Advanced Settings

The Device > Advanced Settings page is for advanced administrators or Check Point Support. You can configure values for multiple advanced settings for the various blades.

Important - Changing these advanced settings without fully understanding them can be harmful to the stability, security, and performance of this appliance. Continue only if you are certain that you understand the required changes.

For further details regarding the attributes, consult with Check Point Support when necessary.

To filter the list of attributes:

Enter text in the Type to filter field.

The search results are dynamically shown as you type.
To cancel the filter, click X next to the search string.

To configure the appliance attributes:

Select an attribute.
Click Edit.

The attribute window opens.
Configure the settings, or click Restore Defaults to reset the attribute to the default settings. For more details on the attributes, see the next sections.
Click Apply.

To reset all the appliance attributes to the default settings:

From the Advanced Settings window, click Restore Defaults.

The Confirm window opens.
Click Yes.

All appliance attributes are reset to the default settings.

Table: Administrator Lockout Attribute
Administrator Lockout Attribute	Description
Admin Lockout - Mobile application session timeout	Allowed mobile application session before automatic logout is executed (in days) Default is 30.

Table: Administrator RADIUS authentication Attributes
Administrator RADIUS authentication Attribute	Description
Local authentication (RADIUS server)	Perform local administrator authentication only if RADIUS server is not configured or is inaccessible.

Table: Aggressive Aging Attributes
Aggressive Aging Attribute	Description
Multiple parameters	Aggressive Aging helps manage the connections table capacity and memory consumption of the firewall to increase durability and stability. Aggressive Aging introduces a new set of short timeouts called aggressive timeouts. When a connection is idle for more than its aggressive timeout it is marked as "eligible for deletion". When the connections table or memory consumption reaches the user defined threshold, Aggressive Aging begins to delete "eligible for deletion" connections, until memory consumption or connections capacity decreases back to the desired level. Aggressive Aging allows the gateway machine to handle large amounts of unexpected traffic, especially during a Denial of Service attack. If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the "eligible for deletion" list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there are no "eligible for deletion" connections, no connections are deleted at that time, but the list is checked after each subsequent connection that exceeds the threshold. Timeout settings are a key factor in memory consumption configuration. When timeout values are low, connections are deleted faster from the table, enabling the firewall to handle more connections concurrently. When memory consumption exceeds its threshold, it is best to work with shorter timeouts that can maintain the connectivity of the vast majority of the traffic. The major benefit of Aggressive Aging is that it starts to operate when the machine still has available memory and the connections table is not entirely full. This way, it reduces the chances of connectivity problems that might have occurred under low-resource conditions.
	To configure Aggressive Aging: Select Enable Aggressive Aging of connections when appliance is under load. To log Aggressive Aging events, select Log Aggressive Aging events. The logs are shown in Logs & Monitoring > Security Logs under the IPS blade. Select the checkboxes of the Aggressive Aging Timeouts that you want to enforce and enter the Aggressive Aging timeout. Make sure that the Aggressive timeouts are lower than the default timeouts. The default timeouts can be viewed and configured in the Device > Advanced Settings > Stateful Inspection attributes. To configure when the Aggressive Aging timeouts are enforced: Under Aggressive Aging Timeouts are enforced when section, select whether they are enforced if the connections table exceeds a limit, if memory exceeds a limit, or if both exceed their limits. Enter the percentage that you want to define as the limit to either connections table or memory consumption. If you select both, the values in the percentage fields of the other options are applied. Default is 80%, with connections from the "eligible for deletion" list being deleted if either the connections table or memory consumption passes this limit.

Table: Anti ARP Spoofing Attributes
Anti ARP spoofing Attribute	Description
Anti ARP spoofing mode	Mode for Anti ARP spoofing protection. The protection can be turned off, on, or in detect only mode.
Detection window time to indicate attack	Time period (in seconds) during which IP addresses, assigned to the same MAC address, indicate an ARP spoofing attack.
Number of IP addresses to indicate attack	The number of IP addresses assigned to the same MAC address during the Detection window time that will an indicate an ARP spoofing attack.
Suspicious MAC block period	Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list.

Table: Anti-Spam policy Attributes
Anti-Spam Policy Attributes	Description
All mail track	Tracking options for emails that are not considered spam or suspected spam. Tracking such emails can have a performance impact.
Allowed mail track	Tracking options for emails that are manually allowed in the Threat Prevention > Anti-Spam Exceptions page.
Content based Anti-Spam timeout	Indicates the timeout (in seconds) to wait for an answer from the cloud during content-based Anti-Spam inspection.
E-mail size scan	Indicates the maximal size of an email's content to scan (in KB)
IP reputation fail open	Indicates the action to take upon an internal error during Anti-Spam IP reputation test.
IP reputation timeout	Indicates the timeout (in seconds) to wait for an IP reputation test result.
Scan outgoing emails	Scan the content of emails which are sent from the local network to the Internet.
Transparent proxy	Use a transparent proxy for inspected email connections. When disabled, configuration of the proxy address and port is required on client machines.

Table: Anti-Spoofing Attributes
Anti-Spoofing Attribute	Description
Enable global Anti-Spoofing	Indicates if Anti-Spoofing is enabled automatically on all interfaces according to their zone.

