Infinity Check Point L-71WD Administration Manual

Appliances centrally managed r77.20.75
22 February 2018
CHECK POINT
1100/1200R/1400
APPLIANCES
CENTRALLY MANAGED
R77.20.75
Models: L-50, L-50D, L-50W, L-50WD, L-61i, L-71,
L-71W, L-71WD, L-72, L-72W, L-72P
Administration Guide


Summary of Contents for Infinity Check Point L-71WD

  • Page 1 22 February 2018 CHECK POINT 1100/1200R/1400 APPLIANCES CENTRALLY MANAGED R77.20.75 Models: L-50, L-50D, L-50W, L-50WD, L-61i, L-71, L-71W, L-71WD, L-72, L-72W, L-72P Administration Guide...
  • Page 2 © 2018 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point.
  • Page 3: Important Information

    Important Information Latest Software We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks. Check Point R77.20.75 For more about this release, see the R77.20.75 home page. Latest Version of this Document Download the latest version of this document http://downloads.checkpoint.com/dc/download.htm?ID=59765.
  • Page 4: Table Of Contents

    Contents Important Information ....................3 Check Point 1100, 1200R, and 1400 Appliance Overview ..........7 Installation ........................8 Setting Up the Check Point Appliance ............... 8 Connecting the Cables ....................8 About the PoE ......................9 Deployment Types ..................... 9 Predefining a Centrally Managed Deployment ............
  • Page 5 Sample Configuration File ..................... 40 Preparing the Configuration Files ................. 40 Deploying the Configuration File - Initial Configuration ..........40 Deploying the Configuration File - Existing Configuration ..........41 Viewing Configuration Logs ................... 42 Troubleshooting Configuration Files ................42 Using the set property Command .................. 43 Appliance Configuration ....................
  • Page 6 Viewing Active Connections ..................110 Viewing Monitoring Data ....................111 Viewing Reports......................111 Using System Tools ..................... 111 SNMP ........................... 111 Advanced Configuration .................... 113 Dynamic Routing ....................113 Upgrade Using a USB Drive ................... 114 Upgrade Using an SD Card ..................115 Boot Loader ......................
  • Page 7: Check Point 1100, 1200R, And 1400 Appliance Overview

    CHAPTER 1 Check Point 1100, 1200R, and 1400 Appliance Overview Check Point 1100, 1200R, and 1400 appliances support the Check Point Software Blade architecture and provide independent, modular and centrally managed security building blocks. You can quickly enable and configure the Software Blades to meet your specific security needs. These appliances run an embedded version of the Gaia operating system.
  • Page 8: Installation

    CHAPTER 2 Installation In This Section: Setting Up the Check Point Appliance ................8 Connecting the Cables ....................8 About the PoE .........................9 Deployment Types ......................9 Predefining a Centrally Managed Deployment .............9 Small-scale Deployment Installation ................Large-scale Deployment Installation ................Setting Up the Check Point Appliance 1.
  • Page 9: About The Poe

    Installation About the PoE The PoE wired model is in 1470/1490 appliances only. The PoE switch is a type of PSE (Power Sourcing Equipment), and delivers power to the PD (Powered Devices) end point. By default, the PoE port automatically provides power when a compliant PD is connected.
  • Page 10: Small-Scale Deployment Installation

    CHAPTER 3 Small-scale Deployment Installation In This Section: Small-scale Deployment Workflow ................Defining a Gateway Object .................... Defining a Gateway Cluster Object ................Creating the Security Policy ..................Setting Server IP Behind a 3rd Party NAT Device............This chapter contains procedures for defining a gateway or a gateway cluster. Do the procedures that match your requirements, then install the policy.
  • Page 11 Installation 4. Enter a name for the Check Point Appliance object and select the hardware type for the hardware platform. If the appliance does not appear in the hardware list in the R77.30 SmartDashboard, see sk111292 http://supportcontent.checkpoint.com/solutions?id=sk111292. 5. Set the Security Gateway Version to R77.20. 6.
  • Page 12 Installation 3. Configure the required options: • NAT - the Hide internal networks behind the Gateway’s external IP checkbox is selected by default. • QoS - Set the inbound and outbound bandwidth rates. • IPSec VPN - Make sure that the VPN community has been predefined. If it is a star community, the Check Point Appliance is added as a satellite gateway.
  • Page 13: Defining A Gateway Cluster Object

