Check Point VPN-1 Edge serial settings
In this tab you configure the physical ports of the selected UTM-1 Edge device, defining the valid use of each port. You can assign an RS (serial) port to a dial-up modem or to a serial console. You can edit port usage through SmartProvisioning.

SmartProvisioning settings affect a device only if the device topology is set to "All IP addresses behind the gateway based on Interfaces information". If you select "Use the following settings", the table and the Edit button are enabled. You cannot add port assignments from SmartProvisioning; this must be done locally on the device, so that a port that does not physically exist on the device cannot be configured.

For information on these classes and their defaults, see Predefined QoS Classes.

Note: Restoring defaults deletes any additional classes you defined in Traffic Shaper and resets all rules to use the Default class. If one of the additional classes is currently used by a rule, you cannot reset Traffic Shaper to defaults.

To restore Traffic Shaper defaults: 1. Click Restore Defaults.

Two setup paths are available for the WLAN. Wireless Wizard guides you through the WLAN setup step by step (see Using the Wireless Configuration Wizard). Show Advanced Settings offers advanced setup options.

Note: It is recommended to configure the WLAN via Ethernet and not via a wireless connection, because the wireless connection may drop after a change to the configuration.

Virtual access points (VAPs) enable you to configure separate policies for different groups of wireless users. For example, a Guest VAP could use simple WPA-Personal encryption, with a security policy mandating that stations connected to this network can access the Internet but not sensitive company resources. You could configure Traffic Shaper bandwidth management to give stations in the Guest network a low priority, and by enabling Secure HotSpot on this network you could define terms of use that guest users must accept before accessing the Internet.

VPN-1 Edge wireless appliances support the latest wireless standards. They also support a special Super G mode that allows a higher throughput with Super G compatible stations.

VPN-1 Edge wireless appliances transmit in the 2.4 GHz band. In addition, the VPN-1 Edge appliance supports a special extended range (XR) mode that allows up to three times the range of a regular wireless LAN. XR dramatically stretches the performance of a wireless LAN by enabling long-range connections, with ranges of up to 1 km outdoors with XR-enabled wireless stations; actual range depends on the environment.

Wireless Security Protocols. The following security modes are available:

None. This option is not recommended, because it allows unauthorized users to access your WLAN, although you can still limit access from the WLAN by creating firewall rules. This method is suitable for creating public access points.

WEP. This method is not recommended, due to known security flaws in the WEP protocol. It is provided for compatibility with existing wireless deployments. Note: The appliance and the wireless stations must be configured with the same WEP key.

Authentication only. This method is recommended for situations in which you want to authenticate wireless users, but do not need to encrypt the data.

WPA-Enterprise. This method is recommended for situations where you want to authenticate wireless stations using a RADIUS server, and to encrypt the transmitted data.

WPA-Personal. WPA-Personal periodically changes and re-authenticates encryption keys; this is called rekeying. This option is recommended for small networks that want to authenticate and encrypt wireless data, but do not want to install a RADIUS server. Note: The appliance and the wireless stations must be configured with the same passphrase.

WPA2. WPA2 is also supported; see the Require WPA2 field under Basic Wireless Settings Fields.

To configure a WLAN: 1. Prepare the appliance for a wireless connection as described in Network Installation. 2. Choose a security mode; for information on security modes, see Basic Wireless Settings Fields. The WLAN network must not overlap other networks. 3. Complete the fields using the information in Basic Wireless Settings Fields. 4. To configure advanced settings, click Show Advanced Settings and complete the fields using the information in Advanced Wireless Settings Fields. A warning message appears, telling you that you are about to change your network settings.

Prepare the wireless stations. See Preparing the Wireless Stations.

Table: Basic Wireless Settings Fields

Network Name (SSID): This name will be visible to wireless stations passing near your access point, unless you enable the Hide the Network Name (SSID) option. It can be up to 32 alphanumeric characters long and is case-sensitive.

Country: Select the country where you are located. Warning: Choosing an incorrect country may result in the violation of government regulations.

Operation Mode: The appliance operates in the 2.4 GHz band. Depending on the selected mode, only stations that support one particular wireless standard can connect, or stations that support either of two standards can connect. The list of modes depends on the selected country. You can prevent older wireless stations from slowing down your network by choosing an operation mode that restricts access to newer wireless stations. Note: The actual data transfer speed is usually significantly lower than the maximum theoretical bandwidth and degrades with distance.

Important: The station wireless cards must support the selected operation mode.

Channel: Automatic means the VPN-1 Edge appliance selects a channel; otherwise select a specific channel. The list of channels depends on the selected country and operation mode. Note: If there is another wireless network in the vicinity, the two networks may interfere with one another. To avoid this problem, the networks should be assigned channels that are at least 25 MHz (5 channels) apart. Alternatively, you can reduce the transmission power.

Security: For information on the supported security protocols, see Wireless Security Protocols.

Passphrase: Type the passphrase for accessing the network, or click Random to randomly generate a passphrase. This must be between 8 and 63 characters. It can contain spaces and special characters, and is case-sensitive.

For the highest security, choose a long passphrase that is hard to guess, or use the Random button. Note: The wireless stations must be configured with this passphrase as well.

Require WPA2: Require stations to use WPA2.

WEP keys: The wireless stations must be configured with the same key as well.

Key 1, 2, 3, 4 radio button: Click the radio button next to the WEP key that this gateway should use for transmission. The selected key must be entered in the same key slot on the station devices, but the key need not be selected as the transmit key on the stations. Note: You can use all four keys to receive data.

Key 1, 2, 3, 4 length: Select the WEP key length from the drop-down list: 10, 26 or 32 hexadecimal characters. Note: WEP is generally considered to be insecure, regardless of the selected key length.

Key 1, 2, 3, 4 text box: Type the WEP key, or click Random to randomly generate a key matching the selected length. The key is composed of hexadecimal characters (0-9 and A-F) and is not case-sensitive.

Hide the Network Name (SSID): Hide the SSID, so that only devices to which your SSID is known can connect to your network; or do not hide the SSID, in which case any device within range can detect your network name using the wireless network discovery features of some products, such as Microsoft Windows XP, and attempt to connect to your network. Hiding the SSID only removes it from beacons; it is still sent in the clear whenever a station that knows it associates, so it is not recommended to rely on this setting alone for security.

MAC address filtering: Enable MAC address filtering, so that only MAC addresses that you added as network objects can connect to your network (for information on network objects, see Using Network Objects); or disable MAC address filtering. A MAC address is trivially changed on most cards, so treat this as a convenience control rather than as authentication.

Station-to-station traffic: Allow stations to communicate with each other, or block traffic between wireless stations.

Transmission rate: Automatic means the VPN-1 Edge appliance selects a rate.

Transmitter Power: Select the transmitter power. Setting a higher transmitter power increases the access point's range. A lower power reduces interference with other access points in the vicinity. The default value is Full. It is not necessary to change this value unless there are other access points in the vicinity.

Antenna selection: Signals that are reflected by a surface reach the receiver after the non-reflected signals and distort them (multipath distortion). VPN-1 Edge appliances avoid the problems of multipath distortion by using an antenna diversity system.

To provide antenna diversity, each wireless security appliance has two antennas. With automatic selection, the VPN-1 Edge appliance receives signals through both antennas and automatically selects the antenna with the least distorted signal to use for communicating. The selection is made on a per-station basis. ANT 1: the ANT 1 antenna is always used for communicating. ANT 2: the ANT 2 antenna is always used for communicating.

Fragmentation Threshold: Type the smallest IP packet size, in bytes, that requires the IP packet to be split into smaller fragments. If you are experiencing significant radio interference, set the threshold to a low value to reduce the error penalty and increase overall throughput. Otherwise, set the threshold to a high value to reduce overhead.

RTS Threshold: If multiple wireless stations are in range of the access point but not in range of each other, they might send data to the access point simultaneously, causing data collisions and failures. RTS ensures that the channel is clear before each packet is sent. If your network is congested and the users are distant from one another, set the RTS threshold to a low value. Setting a value equal to the fragmentation threshold effectively disables RTS.

XR: XR mode is disabled; or XR mode is enabled, in which case XR is automatically negotiated with XR-enabled wireless stations and used as needed.

WMM: WMM is disabled; or WMM is enabled, which allows smoother streaming of voice and video when using WMM-aware applications.

Using the Wireless Configuration Wizard. Click Wireless Wizard. The Wireless Security dialog box appears. WPA-Personal is recommended for small, private wireless networks that want to authenticate and encrypt wireless data but do not want to install a RADIUS server.

Using WEP, wireless stations must use a pre-shared key to connect to your network. WEP is widely known to be insecure, and is supported mainly for compatibility with existing networks and stations that do not support other methods.

For WPA-Personal, do the following: 1. In the text box, type the passphrase for accessing the network, or click Random to randomly generate a passphrase. The Wireless Security Complete dialog box appears. The wizard closes.

For WEP, do the following: 1. Choose a WEP key length. Note that WEP is generally considered to be insecure, regardless of the selected key length. 2. In the text box, type the WEP key, or click Random to randomly generate a key matching the selected length. The key is composed of hexadecimal characters (0-9 and A-F) and is not case-sensitive. The wireless stations must be configured with this same key. The Wireless Security Confirmation dialog box appears.

The procedure below explains how to add or edit a VAP. To add or edit a VAP: 1. Configure and enable the primary wireless network (WLAN). 2. Click Add Network. 3. In the Type drop-down list, select Virtual Access Point. The VAP network must not overlap other networks.
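The passphrase and WEP key rules from the Basic Wireless Settings fields and from the wizard steps above can be checked mechanically, and the reason the guide insists on a long passphrase becomes concrete once you see what the appliance and the stations actually do with it. The following is an added example, not code from the Check Point guide or from the appliance: it validates the key formats the guide describes (8 to 63 characters for WPA-Personal; 10, 26 or 32 hex characters for WEP), derives the WPA/WPA2-Personal pairwise master key exactly as IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt), and shows the offline guessing an attacker performs against a weak passphrase. All function names and sample values are the example's own; the "password"/"IEEE" pair is the public 802.11i test vector.

```python
"""Added example: wireless key checks and the 802.11i passphrase-to-PMK derivation."""
import hashlib
import re
import secrets
import string
from typing import Iterable, Optional

# WEP key lengths in hex characters, as offered by the appliance, mapped to the
# secret-key size in bits (4 bits per hex digit). The advertised WEP strength
# adds the 24-bit IV: 40+24=64, 104+24=128, 128+24=152.
WEP_KEY_BITS = {10: 40, 26: 104, 32: 128}
_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def wep_key_bits(key: str) -> int:
    """Return the secret-key size of a WEP key, or raise ValueError."""
    if not _HEX.match(key):
        raise ValueError("WEP key must contain only hexadecimal characters (0-9, A-F)")
    if len(key) not in WEP_KEY_BITS:
        raise ValueError(f"WEP key must be {sorted(WEP_KEY_BITS)} hex characters long")
    return WEP_KEY_BITS[len(key)]


def random_wep_key(length: int = 26) -> str:
    """What the Random button does for a WEP key: uppercase hex of the chosen length."""
    if length not in WEP_KEY_BITS:
        raise ValueError("unsupported WEP key length")
    return secrets.token_hex(length // 2).upper()


def is_valid_wpa_passphrase(passphrase: str) -> bool:
    """802.11i rule the portal enforces: 8 to 63 printable ASCII characters
    (spaces and punctuation allowed, case-sensitive)."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def random_wpa_passphrase(length: int = 63) -> str:
    """What the Random button does for WPA-Personal: a full-length random passphrase."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase length must be 8..63")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so hiding the SSID does not protect the passphrase:
    the attacker reads the SSID from the association frames anyway."""
    if not is_valid_wpa_passphrase(passphrase):
        raise ValueError("invalid WPA passphrase")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def guess_passphrase(target_pmk: bytes, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing of the kind an attacker runs after capturing one WPA
    handshake. A real attack confirms each candidate through the handshake MIC;
    comparing against the PMK directly stands in for that step here. Each guess
    costs 4096 HMAC-SHA1 rounds, so only passphrase length (the search space)
    makes the guide's 'hard to guess' advice hold against a patient attacker."""
    for word in wordlist:
        if is_valid_wpa_passphrase(word) and derive_pmk(word, ssid) == target_pmk:
            return word
    return None


if __name__ == "__main__":
    # Constructed demonstration values, not taken from any real deployment.
    pmk = derive_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    print("recovered:", guess_passphrase(pmk, "IEEE", ["letmein1", "password", "qwertyui"]))
    print("WEP key bits:", wep_key_bits(random_wep_key(26)))
```

Two points worth noting from running it: the same passphrase yields a different PMK on a different SSID (so precomputed tables must be built per SSID, and a non-default SSID costs the attacker real work), and a WEP key of any of the three lengths is still only a static RC4 key with a 24-bit IV, which is why the guide says the length does not make WEP secure.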

To prepare the wireless stations: 1. If you selected the WPA-Personal security mode, give the passphrase to the wireless stations' administrator. 2. The wireless stations' administrators should configure the wireless stations and connect them to the WLAN. Refer to the wireless cards' documentation for details. Note: Some wireless cards have "Infrastructure" and "Ad-hoc" modes. These modes are also called "Access Point" and "Peer to Peer". Choose the "Infrastructure" or "Access Point" mode.

You can set the wireless cards to either "Long Preamble" or "Short Preamble". Note: The wireless cards' region and the VPN-1 Edge appliance's region must both match the region of the world where you are located. If you purchased your VPN-1 Edge appliance in a different region, contact technical support.

What should I do if a station cannot connect? Check the SSID configured on the station first; the SSID is case-sensitive.

How do I test wireless reception? On the wireless station, open a command window and ping the VPN-1 Edge appliance. If you see a large number of dropped packets, you are experiencing poor reception.

The antennas radiate horizontally in all directions. Relocate the VPN-1 Edge appliance to a place with better reception, and avoid obstructions such as walls and electrical equipment. For example, try mounting the appliance in a high place with a direct line of sight to the wireless stations. Check for interference with nearby electrical equipment, such as microwave ovens and cordless or cellular phones. For minimum interference, channel separation between nearby access points must be at least 25 MHz (5 channels).

Range outdoors is normally much higher than indoors, depending on environmental conditions. Note: You can observe any changes in the wireless reception in the Active Computers page. Make sure to refresh the page after making a change. Note: Professional companies are available to help in setting up reliable wireless networks, with access to specialized testing equipment and procedures. If you have many concurrently active wireless stations, there may be collisions between them.

Such collisions may be the result of a "hidden node" problem: not all of the stations are within range of each other, and therefore are "hidden" from one another. For example, if station A and station C do not detect each other, but both stations detect and are detected by station B, then both station A and C may attempt to send packets to station B simultaneously.

In this case, the packets will collide, and Station B will receive corrupted data. The solution to this problem lies in the use of the RTS protocol.

Before sending, a station sends an RTS (Request To Send) packet to the recipient. If the recipient is not currently receiving packets from another source, it sends back a CTS (Clear To Send) packet, indicating that the station can send the IP packet. Lowering the RTS threshold causes stations to use RTS for smaller IP packets, decreasing the likelihood of collisions. Lowering the fragmentation threshold causes stations to fragment IP packets above a certain size into smaller packets, reducing the likelihood of collisions and increasing network speed.

I am not getting the full speed. What should I do? Better reception means better speed. Check that all your wireless stations support the wireless standard you are using: transmission speed is determined by the slowest station associated with the access point.

Viewing Reports. This chapter includes the following topics: Viewing the Event Log, Using the Traffic Monitor, Viewing Computers, Viewing Active Connections, Viewing Wireless Statistics, and Viewing ADSL Statistics.

Viewing the Event Log. The Event Log displays the most recent events and color-codes them.

Table: Event Log Color Coding
Blue: Changes in your setup that you have made yourself or as a result of a security update implemented by your Service Center.
Red: Connection attempts that were blocked by your firewall.
Orange: Connection attempts that were blocked by your custom security rules.

By default, accepted traffic is not logged. However, such traffic may be logged if specified by a security policy downloaded from your Service Center, or if specified in user-defined rules.

In addition, accepted traffic may be logged if a SmartDefense protection's Action field is set to "Track" instead of "Block". You can create firewall rules specifying that certain types of connections should be logged, whether the connections are incoming or outgoing, blocked or accepted. For information, see Using Rules. The logs detail the date and time the event occurred, and its type.

If the event is a communication attempt that was rejected by the firewall, the event details include the source and destination IP address, the destination port, and the protocol used for the communication attempt (for example, TCP or UDP).

If the event is a connection made or attempted over a VPN tunnel, the event is marked by a lock icon in the VPN column. This information is useful for troubleshooting. Logs can also be sent to a Syslog server; for information, see Configuring Syslog Logging.

To view the event log: 1. Click Reports in the main menu, and click the Event Log tab. The Event Log page appears. The source address information is useful in tracking down attackers.

To save the displayed events to a file: 1. Click Save. The Save As dialog box appears. 2. Browse to a destination directory of your choice. 3. Type a name for the file and click Save.

To clear all displayed events: a. Click Clear. All events are cleared. Using the Traffic Monitor You can view incoming and outgoing traffic for selected network interfaces and QoS classes using the Traffic Monitor. This enables you to identify network traffic trends and anomalies, and to fine tune Traffic Shaper QoS class assignments.

If desired, you can change the number of seconds represented by the bars in the charts, using the procedure Configuring Traffic Monitor Settings. In network traffic reports, the traffic is color-coded as described in the following table. To view a traffic report: 1. Click Reports in the main menu, and click the Traffic Monitor tab. 2. In the Traffic Monitor Report drop-down list, select the network interface for which you want to view a report.

The list includes all currently enabled networks. For example, if the DMZ network is enabled, it will appear in the list. If Traffic Shaper is enabled, the list also includes the defined QoS classes. The selected report appears in the Traffic Monitor page. To refresh all traffic reports, click Refresh.

To clear all traffic reports, click Clear. Note: The firewall blocks broadcast packets used during the normal operation of your network. This may lead to a certain amount of traffic of the type "Traffic blocked by firewall" that appears under normal circumstances and usually does not indicate an attack.

You can export a general traffic report to a file and open and view the file in Microsoft Excel. To export a general traffic report: 1. Click Reports in the main menu, and click the Traffic Monitor tab. The Traffic Monitor page appears. 2. Click Export. A standard File Download dialog box appears.

Configuring Traffic Monitor Settings. You can configure the interval at which the VPN-1 Edge appliance collects traffic data for network traffic reports. To configure Traffic Monitor settings: 1. Click Settings. 2. In the Sample monitoring data every field, type the interval in seconds at which the VPN-1 Edge appliance should collect traffic data. The default value is one sample every 30 minutes.

Viewing Computers. This option allows you to view the currently active computers on your network. You can also view node limit information. To view the active computers: 1. Click Reports in the main menu, and click the Active Computers tab. If you configured High Availability, both the master and backup appliances are shown. If you configured OfficeMode, the OfficeMode network is shown. For information on viewing statistics for wireless stations, see Viewing Wireless Statistics. If a wireless station has been blocked from accessing the Internet through the VPN-1 Edge appliance, the reason why it was blocked is shown in red.

If you are exceeding the maximum number of computers allowed by your license, a warning message appears, and the computers over the node limit are marked in red. These computers are still protected, but they are blocked from accessing the Internet through the VPN-1 Edge appliance. Note: Computers that did not communicate through the firewall are not counted for node limit purposes, even though they are protected by the firewall and appear in the Active Computers table.

Note: To increase the number of computers allowed by your license, you can upgrade your product. For further information, see Upgrading Your Software Product. If HotSpot mode is enabled for some networks, each computer's HotSpot status is displayed next to it: Authenticated, the computer is logged on to My HotSpot; Not Authenticated, the computer is not logged on to My HotSpot; Excluded from HotSpot, the computer is in an IP address range excluded from HotSpot enforcement.

To enforce HotSpot on such a computer, you must edit the network object. See Adding and Editing Network Objects. Next to each computer, an Add button enables you to add a network object for the computer, or an Edit button enables you to edit an existing network object for the computer.

For information on adding and editing network objects, see Adding and Editing Network Objects. To view node limit information: 1. Click Node Limit. The Node Limit window appears with the installed software product and the number of nodes used. 2. Click Close to close the window.

Viewing Active Connections. To view the active connections: 1. Click Reports in the main menu, and click the Connections tab. The Active Connections page appears.

The page displays the information in the following table. To view information on the destination machine, click its IP address. To view information about a port, click the port.

Viewing Wireless Statistics. Click Reports in the main menu, and click the Wireless tab. The page displays the information in the following tables. In the Active Computers page, a tooltip displays statistics for each wireless station, as described in the following table.

Table: Wireless Station Statistics
Current Rate: The current reception and transmission rate in Mbps.
Frames OK: The total number of frames that were successfully transmitted and received.
Management: The total number of transmitted and received management packets.
Control: The total number of received control packets.
Errors: The total number of transmitted and received frames for which an error occurred.
QoS: Indicates whether the client is using Multimedia QoS (WMM): the client is using WMM, or the client is not using WMM.
XR: Indicates whether the wireless client supports XR mode.

Viewing ADSL Statistics. To view ADSL statistics: 1. Click Reports in the main menu, and click the ADSL tab. The ADSL page appears. Line Attenuation: The local and remote line attenuation in dB.

You can enhance your security policy by subscribing to services such as Web Filtering and Email Filtering.

Note: When the firewall is managed by SmartCenter, the SmartCenter security policy replaces the default security policy and the firewall security levels. The firewall security level is set to High and cannot be changed. Note: Local security rules take precedence over rules configured by the central management.

When using the print server function (see Using Network Printers), access from internal networks to connected network printers is allowed. Access from the WAN to network printers is blocked.

You can easily override the default security policy by creating user-defined firewall rules. You can set the lever to the following states.

Table: Firewall Security Levels
Low: Enforces basic control on incoming connections, while permitting all outgoing connections. Further details: all outbound connections are allowed.
Medium: Enforces strict control on all incoming connections, while permitting safe outgoing connections. This is the default level and is recommended for most cases. Leave it unchanged unless you have a specific need for a higher or lower security level. Further details: all inbound traffic is blocked. All outbound traffic to the Internet is allowed except for the Windows file sharing (NBT) ports. This does not affect traffic to and from the gateway itself.

Note: If the security policy is remotely managed, this lever might be disabled. Note: Security updates downloaded from a Service Center may alter the security policy and change these definitions. Click Security in the main menu, and click the Firewall tab. The Firewall page appears. Drag the security lever to the desired level. The VPN-1 Edge appliance security level changes accordingly.

Using the VPN-1 Edge Portal, you can selectively allow incoming network connections into your network. Note: Configuring servers allows you to create simple Allow and Forward rules for common services, and it is equivalent to creating Allow and Forward rules in the Rules page. For information on creating rules, see Using Rules.

To allow a service to be run on a specific host: 1. Click Security in the main menu, and click the Servers tab. The Servers page appears, displaying a list of services and a host IP address for each allowed service. 2. Type the IP address of the computer that will run the service (one of your network computers), or click the corresponding This Computer button to allow your computer to host the service. A success message appears, and the selected computer is allowed to run the desired service or application.

To stop the forwarding of a service to a specific host: 1. Clear the Host IP field of the desired service. The service or application is no longer allowed on the specific host.

Using Rules. User-defined rules have priority over the default security policy rules and provide you with greater flexibility in defining and customizing your security policy. The VPN-1 Edge appliance processes user-defined rules in the order they appear in the Rules table, so that rule 1 is applied before rule 2, and so on. This enables you to define exceptions to rules, by placing the exceptions higher up in the Rules table.

For example, to allow FTP only from a specific IP address, first create a rule blocking FTP traffic. Then create a rule allowing FTP traffic from the desired IP address and move this rule to a higher location in the Rules table than the first rule. In the figure, the general rule is rule number 2, and the exception is rule number 1.

Allow and Forward: Forward all such connections to a specific computer in your network. You can also redirect the specified connections to a specific port, and assign the traffic to a QoS class. If Traffic Shaper is enabled for incoming traffic, then Traffic Shaper will handle relevant connections as specified in the bandwidth policy for the selected QoS class.

For example, if Traffic Shaper is enabled for incoming traffic, and you create an Allow and Forward rule associating all incoming Web traffic with the Urgent QoS class, then Traffic Shaper will handle incoming Web traffic as specified in the bandwidth policy for the Urgent class. Creating an Allow and Forward rule is equivalent to defining a server in the Servers page.

Note: You cannot specify two Allow and Forward rules that forward the same service to two different destinations.

Allow: Permit incoming access from the Internet to a specific service in your internal network. Note: You can also allow outgoing connections for services that are not permitted by the default security policy. If Traffic Shaper is enabled for the direction of traffic specified in the rule (incoming or outgoing), then Traffic Shaper will handle relevant connections as specified in the bandwidth policy for the selected QoS class. For example, if Traffic Shaper is enabled for outgoing traffic, and you create an Allow rule associating all outgoing Web traffic with the Urgent QoS class, then Traffic Shaper will handle outgoing Web traffic as specified in the bandwidth policy for the Urgent class.

Block: Block incoming access from the Internet to a specific service in your internal network.

To add or edit a rule: 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2. To edit an existing rule, click the Edit icon next to the desired rule. 3. Select the type of rule you want to create. The Step 2: Service dialog box appears. The example below shows an Allow rule. 4. Complete the remaining steps. The Step 4: Done dialog box appears, and the new rule appears in the Firewall Rules page.

Standard Service: Click this option to specify that the rule should apply to a specific standard service. You must then select the desired service from the drop-down list.

Custom Service: Click this option to specify that the rule should apply to a specific nonstandard service.

The Protocol and Port Range fields are enabled; you must fill them in. Ports: To specify the port range to which the rule applies, type the start port number in the left text box and the end port number in the right text box.

Remote Access VPN ensures that connections between corporate networks and remote and mobile devices are secure and can be made from virtually anywhere users are located.

A secure remote access solution promotes collaboration by connecting global virtual teams at headquarters, branch offices, remote locations, or mobile users on the go. Each host typically has VPN client software loaded or uses a web-based client. Privacy and integrity of sensitive information are ensured through:

