19 May 2020
CHECK POINT 700/900
APPLIANCES
R77.20.87
Models: L-71, L-71W, L-71WD, L-72, L-72W, L-72P,
LU-72
Administration Guide

Summary of Contents for Check Point 700

  • Page 1 19 May 2020 CHECK POINT 700/900 APPLIANCES R77.20.87 Models: L-71, L-71W, L-71WD, L-72, L-72W, L-72P, LU-72 Administration Guide...
  • Page 2 Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
  • Page 3 We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks. Certifications For third party independent certification of Check Point products, see the Check Point Certifications page https://www.checkpoint.com/products-solutions/certified-check-point-solutions/. Check Point R77.20.87 For more about this release, see the R77.20.87 home page...
  • Page 4 Contents Important Information ...................... 3 Check Point 700 and 900 Appliance Overview..............7 Installation ........................8 Setting Up the Check Point Appliance ................8 Connecting the Cables ....................8 About the PoE ........................ 9 First Time Deployment Options ..................10 Zero Touch Cloud Service ...................
  • Page 5 Configuring MAC Filtering ..................58 Configuring the DNS Server ..................60 Configuring the Proxy Server ..................61 Backup, Restore, Upgrade, and Other System Operations .......... 61 Configuring Local and Remote System Administrators ..........65 Configuring Administrator Access ................70 Managing Device Details ................... 71 Managing Date and Time ...................
  • Page 6 Managing Applications & URLs ................182 Managing System Services ..................183 Managing Service Groups ..................186 Managing Network Objects ..................187 Managing Network Object Groups ................189 Logs and Monitoring ....................190 Viewing Security Logs ..................... 190 Viewing System Logs....................191 Configuring External Log Servers ................
  • Page 7 (more than 2) in High Availability or Load Sharing mode, Policy Based Routing, and DDNS support. Quick deployment with USB is supported for all appliances, and with SD card for the 700 and 910 appliances. For more information, see the 700 Security Gateway series product page https://www.checkpoint.com/products/small-business-security/.
  • Page 8 192.168.1.1. Connecting the Cables 1. For 700 appliances: Connect the power supply unit to the appliance and to a power outlet. The appliance is turned on when the power supply unit is connected to an outlet. For 910 appliance: Connect the power cable to the appliance. The appliance is connected directly to the power source.
  • Page 9 (PoE+). All 4 ports support 802.3af. Due to power budget limitations, only 2 ports at a time support 802.3at. The total power dedicated for all PoE ports is 62W: • 802.3af maximum power delivery per port is 15.4W • 802.3at maximum power delivery per port is 31W Check Point 700/900 Appliances Administration Guide R77.20.87...
  • Page 10 Note - If a collision is detected between an internal network (LAN) and an IP returned via DHCP (WAN), the conflicting LAN address is changed automatically. If a colliding LAN IP address is changed, a message appears in the system logs.
  • Page 11 After the gateway downloads and successfully applies the settings, it does not connect to the Zero Touch server again. For more information on how to use Zero Touch, see sk116375 http://supportcontent.checkpoint.com/solutions?id=sk116375 and the Check Point SMB Zero Touch User Guide http://downloads.checkpoint.com/dc/download.htm?ID=53585.
  • Page 12 Using the set property Command ................ You can deploy the Check Point Appliance configuration files from a USB drive or SD card and quickly configure many appliances without using the First Time Configuration Wizard. The configuration file lets you configure more settings and parameters than are available in the First Time Configuration Wizard.
  • Page 13 Deploying the Configuration File - Initial Configuration This section describes how to deploy a configuration file on a USB drive to the Check Point Appliance. You must configure and format the file correctly before you deploy it. You can insert the USB drive in the front or rear USB port.
  • Page 14 To deploy the configuration file from a USB drive for the initial configuration: 1. Insert the USB drive into a Check Point Appliance. • Check Point Appliance is OFF - Turn on the appliance. The Power LED comes on and is green. •...
  • Page 15 USB drive. Use the set property USB_auto_configuration (on page 16) command when you run a configuration file script on a configured appliance. 1. The USB drive with the configuration file is inserted into a USB port on the Check Point Appliance.
  • Page 16 Autoconfiguration CLI script failed, clish return code = 1 Using the set property Command The set property CLI command controls how the Check Point Appliance runs configuration scripts from a USB drive. These commands do not change how the First Time Configuration Wizard in the Web UI configures the appliance.
  • Page 17 This chapter contains workflows for common configuration and upgrade scenarios. Configuring Cloud Services Introduction Cloud Services lets you connect your Check Point Appliance to a Cloud Services Provider that uses a Web-based application to manage, configure, and monitor the appliance. Prerequisites Before you connect to Cloud Services, make sure you have: •...
  • Page 18 Remote access VPN • Site to site VPN using a preshared secret • Site to site VPN using a certificate Note - VPN does not work with pure IPv6, only with dual stack.
  • Page 19 If the gateway uses a dynamic IP address, we recommend you use the DDNS feature. See Configuring DDNS and Access Services (on page 72). • For the Check Point VPN client or Mobile client method, make sure that the applicable client is installed on the hosts. Click How to connect for more information.
  • Page 20 To make sure the VPN is working: 1. Send traffic between the local and peer gateway. 2. Go to > VPN Tunnels to monitor the tunnel status. See Viewing VPN Tunnels (on page 164).
  • Page 21 2. Export this request using the option. 3. Use the peer gateway's internal CA to sign the request on the peer gateway. If the peer gateway is a locally managed Check Point gateway, go to > Trusted CAs and use the Sign a Request option.
