Table of Contents

• Licensing
• General
• Firewall
• Logging
• VPN
• Customer Support and Services
• Network Connectivity (LAN/DMZ/WAN)
• Wireless LAN
• VStream Anti-Virus
• ADSL
• High Availability
• Remote Desktop
• Toshiba PCX5000

Show Entire Article

Licensing

Show All In This Section

• How are nodes counted within the Safe@Office product line license? (LP16317)

  Nodes are counted, based on the number of concurrent IP addresses generating traffic through the firewall. An IP node will generate traffic through the firewall when it sends packets to resources outside its own network (such as the Internet, DMZ, secondary logical network etc.). As a result, devices like network printers, switches or access points will not be counted as licensed nodes.

• How do I upgrade the Check Point security appliance node limit? (LP16318)

  In order to upgrade the node limit, you need to purchase a product upgrade. In most cases, you will simply get a product key string. However, an upgrade from a 5/10 nodes product to a 25 nodes product may require replacing your hardware. Contact your reseller for upgrade and pricing information. Additionally, you can manually purchase an upgrade to the node limit at the Check Point Store.

• How long does it take for an IP node to release a license? (LP16319)

  An IP node will release its license after 60 minutes of not generating traffic through the firewall. An IP node that released its license is displayed in blue on the Active Computers page.

• How do I prevent an IP node from taking up a license? (LP16320)

  An IP node will take up a license if it generates traffic through the firewall. In order to prevent a node from generating traffic through the firewall, you'll need to set the node up with no default gateway information. Note that this will make the node unable to browse the Internet.

• I reset my appliance to factory settings and lost the product key information. What can I do? (LP16321)

  Contact your reseller to retrieve the latest product key for your appliance.

General

Show All In This Section

• I forgot the Safe@Office administrator password. What can I do? (LP16227)

  The Safe@Office does not have a default administrator password. In case you forgot the password, reset the Safe@Office to factory settings, by pressing the reset button on the back of the box for 10 seconds. After the box reboots, you will be able to enter a new password.

• How can I configure the Safe@Office appliance from a remote location? (LP16228)

  The Safe@Office appliance supports remote management. You can enable remote management and connect to the box from the Internet, by connecting with your browser to https://<Appliance_External_IP_Address>:981. To enable management of the Safe@Office from a remote location:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on the Setup menu.
  3. Click on the Management menu.
  4. Choose the suitable management option for you.

  Note: In case the Safe@Office appliance is installed behind another firewall or a NAT device, make sure to allow HTTPS traffic on TCP port 981 towards the Safe@Office appliance.

• How can I backup and restore the Safe@Office configuration? (LP16322)

  In order to backup the Safe@Office configuration, perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on 'Setup > Tools'.
  3. Click on the "Export" button.
  4. Save the exported configuration file to a local folder.

  In order to restore the Safe@Office configuration from a file:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on 'Setup > Tools'.
  3. Click on the "Import" button.
  4. Locate the configuration file (.cfg) on your local hard drive and upload it.

• Error message "Service Center did not respond" when trying to connect to a Service Center (LP16330)

  The connection to a Check Point Service Center uses a proprietory protocol called SWTP (SofaWare Transport Protocol). This protocol makes sure that all communications between a Safe@Office box and the Service Center are secured and encrypted. The communication between the Safe@Office and a Service Center uses UDP ports 9281/9282.

  In case your Safe@Office is behind another firewall, make sure to enable traffic through the SWTP ports mentioned. In addition, make sure that your router does not block these ports using ACLs (Access List).

• What is Check Point Safe@Office? (LP16999)

  The Check Point Safe@Office appliance is an advanced Internet security appliance that enables secure high-speed Internet access from the office. The Safe@Office firewall, based on the world-leading Check Point Embedded NG Stateful Inspection technology, inspects and filters all incoming and outgoing traffic, blocking all unauthorized traffic.

  The Safe@Office appliance also allows sharing your Internet connection among several PCs or other network devices, enabling advanced office networking and saving the cost of purchasing static IP addresses. You can also connect Safe@Office appliances to security services available from select service providers, including firewall security updates, Web filtering, and dynamic DNS. Business users can use the Safe@Office appliance to securely connect to the office network.

• How do I configure my Embedded NGX Solution? (LP17000)

  Embedded NGX Solutions are configured through a simple Web-browser portal. No software installation is required. Just connect your Embedded NGX Solution, launch your browser, and connect from LAN with your browser to http://my.firewall.

• What is the default LAN IP address of the Safe@Office appliance? (LP17001)

  The default LAN IP address of the Safe@Office appliance is 192.168.10.1.

• Do Safe@Office Solutions work with any operating system? (LP17002)

  Yes. Safe@Office Solutions protect all of the computers on your network, regardless of their operating system. Plus, Safe@Office Solutions are configured through a Web browser and require no software installation on your computers. Therefore, they are manageable from any type of computer, regardless of its operating system.

• Which management options are available for Safe@Office? (LP17004)

  The following management options are available for Safe@Office:

  • Local web-based management
  • SofaWare Security Management Portal (SMP)

  Safe@Office appliances cannot be managed by Check Point SmartCenter. For an appliance supporting SmartCenter enterprise management, refer to VPN-1 Edge.

• How is this solution better than using a PC firewall? (LP17005)

  Inherent drawbacks with PC firewalls make Safe@Office solutions a superior choice:

  • PC firewalls protect a single PC. A Safe@Office Solution protects your entire network - all the PCs, Macintoshes, servers and other devices on the network
  • PC firewalls are managed and configured by the consumer. Most common security flaws originate from faulty configuration. To reduce risk for users, Safe@Office Solutions come with a pre-configured security policy. In addition, Safe@Office Solutions can be managed by a security solutions provider, transferring responsibility for security expertise to security experts.

• Which Safe@Office models are available? (LP17006)

  To view the list of available Safe@Office models and their technical specifications, click here.

• Why are the date and time displayed incorrectly? (LP17010)

  In the Safe@Office 'S' series, when a computer on the LAN connects to the Safe@Office Portal, the Safe@Office appliance adjusts its date and time to match that of the computer. If the date and time displayed in the Safe@Office Portal are incorrect, it probably means that the date and time on the computer connected to the Safe@Office Portal are incorrect. In the Safe@Office 200 series, you can adjust the time on the Setup page's Tools tab.

• Can I connect an Ethernet switch to my appliance? (LP17011)

  You can cascade an additional hub or switch to the Safe@Office 'S' series appliance, by using a crossed Ethernet cable. The Safe@Office 'X' series automatically detects the cable type, so you can use either a straight-through or crossed cable.

• Activate the TFTP server on the appliance (LP135792)

  Items can be uploaded to the Check Point security appliance in order to make them permanent even after a reset to factory settings. An item can be either a firmware image file, a bootloader file or a configuration (CFG) file.

  The Check Point security appliance has an embedded TFTP server installed with default IP address 192.168.10.1, and a TFTP client must be used in order to upload items to the appliance. TFTP client software are usually part of the operating system, but can also be 3rd party software. To upload items perform the following:

  1. Activate the TFTP server on the appliance by following these steps: unplug the power cord, hold the reset button on the back of the box, and plug in the power cord, while holding the button until the pwr/sec led is steady red.
  2. Connect a computer to one of the security appliance LAN ports.
  3. Configure the computer to use an IP address of the range 192.168.10.0 /255 (note that 192.168.10.1 is already taken by the appliance TFTP server by default).
  4. In case you are using the Windows 2000 embedded TFTP client, open command prompt and type the following command:
     tftp -i 192.168.10.1 put [filename]
     The appliance will reboot.

  Note: When uploading a firmware or bootloader file, the file must be compiled in TFTP format. A configuration file can be uploaded in CFG format.

• Missing images in the my.firewall page (LP144347)

  When connecting with your browser from LAN to http://my.firewall configuration page, images may not be displayed correctly because of the following reasons:

  1. Your browser cache is full
  2. Personal firewall installed prevents some scripts and images to run

  Solutions:

  1. Clear your browser cache
  2. Stop your personal firewall or filter the my.firewall page from the firewall tables.

• What are the the Check Point appliances vendor specific RADIUS attributes? (LP145353)

  "Vendor specific RADIUS attributes" is supported with firmware 5.0.82 and subsequent versions. You can configure your RADIUS server to use the following attributes:

  SofaWare Vendor ID: 6983

  The list of permissions and corresponding attributes and values is described in the following table:

  Permission Type	Attribute ID	Possible Values (String)
  Admin	1	None Read Only Read / Write
  VPN Access	2	True False
  HotSpot	3	True False
  Web Filter Override Permission	4	True False

• Using Preset Configuration Files with Check Point Embedded NG Appliances (LP145374)

  Introduction

  The RESET button on your Embedded NG appliance can be used for resetting the VPN-1 Edge appliance to its factory defaults. This results in the loss of all user settings, and reverting to the factory default firmware. Optionally, a preset configuration file can be loaded to the Embedded NG appliance, using the TFTP protocol, allowing a service provider or reseller to permanently modify the factory default settings. The preset configuration file is retained even after a reset to defaults operation.

  The following procedures are valid for all the models in the Safe@Office and VPN-1 Edge appliance families.

  Loading a Preset Configuration file

  Preparing a Preset Configuration File

  The Embedded NG configuration file is a simple text file, containing CLI (Command Line Interface) commands for the appliance. For more information on the Embedded NG CLI syntax, refer to the Embedded NG CLI Guide.

  The configuration file should be stored as a text file with the extension .cfg.

  The first line in the configuration file must begin with: "# Configuration script" and the last line in the file should begin with "# END Configuration script". These two lines are mandatory.

  Note: The preset configuration file will not be cleared when the appliance is reset to defaults. The only way to clear a preset configuration file is by loading an empty configuration file (a configuration file with no CLI commands).

  Tip: You can export a complete configuration file from an existing appliance by going to the 'Setup > Tools' tab in the Embedded NG configuration portal, and clicking the "Export" button.

  Warning: Always make sure that the configuration file is valid before uploading it to the appliance.

  Activating the Embedded NG TFTP server

  Activate the TFTP server on the appliance by following these steps:

  1. Unplug the power cord.
  2. Using a pointed object, press the RESET button on the back of the VPN-1 Edge appliance steadily, while plugging in the power cord.
  3. Keep pressing the RESET button a few seconds until the PWR/SEC LED lights steadily in red.

  Configuring the TFTP client

  1. Use a standard Ethernet cable to connect a computer to one of the LAN ports of the appliance.
  2. Configure the computer to use any fixed IP address in the range 192.168.10.2 - 192.168.10.254. Set the subnet mask to 255.255.255.0.
  3. If SecuRemote is installed on your PC, disable it.
  4. In case you are using the Windows 2000 embedded TFTP client, type the following command on the Windows command prompt: tftp -i 192.168.10.1 put filename.cfg
  5. The appliance will store the configuration file and automatically restart.
  6. Allow the VPN-1 Edge appliance to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).

  Resetting to defaults

  To reset the VPN-1 Edge appliance to factory defaults using the Reset button:

  1. Make sure the VPN-1 Edge appliance is powered on.
  2. Using a pointed object, press the RESET button on the back of the VPN-1 Edge appliance steadily for seven seconds, and then release it.
  3. Allow the VPN-1 Edge appliance to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).

  The appliance will revert to the factory default settings (or to the preset configuration file, if one is loaded). The firmware will be reset to the factory default firmware.

• A U.S. Robotics 56K Courier modem does not dial when connected to a Check Point Embedded NG security appliance (LP157573)

  U.S. Robotics 56K Courier modem may not be able to dial out after configuring the Embedded NG security gateway with dialup connection properties. This happens because the default settings of the dialup modem do not allow a delay after the Embedded NG security gateway sends the ATZ command to the modem.

  Solution: Configure the following init string \d\d\AT on the Embedded NG security gateway to create the necessary delay.

  To configure an init string perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Login to the admin console.
  3. Click on the 'Network > Ports' menu.
  4. Click on the "Setup" link near the RS232 (Dialup) image.
  5. Type \d\d\AT in the Initialization String field and click "Apply".
  6. Test the modem connection.

• Configuring the RADIUS Vendor-Specific Attribute (LP158412)

  Learn how to configure a Vendor-Specific Attribute when using a RADIUS to authenticate local and VPN users with RADIUS servers from different vendors. Refer to Configuring the RADIUS Vendor-Specific Attribute.

• Which printers are supported by the USB print server in my Embedded NGX appliance? (LP172241)

  The print server is compatible with most printers with a USB interface. Multifunction printers will operate as a printer only. Scanner functionality in these printers is not supported.

  The following printers are known to operate correctly with the Embedded NGX integrated print server:

  Brother HL-2030
  Brother HL-2040
  Brother HL-5140
  Brother HL-5240
  Canon MF5750
  Canon MF5770
  Canon MP150
  Canon MP390
  Canon MP500
  Canon MP700
  Canon MP780
  Canon S520
  Canon i250
  Canon i350
  Canon i450
  Canon i560
  Canon i850
  Canon i860
  Canon i865
  Canon i905D
  Canon i9100
  Canon i960
  Canon i9950
  Canon iP1000
  Canon iP1300
  Canon iP1600
  Canon iP1700
  Canon iP3000
  Canon iP4000
  Canon iP4200
  Canon iP5000
  Canon iP8500
  Canon MF5750
  Canon MF5770
  Canon MP150
  Canon MP390
  Canon MP500
  Canon MP700
  Canon MP780
  Canon S450
  Canon S520
  Canon PIXMA MP600
  Dell Laser Printer 1700n
  Dell Laser Printer 1710n
  Dell Laser Printer P1500
  DYMO LabelWriter 320
  HP Color Inkjet CP1700
  HP Color LaserJet 1500
  HP Color LaserJet 1600
  HP Color LaserJet 2550
  HP Color LaserJet 2600n
  HP Color LaserJet 3500
  HP Color LaserJet 3550
  HP DesignJet 70
  HP Deskjet 1220C
  HP Deskjet D1400
  HP DeskJet D2300
  HP DeskJet F2100 series
  HP Deskjet F4100 series
  HP Deskjet 3600
  HP Deskjet 3740
  HP Deskjet 3820
  HP Deskjet 3840
  HP DeskJet 3900
  HP Deskjet 460
  HP Deskjet 5100
  HP Deskjet 5400
  HP Deskjet 5550
  HP Deskjet 5600
  HP Deskjet 5700
  HP Deskjet 5900
  HP Deskjet 6122
  HP Deskjet 640c
  HP Deskjet 6500
  HP Deskjet 6800
  HP Deskjet 810C
  HP Deskjet 815C
  HP Deskjet 830C
  HP Deskjet 845C
  HP Deskjet 920C
  HP Deskjet 930C
  HP Deskjet 940C
  HP Deskjet 950C
  HP Deskjet 960C
  HP Deskjet 970C
  HP Deskjet 980C
  HP Deskjet 990C
  HP LaserJet 1010
  HP LaserJet 1012
  HP LaserJet 1015
  HP LaserJet 1150
  HP LaserJet 1200
  HP LaserJet 1220
  HP LaserJet 1300
  HP LaserJet 1320
  HP LaserJet 2300
  HP LaserJet 3015
  HP LaserJet 3030
  HP LaserJet 3055
  HP LaserJet 3200
  HP LaserJet 3330
  HP Officejet 4100
  HP Officejet 4200
  HP Officejet 4300
  HP Officejet 5500
  HP Officejet 5600
  HP Officejet J5700
  HP Officejet 6100
  HP Officejet 6200
  HP Officejet 7100
  HP Officejet 7400
  HP Officejet G85
  HP OfficeJet G85xi
  HP Officejet V40
  HP Officejet V40xi
  HP Officejet d
  HP OfficeJet Pro K850
  HP PSC 1200
  HP PSC 1310
  HP PSC 1500
  HP PSC 2100
  HP PSC 2350
  HP PSC 2400
  HP PSC 2500
  HP PSC 720
  HP PSC 750
  HP PSC 920
  HP PSC 930
  HP PSC 950
  HP Photosmart 1218
  HP Photosmart 2570
  HP Photosmart 3200
  HP Photosmart 7150
  HP PhotoSmart 7200
  HP Photosmart 7350
  HP Photosmart 7400
  HP Photosmart 7550
  HP Photosmart 7600
  HP Photosmart 7700
  HP Photosmart 7900
  HP Photosmart D7100
  HP Photosmart D7300
  Konica Minolta PagePro PP1350W
  Kyocera KM-1820
  Lexmark 1200 Series
  Lexmark C510
  Lexmark E210 Laser Printer
  Lexmark E232
  Lexmark E238
  Lexmark E323
  Lexmark E330
  Lexmark X1100
  Lexmark X215
  Lexmark X340
  Lexmark X6100
  Lexmark Z35
  Lexmark Z45
  Oki ML5590
  Samsung CLP-510
  Samsung ML-1450
  Samsung ML-1650
  Samsung ML-1710
  Samsung ML-1740
  Samsung ML-1750
  Samsung ML-2010
  Samsung ML-2550
  Samsung SCX-4100
  Samsung SCX-4x16
  Samsung SCX-4x21
  Samsung SCX-5x12
  Xerox DocuPrint P1202
  Xerox Phaser 3116
  Xerox Phaser 3117
  Xerox Phaser 3120
  Xerox Phaser 3121
  Xerox Phaser 3130
  Xerox Phaser 3150
  Xerox Phaser 3210
  Xerox Phaser 6100 Color Laser
  Xerox Phaser 6180DN
  Xerox Phaser 7300 Series
  Xerox WorkCentre 4118
  Xerox WorkCentre PE16
  Xerox WorkCentre PE120

  The following printers are known to be incompatible with the Print Server:

  HP OfficeJet G85
  HP OfficeJet K80xi
  HP Laserjet 1020
  Lexmark-6100
  Lexmark-6150

• Check Point Embedded NGX log messages reference (LP173482)

  Refer to Check Point Embedded NGX Log Messages Reference.

