04 March 2024
QUANTUM SPARK 1500,
1600, 1800, 1900, 2000
APPLIANCES
R81.10.X
Locally Managed
Administration Guide

Summary of Contents for Quantum SPARK 1500

  • Page 1 04 March 2024 QUANTUM SPARK 1500, 1600, 1800, 1900, 2000 APPLIANCES R81.10.X Locally Managed Administration Guide...
  • Page 2 Check Point Copyright Notice © 2022 - 2024 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point.
  • Page 3 Download the latest version of this document in PDF format. Feedback Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments.       |      3 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Locally Managed Administration Guide...
  • Page 4 "Configuring High Availability" on page 193 "Configuring VPN Sites" on page 340 15 February 2023 Updated "Configuring the Remote Access Blade" on page 309 24 January 2023 First release of this document
  • Page 5: Table Of Contents

    Configuration and Upgrade Scenarios Configuring Cloud Services Configuring a Guest Network Introduction to the WebUI The Home Tab Viewing System Information Controlling and Monitoring Software Blades
  • Page 6 IPv4 Connection Types IPv6 Connection Types IPv6 configuration Other configuration types Cellular Connections Monitoring Configuring the Wireless Network Dynamic Frequency Selection (DFS) Cloning a VAP Additional Configurations
  • Page 7 Configuring the Proxy Server Backup, Restore, Upgrade, and Other System Operations Using the Software Upgrade Wizard Welcome Upload Software Upgrade Settings Upgrading Backing up the System
  • Page 8 Route Redistribution Routing Options Routing Monitor Configuring the Routing Table Background Routing Table Columns Limitations Adding a Specific IPv4 Static Route Adding a Default IPv4 Static Route
  • Page 9 Configuring the Attribute Values Restoring Default Values Clarifications Changes Between Versions Managing the Access Policy Configuring the Firewall Access Policy and Blade Firewall Policy Application & URL Filtering Updates
  • Page 10 Smart Accel Configuring Smart Accel in R81.10.05 and higher Smart Accel for Services Smart Accel for Assets Configuring Smart Accel in R81.10.00 Getting Started Monitoring Configuring
  • Page 11 Enabling and Disabling Threat Prevention Enabling Threat Emulation Policy for the FTP Protocol Configuring a Custom Policy for Threat Prevention Scheduling Threat Prevention Updates Configuring Threat Prevention Policy Exceptions
  • Page 12 L2TP VPN Client configuration Configuring Site to Site VPN with a Preshared Secret Introduction Prerequisites Configuration Monitoring Configuring Site to Site VPN with a Certificate Introduction Prerequisites Configuration
  • Page 13 Configuring the IKE ID Type for the IKEv2 Main Mode (MM) Negotiation with 3rd-party VPN Peers Tunnel Health Monitoring Managing Trusted CAs Managing Installed Certificates Managing Internal Certificates Managing Users and Objects
  • Page 14 Managing Network Object Groups Logs and Monitoring Viewing Security Logs Viewing System Logs Configuring External Log Servers External Check Point Log Server Syslog Server Configuration Secured Syslog
  • Page 15 SNMP Traps for Hardware Sensors Advanced Configuration Upgrade Using a USB Drive Upgrade Using an SD Card Boot Loader Upgrade Using Boot Loader Restoring Factory Defaults Custom Default Image
  • Page 16 Configuring Bypass mode in Gaia Clish RESTful API Enabling and disabling the REST API Request Structure Response Structure Versioning REST API Commands (1) Login (2) Logout (3) Generate-Report (4) Run-Clish-Command
  • Page 17: Overview Of Quantum Spark 1500, 1600, 1800, 1900 And 2000 Appliance Series

    Policy Based Routing, and DDNS support. Quick deployment with USB is supported for all appliances, and with SD card and Dual SIM card for the 1570 / 1590 appliances. This guide describes all aspects that apply to the Quantum Spark 1530 / 1550, 1570R, and 1570 / 1590 Appliances.
  • Page 18: 1600 And 1800 Appliances

    The Quantum Spark 1600 / 1800 Security Appliances, part of the 1600 / 1800 Appliance family, deliver enterprise-grade security, run the R81.10 code base in an all-in-one security solution to protect Medium Business employees, network and data from cyber-theft.
  • Page 19 - Quantum Spark R81.10.X Known Limitations sk181134 - Quantum Spark R81.10.X Resolved Issues Small Business Cyber Security video channel Note - Some topics only apply to specific appliances or models.
  • Page 20: Getting Started With 1500, 1600, And 1800 Appliance Series

    4. Configure the required users and objects. "Managing Users and Objects" on page 364 5. Configure required appliance settings. "Managing the Device" on page 74 6. Configure and install the required Security Policies.
  • Page 21 8. Configure other required settings, such as: VPN (see "Configuring VPN" on page 303 "Managing VPN" on page 302 "Configuring High Availability" on page 193 Clusters (see "Configuring QoS" on page 262 QoS (see
  • Page 22: Setting Up The Quantum Spark Appliance

    To set up the Quantum Spark 1530 / 1550, 1570 / 1590, 1570R, 1600, and 1800 Appliance: 1. Remove the Quantum Spark Appliance from the shipping carton and place it on a tabletop.
  • Page 23: Using Default Wifi

    Note - If you were connected to WiFi: After the One Touch script finishes running, the WiFi network you were connected to is deleted. As a result, you are disconnected from the appliance.
  • Page 24: First Time Deployment Options

    "Zero Touch Cloud Service" on page 25 "Deploying from a USB Drive or SD Card" on page 27 Note - SD card deployment is supported only in 1570 / 1590 appliances.
  • Page 25: Zero Touch Cloud Service

    When you reconnect to the WebUI or click Refresh, the browser opens to show the status of the installation process. After the gateway downloads and successfully applies the settings, it does not connect to the Zero Touch server again.
  • Page 26 Zero Touch Cloud Service R80.20 ZeroTouch For more information on how to use Zero Touch, see sk116375 and the Web Portal Administration Guide
  • Page 27: Deploying From A Usb Drive Or Sd Card

    You can deploy the Quantum Spark Appliance configuration files from a USB drive or SD card (1570 / 1590, 1600 / 1800 appliances only) and quickly configure many appliances without using the First Time Configuration Wizard.
  • Page 28: Preparing The Configuration Files

    If there is a configuration file with the same MAC address as the gateway, that file is loaded second. Use the # symbol to add comments to the configuration file.
  • Page 29: Deploying The Configuration File - Initial Configuration

    This section describes how to deploy a configuration file on a USB drive to Quantum Spark Appliance. You must configure and format the file correctly before you deploy it. You can insert the USB drive in the front or rear USB port.
  • Page 30: Deploying The Configuration File - Existing Configuration

    Note - The USB LED is red when there is a problem running the configuration script. Turn off the appliance and confirm that the configuration files are formatted correctly. Viewing Configuration Logs After the Quantum Spark Appliance is successfully configured from a USB drive, a log is created. The log file is called: autonconf.<MAC Address>.<timestamp>.<log>...
  • Page 31: Troubleshooting Configuration Files

    This section discusses the scenario where the configuration file fails and the Quantum Spark Appliance is not fully configured. Configuration File Error If there is an error and the configuration file fails, the appliance is not fully configured and is no longer in the initial default condition.
  • Page 32: Suggested Workflow - Configuration File Error

    USB drive. Use the set property USB_auto_configuration command when you run a configuration file script on a configured appliance. 1. The USB drive with the configuration file is inserted into a USB port on the Quantum Spark Appliance.
  • Page 33: Sample Configuration Log With Error

    The appliance only runs the next configuration script from a USB drive. set property USB_auto_configuration always The appliance always runs configuration scripts from a USB drive.
  • Page 34: Configuration And Upgrade Scenarios

    1. In the WebUI, go to the Home > Cloud Services page. 2. Follow the Connect to Cloud Services procedure in "Configuring Cloud Services" on page 43
  • Page 35: Configuring A Guest Network

    Note - You see the Hotspot portal one time in the given timeout period. The default timeout period is 4 hours. User activity on this network is logged with user names if the Log traffic option was selected.
  • Page 36: Introduction To The Webui

    The Quantum Spark Appliance uses a web application to configure the appliance. After you use the First Time Configuration Wizard (see the Quantum Spark Appliance Getting Started Guide ), when you connect to the appliance with a browser (with the appliance's IP or, if the appliance is used as a DNS proxy or DHCP server, to "http://my.firewall"), it...
  • Page 37: The Home Tab

    The Quantum Spark Appliance requires only minimal user input of basic configuration elements, such as IP addresses, routing information, and blade configuration. The initial configuration of the Quantum Spark Appliance can be done through a First Time Configuration Wizard. When initial configuration is completed, every entry that uses http://my.firewall shows the WebUI Home >...
  • Page 38 Help us improve product stability by getting critical updates from Check Point - Pushes critical updates outside of the regular update notification and upload schedule. Available starting from R81.10.08. Selecting these checkboxes is optional, but highly recommended.
  • Page 39: Controlling And Monitoring Software Blades

    If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.
  • Page 40 Click View demo to see an example of the statistics shown Click the X icon to close the demo. To view an alert: 1. Hover over the alert triangle. 2. Click the applicable link.
  • Page 41: Setting The Management Mode

    (for example, when in a lab setting). Click Next. 3. In the Security Management Server Connection page, select a connection method:
  • Page 42 Security Management Server. Internet To test connectivity, click Test Connection Status. A status message shows the results of the test. You can click Settings to configure Internet connections.
  • Page 43: Configuring Cloud Services

    At the bottom of the login page - The name defined by the Cloud Services Provider for your Security Gateway and the MAC address of the Quantum Spark Appliance. At the top of the WebUI application (near the search box) - The name of your Quantum Spark Appliance.
  • Page 44 Received an email from your Cloud Services Provider that contains an activation key for your appliance and also an activation link The Service Center IP address, the appliance gateway ID, and the registration key
  • Page 45 1. Connect to the command line on the appliance. 2. Log in to the Expert mode. 3. Run this command: runCliCommand.lua testcloudconnectivity [<IP Address or FQDN>]
  • Page 46 To get an updated security policy, activated blades, and service settings: Click Fetch now. The appliance gets the latest policy, activated blades, and service settings from Cloud Services.
  • Page 47: Managing Licenses

    To configure the proxy details: 1. Click Set proxy. 2. Select Use proxy server and enter the proxy server Address and Port. 3. Click Apply 4. Click Activate License.
  • Page 48 When the country and wireless region match, you see the full settings.
  • Page 49: Viewing The Site Map

    To filter: Enter text in the search filter. To view details of a security event: Click the event row in the table and click View Details.
  • Page 50 3. Click Apply Starting in R81.10.08, there are two new notification types: This page is available from the Home and Logs & Monitoring page.
  • Page 51: Assets

