Quantum CHECK POINT SPARK 1500 Series, Administration Manual

Page 1: ...Models V 80 V 80W V 81 V 81W V 81WL V 81WD V 81R V 81WLR V 82 V 83 Classification Protected 12 April 2022 QUANTUM SPARK 1500 1600 AND 1800 APPLIANCE SERIES R80 20 40 Locally Managed Administration Guide ...

Page 2: ... without prior written authorization of Check Point While every precaution has been taken in the preparation of this book Check Point assumes no responsibility for errors or omissions This publication and features described herein are subject to change without notice RESTRICTED RIGHTS LEGEND Use duplication or disclosure by the government is subject to restrictions as set forth in subparagraph c 1...

Page 3: ...tection against new and evolving attacks Certifications For third party independent certification of Check Point products see the Check Point Certifications page Check Point R80 20 40 For more about this release see the R80 20 40 home page Latest Version of this Document in English Open the latest version of this document in a Web browser Download the latest version of this document in PDF format ...

Page 4: ...l Configuration 19 Deploying the Configuration File Existing Configuration 20 Viewing Configuration Logs 20 Troubleshooting Configuration Files 21 Configuration File Error 21 Suggested Workflow Configuration File Error 21 Sample Configuration Log with Error 22 Using the set property Command 22 Configuration and Upgrade Scenarios 23 Configuring Cloud Services 23 Configuring a Guest Network 24 Confi...

Page 5: ...ting the Management Mode 38 Configuring Cloud Services 40 Managing Licenses 43 Viewing the Site Map 45 Notifications 45 Managing Active Devices 46 Viewing Monitoring Data 48 Network 48 Troubleshooting 49 Viewing Reports 50 Using System Tools 52 Managing the Device 54 Configuring Internet Connectivity 54 The Configuration tab 55 Prefix Delegation IPv6 only 58 Neighbor Discover Protocol ND Proxy IPv...

Page 6: ...unnel VTI 85 Virtual Access Point VAP 86 BOND 87 Configuring a Hotspot 89 Configuring the Routing Table 92 Configuring MAC Filtering 95 802 1x Authentication Protocol 96 Configuring the DNS Server 98 Configuring the Proxy Server 99 Backup Restore Upgrade and Other System Operations 100 Using the Software Upgrade Wizard 102 Welcome 102 Upload Software 103 Upgrade Settings 103 Upgrading 103 Backing ...

Page 7: ...and Blade 158 Firewall Policy 159 Application URL Filtering 160 Updates 161 User Awareness 162 Tracking 163 More Information 163 Working with the Firewall Access Policy 164 Firewall Policy 164 Configuring Access Rules 167 Updatable Objects 169 Customizing Messages 169 Defining Firewall Servers 171 Defining NAT Control 174 Advanced Creating and Editing NAT Rules 179 Inspecting VoIP Traffic 181 Intr...

Page 8: ...gs 208 IPS 208 Anti Virus 208 Anti Bot 210 Threat Emulation 211 User Messages 212 Configuring the Anti Spam Blade Control 214 Configuring Anti Spam Exceptions 216 Managing VPN 217 Configuring the Remote Access Blade 217 Configuring Remote Access Users 220 Two Factor Authentication 222 Remote Access Connected Remote Users 225 Configuring Remote Access Authentication Servers 226 Configuring Advanced...

Page 9: ...rators 255 Managing Authentication Servers 261 Managing Applications URLs 265 Managing System Services 267 Managing Service Groups 270 Managing Network Objects 272 Managing Network Object Groups 275 Logs and Monitoring 276 Viewing Security Logs 276 Viewing System Logs 278 Configuring External Log Servers 279 External Check Point Log Server 279 Syslog Server Configuration 280 Secured Syslog 281 Not...

Page 10: ...ps for Hardware Sensors 287 Advanced Configuration 289 Upgrade Using a USB Drive 289 Upgrade Using an SD Card 290 Boot Loader 291 Upgrade Using Boot Loader 292 Restoring Factory Defaults 293 RESTful API 295 Enabling and disabling the REST API 295 Request Structure 295 Response Structure 296 Versioning 296 REST API Commands 297 1 Login 297 2 Logout 298 3 Generate Report 298 4 Run Clish Command 299 ...

Page 11: ...s 4G LTE Internet connectivity multiple Internet connections more than 2 in High Availability or Load Sharing mode Policy Based Routing and DDNS support Quick deployment with USB is supported for all appliances and with SD card and Dual SIM card for the 1570 1590 appliances For more information see the 1500 appliance series product page This guide describes all aspects that apply to the Quantum Sp...

Page 12: ...1R V 81WLR sk166654 1600 V 82 wired only sk168880 1800 V 83 wired only sk168880 For front side and back panel details for each appliance see the relevant Getting Started Guide Review these materials before doing the procedures in this guide n R80 20 40 SMB Release Notes n Known Limitations n Resolved Issues n Getting Started Guide n Small Business Security video channel See the SMB R80 20 40 home ...

Page 13: ...570 1590 Appliances n Getting Started Guide for 1570R Appliances n Getting Started Guide for 1600 1800 Appliances n Setting up the Quantum Spark Appliance on page 15 2 Follow the applicable First Time Deployment option See First Time Deployment Options on page 16 3 Install the required licenses See Managing Licenses on page 43 4 Configure the required users and objects See Managing Users and Objec...

Page 14: ...1500 1600 and 1800 Appliance Series R80 20 40 Locally Managed Administration Guide 14 n VPN see Configuring VPN on page 25 and Managing VPN on page 217 n Clusters see Managing Clusters on page 30 n QoS see Configuring QoS on page 33 ...

Page 15: ... in red for a short period The LED then turns blue and starts to blink This shows a boot is in progress and firmware is being installed When the LED turns a solid blue the appliance is ready for login Note The LED is red if there is an alert or error n If you use an external modem Connect the Ethernet cable to the WAN port on the appliance back panel and plug it into your external modem or router ...

Page 16: ...ere are different options for first time deployment of your Small and Medium Business SMB gateways n First Time Configuration Wizard For more information see the Getting Started Guide for your appliance model n Zero Touch Cloud Service on page 17 n Deploying from a USB Drive or SD Card on page 18 Note SD card deployment is supported only in 1570 1590 appliances ...

Page 17: ...the Internet Connection settings and then fetch the settings from the Zero Touch server To connect to the Zero Touch server from the First Time Configuration Wizard 1 In the Welcome page of the First Time Configuration Wizard click Fetch Settings from the Cloud 2 In the window that opens click Yes to confirm that you want to proceed 3 The Internet connection page of the First Time Configuration Wi...

Page 18: ...Rome Stockholm Vienna set ntp server primary 10 1 1 10 set ntp server secondary set user admin type admin password aaaa set interface WAN ipv4 address 10 1 1 134 subnet mask 255 255 255 192 default gw 10 1 1 129 delete interface LAN1_Switch set dhcp server interface LAN1 disable set interface LAN1 ipv4 address 10 4 6 3 subnet mask 255 255 255 0 add interface LAN1 vlan 2 set dhcp server interface L...

Page 19: ...ation error To deploy the configuration file from a USB drive for the initial configuration 1 Insert the USB drive into a Quantum Spark Appliance n Quantum Spark Appliance is OFF Turn on the appliance The Power LED is red when the appliance is first turned on It blinks blue while the boot is in progress and then turns solid blue when the process is complete n Quantum Spark Appliance is ON The appl...

Page 20: ...onfigured appliance 1 From the CLI enter the command set property USB_auto_configuration once The appliance is set to use a configuration script from a USB drive 2 Insert the USB drive in the appliance the appliance automatically detects the USB drive The USB LED comes on and is a constant orange 3 The appliance locates the USB configuration file and begins to run the script The USB LED blinks blu...

Page 21: ...ppliance is configured correctly Suggested Workflow Configuration File Error This section contains a suggested workflow that explains what to do if there is an error with the configuration file on a USB drive Use the set property USB_auto_configuration command when you run a configuration file script on a configured appliance 1 The USB drive with the configuration file is inserted into a USB port ...

Page 22: ...e WAN internet primary ipv4 address 66 66 66 11 Error missing argument subnet mask for a new connection Autoconfiguration CLI script failed clish return code 1 Using the set property Command The set property CLI command controls how the Quantum Spark Appliance runs configuration scripts from a USB drive These commands do not change how the First Time Configuration Wizard in the Web UI configures t...

Page 23: ...cally connects to Cloud Services Or n The Service Center IP address the Quantum Spark Appliance gateway ID and the registration key Use these details to connect manually your Quantum Spark Appliance to Cloud Services To automatically connect to Cloud Services 1 Make sure the Quantum Spark Appliance was configured with the First Time Configuration Wizard See the relevant Getting Started Guide 2 In ...

Page 24: ...se interfaces Configuration 1 Go to Device Wireless Network 2 Click Guest and follow the wizard instructions See Configuring Wireless Network on page 70 n Set the network protection unprotected or protected network n Set the access and log policy options in the Access Policy tab 3 Make sure that the Use Hotspot checkbox is selected in the wizard 4 Make sure you defined the network interfaces for H...

Page 25: ...ct the Allow traffic from Remote Access users by default option l To select the applicable connection methods For more details see Configuring the Remote Access Blade on page 217 n If the gateway uses a dynamic IP address we recommend you use the DDNS feature See Configuring DDNS and Access Service on page 115 n For the Check Point VPN client or Mobile client method make sure that the applicable c...

Page 26: ...nfigure to add a RADIUS server See Configuring Remote Access Authentication Servers on page 226 3 Click permissions for RADIUS users to set access permissions To configure AD users 1 Go to VPN Authentication Servers and click New to add an AD domain See Configuring Remote Access Authentication Servers on page 226 2 Click permissions for Active Directory users to set access permissions L2TP VPN Cli...

Page 27: ...itoring To make sure the VPN is working 1 Send traffic between the local and peer gateway 2 Go to VPN VPN Tunnels to monitor the tunnel status See Viewing VPN Tunnels on page 240 Configuring Site to Site VPN with a Certificate Introduction In this Site to Site VPN configuration method a certificate is used for authentication Prerequisites n Make sure the Site to Site VPN blade is set to On and All...

Page 28: ...hange CAs between gateways Click Add to add the Trusted CA of the peer gateway This makes sure the CA is uploaded on both the local and peer gateways See Managing Trusted CAs on page 244 Sign a request using one of the gateway s CAs You create a request from one gateway that must be signed by the peer gateway s CA 1 Use the New Signing Request option in Managing Installed Certificates on page 116 ...

Page 29: ...e certificate with the Upload Signed Certificate or Upload P12 Certificate option See Managing Installed Certificates on page 116 2 Make sure that the 3rd party CA is installed on both of the gateways Use the Add option in Managing Trusted CAs on page 244 To authenticate with an existing 3rd party certificate 1 Create a P12 certificate for the local and peer gateway 2 Upload the P12 certificate us...

Page 30: ...switch on LAN ports checkbox 2 Configure network settings on the appliance that is the primary active member 3 Connect a sync cable between the appliances 4 Configure the active member 5 Configure the standby member Prerequisites n In WebUI Device Local Network delete bridge and switch configurations before you start to configure a cluster n The appliances in a cluster must have the same hardware ...

Page 31: ...ive member The WebUI of the standby cluster member only has one tab Device To show the status of the cluster member Go to Device High Availability Important If it is necessary to add a new cluster interface after the cluster is already configured and running follow the procedure in sk176369 no downtime is required Upgrading a Cluster When you upgrade a cluster member you can maintain network conne...

Page 32: ...y member n The former standby member is now the active member To upgrade a cluster member manually 1 On the Device System Operations page click Manual Upgrade The Upgrade Software Wizard opens 2 Follow the Wizard instructions to upgrade the cluster member The upgrade process automatically reboots the member To see the status of each cluster member Go to Device High Availability ...

Page 33: ...r upload speeds You get the speed information from your ISP QoS policy rules apply separately on each configured Internet connection Prerequisites In Access Policy QoS Blade Control make sure the QoS blade is turned on Configuration 1 In Device Internet select an Internet connection and click Edit 2 In the Advanced tab edit the QoS Settings These values are used as a 100 percent baseline when you ...