• How do I perform a factory reset to the appliance (LP223535)

  Note that this will erase all passwords and configurations

  To reset the box to defaults, perform the following:

  1. Unplug the power cord.
  2. Hold the reset button on the back of the box.
  3. Plug in the power cord while holding the button until the pwr/sec led is steady red.
  4. Leave the reset button for 3 seconds.
  5. Press the reset button again for 10 seconds until the pwr/sec led starts blinking red.
  6. Reconfigure your box and install certificates.

• How do I change the default timeout settings for a specific type of service? (LP339484)

  In order to change the timeout for a specific service you need to follow these steps:

  1. Go to the libsw directory on Security Management Server / Domain Management Server (refer to sk31448).
  2. Open the init.def file.
  3. In the in tcp_timeouts section, you can add the specific service and the timeout.
  4. After changing the value, you need to reinstall the Edge policy.

  Note: you need to change this value manually every time that you replace the libsw directory, or after you install HA. For example ( for port 400 TCP, we changed the timeout for 7200 seconds)

  ADD_TCP_TIMEOUT(21,FTP_CONTROL_TIMEOUT),
  ADD_TCP_TIMEOUT(400,7200)
  ADD_TCP_TIMEOUT(66666,TCP_TIMEOUT),
  ADD_TCP_TIMEOUT(0,0)

• SNMP MIB table for Check Point Embedded NGX Appliances ver.8.0 (LP337727 + LP145159)

  Download the SNMP MIB file for Edge / Safe@Office from here.

  The following are some example outputs:

  System Information

  In this section you will find general system information such as name, location and uptime.

  Example:

  SNMPv2-MIB::sysDescr.0 = STRING: SofaWare Embedded NG
  SNMPv2-MIB::sysObjectID.0 = OID: netSnmpAgentOIDs
  SNMPv2-MIB::sysUpTimeInstance = Timeticks: (49802) 0:08:18.02
  SNMPv2-MIB::sysContact.0 = STRING:
  SNMPv2-MIB::sysName.0 = STRING: 00:08:da:70:20:8c
  SNMPv2-MIB::sysLocation.0 = STRING:
  SNMPv2-MIB::sysServices.0 = INTEGER: 72
  SNMPv2-MIB::sysORLastChange.0 = Timeticks: (26) 0:00:00.26
  SNMPv2-MIB::sysORID.1 = OID: snmpMIB
  SNMPv2-MIB::sysORID.2 = OID: vacmBasicGroup
  SNMPv2-MIB::sysORID.3 = OID: ifMIB
  SNMPv2-MIB::sysORDescr.1 = STRING: The MIB module for SNMPv2 entities
  SNMPv2-MIB::sysORDescr.2 = STRING: View-based Access Control Model for SNMP.
  SNMPv2-MIB::sysORDescr.3 = STRING: The MIB module to describe generic objects for network interface sub-layers
  SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
  SNMPv2-MIB::sysORUpTime.2 = Timeticks: (0) 0:00:00.00
  SNMPv2-MIB::sysORUpTime.3 = Timeticks: (26) 0:00:00.26
  

  Interface information

  Note: In this section you will find information about the interfaces of the appliance such as- MAC addresses, interface speed, up/down status, number of packets passed and so on.

  Example:

  IF-MIB::ifNumber.0 = INTEGER: 6
  IF-MIB::ifIndex.1 = INTEGER: 1
  IF-MIB::ifIndex.2 = INTEGER: 2
  IF-MIB::ifIndex.3 = INTEGER: 3
  IF-MIB::ifIndex.4 = INTEGER: 4
  IF-MIB::ifIndex.5 = INTEGER: 5
  IF-MIB::ifIndex.6 = INTEGER: 6
  IF-MIB::ifDescr.1 = STRING: lo
  IF-MIB::ifDescr.2 = STRING: eth0
  IF-MIB::ifDescr.3 = STRING: eth1
  IF-MIB::ifDescr.4 = STRING: eth2
  IF-MIB::ifDescr.5 = STRING: tunl0
  IF-MIB::ifDescr.6 = STRING: wlan0
  IF-MIB::ifType.1 = INTEGER: softwareLoopback(24)
  IF-MIB::ifType.2 = INTEGER: ethernetCsmacd(6)
  IF-MIB::ifType.3 = INTEGER: ethernetCsmacd(6)
  IF-MIB::ifType.4 = INTEGER: ethernetCsmacd(6)
  IF-MIB::ifType.5 = INTEGER: tunnel(131)
  IF-MIB::ifType.6 = INTEGER: ethernetCsmacd(6)
  IF-MIB::ifMtu.1 = INTEGER: 16436
  IF-MIB::ifMtu.2 = INTEGER: 1500
  IF-MIB::ifMtu.3 = INTEGER: 1500
  IF-MIB::ifMtu.4 = INTEGER: 1500
  IF-MIB::ifMtu.5 = INTEGER: 1480
  IF-MIB::ifMtu.6 = INTEGER: 1500
  IF-MIB::ifSpeed.1 = Gauge32: 10000000
  IF-MIB::ifSpeed.2 = Gauge32: 10000000
  IF-MIB::ifSpeed.3 = Gauge32: 10000000
  IF-MIB::ifSpeed.4 = Gauge32: 10000000
  IF-MIB::ifSpeed.5 = Gauge32: 0
  IF-MIB::ifSpeed.6 = Gauge32: 10000000
  IF-MIB::ifPhysAddress.1 = STRING:
  IF-MIB::ifPhysAddress.2 = STRING: 0:8:da:70:20:8a
  IF-MIB::ifPhysAddress.3 = STRING: 0:8:da:70:20:8c
  IF-MIB::ifPhysAddress.4 = STRING: 0:8:da:70:20:8b
  IF-MIB::ifPhysAddress.5 = STRING:
  IF-MIB::ifPhysAddress.6 = STRING: 0:f:ea:91:4c:e1
  IF-MIB::ifAdminStatus.1 = INTEGER: up(1)
  IF-MIB::ifAdminStatus.2 = INTEGER: up(1)
  IF-MIB::ifAdminStatus.3 = INTEGER: up(1)
  IF-MIB::ifAdminStatus.4 = INTEGER: up(1)
  IF-MIB::ifAdminStatus.5 = INTEGER: down(2)
  IF-MIB::ifAdminStatus.6 = INTEGER: down(2)
  IF-MIB::ifOperStatus.1 = INTEGER: up(1)
  IF-MIB::ifOperStatus.2 = INTEGER: down(2)
  IF-MIB::ifOperStatus.3 = INTEGER: up(1)
  IF-MIB::ifOperStatus.4 = INTEGER: down(2)
  IF-MIB::ifOperStatus.5 = INTEGER: down(2)
  IF-MIB::ifOperStatus.6 = INTEGER: down(2)
  IF-MIB::ifLastChange.1 = Timeticks: (0) 0:00:00.00
  IF-MIB::ifLastChange.2 = Timeticks: (0) 0:00:00.00
  IF-MIB::ifLastChange.3 = Timeticks: (0) 0:00:00.00
  IF-MIB::ifLastChange.4 = Timeticks: (0) 0:00:00.00
  IF-MIB::ifLastChange.5 = Timeticks: (0) 0:00:00.00
  IF-MIB::ifLastChange.6 = Timeticks: (0) 0:00:00.00
  IF-MIB::ifInOctets.1 = Counter32: 0
  IF-MIB::ifInOctets.2 = Counter32: 193692
  IF-MIB::ifInOctets.3 = Counter32: 811607
  IF-MIB::ifInOctets.4 = Counter32: 0
  IF-MIB::ifInOctets.5 = Counter32: 0
  IF-MIB::ifInOctets.6 = Counter32: 0
  IF-MIB::ifInUcastPkts.1 = Counter32: 0
  IF-MIB::ifInUcastPkts.2 = Counter32: 1521
  IF-MIB::ifInUcastPkts.3 = Counter32: 1635
  IF-MIB::ifInUcastPkts.4 = Counter32: 0
  IF-MIB::ifInUcastPkts.5 = Counter32: 0
  IF-MIB::ifInUcastPkts.6 = Counter32: 0
  IF-MIB::ifInNUcastPkts.1 = Counter32: 0
  IF-MIB::ifInNUcastPkts.2 = Counter32: 0
  IF-MIB::ifInNUcastPkts.3 = Counter32: 0
  IF-MIB::ifInNUcastPkts.4 = Counter32: 0
  IF-MIB::ifInNUcastPkts.5 = Counter32: 0
  IF-MIB::ifInNUcastPkts.6 = Counter32: 0
  IF-MIB::ifInDiscards.1 = Counter32: 0
  IF-MIB::ifInDiscards.2 = Counter32: 0
  IF-MIB::ifInDiscards.3 = Counter32: 0
  IF-MIB::ifInDiscards.4 = Counter32: 0
  IF-MIB::ifInDiscards.5 = Counter32: 0
  IF-MIB::ifInDiscards.6 = Counter32: 0
  IF-MIB::ifInErrors.1 = Counter32: 0
  IF-MIB::ifInErrors.2 = Counter32: 0
  IF-MIB::ifInErrors.3 = Counter32: 0
  IF-MIB::ifInErrors.4 = Counter32: 0
  IF-MIB::ifInErrors.5 = Counter32: 0
  IF-MIB::ifInErrors.6 = Counter32: 198
  IF-MIB::ifInUnknownProtos.1 = Counter32: 0
  IF-MIB::ifInUnknownProtos.2 = Counter32: 0
  IF-MIB::ifInUnknownProtos.3 = Counter32: 0
  IF-MIB::ifInUnknownProtos.4 = Counter32: 0
  IF-MIB::ifInUnknownProtos.5 = Counter32: 0
  IF-MIB::ifInUnknownProtos.6 = Counter32: 0
  IF-MIB::ifOutOctets.1 = Counter32: 0
  IF-MIB::ifOutOctets.2 = Counter32: 1131094
  IF-MIB::ifOutOctets.3 = Counter32: 62054
  IF-MIB::ifOutOctets.4 = Counter32: 0
  IF-MIB::ifOutOctets.5 = Counter32: 0
  IF-MIB::ifOutOctets.6 = Counter32: 0
  IF-MIB::ifOutUcastPkts.1 = Counter32: 0
  IF-MIB::ifOutUcastPkts.2 = Counter32: 1735
  IF-MIB::ifOutUcastPkts.3 = Counter32: 515
  IF-MIB::ifOutUcastPkts.4 = Counter32: 0
  IF-MIB::ifOutUcastPkts.5 = Counter32: 0
  IF-MIB::ifOutUcastPkts.6 = Counter32: 0
  IF-MIB::ifOutNUcastPkts.1 = Counter32: 0
  IF-MIB::ifOutNUcastPkts.2 = Counter32: 0
  IF-MIB::ifOutNUcastPkts.3 = Counter32: 0
  IF-MIB::ifOutNUcastPkts.4 = Counter32: 0
  IF-MIB::ifOutNUcastPkts.5 = Counter32: 0
  IF-MIB::ifOutNUcastPkts.6 = Counter32: 0
  IF-MIB::ifOutDiscards.1 = Counter32: 0
  IF-MIB::ifOutDiscards.2 = Counter32: 0
  IF-MIB::ifOutDiscards.3 = Counter32: 0
  IF-MIB::ifOutDiscards.4 = Counter32: 0
  IF-MIB::ifOutDiscards.5 = Counter32: 0
  IF-MIB::ifOutDiscards.6 = Counter32: 1
  IF-MIB::ifOutErrors.1 = Counter32: 0
  IF-MIB::ifOutErrors.2 = Counter32: 0
  IF-MIB::ifOutErrors.3 = Counter32: 0
  IF-MIB::ifOutErrors.4 = Counter32: 0
  IF-MIB::ifOutErrors.5 = Counter32: 0
  IF-MIB::ifOutErrors.6 = Counter32: 0
  IF-MIB::ifOutQLen.1 = Gauge32: 0
  IF-MIB::ifOutQLen.2 = Gauge32: 0
  IF-MIB::ifOutQLen.3 = Gauge32: 0
  IF-MIB::ifOutQLen.4 = Gauge32: 0
  IF-MIB::ifOutQLen.5 = Gauge32: 0
  IF-MIB::ifOutQLen.6 = Gauge32: 0
  IF-MIB::ifSpecific.1 = OID: zeroDotZero
  IF-MIB::ifSpecific.2 = OID: zeroDotZero
  IF-MIB::ifSpecific.3 = OID: zeroDotZero
  IF-MIB::ifSpecific.4 = OID: zeroDotZero
  IF-MIB::ifSpecific.5 = OID: zeroDotZero
  IF-MIB::ifSpecific.6 = OID: zeroDotZero
  MI::zeroDotZero
  

  SNMP Information

  Note: In this section you will find information concerning SNMP packets, which have passed through the appliance, such as: incoming/outgoing count, number of get/set requests, number of erroneous packets and so on.

  Example:

  SNMPv2-MIB::snmpInPkts.0 = Counter32: 347
  SNMPv2-MIB::snmpOutPkts.0 = Counter32: 347
  SNMPv2-MIB::snmpInBadVersions.0 = Counter32: 0
  SNMPv2-MIB::snmpInBadCommunityNames.0 = Counter32: 0
  SNMPv2-MIB::snmpInBadCommunityUses.0 = Counter32: 0
  SNMPv2-MIB::snmpInASNParseErrs.0 = Counter32: 0
  SNMPv2-MIB::snmpInTooBigs.0 = Counter32: 0
  SNMPv2-MIB::snmpInNoSuchNames.0 = Counter32: 0
  SNMPv2-MIB::snmpInBadValues.0 = Counter32: 0
  SNMPv2-MIB::snmpInReadOnlys.0 = Counter32: 0
  SNMPv2-MIB::snmpInGenErrs.0 = Counter32: 0
  SNMPv2-MIB::snmpInTotalReqVars.0 = Counter32: 357
  SNMPv2-MIB::snmpInTotalSetVars.0 = Counter32: 0
  SNMPv2-MIB::snmpInGetRequests.0 = Counter32: 0
  SNMPv2-MIB::snmpInGetNexts.0 = Counter32: 361
  SNMPv2-MIB::snmpInSetRequests.0 = Counter32: 0
  SNMPv2-MIB::snmpInGetResponses.0 = Counter32: 0
  SNMPv2-MIB::snmpInTraps.0 = Counter32: 0
  SNMPv2-MIB::snmpOutTooBigs.0 = Counter32: 0
  SNMPv2-MIB::snmpOutNoSuchNames.0 = Counter32: 0
  SNMPv2-MIB::snmpOutBadValues.0 = Counter32: 0
  SNMPv2-MIB::snmpOutGenErrs.0 = Counter32: 0
  SNMPv2-MIB::snmpOutGetRequests.0 = Counter32: 0
  SNMPv2-MIB::snmpOutGetNexts.0 = Counter32: 0
  SNMPv2-MIB::snmpOutSetRequests.0 = Counter32: 0
  SNMPv2-MIB::snmpOutGetResponses.0 = Counter32: 371
  SNMPv2-MIB::snmpOutTraps.0 = Counter32: 0
  SNMPv2-MIB::snmpEnableAuthenTraps.0 = INTEGER: disabled(2)
  SNMPv2-MIB::snmpSilentDrops.0 = Counter32: 0
  SNMPv2-MIB::snmpProxyDrops.0 = Counter32: 0
  

  ARP Table information

  Note: In this section you will find the entries of the ARP table.