    Name - Name of the device. The vendor icons appear next to the name. IP Address Interface Vendor Device Type For each asset, click one of these options: Refresh Actions
  • Page 52 Override (select Asset type and Vendor from the pulldown menu), Bypass (select the applicable checkboxes to bypass by Smart Accel and to bypass by SSL Inspection.
  • Page 53 IoT device. Override 5. Click the arrow to expand the Functions section. 6. Click the arrow to expand the Interface section.
  • Page 54: Managing Active Devices

    Interface - Name of the appliance interface, to which the device is connected. Blocking a Device Manually Click the device to select it and click Block.
  • Page 55: Toolbar Buttons

    Start/Stop Traffic Monitor - Gather upload and download packet rates for active devices. This operation may affect performance. To stop, click Stop Traffic Monitoring. Revoke Certificate - Revokes the certificate assigned to the device.
  • Page 56: Revoking The Hotspot Access

    6. Click Apply Note - You can also do this from the Users & Objects > Network Objects page. Click New, and then for Type, select Device.
  • Page 57: Viewing Monitoring Data

    The Monitoring page is divided into these sections: Network Security Troubleshooting To expand or collapse the sections, click the arrow icon in the section's title bar.
  • Page 58: Network

    Total traffic statistics - Next to the area graph you can see total traffic statistics for the last day or hour. Security Infected devices - Shows the number of: Infected devices Infected servers Recently active infected devices
  • Page 59: Troubleshooting

    Links to pages that can be useful for monitoring and troubleshooting purposes. Note - This page is available from the Home and Logs & Monitoring tabs.
  • Page 60: Viewing Reports

    AM. The generated time derives from the delta of the first applicable pair hour which is 02:00 and the added 2 hours. The total wait is 2 hours.
  • Page 61 The table of contents contains links to the network analysis, security analysis, and infected devices reports. Click a link to go directly to the selected section.
  • Page 62 Report Pages Each report page shows a detailed graph, table, and descriptions. Note - This page is available from the Home and Logs & Monitoring tabs.
  • Page 63: Using System Tools

    Click the names of column to sort the output. Show Routing R81.10.00 Opens a popup window that shows this information for Table each route: Source Destination Service Gateway Metric Interface Origin
  • Page 64 Opens a popup window that shows the result of the Services Ports Cloud Services Connectivity Test (the output of the Gaia Clish command "test cloud-connectivity").
  • Page 65 Opens a popup window, in which you can capture traffic that passes through appliance interfaces. Warning - When you use this tool, the CPU load increases. Schedule a maintenance window.
  • Page 66 Using System Tools Available Action Description From
  • Page 67 The appliance captures traffic only on interfaces with a configured IP address. The packet capture stops automatically if the WebUI session ends. Procedure:
  • Page 68 Click Save to download the file. b. Your web browser saves this file (fw_monitor.log) in the default download folder.
  • Page 69 Note - If you entered a "grep" filter, then the saved file contains only the relevant lines you see on the screen. a. Click Save to download the file.
  • Page 70 Using System Tools Available Action Description From b. Your web browser saves this file (fw_ctl_zdebug_drop.log) in the default download folder.
  • Page 71 Site to Site VPN connection to / from this appliance. 6. Click the Stop Debugging button. 7. Click Download File to download the archive with the required log files.
  • Page 72 Opens a popup window that shows the result of the DNS lookup for the specified IP address / hostname (the output of the Gaia Clish command "nslookup").
  • Page 73 When the mini-USB is used as a console connector, Windows OS does not automatically detect and download the driver needed for serial communication. You must manually install the driver. For more information, see sk182035.
  • Page 74: Managing The Device

    3. Configure an Internet connection. a. Click New or Add an IPv4 Internet connection. The New Internet Connection window opens. b. Configure the required setting on the Configuration tab:
  • Page 75 Internet connections supplied by ISPs are unreliable and experience multiple disconnections, you can connect your appliances to multiple Internet connections from different ISPs.
  • Page 76 Based on the selected connection type, additional fields may appear. Connection Type Additional Fields DHCP None VXLAN Peer address Destination port Internet connection Static IP IP address Subnet mask Default gateway
  • Page 77 ARP requests (pinging) to the default gateway and expecting responses. Important - If you use Dynamic Routing, you must clear this option to prevent probing of the default gateway.
  • Page 78 Configures how this Internet connection (PPTP or L2TP) gets its WAN IP address - automatically or uses the configured IP address, Subnet mask, and Default gateway.
  • Page 79 You cannot apply an MTU on: Interfaces assigned to switches or bonds. Bridges - Configure the MTU separately for each of their children. Aliases Virtual Access Points
  • Page 80 Dashboard page > in the QoS section, move the slider to the right position (enabled green). Enable QoS (download) Enables and configures the restriction for the inbound traffic (download on the internal networks behind the appliance).
  • Page 81 The appliance uses an Internet connection with a lower priority only if an Internet connection with a higher priority failed. Load Balancing > Weight Configures how to share the traffic between the Internet connections.
  • Page 82 In the DHCP Settings section, configure the applicable settings. Configuration Hostname via DHCP Controls whether the appliance gets its hostname from your DHCP server.
  • Page 83 For example, Cellular networks have a plan, and if you exceed your limit it can be costly. In the MPLS network, you pay per use. 4. Click Save.
  • Page 84: Ipv4 Connection Types

    Cellular Modem - Connect to the Internet with a cellular modem to the ISP through a 3G or 4G network. For this option, select the USB/Serial option in the Interface name.
  • Page 85: Ipv6 Connection Types

    The New Internet Connection window opens in the Configuration tab. 2. For Interface, select DMZ. For a DSL over DMZ Connection, select SFP-DSL. For a non-DSL connection, select RJ45/SFP-Fiber. 3. Click Save.
  • Page 86: Ipv6 Configuration

    Addresses are provided via Stateless Address Auto Configuration, according to SLAAC rules. The prefix and subnet are provided. DHCPv6 Address range is set according to the prefix and subnet.
  • Page 87 7. Expand the NAT Settings section and select the Do not hide internal networks behind this Internet connection checkbox. 8. Make sure Prefix Delegation is disabled:
  • Page 88 Static IP - WAN, DMZ or unassigned LAN port. The DS-Lite master WAN connection type must be one of these: Dynamic IPv6 Static IPv6 PPPoEv6 Bridge IPv6
  • Page 89 DS-Lite – The gateway address is non-globally-routable and automatically selected from the subnet 192.0.0.0/32. IPIP - The gateway address is globally-routable and you configure it manually.
  • Page 90 VNE is an added service that enables you to send an HTTP(S) request to your provider's server and update them that your IPv6 address changed. For Service name, select one of these:
  • Page 91 Configure the default MTU of the IPIP interface to 1460 (IPv4 default = 1500). The size of the IPv6 header is 40. 9. Click Apply.
  • Page 92: Other Configuration Types

    Layer2 - Based on the XOR of hardware MAC addresses. Layer2+3 - Based on the XOR of hardware MAC addresses and IP addresses. Layer3+4 - Based on the IP addresses and Ports. 9. Click Apply.
  • Page 93: Cellular Connections

    6. For Connection Type, select one of these values: IPv4 – Both SIMs are configured to IPv4 only IPv6 – Both SIMs are configured to IPv6 only
  • Page 94 7. Configure the required values. Format: [<SIM ID Number (MCC/MNC)>] apn=<STRING> carrier_package=<STRING> Example: [302220] apn=isp.telus.com carrier_package=TELUS 8. Save the changes in the file and exit Vi editor.
  • Page 95 Some carriers require the module to run a specific carrier configuration file, and may also request this for the certification process. In addition, the carrier configuration file ensures the use of carrier-specific parameters when you register with that carrier.
  • Page 96 PTM: Use connection as VLAN - Select this checkbox to add a virtual Internet interface. VLAN ID - Enter a VLAN ID between 1 and 4094.
  • Page 97: Monitoring

    On the Internet Connectivity page, click Connection monitoring... Procedure The Monitoring Servers table shows the configured connections: Connection - Name. For example, Internet1. Server Name IP address Packet Loss Failures       |      97 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Locally Managed Administration Guide...
  • Page 98 4. Under Advanced Probing Settings, use the default values or enter new ones for: Recovery time (in seconds) Max latency allowed (milliseconds) Probing frequency (seconds) Window size (pings) Failover pings (percent failures) 5. Click Apply.
  • Page 99 Click the Monitor cellular modem link to see this information in the Cellular Modem Monitoring window: Cellular radio Cellular modem Operator SIM cards - Which SIM is active, primary or disabled.
  • Page 100: Configuring The Wireless Network

    1530 / 1550 appliances only: The wireless client search options depend on the frequency that the appliance is set to. The Quantum Spark Appliance can be configured to only one frequency at a time and is set to 2.4 GHz by default. If you change the radio settings to 802.11 ac or 802.11 ac/n, the frequency automatically changes to 5 GHz.
  • Page 101 Hide the Network Name (SSID) - When selected, this wireless network name is not automatically shown to users scanning for wireless networks. Connecting to the wireless network can be done manually by adding the specified network name.
  • Page 102: Dynamic Frequency Selection (DFS)

    1. Double click the relevant VAP or select the VAP name and click Edit. The Edit window opens. Note - The wireless radio transmitter is the main VAP. 2. In the Configuration tab, select the Wireless Security:
  • Page 103: Additional Configurations

    1. For these fields, select options from the pull-down menu: Operation mode Channel width Channel Transmitter power 2. In the Advanced section, select the Guard Interval from the pull-down menu.
  • Page 104 IP address - IPv4 and IPv6 addresses Subnet mask - for IPv4 addresses Prefix length - for IPv6 addresses DHCPv4 Server Select one of the options:
  • Page 105 Note - In IPv4-only mode, this tab is called DHCPv4 Settings. The values for the DHCP options configured on this tab will be distributed by the DHCP server to the DHCP clients.
  • Page 106 You can optionally configure these additional parameters so they will be distributed to DHCP clients: Time servers Call manager TFTP server TFTP boot file X Window display manager
  • Page 107: Wireless Scheduler

    Level of interference from other Wi-Fi networks on the current Wi-Fi channel. Signal level for the Wi-Fi clients connected to this appliance.
  • Page 108 Please consult the following table regarding the individual clients connected to the appliance ExampleClient1 mac=XX:XX:XX:XX:XX:XX: rssi = 55, very good quality ExampleClient2 mac=XX:XX:XX:XX:XX:XX: rssi = 21, good quality
  • Page 109: Configuring The Local Network