Page 34: ... in you can select the Save user name checkbox to save the administrator s user name The name is saved until you clear the browser s cookies When you log in correctly the WebUI opens to Home System The left pane lets you navigate between the different pages of each of these tabs n Home n Device n Access Policy n Threat Prevention n VPN n Users Objects n Logs Monitoring To log in to the WebUI in a ...

Page 35: ...and wireless network radio status If applicable click the links to configure Internet and Wireless options n Statistics Shows live data graphs of packet rate and throughput To monitor your device s internet connection from your mobile device you must first configure this on the WebUI Home System page To configure connection monitoring 1 In the WebUI go to Home System Internet connections and click...

Page 36: ...figured in the WebUI n Access Policy Contains the Firewall Application URL Filtering User Awareness and QoS blades n Threat Prevention Contains the Intrusion Prevention IPS Anti Virus Anti Bot Threat Emulation and Anti Spam blades n VPN Contains the Remote Access and Site to Site VPN blades It also contains certificate options You can click the tab name link or Software Blade link to access the ta...

Page 37: ... bar graph icon The blade statistics window opens 2 If the blade is turned on n View the graph and details n To go to other blade statistics click the arrows in the header 3 If the blade is turned off n Click View demo to see an example of the statistics shown n Click the X icon to close the demo To view an alert 1 Hover over the alert triangle 2 Click the applicable link ...

Page 38: ... the Security Management Server section click Settings to adjust trust settings or Setup to initialize a connection The Welcome to the Security Management Server Configuration Wizard opens Click Next 2 In the One Time Password SIC page select an option for authenticating trusted communication n Initiate trusted communication securely by using a one time password The one time password is used to au...

Page 39: ... the policy you can investigate the issue with the Security Management Server administrator When the issue is resolved click the Fetch Policy button that shows instead of the Connect button n To connect to the Security Management Server later select Connect to the Security Management Server later 4 Click Finish To reinitialize trusted communication with the Security Management Server 1 In the Secu...

Page 40: ...he MAC address of the Quantum Spark Appliance n At the top of the WebUI application near the search box The name of your Quantum Spark Appliance These are the sections on this page n Cloud Services This section shows Cloud Services details l The Configure option lets you configure initial connectivity l When connected you can click Details to see connectivity details and Fetch now to get updated a...

Page 41: ... to Cloud Services 1 Connect to Cloud Services Provider and establish a secure connection Make sure the gateway registration information is correct 2 Get the security policy and settings 3 Install the security policy and settings When you connect for the first time the appliance must verify the certificate of the Cloud Services Provider against its trusted Certificate Authority list If verificatio...

Page 42: ...test connectivity to the Cloud Services 1 Open a console connection 2 Log in 3 Run this CLI command test cloud connectivity service center addr addr To get an updated security policy activated blades and service settings Click Fetch now The appliance gets the latest policy activated blades and service settings from Cloud Services ...

Page 43: ...ctivate the license it may be because n There is a connectivity issue such as a proxy between your appliance and the Internet Or n Your appliance is not registered If there is a proxy between your appliance and the Internet you must configure the proxy details before you can activate your license To configure the proxy details 1 Click Set proxy 2 Select Use proxy server and enter the proxy server ...

Page 44: ...ed and click Import The activation process starts The region is set when the license is installed The region determines the wireless frequency and parameters as the regulations vary according to region If you are using a trial license only basic radio settings are allowed in all zones A warning that selected wireless radio settings are not applied shows on the Summary page of the First Time Config...

Page 45: ...ws events in a table For each event n Time n Severity Type of event such as Security Alert Attention Required or Informative Event n Subject n Message To filter Enter text in the search filter To view details of a security event Click the event row in the table and click View Details To set the notification setting 1 Click Settings The Notifications Settings windows opens 2 Under Mobile notificati...

Page 46: ... Objects on page 272 window or New Server Wizard see Defining Firewall Servers on page 171 opens Enter the information in the fields and click Apply Use these objects to reserve IP addresses to MAC addresses in the DHCP server and also add this object name as a device in the local DNS service Network objects and server objects can be used in the security configurations for example in the Access Po...

Page 47: ... stack host the Active devices do not show the IPv6 address Note This page is available from the Home and Logs Monitoring tabs To add a new network object and bypass SSL inspection based on the host MAC address locally managed only 1 Click the Device Name Save as and select Device type Network Object 2 For Host MAC address enter a custom value or select from the menu 3 Select the checkbox for Bypa...

Page 48: ...st day At hourly intervals For example if you generate a report at 10 15 AM the report represents data from the last 24 hours ending at 10 00 AM of the current day n Bandwidth Usage The doughnut chart shows the top 10 applications or users that consumed the most bandwidth in the selected time frame last hour or last day Click the Applications or Users links to toggle between the statistics To show...

Page 49: ...Access Policy Firewall Blade Control page to see Applications and URL Filtering settings Security events Shows the number of n Anti Bot Malwares detected by the Security Gateway n Anti Virus Malwares detected by the Security Gateway n Threat Emulation Malicious files found since the last reboot and how many files scanned n The number of IPS attacks You can click the links to open the Threat Preven...

Page 50: ...t at 11 15 AM the report represents data from the last month ending at 08 00 AM of the current day System Reboot In the first 24 hour cycle after an appliance starts up after installation or an update the system adds one more time interval to the delta of the next applicable report interval For example for weekly reports that are generated at pair hour intervals the appliance requires 1 more hours...

Page 51: ...th consuming statistics by category site and user You can click the Top category Top site or Top user link to get to the applicable report page It also shows Bandwidth Usage by Applications statistics for the top 5 applications in a doughnut chart and total traffic received and sent n The number of infected devices servers and recently active infected devices n The number of high risk applications...

Page 52: ...handle traffic and without cache memory This gives a more accurate picture of the actual memory usage in the appliance but it may differ from figures you receive from Linux tools The information is automatically refreshed n Disk Usage click the Refresh button for the most updated disk usage information 2 Click Close to return to the Tools page To show the routing table 1 Click Show Routing Table T...

Page 53: ... Start and then Stop when you want to stop packet capturing 3 Click Download File to view or save the capture file You can activate packet capture and go to other WebUI application pages while the packet capture runs in the background However the packet capture stops automatically if the WebUI session ends Make sure you return to the packet capture page stop and download the capture result before ...

Page 54: ... n Add a new connection and edit delete or disable existing connections n Monitor the servers and internet connections see Monitoring on page 68 We recommend you contact your local Internet Service Provider ISP to understand how to configure your specific internet connection Notes ADSL VDSL settings are relevant only for devices that have a DSL port In 1570 1590 appliances you can also configure a...

Page 55: ... performance and redundancy by increasing the network throughput and bandwidth A WAN or LAN bond can act like a regular internet connection in the cluster flow A WAN bond in a cluster can be a monitoring interface n USB Serial is for cellular modems n ADSL VDSL If you select the ADSL VDSL interface you must select one of these for the connection type PPPoE IPoE static IP or IPoE dynamic IP You can...

Page 56: ...nternet IP of the appliance is determined statically You must enter the IP address the subnet mask default gateway and DNS Server Settings n PPTP The Point to Point Tunneling Protocol PPTP uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets n L2TP Layer 2 Tunneling Protocol L2TP is a tunneling protocol It does not provide any encryption or confidentiality but reli...

Page 57: ...Pv4 and IPv6 addresses through the same PPPoE connection This prevents the need to define the same dialer connection details more than once n IPv6 Bridge A Layer 2 bridge between internal and external networks containing both IPv4 and IPv6 addresses or just IPv6 to make the gateway reachable through the bridge in a dual stack pure IPv6 network To configure a new internet connection IPv4 1 In the I...

Page 58: ...onnection type 9 Click Apply Prefix Delegation IPv6 only When an internet connection has prefix delegation enabled the gateway can request a prefix in addition to an IP address from the server and configure an internal network DHCPv6 server that uses this prefix Connected devices are then routable without the need to use NAT These connection types support prefix delegation n PPPoE IPv6 n LAN IPv6 ...

Page 59: ... is enabled automatically on the internal network bridge Hosts behind this internal network bridge receive a globally routable IPv6 address automatically 4 The internet connection interface is not assigned with any global IPv6 address but still has a link local IPv6 address 5 A default gateway route is created to the ISP s gateway link local address as with all IPv6 internet connection 6 ND proxy ...

Page 60: ... the interface type is the same for both IPv4 and IPv6 For example if the IPv4 the interface is configured as WAN the IPv6 interface must also be configured as WAN 3 The AFTR address field is displayed Note This field is not mandatory when the IPv6 connection type is DHCPv6 4 In the Linked connection field select the IPv6 connection name 5 In the Advanced tab n Set the default MTU of the DS Lite i...

Page 61: ...PIP feature in Advanced Settings on page 125 2 Configure an IPv6 Internet connection 3 In the Configuring Internet Connectivity page click New Edit the IPv4 connection The Edit Internet Connection window opens 4 For Connection type select IPv4 over IPv6 IPIP Note Make sure the interface type is the same for both IPv4 and IPv6 For example if the IPv4 the interface is configured as WAN the IPv6 inte...

Page 62: ...tive for Load Sharing Traffic is assigned to Active interfaces based on the transmit hash policy Layer2 or Layer3 4 n High Availability Active Backup Gives redundancy when there is an interface or link failure If you select this mode you must select a Master i e the primary default port for the traffic 6 Select the Connection type 7 In the Advanced tab select the Mii interval The Mii interval is t...

Page 63: ...Edit Internet Connection window The remaining steps are optional additional settings and are not essential for configuration 4 In the Cellular tab under Cellular settings select the Primary SIM and which SIM to disable SIM 1 SIM 2 or Neither n SIM 1 Micro SIM n SIM 2 Nano SIM 5 For each SIM enter the APN and PIN number Note Some cellular carriers require a password to access the cellular internet ...

Page 64: ...use of carrier specific parameters when you register with that carrier To select an active image for a SIM 1 In Device Internet double click an existing cellular connection or select the connection and click Edit You can also click New to create a new cellular connection The Edit Internet Connection window opens 2 In the Cellular tab for each SIM select the new Carrier configuration package from t...

Page 65: ...r Static IP connection can be established over a USB interface n A single DHCP or Static IP connection or multiple PPPoE connections can be established over one untagged or one VLAN tagged WAN or DMZ interface n When all the ADSL standards are turned off in the Advanced Settings and you can only connect using the VDSL2 standard the VPI the VCI and the encapsulation options still appear even though...

Page 66: ... checkbox if necessary This is relevant only when you are in high availability mode For PPTP and L2TP n IP Address Assignment l In Local tunnel IP address select if the IP address is obtained automatically or manually configured If manually configured enter the IP address l In WAN IP assignment select if the WAN IP address is obtained automatically or manually configured If manually configured ent...

Page 67: ...m If the modem has a PPPoE connection set the MTU in the gateway to 1492 or lower n MAC address clone If you select Override default MAC address you can override the default MAC address used by the Internet connection This is useful when the appliance replaces another device and wants to mimic its MAC address n Link Speed If necessary select Disable auto negotiation This lets you manually define t...

Page 68: ... priority connections are unavailable n Load Balancing Weight The traffic to the Internet is divided between all available connections based on their weights NAT Settings If the gateway s global hide NAT is turned on in the Access Policy NAT page you can disable NAT settings for specified internet connections To disable NAT settings 1 Go to Device Internet 2 Select an internet connection and click...

Page 69: ...o one or more servers on the Internet Select this option to use more methods and servers to detect connectivity loss 3 For Connection probing method select ping addresses 4 Under Advanced Probing Settings use the default values or enter new ones for n Recovery time in seconds n Max latency allowed milliseconds n Probing frequency seconds n Window size pings n Failover pings percent failures 5 Clic...

Page 70: ...dit the clone To clone a VAP Select the relevant VAP and click Clone When you clone a VAP it receives a new name which is displayed in the table The IP address and range of the clone is different than the original To edit a VAP 1 Double click the relevant VAP or select the VAP name and click Edit The Edit window opens Note The wireless radio transmitter is the main VAP 2 In the Configuration tab s...

Page 71: ...elect the correct Operation mode Channel Channel width and Transmitter power 3 Click Advanced to set the Guard Interval and Antenna control 4 Click Apply This configuration is global for all wireless networks Some options may not be available or allowed depending on your country s wireless standards 1530 1550 appliances only The wireless client search options depend on the frequency that the appli...

