Best Practices - How to manage multiple Quantum Spark Appliances (SMB) Security Gateways
Solution

Table of Contents

  • (1) Introduction
  • (2) SMP Deployment Scenario - ISP Use Case
  • (3) SMP Deployment Scenario - MSSP Use Case
  • (4) SMS Deployment Scenario - ATM Use Case
  • (5) SMS Deployment Scenario - Branch Use Case

(1) Introduction


In the age of distributed remote workforces, the branch and remote offices protected by Quantum Spark appliances need access to corporate resources to work effectively and efficiently. They require an inexpensive yet effective solution that provides secure access to critical resources from any device, anywhere.

The security solution must be easy to deploy, manage, and maintain, and it must cover the expanding attack surface (printers, smart/IoT assets, and similar devices) with a strong security posture.

The management solution must be secure, fast, agile, efficient, and scalable.

Check Point offers two management options for a large fleet of Quantum Spark Appliances (SMB) Security Gateways:

    • Cloud Management - Security Management Portal (SMP).

    • Central Management - Security Management Server (SMS) with Large Scale Management (LSM) and SmartProvisioning.

The first option, SMP, is the preferred solution.

The second option, SMS, is for customers who have special requirements or need to comply with regulations.

This SK describes four Quantum Spark appliance use cases.

(2) SMP Deployment Scenario - ISP Use Case


Internet Service Providers (ISPs) require a 'black box' solution: the customer has no access to the Quantum Spark Security Gateway. The solution must be white-labeled and must integrate into the ISP environment with Out-of-Band (OOB) management and API support, which is needed for delivering and provisioning services. ISP customers receive detailed reports via email and incident alerts over SMS. All ISP processes are combined into one streamlined process that delivers a high-value security solution.

Other ISP KPIs (Key Performance Indicators):

  • Administrative costs
  • SLA and SLA compliance
  • Customer Effort Score (CES)
  • Average First Response Time (AFRT)
  • First Call Resolution (FCR)
  • Customer satisfaction score (CSAT)
  • Net promoter score (NPS)
  • Client Contribution (CC)
  • Client Effective Rate (CER)
  • Monthly Recurring Revenue (MRR)
  • Billing resources
  • Product margins and services rates
  • Sales expenses and compensation.

The solution is designed to keep all ISP KPIs within their benchmark targets, with a high NPS score.

Customer experience is the key to success!


Technical Requirements - Security Gateway
  • Gateways must hold a dedicated preset file (firmware) that contains the configuration for a generic PPPoE dialer to set up ADSL/VDSL.
  • Easy and fast provisioning of all needed features and functionalities (e.g. Wi-Fi).
  • Remote scheduled and automated firmware upgrades.
  • Backup option to store backups in the ISP environment over TFTP and FTP. Both are cleartext protocols, so the backup path must stay inside the ISP management network.
  • All logs must be stored on an external Log Server in the ISP environment.
Technical Requirements - Management
  • Fully centralized cloud configuration with automation and orchestration using Zero Touch (ZT), Reach My Device (RMD), and the Security Management Portal (SMP).
  • Backups and configurations are shared over SOAP API calls.
  • Policy installation and status monitoring are done in the ISP environment.
  • Automated processes send reports via email and alerts via SMS to ISP customers.
Solution outline
  1. A dedicated Remote Management Service (RMS) dialer is configured to connect to Zero Touch.
  2. A PPPoE dialer (ADSL/VDSL) is configured via the Zero Touch template, and the RMS dialer is removed.
  3. DDNS (Dynamic DNS) is enabled, so that a name rather than an IP address is tied to the Security Gateway. Reach My Device (RMD) and an RMD tunnel are set up. The RMD service keeps the gateway reachable even behind a NAT device, for example a router.
  4. Logs and events are stored in the ISP environment; backups are retrieved over SOAP API calls.
  5. An Out-of-Band (OOB) dialer is added for remote management.
  6. The Security Gateway is not accessible to the customer. Reports are shared via email and alerts via SMS.

Deployment, Automation and Orchestration

Check Point offers Zero Touch, autoconf.clish, and APIs for deployment. By default, every Quantum Spark Security Gateway reaches out to the Zero Touch portal and identifies itself by its MAC address, which is hard-coded in the firmware. For Zero Touch to work, do not configure the gateway through the First Time Configuration Wizard.

Deployment example 1
Reconfigure the LAN network. ISP modems and routers commonly use a 192.168.x.x network, and the Quantum Spark Gateway uses 192.168.1.0/24 on its LAN by default, so moving the LAN to a non-overlapping range avoids a conflict with the ISP side. The script below can be used in the Zero Touch Template (see sk116375) or on a USB stick using autoconf.clish (see sk110796). Replace <ip address> with the gateway address in the new LAN subnet, matching the DHCP pool below.

Zero Touch CLI script:
set dhcp server interface LAN1_Switch enable
set interface LAN1_Switch ipv4-address "<ip address>" subnet-mask "255.255.255.0"
set dhcp server interface LAN1_Switch include-ip-pool "192.168.200.1-192.168.200.254"
set interface LAN1_Switch description "Local SMB/Customer network"
set interface LAN1_Switch exclude-from-dns-proxy "off"
set interface LAN1_Switch state "on"
set interface LAN1_Switch hotspot "on"
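To check a planned LAN change like the one above before it goes into a Zero Touch template, the following Python script is an added example (not part of this SK or of Check Point's tooling). It verifies that the new LAN subnet does not overlap any ISP-side network and that the DHCP pool lies inside the LAN, then renders the clish lines in the same form as Deployment example 1. The ISP network, the 192.168.200.0/24 plan, and the factory default LAN of 192.168.1.0/24 are constructed inputs for the example.

```python
"""Added example (not part of this SK): validate a planned Quantum Spark LAN
subnet and DHCP pool against the ISP-side networks, then render the clish
lines of Deployment example 1 for that LAN.

Assumptions (not from the SK): ISP-side networks are given as CIDR strings;
the factory default LAN of 192.168.1.0/24 and the 192.168.200.0/24 plan are
constructed inputs; the interface name LAN1_Switch and the clish syntax are
taken from the SK's own example.
"""
import ipaddress

# Assumption: Quantum Spark factory default LAN (LAN1_Switch) is 192.168.1.0/24.
DEFAULT_LAN = "192.168.1.0/24"


def check_lan_plan(lan_cidr, pool_first, pool_last, isp_networks):
    """Return (ok, problems). ok is True only if the LAN subnet overlaps none
    of the ISP-side networks and the DHCP pool lies inside the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    problems = []
    for isp in isp_networks:
        isp_net = ipaddress.ip_network(isp, strict=False)  # accept host/prefix too
        if lan.overlaps(isp_net):
            problems.append(f"LAN {lan} overlaps ISP-side network {isp_net}")
    if first not in lan or last not in lan:
        problems.append(f"DHCP pool {first}-{last} is not inside {lan}")
    elif first > last:
        problems.append(f"DHCP pool start {first} is after pool end {last}")
    return (not problems, problems)


def render_lan_script(lan_cidr, pool_first, pool_last,
                      description="Local SMB/Customer network"):
    """Render the clish lines from the SK's Deployment example 1 for the given
    LAN; the gateway takes the first host address of the subnet."""
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    gw_ip = next(lan.hosts())
    return [
        "set dhcp server interface LAN1_Switch enable",
        f'set interface LAN1_Switch ipv4-address "{gw_ip}" subnet-mask "{lan.netmask}"',
        f'set dhcp server interface LAN1_Switch include-ip-pool "{pool_first}-{pool_last}"',
        f'set interface LAN1_Switch description "{description}"',
        'set interface LAN1_Switch exclude-from-dns-proxy "off"',
        'set interface LAN1_Switch state "on"',
        'set interface LAN1_Switch hotspot "on"',
    ]


if __name__ == "__main__":
    isp_side = ["192.168.1.0/24"]  # constructed: the ISP modem/router LAN
    plan = ("192.168.200.0/24", "192.168.200.10", "192.168.200.254")
    for label, lan, first, last in (("factory default", DEFAULT_LAN, "192.168.1.100", "192.168.1.200"),
                                    ("planned",) + plan):
        ok, why = check_lan_plan(lan, first, last, isp_side)
        print(f"{label} LAN {lan}: {'OK' if ok else '; '.join(why)}")
    ok, _ = check_lan_plan(*plan, isp_side)
    if ok:
        print("\n".join(render_lan_script(*plan)))
```

Run it with the real ISP-side prefixes of a deployment; the factory default fails the overlap check and the 192.168.200.0/24 plan passes, after which the rendered lines can be pasted into the Zero Touch template.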

Deployment example 2
Configuring bridge interfaces (see sk105518). The WAN connection and LAN1_Switch are placed in one bridge, br0, which carries the IP address.

Zero Touch CLI script: 
add internet-connection name Internet1 interface WAN type static ipv4-address 192.168.1.99 mask-length 24 default-gw 192.168.1.1 conn-test-timeout 0
add bridge name br0
set bridge br0 add member LAN1_Switch
set bridge br0 add member Internet1
set dhcp server interface br0 disable
set interface br0 ipv4-address 192.168.1.99 mask-length 24

Step by Step Workflow
  1. During the procurement process, an agreement is made that the Quantum Spark Security Gateways hold a dedicated firmware (preset file) version with a generic DSL dialer and local user access disabled.
  2. For a successful hands-off deployment with Zero Touch (ZT), validate that the MAC addresses of the Quantum Spark Gateways are in the correct User Center account. Refer to sk116375.
  3. Create the Security Management Portal (SMP) Service Domain. Refer to sk122259.
  4. In SMP, create a Plan (configuration template) that can be assigned to the Quantum Spark Security Gateways. Refer to the Quantum Spark Portal Admin Guide for details.
  5. The plan holds:
    • The Access Policy.
    • The Threat Prevention Policy.
    • Firmware versions.
    • Backup configuration.
    • Reporting and notifications.
    • VPN.
    • Gateway behind NAT (RMD); refer to sk177266.
    • Administrator access.
    • CLI scripts.
  6. In SMP, configure the general settings of the Service Domain, e.g. DNS, MFA, reporting, and customer alerts.
  7. Create a template (replacing the First Time Configuration Wizard) in Zero Touch, run an inventory, and claim the gateway. The template is executed and the gateway is seamlessly pushed to the configured Plan in SMP. Refer to sk177523 for more details.
Optional - This procedure can be automated with API calls. Refer to the Zero Touch API User Guide and the SMP API Reference Guide for more details.

Sizing Guidelines and Guidance

Cloud Management (SMP) can manage an unlimited number of Security Gateways. SMP works with plans: configuration templates that are assigned to Quantum Spark gateways. Customers can choose between a silver, gold, or platinum plan; the silver plan holds the minimum security, and the platinum plan offers the highest security model. The design of the plans is flexible. SMP itself stores up to 3 months of logs.

Best Practices

    • For more information on Quantum Spark Gateways, refer to the Quantum Spark Cheat Sheets.
    • Check Point recommends that you enforce password complexity at the Service Domain level and enable "two step authentication" for all Service Domain users.
    • We recommend that you enable alerts about Security Incidents, Networking Events, and Operation Events at the Plan level.
    • Local admin access (WebUI) uses port 4434, and SMP push actions use port 18191. For more information about Quantum Spark Gateway and SMP ports, review sk110216.
    • Use "Gradual upgrade" to upgrade the firmware of the connected Quantum Spark gateways assigned to a plan. The upgrade can be split into up to 5 stages spread over up to 60 days, so that a faulty firmware is caught in the first stage before it reaches the whole fleet.
    • Check Point recommends that you configure the policy to keep all connections during policy installation, so that established sessions survive a policy push. This can be done via a CLI script: set fw policy advanced-settings keep-old-connections true. Note that connections kept this way stay open until they end, even if the new policy would no longer allow them.
    • SMP supports CLI scripts per plan.
    • You can forward SMP syslog events (events of the SMP Service Domain itself) to an external syslog server.
    • You can configure alerts for login attempts, gateway creation, and other customer events in the "custom alerts" section at the Service Domain level.
    • Quantum Spark Gateways managed by SMP can still be managed via the WatchTower app. For more information, review the WatchTower User Guide.
    • For information about applying administrator access, refer to sk157172.
    • NAT Traversal (NAT-T), also known as UDP encapsulation, allows IPsec traffic to reach its destination when a device does not have a public IP address. This is usually the case when the external interface of the gateway sits behind a NAT device, for example an ISP router with NAT enabled. A NAT device rewrites the IP packet in a way that is not compatible with plain IPsec, so the IPsec packets are encapsulated in UDP instead. NAT-T can be enforced on Quantum Spark gateways. For more information, review sk162472.
    • Proxy ARP is a mechanism that allows a gateway to answer ARP requests on behalf of other hosts, i.e. for a target IP address that is not the gateway's own but one that the gateway can reach. A host that does not know its default gateway can still reach the first hop this way. For more information, review sk114531. After you configure manual static NAT, the NATed address may be unreachable from the outside: the gateway does not answer ARP requests for the NATed IP address, and because ARP is broadcast traffic, the gateway does not forward it by design. Proxy ARP entries for manual NAT are stored in the local.arp file.
    • For more automation, refer to the SMP API Reference Guide.

(3) SMP Deployment Scenario - MSSP Use Case


SOHOs, boutiques, small shops, and remote locations protected by Quantum Spark appliances need enterprise-grade security. They lack the budget and dedicated IT personnel yet require state-of-the-art security, so Check Point offers "out of the box" security. MSSPs and MSPs offer services to manage these environments and incorporate their own services, meeting MSSP KPIs such as minimized administrative costs, billing, recurring revenue, and SLA rates. All of this makes sure that valuable assets are protected against sophisticated cyber attacks, as small sites with Quantum Spark appliances are attractive targets as well. These sites also adopt cloud (e.g. O365) and IoT solutions and must make sure that their attack surface does not expand. MSSPs offer cross-vertical solutions that protect, for example, Point of Sale (PoS) systems, IoT assets, mobile devices, and network assets; think of the Quantum Spark Security Bundles. Make sure that the Quantum Spark appliances hold a good security posture using enterprise Threat Intelligence with easy rollout and management, all based on the Zero Trust principle. All this is combined in a streamlined sales process with automated ordering, procurement, and rollout processes that address the deployment challenge and offer security value to MSSP customers.

Technical Requirements - Gateway
  • Easy order process with "delayed license activation" for up to 6 months. Includes purchase to stock, sell-out, and end-user activation.
  • Manual intervention for the creation of the PPPoE dialer for ADSL or VDSL setup.
  • Easy and fast provisioning (e.g. Wi-Fi).
  • Easy and quick remote scheduled automated firmware upgrades.
  • Customers require read access to the Quantum Spark Gateway.
Technical Requirements - Management
  • Cloud configuration with automation and orchestration using Zero Touch (ZT), Reach My Device (RMD), and the Security Management Portal (SMP).
  • Installation with associated plans (configuration templates).
  • Remote scheduled firmware upgrades.
  • Reports and alerts to the MSSP SOC.
  • Customers receive reports from SMP with a dedicated logo, customized to their business.
  • Customers' environments are displayed on the SOC screens at the MSSP.
  • Customers who require changes contact the NOC, which makes the changes remotely.
Solution outline
  1. Order and procurement: automated order, procurement, and deployment processes.
  2. Order entries in the customers' User Center (UC) accounts.
  3. Deployment, management, and services, e.g. firmware upgrades and backups.
  4. Hands-off configuration that utilizes Zero Touch (ZT) and the Security Management Portal (SMP), with an option for manual intervention for ADSL/VDSL. An internet connection must be established first.

Deployment, Automation and Orchestration

Check Point offers Zero Touch, autoconf.clish, and APIs for deployment. By default, every Quantum Spark Security Gateway reaches out to the Zero Touch portal and identifies itself by its MAC address, which is hard-coded in the firmware. For Zero Touch to work, do not configure the Security Gateway through the First Time Configuration Wizard.

Deployment example 1
How to change a gateway name when "automatic gateway creation" is enabled in the SMP Plan: by default, all Quantum Spark Gateways are added to SMP with a name based on their MAC address. To add the Quantum Spark Gateways using a naming convention, refer to sk177523.

Deployment example 2
Orchestrated rollout of Quantum Spark with VPN. Refer to sk177545.

Sizing Guidelines and Guidance

Cloud Management (SMP) can manage an unlimited number of gateways. SMP works with plans: configuration templates that are assigned to Quantum Spark gateways. Customers can choose between a silver, gold, or platinum plan; the silver plan holds the minimum security, and the platinum plan offers the highest security model. The design of the plans is flexible. SMP itself stores up to 3 months of logs.

Best Practices

  • Quantum Spark clusters/HA pairs are supported by SMP. A cluster cannot be built while switching is enabled (LANx_Switch); unassign the interfaces from the switch first. A Quantum Spark cluster is always active/passive. Wireless interfaces cannot be used as the sync interface. When a cluster is managed by SMP, connections are not synchronized between the members, so after a failover the connections must be re-established. If Client-to-Site (C2S) VPN is used in Office Mode with multiple interfaces, clear the users table from expert mode: fw tab -t userc_users -x -y (the command prints "Clearing table userc_users").
  • The re-authentication time for SNX (SSL Network Extender) can be changed. The default is 8 hours (480 minutes); you can, for example, raise it to 24 hours (1440 minutes). Keep in mind that a longer re-authentication time also extends the window in which a hijacked session stays usable. For more information, refer to sk87522.
  • It is also possible to allow AES-256 encryption only. Refer to sk112314.
  • Check Point recommends that you enforce password complexity at the Service Domain level and enable "two step authentication" for all Service Domain users.
  • We recommend that you enable alerts for Security Incidents, Networking Events, and Operation Events at the plan level.
  • Local admin access (WebUI) uses port 4434, and SMP push actions use port 18191. For more information about Quantum Spark and SMP ports, review sk110216.
  • Use "Gradual upgrade" to upgrade the firmware of the connected Quantum Spark gateways assigned to a plan. The upgrade can be split into up to 5 stages spread over up to 60 days, so that a faulty firmware is caught in the first stage before it reaches the whole fleet.
  • Check Point recommends that you configure the policy to keep all connections during policy installation, so that established sessions survive a policy push. This can be done via a CLI script: set fw policy advanced-settings keep-old-connections true. Note that connections kept this way stay open until they end, even if the new policy would no longer allow them.
  • SMP supports CLI scripts per plan.
  • SMP syslog events (events of the SMP Service Domain itself) can be forwarded to an external syslog server.
  • Alerts for login attempts, gateway creation, and other customer events can be configured in the "custom alerts" section at the Service Domain level.
  • Quantum Spark Security Gateways managed by SMP can still be managed via the WatchTower app. For more information, review the WatchTower User Guide.
  • To apply administrator access, refer to sk157172.
  • NAT Traversal (NAT-T), also known as UDP encapsulation, allows IPsec traffic to reach its destination when a device does not have a public IP address. This is usually the case when the external interface of the gateway sits behind a NAT device, for example an ISP router with NAT enabled. A NAT device rewrites the IP packet in a way that is not compatible with plain IPsec, so the IPsec packets are encapsulated in UDP instead. NAT-T can be enforced on Quantum Spark gateways. For more information, review sk162472.
  • Proxy ARP is a mechanism that allows a gateway to answer ARP requests on behalf of other hosts, i.e. for a target IP address that is not the gateway's own but one that the gateway can reach. A host that does not know its default gateway can still reach the first hop this way. For more information, review sk114531. After you configure manual static NAT, the NATed address may be unreachable from the outside: the gateway does not answer ARP requests for the NATed IP address, and because ARP is broadcast traffic, the gateway does not forward it by design. Proxy ARP entries for manual NAT are stored in the local.arp file.
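The Proxy ARP bullet above (and the same bullet in the ISP use case) says that manual static NAT needs entries in local.arp. The Python script below is an added example, not part of this SK or of Check Point's tooling: it builds those entries for a list of NATed addresses, writes them only for addresses inside the external interface's subnet (addresses outside it are routed to the gateway and need no Proxy ARP), and validates an existing file before it is deployed. The "IP MAC" one-pair-per-line format and the $FWDIR/conf/local.arp path are the standard Gaia ones and are taken as assumptions for Quantum Spark; the addresses and the MAC are constructed sample data.

```python
"""Added example (not part of this SK): build and validate the local.arp
entries that Proxy ARP for manual static NAT needs on a Quantum Spark gateway.

Assumptions (not from the SK): local.arp holds one "NATed_IP MAC" pair per
line, the MAC being that of the gateway's external interface, and lives at
$FWDIR/conf/local.arp (the standard Gaia location); the addresses and the
MAC used below are constructed sample data.
"""
import ipaddress
import re

LOCAL_ARP_PATH = "$FWDIR/conf/local.arp"  # assumption, see above
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Accept 00-1c-7f-12-34-56, 001c.7f12.3456 or 00:1c:7f:12:34:56 and
    return the colon-separated lowercase form used in local.arp."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_local_arp(nat_ips, external_net, external_mac):
    """Return (lines, skipped). Only NATed addresses inside the external
    interface's subnet get an entry: the upstream router ARPs for those on
    the local segment. Addresses outside it are routed to the gateway and
    need no Proxy ARP, so they are returned in 'skipped' for review."""
    net = ipaddress.ip_network(external_net, strict=False)
    mac = normalize_mac(external_mac)
    lines, skipped = [], []
    for ip in nat_ips:
        addr = ipaddress.ip_address(ip)
        if addr in net:
            lines.append(f"{addr} {mac}")
        else:
            skipped.append(str(addr))
    return lines, skipped


def parse_local_arp(text):
    """Parse local.arp content into {ip: mac}; raise ValueError on malformed
    lines or duplicate addresses so a bad file is caught before deployment."""
    entries = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {n}: expected 'IP MAC', got {raw!r}")
        ip = str(ipaddress.ip_address(parts[0]))  # raises on a bad address
        mac = parts[1].lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"line {n}: bad MAC {parts[1]!r}")
        if ip in entries:
            raise ValueError(f"line {n}: duplicate entry for {ip}")
        entries[ip] = mac
    return entries


if __name__ == "__main__":
    # Constructed sample: external interface 203.0.113.2/29, manual static NAT
    # addresses .3 and .4 on the same segment, and one address that is routed.
    lines, skipped = build_local_arp(
        ["203.0.113.3", "203.0.113.4", "198.51.100.7"], "203.0.113.2/29", "00-1C-7F-12-34-56")
    print(f"# {LOCAL_ARP_PATH}")
    print("\n".join(lines))
    print("# routed, no Proxy ARP needed:", ", ".join(skipped))
    print(parse_local_arp("\n".join(lines)))
```

After writing the file on the gateway, a policy installation is still required for the entries to take effect, and the NATed address should then answer ARP from the upstream router.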

(4) SMS Deployment Scenario - ATM Use Case


Automated Teller Machines (ATMs) require a proactive security solution. Examples of security measures include securing data traffic with IPsec VPNs and providing additional authentication and authorization at the central sites. In addition, the IP cameras used for surveillance and the smart sensors that detect physical attacks must be secured. Network security systems prevent known and unknown attacks and protect vulnerable ATM systems from being exploited. The solution must provide insight and visibility with ATM-specific alerts. These events are shared with a SIEM solution and turned into actionable alerts. This framework also applies to smart lockers (e.g. Amazon Lockers, Red Locker) and smart vending machines.

Technical Requirements - Gateway
  • LTE and 3G/4G support for failover (redundancy).
  • Support for IoT and inline policy layers with relevant security controls.
  • Support for IPsec VPN to the Security Control Center (star VPN setup).
  • Log forwarding to the SOC solution with dedicated Threat Intelligence.
Technical Requirements - Management
  • Central management solution at the Security Control Center using LSM profiles (configuration templates) and SmartProvisioning.
  • High-level and in-depth status monitoring.
  • When managing multiple gateways, the external IP address may change over time (use unique IDs instead of IP addresses).
  • VPN concentrator.
  • SIEM solution, SmartEvent with actionable alerts.
  • API support for automation and orchestration.
  • IoT security policies with either passive or active security controls.
  • In-depth reporting.

Solution outline
  1. Dedicated (smart) asset security.
  2. IPsec Site-to-Site (S2S) VPN solution.
  3. Threat intelligence and SOC solution.
  4. Central management with LSM.
  5. Automation and orchestration.

Deployment, Automation and Orchestration

Check Point offers Zero Touch, autoconf.clish, and APIs for deployment. By default, every Quantum Spark Security Gateway reaches out to the Zero Touch portal and identifies itself by its MAC address, which is hard-coded in the firmware. For Zero Touch to work, do not configure the Security Gateway through the First Time Configuration Wizard.

Deployment example 1
Use up to 4 internet connections for failover, using the FleXi Ports configuration. For more information, refer to sk177183.

Deployment example 2
Deploying a Quantum Spark Security Gateway with configuration on USB with autoconf.clish. For more information, refer to sk110796.

Sizing Guidelines and Guidance

  • For more ATM information, see the ATM Whitepaper on CheckMates.
  • We recommend that a Quantum Spark Gateway in an LSM setup is a DAIP (Dynamically Assigned IP) gateway. Static IP addresses are also supported.
  • SmartProvisioning provides high-level and in-depth monitoring.
  • As all satellites are in a star VPN community, VPN configuration is easy.
  • Central management, SMS (LSM and SmartProvisioning): we currently recommend a maximum of 2000 devices per domain.
  • IoT inline policy layers are supported for Quantum Spark Gateways only in centrally managed mode.
  • MEP (Multi Entry Point) is supported for Quantum Spark appliances in centrally managed mode.
  • If the Quantum Spark Security Gateway is centrally managed, the masters file ($FWDIR/conf/masters) holds the names of the management, log, and alert servers the gateway trusts. It is overwritten with each policy installation. To test SIC, run fw sic_test from expert mode on the gateway: a result of 0 means OK and a result of 1 means SIC Error.
  • Policy installation:
    Phase A: the policy is pushed to the __tmp directory on the gateway.
    Phase B: the policy is moved from the __tmp directory to the __local directory.
    Policy installation creates local.cfg.gz in $FWDIR/state/local/FW1/. After installation, local.cfg is loaded into the memory of the sfwd daemon.
    local.set.gz contains the IPS policy metadata; local.set is used during policy installation to prepare the information (mostly IPS) that is loaded into the kernel.
  • Push vs. Fetch policy:
    Push policy is a full installation initiated from the Management Server: the Management Server creates the policy files and then pushes them to the gateway.
    Fetch policy is initiated from the gateway: it pulls the policy files that already exist on the Management Server, without regenerating the whole policy.
    Periodic Fetch is the same as a regular fetch, only on a schedule; it also only fetches files that already exist on the Management Server.
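To verify what a centrally managed gateway trusts after a policy installation, the Python script below is an added example (not part of this SK or of Check Point's tooling): it parses a masters file, compares the listed management, log, and alert servers with the intended ones, and wraps fw sic_test so its exit status is read as described above (0 = OK, 1 = SIC Error). The [Policy]/[Log]/[Alert] section layout is the usual masters format and is an assumption to verify against your own gateway; the server names are constructed, and fw is only invoked when present on the host.

```python
"""Added example (not part of this SK): read the masters file a centrally
managed Quantum Spark gateway receives with each policy installation, audit
the servers it lists, and wrap "fw sic_test" so its exit status maps to the
SK's 0 = OK / 1 = SIC Error.

Assumptions (not from the SK): the masters file has [Policy], [Log] and
[Alert] sections, each listing server names one per line (the usual layout;
verify against $FWDIR/conf/masters on your gateway); the content below is
constructed sample data; the "fw" binary is only invoked if present.
"""
import shutil
import subprocess

MASTERS_PATH = "$FWDIR/conf/masters"  # assumption, see above

# Constructed sample of a masters file for the ATM use case.
SAMPLE_MASTERS = """\
[Policy]
sms-atm-hub
[Log]
logsrv-soc-1
logsrv-soc-2
[Alert]
logsrv-soc-1
"""


def parse_masters(text):
    """Return {section: [server names]} for a masters file."""
    sections, current = {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line {n}: server name before any section header")
        else:
            sections[current].append(line)
    return sections


def audit_masters(sections, expected_mgmt, allowed_log_servers):
    """Compare the gateway's trust anchors with what the SOC intends. Returns
    a list of findings; an empty list means the gateway trusts exactly the
    intended management server and only approved log/alert servers."""
    findings = []
    policy = sections.get("Policy", [])
    if policy != [expected_mgmt]:
        findings.append(f"[Policy] is {policy}, expected [{expected_mgmt!r}]")
    for sec in ("Log", "Alert"):
        for name in sections.get(sec, []):
            if name not in allowed_log_servers:
                findings.append(f"[{sec}] lists unexpected server {name!r}")
        if not sections.get(sec):
            findings.append(f"[{sec}] section is missing or empty")
    return findings


def sic_status(returncode):
    """Map the exit code of 'fw sic_test' to the SK's reading of it."""
    return {0: "OK", 1: "SIC Error"}.get(returncode, f"unexpected exit code {returncode}")


def run_sic_test():
    """Run 'fw sic_test' (expert mode) when the fw binary is available; returns
    the mapped status, or None when not running on a gateway."""
    if shutil.which("fw") is None:
        return None
    proc = subprocess.run(["fw", "sic_test"], capture_output=True, text=True)
    return sic_status(proc.returncode)


if __name__ == "__main__":
    sections = parse_masters(SAMPLE_MASTERS)
    print(f"{MASTERS_PATH}: {sections}")
    for finding in audit_masters(sections, "sms-atm-hub", {"logsrv-soc-1", "logsrv-soc-2"}):
        print("FINDING:", finding)
    print("SIC:", run_sic_test() or "fw not found on this host")
```

On a gateway, feed the real file with open(MASTERS_PATH.replace("$FWDIR", os.environ["FWDIR"])).read() instead of the sample; an unexpected name in [Policy] means the gateway would accept policy from a server the SOC did not intend.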

Best Practices

Site to Site (S2S) VPN
  • For more information on SmartProvisioning, refer to sk111626.
  • With LSM, the external IP address of a gateway may change over time, but the Quantum Spark Gateway is still managed by its unique ID, even with ISP redundancy.
  • The unique ID is also used for tracking, not only for management, which reduces the logging load on the central environment.
  • Do not use identical or duplicate names in VPN configurations. For more information, refer to sk120139 and sk40179.
  • If the gateways do not need to communicate with each other, we recommend a star VPN. Note - Compared to a full mesh, this means that if the central gateway is down, all tunnels are down.
  • VPNs with overlapping IP addresses should use static NAT.
  • If the gateway is in strict mode, you need to create inbound and outbound policies that explicitly allow traffic.
  • If the gateway is in standard mode, traffic is allowed by default based on the auto-generated policies with the relevant security controls of the 'out of the box security'.
  • For more information, review: sk105119, sk104760, sk73980, the Check Point Site-to-Site VPN Compatibility Matrix, and the VPN exchange template.
IoT and [Smart] Asset Security
  • IoT security can influence identity-based security; review and follow the process in sk176854.
  • For IoT Security Best Practices, refer to sk177203.
  • For a centrally managed Quantum Spark appliance, follow the procedure in sk173495.
  • For IoT automation, refer to the IoT API Reference.
  • For detailed information on IoT, refer to the IoT Controller Cheat Sheet.

Tweak and tune advice
By default, each LSM gateway (ROBO) fetches the policy installed on its LSM Profile at a fixed interval. The fetch time is spread randomly across the gateways to reduce the load on the Management Server. The default interval is 4 hours. We recommend that you extend this timer, which is available in the LSM Security Profile.

(5) SMS Deployment Scenario - Branch Use Case


Mobile locations and enterprise branches require security aligned with the business HQ, and they must be quick and easy to add to management. Enterprises require a network security solution that is easy to deploy, manage, and maintain, and that is secure, fast, agile, efficient, and scalable. Branches need enterprise-level protection without the complexity, cost, and expertise that a large-enterprise deployment normally requires; they need a consolidated security solution that provides the same protection used by large enterprises. For a large-scale deployment of hundreds to thousands of Quantum Spark Security Gateways, Check Point recommends that you first design and then deploy a Multi-Domain Security Management (MDSM) solution using Large Scale Management (LSM).

Technical Requirements - Security Gateway
  • VPN redundancy (between geographic hubs).
  • Route injection through VPN/OSPF.
  • Firmware updates over links slower than 150 Mbps.
  • Easy and fast provisioning.
Technical Requirements - Management
  • Fully centralized configuration.
  • Central management of backups and configurations.
  • Policy installation and status monitoring.
  • Dynamic objects.
Solution outline
  1. VPN communities: for each geo, the hubs are configured as a star, one for each of the 5 domains.
  2. Central management with LSM and SmartProvisioning, with in-depth monitoring and alerting.
  3. The satellite gateways are managed by LSM profiles. NAT-T is enforced (vpn_force_nat_t).
  4. For the 5 star communities, permanent tunnels are configured and Automatic Route Injection (RIM) is enabled. The central office gateway clusters are configured with OSPF to redistribute the routes received from RIM into the MPLS network.

Deployment, Automation and Orchestration

Check Point offers Zero Touch, autoconf.clish, and APIs for deployment. By default, every Quantum Spark Security Gateway reaches out to the Zero Touch portal and identifies itself by its MAC address, which is hard-coded in the firmware. For Zero Touch to work, do not configure the Security Gateway through the First Time Configuration Wizard.

Deployment example 1
For deployment with LTE. For more information, refer to sk167276.

Deployment example 2
Orchestrated rollout of LSM Centrally managed gateways. For more information, refer to sk116136.

Multi-Domain Security Management (MDSM): the MDSM farm consists of 5 Multi-Domain Servers (MDS), which are geographically distributed. There are 2 Check Point clusters in each geo hub for redundancy and route distribution. Because there is a mix of 3G and 4G connections, DSL lines, and LAN connections with a variety of static and dynamically assigned public and translated IP addresses, the LSM Security Profile does not differentiate between dynamic and static IP addresses, which keeps the setup simple. Reach My Device (RMD) allows Quantum Spark gateways hidden behind a NAT device to be managed.

Site to Site (S2S) VPN
To keep the VPN configuration identical for all Quantum Spark Gateways, VPN is configured as follows:
  • Each of the 5 geo hubs is configured as a star VPN community.
  • To meet the VPN redundancy requirement for the geo hubs, 2 separate clusters per geo hub are implemented in different data centers; they are the central gateways of the VPN communities.
  • The LSM profiles used to manage the Quantum Spark Gateways are added as satellite gateways.
  • NAT-T is enforced on the Quantum Spark Gateways using the global parameter "force NAT-T" (vpn_force_nat_t).
  • For the star communities, permanent tunnels are configured and Automatic Route Injection (RIM) is enabled. The central gateway clusters run OSPF and redistribute the routes received from RIM into the MPLS network.

Sizing Guidelines and Guidance
  • We recommend that a Quantum Spark Security Gateway in an LSM setup is a DAIP (Dynamically Assigned IP) gateway. Static IP addresses are also supported.
  • SmartProvisioning provides high-level and in-depth monitoring.
  • As all satellites are in a star VPN community, VPN configuration is easy.
  • Central management, SMS (LSM and SmartProvisioning): we currently recommend a maximum of 2000 devices per domain.
  • IoT inline policy layers are supported for Quantum Spark Gateways only in centrally managed mode.
  • MEP (Multi Entry Point) is supported for Quantum Spark appliances in centrally managed mode.
  • NAT Traversal (NAT-T), also known as UDP encapsulation, allows IPsec traffic to reach its destination when a device does not have a public IP address. This is usually the case when the external interface of the gateway sits behind a NAT device, for example an ISP router with NAT enabled. A NAT device rewrites the IP packet in a way that is not compatible with plain IPsec, so the IPsec packets are encapsulated in UDP instead. NAT-T can be enforced on Quantum Spark gateways. For more information, review sk162472.
  • For VPN investigation and debugging, review sk34467.
  • The IKEView utility assists in the analysis of the ike.elg (IKEv1) and ikev2.xmll (IKEv2) debug files. For more information, refer to sk30994.

Tweak and tune advice
By default, each LSM gateway (ROBO) fetches the policy installed on its LSM Profile at a fixed interval. The fetch time is spread randomly across the gateways to reduce the load on the Management Server. The default interval is 4 hours. We recommend that you extend this timer, which is available in the LSM Security Profile.
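To put numbers on the fetch timer recommendation above (the same advice appears in the ATM use case), the Python script below is an added example, not part of this SK or of Check Point's tooling: it simulates a fleet of LSM gateways fetching once per interval at random offsets and reports the total fetches per day plus the mean and peak fetches per minute for the default 4-hour interval and for longer ones. The assumption that every gateway keeps a fixed random offset, and the 2000-gateway fleet (the per-domain maximum recommended above), are constructed for the example.

```python
"""Added example (not part of this SK): estimate the policy-fetch load that
LSM-managed Quantum Spark gateways (ROBO) put on the Management Server for a
given fetch interval, to show what extending the default 4-hour timer buys.

Assumptions (not from the SK): each gateway fetches once per interval at a
random offset that stays fixed (the SK only says the fetch time is spread
randomly); the fleet size of 2000 is the SK's per-domain maximum and the
intervals compared are constructed for the example.
"""
import random


def fetch_histogram(num_gateways, interval_hours, seed=1):
    """Fetches per minute across one interval, with every gateway placed at a
    random minute. The list has interval_hours*60 entries summing to num_gateways."""
    minutes = int(interval_hours * 60)
    rng = random.Random(seed)  # fixed seed so the numbers are reproducible
    buckets = [0] * minutes
    for _ in range(num_gateways):
        buckets[rng.randrange(minutes)] += 1
    return buckets


def fetch_load(num_gateways, interval_hours, seed=1):
    """Return (mean fetches per minute, peak fetches in any one minute)."""
    hist = fetch_histogram(num_gateways, interval_hours, seed)
    return num_gateways / len(hist), max(hist)


def fetches_per_day(num_gateways, interval_hours):
    """Total fetch operations the Management Server serves in 24 hours."""
    return num_gateways * (24 / interval_hours)


if __name__ == "__main__":
    fleet = 2000
    for hours in (4, 8, 12, 24):
        mean, peak = fetch_load(fleet, hours)
        print(f"{hours:>2}h interval: {fetches_per_day(fleet, hours):>6.0f} fetches/day, "
              f"mean {mean:.2f}/min, peak {peak}/min in this run")
```

Going from 4 to 12 hours cuts the daily fetch count from 12000 to 4000 for a 2000-gateway domain; the peak column shows that random spreading keeps the per-minute load close to the mean but not equal to it, so size the Management Server for the peak.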