  • Page 22 QoS can be activated on Internet connections and requires that at least one Internet connection is configured with the maximum download and/or upload speeds. You get the speed information from your ISP. QoS policy rules apply separately on each configured Internet connection.
  • Page 23 Note - Connect the sync cable only after you complete the First Time Configuration Wizard and remove the switch on both appliances. No additional configuration is required on both members. Best Practice - Designate the same LAN port for the Sync interface. The default Sync interface is LAN2/SYNC.
  • Page 24 "Active" and "Standby." 3. Upgrade the active member. The active member automatically reboots. Note - The upgrade process is the same for each cluster member. Only manual upgrade is supported.
  • Page 25 For more information, see Working with the Firewall Access Policy (on page 113). 3. If you know the IP address of the SIP server, you can use it as the source of this rule. 4. Optional - Configure a log for this rule.
  • Page 26 The Check Point Appliance uses a web application to configure the appliance. Getting Started After you use the First Time Configuration Wizard (see the Check Point Appliance Guide), when you connect to the appliance with a browser (with the appliance's IP or, if the appliance is used as a DNS proxy or DHCP server, to "my.firewall"), it redirects the web page to a...
  • Page 27 The Home > page shows an overview of the Check Point Appliance. The Check Point Appliance requires only minimal user input of basic configuration elements, such as IP addresses, routing information, and blade configuration. The initial configuration of the Check Point Appliance can be done through a First Time Configuration Wizard. When initial configuration is completed, every entry that uses http://my.firewall shows the WebUI...
  • Page 28 Alternatively, follow the connection procedure below. When you successfully connect, a security policy and other settings are pushed to the appliance. The settings defined by Cloud Services contain your activated blades, security policy, and service settings. Check Point 700/900 Appliances Administration Guide R77.20.87...
  • Page 29 At the bottom of the login page - The name defined by the Cloud Services Provider for your Security Gateway and the MAC address of the Check Point Appliance. • At the top of the WebUI application (near the search box) - The name of your Check Point Appliance. These are the sections on this page: Cloud Services •...
  • Page 30 Check Point User Center with its credentials to pull the license information and activate the appliance. In most cases, you must first register the appliance in your Check Point User Center account or create one if you don't already have one. A User Center account is necessary to receive support and updates.
  • Page 31 The Site Map > page shows a site map of the WebUI. It shows all of the tabs and the pages they contain. Click the link to any page directly from the Site Map page.
  • Page 32 Traffic - Shows upload and download packet rates for all IP addresses when traffic monitoring is active. Note - Traffic monitoring does not differentiate between IPv4 and IPv6 addresses. To temporarily block a device: Select the device and click Block.
  • Page 33 Connections. You can click the links to open the corresponding WebUI pages. The Monitoring page is divided into these sections: • Network • Security • Troubleshooting To expand or collapse the sections, click the arrow icon in the section's title bar.
  • Page 34 Anti-Bot - Malware detected by the Security Gateway. • Anti-Virus - Malware detected by the Security Gateway. • Threat Emulation - Malicious files found since the last reboot and how many files were scanned. • The number of IPS attacks.
  • Page 35 2 hours. The total wait is 2 hours. After you start up an appliance, reports are generated: • Hourly reports - 2-3 minutes from startup. • Daily reports - 1-2 hours from startup.
  • Page 36 On the page you can: • Monitor system resources. • Show the routing table. • Verify the appliance connectivity to Cloud Services. • Display DSL Statistics (DSL models only). • Generate a CPInfo file.
  • Page 37 To perform a DNS lookup: 1. Enter a Host Name or IP Address. 2. Click Lookup. The output appears in the Command Output window. 3. Click Close to return to the Tools page.
  • Page 38 Note - This page is available from the Home, Device, and Logs & Monitoring tabs. Managing the Device This section describes how to set up and manage your Check Point Appliance. Configuring Internet Connectivity The Device > Internet page shows how the Check Point Appliance connects to the Internet. You can configure a single Internet connection or multiple connections in High Availability or Load Balancing configurations.
  • Page 39 Note - If you use an analog modem through the serial port, you cannot connect to the appliance with the serial port or get terminal server functionality. For more on the terminal server, go to Device > Advanced Settings.
  • Page 40 Only one internet connection can be established over a VDSL/ADSL interface carrying ATM traffic or a USB interface. • One IPoE or PPPoE connection can be established over ATM running over the DSL interface.
  • Page 41 - In Service, enter a service name (optional) and select the Authentication method. • Connect on demand - Select the checkbox if necessary. This is relevant only when you are in high availability mode. Port Settings
  • Page 42 The traffic to the Internet is divided between all available connections based on their weights. NAT Settings If the gateway's global hide NAT is turned on in the Access Policy > page, you can disable NAT settings for specified internet connections.
  • Page 43 730/750 appliances only: The wireless client search options depend on the frequency that the appliance is set to. The Check Point Appliance can be configured to only one frequency at a time and is set to 2.4 GHz by default. If you change the radio settings to 802.11 ac or 802.11...
  • Page 44 Wireless Network tab Interface Configuration • Assigned to - Select Separate network or one of the existing configured networks. When selecting a separate network, configure this information: • IP address - IPv4 and IPv6 addresses.
  • Page 45 DNS Server Settings (For DHCPv4) These settings are effective only if a DHCPv4 server is enabled. • Auto - This uses the DNS configuration of the appliance as configured in the Device > Internet pages.
  • Page 46 Between the LAN ports of a switch, traffic is not monitored or inspected. Note - MAC filtering is disabled on switch networks. To enforce MAC filtering on a network with several ports, use bridge.