Page 72: ...wn as WPA Personal The RADIUS servers Enterprise mode option requires defining RADIUS servers in the Users Objects Authentication Servers page Each user that tries to connect to the wireless network is authenticated through the RADIUS server This option is also known as WPA Enterprise n Network password When authenticating using a password enter a password or click Generate for an automatically ge...

Page 73: ... IP address n Disabled IPv6 Auto Assignment Select one of the options n SLAAC Stateless Address Autoconfiguration n DHCPv6 Server Enter the IP address range and the IP addresses exclude range n DHCPv6 Server Relay Enter the DHCPv6 server IP address and the Secondary DHCPv6 server IP address Access Policy tab These options create automatic rules that are shown in the Access Policy Firewall Policy p...

Page 74: ...ns n Use the WINS servers configured for the internet connection n Use the following WINS servers Enter the IP addresses of the First and Second WINS servers Lease Lease time Configure the timeout in hours for a single device to retain a dynamically acquired IP address Other Settings You can optionally configure these additional parameters so they will be distributed to DHCP clients n Time servers...

Page 75: ...of interference from neighbour APs is very good grade 2 5 Even the strongest interferer of all APs ExampleWiFi accounting for 74 percent of potential interference has a relatively low rssi 24 Wifi Setup Grades below 2 5 excellent 2 5 3 0 very good 3 0 3 5 good 3 5 5 0 not so good 5 0 6 5 not good above 6 5 terrible As for individual clients they can experience quality issues if their signal is too...

Page 76: ...eate and configure VPN tunnels VTI which can be used to create routing rules which determine which traffic is routed through the tunnel and therefore also encrypted Route based VPN n Create a BOND Link Aggregation between two or more interfaces This improves performance and redundancy by increasing the network throughput and bandwidth The LAN Bond can be an unassigned network n On wireless devices...

Page 77: ...enabled Otherwise it shows disabled l Wireless networks Shows if the wireless network is up or disabled Reserved IP Address for Specific MAC You can configure your network so that IP addresses are assigned only for known hosts Known hosts are already defined as network objects and a specific MAC address is assigned to the IP Other hosts DHCP requests are ignored To configure 1 Select the specific ...

Page 78: ...ified IP addresses if you define network objects in the Users Objects Network Objects page To reserve specified IP addresses you must have the device MAC address n Relay Enter the DHCP server IP address n Disabled IPv6 Auto Assignment for IPv6 configurations n SLAAC Stateless Address Autoconfiguration The host selects its own full IPv6 address after it receives the IPv6 address prefix from the gat...

Page 79: ... from requests to the Internet specifically requests to Google The rest of the networks are considered internal User Defined Networks You can manually define internal networks If a network is not defined as internal it is considered external In both Automatic Learning and user defined networks n Traffic to internal hosts is inspected by the Incoming Internal VPN Rule Base n Traffic to external hos...

Page 80: ...ning disable user defined networks set monitor mode configuration use defined networks false 3 To configure Monitor Mode with user defined networks add monitor mode network ipv4 address IP Address subnet mask Mask set monitor mode configuration use defined networks true 4 To see user defined Internal networks show monitor mode network 5 To disable Anti Spoofing set antispoofing advanced settings g...

Page 81: ...size Configure the Maximum Transmission Unit size for an interface Note that in the Quantum Spark Appliance the value is global for all physical LAN and DMZ ports n Disable auto negotiation Select this option to configure manually the link speed of the interface n Override default MAC address This option is for local networks except those on VLANs and wireless networks Use this option to override ...

Page 82: ...by defining network objects in the Users Objects Network Objects page Reserving specific IP addresses requires the MAC address of the device l Relay Enter the DHCP server IP address l Disabled The Advanced tab n MTU size Configure the Maximum Transmission Unit size for an interface n Disable auto negotiation Select this option to configure manually the link speed of the interface n Override defaul...

Page 83: ...the appliance in our example LAN4 2 Assign a random IP address to this interface This can by a dummy IP address that must not be used in your internal networks 3 Go to the Device Advanced Settings page See Advanced Settings on page 125 4 Search for UserCheck Portal Redirect Address 5 Select this attribute 6 Click Edit 7 Enter the same IP address you assigned to the dedicated interface in our examp...

Page 84: ...ect one of the options l Enabled Enter the IP address range and if necessary the IP address exclude range The appliance s own IP address is automatically excluded from this range You can also exclude or reserve specific IP addresses by defining network objects in the Users Objects Network Objects page Reserving specific IP addresses requires the MAC address of the device l Relay Enter the DHCP ser...

Page 85: ... LAN or switch If you remove or disable the LAN any assigned alias IPs are also removed When you edit an alias IP you cannot change the port or the ID To create an Alias IP on WAN you must create an additional internet connection on the same WAN interface See Configuring Internet Connectivity on page 54 VPN Tunnel VTI To create edit a VPN Tunnel VTI A Virtual Tunnel Interface VTI is a virtual inte...

Page 86: ...s the source IP address for outbound traffic l Internet connection Select from the list l Local bridge interface Select the local interface from the list Virtual Access Point VAP To create edit a Virtual Access Point VAP See the Device Wireless Network help page The DHCP SLAAC Settings tab Note In IPv4 only mode this tab is called DHCPv4 Settings The values for the DHCP options configured on this ...

Page 87: ...clients n Time servers n Call manager n TFTP server n TFTP boot file n X Window display manager n Avaya IP phone n Nortel IP phone n Thomson IP phone Custom Options Lets you add custom options that are not listed above For each custom option you must configure the name tag type and data fields BOND Bonding also known as Link Aggregation is a process that joins two or more interfaces together It im...

Page 88: ...faces based on the transmit hash policy Layer2 or Layer3 4 n High Availability Active Backup Provides redundancy when there is an interface or link failure If you select this mode you must select a Master the primary default port for the traffic 4 Under Interface Configuration a Select the interface b Enter the Local IPv4 address and Subnet mask c Select if you want to Use hotspot when connecting ...

Page 89: ...de from the Hotspot If no network interface was defined for the Hotspot click Configure in Local Network In the Access section of the page you can configure if authentication is required and allow access to all users or to a specified user group Active Directory RADIUS or local Hotspot is automatically activated in the system To disable Hotspot 1 Go to Device Advanced Settings 2 Search for Hotspot...

Page 90: ...c user group enter the group s name in the text box 4 Click Apply Any user user group that browses from configured interfaces is redirected to the Check Point Hotspot portal and must enter authentication credentials To configure the session timeout 1 In Session timeout enter the number of minutes that defines how long a user stays logged in to the session before it is ends 2 Click Apply To customi...

Page 91: ...al 1 Go to Device Advanced Settings 2 Select Hotspot 3 Click Edit The Hotspot window opens 4 Click the checkbox for Prevent simultaneous login 5 Click Apply The same user cannot log in to the Hotspot portal from more than one computer at a time On the Active Devices page available through the Home and Logs Monitoring tabs you can revoke Hotspot access for connected users ...

Page 92: ...s the service IP protocol and ports or service group Next Hop The next hop gateway for this route with these options n Specified IP address of the next hop gateway n Specified Internet connection from the connections configured in the appliance n Specified VPN Tunnel Interface VTI Metric Determines the priority of the route If multiple routes to the same destination exist the route with the lowest...

Page 93: ...K 7 Click any service and select a service name or enter a service name in the search field You can create a new service or service group Note Static routes are not supported for source based or service based routes using VTI VPN 8 Optional Enter a comment 9 Enter a Metric between 0 and 100 The default is 0 10 To enable Scope Local select the checkbox 11 Click Apply To configure a default route 1 ...

Page 94: ...ve Internet connection When a network interface is disabled all routes that lead to it show as inactive in the routing page A route automatically becomes active when the interface is enabled Traffic for an inactive route is routed based on active routing rules usually to the default route The edit delete enable and disable options on the Device Local Network page are only available for manually de...

Page 95: ... Filter allowlist 2 Move the slider to ON After MAC filtering is enabled you can disable the feature for specified networks To edit the LAN MAC Filter allowlist 1 Go to Device MAC Filtering LAN MAC Filter 2 To add a new MAC Address click Add New 3 To select MAC addresses from the list of Active Devices click Add Select 4 To edit a MAC address select it from the list and click Edit 5 To delete a MA...

Page 96: ... tag based VLAN interface defined on one of the LAN physical ports 4 If 802 1x is turned on for a tag based VLAN because 802 1x is port based activate it on both the VLAN and the associated port for example LAN5 and LAN5 1 To enable 802 1x authentication on a LAN switch or interface 1 Go to Device Local Network 2 Select the LAN interface and click Edit The Edit window opens in the Configuration ta...

Page 97: ...To configure logging for MAC filtering and 802 1x authentication 1 Go to Device Advanced Settings 2 Set the value of the MAC Filtering settings Log blocked MAC addresses attribute to n Enabled To enable logging n Disabled To disable logging Note This attribute is available only in Locally Managed mode In Centrally Managed mode configure logging with CLI 3 Optional n To reduce the number of logs sp...

Page 98: ...ically provided by the ISP If Internet Connection High Availability is enabled the DNS servers switch automatically upon failover 2 By default the appliance functions as your DNS proxy and provides DNS resolving services to internal hosts behind it network objects This option is global and applies to all internal networks To get IP addresses directly from the DNS servers defined above clear the En...

Page 99: ...anaged Administration Guide 99 Configuring the Proxy Server In the Device Proxy page you can configure a proxy server to use to connect to the Check Point update and license servers To configure a proxy server 1 Select Use a proxy server 2 Enter a Host name or IP address 3 Enter a Port 4 Click Apply ...

Page 100: ... the confirmation message The factory default settings are restored The appliance reboots to complete the operation Note This does not change the software image Only the settings are restored to their default values IP address 192 168 1 1 WebUI address https 192 168 1 1 4434 the username admin and the password admin To revert to the factory default image 1 Click Factory Defaults 2 Click OK in the ...

Page 101: ...o upgrade it immediately or click More Information to see what is new in the firmware version n If the gateway is configured by Cloud Services automatic firmware upgrades are locked They can only be set by Cloud Services To upgrade your appliance firmware manually 1 Click Manual Upgrade The Upgrade Software Wizard opens 2 Follow the Wizard instructions Note The firewall remains active while the up...

Page 102: ... the backed up file 3 Click Upload File Important Notes n To replace an existing appliance with another one for example upon hardware failure you can restore the settings saved on your previous appliance and reactivate your license through Device License n To duplicate an existing appliance you can restore the settings of the original appliance on the new one n Restoring settings of a different ve...

Page 103: ...mage including the firmware all system settings and the current security policy When you click Next the upgrade process starts Upgrading The Upgrading page shows an upgrade progress indicator and checks off each step as it is completed n Initializing upgrade process n Installing new image Backing up the System The backup file includes all your system settings such as network settings and DNS confi...

Page 104: ... Configure the file storage destination a Select the Protocol SFTP or FTP b Enter a Backup server path c Enter a username and password d Click Apply 4 Optional Select Use file encryption If you select this option you must enter and confirm a password 5 In Schedule Periodic Backup select frequency n Daily Select time of day hour range n Weekly Select day of week and time of day n Monthly Select day...

Page 105: ...rators can update or modify operating system settings They can select a service or network object but cannot create or modify it n Mobile Administrator Mobile administrators are allowed all networking operations on all interfaces They can change their own passwords generate reports reboot change events and mobile policy active hosts operations and pairing They cannot login from or access the WebUI...

Page 106: ...ake sure a RADIUS server is defined on the appliance If there is no server click the RADIUS configuration link at the top of this page You must configure the IP address and shared secret used by the RADIUS server 3 When you have a configured RADIUS server click Edit permissions The RADIUS Authentication window opens 4 Click the Enable RADIUS authentication for administrators checkbox Use roles def...

Page 107: ...he pull down menu 3 Click Generate This generates a QR code to connect the Check Point WatchTower mobile application with the appliance for the first time For more information about the mobile application see the Check Point SMB WatchTower App User Guide Configuring a RADIUS Server for non local Quantum Spark Appliance users Non local users can be defined on a RADIUS server and not in the Quantum ...

Page 108: ...lues are Administrator Role Value Super Admin adminRole Read only monitorrole Networking Admin networkingrole Mobile Admin mobilerole Configuring a FreeRADIUS server for non local appliance users 1 Create the dictionary file dictionary checkpoint in the etc freeradius on the RADIUS server Add these lines in the dictionary checkpoint file Check Point dictionary file for FreeRADIUS AAA server VENDOR...

