Summary of Contents for Check Point VPN-1 Edge X Series
SofaWare Technologies Ltd. Check Point, the Check Point logo, FireWall-1, FireWall-1 SecureServer, FireWall-1 SmallOffice, FloodGate-1, INSPECT, IQ...

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will...

...running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty).

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the...

Do not use any accessories other than those approved by Check Point. Failure to do so may result in loss of performance, damage to the product, fire, electric shock or...

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission.
Contents
VPN-1 Edge Products (page 2)
Product Features (page 4)
Software Requirements (page 15)
Getting to Know Your VPN-1 Edge X Series Appliance (page 16)
Getting to Know Your VPN-1 Edge X ADSL Series Appliance (page 20)
Getting to Know Your VPN-1 Edge X Industrial Series Appliance (page 25)
Getting to Know Your VPN-1 Edge W Series Appliance (page 29)
...
Adding Internal Networks to Bridges (page 208)
Adding Internet Connections to Bridges (page 213)
Configuring High Availability (page 217)
  Overview (page 217)
  Configuring High Availability on a Gateway (page 220)
  Sample Implementation on Two Gateways (page 224)
Using Traffic Shaper (page 229)
  Overview (page 229)
  Setting Up Traffic Shaper (page 230)
  Predefined QoS Classes (page 231)
  Adding and Editing Classes (page 232)
  Deleting Classes (page 236)
  Restoring Traffic Shaper Defaults (page 237)
Working with Wireless Networks (page 239)
  Overview (page 239)
  Configuring Wireless Networks (page 247)
  Troubleshooting Wireless Connectivity (page 273)
Viewing Reports (page 277)
  Viewing the Event Log (page 277)
  Using the Traffic Monitor (page 280)
  Viewing Computers (page 285)
  Viewing Connections (page 287)
  Viewing Wireless Statistics (page 289)
...
  Logging off a Remote Access VPN Site (page 470)
  Installing a Certificate (page 470)
  Uninstalling a Certificate (page 477)
  Viewing VPN Tunnels (page 478)
  Viewing IKE Traces for VPN Connections (page 481)
Managing Users (page 483)
  Changing Your Login Credentials (page 483)
  Adding and Editing Users (page 486)
  Adding Quick Guest HotSpot Users (page 489)
  Viewing and Deleting Users (page 491)
  Setting Up Remote VPN Access for Users (page 492)
  Using RADIUS Authentication (page 492)
  Configuring the RADIUS Vendor-Specific Attribute (page 497)
Using Remote Desktop (page 501)
  Overview (page 501)
  Workflow (page 502)
  Configuring Remote Desktop (page 502)
  Configuring the Host Computer (page 506)
  Accessing a Remote Computer's Desktop (page 509)
Maintenance (page 513)
  Viewing Firmware Status (page 514)
...
  Service Center and Upgrades (page 583)
  Other Problems (page 584)
Specifications (page 585)
  Technical Specifications (page 585)
  CE Declaration of Conformity (page 592)
  Federal Communications Commission Radio Frequency Interference Statement (page 595)
  ADSL Settings (page 597)
Glossary of Terms (page 605)
Index (page 611)
Check Point VPN-1 Edge User Guide
About This Guide
To make finding information in this manual easier, some types of information are marked with special symbols or formatting. Boldface type is used for command and button names.
Note: Notes are denoted by indented text and preceded by the Note icon.

Contacting Technical Support (page 39)

About Your Check Point VPN-1 Edge Appliance
The Check Point VPN-1 Edge appliance is a unified threat management (UTM) appliance that enables secure, high-speed Internet access from the office. Developed by SofaWare Technologies, an affiliate of Check Point Software Technologies, the worldwide leader in securing the Internet, the VPN-1 Edge appliance incorporates the X and W product families.
Product Features (table; where a row lists several values separated by "|", there is one entry per model column)
• [row label truncated] (Mbps): 150 (XU) / 80 (other models)
• VPN Throughput (Mbps): 30 (XU) / 20 (other models)
• Concurrent Firewall Connections: 8,000
Hardware Features
• 4-Port LAN Switch: 10/100 Mbps
• WAN Port: Ethernet, 10/100 Mbps | Ethernet, 10/100 Mbps | ADSL2+
• DMZ/WAN2 Port: 10/100 Mbps
• Dialup Backup: with external serial / USB modem
• Console Port (Serial)
• Print Server: USB 2.0 Ports | —
Firewall & Security Features
• Check Point Stateful Inspection Firewall
• Application Intelligence
• SmartDefense™ (IPS)
• Network Address Translation (NAT)
• P2P File Sharing Blocking / Monitoring
• Port-based and Tag-based VLAN
• Port-based Security (802.1x)
• Secure HotSpot (Guest Access)
• Remote Access Users: 1/10/15/25
• VPN Server with SecuRemote, L2TP, OfficeMode and RADIUS Support
• Site-to-Site VPN Gateway
• Automatic Gateway Failover (HA)
• Dynamic Routing
Management
• Central Management: Check Point SmartCenter, Check Point SmartLSM, Check Point SmartUpdate, Check Point Provider-1, SofaWare SMP
• Local Management: HTTP / HTTPS / SSH / SNMP / Serial CLI
• Remote Desktop: Integrated Microsoft Terminal Services Client
Chapter 1: Introduction
Product Features (continued)
Hardware Specifications (one entry per model column; the middle column is the X Industrial model, the DC-powered, DIN-rail-mounted unit described later in this chapter)
• Power: 100/110/120/210/220/230VAC (Linear Power Adapter) or 100~240VAC (Switched Power Adapter) | 5V DC / 24V DC | 100/110/120/210/220/230VAC (Linear Power Adapter) or 100~240VAC (Switched Power Adapter)
• Mounting Options: Desktop, Wall, or Rack Mounting* | DIN Rail or Rack Mounting* | Desktop, Wall, or Rack Mounting*
• Dialup Backup (Req. Ext. Modem)
• Console Port (Serial)
• Print Server
• USB 2.0 Ports
Firewall & Security Features
• Check Point Stateful Inspection Firewall
• Application Intelligence (IPS)
• Intrusion Detection and Prevention using Check Point SmartDefense
• Network Address Translation (NAT)
• Four Preset Security Policies
• Anti-spoofing
• Voice over IP (H.323) Support
• Unlimited INSPECT Policy Rules
• Instant Messenger Blocking / Monitoring
• P2P File Sharing Blocking / Monitoring
• Port-based and Tag-based VLAN
• Port-based Security (802.1x)
• Secure HotSpot (Guest Access)
• Remote Access Users: 1/10/15/25
• VPN Server with OfficeMode, SecuRemote, L2TP...
• Transparent Bridge Mode
• Spanning Tree Protocol (STP)
• Traffic Shaper (QoS)
• Traffic Monitoring
• Dead Internet Connection Detection (DCD)
• Backup Internet Connection
• DHCP Server, Client, and Relay
• MAC Cloning
• Static NAT
• Static Routes and Source Routes
Management
• Central Management: Check Point SmartCenter, Check Point SmartLSM, Check Point SmartUpdate, Check Point Provider-1, SofaWare SMP
• Local Management: HTTP / HTTPS / SSH / SNMP / Serial CLI
• Remote Desktop: Integrated Microsoft Terminal Services Client
• Local Diagnostics Tools
...
• VPN Management
• Security Reporting
• Vulnerability Scanning Service
These services require an additional subscription purchase. For more information, contact your Check Point reseller.
Software Requirements
One of the following browsers:
• Microsoft Internet Explorer 6.0 or higher
• ...
Getting to Know Your VPN-1 Edge X Series Appliance
Package Contents
The VPN-1 Edge X package includes the following:
• VPN-1 Edge X Internet Security Appliance
• Power supply
• CAT5 Straight-through Ethernet cable
• ...
Rear Panel
All physical connections (network and power) are made via the rear panel of your VPN-1 Edge appliance.
Figure 1: VPN-1 Edge X Appliance Rear Panel
The following table lists the VPN-1 Edge X appliance's rear panel elements.
• Serial: A serial (RS-232) port used for connecting a computer in order to access the VPN-1 Edge CLI (Command Line Interface), or for connecting an external dialup modem. Depending on the appliance model, this port has either a DB9 RS-232 connector or an RJ-45 connector.
...
Table 6: VPN-1 Edge X Appliance Status LEDs
PWR/SEC
• Off: Power off
• Flashing quickly (Green): System boot-up
• Flashing slowly (Green): Establishing Internet connection
• On (Green): Normal operation
• Flashing (Red): Hacker attack blocked
...
Getting to Know Your VPN-1 Edge X ADSL Series Appliance
Package Contents (continued)
• Power supply
• CAT5 Straight-through Ethernet cable
• Getting Started Guide
• Documentation CDROM
• Wall mounting kit
• RS232 serial adaptor (RJ45 to DB9)
• USB extension cable
• RJ11 telephone cable
Network Requirements
• 10BaseT or 100BaseT Network Interface Card installed on each computer
• CAT 5 STP (Category 5 Shielded Twisted Pair) Straight Through Ethernet cable for each attached device
• ...
...VPN-1 Edge model for your phone line: Annex A for POTS (regular) phone lines, and Annex B for ISDN (digital) phone lines. Your VPN-1 Edge model's ADSL annex type appears on the bottom of the appliance.
Rear Panel Elements
• DMZ/WAN2: A dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) computer or network. Alternatively, it can serve as a secondary WAN port or as a VLAN trunk.
...
Status LEDs (continued)
• ...: ADSL connection established
• DAT Off: ADSL line is idle
• DAT Flashing: Data is being transmitted/received
• Flashing (Green): VPN port in use
• Serial Flashing (Green): Serial port in use
• Flashing (Green): USB port in use
Getting to Know Your VPN-1 Edge X Industrial Series Appliance
A growing number of manufacturing companies control machines on the production floor over Ethernet. When equipment is exposed to mixed networks of Industrial Ethernet and TCP/IP, it is also exposed to network attacks, malware, and security configuration errors, which can lead to downtime, equipment damage, or even personal injury.
...
Rear Panel Elements
• Slots (element label truncated): Note: Additional slots appear on each of the appliance's side panels. For information on mounting the appliance on a DIN rail, see Mounting the VPN-1 Edge X Industrial Appliance on a DIN Rail on page 51.
• Circular holes: Holes for the DIN rail bracket's screws. Note: Additional holes appear on each of the appliance's side panels. For information on mounting the appliance on a DIN rail, see Mounting the VPN-1 Edge X Industrial Appliance on a DIN Rail on page 51.
• ...: Connect the 24V DC connector plug to this jack. Do not connect power to this jack at the same time as using the 5V connector.
Table 11: VPN-1 Edge X Appliance Status LEDs
• Flashing (Green): VPN port in use
• Serial Flashing (Green): Serial port in use
PWR/SEC
• Off: Power off
• Flashing quickly (Green): System boot-up
• Flashing slowly (Green): Establishing Internet connection
• On (Green): Normal operation
• Flashing (Red): Hacker attack blocked
• On (Red): Error

Getting to Know Your VPN-1 Edge W Series Appliance
Package Contents
The VPN-1 Edge W package includes the following:...
Rear Panel
All physical connections (network and power) are made via the rear panel of your VPN-1 Edge appliance.
Figure 7: VPN-1 Edge W SBXW-166LHGE-5 Appliance Rear Panel
Figure 8: VPN-1 Edge W SBXW-166LHGE-6 Appliance Rear Panel
The following table lists the VPN-1 Edge W appliance's rear panel elements.
Table 12: VPN-1 Edge W Appliance Rear Panel Elements
• PWR: A power jack used for supplying power to the unit. Connect the supplied power supply to this jack.
• RESET: A button used for rebooting the VPN-1 Edge appliance or resetting it to its factory defaults.
...
For an explanation of the VPN-1 Edge W appliance's status LEDs, see the table below.
Table 13: VPN-1 Edge W Appliance Status LEDs
PWR/SEC
• Off: Power off
• Flashing quickly (Green): System boot-up
• Flashing slowly (Green): Establishing Internet connection
• On (Green): Normal operation
• Flashing (Red): Hacker attack blocked
• On (Red): Error
• Flashing (Orange): Software update in progress
LAN 1-4 / WAN / DMZ/WAN2
• LINK/ACT Off, 100 Off: Link is down
• LINK/ACT On, 100 Off: 10 Mbps link established for the corresponding port
• LINK/ACT On, 100 On: ...
Getting to Know Your VPN-1 Edge W ADSL Appliance
Network Requirements (continued)
• An ADSL line suitable for your appliance model:
  • For Annex A ADSL models, an ADSL over POTS line (regular telephone line)
  • For Annex B ADSL models, an ADSL over ISDN line (digital line)
• A splitter with a micro-filter, installed on all the jacks connected to the same phone line
• If desired, you can connect your appliance to an external broadband Internet connection via a cable or DSL modem with an Ethernet interface (RJ-45).
• ...
Use the VPN-1 Edge model that matches your phone line: Annex A for POTS (regular) phone lines, and Annex B for ISDN (digital) phone lines. Your VPN-1 Edge model's ADSL annex type appears on the bottom of the appliance.
Rear Panel Elements
• DMZ/WAN2: A dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) computer or network. Alternatively, it can serve as a secondary WAN port or as a VLAN trunk.
• LAN 1-4: Local Area Network switch: four Ethernet ports (RJ-45) used for connecting computers or other network devices.
...
Status LEDs (continued)
• DAT Off: ADSL line is idle
• DAT Flashing: Data is being transmitted/received
• Flashing (Green): VPN port in use
• Serial Flashing (Green): Serial port in use
• Flashing (Green): USB port in use
• WLAN Flashing (Green): WLAN in use
Contacting Technical Support
If there is a problem with your VPN-1 Edge appliance, see http://www.checkpoint.com/techsupport/. You can also download the latest version of this guide from the Check Point software subscription website.
Chapter 2: Installing and Setting Up VPN-1 Edge
This chapter describes how to set up and install your VPN-1 Edge appliance in your networking environment. This chapter includes the following topics:
• Before You Install the VPN-1 Edge Appliance (page 41)
• Wall Mounting the Appliance (page 49)
• Mounting the VPN-1 Edge X Industrial Appliance on a DIN Rail (page 51)
• Securing the Appliance against Theft (page 55)
...
Before You Install the VPN-1 Edge Appliance
Windows 2000/XP
Checking the TCP/IP Installation
1. Click Start > Settings > Control Panel. The Control Panel window appears.
2. Double-click the Network and Dial-up Connections icon. The Network and Dial-up Connections window appears.
3. Right-click the Local Area Connection icon and select Properties from the pop-up menu that opens. The Local Area Connection Properties window appears.
Installing TCP/IP Protocol
1. In the Local Area Connection Properties window, click Install…. The Select Network Component Type window appears.
2. Choose Protocol and click Add. The Select Network Protocol window appears.
3. Choose Internet Protocol (TCP/IP) and click OK. The TCP/IP protocol is installed on your computer.
TCP/IP Settings
1. In the Local Area Connection Properties window, double-click the Internet Protocol (TCP/IP) component, or select it and click Properties. The Internet Protocol (TCP/IP) Properties window opens.
...
1. Choose Apple Menus -> Control Panels -> TCP/IP. The TCP/IP window appears.
2. Click the Connect via drop-down list, and select Ethernet.
3. Click the Configure drop-down list, and select Using DHCP Server.
4. Close the window and save the setup.
Mac OS X
Use the following procedure to set up the TCP/IP protocol.
1. Choose Apple -> System Preferences. The System Preferences window appears.
2. Click Network. The Network window appears.
3. Click Configure. The TCP/IP configuration fields appear.
4. Click the Configure IPv4 drop-down list, and select Using DHCP.
5. Click Apply Now.

Wall Mounting the Appliance
For your convenience, the VPN-1 Edge appliance includes a wall mounting kit, which consists of two plastic conical anchors and two cross-head screws.
To mount the VPN-1 Edge appliance on the wall
1. Decide where you want to mount your VPN-1 Edge appliance.
...5 mm from the wall.
Align the holes on the VPN-1 Edge appliance's underside with the screws on the wall, then push the appliance in and down.
Your VPN-1 Edge appliance is wall mounted. You can now connect it to your computer. See Network Installation on page 57.

Mounting the VPN-1 Edge X Industrial Appliance on a DIN Rail
For your convenience, the VPN-1 Edge X Industrial appliance includes a DIN rail mounting bracket, which enables you to mount your appliance in any DIN rail cabinet or...
• To mount the appliance facing up, thread the DIN rail bracket's knobs into the slots on the appliance's right side panel.
• To mount the appliance facing down, thread the DIN rail bracket's knobs into the slots on the appliance's left side panel.
Note: To locate the appliance's right and left side panels, hold the appliance with its front panel facing away from you. The side panel on your left is the appliance's left side panel, and the side panel on your right is the appliance's right side panel.
...
When mounted, the appliance should appear as shown in the figure that follows in the printed guide.
Securing the Appliance against Theft
The VPN-1 Edge appliance features a security slot at the rear of the right panel, which enables you to secure your appliance against theft using an anti-theft security device.
Note: Anti-theft security devices are available at most computer hardware stores.
This procedure explains how to install a looped security cable on your appliance. The cable protects the unit against removal only; it does not stop someone who can reach the rear panel from pressing the RESET button to restore factory defaults, so the appliance should still be kept in a controlled location.
1. Slide the anti-theft device's bolt to the Open position.
2. Insert the bolt into the VPN-1 Edge appliance's security slot, then slide the bolt to the Closed position until the bolt's holes are aligned.
3. Thread the anti-theft device's pin through the bolt's holes, and insert the pin into the main body of the anti-theft device, as described in the documentation that came with your device.

Appliance Installation
Installing VPN-1 Edge X and W
To install the VPN-1 Edge appliance
1. Verify that you have the correct cable type.
Connect the other end of the cable to a cable modem, DSL modem, or office network.
Do one of the following:
• To use 24V DC input power, see Connecting a 24V Power Supply (page reference missing). You will need a 24V DC industrial power supply.
• To use 5V DC input power:
1) Connect the 5V power supply provided with the VPN-1 Edge appliance to the 5V power socket at the back of the unit.
2) Plug the power supply into the wall electrical outlet.
...
Using a small flathead screwdriver, loosen the screw in the 24V DC connector plug that came with the VPN-1 Edge appliance.
Hold the plug groove-side up, with the terminals facing you.
Insert the Green and Yellow (GND) wire in the center terminal.
Insert the Black (-) wire in the right terminal.
Insert the Brown (+) wire in the left terminal.
Firmly tighten the plug's screw.
Warning: Failure to tighten the DC connector plug's screw sufficiently may result in a fire.
Prepare the other end of the harness for connection with the 24V DC industrial power supply, by doing the following: strip the wires about 6-7 mm.
...
Connect the other end of the cable to an external cable modem, DSL modem, or office network.
Connect the power supply to the appliance's power socket, labeled PWR.
Plug the power supply into the wall electrical outlet.
Warning: The VPN-1 Edge appliance power supply is compatible with 100, 120 or 230 VAC input power. Verify that the wall outlet voltage is compatible with the voltage specified on your power supply. Failure to observe this warning may result in injuries or damage to equipment.
...
To prepare the VPN-1 Edge appliance for a wireless connection
Connect the antennas that came with your VPN-1 Edge appliance to the ANT1 and ANT2 antenna connectors on the appliance's rear panel.
Bend the antennas at the hinges, so that they point upwards.
Connecting the Appliance to Network Printers
In models with a print server, you can connect network printers.
To connect network printers
1. Connect one end of a USB cable to one of the appliance's USB ports. If needed, you can use the provided USB extension cord.
...

Setting Up the VPN-1 Edge Appliance
... Connecting to a Service Center on page 392
You can access the Setup Wizard at any time after initial setup, using the procedure below.
To access the Setup Wizard
1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears.
2. Click VPN-1 Edge Setup Wizard. The VPN-1 Edge Setup Wizard opens with the Welcome page displayed.
Chapter 3: Getting Started
This chapter contains all the information you need in order to get started using your VPN-1 Edge appliance. This chapter includes the following topics:
• Initial Login to the VPN-1 Edge Portal (page 69)
• Logging on to the VPN-1 Edge Portal (page 72)
• Accessing the VPN-1 Edge Portal Remotely Using HTTPS (page 74)
• Using the VPN-1 Edge Portal (page 76)
...

Initial Login to the VPN-1 Edge Portal
Note: The password must be five to 25 characters (letters or numbers). Five characters is the minimum the appliance accepts, not a recommendation; this password protects the gateway's entire configuration, so choose one near the upper end of the allowed length.
Note: You can change your username and password at any time. For further information, see Changing Your Password on page 483.
Click OK.
The VPN-1 Edge Setup Wizard opens, with the Welcome page displayed.
Configure your Internet connection in one of the following ways:
• Internet Wizard: The Internet Wizard is the first part of the Setup Wizard, and it takes you through basic Internet connection setup, step by step.
...

Logging on to the VPN-1 Edge Portal
To log on to the VPN-1 Edge Portal
1. Do one of the following:
• Browse to http://my.firewall. If the portal is served over plain HTTP, the login credentials cross the local network unencrypted; prefer the HTTPS procedure where possible.
• To log on through HTTPS (locally or remotely), follow the procedure Accessing the VPN-1 Edge Portal Remotely on page 74.
The login page appears.
2. Type your username and password.
3. Click OK. The Welcome page appears.
Accessing the VPN-1 Edge Portal Remotely Using HTTPS
If this is your first attempt to access the VPN-1 Edge Portal through HTTPS, the certificate in the VPN-1 Edge appliance is not yet known to the browser, so the Security Alert dialog box appears. To avoid seeing this dialog box again, install the certificate of the destination VPN-1 Edge appliance. Installing the certificate tells the browser to trust whatever certificate was presented on that first connection, so when you connect from outside the office, compare the certificate's fingerprint with the one the appliance shows when you connect from the local network before installing it.
If you are using Internet Explorer 6, do the following:
1. Click View Certificate. The Certificate dialog box appears, with the General tab displayed.
2. Click Install Certificate.
...
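The browser procedure above trusts whatever certificate the appliance presents on the first HTTPS connection. The script below is an added example, not code from this guide or from Check Point, showing the check a practitioner can run instead of clicking through: it fetches the portal's self-signed certificate, computes its SHA-256 fingerprint and pins it on first use, so any later connection that presents a different certificate is reported rather than silently accepted. It assumes the portal answers HTTPS on TCP port 443 (the guide does not state the port) and that the pin store is a JSON file beside the script; the hostname my.firewall is the one the guide uses for local access.

```python
"""Trust-on-first-use (TOFU) fingerprint pinning for a self-signed HTTPS portal.

Added example for the VPN-1 Edge guide; not part of the original document.
Assumptions: HTTPS on TCP 443 and a JSON pin store next to this script.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path

PIN_STORE = Path("appliance_pins.json")  # assumed location, not from the guide


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers and openssl display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_peer_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server certificate (DER) without chain validation.

    Validation is deliberately off: a self-signed appliance certificate has no
    chain to validate. Trust is decided afterwards by comparing the fingerprint
    against the stored pin, never by the TLS handshake alone.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    if not der:
        raise RuntimeError("server sent no certificate")
    return der


def check_pin(host: str, der_cert: bytes, pins: dict) -> str:
    """Compare the presented certificate with the stored pin for this host.

    Returns "new" (no pin yet; the fingerprint is recorded in `pins`),
    "match", or "mismatch" (the stored pin is left untouched so that the
    operator, not the script, decides whether the change is legitimate).
    """
    fp = fingerprint_sha256(der_cert)
    stored = pins.get(host)
    if stored is None:
        pins[host] = fp
        return "new"
    return "match" if stored == fp else "mismatch"


def load_pins(path: Path = PIN_STORE) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(pins: dict, path: Path = PIN_STORE) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


def verify_portal(host: str, port: int = 443) -> str:
    """Connect to the portal, apply the TOFU check and persist a newly seen pin."""
    pins = load_pins()
    der = fetch_peer_cert_der(host, port)
    result = check_pin(host, der, pins)
    if result == "new":
        save_pins(pins)
        print(f"{host}: recorded fingerprint {pins[host]}; confirm it from the local "
              f"network before installing the certificate in a browser")
    elif result == "match":
        print(f"{host}: certificate matches the stored pin")
    else:
        print(f"{host}: CERTIFICATE CHANGED, expected {pins[host]}, "
              f"got {fingerprint_sha256(der)}")
    return result


if __name__ == "__main__":
    verify_portal("my.firewall")  # portal address used by the guide for local access
```

Run it once from the office LAN to record the pin, then from the remote location: a "mismatch" on the remote path means the certificate you are about to install is not the one the appliance shows locally. Appliances of this generation may only offer TLS 1.0 or older cipher suites, which a current Python build refuses by default; lowering the context's minimum version makes the handshake succeed but is itself a weakness to record.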
Using the VPN-1 Edge Portal
• Main frame: Displays information and controls related to the selected topic. The main frame may also contain tabs that allow you to view different pages related to the selected topic.
• Status bar: Shows your Internet connection and managed services status.
Figure 18: VPN-1 Edge Portal
Main menu (continued)
• Allows you to manage VPN-1 Edge appliance users.
• Allows you to manage, configure, and log on to VPN sites.
• Help: Provides context-sensitive help.
• Logout: Allows you to log off of the VPN-1 Edge Portal.
Main Frame
The main frame displays the relevant data and controls pertaining to the menu and tab you select. These elements sometimes differ depending on which model you are using. The differences are described throughout this guide.
Status Bar
The status bar is located at the bottom of each page.
...
• Connection Failed. The VPN-1 Edge appliance failed to connect to the Service Center.
• Connecting. The VPN-1 Edge appliance is connecting to the Service Center.
• Connected. You are connected to the Service Center, and security services are active.

Logging off
Logging off terminates your administration session. Any subsequent attempt to connect to the VPN-1 Edge Portal will require re-entering the administration password.
To log off of the VPN-1 Edge Portal
• Do one of the following:
  • ...
Chapter 4: Configuring the Internet Connection
This chapter describes how to configure and work with a VPN-1 Edge Internet connection. This chapter includes the following topics:
• Overview (page 83)
• Using the Internet Wizard (page 84)
• Using Internet Setup (page 99)
• Setting Up Dialup Modems (page 129)
• Viewing Internet Connection Information (page 137)
• Enabling/Disabling the Internet Connection (page 139)
• Using Quick Internet Connection/Disconnection (page 139)
...
Note: The first time you log on to the VPN-1 Edge Portal, the Internet Wizard starts automatically as part of the Setup Wizard. In this case, skip to step 3 in the following procedure.

Using the Internet Wizard
Configuring an Ethernet-Based Connection on Non-ADSL Models
To configure an Ethernet-based connection
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
2. Click Internet Wizard. The Internet Wizard opens with the Welcome page displayed.
3. Click Next.
...
If you chose Cable Modem, continue at Using a Cable Modem Connection (page reference missing).
If you chose Static IP, continue at Using a Static IP Connection on page 91.
If you chose DHCP, continue at Using a DHCP Connection on page 92.
Using a PPPoE Connection
If you selected the PPPoE (PPP over Ethernet) connection method, the PPP Configuration dialog box appears.
1. Complete the fields using the information in the following table.
2. Click Next. The Confirmation screen appears.
3. Click Next.
...
Table 19: PPPoE Connection Fields
• Username: Type your user name.
• Password: Type your password.
• Confirm password: Type your password again.
• Service: Type your service name. This field can be left blank.

Using a PPTP Connection
If you selected the PPTP connection method, the PPP Configuration dialog box appears.
1. Complete the fields using the information in the following table.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears.
...

Using a Cable Modem Connection
No further settings are required for a cable modem connection. The Confirmation screen appears.
1. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
2. Click Finish.

Using a Static IP Connection
If you selected the Static IP connection method, the Static IP Configuration dialog box appears.
1. Complete the fields using the information in the following table.
2. Click Next. The Confirmation screen appears.
3. Click Next.
...

Using a DHCP Connection
No further settings are required for a DHCP (Dynamic IP) connection. The Confirmation screen appears.
1. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
2. Click Finish.
Configuring an Ethernet-Based Connection on ADSL Models
Note: In ADSL models, an Ethernet-based connection is made on the DMZ/WAN2 port.
To configure an Ethernet-based connection
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
...
If you chose Cable Modem, continue at Using a Cable Modem Connection (page reference missing).
If you chose Static IP, continue at Using a Static IP Connection on page 91.
If you chose DHCP, continue at Using a DHCP Connection on page 92.

Configuring a Direct ADSL Connection
To configure a direct ADSL connection
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
2. Click Internet Wizard. The Internet Wizard opens with the Welcome page displayed.
3. Click Next.
...
If you chose PPPoE or PPPoA, continue at Using a PPPoE or PPPoA Connection on page 98.
If you chose Static IP, continue at Using a Static IP Connection on page 91.
If you chose DHCP, continue at Using a DHCP Connection on page 92.

Table 22: ADSL Connection Fields
• DSL Standard: Select the standard to support for the DSL line, as specified by your ISP. This can be one of the following: ADSL2, ADSL2+, ...
...
The Confirmation screen appears.
1. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
2. Click Finish.
Using Internet Setup Table 23: PPPoE Connection Fields In this field… Do this… Username Type your user name. Password Type your password. Confirm password Type your password again. Using Internet Setup Internet Setup allows you to manually configure your Internet connection. For information on configuring bridged Internet connections, see Adding Internet Connections to Bridges on page 213.
Page 112
Using Internet Setup The Internet page appears. Next to the desired Internet connection, click Edit. Check Point VPN-1 Edge User Guide...
Page 113
Using Internet Setup The Internet Setup page appears. Do one of the following: • To configure an ADSL connection using the internal ADSL modem, continue at Configuring a Direct ADSL Connection on page 102. This option is available in ADSL models only. •...
Page 114
If you chose EoA, continue at Using an EoA Connection on page 105. If you chose PPPoE, continue at Using a PPPoE Connection on page 107. For information on configuring bridged connections, see Adding Internet Connections to Bridges on page 213.
Page 115
Using Internet Setup Using a PPPoA (PPP over ATM) Connection Complete the fields using the relevant information in Internet Setup Fields on page 122. Chapter 4: Configuring the Internet Connection...
Page 116
The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Page 117
Using Internet Setup Using an EoA (Ethernet over ATM) Connection Complete the fields using the relevant information in Internet Setup Fields on page 122.
Page 118
The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Page 119
Using Internet Setup Using a PPPoE (PPP over Ethernet) Connection Complete the fields using the relevant information in Internet Setup Fields on page 122.
Page 120
The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Page 121
Using Internet Setup Configuring an Ethernet-Based Connection In the Port drop-down list, do one of the following: • To configure an Ethernet-based connection through the WAN port, select WAN. • To configure an Ethernet-based connection through the DMZ/WAN2 port, select WAN2. This option is available in non-ADSL models only.
Page 122
Using Internet Setup Using a LAN Connection Complete the fields using the relevant information in Internet Setup Fields on page 122.
Page 123
Using Internet Setup New fields appear, depending on the check boxes you selected. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Page 124
Using Internet Setup Using a Cable Modem Connection Complete the fields using the relevant information in Internet Setup Fields on page 122.
Page 125
Using Internet Setup New fields appear, depending on the check boxes you selected. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Page 126
Using Internet Setup Using a PPPoE Connection Complete the fields using the relevant information in Internet Setup Fields on page 122.
Page 127
Using Internet Setup New fields appear, depending on the check boxes you selected. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Page 128
Using Internet Setup Using a PPTP Connection Complete the fields using the relevant information in Internet Setup Fields on page 122.
Page 129
Using Internet Setup New fields appear, depending on the check boxes you selected. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Page 130
Use this Internet connection type only if you are subscribed to Telstra® BigPond™ Internet. Telstra BigPond is a trademark of Telstra Corporation Limited. Complete the fields using the relevant information in Internet Setup Fields on page 122.
Page 131
Using Internet Setup New fields appear, depending on the check boxes you selected. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Page 132
To configure a Dialup connection on a USB port (using a connected USB modem), select USBModem1. The Connection Type field displays Dialup. Complete the fields using the relevant information in Internet Setup Fields on page 122.
Page 133
Using Internet Setup New fields appear, depending on the check boxes you selected. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Page 134
ISP. Encapsulation Type: Select the encapsulation type to use for the DSL line, as specified by your ISP. PPP Settings: Username: Type your user name. Password: Type your password. Confirm password: Type your password again.
Page 135
Using Internet Setup In this field… Do this… Service: Type your service name. If your ISP has not provided you with a service name, leave this field empty. Server IP: If you selected PPTP, type the IP address of the PPTP server as given by your ISP.
Page 136
Clear this option if you want the VPN-1 Edge appliance to obtain an IP address automatically using DHCP, but not to automatically configure the WINS server. Primary DNS Server: Type the Primary DNS server IP address.
Page 137
Using Internet Setup In this field… Do this… Secondary DNS Server: Type the Secondary DNS server IP address. WINS Server: Type the WINS server IP address. Traffic Shaper: Shape Upstream: Select this option to enable Traffic Shaper for outgoing traffic. Then, in the Link Rate field, type a rate (in kilobits/second) slightly lower than your Internet connection's maximum measured upstream speed.
Page 138
If the ISP requires authentication using the MAC address of a different computer, type the MAC address in this field. Note: In the secondary Internet connection, this field is enabled only if the DMZ/WAN2 port is set to WAN2.
Page 139
Using Internet Setup In this field… Do this… High Availability: Do not connect if this gateway is in passive state: If you are using High Availability (HA), select this option to specify that the gateway should connect to the Internet only if it is the Active Gateway in the HA cluster.
Page 140
Internet connection is considered to be down. Use this option if you have Check Point VPN gateways, and you want loss of connectivity to these gateways to trigger ISP failover to an Internet connection from which these gateways are reachable.
Setting Up Dialup Modems In this field… Do this… If you chose the Ping Addresses connection probing method, type the IP addresses or DNS names of the desired servers (fields 1, 2, 3). If you chose the Probe VPN Gateway (RDP) connection probing method, type the IP addresses or DNS names of the desired VPN gateways.
Page 142
Connect an RS232 dialup modem to your VPN-1 Edge appliance's serial port. For information on locating the serial port, see Introduction on page 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. Next to Serial, click Edit.
Page 143
Setting Up Dialup Modems The Port Setup page appears. In the Assign to Network drop-down list, select Dialup. New fields appear. Complete the fields using the information in Dialup Fields on page 132. Click Apply.
Page 144
Type the installation string for the custom modem type. If you selected a standard modem type, this field is read-only. Dial Mode: Select the dial mode the modem uses. Port Speed: Select the modem's port speed (in bits per second).
Page 145
Setting Up Dialup Modems Setting Up a USB Modem Warning: Before attaching a USB modem, ensure that the total power drawn by all connected USB devices does not exceed 5W (1A at 5V). If the total power consumed by USB devices exceeds 5W, a powered USB hub must be used, to avoid damage to the gateway. To set up a USB modem Connect a USB-based modem to one of your VPN-1 Edge appliance's USB...
Page 146
Setting Up Dialup Modems The Ports page appears. Next to USB, click Edit.
Page 147
Setting Up Dialup Modems The USB Devices page appears. If the VPN-1 Edge appliance detected the modem, the modem is listed on the page. If the modem is not listed, check that you connected the modem correctly, then click Refresh to refresh the page. Next to the modem, click Edit.
Page 148
To check that the values you entered are correct, click Test. The page displays a message indicating whether the test succeeded. Configure a Dialup Internet connection on the USB port. See Using Internet Setup on page 99.
Viewing Internet Connection Information Viewing Internet Connection Information You can view information on your Internet connection(s) in terms of status, duration, and activity. To view Internet connection information Click Network in the main menu, and click the Internet tab. The Internet page appears. For an explanation of the fields on this page, see the following table.
Page 150
For further information, see Enabling/Disabling the Internet Connection on page 139. Received Packets: The number of data packets received in the active connection. Sent Packets: The number of data packets sent in the active connection.
Enabling/Disabling the Internet Connection Enabling/Disabling the Internet Connection You can temporarily disable an Internet connection. This is useful if, for example, you are going on vacation and do not want to leave your computer connected to the Internet. If you have two Internet connections, you can force the VPN-1 Edge appliance to use a particular connection, by disabling the other connection.
Note: You can configure different DNS servers for the primary and secondary connections. The VPN-1 Edge appliance acts as a DNS relay and routes requests from computers within the network to the appropriate DNS server for the active Internet connection.
Configuring Network Settings Chapter 5 Managing Your Network This chapter describes how to manage and configure your network connection and settings. This chapter includes the following topics: Configuring Network Settings..............141 Using Network Objects ................170 Using Static Routes ..................179 Managing Ports..................185 Configuring Network Settings Note: If you accidentally change the network settings to incorrect values and are unable to connect to the my.firewall Web portal, you can connect to the appliance...
Page 154
Configuring Network Settings Configuring the LAN Network To configure the LAN Click Network in the main menu, and click the My Network tab. The My Network page appears. Click Edit in the LAN network’s row.
Page 155
Configuring Network Settings The Edit Network Settings page for the LAN network appears. In the Mode drop-down list, select Enabled. The fields are enabled. If desired, change your VPN-1 Edge appliance’s internal IP address. See Changing IP Addresses on page 154. If desired, enable or disable Hide NAT.
Page 156
Note: The following DHCP server configurations are not available for the OfficeMode network: • Enabling and disabling the VPN-1 Edge DHCP Server • Setting the DHCP range manually • Configuring DHCP relay Note: Configuring DHCP options is not available for the DMZ.
Page 157
Configuring Network Settings Enabling/Disabling the VPN-1 Edge DHCP Server You can enable and disable the VPN-1 Edge DHCP Server for internal networks. To enable/disable the VPN-1 Edge DHCP server Click Network in the main menu, and click the My Network tab. The My Network page appears.
Page 158
Click Network in the main menu, and click the My Network tab. The My Network page appears. In the desired network's row, click Edit. The Edit Network Settings page appears. To set the DHCP range manually: Clear the Automatic DHCP range check box.
Page 159
Configuring Network Settings The DHCP IP range fields appear. In the DHCP IP range fields, type the desired DHCP range. To allow the DHCP server to set the IP address range, select the Automatic DHCP range check box. Click Apply. A warning message appears.
Page 160
The My Network page appears. In the desired network's row, click Edit. The Edit Network Settings page appears. In the DHCP Server list, select Relay. The Automatic DHCP range check box is disabled, and new fields appear.
Page 161
Configuring Network Settings In the Primary DHCP Server IP field, type the IP address of the primary DHCP server. In the Secondary DHCP Server IP field, type the IP address of the DHCP server to use if the primary DHCP server fails. Click Apply.
Page 162
In the desired network's row, click Edit. The Edit Network Settings page appears. In the DHCP area, click Options. The DHCP Server Options page appears. Complete the fields using the relevant information in the following table.
Page 163
Configuring Network Settings New fields appear, depending on the check boxes you selected. Click Apply. If your computer is configured to obtain its IP address automatically (using DHCP), restart your computer. Your computer obtains an IP address in the DHCP address range. Chapter 5: Managing Your Network...
Page 164
(in the Internet Setup page). The WINS Server 1 and WINS Server 2 fields appear. WINS Server 1, 2: Type the IP addresses of the Primary and Secondary WINS servers to use instead of the gateway.
Page 165
Configuring Network Settings In this field… Do this… Automatically assign default gateway: Clear this option if you do not want the DHCP server to pass the current gateway IP address to DHCP clients as the default gateway's IP address. Normally, it is recommended to leave this option selected. When the option is cleared, the Default Gateway field is enabled.
Page 166
192.168.100.1 – 192.168.100.254. The default internal network range is 192.168.10.*. Click Apply. A warning message appears. Click OK. • The VPN-1 Edge appliance's internal IP address and/or the internal network range are changed.
Page 167
Configuring Network Settings • A success message appears. Do one of the following: • If your computer is configured to obtain its IP address automatically (using DHCP), and the VPN-1 Edge DHCP server is enabled, restart your computer. Your computer obtains an IP address in the new range. •...
Page 168
If you have more than one computer in the DMZ network, connect a hub or switch to the DMZ port, and connect the DMZ computers to the hub or switch. Click Network in the main menu, and click the Ports tab.
Page 169
Configuring Network Settings The Ports page appears. Next to the DMZ/WAN2 port, click Edit.
Page 170
The fields are enabled. 10. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 155. 11. If desired, configure a DHCP server. See Configuring a DHCP Server on page 144.
Page 171
The IP addresses are allocated from a pool called the OfficeMode network. Note: OfficeMode requires either Check Point SecureClient or an L2TP client to be installed on the VPN clients. It is not supported by Check Point SecuRemote.
Page 172
If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 155. If desired, configure DHCP options. See Configuring DHCP Server Options on page 149. Click Apply. A warning message appears. Click OK. A success message appears.
Page 173
Configuring Network Settings Configuring VLANs Your VPN-1 Edge appliance allows you to partition your network into several virtual LAN networks (VLANs). A VLAN is a logical network behind the VPN-1 Edge appliance. Computers in the same VLAN behave as if they were on the same physical network: traffic flows freely between them, without passing through a firewall.
Page 174
All outgoing traffic from a tag-based VLAN contains the VLAN's tag in the packet headers. Incoming traffic to the VLAN must contain the VLAN's tag as well, or the packets are dropped. Tagging ensures that traffic is directed to the correct VLAN. Figure 19: Tag-based VLAN
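The tag-and-drop rule described above, worked through on the wire format, as an added example that is not part of the manual and is not the appliance's code. It builds and parses Ethernet II frames with an 802.1Q tag (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), tags frames leaving a tag-based VLAN, and drops frames arriving on the trunk port that are untagged, carry a reserved VID (0 or 4095), or name a VLAN that is not configured. The MAC addresses and the set of configured VLANs are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag when vlan_id is given."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # 3-bit priority, DEI=0, 12-bit VID
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return dst, src, vlan_id, ethertype, frame[offset:]


def trunk_ingress(frame, configured_vlans):
    """Decide what happens to a frame arriving on the trunk (DMZ/WAN2) port.
    Returns the VLAN the frame belongs to, or None when it must be dropped."""
    _, _, vlan_id, _, _ = parse_frame(frame)
    if vlan_id is None:
        return None                      # untagged: cannot be attributed to a VLAN
    if vlan_id in (0, 4095) or vlan_id not in configured_vlans:
        return None                      # priority-only tag, reserved VID or unknown VLAN
    return vlan_id


def trunk_egress(frame, vlan_id):
    """Tag a frame leaving a tag-based VLAN so the switch delivers it to that VLAN only."""
    dst, src, existing, ethertype, payload = parse_frame(frame)
    if existing is not None:
        raise ValueError("frame already carries a VLAN tag")
    return build_frame(dst, src, ethertype, payload, vlan_id=vlan_id)


if __name__ == "__main__":
    # Constructed sample frames: locally administered MACs, IPv4 EtherType 0x0800
    host_a = bytes.fromhex("020000000001")
    host_b = bytes.fromhex("020000000002")
    tagged = build_frame(host_b, host_a, 0x0800, b"\x45" + b"\x00" * 19, vlan_id=10)
    print("VLAN 10 frame accepted into VLAN:", trunk_ingress(tagged, {10, 20}))
    untagged = build_frame(host_b, host_a, 0x0800, b"")
    print("Untagged frame accepted into VLAN:", trunk_ingress(untagged, {10, 20}))
```

The check in trunk_ingress is the part that matters for isolation: a frame that the switch did not tag for one of the VLANs defined on both sides (step 16 of the tag-based procedure below) must not be accepted into any of them, and accepting VID 0 would let a priority-tagged frame slip past the VLAN boundary.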
Page 175
Configuring Network Settings • Port-based Port-based VLAN allows assigning the appliance's LAN ports to VLANs, effectively transforming the appliance's four-port switch into up to four firewall-isolated security zones. You can assign multiple ports to the same VLAN, or each port to a separate VLAN.
Page 176
Based VLANs on page 167. For information on adding and editing VAPs, see Configuring Virtual Access Points on page 265. For information on adding and editing WDS links, see Configuring WDS Links on page 269.
Page 177
Configuring Network Settings Adding and Editing Port-Based VLANs To add or edit a port-based VLAN Click Network in the main menu, and click the My Network tab. The My Network page appears. Do one of the following: • To add a VLAN, click Add Network. •...
Page 178
13. Next to the LAN port you want to assign, click Edit. The Port Setup page appears. 14. In the Assign to network drop-down list, select the VLAN network's name. You can assign more than one port to the VLAN. 15. Click Apply.
Page 179
Configuring Network Settings Adding and Editing Tag-Based VLANs To add or edit a tag-based VLAN Click Network in the main menu, and click the My Network tab. The My Network page appears. Do one of the following: • To add a VLAN, click Add Network. •...
Page 180
16. Configure a VLAN trunk (802.1Q) port on the VLAN-aware switch, according to the vendor instructions. Define the same VLAN IDs on the switch. 17. Connect the VPN-1 Edge appliance's DMZ/WAN2 port to the VLAN-aware switch's VLAN trunk port.
Page 181
Configuring Network Settings Deleting VLANs To delete a VLAN If the VLAN is port-based, do the following: Click Network in the main menu, and click the Ports tab. The Ports page appears. Remove all port assignments to the VLAN, by selecting other networks in the drop-down lists.
VPN-1 Edge appliance automatically replies to ARP queries with its own MAC address, thereby enabling communication. As a result, the Static NAT Internet IP addresses appear to external sources to be real computers connected to the WAN interface.
Page 183
Using Network Objects • Assign the network object's IP address to a MAC address Normally, the VPN-1 Edge DHCP server consistently assigns the same IP address to a specific computer. However, if the VPN-1 Edge DHCP server runs out of IP addresses and the computer is down, then the DHCP server may reassign the IP address to a different computer.
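The failure mode just described, and the reservation that prevents it, as an added example; it is not the appliance's DHCP server and not code from the manual. The allocator renews the address a MAC already holds, hands out unused addresses first, and only when the pool is exhausted reuses an address whose lease has expired (the host is down). A reservation, which is what the network object's fixed IP creates, pins an address to one MAC and keeps it out of the reusable set. The lease time in seconds, the integer clock and the address range are assumptions made for the example.

```python
import ipaddress


class DhcpPool:
    """Lease allocator illustrating the behaviour described on this page.

    Assumptions not in the manual: lease_time is in seconds, `now` is an integer clock,
    and an exhausted pool reuses only addresses whose lease has already expired.
    """

    def __init__(self, first, last, lease_time, reservations=None):
        lo = int(ipaddress.ip_address(first))
        hi = int(ipaddress.ip_address(last))
        self.addresses = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.lease_time = lease_time
        self.reservations = dict(reservations or {})   # MAC -> fixed IP (network object)
        self.leases = {}                               # IP -> (MAC, expiry time)

    def _grant(self, ip, mac, now):
        self.leases[ip] = (mac, now + self.lease_time)
        return ip

    def request(self, mac, now):
        """Return the address offered to `mac`, or None if nothing is available."""
        reserved_ips = set(self.reservations.values())
        # 1. A reservation pins the address to this MAC; nobody else can take it.
        if mac in self.reservations:
            return self._grant(self.reservations[mac], mac, now)
        # 2. Consistent assignment: renew whatever this MAC already holds.
        for ip, (owner, _expiry) in list(self.leases.items()):
            if owner == mac:
                return self._grant(ip, mac, now)
        # 3. Otherwise hand out a never-leased address not reserved for someone else.
        for ip in self.addresses:
            if ip not in self.leases and ip not in reserved_ips:
                return self._grant(ip, mac, now)
        # 4. Pool exhausted: reuse an address whose lease expired, i.e. whose host is
        #    down. This is the case in which an unreserved host can lose "its" address.
        for ip in self.addresses:
            if ip in self.leases and ip not in reserved_ips and self.leases[ip][1] <= now:
                return self._grant(ip, mac, now)
        return None


if __name__ == "__main__":
    # Constructed scenario: a three-address pool, one address reserved for a server.
    pool = DhcpPool("192.168.10.10", "192.168.10.12", lease_time=100,
                    reservations={"02:00:00:00:00:aa": "192.168.10.12"})
    print(pool.request("02:00:00:00:00:01", now=0))    # 192.168.10.10
    print(pool.request("02:00:00:00:00:02", now=0))    # 192.168.10.11
    print(pool.request("02:00:00:00:00:03", now=50))   # None: pool full, nothing expired
    print(pool.request("02:00:00:00:00:03", now=120))  # 192.168.10.11: host 02's lease expired
```

In the scenario, host 02 comes back at time 130 and finds its former address held by host 03, which is exactly why the manual recommends reserving an address for any host that firewall rules or Static NAT refer to by IP.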
Page 184
The Network Objects page appears with a list of network objects. Do one of the following: • To add a network object, click New. • To edit an existing network object, click Edit next to the desired computer in the list.
Page 185
Using Network Objects The VPN-1 Edge Network Object Wizard opens, with the Step 1: Network Object Type dialog box displayed. Do one of the following: • To specify that the network object should represent a single computer or device, click Single Computer. •...
Page 186
Reserve a fixed IP address for this computer option. If you chose Network, the dialog box does not include this option. Complete the fields using the information in the tables below. Click Next.
Page 187
Using Network Objects The Step 3: Save dialog box appears. Type a name for the network object in the field. Click Finish. To add or edit a network object via the Active Computers page Click Reports in the main menu, and click the Active Computers tab.
Page 188
Do one of the following: • To specify that the network object should represent a single computer or device, click Single Computer. • To specify that the network object should represent a network, click Network. Click Next.
Page 189
Using Network Objects The Step 2: Computer Details dialog box appears. The computer's IP address and MAC address are automatically filled in. Complete the fields using the information in the tables below. Click Next. The Step 3: Save dialog box appears with the network object's name. If you are adding a new network object, this name is the computer's name.
Page 190
IP address range. Exclude this network from HotSpot enforcement: Select this option to exclude this network from Secure HotSpot enforcement. Exclude this network from Web Filtering: Select this option to exclude this network from Web Filtering.
Using Static Routes Viewing and Deleting Network Objects To view or delete a network object Click Network in the main menu, and click the Network Objects tab. The Network Objects page appears with a list of network objects. To delete a network object, do the following: In the desired network object's row, click the Erase icon.
Page 192
The Static Routes page appears, with a list of existing static routes. Do one of the following: • To add a static route, click New Route. • To edit an existing static route, click Edit next to the desired route in the list.
Page 193
Using Static Routes The Static Route Wizard opens displaying the Step 1: Source and Destination dialog box. To select a specific source network (source routing), do the following: a) In the Source drop-down list, select Specified Network. New fields appear. b) In the Network field, type the IP address of the source network.
Page 194
In the Network field, type the IP address of the destination network. c) In the Netmask drop-down list, select the subnet mask. Click Next. The Step 2: Next Hop and Metric dialog box appears.
Page 195
Using Static Routes In the Next Hop IP field, type the IP address of the gateway (next hop router) to which to route the packets destined for this network. In the Metric field, type the static route's metric. The gateway sends a packet to the route that matches the packet's destination and has the lowest metric.
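The selection rule just stated (the matching route with the lowest metric wins), together with the source-routing option from Step 1, as an added example; this is not the appliance's routing code. The manual says nothing about how equal metrics are broken, so the tie-breaker on prefix length is an assumption, and note that following the page's rule literally means a low-metric route to 0.0.0.0/0 beats a more specific route with a higher metric, which is the opposite of the longest-prefix-first order most routers apply before comparing metrics. The route table and addresses are constructed for the example.

```python
import ipaddress


class StaticRoute:
    """One row of the Static Routes page: destination network, next hop, metric and,
    for source routing, an optional source network."""

    def __init__(self, destination, next_hop, metric, source=None):
        self.destination = ipaddress.ip_network(destination, strict=False)
        self.next_hop = ipaddress.ip_address(next_hop)
        self.metric = int(metric)
        self.source = ipaddress.ip_network(source, strict=False) if source else None

    def matches(self, dst_ip, src_ip=None):
        if ipaddress.ip_address(dst_ip) not in self.destination:
            return False
        if self.source is None:
            return True
        # Source routing: the route applies only to packets from the specified network.
        return src_ip is not None and ipaddress.ip_address(src_ip) in self.source


def select_route(routes, dst_ip, src_ip=None):
    """Return the matching route with the lowest metric, as the page states.
    Assumption (not on the page): equal metrics are broken by the more specific prefix."""
    candidates = [r for r in routes if r.matches(dst_ip, src_ip)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (r.metric, -r.destination.prefixlen))


def next_hop_for(routes, dst_ip, src_ip=None):
    """Convenience wrapper returning the chosen next hop as a string, or None."""
    route = select_route(routes, dst_ip, src_ip)
    return None if route is None else str(route.next_hop)


# Constructed route table (addresses chosen for the example, not taken from the manual)
ROUTES = [
    StaticRoute("0.0.0.0/0", "10.0.0.1", metric=10),                            # default route
    StaticRoute("192.168.50.0/24", "10.0.0.2", metric=5),                       # preferred path
    StaticRoute("192.168.50.0/24", "10.0.0.3", metric=20),                      # backup path
    StaticRoute("0.0.0.0/0", "10.0.0.4", metric=1, source="192.168.10.0/24"),   # source-routed
]

if __name__ == "__main__":
    print(next_hop_for(ROUTES, "192.168.50.7"))                  # 10.0.0.2 (metric 5 beats 20)
    print(next_hop_for(ROUTES, "8.8.8.8"))                       # 10.0.0.1 (only the default matches)
    print(next_hop_for(ROUTES, "8.8.8.8", "192.168.10.5"))       # 10.0.0.4 (source route, metric 1)
    print(next_hop_for(ROUTES, "192.168.50.7", "192.168.10.5"))  # 10.0.0.4: metric 1 outranks the /24
```

The last call is the case to check before adding a source route: with the page's metric-first rule, hosts in 192.168.10.0/24 no longer reach 192.168.50.0/24 through 10.0.0.2, because the source-routed default with metric 1 outranks the more specific route with metric 5.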
Page 196
The Static Routes page appears, with a list of existing static routes. To refresh the view, click Refresh. To delete a route, do the following: In the desired route row, click the Erase icon. A confirmation message appears. Click OK. The route is deleted.
Managing Ports Managing Ports The VPN-1 Edge appliance enables you to quickly and easily assign its ports to different uses, as shown in the following table. If desired, you can also disable ports. Table 30: Ports and Assignments You can assign this port... To these uses...
Page 198
Ethernet connection's duplex state. This is useful if you need to check whether the appliance's physical connections are working, and you can’t see the LEDs on the front of the appliance. To view port statuses Click Network in the main menu, and click the Ports tab.
Page 199
Managing Ports The Ports page appears. In non-ADSL models, this page appears as follows:
Page 200
Managing Ports In ADSL models, this page appears as follows: The page displays the information for each port, as described in the following table. To refresh the display, click Refresh.
Page 201
Managing Ports Table 31: Ports Fields This field… Displays… Assign To: The port's current assignment. For example, if the DMZ/WAN2 port is currently used for the DMZ, the field displays "DMZ". Status: The port's current status. This can be any of the following: •...
Page 202
Table 32: Modifying Port Assignments To assign a port to... See... No network: The procedure below. This disables the port. The procedure below
Page 203
Managing Ports To assign a port to... See... VLAN or VLAN Trunk: Configuring VLANs on page 161. A WAN Internet connection: The procedure below. Note: When you configure an Ethernet-based Internet connection on a port, the port is automatically assigned to Internet use.
Page 204
• To disable a network port, select None. • To disable the Serial port, select Disabled. Click Apply. A warning message appears. Click OK. The port is reassigned to the specified network or purpose.
Page 205
Managing Ports Modifying Link Configurations By default, the VPN-1 Edge appliance automatically detects the link speed and duplex. If desired, you can manually restrict the appliance's ports to a specific link speed and duplex. To modify a port's link configuration Click Network in the main menu, and click the Ports tab.
Page 206
For example, if you were using the DMZ/WAN2 port as WAN2, the port reverts to its DMZ assignment, and the secondary Internet connection moves to the WAN or ADSL port.
Page 207
Managing Ports Resetting All Ports to Defaults To reset all ports to defaults Click Network in the main menu, and click the Ports tab. The Ports page appears. Click Default. A confirmation message appears. Click OK. All ports are reset to their default assignments and to "Automatic Detection" link configuration.
Overview Chapter 6 Using Bridges This chapter describes how to connect multiple network segments at the data-link layer, using bridges. This chapter includes the following topics: Overview ....................197 Workflow....................203 Adding and Editing Bridges ..............204 Adding Internal Networks to Bridges............208 Adding Internet Connections to Bridges ..........213 Overview The VPN-1 Edge appliance enables you to connect multiple network segments at the data- link layer, by configuring a bridge.
Page 210
The network interfaces operate as if they were connected by a hub or switch. Figure 21: Bridge with Four VLANs
Page 211
Overview For example, if you assign the LAN and primary WLAN networks to a bridge and disable the bridge's internal firewall, the two networks will act as a single, seamless network, and only traffic from the LAN and primary WLAN networks to other networks (for example, the Internet) will be inspected by the firewall.
Page 212
When a packet is received on one of the bridge ports, the forwarding table is automatically updated to map the source MAC address to the network port from which the packet originated, and the gateway processes the received packet according to the packet's type.
Page 213
Overview When a bridge receives an IP packet, the gateway processes the packet as follows: The destination MAC address is looked up in the bridge's forwarding table. If the destination MAC address is found in the forwarding table, the packet is forwarded to the corresponding port.
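The learning and forwarding steps from the two paragraphs above, as an added example that is not the appliance's bridge implementation. Every received frame updates the table with its source MAC and ingress port; a known unicast destination is sent to the one port the table names (or nowhere, if that is the port it arrived on); group addresses go to every other port. The page's text for an unknown unicast destination is cut off, so flooding it to all other ports, as a standard 802.1D bridge does, is an assumption. Port names and MAC addresses are constructed for the example.

```python
def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningBridge:
    """Forwarding table of a transparent bridge, following the steps on this page."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}   # MAC address -> port on which it was last seen

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return the list of ports it is forwarded to."""
        if in_port not in self.ports:
            raise ValueError(f"unknown bridge port {in_port}")
        # Learning step: the source is reachable through the ingress port. A host that
        # moves (or a spoofed source MAC seen elsewhere) simply overwrites the entry.
        self.table[src_mac] = in_port
        others = [p for p in self.ports if p != in_port]
        if is_group_address(dst_mac):
            return others                       # broadcast/multicast: every other port
        out_port = self.table.get(dst_mac)
        if out_port is None:
            # Assumption: unknown unicast is flooded, as on a standard 802.1D bridge
            # (the page's description of this case is cut off).
            return others
        if out_port == in_port:
            return []                           # destination is on the same segment
        return [out_port]


if __name__ == "__main__":
    # Constructed scenario: LAN, WLAN and DMZ networks bridged together.
    bridge = LearningBridge(["LAN", "WLAN", "DMZ"])
    host_a, host_b = "02:00:00:00:00:01", "02:00:00:00:00:02"
    print(bridge.receive("LAN", host_a, "ff:ff:ff:ff:ff:ff"))   # ['WLAN', 'DMZ']: ARP-style broadcast
    print(bridge.receive("WLAN", host_b, host_a))               # ['LAN']: host_a was learned on LAN
    print(bridge.receive("DMZ", host_a, host_b))                # ['WLAN']: host_a's entry now points at DMZ
    print(bridge.table)
```

The last call shows why a learning bridge is a trust boundary worth watching: a frame with host_a's source address arriving on the DMZ port silently redirects all traffic for host_a to the DMZ, which is the behaviour the Bridge Anti-Spoofing option on the bridged-network page is there to control.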
Page 214
STP also uses this information to provide fault tolerance, by re-computing the topology in the event that a bridge or a network link fails. Figure 23: Dual Redundant Bridges with STP
Workflow Figure 24: Link Redundancy with STP Workflow To use a bridge Add a bridge. See Adding and Editing Bridges on page 204. Add the desired internal networks to the bridge. See Adding Internal Networks to Bridges on page 208. Add the desired Internet connections to the bridge.
Antivirus Rules on page 379. Adding and Editing Bridges To add or edit a bridge Click Network in the main menu, and click the My Network tab. The My Network page appears. Do one of the following:
Page 217
Adding and Editing Bridges • To add a bridge, click Add Bridge. • To edit a bridge, click Edit in the desired bridge's row. The Bridge Configuration page appears. Complete the fields using the following table. Click Apply. A success message appears. Chapter 6: Using Bridges...
Page 218
Specify whether to enable STP for this bridge, by selecting one of the following: • Enabled. STP is enabled. • Disabled. STP is disabled. This is the default value. If you selected Enabled, the Bridge Priority field appears. Check Point VPN-1 Edge User Guide...
Page 219
Adding and Editing Bridges In this field… Do this… Bridge Priority Select the bridge's priority. The bridge's priority is combined with a bridged network's MAC address to create the bridge's ID. The bridge with the lowest ID is elected as the root bridge. The other bridges in the tree calculate the shortest distance to the root bridge, in order to eliminate loops in the topology and provide fault tolerance.
To add an internal network to a bridge Click Network in the main menu, and click the My Network tab. The My Network page appears. Click Edit in the desired network's row. In the Mode drop-down list, select Bridged. Check Point VPN-1 Edge User Guide...
Page 221
Adding Internal Networks to Bridges New fields appear. Complete these fields as described below. Chapter 6: Using Bridges...
Page 222
Adding Internal Networks to Bridges If you assign the network to a bridge that uses STP, additional fields appear. Click Apply. A warning message appears. Click OK. A success message appears. Check Point VPN-1 Edge User Guide...
Page 223
Adding Internal Networks to Bridges In the My Network page, the internal network appears indented under the bridge. Table 35: Bridged Network Fields In this field… Do this… Assign to Bridge Select the bridge to which the connection should be assigned. Bridge Anti-Spoofing Select this option to enable anti-spoofing.
Page 224
STP uses the available port with the lowest cost to forward frames to the root port. All other ports are blocked. It is recommended to set a lower value for faster links. This field only appears if the selected bridge uses STP.
Adding Internet Connections to Bridges In this field… Do this… Spanning Tree Protocol - Port Priority: Select the port's priority. The port's priority is combined with the port's logical number to create the port's ID. The port with the lowest ID is elected as the root port, which forwards frames out of the bridge.
Page 226
In the Connection Type field, select Bridged. New fields appear. Complete the fields specified in the table below. Complete the rest of the fields using the relevant information in Internet Setup Fields on page 122.
Page 227
Adding Internet Connections to Bridges New fields appear, depending on the selected options, and whether the selected bridge uses STP. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
Page 228
Note: If you select the same priority for all ports, the root port will be elected based on the port's logical number. The default value is 128. This field only appears if the selected bridge uses STP.
Overview Chapter 7 Configuring High Availability This chapter describes how to configure High Availability (HA) for two or more VPN-1 Edge appliances. This chapter includes the following topics: Overview ....................217 Configuring High Availability on a Gateway...........220 Sample Implementation on Two Gateways ..........224 Overview You can create a High Availability (HA) cluster consisting of two or more VPN-1 Edge appliances.
Page 230
WAN virtual IP address, in the event that the Active Gateway fails. If desired, you can configure a WAN virtual IP address for the WAN2 interface, as well.
Page 231
Overview Note: To use a WAN virtual IP address, the Internet connection method must be "Static IP". PPP-based connections and dynamic IP connections are not supported. Before configuring HA, the following requirements must be met: • You must have at least two identical VPN-1 Edge appliances. •...
Each appliance must have a different internal IP address. See Changing IP Addresses on page 154. Click Setup in the main menu, and click the High Availability tab. The High Availability page appears. Select the Gateway High Availability check box.
Page 233
Configuring High Availability on a Gateway The fields are enabled. Next to each network for which you want to enable HA, select the HA check box. The Internet-Primary field represents the WAN interface, and the Internet-Secondary field represents the WAN2 interface. In the Virtual IP field, type the default gateway IP address.
Page 234
See Using Internet Setup on page 99. Table 37: High Availability Page Fields In this field… Do this… Priority My Priority Type the gateway's priority. This must be an integer between 1 and 255.
Page 235
Configuring High Availability on a Gateway In this field… Do this… Internet Connection Tracking Internet - Primary Type the amount to reduce the gateway's priority if the primary Internet connection goes down. This must be an integer between 0 and 255. Internet - Secondary Type the amount to reduce the gateway's priority if the secondary Internet connection goes down.
Sample implementation settings (values given as Gateway A / Gateway B): LAN, DMZ / LAN, DMZ. Internet Connections: Primary and secondary / Primary only. LAN Network IP Address: 192.169.100.1 / 192.169.100.2. LAN Network Subnet Mask: 255.255.255.0 / 255.255.255.0. DMZ Network IP Address: 192.169.101.1 / 192.169.101.2. DMZ Network Subnet Mask: 255.255.255.0 / 255.255.255.0.
Page 237
Sample Implementation on Two Gateways The gateways have two internal networks in common, LAN and DMZ. This means that you can configure HA for the LAN network, the DMZ network, or both. You can use either of the networks as the synchronization interface. The procedure below shows how to configure HA for both the LAN and DMZ networks.
Page 238
In the DMZ network's Virtual IP field, type the default gateway IP address 192.168.101.3. Click the Synchronization radio button next to DMZ. In the My Priority field, type "60". The low priority means that Gateway B will be the Passive Gateway.
Page 239
Sample Implementation on Two Gateways In the Internet - Primary field, type "20". Gateway B will reduce its priority by 20, if its Internet connection goes down. Click Apply. A success message appears. Gateway A's priority is 100, and Gateway B's priority is 60. So long as one of Gateway A's Internet connections is up, Gateway A is the Active Gateway, because its priority is higher than that of Gateway B.
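The Active/Passive election the sample describes (My Priority reduced by the Internet - Primary / Internet - Secondary amount for each connection that is down, highest result wins), as an added example that is not code from the user guide. Gateway A's tracking amounts (30 and 30) are constructed because the guide gives only Gateway B's, and the guide does not say how a tie is resolved, so ties are reported rather than decided.

```python
"""HA election for a VPN-1 Edge cluster as the sample describes (added example)."""
from dataclasses import dataclass


@dataclass
class Gateway:
    name: str
    my_priority: int               # My Priority field: 1..255
    track_primary: int = 0         # Internet - Primary field: 0..255
    track_secondary: int = 0       # Internet - Secondary field: 0..255
    primary_up: bool = True
    secondary_up: bool = True      # leave True on a gateway with a primary connection only

    def validate(self):
        """Enforce the ranges given in Table 37 before the values are used."""
        if not 1 <= self.my_priority <= 255:
            raise ValueError(f"{self.name}: My Priority must be 1..255")
        for amount in (self.track_primary, self.track_secondary):
            if not 0 <= amount <= 255:
                raise ValueError(f"{self.name}: tracking amounts must be 0..255")

    def effective_priority(self) -> int:
        self.validate()
        p = self.my_priority
        if not self.primary_up:
            p -= self.track_primary
        if not self.secondary_up:
            p -= self.track_secondary
        return max(p, 0)           # assumption: the priority does not go below zero


def elect_active(gateways):
    """Name of the Active Gateway, or None when the two best are tied
    (the guide does not state a tie rule, so a tie is surfaced, not guessed)."""
    ranked = sorted(gateways, key=lambda g: g.effective_priority(), reverse=True)
    if len(ranked) > 1 and ranked[0].effective_priority() == ranked[1].effective_priority():
        return None
    return ranked[0].name


def survives_single_link_loss(active, passive) -> bool:
    """Check the guide's claim ('so long as one of Gateway A's Internet
    connections is up, Gateway A is the Active Gateway'): it holds only if each
    single tracking amount on the Active gateway is smaller than the priority
    gap to the Passive gateway at full priority."""
    gap = active.my_priority - passive.my_priority
    return active.track_primary < gap and active.track_secondary < gap


# Constructed sample: the guide's 100 / 60 / 20, plus assumed 30 / 30 for Gateway A.
GATEWAY_A = Gateway("Gateway A", my_priority=100, track_primary=30, track_secondary=30)
GATEWAY_B = Gateway("Gateway B", my_priority=60, track_primary=20)

if __name__ == "__main__":
    print("active:", elect_active([GATEWAY_A, GATEWAY_B]))
    print("A keeps the active role on any single link loss:",
          survives_single_link_loss(GATEWAY_A, GATEWAY_B))
```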
Overview Chapter 8 Using Traffic Shaper This chapter describes how to use Traffic Shaper to control the flow of communication to and from your network. This chapter includes the following topics: Overview ....................229 Setting Up Traffic Shaper.................230 Predefined QoS Classes................231 Adding and Editing Classes..............232 Deleting Classes ..................236 Restoring Traffic Shaper Defaults ............237...
Use Allow or Allow and Forward rules to assign different types of connections to QoS classes. For example, if Traffic Shaper is enabled for outgoing traffic, and you create an Allow rule associating all outgoing VPN traffic with the Urgent QoS class, then Traffic
Predefined QoS Classes Shaper will handle outgoing VPN traffic as specified in the bandwidth policy for the Urgent class. See Adding and Editing Rules on page 307. Note: Traffic Shaper must be enabled for the direction of traffic specified in the rule. Note: If you do not assign a connection type to a class, Traffic Shaper automatically assigns the connection type to the built-in "Default"...
SMTP traffic (outgoing email). Adding and Editing Classes To add or edit a QoS class Click Network in the main menu, and click the Traffic Shaper tab. The Quality of Service Classes page appears. Click Add.
Page 245
Adding and Editing Classes The VPN-1 Edge QoS Class Editor wizard opens, with the Step 1 of 3: Quality of Service Parameters dialog box displayed. Complete the fields using the relevant information in the following table. Click Next. The Step 2 of 3: Advanced Options dialog box appears. Complete the fields using the relevant information in the following table.
Page 246
For example, if you are creating a class for high priority Web connections, you can name the class "High Priority Web". Click Finish. The new class appears in the Quality of Service Classes page.
Page 247
Adding and Editing Classes Table 40: QoS Class Fields In this field… Do this… Relative Weight Type a value indicating the class's importance relative to the other defined classes. For example, if you assign one class a weight of 100, and you assign another class a weight of 50, the first class will be allocated twice the amount of bandwidth as the second when the lines are congested.
Click Network in the main menu, and click the Traffic Shaper tab. The Quality of Service Classes page appears. In the desired class's row, click the Erase icon. A confirmation message appears. Click OK. The class is deleted.
Restoring Traffic Shaper Defaults Restoring Traffic Shaper Defaults If desired, you can reset the Traffic Shaper bandwidth policy to use the four predefined classes, and restore these classes to their default settings. For information on these classes and their defaults, see Predefined QoS Classes on page 231. Note: This will delete any additional classes you defined in Traffic Shaper and reset all rules to use the Default class.
Overview Chapter 9 Working with Wireless Networks This chapter describes how to configure wireless internal networks. This chapter includes the following topics: Overview ....................239 Configuring Wireless Networks ...............247 Troubleshooting Wireless Connectivity ...........273 Overview Your VPN-1 Edge wireless appliance features a built-in 802.11b/g access point that is tightly integrated with the firewall and VPN.
Page 252
Guest network a low priority, and by enabling Secure HotSpot on this network, you could define terms of use that the guest users must accept before accessing the Internet. In contrast, the Employee VAP would use the more secure WPA2-Enterprise
Page 253
Overview (802.11i) encryption standard and allow employees to access company resources such as the intranet. You can configure up to three VAPs, in addition to the primary WLAN. For information on configuring VAPs, see Configuring VAPs on page 265. Wireless Distribution System Links The VPN-1 Edge appliance enables you to extend the primary WLAN's coverage area, by creating a Wireless Distribution System (WDS).
Page 254
When used together with bridge mode and Spanning Tree Protocol (STP), you can use WDS links to create redundant topologies, such as a loop or mesh of linked access points. Figure 26: Two Access Points Linked by a WDS Bridge
Page 255
Overview Figure 27: Redundant Loop of Access Points Linked by WDS and STP You can configure up to seven WDS links, in addition to the primary WLAN. For information on configuring WDS links, see Configuring WDS Links on page 269. Note: All access points in a WDS must use the same radio channel for the WDS link and for communicating with wireless stations.
Page 256
No security method is used. This option is not recommended, because it allows unauthorized users to access your wireless network, although you can still limit access from the wireless network by creating firewall rules. This method is suitable for creating public access points.
Page 257
Overview Security Description Protocol WEP encryption In the WEP (Wired Equivalent Privacy) encryption security method, wireless stations must use a pre-shared key to connect to your network. This method is not recommended, due to known security flaws in the WEP protocol. It is provided for compatibility with existing wireless deployments.
Page 258
LAN are encrypted and authenticated. For information, see Internal VPN Server on page 419 and Setting Up Your VPN-1 Edge Appliance as a VPN Server on page 420.
Configuring Wireless Networks Configuring Wireless Networks Note: It is recommended to configure wireless networks via Ethernet and not via a wireless connection, because the wireless connection could be broken after making a change to the configuration. Using the Wireless Configuration Wizard The Wireless Configuration Wizard provides a quick and simple way of setting up your basic primary WLAN parameters for the first time.
Page 260
Select the Enable wireless networking check box to enable the primary WLAN. The fields are enabled. Complete the fields using the information in Basic WLAN Settings Fields on page 256. Click Next. The Wireless Security dialog box appears.
Page 261
Configuring Wireless Networks Do one of the following: • Click WPA-Personal to use the WPA-Personal security mode. WPA-Personal (also called WPA-PSK) uses a passphrase for authentication. This method is recommended for small, private wireless networks, which want to authenticate and encrypt wireless data but do not want to install a RADIUS server.
Page 262
In the text box, type the passphrase for accessing the network, or click Random to randomly generate a passphrase. This must be between 8 and 63 characters. It can contain spaces and special characters, and is case-sensitive. Click Next.
Page 263
Configuring Wireless Networks The Wireless Security Confirmation dialog box appears. Click Next. The Wireless Security Complete dialog box appears. Click Finish. The wizard closes. Prepare the wireless stations.
Page 264
The key is composed of characters 0-9 and A-F, and is not case-sensitive. The wireless stations must be configured with this same key. Click Next. The Wireless Security Confirmation dialog box appears. Click Next.
Page 265
Configuring Wireless Networks The Wireless Security Complete dialog box appears. Click Finish. The wizard closes. Prepare the wireless stations. No Security The Wireless Security Complete dialog box appears. • Click Finish. The wizard closes. Manually Configuring a Wireless Network To manually configure a wireless network Prepare the appliance for a wireless connection as described in Network Installation on page 57.
Page 266
The wireless network must not overlap other networks. In the Subnet Mask field, type the wireless network’s internal network range. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 155.
Page 267
Configuring Wireless Networks If desired, configure a DHCP server. See Configuring a DHCP Server on page 144. 10. Complete the fields using the information in Basic Wireless Settings Fields on page 256. 11. To configure advanced settings, click Show Advanced Settings and complete the fields using the information in Advanced Wireless Settings Fields on page 261.
Page 268
Select the country where you are located. Warning: Choosing an incorrect country may result in the violation of government regulations. This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links.
Page 269
Configuring Wireless Networks In this field… Do this… Operation Mode Select an operation mode: • 802.11b (11 Mbps). Operates in the 2.4 GHz range and offers a maximum theoretical rate of 11 Mbps. When using this mode, only 802.11b stations will be able to connect. •...
Page 270
25 MHz (5 channels) apart. Alternatively, you can reduce the transmission power. This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links.
Page 271
Configuring Wireless Networks In this field… Do this… Security Select the security protocol to use. For information on the supported security protocols, see Wireless Security Protocols on page 244. If you select WEP encryption, the WEP Keys area opens. If you select WPA-Enterprise, the Require WPA2 (802.11i) field appears. If you select WPA-Personal, the Passphrase and Require WPA2 (802.11i) fields appear.
Page 272
Key 1, 2, 3, 4 text boxes: Type the WEP key, or click Random to randomly generate a key matching the selected length. The key is composed of hexadecimal characters 0-9 and A-F, and is not case-sensitive.
Page 273
Configuring Wireless Networks Table 43: Advanced Wireless Settings Fields In this field… Do this… Advanced Security Hide the Network Name (SSID): Specify whether you want to hide your network's SSID, by selecting one of the following: • Yes. Hide the SSID. Only devices to which your SSID is known can connect to your network.
Page 274
The default value is Full. It is not necessary to change this value, unless there are other access points in the vicinity. This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links.
Page 275
Configuring Wireless Networks In this field… Do this… Antenna Selection Multipath distortion is caused by the reflection of Radio Frequency (RF) signals traveling from the transmitter to the receiver along more than one path. Signals that were reflected by some surface reach the receiver after non-reflected signals and distort them.
Page 276
Enabled. WMM is enabled. The VPN-1 Edge appliance will prioritize multimedia traffic according to four access categories (Voice, Video, Best Effort, and Background). This allows for smoother streaming of voice and video when using WMM aware applications.
Page 277
Configuring Wireless Networks Configuring Virtual Access Points You can partition the wireless network into wireless VLANs called virtual access points (VAPs). You can use VAPs to grant different permissions to groups of wireless users, by configuring each VAP with the desired security policy and network settings, and then assigning each group of wireless users to the relevant VAP.
Page 278
The My Network page appears. Click Add Network. The Edit Network Settings page appears. In the Network Name field, type a name for the VAP. In the Type drop-down list, select Virtual Access Point.
Page 279
Configuring Wireless Networks New fields appear. In the Mode drop-down list, select Enabled. The fields are enabled. In the IP Address field, type the IP address of the VAP network's default gateway. The VAP network must not overlap other networks. In the Subnet Mask field, type the VAP's internal network range.
Page 280
Note: Some wireless cards have "Infrastructure" and "Ad-hoc" modes. These modes are also called "Access Point" and "Peer to Peer". On the wireless client, choose the "Infrastructure" or "Access Point" mode. You can set the wireless cards to either "Long Preamble" or "Short Preamble".
Page 281
Configuring Wireless Networks Configuring Wireless Distribution System Links You can extend the wireless network across multiple access points, or connect the networks behind different access points, by creating a Wireless Distribution System (WDS). To create a WDS, you must add WDS links between the desired access points. For more information on WDS links, see Overview on page 239.
Page 282
WDS link. Note: This is the MAC address of the WLAN interface, not the WAN MAC address. To see your access point's WLAN MAC address, click Reports in the main menu, and then click Wireless.
Page 283
Configuring Wireless Networks Do one of the following: • To create a bridged WDS link: 1) In the Mode drop-down list, select Bridged. The fields are enabled and additional fields appear. 2) Complete these fields as described in Bridged Network Fields on page 211.
Page 284
Note: Both sides of the WDS link must use the same radio channel and security settings. Note: WDS links support using the WEP security mode or no security. However, the access point can use any supported security protocol to communicate with wireless stations, including the WPA/WPA2 protocols.
Troubleshooting Wireless Connectivity Troubleshooting Wireless Connectivity I cannot connect to a wireless network from a wireless station. What should I do? • Check that the SSID configured on the station matches the VPN-1 Edge appliance's SSID. The SSID is case-sensitive. •...
Page 286
A and station C do not detect each other, but both stations detect and are detected by station B, then both station A and C may attempt to send packets to station B
Page 287
Troubleshooting Wireless Connectivity simultaneously. In this case, the packets will collide, and Station B will receive corrupted data. The solution to this problem lies in the use of the RTS protocol. Before sending a certain size IP packet, a station sends an RTS (Request To Send) packet. If the recipient is not currently receiving packets from another source, it sends back a CTS (Clear To Send) packet, indicating that the station can send the IP packet.
Viewing the Event Log Chapter 10 Viewing Reports This chapter describes the VPN-1 Edge Portal reports. This chapter includes the following topics: Viewing the Event Log................277 Using the Traffic Monitor ................280 Viewing Computers..................285 Viewing Connections ................287 Viewing Wireless Statistics ..............289 Viewing ADSL Statistics .................293 Viewing the Event Log You can track network activity using the Event Log.
Page 290
(Microsoft Excel) file, and then store it for analysis purposes or send it to technical support. Note: You can configure the VPN-1 Edge appliance to send event logs to a Syslog server. For information, see Configuring Syslog Logging on page 520.
Page 291
Viewing the Event Log To view the event log Click Reports in the main menu, and click the Event Log tab. The Event Log page appears. If an event is highlighted in red, indicating a blocked attack on your network, you can display the attacker’s details, by clicking on the IP address of the attacking machine.
Configuring Traffic Monitor Settings on page 284. In network traffic reports, the traffic is color-coded as described in the following table. In the All QoS Classes report, the traffic is color-coded by QoS class.
Page 293
Using the Traffic Monitor Table 45: Traffic Monitor Color Coding for Networks Traffic marked in this color… Indicates… Blue VPN-encrypted traffic Traffic blocked by the firewall Green Traffic accepted by the firewall You can export a detailed traffic report for all enabled networks and all defined QoS classes, using the procedure Exporting General Traffic Reports on page 283.
Page 294
Note: The firewall blocks broadcast packets used during the normal operation of your network. This may lead to a certain amount of traffic of the type "Traffic blocked by firewall" that appears under normal circumstances and usually does not indicate an attack.
Page 295
Using the Traffic Monitor Exporting General Traffic Reports You can export a general traffic report that includes information for all enabled networks and all defined QoS classes to a *.csv (Comma Separated Values) file. You can open and view the file in Microsoft Excel. To export a general traffic report Click Reports in the main menu, and click the Traffic Monitor tab.
Page 296
In the Sample monitoring data every field, type the interval (in seconds) at which the VPN-1 Edge appliance should collect traffic data. The default value is one sample every 1800 seconds (30 minutes). Click Apply.
Viewing Computers Viewing Computers This option allows you to view the currently active computers on your network. The active computers are graphically displayed, each with its name, IP address, and settings (DHCP, Static, etc.). You can also view node limit information. To view the active computers Click Reports in the main menu, and click the Active Computers tab.
Page 298
For information on adding and editing network objects, see Adding and Editing Network Objects on page 171. To refresh the display, click Refresh. To view node limit information, do the following: Click Node Limit.
Viewing Connections The Node Limit window appears with installed software product and the number of nodes used. Click Close to close the window. Viewing Connections This option allows you to view currently active connections between your networks, as well as those from your networks to the Internet. Note: The report does not display connections between bridged networks, where Firewall Between Members is disabled.
Page 300
A window opens displaying information about the port. Table 46: Active Connections Fields This field… Displays… Protocol The protocol used (TCP, UDP, etc.) Source - IP Address The source IP address Source - Port The source port
Viewing Wireless Statistics This field… Displays… Destination - IP Address The destination IP address Destination - Port The destination port QoS Class The QoS class to which the connection belongs (if Traffic Shaper is enabled) Options An icon indicating further details: •...
Page 302
Viewing Wireless Statistics The Wireless page appears. The page displays the information in the following tables. To refresh the display, click Refresh.
Page 303
Viewing Wireless Statistics Table 47: Wireless Statistics This field… Displays… Status Wireless Mode The operation mode used by the primary WLAN, followed by the transmission rate in Mbps Domain The VPN-1 Edge access point's region Country The country configured for the primary WLAN Channel The radio frequency used by the primary WLAN Statistics for...
Page 304
The total number of frames that were successfully transmitted and received Management The total number of transmitted and received management packets Control The total number of received control packets Errors The total number of transmitted and received frames for which an error occurred
Viewing ADSL Statistics This field… Displays… Indicates whether the client is using Multimedia QoS (WMM). Possible values are: • yes. The client is using WMM. • no. The client is not using WMM. Indicates whether the wireless client supports Extended Range (XR) mode. Possible values are: •...
Page 306
The ADSL connection's current status (OK, Modem Initializing, No Sync, Establishing Connection, Connected, Disabled) DSL Standard The DSL line's standard Self Test Indicates whether the DSL modem has passed a self-test Trellis Coding The DSL line's trellis coding
Page 307
Viewing ADSL Statistics This field… Displays… Framing Structure The DSL line's framing structure Line Rate The line rate for transmission (TX) and reception (RX) in kbps Tx Power The local and remote transmission power in dB. SNR Margin The local and remote Signal to Noise Ratio (SNR) margin in dB. The SNR margin is the difference between the amount of noise received by the local/remote line end, and the amount of noise it can tolerate.
Viewing ADSL Statistics Chapter 11 Setting Your Security Policy This chapter describes how to set up your VPN-1 Edge appliance security policy. You can enhance your security policy by subscribing to services such as Web Filtering and Email Filtering. You can also integrate all VPN-1 Edge appliances into an overall enterprise security policy by connecting to SMART management.
For further information, see Using Rules on page 303. Setting the Firewall Security Level The firewall security level can be controlled using a simple lever available on the Firewall page. You can set the lever to the following states.
Page 311
Setting the Firewall Security Level Table 50: Firewall Security Levels This level… Does this… Further Details. Enforces basic control on incoming connections, while permitting all… All inbound traffic is blocked to the external VPN-1 Edge appliance IP address, except for ICMP echoes ("pings").
Page 312
To change the firewall security level Click Security in the main menu, and click the Firewall tab. The Firewall page appears. Drag the security lever to the desired level. The VPN-1 Edge appliance security level changes accordingly.
Configuring Servers Configuring Servers Note: If you do not intend to host any public Internet servers (Web Server, Mail Server etc.) in your network, you can skip this section. Using the VPN-1 Edge Portal, you can selectively allow incoming network connections into your network.
Page 314
In the desired service or application’s row, click Clear. The Host IP field of the desired service is cleared. Click Apply. The service or application is not allowed on the specific host.
Using Rules Using Rules The VPN-1 Edge appliance checks the protocol used, the port range, and the destination IP address, when deciding whether to allow or block traffic. User-defined rules have priority over the default security policy rules and provide you with greater flexibility in defining and customizing your security policy.
Page 316
The VPN-1 Edge appliance will process rule 1 first, allowing outgoing FTP traffic from the specified IP address, and only then will it process rule 2, blocking all outgoing FTP traffic. The following rule types exist:
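The first-match processing the FTP example describes, as an added example that is not code from the user guide: rules are checked in table order, so the Allow for one address must sit above the Block for everyone, and a shadow check catches the swapped order. The rule fields follow the wizard's Service / Source / Destination steps, but the data model and the connection records are assumed.

```python
"""First-match firewall rule evaluation as the guide describes (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def in_scope(scope: str, addr: str) -> bool:
    """'any', a Specified IP ('192.168.10.5'), a CIDR, or a Specified Range
    written as 'first-last'."""
    if scope == "any":
        return True
    if "-" in scope:
        first, last = (ip_address(x.strip()) for x in scope.split("-"))
        return first <= ip_address(addr) <= last
    return ip_address(addr) in ip_network(scope, strict=False)


@dataclass
class Rule:
    action: str                 # "allow" or "block"
    service: str                # e.g. "FTP"
    direction: str              # "outgoing" or "incoming"
    source: str = "any"
    destination: str = "any"

    def matches(self, conn: dict) -> bool:
        return (self.service == conn["service"]
                and self.direction == conn["direction"]
                and in_scope(self.source, conn["src"])
                and in_scope(self.destination, conn["dst"]))


def decide(rules, conn):
    """(action, rule number) of the first matching rule, in table order;
    ('default-policy', None) when no user-defined rule matches."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(conn):
            return rule.action, number
    return "default-policy", None


def scope_covers(outer: str, inner: str) -> bool:
    """Conservative containment: 'any' covers everything, otherwise only an
    identical scope counts (no CIDR-in-CIDR reasoning in this example)."""
    return outer == "any" or outer == inner


def shadowed_rules(rules):
    """Numbers of rules that can never match because an earlier rule for the
    same service and direction already covers their source and destination."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.service == later.service and earlier.direction == later.direction
                    and scope_covers(earlier.source, later.source)
                    and scope_covers(earlier.destination, later.destination)):
                shadowed.append(i + 1)
                break
    return shadowed


# Constructed rules: the guide's ordering, then the same two rules swapped.
RULES_OK = [Rule("allow", "FTP", "outgoing", source="192.168.10.5"),
            Rule("block", "FTP", "outgoing")]
RULES_SWAPPED = list(reversed(RULES_OK))

# Constructed connection records (not captured traffic).
CONN_ALLOWED_HOST = {"service": "FTP", "direction": "outgoing",
                     "src": "192.168.10.5", "dst": "203.0.113.7"}
CONN_OTHER_HOST = {"service": "FTP", "direction": "outgoing",
                   "src": "192.168.10.9", "dst": "203.0.113.7"}

if __name__ == "__main__":
    print(decide(RULES_OK, CONN_ALLOWED_HOST), decide(RULES_OK, CONN_OTHER_HOST))
    print(decide(RULES_SWAPPED, CONN_ALLOWED_HOST), "shadowed:", shadowed_rules(RULES_SWAPPED))
```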
Page 317
Using Rules Table 52: Firewall Rule Types Rule Description Allow and This rule type enables you to do the following: Forward • Permit incoming access from the Internet to a specific service in your internal network. • Forward all such connections to a specific computer in your network.
Page 318
This rule type enables you to do the following: • Block outgoing access from your internal network to a specific service on the Internet. • Block incoming access from the Internet to a specific service in your internal network.
Page 319
Using Rules Adding and Editing Firewall Rules To add or edit a firewall rule Click Security in the main menu, and click the Rules tab. The Rules page appears. Do one of the following: • To add a new rule, click Add Rule. •...
Page 320
Select the type of rule you want to create. Click Next. The Step 2: Service dialog box appears. The example below shows an Allow rule. Complete the fields using the relevant information in the following table. Click Next.
Page 321
Using Rules The Step 3: Destination & Source dialog box appears. Complete the fields using the relevant information in the following table. The Step 4: Done dialog box appears. Click Finish. The new rule appears in the Firewall Rules page.
Page 322
To specify an IP address, select Specified IP and type the desired IP address in the field provided. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
Page 323
Using Rules In this field… Do this… Destination Select the destination of the connections you want to allow or block. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
Page 324
Next to the desired rule, do one of the following: • To enable the rule, click The button changes to and the rule is enabled. • To disable the rule, click The button changes to and the rule is disabled.
Page 325
Using Rules Changing Firewall Rules' Priority To change a firewall rule's priority Click Security in the main menu, and click the Rules tab. The Rules page appears. Do one of the following: • Click next to the desired rule, to move the rule up in the table. •...
Using SmartDefense Using SmartDefense The VPN-1 Edge appliance includes Check Point SmartDefense Services, based on Check Point Application Intelligence. SmartDefense provides a combination of attack safeguards and attack-blocking tools that protect your network in the following ways: • Validating compliance to standards •...
Page 327
Using SmartDefense Using the SmartDefense Wizard The SmartDefense Wizard allows you to configure your SmartDefense security policy quickly and easily through its user-friendly interface. Note: The SmartDefense wizard clears any existing SmartDefense settings. After using the wizard, you can fine tune the policy settings using the SmartDefense tree. See Using the SmartDefense Tree on page 319.
Page 328
For information on the levels, see the following table. Click Next. The Step 2: Application Intelligence Server Types dialog box appears. Select the check boxes next to the types of public servers that are running on your network.
Page 329
Using SmartDefense Click Next. The Step 3: Application Blocking dialog box appears. Select the check boxes next to the types of applications you want to block from running on your network. Click Next. The Step 4: Confirmation dialog box appears. Click Finish.
Page 330
Extra Strict: Enables the same protections as the High level, as well as the following: • Strict TCP (Log + Block) • Small PMTU (Log + Block) • Max Ping Size (set to 512) • Network Quota
Page 331
Using the SmartDefense Tree For convenience, SmartDefense is organized as a tree, in which each branch represents a category of settings. When a category is expanded, the settings it contains appear as nodes. For information on each category and the nodes it contains, see SmartDefense Categories on page 321. Each node represents an attack type, a sanity check, or a protocol or service that is vulnerable to attacks.
Page 332
To modify the node's current settings, do the following: a) Complete the fields using the relevant information in SmartDefense Categories on page 321. b) Click Apply. To reset the node to its default values: a) Click Default.
Page 333
A confirmation message appears. b) Click OK. The fields are reset to their default values, and your changes are saved. SmartDefense Categories SmartDefense includes the following categories: • Denial of Service on page 321 • IP and ICMP on page 327 •...
Page 334
Block. Block the attack. This is the default. • None. No action. Track: Specify whether to log Teardrop attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
Page 335
Ping of Death In a Ping of Death attack, the attacker sends a fragmented PING request that exceeds the maximum IP packet size (64KB). Some operating systems are unable to handle such requests and crash. You can configure how Ping of Death attacks should be handled. Table 56: Ping of Death Fields In this field…...
Page 336
Block. Block the attack. This is the default. • None. No action. Track: Specify whether to log LAND attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
Page 337
Non-TCP Flooding Advanced firewalls maintain state information about connections in a State table. In Non-TCP Flooding attacks, the attacker sends high volumes of non-TCP traffic. Since such traffic is connectionless, the related state information cannot be cleared or reset, and the firewall State table is quickly filled up.
Page 338
The attacking hosts send large amounts of spurious data to the victim, so that the victim is no longer able to respond to legitimate service requests. You can configure how DDoS attacks should be handled.
Page 339
Table 59: Distributed Denial of Service Fields In this field… Do this… Action: Specify what action to take when a DDoS attack occurs, by selecting one of the following: • Block. Block the attack. This is the default. •...
Page 340
Track: Specify whether to issue logs for packets that fail the packet sanity tests, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs.
Page 341
In this field… Do this… Disable relaxed UDP length verification: The UDP length verification sanity check measures the UDP header length and compares it to the UDP header length specified in the UDP header. If the two values differ, the packet may be corrupted. However, since different applications may measure UDP header length differently, the VPN-1 Edge appliance relaxes the UDP length verification sanity check by default, performing the check but not dropping offending...
Page 342
• Log. Log the responses. This is the default. • None. Do not log the responses. Max Ping Size: Specify the maximum data size for ICMP echo response. The default value is 1500.
Page 343
IP Fragments When an IP packet is too big to be transported by a network link, it is split into several smaller IP packets and transmitted in fragments. To conceal a known attack or exploit, an attacker might imitate this common behavior and break the data section of a single packet into several fragmented packets.
Page 344
The default value is 10. Track: Specify whether to log fragmented packets, by selecting one of the following: • Log. Log all fragmented packets. • None. Do not log the fragmented packets. This is the default.
Page 345
Network Quota An attacker may try to overload a server in your network by establishing a very large number of connections per second. To protect against Denial of Service (DoS) attacks, Network Quota enforces a limit on the number of connections per second that are allowed from the same source IP address.
Page 346
This flood of pings may disrupt network connectivity. You can configure how the Welchia worm should be handled.
Page 347
Table 64: Welchia Fields In this field… Do this… Action: Specify what action to take when the Welchia worm is detected, by selecting one of the following: • Block. Block the attack. This is the default. • None. No action. Track: Specify whether to log Welchia worm attacks, by selecting one of the following:...
Page 348
IP Mobility - Protocol 55 / SUN-ND - Protocol 77 / PIM - Protocol 103: • Block. Drop the packet. This is the default. • None. No action.
Page 349
Null Payload Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts. You can configure how null payload ping packets should be handled. Table 66: Null Payload Fields In this field… Do this…...
Page 350
Note: In normal conditions, out-of-state TCP packets can occur after the VPN-1 Edge restarts, since connections which were established prior to the reboot are unknown. This is normal and does not indicate an attack. You can configure how out-of-state TCP packets should be handled.
Page 351
Table 67: Strict TCP In this field… Do this… Action: Specify what action to take when an out-of-state TCP packet arrives, by selecting one of the following: • Block. Block the packets. • None. No action. This is the default. Track: Specify whether to log null payload ping packets, by selecting one of the following:...
Page 352
Size: Type the minimum value allowed for the MTU field in IP packets sent by a client. An overly small value will not prevent an attack, while an overly large value might degrade performance and cause legitimate requests to be dropped. The default value is 300.
Page 353
SynDefender In a SYN attack, the attacker sends many SYN packets without finishing the three-way handshake. This causes the attacked host to be unable to accept new connections. You can protect against this attack by specifying a maximum amount of time for completing handshakes.
Page 354
Host Port Scan. The attacker scans a specific host's ports to determine which of the ports are open. • Sweep Scan. The attacker scans various hosts to determine where a specific port is open.
Page 355
You can configure how the VPN-1 Edge appliance should react when a port scan is detected. Table 70: Port Scan Fields In this field… Do this… Number of ports accessed: SmartDefense detects port scans by measuring the number of ports accessed over a period of time.
Page 356
from Internet only: Specify whether to detect only scans originating from the Internet, by selecting one of the following: • False. Do not detect only scans from the Internet. This is the default. • True. Detect only scans from the Internet.
Page 357
This category allows you to configure various protections related to the FTP protocol. It includes the following: • Blocked FTP Commands on page 348 • Block Known Ports on page 346 • Block Port Overflow on page 347 •...
Page 358
Note: Known ports are published ports associated with services (for example, SMTP is port 25). This provides a second layer of protection against FTP bounce attacks, by preventing such attacks from reaching well-known ports.
Page 359
Table 72: Block Known Ports Fields In this field… Do this… Action: Specify what action to take when the FTP server attempts to connect to a well-known port, by selecting one of the following: • Block. Block the connection. •...
Page 360
In the Allowed commands box, select the desired FTP command. Click Block. The FTP command appears in the Blocked commands box. Click Apply. When FTP command blocking is enabled, the FTP command will be blocked.
Page 361
To allow a specific FTP command In the Blocked commands box, select the desired FTP command. Click Accept. The FTP command appears in the Allowed commands box. Click Apply. The FTP command will be allowed, regardless of whether FTP command blocking is enabled or disabled.
Page 362
A worm is self-replicating malware (malicious software) that propagates by actively sending itself to new machines. Some worms propagate by using security vulnerabilities in the HTTP protocol. You can specify how HTTP-based worm attacks should be handled.
Page 363
Table 75: Worm Catcher Fields In this field… Do this… Action: Specify what action to take when an HTTP-based worm attack is detected, by selecting one of the following: • Block. Block the attack. • None. No action. This is the default. Track: Specify whether to log HTTP-based worm attacks, by selecting one of the following:...
Page 364
CIFS worm patterns list: Select the worm patterns to detect. Patterns are matched against file names (including file paths but excluding the disk share name) that the client is trying to read or write from the server.
Page 365
IGMP This category includes the IGMP protocol. IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target a vulnerability in the multicast routing software/hardware used, by sending specially crafted IGMP packets. You can configure how IGMP attacks should be handled.
Page 366
This category includes the following nodes: • BitTorrent • eMule • Gnutella • KaZaA • Winny Note: SmartDefense can detect peer-to-peer traffic regardless of the TCP port being used to initiate the session.
Page 367
In each node, you can configure how peer-to-peer connections of the selected type should be handled, using the following table. Table 78: Peer to Peer Fields In this field… Do this… Action: Specify what action to take when a connection is attempted, by selecting one of the following: •...
Page 368
This field is not relevant for eMule and Winny. Instant Messaging Traffic SmartDefense can block instant messaging applications that use VoIP protocols, by identifying the messaging application's fingerprints and HTTP headers. This category includes the following nodes: • • Skype • Yahoo
Page 369
Note: SmartDefense can detect instant messaging traffic regardless of the TCP port being used to initiate the session. Note: Skype versions up to 2.0.0.103 are supported. In each node, you can configure how instant messaging connections of the selected type should be handled, using the following table.
Page 370
Click Security in the main menu, and click the SmartDefense tab. The SmartDefense page appears. Click Reset to Defaults. A confirmation message appears. Click OK. The SmartDefense policy is reset to its default settings.
Using Port-Based Security The VPN-1 Edge appliance supports the IEEE 802.1x standard for secure RADIUS authentication of users and devices that are directly attached to the VPN-1 Edge appliance's LAN and DMZ ports, as well as the wireless LAN. When an 802.1x security scheme is implemented for a port, users attempting to connect to that port are required to authenticate using their network user name and password.
Page 372
To configure a Quarantine network other than the LAN or DMZ, add a port-based VLAN network. See Adding and Editing Port-Based VLANs on page 165. Click Network in the main menu, and click the Ports tab.
Page 373
The Ports page appears. Next to the desired port, click Edit. Chapter 11: Setting Your Security Policy...
Page 374
In the Port Security drop-down list, select 802.1x. To configure a Quarantine network, in the Quarantine Network drop-down list, select the network that should be the Quarantine network. 10. Click Apply. A warning message appears. 11. Click OK.
Page 375
Resetting 802.1x Locking When 802.1x port-based security is configured for a LAN port, the first host that attempts to connect to this port is “locked” to the port. In order to connect a different computer to the port, you must first reset 802.1x locking. To reset 802.1x locking on all ports Click Network in the main menu, and click the Ports tab.
For example, Secure HotSpot can be used in public computer labs, educational institutions, libraries, Internet cafés, and so on.
Page 377
Using Secure HotSpot The VPN-1 Edge appliance allows you to add guest users quickly and easily. By default, guest users are given a username and password that expire in 24 hours and are granted HotSpot Access permissions only. For information on adding quick guest users, see Adding Quick Guest Users on page 489.
Page 378
See Adding Quick Guest Users on page 489. Enabling/Disabling Secure HotSpot To enable/disable Secure HotSpot Click Security in the main menu, and click the My HotSpot tab. The My HotSpot page appears.
Page 379
In the HotSpot Networks area, do one of the following: • To enable Secure HotSpot for a specific network, select the check box next to the network. • To disable Secure HotSpot for a specific network, clear the check box next to the network.
Page 380
Additional fields may appear. To preview the My HotSpot page, click Preview. A browser window opens displaying the My HotSpot page. Click Apply. Your changes are saved.
Page 381
Table 80: My HotSpot Fields In this field… Do this… My HotSpot Title: Type the title that should appear on the My HotSpot page. The default title is "Welcome to My HotSpot". My HotSpot Terms: Type the terms to which the user must agree before accessing the Internet. You can use HTML tags as needed.
Click Security in the main menu, and click the Exposed Host tab. The Exposed Host page appears. In the Exposed Host field, type the IP address of the computer you wish to define as an exposed host.
Page 383
Defining an Exposed Host Alternatively, you can click This Computer to define your computer as the exposed host. Click Apply. The selected computer is now defined as an exposed host. To clear the exposed host Click Security in the main menu, and click the Exposed Host tab. The Exposed Host page appears.
Overview The VPN-1 Edge appliance includes VStream Antivirus, an embedded stream-based antivirus engine based on Check Point Stateful Inspection and Application Intelligence technologies, which performs virus scanning at the kernel level. VStream Antivirus scans files for malicious content on the fly, without downloading the files into intermediate storage.
Page 386
Note: In protocols that are not listed in this table, VStream Antivirus uses a "best effort" approach to detect viruses. In such cases, detection of viruses is not guaranteed and depends on the specific encoding used by the protocol.
Enabling/Disabling VStream Antivirus If you are subscribed to the VStream Antivirus subscription service, VStream Antivirus virus signatures are automatically updated, so that security is always up-to-date, and your network is always protected. Note: VStream Antivirus differs from the Email Antivirus subscription service (part of the Email Filtering service) in the following ways: •...
This system of incremental updates to the main database allows for quicker updates and saves on network bandwidth. You can view information about the VStream signature databases currently in use, in the VStream Antivirus page.
Configuring VStream Antivirus Table 82: VStream Antivirus Page Fields This field… Displays… Main database: The date and time at which the main database was last updated, followed by the version number. Daily database: The date and time at which the daily database was last updated, followed by the version number.
Page 390
This rule type enables you to specify that VStream Antivirus should not scan traffic matching the rule. Scan: This rule type enables you to specify that VStream Antivirus should scan traffic matching the rule. If a virus is found, it is blocked and logged.
Page 391
Adding and Editing VStream Antivirus Rules To add or edit a VStream Antivirus rule Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears. Do one of the following: • To add a new rule, click Add Rule. •...
Page 392
Select the type of rule you want to create. Click Next. The Step 2: Service dialog box appears. The example below shows a Scan rule. Complete the fields using the relevant information in the following table.
Page 393
Click Next. The Step 3: Destination & Source dialog box appears. Complete the fields using the relevant information in the following table. Click Next. The Step 4: Done dialog box appears. Click Finish. The new rule appears in the Firewall Rules page. Chapter 12: Using VStream Antivirus...
Page 394
source is: To specify an IP address, select Specified IP and type the desired IP address in the field provided. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
Page 395
In this field… Do this… And the destination is: Select the destination of the connections you want to allow or block. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
Page 396
Click next to the desired rule, to move the rule up in the table. • Click next to the desired rule, to move the rule down in the table. The rule's priority changes accordingly.
Page 397
Deleting VStream Antivirus Rules To delete an existing VStream Antivirus rule Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears. Click the Erase icon of the rule you wish to delete. A confirmation message appears.
Page 398
To restore the default VStream Antivirus settings, do the following: a) Click Default. A confirmation message appears. b) Click OK. The VStream Antivirus settings are reset to their defaults. For information on the default values, refer to the following table.
Page 399
Table 85: Advanced Antivirus Settings Fields In this field… Do this… File Types Block potentially unsafe file types in email messages: Select this option to block all emails containing potentially unsafe file types in email attachments. Unsafe file types are: • DOS/Windows executables, libraries and drivers •...
Page 400
Type the maximum number of nested content levels that VStream Antivirus should scan. Setting a higher number increases security. Setting a lower number prevents attackers from overloading the gateway by sending extremely nested archive files. The default value is 5 levels.
Page 401
In this field… Do this… Maximum Compression Ratio 1:x: Fill in the field to complete the maximum compression ratio of files that VStream Antivirus should scan. For example, to specify a 1:150 maximum compression ratio, type 150. Setting a higher number allows the scanning of highly compressed files, but creates a potential for highly compressible files to create a heavy load on the appliance.
To update the VStream Antivirus virus signature database Click Antivirus in the main menu, and click the Antivirus tab. The VStream Antivirus page appears. Click Update Now. The VStream Antivirus database is updated with the latest virus signatures.
Services You can integrate all VPN-1 Edge appliances into an overall enterprise security policy for maximum security. Check Point's Security Management Architecture (SMART) delivers a single enterprise-wide security policy that you can centrally manage and automatically deploy to an unlimited number of VPN-1 Edge gateways.
Connecting to a Service Center To connect to a Service Center Click Services in the main menu, and click the Account tab. The Account page appears. In the Service Account area, click Connect.
Page 405
The VPN-1 Edge Services Wizard opens, with the Service Center dialog box displayed. Make sure the Connect to a Service Center check box is selected. Do one of the following: • To connect to the SofaWare Service Center, choose usercenter.sofaware.com. •...
Page 406
Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider, then click Next. • The Connecting screen appears. • The Confirmation dialog box appears with a list of services to which you are subscribed. Click Next.
Page 407
The Done screen appears with a success message. Click Finish. The following things happen: • If new firmware is available, the VPN-1 Edge appliance may start downloading it. This may take several minutes. Once the download is complete, the VPN-1 Edge appliance restarts using the new firmware.
Page 408
The services to which you are subscribed are now available on your VPN-1 Edge appliance and listed as such on the Account page. See Viewing Services Information on page 397 for further information. • The Services submenu includes the services to which you are subscribed.
Viewing Services Information The Account page displays the following information about your subscription. Table 86: Account Page Fields This field… Displays… Service Center Name: The name of the Service Center to which you are connected (if known). Gateway ID: Your gateway ID.
Click Services in the main menu, and click the Account tab. The Account page appears. In the Service Account area, click Refresh. The VPN-1 Edge appliance reconnects to the Service Center. Your service settings are refreshed.
Configuring Your Account This option allows you to access your Service Center's Web site, which may offer additional configuration options for your account. Contact your Service Center for a user ID and password. To configure your account Click Services in the main menu, and click the Account tab.
Web Filtering override permissions. For information on configuring network objects, see Using Network Objects on page 170. Note: Web Filtering is only available if you are connected to a Service Center and subscribed to this service.
Page 413
Web Filtering Enabling/Disabling Web Filtering Note: If you are remotely managed, contact your Service Center to change these settings. To enable/disable Web Filtering Click Services in the main menu, and click the Web Filtering tab. The Web Filtering page appears. Drag the On/Off lever upwards or downwards.
Page 414
when the service is enabled and the Service Center is unavailable, by doing one of the following: • To temporarily block all connections to the Internet, click
Page 415
This ensures that users will not gain access to undesirable Web sites, even when the Service Center is unavailable. The button changes to • To temporarily allow all connections to the Internet, click This ensures continuous access to the Internet. The button changes to When the Service Center is available again, the gateway will enforce the configured Web Filtering policy.
Page 416
To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page. • The service is re-enabled for all internal network computers. • If you clicked Resume in the Web Filtering page, the button changes to Snooze.
• If you clicked Resume in the Web Filtering Off popup window, the popup window closes. Email Filtering There are two Email Filtering services: • Email Antivirus When the Email Antivirus service is enabled, your email is automatically scanned for the detection and elimination of all known viruses and vandals.
Page 418
To enable/disable Email Filtering Click Services in the main menu, and click the Email Filtering tab. The Email Filtering page appears. Next to Email Antivirus, drag the On/Off lever upwards or downwards. Email Antivirus is enabled/disabled.
Page 419
Selecting Protocols for Scanning If you are locally managed, you can define which protocols should be scanned for viruses and spam: • Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned. • Email sending (SMTP).
Page 420
To temporarily disable Email Filtering Click Services in the main menu, and click the Email Filtering tab. The Email Filtering page appears. Click Snooze. • Email Antivirus and Email Antispam are temporarily disabled for all internal network computers.
Page 421
• The Snooze button changes to Resume. • The Email Filtering Off popup window opens. To re-enable Email Antivirus and Email Antispam, click Resume, either in the popup window, or on the Email Filtering page. • The services are re-enabled for all internal network computers. •...
Click Services in the main menu, and click the Software Updates tab. The Software Updates page appears. To set the VPN-1 Edge appliance to automatically check for and install new software updates, drag the Automatic/Manual lever upwards.
Page 423
Automatic and Manual Updates The VPN-1 Edge appliance checks for new updates and installs them according to its schedule. Note: When the Software Updates service is set to Automatic, you can still manually check for updates. To set the VPN-1 Edge appliance so that software updates must be checked for manually, drag the Automatic/Manual lever downwards.
Page 424
The Software Updates page appears. Click Update Now. The system checks for new updates and installs them.
VPNs using SMART management tools, refer to your SmartCenter documentation. Note: To connect an appliance to a Check Point SMART management server, you must connect the appliance to the Service Center using the Services page Connect tab.
SecuRemote Remote Access VPN Server. Makes a network remotely available to authorized users who connect to the Remote Access VPN Server using the Check Point SecuRemote VPN Client (provided for free with your VPN-1 Edge) or another VPN-1 Edge. •...
Page 427
Note: A locally managed VPN Server or gateway must have a static IP address. If you need a VPN Server or gateway with a dynamic IP address, you must use either Check Point SMART management or SofaWare Security Management Portal (SMP) management.
Page 428
The connected networks function as a single network. You can use this type of VPN to mesh office branches into one corporate network. Figure 28: Site-to-Site VPN
Page 429
Overview To create a Site-to-Site VPN with two VPN sites On the first VPN site’s VPN-1 Edge appliance, do the following: Define the second VPN site as a Site-to-Site VPN Gateway, using the procedure Adding and Editing VPN Sites on page 433. Enable a Remote Access VPN Server using the procedure Setting Up Your VPN-1 Edge Appliance as a VPN Server on page 420.
Page 430
Remote Access VPN Server with their Remote Access VPN Clients. Figure 29: Remote Access VPN
Page 431
To create a Remote Access VPN with two VPN sites On the remote user VPN site's VPN-1 Edge appliance, add the office Remote Access VPN Server as a Remote Access VPN site. See Adding and Editing VPN Sites on page 433. The remote user's VPN-1 Edge appliance will act as a Remote Access VPN Client.
When the SecuRemote Remote Access VPN Server or SecuRemote Internal VPN Server is enabled, users can connect to the server via Check Point SecuRemote/SecureClient or via a VPN-1 Edge appliance in Remote Access VPN mode. When the L2TP (Layer 2 Tunneling Protocol) VPN Server is enabled, users can connect to the server using an L2TP client such as the Microsoft Windows L2TP IPSEC VPN Client.
Page 433
Setting Up Your VPN-1 Edge Appliance as a VPN Server To set up your VPN-1 Edge appliance as a VPN Server Configure the VPN Server in one or more of the following ways: • To accept SecuRemote/SecureClient or VPN-1 Edge remote access connections from the Internet.
Page 434
To configure the SecuRemote Remote Access VPN Server Click VPN in the main menu, and click the VPN Server tab. The VPN Server page appears. Select the Allow SecuRemote users to connect from the Internet check box.
Page 435
New check boxes appear. To allow authenticated users connecting from the Internet to bypass NAT when connecting to your internal network, select the Bypass NAT check box. To allow authenticated users connecting from the Internet to bypass the default firewall policy and access your internal network without restriction, select the Bypass default firewall policy check box.
Page 436
Bypass default firewall policy check box. User-defined rules will still apply to the authenticated users. Note: Bypass NAT is always enabled for the internal VPN Server, and cannot be disabled.
Page 437
Setting Up Your VPN-1 Edge Appliance as a VPN Server Click Apply. The internal VPN Server is enabled for the specified connection types. Configuring the L2TP VPN Server To configure the L2TP VPN Server Click VPN in the main menu, and click the VPN Server tab. The VPN Server page appears.
Page 438
Follow the online instructions to complete installation. SecureClient/SecuRemote is installed. For information on using SecureClient/SecuRemote, see the User Help. To access SecureClient/SecuRemote User Help, right-click on the VPN Client icon in the taskbar, select Settings, and then click Help. Check Point VPN-1 Edge User Guide...
Configuring L2TP VPN Clients

If you configured the L2TP VPN Server, you must configure the L2TP VPN Client on all computers that should be allowed to remotely access your network via L2TP connections. This procedure is relevant for computers with a Windows XP operating system.
The Network Connection Type dialog box appears. Choose Connect to the network at my workplace. Click Next. The Network Connection dialog box appears. Choose Virtual Private Network connection. Click Next.
The Connection Name dialog box appears. 10. In the Company Name field, type your company's name. 11. Click Next. The Public Network dialog box appears. 12. Choose Do not dial the initial connection. 13.
The Completing the New Connection Wizard screen appears. 15. Click Finish. 16. In the Network and Dial-up Connections window, right-click on the L2TP connection, and click Properties in the popup menu. The connection's Properties dialog box opens.
17. In the Security tab, choose Advanced (custom settings). 18. Click Settings. The Advanced Security Settings dialog box opens. 19. In the Data encryption drop-down list, select Optional encryption. 20. Choose Allow these protocols. 21.
25. In the Key field, type the preshared secret you configured on the L2TP VPN Server. 26. Click OK. 27. In the Properties dialog box, click the Networking tab. 28. In the Type of VPN drop-down list, select L2TP IPSec VPN. 29. Click OK.
Adding and Editing VPN Sites

To add or edit VPN sites
Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears with a list of VPN sites. Do one of the following: •...
• Select Remote Access VPN to establish remote access from your Remote Access VPN Client to a Remote Access VPN Server.
• Select Site-to-Site VPN to create a permanent bi-directional connection to another Site-to-Site VPN Gateway.
Click Next.
Configuring a Remote Access VPN Site

If you selected Remote Access VPN, the VPN Gateway Address dialog box appears. Enter the IP address of the Remote Access VPN Server to which you want to connect, as given to you by the network administrator. To allow the VPN site to bypass the default firewall policy and access your internal network without restriction, select the Bypass default firewall policy check box.
Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 444. Click Next. The following things happen in the order below:
• If you chose Specify Configuration, a second VPN Network Configuration dialog box appears.
Complete the fields using the information in VPN Network Configuration Fields on page 444 and click Next.
• The Authentication Method dialog box appears. Complete the fields using the information in Authentication Methods Fields on page 446. Click Next.
If you selected Username and Password, the VPN Login dialog box appears. Complete the fields using the information in VPN Login Fields on page 447. Click Next.
• If you selected Automatic Login, the Connect dialog box appears. Do the following:
1) To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated.
The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
Certificate Authentication Method

If you selected Certificate, the Connect dialog box appears. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated.
The Site Name dialog box appears. Enter a name for the VPN site. You may choose any name. Click Next. The VPN Site Created screen appears. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

RSA SecurID Authentication Method

If you selected RSA SecurID, the Site Name dialog box appears.
This option will automatically configure your VPN settings, by downloading the network topology definition from the Remote Access VPN Server.
Note: Downloading the network configuration is only possible if you are connecting to a Check Point VPN-1 or VPN-1 Edge Site-to-Site VPN Gateway.
In this field… Do this…
Specify Configuration: Click this option to provide the network configuration manually.
Route All Traffic: Click this option to route all network traffic through the VPN site. For example, if your VPN consists of a central office and a number of remote offices, and the remote offices are only allowed to access Internet resources through the central office, you can choose to route all traffic from the remote offices through the central office.
When authenticating to the VPN site, you must enter a four-digit PIN code and the SecurID passcode shown in your SecurID token's display. The RSA SecurID token generates a new passcode every minute. SecurID is only supported in Remote Access manual login mode.
Table 89: VPN Login Fields
In this field… Do this…
Manual Login: Click this option to configure the site for Manual Login. Manual Login connects only the computer you are currently logged onto to the VPN site, and only when the appropriate user name and password have been entered.
If you selected Site-to-Site VPN, the VPN Gateway Address dialog box appears. Complete the fields using the information in VPN Gateway Address Fields on page 460. Click Next. The VPN Network Configuration dialog box appears.
Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 444. Click Next.
• If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Complete the fields using the information in VPN Network Configuration Fields on page 444, and then click Next.
Complete the fields using the information in Route Based VPN Fields on page 460, and then click Next.
• The Authentication Method dialog box appears. Complete the fields using the information in Authentication Methods Fields on page 461. Click Next.
Shared Secret Authentication Method

If you selected Shared Secret, the Authentication dialog box appears. If you chose Download Configuration, the dialog box contains additional fields. Complete the fields using the information in VPN Authentication Fields on page 461 and click Next.
The Security Methods dialog box appears. To configure advanced security settings, click Show Advanced Settings. New fields appear. Complete the fields using the information in Security Methods Fields on page 462 and click Next.
The Connect dialog box appears. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated.
You may choose any name. To keep the tunnel to the VPN site alive even if there is no network traffic between the VPN-1 Edge appliance and the VPN site, select Keep this site alive. Click Next.
• If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following:
1) Type up to three IP addresses which the VPN-1 Edge appliance should ping in order to keep the tunnel to the VPN site alive.
If you chose Download Configuration, the Authentication dialog box appears. Complete the fields using the information in VPN Authentication Fields on page 461 and click Next.
• The Security Methods dialog box appears. To configure advanced security settings, click Show Advanced Settings.
New fields appear. Complete the fields using the information in Security Methods Fields on page 462 and click Next. The Connect dialog box appears. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box.
You may choose any name. To keep the tunnel to the VPN site alive even if there is no network traffic between the VPN-1 Edge appliance and the VPN site, select Keep this site alive. Click Next.
• If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following:
1) Type up to three IP addresses which the VPN-1 Edge appliance should ping in order to keep the tunnel to the VPN site alive.
VPN-1 Edge command line interface (CLI). For information on using CLI, see Controlling the Appliance via the Command Line on page 522. For information on the relevant commands for OSPF, refer to the Embedded NGX CLI Reference Guide.
Table 92: Authentication Methods Fields
In this field… Do this…
Shared Secret: Select this option to use a shared secret for VPN authentication. A shared secret is a string used to identify VPN sites to each other.
Certificate: Select this option to use a certificate for VPN authentication.
Select the encryption and integrity algorithm to use for VPN traffic:
• Automatic. The VPN-1 Edge appliance automatically selects the best security methods supported by the site. This is the default.
• A specific algorithm
In this field… Do this…
Perfect Forward Secrecy: Specify whether to enable Perfect Forward Secrecy (PFS), by selecting one of the following:
• Enabled. PFS is enabled. The Diffie-Hellman group field is enabled.
• Disabled. PFS is disabled. This is the default.
Enabling PFS will generate a new Diffie-Hellman key during IKE Phase 2 and renew the key for each key exchange.
Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears, with a list of VPN sites. In the desired VPN site’s row, click the Erase icon. A confirmation message appears. Click OK. The VPN site is deleted.
Enabling/Disabling a VPN Site

You can only connect to VPN sites that are enabled.

To enable/disable a VPN site
Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears, with a list of VPN sites. To enable a VPN site, do the following: Click the icon in the desired VPN site’s row.
VPN site from those computers, using the same user name and password.
Note: You must use a single user name and password for each VPN destination gateway.
Logging on to a Remote Access VPN Site

Logging on through the VPN-1 Edge Portal

Note: You can only log on to sites that are configured for Manual Login.

To manually log on to a VPN site through the VPN-1 Edge Portal
Click VPN in the main menu, and click the VPN Login tab.
Note: You don’t need to know the my.firewall page administrator’s password in order to use the my.vpn page.

To manually log on to a VPN site through the my.vpn page
Direct your Web browser to http://my.vpn
The VPN Login screen appears. In the Site Name list, select the site to which you want to log on. Enter your user name and password in the appropriate fields. Click Login. •...
Upon connecting to the VPN-1 Edge VPN Server for the first time, the entity should check that the VPN peer's fingerprint displayed in the SecuRemote/SecureClient VPN Client is identical to the fingerprint received.
Installing a Certificate

The VPN-1 Edge appliance supports certificates encoded in the PKCS#12 (Personal Information Exchange Syntax Standard) format, and enables you to install such certificates in the following ways:
• By generating a self-signed certificate. See Generating a Self-Signed Certificate on page 471.
•...
The Certificate page appears. Click Install Certificate. The VPN-1 Edge Certificate Wizard opens, with the Certificate Wizard dialog box displayed. Click Generate a self-signed security certificate for this gateway.
The Create Self-Signed Certificate dialog box appears. Complete the fields using the information in the following table. Click Next. The VPN-1 Edge appliance generates the certificate. This may take a few seconds. The Done dialog box appears, displaying the certificate's details. Click Finish.
• The name of the CA that issued the certificate (in this case, the VPN-1 Edge gateway)
• The CA certificate's fingerprint
• The starting and ending dates between which the gateway's certificate and the CA's certificate are valid
Table 95: Certificate Fields
In this field… Do this…
Country: Select your country from the drop-down list.
Organization Name: Type the name of your organization.
Organizational Unit: Type the name of your division.
Gateway Name: Type the gateway's name. This name will appear on the certificate, and will be visible to remote users inspecting the certificate.
Click Browse to open a file browser from which to locate and select the file. The filename that you selected is displayed. Click Next. The Import-Certificate Passphrase dialog box appears. This may take a few moments. Type the pass-phrase you received from the network security administrator. Click Next.
Uninstalling a Certificate

The Done dialog box appears, displaying the certificate's details. Click Finish. The VPN-1 Edge appliance installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes. The Certificates page displays the following information: •...
VPN site, after you have manually logged on to the site. All open tunnels connecting to the site are closed when you manually log off.

To view VPN tunnels
Click Reports in the main menu, and click the VPN Tunnels tab.
Viewing VPN Tunnels

The VPN Tunnels page appears with a table of open VPN tunnels. The VPN Tunnels page includes the information described in the following table. To refresh the table, click Refresh.

Table 96: VPN Tunnels Page Fields
This field… Displays…...
Your VPN-1 Edge appliance supports AES, 3DES, and DES encryption schemes, and MD5 and SHA authentication schemes.
Established: The time at which the tunnel was established. This information is presented in the format hh:mm:ss, where hh=hours, mm=minutes, ss=seconds.
Table 97: VPN Tunnels Icons
This icon… Represents…
• This gateway
• A network for which an IKE Phase-2 tunnel was negotiated
• A Remote Access VPN Server
• A Site-to-Site VPN Gateway
• A remote access VPN user
• An L2TP user

Viewing IKE Traces for VPN Connections

If you are experiencing VPN connection problems, you can save a trace of IKE (Internet...
The *.elg file is created and saved to the specified directory. This file contains the IKE traces of all currently-established VPN tunnels. Use the IKE View tool to open and view the *.elg file, or send the file to technical support.
Chapter 15: Managing Users

This chapter describes how to manage VPN-1 Edge appliance users. You can define multiple users, set their passwords, and assign them various permissions. This chapter includes the following topics:
Changing Your Login Credentials............483
Adding and Editing Users ................486
Adding Quick Guest HotSpot Users............489
Viewing and Deleting Users..............491...
The Internal Users page appears. In the row of your username, click Edit. The Account Wizard opens displaying the Set User Details dialog box. Edit the Username field. Edit the Password and Confirm password fields.
Note: Use 5 to 25 characters (letters or numbers) for the new password.
Click Next. The Set User Permissions dialog box appears. Click Finish. Your changes are saved.
To edit an existing user, click Edit next to the desired user. The Account Wizard opens displaying the Set User Details dialog box. Complete the fields using the information in Set User Details Fields on page 487. Click Next.
Adding and Editing Users

The Set User Permissions dialog box appears. The options that appear on the page are dependent on the software and services you are using. Complete the fields using the information in Set User Permissions Fields on page 488.
HotSpot users.
• Read/Write: The user can log on to the VPN-1 Edge Portal and modify system settings.
The default level is No Access. The “admin” user’s Administrator Level (Read/Write) cannot be changed.
Adding Quick Guest HotSpot Users

VPN Remote Access: Select this option to allow the user to connect to this VPN-1 Edge appliance using their VPN client. For further information on setting up VPN remote access, see Setting Up Remote VPN Access for Users on page 492.
Web Filtering: Select this option to allow the user to override Web Filtering.
In the Expires field, click on the arrows to specify the expiration date and time. To print the user details, click Print. Click Finish. The guest user is saved. You can edit the guest user's details and permissions using the procedure Adding and Editing Users on page 486.
Viewing and Deleting Users

Note: The “admin” user cannot be deleted.

To view or delete users
Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears with a list of all users and their permissions. The expiration time of expired users appears in red.
Server, as an internal VPN Server, or as an L2TP VPN Server, you can allow users to access it remotely through their Remote Access VPN Clients (a Check Point SecureClient, Check Point SecuRemote, an L2TP VPN Client, or another Embedded NGX appliance).
Using RADIUS Authentication

user, instead of these default permissions. This is done by configuring the RADIUS Vendor-Specific Attribute (VSA) with a set of attributes containing permission information for specific users. If the VSA is configured for a user, then the RADIUS server passes the VSA to the Embedded NGX gateway as part of the response to the authentication request, and the gateway assigns the user permissions as specified in the VSA.
To clear the text box, click Clear.
Port: Type the port number on the RADIUS server’s host computer. The default port number is 1812.
Shared Secret: Type the shared secret to use for secure communication with the RADIUS server.
In this field… Do this…
Realm: If your organization uses RADIUS realms, type the realm to append to RADIUS requests. The realm will be appended to the username as follows: <username>@<realm>. For example, if you set the realm to “myrealm”, and the user "JohnS" attempts to log on to the VPN-1 Edge Portal, the VPN-1 Edge appliance will send the RADIUS server an authentication request with the username “JohnS@myrealm”.
Web Filtering. This option only appears if the Web Filtering service is defined.
HotSpot Access: Select this option to allow all users authenticated by the RADIUS server to access the My HotSpot page.
Configuring the RADIUS Vendor-Specific Attribute

For detailed instructions and examples, refer to the "Configuring the RADIUS Vendor-Specific Attribute" white paper.

To assign permissions to specific RADIUS-authenticated users
Create a remote access policy as follows: a) Assign the policy’s VSA (attribute 26) the SofaWare vendor code (6983).
VPN-1 Edge Portal and add, edit, or delete "No Access"-level users. However, the user cannot modify other system settings.
readwrite. The user can log on to the VPN-1 Edge Portal and modify system settings.
Columns: Permission | Description | Attribute Number | Attribute Format | Attribute Values | Notes
Description: Indicates whether the user can access the network from a VPN.
Attribute Format: String
Attribute Values: true. The user can remotely access the network via the VPN.
Notes: This permission is only relevant if the VPN-1 Edge
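As an added example (not from the guide or from SofaWare), the following builds and parses a RADIUS Vendor-Specific Attribute (attribute 26) in the layout RFC 2865 defines, carrying permission strings under the SofaWare vendor code 6983 the guide gives. The sub-attribute numbers and the permission names used here are placeholders; the real numbering is in the white paper the guide refers to.

```python
"""RADIUS Vendor-Specific Attribute (type 26) encoder/decoder per RFC 2865.

Vendor ID 6983 (SofaWare) and attribute type 26 come from the guide.
The sub-attribute numbers below are ASSUMED placeholders for illustration,
not the real Embedded NGX numbering.
"""
import struct

VENDOR_SPECIFIC = 26          # RADIUS attribute type for VSAs (RFC 2865)
SOFAWARE_VENDOR_ID = 6983     # vendor code the guide gives for the VSA

# Placeholder sub-attribute numbers (assumption, see lead-in).
SUBATTR_ADMIN_LEVEL = 1
SUBATTR_VPN_ACCESS = 2


def encode_vsa(vendor_id, sub_attrs):
    """Build one RADIUS attribute:
    Type(26) | Length | Vendor-Id (4 bytes) | {Vendor-Type, Vendor-Length, value}...
    sub_attrs is a list of (vendor_type, string_value) pairs."""
    body = b""
    for vtype, value in sub_attrs:
        data = value.encode("ascii")
        if not 0 < vtype < 256:
            raise ValueError("vendor type must fit in one byte")
        if len(data) > 253:
            raise ValueError("sub-attribute value too long")
        body += struct.pack("!BB", vtype, 2 + len(data)) + data
    total = 6 + len(body)
    if total > 255:
        raise ValueError("VSA exceeds 255 bytes; split across several attributes")
    return struct.pack("!BBI", VENDOR_SPECIFIC, total, vendor_id) + body


def decode_vsa(attr):
    """Parse one attribute; return (vendor_id, [(vendor_type, value), ...]).
    Every length field is checked so a truncated or malformed attribute
    is rejected instead of being silently misread."""
    if len(attr) < 6:
        raise ValueError("attribute shorter than the VSA header")
    atype, alen, vendor_id = struct.unpack("!BBI", attr[:6])
    if atype != VENDOR_SPECIFIC or alen != len(attr) or alen < 6:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    subs = []
    pos = 6
    while pos < alen:
        if alen - pos < 2:
            raise ValueError("dangling bytes inside VSA")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 2 or pos + vlen > alen:
            raise ValueError("sub-attribute length out of range")
        subs.append((vtype, attr[pos + 2:pos + vlen].decode("ascii")))
        pos += vlen
    return vendor_id, subs


def permissions_from_vsa(attr):
    """Map the sub-attributes to permission names (placeholder names),
    ignoring VSAs that belong to a different vendor (returns {})."""
    vendor_id, subs = decode_vsa(attr)
    if vendor_id != SOFAWARE_VENDOR_ID:
        return {}
    names = {SUBATTR_ADMIN_LEVEL: "admin_level",
             SUBATTR_VPN_ACCESS: "vpn_remote_access"}
    return {names[t]: v for t, v in subs if t in names}


if __name__ == "__main__":
    # Constructed sample: a read/write administrator allowed VPN access.
    vsa = encode_vsa(SOFAWARE_VENDOR_ID,
                     [(SUBATTR_ADMIN_LEVEL, "readwrite"),
                      (SUBATTR_VPN_ACCESS, "true")])
    print(vsa.hex())
    print(permissions_from_vsa(vsa))
```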
Chapter 16: Using Remote Desktop

This chapter describes how to remotely access the desktop of each of your computers, using the VPN-1 Edge appliance's Remote Desktop feature. This chapter includes the following topics:
Overview ....................501
Workflow....................502
Configuring Remote Desktop..............502
Configuring the Host Computer ...............506
Accessing a Remote Computer's Desktop ..........509

Overview...
Access remote computers' desktops as desired. See Accessing a Remote Computer's Desktop on page 509.

Configuring Remote Desktop

To configure Remote Desktop
Click Setup in the main menu, and click the Remote Desktop tab.
The Remote Desktop page appears. Do one of the following:
• To enable Remote Desktop, select the Allow remote desktop access check box.
New fields appear.
• To disable Remote Desktop, clear the Allow remote desktop access check box. Fields disappear.
Complete the fields using the information in the following table. Click Apply.
Table 102: Remote Desktop Options
In this field… Do this…
Sharing
Share local drives: Select this option to allow the host computer to access hard drives on the client computer. This enables remote users to access their local hard drives when logged on to the host computer.
For information, refer to Microsoft documentation. On the desktop, right-click on My Computer, and select Properties in the pop-up menu that appears. The System Properties dialog box appears displaying the General tab. Click the Remote tab.
Configuring the Host Computer

The Remote tab appears. Select the Allow users to connect remotely to this computer check box. Click Select Remote Users. The Remote Desktop Users dialog box appears. Do the following for each remote user who should be allowed to access this computer: Click Add.
Type the desired user's username in the text box. The Check Names button is enabled. Click Check Names. Click OK. The Remote Desktop Users dialog box reappears with the desired user's username. Click OK. Click OK.
Accessing a Remote Computer's Desktop

Note: The client computer must meet the following requirements:
• Microsoft Internet Explorer 6.0 or later
• A working Internet connection

To access a remote computer's desktop
Click Reports in the main menu, and click the Active Computers tab. The Active Computers page appears.
These are the credentials configured for your user account in Enabling the Remote Desktop Server on page 506. Click OK. The remote computer's desktop appears onscreen. You can use the following keyboard shortcuts during the Remote Desktop session:
Table 103: Remote Desktop Keyboard Shortcuts
This shortcut… Does this…
ALT+INSERT: Cycles through running programs in the order that they were started
ALT+HOME: Displays the Start menu
CTRL+ALT+BREAK: Toggles between displaying the session in a window and on the full screen
CTRL+ALT+END: Opens the Windows Security dialog box...
Chapter 17: Maintenance

This chapter describes the tasks required for maintenance and diagnosis of your VPN-1 Edge appliance. This chapter includes the following topics:
Viewing Firmware Status .................514
Updating the Firmware................516
Upgrading Your Software Product ............518
Configuring Syslog Logging ..............520
Controlling the Appliance via the Command Line ........522
Configuring HTTPS .................527...
You can view your current firmware version and additional details.

To view the firmware status
• Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. The Firmware page displays the following information:
Table 104: Firmware Status Fields
This field… | Displays… | For example…
WAN MAC Address | The MAC address used for the Internet connection | 00:80:11:22:33:44
Firmware Version | The current version of the firmware |
Installed Product | The licensed software and the number of allowed nodes | VPN-1 Edge X (unlimited nodes)
Uptime...
Connecting to a Service Center on page 392. When connected to SmartCenter, you can also update VPN-1 Edge firmware using SmartCenter's SmartUpdate component. For information refer to the Check Point SmartUpdate documentation. If you are not subscribed to the Software Updates service, you must update your firmware manually.
Updating the Firmware

The Firmware Update page appears. Click Browse. A browse window appears. Select the image file and click Open. The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box. Click Upload.
If the Product Key is centrally managed, it cannot be changed locally.

To install a Product Key
Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. Click Upgrade Product.
Upgrading Your Software Product

The VPN-1 Edge Licensing Wizard opens, with the Install Product Key dialog box displayed. Click Enter a different Product Key. In the Product Key field, enter the new Product Key. Click Next. The Installed New Product Key dialog box appears. Click Finish.
Note: When managed by SmartCenter, the appliance automatically sends logs to the SmartCenter Log Viewer using a secure protocol. You can still configure Syslog logging if desired.

To configure Syslog logging
Click Setup in the main menu, and click the Logging tab.
Configuring Syslog Logging

The Logging page appears. Complete the fields using the information in the following table. Click Apply.

Table 105: Logging Page Fields
In this field… Do this…
Syslog Server: Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service.
Using the VPN-1 Edge Portal

You can control your appliance via the VPN-1 Edge Portal's command line interface.

To control the appliance via the VPN-1 Edge Portal
Click Setup in the main menu, and click the Tools tab.
Controlling the Appliance via the Command Line

The Tools page appears. Click Command. The Command Line page appears. In the upper field, type a command.
Connect the serial console to your VPN-1 Edge appliance's serial port, using an RS-232 Null modem cable. For information on locating the serial port, see Rear Panel on page 17. Click Network in the main menu, and click the Ports tab.
The Ports page appears. Next to the Serial port, click Edit.
In the Assign to drop-down list, select Console. Click Apply. You can now control the VPN-1 Edge appliance from the serial console. For information on all supported commands, refer to the Embedded NGX CLI Reference Guide.
Configuring HTTPS

You can enable VPN-1 Edge appliance users to access the VPN-1 Edge Portal from the Internet. To do so, you must first configure HTTPS.

To configure HTTPS
Click Setup in the main menu, and click the Management tab. The Management page appears.
Click Apply. The HTTPS configuration is saved. If you configured remote HTTPS, you can now access the VPN-1 Edge Portal through the Internet, using the procedure Accessing the VPN-1 Edge Portal Remotely on page 74.
Table 106: Access Options
Select this option… | To allow access from…
Internal Networks | The internal network only. This disables remote access capability. This is the default.
Internal Networks + | The internal network and your VPN.
Internal Networks + IP Range | A particular range of IP addresses.
See Access Options on page 529 for information.
Warning: If remote SSH is enabled, your VPN-1 Edge appliance settings can be changed remotely, so it is especially important to make sure all VPN-1 Edge appliance users’ passwords are difficult to guess.
Configuring SSH

If you selected Internal Networks + IP Range, additional fields appear. If you selected Internal Networks + IP Range, enter the desired IP address range in the fields provided. Click Apply. The SSH configuration is saved. If you configured remote SSH access, you can now control the VPN-1 Edge appliance from the Internet, using an SSHv2 client.
Click Setup in the main menu, and click the Management tab. The Management page appears. Specify from where SNMP access should be granted. See Access Options on page 529 for information. If you selected Internal Networks + IP Range, additional fields appear.
Configuring SNMP

The Community field and the Advanced link are enabled. If you selected Internal Networks + IP Range, enter the desired IP address range in the fields provided. In the Community field, type the name of the SNMP community string. SNMP clients use the SNMP community string as a password when connecting to the VPN-1 Edge appliance.
Page 546
This information will be visible to SNMP clients, and is useful for administrative purposes.
System Contact: Type the name of the contact person. This information will be visible to SNMP clients, and is useful for administrative purposes.
In this field…  Do this…
SNMP Port: Type the port to use for SNMP. The default port is 161.
Setting the Time on the Appliance
You set the time displayed in the VPN-1 Edge Portal during initial appliance setup. If desired, you can change the date and time using the procedure below.
Page 548
• If you selected Specify date and time, the Specify Date and Time dialog box appears. Set the date, time, and time zone in the fields provided, then click Next.
• If you selected Use a Time Server, the Time Servers dialog box appears.
Page 549
Complete the fields using the information in Time Servers Fields on page 538, then click Next.
• The Date and Time Updated screen appears. Click Finish.
Table 108: Set Time Wizard Fields
Select this option…  To do the following…...
Internet.
Traceroute: Display a list of all routers used to connect from the VPN-1 Edge appliance to a specific IP address or DNS name. For information, see Using IP Tools on page 539.
Page 551
Using Diagnostic Tools
Use this tool…  To do this…  For information, see...
WHOIS: Display the name and contact information of the entity to which a specific IP address or DNS name is registered. This information is useful in tracking down hackers. For information, see Using IP Tools on page 539.
Page 552
• If you selected Traceroute, the following things happen: The VPN-1 Edge appliance connects to the specified IP address or DNS name. The IP Tools window opens and displays a list of routers used to make the connection.
Page 553
• If you selected WHOIS, the following things happen: The VPN-1 Edge appliance queries the Internet WHOIS server. A window displays the name of the entity to which the IP address or DNS name is registered and their contact information.
Using Packet Sniffer
The VPN-1 Edge appliance includes the Packet Sniffer tool, which enables you to capture packets from any internal network or VPN-1 Edge port.
Page 554
Browse to a destination directory of your choice. Type a name for the configuration file and click Save. The *.cap file is created and saved to the specified directory.
Click Cancel to close the Packet Sniffer window.
Page 555
Table 111: Packet Sniffer Fields
In this field…  Do this…
Interface: Select the interface from which to collect packets. The list includes the primary Internet connection, the VPN-1 Edge appliance ports, and all defined networks.
Filter String: Type the filter string to use for filtering the captured packets.
Page 556
The and element is used to concatenate filter string elements. The filtered packets must match all concatenated filter string elements.
SYNTAX
element and element [and element...]
element && element [&& element...]
PARAMETERS
element: String. A filter string element.
Page 557
EXAMPLE
The following filter string saves packets that both originate from IP address 192.168.10.1 and are destined for port 80:
src 192.168.10.1 and dst port 80
PURPOSE
The dst element captures all packets with a specific destination.
SYNTAX
dst destination
PARAMETERS...
Page 558
String. The protocol type of the packet. This can be the following: ip, ip6, arp, rarp, atalk, aarp, decnet, sca, lat, mopdl, moprc, iso, stp, ipx, netbeui
EXAMPLE
The following filter string saves ARP packets:
ether proto arp
Page 559
host
PURPOSE
The host element captures all incoming and outgoing packets for a specific computer.
SYNTAX
host host
PARAMETERS
host: IP Address or String. The computer to/from which the packet is sent. This can be the following:
•...
Page 560
Note: This element can be prepended by tcp or udp. For information, see tcp on page 550 and udp on page 551.
PARAMETERS
port: Integer. The port from/to which the packet is sent.
Page 561
EXAMPLE
The following filter string saves all packets that either originated from port 80, or are destined for port 80:
port 80
PURPOSE
The src element captures all packets with a specific source.
SYNTAX
src source
PARAMETERS
source: IP Address or String.
Page 562
- Capture all TCP packets destined for a specific port.
• port - Capture all TCP packets originating from or destined for a specific port.
• src port - Capture all TCP packets originating from a specific port.
Page 563
EXAMPLE
The following filter string captures all TCP packets:
tcp
EXAMPLE
The following filter string captures all TCP packets destined for port 80:
tcp dst port 80
PURPOSE
The udp element captures all UDP packets. This element can be prepended to port-related elements.
Exporting the VPN-1 Edge appliance configuration creates a configuration file.
To export the VPN-1 Edge appliance configuration
Click Setup in the main menu, and click the Tools tab. The Tools page appears.
Click Export. A standard File Download dialog box appears.
Click Save.
Page 565
Backing Up the VPN-1 Edge Appliance Configuration
The Save As dialog box appears. Browse to a destination directory of your choice. Type a name for the configuration file and click Save. The *.cfg configuration file is created and saved to the specified directory.
Importing the VPN-1 Edge Appliance Configuration
In order to restore your VPN-1 Edge appliance’s configuration from a configuration file, you must import the file.
Page 566
Note: If the appliance's IP address changed as a result of the configuration import, your computer may be disconnected from the network; therefore you may not be able to see the results.
Resetting the VPN-1 Edge Appliance to Defaults
You can reset the VPN-1 Edge appliance to its default settings. When you reset your VPN-1 Edge appliance, it reverts to the state it was originally in when you purchased it.
Warning: This operation erases all your settings and password information.
Page 568
The Please Wait screen appears.
• The VPN-1 Edge appliance returns to its factory defaults.
• The VPN-1 Edge appliance is restarted (the PWR/SEC LED flashes quickly). This may take a few minutes.
• The Login page appears.
Page 569
To reset the VPN-1 Edge appliance to factory defaults using the Reset button
Make sure the VPN-1 Edge appliance is powered on.
Using a pointed object, press the RESET button on the back of the VPN-1 Edge appliance steadily for seven seconds and then release it.
Type a name for the configuration file and click Save. The *.html file is created and saved to the specified directory.
To refresh the contents of the window, click Refresh. The contents are refreshed.
To close the window, click Close.
Rebooting the VPN-1 Edge Appliance
If your VPN-1 Edge appliance is not functioning properly, rebooting it may solve the problem.
To reboot the VPN-1 Edge appliance
Click Setup in the main menu, and click the Firmware tab. The Firmware page appears.
Chapter 18 Using Network Printers
This chapter describes how to set up and use network printers.
This chapter includes the following topics:
Overview ....................561
Setting Up Network Printers..............562
Configuring Computers to Use Network Printers........565
Viewing Network Printers ................575
Changing Network Printer Ports...............576
Resetting Network Printers...............577
Overview
Some VPN-1 Edge models include a built-in print server, enabling you to connect USB-...
See Network Installation on page 57.
Turn the printer on.
In the VPN-1 Edge Portal, click Network in the main menu, and click the Ports tab. The Ports page appears.
Next to USB, click Edit.
Page 575
Setting Up Network Printers The USB Devices page appears. If the VPN-1 Edge appliance detected the printer, the printer is listed on the page. If the printer is not listed, check that you connected the printer correctly, then click Refresh to refresh the page. Next to the printer, click Edit.
Page 576
Configure each computer from which you want to enable printing to the network printer. See Configuring Computers to Use Network Printers on page 565.
Configuring Computers to Use Network Printers
Perform the relevant procedure on each computer from which you want to enable printing via the VPN-1 Edge print server to a network printer.
Windows 2000/XP
This procedure is relevant for computers with a Windows 2000/XP operating system.
To configure a computer to use a network printer
If the computer for which you want to enable printing is located on the WAN, create an Allow rule for connections from the computer to This Gateway.
Page 578
Note: Do not select the Automatically detect and install my Plug and Play printer check box.
Click Next. The Select a Printer Port dialog box appears.
Click Create a new port. In the Type of port drop-down list, select Standard TCP/IP Port.
10. Click Next.
Page 579
The Add Standard TCP/IP Port Wizard opens with the Welcome dialog box displayed.
11. Click Next. The Add Port dialog box appears.
12. In the Printer Name or IP Address field, type the VPN-1 Edge appliance's LAN IP address, or "my.firewall".
Page 580
16. In the Port Number field, type the printer's port number, as shown in the Printers page.
17. In the Protocol area, make sure that Raw is selected.
18. Click OK. The Add Standard TCP/IP Printer Port Wizard reappears.
Page 581
19. Click Next. The Completing the Add Standard TCP/IP Printer Port Wizard dialog box appears.
20. Click Finish. The Add Printer Wizard reappears, with the Install Printer Software dialog box displayed.
21. Do one of the following:
•...
Page 582
24. Right-click the printer and click Properties in the popup menu. The printer's Properties dialog box opens.
25. In the Ports tab, in the list box, select the port you added. The port's name is IP_<LAN IP address>.
26. Click OK.
Page 583
Mac OS X
This procedure is relevant for computers with the latest version of the Mac OS X operating system.
Note: This procedure may not apply to earlier Mac OS X versions.
To configure a computer to use a network printer
If the computer for which you want to enable printing is located on the WAN, create an Allow rule for connections from the computer to This Gateway.
Page 584
The Print & Fax window appears.
In the Printing tab, click Set Up Printers. The Printer List window appears.
Click Add.
Page 585
New fields appear.
In the first drop-down list, select IP Printing.
In the Printer Type drop-down list, select Socket/HP Jet Direct.
In the Printer Address field, type the VPN-1 Edge appliance's LAN IP address, or "my.firewall".
Page 586
12. In the Model Name list, select the desired model.
13. Click Add. The new printer appears in the Printer List window.
14. In the Printer List window, select the newly added printer, and click Make Default.
Viewing Network Printers
To view network printers
Click Network in the main menu, and click the Ports tab. The Ports page appears.
Next to USB, click Edit. The USB Devices page appears, displaying a list of connected printers. For each printer, the model, serial number, port, and status are displayed.
The USB Devices page appears, displaying a list of connected printers.
Next to the desired printer, click Edit. The Printer Setup page appears.
In the printer's Printer Server TCP Port field, type the desired port number.
Click Apply.
Resetting Network Printers
You can cause a network printer to restart the current print job by resetting the network printer. You may want to do this if the print job has stalled.
To reset a network printer
Click Network in the main menu, and click the Ports tab.
Chapter 19 Troubleshooting
This chapter provides solutions to common problems you may encounter while using the VPN-1 Edge appliance.
Note: For information on troubleshooting wireless connectivity, see Troubleshooting Wireless Connectivity on page 273.
This chapter includes the following topics:
Connectivity ....................
Page 592
You can view this setting in the Network > Internet Setup page.
• Advanced ADSL configuration fine tuning options are available via the CLI. For information, refer to the Embedded NGX CLI Reference Guide.
Page 593
I cannot access http://my.firewall or http://my.vpn. What should I do?
• Verify that the VPN-1 Edge appliance is operating (PWR/SEC LED is active).
• Check if the LAN LINK/ACT LED for the port used by your computer is on. If not, check if the network cable linking your computer to the VPN-1 Edge appliance is connected properly.
Page 594
Configuring Servers on page 301.
I run a public Web server at home but it cannot be accessed from the Internet. What should I do?
Configure a virtual Web Server. For instructions, see Configuring Servers on page 301.
While trying to connect to a Service Center, I received the message “The Service Center did not respond”. What should I do?
• If you are using a Service Center other than the Check Point Service Center, check that the Service Center IP address is typed correctly.
•...
When you have finished using the application, make sure to clear the exposed host setting, otherwise your security might be compromised.
In the VPN-1 Edge Portal, I do not see the pop-up windows that the guide describes. What should I do?
Disable any pop-up blockers for http://my.firewall.
Federal Communications Commission Radio Frequency Interference Statement ....................595
Technical Specifications
Check Point is committed to protecting the environment. The latest VPN-1 Edge unified threat management appliance models are compliant with the RoHS Directive, meeting the European Union's strict restrictions on hazardous substances.
Page 598
Output | 5V DC @ 3.3A
Max. Power Consumption | 8.5W (13.5W including USB devices) | 10.5W (15.5W including USB devices)
Environmental Conditions
Storage/Transport Temperature | -5°C ~ 80°C | -5°C ~ 80°C
Operation Temperature | 0°C ~ 40°C | 0°C ~ 40°C
Page 600
CE, FCC 15B, VCCI | CE, FCC 15B, VCCI
Reliability | EN 300 019 - 1, 2, 3 | EN 300 019 - 1, 2, 3
Environment | RoHS & WEEE | RoHS & WEEE
MTBF (hours) | 68,000 | 68,000
R&TTE, FCC 15C, TELCO
Page 601
Table 114: VPN-1 Edge Non-ADSL Models Attributes
Attribute | VPN-1 Edge X Industrial (SBXI-166LHGE-6) | VPN-1 Edge W (SBXW-166LHGE-6)
Physical Attributes
Dimensions (width x height x depth) | 200 x 32 x 128 mm (7.87 x 1.26 x 5.04 inches) | 200 x 32 x 128 mm (7.87 x 1.26 x 5.04 inches)
Weight | Without DIN rail adapter:...
Page 602
EN 55022 & EN 55024; FCC Part 15 B & C; AS/NZS 4268: 2003 A1
Reliability | ETSI EN 300 019-2 - 1, 2, 3 | EN 300 019 - 1, 2, 3
Environment | RoHS & WEEE | RoHS & WEEE
Page 603
MTBF (hours) | When used with Hirschmann RPS30 Industrial 24V DC power supply: 370,000; when used with supplied 5V power supply: 68,000 | 68,000
R&TTE, FCC 15C, TELCO
Wireless Attributes
Table 115: VPN-1 Edge Wireless Attributes
Attribute | All Wireless Models
Operation Frequency | 2.412-2.484 MHz
Transmission Power | 79.4 mW...
CE Declaration of Conformity
Attribute | VPN-1 Edge X, VPN-1 Edge W, VPN-1 Edge X ADSL | VPN-1 Edge W ADSL
VPN-1 Edge X, VPN-1 Edge W, VPN-1 Edge X ADSL: EN 55022, EN 61000-3-2, EN 61000-3-3, EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-8, EN 61000-4-11, ENV50204
VPN-1 Edge W ADSL: EN 50081-1, EN 50082-1, EN 61000-6-1, EN 61000-6-3, EN 55022, EN 55024, EN 61000-3-2, EN 61000-3-3, EN 61000-4-2, EN 61000-4-3, EN 61000-4-4, EN 61000-4-5, EN 61000-4-6, EN 61000-4-7, EN 61000-4-8, EN 61000-4-9, EN 61000-4-10, EN 61000-4-11, EN 61000-4-12...
Page 606
Directive 99/05/EEC (Radio Equipment and Telecommunications Terminal Equipment Directive). The product has been tested in a typical configuration. For a copy of the Original Signed Declaration (in full conformance with EN45014), please contact SofaWare at the above address.
Federal Communications Commission Radio Frequency Interference Statement
This equipment complies with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
Appendix A ADSL Settings
This appendix lists the typical ADSL settings for each country and service provider.
Table 118: ADSL Settings
Country | Service Provider | Connection Type | Encapsulation
Argentina | Arnet | PPPoE |
Argentina | Speedy | PPPoE |
Australia | Most ISPs | PPPoE |...
Page 610
Denmark | Cybercity | PPPoA | VCMUX
Denmark | Tiscali | PPPoA | VCMUX
Denmark | Tiscali (World Online) | PPPoA | VCMUX
Egypt | Raya Telecom | PPPoA | VCMUX
France | 9Online | PPPoA | VCMUX
France | | PPPoA | VCMUX
France | Cegetel ADSL Max 8 Mb | PPPoA | VCMUX
Page 611
Country | Service Provider | Connection Type | Encapsulation
France | Cegetel non dégroupé 512 IP/ADSL et dégroupé | PPPoA | VCMUX
France | Claranet | PPPoA | VCMUX
France | Club-Internet | PPPoA | VCMUX
France | EasyConnect | PPPoA |
France | Free non dégroupé 512/128 &... | PPPoA | VCMUX
Page 615
Country | Service Provider | Connection Type | Encapsulation
Spain | Uni2 | PPPoA | VCMUX
Spain | Wanadoo Spain | PPPoE |
Spain | Ya.com | PPPoE |
Sweden | Skanova | PPPoE |
| Etisalat Classical IP for Business | PPPoA | VCMUX
| Etisalat Classical IP Single User | PPPoE |
| Etislat | PPPoA |
UAE-Other...
Glossary of Terms
ADSL Modem: A device connecting a computer to the Internet via an existing phone line.
ADSL (Asymmetric Digital Subscriber...
Certificate Authority: The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information.
Page 618
..."handles", that are translated into IP addresses. An example of a Domain Name is 'www.sofaware.com'.
...computer that are designed to watch out for, seize and then transmit to another computer, specific types of data.
Page 619
HTTPS: Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. A protocol for accessing a secure Web server.
IP Spoofing: A technique where an attacker attempts to gain unauthorized access through a false source address to make it appear as though communications have originated...
Page 620
...IP address. ...common customer premises equipment (e.g. modem).
NAT can be used to map several internal IP addresses to a single IP address, thereby sharing a single IP address assigned by the ISP among several PCs.
Page 621
...individually to the IP program layer. Although each packet has the same destination IP address, it may get routed differently through the network.
Stateful Inspection was invented by Check Point to provide the highest level of security by examining every layer within a packet, unlike other systems of...
Page 622
UDP is often used for applications such as streaming data. A URL (Uniform Resource Locator) is the address of a file (resource) accessible on the Internet. The type of...
Index
802.1x
  configuring for a wireless network • 244
  configuring for ports • 359
account, configuring • 399
bridges
  adding and editing • 204
  adding connections to • 213
  adding networks to • 208
  explained • 197
  multiple • 202
  using •...
Page 624
  High Availability for • 217
  explained • 156, 606
DNS • 140, 538, 606
Dynamic DNS • 15, 391, 397
firewall rules
  adding and editing • 307
  changing priority • 313
  deleting • 313
  enabling/disabling • 312
Page 625
  types • 307
  using • 303
firmware
  explained • 514, 606
  updating manually • 516
  viewing status • 514
FTP Bounce •...
  explained • 606
  using • 74
hub • 17, 57, 140, 217, 579, 607
IGMP • 353
IKE traces, viewing • 481
Page 626
  • 277
  viewing • 277
MAC address • 607
  adding and editing • 171
  using • 170
  viewing and deleting • 179
Network Quota • 333
node limit, viewing • 285