Infinity CHECK POINT 1100 Administration Manual

Appliances centrally managed

6 November 2017
CHECK POINT
1100/1200R/1400
APPLIANCES
CENTRALLY MANAGED
R77.20.70
Models: L-50, L-50D, L-50W, L-50WD, L-61i, L-71,
L-71W, L-72, L-72W, L-72P
Administration Guide


Summary of Contents for Infinity CHECK POINT 1100

  • Page 1 6 November 2017 CHECK POINT 1100/1200R/1400 APPLIANCES CENTRALLY MANAGED R77.20.70 Models: L-50, L-50D, L-50W, L-50WD, L-61i, L-71, L-71W, L-72, L-72W, L-72P Administration Guide...
  • Page 2 © 2017 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point.
  • Page 3: Important Information

    Important Information Latest Software We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks. Check Point R77.20.70 For more about this release, see the R77.20.70 home page http://supportcontent.checkpoint.com/solutions?id=sk120473.
  • Page 4: Table Of Contents

    Contents: Important Information (p. 3); Check Point 1100, 1200R, and 1400 Appliance Overview (p. 7); Installation (p. 8); Setting Up the Check Point Appliance (p. 8); Connecting the Cables (p. 8); About the PoE (p. 8); Deployment Types (p. 9); Predefining a Centrally Managed Deployment ...
  • Page 5 Sample Configuration File (p. 40); Preparing the Configuration Files (p. 40); Deploying the Configuration File - Initial Configuration (p. 40); Deploying the Configuration File - Existing Configuration (p. 41); Viewing Configuration Logs (p. 42); Troubleshooting Configuration Files (p. 42); Using the set property Command (p. 43); Appliance Configuration ...
  • Page 6 Viewing Active Connections (p. 110); Viewing Monitoring Data (p. 111); Viewing Reports (p. 111); Using System Tools (p. 111); SNMP (p. 111); Advanced Configuration (p. 113); Dynamic Routing (p. 113); Upgrade Using a USB Drive (p. 114); Upgrade Using an SD Card (p. 116); Boot Loader ...
  • Page 7: Check Point 1100, 1200R, And 1400 Appliance Overview

    Check Point 1100, 1200R, and 1400 Appliance Overview Check Point 1100, 1200R, and 1400 appliances support the Check Point Software Blade architecture and provide independent, modular and centrally managed security building blocks. You can quickly enable and configure the Software Blades to meet your specific security needs.
  • Page 8: Installation

    The PoE standard model is fully supported. It is fully compliant with 802.3af (PoE) and 802.3at (PoE+). All 4 ports support 802.3af. Due to power budget limitations, only 2 ports at a time support 802.3at. Check Point 1100/1200R/1400 Appliances Centrally Managed Administration Guide R77.20.70...
  • Page 9: Deployment Types

    After you install the SmartConsole clients you can define the Check Point Appliance object in SmartDashboard (in small-scale deployments) or create a SmartLSM profile (in large-scale deployments) and prepare the security policy.
  • Page 10: Small-Scale Deployment Installation

    2. From the Network Objects tree, right click Check Point and select Security Gateway. The Check Point Security Gateway Creation window opens. 3. Select Wizard Mode. The wizard opens to General Properties.
  • Page 11 In the Blade Activation page, select the software blades that you want to activate and configure. To configure blades later: 1. Select Activate and configure software blades later. 2. Click Next.
  • Page 12 4. If you want to configure more options of the Security Gateway, select Edit Gateway properties for further configuration. 5. Click Finish. The General Properties window of the newly defined object opens.
  • Page 13: Defining A Gateway Cluster Object

    Creating a Cluster for New Gateways To create a cluster for new gateways: • Set up and configure the Check Point Appliance gateways. • Create and configure the cluster object in SmartDashboard that represents the gateways.
  • Page 14 The Check Point Security Gateway Cluster Creation dialog box opens. 3. Select Wizard Mode. The wizard opens to General Properties. 4. Enter a name for the Check Point Appliance cluster. 5. Click Next. The wizard opens to Cluster Members.
  • Page 15 WAN interface is always part of the cluster. If you do not want the WAN interface to be part of the cluster, double-click on the Check Point Appliance security gateway cluster object, and select Topology node > Edit Topology.
  • Page 16 2. Define the IP address as the IP used by the existing gateway GW. 3. Define the first member with GW_2's IP address. Important - Do not define the second member using the wizard. 4. Establish trusted communication.
  • Page 17: Creating The Security Policy