Table: Application & URL Filtering Attributes
Application & URL Filtering Attribute	Description
Block when service is unavailable	Indicates if web requests are blocked when the Check Point categorization and widget definitions Online Web Service is unavailable.
Categorize cached and translated pages	Indicates if to perform URL categorization of cached pages and translated pages created by search engines.
Custom App over HTTPS	Indicates whether custom URLs and applications will be matched over HTTPS traffic using SNI field. Important note: as SNI field in HTTPS traffic is browser-dependent and promiscuous, it does not guarantee 100% match.
Enforce safe search	Indicates if the URL Filtering policy overrides the Safe Search settings in the user's browser. Regardless of what the user has selected, the strictest Safe Search settings are applied. Explicitly sexual content is filtered out of the search engine's results.
Fail mode	Indicates the action to take on traffic in case of an internal system error or overload.
Track browse time	Shows in logs the total time that users are connected to different sites and applications in an HTTP session
Use HTTP referer header	Indicates if the HTTP "referrer" header (originally a misspelling of referrer) is used by the inspection engine to improved application identification.
Web site categorization mode	Indicates the mode that is used for website categorization: Background - Requests are allowed until categorization is complete. When a request cannot be categorized with a cached response, an uncategorized response is received. Access to the site is allowed. In the background, the Check Point Online Web Service continues the categorization procedure. The response is then cached locally for future requests (default). This option reduces latency in the categorization procedure. Hold - Requests are blocked until categorization is complete. When a request cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization.

Table: Capacity Optimization Attributes
Capacity Optimization Attribute	Description
Connections hash table size	Indicates the size of the connections hash table in bytes. This value must be an integer that is an exponential power of two and approximately four times the maximum concurrent connections parameter.
Maximum concurrent connections	Indicates the overall maximum number of concurrent connections.

Table: Cloud Services Firmware Upgrade Attributes
Cloud Services Firmware Upgrade Attribute	Description
Service access maximum retries	Indicates the maximum number of retries when failing to upgrade using the service.
Service access timeout until retry	Indicates the time (in seconds) to wait when there is a connection failure to the service before the next retry.

Table: Cluster Attributes
Cluster Attribute	Description
Use virtual MAC	Indicates if a virtual MAC address is used by all members to allow a quicker failover by the network's switch. Using the virtual MAC address: Minimizes the potential traffic outage during fail-over. Removes the need to use G-ARPs for NATed IP addresses.

Table: DDNS Attributes
DDNS Attribute	Description
Iterations	Number of DNS updates.

Table: DHCP Bridge Attribute
DHCP Bride Attribute	Description
MAC Assignment	Indicates whether the MAC address for the DHCP bridge is taken from an internal (LAN) or external port (WAN, DMZ).

Table: DHCP Relay Attributes
DHCP Relay Attribute	Description
Use internal IP addresses as source	Select Use internal IP addresses as source if DHCP relay packets from the appliance originate from internal IP addresses. This may be required if the DHCP server is located behind a remote VPN site.

Table: DSL Global Attributes
DSL Global Attribute	Description
DSL globals - VDSL2	Supports ITU G.993.2 VDSL2.
DSL globals - ADSL Dmt (G.992.1)	Supports ITU G.992.1 ADSL (G.dmt).
DSL globals - ADSL lite (G.992.2)	Supports ITU G.992.2 ADSL Lite (G.lite).
DSL globals - ADSL2 (G.992.2)	Supports ITU G.992.3 ADSL2.
DSL globals - ADSL2+ (G.992.5)	Supports ITU G.992.5 Annex M ADSL2+M.
DSL globals - T1.413	Supports ANSI T1.413-1998 Issue 2 ADSL.
DSL globals - Annex J/M	In an Annex A appliance: Combined with supported ADSL2+, it specifies Annex M ADSL2+. In an Annex B appliance: Combined with supported ADSL2, it specifies Annex J ADSL2.
DSL globals - Annex L	In an Annex A appliance: Combined with enabled ADSL2 (G.992.3) specifies support for Annex L.
DSL globals - 8a	Supports VDSL Profile 8a.
DSL globals - 8b	Supports VDSL Profile 8b.
DSL globals - 8c	Supports VDSL Profile 8c.
DSL globals - 8d	Supports VDSL Profile 8d.
DSL globals - 12a	Supports VDSL Profile 12a.
DSL globals - 12b	Supports VDSL Profile 12b.
DSL globals - 17a	Supports VDSL Profile 17a.
DSL globals - Seamless rate adaptation (SRA)	Enables seamless rate adaptation.
DSL globals - G.INP	Enhanced Impulse Noise Protection.
DSL globals - US0	Enables usage of first upstream band in VDSL.

Note - When all the ADSL standards are turned off in the Advanced Settings and you can only connect using the VDSL2 standard, the VPI, the VCI and the encapsulation options still appear even though they are not used to open an internet connection.

Table: Firewall Policy Attributes
Firewall Policy Attribute	Description
Blocked packets action	Action for blocked packets: Drop, reject or automatic (drop from external and reject from internal).
Log implied rules	Produce log records for connections that match implied rules.

Table: General Temporary Directory Size Attributes
General Temporary Directory Size Attribute	Description
General temporary directory size	Controls the size (in MB) of the general temporary directory.
System temporary directory size	Controls the size (in MB) of the temporary directory that is used by the system.

Table: Hardware Options Attributes
Hardware Options Attribute	Description
Reset to factory defaults timeout	The amount of time (in seconds) that you need to press and hold the factory defaults button on the appliances' back panel to restore to the factory defaults image.

Table: Hotspot Attributes
Hotspot Attribute	Description
Enable portal	Select Disabled to disable the hotspot feature entirely.
Prevent simultaneous log-in	The same user will not be allowed to login via hotspot portal from more than one machine in parallel.

Table: IP Fragments Parameters
IP Fragments Parameters Attribute	Description
Multiple parameters	These parameters let you configure how the appliance handles IP fragments. It can either block fragmented IP packets or drop fragments when a configured threshold is reached. Select one of these options: Forbid IP Fragments - Fragmented IP packets are dropped. Allow IP Fragments - Fragmented IP packets are allowed if they do not exceed a configured threshold. When selecting this option, you can configure the maximum number of accepted incomplete packets. You can also configure the timeout (in seconds) for holding unassembled fragmented packets before discarding them.