    Installation Defining a Gateway Cluster Object A Check Point Appliance Security Gateway is a group of 2 members. Each represents a separate Check Point Appliance which has High Availability software installed. ClusterXL is the Check Point clustering solution. Third party OPSEC Certified clustering products are not supported. High Availability High Availability allows organizations to maintain a connection when there is a failure in a cluster member.
  • Page 14 Installation Configuring the Check Point Appliance Gateways Getting Started Guide See your Check Point Appliance for full instructions to set up and connect the Check Point Appliance. This is the general workflow: 1. Connect your computer to the Check Point Appliance on its LAN1 interface. 2.
  • Page 15 Installation 6. In the First Member and Second Member sections, enter a Member name and Member IP address. If you want to check the communication and connectivity, clear the Define the second cluster member now check box. This allows you to complete the wizard definitions for the first member only.
  • Page 16 Installation If the WAN interface was not defined, edit the Cluster object in SmartDashboard with the wizard and select a correct main IP for the cluster object. (This IP is used, for example, in VPN as one of the Link selection options). The breadcrumb image at the top of the window shows you the interface you are currently configuring.
  • Page 17: Creating The Security Policy

    Installation 4. Establish trusted communication. 5. Define all the IP addresses of the clustered interfaces. Use the existing gateway GW IP address as the virtual IP of the cluster. 6. At the end of the wizard, select the Edit the cluster in Advanced Mode checkbox. 7.
  • Page 18 Installation Workflow 1. Associate a security zone object with an interface on the gateway object. 2. Use the security zone object in a rule. 3. Install policy. To associate a security zone object with an interface on the gateway object: 1.
  • Page 19 Installation Installing a Security Policy Use this procedure to prepare the policy for automatic installation when the gateway connects. Note - If the Check Point Appliance is physically set up and configured, when you successfully complete this step, the policy is pushed to the gateway. For a list of possible statuses, see Viewing the Policy Installation Status (on page 19).
  • Page 20 Installation The window has two sections. The top section shows a list of gateways and status details regarding the installed policy. You can use the filter fields to see only policies of interest and hide other details by defining the applicable criteria for each field. After you apply the filtering criteria, only entries that match the selected criteria are shown.
  • Page 21: Setting Server Ip Behind A 3Rd Party Nat Device

    Installation You can access the Policy Installation Status window in these ways: • From the menu bar - Click Policy > Policy Installation Status. • From the toolbar - Click the Policy Installation Status icon. • From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked.
  • Page 22: Large-Scale Deployment Installation

    CHAPTER 4 Large-scale Deployment Installation In This Section: Supported Security Management Versions ..............Large-scale Deployment Workflow ................Defining a SmartLSM Gateway Profile for a Large-scale Deployment ..... Defining a SmartLSM Appliance Cluster Profile ............Deploying with SmartProvisioning ................Installing a Security Policy ...................
  • Page 23: Defining A Smartlsm Gateway Profile For A Large-Scale Deployment

    Installation Defining a SmartLSM Gateway Profile for a Large-scale Deployment SmartLSM lets you manage a large number of Check Point Appliance gateways from one Security Management Server. When you use a SmartLSM profile, you reduce the administrative overhead as you define the gateway properties and policy per profile. The SmartLSM profile is a logical object that contains the firewall and policy components.
  • Page 24: Deploying With Smartprovisioning

    Installation To create a SmartLSM Cluster profile: 1. In SmartDashboard, from Network Objects, right-click Check Point > SmartLSM profile > Small Office Appliance Cluster. 2. In General Properties, enter a Name for the profile (for example, ClusterProfile1). 3. Select the Cluster Members tab and click Add to add the two cluster members to the profile. 4.
  • Page 25: Installing A Security Policy

    Installation Installing a Security Policy Use this procedure to prepare the policy for automatic installation when the gateway connects. Note - If the Check Point Appliance is physically set up and configured, when you successfully complete this step, the policy is pushed to the gateway. For a list of possible statuses, see Viewing the Policy Installation Status (on page 19).
  • Page 26 Installation The window has two sections. The top section shows a list of gateways and status details regarding the installed policy. You can use the filter fields to see only policies of interest and hide other details by defining the applicable criteria for each field. After you apply the filtering criteria, only entries that match the selected criteria are shown.
  • Page 27 Installation You can access the Policy Installation Status window in these ways: • From the menu bar - Click Policy > Policy Installation Status. • From the toolbar - Click the Policy Installation Status icon. • From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked.
  • Page 28: Smartprovisioning

    CHAPTER 5 SmartProvisioning In This Section: Creating a Gateway ....................... Creating a SmartLSM Appliance Cluster ..............Defining SmartLSM Gateways Using LSM CLI ............Managing Device Settings .................... You can create a Security Gateway or cluster object out of SmartLSM profiles in SmartProvisioning.
  • Page 29: Communication Properties

    SmartProvisioning Communication Properties In the Communication Properties page, you define an Activation Key that is used to set up Secure Internal Communication (SIC) Trust between the SmartLSM Security Gateway and the Security Management Server. This is the same key that you should enter in the one-time password field of the Security Management Server Authentication page of the Check Point Appliance First Time Configuration Wizard.
  • Page 30: Finish