Page 109: ...de subdicts dict checkpoint to etc openradius dictionaries right after dict ascend add vendor 2620 CheckPoint set default vendor CheckPoint space RAD VSA STD len_ofs 1 len_size 1 len_adj 0 val_ofs 2 val_size 2 val_type String nodec 0 noenc 0 add attribute 229 CP Gaia User Role add attribute 230 CP Gaia SuperUser Access val_type Integer val_size 4 2 Add this line in the etc openradius dictionaries ...

Page 110: ...log in as a Super User A user with super user permissions can use the Quantum Spark Appliance shell to do system level operations including working with the file system 1 Connect to the Quantum Spark Appliance platform over SSH or serial console 2 Log in to the Gaia Clish shell with your user name and password 3 Run expert 4 Enter the Expert mode password ...

Page 111: ...unnels from a remote site or uses a remote access client n Internet Clear traffic from the Internet not recommended to allow access from all IP addresses To allow administrator access from any IP address 1 Select the Any IP address option This option is less secure and not recommended We recommend you allow access from the Internet to specific IP addresses only 2 Change the WEB Port HTTPS and or S...

Page 112: ... My Computer 6 Click Apply The IP address is added to the table 7 Change the WEB Port HTTPS and or SSH port if necessary 8 Click Apply An administrator can use the configured IP addresses to access the appliance through the allowed interface sources To delete administrator access from a specific IP address 1 Select the IP Address you want to delete from the IP Address table 2 Click Delete Importan...

Page 113: ...ters and the hyphen character Do not use the hyphen as the first or last character n For wireless devices only Configure the Country The allowed wireless radio settings vary based on the standards in each country n Assign a Web portal certificate To assign a Web portal certificate 1 Click the downward arrow next to the Web portal certificate field The list of uploaded certificates shows 2 Select t...

Page 114: ...twork Time Protocol NTP Server option 2 Enter the Host name or IP addresses of the NTP Server If the Primary NTP Server fails to respond the Secondary NTP Server is queried 3 Set the Update Interval minutes field 4 Select the NTP Authentication checkbox if you want to supply a Shared Secret and a Shared Secret Identifier this is optional Note You cannot use these characters in a password or shared...

Page 115: ...vider Select the DDNS provider that you set up an account with n User name Enter the user name of the account n Password Enter the password of the account Note You cannot use these characters in a password or shared secret Maximum number of characters 255 n Host name Enter your routable host name as defined in your DDNS account For more information about these details refer to your provider s webs...

Page 116: ...dvanced Setting enable Do not encrypt connections originating from the local gateway How to access the gateway with the Reach My Device service When registration is complete an outgoing tunnel to the Check Point Cloud Service is established with the appliance s IP address Remote Access to the WebUI Web Link Use this URL in a browser to remotely access the appliance For example https mygateway web ...

Page 117: ...s Provider certificate is used by community members configured by Cloud Services Note If you turn Cloud Services off the Cloud Services Provider certificate is removed These are the steps to create a signed certificate 1 Create a signing request 2 Export the signed request download the signing request from the appliance 3 Send the signing request to the CA 4 When you receive the signed certificate...

Page 118: ... the CA 1 Select the signing request entry from the table 2 Click Upload Signed Certificate 3 Browse to the signed certificate file crt 4 Click Complete The status of the installed certificate record changes from Waiting for signed certificate to Verified To upload a P12 file 1 Click Upload P12 Certificate 2 Browse to the file 3 Edit the Certificate name if necessary 4 Enter the certificate passwo...

Page 119: ...S is configured or its external IP address If you have multiple Internet connections configured in load sharing mode you can manually enter an accessible IP address for this appliance This is used by remote sites to access the internal CA and check for certificate revocation 3 Select the number of years for which the Internal VPN Certificate is valid The default is 3 The maximum value allowed is 2...

Page 120: ...mote site In third party appliances make sure to look in its Administration Guide to see where signing requests are created The file must be in a path accessible to the appliance After you click OK in the file browsing window the file is uploaded If it is correctly formatted it is signed by the Internal CA and the Download button is available 3 Click Download The signed certificate is downloaded t...

Page 121: ... n Non HA also called private The physical interface in this member does not participate in High Availability functions n Monitored also called private monitored The physical interface in this member is not coupled with another interface on the other member as in High Availability interface mode The interface s status is still monitored and if a problem occurs the member will fail over to the seco...

Page 122: ... member If a primary member is already configured and this appliance connects to it 3 Click Next 4 For a primary member a In Step 2 SIC Settings enter a password and confirm it This password is used for establishing trust between the members Note You cannot use these characters in a password or shared secret Maximum number of characters 255 b The default Sync interface is LAN2 If it is necessary t...

Page 123: ...ortal You can configure a cluster in which both gateways are managed by Quantum Spark Portal Make sure the gateways are connected to Quantum Spark Portal before you create the cluster A cluster supported by Quantum Spark Portal is very similar to a locally managed cluster One member is Active and the other is Standby To change the status of the Active member click Force Member Down To configure th...

Page 124: ...s After the cluster is set up you see the High Availability cluster between the two appliances If both gateways are properly configured from a network perspective and software health one gateway is marked as active and the peer gateway is marked as standby A list of configured interfaces shows To see information about the cluster members and the High Availability status click diagnostics Upgrading...

Page 125: ...ext to the search string To configure the appliance attributes 1 Select an attribute 2 Click Edit The attribute window opens 3 Configure the settings or click Restore Defaults to reset the attribute to the default settings For more details on the attributes see the next sections 4 Click Apply To reset all the appliance attributes to the default settings 1 From the Advanced Settings window click Re...

Page 126: ...ded each incoming connection triggers the deletion of ten connections from the eligible for deletion list An additional ten connections are deleted with every new connection until the memory consumption or the connections capacity falls below the enforcement limit If there are no eligible for deletion connections no connections are deleted at that time but the list is checked after each subsequent...

Page 127: ...limit if memory exceeds a limit or if both exceed their limits 2 Enter the percentage that you want to define as the limit to either connections table or memory consumption If you select both the values in the percentage fields of the other options are applied Default is 80 with connections from the eligible for deletion list being deleted if either the connections table or memory consumption pass...

Page 128: ...on timeout Indicates the timeout in seconds to wait for an IP reputation test result Scan outgoing emails Scan the content of emails which are sent from the local network to the Internet Transparent proxy Use a transparent proxy for inspected email connections When disabled configuration of the proxy address and port is required on client machines Table Anti Spam policy Attributes Anti Spoofing At...

Page 129: ... inspection engine to improved application identification Web site categorization mode Indicates the mode that is used for website categorization Background Requests are allowed until categorization is complete When a request cannot be categorized with a cached response an uncategorized response is received Access to the site is allowed In the background the Check Point Online Web Service continue...

Page 130: ...s to allow a quicker failover by the network s switch Using the virtual MAC address n Minimizes the potential traffic outage during fail over n Removes the need to use G ARPs for NATed IP addresses Table Cluster Attributes DDNS Attribute Description Iterations Number of DNS updates Table DDNS Attributes DHCP Bride Attribute Description MAC Assignment Indicates whether the MAC address for the DHCP ...

Page 131: ...x J M In an Annex A appliance Combined with supported ADSL2 it specifies Annex M ADSL2 In an Annex B appliance Combined with supported ADSL2 it specifies Annex J ADSL2 DSL globals Annex L In an Annex A appliance Combined with enabled ADSL2 G 992 3 specifies support for Annex L DSL globals 8a Supports VDSL Profile 8a DSL globals 8b Supports VDSL Profile 8b DSL globals 8c Supports VDSL Profile 8c DS...

Page 132: ...reject from internal Log implied rules Produce log records for connections that match implied rules Table Firewall Policy Attributes General Temporary Directory Size Attribute Description General temporary directory size Controls the size in MB of the general temporary directory System temporary directory size Controls the size in MB of the temporary directory that is used by the system Table Gene...

Page 133: ...ts Fragmented IP packets are allowed if they do not exceed a configured threshold When selecting this option you can configure the maximum number of accepted incomplete packets You can also configure the timeout in seconds for holding unassembled fragmented packets before discarding them Table IP Fragments Parameters IP Resolving Attributes Description IP Resolving IP Resolving Activation Enable D...

Page 134: ...how n Show pre defined HTML error page You can configure an HTML page that opens when an attack is detected To configure the page go to Advanced Settings IPS engine settings HTML error page configuration n Redirect to another URL Enter a URL to which users are redirected when an attack is detected You can also select to add an error code that provides more information about the detected attack Thi...

Page 135: ...when they send an invalid LSI signal Path MTU Discovery Mode Select from these options n Disabled n Run Once Runs once after establishing internet connection and tries to detect path MTU n Run as a daemon Runs in the background and tries to detect path MTU Table Internet Attributes Internet Connection Type Description IPv4 over IPv6 IPIP Indicates whether IPv4 over IPv6 IPIP Internet connection is...

Page 136: ... Management Server without the need to enter an administrator user name and password Show device details in Login Indicates if appliance details are shown when an administrator accesses the appliance Table Managed Service Attributes Mobile Settings Attribute Description Mobile Settings Notification cloud server URL Cloud server URL used for sending mobile notifications Mobile Settings Pairing code...

Page 137: ... VPN clients connections Applies to connections from VPN remote access clients to the gateway n Use IP Pool NAT for gateway to gateway connections Applies to site to site VPN connections n Prefer IP Pool NAT over Hide NAT Specifies that IP Pool NAT has priority over Hide NAT if both match the same connection Hide NAT is only applied if the IP pool is used up n Reuse IP addresses from the Pool for ...

Page 138: ... Translate destination on client side manual rules Translates destination IP addresses on client side for manually configured NAT rules Table NAT Attributes continued Notification Policy Attributes Description Notification Language Notification language Notifications Policy Send push notifications Indicates whether notifications are sent to mobile application Notifications Policy The maximum numbe...

Page 139: ...oolean Default false Enable automatic WiFi Channel Change Specifies whether WiFi switches channels automatically during operation Type Boolean Default false Enable destination check on PPPoE Specifies whether PPP0E destination check is enabled Type Boolean Default false Enable flow control for network switch Indicates if flow control is enabled for network switch Type Boolean Default false Force c...

Page 140: ...access service Server address Indicates the address of the remote server that allows administration access to the appliance from the Internet even when behind NAT Table Reach My Device Attributes Report Settings Attributes Description Report Settings Max Period Maximum period to collect and monitor data You must reboot the appliance to apply changes Report Settings Reports cloud server URL Reports...

Page 141: ...cted device This console is accessible through a telnet connection to a configured port on the appliance In Listen on TCP port enter the port number To configure an implicit rule that allows traffic from any source to this port make sure Implicitly allow traffic to this port is selected If you do not create an implicit rule you must manually define an access rule in the Firewall Rule Base Two appl...

Page 142: ...P or UDP connection that was accepted by the Rule Base Accept stateful ICMP replies Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base Accept stateful UDP replies for unknown services Specifies if UDP replies are to be accepted for unknown services In each UDP service object it is possible to configure whether UDP replies for it are accepted if the service is matched o...

Page 143: ... protocols virtual session timeout A virtual session of services which are not TCP UDP or ICMP is considered to have timed out after this time period in seconds TCP end timeout Indicates the timeout in seconds for TCP session end A TCP session is considered as ended following two FIN packets one in each direction or an RST packet TCP session timeout Indicates the timeout in seconds for TCP session...

Page 144: ...pecified window Segments outside this window are not processed by the receiving host TCP segments which are outside the TCP receiving window should not be processed by the gateway All data from TCP segments that are outside of the window is either dropped or removed If the segment is near the window data is stripped If the segment is far from the window the segment is dropped TCP Invalid Retransmi...

Page 145: ... URG bit set in protocols which do not support the TCP out of band functionality When set to detect usage of the URG bit causes the traffic to bypass deep inspection blades Stream Inspection Timeout A connection being inspected by a dedicated process may be delayed until inspection is completed If inspection is not completed within a time limit the connection is dropped so that resources are not k...

Page 146: ...sification is complete When a connection cannot be classified with the cached responses it remains blocked until the Check Point Online Web Service completes classification n Background Connections are allowed until classification is complete When a connection cannot be classified with a cached response an uncategorized response is received The connection is allowed In the background the Check Poi...