    Rule Base. This Security Policy can be applied to numerous Check Point Appliance gateways. Resolution of the security zone is done by the actual association on the Check Point Appliance gateway object in SmartDashboard.
  • Page 18 OK. 6. In the Action field, select accept. 7. Right-click the Install On field, select Add > Targets, and select the gateway object or SmartLSM profile.
  • Page 19 SmartDashboard popup notification balloons when such events occur. You can configure these notifications. To monitor the status of the last policy installed on each gateway, you can use the Policy Installation Status window.
  • Page 20 NAT). Pending Same as above but there are verification warnings. Warning Warning. Information Information. Failed Policy not installed due to a verification error. Failed Policy installation failed.
  • Page 21: Setting Server IP Behind A 3rd Party NAT Device

    IP address. You can configure this from the First Time Configuration Wizard - Security Management Server Connection page (select Always use this IP address and enter the IP address) or from the WebUI Home > Security Management page.
  • Page 22: Large-Scale Deployment Installation

    Use a USB drive to quickly configure multiple appliances without the First Time Configuration Wizard. For more details, see Deploying from a USB Drive. 5. Manage the appliance settings in SmartProvisioning.
  • Page 23: Defining A SmartLSM Gateway Profile For A Large-Scale Deployment

    • Prepare the WAN interfaces on the same subnet. • Select a random IP address from the WAN and the Internal networks addresses pool to use as the Cluster Virtual IP.
  • Page 24: Deploying With SmartProvisioning

    SmartDashboard. Configure these appliances using the First Time Configuration Wizard or a USB drive configuration file before you manage them with SmartProvisioning. For more information about large-scale deployment using SmartProvisioning, see the SmartProvisioning Administration Guide
  • Page 25: Installing A Security Policy

    SmartDashboard popup notification balloons when such events occur. You can configure these notifications. To monitor the status of the last policy installed on each gateway, you can use the Policy Installation Status window.
  • Page 26 NAT). Pending Same as above but there are verification warnings. Warning Warning. Information Information. Failed Policy not installed due to a verification error. Failed Policy installation failed.
  • Page 27 From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked. • From notification balloons - Click See Details in the balloon.
  • Page 28: SmartProvisioning

    5. In No Provisioning Profile, select this option if you want to enable provisioning but are not yet ready to assign a specific profile. 6. In Provisioning Profile, select the provisioning profile to assign to this gateway, from the list of profiles created in SmartProvisioning. 7. Click Next.
  • Page 29: Communication Properties

    For a CA certificate from a third party (for example, if your organization already has certificates from an external CA for other devices), clear this checkbox and request the certificate from the appropriate CA server. 2. Click Next.
  • Page 30: Finish

    For more information, see Managing Device Settings (on page 32). 4. In No Provisioning Profile, select this option if you want to enable provisioning but are not yet ready to assign a specific profile.
  • Page 31: Cluster Names

    2. On each Check Point Appliance, open the WebUI Home > Security Management page and click Fetch Policy to manually pull the policy immediately. Alternatively, the appliance connects to the Security Management Server at predefined periodic intervals to pull the policy.
  • Page 32: Defining SmartLSM Gateways Using LSM CLI

    Gateway version must match its SmartLSM profile's version as defined in SmartDashboard for correct policy behavior. As a result, after firmware upgrade, the SmartLSM profile is replaced with the default SmartLSM security profile.
  • Page 33 6. In Default SmartLSM Profile after installation, select the new SmartLSM profile of the Security Gateway (the Security Gateway version must match its SmartLSM profile's version as defined in SmartDashboard for correct policy behavior). The Security Gateway replaces its...
  • Page 34: Configuring RADIUS

    To configure RADIUS settings on a Provisioning Profile: 1. Open the Security Gateway Profile window, and select the RADIUS tab. 2. Select Manage RADIUS settings centrally from this application. 3. Click Advanced. The Profile Settings window opens.
  • Page 35: Configuring Hotspot

    • Allow users from specific group - Select to allow access to a specific user group and not all users. Enter the group's name in the text box. 7. Click Apply.
  • Page 36: Configuring A Configuration Script

    Mandatory - Each gateway is managed without a Provisioning Profile. 6. Click OK. Your selection determines the functionality of the Gateway window for the type of device configuration for which you made this profile setting.
  • Page 37 Warning - If you select Use the following settings and do not enter values for a specified topic, the current settings on the device are deleted.
  • Page 38: First Time Deployment Options