Table: IP Resolving Attributes
IP Resolving Attributes	Description
IP Resolving - IP Resolving Activation	Enable/Disable IP Resolving logs enrichment.
IP Resolving - IP Resolving TTL	The time (in seconds) for which the hostname resolution is used. Default is 3600.

Table: IPS Additional Parameters
IPS Additional Parameters Attribute	Description
Max ping limit	Indicates the maximal ping packet size that are allowed when the 'Max Ping Size' protection is active.
Non-standard HTTP ports	Enable HTTP inspection on non-standard ports for the IPS blade.

Table: IPS Engine Settings
IPS Engine Settings Attribute	Description
Allow protocol unknown commands	Normally, the IPS engine blocks protocols (e.g. POP3, IMAP, ...) commands that it does not recognize. When the advanced setting is set to "`true`", IPS allows the traffic.
Apply filter	Filter IPS protections to improve performance. Type: Boolean Default: true
Configure error page options for supported web protections - multiple parameters	Some web based protections can show an error page upon detection. This error page is configurable. The protections that support the error page: Malicious Code protector Cross-Site Scripting LDAP Injection SQL Injection Command Injection Directory Traversal Directory Listing Error Concealment HTTP Format Sizes ASCII Only Request ASCII Only Response Headers HTTP Methods Select one of these options that applies to all such protections: Do not show Show pre-defined HTML error page - You can configure an HTML page that opens when an attack is detected. To configure the page, go to Advanced Settings > IPS engine settings > HTML error page configuration. Redirect to another URL - Enter a URL to which users are redirected when an attack is detected. You can also select to add an error code that provides more information about the detected attack. This is not recommended because the information can be misused by an attacker.
HTML error page configuration - multiple parameters	These settings allow you to configure a pre-defined HTML error page that is seen when the error page advanced settings are set to Show pre-defined HTML error page. Select one of these options: Logo URL - Optionally enter a URL that leads to your company logo. HTML error page configuration - Shows an error code that provides more information about the detected attack. This is not recommended because the information can be misused by an attacker. Send detailed error code - You can enter manually defined text that is shown in the HTML page. Enter the text in the Description box. For example, "Access denied due to IPS policy violation."

Table: Internal Certificates Setting Attributes
Internal Certificate Settings Attribute	Description
Configure internal CA certificate expiration	The number of years the internal CA certificate is valid. This applies the next time the certificate is re-initialized.

Table: Internet Attributes
Internet Attribute	Description
Reset Sierra USB on LSI error	Indicates whether Sierra type USB modems will be reset when they send an invalid LSI signal
Path MTU Discovery Mode	Select from these options: Disabled Run Once - Runs once after establishing internet connection and tries to detect path MTU. Run as a daemon - Runs in the background and tries to detect path MTU.

Table: Internet Connection Type
Internet Connection Type	Description
IPv4 over IPv6 (IPIP)	Indicates whether IPv4 over IPv6 (IPIP) Internet connection is enabled. Default: false

Table: IoT Stats Attributes
IoT Stats Attributes	Description
IoT Stats Activation	Enable/disable IoT collecting statistics. Default: Enabled

Table: MAC Filtering Attributes
MAC Filtering Attribute	Description
MAC filtering state	MAC filtering state
Log blocked MAC addresses	Indicates if blocked MAC addresses should be logged.
Log suspension	Indicates if an administrator can access the appliance from a remove Security Management Server without the need to enter an administrator name.

Table: Managed Service Attributes
Managed Services Attribute	Description
Allow seamless administrator access from remote Management Server	Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator user name and password.
Show device details in Login	Indicates if appliance details are shown when an administrator accesses the appliance.

Table: Mobile Setting Attributes
Mobile Settings Attribute	Description
Mobile Settings - Notification cloud server URL	Cloud server URL used for sending mobile notifications.
Mobile Settings - Pairing code expiration	Time (in hours) till pairing code is expired. Type: Integer
Mobile Settings - Verify SSL certificate	Verify SSL certificate when sending mobile notification to cloud server

Table: Multiple ISP Route Refresh Attributes
Multiple ISP Route Refresh Attribute	Description
Multiple ISP Route Refresh mode	Indicates whether acceleration will refresh route in multiple ISPs configuration.

Table: NAT Attributes
NAT Attribute	Description
ARP manual file merge	Indicates, when automatic ARP detection is enabled, to use the ARP definitions in a local file with higher priority. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the local.arp file and Automatic ARP configuration is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NAT IP address appears in both), then the manual configuration is used.
Multiple parameters - IP Pool NAT	An IP Pool is a range of IP addresses (an Address Range, a network or a group of one of these objects) routable to the gateway. When a connection is opened to a server, the gateway substitutes an IP address from the IP Pool for the source IP address. Reply packets from the server return to the gateway, which restores the original source IP address and forwards the packets to the source. When using IP Pool NAT, select an existing IP address range object. It must be previously defined in the Users & Objects > Networks Objects page. The IP Pool NAT mechanism allocates IP addresses from this range. Use IP Pool NAT for VPN clients connections - Applies to connections from VPN remote access clients to the gateway. Use IP Pool NAT for gateway to gateway connections - Applies to site to site VPN connections. Prefer IP Pool NAT over Hide NAT - Specifies that IP Pool NAT has priority over Hide NAT, if both match the same connection. Hide NAT is only applied if the IP pool is used up. Reuse IP addresses from the Pool for different destinations - Select this option to reuse IP addresses from the Pool for different destinations. Unused addresses interval - Configure in minutes the time interval it takes for unused addresses to return to the IP addresses pool. Address exhaustion tracking - Specifies the type of log to issue if the IP Pool is exhausted. Address allocation and release tracking - Specifies whether to log each allocation and release of an IP address from the IP Pool.
Automatic ARP detection	When internal devices in the local network are defined using static NAT, the appliance must make sure packets to the static NAT IP address reach it. This option enables the appliance to automatically respond to ARP requests for those IP addresses.
Increase hide capacity	Indicates if hide-NAT capacity is given additional space.
NAT enable	Indicates if the device's NAT capabilities are enabled.
NAT cache expiration	Indicates the expiration time in minutes for NAT cache entries.
NAT cache number of entries	Indicates the maximum number of NAT cache entries.
NAT hash size	Indicates the hash bucket size of NAT tables.
NAT limit	Indicates the maximum number of connections with NAT.
Perform cluster hide fold	Indicates if local IP addresses are hidden behind the cluster IP address when applicable, as opposed to being hidden behind each cluster member's physical IP address.
Translate destination on client side	Translates destination IP addresses on client side (for automatically generated NAT rules).
Translate destination on client side (manual rules)	Translates destination IP addresses on client side (for manually configured NAT rules).

