Nodes are counted based on the number of concurrent IP addresses generating traffic through the firewall. An IP node generates traffic through the firewall when it sends packets to resources outside its own network (such as the Internet, the DMZ or a secondary logical network). As a result, devices such as network printers, switches or access points that only talk to hosts on their own network are not counted as licensed nodes.
In order to upgrade the node limit, you need to purchase a product upgrade. In most cases, you will simply get a product key string. However, an upgrade from a 5/10 nodes product to a 25 nodes product may require replacing your hardware. Contact your reseller for upgrade and pricing information. Additionally, you can manually purchase an upgrade to the node limit at the Check Point Store.
An IP node will release its license after 60 minutes of not generating traffic through the firewall. An IP node that released its license is displayed in blue on the Active Computers page.
An IP node will take up a license if it generates traffic through the firewall. In order to prevent a node from generating traffic through the firewall, you'll need to set the node up with no default gateway information. Note that this will make the node unable to browse the Internet.
The Safe@Office does not have a default administrator password. In case you forgot the password, reset the Safe@Office to factory settings, by pressing the reset button on the back of the box for 10 seconds. After the box reboots, you will be able to enter a new password.
The Safe@Office appliance supports remote management. You can enable remote management and connect to the box from the Internet, by connecting with your browser to https://<Appliance_External_IP_Address>:981. To enable management of the Safe@Office from a remote location:
Note: In case the Safe@Office appliance is installed behind another firewall or a NAT device, make sure to allow HTTPS traffic on TCP port 981 towards the Safe@Office appliance.
The connection to a Check Point Service Center uses a proprietary protocol called SWTP (SofaWare Transport Protocol), which encrypts all communication between a Safe@Office appliance and the Service Center. The communication between the Safe@Office and a Service Center uses UDP ports 9281/9282.
If your Safe@Office is behind another firewall, allow traffic on the SWTP ports listed above. Also make sure that your router does not block these ports with ACLs (access control lists).
The Check Point Safe@Office appliance is an advanced Internet security appliance that enables secure high-speed Internet access from the office. The Safe@Office firewall, based on the world-leading Check Point Embedded NG Stateful Inspection technology, inspects and filters all incoming and outgoing traffic, blocking all unauthorized traffic.
The Safe@Office appliance also allows sharing your Internet connection among several PCs or other network devices, enabling advanced office networking and saving the cost of purchasing static IP addresses. You can also connect Safe@Office appliances to security services available from select service providers, including firewall security updates, Web filtering, and dynamic DNS. Business users can use the Safe@Office appliance to securely connect to the office network.
Embedded NGX Solutions are configured through a simple Web-browser portal. No software installation is required. Just connect your Embedded NGX Solution, launch your browser, and connect from LAN with your browser to http://my.firewall.
Yes. Safe@Office Solutions protect all of the computers on your network, regardless of their operating system. Plus, Safe@Office Solutions are configured through a Web browser and require no software installation on your computers. Therefore, they are manageable from any type of computer, regardless of its operating system.
The following management options are available for Safe@Office:
Local web-based management
SofaWare Security Management Portal (SMP)
Safe@Office appliances cannot be managed by Check Point SmartCenter. For an appliance supporting SmartCenter enterprise management, refer to VPN-1 Edge.
Inherent drawbacks with PC firewalls make Safe@Office solutions a superior choice:
PC firewalls protect a single PC. A Safe@Office Solution protects your entire network - all the PCs, Macintoshes, servers and other devices on the network
PC firewalls are managed and configured by the consumer. Most common security flaws originate from faulty configuration. To reduce risk for users, Safe@Office Solutions come with a pre-configured security policy. In addition, Safe@Office Solutions can be managed by a security solutions provider, transferring responsibility for security expertise to security experts.
In the Safe@Office 'S' series, when a computer on the LAN connects to the Safe@Office Portal, the Safe@Office appliance adjusts its date and time to match that of the computer. If the date and time displayed in the Safe@Office Portal are incorrect, it probably means that the date and time on the computer connected to the Safe@Office Portal are incorrect. In the Safe@Office 200 series, you can adjust the time on the Setup page's Tools tab.
You can cascade an additional hub or switch to the Safe@Office 'S' series appliance, by using a crossed Ethernet cable. The Safe@Office 'X' series automatically detects the cable type, so you can use either a straight-through or crossed cable.
Items can be uploaded to the Check Point security appliance in order to make them permanent even after a reset to factory settings. An item can be either a firmware image file, a bootloader file or a configuration (CFG) file.
The Check Point security appliance has an embedded TFTP server with the default IP address 192.168.10.1, and a TFTP client must be used to upload items to the appliance. A TFTP client is usually part of the operating system, but third-party clients can also be used. To upload items, perform the following:
Activate the TFTP server on the appliance by following these steps: unplug the power cord, hold the reset button on the back of the box, and plug in the power cord, while holding the button until the pwr/sec led is steady red.
Connect a computer to one of the security appliance LAN ports.
Configure the computer with a fixed IP address in the 192.168.10.0/24 range (subnet mask 255.255.255.0); note that 192.168.10.1 is already taken by the appliance's TFTP server.
If you are using the Windows 2000 embedded TFTP client, open a command prompt and type: tftp -i 192.168.10.1 put [filename] (the -i switch selects binary, or octet, transfer mode, which firmware and bootloader images require). The appliance will reboot.
Note: When uploading a firmware or bootloader file, the file must be compiled in TFTP format. A configuration file can be uploaded in CFG format.
When connecting with your browser from LAN to http://my.firewall configuration page, images may not be displayed correctly because of the following reasons:
Your browser cache is full
A personal firewall prevents some scripts and images from running
Solutions:
Clear your browser cache
Stop your personal firewall, or add an exception for the my.firewall page in its rules.
"Vendor specific RADIUS attributes" is supported with firmware 5.0.82 and subsequent versions. You can configure your RADIUS server to use the following attributes:
SofaWare Vendor ID: 6983
The list of permissions and corresponding attributes and values is described in the following table:
The RESET button on your Embedded NG appliance can be used for resetting the VPN-1 Edge appliance to its factory defaults. This results in the loss of all user settings, and reverting to the factory default firmware. Optionally, a preset configuration file can be loaded to the Embedded NG appliance, using the TFTP protocol, allowing a service provider or reseller to permanently modify the factory default settings. The preset configuration file is retained even after a reset to defaults operation.
The following procedures are valid for all the models in the Safe@Office and VPN-1 Edge appliance families.
Loading a Preset Configuration file
Preparing a Preset Configuration File
The Embedded NG configuration file is a simple text file, containing CLI (Command Line Interface) commands for the appliance. For more information on the Embedded NG CLI syntax, refer to the Embedded NG CLI Guide.
The configuration file should be stored as a text file with the extension .cfg.
The first line in the configuration file must begin with: "# Configuration script" and the last line in the file should begin with "# END Configuration script". These two lines are mandatory.
Note: The preset configuration file is not cleared when the appliance is reset to defaults. The only way to clear it is to load an empty configuration file (a configuration file with no CLI commands). Because the preset file survives every reset, treat it as part of the appliance's trusted state: load only files you generated or reviewed yourself, and after a reset check the running configuration against what you expect.
Tip: You can export a complete configuration file from an existing appliance by going to the 'Setup > Tools' tab in the Embedded NG configuration portal, and clicking the "Export" button.
Warning: Always make sure that the configuration file is valid before uploading it to the appliance.
Activating the Embedded NG TFTP server
Activate the TFTP server on the appliance by following these steps:
Unplug the power cord.
Using a pointed object, press the RESET button on the back of the VPN-1 Edge appliance steadily, while plugging in the power cord.
Keep pressing the RESET button a few seconds until the PWR/SEC LED lights steadily in red.
Configuring the TFTP client
Use a standard Ethernet cable to connect a computer to one of the LAN ports of the appliance.
Configure the computer to use any fixed IP address in the range 192.168.10.2 - 192.168.10.254. Set the subnet mask to 255.255.255.0.
If SecuRemote is installed on your PC, disable it.
If you are using the Windows 2000 embedded TFTP client, type the following at the Windows command prompt: tftp -i 192.168.10.1 put filename.cfg (the -i switch selects binary, or octet, transfer mode).
The appliance will store the configuration file and automatically restart.
Allow the VPN-1 Edge appliance to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).
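The two TFTP procedures above (uploading items in recovery mode, and loading a preset configuration file) as one script. This is an added example, not Check Point or SofaWare code: it checks the two mandatory marker lines before anything is made permanent, then performs the RFC 1350 write in octet mode, which is what `tftp -i 192.168.10.1 put filename.cfg` does. The appliance address 192.168.10.1 and the marker lines are from this article; the retry count, timeout and the hypothetical CLI line used while testing are assumptions.

```python
"""Validate an Embedded NG preset configuration file and upload it to the
appliance's recovery-mode TFTP server (192.168.10.1, from the article).

Added example, not Check Point/SofaWare code. Implements the client side of
RFC 1350 in octet mode, the equivalent of `tftp -i 192.168.10.1 put file`.
"""
import socket
import struct
import sys

APPLIANCE_IP = "192.168.10.1"   # TFTP server address in recovery mode (article)
TFTP_PORT = 69
BLOCK_SIZE = 512                # RFC 1350 data block size
OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
HEADER = "# Configuration script"        # mandatory first line (article)
FOOTER = "# END Configuration script"    # mandatory last line (article)


def validate_cfg_text(text: str) -> list:
    """Return the list of problems found in a preset .cfg file ([] means OK).

    Catches a malformed file before it is made permanent on the appliance:
    both marker lines must be present and the file must be plain ASCII text.
    A file containing only the two markers is the "empty" file that clears
    a previously loaded preset.
    """
    problems = []
    lines = text.splitlines()
    if not lines:
        return ["file is empty"]
    if not lines[0].startswith(HEADER):
        problems.append("first line must begin with %r" % HEADER)
    if not lines[-1].startswith(FOOTER):
        problems.append("last line must begin with %r" % FOOTER)
    if any(ord(c) > 126 or (ord(c) < 32 and c not in "\r\n\t") for c in text):
        problems.append("file must be plain ASCII text")
    return problems


def build_wrq(filename: str, mode: str = "octet") -> bytes:
    """Encode a TFTP write request: opcode 2 | filename | 0 | mode | 0."""
    return (struct.pack("!H", OP_WRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def data_blocks(payload: bytes):
    """Yield (block number, chunk). A final block shorter than 512 bytes,
    possibly empty, tells the server the transfer is complete."""
    num = 1
    for off in range(0, len(payload), BLOCK_SIZE):
        yield num, payload[off:off + BLOCK_SIZE]
        num += 1
    if len(payload) % BLOCK_SIZE == 0:
        yield num, b""


def _wait_ack(sock, block: int, peer=None):
    """Block until ACK `block` arrives; return the sender's address.
    The first ACK comes from the server's transfer port, not port 69."""
    while True:
        pkt, addr = sock.recvfrom(516)
        if peer is not None and addr != peer:
            continue                     # ignore datagrams from anyone else
        if len(pkt) < 4:
            continue
        op, num = struct.unpack("!HH", pkt[:4])
        if op == OP_ERROR:
            msg = pkt[4:].rstrip(b"\0").decode("ascii", "replace")
            raise RuntimeError("TFTP error %d: %s" % (num, msg))
        if op == OP_ACK and num == block:
            return addr


def tftp_put(payload: bytes, remote_name: str, host: str = APPLIANCE_IP,
             timeout: float = 5.0, retries: int = 5) -> int:
    """Write `payload` to `remote_name` on `host`; return the number of
    DATA blocks sent. Each block is resent until its ACK arrives."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_wrq(remote_name), (host, TFTP_PORT))
        peer = _wait_ack(sock, 0)
        sent = 0
        for num, chunk in data_blocks(payload):
            pkt = struct.pack("!HH", OP_DATA, num) + chunk
            for _ in range(retries):
                sock.sendto(pkt, peer)
                try:
                    _wait_ack(sock, num, peer)
                    break
                except socket.timeout:
                    continue
            else:
                raise TimeoutError("no ACK for block %d" % num)
            sent += 1
        return sent
    finally:
        sock.close()


if __name__ == "__main__":
    # usage: python tftp_preset.py preset.cfg   (run with the appliance in recovery mode)
    path = sys.argv[1]
    with open(path, "rb") as f:
        raw = f.read()
    errors = validate_cfg_text(raw.decode("ascii", "replace"))
    if errors:
        sys.exit("refusing to upload: " + "; ".join(errors))
    print("sent %d blocks" % tftp_put(raw, path.replace("\\", "/").split("/")[-1]))
```

The validation step matters more than it looks: a file the appliance rejects is merely annoying, but a file it accepts becomes the new factory state and survives the reset button. Keep the script on the same machine you use for the recovery procedure, since the TFTP server only exists while the PWR/SEC LED is steady red.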
Resetting to defaults
To reset the VPN-1 Edge appliance to factory defaults using the Reset button:
Make sure the VPN-1 Edge appliance is powered on.
Using a pointed object, press the RESET button on the back of the VPN-1 Edge appliance steadily for seven seconds, and then release it.
Allow the VPN-1 Edge appliance to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).
The appliance will revert to the factory default settings (or to the preset configuration file, if one is loaded). The firmware will be reset to the factory default firmware.
U.S. Robotics 56K Courier modem may not be able to dial out after configuring the Embedded NG security gateway with dialup connection properties. This happens because the default settings of the dialup modem do not allow a delay after the Embedded NG security gateway sends the ATZ command to the modem.
Solution: Configure the following init string \d\d\AT on the Embedded NG security gateway to create the necessary delay.
To configure an init string perform the following:
Learn how to configure a Vendor-Specific Attribute when using a RADIUS to authenticate local and VPN users with RADIUS servers from different vendors. Refer to Configuring the RADIUS Vendor-Specific Attribute.
The print server is compatible with most printers with a USB interface. Multifunction printers will operate as a printer only. Scanner functionality in these printers is not supported.
The following printers are known to operate correctly with the Embedded NGX integrated print server:
Brother HL-2030 Brother HL-2040 Brother HL-5140 Brother HL-5240 Canon MF5750 Canon MF5770 Canon MP150 Canon MP390 Canon MP500 Canon MP700 Canon MP780 Canon S520 Canon i250 Canon i350 Canon i450 Canon i560 Canon i850 Canon i860 Canon i865 Canon i905D Canon i9100 Canon i960 Canon i9950 Canon iP1000 Canon iP1300 Canon iP1600 Canon iP1700 Canon iP3000 Canon iP4000 Canon iP4200 Canon iP5000 Canon iP8500 Canon MF5750 Canon MF5770 Canon MP150 Canon MP390 Canon MP500 Canon MP700 Canon MP780 Canon S450 Canon S520 Canon PIXMA MP600 Dell Laser Printer 1700n Dell Laser Printer 1710n Dell Laser Printer P1500 DYMO LabelWriter 320 HP Color Inkjet CP1700 HP Color LaserJet 1500 HP Color LaserJet 1600 HP Color LaserJet 2550 HP Color LaserJet 2600n HP Color LaserJet 3500 HP Color LaserJet 3550 HP DesignJet 70 HP Deskjet 1220C HP Deskjet D1400 HP DeskJet D2300 HP DeskJet F2100 series HP Deskjet F4100 series HP Deskjet 3600 HP Deskjet 3740 HP Deskjet 3820 HP Deskjet 3840 HP DeskJet 3900 HP Deskjet 460 HP Deskjet 5100 HP Deskjet 5400 HP Deskjet 5550 HP Deskjet 5600 HP Deskjet 5700 HP Deskjet 5900 HP Deskjet 6122 HP Deskjet 640c HP Deskjet 6500 HP Deskjet 6800 HP Deskjet 810C HP Deskjet 815C HP Deskjet 830C HP Deskjet 845C HP Deskjet 920C HP Deskjet 930C HP Deskjet 940C HP Deskjet 950C HP Deskjet 960C HP Deskjet 970C HP Deskjet 980C HP Deskjet 990C HP LaserJet 1010 HP LaserJet 1012 HP LaserJet 1015 HP LaserJet 1150 HP LaserJet 1200 HP LaserJet 1220 HP LaserJet 1300 HP LaserJet 1320 HP LaserJet 2300 HP LaserJet 3015 HP LaserJet 3030 HP LaserJet 3055 HP LaserJet 3200 HP LaserJet 3330 HP Officejet 4100 HP Officejet 4200 HP Officejet 4300 HP Officejet 5500 HP Officejet 5600 HP Officejet J5700 HP Officejet 6100 HP Officejet 6200 HP Officejet 7100 HP Officejet 7400 HP Officejet G85 HP OfficeJet G85xi HP Officejet V40 HP Officejet V40xi HP Officejet d HP OfficeJet Pro K850 HP PSC 1200 HP PSC 1310 HP PSC 1500 HP PSC 2100 HP PSC 2350 HP PSC 2400 HP PSC 2500 HP PSC 720 HP PSC 750 HP PSC 920 HP PSC 
930 HP PSC 950 HP Photosmart 1218 HP Photosmart 2570 HP Photosmart 3200 HP Photosmart 7150 HP PhotoSmart 7200 HP Photosmart 7350 HP Photosmart 7400 HP Photosmart 7550 HP Photosmart 7600 HP Photosmart 7700 HP Photosmart 7900 HP Photosmart D7100 HP Photosmart D7300 Konica Minolta PagePro PP1350W Kyocera KM-1820 Lexmark 1200 Series Lexmark C510 Lexmark E210 Laser Printer Lexmark E232 Lexmark E238 Lexmark E323 Lexmark E330 Lexmark X1100 Lexmark X215 Lexmark X340 Lexmark X6100 Lexmark Z35 Lexmark Z45 Oki ML5590 Samsung CLP-510 Samsung ML-1450 Samsung ML-1650 Samsung ML-1710 Samsung ML-1740 Samsung ML-1750 Samsung ML-2010 Samsung ML-2550 Samsung SCX-4100 Samsung SCX-4x16 Samsung SCX-4x21 Samsung SCX-5x12 Xerox DocuPrint P1202 Xerox Phaser 3116 Xerox Phaser 3117 Xerox Phaser 3120 Xerox Phaser 3121 Xerox Phaser 3130 Xerox Phaser 3150 Xerox Phaser 3210 Xerox Phaser 6100 Color Laser Xerox Phaser 6180DN Xerox Phaser 7300 Series Xerox WorkCentre 4118 Xerox WorkCentre PE16 Xerox WorkCentre PE120
The following printers are known to be incompatible with the Print Server:
HP OfficeJet G85 HP OfficeJet K80xi HP Laserjet 1020 Lexmark-6100 Lexmark-6150
In order to change the timeout for a specific service you need to follow these steps:
Go to the libsw directory on Security Management Server / Domain Management Server (refer to sk31448).
Open the init.def file.
In the tcp_timeouts section, add the specific service and its timeout.
After changing the value, you need to reinstall the Edge policy.
Note: You need to change this value manually every time you replace the libsw directory, or after you install HA. For example, for TCP port 400 the timeout was changed to 7200 seconds.
Note: In this section you will find information about the interfaces of the appliance such as- MAC addresses, interface speed, up/down status, number of packets passed and so on.
Note: In this section you will find information concerning SNMP packets, which have passed through the appliance, such as: incoming/outgoing count, number of get/set requests, number of erroneous packets and so on.
Note: In this section you will find statistic information concerning ip packets such as number of incoming packets, number of packets discarded, and so on.
The default security policy that comes with the Safe@ appliance basically blocks all incoming traffic and allows all outbound traffic, initiated from your home or office.
Low: All outbound traffic is allowed. All inbound traffic is blocked, except for ICMP echos ("pings").
Medium: All outbound traffic is allowed, except for Windows file sharing (NBT ports 137, 138, 139 and 445). All inbound traffic is blocked.
High: Restrictions apply to outbound traffic, allowing only Web traffic (HTTP, HTTPS), e-mail (IMAP, POP3, SMTP), FTP, NNTP, Telnet, DNS, IKE, UDP 2746 and TCP 256 out. All inbound traffic is blocked.
"TCP Out of State" log message indicates that the Check Point security appliance intercepted a non-Syn packet which does not have an entry in the firewall's TCP connections table. Being a Stateful Inspection firewall, the Check Point security appliance will not let a TCP session initiate without a Syn packet first, in order to prevent a DoS (Denial of Service) attack.
The Check Point security appliance can be configured to log, block or ignore non-Syn packets activity, by using the following command line syntax:
The SmartDefense AI (Application Intelligence) engine can identify the Microsoft MSN Messenger application signature and block its traffic. To block MSN Messenger traffic, perform the following:
Configure a rule that blocks traffic on ports TCP/UDP 1863.
Configure SmartDefense to block the MSN Messenger application.
To configure a rule that blocks traffic on port TCP/UDP 1863:
The SmartDefense AI (Application Intelligence) engine can identify the Microsoft MSN Messenger Live (version 8.0 build 8.0.0812.00) application signature and block its traffic. To block MSN Messenger traffic, perform the following:
Configure a rule that blocks traffic on ports TCP/UDP 1863. Add the signature to the SmartDefense AI inspect engine using command line.
Configure SmartDefense to block the MSN Messenger Live application.
To configure a rule that blocks traffic on port TCP/UDP 1863:
Select the "MSN8" option from the applications list.
Click "Apply".
Notes:
In case you do not see a list of applications, click the "Defaults" button on the relevant SmartDefense page. Only new MSN Messenger sessions will be blocked. As a result, you will need to make sure to restart all MSN Messenger sessions.
The logs will be saved as a Microsoft Excel file (XLS).
Note: With this method you can only save up to the 100 current displayed event log entries. In case you want to save all event log entries, you can use the Syslog logging option.
Yes. Embedded NGX appliances (excluding ZoneAlarm Secure Wireless Router Z100G) support Syslog logging. Using Syslog logging you can save the ongoing events generated by your appliance even beyond the current 100 events.
Check Point appliances implement the Syslog protocol as described in RFC 3164.
The syslog protocol provides a transport that allows a machine to send event notification messages across IP networks to event message collectors, also known as syslog servers; here the sending machine is the Check Point appliance. The appliance must be able to reach the syslog server over the network, and both sides must understand the syslog message format. Note that RFC 3164 syslog is sent over UDP without authentication or encryption, so keep the syslog server on a trusted network segment rather than exposing it to the Internet.
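What a collector has to do with the datagrams the appliance sends, as an added example that is not Check Point code: parse the RFC 3164 PRI and header, fall back the way the RFC prescribes when PRI is missing or invalid, and keep the UDP source address separate from the HOSTNAME field, because the latter is just text the sender chose. The sample datagrams are constructed for this example; the appliance's real message text is not shown in the article.

```python
"""Parse RFC 3164 syslog datagrams the way a collector for the appliance
would, validating the PRI field and coping with the relaxed header the RFC
permits.

Added example, not Check Point code. Sample datagrams are constructed.
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_LEN = 1024       # RFC 3164 section 4.1: total packet length limit
DEFAULT_PRI = 13     # user.notice, assigned when PRI is missing or invalid (section 4.3.3)

_PRI = re.compile(r"^<(\d{1,3})>")
_HEADER = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"([ 0-3]\d) (\d\d):(\d\d):(\d\d) (\S+) (.*)$", re.DOTALL)


def parse_syslog(datagram: bytes, source_ip: str = None) -> dict:
    """Return facility, severity, timestamp, host, msg and bookkeeping flags.

    `source_ip` is the UDP sender and is recorded separately from HOSTNAME,
    which is unauthenticated text. Plain RFC 3164 syslog has no integrity
    protection at all, so the collector should only be reachable from the
    appliance's own network segment.
    """
    text = datagram[:MAX_LEN].decode("ascii", errors="replace")
    m = _PRI.match(text)
    digits = m.group(1) if m else None
    # PRI must be 0..191 with no leading zero (except "0" itself)
    if digits is not None and int(digits) <= 191 and (digits == "0" or digits[0] != "0"):
        pri, rest, pri_ok = int(digits), text[m.end():], True
    else:
        pri, rest, pri_ok = DEFAULT_PRI, text, False   # keep the whole text as MSG
    h = _HEADER.match(rest)
    if h:
        mon, day, hh, mm, ss, host, msg = h.groups()
        timestamp = "%s %s %s:%s:%s" % (mon, day.strip().rjust(2), hh, mm, ss)
    else:
        timestamp, host, msg = None, None, rest       # relaxed format: no header
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "pri_ok": pri_ok, "timestamp": timestamp, "host": host,
            "source_ip": source_ip, "msg": msg,
            "truncated": len(datagram) > MAX_LEN}


if __name__ == "__main__":
    # constructed sample; the real appliance message text is not in the article
    sample = b"<134>Jan  5 10:23:07 my.firewall fw: constructed sample event"
    print(parse_syslog(sample, "192.168.10.1"))
```

Anything the parser cannot trust is surfaced as a flag (`pri_ok`, `truncated`) rather than silently dropped, so a report built on these records can show how many events arrived malformed, which is itself a useful signal when a sender on the LAN is spoofing the appliance.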
This article is relevant only if your Check Point Embedded NG gateway is installed with firmware 6.0 or above.
Negative rule numbers are given to implied rules that are logged by either:
Check Point SmartCenter
SofaWare Management Portal (SMP)
External Syslog server
Starting from version 6.0, along with the rule numbers, a "log reason" is added, thus allowing generating reports based on rule numbers, while still displaying a textual description. Below is the complete list of these numbers with the corresponding rules. Most of these messages are sent from version 6.0 onwards (Where [5] appears, version 5.0 may also send these messages.)
Rule -1: Stateless ICMP [5]. ICMP replies that do not match any request, ICMP errors that do not match any active connection, and so on.
Rule -4: Anti-Spoofing [5]. The connection was dropped by the automatic anti-spoofing rules.
Rule -5: Connection matched by a custom rule (a.k.a. "user rule").
Rule -9: HotSpot. Connection dropped because the user has not yet authenticated on a hotspot-enabled network.
Rule -10: Encryption mismatch [5]. A clear-text packet that should have been encrypted was dropped.
Rule -11: TCP out of state [5]. Logs or drops packets that try to join a connection without the full three-way handshake.
Rule -12: Land attack. A packet whose source address and port equal its destination address and port.
Rule -13: Ping size exceeds the maximum allowed size.
Rule -14: ICMP with null payload.
Rule -15: Welchia ICMP worm.
Rule -16: Christmas packet [5]. Packets with an illegal combination of TCP flags set, for instance SYN and FIN, or SYN and RST.
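The decisions behind rules -11, -12 and -16 (and the "TCP Out of State" message explained earlier) are simple enough to reproduce. The following is an added example, not Check Point code: a small stateful TCP checker that returns the rule number the log would show for each packet. The no-SYN-no-session behaviour follows the article; the idle timeout, the treatment of FIN/RST, and the extra FIN+PSH+URG combination are assumptions, and the packets are constructed.

```python
"""Reproduce the decisions behind three negative rule numbers (-12 Land
attack, -16 Christmas packet, -11 TCP out of state) with a small stateful
TCP checker run over constructed packets.

Added example, not Check Point code. Idle timeout and the exact set of
"Christmas" flag combinations are assumptions.
"""
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
RULE_USER, RULE_OUT_OF_STATE, RULE_LAND, RULE_XMAS = -5, -11, -12, -16
RULE_NAMES = {RULE_USER: "user rule", RULE_OUT_OF_STATE: "TCP out of state",
              RULE_LAND: "Land attack", RULE_XMAS: "Christmas packet"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    t: float = 0.0          # arrival time in seconds


def is_xmas(flags: int) -> bool:
    """Illegal flag mixes: SYN together with FIN or RST (from the article),
    plus the classic FIN+PSH+URG scan probe (assumption)."""
    return bool(flags & SYN and flags & (FIN | RST)) or \
        (flags & (FIN | PSH | URG)) == (FIN | PSH | URG)


class TcpStateChecker:
    def __init__(self, idle_timeout: float = 3600.0):   # assumption
        self.idle_timeout = idle_timeout
        self.table = {}        # direction-agnostic 4-tuple -> last seen time

    @staticmethod
    def _key(p: Packet):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def _expire(self, now: float) -> None:
        dead = [k for k, last in self.table.items()
                if now - last > self.idle_timeout]
        for k in dead:
            del self.table[k]

    def check(self, p: Packet) -> int:
        """Return the rule number the log would show for this packet."""
        if p.src == p.dst and p.sport == p.dport:
            return RULE_LAND
        if is_xmas(p.flags):
            return RULE_XMAS
        self._expire(p.t)
        key = self._key(p)
        if p.flags & SYN and not p.flags & ACK:
            self.table[key] = p.t          # only a bare SYN may open state
            return RULE_USER
        if key not in self.table:
            return RULE_OUT_OF_STATE       # SYN/ACK, ACK, FIN... with no session
        if p.flags & RST:
            del self.table[key]            # simplified: a real firewall also
        else:                              # tracks FIN in both directions
            self.table[key] = p.t
        return RULE_USER


def classify(packets, checker=None):
    """Run a packet list through one checker; return [(rule, name)]."""
    checker = checker or TcpStateChecker()
    return [(r, RULE_NAMES[r]) for r in (checker.check(p) for p in packets)]


if __name__ == "__main__":
    trace = [Packet("192.168.10.3", 50000, "1.2.3.4", 80, SYN, 0.0),
             Packet("1.2.3.4", 80, "192.168.10.3", 50000, SYN | ACK, 0.1),
             Packet("1.2.3.4", 1234, "192.168.10.3", 80, ACK, 0.2),
             Packet("1.2.3.4", 1234, "192.168.10.3", 80, SYN | FIN, 0.3)]
    for p, (rule, name) in zip(trace, classify(trace)):
        print("%-15s:%-5d -> %-15s:%-5d rule %3d %s"
              % (p.src, p.sport, p.dst, p.dport, rule, name))
```

Note the order of the checks: Land and Christmas packets are rejected before any state is consulted or created, so a crafted SYN can never open a table entry. This mirrors why a stateful firewall logs these under separate negative rules rather than under -11.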
Configure IAS to support remote/local users authentication
Go to Start menu > Programs > Administrative tools > Internet Authentication service.
Expand the Internet Authentication Service and right-click on "Clients". Click "New Client".
In the Add Client window, enter a name and choose the protocol as "RADIUS". Click "Next".
Fill in the Client address with the appliance LAN IP address that the IAS server is connected to. Make sure to select "RADIUS Standard" as the Client-Vendor, and add the shared secret to match the one you entered on the appliance RADIUS page.
Click "Finish" to return to the console root.
Click on "Remote Access Policies" in the left pane and double-click the policy labeled "Allow access if dial-in permission is enabled".
Click "Edit Profile" and go to the Authentication tab. Under Authentication Methods, make sure only "Unencrypted Authentication (PAP, SPAP)" is checked; the VPN client can use only this method. Because PAP hands the appliance the password itself, and RADIUS protects it on the way to IAS with only an MD5 keystream derived from the shared secret, use a long, random shared secret and keep the appliance-to-IAS path on the LAN.
Click "Apply" and then "OK" twice.
To modify the users to allow connection, go to Start menu > Programs > Administrative tools > Users and Computers.
Double-click the user for whom you want to allow access.
Click the Dial-in tab and select "Allow Access under Remote Access Permission" (Dial-in or VPN).
Click "Apply" and "OK".
Configure the appliance to support RADIUS authentication for remote VPN users
Under 'VPN' tab > 'VPN Server', set the VPN server to "Enabled", and select the "Bypass NAT" and "Bypass Firewall" options.
Under the Users tab, click the RADIUS tab.
In the address field, enter the IP address of the IAS server.
In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
Select the "VPN Remote Access" check box to allow VPN clients authentication.
Under the 'VPN' > 'Certificate' tab, install a PKCS#12 (.p12) certificate.
Note: A certificate is needed to support Hybrid Mode authentication. Hybrid mode authentication is a method to authenticate with a VPN endpoint, using authentication schemes other than shared secret or digital certificates. Other methods can be using SecurID cards, RADIUS, LDAP etc.
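The RADIUS side of the procedure above, and the vendor-specific attributes mentioned earlier (SofaWare vendor ID 6983), as an added example that is not Check Point, SofaWare or Microsoft code. It builds the Access-Request a NAS such as the appliance would send for a PAP user, hides the password exactly as RFC 2865 prescribes, appends a VSA for vendor 6983, and parses the result defensively. The vendor ID and the PAP-only requirement come from the article; the vendor-type number and value inside the VSA are assumptions, because the article's attribute table is not reproduced here.

```python
"""Build and parse the RADIUS Access-Request a NAS such as the appliance
sends for a PAP-authenticated VPN user, with a Vendor-Specific attribute
carrying SofaWare's vendor ID 6983.

Added example, not Check Point/SofaWare or Microsoft code. The vendor-type
number and value placed in the VSA are assumptions.
"""
import hashlib
import os
import socket
import struct

SOFAWARE_VENDOR_ID = 6983                 # from the article
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_VSA = 1, 2, 4, 26


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding. Not encryption in the
    modern sense: the keystream is MD5(secret + previous block), so the
    password is only as safe as the shared secret and the network path."""
    if len(password) > 128:
        raise ValueError("password longer than 128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        ks = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], ks))
        out += block
        prev = block
    return out


def pap_unhide(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide (what the RADIUS server does before checking PAP)."""
    if len(hidden) % 16:
        raise ValueError("hidden password must be a multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        ks = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], ks))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def attribute(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26: 4-byte vendor ID followed by one vendor sub-attribute."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attribute(ATTR_VSA, struct.pack("!I", vendor_id) + sub)


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         nas_ip: str, authenticator: bytes = None,
                         vendor_attrs=()) -> bytes:
    """Assemble Code | Identifier | Length | Authenticator | Attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD,
                         pap_hide(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    for vtype, val in vendor_attrs:                    # vtype numbers: assumption
        attrs += vsa(SOFAWARE_VENDOR_ID, vtype, val)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes) -> dict:
    """Decode a RADIUS packet defensively: every length field is checked
    before use, so a malformed attribute cannot cause an endless loop or an
    out-of-bounds read. VSAs are returned as (26, vendor, vtype, value)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length %d" % alen)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VSA:
            if len(value) < 6 or value[5] < 2 or value[5] != len(value) - 4:
                raise ValueError("malformed vendor-specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            attrs.append((atype, vendor, value[4], value[6:]))
        else:
            attrs.append((atype, value))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20],
            "attrs": attrs}
```

Two practical points follow from the code: the Request Authenticator is the only per-request randomness in the password hiding, so a NAS that reuses it leaks XOR relations between passwords; and an attribute with length 0 or 1 would loop forever in a naive parser, which is why every length is checked before `pos` advances.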
To work around this, open SmartDashboard and check the "Accept VPN-1 & FireWall-1 Control connections" check box under Global Properties. This enables certain implied rules needed to create a successful VPN tunnel and topology download. More information can be found in the FireWall-1 Administration Guide.
The Problem: Latency over a VPN tunnel is a common issue, and it is often caused by packet fragmentation. The problem occurs when a packet is fragmented and has to be reassembled by a VPN device. With newer technologies such as load balancing, the fragments may also reach the VPN client out of order, and the client then has to reorder them before reassembly. If a single fragment is lost, the VPN client cannot reassemble the packet at all, and the whole packet has to be retransmitted.
MTU (Maximum Transmission Unit): the largest number of bytes a frame can carry, not counting the frame's header and trailer. A frame is a single unit of transport on the data link layer; it consists of header data plus the data passed down from the network layer (and sometimes trailer data). An Ethernet frame has an MTU of 1500 bytes, but the frame itself can be up to 1518 bytes (14-byte header, 4-byte CRC trailer), or 1526 bytes if the 8-byte preamble and start-of-frame delimiter are counted.
What MTU size should I set?
To determine the right MTU setting, run a fragmented ping test from a command prompt on the client machine: ping <Public_IP_Address_of_Sbox> -f -l 1500
Most likely you will receive the message "Packet needs to be fragmented but DF set." DF refers to the "Don't Fragment" bit, and -l sets the ICMP payload size, to which the 20-byte IP header and 8-byte ICMP header are added.
Keep lowering the size from 1500 until you receive a reply without an error message. The largest payload that gets a reply, plus 28 bytes of headers, is the path MTU (for example, a payload of 1472 corresponds to the 1500-byte MTU of plain Ethernet). Set the MTU to that value or just below it.
How to modify MTU settings on the Check Point SecuRemote/SecureClient VPN software? SecuRemote/SecureClient software enables you to modify the MTU value for the virtual connection only. In order to change the MTU values, run the MTUadjust.exe tool from C:\Program Files\CheckPoint\SecuRemote\Bin.
How to modify MTU settings on the Check Point appliance? To modify the MTU settings on the Check Point appliance, edit the MTU field of the Internet connection settings.
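The ping test above turned into a function, as an added example that is not Check Point code. It binary-searches the largest ICMP payload that gets a reply with DF set (the article describes the equivalent linear search), adds the 28 bytes of IPv4 and ICMP headers that `ping -l` does not count, and derives a value for the VPN client's virtual adapter. `probe(size)` is any callable that returns True when the ping succeeds; the test uses a fake probe so the search runs offline, and `os_ping_probe` wraps the system ping for real use. The 28-byte overhead is standard; the 81-byte IPsec allowance is a conservative estimate (an assumption) for ESP with AES-CBC, HMAC-SHA1-96 and NAT-T UDP encapsulation.

```python
"""Binary-search the largest ICMP payload that gets a reply with DF set,
then convert it into a path MTU and a suggested tunnel MTU.

Added example, not Check Point code. `os_ping_probe` is not exercised
offline; ESP_NAT_T_OVERHEAD is a conservative estimate (assumption).
"""
import subprocess
import sys

IP_ICMP_OVERHEAD = 28     # 20-byte IPv4 header + 8-byte ICMP header, not counted by -l
ESP_NAT_T_OVERHEAD = 81   # outer IP 20 + UDP 8 + ESP 8 + IV 16 + pad/trailer up to 17 + ICV 12


def largest_unfragmented_payload(probe, lo: int = 0, hi: int = 1500) -> int:
    """Binary search over [lo, hi]; returns -1 if even `lo` gets no reply.
    Assumes the usual monotonic behaviour: if a size works, smaller sizes do."""
    best = -1
    while lo <= hi:
        mid = (lo + hi) // 2
        if probe(mid):
            best, lo = mid, mid + 1
        else:
            hi = mid - 1
    return best


def path_mtu(max_payload: int) -> int:
    """ping -l counts only the ICMP payload; the MTU is that plus 28."""
    return max_payload + IP_ICMP_OVERHEAD


def suggested_tunnel_mtu(mtu: int) -> int:
    """MTU for the VPN client's virtual adapter so that a packet still fits
    in the path MTU after ESP and NAT-T encapsulation (estimate)."""
    return mtu - ESP_NAT_T_OVERHEAD


def os_ping_probe(host: str):
    """Build a probe around the system ping. Windows uses the article's
    `-f -l` switches; Linux iputils uses `-M do -s`."""
    def probe(size: int) -> bool:
        if sys.platform.startswith("win"):
            cmd = ["ping", "-n", "1", "-f", "-l", str(size), host]
        else:
            cmd = ["ping", "-c", "1", "-M", "do", "-s", str(size), host]
        r = subprocess.run(cmd, capture_output=True, text=True)
        out = (r.stdout + r.stderr).lower()
        # Windows ping may exit 0 on "needs to be fragmented", so check the text too
        return r.returncode == 0 and "fragment" not in out and "too long" not in out
    return probe


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "my.firewall"
    payload = largest_unfragmented_payload(os_ping_probe(target))
    if payload < 0:
        sys.exit("no reply at any size; check connectivity first")
    mtu = path_mtu(payload)
    print("largest payload %d -> path MTU %d -> suggested tunnel MTU %d"
          % (payload, mtu, suggested_tunnel_mtu(mtu)))
```

Run it against the appliance's public address from the client; the path MTU is what goes into the appliance's Internet connection settings, and the tunnel figure is a starting point for MTUadjust.exe on the client, to be lowered further if the fragmented-ping symptom persists inside the tunnel.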
Yes. Embedded NG 4.5 and later supports the Internet Engineering Task Force (IETF) draft standard for NAT traversal (NAT-T), which allows Site-to-Site VPN tunnels to pass through NAT devices. NAT Traversal is also fully supported for VPN remote access (SecuRemote) users, by means of UDP Encapsulation.
All our appliances support AES (Advanced Encryption Standard, 128 or 256 bits), 3DES (Triple DES) and DES encryption, as well as the SHA1 and MD5 message digest algorithms. DES and MD5 are the weakest of these and should only be chosen when a peer supports nothing else.
AES-256/SHA1 is used automatically and cannot be manually modified in the following cases:
Remote access VPN between a Check Point SecuRemote/SecureClient and a Safe@Office box
Remote access VPN between Safe@Office boxes
Site to Site VPN between Safe@Office boxes with firmware version earlier than 5.0.
Encryption and message digest algorithms are negotiated automatically in VPN between a Safe@Office and another VPN endpoint.
PFS (Perfect Forward Secrecy) is not enabled by default and must be configured using the command line interface. To access the command line interface, perform the following:
Make sure that a valid VPN Certificate is installed. The certificate can be found under the VPN option in the left menu > Certificate in the top menu.
In case SecuRemote/SecureClient is installed under Windows XP with SP2 or above, or if you use a 3rd party firewall software on your PC:
Turn off the Windows firewall, or make sure that the following traffic is allowed:
UDP 500 (IKE)
TCP 264 (topology download)
UDP 2746 (UDP encapsulation)
UDP 259 (Check Point RDP, the Reliable Datagram Protocol, not Microsoft Remote Desktop)
UDP 4500 (NAT-T)
IP protocol 50 (ESP, i.e. IPsec passthrough)
For Endpoint Connect, TCP 443 (HTTPS) is also required.
In case the VPN client is installed on a computer behind a NAT device:
In case the SecuRemote/SecureClient software is installed on a computer behind a NAT device, it is recommended to use the "Force UDP Encapsulation" setting in the VPN client. For instructions, refer to Question LP17861 in this article.
Make sure that the VPN client network IP address range and the VPN gateway's network IP range are not overlapping.
Modify MTU settings on the VPN client. SecuRemote/SecureClient software enables you to modify the MTU value for the virtual connection only. In order to change the MTU values, run the MTUadjust.exe tool from C:\Program Files\CheckPoint\SecuRemote\Bin.
Make sure that the VPN gateway is configured with a public IP address. If the VPN gateway is behind a NAT device, the remote access VPN connection will not work without the additional configuration described in the next section.
In case the VPN server is installed behind a NAT device: Note: If possible, consult with your ISP about ways to assign the security appliance a valid IP. Otherwise, perform the following:
Make sure the NAT device forwards the following traffic to the appliance:
UDP 500 (IKE)
TCP 264 (topology download)
UDP 2746 (UDP encapsulation)
UDP 259 (Check Point RDP, the Reliable Datagram Protocol, not Microsoft Remote Desktop)
UDP 4500 (NAT-T)
IP protocol 50 (ESP, i.e. IPsec passthrough)
For Endpoint Connect, TCP 443 (HTTPS) is also required.
Use the command line interface and type the following command: set device behindnat <IP_Address> (where <IP_Address> is the public IP address of the NAT device). To access the command line interface, connect from LAN with your browser to http://my.firewall and click on 'Setup > Tools > Command'.
Note: This command line is supported with firmware 5.0.57 and above versions.
An "Invalid Certificate" error message appears when installing a PKCS#12 (.p12) certificate that was created using OpenSSL. This can happen if the DN (Distinguished Name) entered for the CA (Certificate Authority) certificate and for the gateway certificate it signed are the same or nearly the same: with identical subject and issuer names the gateway certificate cannot be told apart from the self-signed CA certificate. Use a clearly different subject (for example a different CN) for the gateway certificate.
The following is available with Check Point security appliances installed with firmware version 5.0.x and subsequent versions.
The default IKE behavior of the Check Point security appliance is to auto-negotiate the SA parameters between VPN end points. In most cases, there is no need to modify the default proposals parameters. However, you may want to override the default parameters in the following cases:
Your organization's network security policy is restricted to a definite configuration.
Some IPsec-compliant devices cannot auto-negotiate some or all of the IKE SA proposals.
Use the Check Point security appliance CLI (Command Line Interface) to modify the IKE SA parameters. When overriding the defaults, avoid the des and md5 options unless the peer supports nothing stronger; of the choices below, aes256/sha1 is the strongest.
To modify IKE phase-1 encryption parameters, use the following command syntax: set vpn sites [site number] phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]
To modify IKE phase-2 encryption parameters, use the following command syntax: set vpn sites [site number] phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]
To modify IKE phase-1 SA lifetime, use the following command syntax: set vpn sites [site number] phase1exptime [minutes]
To modify IKE phase-2 SA lifetime, use the following command syntax: set vpn sites [site number] phase2exptime [seconds]
When using Check Point SecuRemote/SecureClient to create a remote access VPN with a Check Point appliance, only authentication phase works, but the remote network cannot be reached. This may happen if the Check Point appliance is configured for DSL PPTP connection with an Alcatel modem using 10.0.0.0 /8 IP network range. It appears that the Orange 3G data network is using NAT with the same IP range, which causes some routing problems.
To workaround this, narrow the network between the Check Point appliance and the Alcatel modem by doing the following:
It is assumed that the reader has configured either the Remote Access VPN or Site-to-Site VPN as suggested in the relevant step-by-step configuration papers, in this knowledge base.
The reason for not being able to view or browse remote computers is not related to the VPN you just created, but to the way NetBIOS name resolution works. Microsoft adopted NetBIOS as the way to implement File and Print Sharing between Windows workgroup computers. Originally, NetBIOS was designed for computers to communicate with each other on the same local area network.
Windows carries NetBIOS over TCP/IP (NBT, ports 137-139). Normally, computers in a TCP/IP network address each other by IP address, not by computer name; identifying computers by name requires a name resolution service, and NetBIOS is no different. Windows computers within the same local area network use broadcasts to publish their names and to update their own name table, that is, each computer holds a table of computer names and their matching IP addresses. However, broadcasts are not routed between subnets, so computers on different networks cannot find each other by name this way.
In order to enable computers on different subnets to communicate by names, a naming translation service is required. Such a service is a WINS (Windows Internet Naming Service) server, which is a system designed to match between Windows client names and IP addresses.
When creating a Check Point IPSec VPN connection, you perform data encryption between endpoints, and the privacy is achieved because only intended parties can actually 'read' and understand the data. Technically and practically, networks on both ends of the VPN tunnel are not joined together by a VPN tunnel, and therefore they remain on different subnets. Computers on both sides of a VPN tunnel will also need to be aware of a naming translation service to use the Microsoft File and Print sharing services. If no naming service is available, the remote computers' shared folders and printers can always be accessed using IP addresses, for example: \\192.168.10.3\C$.
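The following is an added example, not code from the Check Point article: it shows the NetBIOS name encoding and the NetBIOS Name Service (NBNS, UDP port 137) NAME QUERY REQUEST described above, so that the difference between a broadcast query (which stays on the local subnet and never crosses the VPN tunnel) and the same question sent unicast to a WINS server is visible in the packet itself. The host name "SERVER" and the WINS address 192.168.10.3 are constructed values.

```python
"""NetBIOS name encoding and NBNS name queries (RFC 1001/1002).
Added example, not part of the Check Point article. The host name and the
WINS server address used here are constructed for illustration."""
import struct

NBNS_PORT = 137
FLAGS_BROADCAST_QUERY = 0x0110   # OPCODE query, RD=1, B=1 -> sent to 255.255.255.255
FLAGS_UNICAST_QUERY = 0x0100     # OPCODE query, RD=1, B=0 -> point-to-point to a WINS server
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001
SUFFIX_WORKSTATION, SUFFIX_FILE_SERVER = 0x00, 0x20


def encode_netbios_name(name: str, suffix: int = SUFFIX_FILE_SERVER) -> str:
    """First-level encoding: the name is upper-cased, space-padded to 15 bytes and
    followed by a one-byte service suffix; each of the 16 bytes is split into two
    nibbles written as 'A' + nibble, giving a 32-character label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_name_query(name, suffix=SUFFIX_FILE_SERVER, xid=0x1234, wins_server=None):
    """Return (destination_ip, port, payload) for a NAME QUERY REQUEST.
    Without a WINS server the query is a subnet broadcast; with one it is unicast."""
    flags = FLAGS_UNICAST_QUERY if wins_server else FLAGS_BROADCAST_QUERY
    header = struct.pack("!HHHHHH", xid, flags, 1, 0, 0, 0)  # QDCOUNT = 1
    label = encode_netbios_name(name, suffix).encode("ascii")
    question = bytes([len(label)]) + label + b"\x00" + struct.pack("!HH", QTYPE_NB, QCLASS_IN)
    return (wins_server or "255.255.255.255"), NBNS_PORT, header + question


def parse_name_query(payload: bytes) -> dict:
    """Decode the header flags and the single question of a name query."""
    xid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    label_len = payload[12]
    label = payload[13:13 + label_len].decode("ascii")
    name, suffix = decode_netbios_name(label)
    qtype, qclass = struct.unpack("!HH", payload[14 + label_len:18 + label_len])
    return {"xid": xid, "broadcast": bool(flags & 0x0010), "qdcount": qdcount,
            "name": name, "suffix": suffix, "qtype": qtype, "qclass": qclass}
```

The B flag (bit 4 of the flags word) is what separates the two cases: a query with B=1 is addressed to the limited broadcast address and is dropped at the first router, while a query with B=0 is a normal unicast UDP datagram to the WINS server and passes through the VPN tunnel like any other traffic to that address.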
Additional settings on a Windows client
Check that the remote computers are configured to support NetBIOS over TCP/IP.
To enable NetBIOS over TCP/IP in Windows 2000 and Windows XP:
The Check Point security appliance displays the IKE phase-1 VPN tunnel information on the 'Reports > VPN Tunnels' page. By default, the phase-1 lifetime used by Check Point VPN software is 24 hours, and therefore the display will refresh after that interval, even if the VPN clients are actually disconnected. This does not mean that there is traffic over the tunnel.
IKE phase-1 is responsible for creating the VPN tunnel and involves heavy mathematical calculations that consume CPU. In order to reduce the load on the CPU, IKE phase-1 is renewed only every 24 hours.
Installing Active Directory on a Windows 2000 server. The following links are good resources for information about Active Directory installation and deployment:
Install IAS Service
Refer to this web page from Microsoft for instructions about IAS service installation.
Configure IAS to support remote/local users authentication
Go to Start menu > Programs > Administrative tools > Internet Authentication service.
Right-click on the Radius Clients folder, and select New RADIUS Client.
In the New RADIUS Client window, fill in a "friendly" name and the IP address of your security appliance. Click Next.
From the Client-Vendor drop-down menu, choose RADIUS Standard. Fill in the shared secret in the Shared Secret text field to match the one you entered on the security appliance's RADIUS page, and confirm the shared secret in the Confirm Shared Secret field.
Click Finish to return to the Internet Authentication Service window.
Right-click on Remote Access Policies in the left pane and choose New Remote Access Policy from the menu.
Click Next in the New Remote Access Policy Wizard window.
In the Policy Configuration Method window, choose Set up a custom policy. In the Policy Name field, type a name for the policy (For example, VPN Access). Click Next.
In the Policy Conditions window, click Add; the Select Attribute window opens. Choose NAS-IP-Address from the attribute types list and click Add. In the NAS-IP-Address window, type the IP address of your security appliance and click OK to go back to the previous Window. Click Next.
In the Permissions window, choose Grant remote access permission and click Next.
In the Profile window, click Edit Profile. The Edit Dial-in Profile window opens.
In the Edit Dial-in Profile window, click on the Authentication tab and make sure that only the Unencrypted authentication (PAP, SPAP) option is checked.
In the Edit Dial-in Profile window, click on the Encryption tab and make sure that only the No encryption option is checked. Click OK to return to the previous window. Click Next.
In the Completing the New Remote Access Policy Wizard window, click Finish.
In the Internet Authentication Service window, expand the Connection Request Processing menu. Right-click the Connection Request Policies item and choose New Connection Request Policy.
The New Connection Request Policy Wizard appears. Click Next.
In the Policy Configuration Method window, choose Set up a custom policy. In the Policy Name field, type a name for the policy (For example, VPN Access). Click Next.
In the Policy Conditions window, click Add; the Select Attribute window opens. Choose NAS-IP-Address from the attribute types list and click Add. In the NAS-IP-Address window, type the IP address of your security appliance and click OK to go back to the previous Window. Click Next.
The Request Processing Method window appears. Click Next.
In the Completing the New Connection Request Processing Policy Wizard window, click Finish.
To modify the Active Directory users to allow connection, go to Control Panel > Administrative tools > Active Directory Users and Computers.
Double-click the user you want to authenticate using RADIUS.
Click the Dial-in tab, select Allow Access.
Click Apply and OK.
Configure the appliance to support RADIUS authentication
In the Users menu, click the RADIUS tab.
In the Address field, enter the IP address of the Microsoft IAS server.
In the Port field, choose the RADIUS port (default value is 1812).
In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
Choose the administration level or VPN access.
Note: A PKCS#12 certificate needs to be installed on the security appliance to support Hybrid Mode authentication for remote access VPN users. Hybrid mode authentication is a method to authenticate with a VPN endpoint using authentication schemes other than shared secret or digital certificates. Other methods can be using SecurID cards, RADIUS, LDAP etc. Information about Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances.
Note: It is recommended that you read the following article from Microsoft: "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows".
The following components are needed to support 802.1x wireless authentication with Microsoft Windows 2003 and Active Directory RADIUS:
Microsoft Windows 2003 Server running IAS
IIS with ASP support
Certificate Services to create an Enterprise Root CA (Certificate Authority)
Active Directory
Wireless clients running Windows 2000/XP
Install IAS Service
Refer to the "Install IAS instructions" from Microsoft.
Install IIS with ASP support
Refer to the "Install IIS 6.0 instructions" from Microsoft.
Install Certificate Services and an Enterprise Root CA
Refer to the "Step-by-Step Guide to Setting up a Certification Authority" from Microsoft. In addition, refer to the "Step-by-Step Guide to Certificate Services Web Pages" from Microsoft to learn how to enroll certificates to the wireless client computers.
Installing Active Directory on a Windows 2000 server
The following links are good resources for information about Active Directory installation and deployment:
Configure IAS to support wireless users authentication
Go to Start menu > Programs > Administrative tools > Internet Authentication service.
Right-click on the Radius Clients folder, and choose "New RADIUS Client".
In the New RADIUS Client window, fill in a "friendly" name and the IP address of your Embedded NG security appliance. Click "Next".
From the Client-Vendor drop-down menu, choose "RADIUS Standard". Fill in the shared secret in the Shared Secret text field to match the one you entered on the security appliance's RADIUS page, and confirm the shared secret in the Confirm Shared Secret field.
Click "Finish" to return to the Internet Authentication Service window.
Right-click on Remote Access Policies in the left pane and choose "New Remote Access Policy" from the menu.
Click "Next" in the New Remote Access Policy Wizard window.
In the Policy Configuration Method window, choose "Set up a custom policy". In the Policy Name field, type a name for the policy (For example, VPN Access). Click "Next".
In the Policy Conditions window, click "Add"; the Select Attribute window opens. Choose "NAS-Port-Type" from the attribute types list and click "Add". In the NAS-Port-Type window, choose "Wireless - IEEE 802.11" from the left pane and click "Add"; the selection should now appear in the right pane. Click "OK" to go back to the previous window. Click "Next".
In the Permissions window, choose "Grant remote access permission" and click "Next".
In the Profile window, click "Edit Profile". The Edit Dial-in Profile window opens.
In the Edit Dial-in Profile window, click on the Authentication tab. Select the "Microsoft Encrypted Authentication version 2 (MS-CHAP v2)" option. Click on the "EAP Methods" button. In the Select EAP Types window, click "Add" and select "Protected EAP (PEAP)". Click "OK" to return to previous window. Click "Next".
In the Completing the New Remote Access Policy Wizard window, click "Finish".
In the Internet Authentication Service window, expand the Connection Request Processing menu. Right-click the "Connection Request Policies" item and choose "New Connection Request Policy".
The New Connection Request Policy Wizard appears. Click "Next".
In the Policy Configuration method window, choose "A custom policy". In the Policy Name field, type a name for the policy (For example, VPN Access). Click "Next".
Choose "NAS-Port-Type" from the attribute types list and click "Add". In the NAS-Port-Type window, choose "Wireless - IEEE 802.11" from the left pane and click "Add"; the selection should now appear in the right pane. Click "OK" to go back to the previous window. Click "Next". The Completing the New Connection Request Processing Policy Wizard window appears.
In the Completing the New Connection Request Processing Policy Wizard window, click "Finish".
To modify the Active Directory users to allow connection, go to 'Control Panel > Administrative tools > Active Directory Users and Computers'.
Double-click the user you want to authenticate using RADIUS.
Click the Dial-in tab, select "Allow Access".
Click "Apply" and "OK".
Configure the Embedded NG security appliance to support 802.1x wireless authentication
Login to the Embedded NG Security appliance admin page.
Click on the Network menu.
Click on the My Network tab.
Click on the "Edit" button of the WLAN network.
From the Security drop-down box choose "802.1x: RADIUS authentication, no encryption".
Click "Apply".
Configure the Embedded NG Wireless Security appliance to support RADIUS authentication
In the Users menu, click the RADIUS tab.
In the Address field, enter the IP address of the Microsoft IAS server.
In the Port field, choose the RADIUS port (default value is 1812).
In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
Choose an additional administrator or VPN access level.
Click "Apply".
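The following is an added example, not Check Point or Microsoft code, covering both IAS procedures above (the PAP remote-access policy and the wireless policy keyed on NAS-Port-Type). It builds the RADIUS Access-Request the appliance sends to IAS per RFC 2865, shows how the PAP User-Password is hidden using nothing but the shared secret and the Request Authenticator (which is why the shared secret and a trusted path between appliance and IAS matter when "Unencrypted authentication (PAP, SPAP)" is the only method enabled), adds the Message-Authenticator HMAC from RFC 2869 that protects the request from forgery, and verifies the Response Authenticator on the Access-Accept. It carries the NAS-Port-Type = Wireless-IEEE 802.11 attribute (value 19) the wireless policy matches on, but does not implement the PEAP/EAP exchange itself. The shared secret, user name, password, addresses and the fixed Request Authenticator are constructed values.

```python
"""RADIUS Access-Request/Access-Accept handling between a NAS (the security
appliance) and a RADIUS server (Microsoft IAS), per RFC 2865 and RFC 2869.
Added example, not Check Point or Microsoft code; secret, user, addresses and
the Request Authenticator used in the tests are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT_TYPE, MESSAGE_AUTHENTICATOR = 1, 2, 4, 61, 80
NAS_PORT_TYPE_WIRELESS_80211 = 19   # the value the IAS wireless policy matches on


def hide_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    This is obfuscation keyed by the shared secret, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def reveal_pap_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: inverse of hide_pap_password, needs the same shared secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip,
                         nas_port_type=None, request_auth=None):
    """Access-Request as the NAS sends it; Message-Authenticator is last."""
    request_auth = request_auth or os.urandom(16)
    attrs = avp(USER_NAME, username.encode())
    attrs += avp(USER_PASSWORD, hide_pap_password(password.encode(), secret, request_auth))
    attrs += avp(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    if nas_port_type is not None:
        attrs += avp(NAS_PORT_TYPE, struct.pack("!I", nas_port_type))
    attrs += avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    # RFC 2869 s5.14: HMAC-MD5 keyed with the secret over the packet with the value zeroed
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def find_attribute(packet: bytes, attr_type: int):
    """Return (offset, value) of the first attribute of that type, or None."""
    i = 20
    while i + 2 <= len(packet):
        t, length = packet[i], packet[i + 1]
        if length < 2:
            break
        if t == attr_type:
            return i, packet[i + 2:i + length]
        i += length
    return None


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: reject requests not produced with the shared secret."""
    found = find_attribute(packet, MESSAGE_AUTHENTICATOR)
    if found is None:
        return False
    offset, value = found
    zeroed = packet[:offset + 2] + b"\x00" * 16 + packet[offset + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response, request, secret) -> bool:
    """NAS side: the reply must match this request's Identifier and Request
    Authenticator and must have been produced with the shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

The Request Authenticator must be unpredictable for each request (os.urandom here); a fixed value is used only in the tests so that results are reproducible. Because the password hiding relies on MD5 and the secret alone, keep the RADIUS traffic between the appliance and IAS on a network segment you trust, and choose a long, random shared secret.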
Configure the wireless client to support 802.1x authentication
Depending on the wireless client configuration software, some or all of the following need to be configured:
802.1x support
Server properties or certificate authority (CA) information
The following solution is relevant to a Remote Access configuration between two Check Point Embedded NG security appliances, where one serves as the VPN client and the other serves as the VPN server. Typically, the failure occurs when the client box is installed with firmware version 5.0.x or later. The client box is able to authenticate with the server, but communication with the remote network behind the VPN server box fails with the following event log error message:
"Error: No loaded CA name, as well as no CA name in topology"
Solution: The VPN client module installed with firmware 5.0 performs Hybrid Mode IKE (Internet Key Exchange). For the Embedded NG VPN server to support this mode, a PKCS#12 certificate must be installed on the VPN server box. To create a certificate for an Embedded NG appliance installed with a firmware version earlier than 5.0.x, refer to Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances.
The Embedded NG gateway allows securing your internal networks communications by connecting to its internal VPN server, using the Check Point SecuRemote/SecureClient VPN client. In other words, the VPN client must work in a 'Route All Traffic' mode to encrypt all traffic sent by the clients' host to the internal Embedded NG interface.
'Route All Traffic' mode is supported by the Check Point VPN client only when it is installed in "Extended View", not in "Compact View". If the VPN client is installed in "Compact View", its traffic will be blocked by the firewall.
To switch the Check Point VPN client (versions R56 or R60) from "Compact View" to "Extended View":
Right-Click the SecuRemote/SecureClient icon in the tray icon.
Choose "Settings" from the menu.
Click the Advanced tab.
Select the "Extended View" button and click "OK"
The VPN client software will restart itself in Extended View mode.
Delete the existing VPN site and create a new one.
Once connected to the Embedded NG internal interface using the new settings, a new site will appear in the VPN client console under the name of 'RouteAllTraffic'.
VPN connection may not be established between a Check Point Embedded NG gateway and a Cisco PIX. In some cases, the tunnel is created, but different errors may appear in the Embedded NG event log indicating VPN connection failure. The issues can be caused due to:
Wrong setup of the Embedded NG and Cisco PIX VPN gateways
The Embedded NG VPN gateway is configured to send "Keepalive" packets that the Cisco PIX gateway cannot handle.
Solution
Check the Cisco PIX configuration, as described in the "How to create a site-to-site between a Cisco PIX and a Check Point Embedded NG VPN gateway" article.
When running the Check Point Embedded NG site to site VPN wizard, make sure to uncheck the "Keepalive" option.
Steps 12 and 13, where the configuration is related to the Embedded NGX gateway.
This article contains information about modifying the registry. Before you modify the registry, make sure you know how to back it up, and how to restore the registry if a problem occurs.
To implement the preshared Key authentication method for use with a L2TP/IPSec connection:
Add the ProhibitIpSec registry value to both Windows 2000-based endpoint computers.
Manually configure an IPSec policy, before an L2TP/IPSec connection can be established between two Windows 2000-based computers.
To add the ProhibitIpSec registry value to your Windows 2000-based computer, follow these steps:
Click "Start", click "Run", type "regedt32", and then click "OK".
Locate, and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
In the Edit menu, click "Add Value".
In the Value Name box, type "ProhibitIpSec".
In the Data Type list, click "REG_DWORD", and then click "OK".
In the Data box, type "1", and then click "OK".
Quit Registry Editor, and then restart your computer.
How to create an IPSec policy for use with L2TP/IPSec Connections, by using a preshared key:
Click "Start", click "Run", type "mmc", and then click "OK".
Right-click "IP Security Policies on Local Machine", click "Create IP Security Policy", and then click "Next".
In the IP Security Policy Name dialog box, type the name for the IP Security policy in the Name box, and then click "Next".
In the Requests for Secure Communication dialog box, click to clear the "Activate the default response rule" checkbox, and then click "Next".
Click to select the Edit Properties checkbox, and then click "Finish".
In the New IP Security Policy Properties dialog box, click "Add" on the Rules tab, and then click "Next".
In the Tunnel Endpoint dialog box, click "This rule does not specify a tunnel", and then click "Next".
In the Network Type dialog box, click "All network connections", and then click "Next".
In the Authentication Method dialog box, click "Use this string to protect the key exchange (preshared key)", type a preshared key, and then click "Next".
In the IP Filter List dialog box, click "Add", type a name for the IP filter list in the Name box, click "Add", and then click "Next".
In the IP Traffic Source dialog box, click "A specific IP Address" in the Source address box, type the Embedded NGX appliance's IP address in the IP Address box, and then click "Next".
In the IP Traffic Destination dialog box, click "A specific IP Address" in the Destination address box, type "ANY", and then click "Next".
In the IP Protocol Type dialog box, click "UDP" in the "Select a protocol type" box, and then click "Next".
In the IP Protocol Port dialog box, click "From this port", type "1701" in the "From this port" box, click "To any port", and then click "Next".
Click to select the Edit properties checkbox, click "Finish", and then, in the Filter Properties dialog box, click to select the "Mirrored. Also match packets with the exact opposite source and destination addresses" checkbox.
Click "OK", and then click "Close".
In the IP Filter List dialog box, click the IP filter that you just created, and then click "Next".
In the Filter Action dialog box, click "Add", and then create a new filter action that specifies which integrity and encryption algorithms will be used. Note: This new filter action must have the "Accept unsecured communication, but always respond using IPSec" feature disabled to improve security.
Click "Next", click "Finish", and then click "Close".
Right-click the IPSec policy that you just created, and then click "Assign".
The requirement for using Endpoint Connect with the Embedded NGX Appliances:
Firmware 8.1.37 or higher is required for Endpoint Connect support.
Port 443 must not be forwarded from "This gateway" to an internal host. If you already forward port 443, you can configure Endpoint Connect to use port 981, instead (you can configure Endpoint Connect to use a different port when creating the site, simply by adding the port after the IP address, for example: 62.233.20.70:981. When using with the Embedded NGX Appliances, you can either use ports 443 or 981. If you want to use port 981, you also need to open access to HTTPS management from "any" under Setup - Management.)
Endpoint Connect is not supported on the Z100G Wireless Router.
Endpoint Connect (EPC) clients cannot connect to Safe@Office/UTM-1 Edge appliances after firmware upgrade to v8.2 post GA (8.2.33).
SYMPTOMS:
In previous GA versions (such as v8.1.47 or v8.2.26), the EPC clients were able to connect to Safe@Office/UTM-1 Edge appliances on ports 981 or 443, depending on configuration.
After upgrading to v8.2 post GA, EPC clients might not be able to connect on the same port.
CAUSE:
With the upgrade to a newer firmware version, the EPC is set to one default port (443 or 981).
If the following apply, the port will automatically be set to default port 981:
Web server under 'Security > Servers' tab is enabled.
A rule with Web Service that is called "Web Server" exists.
A rule that contains port 443 exists.
If none of the above apply to your settings, the default port will automatically be set to 443.
SOLUTION:
With the upgrade to a newer firmware version, the port number can be configured to other port numbers.
If you are experiencing the above behavior, perform the following:
Make sure that the EPC port in the Safe@Office/UTM-1 Edge appliances matches the EPC port used in the EPC client.
Make sure that there are no security rules or NAT rules configured on Safe@Office/UTM-1 Edge appliances, or on SMP, that match the EPC port, defined in the appliance.
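The following is an added example, not Check Point code: it encodes the default-port selection described under CAUSE and the two checks under SOLUTION (plus the note above that port 981 also requires HTTPS management access from "any"), so the same reasoning can be applied to an exported rule set before or after the firmware upgrade. The rule dictionaries are a constructed representation of the appliance's security and NAT rules, not its real configuration format.

```python
"""Endpoint Connect (EPC) default-port selection on Safe@Office/UTM-1 Edge
after the v8.2.33 upgrade, and a check for the two causes of a failed
connection. Added example, not Check Point code; the rule representation
is an assumption and SAMPLE_RULES is constructed."""

WEB_SERVER_SERVICE = "Web Server"   # name of the built-in Web Service, as on the page

# Constructed sample: a Web Server rule plus a NAT rule that happens to cover 981.
SAMPLE_RULES = [
    {"kind": "security", "name": "Allow Web Server", "service": WEB_SERVER_SERVICE, "ports": (80, 443)},
    {"kind": "NAT", "name": "Forward management", "service": None, "ports": (981,)},
]


def epc_default_port(web_server_enabled: bool, rules) -> int:
    """Port the firmware picks after the upgrade: 981 if the Web Server is
    enabled, a rule uses the "Web Server" service, or a rule contains port 443;
    otherwise 443."""
    if web_server_enabled:
        return 981
    for rule in rules:
        if rule.get("service") == WEB_SERVER_SERVICE or 443 in rule.get("ports", ()):
            return 981
    return 443


def check_epc_connectivity(web_server_enabled, rules, client_port,
                           https_management_from="internal", appliance_epc_port=None):
    """Return (appliance_port, problems). appliance_epc_port overrides the
    firmware default when the administrator set the port explicitly."""
    port = appliance_epc_port or epc_default_port(web_server_enabled, rules)
    problems = []
    if client_port != port:
        problems.append(f"EPC client uses port {client_port} but the appliance listens on {port}")
    for rule in rules:                     # security or NAT rules that match the EPC port
        if port in rule.get("ports", ()):
            problems.append(f"{rule['kind']} rule '{rule['name']}' matches EPC port {port}")
    if port == 981 and https_management_from != "any":
        problems.append("port 981 requires HTTPS management access from 'any' (Setup - Management)")
    return port, problems
```

Run check_epc_connectivity with the appliance's current rule set and the port configured in the client; an empty problem list means the two sides agree on the port and nothing else claims it.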
The IP30/IP40 appliance is supported by the Check Point Support Organization. Support contracts must be purchased through your sales representative, or reseller, in order to receive technical support from Check Point.
In order to activate the support plans and/or product upgrades for your Safe@Office product, connect with your browser to http://www.sofaware.com/activate and fill out the product activation form.
Support plans activation
Once your activation request is processed and validated, a confirmation message will be sent to you by email and you will be allowed to connect to the Check Point service center to get the services.
To connect to the Check Point Service Center perform the following:
The subscription based services you purchased will be applied immediately.
Product upgrade activation
Once your activation request is processed and validated, a confirmation message will be sent to you with the Product Key (license) that will upgrade your product. To install the product key perform the following:
The following support options and plans are available for purchase by Safe@Office security appliance owners:
Annual Safe@Office Support and Subscription (ST-CPSB)
Annual support and services plan that includes the following:
Security and firmware updates
Email, web and chat support
Advanced replacement
Dynamic DNS
Annual Safe@Office Anti-Virus, SmartDefense, Support and Subscription (STAV-CPSB)
Gateway Anti-Virus updates
Security and firmware updates
Email, web and chat support
Advanced replacement
Dynamic DNS
Annual Safe@Office Web Filtering Service (WF-CPSB)
Provides URL filtering based on category classification of web sites.
If your Embedded NGX appliance is under hardware warranty and/or a valid support plan, it can be replaced in case of a hardware malfunction (Return Material Authorization - RMA). Follow the RMA procedure as described below:
Contact the Check Point Small Business Support team, using one of the following methods: open a support ticket, or initiate a chat session at www.sofaware.com.
A support expert will attempt to troubleshoot an issue to confirm or exclude a hardware issue. You will be updated at each step of the troubleshooting process.
In case a hardware issue is present, you will be issued an RMA form that must be filled and submitted to the Check Point Small Business Support team.
An RMA specialist will review the troubleshooting steps and will approve the RMA (or will ask to take further steps in the debugging process).
You will be issued an RMA number for follow-up.
A replacement product will be sent to the address specified in the RMA form.
A tracking number and estimated shipping date will be e-mailed to you once available.
Note that the license on the replacement box is functional for 30 days only. In order to receive the permanent license, the damaged hardware must be shipped to the logistics center in the US or Europe (depending on your location), and a notification with a tracking number and courier for the returned hardware must be sent to the Check Point SMB Support Team.
Contact your reseller for Safe@Office support plan renewal options. Once you renew the support plan, refresh your service center connection to view the new expiration date.
Demo UTM Gateways are Safe@Office and VPN-1 Edge UTM gateways that are available to partners for the purpose of customer product demos only. Demo UTM Gateways are also known as NFR (Not for Resale) gateways. You can recognize a Demo UTM Gateway by the 'Not for Resale' sticker on the exterior of the appliance.
How many demo UTM Gateways can a partner purchase?
A partner can purchase up to 3 demo units.
What's included with a Demo UTM Gateway Out of the Box?
Demo UTM Gateways arrive with no license installed "out of the box".
The Demo UTM Gateway package includes a welcome letter with a Temporary Demo license.
Temporary Demo licenses are good for 30 days only.
No subscription services are applied to Demo UTM Gateways, out of the box.
The 30 days demo license cannot be extended, but can be replaced with a Permanent Demo license only.
How to get a permanent Demo license and service for my Demo gateway?
With a simple activation procedure, partners can get:
A permanent Demo license
1 year of support and subscription services from the Check Point Service Center:
Software and security updates
VStream Anti-Virus Signature updates
Web filtering
Monthly security reports
To activate:
Partner fills in the Demo Gateway Activation Form on the SofaWare web site.
The form details are accepted by the SofaWare support team
The SofaWare team sends a Permanent Demo license string to the partner to install on the Demo UTM Gateway by email
The Sofaware team adds the Demo UTM Gateway and owner information to the Check Point Service Center
The SofaWare team sends an acknowledgement email and technical instructions to the partner email address.
In case you cannot access the http://my.firewall page (from LAN), try the following:
Verify that the Safe@Office appliance is operating (PWR/SEC LED is active)
Check if the LAN LINK/ACT LED for the port used by your computer is on. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly. Note: You may need to use a crossover cable when connecting a Safe@Office 'S' series appliance to another hub/switch.
Try connecting from LAN with your browser to http://192.168.10.1 (instead of http://my.firewall). Note: 192.168.10.1 is the default IP address, and it may vary if you changed it in the My Network page.
Check your TCP/IP configuration according to "Installing and Setting up the Safe@Office Appliance" in the Safe@Office Users Guide.
Restart your Safe@Office appliance and your broadband modem by disconnecting the power and reconnecting after 5 seconds.
If your web browser is configured to use an HTTP proxy to access the Internet, add "my.firewall" or "my.vpn" to your proxy exceptions list.
By default, the Safe@Office appliance performs Network Address Translation (NAT). It is possible to use the Safe@Office appliance behind another device that performs NAT, such as a DSL router or Wireless router, but the device will block all incoming connections from reaching your Safe@Office appliance. To fix this problem, do ONE of the following (the solutions are listed in order of preference).
Consider whether you really need the router. The Safe@Office appliance can often be used as a replacement for your existing router.
If possible, disable NAT in the router. Refer to the router's documentation for instructions on how to do this.
If the router has a "DMZ Computer" or "Exposed Host" option, set it to the Safe@Office appliance's external IP address.
In any case, it is recommended that you open the following ports in the NAT device: UDP 9281/9282, UDP 500, TCP 256, TCP 264, ESP (IP protocol 50), TCP 981. Refer to your router documentation for instructions.
By default, connections from the DMZ network to the LAN network are blocked. To allow traffic from the DMZ to the LAN, configure appropriate firewall rules. For instructions, refer to Safe@Office v7.5 User Guide - Chapter 12 'Setting Your Security Policy'.
It is recommended that you first understand the difference between the low, medium and high security levels. Refer to Question LP16225 in this article.
Method 2: Create a security rule to allow ICMP to the Embedded NG gateway from the Internet. To create the security rule:
No. Only DSL modems and routers support PPPoA. The Safe@Office appliance cannot replace your DSL equipment and therefore it does not need to support PPPoA. In case the Safe@Office appliance is connected to a device that supports PPPoA, you should choose "Direct LAN Connection" as the Internet connection type for the Safe@Office appliance.
DHCP Relay is used when the DHCP clients are located in a different subnet than the DHCP server. When the DHCP Relay option is used, the Check Point appliance becomes a DHCP relay agent. A relay agent is a small program that relays DHCP messages between clients and DHCP servers on different subnets. DHCP Relay configuration is supported over clear and VPN communications. DHCP Relay communicates through UDP ports 67/68. To enable DHCP Relay:
Click on "Edit" for the network you want to enable DHCP Relay for.
Fill in the internal IP Address and Subnet Mask of the Check Point appliance. This will determine the DHCP scope requested from the remote DHCP server.
Choose "Relay" from the DHCP drop down box.
Note: DHCP Relay will not work with NAT configuration. In case DHCP Relay is implemented over a VPN connection, make sure that the "Bypass NAT" checkbox is selected for the VPN connection on the Check Point appliance.
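The following is an added example, not SofaWare firmware code, showing what a DHCP relay agent does with a client's DHCPDISCOVER (RFC 2131 and RFC 1542): it writes its own interface address into the giaddr field, increments the hop count, and forwards the message to the server on UDP port 67; the server then chooses the scope from giaddr, which is why the internal IP address and subnet mask you fill in above determine the scope requested from the remote server. The client MAC address, relay and server addresses, and the scope table are constructed values.

```python
"""DHCP relay agent behaviour (RFC 2131 s4.3.1, RFC 1542 s4.1.1).
Added example, not SofaWare code; MAC, addresses and scopes are constructed."""
import ipaddress
import struct

BOOTREQUEST = 1
SERVER_PORT, CLIENT_PORT = 67, 68          # the UDP 67/68 pair mentioned on the page
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MESSAGE_TYPE, DHCPDISCOVER, OPT_END = 53, 1, 255
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
HEADER_LEN = struct.calcsize(HEADER_FMT)
HOPS_OFFSET, GIADDR_OFFSET = 3, 24


def build_discover(xid: int, mac: bytes) -> bytes:
    """Minimal DHCPDISCOVER as a client broadcasts it (0.0.0.0:68 -> 255.255.255.255:67)."""
    zero4 = b"\x00" * 4
    header = struct.pack(HEADER_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                         zero4, zero4, zero4, zero4, mac.ljust(16, b"\x00"),
                         b"\x00" * 64, b"\x00" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse_header(packet: bytes) -> dict:
    """Decode the fixed header; addresses are returned in dotted form."""
    names = ("op", "htype", "hlen", "hops", "xid", "secs", "flags",
             "ciaddr", "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
    msg = dict(zip(names, struct.unpack(HEADER_FMT, packet[:HEADER_LEN])))
    for key in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        msg[key] = str(ipaddress.IPv4Address(msg[key]))
    return msg


def relay_to_server(packet: bytes, relay_if_ip: str, max_hops: int = 4) -> bytes:
    """Relay agent step. giaddr is set only by the first relay on the path, so
    the server always answers the relay interface nearest the client."""
    msg = parse_header(packet)
    if msg["op"] != BOOTREQUEST:
        raise ValueError("relay only forwards client requests toward the server")
    if msg["hops"] >= max_hops:
        raise ValueError("hop count exceeded; discard to stop relay loops")
    out = bytearray(packet)
    out[HOPS_OFFSET] = msg["hops"] + 1
    if msg["giaddr"] == "0.0.0.0":
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.IPv4Address(relay_if_ip).packed
    return bytes(out)


def select_scope(packet: bytes, scopes, server_if_ip: str):
    """Server step: pick the scope (CIDR string) containing giaddr; a zero giaddr
    means the client sits on the server's own segment. Returns None if no scope fits."""
    giaddr = parse_header(packet)["giaddr"]
    key = ipaddress.IPv4Address(server_if_ip if giaddr == "0.0.0.0" else giaddr)
    for scope in scopes:
        if key in ipaddress.ip_network(scope):
            return scope
    return None


def reply_destination(packet: bytes):
    """Where the server sends its OFFER: to giaddr on port 67 when relayed,
    otherwise broadcast to the client port."""
    giaddr = parse_header(packet)["giaddr"]
    if giaddr != "0.0.0.0":
        return giaddr, SERVER_PORT
    return "255.255.255.255", CLIENT_PORT
```

reply_destination shows why the note above says DHCP Relay does not work through NAT: the server addresses its reply to the giaddr carried inside the payload, not to the translated source address of the datagram, so a translated path between relay and server has no route back, which is what "Bypass NAT" on the VPN connection avoids.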
By default, access to the Embedded NG Wireless security appliance's Web GUI from the WLAN (Wireless LAN) network is over HTTPS - https://my.firewall. In case you want to access the WebGUI from WLAN over HTTP (http://my.firewall), you'll need to configure a security rule to allow that. The security rule parameters can be:
MAC address filtering is a method to authenticate wireless clients with the Embedded NG wireless security appliance and allow them to access the WLAN network. This method is not considered secure enough to stand on its own, since MAC addresses can be easily cloned. As a result, it should be an additional measure on top of the other security methods offered, such as the WEP, WPA and 802.1x authentication standards.
To configure MAC address filtering:
Create a network object for the wireless clients you want to authenticate.
Activate MAC address filtering on the appliance.
To create a network object, perform the following:
From the MAC Address Filtering drop-down box choose "Yes".
Click "Apply".
Note: Once MAC Address Filtering is activated, wireless clients will not be able to communicate with the wireless network unless you create corresponding network objects for each wireless client.
This procedure describes the troubleshooting steps in case your WiFi card (installed on your mobile computer) does not get any signal from the Embedded NG wireless security appliance.
Important Notes
The troubleshooting steps suggested in this procedure assume that there are no coverage issues and that the issue occurs even when the mobile computer is a very short distance from the Embedded NG wireless security appliance.
For the purpose of simplified troubleshooting, it is recommended to turn off all wireless security options that may have been configured on the Embedded NG wireless security appliance and on the WiFi card installed on the mobile computer.
If this is the first time you install the Embedded NG wireless security appliance, the WLAN network is disabled. To enable the WLAN network, perform the following:
Physically connect your mobile computer to one of the LAN ports of the appliance.
Checking the WiFi card settings on your mobile computer
Check whether other mobile computers in your network also fail to get a signal from the Embedded NG wireless security appliance. If other computers are able to communicate over the wireless connection, it is more than likely that the issue is with your mobile computer's WiFi card setup.
In case you configured the Embedded NG security wireless appliance to hide the SSID, make sure that the WiFi card is manually configured with the correct SSID.
Make sure that the wireless standard (802.11 b/g) configured on the WiFi card matches the standard on the Embedded NG security wireless appliance.
Make sure you have the latest driver for your WiFi card.
Check for additional settings that can be configured on your wireless card, such as country and extended channel usage. These parameters are usually configured during the WiFi card installation, or via the vendor's wireless utility.
In case you have an Intel based WiFi card installed on your mobile computer, you may need to enable extended channel mode (this may not be needed for all models). To setup extended channel mode for Intel based WiFi cards, perform the following in Windows:
Go to Start menu > Settings > Control Panel.
Double-click the Administrative Tools icon.
Double-click the Computer Management icon.
From the left pane of the Computer Management window, choose "Device Manager".
From the right pane of the Computer Management window, expand the Network Adapters branch.
Locate the Intel network card branch and double-click it to open the Intel network card properties.
In the Intel card properties window, click the Advanced tab.
In the Property window, select "Extended Channel Mode".
Choose "Enable" from the Value drop-down box.
Checking the Embedded NG wireless security appliance settings
Force the wireless security appliance to work with a specific channel rather than selecting a channel automatically. To set the channel, physically connect your mobile computer to one of the appliance's LAN ports and perform the following:
When using WPA encryption on the WLAN, the connection is dropped immediately after connecting. Connections and disconnections appear consecutively in the appliance event log.
The solution:
Import manual encryption configuration to the wireless Embedded NGX appliance.
To apply the configuration file:
Download one of the configuration files below that answers your needs:
TKIP.CFG - Manually sets the security appliance to use TKIP encryption for WPA.
AES.CFG - Forces the appliance to only use AES encryption (not supported by some older wireless client devices).
AUTO.CFG - Resets the encryption engine to automatic (security appliance default).
Note: Normally, the Transparent Bridges feature requires a Power Pack license on a Safe@Office appliance. However, from firmware version 7.0.39 onwards you can create one bridge without the Power Pack license.
In most cases, standard access points have the wired LAN and the wireless network bridged together as a single network. However, in a secured network deployment it is customary to separate the LAN (traditionally, the segment hosting the confidential business resources) from other networks that are considered potentially insecure. The Embedded NGX security appliances keep the WLAN and LAN segments separated by subnetting and firewalling, because the wireless medium is insecure by definition.
This may lead to different behavior than you were used to with your 'old' standard access point, especially when attempting to browse the workgroup computers on the LAN using the Microsoft File and Print Sharing service. This Microsoft service is designed to work best between computers on the same local area network. Since the WLAN and LAN are on different networks, you can either connect to shared folders or printers on the LAN by using direct IP addresses (for example, \\192.168.10.2\C$), or install a WINS server to translate computer names into their corresponding IP addresses. Either option gives you access to the shared folders while keeping the firewall boundary between the WLAN and the LAN in place.
Another option, less recommended from the point of view of wireless security, is to bridge the LAN and WLAN networks into a "single network". Note that bridging removes the firewall boundary described above: any client that joins the wireless network then has the same layer-2 access to the LAN as a machine plugged into a LAN port. To create a bridge between the LAN and WLAN networks:
Click on the "Edit" button next to the WLAN network.
Click on the "Wireless Wizard" button at the bottom of the page.
In the Wireless Configuration Wizard window, complete the necessary settings for your wireless network, and click "Next".
Choose the required wireless security protocol for your network, choose "Bridge Mode" to create a bridge between the WLAN and the LAN, and click "Next".
Complete the Wireless Configuration Wizard with the required information for your wireless network.
The WLAN and LAN will now be bridged together and will share the same subnet.
The Embedded NGX appliance offers a variety of security and additional advanced options (such as QoS for multimedia over wireless). Depending on your wireless client software, all or only some of these options may be supported. If your wireless client does not support all the advanced options, you may see the following symptoms:
The WLAN connection might be dropped, immediately after connecting.
Connections and disconnections might appear consecutively in the appliance event log.
To improve the compatibility between your wireless client and the Embedded NGX appliance and overcome the symptoms above, attempt the following steps:
Import manual encryption configuration to the wireless Embedded NGX appliance.
Disable Multimedia Quality of Service (QoS WMM).
To apply manual encryption configuration to the Embedded NGX appliance:
Download one of the configuration files below that answers your needs:
TKIP.CFG - Manually sets the security appliance to use TKIP encryption for WPA.
AES.CFG - Forces the appliance to only use AES encryption (not supported by some older wireless client devices).
AUTO.CFG - Resets the encryption engine to automatic (security appliance default).
Embedded NGX wireless appliances use RP-SMA connectors.
Before substituting any antennas for the ones supplied by Check Point, note:
Substituting an antenna other than the ones supplied by Check Point may be in violation of local regulations. Installers should abide by all FCC, EU, or local regulations and requirements before deploying any 3rd-party antennas.
Check Point and its affiliates are not responsible for any damage caused by the use of 3rd-party antennas. Check Point will not replace or repair appliances damaged by the use of an improper antenna.
The Embedded NGX security gateway (with firmware 6.0 and subsequent versions) includes VStream Anti-Virus, an embedded stream-based Anti-Virus engine based on Check Point Stateful Inspection and Application Intelligence technologies that performs virus scanning at the kernel level. VStream Anti-Virus scans files for malicious content on the fly, without downloading the files into intermediate storage. This means minimal added latency and support for unlimited file sizes; and since VStream Anti-Virus stores only minimal state information per connection, it can scan thousands of connections concurrently. In order to scan archive files on the fly, VStream Anti-Virus performs real-time decompression and scanning of ZIP, TAR, and GZ archive files, with support for nested archive files.
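To make the stream-based approach described above concrete, the following Python is an added example written for this page; it is not Check Point's VStream engine or any of its code. It matches a constructed test signature against a byte stream read in fixed-size chunks (so a match that straddles two chunks is still caught), unpacks GZ and TAR layers on the fly using nothing but read() calls (no intermediate file), and refuses to unpack beyond an assumed nesting limit, which is the check a practitioner wants against archive-in-archive bombs. The signature, the names of the verdicts, the nesting limit and the two sample archives are all constructed for the example. ZIP is left out: its local headers can be walked from a stream, but Python's zipfile module needs a seekable file.

```python
import gzip
import io
import tarfile

# Constructed test signature and verdict name: not a real malware pattern,
# used only so this example runs offline without touching any AV engine.
SIGNATURES = {b"CONSTRUCTED-VIRUS-SIGNATURE-0001": "Test.Constructed.A"}
CHUNK = 4096        # bytes read per step; state per stream stays at a few KiB
MAX_NESTING = 3     # assumed bound on archive-in-archive depth (archive bombs)
GZIP_MAGIC = b"\x1f\x8b"


class Peekable:
    """read()-only wrapper that lets us sniff magic bytes without seek()."""

    def __init__(self, raw):
        self._raw = raw
        self._buf = b""

    def peek(self, n):
        while len(self._buf) < n:
            chunk = self._raw.read(n - len(self._buf))
            if not chunk:
                break
            self._buf += chunk
        return self._buf[:n]

    def read(self, n=-1):
        if n < 0:
            data, self._buf = self._buf + self._raw.read(), b""
            return data
        data, self._buf = self._buf[:n], self._buf[n:]
        if len(data) < n:
            data += self._raw.read(n - len(data))
        return data


def sniff(stream):
    """Classify a stream from its first 512 bytes: 'gz', 'tar' or 'raw'."""
    head = stream.peek(512)
    if head[:2] == GZIP_MAGIC:
        return "gz"
    if head[257:262] == b"ustar":          # ustar/GNU tar magic at offset 257
        return "tar"
    return "raw"


def scan_raw(stream, path, findings):
    """Match signatures chunk by chunk; the kept tail makes a signature that
    straddles two chunks visible. Stops at the first hit (the file is blocked)."""
    keep = max(len(s) for s in SIGNATURES) - 1
    tail = b""
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            return
        window = tail + chunk
        for sig, name in SIGNATURES.items():
            if sig in window:
                findings.append((path, name))
                return
        tail = window[-keep:]


def scan_stream(raw, path, findings, depth=0):
    """Scan one stream, unpacking GZ and TAR layers on the fly, no temp files."""
    stream = Peekable(raw)
    kind = sniff(stream)
    if kind == "raw":
        scan_raw(stream, path, findings)
    elif depth >= MAX_NESTING:
        findings.append((path, "Archive.NestingLimit"))   # block, do not unpack
    elif kind == "gz":
        scan_stream(gzip.GzipFile(fileobj=stream, mode="rb"), path + "!gz",
                    findings, depth + 1)
    else:   # tar: stream mode 'r|' walks members sequentially from read() alone
        with tarfile.open(fileobj=stream, mode="r|") as tar:
            for member in tar:
                if member.isfile():
                    scan_stream(tar.extractfile(member), path + "!" + member.name,
                                findings, depth + 1)


def scan(data, name):
    """Scan an in-memory byte string as if it were arriving on a connection."""
    findings = []
    scan_stream(io.BytesIO(data), name, findings)
    return findings


def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample():
    """Constructed input: outer.tar holds a clean file and inner.tar.gz, whose
    tar holds payload.bin with the signature placed across a CHUNK boundary."""
    sig = next(iter(SIGNATURES))
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w", format=tarfile.GNU_FORMAT) as t:
        _add(t, "payload.bin", b"A" * (CHUNK - 10) + sig + b"B" * 100)
    outer = io.BytesIO()
    with tarfile.open(fileobj=outer, mode="w", format=tarfile.GNU_FORMAT) as t:
        _add(t, "readme.txt", b"clean content")
        _add(t, "inner.tar.gz", gzip.compress(inner.getvalue()))
    return outer.getvalue()


def build_deep_gzip():
    """Constructed input: harmless bytes gzipped five times, deeper than MAX_NESTING."""
    data = b"harmless"
    for _ in range(5):
        data = gzip.compress(data)
    return data


if __name__ == "__main__":
    print(scan(build_sample(), "outer.tar"))      # hit inside the nested archive
    print(scan(build_deep_gzip(), "deep.gz"))     # nesting limit, unpacking refused
```

The path in each finding records every layer that was unpacked (outer.tar!inner.tar.gz!gz!payload.bin), which is what you want in an event log when deciding whether a block was a real detection or a nesting-limit refusal.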
When VStream Anti-Virus detects malicious content, the action it takes depends on the protocol in which the virus was found, as summarized in the table below. In each case, VStream Anti-Virus blocks the file and writes a log to the Event Log.
Protocol | Action taken by VStream Anti-Virus | Port on which the protocol is detected
HTTP | Terminates the connection. | All ports on which VStream is enabled by the policy, not only port 80
POP3 | Terminates the connection and deletes the virus-infected email from the server. | The standard TCP port 110
IMAP | Terminates the connection and replaces the virus-infected email with a message notifying the user that a virus was found. | The standard TCP port 143
SMTP | Rejects the virus-infected email with error code 554 and sends a "Virus detected" message to the sender. | The standard TCP port 25
FTP | Terminates the data connection and sends a "Virus detected" message to the FTP client. | The standard TCP port 21
TCP and UDP | Terminates the connection. | Generic TCP and UDP ports, other than those listed above
For protocols not listed in this table, VStream Anti-Virus uses a "best effort" approach to detect viruses. In such cases, detection is not guaranteed and depends on the specific encoding used by the protocol.
VStream Anti-Virus differs from the Email Anti-Virus subscription service (part of the Email Filtering service) in the following ways:
Email Anti-Virus is centralized, redirecting traffic through the Service Center for scanning, while VStream Anti-Virus scans for viruses in the Safe@Office gateway itself.
Email Anti-Virus is specific to e-mail, scanning incoming POP3 and outgoing SMTP connections only, while VStream Anti-Virus supports additional protocols, including incoming SMTP and outgoing POP3 connections.
You can use either Anti-Virus solution, or both, in conjunction.
VStream Anti-Virus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures. Periodically, the contents of the daily database are moved to the main database, leaving the daily database empty. This system of incremental updates to the main database allows for quicker updates and saves on network bandwidth. You can view information about the VStream signature databases currently in use, on the VStream Anti-Virus page.
The following list describes the typical ADSL configuration required by well-known ISPs and telcos worldwide. We recommend consulting your ADSL provider for the most recent ADSL configuration.
An internal error message is received when trying to initiate a Remote Desktop connection via the http://my.firewall portal to a computer that runs the Windows Vista operating system.
Possible cause
When initiating a Remote Desktop connection via the http://my.firewall portal, the remote computer is configured to allow only connections from computers using Network Level Authentication. The Embedded NGX security appliances use an ActiveX component to run the Remote Desktop feature, and this component does not support Network Level Authentication.
Solution
Configure the Remote Settings on the computer to which you are connecting to allow connections from computers running any version of Remote Desktop. Note that with this setting the computer starts an RDP session and presents the Windows logon screen before the client has authenticated, which is why Windows labels it "less secure"; apply it only to the computers you need to reach through the portal.
To update the Remote Settings configuration, perform the following:
On your desktop, right-click the Computer icon.
Click Properties in the pop-up menu.
Click on the "Remote Settings" option from the left-hand menu.
Click on the "Allow connections from computers running any version of Remote Desktop (less secure)" radio button.
Note: This option is equivalent to the "Allow users to connect remotely to this computer" option in Windows XP. The "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" option applies to connections made with the local Remote Desktop client when both computers run Windows Vista.
For detailed instructions on how to remotely access the desktop of each of your computers using the Embedded NGX appliances' Remote Desktop feature, refer to Safe@Office v7.5 User Guide - Chapter 18 'Using Remote Desktop'.
If your PCX5000 is connected to the Internet, connect with your browser to http://my.pcx, click 'Setup > System > Upgrade', choose to upgrade by entering a product key, click "Next", and click the link for more information. The link will redirect you to the upgrade purchase page. Fill in your personal and credit card information. After submitting, you will receive a product key for the upgrade. Refer to the PCX5000 user guide for additional information.
When you entered the MAC address in the web form, you either typed the wrong MAC address or did not use the LAN MAC address. Connect with your browser to http://my.pcx and click the Status menu. Make sure to use the LAN MAC address that appears on this page.
Check Point will provide you with technical support on subjects concerning the Safe@ firewall only. For hardware problems, installation issues, configuration and wireless issues, contact Toshiba.