SofaWare Technologies SBX-166LHGE-5 Safe@Office/VPN-1 Edge User Manual Part 2
SofaWare Technologies Ltd. Safe@Office/VPN-1 Edge Users Manual Part 2
Contents
- 1. Users Manual Part 1
- 2. Users Manual Part 2
- 3. Users Manual Part 3
Users Manual Part 2
Configuring High Availability
Chapter 5: Managing Your Network 135
The Step 2: Computer Details dialog box appears. If you chose Single Computer,
the dialog box includes the Perform Static NAT option.
If you chose Network, the dialog box does not include this option.
11. Complete the fields using the information in the tables below.
12. Click Next.
Configuring High Availability
136 Check Point Safe@Office User Guide
The Step 3: Save dialog box appears.
13. Type a name for the network object in the field.
14. Click Finish.
To add or edit a network object via the Active Computers page
1. Click Reports in the main menu, and click the Active Computers tab.
Configuring High Availability
Chapter 5: Managing Your Network 137
The Active Computers page appears.
If a computer has not yet been added as a network object, the Add button
appears next to it. If a computer has already been added as a network object, the
Edit button appears next to it.
2. Do one of the following:
• To add a network object, click Add next to the desired computer.
• To edit a network object, click Edit next to the desired computer.
The Safe@Office Network Object Wizard opens, with the Step 1: Network Object
Type dialog box displayed.
3. Do one of the following:
• To specify that the network object should represent a single computer or
device, click Single Computer.
Configuring High Availability
138 Check Point Safe@Office User Guide
• To specify that the network object should represent a network, click
Network.
4. Click Next.
The Step 2: Computer Details dialog box appears.
The computer's IP address and MAC address are automatically filled in.
5. Complete the fields using the information in the tables below.
6. Click Next.
The Step 3: Save dialog box appears with the network object's name. If you are
adding a new network object, this name is the computer's name.
7. To change the network object name, type the desired name in the field.
8. Click Finish.
The new object appears in the Network Objects page.
Configuring High Availability
Chapter 5: Managing Your Network 139
Table 16: Network Object Fields for a Single Computer
In this field… Do this…
IP Address Type the IP address of the local computer, or click This Computer to
specify your computer.
Reserve a fixed IP
address for this
computer
Select this option to assign the network object's IP address to a MAC
address, and to allow the network object to connect to the WLAN
when MAC Filtering is used. For information about MAC Filtering, see
Configuring a Wireless Network on page 163.
MAC Address Type the MAC address you want to assign to the network object's IP
address, or click This Computer to specify your computer's MAC
address.
Perform Static NAT
(Network Address
Translation)
Select this option to map the local computer's IP address to an
Internet IP address.
You must then fill in the External IP field.
External IP Type the Internet IP address to which you want to map the local
computer's IP address.
Exclude this computer
from HotSpot
enforcement
Select this option to exclude the network object from HotSpot
enforcement.
Configuring High Availability
140 Check Point Safe@Office User Guide
Table 17: Network Object Fields for a Network
In this field… Do this…
IP Range Type the range of local computer IP addresses in the network.
Perform Static NAT
(Network Address
Translation)
Select this option to map the network's IP address range to a range of
Internet IP addresses of the same size.
You must then fill in the External IP Range field.
External IP Range Type the Internet IP address range to which you want to map the
network's IP address range.
Exclude this network
from HotSpot
enforcement
Select this option to exclude this network from HotSpot enforcement.
Viewing and Deleting Network Objects
To view or delete a network object
1. Click Network in the main menu, and click the Network Objects tab.
The Network Objects page appears with a list of network objects.
2. To delete a network object, do the following:
a. In the desired network object's row, click the Erase icon.
A confirmation message appears.
b. Click OK.
The network object is deleted.
Using Static Routes
Chapter 5: Managing Your Network 141
Using Static Routes
A static route is a setting that explicitly specifies the route for packets originating
in a certain subnet and/or destined for a certain subnet. Packets with a source and
destination that does not match any defined static route will be routed to the default
gateway. To modify the default gateway, see Using a LAN Connection on page
67.
A static route can be based on the packet's destination IP address, or based on the
source IP address, in which case it is a source route.
Source routing can be used, for example, for load balancing between two Internet
connections. For example, if you have an Accounting department and a Marketing
department, and you want each to use a different Internet connection for outgoing
traffic, you can add a static route specifying that traffic originating from the
Accounting department should be sent via WAN1, and another static route
specifying that traffic originating from the Marketing department should be sent via
WAN2.
The Static Routes page lists all existing routes, including the default, and indicates
whether each route is currently "Up" (reachable) or not.
Adding and Editing Static Routes
To add a static route
1. Click Network in the main menu, and click the Routes tab.
Using Static Routes
142 Check Point Safe@Office User Guide
The Static Routes page appears, with a list of existing static routes.
2. Do one of the following:
• To add a static route, click New Route.
• To edit an existing static route, click Edit next to the desired route in the
list.
Using Static Routes
Chapter 5: Managing Your Network 143
The Static Route Wizard opens displaying the Step 1: Source and Destination
dialog box.
3. To select a specific source network (source routing), do the following:
a) In the Source drop-down list, select Specified Network.
New fields appear.
b) In the Network field, type the IP address of the source network.
Using Static Routes
144 Check Point Safe@Office User Guide
c) In the Netmask drop-down list, select the subnet mask.
4. To select a specific destination network, do the following:
a) In the Destination drop-down list, select Specified Network.
New fields appear.
b) In the Network field, type the IP address of the destination network.
c) In the Netmask drop-down list, select the subnet mask.
5. Click Next.
Using Static Routes
Chapter 5: Managing Your Network 145
The Step 2: Next Hop and Metric dialog box appears.
6. In the Next Hop IP field, type the IP address of the gateway (next hop router) to
which to route the packets destined for this network.
7. In the Metric field, type the static route's metric.
The gateway sends a packet to the route that matches the packet's destination
and has the lowest metric.
The default value is 10.
8. Click Next.
Using Static Routes
146 Check Point Safe@Office User Guide
The new static route is saved.
Viewing and Deleting Static Routes
Note: The “default” route cannot be deleted.
To delete a static route
1. Click Network in the main menu, and click the Routes tab.
The Static Routes page appears, with a list of existing static routes.
2. In the desired route row, click the Erase icon.
A confirmation message appears.
3. Click OK.
The route is deleted.
Managing Ports
Chapter 5: Managing Your Network 147
Managing Ports
The Safe@Office appliance enables you to quickly and easily assign its ports to
different uses, as shown in the table below. Furthermore, you can restrict each port
to a specific link speed and duplex setting.
Table 18: Ports and Assignments
You can assign this port... To these uses...
LAN LAN network
VLAN network
DMZ/WAN2 DMZ network
Second WAN connection
VLAN trunk
RS232 Dialup modem
Serial console
Managing Ports
148 Check Point Safe@Office User Guide
Viewing Port Statuses
You can view the status of the Safe@Office appliance's ports on the Ports page,
including each Ethernet connection's duplex state. This is useful if you need to
check whether the appliance's physical connections are working, and you can’t see
the LEDs on front of the appliance.
Note: In the Safe@Office 500 model SBX-166LHG-2, status information is only
available for the WAN and DMZ ports, and not for LAN ports 1-4.
To view port statuses
1. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
The following information is displayed for each enabled port:
Managing Ports
Chapter 5: Managing Your Network 149
• Assign To. The port's current assignment. For example, if the
DMZ/WAN2 port is currently used for the DMZ, the drop-down list
displays "DMZ".
• Link Configuration. The configured link speed (10 Mbps or 100 Mbps) and
duplex (Full Duplex or Half Duplex) configured for the port.
Automatic Detection indicates that the port is configured to automatically
detect the link speed and duplex.
• Status. The detected link speed and duplex.
No Link indicates that the appliance does not detect anything connected to the
port.
Disabled indicates that the port is disabled. For example, if the DMZ/WAN2
port is currently assigned to the DMZ, but the DMZ is disabled, the port is
marked as such.
2. To refresh the display, click Refresh.
Modifying Port Assignments
You can assign ports to different networks or purposes. Since modifying port
assignments often requires additional configurations, use the table below to
determine which procedure you should use:
Table 19: Modifying Port Assignments
To assign a port
to...
See...
LAN The procedure below
VLAN or
VLAN Trunk
Configuring VLANs on page 113
Managing Ports
150 Check Point Safe@Office User Guide
To assign a port
to...
See...
WAN2 Setting Up a LAN or Broadband Backup Connection on page 93
DMZ Configuring a DMZ Network
Console Using a Console on page 392
Modem Setting Up a Dialup Modem on page 86
To modify a port assignment
1. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
In the Assigned To drop-down list to the right of the port, select the desired port
assignment.
2. Click Apply.
The port is reassigned to the specified network or purpose.
Managing Ports
Chapter 5: Managing Your Network 151
Modifying Link Configurations
By default, the Safe@Office automatically detects the link speed and duplex. If
desired, you can manually restrict the Safe@Office appliance's ports to a specific
link speed and duplex.
Note: In the Safe@Office 500 model SBX-166LHG-2, restricting the link speed and
duplex is available for the WAN and DMZ ports, and not for LAN ports 1-4.
To modify a port's link configuration
1. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
2. In the Link Configuration drop-down list to the right of the port, do one of the
following:
• Select the desired link speed and duplex.
• Select Automatic Detection to configure the port to automatically detect
the link speed and duplex.
This is the default.
3. Click Apply.
The port uses the specified link speed and duplex.
Managing Ports
152 Check Point Safe@Office User Guide
Resetting Ports to Defaults
You can reset the Safe@Office appliance's ports to their default link configurations
("Automatic Detection") and default assignments (shown in the table below).
Table 20: Default Port Assignments
Port Default Assignment
1-4 LAN
DMZ / WAN2 DMZ
WAN This port is always assigned to the WAN.
RS232 Modem
To reset ports to defaults
1. Click Network in the main menu, and click the Ports tab.
The Ports page appears.
2. Click Default.
A confirmation message appears.
3. Click OK.
The ports are reset to their default assignments and to "Automatic Detection"
link configuration.
All currently-established connections that are not supported by the default
settings may be broken. For example, if you were using the DMZ/WAN2 port as
WAN2, the port reverts to its DMZ assignment, and the secondary Internet
connection moves to the WAN port.
Overview
Chapter 6: Using Traffic Shaper 153
Chapter 6
This chapter describes how to use Traffic Shaper to control the flow of
communication to and from your network.
This chapter includes the following topics:
Overview..................................................................................................153
Setting Up Traffic Shaper.........................................................................155
Predefined QoS Classes............................................................................156
Adding and Editing Classes......................................................................157
Deleting Classes .......................................................................................161
Restoring Traffic Shaper Defaults............................................................162
Overview
Traffic Shaper is a bandwidth management solution that allows you to set
bandwidth policies to control the flow of communication. Traffic Shaper ensures
that important traffic takes precedence over less important traffic, so that your
business can continue to function with minimum disruption, despite network
congestion.
Traffic Shaper uses Stateful Inspection technology to access and analyze data
derived from all communication layers. This data is used to classify traffic in
Quality of Service (QoS) classes. Traffic Shaper divides available bandwidth
among the classes according to weight. For example, suppose Web traffic is
deemed three times as important as FTP traffic, and these services are assigned
weights of 30 and 10 respectively. If the lines are congested, Traffic Shaper will
maintain the ratio of bandwidth allocated to Web traffic and FTP traffic at 3:1.
If a specific class is not using all of its bandwidth, the leftover bandwidth is divided
among the remaining classes, in accordance with their relative weights. In the
example above, if only one Web and one FTP connection are active and they are
competing, the Web connection will receive 75% (30/40) of the leftover
Using Traffic Shaper
Overview
154 Check Point Safe@Office User Guide
bandwidth, and the FTP connection will receive 25% (10/40) of the leftover
bandwidth. If the Web connection closes, the FTP connection will receive 100% of
the bandwidth.
Each class has a bandwidth limit, which is the maximum amount of bandwidth that
connections belonging to that class may use together. Once a class has reached its
bandwidth limit, connections belonging to that class will not be allocated further
bandwidth, even if there is unused bandwidth available. For example, traffic used
by Peer-To-Peer file-sharing applications may be limited to a specific rate, such as
512 kilobit per second. Each class also has a “Delay Sensitivity” value, indicating
whether connections belonging to the class should be given precedence over
connections belonging to other classes.
Your Safe@Office appliance offers different degrees of traffic shaping, depending
on its model:
• Simplified Traffic Shaper. Includes a fixed set of four predefined classes.
You can assign network traffic to each class, but you cannot modify the
classes, delete them, or create new classes. Available in Safe@Office 500.
• Advanced Traffic Shaper. Includes a set of four predefined classes, but
enables you to modify the classes, delete them, and create new classes.
You can define up to eight classes, including weight, bandwidth limits, and
DiffServ (Differentiated Services) Packet Marking parameters. DiffServ
marks packets as belonging to a certain Quality of Service class. These
packets are then granted priority on the public network according to their
class. Available in Safe@Office 500 with Power Pack.
Note: You can prioritize wireless traffic from WMM-compliant multimedia
applications, by enabling Wireless Multimedia (WMM) for the WLAN network. See
Manually Configuring a WLAN on page 167.
Setting Up Traffic Shaper
Chapter 6: Using Traffic Shaper 155
Setting Up Traffic Shaper
To set up Traffic Shaper
1. Enable Traffic Shaper for the Internet connection, using the procedure Using
Internet Setup on page 65.
You can enable Traffic Shaper for incoming or outgoing connections.
• When enabling Traffic Shaper for outgoing traffic:
Specify a rate (in kilobits/second) slightly lower than your Internet
connection's maximum measured upstream speed.
• When enabling Traffic Shaper for incoming traffic:
Specify a rate (in kilobits/second) slightly lower than your Internet
connection's maximum measured downstream speed.
It is recommended to try different rates in order to determine which ones
provide the best results.
Note: Traffic Shaper cannot control the number or type of packets it receives from
the Internet; it can only affect the rate of incoming traffic by dropping received
packets. This makes the shaping of inbound traffic less accurate than the shaping
of outbound traffic. It is therefore recommended to enable traffic shaping for
incoming traffic only if necessary.
2. If you are using Safe@Office 500 with Power Pack, you can add QoS classes
that reflect your communication needs, or modify the four predefined QoS
classes.