  Example:

  RFC1213-MIB::atIfIndex.2.1.192.168.10.11 = INTEGER: 2
  RFC1213-MIB::atIfIndex.3.1.62.90.32.1 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.2 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.3 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.10 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.11 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.15 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.72 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.89 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.105 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.145 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.210 = INTEGER: 3
  RFC1213-MIB::atIfIndex.3.1.62.90.32.250 = INTEGER: 3
  RFC1213-MIB::atPhysAddress.2.1.192.168.10.11 = Hex-STRING: 00 D0 B7 8E 20 07
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.1 = Hex-STRING: 00 80 C8 B9 D8 4B
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.2 = Hex-STRING: 00 06 29 33 22 04
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.3 = Hex-STRING: 00 D0 B7 8E 20 08
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.10 = Hex-STRING: 00 0C F1 DB D2 A1
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.11 = Hex-STRING: 00 09 6B 07 0B 65
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.15 = Hex-STRING: 00 09 6B 94 05 4F
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.72 = Hex-STRING: 00 11 11 6C 08 04
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.89 = Hex-STRING: 00 08 DA 70 09 0E
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.105 = Hex-STRING: 00 07 E9 1A 02 48
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.145 = Hex-STRING: 00 03 BA 13 15 75
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.210 = Hex-STRING: 00 0C F1 BA 3F 97
  RFC1213-MIB::atPhysAddress.3.1.62.90.32.250 = Hex-STRING: 00 D0 B7 80 58 37
  RFC1213-MIB::atNetAddress.2.1.192.168.10.11 = Network Address: C0:A8:0A:0B
  RFC1213-MIB::atNetAddress.3.1.62.90.32.1 = Network Address: 3E:5A:20:01
  RFC1213-MIB::atNetAddress.3.1.62.90.32.2 = Network Address: 3E:5A:20:02
  RFC1213-MIB::atNetAddress.3.1.62.90.32.3 = Network Address: 3E:5A:20:03
  RFC1213-MIB::atNetAddress.3.1.62.90.32.10 = Network Address: 3E:5A:20:0A
  RFC1213-MIB::atNetAddress.3.1.62.90.32.11 = Network Address: 3E:5A:20:0B
  RFC1213-MIB::atNetAddress.3.1.62.90.32.15 = Network Address: 3E:5A:20:0F
  RFC1213-MIB::atNetAddress.3.1.62.90.32.72 = Network Address: 3E:5A:20:48
  RFC1213-MIB::atNetAddress.3.1.62.90.32.89 = Network Address: 3E:5A:20:59
  RFC1213-MIB::atNetAddress.3.1.62.90.32.105 = Network Address: 3E:5A:20:69
  RFC1213-MIB::atNetAddress.3.1.62.90.32.145 = Network Address: 3E:5A:20:91
  RFC1213-MIB::atNetAddress.3.1.62.90.32.210 = Network Address: 3E:5A:20:D2
  RFC1213-MIB::atNetAddress.3.1.62.90.32.250 = Network Address: 3E:5A:20:FA
  RFC1213-MIB::ipNetToMediaIfIndex.2.192.168.10.11 = INTEGER: 2
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.1 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.2 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.3 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.10 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.11 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.15 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.72 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.89 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.105 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.145 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.210 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaIfIndex.3.62.90.32.250 = INTEGER: 3
  RFC1213-MIB::ipNetToMediaPhysAddress.2.192.168.10.11 = Hex-STRING: 00 D0 B7 8E 20 07
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.1 = Hex-STRING: 00 80 C8 B9 D8 4B
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.2 = Hex-STRING: 00 06 29 33 22 04
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.3 = Hex-STRING: 00 D0 B7 8E 20 08
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.10 = Hex-STRING: 00 0C F1 DB D2 A1
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.11 = Hex-STRING: 00 09 6B 07 0B 65
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.15 = Hex-STRING: 00 09 6B 94 05 4F
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.72 = Hex-STRING: 00 11 11 6C 08 04
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.89 = Hex-STRING: 00 08 DA 70 09 0E
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.105 = Hex-STRING: 00 07 E9 1A 02 48
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.145 = Hex-STRING: 00 03 BA 13 15 75
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.210 = Hex-STRING: 00 0C F1 BA 3F 97
  RFC1213-MIB::ipNetToMediaPhysAddress.3.62.90.32.250 = Hex-STRING: 00 D0 B7 80 58 37
  RFC1213-MIB::ipNetToMediaNetAddress.2.192.168.10.11 = IpAddress: 192.168.10.11
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.1 = IpAddress: 62.90.32.1
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.2 = IpAddress: 62.90.32.2
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.3 = IpAddress: 62.90.32.3
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.10 = IpAddress: 62.90.32.10
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.11 = IpAddress: 62.90.32.11
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.15 = IpAddress: 62.90.32.15
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.72 = IpAddress: 62.90.32.72
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.89 = IpAddress: 62.90.32.89
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.105 = IpAddress: 62.90.32.105
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.145 = IpAddress: 62.90.32.145
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.210 = IpAddress: 62.90.32.210
  RFC1213-MIB::ipNetToMediaNetAddress.3.62.90.32.250 = IpAddress: 62.90.32.250
  RFC1213-MIB::ipNetToMediaType.2.192.168.10.11 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.1 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.2 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.3 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.10 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.11 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.15 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.72 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.89 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.105 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.145 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.210 = INTEGER: dynamic(3)
  RFC1213-MIB::ipNetToMediaType.3.62.90.32.250 = INTEGER: dynamic(3)
  

  IP Information

  Note: In this section you will find statistic information concerning ip packets such as number of incoming packets, number of packets discarded, and so on.

  Example:

  IP-MIB::ipForwarding.0 = INTEGER: forwarding(1)
  IP-MIB::ipDefaultTTL.0 = INTEGER: 64
  IP-MIB::ipInReceives.0 = Counter32: 2224
  IP-MIB::ipInHdrErrors.0 = Counter32: 0
  IP-MIB::ipInAddrErrors.0 = Counter32: 0
  IP-MIB::ipForwDatagrams.0 = Counter32: 1090
  IP-MIB::ipInUnknownProtos.0 = Counter32: 0
  IP-MIB::ipInDiscards.0 = Counter32: 0
  IP-MIB::ipInDelivers.0 = Counter32: 1077
  IP-MIB::ipOutRequests.0 = Counter32: 1603
  IP-MIB::ipOutDiscards.0 = Counter32: 0
  IP-MIB::ipOutNoRoutes.0 = Counter32: 0
  IP-MIB::ipReasmTimeout.0 = INTEGER: 0
  IP-MIB::ipReasmReqds.0 = Counter32: 0
  IP-MIB::ipReasmOKs.0 = Counter32: 0
  IP-MIB::ipReasmFails.0 = Counter32: 0
  IP-MIB::ipFragOKs.0 = Counter32: 0
  IP-MIB::ipFragFails.0 = Counter32: 0
  IP-MIB::ipFragCreates.0 = Counter32: 0
  IP-MIB::ipAdEntAddr.0.0.0.0 = IpAddress: 0.0.0.0
  IP-MIB::ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1
  IP-MIB::ipAdEntAddr.192.168.10.1 = IpAddress: 192.168.10.1
  IP-MIB::ipAdEntAddr.192.168.253.1 = IpAddress: 192.168.253.1
  IP-MIB::ipAdEntIfIndex.0.0.0.0 = INTEGER: 3
  IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
  IP-MIB::ipAdEntIfIndex.192.168.10.1 = INTEGER: 2
  IP-MIB::ipAdEntIfIndex.192.168.253.1 = INTEGER: 4
  IP-MIB::ipAdEntNetMask.0.0.0.0 = IpAddress: 0.0.0.0
  IP-MIB::ipAdEntNetMask.127.0.0.1 = IpAddress: 255.0.0.0
  IP-MIB::ipAdEntNetMask.192.168.10.1 = IpAddress: 255.255.255.0
  IP-MIB::ipAdEntNetMask.192.168.253.1 = IpAddress: 255.255.255.0
  IP-MIB::ipAdEntBcastAddr.0.0.0.0 = INTEGER: 0
  IP-MIB::ipAdEntBcastAddr.127.0.0.1 = INTEGER: 0
  IP-MIB::ipAdEntBcastAddr.192.168.10.1 = INTEGER: 1
  IP-MIB::ipAdEntBcastAddr.192.168.253.1 = INTEGER: 1
  IP-MIB::ipAdEntReasmMaxSize.0.0.0.0 = INTEGER: -1
  IP-MIB::ipAdEntReasmMaxSize.127.0.0.1 = INTEGER: -1
  IP-MIB::ipAdEntReasmMaxSize.192.168.10.1 = INTEGER: -1
  IP-MIB::ipAdEntReasmMaxSize.192.168.253.1 = INTEGER: -1
  

  Route table information

  Note: In this section you will find the entries of the route table.

  Example:

  RFC1213-MIB::ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0
  RFC1213-MIB::ipRouteDest.62.90.32.0 = IpAddress: 62.90.32.0
  RFC1213-MIB::ipRouteDest.127.0.0.0 = IpAddress: 127.0.0.0
  RFC1213-MIB::ipRouteDest.192.168.10.0 = IpAddress: 192.168.10.0
  RFC1213-MIB::ipRouteDest.192.168.253.0 = IpAddress: 192.168.253.0
  RFC1213-MIB::ipRouteIfIndex.0.0.0.0 = INTEGER: 3
  RFC1213-MIB::ipRouteIfIndex.62.90.32.0 = INTEGER: 3
  RFC1213-MIB::ipRouteIfIndex.127.0.0.0 = INTEGER: 6
  RFC1213-MIB::ipRouteIfIndex.192.168.10.0 = INTEGER: 2
  RFC1213-MIB::ipRouteIfIndex.192.168.253.0 = INTEGER: 4
  RFC1213-MIB::ipRouteMetric1.0.0.0.0 = INTEGER: 1
  RFC1213-MIB::ipRouteMetric1.62.90.32.0 = INTEGER: 0
  RFC1213-MIB::ipRouteMetric1.127.0.0.0 = INTEGER: 0
  RFC1213-MIB::ipRouteMetric1.192.168.10.0 = INTEGER: 0
  RFC1213-MIB::ipRouteMetric1.192.168.253.0 = INTEGER: 0
  RFC1213-MIB::ipRouteMetric2.0.0.0.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric2.62.90.32.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric2.127.0.0.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric2.192.168.10.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric2.192.168.253.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric3.0.0.0.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric3.62.90.32.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric3.127.0.0.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric3.192.168.10.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric3.192.168.253.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric4.0.0.0.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric4.62.90.32.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric4.127.0.0.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric4.192.168.10.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric4.192.168.253.0 = INTEGER: -1
  RFC1213-MIB::ipRouteNextHop.0.0.0.0 = IpAddress: 62.90.32.1
  RFC1213-MIB::ipRouteNextHop.62.90.32.0 = IpAddress: 0.0.0.0
  RFC1213-MIB::ipRouteNextHop.127.0.0.0 = IpAddress: 0.0.0.0
  RFC1213-MIB::ipRouteNextHop.192.168.10.0 = IpAddress: 0.0.0.0
  RFC1213-MIB::ipRouteNextHop.192.168.253.0 = IpAddress: 0.0.0.0
  RFC1213-MIB::ipRouteType.0.0.0.0 = INTEGER: indirect(4)
  RFC1213-MIB::ipRouteType.62.90.32.0 = INTEGER: direct(3)
  RFC1213-MIB::ipRouteType.127.0.0.0 = INTEGER: direct(3)
  RFC1213-MIB::ipRouteType.192.168.10.0 = INTEGER: direct(3)
  RFC1213-MIB::ipRouteType.192.168.253.0 = INTEGER: direct(3)
  RFC1213-MIB::ipRouteProto.0.0.0.0 = INTEGER: local(2)
  RFC1213-MIB::ipRouteProto.62.90.32.0 = INTEGER: local(2)
  RFC1213-MIB::ipRouteProto.127.0.0.0 = INTEGER: local(2)
  RFC1213-MIB::ipRouteProto.192.168.10.0 = INTEGER: local(2)
  RFC1213-MIB::ipRouteProto.192.168.253.0 = INTEGER: local(2)
  RFC1213-MIB::ipRouteAge.0.0.0.0 = INTEGER: 0
  RFC1213-MIB::ipRouteAge.62.90.32.0 = INTEGER: 0
  RFC1213-MIB::ipRouteAge.127.0.0.0 = INTEGER: 0
  RFC1213-MIB::ipRouteAge.192.168.10.0 = INTEGER: 0
  RFC1213-MIB::ipRouteAge.192.168.253.0 = INTEGER: 0
  RFC1213-MIB::ipRouteMask.0.0.0.0 = IpAddress: 0.0.0.0
  RFC1213-MIB::ipRouteMask.62.90.32.0 = IpAddress: 255.255.255.0
  RFC1213-MIB::ipRouteMask.127.0.0.0 = IpAddress: 255.0.0.0
  RFC1213-MIB::ipRouteMask.192.168.10.0 = IpAddress: 255.255.255.0
  RFC1213-MIB::ipRouteMask.192.168.253.0 = IpAddress: 255.255.255.0
  RFC1213-MIB::ipRouteMetric5.0.0.0.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric5.62.90.32.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric5.127.0.0.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric5.192.168.10.0 = INTEGER: -1
  RFC1213-MIB::ipRouteMetric5.192.168.253.0 = INTEGER: -1
  RFC1213-MIB::ipRouteInfo.0.0.0.0 = OID: zeroDotZero
  RFC1213-MIB::ipRouteInfo.62.90.32.0 = OID: zeroDotZero
  RFC1213-MIB::ipRouteInfo.127.0.0.0 = OID: zeroDotZero
  RFC1213-MIB::ipRouteInfo.192.168.10.0 = OID: zeroDotZero
  RFC1213-MIB::ipRouteInfo.192.168.253.0 = OID: zeroDotZero
  RFC1213-MIB::ipRoutingDiscards.0 = Counter32: 0
  

  System load average information

  Note: In this section you will find the load information.

  Example:

  UCD-SNMP-MIB-OLD::laIndex.1 = INTEGER: 1
  UCD-SNMP-MIB-OLD::laIndex.2 = INTEGER: 2
  UCD-SNMP-MIB-OLD::laIndex.3 = INTEGER: 3
  UCD-SNMP-MIB-OLD::laNames.1 = STRING: Load-1
  UCD-SNMP-MIB-OLD::laNames.2 = STRING: Load-5
  UCD-SNMP-MIB-OLD::laNames.3 = STRING: Load-15
  UCD-SNMP-MIB-OLD::laLoad.1 = STRING: 1.00
  UCD-SNMP-MIB-OLD::laLoad.2 = STRING: 1.00
  UCD-SNMP-MIB-OLD::laLoad.3 = STRING: 0.92
  UCD-SNMP-MIB-OLD::laConfig.1 = STRING: 12.00
  UCD-SNMP-MIB-OLD::laConfig.2 = STRING: 12.00
  UCD-SNMP-MIB-OLD::laConfig.3 = STRING: 12.00
  UCD-SNMP-MIB-OLD::laLoadInt.1 = INTEGER: 100
  UCD-SNMP-MIB-OLD::laLoadInt.2 = INTEGER: 100
  UCD-SNMP-MIB-OLD::laLoadInt.3 = INTEGER: 92
  UCD-SNMP-MIB-OLD::laErrorFlag.1 = INTEGER: 0
  UCD-SNMP-MIB-OLD::laErrorFlag.2 = INTEGER: 0
  UCD-SNMP-MIB-OLD::laErrorFlag.3 = INTEGER: 0
  UCD-SNMP-MIB-OLD::laErrMessage.1 = STRING:
  UCD-SNMP-MIB-OLD::laErrMessage.2 = STRING:
  UCD-SNMP-MIB-OLD::laErrMessage.3 = STRING:
  

Firewall

Show All In This Section

• What is the difference between the low, medium and high security levels? (LP16225)

  The default security policy that comes with the Safe@ appliance basically blocks all incoming traffic and allows all outbound traffic, initiated from your home or office.