Table: Notification Policy Attributes
Notification Policy Attributes	Description
Notification Language	Notification language
Notifications Policy - Send push notifications	Indicates whether notifications are sent to mobile application.
Notifications Policy - The maximum number of notifications sent per hour	The maximum number of notifications sent to mobile devices per hour.

Table: Operating Systems Attributes
Operating Systems Attributes	Description
Operating system - operating system	tmpDirSize
Operating system - System temporary directory size	Controls the size (in MB) of the temporary directory that is used by the system.

Table:OS advanced settings
OS advanced settings attributes	Description
Cellular Backoff Algorithm Mode	Set cellular backoff algorithm mode (auto, force-disable, or force-enable). When in auto mode, back-off algorithm will only work for Rogers cellular carrier.
Disable transfer of DHCP options from WAN to LAN	Specifies whether transfer of DHCP options from WAN to LAN is disabled. Type: Boolean Default: false
Enable WAN on LAN	Specifies whether LAN-on-WAN feature is on Type: Boolean Default: false.
Enable WiFi Monitors	Specifies whether WiFi monitors are on. Type: Boolean Default: false
Enable automatic WiFi Channel Change	Specifies whether WiFi switches channels automatically during operation. Type: Boolean Default: false
Enable destination check on PPPoE	Specifies whether PPP0E destination check is enabled. Type: Boolean Default: false
Enable flow-control for network switch	Indicates if flow-control is enabled for network switch. Type: Boolean Default: false
Force cellular module to use 4G network	When disabled, modem is using all available bands. When enabled, modem uses 4G bands only. Type: Boolean Default: false

Table: Privacy Settings
Privacy Settings Attributes	Description
Help Check Point improve its products by sending data	Customer consent
Location Service requires sending your IP address to a 3rd party	Using automatic timezone feature requires sending your location to 3rd party.

Table: QoS Blade Attributes
QoS Blade Attribute	Description
Logging	Indicates if the appliance logs QoS events when the QoS blade is enabled.

Table: Reach My Device Attributes
Reach My Device Attribute	Description
Ignore SSL certificate	Indicates if the SSL certificate should be ignored when running the access service.
Server address	Indicates the address of the remote server that allows administration access to the appliance from the Internet even when behind NAT.

Table: Report Settings Attributes
Report Settings Attributes	Description
Report Settings - Max Period	Maximum period to collect and monitor data. You must reboot the appliance to apply changes.
Report Settings - Reports cloud server URL	Reports cloud server URL used to generate report PDF.

Table: Rest API Attribute
Rest API Attribute	Description
Rest API mode	Indicates where REST API is enable or not

Table: Serial Port Attributes
Serial Port Attribute	Description
Multiple Parameters	With the serial port parameters you can configure the console port on the back panel of the appliance. You can disable it completely (clear the Enable serial port checkbox) if necessary and configure port speed and flow control settings. Note that these settings must match the configuration of the device connected to the console port. There are three modes for working with this port: Console - This is the default mode configured. The port is used to access the appliance's console. Active - Instead of connecting through the port to the appliance's console, the data is relayed to a specified telnet server which can now be viewed through this port. Enter the Server TCP port of the telnet server and the IP address of the server. Two different IP server IP addresses can be configured (Primary server and Secondary server). Passive - In this mode the flow of data is reversed and the appliance connects through the serial port to the console of the connected device. This console is accessible through a telnet connection to a configured port on the appliance. In Listen on TCP port, enter the port number. To configure an implicit rule that allows traffic from any source to this port, make sure Implicitly allow traffic to this port is selected. If you do not create an implicit rule, you must manually define an access rule in the Firewall Rule Base. Two appliances, one in active mode and the other in passive mode, can allow a client to remotely connect to a console connected to the appliance in passive mode over the internet using a telnet connection.

Table: SSL Inspection Attributes
SSL Inspection Attribute	Description
Additional HTTPS ports	Additional HTTPS ports for SSL inspection (a comma separated list of ports/ranges).
Log empty SSL connections	Log connections that were terminated by the client before data was sent. This might indicate the client did not install the CA certificate.
Retrieve intermediate CA certificates	Indicates if the SSL inspection mechanism will perform its validations on all intermediate CA certificates in the certificate chain.
Track validation errors	Choose if the SSL Inspection validations are tracked.
Validate CRL	Indicates if the SSL inspection mechanism will drop connections that present a revoked certificate.
Validate Expiration	Indicates if the SSL inspection mechanism will drop connections that present an expired certificate.
Validate unreachable CRL	Indicates if the SSL inspection mechanism will drop connections that present a certificate with an unreachable CRL.
Validate untrusted certificates	Indicates if the SSL inspection mechanism will drop connections that present an untrusted server certificate.

Table: Stateful Inspection Attributes

Stateful Inspection Attribute

Description

Accept out of state TCP packets

Indicates if TCP packets which are not consistent with the current state of the TCP connection are dropped (when set to 0) or accepted (when set to any other value).