Page 147: ...emulation is completed Emulation location Indicates if emulation is done on Public ThreatCloud or on remote private SandBlast Primary emulation gateway The IP address of the primary remote emulation gateway Table Threat Prevention Threat Emulation Policy Attributes continued Threat Prevention Policy Attribute Description Block when service is unavailable Block web requests traffic when the Check P...

Page 148: ...esumes in the next connection This improves performance because the remaining part of the connection is fully accelerated However changing the setting to Full is not recommended because of a severe security impact The remaining sessions of the connection are not inspected Threat Prevention policy Update Threat Prevention With Full Packages Update Threat Prevention with the most up to date packages...

Page 149: ...set only occurs when probing fails on all internet connections and not just USB modem Type Boolean Table USB Modem Watchdog Attributes continued Update Services Schedule Attribute Description Maximum number of retries Indicates the maximum number of retries for a single update when the cloud is unavailable Timeout until retry Indicates the timeout in seconds until update retry Table Update service...

Page 150: ...ight Table User Management Attributes VPN Remote Access Attribute Description Allow clear Traffic while disconnected Indicates if traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site is sent without encryption clear or dropped Allow simultaneous login Indicates if a user can log in to multiple sessions If the option is disabled and a user logs in a se...

Page 151: ...or IKE phase 1 and 2 Endpoint Connect re authentication timeout Indicates the time in minutes until the Endpoint Connect user s credentials are resent to the gateway to verify authorization IKE IP Compression Support Indicates if IPSec packets from remote access clients is compressed IKE Over TCP Enables support of IKE over TCP IKE restart recovery When dealing with Remote Access clients the appli...

Page 152: ...ays encryption domain goes out with the Office Mode IP as the internal source IP The Office Mode IP is what hosts in the encryption domain recognize as the remote user s IP address The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well The neighboring encryption domains should reside behind gateways that are ...

Page 153: ...fault algorithms SNX uninstall This parameter lets you configure under which conditions the SSL Network Extender client uninstalls itself The options are Do not uninstall automatically recommended default always uninstall upon disconnection and ask the user upon disconnection SNX upgrade This parameter lets you configure under which conditions the SSL Network Extender client installs itself The op...

Page 154: ...ark to encrypted decrypted IPSec packet DPD triggers new IKE negotiation DPD triggers new IKE negotiation Delete IKE SAs from a dead peer Delete IKE SAs from a dead peer Delete IPsec SAs on IKE SA delete Delete IPsec SAs on IKE SA delete Delete tunnel SAs when Tunnel Test fails When permanent VPN tunnels are enabled and a Tunnel Test fails delete the relevant peer s tunnel SAs Do not encrypt conne...

Page 155: ...dentified IP addresses protection is active and the method by which it detects potential attackers IKE Reply From Same IP Indicates if the source IP address used in IKE session is based on destination when replying to incoming connections or based on the general source IP address link selection configuration Join adjacent subnets in IKE Quick Mode Indicates if to join adjacent subnets in IKE Quick...

Page 156: ...see the status of the VPN tunnel in the Logs and Monitoring tab Permanent tunnel down tracking Indicates how to log when the tunnel goes down Log don t log or alert Permanent tunnel up tracking Indicates how to log when the tunnel is up Log don t log or alert RDP packet reply timeout Timeout in seconds for an RDP packet reply Reply from incoming interface When tunnel is initiated from remote site ...

Page 157: ...tion over SIP traffic automatically accepts SIP connections to registered ports Table VoIP Attributes Web Interface Settings and Customizations Attribute Description Multiple parameters Select Use a company logo in the appliance s web interface to display a different logo not the Check Point default logo In Company logo click the Upload company logo link browse to the logo file and click Apply In ...

Page 158: ...ation URL Filtering Defines how to control Internet browsing and application usage The Access Policy Firewall Blade Control page lets you easily define the default policy for your organization In addition you can define and view the rule based policy in the Access Policy Firewall Policy page Configurations in the Firewall Blade Control page are shown as automatically generated system rules at the ...

Page 159: ...he Internet traffic from outside your organization to it The Standard policy option is the default level and is recommended for most cases Keep it unless you have a specified need for a higher or lower security level n Off Allows all traffic When the firewall is deactivated your network is not secured Manually defined rules are not applied Note When the blade is managed by Cloud Services a lock ic...

Page 160: ...m your organization to the Internet Application URL Filtering are service based features and require Internet connectivity to download the latest signature package for new applications and to contact the Check Point cloud for URL categorization This page lets you define the default policy for Application URL Filtering control It is recommended by default to block browsing to security risk categori...

Page 161: ...more granular policy go to the Access Policy Firewall Blade Control page n Limit bandwidth consuming applications Applications that use a lot of bandwidth can decrease performance necessary for important business applications This option gives accelerated QoS bandwidth control for applications When you select this option P2P file sharing media sharing and media streams are selected by default but ...

Page 162: ...gs and also configure user based Access Policy rules User recognition can be done seamlessly by the appliance using your organization s AD server The user database and authentication are all done through the AD server When a user logs in to the AD server the appliance is notified Users from the AD server can be used as the Source in Access Policy rules Alternatively or in addition users can be def...

Page 163: ...atabase contains more than 4 500 applications and about 96 million categorized URLs Each application has a description a category additional categories and a risk level You can include applications and categories in your Application Control and URL Filtering rules If your appliance is licensed for the Application Control URL Filtering blades the database is updated regularly with new applications ...

Page 164: ...as exceptions to the default policy You can also customize messages that are shown to users for specified websites when they are blocked or accepted by the Rule Base see below You can also use an Ask action for applications or URLs that lets the end user determine whether browsing is for work related purposes or not For example we recommend you add a rule that asks the users before browsing to unc...

Page 165: ...thing and you configure access only through manual rules Within each section there are these sections n Manual Rules Rules that you manually create n Auto Generated Rules Rules that the system determines based on the initial Firewall Policy mode Strict or Standard as explained above These rules are also influenced by other elements in the system For example when you add a server a corresponding ru...

Page 166: ... Service Type of network service that is accepted or blocked Action Firewall action that is done when traffic matches the rule For outgoing traffic rules you can use the Customize messages option to configure Ask or Inform actions in addition to the regular Block or Accept actions The messages shown can be set for these action types Accept and Inform Block and Inform or Ask Ask action lets the end...

Page 167: ...nder Selected The Add Rule window opens It shows the rule fields in two ways n A rule summary sentence with default values n A table with the rule base fields in a table 3 Click the links in the rule summary or the table cells to select network objects or options that fill out the rule base fields See the descriptions above Note The Application field is relevant only for outgoing rules In the Sour...

Page 168: ...ions for automatically generated rules 1 Select a rule and click Edit 2 Edit the fields as necessary 3 Click Apply To delete a rule 1 Select a rule and click Delete 2 Click Yes in the confirmation message To enable or disable a rule n To disable a manually defined rule that you have added to the rule base select the rule and click Disable n To enable a manually defined rule that you previously dis...

Page 169: ...wall Access Policy page in the Rule Base click New If necessary specify the rule order 2 Click Updatable objects and select the objects you want 3 Click Import 4 Edit the rule so the source and destination use the specified countries 5 Select the Action and Log 6 Optional Enter a comment 7 Optional Apply limitations such as time or traffic limits 8 Click Apply Customizing Messages You can customiz...

Page 170: ...e notification cannot be shown in the browser or application the behavior is l If the Fallback action is Accept The user can access the website or application l If the Fallback action is Block The Security Gateway tries to show the notification in the application that caused the notification If it cannot the website or application is blocked and the user does not see a notification n Frequency You...

Page 171: ... link in the comment to open the Access tab in the Server Properties An easier way to define server objects is by detecting them in the Home Active Devices page and saving them as servers For example this option automatically detects the MAC address of the server making configuration easier During the wizard n Click Cancel to quit the wizard n Click Next to move to the next page of the wizard n Cl...

Page 172: ...evices page the MAC address is detected automatically Step 3 Access 1 Select the zones from which the server is accessible n All zones including the Internet Select this option to create a server that anyone from outside the organization can access This option requires configuring how the server is accessible through NAT in the next step n Only trusted zones my organization Select the applicable c...

Page 173: ... the Hide internal networks behind the Gateway s external IP address checkbox in the Access Policy NAT Control page is cleared see above for details It means there are no NAT rules on the server When you complete the wizard the server is added to the list of servers on the page and the automatically generated access rules are added to the Access Policy Firewall Policy Rule Base Note This page is a...

Page 174: ...you configure servers that are accessible from the Internet even if they do not have a routable IP address You can also configure servers with NAT settings from this page To disable NAT for outgoing traffic Hide NAT By default NAT is configured for outgoing traffic If it is necessary to disable NAT make sure Hide internal networks behind the Gateway s external IP address is set to OFF Important In...

Page 175: ...ly relevant if the Hide internal networks behind the Gateway s external IP address checkbox in the Access Policy NAT Control page is cleared see above for details It means there are no NAT rules on the server 5 When you have multiple internal servers that use the same port select Redirect from port and enter a different port number that is used when you access this server from the Internet Traffic...

Page 176: ...ion The network object a specified IP address or network group object a specified IP address range that is the original destination of the connections to translate Original Service The original service used for the connections to translate Translated Source The network object or network group object that is the new source to which the original source is translated Translated Destination The networ...

Page 177: ...ed source to be a single IP address When this option is not selected you can still use an IP range in the Original Source and a different IP range of the same size in the Translated Source This rule does the IP address translation from one range to another respectively the first IP in the first range is translated to the first IP in the second range and so on 7 Select Serve as an ARP Proxy for the...

Page 178: ...0 1600 and 1800 Appliance Series R80 20 40 Locally Managed Administration Guide 178 To change the rule order Note You can only change the order of manually defined rules 1 Select the rule to move 2 Drag and drop it to the necessary position ...

Page 179: ...ields that manage the NAT rules Rule Base Field Description Original Source The network object a specified IP address or network group object a specified IP address range that is the original source of the connections to translate Original Destination The network object a specified IP address or network group object a specified IP address range that is the original destination of the connections t...

Page 180: ...resses IP ranges networks etc and the translated source to be a single IP address When this option is not selected you can still use an IP range in the Original Source and a different IP range of the same size in the Translated Source This rule does the IP address translation from one range to another respectively the first IP in the first range is translated to the first IP in the second range et...

Page 181: ...Inspecting VoIP Traffic Quantum Spark 1500 1600 and 1800 Appliance Series R80 20 40 Locally Managed Administration Guide 181 Inspecting VoIP Traffic ...

Page 182: ...lable network objects are shown in a table with a Group name You can select a single IP or a range of servers with external IP address b To add a new IP address click New To remove an IP address select it and click Remove c Select whether to Log traffic from this provider d Select whether to Disable SIP traffic inspection When this setting is enabled application level inspection and NAT of the SIP...

Page 183: ...for Outgoing access to the Internet and Incoming Internal and VPN traffic Notes n For an on premise configuration without PBX the destination should be the IP_Phones object n If you allow access to the PBX portal another rule is created Source Destination Application Service Action Log Comment Any PBX Server HTTP S Accept None Generated rule SIP VOIP Forwarding rules are automatically created in t...

Page 184: ...to Access Policy Policy 2 Add a rule to the Incoming Internal and VPN traffic Rule Base that allows SIP traffic Source Destination Application Service Action Log A network object that holds the IP address of the SIP server A network object that holds the IP addresses of the phones behind the gateway SIP Accept Select the applicable option For more information see Working with the Firewall Access P...

Page 185: ...rs before they can access network resources or the Internet When users try to access a protected resource they must log in to a web page to continue This is a method that identifies locally defined users or users that were not successfully identified by other methods You can configure the Browser Based Authentication to appear for all traffic but because this method of identification is not seamle...

Page 186: ...he checkbox Use user groups from specific branch only Click Add and enter a branch path in the AD Branch field 5 Click Apply You can also add a new AD Domain in the Users Objects Authentication Servers page For Browser Based Authentication 1 To block access for unauthenticated users when the portal is not available select Block unauthenticated users when the captive portal is not applicable This c...