  • Page 47 > page. 700 appliances only: There are two radio transmitters: 2.4 GHz and 5 GHz. Each network is configured separately under a specified transmitter. You can also use unassigned LAN ports to create an internet connection. In the table, these ports are Assigned to Internet.
  • Page 48 Security Gateways can monitor traffic from a Mirror Port or Span Port on a switch. With Monitor Mode, the appliance uses Automatic Learning or user-defined networks to identify internal and external traffic, and to enforce policy.
  • Page 49 The Internal network you defined (with Monitor Mode in the name) shows in the list of interfaces. Note - You can configure multiple local networks to be in monitor mode at the same time (700 and 910 appliances). After you configure monitor mode:...
  • Page 50 • MTU size - Configure the Maximum Transmission Unit size for an interface. Note that in the Check Point Appliance, the value is global for all physical LAN and DMZ ports. • Disable auto negotiation - Select this option to manually configure the link speed of the interface.
  • Page 51 Route Based VPN tunnel. The Route Based VPN tunnel works as a point-to-point connection between two peer Security Gateways in a VPN community. Each peer Security Gateway has one VTI that connects to the tunnel.
  • Page 52 IP addresses by defining network objects in the > Network Objects page. Reserving specific IP addresses requires the MAC address of the device. • Relay - Enter the DHCP server IP address. • Disabled
  • Page 53 Default Gateway Select one of these options: • Use this gateway's IP address as the default gateway • Use the following IP address - Enter an IP address to use as the default gateway.
  • Page 54 (Active Directory, RADIUS or local). Hotspot is automatically activated in the system. To turn off Hotspot: 1. Go to Device > Advanced Settings. 2. Search for Hotspot and double-click the entry.
  • Page 55 The Edit <interface> window opens. 3. Select Hotspot. 4. Click Apply. Any user that browses from configured interfaces is redirected to the Check Point Hotspot portal. To configure Hotspot exceptions: 1. Click Manage Exceptions. The Manage Hotspot Network Objects Exceptions window opens.
  • Page 56 Specified Internet connection from the connections configured in the appliance • Specified VPN Tunnel Interface (VTI) Metric Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is selected.
  • Page 57 (next hop) to a different IP address. 4. Click Apply. When no default route is active, this message shows: "Note - No default route is configured. Internet connections might be down or not configured."
  • Page 58 5. To delete a MAC address, select it from the list and click To disable MAC filtering for a specific interface: 1. Go to Device > Local Network. 2. Select a LAN interface and click Edit. The Edit LAN window opens. 3. Click Advanced.
  • Page 59 > VLAN. 2. Select the LAN and click New. The VLAN Configuration window opens in the tab. 3. For Assigned to, select the LAN ID. 4. In the Advanced tab, select Activate 802.1x authentication.
  • Page 60 ISP). If Internet Connection High Availability is enabled, the DNS servers switch automatically upon failover. 2. By default, the Check Point Appliance functions as your DNS proxy and provides DNS resolving services to internal hosts behind it (network objects). This option is global and applies to all internal networks.
  • Page 61 4. Click Apply. Configuring the Proxy Server In the Device > Proxy page, you can configure a proxy server to use to connect to the Check Point update and license servers. To configure a proxy server: 1. Select Use a proxy server. Host name or IP address.
  • Page 62 If the gateway is configured by Cloud Services, automatic firmware upgrades are locked. They can only be set by Cloud Services. To manually upgrade your appliance firmware: 1. Click Manual Upgrade. The Upgrade Software Wizard opens. 2. Follow the Wizard instructions.
  • Page 63 The IPv6 Enforcement Settings window opens. 2. To enforce the IPv6 security policy, click the checkbox. 3. To enable IPv6 networking, click the checkbox. 4. Click Apply. Note - This causes the appliance to reboot.
  • Page 64 2. To encrypt the file, click If you select this option, you must enter and confirm a password. 3. Optional - add a comment about the backup file. 4. Click Create Backup. System settings are backed up.
  • Page 65 4. Enter a username and password. 5. Click Apply. Configuring Local and Remote System Administrators The Device > Administrators page lists the Check Point Appliance administrators and lets you: • Create new local administrators. • Configure the session timeout. • Limit login failure attempts.
  • Page 66 You must configure the IP address and shared secret used by the RADIUS server. 3. When you have a configured RADIUS server, click edit permissions. The RADIUS Authentication window opens. 4. Click the Enable RADIUS authentication for administrators checkbox.
  • Page 67 Configuring a RADIUS Server for non-local Check Point Appliance users: Non-local users can be defined on a RADIUS server and not in the Check Point Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions.
  • Page 68 = nokiaipso ignore-ports = no port-number-usage = per-port-type help-id = 2000 3. Add to the dictiona.dcm file the line: "@checkpoint.dct" 4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where...
  • Page 69 Appliance Configuration 3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where <role> is the name of the administrator role that is defined in the WebUI. Administrator Role Value Super Admin...
  • Page 70 Appliance Configuration To log in as a Super User: A user with super user permissions can use the Check Point Appliance shell to do system-level operations, including working with the file system. 1. Connect to the Check Point Appliance platform using an SSH client or serial console client.
  • Page 71 6. Change the and/or if necessary. 7. Click Apply. An administrator can access the Check Point Appliance using the configured IP addresses through the allowed interface sources. To allow administrator access from both specified and any IP addresses: Select this option when it is necessary to allow administrator access from the Internet (you must define the specified IP addresses).
  • Page 72 Configure DDNS account details in one of the supported providers. • Configure a service that lets you remotely connect to the appliance in instances where it is behind NAT, a firewall, or has a dynamically assigned IP address.
  • Page 73 To register to the Reach My Device service: 1. Click Register. The Reach My Device window opens. 2. For Host Name, use the default host name or enter a name for this Check Point Appliance to enable remote access. 3. Register with an existing host name
  • Page 74 Appliance Configuration How to access the gateway with the Reach My Device service: When registration is complete, an outgoing tunnel to the Check Point Cloud Service is established with the appliance's IP address. Remote Access to the WebUI Web Link - Use this URL in a browser to remotely access the appliance. For example: https://my gateway-web.smbrelay.checkpoint.com.
  • Page 75 2. Enter the Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can
  • Page 76 After you define a cluster, you can select Enable or Disable for the cluster. The page shows the configured interfaces for monitoring or high availability enabled in a table, where you can edit them.
  • Page 77 1. Click Disable Force Member Down. A confirmation message shows. 2. Click Yes. The original primary member is now the active member of the cluster. To see detailed information about the cluster status: Click Diagnostics.
  • Page 78 This is because all cluster management is done from the active member. Upgrading a cluster member: • Upgrade each cluster member individually. • Start with the standby member. • After upgrade, the appliance automatically reboots. • Only manual upgrade is supported.
  • Page 79 2. Click Upgrade. The Upgrade Software Wizard opens. 3. Follow the wizard instructions. Note - 700 and 910 appliances support both IPv4 and IPv6 addresses. High Availability cluster only supports IPv6 in dual mode. Configuring Advanced Settings Device > Advanced Settings...
  • Page 80 The major benefit of Aggressive Aging is that it starts to operate when the machine still has available memory and the connections table is not entirely full. This way, it reduces the chances of connectivity problems that might have occurred under low-resource conditions.
  • Page 81 Detection window: Time that will indicate an ARP spoofing attack. ...addresses to indicate attack. Suspicious MAC block period: Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list.
  • Page 82 Application & URL Filtering Attributes / Description. Block when service is unavailable: Indicates if web requests are blocked when the Check Point categorization and widget definitions Online Web Service is unavailable. Categorize cached and translated pages: Indicates if to perform URL categorization of cached pages and translated pages created by search engines.
  • Page 83 (default). This option reduces latency in the categorization procedure. Hold - Requests are blocked until categorization is complete. When a request cannot be categorized with the cached responses, it remains blocked until the Check Point Online Web Service completes categorization. Capacity Optimization Capacity Description...
  • Page 84 Attribute / Description. DSL globals - VDSL2: Supports ITU G.993.2 VDSL2. DSL globals - ADSL Dmt (G.992.1): Supports ITU G.992.1 ADSL (G.dmt). DSL globals - ADSL lite (G.992.2): Supports ITU G.992.2 ADSL Lite (G.lite).
  • Page 85 Firewall Policy Attribute / Description. Blocked packets action: Action for blocked packets: Drop, reject or automatic (drop from external and reject from internal).
  • Page 86 Description. Enable portal: Select Disabled to disable the hotspot feature entirely. Prevent simultaneous log-in: The same user will not be allowed to log in via the hotspot portal from more than one machine in parallel.
  • Page 87 Max ping limit: Indicates the maximal ping packet size that is allowed when the 'Max Ping Size' protection is active. Non-standard HTTP ports: Enable HTTP inspection on non-standard ports for the IPS blade.
  • Page 88 • Send detailed error code - You can enter manually defined text that is shown in the HTML page. Enter the text in the Description box. For example, "Access denied due to IPS policy violation."
  • Page 89 ...administrator access from remote Management Server: ...Security Management Server without the need to enter a user name and password. Show device details in Login: Indicates if appliance details are shown when an administrator accesses the appliance.
  • Page 90 Automatic ARP configuration is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NAT IP address appears in both), then the manual configuration is used.
  • Page 91 NAT cache number of entries: Indicates the maximum number of NAT cache entries. NAT hash size: Indicates the hash bucket size of NAT tables. NAT limit: Indicates the maximum number of connections with NAT.
  • Page 92 ...certificate: Indicates if the SSL certificate should be ignored when running the access service. Server address: Indicates the address of the remote server that allows administration access to the appliance from the Internet even when behind NAT.
  • Page 93 SSL Inspection Attributes / Description. Additional HTTPS ports: Additional HTTPS ports for SSL inspection (a comma separated list of ports/ranges).
  • Page 94 ...services (no): This parameter refers to all UDP/TCP connections which are not covered by the service objects.
  • Page 95 (TCP three-way handshake) exceeds this time period (in seconds). UDP virtual session timeout: A UDP virtual session is timed out after this time period (in seconds).
  • Page 96 This does not indicate an attempted attack and for this reason, the default is to NOT log such events.
  • Page 97 Hold • - Connections are blocked until classification is complete. When a connection cannot be classified with the cached responses, it remains blocked until the Check Point Online Web Service completes classification. Background • - Connections are allowed until classification is complete.
  • Page 98 Hold • - Connections are blocked until classification is complete. When a connection cannot be classified with the cached responses, it remains blocked until the Check Point Online Web Service completes classification. Background • - Connections are allowed until classification is complete.
  • Page 99 ...gateway: The IP address of the primary remote emulation gateway. Threat Prevention Policy Attributes / Description. Block when service is unavailable: Block web request traffic when the Check Point ThreatCloud online web service is unavailable (Allow all requests / Block all requests). Fail mode: Indicates the action to take on traffic in case of an internal system error or overload.