    You can also use unassigned LAN ports to create an internet connection. In the table, these ports have the status Assigned to Internet.
  • Page 110 Physical interfaces - Shows cable connection status of each physical interface that is enabled. Otherwise, it shows disabled. Wireless networks - Shows if the wireless network is up or disabled.
  • Page 111: Reserved IP Address For Specific MAC

    3. Choose the IP address and Subnet mask the switch uses. 4. Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface.
  • Page 112: WAN As LAN

    BOND network. The WAN port (like the DMZ port), can only be used for a BOND network as part of an internet (external) network. The WAN as LAN feature is disabled by default.
  • Page 113: Monitor Mode

    1. Go to Device > Local Network. 2. Select an interface and double-click. The Edit window opens in the Configuration tab. 3. In the Assigned To drop-down menu, select Monitor Mode.
  • Page 114 3. To configure Monitor Mode with user-defined networks: add monitor-mode-network ipv4-address <IP Address> subnet-mask <Mask> set monitor-mode-configuration use-defined-networks true 4. To see user-defined Internal networks: show monitor-mode-network
  • Page 115 5. To disable Anti-Spoofing: set antispoofing advanced-settings global-activation false
  • Page 116: Mirror Port

    3. In the Port Mirroring section of the Advanced tab, select the checkbox Assign to mirror port. 4. In the Port field, select the mirror port from the drop-down menu.
  • Page 117: Physical Interfaces

    Relay - Enter the DHCP server IP address. Disabled Note - When you create a switch, you cannot remove the first interface inside unless you delete the switch.
  • Page 118: Bridge

    MTU size - Configure the Maximum Transmission Unit size for an interface. Note that in the Quantum Spark Appliance, the value is global for all physical LAN and DMZ ports. Disable auto negotiation - Select this option to manually configure the link speed of the interface.
  • Page 119 Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device. Relay - Enter the DHCP server IP address. Disabled
  • Page 120 [SWITCH] --- VLAN Trunk --- (LAN) [Appliance in Bridge Mode] (WAN) --- VLAN Trunk --- [ROUTER] Example physical topology after the change (configuring an interface with a dummy IP address):
  • Page 121 5. Select this attribute. 6. Click Edit. 7. Enter the same IP address you assigned to the dedicated interface (in our example, LAN4). 8. Click Apply
  • Page 122: VLANs

    LAN4:1 have different IP addresses, but are on the same network. LAN4:1 is the alias. You can also have an alias IP for VLAN and a switch.
  • Page 123: VPN Tunnel (VTI)

    The VPN tunnel and its properties are defined by the VPN community that contains the two gateways. You must define the VPN community and its member Security Gateways before you can create a VTI.
  • Page 124: Virtual Access Point (VAP)

    Select one of these options: Auto - Use the DNS configuration of the device. Use the following IP addresses - Enter the first, second and third DNS servers.
  • Page 125 You can optionally configure these additional parameters so they will be distributed to DHCP clients: Time servers Call manager TFTP server TFTP boot file X Window display manager Avaya IP phone Nortel IP phone Thomson IP phone Custom Options
  • Page 126: GRE

    Local address - The IP address assigned to the GRE interface (virtual). Remote address - The IP address of the peer on the GRE interface (virtual). 4. Click Apply.
  • Page 127: Bond

    Enter the Local IPv4 address and Subnet mask. c. Select if you want to Use hotspot when connecting to network. 5. For DHCPv4, click Enabled.
  • Page 128 7. If you selected 802.3ad or XOR as your operation mode, select the Hash policy from the dropdown menu (Layer2 or Layer3+4). 8. Click Apply To create a WAN BOND, see "Configuring Internet Connectivity" on page 74
  • Page 129: Configuring A Hotspot

    A hotspot is an area that offers a wireless local area network with Internet access, through a router connected to a link to an Internet service provider. Hotspot is automatically activated in the system.
  • Page 130 Define specified IP addresses, IP ranges or networks to exclude from the Hotspot. 1. Click Manage Exceptions. The Manage Hotspot Network Objects Exceptions window opens. 2. Select the objects to add as exceptions.
  • Page 131: User Authentication

    1. In Session timeout, enter the number of minutes that defines how long a user stays logged in to the session before it ends. 2. Click Apply
  • Page 132: Disabling The Hotspot

    3. Select Disabled. 4. Click Apply On the Active Devices page (available from the Home and Logs & Monitoring tabs), you can revoke Hotspot access for connected users.
  • Page 133: Configuring MAC Filtering

    4. Select Disable MAC filtering. To enable, clear this option. 5. Click Apply Note - MAC filtering is not supported on external, DMZ, and port bonding interfaces.
  • Page 134: 802.1X Authentication Protocol

    3. For Assigned to: select the LAN ID. 4. In the Advanced tab, select Activate 802.1x authentication. 5. Enter a time for Re-authentication frequency (in seconds). 6. Click Apply
  • Page 135 To reduce the number of logs, specify the value of the MAC Filtering settings - Log suspension attribute in seconds. To show all logs, set the value to "0". Note - Traffic dropped in the WiFi driver is not logged.
  • Page 136: Configuring The DNS Server

    Note - Syntax guidelines: The domain name must start and end with an alphanumeric character. The domain name can contain periods, hyphens, and alphanumeric characters. 4. Click Apply
  • Page 137: Configuring The Proxy Server

    Point update and license servers. 1. Select Use a proxy server. 2. Enter a Host name or IP address. 3. Enter a Port. 4. Click Apply
  • Page 138: Backup, Restore, Upgrade, And Other System Operations

    Note - This does not change the software image. Only the settings are restored to their default values (IP address 192.168.1.1, WebUI address https://192.168.1.1:4434, the username admin and the password admin).
  • Page 139 If the gateway is configured by Cloud Services, automatic firmware upgrades are locked. They can only be set by Cloud Services.
  • Page 140 To restore a backed up configuration: 1. Click Restore. The Restore Settings page appears. 2. Browse to the location of the backed up file. 3. Click Upload File.
  • Page 141: Using The Software Upgrade Wizard

    The backup contains the entire image, including the firmware, all system settings and the current security policy. When you click Next, the upgrade process starts.
  • Page 142: Upgrading

    1. In Device > System Operations > Backup and Restore System Settings, click Settings. The Periodic Backup Settings window opens. 2. Click Enable scheduled backups. 3. Configure the file storage destination:
  • Page 143 Monthly - Select day of month and time of day. Note - If a month does not include the selected day, the backup is executed on the last day of the month. 6. Click Apply
  • Page 144: Configuring Local And Remote System Administrators

    Authentication of those remotely defined administrators is done by the same RADIUS server. Note - This page is available from the Device and Users & Objects tabs.
  • Page 145: Administrator Roles

    If you continue the login process, the first administrator session ends automatically. The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows. Local Administrators
  • Page 146 Receive Security alert notifications by email or SMS. See "Notifications" on page 49 To reset your password on the Login page of the WebUI (see below).
  • Page 147 5. In the Confirm password field, enter the password again. 6. Click Next 7. A message on the screen confirms your password was successfully changed. 8. Click Next to proceed to the Login page.
  • Page 148: Remote Administrators

    Networking Admin Mobile Admin 7. To define groups, click Use specific RADIUS groups only and enter the RADIUS groups separated by a comma. 8. Click Apply
  • Page 149: Pairing A Mobile Device

    This generates a QR code to connect the Check Point WatchTower mobile application with the appliance for the first time. For more information about the mobile application, see the WatchTower App User Guide
  • Page 150: Configuring A RADIUS Server For Non-Local Quantum Spark Appliance Users

    Non-local users can be defined on a RADIUS server and not in the Quantum Spark Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions.
  • Page 151 Where <role> is the name of the administrator role that is defined in the WebUI. Administrator Role Value Super Admin adminRole Read only monitorrole Networking Admin networkingrole Mobile Admin mobilerole
  • Page 152 Where <role> is the name of the administrator role that is defined in the WebUI. Administrator Role Value Super Admin adminRole Read only monitorrole Networking Admin networkingrole Mobile Admin mobilerole
  • Page 153 To log in as a Super User: A user with super user permissions can use the Quantum Spark Appliance shell to do system-level operations, including working with the file system. 1. Connect to the Quantum Spark Appliance platform over SSH or serial console.
  • Page 154: Configuring Administrator Access

    To allow administrator access from specified IP addresses 1. Select the Specified IP addresses only option. 2. Click New. The IP Address Configuration page appears. 3. Select Type:
  • Page 155 5. Enter the IP address or click Get IP from My Computer. 6. Click Save. The IP address is added to the table. 7. Change the WEB Port (HTTPS) and/or SSH port if necessary.
  • Page 156: Two-Factor Authentication (2FA)

    Note - In R81.10.10, Two-Factor Authentication is not supported when RADIUS or TACACS is configured for administrator access. Important - When Two-Factor Authentication is enabled, it is always required for login.
  • Page 157 7. In the Authenticator app, add a new account in one of these ways: Scan the QR code you received in the email. Enter the one-time verification code you received in the email.
  • Page 158 4. Enter the verification code you received and click Next. 5. If you did not receive a code, click Resend code or Try another way to receive the code by another method.
  • Page 159 The new keys are sent to the email address of the selected administrator. Verify that you received the email and set the Authenticator app with the new secret key to allow login via the Authenticator app.
  • Page 160: Managing Device Details

    The list of uploaded certificates shows. 2. Select the desired certificate. Note - You cannot select the default VPN certificate. 3. Click Apply 4. Reload the page.
  • Page 161: Managing Date And Time

    1. From the Local Time Zone list, select the correct time zone option. 2. Select the Automatically adjust clock for daylight saving changes checkbox to enable automatic daylight saving changes. 3. Click Apply
  • Page 162: Configuring DDNS And Access Service

    NAT device or firewall, and cannot be reached directly. In addition, the feature makes it easier to access an appliance with a dynamically assigned IP address.
  • Page 163: Remote Access To The WebUI

    Shell Link - Use this URL in a browser to open an SSH connection to the appliance to use CLI commands. For example: https://mygateway-shell.smbrelay.checkpoint.com Enter the administrator credentials.
  • Page 164: Using System Tools