See Adding and Editing Classes on page 157.
Note: If you are using Safe@Office 500, you have Simplified Traffic Shaper, and you
cannot add or modify the classes. To add or modify classes, upgrade to
Safe@Office 500 with Power Pack, which supports Advanced Traffic Shaper.
Predefined QoS Classes
156 Check Point Safe@Office User Guide
3. Use Allow or Allow and Forward rules to assign different types of connections
to QoS classes.
For example, if Traffic Shaper is enabled for outgoing traffic, and you create an
Allow rule associating all outgoing VPN traffic with the Urgent QoS class, then
Traffic Shaper will handle outgoing VPN traffic as specified in the bandwidth
policy for the Urgent class.
See Adding and Editing Rules on page 215.
Note: Traffic Shaper must be enabled for the direction of traffic specified in the rule.
Note: If you do not assign a connection type to a class, Traffic Shaper automatically
assigns the connection type to the predefined "Default" class.
Predefined QoS Classes
Traffic Shaper provides the following predefined QoS classes.
To assign traffic to these classes, define firewall rules as described in Using Rules
on page 211.
Table 21: Predefined QoS Classes
Class Weight Delay Sensitivity Useful for
Default 10 Medium
(Normal Traffic)
Normal traffic.
All traffic is assigned to this class by default.
Urgent 15 High
(Interactive Traffic)
Traffic that is highly sensitive to delay. For
example, IP telephony, videoconferencing,
and interactive protocols that require quick
user response, such as telnet.
Adding and Editing Classes
Chapter 6: Using Traffic Shaper 157
Class Weight Delay Sensitivity Useful for
Important 20 Medium
(Normal Traffic)
Normal traffic
Low Priority 5 Low
(Bulk Traffic)
Traffic that is not sensitive to long delays. For
example, SMTP traffic (outgoing email).
In Simplified Traffic Shaper, these classes cannot be changed.
Adding and Editing Classes
To add or edit a QoS class
1. Click Network in the main menu, and click the Traffic Shaper tab.
The Quality of Service Classes page appears.
2. Click Add.
Adding and Editing Classes
158 Check Point Safe@Office User Guide
The Safe@Office QoS Class Editor wizard opens, with the Step 1 of 3: Quality of
Service Parameters dialog box displayed.
3. Complete the fields using the relevant information in the table below.
4. Click Next.
The Step 2 of 3: Advanced Options dialog box appears.
5. Complete the fields using the relevant information in the table below.
Adding and Editing Classes
Chapter 6: Using Traffic Shaper 159
Note: Traffic Shaper may not enforce guaranteed rates and relative weights for
incoming traffic as accurately as for outgoing traffic. This is because Traffic Shaper
cannot control the number or type of packets it receives from the Internet; it can
only affect the rate of incoming traffic by dropping received packets. It is therefore
recommended to enable traffic shaping for incoming traffic only if necessary. For
information on enabling Traffic Shaper for incoming and outgoing traffic, see Using
Internet Setup on page 65.
6. Click Next.
The Step 3 of 3: Save dialog box appears with a summary of the class.
7. Type a name for the class.
For example, if you are creating a class for high priority Web connections, you
can name the class "High Priority Web".
8. Click Finish.
The new class appears in the Quality of Service Classes page.
Adding and Editing Classes
160 Check Point Safe@Office User Guide
Table 22: QoS Class Fields
In this field… Do this…
Relative Weight Type a value indicating the class's importance relative to the other
defined classes.
For example, if you assign one class a weight of 100, and you assign
another class a weight of 50, the first class will be allocated twice the
amount of bandwidth as the second when the lines are congested.
Delay Sensitivity Select the degree of precedence to give this class in the transmission
queue:
• Low (Bulk Traffic) - Traffic that is not sensitive to long delays.
For example, SMTP traffic (outgoing email).
• Medium (Normal Traffic) - Normal traffic
• High (Interactive Traffic) - Traffic that is highly sensitive to delay.
For example, IP telephony, videoconferencing, and interactive
protocols that require quick user response, such as telnet.
Traffic Shaper serves delay-sensitive traffic with a lower latency. That is,
Traffic Shaper attempts to send packets with a "High (Interactive Traffic)"
level before packets with a "Medium (Normal Traffic)" or "Low (Bulk
Traffic)" level.
Outgoing Traffic:
Guarantee At
Least
Select this option to guarantee a minimum bandwidth for outgoing traffic
belonging to this class. Then type the minimum bandwidth (in
kilobits/second) in the field provided.
Outgoing Traffic:
Limit rate to
Select this option to limit the rate of outgoing traffic belonging to this
class. Then type the maximum rate (in kilobits/second) in the field
provided.
Incoming Traffic:
Guarantee At
Least
Select this option to guarantee a minimum bandwidth for incoming traffic
belonging to this class. Then type the minimum bandwidth (in
kilobits/second) in the field provided.
Deleting Classes
Chapter 6: Using Traffic Shaper 161
In this field… Do this…
Incoming Traffic:
Limit rate to
Select this option to limit the rate of incoming traffic belonging to this
class. Then type the maximum rate (in kilobits/second) in the field
provided.
DiffServ Code
Point
Select this option to mark packets belonging to this class with a DiffServ
Code Point (DSCP), which is an integer between 0 and 63. Then type the
DSCP in the field provided.
The marked packets will be given priority on the public network according
to their DSCP.
To use this option, your ISP or private WAN must support DiffServ. You
can obtain the correct DSCP value from your ISP or private WAN
administrator.
Deleting Classes
You cannot delete a class that is currently used by a rule. You can determine
whether a class is in use or not, by viewing the Rules page.
To delete an existing QoS class
1. Click Network in the main menu, and click the Traffic Shaper tab.
The Quality of Service Classes page appears.
2. Click the Erase icon of the class you wish to delete.
A confirmation message appears.
3. Click OK.
The class is deleted.
Restoring Traffic Shaper Defaults
162 Check Point Safe@Office User Guide
Restoring Traffic Shaper Defaults
If desired, you can reset the Traffic Shaper bandwidth policy to use the four
predefined classes, and restore these classes to their default settings. For
information on these classes and their defaults, see Predefined QoS Classes on
page 156.
Note: This will delete any additional classes you defined in Traffic
Shaper and reset all rules to use the Default class.
If one of the additional classes is currently used by a rule, you
cannot reset Traffic Shaper to defaults. You can determine whether
a class is in use or not, by viewing the Rules page.
To restore Traffic Shaper defaults
1. Click Network in the main menu, and click the Traffic Shaper tab.
The Quality of Service Classes page appears.
2. Click Restore Defaults.
A confirmation message appears.
3. Click OK.
Overview
Chapter 7: Configuring a Wireless Network 163
Chapter 7
This chapter describes how to set up a wireless internal network.
This chapter includes the following topics:
Overview..................................................................................................163
About the Wireless Hardware in Your Safe@Office 500W Appliance ...164
Wireless Security Protocols......................................................................165
Manually Configuring a WLAN...............................................................167
Using the Wireless Configuration Wizard................................................178
Preparing the Wireless Stations................................................................184
Troubleshooting Wireless Connectivity...................................................185
Overview
In addition to the LAN and DMZ networks, you can define a wireless internal
network called a WLAN (wireless LAN) network, when using Safe@Office 500W.
For information on default security policy rules controlling traffic to and from the
WLAN, see Default Security Policy on page 205.
You can configure a WLAN network in either of the following ways:
• Wireless Configuration Wizard. Guides you through the WLAN setup step
by step.
See Using the Wireless Configuration Wizard on page 178.
• Manual configuration. Offers advanced setup options.
See Manually Configuring a WLAN on page 167.
Note: It is recommended to configure the WLAN via Ethernet and not via a wireless
connection, because the wireless connection could be broken after making a
change to the configuration.
Configuring a Wireless Network
About the Wireless Hardware in Your Safe@Office 500W Appliance
164 Check Point Safe@Office User Guide
About the Wireless Hardware in Your Safe@Office
500W Appliance
Your Safe@Office 500W appliance features a built-in 802.11b/g access point that
is tightly integrated with the firewall and hardware-accelerated VPN.
Safe@Office 500W supports the latest 802.11g standard (up to 54Mbps) and is
backwards compatible with the older 802.11b standard (up to 11Mbps), so that
both new and old adapters of these standards are interoperable. Safe@Office 500W
also supports a special Super G mode that allows reaching a throughput of up to
108Mbps with Super G compatible stations. For more information on the Super G
mode refer to: http://www.super-ag.com.
Safe@Office 500W transmits in 2.4GHz range, using dual diversity antennas to
increase the range. In addition, the Safe@Office 500W supports a special extended
range (XR) mode that allows up to three times the range of a regular 802.11g
access point. XR dramatically stretches the performance of a wireless LAN, by
enabling long-range connections. The architecture delivers receive sensitivities of
up to 105dBm, over 20 dB more than the 802.11 specification. This allows ranges
of up to 300 meters indoors, and up to 1 km (3200 ft) outdoors, with XR-enabled
wireless stations (actual range depends on environment).
Wireless Security Protocols
Chapter 7: Configuring a Wireless Network 165
Wireless Security Protocols
The Safe@Office wireless security appliance supports the following security
protocols:
Table 23: Wireless Security Protocols
Security
Protocol
Description
None No security method is used. This option is not recommended, because it
allows unauthorized users to access your WLAN network, although you can
still limit access from the WLAN by creating firewall rules. This method is
suitable for creating public access points.
WEP encryption In the WEP (Wired Equivalent Privacy) encryption security method, wireless
stations must use a pre-shared key to connect to your network. This method
is not recommended, due to known security flaws in the WEP protocol. It is
provided for compatibility with existing wireless deployments.
Note: The appliance and the wireless stations must be configured with the
same WEP key.
802.1X: RADIUS
authentication, no
encryption
In the 802.1x security method, wireless stations (supplicants) attempting to
connect to the access point (authenticator) must first be authenticated by a
RADIUS server (authentication server) which supports 802.1x . All messages
are passed in EAP (Extensible Authentication Protocol).
This method is recommended for situations in which you want to authenticate
wireless users, but do not need to encrypt the data.
Note: To use this security method, you must first configure a RADIUS server.
See Using RADIUS Authentication. on page 372
Wireless Security Protocols
166 Check Point Safe@Office User Guide
Security
Protocol
Description
WPA: RADIUS
authentication,
encryption
The WPA (Wi-Fi Protected Access) security method uses MIC (message
integrity check) to ensure the integrity of messages, and TKIP (Temporal Key
Integrity Protocol) to enhance data encryption.
Furthermore, WPA includes 802.1x and EAP authentication, based on a
central RADIUS authentication server. This method is recommended for
situations where you want to authenticate wireless stations using a RADIUS
server, and to encrypt the transmitted data.
Note: To use this security method, you must first configure a RADIUS server
which supports 802.1x. See Using RADIUS Authentication. on page 372
WPA-PSK:
password
authentication,
encryption
The WPA-PSK security method is a variation of WPA that does not require an
authentication server. WPA-PSK periodically changes and authenticates
encryption keys. This is called rekeying.
This option is recommended for small networks, which want to authenticate
and encrypt wireless data, but do not want to install a RADIUS server.
Note: The appliance and the wireless stations must be configured with the
same passphrase.
WPA2 (802.11i) The WPA2 security method uses the more secure Advanced Encryption
Standard (AES) cipher, instead of the RC4 cipher used by WPA and WEP.
When using WPA or WPA-PSK security methods, the Safe@Office enables
you to restrict access to the WLAN network to wireless stations that support
the WPA2 security method. If this setting is not selected, the Safe@Office
appliance allows clients to connect using both WPA and WPA2.
Manually Configuring a WLAN
Chapter 7: Configuring a Wireless Network 167
Note: For increased security, it is recommended to enable the Safe@Office internal
VPN Server for users connecting from your internal networks, and to install
SecuRemote on each computer in the WLAN. This ensures that all connections
from the WLAN to the LAN are encrypted and authenticated. For information, see
Internal VPN Server on page 308 and Setting Up Your Safe@Office Appliance
as a VPN Server on page 309.
Manually Configuring a WLAN
To manually configure a WLAN network
1. Prepare the appliance for a wireless connection as described in Network
Installation on page 37.
2. If you want to use 802.1X or WPA security mode for the WLAN, configure a
RADIUS server.
For information on security modes, see Basic WLAN Settings Fields on page
170.
For information on configuring RADIUS servers, see Using RADIUS
Authentication on page 372.
3. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
4. In the WLAN network's row, click Edit.
Manually Configuring a WLAN
168 Check Point Safe@Office User Guide
The Edit Network Settings page appears.
5. In the Mode drop-down list, select Enabled.
The fields are enabled.
6. If desired, enable or disable Hide NAT.
See Enabling/Disabling Hide NAT on page 109.
7. If desired, configure a DHCP server.
See Configuring a DHCP Server on page 96.
Manually Configuring a WLAN
Chapter 7: Configuring a Wireless Network 169
8. Complete the fields using the information in Basic WLAN Settings Fields on
page 170.
9. To configure advanced settings, click Show Advanced Settings and complete the
fields using the information in Advanced WLAN Settings Fields on page 174.
New fields appear.
10. Click Apply.
A warning message appears, telling you that you are about to change your
network settings.
Manually Configuring a WLAN
170 Check Point Safe@Office User Guide
11. Click OK.
A success message appears.
12. Prepare the wireless stations.
See Preparing the Wireless Stations on page 184.
Table 24: WLAN Settings Fields
In this field… Do this…
IP Address Type the IP address of the WLAN network's default gateway.
Note: The WLAN network must not overlap other networks.
Subnet Mask Type the WLAN’s internal network range.
Wireless Settings
Network Name
(SSID)
Type the network name (SSID) that identifies your wireless network. This
name will be visible to wireless stations passing near your access point,
unless you enable the Hide the Network Name (SSID) option.
It can be up to 32 alphanumeric characters long and is case-sensitive.
Country Select the country where you are located.
Warning: Choosing an incorrect country may result in the violation of
government regulations.
Manually Configuring a WLAN
Chapter 7: Configuring a Wireless Network 171
In this field… Do this…
Operation Mode Select an operation mode:
• 802.11b (11Mbps). Operates in the 2.4 GHz range and offers a
maximum theoretical rate of 11 Mbps. When using this mode,
only 802.11b stations will be able to connect.