  • Page 100 User Awareness is selected in Users & Objects > > Browser-Based Authentication Identification > tab. Without DNS traffic, the browsers of end users may not show the Captive Portal.
  • Page 101 Back connections enable: Enable back connections from the encryption domain behind the gateway to the client. Back connections keep-alive interval: Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections.
  • Page 102 Delete SA message. This causes the remote client to discard the old SA and initiate IKE phase 1 to reopen the tunnel. Legacy NAT traversal: Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient.
  • Page 103 443, make sure to select Reserve port 443 for port forwarding. SNX keep-alive interval: Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets. ...re-authentication timeout: Indicates the time (in minutes) between re-authentication of SSL Network Extender remote access users.
  • Page 104 Cluster SA sync packets threshold: Sync SA with other cluster members when the number of packets reaches this threshold. Copy DiffServ mark from encrypted/decrypted IPSEC packet: Copy DiffServ mark from encrypted/decrypted IPSec packet.
  • Page 105 CA. IKE DoS from known sites protection: Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers.
  • Page 106 ...'Route all traffic to remote VPN site' configuration for admin access to the device: "Route all traffic to remote VPN site" is configured. Packet handling errors tracking: Indicates how to log the VPN packet handling errors: Log, don't log, or alert.
  • Page 107 ...connections to registered ports: Indicates if deep inspection over MGCP traffic automatically accepts MGCP connections to registered ports. Accept SIP connections to registered ports: Indicates if deep inspection over SIP traffic automatically accepts SIP connections to registered ports.
  • Page 108 Settings and Customizations Attributes. Use a company logo in the appliance's web interface: Multiple parameters. Select to display a different logo (not the Check Point default logo). For Company logo, click the Upload company logo link, browse to the logo file, and click Apply.
  • Page 109 Appliance Configuration Managing the Access Policy This section describes how to set up and manage your Check Point Appliance access policy. Configuring the Firewall Access Policy and Blade In the Access Policy > Firewall Blade Control page you can set the default Access Policy control level, set the default applications and URLs to block and allow secure browsing, and configure User Awareness.
  • Page 110 Applications and URL Filtering are service based features and require Internet connectivity to download the latest signature package for new applications and to contact the Check Point cloud for URL categorization. This page lets you define the default policy for Applications & URL Filtering control.
  • Page 111 2. Select the blades for which to schedule updates. You must manually update the rest of the blades when new update packages are available and a "not up to date" message is shown in the status bar at the bottom of the WebUI application.
  • Page 112 ... - Select the ... 4. Click Apply. User Awareness - User Awareness lets you configure the Check Point Appliance to enforce access control for individual users and groups and show user-based logs instead of IP address based logs. Initially, click Configure to set up how User Awareness recognizes users.
  • Page 113 Appliance Configuration. More Information - The Check Point Application Database contains more than 4,500 applications and about 96 million categorized URLs. Each application has a description, a category, additional categories, and a risk level. You can include applications and categories in your Application Control and URL Filtering rules. If your appliance is licensed for the Application Control &...
  • Page 114 ... URLs or groups. For more information, see Managing Applications & URLs (on page 182). This field is only shown in the Outgoing access to the Internet section. Service - Type of network service that is accepted or blocked.
  • Page 115 (to configure a user based policy, make sure the User Awareness blade is activated). Users can be defined locally on the appliance or externally in an Active Directory. For more details, see the Access Policy > User Awareness Blade Control page.
  • Page 116 You can customize messages to let the Security Gateway communicate with users. This helps users understand that some websites are against the company's security policy. It also tells users about the changing Internet policy for websites and applications. When you configure such...
  • Page 117 Redirect the user to URL - You can redirect the user to an external portal, not on the gateway. In the field, enter the URL for the external portal. The specified URL can be...
  • Page 118 2. When selecting built-in types, you can optionally click Edit to edit the protocol ports. 3. When you select Other Server: • Select the Protocol (TCP, UDP, or both). • Enter the TCP/UDP Ports (enter port numbers and/or port ranges separated by commas, for example, 1,3,5-8,15).
  • Page 119 When you complete the wizard, the server is added to the list of servers on the page and the automatically generated access rules are added to the Access Policy > Firewall Policy Rule Base. Note - This page is available from the Firewall sections on the Access Policy tab.
  • Page 120 Internet even if they do not have a routable IP address. You can also configure servers with NAT settings from this page. Note - 700 and 910 appliances support both IPv4 and IPv6 addresses. To disable NAT for outgoing traffic (hide NAT): By default, Hide NAT is configured for outgoing traffic.
  • Page 121 6. Select Hide multiple sources behind the translated source addresses if you want the original source to contain multiple IP addresses, IP ranges, networks, etc. and the translated source to be a single IP address.
  • Page 122 Note - For the majority of cases, manual NAT rules are not necessary. There is no need to use this option unless you are an experienced network administrator. See the Access Policy > ... Control page for the commonly used options.
  • Page 123 Note for Access Policy rules - you can only edit the tracking options for automatically generated rules. 1. Select a rule and click Edit. 2. Edit the fields as necessary. 3. Click Apply.
  • Page 124 User Awareness lets you configure the Check Point Appliance to show user based logs instead of IP address based logs and enforce access control for individual users and user groups.
  • Page 125 Click AD Branch and enter a branch path in the field. 5. Click Apply. You can also add a new AD Domain in the Users & Objects > Authentication Servers page.