    SmartProvisioning Finish 1. Select Edit SmartLSM gateway properties after creation to work with the newly created object. 2. Click Finish to complete the SmartLSM Security Gateway creation. After the SmartLSM Security Gateway object is created: • Update the Corporate Office Gateway. •...
  • Page 31: Cluster Names

    SmartProvisioning 5. In Provisioning Profile, select the provisioning profile to assign to this gateway, from the list of profiles created in SmartProvisioning. 6. Click Next. Cluster Names The cluster members' names are shown with the configured prefix. Click Next. More Information 1.
  • Page 32: Defining Smartlsm Gateways Using Lsm Cli

    SmartProvisioning Defining SmartLSM Gateways Using LSM CLI This is a sample SmartLSM CLI script that you can use to create a new gateway object and associate it with a SmartLSM profile. Optionally, you can also set a SIC password and initiate a SIC connection.
  • Page 33 SmartProvisioning In some instances, it may be necessary to define exceptions for the default SmartLSM security profile. For example, if you do not want all gateways to use the specified default SmartLSM profile after installation, you can customize different security profiles to replace known security profiles. Let’s say you have a scenario with these details: •...
  • Page 34: Configuring Radius

    SmartProvisioning 6. In Default SmartLSM Profile after installation, select the new SmartLSM profile of the Security Gateway (the Security Gateway version must match its SmartLSM profile's version as defined in SmartDashboard for correct policy behavior). The Security Gateway replaces its SmartLSM profile after successful firmware installation and only if the new firmware version is different from the version you have now.
  • Page 35: Configuring Hotspot

    SmartProvisioning 4. Select an override profile setting: • Allowed • Denied • Mandatory For more information about override profile settings, see Configuring Profile Settings (on page 36). 5. Select RADIUS is activated on device to enable RADIUS on the Check Point Appliance. 6.
  • Page 36: Configuring A Configuration Script

    SmartProvisioning Configuring a Configuration Script To configure a configuration script on a Provisioning Profile: 1. Open the Security Gateway Profile window, and select the Configuration Script tab. 2. Select Manage Configuration Script centrally from this application. 3. Click Advanced. The Profile Settings window opens. 4.
  • Page 37 SmartProvisioning This table maps the profile settings selections to the Gateway window options: Profile Profile Override Gateway Window Display and options managed Settings are defined to be managed locally on the device. Locally Not relevant To change this, refer to the attached Provisioning Profile profile_name (controls are unavailable) Overriding profile settings is denied.
  • Page 38: First Time Deployment Options

    CHAPTER 6 First Time Deployment Options In This Section: Zero Touch Cloud Service .................... Deploying from a USB Drive or SD Card ..............There are different options for first time deployment of your Small and Medium Business (SMB) gateways: Getting Started Guide •...
  • Page 39: Deploying From A Usb Drive Or Sd Card

    CHAPTER 7 Deploying from a USB Drive or SD Card In This Section: Sample Configuration File ................... Preparing the Configuration Files ................Deploying the Configuration File - Initial Configuration..........Deploying the Configuration File - Existing Configuration ......... Viewing Configuration Logs ..................
  • Page 40: Sample Configuration File

    First Time Deployment Options Sample Configuration File This is a sample Check Point Appliance configuration file for USB deployment.
    set time-zone GMT+01:00(Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna)
    set ntp server primary 10.1.1.10
    set ntp server secondary
    set user admin type admin password aaaa
    set interface WAN ipv4-address 10.1.1.134 subnet-mask 255.255.255.192 default-gw 10.1.1.129
    delete interface LAN1_Switch
    set dhcp server interface LAN1 disable...
  • Page 41: Deploying The Configuration File - Existing Configuration

    First Time Deployment Options To deploy the configuration file from a USB drive for the initial configuration: 1. Insert the USB drive into a Check Point Appliance. • Check Point Appliance is OFF - Turn on the appliance. The Power LED comes on and is green.
  • Page 42: Viewing Configuration Logs

    First Time Deployment Options Viewing Configuration Logs After the Check Point Appliance is successfully configured from a USB drive, a log is created. • The log file is called autonconf.<MAC>.<timestamp>.<log> • The log file is created in the USB root directory and in /tmp on the appliance. Troubleshooting Configuration Files This section discusses the scenario where the configuration file fails and the Check Point Appliance is not fully configured.
  • Page 43: Using The Set Property Command

    First Time Deployment Options 3. The log file is created and contains the configuration details. • The log file is called autonconf.<MAC>.<timestamp>.<log> • The log file is created in the USB root directory and in /tmp on the appliance. 4. Analyze the log file to find the problem. If you cannot repair the configuration file: 1.
  • Page 44: Appliance Configuration

    CHAPTER 8 Appliance Configuration In This Section: Introduction to the WebUI Application ................. The Home Tab ....................... Managing the Device ....................Managing Users and Objects ..................Logs and Monitoring ....................This chapter contains instructions for special Check Point Appliance features. Introduction to the WebUI Application The Check Point Appliance uses a web application to configure the appliance.
  • Page 45: The Home Tab