Accept stateful ICMP errors

Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.

Accept stateful ICMP replies

Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.

Accept stateful UDP replies for unknown services

Specifies if UDP replies are to be accepted for unknown services. In each UDP service object it is possible to configure whether UDP replies for it are accepted if the service is matched on a rule which accepts traffic. This parameter refers to all connections which are not covered by the service objects.

Accept stateful other IP protocols replies for unknown services

Accept stateful other IP protocols replies for unknown services. In each service object it is possible to configure whether replies for it are accepted if the service is matched on a rule which accepts traffic. This parameter refers to all no TCP/UDP connections which are not covered by the service objects.

Allow LAN-DMZ DPI

Allow Deep Packet Inspection in traffic between internal networks and the DMZ network.

Note - DMZ is not supported in 1530 / 1550 appliances.

Allow LAN-LAN DPI

Allow Deep Packet Inspection in traffic between internal networks.

Drop out of state ICMP packets

Drop ICMP packets which are not in the context of a "virtual session".

ICMP virtual session timeout

An ICMP virtual session is considered to have timed out after this time period (in seconds).

Log dropped out of state ICMP packets

Indicates if dropped out of state ICMP packets generate a log. See the "Drop out of state ICMP packets" parameter.

Log dropped out of state TCP packets

Indicates if dropped out of state TCP packets generate a log. See the "Accept out of state TCP packets" parameter.

Other IP protocols virtual session timeout

A virtual session of services which are not TCP, UDP or ICMP is considered to have timed out after this time period (in seconds).

TCP end timeout

Indicates the timeout (in seconds) for TCP session end. A TCP session is considered as "ended" following two FIN packets, one in each direction, or an RST packet.

TCP session timeout

Indicates the timeout (in seconds) for TCP sessions. A TCP session times out if the connection remains idle after this time period (in seconds).

TCP start timeout

Indicates the timeout (in seconds) for TCP session start. A TCP connection times out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds this time period (in seconds).

UDP virtual session timeout

A UDP virtual session is timed out after this time period (in seconds).

Table: Streaming Engine Setting Attributes
Streaming Engine Settings Attribute	Description
Multiple parameters	These settings determine how the TCP streaming engine used by the various deep inspection blades (IPS, Application Control, Anti-Bot, Anti-Virus, etc.) handles protocol violations and events that prevent the streaming engine from further inspection. We highly recommend that these settings always be in prevent mode. Using these settings in detect mode may significantly lower security as inspection stops when the event or violation occurs. When the configuration is set to log such events, the logs are shown in Logs & Monitoring > Security Logs under the IPS blade. For each violation or event configure the action and tracking mode.
TCP Segment Limit Enforcement	For every TCP segment that passes through the gateway, the gateway retains a copy of the segment until it receives an acknowledgment that the segment was received. This buffered data occupies space in the gateway's memory. This enforces a limit on the number and size of buffered segments per connection. When a connection reaches one of these limits, the gateway does not accept new segments for this connection until buffered segments are acknowledged.
TCP Out of Sequence	The receiving host of a TCP stream buffers segments and retains only those segments within a specified window. Segments outside this window are not processed by the receiving host. TCP segments which are outside the TCP receiving window should not be processed by the gateway. All data from TCP segments that are outside of the window is either dropped or removed. If the segment is near the window, data is stripped. If the segment is far from the window, the segment is dropped.
TCP Invalid Retransmission	For every TCP segment that passes through the gateway, the gateway retains a copy of the segment until the gateway receives an acknowledgment that the segment was received. If no acknowledgment is received, the source machine sends the segment again, which the gateway compares to its copy to verify that the new packet matches the original. Passing a retransmission that differs from the original allows uninspected data to reach the destination application. This can block segment retransmissions which differ from the original segments, and this assures that the gateway inspects all data that is processed by the receiving application. When set to detect, such retransmissions causes the traffic to bypass deep inspection blades.
TCP Invalid Checksum	The gateway does not need to inspect packets with an invalid TCP checksum because these packets are dropped by the receiving host's TCP stack. This blocks TCP packets with an invalid checksum. Due to malfunctioning networking equipment, it is normal to see some packets with an incorrect checksum on the network. This does not indicate an attempted attack and for this reason, the default is to NOT log such events.
TCP SYN Modified Retransmission	A TCP SYN packet may be retransmitted with a changed sequence number in an attempt to initiate a connection that IPS does not inspect. This blocks a SYN retransmission where the sequence number has been modified. When set to detect, such retransmissions cause the traffic to bypass deep inspection blades.
TCP Urgent Data Enforcement	Some TCP protocols, such as Telnet, send out-of-band data using the TCP URG bit as part of the protocol syntax, whereas most protocols don't use the TCP out-of-band functionality. Allowing packets with the URG bit may prevent the gateway from determining what data would be processed by the receiving application. This could lead to a situation where the data inspected by the gateway is not what the receiving application processes, thus allowing IPS protections to be bypassed. When a packet with the URG bit is received in a protocol that does not support out-of-band functionality, the gateway cannot determine whether the receiving application processes the data. This removes the URG bit from TCP segments with the URG bit set in protocols which do not support the TCP out-of-band functionality. When set to detect, usage of the URG bit causes the traffic to bypass deep inspection blades.
Stream Inspection Timeout	A connection being inspected by a dedicated process may be delayed until inspection is completed. If inspection is not completed within a time limit, the connection is dropped so that resources are not kept open. This blocks connections whose inspection timeout has expired. When set to detect, exceeding the timeout causes the traffic to bypass deep inspection blades.