  • Page 126 Portal Address - Keep the default setting, which is the address the Captive Portal runs on the Check Point Appliance, or enter a different portal address. Session timeout - Sets for how long an authenticated user can access the network or Internet before they have to authenticate again.
  • Page 127 Bandwidth consuming applications control can also be configured in the Access Policy > Firewall Blade Control and Policy pages.
  • Page 128 The tracking and logging action that is done when traffic matches the rule. Comment - An optional field that shows a comment if you entered one. For system generated rules of the default policy a Note is shown.
  • Page 129 This is shown as a comment below the rule. 8. Click Apply. Note - You can drag and drop rules to change the order of rules in the QoS Rule Base.
  • Page 130 • Application & URL Filtering • Anti-Virus • Anti-Bot • Threat Emulation. Deploying SSL Inspection - To deploy SSL inspection: 1. Select SSL Traffic Inspection. 2. Click Download CA Certificate to download the gateway's internal CA certificate.
  • Page 131 - Select to enable logs to indicate that the SSL inspection policy decision was inspect or bypass. Note - These logs are generated in addition to the logs generated by the Software Blades.
  • Page 132 SSL inspection for specific traffic. You can configure more advanced exceptions with specific scope, category, and tracking options. To add bypass exceptions: 1. Click New. 2. For each exception, enter: • Source • Destination
  • Page 133 2. Click Delete. Note - You can only delete a CA that was added by a user. To disable/enable a trusted CA: 1. Click the icon next to the CA. 2. Click Disable/Enable.
  • Page 134 > page. Check Point uses a large database of signature based protections and this page lets you use a default recommended policy. You can edit the policies and configure an IPS policy and Anti-Virus, Anti-Bot, and Threat Emulation policy that maximizes connectivity and security in your environment.
  • Page 135 Custom - A protection profile that you can manually define. To configure a Custom IPS Policy: The levels for each protection are defined by the Check Point IPS service: • Severity - How critical is the potential threat. • Confidence-level ...
  • Page 136 The confidence level value shows how well protections can correctly recognize a specified attack. The higher the Confidence level of a protection, the more confident Check Point is that recognized attacks are indeed attacks. Lower Confidence levels indicate that some legitimate traffic may be identified as an attack.
  • Page 137 In detect-only mode, only logs are shown and the blades do not block any traffic. To import an IPS update offline: On rare occasions, there are organizations where the gateway is without Internet connectivity, but IPS is still required. Please contact Check Point Support to receive an offline IPS update package. 1. Click Import manually at the bottom of the page.
  • Page 138 You can set specified files and URLs that the Anti-Virus, Anti-Bot and Threat Emulation blades do not scan or analyze. For example, if there are files that you know are safe but can create a false positive when analyzed, add them to the Files Whitelist.
  • Page 139 Object name - Shows the object name if the host or server was configured as a network object. • IP/MAC address • Device/User Name - Shows a device or user name if the information is available to the Check Point Appliance through DHCP or User Awareness.
  • Page 140 An alert is a flag on a log. You can use it to filter logs. 4. Optional - Add a comment in the Write a comment field. 5. Click Apply. The rule is added to Malware Exceptions on the Threat Prevention > Exceptions page.
  • Page 141 • Prevent • Detect • Inactive. The protection's actions are not affected anymore by the IPS policy configuration. 4. Select a Track option for the protection. 5. Click Apply.
  • Page 142 See the Threat Prevention > Blade Control page for a description of the action types. URLs with malware - Protections related to URLs that are used for malware distribution and malware infection servers.
  • Page 143 Reputation domains - Protections related to Command & Control (C&C) servers. Each host is checked against the Check Point ThreatCloud reputation database. Reputation IPs - Protections related to Command & Control (C&C) servers. Each IP is checked against the Check Point ThreatCloud reputation database.
  • Page 144 Hold - Connections are blocked until emulation is complete. In Threat Emulation, each file is run in the Check Point Public ThreatCloud to see if the file is malicious. The verdict is returned to the gateway. You can change the emulator location to a local private SandBlast appliance in the Advanced Settings page.
  • Page 145 (Hotspot and captive portal used by User Awareness). Click Upload, browse to the logo file and click Apply. If necessary, you can revert to the default logo by clicking Default. 5. Click Apply.
  • Page 146 Check Point can identify spam emails by their source address (most spam emails) and also the email content itself. You can configure the system to simply flag emails with spam content instead of blocking them and then configure your internal email server to use this flag to decide how to handle them.
  • Page 147 To block or allow by senders requires the Anti-Spam engine to be configured to filter based on Email content in the Threat Prevention > Anti-Spam Blade Control page. Note - IP address exceptions are ignored for POP3 traffic.
  • Page 148 If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services.
  • Page 149 Settings. These credentials are sent to the end user. Note - If you select Show characters, the password characters are visible. You can also specify the screen size of the remote desktop. The default mode is full screen.
  • Page 150 If the default remote access port (port 443) and a server use the same port, a conflict message shows. You must change the default remote access port if the Check Point VPN client, Mobile client, or SSL VPN remote access methods are enabled as they use port 443 by default.
  • Page 151 3. When an Active Directory has been defined, you see a list of available user groups defined in the server. 4. Select one of the user groups. 5. Click Apply. The Active Directory group is added to the table on the page.
  • Page 152 3. Make the relevant changes and click Apply. To delete a user or group: 1. Select the user or group from the list. 2. Click Delete. 3. Click in the confirmation message. The user or group is deleted.
  • Page 153 - The secret (pre-shared information used for message "encryption") between the RADIUS server and the Check Point Appliance. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \ Show - Displays the shared secret.