  • Low: All outbound traffic is allowed. All inbound traffic is blocked, except for ICMP echos ("pings").
  • Medium: All outbound traffic is allowed, except for Windows file sharing (NBT ports 137, 138, 139 and 445). All inbound traffic is blocked.
  • High: Restrictions apply to outbound traffic, allowing only Web traffic (HTTP, HTTPS), Email (IMAP, POP3, SMTP), ftp, NNTP, Telnet, DNS, IKE, 2746 UDP and 256 TCP traffic out. All inbound traffic is blocked.

• Does the Safe@Office support H.323 VoIP through the firewall? (LP16226)

  Yes. You'll need to create a custom firewall rule to allow H.323 VoIP traffic.

• What does the "TCP Out of State" log message mean? (LP171691)

  "TCP Out of State" log message indicates that the Check Point security appliance intercepted a non-Syn packet which does not have an entry in the firewall's TCP connections table. Being a Stateful Inspection firewall, the Check Point security appliance will not let a TCP session initiate without a Syn packet first, in order to prevent a DoS (Denial of Service) attack.

  The Check Point security appliance can be configured to log, block or ignore non-Syn packets activity, by using the following command line syntax:

  • Logging only: set fw ai stricttcp log
  • Blocking and Logging: set fw ai stricttcp block
  • Ignoring: set fw ai stricttcp disable

• How to block Microsoft MSN Messenger traffic? (LP186791)

  The SmartDefense AI (Application Intelligence) engine can identify the Microsoft MSN Messenger application signature and block its traffic. To block MSN Messenger traffic, perform the following:

  1. Configure a rule that blocks traffic on ports TCP/UDP 1863.
  2. Configure SmartDefense to block the MSN Messenger application.

  To configure a rule that blocks traffic on port TCP/UDP 1863:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on 'Security > Rules'.
  3. Click on the "Add Rule" button to start the firewall rules wizard and follow the instructions displayed.
  4. Configure a rule with the following attributes:
     
     • Rule type: Block
     • Service: Custom service - protocol Any, Port 1863
     • Source: LAN, Destination: WAN (Internet)

  To configure SmartDefense to block MSN Messenger, perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on 'Security > SmartDefense'.
  3. Collapse the 'HTTP > Header Rejection' branch.
  4. Choose "Block" from the Action drop-down menu.
  5. Check the MSN Messenger options from the applications list (Msn Messenger(1), Msn Messenger(2), Msn Messenger(3), Msn Messenger(4).
  6. Click "Apply".

  Notes:

  1. In case you do not see a list of applications, click the "Defaults" button on the relevant SmartDefense page.
  2. Only new MSN Messenger sessions will be blocked. As a result, you will need to make sure to restart all MSN Messenger sessions.

• How to block Microsoft MSN Messenger Live (version 8.0) traffic? (LP210807)

  The SmartDefense AI (Application Intelligence) engine can identify the Microsoft MSN Messenger Live (version 8.0 build 8.0.0812.00) application signature and block its traffic. To block MSN Messenger traffic, perform the following:

  1. Configure a rule that blocks traffic on ports TCP/UDP 1863. Add the signature to the SmartDefense AI inspect engine using command line.
  2. Configure SmartDefense to block the MSN Messenger Live application.

  To configure a rule that blocks traffic on port TCP/UDP 1863:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on 'Security > Rules'.
  3. Click on the "Add Rule" button to start the firewall rules wizard and follow the instructions displayed.
  4. Configure a rule with the following attributes:
     
     • Rule type: Block
     • Service: Custom service - protocol Any, Port 1863
     • Source: LAN, Destination: WAN (Internet)

  To add the MSN Messenger Live application signature, perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on 'Setup > Tools'.
  3. Click on the "Command" button.
  4. In the command line text box, type the following command:
     

     add smartdefense ai http worm-catcher patterns name MSN8 regexp /gateway/gateway\.dll active true

  5. Click the "Go" button for changes to take effect.

  To configure SmartDefense to block MSN Messenger, perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on 'Security > SmartDefense'.
  3. Collapse the 'HTTP > Worm Catcher'.
  4. Choose "Block" from the Action drop-down menu.
  5. Select the "MSN8" option from the applications list.
  6. Click "Apply".

  Notes:

  1. In case you do not see a list of applications, click the "Defaults" button on the relevant SmartDefense page. Only new MSN Messenger sessions will be blocked. As a result, you will need to make sure to restart all MSN Messenger sessions.

Logging

Show All In This Section

• How can I save my appliance event log entries? (LP17685)

  In order to save the appliance event log entries perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on 'Reports > Event Log'.
  3. Click on Save.

  The logs will be saved as a Microsoft Excel file (XLS).

  Note: With this method you can only save up to the 100 current displayed event log entries. In case you want to save all event log entries, you can use the Syslog logging option.

• Do Embedded NGX appliances support Syslog logging? (LP17689)

  Yes. Embedded NGX appliances (excluding ZoneAlarm Secure Wireless Router Z100G) support Syslog logging. Using Syslog logging you can save the ongoing events generated by your appliance even beyond the current 100 events.

• What is the Syslog protocol? (LP17827)

  Check Point appliances implement the Syslog protocol as described in RFC 3164.

  The syslog protocol provides a transport to allow a machine to send event notification messages across IP networks to event message collectors - also known as syslog servers. In this case, a machine is referred to as a Check Point appliance. It is important to note that the device sending the syslog message to the server must be able to establish network connectivity with the syslog server, and both the syslog server and the device sending the message must understand the formatting of the syslog messages.

• What is the default port used by the Check Point appliances to send Syslog messages? (LP17828)

  The Check Point appliances use UDP port 514 as the default port for sending Syslog messages.

• What Syslog server utility is recommended to be used with Check Point appliances? (LP17829)

  Since Syslog is a standard protocol, any Syslog server utility can be used.

  For example:

  • Free 30-day trial , then it will automatically switch to free mode:

    http://www.kiwisyslog.com
http://www.kiwisyslog.com/kiwi-syslog-server-overview/
    
    

  • Free 30-day trial , then it will automatically switch to free mode:

    http://www.winsyslog.com/en/
http://www.winsyslog.com/en/download/
http://www.winsyslog.com/en/manual/
    
    

  • Free:

    http://www.thestarsoftware.com/syslogdaemonlite.html
http://www.thestarsoftware.com/setup/syslogdaemonlite_setup.exe
    
    

  • Free:

    http://www.xs4all.nl/~hneel/software.htm
http://www.xs4all.nl/~hneel/software/syslog.zip

• What is the meaning of negative rule numbers when logging events on SmartCenter, SMP or an External Syslog server? (LP157572)

  This article is relevant only if your Check Point Embedded NG gateways is installed with firmware 6.0 or above.

  Negative rule numbers are given to implied rules that are logged by either:

  • Check Point SmartCenter
  • SofaWare Management Portal (SMP)
  • External Syslog server

  Starting from version 6.0, along with the rule numbers, a "log reason" is added, thus allowing generating reports based on rule numbers, while still displaying a textual description. Below is the complete list of these numbers with the corresponding rules. Most of these messages are sent from version 6.0 onwards (Where [5] appears, version 5.0 may also send these messages.)

  • Rule -1: Stateless ICMP [5]. ICMP replies that don't match to any request, ICMP errors that don't match any of the active connections, etc.
  • Rule -4: Anti-Spoofing [5]. The connection was dropped due to the automatic anti-spoofing rules.
  • Rule -5: Connection matched by a custom rule (a.k.a. "user rule").
  • Rule -9: HotSpot Connection dropped because the user is not yet authenticated on a hotspot enabled network.
  • Rule -10:Encryption mismatch [5] Dropped clear text packet that should have been encrypted.
  • Rule -11: TCP out of state rule [5] Logs or drops packets that try to open a connection without the full 3 way handshake.
  • Rule -12: Land Attack
  • Rule -13: Ping size exceeds maximum allowed size
  • Rule -14: ICMP with null payload
  • Rule -15: Welchia ICMP worm
  • Rule -16: Christmas packet (also in 5.0 versions) Packets that have too many flags lit in them. For instance, SYN and FIN, SYN and RST, etc.
  • Rule -17: Cisco IOS DoS attack
  • Rule -18: Connection exceeds allowed network quota
  • Rule -19: FTP bounce
  • Rule -20: FTP port command overflow
  • Rule -21: FTP port command tried to open a known port
  • Rule -22: FTP illegal command
  • Rule -23: KaZaa traffic
  • Rule -24: Skype traffic
  • Rule -25: BitTorrent traffic
  • Rule -26: eMule traffic
  • Rule -27: Gnutella traffic
  • Rule -28: ICQ traffic
  • Rule -29: Yahoo traffic
  • Rule -30: Short IGMP packet
  • Rule -31: IGMP packet with bad TTL
  • Rule -32: IGMP packet not sent to a multicast address
  • Rule -33: Vertical Port Scan traffic
  • Rule -34: Horizontal Port Scan traffic
  • Rule -35: FTP data traffic
  • Rule -36: ICMP replay attack
  • Rule -37: TCP reset replay attack
  • Rule -38: Winny traffic
  • Rule -39: Packet should not have been encrypted
  • Rule -40: Msn Messenger traffic
  • Rule-41: SIP Firewall Bypass
  • Rule-42: InvalidSIPMessage
  • Rule-43: Illegal Connection To GW

VPN

Show All In This Section

• How do you configure Microsoft Windows 2000 IAS (Internet Authentication Service) with Active Directory as a RADIUS to authenticate local and remote VPN access users? (LP12478)

  Installing Active Directory on a Windows 2000 server

  • http://www.microsoft.com/windows2000/en/server/help/sag_ADtopnode.htm?id=111
  • http://www.petri.co.il/how_to_install_active_directory_on_w2k.htm

  Install IAS Service

  • http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_ias_install.htm

  Configure IAS to support remote/local users authentication

  1. Go to Start menu > Programs > Administrative tools > Internet Authentication service.
  2. Expand the Internet Authentication Service and right-click on "Clients". Click "New Client".
  3. In the Add Client window, enter a name and choose the protocol as "RADIUS". Click "Next".
  4. Fill in the Client address with the appliance LAN IP address that the IAS server is connected to. Make sure to select "RADIUS Standard" as the Client-Vendor, and add the shared secret to match the one you entered on the appliance RADIUS page.
  5. Click "Finish" to return to the console root.
  6. Click on "Remote Access Policies" in the left pane and double-click the policy labeled "Allow access if dial-in permission is enabled".
  7. Click "Edit Profile" and go to the Authentication tab. Under Authentication Methods, make sure only "Unencrypted Authentication (PAP, SPAP)" is checked. The VPN client can use only this method for authentication.
  8. Click "Apply" and then "OK" twice.
  9. To modify the users to allow connection, go to Start menu > Programs > Administrative tools > Users and Computers.
  10. Double-click the user for whom you want to allow access.
  11. Click the Dial-in tab and select "Allow Access under Remote Access Permission" (Dial-in or VPN).
  12. Click "Apply" and "OK".

  Configure the appliance to support RADIUS authentication for remote VPN users

  1. Under 'VPN' tab > 'VPN Server', set the VPN server to "Enabled", and select the "Bypass NAT" and "Bypass Firewall" options.
  2. Under the Users tab, click the RADIUS tab.
  3. In the address field, enter the IP address of the IAS server.
  4. In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
  5. Select the "VPN Remote Access" check box to allow VPN clients authentication.
  6. Under the 'VPN' > 'Certificate' tab, install a PKCS#12 (.p12) certificate.

  Note: A certificate is needed to support Hybrid Mode authentication. Hybrid mode authentication is a method to authenticate with a VPN endpoint, using authentication schemes other than shared secret or digital certificates. Other methods can be using SecurID cards, RADIUS, LDAP etc.

• After installing SecureRemote on Windows XP, the VPN dialer (usually used for ADSL connection) does not work and may generate errors 651 or 800, because it cannot reach the ADSL modem (LP12480)

  Remove or rename the file %SystemRoot%\system32\drivers\scap.sys and reboot.

  Note: The scap.sys file is created with SecureRemote installation. If the file is not found, re-install SecureRemote and repeat the step above.

• When doing VPN between a Safe@Office and Check Point VPN-1 (any version) you may get an error message on the SmartView Tracker event log: "received a cleartext packet within an encrypted connection and the tunnel is dropped" (LP12481)

  To workaround this, access SmartDashboard and check the "Accept VPN-1 & FireWall-1 Control connections" check box under Global Properties. This will enable certain implied rules needed to create a successful VPN tunnel and topology download. More information can be found in the Firewall-1 Administration guide.

• How to manage latency (speed) issues, or TCP session disconnections over a VPN tunnel (LP12482)

  The Problem: Latency over a VPN tunnel is quite a common issue, and is caused by packet fragmentation.The problem occurs when a packet becomes fragmented and has to be reassembled by a VPN device. Also, with newer technologies being used, such as Load Balancing, the fragmented packets may reach the VPN client out of order. The VPN client then has to reassemble the out of order packets. If one packet is not received, the VPN client cannot reassemble the complete packet.

  MTU (Maximum Transmission Unit)
  The largest number of bytes a frame can carry, not counting the frame's header and trailer. A frame is a single unit of transportation on the data link layer. It consists of header data plus data that was passed down from the network layer (also sometimes trailer data). An Ethernet frame has an MTU of 1500 bytes, but the size of the frame can be up to 1526 bytes (22 byte header, 4 byte CRC trailer).

  What MTU size should I set?

  To determine the right MTU setting, run a fragmented ping test from a command prompt on the client machine:
  ping <Public_IP_Address_of_Sbox> -f -l 1500

  Most likely, you will receive the message: "Packet needs to be fragmented but DF set."

  The DF refers to the "Don't Fragment" bit. Keep lowering the byte size from 1500, until you receive a reply without an error message. The point at which you receive a reply without an error is the point of fragmentation. The MTU size should be just below that point.

  How to modify MTU settings on the Check Point SecuRemote/SecureClient VPN software?
  SecuRemote/SecureClient software enables you to modify the MTU value for the virtual connection only. In order to change the MTU values, run the MTUadjust.exe tool from C:\Program Files\CheckPoint\SecuRemote\Bin.

  How to modify MTU settings on the Check Point appliance?
  To modify the MTU settings on the Check Point appliance, edit the MTU field of the Internet connection settings.

• My appliance is behind a NAT device. Can I establish site to site VPN tunnels? (LP15657)

  Yes. Embedded NG 4.5 and later supports the Internet Engineering Task Force (IETF) draft standard for NAT traversal (NAT-T), which allows Site-to-Site VPN tunnels to pass through NAT devices. NAT Traversal is also fully supported for VPN remote access (SecuRemote) users, by means of UDP Encapsulation.

• What encryption methods are supported by my appliance? (LP15658)

  All our appliances support AES (Advanced Encryption Standard - 128 or 256 bits), 3DES (Triple Data Encryption Standard), and DES encryption, as well as SHA1 and MD5 message digest algorithms.

  AES-256/SHA1 is used automatically and cannot be manually modified in the following cases:

  • Remote access VPN between a Check Point SecuRemote/SecureClient and a Safe@Office box
  • Remote access VPN between Safe@Office boxes
  • Site to Site VPN between Safe@Office boxes with firmware version earlier than 5.0.

  Encryption and message digest algorithms are negotiated automatically in VPN between a Safe@Office and another VPN endpoint.

• Can I establish a site to site VPN with VPN equipment from other vendors? (LP15659)

  Yes. All Check Point VPN appliances can communicate with any VPN gateway that is fully compliant with the IPSEC standard.

• Where can I download the Check Point SecuRemote/SecureClient/Endpoint Connect VPN client? (LP16329)

  VPN clients are available for download here.

• How can I configure the Safe@Office box to support Perfect Forward Secrecy (PFS)? (LP16973)

  PFS is not supported by default, and it needs to be configured using the command line interface. To access the command line interface, perform the following:

  • Connect with your browser to http://my.firewall (from LAN)
  • Click on Setup > Tools
  • Click on Command

  To enable PFS, type: set vpn sites <site_number> usepfs <true | false>

• Can I establish a remote access VPN using a VPN client from other vendors? (LP16983)

  No. Only the listed clients are supported for VPN Remote Access.

