SofaWare FAQ

Solution ID: sk65606
Product: Edge, Safe@Office
Version: All
Platform / Model: Edge, Safe@ N, Safe@ X
Date Created: 02-Nov-2011
Last Modified: 24-Mar-2015
Solution

Table of Contents

  • Licensing
  • General
  • Firewall
  • Logging
  • VPN
  • Customer Support and Services
  • Network Connectivity (LAN/DMZ/WAN)
  • Wireless LAN
  • VStream Anti-Virus
  • ADSL
  • High Availability
  • Remote Desktop
  • Toshiba PCX5000

 

Licensing


General

  • I forgot the Safe@Office administrator password. What can I do? (LP16227)

    The Safe@Office appliance has no default administrator password. If you have forgotten the password, reset the appliance to factory settings by pressing the reset button on the back of the unit for 10 seconds. After the appliance reboots, you can set a new password.

    Note: The reset discards the rest of the configuration as well, so restore it from a backup afterwards (see "How can I backup and restore the Safe@Office configuration?" below). Anyone who can reach the reset button can take over the appliance this way, so keep it in a physically secured location. A preset configuration file loaded over TFTP (see "Using Preset Configuration Files" below) survives the reset.
  • How can I configure the Safe@Office appliance from a remote location? (LP16228)

    The Safe@Office appliance supports remote management. Once it is enabled, you can connect to the appliance from the Internet by pointing your browser at https://<Appliance_External_IP_Address>:981. To enable management of the Safe@Office from a remote location:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on the Setup menu.
    3. Click on the Management menu.
    4. Choose the management option that fits your needs. Pick the most restrictive one that still works for you: an administrator portal reachable from the entire Internet on TCP port 981 will be found and subjected to password guessing, so protect it with a strong administrator password and, where possible, limit the source addresses that may reach it (for example with an access list on the upstream router).

    Note: In case the Safe@Office appliance is installed behind another firewall or a NAT device, make sure to allow (and, where needed, forward) HTTPS traffic on TCP port 981 towards the Safe@Office appliance.

  • How can I backup and restore the Safe@Office configuration? (LP16322)

    In order to backup the Safe@Office configuration, perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on 'Setup > Tools'.
    3. Click on the "Export" button.
    4. Save the exported configuration file to a local folder.

    In order to restore the Safe@Office configuration from a file:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on 'Setup > Tools'.
    3. Click on the "Import" button.
    4. Locate the configuration file (.cfg) on your local hard drive and upload it.

    Note: The exported file is a plain-text script of CLI commands that recreates the appliance configuration, so treat it with the same care as the configuration itself and store it where only administrators can read it. Importing a file applies the commands it contains to the appliance; keep a fresh export from before the import so you can roll back.
  • Error message "Service Center did not respond" when trying to connect to a Service Center (LP16330)

    The connection to a Check Point Service Center uses a proprietary protocol called SWTP (SofaWare Transport Protocol). This protocol ensures that all communications between a Safe@Office appliance and the Service Center are secured and encrypted. The communication between the Safe@Office and a Service Center uses UDP ports 9281/9282.

    If your Safe@Office is behind another firewall, make sure that traffic on the SWTP ports above is allowed. In addition, make sure that your router does not block these ports with ACLs (access lists).

  • What is Check Point Safe@Office? (LP16999)

    The Check Point Safe@Office appliance is an advanced Internet security appliance that enables secure high-speed Internet access from the office. The Safe@Office firewall, based on the world-leading Check Point Embedded NG Stateful Inspection technology, inspects and filters all incoming and outgoing traffic, blocking all unauthorized traffic.

    The Safe@Office appliance also allows sharing your Internet connection among several PCs or other network devices, enabling advanced office networking and saving the cost of purchasing static IP addresses. You can also connect Safe@Office appliances to security services available from select service providers, including firewall security updates, Web filtering, and dynamic DNS. Business users can use the Safe@Office appliance to securely connect to the office network.

  • How do I configure my Embedded NGX Solution? (LP17000)

    Embedded NGX Solutions are configured through a simple Web-browser portal. No software installation is required. Just connect your Embedded NGX Solution, launch your browser, and connect from LAN with your browser to http://my.firewall.
  • What is the default LAN IP address of the Safe@Office appliance? (LP17001)

    The default LAN IP address of the Safe@Office appliance is 192.168.10.1.
  • Do Safe@Office Solutions work with any operating system? (LP17002)

    Yes. Safe@Office Solutions protect all of the computers on your network, regardless of their operating system. Plus, Safe@Office Solutions are configured through a Web browser and require no software installation on your computers. Therefore, they are manageable from any type of computer, regardless of its operating system.
  • Which management options are available for Safe@Office? (LP17004)

    The following management options are available for Safe@Office:

    • Local web-based management
    • SofaWare Security Management Portal (SMP)

    Safe@Office appliances cannot be managed by Check Point SmartCenter. For an appliance supporting SmartCenter enterprise management, refer to VPN-1 Edge.

  • How is this solution better than using a PC firewall? (LP17005)

    Inherent drawbacks with PC firewalls make Safe@Office solutions a superior choice:

    • PC firewalls protect a single PC. A Safe@Office Solution protects your entire network - all the PCs, Macintoshes, servers and other devices on the network
    • PC firewalls are managed and configured by the consumer. Most common security flaws originate from faulty configuration. To reduce risk for users, Safe@Office Solutions come with a pre-configured security policy. In addition, Safe@Office Solutions can be managed by a security solutions provider, transferring responsibility for security expertise to security experts.
  • Which Safe@Office models are available? (LP17006)

    To view the list of available Safe@Office models and their technical specifications, click here.
  • Why are the date and time displayed incorrectly? (LP17010)

    In the Safe@Office 'S' series, when a computer on the LAN connects to the Safe@Office Portal, the appliance adjusts its date and time to match that of the computer. If the date and time displayed in the Safe@Office Portal are incorrect, the date and time on the computer connected to the portal are probably incorrect. Because the appliance clock follows whichever LAN computer last opened the portal, log timestamps from an 'S' series appliance are only as reliable as that computer's clock; keep the LAN computers synchronized to a trusted time source. In the Safe@Office 200 series, you can adjust the time on the Setup page's Tools tab.
  • Can I connect an Ethernet switch to my appliance? (LP17011)

    You can cascade an additional hub or switch to the Safe@Office 'S' series appliance, by using a crossed Ethernet cable. The Safe@Office 'X' series automatically detects the cable type, so you can use either a straight-through or crossed cable.
  • Activate the TFTP server on the appliance (LP135792)

    Items can be uploaded to the Check Point security appliance so that they remain in place even after a reset to factory settings. An item can be a firmware image file, a bootloader file or a configuration (CFG) file.

    The Check Point security appliance has an embedded TFTP server with the default IP address 192.168.10.1, and a TFTP client must be used to upload items to the appliance. TFTP client software is usually part of the operating system, but third-party clients can also be used. To upload items, perform the following:

    1. Activate the TFTP server on the appliance: unplug the power cord, hold the reset button on the back of the box, and plug in the power cord while holding the button until the PWR/SEC LED is steady red.
    2. Connect a computer to one of the security appliance LAN ports.
    3. Configure the computer with a static IP address in 192.168.10.0/24 (subnet mask 255.255.255.0) other than 192.168.10.1, which is used by the appliance's TFTP server.
    4. If you are using the Windows 2000 built-in TFTP client, open a command prompt and type the following command (-i selects binary/octet transfer mode):
      tftp -i 192.168.10.1 put [filename]
      The appliance will reboot.

    Note: When uploading a firmware or bootloader file, the file must be compiled in TFTP format. A configuration file can be uploaded in CFG format.

    Note: TFTP carries no authentication, so while the appliance is in this mode any host on the same LAN segment can push a firmware, bootloader or configuration file to it. Connect the uploading computer directly (or through an isolated switch), and since uploaded items persist across factory resets, verify what was uploaded before returning the appliance to production.

  • Missing images in the my.firewall page (LP144347)

    When connecting with your browser from the LAN to the http://my.firewall configuration page, images may not be displayed correctly for the following reasons:

    1. Your browser cache is full
    2. A personal firewall installed on the computer prevents some scripts and images from loading

    Solutions:

    1. Clear your browser cache
    2. Stop your personal firewall, or add an exception for the my.firewall page in its rules.
  • What are the Check Point appliances' vendor-specific RADIUS attributes? (LP145353)

    Vendor-specific RADIUS attributes are supported with firmware 5.0.82 and later. You can configure your RADIUS server to return the following attributes:

    SofaWare Vendor ID: 6983

    The permissions and their corresponding attribute IDs and values are listed in the following table:

    Permission Type                  Attribute ID   Possible Values (String)
    Admin                            1              "None", "Read Only", "Read / Write"
    VPN Access                       2              "True", "False"
    HotSpot                          3              "True", "False"
    Web Filter Override Permission   4              "True", "False"

    These travel inside the standard RADIUS Vendor-Specific attribute (type 26, RFC 2865) tagged with the vendor ID above, so the RADIUS server needs a vendor dictionary entry for vendor 6983 that defines these four sub-attributes as strings.
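    The encoding the RADIUS server has to produce for these attributes, as an added example that is not Check Point code: it packs and unpacks the RADIUS Vendor-Specific attribute (type 26, RFC 2865) for vendor ID 6983 with the four sub-attribute IDs and string values from the table above, rejecting values outside the table. The vendor ID and sub-attribute numbers come from this article; the packet layout is the RFC's, and no other appliance behaviour is assumed.

```python
"""Pack and unpack the SofaWare RADIUS Vendor-Specific Attribute.

Added example (not Check Point code).  Vendor ID 6983 and the four
sub-attribute IDs/values are from the article; the wire format is the
RADIUS Vendor-Specific attribute, type 26, RFC 2865 section 5.26:

    Type(26) Length Vendor-Id(4 bytes) [Vendor-Type Vendor-Length String]...
"""
import struct

SOFAWARE_VENDOR_ID = 6983
VSA_TYPE = 26

# Sub-attribute ID -> (permission name, allowed string values), per the table.
PERMISSIONS = {
    1: ("Admin", ("None", "Read Only", "Read / Write")),
    2: ("VPN Access", ("True", "False")),
    3: ("HotSpot", ("True", "False")),
    4: ("Web Filter Override Permission", ("True", "False")),
}


def encode_vsa(perms: dict) -> bytes:
    """Build one Vendor-Specific attribute carrying the given
    {sub_id: value} permissions; values outside the table are rejected."""
    body = b""
    for sub_id, value in perms.items():
        if sub_id not in PERMISSIONS:
            raise ValueError(f"unknown SofaWare sub-attribute {sub_id}")
        name, allowed = PERMISSIONS[sub_id]
        if value not in allowed:
            raise ValueError(f"{name}: {value!r} is not one of {allowed}")
        data = value.encode("ascii")
        body += struct.pack("!BB", sub_id, 2 + len(data)) + data
    length = 2 + 4 + len(body)            # Type + Length + Vendor-Id + body
    if length > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BBI", VSA_TYPE, length, SOFAWARE_VENDOR_ID) + body


def decode_vsa(attr: bytes) -> dict:
    """Return {permission name: value} for a SofaWare Vendor-Specific
    attribute, validating the framing and table membership on the way."""
    if len(attr) < 6 or attr[0] != VSA_TYPE or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor = struct.unpack("!I", attr[2:6])[0]
    if vendor != SOFAWARE_VENDOR_ID:
        raise ValueError(f"vendor {vendor} is not SofaWare ({SOFAWARE_VENDOR_ID})")
    result, pos = {}, 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError("truncated sub-attribute header")
        sub_id, sub_len = attr[pos], attr[pos + 1]
        if sub_len < 2 or pos + sub_len > len(attr):
            raise ValueError("sub-attribute length runs past the attribute")
        value = attr[pos + 2:pos + sub_len].decode("ascii")
        name, allowed = PERMISSIONS.get(sub_id, (f"unknown-{sub_id}", None))
        if allowed is not None and value not in allowed:
            raise ValueError(f"{name}: unexpected value {value!r}")
        result[name] = value
        pos += sub_len
    return result


if __name__ == "__main__":
    attr = encode_vsa({1: "Read / Write", 2: "True"})
    print(attr.hex())                     # what an Access-Accept would carry
    print(decode_vsa(attr))
```

    The bytes it produces are what a packet capture of an Access-Accept from a correctly configured server shows for the attribute; a vendor dictionary on the server (vendor 6983, sub-attributes 1-4 as strings) describes the same layout. The decoder also serves as a check that a server is sending a value the appliance recognises rather than, say, "ReadWrite".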
  • Using Preset Configuration Files with Check Point Embedded NG Appliances (LP145374)

    Introduction

    The RESET button on your Embedded NG appliance can be used for resetting the VPN-1 Edge appliance to its factory defaults. This results in the loss of all user settings, and reverting to the factory default firmware. Optionally, a preset configuration file can be loaded to the Embedded NG appliance, using the TFTP protocol, allowing a service provider or reseller to permanently modify the factory default settings. The preset configuration file is retained even after a reset to defaults operation.

    The following procedures are valid for all the models in the Safe@Office and VPN-1 Edge appliance families.

    Loading a Preset Configuration file

    Preparing a Preset Configuration File

    The Embedded NG configuration file is a simple text file, containing CLI (Command Line Interface) commands for the appliance. For more information on the Embedded NG CLI syntax, refer to the Embedded NG CLI Guide.

    The configuration file should be stored as a text file with the extension .cfg.

    The first line in the configuration file must begin with: "# Configuration script" and the last line in the file should begin with "# END Configuration script". These two lines are mandatory.

    Note: The preset configuration file will not be cleared when the appliance is reset to defaults. The only way to clear a preset configuration file is by loading an empty configuration file (a configuration file with no CLI commands, i.e. just the two mandatory marker lines). This also means that a preset file you did not put there, for example on an appliance received from a reseller or redeployed from another site, survives every factory reset: after resetting, export the configuration and review it, and load an empty file if anything unexpected is present.

    Tip: You can export a complete configuration file from an existing appliance by going to the 'Setup > Tools' tab in the Embedded NG configuration portal, and clicking the "Export" button.

    Warning: Always make sure that the configuration file is valid before uploading it to the appliance.

    Activating the Embedded NG TFTP server

    Activate the TFTP server on the appliance by following these steps:

    1. Unplug the power cord.
    2. Using a pointed object, press the RESET button on the back of the VPN-1 Edge appliance steadily, while plugging in the power cord.
    3. Keep pressing the RESET button a few seconds until the PWR/SEC LED lights steadily in red.

    Configuring the TFTP client

    1. Use a standard Ethernet cable to connect a computer to one of the LAN ports of the appliance.
    2. Configure the computer to use any fixed IP address in the range 192.168.10.2 - 192.168.10.254. Set the subnet mask to 255.255.255.0.
    3. If SecuRemote is installed on your PC, disable it.
    4. In case you are using the Windows 2000 embedded TFTP client, type the following command on the Windows command prompt: tftp -i 192.168.10.1 put filename.cfg
    5. The appliance will store the configuration file and automatically restart.
    6. Allow the VPN-1 Edge appliance to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).

    Resetting to defaults

    To reset the VPN-1 Edge appliance to factory defaults using the Reset button:

    1. Make sure the VPN-1 Edge appliance is powered on.
    2. Using a pointed object, press the RESET button on the back of the VPN-1 Edge appliance steadily for seven seconds, and then release it.
    3. Allow the VPN-1 Edge appliance to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).

    The appliance will revert to the factory default settings (or to the preset configuration file, if one is loaded). The firmware will be reset to the factory default firmware.
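    As an added example covering the preset-file rules above and the TFTP upload procedure (this item and "Activate the TFTP server on the appliance" earlier in this section), not Check Point code: a Python script that checks a .cfg file for the mandatory marker lines, tells an empty (preset-clearing) file from one that carries commands, and uploads the file to the appliance's recovery TFTP server at 192.168.10.1 with a minimal RFC 1350 write request in octet mode (the equivalent of tftp -i ... put). The marker strings, the .cfg rule and the address are from this article; the TFTP framing is from RFC 1350; the CLI line in the sample is a hypothetical placeholder, and the script does not check CLI syntax (use the Embedded NG CLI Guide for that). It sends no retransmissions, so a lost packet surfaces as a timeout.

```python
"""Check an Embedded NG preset configuration file and upload it over TFTP.

Added example (not Check Point code).  From the article: the mandatory
marker lines, the .cfg extension, the 192.168.10.1 recovery TFTP address
and the rule that an empty file (no CLI commands) clears a stored preset.
From RFC 1350: the WRQ/DATA/ACK framing in octet mode, which is what
'tftp -i ... put' sends.  CLI syntax itself is not checked here.
"""
import socket
import struct
from pathlib import Path

START_MARKER = "# Configuration script"
END_MARKER = "# END Configuration script"
APPLIANCE_TFTP = ("192.168.10.1", 69)
BLOCK = 512


def validate_cfg(text: str) -> list:
    """Return the list of problems found (an empty list means acceptable)."""
    lines = text.splitlines()
    if not lines:
        return ["file is empty; it needs at least the two marker lines"]
    problems = []
    if not lines[0].startswith(START_MARKER):
        problems.append(f"first line must begin with {START_MARKER!r}")
    if not lines[-1].startswith(END_MARKER):
        problems.append(f"last line must begin with {END_MARKER!r}")
    if any(l.startswith(START_MARKER) for l in lines[1:]):
        problems.append("second start marker found: two files pasted together?")
    if "\x00" in text:
        problems.append("binary content: a .cfg must be a plain text script")
    return problems


def cfg_commands(text: str) -> list:
    """The CLI commands between the markers (comments and blanks dropped)."""
    body = text.splitlines()[1:-1]
    return [l.strip() for l in body if l.strip() and not l.lstrip().startswith("#")]


def is_empty_preset(text: str) -> bool:
    """True for the marker-only file that clears a stored preset."""
    return validate_cfg(text) == [] and cfg_commands(text) == []


def tftp_wrq(filename: str) -> bytes:
    """Write request: opcode 2, NUL-terminated filename and mode."""
    return struct.pack("!H", 2) + filename.encode() + b"\x00octet\x00"


def tftp_data_blocks(payload: bytes) -> list:
    """DATA packets (opcode 3) numbered from 1.  A final block shorter than
    512 bytes marks end of file, so a payload that is an exact multiple of
    512 (including an empty one) gets a trailing empty block."""
    chunks = [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)]
    if not chunks or len(chunks[-1]) == BLOCK:
        chunks.append(b"")
    return [struct.pack("!HH", 3, n) + c for n, c in enumerate(chunks, 1)]


def _expect_ack(sock, block: int):
    """Wait for ACK <block>; surface a TFTP ERROR packet as an exception."""
    pkt, peer = sock.recvfrom(516)
    op = struct.unpack("!H", pkt[:2])[0]
    if op == 5:
        raise RuntimeError("TFTP error: " + pkt[4:].rstrip(b"\x00").decode(errors="replace"))
    if op != 4 or struct.unpack("!H", pkt[2:4])[0] != block:
        raise RuntimeError(f"expected ACK {block}, got {pkt[:4].hex()}")
    return peer


def tftp_put(path: Path, server=APPLIANCE_TFTP, timeout: float = 5.0) -> int:
    """Validate and upload a .cfg; returns the number of DATA blocks sent.
    No retransmission: a lost packet shows up as socket.timeout."""
    text = path.read_text()
    problems = validate_cfg(text)
    if path.suffix.lower() != ".cfg":
        problems.append("file name must end in .cfg")
    if problems:
        raise ValueError("; ".join(problems))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(tftp_wrq(path.name), server)
        peer = _expect_ack(sock, 0)          # ACK 0 comes from the server's transfer port
        blocks = tftp_data_blocks(text.encode())
        for n, pkt in enumerate(blocks, 1):
            sock.sendto(pkt, peer)
            _expect_ack(sock, n)
    return len(blocks)                       # the appliance now stores the file and reboots


if __name__ == "__main__":
    import sys
    cfg = Path(sys.argv[1])
    print("preset-clearing file" if is_empty_preset(cfg.read_text()) else "preset with commands")
    print("sent", tftp_put(cfg), "block(s)")
```

    Run it with the computer addressed as in "Configuring the TFTP client" above and the appliance in TFTP mode (PWR/SEC LED steady red). The validation step is the practical answer to the warning above: a file that fails it is refused before anything is sent, and is_empty_preset confirms that the file you are about to load really is the one that clears a stored preset.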

  • A U.S. Robotics 56K Courier modem does not dial when connected to a Check Point Embedded NG security appliance (LP157573)

    A U.S. Robotics 56K Courier modem may be unable to dial out after the Embedded NG security gateway has been configured with dialup connection properties. This happens because the modem's default settings do not allow for a delay after the Embedded NG security gateway sends the ATZ command to the modem.

    Solution: Configure the init string \d\d\AT on the Embedded NG security gateway to create the necessary delay.

    To configure an init string perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Login to the admin console.
    3. Click on the 'Network > Ports' menu.
    4. Click on the "Setup" link near the RS232 (Dialup) image.
    5. Type \d\d\AT in the Initialization String field and click "Apply".
    6. Test the modem connection.
  • Configuring the RADIUS Vendor-Specific Attribute (LP158412)

    Learn how to configure a Vendor-Specific Attribute when using RADIUS to authenticate local and VPN users against RADIUS servers from different vendors. Refer to Configuring the RADIUS Vendor-Specific Attribute.
  • Which printers are supported by the USB print server in my Embedded NGX appliance? (LP172241)

    The print server is compatible with most printers with a USB interface. Multifunction printers will operate as a printer only. Scanner functionality in these printers is not supported.

    The following printers are known to operate correctly with the Embedded NGX integrated print server:

    Brother HL-2030
    Brother HL-2040
    Brother HL-5140
    Brother HL-5240
    Canon MF5750
    Canon MF5770
    Canon MP150
    Canon MP390
    Canon MP500
    Canon MP700
    Canon MP780
    Canon S520
    Canon i250
    Canon i350
    Canon i450
    Canon i560
    Canon i850
    Canon i860
    Canon i865
    Canon i905D
    Canon i9100
    Canon i960
    Canon i9950
    Canon iP1000
    Canon iP1300
    Canon iP1600
    Canon iP1700
    Canon iP3000
    Canon iP4000
    Canon iP4200
    Canon iP5000
    Canon iP8500
    Canon S450
    Canon PIXMA MP600
    Dell Laser Printer 1700n
    Dell Laser Printer 1710n
    Dell Laser Printer P1500
    DYMO LabelWriter 320
    HP Color Inkjet CP1700
    HP Color LaserJet 1500
    HP Color LaserJet 1600
    HP Color LaserJet 2550
    HP Color LaserJet 2600n
    HP Color LaserJet 3500
    HP Color LaserJet 3550
    HP DesignJet 70
    HP Deskjet 1220C
    HP Deskjet D1400
    HP DeskJet D2300
    HP DeskJet F2100 series
    HP Deskjet F4100 series
    HP Deskjet 3600
    HP Deskjet 3740
    HP Deskjet 3820
    HP Deskjet 3840
    HP DeskJet 3900
    HP Deskjet 460
    HP Deskjet 5100
    HP Deskjet 5400
    HP Deskjet 5550
    HP Deskjet 5600
    HP Deskjet 5700
    HP Deskjet 5900
    HP Deskjet 6122
    HP Deskjet 640c
    HP Deskjet 6500
    HP Deskjet 6800
    HP Deskjet 810C
    HP Deskjet 815C
    HP Deskjet 830C
    HP Deskjet 845C
    HP Deskjet 920C
    HP Deskjet 930C
    HP Deskjet 940C
    HP Deskjet 950C
    HP Deskjet 960C
    HP Deskjet 970C
    HP Deskjet 980C
    HP Deskjet 990C
    HP LaserJet 1010
    HP LaserJet 1012
    HP LaserJet 1015
    HP LaserJet 1150
    HP LaserJet 1200
    HP LaserJet 1220
    HP LaserJet 1300
    HP LaserJet 1320
    HP LaserJet 2300
    HP LaserJet 3015
    HP LaserJet 3030
    HP LaserJet 3055
    HP LaserJet 3200
    HP LaserJet 3330
    HP Officejet 4100
    HP Officejet 4200
    HP Officejet 4300
    HP Officejet 5500
    HP Officejet 5600
    HP Officejet J5700
    HP Officejet 6100
    HP Officejet 6200
    HP Officejet 7100
    HP Officejet 7400
    HP Officejet G85
    HP OfficeJet G85xi
    HP Officejet V40
    HP Officejet V40xi
    HP Officejet d
    HP OfficeJet Pro K850
    HP PSC 1200
    HP PSC 1310
    HP PSC 1500
    HP PSC 2100
    HP PSC 2350
    HP PSC 2400
    HP PSC 2500
    HP PSC 720
    HP PSC 750
    HP PSC 920
    HP PSC 930
    HP PSC 950
    HP Photosmart 1218
    HP Photosmart 2570
    HP Photosmart 3200
    HP Photosmart 7150
    HP PhotoSmart 7200
    HP Photosmart 7350
    HP Photosmart 7400
    HP Photosmart 7550
    HP Photosmart 7600
    HP Photosmart 7700
    HP Photosmart 7900
    HP Photosmart D7100
    HP Photosmart D7300
    Konica Minolta PagePro PP1350W
    Kyocera KM-1820
    Lexmark 1200 Series
    Lexmark C510
    Lexmark E210 Laser Printer
    Lexmark E232
    Lexmark E238
    Lexmark E323
    Lexmark E330
    Lexmark X1100
    Lexmark X215
    Lexmark X340
    Lexmark X6100
    Lexmark Z35
    Lexmark Z45
    Oki ML5590
    Samsung CLP-510
    Samsung ML-1450
    Samsung ML-1650
    Samsung ML-1710
    Samsung ML-1740
    Samsung ML-1750
    Samsung ML-2010
    Samsung ML-2550
    Samsung SCX-4100
    Samsung SCX-4x16
    Samsung SCX-4x21
    Samsung SCX-5x12
    Xerox DocuPrint P1202
    Xerox Phaser 3116
    Xerox Phaser 3117
    Xerox Phaser 3120
    Xerox Phaser 3121
    Xerox Phaser 3130
    Xerox Phaser 3150
    Xerox Phaser 3210
    Xerox Phaser 6100 Color Laser
    Xerox Phaser 6180DN
    Xerox Phaser 7300 Series
    Xerox WorkCentre 4118
    Xerox WorkCentre PE16
    Xerox WorkCentre PE120

    The following printers are known to be incompatible with the Print Server:

    HP OfficeJet G85
    HP OfficeJet K80xi
    HP Laserjet 1020
    Lexmark-6100
    Lexmark-6150

  • Check Point Embedded NGX log messages reference (LP173482)

  • How do I perform a factory reset on the appliance? (LP223535)

    Note that this erases all passwords and configuration settings (a preset configuration file loaded over TFTP is kept; see "Using Preset Configuration Files" above).

    To reset the appliance to defaults, perform the following:

    1. Unplug the power cord.
    2. Hold the reset button on the back of the box.
    3. Plug in the power cord while holding the button until the PWR/SEC LED is steady red.
    4. Release the reset button and wait 3 seconds.
    5. Press the reset button again for 10 seconds, until the PWR/SEC LED starts blinking red.
    6. Reconfigure the appliance and install certificates.
  • How do I change the default timeout settings for a specific type of service? (LP339484)

    To change the timeout for a specific service, follow these steps:

    1. Go to the libsw directory on the Security Management Server / Domain Management Server (refer to sk31448).
    2. Open the init.def file.
    3. In the tcp_timeouts section, add the specific service (TCP port) and its timeout in seconds.
    4. After changing the value, reinstall the Edge policy.

    Note: This change must be repeated manually every time the libsw directory is replaced, or after HA is installed. Example (the timeout for TCP port 400 was changed to 7200 seconds; the ADD_TCP_TIMEOUT(0,0) entry at the end closes the list, so insert new entries before it):

    ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
    ADD_TCP_TIMEOUT(400,7200),
    ADD_TCP_TIMEOUT(66666,TCP_TIMEOUT),
    ADD_TCP_TIMEOUT(0,0)
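    A script to make the edit above repeatable, as an added example that is not Check Point code, since the note says it has to be redone each time libsw is replaced: it inserts or updates an ADD_TCP_TIMEOUT entry before the ADD_TCP_TIMEOUT(0,0) terminator and refuses port numbers outside 1-65535 (it would reject the 66666 in the excerpt above, which is not a valid TCP port; check that entry before copying the excerpt literally). It assumes each entry sits on its own line in the form shown above; the sample text is constructed from the excerpt. Reinstall the Edge policy afterwards, as step 4 says.

```python
"""Insert or update an ADD_TCP_TIMEOUT entry in libsw/init.def.

Added example (not Check Point code).  The macro name, the (0,0) entry that
closes the list and the port 400 / 7200 s example are from the article.
Assumed: every entry sits on its own line as in the excerpt, and the (0,0)
entry is the last one in the tcp_timeouts list.
"""
import re
import sys
from pathlib import Path

# ADD_TCP_TIMEOUT(<port>,<timeout-expression>) with an optional trailing comma.
ENTRY = re.compile(r"^(\s*)ADD_TCP_TIMEOUT\(\s*(\d+)\s*,\s*([^)]+?)\s*\)\s*,?\s*$")


def _is_terminator(m) -> bool:
    return m.group(2) == "0" and m.group(3) == "0"


def tcp_timeouts(text: str) -> dict:
    """{port: timeout expression} for every entry except the terminator."""
    result = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and not _is_terminator(m):
            result[int(m.group(2))] = m.group(3)
    return result


def set_tcp_timeout(text: str, port: int, seconds: int) -> str:
    """Return init.def text in which ADD_TCP_TIMEOUT(port,seconds) exists.

    An existing entry for the port is rewritten in place; otherwise a new
    entry is inserted directly before the (0,0) terminator.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    if seconds <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    out, replaced, terminator_at = [], False, None
    for line in text.splitlines(keepends=True):
        m = ENTRY.match(line)
        if m and _is_terminator(m):
            terminator_at = len(out)
        elif m and int(m.group(2)) == port:
            line = f"{m.group(1)}ADD_TCP_TIMEOUT({port},{seconds}),\n"
            replaced = True
        out.append(line)
    if not replaced:
        if terminator_at is None:
            raise ValueError("no ADD_TCP_TIMEOUT(0,0) terminator found")
        indent = ENTRY.match(out[terminator_at]).group(1)
        out.insert(terminator_at, f"{indent}ADD_TCP_TIMEOUT({port},{seconds}),\n")
    return "".join(out)


# Constructed from the article's excerpt, before the port 400 entry was added.
SAMPLE = """\
    ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
    ADD_TCP_TIMEOUT(0,0)
"""

if __name__ == "__main__":
    if len(sys.argv) == 4:                       # usage: init.def PORT SECONDS
        path = Path(sys.argv[1])
        path.write_text(set_tcp_timeout(path.read_text(), int(sys.argv[2]), int(sys.argv[3])))
        print(tcp_timeouts(path.read_text()))
    else:
        print(set_tcp_timeout(SAMPLE, 400, 7200), end="")
```

    Running it a second time with a new value rewrites the existing entry instead of adding a duplicate, which is the failure mode of hand-editing the file after every libsw replacement. Lines that carry a trailing comment are not matched and are left untouched.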

  • SNMP MIB table for Check Point Embedded NGX Appliances version 8.0 (LP337727 + LP145159)

    Download the SNMP MIB file for Edge / Safe@Office from here.

    The following are some example outputs. Note that these tables expose the appliance's interface MAC addresses and its full ARP table (the IP-to-MAC mapping of the LAN hosts), which is useful reconnaissance for anyone who can query the agent, so allow SNMP only from your management stations. In the sample below, snmpEnableAuthenTraps is disabled(2), meaning requests with a wrong community string are counted in snmpInBadCommunityNames but do not raise a trap.

    System Information

    In this section you will find general system information such as name, location and uptime.

    Example:

    SNMPv2-MIB::sysDescr.0 = STRING: SofaWare Embedded NG
    SNMPv2-MIB::sysObjectID.0 = OID: netSnmpAgentOIDs
    SNMPv2-MIB::sysUpTimeInstance = Timeticks: (49802) 0:08:18.02
    SNMPv2-MIB::sysContact.0 = STRING:
    SNMPv2-MIB::sysName.0 = STRING: 00:08:da:70:20:8c
    SNMPv2-MIB::sysLocation.0 = STRING:
    SNMPv2-MIB::sysServices.0 = INTEGER: 72
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (26) 0:00:00.26
    SNMPv2-MIB::sysORID.1 = OID: snmpMIB
    SNMPv2-MIB::sysORID.2 = OID: vacmBasicGroup
    SNMPv2-MIB::sysORID.3 = OID: ifMIB
    SNMPv2-MIB::sysORDescr.1 = STRING: The MIB module for SNMPv2 entities
    SNMPv2-MIB::sysORDescr.2 = STRING: View-based Access Control Model for SNMP.
    SNMPv2-MIB::sysORDescr.3 = STRING: The MIB module to describe generic objects for network interface sub-layers
    SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
    SNMPv2-MIB::sysORUpTime.2 = Timeticks: (0) 0:00:00.00
    SNMPv2-MIB::sysORUpTime.3 = Timeticks: (26) 0:00:00.26
    

    Interface information

    Note: In this section you will find information about the interfaces of the appliance, such as MAC addresses, interface speed, up/down status, number of packets passed, and so on.

    Example:

    IF-MIB::ifNumber.0 = INTEGER: 6
    IF-MIB::ifIndex.1 = INTEGER: 1
    IF-MIB::ifIndex.2 = INTEGER: 2
    IF-MIB::ifIndex.3 = INTEGER: 3
    IF-MIB::ifIndex.4 = INTEGER: 4
    IF-MIB::ifIndex.5 = INTEGER: 5
    IF-MIB::ifIndex.6 = INTEGER: 6
    IF-MIB::ifDescr.1 = STRING: lo
    IF-MIB::ifDescr.2 = STRING: eth0
    IF-MIB::ifDescr.3 = STRING: eth1
    IF-MIB::ifDescr.4 = STRING: eth2
    IF-MIB::ifDescr.5 = STRING: tunl0
    IF-MIB::ifDescr.6 = STRING: wlan0
    IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
    IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
    IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)
    IF-MIB::ifType.4 = INTEGER: ethernetCsmacd(6)
    IF-MIB::ifType.5 = INTEGER: tunnel(131)
    IF-MIB::ifType.6 = INTEGER: ethernetCsmacd(6)
    IF-MIB::ifMtu.1 = INTEGER: 16436
    IF-MIB::ifMtu.2 = INTEGER: 1500
    IF-MIB::ifMtu.3 = INTEGER: 1500
    IF-MIB::ifMtu.4 = INTEGER: 1500
    IF-MIB::ifMtu.5 = INTEGER: 1480
    IF-MIB::ifMtu.6 = INTEGER: 1500
    IF-MIB::ifSpeed.1 = Gauge32: 10000000
    IF-MIB::ifSpeed.2 = Gauge32: 10000000
    IF-MIB::ifSpeed.3 = Gauge32: 10000000
    IF-MIB::ifSpeed.4 = Gauge32: 10000000
    IF-MIB::ifSpeed.5 = Gauge32: 0
    IF-MIB::ifSpeed.6 = Gauge32: 10000000
    IF-MIB::ifPhysAddress.1 = STRING:
    IF-MIB::ifPhysAddress.2 = STRING: 0:8:da:70:20:8a
    IF-MIB::ifPhysAddress.3 = STRING: 0:8:da:70:20:8c
    IF-MIB::ifPhysAddress.4 = STRING: 0:8:da:70:20:8b
    IF-MIB::ifPhysAddress.5 = STRING:
    IF-MIB::ifPhysAddress.6 = STRING: 0:f:ea:91:4c:e1
    IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
    IF-MIB::ifAdminStatus.2 = INTEGER: up(1)
    IF-MIB::ifAdminStatus.3 = INTEGER: up(1)
    IF-MIB::ifAdminStatus.4 = INTEGER: up(1)
    IF-MIB::ifAdminStatus.5 = INTEGER: down(2)
    IF-MIB::ifAdminStatus.6 = INTEGER: down(2)
    IF-MIB::ifOperStatus.1 = INTEGER: up(1)
    IF-MIB::ifOperStatus.2 = INTEGER: down(2)
    IF-MIB::ifOperStatus.3 = INTEGER: up(1)
    IF-MIB::ifOperStatus.4 = INTEGER: down(2)
    IF-MIB::ifOperStatus.5 = INTEGER: down(2)
    IF-MIB::ifOperStatus.6 = INTEGER: down(2)
    IF-MIB::ifLastChange.1 = Timeticks: (0) 0:00:00.00
    IF-MIB::ifLastChange.2 = Timeticks: (0) 0:00:00.00
    IF-MIB::ifLastChange.3 = Timeticks: (0) 0:00:00.00
    IF-MIB::ifLastChange.4 = Timeticks: (0) 0:00:00.00
    IF-MIB::ifLastChange.5 = Timeticks: (0) 0:00:00.00
    IF-MIB::ifLastChange.6 = Timeticks: (0) 0:00:00.00
    IF-MIB::ifInOctets.1 = Counter32: 0
    IF-MIB::ifInOctets.2 = Counter32: 193692
    IF-MIB::ifInOctets.3 = Counter32: 811607
    IF-MIB::ifInOctets.4 = Counter32: 0
    IF-MIB::ifInOctets.5 = Counter32: 0
    IF-MIB::ifInOctets.6 = Counter32: 0
    IF-MIB::ifInUcastPkts.1 = Counter32: 0
    IF-MIB::ifInUcastPkts.2 = Counter32: 1521
    IF-MIB::ifInUcastPkts.3 = Counter32: 1635
    IF-MIB::ifInUcastPkts.4 = Counter32: 0
    IF-MIB::ifInUcastPkts.5 = Counter32: 0
    IF-MIB::ifInUcastPkts.6 = Counter32: 0
    IF-MIB::ifInNUcastPkts.1 = Counter32: 0
    IF-MIB::ifInNUcastPkts.2 = Counter32: 0
    IF-MIB::ifInNUcastPkts.3 = Counter32: 0
    IF-MIB::ifInNUcastPkts.4 = Counter32: 0
    IF-MIB::ifInNUcastPkts.5 = Counter32: 0
    IF-MIB::ifInNUcastPkts.6 = Counter32: 0
    IF-MIB::ifInDiscards.1 = Counter32: 0
    IF-MIB::ifInDiscards.2 = Counter32: 0
    IF-MIB::ifInDiscards.3 = Counter32: 0
    IF-MIB::ifInDiscards.4 = Counter32: 0
    IF-MIB::ifInDiscards.5 = Counter32: 0
    IF-MIB::ifInDiscards.6 = Counter32: 0
    IF-MIB::ifInErrors.1 = Counter32: 0
    IF-MIB::ifInErrors.2 = Counter32: 0
    IF-MIB::ifInErrors.3 = Counter32: 0
    IF-MIB::ifInErrors.4 = Counter32: 0
    IF-MIB::ifInErrors.5 = Counter32: 0
    IF-MIB::ifInErrors.6 = Counter32: 198
    IF-MIB::ifInUnknownProtos.1 = Counter32: 0
    IF-MIB::ifInUnknownProtos.2 = Counter32: 0
    IF-MIB::ifInUnknownProtos.3 = Counter32: 0
    IF-MIB::ifInUnknownProtos.4 = Counter32: 0
    IF-MIB::ifInUnknownProtos.5 = Counter32: 0
    IF-MIB::ifInUnknownProtos.6 = Counter32: 0
    IF-MIB::ifOutOctets.1 = Counter32: 0
    IF-MIB::ifOutOctets.2 = Counter32: 1131094
    IF-MIB::ifOutOctets.3 = Counter32: 62054
    IF-MIB::ifOutOctets.4 = Counter32: 0
    IF-MIB::ifOutOctets.5 = Counter32: 0
    IF-MIB::ifOutOctets.6 = Counter32: 0
    IF-MIB::ifOutUcastPkts.1 = Counter32: 0
    IF-MIB::ifOutUcastPkts.2 = Counter32: 1735
    IF-MIB::ifOutUcastPkts.3 = Counter32: 515
    IF-MIB::ifOutUcastPkts.4 = Counter32: 0
    IF-MIB::ifOutUcastPkts.5 = Counter32: 0
    IF-MIB::ifOutUcastPkts.6 = Counter32: 0
    IF-MIB::ifOutNUcastPkts.1 = Counter32: 0
    IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
    IF-MIB::ifOutNUcastPkts.3 = Counter32: 0
    IF-MIB::ifOutNUcastPkts.4 = Counter32: 0
    IF-MIB::ifOutNUcastPkts.5 = Counter32: 0
    IF-MIB::ifOutNUcastPkts.6 = Counter32: 0
    IF-MIB::ifOutDiscards.1 = Counter32: 0
    IF-MIB::ifOutDiscards.2 = Counter32: 0
    IF-MIB::ifOutDiscards.3 = Counter32: 0
    IF-MIB::ifOutDiscards.4 = Counter32: 0
    IF-MIB::ifOutDiscards.5 = Counter32: 0
    IF-MIB::ifOutDiscards.6 = Counter32: 1
    IF-MIB::ifOutErrors.1 = Counter32: 0
    IF-MIB::ifOutErrors.2 = Counter32: 0
    IF-MIB::ifOutErrors.3 = Counter32: 0
    IF-MIB::ifOutErrors.4 = Counter32: 0
    IF-MIB::ifOutErrors.5 = Counter32: 0
    IF-MIB::ifOutErrors.6 = Counter32: 0
    IF-MIB::ifOutQLen.1 = Gauge32: 0
    IF-MIB::ifOutQLen.2 = Gauge32: 0
    IF-MIB::ifOutQLen.3 = Gauge32: 0
    IF-MIB::ifOutQLen.4 = Gauge32: 0
    IF-MIB::ifOutQLen.5 = Gauge32: 0
    IF-MIB::ifOutQLen.6 = Gauge32: 0
    IF-MIB::ifSpecific.1 = OID: zeroDotZero
    IF-MIB::ifSpecific.2 = OID: zeroDotZero
    IF-MIB::ifSpecific.3 = OID: zeroDotZero
    IF-MIB::ifSpecific.4 = OID: zeroDotZero
    IF-MIB::ifSpecific.5 = OID: zeroDotZero
    IF-MIB::ifSpecific.6 = OID: zeroDotZero
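
    A parser for this output, as an added example that is not Check Point code: it turns net-snmp style lines like the listing above into per-interface records and flags what a monitor should catch, such as an interface that is administratively up but has no link, non-zero error or discard counters, and authentication-failure traps being disabled. The embedded sample is a constructed subset of the article's own example output; on a live appliance, pipe snmpwalk output into it (the SNMP version and community options shown in the comment are assumptions about your setup, not taken from this article).

```python
"""Parse snmpwalk output from the appliance and flag what a monitor should see.

Added example (not Check Point code).  SAMPLE is a constructed subset of the
article's own example output; the line format is net-snmp's textual output
('MIB::object.index = TYPE: value').  The health rules are this example's.
"""
import re
import sys

LINE = re.compile(r"^([\w-]+)::(\w+)(?:\.(\S+))?\s*=\s*(?:([\w-]+):\s*)?(.*)$")
ENUM = re.compile(r"([A-Za-z]\w*)\((\d+)\)")
NUMERIC = ("INTEGER", "Counter32", "Counter64", "Gauge32")
IF_COLUMNS = ("ifDescr", "ifType", "ifPhysAddress", "ifAdminStatus",
              "ifOperStatus", "ifInErrors", "ifOutDiscards", "ifInOctets")

SAMPLE = """\
IF-MIB::ifNumber.0 = INTEGER: 6
IF-MIB::ifDescr.2 = STRING: eth0
IF-MIB::ifDescr.3 = STRING: eth1
IF-MIB::ifDescr.6 = STRING: wlan0
IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
IF-MIB::ifPhysAddress.3 = STRING: 0:8:da:70:20:8c
IF-MIB::ifAdminStatus.2 = INTEGER: up(1)
IF-MIB::ifAdminStatus.3 = INTEGER: up(1)
IF-MIB::ifAdminStatus.6 = INTEGER: down(2)
IF-MIB::ifOperStatus.2 = INTEGER: down(2)
IF-MIB::ifOperStatus.3 = INTEGER: up(1)
IF-MIB::ifOperStatus.6 = INTEGER: down(2)
IF-MIB::ifInErrors.2 = Counter32: 0
IF-MIB::ifInErrors.3 = Counter32: 0
IF-MIB::ifInErrors.6 = Counter32: 198
IF-MIB::ifOutDiscards.6 = Counter32: 1
SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)
SNMPv2-MIB::snmpInBadCommunityNames.0 = Counter32: 0
"""


def parse_walk(text: str):
    """Yield (mib, object, index, type, value).  Counters, gauges and plain
    INTEGERs become int; enumerated INTEGERs such as up(1) keep the label."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # blank line or continuation of a multi-line value
        mib, obj, idx, typ, val = m.groups()
        if typ in NUMERIC:
            enum = ENUM.fullmatch(val)
            val = enum.group(1) if enum else int(val)
        yield mib, obj, idx, typ, val


def interfaces(text: str) -> dict:
    """{ifIndex: {column: value}} built from the IF-MIB rows."""
    table = {}
    for mib, obj, idx, _typ, val in parse_walk(text):
        if mib == "IF-MIB" and obj in IF_COLUMNS and idx is not None:
            table.setdefault(int(idx), {})[obj] = val
    return table


def scalars(text: str) -> dict:
    """{object: value} for the .0 scalars (sysName, snmpEnableAuthenTraps, ...)."""
    return {obj: val for _m, obj, idx, _t, val in parse_walk(text) if idx == "0"}


def findings(text: str) -> list:
    """(subject, message) pairs a monitoring check would raise."""
    out = []
    for idx, row in sorted(interfaces(text).items()):
        name = row.get("ifDescr", f"ifIndex {idx}")
        if row.get("ifAdminStatus") == "up" and row.get("ifOperStatus") == "down":
            out.append((name, "administratively up but link is down"))
        if row.get("ifInErrors", 0) > 0:
            out.append((name, f"{row['ifInErrors']} inbound errors"))
        if row.get("ifOutDiscards", 0) > 0:
            out.append((name, f"{row['ifOutDiscards']} outbound discards"))
    s = scalars(text)
    if s.get("snmpEnableAuthenTraps") == "disabled":
        out.append(("snmpEnableAuthenTraps",
                    "authentication-failure traps are off: wrong community strings are counted but not reported"))
    if s.get("snmpInBadCommunityNames", 0) > 0:
        out.append(("snmpInBadCommunityNames",
                    f"{s['snmpInBadCommunityNames']} requests carried a wrong community string"))
    return out


if __name__ == "__main__":
    # Live use (SNMP version and community are assumptions, not from the article):
    #   snmpwalk -v2c -c <community> <appliance> | python3 snmpcheck.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for subject, message in findings(text):
        print(f"{subject}: {message}")
```

    The same line parser handles the RFC1213-MIB ARP rows further down (the index there is the full "ifIndex.1.a.b.c.d" suffix), so a periodic run can also diff the ipNetToMedia entries and alert when a known LAN address suddenly maps to a different MAC.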

    SNMP Information

    Note: In this section you will find counters for the SNMP messages received and sent by the appliance's SNMP agent, such as incoming/outgoing counts, number of get/set requests, number of malformed packets, and so on.

    Example:

    SNMPv2-MIB::snmpInPkts.0 = Counter32: 347
    SNMPv2-MIB::snmpOutPkts.0 = Counter32: 347
    SNMPv2-MIB::snmpInBadVersions.0 = Counter32: 0
    SNMPv2-MIB::snmpInBadCommunityNames.0 = Counter32: 0
    SNMPv2-MIB::snmpInBadCommunityUses.0 = Counter32: 0
    SNMPv2-MIB::snmpInASNParseErrs.0 = Counter32: 0
    SNMPv2-MIB::snmpInTooBigs.0 = Counter32: 0
    SNMPv2-MIB::snmpInNoSuchNames.0 = Counter32: 0
    SNMPv2-MIB::snmpInBadValues.0 = Counter32: 0
    SNMPv2-MIB::snmpInReadOnlys.0 = Counter32: 0
    SNMPv2-MIB::snmpInGenErrs.0 = Counter32: 0
    SNMPv2-MIB::snmpInTotalReqVars.0 = Counter32: 357
    SNMPv2-MIB::snmpInTotalSetVars.0 = Counter32: 0
    SNMPv2-MIB::snmpInGetRequests.0 = Counter32: 0
    SNMPv2-MIB::snmpInGetNexts.0 = Counter32: 361
    SNMPv2-MIB::snmpInSetRequests.0 = Counter32: 0
    SNMPv2-MIB::snmpInGetResponses.0 = Counter32: 0
    SNMPv2-MIB::snmpInTraps.0 = Counter32: 0
    SNMPv2-MIB::snmpOutTooBigs.0 = Counter32: 0
    SNMPv2-MIB::snmpOutNoSuchNames.0 = Counter32: 0
    SNMPv2-MIB::snmpOutBadValues.0 = Counter32: 0
    SNMPv2-MIB::snmpOutGenErrs.0 = Counter32: 0
    SNMPv2-MIB::snmpOutGetRequests.0 = Counter32: 0
    SNMPv2-MIB::snmpOutGetNexts.0 = Counter32: 0
    SNMPv2-MIB::snmpOutSetRequests.0 = Counter32: 0
    SNMPv2-MIB::snmpOutGetResponses.0 = Counter32: 371
    SNMPv2-MIB::snmpOutTraps.0 = Counter32: 0
    SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)
    SNMPv2-MIB::snmpSilentDrops.0 = Counter32: 0
    SNMPv2-MIB::snmpProxyDrops.0 = Counter32: 0
    

    ARP Table information

    Note: In this section you will find the entries of the ARP table.

    Example:

    RFC1213-MIB::atIfIndex.2.1.192.168.10.11 = INTEGER: 2
    RFC1213-MIB::atIfIndex.3.1.62.90.32.1 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.2 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.3 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.10 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.11 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.15 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.72 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.89 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.105 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.145 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.210 = INTEGER: 3
    RFC1213-MIB::atIfIndex.3.1.62.90.32.250 = INTEGER: 3
    RFC1213-MIB::atPhysAddress.2.1.192.168.10.11 = Hex-STRING: 00 D0 B7 8E 20 07
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.1 = Hex-STRING: 00 80 C8 B9 D8 4B
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.2 = Hex-STRING: 00 06 29 33 22 04
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.3 = Hex-STRING: 00 D0 B7 8E 20 08
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.10 = Hex-STRING: 00 0C F1 DB D2 A1
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.11 = Hex-STRING: 00 09 6B 07 0B 65
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.15 = Hex-STRING: 00 09 6B 94 05 4F
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.72 = Hex-STRING: 00 11 11 6C 08 04
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.89 = Hex-STRING: 00 08 DA 70 09 0E
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.105 = Hex-STRING: 00 07 E9 1A 02 48
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.145 = Hex-STRING: 00 03 BA 13 15 75
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.210 = Hex-STRING: 00 0C F1 BA 3F 97
    RFC1213-MIB::atPhysAddress.3.1.62.90.32.250 = Hex-STRING: 00 D0 B7 80 58 37
    RFC1213-MIB::atNetAddress.2.1.192.168.10.11 = Network Address: C0:A8:0A:0B
    RFC1213-MIB::atNetAddress.3.1.62.90.32.1 = Network Address: 3E:5A:20:01
    RFC1213-MIB::atNetAddress.3.1.62.90.32.2 = Network Address: 3E:5A:20:02
    RFC1213-MIB::atNetAddress.3.1.62.90.32.3 = Network Address: 3E:5A:20:03
    RFC1213-MIB::atNetAddress.3.1.62.90.32.10 = Network Address: 3E:5A:20:0A
    RFC1213-MIB::atNetAddress.3.1.62.90.32.11 = Network Address: 3E:5A:20:0B
    RFC1213-MIB::atNetAddress.3.1.62.90.32.15 = Network Address: 3E:5A:20:0F
    RFC1213-MIB::atNetAddress.3.1.62.90.32.72 = Network Address: 3E:5A:20:48
    RFC1213-MIB::atNetAddress.3.1.62.90.32.89 = Network Address: 3E:5A:20:59
    RFC1213-MIB::atNetAddress.3.1.62.90.32.105 = Network Address: 3E:5A:20:69
    RFC1213-MIB::atNetAddress.3.1.62.90.32.145 = Network Address: 3E:5A:20:91
    RFC1213-MIB::atNetAddress.3.1.62.90.32.210 = Network Address: 3E:5A:20:D2
    RFC1213-MIB::atNetAddress.3.1.62.90.32.250 = Network Address: 3E:5A:20:FA
    RFC1213-MIB::ipNetToMediaIfIndex.2.192.168.10.11 = INTEGER: 2
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.1 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.2 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.3 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.10 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.11 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.15 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.72 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.89 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.105 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.145 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.210 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.250 = INTEGER: 3
    RFC1213-MIB::ipNetToMediaPhysAddress.2.192.168.10.11 = Hex-STRING: 00 D0 B7 8E 20 07
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.1 = Hex-STRING: 00 80 C8 B9 D8 4B
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.2 = Hex-STRING: 00 06 29 33 22 04
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.3 = Hex-STRING: 00 D0 B7 8E 20 08
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.10 = Hex-STRING: 00 0C F1 DB D2 A1
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.11 = Hex-STRING: 00 09 6B 07 0B 65
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.15 = Hex-STRING: 00 09 6B 94 05 4F
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.72 = Hex-STRING: 00 11 11 6C 08 04
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.89 = Hex-STRING: 00 08 DA 70 09 0E
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.105 = Hex-STRING: 00 07 E9 1A 02 48
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.145 = Hex-STRING: 00 03 BA 13 15 75
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.210 = Hex-STRING: 00 0C F1 BA 3F 97
    RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.250 = Hex-STRING: 00 D0 B7 80 58 37
    RFC1213-MIB::ipNetToMediaNetAddress.2.192.168.10.11 = IpAddress: 192.168.10.11
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.1 = IpAddress: 62.90.32.1
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.2 = IpAddress: 62.90.32.2
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.3 = IpAddress: 62.90.32.3
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.10 = IpAddress: 62.90.32.10
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.11 = IpAddress: 62.90.32.11
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.15 = IpAddress: 62.90.32.15
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.72 = IpAddress: 62.90.32.72
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.89 = IpAddress: 62.90.32.89
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.105 = IpAddress: 62.90.32.105
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.145 = IpAddress: 62.90.32.145
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.210 = IpAddress: 62.90.32.210
    RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.250 = IpAddress: 62.90.32.250
    RFC1213-MIB::ipNetToMediaType.2.192.168.10.11 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.1 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.2 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.3 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.10 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.11 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.15 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.72 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.89 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.105 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.145 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.210 = INTEGER: dynamic(3)
    RFC1213-MIB::ipNetToMediaType.3.62.90.32.250 = INTEGER: dynamic(3)
    

    IP Information

    Note: In this section you will find statistical information concerning IP packets, such as the number of incoming packets, the number of packets discarded, and so on.

    Example:

    IP-MIB::ipForwarding.0 = INTEGER: forwarding(1)
    IP-MIB::ipDefaultTTL.0 = INTEGER: 64
    IP-MIB::ipInReceives.0 = Counter32: 2224
    IP-MIB::ipInHdrErrors.0 = Counter32: 0
    IP-MIB::ipInAddrErrors.0 = Counter32: 0
    IP-MIB::ipForwDatagrams.0 = Counter32: 1090
    IP-MIB::ipInUnknownProtos.0 = Counter32: 0
    IP-MIB::ipInDiscards.0 = Counter32: 0
    IP-MIB::ipInDelivers.0 = Counter32: 1077
    IP-MIB::ipOutRequests.0 = Counter32: 1603
    IP-MIB::ipOutDiscards.0 = Counter32: 0
    IP-MIB::ipOutNoRoutes.0 = Counter32: 0
    IP-MIB::ipReasmTimeout.0 = INTEGER: 0
    IP-MIB::ipReasmReqds.0 = Counter32: 0
    IP-MIB::ipReasmOKs.0 = Counter32: 0
    IP-MIB::ipReasmFails.0 = Counter32: 0
    IP-MIB::ipFragOKs.0 = Counter32: 0
    IP-MIB::ipFragFails.0 = Counter32: 0
    IP-MIB::ipFragCreates.0 = Counter32: 0
    IP-MIB::ipAdEntAddr.0.0.0.0 = IpAddress: 0.0.0.0
    IP-MIB::ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1
    IP-MIB::ipAdEntAddr.192.168.10.1 = IpAddress: 192.168.10.1
    IP-MIB::ipAdEntAddr.192.168.253.1 = IpAddress: 192.168.253.1
    IP-MIB::ipAdEntIfIndex.0.0.0.0 = INTEGER: 3
    IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
    IP-MIB::ipAdEntIfIndex.192.168.10.1 = INTEGER: 2
    IP-MIB::ipAdEntIfIndex.192.168.253.1 = INTEGER: 4
    IP-MIB::ipAdEntNetMask.0.0.0.0 = IpAddress: 0.0.0.0
    IP-MIB::ipAdEntNetMask.127.0.0.1 = IpAddress: 255.0.0.0
    IP-MIB::ipAdEntNetMask.192.168.10.1 = IpAddress: 255.255.255.0
    IP-MIB::ipAdEntNetMask.192.168.253.1 = IpAddress: 255.255.255.0
    IP-MIB::ipAdEntBcastAddr.0.0.0.0 = INTEGER: 0
    IP-MIB::ipAdEntBcastAddr.127.0.0.1 = INTEGER: 0
    IP-MIB::ipAdEntBcastAddr.192.168.10.1 = INTEGER: 1
    IP-MIB::ipAdEntBcastAddr.192.168.253.1 = INTEGER: 1
    IP-MIB::ipAdEntReasmMaxSize.0.0.0.0 = INTEGER: -1
    IP-MIB::ipAdEntReasmMaxSize.127.0.0.1 = INTEGER: -1
    IP-MIB::ipAdEntReasmMaxSize.192.168.10.1 = INTEGER: -1
    IP-MIB::ipAdEntReasmMaxSize.192.168.253.1 = INTEGER: -1
    

    Route table information

    Note: In this section you will find the entries of the route table.

    Example:

    RFC1213-MIB::ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0
    RFC1213-MIB::ipRouteDest.62.90.32.0 = IpAddress: 62.90.32.0
    RFC1213-MIB::ipRouteDest.127.0.0.0 = IpAddress: 127.0.0.0
    RFC1213-MIB::ipRouteDest.192.168.10.0 = IpAddress: 192.168.10.0
    RFC1213-MIB::ipRouteDest.192.168.253.0 = IpAddress: 192.168.253.0
    RFC1213-MIB::ipRouteIfIndex.0.0.0.0 = INTEGER: 3
    RFC1213-MIB::ipRouteIfIndex.62.90.32.0 = INTEGER: 3
    RFC1213-MIB::ipRouteIfIndex.127.0.0.0 = INTEGER: 6
    RFC1213-MIB::ipRouteIfIndex.192.168.10.0 = INTEGER: 2
    RFC1213-MIB::ipRouteIfIndex.192.168.253.0 = INTEGER: 4
    RFC1213-MIB::ipRouteMetric1.0.0.0.0 = INTEGER: 1
    RFC1213-MIB::ipRouteMetric1.62.90.32.0 = INTEGER: 0
    RFC1213-MIB::ipRouteMetric1.127.0.0.0 = INTEGER: 0
    RFC1213-MIB::ipRouteMetric1.192.168.10.0 = INTEGER: 0
    RFC1213-MIB::ipRouteMetric1.192.168.253.0 = INTEGER: 0
    RFC1213-MIB::ipRouteMetric2.0.0.0.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric2.62.90.32.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric2.127.0.0.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric2.192.168.10.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric2.192.168.253.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric3.0.0.0.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric3.62.90.32.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric3.127.0.0.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric3.192.168.10.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric3.192.168.253.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric4.0.0.0.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric4.62.90.32.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric4.127.0.0.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric4.192.168.10.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric4.192.168.253.0 = INTEGER: -1
    RFC1213-MIB::ipRouteNextHop.0.0.0.0 = IpAddress: 62.90.32.1
    RFC1213-MIB::ipRouteNextHop.62.90.32.0 = IpAddress: 0.0.0.0
    RFC1213-MIB::ipRouteNextHop.127.0.0.0 = IpAddress: 0.0.0.0
    RFC1213-MIB::ipRouteNextHop.192.168.10.0 = IpAddress: 0.0.0.0
    RFC1213-MIB::ipRouteNextHop.192.168.253.0 = IpAddress: 0.0.0.0
    RFC1213-MIB::ipRouteType.0.0.0.0 = INTEGER: indirect(4)
    RFC1213-MIB::ipRouteType.62.90.32.0 = INTEGER: direct(3)
    RFC1213-MIB::ipRouteType.127.0.0.0 = INTEGER: direct(3)
    RFC1213-MIB::ipRouteType.192.168.10.0 = INTEGER: direct(3)
    RFC1213-MIB::ipRouteType.192.168.253.0 = INTEGER: direct(3)
    RFC1213-MIB::ipRouteProto.0.0.0.0 = INTEGER: local(2)
    RFC1213-MIB::ipRouteProto.62.90.32.0 = INTEGER: local(2)
    RFC1213-MIB::ipRouteProto.127.0.0.0 = INTEGER: local(2)
    RFC1213-MIB::ipRouteProto.192.168.10.0 = INTEGER: local(2)
    RFC1213-MIB::ipRouteProto.192.168.253.0 = INTEGER: local(2)
    RFC1213-MIB::ipRouteAge.0.0.0.0 = INTEGER: 0
    RFC1213-MIB::ipRouteAge.62.90.32.0 = INTEGER: 0
    RFC1213-MIB::ipRouteAge.127.0.0.0 = INTEGER: 0
    RFC1213-MIB::ipRouteAge.192.168.10.0 = INTEGER: 0
    RFC1213-MIB::ipRouteAge.192.168.253.0 = INTEGER: 0
    RFC1213-MIB::ipRouteMask.0.0.0.0 = IpAddress: 0.0.0.0
    RFC1213-MIB::ipRouteMask.62.90.32.0 = IpAddress: 255.255.255.0
    RFC1213-MIB::ipRouteMask.127.0.0.0 = IpAddress: 255.0.0.0
    RFC1213-MIB::ipRouteMask.192.168.10.0 = IpAddress: 255.255.255.0
    RFC1213-MIB::ipRouteMask.192.168.253.0 = IpAddress: 255.255.255.0
    RFC1213-MIB::ipRouteMetric5.0.0.0.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric5.62.90.32.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric5.127.0.0.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric5.192.168.10.0 = INTEGER: -1
    RFC1213-MIB::ipRouteMetric5.192.168.253.0 = INTEGER: -1
    RFC1213-MIB::ipRouteInfo.0.0.0.0 = OID: zeroDotZero
    RFC1213-MIB::ipRouteInfo.62.90.32.0 = OID: zeroDotZero
    RFC1213-MIB::ipRouteInfo.127.0.0.0 = OID: zeroDotZero
    RFC1213-MIB::ipRouteInfo.192.168.10.0 = OID: zeroDotZero
    RFC1213-MIB::ipRouteInfo.192.168.253.0 = OID: zeroDotZero
    RFC1213-MIB::ipRoutingDiscards.0 = Counter32: 0
    

    System load average information

    Note: In this section you will find the load information.

    Example:

    UCD-SNMP-MIB-OLD::laIndex.1 = INTEGER: 1
    UCD-SNMP-MIB-OLD::laIndex.2 = INTEGER: 2
    UCD-SNMP-MIB-OLD::laIndex.3 = INTEGER: 3
    UCD-SNMP-MIB-OLD::laNames.1 = STRING: Load-1
    UCD-SNMP-MIB-OLD::laNames.2 = STRING: Load-5
    UCD-SNMP-MIB-OLD::laNames.3 = STRING: Load-15
    UCD-SNMP-MIB-OLD::laLoad.1 = STRING: 1.00
    UCD-SNMP-MIB-OLD::laLoad.2 = STRING: 1.00
    UCD-SNMP-MIB-OLD::laLoad.3 = STRING: 0.92
    UCD-SNMP-MIB-OLD::laConfig.1 = STRING: 12.00
    UCD-SNMP-MIB-OLD::laConfig.2 = STRING: 12.00
    UCD-SNMP-MIB-OLD::laConfig.3 = STRING: 12.00
    UCD-SNMP-MIB-OLD::laLoadInt.1 = INTEGER: 100
    UCD-SNMP-MIB-OLD::laLoadInt.2 = INTEGER: 100
    UCD-SNMP-MIB-OLD::laLoadInt.3 = INTEGER: 92
    UCD-SNMP-MIB-OLD::laErrorFlag.1 = INTEGER: 0
    UCD-SNMP-MIB-OLD::laErrorFlag.2 = INTEGER: 0
    UCD-SNMP-MIB-OLD::laErrorFlag.3 = INTEGER: 0
    UCD-SNMP-MIB-OLD::laErrMessage.1 = STRING:
    UCD-SNMP-MIB-OLD::laErrMessage.2 = STRING:
    UCD-SNMP-MIB-OLD::laErrMessage.3 = STRING:
    

 

Firewall

  • What is the difference between the low, medium and high security levels? (LP16225)

    The default security policy that comes with the Safe@ appliance basically blocks all incoming traffic and allows all outbound traffic, initiated from your home or office.

    • Low: All outbound traffic is allowed. All inbound traffic is blocked, except for ICMP echos ("pings").
    • Medium: All outbound traffic is allowed, except for Windows file sharing (NBT ports 137, 138, 139 and 445). All inbound traffic is blocked.
    • High: Restrictions apply to outbound traffic: only Web (HTTP, HTTPS), email (IMAP, POP3, SMTP), FTP, NNTP, Telnet, DNS, IKE, UDP 2746 and TCP 256 traffic is allowed out. All inbound traffic is blocked.
  • Does the Safe@Office support H.323 VoIP through the firewall? (LP16226)

    Yes. You'll need to create a custom firewall rule to allow H.323 VoIP traffic.
  • What does the "TCP Out of State" log message mean? (LP171691)

    The "TCP Out of State" log message indicates that the Check Point security appliance intercepted a non-SYN packet that has no entry in the firewall's TCP connections table. Being a Stateful Inspection firewall, the Check Point security appliance will not let a TCP session start without a SYN packet first, in order to prevent a DoS (Denial of Service) attack.

    The Check Point security appliance can be configured to log, block or ignore non-SYN packet activity, using the following command line syntax:

    • Logging only: set fw ai stricttcp log
    • Blocking and Logging: set fw ai stricttcp block
    • Ignoring: set fw ai stricttcp disable
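    The behaviour described above, as an added example that is not Check Point's code: a small stateful TCP table keyed on the connection 4-tuple, and a check that treats a non-SYN packet with no table entry as "TCP Out of State" under the three stricttcp modes. How the appliance represents its table internally is not on the page, and the "disable" mode is modelled as simply handing the packet on (assumption).

```python
"""Toy model of the stricttcp check: a stateful firewall keeps a TCP
connections table keyed on the 4-tuple; a non-SYN packet that matches
no entry is "out of state".  Modes mirror `set fw ai stricttcp
log|block|disable` (log only / drop and log / no special handling)."""
from dataclasses import dataclass, field

# TCP flag bits (standard header layout).
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class StatefulFirewall:
    mode: str = "block"                 # "log", "block" or "disable"
    table: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def _key(p):
        # Normalise so both directions of a flow map to the same entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def inspect(self, p):
        """Return 'accept' or 'drop'; out-of-state hits are appended to self.log."""
        key = self._key(p)
        if p.flags & SYN and not p.flags & ACK:
            # A pure SYN opens a new entry (the rule base would be consulted
            # here before the entry is created; omitted in this model).
            self.table.add(key)
            return "accept"
        if key in self.table:
            if p.flags & (FIN | RST):
                # Simplification: first FIN/RST tears the entry down.
                self.table.discard(key)
            return "accept"
        # Non-SYN packet with no table entry: the out-of-state case.
        if self.mode == "disable":
            return "accept"                 # check switched off: no log, no drop
        self.log.append(("TCP Out of State", p))
        return "drop" if self.mode == "block" else "accept"


def demo():
    """Run one stray ACK through each mode and a normal handshake through
    'block'; returns the verdicts for inspection (constructed addresses)."""
    stray = Packet("203.0.113.7", 40000, "192.168.10.5", 80, ACK)
    verdicts = {}
    for mode in ("log", "block", "disable"):
        fw = StatefulFirewall(mode)
        verdicts[mode] = (fw.inspect(stray), len(fw.log))
    fw = StatefulFirewall("block")
    syn = Packet("192.168.10.5", 50000, "93.184.216.34", 443, SYN)
    synack = Packet("93.184.216.34", 443, "192.168.10.5", 50000, SYN | ACK)
    ack = Packet("192.168.10.5", 50000, "93.184.216.34", 443, ACK)
    verdicts["handshake"] = [fw.inspect(x) for x in (syn, synack, ack)]
    verdicts["handshake_logged"] = len(fw.log)
    return verdicts


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```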
  • How to block Microsoft MSN Messenger traffic? (LP186791)

    The SmartDefense AI (Application Intelligence) engine can identify the Microsoft MSN Messenger application signature and block its traffic. To block MSN Messenger traffic, perform the following:

    1. Configure a rule that blocks traffic on ports TCP/UDP 1863.
    2. Configure SmartDefense to block the MSN Messenger application.

    To configure a rule that blocks traffic on port TCP/UDP 1863:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on 'Security > Rules'.
    3. Click on the "Add Rule" button to start the firewall rules wizard and follow the instructions displayed.
    4. Configure a rule with the following attributes:
      • Rule type: Block
      • Service: Custom service - protocol Any, Port 1863
      • Source: LAN, Destination: WAN (Internet)

    To configure SmartDefense to block MSN Messenger, perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on 'Security > SmartDefense'.
    3. Collapse the 'HTTP > Header Rejection' branch.
    4. Choose "Block" from the Action drop-down menu.
    5. Check the MSN Messenger options from the applications list (Msn Messenger(1), Msn Messenger(2), Msn Messenger(3), Msn Messenger(4)).
    6. Click "Apply".

    Notes:

    1. In case you do not see a list of applications, click the "Defaults" button on the relevant SmartDefense page.
    2. Only new MSN Messenger sessions will be blocked. As a result, you will need to make sure to restart all MSN Messenger sessions.
  • How to block Microsoft MSN Messenger Live (version 8.0) traffic? (LP210807)

    The SmartDefense AI (Application Intelligence) engine can identify the Microsoft MSN Messenger Live (version 8.0 build 8.0.0812.00) application signature and block its traffic. To block MSN Messenger traffic, perform the following:

    1. Configure a rule that blocks traffic on ports TCP/UDP 1863, and add the signature to the SmartDefense AI inspection engine using the command line.
    2. Configure SmartDefense to block the MSN Messenger Live application.

    To configure a rule that blocks traffic on port TCP/UDP 1863:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on 'Security > Rules'.
    3. Click on the "Add Rule" button to start the firewall rules wizard and follow the instructions displayed.
    4. Configure a rule with the following attributes:
      • Rule type: Block
      • Service: Custom service - protocol Any, Port 1863
      • Source: LAN, Destination: WAN (Internet)

    To add the MSN Messenger Live application signature, perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on 'Setup > Tools'.
    3. Click on the "Command" button.
    4. In the command line text box, type the following command:

      add smartdefense ai http worm-catcher patterns name MSN8 regexp /gateway/gateway\.dll active true

    5. Click the "Go" button for changes to take effect.

    To configure SmartDefense to block MSN Messenger, perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on 'Security > SmartDefense'.
    3. Collapse the 'HTTP > Worm Catcher' branch.
    4. Choose "Block" from the Action drop-down menu.
    5. Select the "MSN8" option from the applications list.
    6. Click "Apply".

    Notes:

    1. In case you do not see a list of applications, click the "Defaults" button on the relevant SmartDefense page.
    2. Only new MSN Messenger sessions will be blocked. As a result, you will need to make sure to restart all MSN Messenger sessions.

 

Logging

  • How can I save my appliance event log entries? (LP17685)

    In order to save the appliance event log entries perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on 'Reports > Event Log'.
    3. Click on Save.

    The logs will be saved as a Microsoft Excel file (XLS).

    Note: With this method you can only save up to the 100 current displayed event log entries. In case you want to save all event log entries, you can use the Syslog logging option.

  • Do Embedded NGX appliances support Syslog logging? (LP17689)

    Yes. Embedded NGX appliances (excluding ZoneAlarm Secure Wireless Router Z100G) support Syslog logging. Using Syslog logging you can save the ongoing events generated by your appliance even beyond the current 100 events.
  • What is the Syslog protocol? (LP17827)

    Check Point appliances implement the Syslog protocol as described in RFC 3164.

    The syslog protocol provides a transport that allows a machine to send event notification messages across IP networks to event message collectors, also known as syslog servers. In this case, the sending machine is the Check Point appliance. Note that the device sending the syslog message must be able to establish network connectivity with the syslog server, and both the syslog server and the sending device must understand the formatting of the syslog messages.

  • What is the default port used by the Check Point appliances to send Syslog messages? (LP17828)

    The Check Point appliances use UDP port 514 as the default port for sending Syslog messages.
  • What Syslog server utility is recommended to be used with Check Point appliances? (LP17829)

    Since Syslog is a standard protocol, any Syslog server utility can be used.

    For example:

    • Free 30-day trial, then it automatically switches to free mode:

      http://www.kiwisyslog.com
      http://www.kiwisyslog.com/kiwi-syslog-server-overview/

    • Free 30-day trial, then it automatically switches to free mode:

      http://www.winsyslog.com/en/
      http://www.winsyslog.com/en/download/
      http://www.winsyslog.com/en/manual/

    • Free:

      http://www.thestarsoftware.com/syslogdaemonlite.html
      http://www.thestarsoftware.com/setup/syslogdaemonlite_setup.exe

    • Free:

      http://www.xs4all.nl/~hneel/software.htm
      http://www.xs4all.nl/~hneel/software/syslog.zip
  • What is the meaning of negative rule numbers when logging events on SmartCenter, SMP or an External Syslog server? (LP157572)

    This article is relevant only if your Check Point Embedded NG gateway is installed with firmware 6.0 or above.

    Negative rule numbers are given to implied rules that are logged by either:

    • Check Point SmartCenter
    • SofaWare Management Portal (SMP)
    • External Syslog server

    Starting from version 6.0, a "log reason" is added along with the rule number, which makes it possible to generate reports based on rule numbers while still displaying a textual description. Below is the complete list of these numbers with the corresponding rules. Most of these messages are sent from version 6.0 onwards (where [5] appears, version 5.0 may also send these messages).

    • Rule -1: Stateless ICMP [5]. ICMP replies that don't match to any request, ICMP errors that don't match any of the active connections, etc.
    • Rule -4: Anti-Spoofing [5]. The connection was dropped due to the automatic anti-spoofing rules.
    • Rule -5: Connection matched by a custom rule (a.k.a. "user rule").
    • Rule -9: HotSpot. Connection dropped because the user is not yet authenticated on a hotspot enabled network.
    • Rule -10: Encryption mismatch [5]. Dropped clear text packet that should have been encrypted.
    • Rule -11: TCP out of state rule [5]. Logs or drops packets that try to open a connection without the full 3-way handshake.
    • Rule -12: Land Attack
    • Rule -13: Ping size exceeds maximum allowed size
    • Rule -14: ICMP with null payload
    • Rule -15: Welchia ICMP worm
    • Rule -16: Christmas packet (also in 5.0 versions). Packets that have too many flags lit in them, for instance SYN and FIN, SYN and RST, etc.
    • Rule -17: Cisco IOS DoS attack
    • Rule -18: Connection exceeds allowed network quota
    • Rule -19: FTP bounce
    • Rule -20: FTP port command overflow
    • Rule -21: FTP port command tried to open a known port
    • Rule -22: FTP illegal command
    • Rule -23: KaZaa traffic
    • Rule -24: Skype traffic
    • Rule -25: BitTorrent traffic
    • Rule -26: eMule traffic
    • Rule -27: Gnutella traffic
    • Rule -28: ICQ traffic
    • Rule -29: Yahoo traffic
    • Rule -30: Short IGMP packet
    • Rule -31: IGMP packet with bad TTL
    • Rule -32: IGMP packet not sent to a multicast address
    • Rule -33: Vertical Port Scan traffic
    • Rule -34: Horizontal Port Scan traffic
    • Rule -35: FTP data traffic
    • Rule -36: ICMP replay attack
    • Rule -37: TCP reset replay attack
    • Rule -38: Winny traffic
    • Rule -39: Packet should not have been encrypted
    • Rule -40: Msn Messenger traffic
    • Rule -41: SIP Firewall Bypass
    • Rule -42: Invalid SIP Message
    • Rule -43: Illegal Connection To GW
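    Added example, not from the article, that serves both the Syslog protocol question (LP17827) and the negative rule number list above: it parses RFC 3164 lines as an external Syslog server would receive them on UDP 514, maps the rule numbers to the log reasons listed, and counts them for a report. The <PRI>, timestamp and hostname layout is RFC 3164; the key=value message body and its field names (action=, rule=, ...) are constructed for the example, not the appliance's documented log format, and the reason table is a subset of the list above.

```python
"""Parse RFC 3164 syslog lines, tag implied (negative) rule numbers with
their textual log reason, and aggregate them per reason."""
import re
from collections import Counter

# Subset of the implied-rule reasons from the list above.
LOG_REASONS = {
    -1: "Stateless ICMP",
    -4: "Anti-Spoofing",
    -5: "Connection matched by a custom rule",
    -11: "TCP out of state rule",
    -16: "Christmas packet",
    -33: "Vertical Port Scan traffic",
    -34: "Horizontal Port Scan traffic",
    -41: "SIP Firewall Bypass",
}

# RFC 3164: "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG", PRI = facility * 8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Constructed message body convention: space separated key=value pairs.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog(line):
    """Return facility, severity, timestamp, host and the key=value fields
    of the message, or None if the line is not a valid RFC 3164 line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                          # facility 0-23, severity 0-7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "fields": dict(KV_RE.findall(m.group("msg"))),
    }


def log_reason(rec):
    """Map the rule field to a reason. Assumption: non-negative numbers are
    ordinary rule-base rules; negatives not in the table are still reported."""
    rule = rec["fields"].get("rule")
    if rule is None:
        return "no rule field"
    n = int(rule)
    if n >= 0:
        return f"user rule {n}"
    return LOG_REASONS.get(n, f"implied rule {n} (not in table)")


def reason_report(lines):
    """Count events per log reason, skipping lines that are not syslog."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None:
            counts[log_reason(rec)] += 1
    return counts


# Constructed sample lines (documentation address ranges, invented host name).
SAMPLE = [
    "<134>Mar 24 10:15:02 safe-office fw: action=drop rule=-11 proto=tcp src=203.0.113.7 dst=198.51.100.2 dport=443",
    "<134>Mar 24 10:15:03 safe-office fw: action=drop rule=-4 proto=udp src=192.168.10.99 dst=198.51.100.2 dport=53",
    "<134>Mar 24 10:15:05 safe-office fw: action=drop rule=-11 proto=tcp src=203.0.113.8 dst=198.51.100.2 dport=80",
    "<134>Mar 24 10:15:09 safe-office fw: action=accept rule=3 proto=tcp src=192.168.10.5 dst=93.184.216.34 dport=443",
    "<134>Mar 24 10:15:11 safe-office fw: action=drop rule=-99 proto=tcp src=203.0.113.9 dst=198.51.100.2 dport=22",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for reason, n in reason_report(SAMPLE).most_common():
        print(f"{n:4d}  {reason}")
```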

 

VPN

  • How do you configure Microsoft Windows 2000 IAS (Internet Authentication Service) with Active Directory as a RADIUS to authenticate local and remote VPN access users? (LP12478)

    Installing Active Directory on a Windows 2000 server

    Install IAS Service

    Configure IAS to support remote/local users authentication

    1. Go to Start menu > Programs > Administrative tools > Internet Authentication service.
    2. Expand the Internet Authentication Service and right-click on "Clients". Click "New Client".
    3. In the Add Client window, enter a name and choose the protocol as "RADIUS". Click "Next".
    4. Fill in the Client address with the appliance LAN IP address that the IAS server is connected to. Make sure to select "RADIUS Standard" as the Client-Vendor, and add the shared secret to match the one you entered on the appliance RADIUS page.
    5. Click "Finish" to return to the console root.
    6. Click on "Remote Access Policies" in the left pane and double-click the policy labeled "Allow access if dial-in permission is enabled".
    7. Click "Edit Profile" and go to the Authentication tab. Under Authentication Methods, make sure only "Unencrypted Authentication (PAP, SPAP)" is checked. The VPN client can use only this method for authentication.
    8. Click "Apply" and then "OK" twice.
    9. To modify the users to allow connection, go to Start menu > Programs > Administrative tools > Users and Computers.
    10. Double-click the user for whom you want to allow access.
    11. Click the Dial-in tab and select "Allow Access under Remote Access Permission" (Dial-in or VPN).
    12. Click "Apply" and "OK".

    Configure the appliance to support RADIUS authentication for remote VPN users

    1. Under 'VPN' tab > 'VPN Server', set the VPN server to "Enabled", and select the "Bypass NAT" and "Bypass Firewall" options.
    2. Under the Users tab, click the RADIUS tab.
    3. In the address field, enter the IP address of the IAS server.
    4. In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
    5. Select the "VPN Remote Access" check box to allow VPN clients authentication.
    6. Under the 'VPN' > 'Certificate' tab, install a PKCS#12 (.p12) certificate.

    Note: A certificate is needed to support Hybrid Mode authentication. Hybrid mode authentication is a method to authenticate with a VPN endpoint, using authentication schemes other than shared secret or digital certificates. Other methods can be using SecurID cards, RADIUS, LDAP etc.

  • After installing SecureRemote on Windows XP, the VPN dialer (usually used for ADSL connection) does not work and may generate errors 651 or 800, because it cannot reach the ADSL modem (LP12480)

    Remove or rename the file %SystemRoot%\system32\drivers\scap.sys and reboot.

    Note: The scap.sys file is created with SecureRemote installation. If the file is not found, re-install SecureRemote and repeat the step above.

  • When doing VPN between a Safe@Office and Check Point VPN-1 (any version) you may get an error message on the SmartView Tracker event log: "received a cleartext packet within an encrypted connection and the tunnel is dropped" (LP12481)

    To work around this, access SmartDashboard and check the "Accept VPN-1 & FireWall-1 Control connections" check box under Global Properties. This will enable certain implied rules needed to create a successful VPN tunnel and topology download. More information can be found in the Firewall-1 Administration guide.
  • How to manage latency (speed) issues, or TCP session disconnections over a VPN tunnel (LP12482)

    The Problem: Latency over a VPN tunnel is quite a common issue, and is caused by packet fragmentation. The problem occurs when a packet becomes fragmented and has to be reassembled by a VPN device. Also, with newer technologies being used, such as Load Balancing, the fragmented packets may reach the VPN client out of order. The VPN client then has to reassemble the out-of-order packets. If one fragment is not received, the VPN client cannot reassemble the complete packet.

    MTU (Maximum Transmission Unit)
    The largest number of bytes a frame can carry, not counting the frame's header and trailer. A frame is a single unit of transportation on the data link layer. It consists of header data plus data that was passed down from the network layer (also sometimes trailer data). An Ethernet frame has an MTU of 1500 bytes, but the size of the frame can be up to 1526 bytes (22 byte header, 4 byte CRC trailer).

    What MTU size should I set?

    To determine the right MTU setting, run a fragmented ping test from a command prompt on the client machine:
    ping <Public_IP_Address_of_Sbox> -f -l 1500

    Most likely, you will receive the message: "Packet needs to be fragmented but DF set."

    The DF refers to the "Don't Fragment" bit. Keep lowering the byte size from 1500, until you receive a reply without an error message. The point at which you receive a reply without an error is the point of fragmentation. The MTU size should be just below that point.

    How to modify MTU settings on the Check Point SecuRemote/SecureClient VPN software?
    SecuRemote/SecureClient software enables you to modify the MTU value for the virtual connection only. In order to change the MTU values, run the MTUadjust.exe tool from C:\Program Files\CheckPoint\SecuRemote\Bin.

    How to modify MTU settings on the Check Point appliance?
    To modify the MTU settings on the Check Point appliance, edit the MTU field of the Internet connection settings.
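    The fragmented ping test above, automated as an added example (not part of the article): instead of lowering the size by hand it bisects between 0 and 1500 bytes, assuming the result is monotonic (a size that gets a reply implies every smaller size does). Going beyond the text, it also converts the ping payload size into the path MTU it implies, since the Windows `ping -l N` value is ICMP payload only and the datagram adds a 20-byte IP header and an 8-byte ICMP header. The offline run uses a constructed 1492-byte path; the live probe's parsing of the ping output is an assumption about the English-language message.

```python
"""Find the largest ping payload that passes with DF set, by bisection,
and derive the path MTU from it."""
import subprocess
import sys

IP_ICMP_OVERHEAD = 20 + 8     # IP header + ICMP echo header around the payload


def largest_unfragmented_payload(probe, lo=0, hi=1500):
    """Largest size in [lo, hi] for which probe(size) is True, or None if
    even `lo` fails.  `probe` is any callable size -> bool."""
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    # Invariant: probe(lo) is True, probe(hi) is False.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu_from_payload(payload):
    """Path MTU implied by the largest payload that did not need fragmenting."""
    return payload + IP_ICMP_OVERHEAD


def simulated_link(path_mtu):
    """Offline stand-in for the network (constructed): a probe succeeds
    exactly when the whole IP datagram fits into the given path MTU."""
    def probe(size):
        return size + IP_ICMP_OVERHEAD <= path_mtu
    return probe


def windows_ping_probe(host):
    """Live probe using the command given in the article (Windows ping).
    Assumption: a fragmentation failure is recognised by the English
    "needs to be fragmented" text and a reply by its TTL= field."""
    def probe(size):
        out = subprocess.run(
            ["ping", "-n", "1", "-f", "-l", str(size), host],
            capture_output=True, text=True, timeout=10).stdout
        return "needs to be fragmented" not in out and "TTL=" in out
    return probe


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.platform == "win32":
        probe = windows_ping_probe(sys.argv[1])   # e.g. the public IP of the appliance
    else:
        probe = simulated_link(1492)              # constructed PPPoE-sized path
    best = largest_unfragmented_payload(probe)
    if best is None:
        print("no size succeeded; check connectivity before tuning MTU")
    else:
        print(f"largest payload {best} bytes, implied path MTU "
              f"{path_mtu_from_payload(best)}; set the VPN MTU below that")
```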

  • My appliance is behind a NAT device. Can I establish site to site VPN tunnels? (LP15657)

    Yes. Embedded NG 4.5 and later support the Internet Engineering Task Force (IETF) draft standard for NAT traversal (NAT-T), which allows Site-to-Site VPN tunnels to pass through NAT devices. NAT Traversal is also fully supported for VPN remote access (SecuRemote) users, by means of UDP Encapsulation.
  • What encryption methods are supported by my appliance? (LP15658)

    All our appliances support AES (Advanced Encryption Standard - 128 or 256 bits), 3DES (Triple Data Encryption Standard), and DES encryption, as well as SHA1 and MD5 message digest algorithms.

    AES-256/SHA1 is used automatically and cannot be manually modified in the following cases:

    • Remote access VPN between a Check Point SecuRemote/SecureClient and a Safe@Office box
    • Remote access VPN between Safe@Office boxes
    • Site to Site VPN between Safe@Office boxes with firmware version earlier than 5.0.

    Encryption and message digest algorithms are negotiated automatically in VPN between a Safe@Office and another VPN endpoint.

  • Can I establish a site to site VPN with VPN equipment from other vendors? (LP15659)

    Yes. All Check Point VPN appliances can communicate with any VPN gateway that is fully compliant with the IPSEC standard.
  • Where can I download the Check Point SecuRemote/SecureClient/Endpoint Connect VPN client? (LP16329)

    VPN clients are available for download here.
  • How can I configure the Safe@Office box to support Perfect Forward Secrecy (PFS)? (LP16973)

    PFS is not supported by default, and it needs to be configured using the command line interface. To access the command line interface, perform the following:

    • Connect with your browser to http://my.firewall (from LAN)
    • Click on Setup > Tools
    • Click on Command

    To enable PFS, type: set vpn sites <site_number> usepfs <true | false>

  • Can I establish a remote access VPN using a VPN client from other vendors? (LP16983)

    No. Only the listed clients are supported for VPN Remote Access.
  • What is the effect of the 'Bypass Firewall' and 'Bypass NAT' settings on VPN communications? (LP16985)

    When "Bypass the firewall" is selected in the VPN Server page, all firewall rules are ignored for VPN traffic.

    When "Bypass NAT" is selected, all incoming and outgoing VPN traffic uses the private IP addresses.
  • Does the Check Point SecuRemote/SecureClient VPN software support UDP encapsulation? (LP17861)

    Yes. UDP encapsulation is used by the Check Point VPN client to traverse ESP (Encapsulated Security Payload) over NAT (Network Address Translation).

    To configure this option in SecuRemote/SecureClient version R55:

    1. Click on the envelope icon with the golden key in the task bar.
    2. The SecuRemote window will open.
    3. In the Tools menu, select Advanced IKE Settings...
    4. Check the "Force UDP Encapsulation" checkbox.
    5. Click "OK" to return to the main SecuRemote window.
    6. In the File menu, select "Stop VPN-1 SecuRemote".
    7. Start the VPN client again.

    To configure this option in the SecuRemote/SecureClient version R56:

    1. Click on the envelope icon with the golden key in the task bar.
    2. The SecuRemote window will open. Click the Options button.
    3. Select Settings from the Option menu.
    4. Select the desired VPN profile in the Settings window.
    5. Click the Properties button.
    6. Select the Advanced tab.
    7. Check the Connectivity enhancements box.
    8. Check the Force UDP Encapsulation checkbox.
    9. Click OK.
    10. Stop and Start the VPN client again from the task bar.
  • Troubleshooting a Remote Access VPN connection using Check Point SecuRemote/SecureClient/Endpoint Connect VPN Software (LP17863)

    This procedure assumes the reader is familiar with the basic concepts and scenario of Remote Access VPN installation, as described in the Safe@Office/Embedded NGX UTM appliance Remote Access VPN Technology Guide.

    1. Make sure that a valid VPN Certificate is installed. The certificate can be found under the VPN option in the left menu > Certificate in the top menu.
    2. In case SecuRemote/SecureClient is installed under Windows XP with SP2 or above, or if you use a 3rd party firewall software on your PC:
      • Turn off the internal Windows firewall, or make sure that the following ports are allowed:
        UDP 500 (IKE)
        TCP 264 (Topology download)
        UDP 2746 (UDP encapsulation)
        UDP 259 (Check Point RDP)
        UDP 4500 (NAT-T)
        IP Protocol 50 (AKA ESP or IPSEC Passthru)
        For Endpoint connect, TCP 443 (HTTPS) is also required
    3. In case the VPN client is installed on a computer behind a NAT device:
      • It is recommended to use the "Force UDP Encapsulation" setting in the VPN client. For instructions, refer to Question LP17861 in this article.
      • Make sure that the VPN client network IP address range and the VPN gateway's network IP range are not overlapping.
    4. Modify MTU settings on the VPN client. SecuRemote/SecureClient software enables you to modify the MTU value for the virtual connection only. In order to change the MTU values, run the MTUadjust.exe tool from C:\Program Files\CheckPoint\SecuRemote\Bin.
    5. Check the VPN gateway settings:
    6. In case the VPN server is installed behind a NAT device:
      Note: If possible, consult with your ISP about ways to assign the security appliance a valid IP. Otherwise, perform the following:
      • Make sure to open the following ports and traffic in the NAT device:
        UDP 500 (IKE)
        TCP 264 (Topology download)
        UDP 2746 (UDP encapsulation)
        UDP 259 (Check Point RDP)
        UDP 4500 (NAT-T)
        IP Protocol 50 (AKA ESP or IPSEC Passthru)
        For Endpoint connect, TCP 443 (HTTPS) is also required
      • Use the command line interface and type the following command:
        set device behindnat <IP_Address>
        (where <IP_Address> is the public IP address of the NAT device). To access the command line interface, connect from LAN with your browser to http://my.firewall and click on 'Setup > Tools > Command'.

      Note: This command is supported on firmware 5.0.57 and later versions.
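
    The checklist above is easiest to apply mechanically. The following is an added example (not Check Point's code) that compares a firewall allow-list with the flows LP17863 lists for a Remote Access VPN, so a blocked port shows up before a connection attempt rather than after. The allow-list syntax (`allow <proto> <n>` or `allow <proto> <lo>-<hi>`) and the sample list are constructed for this example; only the port numbers come from the article.

```python
"""Added example, not Check Point's code: diff a firewall allow-list against
the Remote Access VPN flows listed in LP17863. The allow-list syntax and the
sample list are constructed; the protocol/port numbers are from the article."""
from typing import Dict, List, Tuple

# Flows from LP17863, keyed by (protocol, number). For "ip" the number is an
# IP protocol number (50 = ESP), not a TCP/UDP port.
REQUIRED_SECUREMOTE: Dict[Tuple[str, int], str] = {
    ("udp", 500): "IKE",
    ("tcp", 264): "Topology download",
    ("udp", 2746): "UDP encapsulation",
    ("udp", 259): "Check Point RDP",
    ("udp", 4500): "NAT-T",
    ("ip", 50): "ESP, IP protocol 50",
}
# Endpoint Connect additionally needs HTTPS.
REQUIRED_ENDPOINT_CONNECT = {**REQUIRED_SECUREMOTE, ("tcp", 443): "HTTPS"}

Rule = Tuple[str, int, int]  # (protocol, low, high), inclusive range


def parse_allow_list(text: str) -> List[Rule]:
    """Parse constructed lines 'allow <proto> <n>' or 'allow <proto> <lo>-<hi>'.
    '#' starts a comment. Only allow lines are kept; rule ordering and deny
    semantics of a real firewall are deliberately not modelled here."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, spec = line.split()
        if action.lower() != "allow":
            continue
        lo, _, hi = spec.partition("-")
        low = int(lo)
        high = int(hi) if hi else low
        rules.append((proto.lower(), low, high))
    return rules


def is_allowed(rules: List[Rule], proto: str, number: int) -> bool:
    """True if some allow rule for this protocol covers the number."""
    return any(p == proto and lo <= number <= hi for p, lo, hi in rules)


def missing_flows(rules: List[Rule], client: str = "securemote") -> List[str]:
    """Describe each required flow that the rules do not allow, in the
    order the article lists them."""
    required = {
        "securemote": REQUIRED_SECUREMOTE,
        "endpoint_connect": REQUIRED_ENDPOINT_CONNECT,
    }[client]
    return [
        f"{proto.upper()} {num} ({desc})"
        for (proto, num), desc in required.items()
        if not is_allowed(rules, proto, num)
    ]


# Constructed sample: a host firewall that was only partly opened for the VPN.
SAMPLE_ALLOW_LIST = """
allow udp 500          # IKE
allow tcp 264          # topology download
allow udp 259          # Check Point RDP
allow udp 2000-3000    # a range that happens to cover 2746
allow tcp 80
deny  udp 4500         # NAT-T still blocked
"""

if __name__ == "__main__":
    parsed = parse_allow_list(SAMPLE_ALLOW_LIST)
    for name in ("securemote", "endpoint_connect"):
        print(name, "missing:", missing_flows(parsed, name) or "nothing")
```

    Running it against the constructed list reports NAT-T (UDP 4500) and ESP (IP protocol 50) as missing for SecuRemote/SecureClient, and TCP 443 in addition for Endpoint Connect; a range rule such as `udp 2000-3000` is correctly recognised as covering UDP 2746.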

  • How can I view the VPN topology of my appliance? (LP17888)

    To view the VPN topology after topology download took place, go to 'Reports - Tunnels - View Topology'.
  • Error message: "Invalid Certificate" when installing a PKCS#12 certificate that was created with OpenSSL (LP28965)

    An "Invalid Certificate" error message appears when installing a PKCS#12 (.p12) certificate that was created using OpenSSL. This may happen if the DN (Distinguished Name) information entered for the CA (Certificate Authority) and the self-signed certificate are similar.

    To work around this, repeat the instructions in the Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances document, but this time make sure to use different DN information when creating the CA and the self-signed certificate.
  • How to modify the default IKE SA (Internet Key Exchange Security Association) proposals? (LP29221)

    The following applies to Check Point security appliances running firmware version 5.0.x or later.

    The default IKE behavior of the Check Point security appliance is to auto-negotiate the SA parameters between VPN end points. In most cases, there is no need to modify the default proposal parameters. However, you may want to override the default parameters in the following cases:

    • Your organization's network security policy is restricted to a definite configuration.
    • Some IPSec-compliant devices cannot auto-negotiate some or all of the IKE SA proposals.

    Use the Check Point security appliance CLI (Command Line Interface) to modify the IKE SA parameters:

    To modify IKE phase-1 encryption parameters, use the following command syntax:
    set vpn sites [site number] phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

    To modify IKE phase-2 encryption parameters, use the following command syntax:
    set vpn sites [site number] phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

    To modify IKE phase-1 SA lifetime, use the following command syntax:
    set vpn sites [site number] phase1exptime [minutes]

    To modify IKE phase-2 SA lifetime, use the following command syntax:
    set vpn sites [site number] phase2exptime [seconds]

  • When using Check Point SecuRemote/SecureClient to create a remote access VPN with a Check Point appliance, only authentication phase works, but the remote network cannot be reached. This may happen if the Check Point appliance is configured for DSL PPTP connection with an Alcatel modem using 10.0.0.0 /8 IP network range (LP29268)

    It is assumed that the reader has implemented the Remote Access VPN configuration, as described in the Safe@Office/Embedded NGX UTM appliance Remote Access VPN Technology document.

    When using Check Point SecuRemote/SecureClient to create a remote access VPN with a Check Point appliance, only authentication phase works, but the remote network cannot be reached. This may happen if the Check Point appliance is configured for DSL PPTP connection with an Alcatel modem using 10.0.0.0 /8 IP network range. It appears that the Orange 3G data network is using NAT with the same IP range, which causes some routing problems.

    To work around this, narrow the network between the Check Point appliance and the Alcatel modem by doing the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on Network menu.
    3. Click on "Edit" near the active Internet connection entry.
    4. Choose "PPTP" as the connection type.
    5. Uncheck the "Obtain IP address automatically (using DHCP)" checkbox.
    6. In the IP address box, type "10.0.0.137".
    7. From the Subnet Mask dropdown box, choose "255.255.255.252 /30".
    8. Click "Apply".
    9. Try the remote access VPN connection again after the appliance has regained a connection to the Internet.

    Note: The above assumes that the Alcatel modem is configured with its default IP address 10.0.0.138.

  • I have established a VPN connection successfully. Why can't I see the remote computers? (LP29269)

    It is assumed that the reader has configured either the Remote Access VPN or Site-to-Site VPN as suggested in the relevant step-by-step configuration papers, in this knowledge base.

    The reason for not being able to view or browse remote computers is not related to the VPN you just created, but to the way the NetBIOS application works. Microsoft adapted NetBIOS as the way to implement the File and Print sharing services between Windows Workgroups based computers. Originally, NetBIOS was designed for computers to communicate with each other on the same local area network.

    NetBIOS is a TCP/IP based protocol. Normally, computers in a TCP/IP based network communicate with each other by calling each other's IP addresses and not by their computer names. In order to identify computers by a name, a name translation service is required. NetBIOS is no different in that manner. Windows based computers within the same local area network use broadcast techniques to publish their names and update their own translation table. In other words, each computer holds a table with a computer name and its matching IP address. However, broadcast messages cannot traverse different subnets, as broadcast does not support routing schemes. This prevents computers on different networks from communicating by their host names.

    In order to enable computers on different subnets to communicate by names, a naming translation service is required. Such a service is a WINS (Windows Internet Naming Service) server, which is a system designed to match between Windows client names and IP addresses.

    When creating a Check Point IPSec VPN connection, you perform data encryption between endpoints, and privacy is achieved because only the intended parties can actually 'read' and understand the data. Technically and practically, the networks on both ends of the VPN tunnel are not merged into one network by the tunnel, and therefore they remain on different subnets. Computers on both sides of a VPN tunnel will also need to be aware of a name translation service to use the Microsoft File and Print sharing services. If no naming service is available, the remote computers' shared folders and printers can always be accessed using IP addresses, for example: \\192.168.10.3\C$.

    Additional settings on a Windows client

    Check that the remote computers are configured to support NetBIOS over TCP/IP.

    To enable NetBIOS over TCP/IP in Windows 2000 and Windows XP:

    1. Open 'Control Panel' > 'Network Connections'.
    2. Open your network connection properties.
    3. Open the TCP/IP properties.
    4. Click on the "Advanced" button.
    5. Click on the WINS tab.
    6. Check the "Enable NetBIOS over TCP/IP" checkbox.
  • I have disconnected the VPN client but it is still displayed as connected on the 'Reports > VPN Tunnels' page (LP55653)

    The Check Point security appliance displays the IKE phase-1 VPN tunnel information on the 'Reports > VPN Tunnels' page. By default, the phase-1 lifetime used by Check Point VPN software is 24 hours, and therefore the display will refresh after that interval, even if the VPN clients are actually disconnected. This does not mean that there is traffic over the tunnel.

    IKE phase-1 is responsible for creating the VPN tunnel and involves heavy mathematical calculations that consume CPU. In order to reduce the load on the CPU, IKE phase-1 is renewed only every 24 hours.
  • How to configure Microsoft Windows 2003 IAS (Internet Authentication Service) with Active Directory as a RADIUS server to authenticate local and remote VPN access users (LP55964)
    Installing Active Directory on a Windows 2000 server.
    The following links are good resources for information about Active Directory installation and deployment:

    Install IAS Service
    Refer to this web page from Microsoft for instructions about IAS service installation.

    Configure IAS to support remote/local users authentication

    1. Go to Start menu > Programs > Administrative tools > Internet Authentication service.
    2. Right-click on the Radius Clients folder, and select New RADIUS Client.
    3. In the New RADIUS Client window, fill in a "friendly" name and the IP address of your security appliance. Click Next.
    4. From the Client-Vendor drop-down menu, choose RADIUS Standard. Fill in the shared secret in the Shared Secret text field to match the one you entered on the security appliance's RADIUS page, and confirm the shared secret in the Confirm Shared Secret field.
    5. Click Finish to return to the Internet Authentication Service window.
    6. Right-click on Remote Access Policies in the left pane and choose New Remote Access Policy from the menu.
    7. Click Next in the New Remote Access Policy Wizard window.
    8. In the Policy Configuration Method window, choose Set up a custom policy. In the Policy Name field, type a name for the policy (For example, VPN Access). Click Next.
    9. In the Policy Conditions window, click Add; the Select Attribute window opens. Choose NAS-IP-Address from the attribute types list and click Add. In the NAS-IP-Address window, type the IP address of your security appliance and click OK to go back to the previous Window. Click Next.
    10. In the Permissions window, choose Grant remote access permission and click Next.
    11. In the Profile window, click Edit Profile. The Edit Dial-in Profile window opens.
    12. In the Edit Dial-in Profile window, click on the Authentication tab and make sure that only the Unencrypted authentication (PAP, SPAP) option is checked.
    13. In the Edit Dial-in Profile window, click on the Encryption tab and make sure that only the No encryption option is checked. Click OK to return to the previous window. Click Next.
    14. In the Completing the New Remote Access Policy Wizard window, click Finish.
    15. In the Internet Authentication Service window, expand the Connection Request Processing menu. Right-click the Connection Request Policies item and choose New Connection Request Policy.
    16. The New Connection Request Policy Wizard appears. Click Next.
    17. In the Policy Configuration Method window, choose Set up a custom policy. In the Policy Name field, type a name for the policy (For example, VPN Access). Click Next.
    18. In the Policy Conditions window, click Add; the Select Attribute window opens. Choose NAS-IP-Address from the attribute types list and click Add. In the NAS-IP-Address window, type the IP address of your security appliance and click OK to go back to the previous Window. Click Next.
    19. The Request Processing Method window appears. Click Next.
    20. In the Completing the New Connection Request Processing Policy Wizard window, click Finish.
    21. To modify the Active Directory users to allow connection, go to Control Panel > Administrative tools > Active Directory Users and Computers.
    22. Double-click the user you want to authenticate using RADIUS.
    23. Click the Dial-in tab, select Allow Access.
    24. Click Apply and OK.

    Configure the appliance to support RADIUS authentication

    1. In the Users menu, click the RADIUS tab.
    2. In the Address field, enter the IP address of the Microsoft IAS server.
    3. In the Port field, choose the RADIUS port (default value is 1812).
    4. In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
    5. Choose the administration level or VPN access.

    Note: A PKCS#12 certificate needs to be installed on the security appliance to support Hybrid Mode authentication for remote access VPN users. Hybrid Mode authentication is a method to authenticate with a VPN endpoint using authentication schemes other than a shared secret or digital certificates; other methods include SecurID cards, RADIUS and LDAP. See Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances.

  • Support 802.1x wireless authentication with Microsoft 2003 and Active Directory RADIUS (LP57407)

    Note: It is recommended that you read the following article from Microsoft: "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows".

    The following components are needed to support 802.1x wireless authentication with Microsoft 2003 and Active Directory RADIUS:

    • Microsoft Windows 2003 Server running IAS
    • IIS with ASP support
    • Certificate Services to create an Enterprise Root CA (Certificate Authority)
    • Active Directory
    • Wireless clients running Windows 2000/XP

    Install IAS Service
    Refer to the "Install IAS instructions" from Microsoft.

    Install IIS with ASP support
    Refer to the "Install IIS 6.0 instructions" from Microsoft.

    Install Certificate Services and an Enterprise Root CA
    Refer to the "Step-by-Step Guide to Setting up a Certification Authority" from Microsoft. In addition, refer to the "Step-by-Step Guide to Certificate Services Web Pages" from Microsoft to learn about how to enroll certificates to the wireless clients computers.

    Installing Active Directory on a Windows 2000 server
    The following links are good resources for information about Active Directory installation and deployment:

    Configure IAS to support wireless users authentication

    1. Go to Start menu > Programs > Administrative tools > Internet Authentication service.
    2. Right-click on the Radius Clients folder, and choose "New RADIUS Client".
    3. In the New RADIUS Client window, fill in a "friendly" name and the IP address of your Embedded NG security appliance. Click "Next".
    4. From the Client-Vendor drop-down menu, choose "RADIUS Standard". Fill in the shared secret in the Shared Secret text field to match the one you entered on the security appliance's RADIUS page, and confirm the shared secret in the Confirm Shared Secret field.
    5. Click "Finish" to return to the Internet Authentication Service window.
    6. Right-click on Remote Access Policies in the left pane and choose "New Remote Access Policy" from the menu.
    7. Click "Next" in the New Remote Access Policy Wizard window.
    8. In the Policy Configuration Method window, choose "Set up a custom policy". In the Policy Name field, type a name for the policy (For example, VPN Access). Click "Next".
    9. In the Policy Conditions window, click "Add"; the Select Attribute window opens. Choose "NAS-Port-Type" from the attribute types list and click "Add". In the NAS-Port-Type window, choose "Wireless - IEEE 802.11" from the left pane and click "Add"; the selection should now appear in the right pane. Click "OK" to go back to the previous Window. Click "Next".
    10. In the Permissions window, choose "Grant remote access permission" and click "Next".
    11. In the Profile window, click "Edit Profile". The Edit Dial-in Profile window opens.
    12. In the Edit Dial-in Profile window, click on the Authentication tab. Select the "Microsoft Encrypted Authentication version 2 (MS-CHAP v2)" option. Click on the "EAP Methods" button. In the Select EAP Types window, click "Add" and select "Protected EAP (PEAP)". Click "OK" to return to previous window. Click "Next".
    13. In the Completing the New Remote Access Policy Wizard window, click "Finish".
    14. In the Internet Authentication Service window, expand the Connection Request Processing menu. Right-click the "Connection Request Policies" item and choose "New Connection Request Policy".
    15. The New Connection Request Policy Wizard appears. Click "Next".
    16. In the Policy Configuration method window, choose "A custom policy". In the Policy Name field, type a name for the policy (For example, VPN Access). Click "Next".
    17. Choose "NAS-Port-Type" from the attribute types list and click "Add". In the NAS-Port-Type window, choose "Wireless - IEEE 802.11" from the left pane and click "Add"; the selection should now appear in the right pane. Click "OK" to go back to the previous Window. Click "Next". The Completing the New Connection Request Processing Policy Wizard window appears.
    18. In the Completing the New Connection Request Processing Policy Wizard window, click "Finish".
    19. To modify the Active Directory users to allow connection, go to 'Control Panel > Administrative tools > Active Directory Users and Computers'.
    20. Double-click the user you want to authenticate using RADIUS.
    21. Click the Dial-in tab, select "Allow Access".
    22. Click "Apply" and "OK".

    Configure the Embedded NG security appliance to support 802.1x wireless authentication

    1. Login to the Embedded NG Security appliance admin page.
    2. Click on the Network menu.
    3. Click on the My Network tab.
    4. Click on the "Edit" button of the WLAN network.
    5. From the Security drop-down box choose "802.1x: RADIUS authentication, no encryption".
    6. Click "Apply".

    Configure the Embedded NG Wireless Security appliance to support RADIUS authentication

    1. In the Users menu, click the RADIUS tab.
    2. In the Address field, enter the IP address of the Microsoft IAS server.
    3. In the Port field, choose the RADIUS port (default value is 1812).
    4. In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
    5. Choose an additional administrator or VPN access level.
    6. Click "Apply".

    Configure the wireless client to support 802.1x authentication

    Depending on the wireless client configuration software, some or all of the following need to be configured:

    • 802.1x support
    • Server properties or certificate authority (CA) information
    • Username and password
    • Domain or server information
  • Remote Access VPN between two Check Point Embedded NG security appliances fails with errors (LP135165)

    The following solution is relevant to a Remote Access configuration between two Check Point Embedded NG security appliances, when one serves as the VPN client and the second serves as the VPN server. Typically, the failure will take place when the client box is installed with firmware version 5.0.x or subsequent firmware. The client box will be able to authenticate with the server; however, communication with the remote network behind the VPN server box fails with an event log error message: "Error: No loaded CA name, as well as no CA name in topology"
    Solution:
    The VPN client module installed with firmware 5.0 performs Hybrid Mode IKE (Internet Key Exchange). In order for the Embedded NG VPN server to support this mode, a PKCS#12 certificate needs to be installed on the VPN server box. To create a certificate for an Embedded NG appliance installed with a firmware version earlier than 5.0.x, refer to Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances.
  • Traffic is blocked when using the Check Point VPN client to the Embedded NG internal VPN server (LP143241)

    The Embedded NG gateway lets you secure communications on your internal networks by connecting to its internal VPN server, using the Check Point SecuRemote/SecureClient VPN client. In other words, the VPN client must work in 'Route All Traffic' mode to encrypt all traffic sent by the client's host to the internal Embedded NG interface.

    'Route All Traffic' mode is supported by the Check Point VPN client only when it is installed in an "Extended View" installation, instead of "Compact View". In case the VPN client is installed in "Compact View", traffic will be blocked by the firewall.

    To switch the Check Point VPN client (versions R56 or R60) from "Compact View" to "Extended View":

    1. Right-click the SecuRemote/SecureClient icon in the system tray.
    2. Choose "Settings" from the menu.
    3. Click the Advanced tab.
    4. Select the "Extended View" button and click "OK".
    5. The VPN client software will restart itself in Extended View mode.
    6. Delete the existing VPN site and create a new one.
    7. Once connected to the Embedded NG internal interface using the new settings, a new site will appear in the VPN client console under the name of 'RouteAllTraffic'.
  • Cannot establish a VPN tunnel between a Check Point Embedded NG gateway and Cisco PIX (LP155172)

    A VPN connection may not be established between a Check Point Embedded NG gateway and a Cisco PIX. In some cases, the tunnel is created, but different errors may appear in the Embedded NG event log indicating VPN connection failure. The issue can be caused by:

    • Wrong setup of the Embedded NG and Cisco PIX VPN gateways
    • The Embedded NG VPN gateway is configured to send "Keepalive" packets that the Cisco PIX gateway cannot handle.

    Solution

    1. Check the Cisco PIX configuration, as described in the "How to create a site-to-site between a Cisco PIX and a Check Point Embedded NG VPN gateway" article.
    2. When running the Check Point Embedded NG site to site VPN wizard, make sure to uncheck the "Keepalive" option.
  • How to implement the preshared key authentication method for use with an L2TP/IPSec connection (LP211394)

    This is the solution as offered in the Microsoft knowledge base: http://support.microsoft.com/kb/240262

    Note:

    • Steps 12 and 13 contain the configuration that is specific to the Embedded NGX gateway.
    • This article contains information about modifying the registry. Before you modify the registry, make sure you know how to back it up, and how to restore the registry if a problem occurs.

    To implement the preshared key authentication method for use with an L2TP/IPSec connection:

    1. Add the ProhibitIpSec registry value to both Windows 2000-based endpoint computers.
    2. Manually configure an IPSec policy, before an L2TP/IPSec connection can be established between two Windows 2000-based computers.

    To add the ProhibitIpSec registry value to your Windows 2000-based computer, follow these steps:

    1. Click "Start", click "Run", type "regedt32", and then click "OK".
    2. Locate, and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
    3. In the Edit menu, click "Add Value".
    4. In the Value Name box, type "ProhibitIpSec".
    5. In the Data Type list, click "REG_DWORD", and then click "OK".
    6. In the Data box, type "1", and then click "OK".
    7. Quit Registry Editor, and then restart your computer.

    How to create an IPSec policy for use with L2TP/IPSec Connections, by using a preshared key:

    1. Click "Start", click "Run", type "mmc", and then click "OK".
    2. Click "Console", click "Add/Remove Snap-in", click "Add", click "IP Security Policy Management", click "Add", click "Finish", click "Close", and then click "OK".
    3. Right-click "IP Security Policies on Local Machine", click "Create IP Security Policy", and then click "Next".
    4. In the IP Security Policy Name dialog box, type the name for the IP Security policy in the Name box, and then click "Next".
    5. In the Requests for Secure Communication dialog box, click to clear the "Activate the default response rule" checkbox, and then click "Next".
    6. Click to select the Edit Properties checkbox, and then click "Finish".
    7. In the New IP Security Policy Properties dialog box, click "Add" on the Rules tab, and then click "Next".
    8. In the Tunnel Endpoint dialog box, click "This rule does not specify a tunnel", and then click "Next".
    9. In the Network Type dialog box, click "All network connections", and then click "Next".
    10. In the Authentication Method dialog box, click "Use this string to protect the key exchange (preshared key)", type a preshared key, and then click "Next".
    11. In the IP Filter List dialog box, click "Add", type a name for the IP filter list in the Name box, click "Add", and then click "Next".
    12. In the IP Traffic Source dialog box, click "A specific IP Address" in the Source address box, type the Embedded NGX appliance's IP address in the IP Address box, and then click "Next".
    13. In the IP Traffic Destination dialog box, click "A specific IP Address" in the Destination address box, type "ANY", and then click "Next".
    14. In the IP Protocol Type dialog box, click "UDP" in the "Select a protocol type" box, and then click "Next".
    15. In the IP Protocol Port dialog box, click "From this port", type "1701" in the "From this port" box, click "To any port", and then click "Next".
    16. Click to select the Edit properties checkbox, click "Finish", and then click to select the "Mirrored. Also match packets with the exact opposite source and destination addresses" checkbox in the Filter Properties dialog box.
    17. Click "OK", and then click "Close".
    18. In the IP Filter List dialog box, click the IP filter that you just created, and then click "Next".
    19. In the Filter Action dialog box, click "Add", and then create a new filter action that specifies which integrity and encryption algorithms will be used. Note: This new filter action must have the "Accept unsecured communication, but always respond using IPSec" feature disabled to improve security.
    20. Click "Next", click "Finish", and then click "Close".
    21. Right-click the IPSec policy that you just created, and then click "Assign".
  • What are the requirements for using Endpoint Connect with the Embedded NGX Appliances? (LP387173)

    The requirements for using Endpoint Connect with the Embedded NGX Appliances are:

    • Firmware 8.1.37 or higher is required for Endpoint Connect support.
    • Port 443 must not be forwarded from "This gateway" to an internal host. If you already forward port 443, configure Endpoint Connect to use port 981 instead: when creating the site, add the port after the IP address, for example 62.233.20.70:981. With the Embedded NGX Appliances, Endpoint Connect can use either port 443 or port 981. If you use port 981, you must also open HTTPS management access from "any" under Setup - Management.
    • Endpoint Connect is not supported on the Z100G Wireless Router.
  • How can I use Endpoint Connect and still forward port https/443 to an internal host? (LP387175)

    You can configure Endpoint Connect to use a different port when creating the site, simply by adding the port after the IP address, for example 62.233.20.70:981.
    With the Embedded NGX Appliances, Endpoint Connect can use either port 443 or port 981. If you use port 981, you must also open HTTPS management access from "any" under Setup - Management.
  • What are the supported VPN clients for the Embedded NGX Appliances? (LP387176)

    The following clients are supported:

    • Check Point Endpoint Connect R73 (supported on Windows systems, 32-bit and 64-bit)
    • Check Point SecuRemote/SecureClient (supported on 32-bit Windows and Mac OS X)
    • L2TP Dialer.
  • Endpoint Connect Port Selection (LP398496)

    Endpoint Connect (EPC) clients cannot connect to Safe@Office/UTM-1 Edge appliances after firmware upgrade to v8.2 post GA (8.2.33).

    SYMPTOMS:

    In previous GA versions (such as v8.1.47 or v8.2.26), the EPC clients were able to connect to Safe@Office/UTM-1 Edge appliances on ports 981 or 443, depending on configuration.

    After upgrading to v8.2 post GA, EPC clients might not be able to connect on the same port.

    CAUSE:

    With the upgrade to a newer firmware version, the EPC port is set to one default port (443 or 981).

    If the following apply, the port will automatically be set to default port 981:

    • Web server under 'Security > Servers' tab is enabled.
    • A rule with Web Service that is called "Web Server" exists.
    • A rule that contains port 443 exists.

    If none of the above apply to your settings, the default port will automatically be set to 443.

    SOLUTION:

    After the upgrade to the newer firmware version, the EPC port number can be changed to another port number.

    If you are experiencing the above behavior, perform the following:

    • Make sure that the EPC port in the Safe@Office/UTM-1 Edge appliances matches the EPC port used in the EPC client.
    • Make sure that there are no security rules or NAT rules configured on Safe@Office/UTM-1 Edge appliances, or on SMP, that match the EPC port, defined in the appliance.
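
    The default-port rule and the two checks above can be expressed as a small pre-flight test. The following is an added example (not Check Point's code) that models the Endpoint Connect port behaviour described here (LP398496) together with the port 443/981 requirements from LP387173 and LP387175. The `Rule` and `ApplianceConfig` structures and the sample configurations are constructed for this example; the port numbers, the minimum firmware version and the three conditions that select port 981 are taken from the article.

```python
"""Added example, not Check Point's code: pre-check an appliance configuration
against the Endpoint Connect (EPC) port rules in LP387173/LP387175/LP398496.
The data structures and sample configurations are constructed; the ports,
conditions and firmware version are from the article."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_EPC_FIRMWARE: Tuple[int, ...] = (8, 1, 37)  # LP387173


@dataclass
class Rule:
    """Constructed stand-in for a security or NAT rule on the appliance."""
    name: str
    service: Optional[str] = None      # named web service, e.g. "Web Server"
    ports: Tuple[int, ...] = ()        # TCP ports the rule matches
    forward_to: Optional[str] = None   # internal host, for a port-forward rule


@dataclass
class ApplianceConfig:
    firmware: str
    web_server_enabled: bool = False              # web server under 'Security > Servers'
    rules: List[Rule] = field(default_factory=list)
    https_mgmt_from_any: bool = False             # HTTPS management from "any" (Setup - Management)
    epc_port: Optional[int] = None                # None: let the firmware pick the default


def parse_version(version: str) -> Tuple[int, ...]:
    """'8.1.37' -> (8, 1, 37) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def rule_matches_port(rule: Rule, port: int) -> bool:
    """A rule matches 443 either explicitly or through the 'Web Server' service."""
    return port in rule.ports or (port == 443 and rule.service == "Web Server")


def default_epc_port(cfg: ApplianceConfig) -> int:
    """Default chosen by the v8.2 post-GA firmware (LP398496): 981 when the web
    server is enabled, a 'Web Server' service rule exists, or any rule contains
    port 443; otherwise 443."""
    if cfg.web_server_enabled or any(rule_matches_port(r, 443) for r in cfg.rules):
        return 981
    return 443


def effective_epc_port(cfg: ApplianceConfig) -> int:
    return cfg.epc_port if cfg.epc_port is not None else default_epc_port(cfg)


def epc_preflight(cfg: ApplianceConfig) -> List[str]:
    """Return the problems that would keep EPC clients from connecting."""
    problems: List[str] = []
    if parse_version(cfg.firmware) < MIN_EPC_FIRMWARE:
        problems.append(f"firmware {cfg.firmware} is older than 8.1.37; EPC is not supported")
    port = effective_epc_port(cfg)
    if port not in (443, 981):
        problems.append(f"EPC port {port} is not one of the supported ports 443 or 981")
    if port == 981 and not cfg.https_mgmt_from_any:
        problems.append("EPC on port 981 needs HTTPS management access from 'any' (Setup - Management)")
    # LP398496: no security or NAT rule may match the EPC port.
    for r in cfg.rules:
        if rule_matches_port(r, port):
            hint = "; keep the 443 forward and configure EPC on 981" if r.forward_to and port == 443 else ""
            problems.append(f"rule '{r.name}' matches the EPC port {port}{hint}")
    return problems


if __name__ == "__main__":
    # Constructed: an appliance that forwards HTTPS to an internal web server
    # and was just upgraded, leaving the EPC port to the firmware default.
    cfg = ApplianceConfig(
        firmware="8.2.33",
        rules=[Rule("fwd-https", ports=(443,), forward_to="192.168.10.5")],
    )
    print("default EPC port:", default_epc_port(cfg))  # 981, because a rule contains 443
    for problem in epc_preflight(cfg):
        print(" -", problem)
```

    For the constructed configuration the firmware picks port 981 (a rule contains 443), and the only remaining problem is that HTTPS management is not yet open from "any"; forcing `epc_port=443` on the same appliance instead reports the port-forward rule as a conflict, which is the situation LP387175 describes.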
Customer Support and Services

Show All In This Section

  • How to get support and software updates for the IP30/IP40 appliance? (LP14651)

    The IP30/IP40 appliance is supported by the Check Point Support Organization. Support contracts must be purchased through your sales representative, or reseller, in order to receive technical support from Check Point.
  • How to activate my Safe@Office support plans or product upgrades? (LP15610)

    In order to activate the support plans and/or product upgrades for your Safe@Office product, connect with your browser to http://www.sofaware.com/activate and fill out the product activation form.

    Support plans activation
    Once your activation request is processed and validated, a confirmation message will be sent to you by email and you will be allowed to connect to the Check Point service center to get the services.

    To connect to the Check Point Service Center perform the following:

    • Connect with your browser to http://my.firewall (from LAN)
    • Click on the Services menu.
    • Click on the Connect button.
    • Choose to connect to usercenter.sofaware.com
    • The subscription based services you purchased will be applied immediately.

    Product upgrade activation
    Once your activation request is processed and validated, a confirmation message will be sent to you with the Product Key (license) that will upgrade your product. To install the product key perform the following:

    • Connect with your browser to http://my.firewall (from LAN)
    • Click on 'Setup > Upgrade Product'.
    • Enter the product key string in the designated field.
  • Who provides Technical Support for Safe@Office products? (LP15654)

    Technical support for Safe@Office products is provided by the Check Point Small Business Support team.

    Fill in the online support request form (http://www.sofaware.com/supportForm.aspx) and one of our support experts will get back to you shortly by email.

    Chat live with a support expert when available. Technical support, on all channels, is available Mon-Fri, 9 AM - 5 PM (US and Europe time).

  • What support plans are available with my Safe@Office security appliance? (LP15717)

    The following support options and plans are available for purchase by Safe@Office security appliance owners:

    Annual Safe@Office Support and Subscription
    (ST-CPSB)
    Annual support and services plan that includes the following:
    * Security and firmware updates
    * Email, web and chat support
    * Advanced replacement
    * Dynamic DNS

    Annual Safe@Office Anti-Virus, SmartDefense, Support and Subscription
    (STAV-CPSB)
    * Gateway Anti-Virus updates
    * Security and firmware updates
    * Email, web and chat support
    * Advanced replacement
    * Dynamic DNS

    Annual Safe@Office Web Filtering Service
    (WF-CPSB)
    * Provides URL filtering based on category classification of web-sites.

  • What does the Safe@Office Advanced Security Services Plan include? (LP15718)

    The Safe@Office Advanced Security Services Plan* includes the following:

    • Security and firmware updates.
    • Email, web and chat support.
    • Telephone support in English, from 8:00 AM to 5 PM local time.
    • Advance hardware replacement.
    • Anti-Virus subscription service.
    • Web Filtering subscription service.

    * Advanced Security Services are available only in North America.

  • What is the RMA (Return Material Authorization) procedure for damaged Safe@Office hardware? (LP15722)

    If your Embedded NGX appliance is under hardware warranty and/or a valid support plan, it can be replaced in case of a hardware malfunction (Return Material Authorization - RMA). Follow the RMA procedure as described below:

    • Contact the Check Point Small Business Support team using one of the following methods: open a support ticket, or initiate a chat session at www.sofaware.com.
    • A support expert will attempt to troubleshoot an issue to confirm or exclude a hardware issue. You will be updated at each step of the troubleshooting process.
    • In case a hardware issue is present, you will be issued an RMA form that must be filled and submitted to the Check Point Small Business Support team.
    • An RMA specialist will review the troubleshooting steps and will approve the RMA (or will ask to take further steps in the debugging process).
    • You will be issued an RMA number for follow-up.
    • A replacement product will be sent to the address specified in the RMA form.
    • A tracking number and estimated shipping date will be e-mailed to you once available.

    Note that the license on the replacement box is functional for 30 days only. In order to receive the permanent license, the damaged hardware must be shipped to the logistics center in the US or Europe (depending on your location), and a notification with a tracking number and courier for the returned hardware must be sent to the Check Point SMB Support Team.

  • Where can I view the Safe@Office models and features available? (LP15725)

    Information about Safe@Office models, features, datasheets and comparison charts is available from the Check Point web site.
  • How do I know my Safe@Office support and subscription expiration date? (LP16331)

    In order to view your subscription expiration date, perform the following:

    • Connect with your browser to http://my.firewall (from LAN)
    • Click on "Services".
    • The subscription expiration date is displayed.
  • How do I renew my Safe@Office support plan? (LP16332)

    Contact your reseller for Safe@Office support plan renewal options. Once you renew the support plan, refresh your service center connection to view the new expiration date.
  • Information about Demo Embedded NGX Gateways for small business channel partners (LP198358)

    What are Demo Embedded NGX Gateways?

    Demo UTM Gateways are Safe@Office and VPN-1 Edge UTM gateways that are available to partners for customer product demonstrations only. Demo UTM Gateways are also known as NFR (Not for Resale) gateways. You can recognize a Demo UTM Gateway by the 'Not for Resale' sticker on the exterior of the appliance.

    How many demo UTM Gateways can a partner purchase?

    A partner can purchase up to 3 demo units.

    What's included with a Demo UTM Gateway Out of the Box?

    • Demo UTM Gateways arrive with no license installed "out of the box".
    • The Demo UTM Gateway package includes a welcome letter with a Temporary Demo license.
    • Temporary Demo licenses are good for 30 days only.
    • No subscription services are applied to Demo UTM Gateways, out of the box.
    • The 30 days demo license cannot be extended, but can be replaced with a Permanent Demo license only.

    How to get a permanent Demo license and service for my Demo gateway?

    With a simple activation procedure, partners can get:

    • A permanent Demo license
    • 1 year of support and subscription services from the Check Point Service Center:
      • Software and security updates
      • VStream Anti-Virus Signature updates
      • Web filtering
      • Monthly security reports

    To activate:

    1. The partner fills in the Demo Gateway Activation Form on the SofaWare web site.
    2. The SofaWare support team accepts the form details.
    3. The SofaWare team emails a Permanent Demo license string to the partner, to be installed on the Demo UTM Gateway.
    4. The SofaWare team adds the Demo UTM Gateway and owner information to the Check Point Service Center.
    5. The SofaWare team sends an acknowledgement email with technical instructions to the partner's email address.

 

Network Connectivity (LAN/DMZ/WAN)

Show All In This Section

  • I cannot access http://my.firewall. What should I do? (LP17007)

    In case you cannot access the http://my.firewall page (from LAN), try the following:

    • Verify that the Safe@Office appliance is operating (PWR/SEC LED is active)
    • Check if the LAN LINK/ACT LED for the port used by your computer is on. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly.
      Note: You may need to use a crossover cable when connecting a Safe@Office 'S' series appliance to another hub/switch.
    • Try connecting from LAN with your browser to http://192.168.10.1 (instead of http://my.firewall).
      Note: 192.168.10.1 is the default IP address, and it may vary if you changed it in the My Network page.
    • Check your TCP/IP configuration according to "Installing and Setting up the Safe@Office Appliance" in the Safe@Office Users Guide.
    • Restart your Safe@Office appliance and your broadband modem by disconnecting the power and reconnecting after 5 seconds.
    • If your web browser is configured to use an HTTP proxy to access the Internet, add "my.firewall" or "my.vpn" to your proxy exceptions list.

    In case none of the above worked, contact Check Point Support.

  • I am using the Safe@Office appliance behind another NAT device, and I am having problems with some applications. What should I do?

    By default, the Safe@Office appliance performs Network Address Translation (NAT). It is possible to use the Safe@Office appliance behind another device that performs NAT, such as a DSL router or Wireless router, but the device will block all incoming connections from reaching your Safe@Office appliance. To fix this problem, do ONE of the following (the solutions are listed in order of preference).

    • Consider whether you really need the router. The Safe@Office appliance can often be used as a replacement for your existing router.
    • If possible, disable NAT in the router. Refer to the router's documentation for instructions on how to do this.
    • If the router has a "DMZ Computer" or "Exposed Host" option, set it to the Safe@Office appliance's external IP address.

    In any case, it is recommended that you open the following ports in the NAT device towards the Safe@Office appliance: UDP 9281/9282, UDP 500 (IKE) and ESP (IP protocol 50) for IPsec VPN, TCP 256 (FW1) and TCP 264 (FW1_topo) for Check Point VPN clients, and TCP 981 (HTTPS remote management). Refer to your router documentation for instructions.

  • I cannot connect to the LAN network from the DMZ network. What should I do? (LP17009)

    By default, connections from the DMZ network to the LAN network are blocked. To allow traffic from the DMZ to the LAN, configure appropriate firewall rules. For instructions, refer to Safe@Office v7.5 User Guide - Chapter 12 'Setting Your Security Policy'.
  • How can I make my Safe@Office pingable from the Internet? (LP17886)

    There are two ways to make the Safe@Office pingable from the Internet:

    Method 1
    Change the security level to "Low". To change the security level perform the following :

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on the Security tab.
    3. Click on the Firewall tab.
    4. Change the security level to "Low".

    It is recommended that you first understand the difference between the low, medium and high security levels (refer to Question LP16225 in this article). The security level governs inbound traffic in general, not only ICMP, so Method 2, which allows only ICMP to the gateway itself, is the narrower change and is preferable.

    Method 2
    Create a security rule to allow ICMP to the Embedded NG gateway from the Internet. To create the security rule:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on the Security tab.
    3. Click on the Rules tab.
    4. Click the "Add Rule" button to start the Firewall Rules Wizard.
    5. Choose Allow as the rule type and click "Next".
    6. Click the "Custom Service" button, choose ICMP from the Protocol dropdown box and click "Next".
    7. Choose the Source as "WAN (Internet)" and the Destination as "This Gateway", and click "Next".
    8. Click "Finish" to apply the rule.
  • Does the Safe@Office appliance support PPPoA (PPP over ATM)?

    No. PPPoA is terminated by DSL modems and routers. A Safe@Office appliance without a built-in ADSL interface does not replace your DSL equipment and therefore does not need to support PPPoA. When the Safe@Office appliance is connected to a device that handles PPPoA, choose "Direct LAN Connection" as the Internet connection type on the Safe@Office appliance. For appliances with a built-in ADSL interface, see the ADSL section of this article for typical ISP settings.
  • What is DHCP Relay? (LP17889)

    DHCP Relay is used when the DHCP clients are on a different subnet from the DHCP server. With the DHCP Relay option, the Check Point appliance acts as a DHCP relay agent: it forwards DHCP messages between clients and DHCP servers on different subnets, stamping the address of the interface the request arrived on into the message so the server knows which scope to allocate from. DHCP Relay is supported over clear and VPN connections and uses UDP ports 67/68. To enable DHCP Relay:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on the Network tab.
    3. Click on the My Network Tab.
    4. Click on "Edit" for the network you want enable DHCP Relay for.
    5. Fill in the internal IP Address and Subnet Mask of the Check Point appliance. This will determine the DHCP scope requested from the remote DHCP server.
    6. Choose "Relay" from the DHCP drop down box.

    Note: DHCP Relay will not work through NAT: the DHCP server chooses the scope from, and sends its replies to, the relay address carried inside the DHCP message, and that private address is not reachable from the server when NAT sits in between. When DHCP Relay runs over a VPN connection, make sure that the "Bypass NAT" checkbox is selected for that VPN connection on the Check Point appliance.
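    The relay behaviour just described, as an added example in Python. It is illustrative code written for this article, not SofaWare or Check Point code: it implements the giaddr and hop-count handling of RFC 2131/1542 that any relay agent performs on the UDP 67/68 exchange, and every IP address, MAC address and packet in it is constructed for the example.

```python
"""DHCP relay-agent logic (giaddr/hops handling per RFC 2131 and RFC 1542).
Example code, not SofaWare/Check Point code; all addresses below are constructed."""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68            # the UDP 67/68 pair the FAQ refers to
MAX_HOPS = 16                                # RFC 1542: drop requests relayed this many times
BROADCAST_FLAG = 0x8000
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed BOOTP header: op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr(16)
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
HOPS_OFFSET, GIADDR_OFFSET = 3, 24


def parse(packet: bytes) -> dict:
    """Decode the fixed header of a DHCP datagram; the options area is left untouched."""
    if len(packet) < HDR.size + 192 + 4 or packet[HDR.size + 192:HDR.size + 196] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags, ci, yi, si, gi, chaddr = HDR.unpack_from(packet)
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "ciaddr": socket.inet_ntoa(ci), "yiaddr": socket.inet_ntoa(yi),
            "siaddr": socket.inet_ntoa(si), "giaddr": socket.inet_ntoa(gi),
            "chaddr": chaddr[:hlen].hex(":")}


def relay_to_server(packet: bytes, relay_ip: str, server_ip: str):
    """Client -> server direction. Returns (rewritten packet, (dst_ip, dst_port)) or None to drop."""
    m = parse(packet)
    if m["op"] != BOOTREQUEST or m["hops"] >= MAX_HOPS:
        return None                              # not a request, or a relay loop: drop it
    out = bytearray(packet)
    out[HOPS_OFFSET] = m["hops"] + 1
    if m["giaddr"] == "0.0.0.0":                 # the first relay stamps its address; later ones keep it
        out[GIADDR_OFFSET:GIADDR_OFFSET + 4] = socket.inet_aton(relay_ip)
    return bytes(out), (server_ip, SERVER_PORT)


def relay_to_client(packet: bytes, relay_ip: str, subnet_broadcast: str):
    """Server -> client direction. The server picked its scope from giaddr and addressed the reply
    to giaddr, so only replies carrying this relay's own address are delivered. (This is why the
    exchange breaks when NAT sits between relay and server: giaddr is not reachable from there.)"""
    m = parse(packet)
    if m["op"] != BOOTREPLY or m["giaddr"] != relay_ip:
        return None
    if m["ciaddr"] != "0.0.0.0":                 # client already has an address: unicast to it
        return packet, (m["ciaddr"], CLIENT_PORT)
    # No address yet: broadcast on the client subnet. (Unicasting to yiaddr/chaddr with the
    # broadcast flag clear needs a link-layer send, which this example does not model.)
    return packet, (subnet_broadcast, CLIENT_PORT)


def build_message(op, xid, mac, msg_type, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
                  giaddr="0.0.0.0", flags=BROADCAST_FLAG) -> bytes:
    """Constructed DHCP datagram carrying a single option (53, message type) for the example."""
    hdr = HDR.pack(op, 1, 6, 0, xid, 0, flags, socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                   b"\0\0\0\0", socket.inet_aton(giaddr), mac.ljust(16, b"\0"))
    return hdr + b"\0" * 192 + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


if __name__ == "__main__":
    relay, server, bcast = "192.168.10.1", "10.0.0.5", "192.168.10.255"   # constructed addresses
    mac = bytes.fromhex("001122334455")                                   # constructed client MAC
    discover = build_message(BOOTREQUEST, 0x3903F326, mac, 1)             # 1 = DHCPDISCOVER
    fwd, dst = relay_to_server(discover, relay, server)
    print("to server", dst, parse(fwd))
    offer = build_message(BOOTREPLY, 0x3903F326, mac, 2, yiaddr="192.168.10.50", giaddr=relay)
    print("to client", relay_to_client(offer, relay, bcast)[1])
```

    The giaddr the relay writes (192.168.10.1 in the example) is the "internal IP Address" asked for in step 5 of the procedure above; the server derives the scope from it, which is why that field and the NAT note matter.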

 

Wireless LAN

Show All In This Section

  • I cannot connect to the http://my.firewall page from my wireless client (LP57420)

    By default, access to the Embedded NG Wireless security appliance's Web GUI from the WLAN (Wireless LAN) network is over HTTPS only: https://my.firewall. If you want to access the Web GUI from the WLAN over HTTP (http://my.firewall), you need to configure a security rule to allow it. The security rule parameters can be:
    • Rule Type: Allow
    • Source: WLAN
    • Destination: This Gateway
    • Service: Web Server
    Note: over plain HTTP the administrator login and session travel in cleartext over the wireless medium, so keep the HTTPS default unless there is a specific reason to allow HTTP.
  • How to configure MAC address filtering for wireless clients (LP57421)

    MAC address filtering is a method of authenticating wireless clients to the Embedded NG wireless security appliance and allowing them onto the WLAN network. This method is not secure enough to stand on its own, since MAC addresses are easily cloned: anyone who observes an allowed client's MAC address on the air can set it on their own card. It should be an additional measure on top of the other security methods offered, such as WPA and 802.1x authentication. WEP is also offered, but it is cryptographically broken and should not be relied on.

    To configure MAC address filtering:

    1. Create a network object for the wireless clients you want to authenticate.
    2. Activate MAC address filtering on the appliance.

    To create a network object, perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on the Network menu.
    3. Click on the Network Objects tab.
    4. Click on the "New" button. The Network Object Wizard window appears.
    5. Choose "Single Computer" and click "Next".
    6. In the IP Address field, type in the IP address of the wireless client you want to authenticate.
    7. In the MAC Address field, type in the MAC address of the wireless network card, and click "Next".
    8. Type a name for the network object and click "Next".

    To activate MAC Address Filtering on the appliance, perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on the Network menu.
    3. Click on the My Network tab.
    4. Click on the "Edit" button near the WLAN.
    5. Click the "Show Advanced Settings" link
    6. From the MAC Address Filtering drop-down box choose "Yes".
    7. Click "Apply".

    Note: Once MAC Address Filtering is activated, wireless clients will not be able to communicate with the wireless network unless you create corresponding network objects for each wireless client.

  • Wireless Security with Check Point Safe@Office Appliances (LP135394)

  • My WiFi card does not get a signal from the Embedded NG wireless security appliance (LP154422)

    This procedure describes the troubleshooting steps in case your WiFi card (installed on your mobile computer) does not get any signal from the Embedded NG wireless security appliance.

    Important Notes

    The troubleshooting steps suggested in this procedure assume that there are no coverage issues and that the issue occurs even when the mobile computer is a very short distance from the Embedded NG security wireless appliance. For the purpose of simplified troubleshooting, it is recommended to turn off all wireless security options that may have been configured on the Embedded NG wireless security appliance and on the WiFi card installed on the mobile computer. If this is the first time you install the Embedded NG wireless security appliance, the WLAN network is disabled. To enable the WLAN network, perform the following:

    1. Physically connect your mobile computer to one of the LAN ports of the appliance.
    2. Connect with your browser to http://my.firewall (from LAN)
    3. Login to the administrator console.
    4. Click on the 'Network > My Network' menu.
    5. Click on the "Edit" button, near the WLAN line.
    6. From the Mode drop-down menu, choose "Enabled".

    Troubleshooting

    Checking the WiFi card settings on your mobile computer

    1. Check whether other mobile computers in your network also fail to get a signal from the Embedded NG wireless security appliance. If other computers are able to communicate over the wireless connection, the issue is most likely with your mobile computer's WiFi card setup.
    2. In case you configured the Embedded NG security wireless appliance to hide the SSID, make sure that the WiFi card is manually configured with the correct SSID.
    3. Make sure that the wireless standard (802.11 b/g) configured on the WiFi card matches the standard on the Embedded NG security wireless appliance.
    4. Make sure you have the latest driver for your WiFi card.
    5. Check for additional settings that can be configured on your wireless card, such as country and extended channel usage. These parameters are usually configured during the WiFi card installation, or via the vendor's wireless utility.
    6. In case you have an Intel based WiFi card installed on your mobile computer, you may need to enable extended channel mode (this may not be needed for all models). To setup extended channel mode for Intel based WiFi cards, perform the following in Windows:
      1. Go to Start menu > Settings > Control Panel.
      2. Double-click the Administrative Tools icon.
      3. Double-click the Computer Management icon.
      4. From the left pane of the Computer Management window, choose "Device Manager".
      5. From the right pane of the Computer Management window, expand the Network Adapters branch.
      6. Locate the Intel network card branch and double-click it to open the Intel network card properties.
      7. In the Intel card properties window, click the Advanced tab.
      8. In the Property window, select "Extended Channel Mode".
      9. Choose "Enable" from the Value drop-down box.

    Checking the Embedded NG wireless security appliance settings

    Force the wireless security appliance to work on a specific channel rather than selecting one automatically. To set the channel, physically connect your mobile computer to one of the appliance's LAN ports and perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on the 'Network > My Network' menu.
    3. Click on the "Edit" button near the WLAN title.
    4. From the Channel drop-down box, choose an available channel.

    For additional troubleshooting steps, contact Check Point Support.

  • Troubleshooting WPA connection (LP223779)

    When using WPA encryption on the WLAN, the connection is dropped immediately after connecting. Connections and disconnections appear consecutively in the appliance event log.

    The solution:

    Import manual encryption configuration to the wireless Embedded NGX appliance.

    To apply the configuration file:

    1. Download the configuration file that matches your needs:
      • TKIP.CFG - Manually sets the security appliance to use TKIP encryption for WPA. TKIP is the older, weaker cipher; use it only for clients that cannot do AES.
      • AES.CFG - Forces the appliance to use AES encryption only (not supported by some older wireless client devices). This is the stronger choice when all clients support it.
      • AUTO.CFG - Resets the encryption engine to automatic (security appliance default).
    2. Connect with your browser to http://my.firewall (from LAN)
    3. Browse to 'Setup > Tools > Import'.
    4. Click "Browse" and select the file you wish to import.
    5. Click "Open".
    6. Click the "Import" button to import.
    7. The wireless network will restart. You may need to reconfigure some or all of the wireless clients in your network.
    8. Configuration is done.
  • How to Bridge LAN and Wireless networks to a single network (LP223956)

    Note: Normally, the Transparent Bridges feature requires a Power Pack license on a Safe@Office appliance. However, from firmware version 7.0.39 and subsequent versions you can create only one bridge without the Power Pack license.

    In most cases, standard access points have the wired LAN and the wireless network bridged together as a single network. In a secure deployment, however, it is customary to separate the LAN (traditionally the segment holding the confidential business resources) from other networks that are considered potentially insecure. The Embedded NGX security appliances keep the WLAN and LAN segments separated by subnetting and firewalling, because the wireless medium is insecure by definition.

    This may lead to different behavior than you were probably used to with your 'old' standard access point, especially when attempting to browse the workgroup computers on the LAN, using the Microsoft File and Print sharing service. This Microsoft service is designed to work best between computers on the same local area network. However, since the WLAN and LAN are on different networks, you can either connect to shared folders or printers on the LAN by using direct IP addresses (for example, \\192.168.10.2\C$) or you can install a WINS server to translate computer names into their corresponding IP addresses. This action will provide the functionality you are looking for by connecting to shared folders, and will keep your network secure.

    Another option that is less recommended from the point of view of wireless security, is to bridge between the LAN and WLAN networks, making them a "single network". To create a bridge between the LAN and WLAN networks:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on 'Network > My Network'.
    3. Click on the "Edit" button next to the WLAN network.
    4. Click on the "Wireless Wizard" button button at the bottom of the page.
    5. In the Wireless Configuration Wizard window, complete the necessary settings for your wireless network, and click "Next".
    6. Choose the required wireless security protocol for your network, choose "Bridge Mode" to create a bridge between the WLAN and the LAN, and click "Next".
    7. Complete the Wireless Configuration Wizard with the required information for your wireless network.
    8. The WLAN and LAN will now be bridged together and will share the same subnet.
  • My wireless client does not support all the advanced wireless options: the WLAN connection drops immediately after connecting, or connections and disconnections appear consecutively in the appliance event log (LP223963)

    The Embedded NGX appliance offers a variety of security and additional advanced options (such as QoS for multimedia over wireless). Depending on your wireless client software, all or some of the options may be supported. In case your wireless client does not support all the advanced options, it might result in the following symptoms:

    • The WLAN connection might be dropped, immediately after connecting.
    • Connections and disconnections might appear consecutively in the appliance event log.

    To improve the compatibility between your wireless client and the Embedded NGX appliance and overcome the symptoms above, attempt the following steps:

    • Import manual encryption configuration to the wireless Embedded NGX appliance.
    • Disable Multimedia Quality of Service (QoS WMM).

    To apply manual encryption configuration to the Embedded NGX appliance:

    1. Download one of the configuration files below that answers your needs:
      • TKIP.CFG - Manually sets the security appliance to use TKIP encryption for WPA.
      • AES.CFG - Forces the appliance to only use AES encryption (not supported by some older wireless client devices).
      • AUTO.CFG - Resets the encryption engine to automatic (security appliance default).
    2. Connect with your browser to http://my.firewall (from LAN)
    3. Browse to 'Setup > Tools > Import'.
    4. Click "Browse" and select the file you wish to import.
    5. Click "Open".
    6. Click the "Import" button to import.
    7. The wireless network will restart. You may need to reconfigure some or all of the wireless clients in your network.
    8. Configuration is done.

    To disable Multimedia QoS:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Browse to 'Network > My Network'.
    3. In the WLAN line, click "Edit".
    4. Click "Show Advanced Settings".
    5. In the Multimedia QoS (WMM) drop-down list, choose "Disabled".
    6. Click "Apply".
    7. Configuration is done.
  • Which third-party wireless antennas can be used with my appliance? (LP316479)

    Embedded NGX wireless appliances use RP-SMA connectors.

    Before substituting any antennas other than the ones supplied by Check Point, note:

    • Substituting an antenna other than the ones supplied by Check Point, may be in violation of local regulations. Installers should abide by all FCC, EU, or local regulations and requirements before deploying any 3rd party antennas.
    • Check Point and its affiliates are not responsible for any damage caused by use of a 3rd party antennas. Check Point will not replace or repair appliances damaged by use of an improper antenna.

 

VStream Anti-Virus

Show All In This Section

  • What is the VStream Anti-Virus? (LP171924)

    The Embedded NGX security gateway (with firmware 6.0 and subsequent versions) includes VStream Anti-Virus, an embedded stream-based Anti-Virus engine based on Check Point Stateful Inspection and Application Intelligence technologies that performs virus scanning at the kernel level. VStream Anti-Virus scans files for malicious content on the fly, without downloading the files into intermediate storage. This means minimal added latency and support for unlimited file sizes; and since VStream Anti-Virus stores only minimal state information per connection, it can scan thousands of connections concurrently. To scan archive files on the fly, VStream Anti-Virus performs real-time decompression and scanning of ZIP, TAR, and GZ archive files, including nested archives.
  • What is the default action policy when viruses are detected? (LP171925)

    When VStream Anti-Virus detects malicious content, the action it takes depends on the protocol in which the virus was found (see the table below). In each case, VStream Anti-Virus blocks the file and writes a log to the Event Log.

    Protocol  | Action taken by VStream Anti-Virus                                                                                     | Port on which the protocol is detected
    HTTP      | Terminates the connection.                                                                                             | All ports on which VStream is enabled by the policy, not only port 80
    POP3      | Terminates the connection. Deletes the virus-infected email from the server.                                           | The standard TCP port 110
    IMAP      | Terminates the connection. Replaces the virus-infected email with a message notifying the user that a virus was found. | The standard TCP port 143
    SMTP      | Rejects the virus-infected email with error code 554. Sends a "Virus detected" message to the sender.                  | The standard TCP port 25
    FTP       | Terminates the data connection. Sends a "Virus detected" message to the FTP client.                                    | The standard TCP port 21
    TCP/UDP   | Terminates the connection.                                                                                             | Generic TCP and UDP ports other than those listed above

    For protocols not listed in this table, VStream Anti-Virus uses a "best effort" approach: detection is not guaranteed and depends on the specific encoding used by the protocol.
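    An added example, in Python, of the scanning behaviour described in this section: stream-style inspection of nested ZIP, TAR and GZ archives, the same inspection applied to each decoded MIME part of an email, and the 554 reply a scanning SMTP gateway returns for an infected message. This is illustrative code written for this article, not VStream or any other Check Point code; the signature string, the sample archive and the sample message are constructed for the example, and the nesting-depth and per-member size limits are assumed values that a real engine would tune.

```python
"""Stream-style scanning of nested archives and MIME mail. Example code, not Check Point code;
the signature below is a constructed test string, not a real malware pattern."""
import email
import gzip
import io
import tarfile
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed signature table (pattern bytes -> detection name).
SIGNATURES = {b"CONSTRUCTED-TEST-SIGNATURE-NOT-MALWARE": "Test.Signature"}
MAX_DEPTH = 4                   # assumed: nested archive levels inspected before giving up
MAX_MEMBER = 8 * 1024 * 1024    # assumed: bytes inspected per member (decompression-bomb guard)
ZIP_MAGIC, GZ_MAGIC = b"PK\x03\x04", b"\x1f\x8b"


def _is_tar(data: bytes) -> bool:
    """ustar, pax and GNU tar headers all carry the "ustar" magic at offset 257."""
    return len(data) > 262 and data[257:262] == b"ustar"


def scan_bytes(data: bytes, name: str, findings: list, depth: int = 0) -> None:
    """Recursively scan one object. Archives are recognised by magic bytes, never by file name,
    and each member is scanned as it is decompressed instead of being written out first."""
    if depth > MAX_DEPTH:
        findings.append((name, "SKIPPED: nesting deeper than MAX_DEPTH"))
        return
    if len(data) > MAX_MEMBER:
        findings.append((name, "SKIPPED: larger than MAX_MEMBER"))
        return
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    with zf.open(info) as fh:
                        scan_bytes(fh.read(MAX_MEMBER + 1), f"{name}!{info.filename}", findings, depth + 1)
    elif data.startswith(GZ_MAGIC):
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            scan_bytes(gz.read(MAX_MEMBER + 1), f"{name}!gunzip", findings, depth + 1)
    elif _is_tar(data):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            for member in tf.getmembers():
                fh = tf.extractfile(member)          # None for directories and special entries
                if fh is not None:
                    scan_bytes(fh.read(MAX_MEMBER + 1), f"{name}!{member.name}", findings, depth + 1)
    else:
        for pattern, label in SIGNATURES.items():
            if pattern in data:
                findings.append((name, label))


def scan_mail(raw: bytes) -> list:
    """Scan every decoded MIME part of a message, so base64 attachments are inspected in the clear."""
    findings = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for i, part in enumerate(msg.walk()):
        if not part.is_multipart():
            scan_bytes(part.get_payload(decode=True) or b"", part.get_filename() or f"part{i}", findings)
    return findings


def smtp_data_response(raw: bytes) -> str:
    """Reply a scanning MTA gives at the end of DATA: 554 for an infected message (as VStream does), else 250."""
    hits = [f for f in scan_mail(raw) if not f[1].startswith("SKIPPED")]
    return f"554 5.7.1 Virus detected in {hits[0][0]}: {hits[0][1]}" if hits else "250 OK"


def build_nested_sample() -> bytes:
    """Constructed input: the signature in a text file, inside a tar, inside gzip, inside a zip."""
    inner = b"harmless header\n" + next(iter(SIGNATURES)) + b"\n"
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w:") as tf:
        ti = tarfile.TarInfo("payload.txt")
        ti.size = len(inner)
        tf.addfile(ti, io.BytesIO(inner))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.tar.gz", gzip.compress(tar_buf.getvalue()))
    return zip_buf.getvalue()


def build_deep_gzip(levels: int) -> bytes:
    """Constructed input: the signature wrapped in `levels` layers of gzip (exercises MAX_DEPTH)."""
    data = next(iter(SIGNATURES))
    for _ in range(levels):
        data = gzip.compress(data)
    return data


def build_sample_mail(attachment: bytes) -> bytes:
    """Constructed message carrying `attachment` as a base64-encoded application/zip part."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.net", "user@example.com", "invoice"
    m.set_content("see attached")
    m.add_attachment(attachment, maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_bytes()


if __name__ == "__main__":
    found = []
    scan_bytes(build_nested_sample(), "invoice.zip", found)
    print(found)
    print(smtp_data_response(build_sample_mail(build_nested_sample())))
```

    Two design points carry over to any in-line scanner: archives are identified by their magic bytes rather than the name a sender chose, and an archive that nests deeper or inflates larger than the configured limits is reported as not scanned rather than silently passed, so a policy can decide whether such objects are blocked.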

  • What is the difference between the VStream Anti-Virus and the Email Anti-Virus subscription service? (LP171926)

    VStream Anti-Virus differs from the Email Anti-Virus subscription service (part of the Email Filtering service) in the following ways:

    • Email Anti-Virus is centralized, redirecting traffic through the Service Center for scanning, while VStream Anti-Virus scans for viruses in the Safe@Office gateway itself.
    • Email Anti-Virus is specific to e-mail, scanning incoming POP3 and outgoing SMTP connections only, while VStream Anti-Virus supports additional protocols, including incoming SMTP and outgoing POP3 connections.

    You can use either Anti-Virus solution, or both, in conjunction.

  • What is the difference between the main and the daily Anti-Virus signatures databases? (LP171927)

    VStream Anti-Virus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures. Periodically, the contents of the daily database are moved to the main database, leaving the daily database empty. This system of incremental updates to the main database allows for quicker updates and saves on network bandwidth. You can view information about the VStream signature databases currently in use, on the VStream Anti-Virus page.
  • I am subscribed to the VStream Anti-Virus signatures updates, but installation of daily virus definitions fails (LP310602)

    The daily VStream Anti-Virus signatures updates fail to install, interrupting the normal operation of the VStream Anti-Virus.

    Symptoms

    A failure to install the VStream Anti-Virus signature updates may result in one or more of the following symptoms:

    • A "failed to install daily database" error message appears in the Anti-Virus page.
    • Upon initiating an update, using the 'Update now' button in the menu, nothing happens.

    Possible cause

    This may occur in case the definition update from the service center was interrupted, and the downloaded archive has become corrupted.

    Solution

    In order to solve this issue perform the following:

    • Reset the Anti-Virus signatures database.
    • Refresh the connection to the Service Center.

    Note: This procedure will not affect any of the existing settings on the appliance.

    To reset the Anti-Virus signature database on a ZoneAlarm Z100G Secure Wireless Router, perform the following:

    1. Download the script (*.CFG) file and save it to a local folder on your computer.
    2. Connect with your browser to http://my.firewall (from LAN)
    3. Click "Setup" on the main menu, and then the Tools tab.
    4. Click "Import", browse for the script file, and click "Upload". A confirmation message will appear in case the upload finished successfully.
    5. The Anti-Virus signature database is now reset.

    To reset the Anti-Virus signature database on any other Embedded NGX appliance, perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click "Setup" on the main menu, and then on Tools.
    3. Click "Command".
    4. In the command text box, type the command: reset vstream-database and click "Go".
    5. The Anti-Virus signature database is now reset.

    To refresh the connection to the Service Center perform the following:

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on "Services".
    3. Click "Refresh".

 

ADSL

Show All In This Section

  • Typical ADSL configuration of various worldwide ISPs (LP196537)

    The following list describes the typical ADSL configuration required by well-known ISPs and telcos worldwide. Consult your ADSL provider for the most recent settings.

    | Country | Service Provider | Connection Type | VPI | VCI | Encapsulation |
    |---|---|---|---|---|---|
    | Argentina | Arnet | PPPoE | 0 | 33 | LLC |
    | Argentina | Speedy | PPPoE | 8 | 35 | LLC |
    | Australia | Most ISPs | PPPoE | 8 | 35 | LLC |
    | Australia | Arachnet | PPPoA | 8 | 35 | VCMUX |
    | Australia | Telstra | PPPoE | 8 | 35 | LLC |
    | Austria | Most ISPs | PPPoA | 8 | 48 | VCMUX |
    | Austria | AON | PPPoA | 1 | 32 | VCMUX |
    | Belgium | ADSL Office | PPPoE | 8 | 35 | VCMUX |
    | Belgium | Belgacom ADSL | PPPoA | 8 | 35 | VCMUX / LLC |
    | Belgium | Turboline | PPPoA | 8 | 35 | LLC |
    | Brazil | Brasil Telecom (brturbo) | PPPoE | 0 | 35 | LLC |
    | Brazil | do rio grande do sul são | PPPoE | 1 | 32 | LLC |
    | Brazil | Speedy da Telefonica | PPPoE | 8 | 35 | LLC |
    | Brazil | Velox da Telemar | PPPoE | 0 | 33 | LLC |
    | Bulgaria | BTK (ISDN) | PPPoE | 1 | 32 | LLC |
    | Bulgaria | BTK (POTS) | PPPoE | 0 | 35 | LLC |
    | Czech Republic | Cesky Telecom (PPPoA) | PPPoA | 8 | 48 | VCMUX |
    | Czech Republic | Cesky Telecom (PPPoE) | PPPoE | 8 | 48 | LLC |
    | Denmark | Cybercity | PPPoA | 0 | 35 | VCMUX |
    | Denmark | Tiscali | PPPoA | 8 | 35 | VCMUX |
    | Denmark | Tiscali (World Online) | PPPoA | 0 | 35 | VCMUX |
    | Egypt | Raya Telecom | PPPoA | 8 | 80 | VCMUX |
    | France | 9Online | PPPoA | 8 | 35 | VCMUX |
    | France | AOL | PPPoA | 8 | 35 | VCMUX |
    | France | Cegetel ADSL Max 8 Mb | PPPoA | 8 | 35 | VCMUX |
    | France | Cegetel non dégroupé 512 IP/ADSL et dégroupé | PPPoA | 8 | 35 | VCMUX |
    | France | Claranet | PPPoA | 8 | 35 | VCMUX |
    | France | Club-Internet | PPPoA | 8 | 35 | VCMUX |
    | France | EasyConnect | PPPoA | 8 | 35 | LLC |
    | France | Free non dégroupé 512/128 & 1024/128 | PPPoA | 8 | 35 | VCMUX |
    | France | Free non dégroupé ADSL Max | PPPoA | 8 | 35 | VCMUX |
    | France | Freesurf | PPPoA | 8 | 35 | VCMUX |
    | France | FT | PPPoA | 8 | 35 | VCMUX |
    | France | Generic Netissimo | PPPoA | 8 | 35 | LLC |
    | France | HRNet | PPPoA | 8 | 35 | VCMUX |
    | France | Nerim | PPPoA | 8 | 35 | VCMUX |
    | France | Nordnet | PPPoA | 8 | 35 | VCMUX |
    | France | Tiscali.fr (128k) | PPPoA | 8 | 35 | LLC |
    | France | Tiscali.fr (512k) | PPPoA | 8 | 35 | VCMUX |
    | France | Tiscali Liberty Surf | PPPoA | 8 | 35 | LLC |
    | France | Wanadoo | PPPoA | 8 | 35 | VCMUX |
    | France | Worldnet | PPPoA | 8 | 35 | VCMUX |
    | Germany | 1&1 (Dun) | PPPoE | 1 | 32 | LLC |
    | Germany | Alice DSL | PPPoE | 1 | 32 | LLC |
    | Germany | Anderer Provider für T-DSL (Dun) | PPPoE | 1 | 32 | LLC |
    | Germany | Arcor | PPPoE | 1 | 32 | LLC |
    | Germany | DT | PPPoE | 1 | 32 | LLC |
    | Germany | Mnet | PPPoE | 1 | 32 | LLC |
    | Germany | NetCologne | PPPoE | 8 | 35 | LLC |
    | Germany | QSC | PPPoE | 1 | 32 | LLC |
    | Germany | Tiscali | PPPoE | 1 | 32 | LLC |
    | Germany | T-Online (Dun) | PPPoE | 1 | 32 | LLC |
    | Hungary | Matav | PPPoE | 1 | 32 | LLC |
    | Iceland | Islandssimi | PPPoA | 0 | 35 | VCMUX |
    | Iceland | Landssimi | PPPoA | 8 | 48 | VCMUX |
    | India | Most ISPs | PPPoA | 0 | 32 | VCMUX |
    | Ireland | Most ISPs | PPPoE | 8 | 35 | LLC |
    | Israel | Bezeq | PPPoE | 8 | 48 | LLC |
    | Italy | Albacom | PPPoA | 8 | 35 | VCMUX |
    | Italy | Aruba | PPPoA | 8 | 35 | VCMUX |
    | Italy | Libero.it | PPPoA | 8 | 35 | VCMUX |
    | Italy | MC-link | PPPoA | 8 | 35 | VCMUX |
    | Italy | Nextra | PPPoA | 8 | 35 | VCMUX |
    | Italy | Telecom Italia | PPPoA | 8 | 35 | VCMUX |
    | Italy | Telvia | PPPoA | 8 | 35 | VCMUX |
    | Italy | Tiscali | PPPoA | 8 | 35 | VCMUX |
    | Italy | Wind | PPPoA | 8 | 35 | VCMUX / LLC |
    | Mexico | Telmex Infinitum | PPPoE | 8 | 35 | LLC |
    | Morocco | Maroc Telecom | PPPoA | 8 | 35 | VCMUX |
    | Netherlands | Bbeyond (PPPoE) | PPPoE | 0 | 33 | LLC |
    | Netherlands | Bbeyond (PPPoA) | PPPoA | 0 | 35 | VCMUX |
    | Netherlands | KPN | PPPoA | 8 | 48 | VCMUX |
    | New Zealand | New Zealand Telecom | PPPoA | 0 | 100 | VCMUX |
    | Poland | NETIA | PPPoE | 8 | 35 | LLC |
    | Poland | TPSA | PPPoA | 0 | 35 | VCMUX |
    | Portugal | Portugal Telecom | PPPoA | 0 | 35 | VCMUX |
    | Russia | MTU Intel | PPPoE | 1 | 50 | LLC |
    | Singapore | SingNet Broadband | PPPoA | 0 | 100 | VCMUX |
    | Slovenia | SiOL | PPPoE | 1 | 32 | LLC |
    | Spain | Albura | PPPoA | 1 | 32 | VCMUX |
    | Spain | Arrakis | PPPoA | 0 | 35 | VCMUX |
    | Spain | Arsys | PPPoE | 1 | 33 | LLC |
    | Spain | Auna | PPPoA | 0 | 35 | VCMUX |
    | Spain | Colt Telecom | PPPoA | 0 | 35 | VCMUX |
    | Spain | Comunitel | PPPoA | 0 | 33 | VCMUX |
    | Spain | ERES MAS | PPPoA | 8 | 35 | LLC |
    | Spain | Euskaltel | PPPoE | 8 | 32 | LLC |
    | Spain | Jazztel | PPPoA | 8 | 35 | LLC |
    | Spain | Telefonica | PPPoE | 8 | 32 | VCMUX / LLC |
    | Spain | Telepac | PPPoE | 0 | 35 | LLC |
    | Spain | Terra | PPPoE | 8 | 32 | LLC |
    | Spain | Tiscali | PPPoA | 1 | 32 | VCMUX |
    | Spain | Uni2 | PPPoA | 1 | 33 | VCMUX |
    | Spain | Wanadoo Spain | PPPoE | 8 | 32 | LLC |
    | Spain | Ya.com | PPPoE | 8 | 32 | LLC |
    | Sweden | Skanova | PPPoE | 8 | 35 | LLC |
    | UAE | Etisalat Classical IP for Business | PPPoA | 0 | 50 | VCMUX |
    | UAE | Etisalat Classical IP Single User | PPPoE | 0 | 100 | LLC |
    | UAE | Etisalat | PPPoA | 0 | 50 | LLC |
    | UAE | UAE-Other | PPPoE | 0 | 50 | LLC |
    | UK | Most ISPs | PPPoA | 0 | 38 | VCMUX |
    | US | AOL | PPPoE | 0 | 35 | LLC |
    | US | BellSouth | PPPoE | 8 | 35 | LLC |
    | US | Covad | PPPoE | 0 | 35 | LLC |
    | US | EarthLink | PPPoE | 0 | 35 | LLC |
    | US | Qwest | PPPoE | 0 | 32 | LLC |
    | US | SBC | PPPoE | 0 | 35 | LLC |
    | US | Sprint | PPPoE | 0 | 35 | LLC |
    | US | Verizon | PPPoE | 0 | 35 | LLC |

  • I am experiencing frequent disconnections with my Embedded NGX appliance with embedded ADSL modem. What can I do? (LP224491)

    This solution applies only to Embedded NGX appliances with an embedded ADSL modem.

    1. Connect with your browser to http://my.firewall (from LAN)
    2. Click on the Setup menu.
    3. Click on the Tools tab.
    4. Click on the "Command" button. The Command Line window appears.
    5. In the command line, type the command: set port adsl auto-sra mode disable
    6. Click "Go".
    7. The default value is now changed.

 

High Availability

Show All In This Section

 

Remote Desktop

Show All In This Section

  • How to work with the Remote Desktop feature of Embedded NGX appliances on Windows Vista operating system? (LP316577)

    An internal error message is received when trying to initiate a Remote Desktop connection via the http://my.firewall portal to a computer that runs the Windows Vista operating system.

    Possible cause

    The remote computer is configured to allow only Remote Desktop connections that use Network Level Authentication. The Embedded NGX security appliances use an ActiveX component to run the Remote Desktop feature, and this component does not support Network Level Authentication, so the connection initiated via the http://my.firewall portal is rejected.

    Solution

    Configure the Remote Settings on the computer to which you are connecting, to allow connections from computers running any version of Remote Desktop.

    To update the Remote Settings configuration, perform the following:

    1. On your desktop, right-click on the Computer icon.
    2. Click on Properties from the pop-up menu.
    3. Click on the "Remote Settings" option from the left-hand menu.
    4. Click on the "Allow connections from computers running any version of Remote Desktop (less secure)" radio button.

    Note: This option is equivalent to the "Allow users to connect remotely to this computer" option on Windows XP. The "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" option applies only to connections made with the local Remote Desktop client when both computers run Windows Vista.

    For detailed instructions on how to remotely access the desktop of each of your computers using the Embedded NGX appliances' Remote Desktop feature, refer to Safe@Office v7.5 User Guide - Chapter 18 'Using Remote Desktop'.
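Because the workaround above weakens the Remote Desktop listener on the target computer, an administrator will want to know which hosts have been left with Network Level Authentication switched off and to turn it back on once the appliance's ActiveX client is no longer needed. The following PowerShell audit script is an added example, not part of this FAQ or of the Check Point product; the `-ComputerName` and `-Remediate` parameters are my own, and it reads the standard `Win32_TSGeneralSetting` WMI class.

```powershell
# Added example (not from the SofaWare FAQ): report whether the RDP-Tcp listener
# requires Network Level Authentication on one or more Windows hosts and,
# optionally, re-enable the "more secure" setting. Run from an elevated prompt.
param(
    # Hypothetical parameters: hosts to audit (default: local machine) and whether to fix them.
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [switch]$Remediate
)

foreach ($computer in $ComputerName) {
    try {
        # Win32_TSGeneralSetting exposes the Remote Desktop listener configuration.
        # UserAuthenticationRequired = 1 -> NLA required (the "more secure" radio button).
        # UserAuthenticationRequired = 0 -> any Remote Desktop client may connect
        #                                  (the "less secure" setting chosen in the FAQ).
        $setting = Get-CimInstance -ComputerName $computer `
            -Namespace 'root\cimv2\TerminalServices' `
            -ClassName 'Win32_TSGeneralSetting' `
            -Filter "TerminalName='RDP-Tcp'"

        $nlaRequired = ($setting.UserAuthenticationRequired -eq 1)

        if (-not $nlaRequired -and $Remediate) {
            # SetUserAuthenticationRequired(1) restores the NLA requirement; this will
            # again break the appliance portal's ActiveX Remote Desktop client.
            Invoke-CimMethod -InputObject $setting `
                -MethodName 'SetUserAuthenticationRequired' `
                -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
            $nlaRequired = $true
        }

        [pscustomobject]@{
            Computer    = $computer
            NlaRequired = $nlaRequired
            Finding     = if ($nlaRequired) { 'OK' } else { 'NLA disabled: pre-authentication RDP exposure' }
        }
    }
    catch {
        Write-Warning ("Could not query {0}: {1}" -f $computer, $_.Exception.Message)
    }
}
```

Feed the output to `Export-Csv` or a ticketing system to keep a record of which computers were intentionally weakened for the appliance's Remote Desktop feature.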

 

Toshiba PCX5000

Show All In This Section