  • Page 154 When you edit, note that the Domain information is read-only and cannot be changed. When you add a new Active Directory domain, you cannot create another object using an existing domain.
  • Page 155 The appliance assigns each remote access user an IP address from a specified network so that the traffic inside the organization is not aware that it originated from outside the organization.
  • Page 156 For information on creating a new network object, see the Users & Objects > Network Objects page. 5. Click Apply. The Remote Access Local Encryption Domain window opens and shows the services you selected.
  • Page 157 Tooltip - Description 3. Click Apply. If you select RDP as the bookmark type, you must enter the user name and password in the Advanced Settings. These credentials are sent to the end user.
  • Page 158 The remote site can be accessible through another Check Point appliance (recommended) or a 3rd party VPN solution. Once defined, access to the remote site is determined by the incoming/internal/VPN traffic Rule...
  • Page 159 - The gateway uses its own certificate to authenticate itself. For more information, see ... > Internal Certificate. 5. Select the Remote Site Encryption Domain. Configure the conditions to encrypt traffic and send to this remote site.
  • Page 160 Settings • Select to configure if the remote site is a Check Point Security Gateway. To enable permanent VPN tunnels, click the checkbox. • Select to disable NAT for this site. The original IP addresses are used even if hide NAT is defined.
  • Page 161 RDP session to test the route. The first IP to respond is chosen, and stays chosen until the VPN configuration changes. When you finish the new VPN site configuration, click Apply.
  • Page 162 If you try to configure two gateways to be the center, an error message shows. If you do not configure one gateway as a center, the site to site VPN acts like a mesh community and each gateway continues to handle its own traffic.
  • Page 163 Appliance Configuration To run a tunnel test with a remote site: Check Point uses a proprietary protocol to test if VPN tunnels are active. It supports any site-to-site VPN configuration. Tunnel testing requires two Security Gateways and uses UDP port 18234.
  • Page 164 Services, the community name with which the tunnel is associated. Status - VPN tunnel status indication. To filter the list: In the Type to filter box, enter the filter criteria. The list is filtered.
  • Page 165 Specify which interface is used for incoming and outgoing VPN traffic. • Determine the best possible path for the traffic. In addition, with the Link Selection mechanisms, the administrator can select which source IP addresses are used for VPN traffic.
  • Page 166 VPN tunnel. Tunnel Health Monitoring Dead Peer Detection (DPD) is an additional keepalive mechanism supported by the Check Point Security Gateway to test if VPN tunnels are active. DPD uses IPsec traffic to minimize the number of messages required to confirm the availability of a peer and requires an IPsec established tunnel.
  • Page 167 4. Click Details to see full CA details. 5. Click Apply. To delete a trusted CA: 1. Select the trusted CA from the list and click Delete. 2. Click in the confirmation message.
  • Page 168 4. When you receive the signed certificate from the CA, upload it to the appliance. To create a new certificate to be signed by a CA: 1. Click New Certificate Signing Request. The New Certificate Request window opens. 2. Enter a name.
  • Page 169 When DDNS is configured, you only need to reinitialize the certificate once. Changes in the DDNS feature configuration by default automatically reinitialize certificates. To reinitialize certificates: 1. Click Reinitialize Certificates. The Reinitialize Certificates window opens. 2. Enter the Host/IP address.
  • Page 170 If it is correctly formatted, it is signed by the Internal CA and the Download button is available. 3. Click Download. The signed certificate is downloaded through your browser and is available to be imported to the remote site's certificates list.
  • Page 171 User Awareness lets you configure the Check Point Appliance to show user based logs instead of IP address based logs and enforce access control for individual users and user groups.
  • Page 172 In most cases, all traffic is not used because it is not a seamless identification method. 3. Under Specific destinations, select Internet or Selected network objects. If you select Selected network objects, select the objects from the list or create new objects. 4. Click Finish.
  • Page 173 Portal Address - Keep the default setting, which is the address the Captive Portal runs on the Check Point Appliance, or enter a different portal address. Session timeout - Sets for how long an authenticated user can access the network or Internet before they have to authenticate again.
  • Page 174 The user or group is deleted. Configuring Local and Remote System Administrators - The Device > Administrators page lists the Check Point Appliance administrators and lets you: • Create new local administrators. • Configure the session timeout. •...
  • Page 175 2. Make sure a RADIUS server is defined on the appliance. If there is no server, click the RADIUS configuration link at the top of this page. You must configure the IP address and shared secret used by the RADIUS server.
  • Page 176 2. Select an administrator from the pull down menu. 3. Click Generate. This generates a QR code to connect the Check Point WatchTower mobile application with the appliance for the first time. For more information about the mobile application, see the Check Point SMB WatchTower App User Guide https://sc1.checkpoint.com/documents/SMB_WatchTower_App_UserGuide/html_frameset.htm.
  • Page 177 Configuring a RADIUS Server for non-local Check Point Appliance users: Non-local users can be defined on a RADIUS server and not in the Check Point Appliance. When a non-local user logs in to the appliance, the RADIUS server authenticates the user and assigns the applicable permissions.
  • Page 178 ... CP-Gaia-SuperUser-Access integer CheckPoint 2. Add to /etc/freeradius/dictionary the line: "$INCLUDE dictionary.checkpoint" 3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where <role> is the name of the administrator role that is defined in the WebUI.
  • Page 179 To log in as a Super User: A user with super user permissions can use the Check Point Appliance shell to do system-level operations, including working with the file system. 1. Connect to the Check Point Appliance platform using an SSH client or serial console client.
