SofaWare Technologies SBXW-166LHGE-4 Wireless Broadband Router User Manual Internet Security Appliance

SofaWare Technologies Ltd. Wireless Broadband Router Internet Security Appliance

Contents

Users Manual Part 2

Check Point Safe@Office User Guide

Using Static Routes

c. Click Apply.
   The changes are saved.

Deleting a Static Route

Note: The “default” route cannot be deleted.

To delete a static route
1. Click Network in the main menu, and click the Routes tab.
   The Static Routes page appears, with a listing of existing static routes.
2. In the desired route row, click the Delete icon.
   A confirmation message appears.
3. Click OK.
   The route is deleted.
Chapter 6: Viewing Reports

This chapter describes the Safe@Office Portal reports.

This chapter includes the following topics:
Viewing the Event Log
Viewing Computers
Viewing Connections

Viewing the Event Log

You can track network activity using the Event Log. The Event Log displays the most recent events and color codes them.

Table 20: Event Log Color Coding

An event marked in this color…   Indicates…
Blue                             Changes in your setup that you have made yourself or as a result of a security update implemented by your Service Center.
Red                              Connection attempts that were blocked by your firewall.
Orange                           Connection attempts that were blocked by your custom security rules.
Green                            Traffic accepted by the firewall. By default, accepted traffic is not logged. However, such traffic may be logged if specified by a security policy downloaded from your Service Center.

The logs detail the date and the time the event occurred, and its type. If the event is a communication attempt that was rejected by the firewall, the event details include the source and destination IP address, the destination port, and the protocol used for the communication attempt (for example, TCP or UDP).

Note: You can configure the Safe@Office appliance to send event logs to a Syslog server. For information, see Configuring Syslog Logging on page 263.
To view the event log
•  Click Reports in the main menu, and click the Event Log tab.
   The Event Log page appears.

You can do any of the following:
•  Click the Refresh button to refresh the display.
•  Click the Clear button to clear all events.
•  If an event is highlighted in red, indicating a blocked attack on your network, you can display the attacker’s details, by clicking on the IP address of the attacking machine.
   The Safe@Office appliance queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information. This information is useful in tracking down hackers.
Viewing Computers

This option allows you to view the currently active computers on your network. The active computers are graphically displayed, each with its name, IP address, and settings (DHCP, Static, etc.). You can also view node limit information.

To view the active computers
1. Click Reports in the main menu, and click the Active Computers tab.
   The Active Computers page appears.
   If you configured High Availability, both the master and backup appliances are shown.
   If you are using Safe@Office 300W, the following is displayed next to wireless computers:
   •  Transmission rate in Mbps
   •  Signal strength in dB
   •  An information icon - You can mouse-over this icon to see the following statistics:
      Frames OK - The total number of frames that were successfully transmitted and received
      Errors - The total number of transmitted and received frames for which an error occurred
      Discarded/Dropped Frames - The total number of discarded or dropped frames transmitted and received
      Unicast Frames - The number of unicast frames transmitted and received
      Broadcast Frames - The number of broadcast frames transmitted and received
      Multicast Frames - The number of multicast frames transmitted and received
   If you are subscribed to SecureDesk, a status message next to each computer indicates whether the computer complies with the SecureDesk security level conditions. For information on SecureDesk, see Using SecureDesk on page 183. For an explanation of the status messages, see SecureDesk Status Messages on page 191.
   If you are exceeding the maximum number of computers allowed by your license, a warning message appears, and the computers over the node limit are marked in red. These computers are still protected, but they are blocked from accessing the Internet through the Safe@Office appliance.

   Note: Computers that did not communicate through the firewall are not counted for node limit purposes, even though they are protected by the firewall.

   Note: To increase the number of computers allowed by your license, you must upgrade your product. For further information, see Upgrading Your Software Product on page 258.
2. To refresh the display, click Refresh.
3. To view node limit information, do the following:
   a. Click Node Limit.
      The Node Limit window appears with installed software product and the number of nodes used.
   b. Click Close to close the window.
Viewing Connections

This option allows you to view the currently active connections between your network and the external world. The active connections are displayed as a list, specifying source IP address, destination IP address and port, and the protocol used (TCP, UDP, etc.).

To view the active connections
•  Click Reports in the main menu, and click the Active Connections tab.
   The Active Connections page appears.

You can do the following:
•  Click the Refresh button to refresh the display.
•  To view information on the destination machine, click its IP address.
   The Safe@Office appliance queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information.
Chapter 7: Setting Your Security Policy

This chapter describes how to set up your Safe@Office appliance security policy.

You can enhance your security policy by subscribing to services such as Web Filtering and Email Antivirus scanning. You can also subscribe to SecureDesk, which includes and enforces the use of McAfee VirusScan ASaP Web-based antivirus service. For information on subscribing to services and SecureDesk, see Using Subscription Services on page 165.

This chapter includes the following topics:
Setting the Firewall Security Level
Configuring Servers
Using Rules
Defining an Exposed Host

Setting the Firewall Security Level

The firewall security level can be controlled using a simple lever available on the Firewall page. You can set the lever to three states.

Table 21: Firewall Security Levels

This level…   Does this…   Further Details

Low
   Does this: Enforces basic control on incoming connections, while permitting all outgoing connections.
   Further details: All inbound traffic is blocked to the external Safe@Office appliance IP address, except for ICMP echoes ("pings"). All outbound connections are allowed.

Medium
   Does this: Enforces strict control on all incoming connections, while permitting safe outgoing connections. This is the default level and is recommended for most cases. Leave it unchanged unless you have a specific need for a higher or lower security level.
   Further details: All inbound traffic is blocked. All outbound traffic is allowed to the Internet except for Windows file sharing (NBT ports 137, 138, 139 and 445).

High
   Does this: Enforces strict control on all incoming and outgoing connections.
   Further details: All inbound traffic is blocked. Restricts all outbound traffic except for the following: Web traffic (HTTP, HTTPS), email (IMAP, POP3, SMTP), ftp, newsgroups, Telnet, DNS, IPSEC IKE and VPN traffic.

Note: If the security policy is remotely managed, this lever might be disabled.

Note: The definitions of firewall security levels provided in this table represent the Safe@Office appliance’s default security policy. Security updates downloaded from a Service Center may alter this policy and change these definitions.
To change the firewall security level
1. Click Security in the main menu, and click the Firewall tab.
   The Firewall page appears.
2. Drag the security lever to the desired level.
   The Safe@Office appliance security level changes accordingly.

Configuring Servers

Note: If you do not intend to host any public Internet servers (Web Server, Mail Server etc.) in your network, you can skip this section.

Using the Safe@Office Portal, you can selectively allow incoming network connections into your network. For example, you can set up your own Web server, Mail server or FTP server.
Note: Configuring servers allows you to create simple Allow and Forward rules for common services, and it is equivalent to creating Allow and Forward rules in the Rules page. For information on creating rules, see Using Rules on page 154.

To allow a service to be run on a specific host
1. Click Security in the main menu, and click the Servers tab.
   The Servers page appears, displaying a list of services and a host IP address for each allowed service.
2. Complete the fields using the information in the table below.
3. Click Apply.
   A success message appears, and the selected computer is allowed to run the desired service or application.

Table 22: Servers Page Fields

In this column…   Do this…
Allow             Select the desired service or application.
VPN Only          Select this option to allow only connections made through a VPN.
Host IP           Type the IP address of the computer that will run the service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service.

To stop the forwarding of a service to a specific host
1. Click Security in the main menu, and click the Servers tab.
   The Servers page appears, displaying a list of services and a host IP address for each allowed service.
2. In the desired service or application’s row, click Clear.
   The Host IP field of the desired service is cleared.
3. Click Apply.
   The service or application is not allowed on the specific host.

Using Rules

The Safe@Office appliance checks the protocol used, the ports range, and the destination IP address, when deciding whether to allow or block traffic.

By default, in the Medium security level, the Safe@Office appliance blocks all connection attempts from the Internet (WAN) to the LAN, and allows all outgoing connection attempts from the LAN to the Internet (WAN).
User-defined rules have priority over the default rules and provide you with greater flexibility in defining and customizing your security policy.

The following rule types exist:

Table 23: Firewall Rule Types

Rule: Allow and Forward
Description: This rule type enables you to do the following:
•  Permit incoming access from the Internet to a specific service in your internal network.
•  Forward all such connections to a specific computer in your network.
•  Redirect the specified connections to a specific port. This option is called Port Address Translation (PAT).
Creating an Allow and Forward rule is equivalent to defining a server in the Servers page.
Note: You must use this type of rule to allow incoming connections if your network uses Hide NAT.
Note: You cannot specify two Allow and Forward rules that forward the same service to two different destinations.

Rule: Allow
Description: This rule type enables you to do the following:
•  Permit outgoing access from your internal network to a specific service on the Internet.
   Note: You can allow outgoing connections for services that are not permitted by the default security policy.
•  Permit incoming access from the Internet to a specific service in your internal network.
•  Assign traffic to a QoS class.
   If Traffic Shaper is enabled for the direction of traffic specified in the rule (incoming or outgoing), then Traffic Shaper will handle relevant connections as specified in the bandwidth policy for the selected QoS class. For example, if Traffic Shaper is enabled for outgoing traffic, and you create an Allow rule associating all outgoing Web traffic with the Urgent QoS class, then Traffic Shaper will handle outgoing Web traffic as specified in the bandwidth policy for the Urgent class. For information on Traffic Shaper and QoS classes, see Using Traffic Shaper on page 120.
   This option is only available in Safe@Office 225.
Note: You cannot use an Allow rule to permit incoming traffic, if the network or VPN uses Hide NAT. However, you can use Allow rules for static NAT IP addresses.

Rule: Block
Description: This rule type enables you to do the following:
•  Block outgoing access from your internal network to a specific service on the Internet.
•  Block incoming access from the Internet to a specific service in your internal network.
Adding and Editing Rules

To add or edit a rule
1. Click Security in the main menu, and click the Rules tab.
   The Rules page appears.
   If you are using Safe@Office 105 or 110, the QoS column does not appear.
2. Click Add Rule.
   The Safe@Office Firewall Rule wizard opens, with the Step 1: Rule Type dialog box displayed.
3. Select the type of rule you want to create.
4. Click Next.
   The Step 2: Service dialog box appears. The example below shows an Allow rule.
5. Complete the fields using the relevant information in the table below.
6. Click Next.
   The Step 3: Destination and Source dialog box appears.
7. Complete the fields using the relevant information in the table below.
   The Step 4: Done dialog box appears.
8. Click Finish.
   The new rule appears in the Firewall Rules page.
Table 24: Firewall Rule Fields

In this field…             Do this…
Any Service                Click this option to specify that the rule should apply to any service.
Standard Service           Click this option to specify that the rule should apply to a specific standard service. You must then select the desired service from the drop-down list.
Custom Service             Click this option to specify that the rule should apply to a specific non-standard service. The Protocol and Port Range fields are enabled. You must fill them in.
Protocol                   Select the protocol (ESP, GRE, TCP, UDP or ANY) for which the rule should apply.
Ports                      To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box. Note: If you do not enter a port range, the rule will apply to all ports. If you enter only one port number, the range will include only that port.
Source                     Select the source of the connections you want to allow/block. To specify an IP address, select Specified IP and type the desired IP address in the field provided. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
Destination                Select the destination of the connections you want to allow or block. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. This option is not available in Allow and Forward rules.
Quality of Service Class   Select the QoS class to which you want to assign the specified connections. If Traffic Shaper is enabled, Traffic Shaper will handle these connections as specified in the bandwidth policy for the selected QoS class. If Traffic Shaper is not enabled, this setting is ignored. For information on Traffic Shaper and QoS classes, see Using Traffic Shaper on page 120. This drop-down list only appears when defining an Allow rule in Safe@Office 225. It contains all QoS classes defined in the portal.
Redirect to port           Select this option to redirect the connections to a specific port. You must then type the desired port in the field provided. This option is called Port Address Translation (PAT), and is only available when defining an Allow and Forward rule.
Deleting Rules

To delete an existing rule
1. Click Security in the main menu, and click the Rules tab.
   The Rules page appears.
2. Click the   icon of the rule you wish to delete.
   A confirmation message appears.
3. Click OK.
   The rule is deleted.

Defining an Exposed Host

The Safe@Office appliance allows you to define an exposed host, which is a computer that is not protected by the firewall. This is useful for setting up a public server. It allows unlimited incoming and outgoing connections between the Internet and the exposed host computer.

The exposed host receives all traffic that was not forwarded to another computer by use of Allow and Forward rules.

Warning - Entering an IP address may make the designated computer vulnerable to hacker attacks. Defining an exposed host is not recommended unless you are fully aware of the security risks.

To define a computer as an exposed host
1. Click Security in the main menu, and click the Exposed Host tab.
   The Exposed Host page appears.
2. In the Exposed Host field, type the IP address of the computer you wish to define as an exposed host. Alternatively, you can click This Computer to define your computer as the exposed host.
3. Click Apply.
   The selected computer is now defined as an exposed host.
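
Added example (not part of the manual and not Check Point or SofaWare code): a small Python model of the policy described in Table 21, Using Rules and Defining an Exposed Host, useful for reviewing which inbound connections a planned configuration would let reach internal hosts. The port numbers for the named High-level services, first-match ordering among user rules, treating VPN traffic as ESP and GRE, and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Windows file sharing ports blocked outbound at Medium (from Table 21).
NBT_PORTS = {137, 138, 139, 445}
# Outbound services still permitted at High (from Table 21). The page names the
# services only; these standard port numbers are an assumption.
HIGH_OUTBOUND = {
    ("tcp", 80), ("tcp", 443),                 # Web traffic: HTTP, HTTPS
    ("tcp", 143), ("tcp", 110), ("tcp", 25),   # email: IMAP, POP3, SMTP
    ("tcp", 21), ("tcp", 119), ("tcp", 23),    # ftp, newsgroups, Telnet
    ("tcp", 53), ("udp", 53),                  # DNS
    ("udp", 500),                              # IPSEC IKE
}
# "VPN traffic" modelled as the ESP and GRE protocols (assumption).
HIGH_VPN_PROTOCOLS = {"esp", "gre"}


@dataclass(frozen=True)
class Rule:
    kind: str                                # "allow", "block" or "allow_forward"
    direction: str                           # "in" (from the Internet) or "out"
    protocol: str                            # "tcp", "udp", "esp", "gre", "icmp", "any"
    ports: Optional[Tuple[int, ...]] = None  # None = all ports; (p,) = only port p
    forward_to: Optional[str] = None         # internal host, allow_forward only

    def matches(self, direction, protocol, port):
        if direction != self.direction:
            return False
        if self.protocol not in ("any", protocol):
            return False
        if self.ports is None:               # no range entered: rule covers all ports
            return True
        return self.ports[0] <= port <= self.ports[-1]


def decide(level, rules, exposed_host, direction, protocol, port=0):
    """Return (verdict, detail) for one connection attempt."""
    # User-defined rules have priority over the default rules (from the page).
    # First match wins; ordering among user rules is an assumption.
    for rule in rules:
        if rule.matches(direction, protocol, port):
            if rule.kind == "allow_forward":
                return ("forward", rule.forward_to)
            return (rule.kind, "user rule")
    if direction == "in":
        # The exposed host receives whatever no Allow and Forward rule claimed.
        if exposed_host is not None:
            return ("forward", exposed_host)
        if level == "low" and protocol == "icmp":
            return ("allow", "default: ping to appliance")
        return ("block", "default: inbound")
    if level == "medium" and protocol in ("tcp", "udp") and port in NBT_PORTS:
        return ("block", "default: Windows file sharing")
    if level == "high":
        if (protocol, port) in HIGH_OUTBOUND or protocol in HIGH_VPN_PROTOCOLS:
            return ("allow", "default: permitted service")
        return ("block", "default: outbound restricted")
    return ("allow", "default: outbound")


def inbound_exposure(level, rules, exposed_host, probes):
    """List the (protocol, port) probes from the Internet that reach a host."""
    reached = []
    for protocol, port in probes:
        verdict, detail = decide(level, rules, exposed_host, "in", protocol, port)
        if verdict != "block":
            reached.append((protocol, port, verdict, detail))
    return reached


# Constructed sample configuration (addresses and rules are illustrative).
SAMPLE_RULES = [
    Rule("allow_forward", "in", "tcp", (80,), "192.168.10.5"),
    Rule("block", "out", "tcp", (23,)),
]
SAMPLE_PROBES = [("tcp", 80), ("tcp", 445), ("tcp", 3389)]

if __name__ == "__main__":
    for host in (None, "192.168.10.9"):
        print("exposed host:", host)
        for row in inbound_exposure("medium", SAMPLE_RULES, host, SAMPLE_PROBES):
            print("  reachable:", row)
```

Comparing the two runs shows the effect the Warning above describes: with an exposed host defined, every probe that no Allow and Forward rule claims is delivered to that host instead of being blocked.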
Chapter 8: Using Subscription Services

This chapter explains how to start subscription services, and how to use Software Updates, Web Filtering, and Email Antivirus services.

For information on using the SecureDesk service, see Using SecureDesk on page 183.

Note: Check with your reseller regarding availability of subscription services, or surf to www.sofaware.com/servicecenters to locate your nearest Service Center.

This chapter includes the following topics:
Connecting to a Service Center
Viewing Services Information
Refreshing Your Service Center Connection
Configuring Your Account
Disconnecting from Your Service Center
Web Filtering
Virus Scanning
Automatic and Manual Updates

Connecting to a Service Center

To connect to a Service Center
1. Click Services in the main menu, and click the Account tab.
   The Account page appears.
2. In the Service Account area, click Connect.
   The Safe@Office Services Wizard opens, with the Service Center dialog box displayed.
3. Make sure the Connect to a different Service Center check box is selected.
4. Do one of the following:
   •  To connect to the SofaWare Service Center, select usercenter.sofaware.com.
   •  To specify a Service Center, select Specified IP and then in the Specified IP field, enter the desired Service Center’s IP address, as given to you by your system administrator.
5. Click Next.
   •  The Connecting… screen appears.
   •  If the Service Center requires authentication, the Service Center Login dialog box appears.
      Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider, then click Next.
   •  The Connecting… screen appears.
   •  The Confirmation dialog box appears with a list of services to which you are subscribed.
6. Click Next.
   The Done screen appears with a success message.
7. Click Finish.
   The following things happen:
   •  If a new firmware is available, the Safe@Office appliance may start downloading it. This may take several minutes. Once the download is complete, the Safe@Office appliance restarts using the new firmware.
   •  The Welcome page appears.
   •  The services to which you are subscribed are now available on your Safe@Office appliance and listed as such on the Account page. See Viewing Services Information on page 169 for further information.
   •  The Services submenu includes the services to which you are subscribed.

Viewing Services Information

The Account page displays the following information about your subscription.

Table 25: Account Page Fields

This field…                Displays…
Service Center Name        The name of the Service Center to which you are connected (if known).
Gateway ID                 Your gateway ID.
Subscription will end on   The date on which your subscription to services will end.
Service                    The services available in your service plan.
Subscription               The status of your subscription to each service:
                           •  Subscribed
                           •  Not Subscribed
Status                     The status of each service:
                           •  Connected. You are connected to the service through the Service Center.
                           •  N/A. The service is not available.
Information                The mode to which each service is set. If you are subscribed to Dynamic DNS, this field displays your gateway's domain name. For further information, see Using SecureDesk on page 183, Web Filtering on page 172, Virus Scanning on page 175, and Automatic and Manual Updates on page 179.
Refreshing Your Service Center Connection

This option restarts your Safe@Office appliance’s connection to the Service Center and refreshes your Safe@Office appliance’s service settings.

To refresh your Service Center connection
1. Click Services in the main menu, and click the Account tab.
   The Account page appears.
2. In the Service Account area, click Refresh.
   The Safe@Office appliance reconnects to the Service Center. Your service settings are refreshed.

Configuring Your Account

This option allows you to access your Service Center Web site, which may offer additional configuration options for your account.

To configure your account
1. Click Services in the main menu, and click the Account tab.
   The Account page appears.
2. In the Service Account area, click Configure.
   Note: If no additional settings are available from your Service Center, this button will not appear.
   Your Service Center Web site opens.
3. Follow the on-screen instructions.

Disconnecting from Your Service Center

If desired, you can disconnect from your Service Center.

To disconnect from your Service Center
1. Click Services in the main menu, and click the Account tab.
   The Account page appears.
2. In the Service Account area, click Connect.
   The Safe@Office Services Wizard opens, with the first Subscription Services dialog box displayed.
3. Clear the Connect to a different Service Center check box.
4. Click Next.
   The Done screen appears with a success message.
5. Click Finish.
   The following things happen:
   •  You are disconnected from the Service Center.
   •  The services to which you were subscribed are no longer available on your Safe@Office appliance.

Web Filtering

When the Web Filtering service is enabled, access to Web content is restricted according to the categories specified under Allow Categories. Authorized users will be able to view Web pages with no restrictions, only after they have provided the administrator password via the Web Filtering pop-up window.

Note: Web Filtering is only available if you are connected to a Service Center and subscribed to this service.

Enabling/Disabling Web Filtering

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable/disable Web Filtering
1. Click Services in the main menu, and click the Web Filtering tab.
   The Web Filtering page appears.
2. Drag the On/Off lever upwards or downwards.
   Web Filtering is enabled/disabled for all internal network computers.
Selecting Categories for Blocking

You can define which types of Web sites should be considered appropriate for your family or office members, by selecting the categories. Categories marked with   will remain visible, while categories marked with   will be blocked and will require the administrator password for viewing.

Note: If you are remotely managed, contact your Service Center to change these settings.

To allow/block a category
1. In the Allow Categories area, click   or   next to the desired category.
2. Click Apply.

Temporarily Disabling Web Filtering

If desired, you can temporarily disable the Web Filtering service.

To temporarily disable Web Filtering
1. Click Services in the main menu, and click the Web Filtering tab.
   The Web Filtering page appears.
2. Click Snooze.
   •  Web Filtering is temporarily disabled for all internal network computers.
   •  The Snooze button changes to Resume.
   •  The Web Filtering Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page.
   •  The service is re-enabled for all internal network computers.
   •  If you clicked Resume in the Web Filtering page, the button changes to Snooze.
   •  If you clicked Resume in the Web Filtering Off popup window, the popup window closes.

Virus Scanning

When the Email Antivirus service is enabled, your email is automatically scanned for the detection and elimination of all known viruses and vandals.
Note: Email Antivirus is only available if you are connected to a Service Center and subscribed to this service.

Enabling/Disabling Email Antivirus

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable/disable Email Antivirus
1. Click Services in the main menu, and click the Email Antivirus tab.
   The Email Antivirus page appears.
2. Drag the On/Off lever upwards or downwards.
   Email Antivirus is enabled/disabled for all internal network computers.
Selecting Protocols for Scanning

If you are locally managed, you can define which protocols should be scanned for viruses:
•  Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned
•  Email sending (SMTP). If enabled, all outgoing email will be scanned

Protocols marked with   will be scanned, while those marked with   will not.

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable virus scanning for a protocol
1. In the Protocols area, click   or   next to the desired protocol.
2. Click Apply.

Temporarily Disabling Email Antivirus

If you are having problems sending or receiving email you can temporarily disable the Email Antivirus service.

To temporarily disable Email Antivirus
1. Click Services in the main menu, and click the Email Antivirus tab.
   The Email Antivirus page appears.
2. Click Snooze.
   •  Email Antivirus is temporarily disabled for all internal network computers.
   •  The Snooze button changes to Resume.
   •  The Email Antivirus Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window, or on the Email Antivirus page.
   •  The service is re-enabled for all internal network computers.
   •  If you clicked Resume in the Email Antivirus page, the button changes to Snooze.
   •  If you clicked Resume in the Email Antivirus Off popup window, the popup window closes.
Automatic and Manual Updates

The Software Updates service enables you to check for new security and software updates.

Note: Software Updates are only available if you are connected to a Service Center and subscribed to this service.

Checking for Software Updates when Locally Managed

If your Safe@Office appliance is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates must be checked for manually.

To configure software updates when locally managed
1. Click Services in the main menu, and click the Software Updates tab.
   The Software Updates page appears.
2. To set the Safe@Office appliance to automatically check for and install new software updates, drag the Automatic/Manual lever upwards.
   The Safe@Office appliance checks for new updates and installs them according to its schedule.
   Note: When the Software Updates service is set to Automatic, you can still manually check for updates.
3. To set the Safe@Office appliance so that software updates must be checked for manually, drag the Automatic/Manual lever downwards.
   The Safe@Office appliance does not check for software updates automatically.
4. To manually check for software updates, click Update Now.
   The system checks for new updates and installs them.

Checking for Software Updates When Remotely Managed

If your Safe@Office appliance is remotely managed, it automatically checks for software updates and installs them without user intervention. However, you can still check for updates manually, if needed.

To manually check for security and software updates
1. Click Services in the main menu, and click the Software Updates tab.
   The Software Updates page appears.
2. Click Update Now.
   The system checks for new updates and installs them.
Chapter 9: Using SecureDesk

SecureDesk allows you to make access through the firewall conditional upon the state of a computer's antivirus software. For example, you can configure SecureDesk to allow access for computers on which the antivirus software is enabled but not up-to-date, or to block access for computers on which the antivirus software is up-to-date, but not the most recent build. SecureDesk enables you to quickly and easily install and update antivirus software on all computers in the network simultaneously and reports the status of the antivirus software on each computer.

SecureDesk requires that you install McAfee VirusScan ASaP, a Web-based antivirus service included in the SecureDesk subscription service. SecureDesk monitors the state of the installed VirusScan virus signatures, agent, and engine, and blocks access through the firewall if they do not match the security level set in the Safe@Office Portal. Authorized users can override the block by providing the administrator password via a pop-up window.

If desired, you can disable SecureDesk for a specific computer or network. For example, you might want to disable SecureDesk for a printer with an IP address, or for a computer with an operating system that VirusScan does not support. To do so you must add the computer or network as a network object. For information on adding network objects and disabling or enabling SecureDesk, see Using Network Objects on page 129.

Note: SecureDesk is only available if you are connected to a Service Center and subscribed to this service.

This chapter includes the following topics:
Installing McAfee VirusScan ASaP
Updating McAfee VirusScan ASaP on All Computers
Setting the SecureDesk Security Level
Checking Antivirus Compliancy
Overriding SecureDesk
Viewing SecureDesk Reports
Installing McAfee VirusScan ASaP

Once you have subscribed to SecureDesk and connected to the Service Center (see Connecting to a Service Center on page 165), you must install McAfee VirusScan ASaP on all computers in your network.

Note: You must disable the Windows XP "Internet Connection Firewall" option before you install McAfee VirusScan ASaP.
The VirusScan installer automatically uninstalls most antivirus programs before installing VirusScan. For a list of products that the VirusScan installer automatically uninstalls, refer to the Quick Start Guide. If your antivirus program does not appear in the list, you must manually uninstall the program before installing VirusScan.

Note: If your current antivirus software is part of a suite of programs, you may have to reinstall the suite without the antivirus component after installing VirusScan.

If VirusScan is already installed on your computer, check whether it complies with the SecureDesk security level conditions using the procedure Checking Antivirus Compliancy on page 189.

To install McAfee VirusScan ASaP
1. Click Security in the main menu, and click the SecureDesk tab.
The SecureDesk page appears.
2. Do one of the following:
• To install VirusScan on this computer only, click Download and install the latest antivirus software.
• To install VirusScan on all the computers in your network, click Run the desktop security software Push Installer.
The McAfee Security page opens in a new window, with the McAfee Secure-1 VirusScan ASaP popup window on top.
3. Follow the online instructions to complete installation.
If antivirus software is already installed, the installer may remove it.
VirusScan is installed.

For information on troubleshooting installation and using VirusScan, see the User Help. To access VirusScan ASaP User Help, right-click on the VirusScan icon in the taskbar, and select Scan Now > Help.
Updating McAfee VirusScan ASaP on All Computers

If the version of VirusScan installed on a computer is not up-to-date, SecureDesk may block access through the firewall for that computer, depending on the SecureDesk security level. You can update the installed version of VirusScan on all computers in the network simultaneously, using the Push Installer.

For information on how to check whether the version of VirusScan installed on a computer is up-to-date, see Checking Antivirus Compliancy on page 189.

To update McAfee VirusScan ASaP on all computers
1. Click Security in the main menu, and click the SecureDesk tab.
The SecureDesk page appears.
2. Click Run the desktop security software Push Installer.
The McAfee Security page opens in a new window, with the McAfee Secure-1 VirusScan ASaP popup window on top.
3. Follow the online instructions to complete updating.
VirusScan is updated on all computers in the network.

Setting the SecureDesk Security Level

The SecureDesk security level determines what conditions a computer's antivirus software must meet before the computer can access the Internet. You control the SecureDesk security level using a simple lever available on the SecureDesk page. You can set the lever to four states.
Note: If the security policy is remotely managed, this lever might be disabled.

Table 26: SecureDesk Security Levels

This security level... - Enforces these conditions...

Off - None. SecureDesk is disabled, and users can freely access the Internet, regardless of whether antivirus software is installed or not.
Note: You can disable SecureDesk for a specific computer or network, using the information in Using Network Objects on page 129.

Low - Antivirus software must be installed and enabled, but it need not be up-to-date.

Medium - Antivirus software must be installed, enabled, and up-to-date. In order for the antivirus software to qualify as up-to-date, the installed antivirus components' version numbers must be equal to or higher than the version numbers displayed in the Service Status table's Minimum column.
High - The most recent antivirus software must be installed and enabled. In order for the antivirus software to qualify as the most recent, the installed antivirus components' version numbers must match the version numbers displayed in the Service Status table's Current column.

To change the SecureDesk security level
1. Click Security in the main menu, and click the SecureDesk tab.
The SecureDesk page appears.
2. Drag the lever to the desired level.
SecureDesk enforces the new security level conditions.
If you raised the security level, and the antivirus software installed on your computer does not meet the new security level conditions, the Current Device Status and Actions area displays an appropriate status message, and the Update your antivirus software to the latest version link appears.
For an explanation of all status messages and their colors, see SecureDesk Status Messages on page 191.
3. If necessary, update your antivirus software by doing the following:
a. Click Update your antivirus software to the latest version.
The McAfee Security page opens in a new window, with the McAfee Secure-1 VirusScan ASaP popup window on top.
b. Follow the online instructions to complete updating.
VirusScan is updated on all computers in the network.
For information on updating VirusScan on all computers in the network, see Updating McAfee VirusScan ASaP on All Computers on page 186.

Checking Antivirus Compliancy

You can check whether a computer's antivirus software complies with the SecureDesk security level conditions.

To check antivirus compliancy for your computer
1. Click Security in the main menu, and click the SecureDesk tab.
The SecureDesk page appears, and the Current Device Status and Actions area displays a color-coded status message indicating whether the computer complies with the SecureDesk security level conditions. For an explanation of the status message and its color, see the table below.
If the antivirus software installed on your computer does not meet the security level conditions, the Update your antivirus software to the latest version link appears.
2. To view detailed information about the antivirus status and component versions, point to the status message.
A popup window displays the desired information.
3. If necessary, update your antivirus software by doing the following:
a. Click Update your antivirus software to the latest version.
The McAfee Security page opens in a new window, with the McAfee Secure-1 VirusScan ASaP popup window on top.
b. Follow the online instructions to complete updating.
VirusScan is updated on all computers in the network.

To check antivirus compliancy for all computers in the network
1. Click Reports in the main menu, and click the Active Computers tab.
The Active Computers page appears.
A color-coded status message next to each computer indicates whether the computer complies with the SecureDesk security level conditions. For an explanation of the status messages and their colors, see the tables below.
2. To view detailed information about the antivirus status and component versions, point to the status message.
A popup window displays the desired information.
3. If necessary, update the antivirus software on all computers in the network. For instructions, see Updating McAfee VirusScan ASaP on All Computers on page 186.
Table 27: SecureDesk Status Messages

Message - Explanation

SecureDesk is compliant - The antivirus software complies with the SecureDesk security level conditions, and access through the firewall is not blocked.

Compliant, but SecureDesk not most up-to-date - The antivirus software complies with the SecureDesk security level conditions, and access through the firewall is not blocked. However, the antivirus components' version numbers do not match the version numbers displayed in the Service Status table's Current column. It is recommended to update your software.

Compliant, but SecureDesk scanner is disabled - The antivirus software complies with the SecureDesk security level conditions, and access through the firewall is not blocked. However, the scanner is disabled, and the computer/network is not currently protected from viruses. It is recommended to enable the scanner.
SecureDesk not up-to-date - The antivirus software components' version numbers are less than the version numbers displayed in the Service Status table's Minimum column. Access through the firewall may be blocked, depending on whether the SecureDesk security level conditions require that the antivirus software is up-to-date. Update your software.

SecureDesk scanner is disabled - The scanner is disabled, and the computer/network is not currently protected from viruses. Access through the firewall is blocked. Enable the scanner.

SecureDesk not up-to-date and scanner is disabled - The antivirus software components' version numbers are less than the version numbers displayed in the Service Status table's Minimum column, and the scanner is disabled. The computer/network is not currently protected from viruses. Access through the firewall is blocked. Update your software and enable the scanner.
SecureDesk is not compliant - The antivirus software does not comply with the SecureDesk security level conditions, and access through the firewall is blocked. Check the SecureDesk security level conditions, and make changes to your antivirus software accordingly. For information on SecureDesk security levels, see Setting the SecureDesk Security Level on page 186.

SecureDesk scanner not installed - The antivirus engine and virus signatures are installed, but the antivirus scanner is not. Access through the firewall is blocked. Install the scanner.

SecureDesk not installed - VirusScan is not installed, and access through the firewall is blocked. Install the antivirus software.

SecureDesk state is unknown - SecureDesk has not yet determined the antivirus software's state, because the computer is not responding. Access through the firewall is temporarily blocked.
Excluded from Antivirus compliance checking - SecureDesk is disabled for this computer/network. Access through the firewall is not blocked. For information on enabling SecureDesk, see Using Network Objects on page 129.

Table 28: SecureDesk Status Message Color Coding

Color - Explanation

Red - Error. The antivirus software does not comply with the SecureDesk security level conditions, and access through the firewall is blocked.

Orange - Warning. The antivirus software complies with the SecureDesk security level conditions, and access through the firewall is not blocked. However, the state of the antivirus software is not ideal.

Green - OK. The antivirus software complies with the SecureDesk security level conditions, and access through the firewall is not blocked.
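The security level conditions of Table 26 can be written as a small decision function, which makes the difference between "equal to or higher than Minimum" and "must match Current" easy to test. This is an added example, not Check Point or SofaWare code: the component names, the dotted version format, the fail-closed handling of missing versions, the sample version numbers, and the mapping of outcomes onto the colors of Table 28 are assumptions made for illustration.

```python
"""Illustrative model of the SecureDesk security levels (Off, Low, Medium, High)."""
from dataclasses import dataclass, field

# The chapter says signatures, agent and engine are monitored; these key names are assumed.
COMPONENTS = ("signatures", "agent", "engine")
LEVELS = ("off", "low", "medium", "high")


def parse_version(text):
    """Turn '4.2.10' into (4, 2, 10). Comparing the raw strings would rank
    '4.2.10' below '4.2.9'. Dotted-integer versions are an assumed format."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # treat 4.2 and 4.2.0 as the same version
        parts.pop()
    return tuple(parts)


@dataclass
class Host:
    installed: bool
    enabled: bool
    versions: dict = field(default_factory=dict)   # component name -> version string


@dataclass
class Decision:
    allowed: bool
    color: str    # "green", "orange" or "red" as in Table 28; "" when the level is Off
    reason: str


def _meets(host, column, compare):
    """True only if every component is reported and passes compare().
    A missing or unparsable version fails closed (assumption)."""
    for name in COMPONENTS:
        try:
            have = parse_version(host.versions[name])
            want = parse_version(column[name])
        except (KeyError, ValueError, AttributeError):
            return False
        if not compare(have, want):
            return False
    return True


def evaluate(level, host, minimum, current):
    """Apply the Table 26 conditions for one computer and return a Decision."""
    level = level.lower()
    if level not in LEVELS:
        raise ValueError("unknown security level: %r" % level)
    if level == "off":
        return Decision(True, "", "SecureDesk is disabled")
    if not host.installed:
        return Decision(False, "red", "antivirus software is not installed")
    if not host.enabled:
        return Decision(False, "red", "antivirus software is not enabled")
    up_to_date = _meets(host, minimum, lambda have, want: have >= want)
    most_recent = _meets(host, current, lambda have, want: have == want)
    if level == "medium" and not up_to_date:
        return Decision(False, "red", "a component is below the Minimum column")
    if level == "high" and not most_recent:
        return Decision(False, "red", "a component does not match the Current column")
    if most_recent:
        return Decision(True, "green", "compliant")
    return Decision(True, "orange", "compliant, but not the most recent versions")


# Constructed sample data: these version numbers do not come from the manual.
MINIMUM = {"signatures": "4.2.9", "agent": "1.5", "engine": "4.2"}
CURRENT = {"signatures": "4.2.10", "agent": "1.6", "engine": "4.2.0"}
HOSTS = {
    "current": Host(True, True, {"signatures": "4.2.10", "agent": "1.6", "engine": "4.2"}),
    "minimum": Host(True, True, {"signatures": "4.2.9", "agent": "1.5", "engine": "4.2"}),
    "outdated": Host(True, True, {"signatures": "4.2.8", "agent": "1.5", "engine": "4.2"}),
    "ahead": Host(True, True, {"signatures": "4.2.11", "agent": "1.6", "engine": "4.2"}),
    "disabled": Host(True, False, {"signatures": "4.2.10", "agent": "1.6", "engine": "4.2"}),
    "no_agent": Host(True, True, {"signatures": "4.2.10", "engine": "4.2"}),
}


def matrix():
    """Return {host name: {level: 'allow/color' or 'block/color'}} for the sample hosts."""
    table = {}
    for name, host in HOSTS.items():
        row = {}
        for level in LEVELS:
            d = evaluate(level, host, MINIMUM, CURRENT)
            row[level] = ("allow" if d.allowed else "block") + "/" + (d.color or "-")
        table[name] = row
    return table


if __name__ == "__main__":
    for name, row in matrix().items():
        print("%-9s" % name, "  ".join("%s=%s" % (lv, row[lv]) for lv in LEVELS))
```

Note the "ahead" host: under the High level the versions must match the Current column, so in this model a component newer than Current is blocked just like an older one.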
Overriding SecureDesk

SecureDesk blocks access through the firewall if your computer's antivirus software does not comply with the SecureDesk security level conditions. When you attempt to connect to the Internet, the following things happen:
• The Access Denied page appears
• The Event Log specifies that the connection was blocked by SecureDesk.

You can correct the problem by clicking Download and install the latest antivirus software to install up-to-date software, and then clicking Continue to the original page. Alternatively, Safe@Office administrators with Read/Write permissions can override the block using the procedure below.

To override SecureDesk
1. In the Access Denied page's Administrator Override area, in the Username field, type your user name.
2. In the Password field, type your password.
3. Click OK.
SecureDesk is temporarily disabled for your computer only. The page you were blocked from accessing appears. The Antivirus Off popup window appears.
4. To re-enable the service, click Resume in the popup window.
The service is re-enabled for your computer.

Viewing SecureDesk Reports

You can view reports on SecureDesk's activities for all computers in your network.

Note: You must be connected to the Internet to view SecureDesk reports.

To view SecureDesk reports
1. Click Services in the main menu, and click the SecureDesk tab.
The SecureDesk page appears.
2. Click SecureDesk Reports.
A SecureDesk report opens in a new window. This may take some time.
Chapter 10: Working With VPNs

This chapter describes how to use your Safe@Office appliance as a Remote Access VPN Client, server, or gateway.

This chapter includes the following topics:
Overview
Setting Up Your Safe@Office Appliance as a Remote Access VPN Server
Adding and Editing VPN Sites using Safe@Office 110 and 225
Deleting a VPN Site
Enabling/Disabling a VPN Site
Logging on to a VPN Site
Logging off a VPN Site
Installing a Certificate
Uninstalling a Certificate
Viewing VPN Tunnels

Overview

You can configure your Safe@Office appliance as part of a virtual private network (VPN). A VPN is a private data network consisting of a group of gateways that can securely connect to each other. Each member of the VPN is called a VPN site, and a connection between two VPN sites is called a VPN tunnel. VPN tunnels encrypt and authenticate all traffic passing through them. Through these tunnels, employees can safely use their company’s network resources when working at home. For example, they can securely read email, use the company’s intranet, or access the company’s database from home.

There are three types of VPN sites:
• Remote Access VPN Server - Makes a network remotely available to authorized users, who connect to the Remote Access VPN Server
using Remote Access VPN Clients, such as Check Point SecuRemote. Unless the Remote Access VPN Server is also a Remote Access VPN Client, it cannot initiate a connection to other VPN sites.
• Site-to-Site VPN Gateway - Can connect with another Site-to-Site VPN Gateway in a permanent, bi-directional relationship.
• Remote Access VPN Client - Can connect to a Remote Access VPN Server, but other VPN sites cannot initiate a connection to the Remote Access VPN Client. Defining a Remote Access VPN Client is a hardware alternative to using SecuRemote software.

Safe@Office 105 acts as a Remote Access VPN Server for one user, allowing a single remote employee to securely work from home or on the road.

Safe@Office 110 and 225 provide full VPN functionality. They can act as a Remote Access VPN Client, a Remote Access VPN Server for multiple users, or a Site-to-Site VPN Gateway.

A virtual private network (VPN) must include at least one Remote Access VPN Server or gateway. The type of VPN sites you include in a VPN depends on the type of VPN you want to create, Site-to-Site or Remote Access.

Note: A locally managed Remote Access VPN Server or gateway must have a static IP address. If you need a Remote Access VPN Server or gateway with a dynamic IP address, you must use SofaWare Security Management Portal (SMP) management. A SecuRemote or Safe@Office Remote Access VPN Client can have a dynamic IP address, regardless of whether it is locally or remotely managed.

Note: This chapter explains how to define a VPN locally. However, if your appliance is centrally managed by a Service Center, then the Service Center can automatically deploy VPN configuration for your appliance.
Site-to-Site VPNs

A Site-to-Site VPN consists of two or more Site-to-Site VPN Gateways that can communicate with each other in a bi-directional relationship. The connected networks function as a single network. You can use this type of VPN to mesh office branches into one corporate network.

Figure 8: Site-to-Site VPN
To create a Site-to-Site VPN with two VPN sites
1. On the first VPN site’s Safe@Office appliance, do the following:
a. Define the second VPN site as a Site-to-Site VPN Gateway, or create a PPPoE tunnel to the second VPN site, using the procedure Adding and Editing VPN Sites on page 206.
b. Enable the Remote Access VPN Server using the procedure Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 204.
2. On the second VPN site’s Safe@Office appliance, do the following:
a. Define the first VPN site as a Site-to-Site VPN Gateway, or create a PPPoE tunnel to the first VPN site, using the procedure Adding and Editing VPN Sites on page 206.
b. Then enable the Remote Access VPN Server using the procedure Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 204.
Remote Access VPNs

A Remote Access VPN consists of one Remote Access VPN Server or Site-to-Site VPN Gateway, and one or more Remote Access VPN Clients. You can use this type of VPN to make an office network remotely available to authorized users, such as employees working from home, who connect to the office Remote Access VPN Server with their Remote Access VPN Clients.

Figure 9: Remote Access VPN
To create a Remote Access VPN with two VPN sites
1. On the remote user VPN site's Safe@Office appliance, add the office Remote Access VPN Server as a Remote Access VPN site. See Adding and Editing VPN Sites on page 206.
The remote user's Safe@Office appliance will act as a Remote Access VPN Client.
2. On the office VPN site's Safe@Office appliance, enable the Remote Access VPN Server. See Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 204.

Setting Up Your Safe@Office Appliance as a Remote Access VPN Server

You can make your network remotely available to authorized users by setting up your Safe@Office appliance as a Remote Access VPN Server. Remote access users can connect to the Remote Access VPN Server via Check Point SecuRemote or via a Safe@Office appliance in Remote Access VPN mode.

Note: The Check Point SecuRemote Remote Access VPN Client can be downloaded for free from http://www.checkpoint.com/techsupport/downloads_sr.html

To set up your Safe@Office appliance as a Remote Access VPN Server
1. Click VPN in the main menu, and click the VPN Server tab.
The VPN Server page appears.
2. Drag the Enabled/Disabled lever to Enabled.
The Remote Access VPN Server is enabled. The check box is enabled.
3. To allow authenticated users to bypass NAT when connecting to your internal network, select Bypass NAT.
4. To allow authenticated users to bypass the firewall and access your internal network without restriction, select Bypass the firewall.
5. Follow the procedure Setting Up Remote VPN Access for Users on page 252.

Note: Disabling the Remote Access VPN Server will cause all existing VPN tunnels to disconnect.
Adding and Editing VPN Sites using Safe@Office 110 and 225

To add or edit VPN sites
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears with a list of VPN sites.
2. Do one of the following:
• To add a VPN site, click New Site.
• To edit a VPN site, click Edit in the desired VPN site’s row.
The Safe@Office VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.
3. Do one of the following:
• Select Remote Access VPN to establish remote access from your Remote Access VPN Client to a Remote Access VPN Server.
• Select Site to Site VPN to create a permanent bi-directional connection to another Site-to-Site VPN Gateway.
• Select PPPoE to create a non-encrypted connection to a PPPoE server.
4. Click Next.
Configuring a Remote Access VPN Site

If you selected Remote Access VPN, the VPN Gateway Address dialog box appears.
1. Enter the IP address of the Remote Access VPN Server to which you want to connect, as given to you by the network administrator.
2. Click Next.
The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 215.
4. Click Next.
The following things happen in the order below:
• If you chose Specify Configuration, a second VPN Network Configuration dialog box appears.
Complete the fields using the information in VPN Network Configuration Fields on page 215 and click Next.
• The Authentication Method dialog box appears.
5. Complete the fields using the information in Authentication Methods Fields on page 216.
6. Click Next.
Username and Password Authentication Method

If you selected Username and Password, the VPN Login dialog box appears.
1. Complete the fields using the information in VPN Login Fields on page 217.
2. Click Next.
• If you selected Automatic Login, the Connect dialog box appears.
Do the following:
1) To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box.
This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.

2) Click Next.
If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
• The Site Name dialog box appears.
3. Enter a name for the VPN site.
You may choose any name.
4. Click Next.
The VPN Site Created screen appears.
5. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

Certificate Authentication Method

If you selected Certificate, the Connect dialog box appears.
1. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box.
This allows you to test the VPN connection.

Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.

2. Click Next.
If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
The Site Name dialog box appears.
3. Enter a name for the VPN site.
You may choose any name.
4. Click Next.
The VPN Site Created screen appears.
5. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
RSA SecurID Authentication Method

If you selected RSA SecurID, the Site Name dialog box appears.
1. Enter a name for the VPN site.
You may choose any name.
2. Click Next.
The VPN Site Created screen appears.
3. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
Table 29: VPN Network Configuration Fields

In this field… - Do this…

Download Configuration - Click this option to obtain the network configuration by downloading it from the VPN site.
This option will automatically configure your VPN settings, by downloading the network topology definition from the Remote Access VPN Server.
Note: Downloading the network configuration is only possible if you are connecting to a Check Point VPN-1 or Safe@Office Site-to-Site VPN Gateway.

Specify Configuration - Click this option to provide the network configuration manually.

Route All Traffic - Click this option to route all network traffic through the VPN site.
For example, if your VPN consists of a central office and a number of remote offices, and the remote offices are only allowed to access Internet resources through the central office, you can choose to route all traffic from the remote offices through the central office.
Note: You can only configure one VPN site to route all traffic.

Destination network - Type up to three destination network addresses at the VPN site to which you want to connect.
Subnet mask - Select the subnet masks for the destination network addresses.
Note: Obtain the destination networks and subnet masks from the VPN site’s system administrator.

Backup Gateway - Type the name of the VPN site to use if the primary VPN site fails.

Table 30: Authentication Methods Fields

In this field… - Do this…

Username and Password - Select this option to use a user name and password for VPN authentication.
In the next step, you can specify whether you want to log on to the VPN site automatically or manually.

Certificate - Select this option to use a certificate for VPN authentication.
If you select this option, a certificate must have been installed. (Refer to Installing a Certificate on page 237 for more information about certificates and instructions on how to install a certificate.)
RSA SecurID Token - Select this option to use an RSA SecurID token for VPN authentication.
When authenticating to the VPN site, you must enter a four-digit PIN code and the SecurID passcode shown in your SecurID token's display. The RSA SecurID token generates a new passcode every minute.
SecurID is only supported in Remote Access manual login mode.

Table 31: VPN Login Fields

In this field… - Do this…

Manual Login - Click this option to configure the site for Manual Login.
Manual Login connects only the computer you are currently logged onto to the VPN site, and only when the appropriate user name and password have been entered. For further information on Automatic and Manual Login, see Logging on to a VPN Site on page 233.
Automatic Login - Click this option to enable the Safe@Office appliance to log on to the VPN site automatically.
You must then fill in the Username and Password fields.
Automatic Login provides all the computers on your internal network with constant access to the VPN site. For further information on Automatic and Manual Login, see Logging on to a VPN Site on page 233.

Username - Type the user name to be used for logging on to the VPN site.

Password - Type the password to be used for logging on to the VPN site.
Configuring a Site-to-Site VPN Gateway

If you selected Site to Site VPN, the VPN Gateway Address dialog box appears.
1. Complete the fields using the information in VPN Gateway Address Fields on page 226.
2. Click Next.
The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 215.
4. Click Next.
• If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Complete the fields using the information in VPN Network Configuration Fields on page 215, and then click Next.
• The Authentication Method dialog box appears.
5. Complete the fields using the information in Authentication Methods Fields on page 227.
6. Click Next.
Shared Secret Authentication Method

If you selected Shared Secret, the Authentication dialog box appears. If you chose Download Configuration, the dialog box contains additional fields.
1. Complete the fields using the information in VPN Authentication Fields on page 228 and click Next.
The Connect dialog box appears.
2. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
3. Click Next.
• If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
• The Site Name dialog box appears.
4. Enter a name for the VPN site. You may choose any name.
5. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive.
6. Click Next.
• If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following:
  1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive.
  2) Click Next.
• The VPN Site Created screen appears.
7. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
Certificate Authentication Method

If you selected Certificate, the following things happen:
• If you chose Download Configuration, the Authentication dialog box appears. Complete the fields using the information in VPN Authentication Fields on page 228 and click Next.
• The Connect dialog box appears.
1. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
2. Click Next.
• If you selected Try to Connect to the VPN Gateway, the following things happen:
  • The Connecting… screen appears.
  • The Contacting VPN Site screen appears.
• The Site Name dialog box appears.
3. Enter a name for the VPN site. You may choose any name.
4. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive.
5. Click Next.
• If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following:
  1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive.
  2) Click Next.
• The VPN Site Created screen appears.
6. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

Table 32: VPN Gateway Address Fields
In this field…  Do this…
Gateway Address  Type the IP address of the Site-to-Site VPN Gateway to which you want to connect, as given to you by the network administrator.
In this field…  Do this…
Bypass NAT  Select this option to allow the VPN site to bypass NAT when connecting to your internal network.
Bypass the FW  Select this option to allow the VPN site to bypass the firewall and access your internal network without restriction.

Table 33: Authentication Methods Fields
In this field…  Do this…
Shared Secret  Select this option to use a shared secret for VPN authentication. A shared secret is a string used to identify VPN sites to each other.
Certificate  Select this option to use a certificate for VPN authentication. If you select this option, a certificate must have been installed. (Refer to Installing a Certificate on page 237 for more information about certificates and instructions on how to install a certificate.)
Table 34: VPN Authentication Fields
In this field…  Do this…
Topology User  Type the topology user’s user name.
Topology Password  Type the topology user’s password.
Use Shared Secret  Type the shared secret to use for secure communications with the VPN site. This shared secret is a string used to identify the VPN sites to each other. The secret can contain spaces and special characters.

Creating a PPPoE Tunnel

If you selected PPPoE, the VPN Network Configuration dialog box appears.
1. Complete the fields using the information in VPN Network Configuration Fields on page 215.
2. Click Next.
The PPPoE Login page appears.
3. Complete the fields using the information in the table below.
4. Click Next.
The Connect dialog box appears.
5. If you don’t want to try to connect to the VPN site, clear the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
6. Click Next.
If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
The Site Name dialog box appears.
7. Enter a name for the VPN site. You may choose any name.
8. Click Next.
The VPN Site Created screen appears.
9. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
Table 35: PPPoE Login Fields
In this field…  Do this…
User  The PPPoE username.
Password  The PPPoE password.
Service  The service name configured in the PPPoE server. You only need to fill in this field if there is more than one PPPoE server in the WAN network. Note: If you do not fill in this field, the first PPPoE server found is used.

Deleting a VPN Site

To delete a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears, with a list of VPN sites.
2. In the desired VPN site’s row, click the Delete icon.
A confirmation message appears.
3. Click OK.
The VPN site is deleted.
Enabling/Disabling a VPN Site

You can only connect to VPN sites that are enabled.

To enable/disable a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears, with a list of VPN sites.
2. To enable a VPN site, do the following:
  a. Click the icon in the desired VPN site’s row. A confirmation message appears.
  b. Click OK. The icon changes, and the VPN site is enabled.
3. To disable a VPN site, do the following:
  Note: Disabling a VPN site eliminates the tunnel and erases the network topology.
  a. Click the icon in the desired VPN site’s row. A confirmation message appears.
  b. Click OK. The icon changes, and the VPN site is disabled.
Logging on to a VPN Site

You need to manually log on to Remote Access VPN Servers configured for Manual Login. You do not need to manually log on to a Remote Access VPN Server configured for Automatic Login or a Site-to-Site VPN Gateway: all the computers on your network have constant access to it.

Manual Login can be done through either the Safe@Office Portal or the my.vpn page. When you log on and traffic is sent to the VPN site, a VPN tunnel is established. Only the computer from which you logged on can use the tunnel. To share the tunnel with other computers in your home network, you must log on to the VPN site from those computers, using the same user name and password.

Note: You must use a single user name and password for each VPN destination gateway.

Logging on through the Safe@Office Portal

Note: You can only log in to sites that are configured for Manual Login.

To manually log on to a VPN site through the Safe@Office Portal
1. Click VPN in the main menu, and click the VPN Login tab.
The VPN Login page appears.
2. From the Site Name list, select the site to which you want to log on.
Note: Disabled VPN sites will not appear in the Site list.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
• If the Safe@Office appliance is configured to automatically download the network configuration, the Safe@Office appliance downloads the network configuration.
• If when adding the VPN site you specified a network configuration, the Safe@Office appliance attempts to create a tunnel to the VPN site.
• Once the Safe@Office appliance has finished connecting, the VPN Login Status box appears. The Status field displays “Connected”.
• The VPN Login Status box remains open until you manually log off the VPN site.

Logging on through the my.vpn page

Note: You don’t need to know the my.firewall page administrator’s password in order to use the my.vpn page.

To manually log on to a VPN site through the my.vpn page
1. Direct your web browser to http://my.vpn
The VPN Login screen appears.
2. In the Site Name list, select the site to which you want to log on.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
• If the Safe@Office appliance is configured to automatically download the network configuration, the Safe@Office appliance downloads the network configuration.
• If when adding the VPN site you specified a network configuration, the Safe@Office appliance attempts to create a tunnel to the VPN site.
• The VPN Login Status box appears. The Status field tracks the connection’s progress.
• Once the Safe@Office appliance has finished connecting, the Status field changes to “Connected”.
• The VPN Login Status box remains open until you manually log off of the VPN site.

Logging off a VPN Site

You need to manually log off a VPN site in the following cases:
• You are using Safe@Office 105.
• The VPN site is a Remote Access VPN site configured for Manual Login.

To log off a VPN site
• In the VPN Login Status box, click Logout.
All open tunnels from the Safe@Office appliance to the VPN site are closed, and the VPN Login Status box closes.

Note: Closing the browser or dismissing the VPN Login Status box will also terminate the VPN session within a short time.
Installing a Certificate

A digital certificate is a secure means of authenticating the Safe@Office appliance to other Site-to-Site VPN Gateways. The certificate is issued by the Certificate Authority (CA) to entities such as gateways, users, or computers. The entity then uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguished Name (DN) (identifying information) of the entity, as well as the public key (information about itself). After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves using the public keys in the certificates.

The Safe@Office appliance supports certificates encoded in the PKCS#12 (Personal Information Exchange Syntax Standard) format. The PKCS#12 file must have a ".p12" file extension. If you do not have a PKCS#12, obtain it from your network security administrator.

Note: To use certificate authentication, each Safe@Office appliance should have a unique certificate. Do not use the same certificate for more than one gateway.

To install a certificate
1. Click VPN in the main menu, and click the Certificate tab.
The Certificate page appears, with instructions on how to install the certificate.
2. Click Install Certificate.
A Certificate page requests you to specify a certificate file for upload.
3. Click Browse to open a file browser from which to locate and select the file.
The filename that you selected is displayed.
4. Click Upload.
You are requested to enter the pass-phrase.
5. Type the pass-phrase you received from the network security administrator.
6. Click OK.
The certificate is installed. A success message appears. The name of the CA that issued the certificate and the name of the gateway to which this certificate was issued appear.
7. Click OK.
Uninstalling a Certificate

You cannot uninstall the certificate if there is a VPN site currently defined to use certificate authentication.

When a certificate is currently installed, the Certificate page presents two options:
• Install Certificate: Allows you to install a new certificate. The current certificate will be replaced.
• Uninstall Certificate: Allows you to uninstall the current certificate. Therefore, no certificate exists on the Safe@Office appliance, and you will not be able to connect to the VPN if a certificate is still required.

To uninstall a certificate
1. Click VPN in the main menu, and click the Certificate tab.
The Certificate page appears with the name of the currently installed certificate.
2. Click Uninstall.
A confirmation message appears.
3. Click OK.
The certificate is uninstalled. A success message appears.
4. Click OK.
Viewing VPN Tunnels

You can view a list of currently established VPN tunnels. VPN tunnels are created and closed as follows:
• Remote Access VPN sites configured for Automatic Login, Site-to-Site VPN Gateways and PPPoE tunnels
  A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site. The tunnel is closed when not in use for a period of time.
  Note: Although the VPN tunnel is automatically closed, the site remains open, and if you attempt to communicate with the site, the tunnel will be reestablished.
• Remote Access VPN sites configured for Manual Login
  A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site, after you have manually logged on to the site. All open tunnels connecting to the site are closed when you manually log off.
To view VPN tunnels
• Click Reports in the main menu, and click the VPN Tunnels tab.
The VPN Tunnels page appears with a table of open tunnels to VPN sites.

The VPN Tunnels page includes the information described in the table below. You can refresh the table by clicking Refresh.

Table 36: VPN Tunnels Page Fields
This field…  Displays…
  The Safe@Office appliance Internet IP address.
This field…  Displays…
  The security protocol (IPSec), the type of encryption used to secure the connection, and the type of Message Authentication Code (MAC) used to verify the integrity of the message. This information is presented in the following format: Security protocol: Encryption type/Authentication type
  Note: All VPN settings are automatically negotiated between the two sites. The encryption and authentication schemes used for the connection are the strongest of those used at the two sites. Your Safe@Office appliance supports AES, 3DES, and DES encryption schemes, and MD5 and SHA authentication schemes.
  The name and IP address of the VPN gateway to which the tunnel is connected.
User  The user logged on to the VPN site.
Duration  The time at which the tunnel was established. This information is presented in the format hh:mm:ss, where: hh=hours, mm=minutes, ss=seconds
Chapter 11: Managing Users

This chapter describes how to manage Safe@Office appliance users. In Safe@Office 105, there is a single user called "admin", whose password can be changed; in Safe@Office 110 and 225, you can define multiple users and assign them various permissions.

This chapter includes the following topics:
Changing Your Password  245
Adding Users  248
Viewing and Editing Users  248
Deleting Users  251
Setting Up Remote VPN Access for Users  252
Using RADIUS Authentication  252

Changing Your Password

You can change your password at any time. How this task is performed depends on the Safe@Office model you are using.

Using Safe@Office 105

To change your password
1. Click Password in the main menu.
The Password page appears.
2. Edit the Password and Confirm password fields.
Note: Use 5 to 25 characters (letters or numbers) for the new password.
3. Click Apply.
Your changes are saved.

Using Safe@Office 110 and 225

To change your password
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. In the row of your username, click Edit.
The Edit User page appears.
3. Edit the Password and Confirm password fields.
Note: Use 5 to 25 characters (letters or numbers) for the new password.
4. Click Apply.
Your changes are saved.
Adding Users

To add a user
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. Click New User.
The Edit User page appears. The options that appear on the page are dependent on the software and services you are using.
3. Complete the fields using the information in Edit User Page Fields on page 249.
4. Click Apply.
The new user is saved.

Viewing and Editing Users

To view or edit users
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. In the desired user’s row, click Edit.
The Edit User page appears with the user’s details. The options that appear on the page are dependent on the software and services you are using.
3. To edit the user’s details, do the following:
  a. Edit the fields using Edit User Page Fields on page 249.
  b. Click Apply. The changes are saved.
4. To return to the Users page without making any changes, click Cancel.

Table 37: Edit User Page Fields
In this field…  Do this…
Username  Enter a username for the user.
Password  Enter a password for the user. Use five to 25 characters (letters or numbers) for the new password.
Confirm Password  Re-enter the user’s password.
In this field…  Do this…
Administrator Level  Select the user’s level of access to the Safe@Office Portal. The levels are:
  • No Access: The user cannot access the Safe@Office Portal.
  • Read/Write: The user can log on to the Safe@Office Portal and modify system settings.
  • Read Only: The user can log on to the Safe@Office Portal, but cannot modify system settings or export the appliance configuration via the Setup>Tools page. For example, you could assign this administrator level to technical support personnel who need to view the Event Log.
  The default level is No Access. The “admin” user’s Administrator Level (Read/Write) cannot be changed.
VPN Remote Access  Select this option to allow the user to connect to this Safe@Office appliance using their VPN client. For further information on setting up VPN remote access, see Setting Up Remote VPN Access for Users on page 252. This option only appears in Safe@Office 110 and 225.
In this field…  Do this…
Web Filtering Override  Select this option to allow the user to override Web Filtering. This option only appears if the Web Filtering service is defined. This option cannot be changed for the “admin” user.

Deleting Users

Note: The “admin” user cannot be deleted.

To delete a user
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. In the desired user’s row, click the Delete icon.
A confirmation message appears.
3. Click OK.
The user is deleted.
Setting Up Remote VPN Access for Users

If you are using your Safe@Office appliance as a Remote Access VPN Server, you can allow users to access it remotely through their Remote Access VPN Clients (a Check Point SecureClient, Check Point SecuRemote, or another Embedded NG appliance).

To set up remote VPN access for a user
1. Enable your Remote Access VPN Server, using the procedure Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 204.
2. Add the user to the system, using the procedure Adding Users on page 248. You must select the VPN Remote Access option.

Note: When using Safe@Office 105, there is only one pre-defined user called ‘admin’, and you cannot create additional users.

Using RADIUS Authentication

You can use RADIUS to authenticate both Safe@Office appliance users and Remote Access VPN Clients trying to connect to the Safe@Office appliance.

When a user accesses the Safe@Office Portal and tries to log on, the Safe@Office appliance sends the entered user name and password to the RADIUS server. The server then checks whether the RADIUS database contains a matching user name and password pair. If so, then the user is logged on.
To use RADIUS authentication
1. Click Users in the main menu, and click the RADIUS tab.
The RADIUS page appears.
2. Complete the fields using the table below.
3. Click Apply.

Table 38: RADIUS Page Fields
In this field…  Do this…
Address  Type the IP address of the computer that will run the RADIUS service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service. To clear the text box, click Clear.
In this field…  Do this…
Port  Type the port number on the RADIUS server’s host computer. To reset this field to the default (port 1812), click Default.
Shared Secret  Type the shared secret to use for secure communication with the RADIUS server.
Administrator Level  Select the level of access to the Safe@Office Portal to assign to all users authenticated by the RADIUS server. The levels are:
  • No Access: The user cannot access the Safe@Office Portal
  • Read/Write: The user can log on to the Safe@Office Portal and modify system settings.
  • Read Only: The user can log on to the Safe@Office Portal, but cannot modify system settings.
  The default level is No Access.
Web Filtering Override  Select this option to allow all users authenticated by the RADIUS server to override Web Filtering. This option only appears if the Web Filtering service is defined.
Chapter 12: Maintenance

This chapter describes the tasks required for maintenance and diagnosis of your Safe@Office appliance.

This chapter includes the following topics:
Viewing Firmware Status  255
Updating the Firmware  257
Upgrading Your Software Product  258
Registering Your Safe@Office Appliance  262
Configuring Syslog Logging  263
Configuring HTTPS  265
Setting the Time on the Appliance  267
Controlling the Appliance via the Command Line  271
Using Diagnostic Tools  272
Backing Up the Safe@Office Appliance Configuration  274
Resetting the Safe@Office Appliance to Defaults  277
Running Diagnostics  279
Rebooting the Safe@Office Appliance  280

Viewing Firmware Status

The firmware is the software program embedded in the Safe@Office appliance. You can view your current firmware version and additional details.
To view the firmware status
• Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.

The Firmware page displays the following information:

Table 39: Firmware Status Fields
This field…  Displays…  For example…
Firmware Version  The current version of the firmware  4.0
Hardware Type  The type of the current Safe@Office appliance hardware  200 series
Hardware Version  The current hardware version of the Safe@Office appliance  1.0
This field…  Displays…  For example…
Installed Product  The licensed software and the number of allowed nodes  Safe@Office 225 unlimited nodes
Uptime  The time that elapsed from the moment the unit was turned on  01:21:15

Updating the Firmware

If you are subscribed to Software Updates, firmware updates are performed automatically. These updates include new product features and protection against new security threats. Check with your reseller for the availability of Software Updates and other services. For information on subscribing to services, see Connecting to a Service Center on page 165.

If you are not subscribed to the Software Updates service, you must update your firmware manually.

To update your Safe@Office firmware manually
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Firmware Update.
The Firmware Update page appears.
3. Click Browse.
A browse window appears.
4. Select the image file and click Open.
The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box.
5. Click Upload.
Your Safe@Office appliance firmware is updated. This may take a few minutes. At the end of the process the Safe@Office appliance restarts automatically.

Upgrading Your Software Product

Upgrading your Safe@Office appliance is a very simple process. After purchasing an upgrade, you will receive a new Product Key that will enable you to use the upgraded product on the same Safe@Office appliance you have today. For example, if you are using Safe@Office 105, you can purchase an upgrade to Safe@Office 110 and enjoy extended VPN features
on your existing Safe@Office appliance. Likewise, you can upgrade from Safe@Office 225 to 225U without changing your hardware.

Note: You can only upgrade within the same appliance hardware type.

Note: To purchase an upgrade, contact your Safe@Office appliance provider.

To upgrade your product, you must install the new Product Key.

To install a Product Key
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Upgrade Product.
The Safe@Office Licensing Wizard opens, with the Install Product Key dialog box displayed.
3. Click Enter a different Product Key.
4. In the Product Key field, enter the new Product Key.
5. Click Next.
The Installed New Product Key dialog box appears.
6. Click Next.
The first Registration dialog box appears.
7. Do one of the following:
• To register your Safe@Office appliance later on, clear the I want to register my product check box and then click Next.
• To register your Safe@Office appliance now, do the following:
  1) Click Next. A second Registration dialog box appears.
  2) Enter your contact information in the appropriate fields.
  3) To receive email notifications regarding new firmware versions and services, select the check box.
  4) Click Next. The Registration… screen appears.
The third Registration dialog box appears.
8. Click Finish.
Your Safe@Office appliance is restarted and the Welcome page appears.

Registering Your Safe@Office Appliance

If you want to activate your warranty and optionally receive notifications of new firmware versions and services, you must register your Safe@Office appliance.

Privacy Statement: Check Point is committed to protecting your privacy. We use the information we collect about you to process orders and to improve our ability to serve your needs. We will under no circumstances sell, lease, or otherwise disclose any of your personal or contact details without your explicit permission.

To register your Safe@Office appliance
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Upgrade Product.
The Safe@Office Licensing Wizard opens, with the Install Product Key dialog box displayed.
3. Select Keep these settings.
4. Click Next.
The first Registration dialog box appears.
5. Verify that the I want to register my product check box is selected.
6. Click Next.
A second Registration dialog box appears.
7. Enter your contact information in the appropriate fields.
8. To receive email notifications regarding new firmware versions and services, select the check box.
9. Click Next.
The Registration… screen appears. The third Registration dialog box appears.
10. Click Finish.
Your Safe@Office appliance is restarted and the Welcome page appears.

Configuring Syslog Logging

You can configure the Safe@Office appliance to send event logs to a Syslog server residing in your internal network or on the Internet. The logs detail the date and the time each event occurred. If the event is a communication attempt that was rejected by the firewall, the event details include the source and destination IP address, the destination port, and the protocol used for the communication attempt (for example, TCP or UDP).

This same information is also available in the Event Log page (see Viewing the Event Log on page 141). However, while the Event Log can display
hundreds of logs, a Syslog server can store an unlimited number of logs. Furthermore, Syslog servers can provide useful tools for managing your logs.

Note: Kiwi Syslog Daemon is freeware and can be downloaded from http://www.kiwisyslog.com. For technical support, contact Kiwi Enterprises.

To configure Syslog logging
1. Click Setup in the main menu, and click the Logging tab. The Logging page appears.
2. Complete the fields using the information in the table below.
3. Click Apply.

Table 40: Logging Page Fields
In this field… | Do this…
Syslog Server | Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service.
Clear | Click to clear the Syslog Server field.
Syslog Port | Type the port number of the Syslog server.
Default | Click to reset the Syslog Port field to the default (port 514 UDP).

Configuring HTTPS

You can enable Safe@Office appliance users to access the Safe@Office Portal from the Internet. To do so, you must first configure HTTPS.

To configure HTTPS
1. Click Setup in the main menu, and click the Management tab. The Management page appears.
2. Specify from where HTTPS access to the Safe@Office Portal should be granted. See HTTPS Access Options on page 267 for information.
Warning: If remote HTTPS is enabled, your Safe@Office appliance settings can be changed remotely, so make sure all Safe@Office appliance users’ passwords are unguessable.
If you selected IP Address Range, additional fields appear.
3. If you selected IP Address Range, enter the desired IP address range in the fields provided.
4. Click Apply. The HTTPS configuration is saved. You can now access the Safe@Office Portal through the Internet, using the procedure Accessing the Safe@Office Portal Remotely on page 49.
Table 41: HTTPS Access Options
Select this option… | To allow HTTPS access from…
Internal Network | The internal network only. This disables remote HTTPS capability. Note: You can use HTTPS to access the Safe@Office Portal from your internal network, by surfing to https://my.firewall.
Internal Network and VPN | The internal network and your VPN.
IP Address Range | A particular range of IP addresses. Additional fields appear, in which you can enter the desired IP address range.
ANY | Any IP address.

Setting the Time on the Appliance

You set the time displayed in the Safe@Office 225 Portal during initial appliance setup. If desired, you can change the date and time displayed in the Safe@Office 225 Portal using the procedure below.
Note: The Safe@Office 100 series takes the time from your local computer and you do not have to manually set the time.

To set the time
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. If you are using Safe@Office 105 or 110, the page appears without the Set Time button.
2. Click Set Time.
The Safe@Office Set Time Wizard opens displaying the Set the Safe@Office time dialog box.
3. Complete the fields using the information in the table below.
4. Click Next. The following things happen in the order below:
• If you selected Specify date and time, the Specify Date and Time dialog box appears. Set the date, time, and time zone in the fields provided, then click Next.
• The Date and Time Updated window appears.
5. Click Finish.

Table 42: Set Time Wizard Fields
Select this option… | To do this…
Your computer's clock | Set the appliance time to your computer’s system time. Your computer’s system time is displayed to the right of this option.
Keep the current time | Do not change the appliance’s time. The current appliance time is displayed to the right of this option.
Specify date and time | Set the appliance to a specific date and time.
Controlling the Appliance via the Command Line

The Safe@Office Portal enables you to control your appliance via the command line interface.

To control the appliance via the command line
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. Click Command. The Command Line page appears.
3. In the upper field, type a command. You can view a list of supported commands using the command help. For information on all commands, refer to the Embedded NG CLI Reference Guide.
4. Click Go.
The command is implemented.

Using Diagnostic Tools

The Safe@Office appliance is equipped with a set of diagnostic tools that are useful for troubleshooting Internet connectivity.

Table 43: Diagnostic Tools
Use this tool… | To do this…
Ping | Check that a specific IP address or DNS name can be reached via the Internet.
Traceroute | Display a list of all routers used to connect from the Safe@Office appliance to a specific IP address or DNS name.
WHOIS | Display the name and contact information of the entity to whom a specific IP address or DNS name is registered. This information is useful in tracking down hackers.

To use a diagnostic tool
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. In the Tools drop-down list, select the desired tool.
3. In the Address field, type the IP address or DNS name for which to run the tool.
4. Click Go.
• If you selected Ping, the following things happen: The Safe@Office appliance sends packets to the specified IP address or DNS name. The IP Tools window opens and displays the percentage of packet loss and the amount of time it took each packet to reach the specified host and return (round-trip) in milliseconds.
• If you selected Traceroute, the following things happen: The Safe@Office appliance connects to the specified IP address or DNS name. The IP Tools window opens and displays a list of routers used to make the connection.
• If you selected WHOIS, the following things happen: The Safe@Office appliance queries the Internet WHOIS server. A window displays the name of the entity to whom the IP address or DNS name is registered and their contact information.

Backing Up the Safe@Office Appliance Configuration

You can export the Safe@Office appliance configuration to a *.cfg file, and use this file to back up and restore Safe@Office appliance settings, as needed. The configuration file includes all your settings.

Exporting the Safe@Office Appliance Configuration

Exporting the Safe@Office appliance configuration creates a configuration file.
To export the Safe@Office appliance configuration
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. Click Export. A standard File Download dialog box appears.
3. Click Save. The Save As dialog box appears.
4. Browse to a destination directory of your choice.
5. Type a name for the configuration file and click Save. The *.cfg configuration file is created and saved to the specified directory.
Importing the Safe@Office Appliance Configuration

In order to restore your Safe@Office appliance’s configuration from a configuration file, you must import the file.

To import the Safe@Office appliance configuration
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. Click Import. The Import Settings page appears.
3. Do one of the following:
• In the Import Settings field, type the full path to the configuration file.
Or
• Click Browse, and browse to the configuration file.
4. Click Upload.
A confirmation message appears.
5. Click OK. The Safe@Office appliance settings are imported. The Import Settings page displays the configuration file's content and the result of implementing each configuration command.

Resetting the Safe@Office Appliance to Defaults

You can reset the Safe@Office appliance to its default settings. When you reset your Safe@Office appliance, it reverts to the state it was originally in when you purchased it. You can choose to keep the current firmware or to revert to the firmware version that shipped with the Safe@Office appliance.

Warning: This operation erases all your settings and password information. You will have to set a new password and reconfigure your Safe@Office appliance for Internet connection. For information on performing these tasks, see Setting Up the Safe@Office Appliance on page 41.
You can reset the Safe@Office appliance to defaults via the Web management interface (software) or by manually pressing the Reset button (hardware) located at the back of the Safe@Office appliance.

To reset the Safe@Office appliance to factory defaults via the Web interface
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. Click Factory Settings. A confirmation message appears.
3. To revert to the firmware version that shipped with the appliance, select the check box.
4. Click OK.
• The Please Wait screen appears.
• The Safe@Office appliance returns to its factory defaults.
• The Safe@Office appliance is restarted (the PWR/SEC LED flashes quickly). This may take a few minutes.
• The Login page appears.

To reset the Safe@Office appliance to factory defaults using the Reset button
1. Make sure the Safe@Office appliance is powered on.
2. Using a pointed object, press the RESET button on the back of the Safe@Office appliance steadily for seven seconds and then release it.
3. Allow the Safe@Office appliance to boot-up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).
For information on the appliance's front and rear panels, see Getting to Know Your Safe@Office 100 Series on page 14 or Getting to Know Your Safe@Office 200 Series on page 17.

Warning: If you choose to reset the Safe@Office appliance by disconnecting the power cable and then reconnecting it, be sure to leave the Safe@Office appliance disconnected for at least three seconds, or the Safe@Office appliance might not function properly until you reboot it as described below.

Running Diagnostics

You can view technical information about your Safe@Office appliance’s hardware, firmware, license, network status, and Service Center. This information is useful for troubleshooting. You can copy and paste it into the body of an email and send it to technical support.
To run diagnostics
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. Click Diagnostics. Technical information about your Safe@Office appliance appears in a new window.
3. To refresh the contents of the window, click Refresh. The contents are refreshed.
4. To close the window, click Close.

Rebooting the Safe@Office Appliance

If your Safe@Office appliance is not functioning properly, rebooting it may solve the problem.

To reboot the Safe@Office appliance
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. Click Restart. A confirmation message appears.
3. Click OK.
• The Please Wait screen appears.
• The Safe@Office appliance is restarted (the PWR/SEC LED flashes quickly). This may take a few minutes.
• The Login page appears.
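Configuring Syslog Logging, earlier in this chapter, points the appliance at a Syslog server on UDP port 514. The collector below is an added example, not part of the Check Point guide: it assumes BSD-syslog (RFC 3164) framing, which the guide does not specify, and assumes the appliance logs from 192.168.10.1; the sample datagram is constructed.

```python
"""UDP syslog collector for appliance event logs (illustrative example)."""
import re
import socket
from ipaddress import ip_address
from typing import Optional

# Assumption: only the appliance may log here. 192.168.10.1 is the default
# appliance address mentioned in the guide; change it to match your network.
ALLOWED_SENDERS = {ip_address("192.168.10.1")}

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# Optional BSD-syslog header: "Mmm dd hh:mm:ss hostname "
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")
MAX_LEN = 1024  # RFC 3164 limits a packet to 1024 bytes; ignore any excess

# Constructed sample datagram; the appliance's real message text may differ.
CONSTRUCTED_SAMPLE = b"<134>Oct 11 22:14:15 192.168.10.1 constructed sample event"


def parse_datagram(data: bytes, sender: str) -> Optional[dict]:
    """Decode one syslog datagram; return None if it must be dropped."""
    # UDP syslog carries no authentication, so accept known senders only.
    # A source address can be spoofed; treat this as a coarse filter.
    if ip_address(sender) not in ALLOWED_SENDERS:
        return None
    match = PRI_RE.match(data)
    if match is None or int(match.group(1)) > 191:  # 23 * 8 + 7
        return None
    pri = int(match.group(1))
    text = data[match.end():MAX_LEN].decode("utf-8", errors="replace")
    # Replace control characters so a crafted message cannot forge extra
    # lines in the stored log.
    text = "".join(ch if ch.isprintable() else " " for ch in text).strip()
    record = {
        "sender": sender,
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": None,
        "host": None,
        "message": text,
    }
    header = HEADER_RE.match(text)
    if header:
        record["timestamp"] = header.group(1)
        record["host"] = header.group(2)
        record["message"] = text[header.end():]
    return record


def format_line(record: dict) -> str:
    """Render a parsed record as a single line for the log file."""
    return "{} {}.{} {} {} {}".format(
        record["sender"], record["facility"], record["severity"],
        record["timestamp"] or "-", record["host"] or "-", record["message"])


def serve(bind_addr: str = "0.0.0.0", port: int = 514,
          path: str = "appliance-events.log") -> None:
    """Receive datagrams until interrupted, appending accepted records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, \
            open(path, "a", encoding="utf-8") as out:
        sock.bind((bind_addr, port))  # ports below 1024 need privileges
        while True:
            data, (sender, _port) = sock.recvfrom(4096)
            record = parse_datagram(data, sender)
            if record is not None:
                out.write(format_line(record) + "\n")
                out.flush()


if __name__ == "__main__":
    serve()
```

Binding to port 514 needs elevated privileges on most systems; to avoid that, pass a higher port to serve() and enter the same value in the Syslog Port field.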
Chapter 13
Troubleshooting

This chapter provides solutions to common problems you may encounter while using the Safe@Office appliance.

This chapter includes the following topics:
Connectivity
Service Center and Upgrades
Other Problems

Connectivity

I cannot access the Internet. What should I do?
• Check if the PWR/SEC LED is green. If not, check the power connection to the Safe@Office appliance.
• Check if the WAN LINK/ACT LED is green. If not, check the network cable to the modem and make sure the modem is turned on.
• Check if the LAN LINK/ACT LED for the port used by your computer is green. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly. Try replacing the cable or connecting it to a different LAN port.
• Using your web browser, go to http://my.firewall and see whether "Connected" appears on the Status Bar. Make sure that your Safe@Office appliance network settings are configured as per your ISP directions.
• Check your TCP/IP configuration according to Installing and Setting up the Safe@Office Appliance on page 25.
• If Web Filtering or Email Anti Virus scanning are on, try turning them off.
• Check if you have defined firewall rules which block your Internet connectivity.
• Check with your ISP for possible service outage.
• Check whether you are exceeding the maximum number of computers allowed by your license, by following the procedure Viewing Computers on page 144.

I cannot access my DSL broadband connection. What should I do?
DSL equipment comes in two flavors: bridges (commonly known as DSL modems) and routers. Some DSL equipment can be configured to work both ways.
• If you connect to your ISP using a PPPoE or PPTP dialer defined in your operating system, your equipment is most likely configured as a DSL bridge. Configure a PPPoE or PPTP type DSL connection.
• If you were not instructed to configure a dialer in your operating system, your equipment is most likely configured as a DSL router. Configure a LAN connection, even if you are using a DSL connection.
For instructions, see Configuring the Internet Connection on page 57.
I cannot access my Cable broadband connection. What should I do?
• Some cable ISPs require you to register the MAC address of the device behind the cable modem. You may need to clone your Ethernet adapter MAC address onto the Safe@Office appliance. For instructions, see Configuring the Internet Connection on page 57.
• Some cable ISPs require using a hostname for the connection. Try reconfiguring your Internet connection and specifying a hostname. For further information, see Configuring the Internet Connection on page 57.

I cannot access http://my.firewall or http://my.vpn. What should I do?
• Verify that the Safe@Office appliance is operating (PWR/SEC LED is active).
• Check if the LAN LINK/ACT LED for the port used by your computer is on. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly.
Note: You may need to use a crossed cable when connecting the Safe@Office appliance to another hub/switch.
• Try surfing to 192.168.10.1 instead of to my.firewall.
Note: 192.168.10 is the default value, and it may vary if you changed it in the My Network page.
• Check your TCP/IP configuration according to Installing and Setting up the Safe@Office Appliance on page 25.
• Restart your Safe@Office appliance and your broadband modem by disconnecting the power and reconnecting after 5 seconds.
• If your web browser is configured to use an HTTP proxy to access the Internet, add "my.firewall" or "my.vpn" to your proxy exceptions list.
My network seems extremely slow. What should I do?
• The Ethernet cables may be faulty. For proper operation, the Safe@Office appliance requires STP CAT5 (Shielded Twisted Pair Category 5) Ethernet cables. Make sure that this specification is printed on your cables.
• Your Ethernet card may be faulty or incorrectly configured. Try replacing your Ethernet card.
• There may be an IP address conflict in your network. Check that the TCP/IP settings of all your computers are configured to obtain an IP address automatically.

I changed the network settings to incorrect values and am unable to correct my error. What should I do?
Reset the network to its default settings using the button on the back of the Safe@Office appliance unit. See Resetting the Safe@Office Appliance to Defaults on page 277.

I am using the Safe@Office appliance behind another NAT device, and I am having problems with some applications. What should I do?
By default, the Safe@Office appliance performs Network Address Translation (NAT). It is possible to use the Safe@Office appliance behind another device that performs NAT, such as a DSL router or Wireless router, but the device will block all incoming connections from reaching your Safe@Office appliance.
To fix this problem, do ONE of the following. (The solutions are listed in order of preference.)
• Consider whether you really need the router. The Safe@Office appliance can be used as a replacement for your router, unless you need it for some additional functionality that it provides, such as Wireless access.
• If possible, disable NAT in the router. Refer to the router’s documentation for instructions on how to do this.
• If the router has a “DMZ Computer” or “Exposed Host” option, set it to the Safe@Office appliance’s external IP address.
• Open the following ports in the NAT device:
  • UDP 9281/9282
  • UDP 500
  • TCP 256
  • TCP 264
  • ESP IP protocol 50
  • TCP 981

I cannot receive audio or video calls through the Safe@Office appliance. What should I do?
To enable audio/video, you must configure an IP Telephony (H.323) virtual server. For instructions, see Configuring Servers on page 152.

I run a public Web server at home but it cannot be accessed from the Internet. What should I do?
Configure a virtual Web Server. For instructions, see Configuring Servers on page 152.

I cannot connect to the LAN network from the DMZ network. What should I do?
By default, connections from the DMZ network to the LAN network are blocked. To allow traffic from the DMZ to the LAN, configure appropriate firewall rules. For instructions, see Using Rules on page 154.
Service Center and Upgrades

I purchased Safe@Office 110, but I only have Safe@Office 105 functionality. What should I do?
You have not installed your product key. For further information, see Upgrading Your Software Product on page 258.

I have exceeded my node limit. What does this mean? What should I do?
Your Product Key specifies a maximum number of nodes that you may connect to the Safe@Office appliance. The Safe@Office appliance tracks the cumulative number of nodes on the internal network that have communicated through the firewall. When the Safe@Office appliance encounters an IP address that exceeds the licensed node limit, the Active Computers page displays a warning message and marks nodes over the node limit in red. These nodes will not be able to access the Internet through the Safe@Office appliance, but will be protected. The Event Log page also warns you that you have exceeded the node limit.
To upgrade your Safe@Office appliance to support more nodes, purchase a new Product Key. Contact your reseller for upgrade information.

While trying to connect to a Service Center, I received the message “The Service Center did not respond”. What should I do?
• If you are using a Service Center other than the Check Point Service Center, check that the Service Center IP address is typed correctly.
• The Safe@Office appliance connects to the Service Center using UDP ports 9281/9282. If the Safe@Office appliance is installed behind another firewall, make sure that these ports are open.

Other Problems

I have forgotten my password. What should I do?
Reset your Safe@Office appliance to factory defaults using the Reset button as detailed in Resetting the Safe@Office Appliance to Defaults on page 277.
Why are the date and time displayed incorrectly?
In the Safe@Office 100 series, when a computer on the LAN connects to the Safe@Office Portal, the Safe@Office appliance adjusts its date and time to match that of the computer. If the date and time displayed in the Safe@Office Portal are incorrect, it probably means that the date and time on the computer connected to the Safe@Office Portal are incorrect.
In the Safe@Office 200 series, you can adjust the time on the Setup page's Tools tab. For information, see Setting the Time on the Appliance on page 267.

I cannot use a certain network application. What should I do?
Look at the Event Log page. If it lists blocked attacks, do the following:
• Turn the Safe@Office appliance security to Low and try again.
• If the application still does not work, set the computer on which you want to use the application to be the exposed host. For instructions, see Defining an Exposed Host on page 163.
When you have finished using the application, make sure to clear the exposed host setting, otherwise your security might be compromised.

I installed McAfee VirusScan ASaP, but the SecureDesk status message says "SecureDesk not installed". What should I do?
If you are using Windows XP, then the Windows XP firewall probably prevented VirusScan from being installed correctly. Do the following:
1. Uninstall McAfee VirusScan ASaP via the Control Panel.
2. Disable the Windows XP Internet Connection Firewall option.
3. Re-install McAfee VirusScan ASaP using the information in Installing McAfee VirusScan ASaP on page 184.
Chapter 14
Specifications

This chapter includes the following topics:
Technical Specifications
CE Declaration of Conformity
Federal Communications Commission Radio Frequency Interference Statement

Technical Specifications

Table 44: Safe@Office Appliance Attributes
Attribute | Safe@Office 105/110/255/225U | Safe@Office 300 | Safe@Office 300W
General
Dimensions (width x height x depth) | 20.32 x 3.05 x 12.19 cm (8 x 1.2 x 4.8 inches) | 20 x 3.1 x 13.24 cm (7.9 x 1.2 x 5.2 inches) | 20 x 3.1 x 15.5 cm (7.9 x 1.2 x 6.1 inches)
Weight | 0.7 kg (1.56 lbs) | 0.64 kg | 0.69 kg (1.55 lbs)
Supply voltage | 100VAC, 110VAC (90 to 132 VAC), 230VAC (200 to 265 VAC) | 100 ~ 240 VAC | 100 to 240VAC
Line voltage frequency, AC | 50/60 Hz (47 to 63 Hz) | 50/60 Hz | 50/60 Hz
Max. Power Consumption | 13.5W (100 series)/7.5W (200 series) | MAX 5.75W (MAX 1.15A) w/o external USB devices (USB – MAX 1A) | MAX 8W (MAX 1.6A) w/o external USB devices (USB – MAX 1A)
Retail box dimensions (width x height x depth) | 31 x 10 x 16 cm (12.4 x 4 x 6.4 inches) | 29 x 25 x 76 cm (11.4 x 9.8 x 3 inches) | 29 x 25 x 7.6 cm (11.4 x 9.8 x 3 inches)
Retail box weight | 1.3 kg (2.9 lbs) | 1.3 kg (2.9 lbs) | 1.35 kg (3 lbs)
Environmental Conditions
Temperature: Storage/Transport | - 20°C to +70°C | - 5°C to +70°C | - 5°C to +70°C
Temperature: Operation | + 5°C to +45°C | - 5°C ~ 50°C | - 5°C ~ 50°C
Humidity: Storage/Operation | 5% to 90% at 25°C (no condensation) | 0% ~ 90% | 0% ~ 90%
Applicable Standards
Shock & Vibration | ETSI 300 019-2-3 CLASS 3.1 & Bellcore GR 63 (NEBS) | CNS1219 C6343 | CNS1219 C6343
Safety | EN60950/IEC 60950 | EN60950/IEC 60950 | EN60950/IEC 60950
Quality | ISO9001 | ISO9001:2000, TL9000-HW R3.0, ISO14001, Ohsas18001: 1999 | ISO9001:2000, TL9000-HW R3.0, ISO14001, Ohsas18001: 1999
CE Declaration of Conformity

SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, hereby declares that this equipment is in conformity with the essential requirements specified in Article 3.1 (a) and 3.1 (b) of:
• Directive 89/336/EEC (EMC Directive)
• Directive 73/23/EEC (Low Voltage Directive – LVD)
• Directive 99/05/EEC (Radio Equipment and Telecommunications Terminal Equipment Directive)
In accordance with the following standards:

Table 45: Safe@Office Appliance Standards
Safe@Office 105/110/255/225U: EN 50081-1:1992, EN 50082-1:1997, EN 61000-6-1:2001, EN 61000-6-3:2001, EN 55022:1998, EN 55024:1998, EN 61000-3-2:1995
Safe@Office 300: EN55022:1994+A1:1995+A2:1997, EN 61000-3-2:2000, EN 61000-3-3:1995+A1:2001, EN55024:1998+A1:2001+A2:2003, IEC 61000-4-2:2001
Safe@Office 300W: EN 300 328 V 1.4.1 (2003-04), EN 301 489-1 V 1.4.1 (2002-08), EN 301 489-17 V 1.2.1 (2002-08), EN 55022:1994+A1:1995+A2 1997, Class B, EN 61000-3-2:2000, EN 61000-3-3:1995+A1:2001
Safe@Office 105/110/255/225U: EN 61000-3-3:1995, EN 61000-4-2:1995, EN 61000-4-3:1996/A2:2001, EN 61000-4-4:1995, EN 61000-4-5:1995, EN 61000-4-6:1996, EN 61000-4-7:1993, EN 61000-4-8:1993, EN 61000-4-9:1993, EN 61000-4-10:1993, EN 61000-4-11:1994, EN 61000-4-12:1995, EN 60950:1992
Safe@Office 300: IEC 61000-4-3:2002+A1:2002, IEC 61000-4-4:1995+A1:2002+A2:2001, IEC 61000-4-5:2001, IEC 61000-4-6:2001, IEC 61000-4-8:2001, IEC 61000-4-11:2001, EN 60950-1:2001
Safe@Office 300W: EN 61000-4-2:1995+A1:1998+A2:2001, EN 61000-4-3:1996+A1:1998+A2:2001, EN 61000-4-4:1995+A1:2001+A2:2001, EN 61000-4-5:1995+A1:2001, EN 61000-4-6:1996+A1:2001, EN 61000-4-11:1994+A1:2001, EN 60950-1:2001

The "CE" mark is affixed to this product to demonstrate conformance to the R&TTE Directive 99/05/EEC (Radio Equipment and Telecommunications Terminal Equipment Directive) and FCC Part 15 Class B.
The product has been tested in a typical configuration.

For a copy of the Original Signed Declaration (in full conformance with EN45014), please contact SofaWare at the above address.

Federal Communications Commission Radio Frequency Interference Statement

This equipment complies with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications.

Shielded cables must be used with this equipment to maintain compliance with FCC regulations. Changes or modifications not expressly approved by the manufacturer could void the user’s authority to operate the equipment.

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

This Class B digital apparatus complies with Canadian ICES-003.
Glossary of Terms

A

ADSL Modem
A device connecting a computer to the Internet via an existing phone line. ADSL (Asymmetric Digital Subscriber Line) modems offer a high-speed 'always-on' connection.

C

CA
The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguishing Name (DN) (identifying information) of the entity, as well as the public key (information about itself), and possibly the IP address. After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves using the public keys in the certificates.

Cable Modem
A device connecting a computer to the Internet via the cable television network. Cable modems offer a high-speed 'always-on' connection.

Certificate Authority
The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguishing Name (DN) (identifying information) of the entity, as well as the public key (information about itself), and possibly the IP address. After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves using the public keys in the certificates.

Cracking
An activity in which someone breaks into someone else's computer system, bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security. The end result is that whatever resides on the computer can be viewed and
sensitive data can be stolen without anyone knowing about it. Sometimes, tiny programs are 'planted' on the computer that are designed to watch out for, seize and then transmit to another computer, specific types of data.

D

DHCP
Any machine requires a unique IP address to connect to the Internet using Internet Protocol. Dynamic Host Configuration Protocol (DHCP) is a communications protocol that assigns Internet Protocol (IP) addresses to computers on the network. DHCP uses the concept of a "lease" or amount of time that a given IP address will be valid for a computer.

DMZ
A DMZ (demilitarized zone) is an internal network defined in addition to the LAN network and protected by the Safe@Office appliance.

DNS
The Domain Name System (DNS) refers to the Internet domain names, or easy-to-remember "handles", that are translated into IP addresses. An example of a Domain Name is 'www.sofaware.com'.

Domain Name System
The Domain Name System (DNS) refers to the Internet domain names, or easy-to-remember "handles", that are translated into IP addresses. An example of a Domain Name is 'www.sofaware.com'.

E

Exposed Host
An exposed host allows one computer to be exposed to the Internet. An example of using an exposed host would be exposing a public server, while preventing outside users from getting direct access from this server back to the private network.

F

Firmware
Software embedded in a device.

G

Gateway
A network point that acts as an entrance to another network.
H

Hacking
An activity in which someone breaks into someone else's computer system, bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security. The end result is that whatever resides on the computer can be viewed and sensitive data can be stolen without anyone knowing about it. Sometimes, tiny programs are 'planted' on the computer that are designed to watch out for, seize and then transmit to another computer, specific types of data.

HTTPS
Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. A protocol for accessing a secure Web server. It uses SSL as a sublayer under the regular HTTP application. This directs messages to a secure port number rather than the default Web port number, and uses a public key to encrypt data. HTTPS is used to transfer confidential user information.

Hub
A device with multiple ports, connecting several PCs or network devices on a network.

I

IP Address
An IP address is a 32-bit number that identifies each computer sending or receiving data packets across the Internet. When you request an HTML page or send e-mail, the Internet Protocol part of TCP/IP includes your IP address in the message and sends it to the IP address that is obtained by looking up the domain name in the Uniform Resource Locator you requested or in the e-mail address you're sending a note to. At the other end, the recipient can see the IP address of the Web page requestor or the e-mail sender and can respond by sending another message using the IP address it received.

IP Spoofing
A technique where an attacker attempts to gain unauthorized access through a false source address to make it appear as though communications have originated in a part of the network with higher access privileges. For example, a packet originating on the Internet may
be masquerading as a local packet with the source IP address of an internal host. The firewall can protect against IP spoofing attacks by limiting network access based on the gateway interface from which data is being received.

IPSEC
IPSEC is the leading Virtual Private Networking (VPN) standard. IPSEC enables individuals or offices to establish secure communication channels ('tunnels') over the Internet.

ISP
An ISP (Internet service provider) is a company that provides access to the Internet and other related services.

L

LAN
A local area network (LAN) is a group of computers and associated devices that share a common communications line and typically share the resources of a single server within a small geographic area.

M

MAC Address
The MAC (Media Access Control) address is a computer's unique hardware number. When connected to the Internet from your computer, a mapping relates your IP address to your computer's physical (MAC) address on the LAN.

Mbps
Megabits per second. Measurement unit for the rate of data transmission.

MTU
The Maximum Transmission Unit (MTU) is a parameter that determines the largest datagram that can be transmitted by an IP interface (without it needing to be broken down into smaller units). The MTU should be larger than the largest datagram you wish to transmit un-fragmented. Note: This only prevents fragmentation locally. Some other link in the path may have a smaller MTU - the datagram will be fragmented at that point. Typical values are 1500 bytes for an Ethernet interface or 1452 for a PPP interface.

N

NAT
Network Address Translation (NAT) is the translation or mapping of an IP address to a different IP address. NAT can be
used to map several internal IP addresses to a single IP address, thereby sharing a single IP address assigned by the ISP among several PCs. Check Point FireWall-1's Stateful Inspection Network Address Translation (NAT) implementation supports hundreds of pre-defined applications, services, and protocols, more than any other firewall vendor.

NetBIOS
NetBIOS is the networking protocol used by DOS and Windows machines.

P

Packet
A packet is the basic unit of data that flows from one source on the Internet to another destination on the Internet. When any file (e-mail message, HTML file, GIF file etc.) is sent from one place to another on the Internet, the file is divided into "chunks" of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file at the receiving end.

PPPoE
PPPoE (Point-to-Point Protocol over Ethernet) enables connecting multiple computer users on an Ethernet local area network to a remote site or ISP, through common customer premises equipment (e.g. modem).

PPTP
The Point-to-Point Tunneling Protocol (PPTP) allows extending a local network by establishing private “tunnels” over the Internet. This protocol is also used by some DSL providers as an alternative for PPPoE.

R

RJ-45
The RJ-45 is a connector for digital transmission over ordinary phone wire.

Router
A router is a device that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks.
S

Server
A server is a program (or host) that awaits and fulfills requests from client programs across the network. For example, a Web server is the computer program, running on a specific host, that serves requested HTML pages or files. Your browser is the client program, in this case.

Stateful Inspection
Stateful Inspection was invented by Check Point to provide the highest level of security by examining every layer within a packet, unlike other systems of inspection. Stateful Inspection extracts information required for security decisions from all application layers and retains this information in dynamic state tables for evaluating subsequent connection attempts. In other words, it learns!

Subnet Mask
A 32-bit identifier indicating how the network is split into subnets. The subnet mask indicates which part of the IP address is the host ID and which indicates the subnet.

T

TCP
TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet. For example, when an HTML file is sent to you from a Web server, the Transmission Control Protocol (TCP) program layer in that server divides the file into one or more packets, numbers the packets, and then forwards them individually to the IP program layer. Although each packet has the same destination IP address, it may get routed differently through the network. At the other end (the client program in your computer), TCP reassembles the individual packets and waits until they have arrived to forward them to you as a single file.
TCP/IP
TCP/IP (Transmission Control Protocol/Internet Protocol) is the underlying communication protocol of the Internet.

U

UDP
UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP. Like the Transmission Control Protocol, UDP uses the Internet Protocol to actually get a data unit (called a datagram) from one computer to another. Unlike TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. UDP is often used for applications such as streaming data.

URL
A URL (Uniform Resource Locator) is the address of a file (resource) accessible on the Internet. The type of resource depends on the Internet application protocol. On the Web (which uses the Hypertext Transfer Protocol), an example of a URL is 'http://www.sofaware.com'.

V

VPN
A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.

VPN tunnel
A secure connection between a Remote Access VPN Client and a Remote Access VPN Server.

W

WLAN
A WLAN is a wireless local area network protected by the Safe@Office appliance.