• 802.11g (54 Mbps). Operates in the 2.4 GHz range, and offers a
maximum theoretical rate of 54 Mbps. When using this mode,
only 802.11g stations will be able to connect.
• 802.11b/g (11/54 Mbps). Operates in the 2.4 GHz range, and offers
a maximum theoretical rate of 54 Mbps. When using this mode,
both 802.11b stations and 802.11g stations will be able to
connect.
• 802.11g Super (108 Mbps). Operates in the 2.4 GHz range, and
offers a maximum theoretical rate of 108 Mbps. When using this
mode, only 802.11g Super stations will be able to connect.
• 802.11g Super (11/54/108). Operates in the 2.4 GHz range, and
offers a maximum theoretical rate of 108 Mbps. When using this
mode, 802.11b stations, 802.11g stations, and 802.11g Super
stations will all be able to connect.
Each operation mode indicates a wireless protocol (such as 802.11g
Super), followed by the maximum bandwidth (such as 108 Mbps).
The list of modes is dependent on the selected country.
You can prevent older wireless stations from slowing down your network, by
choosing an operation mode that restricts access to newer wireless
stations.
Note: The actual data transfer speed is usually significantly lower than the
maximum theoretical bandwidth and degrades with distance.
Important: The station wireless cards must support the selected operation
mode. For a list of cards supporting 802.11g Super, refer to
http://www.super-ag.com.
Manually Configuring a WLAN
172 Check Point Safe@Office User Guide
In this field… Do this…
Channel Select the radio frequency to use for the wireless connection:
• Automatic. The Safe@Office appliance automatically selects a
channel. This is the default.
• A specific channel. The list of channels is dependent on the
selected country and operation mode.
Note: If there is another wireless network in the vicinity, the two networks
may interfere with one another. To avoid this problem, the networks should
be assigned channels that are at least 25 MHz (5 channels) apart.
Alternatively, you can reduce the transmission power.
Security Select the security protocol to use. For information on the supported
security protocols, see Wireless Security Protocols on page 165.
If you select WEP encryption, the WEP Keys area opens.
If you select WPA, the Require WPA2 (802.11i) field appears.
If you select WPA-PSK, the Passphrase and Require WPA2 (802.11i) fields
appear.
Passphrase Type the passphrase for accessing the network, or click Random to randomly
generate a passphrase.
This must be between 8 and 63 characters. It can contain spaces and
special characters, and is case-sensitive.
For the highest security, choose a long passphrase that is hard to guess, or
use the Random button.
Note: The wireless stations must be configured with this passphrase as well.
Manually Configuring a WLAN
Chapter 7: Configuring a Wireless Network 173
In this field… Do this…
Require WPA2
(802.11i)
Specify whether you want to require wireless stations to connect using
WPA2, by selecting one of the following:
• Enable. Only wireless stations using WPA2 can access the
WLAN network.
• Disable. Wireless stations using either WPA or WPA2 can access
the WLAN network. This is the default.
WEP Keys If you selected WEP encryption, you must configure at least one WEP key.
The wireless stations must be configured with the same key, as well.
Key 1, 2, 3, 4 radio
button
Click the radio button next to the WEP key that this gateway should use for
transmission.
The selected key must be entered in the same key slot (1-4) on the station
devices, but the key need not be selected as the transmit key on the
stations.
Note: You can use all four keys to receive data.
Key 1, 2, 3, 4
length
Select the WEP key length from the drop-down list.
The possible key lengths are:
• 64 Bits. The key length is 10 characters.
• 128 Bits. The key length is 26 characters.
• 152 Bits. The key length is 32 characters.
Note: Some wireless card vendors call these lengths 40/104/128,
respectively.
Note: WEP is generally considered to be insecure, regardless of the
selected key length.
Manually Configuring a WLAN
174 Check Point Safe@Office User Guide
In this field… Do this…
Key 1, 2, 3, 4 text
box
Type the WEP key, or click Random to randomly generate a key matching
the selected length. The key is composed of hexadecimal characters 0-9
and A-F, and is not case-sensitive.
Table 25: Advanced WLAN Settings Fields
In this field… Do this…
Advanced Security
Hide the Network
Name (SSID)
Specify whether you want to hide your network's SSID, by selecting one of
the following:
• Yes. Hide the SSID.
Only devices to which your SSID is known can connect to your
network.
• No. Do not hide the SSID.
Any device within range can detect your network name using the
wireless network discovery features of some products, such as
Microsoft Windows XP, and attempt to connect to your network.
This is the default.
Note: Hiding the SSID does not provide strong security, because by a
determined attacker can still discover your SSID. Therefore, it is not
recommended to rely on this setting alone for security.
Manually Configuring a WLAN
Chapter 7: Configuring a Wireless Network 175
In this field… Do this…
MAC Address
Filtering
Specify whether you want to enable MAC address filtering, by selecting one
of the following:
• Yes. Enable MAC address filtering.
Only MAC addresses that you added as network objects can
connect to your network.
For information on network objects, see Using Network
Objects on page 131.
• No. Disable MAC address filtering. This is the default.
Note: MAC address filtering does not provide strong security, since MAC
addresses can be spoofed by a determined attacker. Therefore, it is not
recommended to rely on this setting alone for security.
Wireless Transmitter
Transmission Rate Select the transmission rate:
• Automatic. The Safe@Office appliance automatically selects a
rate. This is the default.
• A specific rate
Transmitter Power Select the transmitter power.
Setting a higher transmitter power increases the access point's range. A
lower power reduces interference with other access points in the vicinity.
The default value is Full. It is not necessary to change this value, unless
there are other access points in the vicinity.
Manually Configuring a WLAN
176 Check Point Safe@Office User Guide
In this field… Do this…
Antenna Selection Multipath distortion is caused by the reflection of Radio Frequency (RF)
signals traveling from the transmitter to the receiver along more than one
path. Signals that were reflected by some surface reach the receiver after
non-reflected signals and distort them.
Safe@Office appliances avoid the problems of multipath distortion by using
an antenna diversity system. To provide antenna diversity, each wireless
security appliance has two antennas.
Specify which antenna to use for communicating with wireless stations:
• Automatic. The Safe@Office appliance receives signals through
both antennas and automatically selects the antenna with the
lowest distortion signal to use for communicating. The selection
is made on a per-station basis. This is the default.
• ANT 1. The ANT 1antenna is always used for communicating.
• ANT 2. The ANT 2 antenna is always used for communicating.
Use manual diversity control (ANT 1 or ANT 2), if there is only one antenna
connected to the appliance.
Fragmentation
Threshold
Type the smallest IP packet size (in bytes) that requires that the IP packet
be split into smaller fragments.
If you are experiencing significant radio interference, set the threshold to a
low value (around 1000), to reduce error penalty and increase overall
throughput.
Otherwise, set the threshold to a high value (around 2000), to reduce
overhead.
The default value is 2346.
Manually Configuring a WLAN
Chapter 7: Configuring a Wireless Network 177
In this field… Do this…
RTS Threshold Type the smallest IP packet size for which a station must send an RTS
(Request To Send) before sending the IP packet.
If multiple wireless stations are in range of the access point, but not in range
of each other, they might send data to the access point simultaneously,
thereby causing data collisions and failures. RTS ensures that the channel
is clear before the each packet is sent.
If your network is congested, and the users are distant from one another,
set the RTS threshold to a low value (around 500).
Setting a value equal to the fragmentation threshold effectively disables
RTS.
The default value is 2346.
Extended Range
Mode (XR)
Specify whether to use Extended Range (XR) mode:
• Disabled. XR mode is disabled.
• Enabled. XR mode is enabled. XR will be automatically
negotiated with XR-enabled wireless stations and used as
needed. This is the default.
For more information on XR mode, see About the Wireless Hardware in
Your Safe@Office 500W Appliance on page 164.
Multimedia QoS
(WMM)
Specify whether to use the Wireless Multimedia (WMM) standard to
prioritize traffic from WMM-compliant multimedia applications:
• Disabled. WMM is disabled. This is the default.
• Enabled. WMM is enabled. The Safe@Office appliance will
prioritize multimedia traffic according to four access categories
(Voice, Video, Best Effort, and Background). This allows for
smoother streaming of voice and video when using WMM aware
applications.
Using the Wireless Configuration Wizard
178 Check Point Safe@Office User Guide
Using the Wireless Configuration Wizard
The Wireless Configuration Wizard provides a quick and simple way of setting up
your basic WLAN parameters for the first time.
To configure a WLAN using the Wireless Configuration Wizard
1. Prepare the appliance for a wireless connection as described in Network
Installation on page 37.
2. Click Network in the main menu, and click the My Network tab.
The My Network page appears.
3. In the WLAN network's row, click Edit.
The Edit Network Settings page appears.
4. Click Wireless Wizard.
The Wireless Configuration Wizard opens, with the Wireless Configuration dialog
box displayed.
5. Select the Enable wireless networking check box to enable the WLAN.
Using the Wireless Configuration Wizard
Chapter 7: Configuring a Wireless Network 179
The fields are enabled.
6. Complete the fields using the information in Basic WLAN Settings Fields on
page 170.
7. Click Next.
8. The Wireless Security dialog box appears.
9. Do one of the following:
• Click WPA-PSK to use the WPA-PSK security mode.
WPA-PSK periodically changes and authenticates encryption keys. This is a
recommended security mode for small, private wireless networks, which
want to authenticate and encrypt wireless data but do not want to install a
RADIUS server. Both WPA and the newer, more secure WPA2 (802.11i)
will be accepted.
• Click WEP to use the WEP security mode.
Using WEP, wireless stations must use a pre-shared key to connect to your
network. WEP is widely known to be insecure, and is supported mainly for
compatibility with existing networks and stations that do not support other
methods.
Using the Wireless Configuration Wizard
180 Check Point Safe@Office User Guide
• Click No Security to use no security to create a public, unsecured access
point.
Note: You cannot configure WPA and 802.1x using this wizard. For information on
configuring these modes, see Manually Configuring a WLAN on page 167.
10. Click Next.
WPA-PSK
If you chose WPA-PSK, the Wireless Configuration-WPA-PSK dialog box appears.
Do the following:
1. In the text box, type the passphrase for accessing the network, or click Random
to randomly generate a passphrase.
This must be between 8 and 63 characters. It can contain spaces and special
characters, and is case-sensitive.
2. Click Next.
Using the Wireless Configuration Wizard
Chapter 7: Configuring a Wireless Network 181
The Wireless Security Confirmation dialog box appears.
3. Click Next.
4. The Wireless Security Complete dialog box appears.
5. Click Finish.
The wizard closes.
6. Prepare the wireless stations.
Using the Wireless Configuration Wizard
182 Check Point Safe@Office User Guide
See Preparing the Wireless Stations on page 184.
WEP
If you chose WEP, the Wireless Configuration-WEP dialog box appears.
Do the following:
1. Choose a WEP key length.
The possible key lengths are:
• 64 Bits - The key length is 10 hexadecimal characters.
• 128 Bits - The key length is 26 hexadecimal characters.
• 152 Bits - The key length is 32 hexadecimal characters.
Some wireless card vendors call these lengths 40/104/128, respectively.
Note that WEP is generally considered to be insecure, regardless of the selected
key length.
2. In the text box, type the WEP key, or click Random to randomly generate a key
matching the selected length.
The key is composed of characters 0-9 and A-F, and is not case-sensitive. The
wireless stations must be configured with this same key.
Using the Wireless Configuration Wizard
Chapter 7: Configuring a Wireless Network 183
3. Click Next.
The Wireless Security Confirmation dialog box appears.
4. Click Next.
The Wireless Security Complete dialog box appears.
5. Click Finish.
The wizard closes.
6. Prepare the wireless stations.
See Preparing the Wireless Stations on page 184.
No Security
The Wireless Security Complete dialog box appears.
• Click Finish.
The wizard closes.
Preparing the Wireless Stations
184 Check Point Safe@Office User Guide
Preparing the Wireless Stations
After you have configured a WLAN, the wireless stations must be prepared for
connection to the WLAN.
To prepare the wireless stations
1. If you selected the WEP security mode, give the WEP key to the wireless
stations' administrators.
2. If you selected the WPA-PSK security mode, give the passphrase to the wireless
stations' administrator.
3. The wireless stations' administrators should configure the wireless stations and
connect them to the WLAN.
Refer to the wireless cards' documentation for details.
Note: Some wireless cards have "Infrastructure" and "Ad-hoc" modes. These modes
are also called "Access Point" and "Peer to Peer". Choose the "Infrastructure" or
"Access Point" mode.
You can set the wireless cards to either "Long Preamble" or "Short Preamble".
Note: The wireless cards' region and the Safe@Office appliance's region must both
match the region of the world where you are located. If you purchased your
Safe@Office appliance in a different region, contact technical support.
Troubleshooting Wireless Connectivity
Chapter 7: Configuring a Wireless Network 185
Troubleshooting Wireless Connectivity
I cannot connect to the WLAN from a wireless station. What should I do?
• Check that the SSID configured on the station matches the Safe@Office
appliance's SSID. The SSID is case-sensitive.
• Check that the encryption settings configured on the station (encryption
mode and keys) match the Safe@Office appliance's encryption settings.
• If MAC filtering is enabled, verify that the MAC address of all stations is
listed in the Network Objects page (see Viewing and Deleting Network
Objects on page 140).
How do I test wireless reception?
• Look at the Wireless page, and check for excessive errors or dropped
packets.
• Look at the Active Computers page, to see information for specific wireless
stations, such as the number of transmission errors, and the current
reception power of each station.
• On the wireless station, open a command window and type ping
my.firewall. If you see a large number of dropped packets, you are
experiencing poor reception.
Wireless reception is poor. What should I do?
• Adjust the angle of the antennas, until the reception improves. The
antennas radiate horizontally in all directions.
• If both antennas are connected to the Safe@Office appliance, check that
the Antenna Selection parameter in the WLAN's advanced settings is set to
Automatic (see Manually Configuring a WLAN on page 167).
• Relocate the Safe@Office appliance to a place with better reception, and
avoid obstructions, such as walls and electrical equipment. For example,
try mounting the appliance in a high place with a direct line of sight to the
wireless stations.
• Check for interference with nearby electrical equipment, such as
microwave ovens and cordless or cellular phones.