Table: Threat Prevention Anti-Bot Policy Attributes
Threat Prevention Anti-Bot Policy Attribute	Description
Resource classification mode	Indicates the mode used by the Anti-Bot engine for resource classification: Hold - Connections are blocked until classification is complete. When a connection cannot be classified with the cached responses, it remains blocked until the Check Point Online Web Service completes classification. Background - Connections are allowed until classification is complete. When a connection cannot be classified with a cached response, an uncategorized response is received. The connection is allowed. In the background, the Check Point Online Web Service continues the classification procedure. The response is then cached locally for future requests. This option reduces latency in the classification process.

Table: Threat Prevention Anti-Virus Policy Attributes
Threat Prevention Anti-Virus Policy Attribute	Description
File scan size limit	Indicates the size limit (in KB) of a file scanned by Anti-Virus engine. To specify no limit, set to 0.
MIME maximum nesting level	For emails that contain nested MIME content, set the maximum number of levels that the ThreatSpect engine scans in the email.
MIME nesting level exceeded action	If there are more nested levels of MIME content than the configured amount, select to Block or Allow the email file.
Priority scanning	Scan according to security and performance priorities for maximum optimization.
Resource classification mode	Indicates the mode used by the Anti-Virus engine for resource classification: Hold - Connections are blocked until classification is complete. When a connection cannot be classified with the cached responses, it remains blocked until the Check Point Online Web Service completes classification. Background - Connections are allowed until classification is complete. When a connection cannot be classified with a cached response, an uncategorized response is received. The connection is allowed. In the background, the Check Point Online Web Service continues the classification procedure. The response is then cached locally for future requests. This option reduces latency in the classification process.

Table: Threat Prevention Threat Emulation Policy Attributes
Threat Prevention Threat Emulation Policy Attribute	Description
Emulation connection handling mode - IMAP	Indicates the strictness mode of the Threat Emulation engine over IMAP: Background - Connections are allowed while the file emulation runs (if needed) until emulation handling is complete. Hold - Connections are blocked until the file emulation is completed
Emulation connection handling mode - POP3	Indicates the strictness mode the Threat Emulation engine over POP3: Background - Connection are allowed while the file runs (if needed) Hold - Connections are blocked until the file emulation is completed.
Emulation connection handling mode - SMTP	Indicates the strictness mode of the Threat Emulation engine over SMTP: Background - Connections are allowed while the file emulation runs (if needed) Hold - Connections are blocked until the file emulation is completed.
Emulation location	Indicates if emulation is done on Public ThreatCloud or on remote (private) SandBlast.
Primary emulation gateway	The IP address of the primary remote emulation gateway.

Table: Threat Prevention Policy Attributes
Threat Prevention Policy Attribute	Description
Block when service is unavailable	Block web requests traffic when the Check Point ThreatCloud online web service is unavailable.
Fail mode	Indicates the action to take (Allow all requests or Block all requests) on traffic in case of an internal system error or overload.
File inspection size limit	Indicates the size limit (in KB) of a file inspected by Threat Prevention engines. Note - A limit too low may have an impact on the functionality of the Application Control blade. To specify no limit, set to 0.
Method for skipping HTTP inspection	Warning: Changing the setting to Full has a severe security impact. An HTTP connection can be made up of many sessions. A file that is part of an HTTP connection passes in one HTTP session. If a non-zero File inspection size limit is configured, the Default setting of Method for skipping HTTP inspection is that file inspection is skipped to the end of the session, and resumes in the next HTTP session. If a non-zero File inspection size limit is configured and the Method for skipping HTTP inspection is changed to Full, file inspection is skipped to the end of the connection and resumes in the next connection. This improves performance because the remaining part of the connection is fully accelerated. However, changing the setting to Full is not recommended because of a severe security impact: The remaining sessions of the connection are not inspected.
Threat Prevention policy - Update Threat Prevention With Full Packages	Update Threat Prevention with the most up to date packages.
Allow me to view attack statistics in my User Center account	Allow viewing attack statistics in your User Center Account. For more information, see Threat Prevention - Infinity SOC.
Allow IP address information in attack statistics	Optional: Enable the real IP address information in the attack reports (see sk164332 - section "De-obfuscate the real IP of the victim"):

Table: USB Modem Watchdog Attributes
USB Modem Watchdog Attribute	Description
Interval	Indicates how often (in minutes) the USB modem watchdog probes the internet.
Mode	Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type. To enable USB modem watchdog when internet probing indicates there is no internet access, select one of these reset options: Disabled - Default. Hard reset - Shuts down the power for the USB modem and turns it on again. Gateway reset - Restarts the appliance. Hard Gateway reset - First reboot the gateway and if that is not successful, restart the appliance.
USB only	Monitor only USB modem connection and not other internet connections. In this mode, when monitoring other internet connections, gateway reset only occurs when probing fails on all internet connections (and not just USB modem). Type: Boolean

Table: Update services schedule Attributes
Update Services Schedule Attribute	Description
Maximum number of retries	Indicates the maximum number of retries for a single update when the cloud is unavailable
Timeout until retry	Indicates the timeout (in seconds) until update retry.

Table: User Awareness Attributes
User Awareness Attribute	Description
Active Directory association timeout	Indicates the timeout (in minutes) for caching an association between a user and an IP address.
Allow DNS for unknown users	Indicates that DNS traffic from unauthenticated users is not be blocked when Block unauthenticated users when the captive portal is not possible is selected in Users & Objects > User Awareness > Browser-Based Authentication > Identification tab. Without DNS traffic, the browsers of end users, may not show the Captive Portal.
Assume single user per IP address	When Active Directory Queries is enabled in Users & Objects > User Awareness the parameter indicates that only one user can be identified from a single device. When two or more users connect from a device, only the last user to log on is identified.
Log blocked unknown users	Indicates if unauthenticated users that are blocked are logged when Block unauthenticated users when the captive portal is not possible is selected in Users & Objects > User Awareness > Browser-Based Authentication > Identification tab.