    Appliance Configuration The Home Tab Viewing System Information The Home > System page shows an overview of the Check Point Appliance. The Check Point Appliance requires only minimal user input of basic configuration elements, such as IP addresses, routing information, and blade configuration. The initial configuration of the Check Point Appliance can be done through a First Time Configuration Wizard.
  • Page 46: Setting The Management Mode

    Appliance Configuration Setting the Management Mode The Home > Security Management page shows information for the management mode of the Check Point Appliance. You can also test Internet Connectivity from this page. To set the management type: Select one of the options: •...
  • Page 47: Managing Licenses

    Appliance Configuration • To connect to the Security Management Server later, select Connect to the Security Management Server later. 4. Click Finish. To reinitialize trusted communication with the Security Management Server: 1. In the Security Management Server section, click Advanced to reinitialize trusted communication.
  • Page 48: Viewing The Site Map

    Appliance Configuration If you work offline while configuring the appliance: 1. Browse to https://usercenter.checkpoint.com and fill out the requested information. You must enter the appliance's credentials, MAC address and registration key, that can be found on the Home > License page. 2.
  • Page 49: Viewing Monitoring Data

    Appliance Configuration Manage the display: • Save as - Save a selected device as a network object or server. When you select this option, the New Network Object ("Managing Network Objects" on page 102) window or New Server Wizard opens. Enter the information in the fields and click Apply. Use these objects to reserve IP addresses to MAC addresses in the DHCP server and also add this object name as a host in the local DNS service.
  • Page 50 Appliance Configuration Network By default, network statistics are shown for the last hour. You can also see statistics for the last day. Select the applicable option Last hour or Last day from the Network section's title bar. The data is automatically refreshed for the time period: Last hour - At one minute intervals.
  • Page 51: Viewing Reports

    Appliance Configuration Troubleshooting • System Resources - Click CPU, memory and disk usage to see CPU, memory, and disk usage information. • Device Info - Shows Security Gateway information. • Links to pages that can be useful for monitoring and troubleshooting purposes. Note - This page is available from the Home and Logs &...
  • Page 52: Using System Tools

    Appliance Configuration Note - Only the last generated report for each report type is saved in the appliance. When you generate a new report, you override the last saved report for the specified type. To generate a report: Click the applicable time frame link at the top of the page (Monthly, Weekly, Daily or Hourly). The line below the links shows the selected report and its time frame.
  • Page 53 Appliance Configuration • Capture packets. • Download the console-USB driver (1400 appliances only) To monitor system resources: 1. Click Monitor System Resources. The System Resources page opens and shows the following information: • CPU Usage History (automatically refreshed) • Memory Usage History - memory is calculated without memory that was preallocated to...
  • Page 54: Managing The Device

    Appliance Configuration You can activate packet capture and go to other WebUI application pages while the packet capture runs in the background. However, the packet capture stops automatically if the WebUI session ends. Make sure you return to the packet capture page, stop and download the capture result before you end the WebUI session.
  • Page 55 Appliance Configuration Configuration tab Note - When you change the connection type, the appliance may disconnect from the Internet. • Connection name - Enter a name for the connection or leave the default "InternetN" label (where N indicates an incrementing number). •...
  • Page 56 Appliance Configuration IPv6 connection types (1200R and 1400 appliances only): Note - The device can have only a single IPv6 Internet connection. • Static IPv6 - A fixed (non-dynamic) IP address. • Obtain automatically (DHCPv6/SLAAC) - In both Dynamic Host Configuration Protocol...
  • Page 57 Appliance Configuration • A single DHCP or Static IP connection can be established over a USB interface. • A single DHCP or Static IP connection or multiple PPPoE connections can be established over one untagged or one VLAN tagged WAN or DMZ interface. •...
  • Page 58 Appliance Configuration Port Settings • If necessary, select Use custom MTU value and set the MTU size. Note - For a DMZ interface the MTU value is applied to all LAN ports. To avoid fragmentation (which slows transmission), set the MTU according to the smallest MTU of all the network devices between your gateway and the packet destination.
  • Page 59: Configuring The Wireless Network

    Appliance Configuration NAT Settings If the gateway's global hide NAT is turned on in the Access Policy > NAT page, you can disable NAT settings for specified internet connections. To disable NAT settings: 1. Go to Device > Internet. 2. Select an internet connection and click Edit. The Edit Internet Connection window opens.
  • Page 60 Appliance Configuration 1470/1490 appliances only: There are two radio transmitters: 2.4 GHz and 5 GHz. Each network is configured separately under a specified transmitter. Dynamic Frequency Selection (DFS) detects radar signals that must be protected against interference from 5.0 GHz (802.11ac/n) radios. When these signals are detected, the operating frequency of the 5.0 GHz (802.11ac/n) radio switches to one that does not interfere with the radar systems.
  • Page 61 Appliance Configuration Wireless Network tab Interface Configuration • Assigned to - Select Separate network or one of the existing configured networks. When selecting a separate network configure this information: • IP address Note - 1100 appliances only support IPv4 addresses. 1200R and 1400 appliances support both IPv4 and IPv6 addresses.
  • Page 62 Appliance Configuration DHCP Server Settings (For DHCPv6/SLAAC) Select one of these options: • Auto - Use the DNS configuration of the device. • Use the following IP addresses - Enter the first, second and third DNS servers. DNS Server Settings (For DHCPv4) These settings are effective only if a DHCPv4 server is enabled.
  • Page 63: Configuring The Local Network