Page 187: ...the Captive Portal runs on the Check Point Appliance or enter a different portal address n Session timeout Sets for how long an authenticated user can access the network or Internet before they have to authenticate again n Enable Unregistered guests login Allow an unregistered guest user to be identified in the logs by name and not only by IP address An unregistered user is an unmanaged non AD use...

Page 188: ...ast one Internet connection to be configured with the maximum download and or upload speeds provided by your ISP For more information about your download and upload speeds contact your local ISP This page lets you configure a default simplified QoS policy You can configure a more advanced policy in the Access Policy QoS Policy page QoS policy applies to traffic over external interfaces only QoS Se...

Page 189: ... of traffic if needed and if necessary click the all services link to edit a list of selected guaranteed services This option adds a rule to the QoS Policy Rule Base n Limit Bandwidth Consuming Applications Applications that use a lot of bandwidth can decrease performance necessary for important business applications Click the Bandwidth Consuming Applications link to see the default applications c...

Page 190: ...ge the value click the percentage link You can view the QoS Policy Rule Base on this page For each rule you see these fields Rule Base Field Description No Rule number in the QoS policy Source Network object that starts the connection Destination Network object that completes the connection Service Type of network service for which bandwidth is adjusted based on weight limit and guarantee Guarante...

Page 191: ...ted two times the amount of bandwidth as the second when lines are congested To create a QoS rule 1 Click the arrow next to New 2 Click one of the available positioning options for the rule On Top On Bottom Above Selected or Under Selected The Add Rule window opens It shows the rule fields in two manners n A rule summary sentence with default values n A table with the rule base fields in a table 3...

Page 192: ... Click Apply To delete a QoS rule 1 Select a rule and click Delete 2 Click Yes in the confirmation message To enable or disable a QoS rule n To disable a manually defined rule that you have added to the Rule Base select the rule and click Disable n To enable a manually defined rule that you have previously disabled select the rule and click Enable To change the QoS rule order 1 Select the rule to ...

Page 193: ... Click Download CA Certificate to download the gateway s internal CA certificate Note The certificate is available for all users on the gateway You do not need administrator credentials If you do not have administrator credentials connect from an internal or wireless network to http my firewall ica or https IP_Address_of_Appliance ica You must install this certificate on every client behind the ga...

Page 194: ... all possible traffic regardless of its source and destination To configure more advanced exceptions go to the SSL Inspection Exceptions page To set the SSL inspection bypass policy n Wireless networks to bypass Select or clear which wireless networks to bypass Untrusted networks are selected by default Note Wireless networks must be assigned to Separate Network not switch or bridge n Categories S...

Page 195: ...ens 3 Configure the settings for URL Filtering Note HTTPS categorization only applies when the URL Filtering blade is turned on To disable SSL inspection and HTTPS categorization Select Off Upgrades in the SSL Bypass mechanism include n Stop the inspection of the first connection to bypassed sites n Allow bypass of Non Browser Applications connections n Allow Bypass of connections to servers that ...

Page 196: ... On the SSL Inspection Exceptions page you can define manual rules to configure exceptions to bypass SSL inspection for specific traffic You can configure more advanced exceptions with specific scope category and tracking options To add bypass exceptions 1 Click New 2 For each exception enter n Source n Destination n Category Custom Application n Track ...

Page 197: ...redefined list of trusted CAs based on the Mozilla LibCurl Trusted CA list Only a server certificate signed by one of those CAs is recognized as a valid certificate The table shows the list of trusted CAs Trusted CA types n Default from the gateway These CAs can be disabled but not deleted n Added by user These CAs can be deleted To add a CA manually to the trusted CA list 1 Click Add The Add a Tr...

Page 198: ...hreat Emulation Gives networks protection against unknown threats in files that are downloaded from the Internet or attached to emails In emulation the file is opened on more than one virtual computer with different operating system environments These virtual computers are closely monitored for unusual and malicious behavior Any malicious behavior is immediately logged and you can use Prevent mode...

Page 199: ...s n None Do not log n Log Create a log n Alert Log with an alert 3 Under Protection Activation for each confidence level High confidence Medium confidence and Low confidence select the applicable action from the list n Ask Traffic is blocked until the user confirms it is allowed n Prevent Blocks identified virus or bot traffic or identified malicious files from passing through the gateway n Detect...

Page 200: ...0 Locally Managed Administration Guide 200 To schedule updates 1 Click Schedule The Activate Automatic Updates window opens 2 Select the Software Blades to receive automatic updates n IPS n Anti Virus n Anti Bot n Application Control 3 Select the Recurrence and Time of day 4 Click Apply ...

Page 201: ...work select DMZ network and select the Any Scope except checkbox n Source Network object that initiates the connection n Destination Network object that is the target of the connection n Protection In the Blades tab select Any for all or for a specific blade In the IPS protections tab select a specific IPS protection from the list n Service Port Type of network service If you make an exception for...

Page 202: ... Prevention Infinity SOC The Check Point Infinity SOC sk164332 is supported from R80 20 40 in the Locally managed mode Infinity SOC enables cybersecurity teams to effectively and efficiently prevent detect and respond to all threats Infinity SOC doubles the effectiveness of SOC teams by automating time consuming tasks allowing security teams to focus on remediation and attack prevention You can en...

Page 203: ...ion in attack statistics see sk164332 section De obfuscate the real IP of the victim c Click Apply To enable the Infinity SOC feature in Gaia Clish run these commands 1 Allow the appliance to send data to Check Point set privacy settings advanced settings customer consent true 2 Allow viewing attack statistics in your User Center Account set threat prevention policy advanced settings allow attack ...

Page 204: ...lt in host or server infection For example l When you browse to an infected or a potentially unsafe Internet site there is a possibility that malware was installed l When you download an infected file there is a possibility that the file was opened or triggered and infected the host or server n Object name Shows the object name if the host or server was configured as a network object n IP MAC addr...

Page 205: ...k the links in the rule summary or the table cells to select network objects or options that fill out the exception rule fields n Scope Select either Any or a specific scope from the list If necessary you can create a New network object network object group or local user If it is necessary to negate a specified scope select the scope and select the Any Scope except checkbox For example if the scop...

Page 206: ...Managed Administration Guide 206 To view the logs of a specified entry 1 Select the list entry for which to view logs 2 Click Logs The Logs Monitoring Security Logs page opens and shows the logs applicable to the IP MAC address Note This page is available from the Home and Logs Monitoring tabs ...

Page 207: ...or manually configure a specific protection to override the general policy To search for a specified protection 1 Enter a name in the filter box 2 Scroll the pages with the next and previous page buttons at the bottom of the page To configure the IPS policy go to the Threat Prevention Threat Prevention Blade Control page You can see the details of each protection and also configure a manual overri...

Page 208: ...e instructions in the window that opens and click Apply Thresholds are configured for CPU Usage and Memory Usage There is always a high watermark and a low watermark Bypass occurs when the high watermark is exceeded and the IPS engine continues inspection when the load drops below the low watermark In this way when under load the IPS engine does not toggle between modes too frequently 3 In Bypass ...

Page 209: ...can incoming files l External and DMZ Files that originate from external and the DMZ interfaces are inspected Note DMZ is not supported in 1530 1550 appliances l External Files that originate from external interfaces are inspected l All Files transferred between all interfaces are inspected n Scan both incoming and outgoing files Files that originate from outside the organization and from within t...

Page 210: ... page for a description of the action types n URLs with malware Protections related to URLs that are used for malware distribution and malware infection servers n Viruses Real time protection from the latest malware and viruses by examining each file against the Check Point ThreatCloud database To enable Detect only mode Select the checkbox Anti Bot You can set policy overrides to override the gen...

Page 211: ...o Access Policy SSL Inspection Policy 3 For file type policy Process specific file type families Click Configure for a list of file types and set prescribed actions to take place when these files pass through the Threat Emulation engine To edit an action for a specified file type right click the row and click Edit You can also click the file type so it is selected and then Click Edit The available...

Page 212: ...on the Small Business Security video channel To enable Detect only mode Select the checkbox User Messages You can customize messages for protection types set with the Ask action When traffic is matched for a protection type that is set to Ask the user s internet browser shows the message in a new window These are the Ask options and their related notifications Option Anti Virus Notification Anti B...

Page 213: ...Accept for when the notification cannot be shown in the browser or application that caused the notification most notably in non web applications l If the Fallback action is Accept The user can access the website or application l If the Fallback action is Block The website or application is blocked and the user does not see a notification n Frequency You can set the number of times that the Anti Vi...

Page 214: ... checkbox to handle suspected spam separately see below To enable or disable Anti Spam 1 Select On or Off 2 Click Apply Note When the blade is managed by Cloud Services a lock icon is shown You cannot toggle between the on and off states If you change other policy settings the change is temporary Any changes made locally will be overridden in the next synchronization between the gateway and Cloud ...

Page 215: ...Handle suspected spam separately 2 Select an option block flag email subject or flag email header When selecting a flag option it is possible to modify the text string used to flag the suspected spam emails The default is SUSPECTED SPAM You can choose the flag option for Spam and for Suspected Spam Use this option to have a different string for the flag action 3 Select a tracking option 4 Click Ap...

Page 216: ... its own classification To block or allow by senders requires the Anti Spam engine to be configured to filter based on Email content in the Threat Prevention Anti Spam Blade Control page Note IP address exceptions are ignored for POP3 traffic To add a new sender domain IP address to the Allow or Block list 1 Click Add or New in the Allow or Block list 2 Enter the IP address or Sender Domain 3 Clic...

Page 217: ...tatic IP Internet connection on the appliance If you do not use a static IP your appliance s IP address can vary based on to your Internet Service Provider DDNS lets home users connect to the organization by name and not IP address that can change See Device DDNS for more details To configure DDNS click the DDNS link or the Internet link for static IP address To enable or disable VPN Remote Access...

Page 218: ...indow and click Apply To manage SSL VPN bookmarks 1 Select the SSL VPN checkbox 2 Click Apply 3 Click Manage SSL VPN bookmarks The VPN Advanced page opens 4 In SSL VPN bookmarks click New to create new bookmarks A new window opens 5 Enter these details n URL Note If you select Global bookmark all users see this bookmark n Type Link or RDP remote desktop protocol n Label The bookmark name n Tooltip...

Page 219: ...connect link next to the relevant remote access method 2 Click the E mail these instructions to automatically open a pre filled email that contains the instructions 3 Click Close To change the Remote Access port settings If the default remote access port port 443 and a server use the same port a conflict message shows You must change the default remote access port if the Check Point VPN client Mob...

Page 220: ...ive Directory group If no authentication servers are defined click the Active Directory RADIUS server link to define them Note that when User Awareness is turned off there is no user identification based on Browser Based Authentication and Active Directory Queries To add a new local user with remote access permissions 1 Click Add New Local User 2 In the Remote Access tab in the window that opens e...

Page 221: ...ctory group 1 Click Add Active Directory Group 2 If no Active Directory was defined you are prompted to configure one For more information on configuring Active Directory see VPN Authentication Servers 3 When an Active Directory has been defined you see a list of available user groups defined in the server 4 Select one of the user groups 5 Click Apply The Active Directory group is added to the tab...

Page 222: ...r Select For specific RADIUS groups only and enter in the text field the names of the user groups separated by commas n To allow administrators with read only permissions to authenticate Select Read only Administrators 5 Click Apply The RADIUS server or specific users from the RADIUS server are added to the table on the page Two Factor Authentication Two Factor Authentication also called multi fac...

Page 223: ...nter the n DynamicID URL n Provider user name n Provider password n API ID n Message to display optional 7 In the Advanced tab under Dynamic ID Settings enter the n Length of the one time password n Amount of time in minutes until the password expires n Maximum number of retries 8 Under Country Code enter the Default country code 9 Click Apply To sign in with Two Factor Authentication 1 Connect to...

Page 224: ...ccess permissions 4 Click Apply To configure SSL VPN bookmarks 1 Click Add New Local User Users Group Active Directory Group SSL VPN Bookmarks tab A new window opens 2 Enter new bookmarks or select existing bookmarks Note If you select Global bookmark this bookmark is always shown 3 Click Apply To edit a user or group 1 Select the user or group from the list 2 Click Edit 3 Make the relevant change...

Page 225: ...00 Appliance Series R80 20 40 Locally Managed Administration Guide 225 Remote Access Connected Remote Users The VPN Remote Access Connected Remote Users page shows the currently connected remote users n Username n IP address n Connection Time n Next Authentication Time ...