Troubleshooting Wireless Connectivity
186 Check Point Safe@Office User Guide
• Check the Transmission Power parameter in the WLAN's advanced settings
(see Manually Configuring a WLAN on page 167).
• Make sure that you are not using two access points in close proximity and
on the same frequency. For minimum interference, channel separation
between nearby access points must be at least 25 MHz (5 channels).
• The Safe@Office appliance supports XR (Extended Range) technology.
For best range, enable XR mode in the WLAN's advanced settings (see
Manually Configuring a WLAN on page 167), and use XR-enabled
stations.
• Range outdoors is normally much higher than indoors, depending on
environmental conditions.
Note: You can observe any changes in the wireless reception in the Active Computers
page. Make sure to refresh the page after making a change.
Note: Professional companies are available for help in setting up reliable wireless
networks, with access to specialized testing equipment and procedures.
There are excessive collisions between wireless stations. What should I do?
If you have many concurrently active wireless stations, there may be collisions
between them. Such collisions may be the result of a "hidden node" problem: not
all of the stations are within range of each other, and therefore are "hidden" from
one another. For example, if station A and station C do not detect each other, but
both stations detect and are detected by station B, then both station A and C may
attempt to send packets to station B simultaneously. In this case, the packets will
collide, and Station B will receive corrupted data.
The solution to this problem lies in the use of the RTS protocol. Before sending a
certain size IP packet, a station sends an RTS (Request To Send) packet. If the
recipient is not currently receiving packets from another source, it sends back a
CTS (Clear To Send) packet, indicating that the station can send the IP packet. Try
setting the RTS Threshold parameter in the WLAN's advanced settings (see
Manually Configuring a WLAN on page 167) to a lower value. This will cause
stations to use RTS for smaller IP packets, thus decreasing the likeliness of
collisions.
Troubleshooting Wireless Connectivity
Chapter 7: Configuring a Wireless Network 187
In addition, try setting the Fragmentation Threshold parameter in the WLAN's
advanced settings (see Manually Configuring a WLAN on page 167) to a lower
value. This will cause stations to fragment IP packets of a certain size into smaller
packets, thereby reducing the likeliness of collisions and increasing network speed.
Note: Reducing the RTS Threshold and the Fragmentation Threshold too much can
have a negative impact on performance.
Note: Setting an RTS Threshold value equal to the Fragmentation Threshold value
effectively disables RTS.
I am not getting the full speed. What should I do?
• The actual speed is always less then the theoretical speed, and degrades
with distance.
• Read the section about reception problems. Better reception means better
speed.
• Check that all your wireless stations support the wireless standard you are
using (802.11g or 802.11g Super), and that this standard is enabled in the
station software. Transmission speed is determined by the slowest station
associated with the access point. For a list of wireless stations that support
802.11g Super, see www.super-ag.com.
Viewing the Event Log
Chapter 8: Viewing Reports 189
Chapter 8
This chapter describes the Safe@Office Portal reports.
This chapter includes the following topics:
Viewing the Event Log.............................................................................189
Using the Traffic Monitor ........................................................................193
Viewing Computers..................................................................................196
Viewing Connections ...............................................................................199
Viewing Wireless Statistics......................................................................200
Viewing the Event Log
You can track network activity using the Event Log. The Event Log displays the
most recent events and color-codes them.
Table 26: Event Log Color Coding
An event marked in
this color…
Indicates…
Blue Changes in your setup that you have made yourself or as a result of
a security update implemented by your Service Center.
Red Connection attempts that were blocked by your firewall.
Orange Connection attempts that were blocked by your custom security
rules.
Viewing Reports
Viewing the Event Log
190 Check Point Safe@Office User Guide
An event marked in
this color…
Indicates…
Green Traffic accepted by the firewall.
By default, accepted traffic is not logged.
However, such traffic may be logged if specified by a security policy
downloaded from your Service Center, or if specified in user-defined
rules.
You can create firewall rules specifying that certain types of connections should be
logged, whether the connections are incoming or outgoing, blocked or accepted.
For information, see Using Rules on page 211.
The logs detail the date and the time the event occurred, and its type. If the event is
a communication attempt that was rejected by the firewall, the event details include
the source and destination IP address, the destination port, and the protocol used for
the communication attempt (for example, TCP or UDP). If the event is a
connection made or attempted over a VPN tunnel, the event is marked by a lock
icon in the VPN column.
This information is useful for troubleshooting. You can export the logs to an *.xls
(Microsoft Excel) file, and then store it for analysis purposes or send it to technical
support.
Note: You can configure the Safe@Office appliance to send event logs to a Syslog
server. For information, see Configuring Syslog Logging on page 388.
Viewing the Event Log
Chapter 8: Viewing Reports 191
To view the event log
1. Click Reports in the main menu, and click the Event Log tab.
The Event Log page appears.
2. If an event is highlighted in red, indicating a blocked attack on your network,
you can display the attacker’s details, by clicking on the IP address of the
attacking machine.
The Safe@Office appliance queries the Internet WHOIS server, and a window
displays the name of the entity to whom the IP address is registered and their
contact information. This information is useful in tracking down hackers.
3. To refresh the display, click Refresh.
4. To save the displayed events to an *.xls file:
a. Click Save.
Viewing the Event Log
192 Check Point Safe@Office User Guide
A standard File Download dialog box appears.
b. Click Save.
The Save As dialog box appears.
c. Browse to a destination directory of your choice.
d. Type a name for the configuration file and click Save.
The *.xls file is created and saved to the specified directory.
5. To clear all displayed events:
a. Click Clear.
A confirmation message appears.
b. Click OK.
All events are cleared.
Using the Traffic Monitor
Chapter 8: Viewing Reports 193
Using the Traffic Monitor
You can view incoming and outgoing traffic for selected network interfaces and
QoS classes using the Traffic Monitor. This enables you to identify network traffic
trends and anomalies, and to fine tune Traffic Shaper QoS class assignments.
The Traffic Monitor displays separate bar charts for incoming traffic and outgoing
traffic, and displays traffic rates in kilobits/second. If desired, you can change the
number of seconds represented by the bars in the charts, using the procedure
Configuring Traffic Monitor Settings on page 195.
In network traffic reports, the traffic is color-coded as described in the table below.
In the All QoS Classes report, the traffic is color-coded by QoS class.
Table 27: Traffic Monitor Color Coding for Networks
Traffic marked in this color… Indicates…
Blue VPN-encrypted traffic
Red Traffic blocked by the firewall
Green Traffic accepted by the firewall
You can export a detailed traffic report for all enabled networks and all defined
QoS classes, using the procedure Exporting General Traffic Reports on page 196.
Viewing Traffic Reports
To view a traffic report
1. Click Reports in the main menu, and click the Traffic Monitor tab.
Using the Traffic Monitor
194 Check Point Safe@Office User Guide
The Traffic Monitor page appears.
2. In the Traffic Monitor Report drop-down list, select the network interface for
which you want to view a report.
The list includes all currently enabled networks. For example, if the DMZ
network is enabled, it will appear in the list.
If Traffic Shaper is enabled, the list also includes the defined QoS classes.
Choose All QoS Classes to display a report including all QoS classes. For
information on enabling Traffic Shaper see Using Internet Setup on page 65.
The selected report appears in the Traffic Monitor page.
3. To refresh all traffic reports, click Refresh.
4. To clear all traffic reports, click Clear.
Note: The firewall blocks broadcast packets used during the normal operation of
your network. This may lead to a certain amount of traffic of the type "Traffic
blocked by firewall" that appears under normal circumstances and usually does not
indicate an attack.
Using the Traffic Monitor
Chapter 8: Viewing Reports 195
Configuring Traffic Monitor Settings
You can configure the interval at which the Safe@Office appliance should collect
traffic data for network traffic reports.
To configure Traffic Monitor settings
1. Click Reports in the main menu, and click the Traffic Monitor tab.
The Traffic Monitor page appears.
2. Click Settings.
The Traffic Monitor Settings page appears.
3. In the Sample monitoring data every field, type the interval (in seconds) at which
the Safe@Office appliance should collect traffic data.
The default value is one sample every 1800 seconds (30 minutes).
4. Click Apply.
Viewing Computers
196 Check Point Safe@Office User Guide
Exporting General Traffic Reports
You can export a general traffic report that includes information for all enabled
networks and all defined QoS classes to a *.csv (Comma Separated Values) file.
You can open and view the file in Microsoft Excel.
To export a general traffic report
1. Click Reports in the main menu, and click the Traffic Monitor tab.
The Traffic Monitor page appears.
2. Click Export.
A standard File Download dialog box appears.
3. Click Save.
The Save As dialog box appears.
4. Browse to a destination directory of your choice.
5. Type a name for the configuration file and click Save.
A *.csv file is created and saved to the specified directory.
Viewing Computers
This option allows you to view the currently active computers on your network.
The active computers are graphically displayed, each with its name, IP address, and
settings (DHCP, Static, etc.). You can also view node limit information.
To view the active computers
1. Click Reports in the main menu, and click the Active Computers tab.
Viewing Computers
Chapter 8: Viewing Reports 197
The Active Computers page appears.
If you configured High Availability, both the master and backup appliances are
shown. If you configured OfficeMode, the OfficeMode network is shown.
If you are using Safe@Office 500W, the wireless stations are shown. For
information on viewing statistics for these computers, see Viewing Wireless
Statistics on page 200. If a wireless station has been blocked from accessing the
Internet through the Safe@Office appliance, the reason why it was blocked is
shown in red.
If you are exceeding the maximum number of computers allowed by your
license, a warning message appears, and the computers over the node limit are
marked in red. These computers are still protected, but they are blocked from
accessing the Internet through the Safe@Office appliance.
If HotSpot mode is enabled for some networks, each computer's HotSpot status
is displayed next to it. The possible statuses include:
Viewing Computers
198 Check Point Safe@Office User Guide
• Authenticated. The computer is logged on to My HotSpot.
• Not Authenticated. The computer is not logged on to My HotSpot.
• Excluded from HotSpot. The computer is in an IP address range excluded
from HotSpot enforcement. To enforce HotSpot, you must edit the
network object. See Adding and Editing Network Objects on page 132.
Note: Computers that did not communicate through the firewall are not counted for
node limit purposes, even though they are protected by the firewall.
Note: To increase the number of computers allowed by your license, you can
upgrade your product. For further information, see Upgrading Your Software
Product on page 383.
Next to each computer, an Add button enables you to add a network object for
the computer, or an Edit button enables you to edit an existing network object
for the computer. For information on adding and editing network objects, see
Adding and Editing Network Objects on page 132.
2. To refresh the display, click Refresh.
3. To view node limit information, do the following:
a. Click Node Limit.
The Node Limit window appears with installed software product and the
number of nodes used.
b. Click Close to close the window.
Viewing Connections
Chapter 8: Viewing Reports 199
Viewing Connections
This option allows you to view the currently active connections between your
network and the external world.
To view the active connections
1. Click Reports in the main menu, and click the Active Connections tab.
The Active Connections page appears.
The page displays the information in the table below.
2. To refresh the display, click Refresh.
3. To view information on the destination machine, click its IP address.
The Safe@Office appliance queries the Internet WHOIS server, and a window
displays the name of the entity to which the IP address is registered and their
contact information.
Viewing Wireless Statistics
200 Check Point Safe@Office User Guide
4. To view information about a port, click the port.
A window opens displaying information about the port.
Table 28: Active Connections Fields
This field… Displays…
Protocol The protocol used (TCP, UDP, etc.)
Source - IP Address The source IP address
Source - Port The source port
Destination - IP
Address
The destination IP address
Destination -Port The destination port
QoS Class The QoS class to which the connection belongs
Options An icon indicating further details:
• - The connection is encrypted.
• - The connection is being scanned by VStream Antivirus.
Viewing Wireless Statistics
If your WLAN is enabled, you can view wireless statistics for the WLAN or for
individual wireless stations.
To view statistics for the WLAN
1. Click Reports in the main menu, and click the Wireless tab.
Viewing Wireless Statistics
Chapter 8: Viewing Reports 201
The Wireless page appears.
The page displays the information in the table below.
2. To refresh the display, click Refresh.
Table 29: WLAN Statistics
This field… Displays…
Wireless
Mode
The operation mode used by the WLAN, followed by the transmission rate in
Mbps
MAC Address The MAC address of the Safe@Office appliance's WLAN interface
Domain The Safe@Office access point's region
Country The country configured for the WLAN
Channel The radio frequency used by the WLAN
Viewing Wireless Statistics
202 Check Point Safe@Office User Guide
This field… Displays…
Security The security mode used by the WLAN
Connected
Stations
The number of wireless stations currently connected to the WLAN
Frames OK The total number of frames that were successfully transmitted and received
Errors The total number of transmitted and received frames for which an error
occurred
Discarded/
Dropped
Frames
The total number of discarded or dropped frames transmitted and received
Unicast Frames The number of unicast frames transmitted and received
Broadcast
Frames
The number of broadcast frames transmitted and received
Multicast
Frames
The number of multicast frames transmitted and received
To view statistics for a wireless station
1. Click Reports in the main menu, and click the Active Computers tab.
The Active Computers page appears.
The following information appears next to each wireless station:
• The signal strength in dB
• A bar chart representing the signal strength
2. Mouse-over the information icon next to the wireless station.
A tooltip displays displays statistics for the wireless station, as described in the
table below.
Viewing Wireless Statistics
Chapter 8: Viewing Reports 203
3. To refresh the display, click Refresh.
Table 30: Wireless Station Statistics
This field… Displays…
Current Rate The current reception and transmission rate in Mbps
Frames OK The total number of frames that were successfully transmitted and received
Errors The total number of transmitted and received frames for which an error
occurred
Discarded/
Dropped
Frames
The total number of discarded or dropped frames transmitted and received
Unicast Frames The number of unicast frames transmitted and received
Broadcast
Frames
The number of broadcast frames transmitted and received
Multicast
Frames
The number of multicast frames transmitted and received
WLAN Mode The wireless client's operation mode, indicating the client's maximum speed.
Possible values are B, G, and 108G.
For more information, see Basic WLAN Settings Fields on page 170.
XR Indicates whether the wireless client supports Extended Range (XR) mode.
Possible values are:
• yes. The wireless client supports XR mode.
• no. The wireless client does not support XR mode.
Viewing Wireless Statistics
204 Check Point Safe@Office User Guide
This field… Displays…
Cipher The security protocol used for the connection with the wireless client.
For more information, see Wireless Security Protocols on page 165.
Default Security Policy
Chapter 9: Setting Your Security Policy 205
Chapter 9
This chapter describes how to set up your Safe@Office appliance security policy.
You can enhance your security policy by subscribing to services such as Web
Filtering and Email Filtering. For information on subscribing to services, see Using
Subscription Services on page 283.
This chapter includes the following topics:
Default Security Policy.............................................................................205
Setting the Firewall Security Level ..........................................................206
Configuring Servers..................................................................................209
Using Rules ..............................................................................................211
Using SmartDefense.................................................................................222
Using Secure HotSpot ..............................................................................258
Defining an Exposed Host........................................................................263
Default Security Policy
The Safe@Office default security policy includes the following rules:
Setting Your Security Policy
Setting the Firewall Security Level
206 Check Point Safe@Office User Guide
• Access is blocked from the WAN (Internet) to all internal networks (LAN,
DMZ, WLAN, VLANs, and OfficeMode).
• Access is allowed from the internal networks to the WAN, according to the
firewall security level (Low/Medium/High).
• Access is allowed from the LAN network to the other internal networks
(DMZ, WLAN, VLANs, and OfficeMode).
• Access is blocked from the DMZ, WLAN, VLAN, and OfficeMode
networks to the other internal networks, (including between different
VLANs).
• HTTP access to the Safe@Office Portal (my.firewall and my.vpn) is
allowed from all internal networks except the WLAN. The WLAN can
only access the Safe@Office Portal using HTTPS, unless a specific user-
defined rule allows this.
• When using the print server function (see Using Network Printers on page
427), access from internal networks to connected network printers is
allowed.
• Access from the WAN to network printers is blocked.
These rules are independent of the firewall security level.
You can easily override the default security policy, by creating user-defined
firewall rules. For further information, see Using Rules on page 211.
Setting the Firewall Security Level
The firewall security level can be controlled using a simple lever available on the
Firewall page. You can set the lever to three states.
Setting the Firewall Security Level
Chapter 9: Setting Your Security Policy 207
Table 31: Firewall Security Levels
This
level…
Does this… Further Details
Low Enforces basic control on
incoming connections,
while permitting all
outgoing connections.
All inbound traffic is blocked to the external
Safe@Office appliance IP address, except for
ICMP echoes ("pings").
All outbound connections are allowed.
Medium Enforces strict control on
all incoming connections,
while permitting safe
outgoing connections.
This is the default level
and is recommended for
most cases. Leave it
unchanged unless you
have a specific need for a
higher or lower security
level.
All inbound traffic is blocked.
All outbound traffic is allowed to the Internet
except for Windows file sharing (NBT ports 137,
138, 139 and 445).
High Enforces strict control on
all incoming and outgoing
connections.
All inbound traffic is blocked.
Restricts all outbound traffic except for the
following: Web traffic (HTTP, HTTPS), email
(IMAP, POP3, SMTP), ftp, newsgroups, Telnet,
DNS, IPSEC IKE and VPN traffic.
Note: If the security policy is remotely managed, this lever might be disabled.
Setting the Firewall Security Level
208 Check Point Safe@Office User Guide
Note: The definitions of firewall security levels provided in this table represent the
Safe@Office appliance’s default security policy. Security updates downloaded from
a Service Center may alter this policy and change these definitions.
To change the firewall security level
1. Click Security in the main menu, and click the Firewall tab.
The Firewall page appears.
2. Drag the security lever to the desired level.
The Safe@Office appliance security level changes accordingly.
Configuring Servers
Chapter 9: Setting Your Security Policy 209
Configuring Servers
Note: If you do not intend to host any public Internet servers (Web Server, Mail
Server etc.) in your network, you can skip this section.
Using the Safe@Office Portal, you can selectively allow incoming network
connections into your network. For example, you can set up your own Web server,
Mail server or FTP server.
Note: Configuring servers allows you to create simple Allow and Forward rules for
common services, and it is equivalent to creating Allow and Forward rules in the
Rules page. For information on creating rules, see Using Rules on page 211.
To allow a service to be run on a specific host
1. Click Security in the main menu, and click the Servers tab.
The Servers page appears, displaying a list of services and a host IP address for
each allowed service.
Configuring Servers
210 Check Point Safe@Office User Guide
2. Complete the fields using the information in the table below.
3. Click Apply.
A success message appears, and the selected computer is allowed to run the
desired service or application.
Table 32: Servers Page Fields
In this
column…
Do this…
Allow Select the desired service or application.
VPN Only Select this option to allow only connections made through a VPN.
Host IP Type the IP address of the computer that will run the service (one of your
network computers) or click the corresponding This Computer button to
allow your computer to host the service.
To stop the forwarding of a service to a specific host
1. Click Security in the main menu, and click the Servers tab.
The Servers page appears, displaying a list of services and a host IP address for
each allowed service.
2. In the desired service or application’s row, click Clear.
The Host IP field of the desired service is cleared.
3. Click Apply.
The service or application is not allowed on the specific host.
Using Rules
Chapter 9: Setting Your Security Policy 211
Using Rules
The Safe@Office appliance checks the protocol used, the ports range, and the
destination IP address, when deciding whether to allow or block traffic.
User-defined rules have priority over the default security policy rules and provide
you with greater flexibility in defining and customizing your security policy.
For example, if you assign your company’s accounting department to the LAN
network and the rest of the company to the DMZ network, then as a result of the
default security policy rules, the accounting department will be able to connect to
all company computers, while the rest of the employees will not be able to access
any sensitive information on the accounting department computers. You can
override the default security policy rules, by creating firewall rules that allow
specific DMZ computers (such a manager’s computer) to connect to the LAN
network and the accounting department.
The Safe@Office appliance processes user-defined rules in the order they appear in
the Rules table, so that rule 1 is applied before rule 2, and so on. This enables you
to define exceptions to rules, by placing the exceptions higher up in the Rules table.
Using Rules
212 Check Point Safe@Office User Guide
For example, if you want to block all outgoing FTP traffic, except traffic from a
specific IP address, you can create a rule blocking all outgoing FTP traffic and
move the rule down in the Rules table. Then create a rule allowing FTP traffic from
the desired IP address and move this rule to a higher location in the Rules table
than the first rule. In the figure below, the general rule is rule number 2, and the
exception is rule number 1.
The Safe@Office appliance will process rule 1 first, allowing outgoing FTP traffic
from the specified IP address, and only then it will process rule 2, blocking all
outgoing FTP traffic.
The following rule types exist:
Using Rules
Chapter 9: Setting Your Security Policy 213
Table 33: Firewall Rule Types
Rule Description
Allow and
Forward
This rule type enables you to do the following:
• Permit incoming access from the Internet to a specific service in
your internal network.
• Forward all such connections to a specific computer in your
network.
• Redirect the specified connections to a specific port. This option is
called Port Address Translation (PAT).
• Assign traffic to a QoS class.
If Traffic Shaper is enabled for incoming traffic, then Traffic Shaper
will handle relevant connections as specified in the bandwidth policy
for the selected QoS class. For example, if Traffic Shaper is enabled
for incoming traffic, and you create an Allow and Forward rule
associating all incoming Web traffic with the Urgent QoS class, then
Traffic Shaper will handle incoming Web traffic as specified in the
bandwidth policy for the Urgent class.
For information on Traffic Shaper and QoS classes, see Using
Traffic Shaper on page 153.
Creating an Allow and Forward rule is equivalent to defining a server in the
Servers page.
Note: You must use this type of rule to allow incoming connections if your
network uses Hide NAT.
Note: You cannot specify two Allow and Forward rules that forward the same
service to two different destinations.
Using Rules
214 Check Point Safe@Office User Guide
Rule Description
Allow This rule type enables you to do the following:
• Permit outgoing access from your internal network to a specific
service on the Internet.
Note: You can allow outgoing connections for services that are not
permitted by the default security policy.
• Permit incoming access from the Internet to a specific service in
your internal network.
• Assign traffic to a QoS class.
If Traffic Shaper is enabled for the direction of traffic specified in the
rule (incoming or outgoing), then Traffic Shaper will handle relevant
connections as specified in the bandwidth policy for the selected
QoS class. For example, if Traffic Shaper is enabled for outgoing
traffic, and you create an Allow rule associating all outgoing Web
traffic with the Urgent QoS class, then Traffic Shaper will handle
outgoing Web traffic as specified in the bandwidth policy for the
Urgent class.
For information on Traffic Shaper and QoS classes, see Using
Traffic Shaper on page 153.
Note: You cannot use an Allow rule to permit incoming traffic, if the network or
VPN uses Hide NAT. However, you can use Allow rules for static NAT IP
addresses.
Block This rule type enables you to do the following:
• Block outgoing access from your internal network to a specific
service on the Internet.
• Block incoming access from the Internet to a specific service in your
internal network.
Using Rules
Chapter 9: Setting Your Security Policy 215
Adding and Editing Rules
To add or edit a rule
1. Click Security in the main menu, and click the Rules tab.
The Rules page appears.
2. Do one of the following:
• To add a new rule, click Add Rule.
• To edit an existing rule, click the Edit icon next to the desired rule.
Using Rules
216 Check Point Safe@Office User Guide
The Safe@Office Firewall Rule wizard opens, with the Step 1: Rule Type dialog
box displayed.
3. Select the type of rule you want to create.
4. Click Next.
The Step 2: Service dialog box appears.
The example below shows an Allow rule.
5. Complete the fields using the relevant information in the table below.
Using Rules
Chapter 9: Setting Your Security Policy 217
6. Click Next.
The Step 3: Destination & Source dialog box appears.
7. Complete the fields using the relevant information in the table below.
The Step 4: Done dialog box appears.
8. Click Finish.
The new rule appears in the Firewall Rules page.
Using Rules
218 Check Point Safe@Office User Guide
Table 34: Firewall Rule Fields
In this field… Do this…
Any Service Click this option to specify that the rule should apply to any service.
Standard
Service
Click this option to specify that the rule should apply to a specific standard
service.
You must then select the desired service from the drop-down list.
Custom Service Click this option to specify that the rule should apply to a specific non-
standard service.
The Protocol and Port Range fields are enabled. You must fill them in.
Protocol Select the protocol (ESP, GRE, TCP, UDP or ANY) for which the rule
should apply.
Ports To specify the port range to which the rule applies, type the start port
number in the left text box, and the end port number in the right text box.
Note: If you do not enter a port range, the rule will apply to all ports. If you
enter only one port number, the range will include only that port.
Source Select the source of the connections you want to allow/block.
To specify an IP address, select Specified IP and type the desired IP address
in the filed provided.
To specify an IP address range, select Specified Range and type the desired
IP address range in the fields provided.
Using Rules
Chapter 9: Setting Your Security Policy 219
In this field… Do this…
Destination Select the destination of the connections you want to allow or block.
To specify an IP address, select Specified IP and type the desired IP address
in the text box.
To specify an IP address range, select Specified Range and type the desired
IP address range in the fields provided. This option is not available in Allow
and Forward rules.
To specify the Safe@Office IP address, select This Gateway. This option is
not available in Allow and Forward rules.
To specify any destination except the Safe@Office Portal and network
printers, select ANY.
Quality of
Service class
Select the QoS class to which you want to assign the specified connections.
If Traffic Shaper is enabled, Traffic Shaper will handle these connections as
specified in the bandwidth policy for the selected QoS class. If Traffic Shaper
is not enabled, this setting is ignored. For information on Traffic Shaper and
QoS classes, see Using Traffic Shaper on page 153.
This drop-down list only appears when defining an Allow rule or an Allow and
Forward rule.
Log accepted
connections /
Log blocked
connections
Select this option to log the specified blocked or allowed connections.
By default, accepted connections are not logged, and blocked connections
are logged. You can modify this behavior by changing the check box's state.
Using Rules
220 Check Point Safe@Office User Guide
In this field… Do this…
Redirect to port Select this option to redirect the connections to a specific port.
You must then type the desired port in the field provided.
This option is called Port Address Translation (PAT), and is only available
when defining an Allow and Forward rule.
Enabling/Disabling Rules
You can temporarily disable a user-defined rule.
To enable/disable a rule
1. Click Security in the main menu, and click the Rules tab.
The Rules page appears.
2. Next to the desired rule, do one of the following:
• To enable the rule, click .
The button changes to and the rule is enabled.
• To disable the rule, click .
The button changes to and the rule is disabled.
Using Rules
Chapter 9: Setting Your Security Policy 221
Changing Rules' Priority
To change a rule's priority
1. Click Security in the main menu, and click the Rules tab.
The Rules page appears.
2. Do one of the following:
• Click next to the desired rule, to move the rule up in the table.
• Click next to the desired rule, to move the rule down in the table.
The rule's priority changes accordingly.
Deleting Rules
To delete an existing rule
1. Click Security in the main menu, and click the Rules tab.
The Rules page appears.
2. Click the Erase icon of the rule you wish to delete.
A confirmation message appears.
3. Click OK.
The rule is deleted.
Using SmartDefense
222 Check Point Safe@Office User Guide
Using SmartDefense
The Safe@Office appliance includes Check Point SmartDefense Services, based on
Check Point Application Intelligence. SmartDefense provides a combination of
attack safeguards and attack-blocking tools that protect your network in the
following ways:
• Validating compliance to standards
• Validating expected usage of protocols (Protocol Anomaly Detection)
• Limiting application ability to carry malicious data
• Controlling application-layer operations
In addition, SmartDefense aids proper usage of Internet resources, such as FTP,
instant messaging, Peer-to-Peer (P2P) file sharing, file-sharing operations, and File
Transfer Protocol (FTP) uploading, among others.
Using SmartDefense
Chapter 9: Setting Your Security Policy 223
Configuring SmartDefense
For convenience, SmartDefense is organized as a tree, in which each branch
represents a category of settings.
When a category is expanded, the settings it contains appear as nodes. For
information on each category and the nodes it contains, see SmartDefense
Categories on page 226.
Each node represents an attack type, a sanity check, or a protocol or service that is
vulnerable to attacks. To control how SmartDefense handles an attack, you must
configure the relevant node's settings.
Using SmartDefense
224 Check Point Safe@Office User Guide
To configure a SmartDefense node
1. Click Security in the main menu, and click the SmartDefense tab.
The SmartDefense page appears.