    Appliance Configuration Configuring the Local Network The Device > Local Network page lets you set and enable the local network connections, switches, bridge or wireless network (on wireless devices only). Note - 1100 appliances only support IPv4 addresses. 1200R and 1400 appliances support both IPv4 and IPv6 addresses.
  • Page 64 Appliance Configuration To create/edit a switch: Note - Between the LAN ports of a switch, traffic is not monitored or inspected. MAC filtering is disabled. Configure the fields in the tabs: Configuration tab 1. In Switch Configuration, select or clear the interfaces you want to be part of the switch. The table shows you which interfaces are already part of the switch (shown with checkmarks in the table) and which interfaces are not assigned yet and can be added to the switch (empty checkboxes in the table).
  • Page 65 Appliance Configuration User-Defined Networks - You can manually define internal networks. If a network is not defined as internal, it is considered external. In both Automatic Learning and user-defined networks: • Traffic to internal hosts is inspected by the Incoming/Internal/VPN Rule Base. •...
  • Page 66 Appliance Configuration If you do not see the Monitor Mode option: 1. Run this CLI command: set monitor-mode-configuration allow-monitor-mode true 2. Select an interface and click Edit. Monitor Mode is now added to the options list. For more information on monitor mode, see sk112572 http://supportcontent.checkpoint.com/solutions?id=sk112572.
  • Page 67 Appliance Configuration Note - This option is not supported in 1100 appliances. • Exclude from DNS proxy – Select this checkbox for any network that you do not want exposed to internal domains. In guest VAPs (wireless network for guests), this is selected by default. Access Policy tab (only for DMZ) These options create automatic rules that are shown in the Access Policy >...
  • Page 68 Appliance Configuration Configure the fields in the tab: Configuration tab • VPN Tunnel ID - A number identifying the VTI. • Peer - The name of the remote VPN site. See Configuring VPN Sites. The VPN tunnel interface can be numbered or unnumbered. Select the applicable option: •...
  • Page 69 Appliance Configuration • Override default MAC address – This option is for local networks except those on VLANs and wireless networks. Use this option to override the default MAC address used by the network’s interface, when the device has two separate local networks connected to the same external switch.
  • Page 70: Configuring A Hotspot

    Appliance Configuration Lease section • Lease time - Configure the timeout in hours for a single device to retain a dynamically acquired IP address. Other Settings You can optionally configure these additional parameters so they will be distributed to DHCP clients: Time servers •...
  • Page 71 Appliance Configuration To configure Hotspot for an interface: 1. Click Configure in Local Network. The Local Network window opens. 2. Select interface and click Edit. The Edit <interface> window opens. 3. Select Use Hotspot. 4. Click Apply. Any user that browses from configured interfaces is redirected to the Check Point Hotspot portal. To configure Hotspot exceptions: 1.
  • Page 72: Configuring The Routing Table

    Appliance Configuration To prevent simultaneous login to the Hotspot portal: 1. Go to Device > Advanced Settings. 2. Select Hotspot. 3. Click Edit. The Hotspot window opens. 4. Click the checkbox for Prevent simultaneous login. 5. Click Apply. The same user cannot log in to the Hotspot portal from more than one computer at a time. On the Active Computers page (available through the Home and Logs &...
  • Page 73 Appliance Configuration To add a new static route (IPv4 addresses): 1. In Device > Routing, above the Routing Table, click New. The New Routing Rule window opens with this message: Traffic from any source to any destination that belongs to any service should be routed through the next hop. 2.
  • Page 74: Configuring Mac Filtering

    Appliance Configuration For Internet Connection High Availability, the default route changes automatically on failover (based on the active Internet connection). When a network interface is disabled, all routes that lead to it show as inactive in the routing page. A route automatically becomes active when the interface is enabled. Traffic for an inactive route is routed based on active routing rules (usually to the default route).
  • Page 75 Appliance Configuration 4. Select Disable MAC filtering. To enable, clear this option. 5. Click Apply. Limitations: • MAC filtering is not supported on external interfaces and over switches between physical LAN ports (port-based VLANs). If you configure a physical switch between multiple LAN ports, you cannot activate MAC filtering on this network.
  • Page 76: Configuring The Dns Server