    Click the column names to sort the output. Show Routing Table - Available from R81.10.00 - Opens a popup window that shows this information for each route: Source Destination Service Gateway Metric Interface Origin
  • Page 165 Opens a popup window that shows the result of the Services Ports Cloud Services Connectivity Test (the output of the Gaia Clish command "test cloud-connectivity").
  • Page 166 Opens a popup window, in which you can capture traffic that passes through appliance interfaces. Warning - When you use this tool, the CPU load increases. Schedule a maintenance window.
  • Page 167 Configuring DDNS and Access Service Available Action Description From
  • Page 168 The appliance captures traffic only on interfaces with a configured IP address. The packet capture stops automatically if the WebUI session ends. Procedure:
  • Page 169 Click Save to download the file. b. Your web browser saves this file (fw_monitor.log) in the default download folder.
  • Page 170 Note - If you entered a "grep" filter, then the saved file contains only the relevant lines you see on the screen. a. Click Save to download the file.
  • Page 171 b. Your web browser saves this file (fw_ctl_zdebug_drop.log) in the default download folder.
  • Page 172 Site to Site VPN connection to / from this appliance. 6. Click the Stop Debugging button. 7. Click Download File to download the archive with the required log files.
  • Page 173 Opens a popup window that shows the result of the DNS lookup for the specified IP address / hostname (the output of the Gaia Clish command "nslookup").
  • Page 174 When the mini-USB is used as a console connector, Windows OS does not automatically detect and download the driver needed for serial communication. You must manually install the driver. For more information, see sk182035.
  • Page 175: Advanced Routing

    Dynamic Routing CLI Guide for 1500, 1600, 1800, 1900, 2000 Appliances OSPF Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.
  • Page 176: Inbound Route Filters

    For WebUI and Gaia Clish configuration instructions, see the Quantum Spark R81.10.X Dynamic Routing CLI Guide for 1500, 1600, 1800, 1900, 2000 Appliances
  • Page 177: Configuring The Routing Table

    (usually, to the default route). You cannot edit, delete, enable, and disable routes created by the operating system for directly attached networks or by dynamic routing protocols.
  • Page 178: Routing Table Columns

    Notes: You can configure this parameter only in Gaia Clish. Static routes have a constant rank of 60 (cannot be changed).
  • Page 179: Limitations

    Click the value Any. b. Select Specified IP Address. c. Configure the required IP Address. d. Configure the required Subnet Mask. e. Click OK. 5. In the Source column:
  • Page 180 In the bottom right corner, you can click New > Service, or Service group to create a custom service or a group of services. c. Click OK. 7. In the Next Hop column:
  • Page 181 10. Optional: In the Rank field, enter a value between 1 and 255 to define priority between routes with the same destination but for different routing protocols.
  • Page 182 Off - To disable the route probing (this is the default). On - To enable the route probing. Configure the applicable probing servers. For example: dns.google.com dns.cloudflare.com dns.opendns.com
  • Page 183: Adding A Default IPv4 Static Route

    Click Apply. Adding a Default IPv4 Static Route This procedure adds a default static route to send traffic from any source, to any destination, for any protocol.
  • Page 184 5. In the Source column: Leave the default value Any. 6. In the Service column: Leave the default value Any. 7. In the Next Hop column:
  • Page 185 10. Optional: In the Probing method field, select the applicable option: Off - route probing is disabled. On - route probing is enabled. Configure the applicable nexthop servers to probe. For example:
  • Page 186 12. Save the changes: In R81.10.10 and higher versions: Click Save. In R81.10.08 and lower versions: Click Apply.
  • Page 187: Editing An Existing Static Route

    2. In the Advanced Routing section, click the Routing Table page. 3. In the routing table, click the route. 4. Above the routing table, click Enable or Disable.
  • Page 188: Route Monitoring

    Latency 1.1.1.1 Active dns.google.com Each monitored route can have a maximum of 3 rows (one for each server). Route Status: Active (green) Inactive (red) Reconnecting (orange)
  • Page 189: Static Routes And SD-WAN

    You can upload a certificate signed by an intermediate CA or root CA. All intermediate and root CAs found in the P12 file are automatically uploaded to the trusted CAs list.
  • Page 190 If the new signing request is signed by the Internal CA and the Organization Name is not defined in the DN, the Internal CA automatically generates the Organization Name. To export the signing request: Click Export.
  • Page 191 To upload a P12 file: 1. Click Upload P12 Certificate. 2. Browse to the file. 3. Edit the Certificate name if necessary. 4. Enter the certificate password. 5. Click Apply
  • Page 192: Managing Internal Certificates

    3. The maximum value allowed is 20. 4. Click Apply Note - The internal VPN certificate expiration date cannot be later than the CA expiration date.
  • Page 193: Configuring High Availability

    Cluster Members. The cluster provides redundancy. In the Device view > Advanced section > High Availability page you can create a cluster of two appliances for high availability.
  • Page 194 Active Cluster Member. To log in to specific Cluster Member, you must connect to the physical IP address of that Cluster Member.
  • Page 195: Limitations

    If necessary, change network settings in the Device > Local Network page. Configuring a Cluster of Quantum Spark Appliances is not supported when an Internet connection is a Bond interface. Cluster requires Static IP addresses on the physical cluster interfaces.
  • Page 196: Prerequisites

    Configuration Wizard and remove the switch on both appliances. No additional configuration is required on the members. Best Practice - Designate the same LAN port for the Sync interface. The default Sync interface is LAN2/SYNC.
  • Page 197: Configuration Workflow

    Configure the required settings for the Sync interface (by default, LAN2). Important - The configuration on the secondary Cluster Member must match the configuration on the primary Cluster Member. iv. Click Next.
  • Page 198 From the left navigation panel, click Device. c. In the Advanced section, click the High Availability page. d. Click Configure Cluster. The New Cluster Wizard opens.
  • Page 199 In the section Secure Internal Communication, click Establish Trust. v. Click Finish. g. The secondary Cluster Member fetches the settings from the primary Cluster Member and applies them.
  • Page 200: Viewing Cluster Interfaces

    3. In the Advanced section, click the High Availability page. 4. The table List of Configured Interfaces shows information about the cluster interfaces: Column Description Name Name of the interface.
  • Page 201 Cluster Member. IP Address Cluster Virtual IP address configured on the interface. Member IP Address Physical IP address configured on the interface.
  • Page 202: Viewing The Cluster Status

    WebUI Home > System page for the active Cluster Member. 2. From the left navigation panel, click Device. 3. In the Advanced section, click the High Availability page. 4. Click View diagnostics.
  • Page 203: Failing Over Manually

    3. In the Advanced section, click the High Availability page. 4. Click Disable Manual Failover. A confirmation message shows. 5. Click Yes. The original primary Cluster Member is now the Active Cluster Member.
  • Page 204: Changing Network Configuration Of Cluster Members

    4. Click Reset Cluster Configuration. Important - This deletes all cluster configuration settings from both Cluster Members. You must run the New Cluster Wizard again to configure the cluster.
  • Page 205: Upgrading A Cluster Manually

    Connect to the WebUI on the Cluster Member: https://<IP Address of the High Availability>:4434 b. From the left navigation panel, click Device. c. In the Advanced section, click the High Availability page.
  • Page 206: Cluster Managed By Quantum Spark Portal

    Standby. Cluster Managed by Quantum Spark Portal Procedure You can configure a cluster in which both gateways are managed by Quantum Spark Portal. Make sure the gateways are connected to Quantum Spark Portal before you configure the cluster. A cluster supported by Quantum Spark Portal is very similar to a Locally Managed cluster.
  • Page 207: Advanced Settings

    1. Above the table with attributes, click Restore Defaults. The Confirm window opens. 2. Click Yes. 3. All appliance attributes are reset to the default settings.
  • Page 208: Clarifications

    OS advanced settings - Enable GPS R81.10.07 and higher OS advanced settings - Enable Jumbo Frames R81.10.07 and higher USB Modem Watchdog - Enabled by Default R81.10.05 and higher
  • Page 209 R81.10.05 and higher For more information on how to set up this connection, see the: Harmony Connect Administration Guide Harmony Connect for SMB Gateways Integration Guide
  • Page 210: Managing The Access Policy

    Managing the Access Policy This section describes how to set up and manage your Quantum Spark appliance Access Policy. Configuring the Firewall Access Policy and Blade In the Access Policy > Firewall Blade Control page you can set the default Access Policy control level, set the default applications and URLs to block and allow secure browsing, and configure User Awareness.
  • Page 211: Firewall Policy

    2. Select Block all outgoing services except the following. 3. Select which services to allow. 4. To allow all services, select Allow all outgoing services. 5. Click Apply
  • Page 212: Application & URL Filtering

    Rules that contain application groups with both predefined applications and URLs are enforced only for the URLs and custom applications. They are not enforced for the predefined applications. Applications are not updated through the automatic updates.
  • Page 213: Updates

    Not up to date - A new update package is ready to be downloaded but the scheduled hour for updates has not occurred yet. Updates are usually scheduled for off-peak hours (weekends or nights).
  • Page 214: User Awareness

    At any time, you can also click Active Directory servers to define an AD server that the gateway can work with. Creating an AD server is also available in the Edit settings wizard.
  • Page 215: Tracking

    The Check Point AppWiki link - The AppWiki is an easy to use tool that lets you search and filter the Application & URL Filtering Database.
  • Page 216: Working With The Firewall Access Policy

    In Standard mode, you can configure in various pages a more granular default policy: Traffic from specific sources into your organization can be blocked or accepted by default. This configuration can be found in each specific source's edit mode:
  • Page 217 Policy mode (Strict or Standard) as explained above. These rules are also influenced by other elements in the system. For example, when you add a server, a corresponding rule is added to the Incoming, internal and VPN traffic section.
  • Page 218 Comments you enter when you create a rule. generated Rules that the system automatically generates. You can click the rule object name link in the comment to open its configuration tab.
  • Page 219: Configuring Access Rules

    4. In the Write a comment field, enter optional text that describes the rule. This is shown as a comment below the rule in the Access Policy.
  • Page 220 To disable a manually defined rule that you have added to the rule base, select the rule and click Disable. To enable a manually defined rule that you previously disabled, select the rule and click Enable.
  • Page 221: Updatable Objects

    5. Select the Action and Log. 6. Optional - Enter a comment. 7. Optional - Apply limitations such as time or traffic limits. 8. Click Apply.
  • Page 222: Customizing Messages

    Ignore text (only for Ask) - This is the confirmation message for the Ask user message. Keep the default text or enter different text
  • Page 223 (Hotspot and captive portal used by User Awareness). Click Upload, browse to the logo file and click Apply. If necessary, you can revert to the default logo by clicking Use Default. 5. Click Apply
  • Page 224: Defining Firewall Servers

    Click Back to go to an earlier page of the wizard. Click Finish to complete the wizard. To create a new object: Click New. The New Server Wizard opens and shows Step1: Server Type.
  • Page 225 Enter the MAC address - This is required for IP reservation. When you create the object from the Active Devices page, the MAC address is detected automatically.
  • Page 226 Access Policy > Firewall Policy Rule Base. Note - This page is available from the Firewall and NAT sections on the Access Policy tab.
  • Page 227: Defining NAT Control

