select Use a company logo in the appliance's web interface to display a different logo (not the Check Point default logo).

In Company logo, click the Upload company logo link, browse to the logo file, and click Apply.

In Company URL, enter the company's URL. When you click the company logo in the web interface it opens this URL.