    Appliance Configuration 5. Enter a time for Re-authentication frequency (in seconds). 6. Click Apply. To disable 802.1x authentication on an interface: 1. Go to Device > Local Network. Select the LAN interface and click Edit. 2. The Edit window opens in the Configuration tab. 3.
  • Page 77: Configuring The Proxy Server

    Appliance Configuration When DNS proxy is enabled, Resolve Network Objects controls whether the DNS proxy treats the local network objects as a hosts list. When selected, the local DNS server resolves network object names to their IP addresses for internal network clients. 3.
  • Page 78 Appliance Configuration To restore factory default settings: 1. Click Default Settings. 2. Click OK in the confirmation message. The factory default settings are restored. The appliance reboots to complete the operation. Note - This does not change the software image. Only the settings are restored to their default values (IP address https://192.168.1.1:4434, the username: admin and password: admin).
  • Page 79 Appliance Configuration Note - The firewall remains active while the upgrade is in process. Traffic disruption can only be caused by: • Saving a local image before the upgrade (this causes the Firewall daemon to shut down). This may lead to disruption in VPN connections. •...
  • Page 80 Appliance Configuration IPv6 Mode To enable IPv6 networking and enforce IPv6 security (1200R and 1400 appliances only): 1. Click IPv6 Enforcement Settings. The IPv6 Enforcement Settings window opens. 2. To enforce IPv6 security policy, click the checkbox. 3. To enable IPv6 networking, click the checkbox. 4.
  • Page 81 Appliance Configuration Backing up the System In the Device > System Operations page you can backup and restore system settings. To create a backup file: 1. Click Create Backup File. The Backup Settings window opens. 2. To encrypt the file, click Use file encryption. If you select this option, you must enter and confirm a password.
  • Page 82: Configuring Local And Remote System Administrators

    Appliance Configuration Configuring Local and Remote System Administrators The Device > Administrators page lists the Check Point Appliance administrators and lets you: • Create new local administrators • Configure the session timeout • Limit login failure attempts Administrators can also be defined in a remote RADIUS server and you can configure the appliance to allow them access.
  • Page 83 Appliance Configuration To delete a locally defined administrator: 1. Select an administrator from the list. 2. Click Delete. 3. Click Yes in the confirmation message. Note - You cannot delete an administrator who is currently logged in. To allow access for administrators defined in a remote RADIUS server: 1.
  • Page 84 Appliance Configuration Configuring a RADIUS Server for non-local Check Point Appliance users: Non-local users can be defined on a RADIUS server and not in the Check Point Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions.
  • Page 85 Appliance Configuration To configure a server for non-local appliance users: FreeRADIUS 1. Create the dictionary file dictionary.checkpoint in /etc/freeradius/ on the RADIUS server: # Check Point dictionary file for freeradius AAA server VENDOR CheckPoint 2620 ATTRIBUTE CP-Gaia-User-Role string CheckPoint ATTRIBUTE CP-Gaia-SuperUser-Access integer CheckPoint...
  • Page 86: Configuring Administrator Access

    Appliance Configuration 2. Add the line $include subdicts/dict.checkpoint to /etc/openradius/dictionaries immediately after dict.ascend 3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where <role> is the name of the administrator role that is defined in the WebUI. Administrator Role Value Super Admin...
  • Page 87 Appliance Configuration To allow administrator access from any IP address: 1. Select the Any IP address option. This option is less secure and not recommended. We recommend you allow access from the Internet to specific IP addresses only. 2. Change the WEB Port (HTTPS) and/or SSH port if necessary. 3.
  • Page 88: Managing Device Details

    Appliance Configuration To delete administrator access from a specific IP address: 1. Select the IP Address you want to delete from the IP Address table. 2. Click Delete. Important Notes: • Configuring different access permissions for LAN and Internet is not supported when your Internet Connection is configured in bridge mode (the option Allow administration access from does not show Internet or LAN).
  • Page 89: Configuring Ddns And Access Services

    Appliance Configuration To use Network Time Protocol (NTP) to synchronize the clocks of computers on the network: 1. Select the Set Date and Time Using a Network Time Protocol (NTP) Server option. 2. Enter the Host name or IP addresses of the Primary NTP Server and Secondary NTP Server. If the Primary NTP Server fails to respond, the Secondary NTP Server is queried.
  • Page 90: Using System Tools

    Appliance Configuration Reach My Device Reach My Device lets you remotely connect to the appliance from the Internet so that you can use the WebUI or CLI when necessary. This is done by tunneling the administrative UI or CLI connections through a Check Point Cloud Service. Such configuration is very useful in instances where the appliance is behind a NAT device or firewall, and cannot be reached directly.
  • Page 91: Managing Installed Certificates

    Appliance Configuration Managing Installed Certificates On the Installed Certificates page, you can create and manage appliance certificates or upload a P12 certificate. Uploaded certificates and the default certificates are displayed in a table. To see certificate details, click the certificate name. On the Device >...
  • Page 92: Configuring High Availability

