SofaWare Technologies SBXW-166LHGE-4 Wireless Broadband Router User Manual Internet Security Appliance
SofaWare Technologies Ltd. Wireless Broadband Router Internet Security Appliance
Contents
- 1. DoC Revised
- 2. Users Manual Part 1
- 3. Users Manual Part 2
Users Manual Part 2
| Download: |  |
| Mirror Download [FCC.gov] | |
| Document ID | 476793 |
| Application ID | hNmiA0DNHFRxuAcoMpK4mw== |
| Document Description | Users Manual Part 2 |
| Short Term Confidential | No |
| Permanent Confidential | No |
| Supercede | No |
| Document Type | User Manual |
| Display Format | Adobe Acrobat PDF - pdf |
| Filesize | 250.56kB (3131938 bits) |
| Date Submitted | 2004-10-06 00:00:00 |
| Date Available | 2004-10-06 00:00:00 |
| Creation Date | 2004-09-17 10:27:48 |
| Producing Software | Acrobat Distiller 6.0 (Windows) |
| Document Lastmod | 2004-09-17 10:28:17 |
| Document Title | Internet Security Appliance |
| Document Creator | (Acrobat PDFMaker 6.0 for Word) |
| Document Author: | Part No: 700797, June 2004 |
Using Static Routes
c. Click Apply.
The changes are saved.
Deleting a Static Route
Note: The “default” route cannot be deleted.
To delete a static route
1. Click Network in the main menu, and click the Routes tab.
The Static Routes page appears, with a listing of existing static routes.
2. In the desired route row, click the Delete
A confirmation message appears.
3. Click OK.
The route is deleted.
140
Check Point Safe@Office User Guide
icon.
Viewing the Event Log
Chapter 6
Viewing Reports
This chapter describes the Safe@Office Portal reports.
This chapter includes the following topics:
Viewing the Event Log....................................................................... 141
Viewing Computers............................................................................ 144
Viewing Connections ......................................................................... 147
Viewing the Event Log
You can track network activity using the Event Log. The Event Log displays
the most recent events and color codes them.
Table 20: Event Log Color Coding
An event marked in
Indicates…
Blue
Changes in your setup that you have made
this color…
yourself or as a result of a security update
implemented by your Service Center
Red
Connection attempts that were blocked by your
firewall.
Orange
Connection attempts that were blocked by your
custom security rules
Chapter 6: Viewing Reports
141
Viewing the Event Log
An event marked in
Indicates…
Green
Traffic accepted by the firewall.
this color…
By default, accepted traffic is not logged.
However, such traffic may be logged if specified
by a security policy downloaded from your
Service Center.
The logs detail the date and the time the event occurred, and its type. If the
event is a communication attempt that was rejected by the firewall, the event
details include the source and destination IP address, the destination port, and
the protocol used for the communication attempt (for example, TCP or UDP).
Note: You can configure the Safe@Office appliance to send event logs
to a Syslog server. For information, see Configuring Syslog Logging
on page 263.
142
Check Point Safe@Office User Guide
Viewing the Event Log
To view the event log
• Click Reports in the main menu, and click the Event Log tab.
The Event Log page appears.
You can do any of the following:
• Click the Refresh button to refresh the display.
• Click the Clear button to clear all events.
• If an event is highlighted in red, indicating a blocked attack on
your network, you can display the attacker’s details, by clicking
on the IP address of the attacking machine.
The Safe@Office appliance queries the Internet WHOIS server, and a
window displays the name of the entity to whom the IP address is
registered and their contact information. This information is useful in
tracking down hackers.
Chapter 6: Viewing Reports
143
Viewing Computers
Viewing Computers
This option allows you to view the currently active computers on your
network. The active computers are graphically displayed, each with its name,
IP address, and settings (DHCP, Static, etc.). You can also view node limit
information.
To view the active computers
1. Click Reports in the main menu, and click the Active Computers tab.
The Active Computers page appears.
If you configured High Availability, both the master and backup
appliances are shown.
If you are using Safe@Office 300W, the following is displayed next to
wireless computers:
• Transmission rate in Mbps
144
Check Point Safe@Office User Guide
Viewing Computers
• Signal strength in dB
• An information icon - You can mouse-over this icon to see the
following statistics:
Frames OK - The total number of frames that were successfully
transmitted and received
Errors - The total number of transmitted and received frames for
which an error occurred
Discarded/Dropped Frames - The total number of discarded or dropped
frames transmitted and received
Unicast Frames - The number of unicast frames transmitted and
received
Broadcast Frames - The number of broadcast frames transmitted and
received
Multicast Frames - The number of multicast frames transmitted and
received
If you are subscribed to SecureDesk, a status message next to each
computer indicates whether the computer complies with the SecureDesk
security level conditions. For information on SecureDesk, see Using
SecureDesk on page 183. For an explanation of the status messages, see
SecureDesk Status Messages on page 191.
If you are exceeding the maximum number of computers allowed by your
license, a warning message appears, and the computers over the node
limit are marked in red. These computers are still protected, but they are
blocked from accessing the Internet through the Safe@Office appliance.
Note: Computers that did not communicate through the firewall are not
counted for node limit purposes, even though they are protected by the
firewall.
Chapter 6: Viewing Reports
145
Viewing Computers
Note: To increase the number of computers allowed by your license, you
must upgrade your product. For further information, see Upgrading
Your Software Product on page 258.
2. To refresh the display, click Refresh.
3. To view node limit information, do the following:
a. Click Node Limit.
The Node Limit window appears with installed software product and
the number of nodes used.
b. Click Close to close the window.
146
Check Point Safe@Office User Guide
Viewing Connections
Viewing Connections
This option allows you to view the currently active connections between your
network and the external world. The active connections are displayed as a
list, specifying source IP address, destination IP address and port, and the
protocol used (TCP, UDP, etc.).
To view the active connections
• Click Reports in the main menu, and click the Active Connections
tab.
The Active Connections page appears.
You can do the following:
• Click the Refresh button to refresh the display.
• To view information on the destination machine, click its IP
address.
The Safe@Office appliance queries the Internet WHOIS server, and a
window displays the name of the entity to whom the IP address is
registered and their contact information.
Chapter 6: Viewing Reports
147
Viewing Connections
148
Check Point Safe@Office User Guide
Setting the Firewall Security Level
Chapter 7
Setting Your Security Policy
This chapter describes how to set up your Safe@Office appliance security
policy.
You can enhance your security policy by subscribing to services such as Web
Filtering and Email Antivirus scanning. You can also subscribe to
SecureDesk, which includes and enforces the use of McAfee VirusScan
ASaP Web-based antivirus service.
For information on subscribing to services and SecureDesk, see Using
Subscription Services on page 165.
This chapter includes the following topics:
Setting the Firewall Security Level .................................................... 149
Configuring Servers............................................................................ 152
Using Rules ........................................................................................ 154
Defining an Exposed Host.................................................................. 163
Setting the Firewall Security Level
The firewall security level can be controlled using a simple lever available on
the Firewall page. You can set the lever to three states.
Chapter 7: Setting Your Security Policy
149
Setting the Firewall Security Level
Table 21: Firewall Security Levels
This
Does this…
Further Details
Low
Enforces basic control on
All inbound traffic is blocked
incoming connections,
to the external Safe@Office
while permitting all
appliance IP address, except
outgoing connections.
for ICMP echoes ("pings").
level…
All outbound connections are
allowed.
Medium
Enforces strict control on
All inbound traffic is blocked.
all incoming connections,
while permitting safe
outgoing connections.
All outbound traffic is allowed
to the Internet except for
Windows file sharing (NBT
This is the default level
ports 137, 138, 139 and 445).
and is recommended for
most cases. Leave it
unchanged unless you
have a specific need for a
higher or lower security
level.
150
Check Point Safe@Office User Guide
Setting the Firewall Security Level
This
Does this…
Further Details
High
Enforces strict control on
All inbound traffic is blocked.
level…
all incoming and outgoing
Restricts all outbound traffic
connections.
except for the following: Web
traffic (HTTP, HTTPS), email
(IMAP, POP3, SMTP), ftp,
newsgroups, Telnet, DNS,
IPSEC IKE and VPN traffic.
Note: If the security policy is remotely managed, this lever might be
disabled.
Note: The definitions of firewall security levels provided in this table
represent the Safe@Office appliance’s default security policy. Security
updates downloaded from a Service Center may alter this policy and
change these definitions.
Chapter 7: Setting Your Security Policy
151
Configuring Servers
To change the firewall security level
1. Click Security in the main menu, and click the Firewall tab.
The Firewall page appears.
2. Drag the security lever to the desired level.
The Safe@Office appliance security level changes accordingly.
Configuring Servers
Note: If you do not intend to host any public Internet servers (Web
Server, Mail Server etc.) in your network, you can skip this section.
Using the Safe@Office Portal, you can selectively allow incoming network
connections into your network. For example, you can set up your own Web
server, Mail server or FTP server.
152
Check Point Safe@Office User Guide
Configuring Servers
Note: Configuring servers allows you to create simple Allow and Forward
rules for common services, and it is equivalent to creating Allow and
Forward rules in the Rules page. For information on creating rules, see
Using Rules on page 154.
To allow a service to be run on a specific host
1. Click Security in the main menu, and click the Servers tab.
The Servers page appears, displaying a list of services and a host IP
address for each allowed service.
2. Complete the fields using the information in the table below.
3. Click Apply.
A success message appears, and the selected computer is allowed to run
the desired service or application.
Table 22: Servers Page Fields
In this
Do this…
Allow
Select the desired service or application.
column…
Chapter 7: Setting Your Security Policy
153
Using Rules
In this
Do this…
VPN Only
Select this option to allow only connections made
column…
through a VPN.
Host IP
Type the IP address of the computer that will run the
service (one of your network computers) or click the
corresponding This Computer button to allow your
computer to host the service.
To stop the forwarding of a service to a specific host
1. Click Security in the main menu, and click the Servers tab.
The Servers page appears, displaying a list of services and a host IP
address for each allowed service.
2. In the desired service or application’s row, click Clear.
The Host IP field of the desired service is cleared.
3. Click Apply.
The service or application is not allowed on the specific host.
Using Rules
The Safe@Office appliance checks the protocol used, the ports range, and the
destination IP address, when deciding whether to allow or block traffic. By
default, in the Medium security level, the Safe@Office appliance blocks all
connection attempts from the Internet (WAN) to the LAN, and allows all
outgoing connection attempts from the LAN to the Internet (WAN).
154
Check Point Safe@Office User Guide
Using Rules
User-defined rules have priority over the default rules and provide you with
greater flexibility in defining and customizing your security policy.
The following rule types exist:
Table 23: Firewall Rule Types
Rule
Description
Allow and
This rule type enables you to do the following:
Forward
•
Permit incoming access from the Internet to
a specific service in your internal network.
•
Forward all such connections to a specific
computer in your network.
•
Redirect the specified connections to a
specific port. This option is called Port
Address Translation (PAT).
Creating an Allow and Forward rule is equivalent to
defining a server in the Servers page.
Note: You must use this type of rule to allow incoming
connections if your network uses Hide NAT.
Note: You cannot specify two Allow and Forward rules that
forward the same service to two different destinations.
Chapter 7: Setting Your Security Policy
155
Using Rules
Rule
Description
Allow
This rule type enables you to do the following:
•
Permit outgoing access from your internal
network to a specific service on the Internet.
Note: You can allow outgoing connections for
services that are not permitted by the default
security policy.
•
Permit incoming access from the Internet to
a specific service in your internal network.
•
Assign traffic to a QoS class.
If Traffic Shaper is enabled for the direction
of traffic specified in the rule (incoming or
outgoing), then Traffic Shaper will handle
relevant connections as specified in the
bandwidth policy for the selected QoS class.
For example, if Traffic Shaper is enabled for
outgoing traffic, and you create an Allow rule
associating all outgoing Web traffic with the
Urgent QoS class, then Traffic Shaper will
handle outgoing Web traffic as specified in
the bandwidth policy for the Urgent class.
For information on Traffic Shaper and QoS
classes, see Using Traffic Shaper on page
120.
This option is only available in Safe@Office
225.
Note: You cannot use an Allow rule to permit incoming
traffic, if the network or VPN uses Hide NAT. However,
you can use Allow rules for static NAT IP addresses.
Block
156
This rule type enables you to do the following:
•
Block outgoing access from your internal
network to a specific service on the Internet.
•
Block incoming access from the Internet to a
specific service in your internal network.
Check Point Safe@Office User Guide
Using Rules
Adding and Editing Rules
To add or edit a rule
1. Click Security in the main menu, and click the Rules tab.
The Rules page appears.
If you are using Safe@Office 105 or 110, the QoS column does not
appear.
2. Click Add Rule.
Chapter 7: Setting Your Security Policy
157
Using Rules
The Safe@Office Firewall Rule wizard opens, with the Step 1: Rule Type
dialog box displayed.
3. Select the type of rule you want to create.
4. Click Next.
The Step 2: Service dialog box appears.
The example below shows an Allow rule.
5. Complete the fields using the relevant information in the table
below.
6. Click Next.
158
Check Point Safe@Office User Guide
Using Rules
The Step 3: Destination and Source dialog box appears.
7. Complete the fields using the relevant information in the table
below.
The Step 4: Done dialog box appears.
8. Click Finish.
The new rule appears in the Firewall Rules page.
Chapter 7: Setting Your Security Policy
159
Using Rules
Table 24: Firewall Rule Fields
In this field…
Do this…
Any Service
Click this option to specify that the rule should apply to
any service.
Standard
Click this option to specify that the rule should apply to
Service
a specific standard service.
You must then select the desired service from the
drop-down list.
Custom Service
Click this option to specify that the rule should apply to
a specific non-standard service.
The Protocol and Port Range fields are enabled. You
must fill them in.
Protocol
Select the protocol (ESP, GRE, TCP, UDP or ANY) for
which the rule should apply.
Ports
To specify the port range to which the rule applies,
type the start port number in the left text box, and the
end port number in the right text box.
Note: If you do not enter a port range, the rule will apply
to all ports. If you enter only one port number, the
range will include only that port.
160
Check Point Safe@Office User Guide
Using Rules
In this field…
Do this…
Source
Select the source of the connections you want to
allow/block.
To specify an IP address, select Specified IP and type
the desired IP address in the filed provided.
To specify an IP address range, select Specified Range
and type the desired IP address range in the fields
provided.
Destination
Select the destination of the connections you want to
allow or block.
To specify an IP address, select Specified IP and type
the desired IP address in the text box.
To specify an IP address range, select Specified Range
and type the desired IP address range in the fields
provided. This option is not available in Allow and
Forward rules.
Chapter 7: Setting Your Security Policy
161
Using Rules
In this field…
Do this…
Quality of
Select the QoS class to which you want to assign the
Service Class
specified connections.
If Traffic Shaper is enabled, Traffic Shaper will handle
these connections as specified in the bandwidth policy
for the selected QoS class. If Traffic Shaper is not
enabled, this setting is ignored. For information on
Traffic Shaper and QoS classes, see Using Traffic
Shaper on page 120.
This drop-down list only appears when defining an Allow
rule in Safe@Office 225. It contains all QoS classes
defined in the portal.
Redirect to port
Select this option to redirect the connections to a
specific port.
You must then type the desired port in the field
provided.
This option is called Port Address Translation (PAT),
and is only available when defining an Allow and
Forward rule.
162
Check Point Safe@Office User Guide
Defining an Exposed Host
Deleting Rules
To delete an existing rule
1. Click Security in the main menu, and click the Rules tab.
The Rules page appears.
2. Click the
icon of the rule you wish to delete.
A confirmation message appears.
3. Click OK.
The rule is deleted.
Defining an Exposed Host
The Safe@Office appliance allows you to define an exposed host, which is a
computer that is not protected by the firewall. This is useful for setting up a
public server. It allows unlimited incoming and outgoing connections
between the Internet and the exposed host computer.
The exposed host receives all traffic that was not forwarded to another
computer by use of Allow and Forward rules.
Warning - Entering an IP address may make the designated computer
vulnerable to hacker attacks. Defining an exposed host is not
recommended unless you are fully aware of the security risks.
To define a computer as an exposed host
1. Click Security in the main menu, and click the Exposed Host tab.
Chapter 7: Setting Your Security Policy
163
Defining an Exposed Host
The Exposed Host page appears.
2. In the Exposed Host field, type the IP address of the computer you
wish to define as an exposed host. Alternatively, you can click This
Computer to define your computer as the exposed host.
3. Click Apply.
The selected computer is now defined as an exposed host.
164
Check Point Safe@Office User Guide
Connecting to a Service Center
Chapter 8
Using Subscription Services
This chapter explains how to start subscription services, and how to use
Software Updates, Web Filtering, and Email Antivirus services.
For information on using the SecureDesk service, see Using SecureDesk on
page 183.
Note: Check with your reseller regarding availability of subscription
services, or surf to www.sofaware.com/servicecenters to locate your
nearest Service Center.
This chapter includes the following topics:
Connecting to a Service Center .......................................................... 165
Viewing Services Information............................................................ 169
Refreshing Your Service Center Connection...................................... 171
Configuring Your Account................................................................. 171
Disconnecting from Your Service Center........................................... 172
Web Filtering...................................................................................... 172
Virus Scanning ................................................................................... 175
Automatic and Manual Updates ......................................................... 179
Connecting to a Service Center
To connect to a Service Center
1. Click Services in the main menu, and click the Account tab.
Chapter 8: Using Subscription Services
165
Connecting to a Service Center
The Account page appears.
2. In the Service Account area, click Connect.
The Safe@Office Services Wizard opens, with the Service Center dialog
box displayed.
3. Make sure the Connect to a different Service Center check box is
selected.
166
Check Point Safe@Office User Guide
Connecting to a Service Center
4. Do one of the following:
• To connect to the SofaWare Service Center, select
usercenter.sofaware.com.
• To specify a Service Center, select Specified IP and then in the
Specified IP field, enter the desired Service Center’s IP address, as
given to you by your system administrator.
5. Click Next.
• The Connecting… screen appears.
• If the Service Center requires authentication, the Service Center
Login dialog box appears.
Enter your gateway ID and registration key in the appropriate fields,
as given to you by your service provider, then click Next.
• The Connecting… screen appears.
Chapter 8: Using Subscription Services
167
Connecting to a Service Center
• The Confirmation dialog box appears with a list of services to
which you are subscribed.
6. Click Next.
The Done screen appears with a success message.
7. Click Finish.
The following things happen:
• If a new firmware is available, the Safe@Office appliance may
start downloading it. This may take several minutes. Once the
download is complete, the Safe@Office appliance restarts using
the new firmware.
• The Welcome page appears.
168
Check Point Safe@Office User Guide
Viewing Services Information
• The services to which you are subscribed are now available on
your Safe@Office appliance and listed as such on the Account
page. See Viewing Services Information on page 169 for further
information.
• The Services submenu includes the services to which you are
subscribed.
Viewing Services Information
The Account page displays the following information about your
subscription.
Chapter 8: Using Subscription Services
169
Viewing Services Information
Table 25: Account Page Fields
This field…
Displays…
Service Center
The name of the Service Center to which you are
Name
connected (if known).
Gateway ID
Your gateway ID.
Subscription will
The date on which your subscription to services will
end on
end.
Service
The services available in your service plan.
Subscription
The status of your subscription to each service:
Status
•
Subscribed
•
Not Subscribed
The status of each service:
Information
•
Connected. You are connected to the
service through the Service Center.
•
N/A. The service is not available.
The mode to which each service is set.
If you are subscribed to Dynamic DNS, this field
displays your gateway's domain name.
For further information, see Using SecureDesk on
page 183 , Web Filtering on page 172, Virus
Scanning on page 175, and Automatic and
Manual Updates on page 179.
170
Check Point Safe@Office User Guide
Refreshing Your Service Center Connection
Refreshing Your Service Center
Connection
This option restarts your Safe@Office appliance’s connection to the Service
Center and refreshes your Safe@Office appliance’s service settings.
To refresh your Service Center connection
1. Click Services in the main menu, and click the Account tab.
The Account page appears.
2. In the Service Account area, click Refresh.
The Safe@Office appliance reconnects to the Service Center.
Your service settings are refreshed.
Configuring Your Account
This option allows you to access your Service Center Web site, which may
offer additional configuration options for your account.
To configure your account
1. Click Services in the main menu, and click the Account tab.
The Account page appears.
2. In the Service Account area, click Configure.
Note: If no additional settings are available from your Service Center,
this button will not appear.
Chapter 8: Using Subscription Services
171
Disconnecting from Your Service Center
Your Service Center Web site opens.
3. Follow the on-screen instructions.
Disconnecting from Your Service Center
If desired, you can disconnect from your Service Center.
To disconnect from your Service Center
1. Click Services in the main menu, and click the Account tab.
The Account page appears.
2. In the Service Account area, click Connect.
The Safe@Office Services Wizard opens, with the first Subscription
Services dialog box displayed.
3. Clear the Connect to a different Service Center check box.
4. Click Next.
The Done screen appears with a success message.
5. Click Finish.
The following things happen:
• You are disconnected from the Service Center.
• The services to which you were subscribed are no longer available
on your Safe@Office appliance.
Web Filtering
When the Web Filtering service is enabled, access to Web content is
restricted according to the categories specified under Allow Categories.
Authorized users will be able to view Web pages with no restrictions, only
172
Check Point Safe@Office User Guide
Web Filtering
after they have provided the administrator password via the Web Filtering
pop-up window.
Note: Web Filtering is only available if you are connected to a Service
Center and subscribed to this service.
Enabling/Disabling Web Filtering
Note: If you are remotely managed, contact your Service Center to
change these settings.
To enable/disable Web Filtering
1. Click Services in the main menu, and click the Web Filtering tab.
The Web Filtering page appears.
2. Drag the On/Off lever upwards or downwards.
Web Filtering is enabled/disabled for all internal network computers.
Chapter 8: Using Subscription Services
173
Web Filtering
Selecting Categories for Blocking
You can define which types of Web sites should be considered appropriate
for your family or office members, by selecting the categories. Categories
will remain visible, while categories marked with
will be
marked with
blocked and will require the administrator password for viewing.
Note: If you are remotely managed, contact your Service Center to
change these settings.
To allow/block a category
1. In the Allow Categories area, click
category.
or
next to the desired
2. Click Apply.
Temporarily Disabling Web Filtering
If desired, you can temporarily disable the Web Filtering service.
To temporarily disable Web Filtering
1. Click Services in the main menu, and click the Web Filtering tab.
The Web Filtering page appears.
2. Click Snooze.
• Web Filtering is temporarily disabled for all internal network
computers.
174
Check Point Safe@Office User Guide
Virus Scanning
• The Snooze button changes to Resume.
• The Web Filtering Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window,
or on the Web Filtering page.
• The service is re-enabled for all internal network computers.
• If you clicked Resume in the Web Filtering page, the button
changes to Snooze.
• If you clicked Resume in the Web Filtering Off popup window, the
popup window closes.
Virus Scanning
When the Email Antivirus service is enabled, your email is automatically
scanned for the detection and elimination of all known viruses and vandals.
Chapter 8: Using Subscription Services
175
Virus Scanning
Note: Email Antivirus is only available if you are connected to a Service
Center and subscribed to this service.
Enabling/Disabling Email Antivirus
Note: If you are remotely managed, contact your Service Center to
change these settings.
To enable/disable Email Antivirus
1. Click Services in the main menu, and click the Email Antivirus tab.
The Email Antivirus page appears.
2. Drag the On/Off lever upwards or downwards.
Email Antivirus is enabled/disabled for all internal network computers.
176
Check Point Safe@Office User Guide
Virus Scanning
Selecting Protocols for Scanning
If you are locally managed, you can define which protocols should be
scanned for viruses:
• Email retrieving (POP3). If enabled, all incoming email in the POP3
protocol will be scanned
• Email sending (SMTP). If enabled, all outgoing email will be
scanned
Protocols marked with
not.
will be scanned, while those marked with
will
Note: If you are remotely managed, contact your Service Center to
change these settings.
To enable virus scanning for a protocol
1. In the Protocols area, click
or
next to the desired protocol.
2. Click Apply.
Temporarily Disabling Email Antivirus
If you are having problems sending or receiving email you can temporarily
disable the Email Antivirus service.
To temporarily disable Email Antivirus
1. Click Services in the main menu, and click the Email Antivirus tab.
The Email Antivirus page appears.
Chapter 8: Using Subscription Services
177
Virus Scanning
2. Click Snooze.
• Email Antivirus is temporarily disabled for all internal network
computers.
• The Snooze button changes to Resume.
• The Email Antivirus Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window,
or on the Email Antivirus page.
• The service is re-enabled for all internal network computers.
• If you clicked Resume in the Email Antivirus page, the button
changes to Snooze.
• If you clicked Resume in the Email Antivirus Off popup window,
the popup window closes.
178
Check Point Safe@Office User Guide
Automatic and Manual Updates
Automatic and Manual Updates
The Software Updates service enables you to check for new security and
software updates.
Note: Software Updates are only available if you are connected to a
Service Center and subscribed to this service.
Checking for Software Updates when
Locally Managed
If your Safe@Office appliance is locally managed, you can set it to
automatically check for software updates, or you can set it so that software
updates must be checked for manually.
To configure software updates when locally managed
1. Click Services in the main menu, and click the Software Updates
tab.
The Software Updates page appears.
Chapter 8: Using Subscription Services
179
Automatic and Manual Updates
2. To set the Safe@Office appliance to automatically check for and
install new software updates, drag the Automatic/Manual lever
upwards.
The Safe@Office appliance checks for new updates and installs them
according to its schedule.
Note: When the Software Updates service is set to Automatic, you can
still manually check for updates.
3. To set the Safe@Office appliance so that software updates must be
checked for manually, drag the Automatic/Manual lever downwards.
The Safe@Office appliance does not check for software updates
automatically.
4. To manually check for software updates, click Update Now.
The system checks for new updates and installs them.
Checking for Software Updates When
Remotely Managed
If your Safe@Office appliance is remotely managed, it automatically checks
for software updates and installs them without user intervention. However,
you can still check for updates manually, if needed.
To manually check for security and software updates
1. Click Services in the main menu, and click the Software Updates
tab.
180
Check Point Safe@Office User Guide
Automatic and Manual Updates
The Software Updates page appears.
2. Click Update Now.
The system checks for new updates and installs them.
Chapter 8: Using Subscription Services
181
Automatic and Manual Updates
Chapter 9
Using SecureDesk
SecureDesk allows you to make access through the firewall conditional upon
the state of a computer's antivirus software. For example, you can configure
SecureDesk to allow access for computers on which the antivirus software is
enabled but not up-to-date, or to block access for computers on which the
antivirus software is up-to-date, but not the most recent build. SecureDesk
enables you to quickly and easily install and update antivirus software on all
computers in the network simultaneously and reports the status of the
antivirus software on each computer.
SecureDesk requires that you install McAfee VirusScan ASaP, a Web-based
antivirus service included in the SecureDesk subscription service.
SecureDesk monitors the state of the installed VirusScan virus signatures,
agent, and engine, and blocks access through the firewall if they do not match
the security level set in the Safe@Office Portal. Authorized users can
override the block by providing the administrator password via a pop-up
window.
If desired, you can disable SecureDesk for a specific computer or network.
For example, you might want to disable SecureDesk for a printer with an IP
address, or for a computer with an operating system that VirusScan does not
support. To do so you must add the computer or network as a network object.
For information on adding network objects and disabling or enabling
SecureDesk, see Using Network Objects on page 129.
Note: SecureDesk is only available if you are connected to a Service
Center and subscribed to this service.
This chapter includes the following topics:
Installing McAfee VirusScan ASaP ...................................................184
Updating McAfee VirusScan ASaP on All Computers ......................186
Setting the SecureDesk Security Level...............................................186
Checking Antivirus Compliancy ........................................................189
Overriding SecureDesk.......................................................................195
Viewing SecureDesk Reports .............................................................196
Chapter 9: Using SecureDesk
183
Installing McAfee VirusScan ASaP
Installing McAfee VirusScan ASaP
Once you have subscribed to SecureDesk and connected to the Service
Center (see Connecting to a Service Center on page 165), you must install
McAfee VirusScan ASaP on all computers in your network.
Note: You must disable the Windows XP "Internet Connection Firewall"
option before you install McAfee VirusScan ASaP.
The VirusScan installer automatically uninstalls most antivirus programs
before installing VirusScan. For a list of products that the VirusScan installer
automatically uninstalls, refer to the Quick Start Guide. If your antivirus
program does not appear in the list, you must manually uninstall the program
before installing VirusScan.
Note: If your current antivirus software is part of a suite of programs, you
may have to reinstall the suite without the antivirus component after
installing VirusScan.
If VirusScan is already installed on your computer, check whether it complies
with the SecureDesk security level conditions using the procedure Checking
Antivirus Compliancy on page 189.
To install McAfee VirusScan ASaP
1. Click Security in the main menu, and click the SecureDesk tab.
184
Check Point Safe@Office User Guide
Installing McAfee VirusScan ASaP
The SecureDesk page appears.
2. Do one of the following:
• To install VirusScan on this computer only, click Download and
install the latest antivirus software.
• To install VirusScan on all the computers in your network, click
Run the desktop security software Push Installer.
The McAfee Security page opens in a new window, with the McAfee
Secure-1 VirusScan ASaP popup window on top.
3. Follow the online instructions to complete installation.
If antivirus software is already installed, the installer may remove it.
VirusScan is installed.
For information on troubleshooting installation and using VirusScan, see the
User Help. To access VirusScan ASaP User Help, right-click on the
VirusScan icon in the taskbar, and select Scan Now > Help.
Chapter 9: Using SecureDesk
185
Updating McAfee VirusScan ASaP on All Computers
Updating McAfee VirusScan ASaP on All
Computers
If the version of VirusScan installed on a computer is not up-to-date,
SecureDesk may block access through the firewall for that computer,
depending on the SecureDesk security level. You can update the installed
version of VirusScan on all computers in the network simultaneously, using
the Push Installer.
For information on how to check whether version of VirusScan installed on a
computer is up-to-date , see Checking Antivirus Compliancy on page 189.
To update McAfee VirusScan ASaP on all computers
1. Click Security in the main menu, and click the SecureDesk tab.
The SecureDesk page appears.
2. Click Run the desktop security software Push Installer.
The McAfee Security page opens in a new window, with the McAfee
Secure-1 VirusScan ASaP popup window on top.
3. Follow the online instructions to complete updating.
VirusScan is updated on all computers in the network.
Setting the SecureDesk Security Level
The SecureDesk security level determines what conditions a computer's
antivirus software must meet before the computer can access the Internet.
You control the SecureDesk security level using a simple lever available on
the SecureDesk page. You can set the lever to four states.
186
Check Point Safe@Office User Guide
Setting the SecureDesk Security Level
Note: If the security policy is remotely managed, this lever might be
disabled.
Table 26: SecureDesk Security Levels
This
security
Enforces these conditions...
level...
Off
None.
SecureDesk is disabled, and users can freely access the
Internet, regardless of whether antivirus software is installed
or not.
Note: You can disable SecureDesk for a specific computer or
network, using the information in Using Network Objects on
page 129.
Low
Antivirus software must be installed and enabled, but it need
not be up-to-date.
Medium
Antivirus software must be installed, enabled, and up-todate.
In order for the antivirus software to qualify as up-to-date, the
installed antivirus components' version numbers must be
equal to or higher than the version numbers displayed in the
Service Status table's Minimum column.
Chapter 9: Using SecureDesk
187
Setting the SecureDesk Security Level
This
security
Enforces these conditions...
level...
High
The most recent antivirus software must be installed and
enabled.
In order for the antivirus software to qualify as the most
recent, the installed antivirus components' version numbers
must match the version numbers displayed in the Service
Status table's Current column.
To change the SecureDesk security level
1. Click Security in the main menu, and click the SecureDesk tab.
The SecureDesk page appears.
2. Drag the lever to the desired level.
SecureDesk enforces the new security level conditions.
If you raised the security level, and the antivirus software installed on
your computer does not meet the new security level conditions, the
Current Device Status and Actions area displays an appropriate status
message, and the Update your antivirus software to the latest version link
appears.
For an explanation of all status messages and their colors, see
SecureDesk Status Messages on page 191.
3. If necessary, update your antivirus software by doing the following:
a. Click Update your antivirus software to the latest version.
The McAfee Security page opens in a new window, with the McAfee
Secure-1 VirusScan ASaP popup window on top.
b. Follow the online instructions to complete updating.
188
Check Point Safe@Office User Guide
Checking Antivirus Compliancy
VirusScan is updated on all computers in the network.
For information on updating VirusScan on all compters in the network,
see Updating McAfee VirusScan ASaP on All Computers on page 186.
Checking Antivirus Compliancy
You can check whether a computer's antivirus software complies with the
SecureDesk security level conditions.
To check antivirus compliancy for your computer
1. Click Security in the main menu, and click the SecureDesk tab.
The SecureDesk page appears, and the Current Device Status and Actions
area displays a color-coded status message indicating whether the
computer complies with the SecureDesk security level conditions. For an
explanation of the status message and its color, see the table below.
If the antivirus software installed on your computer does not meet the
security level conditions, the Update your antivirus software to the latest
version link appears.
2. To view detailed information about the antivirus status and
component versions, point to the status message.
A popup window displays the desired information.
3. If necessary, update your antivirus software by doing the following:
a. Click Update your antivirus software to the latest version.
Chapter 9: Using SecureDesk
189
Checking Antivirus Compliancy
The McAfee Security page opens in a new window, with the McAfee
Secure-1 VirusScan ASaP popup window on top.
b. Follow the online instructions to complete updating.
VirusScan is updated on all computers in the network.
To check antivirus compliancy for all computers in the network
1. Click Reports in the main menu, and click the Active Computers tab.
The Active Computers page appears.
A color-coded status message next to each computer indicates whether the
computer complies with the SecureDesk security level conditions. For an
explanation of the status messages and their colors, see the tables below.
2. To view detailed information about the antivirus status and
component versions, point to the status message.
A popup window displays the desired information.
3. If necessary, update the antivirus software on all computers in the
network.
For instructions, see Updating McAfee VirusScan ASaP on All
Computers on page 186.
190
Check Point Safe@Office User Guide
Checking Antivirus Compliancy
Table 27: SecureDesk Status Messages
Message
Explanation
SecureDesk is
The antivirus software complies with the SecureDesk
compliant
security level conditions, and access through the firewall
is not blocked.
Compliant, but
The antivirus software complies with the SecureDesk
SecureDesk not
security level conditions, and access through the firewall
most up-to-date
is not blocked.
However, the antivirus components' version numbers do
not match the version numbers displayed in the Service
Status table's Current column.
It is recommended to update your software.
Compliant, but
The antivirus software complies with the SecureDesk
SecureDesk
security level conditions, and access through the firewall
scanner is
is not blocked.
disabled
However, the scanner is disabled, and the
computer/network is not currently protected from
viruses.
It is recommended to enable the scanner.
Chapter 9: Using SecureDesk
191
Checking Antivirus Compliancy
Message
Explanation
SecureDesk not
The antivirus software components' version numbers are
up-to-date
less than the version numbers displayed in the Service
Status table's Minimum column.
Access through the firewall may be blocked, depending
on whether the SecureDesk security level conditions
require that the antivirus software is up-to-date.
Update your software.
SecureDesk
The scanner is disabled, and the computer/network is
scanner is
not currently protected from viruses.
disabled
Access through the firewall is blocked.
Enable the scanner.
SecureDesk not
The antivirus software components' version numbers are
up-to-date and
less than the version numbers displayed in the Service
scanner is
Status table's Minimum column, and the scanner is
disabled
disabled. The computer/network is not currently
protected from viruses.
Access through the firewall is blocked.
Update your software and enable the scanner.
192
Check Point Safe@Office User Guide
Checking Antivirus Compliancy
Message
Explanation
SecureDesk is
The antivirus software does not comply with the
not compliant
SecureDesk security level conditions, and access
through the firewall is blocked.
Check the SecureDesk security level conditions, and
make changes to your antivirus software accordingly.
For information on SecureDesk security levels, see
Setting the SecureDesk Security Level on page 186.
SecureDesk
The antivirus engine and virus signatures are installed,
scanner not
but the antivirus scanner is not.
installed
Access through the firewall is blocked.
Install the scanner.
SecureDesk not
VirusScan is not installed, and access through the
installed
firewall is blocked.
Install the antivirus software.
SecureDesk
SecureDesk has not yet determined the antivirus
state is unknown
software's state, because the computer is not
responding.
Access through the firewall is temporarily blocked.
Chapter 9: Using SecureDesk
193
Checking Antivirus Compliancy
Message
Explanation
Excluded from
SecureDesk is disabled for this computer/network.
Antivirus
compliance
checking
Access through the firewall is not blocked.
For information on enabling SecureDesk, see Using
Network Objects on page 129.
Table 28: SecureDesk Status Message Color Coding
Color
Explanation
Red
Error.
The antivirus software does not comply with the
SecureDesk security level conditions, and access
through the firewall is blocked.
Orange
Warning.
The antivirus software complies with the SecureDesk
security level conditions, and access through the firewall
is not blocked. However, the state of the antivirus
software is not ideal.
Green
OK.
The antivirus software complies with the SecureDesk
security level conditions, and access through the firewall
is not blocked.
194
Check Point Safe@Office User Guide
Overriding SecureDesk
Overriding SecureDesk
SecureDesk blocks access through the firewall if your computer's antivirus
software does not comply with the SecureDesk security level conditions.
When you attempt to connect to the Internet, the following things happen:
• The Access Denied page appears
• The Event Log specifies that the connection was blocked by
SecureDesk.
You can correct the problem by clicking Download and install the latest
antivirus software to install up-to-date software, and then clicking Continue to
the original page. Alternatively, Safe@Office administrators with Read/Write
permissions can override the block using the procedure below.
To override SecureDesk
1. In the Access Denied page's Administrator Override area, in the
Username field, type your user name.
2. In the Password field, type your password.
Chapter 9: Using SecureDesk
195
Viewing SecureDesk Reports
3. Click OK.
SecureDesk is temporarily disabled for your computer only.
The page you were blocked from accessing appears.
The Antivirus Off popup window appears.
4. To re-enable the service, click Resume in the popup window.
The service is re-enabled for your computer.
Viewing SecureDesk Reports
You can view reports on SecureDesk's activities for all computers in your
network.
Note: You must be connected to the Internet to view SecureDesk
reports.
To view SecureDesk reports
1. Click Services in the main menu, and click the SecureDesk tab.
196
Check Point Safe@Office User Guide
Viewing SecureDesk Reports
The SecureDesk page appears.
2. Click SecureDesk Reports.
A SecureDesk report opens in a new window. This may take some time.
Chapter 9: Using SecureDesk
197
Overview
Chapter 10
Working With VPNs
This chapter describes how to use your Safe@Office appliance as a Remote
Access VPN Client, server, or gateway.
This chapter includes the following topics:
Overview ............................................................................................ 199
Setting Up Your Safe@Office Appliance as a Remote Access VPN
Server........................................................................................................ 204
Adding and Editing VPN Sites using Safe@Office 110 and 225....... 206
Deleting a VPN Site ........................................................................... 231
Enabling/Disabling a VPN Site .......................................................... 232
Logging on to a VPN Site................................................................... 233
Logging off a VPN Site ...................................................................... 236
Installing a Certificate ........................................................................ 237
Uninstalling a Certificate.................................................................... 240
Viewing VPN Tunnels ....................................................................... 241
Overview
You can configure your Safe@Office appliance as part of a virtual private
network (VPN). A VPN is a private data network consisting of a group of
gateways that can securely connect to each other. Each member of the VPN
is called a VPN site, and a connection between two VPN sites is called a VPN
tunnel. VPN tunnels encrypt and authenticate all traffic passing through
them. Through these tunnels, employees can safely use their company’s
network resources when working at home. For example, they can securely
read email, use the company’s intranet, or access the company’s database
from home.
The are three types of VPN sites:
• Remote Access VPN Server - Makes a network remotely available to
authorized users, who connect to the Remote Access VPN Server
Chapter 10: Working With VPNs
199
Overview
using Remote Access VPN Clients, such as Check Point
SecuRemote. Unless the Remote Access VPN Server is also a
Remote Access VPN Client, it cannot initiate a connection to other
VPN sites.
• Site-to-Site VPN Gateway - Can connect with another Site-to-Site
VPN Gateway in a permanent, bi-directional relationship.
• Remote Access VPN Client - Can connect to a Remote Access VPN
Server, but other VPN sites cannot initiate a connection to the
Remote Access VPN Client. Defining a Remote Access VPN
Client is a hardware alternative to using SecuRemote software.
Safe@Office 105 acts as a Remote Access VPN Server for one user, allowing
a single remote employee to securely work from home or on the road.
Safe@Office 110 and 225 provide full VPN functionality. They can act as a
Remote Access VPN Client, a Remote Access VPN Server for multiple users,
or a Site-to-Site VPN Gateway.
A virtual private network (VPN) must include at least one Remote Access
VPN Server or gateway. The type of VPN sites you include in a VPN
depends on the type of VPN you want to create, Site-to-Site or Remote
Access.
Note: A locally managed Remote Access VPN Server or gateway must
have a static IP address. If you need a Remote Access VPN Server or
gateway with a dynamic IP address, you must use SofaWare Security
Management Portal (SMP) management.
A SecuRemote or Safe@Office Remote Access VPN Client can have a
dynamic IP address, regardless of whether it is locally or remotely
managed.
Note: This chapter explains how to define a VPN locally. However, if
your appliance is centrally managed by a Service Center, then the
Service Center can automatically deploy VPN configuration for your
appliance.
200
Check Point Safe@Office User Guide
Overview
Site-to-Site VPNs
A Site-to-Site VPN consists of two or more Site-to-Site VPN Gateways that
can communicate with each other in a bi-directional relationship. The
connected networks function as a single network. You can use this type of
VPN to mesh office branches into one corporate network.
Figure 8: Site-to-Site VPN
Chapter 10: Working With VPNs
201
Overview
To create a Site-to-Site VPN with two VPN sites
1. On the first VPN site’s Safe@Office appliance, do the following:
a. Define the second VPN site as a Site-to-Site VPN Gateway,
or create a PPPoE tunnel to the second VPN site, using the
procedure Adding and Editing VPN Sites on page 206.
b. Enable the Remote Access VPN Server using the procedure
Setting Up Your Safe@Office Appliance as a Remote
Access VPN Server on page 204.
2. On the second VPN site’s Safe@Office appliance, do the following:
a. Define the first VPN site as a Site-to-Site VPN Gateway, or
create a PPPoE tunnel to the first VPN site, using the
procedure Adding and Editing VPN Sites on page 206.
b. Then enable the Remote Access VPN Server using the
procedure Setting Up Your Safe@Office Appliance as a
Remote Access VPN Server on page 204.
202
Check Point Safe@Office User Guide
Overview
Remote Access VPNs
A Remote Access VPN consists of one Remote Access VPN Server or Siteto-Site VPN Gateway, and one or more Remote Access VPN Clients. You
can use this type of VPN to make an office network remotely available to
authorized users, such as employees working from home, who connect to the
office Remote Access VPN Server with their Remote Access VPN Clients.
Figure 9: Remote Access VPN
Chapter 10: Working With VPNs
203
Setting Up Your Safe@Office Appliance as a Remote Access VPN Server
To create a Remote Access VPN with two VPN sites
1. On the remote user VPN site's Safe@Office appliance, add the
office Remote Access VPN Server as a Remote Access VPN site.
See Adding and Editing VPN Sites on page 206.
The remote user's Safe@Office appliance will act as a Remote Access
VPN Client.
2. On the office VPN site's Safe@Office appliance, enable the Remote
Access VPN Server.
See Setting Up Your Safe@Office Appliance as a Remote Access VPN
Server on page 204.
Setting Up Your Safe@Office Appliance
as a Remote Access VPN Server
You can make your network remotely available to authorized users by setting
up your Safe@Office appliance as a Remote Access VPN Server. Remote
access users can connect to the Remote Access VPN Server via Check Point
SecuRemote or a via Safe@Office appliance in Remote Access VPN mode.
Note: The Check Point SecuRemote Remote Access VPN Client can be
downloaded for free from
http://www.checkpoint.com/techsupport/downloads_sr.html
To set up your Safe@Office appliance as a Remote Access VPN
Server
1. Click VPN in the main menu, and click the VPN Server tab.
204
Check Point Safe@Office User Guide
Setting Up Your Safe@Office Appliance as a Remote Access VPN Server
The VPN Server page appears.
2. Drag the Enabled/Disabled lever to Enabled.
The Remote Access VPN Server is enabled.
The check box is enabled.
3. To allow authenticated users to bypass NAT when connecting to
your internal network, select Bypass NAT.
4. To allow authenticated users to bypass the firewall and access your
internal network without restriction, select Bypass the firewall.
5. Follow the procedure Setting Up Remote VPN Access for Users on
page 252.
Note: Disabling the Remote Access VPN Server will cause all existing
VPN tunnels to disconnect.
Chapter 10: Working With VPNs
205
Adding and Editing VPN Sites using Safe@Office 110 and 225
Adding and Editing VPN Sites using
Safe@Office 110 and 225
To add or edit VPN sites
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears with a list of VPN sites.
2. Do one of the following:
• To add a VPN site, click New Site.
• To edit a VPN site, click Edit in the desired VPN site’s row.
206
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
The Safe@Office VPN Site Wizard opens, with the Welcome to the VPN Site
Wizard dialog box displayed.
3. Do one of the following:
• Select Remote Access VPN to establish remote access from your
Remote Access VPN Client to a Remote Access VPN Server.
• Select Site to Site VPN to create a permanent bi-directional
connection to another Site-to-Site VPN Gateway.
• Select PPPoE to create a non-encrypted connection to a PPPoE
server.
4. Click Next.
Chapter 10: Working With VPNs
207
Adding and Editing VPN Sites using Safe@Office 110 and 225
Configuring a Remote Access VPN Site
If you selected Remote Access VPN, the VPN Gateway Address dialog box
appears.
1. Enter the IP address of the Remote Access VPN Server to which
you want to connect, as given to you by the network administrator.
2. Click Next.
The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration.
Refer to VPN Network Configuration Fields on page 215.
4. Click Next.
The following things happen in the order below:
208
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
• If you chose Specify Configuration, a second VPN Network
Configuration dialog box appears.
Complete the fields using the information in VPN Network
Configuration Fields on page 215 and click Next.
• The Authentication Method dialog box appears.
5. Complete the fields using the information in Authentication
Methods Fields on page 216.
6. Click Next.
Chapter 10: Working With VPNs
209
Adding and Editing VPN Sites using Safe@Office 110 and 225
Username and Password Authentication Method
If you selected Username and Password, the VPN Login dialog box appears.
1. Complete the fields using the information in VPN Login Fields on
page 217.
2. Click Next.
• If you selected Automatic Login, the Connect dialog box appears.
Do the following:
1) To try to connect to the Remote Access VPN Server,
select the Try to Connect to the VPN Gateway check box.
This allows you to test the VPN connection.
210
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
Warning: If you try to connect to the VPN site before completing the
wizard, all existing tunnels will be terminated.
2) Click Next.
If you selected Try to Connect to the VPN Gateway, the
Connecting… screen appears, and then the Contacting VPN Site
screen appears.
• The Site Name dialog box appears.
3. Enter a name for the VPN site.
You may choose any name.
4. Click Next.
The VPN Site Created screen appears.
Chapter 10: Working With VPNs
211
Adding and Editing VPN Sites using Safe@Office 110 and 225
5. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site
appears in the VPN Sites list. If you edited a VPN site, the modifications
are reflected in the VPN Sites list.
Certificate Authentication Method
If you selected Certificate, the Connect dialog box appears.
1. To try to connect to the Remote Access VPN Server, select the Try
to Connect to the VPN Gateway check box.
This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the
wizard, all existing tunnels will be terminated.
2. Click Next.
If you selected Try to Connect to the VPN Gateway, the Connecting…
screen appears, and then the Contacting VPN Site screen appears.
212
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
The Site Name dialog box appears.
3. Enter a name for the VPN site.
You may choose any name.
4. Click Next.
The VPN Site Created screen appears.
5. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site
appears in the VPN Sites list. If you edited a VPN site, the modifications
are reflected in the VPN Sites list.
Chapter 10: Working With VPNs
213
Adding and Editing VPN Sites using Safe@Office 110 and 225
RSA SecurID Authentication Method
If you selected RSA SecurID, the Site Name dialog box appears.
1. Enter a name for the VPN site.
You may choose any name.
2. Click Next.
The VPN Site Created screen appears.
3. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site
appears in the VPN Sites list. If you edited a VPN site, the modifications
are reflected in the VPN Sites list.
214
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
Table 29: VPN Network Configuration Fields
In this field…
Do this…
Download
Click this option to obtain the network configuration by
Configuration
downloading it from the VPN site.
This option will automatically configure your VPN
settings, by downloading the network topology
definition from the Remote Access VPN Server.
Note: Downloading the network configuration is only
possible if you are connecting to a Check Point VPN1 or Safe@Office Site-to-Site VPN Gateway.
Specify
Click this option to provide the network configuration
Configuration
manually.
Route All Traffic
Click this option to route all network traffic through the
VPN site.
For example, if your VPN consists of a central office
and a number of remote offices, and the remote
offices are only allowed to access Internet resources
through the central office, you can choose to route all
traffic from the remote offices through the central
office.
Note: You can only configure one VPN site to route all
traffic.
Destination network
Type up to three destination network addresses at the
VPN site to which you want to connect.
Chapter 10: Working With VPNs
215
Adding and Editing VPN Sites using Safe@Office 110 and 225
In this field…
Do this…
Subnet mask
Select the subnet masks for the destination network
addresses.
Note: Obtain the destination networks and subnet
masks from the VPN site’s system administrator.
Backup Gateway
Type the name of the VPN site to use if the primary
VPN site fails.
Table 30: Authentication Methods Fields
In this field…
Do this…
Username and
Select this option to use a user name and password
Password
for VPN authentication.
In the next step, you can specify whether you want to
log on to the VPN site automatically or manually.
Certificate
Select this option to use a certificate for VPN
authentication.
If you select this option, a certificate must have been
installed. (Refer to Installing a Certificate on page
237 for more information about certificates and
instructions on how to install a certificate.)
216
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
In this field…
Do this…
RSA SecurID
Select this option to use an RSA SecurID token for
Token
VPN authentication.
When authenticating to the VPN site, you must enter
a four-digit PIN code and the SecurID passcode
shown in your SecurID token's display. The RSA
SecurID token generates a new passcode every
minute.
SecurID is only supported in Remote Access manual
login mode.
Table 31: VPN Login Fields
In this field…
Do this…
Manual Login
Click this option to configure the site for Manual
Login.
Manual Login connects only the computer you are
currently logged onto to the VPN site, and only when
the appropriate user name and password have been
entered. For further information on Automatic and
Manual Login, see, Logging on to a VPN Site on
page 233.
Chapter 10: Working With VPNs
217
Adding and Editing VPN Sites using Safe@Office 110 and 225
In this field…
Do this…
Automatic Login
Click this option to enable the Safe@Office appliance
to log on to the VPN site automatically.
You must then fill in the Username and Password fields.
Automatic Login provides all the computers on your
internal network with constant access to the VPN site.
For further information on Automatic and Manual
Login, see Logging on to a VPN Site on page 233.
Username
Type the user name to be used for logging on to the
VPN site.
Password
Type the password to be used for logging on to the
VPN site.
218
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
Configuring a Site-to-Site VPN Gateway
If you selected Site to Site VPN, the VPN Gateway Address dialog box appears.
1. Complete the fields using the information in VPN Gateway Address
Fields on page 226.
2. Click Next.
The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration.
Refer to VPN Network Configuration Fields on page 215.
4. Click Next.
Chapter 10: Working With VPNs
219
Adding and Editing VPN Sites using Safe@Office 110 and 225
• If you chose Specify Configuration, a second VPN Network
Configuration dialog box appears.
Complete the fields using the information in VPN Network
Configuration Fields on page 215, and then click Next.
• The Authentication Method dialog box appears.
5. Complete the fields using the information in Authentication
Methods Fields on page 227.
6. Click Next.
220
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
Shared Secret Authentication Method
If you selected Shared Secret, the Authentication dialog box appears.
If you chose Download Configuration, the dialog box contains additional
fields.
1. Complete the fields using the information in VPN Authentication
Fields on page 228 and click Next.
Chapter 10: Working With VPNs
221
Adding and Editing VPN Sites using Safe@Office 110 and 225
The Connect dialog box appears.
2. To try to connect to the Remote Access VPN Server, select the Try
to Connect to the VPN Gateway check box.
This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the
wizard, all existing tunnels will be terminated.
3. Click Next.
• If you selected Try to Connect to the VPN Gateway, the
Connecting… screen appears, and then the Contacting VPN Site
screen appears.
• The Site Name dialog box appears.
222
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
4. Enter a name for the VPN site.
You may choose any name.
5. To keep the tunnel to the VPN site alive even if there is no network
traffic between the Safe@Office appliance and the VPN site, select
Keep this site alive.
6. Click Next.
• If you selected Keep this site alive, and previously you chose
Download Configuration, the "Keep Alive" Configuration dialog box
appears.
Do the following:
1) Type up to three IP addresses which the Safe@Office
appliance should ping in order to keep the tunnel to
the VPN site alive.
2) Click Next.
• The VPN Site Created screen appears.
7. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site
appears in the VPN Sites list. If you edited a VPN site, the modifications
are reflected in the VPN Sites list.
Chapter 10: Working With VPNs
223
Adding and Editing VPN Sites using Safe@Office 110 and 225
Certificate Authentication Method
If you selected Certificate, the following things happen:
• If you chose Download Configuration, the Authentication dialog box
appears.
Complete the fields using the information in VPN Authentication Fields
on page 228 and click Next.
• The Connect dialog box appears.
1. To try to connect to the Remote Access VPN Server, select the Try
to Connect to the VPN Gateway check box.
This allows you to test the VPN connection.
224
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
Warning: If you try to connect to the VPN site before completing the
wizard, all existing tunnels will be terminated.
2. Click Next.
• If you selected Try to Connect to the VPN Gateway, the following
things happen:
The Connecting… screen appears.
• The Contacting VPN Site screen appears.
• The Site Name dialog box appears.
3. Enter a name for the VPN site.
You may choose any name.
4. To keep the tunnel to the VPN site alive even if there is no network
traffic between the Safe@Office appliance and the VPN site, select
Keep this site alive.
5. Click Next.
Chapter 10: Working With VPNs
225
Adding and Editing VPN Sites using Safe@Office 110 and 225
• If you selected Keep this site alive, and previously you chose
Download Configuration, the "Keep Alive" Configuration dialog box
appears.
Do the following:
1) Type up to three IP addresses which the Safe@Office
appliance should ping in order to keep the tunnel to
the VPN site alive.
2) Click Next.
• The VPN Site Created screen appears.
6. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site
appears in the VPN Sites list. If you edited a VPN site, the modifications
are reflected in the VPN Sites list.
Table 32: VPN Gateway Address Fields
In this field…
Do this…
Gateway Address
Type the IP address of the Site-to-Site VPN
Gateway to which you want to connect, as given to
you by the network administrator.
226
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
In this field…
Do this…
Bypass NAT
Select this option to allow the VPN site to bypass
NAT when connecting to your internal network.
Bypass the FW
Select this option to allow the VPN site to bypass the
firewall and access your internal network without
restriction.
Table 33: Authentication Methods Fields
In this field…
Do this…
Shared Secret
Select this option to use a shared secret for VPN
authentication.
A shared secret is a string used to identify VPN sites
to each other.
Certificate
Select this option to use a certificate for VPN
authentication.
If you select this option, a certificate must have been
installed. (Refer to Installing a Certificate on page
237 for more information about certificates and
instructions on how to install a certificate.)
Chapter 10: Working With VPNs
227
Adding and Editing VPN Sites using Safe@Office 110 and 225
Table 34: VPN Authentication Fields
In this field…
Do this…
Topology User
Type the topology user’s user name.
Topology
Type the topology user’s password.
Password
Use Shared
Type the shared secret to use for secure
Secret
communications with the VPN site.
This shared secret is a string used to identify the
VPN sites to each other. The secret can contain
spaces and special characters.
Creating a PPPoE Tunnel
If you selected PPPoE, the VPN Network Configuration dialog box appears.
1. Complete the fields using the information in VPN Network
Configuration Fields on page 215.
2. Click Next.
228
Check Point Safe@Office User Guide
Adding and Editing VPN Sites using Safe@Office 110 and 225
The PPPoE Login page appears.
3. Complete the fields using the information in the table below.
4. Click Next.
The Connect dialog box appears.
5. If you don’t want to try to connect to the VPN site, clear the Try to
Connect to the VPN Gateway check box.
This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the
wizard, all existing tunnels will be terminated.
6. Click Next.
Chapter 10: Working With VPNs
229
Adding and Editing VPN Sites using Safe@Office 110 and 225
If you selected Try to Connect to the VPN Gateway, the Connecting…
screen appears, and then the Contacting VPN Site screen appears.
The Site Name dialog box appears.
7. Enter a name for the VPN site.
You may choose any name.
8. Click Next.
The VPN Site Created screen appears.
9. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site
appears in the VPN Sites list. If you edited a VPN site, the modifications
are reflected in the VPN Sites list.
230
Check Point Safe@Office User Guide
Deleting a VPN Site
Table 35: PPPoE Login Fields
In this field…
Do this…
User
The PPPoE username.
Password
The PPPoE password.
Service
The service name configured in the PPPoE server.
You only need to fill in this field if there is more than
one PPPoE server in the WAN network.
Note: If you do not fill in this field, the first PPPoE
server found is used.
Deleting a VPN Site
To delete a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears, with a list of VPN sites.
2. In the desired VPN site’s row, click the Delete
icon.
A confirmation message appears.
3. Click OK.
The VPN site is deleted.
Chapter 10: Working With VPNs
231
Enabling/Disabling a VPN Site
Enabling/Disabling a VPN Site
You can only connect to VPN sites that are enabled.
To enable/disable a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears, with a list of VPN sites.
2. To enable a VPN site, do the following:
a. Click the
icon in the desired VPN site’s row.
A confirmation message appears.
b. Click OK.
The icon changes to
, and the VPN site is enabled.
3. To disable a VPN site, do the following:
Note: Disabling a VPN site eliminates the tunnel and erases the network
topology.
a. Click the
icon in the desired VPN site’s row.
A confirmation message appears.
b. Click OK.
The icon changes to
232
, and the VPN site is disabled.
Check Point Safe@Office User Guide
Logging on to a VPN Site
Logging on to a VPN Site
You need to manually log on to Remote Access VPN Servers configured for
Manual Login. You do not need to manually log on to a Remote Access VPN
Server configured for Automatic Login or a Site-to-Site VPN Gateway: all
the computers on your network have constant access to it.
Manual Login can be done through either the Safe@Office Portal or the
my.vpn page. When you log on and traffic is sent to the VPN site, a VPN
tunnel is established. Only the computer from which you logged on can use
the tunnel. To share the tunnel with other computers in your home network,
you must log on to the VPN site from those computers, using the same user
name and password.
Note: You must use a single user name and password for each VPN
destination gateway.
Logging on through the Safe@Office Portal
Note: You can only login to sites that are configured for Manual Login.
To manually log on to a VPN site through the Safe@Office Portal
1. Click VPN in the main menu, and click the VPN Login tab.
Chapter 10: Working With VPNs
233
Logging on to a VPN Site
The VPN Login page appears.
2. From the Site Name list, select the site to which you want to log on.
Note: Disabled VPN sites will not appear in the Site list.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
• If the Safe@Office appliance is configured to automatically
download the network configuration, the Safe@Office appliance
downloads the network configuration.
• If when adding the VPN site you specified a network
configuration, the Safe@Office appliance attempts to create a
tunnel to the VPN site.
• Once the Safe@Office appliance has finished connecting, the VPN
Login Status box appears. The Status field displays “Connected”.
234
Check Point Safe@Office User Guide
Logging on to a VPN Site
• The VPN Login Status box remains open until you manually log
off the VPN site.
Logging on through the my.vpn page
Note: You don’t need to know the my.firewall page administrator’s
password in order to use the my.vpn page.
To manually log on to a VPN site through the my.vpn page
1. Direct your web browser to http://my.vpn
The VPN Login screen appears.
2. In the Site Name list, select the site to which you want to log on.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
• If the Safe@Office appliance is configured to automatically
download the network configuration, the Safe@Office appliance
downloads the network configuration.
Chapter 10: Working With VPNs
235
Logging off a VPN Site
• If when adding the VPN site you specified a network
configuration, the Safe@Office appliance attempts to create a
tunnel to the VPN site.
• The VPN Login Status box appears. The Status field tracks the
connection’s progress.
• Once the Safe@Office appliance has finished connecting, the
Status field changes to “Connected”.
• The VPN Login Status box remains open until you manually log
off of the VPN site.
Logging off a VPN Site
You need to manually log off a VPN site in the following cases:
• You are using Safe@Office 105.
• The VPN site is a Remote Access VPN site configured for Manual
Login.
To log off a VPN site
• In the VPN Login Status box, click Logout.
All open tunnels from the Safe@Office appliance to the VPN site are
closed, and the VPN Login Status box closes.
Note: Closing the browser or dismissing the VPN Login Status box will also
terminate the VPN session within a short time.
236
Check Point Safe@Office User Guide
Installing a Certificate
Installing a Certificate
A digital certificate is a secure means of authenticating the Safe@Office
appliance to other Site-to-Site VPN Gateways. The certificate is issued by the
Certificate Authority (CA) to entities such as gateways, users, or computers.
The entity then uses the certificate to identify itself and provide verifiable
information.
For instance, the certificate includes the Distinguishing Name (DN)
(identifying information) of the entity, as well as the public key (information
about itself). After two entities exchange and validate each other's
certificates, they can begin encrypting information between themselves using
the public keys in the certificates.
The Safe@Office appliance supports certificates encoded in the PKCS#12
(Personal Information Exchange Syntax Standard) format. The PKCS#12 file
must have a ".p12" file extension
Note: To use certificates authentication, each Safe@Office appliance
should have a unique certificate. Do not use the same certificate for
more than one gateway.
If you do not have a PKCS#12, obtain it from your network security
administrator.
To install a certificate
1. Click VPN in the main menu, and click the Certificate tab.
Chapter 10: Working With VPNs
237
Installing a Certificate
The Certificate page appears, with instructions on how to install the
certificate.
2. Click Install Certificate.
A Certificate page requests you to specify a certificate file for upload.
3. Click Browse to open a file browser from which to locate and select
the file.
The filename that you selected is displayed.
4. Click Upload.
238
Check Point Safe@Office User Guide
Installing a Certificate
You are requested to enter the pass-phrase.
5. Type the pass-phrase you received from the network security
administrator.
6. Click OK.
The certificate is installed.
A success message appears.
7. Click OK.
The name of the CA that issued the certificate and the name of the
gateway to which this certificate was issued appear.
Chapter 10: Working With VPNs
239
Uninstalling a Certificate
Uninstalling a Certificate
You cannot uninstall the certificate if there is a VPN site currently defined to
use certificate authentication.
When a certificate is currently installed, the Certificate page presents two
options:
• Install Certificate: Allows you to install a new certificate. The
current certificate will be replaced.
• Uninstall Certificate: Allows you to uninstall the current certificate.
Therefore, no certificate exists on the Safe@Office appliance, and
you will not be able to connect to the VPN if a certificate is still
required.
To uninstall a certificate
1. Click VPN in the main menu, and click the Certificate tab.
The Certificate page appears with the name of the currently installed
certificate.
2. Click Uninstall.
A confirmation message appears.
3. Click OK.
The certificate is uninstalled.
A success message appears.
4. Click OK.
240
Check Point Safe@Office User Guide
Viewing VPN Tunnels
Viewing VPN Tunnels
You can view a list of currently established VPN tunnels. VPN tunnels are
created and closed as follows:
• Remote Access VPN sites configured for Automatic Login, Site-toSite VPN Gateways and PPPoE tunnels
A tunnel is created whenever your computer attempts any kind of
communication with a computer at the VPN site. The tunnel is closed
when not in use for a period of time.
Note: Although the VPN tunnel is automatically closed, the site remains
open, and if you attempt to communicate with the site, the tunnel will be
reestablished.
• Remote Access VPN sites configured for Manual Login
A tunnel is created whenever your computer attempts any kind of
communication with a computer at the VPN site, after you have manually
logged on to the site. All open tunnels connecting to the site are closed
when you manually log off.
Chapter 10: Working With VPNs
241
Viewing VPN Tunnels
To view VPN tunnels
• Click Reports in the main menu, and click the VPN Tunnels tab.
The VPN Tunnels page appears with a table of open tunnels to VPN sites.
The VPN Tunnels page includes the information described in the table below.
You can refresh the table by clicking Refresh.
Table 36: VPN Tunnels Page Fields
This field…
Displays…
The Safe@Office appliance Internet IP address.
242
Check Point Safe@Office User Guide
Viewing VPN Tunnels
This field…
Displays…
The security protocol (IPSec), the type of encryption
used to secure the connection, and the type of
Message Authentication Code (MAC) used to verify the
integrity of the message.
This information is presented in the following format:
Security protocol: Encryption type/Authentication type
Note: All VPN settings are automatically negotiated
between the two sites. The encryption and
authentication schemes used for the connection are the
strongest of those used at the two sites.
Your Safe@Office appliance supports AES, 3DES, and
DES encryption schemes, and MD5 and SHA
authentication schemes.
The name and IP address of the VPN gateway to which
the tunnel is connected.
User
The user logged on to the VPN site.
Duration
The time at which the tunnel was established.
This information is presented in the format hh:mm:ss,
where:
hh=hours
mm=minutes
ss=seconds
Chapter 10: Working With VPNs
243
Viewing VPN Tunnels
244
Check Point Safe@Office User Guide
Changing Your Password
Chapter 11
Managing Users
This chapter describes how to manage Safe@Office appliance users. In
Safe@Office 105, there is a single user called "admin", whose password can
be changed; in Safe@Office 110 and 225, you can define multiple users and
assign them various permissions.
This chapter includes the following topics:
Changing Your Password ................................................................... 245
Adding Users...................................................................................... 248
Viewing and Editing Users................................................................. 248
Deleting Users .................................................................................... 251
Setting Up Remote VPN Access for Users......................................... 252
Using RADIUS Authentication .......................................................... 252
Changing Your Password
You can change your password at any time. How this task is performed
depends on the Safe@Office model you are using.
Using Safe@Office 105
To change your password
1. Click Password in the main menu.
Chapter 11: Managing Users
245
Changing Your Password
The Password page appears.
2. Edit the Password and Confirm password fields.
Note: Use 5 to 25 characters (letters or numbers) for the new password.
3. Click Apply.
Your changes are saved.
Using Safe@Office 110 and 225
To change your password
1. Click Users in the main menu, and click the Internal Users tab.
246
Check Point Safe@Office User Guide
Changing Your Password
The Internal Users page appears.
2. In the row of your username, click Edit.
The Edit User page appears.
3. Edit the Password and Confirm password fields.
Note: Use 5 to 25 characters (letters or numbers) for the new password.
4. Click Apply.
Your changes are saved.
Chapter 11: Managing Users
247
Adding Users
Adding Users
To add a user
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. Click New User.
The Edit User page appears. The options that appear on the page are
dependant on the software and services you are using.
3. Complete the fields using the information in Edit User Page Fields
on page 249.
4. Click Apply.
The new user is saved.
Viewing and Editing Users
To view or edit users
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. In the desired user’s row, click Edit.
The Edit User page appears with the user’s details. The options that appear
on the page are dependant on the software and services you are using.
3. To edit the user’s details, do the following:
248
Check Point Safe@Office User Guide
Viewing and Editing Users
a. Edit the fields using Edit User Page Fields on page 249.
b. Click Apply.
The changes are saved.
4. To return to the Users page without making any changes, click
Cancel.
Table 37: Edit User Page Fields
In this field…
Do this…
Username
Enter a username for the user.
Password
Enter a password for the user. Use five to 25
characters (letters or numbers) for the new
password.
Confirm Password
Re-enter the user’s password.
Chapter 11: Managing Users
249
Viewing and Editing Users
In this field…
Do this…
Administrator Level
Select the user’s level of access to the
Safe@Office Portal.
The levels are:
•
No Access: The user cannot access
the Safe@Office Portal.
•
Read/Write: The user can log on to the
Safe@Office Portal and modify
system settings.
•
Read Only: The user can log on to the
Safe@Office Portal, but cannot
modify system settings or export the
appliance configuration via the
Setup>Tools page. For example, you
could assign this administrator level
to technical support personnel who
need to view the Event Log.
The default level is No Access.
The “admin” user’s Administrator Level
(Read/Write) cannot be changed.
VPN Remote
Select this option to allow the user to connect to
Access
this Safe@Office appliance using their VPN client.
For further information on setting up VPN remote
access, see Setting Up Remote VPN Access for
Users on page 252.
This option only appears in Safe@Office 110 and
225.
250
Check Point Safe@Office User Guide
Deleting Users
In this field…
Do this…
Web Filtering
Select this option to allow the user to override
Override
Web Filtering.
This option only appears if the Web Filtering
service is defined.
This option cannot be changed for the “admin”
user.
Deleting Users
Note: The “admin” user cannot be deleted.
To delete a user
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. In the desired user’s row, click the Delete
icon.
A confirmation message appears.
3. Click OK.
The user is deleted.
Chapter 11: Managing Users
251
Setting Up Remote VPN Access for Users
Setting Up Remote VPN Access for
Users
If you are using your Safe@Office appliance as a Remote Access VPN
Server, you can allow users to access it remotely through their Remote
Access VPN Clients (a Check Point SecureClient, Check Point SecuRemote,
or another Embedded NG appliance).
To set up remote VPN access for a user
1. Enable your Remote Access VPN Server, using the procedure
Setting Up Your Safe@Office Appliance as a Remote Access VPN
Server on page 204.
2. Add the user to the system, using the procedure Adding Users on
page 248. You must select the VPN Remote Access option.
Note: When using Safe@Office 105, there is only one pre-defined user
called ‘admin’, and you cannot create additional users.
Using RADIUS Authentication
You can use RADIUS to authenticate both Safe@Office appliance users and
Remote Access VPN Clients trying to connect to the Safe@Office appliance.
When a user accesses the Safe@Office Portal and tries to log on, the
Safe@Office appliance sends the entered user name and password to the
RADIUS server. The server then checks whether the RADIUS database
contains a matching user name and password pair. If so, then the user is
logged on.
252
Check Point Safe@Office User Guide
Using RADIUS Authentication
To use RADIUS authentication
1. Click Users in the main menu, and click the RADIUS tab.
The RADIUS page appears.
2. Complete the fields using the table below.
3. Click Apply.
Table 38: RADIUS Page Fields
In this field…
Do this…
Address
Type the IP address of the computer that will run
the RADIUS service (one of your network
computers) or click the corresponding This
Computer button to allow your computer to host the
service.
To clear the text box, click Clear.
Chapter 11: Managing Users
253
Using RADIUS Authentication
In this field…
Do this…
Port
Type the port number on the RADIUS server’s
host computer.
To reset this field to the default (port 1812), click
Default.
Shared Secret
Type the shared secret to use for secure
communication with the RADIUS server.
Administrator Level
Select the level of access to the Safe@Office
Portal to assign to all users authenticated by the
RADIUS server.
The levels are:
•
No Access: The user cannot access
the Safe@Office Portal
•
Read/Write: The user can log on to the
Safe@Office Portal and modify
system settings.
•
Read Only: The user can log on to the
Safe@Office Portal, but cannot
modify system settings.
The default level is No Access.
Web Filtering
Select this option to allow all users authenticated
Override
by the RADIUS server to override Web Filtering.
This option only appears if the Web Filtering
service is defined.
254
Check Point Safe@Office User Guide
Viewing Firmware Status
Chapter 12
Maintenance
This chapter describes the tasks required for maintenance and diagnosis of
your Safe@Office appliance.
This chapter includes the following topics:
Viewing Firmware Status ................................................................... 255
Updating the Firmware....................................................................... 257
Upgrading Your Software Product ..................................................... 258
Registering Your Safe@Office Appliance ......................................... 262
Configuring Syslog Logging .............................................................. 263
Configuring HTTPS ........................................................................... 265
Setting the Time on the Appliance ..................................................... 267
Controlling the Appliance via the Command Line ............................. 271
Using Diagnostic Tools ...................................................................... 272
Backing Up the Safe@Office Appliance Configuration..................... 274
Resetting the Safe@Office Appliance to Defaults ............................. 277
Running Diagnostics .......................................................................... 279
Rebooting the Safe@Office Appliance .............................................. 280
Viewing Firmware Status
The firmware is the software program embedded in the Safe@Office
appliance.
You can view your current firmware version and additional details.
Chapter 12: Maintenance
255
Viewing Firmware Status
To view the firmware status
• Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
The Firmware page displays the following information:
Table 39: Firmware Status Fields
This field…
Displays…
For example…
Firmware Version
The current version of the
4.0
firmware
Hardware Type
The type of the current
200 series
Safe@Office appliance
hardware
Hardware Version
The current hardware
version of the Safe@Office
appliance
256
Check Point Safe@Office User Guide
1.0
Updating the Firmware
This field…
Displays…
For example…
Installed Product
The licensed software and
Safe@Office 225
the number of allowed
unlimited nodes
nodes
Uptime
The time that elapsed from
01:21:15
the moment the unit was
turned on
Updating the Firmware
If you are subscribed to Software Updates, firmware updates are performed
automatically. These updates include new product features and protection
against new security threats. Check with your reseller for the availability of
Software Updates and other services. For information on subscribing to
services, see Connecting to a Service Center on page 165.
If you are not subscribed to the Software Updates service, you must update
your firmware manually.
To update your Safe@Office firmware manually
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Firmware Update.
Chapter 12: Maintenance
257
Upgrading Your Software Product
The Firmware Update page appears.
3. Click Browse.
A browse window appears.
4. Select the image file and click Open.
The Firmware Update page reappears. The path to the firmware update
image file appears in the Browse text box.
5. Click Upload.
Your Safe@Office appliance firmware is updated. This may take a few
minutes. At the end of the process the Safe@Office appliance restarts
automatically.
Upgrading Your Software Product
Upgrading your Safe@Office appliance is a very simple process. After
purchasing an upgrade, you will receive a new Product Key that will enable
you to use the upgraded product on the same Safe@Office appliance you
have today. For example, if you are using Safe@Office 105, you can
purchase an upgrade to Safe@Office 110 and enjoy extended VPN features
258
Check Point Safe@Office User Guide
Upgrading Your Software Product
on your existing Safe@Office appliance. Likewise, you can upgrade from
Safe@Office 225 to 225U without changing your hardware.
Note: You can only upgrade within the same appliance hardware type.
Note: To purchase an upgrade, contact your Safe@Office appliance
provider.
To upgrade your product, you must install the new Product Key.
To install a Product Key
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Upgrade Product.
The Safe@Office Licensing Wizard opens, with the Install Product Key
dialog box displayed.
3. Click Enter a different Product Key.
4. In the Product Key field, enter the new Product Key.
5. Click Next.
Chapter 12: Maintenance
259
Upgrading Your Software Product
The Installed New Product Key dialog box appears.
6. Click Next.
The first Registration dialog box appears.
7. Do one of the following:
260
Check Point Safe@Office User Guide
Upgrading Your Software Product
• To register your Safe@Office appliance later on, clear the I want
to register my product check box and then click Next.
• To register your Safe@Office appliance now, do the following:
1) Click Next.
A second Registration dialog box appears.
2) Enter your contact information in the appropriate fields.
3) To receive email notifications regarding new firmware
versions and services, select the check box.
4) Click Next.
The Registration… screen appears.
Chapter 12: Maintenance
261
Registering Your Safe@Office Appliance
The third Registration dialog box appears.
8. Click Finish.
Your Safe@Office appliance is restarted and the Welcome page appears.
Registering Your Safe@Office Appliance
If you want to activate your warranty and optionally receive notifications of
new firmware versions and services, you must register your Safe@Office
appliance.
Privacy Statement: Check Point is committed to protecting your privacy. We
use the information we collect about you to process orders and to improve
our ability to serve your needs. We will under no circumstances sell, lease, or
otherwise disclose any of your personal or contact details without your
explicit permission.
To register your Safe@Office appliance
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Upgrade Product.
262
Check Point Safe@Office User Guide
Configuring Syslog Logging
The Safe@Office Licensing Wizard opens, with the Install Product Key
dialog box displayed.
3. Select Keep these settings.
4. Click Next.
The first Registration dialog box appears.
5. Verify that the I want to register my product check box is selected.
6. Click Next.
A second Registration dialog box appears.
7. Enter your contact information in the appropriate fields.
8. To receive email notifications regarding new firmware versions and
services, select the check box.
9. Click Next.
The Registration… screen appears.
The third Registration dialog box appears.
10. Click Finish.
Your Safe@Office appliance is restarted and the Welcome page appears.
Configuring Syslog Logging
You can configure the Safe@Office appliance to send event logs to a Syslog
server residing in your internal network or on the Internet. The logs detail the
date and the time each event occurred. If the event is a communication
attempt that was rejected by the firewall, the event details include the source
and destination IP address, the destination port, and the protocol used for the
communication attempt (for example, TCP or UDP).
This same information is also available in the Event Log page (see Viewing
the Event Log on page 141). However, while the Event Log can display
Chapter 12: Maintenance
263
Configuring Syslog Logging
hundreds of logs, a Syslog server can store an unlimited number of logs.
Furthermore, Syslog servers can provide useful tools for managing your logs.
Note: Kiwi Syslog Daemon is freeware and can be downloaded from
http://www.kiwisyslog.com. For technical support, contact Kiwi
Enterprises.
To configure Syslog logging
1. Click Setup in the main menu, and click the Logging tab.
The Logging page appears.
2. Complete the fields using the information in the table below.
3. Click Apply.
Table 40: Logging Page Fields
In this field…
Do this…
Syslog Server
Type the IP address of the computer that will run
the Syslog service (one of your network
computers), or click This Computer to allow your
computer to host the service.
264
Check Point Safe@Office User Guide
Configuring HTTPS
In this field…
Do this…
Clear
Click to clear the Syslog Server field.
Syslog Port
Type the port number of the Syslog server.
Default
Click to reset the Syslog Port field to the default
(port 514 UDP).
Configuring HTTPS
You can enable Safe@Office appliance users to access the Safe@Office
Portal from the Internet. To do so, you must first configure HTTPS.
To configure HTTPS
1. Click Setup in the main menu, and click the Management tab.
The Management page appears.
Chapter 12: Maintenance
265
Configuring HTTPS
2. Specify from where HTTPS access to the Safe@Office Portal
should be granted. See HTTPS Access Options on page 267 for
information.
Warning: If remote HTTPS is enabled, your Safe@Office appliance
settings can be changed remotely, so make sure all Safe@Office
appliance users’ passwords are unguessable.
If you selected IP Address Range, additional fields appear.
3. If you selected IP Address Range, enter the desired IP address range
in the fields provided.
4. Click Apply.
The HTTPS configuration is saved. You can now access the Safe@Office
Portal through the Internet, using the procedure Accessing the
Safe@Office Portal Remotely on page 49.
266
Check Point Safe@Office User Guide
Setting the Time on the Appliance
Table 41: HTTPS Access Options
Select this
option…
Internal Network
To allow HTTPS access from…
The internal network only.
This disables remote HTTPS capability.
Note: You can use HTTPS to access the
Safe@Office Portal from your internal network, by
surfing to https://my.firewall.
Internal Network and
The internal network and your VPN.
VPN
IP Address Range
A particular range of IP addresses.
Additional fields appear, in which you can enter
the desired IP address range.
ANY
Any IP address.
Setting the Time on the Appliance
You set the time displayed in the Safe@Office 225 Portal during initial
appliance setup. If desired, you can change the date and time displayed in the
Safe@Office 225 Portal using the procedure below.
Chapter 12: Maintenance
267
Setting the Time on the Appliance
Note: The Safe@Office 100 series takes the time from your local
computer and you do not have to manually set the time.
To set the time
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
If you are using Safe@Office 105 or 110, the page appears without the
Set Time button.
2. Click Set Time.
268
Check Point Safe@Office User Guide
Setting the Time on the Appliance
The Safe@Office Set Time Wizard opens displaying the Set the Safe@Office
time dialog box.
3. Complete the fields using the information in the table below.
4. Click Next.
The following things happen in the order below:
• If you selected Specify date and time, the Specify Date and Time
dialog box appears.
Set the date, time, and time zone in the fields provided, then click
Next.
Chapter 12: Maintenance
269
Setting the Time on the Appliance
• The Date and Time Updated window appears.
5. Click Finish.
Table 42: Set Time Wizard Fields
Select this
To allow HTTPS access from…
option…
Your computer's
Set the appliance time to your computer’s
clock
system time.
Your computer’s system time is displayed to the
right of this option.
Keep the current time
Do not change the appliance’s time.
The current appliance time is displayed to the
right of this option.
Specify date and time
270
Set the appliance to a specific date and time.
Check Point Safe@Office User Guide
Controlling the Appliance via the Command Line
Controlling the Appliance via the
Command Line
The Safe@Office Portal enables you to control your appliance via the
command line interface.
To control the appliance via the command line
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Command.
The Command Line page appears.
3. In the upper field, type a command.
You can view a list of supported commands using the command help.
For information on all commands, refer to the Embedded NG CLI
Reference Guide.
4. Click Go.
Chapter 12: Maintenance
271
Using Diagnostic Tools
The command is implemented.
Using Diagnostic Tools
The Safe@Office appliance is equipped with a set of diagnostic tools that are
useful for troubleshooting Internet connectivity.
Table 43: Diagnostic Tools
Use this tool…
To do this…
Ping
Check that a specific IP address or DNS name can
be reached via the Internet.
Traceroute
Display a list of all routers used to connect from the
Safe@Office appliance to a specific IP address or
DNS name.
WHOIS
Display the name and contact information of
the entity to whom a specific IP address or DNS
name is registered. This information is useful in
tracking down hackers.
To use a diagnostic tool
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. In the Tools drop-down list, select the desired tool.
3. In the Address field, type the IP address or DNS name for which to
run the tool.
272
Check Point Safe@Office User Guide
Using Diagnostic Tools
4. Click Go.
• If you selected Ping, the following things happen:
The Safe@Office appliance sends packets to the specified the IP
address or DNS name.
The IP Tools window opens and displays the percentage of packet loss
and the amount of time it each packet took to reach the specified host
and return (round-trip) in milliseconds.
• If you selected Traceroute, the following things happen:
The Safe@Office appliance connects to the specified IP address or
DNS name.
The IP Tools window opens and displays a list of routers used to make
the connection.
Chapter 12: Maintenance
273
Backing Up the Safe@Office Appliance Configuration
• If you selected WHOIS, the following things happen:
The Safe@Office appliance queries the Internet WHOIS server.
A window displays the name of the entity to whom the IP address or
DNS name is registered and their contact information.
Backing Up the Safe@Office Appliance
Configuration
You can export the Safe@Office appliance configuration to a *.cfg file, and
use this file to backup and restore Safe@Office appliance settings, as needed.
The configuration file includes all your settings.
Exporting the Safe@Office Appliance
Configuration
Exporting the Safe@Office appliance configuration creates a configuration
file.
274
Check Point Safe@Office User Guide
Backing Up the Safe@Office Appliance Configuration
To export the Safe@Office appliance configuration
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Export.
A standard File Download dialog box appears.
3. Click Save.
The Save As dialog box appears.
4. Browse to a destination directory of your choice.
5. Type a name for the configuration file and click Save.
The *.cfg configuration file is created and saved to the specified
directory.
Chapter 12: Maintenance
275
Backing Up the Safe@Office Appliance Configuration
Importing the Safe@Office Appliance
Configuration
In order to restore your Safe@Office appliance’s configuration from a
configuration file, you must import the file.
To import the Safe@Office appliance configuration
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Import.
The Import Settings page appears.
3. Do one of the following:
• In the Import Settings field, type the full path to the configuration
file.
Or
• Click Browse, and browse to the configuration file.
4. Click Upload.
276
Check Point Safe@Office User Guide
Resetting the Safe@Office Appliance to Defaults
A confirmation message appears.
5. Click OK.
The Safe@Office appliance settings are imported.
The Import Settings page displays the configuration file's content and the
result of implementing each configuration command.
Resetting the Safe@Office Appliance to
Defaults
You can reset the Safe@Office appliance to its default settings. When you
reset your Safe@Office appliance, it reverts to the state it was originally in
when you purchased it. You can choose to keep the current firmware or to
revert to the firmware version that shipped with the Safe@Office appliance.
Warning: This operation erases all your settings and password information.
You will have to set a new password and reconfigure your Safe@Office
appliance for Internet connection. For information on performing these
tasks, see Setting Up the Safe@Office Appliance on page 41.
Chapter 12: Maintenance
277
Resetting the Safe@Office Appliance to Defaults
You can reset the Safe@Office appliance to defaults via the Web
management interface (software) or by manually pressing the Reset button
(hardware) located at the back of the Safe@Office appliance.
To reset the Safe@Office appliance to factory defaults via the
Web interface
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Factory Settings.
A confirmation message appears.
3. To revert to the firmware version that shipped with the appliance,
select the check box.
4. Click OK.
• The Please Wait screen appears.
• The Safe@Office appliance returns to its factory defaults.
278
Check Point Safe@Office User Guide
Running Diagnostics
• The Safe@Office appliance is restarted (the PWR/SEC LED
flashes quickly).
This may take a few minutes.
• The Login page appears.
To reset the Safe@Office appliance to factory defaults using the
Reset button
1. Make sure the Safe@Office appliance is powered on.
2. Using a pointed object, press the RESET button on the back of the
Safe@Office appliance steadily for seven seconds and then release
it.
3. Allow the Safe@Office appliance to boot-up until the system is
ready (PWR/SEC LED flashes slowly or illuminates steadily in
green light).
For information on the appliance's front and rear panels, see Getting to
Know Your Safe@Office 100 Series on page 14 or Getting to Know Your
Safe@Office 200 Series on page 17.
Warning: If you choose to reset the Safe@Office appliance by disconnecting
the power cable and then reconnecting it, be sure to leave the Safe@Office
appliance disconnected for at least three seconds, or the Safe@Office
appliance might not function properly until you reboot it as described below.
Running Diagnostics
You can view technical information about your Safe@Office appliance’s
hardware, firmware, license, network status, and Service Center.
This information is useful for troubleshooting. You can copy and paste it into
the body an email and send it to technical support.
Chapter 12: Maintenance
279
Rebooting the Safe@Office Appliance
To run diagnostics
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Diagnostics.
Technical information about your Safe@Office appliance appears in a
new window.
3. To refresh the contents of the window, click Refresh.
The contents are refreshed.
4. To close the window, click Close.
Rebooting the Safe@Office Appliance
If your Safe@Office appliance is not functioning properly, rebooting it may
solve the problem.
To reboot the Safe@Office appliance
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Restart.
A confirmation message appears.
3. Click OK.
• The Please Wait screen appears.
280
Check Point Safe@Office User Guide
Rebooting the Safe@Office Appliance
• The Safe@Office appliance is restarted (the PWR/SEC LED
flashes quickly).
This may take a few minutes.
• The Login page appears.
Chapter 12: Maintenance
281
Connectivity
Chapter 13
Troubleshooting
This chapter provides solutions to common problems you may encounter
while using the Safe@Office appliance.
This chapter includes the following topics:
Connectivity ....................................................................................... 283
Service Center and Upgrades ............................................................. 288
Other Problems................................................................................... 288
Connectivity
I cannot access the Internet. What should I do?
• Check if the PWR/SEC LED is green. If not, check the power
connection to the Safe@Office appliance.
• Check if the WAN LINK/ACT LED is green. If not, check the
network cable to the modem and make sure the modem is turned
on.
• Check if the LAN LINK/ACT LED for the port used by your
computer is green. If not, check if the network cable linking your
computer to the Safe@Office appliance is connected properly. Try
replacing the cable or connecting it to a different LAN port.
• Using your web browser, go to http://my.firewall and see whether
"Connected" appears on the Status Bar. Make sure that your
Safe@Office appliance network settings are configured as per your
ISP directions.
• Check your TCP/IP configuration according to Installing and
Setting up the Safe@Office Appliance on page 25.
• If Web Filtering or Email Anti Virus scanning are on, try turning
them off.
Chapter 13: Troubleshooting
283
Connectivity
• Check if you have defined firewall rules which block your Internet
connectivity.
• Check with your ISP for possible service outage.
• Check whether you are exceeding the maximum number of
computers allowed by your license, by following the procedure
Viewing Computers on page 144.
I cannot access my DSL broadband connection. What should I do?
DSL equipment comes in two flavors: bridges (commonly known as DSL
modems) and routers. Some DSL equipment can be configured to work both
ways.
• If you connect to your ISP using a PPPoE or PPTP dialer defined in
your operating system, your equipment is most likely configured as
a DSL bridge. Configure a PPPoE or PPTP type DSL connection.
• If you were not instructed to configure a dialer in your operating
system, your equipment is most likely configured as a DSL router.
Configure a LAN connection, even if you are using a DSL
connection.
For instructions, see Configuring the Internet Connection on page 57.
284
Check Point Safe@Office User Guide
Connectivity
I cannot access my Cable broadband connection. What should I do?
• Some cable ISPs require you to register the MAC address of the
device behind the cable modem. You may need to clone your
Ethernet adapter MAC address onto the Safe@Office appliance.
For instructions, see Configuring the Internet Connection on page
57.
• Some cable ISPs require using a hostname for the connection. Try
reconfiguring your Internet connection and specifying a hostname.
For further information, see Configuring the Internet Connection
on page 57.
I cannot access http://my.firewall or http://my.vpn. What should I do?
• Verify that the Safe@Office appliance is operating (PWR/SEC
LED is active)
• Check if the LAN LINK/ACT LED for the port used by your
computer is on. If not, check if the network cable linking your
computer to the Safe@Office appliance is connected properly.
Note: You may need to use a crossed cable when connecting the
Safe@Office appliance to another hub/switch.
• Try surfing to 192.168.10.1 instead of to my.firewall.
Note: 192.168.10 is the default value, and it may vary if you changed it
in the My Network page.