• What is the effect of the 'Bypass Firewall' and 'Bypass NAT' settings on VPN communications? (LP16985)

  When "Bypass the firewall" is selected in the VPN Server page, all firewall rules are ignored for VPN traffic.
  
  When "Bypass NAT" is selected, all incoming and outgoing VPN traffic uses the private IP addresses.

• Does the Check Point SecuRemote/SecureClient VPN software supports UDP encapsulation? (LP17861)

  Yes. UDP encapsulation is used by the Check Point VPN client to traverse ESP (Encapsulated Security Payload) over NAT (Network Address Translation).

  To configure this option in SecuRemote/SecureClient version R55:

  1. Click on the envelope icon with the golden key in the task bar.
  2. The SecuRemote window will open.
  3. In the tools menu, select Advance IKE Settings...
  4. Check the "Force UDP Encapsulation" checkbox.
  5. Click "OK" to return to the main SecuRemote window.
  6. In the File menu, select "Stop VPN-1 SecuRemote".
  7. Start the VPN client again.

  To configure this option in the SecuRemote/SecureClient version R56:

  1. Click on the envelope icon with the golden key in the task bar.
  2. The SecuRemote window will open. Click the Options button.
  3. Select Settings from the Option menu.
  4. Select the desired VPN profile in the Settings window.
  5. Click the Properties button.
  6. Select the Advanced tab.
  7. Check the Connectivity enhancements box.
  8. Check the Force UDP Encapsulation checkbox.
  9. Click OK.
  10. Stop and Start the VPN client again from the task bar.

• Troubleshooting a Remote Access VPN connection using Check Point SecuRemote/SecureClient/Endpoint Connect VPN Software (LP17863)

  This procedure assumes the reader is familiar with the basic concepts and scenario of Remote Access VPN installation, as described in the Safe@Office/Embedded NGX UTM appliance Remote Access VPN Technology Guide.

  1. Make sure that a valid VPN Certificate is installed. The certificate can be found under the VPN option in the left menu > Certificate in the top menu.
  2. In case SecuRemote/SecureClient is installed under Windows XP with SP2 or above, or if you use a 3rd party firewall software on your PC:
     
     • Turn off the internal Windows firewall, or make sure that the following ports are allowed:
       UDP 500 (IKE)
       TCP 264 (Topology download)
       UDP 2746 (UDP encapsulation)
       UDP 259 (Check Point RDP)
       UDP 4500 (NAT-T)
       IP Protocol 50 (AKA ESP or IPSEC Passthru)
       For Endpoint connect, TCP 443 (HTTPS) is also required
  3. In case the VPN client is installed on a computer behind a NAT device:
     
     • In case the SecuRemote/SecureClient software is installed on a computer behind a NAT device, it is recommended to use the "Force UDP Encapsulation" setting in the VPN client. For instructions, refer to Question LP17861 in this article.
     • Make sure that the VPN client network IP address range and the VPN gateway's network IP range are not overlapping.
  4. Modify MTU settings on the VPN client. SecuRemote/SecureClient software enables you to modify the MTU value for the virtual connection only. In order to change the MTU values, run the MTUadjust.exe tool from C:\Program Files\CheckPoint\SecuRemote\Bin.
  5. Check the VPN gateway settings:
     
     • Make sure that the VPN gateway is configured properly, as described in the Safe@Office/Embedded NGX UTM appliance Remote Access VPN Technology Guide.
     • Make sure that the VPN gateway is configured with a public IP address. In case the VPN gateway is behind a NAT device, the remote access VPN connection will not work.
  6. In case the VPN server is installed behind a NAT device:
     Note: If possible, consult with your ISP about ways to assign the security appliance a valid IP. Otherwise, perform the following:
     
     • Make sure to open the following ports and traffic in the NAT device:
       UDP 500 (IKE)
       TCP 264 (Topology download)
       UDP 2746 (UDP encapsulation)
       UDP 259 (Check Point RDP)
       UDP 4500 (NAT-T)
       IP Protocol 50 (AKA ESP or IPSEC Passthru)
       For Endpoint connect, TCP 443 (HTTPS) is also required
     • Use the command line interface and type the following command:
       set device behindnat <IP_Address>
       (where <IP_Address> is the public IP address of the NAT device). To access the command line interface, connect from LAN with your browser to http://my.firewall and click on 'Setup > Tools > Command'.

     Note: This command line is supported with firmware 5.0.57 and above versions.

• How can I view the VPN topology of my appliance? (LP17888)

  To view the VPN topology after topology download took place, go to 'Reports - Tunnels - View Topology'.

• Error message: "Invalid Certificate" when installing a PKCS#12 certificate that was created with OpenSSL (LP28965)

  An "Invalid Certificate" error message appears when installing a PKCS#12 (.p12) certificate that was created using OpenSSL. This may happen if the DN (Distinguished Name) information entered for the CA (Certificate Authority) and the self-signed certificate are similar.
  
  In order to workaround this, repeat the instructions in the Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances document, but this time make sure to use different DN information when creating the CA and the self-signed certificate.

• How to modify the default IKE SA (Internet Key Exchange Security Association) proposals? (LP29221)

  The following is available with Check Point security appliances installed with firmware version 5.0.x and subsequent versions.

  The default IKE behavior of the Check Point security appliance is to auto-negotiate the SA parameters between VPN end points. In most cases, there is no need to modify the default proposals parameters. However, you may want to override the default parameters in the following cases:

  • Your organization's network security policy is restricted to a definite configuration.
  • Some IPSEC compliant devices cannot auto-negotiate some or all of the IKE SA proposals.

  Use the Check Point security appliance CLI (Command Line Interface) to modify the IKE SA parameters:

  To modify IKE phase-1 encryption parameters, use the following command syntax:
  set vpn sites [site number] phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

  To modify IKE phase-2 encryption parameters, use the following command syntax:
  set vpn sites [site number] phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

  To modify IKE phase-1 SA lifetime, use the following command syntax:
  set vpn sites [site number] phase1exptime [minutes]

  To modify IKE phase-2 SA lifetime, use the following command syntax:
  set vpn sites [site number] phase2exptime [seconds]

• When using Check Point SecuRemote/SecureClient to create a remote access VPN with a Check Point appliance, only authentication phase works, but the remote network cannot be reached. This may happen if the Check Point appliance is configured for DSL PPTP connection with an Alcatel modem using 10.0.0.0 /8 IP network range (LP29268)

  It is assumed that the reader has implemented the Remote Access VPN configuration, as described in the Safe@Office/Embedded NGX UTM appliance Remote Access VPN Technology document.

  When using Check Point SecuRemote/SecureClient to create a remote access VPN with a Check Point appliance, only authentication phase works, but the remote network cannot be reached. This may happen if the Check Point appliance is configured for DSL PPTP connection with an Alcatel modem using 10.0.0.0 /8 IP network range. It appears that the Orange 3G data network is using NAT with the same IP range, which causes some routing problems.

  To workaround this, narrow the network between the Check Point appliance and the Alcatel modem by doing the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on Network menu.
  3. Click on "Edit" near the active Internet connection entry.
  4. Choose "PPTP" as the connection type.
  5. Uncheck the "Obtain IP address automatically (using DHCP)" checkbox.
  6. In the IP address box, type "10.0.0.137".
  7. From the Subnet Mask dropdown box, choose "255.255.255.252 /30".
  8. Click "Apply".
  9. Try the remote access VPN connection again after the appliance has regained a connection to the Internet.

  Note: The above assumes that the Alcatel modem is configured with its default IP address 10.0.0.138.

• I have established a VPN connection successfully. Why can't I see the remote computers? (LP29269)

  It is assumed that the reader has configured either the Remote Access VPN or Site-to-Site VPN as suggested in the relevant step-by-step configuration papers, in this knowledge base.

  The reason for not being able to view or browse remote computers is not related to the VPN you just created, but to the way the NetBIOS application works. Microsoft adapted NetBIOS as the way to implement the File and Print sharing services between Windows Workgroups based computers. Originally, NetBIOS was designed for computers to communicate with each other on the same local area network.

  NetBIOS is a TCP/IP based protocol. Normally, computers in a TCP/IP based network communicate with each other by calling each others' IP addresses and not by their computer names. In order to identify computers by a name, a naming translation service is required. NetBIOS is no different in that manner. Windows based computers within the same local area network will use broadcast techniques to publish their names, and update their own translation table. In other words, each computer holds a table with a computer name and its matching IP address. However, broadcast messages cannot traverse different subnets, as broadcast does not support routing schemes. This prevents computers on different networks communicating by their host names.

  In order to enable computers on different subnets to communicate by names, a naming translation service is required. Such a service is a WINS (Windows Internet Naming Service) server, which is a system designed to match between Windows client names and IP addresses.

  When creating a Check Point IPSec VPN connection, you perform data encryption between endpoints, and the privacy is achieved because only intended parties can actually 'read' and understand the data. Technically and practically, networks on both ends of the VPN tunnel are not joined together by a VPN tunnel, and therefore they remain on different subnets. Computers on both sides of a VPN tunnel will also need to be aware of a naming translation service to use the Microsoft File and Print sharing services. If no naming service is available, the remote computers' shared folders and printers can always be accessed using IP addresses, for example: \\192.168.10.3\C$.

  Additional settings on a Windows client

  Check that the remote computers are configured to support NetBIOS over TCP/IP.

  To enable NetBIOS over TCP/IP in Windows 2000 and Windows XP:

  1. Open 'Control Panel' > 'Network Connections'.
  2. Open your network connection properties.
  3. Open the TCP/IP properties.
  4. Click on the "Advanced" button.
  5. Click on the WINS tab.
  6. Check the "Enable NetBIOS over TCP/IP" checkbox.

• I have disconnected the VPN client but it is still displayed as connected on the 'Reports > VPN Tunnels' page (LP55653)

  The Check Point security appliance displays the IKE phase-1 VPN tunnel information on the 'Reports > VPN Tunnels' page. By default, the phase-1 lifetime used by Check Point VPN software is 24 hours, and therefore the display will refresh after that interval, even if the VPN clients are actually disconnected. This does not mean that there is traffic over the tunnel.
  
  IKE phase-1 is responsible for creating the VPN tunnel and involves heavy mathematical calculations that consume CPU. In order to reduce the load on the CPU, IKE phase-1 is renewed only every 24 hours.

• How to configure Microsoft Windows 2003 IAS (Internet Authentication Service) with Active Directory as a RADIUS to authenticate local and remote VPN access users (LP55964)

   

  Installing Active Directory on a Windows 2000 server.
  The following links are good resources for information about Active Directory installation and deployment:

  • http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
  • http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm

  Install IAS Service
  Refer to this web page from Microsoft for instructions about IAS service installation.

  Configure IAS to support remote/local users authentication

  1. Go to Start menu > Programs > Administrative tools > Internet Authentication service.
  2. Right-click on the Radius Clients folder, and select New RADIUS Client.
  3. In the New RADIUS Client window, fill in a "friendly" name and the IP address of your security appliance. Click Next.
  4. From the Client-Vendor drop-down menu, choose RADIUS Standard. Fill in the shared secret in the Shared Secret text field to match the one you entered on the security appliance's RADIUS page, and confirm the shared secret in the Confirm Shared Secret field.
  5. Click Finish to return to the Internet Authentication Service window.
  6. Right-click on Remote Access Policies in the left pane and choose New Remote Access Policy from the menu.
  7. Click Next in the New Remote Access Policy Wizard window.
  8. In the Policy Configuration Method window, choose Set up a custom policy. In the Policy Name field, type a name for the policy (For example, VPN Access). Click Next.
  9. In the Policy Conditions window, click Add; the Select Attribute window opens. Choose NAS-IP-Address from the attribute types list and click Add. In the NAS-IP-Address window, type the IP address of your security appliance and click OK to go back to the previous Window. Click Next.
  10. In the Permissions window, choose Grant remote access permission and click Next.
  11. In the Profile window, click Edit Profile. The Edit Dial-in Profile window opens.
  12. In the Edit Dial-in Profile window, click on the Authentication tab and make sure that only the Unencrypted authentication (PAP, SPAP) option is checked.
  13. In the Edit Dial-in Profile window, click on the Encryption tab and make sure that only the No encryption option is checked. Click OK to return to the previous window. Click Next.
  14. In the Completing the New Remote Access Policy Wizard window, click Finish.
  15. In the Internet Authentication Service window, expand the Connection Request Processing menu. Right-click the Connection Request Policies item and choose New Connection Request Policy.
  16. The New Connection Request Policy Wizard appears. Click Next.
  17. In the Policy Configuration Method window, choose Set up a custom policy. In the Policy Name field, type a name for the policy (For example, VPN Access). Click Next.
  18. In the Policy Conditions window, click Add; the Select Attribute window opens. Choose NAS-IP-Address from the attribute types list and click Add. In the NAS-IP-Address window, type the IP address of your security appliance and click OK to go back to the previous Window. Click Next.
  19. The Request Processing Method window appears. Click Next.
  20. In the Completing the New Connection Request Processing Policy Wizard window, click Finish.
  21. To modify the Active Directory users to allow connection, go to Control Panel > Administrative tools > Active Directory Users and Computers.
  22. Double-click the user you want to authenticate using RADIUS.
  23. Click the Dial-in tab, select Allow Access.
  24. Click Apply and OK.

  Configure the appliance to support RADIUS authentication

  1. In the Users menu, click the RADIUS tab.
  2. In the Address field, enter the IP address of the Microsoft IAS server.
  3. In the Port field, choose the RADIUS port (default value is 1812).
  4. In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
  5. Choose the administration level or VPN access.

  Note: A PKCS#12 certificate needs to be installed on the security appliance to support Hybrid Mode authentication for remote access VPN users. Hybrid mode authentication is a method to authenticate with a VPN endpoint using authentication schemes other than shared secret or digital certificates. Other methods can be using SecurID cards, RADIUS, LDAP etc. Information about Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances.

• Support 802.1x wireless authentication with Micrsoft 2003 and Active Directory RADIUS (LP57407)

  Note: It is recommended that you read the following article from Microsoft: "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows".

  The following components are needed to support 802.1x wireless authentication with Micrsoft 2003 and Active Directory RADIUS:

  • Microsoft Windows 2003 Server running IAS
  • IIS with ASP support
  • Certificate Services to create an Enterprise Root CA (Certificate Authority)
  • Active Directory
  • Wireless clients running Windows 2000/XP

  Install IAS Service
  Refer to the "Install IAS instructions" from Microsoft.

  Install IIS with ASP support
  Refer to the "Install IIS 6.0 instructions" from Microsoft.

  Install Certificate Services and an Enterprise Root CA
  Refer to the "Step-by-Step Guide to Setting up a Certification Authority" from Microsoft. In addition, refer to the "Step-by-Step Guide to Certificate Services Web Pages" from Microsoft to learn about how to enroll certificates to the wireless clients computers.