Table: User Management Attributes
User Management Attribute	Description
Automatically delete expired local users	Automatically delete all expired local users every 24 hours (after midnight).

Table: VPN Remote Access Attributes
VPN Remote Access Attribute	Description
Allow clear Traffic while disconnected	Indicates if traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site is sent without encryption (clear) or dropped.
Allow simultaneous login	Indicates if a user can log in to multiple sessions. If the option is disabled, and a user logs in a second time with the same credentials, the previous session is disconnected.
Authentication timeout	Indicates the amount of time (in minutes) the remote client's password remains valid if timeout is enabled.
Authentication timeout enable	Indicates if the remote client's password remains valid only for a configured amount of time (Authentication timeout attribute).
Auto-disconnect in VPN domain	Indicates if the client disconnects automatically to save resources when it connects from inside the secured internal network (local encryption domain).
Back connections enable	Enable back connections from the encryption domain behind the gateway to the client.
Back connections keep-alive interval	Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections.
Enable Visitor Mode on All Interfaces Enable Visitor Mode on This Interface	This dialog box lets you configure a specified interface for visitor mode. Visitor mode allows the appliance to listen for TCPT traffic on a specified port (by default port 443) as backup to IKE connections from the remote access client. This mode is normally used to allow VPN remote access connections from behind restrictive environments such as hotels. Modifying visitor mode to be enabled only on a specific interface is not recommended.
Encrypt DNS traffic	Indicates if DNS queries sent by the remote client to a DNS server located in the encryption domain are passed through the VPN tunnel.
Encryption Method	Indicates which IKE encryption method (version) is used for IKE phase 1 and 2.
Endpoint Connect re-authentication timeout	Indicates the time (in minutes) until the Endpoint Connect user's credentials are resent to the gateway to verify authorization.
IKE IP Compression Support	Indicates if IPSec packets from remote access clients is compressed.
IKE Over TCP	Enables support of IKE over TCP.
IKE restart recovery	When dealing with Remote Access clients, the appliance cannot initiate an IKE phase 1 negotiation because the client address is unknown. If the appliance has an active SA with a Remote Access client and it restarts, the SA is lost, and the appliance cannot initiate IKE phase 1. But, if the restart option is selected, the appliance saves the tunnel details every minute. When the first encrypted packet arrives after the appliance restarts, the appliance sends a Delete SA message. This causes the remote client to discard the old SA and initiate IKE phase 1 to reopen the tunnel.
Legacy NAT traversal	Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient.
Match on Internal Rule Base only	Traffic from Remote Access clients will always be matched on the Incoming/Internal/VPN rulebase, including traffic to the Internet
Minimum TLS version support in the SSL VPN portal	Indicates the minimum TLS protocol version which the SSL VPN portal supports. For security reasons, we recommend to support TLS 1.2 and above.
Office Mode Enable With Multiple Interfaces	Indicates if a mechanism (with a performance impact) to improve connectivity between remote access client and an appliance with multiple external interfaces is enabled.
Office Mode Perform Anti-Spoofing Single Office Mode Per Site	Office Mode Perform Anti-Spoofing - If this option is selected, VPN verifies that packets whose encapsulated IP address is an Office Mode IP address are indeed coming from an address of a client working in Office Mode. If the addresses are allocated by a DHCP server, VPN must know the range of allocated addresses from the DHCP scope for the Anti-Spoofing feature to work. Define a Network object that represents the DHCP scope and select it here. Single Office Mode Per Site - After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateways encryption domain goes out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain recognize as the remote user's IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. As the remote hosts connections are dependent on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site terminate.
Office Mode allocate from RADIUS	Indicates if the Office Mode allocated IP addresses are taken from the RADIUS server used to authenticate the user.
Office Mode disable	Indicates if Office Mode (allocating IP addresses for Remote Access clients) is disabled. This is not recommended.
Passwords caching on client	Indicates if password caching is used. This means that re-authentication is not necessary when the client tries to access more than one gateway.
Prevent IP NAT Pool	Prevent IP Pool NAT configuration from being applied to Office Mode users. This is needed when using SecureClient as well as other VPN clients (see sk20251).
Radius retransmit timeout	Timeout interval (in seconds) for each RADIUS server connection attempt.
Remote Access port Reserve port 443 for port forwarding	The default remote access port is port 443. If there is a conflict with another server using this port number, configure a different Remote access port. You must change the default remote access port if the Check Point VPN client, Mobile client, or SSL VPN remote access methods are enabled as they use port 443 by default. If you change the default port number 443, make sure to select Reserve port 443 for port forwarding.
SNX keep-alive interval	Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets.
SNX re-authentication timeout	Indicates the time (in minutes) between re-authentication of SSL Network Extender remote access users.
SNX support 3DES	Indicates if the 3DES encryption algorithm will be supported in SSL clients as well as the default algorithms.
SNX support RC4	Indicates if the RC4 encryption algorithm is supported in SSL clients as well as the default algorithms.
SNX uninstall	This parameter lets you configure under which conditions the SSL Network Extender client uninstalls itself. The options are: Do not uninstall automatically (recommended default), always uninstall upon disconnection, and ask the user upon disconnection.
SNX upgrade	This parameter lets you configure under which conditions the SSL Network Extender client installs itself. The options are: Do not upgrade automatically, always upgrade, and ask the user (default).
Topology updates manual interval	Indicates the manually configured interval (in hours) for topology updates to the clients. Applicable only if the override settings is set to true.
Topology updates override	Indicates if the configured topology updates settings override the default 'once a week' policy.
Topology updates upon startup only	Indicates if topology updates occur only when the client starts. Applicable only if the override settings is set to true.
Verify device certificate	The remote access client verifies the device's certificate against revocation list.
block user if belongs to at least one group without permission	Indicates if strict group permissions are enabled - user will not have remote access permission if belongs to at least one group without remote access permission.