    Appliance Configuration Configuring High Availability The Security Gateway is not part of a Security Cluster. To define it as a cluster member, define a Security Cluster object in your Security Management Server and install a security policy. Note - A cluster in bridge in Active/Standby mode is supported in 1200R and 1400 appliances. Configuring Advanced Settings The Device >...
  • Page 93 Appliance Configuration Additional Information for Attributes Attribute: DHCP relay - Use internal IP addresses as source. Description: Select Use internal IP addresses as source if DHCP relay packets from the appliance will originate from internal IP addresses. This may be required if the DHCP server is located behind a remote VPN site.
  • Page 94: Managing Users And Objects

    Appliance Configuration Managing Users and Objects This section describes how to set up and manage users (User Awareness, users, administrators, and authentication servers) and network resources. Configuring Local Users and User Groups In the Users & Objects > Users page you can create local users and user groups. To use these objects in the Access Policy, make sure to activate User Awareness.
  • Page 95: Configuring Local And Remote System Administrators

    Appliance Configuration To edit a user or group: 1. Select the user or group from the list. 2. Click Edit. 3. Make the relevant changes and click Apply. To delete a user or group: 1. Select the user or group from the list. 2.
  • Page 96 Appliance Configuration To create a local administrator: 1. Click New. The Add Administrator page opens. 2. Configure the parameters (name, password, and password confirmation). The hyphen (-) character is allowed in the administrator name. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ‘...
  • Page 97 Appliance Configuration To set the Session Timeout value for both local and remotely defined administrators: 1. Click Security Settings. The Administrators Security Settings window opens. 2. Configure the session timeout (maximum time period of inactivity in minutes). The maximum value is 999 minutes. 3.
  • Page 98 Appliance Configuration 4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where the allowed values of <role> are: Administrator Role Value Super Admin adminrole Read only monitorrole Networking Admin networkingrole To configure a server for non-local appliance users: FreeRADIUS 1.
  • Page 99 Appliance Configuration To configure a server for non-local appliance users: OpenRADIUS 1. Create the dictionary file dict.checkpoint in /etc/openradius/subdicts/ on the RADIUS server: # Check Point Gaia vendor specific attributes # (Formatted for the OpenRADIUS RADIUS server.) # Add this file to etc/openradius/subdicts/ and add the line # "$include subdicts/dict.checkpoint"...
  • Page 100: Authentication Servers

    Appliance Configuration Authentication Servers In the Users & Objects > Authentication Servers page you can define and view different authentication servers where users can define both an external user database and the authentication method for administrators in that database. You can define this type of authentication server: •...
  • Page 101: Managing Service Groups

    Appliance Configuration To create a new service: 1. Click New. 2. In the Service tab, enter information in the fields that apply to the type of service you select. Note that not all fields may show: • Name - Enter the service's name. •...
  • Page 102: Managing Network Objects

    Appliance Configuration To create a new service group: 1. Click New. The New Service Group window opens. 2. Enter a Name for the group and Comments (optional). 3. Click Select to show the full list of available services and select the relevant checkboxes. 4.
  • Page 103 Appliance Configuration To create a Single IP network object: 1. Click New. The New Network Object window opens. 2. In Type, select Single IP. 3. Enter an IP address and Object name. 4. Select or clear these options as necessary: Allow DNS server to resolve this object name - When the gateway is the DNS server for •...
  • Page 104: Managing Url Lists

    Appliance Configuration To delete a network object: 1. Select the network object from the list. 2. Click Delete. 3. Click Yes in the confirmation message. To filter for a specified network object: 1. In the Type to filter box, enter the name of the network object or part of it. 2.
  • Page 105 Appliance Configuration Important - • If Application Control is turned off or no custom applications have been defined in the Security Management Server, this page is empty and shows a message that informs that local URLs can only be defined after URLs lists are predefined in the appliance's security policy.
  • Page 106: Logs And Monitoring

    Appliance Configuration Logs and Monitoring This section describes the security and system logs. It also describes various monitoring tools. Viewing Security Logs The Logs & Monitoring > Security Logs page lets you browse the last 100 log records. These logs are sent to SmartView tracker, but are also available on this page. Note that the number of logs shown is not configurable, and is not related to the SmartDashboard setting "GW properties >...
  • Page 107: Viewing System Logs

    Appliance Configuration To delete logs from local log storage: 1. In Logs & Monitoring > Logs > Security Logs page, click Clear logs. A confirmation window opens. 2. Click Yes to delete logs. The logs are deleted, and the logs grid reloads automatically. Note - Logs are deleted from the external SD card (if inserted) or from the local logs storage.
  • Page 108: Configuring External Log Servers