    The settings from the Zero Touch server replace the First Time Configuration Wizard. After the gateway downloads and successfully applies the settings, it does not connect to the Zero Touch server again. For more information on how to use Zero Touch, see sk116375 http://supportcontent.checkpoint.com/solutions?id=sk116375.
  • Page 39: Deploying From A USB Drive Or SD Card

    The Check Point Appliance starts, automatically mounts the USB drive or SD card, and searches the root directory for a configuration file. Note - The USB drive must be formatted in FAT32.
  • Page 40: Sample Configuration File

    You can deploy the configuration file to the Check Point Appliance when the appliance is off or when it is powered on. Important - Do not remove the USB drive or insert a second USB drive while the configuration script runs. This may cause a configuration error.
  • Page 41: Deploying The Configuration File - Existing Configuration

    ("Preparing the Configuration Files" on page 40). For more information about errors with configuration files, see Troubleshooting Configuration Files (on page 42).
  • Page 42: Viewing Configuration Logs

    ..sd 2:0:0:0: [sda] Assuming drive cache: write through sd 2:0:0:0: [sda] Assuming drive cache: write through ............. System Started... Start running autoconfiguration CLI script from USB2 ... Error. autoconf.00-1C-7F-21-07-94.2011-07-21.1248.log was copied to USB2
  • Page 43: Using The Set Property Command

    USB_auto_configuration once - The appliance only runs the next configuration script from a USB drive. • set property USB_auto_configuration any - The appliance always runs configuration scripts from a USB drive.
  • Page 44: Appliance Configuration

    Note - If the locale of a user matches a localized WebUI, the Login window automatically loads in the specified language. Only English is supported as the input language.
  • Page 45: The Home Tab

    To go to other blade statistics, click the arrows in the header. 3. If the blade is turned off or has no license: Click View demo to see an example of the statistics shown and then click Close.
  • Page 46: Setting The Management Mode

    If trust was established but the gateway could not fetch the policy, you can investigate the issue with the Security Management Server administrator. When the issue is resolved, click the Fetch Policy button that shows instead of the Connect button.
  • Page 47: Managing Licenses

    You are notified that you successfully activated the appliance. After initial activation, the Activate License button shows Reactivate. If changes are made to your license, click Reactivate to get the updated license information.
  • Page 48: Viewing The Site Map

    Zone - Shows if the appliance is connected physically or through a wireless connection. • Traffic - Shows upload and download packet rates for all IP addresses when traffic monitoring is active. Note - Traffic monitoring does not differentiate between IPv4 and IPv6 addresses.
  • Page 49: Viewing Monitoring Data

    Connections. You can click the links to open the corresponding WebUI pages. The Monitoring page is divided into these sections: • Network • Security • Troubleshooting To expand or collapse the sections, click the arrow icon in the section's title bar.
  • Page 50 Threat Emulation - Malicious files found since the last reboot and how many files scanned. • The number of IPS attacks. You can click the links to open the Threat Prevention > Blade Control page.
  • Page 51: Viewing Reports

    Hourly reports - 2-3 minutes from startup. • Daily reports - 1-2 hours from startup. • Weekly reports - 2-4 hours from startup. • Monthly reports - 4-8 hours from startup.
  • Page 52 Click a link to go directly to the selected section. Report Pages Each report page shows a detailed graph, table, and descriptions. Note - This page is available from the Home and Logs & Monitoring tabs.
  • Page 53: Using System Tools

    To perform a DNS lookup: 1. Enter a Host Name or IP Address. 2. Click Lookup. The output appears in the Command Output window. 3. Click Close to return to the Tools page.
  • Page 54 To download the Windows driver for Mini-USB console socket (1400 appliances only): Click the Download link. Note - This page is available from the Home, Device, and Logs & Monitoring tabs.
  • Page 55: Managing The Device

    (VPNs). It does not provide any encryption or confidentiality but relies on an encryption protocol that it passes within the tunnel to provide privacy. • Bridge - Connects multiple network segments at the data link layer (Layer 2).
  • Page 56 IP address or host name. Probe DNS servers - When you select this option, the appliance probes the DNS servers as defined in the Internet connection and expects responses.
  • Page 57 Kbps rates for the selected options as provided by your ISP for the Internet upload and download bandwidth. Make sure that the QoS blade has been turned on. You can do this from Home > Security Dashboard > QoS > ON.
  • Page 58: Configuring The Wireless Network

