SofaWare FAQ

Solution ID: sk65606
Product: Edge
Version: All
OS: Linux
Platform / Model: Edge
Date Created: 02-Nov-2011
Last Modified: 17-Feb-2014
Solution

Table of Contents

  • Toshiba PCX5000
  • VPN
  • Customer Support and Services
  • Firewall
  • General
  • Licensing
  • Network Connectivity (LAN/DMZ/WAN)
  • Logging
  • High Availability
  • Wireless LAN
  • VStream Antivirus
  • ADSL
  • Remote Desktop

Toshiba PCX5000

What upgrade options do I have? (LP12332)

A1: Currently, only the Safe@Home firewall option is available.

How do I purchase an upgrade for my PCX5000? (LP12333)

A2: If you have your PCX5000 connected to the internet, surf to http://my.pcx, click on 'Setup>System>Upgrade', choose to upgrade by entering a product key, click "Next", and click on the link for more information. The link will redirect you to the upgrade purchase page.
Fill in your personal and credit card information. After submitting, you'll get a product key for upgrade. Please see the PCX5000 user guide for additional information.

I have purchased the upgrade online, received a product key and tried to install it, but I get an error message that the product key cannot be authenticated - what can I do? (LP12334)

A3: When you entered the MAC address in the web form, you either typed the wrong MAC address, or did not use the LAN MAC address. Please surf to http://my.pcx and click on the Status menu. Please make sure to use the LAN MAC address that appears on this page.

Does the upgrade include additional managed services such as URL filtering and email antivirus scanning? (LP12336)

A4: No. The upgrade only activates the firewall options. Additional managed services will be available through select service providers in the future.

Where can I download the latest PCX5000 user guide, drivers and documentation? (LP12337)

A5: Surf to the Toshiba PCX5000 home page for downloads.

What technical support will I get from Check Point for the Toshiba PCX5000 Cable Modem? (LP12338)

A6: Check Point will provide you with technical support on subjects concerning the Safe@ firewall only. For hardware problems, installation issues, configuration and wireless issues, please contact Toshiba.

What technical support options do I have with Toshiba? (LP12339)

A7: For Toshiba support options, please see the Toshiba PCX5000 home page.

What if I don't want to purchase the upgrade online - who can I talk to? (LP12340)

A8: Please send your upgrade request to order@checkpoint.com. A Check Point representative will contact you to get your billing information.

Who can I call if there is a problem with my order or billing?

A9: Please contact order@checkpoint.com.

VPN

How do you configure Microsoft Windows 2000 IAS (Internet Authentication Service) with Active Directory as a RADIUS to authenticate local and remote VPN access users? (LP12478)

A10: Installing Active Directory on a Win2K server
The following links are good resources for information about Active Directory installation and deployment:
  • http://www.microsoft.com/windows2000/en/server/help/sag_ADtopnode.htm?id=111
  • http://www.petri.co.il/how_to_install_active_directory_on_w2k.htm

Install IAS Service
Please refer to this link for instructions about IAS service installation:

  • http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_ias_install.htm

Configure IAS to support remote/local users authentication

  1. Click on 'Start > Programs > Administrative tools > Internet Authentication service'.
  2. Expand the Internet Authentication Service and right-click on "Clients". Click "New Client".
  3. In the Add Client window, enter a name and choose the protocol as "RADIUS". Click "Next".
  4. Fill in the Client address with the appliance LAN IP address that the IAS server is connected to. Make sure to select "RADIUS Standard" as the Client-Vendor, and add the shared secret to match the one you entered on the appliance RADIUS page.
  5. Click "Finish" to return to the console root.
  6. Click on "Remote Access Policies" in the left pane and double-click the policy labeled "Allow access if dial-in permission is enabled".
  7. Click "Edit Profile" and go to the Authentication tab. Under Authentication Methods, make sure only "Unencrypted Authentication (PAP, SPAP)" is checked. The VPN client can use only this method for authentication.
  8. Click "Apply" and then "OK" twice.
  9. To modify the users to allow connection, go to 'Start > Programs > Administrative tools > Users and Computers'.
  10. Double-click the user for whom you want to allow access.
  11. Click the Dial-in tab and select "Allow Access under Remote Access Permission" (Dial-in or VPN).
  12. Click "Apply" and "OK".

Configure the appliance to support RADIUS authentication for remote VPN users

  1. Under 'VPN tab > VPN Server', set the VPN server to "Enabled", and select the "Bypass NAT" and "Bypass Firewall" options.
  2. Under the Users tab, click the RADIUS tab.
  3. In the address field, enter the IP address of the IAS server.
  4. In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
  5. Select the "VPN Remote Access" check box to allow VPN clients authentication.
  6. Under the 'VPN > Certificate' tab, install a PKCS#12 (.p12) certificate.

Note: A certificate is needed to support Hybrid Mode authentication. Hybrid Mode authentication is a method of authenticating with a VPN endpoint using authentication schemes other than a shared secret or digital certificates, such as SecurID cards, RADIUS or LDAP.

After installing SecureRemote on Windows XP, the VPN dialer (usually used for ADSL connection) does not work and may generate errors 651 or 800, because it cannot reach the ADSL modem. (LP12480)

A11: Remove or rename the file %SystemRoot%\system32\drivers\scap.sys and reboot.

Note: The scap.sys file is created with SecureRemote installation. If the file is not found, re-install SecureRemote and repeat the step above.

When doing VPN between a Safe@Office and Check Point VPN-1 (any version) you may get an error message on the SmartView Tracker event log: "received a cleartext packet within an encrypted connection and the tunnel is dropped". (LP12481)

A12: To work around this, access SmartDashboard and check the "Accept VPN-1 & FireWall-1 Control connections" check box under Global Properties. This will enable certain implied rules needed to create a successful VPN tunnel and topology download. More information can be found in the Firewall-1 Administration guide.

How to manage latency (speed) issues, or TCP session disconnections over a VPN tunnel. (LP12482)

A13: The Problem: Latency over a VPN tunnel is quite a common issue, and is caused by packet fragmentation. The problem occurs when a packet becomes fragmented and has to be reassembled by a VPN device. Also, with newer technologies such as Load Balancing, the fragments may reach the VPN client out of order. The VPN client then has to reassemble the out-of-order fragments. If one fragment is not received, the VPN client cannot reassemble the complete packet.

MTU (Maximum Transmission Unit)
The largest number of bytes a frame can carry, not counting the frame's header and trailer. A frame is a single unit of transportation on the data link layer. It consists of header data plus data that was passed down from the network layer (also sometimes trailer data). An Ethernet frame has an MTU of 1500 bytes, but the size of the frame can be up to 1526 bytes (22 byte header, 4 byte CRC trailer).

What MTU size should I set?

To determine the right MTU setting, run a fragmented ping test from a command prompt on the client machine:

ping <Public IP of Sbox> -f -l 1500

Most likely, you will receive the message: "Packet needs to be fragmented but DF set."

The DF refers to the "Don't Fragment" bit. Keep lowering the byte size from 1500, until you receive a reply without an error message. The point at which you receive a reply without an error is the point of fragmentation. The MTU size should be just below that point.
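The manual "keep lowering the size" search above can be automated with a binary search. The following is an added example, not part of the original article or of any Check Point tool: the function names are illustrative, the ping output matching assumes English-language Windows ping, and the simulated path is constructed so the search can be exercised offline. It goes one step beyond the text by also reporting the IP packet size that a given ping payload produces (payload plus a 20-byte IPv4 header and an 8-byte ICMP header).

```python
import subprocess

# ping -l sets the ICMP payload size; the packet on the wire is larger.
IP_ICMP_OVERHEAD = 20 + 8  # IPv4 header + ICMP echo header, in bytes


def windows_ping_probe(host):
    """Build probe(size) -> bool that runs the article's DF ping test once.

    Assumption: Windows ping with English output, as quoted in the article.
    """
    def probe(size):
        result = subprocess.run(
            ["ping", "-n", "1", "-f", "-l", str(size), host],
            capture_output=True, text=True,
        )
        out = result.stdout
        return "TTL=" in out and "needs to be fragmented" not in out
    return probe


def simulated_path(path_mtu):
    """Constructed stand-in for a real path: a probe passes only if the
    whole IP packet fits within path_mtu."""
    return lambda size: size + IP_ICMP_OVERHEAD <= path_mtu


def largest_unfragmented_payload(probe, low=0, high=1500):
    """Return the largest payload size in [low, high] for which probe()
    succeeds, or None if even the smallest size fails (host unreachable
    or ICMP filtered). Assumes success is monotonic in size."""
    if not probe(low):
        return None
    if probe(high):
        return high
    # Invariant: probe(low) is True and probe(high) is False.
    while high - low > 1:
        mid = (low + high) // 2
        if probe(mid):
            low = mid
        else:
            high = mid
    return low


def ip_packet_size(payload):
    """Size of the IP packet produced by a ping with this payload."""
    return payload + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    # Constructed scenario: a VPN path that only passes 1400-byte packets.
    payload = largest_unfragmented_payload(simulated_path(1400))
    print("largest payload:", payload)
    print("IP packet size :", ip_packet_size(payload))
    # Against a real gateway (placeholder address, replace before use):
    # largest_unfragmented_payload(windows_ping_probe("<Public IP of Sbox>"))
```

On a lossy link a dropped reply looks the same as a fragmentation failure, so repeat the search before changing any MTU setting.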

How to modify MTU settings on the Check Point SecuRemote/SecureClient VPN software?
SecuRemote/SecureClient software enables you to modify the MTU value for the virtual connection only. In order to change the MTU values, run the MTUadjust.exe tool from C:\Program Files\CheckPoint\SecuRemote\Bin.

How to modify MTU settings on the Check Point appliance?
To modify the MTU settings on the Check Point appliance, edit the MTU field of the Internet connection settings.

My appliance is behind a NAT device. Can I establish site to site VPN tunnels? (LP15657)

A14: Yes. Embedded NG 4.5 and later supports the Internet Engineering Task Force (IETF) draft standard for NAT traversal (NAT-T), which allows Site-to-Site VPN tunnels to pass through NAT devices. NAT Traversal is also fully supported for VPN remote access (SecuRemote) users, by means of UDP Encapsulation.

What encryption methods are supported by my appliance? (LP15658)

A15: All our appliances support AES (Advanced Encryption Standard - 128 or 256 bits), 3DES (Triple Data Encryption Standard), and DES encryption, as well as SHA1 and MD5 message digest algorithms.

AES-256/SHA1 is used automatically and cannot be manually modified in the following cases:
  • Remote access VPN between a Check Point SecuRemote/SecureClient and a Safe@Office box
  • Remote access VPN between Safe@Office boxes
  • Site to Site VPN between Safe@Office boxes with firmware version earlier than 5.0.

Encryption and message digest algorithms are negotiated automatically in VPN between a Safe@Office and another VPN endpoint.

Can I establish a site to site VPN with VPN equipment from other vendors? (LP15659)

A16: Yes. All Check Point VPN appliances can communicate with any VPN gateway that is fully compliant with the IPSEC standard.

Where can I download the Check Point SecuRemote/SecureClient/Endpoint Connect VPN client? (LP16329)

A17: VPN clients are available free for download here.

How can I configure the Safe@Office box to support Perfect Forward Secrecy (PFS)? (LP16973)

A18: PFS is not supported by default, and it needs to be configured using the command line interface. To access the command line interface, do the following:

To enable PFS, type: set vpn sites <site number> usepfs <true | false>

Can I establish a remote access VPN using a VPN client from other vendors? (LP16983)

A19: No. Only the listed clients are supported for VPN Remote Access. 

What is the effect of the 'Bypass Firewall' and 'Bypass NAT' settings on VPN communications? (LP16985)

A20: When "Bypass the firewall" is selected in the VPN Server page, all firewall rules are ignored for VPN traffic.

When "Bypass NAT" is selected, all incoming and outgoing VPN traffic uses the private IP addresses.

Does the Check Point SecuRemote/SecureClient VPN software support UDP encapsulation? (LP17861)

A21: Yes. UDP encapsulation is used by the Check Point VPN client to traverse ESP (Encapsulating Security Payload) over NAT (Network Address Translation).

To configure this option in SecuRemote/SecureClient version R55: 
1. Click on the envelope icon with the golden key in the task bar.
2. The SecuRemote window will open.
3. In the tools menu, select Advance IKE Settings...
4. Check the "Force UDP Encapsulation" checkbox. 
5. Click "OK" to return to the main SecuRemote window.
6. In the File menu, select "Stop VPN-1 SecuRemote".
8. Start the VPN client again.

To configure this option in the SecuRemote/SecureClient version R56: 
1. Click on the envelope icon with the golden key in the task bar.
2. The SecuRemote window will open. Click the Options button.
3. Select Settings from the Option menu.
4. Select the desired VPN profile in the Settings window.
5. Click the Properties button.
6. Select the Advanced tab.
7. Check the Connectivity enhancements box.
8. Check the Force UDP Encapsulation checkbox.
9. Click OK.
10. Stop and Start the VPN client again from the task bar.

Troubleshooting a Remote Access VPN connection using Check Point SecuRemote/SecureClient/Endpoint Connect VPN Software. (LP17863)

A22: This procedure assumes the reader is familiar with the basic concepts and scenario of Remote Access VPN installation, as described in the Safe@Office/Embedded NGX UTM appliance Remote Access VPN Technology Guide.
  1. Make sure that a valid VPN Certificate is installed. The certificate can be found under the VPN option in the left menu > Certificate in the top menu.
  2. In case SecuRemote/SecureClient is installed under Windows XP with SP2 or above, or if you use a 3rd party firewall software on your PC:
    • Turn off the internal Windows firewall, or make sure that the following ports are allowed:
      UDP 500 (IKE)
      TCP 264 (Topology download)
      UDP 2746 (UDP encapsulation)
      UDP 259 (Check Point RDP)
      UDP 4500 (NAT-T)
      IP Protocol 50 (AKA ESP or IPSEC Passthru)
      For Endpoint connect, TCP 443 (HTTPS) is also required
  3. In case the VPN client is installed on a computer behind a NAT device:
    • When the SecuRemote/SecureClient software is used, it is recommended to use the "Force UDP Encapsulation" setting in the VPN client. For instructions, see Q12 (LP17861) above.
    • Make sure that the VPN client network IP address range and the VPN gateway's network IP range are not overlapping.
  4. Modify MTU settings on the VPN client. SecuRemote/SecureClient software enables you to modify the MTU value for the virtual connection only. In order to change the MTU values, run the MTUadjust.exe tool from C:\Program Files\CheckPoint\SecuRemote\Bin.
  5. Check the VPN gateway settings:
  6. In case the VPN server is installed behind a NAT device:
    Note: If possible, consult with your ISP about ways to assign the security appliance a valid IP. Otherwise, do the following:
    • Make sure to open the following ports and traffic in the NAT device:
      UDP 500 (IKE)
      TCP 264 (Topology download)
      UDP 2746 (UDP encapsulation)
      UDP 259 (Check Point RDP)
      UDP 4500 (NAT-T)
      IP Protocol 50 (AKA ESP or IPSEC Passthru)
      For Endpoint connect, TCP 443 (HTTPS) is also required
    • Use the command line interface and type the following command:
      set device behindnat <IP>
      (Where IP is the public IP address of the NAT device). To access the command line interface, surf to http://my.firewall and click on 'Setup > Tools > Command'.

    Note: This command line is supported with firmware 5.0.57 and subsequent versions.

How can I view the VPN topology of my appliance? (LP17888)

A23: To view the VPN topology after the topology download has taken place, go to 'Reports - Tunnels - View Topology'.

Error message: "Invalid Certificate" when installing a PKCS#12 certificate that was created with OpenSSL (LP28965)

A24: An "Invalid Certificate" error message appears when installing a PKCS#12 (.p12) certificate that was created using OpenSSL. This may happen if the DN (Distinguished Name) information entered for the CA (Certificate Authority) and the self-signed certificate are similar.

To work around this, repeat the instructions in the Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances document, but this time make sure to use different DN information when creating the CA and the self-signed certificate.

How to modify the default IKE SA (Internet Key Exchange Security Association) proposals? (LP29221)

A25: The following is available with Check Point security appliances installed with firmware version 5.0.x and subsequent versions.

The default IKE behavior of the Check Point security appliance is to auto-negotiate the SA parameters between VPN endpoints. In most cases, there is no need to modify the default proposal parameters. However, you may want to override the defaults in the following cases:

  • Your organization's network security policy requires a specific configuration.
  • Some IPSEC compliant devices cannot auto-negotiate some or all of the IKE SA proposals.

Use the Check Point security appliance CLI (Command Line Interface) to modify the IKE SA parameters:

To modify IKE phase-1 encryption parameters, use the following command syntax:
set vpn sites [site number] phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1 ] 

To modify IKE phase-2 encryption parameters, use the following command syntax:
set vpn sites [site number] phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1 ]

To modify IKE phase-1 SA lifetime, use the following command syntax:
set vpn sites [site number] phase1exptime [Minutes]

To modify IKE phase-2 SA lifetime, use the following command syntax:
set vpn sites [site number] phase2exptime [seconds]
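The command syntax above lends itself to a simple review script. The following is an added example, not Check Point code: it parses a list of `set vpn sites` commands, rejects values outside the syntax shown above, flags proposals that use DES (56-bit key) or MD5, notes sites left on `automatic` (where the result depends on what the peer offers), and converts both lifetimes to seconds, since phase 1 is given in minutes and phase 2 in seconds. The function names and the sample commands are constructed for illustration; which algorithms to flag is a choice made for this example.

```python
import re

ENCRYPTION = ("des", "3des", "aes128", "aes256")
DIGESTS = ("md5", "sha1")
# Every value the syntax in the article allows for phase1ikealgs/phase2ikealgs.
ALLOWED = {"automatic"} | {f"{e}/{d}" for e in ENCRYPTION for d in DIGESTS}

COMMAND = re.compile(
    r"set\s+vpn\s+sites\s+(\d+)\s+phase([12])(ikealgs|exptime)\s+(\S+)"
)

# Constructed sample input, not taken from a real appliance.
SAMPLE_COMMANDS = [
    "set vpn sites 1 phase1ikealgs aes256/sha1",
    "set vpn sites 1 phase2ikealgs aes128/md5",
    "set vpn sites 1 phase1exptime 1440",
    "set vpn sites 1 phase2exptime 3600",
    "set vpn sites 2 phase1ikealgs des/md5",
    "set vpn sites 2 phase2ikealgs automatic",
    "set vpn sites 3 phase1ikealgs aes512/sha1",
]


def parse(lines):
    """Yield (site, phase, key, value) for each recognised command."""
    for line in lines:
        match = COMMAND.fullmatch(line.strip())
        if match:
            site, phase, key, value = match.groups()
            yield int(site), int(phase), key, value.lower()


def audit_proposals(lines):
    """Return a list of (site, phase, issue) tuples, in input order."""
    findings = []
    for site, phase, key, value in parse(lines):
        if key != "ikealgs":
            continue
        if value not in ALLOWED:
            findings.append((site, phase, "unknown value"))
        elif value == "automatic":
            # Not a defect in itself: the outcome depends on the peer.
            findings.append((site, phase, "negotiated"))
        else:
            encryption, digest = value.split("/")
            if encryption == "des":
                findings.append((site, phase, "des"))
            if digest == "md5":
                findings.append((site, phase, "md5"))
    return findings


def lifetimes_seconds(lines):
    """Return {(site, phase): lifetime in seconds}.

    Per the syntax above, phase 1 is entered in minutes and phase 2 in
    seconds, so the two are normalised before being compared.
    """
    result = {}
    for site, phase, key, value in parse(lines):
        if key == "exptime" and value.isdigit():
            result[(site, phase)] = int(value) * (60 if phase == 1 else 1)
    return result


if __name__ == "__main__":
    for site, phase, issue in audit_proposals(SAMPLE_COMMANDS):
        print(f"site {site} phase {phase}: {issue}")
    print(lifetimes_seconds(SAMPLE_COMMANDS))
```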

When using Check Point SecuRemote/SecureClient to create a remote access VPN with a Check Point appliance, only the authentication phase works, but the remote network cannot be reached. This may happen if the Check Point appliance is configured for DSL PPTP connection with an Alcatel modem using the 10.0.0.0/8 IP network range. (LP29268)

A26: It is assumed that the reader has implemented the Remote Access VPN configuration, as described in the Safe@Office/Embedded NGX UTM appliance Remote Access VPN Technology document.

When using Check Point SecuRemote/SecureClient to create a remote access VPN with a Check Point appliance, only the authentication phase works, but the remote network cannot be reached. This may happen if the Check Point appliance is configured for DSL PPTP connection with an Alcatel modem using the 10.0.0.0/8 IP network range. It appears that the Orange 3G data network is using NAT with the same IP range, which causes some routing problems.

To work around this, narrow the network between the Check Point appliance and the Alcatel modem by doing the following:

  1. Surf to http://my.firewall
  2. Click on Network menu.
  3. Click on "Edit" near the active Internet connection entry.
  4. Choose "PPTP" as the connection type.
  5. Uncheck the "Obtain IP address automatically (using DHCP)" checkbox.
  6. In the IP address box, type "10.0.0.137".
  7. From the Subnet Mask dropdown box, choose "255.255.255.252 /30".
  8. Click "Apply".
  9. Try the remote access VPN connection again after the appliance has regained a connection to the Internet.

Note: The above assumes that the Alcatel modem is configured with its default IP address 10.0.0.138. 
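Both this workaround and the earlier troubleshooting step about non-overlapping client and gateway ranges (LP17863, step 3) come down to the same check. The following added example, which is not part of the original article, performs that check with Python's standard `ipaddress` module and shows why the /30 mask removes the conflict while keeping the modem reachable. The client-side network 10.64.0.0/16 is a constructed stand-in for an address range handed out behind a carrier's NAT; the gateway LAN 192.168.10.0/24 is likewise assumed.

```python
import ipaddress


def link_network(address, netmask):
    """Network that an interface with this address and mask belongs to."""
    return ipaddress.ip_interface(f"{address}/{netmask}").network


def find_overlaps(client_side, gateway_side):
    """Return every (client_net, gateway_net) pair that shares addresses.

    Any such pair means the client cannot tell whether a destination is
    local or behind the tunnel, which is the routing problem described.
    """
    return [
        (c, g)
        for c in client_side
        for g in gateway_side
        if c.overlaps(g)
    ]


# Constructed client side: a range used behind the mobile carrier's NAT.
CLIENT_SIDE = [ipaddress.ip_network("10.64.0.0/16")]

# Assumed gateway LAN, used for illustration only.
GATEWAY_LAN = ipaddress.ip_network("192.168.10.0/24")

# Before the workaround: the appliance-to-modem link covers all of 10/8.
WAN_BEFORE = link_network("10.0.0.137", "255.0.0.0")

# After the workaround: address and mask from steps 6 and 7 above.
WAN_AFTER = link_network("10.0.0.137", "255.255.255.252")

# Default modem address from the note above.
MODEM = ipaddress.ip_address("10.0.0.138")


def modem_still_reachable(wan_network, modem=MODEM):
    """The narrowed link must still contain the modem's address."""
    return modem in wan_network


if __name__ == "__main__":
    print("before:", find_overlaps(CLIENT_SIDE, [GATEWAY_LAN, WAN_BEFORE]))
    print("after :", find_overlaps(CLIENT_SIDE, [GATEWAY_LAN, WAN_AFTER]))
    print("narrowed link:", WAN_AFTER, "modem inside:",
          modem_still_reachable(WAN_AFTER))
```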

I have established a VPN connection successfully. Why can't I see the remote computers? (LP29269)

A27: It is assumed that the reader has configured either the Remote Access VPN or Site-to-Site VPN as suggested in the relevant step-by-step configuration papers, in this knowledge base.

The reason for not being able to view or browse remote computers is not related to the VPN you just created, but to the way the NetBIOS application works. Microsoft adapted NetBIOS as the way to implement the File and Print sharing services between Windows Workgroups based computers. Originally, NetBIOS was designed for computers to communicate with each other on the same local area network.

NetBIOS is a TCP/IP based protocol. Normally, computers in a TCP/IP based network communicate with each other by calling each other's IP addresses and not by their computer names. In order to identify computers by a name, a naming translation service is required. NetBIOS is no different in that manner. Windows based computers within the same local area network will use broadcast techniques to publish their names, and update their own translation table. In other words, each computer holds a table with a computer name and its matching IP address. However, broadcast messages cannot traverse different subnets, as broadcast does not support routing schemes. This prevents computers on different networks from communicating by their host names.

In order to enable computers on different subnets to communicate by names, a naming translation service is required. Such a service is a WINS (Windows Internet Naming Service) server, which is a system designed to match between Windows client names and IP addresses.

When creating a Check Point IPSec VPN connection, you perform data encryption between endpoints, and the privacy is achieved because only intended parties can actually 'read' and understand the data. Technically and practically, networks on both ends of the VPN tunnel are not joined together by a VPN tunnel, and therefore they remain on different subnets. Computers on both sides of a VPN tunnel will also need to be aware of a naming translation service to use the Microsoft File and Print sharing services. If no naming service is available, the remote computers' shared folders and printers can always be accessed using IP addresses, for example: \\192.168.10.3\C$.

Additional settings on a Windows client

Check that the remote computers are configured to support NetBIOS over TCP/IP.

To enable NetBIOS over TCP/IP in Win2K and WinXP:

  1. Open 'Control Panel > Network Connections'.
  2. Open your network connection properties.
  3. Open the TCP/IP properties.
  4. Click on the "Advanced" button.
  5. Click on the WINS tab.
  6. Check the "Enable NetBIOS over TCP/IP" checkbox.

I have disconnected the VPN client but it is still displayed as connected on the 'Reports > VPN Tunnels' page. (LP55653)

A28: The Check Point security appliance displays the IKE phase-1 VPN tunnel information on the 'Reports > VPN Tunnels' page. By default, the phase-1 lifetime used by Check Point VPN software is 24 hours, and therefore the display will refresh after that interval, even if the VPN clients are actually disconnected. This does not mean that there is traffic over the tunnel.

IKE phase-1 is responsible for creating the VPN tunnel and involves heavy mathematical calculations that consume CPU. In order to reduce the load on the CPU, IKE phase-1 is renewed only every 24 hours.

How to configure Microsoft Windows 2003 IAS (Internet Authentication Service) with Active Directory as a RADIUS to authenticate local and remote VPN access users (LP55964)

A29: Installing Active Directory on a Win2K server
The following links are good resources for information about Active Directory installation and deployment:

Install IAS Service
Please refer to this web page from Microsoft for instructions about IAS service installation.

Configure IAS to support remote/local users authentication

  1. Click on Start > Programs > Administrative tools > Internet Authentication service.
  2. Right-click on the Radius Clients folder, and choose New RADIUS Client.
  3. In the New RADIUS Client window, fill in a "friendly" name and the IP address of your security appliance. Click Next.
  4. From the Client-Vendor drop-down menu, choose RADIUS Standard. Fill in the shared secret in the Shared Secret text field to match the one you entered on the security appliance's RADIUS page, and confirm the shared secret in the Confirm Shared Secret field.
  5. Click Finish to return to the Internet Authentication Service window.
  6. Right-click on Remote Access Policies in the left pane and choose New Remote Access Policy from the menu.
  7. Click Next in the New Remote Access Policy Wizard window.
  8. In the Policy Configuration Method window, choose Set up a custom policy. In the Policy Name field, type a name for the policy (For example, VPN Access). Click Next.
  9. In the Policy Conditions window, click Add; the Select Attribute window opens. Choose NAS-IP-Address from the attribute types list and click Add. In the NAS-IP-Address window, type the IP address of your security appliance and click OK to go back to the previous Window. Click Next.
  10. In the Permissions window, choose Grant remote access permission and click Next.
  11. In the Profile window, click Edit Profile. The Edit Dial-in Profile window opens.
  12. In the Edit Dial-in Profile window, click on the Authentication tab and make sure that only the Unencrypted authentication (PAP, SPAP) option is checked.
  13. In the Edit Dial-in Profile window, click on the Encryption tab and make sure that only the No encryption option is checked. Click OK to return to the previous window. Click Next.
  14. In the Completing the New Remote Access Policy Wizard window, click Finish.
  15. In the Internet Authentication Service window, expand the Connection Request Processing menu. Right-click the Connection Request Policies item and choose New Connection Request Policy.
  16. The New Connection Request Policy Wizard appears. Click Next.
  17. In the Policy Configuration Method window, choose Set up a custom policy. In the Policy Name field, type a name for the policy (For example, VPN Access). Click Next.
  18. In the Policy Conditions window, click Add; the Select Attribute window opens. Choose NAS-IP-Address from the attribute types list and click Add. In the NAS-IP-Address window, type the IP address of your security appliance and click OK to go back to the previous Window. Click Next.
  19. The Request Processing Method window appears. Click Next.
  20. In the Completing the New Connection Request Processing Policy Wizard window, click Finish.
  21. To modify the Active Directory users to allow connection, go to Control Panel > Administrative tools > Active Directory Users and Computers.
  22. Double-click the user you want to authenticate using RADIUS.
  23. Click the Dial-in tab, select Allow Access.
  24. Click Apply and OK.

Configure the appliance to support RADIUS authentication

  1. In the Users menu, click the RADIUS tab.
  2. In the Address field, enter the IP address of the Microsoft IAS server.
  3. In the Port field, choose the RADIUS port (default value is 1812).
  4. In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
  5. Choose the administration level or VPN access.

Note: A PKCS#12 certificate needs to be installed on the security appliance to support Hybrid Mode authentication for remote access VPN users. Hybrid Mode authentication is a method of authenticating with a VPN endpoint using authentication schemes other than a shared secret or digital certificates, such as SecurID cards, RADIUS or LDAP. For more information, see Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances.
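Both IAS procedures (Windows 2000 and Windows 2003) require "Unencrypted Authentication (PAP, SPAP)" and a shared secret that matches on the appliance and the server. The following added example, which is not part of the original article or of any Check Point or Microsoft code, implements the User-Password hiding defined for RADIUS PAP in RFC 2865, section 5.2, to show that the shared secret is the only thing protecting the user's password between the appliance and the IAS server. The function names and all sample values are constructed.

```python
import hashlib
import os


def hide_password(password, secret, authenticator):
    """Client side (the appliance): build the User-Password attribute value.

    RFC 2865 5.2: pad the password with NULs to a multiple of 16 bytes,
    then XOR each 16-byte block with MD5(secret + previous ciphertext
    block), using the Request Authenticator for the first block.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    previous = authenticator
    for offset in range(0, len(padded), 16):
        mask = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ m for p, m in zip(padded[offset:offset + 16], mask))
        hidden += block
        previous = block
    return hidden


def recover_password(hidden, secret, authenticator):
    """Server side (IAS): reverse the hiding with the same shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("attribute length must be a multiple of 16")
    clear = b""
    previous = authenticator
    for offset in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + previous).digest()
        block = hidden[offset:offset + 16]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        previous = block
    return clear.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed values for illustration only.
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)  # fresh per Access-Request
    password = b"correct horse battery"

    on_the_wire = hide_password(password, secret, authenticator)
    print("sent   :", on_the_wire.hex())
    print("server :", recover_password(on_the_wire, secret, authenticator))
    # A server configured with a different secret recovers garbage,
    # which is what a shared-secret mismatch looks like in practice.
    print("typo   :", recover_password(on_the_wire, b"wrong", authenticator))
```

Because the mask is derived only from the shared secret and values sent in the clear, the secret entered in the appliance's RADIUS page and in the IAS client entry should be long and random, and unique to that client.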

Support 802.1x wireless authentication with Microsoft 2003 and Active Directory RADIUS (LP57407)

A30: Note: It is recommended that you read the following article from Microsoft: "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows".

The following components are needed to support 802.1x wireless authentication with Microsoft 2003 and Active Directory RADIUS:

  • Microsoft Windows 2003 Server running IAS
  • IIS with ASP support
  • Certificate Services to create an Enterprise Root CA (Certificate Authority)
  • Active Directory
  • Wireless clients running Windows 2000/XP

Install IAS Service
Please refer to the "Install IAS instructions" from Microsoft.

Install IIS with ASP support
Please refer to the "Install IIS 6.0 instructions" from Microsoft.

Install Certificate Services and an Enterprise Root CA
Please refer to the "Step-by-Step Guide to Setting up a Certification Authority" from Microsoft. In addition please refer to the "Step-by-Step Guide to Certificate Services Web Pages" from Microsoft to learn about how to enroll certificates to the wireless clients computers.

Installing Active Directory on a Win2K server
The following links are good resources for information about Active Directory installation and deployment:

  • http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
  • http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm

Configure IAS to support wireless users authentication

  1. Click on 'Start > Programs > Administrative tools > Internet Authentication service'.
  2. Right-click on the Radius Clients folder, and choose "New RADIUS Client".
  3. In the New RADIUS Client window, fill in a "friendly" name and the IP address of your Embedded NG security appliance. Click "Next".
  4. From the Client-Vendor drop-down menu, choose "RADIUS Standard". Fill in the shared secret in the Shared Secret text field to match the one you entered on the security appliance's RADIUS page, and confirm the shared secret in the Confirm Shared Secret field.
  5. Click "Finish" to return to the Internet Authentication Service window.
  6. Right-click on Remote Access Policies in the left pane and choose "New Remote Access Policy" from the menu.
  7. Click "Next" in the New Remote Access Policy Wizard window.
  8. In the Policy Configuration Method window, choose "Set up a custom policy". In the Policy Name field, type a name for the policy (For example, VPN Access). Click "Next".
  9. In the Policy Conditions window, click "Add"; the Select Attribute window opens. Choose "NAS-Port-Type" from the attribute types list and click "Add". In the NAS-Port-Type window, choose "Wireless - IEEE 802.11" from the left pane and click "Add"; the selection should now appear in the right pane. Click "OK" to go back to the previous Window. Click "Next".
  10. In the Permissions window, choose "Grant remote access permission" and click "Next".
  11. In the Profile window, click "Edit Profile". The Edit Dial-in Profile window opens.
  12. In the Edit Dial-in Profile window, click on the Authentication tab. Select the "Microsoft Encrypted Authentication version 2 (MS-CHAP v2)" option. Click on the "EAP Methods" button. In the Select EAP Types window, click "Add" and select "Protected EAP (PEAP)". Click "OK" to return to previous window. Click "Next".
  13. In the Completing the New Remote Access Policy Wizard window, click "Finish".
  14. In the Internet Authentication Service window, expand the Connection Request Processing menu. Right-click the "Connection Request Policies" item and choose "New Connection Request Policy".
  15. The New Connection Request Policy Wizard appears. Click "Next".
  16. In the Policy Configuration method window, choose "A custom policy". In the Policy Name field, type a name for the policy (For example, VPN Access). Click "Next".
  17. Choose "NAS-Port-Type" from the attribute types list and click "Add". In the NAS-Port-Type window, choose "Wireless - IEEE 802.11" from the left pane and click "Add"; the selection should now appear in the right pane. Click "OK" to go back to the previous Window. Click "Next". The Completing the New Connection Request Processing Policy Wizard window appears.
  18. In the Completing the New Connection Request Processing Policy Wizard window, click "Finish".
  19. To modify the Active Directory users to allow connection, go to 'Control Panel > Administrative tools > Active Directory Users and Computers'.
  20. Double-click the user you want to authenticate using RADIUS.
  21. Click the Dial-in tab, select "Allow Access".
  22. Click "Apply" and "OK".

Configure the Embedded NG security appliance to support 802.1x wireless authentication

  1. Login to the Embedded NG Security appliance admin page.
  2. Click on the Network menu.
  3. Click on the My Network tab.
  4. Click on the "Edit" button of the WLAN network.
  5. From the Security drop-down box choose "802.1x: RADIUS authentication, no encryption".
  6. Click "Apply".

Configure the Embedded NG Wireless Security appliance to support RADIUS authentication

  1. In the Users menu, click the RADIUS tab.
  2. In the Address field, enter the IP address of the Microsoft IAS server.
  3. In the Port field, choose the RADIUS port (default value is 1812).
  4. In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
  5. Choose an additional administrator or VPN access level.
  6. Click "Apply".

Configure the wireless client to support 802.1x authentication

Depending on the wireless client configuration software, some or all of the following need to be configured:

  • 802.1x support
  • Server properties or certificate authority (CA) information
  • Username and password
  • Domain or server information

Remote Access VPN between two Check Point Embedded NG security appliances fails with errors (LP135165)

A31: The following solution is relevant to a Remote Access configuration between two Check Point Embedded NG security appliances, when one serves as the VPN client and the second serves as the VPN server. Typically, the failure takes place when the client box is installed with firmware version 5.0.x or subsequent firmware. The client box is able to authenticate with the server; however, communication with the remote network behind the VPN server box fails with an event log error message: "Error: No loaded CA name, as well as no CA name in topology".
Solution:
The VPN client module installed with firmware 5.0 uses Hybrid Mode IKE (Internet Key Exchange). In order for the Embedded NG VPN server to support this mode, a PKCS#12 certificate needs to be installed on the VPN server box. To create a certificate for an Embedded NG appliance installed with a firmware version earlier than 5.0.x, please see Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances.

Traffic is blocked when using the Check Point VPN client to the Embedded NG internal VPN server (LP143241)

A32: The Embedded NG gateway allows securing your internal network communications by connecting to its internal VPN server, using the Check Point SecuRemote/SecureClient VPN client. In other words, the VPN client must work in 'Route All Traffic' mode to encrypt all traffic sent by the client's host to the internal Embedded NG interface.
'Route All Traffic' mode is supported by the Check Point VPN client only when it is installed in an "Extended View" installation, instead of "Compact View". In case the VPN client is installed in "Compact View", traffic will be blocked by the firewall.

To switch the Check Point VPN client (versions R56 or R60) from "Compact View" to "Extended View":

  1. Right-click the SecuRemote/SecureClient icon in the system tray.
  2. Choose "Settings" from the menu.
  3. Click the Advanced tab.
  4. Select the "Extended View" button and click "OK".
  5. The VPN client software will restart itself in Extended View mode.
  6. Delete the existing VPN site and create a new one.
  7. Once connected to the Embedded NG internal interface using the new settings, a new site will appear in the VPN client console under the name of 'RouteAllTraffic'.

Cannot establish a VPN tunnel between a Check Point Embedded NG gateway and Cisco PIX (LP155172)

A33: A VPN connection may not be established between a Check Point Embedded NG gateway and a Cisco PIX. In some cases, the tunnel is created, but different errors may appear in the Embedded NG event log indicating VPN connection failure. The issues can be caused by:
  • Wrong setup of the Embedded NG and Cisco PIX VPN gateways
  • The Embedded NG VPN gateway is configured to send "Keepalive" packets that the Cisco PIX gateway cannot handle.

Solution

  1. Check the Cisco PIX configuration, as described in the "How to create a site-to-site between a Cisco PIX and a Check Point Embedded NG VPN gateway" article.
  2. When running the Check Point Embedded NG site to site VPN wizard, make sure to uncheck the "Keepalive" option.

How to implement the preshared Key authentication method for use with a L2TP/IPSec connection (LP211394)

A34: This is the solution as offered in the Microsoft knowledgebase: http://support.microsoft.com/kb/240262

Note:

  • In steps 12 and 13, the configuration is related to the Embedded NGX gateway.
  • This article contains information about modifying the registry. Before you modify the registry, make sure you know how to back it up, and how to restore the registry if a problem occurs.

To implement the preshared Key authentication method for use with a L2TP/IPSec connection: 

  1. Add the ProhibitIpSec registry value to both Windows 2000-based endpoint computers.
  2. Manually configure an IPSec policy, before an L2TP/IPSec connection can be established between two Windows 2000-based computers.

To add the ProhibitIpSec registry value to your Windows 2000-based computer, follow these steps: 

  1. Click "Start", click "Run", type "regedt32", and then click "OK".
  2. Locate, and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
  3. In the Edit menu, click "Add Value".
  4. In the Value Name box, type "ProhibitIpSec".
  5. In the Data Type list, click "REG_DWORD", and then click "OK".
  6. In the Data box, type "1", and then click "OK".
  7. Quit Registry Editor, and then restart your computer.

How to create an IPSec policy for use with L2TP/IPSec Connections, by using a preshared key:

  1. Click "Start", click "Run", type "mmc", and then click "OK".
  2. Click "Console", click "Add/Remove Snap-in", click "Add", click "IP Security Policy Management", click "Add", click "Finish", click "Close", and then click "OK".
  3. Right-click "IP Security Policies on Local Machine", click "Create IP Security Policy", and then click "Next".
  4. In the IP Security Policy Name dialog box, type the name for the IP Security policy in the Name box, and then click "Next".
  5. In the Requests for Secure Communication dialog box, click to clear the "Activate the default response rule" checkbox, and then click "Next".
  6. Click to select the Edit Properties checkbox, and then click "Finish".
  7. In the New IP Security Policy Properties dialog box, click "Add" on the Rules tab, and then click "Next".
  8. In the Tunnel Endpoint dialog box, click "This rule does not specify a tunnel", and then click "Next".
  9. In the Network Type dialog box, click "All network connections", and then click "Next".
  10. In the Authentication Method dialog box, click "Use this string to protect the key exchange (preshared key)", type a preshared key, and then click "Next".
  11. In the IP Filter List dialog box, click "Add", type a name for the IP filter list in the Name box, click "Add", and then click "Next".
  12. In the IP Traffic Source dialog box, click "A specific IP Address" in the Source address box, type the Embedded NGX appliance's IP address in the IP Address box, and then click "Next".
  13. In the IP Traffic Destination dialog box, click "A specific IP Address" in the Destination address box, type "ANY", and then click "Next".
  14. In the IP Protocol Type dialog box, click "UDP" in the "Select a protocol type" box, and then click "Next".
  15. In the IP Protocol Port dialog box, click "From this port", type "1701" in the "From this port" box, click "To any port", and then click "Next".
  16. Click to select the Edit properties checkbox, click "Finish", and then click to select the "Mirrored. Also match packets with the exact opposite source and destination addresses" checkbox in the Filter Properties dialog box.
  17. Click "OK", and then click "Close".
  18. In the IP Filter List dialog box, click the IP filter that you just created, and then click "Next".
  19. In the Filter Action dialog box, click "Add", and then create a new filter action that specifies which integrity and encryption algorithms will be used. Note: This new filter action must have the "Accept unsecured communication, but always respond using IPSec" feature disabled to improve security.
  20. Click "Next", click "Finish", and then click "Close".
  21. Right-click the IPSec policy that you just created, and then click "Assign".

What are the requirements for using Endpoint Connect with the Embedded NGX Appliances? (LP387173)

A35: The requirements for using Endpoint Connect with the Embedded NGX Appliances are:
  • Firmware 8.1.37 or higher is required for Endpoint Connect support.
  • Port 443 must not be forwarded from "This gateway" to an internal host. If you already forward port 443, you can configure Endpoint Connect to use port 981, instead. (You can configure Endpoint Connect to use a different port when creating the site, simply by adding the port after the IP address, for example 62.233.20.70:981. When using with the Embedded NGX Appliances, you can either use ports 443 or 981. If you want to use port 981, you also need to open access to HTTPS management from "any" under Setup - Management.)
  • Endpoint Connect is not supported on the Z100G Wireless Router.

How can I use Endpoint Connect and still forward port https/443 to an internal host? (LP387175)

A36: You can configure Endpoint Connect to use a different port when creating the site, simply by adding the port after the IP address, for example 62.233.20.70:981
When using with the Embedded NGX Appliances, you can either use ports 443 or 981. If you want to use port 981, you also need to open access to HTTPS management from "any" under Setup - Management.

What are the supported VPN clients for the Embedded NGX Appliances? (LP387176)

A37: The following clients are supported:
  • Check Point Endpoint Connect R73 (supported on Windows systems, 32-bit and 64-bit).
  • Check Point SecuRemote/SecureClient (supported on 32-bit Windows and Mac OS).
  • L2TP Dialer.

Endpoint Connect Port Selection (LP398496)

A38: Endpoint Connect (EPC) clients cannot connect to Safe@Office/UTM-1 Edge appliances after firmware upgrade to v8.2 post GA (8.2.33).

SYMPTOMS:

In previous GA versions (such as v8.1.47 or v8.2.26), the EPC clients were able to connect to Safe@Office/UTM-1 Edge appliances on ports 981 or 443, depending on configuration.

After upgrading to v8.2 post GA, EPC clients might not be able to connect on the same port.

CAUSE:

With the upgrade to a newer firmware version, the EPC is set to one default port (443 or 981).

If the following apply, the port will automatically be set to default port 981:

  • Web server under 'Security > Servers' tab is enabled.
  • A rule with Web Service that is called "Web Server" exists.
  • A rule that contains port 443 exists.

If none of the above apply to your settings, the default port will automatically be set to 443.

SOLUTION:

After the upgrade to a newer firmware version, the EPC port can be set to other port numbers.

If you are experiencing the above behavior, please do the following:

  • Make sure that the EPC port in the Safe@Office/UTM-1 Edge appliances matches the EPC port used in the EPC client.
  • Make sure that there are no security rules or NAT rules configured on Safe@Office/UTM-1 Edge appliances, or on SMP, that match the EPC port, defined in the appliance.

Customer Support and Services

How to get support and software updates for the IP30/IP40 appliance? (LP14651)

A39: The IP30/IP40 appliance is supported by the Check Point Support Organization. Support contracts must be purchased through your sales representative, or reseller, in order to receive technical support from Check Point.

How to activate my Safe@Office support plans or product upgrades? (LP15610)

A40: In order to activate the support plans and/or product upgrades for your Safe@Office product, surf to http://www.sofaware.com/activate and fill in the product activation form.

Support plans activation
Once your activation request is processed and validated, a confirmation message will be sent to you by email and you will be allowed to connect to the Check Point service center to get the services.

To connect to the Check Point Service Center do the following:

  • Surf to http://my.firewall  
  • Click on the Services menu.
  • Click on the Connect button.
  • Choose to connect to usercenter.sofaware.com
  • The subscription based services you purchased will be applied immediately.

Product upgrade activation
Once your activation request is processed and validated, a confirmation message will be sent to you with the Product Key (license) that will upgrade your product. To install the product key do the following:

  • Surf to http://my.firewall  
  • Click on 'Setup > Upgrade Product'.
  • Enter the product key string in the designated field.

Who provides Technical Support for Safe@Office products? (LP15654) 

A41: Technical support for Safe@Office products is provided by the Check Point Small Business Support team.

Fill in the online support request form (http://www.sofaware.com/supportForm.aspx) and one of our support experts will get back to you shortly by email.  

Chat live with a support expert when available. Technical support, on all channels, is available Mon-Fri, 9 AM - 5 PM (US and Europe time).

What support plans are available with my Safe@Office security appliance? (LP15717)  

A42: The following support options and plans are available for purchase by Safe@Office security appliance owners:

Annual Safe@Office Support and Subscription
(ST-CPSB)
Annual support and services plan that includes the following:
* Security and firmware updates
* Email, web and chat support
* Advanced replacement
* Dynamic DNS

Annual Safe@Office Antivirus, SmartDefense, Support and Subscription
(STAV-CPSB)
* Gateway antivirus updates
* Security and firmware updates
* Email, web and chat support
* Advanced replacement
* Dynamic DNS

Annual Safe@Office Web Filtering Service
(WF-CPSB)
* Provides URL filtering based on category classification of web-sites.

What does the Safe@Office Advanced Security Services Plan include? (LP15718)

A43: The Safe@Office Advanced Security Services Plan* includes the following:
  • Security and firmware updates.
  • Email, web and chat support.
  • Telephone support in English, from 8:00 AM to 5 PM local time.
  • Advance hardware replacement.
  • Anti-Virus subscription service.
  • Web Filtering subscription service.

* Advanced Security Services are available only in North America.

What is the RMA (Return Material Authorization) procedure for damaged Safe@Office hardware? (LP15722)

A44: If your Embedded NGX appliance is under hardware warranty and/or a valid support plan, it can be replaced in case of a hardware malfunction (Return Material Authorization). Please follow the RMA procedure as described below:
  • Contact the Check Point Small Business Support team, using one of the following methods: open a support ticket, or initiate a chat session at www.sofaware.com.
  • A support expert will attempt to troubleshoot an issue to confirm or exclude a hardware issue. You will be updated at each step of the troubleshooting process. 
  • In case a hardware issue is present, you will be issued an RMA form that must be filled and submitted to the Check Point Small Business Support team.
  • An RMA specialist will review the troubleshooting steps and will approve the RMA (or will ask to take further steps in the debugging process). 
  • You will be issued an RMA number for follow-up. 
  • A replacement product will be sent to the address specified in the RMA form.
  • A tracking number and estimated shipping date will be emailed to you once available.

Please note that the license on the replacement box is functional for 30 days only. In order to receive the permanent license, the damaged hardware must be shipped to the logistics center in the US or Europe (depending on your location), and a notification with a tracking number and courier for the returned hardware must be sent to the Check Point SMB Support Team.

Where can I view the Safe@Office models and features available? (LP15725)

A45: Information about Safe@Office models, features, datasheets and comparison charts is available from the Check Point web site.

How do I know my Safe@Office support and subscription expiration date? (LP16331)

A46: In order to view your subscription expiration date, please do the following:
  • Surf to http://my.firewall
  • Click on "Services".
  • The subscription expiration date is displayed.

How do I renew my Safe@Office support plan? (LP16332)

A47: Please contact your reseller for Safe@Office support plan renewal options. Once you renew the support plan, please refresh your service center connection to view the new expiration date.

Information about Demo Embedded NGX Gateways for small business channel partners (LP198358)

A48: What are Demo Embedded NGX Gateways?

Demo UTM Gateways are Safe@Office and VPN-1 Edge UTM gateways that are available to partners for the purpose of customer product demos only. Demo UTM Gateways are also known as NFR (Not for Resale) gateways. You can recognize a Demo UTM Gateway by the 'Not for Resale' sticker on the exterior of the appliance.

How many demo UTM Gateways can a partner purchase?

A partner can purchase up to 3 demo units.

What's included with a Demo UTM Gateway Out of the Box?

  • Demo UTM Gateways arrive with no license installed "out of the box".
  • The Demo UTM Gateway package includes a welcome letter with a Temporary Demo license.
  • Temporary Demo licenses are good for 30 days only.
  • No subscription services are applied to Demo UTM Gateways, out of the box.
  • The 30 days demo license cannot be extended, but can be replaced with a Permanent Demo license only.

How to get a permanent Demo license and service for my Demo gateway?

With a simple activation procedure, partners can get:

  • A permanent Demo license
  • 1 year of support and subscription services from the Check Point Service Center:
    • Software and security updates
    • VStream Antivirus signature updates
    • Web filtering
    • Monthly security reports

To activate:

  1. Partner fills in the Demo Gateway Activation Form on the SofaWare web site.
  2. The form details are accepted by the SofaWare support team.
  3. The SofaWare team sends a Permanent Demo license string by email to the partner, to install on the Demo UTM Gateway.
  4. The SofaWare team adds the Demo UTM Gateway and owner information to the Check Point Service Center.
  5. The SofaWare team sends an acknowledgment email and technical instructions to the partner email address.

Firewall

What is the difference between the low, medium and high security levels? (LP16225)

A49: The default security policy that comes with the Safe@ appliance basically blocks all incoming traffic and allows all outbound traffic, initiated from your home or office.
  • Low: All outbound traffic is allowed. All inbound traffic is blocked, except for ICMP echos ("pings").
  • Medium: All outbound traffic is allowed, except for Windows file sharing (NBT ports 137, 138, 139 and 445). All inbound traffic is blocked.
  • High: Restrictions apply to outbound traffic, allowing only Web traffic (HTTP, HTTPS), Email (IMAP, POP3, SMTP), ftp, NNTP, Telnet, DNS, IKE, 2746 UDP and 256 TCP traffic out. All inbound traffic is blocked.

Does the Safe@Office support H.323 VoIP through the firewall? (LP16226)

A50: Yes. You'll need to create a custom firewall rule to allow H.323 VoIP traffic.

What does the "TCP Out of State" log message mean? (LP171691)

A51: A "TCP Out of State" log message indicates that the Check Point security appliance intercepted a non-SYN packet that does not have an entry in the firewall's TCP connections table. Being a Stateful Inspection firewall, the Check Point security appliance will not let a TCP session start without a SYN packet first, in order to prevent a DoS (Denial of Service) attack.

The Check Point security appliance can be configured to log, block or ignore non-SYN packet activity, by using the following command line syntax:

  • Logging only - command line syntax: set fw ai stricttcp log
  • Blocking and Logging - command line syntax: set fw ai stricttcp block
  • Ignoring - command line syntax: set fw ai stricttcp disable
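
The check behind this log message, as a simplified model added here for illustration (it is not Check Point's implementation): a non-SYN segment with no connections-table entry is handled according to the stricttcp setting. The idle timeout, the log line format, the class and function names and the packet trace are constructed assumptions.

```python
from collections import namedtuple

# Values accepted by "set fw ai stricttcp" (from the page).
MODES = ("log", "block", "disable")

# Constructed packet record: time in seconds, endpoints, set of TCP flags.
Segment = namedtuple("Segment", "time src sport dst dport flags")


def conn_key(seg):
    """Direction-independent key, so replies match the entry the SYN created."""
    a, b = (seg.src, seg.sport), (seg.dst, seg.dport)
    return (a, b) if a <= b else (b, a)


class ConnectionTable:
    """Toy TCP connections table. Assumptions: one idle timeout for every
    entry, RST removes an entry, FIN and sequence numbers are not tracked."""

    def __init__(self, stricttcp="block", idle_timeout=3600):
        if stricttcp not in MODES:
            raise ValueError("stricttcp must be one of %s" % (MODES,))
        self.mode = stricttcp
        self.idle_timeout = idle_timeout
        self.entries = {}   # conn_key -> time the connection was last seen
        self.log = []       # constructed log lines, not the appliance's format

    def inspect(self, seg):
        """Return "accept" or "drop" for one segment."""
        key = conn_key(seg)
        last_seen = self.entries.get(key)
        if last_seen is not None and seg.time - last_seen > self.idle_timeout:
            del self.entries[key]          # entry aged out while idle
            last_seen = None
        if last_seen is not None:
            if "RST" in seg.flags:
                del self.entries[key]      # reset tears the connection down
            else:
                self.entries[key] = seg.time
            return "accept"
        if seg.flags == {"SYN"}:
            self.entries[key] = seg.time   # only a bare SYN opens a connection
            return "accept"
        # Non-SYN segment without a table entry: the "out of state" case.
        if self.mode == "disable":
            return "accept"
        self.log.append("TCP Out of State: %s:%d -> %s:%d flags=%s" % (
            seg.src, seg.sport, seg.dst, seg.dport, ",".join(sorted(seg.flags))))
        return "drop" if self.mode == "block" else "accept"


# Constructed trace: a normal handshake, the same connection resuming after
# the idle timeout, and a stray ACK for a connection that was never opened.
CLIENT, SERVER = "192.168.10.5", "203.0.113.10"
TRACE = [
    Segment(0, CLIENT, 40000, SERVER, 80, frozenset({"SYN"})),
    Segment(1, SERVER, 80, CLIENT, 40000, frozenset({"SYN", "ACK"})),
    Segment(2, CLIENT, 40000, SERVER, 80, frozenset({"ACK"})),
    Segment(5000, CLIENT, 40000, SERVER, 80, frozenset({"ACK", "PSH"})),
    Segment(5001, "198.51.100.7", 443, CLIENT, 50000, frozenset({"ACK"})),
]


def replay(mode, trace=TRACE):
    """Run the trace through a fresh table; return (verdicts, log lines)."""
    table = ConnectionTable(stricttcp=mode)
    verdicts = [table.inspect(seg) for seg in trace]
    return verdicts, table.log


if __name__ == "__main__":
    for mode in MODES:
        verdicts, log = replay(mode)
        print(mode, verdicts, "%d log line(s)" % len(log))
```

In this model, a long-idle session whose entry has expired produces the same log message as a packet that never belonged to any connection, which is worth keeping in mind when triaging these entries.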

How to block Microsoft MSN Messenger traffic? (LP186791)

A52: The SmartDefense AI (Application Intelligence) engine can identify the Microsoft MSN Messenger application signature and block its traffic. To block MSN Messenger traffic, do the following:
  1. Configure a rule that blocks traffic on ports TCP/UDP 1863.
  2. Configure SmartDefense to block the MSN Messenger application.

To configure a rule that blocks traffic on port TCP/UDP 1863:

  1. Surf to http://my.firewall
  2. Click on 'Security > Rules'.
  3. Click on the "Add Rule" button to start the firewall rules wizard and follow the instructions displayed.
  4. Configure a rule with the following attributes:
    • Rule type: Block
    • Service: Custom service - protocol Any, Port 1863
    • Source: LAN, Destination: WAN (Internet)

To configure SmartDefense to block MSN Messenger, do the following:

  1. Surf to http://my.firewall
  2. Click on 'Security > SmartDefense'.
  3. Collapse the 'HTTP > Header Rejection' branch.
  4. Choose "Block" from the Action drop-down menu.
  5. Check the MSN Messenger options from the applications list (Msn Messenger(1), Msn Messenger(2), Msn Messenger(3), Msn Messenger(4)).
  6. Click "Apply".

Notes:

  1. In case you don't see a list of applications, please click the "Defaults" button on the relevant SmartDefense page.
  2. Only new MSN Messenger sessions will be blocked. As a result, you will need to make sure to restart all MSN Messenger sessions.

How to block Microsoft MSN Messenger Live (version 8.0) traffic? (LP210807)

A53: The SmartDefense AI (Application Intelligence) engine can identify the Microsoft MSN Messenger Live (version 8.0 build 8.0.0812.00) application signature and block its traffic. To block MSN Messenger traffic, do the following:
  1. Configure a rule that blocks traffic on ports TCP/UDP 1863.
  2. Add the signature to the SmartDefense AI inspect engine using the command line.
  3. Configure SmartDefense to block the MSN Messenger Live application.

To configure a rule that blocks traffic on port TCP/UDP 1863:

  1. Surf to http://my.firewall
  2. Click on 'Security > Rules'.
  3. Click on the "Add Rule" button to start the firewall rules wizard and follow the instructions displayed.
  4. Configure a rule with the following attributes:
    • Rule type: Block
    • Service: Custom service - protocol Any, Port 1863
    • Source: LAN, Destination: WAN (Internet)

To add the MSN Messenger Live application signature, do the following:

  1. Surf to http://my.firewall
  2. Click on 'Setup > Tools'.
  3. Click on the "Command" button.
  4. In the command line text box, type the following command:

    add smartdefense ai http worm-catcher patterns name MSN8 regexp /gateway/gateway\.dll active true

  5. Click the "Go" button for changes to take effect.

To configure SmartDefense to block MSN Messenger, do the following:

  1. Surf to http://my.firewall
  2. Click on 'Security > SmartDefense'.
  3. Collapse the 'HTTP > Worm Catcher' branch.
  4. Choose "Block" from the Action drop-down menu.
  5. Select the "MSN8" option from the applications list.
  6. Click "Apply".

Notes:

  1. In case you don't see a list of applications, please click the "Defaults" button on the relevant SmartDefense page.
  2. Only new MSN Messenger sessions will be blocked. As a result, you will need to make sure to restart all MSN Messenger sessions.

General

I forgot the Safe@Office administrator password. What can I do? (LP16227)

A54: The Safe@Office does not have a default administrator password. In case you forgot the password, please reset the Safe@Office to factory settings, by pressing the reset button on the back of the box for 10 seconds. After the box reboots, you will be able to enter a new password.

How can I configure the Safe@Office appliance from a remote location? (LP16228)

A55: The Safe@Office appliance supports remote management. You can enable remote management and connect to the box from the Internet, by surfing to https://IP:981 (IP is the Internet Address of the Safe@Office appliance). To enable management of the Safe@Office from a remote location:
  1. Surf to http://my.firewall  
  2. Click on the Setup menu.
  3. Click on the Management menu.
  4. Choose the suitable management option for you.

Note: In case the Safe@Office appliance is installed behind another firewall or a NAT device, make sure to allow HTTPS traffic on TCP port 981 towards the Safe@Office appliance.

How can I backup and restore the Safe@Office configuration? (LP16322)

A57: In order to backup the Safe@Office configuration, do the following:
  1. Surf to http://my.firewall 
  2. Click on 'Setup > Tools'.
  3. Click on the "Export" button.
  4. Save the exported configuration file to a local folder.

In order to restore the Safe@Office configuration from a file:

  1. Surf to http://my.firewall 
  2. Click on 'Setup > Tools'.
  3. Click on the "Import" button.
  4. Locate the configuration file (.cfg) on your local hard drive and upload it.

Error message "Service Center did not respond" when trying to connect to a Service Center. (LP16330)

A58: The connection to a Check Point Service Center uses a proprietary protocol called SWTP (SofaWare Transport Protocol). This protocol makes sure that all communications between a Safe@Office box and the Service Center are secured and encrypted. The communication between the Safe@Office and a Service Center uses UDP ports 9281/9282.

In case your Safe@Office is behind another firewall, please make sure to enable traffic through the SWTP ports mentioned. In addition, please make sure that your router does not block these ports using ACLs (Access Lists).

What is Check Point Safe@Office? (LP16999)

A59: The Check Point Safe@Office appliance is an advanced Internet security appliance that enables secure high-speed Internet access from the office. The Safe@Office firewall, based on the world-leading Check Point Embedded NG Stateful Inspection technology, inspects and filters all incoming and outgoing traffic, blocking all unauthorized traffic.

The Safe@Office appliance also allows sharing your Internet connection among several PCs or other network devices, enabling advanced office networking and saving the cost of purchasing static IP addresses. You can also connect Safe@Office appliances to security services available from select service providers, including firewall security updates, Web filtering, and dynamic DNS. Business users can use the Safe@Office appliance to securely connect to the office network.

How do I configure my Embedded NGX Solution? (LP17000)

A60: Embedded NGX Solutions are configured through a simple Web-browser portal. No software installation is required. Just connect your Embedded NGX Solution, launch your browser, and surf to http://my.firewall.

What is the default LAN IP address of the Safe@Office appliance? (LP17001)

A61: The default LAN IP address of the Safe@Office appliance is 192.168.10.1.

Do Safe@Office Solutions work with any operating system? (LP17002)

A62: Yes. Safe@Office Solutions protect all of the computers on your network, regardless of their operating system. Plus, Safe@Office Solutions are configured through a Web browser and require no software installation on your computers. Therefore, they are manageable from any type of computer, regardless of its operating system.

Which management options are available for Safe@Office? (LP17004) 

A63: The following management options are available for Safe@Office:
  • Local web-based management
  • SofaWare Security Management Portal (SMP)

Safe@Office appliances cannot be managed by Check Point SmartCenter. For an appliance supporting SmartCenter enterprise management, refer to VPN-1 Edge.

How is this solution better than using a PC firewall? (LP17005)

A64: Inherent drawbacks with PC firewalls make Safe@Office solutions a superior choice:
  • PC firewalls protect a single PC. A Safe@Office Solution protects your entire network - all the PCs, Macintoshes, servers and other devices on the network
  • PC firewalls are managed and configured by the consumer. Most common security flaws originate from faulty configuration. To reduce risk for users, Safe@Office Solutions come with a pre-configured security policy. In addition, Safe@Office Solutions can be managed by a security solutions provider, transferring responsibility for security expertise to security experts.

Which Safe@Office models are available? (LP17006)

A65: To view the list of available Safe@Office models and their technical specifications, click here (http://www.sofaware.com/general.aspx?boneID=135&nsID=142&objID=94).

Why are the date and time displayed incorrectly? (LP17010)

A66: In the Safe@Office 'S' series, when a computer on the LAN connects to the Safe@Office Portal, the Safe@Office appliance adjusts its date and time to match that of the computer. If the date and time displayed in the Safe@Office Portal are incorrect, it probably means that the date and time on the computer connected to the Safe@Office Portal are incorrect. In the Safe@Office 200 series, you can adjust the time on the Setup page's Tools tab.

Can I connect an Ethernet switch to my appliance? (LP17011)

A67: You can cascade an additional hub or switch to the Safe@Office 'S' series appliance, by using a crossed Ethernet cable. The Safe@Office 'X' series automatically detects the cable type, so you can use either a straight-through or crossed cable.

Activate the TFTP server on the appliance (LP135792)

A68: Items can be uploaded to the Check Point security appliance in order to make them permanent even after a reset to factory settings. An item can be either a firmware file, a bootloader file or a configuration (CFG) file. The Check Point security appliance has an embedded TFTP server installed with default IP address 192.168.10.1, and a TFTP client must be used in order to upload items to the appliance. TFTP client software is usually part of the operating system, but can also be third-party software. To upload items do the following:
  1. Activate the TFTP server on the appliance by following these steps: unplug the power cord, hold the reset button on the back of the box, and plug in the power cord, while holding the button until the PWR/SEC LED is steady red.
  2. Connect a computer to one of the security appliance LAN ports.
  3. Configure the computer to use an IP address in the range 192.168.10.0 /255 (note that 192.168.10.1 is already taken by the appliance TFTP server by default).
  4. In case you are using the Win2K embedded TFTP client, open command prompt and type the following command:

    tftp -i 192.168.10.1 put [filename]
    The appliance will reboot.

Note: When uploading a firmware or bootloader file, the file must be compiled in TFTP format. A configuration file can be uploaded in CFG format.

Missing images in the my.firewall page (LP144347)

A69: When surfing to the my.firewall configuration page, images may not be displayed correctly because of the following reasons:

  1. Your browser cache is full
  2. An installed personal firewall prevents some scripts and images from loading

Solutions:

  1. Clear your browser cache
  2. Stop your personal firewall or filter the my.firewall page from the firewall tables.

What are the Check Point appliances' vendor specific RADIUS attributes? (LP145353)

A70: Vendor specific RADIUS attributes are supported with firmware 5.0.82 and subsequent versions. You can configure your RADIUS server to use the following attributes:

SofaWare Vendor ID: 6983

The list of permissions and corresponding attributes and values is described in the following table:

Permission Type                   Attribute ID   Possible Values (String)
ADMIN                             1              None, Readonly, Readwrite
VPN Access                        2              True, False
HotSpot                           3              True, False
Web Filter Override Permission    4              True, False
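
The following added example (not Check Point or SofaWare code) shows how the table above maps onto the RFC 2865 Vendor-Specific attribute (type 26), and how a reply can be checked so that only the listed values are accepted for the ADMIN permission and the others. The dictionary keys, the constructed sample attribute list and the case-insensitive matching of input values are assumptions of this example.

```python
import struct

SOFAWARE_VENDOR_ID = 6983      # vendor ID stated on this page
VENDOR_SPECIFIC = 26           # RFC 2865 attribute type for vendor-specific data

# Attribute IDs and allowed string values, taken from the table on this page.
# The keys are labels chosen for this example, not names used by the appliance.
PERMISSIONS = {
    "admin": (1, ("None", "Readonly", "Readwrite")),
    "vpn_access": (2, ("True", "False")),
    "hotspot": (3, ("True", "False")),
    "web_filter_override": (4, ("True", "False")),
}


def encode_vsa(permission, value):
    """Build one RADIUS attribute 26 carrying a single SofaWare sub-attribute."""
    attr_id, allowed = PERMISSIONS[permission]
    canonical = {v.lower(): v for v in allowed}
    if value.lower() not in canonical:
        raise ValueError(f"{value!r} is not a listed value for {permission}")
    data = canonical[value.lower()].encode("ascii")
    # Sub-attribute: vendor type, vendor length (covers its own 2-byte header), data.
    sub = struct.pack("!BB", attr_id, 2 + len(data)) + data
    # Outer attribute: type, length (2-byte header + 4-byte vendor ID + sub), vendor ID.
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), SOFAWARE_VENDOR_ID) + sub


def decode_permissions(attrs):
    """Walk a RADIUS attribute list and return the SofaWare permissions in it.

    Other attributes and other vendors' VSAs are skipped. Malformed lengths and
    values outside the table raise ValueError instead of being guessed at.
    """
    by_id = {attr_id: (name, allowed) for name, (attr_id, allowed) in PERMISSIONS.items()}
    found = {}
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("attribute length runs past the buffer")
        body = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != VENDOR_SPECIFIC:
            continue
        if len(body) < 4:
            raise ValueError("vendor-specific attribute without a vendor ID")
        (vendor,) = struct.unpack("!I", body[:4])
        if vendor != SOFAWARE_VENDOR_ID:
            continue
        sub, i = body[4:], 0
        while i < len(sub):
            if len(sub) - i < 2:
                raise ValueError("truncated sub-attribute header")
            s_type, s_len = sub[i], sub[i + 1]
            if s_len < 2 or i + s_len > len(sub):
                raise ValueError("sub-attribute length runs past the VSA")
            text = sub[i + 2:i + s_len].decode("ascii", errors="replace")
            i += s_len
            if s_type not in by_id:
                continue                     # ID not in the page's table
            name, allowed = by_id[s_type]
            if text not in allowed:
                raise ValueError(f"unexpected value {text!r} for {name}")
            found[name] = text
    return found


def _attr(a_type, data):
    """Helper for the constructed sample: a plain RADIUS attribute."""
    return bytes([a_type, 2 + len(data)]) + data


# Constructed sample attribute list (not captured traffic): a Reply-Message,
# a VSA from a different vendor ID, then two SofaWare permissions.
SAMPLE_ATTRS = (
    _attr(18, b"ok")
    + _attr(VENDOR_SPECIFIC, struct.pack("!I", 9) + b"\x01\x06test")
    + encode_vsa("admin", "Readonly")
    + encode_vsa("vpn_access", "True")
)

if __name__ == "__main__":
    print(encode_vsa("admin", "Readwrite").hex(" "))
    print(decode_permissions(SAMPLE_ATTRS))
```
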

Using Preset Configuration Files with Check Point Embedded NG Appliances (LP145374)

A71: Introduction

The RESET button on your Embedded NG appliance can be used for resetting the VPN-1 Edge appliance to its factory defaults. This results in the loss of all user settings, and reverting to the factory default firmware. Optionally, a preset configuration file can be loaded to the Embedded NG appliance, using the TFTP protocol, allowing a service provider or reseller to permanently modify the factory default settings. The preset configuration file is retained even after a reset to defaults operation.

The following procedures are valid for all the models in the Safe@Office and VPN-1 Edge appliance families.

Loading a Preset Configuration file

Preparing a Preset Configuration File

The Embedded NG configuration file is a simple text file, containing CLI (Command Line Interface) commands for the appliance. For more information on the Embedded NG CLI syntax, refer to the Embedded NG CLI Guide.

The configuration file should be stored as a text file with the extension .cfg.

The first line in the configuration file must begin with: "# Configuration script" and the last line in the file should begin with "# END Configuration script". These two lines are mandatory.

Note: The preset configuration file will not be cleared when the appliance is reset to defaults. The only way to clear a preset configuration file is by loading an empty configuration file (a configuration file with no CLI commands).

Tip: You can export a complete configuration file from an existing appliance by going to the 'Setup > Tools' tab in the Embedded NG configuration portal, and clicking the "Export" button.

Warning: Always make sure that the configuration file is valid before uploading it to the appliance.
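
Because a preset file survives a reset to defaults, it is worth checking the file and recording exactly what it will make permanent before uploading it. The following added example (not Check Point code) checks the rules stated above: the .cfg extension, the two mandatory marker lines, and whether the file is an empty preset that would clear an existing one. Treating lines that start with "#" as comments is an assumption of this example, and the sample content uses placeholder text, not real Embedded NG CLI syntax.

```python
import hashlib

FIRST_MARKER = "# Configuration script"       # mandatory first line (from the page)
LAST_MARKER = "# END Configuration script"    # mandatory last line (from the page)
UTF8_BOM = b"\xef\xbb\xbf"


def check_preset(filename, raw):
    """Check a preset configuration file before it is uploaded over TFTP.

    Returns a dict with:
      problems      - list of rule violations (empty when the file passes)
      commands      - the non-comment, non-blank lines that would persist
      clears_preset - True when the file is valid and contains no commands
      sha256        - digest of the exact bytes checked, for change records
    """
    problems = []
    if not filename.lower().endswith(".cfg"):
        problems.append("file extension is not .cfg")

    text = raw.decode("utf-8", errors="replace")
    lines = text.splitlines()

    if raw.startswith(UTF8_BOM):
        # Some editors prepend a byte order mark; the first line then no
        # longer begins with the required marker text.
        problems.append("file starts with a UTF-8 byte order mark before the first marker")
    elif not lines or not lines[0].startswith(FIRST_MARKER):
        problems.append(f"first line does not begin with {FIRST_MARKER!r}")

    # A trailing blank line makes the blank line the last line, so it is flagged.
    if not lines or not lines[-1].startswith(LAST_MARKER):
        problems.append(f"last line does not begin with {LAST_MARKER!r}")

    # Assumption: lines beginning with "#" are comments, everything else
    # that is not blank is a CLI command the appliance will keep after reset.
    commands = [
        line.strip()
        for line in lines
        if line.strip() and not line.lstrip().startswith("#")
    ]

    return {
        "problems": problems,
        "commands": commands,
        "clears_preset": not problems and not commands,
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


# Constructed samples. The middle line is placeholder text, not CLI syntax.
SAMPLE_PRESET = (
    b"# Configuration script\r\n"
    b"placeholder command one\r\n"
    b"# END Configuration script\r\n"
)
EMPTY_PRESET = b"# Configuration script\n# END Configuration script\n"

if __name__ == "__main__":
    for name, data in (("preset.cfg", SAMPLE_PRESET), ("clear.cfg", EMPTY_PRESET)):
        result = check_preset(name, data)
        print(name, result["problems"], result["commands"], result["clears_preset"])
```
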

Activating the Embedded NG TFTP server

Activate the TFTP server on the appliance by following these steps:

  1. Unplug the power cord.
  2. Using a pointed object, press the RESET button on the back of the VPN-1 Edge appliance steadily, while plugging in the power cord.
  3. Keep pressing the RESET button a few seconds until the PWR/SEC LED lights steadily in red.

Configuring the TFTP client

  1. Use a standard Ethernet cable to connect a computer to one of the LAN ports of the appliance.
  2. Configure the computer to use any fixed IP address in the range 192.168.10.2 - 192.168.10.254. Set the subnet mask to 255.255.255.0.
  3. If SecuRemote is installed on your PC, disable it.
  4. In case you are using the Windows 2000 embedded TFTP client, type the following command on the Windows command prompt: tftp -i 192.168.10.1 put [filename.cfg]
  5. The appliance will store the configuration file and automatically restart.
  6. Allow the VPN-1 Edge appliance to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).

Resetting to defaults

To reset the VPN-1 Edge appliance to factory defaults using the Reset button:

  1. Make sure the VPN-1 Edge appliance is powered on.
  2. Using a pointed object, press the RESET button on the back of the VPN-1 Edge appliance steadily for seven seconds, and then release it.
  3. Allow the VPN-1 Edge appliance to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).

The appliance will revert to the factory default settings (or to the preset configuration file, if one is loaded). The firmware will be reset to the factory default firmware.

A U.S. Robotics 56K Courier modem does not dial when connected to a Check Point Embedded NG security appliance (LP157573)

A72: A U.S. Robotics 56K Courier modem may not be able to dial out after the Embedded NG security gateway is configured with dialup connection properties. This happens because the default settings of the dialup modem do not allow a delay after the Embedded NG security gateway sends the ATZ command to the modem.

Solution: Configure the following init string \d\d\AT on the Embedded NG security gateway to create the necessary delay.

To configure an init string do the following:

  1. Surf to http://my.firewall and login to the admin console.
  2. Click on the 'Network > Ports' menu.
  3. Click on the "Setup" link near the RS232 (Dialup) image.
  4. Type \d\d\AT in the Initialization String field and click "Apply".
  5. Test the modem connection.

Configuring the RADIUS Vendor-Specific Attribute (LP158412)

A73: Learn how to configure a Vendor-Specific Attribute when using RADIUS to authenticate local and VPN users with RADIUS servers from different vendors. See Configuring the RADIUS Vendor-Specific Attribute.

Which printers are supported by the USB print server in my Embedded NGX appliance? (LP172241)

A74: The print server is compatible with most printers with a USB interface. Multifunction printers will operate as a printer only. Scanner functionality in these printers is not supported.

The following printers are known to operate correctly with the Embedded NGX integrated print server:

Brother HL-2030
Brother HL-2040
Brother HL-5140
Brother HL-5240
Canon MF5750
Canon MF5770
Canon MP150
Canon MP390
Canon MP500
Canon MP700
Canon MP780
Canon S520
Canon i250
Canon i350
Canon i450
Canon i560
Canon i850
Canon i860
Canon i865
Canon i905D
Canon i9100
Canon i960
Canon i9950
Canon iP1000
Canon iP1300
Canon iP1600
Canon iP1700
Canon iP3000
Canon iP4000
Canon iP4200
Canon iP5000
Canon iP8500
Canon S450
Canon PIXMA MP600
Dell Laser Printer 1700n
Dell Laser Printer 1710n
Dell Laser Printer P1500
DYMO LabelWriter 320
HP Color Inkjet CP1700
HP Color LaserJet 1500
HP Color LaserJet 1600
HP Color LaserJet 2550
HP Color LaserJet 2600n
HP Color LaserJet 3500
HP Color LaserJet 3550
HP DesignJet 70
HP Deskjet 1220C
HP Deskjet D1400
HP DeskJet D2300
HP DeskJet F2100 series
HP Deskjet F4100 series
HP Deskjet 3600
HP Deskjet 3740
HP Deskjet 3820
HP Deskjet 3840
HP DeskJet 3900
HP Deskjet 460
HP Deskjet 5100
HP Deskjet 5400
HP Deskjet 5550
HP Deskjet 5600
HP Deskjet 5700
HP Deskjet 5900
HP Deskjet 6122
HP Deskjet 640c
HP Deskjet 6500
HP Deskjet 6800
HP Deskjet 810C
HP Deskjet 815C
HP Deskjet 830C
HP Deskjet 845C
HP Deskjet 920C
HP Deskjet 930C
HP Deskjet 940C
HP Deskjet 950C
HP Deskjet 960C
HP Deskjet 970C
HP Deskjet 980C
HP Deskjet 990C
HP LaserJet 1010
HP LaserJet 1012
HP LaserJet 1015
HP LaserJet 1150
HP LaserJet 1200
HP LaserJet 1220
HP LaserJet 1300
HP LaserJet 1320
HP LaserJet 2300
HP LaserJet 3015
HP LaserJet 3030
HP LaserJet 3055
HP LaserJet 3200
HP LaserJet 3330
HP Officejet 4100
HP Officejet 4200
HP Officejet 4300
HP Officejet 5500
HP Officejet 5600
HP Officejet J5700
HP Officejet 6100
HP Officejet 6200
HP Officejet 7100
HP Officejet 7400
HP Officejet G85
HP OfficeJet G85xi
HP Officejet V40
HP Officejet V40xi
HP Officejet d
HP OfficeJet Pro K850
HP PSC 1200
HP PSC 1310
HP PSC 1500
HP PSC 2100
HP PSC 2350
HP PSC 2400
HP PSC 2500
HP PSC 720
HP PSC 750
HP PSC 920
HP PSC 930
HP PSC 950
HP Photosmart 1218
HP Photosmart 2570
HP Photosmart 3200
HP Photosmart 7150
HP PhotoSmart 7200
HP Photosmart 7350
HP Photosmart 7400
HP Photosmart 7550
HP Photosmart 7600
HP Photosmart 7700
HP Photosmart 7900
HP Photosmart D7100
HP Photosmart D7300
Konica Minolta PagePro PP1350W
Kyocera KM-1820
Lexmark 1200 Series
Lexmark C510
Lexmark E210 Laser Printer
Lexmark E232
Lexmark E238
Lexmark E323
Lexmark E330
Lexmark X1100
Lexmark X215
Lexmark X340
Lexmark X6100
Lexmark Z35
Lexmark Z45
Oki ML5590
Samsung CLP-510
Samsung ML-1450
Samsung ML-1650
Samsung ML-1710
Samsung ML-1740
Samsung ML-1750
Samsung ML-2010
Samsung ML-2550
Samsung SCX-4100
Samsung SCX-4x16
Samsung SCX-4x21
Samsung SCX-5x12
Xerox DocuPrint P1202
Xerox Phaser 3116
Xerox Phaser 3117
Xerox Phaser 3120
Xerox Phaser 3121
Xerox Phaser 3130
Xerox Phaser 3150
Xerox Phaser 3210
Xerox Phaser 6100 Color Laser
Xerox Phaser 6180DN
Xerox Phaser 7300 Series
Xerox WorkCentre 4118
Xerox WorkCentre PE16
Xerox WorkCentre PE120

The following printers are known to be incompatible with the Print Server:

HP OfficeJet G85
HP OfficeJet K80xi
HP Laserjet 1020
Lexmark-6100
Lexmark-6150

Check Point Embedded NGX log messages reference (LP173482)

How do I perform a factory reset of the appliance? (LP223535)

A76: Please note that this will erase all passwords and configurations.

To reset the box to defaults, please do the following:

  1. Unplug the power cord.
  2. Hold the reset button on the back of the box.
  3. Plug in the power cord while holding the button until the PWR/SEC LED is steady red.
  4. Release the reset button for 3 seconds.
  5. Press the reset button again for 10 seconds until the PWR/SEC LED starts blinking red.
  6. Reconfigure your box and install certs.

What is QOS (Traffic shaping) (LP337245)

A77: Please use the following link: http://www.sofaware.com/general.aspx?boneID=148&nsId=142&objId=103

How do I change the default timeout settings for a specific type of service? (LP339484) (Edge Devices)

A78: To change the timeout for a specific service, follow these steps:
  1. Go to the libsw directory.
  2. Open the init.def file.
  3. In the tcp_timeouts section, add the specific service and the timeout.
  4. After changing the value, reinstall the Edge policy.

Please note: you need to change this value manually every time you replace the libsw directory, or after you install HA. For example, to set the timeout for TCP port 400 to 7200 seconds:

    ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
    ADD_TCP_TIMEOUT(400,7200),
    ADD_TCP_TIMEOUT(66666,TCP_TIMEOUT),
    ADD_TCP_TIMEOUT(0,0)

Licensing


How are nodes counted within the Safe@Office product line license? (LP16317)

A79: Nodes are counted, based on the number of concurrent IP addresses generating traffic through the firewall. An IP node will generate traffic through the firewall when it sends packets to resources outside its own network (such as the Internet, DMZ, secondary logical network etc.). As a result, devices like network printers, switches or access points will not be counted as licensed nodes.

How do I upgrade the Check Point security appliance node limit? (LP16318)

A80: In order to upgrade the node limit, you need to purchase a product upgrade. In most cases, you will simply get a product key string. However, an upgrade from a 5/10 nodes product to a 25 nodes product may require replacing your hardware. Please contact your reseller for upgrade and pricing information.  Additionally, you can manually purchase an upgrade to the node limit at the Check Point Store.

How long does it take for an IP node to release a license? (LP16319)

A81: An IP node will release its license after 60 minutes of not generating traffic through the firewall. An IP node that released its license is displayed in blue on the Active Computers page.

How do I prevent an IP node from taking up a license? (LP16320)

A82: An IP node will take up a license if it generates traffic through the firewall. In order to prevent a node from generating traffic through the firewall, you'll need to set the node up with no default gateway information. Please note that this will make the node unable to surf the Internet.

I reset my appliance to factory settings and lost the product key information. What can I do? (LP16321)

A83: Please contact your reseller to retrieve the latest product key for your appliance.

SNMP MIB table example for Check Point Security Appliances (LP145159)

A84: System Information

In this section you will find general system information such as name, location and uptime.

SNMPv2-MIB::sysDescr.0 = STRING: SofaWare Embedded NG

SNMPv2-MIB::sysObjectID.0 = OID: netSnmpAgentOIDs

SNMPv2-MIB::sysUpTimeInstance = Timeticks: (49802) 0:08:18.02

SNMPv2-MIB::sysContact.0 = STRING:

SNMPv2-MIB::sysName.0 = STRING: 00:08:da:70:20:8c

SNMPv2-MIB::sysLocation.0 = STRING:

SNMPv2-MIB::sysServices.0 = INTEGER: 72

SNMPv2-MIB::sysORLastChange.0 = Timeticks: (26) 0:00:00.26

SNMPv2-MIB::sysORID.1 = OID: snmpMIB

SNMPv2-MIB::sysORID.2 = OID: vacmBasicGroup

SNMPv2-MIB::sysORID.3 = OID: ifMIB

SNMPv2-MIB::sysORDescr.1 = STRING: The MIB module for SNMPv2 entities

SNMPv2-MIB::sysORDescr.2 = STRING: View-based Access Control Model for SNMP.

SNMPv2-MIB::sysORDescr.3 = STRING: The MIB module to describe generic objects for network interface sub-layers

SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00

SNMPv2-MIB::sysORUpTime.2 = Timeticks: (0) 0:00:00.00

SNMPv2-MIB::sysORUpTime.3 = Timeticks: (26) 0:00:00.26

Interface information

In this section you will find information about the interfaces of the appliance, such as MAC addresses, interface speed, up/down status, number of packets passed and so on.

IF-MIB::ifNumber.0 = INTEGER: 6

IF-MIB::ifIndex.1 = INTEGER: 1

IF-MIB::ifIndex.2 = INTEGER: 2

IF-MIB::ifIndex.3 = INTEGER: 3

IF-MIB::ifIndex.4 = INTEGER: 4

IF-MIB::ifIndex.5 = INTEGER: 5

IF-MIB::ifIndex.6 = INTEGER: 6

IF-MIB::ifDescr.1 = STRING: lo

IF-MIB::ifDescr.2 = STRING: eth0

IF-MIB::ifDescr.3 = STRING: eth1

IF-MIB::ifDescr.4 = STRING: eth2

IF-MIB::ifDescr.5 = STRING: tunl0

IF-MIB::ifDescr.6 = STRING: wlan0

IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)

IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)

IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)

IF-MIB::ifType.4 = INTEGER: ethernetCsmacd(6)

IF-MIB::ifType.5 = INTEGER: tunnel(131)

IF-MIB::ifType.6 = INTEGER: ethernetCsmacd(6)

IF-MIB::ifMtu.1 = INTEGER: 16436

IF-MIB::ifMtu.2 = INTEGER: 1500

IF-MIB::ifMtu.3 = INTEGER: 1500

IF-MIB::ifMtu.4 = INTEGER: 1500

IF-MIB::ifMtu.5 = INTEGER: 1480

IF-MIB::ifMtu.6 = INTEGER: 1500

IF-MIB::ifSpeed.1 = Gauge32: 10000000

IF-MIB::ifSpeed.2 = Gauge32: 10000000

IF-MIB::ifSpeed.3 = Gauge32: 10000000

IF-MIB::ifSpeed.4 = Gauge32: 10000000

IF-MIB::ifSpeed.5 = Gauge32: 0

IF-MIB::ifSpeed.6 = Gauge32: 10000000

IF-MIB::ifPhysAddress.1 = STRING:

IF-MIB::ifPhysAddress.2 = STRING: 0:8:da:70:20:8a

IF-MIB::ifPhysAddress.3 = STRING: 0:8:da:70:20:8c

IF-MIB::ifPhysAddress.4 = STRING: 0:8:da:70:20:8b

IF-MIB::ifPhysAddress.5 = STRING:

IF-MIB::ifPhysAddress.6 = STRING: 0:f:ea:91:4c:e1

IF-MIB::ifAdminStatus.1 = INTEGER: up(1)

IF-MIB::ifAdminStatus.2 = INTEGER: up(1)

IF-MIB::ifAdminStatus.3 = INTEGER: up(1)

IF-MIB::ifAdminStatus.4 = INTEGER: up(1)

IF-MIB::ifAdminStatus.5 = INTEGER: down(2)

IF-MIB::ifAdminStatus.6 = INTEGER: down(2)

IF-MIB::ifOperStatus.1 = INTEGER: up(1)

IF-MIB::ifOperStatus.2 = INTEGER: down(2)

IF-MIB::ifOperStatus.3 = INTEGER: up(1)

IF-MIB::ifOperStatus.4 = INTEGER: down(2)

IF-MIB::ifOperStatus.5 = INTEGER: down(2)

IF-MIB::ifOperStatus.6 = INTEGER: down(2)

IF-MIB::ifLastChange.1 = Timeticks: (0) 0:00:00.00

IF-MIB::ifLastChange.2 = Timeticks: (0) 0:00:00.00

IF-MIB::ifLastChange.3 = Timeticks: (0) 0:00:00.00

IF-MIB::ifLastChange.4 = Timeticks: (0) 0:00:00.00

IF-MIB::ifLastChange.5 = Timeticks: (0) 0:00:00.00

IF-MIB::ifLastChange.6 = Timeticks: (0) 0:00:00.00

IF-MIB::ifInOctets.1 = Counter32: 0

IF-MIB::ifInOctets.2 = Counter32: 193692

IF-MIB::ifInOctets.3 = Counter32: 811607

IF-MIB::ifInOctets.4 = Counter32: 0

IF-MIB::ifInOctets.5 = Counter32: 0

IF-MIB::ifInOctets.6 = Counter32: 0

IF-MIB::ifInUcastPkts.1 = Counter32: 0

IF-MIB::ifInUcastPkts.2 = Counter32: 1521

IF-MIB::ifInUcastPkts.3 = Counter32: 1635

IF-MIB::ifInUcastPkts.4 = Counter32: 0

IF-MIB::ifInUcastPkts.5 = Counter32: 0

IF-MIB::ifInUcastPkts.6 = Counter32: 0

IF-MIB::ifInNUcastPkts.1 = Counter32: 0

IF-MIB::ifInNUcastPkts.2 = Counter32: 0

IF-MIB::ifInNUcastPkts.3 = Counter32: 0

IF-MIB::ifInNUcastPkts.4 = Counter32: 0

IF-MIB::ifInNUcastPkts.5 = Counter32: 0

IF-MIB::ifInNUcastPkts.6 = Counter32: 0

IF-MIB::ifInDiscards.1 = Counter32: 0

IF-MIB::ifInDiscards.2 = Counter32: 0

IF-MIB::ifInDiscards.3 = Counter32: 0

IF-MIB::ifInDiscards.4 = Counter32: 0

IF-MIB::ifInDiscards.5 = Counter32: 0

IF-MIB::ifInDiscards.6 = Counter32: 0

IF-MIB::ifInErrors.1 = Counter32: 0

IF-MIB::ifInErrors.2 = Counter32: 0

IF-MIB::ifInErrors.3 = Counter32: 0

IF-MIB::ifInErrors.4 = Counter32: 0

IF-MIB::ifInErrors.5 = Counter32: 0

IF-MIB::ifInErrors.6 = Counter32: 198

IF-MIB::ifInUnknownProtos.1 = Counter32: 0

IF-MIB::ifInUnknownProtos.2 = Counter32: 0

IF-MIB::ifInUnknownProtos.3 = Counter32: 0

IF-MIB::ifInUnknownProtos.4 = Counter32: 0

IF-MIB::ifInUnknownProtos.5 = Counter32: 0

IF-MIB::ifInUnknownProtos.6 = Counter32: 0

IF-MIB::ifOutOctets.1 = Counter32: 0

IF-MIB::ifOutOctets.2 = Counter32: 1131094

IF-MIB::ifOutOctets.3 = Counter32: 62054

IF-MIB::ifOutOctets.4 = Counter32: 0

IF-MIB::ifOutOctets.5 = Counter32: 0

IF-MIB::ifOutOctets.6 = Counter32: 0

IF-MIB::ifOutUcastPkts.1 = Counter32: 0

IF-MIB::ifOutUcastPkts.2 = Counter32: 1735

IF-MIB::ifOutUcastPkts.3 = Counter32: 515

IF-MIB::ifOutUcastPkts.4 = Counter32: 0

IF-MIB::ifOutUcastPkts.5 = Counter32: 0

IF-MIB::ifOutUcastPkts.6 = Counter32: 0

IF-MIB::ifOutNUcastPkts.1 = Counter32: 0

IF-MIB::ifOutNUcastPkts.2 = Counter32: 0

IF-MIB::ifOutNUcastPkts.3 = Counter32: 0

IF-MIB::ifOutNUcastPkts.4 = Counter32: 0

IF-MIB::ifOutNUcastPkts.5 = Counter32: 0

IF-MIB::ifOutNUcastPkts.6 = Counter32: 0

IF-MIB::ifOutDiscards.1 = Counter32: 0

IF-MIB::ifOutDiscards.2 = Counter32: 0

IF-MIB::ifOutDiscards.3 = Counter32: 0

IF-MIB::ifOutDiscards.4 = Counter32: 0

IF-MIB::ifOutDiscards.5 = Counter32: 0

IF-MIB::ifOutDiscards.6 = Counter32: 1

IF-MIB::ifOutErrors.1 = Counter32: 0

IF-MIB::ifOutErrors.2 = Counter32: 0

IF-MIB::ifOutErrors.3 = Counter32: 0

IF-MIB::ifOutErrors.4 = Counter32: 0

IF-MIB::ifOutErrors.5 = Counter32: 0

IF-MIB::ifOutErrors.6 = Counter32: 0

IF-MIB::ifOutQLen.1 = Gauge32: 0

IF-MIB::ifOutQLen.2 = Gauge32: 0

IF-MIB::ifOutQLen.3 = Gauge32: 0

IF-MIB::ifOutQLen.4 = Gauge32: 0

IF-MIB::ifOutQLen.5 = Gauge32: 0

IF-MIB::ifOutQLen.6 = Gauge32: 0

IF-MIB::ifSpecific.1 = OID: zeroDotZero

IF-MIB::ifSpecific.2 = OID: zeroDotZero

IF-MIB::ifSpecific.3 = OID: zeroDotZero

IF-MIB::ifSpecific.4 = OID: zeroDotZero

IF-MIB::ifSpecific.5 = OID: zeroDotZero

IF-MIB::ifSpecific.6 = OID: zeroDotZero


SNMP Information

In this section you will find information concerning SNMP packets that have passed through the appliance, such as the incoming/outgoing count, number of get/set requests, number of erroneous packets and so on.

SNMPv2-MIB::snmpInPkts.0 = Counter32: 347

SNMPv2-MIB::snmpOutPkts.0 = Counter32: 347

SNMPv2-MIB::snmpInBadVersions.0 = Counter32: 0

SNMPv2-MIB::snmpInBadCommunityNames.0 = Counter32: 0

SNMPv2-MIB::snmpInBadCommunityUses.0 = Counter32: 0

SNMPv2-MIB::snmpInASNParseErrs.0 = Counter32: 0

SNMPv2-MIB::snmpInTooBigs.0 = Counter32: 0

SNMPv2-MIB::snmpInNoSuchNames.0 = Counter32: 0

SNMPv2-MIB::snmpInBadValues.0 = Counter32: 0

SNMPv2-MIB::snmpInReadOnlys.0 = Counter32: 0

SNMPv2-MIB::snmpInGenErrs.0 = Counter32: 0

SNMPv2-MIB::snmpInTotalReqVars.0 = Counter32: 357

SNMPv2-MIB::snmpInTotalSetVars.0 = Counter32: 0

SNMPv2-MIB::snmpInGetRequests.0 = Counter32: 0

SNMPv2-MIB::snmpInGetNexts.0 = Counter32: 361

SNMPv2-MIB::snmpInSetRequests.0 = Counter32: 0

SNMPv2-MIB::snmpInGetResponses.0 = Counter32: 0

SNMPv2-MIB::snmpInTraps.0 = Counter32: 0

SNMPv2-MIB::snmpOutTooBigs.0 = Counter32: 0

SNMPv2-MIB::snmpOutNoSuchNames.0 = Counter32: 0

SNMPv2-MIB::snmpOutBadValues.0 = Counter32: 0

SNMPv2-MIB::snmpOutGenErrs.0 = Counter32: 0

SNMPv2-MIB::snmpOutGetRequests.0 = Counter32: 0

SNMPv2-MIB::snmpOutGetNexts.0 = Counter32: 0

SNMPv2-MIB::snmpOutSetRequests.0 = Counter32: 0

SNMPv2-MIB::snmpOutGetResponses.0 = Counter32: 371

SNMPv2-MIB::snmpOutTraps.0 = Counter32: 0

SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)

SNMPv2-MIB::snmpSilentDrops.0 = Counter32: 0

SNMPv2-MIB::snmpProxyDrops.0 = Counter32: 0

ARP Table information

In this section you will find the entries of the ARP table

RFC1213-MIB::atIfIndex.2.1.192.168.10.11 = INTEGER: 2

RFC1213-MIB::atIfIndex.3.1.62.90.32.1 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.2 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.3 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.10 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.11 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.15 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.72 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.89 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.105 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.145 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.210 = INTEGER: 3

RFC1213-MIB::atIfIndex.3.1.62.90.32.250 = INTEGER: 3

RFC1213-MIB::atPhysAddress.2.1.192.168.10.11 = Hex-STRING: 00 D0 B7 8E 20 07

RFC1213-MIB::atPhysAddress.3.1.62.90.32.1 = Hex-STRING: 00 80 C8 B9 D8 4B

RFC1213-MIB::atPhysAddress.3.1.62.90.32.2 = Hex-STRING: 00 06 29 33 22 04

RFC1213-MIB::atPhysAddress.3.1.62.90.32.3 = Hex-STRING: 00 D0 B7 8E 20 08

RFC1213-MIB::atPhysAddress.3.1.62.90.32.10 = Hex-STRING: 00 0C F1 DB D2 A1

RFC1213-MIB::atPhysAddress.3.1.62.90.32.11 = Hex-STRING: 00 09 6B 07 0B 65

RFC1213-MIB::atPhysAddress.3.1.62.90.32.15 = Hex-STRING: 00 09 6B 94 05 4F

RFC1213-MIB::atPhysAddress.3.1.62.90.32.72 = Hex-STRING: 00 11 11 6C 08 04

RFC1213-MIB::atPhysAddress.3.1.62.90.32.89 = Hex-STRING: 00 08 DA 70 09 0E

RFC1213-MIB::atPhysAddress.3.1.62.90.32.105 = Hex-STRING: 00 07 E9 1A 02 48

RFC1213-MIB::atPhysAddress.3.1.62.90.32.145 = Hex-STRING: 00 03 BA 13 15 75

RFC1213-MIB::atPhysAddress.3.1.62.90.32.210 = Hex-STRING: 00 0C F1 BA 3F 97

RFC1213-MIB::atPhysAddress.3.1.62.90.32.250 = Hex-STRING: 00 D0 B7 80 58 37

RFC1213-MIB::atNetAddress.2.1.192.168.10.11 = Network Address: C0:A8:0A:0B

RFC1213-MIB::atNetAddress.3.1.62.90.32.1 = Network Address: 3E:5A:20:01

RFC1213-MIB::atNetAddress.3.1.62.90.32.2 = Network Address: 3E:5A:20:02

RFC1213-MIB::atNetAddress.3.1.62.90.32.3 = Network Address: 3E:5A:20:03

RFC1213-MIB::atNetAddress.3.1.62.90.32.10 = Network Address: 3E:5A:20:0A

RFC1213-MIB::atNetAddress.3.1.62.90.32.11 = Network Address: 3E:5A:20:0B

RFC1213-MIB::atNetAddress.3.1.62.90.32.15 = Network Address: 3E:5A:20:0F

RFC1213-MIB::atNetAddress.3.1.62.90.32.72 = Network Address: 3E:5A:20:48

RFC1213-MIB::atNetAddress.3.1.62.90.32.89 = Network Address: 3E:5A:20:59

RFC1213-MIB::atNetAddress.3.1.62.90.32.105 = Network Address: 3E:5A:20:69

RFC1213-MIB::atNetAddress.3.1.62.90.32.145 = Network Address: 3E:5A:20:91

RFC1213-MIB::atNetAddress.3.1.62.90.32.210 = Network Address: 3E:5A:20:D2

RFC1213-MIB::atNetAddress.3.1.62.90.32.250 = Network Address: 3E:5A:20:FA

RFC1213-MIB::ipNetToMediaIfIndex.2.192.168.10.11 = INTEGER: 2

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.1 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.2 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.3 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.10 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.11 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.15 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.72 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.89 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.105 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.145 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.210 = INTEGER: 3

RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.250 = INTEGER: 3

RFC1213-MIB::ipNetToMediaPhysAddress.2.192.168.10.11 = Hex-STRING: 00 D0 B7 8E 20 07

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.1 = Hex-STRING: 00 80 C8 B9 D8 4B

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.2 = Hex-STRING: 00 06 29 33 22 04

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.3 = Hex-STRING: 00 D0 B7 8E 20 08

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.10 = Hex-STRING: 00 0C F1 DB D2 A1

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.11 = Hex-STRING: 00 09 6B 07 0B 65

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.15 = Hex-STRING: 00 09 6B 94 05 4F

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.72 = Hex-STRING: 00 11 11 6C 08 04

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.89 = Hex-STRING: 00 08 DA 70 09 0E

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.105 = Hex-STRING: 00 07 E9 1A 02 48

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.145 = Hex-STRING: 00 03 BA 13 15 75

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.210 = Hex-STRING: 00 0C F1 BA 3F 97

RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.250 = Hex-STRING: 00 D0 B7 80 58 37

RFC1213-MIB::ipNetToMediaNetAddress.2.192.168.10.11 = IpAddress: 192.168.10.11

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.1 = IpAddress: 62.90.32.1

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.2 = IpAddress: 62.90.32.2

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.3 = IpAddress: 62.90.32.3

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.10 = IpAddress: 62.90.32.10

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.11 = IpAddress: 62.90.32.11

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.15 = IpAddress: 62.90.32.15

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.72 = IpAddress: 62.90.32.72

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.89 = IpAddress: 62.90.32.89

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.105 = IpAddress: 62.90.32.105

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.145 = IpAddress: 62.90.32.145

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.210 = IpAddress: 62.90.32.210

RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.250 = IpAddress: 62.90.32.250

RFC1213-MIB::ipNetToMediaType.2.192.168.10.11 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.1 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.2 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.3 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.10 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.11 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.15 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.72 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.89 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.105 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.145 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.210 = INTEGER: dynamic(3)

RFC1213-MIB::ipNetToMediaType.3.62.90.32.250 = INTEGER: dynamic(3)

IP Information

In this section you will find statistical information concerning IP packets, such as the number of incoming packets, the number of packets discarded, and so on.

IP-MIB::ipForwarding.0 = INTEGER: forwarding(1)

IP-MIB::ipDefaultTTL.0 = INTEGER: 64

IP-MIB::ipInReceives.0 = Counter32: 2224

IP-MIB::ipInHdrErrors.0 = Counter32: 0

IP-MIB::ipInAddrErrors.0 = Counter32: 0

IP-MIB::ipForwDatagrams.0 = Counter32: 1090

IP-MIB::ipInUnknownProtos.0 = Counter32: 0

IP-MIB::ipInDiscards.0 = Counter32: 0

IP-MIB::ipInDelivers.0 = Counter32: 1077

IP-MIB::ipOutRequests.0 = Counter32: 1603

IP-MIB::ipOutDiscards.0 = Counter32: 0

IP-MIB::ipOutNoRoutes.0 = Counter32: 0

IP-MIB::ipReasmTimeout.0 = INTEGER: 0

IP-MIB::ipReasmReqds.0 = Counter32: 0

IP-MIB::ipReasmOKs.0 = Counter32: 0

IP-MIB::ipReasmFails.0 = Counter32: 0

IP-MIB::ipFragOKs.0 = Counter32: 0

IP-MIB::ipFragFails.0 = Counter32: 0

IP-MIB::ipFragCreates.0 = Counter32: 0

IP-MIB::ipAdEntAddr.0.0.0.0 = IpAddress: 0.0.0.0

IP-MIB::ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1

IP-MIB::ipAdEntAddr.192.168.10.1 = IpAddress: 192.168.10.1

IP-MIB::ipAdEntAddr.192.168.253.1 = IpAddress: 192.168.253.1

IP-MIB::ipAdEntIfIndex.0.0.0.0 = INTEGER: 3

IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1

IP-MIB::ipAdEntIfIndex.192.168.10.1 = INTEGER: 2

IP-MIB::ipAdEntIfIndex.192.168.253.1 = INTEGER: 4

IP-MIB::ipAdEntNetMask.0.0.0.0 = IpAddress: 0.0.0.0

IP-MIB::ipAdEntNetMask.127.0.0.1 = IpAddress: 255.0.0.0

IP-MIB::ipAdEntNetMask.192.168.10.1 = IpAddress: 255.255.255.0

IP-MIB::ipAdEntNetMask.192.168.253.1 = IpAddress: 255.255.255.0

IP-MIB::ipAdEntBcastAddr.0.0.0.0 = INTEGER: 0

IP-MIB::ipAdEntBcastAddr.127.0.0.1 = INTEGER: 0

IP-MIB::ipAdEntBcastAddr.192.168.10.1 = INTEGER: 1

IP-MIB::ipAdEntBcastAddr.192.168.253.1 = INTEGER: 1

IP-MIB::ipAdEntReasmMaxSize.0.0.0.0 = INTEGER: -1

IP-MIB::ipAdEntReasmMaxSize.127.0.0.1 = INTEGER: -1

IP-MIB::ipAdEntReasmMaxSize.192.168.10.1 = INTEGER: -1

IP-MIB::ipAdEntReasmMaxSize.192.168.253.1 = INTEGER: -1

Route table information

In this section you will find the entries of the route table

RFC1213-MIB::ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0

RFC1213-MIB::ipRouteDest.62.90.32.0 = IpAddress: 62.90.32.0

RFC1213-MIB::ipRouteDest.127.0.0.0 = IpAddress: 127.0.0.0

RFC1213-MIB::ipRouteDest.192.168.10.0 = IpAddress: 192.168.10.0

RFC1213-MIB::ipRouteDest.192.168.253.0 = IpAddress: 192.168.253.0

RFC1213-MIB::ipRouteIfIndex.0.0.0.0 = INTEGER: 3

RFC1213-MIB::ipRouteIfIndex.62.90.32.0 = INTEGER: 3

RFC1213-MIB::ipRouteIfIndex.127.0.0.0 = INTEGER: 6

RFC1213-MIB::ipRouteIfIndex.192.168.10.0 = INTEGER: 2

RFC1213-MIB::ipRouteIfIndex.192.168.253.0 = INTEGER: 4

RFC1213-MIB::ipRouteMetric1.0.0.0.0 = INTEGER: 1

RFC1213-MIB::ipRouteMetric1.62.90.32.0 = INTEGER: 0

RFC1213-MIB::ipRouteMetric1.127.0.0.0 = INTEGER: 0

RFC1213-MIB::ipRouteMetric1.192.168.10.0 = INTEGER: 0

RFC1213-MIB::ipRouteMetric1.192.168.253.0 = INTEGER: 0

RFC1213-MIB::ipRouteMetric2.0.0.0.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric2.62.90.32.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric2.127.0.0.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric2.192.168.10.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric2.192.168.253.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric3.0.0.0.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric3.62.90.32.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric3.127.0.0.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric3.192.168.10.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric3.192.168.253.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric4.0.0.0.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric4.62.90.32.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric4.127.0.0.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric4.192.168.10.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric4.192.168.253.0 = INTEGER: -1

RFC1213-MIB::ipRouteNextHop.0.0.0.0 = IpAddress: 62.90.32.1

RFC1213-MIB::ipRouteNextHop.62.90.32.0 = IpAddress: 0.0.0.0

RFC1213-MIB::ipRouteNextHop.127.0.0.0 = IpAddress: 0.0.0.0

RFC1213-MIB::ipRouteNextHop.192.168.10.0 = IpAddress: 0.0.0.0

RFC1213-MIB::ipRouteNextHop.192.168.253.0 = IpAddress: 0.0.0.0

RFC1213-MIB::ipRouteType.0.0.0.0 = INTEGER: indirect(4)

RFC1213-MIB::ipRouteType.62.90.32.0 = INTEGER: direct(3)

RFC1213-MIB::ipRouteType.127.0.0.0 = INTEGER: direct(3)

RFC1213-MIB::ipRouteType.192.168.10.0 = INTEGER: direct(3)

RFC1213-MIB::ipRouteType.192.168.253.0 = INTEGER: direct(3)

RFC1213-MIB::ipRouteProto.0.0.0.0 = INTEGER: local(2)

RFC1213-MIB::ipRouteProto.62.90.32.0 = INTEGER: local(2)

RFC1213-MIB::ipRouteProto.127.0.0.0 = INTEGER: local(2)

RFC1213-MIB::ipRouteProto.192.168.10.0 = INTEGER: local(2)

RFC1213-MIB::ipRouteProto.192.168.253.0 = INTEGER: local(2)

RFC1213-MIB::ipRouteAge.0.0.0.0 = INTEGER: 0

RFC1213-MIB::ipRouteAge.62.90.32.0 = INTEGER: 0

RFC1213-MIB::ipRouteAge.127.0.0.0 = INTEGER: 0

RFC1213-MIB::ipRouteAge.192.168.10.0 = INTEGER: 0

RFC1213-MIB::ipRouteAge.192.168.253.0 = INTEGER: 0

RFC1213-MIB::ipRouteMask.0.0.0.0 = IpAddress: 0.0.0.0

RFC1213-MIB::ipRouteMask.62.90.32.0 = IpAddress: 255.255.255.0

RFC1213-MIB::ipRouteMask.127.0.0.0 = IpAddress: 255.0.0.0

RFC1213-MIB::ipRouteMask.192.168.10.0 = IpAddress: 255.255.255.0

RFC1213-MIB::ipRouteMask.192.168.253.0 = IpAddress: 255.255.255.0

RFC1213-MIB::ipRouteMetric5.0.0.0.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric5.62.90.32.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric5.127.0.0.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric5.192.168.10.0 = INTEGER: -1

RFC1213-MIB::ipRouteMetric5.192.168.253.0 = INTEGER: -1

RFC1213-MIB::ipRouteInfo.0.0.0.0 = OID: zeroDotZero

RFC1213-MIB::ipRouteInfo.62.90.32.0 = OID: zeroDotZero

RFC1213-MIB::ipRouteInfo.127.0.0.0 = OID: zeroDotZero

RFC1213-MIB::ipRouteInfo.192.168.10.0 = OID: zeroDotZero

RFC1213-MIB::ipRouteInfo.192.168.253.0 = OID: zeroDotZero

RFC1213-MIB::ipRoutingDiscards.0 = Counter32: 0

System load average information

In this section you will find the load information

UCD-SNMP-MIB-OLD::laIndex.1 = INTEGER: 1

UCD-SNMP-MIB-OLD::laIndex.2 = INTEGER: 2

UCD-SNMP-MIB-OLD::laIndex.3 = INTEGER: 3

UCD-SNMP-MIB-OLD::laNames.1 = STRING: Load-1

UCD-SNMP-MIB-OLD::laNames.2 = STRING: Load-5

UCD-SNMP-MIB-OLD::laNames.3 = STRING: Load-15

UCD-SNMP-MIB-OLD::laLoad.1 = STRING: 1.00

UCD-SNMP-MIB-OLD::laLoad.2 = STRING: 1.00

UCD-SNMP-MIB-OLD::laLoad.3 = STRING: 0.92

UCD-SNMP-MIB-OLD::laConfig.1 = STRING: 12.00

UCD-SNMP-MIB-OLD::laConfig.2 = STRING: 12.00

UCD-SNMP-MIB-OLD::laConfig.3 = STRING: 12.00

UCD-SNMP-MIB-OLD::laLoadInt.1 = INTEGER: 100

UCD-SNMP-MIB-OLD::laLoadInt.2 = INTEGER: 100

UCD-SNMP-MIB-OLD::laLoadInt.3 = INTEGER: 92

UCD-SNMP-MIB-OLD::laErrorFlag.1 = INTEGER: 0

UCD-SNMP-MIB-OLD::laErrorFlag.2 = INTEGER: 0

UCD-SNMP-MIB-OLD::laErrorFlag.3 = INTEGER: 0

UCD-SNMP-MIB-OLD::laErrMessage.1 = STRING:

UCD-SNMP-MIB-OLD::laErrMessage.2 = STRING:

UCD-SNMP-MIB-OLD::laErrMessage.3 = STRING:

Network Connectivity (LAN/DMZ/WAN)

I cannot access http://my.firewall. What should I do? (LP17007)

A85: In case you cannot access the 'My.Firewall' page, try the following:
  • Verify that the Safe@Office appliance is operating (PWR/SEC LED is active)
  • Check if the LAN LINK/ACT LED for the port used by your computer is on. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly.
    Note: You may need to use a crossed cable when connecting a Safe@Office 'S' series appliance to another hub/switch. 
  • Try surfing to 192.168.10.1 instead of to my.firewall. Note: 192.168.10 is the default value, and it may vary if you changed it in the My Network page.
  • Check your TCP/IP configuration according to "Installing and Setting up the Safe@Office Appliance" in the Safe@Office Users Guide.
  • Restart your Safe@Office appliance and your broadband modem by disconnecting the power and reconnecting after 5 seconds. 
  • If your web browser is configured to use an HTTP proxy to access the Internet, add "my.firewall" or "my.vpn" to your proxy exceptions list.

In case none of the above worked, please contact technical support.

I am using the Safe@Office appliance behind another NAT device, and I am having problems with some applications. What should I do?

A86: By default, the Safe@Office appliance performs Network Address Translation (NAT). It is possible to use the Safe@Office appliance behind another device that performs NAT, such as a DSL router or Wireless router, but the device will block all incoming connections from reaching your Safe@Office appliance. To fix this problem, do ONE of the following. (The solutions are listed in order of preference.)
  • Consider whether you really need the router. The Safe@Office appliance can often be used as a replacement for your existing router. 
  • If possible, disable NAT in the router. Refer to the router's documentation for instructions on how to do this. 
  • If the router has a "DMZ Computer" or "Exposed Host" option, set it to the Safe@Office appliance's external IP address. 

In any case, it is recommended that you open the following ports in the NAT device: UDP 9281/9282, UDP 500, TCP 256, TCP 264, ESP (IP protocol 50), TCP 981. See your router documentation for instructions.

I cannot connect to the LAN network from the DMZ network. What should I do? (LP17009)

A87: By default, connections from the DMZ network to the LAN network are blocked. To allow traffic from the DMZ to the LAN, configure appropriate firewall rules. For instructions, see 'Creating Rules' in the 'Safe@Office User Guide'.

How can I make my Safe@Office pingable from the Internet? (LP17886)

A88: To make the Safe@Office pingable from the Internet, you can use either of 2 methods:

Method 1
Change the security level to "Low". To change the security level, do the following:

  1. Surf to http://my.firewall
  2. Click on the Security tab.
  3. Click on the Firewall tab.
  4. Change the security level to "Low".

It is recommended that you first understand the difference between the low, medium and high security levels. See (LP16225) above.

Method 2
Create a security rule to allow ICMP to the Embedded NG gateway from the Internet. To create the security rule:

  1. Surf to http://my.firewall
  2. Click on the Security tab.
  3. Click on the Rules tab.
  4. Click the "Add Rule" button to start the Firewall Rules Wizard.
  5. Choose Allow as the rule type and click "Next".  
  6. Click the "Custom Service" button, choose ICMP from the Protocol dropdown box and click "Next".
  7. Choose the Source as "WAN (Internet)" and the Destination as "This Gateway", and click "Next".
  8. Click "Finish" to apply the rule.

Does the Safe@Office appliance support PPPoA (PPP over ATM)?

A89: No. Only DSL modems and routers support PPPoA. The Safe@Office appliance cannot replace your DSL equipment and therefore it does not need to support PPPoA. In case the Safe@Office appliance is connected to a device that supports PPPoA, you should choose "Direct LAN Connection" as the Internet connection type for the Safe@Office appliance.

What is DHCP Relay? (LP17889)

A90: DHCP Relay is used when the DHCP clients are located in a different subnet than the DHCP server. When the DHCP Relay option is used, the Check Point appliance becomes a DHCP relay agent. A relay agent is a small program that relays DHCP messages between clients and DHCP servers on different subnets. DHCP Relay configuration is supported over clear and VPN communications. DHCP Relay communicates through UDP ports 67/68. To enable DHCP Relay:
  1. Surf to http://my.firewall.
  2. Click on the Network tab.
  3. Click on the My Network tab.
  4. Click on "Edit" for the network you want to enable DHCP Relay for.
  5. Fill in the internal IP Address and Subnet Mask of the Check Point appliance. This will determine the DHCP scope requested from the remote DHCP server.
  6. Choose "Relay" from the DHCP drop down box.

Note: DHCP Relay will not work with NAT configuration. In case DHCP Relay is implemented over a VPN connection, make sure that the "Bypass NAT" checkbox is selected for the VPN connection on the Check Point appliance.

Logging

How can I save my appliance event log entries? (LP17685)

A91: In order to save the appliance event log entries do the following:
  1. Surf to http://my.firewall
  2. Click on 'Reports > Event Log'.
  3. Click on Save.

The logs will be saved as a Microsoft Excel file (XLS).

Note: With this method you can only save up to the 100 currently displayed event log entries. If you want to save all event log entries, you can use the Syslog logging option.

Do Embedded NGX appliances support Syslog logging? (LP17689)

A92: Yes. Embedded NGX appliances (excluding ZoneAlarm Secure Wireless Router Z100G) support Syslog logging. Using Syslog logging you can save the ongoing events generated by your appliance even beyond the current 100 events.

What is the Syslog protocol? (LP17827)

A93: Check Point appliances implement the Syslog protocol as described in RFC 3164.

The syslog protocol provides a transport that allows a machine to send event notification messages across IP networks to event message collectors, also known as syslog servers. In this case, the machine is the Check Point appliance. It is important to note that the device sending the syslog message must be able to establish network connectivity with the syslog server, and both the syslog server and the device sending the message must understand the formatting of the syslog messages.

What is the default port used by the Check Point appliances to send Syslog messages? (LP17828)

A94: The Check Point appliances use UDP port 514 as the default port for sending Syslog messages.

What Syslog server utility is recommended to be used with Check Point appliances? (LP17829)

A95: Since Syslog is a standard protocol, any Syslog server utility can be used. A free Syslog server is available for download at http://www.kiwisyslog.com/. Please see the Software vendor for more information.

What is the meaning of negative rule numbers when logging events on SmartCenter, SMP or an External Syslog server? (LP157572)

A96: This article is relevant only if your Check Point Embedded NG gateway is installed with firmware 6.0 or above.

Negative rule numbers are given to implied rules that are logged by either:

  • Check Point SmartCenter
  • SofaWare Management Portal (SMP)
  • External Syslog server

Starting from version 6.0, along with the rule numbers, a "log reason" is added, thus allowing generating reports based on rule numbers, while still displaying a textual description. Below is the complete list of these numbers with the corresponding rules. Most of these messages are sent from version 6.0 onwards. (Where [5] appears, version 5.0 may also send these messages.)

  • Rule -1: Stateless ICMP [5]. ICMP replies that don't match any request, ICMP errors that don't match any of the active connections, etc.
  • Rule -4: Anti-Spoofing [5]. The connection was dropped due to the automatic anti-spoofing rules.
  • Rule -5: Connection matched by a custom rule (a.k.a. "user rule").
  • Rule -9: HotSpot. Connection dropped because the user is not yet authenticated on a hotspot-enabled network.
  • Rule -10: Encryption mismatch [5]. Dropped clear text packet that should have been encrypted.
  • Rule -11: TCP out of state rule [5]. Logs or drops packets that try to open a connection without the full 3-way handshake.
  • Rule -12: Land Attack
  • Rule -13: Ping size exceeds maximum allowed size
  • Rule -14: ICMP with null payload
  • Rule -15: Welchia ICMP worm
  • Rule -16: Christmas packet (also in 5.0 versions). Packets that have too many flags set in them. For instance, SYN and FIN, SYN and RST, etc.
  • Rule -17: Cisco IOS DoS attack
  • Rule -18: Connection exceeds allowed network quota
  • Rule -19: FTP bounce
  • Rule -20: FTP port command overflow
  • Rule -21: FTP port command tried to open a known port
  • Rule -22: FTP illegal command
  • Rule -23: KaZaa traffic
  • Rule -24: Skype traffic
  • Rule -25: BitTorrent traffic
  • Rule -26: eMule traffic
  • Rule -27: Gnutella traffic
  • Rule -28: ICQ traffic
  • Rule -29: Yahoo traffic
  • Rule -30: Short IGMP packet
  • Rule -31: IGMP packet with bad TTL
  • Rule -32: IGMP packet not sent to a multicast address
  • Rule -33: Vertical Port Scan traffic
  • Rule -34: Horizontal Port Scan traffic
  • Rule -35: FTP data traffic
  • Rule -36: ICMP replay attack
  • Rule -37: TCP reset replay attack
  • Rule -38: Winny traffic
  • Rule -39: Packet should not have been encrypted
  • Rule -40: MSN Messenger traffic
  • Rule -41: SIP Firewall Bypass
  • Rule -42: InvalidSIPMessage
  • Rule -43: Illegal Connection To GW
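
The following is an added example, not Check Point code: a collector-side parser that decodes the RFC 3164 header of each received message and tallies events per appliance by implied-rule name, using the rule numbers listed above. The page does not show the appliance's message body, so the "rule=<n>" token and the sample lines are constructed assumptions; adjust the RULE pattern to the messages your appliance actually sends.

```python
import re
from collections import Counter

# Implied-rule numbers and names, copied from the list above.
IMPLIED_RULES = {
    -1: "Stateless ICMP", -4: "Anti-Spoofing", -5: "Custom rule",
    -9: "HotSpot", -10: "Encryption mismatch", -11: "TCP out of state",
    -12: "Land Attack", -13: "Ping size exceeds maximum allowed size",
    -14: "ICMP with null payload", -15: "Welchia ICMP worm",
    -16: "Christmas packet", -17: "Cisco IOS DoS attack",
    -18: "Connection exceeds allowed network quota", -19: "FTP bounce",
    -20: "FTP port command overflow",
    -21: "FTP port command tried to open a known port",
    -22: "FTP illegal command", -23: "KaZaa traffic", -24: "Skype traffic",
    -25: "BitTorrent traffic", -26: "eMule traffic", -27: "Gnutella traffic",
    -28: "ICQ traffic", -29: "Yahoo traffic", -30: "Short IGMP packet",
    -31: "IGMP packet with bad TTL",
    -32: "IGMP packet not sent to a multicast address",
    -33: "Vertical Port Scan traffic", -34: "Horizontal Port Scan traffic",
    -35: "FTP data traffic", -36: "ICMP replay attack",
    -37: "TCP reset replay attack", -38: "Winny traffic",
    -39: "Packet should not have been encrypted",
    -40: "MSN Messenger traffic", -41: "SIP Firewall Bypass",
    -42: "InvalidSIPMessage", -43: "Illegal Connection To GW",
}

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (day is space-padded).
HEADER = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
# ASSUMPTION: the rule number appears in the message body as "rule=<n>".
RULE = re.compile(r"\brule=(-?\d+)\b")

# Constructed sample input (not captured from a real appliance).
SAMPLE_LINES = [
    "<132>Feb 17 10:01:02 edge-gw fw: drop proto=tcp rule=-4",
    "<132>Feb 17 10:01:05 edge-gw fw: drop proto=tcp rule=-33",
    "<134>Feb 17 10:02:00 edge-gw fw: accept proto=udp rule=3",
    "<132>Feb  7 10:03:00 edge-gw fw: drop proto=icmp rule=-99",
    "not a syslog line",
]


def describe_rule(rule):
    """Turn a rule number into a human-readable log reason."""
    if rule is None:
        return "no rule number"
    if rule >= 0:
        return f"numbered rule {rule}"
    return IMPLIED_RULES.get(rule, f"unlisted implied rule {rule}")


def parse_line(line):
    """Parse one RFC 3164 message; return None if the header is malformed."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        return None
    facility, severity = divmod(pri, 8)
    rule_match = RULE.search(m.group(4))
    rule = int(rule_match.group(1)) if rule_match else None
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": m.group(2),
        "host": m.group(3),
        "rule": rule,
        "reason": describe_rule(rule),
        "message": m.group(4),
    }


def summarize(lines):
    """Count events per (host, reason); also return the number of bad lines."""
    counts, skipped = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        counts[(rec["host"], rec["reason"])] += 1
    return counts, skipped


if __name__ == "__main__":
    totals, bad = summarize(SAMPLE_LINES)
    for (host, reason), n in totals.most_common():
        print(f"{host:10} {n:3}  {reason}")
    print(f"skipped {bad} malformed line(s)")
```
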

SNMP MIB table for Check Point Embedded NGX Appliances ver.8.0 (LP337727)

High Availability

How to configure a Dialup Backup connection with a Check Point Embedded NG appliance (Firmware 5.0.x) (LP57008)

How to configure a Broadband Backup connection with a Check Point Embedded NG appliance (Firmware 5.0.x) (LP57009)

Wireless LAN

I cannot surf to http://my.firewall page from my wireless client (LP57420)

A101: By default, access to the setup page of the Embedded NG Wireless security appliance from the WLAN (Wireless LAN) network is by using https://my.firewall. In case you want to access the page using HTTP, you'll need to configure a security rule to allow that. The security rule parameters can be:
  • Rule Type: Allow
  • Source: WLAN
  • Destination: This Gateway
  • Service: Web Server

How to configure MAC address filtering for wireless clients (LP57421)

A102: MAC address filtering is a method to authenticate wireless clients with the Embedded NG wireless security appliance and allow them to access the WLAN network. This method is not considered secure enough to stand on its own since MAC addresses can be easily cloned. As a result, it should be an additional measure on top of other security methods offered, such as WEP, WPA and 802.1x authentication standards.

To configure MAC address filtering:

  1. Create a network object for the wireless clients you want to authenticate.
  2. Activate MAC address filtering on the appliance.

To create a network object, do the following:

  1. Surf to https://my.firewall
  2. Click on the Network menu.
  3. Click on the Network Objects tab.
  4. Click on the "New" button. The Network Object Wizard window appears.
  5. Choose "Single Computer" and click "Next".
  6. In the IP Address field, type in the IP address of the wireless client you want to authenticate.
  7. In the MAC Address field, type in the MAC address of the wireless network card, and click "Next".
  8. Type a name for the network object and click "Next".

To activate MAC Address Filtering on the appliance, do the following:

  1. Surf to https://my.firewall
  2. Click on the Network menu.
  3. Click on the My Network tab.
  4. Click on the "Edit" button near the WLAN.
  5. Click the "Show Advanced Settings" link
  6. From the MAC Address Filtering drop-down box choose "Yes".
  7. Click "Apply".

Note: Once MAC Address Filtering is activated, wireless clients will not be able to communicate with the wireless network unless you create corresponding network objects for each wireless client.

Wireless Security with Check Point Safe@Office Appliances (LP135394)

My WiFi card does not get a signal from the Embedded NG wireless security appliance (LP154422)

A104: This procedure describes the troubleshooting steps in case your WiFi card (installed on your mobile computer) does not get any signal from the Embedded NG wireless security appliance.

Important Notes

The troubleshooting steps suggested in this procedure assume that there are no coverage issues and that the issue occurs even when the mobile computer is a very short distance from the Embedded NG security wireless appliance. For the purpose of simplified troubleshooting, it is recommended to turn off all wireless security options that may have been configured on the Embedded NG wireless security appliance and on the WiFi card installed on the mobile computer. If this is the first time you install the Embedded NG wireless security appliance, the WLAN network is disabled. To enable the WLAN network, do the following:

  1. Physically connect your mobile computer to one of the LAN ports of the appliance.
  2. Surf to http://my.firewall and login to the administrator console.
  3. Click on the 'Network > My Network' menu.
  4. Click on the "Edit" button, near the WLAN line.
  5. From the Mode drop-down menu, choose "Enabled".

Troubleshooting

Checking the WiFi card settings on your mobile computer

  1. Check whether other mobile computers in your network cannot get a signal from the Embedded NG wireless security appliance. In case other computers are able to communicate over the wireless connection, it is more than likely that the issue is with your mobile computer's WiFi card setup.
  2. In case you configured the Embedded NG security wireless appliance to hide the SSID, make sure that the WiFi card is manually configured with the correct SSID.
  3. Make sure that the wireless standard (802.11 b/g) configured on the WiFi card matches the standard on the Embedded NG security wireless appliance.
  4. Make sure you have the latest driver for your WiFi card.
  5. Check for additional settings that can be configured on your wireless card, such as country and extended channels usage. These parameters are usually configured during the WiFi card installation, or via the vendor's wireless utility.
  6. In case you have an Intel-based WiFi card installed on your mobile computer, you may need to enable extended channel mode (this may not be needed for all models). To set up extended channel mode for Intel-based WiFi cards, do the following in Windows:
    1. Go to 'Start > Settings > Control Panel'.
    2. Double-click the Administrative Tools icon.
    3. Double-click the Computer Management icon.
    4. From the left pane of the Computer Management window, choose "Device Manager".
    5. From the right pane of the Computer Management window, expand the Network Adapters branch.
    6. Locate the Intel network card branch and double-click it to open the Intel network card properties.
    7. In the Intel card properties window, click the Advanced tab.
    8. In the Property window, select "Extended Channel Mode".
    9. Choose "Enable" from the Value drop-down box.

Checking the Embedded NG wireless security appliance settings

Force the wireless security appliance to work with a specific channel rather than automatically select a channel. To set up the channel mode, physically connect your mobile computer to one of the appliance's LAN ports and do the following:

  1. Surf to http://my.firewall
  2. Click on the 'Network > My Network' menu.
  3. Click on the "Edit" button near the WLAN title.
  4. From the Channel drop-down box, choose an available channel.

For additional troubleshooting steps, please contact the relevant Check Point Technical Support teams.

Troubleshooting WPA connection (LP223779)

A105: When using WPA encryption on the WLAN, the connection is dropped immediately after connecting. Connections and disconnections appear consecutively in the appliance event log.

The solution:

Import manual encryption configuration to the wireless Embedded NGX appliance.

To apply the configuration file:
  1. Download one of the configuration files below that answers your needs:
    • TKIP.CFG - Manually sets the security appliance to use TKIP encryption for WPA.
    • AES.CFG - Forces the appliance to only use AES encryption (not supported by some older wireless client devices).
    • AUTO.CFG - Resets the encryption engine to automatic (security appliance default).
  2. Go to http://my.firewall (when accessing from the LAN).
  3. Browse to 'Setup > Tools > Import'.
  4. Click "Browse" and select the file you wish to import.
  5. Click "Open".
  6. Click the "Import" button to import.
  7. The wireless network will restart. You may need to reconfigure some or all of the wireless clients in your network.
  8. Configuration is done.

How to Bridge LAN and Wireless networks to a single network (LP223956)

A106: Note: Normally, the Transparent Bridges feature requires a Power Pack license on a Safe@Office appliance. However, from firmware version 7.0.39 and subsequent versions you can create only one bridge without the Power Pack license.

In most cases, standard access points have the wired LAN and the wireless network bridged together, as a single network. However, in a secured deployment of networks, it is customary to separate the LAN (traditionally, the segment installed with the confidential business resources) from other networks that are considered potentially insecure. The Embedded NGX security appliances have the WLAN and the LAN segments separated by subnetting and firewalling, as the wireless medium is insecure, by definition.

This may lead to different behavior than you were probably used to with your 'old' standard access point, especially when attempting to browse the workgroup computers on the LAN, using the Microsoft File and Print sharing service. This Microsoft service is designed to work best between computers on the same local area network. However, since the WLAN and LAN are on different networks, you can either connect to shared folders or printers on the LAN by using direct IP addresses (for example, \\192.168.10.2\C$) or you can install a WINS server to translate computer names into their corresponding IP addresses. This action will provide the functionality you are looking for by connecting to shared folders, and will keep your network secure.

Another option that is less recommended from the point of view of wireless security, is to bridge between the LAN and WLAN networks, making them a "single network". To create a bridge between the LAN and WLAN networks:

  1. Surf to http://my.firewall
  2. Click on 'Network > My Network'.
  3. Click on the "Edit" button next to the WLAN network.
  4. Click on the "Wireless Wizard" button at the bottom of the page.
  5. In the Wireless Configuration Wizard window, complete the necessary settings for your wireless network, and click "Next".
  6. Choose the required wireless security protocol for your network, choose "Bridge Mode" to create a bridge between the WLAN and the LAN, and click "Next".
  7. Complete the Wireless Configuration Wizard with the required information for your wireless network.
  8. The WLAN and LAN will now be bridged together and will share the same subnet.

(LP223963)

A107: The Embedded NGX appliance offers a variety of security and additional advanced options (such as QoS for multimedia over wireless). Depending on your wireless client software, all or some of the options may be supported. In case your wireless client does not support all the advanced options, it might result in the following symptoms:
  • The WLAN connection might be dropped, immediately after connecting.
  • Connections and disconnections might appear consecutively in the appliance event log.

To improve the compatibility between your wireless client and the Embedded NGX appliance and overcome the symptoms above, attempt the following steps:

  • Import manual encryption configuration to the wireless Embedded NGX appliance.
  • Disable Multimedia Quality of Service (QoS WMM).

To apply manual encryption configuration to the Embedded NGX appliance:

  1. Download one of the configuration files below that answers your needs:
    • TKIP.CFG - Manually sets the security appliance to use TKIP encryption for WPA.
    • AES.CFG - Forces the appliance to only use AES encryption (not supported by some older wireless client devices).
    • AUTO.CFG - Resets the encryption engine to automatic (security appliance default).
  2. Go to http://my.firewall (when accessing from the LAN).
  3. Browse to 'Setup > Tools > Import'.
  4. Click "Browse" and select the file you wish to import.
  5. Click "Open".
  6. Click the "Import" button to import.
  7. The wireless network will restart. You may need to reconfigure some or all of the wireless clients in your network.
  8. Configuration is done.

To disable Multimedia QoS:

  1. Go to http://my.firewall.
  2. Browse to 'Network > My Network'.
  3. In the WLAN line, click "Edit".
  4. Click "Show Advanced Settings".
  5. In the Multimedia QoS (WMM) drop-down list, choose "Disabled".
  6. Click "Apply".
  7. Configuration is done.

Which third-party wireless antennas can be used with my appliance? (LP316479)

A108: Embedded NGX wireless appliances use RP-SMA connectors.

Before substituting any antennas other than the ones supplied by Check Point, please note:

  • Substituting an antenna other than the ones supplied by Check Point may be in violation of local regulations. Installers should abide by all FCC, EU, or local regulations and requirements before deploying any 3rd party antennas.
  • Check Point and its affiliates are not responsible for any damage caused by use of 3rd party antennas. Check Point will not replace or repair appliances damaged by use of an improper antenna.

VStream Antivirus

What is the Vstream Antivirus? (LP171924)

A109: The Embedded NGX security gateway (with firmware 6.0 and subsequent versions) includes VStream Antivirus, an embedded stream-based antivirus engine based on Check Point Stateful Inspection and Application Intelligence technologies that performs virus scanning at the kernel level. VStream Antivirus scans files for malicious content on the fly, without downloading the files into intermediate storage. This means minimal added latency and support for unlimited file sizes; and since VStream Antivirus stores only minimal state information per connection, it can scan thousands of connections concurrently. In order to scan archive files on the fly, VStream Antivirus performs real-time decompression and scanning of ZIP, TAR, and GZ archive files, with support for nested archive files.

What is the default action policy when viruses are detected? (LP171925)

A110: When VStream Antivirus detects malicious content, the action it takes depends on the protocol in which the virus was found. See the table below. In each case, VStream Antivirus blocks the file and writes a log to the Event Log.

| If a virus is found in this protocol... | VStream Antivirus does this... | The protocol is detected on this port... |
|---|---|---|
| HTTP | Terminates the connection. | All ports on which VStream is enabled by the policy, not only port 80 |
| POP3 | Terminates the connection. Deletes the virus-infected email from the server. | The standard TCP port 110 |
| IMAP | Terminates the connection. Replaces the virus-infected email with a message notifying the user that a virus was found. | The standard TCP port 143 |
| SMTP | Rejects the virus-infected email with error code 554. Sends a "Virus detected" message to the sender. | The standard TCP port 25 |
| FTP | Terminates the data connection. Sends a "Virus detected" message to the FTP client. | The standard TCP port 21 |
| TCP and UDP | Terminates the connection. | Generic TCP and UDP ports, other than those listed above |

In protocols that are not listed in this table, VStream Antivirus uses a "best effort" approach to detect viruses. In such cases, detection of viruses is not guaranteed and depends on the specific encoding used by the protocol.

What is the difference between the Vstream Antivirus and the Email Antivirus subscription service? (LP171926)

A111: VStream Antivirus differs from the Email Antivirus subscription service (part of the Email Filtering service) in the following ways:
  • Email Antivirus is centralized, redirecting traffic through the Service Center for scanning, while VStream Antivirus scans for viruses in the Safe@Office gateway itself.
  • Email Antivirus is specific to email, scanning incoming POP3 and outgoing SMTP connections only, while VStream Antivirus supports additional protocols, including incoming SMTP and outgoing POP3 connections.

You can use either antivirus solution, or both, in conjunction.

What is the difference between the main and the daily antivirus signatures databases? (LP171927)

A112: VStream Antivirus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures. Periodically, the contents of the daily database are moved to the main database, leaving the daily database empty. This system of incremental updates to the main database allows for quicker updates and saves on network bandwidth. You can view information about the VStream signature databases currently in use, on the VStream Antivirus page.

I am subscribed to the Vstream antivirus signatures updates, but installation of daily virus definitions fails. (LP310602)

A113: The daily VStream antivirus signatures updates fail to install, interrupting the normal operation of the VStream Antivirus.

Symptoms

A failure to install the VStream antivirus signatures updates may result in one or more of the following symptoms:
  • A "failed to install daily database" error message appears in the Antivirus page.
  • Upon initiating an update, using the “Update now” button in the menu, nothing happens.

Possible cause

This may occur in case the definition update from the service center was interrupted, and the downloaded archive has become corrupted.

Solution

In order to solve this issue do the following:

  • Reset the Antivirus signatures database.
  • Refresh the connection to the Service Center.

Note: This procedure will not affect any of the existing settings on the appliance.

To reset the antivirus signature database on a ZoneAlarm Z100G Secure Wireless Router, do the following:

  1. Click here to download the script (*.CFG) file and save it to a local folder on your computer.
  2. Surf to https://my.firewall
  3. Click "Setup" on the main menu, and then the Tools tab.
  4. Click "Import", browse for the script file, and click "Upload". A confirmation message will appear in case the upload finished successfully.
  5. The Antivirus signature database is now reset.

To reset the antivirus signature database on any other Embedded NGX appliance, do the following:

  1. Surf to https://my.firewall
  2. Click "Setup" on the main menu, and then on Tools.
  3. Click "Command".
  4. In the command text box, type the command: reset vstream-database and click "Apply".
  5. The Antivirus signature database is now reset.

To refresh the connection to the Service Center do the following:

  1. Surf to https://my.firewall
  2. Click on "Services".
  3. Click "Refresh".

ADSL

Typical ADSL configuration of various worldwide ISPs (LP196537)

A114: The following list describes the typical ADSL configuration required by well-known ISPs and telcos worldwide. We recommend consulting your ADSL provider for the most recent ADSL configuration.

| Country | Service Provider | Connection Type | VPI | VCI | Encapsulation |
|---|---|---|---|---|---|
| Argentina | Arnet | PPPoE | 0 | 33 | LLC |
| Argentina | Speedy | PPPoE | 8 | 35 | LLC |
| Australia | Most ISPs | PPPoE | 8 | 35 | LLC |
| Australia | Arachnet | PPPoA | 8 | 35 | VCMUX |
| Australia | Telestra | PPPoE | 8 | 35 | LLC |
| Austria | Most ISPs | PPPoA | 8 | 48 | VCMUX |
| Austria | AON | PPPoA | 1 | 32 | VCMUX |
| Belgium | ADSL Office | PPPoE | 8 | 35 | VCMUX |
| Belgium | Belgacom ADSL | PPPoA | 8 | 35 | VCMUX / LLC |
| Belgium | Turboline | PPPoA | 8 | 35 | LLC |
| Brazil | Brasil Telecom (brturbo) | PPPoE | 0 | 35 | LLC |
| Brazil | do rio grande do sul são | PPPoE | 1 | 32 | LLC |
| Brazil | Speedy da Telefonica | PPPoE | 8 | 35 | LLC |
| Brazil | Velox da Telemar | PPPoE | 0 | 33 | LLC |
| Bulgaria | BTK (ISDN) | PPPoE | 1 | 32 | LLC |
| Bulgaria | BTK (POTS) | PPPoE | 0 | 35 | LLC |
| Czech Republic | Cesky Telecom (PPPoA) | PPPoA | 8 | 48 | VCMUX |
| Czech Republic | Cesky Telecom (PPPoE) | PPPoE | 8 | 48 | LLC |
| Denmark | Cybercity | PPPoA | 0 | 35 | VCMUX |
| Denmark | Tiscali | PPPoA | 8 | 35 | VCMUX |
| Denmark | Tiscali (World Online) | PPPoA | 0 | 35 | VCMUX |
| Egypt | Raya Telecom | PPPoA | 8 | 80 | VCMUX |
| France | 9Online | PPPoA | 8 | 35 | VCMUX |
| France | AOL | PPPoA | 8 | 35 | VCMUX |
| France | Cegetel ADSL Max 8 Mb | PPPoA | 8 | 35 | VCMUX |
| France | Cegetel non dégroupé 512 IP/ADSL et dégroupé | PPPoA | 8 | 35 | VCMUX |
| France | Claranet | PPPoA | 8 | 35 | VCMUX |
| France | Club-Internet | PPPoA | 8 | 35 | VCMUX |
| France | EasyConnect | PPPoA | 8 | 35 | LLC |
| France | Free non dégroupé 512/128 & 1024/128 | PPPoA | 8 | 35 | VCMUX |
| France | Free non dégroupé ADSL Max | PPPoA | 8 | 35 | VCMUX |
| France | Freesurf | PPPoA | 8 | 35 | VCMUX |
| France | FT | PPPoA | 8 | 35 | VCMUX |
| France | Generic Netissimo | PPPoA | 8 | 35 | LLC |
| France | HRNet | PPPoA | 8 | 35 | VCMUX |
| France | Nerim | PPPoA | 8 | 35 | VCMUX |
| France | Nordnet | PPPoA | 8 | 35 | VCMUX |
| France | Tiscali.fr (128k) | PPPoA | 8 | 35 | LLC |
| France | Tiscali.fr (512k) | PPPoA | 8 | 35 | VCMUX |
| France | Tiscaly Liberty Surf | PPPoA | 8 | 35 | LLC |
| France | Wanadoo | PPPoA | 8 | 35 | VCMUX |
| France | Worldnet | PPPoA | 8 | 35 | VCMUX |
| Germany | 1&1 (Dun) | PPPoE | 1 | 32 | LLC |
| Germany | Alice DSL | PPPoE | 1 | 32 | LLC |
| Germany | Anderer Provider für T-DSL (Dun) | PPPoE | 1 | 32 | LLC |
| Germany | Arcor | PPPoE | 1 | 32 | LLC |
| Germany | DT | PPPoE | 1 | 32 | LLC |
| Germany | Mnet | PPPoE | 1 | 32 | LLC |
| Germany | NetCologne | PPPoE | 8 | 35 | LLC |
| Germany | QSC | PPPoE | 1 | 32 | LLC |
| Germany | Tiscali | PPPoE | 1 | 32 | LLC |
| Germany | T-Online (Dun) | PPPoE | 1 | 32 | LLC |
| Hungary | Matav | PPPoE | 1 | 32 | LLC |
| Iceland | Islandssimi | PPPoA | 0 | 35 | VCMUX |
| Iceland | Landssimi | PPPoA | 8 | 48 | VCMUX |
| India | Most ISPs | PPPoA | 0 | 32 | VCMUX |
| Ireland | Most ISPs | PPPoE | 8 | 35 | LLC |
| Israel | Bezeq | PPPoE | 8 | 48 | LLC |
| Italy | Albacom | PPPoA | 8 | 35 | VCMUX |
| Italy | Aruba | PPPoA | 8 | 35 | VCMUX |
| Italy | Liberto.it | PPPoA | 8 | 35 | VCMUX |
| Italy | MC-link | PPPoA | 8 | 35 | VCMUX |
| Italy | Nextra | PPPoA | 8 | 35 | VCMUX |
| Italy | Telecom Italia | PPPoA | 8 | 35 | VCMUX |
| Italy | Telvia | PPPoA | 8 | 35 | VCMUX |
| Italy | Tiscali | PPPoA | 8 | 35 | VCMUX |
| Italy | Wind | PPPoA | 8 | 35 | VCMUX / LLC |
| Mexico | Telmex Infinitum | PPPoE | 8 | 35 | LLC |
| Morocco | Maroc Telecom | PPPoA | 8 | 35 | VCMUX |
| Netherlands | Bbeyond (PPPoE) | PPPoE | 0 | 33 | LLC |
| Netherlands | Bbeyond (PPPoA) | PPPoA | 0 | 35 | VCMUX |
| Netherlands | KPN | PPPoA | 8 | 48 | VCMUX |
| New Zealand | New Zealand Telecom | PPPoA | 0 | 100 | VCMUX |
| Poland | NETIA | PPPoE | 8 | 35 | LLC |
| Poland | TPSA | PPPoA | 0 | 35 | VCMUX |
| Portugal | Portugal Telecom | PPPoA | 0 | 35 | VCMUX |
| Russia | MTU Intel | PPPoE | 1 | 50 | LLC |
| Singapore | SingNet Broadband | PPPoA | 0 | 100 | VCMUX |
| Slovenia | SiOL | PPPoE | 1 | 32 | LLC |
| Spain | Albura | PPPoA | 1 | 32 | VCMUX |
| Spain | Arrakis | PPPoA | 0 | 35 | VCMUX |
| Spain | Arsys | PPPoE | 1 | 33 | LLC |
| Spain | Auna | PPPoA | 0 | 35 | VCMUX |
| Spain | Colt Teecom | PPPoA | 0 | 35 | VCMUX |
| Spain | Communitel | PPPoA | 0 | 33 | VCMUX |
| Spain | ERES MAS | PPPoA | 8 | 35 | LLC |
| Spain | Euskatel | PPPoE | 8 | 32 | LLC |
| Spain | Jazztel | PPPoA | 8 | 35 | LLC |
| Spain | Telefonica | PPPoE | 8 | 32 | VCMUX / LLC |
| Spain | Telepac | PPPoE | 0 | 35 | LLC |
| Spain | Terra | PPPoE | 8 | 32 | LLC |
| Spain | Tiscali | PPPoA | 1 | 32 | VCMUX |
| Spain | Uni2 | PPPoA | 1 | 33 | VCMUX |
| Spain | Wanadoo Spain | PPPoE | 8 | 32 | LLC |
| Spain | Ya.com | PPPoE | 8 | 32 | LLC |
| Sweden | Skanova | PPPoE | 8 | 35 | LLC |
| UAE | Etisalat Classical IP for Business | PPPoA | 0 | 50 | VCMUX |
| UAE | Etisalat Classical IP Single User | PPPoE | 0 | 100 | LLC |
| UAE | Etislat | PPPoA | 0 | 50 | LLC |
| UAE | UAE-Other | PPPoE | 0 | 50 | LLC |
| UK | Most ISPs | PPPoA | 0 | 38 | VCMUX |
| US | AOL | PPPoE | 0 | 35 | LLC |
| US | BellSouth | PPPoE | 8 | 35 | LLC |
| US | Covad | PPPoE | 0 | 35 | LLC |
| US | EarthLink | PPPoE | 0 | 35 | LLC |
| US | Qwest | PPPoE | 0 | 32 | LLC |
| US | SBC | PPPoE | 0 | 35 | LLC |
| US | Sprint | PPPoE | 0 | 35 | LLC |

US

Verizon

PPPoE

0

35

LLC

 

I am experiencing frequent disconnections with my Embedded NGX appliance with embedded ADSL modem. What can I do? (LP224491)

A115: This solution applies only to Embedded NGX appliances with an embedded ADSL modem.
  1. Surf to https://my.firewall
  2. Click on the Setup menu.
  3. Click on the Tools tab.
  4. Click on the "Command" button. The Command Line window appears.
  5. In the command line, type the following command (without a trailing period): set port adsl auto-sra mode disable
  6. Click "Go".
  7. The default value is now changed.

Remote Desktop


How do I use the Remote Desktop feature of Embedded NGX appliances with the Windows Vista operating system? (LP316577)

A116: An internal error message is received when trying to initiate a Remote Desktop connection via the http://my.firewall portal to a computer that runs the Windows Vista operating system.

Possible cause

When initiating a Remote Desktop connection via the http://my.firewall portal, the remote computer is configured to allow only connections that use Network Level Authentication. The Embedded NGX security appliances use an ActiveX component to run the Remote Desktop feature, and this component does not support Network Level Authentication.

Solution

Configure the Remote Settings on the computer to which you are connecting, to allow connections from computers running any version of Remote Desktop.

To update the Remote Settings configuration, do the following:

  1. On your desktop, right-click on the Computers icon.
  2. Click on Properties from the pop-up menu.
  3. Click on the "Remote Settings" option from the left-hand menu.
  4. Click on the "Allow connections from computers running any version of Remote Desktop (less secure)" radio button.

Note: This option is equivalent to the "Allow users to connect remotely to this computer" option when using Windows XP as the operating system. The "Allow connections only from computers running remote desktop with Network Level Authentication (more secure)" option is unique to Remote Desktop connections via the local Remote Desktop clients, when both use the Windows Vista operating system.

For detailed instructions on how to remotely access the desktop of each of your computers using the Embedded NGX appliances' Remote Desktop feature, please refer to Chapter 18, Using Remote Desktop, of the Check Point Safe@Office, v7.5 User Guide.
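
A read-only check for the setting changed in the steps above, added here as an example and not taken from the Check Point documentation: it reads the standard Windows registry values for Remote Desktop and reports whether the computer still requires Network Level Authentication. The function name Get-RdpNlaState is an assumption of this example.

```powershell
# Added example: audit whether this host accepts Remote Desktop connections
# without Network Level Authentication (NLA). Read-only; changes nothing.
function Get-RdpNlaState {
    $ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $local  = Join-Path $ts 'WinStations\RDP-Tcp'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

    # Return a named registry value, or $null when the key or value is absent.
    function Read-Value([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    # fDenyTSConnections = 0 means Remote Desktop connections are accepted.
    $deny = Read-Value $ts 'fDenyTSConnections'

    # A Group Policy value, when present, overrides the local setting.
    $nla    = Read-Value $policy 'UserAuthentication'
    $source = 'GroupPolicy'
    if ($null -eq $nla) {
        $nla    = Read-Value $local 'UserAuthentication'
        $source = 'LocalSetting'
    }

    # New-Object is used so the check also runs on older PowerShell versions.
    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        RdpEnabled  = ($deny -eq 0)
        NlaRequired = ($nla -eq 1)   # 1 = the "more secure" option is selected
        Source      = $source
    }
}

$state = Get-RdpNlaState
if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning "RDP is enabled without NLA on $($state.Computer) ($($state.Source))."
}
$state
```

Running this on each computer that was reconfigured for portal access gives an inventory of hosts where the "less secure" option is in effect.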


This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.