  • Page 180 - The secret (pre-shared information used for message "encryption") between the RADIUS server and the Check Point Appliance. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \ Show - Displays the shared secret.
  • Page 181 2. Click Edit. 3. Make the relevant changes and click Apply. To delete an Active Directory: 1. Select the Active Directory from the list. 2. Click Delete. 3. Click in the confirmation message.
  • Page 182 URLs. What is a category? Each URL is inspected by the Check Point Cloud using the URL Filtering blade and can be matched to one or more built in categories (for example, phishing sites, high bandwidth, gambling, or shopping, etc.).
  • Page 183 You use service objects to easily define the different network protocols. This is usually with IP protocol and ports (used by the TCP and UDP IP protocols).
  • Page 184 - For TCP services, enable this option to delay telling the Check Point Appliance about a connection so that the connection is only synchronized if it still exists in X seconds after the connection...
  • Page 185 2. As you enter text, the list is filtered and shows matching results. Built-in System Services Some built-in services represent Check Point's ability to perform deep inspection of the specific protocol. These system services cannot be deleted. When you edit them, the ports which you configure decide when the deep inspection occurs and you can add or change default ports.
  • Page 186 The service group is added to the list of groups. To edit a service group: 1. Select a group from the list. 2. Click Edit. 3. Make the necessary changes. 4. Click Apply.
  • Page 187 2. As you enter text, the list is filtered and shows matching results. Built-in System Service Groups Some built-in service groups represent Check Point's ability to perform deep inspection of a specific protocol. Such system service groups cannot be deleted. They contain a list of built in services which you can restore if you edit the content of such groups by clicking Reset.
  • Page 188 To filter for a specified network object: 1. In the Type to filter box, enter the name of the network object or part of it. 2. As you enter text, the list is filtered and shows matching results.
  • Page 189 To filter for a specified service group: 1. In the Type to filter box, enter the network object group name or part of it. 2. As you enter text, the list is filtered and shows matching results.
  • Page 190 When you insert an SD card, it mounts automatically and then local logs are saved to it. Before you eject an SD card, make sure to unmount it. Select Options > Eject SD card safely.
  • Page 191 This is an effort to keep syslogs persistent across boot, but not 100% guaranteed. To refresh the system logs list: Click Refresh. The list is refreshed. To clear the log list: 1. Click Clear Logs. 2. Click in the confirmation message.
  • Page 192 Note - You cannot configure external log servers when Cloud Services is turned on. External Check Point Log Server You can use an external Check Point log server that is managed by a Security Management Server for storing additional logs.
  • Page 193 6. To fetch the policy from the cloud, go to > and click After you initiate traffic from resources behind the gateway, open the Check Point Log Server to verify that you see the logs. For more information, see sk145614 http://supportcontent.checkpoint.com/solutions?id=sk145614.
  • Page 194 Device/User Name - Shows a device or user name if the information is available to the Check Point Appliance through DHCP or User Awareness. • Incident type - Shows the detected incident type: • Found bot activity • Downloaded a malware • Accessed a site known to contain malware
  • Page 195 The rule is added to Malware Exceptions on the Threat Prevention > Exceptions page. To view the logs of a specified entry: 1. Select the list entry for which to view logs. 2. Click Logs.
  • Page 196 Viewing Active Connections - The Logs & Monitoring > Connections page shows a list of all active connections. The list shows these fields: • Protocol • Source Address • Source Port • Destination Address • Destination Port
  • Page 197 To turn SNMP on or off: 1. Change the SNMP On/Off slider position to ON or OFF. 2. Click Apply. SNMP must be set to on to configure all SNMP settings (users, traps, and trap receivers).
  • Page 198 2. Select the option to enable the trap or clear it to disable the trap. 3. If the trap contains a value, you can edit the threshold value when necessary. 4. Click Apply.
  • Page 199 Note - When you upgrade with a USB drive, you also replace the saved factory defaults image of the appliance as this method reburns the appliance. Note - Uboot update from a USB drive is currently not supported in 700 and 910 appliances.
  • Page 200 (u-boot*.bin files or fwl*.gz files). 3. Insert the SD card into the SD card slot on the Check Point Appliance. If the operation does not succeed, this may be because the SD card slot does not recognize all devices.
  • Page 201 3. You are asked if you want to manually load the image from a TFTP server, or if you want to use automatic mode with a bootp server. 4. If you select manual mode, you are asked to fill in the IP of the Check Point Appliance, the IP of the TFTP server, and the image name.
  • Page 202 As part of a troubleshooting process, you can restore the Check Point Appliance to its factory default settings if necessary. You can restore a Check Point Appliance to the factory default image with the WebUI, Boot Loader, or a button on the back panel.
  • Page 203 This takes up to a few minutes. When completed, the appliance boots automatically. To disable the reset to default: Use this CLI command: >set additional-hw-settings reset-timeout 0 To enable the reset to default: Use this CLI command: >set additional-hw-settings reset-timeout 12
  • Page 205 Index: Capacity Optimization • 83; Check Point 700 and 900 Appliance Overview • 7; Cloud Services Firmware Upgrade • 84; Cluster • ...; Deploying from a USB Drive or SD Card • 12; Deploying the Configuration File - Existing Configuration • 14; Deploying the Configuration File - Initial ...
  • Page 206 Index: Sample Configuration File • 13; Sample Configuration Log with Error • 16; Serial Port • 93; Setting Up the Check Point Appliance • 8; SNMP • 197; SSL Inspection • 93; SSL Inspection Advanced • ...; Working with User Awareness • 124, 171; Zero Touch Cloud Service • 10