  Installing Active Directory on a Windows 2000 server
  The following links are good resources for information about Active Directory installation and deployment:

  • http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
  • http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm

  Configure IAS to support wireless users authentication

  1. Go to Start menu > Programs > Administrative tools > Internet Authentication service.
  2. Right-click on the Radius Clients folder, and choose "New RADIUS Client".
  3. In the New RADIUS Client window, fill in a "friendly" name and the IP address of your Embedded NG security appliance. Click "Next".
  4. From the Client-Vendor drop-down menu, choose "RADIUS Standard". Fill in the shared secret in the Shared Secret text field to match the one you entered on the security appliance's RADIUS page, and confirm the shared secret in the Confirm Shared Secret field.
  5. Click "Finish" to return to the Internet Authentication Service window.
  6. Right-click on Remote Access Policies in the left pane and choose "New Remote Access Policy" from the menu.
  7. Click "Next" in the New Remote Access Policy Wizard window.
  8. In the Policy Configuration Method window, choose "Set up a custom policy". In the Policy Name field, type a name for the policy (For example, VPN Access). Click "Next".
  9. In the Policy Conditions window, click "Add" ; the Select Attribute window opens. Choose "NAS-Port-Type" from the attribute types list and click "Add". In the NAS-Port-Type window, choose "Wireless - IEEE 802.11" from the left pane and click "Add"; the selection should now appear in in the right pane. Click "OK" to go back to the previous Window. Click "Next".
  10. In the Permissions window, choose "Grant remote access permission" and click "Next".
  11. In the Profile window, click "Edit Profile". The Edit Dial-in Profile window opens.
  12. In the Edit Dial-in Profile window, click on the Authentication tab. Select the "Microsoft Encrypted Authentication version 2 (MS-CHAP v2)" option. Click on the "EAP Methods" button. In the Select EAP Types window, click "Add" and select "Protected EAP (PEAP)". Click "OK" to return to previous window. Click "Next".
  13. In the Completing the New Remote Access Policy Wizard window, click "Finish".
  14. In the Internet Authentication Service window, expand the Connection Request Processing menu. Right-click the "Connection Request Policies" item and choose "New Connection Request Policy".
  15. The New Connection Request Policy Wizard appears. Click "Next".
  16. In the Policy Configuration method window, choose "A custom policy". In the Policy Name field, type a name for the policy (For example, VPN Access). Click "Next".
  17. Choose "NAS-Port-Type" from the attribute types list and click "Add". In the NAS-Port-Type window, choose "Wireless - IEEE 802.11" from the left pane and click "Add"; the selection should now appear in the right pane. Click "OK" to go back to the previous Window. Click "Next". The Completing the New Connection Request Processing Policy Wizard windows appears.
  18. In the Completing the New Connection Request Processing Policy Wizard window, click "Finish".
  19. To modify the Active Directory users to allow connection, go to 'Control Panel > Administrative tools > Active Directory Users and Computers'.
  20. Double-click the user you want to authenticate using RADIUS.
  21. Click the Dial-in tab, select "Allow Access".
  22. Click "Apply" and "OK".

  Configure the Embedded NG security appliance to support 802.1x wireless authentication

  1. Login to the Embedded NG Security appliance admin page.
  2. Click on the Network menu.
  3. Click on the My Network tab.
  4. Click on the "Edit" button of the WLAN network.
  5. From the Security drop-down box choose "802.1x: RADIUS authentication, no encryption".
  6. Click "Apply".

  Configure the Embedded NG Wireless Security appliance to support RADIUS authentication

  1. In the Users menu, click the RADIUS tab.
  2. In the Address field, enter the IP address of the Microsoft IAS server.
  3. In the Port field, choose the RADIUS port (default value is 1812).
  4. In the Shared Secret field, enter the same shared secret text that you specified in the IAS configuration.
  5. Choose an additional administrator or VPN access level.
  6. Click "Apply".

  Configure the wireless client to support 802.1x authentication

  Depending on the wireless client configuration software, some or all of the following need to be configured:

  • 802.1x support
  • Server properties or certificate authority (CA) information
  • Username and password
  • Domain or server information

• Remote Access VPN between two Check Point Embedded NG security appliances fails with errors (LP135165)

  The following solution is relevant to a Remote Access configuration between two Check Point Embedded NG security appliances, when one serves as the VPN client, and the second serves as the VPN server. Typically, the failure will take place when the client box is installed with firmware version 5.0.x or subsequent firmware. The client box will be able to authenticate with the server, however communication with the remote network behind the VPN server box fails with an event log error message: "Error: No loaded CA name, as well as no CA name in topology"
  Solution:
  The VPN client module installed with firmware 5.0 is doing Hybrid Mode IKE (Internet Key Exchange). In order for the Embedded NG VPN server to support this mode, a PKCS#12 certificate needs to be installed on the VPN server box. To create a certificate for an Embedded NG appliance, installed with a firmware version earlier than 5.0.x, refer to Creating a PKCS#12 Certificate For Manual Installation on Embedded NG Appliances.

• Traffic is blocked when using the Check Point VPN client to the Embedded NG internal VPN server (LP143241)

  The Embedded NG gateway allows securing your internal networks communications by connecting to its internal VPN server, using the Check Point SecuRemote/SecureClient VPN client. In other words, the VPN client must work in a 'Route All Traffic' mode to encrypt all traffic sent by the clients' host to the internal Embedded NG interface.

  'Route All Traffic' mode is supported by the Check Point VPN client only when it is installed in an "Extended View" installation, instead of "Compact View". In case the VPN client is installed in "Compact Mode", traffic will be blocked by the firewall.

  To switch the Check Point VPN client (versions R56 or R60) from "Compact View" to "Extended View":

  1. Right-Click the SecuRemote/SecureClient icon in the tray icon.
  2. Choose "Settings" from the menu.
  3. Click the Advanced tab.
  4. Select the "Extended View" button and click "OK"
  5. The VPN client software will restart itself in Extended View mode.
  6. Delete the existing VPN site and create a new one.
  7. Once connected to the Embedded NG internal interface using the new settings, a new site will appear in the VPN client console under the name of 'RouteAllTraffic'.

• Cannot establish a VPN tunnel between a Check Point Embedded NG gateway and Cisco PIX (LP155172)

  VPN connection may not be established between a Check Point Embedded NG gateway and a Cisco PIX. In some cases, the tunnel is created, but different errors may appear in the Embedded NG event log indicating VPN connection failure. The issues can be caused due to:

  • Wrong setup of the Embedded NG and Cisco PIX VPN gateways
  • The Embedded NG VPN gateway is configured to send "Keepalive" packets that the Cisco PIX gateway cannot handle.

  Solution

  1. Check the Cisco PIX configuration, as described in the "How to create a site-to-site between a Cisco PIX and a Check Point Embedded NG VPN gateway" article.
  2. When running the Check Point Embedded NG site to site VPN wizard, make sure to uncheck the "Keepalive" option.

• How to implement the preshared Key authentication method for use with a L2TP/IPSec connection (LP211394)

  This is the solution as offered in the Microsoft knowledgebase: http://support.microsoft.com/kb/240262

  Note:

  • Steps 12,13, where the configuration is related to the Embedded NGX gateway.
  • This article contains information about modifying the registry. Before you modify the registry, make sure you know how to back it up, and how to restore the registry if a problem occurs.

  To implement the preshared Key authentication method for use with a L2TP/IPSec connection:

  1. Add the ProhibitIpSec registry value to both Windows 2000-based endpoint computers.
  2. Manually configure an IPSec policy, before an L2TP/IPSec connection can be established between two Windows 2000-based computers.

  To add the ProhibitIpSec registry value to your Windows 2000-based computer, follow these steps:

  1. Click "Start", click "Run", type "regedt32", and then click "OK".
  2. Locate, and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters
  3. In the Edit menu, click "Add Value".
  4. In the Value Name box, type "ProhibitIpSec".
  5. In the Data Type list, click "REG_DWORD", and then click "OK".
  6. In the Data box, type "1", and then click "OK".
  7. Quit Registry Editor, and then restart your computer.

  How to create an IPSec policy for use with L2TP/IPSec Connections, by using a preshared key:

  1. Click "Start", click "Run", type "mmc", and then click "OK".
  2. Click "Console", click "Add/Remove Snap-in", click "Add", click "IP Security Policy Management", click "Add", click "Finish", click "Close", and then click "OK".
  3. Right-click "IP Security Policies on Local Machine", click "Create IP Security Policy", and then click "Next".
  4. In the IP Security Policy Name dialog box, type the name for the IP Security policy in the Name box, and then click "Next".
  5. In the Requests for Secure Communication dialog box, click to clear the "Activate the default response rule" checkbox, and then click "Next".
  6. Click to select the Edit Properties checkbox, and then click "Finish".
  7. In the New IP Security Policy Properties dialog box, click "Add" on the Rules tab, and then click "Next".
  8. In the Tunnel Endpoint dialog box, click "This rule does not specify a tunnel", and then click "Next".
  9. In the Network Type dialog box, click "All network connections", and then click "Next".
  10. In the Authentication Method dialog box, click "Use this string to protect the key exchange (preshared key)", type a preshared key, and then click "Next".
  11. In the IP Filter List dialog box, click "Add", type a name for the IP filter list in the Name box, click "Add", and then click "Next".
  12. In the IP Traffic Source dialog box, click "A specific IP Address" in the Source address box, type the Embedded NGX appliance's IP address in the IP Address box, and then click "Next".
  13. In the IP Traffic Destination dialog box, click "A specific IP Address" in the Destination address box, type "ANY", and then click "Next".
  14. In the IP Protocol Type dialog box, click "UDP" in the "Select a protocol type" box, and then click "Next".
  15. In the IP Protocol Port dialog box, click "From this port", type "1701" in the "From this port" box, click "To any port", and then click "Next".
  16. Click to select the Edit properties checkbox, click "Finish", and then click to select the "Mirrored". Also match packets with the exact opposite source and destination addresses checkbox in the Filter Properties dialog box.
  17. Click "OK", and then click "Close".
  18. In the IP Filter List dialog box, click the IP filter that you just created, and then click "Next".
  19. In the Filter Action dialog box, click "Add", and then create a new filter action that specifies which integrity and encryption algorithms will be used. Note: This new filter action must have the "Accept unsecured communication, but always respond using IPSec" feature disabled to improve security.
  20. Click "Next", click "Finish", and then click "Close".
  21. Right-click the IPSec policy that you just created, and then click "Assign".

• What are the requirement for using Endpoint Connect with the Embedded NGX Appliances? (LP387173)

  The requirement for using Endpoint Connect with the Embedded NGX Appliances:

  • Firmware 8.1.37 or higher is required for Endpoint Connect support.
  • Port 443 must not be forwarded from "This gateway" to an internal host. If you already forward port 443, you can configure Endpoint Connect to use port 981, instead (you can configure Endpoint Connect to use a different port when creating the site, simply by adding the port after the IP address, for example: 62.233.20.70:981. When using with the Embedded NGX Appliances, you can either use ports 443 or 981. If you want to use port 981, you also need to open access to HTTPS management from "any" under Setup - Management.)
  • Endpoint Connect is not supported on the Z100G Wireless Router.

• How can I use Endpoint Connect and still forward port https/443 to an internal host? (LP387175)

  You can configure Endpoint Connect to use a different port when creating the site, simply by adding the port after the IP address, for example 62.233.20.70:981
  When using with the Embedded NGX Appliances, you can either use ports 443 or 981. If you want to use port 981, you also need to open access to HTTPS management from "any" under Setup - Management.

• What are the supported VPN clients for the Embedded NGX Appliances? (LP387176)

  The following clients are supported:

  • CheckPoint Endpoint Connect R73 (supported on Windows systems, 32-bit and 64-bit)
  • CheckPoint SecuRemote/SecureClient (supported on 32-bit Windows and Mac OS X)
  • L2TP Dialer.

• Endpoint Connect Port Selection (LP398496)

  Endpoint Connect (EPC) clients cannot connect to Safe@Office/UTM-1 Edge appliances after firmware upgrade to v8.2 post GA (8.2.33).

  SYMPTOMS:

  In previous GA versions (such as v8.1.47 or v8.2.26), the EPC clients were able to connect to Safe@Office/UTM-1 Edge appliances on ports 981 or 443, depending on configuration.

  After upgrading to v8.2 post GA, EPC clients might not be able to connect on the same port.

  CAUSE:

  With the upgrade to a newer firmware version, the EPC is set to one default port (443 or 981).

  If the following apply, the port will automatically be set to default port 981:

  • Web server under 'Security > Servers' tab is enabled.
  • A rule with Web Service that is called "Web Server" exists.
  • A rule that contains port 443 exists.

  If none of the above apply to your settings, the default port will automatically be set to 443.

  SOLUTION:

  With the upgrade to a newer firmware version, the port number can be configured to other port numbers.

  If you are experiencing the above behavior, perform the following:

  • Make sure that the EPC port in the Safe@Office/UTM-1 Edge appliances matches the EPC port used in the EPC client.
  • Make sure that there are no security rules or NAT rules configured on Safe@Office/UTM-1 Edge appliances, or on SMP, that match the EPC port, defined in the appliance.

Customer Support and Services

Show All In This Section

• How to get support and software updates for the IP30/IP40 appliance? (LP14651)

  The IP30/IP40 appliance is supported by the Check Point Support Organization. Support contracts must be purchased through your sales representative, or reseller, in order to receive technical support from Check Point.

• How to activate my Safe@Office support plans or product upgrades? (LP15610)

  In order to activate the support plans and/or product upgrades for your Safe@Office product, connect with your browser to http://www.sofaware.com/activate and fill out the product activation form.

  Support plans activation
  Once your activation request is processed and validated, a confirmation message will be sent to you by email and you will be allowed to connect to the Check Point service center to get the services.

  To connect to the Check Point Service Center perform the following:

  • Connect with your browser to http://my.firewall (from LAN)
  • Click on the Services menu.
  • Click on the Connect button.
  • Choose to connect to usercenter.sofaware.com
  • The subscription based services you purchased will be applied immediately.

  Product upgrade activation
  Once your activation request is processed and validated, a confirmation message will be sent to you with the Product Key (license) that will upgrade your product. To install the product key perform the following:

  • Connect with your browser to http://my.firewall (from LAN)
  • Click on 'Setup > Upgrade Product'.
  • Enter the product key string in the designated field.

• Who provides Technical Support for Safe@Office products? (LP15654)

  Technical support for Safe@Office products is provided by the Check Point Small Business Support team.

  Fill in the online support request form (http://www.sofaware.com/supportForm.aspx) and one of our support experts will get back to you shortly by email.

  Chat live with a support expert when available. Technical support, on all channels, is available Mon-Fri, 9 AM - 5 PM (US and Europe time).

• What support plans are available with my Safe@Office security appliance? (LP15717)

  The following support options and plans are available for purchase by Safe@Office security appliance owners:

  Annual Safe@Office Support and Subscription
  (ST-CPSB)
  Annual support and services plan that includes the following:
  * Security and firmware updates
  * Email, web and chat support
  * Advanced replacement
  * Dynamic DNS

  Annual Safe@Office Anti-Virus, SmartDefense, Support and Subscription
  (STAV-CPSB)
  * Gateway Anti-Virus updates
  * Security and firmware updates
  * Email, web and chat support
  * Advanced replacement
  * Dynamic DNS

  Annual Safe@Office Web Filtering Service
  (WF-CPSB)
  * Provides URL filtering based on category classification of web-sites.

• What does the Safe@Office Advanced Security Services Plan include? (LP15718)

  Safe@Office Advanced Security Services Plan* Includes the following:

  • Security and firmware updates.
  • Email, web and chat support.
  • Telephone support in English, from 8:00 AM to 5 PM local time.
  • Advance hardware replacement.
  • Anti-Virus subscription service.
  • Web Filtering subscription service.

  * Advanced Security Services are available only in North America.

• What is the RMA (Return Material Authorization) procedure for damaged Safe@Office hardware? (LP15722)

  If your Embedded NGX appliance is under hardware warranty and/or a valid support plan, it can be replaced in case of a hardware malfunction (Return Material Authorization - RMA). Follow the RMA procedure as described below:

  • Contact the Check Point Small Business Support team , using one of the following methods: Open a support ticket, or initiate a chat session at www.sofaware.com.
  • A support expert will attempt to troubleshoot an issue to confirm or exclude a hardware issue. You will be updated at each step of the troubleshooting process.
  • In case a hardware issue is present, you will be issued an RMA form that must be filled and submitted to the Check Point Small Business Support team.
  • An RMA specialist will review the troubleshooting steps and will approve the RMA (or will ask to take further steps in the debugging process).
  • You will be issued an RMA number for follow-up.
  • A replacement product will be sent to the address specified in the RMA form.
  • A tracking number and estimated shipping date will be e-mailed to you once available.

  Note that the license on the replacement box is functional for 30 days only. In order to receive the permanent license, the damaged hardware must be shipped to the logistics center in the US or Europe (depending on your location), and a notification with a tracking number and courier for the returned hardware must be sent to the Check Point SMB Support Team.

• Where can I view the Safe@Office models and features available? (LP15725)

  Information about Safe@Office models, features, datasheet and comparison charts are available from the Check Point web site.

• How do I know my Safe@Office support and subscription expiration date? (LP16331)

  In order to view your subscription expiration date, perform the following:

  • Connect with your browser to http://my.firewall (from LAN)
  • Click on "Services".
  • The subscription expiration date is displayed.

• How do I renew my Safe@Office support plan? (LP16332)

  Contact your reseller for Safe@Office support plan renewal options. Once you renew the support plan, refresh your service center connection to view the new expiration date.

• Information about Demo Embedded NGX Gateways for small business channel partners (LP198358)

  What are Demo Embedded NGX Gateways?