The left pane displays a tree containing SmartDefense categories.
• To expand a category, click the icon next to it.
• To collapse a category, click the icon next to it.
2. Expand the relevant category, and click on the desired node.
Using SmartDefense
Chapter 9: Setting Your Security Policy 225
The right pane displays a description of the node, followed by fields.
3. To modify the node's current settings, do the following:
a) Complete the fields using the relevant information in SmartDefense
Categories on page 226.
b) Click Apply.
4. To reset the node to its default values:
a) Click Default.
A confirmation message appears.
b) Click OK.
The fields are reset to their default values, and your changes are saved.
Using SmartDefense
226 Check Point Safe@Office User Guide
SmartDefense Categories
SmartDefense includes the following categories:
• Denial of Service on page 226
• IP and ICMP on page 231
• TCP on page 241
• Port Scan on page 244
• FTP on page 247
• Microsoft Networks on page 251
• IGMP on page 253
• Peer to Peer on page 254
• Instant Messengers on page 256
Denial of Service
Denial of Service (DoS) attacks are aimed at overwhelming the target with
spurious data, to the point where it is no longer able to respond to legitimate
service requests.
This category includes the following attacks:
• Teardrop on page 226
• Ping of Death on page 227
• LAND on page 228
• Non-TCP Flooding on page 229
Teardrop
In a Teardrop attack, the attacker sends two IP fragments, the latter entirely
contained within the former. This causes some computers to allocate too much
memory and crash.
Using SmartDefense
Chapter 9: Setting Your Security Policy 227
You can configure how Teardrop attacks should be handled.
Table 35: Teardrop Fields
In this field… Do this…
Action Specify what action to take when a Teardrop attack occurs, by selecting one
of the following:
• Block. Block the attack. This is the default.
• None. No action.
Track Specify whether to log Teardrop attacks, by selecting one of the following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
Ping of Death
In a Ping of Death attack, the attacker sends a fragmented PING request that
exceeds the maximum IP packet size (64KB). Some operating systems are unable
to handle such requests and crash.
Using SmartDefense
228 Check Point Safe@Office User Guide
You can configure how Ping of Death attacks should be handled.
Table 36: Ping of Death Fields
In this field… Do this…
Action Specify what action to take when a Ping of Death attack occurs, by selecting
one of the following:
• Block. Block the attack. This is the default.
• None. No action.
Track Specify whether to log Ping of Death attacks, by selecting one of the
following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
LAND
In a LAND attack, the attacker sends a SYN packet, in which the source address
and port are the same as the destination (the victim computer). The victim
computer then tries to reply to itself and either reboots or crashes.
Using SmartDefense
Chapter 9: Setting Your Security Policy 229
You can configure how LAND attacks should be handled.
Table 37: LAND Fields
In this field… Do this…
Action Specify what action to take when a LAND attack occurs, by selecting one of
the following:
• Block. Block the attack. This is the default.
• None. No action.
Track Specify whether to log LAND attacks, by selecting one of the following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
Non-TCP Flooding
Advanced firewalls maintain state information about connections in a State table.
In non-TCP Flooding attacks, the attacker sends high volumes of non-TCP traffic.
Since such traffic is connectionless, the related state information cannot be cleared
or reset, and the firewall State table is quickly filled up. This prevents the firewall
from accepting new connections and results in a Denial of Service (DoS).
Using SmartDefense
230 Check Point Safe@Office User Guide
You can protect against Non-TCP Flooding attacks by limiting the percentage of
state table capacity used for non-TCP connections.
Table 38: Non-TCP Flooding Fields
In this field… Do this…
Action Specify what action to take when the percentage of state table capacity used
for non-TCP connections reaches the Max. percent non TCP traffic threshold.
Select one of the following:
• Block. Block any additional non-TCP connections.
• None. No action. This is the default.
Track Specify whether to log non-TCP connections that exceed the Max. Percent
Non-TCP Traffic threshold, by selecting one of the following:
• Log. Log the connections.
• None. Do not log the connections. This is the default.
Max. Percent
Non-TCP Traffic
Type the maximum percentage of state table capacity allowed for non-TCP
connections.
The default value is 0%.
Using SmartDefense
Chapter 9: Setting Your Security Policy 231
IP and ICMP
This category allows you to enable various IP and ICMP protocol tests, and to
configure various protections against IP and ICMP-related attacks. It includes the
following:
• Packet Sanity on page 231
• Max Ping Size on page 233
• IP Fragments on page 234
• Network Quota on page 236
• Welchia on page 237
• Cisco IOS DOS on page 238
• Null Payload on page 240
Packet Sanity
Packet Sanity performs several Layer 3 and Layer 4 sanity checks. These include
verifying packet size, UDP and TCP header lengths, dropping IP options, and
verifying the TCP flags.
You can configure whether logs should be issued for offending packets.
Using SmartDefense
232 Check Point Safe@Office User Guide
Table 39: Packet Sanity Fields
In this field… Do this…
Action Specify what action to take when a packet fails a sanity test, by selecting
one of the following:
• Block. Block the packet. This is the default.
• None. No action.
Track Specify whether to issue logs for packets that fail the packet sanity tests, by
selecting one of the following:
• Log. Issue logs. This is the default.
• None. Do not issue logs.
Disable relaxed
UDP length
verification
The UDP length verification sanity check measures the UDP header length
and compares it to the UDP header length specified in the UDP header. If
the two values differ, the packet may be corrupted.
However, since different applications may measure UDP header length
differently, the Safe@Office appliance relaxes the UDP length verification
sanity check by default, performing the check but not dropping offending
packets. This is called relaxed UDP length verification.
Specify whether the Safe@Office appliance should relax the UDP length
verification sanity check or not, by selecting one of the following:
• True. Disable relaxed UDP length verification. The Safe@Office
appliance will drop packets that fail the UDP length verification
check.
• False. Do not disable relaxed UDP length verification. The
Safe@Office appliance will not drop packets that fail the UDP
length verification check. This is the default.
Using SmartDefense
Chapter 9: Setting Your Security Policy 233
Max Ping Size
PING (ICMP echo request) is a program that uses ICMP protocol to check whether
a remote machine is up. A request is sent by the client, and the server responds
with a reply echoing the client's data.
An attacker can echo the client with a large amount of data, causing a buffer
overflow. You can protect against such attacks by limiting the allowed size for
ICMP echo requests.
Table 40: Max Ping Size Fields
In this field… Do this…
Action Specify what action to take when an ICMP echo response exceeds the Max
Ping Size threshold, by selecting one of the following:
• Block. Block the request. This is the default.
• None. No action.
Track Specify whether to log ICMP echo responses that exceed the Max Ping Size
threshold, by selecting one of the following:
• Log. Log the responses. This is the default.
• None. Do not log the responses.
Using SmartDefense
234 Check Point Safe@Office User Guide
In this field… Do this…
Max Ping Size Specify the maximum data size for ICMP echo response.
The default value is 1500.
IP Fragments
When an IP packet is too big to be transported by a network link, it is split into
several smaller IP packets and transmitted in fragments. To conceal a known attack
or exploit, an attacker might imitate this common behavior and break the data
section of a single packet into several fragmented packets. Without reassembling
the fragments, it is not always possible to detect such an attack. Therefore, the
Safe@Office appliance always reassembles all the fragments of a given IP packet,
before inspecting it to make sure there are no attacks or exploits in the packet.
You can configure how fragmented packets should be handled.
Using SmartDefense
Chapter 9: Setting Your Security Policy 235
Table 41: IP Fragments Fields
In this field… Do this…
Forbid IP Fragments Specify whether all fragmented packets should be dropped, by selecting
one of the following:
• True. Drop all fragmented packets.
• False. No action. This is the default.
Under normal circumstances, it is recommended to leave this field set to
False. Setting this field to True may disrupt Internet connectivity, because
it does not allow any fragmented packets.
Max Number of
Incomplete Packets
Type the maximum number of fragmented packets allowed. Packets
exceeding this threshold will be dropped.
The default value is 300.
Timeout for
Discarding
Incomplete Packets
When the Safe@Office appliance receives packet fragments, it waits for
additional fragments to arrive, so that it can reassemble the packet.
Type the number of seconds to wait before discarding incomplete
packets.
The default value is 10.
Track Specify whether to log fragmented packets, by selecting one of the
following:
• Log. Log all fragmented packets.
• None. Do not log the fragmented packets. This is the default.
Using SmartDefense
236 Check Point Safe@Office User Guide
Network Quota
An attacker may try to overload a server in your network by establishing a very
large number of connections per second. To protect against Denial Of Service
(DoS) attacks, Network Quota enforces a limit upon the number of connections per
second that are allowed from the same source IP address.
You can configure how connection that exceed that limit should be handled.
Table 42: Network Quota Fields
In this field… Do this…
Action Specify what action to take when the number of network connections
from the same source reaches the Max. Connections/Second per Source IP
threshold. Select one of the following:
• Block. Block all new connections from the source. Existing
connections will not be blocked. This is the default.
• None. No action.
Track Specify whether to log connections from a specific source that exceed
the Max. Connections/Second per Source IP threshold, by selecting one of
the following:
• Log. Log the connections. This is the default.
• None. Do not log the connections.
Using SmartDefense
Chapter 9: Setting Your Security Policy 237
In this field… Do this…
Max.
Connections/Second
from Same Source IP
Type the maximum number of network connections allowed per second
from the same source IP address.
The default value is 100.
Set a lower threshold for stronger protection against DoS attacks.
Note: Setting this value too low can lead to false alarms.
Welchia
The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability.
After infecting a computer, the worm begins searching for other live computers to
infect. It does so by sending a specific ping packet to a target and waiting for the
reply that signals that the target is alive. This flood of pings may disrupt network
connectivity.
You can configure how the Welchia worm should be handled.
Using SmartDefense
238 Check Point Safe@Office User Guide
Table 43: Welchia Fields
In this field… Do this…
Action Specify what action to take when the Welchia worm is detected, by selecting
one of the following:
• Block. Block the attack. This is the default.
• None. No action.
Track Specify whether to log Welchia worm attacks, by selecting one of the
following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
Cisco IOS DOS
Cisco routers are configured to process and accept Internet Protocol version 4
(IPv4) packets by default. When a Cisco IOS device is sent a specially crafted
sequence of IPv4 packets (with protocol type 53 - SWIPE, 55 - IP Mobility, 77 -
Sun ND, or 103 - Protocol Independent Multicast - PIM), the router will stop
processing inbound traffic on that interface.
Using SmartDefense
Chapter 9: Setting Your Security Policy 239
You can configure how Cisco IOS DOS attacks should be handled.
Table 44: Cisco IOS DOS
In this field… Do this…
Action Specify what action to take when a Cisco IOS DOS attack occurs,
by selecting one of the following:
• Block. Block the attack. This is the default.
• None. No action.
Track Specify whether to log Cisco IOS DOS attacks, by selecting one of
the following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
Number of Hops to Protect Type the number of hops from the enforcement module that Cisco
routers should be protected.
The default value is 10.
Using SmartDefense
240 Check Point Safe@Office User Guide
In this field… Do this…
Action Protection for
SWIPE - Protocol 53 /
IP Mobility - Protocol 55 /
SUN-ND - Protocol 77 /
PIM - Protocol 103
Specify what action to take when an IPv4 packet of the specific
protocol type is received, by selecting one of the following:
• Block. Drop the packet. This is the default.
• None. No action.
Null Payload
Some worms, such as Sasser, use ICMP echo request packets with null payload to
detect potentially vulnerable hosts.
You can configure how null payload ping packets should be handled.
Table 45: Null Payload Fields
In this field… Do this…
Action Specify what action to take when null payload ping packets are detected, by
selecting one of the following:
• Block. Block the packets. This is the default.
• None. No action.
Using SmartDefense
Chapter 9: Setting Your Security Policy 241
In this field… Do this…
Track Specify whether to log null payload ping packets, by selecting one of the
following:
• Log. Log the packets. This is the default.
• None. Do not log the packets.
TCP
This category allows you to configure various protections related to the TCP
protocol. It includes the following:
• Strict TCP on page 241
• Small PMTU on page 243
Strict TCP
Out-of-state TCP packets are SYN-ACK or data packets that arrive out of order,
before the TCP SYN packet.
Note: In normal conditions, out-of-state TCP packets can occur after the
Safe@Office restarts, since connections which were established prior to the reboot
are unknown. This is normal and does not indicate an attack.
Using SmartDefense
242 Check Point Safe@Office User Guide
You can configure how out-of-state TCP packets should be handled.
Table 46: Strict TCP
In this field… Do this…
Action Specify what action to take when an out-of-state TCP packet arrives, by
selecting one of the following:
• Block. Block the packets.
• None. No action. This is the default.
Track Specify whether to log null payload ping packets, by selecting one of the
following:
• Log. Log the packets. This is the default.
• None. Do not log the packets.
Using SmartDefense
Chapter 9: Setting Your Security Policy 243
Small PMTU
Small PMTU (Packet MTU) is a bandwidth attack in which the client fools the
server into sending large amounts of data using small packets. Each packet has a
large overhead that creates a "bottleneck" on the server.
You can protect against this attack by specifying a minimum packet size for data
sent over the Internet.
Table 47: Small PMTU Fields
In this field… Do this…
Action Specify what action to take when a packet is smaller than the Minimal MTU
Size threshold, by selecting one of the following:
• Block. Block the packet.
• None. No action. This is the default.
Track Specify whether to issue logs for packets are smaller than the Minimal MTU
Size threshold, by selecting one of the following:
• Log. Issue logs. This is the default.
• None. Do not issue logs.
Using SmartDefense
244 Check Point Safe@Office User Guide
In this field… Do this…
Minimal MTU
Size
Type the minimum value allowed for the MTU field in IP packets sent by a
client.
An overly small value will not prevent an attack, while an overly large value
might degrade performance and cause legitimate requests to be dropped.
The default value is 300.
Port Scan
An attacker can perform a port scan to determine whether ports are open and
vulnerable to an attack. This is most commonly done by attempting to access a port
and waiting for a response. The response indicates whether or not the port is open.
This category includes the following types of port scans:
• Host Port Scan. The attacker scans a specific host's ports to determine
which of the ports are open.
• Sweep Scan. The attacker scans various hosts to determine where a specific
port is open.
You can configure how the Safe@Office appliance should react when a port scan is
detected.
