SofaWare Technologies SBX-166LHGE-2 Internet Security Appliance User Manual

SofaWare Technologies Ltd. Internet Security Appliance

User Manual

Document ID: 381166
Application ID: /7TF60r80UjSsqz8rpU4bQ==
Document Description: User Manual
Short Term Confidential: No
Permanent Confidential: No
Supercede: No
Document Type: User Manual
Display Format: Adobe Acrobat PDF - pdf
Filesize: 284.04kB (3550524 bits)
Date Submitted: 2003-12-12 00:00:00
Date Available: 2003-12-12 00:00:00
Creation Date: 2003-10-23 06:12:35
Producing Software: Acrobat Distiller 5.0.5 (Windows)
Document Lastmod: 2003-12-11 16:28:08
Document Title: Microsoft Word - Check Point Safe@Office Users Guide 1023.doc
Document Creator: PScript5.dll Version 5.2
Document Author: Goldies

Check Point Safe@Office
Internet Security Appliance
User Guide
Version 4.0.50
Part No:700797, October, 2003
COPYRIGHT & TRADEMARKS
Copyright © 2003 SofaWare, All Rights Reserved. No part of this document may be reproduced in any form or by any means without written permission from SofaWare.
Information in this document is subject to change without notice and does not represent a commitment on part of SofaWare Technologies Ltd.
SofaWare, Safe@Home and Safe@Office are trademarks, service marks, or registered trademarks of SofaWare Technologies Ltd.
Check Point, the Check Point logo, FireWall-1, FireWall-1 SecureServer, FireWall-1 SmallOffice, FloodGate-1, INSPECT, IQ Engine, Meta IP, MultiGate, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecureUpdate, SiteManager-1, SVN, UAM, User-to-Address Mapping, UserAuthority, Visual Policy Editor, VPN-1, VPN-1 Accelerator Card, VPN-1 Gateway, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, and VPN-1 Edge are trademarks, service marks, or registered trademarks of Check Point Software Technologies Ltd. or its affiliates.
All other product names mentioned herein are trademarks or registered trademarks of their respective owners.
The products described in this document are protected by U.S. Patent No. 5,606,668 and 5,835,726 and may be protected by other U.S. Patents, foreign patents, or pending applications.
SAFETY PRECAUTIONS
Carefully read the Safety Instructions and the Installation and Operating Procedures provided in this User's Guide before attempting to install or operate the appliance. Failure to follow these instructions may result in damage to equipment and/or personal injuries.
• Before cleaning the appliance, unplug the power cord. Use only a soft cloth dampened with water for cleaning.
• Any changes or modifications to this product not explicitly approved by the manufacturer could void any assurances of Safety or Performance and could result in violation of Part 15 of the FCC Rules.
• When installing the appliance, ensure that the vents are not blocked.
• Do not use the appliance outdoors.
• Do not expose the appliance to liquid or moisture.
• Do not drop, throw, or bend the appliance since rough treatment could damage it.
• Do not use any accessories other than those approved by Check Point. Failure to do so may result in loss of performance, damage to the product, fire, electric shock or injury, and will void the warranty.
• Do not expose the appliance to extreme high or low temperatures.
• Do not disassemble or open the appliance. Failure to comply will void the warranty.
• Do not route the cables in a walkway or in a location that will crimp the cables.
POWER ADAPTER
• The appliance should only be used with the power adapter provided. The power adapter should be plugged into a surge protected power source. In addition, be careful not to overload the wall outlets, extension cords, etc. used to power this unit.
• Connect the power adapter only to power sources as marked on the product.
• To reduce risk of damage to the electric cord, remove it from the outlet by holding the power adapter rather than the cord.
SECURITY DISCLAIMER
The appliance provides your office network with the highest level of security. However, no product can provide you with absolute protection against a determined effort to break into your system. We recommend using additional security measures to secure highly valuable or sensitive information.
Contents
Chapter 1: Introduction
  About Your Check Point Safe@Office Appliance
  Safe@Office Products
    Safe@Office 105
    Safe@Office 110
    Safe@Office 225
    Safe@Office 225U
  Safe@Office Features and Compatibility
    Connectivity
    Firewall
    VPN
    Management
    Optional Security Services
    Package Contents
    Network Requirements
  Getting to Know Your Safe@Office 100 Series
    Rear Panel
    Front Panel
  Getting to Know Your Safe@Office 200 Series
    Rear Panel
    Front Panel
  About This Guide
  Contacting Technical Support
Chapter 2: Installing and Setting up the Safe@Office Appliance
  Before You Install the Safe@Office Appliance
    Windows 2000/XP
    Windows 98/Millennium
    Mac OS
  Network Installation
  Setting Up the Safe@Office Appliance
Chapter 3: Getting Started
  Initial Login to the Safe@Office Portal
  Logging on to the Safe@Office Portal
  Accessing the Safe@Office Portal Remotely
  Using the Safe@Office Portal
    Main Menu
    Main Frame
    Status Bar
  Logging off
Chapter 4: Configuring the Internet Connection
  Overview
  Using the Setup Wizard
    Using a Direct LAN Connection
    Using a Cable Modem Connection
    Using a PPTP or PPPoE Dialer Connection
    Using PPPoE
    Using PPTP
    Using Automatic DHCP
  Using Internet Setup
    Using a LAN Connection
    Using a Cable Modem Connection
    Using a PPPoE Connection
    Using a PPTP Connection
    Using a Telstra (BPA) Connection
    Using No Connection
  Cloning a MAC Address
  Viewing Internet Connection Information
  Enabling/Disabling the Internet Connection
  Using Quick Internet Connection/Disconnection
  Configuring a Backup Internet Connection
Chapter 5: Managing Your Network
  Configuring Network Settings
    Enabling/Disabling the DHCP Server
    Changing IP Addresses
    Enabling/Disabling Hide NAT
    Configuring a DMZ Network
  Configuring High Availability
  Using Static NAT
    Adding and Editing Static NAT Mappings
    Viewing and Deleting Static NAT Mappings
  Using Static Routes
    Adding a Static Route
    Viewing and Editing Static Routes
    Deleting a Static Route
Chapter 6: Viewing Reports
  Viewing the Event Log
  Viewing Computers
  Viewing Connections
Chapter 7: Setting Your Security Policy
  Setting the Firewall Security Level
  Configuring Servers
  Creating Rules
    Adding and Editing Rules
    Deleting Rules
  Defining an Exposed Host
Chapter 8: Using Subscription Services
  Connecting to a Service Center
  Viewing Services Information
  Refreshing Your Service Center Connection
  Configuring Your Account
  Disconnecting from Your Service Center
  Web Filtering
    Enabling/Disabling Web Filtering
    Selecting Categories for Blocking
    Temporarily Disabling Web Filtering
  Virus Scanning
    Enabling/Disabling Email Antivirus
    Selecting Protocols for Scanning
    Temporarily Disabling Email Antivirus
  Automatic and Manual Updates
    Checking for Software Updates when Locally Managed
    Checking for Software Updates When Remotely Managed
Chapter 9: Working With VPNs
  Overview
  Setting Up Your Safe@Office Appliance as a VPN Server
  Adding and Editing VPN Sites
    Configuring a Remote Access VPN Site
    Configuring a Site-to-Site VPN Gateway
    Creating a PPPoE Tunnel
  Deleting a VPN Site
  Enabling/Disabling a VPN Site
  Logging on to a VPN Site
    Logging on through the Safe@Office Portal
    Logging on through the my.vpn page
  Logging off a VPN Site
  Installing a Certificate
  Uninstalling a Certificate
  Viewing VPN Tunnels
Chapter 10: Managing Users
  Changing Your Password
    Using Safe@Office 105
    Using Safe@Office 110 and 225
  Adding Users
  Viewing and Editing Users
  Deleting Users
  Setting Up Remote VPN Access for Users
  Using RADIUS Authentication
Chapter 11: Maintenance
  Viewing Firmware Status
  Updating the Firmware
  Upgrading Your Software Product
  Registering Your Safe@Office Appliance
  Configuring Syslog Logging
  Configuring HTTPS
  Setting the Time on the Appliance
  Controlling the Appliance via the Command Line
  Using Diagnostic Tools
  Backing Up the Safe@Office Appliance Configuration
    Exporting the Safe@Office Appliance Configuration
    Importing the Safe@Office Appliance Configuration
  Resetting the Safe@Office Appliance to Defaults
  Running Diagnostics
  Rebooting the Safe@Office Appliance
Chapter 12: Troubleshooting
  Connectivity
  Service Center and Upgrades
  Other Problems
Chapter 13: Specifications
  Technical Specifications
  CE Declaration of Conformity
  Federal Communications Commission Radio Frequency Interference Statement
Glossary of Terms
Index
Chapter 1
Introduction
This chapter introduces the Check Point Safe@Office appliance and this
guide.
This chapter includes the following topics:
• About Your Check Point Safe@Office Appliance
• Safe@Office Products
• Safe@Office Features and Compatibility
• Getting to Know Your Safe@Office 100 Series
• Getting to Know Your Safe@Office 200 Series
• About This Guide
• Contacting Technical Support
About Your Check Point Safe@Office Appliance
The Check Point Safe@Office appliance is an advanced Internet security
appliance that enables secure high-speed Internet access from the office.
Developed and supported by SofaWare Technologies, an affiliate of Check
Point Software Technologies, the worldwide leader in securing the Internet,
the Safe@Office appliance incorporates the 100 and 200 product families.
The 100 series and 200 series firewall, based on the world-leading Check
Point Embedded NG Stateful Inspection technology, inspects and filters all
incoming and outgoing traffic, blocking all unauthorized traffic.
The Safe@Office appliance also allows sharing your Internet connection
among several PCs or other network devices, enabling advanced office
networking and saving the cost of purchasing static IP addresses.
You can also connect Safe@Office appliances to security services available
from select service providers, including firewall security updates, Web
filtering, and dynamic DNS. Business users can use the Safe@Office
appliance to securely connect to the office network.
Safe@Office Products
The Safe@Office appliance is available with the following hardware:
Safe@Office 100 series or Safe@Office 200 series. Both provide a Web-based
management interface, which enables you to manage and configure the
Safe@Office appliance operation and options. However, the 200 series
provides higher firewall and VPN throughput and has a dedicated DMZ port
and a serial port.
The 100 series includes models Safe@Office 105 and Safe@Office 110. The
200 series includes models Safe@Office 225 and Safe@Office 225U.
Your Safe@Office appliance can be upgraded to a more advanced model
within its hardware series, without replacing the hardware. Contact your
reseller for more details.
Safe@Office 105
Safe@Office 105 protects your home or small business network from hostile
Internet activity. It can also act as a VPN server which allows a single user to
securely access resources protected by the Safe@Office appliance from home
or while travelling. It is intended for home or small business users and can be
used by up to five computers.
Safe@Office 110
In addition to all the benefits of Safe@Office 105, Safe@Office 110 provides
expanded VPN functionality: it acts not only as a VPN server but as a VPN
client, enabling employees working from home to securely connect to the
office. Safe@Office 110 can also be configured as a VPN gateway, which
allows permanent bi-directional connections between two gateways, such as
two company offices.
Safe@Office 110 is intended for small and medium businesses with one or
more branch offices, and for their employees working from home. It can be
used by up to ten computers.
Safe@Office 225
Safe@Office 225 provides all the benefits of Safe@Office 110, along with
support for High Availability. High Availability enables you to install a
second Safe@Office appliance on your network and configure that appliance
as a backup to the first Safe@Office appliance, thereby ensuring that your
network is consistently protected and connected to the Internet.
Safe@Office 225 includes a hardware DMZ port and offers higher VPN and
firewall performance than the 100 series.
Like Safe@Office 110, Safe@Office 225 is intended for companies with
extended VPN networks. Safe@Office 225 supports 25 computers.
Safe@Office 225U
Safe@Office 225U provides the same functionality as Safe@Office 225 but
does not have a license limitation on the number of computers.
All references to Safe@Office 225 in this guide are also relevant to
Safe@Office 225U.
Safe@Office Features and Compatibility
Connectivity
Feature | Safe@Office 105 | Safe@Office 110 | Safe@Office 225/225U
--- | --- | --- | ---
Concurrent firewall connections | 2,000 | 2,000 | 8,000
LAN Ports | 4-ports 10/100 Mbps Fast Ethernet switch | 4-ports 10/100 Mbps Fast Ethernet switch | 4-ports 10/100 Mbps Fast Ethernet switch
WAN Port | 10/100 Mbps Fast Ethernet | 10/100 Mbps Fast Ethernet | 10/100 Mbps Fast Ethernet
DMZ/WAN2 Port | | | 10/100 Mbps Fast Ethernet
Serial Console Port | | |
Ethernet cable type recognition | | |
Users (nodes) | | 10 | 25 or Unlimited
Supported Internet connection methods | Static IP, DHCP Client, Cable Modem, PPTP Client, PPPoE Client, Telstra BPA login | Static IP, DHCP Client, Cable Modem, PPTP Client, PPPoE Client, Telstra BPA login | Static IP, DHCP Client, Cable Modem, PPTP Client, PPPoE Client, Telstra BPA login
DHCP Server | | |
MAC Cloning | | |
Backup Internet connection | | |
High Availability | | |
Static NAT | | |
Static Routes | | |
Firewall
Feature
Firewall Type
Safe@Office
Safe@Office
Safe@Office
Check Point
Check Point
Check Point
Firewall-1
Firewall-1
Firewall-1
Embedded NG
Embedded NG
Embedded NG
Unlimited
Unlimited
Unlimited
Logical
Physical
105
110
225/225U
Network Address Translation (NAT)
INSPECT Policy Rules
User-defined rules
Three levels preset security policies
DoS Protection
Anti-spoofing
Attack Logging
Voice over IP (H.323) Support
Exposed Host
DMZ Network
VPN
Feature | Safe@Office 105 | Safe@Office 110 | Safe@Office 225/225U
--- | --- | --- | ---
VPN Type | Check Point VPN-1 Embedded NG | Check Point VPN-1 Embedded NG | Check Point VPN-1 Embedded NG
IPSEC VPN mode | Remote Access Server | Remote Access Client, Remote Access Server, Site-to-Site | Remote Access Client, Remote Access Server, Site-to-Site
IPSEC VPN pass-through | | |
Encryption | AES/3DES/DES | AES/3DES/DES | AES/3DES/DES
Authentication | SHA1/MD5 | SHA1/MD5 | SHA1/MD5
X.509 Digital Certificates | | |
RADIUS client | | |
Hardware Acceleration | | |
Hardware Random Number Generator | | |
Management
Feature | Safe@Office 105 | Safe@Office 110 | Safe@Office 225/225U
--- | --- | --- | ---
Web Management | | |
HTTPS Access (local and remote) | | |
Multiple Administrators | | |
CLI | | |
Management Systems | SofaWare SMP | SofaWare SMP | SofaWare SMP
Optional Security Services
Feature | Safe@Office 105 | Safe@Office 110 | Safe@Office 225/225U
--- | --- | --- | ---
Firewall security and software updates | | |
Web Filtering * | | |
Email Antivirus protection * | | |
Dynamic DNS Service * | | |
VPN Management | | |
Centralized Logging and Intrusion Detection | | |
* When managed by SofaWare Security Management Portal (SMP).
Package Contents
• Safe@Office Internet Security Appliance
• CAT5 Straight-through Ethernet Cable
• Power Adapter
• Getting Started Guide
• This Users Guide
Network Requirements
• A broadband Internet connection via cable or DSL modem with
Ethernet interface (RJ-45)
• 10BaseT or 100BaseT Network Interface Card installed on each
computer
• TCP/IP network protocol installed on each computer
• Internet Explorer 5.0 or higher, or Netscape Navigator 4.7 and
higher
• CAT 5 STP (Category 5 Shielded Twisted Pair) Straight Through
Ethernet cable for each attached device
Note: To cascade an additional hub or switch to the Safe@Office 100
appliance, you must use a crossed Ethernet cable instead. The
Safe@Office 200 series automatically detects the cable type, so you
can use either a straight-through or crossed cable.
Note: For optimal results, it is highly recommended to use either
Microsoft Internet Explorer 5.5 or higher, or Netscape Navigator 6.2 or
higher.
Getting to Know Your Safe@Office 100 Series
Rear Panel
The following figure shows the Safe@Office 100 series appliance's rear
panel. All physical connections (network and power) to the Safe@Office
appliance are made via the rear panel of your Safe@Office appliance.
Figure 1: Safe@Office Appliance 100 Rear Panel Items
The following table lists the Safe@Office appliance's rear panel elements.
Table 1: Safe@Office Appliance 100 Rear Panel Elements
Label | Description
--- | ---
PWR | A power jack used for supplying power to the unit. Connect the supplied power adapter to this jack.
RESET | A button used for rebooting the Safe@Office appliance or resetting the Safe@Office appliance to its factory defaults. You need to use a pointed object to press this button. Short press: reboots the Safe@Office appliance. Long press (7 seconds): resets the Safe@Office appliance to its factory defaults, and resets your firmware to the version that shipped with the Safe@Office appliance. This results in the loss of all security services and passwords and reverting to the factory default firmware. You will have to re-configure your Safe@Office appliance. Do not reset the unit without consulting your system administrator.
WAN | Wide Area Network: An Ethernet port (RJ-45) used for connecting your cable or xDSL modem
LAN 1-4 | Local Area Network switch: Four Ethernet ports (RJ-45) used for connecting computers or other network devices
Front Panel
The Safe@Office 100 appliance includes several status LEDs that enable you
to monitor the appliance’s operation.
Figure 2: Safe@Office 100 Appliance Front Panel
For an explanation of the Safe@Office 100 appliance’s status LEDs, see the
table below.
Table 2: Safe@Office 100 Appliance Status LEDs
LED | State | Explanation
--- | --- | ---
PWR/SEC | Off | Power off
PWR/SEC | Flashing quickly (Green) | System boot-up
PWR/SEC | Flashing slowly (Green) | Establishing Internet connection
PWR/SEC | On (Green) | Normal Operation
PWR/SEC | Flashing (Red) | Hacker attack blocked
PWR/SEC | On (Red) | Error
LAN 1-4/WAN | LINK/ACT Off, 100 Off | Link is down.
LAN 1-4/WAN | LINK/ACT On, 100 Off | 10 Mbps link established for the corresponding port.
LAN 1-4/WAN | LINK/ACT On, 100 On | 100 Mbps link established for the corresponding port.
LAN 1-4/WAN | LINK/ACT Flashing | Data is being transmitted/received
Getting to Know Your Safe@Office 200 Series
Rear Panel
The following figure shows the Safe@Office 200 series appliance's rear
panel. All physical connections (network and power) to the Safe@Office
appliance are made via the rear panel of your Safe@Office appliance.
Figure 3: Safe@Office 200 Appliance Rear Panel Items
The following table lists the Safe@Office 200 appliance's rear panel
elements.
Table 3: Safe@Office 200 Appliance Rear Panel Elements
Label | Description
--- | ---
PWR | A power jack used for supplying power to the unit. Connect the supplied power adapter to this jack.
RESET | A button used for rebooting the Safe@Office appliance or resetting the Safe@Office appliance to its factory defaults. You need to use a pointed object to press this button. Short press: reboots the Safe@Office appliance. Long press (7 seconds): resets the Safe@Office appliance to its factory defaults, and resets your firmware to the version that shipped with the Safe@Office appliance. This results in the loss of all security services and passwords and reverting to the factory default firmware. You will have to re-configure your Safe@Office appliance. Do not reset the unit without consulting your system administrator.
RS-232 | A serial port (reserved for future use)
WAN | Wide Area Network: An Ethernet port (RJ-45) used for connecting your cable or xDSL modem, or for connecting a hub when setting up more than one Internet connection
DMZ/WAN2 | A dedicated Ethernet port (RJ-45) used for a DMZ computer, or for a hub when connecting a DMZ network
LAN 1-4 | Local Area Network switch: Four Ethernet ports (RJ-45) used for connecting computers or other network devices
Front Panel
The Safe@Office 200 appliance includes several status LEDs that enable
you to monitor the appliance’s operation.
Figure 4: Safe@Office 200 Appliance Front Panel
For an explanation of the Safe@Office 200 appliance’s status LEDs, see the
table below.
Table 4: Safe@Office 200 Appliance Status LEDs
LED | State | Explanation
PWR/SEC | Off | Power off
PWR/SEC | Flashing quickly (Green) | System boot-up
PWR/SEC | Flashing slowly (Green) | Establishing Internet connection
PWR/SEC | On (Green) | Normal Operation
PWR/SEC | Flashing (Red) | Hacker attack blocked
PWR/SEC | On (Red) | Error
LAN 1-4/WAN/DMZ/WAN2 | LINK/ACT Off, 100 Off | Link is down.
LAN 1-4/WAN/DMZ/WAN2 | LINK/ACT On, 100 Off | 10 Mbps link established for the corresponding port.
LAN 1-4/WAN/DMZ/WAN2 | LINK/ACT On, 100 On | 100 Mbps link established for the corresponding port.
LAN 1-4/WAN/DMZ/WAN2 | LINK/ACT Flashing | Data is being transmitted/received.
VPN | Flashing (Green) | VPN tunnel in use
Serial | Flashing (Green) | Serial port in use
About This Guide
To make finding information in this manual easier, some types of information
are marked with special symbols or formatting.
Boldface type is used for command and button names.
Note: Notes are denoted by indented text and preceded by the Note
icon.
Warning: Warnings are denoted by indented text and preceded by the
Warning icon.
Each task is marked with a product bar indicating the Safe@Office products
required to perform the task. If you cannot perform the task using a particular
product, that product is crossed out. For example, the product bar below
indicates a task that requires Safe@Office 110, 225, or 225U. You cannot
perform this task with Safe@Office 105.
Contacting Technical Support
If there is a problem with your Safe@Office appliance, surf to
http://www.sofaware.com/support and fill out a technical support request
form.
You can also download the latest version of this guide from the site.
Chapter 2
Installing and Setting up the Safe@Office Appliance
This chapter describes how to properly set up and install your Safe@Office
appliance in your networking environment.
This chapter includes the following topics:
• Before You Install the Safe@Office Appliance
• Network Installation
• Setting Up the Safe@Office Appliance
Before You Install the Safe@Office Appliance
Prior to connecting and setting up your Safe@Office appliance for operation,
you must do the following:
• Check if TCP/IP Protocol is installed on your computer.
• Check your computer’s TCP/IP settings to make sure it obtains its
IP address automatically.
Refer to the relevant section in this guide in accordance with the operating
system that runs on your computer. The following sections will guide you
through the TCP/IP setup and installation process.
Windows 2000/XP
Note: While Windows XP has an "Internet Connection Firewall" option, it
is recommended not to enable it if you are using a Safe@Office
appliance, since the Safe@Office appliance offers better protection.
Checking the TCP/IP Installation
1. Click Start > Settings > Control Panel.
The Control Panel window appears.
2. Double-click the Network and Dial-up Connections icon.
The Network and Dial-up Connections window appears.
3. Right-click the icon and select Properties from the pop-up menu that opens.
The Local Area Connection Properties window appears.
4. In the above window, check if TCP/IP appears in the components list and if
it is properly configured with the Ethernet card installed on your computer.
If TCP/IP does not appear in the Components list, you must install it as
described in the next section.
Installing TCP/IP Protocol
1. In the Local Area Connection Properties window click Install….
The Select Network Component Type window appears.
2. Choose Protocol and click Add.
The Select Network Protocol window appears.
3. Choose Internet Protocol (TCP/IP) and click OK.
TCP/IP protocol is installed on your computer.
TCP/IP Settings
1. In the Local Area Connection Properties window double-click the Internet
Protocol (TCP/IP) component, or select it and click Properties.
The Internet Protocol (TCP/IP) Properties window opens.
2. Click the Obtain an IP address automatically radio button.
Note: Normally, it is not recommended to assign a static IP address to
your PC but rather to obtain an IP address automatically. If for some
reason you need to assign a static IP address, select Specify an IP
address, type in an IP address in the range of 192.168.10.129-254,
enter 255.255.255.0 in the Subnet Mask field, and click OK to save the
new settings.
(Note that 192.168.10 is the default value, and it may vary if you
changed it in the My Network page.)
3. Click the Obtain DNS server address automatically radio button.
4. Click OK to save the new settings.
Your computer is now ready to access your Safe@Office appliance.
Windows 98/Millennium
Checking the TCP/IP Installation
1. Click Start > Settings > Control Panel.
The Control Panel window appears.
2. Double-click the icon.
The Network window appears.
3. In the Network window, check if TCP/IP appears in the network components
list and if it is already configured with the Ethernet card installed on your
computer.
Installing TCP/IP Protocol
Note: If TCP/IP is already installed and configured on your computer, skip
this section and move directly to TCP/IP Settings.
1. In the Network window, click Add.
The Select Network Component Type window appears.
2. Choose Protocol and click Add.
The Select Network Protocol window appears.
3. In the Manufacturers list choose Microsoft, and in the Network Protocols list
choose TCP/IP.
4. Click OK.
If Windows asks for original Windows installation files, provide the
installation CD and relevant path when required (e.g. D:\win98).
5. Restart your computer if prompted.
TCP/IP Settings
Note: If you are connecting your Safe@Office appliance to an existing
LAN, consult your network manager for the correct configurations.
1. In the Network window, double-click the TCP/IP service for the Ethernet
card that has been installed on your computer.
The TCP/IP Properties window opens.
2. Click the Gateway tab, and remove any installed gateways.
3. Click the DNS Configuration tab, and click the Disable DNS radio button.
4. Click the IP Address tab, and click the Obtain an IP address automatically
radio button.
Note: Normally, it is not recommended to assign a static IP address to
your PC but rather to obtain an IP address automatically. If for some
reason you need to assign a static IP address, select Specify an IP
address, type in an IP address in the range of 192.168.10.129-254,
enter 255.255.255.0 in the Subnet Mask field, and click OK to save the
new settings.
(Note that 192.168.10 is the default value, and it may vary if you
changed it in the My Network page.)
5. Click Yes when prompted for “Do you want to restart your computer?”.
Your computer restarts, and the new settings take effect.
Your computer is now ready to access your Safe@Office appliance.
Mac OS
Use the following procedure for setting up the TCP/IP Protocol.
1. Choose Apple Menus -> Control Panels -> TCP/IP.
The TCP/IP window appears.
2. Click the Connect via drop-down list and select Ethernet.
3. Click the Configure drop-down list and select Using DHCP Server.
4. Close the window and save the setup.
Network Installation
1. Verify that you have the correct cable type.
For information, see Network Requirements on page 9.
2. Connect the LAN cable:
• Connect one end of the Ethernet cable to one of the LAN ports at the back of the unit.
• Connect the other end to PCs, hubs, or other network devices.
3. Connect the WAN cable:
• Connect one end of the Ethernet cable to the WAN port at the back of the unit.
• Connect the other end of the cable to a Cable Modem, xDSL modem or office network.
4. Connect the power adapter to the power socket, labeled PWR, at the back of
the Safe@Office appliance. Plug in the AC power adapter to the wall
electrical outlet.
Warning: The Safe@Office appliance AC adapter is compatible with
either 100, 120 or 230 VAC input power. Please verify that the wall
outlet voltage is compatible with the voltage specified on your power
supply. Failure to observe this warning may result in injuries or damage
to equipment.
Figure 5: Typical Connection Diagram
Setting Up the Safe@Office Appliance
After you have installed the Safe@Office appliance, you must set it up using
the steps shown below.
When setting up your Safe@Office appliance for the first time after
installation, these steps follow each other automatically. After you have
logged on and set up your password, the Setup Wizard automatically opens
and displays the dialog boxes for configuring your Internet connection. After
you have configured your Internet connection, the Setup Wizard
automatically displays the dialog boxes for registering your Safe@Office
appliance. If desired, you can exit the Setup Wizard and perform each of
these steps separately.
• Logging on to the Safe@Office Portal and setting up your password. See Initial Login to the Safe@Office Portal on page 35.
• Configuring an Internet connection. See Using the Setup Wizard on page 50.
• Setting the Time on your Safe@Office appliance (200 series only). See Setting the Time on the Appliance on page 209.
• Installing the Product Key. See Upgrading Your Software Product on page 197.
• Registering your Safe@Office Appliance. See Registering Your Safe@Office Appliance on page 202.
• Setting up subscription services. See Connecting to a Service Center on page 123.
Chapter 3
Getting Started
This chapter contains all the information you need in order to get started
using your Safe@Office appliance.
This chapter includes the following topics:
• Initial Login to the Safe@Office Portal
• Logging on to the Safe@Office Portal
• Accessing the Safe@Office Portal Remotely
• Using the Safe@Office Portal
• Logging off
Initial Login to the Safe@Office Portal
The first time you log on to the Safe@Office Portal, you must set up your
password.
To log on to the Safe@Office Portal for the first time
1. Browse to http://my.firewall.
The initial login page appears.
2. Type a password both in the Password and the Confirm Password fields.
Note: The password must be five to 25 characters (letters or numbers).
Note: You can change your password at any time. For further
information, see Changing Your Password on page 181.
3. Click OK.
The Setup Wizard opens, with the Welcome screen displayed.
4. Configure your Internet connection using either the Setup Wizard or
Internet Setup.
The Setup Wizard takes you through the configuration process step by
step. For information on using the Setup Wizard, see Using the Setup
Wizard on page 50.
Internet Setup offers advanced setup options. For example, if you are
using Safe@Office 110 or 225, you can configure two Internet
connections using Internet Setup. To use Internet Setup, click Cancel and
refer to Using Internet Setup on page 59.
Logging on to the Safe@Office Portal
To log on to the Safe@Office Portal
1. Do one of the following:
• Browse to http://my.firewall.
Or
• To log on through HTTPS (locally or remotely), follow the procedure Accessing the Safe@Office Portal Remotely on page 40.
The login page appears.
If you are using Safe@Office 110 or 225, the page appears as follows:
2. Type in your username and password.
3. Click OK.
The Welcome page appears.
Accessing the Safe@Office Portal Remotely
You can access the Safe@Office Portal remotely (from the Internet) through
HTTPS. HTTPS is a protocol for accessing a secure Web server. It is used to
transfer confidential user information, since it encrypts data and utilizes a
secure port.
Note: You can also use HTTPS to access the Safe@Office Portal from
your internal network.
Note: In order to access the Safe@Office Portal remotely, you must first
do the following:
• Configure your password, using HTTP. See Initial Login to the Safe@Office Portal on page 35.
• Configure HTTPS. See Configuring HTTPS on page 206.
To access the Safe@Office Portal from your internal network
• Browse to https://my.firewall.
(Note that the URL starts with “https”, not “http”.)
The Safe@Office Portal appears.
To access the Safe@Office Portal from the Internet
• Browse to https://:981.
(Note that the URL starts with “https”, not “http”.)
The following things happen in the order below:
If this is your first attempt to access the Safe@Office Portal
through HTTPS, the certificate in the Safe@Office appliance is
not yet known to the browser, so the Security Alert dialog box
appears.
To avoid seeing this dialog box again, install the certificate of the
destination Safe@Office appliance. If you are using Internet Explorer
5, do the following:
1) Click View Certificate.
The Certificate dialog box appears, with the General tab
displayed.
2) Click Install Certificate.
The Certificate Import Wizard opens.
3) Click Next.
4) Click Next.
5) Click Finish.
6) Click Yes.
7) Click OK.
The Security Alert dialog box reappears.
8) Click Yes.
The Safe@Office Portal appears.
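The Security Alert on the first HTTPS visit is the point at which the appliance's certificate is accepted without any prior reference. The following is an added example, not part of the original guide: it records the certificate's SHA-256 fingerprint on first contact and compares it on later connections to port 981; the function names and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

REMOTE_HTTPS_PORT = 981  # port the guide gives for HTTPS access from the Internet


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Drop separators and case so pins copied from different tools compare equal."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return cleaned


def evaluate(der_cert: bytes, pinned):
    """Decide what to do with a presented certificate.

    pinned is None on first contact (nothing recorded yet), otherwise the
    fingerprint recorded earlier. Returns (verdict, presented_fingerprint),
    where verdict is "record", "match" or "mismatch".
    """
    presented = fingerprint_sha256(der_cert)
    if pinned is None:
        return "record", presented
    if normalize_fingerprint(presented) == normalize_fingerprint(pinned):
        return "match", presented
    return "mismatch", presented


def fetch_der_certificate(host: str, port: int = REMOTE_HTTPS_PORT,
                          timeout: float = 5.0) -> bytes:
    """Return the certificate the server presents, without trusting it.

    Chain and hostname verification are switched off only so the certificate
    can be read; the trust decision is made by evaluate() against the pin.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates so the demo runs offline.
    appliance_cert = b"constructed-der-bytes-of-the-appliance-certificate"
    other_cert = b"constructed-der-bytes-of-some-other-certificate"

    verdict, pin = evaluate(appliance_cert, None)   # first contact: record the pin
    print(verdict, pin)
    print(evaluate(appliance_cert, pin)[0])         # same certificate later
    print(evaluate(other_cert, pin)[0])             # a different certificate
```

Record the pin while connected from the internal network (https://my.firewall), and treat a "mismatch" verdict on a later remote connection as a reason not to accept the Security Alert.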
Using the Safe@Office Portal
The Safe@Office Portal is a web-based management interface, which enables
you to manage and configure the Safe@Office appliance operation and
options.
The Safe@Office Portal consists of three major elements.
Table 5: Safe@Office Portal Elements
Element | Description
Main menu | Used for navigating between the various topics (such as Reports, Security, and Setup).
Main frame | Displays information and controls related to the selected topic. The main frame may also contain tabs that allow you to view different pages related to the selected topic.
Status bar | Shows your Internet connection and managed services status.
Figure 6: Safe@Office Portal
Main Menu
The main menu includes the following submenus.
Table 6: Main Menu Submenus
This submenu… | Does this…
Welcome | Displays the welcome information.
Reports | Provides reporting capabilities in terms of event logging, established connections, and active computers.
Security | Provides controls and options for setting the security of any computer in the network.
Services | Allows you to control your subscription to subscription services.
Network | Allows you to manage and configure your network settings and Internet connections.
Setup | Provides a set of tools for managing your Safe@Office appliance. Allows you to upgrade your product key and firmware and to configure HTTPS access to your Safe@Office appliance.
Password | Allows you to set your password. This submenu only appears in Safe@Office 105.
Users | Allows you to manage Safe@Office appliance users. This submenu only appears in Safe@Office 110 and 225.
VPN | Allows you to manage, configure, and log on to VPN sites. This submenu only appears in Safe@Office 110 and 225.
Help | Provides context-sensitive help.
Logout | Allows you to log off of the Safe@Office Portal.
Main Frame
The main frame displays the relevant data and controls pertaining to the
menu and tab you select. These elements sometimes differ depending on
what model you are using. The differences are described throughout this
guide.
Status Bar
The status bar, located at the bottom of each page, displays the fields below.
In the Safe@Office 200 series, the status bar also displays the date and time.
Table 7: Status Bar Fields
This field… | Displays this…
Internet | Your Internet connection status. The connection status may be one of the following:
  • Connected. The Safe@Office appliance is connected to the Internet.
  • Not Connected. The Internet connection is down.
  • Establishing Connection. The Safe@Office appliance is connecting to the Internet.
  • Contacting Gateway. The Safe@Office appliance is trying to contact the Internet default gateway.
  • Disabled. The Internet connection has been manually disabled.
  Note: Using Safe@Office 110 and 225, you can configure both a primary and a secondary Internet connection. When both connections are configured, the Status bar displays both statuses. For example “Internet [Primary]: Connected”. For information on configuring a secondary Internet connection, see Configuring the Internet Connection on page 49.
Service Center | Displays your subscription services status. Your Service Center may offer various subscription services. These include the firewall service and optional services such as Web Filtering and Email Antivirus. Your subscription services status may be one of the following:
  • Not Subscribed. You are not subscribed to security services.
  • Connection Failed. The Safe@Office appliance failed to connect to the Service Center.
  • Connecting. The Safe@Office appliance is connecting to the Service Center.
  • Connected. You are connected to the Service Center, and security services are active.
Logging off
Logging off terminates your administration session. Any subsequent attempt
to connect to the Safe@Office Portal will require re-entering of the
administration password.
To log off of the Safe@Office Portal
• Do one of the following:
  • If you are connected through HTTP, click Logout in the main menu. The Logout page appears.
  • If you are connected through HTTPS, the Logout option does not appear in the main menu. Close the browser window.
Chapter 4
Configuring the Internet Connection
This chapter describes how to configure and work with a Safe@Office
Internet connection.
This chapter includes the following topics:
• Overview
• Using the Setup Wizard
• Using Internet Setup
• Cloning a MAC Address
• Viewing Internet Connection Information
• Enabling/Disabling the Internet Connection
• Using Quick Internet Connection/Disconnection
• Configuring a Backup Internet Connection
Overview
You must configure your Internet connection before you can access the
Internet through the Safe@Office appliance. You can configure your Internet
connection using either of the following setup tools:
• Setup Wizard. Guides you through the configuration process step by
step.
• Internet Setup. Offers advanced setup options. If you are using
Safe@Office 110 or 225, you can configure two Internet
connections using Internet Setup.
Using the Setup Wizard
The Setup Wizard allows you to configure your Safe@Office appliance for
Internet connection quickly and easily through its user-friendly interface. It
lets you choose between the following three types of broadband connection
methods:
• Direct LAN Connection
• Cable Modem
• PPTP or PPPoE dialer
Note: The first time you log on to the Safe@Office Portal, the Setup
Wizard starts automatically. In this case, you should skip to step 2 in the
procedure below.
To set up the Internet connection using the Setup Wizard
1. Click Network in the main menu, and click the Internet tab.
The Internet page appears.
2. Click Setup Wizard.
The Setup Wizard opens with the Welcome page displayed.
3. Click Next.
The Internet Connection Method dialog box appears.
4. Select the Internet connection method you want to use for connecting to the
Internet.
Note: If you selected PPTP or PPPoE dialer, do not use your dial-up
software to connect to the Internet.
5. Click Next.
Using a Direct LAN Connection
No further settings are required for a direct LAN (Local Area Network)
connection. The Confirmation screen appears.
1. Click Next.
The system attempts to connect to the Internet via the selected connection.
The Connecting… screen appears.
At the end of the connection process the Connected screen appears.
2. Click Finish.
Using a Cable Modem Connection
If you selected the Cable Modem connection method, the Identification dialog
box appears.
1. If your ISP requires a specific hostname for authentication, enter it in the
Host Name field. The ISP will supply you with the proper hostname, if
required.
Most ISPs do not require a specific hostname.
2. A MAC address is a 12-digit identifier assigned to every network device. If
your ISP restricts connections to specific, recognized MAC addresses, they
will instruct you to enter the MAC address. Otherwise, you may leave this
field blank.
If your ISP requires the MAC address, do either of the following:
• Click This Computer to automatically "clone" the MAC address of your computer to the Safe@Office appliance.
Or
• If the ISP requires authentication using the MAC address of a different computer, enter the MAC address in the MAC cloning field.
3. Click Next.
The Confirmation screen appears.
4. Click Next.
The system attempts to connect to the Internet.
The Connecting… screen appears. At the end of the connection process
the Connected screen appears.
5. Click Finish.
Using a PPTP or PPPoE Dialer Connection
If you selected the PPTP or PPPoE dialer connection method, the DSL
Connection Type dialog box appears.
1. Select the connection method used by your DSL provider.
Note: Most xDSL providers use PPPoE. If you are uncertain regarding
which connection method to use, contact your xDSL provider.
2. Click Next.
Using PPPoE
If you selected the PPPoE connection method, the DSL Configuration dialog
box appears.
1. Complete the fields using the information in the table below.
2. Click Next.
The Confirmation screen appears.
3. Click Next.
The system attempts to connect to the Internet via the DSL connection.
The Connecting… screen appears.
At the end of the connection process the Connected screen appears.
4. Click Finish.
Table 8: PPPoE Connection Fields
In this field… | Do this…
Username | Type your user name.
Password | Type your password.
Confirm password | Type your password.
Service | Type your service name. This field can be left blank.
Using PPTP
If you selected the PPTP connection method, the DSL Configuration dialog
box appears.
1. Complete the fields using the information in the table below.
2. Click Next.
The Confirmation screen appears.
3. Click Next.
The system attempts to connect to the Internet via the DSL connection.
The Connecting… screen appears.
At the end of the connection process the Connected screen appears.
4. Click Finish.
Table 9: PPTP Connection Fields
In this field… | Do this…
Username | Type your user name.
Password | Type your password.
Confirm password | Type your password.
Service | Type your service name.
Server IP | Type the IP address of the PPTP modem.
Internal IP | Type the local IP address required for accessing the PPTP modem.
Subnet Mask | Type the subnet mask of the PPTP modem.
Using Automatic DHCP
If you selected the Automatic DHCP connection method, no further
configuration is required. The Confirmation screen appears.
1. Click Next.
The system attempts to connect to the Internet via the selected connection.
The Connecting… screen appears.
At the end of the connection process the Connected screen appears.
2. Click Finish.
Using Internet Setup
Internet Setup allows you to manually configure your Internet connection.
To configure the Internet connection using Internet Setup
1. Click Network in the main menu, and click the Internet tab.
When using Safe@Office 110 or 225, the Internet page appears as
follows:
2. If your ISP restricts connections to specific, recognized MAC addresses,
clone a MAC address using the procedure Cloning a MAC Address on page 72.
3. Next to the Internet connection, click Edit.
The Internet Setup page appears.
4. From the Connection Type drop-down list, select the Internet connection
type you are using/intend to use.
The display changes according to the connection type you selected.
The following steps should be performed in accordance with the connection
type you have chosen.
Using a LAN Connection
1. Complete the fields using the relevant information in Internet Setup Fields
on page 69.
If you cleared the Obtain IP address automatically (using DHCP) check
box, the page appears as follows:
If you cleared the Obtain Domain Name Servers automatically check box,
the page appears as follows:
2. Click Apply.
The Safe@Office appliance attempts to connect to the Internet, and the
Status Bar displays the Internet status “Connecting”. This may take
several seconds.
Once the connection is made, the Status Bar displays the Internet status
“Connected”.
Using a Cable Modem Connection
1. Complete the fields using the relevant information in Internet Setup Fields
on page 69.
If you cleared the Obtain Domain Name Servers automatically check box,
the page appears as follows:
2. Click Apply.
The Safe@Office appliance attempts to connect to the Internet, and the
Status Bar displays the Internet status “Connecting”. This may take
several seconds.
Once the connection is made, the Status Bar displays the Internet status
“Connected”.
Using a PPPoE Connection
1. Complete the fields using the relevant information in Internet Setup Fields
on page 69.
If you cleared the Obtain Domain Name Servers automatically check box,
the page appears as follows:
2. Click Apply.
The Safe@Office appliance attempts to connect to the Internet, and the
Status Bar displays the Internet status “Connecting”. This may take
several seconds.
Once the connection is made, the Status Bar displays the Internet status
“Connected”.
Using a PPTP Connection
1. Complete the fields using the relevant information in Internet Setup Fields
on page 69.
If you cleared the Obtain IP address automatically (using DHCP) check
box, the page appears as follows:
If you cleared the Obtain Domain Name Servers automatically check box,
the page appears as follows:
2. Click Apply.
The Safe@Office appliance attempts to connect to the Internet, and the
Status Bar displays the Internet status “Connecting”. This may take
several seconds.
Once the connection is made, the Status Bar displays the Internet status
“Connected”.
Using a Telstra (BPA) Connection
Use this Internet connection type only if you are subscribed to Telstra®
BigPond™ Internet. Telstra BigPond is a trademark of Telstra Corporation
Limited.
1. Complete the fields using the relevant information in Internet Setup Fields
on page 69.
If you cleared the Obtain Domain Name Servers automatically check box,
the page appears as follows:
2. Click Apply.
The Safe@Office appliance attempts to connect to the Internet, and the
Status Bar displays the Internet status “Connecting”. This may take
several seconds.
Once the connection is made, the Status Bar displays the Internet status
“Connected”.
Using No Connection
If you are using Safe@Office 110 or 225, and you do not have a secondary
Internet connection, set the connection type to None.
• Click Apply.
Table 10: Internet Setup Fields
In this field… | Do this…
Host Name | Type the hostname for authentication. If your ISP has not provided you with a host name, leave this field blank. Most ISPs do not require a specific hostname.
Username | Type your user name.
Password | Type your password.
Confirm password | Type your password.
Service | Type your service name. If your ISP has not provided you with a service name, leave this field empty.
MTU | The MTU field allows you to control the maximum transmission unit size. As a general recommendation you should leave this field empty. If however you wish to modify the default MTU, it is recommended that you consult with your ISP first and use MTU values between 1300 and 1500.
Server IP | If you selected PPTP, type the IP address of the PPTP server as given by your ISP. If you selected Telstra (BPA), type the IP address of the Telstra authentication server as given by Telstra.
External IP | If you selected PPTP, type the IP address of the PPTP client as given by your ISP. If you selected PPPoE, this field is optional, and you do not have to fill it in unless your ISP has instructed you to do so.
Obtain IP address automatically (using DHCP) | Clear this option if you do not want the Safe@Office appliance to obtain an IP address automatically using DHCP.
Obtain Domain Name Servers automatically | Clear this option if you want the Safe@Office appliance to obtain an IP address automatically using DHCP, but not to automatically configure DNS and WINS servers.
IP Address | Type the static IP address of your Safe@Office appliance.
Subnet Mask | Select the subnet mask that applies to the static IP address of your Safe@Office appliance.
Default Gateway | Type the IP address of your ISP’s default gateway.
Preferred DNS Server | Type the Primary DNS server IP address.
Alternate DNS Server | Type the Secondary DNS server IP address.
WINS Server | Type the WINS server IP address.
Cloning a MAC Address
A MAC address is a 12-digit identifier assigned to every network device. If
your ISP restricts connections to specific, recognized MAC addresses, you
must clone a MAC address.
To clone a MAC address
1. Click Network in the main menu, and click the Internet tab.
The Internet page appears.
2. In the Cloned MAC address field, click Edit.
The MAC Cloning page appears.
3. Do one of the following:
Click This Computer to automatically "clone" the MAC address of
your computer to the Safe@Office appliance.
Or
If the ISP requires authentication using the MAC address of a
different computer, enter the MAC address in the MAC cloning
field.
4. Click Apply.
5. Click Back.
The Internet page reappears with your computer’s MAC address
displayed.
Viewing Internet Connection Information
You can view information on your Internet connection(s) in terms of status,
duration, and activity.
To view Internet connection information
• Click Network in the main menu, and click the Internet tab.
The Internet page appears.
The following information is displayed:
Table 11: Internet Page Fields

| Field | Description |
| --- | --- |
| Status | Indicates the connection’s status. |
| Duration | Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where: hh=hours, mm=minutes, ss=seconds. |
| IP Address | Your IP address. |
| Enabled | Indicates whether or not the connection is enabled. For further information, see Enabling/Disabling the Internet Connection on page 75. |
| WAN MAC Address | The Safe@Office appliance’s MAC address. |
| Cloned MAC Address | The cloned MAC address. For further information, see Cloning a MAC Address on page 72. |
| Received Packets | The number of data packets received in the active connection. |
| Sent Packets | The number of data packets sent in the active connection. |
Enabling/Disabling the Internet Connection
You can temporarily disable an Internet connection. This is useful if, for
example, you are going on vacation and do not want to leave your computer
connected to the Internet. If you are using Safe@Office 110 or 225 and have
two Internet connections, you can force the Safe@Office appliance to use a
particular connection, by disabling the other connection.
The Internet connection’s Enabled/Disabled status is persistent through
Safe@Office appliance reboots.
To enable/disable an Internet connection
1. Click Network in the main menu, and click the Internet tab.
The Internet page appears.
2. Next to the Internet connection, do one of the following:
To enable the connection, click
The button changes to
and the connection is enabled.
To disable the connection, click
The button changes to
and the connection is disabled.
Using Quick Internet Connection/Disconnection
By clicking the Connect or Disconnect button (depending on the connection
status) on the Internet page, you can establish a quick Internet connection
using the currently-selected connection type. In the same manner, you can
terminate the active connection.
The Internet connection retains its Connected/Not Connected status until the
Safe@Office appliance is rebooted. The Safe@Office appliance then
connects to the Internet if the connection is enabled. For information on
enabling an Internet connection, see Enabling/Disabling the Internet
Connection on page 75.
Configuring a Backup Internet Connection
You can configure both a primary and a secondary Internet connection. The
secondary connection acts as a backup, so that if the primary connection fails,
the Safe@Office appliance remains connected to the Internet.
To set up a backup Internet connection
1. Connect a hub or switch to the WAN port on your appliance's rear panel.
Note: Do not connect to the DMZ port.
2. Connect your two modems or routers to the hub/switch.
3. Configure two Internet connections.
For instructions, see Using Internet Setup on page 59.
Note: You can configure different DNS servers for the two connections.
The Safe@Office appliance acts as a DNS relay and routes requests
from computers within the network to the appropriate DNS server for the
active Internet connection.
Important: The two connections can be of different types. However, they
cannot both be LAN DHCP connections.
Chapter 5
Managing Your Network
This chapter describes how to manage and configure your network
connection and settings.
This chapter includes the following topics:
Configuring Network Settings
Configuring High Availability
Using Static NAT
Using Static Routes
Configuring Network Settings
Warning: These are advanced settings. Do not change them unless it is
necessary and you are qualified to do so.
Note: If you change the network settings to incorrect values and are
unable to correct the error, you can reset the Safe@Office appliance to
its default settings. See Resetting the Safe@Office appliance to
Defaults on page 222.
Enabling/Disabling the DHCP Server
By default, the Safe@Office appliance operates as a DHCP (Dynamic Host
Configuration Protocol) server. This allows the Safe@Office appliance to
automatically configure all the devices on your network with their network
configuration details. If you have another DHCP server configured in your
network, you must disable the Safe@Office DHCP server. Otherwise, it is
highly recommended to leave this setting enabled.
Note: When using a Safe@Office 200 series appliance, you can enable
the DHCP server for a DMZ network.
To enable/disable the DHCP server
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
When using Safe@Office 110 and 225, the My Network page appears as
follows:
2. In the DHCP Server list, select Enabled or Disabled.
3. Click Apply.
A warning message appears.
4. Click OK.
If you chose to disable the DHCP server, the DHCP server is
disabled.
If you chose to enable the DHCP server, it is enabled.
A success message appears.
5. Do one of the following:
If your computer is configured to obtain its IP address automatically
(using DHCP), and the Safe@Office DHCP server is enabled,
restart your computer.
Otherwise, manually reconfigure your computer to use the new
address range using the TCP/IP settings. For information on
configuring TCP/IP, see TCP/IP Settings on page 28, on page 24.
Changing IP Addresses
If desired, you can change your Safe@Office appliance’s internal IP address.
Using Safe@Office 110 or 225, you can also change the entire range of IP
addresses in your internal network. You may want to perform these tasks if,
for example, you are adding the Safe@Office appliance to a large existing
network and don't want to change that network’s IP address range, or if you
are using a DHCP server other than the Safe@Office appliance, that assigns
addresses within a different range.
To change IP addresses
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. To change the Safe@Office appliance’s internal IP address, enter the new
IP address in the Safe@Office LAN IP field.
3. To change the internal network range, enter a new value in the LAN Subnet
Mask field.
Note: The internal network range is defined both by the Safe@Office
appliance’s internal IP address and by the subnet mask.
For example, if the Safe@Office appliance’s internal IP address is
192.168.100.7, and you set the subnet mask to 255.255.255.0, the
network’s IP address range will be 192.168.100.1 – 192.168.100.254.
4. To reset the network to its default settings, do the following:
a. Click Default.
A confirmation message appears.
b. Click OK.
The internal network range is set to 192.168.10.*, and DHCP and
Hide NAT are enabled.
5. Click Apply.
A warning message appears.
6. Click OK.
The Safe@Office appliance's internal IP address and/or the
internal network range are changed.
A success message appears.
7. Do one of the following:
If your computer is configured to obtain its IP address automatically
(using DHCP), and the Safe@Office DHCP server is enabled,
restart your computer.
Your computer obtains an IP address in the new range.
Otherwise, manually reconfigure your computer to use the new
address range using the TCP/IP settings. For information on
configuring TCP/IP, see TCP/IP Settings on page 28, on page 24.
Enabling/Disabling Hide NAT
Hide Network Address Translation (NAT) enables you to share a single
public Internet IP address among several computers, by “hiding” the private
IP addresses of the internal computers behind the Safe@Office appliance’s
single Internet IP address.
Note: If Hide NAT is disabled, you must obtain a range of Internet IP
addresses from your ISP. Hide NAT is enabled by default.
Note: Static NAT and Hide NAT can be used together.
To enable/disable Hide NAT
1. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
2. From the Hide NAT list, select Enabled or Disabled.
3. Click Apply.
A warning message appears.
4. Click OK.
If you chose to disable Hide NAT, it is disabled.
If you chose to enable Hide NAT, it is enabled.
Configuring a DMZ Network
In addition to the LAN network, you can define a second internal network
called a DMZ (demilitarized zone) network, when using Safe@Office 110
and 225. Safe@Office 110 does not have a dedicated DMZ port, so the DMZ
is a logical second network behind the Safe@Office appliance, and you must
connect DMZ computers to LAN ports. Safe@Office 225 has a dedicated
DMZ port to which you must connect all DMZ computers.
By default, all traffic is allowed from the LAN network to the DMZ network,
and no traffic is allowed from the DMZ network to the LAN network. You
can easily customize this behavior by creating firewall user rules. For further
information, see Creating Rules on page 112.
For example, you could assign your company’s accounting department to the
LAN network and the rest of the company to the DMZ network. The
accounting department would be able to connect to all company computers,
while the rest of the employees would not be able to access any sensitive
information on the accounting department computers. You could then create
firewall rules that allow specific DMZ computers (such as a manager’s
computer) to connect to the LAN network and the accounting department.
Configuring a DMZ Network using Safe@Office 110
Note: Computers in the DMZ network cannot obtain IP addresses using
DHCP, and therefore must be assigned static IP addresses. For
instructions, see TCP/IP Settings on page 28, on page 24.
The default gateway for the DMZ computers should be specified as the
Safe@Office DMZ IP address.
To configure a DMZ network
1. Connect the DMZ computers to any of the appliance's LAN ports.
2. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
3. In the Logical DMZ Settings area, in the DMZ Mode drop-down list, select
Enabled.
The Logical DMZ Settings fields are enabled.
4. If desired, enable or disable Hide NAT.
See Enabling/Disabling Hide NAT on page 83.
5. In the Safe@Office DMZ IP text box, type the IP address of the DMZ network's
default gateway.
Note: The DMZ network must not overlap the LAN network.
6. In the DMZ Subnet Mask text box, type the DMZ’s internal network range.
7. To reset the network to its default settings, do the following:
a. Click Default.
A confirmation message appears.
b. Click OK.
The default settings are restored.
8. Click Apply.
A warning message appears.
9. Click OK.
A success message appears.
Configuring a DMZ Network using Safe@Office 225
Note: If desired, you can enable the DHCP server for the DMZ network.
The default gateway for the DMZ computers should be specified as the
Safe@Office DMZ IP address.
To configure a DMZ network
1. Connect the DMZ computer to the DMZ port.
If you have more than one computer in the DMZ network, connect a hub
or switch to the DMZ port, and connect the DMZ computers to the hub.
2. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
3. In the Logical DMZ Settings area, in the DMZ Mode drop-down list, select
Enabled.
The Logical DMZ Settings fields are enabled.
4. If desired, enable or disable Hide NAT.
See Enabling/Disabling Hide NAT on page 83.
5. In the Safe@Office DMZ IP text box, type the IP address of the DMZ network's
default gateway.
Note: The DMZ network must not overlap the LAN network.
6. In the DMZ Subnet Mask text box, type the DMZ’s internal network range.
7. To reset the network to its default settings, do the following:
a. Click Default.
A confirmation message appears.
b. Click OK.
The default settings are restored.
8. Click Apply.
A warning message appears.
9. Click OK.
A success message appears.
Configuring High Availability
You can install two Safe@Office 225 appliances on your network, one acting
as the “Master”, the default gateway through which all network traffic is
routed, and one acting as the “Backup”. If the Master fails, the Backup
automatically and transparently takes over all the roles of the Master. This
ensures that your network is consistently protected by a Safe@Office
appliance and connected to the Internet.
The Master and Backup each have separate IP addresses within the local
network. In addition, the Master and Backup share a single virtual IP address,
which is the default gateway address for the local network. The virtual IP
address is used by the Master gateway, which sends periodic signals, or
“heartbeats”, to the network. If the Backup gateway detects that the heartbeat
has stopped (indicating that the Master gateway has failed), it takes over
the virtual IP address and all of the Master gateway’s roles. When the Master
gateway is running once again, it reclaims the virtual IP address and resumes
its roles.
Before configuring High Availability, the following requirements must be
met:
• You must have two identical Safe@Office 225 appliances.
• The Safe@Office appliances must have identical firmware versions
and firewall rules.
• The Safe@Office appliances must have different LAN and DMZ IP
addresses, and they must be located on the same subnet. For
information on configuring LAN and DMZ addresses, see
Configuring Network Settings on page 79.
• The LAN ports of the two Safe@Office appliances must be
connected via a hub or a switch.
You can configure both the LAN network and the DMZ network for High
Availability.
The procedure below explains how to configure High Availability for the
LAN network, but can be used to configure High Availability for the DMZ
network as well.
Note: You can enable the DHCP server in both Safe@Office appliances.
The Backup gateway’s DHCP server will start answering DHCP
requests only if the Master gateway fails.
Note: You can force a fail-over to the Backup Safe@Office appliance.
You may want to do this in order to verify that High Availability is
working properly, or if the Master Safe@Office appliance needs repairs.
To force a fail-over, switch off the primary box or disconnect it from the
LAN network.
To configure High Availability
1. In the Master Safe@Office appliance, do the following:
a. Set the appliance’s internal IP address.
For further information, see Changing IP Addresses on page 82.
b. Configure the LAN network range.
For further information, see Changing IP Addresses on page 82.
c. Click Network in the main menu, and click the High
Availability tab.
The High Availability page appears.
d. In the LAN area, in the High Availability Mode drop-down list,
select Master.
e. In the Virtual Router IP text box, type the default gateway IP
address.
This can be any unused IP address in the LAN network, and must be
the same for both gateways.
f. Click Apply.
A success message appears.
2. In the Backup appliance, do the following:
a. Set the appliance’s internal IP address.
For further information, see Changing IP Addresses on page 82.
The internal IP address must differ from the Master appliance’s
internal IP address.
b. Configure the LAN network range to the same range you
configured in the Master appliance.
For further information, see Changing IP Addresses on page 82.
c. Click Network in the main menu, and click the High
Availability tab.
The High Availability page appears.
d. In the LAN area, in the High Availability Mode drop-down list,
select Backup.
e. In the Virtual Router IP text box, type the default gateway IP
address.
This address must be identical to the Virtual Router IP address you
specified when configuring the Master gateway.
f. Click Apply.
A success message appears.
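The addressing rules in this chapter (the range defined by the appliance IP and subnet mask, the DMZ not overlapping the LAN, and the High Availability requirements for the Master, Backup and Virtual Router IP) can be checked before anything is typed into the portal. The following is an added example, not part of the Safe@Office product or this guide; the function names, the in_use inventory and the sample addresses other than 192.168.100.7 are assumptions made for illustration.

```python
import ipaddress


def internal_range(appliance_ip, subnet_mask):
    """Return (network, first_host, last_host) for an appliance IP and mask."""
    net = ipaddress.ip_interface(f"{appliance_ip}/{subnet_mask}").network
    return net, net.network_address + 1, net.broadcast_address - 1


def check_dmz(lan_ip, lan_mask, dmz_ip, dmz_mask):
    """The DMZ network must not overlap the LAN network."""
    lan = internal_range(lan_ip, lan_mask)[0]
    dmz = internal_range(dmz_ip, dmz_mask)[0]
    if lan.overlaps(dmz):
        return [f"DMZ network {dmz} overlaps LAN network {lan}"]
    return []


def check_ha(master_ip, backup_ip, mask, master_vip, backup_vip, in_use=()):
    """Check the High Availability addressing requirements for one network.

    in_use is a hypothetical inventory of other addresses already assigned
    on that network, supplied by the administrator.
    """
    net, first, last = internal_range(master_ip, mask)
    master = ipaddress.ip_address(master_ip)
    backup = ipaddress.ip_address(backup_ip)
    vip_master = ipaddress.ip_address(master_vip)
    vip_backup = ipaddress.ip_address(backup_vip)
    problems = []
    # The two appliances need different addresses on the same subnet.
    if master == backup:
        problems.append("Master and Backup must have different IP addresses")
    if backup not in net:
        problems.append(f"Backup {backup} is not on the Master's subnet {net}")
    # The Virtual Router IP must be identical on both gateways.
    if vip_master != vip_backup:
        problems.append("Virtual Router IP must be the same on both gateways")
    # It must be an unused host address inside the LAN network.
    if not first <= vip_master <= last:
        problems.append(f"Virtual Router IP {vip_master} is not a host address in {net}")
    taken = {master, backup} | {ipaddress.ip_address(a) for a in in_use}
    if vip_master in taken:
        problems.append(f"Virtual Router IP {vip_master} is already in use")
    return problems


if __name__ == "__main__":
    # The guide's own example: 192.168.100.7 with mask 255.255.255.0.
    net, first, last = internal_range("192.168.100.7", "255.255.255.0")
    print(f"{net}: {first} - {last}")
    # Constructed plans: a DMZ carved out of the LAN range, and a broken HA pair.
    print(check_dmz("192.168.10.1", "255.255.255.0",
                    "192.168.10.129", "255.255.255.128"))
    print(check_ha("192.168.10.1", "192.168.11.2", "255.255.255.0",
                   "192.168.10.1", "192.168.10.3"))
```

An empty list from check_dmz or check_ha means the plan satisfies the rules stated in this chapter.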
Using Static NAT
Static NAT (or One-to-One NAT) allows the mapping of Internet IP
addresses or address ranges to hosts inside the internal network.
This is useful if you want a computer in your private network to have its own
Internet IP address. For example, if you have both a mail server and a Web
server in your network, you can map each one to a separate Internet IP
address.
Static NAT rules do not imply any security rules. To allow incoming traffic
to a host for which you defined Static NAT, you must create an Allow rule.
When specifying firewall rules for such hosts, use the host’s internal IP
address, and not the Internet IP address to which the internal IP address is
mapped. For further information, see Creating Rules on page 112.
Note: Static NAT and Hide NAT can be used together.
Note: Safe@Office appliance supports Proxy ARP (Address Resolution
Protocol). When an external source attempts to communicate with such
a computer, the Safe@Office appliance automatically replies to ARP
queries with its own MAC address, thereby enabling communication. As
a result, the Static NAT Internet IP addresses appear to external
sources to be real computers connected to the WAN interface.
Adding and Editing Static NAT Mappings
To add or edit a static NAT mapping
1. Click Network in the main menu, and click the Static NAT tab.
The Static NAT page appears.
2. Do one of the following:
To add a new Static NAT mapping, click New.
To edit an existing Static NAT mapping, click Edit.
The Static NAT wizard opens, with the Static NAT Mapping dialog box
displayed.
3. Complete the fields using the information in the table below.
4. Click Next.
The Static NAT Mapping Updated dialog box is displayed.
5. Click Finish.
If you added a new mapping, it appears in the Static NAT page.
Table 12: Static NAT Fields

| In this field… | Do this… |
| --- | --- |
| Map this WAN IP | Click this option to map an Internet IP address to a local computer. You must then fill in the MAP this WAN IP and To this Internal IP fields. |
| Map this WAN IP | Type the desired Internet IP address. |
| To this Internal IP | Type the IP address of the local computer, or click This Computer to specify your computer. |
| Map this WAN IP range | Click this option to map a range of Internet IP addresses to a range of local computer IP addresses of the same size. You must then fill in the MAP this WAN IP range and To this Internal IP range fields. |
| Map this WAN IP range | Type the desired Internet IP address range. |
| To this Internal IP range | Type the range of local computer IP addresses. |
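Two points from this section are easy to get wrong: a range mapping needs WAN and internal ranges of the same size, and firewall rules for a mapped host must name its internal IP address, not the Internet IP address. The following is an added example, not part of the Safe@Office product or this guide, that checks a planned set of mappings and Allow rules against both points; the tuple and rule layout and all addresses are constructed for illustration.

```python
import ipaddress

ip = ipaddress.ip_address


def build_nat_table(mappings):
    """Expand planned Static NAT mappings into {wan_ip: internal_ip}.

    mappings: (wan_first, wan_last, internal_first, internal_last) tuples;
    a single-address mapping repeats the same address as first and last.
    Returns (table, problems).
    """
    table, problems = {}, []
    for wan_first, wan_last, int_first, int_last in mappings:
        wan_size = int(ip(wan_last)) - int(ip(wan_first)) + 1
        int_size = int(ip(int_last)) - int(ip(int_first)) + 1
        if wan_size < 1 or wan_size != int_size:
            problems.append(
                f"{wan_first}-{wan_last} ({wan_size} addresses) and "
                f"{int_first}-{int_last} ({int_size} addresses) "
                "are not ranges of the same size")
            continue
        # One-to-one: the n-th WAN address maps to the n-th internal address.
        for offset in range(wan_size):
            table[ip(wan_first) + offset] = ip(int_first) + offset
    return table, problems


def lint_allow_rules(table, allow_rules):
    """Report Allow rules that will not do what the administrator intends.

    allow_rules: list of {"name": ..., "dest": ...} (hypothetical layout).
    """
    findings, ruled = [], set()
    for rule in allow_rules:
        dest = ip(rule["dest"])
        ruled.add(dest)
        # Rules must use the internal address, not the mapped Internet address.
        if dest in table:
            findings.append(
                f"{rule['name']}: destination {dest} is a Static NAT "
                f"Internet address; use {table[dest]}")
    # Static NAT alone does not permit traffic: each mapped host needs a rule.
    for wan, internal in table.items():
        if internal not in ruled:
            findings.append(f"{internal} (mapped from {wan}) has no Allow rule")
    return findings


# Constructed plan: one single-address mapping, one valid range, one bad range.
SAMPLE_MAPPINGS = [
    ("203.0.113.10", "203.0.113.10", "192.168.10.20", "192.168.10.20"),
    ("203.0.113.16", "203.0.113.19", "192.168.10.32", "192.168.10.35"),
    ("203.0.113.32", "203.0.113.35", "192.168.10.64", "192.168.10.65"),
]
SAMPLE_RULES = [
    {"name": "mail", "dest": "192.168.10.20"},   # correct: internal address
    {"name": "web", "dest": "203.0.113.16"},     # wrong: Internet address
]

if __name__ == "__main__":
    nat_table, nat_problems = build_nat_table(SAMPLE_MAPPINGS)
    for line in nat_problems + lint_allow_rules(nat_table, SAMPLE_RULES):
        print(line)
```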
Viewing and Deleting Static NAT Mappings
To view static NAT mappings
1. Click Network in the main menu, and click the Static NAT tab.
The Static NAT page appears with a list of existing static NAT mappings.
2. To delete a static NAT mapping, do the following:
a. In the desired static NAT mapping row, click the Delete icon.
A confirmation message appears.
b. Click OK.
The mapping is deleted.
Using Static Routes
A static route is a setting that explicitly specifies the route for packets
destined for a certain subnet. Packets with a destination that does not match
any defined static route will be routed to the default gateway.
To modify the default gateway, see Using a LAN Connection on page 61.
The Static Routes page lists all existing routes, including the default, and
indicates whether each route is currently "Up", or reachable, or not.
Adding a Static Route
To add a static route
1. Click Network in the main menu, and click the Static Routes tab.
The Static Routes page appears, with a listing of existing static routes.
2. Click New Route.
The Edit Route page appears.
3. Complete the fields using the information in Edit Route Page Fields on
page 98.
4. Click Apply.
The new static route is saved.
Table 13: Edit Route Page Fields

| In this field… | Do this… |
| --- | --- |
| Destination Network | Type the network address of the destination network. |
| Subnet Mask | Select the subnet mask. |
| Gateway IP | Type the IP address of the gateway (next hop router) to which to route the packets destined for this network. |
| Metric | Type the static route's metric. The gateway sends a packet to the route that matches the packet's destination and has the lowest metric. |
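The route selection rule described above (a matching destination, then the lowest metric, otherwise the default gateway) can be worked through offline before entering routes. The following is an added example, not part of the Safe@Office product or this guide; the route dictionary layout and all addresses are constructed, and the check that the Gateway IP sits on a directly connected network is a general routing requirement rather than something this guide states.

```python
import ipaddress


def validate_route(route, connected_networks):
    """Return a list of problems with one planned static route entry."""
    problems = []
    try:
        # Strict parsing rejects a host address typed where the
        # Destination Network field expects a network address.
        ipaddress.ip_network(f"{route['network']}/{route['mask']}")
    except ValueError:
        problems.append(
            f"{route['network']} is not a network address "
            f"for mask {route['mask']}")
    # Assumption (general routing practice, not from the guide): the next
    # hop must be on a network the appliance is directly attached to.
    gateway = ipaddress.ip_address(route["gateway"])
    if not any(gateway in ipaddress.ip_network(n) for n in connected_networks):
        problems.append(
            f"gateway {gateway} is not on a directly connected network")
    return problems


def select_gateway(dest_ip, routes, default_gateway):
    """Pick the next hop as the guide describes it.

    Among static routes whose destination network contains dest_ip, the
    one with the lowest metric wins; with no match, the packet goes to
    the default gateway. Routes are expected to have passed validate_route.
    """
    dest = ipaddress.ip_address(dest_ip)
    matching = [
        r for r in routes
        if dest in ipaddress.ip_network(f"{r['network']}/{r['mask']}")
    ]
    if not matching:
        return default_gateway
    return min(matching, key=lambda r: r["metric"])["gateway"]


# Constructed routing table for an appliance on the default 192.168.10.* LAN.
SAMPLE_ROUTES = [
    {"network": "10.1.0.0", "mask": "255.255.0.0",
     "gateway": "192.168.10.2", "metric": 5},
    {"network": "10.1.2.0", "mask": "255.255.255.0",
     "gateway": "192.168.10.3", "metric": 10},
    {"network": "10.1.0.0", "mask": "255.255.0.0",
     "gateway": "192.168.10.4", "metric": 1},
]
SAMPLE_DEFAULT_GATEWAY = "203.0.113.1"  # constructed ISP gateway address

if __name__ == "__main__":
    for destination in ("10.1.2.9", "10.2.0.1"):
        hop = select_gateway(destination, SAMPLE_ROUTES, SAMPLE_DEFAULT_GATEWAY)
        print(f"{destination} -> {hop}")
    typo = {"network": "10.1.2.9", "mask": "255.255.255.0",
            "gateway": "172.16.5.1", "metric": 1}
    print(validate_route(typo, ["192.168.10.0/24"]))
```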
Viewing and Editing Static Routes
To edit a static route
1. Click Network in the main menu, and click the Static Routes tab.
The Static Routes page appears, with a listing of existing static routes.
2. To edit the route details, do the following:
a. In the desired route row, click Edit.
The Edit Route page appears displaying the destination network,
subnet mask, and gateway IP of the selected route.
b. Edit the fields using Edit Route Page Fields on page 98.
c. Click Apply.
The changes are saved.
Deleting a Static Route
Note: The “default” route cannot be deleted.
To delete a static route
1. Click Network in the main menu, and click the Static Routes tab.
The Static Routes page appears, with a listing of existing static routes.
2. In the desired route row, click the Delete icon.
A confirmation message appears.
3. Click OK.
The route is deleted.
Chapter 6
Viewing Reports
This chapter describes the Safe@Office Portal reports.
This chapter includes the following topics:
Viewing the Event Log
Viewing Computers
Viewing Connections
Viewing the Event Log
You can track network activity using the Event Log. The Event Log displays
the most recent events and color codes them.
Table 14: Event Log Color Coding

| An event marked in this color… | Indicates… |
| --- | --- |
| Blue | Changes in your setup that you have made yourself or as a result of a security update implemented by your Service Center |
| Red | Connection attempts that were blocked by your firewall |
| Orange | Connection attempts that were blocked by your custom security rules |
| Green | Traffic accepted by the firewall. By default, accepted traffic is not logged. However, such traffic may be logged if specified by a security policy downloaded from your Service Center. |
The logs detail the date and the time the event occurred, and its type. If the
event is a communication attempt that was rejected by the firewall, the event
details include the source and destination IP address, the destination port, and
the protocol used for the communication attempt (for example, TCP or UDP).
Note: You can configure the Safe@Office appliance to send event logs
to a Syslog server. For information, see Configuring Syslog Logging
on page 204.
To view the event log
• Click Reports in the main menu, and click the Event Log tab.
The Event Log page appears.
You can do any of the following:
Click the Refresh button to refresh the display.
Click the Clear button to clear all events.
If an event is highlighted in red, indicating a blocked attack on
your network, you can display the attacker’s details, by clicking
on the IP address of the attacking machine.
The Safe@Office appliance queries the Internet WHOIS server, and a
window displays the name of the entity to whom the IP address is
registered and their contact information. This information is useful in
tracking down hackers.
Viewing Computers
This option allows you to view the currently active computers on your
network. The active computers are graphically displayed, each with its name,
IP address, and settings (DHCP, Static, etc.).
You can also view node limit information.
To view the active computers
1. Click Reports in the main menu, and click the Active Computers tab.
The Active Computers page appears.
If you configured High Availability, both the master and backup
appliances are shown.
If you are exceeding the maximum number of concurrent computers
allowed by your license, a warning message appears, and the computers
over the node limit are marked in red. These computers are still protected,
but they are blocked from accessing the Internet through the Safe@Office
appliance.
Note: Computers that did not communicate through the firewall are not
counted for node limit purposes, even though they are protected by the
firewall.
Note: To increase the number of computers allowed by your license, you
must upgrade your product. For further information, see Upgrading
Your Software Product on page 197.
If desired, you can click the Refresh button to refresh the display.
2. To view node limit information, do the following:
a. Click Node Limit.
The Node Limit window appears with installed software product and
the number of nodes used.
b. Click Close to close the window.
Viewing Connections
This option allows you to view the currently active connections between your
network and the external world. The active connections are displayed as a
list, specifying source IP address, destination IP address and port, and the
protocol used (TCP, UDP, etc.).
To view the active connections
• Click Reports in the main menu, and click the Active Connections
tab.
The Active Connections page appears.
You can do the following:
Click the Refresh button to refresh the display.
To view information on the destination machine, click its IP
address.
The Safe@Office appliance queries the Internet WHOIS server, and a
window displays the name of the entity to whom the IP address is
registered and their contact information.
Chapter 7
Setting Your Security Policy
This chapter describes how to set up your Safe@Office appliance security
policy.
You can enhance your security policy by subscribing to services such as Web
Filtering and E-mail Antivirus scanning. For information on these services
and the subscription process, see Using Subscription Services on page 123.
This chapter includes the following topics:
Setting the Firewall Security Level
Configuring Servers
Creating Rules
Defining an Exposed Host
Setting the Firewall Security Level
The firewall security level can be controlled using a simple lever available on
the Firewall page. You can set the lever to three states.
Note: If the security policy is remotely managed, this lever might be
disabled.
Table 15: Firewall Security Levels

| This level… | Does this… | Further Details |
| --- | --- | --- |
| Low | Enforces basic control on incoming connections, while permitting all outgoing connections. | All inbound traffic is blocked to the external Safe@Office appliance IP address, except for ICMP echoes ("pings"). All outbound connections are allowed. |
| Medium | Enforces strict control on all incoming connections, while permitting safe outgoing connections. This is the default level and is recommended for most cases. Leave it unchanged unless you have a specific need for a higher or lower security level. | All inbound traffic is blocked. All outbound traffic is allowed to the Internet except for Windows file sharing (NBT ports 137, 138, 139 and 445). |
| High | Enforces strict control on all incoming and outgoing connections. | All inbound traffic is blocked. Restricts all outbound traffic except for the following: Web traffic (HTTP, HTTPS), email (IMAP, POP3, SMTP), ftp, newsgroups, Telnet, DNS, IPSEC IKE and VPN traffic. |
Note: The definitions of firewall security levels provided in this table
represent the Safe@Office appliance’s default security policy. Security
updates downloaded from a Service Center may alter this policy and
change these definitions.
To change the firewall security level
1. Click Security in the main menu, and click the Firewall tab.
The Firewall page appears.
2. Drag the security lever to the desired level.
The Safe@Office appliance security level changes accordingly.
Configuring Servers
Note: If you do not intend to host any public Internet servers (Web
Server, Mail Server etc.) in your network, you can skip this section.
Using the Safe@Office Portal, you can selectively allow incoming network
connections into your network. For example, you can set up your own Web
server, Mail server or FTP server.
Note: Configuring servers allows you to create simple Allow and Forward
rules for common services, and it is equivalent to creating Allow and
Forward rules in the Rules page. For information on creating rules, see
Creating Rules on page 112.
To allow a service to be run on a specific host
1. Click Security in the main menu, and click the Servers tab.
The Servers page appears, displaying a list of services and a host IP
address for each allowed service.
2. Complete the fields using the information in the table below.
3. Click Apply.
A success message appears, and the selected computer is allowed to run
the desired service or application.
Table 16: Servers Page Fields

| In this column… | Do this… |
|---|---|
| Allow | Select the desired service or application. |
| VPN Only | Select this option to allow only connections made through a VPN. |
| Host IP | Type the IP address of the computer that will run the service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service. |
To stop the forwarding of a service to a specific host
1. Click Security in the main menu, and click the Servers tab.
The Servers page appears, displaying a list of services and a host IP
address for each allowed service.
2. In the desired service or application’s row, click Clear.
The Host IP text box of the desired service is cleared.
3. Click Apply.
The service or application is not allowed on the specific host.
Creating Rules
The Safe@Office appliance checks the protocol used, the port range and the
destination IP address when deciding whether to allow or block traffic.
By default, in the Medium security level, the Safe@Office appliance blocks
all connection attempts from the Internet (WAN) to the LAN, and allows all
outgoing connection attempts from the LAN to the Internet (WAN).
User-defined rules have priority over the default rules.
Adding and Editing Rules
Rules provide you with greater flexibility in defining and customizing your
security policy.
The following rule types exist:
Table 17: Firewall Rule Types

| Rule | Description |
|---|---|
| Allow and Forward | This rule type enables you to do the following: • Permit incoming access from the Internet to a specific service in your internal network. • Forward all such connections to a specific computer in your network. Creating an Allow and Forward rule is equivalent to defining a server in the Servers page. Note: You must use this type of rule to allow incoming connections if your network uses Hide NAT. Note: You cannot specify two Allow and Forward rules that forward the same service to two different destinations. |
| Allow | This rule type enables you to do the following: • Permit outgoing access from your internal network to a specific service on the Internet. Note: You can allow outgoing connections for services that are not permitted by the default security policy. • Permit incoming access from the Internet to a specific service in your internal network. Note: You cannot use an Allow rule to permit incoming traffic, if the network or VPN uses Hide NAT. However, you can use Allow rules for static NAT IP addresses. • You can only define Allow rules in Safe@Office 110 and 225. |
| Block | This rule type enables you to do the following: • Block outgoing access from your internal network to a specific service on the Internet • Block incoming access from the Internet to a specific service in your internal network |
To add or edit a rule
1. Click Security in the main menu, and click the Rules tab.
The Rules page appears.
2. Click Add Rule.
The Firewall Rule wizard opens, with the Step 1: Rule Type dialog box
displayed.
If you are using Safe@Office 110 or 225 the page appears as follows:
3. Select the type of rule you want to create.
4. Click Next.
The Step 2: Service dialog box appears.
The example below shows an Allow and Forward rule.
5. Complete the fields using the relevant information in the table below.
6. Click Next.
The Step 3: Destination and Source dialog box appears.
7. Complete the fields using the relevant information in Table 16.
The Step 4: Done dialog box appears.
8. Click Finish.
The new rule appears in the Firewall Rules page.
Table 18: Firewall Rule Fields

| In this field… | Do this… |
|---|---|
| Any Service | Click this option to specify that the rule should apply to any service. |
| Standard Service | Click this option to specify that the rule should apply to a specific standard service. You must then select the desired service from the drop-down list. |
| Custom Service | Click this option to specify that the rule should apply to a specific non-standard service. The Protocol and Port Range fields are enabled. You must fill them in. |
| Protocol | Select the protocol (ESP, GRE, TCP, UDP or ANY) for which the rule should apply. |
| Ports | To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box. Note: If you do not enter a port range, the rule will apply to all ports. If you enter only one port number, the range will include only that port. |
| Source | Select the source of the connections you want to allow/block. To specify an IP address, select Specified IP and type the desired IP address in the text box. |
| Destination | Select the destination of the connections you want to allow or block. To specify an IP address, select Specified IP and type the desired IP address in the text box. |
Deleting Rules
To delete an existing rule
1. Click Security in the main menu, and click the Rules tab.
The Rules page appears.
2. Click the icon of the rule you wish to delete.
A confirmation message appears.
3. Click OK.
The rule is deleted.
Defining an Exposed Host
The Safe@Office appliance allows you to define an exposed host, which is a
computer that is not protected by the firewall. This is useful for setting up a
public server. It allows unlimited incoming and outgoing connections
between the Internet and the exposed host computer.
The exposed host receives all traffic that was not forwarded to another
computer by use of Allow and Forward rules.
Warning - Entering an IP address may make the designated computer
vulnerable to hacker attacks. Defining an exposed host is not
recommended unless you are fully aware of the security risks.
To define a computer as an exposed host
1. Click Security in the main menu, and click the Exposed Host tab.
The Exposed Host page appears.
2. In the Exposed Host text box, type the IP address of the computer you wish
to define as an exposed host. Alternatively, you can click This Computer to
define your computer as the exposed host.
3. Click Apply.
The selected computer is now defined as an exposed host.
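
The decision order described in Creating Rules and Defining an Exposed Host can be checked against a planned configuration before it is applied. The following Python model is an added example, not SofaWare or Check Point code: it covers the Medium security level only, the Rule class, function names and sample addresses are hypothetical, and it assumes that user rules are matched in list order and that "same service" means an overlapping protocol and port range.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Outbound ports the chapter lists as blocked at the Medium level
# (Windows file sharing: NBT ports 137, 138, 139 and 445).
MEDIUM_BLOCKED_OUTBOUND = {137, 138, 139, 445}


@dataclass
class Rule:
    kind: str                          # "allow_forward", "allow" or "block"
    direction: str                     # "in" = Internet to LAN, "out" = LAN to Internet
    protocol: str                      # "TCP", "UDP", "ESP", "GRE" or "ANY"
    port_start: Optional[int] = None
    port_end: Optional[int] = None
    forward_to: Optional[str] = None   # destination host of an Allow and Forward rule

    def port_range(self) -> Tuple[int, int]:
        # Ports field (Table 18): no ports entered means all ports,
        # one port entered means a range holding only that port.
        if self.port_start is None:
            return (0, 65535)
        end = self.port_end if self.port_end is not None else self.port_start
        return (self.port_start, end)

    def matches(self, direction: str, protocol: str, port: int) -> bool:
        low, high = self.port_range()
        return (self.direction == direction
                and self.protocol in ("ANY", protocol)
                and low <= port <= high)


def forwarding_conflicts(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Pairs of Allow and Forward rules sending one service to two hosts.
    Assumption: "same service" means overlapping protocol and port range."""
    fwd = [r for r in rules if r.kind == "allow_forward"]
    conflicts = []
    for i, a in enumerate(fwd):
        for b in fwd[i + 1:]:
            same_proto = a.protocol == b.protocol or "ANY" in (a.protocol, b.protocol)
            (a_lo, a_hi), (b_lo, b_hi) = a.port_range(), b.port_range()
            if same_proto and a_lo <= b_hi and b_lo <= a_hi and a.forward_to != b.forward_to:
                conflicts.append((a, b))
    return conflicts


def decide_inbound(rules, exposed_host, protocol, port):
    """Where an inbound connection from the Internet ends up."""
    for r in rules:
        if r.kind == "allow_forward" and r.matches("in", protocol, port):
            return ("forward", r.forward_to)
    if exposed_host is not None:
        # The exposed host receives everything no Allow and Forward rule claimed.
        return ("forward", exposed_host)
    return ("block", None)             # Medium default: all inbound blocked


def decide_outbound(rules, protocol, port):
    """User rules first (assumption: first match in list order), then the default."""
    for r in rules:
        if r.kind in ("allow", "block") and r.matches("out", protocol, port):
            return r.kind
    return "block" if port in MEDIUM_BLOCKED_OUTBOUND else "allow"


def exposure_report(rules, exposed_host):
    """List what the configuration makes reachable from the Internet."""
    findings = []
    for r in rules:
        if r.kind == "allow_forward" and r.direction == "in":
            low, high = r.port_range()
            findings.append(f"{r.protocol} {low}-{high} -> {r.forward_to}")
    if exposed_host is not None:
        findings.append(f"all other inbound traffic -> {exposed_host} (exposed host)")
    return findings


# Constructed sample configuration (addresses are illustrative only).
RULES = [
    Rule("allow_forward", "in", "TCP", 80, forward_to="192.168.10.5"),
    Rule("allow_forward", "in", "TCP", 25, forward_to="192.168.10.6"),
    Rule("allow", "out", "TCP", 445),      # user rule overriding the Medium default
    Rule("block", "out", "TCP", 23),
]

if __name__ == "__main__":
    for line in exposure_report(RULES, "192.168.10.9"):
        print(line)
```

With an exposed host set, the report's last line shows that every port not claimed by an Allow and Forward rule reaches that one computer, which is the risk the warning above describes.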
Chapter 8
Using Subscription Services
This chapter explains how to start and use subscription services, such as
automatic software and security policy updates, content filtering, email virus
scanning, and remote logging.
Note: Check with your reseller regarding availability of subscription
services, or surf to www.sofaware.com/servicecenters to locate your
nearest Service Center.
This chapter includes the following topics:
• Connecting to a Service Center
• Viewing Services Information
• Refreshing Your Service Center Connection
• Configuring Your Account
• Disconnecting from Your Service Center
• Web Filtering
• Virus Scanning
• Automatic and Manual Updates
Connecting to a Service Center
To connect to a Service Center
1. Click Services in the main menu, and click the Account tab.
The Account page appears.
2. In the Service Account area, click Connect.
The Setup Wizard opens, with the Subscription Services dialog box
displayed.
3. Make sure the I wish to connect to a Service Center check box is selected.
4. Do one of the following:
• To connect to the SofaWare Service Center, select usercenter.sofaware.com.
• To specify a Service Center, do the following:
1) Select Specified.
2) In the Specified text box, enter the desired Service Center’s IP address, as given to you by your system administrator.
5. Click Next.
The Connecting… screen appears.
If the Service Center requires authentication, the Service Center
Login dialog box appears.
Do the following:
1) Enter your gateway ID and registration key in the
appropriate fields, as given to you by your service provider.
2) Click Next.
The Connecting… screen appears.
The Confirmation dialog box appears with a list of services to
which you are subscribed.
6. Click Next.
The Done screen appears with a success message.
7. Click Finish.
The following things happen:
• If a new firmware is available, the Safe@Office appliance may start downloading it. This may take several minutes. Once the download is complete, the Safe@Office appliance restarts using the new firmware.
• The Welcome page appears.
• The services to which you are subscribed are now available on your Safe@Office appliance and listed as such on the Account page. See Viewing Services Information on page 130 for further information.
• The Services submenu includes the services to which you are subscribed.
Viewing Services Information
The Account page displays the following information about your
subscription.
Table 19: Account Page Fields

| This field… | Displays… |
|---|---|
| Service Center Name | The name of the Service Center to which you are connected (if known). |
| Subscription will end on | The date on which your subscription to services will end. |
| Service | The services available in your service plan. |
| Subscription | The status of your subscription to each service: • Subscribed • Not Subscribed |
| Status | The status of each service: • Connected. You are connected to the service through the Service Center. • N/A. The service is not available. |
| Mode | The mode to which each service is set. For further information, see Web Filtering on page 133, Virus Scanning on page 136, and Automatic and Manual Updates on page 139. |
Refreshing Your Service Center Connection
This option restarts your Safe@Office appliance’s connection to the Service
Center and refreshes your Safe@Office appliance’s service settings.
To refresh your Service Center connection
1. Click Services in the main menu, and click the Account tab.
The Account page appears.
2. In the Service Account area, click Refresh.
The Safe@Office appliance reconnects to the Service Center.
Your service settings are refreshed.
Configuring Your Account
This option allows you to access your Service Center Web site, which may
offer additional configuration options for your account.
To configure your account
1. Click Services in the main menu, and click the Account tab.
The Account page appears.
2. In the Service Account area, click Configure.
Note: If no additional settings are available from your Service Center,
this button will not appear.
Your Service Center Web site opens.
3. Follow the on-screen instructions.
Disconnecting from Your Service Center
If desired, you can disconnect from your Service Center.
To disconnect from your Service Center
1. Click Services in the main menu, and click the Account tab.
The Account page appears.
2. In the Service Account area, click Connect.
The Setup Wizard opens, with the first Subscription Services dialog box
displayed.
3. Clear the I wish to connect to a Service Center check box.
4. Click Next.
The Done screen appears with a success message.
5. Click Finish.
The following things happen:
• You are disconnected from the Service Center.
• The services to which you were subscribed are no longer available on your Safe@Office appliance.
Web Filtering
When enabled, access to Web content is restricted according to the categories
specified under ‘Allow Categories’. Adult users will be able to view Web
pages with no restrictions only after they have provided the administrator
password via the Web Filtering pop-up window.
Enabling/Disabling Web Filtering
Note: If you are remotely managed, contact your Service Center to
change these settings.
To enable/disable Web Filtering
1. Click Services in the main menu, and click the Web Filtering tab.
The Web Filtering page appears.
2. Drag the On/Off lever upwards or downwards.
Web Filtering is enabled/disabled for all internal network computers.
Selecting Categories for Blocking
You can define which types of Web sites should be considered appropriate
for your family or office members, by selecting the categories. Categories
marked with [icon] will remain visible, while categories marked with [icon]
will be blocked and will require the administrator password for viewing.
Note: If you are remotely managed, contact your Service Center to
change these settings.
To allow/block a category
1. In the Allow Categories area, click [icon] or [icon] next to the desired category.
2. Click Apply.
Temporarily Disabling Web Filtering
If desired, you can temporarily disable the Web Filtering service.
To temporarily disable Web Filtering
1. Click Services in the main menu, and click the Web Filtering tab.
The Web Filtering page appears.
2. Click Snooze.
Web Filtering is temporarily disabled for all internal network
computers.
The Snooze button changes to Resume.
The Web Filtering Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window, or on
the Web Filtering page.
The service is re-enabled for all internal network computers.
If you clicked Resume in the Web Filtering page, the button
changes to Snooze.
If you clicked Resume in the Web Filtering Off popup window, the
popup window closes.
Virus Scanning
Enabling this option will result in automatic scanning of your email for the
detection and elimination of all known viruses and vandals.
Enabling/Disabling Email Antivirus
Note: If you are remotely managed, contact your Service Center to
change these settings.
To enable/disable Email Antivirus
1. Click Services in the main menu, and click the Email Antivirus tab.
The Email Antivirus page appears.
2. Drag the On/Off lever upwards or downwards.
Email Antivirus is enabled/disabled for all internal network computers.
Selecting Protocols for Scanning
If you are locally managed, you can define which protocols should be
scanned for viruses:
• Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned.
• Email sending (SMTP). If enabled, all outgoing email will be scanned.
Protocols marked with [icon] will be scanned, while those marked with [icon] will not.
Note: If you are remotely managed, contact your Service Center to
change these settings.
To enable virus scanning for a protocol
1. In the Protocols area, click [icon] or [icon] next to the desired protocol.
2. Click Apply.
Temporarily Disabling Email Antivirus
If you are having problems sending or receiving email, you can temporarily
disable the Email Antivirus service.
To temporarily disable Email Antivirus
1. Click Services in the main menu, and click the Email Antivirus tab.
The Email Antivirus page appears.
2. Click Snooze.
Email Antivirus is temporarily disabled for all internal network
computers.
The Snooze button changes to Resume.
The Email Antivirus Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window, or on
the Email Antivirus page.
The service is re-enabled for all internal network computers.
If you clicked Resume in the Email Antivirus page, the button
changes to Snooze.
If you clicked Resume in the Email Antivirus Off popup window,
the popup window closes.
Automatic and Manual Updates
If you are subscribed to Software Updates, you can check for new security
and software updates.
Checking for Software Updates When Locally Managed
If your Safe@Office appliance is locally managed, you can set it to
automatically check for software updates, or you can set it so that software
updates must be checked for manually.
To configure software updates when locally managed
1. Click Services in the main menu, and click the Software Updates tab.
The Software Updates page appears.
2. To set the Safe@Office appliance to automatically check for and install new
software updates, drag the Automatic/Manual lever upwards.
The Safe@Office appliance checks for new updates and installs them
according to its schedule.
Note: When the Software Updates service is set to Automatic, you can
still manually check for updates.
3. To set the Safe@Office appliance so that software updates must be checked
for manually, drag the Automatic/Manual lever downwards.
The Safe@Office appliance does not check for software updates
automatically.
4. To manually check for software updates, click Update Now.
The system checks for new updates and installs them.
Checking for Software Updates When Remotely Managed
If your Safe@Office appliance is remotely managed, it automatically checks
for software updates and installs them without user intervention. However,
you can still check for updates manually, if needed.
To manually check for security and software updates
1. Click Services in the main menu, and click the Software Updates tab.
The Software Updates page appears.
2. Click Update Now.
The system checks for new updates and installs them.
Chapter 9
Working With VPNs
This chapter describes how to use your Safe@Office appliance as a VPN
client, server, or gateway.
This chapter includes the following topics:
• Overview
• Setting Up Your Safe@Office Appliance as a VPN Server
• Adding and Editing VPN Sites
• Deleting a VPN Site
• Enabling/Disabling a VPN Site
• Logging on to a VPN Site
• Logging off a VPN Site
• Installing a Certificate
• Uninstalling a Certificate
• Viewing VPN Tunnels
Overview
A virtual private network (VPN) consists of at least one VPN server or
gateway, and several VPN clients. A VPN server makes the office network
remotely available to authorized users, such as employees working from
home, who connect to the VPN server using VPN clients. A VPN gateway
can be connected to another VPN gateway in a permanent, bi-directional
relationship. The two connected networks function as a single network.
A connection between two VPN sites is called a VPN tunnel. VPN tunnels
encrypt and authenticate all traffic passing through them. Through these
tunnels, employees can safely use their company’s network resources when
working at home. For example, they can securely read email, use the
company’s intranet, or access the company’s database from home.
Note: This chapter explains how to define a VPN locally. However, if
your appliance is centrally managed by a Service Center, then the
Service Center can automatically deploy VPN configuration for your
appliance.
Figure 7: Typical Office VPN
Safe@Office 105 acts as a VPN server for one user, allowing a single remote
employee to securely work from home or on the road.
Safe@Office 110 and 225 provide full VPN functionality. They can act as a
VPN client, a VPN server for multiple users, or a VPN gateway.
Setting Up Your Safe@Office Appliance as a VPN Server
You can make your network remotely available to authorized users by setting
up your Safe@Office appliance as a VPN server. Remote access users can
connect to the VPN server via Check Point SecuRemote or a Safe@Office
appliance in Remote Access VPN mode.
Note: The Check Point SecuRemote VPN client can be downloaded for
free from http://www.checkpoint.com/techsupport/downloads_sr.html
To set up your Safe@Office appliance as a VPN server
1. Click VPN in the main menu, and click the VPN Server tab.
The VPN Server page appears.
2. Drag the Enabled/Disabled lever to Enabled.
The VPN server is enabled.
The check box is enabled.
3. To allow authenticated users to access your internal network without
restriction and bypass NAT, select Unrestricted Access.
4. Follow the procedure Setting Up Remote VPN Access for Users on page
188.
Note: Disabling the VPN server will cause all existing VPN tunnels to
disconnect.
Adding and Editing VPN Sites
You define each VPN site according to the function you want your
Safe@Office appliance to perform when connecting to it:
• VPN client
Define the VPN site as a Remote Access VPN site using the procedure
below.
• VPN gateway
On the first VPN site’s Safe@Office appliance, define the second
VPN site as a Site-to-Site VPN gateway or create a PPPoE tunnel
to the second VPN site, using the procedure below.
Then enable the VPN server using the procedure Setting Up Your
Safe@Office Appliance as a VPN Server on page 145.
On the second VPN site’s Safe@Office appliance, define the first
VPN site as a Site-to-Site VPN gateway or create a PPPoE tunnel
to the first VPN site, using the procedure below.
Then enable the VPN server using the procedure Setting Up Your
Safe@Office Appliance as a VPN Server on page 145.
To add or edit VPN sites
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears with a list of VPN sites.
2. Do one of the following:
• To add a VPN site, click New Site.
• To edit a VPN site, click Edit in the desired VPN site’s row.
The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard
dialog box displayed.
3. Do one of the following:
• Select Remote Access VPN to establish remote access from your VPN client to a VPN server or gateway.
• Select Site to Site VPN to create a permanent bi-directional connection to another gateway.
• Select PPPoE to create a non-encrypted connection to a PPPoE server.
4. Click Next.
Configuring a Remote Access VPN Site
If you selected Remote Access VPN, the VPN Gateway Address dialog box
appears.
1. Enter the IP address of the VPN gateway to which you want to connect, as
given to you by the network administrator.
2. Click Next.
The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration. Refer to
VPN Network Configuration Fields on page 155.
4. Click Next.
The following things happen in the order below:
If you chose Specify Configuration, a second VPN Network
Configuration dialog box appears.
Do the following:
1) Complete the fields using the information in VPN Network
Configuration Fields on page 155.
2) Click Next.
The VPN Login dialog box appears.
5. Complete the fields using the information in VPN Login Fields on page
154.
6. Click Next.
The Site Name dialog box appears.
7. Enter a name for the VPN site.
You may choose any name.
8. Click Next.
The VPN Site Created screen appears.
9. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site
appears in the VPN Sites list. If you edited a VPN site, the modifications
are reflected in the VPN Sites list.
Table 20: VPN Login Fields

| In this field… | Do this… |
|---|---|
| Manual Login | Click this option to configure the site for Manual Login. Manual Login connects only the computer you are currently logged onto to the VPN site, and only when the appropriate user name and password have been entered. For further information on Automatic and Manual Login, see Logging on to a VPN Site on page 168. |
| Automatic Login | Click this option to enable the Safe@Office appliance to log on to the VPN site automatically. You must then fill in the Username and Password fields. Automatic Login provides all the computers on your internal network with constant access to the VPN site. For further information on Automatic and Manual Login, see Logging on to a VPN Site on page 168. |
| Username | Type the user name to be used for logging on to the VPN site. |
| Password | Type the password to be used for logging on to the VPN site. |
Table 21: VPN Network Configuration Fields

| In this field… | Do this… |
|---|---|
| Download Configuration | Click this option to obtain the network configuration by downloading it from the VPN site. This option will automatically configure your VPN settings, by downloading the network topology definition from the VPN server. Note: Downloading the network configuration is only possible if you are connecting to a Check Point VPN-1 or Safe@Office VPN gateway. |
| Specify Configuration | Click this option to provide the network configuration manually. |
| Route All Traffic | Click this option to route all network traffic through the VPN site. This option increases network security. For example, if your VPN consists of a central office and a number of remote offices, and the remote offices are only allowed to access Internet resources through the central office, you can choose to route all traffic from the remote offices through the central office. Note: You can only configure one VPN site to route all traffic. |
| Destination network | Type up to three destination network addresses at the VPN site to which you want to connect. |
| Subnet mask | Select the subnet masks for the destination network addresses. Note: Obtain the destination networks and subnet masks from the VPN gateway’s system administrator. |
| Backup Gateway | Type the name of the VPN gateway to use if the primary VPN gateway fails. |
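
The difference between Specify Configuration and Route All Traffic is which destinations end up inside the tunnel. The Python sketch below is an added example, not part of the original guide or of the appliance software: the VpnSite class, function names and addresses are hypothetical, and picking the most specific matching network when several match is an assumption the guide does not state.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MAX_DESTINATION_NETWORKS = 3   # Table 21: "up to three destination network addresses"


@dataclass
class VpnSite:
    name: str
    route_all_traffic: bool = False
    # Each entry is "network/subnet mask", as entered in the wizard fields.
    destinations: List[str] = field(default_factory=list)


def check_sites(sites: List[VpnSite]) -> List[str]:
    """Return the problems found in a set of VPN site definitions."""
    problems = []
    if sum(s.route_all_traffic for s in sites) > 1:
        problems.append("more than one site is set to Route All Traffic")
    for s in sites:
        if len(s.destinations) > MAX_DESTINATION_NETWORKS:
            problems.append(f"{s.name}: more than three destination networks")
        for d in s.destinations:
            try:
                # strict=True rejects an address with bits set outside the mask
                ipaddress.ip_network(d, strict=True)
            except ValueError:
                problems.append(f"{s.name}: {d} is not a valid network/mask pair")
    return problems


def site_for(sites: List[VpnSite], destination_ip: str) -> Optional[str]:
    """Name of the site whose tunnel carries traffic to destination_ip,
    or None when the traffic leaves directly to the Internet."""
    ip = ipaddress.ip_address(destination_ip)
    best = None
    for s in sites:
        for d in s.destinations:
            net = ipaddress.ip_network(d, strict=True)
            # Assumption: the most specific (longest mask) match wins.
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, s.name)
    if best is not None:
        return best[1]
    for s in sites:
        if s.route_all_traffic:
            return s.name
    return None


# Constructed sample data: the same remote office configured both ways.
BRANCH_SPECIFIED = [
    VpnSite("central-office",
            destinations=["10.1.0.0/255.255.0.0", "10.2.0.0/255.255.255.0"]),
]
BRANCH_ROUTE_ALL = [VpnSite("central-office", route_all_traffic=True)]

if __name__ == "__main__":
    for label, sites in (("specified", BRANCH_SPECIFIED), ("route all", BRANCH_ROUTE_ALL)):
        for dst in ("10.1.5.9", "203.0.113.10"):
            print(label, dst, "->", site_for(sites, dst) or "direct to Internet")
```

With specified networks, traffic to any other address bypasses the central office; with Route All Traffic it does not, which is the case the table describes as increasing network security.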
Configuring a Site-to-Site VPN Gateway
If you selected Site to Site VPN, the VPN Gateway Address dialog box appears.
1. In the VPN Gateway field, enter the IP address of the VPN gateway to which
you want to connect, as given to you by the network administrator.
2. To allow the VPN site to access your internal network without restriction
and bypass NAT, select Unrestricted Access.
3. Click Next.
The Resolving… screen appears.
The VPN Network Configuration dialog box appears.
4. Specify how you want to obtain the VPN network configuration. Refer to
VPN Network Configuration Fields on page 155.
5. Click Next.
If you chose Specify Configuration, a second VPN Network
Configuration dialog box appears.
Do the following:
1) Complete the fields using the information in VPN Network
Configuration Fields on page 155.
2) Click Next.
The Authentication dialog box appears.
If you chose Download Configuration, the dialog box appears as
follows:
6. Complete the fields using the table below.
7. Click Next.
The Connect dialog box appears.
8. If you don’t want to try to connect to the VPN gateway, clear the Try to
Connect to the VPN Gateway check box.
This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the
wizard, all existing tunnels will be terminated.
9. Click Next.
If you selected Try to Connect to the VPN Gateway, the following
things happen:
The Connecting… screen appears.
The Contacting VPN Site screen appears.
The Site Name dialog box appears.
10. Enter a name for the VPN site.
You may choose any name.
11. To keep the tunnel to the VPN site alive even if there is no network traffic
between the Safe@Office appliance and the VPN site, select Keep this site
alive.
12. Click Next.
The VPN Site Created screen appears.
13. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site
appears in the VPN Sites list. If you edited a VPN site, the modifications
are reflected in the VPN Sites list.
Table 22: VPN Authentication Fields
In this field… | Do this…
Topology User | Type the topology user’s user name.
Topology Password | Type the topology user’s password.
Use Shared Secret | Select this option to use a shared secret for VPN authentication. If you select this option, you must fill in the Shared Secret field.
Shared Secret | Type the shared secret to use for secure communications with the VPN site. This shared secret is a string used to identify the VPN sites to each other. The secret can contain spaces and special characters.
Use Certificate | Select this option to use a certificate for VPN authentication. If you select this option, a certificate must have been installed. (Refer to Installing a Certificate on page 172 for more information about certificates and instructions on how to install a certificate.)
Creating a PPPoE Tunnel
If you selected PPPoE, the VPN Network Configuration dialog box appears.
1. Complete the fields using the information in VPN Network Configuration
Fields on page 155.
2. Click Next.
The PPPoE Login page appears.
3. Complete the fields using the information in the table below.
4. Click Next.
The Site Name dialog box appears.
5. Enter a name for the VPN site.
You may choose any name.
6. Click Next.
The VPN Site Created screen appears.
7. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site
appears in the VPN Sites list. If you edited a VPN site, the modifications
are reflected in the VPN Sites list.
Table 23: PPPoE Login Fields
In this field… | Do this…
User | The PPPoE username.
Password | The PPPoE password.
Service | The service name configured in the PPPoE server. You only need to fill in this field if there is more than one PPPoE server in the WAN network. Note: If you do not fill in this field, the first PPPoE server found is used.
Deleting a VPN Site
To delete a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears, with a list of VPN sites.
2. In the desired VPN site’s row, click the Delete icon.
A confirmation message appears.
3. Click OK.
The VPN site is deleted.
Enabling/Disabling a VPN Site
You can only connect to VPN sites that are enabled.
To enable/disable a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears, with a list of VPN sites.
2. To enable a VPN site, do the following:
a. Click the icon in the desired VPN site’s row.
A confirmation message appears.
b. Click OK.
The icon changes, and the VPN site is enabled.
3. To disable a VPN site, do the following:
Note: Disabling a VPN site eliminates the tunnel and erases the network
topology.
a. Click the icon in the desired VPN site’s row.
A confirmation message appears.
b. Click OK.
The icon changes, and the VPN site is disabled.
Logging on to a VPN Site
You need to manually log on to Remote Access VPN sites configured for
Manual Login. You do not need to manually log on to a Remote Access VPN
site configured for Automatic Login or a Site-to-Site VPN gateway: all the
computers on your network have constant access to it.
Manual Login can be done through either the Safe@Office Portal or the
my.vpn page. When you log on and traffic is sent to the VPN site, a VPN
tunnel is established. Only the computer from which you logged on can use
the tunnel. To share the tunnel with other computers in your home network,
you must log on to the VPN site from those computers, using the same user
name and password.
Note: You must use a single user name and password for each VPN
destination gateway.
Logging on through the Safe@Office Portal
Note: You can only log in to sites that are configured for Manual Login.
To manually log on to a VPN site through the Safe@Office Portal
1. Click VPN in the main menu, and click the VPN Login tab.
The VPN Login page appears.
2. From the Site Name list, select the site to which you want to log on.
Note: Disabled VPN sites will not appear in the Site list.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
If the Safe@Office appliance is configured to automatically
download the network configuration, the Safe@Office appliance
downloads the network configuration.
If when adding the VPN site you specified a network
configuration, the Safe@Office appliance attempts to create a
tunnel to the VPN site.
Once the Safe@Office appliance has finished connecting, the VPN
Login Status box appears. The Status field displays “Connected”.
The VPN Login Status box remains open until you manually log
off the VPN site.
Logging on through the my.vpn page
Note: You don’t need to know the my.firewall page administrator’s
password in order to use the my.vpn page.
To manually log on to a VPN site through the my.vpn page
1. Direct your web browser to http://my.vpn
The VPN Login screen appears.
2. In the Site Name list, select the site to which you want to log on.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
If the Safe@Office appliance is configured to automatically
download the network configuration, the Safe@Office appliance
downloads the network configuration.
If when adding the VPN site you specified a network
configuration, the Safe@Office appliance attempts to create a
tunnel to the VPN site.
The VPN Login Status box appears. The Status field tracks the
connection’s progress.
Once the Safe@Office appliance has finished connecting, the
Status field changes to “Connected”.
The VPN Login Status box remains open until you manually log
off of the VPN site.
Logging off a VPN Site
You need to manually log off a VPN site if the VPN site is a Remote Access
VPN site configured for Manual Login.
To log off a VPN site
• In the VPN Login Status box, click Logout.
All open tunnels from the Safe@Office appliance to the VPN site are
closed, and the VPN Login Status box closes.
Note: Closing the browser or dismissing the VPN Login Status box will also
terminate the VPN session within a short time.
Installing a Certificate
A digital certificate is a secure means of authenticating the Safe@Office
appliance to other VPN gateways. The certificate is issued by the Certificate
Authority (CA) to entities such as gateways, users, or computers. The entity
then uses the certificate to identify itself and provide verifiable information.
For instance, the certificate includes the Distinguished Name (DN)
(identifying information) of the entity, as well as the public key (information
about itself). After two entities exchange and validate each other's
certificates, they can begin encrypting information between themselves using
the public keys in the certificates.
The Safe@Office appliance supports certificates encoded in the PKCS#12
(Personal Information Exchange Syntax Standard) format. The PKCS#12 file
must have a ".p12" file extension.
Note: To use certificate authentication, each Safe@Office appliance
should have a unique certificate. Do not use the same certificate for
more than one gateway.
If you do not have a PKCS#12 file, obtain one from your network security
administrator.
To install a certificate
1. Click VPN in the main menu, and click the Certificate tab.
The Certificate page appears, with instructions on how to install the
certificate.
2. Click Install Certificate.
A Certificate page appears as follows:
3. Click Browse to open a file browser from which to locate and select the file.
The filename that you selected is displayed.
4. Click Upload.
You are requested to enter the pass-phrase.
5. Type the pass-phrase you received from the network security administrator.
6. Click OK.
The certificate is installed.
A success message appears.
7. Click OK.
The name of the CA that issued the certificate and the name of the
gateway to which this certificate was issued appear.
Uninstalling a Certificate
You cannot uninstall the certificate if there is a VPN site currently defined to
use certificate authentication.
When a certificate is currently installed, the Certificate page presents two
options:
• Install Certificate: Allows you to install a new certificate. The
current certificate will be replaced.
• Uninstall Certificate: Allows you to uninstall the current certificate.
After that, no certificate exists on the Safe@Office appliance, and
you will not be able to connect to the VPN if a certificate is still
required.
To uninstall a certificate
1. Click VPN in the main menu, and click the Certificate tab.
The Certificate page appears with the name of the currently installed
certificate.
2. Click Uninstall.
A confirmation message appears.
3. Click OK.
The certificate is uninstalled.
A success message appears.
4. Click OK.
Viewing VPN Tunnels
You can view a list of currently established VPN tunnels. VPN tunnels are
created and closed as follows:
• Remote Access VPN sites configured for Automatic Login, Site-to-Site VPN gateways and PPPoE tunnels: A tunnel is created
whenever your computer attempts any kind of communication with
a computer at the VPN site. The tunnel is closed when not in use
for a period of time.
Note: Although the VPN tunnel is automatically closed, the site remains
open, and if you attempt to communicate with the site, the tunnel will be
reestablished.
• Remote Access VPN sites configured for Manual Login: A tunnel is
created whenever your computer attempts any kind of
communication with a computer at the VPN site, after you have
manually logged on to the site. All open tunnels connecting to the
site are closed when you manually log off.
To view VPN tunnels
• Click Reports in the main menu, and click the VPN Tunnels tab.
The VPN Tunnels page appears with a table of open tunnels to VPN sites.
The VPN Tunnels page includes the information described in VPN Tunnels
Page Fields on page 178.
You can refresh the table by clicking Refresh.
Table 24: VPN Tunnels Page Fields
This field… | Displays…
 | The Safe@Office appliance Internet IP address.
 | The security protocol (IPSec), the type of encryption used to secure the connection, and the type of Message Authentication Code (MAC) used to verify the integrity of the message. This information is presented in the following format: Security protocol: Encryption type/Authentication type. Note: All VPN settings are automatically negotiated between the two sites. The encryption and authentication schemes used for the connection are the strongest of those used at the two sites. Your Safe@Office appliance supports AES, 3DES, and DES encryption schemes, and MD5 and SHA authentication schemes.
 | The name and IP address of the VPN gateway to which the tunnel is connected.
User | The user logged on to the VPN site.
Duration | The time at which the tunnel was established. This information is presented in the format hh:mm:ss, where: hh=hours, mm=minutes, ss=seconds
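Because the VPN settings are negotiated automatically, the security entry in Table 24 (format "Security protocol: Encryption type/Authentication type") is where you see which schemes a tunnel actually ended up with. The Python below is an added example, not part of the original guide or the appliance software: it parses entries in that format and flags tunnels that negotiated DES or MD5. The sample rows, the exact spelling of the entries (for example "IPSec: 3DES/MD5") and the strength ranking are assumptions of this example.

```python
import re

# Schemes the guide lists as supported. The weakest-to-strongest ordering is
# this example's assumption, not something the guide states.
ENCRYPTION_RANK = {"DES": 0, "3DES": 1, "AES": 2}
AUTH_RANK = {"MD5": 0, "SHA": 1}

# "Security protocol: Encryption type/Authentication type"
ENTRY_RE = re.compile(
    r"^\s*(?P<proto>[A-Za-z]+)\s*:\s*(?P<enc>[^/\s]+)\s*/\s*(?P<auth>\S+)\s*$"
)


def scheme_family(token, ranks):
    """Map a token such as 'AES-256' or 'sha1' to its base scheme name, or None."""
    upper = token.upper()
    for name in ranks:
        if upper.startswith(name):
            return name
    return None


def parse_entry(entry):
    """Return (protocol, encryption, authentication) or raise ValueError."""
    match = ENTRY_RE.match(entry)
    if not match:
        raise ValueError(f"not 'protocol: encryption/authentication': {entry!r}")
    enc = scheme_family(match["enc"], ENCRYPTION_RANK)
    auth = scheme_family(match["auth"], AUTH_RANK)
    if enc is None or auth is None:
        raise ValueError(f"unknown scheme in {entry!r}")
    return match["proto"], enc, auth


def audit_tunnels(rows, min_enc="3DES", min_auth="SHA"):
    """Return (gateway, finding) for every tunnel below the chosen minimums.

    Entries that cannot be parsed are reported too, so that an unexpected
    value is reviewed by a person instead of being silently skipped.
    """
    findings = []
    for gateway, entry in rows:
        try:
            _proto, enc, auth = parse_entry(entry)
        except ValueError as exc:
            findings.append((gateway, f"unparsed: {exc}"))
            continue
        weak = []
        if ENCRYPTION_RANK[enc] < ENCRYPTION_RANK[min_enc]:
            weak.append(enc)
        if AUTH_RANK[auth] < AUTH_RANK[min_auth]:
            weak.append(auth)
        if weak:
            findings.append((gateway, "weak: " + ", ".join(weak)))
    return findings


# Constructed rows as they might be copied from the VPN Tunnels page
# (gateway names and addresses are placeholders from documentation ranges).
SAMPLE_ROWS = [
    ("branch-gw 198.51.100.10", "IPSec: AES/SHA"),
    ("partner-gw 203.0.113.20", "IPSec: 3DES/MD5"),
    ("legacy-gw 192.0.2.30", "IPSec: DES/MD5"),
    ("unknown-gw 192.0.2.40", "IPSec AES-SHA"),
]

if __name__ == "__main__":
    for gateway, finding in audit_tunnels(SAMPLE_ROWS):
        print(f"{gateway}: {finding}")
```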
Chapter 10
Managing Users
This chapter describes how to manage Safe@Office appliance users. In
Safe@Office 105, there is a single user called "admin", whose password can
be changed; in Safe@Office 110 and 225, you can define multiple users and
assign them various permissions.
This chapter includes the following topics:
• Changing Your Password
• Adding Users
• Viewing and Editing Users
• Deleting Users
• Setting Up Remote VPN Access for Users
• Using RADIUS Authentication
Changing Your Password
You can change your password at any time. How this task is performed
depends on the Safe@Office model you are using.
Using Safe@Office 105
To change your password
1. Click Password in the main menu.
The Password page appears.
2. Edit the Password and Confirm password fields.
Note: Use 5 to 25 characters (letters or numbers) for the new password.
3. Click Apply.
Your changes are saved.
Using Safe@Office 110 and 225
To change your password
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. In the row of your username, click Edit.
The Edit User page appears.
3. Edit the Password and Confirm password fields.
Note: Use 5 to 25 characters (letters or numbers) for the new password.
4. Click Apply.
Your changes are saved.
Adding Users
To add a user
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. Click New User.
The Edit User page appears. The options that appear on the page are
dependent on the software and services you are using.
3. Complete the fields using the information in Edit User Page Fields on page
186.
4. Click Apply.
The new user is saved.
The Edit User page appears.
Viewing and Editing Users
To view or edit users
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. In the desired user’s row, click Edit.
The Edit User page appears with the user’s details. The options that appear
on the page are dependent on the software and services you are using.
3. To edit the user’s details, do the following:
a. Edit the fields using Edit User Page Fields on page 186.
b. Click Apply.
The changes are saved.
4. To return to the Users page without making any changes, click Cancel.
Table 25: Edit User Page Fields
In this field… | Do this…
Username | Enter a username for the user. You cannot change the “admin” user’s username.
Password | Enter a password for the user. Use five to 25 characters (letters or numbers) for the new password.
Confirm Password | Re-enter the user’s password.
Administrator Level | Select the user’s level of access to the Safe@Office Portal. The levels are:
  • No Access: The user cannot access the Safe@Office Portal.
  • Read/Write: The user can log on to the Safe@Office Portal and modify system settings.
  • Read Only: The user can log on to the Safe@Office Portal, but cannot modify system settings. For example, you could assign this administrator level to technical support personnel who need to view the Event Log.
  The default level is No Access. The “admin” user’s Administrator Level (Read/Write) cannot be changed.
VPN Remote Access | Select this option to allow the user to connect to this Safe@Office appliance using their VPN client. For further information on setting up VPN remote access, see Setting Up Remote VPN Access for Users on page 188. This option only appears in Safe@Office 110 and 225.
Web Filtering Override | Select this option to allow the user to override Web Filtering. This option only appears if the Web Filtering service is defined. This option cannot be changed for the “admin” user.
Deleting Users
Note: The “admin” user cannot be deleted.
To delete a user
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. In the desired user’s row, click the Delete icon.
A confirmation message appears.
3. Click OK.
The user is deleted.
Setting Up Remote VPN Access for Users
If you are using your Safe@Office appliance as a VPN server, you can allow
users to access it remotely through their VPN clients (a Check Point
SecureClient, Check Point SecuRemote, or another Embedded NG
appliance).
To set up remote VPN access for a user
1. Enable your VPN server, using the procedure Setting Up Your
Safe@Office Appliance as a VPN Server on page 145.
2. Add the user to the system, using the procedure Adding Users on page
184. You must select the VPN Remote Access option.
Note: When using Safe@Office 105, there is only one pre-defined user
called ‘admin’, and you cannot create additional users.
Using RADIUS Authentication
You can use RADIUS to authenticate both Safe@Office appliance users and
VPN clients trying to connect to the Safe@Office appliance.
When a user accesses the Safe@Office Portal and tries to log on, the
Safe@Office appliance sends the entered user name and password to the
RADIUS server. The server then checks whether the RADIUS database
contains a matching user name and password pair. If so, then the user is
logged on.
To use RADIUS authentication
1. Click Users in the main menu, and click the RADIUS tab.
The RADIUS page appears.
2. Complete the fields using RADIUS Page Fields on page 190.
3. Click Apply.
Table 26: RADIUS Page Fields
In this field… | Do this…
Address | Type the IP address of the computer that will run the RADIUS service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service. To clear the text box, click Clear.
Port | Type the port number on the RADIUS server’s host computer. To reset this field to the default (port 1812), click Default.
Shared Secret | Type the shared secret to use for secure communication with the RADIUS server.
Administrator Level | Select the level of access to the Safe@Office Portal to assign to all users authenticated by the RADIUS server. The levels are:
  • No Access: The user cannot access the Safe@Office Portal.
  • Read/Write: The user can log on to the Safe@Office Portal and modify system settings.
  • Read Only: The user can log on to the Safe@Office Portal, but cannot modify system settings.
  The default level is No Access.
Web Filtering Override | Select this option to allow all users authenticated by the RADIUS server to override Web Filtering. This option only appears if the Web Filtering service is defined.
Chapter 11
Maintenance
This chapter describes the tasks required for maintenance and diagnosis of
your Safe@Office appliance.
This chapter includes the following topics:
• Viewing Firmware Status
• Updating the Firmware
• Upgrading Your Software Product
• Registering Your Safe@Office Appliance
• Configuring Syslog Logging
• Configuring HTTPS
• Setting the Time on the Appliance
• Controlling the Appliance via the Command Line
• Using Diagnostic Tools
• Backing Up the Safe@Office Appliance Configuration
• Resetting the Safe@Office Appliance to Defaults
• Running Diagnostics
• Rebooting the Safe@Office Appliance
Viewing Firmware Status
The firmware is the software program embedded in the Safe@Office
appliance.
You can view your current firmware version and additional details.
To view the firmware status
• Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
The Firmware page displays the following information:
Table 27: Firmware Status Fields
This field… | Displays… | For example…
Firmware Version | The current version of the firmware | 4.0
Hardware Type | The type of the current Safe@Office appliance hardware | 200 series
Hardware Version | The current hardware version of the Safe@Office appliance | 1.0
Installed Product | The licensed software and the number of allowed nodes | Safe@Office 225 unlimited nodes
Uptime | The time that elapsed from the moment the unit was turned on | 01:21:15
Updating the Firmware
If you are subscribed to Software Updates, firmware updates are performed
automatically. These updates include new product features and protection
against new security threats. Check with your reseller for the availability of
Software Updates and other services. For information on subscribing to
services, see Starting Your Subscription Services on page 123.
If you are not subscribed to the Software Updates service, you must update
your firmware manually.
To update your Safe@Office appliance firmware manually
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Firmware Update.
The Firmware Update page appears.
3. Click Browse.
A browse window appears.
4. Select the image file and click Open.
The Firmware Update page reappears. The path to the firmware update
image file appears in the Browse text box.
5. Click Upload.
Your Safe@Office appliance firmware is updated. This takes about one
minute. At the end of the process the Safe@Office appliance restarts
automatically.
Upgrading Your Software Product
Upgrading your Safe@Office appliance is a very simple process. After
purchasing an upgrade, you will receive a new Product Key that will enable
you to use the upgraded product on the same Safe@Office appliance you
have today. For example, if you are using Safe@Office 105, you can
purchase an upgrade to Safe@Office 110 and enjoy extended VPN features
on your existing Safe@Office appliance. Likewise, you can upgrade from
Safe@Office 225 to 225U without changing your hardware.
Note: You can only upgrade within the same appliance hardware type.
Note: To purchase an upgrade, contact your Safe@Office appliance
provider.
To upgrade your product, you must install the new Product Key.
To install a Product Key
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Upgrade Product.
The Setup Wizard opens, with the Install Product Key dialog box
displayed.
3. Click Product Key.
4. In the Product Key field, enter the new Product Key.
5. Click Next.
The Installed New Product Key dialog box appears.
6. Click Next.
The first Registration dialog box appears.
7. Do one of the following:
To register your Safe@Office appliance later on, do the
following:
1) Clear the I want to register my product check box.
2) Click Next.
To register your Safe@Office appliance now, click Next.
A second Registration dialog box appears.
Do the following:
1) Enter your contact information in the appropriate fields.
2) To receive email notifications regarding new firmware
versions and services, select the check box.
3) Click Next.
The Registration… screen appears.
The third Registration dialog box appears.
8. Click Finish.
Your Safe@Office appliance is restarted and the Welcome page appears.
Registering Your Safe@Office Appliance
If you want to activate your warranty and optionally receive notifications of
new firmware versions and services, you must register your Safe@Office
appliance.
Privacy Statement: Check Point is committed to protecting your privacy. We
use the information we collect about you to process orders and to improve
our ability to serve your needs. We will under no circumstances sell, lease, or
otherwise disclose any of your personal or contact details without your
explicit permission.
To register your Safe@Office appliance
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Upgrade Product.
The Setup Wizard opens, with the Install Product Key dialog box
displayed.
3. Select Keep these settings.
4. Click Next.
The Product Key Not Modified screen appears.
5. Click Next.
The first Registration dialog box appears.
6. Verify that the I want to register my product check box is selected.
7. Click Next.
A second Registration dialog box appears.
8. Enter your contact information in the appropriate fields.
9. To receive email notifications regarding new firmware versions and
services, select the check box.
10. Click Next.
The Registration… screen appears.
The third Registration dialog box appears.
11. Click Finish.
Your Safe@Office appliance is restarted and the Welcome page appears.
Configuring Syslog Logging
You can configure the Safe@Office appliance to send event logs to a Syslog
server residing in your internal network or on the Internet. The logs detail the
date and the time each event occurred. If the event is a communication
attempt that was rejected by the firewall, the event details include the source
and destination IP address, the destination port, and the protocol used for the
communication attempt (for example, TCP or UDP).
This same information is also available in the Event Log page (see Viewing
the Event Log on page 101). However, the Event Log can only display up to
100 logs, while a Syslog server can store an unlimited number of logs.
Furthermore, Syslog servers can provide useful tools for managing your logs.
Note: Kiwi Syslog Daemon is freeware and can be downloaded from
http://www.kiwisyslog.com. For technical support, contact Kiwi
Enterprises.
To configure Syslog logging
1. Click Setup in the main menu, and click the Logging tab.
The Logging page appears.
2. Complete the fields using the information in the table below.
3. Click Apply.
Table 28: Logging Page Fields
In this field… | Do this…
Syslog Server | Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service.
Clear | Click to clear the Syslog Server field.
Syslog Port | Type the port number of the Syslog server.
Default | Click to reset the Syslog Port field to the default (port 514 UDP).
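Since the Event Log page displays at most 100 entries, a collector on the internal network is what preserves the history. The Python collector below is an added example, not part of the original guide or of the Kiwi tool it mentions: it listens on the default port 514 UDP, accepts datagrams only from the appliance's address, decodes the syslog priority, and appends each message to a file. The appliance address 192.168.10.1, the output file name and the sample message are assumptions; the guide does not show the appliance's message layout, so the message body is stored verbatim.

```python
import json
import re
import socket
from datetime import datetime, timezone

PRI_RE = re.compile(rb"^<(\d{1,3})>")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_DATAGRAM = 2048  # bytes read per datagram; anything longer is truncated


def parse_datagram(data, source_ip):
    """Split the syslog <PRI> prefix from a datagram and keep the rest verbatim."""
    match = PRI_RE.match(data)
    if match and int(match.group(1)) <= 191:  # 191 = facility 23, severity 7
        facility, severity = divmod(int(match.group(1)), 8)
        body = data[match.end():]
    else:
        # No valid priority: keep the datagram anyway so it can be reviewed.
        facility, severity, body = None, None, data
    text = body.decode("utf-8", errors="replace").strip()
    # Replace control characters so a crafted message cannot forge extra log lines.
    text = "".join(ch if ch.isprintable() else "?" for ch in text)
    return {
        "received": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": source_ip,
        "facility": facility,
        "severity": SEVERITIES[severity] if severity is not None else "unknown",
        "message": text,
    }


def collect(sock, allowed_sources, max_messages, timeout=1.0):
    """Read up to max_messages datagrams, ignoring senders not in allowed_sources."""
    sock.settimeout(timeout)
    records = []
    while len(records) < max_messages:
        try:
            data, (ip, _port) = sock.recvfrom(MAX_DATAGRAM)
        except socket.timeout:
            break
        if ip not in allowed_sources:
            continue  # UDP syslog is unauthenticated; accept only the appliance
        records.append(parse_datagram(data, ip))
    return records


def append_records(path, records):
    """Append records as JSON lines so the file can grow without rewriting."""
    with open(path, "a", encoding="utf-8") as handle:
        for record in records:
            handle.write(json.dumps(record) + "\n")


if __name__ == "__main__":
    APPLIANCE = "192.168.10.1"  # assumed LAN address of the appliance
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("0.0.0.0", 514))  # default Syslog Port; binding needs privileges
    while True:
        append_records("safeoffice-events.jsonl",
                       collect(listener, {APPLIANCE}, 100, timeout=5.0))
```

Enter the collector host's IP address in the Syslog Server field and leave Syslog Port at its default for this listener to receive the events.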
Configuring HTTPS
You can enable Safe@Office appliance users to access the Safe@Office
Portal from the Internet. To do so, you must first configure HTTPS.
To configure HTTPS
1. Click Setup in the main menu, and click the Management tab.
The Management page appears.
2. Specify from where HTTPS access to the Safe@Office Portal should be
granted. See the table below for information.
Warning: If remote HTTPS is enabled, your Safe@Office appliance
settings can be changed remotely, so make sure all Safe@Office
appliance users’ passwords are unguessable.
If you selected IP Address Range, additional fields appear.
3. If you selected IP Address Range, enter the desired IP address range in the
fields provided.
4. Click Apply.
The HTTPS configuration is saved. You can now access the Safe@Office
Portal through the Internet, using the procedure Accessing the
Safe@Office Portal Remotely on page 40.
Table 29: HTTPS Access Options
Select this option… | To allow HTTPS access from…
Internal Network | The internal network only. This disables remote HTTPS capability. Note: You can use HTTPS to access the Safe@Office Portal from your internal network, by surfing to https://my.firewall.
Internal Network and VPN | The internal network and your VPN.
IP Address Range | A particular range of IP addresses. Additional fields appear, in which you can enter the desired IP address range.
ANY | Any IP address.
Setting the Time on the Appliance
You set the time displayed in the Safe@Office 225 Portal during initial
appliance setup. If desired, you can change the date and time displayed in the
Safe@Office 225 Portal using the procedure below.
Note: The Safe@Office 100 series takes the time from your local
computer and you do not have to manually set the time.
To set the time
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
If you are using Safe@Office 225, the page appears as follows:
2. Click Set Time.
The Safe@Office Set Time Wizard opens displaying the Set the
Safe@Office time dialog box.
3. Complete the fields using the information in the table below.
4. Click Next.
The following things happen in the order below:
If you selected Specify date and time, the Specify Date and Time
dialog box appears.
Do the following:
1) Set the date, time, and time zone in the fields provided.
2) Click Next.
The Date and Time Updated window appears.
5. Click Finish.
Table 30: Set Time Wizard Fields
Select this option… | To do this…
Your computer’s clock | Set the appliance time to your computer’s system time. Your computer’s system time is displayed to the right of this option.
Keep the current time | Do not change the appliance’s time. The current appliance time is displayed to the right of this option.
Specify date and time | Set the appliance to a specific date and time.
Controlling the Appliance via the Command Line
The Safe@Office Portal enables you to control your appliance via the
command line interface.
To control the appliance via the command line
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Command.
The Command Line page appears.
3. In the upper text box type a command.
You can view a list of supported commands using the command help.
4. Click Go.
The command is implemented.
Using Diagnostic Tools
The Safe@Office appliance is equipped with a set of diagnostic tools that are
useful for troubleshooting Internet connectivity.
Table 31: Diagnostic Tools
Use this tool… | To do this…
Ping | Check that a specific IP address or DNS name can be reached via the Internet.
Traceroute | Display a list of all routers used to connect from the Safe@Office appliance to a specific IP address or DNS name.
WHOIS | Display the name and contact information of the entity to whom a specific IP address or DNS name is registered. This information is useful in tracking down hackers.
To use a diagnostic tool
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. In the Tools drop-down list, select the desired tool.
3. In the Address field, type the IP address or DNS name for which to run
the tool.
4. Click Go.
If you selected Ping, the following things happen:
The Safe@Office appliance sends packets to the specified IP
address or DNS name.
The IP Tools window opens and displays the percentage of packet loss
and the amount of time each packet took to reach the specified host
and return (round-trip) in milliseconds.
If you selected Traceroute, the following things happen:
The Safe@Office appliance connects to the specified IP address or
DNS name.
The IP Tools window opens and displays a list of routers used to make
the connection.
If you selected WHOIS, the following things happen:
The Safe@Office appliance queries the Internet WHOIS server.
A window displays the name of the entity to whom the IP address or
DNS name is registered and their contact information.
Backing Up the Safe@Office Appliance Configuration
You can export the Safe@Office appliance configuration to a *.cfg file, and
use this file to back up and restore Safe@Office appliance settings, as needed.
The configuration file includes all your settings.
Exporting the Safe@Office Appliance Configuration
Exporting the Safe@Office appliance configuration creates a configuration
file.
To export the Safe@Office appliance configuration
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Export.
A standard File Download dialog box appears.
3. Click Save.
The Save As dialog box appears.
4. Browse to a destination directory of your choice.
5. Type a name for the configuration file and click Save.
The *.cfg configuration file is created and saved to the specified
directory.
Importing the Safe@Office Appliance Configuration
In order to restore your Safe@Office appliance’s configuration from a
configuration file, you must import the file.
To import the Safe@Office appliance configuration
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Import.
The Import Settings page appears.
3. Do one of the following:
In the Import Settings field, type the full path to the configuration
file.
Or
Click Browse, and browse to the configuration file.
4. Click Upload.
A confirmation message appears.
5. Click OK.
The Safe@Office appliance settings are imported.
A success message appears.
6. Click OK.
The Tools page reappears.
Resetting the Safe@Office Appliance to Defaults
You can reset the Safe@Office appliance to its default settings. When you
reset your Safe@Office appliance, it reverts to the state it was originally in
when you purchased it, and your firmware reverts to the version that shipped
with the Safe@Office appliance.
Warning: This operation erases all your settings and password information.
You will have to set a new password and reconfigure your Safe@Office
appliance for Internet connection. For information on performing these
tasks, see Setting Up the Safe@Office Appliance.
You can reset the Safe@Office appliance to defaults via the Web
management interface (software) or by manually pressing the Reset button
(hardware) located at the back of the Safe@Office appliance.
To reset the Safe@Office appliance to factory defaults via the Web
interface
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Factory Settings.
A confirmation message appears.
3. Click OK.
The Please Wait screen appears.
The Safe@Office appliance returns to its factory defaults.
The Safe@Office appliance is restarted (the PWR/SEC LED
flashes quickly).
This may take up to a minute.
The Login page appears.
To reset the Safe@Office appliance to factory defaults using the
Reset button
1. Make sure the Safe@Office appliance is powered on.
2. Using a pointed object, press the RESET button on the back of the
Safe@Office appliance steadily for seven seconds and then release it.
3. Allow the Safe@Office appliance to boot up until the system is ready
(PWR/SEC LED flashes slowly or illuminates steadily in green light).
For information on the appliance's front and rear panels, see Getting to
Know Your Safe@Office 100 Series on page 10 or Getting to Know Your
Safe@Office 200 Series on page 13.
Warning: If you choose to reset the Safe@Office appliance by disconnecting
the power cable and then reconnecting it, be sure to leave the Safe@Office
appliance disconnected for at least three seconds, or the Safe@Office
appliance might not function properly until you reboot it as described below.
Running Diagnostics
You can view technical information about your Safe@Office appliance’s
hardware, firmware, license, network status, and Service Center.
This information is useful for troubleshooting. You can copy and paste it into
the body of an email and send it to technical support.
To run diagnostics
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Diagnostics.
Technical information about your Safe@Office appliance appears in a
new window.
3. To refresh the contents of the window, click Refresh.
The contents are refreshed.
4. To close the window, click Close.
Rebooting the Safe@Office Appliance
If your Safe@Office appliance is not functioning properly, rebooting it may
solve the problem.
To reboot the Safe@Office appliance
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Restart.
A confirmation message appears.
3. Click OK.
The Please Wait screen appears.
The Safe@Office appliance is restarted (the PWR/SEC LED
flashes quickly).
This may take up to a minute.
The Login page appears.
Chapter 12
Troubleshooting
This chapter provides solutions to common problems you may encounter
while using the Safe@Office appliance.
This chapter includes the following topics:
Connectivity
Service Center and Upgrades
Other Problems
Connectivity
I cannot access the Internet. What should I do?
• Check if the PWR/SEC LED is green. If not, check the power
connection to the Safe@Office appliance.
• Check if the WAN LINK/ACT LED is green. If not, check the
network cable to the modem and make sure the modem is turned
on.
• Check if the LAN LINK/ACT LED for the port used by your
computer is green. If not, check if the network cable linking your
computer to the Safe@Office appliance is connected properly. Try
replacing the cable or connecting it to a different LAN port.
• Using your web browser, go to http://my.firewall and see whether
"Connected" appears on the Status Bar. Make sure that your
Safe@Office appliance network settings are configured as per your
ISP directions.
• Check your TCP/IP configuration according to Installing and
Setting up the Safe@Office Appliance on page 19.
• If Web Filtering or Email Anti Virus scanning are on, try turning
them off.
• Check if you have defined firewall rules which block your Internet
connectivity.
• Check with your ISP for possible service outage.
• Check whether you are exceeding the maximum number of
computers allowed by your license, by following the procedure
Viewing Computers on page 104.
I cannot access my DSL broadband connection. What should I do?
DSL equipment comes in two flavors: bridges (commonly known as DSL
modems) and routers. Some DSL equipment can be configured to work both
ways.
• If you connect to your ISP using a PPPoE or PPTP dialer defined in
your operating system, your equipment is most likely configured as
a DSL bridge. Configure a PPPoE or PPTP type DSL connection.
• If you were not instructed to configure a dialer in your operating
system, your equipment is most likely configured as a DSL router.
Configure a LAN connection, even if you are using a DSL
connection.
For instructions, see Configuring the Internet Connection on page 49.
I cannot access my Cable broadband connection. What should I do?
• Some cable ISPs require you to register the MAC address of the
device behind the cable modem. You may need to clone your
Ethernet adapter MAC address onto the Safe@Office appliance.
For instructions, see Configuring the Internet Connection on page
49.
• Some cable ISPs require using a hostname for the connection. Try
reconfiguring your Internet connection and specifying a hostname.
For further information, see Configuring the Internet Connection
on page 49.
I cannot access http://my.firewall or http://my.vpn. What should I do?
• Verify that the Safe@Office appliance is operating (PWR/SEC
LED is active).
• Check if the LAN LINK/ACT LED for the port used by your
computer is on. If not, check if the network cable linking your
computer to the Safe@Office appliance is connected properly.
Note: You may need to use a crossed cable when connecting the
Safe@Office appliance to another hub/switch.
• Try surfing to 192.168.10.1 instead of to my.firewall.
Note: 192.168.10 is the default value, and it may vary if you changed it
in the My Network page.
• Check your TCP/IP configuration according to Installing and
Setting up the Safe@Office Appliance on page 19.
• Restart your Safe@Office appliance and your broadband modem by
disconnecting the power and reconnecting after 5 seconds.
• If your web browser is configured to use an HTTP proxy to access
the Internet, add "my.firewall" or "my.vpn" to your proxy exceptions
list.
My network seems extremely slow. What should I do?
• The Ethernet cables may be faulty. For proper operation, the
Safe@Office appliance requires STP CAT5 (Shielded Twisted Pair
Category 5) Ethernet cables. Make sure that this specification is
printed on your cables.
• Your Ethernet card may be faulty or incorrectly configured. Try
replacing your Ethernet card.
• There may be an IP address conflict in your network. Check that the
TCP/IP settings of all your computers are configured to obtain an
IP address automatically.
I changed the network settings to incorrect values and am unable to
correct my error. What should I do?
Reset the network to its default settings using the button on the back of the
Safe@Office appliance unit. See Resetting the Safe@Office Appliance to
Defaults on page 222.
I am using the Safe@Office appliance behind another NAT device, and I
am having problems with some applications. What should I do?
By default, the Safe@Office appliance performs Network Address
Translation (NAT). It is possible to use the Safe@Office appliance behind
another device that performs NAT, such as a DSL router or Wireless router,
but the device will block all incoming connections from reaching your
Safe@Office appliance.
To fix this problem, do ONE of the following. (The solutions are listed in
order of preference.)
• Consider whether you really need the router. The Safe@Office
appliance can be used as a replacement for your router, unless you
need it for some additional functionality that it provides, such as
Wireless access.
• If possible, disable NAT in the router. Refer to the router’s
documentation for instructions on how to do this.
• If the router has a “DMZ Computer” or “Exposed Host” option, set
it to the Safe@Office appliance’s external IP address.
• Open the following ports in the NAT device:
UDP 9281/9282
UDP 500
TCP 256
TCP 264
ESP IP protocol 50
TCP 981
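The port list above can be checked against the upstream router's forwarding table. The following is an added example, not part of the original guide: it reports services from the list that are not forwarded to the appliance, and forwarded ports that go beyond the list. The `Forward` record, the address 192.168.1.2 and the sample table are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Inbound services the guide lists for an appliance behind another NAT device.
# ESP is IP protocol 50 and carries no port numbers, so its range is None.
REQUIRED = [
    ("udp", 9281, 9282),
    ("udp", 500, 500),
    ("tcp", 256, 256),
    ("tcp", 264, 264),
    ("esp", None, None),
    ("tcp", 981, 981),
]


@dataclass(frozen=True)
class Forward:
    """One forwarding entry on the upstream NAT device (hypothetical record)."""
    proto: str             # "tcp", "udp" or "esp"
    first: Optional[int]   # first forwarded port, None for port-less protocols
    last: Optional[int]    # last forwarded port, None for port-less protocols
    target: str            # address the traffic is forwarded to


def _label(proto, first, last):
    """Human-readable name for a service or forwarding entry."""
    if proto == "esp":
        return "esp (IP protocol 50)"
    return f"{proto} {first}" if first == last else f"{proto} {first}-{last}"


def _covers(rule, proto, first, last):
    """True if the forwarding entry passes the whole required service."""
    if rule.proto != proto:
        return False
    if proto == "esp":
        return True
    return rule.first <= first and last <= rule.last


def audit(rules, appliance_ip):
    """Return (missing, excess) for the entries that target the appliance."""
    mine = [r for r in rules if r.target == appliance_ip]
    missing = [_label(*req) for req in REQUIRED
               if not any(_covers(r, *req) for r in mine)]

    excess = []
    for r in mine:
        if r.proto == "esp":
            continue
        if r.proto not in ("tcp", "udp"):
            excess.append(f"{r.proto}: protocol not in the guide's list")
            continue
        allowed = set()
        for proto, first, last in REQUIRED:
            if proto == r.proto:
                allowed.update(range(first, last + 1))
        extra = [p for p in range(r.first, r.last + 1) if p not in allowed]
        if extra:
            excess.append(f"{_label(r.proto, r.first, r.last)}: "
                          f"{len(extra)} port(s) not in the guide's list")
    return missing, excess


# Constructed sample: the appliance's external address on the router's LAN,
# and a forwarding table with two gaps and one over-wide range.
APPLIANCE = "192.168.1.2"
SAMPLE_TABLE = [
    Forward("udp", 9281, 9282, APPLIANCE),
    Forward("udp", 500, 500, APPLIANCE),
    Forward("tcp", 256, 264, APPLIANCE),         # covers 256 and 264, plus 257-263
    Forward("tcp", 3389, 3389, "192.168.1.50"),  # another host, ignored by the audit
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_TABLE, APPLIANCE)
    for item in missing:
        print("missing:", item)
    for item in excess:
        print("excess: ", item)
```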
I cannot receive audio or video calls through the Safe@Office appliance.
What should I do?
To enable audio/video, you must configure an IP Telephony (H.323) virtual
server. For instructions, see Configuring Servers.
I run a public Web server at home but it cannot be accessed from the
Internet. What should I do?
Configure a virtual Web Server. For instructions, see Configuring Servers.
I cannot connect to the LAN network from the DMZ network. What should I
do?
By default, connections from the DMZ network to the LAN network are
blocked. To allow traffic from the DMZ to the LAN, configure appropriate
firewall rules. For instructions, see Creating Rules on page 112.
Service Center and Upgrades
I purchased Safe@Office 110, but I only have Safe@Office 105
functionality. What should I do?
You have not installed your product key. For further information, see
Upgrading Your Software Product on page 197.
I have exceeded my node limit. What does this mean? What should I do?
Your Product Key specifies a maximum number of nodes that you may
connect to the Safe@Office appliance.
The Safe@Office appliance tracks the cumulative number of nodes on the
internal network that have communicated through the firewall. When the
Safe@Office appliance encounters an IP address that exceeds the licensed
node limit, the Active Computers page displays a warning message and
marks nodes over the node limit in red. These nodes will not be able to access
the Internet through the Safe@Office appliance, but will be protected. The
Event Log page also warns you that you have exceeded the node limit.
To upgrade your Safe@Office appliance to support more nodes, purchase a
new Product Key. Contact your reseller for upgrade information.
While trying to connect to a Service Center, I received the message “The
Service Center did not respond”. What should I do?
• If you are using a Service Center other than the Check Point Service
Center, check that the Service Center IP address is typed correctly.
• The Safe@Office appliance connects to the Service Center using
UDP ports 9281/9282. If the Safe@Office appliance is installed
behind another firewall, make sure that these ports are open.
Other Problems
I have forgotten my password. What should I do?
Reset your Safe@Office appliance to factory defaults using the Reset button
as detailed in Resetting the Safe@Office Appliance to Defaults on page 222.
Why are the date and time displayed incorrectly?
In the Safe@Office 100 series, when a computer on the LAN connects to the
Safe@Office Portal, the Safe@Office appliance adjusts its date and time to
match that of the computer. If the date and time displayed in the Safe@Office
Portal are incorrect, it probably means that the date and time on the computer
connected to the Safe@Office Portal are incorrect.
In the Safe@Office 200 series, you can adjust the time on the Setup page's
Tools tab. For information, see Setting the Time on the Appliance on
page 209.
I cannot use a certain network application. What should I do?
Look at the Event Log page. If it lists blocked attacks, do the following:
• Turn the Safe@Office appliance security to Low and try again.
• If the application still does not work, set the computer on which you
want to use the application to be the exposed host.
For instructions, see Defining an Exposed Host on page 121.
When you have finished using the application, make sure to clear the exposed
host setting, otherwise your security might be compromised.
Chapter 13
Specifications
This chapter includes the following topics:
Technical Specifications
CE Declaration of Conformity
Federal Communications Commission Radio Frequency Interference Statement
Technical Specifications
Table 32: Safe@Office Appliance Attributes
Attribute | Details
General
Dimensions (width x height x depth) | 20.32 x 3.05 x 12.19 cm (8.0 x 1.2 x 4.8 inches)
Weight | 0.7 kg (1.56 lbs)
Supply voltage | 110VAC (90 to 132 VAC); 100VAC; 230VAC (200 to 265 VAC)
Line voltage frequency, AC | 50/60 Hz (47 to 63 Hz)
Max. Power Consumption | 13.5W (100 series) / 7.5W (200 series)
Retail box dimensions (width x height x depth) | 31 x 10 x 16 cm (12.4 x 4 x 6.4 inches)
Retail box weight | 1.3 kg (2.9 lbs)
Environmental Conditions
Temperature: Storage/Transport | -20°C to +70°C
Temperature: Operation | +5°C to +45°C
Humidity: Storage/Operation | 5% to 90% at 25°C (no condensation)
Applicable Standards
Shock & Vibration | ETSI 300 019-2-3 CLASS 3.1 & Bellcore GR 63 (NEBS)
Safety | EN60950/IEC 60950
Quality | ISO9001
CE Declaration of Conformity
SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, hereby declares that
this equipment is in conformity with the essential requirements specified in Article 3.1
(a) and 3.1 (b) of:
• Directive 89/336/EEC (EMC Directive)
• Directive 73/23/EEC (Low Voltage Directive – LVD)
• Directive 99/05/EEC (Radio Equipment and Telecommunications
Terminal Equipment Directive)
In accordance with the following standards:
EN 50081-1:1992, EN 50082-1:1997, EN 61000-6-1:2001, EN 61000-6-3:2001,
EN 55022:1998, EN 55024:1998, EN 61000-3-2:1995, EN 61000-3-3:1995,
EN 61000-4-2:1995, EN 61000-4-3:1996/A2:2001, EN 61000-4-4:1995,
EN 61000-4-5:1995, EN 61000-4-6:1996, EN 61000-4-7:1993, EN 61000-4-8:1993,
EN 61000-4-9:1993, EN 61000-4-10:1993, EN 61000-4-11:1994,
EN 61000-4-12:1995, EN 60950:1992.
The "CE" mark is affixed to this product to demonstrate conformance to the
R&TTE Directive 99/05/EEC (Radio Equipment and Telecommunications
Terminal Equipment Directive) and FCC Part 15 Class B.
The product has been tested in a typical configuration. For a copy of the
Original Signed Declaration (in full conformance with EN45014), please
contact SofaWare at the above address.
Federal Communications Commission Radio Frequency Interference Statement
This equipment complies with the limits for a Class B digital device, pursuant
to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference when the equipment is operated in a
commercial environment. This equipment generates, uses, and can radiate
radio frequency energy and, if not installed and used in accordance with the
instruction manual, may cause harmful interference to radio communications.
Shielded cables must be used with this equipment to maintain compliance
with FCC regulations.
Changes or modifications not expressly approved by the manufacturer could
void the user’s authority to operate the equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to
the following two conditions: (1) this device may not cause harmful
interference, and (2) this device must accept any interference received,
including interference that may cause undesired operation.
This Class B digital apparatus complies with Canadian ICES-003.
Glossary of Terms
ADSL Modem
A device connecting a computer to the Internet via an existing phone line.
ADSL (Asymmetric Digital Subscriber Line) modems offer a high-speed
'always-on' connection.
Cable Modem
A device connecting a computer to the Internet via the cable television
network. Cable modems offer a high-speed 'always-on' connection.
Certificate Authority
The Certificate Authority (CA) issues certificates to entities such as
gateways, users, or computers. The entity later uses the certificate to
identify itself and provide verifiable information. For instance, the
certificate includes the Distinguishing Name (DN) (identifying information)
of the entity, as well as the public key (information about itself), and
possibly the IP address.
After two entities exchange and validate each other's certificates, they can
begin encrypting information between themselves using the public keys in the
certificates.
Cracking
An activity in which someone breaks into someone else's computer system,
bypasses passwords or licenses in computer programs; or in other ways
intentionally breaches computer security. The end result is that whatever
resides on the computer can be viewed and sensitive data can be stolen
without anyone knowing about it. Sometimes, tiny programs are 'planted' on
the computer that are designed to watch out for, seize and then transmit to
another computer, specific types of data.
DHCP
Any machine requires a unique IP address to connect to the Internet using
Internet Protocol. Dynamic Host Configuration Protocol (DHCP) is a
communications protocol that assigns Internet Protocol (IP) addresses to
computers on the network.
DHCP uses the concept of a "lease" or amount of time that a given IP address
will be valid for a computer.
DMZ
A DMZ (demilitarized zone) is an internal network defined in addition to the
LAN network and protected by the Appliance.
Domain Name System
The Domain Name System (DNS) refers to the Internet domain names, or
easy-to-remember "handles", that are translated into IP addresses.
An example of a Domain Name is 'www.sofaware.com'.
Exposed Host
An exposed host allows one computer to be exposed to the Internet. An example
of using an exposed host would be exposing a public server, while preventing
outside users from getting direct access from this server back to the private
network.
Firmware
Software embedded in a device.
Gateway
A network point that acts as an entrance to another network.
Hacking
An activity in which someone breaks into someone else's computer system,
bypasses passwords or licenses in computer programs; or in other ways
intentionally breaches computer security. The end result is that whatever
resides on the computer can be viewed and sensitive data can be stolen
without anyone knowing about it. Sometimes, tiny programs are 'planted' on
the computer that are designed to watch out for, seize and then transmit to
another computer, specific types of data.
HTTPS
Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL.
A protocol for accessing a secure Web server. It uses SSL as a sublayer under
the regular HTTP application. This directs messages to a secure port number
rather than the default Web port number, and uses a public key to encrypt
data.
HTTPS is used to transfer confidential user information.
Hub
A device with multiple ports, connecting several PCs or network devices on a
network.
IP Address
An IP address is a 32-bit number that identifies each computer sending or
receiving data packets across the Internet. When you request an HTML page or
send e-mail, the Internet Protocol part of TCP/IP includes your IP address in
the message and sends it to the IP address that is obtained by looking up the
domain name in the Uniform Resource Locator you requested or in the e-mail
address you're sending a note to. At the other end, the recipient can see the
IP address of the Web page requestor or the e-mail sender and can respond by
sending another message using the IP address it received.
IP Spoofing
A technique where an attacker attempts to gain unauthorized access through a
false source address to make it appear as though communications have
originated in a part of the network with higher access privileges. For
example, a packet originating on the Internet may be masquerading as a local
packet with the source IP address of an internal host. The firewall can
protect against IP spoofing attacks by limiting network access based on the
gateway interface from which data is being received.
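The interface-based check described in the IP Spoofing entry, as an added example that is not part of the original guide: each packet's source address is compared with the networks that can legitimately appear on the interface it arrived on. The /24 mask on the default 192.168.10 LAN prefix, the DMZ range, the interface names and the sample packets are assumptions made for the illustration.

```python
import ipaddress

# Networks that legitimately sit behind each internal interface.
# Assumed: the guide gives 192.168.10 as the default LAN prefix; the /24 mask
# and the DMZ range are constructed for this example.
INTERNAL = {
    "lan": ipaddress.ip_network("192.168.10.0/24"),
    "dmz": ipaddress.ip_network("192.168.253.0/24"),
}
EXTERNAL_IFACE = "wan"


def check_source(iface, src):
    """Return (accepted, reason) for a packet seen on iface with source src."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False, "malformed source address"

    if iface == EXTERNAL_IFACE:
        # A packet arriving from the Internet must not claim an internal source.
        for name, net in INTERNAL.items():
            if addr in net:
                return False, f"source belongs to {name} but arrived on {iface}"
        return True, "external source on external interface"

    net = INTERNAL.get(iface)
    if net is None:
        return False, f"unknown interface {iface}"
    if addr in net:
        return True, f"source matches {iface} network"
    return False, f"source is outside the {iface} network"


def rejected(packets):
    """Return (iface, src, reason) for every packet that fails the check."""
    out = []
    for iface, src in packets:
        ok, reason = check_source(iface, src)
        if not ok:
            out.append((iface, src, reason))
    return out


# Constructed sample packets: (receiving interface, claimed source address).
# 203.0.113.0/24 is a documentation range standing in for an Internet host.
SAMPLE_PACKETS = [
    ("lan", "192.168.10.21"),   # internal host on its own interface
    ("wan", "203.0.113.7"),     # Internet host on the external interface
    ("wan", "192.168.10.21"),   # Internet packet claiming a LAN source
    ("lan", "203.0.113.7"),     # LAN packet claiming an outside source
    ("dmz", "192.168.10.21"),   # DMZ packet claiming a LAN source
]

if __name__ == "__main__":
    for iface, src, reason in rejected(SAMPLE_PACKETS):
        print(f"drop {src} on {iface}: {reason}")
```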
IPSEC
IPSEC is the leading Virtual Private Networking (VPN) standard. IPSEC enables
individuals or offices to establish secure communication channels ('tunnels')
over the Internet.
ISP
An ISP (Internet service provider) is a company that provides access to the
Internet and other related services.
LAN
A local area network (LAN) is a group of computers and associated devices
that share a common communications line and typically share the resources of
a single server within a small geographic area.
MAC Address
The MAC (Media Access Control) address is a computer's unique hardware
number. When connected to the Internet from your computer, a mapping relates
your IP address to your computer's physical (MAC) address on the LAN.
Mbps
Megabits per second. Measurement unit for the rate of data transmission.
MTU
The Maximum Transmission Unit (MTU) is a parameter that determines the
largest datagram that can be transmitted by an IP interface (without it
needing to be broken down into smaller units). The MTU should be larger than
the largest datagram you wish to transmit unfragmented. Note: This only
prevents fragmentation locally. Some other link in the path may have a
smaller MTU - the datagram will be fragmented at that point. Typical values
are 1500 bytes for an Ethernet interface or 1452 for a PPP interface.
NAT
Network Address Translation (NAT) is the translation or mapping of an IP
address to a different IP address. NAT can be used to map several internal IP
addresses to a single IP address, thereby sharing a single IP address
assigned by the ISP among several PCs.
Check Point FireWall-1's Stateful Inspection Network Address Translation
(NAT) implementation supports hundreds of pre-defined applications, services,
and protocols, more than any other firewall vendor.
NetBIOS
NetBIOS is the networking protocol used by DOS and Windows machines.
Packet
A packet is the basic unit of data that flows from one source on the Internet
to another destination on the Internet. When any file (e-mail message, HTML
file, GIF file etc.) is sent from one place to another on the Internet, the
file is divided into "chunks" of an efficient size for routing. Each of these
packets is separately numbered and includes the Internet address of the
destination. The individual packets for a given file may travel different
routes through the Internet. When they have all arrived, they are reassembled
into the original file at the receiving end.
PPPoE
PPPoE (Point-to-Point Protocol over Ethernet) enables connecting multiple
computer users on an Ethernet local area network to a remote site or ISP,
through common customer premises equipment (e.g. modem).
PPTP
The Point-to-Point Tunneling Protocol (PPTP) allows extending a local network
by establishing private “tunnels” over the Internet. This protocol is also
used by some DSL providers as an alternative for PPPoE.
RJ-45
The RJ-45 is a connector for digital transmission over ordinary phone wire.
Router
A router is a device that determines the next network point to which a packet
should be forwarded toward its destination. The router is connected to at
least two networks.
Server
A server is a program (or host) that awaits and fulfills requests from client
programs across the network. For example, a Web server is the computer
program, running on a specific host, that serves requested HTML pages or
files. Your browser is the client program, in this case.
Stateful Inspection
Stateful Inspection was invented by Check Point to provide the highest level
of security by examining every layer within a packet, unlike other systems of
inspection. Stateful Inspection extracts information required for security
decisions from all application layers and retains this information in dynamic
state tables for evaluating subsequent connection attempts. In other words,
it learns!
Subnet Mask
A 32-bit identifier indicating how the network is split into subnets. The
subnet mask indicates which part of the IP address is the host ID and which
indicates the subnet.
TCP
TCP (Transmission Control Protocol) is a set of rules (protocol) used along
with the Internet Protocol (IP) to send data in the form of message units
between computers over the Internet. While IP takes care of handling the
actual delivery of the data, TCP takes care of keeping track of the
individual units of data (called packets) that a message is divided into for
efficient routing through the Internet.
For example, when an HTML file is sent to you from a Web server, the
Transmission Control Protocol (TCP) program layer in that server divides the
file into one or more packets, numbers the packets, and then forwards them
individually to the IP program layer. Although each packet has the same
destination IP address, it may get routed differently through the network.
At the other end (the client program in your computer), TCP reassembles the
individual packets and waits until they have arrived to forward them to you
as a single file.
TCP/IP
TCP/IP (Transmission Control Protocol/Internet Protocol) is the underlying
communication protocol of the Internet.
UDP
UDP (User Datagram Protocol) is a communications protocol that offers a
limited amount of service when messages are exchanged between computers in a
network that uses the Internet Protocol (IP). UDP is an alternative to the
Transmission Control Protocol (TCP) and, together with IP, is sometimes
referred to as UDP/IP. Like the Transmission Control Protocol, UDP uses the
Internet Protocol to actually get a data unit (called a datagram) from one
computer to another. Unlike TCP, however, UDP does not provide the service of
dividing a message into packets (datagrams) and reassembling it at the other
end.
UDP is often used for applications such as streaming data.
URL
A URL (Uniform Resource Locator) is the address of a file (resource)
accessible on the Internet. The type of resource depends on the Internet
application protocol. On the Web (which uses the Hypertext Transfer
Protocol), an example of a URL is 'http://www.sofaware.com'.
VPN
A virtual private network (VPN) is a private data network that makes use of
the public telecommunication infrastructure, maintaining privacy through the
use of a tunneling protocol and security procedures.
VPN tunnel
A secure connection between a VPN client and a VPN server.
Index
account, configuring • 131
active computers, viewing • 104
active connections, viewing • 106
Allow and Forward rules, explained • 113
Allow rules, explained • 113
Automatic Login • 168
Block rules, explained • 113
cable type • 31
certificate
explained • 172
installing • 172
uninstalling • 175
CLI
controlling the appliance via • 213
command line
controlling the appliance via • 213
DHCP Server
enabling/disabling • 79
explained • 79
diagnostic tools
Ping • 214
Traceroute • 214
using • 214
WHOIS • 214
diagnostics • 224
DMZ
configuring • 84
explained • 84
Email Antivirus
enabling/disabling • 136
selecting protocols for • 137
snoozing • 137
temporarily disabling • 137
event log, viewing • 101
initial login • 35
installation
exposed host
defining a computer as • 121
explained • 121
cable type • 31
network • 31
Internet connection
configuring • 49
configuring backup • 76
firewall
enabling/disabling • 75
levels • 107
establishing quick • 75
setting security level • 107
terminating • 76
troubleshooting • 227
firmware
explained • 193
updating manually • 195
viewing status • 193
front panel • 12, 15
viewing information • 73
Internet Setup • 59
MAC address
cloning • 72
Hide NAT
enabling/disabling • 83
explained • 83
HTTPS • 40
explained • 72
Manual Login • 168
network
configuring • 206
changing internal range of • 82
configuring • 79
registering • 202
configuring a DMZ • 84
reports
enabling DHCP Server on • 79
active computers • 104
enabling Hide NAT • 83
event log • 101
managing • 79
node limit • 104
using Static NAT • 91
viewing • 101
node limit, viewing • 104
active connections • 106
rules
adding and editing • 113
package contents • 9
creating • 112
password
deleting • 121
changing • 181
setting up • 35
Ping • 214
PPPoE tunnels, creating • 146
Product Key • 197
RADIUS
types • 113
Safe@Office 100 appliance
front panel • 12
rear panel • 10
Safe@Office 105 • 2
Safe@Office 110 • 2
Safe@Office 200 appliance
explained • 189
front panel • 15
using • 189
rear panel • 13
rear panel • 10, 13
Safe@Office 225 • 3
rebooting • 225
Safe@Office 225U • 3
logging on • 38
Safe@Office appliance
about • 1
remotely accessing • 40
backing up • 218
using • 41
changing internal IP address of • 82
security
configuring servers • 110
configuring Internet connection • 49
creating rules • 112
defining a computer as an exposed host • 121
exporting configuration • 219
features • 3
importing configuration • 220
installing • 19, 31
firewall • 107
security policy • 107
servers, configuring • 110
Service Center
maintenance • 193
connecting to • 123
package contents • 9
disconnecting from • 132
rebooting • 225
refreshing a connection to • 131
registering • 202
resetting to factory defaults • 222
services
Email Antivirus • 136
software updates • 139, 195
technical specifications • 233
Web Filtering • 133
Safe@Office Portal
elements • 41
Setup Wizard • 50
initial login • 35
Site to Site VPN gateways • 146
logging off • 172
software updates • 195
checking for manually • 139
explained • 139
Static NAT
adding and editing mappings • 92
explained • 91
using • 91
viewing and deleting mappings • 96
static routes
adding • 97
deleting • 100
TCP/IP
setting up for MAC OS • 31
setting up for Windows 95/98 • 25
setting up for Windows XP/2000 • 20
technical support • 17
time, setting • 209
Traceroute • 214
troubleshooting • 227
users
explained • 96
adding • 184
using • 96
deleting • 187
viewing and editing • 99
managing • 181
subscription services
explained • 123
setting up remote VPN access for • 188
starting • 123
viewing and editing • 185
viewing information • 130
Syslog logging
configuring • 204
explained • 204
VPN clients, explained • 143
VPN gateways
explained • 143
temporarily disabling • 134
installing a certificate • 172
PPPoE tunnels • 146
WHOIS • 214
Site to Site • 146
VPN sites
deleting • 166
enabling/disabling • 167
logging off • 172
logging on • 168
Remote Access • 146
VPN tunnels
creation and closing of • 176
establishing • 168
viewing • 176
VPN tunnels, explained • 143
VPN, explained • 143
Web Filtering
enabling/disabling • 133
selecting categories for • 134
snoozing • 134

Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.3
Linearized                      : No
Create Date                     : 2003:10:23 06:12:35Z
Modify Date                     : 2003:12:11 16:28:08+08:00
Page Count                      : 260
Creation Date                   : 2003:10:23 06:12:35Z
Mod Date                        : 2003:10:23 11:07:55+02:00
Producer                        : Acrobat Distiller 5.0.5 (Windows)
Author                          : Goldies
Metadata Date                   : 2003:10:23 11:07:55+02:00
Creator                         : Goldies
Title                           : Microsoft Word - Check Point Safe@Office Users Guide 1023.doc
FCC ID Filing: P6XSBX-166LHGE-2