    Important - In most cases, if you turn off the hide NAT feature, you cause Internet connectivity issues. If your appliance is the gateway of your office to the Internet DO NOT set to off without consulting with networking experts.
  • Page 228 You can click the object name link to open the Access tab of the server's properties or click the Servers page link to go to the Firewall Servers page.
  • Page 229 Translated Destination - The network object or network group object that is the new destination to which the original destination is translated. Translated Service - The new service to which the original service is translated.
  • Page 230 Note - For Access Policy rules, you can only edit the tracking options for automatically generated rules. 1. Select a rule and click Edit. 2. Edit the fields as necessary. 3. Click Apply
  • Page 231 Note - You can only change the order of manually defined rules. 1. Select the rule to move. 2. Drag and drop it to the necessary position.
  • Page 232: SD-WAN

    SD-WAN Policy does not support Custom Applications. SD-WAN does not support Bond, Bridge, and Alias interfaces. SD-WAN does not support Internet Connections with IPv6 address configured.
  • Page 233: Getting Started With SD-WAN

    Configure at least two Internet connections a. Connect to the appliance WebUI. b. From the left tree, click Device. c. In the middle pane, expand the section Network and click Internet.
  • Page 234 You can also configure a new SD-WAN connection on the Access Policy > SD-WAN page. To navigate directly from the SD-WAN page to the Device > Internet page, click Manage and monitor links.
  • Page 235 The default is dns.opendns.com e. In the Probing interval field, enter the time between the probing packets (in milliseconds). The default is 1000 msec (1 sec).
  • Page 236 The best probing mode was: For "WAN": Packet Loss = 1, Latency = 1, Jitter = 1 For "DMZ": Packet Loss = 2, Latency = 2, Jitter = 2
  • Page 237 In the Jitter up to field, enter the maximum acceptable jitter in probing packets (in milliseconds). The default is 80 msec. j. Click Save. Configure the Smart SD-WAN Prioritization of ISP Links
  • Page 238 Local Breakout. See "Configuring User-Defined Steering Behavior Objects" on page 242 The appliance applies the rules in the order you put them in the policy.
  • Page 239 (Top Rule, Bottom Rule, Above Selected, Below Selected). You can edit, disable, and enable the rule after you create it.
  • Page 240 Click the applicable tab - Networks or Updatable objects. iii. Select the applicable objects. To select Updatable objects, click Import > select objects > click Save. iv. Click Select.
  • Page 241 Trends - Traffic over a specific time frame In the Real-time view, hover the mouse on each Internet connection to see the tooltip with additional data - latency, jitter, and packet loss.
  • Page 242: Predefined Steering Behavior Objects

    9. In the Thresholds section, configure the required criteria for the steering behavior. Available options Select Predefined and from the list, select the applicable category (each category has predefined thresholds).
  • Page 243 The appliance sends pings to all configured hosts in parallel and measures the ISP link quality based on jitter, latency, and packet loss. a. Enter the applicable destination IP address or hostname for the First host, Second host, Third host.
  • Page 244: Static Routes And SD-WAN

    3. Go to the right tab Advanced. 4. Expand the last section SD-WAN Settings. 5. Clear the option This Internet connection will be a part of SD-WAN.
  • Page 245: Advanced - Creating And Editing NAT Rules

    Translated Destination - The network object or network group object that is the new destination to which the original destination is translated. Translated Service - The new service to which the original service is translated.
  • Page 246 2. Edit the fields as necessary. 3. Click Apply To delete a rule: 1. Select a rule and click Delete. 2. Click Yes in the confirmation message.
  • Page 247 1. Select the rule to move. 2. Drag and drop it to the necessary position. Note - You can only change the order of manually defined rules.
  • Page 248: Inspecting VoIP Traffic

    TCP SIP connections (the "SIP_TCP" service). Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.
  • Page 249 Select the SIP UDP/TCP ports, which by default are 5060. All phones should be configured to use the configured ports. Click New to add a new SIP service. Click Remove to delete a service.
  • Page 250: Configuration

    IP addresses of the option address of the phones behind the SIP server gateway For more information, see "Working with the Firewall Access Policy" on page 216
  • Page 251: Smart Accel

    To disable Smart Accel for Services 1. Go to the Access Policy view > Firewall section > Smart Accel page. 2. In the section Smart Accel Services, click the On toggle.
  • Page 252: Smart Accel For Assets

    2. In the section Smart Accel Assets, click the Bypass by MAC link. 3. WebUI opens the Logs & Monitoring view > Status section > Active Devices page.
  • Page 253: Configuring Smart Accel In R81.10.00

    1. Go to the Access Policy view > Firewall section > Smart Accel page. 2. Click the Off toggle. 3. At the bottom of the page, click Apply.
  • Page 254: IoT

    Getting Started 1. Go to Access Policy > Firewall > IoT. 2. Move the IoT Protection slider to Enable. Optional: Click Advanced policy settings and follow these steps
  • Page 255: Monitoring

    The devices are grouped according to family. For each family, you can see the policy and drill down to see the vendors, domains, and other information. Click the Assets graph on the far right of the page and filter for type.
  • Page 256: Configuring

    If IoT is behind an Access Point (AP) or a Layer 3 device, configure it as a Layer 2 device. Otherwise, IoT policy is not applied on the hosts behind the Layer 3 device. IoT policy is not enforced on IPv6 traffic.
  • Page 257: Working With User Awareness

    User Awareness lets you configure the Quantum Spark Appliance to show user based logs instead of IP address based logs and enforce access control for individual users and user groups.
  • Page 258: Enabling User Awareness

    To add a new Active Directory Domain: 1. Select Active Directory Queries and click Configure. The Active Directory Queries window opens. 2. Select Define a new Active Directory server. 3. Enter:
  • Page 259: Browser-Based Authentication

    1. Under Policy Configuration, select Browser-Based Authentication and click Configure. 2. In the Identification tab, you can edit settings configured in the wizard if necessary. 3. In the Customization tab, select the relevant options:
  • Page 260: Identity Collector

    R81.10.05 and higher. To configure the Identity Collector 1. In the Policy Configuration section, select Identity Collector and click Configure. The Authorized Clients window opens.
  • Page 261 Identity Awareness Clients Administration Guide Note - This page is available from Access Policy > User Awareness Blade Control and Users & Objects > User Awareness.
  • Page 262: Configuring QoS

    "Configuring the QoS Blade" on page 263 Define manual rules for further granularity if necessary in Access Policy > QoS > Policy. See "Configuring the QoS Policy" on page 266
  • Page 263: Configuring The QoS Blade

    You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services.
  • Page 264: QoS Default Policy

    You can also configure these application limits in the: Access Policy view > Firewall section > Blade Control page. Access Policy view > Firewall section > Policy page.
  • Page 265 For information on creating a new service, see the Users & Objects view > Network Resources section > Services page. 5. Click Apply. 6. Click Apply.
  • Page 266: Configuring The QoS Policy

    The tracking and logging action that is done when traffic matches the rule. Comment An optional field that shows a comment if you entered one. For system generated rules of the default policy a Note is shown.
  • Page 267 For example, if you enter a weight of 100 for a service and set 50 for a different service, the first service is allocated two times the amount of bandwidth as the second when lines are congested.
  • Page 268 Note - For Access Policy rules, you can only edit the tracking options for automatically generated rules. 1. Select a rule and click Edit. 2. Edit the fields as necessary. 3. Click Apply
  • Page 269 1. Select the rule to move. 2. Drag and drop it to the necessary position. Note - You can only change the order of manually defined rules.
  • Page 270: SSL Inspection Policy

    If you do not have administrator credentials, connect from an internal or wireless network to http://my.firewall/ica or https://<IP_Address_of_Appliance>/ica. You must install this certificate on every client behind the gateway.
  • Page 271 IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation. 6. Click Apply
  • Page 272: SSL Inspection Bypass Policy

    In the section Tracking - Select to enable logs to see the SSL inspection policy decision ("Inspect" or "Bypass"). Note - The SSL Inspection generates these logs in addition to the Software Blades logs.
  • Page 273: HTTPS Categorization

    The Access Policy > Firewall Blade Control page opens. 3. Configure the settings for URL Filtering. Note - HTTPS categorization only applies when the URL Filtering blade is turned on.
  • Page 274 TCP/IP connection. IMAPS refers to IMAP over SSL. SSL traffic inspection must be activated to scan HTTP and IMAP encrypted traffic.
  • Page 275: SSL Inspection Exceptions

    2. Click New to create a new rule to bypass the source/destination. Note - Everything that is not included in a rule is inspected. 3. For each exception, enter: Source Destination Category/Custom Application Track
  • Page 276: SSL Inspection Advanced

    Note - You can only delete a CA that was added by a user. To disable/enable a trusted CA: 1. Click the icon next to the CA. 2. Click Disable/Enable.
  • Page 277: Managing Threat Prevention

    You configure all the settings for these blades in the same place and set a single profile for all of them. Enabling and Disabling Threat Prevention Move the slider to ON or OFF.
  • Page 278: Enabling Threat Emulation Policy For The FTP Protocol

    1. In the Threat Prevention Blade Control page, under Policy, select Custom. 2. For Tracking options, select one of these options: None – Do not log. Log – Create a log. Alert – Log with an alert.
  • Page 279 6. To load the policy default values, click Load default settings: Recommended Strict 7. To save all settings on the Threat Prevention Blade Control page, click Apply.
  • Page 280: Scheduling Threat Prevention Updates

    The Activate Automatic Updates window opens. 2. Select the Software Blades to receive automatic updates: Anti-Virus Anti-Bot Application Control 3. Select the Recurrence and Time of day. 4. Click Apply
  • Page 281: Configuring Threat Prevention Policy Exceptions

    Protection – In the Blades tab, select Any for all or for a specific blade. In the IPS protections tab, select a specific IPS protection from the list.
  • Page 282: Allowlists

    1. Select Email Addresses allowlist. 2. Click New. The Add Email Address window opens. 3. Enter the email address. 4. For Type, select Sender or Recipient. 5. Click Apply
  • Page 283: Threat Prevention - Horizon Soc

    4. Optional: In the Threat Prevention Policy section, select the attribute Allow IP address information in attack statistics. a. Click Edit. b. Select Allow IP address information in attack statistics. c. Click Apply
  • Page 284 3. Optional: Enable the real IP address information in the attack reports: set threat-prevention policy advanced-settings allow-ipaddr-in-stats true
  • Page 285: Viewing Infected Devices

    Incident type - Shows the detected incident type: Found bot activity Downloaded a malware Accessed a site known to contain malware Severity - Shows the severity of the malware:
  • Page 286 High and above severity only - Shows devices and servers that are infected or possibly infected with malware that has a severity classification of high or critical.
  • Page 287 1. In the Logs and Monitoring tab, select the list entry for which to view logs. 2. Click Logs. The Security Logs page opens and shows the logs applicable to the IP/MAC address.
  • Page 288: Viewing The IPS Protections List

    To configure the IPS policy, go to the Threat Prevention > Threat Prevention Blade Control page. You can see the details of each protection and also configure a manual override for the action and tracking options of individual protections.
  • Page 289: Advanced Threat Prevention Engine Settings

    IMAP - Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. It allows you to access your email from any device.
  • Page 290 Internet are inspected. 2. Select the protocols to scan for the selected scope: HTTP (on any port) Mail (SMTP, POP3 and IMAP
  • Page 291 (no override). See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types. URLs with malware - Protections related to URLs that are used for malware distribution and malware infection servers.
  • Page 292: Anti-Bot

    Check Point ThreatCloud reputation database. Unusual activity - Protections related to the behavioral patterns common to botnet and malware activity. To enable Detect-only mode: Select the checkbox.
  • Page 293: Threat Emulation

    To edit an action for a specified file type, right-click the row and click Edit. You can also click the file type so it is selected and then click Edit. The available actions are:
  • Page 294 To configure multiple remote emulators, you must use CLI commands. For more information on Threat Emulation, see the Threat Emulation video on the Small Business Security video channel To enable Detect-only mode: Select the checkbox.       |      294 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Locally Managed Administration Guide...
  • Page 295: User Messages

    User must enter a reason (only for Ask) - Select this checkbox if users must enter an explanation for their activity. The user message contains a text box to enter the reason.
  • Page 296 (Hotspot and captive portal used by User Awareness). Click Upload, browse to the logo file and click Apply. If necessary, you can revert to the default logo by clicking Use Default. 5. Click Apply
  • Page 297: Configuring The Anti-Spam Blade Control

    To configure Detect-only mode: In Detect-only mode, logs appear but the blade does not block any emails. 1. Select the Detect-only mode checkbox. 2. Click Apply
  • Page 298 Flag email subject with - The default is SUSPECTED SPAM or you can enter a new text to add to the subject line. Flag email header 3. Select a tracking option: Alert None 4. Click Apply
  • Page 299: Configuring Anti-Spam Exceptions

    Starting from R81.10.00, you can use RSA key authorization instead of password-based authentication when you log in with SSH. Warning - This configuration does not survive a firmware upgrade.
  • Page 300 2. Transfer the file with the public key in the OpenSSH format (in the above example - /home/admin/MyKey.pub ) to the Quantum Spark Appliance, to the /storage/ partition. 3. Connect to the command line on the Quantum Spark Appliance.
  • Page 301 In this line, change the value from "none" to the absolute path of the "authorized_keys" file with the public key: AuthorizedKeysFile /storage/.ssh/authorized_keys d. Save changes in the file and exit Vi editor. 10. Reboot the Quantum Spark Appliance.
  • Page 302: Managing Vpn

    Managing VPN This section describes how to set up and manage Remote Access and Site to Site VPN.
  • Page 303: Configuring Vpn

    For the Check Point VPN client or Mobile client method, make sure that the applicable client is installed on the hosts. Click How to connect for more information.
  • Page 304: Remote Access Configuration

    1. Go to VPN > Authentication Servers and click New to add an AD domain. See "Configuring Remote Access Authentication Servers" on page 328. 2. Click permissions for Active Directory users to set access permissions.
  • Page 305: L2Tp Vpn Client Configuration

    1. Send traffic between the local and peer gateway. 2. Go to VPN > VPN Tunnels to monitor the tunnel status. See "Viewing VPN Tunnels" on page 350.
  • Page 306: Configuring Site To Site Vpn With A Certificate

    Click Add to add the Trusted CA of the peer gateway. This makes sure the CA is uploaded on both the local and peer gateways. See "Managing Trusted CAs" on page 357. Sign a request using one of the gateway's CAs:
  • Page 307 "Managing Installed Certificates" on page 189 2. Make sure that the 3rd party CA is installed on both of the gateways. Use the Add option in "Managing Trusted CAs" on page 357
  • Page 308: Monitoring Vpn

    1. Pass traffic between the local and peer gateway. 2. Go to VPN > VPN Tunnels to monitor the tunnel status. "Viewing VPN Tunnels" on page 350
  • Page 309: Configuring The Remote Access Blade

    "Configuring DDNS and Access Service" on page 162 To configure the static IP address, see "Configuring Internet Connectivity" on page 74 Note - Remote Access VPN supports connections from IPv4 addresses only.
  • Page 310: Getting Started With Vpn Remote Access

    Configuring VPN Getting Started with VPN Remote Access
  • Page 311 Configuring VPN Enable the VPN Remote Access Blade
  • Page 312 Go to VPN > Remote Access > Blade Control. b. Select On. c. Mandatory: Select Allow traffic from Remote Access users. d. Optional: Select Log traffic from Remote Access users.
  • Page 313 If a customer uses a public SMS server, the administrator must provide the username and password for the SMTP server and a Dynamic URL that contains the API of the external service provider.
  • Page 314 On the VPN > Remote Access > Blade Control page, select Require users to confirm their identity using Two-Factor Authentication. ii. Click configure. The Two-Factor Authentication Settings window opens.
  • Page 315 The one-time password (OTP) appears. Note - The OTP expires after 30 seconds. v. On your computer, connect to the VPN. Enter your username and password.
  • Page 316 When you turn on Two-Factor Authentication, you enable it for all VPN clients. This means all VPN users must have a configured mobile phone number and email address with which to connect.
  • Page 317 Remote Access VPN permissions, this information is necessary for Two-Factor Authentication during the Remote Access VPN connection. d. Select Remote Access permissions.
  • Page 318 To see the traffic from the currently connected Remote Access VPN users, go to Logs & Monitoring > Logs > Security Logs (on the VPN > Remote Access > Blade Control page, you must select Log traffic from Remote Access users).
  • Page 319: Advanced Options

    The Remote Access Port Settings window opens. 2. In the Remote Access port field, enter a new port number. 3. Select Reserve port 443 for port forwarding. 4. Click Apply.
  • Page 320: Connections Between Remote Access Vpn Clients In The Same Office Mode Pool

    Select the option Back connections enable. d. Click Apply. 5. Configure an Access Policy rule to allow traffic between computers in the Office Mode network:
  • Page 321 Click New. d. Configure this rule: Original Source: OMPOOL; Original Destination: OMPOOL; Original Service: *Any; Translated Source: *Original; Translated Destination: *Original; Translated Service: *Original. e. Click Apply.
  • Page 322: Configuring Remote Access Users

    If no authentication servers are defined, click the Active Directory / RADIUS server link to define them. Note - When User Awareness is turned off, there is no user identification based on Browser-Based Authentication and Active Directory Queries.
  • Page 323 5. In the SSL VPN Bookmarks tab, configure the SSL VPN bookmarks (see below). 6. Click Apply The group is added to the table on the page.
  • Page 324 Usually you keep the Selected Active Directory user groups option. 3. Click Apply The Active Directory is added to the table on the page.
  • Page 325 The New Local User window opens: 2. In the Remote Access tab, enter the: User name. Password. Email. Mobile phone number. 3. Select Remote Access permissions. 4. Click Apply
  • Page 326 To delete a user or group: 1. Select the user or group from the list. 2. Click Delete. 3. Click OK in the confirmation message. The user or group is deleted.
  • Page 327: Remote Access - Connected Remote Users

    Remote Access - Connected Remote Users The VPN Remote Access > Connected Remote Users page shows the currently connected remote users: Username IP address Connection Time
  • Page 328: Configuring Remote Access Authentication Servers

    This can be used for VPN remote access user authentication. When this is the case, additional configuration is necessary in the VPN > Remote Access Users page.
  • Page 329 The changes are updated in the RADIUS server. To delete a RADIUS server: Click the Remove link next to the RADIUS server you want to delete.
  • Page 330 3. Select Use user groups from specific branch only if you want to use only part of the user database defined in the Active Directory. Enter the branch in the Branch full DN in the text field. 4. Click Apply
  • Page 331 3. Click Apply To edit an Active Directory: 1. Select the Active Directory from the list. 2. Click Edit. 3. Make the relevant changes and click Apply.
  • Page 332 1. Select the Active Directory from the list. 2. Click Delete. 3. Click OK in the confirmation message. Note - This page is available from the VPN and Users & Objects tabs.
  • Page 333: Configuring Advanced Remote Access Options

    Automatically use the last installed certificate. Manually choose a VPN certificate - Select a certificate from the list of uploaded certificates in the drop-down menu. 2. Click Apply.
  • Page 334 Users & Objects > Network Objects page. 5. Click Apply The Remote Access Local Encryption Domain window opens and shows the services you selected.
  • Page 335: Dns Servers For Remote Access Users

    To configure the DNS domain name to be the same as the defined DNS domain name: 1. Click Configure automatically. 2. Click Apply The DNS domain name shows the text "Same as DNS domain name".
  • Page 336: Ssl Vpn Bookmarks

    You can also specify the screen size of the remote desktop. The default mode is full screen. To manage SSL VPN bookmarks: 1. Click on a bookmark. 2. Click Edit or Delete. 3. Click Apply
  • Page 337: Configuring The Site To Site Vpn Blade

    VPN site or see how many VPN sites are defined. The full list of the sites is located in VPN > Site to Site VPN Sites.
  • Page 338 Optionally, you can manually create a local encryption domain instead. See the VPN > Site to Site Advanced page for instructions.
  • Page 339: Harmony Connect

    Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version. From your Quantum Spark Appliance, you can set up a VPN connection with Harmony Connect to provide security and other services for your Security Gateway.
  • Page 340: Configuring Vpn Sites

    If you select IP address, and it is necessary to configure a static NAT IP address, select Behind static NAT and enter the IP address. Note - Behind static NAT applies to IPv4 addresses only.
  • Page 341 Click Select to select the networks that represent the remote site's internal networks. Click New to create network objects.
  • Page 342 VPN B - According to RFC 4308. Suite-B GCM-128 or Suite-B-GCM-256 - According to RFC 6379. Custom - Select this option to decide (manually) which encryption method is used (optional).
  • Page 343 VPN tunnels, Select the checkbox. Select to disable NAT for this site. The original IP addresses are used even if hide NAT is defined. Encryption method Select the IKE version:
  • Page 344 If you select Create IKEv2 VPN tunnel using these identifiers, configure these settings: Peer ID - Enter the identifier. Gateway ID - Select Use global identifier or Override global identifier (enter the new identifier).
  • Page 345 An initial tunnel test begins with the remote site. If you have not yet configured it, click Skip. The VPN site is added to the table.
  • Page 346 4. In the Advanced tab, select Allow traffic to the internet from remote site through this gateway. 5. Click Apply This gateway is now designated as the center. Hide NAT is done automatically in the center gateway.
  • Page 347 2. Click Test. To edit a VPN site: 1. Select the VPN site from the list. 2. Click Edit. 3. Make the relevant changes and click Apply.
  • Page 348 A2: In this case, a mesh community is better as each gateway can handle its own internet traffic and is not affected by any other gateway.
  • Page 349: Configuring Advanced Site To Site Community Settings

