
Models: V-80, V-80W, V-81, V-81W, V-81WL, V-81WD, V-81R, V-81WLR, V-82, V-83

[Classification: Protected]

18 April 2021

QUANTUM SPARK 1500,

1600 AND 1800

APPLIANCE SERIES

R80.20.25

Locally Managed

Administration Guide

Summary of Contents for QUANTUM SPARK 1600

Page 1: ...Models V 80 V 80W V 81 V 81W V 81WL V 81WD V 81R V 81WLR V 82 V 83 Classification Protected 18 April 2021 QUANTUM SPARK 1500 1600 AND 1800 APPLIANCE SERIES R80 20 25 Locally Managed Administration Guide ...

Page 2: ... without prior written authorization of Check Point While every precaution has been taken in the preparation of this book Check Point assumes no responsibility for errors or omissions This publication and features described herein are subject to change without notice RESTRICTED RIGHTS LEGEND Use duplication or disclosure by the government is subject to restrictions as set forth in subparagraph c 1...

Page 3: ... and evolving attacks Certifications For third party independent certification of Check Point products see the Check Point Certifications page Check Point R80 20 25 For more about this release see the R80 20 25 home page Latest Version of this Document in English Open the latest version of this document in a Web browser Download the latest version of this document in PDF format Feedback Check Poin...

Page 4: ...s 17 Deploying the Configuration File Initial Configuration 18 Deploying the Configuration File Existing Configuration 19 Viewing Configuration Logs 19 Troubleshooting Configuration Files 20 Configuration File Error 20 Suggested Workflow Configuration File Error 20 Sample Configuration Log with Error 21 Using the set property Command 21 Configuration and Upgrade Scenarios 22 Configuring Cloud Serv...

Page 5: ...r 30 Configuring QoS 32 Enabling VoIP Traffic 33 Introduction 33 Configuration 33 Appliance Configuration 34 The Home Tab 35 Viewing System Information 35 Controlling and Monitoring Software Blades 36 Setting the Management Mode 38 Configuring Cloud Services 40 Managing Licenses 43 Viewing the Site Map 45 Notifications 45 Managing Active Devices 46 Viewing Monitoring Data 48 Network 48 Troubleshoo...

Page 6: ...nitor Mode 73 Physical Interfaces 74 Bridge 75 VLANs 76 Alias IP 77 VPN Tunnel VTI 78 Virtual Access Point VAP 78 BOND 80 Configuring a Hotspot 82 Configuring the Routing Table 85 Configuring MAC Filtering 88 Configuring the DNS Server 89 Configuring the Proxy Server 90 Backup Restore Upgrade and Other System Operations 91 Using the Software Upgrade Wizard 93 Welcome 93 Upload Software 94 Upgrade ...

Page 7: ...ettings 117 Managing the Access Policy 150 Configuring the Firewall Access Policy and Blade 150 Firewall Policy 151 Application URL Filtering 152 Updates 153 User Awareness 154 Tracking 155 More Information 155 Working with the Firewall Access Policy 156 Firewall Policy 156 Configuring Access Rules 159 Updatable Objects 161 Customizing Messages 161 Defining Firewall Servers 163 Defining NAT Contro...

Page 8: ...e IPS Protections List 196 Advanced Threat Prevention Engine Settings 197 IPS 197 Anti Virus 197 Anti Bot 199 Threat Emulation 200 User Messages 201 Configuring the Anti Spam Blade Control 203 Configuring Anti Spam Exceptions 205 Managing VPN 206 Configuring the Remote Access Blade 206 Configuring Remote Access Users 209 Remote Access Connected Remote Users 214 Configuring Remote Access Authentica...

Page 9: ... Users and User Groups 244 Configuring Local and Remote System Administrators 246 Managing Authentication Servers 252 Managing Applications URLs 256 Managing System Services 258 Managing Service Groups 261 Managing Network Objects 263 Managing Network Object Groups 266 Logs and Monitoring 267 Viewing Security Logs 267 Viewing System Logs 269 Configuring External Log Servers 270 External Check Poin...

Page 10: ...ing Data 276 Viewing Reports 276 Using System Tools 276 SNMP 277 SNMP Traps Receivers 278 SNMP Traps 278 SNMP Traps for VPN Tunnels 278 SNMP Traps for Hardware Sensors 278 Advanced Configuration 280 Upgrade Using a USB Drive 280 Upgrade Using an SD Card 281 Boot Loader 282 Upgrade Using Boot Loader 283 Restoring Factory Defaults 284 ...

Page 11: ... networks 4G LTE Internet connectivity multiple Internet connections more than 2 in High Availability or Load Sharing mode Policy Based Routing and DDNS support Quick deployment with USB is supported for all appliances and with SD card and Dual SIM card for the 1570 1590 appliances For more information see the 1500 appliance series product page This guide describes all aspects that apply to the Qu...

Page 12: ...1R V 81WLR sk166654 1600 V 82 wired only sk168880 1800 V 83 wired only sk168880 For front side and back panel details for each appliance see the relevant Getting Started Guide Review these materials before doing the procedures in this guide n R80 20 25 SMB Release Notes n Known Limitations n Resolved Issues n Getting Started Guide n Small Business Security video channel See the SMB R80 20 25 home ...

Page 13: ...on Guide 13 Setting up the Quantum Spark Appliance To set up the Quantum Spark 1530 1550 1570 1590 1570R 1600 and 1800 Appliance 1 Remove the Quantum Spark Appliance from the shipping carton and place it on a tabletop 2 Identify the network interface marked as LAN1 This interface is preconfigured with the IP address 192 168 1 1 ...

Page 14: ...appliance is ready for login Note The LED is red if there is an alert or error n If you use an external modem Connect the Ethernet cable to the WAN port on the appliance back panel and plug it into your external modem or router s PC LAN network port The Internet LED on the appliance front panel lights up when the Ethernet is connected n If you do not use an external modem Connect the telephone cab...

Page 15: ...ere are different options for first time deployment of your Small and Medium Business SMB gateways n First Time Configuration Wizard For more information see the Getting Started Guide for your appliance model n Zero Touch Cloud Service on page 16 n Deploying from a USB Drive or SD Card on page 17 Note SD card deployment is supported only in 1570 1590 appliances ...

Page 16: ...the Internet Connection settings and then fetch the settings from the Zero Touch server To connect to the Zero Touch server from the First Time Configuration Wizard 1 In the Welcome page of the First Time Configuration Wizard click Fetch Settings from the Cloud 2 In the window that opens click Yes to confirm that you want to proceed 3 The Internet connection page of the First Time Configuration Wi...

Page 17: ...Rome Stockholm Vienna set ntp server primary 10 1 1 10 set ntp server secondary set user admin type admin password aaaa set interface WAN ipv4 address 10 1 1 134 subnet mask 255 255 255 192 default gw 10 1 1 129 delete interface LAN1_Switch set dhcp server interface LAN1 disable set interface LAN1 ipv4 address 10 4 6 3 subnet mask 255 255 255 0 add interface LAN1 vlan 2 set dhcp server interface L...

Page 18: ...ation error To deploy the configuration file from a USB drive for the initial configuration 1 Insert the USB drive into a Quantum Spark Appliance n Quantum Spark Appliance is OFF Turn on the appliance The Power LED is red when the appliance is first turned on It blinks blue while the boot is in progress and then turns solid blue when the process is complete n Quantum Spark Appliance is ON The appl...

Page 19: ...onfigured appliance 1 From the CLI enter the command set property USB_auto_configuration once The appliance is set to use a configuration script from a USB drive 2 Insert the USB drive in the appliance the appliance automatically detects the USB drive The USB LED comes on and is a constant orange 3 The appliance locates the USB configuration file and begins to run the script The USB LED blinks blu...

Page 20: ... a partially configured appliance before you use the First Time Configuration Wizard to ensure that the appliance is configured correctly Suggested Workflow Configuration File Error This section contains a suggested workflow that explains what to do if there is an error with the configuration file on a USB drive Use the set property USB_auto_configuration command when you run a configuration file ...

Page 21: ...configuration script that fails set hostname Demo1 set hostname Setting hostname to Demo1 OK set interface WAN internet primary ipv4 address 66 66 66 11 Error missing argument subnet mask for a new connection Autoconfiguration CLI script failed clish return code 1 Using the set property Command The set property CLI command controls how the Quantum Spark Appliance runs configuration scripts from a ...

Page 22: ...cally connects to Cloud Services Or n The Service Center IP address the Quantum Spark Appliance gateway ID and the registration key Use these details to connect manually your Quantum Spark Appliance to Cloud Services To automatically connect to Cloud Services 1 Make sure the Quantum Spark Appliance was configured with the First Time Configuration Wizard See the relevant Getting Started Guide 2 In ...

Page 23: ...se interfaces Configuration 1 Go to Device Wireless Network 2 Click Guest and follow the wizard instructions See Configuring Wireless Network on page 65 n Set the network protection unprotected or protected network n Set the access and log policy options in the Access Policy tab 3 Make sure that the Use Hotspot checkbox is selected in the wizard 4 Make sure you defined the network interfaces for H...

Page 24: ...te Access users by default option l To select the applicable connection methods For more details see Configuring the Remote Access Blade on page 206 n If the gateway uses a dynamic IP address we recommend you use the DDNS feature See Configuring DDNS and Access Service on page 106 n For the Check Point VPN client or Mobile client method make sure that the applicable client is installed on the host...

Page 25: ...nfigure to add a RADIUS server See Configuring Remote Access Authentication Servers on page 215 3 Click permissions for RADIUS users to set access permissions To configure AD users 1 Go to VPN Authentication Servers and click New to add an AD domain See Configuring Remote Access Authentication Servers on page 215 2 Click permissions for Active Directory users to set access permissions L2TP VPN Cli...

Page 26: ...itoring To make sure the VPN is working 1 Send traffic between the local and peer gateway 2 Go to VPN VPN Tunnels to monitor the tunnel status See Viewing VPN Tunnels on page 231 Configuring Site to Site VPN with a Certificate Introduction In this Site to Site VPN configuration method a certificate is used for authentication Prerequisites n Make sure the Site to Site VPN blade is set to On and All...

Page 27: ...hange CAs between gateways Click Add to add the Trusted CA of the peer gateway This makes sure the CA is uploaded on both the local and peer gateways See Managing Trusted CAs on page 235 Sign a request using one of the gateway s CAs You create a request from one gateway that must be signed by the peer gateway s CA 1 Use the New Signing Request option in Managing Installed Certificates on page 108 ...

Page 28: ...e certificate with the Upload Signed Certificate or Upload P12 Certificate option See Managing Installed Certificates on page 108 2 Make sure that the 3rd party CA is installed on both of the gateways Use the Add option in Managing Trusted CAs on page 235 To authenticate with an existing 3rd party certificate 1 Create a P12 certificate for the local and peer gateway 2 Upload the P12 certificate us...

Page 29: ...switch on LAN ports checkbox 2 Configure network settings on the appliance that is the primary active member 3 Connect a sync cable between the appliances 4 Configure the active member 5 Configure the standby member Prerequisites n In WebUI Device Local Network delete bridge and switch configurations before you start to configure a cluster n The appliances in a cluster must have the same hardware ...

Page 30: ...is done through the active member The WebUI of the standby cluster member only has one tab Device To show the status of the cluster member Go to Device High Availability Upgrading a Cluster When you upgrade a cluster member you can maintain network connectivity during an upgrade One member of the cluster remains active while the other cluster member is upgraded The system is always active and ther...

Page 31: ... To upgrade a cluster member manually 1 On the Device System Operations page click Manual Upgrade The Upgrade Software Wizard opens 2 Follow the Wizard instructions to upgrade the cluster member The upgrade process automatically reboots the member To see the status of each cluster member Go to Device High Availability ...

Page 32: ...r upload speeds You get the speed information from your ISP QoS policy rules apply separately on each configured Internet connection Prerequisites In Access Policy QoS Blade Control make sure the QoS blade is turned on Configuration 1 In Device Internet select an Internet connection and click Edit 2 In the Advanced tab edit the QoS Settings These values are used as a 100 percent baseline when you ...

Page 33: ... 1 Go to Users Objects Services 2 Edit the SIP_UDP and SIP_TCP built in services by enabling SIP inspection on both services Clear the Disable inspection for this service checkbox in each service object For more details see Viewing System Information on page 35 To allow the SIP server to connect to internal phones from the Internet 1 Go to Access Policy Policy 2 Add a rule to the Incoming Internal...

Page 34: ... in you can select the Save user name checkbox to save the administrator s user name The name is saved until you clear the browser s cookies When you log in correctly the WebUI opens to Home System The left pane lets you navigate between the different pages of each of these tabs n Home n Device n Access Policy n Threat Prevention n VPN n Users Objects n Logs Monitoring To log in to the WebUI in a ...

Page 35: ...and wireless network radio status If applicable click the links to configure Internet and Wireless options n Statistics Shows live data graphs of packet rate and throughput To monitor your device s internet connection from your mobile device you must first configure this on the WebUI Home System page To configure connection monitoring 1 In the WebUI go to Home System Internet connections and click...

Page 36: ...figured in the WebUI n Access Policy Contains the Firewall Application URL Filtering User Awareness and QoS blades n Threat Prevention Contains the Intrusion Prevention IPS Anti Virus Anti Bot Threat Emulation and Anti Spam blades n VPN Contains the Remote Access and Site to Site VPN blades It also contains certificate options You can click the tab name link or Software Blade link to access the ta...

Page 37: ... bar graph icon The blade statistics window opens 2 If the blade is turned on n View the graph and details n To go to other blade statistics click the arrows in the header 3 If the blade is turned off n Click View demo to see an example of the statistics shown n Click the X icon to close the demo To view an alert 1 Hover over the alert triangle 2 Click the applicable link ...

Page 38: ... the Security Management Server section click Settings to adjust trust settings or Setup to initialize a connection The Welcome to the Security Management Server Configuration Wizard opens Click Next 2 In the One Time Password SIC page select an option for authenticating trusted communication n Initiate trusted communication securely by using a one time password The one time password is used to au...

Page 39: ... the policy you can investigate the issue with the Security Management Server administrator When the issue is resolved click the Fetch Policy button that shows instead of the Connect button n To connect to the Security Management Server later select Connect to the Security Management Server later 4 Click Finish To reinitialize trusted communication with the Security Management Server 1 In the Secu...

Page 40: ...he MAC address of the Quantum Spark Appliance n At the top of the WebUI application near the search box The name of your Quantum Spark Appliance These are the sections on this page n Cloud Services This section shows Cloud Services details l The Configure option lets you configure initial connectivity l When connected you can click Details to see connectivity details and Fetch now to get updated a...

Page 41: ... to Cloud Services 1 Connect to Cloud Services Provider and establish a secure connection Make sure the gateway registration information is correct 2 Get the security policy and settings 3 Install the security policy and settings When you connect for the first time the appliance must verify the certificate of the Cloud Services Provider against its trusted Certificate Authority list If verificatio...

Page 42: ...test connectivity to the Cloud Services 1 Open a console connection 2 Log in 3 Run this CLI command test cloud connectivity service center addr addr To get an updated security policy activated blades and service settings Click Fetch now The appliance gets the latest policy activated blades and service settings from Cloud Services ...

Page 43: ...ctivate the license it may be because n There is a connectivity issue such as a proxy between your appliance and the Internet Or n Your appliance is not registered If there is a proxy between your appliance and the Internet you must configure the proxy details before you can activate your license To configure the proxy details 1 Click Set proxy 2 Select Use proxy server and enter the proxy server ...

Page 44: ...ed and click Import The activation process starts The region is set when the license is installed The region determines the wireless frequency and parameters as the regulations vary according to region If you are using a trial license only basic radio settings are allowed in all zones A warning that selected wireless radio settings are not applied shows on the Summary page of the First Time Config...

Page 45: ...ws events in a table For each event n Time n Severity Type of event such as Security Alert Attention Required or Informative Event n Subject n Message To filter Enter text in the search filter To view details of a security event Click the event row in the table and click View Details To set the notification setting 1 Click Settings The Notifications Settings window opens 2 Under Mobile notificati...

Page 46: ...age 163 opens Enter the information in the fields and click Apply Use these objects to reserve IP addresses to MAC addresses in the DHCP server and also add this object name as a device in the local DNS service Network objects and server objects can be used in the security configurations for example in the Access Policy and IPS exceptions A server object also allows you to configure access and NAT...

Page 47: ...istration Guide 47 To revoke the Hotspot access 1 Click the record for the relevant device 2 Click Revoke Hotspot Access The access for that device is revoked You must log in again through the Hotspot to reconnect the device to the gateway Note This page is available from the Home and Logs Monitoring tabs ...

Page 48: ...r At one minute intervals For example if you generate a report at 10 15 45 AM the report represents data from 9 15 to 10 15 AM Last day At hourly intervals For example if you generate a report at 10 15 AM the report represents data from the last 24 hours ending at 10 00 AM of the current day n Bandwidth Usage The doughnut chart shows the top 10 applications or users that consumed the most bandwidt...

Page 49: ...e most used high risk applications l The top users of high risk applications You can click Applications Blade Control to open the Access Policy Firewall Blade Control page to see Applications and URL Filtering settings n Security events Shows the number of l Anti Bot Malwares detected by the Security Gateway l Anti Virus Malwares detected by the Security Gateway l Threat Emulation Malicious files ...

Page 50: ...t at 11 15 AM the report represents data from the last month ending at 08 00 AM of the current day System Reboot In the first 24 hour cycle after an appliance starts up after installation or an update the system adds one more time interval to the delta of the next applicable report interval For example for weekly reports that are generated at pair hour intervals the appliance requires 1 more hours...

Page 51: ...th consuming statistics by category site and user You can click the Top category Top site or Top user link to get to the applicable report page It also shows Bandwidth Usage by Applications statistics for the top 5 applications in a doughnut chart and total traffic received and sent n The number of infected devices servers and recently active infected devices n The number of high risk applications...

Page 52: ...c and without cache memory This gives a more accurate picture of the actual memory usage in the appliance but it may differ from figures you receive from Linux tools The information is automatically refreshed n Disk Usage click the Refresh button for the most updated disk usage information 2 Click Close to return to the Tools page To show the routing table 1 Click Show Routing Table The output app...

Page 53: ...etwork list 2 Click Start and then Stop when you want to stop packet capturing 3 Click Download File to view or save the capture file You can activate packet capture and go to other WebUI application pages while the packet capture runs in the background However the packet capture stops automatically if the WebUI session ends Make sure you return to the packet capture page stop and download the cap...

Page 54: ...tion and edit delete or disable existing connections n Monitor the servers and internet connections see Monitoring on page 63 We recommend you contact your local Internet Service Provider ISP to understand how to configure your specific internet connection Notes n IPv6 is not currently supported n ADSL VDSL settings are relevant only for devices that have a DSL port In 1570 1590 appliances you can...

Page 55: ...ing the network throughput and bandwidth A WAN or LAN bond can act like a regular internet connection in the cluster flow A WAN bond in a cluster can be a monitoring interface n USB Serial is for cellular modems n ADSL VDSL If you select the ADSL VDSL interface you must select one of these for the connection type PPPoE IPoE static IP or IPoE dynamic IP You can create a maximum of 32 internet conne...

Page 56: ...HCP n IPoE static IP DSL The Internet IP of the appliance is determined statically You must enter the IP address the subnet mask default gateway and DNS Server Settings n PPTP The Point to Point Tunneling Protocol PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets n L2TP Layer 2 Tunneling Protocol L2TP is a tunneling protocol It does not provide any encrypti...

Page 57: ... there is an interface or link failure If you select this mode you must select a Master i e the primary default port for the traffic 6 Select the Connection type 7 In the Advanced tab select the Mii interval The Mii interval is the frequency in ms that the system polls the Media Independent Interface Mii the standard interface for fast Ethernet to get status 8 If you selected 802 3ad or XOR as you...

Page 58: ...als to connect to the appliance 6 Configure the Connection Monitoring and Advanced tabs as for other interface connections 7 Click Apply Note The Cellular tab is disabled unless you select Cellular for the interface name Only appliances that have an internal LTE modem show the Cellular tab For Security Gateways with cellular Internet connections you can switch the active image between carrier appr...

Page 59: ...the modem 3 Click Apply On the Internet page the Status changes to Connecting with the message Switching carrier configuration package This may take a few minutes To disable image switching In the Cellular tab for each SIM select None for the Carrier configuration package For PPPoE over ATM over VDSL ADSL or IPoE over ATM over VDSL ADSL or for an ADSL interface Enter the VPI number and VCI number ...

Page 60: ...tions still appear even though they are not used to open an internet connection The Connection Monitoring tab n Automatically detect loss of connectivity to the default gateway Select this option to detect connectivity loss by sending ARP requests pinging to the default gateway and expecting responses Note If you use Dynamic Routing you must clear this box to prevent probing of the default gateway...

Page 61: ...red If manually configured enter the IP address l In WAN IP assignment select if the WAN IP address is obtained automatically or manually configured If manually configured enter the IP address Subnet mask and Default gateway n Service Provider Settings In Service enter a service name optional and select the Authentication method n Connect on demand Select the Connect on demand checkbox if necessar...

Page 62: ... the modem has a PPPoE connection set the MTU in the gateway to 1492 or lower n MAC address clone If you select Override default MAC address you can override the default MAC address used by the Internet connection This is useful when the appliance replaces another device and wants to mimic its MAC address n n n Link Speed If necessary select Disable auto negotiation This lets you manually define t...

Page 63: ...e connection Lower priority connections are only used if higher priority connections are unavailable n Load Balancing Weight The traffic to the Internet is divided between all available connections based on their weights NAT Settings If the gateway s global hide NAT is turned on in the Access Policy NAT page you can disable NAT settings for specified internet connections To disable NAT settings 1 ...

Page 64: ...oring tab select both check boxes n Automatically detect loss of connectivity to the default gateway n Monitor connection state by sending probe packets to one or more servers on the Internet 3 For Connection probing method select ping addresses 4 Under Advanced Probing Settings use the default values or enter new ones for n Recovery time in seconds n Max latency allowed milliseconds n Probing fre...

Page 65: ...dit the clone To clone a VAP Select the relevant VAP and click Clone When you clone a VAP it receives a new name which is displayed in the table The IP address and range of the clone is different than the original To edit a VAP 1 Double click the relevant VAP or select the VAP name and click Edit The Edit window opens Note The wireless radio transmitter is the main VAP 2 In the Configuration tab s...

Page 66: ...elect the correct Operation mode Channel Channel width and Transmitter power 3 Click Advanced to set the Guard Interval and Antenna control 4 Click Apply This configuration is global for all wireless networks Some options may not be available or allowed depending on your country s wireless standards 1530 1550 appliances only The wireless client search options depend on the frequency that the appli...

Page 67: ...n as WPA Personal The RADIUS servers Enterprise mode option requires defining RADIUS servers in the Users Objects Authentication Servers page Each user that tries to connect to the wireless network is authenticated through the RADIUS server This option is also known as WPA Enterprise n Network password When authenticating using a password enter a password or click Generate for an automatically gen...

Page 68: ...sabled Access Policy tab These options create automatic rules that are shown in the Access Policy Firewall Policy page n Allow access from this network to local networks Wireless network is trusted n Log traffic from this network to local networks Advanced tab Click the checkbox to exclude from DNS proxy DNS Server Settings For DHCPv4 These settings are effective only if a DHCPv4 server is enabled...

Page 69: ...er Settings You can optionally configure these additional parameters so they will be distributed to DHCP clients n Time servers n Call manager n TFTP server n TFTP boot file n X Window display manager n Avaya IP phone n Nortel IP phone n Thomson IP phone Custom Options Lets you add custom options that are not listed above For each custom option you must configure the name tag type and data fields ...

Page 70: ...ork device can have multiple connections to a network n Create and configure VPN tunnels VTI which can be used to create routing rules which determine which traffic is routed through the tunnel and therefore also encrypted Route based VPN n Create a BOND Link Aggregation between two or more interfaces This improves performance and redundancy by increasing the network throughput and bandwidth The L...

Page 71: ...able connection status of each physical interface that is enabled Otherwise it shows disabled l Wireless networks Shows if the wireless network is up or disabled Reserved IP Address for Specific MAC You can configure your network so that IP addresses are assigned only for known hosts Known hosts are already defined as network objects and a specific MAC address is assigned to the IP Other hosts DHC...

Page 72: ...ded from this range You can also exclude or reserve specified IP addresses if you define network objects in the Users Objects Network Objects page To reserve specified IP addresses you must have the device MAC address n Relay Enter the DHCP server IP address n Disabled WAN as LAN In 1570R Appliances the two SFP ports are associated with DMZ and WAN DMZ can already be used for an internal network bu...

Page 73: ...e n Traffic to external hosts is inspected by the Outgoing Rule Base n Threat prevention s default configuration is optimized to inspect suspicious traffic from external hosts to internal hosts To configure monitor mode in the WebUI 1 Go to Device Local Network 2 Select an interface and double click The Edit window opens in the Configuration tab 3 In the Assigned To drop down menu select Monitor M...

Page 74: ...configuration use defined networks true. 4. To see user-defined internal networks: show monitor mode network. 5. To disable Anti-Spoofing: set antispoofing advanced settings global activation false. If you do not see the Monitor Mode option: 1. Run this command in Gaia Clish: set monitor mode configuration allow monitor mode true. 2. Select an interface in the WebUI and click Edit. Monitor Mode is now added to th...

Page 75: ...ote that in the Quantum Spark Appliance the value is global for all physical LAN and DMZ ports. Disable auto-negotiation: Select this option to configure the link speed of the interface manually. Override default MAC address: This option is for local networks, except those on VLANs and wireless networks. Use this option to override the default MAC address of the network's interface. When the device...

Page 76: ...ly excluded from this range. You can also exclude or reserve specific IP addresses by defining network objects in the Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device. Relay: Enter the DHCP server IP address. Disabled. The Advanced tab: MTU size: Configure the Maximum Transmission Unit size for an interface. Disable auto-negotiation: Select t...

Page 77: ...addresses requires the MAC address of the device. Relay: Enter the DHCP server IP address. Disabled. Alias IP: With an alias IP you can associate more than one IP address with a network interface: a single network device can have multiple connections to a network, or a specific port is used by more than one network (all devices are on the same network even though they show different IPs). For example, LAN...

Page 78: ...gateways. You must define the VPN community and its member Security Gateways before you can create a VTI. Configure the fields in the tabs. The Configuration tab: VPN Tunnel ID: A number identifying the VTI. Peer: The name of the remote VPN site (see Configuring VPN Sites on page 224). The VPN tunnel interface can be numbered or unnumbered; select the applicable option. Numbered VTI: You configure a loc...

Page 79: ...s for the First DNS server, Second DNS server and Third DNS server. Default Gateway: Select one of these options: Use this gateway's IP address as the default gateway; or Use the following IP address: Enter an IP address to use as the default gateway. WINS: Select one of these options: Use the WINS servers configured for the Internet connection; or Use the following WINS servers: Enter the IP addresses of ...

Page 80: ...b, under BOND configuration, select a minimum of 2 LANs that are unassigned and disabled. Note: You cannot select LAN interfaces that have a VLAN assigned to them. 3. Select the Operation mode: 802.3ad: Dynamically uses Active interfaces to share the traffic load. Traffic is assigned to Active interfaces based on the transmit hash policy (Layer2 or Layer3+4). Round Robin: Selects the Active interface seque...

Page 81: ...7. If you selected 802.3ad or XOR as your operation mode, select the Hash policy from the dropdown menu: Layer2 or Layer3+4. 8. Click Apply. To create a WAN BOND, see Configuring Internet Connectivity on page 54.
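The two hash policies offered for the 802.3ad and XOR modes decide which BOND member carries a given packet, and the choice matters for how evenly traffic spreads. The following is an added example, not code from the Check Point guide: it implements the Layer2 and Layer3+4 formulas as documented for the Linux bonding driver and shows that flows arriving through a single upstream router MAC all share one member under Layer2 but spread under Layer3+4. That the appliance uses exactly this arithmetic is an assumption; the MAC addresses, IP addresses and ports are constructed.

```python
"""Added example (not from the Check Point guide): how the Layer2 and
Layer3+4 transmit hash policies named for the 802.3ad and XOR BOND modes
choose the active member for a packet. The formulas are the ones in the
Linux bonding documentation; that the appliance uses the same arithmetic is
an assumption. MACs, addresses and ports below are constructed."""
import ipaddress
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, str, int, int]  # src_mac, dst_mac, src_ip, dst_ip, sport, dport


def layer2_slave(src_mac: str, dst_mac: str, n_slaves: int) -> int:
    """Layer2: (src MAC XOR dst MAC) mod slave count, using the last MAC byte.
    All frames between the same two MACs share one member, so traffic that
    arrives via one router MAC never spreads across the BOND."""
    s = int(src_mac.replace(":", "")[-2:], 16)
    d = int(dst_mac.replace(":", "")[-2:], 16)
    return (s ^ d) % n_slaves


def layer34_slave(src_ip: str, dst_ip: str, sport: int, dport: int, n_slaves: int) -> int:
    """Layer3+4: ((sport XOR dport) XOR ((src IP XOR dst IP) & 0xffff)) mod count.
    Distinct TCP/UDP flows between the same hosts can land on different members."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    return ((sport ^ dport) ^ ((s ^ d) & 0xFFFF)) % n_slaves


def distribute(flows: List[Flow], n_slaves: int) -> Dict[str, List[int]]:
    """Count how many of the given flows each policy would put on each member."""
    counts = {"layer2": [0] * n_slaves, "layer3+4": [0] * n_slaves}
    for src_mac, dst_mac, src_ip, dst_ip, sport, dport in flows:
        counts["layer2"][layer2_slave(src_mac, dst_mac, n_slaves)] += 1
        counts["layer3+4"][layer34_slave(src_ip, dst_ip, sport, dport, n_slaves)] += 1
    return counts


# Constructed sample: four client flows that all enter the appliance through
# the same upstream router MAC (so Layer2 sees one MAC pair) but differ in
# IP addresses and ports.
ROUTER_MAC, GATEWAY_MAC = "52:54:00:aa:bb:01", "52:54:00:aa:bb:02"
SAMPLE_FLOWS: List[Flow] = [
    (ROUTER_MAC, GATEWAY_MAC, "192.168.1.10", "8.8.8.8", 50000, 53),
    (ROUTER_MAC, GATEWAY_MAC, "192.168.1.11", "8.8.8.8", 50001, 53),
    (ROUTER_MAC, GATEWAY_MAC, "192.168.1.12", "1.1.1.1", 50002, 443),
    (ROUTER_MAC, GATEWAY_MAC, "192.168.1.13", "1.1.1.1", 50003, 443),
]

if __name__ == "__main__":
    for policy, per_member in distribute(SAMPLE_FLOWS, 2).items():
        print(f"{policy:9s} -> flows per member: {per_member}")
```

With two members, the sample puts all four flows on one link under Layer2 and two on each under Layer3+4, which is why Layer3+4 is the usual choice when the BOND faces a single router or firewall rather than many directly attached hosts.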

Page 82: ...de from the Hotspot. If no network interface was defined for the Hotspot, click Configure in Local Network. In the Access section of the page you can configure whether authentication is required and allow access to all users or to a specified user group (Active Directory, RADIUS or local). Hotspot is automatically activated in the system. To disable Hotspot: 1. Go to Device > Advanced Settings. 2. Search for Hotspot...

Page 83: ...c user group, enter the group's name in the text box. 4. Click Apply. Any user or user group that browses from configured interfaces is redirected to the Check Point Hotspot portal and must enter authentication credentials. To configure the session timeout: 1. In Session timeout, enter the number of minutes that defines how long a user stays logged in to the session before it ends. 2. Click Apply. To customi...

Page 84: ...al: 1. Go to Device > Advanced Settings. 2. Select Hotspot. 3. Click Edit. The Hotspot window opens. 4. Select the Prevent simultaneous login checkbox. 5. Click Apply. The same user cannot log in to the Hotspot portal from more than one computer at a time. On the Active Devices page (available through the Home and Logs & Monitoring tabs) you can revoke Hotspot access for connected users.

Page 85: ...ute rule applies only to traffic whose service matches the service (IP protocol and ports) or service group. Next Hop: The next hop gateway for this route, with these options: a specified IP address of the next hop gateway; a specified Internet connection from the connections configured in the appliance; or a specified VPN Tunnel Interface (VTI). Metric: Determines the priority of the route. If multiple routes to...

Page 86: ...earch field. You can create a new service or service group. Note: Static routes are not supported for source-based or service-based routes using a VTI VPN. 8. Optional: Enter a comment. 9. Enter a Metric between 0 and 100. The default is 0. 10. Click Apply. To configure a default route: 1. Go to the Device > Local Network page. 2. Select an interface and click Edit. The Edit window opens in the Configuration tab. 3. Click t...

Page 87: ...ve Internet connection. When a network interface is disabled, all routes that lead to it show as inactive in the routing page. A route automatically becomes active again when the interface is enabled. Traffic for an inactive route is routed according to the active routing rules, usually to the default route. The edit, delete, enable and disable options on the Device > Local Network page are only available for manually de...

Page 88: ...After MAC filtering is enabled you can disable the feature for specified networks. To edit the LAN MAC Filter whitelist: 1. Go to Device > MAC Filtering > LAN MAC Filter. 2. To add a new MAC address, click Add New. 3. To select MAC addresses from the list of Active Devices, click Add > Select. 4. To edit a MAC address, select it from the list and click Edit. 5. To delete a MAC address, select it from the list and cli...

Page 89: ...ically provided by the ISP. If Internet Connection High Availability is enabled, the DNS servers switch automatically upon failover. 2. By default the appliance functions as your DNS proxy and provides DNS resolving services to the internal hosts behind it (network objects). This option is global and applies to all internal networks. To let hosts get IP addresses directly from the DNS servers defined above, clear the En...

Page 90: ...Configuring the Proxy Server. In the Device > Proxy page you can configure a proxy server that the appliance uses to connect to the Check Point update and license servers. To configure a proxy server: 1. Select Use a proxy server. 2. Enter a Host name or IP address. 3. Enter a Port. 4. Click Apply.

Page 91: ...The factory default settings are restored. The appliance reboots to complete the operation. Note: This does not change the software image. Only the settings are restored to their default values: IP address 192.168.1.1, WebUI address https://192.168.1.1:4434, the username admin and the password admin. Because these are the published defaults, change the admin password as soon as you log in again. To revert to the factory default image: 1. Click Factory Defaults. 2. Click OK in the confirmation message. The f...

Page 92: ...o upgrade it immediately, or click More Information to see what is new in the firmware version. If the gateway is configured by Cloud Services, automatic firmware upgrades are locked; they can only be set by Cloud Services. To upgrade your appliance firmware manually: 1. Click Manual Upgrade. The Upgrade Software Wizard opens. 2. Follow the Wizard instructions. Note: The firewall remains active while the up...

Page 93: ...the backed-up file. 3. Click Upload File. Important Notes: To replace an existing appliance with another one (for example, upon hardware failure), you can restore the settings saved on your previous appliance and reactivate your license through Device > License. To duplicate an existing appliance, you can restore the settings of the original appliance on the new one. Restoring settings of a different ver...

Page 94: ...mage, including the firmware, all system settings and the current security policy. When you click Next, the upgrade process starts. Upgrading: The Upgrading page shows an upgrade progress indicator and checks off each step as it is completed: Initializing upgrade process; Installing new image. Backing up the System: To create a backup file: 1. Click Create Backup File. The Backup Settings window opens. 2. To...

Page 95: ...s. 3. Configure the file storage destination: a. Select FTP or STP server. b. Enter a Backup server path. c. Enter a username and password. d. Click Apply. 4. Optional: Select Use file encryption. If you select this option, you must enter and confirm a password. Use it whenever the backup leaves the appliance over FTP, which carries both the credentials and the file in cleartext. 5. In Schedule Periodic Backup, select the frequency: Daily: Select the time of day (hour range); Weekly: Select the day of the week and time of day; Monthly: Select the day of...

Page 96: ...rators can update or modify operating system settings. They can select a service or network object but cannot create or modify it. Mobile Administrator: Mobile administrators are allowed all networking operations on all interfaces. They can change their own passwords, generate reports, reboot, change events and the mobile policy, and perform active hosts operations and pairing. They cannot log in from or access the WebUI...

Page 97: ...ake sure a RADIUS server is defined on the appliance. If there is no server, click the RADIUS configuration link at the top of this page. You must configure the IP address and shared secret used by the RADIUS server. 3. When you have a configured RADIUS server, click Edit permissions. The RADIUS Authentication window opens. 4. Select the Enable RADIUS authentication for administrators checkbox. Use roles def...

Page 98: ...ck Mobile Pairing Code. The Connect Mobile Device window opens. 2. Select an administrator from the pull-down menu. 3. Click Generate. This generates a QR code to connect the Check Point WatchTower mobile application with the appliance for the first time. For more information about the mobile application, see the Check Point SMB WatchTower App User Guide. Configuring a RADIUS Server for non-local Quantum S...

Page 99: ...d 2000. 3. Add this line to the dictiona.dcm file: checkpoint.dct. 4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = role, where the allowed values of role are (Administrator Role: Value): Super Admin: adminRole; Read only: monitorrole; Networking Admin: networkingrole; Mobile Admin: mobilerole. Configuring a FreeRADIUS server for non-local appliance...

Page 100: ...irectory on the RADIUS server. Check Point Gaia vendor-specific attributes, formatted for the OpenRADIUS RADIUS server: Add this file to /etc/openradius/subdicts and add the line "include subdicts/dict.checkpoint" to /etc/openradius/dictionaries, right after dict.ascend: add vendor 2620 CheckPoint; set default vendor=CheckPoint space=RAD-VSA-STD len_ofs=1 len_size=1 len_adj=0 val_ofs=2 val_size=2 val_type=St...

Page 101: ...le; Networking Admin: networkingrole; Mobile Admin: mobilerole. To log in as a Super User: A user with super user permissions can use the Quantum Spark Appliance shell to do system-level operations, including working with the file system. 1. Connect to the Quantum Spark Appliance platform over SSH or serial console. 2. Log in to the Gaia Clish shell with your user name and password. 3. Run expert. 4. Enter the E...
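Pages 99 to 101 describe the RADIUS side of non-local administrators: the server returns the Check Point vendor-specific attribute CP-Gaia-User-Role whose value selects the role. The following is an added example, not code from the guide or from Check Point: it encodes that attribute in the RFC 2865 Vendor-Specific format (type 26, vendor ID 2620 as given in the OpenRADIUS dictionary on page 100) and parses it back, skipping other vendors' attributes and refusing role values that are not in the table on page 99. The vendor attribute number 229 for CP-Gaia-User-Role is an assumption taken from the public Check Point dictionary, so verify it against the checkpoint.dct you install; the Cisco attribute used as a decoy is constructed.

```python
"""Added example (not from the Check Point guide): build and parse the
RADIUS Vendor-Specific Attribute (RFC 2865 type 26) that carries the Gaia
role. Vendor ID 2620 and the role values are from the guide; the vendor
attribute number 229 for CP-Gaia-User-Role is an assumption taken from the
public Check Point dictionary, so check it against your checkpoint.dct."""
import struct
from typing import List, Optional, Tuple

VSA_TYPE = 26                 # RFC 2865 Vendor-Specific
CHECKPOINT_VENDOR_ID = 2620   # from the OpenRADIUS dictionary on page 100
CP_GAIA_USER_ROLE = 229       # assumed vendor-type of CP-Gaia-User-Role

# Role values from the table on page 99 and the admin roles they map to.
ROLE_NAMES = {
    "adminRole": "Super Admin",
    "monitorrole": "Read only",
    "networkingrole": "Networking Admin",
    "mobilerole": "Mobile Admin",
}


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value."""
    if len(value) > 247:  # 255 - 2 (outer header) - 4 (vendor id) - 2 (inner header)
        raise ValueError("VSA value too long for a single attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def encode_role_vsa(role: str) -> bytes:
    """Encode CP-Gaia-User-Role = role, refusing values not in the role table."""
    if role not in ROLE_NAMES:
        raise ValueError(f"unknown Gaia role {role!r}")
    return build_vsa(CHECKPOINT_VENDOR_ID, CP_GAIA_USER_ROLE, role.encode("ascii"))


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs.
    Stops at the first malformed TLV instead of reading past the buffer."""
    attrs: List[Tuple[int, bytes]] = []
    off = 0
    while off + 2 <= len(blob):
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            break
        attrs.append((atype, blob[off + 2:off + alen]))
        off += alen
    return attrs


def gaia_role_from_attributes(blob: bytes) -> Optional[str]:
    """Return the CP-Gaia-User-Role value if it is one of the known roles.
    Other vendors' VSAs are skipped; an unknown role value yields None, so the
    caller falls back to 'no administrator access' rather than guessing."""
    for atype, value in parse_attributes(blob):
        if atype != VSA_TYPE or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CHECKPOINT_VENDOR_ID:
            continue
        off = 4
        while off + 2 <= len(value):
            vtype, vlen = value[off], value[off + 1]
            if vlen < 2 or off + vlen > len(value):
                break
            if vtype == CP_GAIA_USER_ROLE:
                role = value[off + 2:off + vlen].decode("ascii", errors="replace")
                return role if role in ROLE_NAMES else None
            off += vlen
    return None


if __name__ == "__main__":
    # Constructed Access-Accept attribute list: a Cisco AV-pair first (vendor 9),
    # then the Check Point role. Only the Check Point VSA is honoured.
    reply = build_vsa(9, 1, b"shell:priv-lvl=15") + encode_role_vsa("monitorrole")
    role = gaia_role_from_attributes(reply)
    print(role, "->", ROLE_NAMES.get(role))
```

The point of the strict lookup is that a RADIUS server misconfiguration (a typo in the role string, or a server that hands out another vendor's privilege attribute) degrades to no access rather than to a wrong role.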

Page 102: ...access client. Internet: Clear traffic from the Internet (it is not recommended to allow access from all IP addresses). To allow administrator access from any IP address: 1. Select the Any IP address option. This option is less secure and not recommended. We recommend you allow access from the Internet to specific IP addresses only. 2. Change the WEB Port (HTTPS) and/or SSH port if necessary. 3. Click Apply. An admin...

Page 103: ...the WEB Port (HTTPS) and/or SSH port if necessary. 8. Click Apply. An administrator can use the configured IP addresses to access the appliance through the allowed interface sources. To delete administrator access from a specific IP address: 1. Select the IP address you want to delete from the IP Address table. 2. Click Delete. Important Notes: Configuring different access permissions for LAN and Internet i...
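Pages 102 and 103 define administrator access as a set of allowed sources per interface plus the management ports, and they single out "Any IP address" on the Internet side as the configuration to avoid. The following is an added example, not code from the guide: an offline model of that check that decides whether a connection is accepted and reports the configuration the guide advises against. The class and method names are mine; the WebUI port 4434 is the one given on page 91, and the address ranges are constructed.

```python
"""Added example (not from the Check Point guide): an offline model of
the administrator-access rules on pages 102-103. Allowed sources are kept per
interface (LAN, Internet); an Internet entry of "any" is what the guide calls
less secure and not recommended. The class and method names are mine; 4434
for the WebUI port comes from page 91 and the address ranges are constructed."""
import ipaddress
from typing import Dict, List, Union

Source = Union[str, ipaddress.IPv4Network]  # "any" or a network


class AdminAccessPolicy:
    def __init__(self, https_port: int = 4434, ssh_port: int = 22) -> None:
        self.ports = {https_port, ssh_port}
        self.sources: Dict[str, List[Source]] = {"LAN": [], "Internet": []}

    def allow(self, interface: str, source: str) -> None:
        """Add a source: 'any' or an address/CIDR such as 203.0.113.0/24."""
        if interface not in self.sources:
            raise ValueError(f"unknown interface {interface!r}")
        self.sources[interface].append(
            "any" if source == "any" else ipaddress.IPv4Network(source, strict=False))

    def permits(self, interface: str, src_ip: str, dport: int) -> bool:
        """An admin connection is accepted only on a management port and only
        if the source is listed for the interface the packet arrived on."""
        if dport not in self.ports:
            return False
        addr = ipaddress.IPv4Address(src_ip)
        for src in self.sources.get(interface, []):
            if src == "any" or addr in src:
                return True
        return False

    def warnings(self) -> List[str]:
        """Flag the configuration the guide advises against."""
        out = []
        if "any" in self.sources["Internet"]:
            out.append("Internet: administrator access from any IP address is enabled")
        return out


if __name__ == "__main__":
    policy = AdminAccessPolicy()
    policy.allow("LAN", "any")                     # trusted side
    policy.allow("Internet", "203.0.113.0/24")     # constructed admin range
    print(policy.permits("Internet", "203.0.113.7", 4434))
    print(policy.permits("Internet", "198.51.100.9", 4434))
    print(policy.warnings())
```

Changing the HTTPS or SSH port, as steps 2 and 7 allow, only moves the service; the source restriction is what keeps the management plane off the open Internet.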

Page 104: ...ters and the hyphen character. Do not use the hyphen as the first or last character. For wireless devices only: Configure the Country. The allowed wireless radio settings vary based on the standards in each country. Assign a Web portal certificate. To assign a Web portal certificate: 1. Click the downward arrow next to the Web portal certificate field. The list of uploaded certificates shows. 2. Select t...

Page 105: ...on the network. 1. Select the Set Date and Time Using a Network Time Protocol (NTP) Server option. 2. Enter the host names or IP addresses of the Primary NTP Server and Secondary NTP Server. If the Primary NTP Server fails to respond, the Secondary NTP Server is queried. 3. Set the Update Interval (minutes) field. 4. Select the NTP Authentication checkbox if you want to supply a Shared Secret and a Shared Secret...

Page 106: ...vider: Select the DDNS provider that you set up an account with. User name: Enter the user name of the account. Password: Enter the password of the account. Note: You cannot use these characters in a password or shared secret. Maximum number of characters: 255. Host name: Enter your routable host name as defined in your DDNS account. For more information about these details, refer to your provider's webs...

Page 107: ...ates in VPN, you can exclude the WAN interface (or any other interface used for the Internet connection) from the encryption domain and use Reach My Device traffic without a VPN tunnel. In the VPN > Site to Site global settings > Advanced Setting, enable Do not encrypt connections originating from the local gateway. How to access the gateway with the Reach My Device service: When registration is complete, an...

Page 108: ...o-site VPN, SSL VPN and the Web portal. When Cloud Services is turned on and the appliance is configured by Cloud Services, the Cloud Services Provider certificate is downloaded automatically to the appliance. The Cloud Services Provider certificate is used by community members configured by Cloud Services. Note: If you turn Cloud Services off, the Cloud Services Provider certificate is removed. These are...

Page 109: ...the CA. 1. Select the signing request entry from the table. 2. Click Upload Signed Certificate. 3. Browse to the signed certificate file (.crt). 4. Click Complete. The status of the installed certificate record changes from Waiting for signed certificate to Verified. To upload a P12 file: 1. Click Upload P12 Certificate. 2. Browse to the file. 3. Edit the Certificate name if necessary. 4. Enter the certificate passwo...

Page 110: ...S is configured, or its external IP address. If you have multiple Internet connections configured in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation. 3. Select the number of years for which the Internal VPN Certificate is valid. The default is 3. The maximum value allowed is 2...

Page 111: ...mote site. For third-party appliances, look in their Administration Guide to see where signing requests are created. The file must be in a path accessible to the appliance. After you click OK in the file browsing window, the file is uploaded. If it is correctly formatted, it is signed by the Internal CA and the Download button becomes available. 3. Click Download. The signed certificate is downloaded t...

Page 112: ...IP address. Sync: Two physical interfaces must be defined as Sync interfaces and connected between the members to allow proper failover as needed. The default is to use the LAN2 Sync physical port. Non-HA (also called private): The physical interface in this member does not participate in High Availability functions. Monitored (also called private monitored): The physical interface in this member is not c...

Page 113: ...the cluster. To see detailed information about the cluster status, click Diagnostics. To create a cluster: 1. Click Configure Cluster. The New Cluster Wizard opens. 2. In Step 1, Gateway Priority, select one of the options: Configure as primary member, if this appliance must be configured first; or Configure as secondary member, if a primary member is already configured and this appliance connects to it. 3. Clic...

Page 114: ...er the Secure Internal Communication password. b. Click Establish Trust. 6. Click Finish. When the cluster is successfully configured, you see the status of the members on this page. After the cluster is configured, when you connect to the cluster IP address you are automatically redirected to the active cluster member. To log in to a specific member, you must log in with the member's IP address. Note that th...

Page 115: ...dresses of each interface. Select Enable High Availability on interface and enter the networking details for both member gateways and the cluster entity. Note: This step is divided into several sub-steps, one for each interface. 8. Click Finish. 9. Log in to the WebUI of the other cluster member. 10. Under Device > High Availability, click Configure Cluster. The New Cluster Wizard opens. 11. Select Configure as s...

Page 116: ...r individually. Start with the standby member. After the upgrade the appliance automatically reboots. Only manual upgrade is supported. To upgrade a cluster manually: 1. Go to Device > System Operations. 2. Click Manual Upgrade. The Upgrade Software Wizard opens. 3. Follow the wizard instructions. IPv6 addresses are currently not supported; the High Availability cluster only supports IPv6 in dual mode.

Page 117: ...Enter text in the Type to filter field. The search results are shown dynamically as you type. 2. To cancel the filter, click X next to the search string. To configure the appliance attributes: 1. Select an attribute. 2. Click Edit. The attribute window opens. 3. Configure the settings, or click Restore Defaults to reset the attribute to its default settings. For more details on the attributes, see the next secti...

Page 118: ...to handle large amounts of unexpected traffic, especially during a Denial of Service attack. If the defined threshold is exceeded, each incoming connection triggers the deletion of ten connections from the eligible-for-deletion list. An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit. If there ar...

Page 119: ...limit, if memory exceeds a limit, or if both exceed their limits. 2. Enter the percentage that you want to define as the limit for either the connections table or memory consumption. If you select both, the values in the percentage fields of the other options are applied. The default is 80, with connections from the eligible-for-deletion list being deleted if either the connections table or memory consumption pass...
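Pages 118 and 119 describe aggressive aging: once the connections table (or memory) passes the configured percentage, every new connection evicts ten connections from the eligible-for-deletion list until utilisation is back under the limit. The following is an added example, not code from the guide: a small simulation of that mechanism using only the behaviour the pages state (the default limit of 80 percent and ten deletions per new connection). Capacity, connection IDs and the idle flag are constructed, and what the appliance does when the eligible list is empty is not covered by this extract, so the model raises an error at that point rather than guessing.

```python
"""Added example (not from the Check Point guide): a simulation of the
aggressive-aging mechanism on pages 118-119. Utilisation is checked against
the limit (default 80 percent, from the guide); once it is exceeded, every
new connection removes ten connections from the eligible-for-deletion list
until utilisation is back under the limit. Capacity and connection IDs are
constructed; what happens when the list is empty is not covered by the
extract, so this model raises an error at that point."""
from collections import OrderedDict
from typing import List


class ConnectionTable:
    DELETIONS_PER_NEW_CONNECTION = 10  # from the guide

    def __init__(self, capacity: int, limit_pct: int = 80) -> None:
        self.capacity = capacity
        self.limit_pct = limit_pct
        self.active: "OrderedDict[str, bool]" = OrderedDict()  # conn_id -> idle flag

    def utilisation_pct(self) -> float:
        return 100.0 * len(self.active) / self.capacity

    def eligible(self) -> List[str]:
        """Idle connections, oldest first, that aggressive aging may drop."""
        return [cid for cid, idle in self.active.items() if idle]

    def add(self, conn_id: str, idle: bool = False) -> int:
        """Insert a connection; return how many eligible connections were aged out."""
        if len(self.active) >= self.capacity and not self.eligible():
            raise RuntimeError("connections table full and nothing eligible for deletion")
        self.active[conn_id] = idle
        deleted = 0
        if self.utilisation_pct() > self.limit_pct:
            for victim in self.eligible()[: self.DELETIONS_PER_NEW_CONNECTION]:
                del self.active[victim]
                deleted += 1
        return deleted


if __name__ == "__main__":
    table = ConnectionTable(capacity=100)
    for i in range(80):                      # 80 idle connections = 80 %
        table.add(f"idle-{i}", idle=True)
    print(table.add("new-0"))                # the 81st connection crosses the limit
    print(table.add("new-1"), table.utilisation_pct())
```

The simulation makes the trade-off visible: under a flood, established but idle sessions are the ones sacrificed, so a service whose legitimate connections sit idle for long periods will feel aggressive aging first.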

Page 120: ...on timeout: Indicates the timeout in seconds to wait for an IP reputation test result. Scan outgoing emails: Scan the content of emails which are sent from the local network to the Internet. Transparent proxy: Use a transparent proxy for inspected email connections. When disabled, configuration of the proxy address and port is required on client machines. (Table: Anti-Spam Policy Attributes.) Anti-Spoofing At...

Page 121: ...inspection engine to improve application identification. Web site categorization mode: Indicates the mode that is used for website categorization. Background: Requests are allowed until categorization is complete. When a request cannot be categorized with a cached response, an uncategorized response is received and access to the site is allowed. In the background, the Check Point Online Web Service continue...

Page 122: ...s to allow a quicker failover by the network's switch. Using the virtual MAC address minimizes the potential traffic outage during failover and removes the need to use G-ARPs for NATed IP addresses. (Table: Cluster Attributes.) DDNS: Iterations: Number of DNS updates. (Table: DDNS Attributes.) DHCP Bride: MAC Assignment: Indicates whether the MAC address for the DHCP...

Page 123: ...x J/M: In an Annex A appliance, combined with supported ADSL2, it specifies Annex M ADSL2. In an Annex B appliance, combined with supported ADSL2, it specifies Annex J ADSL2. DSL globals Annex L: In an Annex A appliance, combined with enabled ADSL2 (G.992.3), specifies support for Annex L. DSL globals 8a: Supports VDSL Profile 8a. DSL globals 8b: Supports VDSL Profile 8b. DSL globals 8c: Supports VDSL Profile 8c. DS...

Page 124: ...reject from internal. Log implied rules: Produce log records for connections that match implied rules. (Table: Firewall Policy Attributes.) General Temporary Directory Size: General temporary directory size: Controls the size in MB of the general temporary directory. System temporary directory size: Controls the size in MB of the temporary directory that is used by the system. (Table: Gene...

Page 125: ...ts: Fragmented IP packets are allowed if they do not exceed a configured threshold. When selecting this option, you can configure the maximum number of accepted incomplete packets. You can also configure the timeout in seconds for holding unassembled fragmented packets before discarding them. (Table: IP Fragments Parameters.) IP Resolving: IP Resolving Activation: Enable/D...

Page 126: ...can configure an HTML page that opens when an attack is detected. To configure the page, go to Advanced Settings > IPS engine settings > HTML error page configuration. Redirect to another URL: Enter a URL to which users are redirected when an attack is detected. You can also select to add an error code that provides more information about the detected attack. This is not recommended because the informati...

Page 127: ...nal Path MTU Discovery Mode: Select from these options: Disabled; Run Once: Runs once after establishing the Internet connection and tries to detect the path MTU; Run as a daemon: Runs in the background and tries to detect the path MTU. (Table: Internet Attributes.) IoT Stats: IoT Stats Activation: Enable/disable IoT statistics collection. Default: Disabled. (Table: IoT Stats Attributes.) MAC Filteri...

Page 128: ...e in hours until the pairing code expires. Type: Integer. Mobile Settings: Verify SSL certificate: Verify the SSL certificate when sending mobile notifications to the cloud server. (Table: Mobile Setting Attributes.) Multiple ISP Route Refresh: Multiple ISP Route Refresh mode: Indicates whether acceleration refreshes routes in a multiple-ISP configuration. (Table: Multiple ISP Route Refresh Attribute...

Page 129: ...for different destinations: Select this option to reuse IP addresses from the Pool for different destinations. Unused addresses interval: Configure in minutes the time it takes for unused addresses to return to the IP address pool. Address exhaustion tracking: Specifies the type of log to issue if the IP Pool is exhausted. Address allocation and release tracking: Specifies whether to log...

Page 130: ...whether notifications are sent to the mobile application. Notifications Policy: The maximum number of notifications sent per hour: The maximum number of notifications sent to mobile devices per hour. (Table: Notification Policy Attributes.) Operating Systems: Operating system tmpDirSize (Operating system System temporary directory size): Controls the size in MB of the tempor...

Page 131: ...ontrol for network switch: Indicates if flow control is enabled for the network switch. Type: Boolean. Default: false. Force cellular module to use 4G network: When disabled, the modem uses all available bands. When enabled, the modem uses 4G bands only. Type: Boolean. Default: false. (Table: OS advanced settings, continued.) Privacy Settings: Help Check Point improve its products by sending data: Custom...

Page 132: ...er that allows administration access to the appliance from the Internet even when behind NAT. (Table: Reach My Device Attributes.) Report Settings: Max Period: Maximum period to collect and monitor data. You must reboot the appliance to apply changes. Reports cloud server URL: Reports cloud server URL used to generate the report PDF. (Table: Report Settings At...

Page 133: ...ects through the serial port to the console of the connected device. This console is accessible through a telnet connection to a configured port on the appliance. In Listen on TCP port, enter the port number. To configure an implicit rule that allows traffic from any source to this port, make sure Implicitly allow traffic to this port is selected. Because telnet carries the console session unencrypted and the implicit rule admits any source, an explicit Access Policy rule limited to management hosts is the safer choice. If you do not create an implicit rule, you must manually...

Page 134: ...another non-ICMP connection, for example to an ongoing TCP or UDP connection that was accepted by the Rule Base. Accept stateful ICMP replies: Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base. Accept stateful UDP replies for unknown services: Specifies if UDP replies are to be accepted for unknown services. In each UDP service object it is possible to configure whether UDP...

Page 135: ...protocols virtual session timeout: A virtual session of services which are not TCP, UDP or ICMP is considered to have timed out after this time period in seconds. TCP end timeout: Indicates the timeout in seconds for TCP session end. A TCP session is considered ended following two FIN packets (one in each direction) or an RST packet. TCP session timeout: Indicates the timeout in seconds for TCP session...

Page 136: ...pecified window. Segments outside this window are not processed by the receiving host, so TCP segments which are outside the TCP receive window should not be processed by the gateway either. All data from TCP segments that are outside of the window is either dropped or removed: if the segment is near the window, the out-of-window data is stripped; if the segment is far from the window, the segment is dropped. TCP Invalid Retransmi...

Page 137: ...URG bit set in protocols which do not support the TCP out-of-band functionality. When set to detect, usage of the URG bit causes the traffic to bypass deep inspection blades. Stream Inspection Timeout: A connection being inspected by a dedicated process may be delayed until inspection is completed. If inspection is not completed within the time limit, the connection is dropped so that resources are not k...

Page 138: ...sification is complete. When a connection cannot be classified with the cached responses, it remains blocked until the Check Point Online Web Service completes classification. Background: Connections are allowed until classification is complete. When a connection cannot be classified with a cached response, an uncategorized response is received and the connection is allowed. In the background, the Check Poi...
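Pages 121 and 138 describe the same two categorization modes for URL Filtering and Application Control: Hold blocks an unclassified connection until the online service answers, Background lets it through as uncategorized while the lookup runs. The following is an added example, not code from the guide: a small state machine that makes the difference concrete by counting how many connections to a malicious host pass before the verdict arrives. The cache, the pending-lookup set, the host names and the blocked category "Security Risk" are constructed for the example.

```python
"""Added example (not from the Check Point guide): the Hold and
Background categorization modes from pages 121 and 138 as a small state
machine. Cached hosts are decided immediately; an uncached host is blocked
until the lookup completes in Hold mode, or allowed as uncategorized in
Background mode while the lookup runs. The policy blocks one constructed
category, "Security Risk"; the hosts and categories are constructed."""
from typing import Dict, Set


class Categorizer:
    def __init__(self, mode: str, blocked_categories: Set[str]) -> None:
        if mode not in ("hold", "background"):
            raise ValueError("mode must be 'hold' or 'background'")
        self.mode = mode
        self.blocked = blocked_categories
        self.cache: Dict[str, str] = {}
        self.pending: Set[str] = set()
        self.passed_uncategorized = 0   # connections allowed before a verdict

    def decide(self, host: str) -> str:
        """Return 'allow', 'block' or 'hold' for a new connection to host."""
        category = self.cache.get(host)
        if category is not None:
            return "block" if category in self.blocked else "allow"
        self.pending.add(host)            # ask the online service
        if self.mode == "hold":
            return "hold"
        self.passed_uncategorized += 1    # Background: let it through for now
        return "allow"

    def complete_lookup(self, host: str, category: str) -> None:
        """The online service answered; later connections use the cache."""
        self.cache[host] = category
        self.pending.discard(host)


if __name__ == "__main__":
    for mode in ("background", "hold"):
        c = Categorizer(mode, {"Security Risk"})
        first = c.decide("malware.example")
        c.complete_lookup("malware.example", "Security Risk")
        second = c.decide("malware.example")
        print(f"{mode:10s} first={first:5s} second={second} "
              f"uncategorized connections that passed={c.passed_uncategorized}")
```

Background mode trades one unguarded connection per uncached host for lower latency; Hold mode pays the latency of the lookup on the first connection and never lets an unclassified connection through, which is the relevant property when the blocked category is a security risk rather than a productivity one.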

Page 139: ...emulation is completed Emulation location Indicates if emulation is done on Public ThreatCloud or on remote private SandBlast Primary emulation gateway The IP address of the primary remote emulation gateway Table Threat Prevention Threat Emulation Policy Attributes continued Threat Prevention Policy Attribute Description Block when service is unavailable Block web requests traffic when the Check P...

Page 140: ...esumes in the next connection This improves performance because the remaining part of the connection is fully accelerated However changing the setting to Full is not recommended because of a severe security impact The remaining sessions of the connection are not inspected Threat Prevention policy Update Threat Prevention With Full Packages Update Threat Prevention with the most up to date packages...

Page 141: ...set only occurs when probing fails on all internet connections and not just USB modem Type Boolean Table USB Modem Watchdog Attributes continued Update Services Schedule Attribute Description Maximum number of retries Indicates the maximum number of retries for a single update when the cloud is unavailable Timeout until retry Indicates the timeout in seconds until update retry Table Update service...

Page 142: ...ight Table User Management Attributes VPN Remote Access Attribute Description Allow clear Traffic while disconnected Indicates if traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site is sent without encryption clear or dropped Allow simultaneous login Indicates if a user can log in to multiple sessions If the option is disabled and a user logs in a se...

Page 143: ...or IKE phase 1 and 2 Endpoint Connect re authentication timeout Indicates the time in minutes until the Endpoint Connect user s credentials are resent to the gateway to verify authorization IKE IP Compression Support Indicates if IPSec packets from remote access clients is compressed IKE Over TCP Enables support of IKE over TCP IKE restart recovery When dealing with Remote Access clients the appli...

Page 144: ...ays encryption domain goes out with the Office Mode IP as the internal source IP The Office Mode IP is what hosts in the encryption domain recognize as the remote user s IP address The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well The neighboring encryption domains should reside behind gateways that are ...

Page 145: ...fault algorithms SNX uninstall This parameter lets you configure under which conditions the SSL Network Extender client uninstalls itself The options are Do not uninstall automatically recommended default always uninstall upon disconnection and ask the user upon disconnection SNX upgrade This parameter lets you configure under which conditions the SSL Network Extender client installs itself The op...

Page 146: ...ark to encrypted decrypted IPSec packet DPD triggers new IKE negotiation DPD triggers new IKE negotiation Delete IKE SAs from a dead peer Delete IKE SAs from a dead peer Delete IPsec SAs on IKE SA delete Delete IPsec SAs on IKE SA delete Delete tunnel SAs when Tunnel Test fails When permanent VPN tunnels are enabled and a Tunnel Test fails delete the relevant peer s tunnel SAs Do not encrypt conne...

Page 147: ...otential attackers IKE DoS from unknown sites protection Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers IKE Reply From Same IP Indicates if the source IP address used in IKE session is based on destination when replying to incoming connections or based on the general source IP address link selection configuration ...

Page 148: ...see the status of the VPN tunnel in the Logs and Monitoring tab Permanent tunnel down tracking Indicates how to log when the tunnel goes down Log don t log or alert Permanent tunnel up tracking Indicates how to log when the tunnel is up Log don t log or alert RDP packet reply timeout Timeout in seconds for an RDP packet reply Reply from incoming interface When tunnel is initiated from remote site ...

Page 149: ...tion over SIP traffic automatically accepts SIP connections to registered ports Table VoIP Attributes Web Interface Settings and Customizations Attribute Description Multiple parameters Select Use a company logo in the appliance s web interface to display a different logo not the Check Point default logo In Company logo click the Upload company logo link browse to the logo file and click Apply In ...

Page 150: ...ation URL Filtering Defines how to control Internet browsing and application usage The Access Policy Firewall Blade Control page lets you easily define the default policy for your organization In addition you can define and view the rule based policy in the Access Policy Firewall Policy page Configurations in the Firewall Blade Control page are shown as automatically generated system rules at the ...

Page 151: ...he Internet traffic from outside your organization to it The Standard policy option is the default level and is recommended for most cases Keep it unless you have a specified need for a higher or lower security level n Off Allows all traffic When the firewall is deactivated your network is not secured Manually defined rules are not applied Note When the blade is managed by Cloud Services a lock ic...

Page 152: ...m your organization to the Internet Application URL Filtering are service based features and require Internet connectivity to download the latest signature package for new applications and to contact the Check Point cloud for URL categorization This page lets you define the default policy for Application URL Filtering control It is recommended by default to block browsing to security risk categori...

Page 153: ...more granular policy go to the Access Policy Firewall Blade Control page n Limit bandwidth consuming applications Applications that use a lot of bandwidth can decrease performance necessary for important business applications This option gives accelerated QoS bandwidth control for applications When you select this option P2P file sharing media sharing and media streams are selected by default but ...

Page 154: ...gs and also configure user based Access Policy rules User recognition can be done seamlessly by the appliance using your organization s AD server The user database and authentication are all done through the AD server When a user logs in to the AD server the appliance is notified Users from the AD server can be used as the Source in Access Policy rules Alternatively or in addition users can be def...

Page 155: ...atabase contains more than 4 500 applications and about 96 million categorized URLs Each application has a description a category additional categories and a risk level You can include applications and categories in your Application Control and URL Filtering rules If your appliance is licensed for the Application Control URL Filtering blades the database is updated regularly with new applications ...

Page 156: ...as exceptions to the default policy You can also customize messages that are shown to users for specified websites when they are blocked or accepted by the Rule Base see below You can also use an Ask action for applications or URLs that lets the end user determine whether browsing is for work related purposes or not For example we recommend you add a rule that asks the users before browsing to unc...

Page 157: ...thing, and you configure access only through manual rules. Within each section there are these sections: Manual Rules: Rules that you manually create. Auto Generated Rules: Rules that the system determines based on the initial Firewall Policy mode (Strict or Standard), as explained above. These rules are also influenced by other elements in the system. For example, when you add a server, a corresponding ru...

Page 158: ...e: Type of network service that is accepted or blocked. Action: Firewall action that is done when traffic matches the rule. For outgoing traffic rules you can use the Customize messages option to configure Ask or Inform actions in addition to the regular Block or Accept actions. The messages shown can be set for these action types: Accept and Inform, Block and Inform, or Ask. The Ask action lets the end user d...

Page 159: ...cted or Under Selected. The Add Rule window opens. It shows the rule fields in two ways: a rule summary sentence with default values, and a table with the rule base fields. 3. Click the links in the rule summary or the table cells to select network objects or options that fill out the rule base fields. See the descriptions above. Note: The Application field is relevant only for outgoing rules. In...

Page 160: ...ions for automatically generated rules. 1. Select a rule and click Edit. 2. Edit the fields as necessary. 3. Click Apply. To delete a rule: 1. Select a rule and click Delete. 2. Click Yes in the confirmation message. To enable or disable a rule: To disable a manually defined rule that you have added to the rule base, select the rule and click Disable. To enable a manually defined rule that you previously dis...

Page 161: ...8. Click Apply. Customizing Messages: You can customize messages to let the Security Gateway communicate with users. This helps users understand that some websites are against the company's security policy. It also tells users about the changing Internet policy for websites and applications. When you configure such messages, the user's Internet browser shows the messages in a new window when traffic is m...

Page 162: ...or is: If the Fallback action is Accept, the user can access the website or application. If the Fallback action is Block, the Security Gateway tries to show the notification in the application that caused the notification; if it cannot, the website or application is blocked and the user does not see a notification. Frequency: You can set the number of times that users get notifications for accessing...

Page 163: ... link in the comment to open the Access tab in the Server Properties. An easier way to define server objects is by detecting them in the Home > Active Devices page and saving them as servers. For example, this option automatically detects the MAC address of the server, making configuration easier. During the wizard: Click Cancel to quit the wizard. Click Next to move to the next page of the wizard. Cl...

Page 164: ...evices page, the MAC address is detected automatically. Step 3: Access. 1. Select the zones from which the server is accessible: All zones (including the Internet): Select this option to create a server that anyone from outside the organization can access. This option requires configuring how the server is accessible through NAT in the next step. Only trusted zones (my organization): Select the applicable c...

Page 165: ...ly relevant if the Hide internal networks behind the Gateway's external IP address checkbox in the Access Policy > NAT Control page is cleared (see above for details). It means there are no NAT rules on the server. When you complete the wizard, the server is added to the list of servers on the page and the automatically generated access rules are added to the Access Policy > Firewall Policy Rule Base. Note: ...

Page 166: ...you configure servers that are accessible from the Internet even if they do not have a routable IP address. You can also configure servers with NAT settings from this page. To disable NAT for outgoing traffic (Hide NAT): By default, NAT is configured for outgoing traffic. If it is necessary to disable NAT, make sure Hide internal networks behind the Gateway's external IP address is set to OFF. Important: In...

Page 167: ...ly relevant if the Hide internal networks behind the Gateway's external IP address checkbox in the Access Policy > NAT Control page is cleared (see above for details). It means there are no NAT rules on the server. 5. When you have multiple internal servers that use the same port, select Redirect from port and enter a different port number that is used when you access this server from the Internet. Traffic...

Page 168: ...ion: The network object (a specified IP address) or network group object (a specified IP address range) that is the original destination of the connections to translate. Original Service: The original service used for the connections to translate. Translated Source: The network object or network group object that is the new source to which the original source is translated. Translated Destination: The networ...

Page 169: ...ource addresses if you want the original source to contain multiple IP addresses (IP ranges, networks, etc.) and the translated source to be a single IP address. When this option is not selected, you can still use an IP range in the Original Source and a different IP range of the same size in the Translated Source. This rule does the IP address translation from one range to the other respectively: the first ...

Page 170: ...able a manually defined rule that you have added to the rule base, select the rule and click Disable. 2. To enable a manually defined rule that you have previously disabled, select the rule and click Enable. To change the rule order (Note: You can only change the order of manually defined rules): 1. Select the rule to move. 2. Drag and drop it to the necessary position. ...

Page 171: ...ields that manage the NAT rules. Rule Base Field / Description: Original Source: The network object (a specified IP address) or network group object (a specified IP address range) that is the original source of the connections to translate. Original Destination: The network object (a specified IP address) or network group object (a specified IP address range) that is the original destination of the connections t...

Page 172: ...ed source address(es) if you want the original source to contain multiple IP addresses (IP ranges, networks, etc.) and the translated source to be a single IP address. When this option is not selected, you can still use an IP range in the Original Source and a different IP range of the same size in the Translated Source. This rule does the IP address translation from one range to the other respectively: the f...

Page 173: ...To change the rule order: 1. Select the rule to move. 2. Drag and drop it to the necessary position. Note: You can only change the order of manually defined rules. ...
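The NAT rule base fields on pages 168 to 172 (Original/Translated Source, Destination and Service, Hide NAT, range-to-range static NAT, and the "Redirect from port" option from page 167) are easiest to reason about as a first-match rule walk. The following is an added example written for this page, not Check Point's own code: it implements that walk in Python, including the check that static range-to-range NAT needs equally sized ranges. The rule names, the documentation-range addresses and the single-line `proto/port` service syntax are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example, not Check Point code: a minimal NAT rule base matcher
# modelled on the Original/Translated Source, Destination and Service fields.


@dataclass
class NatRule:
    name: str
    original_source: str                  # network "10.0.0.0/24", range "a-b", host, or "any"
    original_destination: str
    original_service: str                 # "tcp/443" or "any"
    translated_source: Optional[str]      # None = leave unchanged
    translated_destination: Optional[str]
    translated_service: Optional[str] = None
    hide: bool = False                    # Hide NAT: many original sources behind one address


def _bounds(spec: str) -> Optional[Tuple[int, int]]:
    """(first, last) as integers for a host, CIDR network or 'a-b' range; None for 'any'."""
    if spec == "any":
        return None
    if "-" in spec:
        first, last = (int(ipaddress.ip_address(p.strip())) for p in spec.split("-", 1))
        if last < first:
            raise ValueError(f"inverted range {spec}")
        return first, last
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def _in_scope(spec: str, ip: str) -> bool:
    b = _bounds(spec)
    return b is None or b[0] <= int(ipaddress.ip_address(ip)) <= b[1]


def _service_matches(spec: str, proto: str, port: int) -> bool:
    if spec == "any":
        return True
    p, n = spec.split("/")
    return p == proto and int(n) == port


def _translate(original_spec: str, translated_spec: Optional[str], ip: str, hide: bool) -> str:
    """Static NAT maps position-for-position between equally sized ranges;
    Hide NAT collapses every original address onto the first translated address."""
    if translated_spec is None:
        return ip
    t = _bounds(translated_spec)
    if hide:
        return str(ipaddress.ip_address(t[0]))
    o = _bounds(original_spec)
    if o is None or (o[1] - o[0]) != (t[1] - t[0]):
        raise ValueError("static NAT needs Original and Translated ranges of the same size")
    offset = int(ipaddress.ip_address(ip)) - o[0]
    return str(ipaddress.ip_address(t[0] + offset))


def apply_nat(rules, src: str, dst: str, proto: str, port: int):
    """First matching rule wins (rule order matters). Returns (rule name or None, src, dst, port)."""
    for r in rules:
        if (_in_scope(r.original_source, src) and _in_scope(r.original_destination, dst)
                and _service_matches(r.original_service, proto, port)):
            new_src = _translate(r.original_source, r.translated_source, src, r.hide)
            new_dst = _translate(r.original_destination, r.translated_destination, dst, False)
            new_port = int(r.translated_service.split("/")[1]) if r.translated_service else port
            return r.name, new_src, new_dst, new_port
    return None, src, dst, port


# Constructed rule base (documentation address ranges, not a real deployment):
RULES = [
    # "Redirect from port": Internet clients reach the external address on 8080, server listens on 80
    NatRule("web-redirect", "any", "203.0.113.10", "tcp/8080", None, "192.168.1.20", "tcp/80"),
    # Static NAT between two ranges of the same size (first to first, second to second, ...)
    NatRule("dmz-static", "10.10.10.1-10.10.10.5", "any", "any", "203.0.113.101-203.0.113.105", None),
    # Hide NAT: the whole LAN leaves behind the gateway's external address
    NatRule("hide-lan", "192.168.1.0/24", "any", "any", "203.0.113.10", None, hide=True),
]

if __name__ == "__main__":
    print(apply_nat(RULES, "10.10.10.3", "198.51.100.7", "tcp", 443))
```

The order of `RULES` is deliberate: the port-redirect rule must sit above the Hide rule, otherwise inbound traffic to the external address would never reach the internal server, which is the same reason the guide lets you drag manual NAT rules into position.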

Page 174: ...rs before they can access network resources or the Internet. When users try to access a protected resource, they must log in to a web page to continue. This is a method that identifies locally defined users or users that were not successfully identified by other methods. You can configure Browser-Based Authentication to appear for all traffic, but because this method of identification is not seamle...

Page 175: ...kbox Use user groups from specific branch only. Click Add and enter a branch path in the AD Branch field. 5. Click Apply. You can also add a new AD Domain in the Users & Objects > Authentication Servers page. For Browser-Based Authentication: 1. To block access for unauthenticated users when the portal is not available, select Block unauthenticated users when the captive portal is not applicable. This configur...

Page 176: ...the Captive Portal runs on the Check Point Appliance, or enter a different portal address. Session timeout: Sets how long an authenticated user can access the network or Internet before they have to authenticate again. Enable Unregistered guests login: Allow an unregistered guest user to be identified in the logs by name and not only by IP address. An unregistered user is an unmanaged non-AD use...

Page 177: ...ast one Internet connection to be configured with the maximum download and/or upload speeds provided by your ISP. For more information about your download and upload speeds, contact your local ISP. This page lets you configure a default simplified QoS policy. You can configure a more advanced policy in the Access Policy > QoS Policy page. QoS policy applies to traffic over external interfaces only. QoS Se...

Page 178: ... of traffic if needed and, if necessary, click the all services link to edit a list of selected guaranteed services. This option adds a rule to the QoS Policy Rule Base. Limit Bandwidth Consuming Applications: Applications that use a lot of bandwidth can decrease the performance necessary for important business applications. Click the Bandwidth Consuming Applications link to see the default applications c...

Page 179: ...ge the value, click the percentage link. You can view the QoS Policy Rule Base on this page. For each rule you see these fields. Rule Base Field / Description: No: Rule number in the QoS policy. Source: Network object that starts the connection. Destination: Network object that completes the connection. Service: Type of network service for which bandwidth is adjusted based on weight, limit and guarantee. Guarante...

Page 180: ...ted two times the amount of bandwidth as the second when lines are congested. To create a QoS rule: 1. Click the arrow next to New. 2. Click one of the available positioning options for the rule: On Top, On Bottom, Above Selected or Under Selected. The Add Rule window opens. It shows the rule fields in two ways: a rule summary sentence with default values, and a table with the rule base fields. 3...

Page 181: ... Click Apply. To delete a QoS rule: 1. Select a rule and click Delete. 2. Click Yes in the confirmation message. To enable or disable a QoS rule: To disable a manually defined rule that you have added to the Rule Base, select the rule and click Disable. To enable a manually defined rule that you have previously disabled, select the rule and click Enable. To change the QoS rule order: 1. Select the rule to ...
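Pages 178 to 180 describe three knobs on a QoS rule: a Guarantee that is honoured first, a Limit that caps a rule (the "Limit Bandwidth Consuming Applications" option), and a Weight that decides how the rest of a congested link is shared (a rule with twice the weight gets twice the bandwidth). The following is an added example written for this page, not Check Point's QoS engine: a water-filling allocation in Python that applies those three settings to an offered load. The rule names, the kbit/s figures and the demand values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example, not Check Point code: weighted bandwidth sharing with
# Guarantee and Limit, as a QoS rule base would apply it on a congested link.


@dataclass
class QosRule:
    name: str
    weight: int                     # relative share when the link is congested
    guarantee: float = 0.0          # kbit/s reserved for this rule before weights are applied
    limit: Optional[float] = None   # kbit/s hard cap (e.g. "Limit Bandwidth Consuming Applications")


def _cap(rule: QosRule, demand: Dict[str, float]) -> float:
    """The most a rule can ever receive: its offered load, bounded by its Limit."""
    d = demand.get(rule.name, 0.0)
    return d if rule.limit is None else min(d, rule.limit)


def allocate(rules: List[QosRule], demand: Dict[str, float], capacity: float) -> Dict[str, float]:
    """Water-filling: guarantees first, then the remaining capacity in proportion to weight,
    re-distributing whatever a capped rule cannot use."""
    alloc = {r.name: min(r.guarantee, _cap(r, demand)) for r in rules}
    remaining = capacity - sum(alloc.values())
    if remaining < 0:
        raise ValueError("sum of guarantees exceeds link capacity")
    active = [r for r in rules if alloc[r.name] < _cap(r, demand)]
    while remaining > 1e-9 and active:
        total_w = sum(r.weight for r in active)
        still_hungry = []
        for r in active:
            share = remaining * r.weight / total_w
            room = _cap(r, demand) - alloc[r.name]
            if room <= share:           # hits its Limit or demand: take the room, leftover returns to the pool
                alloc[r.name] += room
            else:
                alloc[r.name] += share
                still_hungry.append(r)
        remaining = capacity - sum(alloc.values())
        active = still_hungry
    return {k: round(v, 1) for k, v in alloc.items()}


# Constructed rule base and offered load (kbit/s) on a 10 Mbit/s upload link
RULES = [
    QosRule("voip", weight=10, guarantee=2000),   # reserved even under congestion
    QosRule("business", weight=20),               # gets the lion's share of what is left
    QosRule("p2p", weight=5, limit=1000),         # bandwidth-consuming application, capped
]
DEMAND = {"voip": 1500, "business": 20000, "p2p": 5000}

if __name__ == "__main__":
    print(allocate(RULES, DEMAND, 10000))
```

Run with the constructed load, VoIP receives its 1500 kbit/s offered (below its 2000 guarantee), P2P is pinned to its 1000 kbit/s limit, and the 700 kbit/s that P2P could not use under its weight share flows back to the business rule instead of being lost.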

Page 182: ... Click Download CA Certificate to download the gateway's internal CA certificate. Note: The certificate is available for all users on the gateway; you do not need administrator credentials. If you do not have administrator credentials, connect from an internal or wireless network to http://my.firewall/ica or https://IP_Address_of_Appliance/ica. You must install this certificate on every client behind the g... (Every client that trusts this CA will accept the certificates the gateway generates for inspected HTTPS sites, so keep the CA's private key on the appliance and distribute the certificate through a channel the clients already trust, such as a directory group policy, rather than an unauthenticated http:// download.)

Page 183: ... all possible traffic, regardless of its source and destination. To configure more advanced exceptions, go to the SSL Inspection > Exceptions page. To set the SSL inspection bypass policy: Wireless networks to bypass: Select or clear which wireless networks to bypass. Untrusted networks are selected by default. Note: Wireless networks must be assigned to Separate Network (not switch or bridge). Categories: S...

Page 184: ...ens. 3. Configure the settings for URL Filtering. Note: HTTPS categorization only applies when the URL Filtering blade is turned on. To disable SSL inspection and HTTPS categorization, select Off. Upgrades in the SSL Bypass mechanism include: Stop the inspection of the first connection to bypassed sites; Allow bypass of Non-Browser Applications connections; Allow Bypass of connections to servers that ...

Page 185: ... On the SSL Inspection > Exceptions page you can define manual rules to configure exceptions that bypass SSL inspection for specific traffic. You can configure more advanced exceptions with specific scope, category and tracking options. To add bypass exceptions: 1. Click New. 2. For each exception enter: Source, Destination, Category/Custom Application, Track. ...

Page 186: ...redefined list of trusted CAs based on the Mozilla/libcurl trusted CA list. Only a server certificate signed by one of those CAs is recognized as a valid certificate. The table shows the list of trusted CAs. Trusted CA types: Default (from the gateway): These CAs can be disabled but not deleted. Added by user: These CAs can be deleted. To add a CA manually to the trusted CA list: 1. Click Add. The Add a Tr...

Page 187: ...hreat Emulation: Gives networks protection against unknown threats in files that are downloaded from the Internet or attached to emails. In emulation, the file is opened on more than one virtual computer with different operating system environments. These virtual computers are closely monitored for unusual and malicious behavior. Any malicious behavior is immediately logged, and you can use Prevent mode...

Page 188: ...s: None: Do not log. Log: Create a log. Alert: Log with an alert. 3. Under Protection Activation, for each confidence level (High confidence, Medium confidence and Low confidence) select the applicable action from the list: Ask: Traffic is blocked until the user confirms it is allowed. Prevent: Blocks identified virus or bot traffic, or identified malicious files, from passing through the gateway. Detect...

Page 189: ...To schedule updates: 1. Click Schedule. The Activate Automatic Updates window opens. 2. Select the Software Blades to receive automatic updates: IPS, Anti-Virus, Anti-Bot, Application Control. 3. Select the Recurrence and Time of day. 4. Click Apply. ...

Page 190: ...work, select DMZ network and select the Any Scope except checkbox. Source: Network object that initiates the connection. Destination: Network object that is the target of the connection. Protection: In the Blades tab, select Any for all or for a specific blade. In the IPS protections tab, select a specific IPS protection from the list. Service/Port: Type of network service. If you make an exception for...

Page 191: ... Prevention > Infinity SOC: The Check Point Infinity SOC (sk164332) is supported from R80.20.25 in the Locally managed mode. Infinity SOC enables cybersecurity teams to effectively and efficiently prevent, detect and respond to all threats. Infinity SOC doubles the effectiveness of SOC teams by automating time-consuming tasks, allowing security teams to focus on remediation and attack prevention. You can en...

Page 192: ...ion in attack statistics, see sk164332, section De-obfuscate the real IP of the victim. c. Click Apply. To enable the Infinity SOC feature in Gaia Clish, run these commands: 1. Allow the appliance to send data to Check Point: set privacy settings advanced settings customer consent true. 2. Allow viewing attack statistics in your User Center Account: set threat prevention policy advanced settings allow attack ...

Page 193: ...lt in host or server infection. For example: When you browse to an infected or a potentially unsafe Internet site, there is a possibility that malware was installed. When you download an infected file, there is a possibility that the file was opened or triggered and infected the host or server. Object name: Shows the object name if the host or server was configured as a network object. IP/MAC addr...

Page 194: ...k the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields. Scope: Select either Any or a specific scope from the list. If necessary, you can create a New network object, network object group or local user. If it is necessary to negate a specified scope, select the scope and select the Any Scope except checkbox. For example, if the scop...

Page 195: ...To view the logs of a specified entry: 1. Select the list entry for which to view logs. 2. Click Logs. The Logs & Monitoring > Security Logs page opens and shows the logs applicable to the IP/MAC address. Note: This page is available from the Home and Logs & Monitoring tabs. ...

Page 196: ...or manually configure a specific protection to override the general policy. To search for a specified protection: 1. Enter a name in the filter box. 2. Scroll the pages with the next and previous page buttons at the bottom of the page. To configure the IPS policy, go to the Threat Prevention > Threat Prevention Blade Control page. You can see the details of each protection and also configure a manual overri...

Page 197: ...e instructions in the window that opens and click Apply. Thresholds are configured for CPU Usage and Memory Usage. There is always a high watermark and a low watermark: bypass starts when the high watermark is exceeded, and the IPS engine resumes inspection only when the load drops below the low watermark. The gap between the two marks is what stops the IPS engine from toggling between modes on every small fluctuation when under load. While bypass is active, traffic the IPS would otherwise inspect passes uninspected, so the bypass events should be tracked in the logs. 3. In Bypass ...
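The high/low watermark pair on page 197 is a plain hysteresis control. The following is an added example written for this page, not Check Point's IPS code: it implements the two-watermark rule for CPU and memory in Python and puts a naive single-threshold version beside it, so the difference in how often inspection flips on and off can be counted. The default percentages and the sample load values are constructed for the example.

```python
from typing import List, Tuple

# Constructed example, not Check Point code: the high/low watermark logic the page
# describes, next to a naive single-threshold version to show why the gap matters.


class Watermark:
    """Becomes 'active' above the high mark and leaves that state only below the low mark."""

    def __init__(self, high: float, low: float):
        if not 0 <= low < high <= 100:
            raise ValueError("need 0 <= low < high <= 100")
        self.high, self.low, self.active = high, low, False

    def update(self, value: float) -> bool:
        if not self.active and value > self.high:
            self.active = True
        elif self.active and value < self.low:
            self.active = False
        return self.active


class IpsBypassController:
    """Bypass is on while either CPU or memory usage is above its watermark pair."""

    def __init__(self, cpu_high=80, cpu_low=60, mem_high=85, mem_low=70):
        self.cpu = Watermark(cpu_high, cpu_low)
        self.mem = Watermark(mem_high, mem_low)

    def update(self, cpu: float, mem: float) -> bool:
        c = self.cpu.update(cpu)    # update both trackers so neither goes stale
        m = self.mem.update(mem)
        return c or m


def simulate(samples: List[Tuple[float, float]], **kw) -> List[bool]:
    """Feed (cpu%, mem%) samples through the controller; True means IPS is bypassing."""
    ctl = IpsBypassController(**kw)
    return [ctl.update(cpu, mem) for cpu, mem in samples]


def simulate_single_threshold(samples, cpu_threshold=80, mem_threshold=85) -> List[bool]:
    """What a controller without a low watermark would do."""
    return [cpu > cpu_threshold or mem > mem_threshold for cpu, mem in samples]


def transitions(states: List[bool]) -> int:
    """How many times inspection was switched off or back on."""
    return sum(a != b for a, b in zip(states, states[1:]))


# Constructed CPU/memory samples (percent) hovering around the CPU thresholds
SAMPLES = [(50, 40), (85, 40), (75, 40), (70, 40), (85, 40), (65, 40), (55, 40), (70, 40)]

if __name__ == "__main__":
    print("watermarks:", simulate(SAMPLES), transitions(simulate(SAMPLES)), "transitions")
    print("single threshold:", simulate_single_threshold(SAMPLES),
          transitions(simulate_single_threshold(SAMPLES)), "transitions")
```

On the constructed samples the watermark controller changes state twice (off at 85%, back on at 55%), while the single-threshold version flips four times around the 80% line; each extra flip is a burst of traffic that either lost inspection or was inspected while the box was still overloaded.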

Page 198: ...can incoming files: External and DMZ: Files that originate from external and the DMZ interfaces are inspected. Note: DMZ is not supported in 1530/1550 appliances. External: Files that originate from external interfaces are inspected. All: Files transferred between all interfaces are inspected. Scan both incoming and outgoing files: Files that originate from outside the organization and from within t...

Page 199: ... page for a description of the action types. URLs with malware: Protections related to URLs that are used for malware distribution and malware infection servers. Viruses: Real-time protection from the latest malware and viruses by examining each file against the Check Point ThreatCloud database. To enable Detect only mode: Select the checkbox. Anti-Bot: You can set policy overrides to override the gen...

Page 200: ... Access Policy > SSL Inspection Policy. 3. For file type policy: Process specific file type families: Click Configure for a list of file types and set prescribed actions to take place when these files pass through the Threat Emulation engine. To edit an action for a specified file type, right-click the row and click Edit. You can also click the file type so it is selected and then click Edit. The availabl...

Page 201: ...on the Small Business Security video channel. To enable Detect only mode: Select the checkbox. User Messages: You can customize messages for protection types set with the Ask action. When traffic is matched for a protection type that is set to Ask, the user's internet browser shows the message in a new window. These are the Ask options and their related notifications. Option / Anti-Virus Notification / Anti-B...

Page 202: ...Accept, for when the notification cannot be shown in the browser or application that caused the notification (most notably in non-web applications). If the Fallback action is Accept, the user can access the website or application. If the Fallback action is Block, the website or application is blocked and the user does not see a notification. Frequency: You can set the number of times that the Anti-Vi...

Page 203: ... checkbox to handle suspected spam separately (see below). To enable or disable Anti-Spam: 1. Select On or Off. 2. Click Apply. Note: When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud ...

Page 204: ...Handle suspected spam separately. 2. Select an option: block, flag email subject, or flag email header. When selecting a flag option, it is possible to modify the text string used to flag the suspected spam emails. The default is SUSPECTED SPAM. You can choose the flag option for Spam and for Suspected Spam. Use this option to have a different string for the flag action. 3. Select a tracking option. 4. Click Ap...

Page 205: ... its own classification. To block or allow by sender, the Anti-Spam engine must be configured to filter based on Email content in the Threat Prevention > Anti-Spam Blade Control page. Note: IP address exceptions are ignored for POP3 traffic. To add a new sender domain/IP address to the Allow or Block list: 1. Click Add or New in the Allow or Block list. 2. Enter the IP address or Sender Domain. 3. Clic...

Page 206: ...tatic IP Internet connection on the appliance. If you do not use a static IP, your appliance's IP address can vary depending on your Internet Service Provider. DDNS lets home users connect to the organization by name and not by an IP address that can change. See Device > DDNS for more details. To configure DDNS, click the DDNS link (or the Internet link for a static IP address). To enable or disable VPN Remote Access...

Page 207: ...ese instructions by email. 3. Close the window and click Apply. To manage SSL VPN bookmarks: 1. Select the SSL VPN checkbox. 2. Click Apply. 3. Click Manage SSL VPN bookmarks. The VPN > Advanced page opens. 4. In SSL VPN bookmarks, click New to create new bookmarks. A new window opens. 5. Enter these details: URL (Note: If you select Global bookmark, all users see this bookmark). Type: Link or RDP (remote desktop proto...

Page 208: ... usage instructions: 1. Click the How to connect link next to the relevant remote access method. 2. Click E-mail these instructions to automatically open a pre-filled email that contains the instructions. 3. Click Close. To change the Remote Access port settings: If the default remote access port (port 443) and a server use the same port, a conflict message shows. You must change the default remote access...

Page 209: ...ive Directory group. If no authentication servers are defined, click the Active Directory / RADIUS server link to define them. Note that when User Awareness is turned off, there is no user identification based on Browser-Based Authentication and Active Directory Queries. To add a new local user with remote access permissions: 1. Click Add > New Local User. 2. In the Remote Access tab in the window that opens, e...

Page 210: ...ctory group: 1. Click Add > Active Directory Group. 2. If no Active Directory was defined, you are prompted to configure one. For more information on configuring Active Directory, see VPN > Authentication Servers. 3. When an Active Directory has been defined, you see a list of the available user groups defined in the server. 4. Select one of the user groups. 5. Click Apply. The Active Directory group is added to the tab...

Page 211: ...r select For specific RADIUS groups only and enter in the text field the names of the user groups, separated by commas. To allow administrators with read-only permissions to authenticate, select Read-only Administrators. 5. Click Apply. The RADIUS server, or specific users from the RADIUS server, are added to the table on the page. Two-Factor Authentication: Two-Factor Authentication (also called multi-fac...

Page 212: ...nter the: DynamicID URL, Provider user name, Provider password, API ID, Message to display (optional). 7. In the Advanced tab, under Dynamic ID Settings, enter the: Length of the one-time password, Amount of time (in minutes) until the password expires, Maximum number of retries. 8. Under Country Code, enter the Default country code. 9. Click Apply. To sign in with Two-Factor Authentication: 1. Connect to...
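The three Dynamic ID settings on page 212 (one-time password length, expiry in minutes, maximum retries) only mean something when you see how a verifier enforces them together. The following is an added example written for this page, not the DynamicID provider's or Check Point's code: a small server-side OTP store in Python that generates codes from a CSPRNG, expires them, compares them in constant time, makes them single-use, and discards a code after too many wrong guesses. The `OtpStore` class, its return strings and the injectable clock are assumptions made for the example.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, List

# Constructed example, not the DynamicID provider's or Check Point's code: server-side
# handling of the three Dynamic ID settings (OTP length, expiry in minutes, maximum retries).

DIGITS = "0123456789"


class OtpStore:
    def __init__(self, length: int = 6, expiry_minutes: int = 5, max_retries: int = 3,
                 clock: Callable[[], float] = time.time):
        if length < 4 or max_retries < 1:
            raise ValueError("need length >= 4 and max_retries >= 1")
        self.length = length
        self.expiry_s = expiry_minutes * 60
        self.max_retries = max_retries
        self.clock = clock                       # injectable so expiry can be tested without sleeping
        self._pending: Dict[str, List] = {}      # user -> [code, issued_at, failed_attempts]

    def issue(self, user: str) -> str:
        """Generate a fresh code with a CSPRNG and start its expiry timer.
        The returned value is what the SMS/e-mail provider would deliver out of band."""
        code = "".join(secrets.choice(DIGITS) for _ in range(self.length))
        self._pending[user] = [code, self.clock(), 0]   # re-issuing replaces any older code
        return code

    def verify(self, user: str, submitted: str) -> str:
        """Returns one of: ok, wrong, locked, expired, no_pending. A code is single-use."""
        entry = self._pending.get(user)
        if entry is None:
            return "no_pending"
        code, issued_at, failed = entry
        if self.clock() - issued_at > self.expiry_s:
            del self._pending[user]
            return "expired"
        if hmac.compare_digest(code.encode(), submitted.encode()):   # constant-time comparison
            del self._pending[user]
            return "ok"
        entry[2] = failed + 1
        if entry[2] >= self.max_retries:         # too many guesses: drop the code, user must request a new one
            del self._pending[user]
            return "locked"
        return "wrong"


if __name__ == "__main__":
    store = OtpStore(length=6, expiry_minutes=5, max_retries=3)
    code = store.issue("alice")
    print("sent:", code, "->", store.verify("alice", "000000"), store.verify("alice", code))
```

The retry limit is what keeps a short numeric code safe: with six digits and three attempts an online guess succeeds about once in 333,000 tries per issued code, and the expiry bounds how long even that window stays open.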

Page 213: ...ccess permissions. 4. Click Apply. To configure SSL VPN bookmarks: 1. Click Add > New Local User / Users Group / Active Directory Group > SSL VPN Bookmarks tab. A new window opens. 2. Enter new bookmarks or select existing bookmarks. Note: If you select Global bookmark, this bookmark is always shown. 3. Click Apply. To edit a user or group: 1. Select the user or group from the list. 2. Click Edit. 3. Make the relevant change...

Page 214: ...Remote Access > Connected Remote Users: The VPN > Remote Access > Connected Remote Users page shows the currently connected remote users: Username, IP address, Connection Time, Next Authentication Time. ...

Page 215: ...he case, additional configuration is necessary in the VPN > Remote Access > Users page. To add a RADIUS server: 1. Click Configure. 2. In the Primary tab, enter this information: IP address: The IP address of the RADIUS server. Port: The port number through which the RADIUS server communicates with clients. The default is 1812. Shared secret: The secret pre-shared information used for message encryption betwe...

Page 216: ...e access permissions for users defined in the RADIUS server: 1. Click permissions for RADIUS users. 2. Select or clear the Enable RADIUS authentication for remote access users checkbox. 3. When selected, choose which users are given remote access permissions: To allow all users defined in the RADIUS server to authenticate, select All users defined on RADIUS server. Specific user groups defined in the RAD...

Page 217: ... the branch in the Branch full DN text field. 4. Click Apply. When an Active Directory is defined, you can select it from the table and choose Edit or Delete when necessary. When you edit, note that the Domain information is read-only and cannot be changed. When you add a new Active Directory domain, you cannot create another object using an existing domain. To configure remote access permissions fo...

Page 218: ...pliance in all locations where this user database can be viewed, for example the Users & Objects > Users page or the Source picker in the Firewall Rule Base in the Access Policy > Firewall Policy page. Note: You cannot select a user from the Active Directory, only an Active Directory user group. You can select a local user. 3. Click Apply. To edit an Active Directory: 1. Select the Active Directory from the list. 2...

Page 219: ... IP addresses is configurable. To configure the Office Mode network: 1. Enter the Office Network address and Office Subnet Mask. 2. Click Apply. The default setting for office mode is 172.16.10.0/24. To assign a VPN certificate: 1. Click the downward arrow next to the VPN Remote Access certificate field. The list of uploaded certificates shows. 2. Select the desired certificate. Note: You cannot select the defa...

Page 220: ...VPN > Site to Site Blade Control page. 1. Click the local encryption domain link (automatically according to topology, or manually). The link shown reflects what is currently configured. 2. Select Define local network topology manually. 3. Click Select to show the full list of available networks and choose the relevant checkboxes. 4. Click New if the existing list does not contain the networks you ...

Page 221: ...figure a manual DNS domain name: 1. Click Configure manually. 2. In DNS domain name, enter the DNS domain name suffix to use. 3. Click Apply. To configure the DNS domain name to be the same as the defined DNS domain name: 1. Click Configure automatically. 2. Click Apply. The DNS domain name shows the text Same as DNS domain name. SSL VPN bookmarks: To configure SSL VPN bookmarks: 1. Click Add > New Local User / Users ...

Page 222: ... shown to all users. Type: Link or RDP (remote desktop protocol). Label: The bookmark name. Tooltip: Description. 3. Click Apply. If you select RDP as the bookmark type, you must enter the user name and password in the RDP Advanced Settings. These credentials are sent to the end user. Note: If Show characters is selected, the password characters are shown. You can also specify the screen size of the remote d...

Page 223: ... it is now VPN traffic. To enable or disable the VPN Site to Site blade: 1. Select On or Off. 2. Click Apply. Note: When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services. A warni...

Page 224: ...ies to IPv4 addresses only. High Availability or Load Sharing: Configure a list of backup IP addresses in case of failure (High Availability) or to distribute data (Load Sharing). The appliance uses probing to monitor the remote site's IP addresses. In High Availability, you can configure one of the IP addresses as the primary. When you select this option, you must configure a probing method on the Advance...

Page 225: ... routing rules is encrypted and routed to the remote site. Hidden behind external IP of the remote gateway: Use this if the remote site is behind NAT and traffic is initiated from behind the remote site to this gateway. When you select this option, it is not necessary to define an encryption domain. 6. Exclude networks: Select this option to exclude networks from the specified encryption domain. This may be usef...

Page 226: ...a secondary identifier couple that is available in Aggressive Mode. The secondary identifier method is also available in IKEv2. If you select Enable aggressive mode for IKEv1: Use Diffie-Hellman group: Determines the strength of the shared DH key used in IKE phase 1 to exchange keys for IKE phase 2. A group with more bits gives a stronger key but lower performance. (IKEv1 aggressive mode with a pre-shared key sends the identities and the PSK-based authentication hash before the exchange is encrypted, which exposes the PSK to offline guessing; prefer main mode or IKEv2 unless the remote peer requires aggressive mode, and use a long random PSK if you must enable it.) Initiate VPN tunnel using ...

Page 227: ...onding. The RDP probing is activated when a connection is opened and continues as a background process. One-time probing: When a session is initiated, all possible destination IP addresses receive an RDP session to test the route. The first IP to respond is chosen and stays chosen until the VPN configuration changes. Notes: For more information on installing the certificate, see Managing Installed Certif...

Page 228: ...e Edit VPN Site window opens. 3. In the Remote Site tab: For Connection type, enter the IP address, which is the public IP of the remote peer (center) gateway. In the Encryption domain, select Route all traffic through this site. 4. Click Apply. This gateway is now designated as a satellite. You can configure more than one satellite gateway to route all traffic through the center gateway. If you try to conf...

Page 229: ...es. Which type of VPN community is preferable? A1: A star VPN community is preferable, as every gateway does not have to create a VPN tunnel with all of the others. Instead, the 5 satellite peer gateways will each create one site-to-site star VPN community to the center gateway. Only the star (center) gateway must create a site-to-site from itself to each of the remote peers. Q2: A center gateway handles all...

Page 230: ...mmunity configured by the Cloud Services Provider. A table with the sites that are part of the community. To test the VPN connection for a site: 1. Select the site. 2. Click Test. If the test succeeds, a success message is shown. Click OK to close it. If the test does not succeed, click Details for more information. If applicable, click Retry. To see the details of a site configured by Cloud Services: Select a...

Page 231: ...stination gateway. Community Name: If the gateways are part of a community configured by Cloud Services, the community name with which the tunnel is associated. Status: Indicates if a tunnel is up or is pending traffic to become active. Phase 2 Methods: Encryption and authentication methods used for the tunnel. My encryption domain: Indicates the tunnel's selectors (subnets/hosts) allowed from the source gat...

Page 232: ...n domain and is transmitted to a different domain. The local encryption domain defines: the internal networks that encrypted traffic from remote sites and networks can access; and that traffic from the encryption domain to remote sites is encrypted. By default, the local encryption domain is determined automatically by the appliance. Networks behind LAN interfaces and trusted wireless networks are p...

Page 233: ...on, select a method to specify the outgoing interface: According to the routing table: The OS's routing table finds the interface (link) with the lowest metric (highest priority) through which to send traffic, based on the remote site's IP addresses. Route-based probing: This method also consults the routing table for the link with the lowest metric. But before choosing an interface (link) to send traffic ...

Page 234: ...nism is based on IKE encryption keys only. The feature also allows you to monitor permanent tunnels based on DPD for both IKEv1 and IKEv2. In active mode, a peer that is configured as DPD receives DPD Hello requests at regular intervals if there is no incoming IPsec traffic for 10 seconds. To test if a VPN tunnel is active: Select a Tunnel health monitoring method: Tunnel test (Check Point proprietary) ...

Page 235: ...dd it to the other site's Trusted CA list. When you use certificate based site to site VPN with multiple remote sites in a mesh configuration, we recommend for all sites to use one CA to sign their internally used certificates on appliances that support creating signing requests. You must also add the same CA to all sites' Trusted CAs list. That CA can be an external CA service like Verisign (for a fee)...

Page 236: ...s you've added to the list, if necessary, by selecting them and clicking Export. To sign a remote site's certificate request by the Internal CA: 1. Click Sign a Request. 2. Click Browse to upload the signing request file as created in the remote site. In third party appliances, make sure to look in its Administration Guide to see where signing requests are created. Note: The file must be in a path accessible...

Page 237: ...site VPN, SSL VPN and the Web portal. When Cloud Services is turned on and the appliance is configured by Cloud Services, the Cloud Services Provider certificate is downloaded automatically to the appliance. The Cloud Services Provider certificate is used by community members configured by Cloud Services. Note: If you turn Cloud Services off, the Cloud Services Provider certificate is removed. These are t...

Page 238: ...he CA: 1. Select the signing request entry from the table. 2. Click Upload Signed Certificate. 3. Browse to the signed certificate file (.crt). 4. Click Complete. The status of the installed certificate record changes from Waiting for signed certificate to Verified. To upload a P12 file: 1. Click Upload P12 Certificate. 2. Browse to the file. 3. Edit the Certificate name if necessary. 4. Enter the certificate password...

Page 239: ...wn host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation. 3. Select the number of years for which the Internal VPN Certificate is valid. The default is 3. The maxim...

Page 240: ...mote site. In third party appliances, make sure to look in its Administration Guide to see where signing requests are created. The file must be in a path accessible to the appliance. After you click OK in the file browsing window, the file is uploaded. If it is correctly formatted, it is signed by the Internal CA and the Download button is available. 3. Click Download. The signed certificate is downloaded t...

Page 241: ...Authentication: Uses a portal to authenticate either locally defined users or as a backup to other identification methods. Browser Based Authentication uses a web interface to authenticate users before they can access network resources or the Internet. When users try to access a protected resource, they must log in to a web page to continue. This is a method that identifies locally defined users or use...

Page 242: ...ents that user, or enter the user DN manually. 4. To select user groups from specific branches, select the checkbox Use user groups from specific branch only. Click Add and enter a branch path in the AD Branch field. 5. Click Apply. You can also add a new AD Domain in the Users & Objects > Authentication Servers page. For Browser Based Authentication: 1. To block access for unauthenticated users when the portal...

Page 243: ...he Captive Portal runs on the Check Point Appliance, or enter a different portal address. - Session timeout: Sets for how long an authenticated user can access the network or Internet before they have to authenticate again. - Enable Unregistered guests login: Allow an unregistered guest user to be identified in the logs by name and not only by IP address. An unregistered user is an unmanaged (non-AD) user...

Page 244: ...d can be up to 100 characters. Note: You cannot use these characters in a password or shared secret. Maximum number of characters: 255. 3. For temporary or guest users, click Temporary user. Enter the expiration date and time. 4. To give the user remote access permissions, select Remote Access permissions. 5. Click Apply. The user is added to the table on the page. To add a new local users group with remote acce...

Page 245: ...he User Management window opens. 4. Click the checkbox for Automatically delete expired local users. 5. Click Apply. Expired local users are automatically deleted every 24 hours (after midnight). To edit a user or group: 1. Select the user or group from the list. 2. Click Edit. 3. Make the relevant changes and click Apply. To delete a user or group: 1. Select the user or group from the list. 2. Click Delete. 3. Click ...

Page 246: ...rators can update or modify operating system settings. They can select a service or network object but cannot create or modify it. - Mobile Administrator: Mobile administrators are allowed all networking operations on all interfaces. They can change their own passwords, generate reports, reboot, change events and mobile policy, active hosts operations and pairing. They cannot login from or access the WebUI...

Page 247: ...ake sure a RADIUS server is defined on the appliance. If there is no server, click the RADIUS configuration link at the top of this page. You must configure the IP address and shared secret used by the RADIUS server. 3. When you have a configured RADIUS server, click Edit permissions. The RADIUS Authentication window opens. 4. Click the Enable RADIUS authentication for administrators checkbox. Use roles def...

Page 248: ...ick Mobile Pairing Code. The Connect Mobile Device window opens. 2. Select an administrator from the pull down menu. 3. Click Generate. This generates a QR code to connect the Check Point WatchTower mobile application with the appliance for the first time. For more information about the mobile application, see the Check Point SMB WatchTower App User Guide. Configuring a RADIUS Server for non local Quantum...

Page 249: ...id 2000. 3. Add this line in the dictiona.dcm file: checkpoint.dct. 4. Add this Check Point Vendor Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = role, where the allowed values of role are (Administrator Role / Value): Super Admin / adminRole; Read only / monitorrole; Networking Admin / networkingrole; Mobile Admin / mobilerole. Configuring a FreeRADIUS server for non local applianc...

Page 250: ...irectory on the RADIUS server. Check Point Gaia vendor specific attributes, formatted for the OpenRADIUS RADIUS server: Add this file to /etc/openradius/subdicts and add the line "include subdicts/dict.checkpoint" to /etc/openradius/dictionaries, right after dict.ascend. add vendor 2620 CheckPoint set default vendor CheckPoint space RAD VSA STD len_ofs 1 len_size 1 len_adj 0 val_ofs 2 val_size 2 val_type St...

Page 251: ...le; Networking Admin / networkingrole; Mobile Admin / mobilerole. To log in as a Super User: A user with super user permissions can use the Quantum Spark Appliance shell to do system level operations, including working with the file system. 1. Connect to the Quantum Spark Appliance platform over SSH or serial console. 2. Log in to the Gaia Clish shell with your user name and password. 3. Run expert. 4. Enter the E...

Page 252: ...nfiguration is necessary in the VPN > Remote Access Users page. To add a RADIUS server: 1. Click Configure. 2. In the Primary tab, enter this information: - IP address: The IP address of the RADIUS server. - Port: The port number through which the RADIUS server communicates with clients. The default is 1812. - Shared secret: The secret (pre-shared information) used for message encryption between the RADIUS server...

Page 253: ...a RADIUS server: Click the Remove link next to the RADIUS server you want to delete. The RADIUS server is deleted. To configure remote access permissions for users defined in the RADIUS server: 1. Click Permissions for RADIUS users. 2. Select or clear the Enable RADIUS authentication for User Awareness, Remote Access and Hotspot checkbox. When selected for Remote Access, select or clear to use specific RADI...

Page 254: ...ch in the Branch full DN in the text field. 4. Click Apply. When an Active Directory is defined, you can select it from the table and choose Edit or Delete when necessary. When you edit, note that the Domain information is read only and cannot be changed. When you add a new Active Directory domain, you cannot create another object using an existing domain. To configure remote access permissions for all use...

Page 255: ...in all locations that this user database can be viewed, for example the Users & Objects > Users page or the Source picker in the Firewall Rule Base in the Access Policy > Firewall Policy page. Note: You cannot select a user from the Active Directory, only an Active Directory user group. You can select a local user. 3. Click Apply. To edit an Active Directory: 1. Select the Active Directory from the list. 2. Click E...

Page 256: ... by the Check Point Cloud using the URL Filtering, and can be matched to one or more built in categories, for example phishing sites, high bandwidth, gambling or shopping, etc. The Application and Categories List: A list of applications and categories is shown according to a filter that is shown above the list. There are 4 filters: - Common: Commonly used applications, custom applications and categories. - Cu...

Page 257: ...nce will detect in the URL, and then click OK. 6. Do step 5 to add more related strings or regular expressions. The custom application will be matched if one of the strings or expressions is found. 7. Click the Additional Categories tab to select more categories if necessary. 8. Click Apply. You can use the application in a rule. To create a custom applications group: 1. Select New > Applications Group. 2. Enter...

Page 258: ...fields that apply to the type of service you select. Note that not all fields may show. - Name: Enter the service's name. - Type: Select the service type from the list: TCP; UDP; ICMP (select this option if it is necessary to represent a specific option within the ICMP protocol; note that this is an advanced option); Other (select this option to represent any IP protocol other than TCP or UDP). - Ports: E...

Page 259: ...cluster are synchronized as they pass through the cluster. By default, all new and existing services are synchronized. - Start synchronizing X seconds after the connection was initiated: For TCP services, enable this option to delay telling the Quantum Spark Appliance about a connection, so that the connection is only synchronized if it still exists X seconds after the connection is initiated. Some TC...

Page 260: ...ring settings tab lets you categorize HTTPS sites by information in certificates. - FTP: The Firewall settings tab lets you configure how the firewall automatically detects data connections. You can select one of these options: Any (the Firewall detects and allows FTP data connections in all modes); Active (the Firewall detects and allows FTP data connections in active mode only); Passive (the Firewall...

Page 261: ... the inspection of the specific protocol. To create a new service group: 1. Click New. The New Service Group window opens. 2. Enter a Name for the group and Comments (optional). 3. Click Select to show the full list of available services and select the relevant checkboxes. 4. Click New if the existing list does not contain the services you need. For information on creating a new service object, see the Users & Ob...

Page 262: ...col. Such system service groups cannot be deleted. They contain a list of built in services, which you can restore (if you edit the content of such groups) by clicking Reset. Some system service groups have additional configuration which affects the way the deep inspection is performed. DNS: The Firewall settings tab lets you configure NAT support over DNS. Note that this option affects the performance of D...

Page 263: ...ts a network. - Domain Name: Represents a Domain. To create a Single IP network object: 1. Click New. The New Network Object window opens. 2. In Type, select Single IP. 3. Enter an IP address and Object name. 4. Select or clear these options as necessary: - Allow DNS server to resolve this object name: When the gateway is the DNS server for your internal networks, the name of the server network object is translat...

Page 264: ...al DHCP service does not distribute the configured IP range to anyone. 6. Click Apply. Note: Wildcard network objects that represent a series of non-sequential IP addresses are supported. To create a Network type network object: 1. Click New. The New Network Object window opens. 2. In Type, select Network. 3. Enter a Network address and Subnet mask. 4. Enter the Object name. 5. Click Apply. To create a Domain Name...

Page 265: ...To delete a network object: 1. Select the network object from the list. 2. Click Delete. 3. Click Yes in the confirmation message. To filter for a specified network object: 1. In the Type to filter box, enter the name of the network object or part of it. 2. As you enter text, the list is filtered and shows matching results. ...

Page 266: ...e group and Comments (optional). 3. Click Select to show the full list of available network objects and choose the relevant checkboxes. 4. Click New if the existing list does not contain the network object you need. For information on creating a new network object, see the Users & Objects > Network Objects page. 5. Click Apply. The New Network Object Group window opens and shows the services you selected. 6. You c...

Page 267: ...rch one field at a time; the logical operators AND and OR are not supported. Use one of these syntaxes: - IP_address - Column_Name:Value. Examples: - 203.0.113.64 - action:drop - source port:22. For more details, click Query Syntax in the table header. To see the security log record: 1. Select a log entry from the list. 2. Click View Details or double click the entry. The log record opens. To refresh the securi...

Page 268: ...ptions: Eject SD card safely. Note: From R77.20.85 and higher, SD cards are formatted with ext4. Older versions are formatted as FAT32. If you upgrade from a lower version to R77.20.85 or higher, the SD card will remain with FAT32 for backward compatibility. To delete logs from local log storage: 1. In the Logs & Monitoring > Logs > Security Logs page, click Clear logs. A confirmation window opens. 2. Click Yes to delete...

Page 269: ...ch as changes made by administrators, date and time changes. - Warning: Logs that show a connectivity or possible configuration failure. The problem is not critical but requires your attention. - Error: System errors that alert you to the fact that a specific feature is not working. This can be due to misconfiguration or connectivity loss, which requires the attention of your Internet Service Provider. To...

Page 270: ...rnal Check Point Log Server from this page in the WebUI: 1. Identify the Log Server you want to send logs to. 2. Identify the Security Management Server that manages the Log Server. 3. Open SmartConsole on this Security Management Server. 4. Run the Security Gateway wizard to define and create a Security Gateway object that represents this appliance with these details: In the General Properties window...

Page 271: ...located on the Security Management Server, select Log server uses different IP address and enter the IP address. 6. Click Apply. Important: After successful configuration of the external log server, any changes you make in the WebUI configuration on this page require reinitialization of the SIC in SmartConsole. If you do not reinitialize SIC in SmartConsole, connectivity to the log server can fail. To con...

Page 272: ...re. Notes: - Only one remote TLS server is supported. - The server CA must be trusted by Check Point. - The TLS server must be configured using its domain name. Only UDP allows you to configure the server by IP address. - The configured domain name must be identical to the domain name in the server's certificate. - Only system logs are supported. To configure additional syslog servers: Click Add Syslog Ser...

Page 273: ...onitoring > Wireless Active Devices page shows the devices connected to your gateway's wireless network. Relevant information for each connected device's network usage includes: - SSID (name of the WiFi network) - Channel - Frequency - Signal Strength - RSSI (Received Signal Strength) - Bandwidth. Paired Mobile Devices: The Logs & Monitoring > Paired Mobile Devices page shows the mobile devices paired to the gateway...

Page 274: ...stination gateway. Community Name: If the gateways are part of a community configured by Cloud Services, the community name with which the tunnel is associated. Status: Indicates if a tunnel is up or is pending traffic to become active. Phase 2 Methods: Encryption and authentication methods used for the tunnel. My encryption domain: Indicates the tunnel's selectors (subnets/hosts) allowed from the source gat...

Page 275: ...ctive Connections: The Logs & Monitoring > Connections page shows a list of all active connections. The list shows these fields: - Protocol - Source Address - Source Port - Destination Address - Destination Port. To filter the list: In the Type to filter box, enter the filter criteria. The list is filtered. To refresh the list: Click the Refresh link. ...

Page 276: ...es - Channel - Frequency - Security - Signal strength - Signal noise. Use case: Use this information to decide which network to connect to, and change based on your needs. In addition, this page displays the current wireless radio frequency and channel in use and the wireless networks configured. Viewing Monitoring Data: See Viewing Monitoring Data on page 48. Viewing Reports: See Viewing Reports on page 5...

Page 277: ...v3 users. - Configure the settings for SNMP trap receivers. - Enable or disable SNMP traps that are sent to the trap receivers. SNMP must be set to ON to configure all SNMP settings (users, traps and trap receivers). To enable or disable SNMP: 1. Change the SNMP On/Off slider position to ON or OFF. 2. Click Apply. To configure SNMP settings: Click Configure. The Configure SNMP General Settings window opens. You...

Page 278: ...rs. Prerequisites: SNMP and SNMP traps must be enabled on the appliance. SNMP Traps for VPN Tunnels: The SNMP trap for VPN tunnels provides better monitoring of VPN tunnel status. For this specific trap, users are alerted when VPN tunnels go down. Currently, only VPN tunnels configured as Permanent Tunnels are monitored. This feature is off by default. When the feature is enabled, the VPN tunnels status is perio...

Page 279: ...To edit an SNMP trap: 1. Select the trap from the list and click Edit. 2. Select the Enable trap option to enable the trap, or clear it to disable the trap. 3. If the trap contains a value, you can edit the threshold value when necessary. 4. Click Apply. ...

Page 280: ...ettings and creates a new factory default image. To upgrade to a new firmware image from a USB drive: 1. Disconnect the Quantum Spark Appliance from the power source. 2. Place the firmware image file on a USB drive in the top folder. Do not rename the file. 3. Make sure the top folder of the USB drive does not contain any previous Boot loader or Firmware images (u-boot.bin files or fw1 img files). 4. Connect...

Page 281: ...n any previous Boot loader or firmware images (u-boot.bin files or fwl gz files). 3. Insert the SD card into the SD card slot on the Quantum Spark Appliance. If the operation does not succeed, this may be because the SD card slot does not recognize all devices. 4. Connect the appliance to the power source. The installation begins with the image file. This takes several minutes. If the file is valid, the Power...

Page 282: ...nt's services are not active. - Options 1-3 start the appliance: Normal mode is the default boot mode for the appliance. Debug mode boot gives printouts of processes that are initialized during boot. Maintenance mode boots the machine and gives access only to the file system; network interfaces, Check Point processes and the appliance's services are down. Note: During normal/debug boot, if there is a...

Page 283: ...ll/Update Image/Boot Loader from Network. 3. You are asked if you want to load the image manually from a TFTP server, or if you want to use automatic mode with a bootp server. 4. If you select manual mode, you are asked to fill in the IP of the Quantum Spark Appliance, the IP of the TFTP server and the image name. 5. If you select automatic mode, the procedure starts automatically to search for the bootp se...

Page 284: ...e Configuration Wizard. To restore factory defaults with the WebUI: 1. In the Quantum Spark Appliance WebUI, click Device > System Operations. The System Operations pane opens. 2. In the Appliance section, click Factory Defaults. 3. In the pop up window that opens, click OK. 4. While factory defaults are restored, the Power LED blinks blue to show progress. This takes some minutes. When this completes, the appliance...

Page 285: ... press CTRL+C. The Gaia Embedded Boot Menu appears. 3. Enter 4 to select Restore to Factory Defaults (local). 4. When the prompt appears (Are you sure? y/n), enter y to continue and restore the appliance to its factory default settings. While factory defaults are restored, the Power LED blinks blue to show progress. This takes up to a few minutes. When completed, the appliance boots automatically. To disable the...