• Check your TCP/IP configuration according to Installing and
Setting up the Safe@Office Appliance on page 25.
• Restart your Safe@Office appliance and your broadband modem
by disconnecting the power and reconnecting after 5 seconds.
• If your web browser is configured to use an HTTP proxy to access
the
Internet, add "my.firewall" or "my.vpn" to your proxy exceptions
list.
Chapter 13: Troubleshooting
285
Connectivity
My network seems extremely slow. What should I do?
• The Ethernet cables may be faulty. For proper operation, the
Safe@Office appliance requires STP CAT5 (Shielded Twisted Pair
Category 5) Ethernet cables. Make sure that this specification is
printed on your cables.
• Your Ethernet card may be faulty or incorrectly configured. Try
replacing your Ethernet card.
• There may be an IP address conflict in your network. Check that
the TCP/IP settings of all your computers are configured to obtain
an IP address automatically.
I changed the network settings to incorrect values and am unable to
correct my error. What should I do?
Reset the network to its default settings using the button on the back of the
Safe@Office appliance unit. See Resetting the Safe@Office Appliance to
Defaults on page 277.
I am using the Safe@Office appliance behind another NAT device, and I
am having problems with some applications. What should I do?
By default, the Safe@Office appliance performs Network Address
Translation (NAT). It is possible to use the Safe@Office appliance behind
another device that performs NAT, such as a DSL router or Wireless router,
but the device will block all incoming connections from reaching your
Safe@Office appliance.
To fix this problem, do ONE of the following. (The solutions are listed in
order of preference.)
286
Check Point Safe@Office User Guide
Connectivity
• Consider whether you really need the router. The Safe@Office
appliance can be used as a replacement for your router, unless you
need it for some additional functionality that it provides, such as
Wireless access.
• If possible, disable NAT in the router. Refer to the router’s
documentation for instructions on how to do this.
• If the router has a “DMZ Computer” or “Exposed Host” option, set
it to the Safe@Office appliance’s external IP address.
• Open the following ports in the NAT device:
• UDP 9281/9282
• UDP 500
• TCP 256
• TCP 264
• ESP IP protocol 50
• TCP 981
I cannot receive audio or video calls through the Safe@Office appliance.
What should I do?
To enable audio/video, you must configure an IP Telephony (H.323) virtual
server. For instructions, see Configuring Servers on page 152.
I run a public Web server at home but it cannot be accessed from the
Internet. What should I do?
Configure a virtual Web Server. For instructions, see Configuring Servers on
page 152.
I cannot connect to the LAN network from the DMZ network. What should I
do?
By default, connections from the DMZ network to the LAN network are
blocked. To allow traffic from the DMZ to the LAN, configure appropriate
firewall rules. For instructions, see Using Rules on page 154.
Chapter 13: Troubleshooting
287
Service Center and Upgrades
Service Center and Upgrades
I purchased Safe@Office 110, but I only have Safe@Office 105
functionality. What should I do?
Your have not installed your product key. For further information, see
Upgrading Your Software Product on page 258.
I have exceeded my node limit. What does this mean? What should I do?
Your Product Key specifies a maximum number of nodes that you may
connect to the Safe@Office appliance.
The Safe@Office appliance tracks the cumulative number of nodes on the
internal network that have communicated through the firewall. When the
Safe@Office appliance encounters an IP address that exceeds the licensed
node limit, the Active Computers page displays a warning message and
marks nodes over the node limit in red. These nodes will not be able to access
the Internet through the Safe@Office appliance, but will be protected. The
Event Log page also warns you that you have exceeded the node limit.
To upgrade your Safe@Office appliance to support more nodes, purchase a
new Product Key. Contact your reseller for upgrade information.
While trying to connect to a Service Center, I received the message “The
Service Center did not respond”. What should I do?
• If you are using a Service Center other than the Check Point
Service Center, check that the Service Center IP address is typed
correctly.
• The Safe@Office appliance connects to the Service Center using
UDP ports 9281/9282. If the Safe@Office appliance is installed
behind another firewall, make sure that these ports are open.
Other Problems
I have forgotten my password. What should I do?
Reset your Safe@Office appliance to factory defaults using the Reset button
as detailed in Resetting the Safe@Office Appliance to Defaults on page 277.
288
Check Point Safe@Office User Guide
Other Problems
Why are the date and time displayed incorrectly?
In the Safe@Office 100 series, when a computer on the LAN connects to the
Safe@Office Portal, the Safe@Office appliance adjusts its date and time to
match that of the computer. If the date and time displayed in the Safe@Office
Portal are incorrect, it probably means that the date and time on the computer
connected to the Safe@Office Portal are incorrect.
In the Safe@Office 200 series, you can adjust the time on the Setup page's
Tools tab. For information, see Setting the Time on the Appliance on page
267.
I cannot use a certain network application. What should I do?
Look at the Event Log page. If it lists blocked attacks, do the following:
• Turn the Safe@Office appliance security to Low and try again.
• If the application still does not work, set the computer on which
you want to use the application to be the exposed host.
For instructions, see Defining an Exposed Host on page 163.
When you have finished using the application, make sure to clear the exposed
host setting, otherwise your security might be compromised.
I installed McAfee VirusScan ASaP, but the SecureDesk status message
says "SecureDesk not installed". What should I do?
If you are using Windows XP, then the Windows XP firewall probably
prevented VirusScan from being installed correctly. Do the following:
1. Uninstall McAfee VirusScan ASaP via the Control Panel.
2. Disable the Windows XP Internet Connection Firewall option.
3. Re-install McAfee VirusScan ASaP using the information in
Installing McAfee VirusScan ASaP on page 184.
Chapter 13: Troubleshooting
289
Technical Specifications
Chapter 14
Specifications
This chapter includes the following topics:
Technical Specifications.....................................................................291
CE Declaration of Conformity............................................................295
Federal Communications Commission Radio Frequency Interference
Statement .................................................................................................. 297
Technical Specifications
Table 44: Safe@Office Appliance Attributes
Attribute
Safe@Office
105/110/
255/225U
Safe@Office
300
Safe@Office
300W
General
Dimensions
20.32 x 3.05 x
20 x 3.1 x
20 x 3.1 x
(width x height
12.19 cm
13.24 cm
15.5 cm
x depth)
(8 x 1.2 x 4.8
(7.9 x 1.2 x 5.2
(7.9 x 1.2 x 6.1
inches)
inches)
inches)
0.7 kg (1.56 lbs)
0.64 kg
0.69 kg (1.55 lbs)
Weight
Chapter 14: Specifications
291
Technical Specifications
Attribute
Safe@Office
105/110/
Safe@Office
300
255/225U
Supply
110VAC
voltage
(90 to 132 VAC)
Safe@Office
300W
100 ~ 240 VAC
100 to 240VAC
50/60 Hz
50/60 Hz
100VAC
230VAC
(200 to 265 VAC)
Line voltage
50/60 Hz
frequency, AC
(47 to 63 Hz)
Max. Power
13.5W
MAX 5.75W
MAX 8W
Consumption
(100series)/7.5W
(MAX 1.15A)
(MAX1.6A)
(200series)
w/o external
w/o external USB
USB devices
devices (USB –
(USB – MAX
MAX 1A)
1A)
Retail box
31 x 10 x 16 cm
29 x 25 x 76
29 x 25 x 7.6 cm
dimensions
(12.4 x 4 x 6.4
cm
(11.4 x 9.8 x 3
(width x height
inches)
(11.4 x 9.8 x 3
inches)
x depth)
inches)
Retail box
1.3 kg (2.9 lbs)
1.3 kg (2.9 lbs)
weight
Environmental
Conditions
292
Check Point Safe@Office User Guide
1.35 kg (3 lbs)
Technical Specifications
Attribute
Safe@Office
105/110/
255/225U
Temperature:
Safe@Office
300
Safe@Office
300W
- 20°C to +70°C
- 5°C to +70°C
- 5°C to +70°C
+ 5°C to +45°C
- 5°C ~ 50°C
- 5°C ~ 50°C
Humidity:
5% to 90% at
0% ~ 90%
0% ~ 90%
Storage/Oper
25°C
ation
(no
CNS1219 C6343
Storage/Trans
port
Temperature:
Operation
condensation)
Applicable
Standards
Shock &
ETSI 300 019-2-3
CNS1219
Vibration
CLASS 3.1 &
C6343
Bellcore GR 63
(NEBS)
Safety
EN60950/
EN60950/
EN60950/
IEC 60950
IEC 60950
IEC 60950
Chapter 14: Specifications
293
Technical Specifications
Attribute
Safe@Office
105/110/
Safe@Office
300
255/225U
Quality
ISO9001
Safe@Office
300W
ISO9001:2000
ISO9001:2000
TL9000-HW
TL9000-HW R3.0
R3.0
ISO14001
ISO14001
Ohsas18001:
Ohsas18001:
1999
294
Check Point Safe@Office User Guide
1999
CE Declaration of Conformity
CE Declaration of Conformity
SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, hereby
declares that this equipment is in conformity with the essential requirements
specified in Article 3.1 (a) and 3.1 (b) of:
• Directive 89/336/EEC (EMC Directive)
• Directive 73/23/EEC (Low Voltage Directive – LVD)
• Directive 99/05/EEC (Radio Equipment and Telecommunications
Terminal Equipment Directive)
In accordance with the following standards:
Table 45: Safe@Office Appliance Standards
Safe@Office
Safe@Office
EN55022: 1994+A1: 1995+A2:
EN 300 328 V 1.4.1(2003-04)
Safe@Office
300
105/110/
255/225U
EN 50081-1:1992
1997
300W
EN 301 489-1 V 1.4.1(2002-
EN 50082-1:1997
EN 61000-3-2:2000
08)
EN 61000-3-3:1995+
EN 301 489-17 V 1.2.1(2002-
A1:2001
08)
EN55024: 1998+A1: 2001+A2:
EN 55022:1994+A1:
EN 55024:1998
2003
1995+A2 1997, Class B
EN 61000-3-2: 1995
IEC 61000-4-2:2001
EN 61000-3-2:2000
EN 61000-6-1:2001
EN 61000-6-3:2001
EN 55022:1998
EN 61000-3-3:1995+A1:
2001
Chapter 14: Specifications
295
CE Declaration of Conformity
Safe@Office
105/110/
255/225U
EN 61000-3-3: 1995
Safe@Office
300
Safe@Office
300W
IEC 61000-4-3:
EN 61000-4-2:1995+
2002+A1:2002
A1:1998+A2:2001
IEC 61000-4-4:1995+A1:
EN 61000-4-3:1996+A1:
2002+A2:2001
1998+A2: 2001
IEC 61000-4-5:2001
EN 61000-4-4:1995+A1:
EN 61000-4-2:1995
EN 61000-4-3:1996/
A2:2001
EN 61000-4-4:1995
2001+A2: 2001
IEC 61000-4-6:2001
EN 61000-4-5:1995
EN 61000-4-5:1995+A1:
IEC 61000-4-8:2001
EN 61000-4-6:1996
IEC 61000-4-11:2001
EN 61000-4-7:1993
EN 60950-1:2001
2001
EN 61000-4-6:1996+A1:
2001
EN 61000-4-8:1993
EN 61000-4EN 61000-4-9:1993
11:1994+A1: 2001
EN 61000-4-10:1993
EN 60950-1: 2001
EN 61000-4-11:1994
EN 61000-4-12:1995
EN 60950: 1992
The "CE" mark is affixed to this product to demonstrate conformance to the
R&TTE Directive 99/05/EEC (Radio Equipment and Telecommunications
Terminal Equipment Directive) and FCC Part 15 Class B.
296
Check Point Safe@Office User Guide
Federal Communications Commission Radio Frequency Interference Statement
The product has been tested in a typical configuration. For a copy of the
Original Signed Declaration (in full conformance with EN45014), please
contact SofaWare at the above address.
Federal Communications Commission
Radio Frequency Interference Statement
This equipment complies with the limits for a Class B digital device, pursuant
to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference when the equipment is operated in a
commercial environment. This equipment generates, uses, and can radiate
radio frequency energy and, if not installed and used in accordance with the
instruction manual, may cause harmful interference to radio communications.
Shielded cables must be used with this equipment to maintain compliance
with FCC regulations.
Changes or modifications not expressly approved by the manufacturer could
void the user’s authority to operate the equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to
the following two conditions: (1) this device may not cause harmful
interference, and (2) this device must accept any interference received,
including interference that may cause undesired operation.
This Class B digital apparatus complies with Canadian ICES-003.
Chapter 14: Specifications
297
ADSL Modem
Glossary of Terms
ADSL Modem
A device connecting a computer
to the Internet via an existing
phone line. ADSL (Asymmetric
Digital Subscriber Line) modems
offer a high-speed 'always-on'
connection.
CA
The Certificate Authority (CA)
issues certificates to entities such
as gateways, users, or computers.
The entity later uses the
certificate to identify itself and
provide verifiable information.
For instance, the certificate
includes the Distinguishing
Name (DN) (identifying
information) of the entity, as
well as the public key
(information about itself), and
possibly the IP address.
After two entities exchange and
validate each other's certificates,
they can begin encrypting
information between themselves
using the public keys in the
certificates.
Cable Modem
A device connecting a computer
to the Internet via the cable
television network. Cable
modems offer a high-speed
'always-on' connection.
Certificate Authority
The Certificate Authority (CA)
issues certificates to entities such
as gateways, users, or computers.
The entity later uses the
certificate to identify itself and
provide verifiable information.
For instance, the certificate
includes the Distinguishing
Name (DN) (identifying
information) of the entity, as
well as the public key
(information about itself), and
possibly the IP address.
After two entities exchange and
validate each other's certificates,
they can begin encrypting
information between themselves
using the public keys in the
certificates.
Cracking
An activity in which someone
breaks into someone else's
computer system, bypasses
passwords or licenses in
computer programs; or in other
ways intentionally breaches
computer security. The end
result is that whatever resides on
the computer can be viewed and
Glossary of Terms
299
DHCP
sensitive data can be stolen
without anyone knowing about
it. Sometimes, tiny programs are
'planted' on the computer that are
designed to watch out for, seize
and then transmit to another
computer, specific types of data.
An example of a Domain Name
is 'www.sofaware.com'.
Domain Name System
Domain Name System. The
Domain Name System (DNS)
refers to the Internet domain
names, or easy-to-remember
"handles", that are translated into
IP addresses.
DHCP
Any machine requires a unique
IP address to connect to the
Internet using Internet Protocol.
Dynamic Host Configuration
Protocol (DHCP) is a
communications protocol that
assigns Internet Protocol (IP)
addresses to computers on the
network.
An example of a Domain Name
is 'www.sofaware.com'.
Exposed Host
An exposed host allows one
computer to be exposed to the
Internet. An example of using an
exposed host would be exposing
a public server, while preventing
outside users from getting direct
access form this server back to
the private network.
DHCP uses the concept of a
"lease" or amount of time that a
given IP address will be valid for
a computer.
DMZ
A DMZ (demilitarized zone) is
an internal network defined in
addition to the LAN network and
protected by the Safe@Office
appliance.
DNS
The Domain Name System
(DNS) refers to the Internet
domain names, or easy-toremember "handles", that are
translated into IP addresses.
300
Firmware
Software embedded in a device.