Using SmartDefense
Chapter 9: Setting Your Security Policy 245
Table 48: Port Scan Fields
In this field… Do this…
Number of ports
accessed
SmartDefense detects ports scans by measuring the number of ports
accessed over a period of time. The number of ports accessed must exceed
the Number of ports accessed value, within the number of seconds specified by
the In a period of [seconds] value, in order for SmartDefense to consider the
activity a scan.
Type the minimum number of ports that must be accessed within the In a
period of [seconds] period, in order for SmartDefense to detect the activity as
a port scan.
For example, if this value is 30, and 40 ports are accessed within a specified
period of time, SmartDefense will detect the activity as a port scan.
For Host Port Scan, the default value is 30. For Sweep Scan, the default
value is 50.
Using SmartDefense
246 Check Point Safe@Office User Guide
In this field… Do this…
In a period of
[seconds]
SmartDefense detects ports scans by measuring the number of ports
accessed over a period of time. The number of ports accessed must exceed
the Number of ports accessed value, within the number of seconds specified by
the In a period of [seconds] value, in order for SmartDefense to consider the
activity a scan.
Type the maximum number of seconds that can elapse, during which the
Number of ports accessed threshold is exceeded, in order for SmartDefense to
detect the activity as a port scan.
For example, if this value is 20, and the Number of ports accessed threshold is
exceeded for 15 seconds, SmartDefense will detect the activity as a port
scan. If the threshold is exceeded for 30 seconds, SmartDefense will not
detect the activity as a port scan.
The default value is 20 seconds.
Track Specify whether to issue logs for scans, by selecting one of the following:
• Log. Issue logs. This is the default.
• None. Do not issue logs. This is the default.
Detect scans
from Internet only
Specify whether to detect only scans originating from the Internet, by
selecting one of the following:
• False. Do not detect only scans from the Internet. This is the
default.
• True. Detect only scans from the Internet.
Using SmartDefense
Chapter 9: Setting Your Security Policy 247
FTP
This category allows you to configure various protections related to the FTP
protocol. It includes the following:
• FTP Bounce on page 247
• Block Known Ports on page 248
• Block Port Overflow on page 249
• Blocked FTP Commands on page 250
FTP Bounce
When connecting to an FTP server, the client sends a PORT command specifying
the IP address and port to which the FTP server should connect and send data. An
FTP Bounce attack is when an attacker sends a PORT command specifying the IP
address of a third party instead of the attacker's own IP address. The FTP server
then sends data to the victim machine.
You can configure how FTP bounce attacks should be handled.
Using SmartDefense
248 Check Point Safe@Office User Guide
Table 49: FTP Bounce Fields
In this field… Do this…
Action Specify what action to take when an FTP Bounce attack occurs, by selecting
one of the following:
• Block. Block the attack. This is the default.
• None. No action.
Track Specify whether to log FTP Bounce attacks, by selecting one of the
following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
Block Known Ports
You can choose to block the FTP server from connecting to well-known ports.
Note: Known ports are published ports associated with services (for example, SMTP
is port 25).
This provides a second layer of protection against FTP bounce attacks, by
preventing such attacks from reaching well-known ports.
Using SmartDefense
Chapter 9: Setting Your Security Policy 249
Table 50: Block Known Ports Fields
In this field… Do this…
Action Specify what action to take when the FTP server attempts to connect to a
well-known port, by selecting one of the following:
• Block. Block the connection.
• None. No action. This is the default.
Block Port Overflow
FTP clients send PORT commands when connecting to the FTP sever. A PORT
command consists of a series of numbers between 0 and 255, separated by
commas.
To enforce compliance to the FTP standard and prevent potential attacks against
the FTP server, you can block PORT commands that contain a number greater than
255.
Using SmartDefense
250 Check Point Safe@Office User Guide
Table 51: Block Port Overflow
In this field… Do this…
Action Specify what action to take for PORT commands containing a number
greater than 255, by selecting one of the following:
• Block. Block the PORT command. This is the default.
• None. No action.
Blocked FTP Commands
Some seldom-used FTP commands may compromise FTP server security and
integrity. You can specify which FTP commands should be allowed to pass through
the security server, and which should be blocked.
To enable FTP command blocking
• In the Action drop-down list, select Block.
The FTP commands listed in the Blocked commands box will be blocked.
FTP command blocking is enabled by default.
Using SmartDefense
Chapter 9: Setting Your Security Policy 251
To disable FTP command blocking
• In the Action drop-down list, select None.
All FTP commands are allowed, including those in the Blocked commands box.
To block a specific FTP command
1. In the Allowed commands box, select the desired FTP command.
2. Click Block.
The FTP command appears in the Blocked commands box.
3. Click Apply.
When FTP command blocking is enabled, the FTP command will be blocked.
To allow a specific FTP command
1. In the Blocked commands box, select the desired FTP command.
2. Click Accept.
The FTP command appears in the Allowed commands box.
3. Click Apply.
The FTP command will be allowed, regardless of whether FTP command
blocking is enabled or disabled.
Microsoft Networks
This category includes File and Print Sharing.
Microsoft operating systems and Samba clients rely on Common Internet File
System (CIFS), a protocol for sharing files and printers. However, this protocol is
also widely used by worms as a means of propagation.
Using SmartDefense
252 Check Point Safe@Office User Guide
You can configure how CIFS worms should be handled.
Table 52: File Print and Sharing Fields
In this field… Do this…
Action Specify what action to take when a CIFS worm attack is detected, by
selecting one of the following:
• Block. Block the attack.
• None. No action. This is the default.
Track Specify whether to log CIFS worm attacks, by selecting one of the
following:
• Log. Log the attack.
• None. Do not log the attack. This is the default.
CIFS worm patterns
list
Select the worm patterns to detect.
Patterns are matched against file names (including file
paths but excluding the disk share name) that the client is
trying to read or write from the server.
Using SmartDefense
Chapter 9: Setting Your Security Policy 253
IGMP
This category includes the IGMP protocol.
IGMP is used by hosts and routers to dynamically register and discover multicast
group membership. Attacks on the IGMP protocol usually target a vulnerability in
the multicast routing software/hardware used, by sending specially crafted IGMP
packets.
You can configure how IGMP attacks should be handled.
Table 53: IGMP Fields
In this field… Do this…
Action Specify what action to take when an IGMP attack occurs, by selecting
one of the following:
• Block. Block the attack. This is the default.
• None. No action.
Track Specify whether to log IGMP attacks, by selecting one of the following:
• Log. Log the attack. This is the default.
• None. Do not log the attack.
Using SmartDefense
254 Check Point Safe@Office User Guide
In this field… Do this…
Enforce IGMP to
multicast addresses
According to the IGMP specification, IGMP packets must be sent to
multicast addresses. Sending IGMP packets to a unicast or broadcast
address might constitute and attack; therefore the Safe@Office appliance
blocks such packets.
Specify whether to allow or block IGMP packets that are sent to non-
multicast addresses, by selecting one of the following:
• Block. Block IGMP packets that are sent to non-multicast
addresses. This is the default.
• None. No action.
Peer to Peer
SmartDefense can block peer-to-peer traffic, by identifying the proprietary
protocols and preventing the initial connection to the peer-to-peer networks. This
prevents not only downloads, but also search operations.
This category includes the following nodes:
• KaZaA
• Gnutella
• eMule
• BitTorrent
Note: SmartDefense can detect peer-to-peer traffic regardless of the TCP port being
used to initiate the session.
Using SmartDefense
Chapter 9: Setting Your Security Policy 255
In each node, you can configure how peer-to-peer connections of the selected type
should be handled, using the table below.
Table 54: Peer to Peer Fields
In this field… Do this…
Action Specify what action to take when a connection is attempted, by selecting
one of the following:
• Block. Block the connection.
• None. No action. This is the default.
Track Specify whether to log peer-to-peer connections, by selecting one of the
following:
• Log. Log the connection.
• None. Do not log the connection. This is the default.
Block proprietary
protocols on all ports
Specify whether proprietary protocols should be blocked on all ports, by
selecting one of the following:
• Block. Block the proprietary protocol on all ports. This in effect
prevents all communication using this peer-to-peer
application. This is the default.
• None. Do not block the proprietary protocol on all ports.
Using SmartDefense
256 Check Point Safe@Office User Guide
Instant Messengers
SmartDefense can block instant messaging applications that use VoIP protocols, by
identifying the messaging application's fingerprints and HTTP headers.
This category includes the following nodes:
• Skype
• Yahoo
• ICQ
Note: SmartDefense can detect instant messaging traffic regardless of the TCP port
being used to initiate the session.
In each node, you can configure how instant messaging connections of the selected
type should be handled, using the table below.
Using SmartDefense
Chapter 9: Setting Your Security Policy 257
Table 55: Instant Messengers Fields
In this field… Do this…
Action Specify what action to take when a connection is attempted, by selecting
one of the following:
• Block. Block the connection.
• None. No action. This is the default.
Track Specify whether to log instant messenger connections, by selecting one
of the following:
• Log. Log the connection.
• None. Do not log the connection. This is the default.
Block proprietary
protocols on all ports
Specify whether proprietary protocols should be blocked on all ports, by
selecting one of the following:
• Block. Block the proprietary protocol on all ports. This in effect
prevents all communication using this instant messenger
application. This is the default.
• None. Do not block the proprietary protocol on all ports.
Using Secure HotSpot
258 Check Point Safe@Office User Guide
Using Secure HotSpot
You can enable your Safe@Office appliance as a public Internet access hotspot for
specific networks. When users on those networks attempt to access the Internet,
they are automatically re-directed to the My HotSpot page http://my.hotspot. On
this page, they must read and accept the My HotSpot terms of use, and if My
HotSpot is configured to be password-protected, they must log on using their
Safe@Office username and password. The users may then access the Internet.
Users can also log out in the My HotSpot page.
Note: HotSpot users are automatically logged out after one hour of inactivity.
Safe@Office Secure HotSpot is useful in any wired or wireless environment where
Web-based user authentication or terms-of-use approval is required prior to gaining
access to the network. For example, Secure HotSpot can be used in public
computer labs, educational institutions, libraries, Internet cafés, and so on.
The Safe@Office appliance allows you to add guest users quickly and easily. By
default, guest users are given a username and password that expire in 24 hours and
granted HotSpot Access permissions only. For information on adding quick guest
users, see Adding Quick Guest Users on page 369.
Using Secure HotSpot
Chapter 9: Setting Your Security Policy 259
You can choose to exclude specific network objects from HotSpot enforcement.
For information, see Using Network Objects on page 131.
Important: SecuRemote VPN software users who are authenticated by the Internal
VPN Server are automatically exempt from HotSpot enforcement. This allows, for
example, authenticated employees to gain full access to the corporate LAN, while
guest users are permitted to access the Internet only.
Note: HotSpot enforcement can block traffic passing through the firewall; however, it
does not block local traffic on the same network segment (traffic that does not pass
through the firewall).
Setting Up Secure HotSpot
To set up Secure HotSpot
1. Enable Secure HotSpot for the desired networks.
See Enabling/Disabling Secure HotSpot on page 260.
2. Customize Secure HotSpot as desired.
See Customizing Secure HotSpot on page 261.
3. Grant HotSpot Access permissions to users on the selected networks.
See Adding and Editing Users on page 365.
4. To exclude specific computers from HotSpot enforcement, by adding or editing
their network objects.
See Adding and Editing Network Objects on page 132.
You must select Exclude this computer/network from HotSpot enforcement
option.
5. Add quick guest users as needed.
See Adding Quick Guest Users on page 369.
Using Secure HotSpot
260 Check Point Safe@Office User Guide
Enabling/Disabling Secure HotSpot
To enable/disable Secure HotSpot
1. Click Security in the main menu, and click the My HotSpot tab.
The My HotSpot page appears.
2. In the HotSpot Networks area, do one of the following:
• To enable Secure HotSpot for a specific network, select the check box
next to the network.
• To disable Secure HotSpot for a specific network, clear the check box
next to the network.
3. Click Apply.
Using Secure HotSpot
Chapter 9: Setting Your Security Policy 261
Customizing Secure HotSpot
To customize Secure HotSpot
1. Click Security in the main menu, and click the My HotSpot tab.
The My HotSpot page appears.
2. Complete the fields using the information in the table below.
Additional fields may appear.
3. To preview the My HotSpot page, click Preview.
A browser window opens displaying the My HotSpot page.
Using Secure HotSpot
262 Check Point Safe@Office User Guide
4. Click Apply.
Your changes are saved.
Table 56: My HotSpot Fields
In this field… Do this…
My HotSpot
Title
Type the title that should appear on the My HotSpot page.
The default title is "Welcome to My HotSpot".
My HotSpot
Terms
Type the terms to which the user must agree before accessing the Internet.
You can use HTML tags as needed.
My HotSpot is
password
protected
Select this option to require users to enter their username and password
before accessing the Internet.
If this option is not selected, users will be required only to accept the terms of
use before accessing the network.
The Allow a user to login from more than one computer at the same time check box
appears.
Allow a user to
login from more
than one
computer at the
same time
Select this option to allow a single user to log on to My HotSpot from multiple
computers at the same time.
Defining an Exposed Host
Chapter 9: Setting Your Security Policy 263
Defining an Exposed Host
The Safe@Office appliance allows you to define an exposed host, which is a
computer that is not protected by the firewall. This is useful for setting up a public
server. It allows unlimited incoming and outgoing connections between the Internet
and the exposed host computer.
The exposed host receives all traffic that was not forwarded to another computer by
use of Allow and Forward rules.
Warning: Entering an IP address may make the designated computer vulnerable to
hacker attacks. Defining an exposed host is not recommended unless you are fully
aware of the security risks.
To define a computer as an exposed host
1. Click Security in the main menu, and click the Exposed Host tab.
The Exposed Host page appears.
Defining an Exposed Host
264 Check Point Safe@Office User Guide
2. In the Exposed Host field, type the IP address of the computer you wish to
define as an exposed host.
Alternatively, you can click This Computer to define your computer as the
exposed host.
3. Click Apply.
The selected computer is now defined as an exposed host.
To clear the exposed host
1. Click Security in the main menu, and click the Exposed Host tab.
The Exposed Host page appears.
2. Click Clear.
3. Click Apply.
No exposed host is defined.