    Note - If you turn off the wireless radio and then turn it back on, the VAPs remain disabled. To enable the VAPs, you must select the relevant entries in the table and click Enable. • To disable or enable the Wireless network, click Disable/Enable.
  • Page 59 Users & Objects > Authentication Servers page. Each user that tries to connect to the wireless network is authenticated through the RADIUS server. This option is also known as WPA Enterprise.
  • Page 60 DHCPv6 Server - Enter the IP address range and the IP addresses exclude range • DHCPv6 Server Relay - Enter the DHCPv6 server IP address and the Secondary DHCPv6 server IP address
  • Page 61 Use the following WINS servers - Enter the IP addresses of the First and Second WINS servers. Lease • Lease time - Configure the timeout in hours for a single device to retain a dynamically acquired IP address.
  • Page 62: Configuring The Local Network

    1400 appliances only: There are two radio transmitters: 2.4 GHz and 5 GHz. Each network is configured separately under a specified transmitter. To create any of the above options: Click New and choose the option you want.
  • Page 63 3. Choose the IP address and Subnet mask the switch uses. 4. Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface. Hotspot configuration is defined in the Device > Hotspot page.
  • Page 64 4. To use Automatic Learning, do not select Manually define internal networks and click Apply. 5. To use your own network definitions, select Manually define internal networks. The network definition features and table show.
  • Page 65 1. Run this CLI command: set monitor-mode-configuration allow-monitor-mode true 2. Select an interface and click Edit. Monitor Mode is now added to the options list. For more information on monitor mode, see sk112572 http://supportcontent.checkpoint.com/solutions?id=sk112572.
  • Page 66 These options create automatic rules that are shown in the Access Policy > Firewall Policy page. • Allow access from this network to local networks • Log traffic from this network to local networks
  • Page 67 Local IPv4 address - The IP address to be used for the local point-to-point virtual interface. • Remote IP address - The IP address to be used at the peer gateway’s point-to-point virtual interface.
  • Page 68 Exclude from DNS proxy – Select this checkbox for any network that you do not want exposed to internal domains. In guest VAPs (wireless network for guests), this is selected by default.
  • Page 69 IP address. Other Settings You can optionally configure these additional parameters so they will be distributed to DHCP clients: • Time servers • Call manager • TFTP server • TFTP boot file
  • Page 70: Configuring A Hotspot

    The Manage Hotspot Network Objects Exceptions window opens. 2. Select the objects to add as exceptions. The Selected Network Objects window shows the selected objects. To remove an object from the list, click the x next to it.
  • Page 71 The same user cannot log in to the Hotspot portal from more than one computer at a time. On the Active Computers page (available through the Home and Logs & Monitoring tabs), you can revoke Hotspot access for connected users.
  • Page 72: Configuring The Routing Table

    Specified IP address - Enter the IP Address and Mask 5. Click any destination and select an option in the new window that opens: • Specified IP address - Enter the IP Address and Mask
  • Page 73 To edit an existing route: Select the route and click Edit. To delete an existing route: Select the route and click Delete.
  • Page 74: Configuring MAC Filtering

    Broadcast traffic such as ARP and DHCP is not blocked. • To configure MAC filtering for a DMZ interface, you must use CLI. You cannot configure MAC filtering in the WebUI.
  • Page 75 1. Go to Device > Local Network. Select the LAN interface and click Edit. 2. The Edit window opens in the Configuration tab. 3. Click the Advanced tab. 4. Clear Activate 802.1x authentication. 5. Click Apply.
  • Page 76: Configuring The DNS Server

    Note these syntax guidelines: • The domain name must start and end with an alphanumeric character. • The domain name can contain periods, hyphens, and alphanumeric characters. 4. Click Apply.
  • Page 77: Configuring The Proxy Server

    The factory default settings are restored. The appliance reboots to complete the operation. Note - This restores the default software image which the appliance came with and also the default settings (IP address https://192.168.1.1:4434, the username: admin and password: admin).
  • Page 78 The appliance reboots to complete the operation. To backup appliance settings: 1. Click Backup. The Backup Settings page opens. 2. To encrypt the backup file, select the Use File Encryption checkbox. Set and confirm a password.
  • Page 79 Click Upload. This may take a few minutes. When the upload is complete, the wizard automatically validates the image. A progress indicator at the bottom of the page tells you the percentage completed. When there is successful image validation, an "Upload Finished" status shows.
  • Page 80 3. Click Enable scheduled backups. 4. Configure the file storage destination (see below). 5. Optional - Select Use file encryption. If you select this option, you must enter and confirm a password.
  • Page 81: Configuring Local And Remote System Administrators