    Encryption settings - IKE (Phase 1) and IPsec (Phase 2) settings Advanced settings - Encryption method and certificate matching For descriptions of the fields in the site details tabs, see "Configuring VPN Sites" on page 340
  • Page 350: Viewing Vpn Tunnels

    The number of connections associated with the tunnel per instance. This lets you know if a tunnel is over-utilized. To filter the list: In the Type to filter box, enter the filter criteria.
  • Page 351 To delete all Security associations for a selected peer: Click Delete all SAs for the selected peer. Note - This page is available from the VPN and Logs & Monitoring tabs.
  • Page 352: Configuring Advanced Site To Site Settings

    For information on how to create a new network object, see the Users & Objects > Network Objects page. 5. Click Apply. The Site to Site Local Encryption Domain window opens and shows the services you selected.
  • Page 353: Configuring The Appliance Interfaces

    Configuring the IKE ID Type for the IKEv2 Main Mode (MM) Negotiation with 3rd-party VPN Peers Note - In the R81.10.X releases, this feature is available starting from the R81.10.10 version.
  • Page 354 To configure IKEv2 ID Type to an FQDN: Important - Schedule a maintenance window. 1. Connect to the command line on the Quantum Spark appliance. 2. Log in.
  • Page 355 5. Examine the value of the Registry parameter: ckp_regedit -p SOFTWARE\\CheckPoint\\VPN1 | grep BestRoutingSenderIP 6. Restart all Check Point services (this interrupts all traffic): cpstop ; cpstart
  • Page 356: Tunnel Health Monitoring

    In DPD responder mode, the Check Point gateway sends the IKEv1 Vendor ID to peers from which the DPD Vendor ID was received and answers incoming DPD packets. To enable DPD responder mode: Select the checkbox.
  • Page 357: Managing Trusted Cas

    3. A CA name is suggested, but you can enter another name if preferred. Click Preview CA details to see further information from the .CRT file. 4. Click Apply The CA is added to the Trusted CA list.
  • Page 358 CA list. 3. You can also export other trusted CAs you've added to the list if necessary by selecting them and clicking Export.
  • Page 359 Internal CA and the Download button is available. 3. Click Download. The signed certificate is downloaded through your browser and is available to be imported to the remote site's certificates list.
  • Page 360: Managing Installed Certificates

    2. Export the signed request (download the signing request from the appliance). 3. Send the signing request to the CA. 4. When you receive the signed certificate from the CA, upload it to the appliance.
  • Page 361 To upload a P12 file: 1. Click Upload P12 Certificate. 2. Browse to the file. 3. Edit the Certificate name if necessary. 4. Enter the certificate password. 5. Click Apply
  • Page 362: Managing Internal Certificates

    3. The maximum value allowed is 20. 4. Click Apply Note - The internal VPN certificate expiration date cannot be later than the CA expiration date.
  • Page 363 Internal CA and the Download button is available. 3. Click Download. The signed certificate is downloaded through your browser and is available to be imported to the remote site's certificates list.
  • Page 364: Managing Users And Objects

    User Awareness lets you configure the Quantum Spark Appliance to show user based logs instead of IP address based logs and enforce access control for individual users and user groups.
  • Page 365: Enabling User Awareness

    If you have an existing Active Directory server, click Use existing Active Directory servers. To add a new Active Directory Domain: 1. Select Active Directory Queries and click Configure. The Active Directory Queries window opens.
  • Page 366: Browser-Based Authentication

    3. Under Specific destinations, select Internet or Selected network objects. If you select Selected network objects, select the objects from the list or create new objects. 4. Click Finish.
  • Page 367: Identity Collector

    5 - 10 minutes. 5. Click Apply Identity Collector Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.
  • Page 368 Identity Awareness Clients Administration Guide Note - This page is available from Access Policy > User Awareness Blade Control and Users & Objects > User Awareness.
  • Page 369: Configuring Local Users And User Groups

    5. To remove a user, click the X next to the user name. 6. Click Apply The group is added to the table on the page.
  • Page 370 To delete a user or group: 1. Select the user or group from the list. 2. Click Delete. 3. Click OK in the confirmation message. The user or group is deleted.
  • Page 371: Configuring Local And Remote System Administrators

    Authentication of those remotely defined administrators is done by the same RADIUS server. Note - This page is available from the Device and Users & Objects tabs.
  • Page 372: Administrator Roles

    If you continue the login process, the first administrator session ends automatically. The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows. Local Administrators
  • Page 373 Receive Security alert notifications by email or SMS. See "Notifications" on page 49 To reset your password on the Login page of the WebUI (see below).
  • Page 374 5. In the Confirm password field, enter the password again. 6. Click Next 7. A message on the screen confirms your password was successfully changed. 8. Click Next to proceed to the Login page.
  • Page 375: Remote Administrators

    Networking Admin Mobile Admin 7. To define groups, click Use specific RADIUS groups only and enter the RADIUS groups separated by a comma. 8. Click Apply
  • Page 376: Pairing A Mobile Device

    This generates a QR code to connect the Check Point WatchTower mobile application with the appliance for the first time. For more information about the mobile application, see the WatchTower App User Guide.
  • Page 377: Configuring A Radius Server For Non-Local Quantum Spark Appliance Users

    Configuring a RADIUS Server for non-local Quantum Spark Appliance users Non-local users can be defined on a RADIUS server and not in the Quantum Spark Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions.
  • Page 378 Where <role> is the name of the administrator role that is defined in the WebUI. Administrator Role - Value: Super Admin - adminRole; Read only - monitorrole; Networking Admin - networkingrole; Mobile Admin - mobilerole.
  • Page 379 Where <role> is the name of the administrator role that is defined in the WebUI. Administrator Role - Value: Super Admin - adminRole; Read only - monitorrole; Networking Admin - networkingrole; Mobile Admin - mobilerole.
  • Page 380 Configuring Local and Remote System Administrators To log in as a Super User: A user with super user permissions can use the Quantum Spark Appliance shell to do system-level operations, including working with the file system. 1. Connect to the Quantum Spark Appliance platform over SSH or serial console.
  • Page 381: Managing Authentication Servers

    This can be used for VPN remote access user authentication. When this is the case, additional configuration is necessary in the VPN view > Remote Access section > Remote Access Users page.
  • Page 382: Radius Server

    4. On the Secondary tab, repeat Step 2 for a Secondary RADIUS server if applicable. 5. Click Apply The primary and secondary servers (if defined) are added to the RADIUS section on the page.
  • Page 383 In the Default Administrators Role, select the applicable role. b. Optional: Select For Administrators use specific RADIUS group only. Enter the applicable RADIUS groups. 5. Click Apply
  • Page 384 Enter the applicable RADIUS groups. 5. Click Apply 6. Configure the remote access permissions for RADIUS users in the VPN view > Remote Access section > Remote Access Users page.
  • Page 385: Tacacs+ Server

    1. Click the Users & Objects view > Users Management section > Authentication Servers page. 2. Next to the TACACS+ server you want to delete, click the Remove link.
  • Page 386 4. Select one of these: Use roles defined on TACACS+ server Use default role for TACACS+ users In the Default Administrators Role, select the applicable role. 5. Click Apply
  • Page 387: Active Directory

    Active Directory. a. Click New. b. Enter the branch in the Branch full DN in the text field. c. Click Apply 5. Click Apply
  • Page 388 Source picker. You cannot select a user from the Active Directory, only an Active Directory user group. You can select a local user. 4. Click Apply
  • Page 389 Usually you keep the Selected Active Directory user groups option and configure remote access permissions on the VPN view > Remote Access section > Remote Access Users page. 4. Click Apply
  • Page 390: Managing Applications & Urls

    If new applications are added to an additional category that is in the access policy Rule Base, the rule is updated automatically when the database is updated.       |      390 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Locally Managed Administration Guide...
  • Page 391 7. Click the Additional Categories tab to select more categories if necessary. 8. Click Apply You can use the application in a rule.       |      391 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Locally Managed Administration Guide...
  • Page 392 4. If necessary, click New to add a custom application or URL to the list. For information on creating a custom application, see above. 5. Click Apply You can use the custom application group in a rule.       |      392 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Locally Managed Administration Guide...
  • Page 393: Managing System Services

    792. This option is only relevant, if in the Type field you selected ICMP. Comments - Enter an optional comment.
  • Page 394 There is no point in synchronizing these connections because every synchronized connection consumes gateway resources, and the connection is likely to have finished by the time a failover occurs.
  • Page 395 1. In the Type to filter box, enter the service name or part of it. 2. As you enter text, the list is filtered and shows matching results.
  • Page 396 Citrix - The Firewall settings tab lets you configure which protocol to support on the configured ports. The default port 1494 is commonly used by two different protocols - Winframe or Citrix ICA.
  • Page 397: Managing Service Groups

    The service group is added to the list of groups. To edit a service group: 1. Select a group from the list. 2. Click Edit. 3. Make the necessary changes. 4. Click Apply
  • Page 398 NAT and an internal DNS server accessible to the Internet. The IPS settings tab lets you configure how and when DNS deep inspection is performed. Select the relevant options.
  • Page 399: Managing Network Objects

    Domain Name - Represents a Domain. Device - Represents a device. Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.
  • Page 400 Exclude from DHCP service - The internal DHCP service does not distribute the configured IP range to anyone. 6. Click Apply Note - Wildcard network objects that represent a series of non-sequential IP addresses are supported.
  • Page 401 5. In Object name, enter the applicable text. If you select to Use custom hardware name, configure: Device type - Select from the pull-down menu. Hardware Operating system 6. Click Apply
  • Page 402 5. In Object name, enter the applicable text. 6. Click Apply Note - You can also do this on the Home > Active Devices page. Click Save as and select Device type Network Object.
  • Page 403: Managing Network Object Groups

    The network object group is added to the list of groups. To edit a network object group: 1. Select a group from the list. 2. Click Edit. 3. Make the necessary changes. 4. Click Apply
  • Page 404 1. In the Type to filter box, enter the network object group name or part of it. 2. As you enter text, the list is filtered and shows matching results.
  • Page 405: Logs And Monitoring

    The Logs & Monitoring > Logs > Security Logs page shows the last 100 log records. To load more records, continue scrolling down the page. The log table is automatically refreshed.
  • Page 406 2. In the Security Logs Settings window, select the checkbox Limit the number of logs to search. 3. In the Maximum number of logs to search field, use the arrows to select the desired number. 4. Click Save.
  • Page 407 1. Select Actions > Stop local logging. 2. To resume, select Actions > Resume local logging. Note - In version R81.10.08 and lower, select Options instead of Actions.
  • Page 408 Logs are not deleted from the remote logs server. The logs are deleted, and the logs grid reloads automatically. Exporting Security Logs To export the security logs, see "Configuring External Log Servers" on page 410
  • Page 409: Viewing System Logs