    Appliance Configuration Configuring External Log Servers The Logs & Monitoring > Log Servers page lets you configure external log servers for system logs when necessary for additional logging storage. You can configure a gateway to send logs to multiple external syslog servers. To configure an external syslog server: 1.
  • Page 109 Appliance Configuration • Severity - Shows the severity of the malware: • • Medium • High • Critical • Protection name - Shows the Anti-Bot or Anti-Virus protection name. • Last incident - The date of the last incident. • Incidents - Shows the total number of incidents on the host or server in the last month.
  • Page 110: Viewing Vpn Tunnels

    Appliance Configuration To view the logs of a specified entry: 1. Select the list entry for which to view logs. 2. Click Logs. The Logs & Monitoring > Security Logs page opens and shows the logs applicable to the IP/MAC address. Note - This page is available from the Home and Logs &...
  • Page 111: Viewing Monitoring Data

    Appliance Configuration To filter the list: In the Type to filter box, enter the filter criteria. The list is filtered. To refresh the list: Click the Refresh link. Viewing Monitoring Data See Viewing Monitoring Data (on page 49). Viewing Reports See Viewing Reports (on page 51).
  • Page 112 Appliance Configuration SNMP Traps Receivers You can add, delete, or edit the properties of SNMP trap receivers. • To add an SNMP trap receiver, click New. Note - To add a new SNMP v3 trap receiver, there must be an SNMP v3 user defined for it. To edit an existing SNMP trap receiver, select the trap receiver from the list and click Edit.
  • Page 113: Advanced Configuration

    CHAPTER 9 Advanced Configuration In This Section: Dynamic Routing ......................Upgrade Using a USB Drive ..................Upgrade Using an SD Card ..................Boot Loader ....................... Upgrade Using Boot Loader ..................Restoring Factory Defaults ..................Dynamic Routing Dynamic Routing is supported with Gaia networking stacks. RIP, OSPF, BGP, and PIM are supported.
  • Page 114: Upgrade Using A Usb Drive

    Advanced Configuration Upgrade Using a USB Drive This section explains how you can upgrade the appliance with a USB drive without a console connection to the appliance. For more information, see Upgrade Using Boot Loader (on page 118). Note - The USB drive must be formatted in FAT32. Installing a new firmware image from a USB drive Check Point releases new firmware images every so often.
  • Page 115: Upgrade Using An Sd Card

    Advanced Configuration 3. Make sure the top folder of the USB drive does not contain any previous Boot loader or Firmware images (u-boot*.ubt files or fw1*.img files). 4. Connect the USB drive to one of the appliance USB ports. If the operation does not succeed, this may be because the USB port does not recognize all USB drives.
  • Page 116: Boot Loader

    Advanced Configuration To upgrade to a new firmware image from an SD card: 1. Disconnect the Check Point Appliance from the power source. 2. Place the firmware image on the SD card in the top folder. Do not rename the file. Make sure the top folder of the SD card does not contain any previous Boot loader or firmware images (u-boot*.bin files or fwl*.gz files).
  • Page 117 Advanced Configuration 7. Install/Update Boot-Loader from USB 8. Restart Boot-Loader 9. Install DSL Firmware / Upload preset configuration file Please enter your selection: When you are in Boot Loader, all interfaces are down and you can only activate them for options that require connectivity.
  • Page 118: Upgrade Using Boot Loader

    Advanced Configuration Upgrade Using Boot Loader To upgrade the Check Point Appliance using U-boot (boot loader): Note - In 1470/1490 appliances only, Bootloader is supported only through the DMZ port and is not available through the LAN ports. 1. Connect to the appliance with a console connection (use the serial console connection on the back panel of the appliance), boot the appliance and press Ctrl+C.
  • Page 119: Restoring Factory Defaults

    Advanced Configuration Restoring Factory Defaults The Check Point Appliance contains a default factory image. When the appliance is turned on for the first time, it loads with the default image. As part of a troubleshooting process, you can restore the Check Point Appliance to its factory default settings if necessary.
  • Page 120 Advanced Configuration 6. Install/Update Image from USB 7. Install/Update Boot-Loader from USB 8. Restart Boot-Loader Please enter your selection : 3. Enter 4 to select Restore to Factory Defaults (local). 4. When you are prompted: "Are you sure? (y/n)" select y to continue and restore the appliance to its factory defaults settings.
  • Page 121: Index

    Index About the PoE • 9 Advanced Configuration •... Creating a SmartLSM Appliance Cluster • 30 Creating the Security Policy • 17 Defining a Gateway Cluster Object • 13 Defining a Gateway Object • 10 Defining a SmartLSM Appliance Cluster Profile • 23
  • Page 122 Restoring Factory Defaults • 119 Sample Configuration File • 40 Sample Configuration Log with Error • 43 Setting Server IP Behind a 3rd Party NAT Device • 21 Setting the Management Mode • 46 Setting Up the Check Point Appliance • 8 Small-scale Deployment Installation •...