Page 226: ...he case additional configuration is necessary in the VPN Remote Access Users page To add a RADIUS server 1 Click Configure 2 In the Primary tab enter this information n IP address The IP address of the RADIUS server n Port The port number through which the RADIUS server communicates with clients The default is 1812 n Shared secret The secret pre shared information used for message encryption betwe...

Page 227: ... enter in the text field the names of the user groups separated by commas n To allow administrators with Read only permissions to authenticate Select Read only Administrators 4 Click Apply To add an Active Directory domain 1 In the Active Directory section click New 2 Enter this information n Domain The domain name n IP address The IP address of one of the domain controllers of your domain n User ...

Page 228: ... a large list of users and you might not want to grant them all remote access permissions to your organization Usually you keep the Selected Active Directory user groups option and configure remote access permissions through VPN Remote Access Users page 3 Click Apply To change synchronization mode with the defined Active Directories 1 Click Configure in the toolbar of the Active Directory table 2 ...

Page 229: ... IP addresses is configurable To configure the Office Mode network 1 Enter the Office Network address and Office Subnet Mask 2 Click Apply The default setting for office mode is 172 16 10 0 24 To assign a VPN certificate 1 Click the downward arrow next to the VPN Remote Access certificate field The list of uploaded certificates shows 2 Select the desired certificate Note You cannot select the defa...

Page 230: ...le networks and choose the relevant checkboxes 4 Click New if the existing list does not contain the networks you need For information on creating a new network object see the Users Objects Network Objects page 5 Click Apply The Remote Access Local Encryption Domain window opens and shows the services you selected DNS Servers for Remote Access users You can define up to three DNS servers for Remot...

Page 231: ...ookmarks click New to create new bookmarks A new window opens 2 Enter these details n URL Note If you select Global bookmark this bookmark is shown to all users n Type Link or RDP remote desktop protocol n Label The bookmark name n Tooltip Description 3 Click Apply If you select RDP as the bookmark type you must enter the user name and password in the RDP Advanced Settings These credentials are se...

Page 232: ... it is now VPN traffic To enable or disable the VPN Site to Site blade 1 Select On or Off 2 Click Apply Note When the blade is managed by Cloud Services a lock icon is shown You cannot toggle between the on and off states If you change other policy settings the change is temporary Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services A warni...

Page 233: ... Configure a list of backup IP addresses in case of failure High Availability or to distribute data Load Sharing The appliance uses probing to monitor the remote site s IP addresses In High Availability you can configure one of the IP addresses as the primary When you select this option you must configure a probing method on the Advanced tab The probing method monitors which IP addresses to use fo...

Page 234: ...dden behind external IP of the remote gateway If the remote site is behind NAT and traffic is initiated from behind the remote site to this gateway When you select this option it is not necessary to define an encryption domain 6 Exclude networks Select this option to exclude networks from the specified encryption domain This may be useful if two gateways are in the same community and protect the s...

Page 235: ...a secondary identifier couple that is available in the Aggressive Mode The secondary identifier method is also available in IKEv2 l If you select Enable aggressive mode for IKEv1 o Use Diffie Hellman group Determines the strength of the shared DH key used in IKE phase 1 to exchange keys for IKE phase 2 A group with more bits ensures a stronger key but lower performance o Initiate VPN tunnel using ...

Page 236: ...onding The RDP probing is activated when a connection is opened and continues a background process o One time probing When a session is initiated all possible destination IP addresses receive an RDP session to test the route The first IP to respond is chosen and stays chosen until the VPN configuration changes Notes n For more information on installing the certificate see Managing Installed Certif...

Page 237: ...e Edit VPN Site window opens 3 In the Remote Site tab n For Connection type enter the IP address which is the public IP of the remote peer center gateway n In the Encryption domain select Route all traffic through this site 4 Click Apply This gateway is now designated as a satellite You can configure more than one satellite gateway to route all traffic through the center gateway If you try to conf...

Page 238: ...es Which type of VPN community is preferable A1 A star VPN community is preferable as every gateway does not have to create a VPN tunnel with all of the others Instead the 5 satellite peer gateways will each create one site to site star VPN community to the center gateway Only the star gateway center must create a site to site from itself to each of the remote peers Q2 A center gateway handles all...

Page 239: ...mmunity configured by the Cloud Services Provider n A table with the sites that are part of the community To test the VPN connection for a site 1 Select the site 2 Click Test If the test succeeds a success message is shown Click OK to close it If the test does not succeed click Details for more information If applicable click Retry To see the details of a site configured by Cloud Services Select a...

Page 240: ...stination gateway Community Name If the gateways are part of a community configured by Cloud Services the community name with which the tunnel is associated Status Indicates if a tunnel is up or is pending traffic to become active Phase 2 Methods Encryption and authentication methods used for the tunnel My encryption domain Indicates the tunnel s selectors subnets hosts allowed from the source gat...

Page 241: ...n domain and is transmitted to a different domain The local encryption domain defines n The internal networks that encrypted traffic from remote sites and networks can get access n That traffic from the encryption domain to remote sites is encrypted By default the local encryption domain is determined automatically by the appliance Networks behind LAN interfaces and trusted wireless networks are p...

Page 242: ...on select a method to specify the outgoing interface n According to the routing table The OS s routing table finds the interface link with the lowest metric highest priority through which to send traffic based on the remote site s IP addresses n Route based probing This method also consults the routing table for the link with the lowest metric But before choosing an interface link to send traffic ...

Page 243: ...nism is based on IKE encryption keys only The feature also allows you to monitor permanent tunnels based on DPD for both IKEv1 and IKEv2 In active mode a peer that is configured as DPD receives DPD Hello requests at regular intervals if there is no incoming IPSec traffic for 10 seconds To test if a VPN tunnel is active Select a Tunnel health monitoring method n Tunnel test Check Point Proprietary ...

Page 244: ...dd it to the other site s Trusted CA list When you use certificate based site to site VPN with multiple remote sites in a mesh configuration we recommend for all sites to use one CA to sign their internally used certificates on appliances that support creating signing requests You must also add the same CA to all sites Trusted CAs list That CA can be an external CA service like Verisign for a fee ...

Page 245: ...s you ve added to the list if necessary by selecting them and clicking Export To sign a remote site s certificate request by the Internal CA 1 Click Sign a Request 2 Click Browse to upload the signing request file as created in the remote site In third party appliances make sure to look in its Administration Guide to see where signing requests are created Note The file must be in a path accessible...

Page 246: ...site VPN SSL VPN and the Web portal When Cloud Services is turned on and the appliance is configured by Cloud Services the Cloud Services Provider certificate is downloaded automatically to the appliance The Cloud Services Provider certificate is used by community members configured by Cloud Services Note If you turn Cloud Services off the Cloud Services Provider certificate is removed These are t...

Page 247: ...he CA 1 Select the signing request entry from the table 2 Click Upload Signed Certificate 3 Browse to the signed certificate file crt 4 Click Complete The status of the installed certificate record changes from Waiting for signed certificate to Verified To upload a P12 file 1 Click Upload P12 Certificate 2 Browse to the file 3 Edit the Certificate name if necessary 4 Enter the certificate password...

Page 248: ...wn host name when DDNS is configured or its external IP address If you have multiple Internet connections configured in load sharing mode you can manually enter an accessible IP address for this appliance This is used by remote sites to access the internal CA and check for certificate revocation 3 Select the number of years for which the Internal VPN Certificate is valid The default is 3 The maxim...

Page 249: ...mote site In third party appliances make sure to look in its Administration Guide to see where signing requests are created The file must be in a path accessible to the appliance After you click OK in the file browsing window the file is uploaded If it is correctly formatted it is signed by the Internal CA and the Download button is available 3 Click Download The signed certificate is downloaded t...

Page 250: ...Authentication Uses a portal to authenticate either locally defined users or as a backup to other identification methods Browser Based Authentication uses a web interface to authenticate users before they can access network resources or the Internet When users try to access a protected resource they must log in to a web page to continue This is a method that identifies locally defined users or use...

Page 251: ...t represents that user or enter the user DN manually 4 To select user groups from specific branches select the checkbox Use user groups from specific branch only Click Add and enter a branch path in the AD Branch field 5 Click Apply You can also add a new AD Domain in the Users Objects Authentication Servers page For Browser Based Authentication 1 To block access for unauthenticated users when the...

Page 252: ...he Captive Portal runs on the Check Point Appliance or enter a different portal address n Session timeout Sets for how long an authenticated user can access the network or Internet before they have to authenticate again n Enable Unregistered guests login Allow an unregistered guest user to be identified in the logs by name and not only by IP address An unregistered user is an unmanaged non AD user...

Page 253: ...d can be up to 100 characters Note You cannot use these characters in a password or shared secret Maximum number of characters 255 3 For temporary or guest users click Temporary user Enter the expiration date and time 4 To give the user remote access permissions select Remote Access permissions 5 Click Apply The user is added to the table on the page To add a new local users group with remote acce...

Page 254: ...he User Management window opens 4 Click the checkbox for Automatically delete expired local users 5 Click Apply Expired local users are automatically deleted every 24 hours after midnight To edit a user or group 1 Select the user or group from the list 2 Click Edit 3 Make the relevant changes and click Apply To delete a user or group 1 Select the user or group from the list 2 Click Delete 3 Click ...

Page 255: ...rators can update or modify operating system settings They can select a service or network object but cannot create or modify it n Mobile Administrator Mobile administrators are allowed all networking operations on all interfaces They can change their own passwords generate reports reboot change events and mobile policy active hosts operations and pairing They cannot login from or access the WebUI...

Page 256: ...ake sure a RADIUS server is defined on the appliance If there is no server click the RADIUS configuration link at the top of this page You must configure the IP address and shared secret used by the RADIUS server 3 When you have a configured RADIUS server click Edit permissions The RADIUS Authentication window opens 4 Click the Enable RADIUS authentication for administrators checkbox Use roles def...

Page 257: ...he pull down menu 3 Click Generate This generates a QR code to connect the Check Point WatchTower mobile application with the appliance for the first time For more information about the mobile application see the Check Point SMB WatchTower App User Guide Configuring a RADIUS Server for non local Quantum Spark Appliance users Non local users can be defined on a RADIUS server and not in the Quantum ...

Page 258: ...lues are Administrator Role Value Super Admin adminRole Read only monitorrole Networking Admin networkingrole Mobile Admin mobilerole Configuring a FreeRADIUS server for non local appliance users 1 Create the dictionary file dictionary checkpoint in the etc freeradius on the RADIUS server Add these lines in the dictionary checkpoint file Check Point dictionary file for FreeRADIUS AAA server VENDOR...

Page 259: ...de subdicts dict checkpoint to etc openradius dictionaries right after dict ascend add vendor 2620 CheckPoint set default vendor CheckPoint space RAD VSA STD len_ofs 1 len_size 1 len_adj 0 val_ofs 2 val_size 2 val_type String nodec 0 noenc 0 add attribute 229 CP Gaia User Role add attribute 230 CP Gaia SuperUser Access val_type Integer val_size 4 2 Add this line in the etc openradius dictionaries ...

Page 260: ...log in as a Super User A user with super user permissions can use the Quantum Spark Appliance shell to do system level operations including working with the file system 1 Connect to the Quantum Spark Appliance platform over SSH or serial console 2 Log in to the Gaia Clish shell with your user name and password 3 Run expert 4 Enter the Expert mode password ...

Page 261: ...onfiguration is necessary in the VPN Remote Access Users page To add a RADIUS server 1 Click Configure 2 In the Primary tab enter this information n IP address The IP address of the RADIUS server n Port The port number through which the RADIUS server communicates with clients The default is 1812 n Shared secret The secret pre shared information used for message encryption between the RADIUS server...

Page 262: ...a RADIUS server Click the Remove link next to the RADIUS server you want to delete The RADIUS server is deleted To configure remote access permissions for users defined in the RADIUS server 1 Click Permissions for RADIUS users 2 Select or clear the Enable RADIUS authentication for User Awareness Remote Access and Hotspot checkbox When selected for Remote Access select or clear to use specific RADI...

Page 263: ...nged When you add a new Active Directory domain you cannot create another object using an existing domain To configure remote access permissions for all users defined in Active Directory By default users defined in the Active Directory are not given remote access permissions Instead in the VPN Remote Access Users page all users defined locally or in Active Directories can be selected to be granted...