Table: VPN Site to Site Global Setting Attributes
VPN Site to Site Global Settings Attribute	Description
Accept NAT Traversal	Indicates if industry standard NAT traversal (UDP encapsulation) is enabled. This enables VPN tunnel establishment even when the remote site is behind a NAT device.
Administrative notifications	Indicates how to log an administrative event (for example, when a certificate is about to expire)
Check validity of IPSec reply packets	Indicated whether to check the validity of IPSec reply packets.
Cluster SA sync packets threshold	Sync SA with other cluster members when the number of packets reaches this threshold.
Copy DiffServ mark from encrypted /decrypted IPSec packet	Copy DiffServ mark from encrypted/decrypted IPSec packet.
Copy DiffServ mark to encrypted/ decrypted IPSec packet	Copy DiffServ mark to encrypted/decrypted IPSec packet.
DPD triggers new IKE negotiation	DPD triggers new IKE negotiation.
Delete IKE SAs from a dead peer	Delete IKE SAs from a dead peer.
Delete IPsec SAs on IKE SA delete	Delete IPsec SAs on IKE SA delete.
Delete tunnel SAs when Tunnel Test fails	When permanent VPN tunnels are enabled and a Tunnel Test fails, delete the relevant peer's tunnel SAs.
Do not encrypt connections originating from the local gateway	Packets whose original source or destination IP address is the local gateway's Internet Connection IP address will not go through a VPN tunnel. This parameter may be useful when the gateway behind hide NAT.
Do not encrypt local DNS requests	When enabled, DNS requests originating from the appliance will not be encrypted. Relevant when a configured DNS server is in a VPN peer's encryption domain.
Enable encrypted packets rerouting	Indicates if encrypted packets are rerouted through the best interface according to the peer's IP address or probing. We do not recommend to change this value to false.
Grace Period after CRL is no longer valid	CRL grace period is required to resolve the issue of differing clock times between the appliance and the remote CA. A grace period permits a wider window for CRL validity. Indicates the time (in seconds) after which a revoked certificate of a remote site remains valid.
Grace Period before CRL is valid	CRL grace period is required to resolve the issue of differing clock times between the appliance and the remote CA. A grace period permits a wider window for CRL validity. Indicates the time window (in seconds) where a certificate is considered valid prior to the time set by the CA.
IKE DoS from known sites protection	Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers.
IKE DoS from unknown sites protection	Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers.
IKE Reply From Same IP	Indicates if the source IP address used in IKE session is based on destination when replying to incoming connections, or based on the general source IP address link selection configuration.
Join adjacent subnets in IKE Quick Mode	Indicates if to join adjacent subnets in IKE Quick Mode.
Keep DF flag on packet	Indicates if the 'Don't Fragment' flag is kept on the packet during encryption/decryption.
Keep IKE SA Keys	Keep IKE SA keys.
Key exchange error tracking	Indicates how to log VPN configuration errors or key exchange errors.
Match Internet traffic on the Outgoing Rule Base	Traffic to the Internet from VPN peers that route all their traffic through this gateway will be matched on the Outgoing Rule Base.
Maximum concurrent IKE negotiations	Indicates the maximum number of concurrent VPN IKE negotiations.
Maximum concurrent tunnels	Indicates the maximum number of concurrent VPN tunnels.
Open SAs limit	Indicates the maximum number of open SAs per VPN peer.
Outgoing link tracking	Indicates how to log the outgoing VPN link: Log, don't log, or alert.
Override 'Route all traffic to remote VPN site' configuration for administrator access to the device	Select this option to prevent administrator access to this appliance from being routed to the remote site even when the "Route all traffic to remote VPN site" is configured.
Packet handling errors tracking	Indicates how to log the VPN packet handling errors: Log, don't log, or alert.
Perform Tunnel Tests using an internal IP Address	A Tunnel Test makes sure that the VPN tunnel between peer VPN Gateways is up. By default, the test is done by making sure there is a connection between all the external IP addresses of the peer VPN Gateways. You can configure this option to do the tunnel tests using the internal IP addresses of the Gateways that are part of the local encryption domain. You can see the status of the VPN tunnel in the Logs and Monitoring tab.
Permanent tunnel down tracking	Indicates how to log when the tunnel goes down: Log, don't log, or alert.
Permanent tunnel up tracking	Indicates how to log when the tunnel is up: Log, don't log, or alert.
RDP packet reply timeout	Timeout (in seconds) for an RDP packet reply.
Reply from incoming interface	When tunnel is initiated from remote site, reply from the same incoming interface when applicable (IKE and RDP sessions).
Successful key exchange tracking	Indicates how to log when there is a successful key exchange: Log, don't log, or alert.
Use cluster IP address for IKE	Indicates if IKE is performed using cluster IP address (when applicable).
Use internal IP address for encrypted connections from local gateway	Encrypted connections originating from the local gateway will use an internal interface's IP address as the connection source.
VPN tunnel sharing	Indicates under what conditions new tunnels are created: per host pair, per subnet (industry standard), or a single tunnel per remote site/gateway. This controls the number of tunnels that are created.

Table: VoIP Attributes
VoIP Attribute	Description
Accept MGCP connections to registered ports	Indicates if deep inspection over MGCP traffic automatically accepts MGCP connections to registered ports.
Accept SIP connections to registered ports	Indicates if deep inspection over SIP traffic automatically accepts SIP connections to registered ports.

Table: Web Interface Settings and Customization Attributes
Web Interface Settings and Customizations Attribute	Description
Multiple parameters	Select Use a company logo in the appliance's web interface to display a different logo (not the Check Point default logo). In Company logo, click the Upload company logo link, browse to the logo file, and click Apply. In Company URL, enter the company's URL. When you click the company logo in the web interface it opens this URL.