Gateway
A network point that acts as an
entrance to another network.
Check Point Safe@Office User Guide
Hacking
Hub
A device with multiple ports,
connecting several PCs or
network devices on a network.
Hacking
An activity in which someone
breaks into someone else's
computer system, bypasses
passwords or licenses in
computer programs; or in other
ways intentionally breaches
computer security. The end
result is that whatever resides on
the computer can be viewed and
sensitive data can be stolen
without anyone knowing about
it. Sometimes, tiny programs are
'planted' on the computer that are
designed to watch out for, seize
and then transmit to another
computer, specific types of data.
HTTPS
Hypertext Transfer Protocol over
Secure Socket Layer, or HTTP
over SSL.
A protocol for accessing a secure
Web server. It uses SSL as a
sublayer under the regular HTTP
application. This directs
messages to a secure port
number rather than the default
Web port number, and uses a
public key to encrypt data
HTTPS is used to transfer
confidential user information.
IP Address
An IP address is a 32-bit number
that identifies each computer
sending or receiving data packets
across the Internet. When you
request an HTML page or send
e-mail, the Internet Protocol part
of TCP/IP includes your IP
address in the message and sends
it to the IP address that is
obtained by looking up the
domain name in the Uniform
Resource Locator you requested
or in the e-mail address you're
sending a note to. At the other
end, the recipient can see the IP
address of the Web page
requestor or the e-mail sender
and can respond by sending
another message using the IP
address it received.
IP Spoofing
A technique where an attacker
attempts to gain unauthorized
access through a false source
address to make it appear as
though communications have
originated in a part of the
network with higher access
privileges. For example, a packet
originating on the Internet may
Glossary of Terms
301
IPSEC
be masquerading as a local
packet with the source IP address
of an internal host. The firewall
can protect against IP spoofing
attacks by limiting network
access based on the gateway
interface from which data is
being received.
IPSEC
IPSEC is the leading Virtual
Private Networking (VPN)
standard. IPSEC enables
individuals or offices to establish
secure communication channels
('tunnels') over the Internet.
ISP
An ISP (Internet service
provider) is a company that
provides access to the Internet
and other related services.
LAN
A local area network (LAN) is a
group of computers and
associated devices that share a
common communications line
and typically share the resources
of a single server within a small
geographic area.
Mbps
Megabits per second.
Measurement unit for the rate of
data transmission.
MTU
The Maximum Transmission
Unit (MTU) is a parameter that
determines the largest datagram
than can be transmitted by an IP
interface (without it needing to
be broken down into smaller
units). The MTU should be
larger than the largest datagram
you wish to transmit unfragmented. Note: This only
prevents fragmentation locally.
Some other link in the path may
have a smaller MTU - the
datagram will be fragmented at
that point. Typical values are
1500 bytes for an Ethernet
interface or 1452 for a PPP
interface.
NAT
MAC Address
The MAC (Media Access
Control) address is a computer's
302
unique hardware number. When
connected to the Internet from
your computer, a mapping
relates your IP address to your
computer's physical (MAC)
address on the LAN.
Network Address Translation
(NAT) is the translation or
mapping of an IP address to a
different IP address. NAT can be
Check Point Safe@Office User Guide
NetBIOS
used to map several internal IP
addresses to a single IP address,
thereby sharing a single IP
address assigned by the ISP
among several PCs.
Check Point FireWall-1's
Stateful Inspection Network
Address Translation (NAT)
implementation supports
hundreds of pre-defined
applications, services, and
protocols, more than any other
firewall vendor.
NetBIOS
NetBIOS is the networking
protocol used by DOS and
Windows machines.
Packet
A packet is the basic unit of data
that flows from one source on
the Internet to another
destination on the Internet. When
any file (e-mail message, HTML
file, GIF file etc.) is sent from
one place to another on the
Internet, the file is divided into
"chunks" of an efficient size for
routing. Each of these packets is
separately numbered and
includes the Internet address of
the destination. The individual
packets for a given file may
travel different routes through
the Internet. When they have all
arrived, they are reassembled
into the original file at the
receiving end.
PPPoE
PPPoE (Point-to-Point Protocol
over Ethernet) enables
connecting multiple computer
users on an Ethernet local area
network to a remote site or ISP,
through common customer
premises equipment (e.g.
modem).
PPTP
The Point-to-Point Tunneling
Protocol (PPTP) allows
extending a local network by
establishing private “tunnels”
over the Internet. This protocol it
is also used by some DSL
providers as an alternative for
PPPoE.
RJ-45
The RJ-45 is a connector for
digital transmission over
ordinary phone wire.
Router
A router is a device that
determines the next network
point to which a packet should
be forwarded toward its
destination. The router is
connected to at least two
networks.
Glossary of Terms
303
Server
Server
TCP
A server is a program (or host)
that awaits and requests from
client programs across the
network. For example, a Web
server is the computer program,
running on a specific host, that
serves requested HTML pages or
files. Your browser is the client
program, in this case.
Stateful Inspection
Stateful Inspection was invented
by Check Point to provide the
highest level of security by
examining every layer within a
packet, unlike other systems of
inspection. Stateful Inspection
extracts information required for
security decisions from all
application layers and retains
this information in dynamic state
tables for evaluating subsequent
connection attempts. In other
words, it learns!
Subnet Mask
A 32-bit identifier indicating
how the network is split into
subnets. The subnet mask
indicates which part of the IP
address is the host ID and which
indicates the subnet.
304
TCP (Transmission Control
Protocol) is a set of rules
(protocol) used along with the
Internet Protocol (IP) to send
data in the form of message units
between computers over the
Internet. While IP takes care of
handling the actual delivery of
the data, TCP takes care of
keeping track of the individual
units of data (called packets) that
a message is divided into for
efficient routing through the
Internet.
For example, when an HTML
file is sent to you from a Web
server, the Transmission Control
Protocol (TCP) program layer in
that server divides the file into
one or more packets, numbers
the packets, and then forwards
them individually to the IP
program layer. Although each
packet has the same destination
IP address, it may get routed
differently through the network.
At the other end (the client
program in your computer), TCP
reassembles the individual
packets and waits until they have
arrived to forward them to you
as a single file.
Check Point Safe@Office User Guide
TCP/IP
TCP/IP
TCP/IP (Transmission Control
Protocol/Internet Protocol) is the
underlying communication
protocol of the Internet.
UDP
UDP (User Datagram Protocol)
is a communications protocol
that offers a limited amount of
service when messages are
exchanged between computers in
a network that uses the Internet
Protocol (IP). UDP is an
alternative to the Transmission
Control Protocol (TCP) and,
together with IP, is sometimes
referred to as UDP/IP. Like the
Transmission Control Protocol,
UDP uses the Internet Protocol
to actually get a data unit (called
a datagram) from one computer
to another. Unlike TCP,
however, UDP does not provide
the service of dividing a message
into packets (datagrams) and
reassembling it at the other end.
depends on the Internet
application protocol. On the Web
(which uses the Hypertext
Transfer Protocol), an example
of a URL is
'http://www.sofaware.com'.
VPN
A virtual private network (VPN)
is a private data network that
makes use of the public
telecommunication
infrastructure, maintaining
privacy through the use of a
tunneling protocol and security
procedures.
VPN tunnel
A secure connection between a
Remote Access VPN Client and
a Remote Access VPN Server.
WLAN
A WLAN is a wireless local area
network protected by the
Safe@Office appliance.
UDP is often used for
applications such as streaming
data.
URL
A URL (Uniform Resource
Locator) is the address of a file
(resource) accessible on the
Internet. The type of resource
Glossary of Terms
305
A
Index
account, configuring • 171
active computers, viewing •
144
active connections, viewing
• 147
Allow and Forward rules,
explained • 157
Allow rules, explained •
157
antivirus
checking compliancy •
189
installing • 184
Automatic login • 233
backup connection • 91
Block rules, explained •
157
explained • 299
cable type • 40
certificate
explained • 237
installing • 237
uninstalling • 240
command line interface
controlling the appliance
via • 271
DHCP
configuring • 94
explained • 300
DHCP Server
enabling/disabling • 94
explained • 94
diagnostic tools
Ping • 272
Traceroute • 272
CA, explained • 237, 299
using • 272
cable modem
WHOIS • 272
connection • 61, 70
diagnostics • 279
Index
307
E
dialup
connection • 77, 92
firewall
levels • 149
modem • 84
rule types • 155
dialup modem, setting up •
84
setting security level •
149
DMZ
configuring • 102
firmware
configuring High
Availability for • 117
explained • 255, 300
explained • 102, 300
viewing status • 255
DNS • 91, 272, 300
updating manually • 257
front panel • 15, 19
Dynamic DNS • 10, 169
gateways
Email Antivirus
backup • 117
enabling/disabling • 176
default • 102, 117, 137
selecting protocols for •
177
explained • 300
ID • 169
snoozing • 177
master • 117
temporarily disabling •
177
event log, viewing • 141
exposed host
Site-to-Site VPN • 199
Hide NAT
defining a computer as •
163
explained • 163, 300
308
Check Point Safe@Office User Guide
enabling/disabling • 101
explained • 101, 302
I
high availability
Internet Setup • 66
configuring • 117
Internet Wizard • 58
explained • 117
IP address
HTTPS
changing • 100
configuring • 265
explained • 301
explained • 301
hiding • 101
using • 49
hub • 13, 17, 40, 91, 117,
283, 301
IPSEC • 2
VPN mode • 8, 302
ISP, explained • 302
initial login • 45
installation
cable type • 40
LAN
cable • 40
network • 40
configuring High
Availability for • 117
SecureDesk • 184
connection • 58, 60, 68
Internet connection
configuring • 57
configuring backup • 91
enabling/disabling • 89
establishing quick • 89
terminating • 90
explained • 302
ports • 4, 14, 17, 40
licenses • 144, 255, 279,
283
MAC address
troubleshooting • 283
cloning • 86
viewing information •
88
explained • 86, 302
Index
309
N
Manual Login • 233
MTU, explained • 79, 302
packet • 88, 137, 272, 301,
303
password
NetBIOS, explained • 303
changing • 245
network
changing internal range
of • 100
configuring • 93
setting up • 45
Ping • 272
PPPoE
connection • 63, 71
configuring a DMZ •
102
configuring high
availability • 117
enabling DHCP Server
on • 94
explained • 303
tunnels • 206
PPPoE tunnels, creating •
206
PPTP
enabling Hide NAT •
101
connection • 64, 73
explained • 303
installation on • 40
managing • 93
Product Key • 258
objects • 129
network objects
QoS
adding and editing • 130
classes • 120
deleting • 136
explained • 120
using • 129
QoS classes
network requirements • 13
node limit, viewing • 144
310
Check Point Safe@Office User Guide
adding and editing • 122
R
assigning services to •
154
event log • 141
built-in • 128
SecureDesk • 196
deleting • 127
viewing • 141
explained • 120
restoring defaults • 128
RADIUS
explained • 252
using • 252
rear panel • 14, 17
rebooting • 280
registering • 262
node limit • 144
routers • 91, 117, 272, 283,
303
rules
adding and editing • 157
deleting • 163
types • 157
using • 154
Safe@Office 100 series
Remote Access VPN
Clients, explained • 199
front panel • 15, 19
Remote Access VPN
Servers • 2
Safe@Office 105 • 2
configuring • 204
explained • 199
Remote Access VPN sites •
208
reports
active computers • 144
active connections • 147
rear panel • 14, 17
Safe@Office 110 • 2
Safe@Office 200 series
front panel • 19
rear panel • 17
Safe@Office 225 • 3
Safe@Office 225U • 3
Safe@Office appliance
Index
311
S
about • 1
remotely accessing • 49
backing up • 274
using • 50
changing internal IP
address of • 100
SecureDesk
checking antivirus
compliancy • 189
configuring Internet
connection • 57
enabling/disabling •
129, 183
exporting configuration
• 274
installing McAfee
VirusScan • 184
features • 4
overriding • 195
importing configuration
• 276
installing • 25, 40
setting security level •
186
maintenance • 255
status messages • 191
models • 2
viewing reports • 196
network requirements •
13
security
rebooting • 280
configuring servers •
152
registering • 262
creating rules • 154
resetting to factory
defaults • 277
defining a computer as
an exposed host • 163
Safe@Office Portal
firewall • 149
elements • 50
security policy • 149
initial login • 45
servers
logging off • 236
configuring • 152
logging on • 47
explained • 304
312
Check Point Safe@Office User Guide
T
Remote Access VPN •
2, 199, 204
Stateful Inspection • 1, 302,
304
Web • 129, 152, 283
Static NAT
Service Center
connecting to • 165
disconnecting from •
172
refreshing a connection
to • 171
services
Email Antivirus • 175
SecureDesk • 183
software updates • 179
Web Filtering • 172
Setup Wizard • 45, 58
Site-to-Site VPN gateways
• 206
explained • 199
installing a certificate •
237
PPPoE tunnels • 206
software updates
checking for manually •
179
explained • 179
explained • 129
using • 130
static routes
adding • 137
deleting • 140
explained • 137
using • 137
viewing and editing •
139
subnet masks, explained •
304
subscription services
explained • 165
starting • 165
viewing information •
169
Syslog logging
configuring • 263
explained • 263
TCP, explained • 304
Index
313
U
adding • 248
TCP/IP
explained • 304
deleting • 251
setting up for MAC OS
• 37
managing • 245
setting up remote VPN
access for • 252
setting up for Windows
95/98 • 31
viewing and editing •
248
setting up for Windows
XP/2000 • 26
technical support • 24
Telstra • 75
VPN
explained • 199, 305
time, setting • 267
Remote Access • 203,
206
Traceroute • 272
Traffic Shaper
enabling • 66, 120
sites • 199, 231, 232,
233, 236
explained • 120
Site-to-Site • 201, 206
restoring defaults • 128
tunnnels • 199, 233, 241
using • 120
troubleshooting • 283
VPN functionality • 200
VPN sites
typographical conventions
• 24
deleting • 231
UDP, explained • 305
URL, explained • 305
users
314
adding and editing using
Safe@Office 110 and
225 • 206
enabling/disabling • 232
logging off • 236
logging on • 233
Check Point Safe@Office User Guide
W
VPN tunnels
creation and closing of •
241
establishing • 233
explained • 199, 305
viewing • 241
WAN
cable • 40
connections • 154
ports • 4, 14, 17, 40, 91
Web Filtering
enabling/disabling • 173
selecting categories for •
174
snoozing • 174
temporarily disabling •
174
WHOIS • 272
WLAN
configuring • 104
defined • 305
Index
315
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.4 Linearized : No Encryption : Standard V1.2 (40-bit) User Access : Print, Copy, Fill forms, Extract, Assemble, Print high-res Modify Date : 2004:09:17 10:28:17+08:00 Create Date : 2004:09:17 10:27:48+08:00 Title : Internet Security Appliance Subject : Check Point Safe@Office Author : Part No: 700797, June 2004 Creator : (Acrobat PDFMaker 6.0 for Word) Producer : Acrobat Distiller 6.0 (Windows) Page Count : 176 Mod Date : 2004:09:17 10:28:17+08:00 Creation Date : 2004:09:17 10:27:48+08:00 Metadata Date : 2004:09:17 10:28:17+08:00 Has XFA : NoEXIF Metadata provided by EXIF.tools