  Demo UTM Gateways are Safe@Office and VPN-1 Edge UTM gateways that are available for partners for the purpose of customer product demo only. Demo UTM Gateways are also knows as NFR (Not for Resale) gateways. You can recognize a Demo UTM Gateways as it is labeled with a 'Not for Resale' sticker on the exterior of the appliance.

  How many demo UTM Gateways can a partner purchase?

  A partner can purchase up to 3 demo units.

  What's included with a Demo UTM Gateway Out of the Box?

  • Demo UTM Gateways arrive with no license installed "out of the box".
  • The Demo UTM Gateways package include a welcome letter with a Temporary Demo license.
  • Temporary Demo licenses are good for 30 days only.
  • No subscription services are applied to Demo UTM Gateways, out of the box.
  • The 30 days demo license cannot be extended, but can be replaced with a Permanent Demo license only.

  How to get a permanent Demo license and service for my Demo gateway?

  With a simple activation procedure, partners can get:

  • A permanent Demo license
  • 1 year of support and subscription services from the Check Point Service Center:
    
    • Software and security updates
    • VStream Anti-Virus Signature updates
    • Web filtering
    • Monthly security reports

  To activate:

  1. Partner fills in the Demo Gateway Activation Form on the SofaWare web site.
  2. The form details are accepted by the SofaWare support team
  3. The SofaWare team sends a Permanent Demo license string to the partner to install on the Demo UTM Gateway by email
  4. The Sofaware team adds the Demo UTM Gateway and owner information to the Check Point Service Center
  5. The SofaWare team sends an acknowledge email and technical instructions to the partner email address.

Network Connectivity (LAN/DMZ/WAN)

Show All In This Section

• I cannot access http://my.firewall. What should I do? (LP17007)

  In case you cannot access the http://my.firewall page (from LAN), try the following:

  • Verify that the Safe@Office appliance is operating (PWR/SEC LED is active)
  • Check if the LAN LINK/ACT LED for the port used by your computer is on. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly.
    Note: You may need to use a crossed cable when connecting a Safe@Office 'S' series appliance to another hub/switch.
  • Try connecting from LAN with your browser to http://192.168.10.1 (instead of http://my.firewall).
    Note: 192.168.10.1 is the default IP address, and it may vary if you changed it in the My Network page.
  • Check your TCP/IP configuration according to "Installing and Setting up the Safe@Office Appliance" in the Safe@Office Users Guide.
  • Restart your Safe@Office appliance and your broadband modem by disconnecting the power and reconnecting after 5 seconds.
  • If your web browser is configured to use an HTTP proxy to access the Internet, add "my.firewall" or "my.vpn" to your proxy exceptions list.

  In case none of the above worked, contact Check Point Support.

• I am using the Safe@Office appliance behind another NAT device, and I am having problems with some applications. What should I do?

  By default, the Safe@Office appliance performs Network Address Translation (NAT). It is possible to use the Safe@Office appliance behind another device that performs NAT, such as a DSL router or Wireless router, but the device will block all incoming connections from reaching your Safe@Office appliance. To fix this problem, do ONE of the following (the solutions are listed in order of preference).

  • Consider whether you really need the router. The Safe@Office appliance can often be used as a replacement for your existing router.
  • If possible, disable NAT in the router. Refer to the router's documentation for instructions on how to do this.
  • If the router has a "DMZ Computer" or "Exposed Host" option, set it to the Safe@Office appliance's external IP address.

  In any case, it is recommended that you open the following ports in the NAT device: UDP 9281/9282, UDP 500, TCP 256, TCP 264, ESP (IP protocol 50), TCP 981. Refer to your router documentation for instructions.

• I cannot connect to the LAN network from the DMZ network. What should I do? (LP17009)

  By default, connections from the DMZ network to the LAN network are blocked. To allow traffic from the DMZ to the LAN, configure appropriate firewall rules. For instructions, refer to Safe@Office v7.5 User Guide - Chapter 12 'Setting Your Security Policy'.

• How can I make my Safe@Office pingable from the Internet? (LP17886)

  In order to make the Safe@Office pingable from the Internet. you can use 2 methods:

  Method 1
  Change the security level to "Low". To change the security level perform the following :

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on the Security tab.
  3. Click on the Firewall tab.
  4. Change the security level to "Low".

  It is recommended that you first understand the difference between the low, medium and high security levels. Refer to Question LP16225 in this article.

  Method 2
  Create a security rule to allow ICMP to the Embedded NG gateway from the Internet. To create the security rule:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on the Security tab.
  3. Click on the Rules tab.
  4. Click the "Add Rule" button to start the Firewall Rules Wizard.
  5. Choose Allow as the rule type and click "Next".
  6. Click the "Custom Service" button, choose ICMP from the Protocol dropdown box and click "Next".
  7. Choose the Source as "WAN (Internet)" and the Destination as "This Gateway", and click "Next".
  8. Click "Finish" to apply the rule.

• Does the Safe@Office appliance support PPPoA (PPP over ATM)?

  No. Only DSL modems and routers support PPPoA. The Safe@Office appliance cannot replace your DSL equipment and therefore it does not need to support PPPoA. In case the Safe@Office appliance is connected to a device that supports PPPoA, you should choose "Direct LAN Connection" as the Internet connection type for the Safe@Office appliance.

• What is DHCP Relay? (LP17889)

  DHCP Relay is used when the DHCP clients are located in a different subnet than the DHCP server. When the DHCP Relay option is used, the Check Point appliance becomes a DHCP relay agent. A relay agent is a small program that relays DHCP messages between clients and DHCP servers on different subnets. DHCP Relay configuration is supported over clear and VPN communications. DHCP Relay communicates through UDP ports 67/68. To enable DHCP Relay:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on the Network tab.
  3. Click on the My Network Tab.
  4. Click on "Edit" for the network you want enable DHCP Relay for.
  5. Fill in the internal IP Address and Subnet Mask of the Check Point appliance. This will determine the DHCP scope requested from the remote DHCP server.
  6. Choose "Relay" from the DHCP drop down box.

  Note: DHCP Relay will not work with NAT configuration. In case DHCP Relay is implemented over a VPN connection, make sure that the "Bypass NAT" checkbox is selected for the VPN connection on the Check Point appliance.

Wireless LAN

Show All In This Section

• I cannot connect with your browser to http://my.firewall page from my wireless client (LP57420)

  By default, access to the Embedded NG Wireless security appliance's Web GUI from the WLAN (Wireless LAN) network is over HTTPS - https://my.firewall. In case you want to access the WebGUI from WLAN over HTTP (http://my.firewall), you'll need to configure a security rule to allow that. The security rule parameters can be:

  • Rule Type: Allow
  • Source: WLAN
  • Destination: This Gateway
  • Service: Web Server

• How to configure MAC address filtering for wireless clients (LP57421)

  MAC address filtering is a method to authenticate wireless clients with the Embedded NG wireless security appliance and allow them to access the WLAN network. This method is not considered secured enough to stand on its own since MAC addresses can be easily cloned. As a result, it should be an additional measure on top of other security methods offered, such as WEP, WPA and 802.1x authentication standards.

  To configure MAC address filtering:

  1. Create a network object for the wireless clients you want to authenticate.
  2. Activate MAC address filtering on the appliance.

  To create a network object, perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on the Network menu.
  3. Click on the Network Objects tab.
  4. Click on the "New" button. The Network Object Wizard window appears.
  5. Choose "Single Computer" and click "Next".
  6. In the IP Address field, type in the IP address of the wireless client you want to authenticate.
  7. In the MAC Address field, type in the MAC address of the wireless network card, and click "Next".
  8. Type a name for the network object and click "Next".

  To activate MAC Address Filtering on the appliance, perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on the Network menu.
  3. Click on the My Network tab.
  4. Click on the "Edit" button near the WLAN.
  5. Click the "Show Advanced Settings" link
  6. From the MAC Address Filtering drop-down box choose "Yes".
  7. Click "Apply".

  Note: Once MAC Address Filtering is activated, wireless clients will not be able to communicate with the wireless network unless you create corresponding network objects for each wireless client.

• Wireless Security with Check Point Safe@Office Appliances (LP135394)

  Refer to Wireless Security with Check Point Safe@Office Appliances

• My WiFi card does not get a signal from the Embedded NG wireless security appliance (LP154422)

  This procedure describes the troubleshooting steps in case your WiFi card (installed on your mobile computer) does not get any signal from the Embedded NG wireless security appliance.

  Important Notes

  The troubleshooting steps suggested in this procedure assume that there are no coverage issues and that the issue occurs even when the mobile computer is a very short distance from the Embedded NG security wireless appliance. For the purpose of simplified troubleshooting, it is recommended to turn off all wireless security options that may have been configured on the Embedded NG wireless security appliance and on the WiFi card installed on the mobile computer. If this is the first time you install the Embedded NG wireless security appliance, the WLAN network is disabled. To enable the WLAN network, perform the following:

  1. Physically connect your mobile computer to one of the LAN ports of the appliance.
  2. Connect with your browser to http://my.firewall (from LAN)
  3. Login to the administrator console.
  4. Click on the 'Network > My Network' menu.
  5. Click on the "Edit" button, near the WLAN line.
  6. From the Mode drop-down menu, choose "Enabled".

  Troubleshooting

  Checking the WiFi card settings on your mobile computer

  1. Check whether other mobile computers in your network cannot get a signal from the Embedded NG wireless security appliance. In case other computers are able to communicate over the wireless connection, it is more than likely that the issue is with your mobile computers' WiFi card setup.
  2. In case you configured the Embedded NG security wireless appliance to hide the SSID, make sure that the WiFi card is manually configured with the correct SSID.
  3. Make sure that the wireless standard (802.11 b/g) configured on the WiFi card matches the standard on the Embedded NG security wireless appliance.
  4. Make sure you have the latest driver for your WiFi card.
  5. Check for additional settings that can be configured on your wireless card - such as country and extended channels usage. These parameters are usually configured during the WiFi card installation, or via a vendors' wireless utility.
  6. In case you have an Intel based WiFi card installed on your mobile computer, you may need to enable extended channel mode (this may not be needed for all models). To setup extended channel mode for Intel based WiFi cards, perform the following in Windows:
     
     1. Go to Start menu > Settings > Control Panel.
     2. Double-click the Administrative Tools icon.
     3. Double-click the Computer Management icon.
     4. From the left pane of the Computer Management window, choose "Device Manager".
     5. From the right pane of the Computer Management window, expand the Network Adapters branch.
     6. Locate the Intel network card branch and double-click it to open the Intel network card properties.
     7. In the Intel card properties window, click the Advanced tab.
     8. In the Property window, select "Extended Channel Mode".
     9. Choose "Enable" from the Value drop-down box.

  Checking the Embedded NG wireless security appliance settings

  Force the wireless security appliance to work with a specific channel rather than automatically select a channel. To setup the channel mode, physically connect your mobile computer to one of the appliances' LAN ports and perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on the 'Network > My Network' menu.
  3. Click on the "Edit" button near the WLAN title.
  4. From the Channel drop-down box, choose an available channel.

  For additional troubleshooting steps, contact Check Point Support.

• Troubleshooting WPA connection (LP223779)

  When using WPA encryption on the WLAN, the connection is dropped immediately after connecting. Connections and disconnections appear consecutively in the appliance event log.

  The solution:

  Import manual encryption configuration to the wireless Embedded NGX appliance.

  To apply the configuration file:

  1. Download one of the configuration files below that answers your needs:
     
     • TKIP.CFG - Manually sets the security appliance to use TKIP encryption for WPA.
     • AES.CFG - Forces the appliance to only use AES encryption (not supported by some older wireless client devices).
     • AUTO.CFG - Resets the encryption engine to automatic (security appliance default).
  2. Connect with your browser to http://my.firewall (from LAN)
  3. Browse to 'Setup > Tools > Import'.
  4. Click "Browse" and select the file you wish to import.
  5. Click "Open".
  6. Click the "Import" button to import.
  7. The wireless network will restart. You may need to reconfigure some or all of the wireless clients in your network.
  8. Configuration is done.

• How to Bridge LAN and Wireless networks to a single network (LP223956)

  Note: Normally, the Transparent Bridges feature requires a Power Pack license on a Safe@Office appliance. However, from firmware version 7.0.39 and subsequent versions you can create only one bridge without the Power Pack license.

  In most cases, standard access points have the wired LAN and the wireless network bridged together, as a single network. However, in a secured deployment of networks, it is customary to separate the LAN (traditionally, the segment installed with the confidential business resources) from other networks that are considered potentially insecure. The Embedded NGX security appliances have the WLAN and the LAN segments separated by subnetting and firewalling, as the wireless medium is insecure, by definition.

  This may lead to different behavior than you were probably used to with your 'old' standard access point, especially when attempting to browse the workgroup computers on the LAN, using the Microsoft File and Print sharing service. This Microsoft service is designed to work best between computers on the same local area network. However, since the WLAN and LAN are on different networks, you can either connect to shared folders or printers on the LAN by using direct IP addresses (for example, \\192.168.10.2\C$) or you can install a WINS server to translate computer names into their corresponding IP addresses. This action will provide the functionality you are looking for by connecting to shared folders, and will keep your network secure.

  Another option that is less recommended from the point of view of wireless security, is to bridge between the LAN and WLAN networks, making them a "single network". To create a bridge between the LAN and WLAN networks:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on 'Network > My Network'.
  3. Click on the "Edit" button next to the WLAN network.
  4. Click on the "Wireless Wizard" button button at the bottom of the page.
  5. In the Wireless Configuration Wizard window, complete the necessary settings for your wireless network, and click "Next".
  6. Choose the required wireless security protocol for your network, choose "Bridge Mode" to create a bridge between the WLAN and the LAN, and click "Next".
  7. Complete the Wireless Configuration Wizard with the required information for your wireless network.
  8. The WLAN and LAN will now be bridged together and will share the same subnet.

• Depending on your wireless client software, all or some of the options may be supported. In case your wireless client does not support all the advanced options, it might result in the following symptoms: (a) The WLAN connection might be dropped, immediately after connecting ; (b) Connections and disconnections might appear consecutively in the appliance event log (LP223963)

  The Embedded NGX appliance offers a variety of security and additional advanced options (such as QoS for multimedia over wireless). Depending on your wireless client software, all or some of the options may be supported. In case your wireless client does not support all the advanced options, it might result in the following symptoms:

  • The WLAN connection might be dropped, immediately after connecting.
  • Connections and disconnections might appear consecutively in the appliance event log.

  To improve the compatibility between your wireless client and the Embedded NGX appliance and overcome the symptoms above, attempt the following steps:

  • Import manual encryption configuration to the wireless Embedded NGX appliance.
  • Disable Multimedia Quality of Service (QoS WMM).

  To apply manual encryption configuration to the Embedded NGX appliance:

  1. Download one of the configuration files below that answers your needs:
     
     • TKIP.CFG - Manually sets the security appliance to use TKIP encryption for WPA.
     • AES.CFG - Forces the appliance to only use AES encryption (not supported by some older wireless client devices).
     • AUTO.CFG - Resets the encryption engine to automatic (security appliance default).
  2. Connect with your browser to http://my.firewall (from LAN)
  3. Browse to 'Setup > Tools > Import'.
  4. Click "Browse" and select the file you wish to import.
  5. Click "Open".
  6. Click the "Import button to import.
  7. The wireless network will restart. You may need to reconfigure some or all of the wireless clients in your network.
  8. Configuration is done.

  To disable Multimedia QoS:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Browse to 'Network > My Network'.
  3. In the WLAN line, click "Edit".
  4. Click "Show Advanced Settings".
  5. In the Multimedia QoS (WMM) drop-down list, choose "Disabled".
  6. Click "Apply".
  7. Configuration is done.

• Which third-party wireless antennas can be used with my appliance? (LP316479)

  Embedded NGX wireless appliances use RP-SMA connectors.

  Before substituting any antennas other than the ones supplied by Check Point, note:

  • Substituting an antenna other than the ones supplied by Check Point, may be in violation of local regulations. Installers should abide by all FCC, EU, or local regulations and requirements before deploying any 3rd party antennas.
  • Check Point and its affiliates are not responsible for any damage caused by use of a 3rd party antennas. Check Point will not replace or repair appliances damaged by use of an improper antenna.

