Configuring Internet Connectivity
The Device > Internet page shows how the Check Point Appliance connects to the Internet. You can configure a single Internet connection or multiple connections in High Availability or Load Balancing configurations. When multiple Internet connections are defined, the page shows them in a table. You can add a new connection and edit, delete, or disable existing connections. When there are multiple Internet connections, you can select which mode to use - High Availability or Load Balancing.
We recommend you contact your local Internet Service Provider (ISP) to understand how to configure your specific Internet connection.
Note - IPv6 is not currently supported.
To configure Internet connectivity:
-
Click Configure Internet (if not configured at all), Add (for another Internet connection), or Edit.
The New or Edit Internet Connection window opens.
-
Configure the fields in the tabs:
Configuration tab
Note - When you change the connection type, the appliance may disconnect from the Internet.
-
Connection name - Enter a name for the connection or leave the default "InternetN" label (where N indicates an incrementing number).
-
Interface name -
-
WAN or DMZ is for most types of Internet connections.
Note - DMZ is not supported in 1550 appliances.
-
LAN. You can also use unassigned LAN ports with no VLANs for Internet connections. When you delete the internet connection, the port reverts to an unassigned LAN.
- USB/Serial is for analog modems.
You can create a maximum of 32 internet connections.
Unassigned LAN ports use case - If your company is in a region where internet connections supplied by ISPs are unreliable and experience multiple disconnections, you can connect your appliances to multiple internet connections from different ISPs.
IPv4 connection types:
-
Connection type - Select the connection type:
-
DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network. The device retains the assigned address for a specified administrator-defined period.
-
Static IP - A fixed (non-dynamic) IP address.
-
PPPoE - A network protocol to encapsulate Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly in DSL systems. PPPoE can run directly over the ADSL/VDSL interface. It can also run over WAN or DMZ interfaces that are typically connected to an external DSL modem. You must enter the IP address, the subnet mask, default gateway and DNS Server Settings.
-
PPTP - The Point-to-Point Tunneling Protocol (PPTP) uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.
-
L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol. It does not provide any encryption or confidentiality but relies on an encryption protocol that it passes within the tunnel to provide privacy.
-
Bridge - Connects multiple network segments at the data link layer (Layer 2).
-
Analog Modem - Connect to the Internet with an analog modem through a USB or serial port. For this option, select the USB/Serial option in Interface name.
Note - If you use an analog modem through the serial port, you cannot connect to the appliance with the serial port or get terminal server functionality. For more on the terminal server, go to Device > AdvancedSettings.
Fill in the fields that are shown for the connection type.
Note - You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
For PPPoE over ATM over VDSL/ADSL or IPoE over ATM over VDSL/ADSL or for an ADSL interface:
Enter the VPI number and VCI number you received from your service provider, and the Encapsulationtype (LLC or VC_MUX).
For WAN/DMZ interfaces and static, DHCP, PPPoE, PPTP, and L2TP connection types
If you are in an Annex L system, in Advanced Settings, you must enable the Annex L and disable the Annex J/M.
If you are in an Annex M system, in Advanced Settings, you must enable Annex J/M and disable the Annex L. In all other Annex systems, no changes are needed to the default configuration.
Connection Monitoring tab
-
Automatically detect loss of connectivity to the default gateway - Select this option to detect connectivity loss by sending ARP requests (pinging) to the default gateway and expecting responses.
-
Monitor connection state by sending probe packets to one or more servers on the Internet - Select this option to detect connectivity loss by using more methods and servers.
-
Connection probing method - Select one of the options.
-
Ping addresses - When you select this option, you can configure up to three servers by IP address or host name.
-
Probe DNS servers - When you select this option, the appliance probes the DNS servers as defined in the Internet connection and expects responses.
-
-
Advanced tab
For PPPoE
-
IP Address Assignment (PPPoE IPv4 only) - In Local tunnel IP address, select if the IP address is obtained automatically or manually configured. If manually configured, enter the IP address.
-
Service Provider Settings - In Service, enter a service name (optional) and select the Authentication method.
-
Connect on demand - Select the Connect on demand checkbox if necessary. This is relevant only when you are in high availability mode.
For PPTP and L2TP
-
IP Address Assignment -
-
In Local tunnel IP address, select if the IP address is obtained automatically or manually configured. If manually configured, enter the IP address.
-
In WAN IP assignment, select if the WAN IP address is obtained automatically or manually configured. If manually configured, enter the IP address, Subnet mask, and Default gateway.
-
-
Service Provider Settings - In Service, enter a service name (optional) and select the Authentication method.
-
Connect on demand - Select the Connect on demand checkbox if necessary. This is relevant only when you are in high availability mode.
Port Settings
-
If necessary, select Use custom MTU value and set the MTU size.
Note - For a DMZ interface the MTU value is applied to all LAN ports.
To avoid fragmentation (which slows transmission), set the MTU according to the smallest MTU of all the network devices between your gateway and the packet destination
For static and DHCP mode, set MTU to 1500 or lower.
For PPPoE connections, set MTU to 1492 or lower.
Note - When the gateway is behind a modem that works as a NAT device, the MTU value of the gateway must be the same value as in the modem. If the modem has a PPPoE connection, set the MTU in the gateway to 1492 or lower.
-
MAC address clone - If you select Override default MAC address, you can override the default MAC address used by the Internet connection. This is useful when the appliance replaces another device and wants to mimic its MAC address.
-
If necessary, select Disable auto negotiation. This lets you manually define the link speed of the Internet connection.
-
Select the Link Speed.
-
QoS Settings (bandwidth control) - supported in IPv4 connections only
To enable QoS bandwidth control for download and upload for this specified connection, select the applicable Enable QoS (download) and/or Enable QoS (upload) checkboxes. Enter the maximum Kbps rates for the selected options as provided by your ISP for the Internet upload and download bandwidth.
Make sure that the QoS blade is turned on. You can do this from Home > Security Dashboard > QoS > ON.
ISP Redundancy - supported in IPv4 connections only
Multiple Internet connections can be configured in High Availability or Load Sharing modes. When you configure more than one Internet connection, the Device > Internet page lets you toggle between these options. The Advanced setting of each Internet connection lets you configure each connection's priority or weights based on the set mode.
-
Clear the Route traffic through this connection by default checkbox when you do not want this Internet connection used as a default route for this gateway. The connection is used by the device only if specific, usually service-based, routing rules are defined for it. This is commonly used when you have a connection that is used for dedicated traffic. When you clear this option, this connection does not participate in High Availability or Load Balancing.
-
High Availability - Priority - Select the priority for the connection. Lower priority connections are only used if higher priority connections are unavailable.
-
Load Balancing - Weight - The traffic to the Internet is divided between all available connections based on their weights.
NAT Settings
If the gateway's global hide NAT is turned on in the Access Policy > NAT page, you can disable NAT settings for specified internet connections.
To disable NAT settings:
-
Go to Device > Internet.
-
Select an internet connection and click Edit.
The Edit Internet Connection window opens.
-
Click Advanced > NAT Settings.
-
Select Do not hide internal networks behind this internet connection.
-
Click Apply.