    If you continue the login process, the first administrator session ends automatically. The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows.
  • Page 82 2. Configure the session timeout (maximum time period of inactivity in minutes). The maximum value is 999 minutes. 3. To limit login failure attempts, click the Limit administrators login failure attempts checkbox.
  • Page 83 4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <group_name> Where <group_name> is the name of the RADIUS group that is defined in the Check Point Appliance WebUI.
  • Page 84 3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <group_name> Where <group_name> is the name of the RADIUS group that is defined in the Check Point Appliance WebUI.
  • Page 85: Configuring Administrator Access

    • IPv4 network • IPv6 address (1200R and 1400 appliances only) • IPv6 network (1200R and 1400 appliances only) 4. Enter the IP address or click Get IP from My Computer.
  • Page 86 When you block the IP address or the interface group through which you are currently connected, you are not disconnected immediately. The access policy is applied immediately, but your current session remains active until you log out.
  • Page 87: Managing Device Details

    Secret Identifier (this is optional). You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘ " # + \ 5. Click Apply.
  • Page 88: Configuring DDNS And Access Services

    3. Make sure Reinitialize internal certificates is selected. When you enable this feature or change settings, you must reinitialize the internal certificates for them to be valid for the new DNS.
  • Page 89: Using System Tools

    The validation token, web link, and shell link are shown on the DDNS & Appliance Access page. 5. Go to Device > Administrator Access. Configure Internet as a source for administrator access and set specified IP addresses. Using System Tools See Using System Tools (on page 53).
  • Page 90: Managing Installed Certificates

    "Verified". To upload a P12 file: 1. Click Upload P12 Certificate. 2. Browse to the file. 3. Edit the Certificate name if necessary. 4. Enter the certificate password. 5. Click Apply.
  • Page 91: Configuring High Availability

    To reset all the appliance attributes to the default settings: 1. From the Advanced Settings window, click Restore Defaults. The Confirm window opens. 2. Click Yes. All appliance attributes are reset to the default settings.
  • Page 92 Two appliances, one in active mode and the other in passive mode, can allow a client to remotely connect to a console connected to the appliance in passive mode over the internet using a telnet connection.
  • Page 93: Managing Users And Objects

    3. Click Edit. The User Management window opens. 4. Click the checkbox for Automatically delete expired local users. 5. Click Apply. Expired local users are automatically deleted every 24 hours (after midnight).
  • Page 94: Configuring Local And Remote System Administrators

    4. Click Apply. The name and Administrator Role are added to the table. When logged in to the WebUI, the administrator name and role are shown at the top of the page.
  • Page 95 6. To enforce password complexity on administrators, click the checkbox and enter the number of days for the password to expire. 7. Click Apply. Note - This page is available from the Device and Users & Objects tabs.
  • Page 96 1. Create the dictionary file dictionary.checkpoint in /etc/freeradius/ on the RADIUS server:

        # Check Point dictionary file for freeradius AAA server
        VENDOR CheckPoint 2620
        ATTRIBUTE CP-Gaia-User-Role string CheckPoint
        ATTRIBUTE CP-Gaia-SuperUser-Access integer CheckPoint

    2. Add to /etc/freeradius/dictionary the line:

        $INCLUDE dictionary.checkpoint
  • Page 97 1. Connect to the Check Point Appliance platform using an SSH client or serial console client. 2. Log in to the clish shell using your user name and password. 3. Run Expert 4. Enter the expert password.
  • Page 98: Managing Authentication Servers

    To edit a RADIUS server: 1. Click the IP address link of the RADIUS server you want to edit. 2. Make the necessary changes. 3. Click Apply. The changes are updated in the RADIUS server.
  • Page 99 When you edit, note that the Domain information is read-only and cannot be changed. When you add a new Active Directory domain, you cannot create another object using an existing domain.
  • Page 100: Managing System Services

    You use service objects to easily define the different network protocols. This is usually with IP protocol and ports (used by the TCP and UDP IP protocols). You can use these objects to define policy based routing in the Device > Routing page.
  • Page 101: Managing Service Groups

    The Users & Objects > Service Groups page lists the service groups defined in the system. In this page you can add new service groups, and edit or delete existing service groups. There are built in service groups for common services.
  • Page 102: Managing Network Objects