Overview
Chapter 10: Using VStream Antivirus 265
Chapter 10
This chapter explains how to use the VStream Antivirus engine to block security
threats before they reach your network.
This chapter includes the following topics:
Overview..................................................................................................265
Enabling/Disabling VStream Antivirus....................................................267
Viewing VStream Signature Database Information .................................268
Configuring VStream Antivirus ...............................................................269
Updating VStream Antivirus....................................................................281
Overview
The Safe@Office appliance includes VStream Antivirus, an embedded stream-
based antivirus engine based on Check Point Stateful Inspection and Application
Intelligence technologies, that performs virus scanning at the kernel level.
VStream Antivirus scans files for malicious content on the fly, without
downloading the files into intermediate storage. This means minimal added latency
and support for unlimited file sizes; and since VStream Antivirus stores only
minimal state information per connection, it can scan thousands of connections
concurrently. In order to scan archive files on the fly, VStream Antivirus performs
real-time decompression and scanning of ZIP, TAR, and GZ archive files, with
support for nested archive files.
When VStream Antivirus detects malicious content, the action it takes depends on
the protocol in which the virus was found. See the table below. In each case,
VStream Antivirus blocks the file and writes a log to the Event Log.
Using VStream Antivirus
Overview
266 Check Point Safe@Office User Guide
Table 57: VStream Antivirus Actions
If a virus if found in
this protocol...
VStream Antivirus does this... The protocol is detected
on this port...
HTTP • Terminates the
connection All ports on which VStream is
enabled by the policy, not
only port 80
POP3 • Terminates the
connection
• Deletes the virus-
infected email from the
server
The standard TCP port 110.
IMAP • Terminates the
connection
• Replaces the virus-
infected email with a
message notifying the
user that a virus was
found
The standard TCP port 143
SMTP • Rejects the virus-
infected email with error
code 554
• Sends a "Virus
detected" message to
the sender
The standard TCP port 25
FTP • Terminates the data
connection
• Sends a "Virus detected"
message to the FTP
client
The standard TCP port 21
TCP and UDP • Terminates the
connection Generic TCP and UDP ports,
other than those listed above
Note: In protocols that are not listed in this table, VStream Antivirus uses a "best
effort" approach to detect viruses. In such cases, detection of viruses is not
guaranteed and depends on the specific encoding used by the protocol.
Enabling/Disabling VStream Antivirus
Chapter 10: Using VStream Antivirus 267
If you are subscribed to the VStream Antivirus subscription service, VStream
Antivirus virus signatures are automatically updated, so that security is always up-
to-date, and your network is always protected.
Note: VStream Antivirus differs from the Email Antivirus subscription service (part of
the Email Filtering service) in the following ways:
• Email Antivirus is centralized, redirecting traffic through the Service
Center for scanning, while VStream Antivirus scans for viruses in the
Safe@Office gateway itself.
• Email Antivirus is specific to email, scanning incoming POP3 and
outgoing SMTP connections only, while VStream Antivirus supports
additional protocols, including incoming SMTP and outgoing POP3
connections.
You can use either antivirus solution or both in conjunction. For information on
Email Antivirus, see Email Filtering on page 296.
Enabling/Disabling VStream Antivirus
To enable/disable VStream Antivirus
1. Click Antivirus in the main menu, and click the Antivirus tab.
Viewing VStream Signature Database Information
268 Check Point Safe@Office User Guide
The VStream Antivirus page appears.
2. Drag the On/Off lever upwards or downwards.
VStream Antivirus is enabled/disabled for all internal network computers.
Viewing VStream Signature Database Information
VStream Antivirus maintains two databases: a daily database and a main database.
The daily database is updated frequently with the newest virus signatures.
Periodically, the contents of the daily database are moved to the main database,
leaving the daily database empty. This system of incremental updates to the main
database allows for quicker updates and saves on network bandwidth.
You can view information about the VStream signature databases currently in use,
in the VStream Antivirus page.
Configuring VStream Antivirus
Chapter 10: Using VStream Antivirus 269
Table 58: Account Page Fields
This field… Displays…
Main database The date and time at which the main database was last updated,
followed by the version number.
Daily database The date and time at which the daily database was last updated, followed
by the version number.
Next update The next date and time at which the Safe@Office appliance will check for
updates.
Status The current status of the database. This includes the following statuses:
• Database Not Installed
• OK
Configuring VStream Antivirus
You can configure VStream Antivirus in the following ways:
• Configuring the VStream Antivirus Policy on page 269
• Configuring VStream Advanced Settings on page 277
Configuring the VStream Antivirus Policy
VStream Antivirus includes a flexible mechanism that allows the user to define
exactly which traffic should be scanned, by specifying the protocol, ports, and
source and destination IP addresses.
VStream Antivirus processes policy rules in the order they appear in the Antivirus
Policy table, so that rule 1 is applied before rule 2, and so on. This enables you to
define exceptions to rules, by placing the exceptions higher up in the Rules table.
Configuring VStream Antivirus
270 Check Point Safe@Office User Guide
For example, if you want to scan all outgoing SMTP traffic, except traffic from a
specific IP address, you can create a rule scanning all outgoing SMTP traffic and
move the rule down in the Antivirus Policy table. Then create a rule passing SMTP
traffic from the desired IP address and move this rule to a higher location in the
Antivirus Policy table than the first rule. In the figure below, the general rule is rule
number 2, and the exception is rule number 1.
The Safe@Office appliance will process rule 1 first, passing outgoing SMTP traffic
from the specified IP address, and only then it will process rule 2, scanning all
outgoing SMTP traffic.
The following rule types exist:
VStream Antivirus Rule Types
Table 59: VStream Antivirus Rule Types
Rule Description
Pass This rule type enables you to specify that VStream Antivirus should not scan
traffic matching the rule.
Configuring VStream Antivirus
Chapter 10: Using VStream Antivirus 271
Rule Description
Scan This rule type enables you to specify that VStream Antivirus should scan traffic
matching the rule.
If a virus is found, it is blocked and logged.
Adding and Editing Rules
To add or edit a rule
1. Click Antivirus in the main menu, and click the Policy tab.
The Antivirus Policy page appears.
2. Do one of the following:
• To add a new rule, click Add Rule.
• To edit an existing rule, click the Edit icon next to the desired rule.
Configuring VStream Antivirus
272 Check Point Safe@Office User Guide
The VStream Policy Rule Wizard opens, with the Step 1: Rule Type dialog box
displayed.
3. Select the type of rule you want to create.
4. Click Next.
The Step 2: Service dialog box appears.
The example below shows a Scan rule.
5. Complete the fields using the relevant information in the table below.
Configuring VStream Antivirus
Chapter 10: Using VStream Antivirus 273
6. Click Next.
The Step 3: Destination & Source dialog box appears.
7. Complete the fields using the relevant information in the table below.
The Step 4: Done dialog box appears.
8. Click Finish.
The new rule appears in the Firewall Rules page.
Configuring VStream Antivirus
274 Check Point Safe@Office User Guide
Table 60: VStream Rule Fields
In this field… Do this…
Any Service Click this option to specify that the rule should apply to any service.
Standard
Service
Click this option to specify that the rule should apply to a specific standard
service.
You must then select the desired service from the drop-down list.
Custom Service Click this option to specify that the rule should apply to a specific non-
standard service.
The Protocol and Port Range fields are enabled. You must fill them in.
Protocol Select the protocol (TCP, UDP, or ANY) for which the rule should apply.
Ports To specify the port range to which the rule applies, type the start port
number in the left text box, and the end port number in the right text box.
Note: If you do not enter a port range, the rule will apply to all ports. If you
enter only one port number, the range will include only that port.
If the
connection
source is
Select the source of the connections you want to allow/block.
To specify an IP address, select Specified IP and type the desired IP address
in the filed provided.
To specify an IP address range, select Specified Range and type the desired
IP address range in the fields provided.
Configuring VStream Antivirus
Chapter 10: Using VStream Antivirus 275
In this field… Do this…
And the
destination is
Select the destination of the connections you want to allow or block.
To specify an IP address, select Specified IP and type the desired IP address
in the text box.
To specify an IP address range, select Specified Range and type the desired
IP address range in the fields provided. This option is not available in Allow
and Forward rules.
To specify the Safe@Office Portal and network printers, select This Gateway.
This option is not available in Allow and Forward rules.
To specify any destination except the Safe@Office Portal and network
printers, select ANY.
Data Direction Select the direction of connections to which the rule should apply:
• Download and Upload data. The rule applies to downloaded and
uploaded data. This is the default.
• Download data. The rule applies to downloaded data, that is, data
flowing from the destination of the connection to the source of the
connection.
• Upload data. The rule applies to uploaded data, that is, data flowing
from the source of the connection to the destination of the
connection.
Enabling/Disabling Rules
You can temporarily disable a VStream Antivirus rule.
To enable/disable a rule
1. Click Antivirus in the main menu, and click the Policy tab.
The Antivirus Policy page appears.
Configuring VStream Antivirus
276 Check Point Safe@Office User Guide
2. Next to the desired rule, do one of the following:
• To enable the rule, click .
The button changes to and the rule is enabled.
• To disable the rule, click .
The button changes to and the rule is disabled.
Changing Rules' Priority
To change a rule's priority
1. Click Antivirus in the main menu, and click the Policy tab.
The Antivirus Policy page appears.
2. Do one of the following:
• Click next to the desired rule, to move the rule up in the table.
• Click next to the desired rule, to move the rule down in the table.
The rule's priority changes accordingly.
Deleting Rules
To delete an existing rule
1. Click Antivirus in the main menu, and click the Policy tab.
The Antivirus Policy page appears.
2. Click the Erase icon of the rule you wish to delete.
A confirmation message appears.
Configuring VStream Antivirus
Chapter 10: Using VStream Antivirus 277
3. Click OK.
The rule is deleted.
Configuring VStream Advanced Settings
To configure VStream Antivirus advanced settings
1. Click Antivirus in the main menu, and click the Advanced tab.
The Advanced Antivirus Settings page appears.
2. Complete the fields using the table below.
3. Click Apply.
4. To restore the default VStream Antivirus settings, do the following:
a) Click Default.
A confirmation message appears.
b) Click OK.
Configuring VStream Antivirus
278 Check Point Safe@Office User Guide
The VStream Antivirus settings are reset to their defaults. For information on
the default values, refer to the table below.
Table 61: Advanced Antivirus Settings Fields
In this field… Do this…
File Types
Block potentially unsafe
file types in email
messages
Select this option to block all emails containing potentially unsafe
attachments.
Unsafe file types are:
• DOS/Windows executables, libraries and drivers
• Compiled HTML Help files
• VBScript files
• Files with {CLSID} in their name
• The following file extensions: ade, adp, bas, bat, chm,
cmd,com, cpl, crt, exe, hlp, hta, inf, ins, isp, js, jse,
lnk, mdb, mde, msc, msi, msp, mst, pcd, pif, reg, scr,
sct, shs,shb, url, vb, vbe, vbs, wsc, wsf, wsh.
Configuring VStream Antivirus
Chapter 10: Using VStream Antivirus 279
In this field… Do this…
Pass safe file types
without scanning
Select this option to accept common file types that are known to
be safe, without scanning them.
Safe files types are:
• MPEG streams
• RIFF Ogg Stream
• MP3
• PDF
• PostScript
• WMA/WMV/ASF
• RealMedia
• JPEG - only the header is scanned, and the rest of
the file is skipped
Selecting this option reduces the load on the gateway by skipping
safe file types. This option is selected by default.
Status
Maximum nesting level Type the maximum number of nested content levels that
VStream Antivirus should scan.
Setting a higher number increases security. Setting a lower
number prevents attackers from overloading the gateway by
sending extremely nested archive files.
The default value is 5 levels.
Configuring VStream Antivirus
280 Check Point Safe@Office User Guide
In this field… Do this…
Maximum compression
ratio 1:x
Fill in the field to complete the maximum compression ratio of
files that VStream Antivirus should scan.
For example, to specify a 1:150 maximum compression ratio,
type 150.
Setting a higher number allows the scanning of highly
compressed files, but creates a potential for highly compressible
files to create a heavy load on the appliance. Setting a lower
number prevents attackers from overloading the gateway by
sending extremely compressible files.
The default value is 100.
When archived file
exceeds limit or extraction
fails
Specify how VStream Antivirus should handle files that exceed
the Maximum nesting level or the Maximum compression ratio, and
files for which scanning fails. Select one of the following:
• Pass file without scanning. Scan only the number of
levels specified, and skip the scanning of more deeply
nested archives. Furthermore, skip scanning highly
compressible files, and skip scanning archives that
cannot be extracted because they are corrupt. This is
the default.
• Block file. Block the file.
When a password-
protected file is found in
archive
VStream Antivirus cannot extract and scan password-protected
files inside archive. Specify how VStream Antivirus should handle
such files, by selecting one of the following:
• Pass file without scanning. Accept the file without
scanning it. This is the default.
• Block file. Block the file.
Updating VStream Antivirus
Chapter 10: Using VStream Antivirus 281
Updating VStream Antivirus
When you are subscribed to the VStream Antivirus updates service, VStream
Antivirus virus signatures are automatically updated, keeping security up-to-date
with no need for user intervention. However, you can still check for updates
manually, if needed.
To update the VStream Antivirus virus signature database
1. Click Antivirus in the main menu, and click the Antivirus tab.
The VStream Antivirus page appears.
2. Click Update Now.
The VStream Antivirus database is updated with the latest virus signatures.
Connecting to a Service Center
Chapter 11: Using Subscription Services 283
Chapter 11
This chapter explains how to start subscription services, and how to use Software
Updates, Web Filtering, and Email Filtering services.
Note: Check with your reseller regarding availability of subscription services, or surf
to www.sofaware.com/servicecenters to locate a Service Center in your area.
This chapter includes the following topics:
Connecting to a Service Center................................................................283
Viewing Services Information..................................................................289
Refreshing Your Service Center Connection............................................290
Configuring Your Account.......................................................................290
Disconnecting from Your Service Center.................................................291
Web Filtering............................................................................................292
Email Filtering..........................................................................................296
Automatic and Manual Updates ...............................................................300
Connecting to a Service Center
To connect to a Service Center
1. Click Services in the main menu, and click the Account tab.
Using Subscription Services
Connecting to a Service Center
284 Check Point Safe@Office User Guide
The Account page appears.
2. In the Service Account area, click Connect.