    1. Click Clear Logs. 2. Click OK in the confirmation message. To search system logs table: Enter keyword for the log in the text search field.
  • Page 410: Configuring External Log Servers

    Use cases for an external Check Point Log Server: Extend the log retention time. For example, currently, when your gateway is managed by Quantum Spark Portal, you can retain logs for 3 months. If you configure an external Log Server, you can retain the logs for a year.
  • Page 411 To see the logs, you must connect with SmartConsole to the dedicated Log Server (and not the Security Management Server).
  • Page 412: Syslog Server Configuration

    6. Optional - Select Show obfuscated fields. Obfuscated packets are shown as plain text. 7. Select Forwarded logs: System logs Security logs 8. Click Upload to upload a Trusted CA Certificate. 9. Click Apply
  • Page 413: Secured Syslog

    Select the syslog server you want to edit and click Edit. To delete the syslog server: 1. Select the syslog server. 2. Click Delete. Notifications "Notifications" on page 49
  • Page 414: Managing Active Devices

    Interface - Name of the appliance interface, to which the device is connected. Blocking a Device Manually Click the device to select it and click Block.
  • Page 415: Toolbar Buttons

    Start/Stop Traffic Monitor - Gather upload and download packet rates for active devices. This operation may affect performance. To stop, click Stop Traffic Monitoring. Revoke Certificate - Revokes the certificate assigned to the device.
  • Page 416: Revoking The Hotspot Access

    The Assets page displays devices in the internal networks. When an asset is connected to the gateway, it automatically appears here. The top of the page shows multiple counters:
  • Page 417 Name - Name of the device. The vendor icons appear next to the name. IP Address Interface Vendor Device Type For each asset, click one of these options: Refresh Actions
  • Page 418 Override (select Asset type and Vendor from the pulldown menu), Bypass (select the applicable checkboxes to bypass by Smart Accel and to bypass by SSL Inspection).
  • Page 419 IoT device. Override 5. Click the arrow to expand the Functions section. 6. Click the arrow to expand the Interface section.
  • Page 420: Wireless Active Devices

    The Logs & Monitoring > Paired Mobile Devices shows the mobile devices paired to the gateway. To revoke a pairing: 1. Select the device name. 2. Click Revoke. 3. In the confirmation window that opens, click Yes.
  • Page 421: Viewing Infected Devices

    Incident type - Shows the detected incident type: Found bot activity Downloaded a malware Accessed a site known to contain malware Severity - Shows the severity of the malware:
  • Page 422 High and above severity only - Shows devices and servers that are infected or possibly infected with malware that has a severity classification of high or critical.
  • Page 423 1. In the Logs and Monitoring tab, select the list entry for which to view logs. 2. Click Logs. The Security Logs page opens and shows the logs applicable to the IP/MAC address.
  • Page 424: Viewing VPN Tunnels

    The number of connections associated with the tunnel per instance. This Per Instance lets you know if a tunnel is over-utilized. To filter the list: In the Type to filter box, enter the filter criteria.
  • Page 425 To delete all Security associations for a selected peer: Click Delete all SAs for the selected peer. Note - This page is available from the VPN and Logs & Monitoring tabs.
  • Page 426: Viewing Active Connections

    To filter the list: In the Type to filter box, enter the filter criteria. The list is filtered. To refresh the list: Click the Refresh link.
  • Page 427: Access Points

    Viewing Reports "Viewing Reports" on page 60 Dr. Spark With the Dr. Spark feature, you can check the Quantum Spark Appliance performance, sizing and health status. Note - The Dr. Spark feature is available as a separate tab starting from R81.10.08. In earlier versions, the Dr.
  • Page 428 - This test was not applicable to this appliance. Download Last Report - Prints the last report generated. Note - In the R81.10.X releases, this feature is available starting from the R81.10.08 version.
  • Page 429 VPN-S2S is enabled but no tunnels are up NGTP is active ----CPU and Memory---- Available CPU: 99.61% Available memory on the Gateway: 3943320 KB Fw1 memory consumption: 11% SFWD memory consumption: 181648 KB
  • Page 430: Using System Tools

    Click a column name to sort the output. Show Routing Table (Available From: R81.10.00) - Opens a popup window that shows this information for each route: Source, Destination, Service, Gateway, Metric, Interface, Origin
  • Page 431 Opens a popup window that shows the result of the Services Ports Cloud Services Connectivity Test (the output of the Gaia Clish command "test cloud-connectivity").
  • Page 432 Opens a popup window, in which you can capture traffic that passes through appliance interfaces. Warning - When you use this tool, the CPU load increases. Schedule a maintenance window.
  • Page 433 Access Points (table columns: Action, Description, Available From)
  • Page 434 The appliance captures traffic only on interfaces with a configured IP address. The packet capture stops automatically if the WebUI session ends. Procedure:
  • Page 435 Click Save to download the file. b. Your web browser saves this file (fw_monitor.log) in the default download folder.
  • Page 436 Note - If you entered a "grep" filter, then the saved file contains only the relevant lines you see on the screen. a. Click Save to download the file.
  • Page 437 Access Points (table columns: Action, Description, Available From) b. Your web browser saves this file (fw_ctl_zdebug_drop.log) in the default download folder.
  • Page 438 Site to Site VPN connection to / from this appliance. 6. Click the Stop Debugging button. 7. Click Download File to download the archive with the required log files.
  • Page 439 Opens a popup window that shows the result of the DNS lookup for the specified IP address / hostname (the output of the Gaia Clish command "nslookup").
  • Page 440 When the mini-USB is used as a console connector, Windows OS does not automatically detect and download the driver needed for serial communication. You must manually install the driver. For more information, see sk182035.
  • Page 441: SNMP

    To edit an existing SNMP v3 user, select the user from the list and click Edit. To delete an SNMP v3 user, select the user from the list and click Delete.
  • Page 442: SNMP Traps Receivers

    Indicators are success or failure. These traps are on by default when SNMP traps are enabled and cannot be individually turned off or configured by the user.
  • Page 443 2. Select the Enable trap option to enable the trap or clear it to disable the trap. 3. If the trap contains a value, you can edit the threshold value when necessary. 4. Click Apply
  • Page 444: Advanced Configuration

    Note - A USB storage device used for clean installation of a new image on the 1500 series must be formatted with the FAT32 file-system.
  • Page 445 3. Make sure the top folder of the USB drive does not contain any previous Boot loader or Firmware images (u-boot*.bin files, or fw1*.img files). 4. Connect the USB drive to the USB port on the Quantum Spark Appliance. 5. Connect the appliance to the power source. When the appliance is turned on, the Power LED on the front panel lights up in red for a short period.
  • Page 446: Upgrade Using An SD Card

    (u-boot*.bin files or fwl*.gz files). 3. Insert the SD card into the SD card slot on the Quantum Spark Appliance. If the operation does not succeed, this may be because the SD card slot does not recognize all devices.
  • Page 447 If there is a configuration file with the same MAC address as the gateway, that file is loaded second. Use the # symbol to add comments to the configuration file.
  • Page 448: Boot Loader

    "Restoring Factory Defaults" on page 451 4. Restore to Factory Defaults (local) "Upgrade Using Boot Loader" on page 450 5. Install/Update Image/Boot-Loader from Network
  • Page 449 6. Restart Boot-Loader 7. Run Hardware diagnostics - Runs the hardware diagnostics on the appliance. 8. Install DSL Firmware/Upload preset configuration file - Uploads a preset configuration file.
  • Page 450: Upgrade Using Boot Loader

    5. You are asked if you want to load the image manually from a TFTP server, or if you want to use automatic mode with a BOOTP server. 6. If you select manual mode, you are asked to fill in the IP of the Quantum Spark Appliance, the IP of the TFTP server, and the image name.
  • Page 451: Restoring Factory Defaults

    3. While factory defaults are restored, the Power LED blinks blue to show progress. This takes a few minutes. When this completes, the appliance reboots automatically.
  • Page 452 To disable the reset to default: Use this Gaia Clish command: set additional-hw-settings reset-timeout 0 To enable the reset to default: Use this Gaia Clish command: set additional-hw-settings reset-timeout 12
  • Page 453: Custom Default Image

    LAN4 port connection and traffic bypasses the appliance. Force-bypass - "Bypass". The connection between the DMZ and LAN4 port is forcibly bypassed and the traffic bypasses the appliance regardless of the software status.
  • Page 454: Configuring Bypass Mode In The WebUI

    Configuring Bypass mode in Gaia Clish To display the current (Fonic) Bypass configured mode: show fonic-settings advanced-settings To switch between Active and Bypass mode: set fonic-settings advanced-settings mode
  • Page 455: RESTful API

    The x-chkp-sid header is mandatory in all API calls except the login API. Request payload Text in JSON format containing the different parameters. Example: https://192.168.1.1:4434/web-api/login
  • Page 456: Response Structure

    A JSON structure with the error details Versioning HTTP Post with a specific version https://<gateway-ip>:<port>/web-api/<version>/<command> If no version is being sent, the latest supported version is used. Example: https://192.168.1.1:4434/web-api/v1/login
  • Page 457: REST API Commands

    Content-Type - Send JSON object to use the API Web Services. Request Body (Parameter Name / Value / Description): user (Required) / String / Administrator username; Password (Required) / String / Administrator password
  • Page 458: Logout

    "session-timeout": 10 (2) Logout Description Log out from the current session. After you log out, the session id is no longer valid. Request URL POST https://<gateway-ip>:<port>/web-api/v1/logout
  • Page 459: Generate-Report

    Session unique identifier as the response to the login request. Request Body (Header Name / Value / Description): type (Required) / String / Report time frame. Allowed values: {hourly, weekly, daily, monthly}
  • Page 460: Run-Clish-Command

    Description. Content-Type: application/json - Send JSON object to use the API Web Services. x-chkp-sid: string token - Session unique identifier as the response to the login request.
  • Page 461 Example Request "script": " c2hvdyBwcm94eQ==" Example Response "output": "dXNlLXByb3h5OiAgICAgICAgICAgICAgICAgICAgdHJ1ZQpzZXJ2ZXI6IC AgICAgICAgICAgICAgICAgICAgICAxLjEuMS4xCnBvcnQ6ICAgICAgICAgICAgICAg ICAgICAg ICAgIDgwODAKCg==" The script is: show proxy The output is: use-proxy: true server: proxy.checkpoint.com port: 8080

This manual is also suitable for:

Spark 1600, Spark 1800, Spark 1900, Spark 2000