VStream Anti-Virus

Show All In This Section

• What is the VStream Anti-Virus? (LP171924)

  The Embedded NGX security gateway (with firmware 6.0 and subsequent versions) includes VStream Anti-Virus, an embedded streambased Anti-Virus engine based on Check Point Stateful Inspection and Application Intelligence technologies that performs virus scanning at the kernel level. VStream Anti-Virus scans files for malicious content on the fly, without downloading the files into intermediate storage. This means minimal added latency and support for unlimited file sizes; and since VStream Anti-Virus stores only minimal state information per connection, it can scan thousands of connections concurrently. In order to scan archive files on the fly, VStream Anti-Virus performs real-time decompression and scanning of ZIP, TAR, and GZ archive files, with support for nested archive files.

• What is the default action policy when viruses are detected? (LP171925)

  When VStream Anti-Virus detects malicious content, the action it takes depends on the protocol, in which the virus was found. Refer to the table below. In each case, VStream Anti-Virus blocks the file and writes a log to the Event Log.

  If a virus is found in this protocol...	VStream Anti-Virus does this...	The protocol is detected on this port...
  HTTP	Terminates the connection.	All ports on which VStream is enabled by the policy, not only port 80
  POP3	Terminates the connection. Deletes the virus-infected email from the server.	The standard TCP port 110
  IMAP	Terminates the connection. Replaces the virus-infected email with a message notifying the user that a virus was found.	The standard TCP port 143
  SMTP	Rejects the virus-infected email with error code 554. Sends a "Virus detected" message to the sender.	The standard TCP port 25
  FTP	Terminates the data connection. Sends a "Virus detected" message to the FTP client.	The standard TCP port 21
  TCP and UDP	Terminates the connection.	Generic TCP and UDP ports, other than those listed above

  In protocols that are not listed in this table, VStream Anti-Virus uses a "best effort" approach to detect viruses. In such cases, detection of viruses is not guaranteed and depends on the specific encoding, used by the protocol.

• What is the difference between the VStream Anti-Virus and the Email Anti-Virus subscription service? (LP171926)

  VStream Anti-Virus differs from the Email Anti-Virus subscription service (part of the Email Filtering service) in the following ways:

  • Email Anti-Virus is centralized, redirecting traffic through the Service Center for scanning, while VStream Anti-Virus scans for viruses in the Safe@Office gateway itself.
  • Email Anti-Virus is specific to e-mail, scanning incoming POP3 and outgoing SMTP connections only, while VStream Anti-Virus supports additional protocols, including incoming SMTP and outgoing POP3 connections.

  You can use either Anti-Virus solution, or both, in conjunction.

• What is the difference between the main and the daily Anti-Virus signatures databases? (LP171927)

  VStream Anti-Virus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures. Periodically, the contents of the daily database are moved to the main database, leaving the daily database empty. This system of incremental updates to the main database allows for quicker updates and saves on network bandwidth. You can view information about the VStream signature databases currently in use, on the VStream Anti-Virus page.

• I am subscribed to the VStream Anti-Virus signatures updates, but installation of daily virus definitions fails (LP310602)

  The daily VStream Anti-Virus signatures updates fail to install, interrupting the normal operation of the VStream Anti-Virus.

  Symptoms

  A failure to install the VStream Anti-Virus signatures updates may result with one or more of the following symptoms:

  • A "failed to install daily database" error message appears in the Anti-Virus page.
  • Upon initiating an update, using the 'Update now' button in the menu, nothing happens.

  Possible cause

  This may occur in case the definition update from the service center was interrupted, and the downloaded archive has become corrupted.

  Solution

  In order to solve this issue perform the following:

  • Reset the Anti-Virus signatures database.
  • Refresh the connection to the Service Center.

  Note: This procedure will not affect any of the existing settings on the appliance.

  To reset the Anti-Virus signature database on a ZoneAlarm Z100G Secure Wireless Router, perform the following:

  1. Click here to download the script (*.CFG) file and save it to a local folder on your computer.
  2. Connect with your browser to http://my.firewall (from LAN)
  3. Click "Setup" on the main menu, and then the Tools tab.
  4. Click "Import", browse for the script file, and click "Upload". A confirmation message will appear in case the upload finished successfully.
  5. The Anti-Virus signature database is now reset.

  To reset the Anti-Virus signature database on any other Embedded NGX appliance, type perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click "Setup" on the main menu, and then on Tools.
  3. Click "Command".
  4. In the command text box, type the command: reset vstream-database and click "Go".
  5. The Anti-Virus signature database is now reset.

  To refresh the connection to the Service Center perform the following:

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on "Services".
  3. Click "Refresh".

ADSL

Show All In This Section

• Typical ADSL configuration of various worldwide ISPs (LP196537)

  The Following list describes the typical ADSL configuration, required by worldwide well known ISPs and Telco's. We recommend to consult with your ADSL provider for the most recent ADSL configuration.

  Country	Service Provider	Connection Type	VPI	VCI	Encapsulation
  Argentina	Arnet	PPPoE	0	33	LLC
  Argentina	Speedy	PPPoE	8	35	LLC
  Australia	Most ISPs	PPPoE	8	35	LLC
  Australia	Arachnet	PPPoA	8	35	VCMUX
  Australia	Telestra	PPPoE	8	35	LLC
  Austria	Most ISPs	PPPoA	8	48	VCMUX
  Austria	AON	PPPoA	1	32	VCMUX
  Belgium	ADSL Office	PPPoE	8	35	VCMUX
  Belgium	Belgacom ADSL	PPPoA	8	35	VCMUX / LLC
  Belgium	Turboline	PPPoA	8	35	LLC
  Brazil	Brasil Telecom (brturbo)	PPPoE	0	35	LLC
  Brazil	do rio grande do sul são	PPPoE	1	32	LLC
  Brazil	Speedy da Telefonica	PPPoE	8	35	LLC
  Brazil	Velox da Telemar	PPPoE	0	33	LLC
  Bulgaria	BTK (ISDN)	PPPoE	1	32	LLC
  Bulgaria	BTK (POTS)	PPPoE	0	35	LLC
  Czech Republic	Cesky Telecom (PPPoA)	PPPoA	8	48	VCMUX
  Czech Republic	Cesky Telecom (PPPoE)	PPPoE	8	48	LLC
  Denmark	Cybercity	PPPoA	0	35	VCMUX
  Denmark	Tiscali	PPPoA	8	35	VCMUX
  Denmark	Tiscali (World Online)	PPPoA	0	35	VCMUX
  Egypt	Raya Telecom	PPPoA	8	80	VCMUX
  France	9Online	PPPoA	8	35	VCMUX
  France	AOL	PPPoA	8	35	VCMUX
  France	Cegetel ADSL Max 8 Mb	PPPoA	8	35	VCMUX
  France	Cegetel non dégroupé 512 IP/ADSL et dégroupé	PPPoA	8	35	VCMUX
  France	Claranet	PPPoA	8	35	VCMUX
  France	Club-Internet	PPPoA	8	35	VCMUX
  France	EasyConnect	PPPoA	8	35	LLC
  France	Free non dégroupé 512/128 & 1024/128	PPPoA	8	35	VCMUX
  France	Free non dégroupé ADSL Max	PPPoA	8	35	VCMUX
  France	Freesurf	PPPoA	8	35	VCMUX
  France	FT	PPPoA	8	35	VCMUX
  France	Generic Netissimo	PPPoA	8	35	LLC
  France	HRNet	PPPoA	8	35	VCMUX
  France	Nerim	PPPoA	8	35	VCMUX
  France	Nordnet	PPPoA	8	35	VCMUX
  France	Tiscali.fr (128k)	PPPoA	8	35	LLC
  France	Tiscali.fr (512k)	PPPoA	8	35	VCMUX
  France	Tiscaly Liberty Surf	PPPoA	8	35	LLC
  France	Wanadoo	PPPoA	8	35	VCMUX
  France	Worldnet	PPPoA	8	35	VCMUX
  Germany	1&1 (Dun)	PPPoE	1	32	LLC
  Germany	Alice DSL	PPPoE	1	32	LLC
  Germany	Anderer Provider für T-DSL (Dun)	PPPoE	1	32	LLC
  Germany	Arcor	PPPoE	1	32	LLC
  Germany Germany Germany	DT Mnet NetCologne	PPPoE PPPoE PPPoE	1 1 8	32 32 35	LLC LLC LLC
  Germany	QSC	PPPoE	1	32	LLC
  Germany	Tiscali	PPPoE	1	32	LLC
  Germany	T-Online (Dun)	PPPoE	1	32	LLC
  Hungary	Matav	PPPoE	1	32	LLC
  Iceland	Islandssimi	PPPoA	0	35	VCMUX
  Iceland	Landssimi	PPPoA	8	48	VCMUX
  India	Most ISPs	PPPoA	0	32	VCMUX
  Ireland	Most ISPs	PPPoE	8	35	LLC
  Israel	Bezeq	PPPoE	8	48	LLC
  Italy	Albacom	PPPoA	8	35	VCMUX
  Italy	Aruba	PPPoA	8	35	VCMUX
  Italy	Liberto.it	PPPoA	8	35	VCMUX
  Italy	MC-link	PPPoA	8	35	VCMUX
  Italy	Nextra	PPPoA	8	35	VCMUX
  Italy	Telecom Italia	PPPoA	8	35	VCMUX
  Italy	Telvia	PPPoA	8	35	VCMUX
  Italy	Tiscali	PPPoA	8	35	VCMUX
  Italy	Wind	PPPoA	8	35	VCMUX / LLC
  Mexico	Telmex Infinitum	PPPoE	8	35	LLC
  Morocco	Maroc Telecom	PPPoA	8	35	VCMUX
  Netherlands	Bbeyond (PPPoE)	PPPoE	0	33	LLC
  Netherlands	Bbeyond (PPPoA)	PPPoA	0	35	VCMUX
  Netherlands	KPN	PPPoA	8	48	VCMUX
  New Zealand	New Zealand Telecom	PPPoA	0	100	VCMUX
  Poland	NETIA	PPPoE	8	35	LLC
  Poland	TPSA	PPPoA	0	35	VCMUX
  Portugal	Portugal Telecom	PPPoA	0	35	VCMUX
  Russia	MTU Intel	PPPoE	1	50	LLC
  Singapore	SingNet Broadband	PPPoA	0	100	VCMUX
  Slovenia	SiOL	PPPoE	1	32	LLC
  Spain	Albura	PPPoA	1	32	VCMUX
  Spain	Arrakis	PPPoA	0	35	VCMUX
  Spain	Arsys	PPPoE	1	33	LLC
  Spain	Auna	PPPoA	0	35	VCMUX
  Spain	Colt Teecom	PPPoA	0	35	VCMUX
  Spain	Communitel	PPPoA	0	33	VCMUX
  Spain	ERES MAS	PPPoA	8	35	LLC
  Spain	Euskatel	PPPoE	8	32	LLC
  Spain	Jazztel	PPPoA	8	35	LLC
  Spain	Telefonica	PPPoE	8	32	VCMUX / LLC
  Spain	Telepac	PPPoE	0	35	LLC
  Spain	Terra	PPPoE	8	32	LLC
  Spain	Tiscali	PPPoA	1	32	VCMUX
  Spain	Uni2	PPPoA	1	33	VCMUX
  Spain	Wanadoo Spain	PPPoE	8	32	LLC
  Spain	Ya.com	PPPoE	8	32	LLC
  Sweden	Skanova	PPPoE	8	35	LLC
  UAE	Etisalat Classical IP for Business	PPPoA	0	50	VCMUX
  UAE	Etisalat Classical IP Single User	PPPoE	0	100	LLC
  UAE	Etislat	PPPoA	0	50	LLC
  UAE	UAE-Other	PPPoE	0	50	LLC
  UK	Most ISPs	PPPoA	0	38	VCMUX
  US	AOL	PPPoE	0	35	LLC
  US	BellSouth	PPPoE	8	35	LLC
  US	Covad	PPPoE	0	35	LLC
  US	EarthLink	PPPoE	0	35	LLC
  US	Qwest	PPPoE	0	32	LLC
  US	SBC	PPPoE	0	35	LLC
  US	Sprint	PPPoE	0	35	LLC
  US	Verizon	PPPoE	0	35	LLC

• I am experiencing frequent disconnections with my Embedded NGX appliance with embedded ADSL modem. What can I do? (LP224491)

  This solution applies only to Embedded NGX appliances with an embedded ADSL modem.

  1. Connect with your browser to http://my.firewall (from LAN)
  2. Click on the Setup menu.
  3. Click on the Tools tab.
  4. Click on the "Command" button. The Command Line window appears.
  5. In the command line, type the command: set port adsl auto-sra mode disable.
  6. Click "Go".
  7. The default value was changed.

High Availability

Show All In This Section

• How to configure a Dialup Backup connection with a Check Point Embedded NG appliance (Firmware 5.0.x) (LP57008)

  Refer to Configuring a Dialup Backup Internet Connection

• How to configure a Broadband Backup connection with a Check Point Embedded NG appliance (Firmware 5.0.x) (LP57009)

  Refer to Configuring a Broadband Backup Internet Connection

Remote Desktop

Show All In This Section

• How to work with the Remote Desktop feature of Embedded NGX appliances on Windows Vista operating system? (LP316577)

  An internal error message is received when trying to initiate a Remote Desktop connection via the http://my.firewall portal to a computer that runs the Windows Vista operating system.

  Possible cause

  When initiating a Remote Desktop connection via the http://my.firewall portal, the remote computer is configured to support only allow connections using Network Level Authentication. The Embedded NGX security appliances use an Active X component to run the Remote Desktop feature, and this component does not support Network Level Authentication.

  Solution

  Configure the Remote Settings on the computer to which you are connecting, to allow connections from computers running any version of Remote Desktop.

  To update the Remote Settings configuration, perform the following:

  1. On your desktop, right-click on the Computers icon.
  2. Click on Properties from the pop-up menu.
  3. Click on the "Remote Settings" option from the left-hand menu.
  4. Click on the "Allow connections from computers running any version of Remote Desktop (less secure)" radio button.

  Note: This option is equivalent to the "Allow users to connect remotely to this computer" option, when using Windows XP, as an operating system. The "Allow connections only from computers running remote desktop with Network Level Authentication (more secure)" option is unique to remote desktop connections via the local remote desktop clients, when both use the Windows Vista operating system.

  For detailed instructions on how to remotely access the desktop of each of your computers using the Embedded NGX appliances' Remote Desktop feature, refer to Safe@Office v7.5 User Guide - Chapter 18 'Using Remote Desktop'.

Toshiba PCX5000

Show All In This Section

• What upgrade options do I have? (LP12332)

  Currently, only the Safe@Home firewall option is available.

• How do I purchase an upgrade for my PCX5000? (LP12333)

  If you have your PCX5000 connected to the internet, connect with your browser to http://my.pcx, click on 'Setup > System > Upgrade', choose to upgrade by entering a product key, click "Next", and click on the link for more information The link will redirect you to the upgrade purchase page.
  Fill in your personal and credit card information. After submitting, you'll get a product key for upgrade. Refer to the PCX5000 user guide for additional information.

• I have purchased the upgrade online, received a product key and tried to install it, but I get an error message that the product key cannot be authenticated - what can I do? (LP12334)

  When you entered the MAC address in the web form, you either typed the wrong MAC address, or did not use the LAN MAC address. Connect with your browser to http://my.pcx and click on the Status menu. Make sure to use the LAN MAC address that appears on this page.

• Does the upgrade include additional managed services such as URL filtering and email Anti-Virus scanning? (LP12336)

  No. The upgrade only activates the firewall options. Additional managed services will be available through select service providers in the future.

• Where can I download the latest PCX5000 user guide, drivers and documentation? (LP12337)

  Connect with your browser to the Toshiba PCX5000 home page for downloads.

• What technical support will I get from Check Point for the Toshiba PCX5000 Cable Modem? (LP12338)

  Check Point will provide you with technical support on subjects concerning the Safe@ firewall only. For hardware problems, installation issues, configuration and wireless issues, contact Toshiba.

• What technical support options do I have with Toshiba? (LP12339)

  For Toshiba support options, refer to the Toshiba PCX5000 home page.

• What if I don't want to purchase the upgrade online - who can I talk to? (LP12340)

  Send your upgrade request to order@checkpoint.com. A Check Point representative will contact you to get your billing information.

• Who can I call if there is a problem with my order or billing?

  Contact order@checkpoint.com.