Page 264: ... an Active Directory user group You can select a local user 3 Click Apply To edit an Active Directory 1 Select the Active Directory from the list 2 Click Edit 3 Make the relevant changes and click Apply To delete an Active Directory 1 Select the Active Directory from the list 2 Click Delete 3 Click OK in the confirmation message Note This page is available from the VPN and Users Objects tabs ...

Page 265: ... by the Check Point Cloud using the URL Filtering and can be matched to one or more built in categories for example phishing sites high bandwidth gambling or shopping etc The Application and Categories List A list of applications and categories is shown according to a filter that is shown above the list There are 4 filters n Common Commonly used applications custom applications and categories n Cu...

Page 266: ...nce will detect in the URL and then Click OK 6 Do step 5 to add more related strings or regular expressions The custom application will be matched if one of the strings or expressions is found 7 Click the Additional Categories tab to select more categories if necessary 8 Click Apply You can use the application in a rule To create a custom applications group 1 Select New Applications Group 2 Enter ...

Page 267: ...fields that apply to the type of service you select Note that not all fields may show n Name Enter the service s name n Type Select the service type from the list l TCP l UDP l ICMP Select this option if it is necessary to represent a specific option within the ICMP protocol Note that this is an advanced option l Other Select this option to represent any IP protocol other than TCP or UDP n Ports E...

Page 268: ...xisting services are synchronized n Start synchronizing X seconds after the connection was initiated For TCP services enable this option to delay telling the Quantum Spark Appliance about a connection so that the connection is only synchronized if it still exists in X seconds after the connection is initiated Some TCP services HTTP for example are characterized by connections with a very short dur...

Page 269: ...n FTP The Firewall settings tab lets you configure how the firewall automatically detects data connections You can select one of these options l Any The Firewall detects and allows FTP data connections in all modes l Active The Firewall detects and allows FTP data connections in active mode only l Passive The Firewall detects and allows FTP data connections in passive mode only n PPTP_TCP The IPS ...

Page 270: ... the inspection of the specific protocol To create a new service group 1 Click New The New Service Group window opens 2 Enter a Name for the group and Comments optional 3 Click Select to show the full list of available services and select the relevant checkboxes 4 Click New if the existing list does not contain the services you need For information on creating a new service object see the Users Ob...

Page 271: ...col Such system service groups cannot be deleted They contain a list of built in services which you can restore if you edit the content of such groups by clicking Reset Some system service groups have additional configuration which affect the way the deep inspection is performed DNS The Firewall settings tab lets you configure NAT support over DNS Note that this option affects the performance of D...

Page 272: ...n create a maximum of 1000 objects in total For example 500 host objects 300 network objects and 200 Domain Name objects To create a Single IP network object 1 Click New The New Network Object window opens 2 In Type select Single IP 3 Enter an IP address and Object name 4 Select or clear these options as necessary n Allow DNS server to resolve this object name When the gateway is the DNS server fo...

Page 273: ...HCP service does not distribute the configured IP range to anyone 6 Click Apply Note Wildcard network objects that represent a series of non sequential IP addresses are supported To create a Network type network object 1 Click New The New Network Object window opens 2 In Type select Network 3 Enter a Network address and Subnet mask 4 Enter the Object name 5 Click Apply To create a Domain Name type...

Page 274: ...bject or part of it 2 As you enter text the list is filtered and shows matching results To add a new network object and bypass SSL inspection based on the host MAC address locally managed only 1 Click New The New Network Object window opens 2 For Type select Device 3 For Host MAC address enter a custom value or select from the menu 4 Select the checkbox for Bypass host with this MAC by SSL inspect...

Page 275: ...e group and Comments optional 3 Click Select to show the full list of available network objects and choose the relevant checkboxes 4 Click New if the existing list does not contain the network object you need For information on creating a new network object see the Users Objects Network Objects page 5 Click Apply The New Network Object Group window opens and shows the services you selected 6 You c...

Page 276: ...rch one field at a time the logical operators AND and OR are not supported Use one of these syntaxes n IP_address n Column_Name Value Examples n 203 0 113 64 n action drop n source port 22 For more details click Query Syntax in the table header To see the security log record 1 Select a log entry from the list 2 Click View Details or double click the entry The log record opens To refresh the securi...

Page 277: ...ptions Eject SD card safely Note From R77 20 85 and higher SD cards are formatted with ext4 Older versions are formatted as FAT32 If you upgrade from a lower version to R77 20 85 or higher the SD card will remain with FAT32 for backward compatibility To delete logs from local log storage 1 In Logs Monitoring Logs Security Logs page click Clear logs A confirmation window opens 2 Click Yes to delete...

Page 278: ...y administrators date and time changes n Warning Logs that show a connectivity or possible configuration failure The problem is not critical but requires your attention n Error System errors that alert you to the fact that a specific feature is not working This can be due to misconfiguration or connectivity loss which requires the attention of your Internet Service Provider To download the full lo...

Page 279: ...e an external Check Point Log Server from this page in the WebUI 1 Identify the Log Server you want to send logs to 2 Identify the Security Management Server that manages the Log Server 3 Open SmartConsole on this Security Management Server 4 Run the Security Gateway wizard to define and create a Security Gateway object that represents this appliance with the these details In the General Propertie...

Page 280: ...he Log Server is not located on the Security Management Server select Log server uses different IP address and enter the IP address 6 Click Apply Important n After successful configuration of the external log server any changes you make in the WebUI configuration on this page requires reinitialization of the SIC in SmartConsole If you do not reinitialize SIC in SmartConsole connectivity to the log...

Page 281: ...ateways in a secured and encrypted fashion Therefore he selects TLS Over TCP as the protocol UDP is not secure Notes n Only one remote TLS server is supported n You can upload a CA certificate to establish trust with the remote syslog server n The TLS server must be configured using its domain name Only UDP allows you to configure the server by IP address n The configured domain name must be ident...

Page 282: ...evices connected to your gateway s wireless network Relevant information for each connected device s network usage includes n SSID Name of the WiFi network n Channel n Frequency n Signal Strength n RSSI Received Signal Strength n Bandwidth Paired Mobile Devices The Logs Monitoring Paired Mobile Devices shows the mobile devices paired to the gateway To revoke a pairing 1 Select the device name 2 Cl...

Page 283: ...stination gateway Community Name If the gateways are part of a community configured by Cloud Services the community name with which the tunnel is associated Status Indicates if a tunnel is up or is pending traffic to become active Phase 2 Methods Encryption and authentication methods used for the tunnel My encryption domain Indicates the tunnel s selectors subnets hosts allowed from the source gat...

Page 284: ...ctive Connections The Logs Monitoring Connections page shows a list of all active connections The list shows these fields n Protocol n Source Address n Source Port n Destination Address n Destination Port To filter the list In the Type to filter box enter the filter criteria The list is filtered To refresh the list Click the Refresh link ...

Page 285: ...es n Channel n Frequency n Security n Signal strength n Signal noise Use case Use this information to decide which network to connect to and change based on your needs In addition this page displays the current wireless radio frequency and channel in use and the wireless networks configured Viewing Monitoring Data See Viewing Monitoring Data on page 48 Viewing Reports See Viewing Reports on page 5...

Page 286: ...v3 users n Configure the settings for SNMP trap receivers n Enable or disable SNMP traps that are sent to the trap receivers SNMP must be set to ON to configure all SNMP settings users traps and trap receivers To enable or disable SNMP 1 Change the SNMP On Off slider position to ON or OFF 2 Click Apply To configure SNMP settings Click Configure The Configure SNMP General Settings window opens You ...

Page 287: ...rs Prerequisites SNMP and SNMP traps must be enabled on the appliance SNMP Traps for VPN Tunnels SNMP trap for VPN tunnels provides better monitoring of VPN tunnel status For this specific trap users are alerted when VPN tunnels go down Currently only VPN tunnels configured as Permanent Tunnels are monitored This feature is off by default When the feature is enabled the VPN tunnels status is perio...

Page 288: ...anaged Administration Guide 288 To edit an SNMP trap 1 Select the trap from the list and click Edit 2 Select the Enable trap option to enable the trap or clear it to disable the trap 3 If the trap contains a value you can edit the threshold value when necessary 4 Click Apply ...

Page 289: ...ettings and creates a new factory default image To upgrade to a new firmware image from a USB drive 1 Disconnect the Quantum Spark Appliance from the power source 2 Place the firmware image file on a USB drive in the top folder Do not rename the file 3 Make sure the top folder of the USB drive does not contain any previous Boot loader or Firmware images u boot bin files or fw1 img files 4 Connect ...

Page 290: ...n any previous Boot loader or firmware images u boot bin files or fwl gz files 3 Insert the SD card into the SD card slot on the Quantum Spark Appliance If the operation does not succeed this may be because the SD card slot does not recognize all devices 4 Connect the appliance to the power source The installation begins with the image file This takes several minutes If the file is valid the Power...

Page 291: ...nt s services are not active n Options 1 3 start the appliance l Normal mode is the default boot mode for the appliance l Debug mode boot gives printouts of processes that are initialized during boot l Maintenance mode boots the machine and gives access only to the file system network interfaces Check Point processes and the appliance s services are down Note During normal debug boot if there is a...

Page 292: ...ll Update Image Boot Loader from Network 3 You are asked if you want to load the image manually from a TFTP server or if you want to use automatic mode with a bootp server 4 If you select manual mode you are asked to fill in the IP of the Quantum Spark Appliance the IP of the TFTP server and the image name 5 If you select automatic mode the procedure starts automatically to search for the bootp se...

Page 293: ...e Configuration Wizard To restore factory defaults with the WebUI 1 In the Quantum Spark Appliance WebUI click Device System Operations The System Operations pane opens 2 In the Appliance section click Factory Defaults 3 In the pop up window that opens click OK 4 While factory defaults are restored the Power LED blinks blue to show progress This takes some minutes When this completes the appliance...

Page 294: ... press CTRL C The Gaia Embedded Boot Menu appears 3 Enter 4 to select Restore to Factory Defaults local 4 When the prompt appears Are you sure y n enter y to continue and restore the appliance to its factory defaults settings While factory defaults are restored the Power LED blinks blue to show progress This takes up to a few minutes When completed the appliance boots automatically To disable the ...

Page 295: ...e gateway run this Gaia Clish command set rest api mode off Request Structure HTTP Post https gateway ip port web api command The default port number is 4434 HTTP Headers Header Description Content Type application json x chkp sid Session ID token as returned by the login command The x chkp sid header is mandatory in all API calls except the login API Request payload Text in JSON format containing...

Page 296: ... content varies depending on which API is called Returned value on failure n HTTP status 500 Internal Server Error 400 Bad Request or 401 Unauthorized n A JSON structure with the error details Versioning HTTP Post with a specific version https gateway ip port web api version command If no version is being sent the latest supported version is used Example https 192 168 1 1 4434 web api v1 login ...

Page 297: ...me Value Description Content Type application json Send JSON object to use the API Web Services Request Body Parameter Name Value Description user Required String Administrator username Password Required String Administrator password Response On Success HTTP Return code 200 Header Name Value Description sid String Session unique identifier for the x chkp sid header of each request role String The ...

Page 298: ... valid Request URL POST https gateway ip port web api v1 logout Request Headers Header Name Value Description Content Type application json Send JSON object to use the API Web Services x chkp sid string token Session unique identifier as the response to the login request Request Body There is no request body Response On Success HTTP Return code 200 On Failure HTTP Return code 400 401 500 3 Generat...

Page 299: ...n request Request Body Header Name Value Description type Required String Report time frame Allow values hourly weekly daily monthly Response On Success HTTP Return code 200 Header Name Value Description reportData Base64 string Send data JSON in base64 format On Failure HTTP Return code 400 401 500 Example Request type daily Example Response reportData report_json_in_base64_format 4 Run Clish Com...

Page 300: ... Value Description script Required String A single clish command in base64 format Response On Success HTTP Return code 200 Header Name Value Description output String Clish command output in base64 format On Failure HTTP Return code 400 401 500 Example Request script c2hvdyBwcm94eQ Example Response output dXNlLXByb3h5OiAgICAgICAgICAgICAgICAgICAgdHJ1ZQpzZXJ2ZXI6IC AgICAgICAgICAgICAgICAgICAgICAxLjEu...