    Single IP - A network object that represents a device with a single IP address. • IP Range - A network object that represents a range of IP addresses. • Network - A network object that represents a network.
  • Page 103 4. Enter the Object name. 5. Click Apply. To edit a network object: 1. Select a network object from the list. 2. Click Edit. 3. Make the necessary changes. 4. Click Apply.
  • Page 104: Managing Url Lists

    Note - The names of the predefined URLs lists do NOT show the LOCAL_ prefix that was used to define the application in Security Management Server. For example, LOCAL_whitelist is shown as just whitelist.
  • Page 105 To filter for a specified URLs list: Do one of these: • In the All Lists box, select the URLs list. • In the Type to filter field, enter the URLs list name to show matching results.
  • Page 106: Logs And Monitoring

    SD card (persistent). When you insert an SD card, it mounts automatically and then local logs are saved to it. Before you eject an SD card, make sure to unmount it. Select Options > Eject SD card safely.
  • Page 107: Viewing System Logs

    This is an effort to keep syslogs persistent across boot, but not 100% guaranteed. To refresh the system logs list: Click Refresh. The list is refreshed. To clear the log list: 1. Click Clear Logs. 2. Click OK in the confirmation message.
  • Page 108: Configuring External Log Servers

    Point Appliance through DHCP or User Awareness. • Incident type - Shows the detected incident type: • Found bot activity • Downloaded a malware • Accessed a site known to contain malware
  • Page 109 Monitoring > Security Logs page. An alert is a flag on a log. You can use it to filter logs. 4. Optional - Add a comment in the Write a comment field. 5. Click Apply. The rule is added to Malware Exceptions on the Threat Prevention > Exceptions page.
  • Page 110: Viewing Vpn Tunnels

    The Logs & Monitoring > Connections page shows a list of all active connections. The list shows these fields: • Protocol • Source Address • Source Port • Destination Address • Destination Port
  • Page 111: Viewing Monitoring Data

    To edit an existing SNMP v3 user, select the user from the list and click Edit. • To delete an SNMP v3 user, select the user from the list and click Delete.
  • Page 112 2. Select the Enable trap option to enable the trap or clear it to disable the trap. 3. If the trap contains a value, you can edit the threshold value when necessary. 4. Click Apply.
  • Page 113: Advanced Configuration

    See the Gaia Advanced Routing Administration Guide for more information. Note - The save config and route map commands are not supported.
  • Page 114: Upgrade Using A Usb Drive

    Check Point rarely releases a new Boot Loader. When it does, it usually comes with a new image. To upgrade to a new U-Boot or Firmware image, you must boot the appliance. Replace the Boot Loader before you upgrade to a new image.
  • Page 115 Note - When you upgrade with a USB drive, you also replace the saved factory defaults image of the appliance as this method reburns the appliance. Note - Uboot update from a USB drive is currently not supported in 1400 appliances.
  • Page 116: Upgrade Using An Sd Card

    First the autoconf.clish configuration file is loaded. If there is a configuration file with the same MAC address as the gateway, that file is loaded second. Use the # symbol to add comments to the configuration file.
  • Page 117: Boot Loader

    Please enter your selection: When you are in Boot Loader, all interfaces are down and you can only activate them for options that require connectivity. At this point Check Point’s services are not active.
  • Page 118: Upgrade Using Boot Loader

    (pull the power cable out and put it back in). An error in the upgrade process is indicated by all LAN Link and Activity LEDs blinking red.
  • Page 119: Restoring Factory Defaults

    Welcome to Gaia Embedded Boot Menu:

        1. Start in normal Mode
        2. Start in debug Mode
        3. Start in maintenance Mode
        4. Restore to Factory Defaults (local)
        5. Install/Update Image/Boot-Loader from Network
  • Page 120 To disable the reset to default: Use this CLI command:

        >set additional-hw-settings reset-timeout 0

    To enable the reset to default: Use this CLI command:

        >set additional-hw-settings reset-timeout 12
  • Page 121: Index

    Deploying the Configuration File - Initial Boot Loader • 117 Configuration • 40 Deploying with SmartProvisioning • 24 Deployment Types • 9 Check Point 1100, 1200R, and 1400 Appliance Dynamic Routing • 113 Overview • 7 Cluster Interface Configuration • 15 Cluster Names • 31 Finish •...
  • Page 122 Restoring Factory Defaults • 119 Sample Configuration File • 40 Sample Configuration Log with Error • 43 Setting Server IP Behind a 3rd Party NAT Device • 21 Setting the Management Mode • 46 Setting Up the Check Point Appliance • 8 Small-scale Deployment Installation •...
