running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and...

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the...

countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new...

When installing the appliance, ensure that the vents are not blocked. Do not place this product on an unstable surface or support.
Contents

About This Guide ..... xi
Chapter 1: Introduction ..... 1
About Your Check Point VPN-1 Edge Appliance ..... 1
VPN-1 Edge Products ..... 2
VPN-1 Edge Features and Compatibility ..... 3
Connectivity ..... 3
Firewall ..... 4
VPN ..... 5
Management ..... 5
Optional Security Services ..... 6
Package Contents ..... 6
Network Requirements ..... 7
Getting to Know Your VPN-1 Edge X series Appliance ..... 8
Rear Panel ..... 8
Front Panel ..... 9
...
Securing the Appliance against Theft ..... 34
Network Installation ..... 37
Setting Up the VPN-1 Edge Appliance ..... 38
Chapter 3: Getting Started ..... 41
Initial Login to the VPN-1 Edge Portal ..... 41
Logging on to the VPN-1 Edge Portal ..... 44
Accessing the VPN-1 Edge Portal Remotely Using HTTPS ..... 46
Using the VPN-1 Edge Portal ..... 48
Main Menu ..... 49
Main Frame ..... 50
...
Using No Connection ..... 78
Setting Up a Dialup Modem ..... 85
Viewing Internet Connection Information ..... 88
Enabling/Disabling the Internet Connection ..... 90
Using Quick Internet Connection/Disconnection ..... 92
Configuring a Backup Internet Connection ..... 92
Setting Up a LAN or Broadband Backup Connection ..... 92
Setting Up a Dialup Backup Connection ..... 93
Chapter 5: Managing Your Network ..... 95
Configuring Network Settings ..... 95
Configuring a DHCP Server ..... 96
...
Modifying Link Configurations ..... 150
Resetting Ports to Defaults ..... 150
Chapter 6: Using Traffic Shaper ..... 153
Overview ..... 153
Setting Up Traffic Shaper ..... 154
Predefined QoS Classes ..... 155
Adding and Editing Classes ..... 156
Deleting Classes ..... 161
Restoring Traffic Shaper Defaults ..... 162
Chapter 7: Configuring a Wireless Network ..... 163
Overview ..... 163
About the Wireless Hardware in Your VPN-1 Edge W series Appliance ..... 164
Wireless Security Protocols ..... 165
...
Viewing Connections ..... 199
Viewing Wireless Statistics ..... 200
Chapter 9: Setting Your Security Policy ..... 205
Default Security Policy ..... 206
Setting the Firewall Security Level ..... 207
Configuring Servers ..... 210
Using Rules ..... 212
Adding and Editing Rules ..... 216
Enabling/Disabling Rules ..... 222
Changing Rules' Priority ..... 222
Deleting Rules ..... 223
Using SmartDefense ..... 223
Configuring SmartDefense ..... 224
...
Chapter 11: SMART Management and Subscription Services ..... 287
Connecting to a Service Center ..... 288
Viewing Services Information ..... 293
Refreshing Your Service Center Connection ..... 294
Configuring Your Account ..... 294
Disconnecting from Your Service Center ..... 295
Web Filtering ..... 296
Enabling/Disabling Web Filtering ..... 296
Selecting Categories for Blocking ..... 297
Temporarily Disabling Web Filtering ..... 298
Email Filtering ..... 300
...
Configuring a Remote Access VPN Site ..... 322
Configuring a Site-to-Site VPN Gateway ..... 335
Deleting a VPN Site ..... 351
Enabling/Disabling a VPN Site ..... 352
Logging on to a Remote Access VPN Site ..... 353
Logging on through the VPN-1 Edge Portal ..... 353
Logging on through the my.vpn page ..... 355
Logging off a Remote Access VPN Site ..... 357
Installing a Certificate ..... 357
Generating a Self-Signed Certificate ..... 358
...
Configuring Syslog Logging ..... 398
Controlling the Appliance via the Command Line ..... 400
Using the VPN-1 Edge Portal ..... 400
Using the Serial Console ..... 402
Configuring HTTPS ..... 404
Configuring SSH ..... 406
Configuring SNMP ..... 408
Setting the Time on the Appliance ..... 411
Using Diagnostic Tools ..... 415
Using IP Tools ..... 416
Using Packet Sniffer ..... 418
Filter String Syntax ..... 421
Backing Up the VPN-1 Edge Appliance Configuration ..... 429
...
Chapter 16: Troubleshooting ..... 451
Connectivity ..... 452
Service Center and Upgrades ..... 456
Other Problems ..... 457
Chapter 17: Specifications ..... 459
Technical Specifications ..... 459
CE Declaration of Conformity ..... 462
Federal Communications Commission Radio Frequency Interference Statement ..... 464
Glossary of Terms ..... 465
Index ..... 473
About Your Check Point VPN-1 Edge Appliance

About This Guide

To make finding information in this manual easier, some types of information are marked with special symbols or formatting. Boldface type is used for command and button names.

Note: Notes are denoted by indented text and preceded by the Note icon.

Warning: Warnings are denoted by indented text and preceded by the Warning icon.

Chapter 1: Introduction

This chapter introduces the Check Point VPN-1 Edge appliance and this guide. This chapter includes the following topics:

About Your Check Point VPN-1 Edge Appliance ..... 1
VPN-1 Edge Products ..... 2
VPN-1 Edge Features and Compatibility ..... 3
Getting to Know Your VPN-1 Edge X series Appliance ..... 8
Getting to Know Your VPN-1 Edge W Series Appliance ..... 11
Contacting Technical Support ..... 15
...
You can also connect VPN-1 Edge appliances to security services available from select service providers, including firewall security and software updates, Web Filtering, reporting, VPN management, and Dynamic DNS. Business users can use the VPN-1 Edge appliance to securely connect to the corporate network.

VPN-1 Edge Products

The VPN-1 Edge appliance is available with the following hardware:
• ...

VPN-1 Edge Features and Compatibility

Connectivity

All VPN-1 Edge models have the following features:
• LAN ports: 4-port 10/100 Mbps Fast Ethernet switch
• WAN port: 10/100 Mbps Fast Ethernet
• DMZ/WAN2 port: 10/100 Mbps Fast Ethernet
• ...

The VPN-1 Edge W includes the following additional features:
• Wireless LAN interface with dual diversity antennas supporting up to 108 Mbps (Super G) and Extended Range (XR)
• Wireless QoS (WMM)
• Integrated USB print server

Firewall

All VPN-1 Edge models have the following features:
• ...

VPN

All VPN-1 Edge models have the following features:
• Remote Access VPN Server with OfficeMode and RADIUS support
• Remote Access VPN Client
• Site-to-Site VPN Gateway
• IPSEC VPN pass-through
• Algorithms: AES/3DES/DES, SHA1/MD5
• ...

• Dynamic DNS Service
• VPN Management
• Security Reporting
• Vulnerability Scanning Service

Package Contents

All VPN-1 Edge series include the following:
• VPN-1 Edge Internet Security Appliance
• Power adapter
• CAT5 straight-through Ethernet cable
• Getting Started Guide
• ...

Network Requirements

• A broadband Internet connection via cable or DSL modem with Ethernet interface (RJ-45)
• 10BaseT or 100BaseT Network Interface Card installed on each computer
• TCP/IP network protocol installed on each computer
• ...
Getting to Know Your VPN-1 Edge X series Appliance

Rear Panel

The following figure shows the VPN-1 Edge X series appliance's rear panel. All physical connections (network and power) to the VPN-1 Edge appliance are made via the rear panel of your VPN-1 Edge appliance.

Label: Description
RESET: A button used for rebooting the VPN-1 Edge appliance or resetting the VPN-1 Edge appliance to its factory defaults. You need to use a pointed object to press this button.

For an explanation of the VPN-1 Edge X appliance's status LEDs, see the table below.

Table 2: VPN-1 Edge X Appliance Status LEDs
PWR/SEC
  Off: Power off
  Flashing quickly (Green): System boot-up
  Flashing slowly (Green): Establishing Internet connection
  ...

Getting to Know Your VPN-1 Edge W Series Appliance

Rear Panel

All physical connections (network and power) to the VPN-1 Edge appliance are made via the rear panel of your VPN-1 Edge appliance.

Figure 3: VPN-1 Edge W Appliance Rear Panel Items

The following table lists the VPN-1 Edge W appliance's rear panel elements.

Label: Description
RESET: A button used for rebooting the VPN-1 Edge appliance or resetting the VPN-1 Edge appliance to its factory defaults. You need to use a pointed object to press this button.

Front Panel

The VPN-1 Edge W appliance includes several status LEDs that enable you to monitor the appliance's operation.

Figure 4: VPN-1 Edge W Appliance Front Panel

For an explanation of the VPN-1 Edge W appliance's status LEDs, see the table below.

Table 4: VPN-1 Edge W Appliance Status LEDs
PWR/SEC
  Off: Power off
  Flashing quickly (Green): System boot-up
  Flashing slowly (Green): Establishing Internet connection
  On (Green): Normal operation
  Flashing (Red): Hacker attack blocked
  On (Red): Error
  Flashing (Orange): ...

Contacting Technical Support

If there is a problem with your VPN-1 Edge appliance, see http://www.checkpoint.com/techsupport/. You can also download the latest version of this guide from the Check Point software subscription website.
Chapter 2: Installing and Setting up the VPN-1 Edge Appliance

This chapter describes how to properly set up and install your VPN-1 Edge appliance in your networking environment. This chapter includes the following topics:

Before You Install the VPN-1 Edge Appliance ..... 17
Wall Mounting the Appliance ..... 32
Securing the Appliance against Theft ..... 34
...

Before You Install the VPN-1 Edge Appliance

Windows 2000/XP

Note: While Windows XP has an "Internet Connection Firewall" option, it is recommended to disable it if you are using a VPN-1 Edge appliance, since the VPN-1 Edge appliance offers better protection.

Checking the TCP/IP Installation

1. ...

The Network and Dial-up Connections window appears.

3. Right-click the icon and select Properties from the pop-up menu that opens.

The Local Area Connection Properties window appears.

4. In the above window, check if TCP/IP appears in the components list and if it is properly configured with the Ethernet card installed on your computer. If TCP/IP does not appear in the Components list, you must install it as described in the next section.

Installing TCP/IP Protocol

1. In the Local Area Connection Properties window, click Install…. The Select Network Component Type window appears.
2. Choose Protocol and click Add. The Select Network Protocol window appears.
3. Choose Internet Protocol (TCP/IP) and click OK. TCP/IP protocol is installed on your computer.

TCP/IP Settings

1. In the Local Area Connection Properties window, double-click the Internet Protocol (TCP/IP) component, or select it and click Properties. The Internet Protocol (TCP/IP) Properties window opens.
2. Click the Obtain an IP address automatically radio button.

Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically.
Windows 98/Millennium

Checking the TCP/IP Installation

1. Click Start > Settings > Control Panel. The Control Panel window appears.
2. Double-click the icon.

The Network window appears.

3. In the Network window, check if TCP/IP appears in the network components list and if it is already configured with the Ethernet card installed on your computer.

Installing TCP/IP Protocol

Note: If TCP/IP is already installed and configured on your computer, skip this section and move directly to TCP/IP Settings.

The Select Network Component Type window appears.

2. Choose Protocol and click Add. The Select Network Protocol window appears.
3. In the Manufacturers list choose Microsoft, and in the Network Protocols list choose TCP/IP.
4. ...

TCP/IP Settings

Note: If you are connecting your VPN-1 Edge appliance to an existing LAN, consult your network manager for the correct configurations.

1. In the Network window, double-click the TCP/IP service for the Ethernet card which has been installed on your computer (e.g. ...

3. Click the DNS Configuration tab, and click the Disable DNS radio button.
4. Click the IP Address tab, and click the Obtain an IP address automatically radio button.

Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically.
1. Choose Apple Menus -> Control Panels -> TCP/IP. The TCP/IP window appears.
2. Click the Connect via drop-down list, and select Ethernet.
3. Click the Configure drop-down list, and select Using DHCP Server.
4. ...

Mac OS-X

Use the following procedure for setting up the TCP/IP Protocol.

1. Choose Apple -> System Preferences. The System Preferences window appears.
2. Click Network. The Network window appears.
3. Click Configure.
TCP/IP configuration fields appear.

4. Click the Configure IPv4 drop-down list, and select Using DHCP.
5. Click Apply Now.

Wall Mounting the Appliance

If desired, you can mount your VPN-1 Edge W series appliance on the wall.

To mount the VPN-1 Edge appliance on the wall

1. ...

Note: Mounting the appliance facing downwards is not recommended, as dust might accumulate in unused ports.

3. Mark two drill holes on the wall, in accordance with the following sketch:
4. Drill two 3.5 mm diameter holes, approximately 25 mm deep.
5. ...
7. Align the holes on the VPN-1 Edge appliance's underside with the screws on the wall, then push the appliance in and down.

Your VPN-1 Edge appliance is wall mounted. You can now connect it to your computer.

Securing the Appliance against Theft

While these parts may differ between devices, all looped security cables include a bolt with knobs, as shown in the diagram below:

Figure 6: Looped Security Cable Bolt

The bolt has two states, Open and Closed, and is used to connect the looped security cable to the appliance's security slot.

4. Insert the bolt into the VPN-1 Edge appliance's security slot, then slide the bolt to the Closed position until the bolt's holes are aligned.
5. Thread the anti-theft device's pin through the bolt's holes, and insert the pin into the main body of the anti-theft device, as described in the documentation that came with your device.
Network Installation

1. Verify that you have the correct cable type. For information, see Network Requirements.
2. Connect the LAN cable:
   • Connect one end of the Ethernet cable to one of the LAN ports at the back of the unit.
   ...

6. In wireless models, prepare the VPN-1 Edge appliance for a wireless connection:
   a. Connect the antennas that came with your VPN-1 Edge appliance to the ANT1 and ANT2 antenna connectors in the appliance's rear panel.
   b. ...

Setting Up the VPN-1 Edge Appliance

Logging on to the VPN-1 Edge Portal and setting up your password: see Initial Login to the VPN-1 Edge Portal on page 41
Configuring an Internet connection: see Using the Internet Wizard on page 56
Setting the Time on your VPN-1 Edge appliance: see Setting the Time on the Appliance on page 411
Setting up a wireless network (W only): ...

To access the Setup Wizard

1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears.
2. Click VPN-1 Edge Setup Wizard. The VPN-1 Edge Setup Wizard opens with the Welcome page displayed.
Chapter 3: Getting Started

This chapter contains all the information you need in order to get started using your VPN-1 Edge appliance. This chapter includes the following topics:

Initial Login to the VPN-1 Edge Portal ..... 41
Logging on to the VPN-1 Edge Portal ..... 44
Accessing the VPN-1 Edge Portal Remotely Using HTTPS ..... 46
Using the VPN-1 Edge Portal ..... 48
...

Initial Login to the VPN-1 Edge Portal

The initial login page appears.

2. Type a password both in the Password and the Confirm Password fields.

Note: The password must be five to 25 characters (letters or numbers).

Note: You can change your password at any time. For further information, see Changing Your Password.

The VPN-1 Edge Setup Wizard opens, with the Welcome page displayed.

4. Configure your Internet connection using one of the following ways:
   • Internet Wizard: The Internet Wizard is the first part of the Setup Wizard, and it takes you through basic Internet connection setup, step by step.

Logging on to the VPN-1 Edge Portal

Note: By default, HTTP and HTTPS access to the VPN-1 Edge Portal is not allowed from the WLAN, unless you do one of the following:
   • Configure a specific firewall rule to allow access from the WLAN.
   ...

The login page appears.

2. Type your username and password.
3. Click OK.

The Welcome page appears.

Accessing the VPN-1 Edge Portal Remotely Using HTTPS

You can access the VPN-1 Edge Portal remotely (from the Internet) through HTTPS. HTTPS is a protocol for accessing a secure Web server. It is used to transfer confidential user information.

Note: Your browser must support 128-bit cipher strength. To check your browser's cipher strength, open Internet Explorer and click Help > About Internet Explorer.

To access the VPN-1 Edge Portal from your internal network
   • ...

The Security Alert dialog box reappears.

h. Click Yes. The VPN-1 Edge Portal appears.

Using the VPN-1 Edge Portal

The VPN-1 Edge Portal is a Web-based management interface, which enables you to manage and configure the VPN-1 Edge appliance operation and options. The VPN-1 Edge Portal consists of three major elements.

Figure 8: VPN-1 Edge Portal Main Menu

The main menu includes the following submenus.

Table 6: Main Menu Submenus
This submenu…: Does this…
Welcome: Displays general welcome information.
Reports: Provides reporting capabilities in terms of event logging, traffic monitoring, active computers, and established connections.
Network: Allows you to manage and configure your network settings and Internet connections.
Setup: Provides a set of tools for managing your VPN-1 Edge appliance. Allows you to upgrade your license and firmware and to configure HTTPS access to your VPN-1 Edge appliance.

Table 7: Status Bar Fields
This field…: Displays this…
Internet: Your Internet connection status. The connection status may be one of the following:
   • Connected. The VPN-1 Edge appliance is connected to the Internet.
   • Connected – ...
Service Center: Displays your subscription services status. Your Service Center may offer various subscription services. These include the firewall service and optional services such as Web Filtering and Email Antivirus. Your subscription services status may be one of the following:
   • ...

Logging off

Logging off terminates your administration session. Any subsequent attempt to connect to the VPN-1 Edge Portal will require re-entering of the administration password.

To log off of the VPN-1 Edge Portal
   • Do one of the following:
      • ...
Chapter 4: Configuring the Internet Connection

This chapter describes how to configure and work with a VPN-1 Edge Internet connection. This chapter includes the following topics:

Overview ..... 55
Using the Internet Wizard ..... 56
Using Internet Setup ..... 65
Setting Up a Dialup Modem ..... 85
Viewing Internet Connection Information ..... 88
Enabling/Disabling the Internet Connection ..... 90
Using Quick Internet Connection/Disconnection ..... 92
...

• Enable Traffic Shaper for traffic flowing through the connection. For information on Traffic Shaper, see Using Traffic Shaper.
• Configure a dialup connection as a backup Internet connection. Before configuring the connection, you must first set up the modem. For information, see Setting Up a Dialup Modem on page 85.

Using the Internet Wizard

The Internet Wizard opens with the Welcome page displayed.

3. Click Next. The Internet Connection Method dialog box appears.
4. Select the Internet connection method you want to use for connecting to the Internet.

Note: If you selected PPTP or PPPoE dialer, do not use your dial-up software to connect to the Internet.

5. Click Next.

Using a Direct LAN Connection

No further settings are required for a direct LAN (Local Area Network) connection. The Confirmation screen appears.

1. Click Next. The system attempts to connect to the Internet via the selected connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
2. Click Finish.

Using a Cable Modem Connection

If you selected the Cable Modem connection method, the Identification dialog box appears.

1. If your ISP requires a specific hostname for authentication, type it in the Host Name field. The ISP will supply you with the proper hostname, if required. Most ISPs do not require a specific hostname.

The Confirmation screen appears.

4. Click Next. The system attempts to connect to the Internet. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
5. Click Finish.

Using a PPTP or PPPoE Dialer Connection

If you selected the PPTP or PPPoE dialer connection method, the DSL Connection Type dialog box appears.

Using PPPoE

If you selected the PPPoE connection method, the DSL Configuration dialog box appears.

1. Complete the fields using the information in the table below.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the DSL connection.

In this field…: Do this…
Password: Type your password.
Confirm password: Type your password again.
Service: Type your service name. This field can be left blank.

Using PPTP

If you selected the PPTP connection method, the DSL Configuration dialog box appears.

At the end of the connection process the Connected screen appears.

4. Click Finish.

Table 9: PPTP Connection Fields
In this field…: Do this…
Username: Type your user name.
Password: Type your password.
Confirm password: Type your password again.
Service: Type your service name.

Using Internet Setup

Internet Setup allows you to manually configure your Internet connection.

To configure the Internet connection using Internet Setup

1. Click Network in the main menu, and click the Internet tab.
2. Next to the desired Internet connection, click Edit.

The Internet Setup page appears.

3. From the Connection Type drop-down list, select the Internet connection type you are using/intend to use. The display changes according to the connection type you selected. The following steps should be performed in accordance with the connection type you have chosen.
1. Complete the fields using the relevant information in Internet Setup Fields on page 78. New fields appear, depending on the check boxes you selected.
2. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using a Cable Modem Connection

1. Complete the fields using the relevant information in Internet Setup Fields on page 78. New fields appear, depending on the check boxes you selected.
2. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using a PPPoE Connection

1. Complete the fields using the relevant information in Internet Setup Fields on page 78. New fields appear, depending on the check boxes you selected.
2. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using a PPTP Connection

1. Complete the fields using the relevant information in Internet Setup Fields on page 78. New fields appear, depending on the check boxes you selected.
2. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using a Telstra (BPA) Connection

Use this Internet connection type only if you are subscribed to Telstra® BigPond™ Internet. Telstra BigPond is a trademark of Telstra Corporation Limited.

1. ... New fields appear, depending on the check boxes you selected.
2. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using a Dialup Connection

To use this connection type, you must first set up the dialup modem. For information, see Setting Up a Dialup Modem on page 85.

1. Complete the fields using the relevant information in Internet Setup Fields on page 78. New fields appear, depending on the check boxes you selected.
2. Click Apply. The VPN-1 Edge appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using No Connection

If you do not have an Internet connection, set the connection type to None.
• Click Apply.

Table 10: Internet Setup Fields
In this field…: Do this…
Username: Type your user name.
Password: Type your password.
Confirm password: Type your password.
Page 95
Using Internet Setup In this field… Do this… Connect on Select this option if you do not want the dialup modem to be constantly demand connected to the Internet. The modem will dial a connection only under certain conditions. This option is useful when configuring a dialup backup connection. For information, see Setting Up a Dialup Backup Connection on page 93.
Page 96
Using Internet Setup In this field… Do this… Default Gateway Type the IP address of your ISP’s default gateway. Name Servers Obtain Domain Clear this option if you want the VPN-1 Edge appliance to obtain an IP Name Servers address automatically using DHCP, but not to automatically configure automatically DNS servers.
Page 97
Using Internet Setup In this field… Do this… Shape Select this option to enable Traffic Shaper for incoming traffic. Then type Downstream: Link a rate (in kilobits/second) slightly lower than your Internet connection's Rate maximum measured downstream speed in the field provided. It is recommended to try different rates in order to determine which one provides the best results.
Page 98
Using Internet Setup In this field… Do this… MAC Cloning A MAC address is a 12-digit identifier assigned to every network device. If your ISP restricts connections to specific, recognized MAC addresses, you must select this option to clone a MAC address. Note: When configuring MAC cloning for the secondary Internet connection, the DMZ/WAN2 port must be configured as WAN2;...
Using Internet Setup In this field… Do this… Probe Next Hop Select this option to automatically detect loss of connectivity to the default gateway. If you selected LAN, this is done by sending ARP requests to the default gateway. If you selected PPTP, PPPoE, or Dialup, this is done by sending PPP echo reply (LCP) messages to the PPP peer.
Using Internet Setup In this field… Do this… Connection Probing Method: While the Probe Next Hop option checks the availability of the next hop router, which is usually at your ISP, connectivity to the next hop router does not always indicate that the Internet is accessible. For example, if there is a problem with a different router at the ISP, the next hop will be reachable, but the Internet might be inaccessible.
Setting Up a Dialup Modem In this field… Do this… 1, 2, 3: If you chose the Ping Addresses connection probing method, type the IP addresses or DNS names of the desired servers. If you chose the Probe VPN Gateway (RDP) connection probing method, type the IP addresses or DNS names of the desired VPN gateways.
Setting Up a Dialup Modem The Ports page appears. 3. In the RS232 drop-down list, select Dialup. 4. Click Apply. 5. Next to the RS232 drop-down list, click Setup. Check Point VPN-1 Edge User Guide...
Setting Up a Dialup Modem The Dialup page appears. 6. Complete the fields using the information in the table below. 7. Click Apply. 8. To check that the values you entered are correct, click Test. The Dialup page displays a message indicating whether the test succeeded. 9.
Viewing Internet Connection Information In this field… Do this… Initialization String: Type the initialization string for the custom modem type. If you selected a standard modem type, this field is read-only. Dial Mode: Select the dial mode the modem uses. Port Speed: Select the modem's port speed (in bits per second).
Viewing Internet Connection Information The Internet page appears. For an explanation of the fields on this page, see the table below. 2. To refresh the information on this page, click Refresh. Chapter 4: Configuring the Internet Connection...
Enabling/Disabling the Internet Connection Table 12: Internet Page Fields Field Description Status Indicates the connection’s status. Duration Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where: hh=hours mm=minutes ss=seconds IP Address Your IP address. Enabled Indicates whether or not the connection is enabled.
Enabling/Disabling the Internet Connection To enable/disable an Internet connection 1. Click Network in the main menu, and click the Internet tab. The Internet page appears. 2. Next to the Internet connection, do one of the following: • To enable the connection, click The button changes to and the connection is enabled.
Using Quick Internet Connection/Disconnection Using Quick Internet Connection/Disconnection By clicking the Connect or Disconnect button (depending on the connection status) on the Internet page, you can establish a quick Internet connection using the currently-selected connection type. In the same manner, you can terminate the active connection.
Configuring a Backup Internet Connection 3. Configure two Internet connections. For instructions, see Using Internet Setup on page 65. Important: The two connections can be of different types. However, they cannot both be LAN DHCP connections. Using the VPN-1 Edge Appliance's DMZ/WAN2 Port To set up a LAN or broadband backup Internet connection 1.
Configuring a Backup Internet Connection 2. Configure a LAN or broadband primary Internet connection. For instructions, see Using Internet Setup on page 65. 3. Configure a Dialup secondary Internet connection. For instructions, see Using Internet Setup on page 65.
Configuring Network Settings Chapter 5 Managing Your Network This chapter describes how to manage and configure your network connection and settings. This chapter includes the following topics: Configuring Network Settings..............95 Configuring High Availability..............121 Using Static Routes ..................140 Managing Ports..................146 Configuring Network Settings Warning: These are advanced settings.
Configuring Network Settings Configuring a DHCP Server By default, the VPN-1 Edge appliance operates as a DHCP (Dynamic Host Configuration Protocol) server. This allows the VPN-1 Edge appliance to automatically configure all the devices on your network with their network configuration details.
Configuring Network Settings Enabling/Disabling the VPN-1 Edge DHCP Server You can enable and disable the VPN-1 Edge DHCP Server for internal networks. Note: Enabling and disabling the DHCP Server is not available for the OfficeMode network. To enable/disable the VPN-1 Edge DHCP server 1.
Configuring Network Settings The Edit Network Settings page appears. 3. From the DHCP Server list, select Enabled or Disabled. 4. Click Apply. A warning message appears. 5. Click OK. A success message appears. 6. If your computer is configured to obtain its IP address automatically (using DHCP), and either the VPN-1 Edge DHCP server or another DHCP server is enabled, restart your computer.
Configuring Network Settings Configuring the DHCP Address Range By default, the VPN-1 Edge DHCP server automatically sets the DHCP address range. The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for statically addressed computers.
Configuring Network Settings The DHCP IP range fields appear. b. In the DHCP IP range fields, type the desired DHCP range. 4. To allow the DHCP server to set the IP address range, select the Automatic DHCP range check box. 5.
Configuring Network Settings Configuring DHCP Relay You can configure DHCP relay for internal networks. Note: DHCP relay will not work if the appliance is located behind a NAT device. Note: Configuring DHCP options is not available for the OfficeMode network. To configure DHCP relay 1.
Configuring Network Settings The Automatic DHCP range check box is disabled, and the Relay to IP field appears. 4. In the Relay to IP field, type the IP address of the desired DHCP server. 5. Click Apply. A warning message appears. 6.
Configuring Network Settings Configuring DHCP Server Options If desired, you can configure the following custom DHCP options for an internal network: • Domain suffix • DNS servers • WINS servers • NTP servers • VoIP call managers • TFTP server and boot filename Note: Configuring DHCP options is not available for the DMZ or VLANs.
Configuring Network Settings The DHCP Server Options page appears. 4. Complete the fields using the relevant information in the table below.
Configuring Network Settings New fields appear, depending on the check boxes you selected. 5. Click Apply. 6. If your computer is configured to obtain its IP address automatically (using DHCP), restart your computer. Your computer obtains an IP address in the DHCP address range. Table 13: DHCP Server Options Fields In this field…...
Configuring Network Settings In this field… Do this… Name Servers / Automatically assign DNS server (recommended): Clear this option if you do not want the gateway to act as a DNS relay server and pass its own IP address to DHCP clients. Normally, it is recommended to leave this option selected.
Configuring Network Settings In this field… Do this… TFTP Server Trivial File Transfer Protocol (TFTP) enables booting diskless computers over the network. To assign a TFTP server to the DHCP clients, type the IP address of the TFTP server. TFTP Boot File Type the boot file to use for booting DHCP clients via TFTP.
Configuring Network Settings Note: The internal network range is defined both by the VPN-1 Edge appliance’s internal IP address and by the subnet mask. For example, if the VPN-1 Edge appliance’s internal IP address is 192.168.100.7, and you set the subnet mask to 255.255.255.0, the network’s IP address range will be 192.168.100.1 –...
Configuring Network Settings Note: If Hide NAT is disabled, you must obtain a range of Internet IP addresses from your ISP. Hide NAT is enabled by default. Note: Static NAT and Hide NAT can be used together. To enable/disable Hide NAT 1.
Configuring Network Settings If you have more than one computer in the DMZ network, connect a hub or switch to the DMZ port, and connect the DMZ computers to the hub. 2. Click Network in the main menu, and click the Ports tab. The Ports page appears.
Configuring Network Settings 8. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 108. 9. If desired, configure a DHCP server. See Configuring a DHCP Server on page 96. 10. In the IP Address field, type the IP address of the DMZ network's default gateway.
Configuring Network Settings connects and authenticates. The IP addresses are allocated from a pool called the OfficeMode network. Note: OfficeMode requires Check Point SecureClient to be installed on the VPN clients. It is not supported by Check Point SecuRemote. When OfficeMode is not supported by the VPN client, traditional mode will be used instead.
Configuring Network Settings A success message appears. Configuring VLANs Your VPN-1 Edge appliance allows you to partition your network into several virtual LAN networks (VLANs). A VLAN is a logical network behind the VPN-1 Edge appliance. Computers in the same VLAN behave as if they were on the same physical network: traffic flows freely between them, without passing through a firewall.
Configuring Network Settings The VPN-1 Edge appliance supports the following VLAN types: • Tag-based In a tag-based VLAN you use one of the gateway’s ports as an 802.1Q VLAN trunk, connecting the appliance to a VLAN-aware switch. Each VLAN behind the trunk is assigned an identifying number called a “VLAN ID”, also referred to as a "VLAN tag".
Configuring Network Settings • Port-based Port-based VLAN allows assigning the appliance's LAN ports to VLANs, effectively transforming the appliance's four-port switch into up to four firewall-isolated security zones. You can assign multiple ports to the same VLAN, or each port to a separate VLAN. Figure 10: Port-based VLAN Port-based VLAN does not require an external VLAN-capable switch, and is therefore simpler to use than tag-based VLAN.
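The "VLAN tag" that a tag-based VLAN relies on is a four-byte 802.1Q header inserted after the source MAC address of each Ethernet frame crossing the trunk. The following parser, an added example that is not part of the guide or of Check Point's code, shows what the appliance and the VLAN-aware switch actually exchange: the TPID 0x8100 announces the tag, and the 16-bit TCI carries a 3-bit priority and the 12-bit VLAN ID. The sample frames, the `native_vlan` notion and the helper names are constructed for illustration; the tag layout itself is the standard one.

```python
import struct

# Constructed sample frame (not from the guide): dst MAC, src MAC, an 802.1Q tag
# (TPID 0x8100, then TCI with PCP=5, DEI=0, VID=10), the IPv4 EtherType, and a
# dummy payload.
TAGGED_FRAME = bytes.fromhex(
    "001122334455"      # destination MAC (constructed)
    "66778899aabb"      # source MAC (constructed)
    "8100"              # TPID: an 802.1Q tag follows
    "a00a"              # TCI: PCP=5 (binary 101), DEI=0, VID=10 (0x00a)
    "0800"              # inner EtherType: IPv4
    "deadbeef"          # truncated payload (constructed)
)
UNTAGGED_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800" "deadbeef")

TPID_8021Q = 0x8100


def parse_ethernet(frame: bytes) -> dict:
    """Parse the Ethernet header and, if present, one 802.1Q tag.

    Returns the MAC addresses, the VLAN ID (None for an untagged frame), the
    802.1p priority, the inner EtherType and the payload.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13            # 3-bit priority code point
        vid = tci & 0x0FFF         # 12-bit VLAN identifier
        offset = 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vlan_id": vid, "priority": pcp,
        "ethertype": ethertype, "payload": frame[offset:],
    }


def vlan_of(frame: bytes, native_vlan: int) -> int:
    """Which VLAN a frame arriving on the trunk belongs to (hypothetical helper).

    Tagged frames belong to the VLAN named in the tag; untagged frames fall into
    the trunk's native VLAN. VID 0 only carries a priority and VID 4095 is
    reserved, so neither is accepted as a real VLAN.
    """
    vid = parse_ethernet(frame)["vlan_id"]
    if vid is None:
        return native_vlan
    if vid in (0, 4095):
        raise ValueError(f"reserved VLAN ID {vid}")
    return vid
```

The `native_vlan` branch is the point to watch when wiring the DMZ/WAN2 port as a trunk: untagged frames are not "no VLAN", they land in whatever the switch treats as native, so the switch and the appliance must agree on that value or isolation between security zones is weaker than the configuration suggests.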
Configuring Network Settings Adding and Editing Port-Based VLANs To add or edit a port-based VLAN 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. Do one of the following: • To add a VLAN site, click Add VLAN. •...
Configuring Network Settings 5. In the IP Address field, type the IP address of the VLAN network's default gateway. Note: The VLAN network must not overlap other networks. 6. In the Subnet Mask field, type the VLAN's internal network range. 7.
Configuring Network Settings Adding and Editing Tag-Based VLANs To add or edit a tag-based VLAN 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. Do one of the following: • To add a VLAN site, click Add VLAN. •...
Configuring Network Settings 10. Click Apply. A warning message appears. 11. Click OK. A success message appears. 12. Click Network in the main menu, and click the Ports tab. The Ports page appears. 13. In the DMZ/WAN2 drop-down list, select VLAN Trunk. 14.
Configuring Network Settings Deleting VLANs To delete a VLAN 1. If the VLAN is port-based, do the following: a. Click Network in the main menu, and click the Ports tab. The Ports page appears. b. Remove all port assignments to the VLAN, by selecting other networks in the drop-down lists.
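Two requirements above are easy to get wrong by hand: the internal network range is determined by the appliance's internal IP address together with the subnet mask (the 192.168.100.7 / 255.255.255.0 example in the note under Configuring Network Settings), and a VLAN network, like a manually typed DHCP range, must not overlap the other networks. The following checks, added here as an example and not taken from the guide or from Check Point, compute the range the way the note describes and flag overlaps before a configuration is applied. The network names and addresses are constructed sample input; the function names are hypothetical.

```python
import ipaddress


def network_range(gateway_ip: str, subnet_mask: str):
    """Return (network, first_host, last_host) for an internal interface.

    As the guide's note states, the range follows from the interface address and
    the subnet mask: 192.168.100.7 with 255.255.255.0 gives 192.168.100.0/24.
    """
    iface = ipaddress.IPv4Interface(f"{gateway_ip}/{subnet_mask}")
    hosts = list(iface.network.hosts())
    return iface.network, hosts[0], hosts[-1]


def check_dhcp_range(gateway_ip, subnet_mask, range_start, range_end):
    """Validate a manually typed DHCP IP range (the Automatic DHCP range box
    cleared). It must lie inside the interface's network and must not contain
    the gateway's own address. Returns a list of problems; empty means OK."""
    net, first, last = network_range(gateway_ip, subnet_mask)
    start = ipaddress.IPv4Address(range_start)
    end = ipaddress.IPv4Address(range_end)
    gateway = ipaddress.IPv4Address(gateway_ip)
    problems = []
    if start > end:
        problems.append("range start is after range end")
    if start < first or end > last:
        problems.append(f"range is not inside {net} ({first}-{last})")
    if start <= gateway <= end:
        problems.append(f"range includes the gateway address {gateway}")
    return problems


def find_overlaps(networks: dict):
    """Return the pairs of named networks whose address ranges overlap.

    networks maps a name (LAN, DMZ, a VLAN, the WLAN) to (gateway_ip, mask).
    The guide requires VLAN and WLAN networks not to overlap other networks.
    """
    parsed = {name: ipaddress.IPv4Interface(f"{ip}/{mask}").network
              for name, (ip, mask) in networks.items()}
    names = list(parsed)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if parsed[a].overlaps(parsed[b])]


if __name__ == "__main__":
    # Constructed sample: a VLAN carved out of the LAN's range by mistake.
    print(network_range("192.168.100.7", "255.255.255.0"))
    print(find_overlaps({
        "LAN": ("192.168.10.1", "255.255.255.0"),
        "DMZ": ("192.168.20.1", "255.255.255.0"),
        "VLAN10": ("192.168.10.129", "255.255.255.128"),
    }))
```

Overlap matters for more than routing: a VLAN that overlaps the LAN range lets hosts in the "isolated" zone receive traffic meant for the LAN, which defeats the firewall separation the VLAN was created for.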
Configuring High Availability Configuring High Availability You can create a High Availability (HA) cluster consisting of two or more VPN-1 Edge appliances. For example, you can install two VPN-1 Edge appliances on your network, one acting as the “Master”, the default gateway through which all network traffic is routed, and one acting as the “Backup”.
Configuring High Availability priority by a user-specified amount, if its Internet connection goes down. If the Active Gateway's priority drops below another gateway's priority, then the other gateway becomes the Active Gateway. Note: You can force a fail-over to a passive VPN-1 Edge appliance. You may want to do this in order to verify that HA is working properly, or if the active VPN-1 Edge appliance needs repairs.
Configuring High Availability • You must have at least two identical VPN-1 Edge appliances. • The appliances must have identical firmware versions and firewall rules. • The appliances' internal networks must be the same. • The appliances must have different real internal IP addresses, but share the same virtual IP address.
Configuring High Availability 3. Select the Gateway High Availability check box. The fields are enabled. 4. Next to each network for which you want to enable HA, select the HA check box. 5. In the Virtual IP field, type the default gateway IP address. This can be any unused IP address in the network, and must be the same for all gateways.
Configuring High Availability Note: The synchronization interface must be the same for all gateways, and must always be connected and enabled on all gateways. Otherwise, multiple appliances may become active, causing unpredictable problems. 7. Complete the fields using the information in the table below. 8.
Configuring High Availability In this field… Do this… Internet - Secondary Type the amount to reduce the gateway's priority if the secondary Internet connection goes down. This must be an integer between 0 and 255. Note: This value is only relevant if you configured a backup connection.
Configuring High Availability Sample Implementation on Two Gateways The following procedure illustrates how to configure HA for the following two VPN-1 Edge gateways, Gateway A and Gateway B: Table 15: Gateway Details Gateway A Gateway B Internal Networks LAN, DMZ LAN, DMZ Internet Connections Primary and secondary...
Configuring High Availability 2. Connect the DMZ port of Gateways A and B to hub 2. 3. Connect the LAN network computers of Gateways A and B to hub 1. 4. Connect the DMZ network computers of Gateways A and B to hub 2. 5.
Configuring High Availability Gateway A will reduce its priority by 30, if its secondary Internet connection goes down. l. Click Apply. A success message appears. 6. Do the following on Gateway B: a. Set the gateway's internal IP addresses and network range to the values specified in the table above.
Configuring High Availability Gateway A's priority is 100, and Gateway B's priority is 60. So long as one of Gateway A's Internet connections is up, Gateway A is the Active Gateway, because its priority is higher than that of Gateway B. If both of Gateway A's Internet connections are down, it deducts from its priority 20 (for the primary connection) and 30 (for the secondary connection), reducing its priority to 50.
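The priority arithmetic in the sample implementation is simple enough to model, and doing so makes the two failure modes the chapter mentions concrete: the intended fail-over (Gateway A drops to 50 and Gateway B, at 60, takes over) and the unintended one in the note about the synchronization interface, where gateways that cannot see each other each elect themselves. The model below is an added example, not code from the guide or from Check Point; the class and function names are hypothetical, the 0-255 check on the reductions comes from the field table, and the tie-break by name is an assumption the guide does not state.

```python
from dataclasses import dataclass


@dataclass
class HAGateway:
    name: str
    priority: int                # base priority set on the High Availability page
    primary_penalty: int = 0     # "Internet - Primary": reduction if the primary link fails
    secondary_penalty: int = 0   # "Internet - Secondary": reduction if the secondary link fails
    primary_up: bool = True
    secondary_up: bool = True
    forced_down: bool = False    # manual fail-over: take this gateway out of the election

    def __post_init__(self):
        # The field table requires each reduction to be an integer between 0 and 255.
        for value in (self.primary_penalty, self.secondary_penalty):
            if not 0 <= value <= 255:
                raise ValueError("priority reduction must be an integer between 0 and 255")

    def effective_priority(self) -> int:
        """Base priority minus the reduction for every Internet connection that is down."""
        p = self.priority
        if not self.primary_up:
            p -= self.primary_penalty
        if not self.secondary_up:
            p -= self.secondary_penalty
        return max(p, 0)


def active_gateway(gateways) -> str:
    """Name of the Active Gateway: the eligible gateway with the highest effective
    priority. Equal priorities are resolved by name (an assumption)."""
    candidates = [g for g in gateways if not g.forced_down]
    if not candidates:
        raise RuntimeError("no eligible gateway")
    return sorted(candidates, key=lambda g: (-g.effective_priority(), g.name))[0].name


def active_set(gateways, sync_partitions):
    """Simulate a broken synchronization interface: every partition of gateways that
    can still see each other runs its own election, so more than one appliance
    becomes active, the situation the guide's note warns about."""
    return sorted(active_gateway([g for g in gateways if g.name in part])
                  for part in sync_partitions)


if __name__ == "__main__":
    # The guide's sample: A has priority 100 with reductions 20/30, B has priority 60.
    a = HAGateway("A", 100, primary_penalty=20, secondary_penalty=30)
    b = HAGateway("B", 60)
    print(active_gateway([a, b]))                # A
    a.primary_up = a.secondary_up = False
    print(a.effective_priority(), active_gateway([a, b]))   # 50 B
    print(active_set([a, b], [{"A"}, {"B"}]))    # both believe they are active
```

Note that with only the primary connection down Gateway A stays at 80 and remains active; the reductions are designed so that B only takes over once A has lost both paths to the Internet, which is why the two values must be chosen together rather than independently.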
Configuring High Availability Note: The VPN-1 Edge appliance supports Proxy ARP (Address Resolution Protocol). When an external source attempts to communicate with such a computer, the VPN-1 Edge appliance automatically replies to ARP queries with its own MAC address, thereby enabling communication. As a result, the Static NAT Internet IP addresses appear to external sources to be real computers connected to the WAN interface.
Configuring High Availability To add or edit a network object via the Network Objects page 1. Click Network in the main menu, and click the Network Objects tab. The Network Objects page appears with a list of network objects. 2. Do one of the following: •...
Configuring High Availability The VPN-1 Edge Network Object Wizard opens, with the Step 1: Network Object Type dialog box displayed. 3. Do one of the following: • To specify that the network object should represent a single computer or device, click Single Computer. •...
Configuring High Availability The Step 2: Computer Details dialog box appears. If you chose Single Computer, the dialog box includes the Perform Static NAT option. If you chose Network, the dialog box does not include this option. 5. Complete the fields using the information in the tables below. 6.
Configuring High Availability The Step 3: Save dialog box appears. 7. Type a name for the network object in the field. 8. Click Finish. To add or edit a network object via the Active Computers page 1. Click Reports in the main menu, and click the Active Computers tab. Chapter 5: Managing Your Network...
Configuring High Availability The Active Computers page appears. If a computer has not yet been added as a network object, the Add button appears next to it. If a computer has already been added as a network object, the Edit button appears next to it. 2.
Configuring High Availability • To specify that the network object should represent a network, click Network. 4. Click Next. The Step 2: Computer Details dialog box appears. The computer's IP address and MAC address are automatically filled in. 5. Complete the fields using the information in the tables below. 6.
Configuring High Availability Table 16: Network Object Fields for a Single Computer In this field… Do this… IP Address: Type the IP address of the local computer, or click This Computer to specify your computer. Reserve a fixed IP address for this computer: Select this option to assign the network object's IP address to a MAC address, and to allow the network object to connect to the WLAN...
Configuring High Availability Table 17: Network Object Fields for a Network In this field… Do this… IP Range: Type the range of local computer IP addresses in the network. Perform Static NAT (Network Address Translation): Select this option to map the network's IP address range to a range of Internet IP addresses of the same size.
Using Static Routes Using Static Routes A static route is a setting that explicitly specifies the route for packets originating in a certain subnet and/or destined for a certain subnet. Packets whose source and destination do not match any defined static route will be routed to the default gateway.
Using Static Routes The Static Routes page appears, with a list of existing static routes. 2. Do one of the following: • To add a static route, click New Route. • To edit an existing static route, click Edit next to the desired route in the list.
Using Static Routes The Static Route Wizard opens displaying the Step 1: Source and Destination dialog box. 3. To select a specific source network (source routing), do the following: a) In the Source drop-down list, select Specified Network. New fields appear. b) In the Network field, type the IP address of the source network.
Using Static Routes c) In the Netmask drop-down list, select the subnet mask. 4. To select a specific destination network, do the following: a) In the Destination drop-down list, select Specified Network. New fields appear. b) In the Network field, type the IP address of the destination network. c) In the Netmask drop-down list, select the subnet mask.
Using Static Routes The Step 2: Next Hop and Metric dialog box appears. 6. In the Next Hop IP field, type the IP address of the gateway (next hop router) to which to route the packets destined for this network. 7.
Using Static Routes The new static route is saved. Viewing and Deleting Static Routes Note: The “default” route cannot be deleted. To delete a static route 1. Click Network in the main menu, and click the Routes tab. The Static Routes page appears, with a list of existing static routes. 2.
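The wizard collects four things per route: an optional source network, an optional destination network, the next hop IP and a metric, with unmatched packets going to the default gateway. The routing table below, an added example that is not from the guide or from Check Point, shows how those fields combine at lookup time. The guide does not state how it orders competing routes; the order used here (longest destination prefix first, then a specified source over "Any", then the lowest metric) is the usual routing convention and is an assumption, as are the class names and the constructed sample addresses.

```python
import ipaddress


class StaticRoute:
    def __init__(self, source, destination, next_hop, metric):
        # None stands for "Any" in the wizard's Source / Destination drop-down lists.
        self.source = ipaddress.IPv4Network(source) if source else None
        self.destination = ipaddress.IPv4Network(destination) if destination else None
        self.next_hop = ipaddress.IPv4Address(next_hop)
        self.metric = metric

    def matches(self, src, dst) -> bool:
        """A route applies when both its source and destination constraints hold."""
        return ((self.source is None or src in self.source) and
                (self.destination is None or dst in self.destination))


class RoutingTable:
    def __init__(self, default_gateway):
        # The "default" route cannot be deleted; it is the fallback for everything.
        self.default_gateway = ipaddress.IPv4Address(default_gateway)
        self.routes = []

    def add(self, route: StaticRoute):
        self.routes.append(route)

    def lookup(self, src_ip, dst_ip) -> ipaddress.IPv4Address:
        """Next hop for a packet: the best matching static route, else the default gateway."""
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        candidates = [r for r in self.routes if r.matches(src, dst)]
        if not candidates:
            return self.default_gateway
        # Assumed preference order: most specific destination, then a specified
        # source beats "Any", then the lowest metric.
        best = min(candidates, key=lambda r: (
            -(r.destination.prefixlen if r.destination else -1),
            -(r.source.prefixlen if r.source else -1),
            r.metric))
        return best.next_hop


if __name__ == "__main__":
    # Constructed sample table (documentation addresses, not a real deployment).
    table = RoutingTable("10.0.0.1")
    table.add(StaticRoute(None, "192.168.50.0/24", "10.0.0.2", 10))
    table.add(StaticRoute(None, "192.168.50.0/25", "10.0.0.3", 10))
    table.add(StaticRoute("192.168.10.0/24", "192.168.50.0/24", "10.0.0.4", 5))
    print(table.lookup("192.168.20.5", "192.168.50.200"))   # 10.0.0.2
    print(table.lookup("192.168.10.7", "192.168.50.200"))   # 10.0.0.4 (source routing)
    print(table.lookup("192.168.10.7", "203.0.113.9"))      # 10.0.0.1 (default)
```

Source-based routes deserve a second look from a security standpoint: a route keyed on a source subnet sends that subnet's traffic to a different next hop than everyone else's, so a wrong source network silently moves traffic around the firewall path the rest of the network uses.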
Managing Ports Managing Ports The VPN-1 Edge appliance enables you to quickly and easily assign its ports to different uses, as shown in the table below. Furthermore, you can restrict each port to a specific link speed and duplex setting. Table 18: Ports and Assignments You can assign this port...
Managing Ports Viewing Port Statuses You can view the status of the VPN-1 Edge appliance's ports on the Ports page, including each Ethernet connection's duplex state. This is useful if you need to check whether the appliance's physical connections are working, and you can’t see the LEDs on the front of the appliance.
Managing Ports The following information is displayed for each enabled port: • Assign To. The port's current assignment. For example, if the DMZ/WAN2 port is currently used for the DMZ, the drop-down list displays "DMZ". • Link Configuration. The link speed (10 Mbps or 100 Mbps) and duplex (Full Duplex or Half Duplex) configured for the port.
Managing Ports To assign a port to... / See...: VLAN or VLAN Trunk: Configuring VLANs on page 113. WAN2: Setting Up a LAN or Broadband Backup Connection on page 92. DMZ: Configuring a DMZ Network. Console: Using a Console on page 402. Modem: Setting Up a Dialup Modem on page 85. To modify a port assignment...
Managing Ports Modifying Link Configurations By default, the VPN-1 Edge appliance automatically detects the link speed and duplex. If desired, you can manually restrict the VPN-1 Edge appliance's ports to a specific link speed and duplex. Note: In the VPN-1 Edge model SBX-166LHG-2, restricting the link speed and duplex is available for the WAN and DMZ ports, and not for LAN ports 1-4.
Managing Ports Table 20: Default Port Assignments Port Default Assignment DMZ / WAN2 This port is always assigned to the WAN. RS232 Modem To reset ports to defaults 1. Click Network in the main menu, and click the Ports tab. The Ports page appears.
Overview Chapter 6 Using Traffic Shaper This chapter describes how to use Traffic Shaper to control the flow of communication to and from your network. This chapter includes the following topics: Overview ....................153 Setting Up Traffic Shaper.................154 Predefined QoS Classes................155 Adding and Editing Classes..............156 Deleting Classes ..................161 Restoring Traffic Shaper Defaults ............162...
Setting Up Traffic Shaper competing, the Web connection will receive 75% (30/40) of the leftover bandwidth, and the FTP connection will receive 25% (10/40) of the leftover bandwidth. If the Web connection closes, the FTP connection will receive 100% of the bandwidth.
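The 75% / 25% split above is the weights of the competing classes divided by their sum, applied to whatever bandwidth is left after guarantees. The allocator below, added here as an example and not code from the guide or from Check Point, carries that rule through the cases the chapter touches on: a class that is alone takes everything, a guaranteed rate is served before weights are applied, and a class that reaches its limit hands its unused share back to the others. The per-class `guarantee` and `limit` parameters and the function names are assumptions; the weight semantics are the ones the passage describes, and the 1000 kbps link is a constructed figure.

```python
def allocate(link_kbps, classes):
    """Share a link among QoS classes that currently carry connections.

    classes: {name: {"weight": int, "guarantee": kbps, "limit": kbps}}; guarantee
    and limit are optional. Each class first receives its guaranteed rate; what is
    left over is split in proportion to the weights, and a class that hits its
    limit returns the remainder of its share for redistribution. Returns {name: kbps}.
    """
    alloc = {name: float(min(c.get("guarantee", 0), c.get("limit", link_kbps)))
             for name, c in classes.items()}
    leftover = link_kbps - sum(alloc.values())
    if leftover < 0:
        raise ValueError("guaranteed rates exceed the link rate")
    open_classes = set(classes)            # classes that can still accept bandwidth
    while leftover > 1e-9 and open_classes:
        total_weight = sum(classes[n]["weight"] for n in open_classes)
        if total_weight == 0:
            break
        saturated = set()
        handed_out = 0.0
        for name in open_classes:
            share = leftover * classes[name]["weight"] / total_weight
            room = classes[name].get("limit", link_kbps) - alloc[name]
            take = min(share, room)
            alloc[name] += take
            handed_out += take
            if take < share:
                saturated.add(name)        # at its limit; the rest goes around again
        leftover -= handed_out
        open_classes -= saturated
        if not saturated:
            break                          # everything was distributed this round
    return alloc


def share_of_leftover(classes):
    """The guide's arithmetic by itself: with weights 30 (Web) and 10 (FTP) competing,
    Web gets 30/40 = 75% and FTP 10/40 = 25% of the leftover bandwidth."""
    total = sum(c["weight"] for c in classes.values())
    return {name: c["weight"] / total for name, c in classes.items()}


if __name__ == "__main__":
    # Constructed 1000 kbps link with the guide's two classes.
    print(allocate(1000, {"web": {"weight": 30}, "ftp": {"weight": 10}}))   # 750 / 250
    print(allocate(1000, {"ftp": {"weight": 10}}))                          # 1000
    print(allocate(1000, {"web": {"weight": 30, "limit": 500}, "ftp": {"weight": 10}}))
```

The redistribution loop is what makes a `limit` safe to set: without it, capping the Web class would leave bandwidth idle instead of giving it to FTP, which is the opposite of what the weights are meant to express.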
Predefined QoS Classes 2. Define QoS classes that reflect your communication needs. Alternatively, use the four built-in QoS classes. See Adding and Editing a Class on page 156. 3. Use Allow or Allow and Forward rules to assign different types of connections to QoS classes.
Adding and Editing Classes Class / Weight / Delay Sensitivity / Useful for: Urgent (Interactive Traffic): delay sensitivity High; useful for traffic that is highly sensitive to delay, for example IP telephony, videoconferencing, and interactive protocols that require quick user response, such as telnet. Important (Normal Traffic): delay sensitivity Medium; useful for normal traffic. Low Priority: useful for traffic that is not sensitive to long delays.
Adding and Editing Classes The Quality of Service Classes page appears. 2. Click Add. The VPN-1 Edge QoS Class Editor wizard opens, with the Step 1 of 3: Quality of Service Parameters dialog box displayed. 3. Complete the fields using the relevant information in the table below. Chapter 6: Using Traffic Shaper...
Adding and Editing Classes 4. Click Next. The Step 2 of 3: Advanced Options dialog box appears. 5. Complete the fields using the relevant information in the table below. Note: Traffic Shaper may not enforce guaranteed rates and relative weights for incoming traffic as accurately as for outgoing traffic.
Adding and Editing Classes The Step 3 of 3: Save dialog box appears with a summary of the class. 7. Type a name for the class. For example, if you are creating a class for high priority Web connections, you can name the class "High Priority Web".
Adding and Editing Classes In this field… Do this… Delay Sensitivity Select the degree of precedence to give this class in the transmission queue: • Low (Bulk Traffic) - Traffic that is not sensitive to long delays. For example, SMTP traffic (outgoing email). •...
Deleting Classes In this field… Do this… DiffServ Code Point: Select this option to mark packets belonging to this class with a DiffServ Code Point (DSCP), which is an integer between 0 and 63. Then type the DSCP in the field provided. The marked packets will be given priority on the public network according to their DSCP.
Restoring Traffic Shaper Defaults Restoring Traffic Shaper Defaults If desired, you can reset the Traffic Shaper bandwidth policy to use the four predefined classes, and restore these classes to their default settings. For information on these classes and their defaults, see Predefined QoS Classes on page 155.
Overview Chapter 7 Configuring a Wireless Network This chapter describes how to set up a wireless internal network. This chapter includes the following topics: Overview ....................163 About the Wireless Hardware in Your VPN-1 Edge W series Appliance 164 Wireless Security Protocols..............165 Manually Configuring a WLAN...............167 Using the Wireless Configuration Wizard..........178 Preparing the Wireless Stations..............184...
About the Wireless Hardware in Your VPN-1 Edge W series Appliance About the Wireless Hardware in Your VPN-1 Edge W series Appliance Your VPN-1 Edge W series appliance features a built-in 802.11b/g access point that is tightly integrated with the firewall and hardware-accelerated VPN. VPN-1 Edge W supports the latest 802.11g standard (up to 54Mbps) and is backwards compatible with the older 802.11b standard (up to 11Mbps), so that both new and old adapters of these standards are interoperable.
Wireless Security Protocols Wireless Security Protocols The VPN-1 Edge wireless security appliance supports the following security protocols: Table 23: Wireless Security Protocols Security Description Protocol None No security method is used. This option is not recommended, because it allows unauthorized users to access your WLAN network, although you can still limit access from the WLAN by creating firewall rules.
Wireless Security Protocols Security Protocol / Description: WPA: RADIUS authentication, encryption: The WPA (Wi-Fi Protected Access) security method uses MIC (message integrity check) to ensure the integrity of messages, and TKIP (Temporal Key Integrity Protocol) to enhance data encryption. Furthermore, WPA includes 802.1x and EAP authentication, based on a central RADIUS authentication server.
Manually Configuring a WLAN Note: For increased security, it is recommended to enable the VPN-1 Edge internal VPN Server for users connecting from your internal networks, and to install SecuRemote on each computer in the WLAN. This ensures that all connections from the WLAN to the LAN are encrypted and authenticated.
Manually Configuring a WLAN The Edit Network Settings page appears. 5. In the Mode drop-down list, select Enabled. The fields are enabled. 6. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 108. 7. If desired, configure a DHCP server. See Configuring a DHCP Server on page 96.
Manually Configuring a WLAN 8. Complete the fields using the information in Basic WLAN Settings Fields on page 170. 9. To configure advanced settings, click Show Advanced Settings and complete the fields using the information in Advanced WLAN Settings Fields on page 174. New fields appear.
Manually Configuring a WLAN 11. Click OK. A success message appears. 12. Prepare the wireless stations. See Preparing the Wireless Stations on page 184. Table 24: WLAN Settings Fields In this field… Do this… IP Address Type the IP address of the WLAN network's default gateway. Note: The WLAN network must not overlap other networks.
Manually Configuring a WLAN In this field… Do this… Operation Mode Select an operation mode: • 802.11b (11Mbps). Operates in the 2.4 GHz range and offers a maximum theoretical rate of 11 Mbps. When using this mode, only 802.11b stations will be able to connect. •...
Manually Configuring a WLAN In this field… Do this… Channel Select the radio frequency to use for the wireless connection: • Automatic. The VPN-1 Edge appliance automatically selects a channel. This is the default. • A specific channel. The list of channels is dependent on the selected country and operation mode.
Manually Configuring a WLAN In this field… Do this… Require WPA2 (802.11i): Specify whether you want to require wireless stations to connect using WPA2, by selecting one of the following: • Enable. Only wireless stations using WPA2 can access the WLAN network.
Manually Configuring a WLAN In this field… Do this… Key 1, 2, 3, 4 text: Type the WEP key, or click Random to randomly generate a key matching the selected length. The key is composed of hexadecimal characters 0-9 and A-F, and is not case-sensitive. Table 25: Advanced WLAN Settings Fields In this field…...
Manually Configuring a WLAN In this field… Do this… MAC Address Filtering: Specify whether you want to enable MAC address filtering, by selecting one of the following: • Yes. Enable MAC address filtering. Only MAC addresses that you added as network objects can connect to your network.
Manually Configuring a WLAN In this field… Do this… Antenna Selection Multipath distortion is caused by the reflection of Radio Frequency (RF) signals traveling from the transmitter to the receiver along more than one path. Signals that were reflected by some surface reach the receiver after non-reflected signals and distort them.
Manually Configuring a WLAN In this field… Do this… RTS Threshold Type the smallest IP packet size for which a station must send an RTS (Request To Send) before sending the IP packet. If multiple wireless stations are in range of the access point, but not in range of each other, they might send data to the access point simultaneously, thereby causing data collisions and failures.
Using the Wireless Configuration Wizard Using the Wireless Configuration Wizard The Wireless Configuration Wizard provides a quick and simple way of setting up your basic WLAN parameters for the first time. To configure a WLAN using the Wireless Configuration Wizard 1.
Using the Wireless Configuration Wizard The fields are enabled. 6. Complete the fields using the information in Basic WLAN Settings Fields on page 170. 7. Click Next. 8. The Wireless Security dialog box appears. 9. Do one of the following: •...
Using the Wireless Configuration Wizard • Click No Security to use no security to create a public, unsecured access point. Note: You cannot configure WPA and 802.1x using this wizard. For information on configuring these modes, see Manually Configuring a WLAN on page 167. 10.
Using the Wireless Configuration Wizard The Wireless Security Confirmation dialog box appears. 3. Click Next. 4. The Wireless Security Complete dialog box appears. 5. Click Finish. The wizard closes. 6. Prepare the wireless stations. See Preparing the Wireless Stations on page 184. Chapter 7: Configuring a Wireless Network...
Using the Wireless Configuration Wizard If you chose WEP, the Wireless Configuration-WEP dialog box appears. Do the following: 1. Choose a WEP key length. The possible key lengths are: • 64 Bits - The key length is 10 hexadecimal characters. •...
Using the Wireless Configuration Wizard The Wireless Security Confirmation dialog box appears. 4. Click Next. The Wireless Security Complete dialog box appears. 5. Click Finish. The wizard closes. 6. Prepare the wireless stations. See Preparing the Wireless Stations on page 184. No Security The Wireless Security Complete dialog box appears.
Preparing the Wireless Stations Preparing the Wireless Stations After you have configured a WLAN, the wireless stations must be prepared for connection to the WLAN. To prepare the wireless stations 1. If you selected the WEP security mode, give the WEP key to the wireless stations' administrators.
Troubleshooting Wireless Connectivity I cannot connect to the WLAN from a wireless station. What should I do? • Check that the SSID configured on the station matches the VPN-1 Edge appliance's SSID. The SSID is case-sensitive. • Check that the encryption settings configured on the station (encryption mode and keys) match the VPN-1 Edge appliance's encryption settings.
Troubleshooting Wireless Connectivity • Check the Transmission Power parameter in the WLAN's advanced settings (see Manually Configuring a WLAN on page 167). • Make sure that you are not using two access points in close proximity and on the same frequency. For minimum interference, channel separation between nearby access points must be at least 25 MHz (5 channels).
In addition, try setting the Fragmentation Threshold parameter in the WLAN's advanced settings (see Manually Configuring a WLAN on page 167) to a lower value. This causes stations to fragment IP packets above a certain size into smaller packets, thereby reducing the likelihood of collisions and increasing network speed.
Viewing the Event Log Chapter 8 Viewing Reports This chapter describes the VPN-1 Edge Portal reports. This chapter includes the following topics: Viewing the Event Log................189 Using the Traffic Monitor ................193 Viewing Computers..................196 Viewing Connections ................199 Viewing Wireless Statistics ..............200 Viewing the Event Log You can track network activity using the Event Log.
An event marked in this color… Indicates… Green: Traffic accepted by the firewall. By default, accepted traffic is not logged. However, such traffic may be logged if specified by a security policy downloaded from your Service Center, or if specified in user-defined rules.
Viewing the Event Log To view the event log 1. Click Reports in the main menu, and click the Event Log tab. The Event Log page appears. 2. If an event is highlighted in red, indicating a blocked attack on your network, you can display the attacker’s details, by clicking on the IP address of the attacking machine.
Viewing the Event Log a. Click Save. A standard File Download dialog box appears. b. Click Save. The Save As dialog box appears. c. Browse to a destination directory of your choice. d. Type a name for the configuration file and click Save. The *.xls file is created and saved to the specified directory.
Using the Traffic Monitor You can view incoming and outgoing traffic for selected network interfaces and QoS classes using the Traffic Monitor. This enables you to identify network traffic trends and anomalies, and to fine-tune Traffic Shaper QoS class assignments. The Traffic Monitor displays separate bar charts for incoming traffic and outgoing traffic, and displays traffic rates in kilobits/second.
Using the Traffic Monitor The Traffic Monitor page appears. 2. In the Traffic Monitor Report drop-down list, select the network interface for which you want to view a report. The list includes all currently enabled networks. For example, if the DMZ network is enabled, it will appear in the list.
Using the Traffic Monitor Exporting General Traffic Reports You can export a general traffic report that includes information for all enabled networks and all defined QoS classes to a *.csv (Comma Separated Values) file. You can open and view the file in Microsoft Excel. To export a general traffic report 1.
Viewing Computers The Traffic Monitor Settings page appears. 3. In the Sample monitoring data every field, type the interval (in seconds) at which the VPN-1 Edge appliance should collect traffic data. The default value is one sample every 1800 seconds (30 minutes). 4.
Viewing Computers The Active Computers page appears. If you configured High Availability, both the master and backup appliances are shown. If you configured OfficeMode, the OfficeMode network is shown. If you are using VPN-1 Edge W, the wireless stations are shown. For information on viewing statistics for these computers, see Viewing Wireless Statistics on page 200.
Viewing Computers • Authenticated. The computer is logged on to My HotSpot. • Not Authenticated. The computer is not logged on to My HotSpot. • Excluded from HotSpot. The computer is in an IP address range excluded from HotSpot enforcement. To enforce HotSpot, you must edit the network object.
Viewing Connections Viewing Connections This option allows you to view the currently active connections between your network and the external world. To view the active connections 1. Click Reports in the main menu, and click the Active Connections tab. The Active Connections page appears. The page displays the information in the table below.
Viewing Wireless Statistics 4. To view information about a port, click the port. A window opens displaying information about the port. Table 28: Active Connections Fields This field… Displays… Protocol The protocol used (TCP, UDP, etc.) Source - IP Address The source IP address Source - Port The source port...
The Wireless page appears. The page displays the information in the table below. 2. To refresh the display, click Refresh. Table 29: WLAN Statistics This field… Displays… Wireless Mode: The operation mode used by the WLAN, followed by the transmission rate in Mbps. MAC Address...
This field… Displays… Security: The security mode used by the WLAN. Connected Stations: The number of wireless stations currently connected to the WLAN. Frames OK: The total number of frames that were successfully transmitted and received. Errors: The total number of transmitted and received frames for which an error occurred. Discarded/...
Viewing Wireless Statistics 3. To refresh the display, click Refresh. Table 30: Wireless Station Statistics This field… Displays… Current Rate The current reception and transmission rate in Mbps Frames OK The total number of frames that were successfully transmitted and received Errors The total number of transmitted and received frames for which an error occurred...
This field… Displays… Cipher: The security protocol used for the connection with the wireless client. For more information, see Wireless Security Protocols on page 165.
Chapter 9 Setting Your Security Policy This chapter describes how to set up your VPN-1 Edge appliance security policy. You can enhance your security policy by subscribing to services such as Web Filtering and Email Filtering. You can also integrate all VPN-1 Edge appliances into an overall enterprise security policy by connecting to SMART management.
Default Security Policy This chapter includes the following topics: Default Security Policy................206 Setting the Firewall Security Level ............207 Configuring Servers................. 210 Using Rules ..................... 212 Using SmartDefense ................223 Using Secure HotSpot ................261 Defining an Exposed Host ............... 266 Default Security Policy The VPN-1 Edge default security policy includes the following rules: •...
Setting the Firewall Security Level You can easily override the default security policy, by creating user-defined firewall rules. For further information, see Using Rules on page 212. Setting the Firewall Security Level The firewall security level can be controlled using a simple lever available on the Firewall page.
This level… Does this… Further Details High: Enforces strict control on all incoming and outgoing connections. All inbound traffic is blocked. Restricts all outbound traffic except for the following: Web traffic (HTTP, HTTPS), email (IMAP, POP3, SMTP), ftp, newsgroups, Telnet, DNS, IPSEC IKE and VPN traffic.
To change the firewall security level 1. Click Security in the main menu, and click the Firewall tab. The Firewall page appears. 2. Drag the security lever to the desired level. The VPN-1 Edge appliance security level changes accordingly.
Configuring Servers Configuring Servers Note: If you do not intend to host any public Internet servers (Web Server, Mail Server etc.) in your network, you can skip this section. Using the VPN-1 Edge Portal, you can selectively allow incoming network connections into your network.
Configuring Servers The Servers page appears, displaying a list of services and a host IP address for each allowed service. 2. Complete the fields using the information in the table below. 3. Click Apply. A success message appears, and the selected computer is allowed to run the desired service or application.
In this column… Do this… Host IP: Type the IP address of the computer that will run the service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service. To stop the forwarding of a service to a specific host 1.
specific DMZ computers (such as a manager's computer) to connect to the LAN network and the accounting department. The VPN-1 Edge appliance processes user-defined rules in the order they appear in the Rules table, so that rule 1 is applied before rule 2, and so on. This enables you to define exceptions to rules, by placing the exceptions higher up in the Rules table.
Table 33: Firewall Rule Types Rule Description Allow and Forward: This rule type enables you to do the following: • Permit incoming access from the Internet to a specific service in your internal network. • Forward all such connections to a specific computer in your network.
Using Rules Rule Description Allow This rule type enables you to do the following: • Permit outgoing access from your internal network to a specific service on the Internet. Note: You can allow outgoing connections for services that are not permitted by the default security policy.
Using Rules Adding and Editing Rules To add or edit a rule 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2. Do one of the following: • To add a new rule, click Add Rule. •...
Using Rules The VPN-1 Edge Firewall Rule wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Service dialog box appears. The example below shows an Allow rule. 5.
6. Click Next. The Step 3: Destination & Source dialog box appears. 7. Complete the fields using the relevant information in the table below. The Step 4: Done dialog box appears. 8. Click Finish. The new rule appears in the Firewall Rules page.
Table 34: Firewall Rule Fields In this field… Do this… Any Service: Click this option to specify that the rule should apply to any service. Standard Service: Click this option to specify that the rule should apply to a specific standard service.
Using Rules In this field… Do this… Destination Select the destination of the connections you want to allow or block. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
Using Rules In this field… Do this… Redirect to port Select this option to redirect the connections to a specific port. You must then type the desired port in the field provided. This option is called Port Address Translation (PAT), and is only available when defining an Allow and Forward rule.
Using Rules Enabling/Disabling Rules You can temporarily disable a user-defined rule. To enable/disable a rule 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2. Next to the desired rule, do one of the following: •...
Using SmartDefense Deleting Rules To delete an existing rule 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2. Click the Erase icon of the rule you wish to delete. A confirmation message appears. 3.
Using SmartDefense Configuring SmartDefense For convenience, SmartDefense is organized as a tree, in which each branch represents a category of settings. When a category is expanded, the settings it contains appear as nodes. For information on each category and the nodes it contains, see SmartDefense Categories on page 226.
Using SmartDefense To configure a SmartDefense node 1. Click Security in the main menu, and click the SmartDefense tab. The SmartDefense page appears. The left pane displays a tree containing SmartDefense categories. • To expand a category, click the icon next to it. •...
Using SmartDefense The right pane displays a description of the node, followed by fields. 3. To modify the node's current settings, do the following: a) Complete the fields using the relevant information in SmartDefense Categories on page 226. b) Click Apply. 4.
Using SmartDefense • Denial of Service on page 227 • IP and ICMP on page 232 • TCP on page 243 • Port Scan on page 246 • FTP on page 249 • Microsoft Networks on page 254 • IGMP on page 255 •...
Using SmartDefense You can configure how Teardrop attacks should be handled. Table 35: Teardrop Fields In this field… Do this… Action Specify what action to take when a Teardrop attack occurs, by selecting one of the following: • Block. Block the attack. This is the default. •...
Using SmartDefense You can configure how Ping of Death attacks should be handled. Table 36: Ping of Death Fields In this field… Do this… Action Specify what action to take when a Ping of Death attack occurs, by selecting one of the following: •...
Using SmartDefense You can configure how LAND attacks should be handled. Table 37: LAND Fields In this field… Do this… Action Specify what action to take when a LAND attack occurs, by selecting one of the following: • Block. Block the attack. This is the default. •...
Using SmartDefense You can protect against Non-TCP Flooding attacks by limiting the percentage of state table capacity used for non-TCP connections. Table 38: Non-TCP Flooding Fields In this field… Do this… Action Specify what action to take when the percentage of state table capacity used for non-TCP connections reaches the Max.
Using SmartDefense IP and ICMP This category allows you to enable various IP and ICMP protocol tests, and to configure various protections against IP and ICMP-related attacks. It includes the following: • Packet Sanity on page 232 • Max Ping Size on page 234 •...
Using SmartDefense You can configure whether logs should be issued for offending packets. Table 39: Packet Sanity Fields In this field… Do this… Action Specify what action to take when a packet fails a sanity test, by selecting one of the following: •...
In this field… Do this… Disable relaxed UDP length verification: The UDP length verification sanity check measures the UDP header length and compares it to the UDP header length specified in the UDP header. If the two values differ, the packet may be corrupted. However, since different applications may measure UDP header length differently, the VPN-1 Edge appliance relaxes the UDP length verification sanity check by default, performing the check but not dropping offending...
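The UDP length check described above is easy to reproduce on a raw packet, and doing so shows what "relaxed" actually means in practice. The following is an added example, not code from the guide or from Check Point: it builds constructed IPv4/UDP datagrams (minimal 20-byte IP header, RFC 5737 documentation addresses, checksums left at zero) and compares the length the UDP header claims with the length the IP total-length field implies. The `relaxed` flag models the appliance's default of logging but not dropping a mismatching packet; the verdict strings and the helper names are this example's own.

```python
import struct
from typing import Optional, Tuple

# Every packet in this example is constructed locally; nothing here is a capture.

def build_ipv4_udp(payload: bytes, udp_len_field: Optional[int] = None) -> bytes:
    """Build an IPv4+UDP datagram. udp_len_field lets the caller forge the UDP
    header's length field so that it disagrees with the IP header."""
    udp_len = 8 + len(payload) if udp_len_field is None else udp_len_field
    # UDP header: source port, destination port, length, checksum (zero here).
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    total_len = 20 + 8 + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                     # version 4, IHL 5 (20-byte header, no options)
        0,                        # TOS
        total_len,                # total length of the whole IP datagram
        0, 0,                     # identification, flags/fragment offset
        64,                       # TTL
        17,                       # protocol number 17 = UDP
        0,                        # header checksum (not needed for this check)
        bytes([192, 0, 2, 10]),   # source address (documentation range)
        bytes([192, 0, 2, 53]),   # destination address
    )
    return ip + udp


def check_udp_length(packet: bytes, relaxed: bool = True) -> Tuple[str, str]:
    """Run the UDP length sanity check on one packet.

    Returns (verdict, reason) where verdict is "accept", "log" or "drop".
    relaxed=True is the default behaviour in the guide: a mismatch is logged
    but the packet is still forwarded. relaxed=False drops it instead.
    """
    if len(packet) < 28:
        return "drop", "truncated: shorter than IPv4 + UDP headers"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len > len(packet) or ihl + 8 > total_len:
        return "drop", "truncated: IP total length does not fit the buffer"
    if packet[9] != 17:
        return "accept", "not UDP; check does not apply"
    # What the packet actually carries after the IP header, per the IP header.
    measured = total_len - ihl
    # What the UDP header claims it carries (header + payload).
    claimed = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    if measured == claimed:
        return "accept", "UDP length consistent"
    reason = f"UDP length mismatch: header claims {claimed}, IP header implies {measured}"
    return ("log", reason) if relaxed else ("drop", reason)


if __name__ == "__main__":
    good = build_ipv4_udp(b"abc")
    bad = build_ipv4_udp(b"abc", udp_len_field=5)
    print(check_udp_length(good))
    print(check_udp_length(bad))                  # relaxed: logged, not dropped
    print(check_udp_length(bad, relaxed=False))   # strict: dropped
```

The design point worth noticing is that the two lengths come from different headers written by the same sender, so a mismatch is either a broken stack or a deliberately malformed packet; the relaxed mode exists only because some legitimate stacks get this wrong, which is why the guide keeps the check on and lets you decide whether "log" or "drop" is the right response for your network.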
Using SmartDefense An attacker can echo the client with a large amount of data, causing a buffer overflow. You can protect against such attacks by limiting the allowed size for ICMP echo requests. Table 40: Max Ping Size Fields In this field… Do this…...
Using SmartDefense or exploit, an attacker might imitate this common behavior and break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. Therefore, the VPN-1 Edge appliance always reassembles all the fragments of a given IP packet, before inspecting it to make sure there are no attacks or exploits in the packet.
In this field… Do this… Timeout for Discarding Incomplete Packets: When the VPN-1 Edge appliance receives packet fragments, it waits for additional fragments to arrive, so that it can reassemble the packet. Type the number of seconds to wait before discarding incomplete packets.
You can configure how connections that exceed that limit should be handled. Table 42: Network Quota Fields In this field… Do this… Action: Specify what action to take when the number of network connections from the same source reaches the Max. Connections/Second per Source IP threshold.
In this field… Do this… Max. Connections/Second from Same Source IP: Type the maximum number of network connections allowed per second from the same source IP address. The default value is 100. Set a lower threshold for stronger protection against DoS attacks. Note: Setting this value too low can lead to false alarms.
Using SmartDefense You can configure how the Welchia worm should be handled. Table 43: Welchia Fields In this field… Do this… Action Specify what action to take when the Welchia worm is detected, by selecting one of the following: • Block.
Using SmartDefense You can configure how Cisco IOS DOS attacks should be handled. Table 44: Cisco IOS DOS In this field… Do this… Action Specify what action to take when a Cisco IOS DOS attack occurs, by selecting one of the following: •...
In this field… Do this… Protection for SWIPE - Protocol 53 / IP Mobility - Protocol 55 / … Action: Specify what action to take when an IPv4 packet of the specific protocol type is received, by selecting one of the following: •...
Using SmartDefense In this field… Do this… Track Specify whether to log null payload ping packets, by selecting one of the following: • Log. Log the packets. This is the default. • None. Do not log the packets. This category allows you to configure various protections related to the TCP protocol.
Using SmartDefense You can configure how out-of-state TCP packets should be handled. Table 46: Strict TCP In this field… Do this… Action Specify what action to take when an out-of-state TCP packet arrives, by selecting one of the following: • Block.
You can protect against this attack by specifying a minimum packet size for data sent over the Internet. Table 47: Small PMTU Fields In this field… Do this… Action: Specify what action to take when a packet is smaller than the Minimal MTU Size threshold, by selecting one of the following: •...
Using SmartDefense Port Scan An attacker can perform a port scan to determine whether ports are open and vulnerable to an attack. This is most commonly done by attempting to access a port and waiting for a response. The response indicates whether or not the port is open. This category includes the following types of port scans: •...
Table 48: Port Scan Fields In this field… Do this… Number of ports accessed: SmartDefense detects port scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
In this field… Do this… In a period of [seconds]: SmartDefense detects port scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
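Both the Network Quota node (connections per second from one source, default 100) and the Port Scan node (distinct ports accessed within a period) are sliding-window thresholds, so one detector can illustrate both. The following is an added example, not code from the guide or from Check Point, run over a constructed connection log rather than appliance output. The quota default of 100 per second is the value the guide states; the port-scan thresholds used here (10 ports within 5 seconds) are assumptions for the demo, since the visible text does not give the node's defaults. Function and alert names are this example's own.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# One connection record: (time in seconds, source IP, destination port).
Record = Tuple[float, str, int]
Alert = Tuple[str, str, int]   # (kind, source IP, count at the moment of crossing)


def sample_connection_log() -> List[Record]:
    """Constructed records for the demo; not real traffic from any device."""
    records: List[Record] = []
    # Ordinary client: six HTTPS connections spread over a minute.
    records += [(t * 10.0, "192.0.2.20", 443) for t in range(6)]
    # Scanner-like source: 16 distinct ports within 1.5 seconds.
    records += [(30.0 + i * 0.1, "198.51.100.7", 20 + i) for i in range(16)]
    # Quota-exceeding source: 120 connections to one port within half a second.
    records += [(45.0 + i * 0.004, "203.0.113.5", 80) for i in range(120)]
    records.sort()
    return records


def detect(records: List[Record], scan_ports: int = 10, scan_period: float = 5.0,
           quota_per_sec: int = 100) -> List[Alert]:
    """Evaluate both thresholds with per-source sliding windows.

    port_scan:     more than scan_ports distinct destination ports from one
                   source within scan_period seconds.
    network_quota: more than quota_per_sec connections from one source
                   within any one-second window.
    Each (kind, source) pair is reported once, at the first crossing, which is
    where the appliance's configured Action (Block / None) would apply.
    """
    scan_win: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
    quota_win: Dict[str, Deque[float]] = defaultdict(deque)
    alerts: List[Alert] = []
    reported: Set[Tuple[str, str]] = set()

    for t, src, port in records:
        # Port-scan window: keep (time, port) pairs no older than scan_period.
        win = scan_win[src]
        win.append((t, port))
        while win and t - win[0][0] > scan_period:
            win.popleft()
        distinct = len({p for _, p in win})
        if distinct > scan_ports and ("port_scan", src) not in reported:
            reported.add(("port_scan", src))
            alerts.append(("port_scan", src, distinct))

        # Quota window: keep connection times no older than one second.
        q = quota_win[src]
        q.append(t)
        while q and t - q[0] > 1.0:
            q.popleft()
        if len(q) > quota_per_sec and ("network_quota", src) not in reported:
            reported.add(("network_quota", src))
            alerts.append(("network_quota", src, len(q)))

    return alerts


if __name__ == "__main__":
    for alert in detect(sample_connection_log()):
        print(alert)
```

Two properties matter for tuning: the scanner is caught by port diversity even though its rate (16 connections in 1.5 s) is far below the quota, and the flood is caught by rate even though it touches a single port. Lowering either threshold catches slower or narrower activity at the cost of the false alarms the guide's note warns about, which is why a busy NAT gateway or proxy behind the appliance should be reviewed before tightening the quota.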
Using SmartDefense This category allows you to configure various protections related to the FTP protocol. It includes the following: • FTP Bounce on page 249 • Block Known Ports on page 250 • Block Port Overflow on page 251 • Blocked FTP Commands on page 253 FTP Bounce When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data.
Using SmartDefense Table 49: FTP Bounce Fields In this field… Do this… Action Specify what action to take when an FTP Bounce attack occurs, by selecting one of the following: • Block. Block the attack. This is the default. • None.
Using SmartDefense This provides a second layer of protection against FTP bounce attacks, by preventing such attacks from reaching well-known ports. Table 50: Block Known Ports Fields In this field… Do this… Action Specify what action to take when the FTP server attempts to connect to a well-known port, by selecting one of the following: •...
To enforce compliance with the FTP standard and prevent potential attacks against the FTP server, you can block PORT commands that contain a number greater than 255. Table 51: Block Port Overflow In this field… Do this… Action: Specify what action to take for PORT commands containing a number greater than 255, by selecting one of the following: •...
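The three FTP protections above (FTP Bounce, Block Known Ports and Block Port Overflow) all inspect the same thing: the six comma-separated numbers of the client's PORT command. The following is an added example, not code from the guide or from Check Point, showing how a gateway can apply all three checks to a PORT line seen on the control connection. The finding labels and the `inspect_port_command` name are this example's own; the addresses are from the RFC 5737 documentation ranges and the sample commands are constructed.

```python
import re
from ipaddress import ip_address
from typing import List

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2 (four address octets, then port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


def inspect_port_command(line: str, client_ip: str,
                         block_known_ports: bool = True) -> List[str]:
    """Apply the FTP Bounce, Block Known Ports and Block Port Overflow checks to
    one PORT command. Returns a list of findings; an empty list means the
    command is allowed through."""
    match = PORT_RE.match(line.strip())
    if match is None:
        return ["malformed: not a valid PORT command"]
    nums = [int(x) for x in match.groups()]

    # Block Port Overflow: each value is a single octet, so anything above 255
    # violates the standard and cannot be interpreted; stop here.
    if any(n > 255 for n in nums):
        return ["port_overflow: PORT argument greater than 255"]

    findings: List[str] = []
    data_ip = ".".join(str(n) for n in nums[:4])
    data_port = nums[4] * 256 + nums[5]

    # FTP Bounce: the server must only open the data connection back to the
    # client that issued the command, never to a third host.
    if ip_address(data_ip) != ip_address(client_ip):
        findings.append(f"ftp_bounce: data address {data_ip} is not the client {client_ip}")

    # Block Known Ports: a second layer for bounce attempts, refusing data
    # connections to well-known service ports (below 1024).
    if block_known_ports and data_port < 1024:
        findings.append(f"known_port: data port {data_port} is below 1024")

    return findings


if __name__ == "__main__":
    client = "192.0.2.10"
    for cmd in ["PORT 192,0,2,10,4,1",        # client's own address, port 1025
                "PORT 198,51,100,9,0,25",     # other host, port 25
                "PORT 192,0,2,10,999,1",      # overflowed octet
                "PASV"]:                      # not a PORT command at all
        print(cmd, "->", inspect_port_command(cmd, client) or "allowed")
```

Note the order of the checks: the overflow test runs first because a value above 255 makes the address and port meaningless, so the other two checks would be computed on garbage. Clients behind NAT legitimately send a private address in PORT that differs from what the gateway sees, which is the usual source of false positives on the bounce check and a reason many deployments prefer passive mode.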
Using SmartDefense Blocked FTP Commands Some seldom-used FTP commands may compromise FTP server security and integrity. You can specify which FTP commands should be allowed to pass through the security server, and which should be blocked. To enable FTP command blocking •...
Using SmartDefense When FTP command blocking is enabled, the FTP command will be blocked. To allow a specific FTP command 1. In the Blocked commands box, select the desired FTP command. 2. Click Accept. The FTP command appears in the Allowed commands box. 3.
Using SmartDefense Table 52: File Print and Sharing Fields In this field… Do this… Action Specify what action to take when a CIFS worm attack is detected, by selecting one of the following: • Block. Block the attack. • None. No action. This is the default. Track Specify whether to log CIFS worm attacks, by selecting one of the following:...
Using SmartDefense You can configure how IGMP attacks should be handled. Table 53: IGMP Fields In this field… Do this… Action Specify what action to take when an IGMP attack occurs, by selecting one of the following: • Block. Block the attack. This is the default. •...
In this field… Do this… Enforce IGMP to multicast addresses: According to the IGMP specification, IGMP packets must be sent to multicast addresses. Sending IGMP packets to a unicast or broadcast address might constitute an attack; therefore the VPN-1 Edge appliance blocks such packets.
Using SmartDefense In each node, you can configure how peer-to-peer connections of the selected type should be handled, using the table below. Table 54: Peer to Peer Fields In this field… Do this… Action Specify what action to take when a connection is attempted, by selecting one of the following: •...
Using SmartDefense Instant Messengers SmartDefense can block instant messaging applications that use VoIP protocols, by identifying the messaging application's fingerprints and HTTP headers. This category includes the following nodes: • Skype • Yahoo • ICQ Note: SmartDefense can detect instant messaging traffic regardless of the TCP port being used to initiate the session.
In this field… Do this… Track: Specify whether to log instant messenger connections, by selecting one of the following: • Log. Log the connection. • None. Do not log the connection. This is the default. Block proprietary protocols on all ports: Specify whether proprietary protocols should be blocked on all ports, by selecting one of the following: •...
Using Secure HotSpot You can enable your VPN-1 Edge appliance as a public Internet access hotspot for specific networks. When users on those networks attempt to access the Internet, they are automatically re-directed to the My HotSpot page http://my.hotspot. On this page, they must read and accept the My HotSpot terms of use, and if My HotSpot is configured to be password-protected, they must log on using their VPN-1 Edge username and password.
Using Secure HotSpot You can choose to exclude specific network objects from HotSpot enforcement. For information, see Using Network Objects on page 130. Important: SecuRemote VPN software users who are authenticated by the Internal VPN Server are automatically exempt from HotSpot enforcement. This allows, for example, authenticated employees to gain full access to the corporate LAN, while guest users are permitted to access the Internet only.
Using Secure HotSpot Enabling/Disabling Secure HotSpot To enable/disable Secure HotSpot 1. Click Security in the main menu, and click the My HotSpot tab. The My HotSpot page appears. 2. In the HotSpot Networks area, do one of the following: • To enable Secure HotSpot for a specific network, select the check box next to the network.
Using Secure HotSpot Customizing Secure HotSpot To customize Secure HotSpot 1. Click Security in the main menu, and click the My HotSpot tab. The My HotSpot page appears. 2. Complete the fields using the information in the table below. Additional fields may appear. 3.
Your changes are saved. Table 56: My HotSpot Fields In this field… Do this… My HotSpot Title: Type the title that should appear on the My HotSpot page. The default title is "Welcome to My HotSpot". My HotSpot Type the terms to which the user must agree before accessing the Internet.
Defining an Exposed Host Defining an Exposed Host The VPN-1 Edge appliance allows you to define an exposed host, which is a computer that is not protected by the firewall. This is useful for setting up a public server. It allows unlimited incoming and outgoing connections between the Internet and the exposed host computer.
Defining an Exposed Host 2. In the Exposed Host field, type the IP address of the computer you wish to define as an exposed host. Alternatively, you can click This Computer to define your computer as the exposed host. 3. Click Apply. The selected computer is now defined as an exposed host.
Overview Chapter 10 Using VStream Antivirus This chapter explains how to use the VStream Antivirus engine to block security threats before they reach your network. This chapter includes the following topics: Overview ....................269 Enabling/Disabling VStream Antivirus............271 Viewing VStream Signature Database Information .........272 Configuring VStream Antivirus ...............273 Updating VStream Antivirus ..............285 Overview...
Table 57: VStream Antivirus Actions If a virus is found in this protocol… VStream Antivirus does this… The protocol is detected on this port… HTTP: • Terminates the connection •... Detected on all ports on which VStream is enabled by the policy, not only port 80.
If you are subscribed to the VStream Antivirus subscription service, VStream Antivirus virus signatures are automatically updated, so that security is always up-to-date, and your network is always protected. Note: VStream Antivirus differs from the Email Antivirus subscription service (part of the Email Filtering service) in the following ways: •...
Viewing VStream Signature Database Information The VStream Antivirus page appears. 2. Drag the On/Off lever upwards or downwards. VStream Antivirus is enabled/disabled for all internal network computers. Viewing VStream Signature Database Information VStream Antivirus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures.
Configuring VStream Antivirus Table 58: Account Page Fields This field… Displays… Main database The date and time at which the main database was last updated, followed by the version number. Daily database The date and time at which the daily database was last updated, followed by the version number.
Configuring VStream Antivirus For example, if you want to scan all outgoing SMTP traffic, except traffic from a specific IP address, you can create a rule scanning all outgoing SMTP traffic and move the rule down in the Antivirus Policy table. Then create a rule passing SMTP traffic from the desired IP address and move this rule to a higher location in the Antivirus Policy table than the first rule.
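The ordering rule is the same for the firewall Rules table (rule 1 is applied before rule 2, so exceptions go higher up) and for the Antivirus Policy table in the paragraph above. The following is an added example, not code from the guide or from Check Point: a first-match evaluator over a constructed VStream-style policy built exactly as the paragraph describes (one Pass rule for a single host placed above a Scan rule for all outgoing SMTP), run in both orders to show why the exception must sit above the general rule. The `Rule` type, the exempt host address, and the action returned when no rule matches are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One row of an ordered policy table (constructed for this example)."""
    action: str        # VStream: "Pass" / "Scan"; firewall: "Allow" / "Block" etc.
    service: str       # e.g. "SMTP", "HTTP", or "Any"
    source: str        # CIDR; "0.0.0.0/0" means any source
    destination: str   # CIDR; "0.0.0.0/0" means any destination


def first_match(rules: List[Rule], service: str, src: str, dst: str,
                default: str) -> Tuple[Optional[int], str]:
    """Walk the table top to bottom, as the appliance does, and return the
    (1-based rule number, action) of the first matching rule. If nothing
    matches, return (None, default); the default is the caller's assumption."""
    s, d = ip_address(src), ip_address(dst)
    for number, rule in enumerate(rules, start=1):
        if rule.service != "Any" and rule.service != service:
            continue
        if s not in ip_network(rule.source) or d not in ip_network(rule.destination):
            continue
        return number, rule.action
    return None, default


# Hypothetical exempt host from the guide's scenario ("a specific IP address").
MAIL_RELAY = "192.0.2.25"

# Correct layout: the exception is higher in the table than the general rule.
CORRECT_ORDER = [
    Rule("Pass", "SMTP", f"{MAIL_RELAY}/32", "0.0.0.0/0"),
    Rule("Scan", "SMTP", "192.0.2.0/24", "0.0.0.0/0"),
]

# Same two rules, wrong order: the general Scan rule matches every SMTP
# connection first, so the Pass exception below it is never reached.
WRONG_ORDER = list(reversed(CORRECT_ORDER))


def decide(rules: List[Rule], src: str, dst: str = "203.0.113.10",
           service: str = "SMTP") -> str:
    """Action for one outgoing connection under the given table.
    No-match default of "Pass" is an assumption of this example."""
    return first_match(rules, service, src, dst, default="Pass")[1]


if __name__ == "__main__":
    for label, table in [("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)]:
        print(label, "relay:", decide(table, MAIL_RELAY),
              "other host:", decide(table, "192.0.2.30"))
```

A practical check after editing either table is to run the handful of connections you care about through the evaluator and confirm which rule number each one hits; a rule that never matches anything in such a check is usually shadowed by a broader rule above it.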
Configuring VStream Antivirus Rule Description Scan This rule type enables you to specify that VStream Antivirus should scan traffic matching the rule. If a virus is found, it is blocked and logged. Adding and Editing Rules To add or edit a rule 1.
Configuring VStream Antivirus The VStream Policy Rule Wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Service dialog box appears. The example below shows a Scan rule. 5.
6. Click Next. The Step 3: Destination & Source dialog box appears. 7. Complete the fields using the relevant information in the table below. The Step 4: Done dialog box appears. 8. Click Finish. The new rule appears in the Firewall Rules page.
Table 60: VStream Rule Fields In this field… Do this… Any Service: Click this option to specify that the rule should apply to any service. Standard Service: Click this option to specify that the rule should apply to a specific standard service.
In this field… Do this… And the destination is: Select the destination of the connections you want to allow or block. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
Configuring VStream Antivirus 2. Next to the desired rule, do one of the following: • To enable the rule, click The button changes to and the rule is enabled. • To disable the rule, click The button changes to and the rule is disabled. Changing Rules' Priority To change a rule's priority 1.
Configuring VStream Antivirus 3. Click OK. The rule is deleted. Configuring VStream Advanced Settings To configure VStream Antivirus advanced settings 1. Click Antivirus in the main menu, and click the Advanced tab. The Advanced Antivirus Settings page appears. 2. Complete the fields using the table below. 3.
The VStream Antivirus settings are reset to their defaults. For information on the default values, refer to the table below. Table 61: Advanced Antivirus Settings Fields In this field… Do this… File Types: Block potentially unsafe file types in email: Select this option to block all emails containing potentially unsafe attachments.
In this field… Do this… Pass safe file types without scanning: Select this option to accept common file types that are known to be safe, without scanning them. Safe file types are: • MPEG streams • RIFF Ogg Stream •...
In this field… Do this… Maximum compression ratio 1:x: Fill in the field to complete the maximum compression ratio of files that VStream Antivirus should scan. For example, to specify a 1:150 maximum compression ratio, type 150. Setting a higher number allows the scanning of highly compressed files, but creates a potential for highly compressible files to create a heavy load on the appliance.
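The compression-ratio limit exists because inflating an archive is where a scanner spends memory and CPU, and a small member can expand to something enormous. The following is an added example, not code from the guide or from Check Point, that shows what a 1:150 limit means on a real archive: it builds a constructed zip with one extremely compressible member and one incompressible member, reads each member's stored sizes from the central directory, and reports which members exceed the ratio before anything is inflated. The 150 value is the guide's own example; the member names, the `members_over_limit` helper and the decision to compute the ratio as uncompressed size divided by compressed size are this example's assumptions.

```python
import io
import random
import zipfile
from typing import Dict

MAX_RATIO = 150   # the guide's example setting: "to specify 1:150 ... type 150"


def build_sample_zip() -> bytes:
    """Constructed test archive, not a real sample: one member that deflates
    to almost nothing (a megabyte of zero bytes) and one that does not
    compress at all (pseudo-random bytes from a fixed seed)."""
    rng = random.Random(0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * 1_000_000)
        zf.writestr("noise.bin", bytes(rng.getrandbits(8) for _ in range(50_000)))
    return buf.getvalue()


def member_ratios(archive: bytes) -> Dict[str, float]:
    """Compression ratio (uncompressed / compressed) of every member, taken
    from the central directory, so nothing is decompressed to compute it."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {
            info.filename: (info.file_size / info.compress_size
                            if info.compress_size else float("inf"))
            for info in zf.infolist()
        }


def members_over_limit(archive: bytes, max_ratio: int = MAX_RATIO) -> Dict[str, float]:
    """Members whose ratio is above 1:max_ratio. These are the entries a scanner
    configured like the guide's setting would decline to inflate; what happens
    to the whole file then (pass or block) is a policy choice, not decided here."""
    return {name: ratio for name, ratio in member_ratios(archive).items()
            if ratio > max_ratio}


if __name__ == "__main__":
    archive = build_sample_zip()
    for name, ratio in member_ratios(archive).items():
        print(f"{name}: 1:{ratio:.0f}")
    print("over limit:", list(members_over_limit(archive)))
```

One caveat a practitioner should keep in mind: the sizes in the central directory are written by whoever produced the archive, so a scanner cannot trust them alone. A robust implementation also enforces the ratio while inflating, counting bytes out against bytes in and aborting as soon as the running ratio crosses the limit; the pre-check above is the cheap first gate, not the whole defence.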
Updating VStream Antivirus

When you are subscribed to the VStream Antivirus updates service, VStream Antivirus virus signatures are automatically updated, keeping security up-to-date with no need for user intervention. However, you can still check for updates manually, if needed.

To update the VStream Antivirus virus signature database
1.

Chapter 11  SMART Management and Subscription Services

You can integrate all VPN-1 Edge appliances into an overall enterprise security policy for maximum security. Check Point's Security Management Architecture (SMART) delivers a single enterprise-wide security policy that you can centrally manage and automatically deploy to an unlimited number of VPN-1 Edge gateways.

Connecting to a Service Center

To connect to a Service Center
1. Click Services in the main menu, and click the Account tab.
   The Account page appears.
2. In the Service Account area, click Connect.

Check Point VPN-1 Edge User Guide...
   The VPN-1 Edge Services Wizard opens, with the Service Center dialog box displayed.
3. Make sure the Connect to a different Service Center check box is selected.
4. Do one of the following:
   • To connect to the SofaWare Service Center, choose usercenter.sofaware.com.
   • If the Service Center requires authentication, the Service Center Login dialog box appears. Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider, then click Next.
   • ...
   The Done screen appears with a success message.
7. Click Finish.
   The following things happen:
   • If a new firmware is available, the VPN-1 Edge appliance may start downloading it. This may take several minutes. Once the download is complete, the VPN-1 Edge appliance restarts using the new firmware.
   • The services to which you are subscribed are now available on your VPN-1 Edge appliance and listed as such on the Account page. See Viewing Services Information on page 293 for further information.
   • ...

Viewing Services Information

The Account page displays the following information about your subscription.

Table 62: Account Page Fields
This field…    Displays…
Service Center Name
    The name of the Service Center to which you are connected (if known).
Gateway ID
    Your gateway ID.
Information
    The mode to which each service is set. If you are subscribed to Dynamic DNS, this field displays your gateway's domain name. For further information, see Web Filtering on page 296, Virus Scanning on page 300, and Automatic and Manual Updates on page 304.

To configure your account
1. Click Services in the main menu, and click the Account tab.
   The Account page appears.
2. In the Service Account area, click Configure.
   Note: If no additional settings are available from your Service Center, this button will not appear.

Disconnecting from Your Service Center

   • The services to which you were subscribed are no longer available on your VPN-1 Edge appliance.

Web Filtering

When the Web Filtering service is enabled, access to Web content is restricted according to the categories specified under Allow Categories. Authorized users will be able to view Web pages with no restrictions, only after they have provided the administrator password via the Web Filtering pop-up window.

   The Web Filtering page appears.
2. Drag the On/Off lever upwards or downwards.
   Web Filtering is enabled/disabled.

Selecting Categories for Blocking

You can define which types of Web sites should be considered appropriate for your family or office members, by selecting the categories. Categories marked with [icon] will remain visible, while categories marked with [icon] will be blocked and will require the administrator password for viewing.

To allow/block a category
• In the Allow Categories area, click [icon] next to the desired category.

Temporarily Disabling Web Filtering

If desired, you can temporarily disable the Web Filtering service.

To temporarily disable Web Filtering
1. Click Services in the main menu, and click the Web Filtering tab.
   The Web Filtering page appears.
   • The Snooze button changes to Resume.
   • The Web Filtering Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page.
   • The service is re-enabled for all internal network computers.
   • ...
   • If you clicked Resume in the Web Filtering Off popup window, the popup window closes.

Email Filtering

There are two Email Filtering services:
• Email Antivirus
  When the Email Antivirus service is enabled, your email is automatically scanned for the detection and elimination of all known viruses and vandals.

Enabling/Disabling Email Filtering

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable/disable Email Filtering
1. Click Services in the main menu, and click the Email Filtering tab.
   The Email Filtering page appears.
2.

Selecting Protocols for Scanning

If you are locally managed, you can define which protocols should be scanned for viruses and spam:
• Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned.
• Email sending (SMTP). If enabled, all outgoing email will be scanned.
Protocols marked with [icon] will be scanned, while those marked with [icon] will not.
   • The Snooze button changes to Resume.
   • The Email Filtering Off popup window opens.
3. To re-enable Email Antivirus and Email Antispam, click Resume, either in the popup window, or on the Email Filtering page.
   • The services are re-enabled for all internal network computers.
   • ...

Automatic and Manual Updates

The Software Updates service enables you to check for new security and software updates.

Note: Software Updates are only available if you are connected to a Service Center and subscribed to this service.

Checking for Software Updates when Locally Managed

If your VPN-1 Edge appliance is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates must be...

2. To set the VPN-1 Edge appliance to automatically check for and install new software updates, drag the Automatic/Manual lever upwards.
   The VPN-1 Edge appliance checks for new updates and installs them according to its schedule.
   Note: When the Software Updates service is set to Automatic, you can still manually check for updates.
   The Software Updates page appears.
2. Click Update Now.
   The system checks for new updates and installs them.

Chapter 12  Working with VPNs

This chapter describes how to use your VPN-1 Edge appliance as a Remote Access VPN Client, VPN server, or VPN gateway.

Note: For maximum security, you can integrate all VPN-1 Edge appliances into an overall enterprise security policy.

This chapter includes the following topics:
Overview ........................................... 308
Setting Up Your VPN-1 Edge Appliance as a VPN Server ... 314
Adding and Editing VPN Sites ....................... 319
Deleting a VPN Site ................................ 351
Enabling/Disabling a VPN Site ...................... 352
Logging on to a Remote Access VPN Site .............
Overview

VPN Client. Defining a Remote Access VPN Client is a hardware alternative to using SecuRemote software.

Both VPN-1 Edge series provide VPN functionality. The VPN-1 Edge appliance can act as a Remote Access VPN Client, a VPN Server, or a Site-to-Site VPN Gateway.

Site-to-Site VPNs

A Site-to-Site VPN consists of two or more Site-to-Site VPN Gateways that can communicate with each other in a bi-directional relationship. The connected networks function as a single network. You can use this type of VPN to mesh office branches into one corporate network.
To create a Site-to-Site VPN with two VPN sites
1. On the first VPN site’s VPN-1 Edge appliance, do the following:
   a. Define the second VPN site as a Site-to-Site VPN Gateway, or create a PPPoE tunnel to the second VPN site, using the procedure Adding and Editing VPN Sites on page 319.

Remote Access VPNs

A Remote Access VPN consists of one Remote Access VPN Server or Site-to-Site VPN Gateway, and one or more Remote Access VPN Clients. You can use this type of VPN to make an office network remotely available to authorized users, such as employees working from home, who connect to the office Remote Access VPN Server with their Remote Access VPN Clients.

To create a Remote Access VPN with two VPN sites
1. On the remote user VPN site's VPN-1 Edge appliance, add the office Remote Access VPN Server as a Remote Access VPN site. See Adding and Editing VPN Sites on page 319.
   The remote user's VPN-1 Edge appliance will act as a Remote Access VPN Client.

Setting Up Your VPN-1 Edge Appliance as a VPN Server

Using the internal VPN Server, along with a strict security policy for non-VPN users, can enhance security both for wired networks and for wireless networks, which are particularly vulnerable to security breaches. The internal VPN Server can be used in the VPN-1 Edge W wireless appliance, regardless of the wireless security settings.
To set up your VPN-1 Edge appliance as a VPN Server
1. Configure the VPN Server in one or more of the following ways:
   • To accept remote access connections from the Internet. See Configuring the Remote Access VPN Server on page 316.

Configuring the Remote Access VPN Server

To configure the Remote Access VPN Server
1. Click VPN in the main menu, and click the VPN Server tab.
   The SecuRemote VPN Server page appears.
2.

   New check boxes appear.
3. To allow authenticated users connecting from the Internet to bypass NAT when connecting to your internal network, select the Bypass NAT check box.
4. To allow authenticated users connecting from the Internet to bypass the firewall and access your internal network without restriction, select the Bypass the firewall check box.
2. Select the Allow SecuRemote users to connect from my internal networks check box.
   New check boxes appear.
3. To allow authenticated users connecting from internal networks to bypass the firewall and access your internal network without restriction, select the Bypass the firewall check box.

Installing SecuRemote

If you configured the Remote Access VPN Server to accept connections from your internal networks, you must install the SecuRemote VPN Client on internal network computers that should be allowed to remotely access your network.

To install SecuRemote
1.

Adding and Editing VPN Sites
   The VPN Sites page appears with a list of VPN sites.
2. Do one of the following:
   • To add a VPN site, click New Site.
   • To edit a VPN site, click Edit in the desired VPN site’s row.
   The VPN-1 Edge VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.
3. Do one of the following:
   • Select Remote Access VPN to establish remote access from your Remote Access VPN Client to a Remote Access VPN Server.

Configuring a Remote Access VPN Site

If you selected Remote Access VPN, the VPN Gateway Address dialog box appears.
1. Enter the IP address of the Remote Access VPN Server to which you want to connect, as given to you by the network administrator.
   The VPN Network Configuration dialog box appears.
4. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 331.
5. Click Next.
   The following things happen in the order below:
   • ...
     Complete the fields using the information in VPN Network Configuration Fields on page 331 and click Next.
   • The Authentication Method dialog box appears.
6. Complete the fields using the information in Authentication Methods Fields on page 333.
Username and Password Authentication Method

If you selected Username and Password, the VPN Login dialog box appears.
1. Complete the fields using the information in VPN Login Fields on page 333.
2. Click Next.
   • If you selected Automatic Login, the Connect dialog box appears. Do the following:
     1) To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box.
        This allows you to test the VPN connection.
        Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
   The VPN Site Created screen appears.
5. Click Finish.
   The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
1. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box.
   This allows you to test the VPN connection.
   Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
   The VPN Site Created screen appears.
5. Click Finish.
   The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
1. Enter a name for the VPN site.
   You may choose any name.
2. Click Next.
   The VPN Site Created screen appears.
3. Click Finish.
   The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list.
Table 63: VPN Network Configuration Fields
In this field…    Do this…
Download Configuration
    Click this option to obtain the network configuration by downloading it from the VPN site. This option will automatically configure your VPN settings, by downloading the network topology definition from the Remote Access VPN Server.
Route Based VPN
    Click this option to create a virtual tunnel interface (VTI) for this site, so that it can participate in a route-based VPN. Route-based VPNs allow routing connections over VPN tunnels, so that remote VPN sites can participate in dynamic or static routing schemes.
Table 64: Authentication Methods Fields
In this field…    Do this…
Username and Password
    Select this option to use a user name and password for VPN authentication. In the next step, you can specify whether you want to log on to the VPN site automatically or manually.
In this field…    Do this…
Automatic Login
    Click this option to enable the VPN-1 Edge appliance to log on to the VPN site automatically. You must then fill in the Username and Password fields. Automatic Login provides all the computers on your internal network with constant access to the VPN site.

Configuring a Site-to-Site VPN Gateway

If you selected Site-to-Site VPN, the VPN Gateway Address dialog box appears.
1. Complete the fields using the information in VPN Gateway Address Fields on page 346.
2. Click Next.
   The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 331.
4. Click Next.
   • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Complete the fields using the information in VPN Network Configuration Fields on page 331, and then click Next.
   • If you chose Route Based VPN, the Route Based VPN dialog box appears. Complete the fields using the information in Route Based VPN Fields on page 347, and then click Next.
   • The Authentication Method dialog box appears.
5.
Shared Secret Authentication Method

If you selected Shared Secret, the Authentication dialog box appears. If you chose Download Configuration, the dialog box contains additional fields.
1. Complete the fields using the information in VPN Authentication Fields on page 348 and click Next.
   The Security Methods dialog box appears.
2. To configure advanced security settings, click Show Advanced Settings.
   New fields appear.
3. Complete the fields using the information in Security Methods Fields on page 348 and click Next.
   The Connect dialog box appears.
4. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box.
   This allows you to test the VPN connection.
   Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
   • The Site Name dialog box appears.
6. Enter a name for the VPN site.
   You may choose any name.
7. To keep the tunnel to the VPN site alive even if there is no network traffic between the VPN-1 Edge appliance and the VPN site, select Keep this site alive.
   • If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following:
     1) Type up to three IP addresses which the VPN-1 Edge appliance should ping in order to keep the tunnel to the VPN site alive.
Certificate Authentication Method

If you selected Certificate, the following things happen:
• If you chose Download Configuration, the Authentication dialog box appears. Complete the fields using the information in VPN Authentication Fields on page 348 and click Next.
• ...
1. To configure advanced security settings, click Show Advanced Settings.
   New fields appear.
2. Complete the fields using the information in Security Methods Fields on page 348 and click Next.
   The Connect dialog box appears.
3.
   This allows you to test the VPN connection.
   Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
4. Click Next.
   • If you selected Try to Connect to the VPN Gateway, the following things happen:
     The Connecting…...
   • If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following:
     1) Type up to three IP addresses which the VPN-1 Edge appliance should ping in order to keep the tunnel to the VPN site alive.
Table 66: VPN Gateway Address Fields
In this field…    Do this…
Gateway Address
    Type the IP address of the Site-to-Site VPN Gateway to which you want to connect, as given to you by the network administrator.
Bypass NAT
    Select this option to allow the VPN site to bypass NAT when connecting to your internal network.
Table 68: Authentication Methods Fields
In this field…    Do this…
Shared Secret
    Select this option to use a shared secret for VPN authentication. A shared secret is a string used to identify VPN sites to each other.
Certificate
    Select this option to use a certificate for VPN authentication.
Table 70: Security Methods Fields
In this field…    Do this…
Phase 1 Security Methods
    Select the encryption and integrity algorithm to use for IKE negotiations:
    • Automatic. The VPN-1 Edge appliance automatically selects the best security methods supported by the site. This is the default.
Perfect Forward Secrecy
    Specify whether to enable Perfect Forward Secrecy (PFS), by selecting one of the following:
    • Enabled. PFS is enabled. The Diffie-Hellman group field is enabled.
    • Disabled. PFS is disabled. This is the default.
    Enabling PFS will generate a new Diffie-Hellman key during IKE Phase 2 and renew the key for each key exchange.

Deleting a VPN Site

To delete a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
   The VPN Sites page appears, with a list of VPN sites.
2. In the desired VPN site’s row, click the Erase icon.

Enabling/Disabling a VPN Site

You can only connect to VPN sites that are enabled.

To enable/disable a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
   The VPN Sites page appears, with a list of VPN sites.
2.

Logging on to a Remote Access VPN Site

You need to manually log on to Remote Access VPN Servers configured for Manual Login. You do not need to manually log on to a Remote Access VPN Server configured for Automatic Login or a Site-to-Site VPN Gateway: all the computers on your network have constant access to it.
   The VPN Login page appears.
2. From the Site Name list, select the site to which you want to log on.
   Note: Disabled VPN sites will not appear in the Site Name list.
3.

   • Once the VPN-1 Edge appliance has finished connecting, the VPN Login Status box appears. The Status field displays “Connected”.
   • The VPN Login Status box remains open until you manually log off the VPN site.
   The VPN Login screen appears.
2. In the Site Name list, select the site to which you want to log on.
3. Enter your user name and password in the appropriate fields.
4.

Logging off a Remote Access VPN Site

You need to manually log off a VPN site, if it is a Remote Access VPN site configured for Manual Login.

To log off a VPN site
• ...

Installing a Certificate

The VPN-1 Edge appliance supports certificates encoded in the PKCS#12 (Personal Information Exchange Syntax Standard) format, and enables you to install such certificates in the following ways:
• By generating a self-signed certificate. See Generating a Self-Signed Certificate on page 358.
• ...
   The Certificate page appears.
2. Click Install Certificate.
   The VPN-1 Edge Certificate Wizard opens, with the Certificate Wizard dialog box displayed.
3. Click Generate a self-signed security certificate for this gateway.
   The Create Self-Signed Certificate dialog box appears.
4. Complete the fields using the information in the table below.
5. Click Next.
   The VPN-1 Edge appliance generates the certificate. This may take a few seconds.
   The Done dialog box appears, displaying the certificate's details.
6.
   The VPN-1 Edge appliance installs the certificate. If a certificate is already installed, it is overwritten.
   The Certificate Wizard closes. The Certificates page displays the following information:
   • The gateway's certificate
   • The gateway's name
   • The gateway certificate's fingerprint
   • ...

Table 71: Certificate Fields
In this field…    Do this…
Country
    Select your country from the drop-down list.
Organization Name
    Type the name of your organization.
Organizational Unit
    Type the name of your division.
Gateway Name
    Type the gateway's name. This name will appear on the certificate, and will be visible to remote users inspecting the certificate.
   The Import Certificate dialog box appears.
4. Click Browse to open a file browser from which to locate and select the file.
   The filename that you selected is displayed.
5. Click Next.
   The Import-Certificate Passphrase dialog box appears. This may take a few moments.

7. Click Next.
   The Done dialog box appears, displaying the certificate's details.
8. Click Finish.
   The VPN-1 Edge appliance installs the certificate. If a certificate is already installed, it is overwritten.
   The Certificate Wizard closes. The Certificates page displays the following information:
   • ...

Uninstalling a Certificate

To uninstall a certificate
1. Click VPN in the main menu, and click the Certificate tab.
   The Certificate page appears with the name of the currently installed certificate.
2. Click Uninstall.
   A confirmation message appears.
3. Click OK.
   The certificate is uninstalled.

Viewing VPN Tunnels
To view VPN tunnels
1. Click Reports in the main menu, and click the VPN Tunnels tab.
   The VPN Tunnels page appears with a table of open tunnels to VPN sites. The VPN Tunnels page includes the information described in the table below.
2.
This field…    Displays…
Destination
    The IP address or address range of the entity to which the tunnel is connected. The entity's type is indicated by an icon. See VPN Tunnel Icons on page 367.
Security
    The type of encryption used to secure the connection, and the type of Message Authentication Code (MAC) used to verify the integrity of the message.

Table 73: VPN Tunnels Icons
This icon…    Represents…
[icon]    This gateway
[icon]    A network for which an IKE Phase-2 tunnel was negotiated
[icon]    A Remote Access VPN Server
[icon]    A Site-to-Site VPN Gateway
[icon]    A remote access VPN user

Viewing IKE Traces for VPN Connections

If you are experiencing VPN connection problems, you can save a trace of IKE (Internet Key Exchange) negotiations to a file, and then use the free IKE View tool...
2. Click Clear IKE Trace.
   All IKE trace data currently stored on the VPN-1 Edge appliance is cleared.

To view the IKE trace for a connection
1. Establish a VPN tunnel to the VPN site with which you are experiencing connection problems.

Chapter 13  Managing Users

This chapter describes how to manage VPN-1 Edge appliance users. You can define multiple users, set their passwords, and assign them various permissions.

This chapter includes the following topics:
Changing Your Password ............................. 371
Adding and Editing Users ........................... 373
Adding Quick Guest HotSpot Users ................... 377
Viewing and Deleting Users ......................... 379
...
Changing Your Password

   The Internal Users page appears.
2. In the row of your username, click Edit.
   The Account Wizard opens displaying the Set User Details dialog box.
3. Edit the Password and Confirm password fields.
   Note: Use 5 to 25 characters (letters or numbers) for the new password.
4. Click Next.
   The Set User Permissions dialog box appears.
5. Click Finish.
   Your changes are saved.

Adding and Editing Users

This procedure explains how to add and edit users. For information on quickly adding guest HotSpot users via a shortcut that the VPN-1 Edge appliance provides, see Adding Quick Guest HotSpot Users on page 377.
2. Do one of the following:
   • To create a new user, click New User.
   • To edit an existing user, click Edit next to the desired user.
   The Account Wizard opens displaying the Set User Details dialog box.
3.
   The Set User Permissions dialog box appears. The options that appear on the page are dependent on the software and services you are using.
5. Complete the fields using the information in Set User Permissions Fields on page 376.
In this field…    Do this…
Expires On
    To specify an expiration time for the user, select this option and specify the expiration date and time in the fields provided. When the user account expires, it is locked, and the user can no longer log on to the VPN-1 Edge appliance.
Web Filtering Override
    Select this option to allow the user to override Web Filtering. This option only appears if the Web Filtering service is defined. This option cannot be changed for the “admin” user.
HotSpot Access
    Select this option to allow the user to log on to the My HotSpot page.
Adding Quick Guest HotSpot Users

To quickly create a guest user
1. Click Users in the main menu, and click the Internal Users tab.
   The Internal Users page appears.
2. Click Quick Guest.
   The Account Wizard opens displaying the Save Quick Guest dialog box.
3.

Viewing and Deleting Users

Note: The “admin” user cannot be deleted.

To view or delete users
1. Click Users in the main menu, and click the Internal Users tab.
   The Internal Users page appears with a list of all users and their permissions. The expiration time of expired users appears in red.

Setting Up Remote VPN Access for Users

If you are using your VPN-1 Edge appliance as a Remote Access VPN Server or as an internal VPN Server, you can allow users to access it remotely through their Remote Access VPN Clients (a Check Point SecureClient, Check Point SecuRemote, or another Embedded NGX appliance).
Using RADIUS Authentication

By default, all RADIUS-authenticated users are assigned the set of permissions specified in the VPN-1 Edge Portal's RADIUS page. However, you can configure the RADIUS server to pass the VPN-1 Edge appliance a specific set of permissions to grant the authenticated user, instead of these default permissions.
   The RADIUS page appears.
2. Complete the fields using the table below.
3. Click Apply.
4. To restore the default RADIUS settings, do the following:
   a) Click Default.
      A confirmation message appears.
   b) Click OK.
      The RADIUS settings are reset to their defaults. For information on the default values, refer to the table below.
5. To use the RADIUS VSA to assign permissions to users, configure the VSA. See Configuring the RADIUS Vendor-Specific Attribute on page 385.

Table 76: RADIUS Page Fields
In this field…    Do this…
Primary/Secondary RADIUS Server
    Configure the primary and secondary RADIUS servers. By default, the VPN-1 Edge appliance sends a request to the primary RADIUS server first.
Realm
    If your organization uses RADIUS realms, type the realm to append to RADIUS requests. The realm will be appended to the username as follows: <username>@<realm>
    For example, if you set the realm to “myrealm”, and the user "JohnS" attempts to log on to the VPN-1 Edge Portal, the VPN-1 Edge appliance will send the RADIUS server an authentication request with the username “JohnS@myrealm”.
Web Filtering Override
    Select this option to allow all users authenticated by the RADIUS server to override Web Filtering. This option only appears if the Web Filtering service is defined.
HotSpot Access
    Select this option to allow the user to access the My HotSpot page.
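As an added illustration (not the appliance's own code, and not from the guide) of what the request described above looks like on the wire, the following builds an RFC 2865 Access-Request with the realm-qualified User-Name and the hidden User-Password, and parses it back as a RADIUS server would, so an administrator can confirm that "JohnS" with realm "myrealm" arrives as "JohnS@myrealm" and that the password is never sent in clear. The shared secret, NAS-Identifier and credentials are constructed sample values.

```python
import hashlib
import secrets
import struct

ACCESS_REQUEST = 1        # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def realm_qualified_name(username, realm):
    """Append the Realm field value the way the guide describes: <username>@<realm>.
    An empty realm leaves the name untouched."""
    return f"{username}@{realm}" if realm else username


def _keystream_xor(data, secret, authenticator, keyed_on_output):
    """RFC 2865 section 5.2 User-Password hiding. Each 16-byte block is XORed with
    MD5(secret || previous block). The 'previous block' is the Request Authenticator for
    the first block and then the previous ciphertext block, so hiding and revealing
    differ only in which side of the XOR feeds the chain."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if keyed_on_output else block
    return bytes(out)


def hide_password(password, secret, authenticator):
    """Client side: NUL-pad to a multiple of 16 octets (at least one block) and hide."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is at most 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _keystream_xor(padded, secret, authenticator, keyed_on_output=True)


def reveal_password(hidden, secret, authenticator):
    """Server side: undo the hiding and strip the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    return _keystream_xor(hidden, secret, authenticator, keyed_on_output=False).rstrip(b"\x00")


def encode_attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, realm, password, secret, identifier=1, authenticator=None):
    """Access-Request as a NAS would send it: realm-qualified User-Name, hidden
    User-Password, and a NAS-Identifier (constructed value)."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = (encode_attribute(ATTR_USER_NAME, realm_qualified_name(username, realm).encode())
             + encode_attribute(ATTR_USER_PASSWORD,
                                hide_password(password.encode(), secret, authenticator))
             + encode_attribute(ATTR_NAS_IDENTIFIER, b"vpn1-edge-example"))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Server side: validate the framing, walk the TLVs, return (user_name, password)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    user = attrs[ATTR_USER_NAME].decode()
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return user, password


if __name__ == "__main__":
    pkt = build_access_request("JohnS", "myrealm", "s3cret", b"shared-secret")
    print("User-Name on the wire:", parse_access_request(pkt, b"shared-secret")[0])
    print("packet bytes:", pkt.hex())
```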
Configuring the RADIUS Vendor-Specific Attribute

Table 77: VSA Syntax
Permission    Description    Attribute Number    Attribute Format    Attribute Values    Notes
Admin
    Description: Indicates the administrator’s level of access to the Embedded NGX Portal.
    Attribute Format: String
    Attribute Values:
    • none. The user cannot access the VPN-1 Edge Portal.
    • readonly. ...
Configuring the RADIUS Vendor-Specific Attribute Permission Description Attribute Attribute Attribute Values Notes Number Format true. The user can Hotspot Indicates whether String This permission the user can log access the Internet is only relevant if on via the My via My HotSpot. the Secure HotSpot page.
Chapter 14: Maintenance
This chapter describes the tasks required for maintenance and diagnosis of your VPN-1 Edge appliance.
This chapter includes the following topics:
Viewing Firmware Status .................389
Updating the Firmware................391
Upgrading Your Software Product ............393
Registering Your VPN-1 Edge Appliance..........397
Configuring Syslog Logging ..............398
Controlling the Appliance via the Command Line ........400
Configuring HTTPS .................404...
Viewing Firmware Status
To view the firmware status
• Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
The Firmware page displays the following information:
Table 78: Firmware Status Fields
This field… Displays… For example…
WAN MAC Address: The MAC address used for
For example: 00:80:11:22:33:44...
Uptime: The time that elapsed from the moment the unit was turned on. For example: 01:21:15
Hardware Type: The type of the current VPN-1 Edge appliance hardware. For example: Sbox-X
Hardware Version: The current hardware version of the VPN-1 Edge appliance
Updating the Firmware
If you are subscribed to Software Updates, firmware updates are performed...
2. Click Firmware Update.
The Firmware Update page appears.
3. Click Browse.
A browse window appears.
4. Select the image file and click Open.
The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box.
Upgrading Your Software Product
You can upgrade the VPN-1 Edge product installed on your appliance by purchasing a new license. You will receive a new Product Key that enables you to use advanced features on the same VPN-1 Edge appliance you have today. There is no need to replace your hardware.
The VPN-1 Edge Licensing Wizard opens, with the Install Product Key dialog box displayed.
3. Click Enter a different Product Key.
4. In the Product Key field, enter the new Product Key.
5. Click Next.
The Installed New Product Key dialog box appears.
6.
The first Registration dialog box appears.
7. Do one of the following:
• To register your VPN-1 Edge appliance later on, clear the I want to register my product check box and then click Next.
• To register your VPN-1 Edge appliance now, do the following:
1) Click Next.
A second Registration dialog box appears.
2) Enter your contact information in the appropriate fields.
3) To receive email notifications regarding new firmware versions and services, select the check box.
4) Click Next.
The Registration… screen appears. The third Registration dialog box appears.
8. Click Finish.
Your VPN-1 Edge appliance is restarted and the Welcome page appears.
Registering Your VPN-1 Edge Appliance
If you want to activate your warranty and optionally receive notifications of new firmware versions and services, you must register your VPN-1 Edge appliance.
Privacy Statement: Check Point is committed to protecting your privacy.
9. Click Next.
The Registration… screen appears. The third Registration dialog box appears.
10. Click Finish.
Your VPN-1 Edge appliance is restarted and the Welcome page appears.
Configuring Syslog Logging
You can configure the VPN-1 Edge appliance to send event logs to a Syslog server residing in your internal network or on the Internet.
To configure Syslog logging
1. Click Setup in the main menu, and click the Logging tab.
The Logging page appears.
2. Complete the fields using the information in the table below.
3. Click Apply.
Table 79: Logging Page Fields
In this field…...
Syslog Port: Type the port number of the Syslog server. Click Default to reset the Syslog Port field to the default (port 514 UDP).
Controlling the Appliance via the Command Line
Depending on your VPN-1 Edge model, you can control your appliance via the command line in the following ways:
•...
The Tools page appears.
2. Click Command.
The Command Line page appears.
3. In the upper field, type a command.
You can view a list of supported commands using the command help. For information on all commands, refer to the Embedded NGX CLI Reference Guide.
4.
The Ports page appears.
3. In the RS232 drop-down list, select Console.
4. Click Apply.
You can now control the VPN-1 Edge appliance from the serial console. For information on all supported commands, refer to the Embedded NGX CLI Reference Guide.
Configuring HTTPS
You can enable VPN-1 Edge appliance users to access the VPN-1 Edge Portal from the Internet. To do so, you must first configure HTTPS.
To configure HTTPS
1. Click Setup in the main menu, and click the Management tab.
The Management page appears.
Note: You can use HTTPS to access the VPN-1 Edge Portal from your internal network, by surfing to https://my.firewall.
If you selected IP Address Range, additional fields appear.
3. If you selected IP Address Range, enter the desired IP address range in the fields provided.
Select this option… To allow access from…
Internal Network and VPN: The internal network and your VPN.
IP Address Range: A particular range of IP addresses. Additional fields appear, in which you can enter the desired IP address range.
Any IP address.
Configuring SSH
See Access Options on page 405 for information.
Warning: If remote SSH is enabled, your VPN-1 Edge appliance settings can be changed remotely, so it is especially important to make sure all VPN-1 Edge appliance users’ passwords are difficult to guess.
If you selected IP Address Range, additional fields appear.
Configuring SNMP
VPN-1 Edge appliance users can monitor the VPN-1 Edge appliance using tools that support SNMP (Simple Network Management Protocol). You can enable users to do so via the Internet by configuring remote SNMP access.
The VPN-1 Edge appliance supports the following SNMP MIBs:
•...
The Community field and the Advanced link are enabled.
3. If you selected IP Address Range, enter the desired IP address range in the fields provided.
4. In the Community field, type the name of the SNMP community string.
SNMP clients use the SNMP community string as a password when connecting to the VPN-1 Edge appliance.
The SNMP Configuration page appears.
6. Complete the fields using the table below.
7. Click Apply.
The SNMP configuration is saved.
8. Configure the SNMP clients with the SNMP community string.
Table 81: Advanced SNMP Settings
In this field... Do this…...
SNMP Port: Type the port to use for SNMP. The default port is 161.
Setting the Time on the Appliance
You set the time displayed in the VPN-1 Edge Portal during initial appliance setup. If desired, you can change the date and time using the procedure below.
3. Complete the fields using the information in Set Time Wizard Fields on page 414.
4. Click Next.
The following things happen in the order below:
• If you selected Specify date and time, the Specify Date and Time dialog box appears.
• If you selected Use a Time Server, the Time Servers dialog box appears. Complete the fields using the information in Time Servers Fields on page 414, then click Next.
• The Date and Time Updated screen appears.
5.
Table 82: Set Time Wizard Fields
Select this option… To do the following…
Your computer's clock: Set the appliance time to your computer’s system time. Your computer’s system time is displayed to the right of this option.
Using Diagnostic Tools
The VPN-1 Edge appliance is equipped with a set of diagnostic tools that are useful for troubleshooting Internet connectivity.
Table 84: Diagnostic Tools
Use this tool… To do this… For information, see...
Ping: Check that a specific IP address or DNS name can be reached via the Internet. See Using IP Tools on page 416.
Using IP Tools
To use an IP tool
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. In the IP Tools drop-down list, select the desired tool.
3. In the Address field, type the IP address or DNS name for which to run the tool.
4.
• If you selected Traceroute, the following things happen:
The VPN-1 Edge appliance connects to the specified IP address or DNS name. The IP Tools window opens and displays a list of routers used to make the connection.
Using Packet Sniffer
The VPN-1 Edge appliance includes the Packet Sniffer tool, which enables you to capture packets from any internal network or VPN-1 Edge port. This is useful for troubleshooting network problems and for collecting data about network behavior. The VPN-1 Edge appliance saves the captured packets to a file on your computer.
The Packet Sniffer window displays the name of the interface, the number of packets collected, and the percentage of storage space remaining on the appliance for storing the packets.
5. Click Stop to stop collecting packets.
A standard File Download dialog box appears.
6.
Filter String: Type the filter string to use for filtering the captured packets. Only packets that match the filter condition will be saved. For a list of basic filter string elements, see Filter String Syntax on page 421.
Filter String Syntax
The following represents a list of basic filter string elements:
• and on page 421
• dst on page 422
• dst port on page 422
• ether proto on page 423
• host on page 424
•...
PARAMETERS
element: String. A filter string element.
EXAMPLE
The following filter string saves packets that both originate from IP address 192.168.10.1 and are destined for port 80:
src 192.168.10.1 and dst port 80
dst
PURPOSE
The dst element captures all packets with a specific destination.
SYNTAX
dst destination
PARAMETERS...
Note: This element can be prepended by tcp or udp. For information, see tcp on page 427 and udp on page 428.
PARAMETERS
port: Integer. The port to which the packet is sent.
EXAMPLE
The following filter string saves packets that are destined for port 80:
dst port 80
ether proto
PURPOSE...
host
PURPOSE
The host element captures all incoming and outgoing packets for a specific host computer.
SYNTAX
host host
PARAMETERS
host: IP Address or String. The computer to/from which the packet is sent. This can be the following:
• An IP address
•...
EXAMPLE
The following filter string saves packets that are not destined for port 80:
not dst port 80
or
PURPOSE
The or element is used to alternate between filter string elements. The filtered packets must match at least one of the filter string elements.
SYNTAX
element or element [or element...]
element || element [|| element...]...
PARAMETERS
port: Integer. The port from/to which the packet is sent.
EXAMPLE
The following filter string saves all packets that either originated from port 80, or are destined for port 80:
port 80
src
PURPOSE
The src element captures all packets with a specific source.
SYNTAX
src source
PARAMETERS...
Note: This element can be prepended by tcp or udp. For information, see tcp on page 427 and udp on page 428.
PARAMETERS
port: Integer. The port to which the packet is sent.
EXAMPLE
The following filter string saves packets that originated from port 80:
src port 80
tcp
PURPOSE
The tcp element captures all TCP packets.
EXAMPLE
The following filter string captures all TCP packets:
tcp
EXAMPLE
The following filter string captures all TCP packets destined for port 80:
tcp dst port 80
udp
PURPOSE
The udp element captures all UDP packets. This element can be prepended to port-related elements.
EXAMPLE
The following filter string captures all UDP packets destined for port 80:
udp dst port 80
Backing Up the VPN-1 Edge Appliance Configuration
You can export the VPN-1 Edge appliance configuration to a *.cfg file, and use this file to back up and restore VPN-1 Edge appliance settings, as needed.
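The filter string elements documented in the Filter String Syntax section above (src, dst, host, port, src/dst port, tcp, udp, and, or/||, not) can be exercised offline with the following evaluator, an added example that is not Check Point's code and not the appliance's own filter engine. It parses a filter string into a predicate and applies it to a constructed sample capture; the Packet structure, the sample addresses and ports, and the tcpdump-style precedence (not binds tightest, then and, then or) are assumptions of the example.

```python
# Evaluator for the Packet Sniffer filter string syntax documented above.
# Constructed example, not Check Point's code: it parses the documented elements
# (src, dst, host, port, src/dst port, tcp, udp, and, or/||, not) into a
# predicate and applies it to constructed sample packets.
from typing import List, NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    sport: int
    dport: int

class FilterParser:
    """Recursive-descent parser; precedence is not > and > or, as in tcpdump (assumed)."""

    def __init__(self, text: str):
        self.tokens = text.replace("||", " or ").split()  # "||" is a synonym for "or"
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter string")
        self.pos += 1
        return tok

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            inner = self.parse_not()
            return lambda p: not inner(p)
        return self.parse_element()

    def parse_element(self):
        tok = self.take()
        if tok in ("tcp", "udp"):
            # tcp/udp stand alone or are prepended to a port-related element
            if self.peek() in ("port", "src", "dst"):
                inner = self.parse_element()
                return lambda p: p.proto == tok and inner(p)
            return lambda p: p.proto == tok
        if tok == "port":
            n = int(self.take())  # ValueError if the port is not an integer
            return lambda p: n in (p.sport, p.dport)
        if tok in ("src", "dst") and self.peek() == "port":
            self.take()
            n = int(self.take())
            return (lambda p: p.sport == n) if tok == "src" else (lambda p: p.dport == n)
        if tok in ("src", "dst", "host"):
            addr = self.take()
            if tok == "host":
                return lambda p: addr in (p.src, p.dst)
            return lambda p: getattr(p, tok) == addr
        raise ValueError(f"unknown filter element: {tok!r}")

def apply_filter(text: str, packets: List[Packet]) -> List[Packet]:
    # Return only the packets the sniffer would save under this filter string
    parser = FilterParser(text)
    keep = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token: {parser.peek()!r}")
    return [p for p in packets if keep(p)]

# Constructed sample capture; addresses and ports are illustrative only.
SAMPLE = [
    Packet("192.168.10.1", "10.0.0.5", "tcp", 40001, 80),
    Packet("192.168.10.2", "10.0.0.5", "tcp", 40002, 443),
    Packet("10.0.0.5", "192.168.10.1", "tcp", 80, 40001),
    Packet("192.168.10.1", "10.0.0.9", "udp", 5353, 80),
]
```

For instance, apply_filter("src 192.168.10.1 and dst port 80", SAMPLE) keeps the first and last sample packets, while "not dst port 80" keeps the other two.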
4. Browse to a destination directory of your choice.
5. Type a name for the configuration file and click Save.
The *.cfg configuration file is created and saved to the specified directory.
Importing the VPN-1 Edge Appliance Configuration
In order to restore your VPN-1 Edge appliance’s configuration from a configuration file, you must import the file.
3. Do one of the following:
• In the Import Settings field, type the full path to the configuration file.
• Click Browse, and browse to the configuration file.
4. Click Upload.
A confirmation message appears.
5.
Resetting the VPN-1 Edge Appliance to Defaults
You can reset the VPN-1 Edge appliance to its default settings. When you reset your VPN-1 Edge appliance, it reverts to the state it was originally in when you purchased it.
A confirmation message appears.
3. To revert to the firmware version that shipped with the appliance, select the check box.
4. Click OK.
• The Please Wait screen appears.
• The VPN-1 Edge appliance returns to its factory defaults.
•...
To reset the VPN-1 Edge appliance to factory defaults using the Reset button
1. Make sure the VPN-1 Edge appliance is powered on.
2. Using a pointed object, press the RESET button on the back of the VPN-1 Edge appliance steadily for seven seconds and then release it.
Running Diagnostics
You can view technical information about your VPN-1 Edge appliance’s hardware, firmware, license, network status, and Service Center. This information is useful for troubleshooting. You can export it to an *.html file and send it to technical support.
To view diagnostic information
1.
Rebooting the VPN-1 Edge Appliance
If your VPN-1 Edge appliance is not functioning properly, rebooting it may solve the problem.
To reboot the VPN-1 Edge appliance
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
Chapter 15: Using Network Printers
This chapter describes how to set up and use network printers.
This chapter includes the following topics:
Overview ....................437
Setting Up Network Printers..............438
Configuring Computers to Use Network Printers........439
Viewing Network Printers ................449
Changing Network Printer Ports...............449
Resetting Network Printers...............450
Overview
The VPN-1 Edge W series includes a built-in print server, enabling you to connect...
Setting Up Network Printers
To set up a network printer
1. Connect the network printer to the VPN-1 Edge appliance. See Network Installation on page 37.
2. Turn the printer on.
3. In the VPN-1 Edge Portal, click Setup in the main menu, and click the Printers tab.
The port number appears in the Printer Server TCP Port field. You will need this number later, when configuring computers to use the network printer.
6. To change the port number, do the following:
a.
Configuring Computers to Use Network Printers
2. Click Start > Settings > Control Panel.
The Control Panel window opens.
3. Click Printers and Faxes.
The Printers and Faxes window opens.
4. Right-click in the window, and click Add Printer in the popup menu.
The Add Printer Wizard opens with the Welcome dialog box displayed.
Note: Do not select the Automatically detect and install my Plug and Play printer check box.
7. Click Next.
The Select a Printer Port dialog box appears.
8. Click Create a new port.
9. In the Type of port drop-down list, select Standard TCP/IP Port.
10.
The Add Port dialog box appears.
12. In the Printer Name or IP Address field, type the VPN-1 Edge appliance's LAN IP address, or "my.firewall".
You can find the LAN IP address in the VPN-1 Edge Portal, under Network > My Network.
The Configure Standard TCP/IP Port Monitor dialog box opens.
16. In the Port Number field, type the printer's port number, as shown in the Printers page.
17. In the Protocol area, make sure that Raw is selected.
18.
The Add Printer Wizard reappears, with the Install Printer Software dialog box displayed.
21. Do one of the following:
• Use the lists to select the printer's manufacturer and model.
• If your printer does not appear in the lists, insert the CD that came with your printer in the computer's CD-ROM drive, and click Have Disk.
The port's name is IP_<LAN IP address>.
26. Click OK.
Mac OS X
This procedure is relevant for computers with the latest version of the Mac OS X operating system.
Note: This procedure may not apply to earlier Mac OS X versions.
To configure a computer to use a network printer
1.
The System Preferences window appears.
3. Click Show All to display all categories.
4. In the Hardware area, click Print & Fax.
The Print & Fax window appears.
5. In the Printing tab, click Set Up Printers.
The Printer List window appears.
6. Click Add.
New fields appear.
7. In the first drop-down list, select IP Printing.
8. In the Printer Type drop-down list, select Socket/HP Jet Direct.
9. In the Printer Address field, type the VPN-1 Edge appliance's LAN IP address, or "my.firewall".
11. In the Printer Model list, select the desired printer type.
A list of models appears.
12. In the Model Name list, select the desired model.
13. Click Add.
The new printer appears in the Printer List window.
14.
Viewing Network Printers
To view network printers
1. Click Setup in the main menu, and click the Printers tab.
The Printers page appears, displaying a list of connected printers. For each printer, the model, serial number, port, and status are displayed.
A printer can have the following statuses:
•...
computers. To do this, you must change the replacement printer's port number to the malfunctioning printer's port number, as described below.
Note: Each printer port number must be different, and must be a high port.
To change a printer's port
1.
Chapter 16: Troubleshooting
This chapter provides solutions to common problems you may encounter while using the VPN-1 Edge appliance.
Note: For information on troubleshooting wireless connectivity, see Troubleshooting Wireless Connectivity on page 185.
This chapter includes the following topics:
Connectivity ....................
Connectivity
I cannot access the Internet. What should I do?
• Check if the PWR/SEC LED is green. If not, check the power connection to the VPN-1 Edge appliance.
• Check if the WAN LINK/ACT LED is green. If not, check the network cable to the modem and make sure the modem is turned on.
• If you connect to your ISP using a PPPoE or PPTP dialer defined in your operating system, your equipment is most likely configured as a DSL bridge. Configure a PPPoE or PPTP type DSL connection.
• If you were not instructed to configure a dialer in your operating system, your equipment is most likely configured as a DSL router.
• Check your TCP/IP configuration according to Installing and Setting up the VPN-1 Edge Appliance on page 17.
• Restart your VPN-1 Edge appliance and your broadband modem by disconnecting the power and reconnecting after 5 seconds.
• If your Web browser is configured to use an HTTP proxy to access the Internet, add "my.firewall"...
• Consider whether you really need the router. The VPN-1 Edge appliance can be used as a replacement for your router, unless you need it for some additional functionality that it provides, such as Wireless access.
• If possible, disable NAT in the router. Refer to the router’s documentation for instructions on how to do this.
Service Center and Upgrades
I purchased an advanced VPN-1 Edge model, but I only have the functionality of a simpler VPN-1 Edge model. What should I do?
You have not installed your product key. For further information, see Upgrading Your Software Product on page 393.
Other Problems
I have forgotten my password. What should I do?
Reset your VPN-1 Edge appliance to factory defaults using the Reset button as detailed in Resetting the VPN-1 Edge Appliance to Defaults on page 432.
Why are the date and time displayed incorrectly?
You can adjust the time on the Setup page's Tools tab.
Chapter 17: Specifications
This chapter includes the following topics:
Technical Specifications................459
CE Declaration of Conformity..............462
Federal Communications Commission Radio Frequency Interference Statement ....................464
Technical Specifications
Table 86: VPN-1 Edge Appliance Attributes
Attribute / VPN-1 Edge X / VPN-1 Edge W
General
Dimensions...
Power supply nominal output voltage: VPN-1 Edge X: All Models: 9VAC, 1.5A; VPN-1 Edge W: All Models: 5VDC, 3A
Max. Power Consumption: VPN-1 Edge X: 7.5W; VPN-1 Edge W: 8W (1.6A w/o external USB devices), 13W (2.6A w USB devices)
Retail box dimensions (width x height x depth): VPN-1 Edge X: 31 x 10 x 16 cm; VPN-1 Edge W: 29 x 25 x 7.6 cm
CE Declaration of Conformity
SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, hereby declares that this equipment is in conformity with the essential requirements specified in Article 3.1 (a) and 3.1 (b) of:
• Directive 89/336/EEC (EMC Directive)
•...
Attribute / VPN-1 Edge X / VPN-1 Edge W
VPN-1 Edge X: EN 61000-4-8:1993, EN 61000-4-11:1994, ENV50204:1995
VPN-1 Edge W: EN 61000-4-2:1995, EN 61000-4-3:1996/A2:2001, EN 61000-4-4:1995, EN 61000-4-5:1995, EN 61000-4-6:1996, EN 61000-4-7:1993, EN 61000-4-8:1993, EN 61000-4-9:1993, EN 61000-4-10:1993, EN 61000-4-11:1994, EN 61000-4-12:1995
Safety: VPN-1 Edge X: EN 60950: 2000, IEC 60950:1999; VPN-1 Edge W: EN 60950: 2000, IEC 60950:1999...
Federal Communications Commission Radio Frequency Interference Statement
This equipment complies with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
Glossary of Terms
ADSL Modem
A device connecting a computer to the Internet via an existing phone line. ADSL (Asymmetric Digital Subscriber Line) modems offer a
network. Cable modems offer a high-speed 'always-on' connection.
Certificate Authority
The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers.
Domain Name System
Domain Name System. The Domain Name System (DNS) refers to the Internet domain names, or easy-to-remember "handles", that are then translated into IP addresses.
anyone knowing about it. Sometimes, tiny programs are 'planted' on the computer that are designed to watch out for, seize and then transmit to another computer,
other ways intentionally breaches computer security. The end result is that whatever resides on the computer can be viewed and sensitive data can be stolen without anyone knowing about it.
receiving data packets across the Internet. When you request an HTML page or send e-mail, the Internet Protocol part of TCP/IP includes your IP address in the
IPSEC
IPSEC is the leading Virtual Private Networking (VPN) standard. IPSEC enables individuals or offices to establish secure communication channels ('tunnels') over the Internet.
The Maximum Transmission Unit (MTU) is a parameter that determines the largest datagram that can be transmitted by an IP interface
NetBIOS
NetBIOS is the networking protocol used by DOS and Windows machines.
Packet
PPTP
The Point-to-Point Tunneling Protocol (PPTP) allows extending a local network by establishing private “tunnels” over the Internet. This protocol is also used by some DSL providers as an alternative for PPPoE.
level of security by examining every layer within a packet, unlike other systems of inspection. Stateful Inspection extracts information required for security decisions from all application layers and retains this...
divides the file into one or more packets, numbers the packets, and then forwards them individually to the IP program layer. Although each packet has the same destination IP
TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. UDP is often used for applications such as streaming data.
A URL (Uniform Resource Locator) is the address of a file (resource) accessible on the Internet.