SofaWare Technologies SBXW-166LHGE-4 Wireless Broadband Router User Manual Internet Security Appliance
SofaWare Technologies Ltd. Wireless Broadband Router Internet Security Appliance
Users Manual Part 2
Using Static Routes

   c. Click Apply.
      The changes are saved.

Deleting a Static Route

Note: The "default" route cannot be deleted.

To delete a static route
1. Click Network in the main menu, and click the Routes tab.
   The Static Routes page appears, with a listing of existing static routes.
2. In the desired route row, click the Delete icon.
   A confirmation message appears.
3. Click OK.
   The route is deleted.

140 Check Point Safe@Office User Guide

Chapter 6: Viewing Reports

This chapter describes the Safe@Office Portal reports.

This chapter includes the following topics:
   Viewing the Event Log (page 141)
   Viewing Computers (page 144)
   Viewing Connections (page 147)

Viewing the Event Log

You can track network activity using the Event Log. The Event Log displays the most recent events and color codes them.

Table 20: Event Log Color Coding

   An event marked in this color…   Indicates…
   Blue     Changes in your setup that you have made yourself or as a result of a security update implemented by your Service Center.
   Red      Connection attempts that were blocked by your firewall.
   Orange   Connection attempts that were blocked by your custom security rules.
   Green    Traffic accepted by the firewall. By default, accepted traffic is not logged. However, such traffic may be logged if specified by a security policy downloaded from your Service Center.

The logs detail the date and the time the event occurred, and its type. If the event is a communication attempt that was rejected by the firewall, the event details include the source and destination IP address, the destination port, and the protocol used for the communication attempt (for example, TCP or UDP).
Note: You can configure the Safe@Office appliance to send event logs to a Syslog server. For information, see Configuring Syslog Logging on page 263.

To view the event log
• Click Reports in the main menu, and click the Event Log tab.
  The Event Log page appears.

You can do any of the following:
• Click the Refresh button to refresh the display.
• Click the Clear button to clear all events.
• If an event is highlighted in red, indicating a blocked attack on your network, you can display the attacker's details by clicking on the IP address of the attacking machine. The Safe@Office appliance queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information. This information is useful in tracking down hackers.

Viewing Computers

This option allows you to view the currently active computers on your network. The active computers are graphically displayed, each with its name, IP address, and settings (DHCP, Static, etc.). You can also view node limit information.

To view the active computers
1. Click Reports in the main menu, and click the Active Computers tab.
   The Active Computers page appears.
   If you configured High Availability, both the master and backup appliances are shown.
   If you are using Safe@Office 300W, the following is displayed next to wireless computers:
   • Transmission rate in Mbps
   • Signal strength in dB
   • An information icon. You can mouse-over this icon to see the following statistics:
     Frames OK - The total number of frames that were successfully transmitted and received
     Errors - The total number of transmitted and received frames for which an error occurred
     Discarded/Dropped Frames - The total number of discarded or dropped frames transmitted and received
     Unicast Frames - The number of unicast frames transmitted and received
     Broadcast Frames - The number of broadcast frames transmitted and received
     Multicast Frames - The number of multicast frames transmitted and received
   If you are subscribed to SecureDesk, a status message next to each computer indicates whether the computer complies with the SecureDesk security level conditions. For information on SecureDesk, see Using SecureDesk on page 183. For an explanation of the status messages, see SecureDesk Status Messages on page 191.
   If you are exceeding the maximum number of computers allowed by your license, a warning message appears, and the computers over the node limit are marked in red. These computers are still protected, but they are blocked from accessing the Internet through the Safe@Office appliance.
   Note: Computers that did not communicate through the firewall are not counted for node limit purposes, even though they are protected by the firewall.
   Note: To increase the number of computers allowed by your license, you must upgrade your product. For further information, see Upgrading Your Software Product on page 258.
2. To refresh the display, click Refresh.
3. To view node limit information, do the following:
   a. Click Node Limit.
      The Node Limit window appears with the installed software product and the number of nodes used.
   b. Click Close to close the window.
Viewing Connections

This option allows you to view the currently active connections between your network and the external world. The active connections are displayed as a list, specifying source IP address, destination IP address and port, and the protocol used (TCP, UDP, etc.).

To view the active connections
• Click Reports in the main menu, and click the Active Connections tab.
  The Active Connections page appears.

You can do the following:
• Click the Refresh button to refresh the display.
• To view information on the destination machine, click its IP address. The Safe@Office appliance queries the Internet WHOIS server, and a window displays the name of the entity to whom the IP address is registered and their contact information.

Chapter 7: Setting Your Security Policy

This chapter describes how to set up your Safe@Office appliance security policy. You can enhance your security policy by subscribing to services such as Web Filtering and Email Antivirus scanning. You can also subscribe to SecureDesk, which includes and enforces the use of the McAfee VirusScan ASaP Web-based antivirus service. For information on subscribing to services and SecureDesk, see Using Subscription Services on page 165.

This chapter includes the following topics:
   Setting the Firewall Security Level (page 149)
   Configuring Servers (page 152)
   Using Rules (page 154)
   Defining an Exposed Host (page 163)

Setting the Firewall Security Level

The firewall security level can be controlled using a simple lever available on the Firewall page.
You can set the lever to three states.

Table 21: Firewall Security Levels

   This level…   Does this…   Further Details

   Low      Enforces basic control on incoming connections, while permitting all outgoing connections.
            All inbound traffic is blocked to the external Safe@Office appliance IP address, except for ICMP echoes ("pings"). All outbound connections are allowed.

   Medium   Enforces strict control on all incoming connections, while permitting safe outgoing connections. This is the default level and is recommended for most cases. Leave it unchanged unless you have a specific need for a higher or lower security level.
            All inbound traffic is blocked. All outbound traffic is allowed to the Internet except for Windows file sharing (NBT ports 137, 138, 139 and 445).

   High     Enforces strict control on all incoming and outgoing connections.
            All inbound traffic is blocked. Restricts all outbound traffic except for the following: Web traffic (HTTP, HTTPS), email (IMAP, POP3, SMTP), ftp, newsgroups, Telnet, DNS, IPSEC IKE and VPN traffic.

Note: If the security policy is remotely managed, this lever might be disabled.

Note: The definitions of firewall security levels provided in this table represent the Safe@Office appliance's default security policy. Security updates downloaded from a Service Center may alter this policy and change these definitions.

To change the firewall security level
1. Click Security in the main menu, and click the Firewall tab.
   The Firewall page appears.
2. Drag the security lever to the desired level.
   The Safe@Office appliance security level changes accordingly.

Configuring Servers

Note: If you do not intend to host any public Internet servers (Web Server, Mail Server etc.) in your network, you can skip this section.

Using the Safe@Office Portal, you can selectively allow incoming network connections into your network. For example, you can set up your own Web server, Mail server or FTP server.

Note: Configuring servers allows you to create simple Allow and Forward rules for common services, and it is equivalent to creating Allow and Forward rules in the Rules page. For information on creating rules, see Using Rules on page 154.

To allow a service to be run on a specific host
1. Click Security in the main menu, and click the Servers tab.
   The Servers page appears, displaying a list of services and a host IP address for each allowed service.
2. Complete the fields using the information in the table below.
3. Click Apply.
   A success message appears, and the selected computer is allowed to run the desired service or application.

Table 22: Servers Page Fields

   In this column…   Do this…
   Allow      Select the desired service or application.
   VPN Only   Select this option to allow only connections made through a VPN.
   Host IP    Type the IP address of the computer that will run the service (one of your network computers), or click the corresponding This Computer button to allow your computer to host the service.

To stop the forwarding of a service to a specific host
1. Click Security in the main menu, and click the Servers tab.
   The Servers page appears, displaying a list of services and a host IP address for each allowed service.
2. In the desired service or application's row, click Clear.
   The Host IP field of the desired service is cleared.
3. Click Apply.
   The service or application is no longer allowed on the specific host.

Using Rules

The Safe@Office appliance checks the protocol used, the port range, and the destination IP address when deciding whether to allow or block traffic.
By default, in the Medium security level, the Safe@Office appliance blocks all connection attempts from the Internet (WAN) to the LAN, and allows all outgoing connection attempts from the LAN to the Internet (WAN).

User-defined rules have priority over the default rules and provide you with greater flexibility in defining and customizing your security policy.

The following rule types exist:

Table 23: Firewall Rule Types

   Rule   Description

   Allow and Forward
      This rule type enables you to do the following:
      • Permit incoming access from the Internet to a specific service in your internal network.
      • Forward all such connections to a specific computer in your network.
      • Redirect the specified connections to a specific port. This option is called Port Address Translation (PAT).
      Creating an Allow and Forward rule is equivalent to defining a server in the Servers page.
      Note: You must use this type of rule to allow incoming connections if your network uses Hide NAT.
      Note: You cannot specify two Allow and Forward rules that forward the same service to two different destinations.

   Allow
      This rule type enables you to do the following:
      • Permit outgoing access from your internal network to a specific service on the Internet.
        Note: You can allow outgoing connections for services that are not permitted by the default security policy.
      • Permit incoming access from the Internet to a specific service in your internal network.
      • Assign traffic to a QoS class. If Traffic Shaper is enabled for the direction of traffic specified in the rule (incoming or outgoing), then Traffic Shaper will handle relevant connections as specified in the bandwidth policy for the selected QoS class.
        For example, if Traffic Shaper is enabled for outgoing traffic, and you create an Allow rule associating all outgoing Web traffic with the Urgent QoS class, then Traffic Shaper will handle outgoing Web traffic as specified in the bandwidth policy for the Urgent class. For information on Traffic Shaper and QoS classes, see Using Traffic Shaper on page 120.
        This option is only available in Safe@Office 225.
      Note: You cannot use an Allow rule to permit incoming traffic if the network or VPN uses Hide NAT. However, you can use Allow rules for static NAT IP addresses.

   Block
      This rule type enables you to do the following:
      • Block outgoing access from your internal network to a specific service on the Internet.
      • Block incoming access from the Internet to a specific service in your internal network.

Adding and Editing Rules

To add or edit a rule
1. Click Security in the main menu, and click the Rules tab.
   The Rules page appears.
   If you are using Safe@Office 105 or 110, the QoS column does not appear.
2. Click Add Rule.
   The Safe@Office Firewall Rule wizard opens, with the Step 1: Rule Type dialog box displayed.
3. Select the type of rule you want to create.
4. Click Next.
   The Step 2: Service dialog box appears. The example below shows an Allow rule.
5. Complete the fields using the relevant information in the table below.
6. Click Next.
   The Step 3: Destination and Source dialog box appears.
7. Complete the fields using the relevant information in the table below.
   The Step 4: Done dialog box appears.
8. Click Finish.
   The new rule appears in the Firewall Rules page.

Table 24: Firewall Rule Fields

   In this field…   Do this…

   Any Service
      Click this option to specify that the rule should apply to any service.
   Standard Service
      Click this option to specify that the rule should apply to a specific standard service. You must then select the desired service from the drop-down list.

   Custom Service
      Click this option to specify that the rule should apply to a specific non-standard service. The Protocol and Port Range fields are enabled. You must fill them in.

   Protocol
      Select the protocol (ESP, GRE, TCP, UDP or ANY) for which the rule should apply.

   Ports
      To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box.
      Note: If you do not enter a port range, the rule will apply to all ports. If you enter only one port number, the range will include only that port.

   Source
      Select the source of the connections you want to allow/block.
      To specify an IP address, select Specified IP and type the desired IP address in the field provided.
      To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.

   Destination
      Select the destination of the connections you want to allow or block.
      To specify an IP address, select Specified IP and type the desired IP address in the text box.
      To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.
      This option is not available in Allow and Forward rules.

   Quality of Service Class
      Select the QoS class to which you want to assign the specified connections. If Traffic Shaper is enabled, Traffic Shaper will handle these connections as specified in the bandwidth policy for the selected QoS class. If Traffic Shaper is not enabled, this setting is ignored. For information on Traffic Shaper and QoS classes, see Using Traffic Shaper on page 120.
      This drop-down list only appears when defining an Allow rule in Safe@Office 225. It contains all QoS classes defined in the portal.

   Redirect to port
      Select this option to redirect the connections to a specific port. You must then type the desired port in the field provided.
      This option is called Port Address Translation (PAT), and is only available when defining an Allow and Forward rule.

Deleting Rules

To delete an existing rule
1. Click Security in the main menu, and click the Rules tab.
   The Rules page appears.
2. Click the Delete icon of the rule you wish to delete.
   A confirmation message appears.
3. Click OK.
   The rule is deleted.

Defining an Exposed Host

The Safe@Office appliance allows you to define an exposed host, which is a computer that is not protected by the firewall. This is useful for setting up a public server. It allows unlimited incoming and outgoing connections between the Internet and the exposed host computer.

The exposed host receives all traffic that was not forwarded to another computer by use of Allow and Forward rules.

Warning: Entering an IP address may make the designated computer vulnerable to hacker attacks. Defining an exposed host is not recommended unless you are fully aware of the security risks.

To define a computer as an exposed host
1. Click Security in the main menu, and click the Exposed Host tab.
   The Exposed Host page appears.
2. In the Exposed Host field, type the IP address of the computer you wish to define as an exposed host.
   Alternatively, you can click This Computer to define your computer as the exposed host.
3. Click Apply.
   The selected computer is now defined as an exposed host.
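The evaluation order this chapter describes (user-defined rules first, then the exposed host for inbound traffic not forwarded by an Allow and Forward rule, then the lever defaults of Table 21, with blocked events colored as in Table 20), as an added model that is not the appliance's own code. The addresses, the "start-end" range syntax, and the port numbers used for the High-level services are assumptions.

```python
"""Policy-order model (added example, not the appliance's code): user-defined
rules first, then the exposed host for inbound traffic, then the Table 21 lever
defaults. High-level port numbers are an assumption; the manual names services only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

NBT_PORTS = {137, 138, 139, 445}              # Windows file sharing (Medium level)
HIGH_LEVEL_OUTBOUND = {                       # High level permits only these outbound
    ("tcp", 80), ("tcp", 443),                # Web traffic (HTTP, HTTPS)
    ("tcp", 143), ("tcp", 110), ("tcp", 25),  # email (IMAP, POP3, SMTP)
    ("tcp", 21), ("tcp", 119), ("tcp", 23),   # ftp, newsgroups, Telnet
    ("tcp", 53), ("udp", 53),                 # DNS
    ("udp", 500), ("esp", None),              # IPSEC IKE and VPN traffic
}

@dataclass(frozen=True)
class Connection:
    direction: str            # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    proto: str                # "tcp", "udp", "esp", "gre", "icmp-echo"
    src: str
    dst: str
    dport: Optional[int] = None

def _in_scope(spec: Optional[str], addr: str) -> bool:
    """Table 24 Source/Destination: None = any, "a-b" = Specified Range, else IP or CIDR."""
    if spec is None:
        return True
    if "-" in spec:
        lo, hi = (ip_address(x) for x in spec.split("-"))
        return lo <= ip_address(addr) <= hi
    return ip_address(addr) in ip_network(spec, strict=False)

@dataclass(frozen=True)
class Rule:
    kind: str                                  # "allow", "block" or "allow_forward"
    proto: str = "any"                         # ESP, GRE, TCP, UDP or ANY
    ports: Optional[Tuple[int, int]] = None    # (start, end); None = all ports
    source: Optional[str] = None
    destination: Optional[str] = None          # not available for Allow and Forward
    forward_to: Optional[str] = None           # Allow and Forward target host
    redirect_port: Optional[int] = None        # PAT; Allow and Forward only

    def matches(self, c: Connection) -> bool:
        if self.kind == "allow_forward" and c.direction != "in":
            return False                       # forwarding is for incoming access only
        if self.proto != "any" and self.proto != c.proto:
            return False
        if self.ports and (c.dport is None or not self.ports[0] <= c.dport <= self.ports[1]):
            return False
        return _in_scope(self.source, c.src) and _in_scope(self.destination, c.dst)

@dataclass(frozen=True)
class Decision:
    action: str                                # "accepted" or "blocked"
    color: str                                 # Table 20: green, orange or red
    reason: str
    forwarded_to: Optional[Tuple[str, Optional[int]]] = None

class Firewall:
    def __init__(self, level: str = "medium", wan_ip: str = "203.0.113.5"):
        self.level, self.wan_ip = level, wan_ip    # wan_ip is a constructed sample
        self.rules, self.exposed_host, self.event_log = [], None, []

    def add_rule(self, rule: Rule) -> None:
        for r in self.rules:                   # the same service may not go to two hosts
            if (rule.kind == r.kind == "allow_forward" and r.forward_to != rule.forward_to
                    and (r.proto, r.ports) == (rule.proto, rule.ports)):
                raise ValueError("service already forwarded to another host")
        self.rules.append(rule)
        self.event_log.append(("blue", f"rule added: {rule.kind}"))   # a setup change

    def _default(self, c: Connection) -> Decision:
        if c.direction == "in":                # every level blocks inbound; Low allows pings
            if self.level == "low" and c.proto == "icmp-echo" and c.dst == self.wan_ip:
                return Decision("accepted", "green", "low: ICMP echo to the appliance")
            return Decision("blocked", "red", f"{self.level}: inbound blocked by default")
        if self.level == "medium" and c.dport in NBT_PORTS:
            return Decision("blocked", "red", "medium: Windows file sharing blocked")
        if self.level == "high" and not ({(c.proto, c.dport), (c.proto, None)} & HIGH_LEVEL_OUTBOUND):
            return Decision("blocked", "red", "high: outbound service not permitted")
        return Decision("accepted", "green", f"{self.level}: outbound allowed")

    def evaluate(self, c: Connection) -> Decision:
        d = None
        for rule in self.rules:                # user-defined rules have priority
            if not rule.matches(c):
                continue
            if rule.kind == "block":
                d = Decision("blocked", "orange", "custom Block rule")
            elif rule.kind == "allow_forward":
                d = Decision("accepted", "green", "Allow and Forward rule",
                             (rule.forward_to, rule.redirect_port or c.dport))
            else:
                d = Decision("accepted", "green", "custom Allow rule")
            break
        if d is None and c.direction == "in" and self.exposed_host:   # all traffic not forwarded
            d = Decision("accepted", "green", "exposed host", (self.exposed_host, c.dport))
        d = d or self._default(c)
        if d.action == "blocked":              # accepted traffic is not logged by default
            self.event_log.append((d.color, d.reason))
        return d
```

Note that a Block rule is logged orange while a default-policy block is logged red, which is exactly the distinction Table 20 draws, and that the Allow and Forward rule still wins over the exposed host for the service it covers.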
Chapter 8: Using Subscription Services

This chapter explains how to start subscription services, and how to use the Software Updates, Web Filtering, and Email Antivirus services. For information on using the SecureDesk service, see Using SecureDesk on page 183.

Note: Check with your reseller regarding availability of subscription services, or surf to www.sofaware.com/servicecenters to locate your nearest Service Center.

This chapter includes the following topics:
   Connecting to a Service Center (page 165)
   Viewing Services Information (page 169)
   Refreshing Your Service Center Connection (page 171)
   Configuring Your Account (page 171)
   Disconnecting from Your Service Center (page 172)
   Web Filtering (page 172)
   Virus Scanning (page 175)
   Automatic and Manual Updates (page 179)

Connecting to a Service Center

To connect to a Service Center
1. Click Services in the main menu, and click the Account tab.
   The Account page appears.
2. In the Service Account area, click Connect.
   The Safe@Office Services Wizard opens, with the Service Center dialog box displayed.
3. Make sure the Connect to a different Service Center check box is selected.
4. Do one of the following:
   • To connect to the SofaWare Service Center, select usercenter.sofaware.com.
   • To specify a Service Center, select Specified IP and then, in the Specified IP field, enter the desired Service Center's IP address, as given to you by your system administrator.
5. Click Next.
   • The Connecting… screen appears.
   • If the Service Center requires authentication, the Service Center Login dialog box appears. Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider, then click Next.
   • The Connecting… screen appears.
   • The Confirmation dialog box appears with a list of services to which you are subscribed.
6. Click Next.
   The Done screen appears with a success message.
7. Click Finish.
   The following things happen:
   • If new firmware is available, the Safe@Office appliance may start downloading it. This may take several minutes. Once the download is complete, the Safe@Office appliance restarts using the new firmware.
   • The Welcome page appears.
   • The services to which you are subscribed are now available on your Safe@Office appliance and listed as such on the Account page. See Viewing Services Information on page 169 for further information.
   • The Services submenu includes the services to which you are subscribed.

Viewing Services Information

The Account page displays the following information about your subscription.

Table 25: Account Page Fields

   This field…               Displays…
   Service Center Name       The name of the Service Center to which you are connected (if known).
   Gateway ID                Your gateway ID.
   Subscription will end on  The date on which your subscription to services will end.
   Service                   The services available in your service plan.
   Subscription Status       The status of your subscription to each service:
                             • Subscribed
                             • Not Subscribed
   Status                    The status of each service:
                             • Connected. You are connected to the service through the Service Center.
                             • N/A. The service is not available.
   Mode                      The mode to which each service is set.
   Information               If you are subscribed to Dynamic DNS, this field displays your gateway's domain name.

For further information, see Using SecureDesk on page 183, Web Filtering on page 172, Virus Scanning on page 175, and Automatic and Manual Updates on page 179.

Refreshing Your Service Center Connection

This option restarts your Safe@Office appliance's connection to the Service Center and refreshes your Safe@Office appliance's service settings.

To refresh your Service Center connection
1. Click Services in the main menu, and click the Account tab.
   The Account page appears.
2. In the Service Account area, click Refresh.
   The Safe@Office appliance reconnects to the Service Center. Your service settings are refreshed.

Configuring Your Account

This option allows you to access your Service Center Web site, which may offer additional configuration options for your account.

To configure your account
1. Click Services in the main menu, and click the Account tab.
   The Account page appears.
2. In the Service Account area, click Configure.
   Note: If no additional settings are available from your Service Center, this button will not appear.
   Your Service Center Web site opens.
3. Follow the on-screen instructions.

Disconnecting from Your Service Center

If desired, you can disconnect from your Service Center.

To disconnect from your Service Center
1. Click Services in the main menu, and click the Account tab.
   The Account page appears.
2. In the Service Account area, click Connect.
   The Safe@Office Services Wizard opens, with the first Subscription Services dialog box displayed.
3. Clear the Connect to a different Service Center check box.
4. Click Next.
   The Done screen appears with a success message.
5. Click Finish.
   The following things happen:
   • You are disconnected from the Service Center.
   • The services to which you were subscribed are no longer available on your Safe@Office appliance.

Web Filtering

When the Web Filtering service is enabled, access to Web content is restricted according to the categories specified under Allow Categories. Authorized users will be able to view Web pages with no restrictions, but only after they have provided the administrator password via the Web Filtering pop-up window.

Note: Web Filtering is only available if you are connected to a Service Center and subscribed to this service.

Enabling/Disabling Web Filtering

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable/disable Web Filtering
1. Click Services in the main menu, and click the Web Filtering tab.
   The Web Filtering page appears.
2. Drag the On/Off lever upwards or downwards.
   Web Filtering is enabled/disabled for all internal network computers.

Selecting Categories for Blocking

You can define which types of Web sites should be considered appropriate for your family or office members, by selecting the categories. Categories marked with the allow icon will remain visible, while categories marked with the block icon will be blocked and will require the administrator password for viewing.

Note: If you are remotely managed, contact your Service Center to change these settings.

To allow/block a category
1. In the Allow Categories area, click the allow or block icon next to the desired category.
2. Click Apply.

Temporarily Disabling Web Filtering

If desired, you can temporarily disable the Web Filtering service.

To temporarily disable Web Filtering
1. Click Services in the main menu, and click the Web Filtering tab.
   The Web Filtering page appears.
2. Click Snooze.
   • Web Filtering is temporarily disabled for all internal network computers.
   • The Snooze button changes to Resume.
   • The Web Filtering Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window or on the Web Filtering page.
   • The service is re-enabled for all internal network computers.
   • If you clicked Resume in the Web Filtering page, the button changes to Snooze.
   • If you clicked Resume in the Web Filtering Off popup window, the popup window closes.

Virus Scanning

When the Email Antivirus service is enabled, your email is automatically scanned for the detection and elimination of all known viruses and vandals.

Note: Email Antivirus is only available if you are connected to a Service Center and subscribed to this service.

Enabling/Disabling Email Antivirus

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable/disable Email Antivirus
1. Click Services in the main menu, and click the Email Antivirus tab.
   The Email Antivirus page appears.
2. Drag the On/Off lever upwards or downwards.
   Email Antivirus is enabled/disabled for all internal network computers.

Selecting Protocols for Scanning

If you are locally managed, you can define which protocols should be scanned for viruses:
• Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned.
• Email sending (SMTP). If enabled, all outgoing email will be scanned.
Protocols marked with the scan icon will be scanned, while those marked with the no-scan icon will not.

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable virus scanning for a protocol
1. In the Protocols area, click the scan or no-scan icon next to the desired protocol.
2. Click Apply.

Temporarily Disabling Email Antivirus

If you are having problems sending or receiving email, you can temporarily disable the Email Antivirus service.
To temporarily disable Email Antivirus
1. Click Services in the main menu, and click the Email Antivirus tab.
   The Email Antivirus page appears.
2. Click Snooze.
   • Email Antivirus is temporarily disabled for all internal network computers.
   • The Snooze button changes to Resume.
   • The Email Antivirus Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window or on the Email Antivirus page.
   • The service is re-enabled for all internal network computers.
   • If you clicked Resume in the Email Antivirus page, the button changes to Snooze.
   • If you clicked Resume in the Email Antivirus Off popup window, the popup window closes.

Automatic and Manual Updates

The Software Updates service enables you to check for new security and software updates.

Note: Software Updates are only available if you are connected to a Service Center and subscribed to this service.

Checking for Software Updates when Locally Managed

If your Safe@Office appliance is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates must be checked for manually.

To configure software updates when locally managed
1. Click Services in the main menu, and click the Software Updates tab.
   The Software Updates page appears.
2. To set the Safe@Office appliance to automatically check for and install new software updates, drag the Automatic/Manual lever upwards.
   The Safe@Office appliance checks for new updates and installs them according to its schedule.
   Note: When the Software Updates service is set to Automatic, you can still manually check for updates.
3. To set the Safe@Office appliance so that software updates must be checked for manually, drag the Automatic/Manual lever downwards.
   The Safe@Office appliance does not check for software updates automatically.
4. To manually check for software updates, click Update Now.
   The system checks for new updates and installs them.

Checking for Software Updates When Remotely Managed

If your Safe@Office appliance is remotely managed, it automatically checks for software updates and installs them without user intervention. However, you can still check for updates manually, if needed.

To manually check for security and software updates
1. Click Services in the main menu, and click the Software Updates tab.
   The Software Updates page appears.
2. Click Update Now.
   The system checks for new updates and installs them.

Chapter 9: Using SecureDesk

SecureDesk allows you to make access through the firewall conditional upon the state of a computer's antivirus software. For example, you can configure SecureDesk to allow access for computers on which the antivirus software is enabled but not up-to-date, or to block access for computers on which the antivirus software is up-to-date, but not the most recent build.

SecureDesk enables you to quickly and easily install and update antivirus software on all computers in the network simultaneously, and reports the status of the antivirus software on each computer.

SecureDesk requires that you install McAfee VirusScan ASaP, a Web-based antivirus service included in the SecureDesk subscription service. SecureDesk monitors the state of the installed VirusScan virus signatures, agent, and engine, and blocks access through the firewall if they do not match the security level set in the Safe@Office Portal. Authorized users can override the block by providing the administrator password via a pop-up window.

If desired, you can disable SecureDesk for a specific computer or network.
For example, you might want to disable SecureDesk for a printer with an IP address, or for a computer with an operating system that VirusScan does not support. To do so, you must add the computer or network as a network object. For information on adding network objects and disabling or enabling SecureDesk, see Using Network Objects on page 129.
Note: SecureDesk is only available if you are connected to a Service Center and subscribed to this service.

This chapter includes the following topics:
Installing McAfee VirusScan ASaP ........ 184
Updating McAfee VirusScan ASaP on All Computers ........ 186
Setting the SecureDesk Security Level ........ 186
Checking Antivirus Compliancy ........ 189
Overriding SecureDesk ........ 195
Viewing SecureDesk Reports ........ 196

Installing McAfee VirusScan ASaP
Once you have subscribed to SecureDesk and connected to the Service Center (see Connecting to a Service Center on page 165), you must install McAfee VirusScan ASaP on all computers in your network.
Note: You must disable the Windows XP "Internet Connection Firewall" option before you install McAfee VirusScan ASaP.
The VirusScan installer automatically uninstalls most antivirus programs before installing VirusScan. For a list of products that the VirusScan installer automatically uninstalls, refer to the Quick Start Guide. If your antivirus program does not appear in the list, you must manually uninstall the program before installing VirusScan.
Note: If your current antivirus software is part of a suite of programs, you may have to reinstall the suite without the antivirus component after installing VirusScan.
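The access decision SecureDesk makes, as described above and detailed later in this chapter (the conditions each security level enforces in Table 26, the status messages of Table 27, the colors of Table 28, and the network-object exclusion), modelled in Python as an added example that is not SofaWare or Check Point code. The host fields, the dotted-version comparison rule and the order of the checks are assumptions, and the Service Status values and hosts are constructed sample data.

```python
"""SecureDesk access decision modelled from this chapter's Tables 26, 27 and 28.
Added example, not SofaWare/Check Point code: host fields, version comparison
and check order are assumptions; Service Status values and hosts are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import zip_longest
from typing import Dict, Sequence

COMPONENTS = ("signatures", "agent", "engine")   # what SecureDesk monitors
LEVELS = ("Off", "Low", "Medium", "High")         # the four lever positions
# Table 28: orange means "complies, but the antivirus state is not ideal"
WARNING_MESSAGES = {"Compliant, but SecureDesk not most up-to-date",
                    "SecureDesk not up-to-date"}


def cmp_version(a: str, b: str) -> int:
    """Compare dotted versions field by field: 4.0.10 > 4.0.9 and 3.1 == 3.1.0.
    A plain string comparison would wrongly rank "4.0.10" below "4.0.9"."""
    fa = (int(p) for p in a.split("."))
    fb = (int(p) for p in b.split("."))
    for x, y in zip_longest(fa, fb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0


@dataclass
class ServiceStatus:
    """Minimum and Current columns of the Service Status table, per component."""
    minimum: Dict[str, str]
    current: Dict[str, str]


@dataclass
class HostState:
    """What the VirusScan agent reported for one computer (assumed fields)."""
    ip: str
    responding: bool = True
    installed: bool = False
    scanner_installed: bool = True   # False: engine and signatures present, scanner not
    enabled: bool = False            # Table 26's "enabled" condition
    versions: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    message: str    # Table 27 status text
    blocked: bool   # is access through the firewall blocked?

    @property
    def color(self) -> str:
        # Table 28 color; the guide gives none for Off/Excluded, green is assumed.
        if self.blocked:
            return "Red"
        return "Orange" if self.message in WARNING_MESSAGES else "Green"


def is_excluded(ip: str, excluded_networks: Sequence[str]) -> bool:
    """Network objects for which SecureDesk has been disabled."""
    return any(ip_address(ip) in ip_network(n, strict=False) for n in excluded_networks)


def evaluate(host: HostState, level: str, status: ServiceStatus,
             excluded_networks: Sequence[str] = ()) -> Decision:
    """Status message and block decision for one host at the given security level."""
    if level not in LEVELS:
        raise ValueError(f"unknown SecureDesk level {level!r}")
    if is_excluded(host.ip, excluded_networks):
        return Decision("Excluded from Antivirus compliance checking", False)
    if level == "Off":   # Table 26: nothing enforced (this message text is ours)
        return Decision("SecureDesk is off", False)
    if not host.responding:
        return Decision("SecureDesk state is unknown", True)   # temporary block
    if not host.installed:
        return Decision("SecureDesk not installed", True)
    if not host.scanner_installed:
        return Decision("SecureDesk scanner not installed", True)
    # Table 26: up-to-date = every component >= Minimum, most recent = every
    # component == Current. A component the host did not report counts as 0.
    up_to_date = all(cmp_version(host.versions.get(c, "0"), status.minimum[c]) >= 0
                     for c in COMPONENTS)
    most_recent = all(cmp_version(host.versions.get(c, "0"), status.current[c]) == 0
                      for c in COMPONENTS)
    compliant = host.enabled and (level == "Low"
                                  or (level == "Medium" and up_to_date)
                                  or (level == "High" and most_recent))
    if compliant:
        if not up_to_date:   # Table 27: blocked only when the level requires it
            return Decision("SecureDesk not up-to-date", False)
        if not most_recent:
            return Decision("Compliant, but SecureDesk not most up-to-date", False)
        return Decision("SecureDesk is compliant", False)
    # Not compliant: name the failing condition the way Table 27 does.
    if not up_to_date and not host.enabled:
        return Decision("SecureDesk not up-to-date and scanner is disabled", True)
    if not host.enabled:
        return Decision("SecureDesk scanner is disabled", True)
    if not up_to_date:
        return Decision("SecureDesk not up-to-date", True)
    return Decision("SecureDesk is not compliant", True)   # e.g. High, not at Current


# Constructed sample: a Service Status table, and a network printer that was
# added as a network object with SecureDesk disabled for it.
SERVICE = ServiceStatus(
    minimum={"signatures": "4.0.4000", "agent": "3.1", "engine": "4.3.20"},
    current={"signatures": "4.0.4100", "agent": "3.1", "engine": "4.3.20"})
EXCLUDED = ["192.168.10.50/32"]
```

Evaluating the same host at Low, Medium and High shows why "SecureDesk not up-to-date" is a warning at one level and a block at the next.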
If VirusScan is already installed on your computer, check whether it complies with the SecureDesk security level conditions using the procedure Checking Antivirus Compliancy on page 189.

To install McAfee VirusScan ASaP
1. Click Security in the main menu, and click the SecureDesk tab.
   The SecureDesk page appears.
2. Do one of the following:
   • To install VirusScan on this computer only, click Download and install the latest antivirus software.
   • To install VirusScan on all the computers in your network, click Run the desktop security software Push Installer.
   The McAfee Security page opens in a new window, with the McAfee Secure-1 VirusScan ASaP popup window on top.
3. Follow the online instructions to complete installation. If antivirus software is already installed, the installer may remove it.
   VirusScan is installed.
For information on troubleshooting installation and using VirusScan, see the User Help. To access VirusScan ASaP User Help, right-click the VirusScan icon in the taskbar, and select Scan Now > Help.

Updating McAfee VirusScan ASaP on All Computers
If the version of VirusScan installed on a computer is not up-to-date, SecureDesk may block access through the firewall for that computer, depending on the SecureDesk security level. You can update the installed version of VirusScan on all computers in the network simultaneously, using the Push Installer. For information on how to check whether the version of VirusScan installed on a computer is up-to-date, see Checking Antivirus Compliancy on page 189.

To update McAfee VirusScan ASaP on all computers
1. Click Security in the main menu, and click the SecureDesk tab.
   The SecureDesk page appears.
2. Click Run the desktop security software Push Installer.
   The McAfee Security page opens in a new window, with the McAfee Secure-1 VirusScan ASaP popup window on top.
3. Follow the online instructions to complete updating.
   VirusScan is updated on all computers in the network.

Setting the SecureDesk Security Level
The SecureDesk security level determines what conditions a computer's antivirus software must meet before the computer can access the Internet. You control the SecureDesk security level using a simple lever available on the SecureDesk page. You can set the lever to four states.
Note: If the security policy is remotely managed, this lever might be disabled.

Table 26: SecureDesk Security Levels (security level: conditions enforced)
Off: None. SecureDesk is disabled, and users can freely access the Internet, regardless of whether antivirus software is installed or not.
   Note: You can disable SecureDesk for a specific computer or network, using the information in Using Network Objects on page 129.
Low: Antivirus software must be installed and enabled, but it need not be up-to-date.
Medium: Antivirus software must be installed, enabled, and up-to-date. In order for the antivirus software to qualify as up-to-date, the installed antivirus components' version numbers must be equal to or higher than the version numbers displayed in the Service Status table's Minimum column.
High: The most recent antivirus software must be installed and enabled. In order for the antivirus software to qualify as the most recent, the installed antivirus components' version numbers must match the version numbers displayed in the Service Status table's Current column.

To change the SecureDesk security level
1. Click Security in the main menu, and click the SecureDesk tab.
   The SecureDesk page appears.
2. Drag the lever to the desired level.
   SecureDesk enforces the new security level conditions.
   If you raised the security level, and the antivirus software installed on your computer does not meet the new security level conditions, the Current Device Status and Actions area displays an appropriate status message, and the Update your antivirus software to the latest version link appears. For an explanation of all status messages and their colors, see SecureDesk Status Messages on page 191.
3. If necessary, update your antivirus software by doing the following:
   a. Click Update your antivirus software to the latest version.
      The McAfee Security page opens in a new window, with the McAfee Secure-1 VirusScan ASaP popup window on top.
   b. Follow the online instructions to complete updating.
      VirusScan is updated on all computers in the network.
   For information on updating VirusScan on all computers in the network, see Updating McAfee VirusScan ASaP on All Computers on page 186.

Checking Antivirus Compliancy
You can check whether a computer's antivirus software complies with the SecureDesk security level conditions.

To check antivirus compliancy for your computer
1. Click Security in the main menu, and click the SecureDesk tab.
   The SecureDesk page appears, and the Current Device Status and Actions area displays a color-coded status message indicating whether the computer complies with the SecureDesk security level conditions. For an explanation of the status message and its color, see the table below. If the antivirus software installed on your computer does not meet the security level conditions, the Update your antivirus software to the latest version link appears.
2. To view detailed information about the antivirus status and component versions, point to the status message.
   A popup window displays the desired information.
3. If necessary, update your antivirus software by doing the following:
   a. Click Update your antivirus software to the latest version.
      The McAfee Security page opens in a new window, with the McAfee Secure-1 VirusScan ASaP popup window on top.
   b. Follow the online instructions to complete updating.
      VirusScan is updated on all computers in the network.

To check antivirus compliancy for all computers in the network
1. Click Reports in the main menu, and click the Active Computers tab.
   The Active Computers page appears. A color-coded status message next to each computer indicates whether the computer complies with the SecureDesk security level conditions. For an explanation of the status messages and their colors, see the tables below.
2. To view detailed information about the antivirus status and component versions, point to the status message.
   A popup window displays the desired information.
3. If necessary, update the antivirus software on all computers in the network. For instructions, see Updating McAfee VirusScan ASaP on All Computers on page 186.

Table 27: SecureDesk Status Messages (message: explanation)
SecureDesk is compliant: The antivirus software complies with the SecureDesk security level conditions, and access through the firewall is not blocked.
Compliant, but SecureDesk not most up-to-date: The antivirus software complies with the SecureDesk security level conditions, and access through the firewall is not blocked. However, the antivirus components' version numbers do not match the version numbers displayed in the Service Status table's Current column. It is recommended to update your software.
Compliant, but SecureDesk scanner is disabled: The antivirus software complies with the SecureDesk security level conditions, and access through the firewall is not blocked. However, the scanner is disabled, and the computer/network is not currently protected from viruses. It is recommended to enable the scanner.
SecureDesk not up-to-date: The antivirus software components' version numbers are less than the version numbers displayed in the Service Status table's Minimum column. Access through the firewall may be blocked, depending on whether the SecureDesk security level conditions require that the antivirus software is up-to-date. Update your software.
SecureDesk scanner is disabled: The scanner is disabled, and the computer/network is not currently protected from viruses. Access through the firewall is blocked. Enable the scanner.
SecureDesk not up-to-date and scanner is disabled: The antivirus software components' version numbers are less than the version numbers displayed in the Service Status table's Minimum column, and the scanner is disabled. The computer/network is not currently protected from viruses. Access through the firewall is blocked. Update your software and enable the scanner.
SecureDesk is not compliant: The antivirus software does not comply with the SecureDesk security level conditions, and access through the firewall is blocked. Check the SecureDesk security level conditions, and make changes to your antivirus software accordingly. For information on SecureDesk security levels, see Setting the SecureDesk Security Level on page 186.
SecureDesk scanner not installed: The antivirus engine and virus signatures are installed, but the antivirus scanner is not. Access through the firewall is blocked. Install the scanner.
SecureDesk not installed: VirusScan is not installed, and access through the firewall is blocked. Install the antivirus software.
SecureDesk state is unknown: SecureDesk has not yet determined the antivirus software's state, because the computer is not responding. Access through the firewall is temporarily blocked.
Excluded from Antivirus compliance checking: SecureDesk is disabled for this computer/network. Access through the firewall is not blocked. For information on enabling SecureDesk, see Using Network Objects on page 129.

Table 28: SecureDesk Status Message Color Coding (color: explanation)
Red: Error. The antivirus software does not comply with the SecureDesk security level conditions, and access through the firewall is blocked.
Orange: Warning. The antivirus software complies with the SecureDesk security level conditions, and access through the firewall is not blocked. However, the state of the antivirus software is not ideal.
Green: OK. The antivirus software complies with the SecureDesk security level conditions, and access through the firewall is not blocked.

Overriding SecureDesk
SecureDesk blocks access through the firewall if your computer's antivirus software does not comply with the SecureDesk security level conditions. When you attempt to connect to the Internet, the following things happen:
• The Access Denied page appears.
• The Event Log specifies that the connection was blocked by SecureDesk.
You can correct the problem by clicking Download and install the latest antivirus software to install up-to-date software, and then clicking Continue to the original page. Alternatively, Safe@Office administrators with Read/Write permissions can override the block using the procedure below.

To override SecureDesk
1. In the Access Denied page's Administrator Override area, in the Username field, type your user name.
2. In the Password field, type your password.
3. Click OK.
   SecureDesk is temporarily disabled for your computer only. The page you were blocked from accessing appears. The Antivirus Off popup window appears.
4.
   To re-enable the service, click Resume in the popup window.
   The service is re-enabled for your computer.

Viewing SecureDesk Reports
You can view reports on SecureDesk's activities for all computers in your network.
Note: You must be connected to the Internet to view SecureDesk reports.

To view SecureDesk reports
1. Click Services in the main menu, and click the SecureDesk tab.
   The SecureDesk page appears.
2. Click SecureDesk Reports.
   A SecureDesk report opens in a new window. This may take some time.

Chapter 10: Working With VPNs
This chapter describes how to use your Safe@Office appliance as a Remote Access VPN Client, server, or gateway.
This chapter includes the following topics:
Overview ........ 199
Setting Up Your Safe@Office Appliance as a Remote Access VPN Server ........ 204
Adding and Editing VPN Sites using Safe@Office 110 and 225 ........ 206
Deleting a VPN Site ........ 231
Enabling/Disabling a VPN Site ........ 232
Logging on to a VPN Site ........ 233
Logging off a VPN Site ........ 236
Installing a Certificate ........ 237
Uninstalling a Certificate ........ 240
Viewing VPN Tunnels ........ 241

Overview
You can configure your Safe@Office appliance as part of a virtual private network (VPN).
A VPN is a private data network consisting of a group of gateways that can securely connect to each other. Each member of the VPN is called a VPN site, and a connection between two VPN sites is called a VPN tunnel. VPN tunnels encrypt and authenticate all traffic passing through them. Through these tunnels, employees can safely use their company’s network resources when working at home. For example, they can securely read email, use the company’s intranet, or access the company’s database from home.
There are three types of VPN sites:
• Remote Access VPN Server - Makes a network remotely available to authorized users, who connect to the Remote Access VPN Server using Remote Access VPN Clients, such as Check Point SecuRemote. Unless the Remote Access VPN Server is also a Remote Access VPN Client, it cannot initiate a connection to other VPN sites.
• Site-to-Site VPN Gateway - Can connect with another Site-to-Site VPN Gateway in a permanent, bi-directional relationship.
• Remote Access VPN Client - Can connect to a Remote Access VPN Server, but other VPN sites cannot initiate a connection to the Remote Access VPN Client. Defining a Remote Access VPN Client is a hardware alternative to using SecuRemote software.
Safe@Office 105 acts as a Remote Access VPN Server for one user, allowing a single remote employee to securely work from home or on the road. Safe@Office 110 and 225 provide full VPN functionality. They can act as a Remote Access VPN Client, a Remote Access VPN Server for multiple users, or a Site-to-Site VPN Gateway.
A virtual private network (VPN) must include at least one Remote Access VPN Server or gateway. The type of VPN sites you include in a VPN depends on the type of VPN you want to create, Site-to-Site or Remote Access.
Note: A locally managed Remote Access VPN Server or gateway must have a static IP address.
If you need a Remote Access VPN Server or gateway with a dynamic IP address, you must use SofaWare Security Management Portal (SMP) management. A SecuRemote or Safe@Office Remote Access VPN Client can have a dynamic IP address, regardless of whether it is locally or remotely managed.
Note: This chapter explains how to define a VPN locally. However, if your appliance is centrally managed by a Service Center, then the Service Center can automatically deploy VPN configuration for your appliance.

Site-to-Site VPNs
A Site-to-Site VPN consists of two or more Site-to-Site VPN Gateways that can communicate with each other in a bi-directional relationship. The connected networks function as a single network. You can use this type of VPN to mesh office branches into one corporate network.
Figure 8: Site-to-Site VPN

To create a Site-to-Site VPN with two VPN sites
1. On the first VPN site’s Safe@Office appliance, do the following:
   a. Define the second VPN site as a Site-to-Site VPN Gateway, or create a PPPoE tunnel to the second VPN site, using the procedure Adding and Editing VPN Sites on page 206.
   b. Enable the Remote Access VPN Server using the procedure Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 204.
2. On the second VPN site’s Safe@Office appliance, do the following:
   a. Define the first VPN site as a Site-to-Site VPN Gateway, or create a PPPoE tunnel to the first VPN site, using the procedure Adding and Editing VPN Sites on page 206.
   b. Then enable the Remote Access VPN Server using the procedure Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 204.

Remote Access VPNs
A Remote Access VPN consists of one Remote Access VPN Server or Site-to-Site VPN Gateway, and one or more Remote Access VPN Clients.
You can use this type of VPN to make an office network remotely available to authorized users, such as employees working from home, who connect to the office Remote Access VPN Server with their Remote Access VPN Clients.
Figure 9: Remote Access VPN

To create a Remote Access VPN with two VPN sites
1. On the remote user VPN site's Safe@Office appliance, add the office Remote Access VPN Server as a Remote Access VPN site. See Adding and Editing VPN Sites on page 206.
   The remote user's Safe@Office appliance will act as a Remote Access VPN Client.
2. On the office VPN site's Safe@Office appliance, enable the Remote Access VPN Server. See Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 204.

Setting Up Your Safe@Office Appliance as a Remote Access VPN Server
You can make your network remotely available to authorized users by setting up your Safe@Office appliance as a Remote Access VPN Server. Remote access users can connect to the Remote Access VPN Server via Check Point SecuRemote or via a Safe@Office appliance in Remote Access VPN mode.
Note: The Check Point SecuRemote Remote Access VPN Client can be downloaded for free from http://www.checkpoint.com/techsupport/downloads_sr.html

To set up your Safe@Office appliance as a Remote Access VPN Server
1. Click VPN in the main menu, and click the VPN Server tab.
   The VPN Server page appears.
2. Drag the Enabled/Disabled lever to Enabled.
   The Remote Access VPN Server is enabled. The check box is enabled.
3. To allow authenticated users to bypass NAT when connecting to your internal network, select Bypass NAT.
4. To allow authenticated users to bypass the firewall and access your internal network without restriction, select Bypass the firewall.
5.
   Follow the procedure Setting Up Remote VPN Access for Users on page 252.
Note: Disabling the Remote Access VPN Server will cause all existing VPN tunnels to disconnect.

Adding and Editing VPN Sites using Safe@Office 110 and 225
To add or edit VPN sites
1. Click VPN in the main menu, and click the VPN Sites tab.
   The VPN Sites page appears with a list of VPN sites.
2. Do one of the following:
   • To add a VPN site, click New Site.
   • To edit a VPN site, click Edit in the desired VPN site’s row.
   The Safe@Office VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.
3. Do one of the following:
   • Select Remote Access VPN to establish remote access from your Remote Access VPN Client to a Remote Access VPN Server.
   • Select Site to Site VPN to create a permanent bi-directional connection to another Site-to-Site VPN Gateway.
   • Select PPPoE to create a non-encrypted connection to a PPPoE server.
4. Click Next.

Configuring a Remote Access VPN Site
If you selected Remote Access VPN, the VPN Gateway Address dialog box appears.
1. Enter the IP address of the Remote Access VPN Server to which you want to connect, as given to you by the network administrator.
2. Click Next.
   The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 215.
4. Click Next.
   The following things happen in the order below:
   • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears.
     Complete the fields using the information in VPN Network Configuration Fields on page 215 and click Next.
   • The Authentication Method dialog box appears.
5. Complete the fields using the information in Authentication Methods Fields on page 216.
6. Click Next.

Username and Password Authentication Method
If you selected Username and Password, the VPN Login dialog box appears.
1. Complete the fields using the information in VPN Login Fields on page 217.
2. Click Next.
   • If you selected Automatic Login, the Connect dialog box appears. Do the following:
     1) To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
        Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
     2) Click Next.
        If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
   • The Site Name dialog box appears.
3. Enter a name for the VPN site. You may choose any name.
4. Click Next.
   The VPN Site Created screen appears.
5. Click Finish.
   The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

Certificate Authentication Method
If you selected Certificate, the Connect dialog box appears.
1. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
   Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
2. Click Next.
   If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
   The Site Name dialog box appears.
3. Enter a name for the VPN site. You may choose any name.
4. Click Next.
   The VPN Site Created screen appears.
5. Click Finish.
   The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

RSA SecurID Authentication Method
If you selected RSA SecurID, the Site Name dialog box appears.
1. Enter a name for the VPN site. You may choose any name.
2. Click Next.
   The VPN Site Created screen appears.
3. Click Finish.
   The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

Table 29: VPN Network Configuration Fields (field: what to do)
Download Configuration: Click this option to obtain the network configuration by downloading it from the VPN site. This option will automatically configure your VPN settings, by downloading the network topology definition from the Remote Access VPN Server.
   Note: Downloading the network configuration is only possible if you are connecting to a Check Point VPN-1 or Safe@Office Site-to-Site VPN Gateway.
Specify Configuration: Click this option to provide the network configuration manually.
Route All Traffic: Click this option to route all network traffic through the VPN site.
   For example, if your VPN consists of a central office and a number of remote offices, and the remote offices are only allowed to access Internet resources through the central office, you can choose to route all traffic from the remote offices through the central office.
   Note: You can only configure one VPN site to route all traffic.
Destination network: Type up to three destination network addresses at the VPN site to which you want to connect.
Subnet mask: Select the subnet masks for the destination network addresses.
   Note: Obtain the destination networks and subnet masks from the VPN site’s system administrator.
Backup Gateway: Type the name of the VPN site to use if the primary VPN site fails.

Table 30: Authentication Methods Fields (field: what to do)
Username and Password: Select this option to use a user name and password for VPN authentication. In the next step, you can specify whether you want to log on to the VPN site automatically or manually.
Certificate: Select this option to use a certificate for VPN authentication. If you select this option, a certificate must have been installed. (Refer to Installing a Certificate on page 237 for more information about certificates and instructions on how to install a certificate.)
RSA SecurID Token: Select this option to use an RSA SecurID token for VPN authentication. When authenticating to the VPN site, you must enter a four-digit PIN code and the SecurID passcode shown in your SecurID token's display. The RSA SecurID token generates a new passcode every minute. SecurID is only supported in Remote Access manual login mode.

Table 31: VPN Login Fields (field: what to do)
Manual Login: Click this option to configure the site for Manual Login.
   Manual Login connects only the computer you are currently logged onto to the VPN site, and only when the appropriate user name and password have been entered. For further information on Automatic and Manual Login, see Logging on to a VPN Site on page 233.
Automatic Login: Click this option to enable the Safe@Office appliance to log on to the VPN site automatically. You must then fill in the Username and Password fields. Automatic Login provides all the computers on your internal network with constant access to the VPN site. For further information on Automatic and Manual Login, see Logging on to a VPN Site on page 233.
Username: Type the user name to be used for logging on to the VPN site.
Password: Type the password to be used for logging on to the VPN site.

Configuring a Site-to-Site VPN Gateway
If you selected Site to Site VPN, the VPN Gateway Address dialog box appears.
1. Complete the fields using the information in VPN Gateway Address Fields on page 226.
2. Click Next.
   The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 215.
4. Click Next.
   • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Complete the fields using the information in VPN Network Configuration Fields on page 215, and then click Next.
   • The Authentication Method dialog box appears.
5. Complete the fields using the information in Authentication Methods Fields on page 227.
6. Click Next.
Shared Secret Authentication Method
If you selected Shared Secret, the Authentication dialog box appears. If you chose Download Configuration, the dialog box contains additional fields.
1. Complete the fields using the information in VPN Authentication Fields on page 228 and click Next.
   The Connect dialog box appears.
2. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
   Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
3. Click Next.
   • If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
   • The Site Name dialog box appears.
4. Enter a name for the VPN site. You may choose any name.
5. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive.
6. Click Next.
   • If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following:
     1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive.
     2) Click Next.
   • The VPN Site Created screen appears.
7. Click Finish.
   The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
Certificate Authentication Method
If you selected Certificate, the following things happen:
• If you chose Download Configuration, the Authentication dialog box appears. Complete the fields using the information in VPN Authentication Fields on page 228 and click Next.
• The Connect dialog box appears.
1. To try to connect to the VPN site now, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
2. Click Next.
• If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
• The Site Name dialog box appears.
3. Enter a name for the VPN site. You may choose any name.
4. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive.
5. Click Next.
• If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following:
1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive.
2) Click Next.
• The VPN Site Created screen appears.
6. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
Table 32: VPN Gateway Address Fields
In this field… Do this…
Gateway Address: Type the IP address of the Site-to-Site VPN Gateway to which you want to connect, as given to you by the network administrator.
Bypass NAT: Select this option to allow the VPN site to bypass NAT when connecting to your internal network.
Bypass the FW: Select this option to allow the VPN site to bypass the firewall and access your internal network without restriction. Use this option with care: traffic arriving through the tunnel is then trusted as fully as traffic from your own LAN, so a compromised host at the remote site has unrestricted reach into your network. Leave it cleared unless the remote site is under the same administrative control and you accept that exposure.

Table 33: Authentication Methods Fields
In this field… Do this…
Shared Secret: Select this option to use a shared secret for VPN authentication. A shared secret is a string used to identify VPN sites to each other.
Certificate: Select this option to use a certificate for VPN authentication. If you select this option, a certificate must have been installed. (Refer to Installing a Certificate on page 237 for more information about certificates and instructions on how to install a certificate.)

Table 34: VPN Authentication Fields
In this field… Do this…
Topology User: Type the topology user’s user name.
Topology Password: Type the topology user’s password.
Use Shared Secret: Type the shared secret to use for secure communications with the VPN site. This shared secret is a string used to identify the VPN sites to each other. The secret can contain spaces and special characters; use a long, random value, because anyone who learns it can authenticate as either site.

Creating a PPPoE Tunnel
If you selected PPPoE, the VPN Network Configuration dialog box appears.
1. Complete the fields using the information in VPN Network Configuration Fields on page 215.
2. Click Next. The PPPoE Login page appears.
3. Complete the fields using the information in PPPoE Login Fields (Table 35) below.
4. Click Next. The Connect dialog box appears.
5. To test the VPN connection, leave the Try to Connect to the VPN Gateway check box selected. If you do not want to try to connect to the VPN site now, clear it.
Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
6. Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears. The Site Name dialog box appears.
7. Enter a name for the VPN site. You may choose any name.
8. Click Next. The VPN Site Created screen appears.
9. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

Table 35: PPPoE Login Fields
In this field… Do this…
User: The PPPoE username.
Password: The PPPoE password.
Service: The service name configured in the PPPoE server. You only need to fill in this field if there is more than one PPPoE server in the WAN network. Note: If you do not fill in this field, the first PPPoE server found is used.

Deleting a VPN Site
To delete a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears, with a list of VPN sites.
2. In the desired VPN site’s row, click the Delete icon. A confirmation message appears.
3. Click OK. The VPN site is deleted.

Enabling/Disabling a VPN Site
You can only connect to VPN sites that are enabled.
To enable/disable a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears, with a list of VPN sites.
2. To enable a VPN site, do the following:
a. Click the enable icon in the desired VPN site’s row. A confirmation message appears.
b. Click OK.
The icon changes, and the VPN site is enabled.
3. To disable a VPN site, do the following:
Note: Disabling a VPN site closes its tunnel and erases the downloaded network topology.
a. Click the disable icon in the desired VPN site’s row. A confirmation message appears.
b. Click OK. The icon changes, and the VPN site is disabled.

Logging on to a VPN Site
You need to manually log on to Remote Access VPN Servers configured for Manual Login. You do not need to manually log on to a Remote Access VPN Server configured for Automatic Login or to a Site-to-Site VPN Gateway: all the computers on your network have constant access to it. Manual Login can be done through either the Safe@Office Portal or the my.vpn page.
When you log on and traffic is sent to the VPN site, a VPN tunnel is established. Only the computer from which you logged on can use the tunnel. To share the tunnel with other computers in your home network, you must log on to the VPN site from those computers, using the same user name and password.
Note: You must use a single user name and password for each VPN destination gateway.

Logging on through the Safe@Office Portal
Note: You can only log in to sites that are configured for Manual Login.
To manually log on to a VPN site through the Safe@Office Portal
1. Click VPN in the main menu, and click the VPN Login tab. The VPN Login page appears.
2. From the Site Name list, select the site to which you want to log on.
Note: Disabled VPN sites do not appear in the Site Name list.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
• If the Safe@Office appliance is configured to automatically download the network configuration, the Safe@Office appliance downloads the network configuration.
• If when adding the VPN site you specified a network configuration, the Safe@Office appliance attempts to create a tunnel to the VPN site.
• Once the Safe@Office appliance has finished connecting, the VPN Login Status box appears. The Status field displays “Connected”.
• The VPN Login Status box remains open until you manually log off the VPN site.

Logging on through the my.vpn page
Note: You do not need to know the my.firewall page administrator’s password in order to use the my.vpn page.
To manually log on to a VPN site through the my.vpn page
1. Direct your web browser to http://my.vpn. The VPN Login screen appears.
2. In the Site Name list, select the site to which you want to log on.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
• If the Safe@Office appliance is configured to automatically download the network configuration, the Safe@Office appliance downloads the network configuration.
• If when adding the VPN site you specified a network configuration, the Safe@Office appliance attempts to create a tunnel to the VPN site.
• The VPN Login Status box appears. The Status field tracks the connection’s progress.
• Once the Safe@Office appliance has finished connecting, the Status field changes to “Connected”.
• The VPN Login Status box remains open until you manually log off the VPN site.

Logging off a VPN Site
You need to manually log off a VPN site in the following cases:
• You are using Safe@Office 105.
• The VPN site is a Remote Access VPN site configured for Manual Login.
To log off a VPN site
• In the VPN Login Status box, click Logout. All open tunnels from the Safe@Office appliance to the VPN site are closed, and the VPN Login Status box closes.
Note: Closing the browser or dismissing the VPN Login Status box will also terminate the VPN session within a short time.
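The Installing a Certificate procedure that follows accepts only a PKCS#12 file with a ".p12" extension and asks for the file's pass-phrase during upload. The following is an added example, not part of the original guide and not Check Point code: a stand-alone Python check, run on the administrator's workstation, that confirms a file really is a version 3 PFX structure and that it carries the MacData block which ties the file's integrity to the pass-phrase, so that a mis-exported or corrupted file is caught before it is uploaded. It reads only the outer DER layers and never needs the pass-phrase. The 1000-iteration threshold and the sample PFX builder are this example's own assumptions.

```python
"""Pre-flight check of a PKCS#12 (.p12) file before it is uploaded to the appliance.

Added example, not Check Point code. It reads only the outer DER layers of the PFX
structure (PKCS#12 / RFC 7292): the version, the authSafe content type and whether
a MacData integrity block is present. It does not decrypt anything and does not
need the pass-phrase.
"""
import os

OID_DATA = "1.2.840.113549.1.7.1"         # id-data: password-integrity mode
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"  # id-signedData: public-key-integrity mode
MIN_MAC_ITERATIONS = 1000                 # this example's own policy, not an appliance rule


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID content octets into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def inspect_pfx(data):
    """Parse PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData MacData OPTIONAL }."""
    tag, pfx, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single DER SEQUENCE (PEM text or a bare .cer?)")
    tag, ver, pos = _read_tlv(pfx, 0)
    if tag != 0x02 or int.from_bytes(ver, "big") != 3:
        raise ValueError("PFX version is not 3")
    tag, content_info, pos = _read_tlv(pfx, pos)
    if tag != 0x30:
        raise ValueError("authSafe is not a ContentInfo")
    tag, oid, _ = _read_tlv(content_info, 0)
    if tag != 0x06:
        raise ValueError("ContentInfo has no contentType OID")
    info = {"content_type": _decode_oid(oid), "has_mac": False, "mac_iterations": None}
    if pos < len(pfx):
        tag, mac, _ = _read_tlv(pfx, pos)
        if tag != 0x30:
            raise ValueError("unexpected element after authSafe")
        # MacData ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER DEFAULT 1 }
        _, _, p = _read_tlv(mac, 0)
        _, _, p = _read_tlv(mac, p)
        iterations = 1
        if p < len(mac):
            t, raw_it, _ = _read_tlv(mac, p)
            if t == 0x02:
                iterations = int.from_bytes(raw_it, "big")
        info.update(has_mac=True, mac_iterations=iterations)
    return info


def check_p12_file(path, data):
    """Return a list of problems; an empty list means the file looks uploadable."""
    problems = []
    if os.path.splitext(path)[1].lower() != ".p12":
        problems.append("file extension must be .p12")
    try:
        info = inspect_pfx(data)
    except ValueError as exc:
        return problems + [f"not a usable PKCS#12 file: {exc}"]
    if info["content_type"] == OID_DATA and not info["has_mac"]:
        problems.append("no MacData: the pass-phrase does not protect the file's integrity")
    if info["has_mac"] and info["mac_iterations"] < MIN_MAC_ITERATIONS:
        problems.append(f"MAC iteration count {info['mac_iterations']} is low")
    return problems


# Constructed sample data so the check runs offline (contains no real key or certificate).
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_pfx(with_mac=True, version=3, iterations=2048):
    """Minimal PFX with an empty AuthenticatedSafe and, optionally, a SHA-1 MacData block."""
    auth_safe = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701"))  # id-data OID
                     + _der(0xA0, _der(0x04, _der(0x30, b""))))
    body = _der(0x02, bytes([version])) + auth_safe
    if with_mac:
        digest_info = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2b0e03021a")) + _der(0x05, b""))
                           + _der(0x04, bytes(20)))
        body += _der(0x30, digest_info + _der(0x04, bytes(8)) + _der(0x02, iterations.to_bytes(2, "big")))
    return _der(0x30, body)


if __name__ == "__main__":
    print(inspect_pfx(build_sample_pfx()))
    print(check_p12_file("gateway.pfx", build_sample_pfx(with_mac=False)))
```

Run check_p12_file(path, open(path, "rb").read()) on the file you received; an empty list means the outer structure is sound. A file without MacData is still readable by the appliance, but nothing then detects tampering with the encrypted key material, which is why the check flags it.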
Installing a Certificate
A digital certificate is a secure means of authenticating the Safe@Office appliance to other Site-to-Site VPN Gateways. The certificate is issued by a Certificate Authority (CA) to entities such as gateways, users, or computers. The entity then uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguished Name (DN) of the entity (its identifying information) as well as the entity's public key. After two entities exchange and validate each other's certificates, each can verify that the other holds the private key matching its certificate, and they can then establish the keys used to encrypt traffic between them.
The Safe@Office appliance supports certificates encoded in the PKCS#12 (Personal Information Exchange Syntax Standard) format. The PKCS#12 file must have a ".p12" file extension. A PKCS#12 file bundles the certificate with its private key, protected by a pass-phrase, so treat the file and the pass-phrase as secrets: transfer them over a trusted channel and delete the file from the workstation once the certificate is installed.
Note: To use certificate authentication, each Safe@Office appliance should have a unique certificate. Do not use the same certificate for more than one gateway: gateways that share a certificate share its private key, so compromising one lets an attacker impersonate all of them.
If you do not have a PKCS#12 file, obtain one from your network security administrator.
To install a certificate
1. Click VPN in the main menu, and click the Certificate tab. The Certificate page appears, with instructions on how to install the certificate.
2. Click Install Certificate. A Certificate page requests you to specify a certificate file for upload.
3. Click Browse to open a file browser from which to locate and select the file. The filename that you selected is displayed.
4. Click Upload. You are requested to enter the pass-phrase.
5. Type the pass-phrase you received from the network security administrator.
6. Click OK. The certificate is installed. A success message appears.
7. Click OK.
The name of the CA that issued the certificate and the name of the gateway to which this certificate was issued appear.

Uninstalling a Certificate
You cannot uninstall the certificate if there is a VPN site currently defined to use certificate authentication.
When a certificate is currently installed, the Certificate page presents two options:
• Install Certificate: Allows you to install a new certificate. The current certificate will be replaced.
• Uninstall Certificate: Allows you to uninstall the current certificate. Afterwards no certificate exists on the Safe@Office appliance, and you will not be able to connect to any VPN site that still requires a certificate.
To uninstall a certificate
1. Click VPN in the main menu, and click the Certificate tab. The Certificate page appears with the name of the currently installed certificate.
2. Click Uninstall. A confirmation message appears.
3. Click OK. The certificate is uninstalled. A success message appears.
4. Click OK.

Viewing VPN Tunnels
You can view a list of currently established VPN tunnels. VPN tunnels are created and closed as follows:
• Remote Access VPN sites configured for Automatic Login, Site-to-Site VPN Gateways, and PPPoE tunnels: A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site. The tunnel is closed when not in use for a period of time.
Note: Although the VPN tunnel is automatically closed, the site remains open, and if you attempt to communicate with the site, the tunnel will be re-established.
• Remote Access VPN sites configured for Manual Login: A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site, after you have manually logged on to the site. All open tunnels connecting to the site are closed when you manually log off.
To view VPN tunnels
• Click Reports in the main menu, and click the VPN Tunnels tab. The VPN Tunnels page appears with a table of open tunnels to VPN sites. The VPN Tunnels page includes the information described in the table below. You can refresh the table by clicking Refresh.
Table 36: VPN Tunnels Page Fields
This field… Displays…
(field name not preserved in the source): The Safe@Office appliance Internet IP address.
(field name not preserved in the source): The security protocol (IPSec), the type of encryption used to secure the connection, and the type of Message Authentication Code (MAC) used to verify the integrity of the message. This information is presented in the following format: Security protocol: Encryption type/Authentication type
Note: All VPN settings are automatically negotiated between the two sites. The encryption and authentication schemes used for the connection are the strongest ones that both sites support. Your Safe@Office appliance supports AES, 3DES, and DES encryption schemes, and MD5 and SHA authentication schemes. DES and MD5 are no longer considered strong; where you control the peer, configure it to offer AES and SHA so that the negotiation does not fall back to the weaker schemes.
(field name not preserved in the source): The name and IP address of the VPN gateway to which the tunnel is connected.
User: The user logged on to the VPN site.
Duration: The time that has elapsed since the tunnel was established, in the format hh:mm:ss, where hh=hours, mm=minutes, ss=seconds.

Chapter 11 Managing Users
This chapter describes how to manage Safe@Office appliance users. In Safe@Office 105, there is a single user called "admin", whose password can be changed; in Safe@Office 110 and 225, you can define multiple users and assign them various permissions.
This chapter includes the following topics:
Changing Your Password ................................................................... 245
Adding Users...................................................................................... 248
Viewing and Editing Users................................................................. 248
Deleting Users .................................................................................... 251
Setting Up Remote VPN Access for Users......................................... 252
Using RADIUS Authentication .......................................................... 252

Changing Your Password
You can change your password at any time. How this task is performed depends on the Safe@Office model you are using.
Using Safe@Office 105
To change your password
1. Click Password in the main menu. The Password page appears.
2. Edit the Password and Confirm password fields.
Note: Use 5 to 25 characters (letters or numbers) for the new password.
3. Click Apply. Your changes are saved.
Using Safe@Office 110 and 225
To change your password
1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears.
2. In the row of your username, click Edit. The Edit User page appears.
3. Edit the Password and Confirm password fields.
Note: Use 5 to 25 characters (letters or numbers) for the new password.
4. Click Apply. Your changes are saved.

Adding Users
To add a user
1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears.
2. Click New User. The Edit User page appears. The options that appear on the page depend on the software and services you are using.
3. Complete the fields using the information in Edit User Page Fields on page 249.
4. Click Apply. The new user is saved.

Viewing and Editing Users
To view or edit users
1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears.
2. In the desired user’s row, click Edit. The Edit User page appears with the user’s details. The options that appear on the page depend on the software and services you are using.
3. To edit the user’s details, do the following:
a. Edit the fields using Edit User Page Fields on page 249.
b. Click Apply. The changes are saved.
4. To return to the Users page without making any changes, click Cancel.

Table 37: Edit User Page Fields
In this field… Do this…
Username: Enter a username for the user.
Password: Enter a password for the user. Use five to 25 characters (letters or numbers) for the new password. Five characters is the minimum the appliance enforces, not a recommendation: if remote HTTPS access is enabled, this password is all that stands between the Internet and the appliance configuration, so use a long value.
Confirm Password: Re-enter the user’s password.
Administrator Level: Select the user’s level of access to the Safe@Office Portal. The levels are:
• No Access: The user cannot access the Safe@Office Portal.
• Read/Write: The user can log on to the Safe@Office Portal and modify system settings.
• Read Only: The user can log on to the Safe@Office Portal, but cannot modify system settings or export the appliance configuration via the Setup>Tools page. For example, you could assign this administrator level to technical support personnel who need to view the Event Log.
The default level is No Access. The “admin” user’s Administrator Level (Read/Write) cannot be changed.
VPN Remote Access: Select this option to allow the user to connect to this Safe@Office appliance using their VPN client. For further information on setting up VPN remote access, see Setting Up Remote VPN Access for Users on page 252. This option only appears in Safe@Office 110 and 225.
Web Filtering Override: Select this option to allow the user to override Web Filtering. This option only appears if the Web Filtering service is defined. This option cannot be changed for the “admin” user.
Deleting Users
Note: The “admin” user cannot be deleted.
To delete a user
1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears.
2. In the desired user’s row, click the Delete icon. A confirmation message appears.
3. Click OK. The user is deleted.

Setting Up Remote VPN Access for Users
If you are using your Safe@Office appliance as a Remote Access VPN Server, you can allow users to access it remotely through their Remote Access VPN Clients (a Check Point SecureClient, Check Point SecuRemote, or another Embedded NG appliance).
To set up remote VPN access for a user
1. Enable your Remote Access VPN Server, using the procedure Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 204.
2. Add the user to the system, using the procedure Adding Users on page 248. You must select the VPN Remote Access option.
Note: When using Safe@Office 105, there is only one pre-defined user called ‘admin’, and you cannot create additional users.

Using RADIUS Authentication
You can use RADIUS to authenticate both Safe@Office appliance users and Remote Access VPN Clients trying to connect to the Safe@Office appliance. When a user accesses the Safe@Office Portal and tries to log on, the Safe@Office appliance sends the entered user name and password to the RADIUS server. The server then checks whether the RADIUS database contains a matching user name and password pair. If so, the user is logged on. On the wire, the user's password is hidden only by the RADIUS shared secret, so the secret must be strong and the path between the appliance and the RADIUS server must be trusted.
To use RADIUS authentication
1. Click Users in the main menu, and click the RADIUS tab. The RADIUS page appears.
2. Complete the fields using the table below.
3. Click Apply.
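What "sends the entered user name and password to the RADIUS server" looks like on the wire, as an added example that is not part of the original guide and not Check Point code: a minimal RFC 2865 Access-Request built the way the appliance (the NAS) would build it, and the server-side parse that recovers the PAP password using the shared secret. The shared secret, credentials and NAS address are constructed for the example, and the attribute set is the minimum needed to show the mechanism rather than the appliance's actual attribute list, which this page does not document.

```python
"""RADIUS Access-Request with a PAP password (RFC 2865), the exchange behind
"Using RADIUS Authentication". Added example, not Check Point code: secret,
credentials and NAS address are made up."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    pw = password.encode()
    pw = pw.ljust(max(16, (len(pw) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the server does with the shared secret.
    A wrong secret yields garbage, not an error; the server only learns the secret
    was wrong when the garbage fails to match its database."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00").decode("utf-8", errors="replace")


def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """What the NAS (here, the appliance) sends to the server's UDP port, 1812 by default."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet, secret):
    """Server side: validate the header, walk the attributes, recover the PAP password."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {
        "identifier": identifier,
        "username": attrs[ATTR_USER_NAME].decode(),
        "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator),
        "nas_ip": ".".join(str(b) for b in attrs[ATTR_NAS_IP_ADDRESS]),
    }


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed; use a long random value in practice
    pkt = build_access_request(7, "alice", "S3cretPass", secret, "192.168.10.1")
    print(pkt.hex())
    print(parse_access_request(pkt, secret))
    print(parse_access_request(pkt, b"wrong-secret")["password"])   # garbage, not an error
```

The point to take from the code: the only thing keeping the password from an observer between the appliance and the RADIUS server is an MD5 keystream derived from the shared secret and a 16-byte authenticator that travels in the clear. A short or guessable secret can be brute-forced offline from a single captured request, and RADIUS offers no integrity protection of the request itself, so keep the server on the internal network (or reachable only through a VPN tunnel) and give each appliance its own long random secret.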
Table 38: RADIUS Page Fields
In this field… Do this…
Address: Type the IP address of the computer that will run the RADIUS service (one of your network computers), or click the This Computer button to allow your computer to host the service. To clear the text box, click Clear.
Port: Type the port number on the RADIUS server’s host computer. To reset this field to the default (port 1812), click Default.
Shared Secret: Type the shared secret to use for secure communication with the RADIUS server. It must match the secret configured on the server for this appliance. Use a long random value: it is the only protection for the passwords sent to the server.
Administrator Level: Select the level of access to the Safe@Office Portal to assign to all users authenticated by the RADIUS server. The levels are:
• No Access: The user cannot access the Safe@Office Portal.
• Read/Write: The user can log on to the Safe@Office Portal and modify system settings.
• Read Only: The user can log on to the Safe@Office Portal, but cannot modify system settings.
The default level is No Access. Because this level applies to every account the RADIUS server accepts, select Read/Write only if every user in the RADIUS database should be able to administer the appliance.
Web Filtering Override: Select this option to allow all users authenticated by the RADIUS server to override Web Filtering. This option only appears if the Web Filtering service is defined.

Chapter 12 Maintenance
This chapter describes the tasks required for maintenance and diagnosis of your Safe@Office appliance.
This chapter includes the following topics:
Viewing Firmware Status ................................................................... 255
Updating the Firmware....................................................................... 257
Upgrading Your Software Product ..................................................... 258
Registering Your Safe@Office Appliance ......................................... 262
Configuring Syslog Logging .............................................................. 263
Configuring HTTPS ........................................................................... 265
Setting the Time on the Appliance ..................................................... 267
Controlling the Appliance via the Command Line ............................. 271
Using Diagnostic Tools ...................................................................... 272
Backing Up the Safe@Office Appliance Configuration..................... 274
Resetting the Safe@Office Appliance to Defaults ............................. 277
Running Diagnostics .......................................................................... 279
Rebooting the Safe@Office Appliance .............................................. 280

Viewing Firmware Status
The firmware is the software program embedded in the Safe@Office appliance. You can view your current firmware version and additional details.
To view the firmware status
• Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. The Firmware page displays the following information:
Table 39: Firmware Status Fields
This field… Displays… For example…
Firmware Version: The current version of the firmware. For example: 4.0
Hardware Type: The type of the current Safe@Office appliance hardware. For example: 200 series
Hardware Version: The current hardware version of the Safe@Office appliance. For example: 1.0
Installed Product: The licensed software and the number of allowed nodes. For example: Safe@Office 225, unlimited nodes
Uptime: The time that has elapsed since the unit was turned on. For example: 01:21:15

Updating the Firmware
If you are subscribed to Software Updates, firmware updates are performed automatically. These updates include new product features and protection against new security threats. Check with your reseller for the availability of Software Updates and other services. For information on subscribing to services, see Connecting to a Service Center on page 165.
If you are not subscribed to the Software Updates service, you must update your firmware manually.
To update your Safe@Office firmware manually
1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears.
2. Click Firmware Update. The Firmware Update page appears.
3. Click Browse. A browse window appears.
4. Select the image file and click Open. The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box.
5. Click Upload. Your Safe@Office appliance firmware is updated. This may take a few minutes. At the end of the process the Safe@Office appliance restarts automatically, which closes any open VPN tunnels.
Note: Use only firmware images obtained from Check Point or your Safe@Office appliance provider. An image from any other source is untrusted code running on your network boundary.

Upgrading Your Software Product
Upgrading your Safe@Office appliance is a simple process. After purchasing an upgrade, you receive a new Product Key that enables you to use the upgraded product on the same Safe@Office appliance you have today. For example, if you are using Safe@Office 105, you can purchase an upgrade to Safe@Office 110 and enjoy extended VPN features on your existing Safe@Office appliance. Likewise, you can upgrade from Safe@Office 225 to 225U without changing your hardware.
Note: You can only upgrade within the same appliance hardware type.
Note: To purchase an upgrade, contact your Safe@Office appliance provider.
To upgrade your product, you must install the new Product Key.
To install a Product Key
1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears.
2. Click Upgrade Product. The Safe@Office Licensing Wizard opens, with the Install Product Key dialog box displayed.
3. Click Enter a different Product Key.
4. In the Product Key field, enter the new Product Key.
5. Click Next. The Installed New Product Key dialog box appears.
6. Click Next.
The first Registration dialog box appears.
7. Do one of the following:
• To register your Safe@Office appliance later on, clear the I want to register my product check box and then click Next.
• To register your Safe@Office appliance now, do the following:
1) Click Next. A second Registration dialog box appears.
2) Enter your contact information in the appropriate fields.
3) To receive email notifications regarding new firmware versions and services, select the check box.
4) Click Next. The Registration… screen appears, and then the third Registration dialog box appears.
8. Click Finish. Your Safe@Office appliance is restarted and the Welcome page appears.

Registering Your Safe@Office Appliance
If you want to activate your warranty and optionally receive notifications of new firmware versions and services, you must register your Safe@Office appliance.
Privacy Statement: Check Point is committed to protecting your privacy. We use the information we collect about you to process orders and to improve our ability to serve your needs. We will under no circumstances sell, lease, or otherwise disclose any of your personal or contact details without your explicit permission.
To register your Safe@Office appliance
1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears.
2. Click Upgrade Product. The Safe@Office Licensing Wizard opens, with the Install Product Key dialog box displayed.
3. Select Keep these settings.
4. Click Next. The first Registration dialog box appears.
5. Verify that the I want to register my product check box is selected.
6. Click Next. A second Registration dialog box appears.
7. Enter your contact information in the appropriate fields.
8. To receive email notifications regarding new firmware versions and services, select the check box.
9. Click Next. The Registration… screen appears, and then the third Registration dialog box appears.
10. Click Finish. Your Safe@Office appliance is restarted and the Welcome page appears.

Configuring Syslog Logging
You can configure the Safe@Office appliance to send event logs to a Syslog server residing in your internal network or on the Internet. The logs detail the date and the time each event occurred. If the event is a communication attempt that was rejected by the firewall, the event details include the source and destination IP address, the destination port, and the protocol used for the communication attempt (for example, TCP or UDP).
This same information is also available in the Event Log page (see Viewing the Event Log on page 141). However, while the Event Log can display hundreds of logs, a Syslog server can store an unlimited number of logs. Furthermore, Syslog servers can provide useful tools for managing your logs.
Syslog over UDP port 514 carries the logs in clear text and without authentication. A server "on the Internet" therefore receives your firewall's block records, internal addresses included, readable by anyone on the path, and it cannot tell genuine appliance messages from forged ones. Prefer a server on the internal network, or reach an external one through a VPN tunnel, and configure the server to accept datagrams only from the appliance's address.
Note: Kiwi Syslog Daemon is freeware and can be downloaded from http://www.kiwisyslog.com. For technical support, contact Kiwi Enterprises.
To configure Syslog logging
1. Click Setup in the main menu, and click the Logging tab. The Logging page appears.
2. Complete the fields using the information in the table below.
3. Click Apply.
Table 40: Logging Page Fields
In this field… Do this…
Syslog Server: Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service.
Clear: Click to clear the Syslog Server field.
Syslog Port: Type the port number of the Syslog server.
Default: Click to reset the Syslog Port field to the default (port 514 UDP).
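Once the appliance is sending to a Syslog server, the records above (date and time, source and destination address, destination port, protocol) become something you can query rather than scroll through. The following is an added example, not part of the original guide and not Check Point code: a small Python collector that binds the UDP Syslog port, accepts datagrams only from the appliance's address, parses the standard RFC 3164 envelope, and then counts blocked attempts per source to surface a host that is probing several ports. The RFC 3164 envelope (PRI, timestamp, host) is standard; the key=value message body used in the constructed sample lines is an assumption, because this page does not document the appliance's exact message format, and the field names must be adjusted to what a real appliance emits.

```python
"""Collect and parse the appliance's Syslog output. Added example, not Check Point code.
The wire format (RFC 3164 PRI + timestamp + host + message) is standard; the
key=value message body used in the constructed sample lines below is an assumption,
since this page does not document the appliance's exact message format."""
import re
import socket
from collections import Counter, defaultdict

SYSLOG_PORT = 514                                   # appliance default, UDP
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
HDR_RE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog_line(line):
    """Split one datagram into facility, severity, header fields and key=value body."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI>")
    pri, rest = int(m.group(1)), m.group(2)
    if pri > 191:
        raise ValueError("PRI out of range")
    hdr = HDR_RE.match(rest)
    timestamp, host, msg = hdr.groups() if hdr else (None, None, rest)
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": timestamp,
            "host": host, "message": msg, "fields": dict(KV_RE.findall(msg))}


def summarize_blocked(events, threshold=3):
    """Sources with at least `threshold` firewall-blocked attempts, with the ports they probed."""
    attempts, ports = Counter(), defaultdict(set)
    for ev in events:
        f = ev["fields"]
        if f.get("action") != "block" or "src" not in f:
            continue
        attempts[f["src"]] += 1
        if "dport" in f:
            ports[f["src"]].add(f["dport"])
    return {src: {"attempts": n, "ports": sorted(ports[src], key=int)}
            for src, n in attempts.items() if n >= threshold}


def receive_udp(handler, allowed_sources, bind_addr="0.0.0.0", port=SYSLOG_PORT, max_messages=None):
    """Bind the Syslog port (privileged on most systems) and feed parsed events to handler.
    Datagrams from any address other than the appliance are dropped: UDP syslog is
    unauthenticated, so source filtering is the only cheap defence against forged events."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    seen = 0
    while max_messages is None or seen < max_messages:
        data, (src, _) = sock.recvfrom(4096)
        if src not in allowed_sources:
            continue
        try:
            handler(parse_syslog_line(data.decode("utf-8", errors="replace").rstrip("\r\n")))
        except ValueError:
            continue            # malformed datagram: skip it rather than crash the collector
        seen += 1


# Constructed sample lines in the assumed format (not captured from a real appliance).
SAMPLE_LINES = [
    "<36>Jan 12 10:15:01 safeoffice fw: action=block src=203.0.113.7 dst=192.168.10.5 dport=22 proto=TCP",
    "<36>Jan 12 10:15:02 safeoffice fw: action=block src=203.0.113.7 dst=192.168.10.5 dport=23 proto=TCP",
    "<36>Jan 12 10:15:03 safeoffice fw: action=block src=203.0.113.7 dst=192.168.10.5 dport=445 proto=TCP",
    "<38>Jan 12 10:15:04 safeoffice fw: action=block src=198.51.100.20 dst=192.168.10.5 dport=80 proto=TCP",
    "<46>Jan 12 10:16:00 safeoffice fw: action=accept src=192.168.10.7 dst=198.51.100.9 dport=443 proto=TCP",
    "<45>Jan 12 10:17:30 safeoffice setup: action=config-change user=admin item=vpn-site",
]


if __name__ == "__main__":
    events = [parse_syslog_line(line) for line in SAMPLE_LINES]
    print(summarize_blocked(events))
    # receive_udp(print, allowed_sources={"192.168.10.1"})   # needs root to bind port 514
```

With the sample lines, summarize_blocked reports 203.0.113.7 with three blocked attempts on ports 22, 23 and 445, which is the kind of pattern a port scan leaves, while the single block from 198.51.100.20 and the accepted and configuration-change records stay out of the summary. The source filter in receive_udp is the practical counterpart of the clear-text caveat above: without it, any host that can reach UDP port 514 on the collector can inject events.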
Configuring HTTPS
You can enable Safe@Office appliance users to access the Safe@Office Portal from the Internet. To do so, you must first configure HTTPS.
To configure HTTPS
1. Click Setup in the main menu, and click the Management tab. The Management page appears.
2. Specify from where HTTPS access to the Safe@Office Portal should be granted. See HTTPS Access Options on page 267 for information.
Warning: If remote HTTPS is enabled, your Safe@Office appliance settings can be changed remotely, so make sure all Safe@Office appliance users’ passwords are unguessable. Grant access from the narrowest source that works: Internal Network and VPN, or a specific IP Address Range, rather than ANY, which exposes the management login to every address on the Internet.
If you selected IP Address Range, additional fields appear.
3. If you selected IP Address Range, enter the desired IP address range in the fields provided.
4. Click Apply. The HTTPS configuration is saved. You can now access the Safe@Office Portal through the Internet, using the procedure Accessing the Safe@Office Portal Remotely on page 49.
Table 41: HTTPS Access Options
Select this option… To allow HTTPS access from…
Internal Network: The internal network only. This disables remote HTTPS capability. Note: You can use HTTPS to access the Safe@Office Portal from your internal network, by surfing to https://my.firewall.
Internal Network and VPN: The internal network and your VPN.
IP Address Range: A particular range of IP addresses. Additional fields appear, in which you can enter the desired IP address range.
ANY: Any IP address.

Setting the Time on the Appliance
You set the time displayed in the Safe@Office 225 Portal during initial appliance setup. If desired, you can change the date and time displayed in the Safe@Office 225 Portal using the procedure below.
Note: The Safe@Office 100 series takes the time from your local computer, and you do not have to set the time manually.
To set the time
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. If you are using Safe@Office 105 or 110, the page appears without the Set Time button.
2. Click Set Time. The Safe@Office Set Time Wizard opens, displaying the Set the Safe@Office time dialog box.
3. Complete the fields using the information in the table below.
4. Click Next. The following things happen in the order below:
• If you selected Specify date and time, the Specify Date and Time dialog box appears. Set the date, time, and time zone in the fields provided, then click Next.
• The Date and Time Updated window appears.
5. Click Finish.
Table 42: Set Time Wizard Fields
Select this option… To do this…
Your computer's clock: Set the appliance time to your computer’s system time. Your computer’s system time is displayed to the right of this option.
Keep the current time: Do not change the appliance’s time. The current appliance time is displayed to the right of this option.
Specify date and time: Set the appliance to a specific date and time.
Accurate appliance time matters for the Event Log and for Syslog records: the timestamps are what let you correlate a blocked connection on the appliance with records from other systems.

Controlling the Appliance via the Command Line
The Safe@Office Portal enables you to control your appliance via the command line interface.
To control the appliance via the command line
1. Click Setup in the main menu, and click the Tools tab. The Tools page appears.
2. Click Command. The Command Line page appears.
3. In the upper field, type a command. You can view a list of supported commands using the command help. For information on all commands, refer to the Embedded NG CLI Reference Guide.
4. Click Go. The command is executed.
Using Diagnostic Tools
The Safe@Office appliance is equipped with a set of diagnostic tools that are useful for troubleshooting Internet connectivity.
Table 43: Diagnostic Tools
Use this tool… / To do this…
Ping: Check that a specific IP address or DNS name can be reached via the Internet.
Traceroute: Display a list of all routers used to connect from the Safe@Office appliance to a specific IP address or DNS name.
WHOIS: Display the name and contact information of the entity to whom a specific IP address or DNS name is registered. This information is useful in tracking down hackers.
To use a diagnostic tool
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. In the Tools drop-down list, select the desired tool.
3. In the Address field, type the IP address or DNS name for which to run the tool.
4. Click Go.
• If you selected Ping, the following things happen: The Safe@Office appliance sends packets to the specified IP address or DNS name. The IP Tools window opens and displays the percentage of packet loss and the amount of time each packet took to reach the specified host and return (round-trip) in milliseconds.
• If you selected Traceroute, the following things happen: The Safe@Office appliance connects to the specified IP address or DNS name. The IP Tools window opens and displays a list of routers used to make the connection.
• If you selected WHOIS, the following things happen: The Safe@Office appliance queries the Internet WHOIS server. A window displays the name of the entity to whom the IP address or DNS name is registered and their contact information.

Backing Up the Safe@Office Appliance Configuration
You can export the Safe@Office appliance configuration to a *.cfg file, and use this file to back up and restore Safe@Office appliance settings, as needed.
The configuration file includes all your settings.
Exporting the Safe@Office Appliance Configuration
Exporting the Safe@Office appliance configuration creates a configuration file.
To export the Safe@Office appliance configuration
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Export.
A standard File Download dialog box appears.
3. Click Save.
The Save As dialog box appears.
4. Browse to a destination directory of your choice.
5. Type a name for the configuration file and click Save.
The *.cfg configuration file is created and saved to the specified directory.
Importing the Safe@Office Appliance Configuration
In order to restore your Safe@Office appliance’s configuration from a configuration file, you must import the file.
To import the Safe@Office appliance configuration
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Import.
The Import Settings page appears.
3. Do one of the following:
• In the Import Settings field, type the full path to the configuration file.
Or
• Click Browse, and browse to the configuration file.
4. Click Upload.
A confirmation message appears.
5. Click OK.
The Safe@Office appliance settings are imported. The Import Settings page displays the configuration file's content and the result of implementing each configuration command.

Resetting the Safe@Office Appliance to Defaults
You can reset the Safe@Office appliance to its default settings. When you reset your Safe@Office appliance, it reverts to the state it was originally in when you purchased it. You can choose to keep the current firmware or to revert to the firmware version that shipped with the Safe@Office appliance.
Warning: This operation erases all your settings and password information. You will have to set a new password and reconfigure your Safe@Office appliance for Internet connection. For information on performing these tasks, see Setting Up the Safe@Office Appliance on page 41.
You can reset the Safe@Office appliance to defaults via the Web management interface (software) or by manually pressing the Reset button (hardware) located at the back of the Safe@Office appliance.
To reset the Safe@Office appliance to factory defaults via the Web interface
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Factory Settings.
A confirmation message appears.
3. To revert to the firmware version that shipped with the appliance, select the check box.
4. Click OK.
• The Please Wait screen appears.
• The Safe@Office appliance returns to its factory defaults.
• The Safe@Office appliance is restarted (the PWR/SEC LED flashes quickly). This may take a few minutes.
• The Login page appears.
To reset the Safe@Office appliance to factory defaults using the Reset button
1. Make sure the Safe@Office appliance is powered on.
2. Using a pointed object, press the RESET button on the back of the Safe@Office appliance steadily for seven seconds and then release it.
3. Allow the Safe@Office appliance to boot up until the system is ready (PWR/SEC LED flashes slowly or illuminates steadily in green light).
For information on the appliance's front and rear panels, see Getting to Know Your Safe@Office 100 Series on page 14 or Getting to Know Your Safe@Office 200 Series on page 17.
Warning: If you choose to reset the Safe@Office appliance by disconnecting the power cable and then reconnecting it, be sure to leave the Safe@Office appliance disconnected for at least three seconds, or the Safe@Office appliance might not function properly until you reboot it as described below.

Running Diagnostics
You can view technical information about your Safe@Office appliance’s hardware, firmware, license, network status, and Service Center. This information is useful for troubleshooting. You can copy and paste it into the body of an email and send it to technical support.
To run diagnostics
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Diagnostics.
Technical information about your Safe@Office appliance appears in a new window.
3. To refresh the contents of the window, click Refresh.
The contents are refreshed.
4. To close the window, click Close.

Rebooting the Safe@Office Appliance
If your Safe@Office appliance is not functioning properly, rebooting it may solve the problem.
To reboot the Safe@Office appliance
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Restart.
A confirmation message appears.
3. Click OK.
• The Please Wait screen appears.
• The Safe@Office appliance is restarted (the PWR/SEC LED flashes quickly). This may take a few minutes.
• The Login page appears.

Chapter 13 Troubleshooting
This chapter provides solutions to common problems you may encounter while using the Safe@Office appliance.
This chapter includes the following topics:
Connectivity ... 283
Service Center and Upgrades ... 288
Other Problems ... 288

Connectivity
I cannot access the Internet. What should I do?
• Check if the PWR/SEC LED is green. If not, check the power connection to the Safe@Office appliance.
• Check if the WAN LINK/ACT LED is green. If not, check the network cable to the modem and make sure the modem is turned on.
• Check if the LAN LINK/ACT LED for the port used by your computer is green. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly. Try replacing the cable or connecting it to a different LAN port.
• Using your web browser, go to http://my.firewall and see whether "Connected" appears on the Status Bar. Make sure that your Safe@Office appliance network settings are configured as per your ISP directions.
• Check your TCP/IP configuration according to Installing and Setting up the Safe@Office Appliance on page 25.
• If Web Filtering or Email Anti Virus scanning are on, try turning them off.
• Check if you have defined firewall rules which block your Internet connectivity.
• Check with your ISP for possible service outage.
• Check whether you are exceeding the maximum number of computers allowed by your license, by following the procedure Viewing Computers on page 144.
I cannot access my DSL broadband connection. What should I do?
DSL equipment comes in two flavors: bridges (commonly known as DSL modems) and routers. Some DSL equipment can be configured to work both ways.
• If you connect to your ISP using a PPPoE or PPTP dialer defined in your operating system, your equipment is most likely configured as a DSL bridge. Configure a PPPoE or PPTP type DSL connection.
• If you were not instructed to configure a dialer in your operating system, your equipment is most likely configured as a DSL router. Configure a LAN connection, even if you are using a DSL connection.
For instructions, see Configuring the Internet Connection on page 57.
I cannot access my Cable broadband connection. What should I do?
• Some cable ISPs require you to register the MAC address of the device behind the cable modem. You may need to clone your Ethernet adapter MAC address onto the Safe@Office appliance. For instructions, see Configuring the Internet Connection on page 57.
• Some cable ISPs require using a hostname for the connection. Try reconfiguring your Internet connection and specifying a hostname. For further information, see Configuring the Internet Connection on page 57.
I cannot access http://my.firewall or http://my.vpn. What should I do?
• Verify that the Safe@Office appliance is operating (PWR/SEC LED is active).
• Check if the LAN LINK/ACT LED for the port used by your computer is on. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly.
Note: You may need to use a crossed cable when connecting the Safe@Office appliance to another hub/switch.
• Try surfing to 192.168.10.1 instead of to my.firewall.
Note: 192.168.10 is the default value, and it may vary if you changed it in the My Network page.
• Check your TCP/IP configuration according to Installing and Setting up the Safe@Office Appliance on page 25.
• Restart your Safe@Office appliance and your broadband modem by disconnecting the power and reconnecting after 5 seconds.
• If your web browser is configured to use an HTTP proxy to access the Internet, add "my.firewall" or "my.vpn" to your proxy exceptions list.
My network seems extremely slow. What should I do?
• The Ethernet cables may be faulty. For proper operation, the Safe@Office appliance requires STP CAT5 (Shielded Twisted Pair Category 5) Ethernet cables. Make sure that this specification is printed on your cables.
• Your Ethernet card may be faulty or incorrectly configured. Try replacing your Ethernet card.
• There may be an IP address conflict in your network. Check that the TCP/IP settings of all your computers are configured to obtain an IP address automatically.
I changed the network settings to incorrect values and am unable to correct my error. What should I do?
Reset the network to its default settings using the button on the back of the Safe@Office appliance unit. See Resetting the Safe@Office Appliance to Defaults on page 277.
I am using the Safe@Office appliance behind another NAT device, and I am having problems with some applications. What should I do?
By default, the Safe@Office appliance performs Network Address Translation (NAT). It is possible to use the Safe@Office appliance behind another device that performs NAT, such as a DSL router or Wireless router, but the device will block all incoming connections from reaching your Safe@Office appliance. To fix this problem, do ONE of the following. (The solutions are listed in order of preference.)
• Consider whether you really need the router. The Safe@Office appliance can be used as a replacement for your router, unless you need it for some additional functionality that it provides, such as Wireless access.
• If possible, disable NAT in the router. Refer to the router’s documentation for instructions on how to do this.
• If the router has a “DMZ Computer” or “Exposed Host” option, set it to the Safe@Office appliance’s external IP address.
• Open the following ports in the NAT device:
  • UDP 9281/9282
  • UDP 500
  • TCP 256
  • TCP 264
  • ESP IP protocol 50
  • TCP 981
I cannot receive audio or video calls through the Safe@Office appliance. What should I do?
To enable audio/video, you must configure an IP Telephony (H.323) virtual server. For instructions, see Configuring Servers on page 152.
I run a public Web server at home but it cannot be accessed from the Internet. What should I do?
Configure a virtual Web Server. For instructions, see Configuring Servers on page 152.
I cannot connect to the LAN network from the DMZ network. What should I do?
By default, connections from the DMZ network to the LAN network are blocked. To allow traffic from the DMZ to the LAN, configure appropriate firewall rules. For instructions, see Using Rules on page 154.

Service Center and Upgrades
I purchased Safe@Office 110, but I only have Safe@Office 105 functionality. What should I do?
You have not installed your product key. For further information, see Upgrading Your Software Product on page 258.
I have exceeded my node limit. What does this mean? What should I do?
Your Product Key specifies a maximum number of nodes that you may connect to the Safe@Office appliance. The Safe@Office appliance tracks the cumulative number of nodes on the internal network that have communicated through the firewall. When the Safe@Office appliance encounters an IP address that exceeds the licensed node limit, the Active Computers page displays a warning message and marks nodes over the node limit in red. These nodes will not be able to access the Internet through the Safe@Office appliance, but will be protected. The Event Log page also warns you that you have exceeded the node limit.
To upgrade your Safe@Office appliance to support more nodes, purchase a new Product Key. Contact your reseller for upgrade information.
While trying to connect to a Service Center, I received the message “The Service Center did not respond”. What should I do?
• If you are using a Service Center other than the Check Point Service Center, check that the Service Center IP address is typed correctly.
• The Safe@Office appliance connects to the Service Center using UDP ports 9281/9282. If the Safe@Office appliance is installed behind another firewall, make sure that these ports are open.

Other Problems
I have forgotten my password. What should I do?
Reset your Safe@Office appliance to factory defaults using the Reset button as detailed in Resetting the Safe@Office Appliance to Defaults on page 277.
Why are the date and time displayed incorrectly?
In the Safe@Office 100 series, when a computer on the LAN connects to the Safe@Office Portal, the Safe@Office appliance adjusts its date and time to match that of the computer. If the date and time displayed in the Safe@Office Portal are incorrect, it probably means that the date and time on the computer connected to the Safe@Office Portal are incorrect.
In the Safe@Office 200 series, you can adjust the time on the Setup page's Tools tab. For information, see Setting the Time on the Appliance on page 267.
I cannot use a certain network application. What should I do?
Look at the Event Log page. If it lists blocked attacks, do the following:
• Turn the Safe@Office appliance security to Low and try again.
• If the application still does not work, set the computer on which you want to use the application to be the exposed host. For instructions, see Defining an Exposed Host on page 163. When you have finished using the application, make sure to clear the exposed host setting, otherwise your security might be compromised.
I installed McAfee VirusScan ASaP, but the SecureDesk status message says "SecureDesk not installed". What should I do?
If you are using Windows XP, then the Windows XP firewall probably prevented VirusScan from being installed correctly. Do the following:
1. Uninstall McAfee VirusScan ASaP via the Control Panel.
2. Disable the Windows XP Internet Connection Firewall option.
3. Re-install McAfee VirusScan ASaP using the information in Installing McAfee VirusScan ASaP on page 184.
Chapter 14 Specifications
This chapter includes the following topics:
Technical Specifications ... 291
CE Declaration of Conformity ... 295
Federal Communications Commission Radio Frequency Interference Statement ... 297

Technical Specifications
Table 44: Safe@Office Appliance Attributes
Columns: Safe@Office 105/110/255/225U | Safe@Office 300 | Safe@Office 300W
General
Dimensions (width x height x depth): 20.32 x 3.05 x 12.19 cm (8 x 1.2 x 4.8 inches) | 20 x 3.1 x 13.24 cm (7.9 x 1.2 x 5.2 inches) | 20 x 3.1 x 15.5 cm (7.9 x 1.2 x 6.1 inches)
Weight: 0.7 kg (1.56 lbs) | 0.64 kg | 0.69 kg (1.55 lbs)
Supply voltage: 110 VAC (90 to 132 VAC), 100 VAC, 230 VAC (200 to 265 VAC) | 100 ~ 240 VAC | 100 to 240 VAC
Line voltage frequency, AC: 50/60 Hz (47 to 63 Hz) | 50/60 Hz | 50/60 Hz
Max. Power Consumption: 13.5 W MAX (100 series) / 7.5 W (200 series) | MAX 5.75 W (MAX 1.15 A) w/o external USB devices (USB – MAX 1 A) | MAX 8 W (MAX 1.6 A) w/o external USB devices (USB – MAX 1 A)
Retail box dimensions (width x height x depth): 31 x 10 x 16 cm (12.4 x 4 x 6.4 inches) | 29 x 25 x 7.6 cm (11.4 x 9.8 x 3 inches) | 29 x 25 x 7.6 cm (11.4 x 9.8 x 3 inches)
Retail box weight: 1.3 kg (2.9 lbs) | 1.3 kg (2.9 lbs) | 1.35 kg (3 lbs)
Environmental Conditions
Storage/Transport Temperature: -20°C to +70°C | -5°C to +70°C | -5°C to +70°C
Operation Temperature: +5°C to +45°C | -5°C ~ 50°C | -5°C ~ 50°C
Humidity, Storage/Operation: 5% to 90% at 25°C (no condensation) | 0% ~ 90% | 0% ~ 90%
Applicable Standards
Shock & Vibration: ETSI 300 019-2-3 CLASS 3.1 & Bellcore GR 63 (NEBS) | CNS1219 C6343 | CNS1219 C6343
Safety: EN60950/IEC 60950 | EN60950/IEC 60950 | EN60950/IEC 60950
Quality: ISO9001 | ISO9001:2000, TL9000-HW R3.0, ISO14001, Ohsas18001:1999 | ISO9001:2000, TL9000-HW R3.0, ISO14001, Ohsas18001:1999

CE Declaration of Conformity
SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, hereby declares that this equipment is in conformity with the essential requirements specified in Article 3.1 (a) and 3.1 (b) of:
• Directive 89/336/EEC (EMC Directive)
• Directive 73/23/EEC (Low Voltage Directive – LVD)
• Directive 99/05/EEC (Radio Equipment and Telecommunications Terminal Equipment Directive)
In accordance with the following standards:
Table 45: Safe@Office Appliance Standards
Standards applied across the Safe@Office 105/110/255/225U, Safe@Office 300 and Safe@Office 300W models:
EN 55022:1994+A1:1995+A2:1997, Class B
EN 55022:1998
EN 55024:1998+A1:2001+A2:2003
EN 55024:1998
EN 50081-1:1992
EN 50082-1:1997
EN 300 328 V1.4.1 (2003-04)
EN 301 489-1 V1.4.1 (2002-08)
EN 301 489-17 V1.2.1 (2002-08)
EN 61000-3-2:1995
EN 61000-3-2:2000
EN 61000-3-3:1995
EN 61000-3-3:1995+A1:2001
EN 61000-6-1:2001
EN 61000-6-3:2001
EN 61000-4-2:1995
EN 61000-4-2:1995+A1:1998+A2:2001
EN 61000-4-3:1996/A2:2001
EN 61000-4-3:1996+A1:1998+A2:2001
EN 61000-4-4:1995
EN 61000-4-4:1995+A1:2001+A2:2001
EN 61000-4-5:1995
EN 61000-4-5:1995+A1:2001
EN 61000-4-6:1996
EN 61000-4-6:1996+A1:2001
EN 61000-4-7:1993
EN 61000-4-8:1993
EN 61000-4-9:1993
EN 61000-4-10:1993
EN 61000-4-11:1994
EN 61000-4-11:1994+A1:2001
EN 61000-4-12:1995
IEC 61000-4-2:2001
IEC 61000-4-3:2002+A1:2002
IEC 61000-4-4:1995+A1:2002+A2:2001
IEC 61000-4-5:2001
IEC 61000-4-6:2001
IEC 61000-4-8:2001
IEC 61000-4-11:2001
EN 60950:1992
EN 60950-1:2001
The "CE" mark is affixed to this product to demonstrate conformance to the R&TTE Directive 99/05/EEC (Radio Equipment and Telecommunications Terminal Equipment Directive) and FCC Part 15 Class B.
The product has been tested in a typical configuration. For a copy of the Original Signed Declaration (in full conformance with EN45014), please contact SofaWare at the above address.

Federal Communications Commission Radio Frequency Interference Statement
This equipment complies with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Shielded cables must be used with this equipment to maintain compliance with FCC regulations. Changes or modifications not expressly approved by the manufacturer could void the user’s authority to operate the equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
This Class B digital apparatus complies with Canadian ICES-003.

Glossary of Terms
ADSL Modem
A device connecting a computer to the Internet via an existing phone line. ADSL (Asymmetric Digital Subscriber Line) modems offer a high-speed 'always-on' connection.
CA
The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguishing Name (DN) (identifying information) of the entity, as well as the public key (information about itself), and possibly the IP address. After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves using the public keys in the certificates.
Cable Modem
A device connecting a computer to the Internet via the cable television network. Cable modems offer a high-speed 'always-on' connection.
Certificate Authority
The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguishing Name (DN) (identifying information) of the entity, as well as the public key (information about itself), and possibly the IP address. After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves using the public keys in the certificates.
Cracking
An activity in which someone breaks into someone else's computer system, bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security. The end result is that whatever resides on the computer can be viewed and sensitive data can be stolen without anyone knowing about it. Sometimes, tiny programs are 'planted' on the computer that are designed to watch out for, seize and then transmit to another computer, specific types of data.
DHCP
Any machine requires a unique IP address to connect to the Internet using Internet Protocol. Dynamic Host Configuration Protocol (DHCP) is a communications protocol that assigns Internet Protocol (IP) addresses to computers on the network. DHCP uses the concept of a "lease" or amount of time that a given IP address will be valid for a computer.
DMZ
A DMZ (demilitarized zone) is an internal network defined in addition to the LAN network and protected by the Safe@Office appliance.
DNS
The Domain Name System (DNS) refers to the Internet domain names, or easy-to-remember "handles", that are translated into IP addresses.
Domain Name
An example of a Domain Name is 'www.sofaware.com'.
Domain Name System
The Domain Name System (DNS) refers to the Internet domain names, or easy-to-remember "handles", that are translated into IP addresses.
Exposed Host
An exposed host allows one computer to be exposed to the Internet. An example of using an exposed host would be exposing a public server, while preventing outside users from getting direct access from this server back to the private network.
Firmware
Software embedded in a device.
Gateway
A network point that acts as an entrance to another network.
Hacking
An activity in which someone breaks into someone else's computer system, bypasses passwords or licenses in computer programs; or in other ways intentionally breaches computer security. The end result is that whatever resides on the computer can be viewed and sensitive data can be stolen without anyone knowing about it. Sometimes, tiny programs are 'planted' on the computer that are designed to watch out for, seize and then transmit to another computer, specific types of data.
HTTPS
Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. A protocol for accessing a secure Web server. It uses SSL as a sublayer under the regular HTTP application. This directs messages to a secure port number rather than the default Web port number, and uses a public key to encrypt data. HTTPS is used to transfer confidential user information.
Hub
A device with multiple ports, connecting several PCs or network devices on a network.
IP Address
An IP address is a 32-bit number that identifies each computer sending or receiving data packets across the Internet. When you request an HTML page or send e-mail, the Internet Protocol part of TCP/IP includes your IP address in the message and sends it to the IP address that is obtained by looking up the domain name in the Uniform Resource Locator you requested or in the e-mail address you're sending a note to. At the other end, the recipient can see the IP address of the Web page requestor or the e-mail sender and can respond by sending another message using the IP address it received.
IP Spoofing
A technique where an attacker attempts to gain unauthorized access through a false source address to make it appear as though communications have originated in a part of the network with higher access privileges. For example, a packet originating on the Internet may be masquerading as a local packet with the source IP address of an internal host. The firewall can protect against IP spoofing attacks by limiting network access based on the gateway interface from which data is being received.
IPSEC
IPSEC is the leading Virtual Private Networking (VPN) standard. IPSEC enables individuals or offices to establish secure communication channels ('tunnels') over the Internet.
ISP
An ISP (Internet service provider) is a company that provides access to the Internet and other related services.
LAN
A local area network (LAN) is a group of computers and associated devices that share a common communications line and typically share the resources of a single server within a small geographic area.
MAC Address
The MAC (Media Access Control) address is a computer's unique hardware number. When connected to the Internet from your computer, a mapping relates your IP address to your computer's physical (MAC) address on the LAN.
Mbps
Megabits per second. Measurement unit for the rate of data transmission.
MTU
The Maximum Transmission Unit (MTU) is a parameter that determines the largest datagram that can be transmitted by an IP interface (without it needing to be broken down into smaller units). The MTU should be larger than the largest datagram you wish to transmit unfragmented. Note: This only prevents fragmentation locally. Some other link in the path may have a smaller MTU - the datagram will be fragmented at that point. Typical values are 1500 bytes for an Ethernet interface or 1452 for a PPP interface.
NAT
Network Address Translation (NAT) is the translation or mapping of an IP address to a different IP address. NAT can be used to map several internal IP addresses to a single IP address, thereby sharing a single IP address assigned by the ISP among several PCs. Check Point FireWall-1's Stateful Inspection Network Address Translation (NAT) implementation supports hundreds of pre-defined applications, services, and protocols, more than any other firewall vendor.
NetBIOS
NetBIOS is the networking protocol used by DOS and Windows machines.
Packet
A packet is the basic unit of data that flows from one source on the Internet to another destination on the Internet. When any file (e-mail message, HTML file, GIF file etc.) is sent from one place to another on the Internet, the file is divided into "chunks" of an efficient size for routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file at the receiving end.
PPPoE
PPPoE (Point-to-Point Protocol over Ethernet) enables connecting multiple computer users on an Ethernet local area network to a remote site or ISP, through common customer premises equipment (e.g. modem).
PPTP
The Point-to-Point Tunneling Protocol (PPTP) allows extending a local network by establishing private “tunnels” over the Internet. This protocol is also used by some DSL providers as an alternative for PPPoE.
RJ-45
The RJ-45 is a connector for digital transmission over ordinary phone wire.
Router
A router is a device that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks.
Server
A server is a program (or host) that awaits and fulfills requests from client programs across the network. For example, a Web server is the computer program, running on a specific host, that serves requested HTML pages or files. Your browser is the client program, in this case.
Stateful Inspection
Stateful Inspection was invented by Check Point to provide the highest level of security by examining every layer within a packet, unlike other systems of inspection. Stateful Inspection extracts information required for security decisions from all application layers and retains this information in dynamic state tables for evaluating subsequent connection attempts. In other words, it learns!
Subnet Mask
A 32-bit identifier indicating how the network is split into subnets. The subnet mask indicates which part of the IP address is the host ID and which indicates the subnet.
TCP
TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet. For example, when an HTML file is sent to you from a Web server, the Transmission Control Protocol (TCP) program layer in that server divides the file into one or more packets, numbers the packets, and then forwards them individually to the IP program layer. Although each packet has the same destination IP address, it may get routed differently through the network. At the other end (the client program in your computer), TCP reassembles the individual packets and waits until they have arrived to forward them to you as a single file.
TCP/IP
TCP/IP (Transmission Control Protocol/Internet Protocol) is the underlying communication protocol of the Internet.
UDP
UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP. Like the Transmission Control Protocol, UDP uses the Internet Protocol to actually get a data unit (called a datagram) from one computer to another. Unlike TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. UDP is often used for applications such as streaming data.
URL
A URL (Uniform Resource Locator) is the address of a file (resource) accessible on the Internet. The type of resource depends on the Internet application protocol. On the Web (which uses the Hypertext Transfer Protocol), an example of a URL is 'http://www.sofaware.com'.
VPN
A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.
VPN tunnel
A secure connection between a Remote Access VPN Client and a Remote Access VPN Server.
WLAN
A WLAN is a wireless local area network protected by the Safe@Office appliance.
The type of resource Glossary of Terms 305 A Index account, configuring • 171 active computers, viewing • 144 active connections, viewing • 147 Allow and Forward rules, explained • 157 Allow rules, explained • 157 antivirus checking compliancy • 189 installing • 184 Automatic login • 233 backup connection • 91 Block rules, explained • 157 explained • 299 cable type • 40 certificate explained • 237 installing • 237 uninstalling • 240 command line interface controlling the appliance via • 271 DHCP configuring • 94 explained • 300 DHCP Server enabling/disabling • 94 explained • 94 diagnostic tools Ping • 272 Traceroute • 272 CA, explained • 237, 299 using • 272 cable modem WHOIS • 272 connection • 61, 70 diagnostics • 279 Index 307 E dialup connection • 77, 92 firewall levels • 149 modem • 84 rule types • 155 dialup modem, setting up • 84 setting security level • 149 DMZ configuring • 102 firmware configuring High Availability for • 117 explained • 255, 300 explained • 102, 300 viewing status • 255 DNS • 91, 272, 300 updating manually • 257 front panel • 15, 19 Dynamic DNS • 10, 169 gateways Email Antivirus backup • 117 enabling/disabling • 176 default • 102, 117, 137 selecting protocols for • 177 explained • 300 ID • 169 snoozing • 177 master • 117 temporarily disabling • 177 event log, viewing • 141 exposed host Site-to-Site VPN • 199 Hide NAT defining a computer as • 163 explained • 163, 300 308 Check Point Safe@Office User Guide enabling/disabling • 101 explained • 101, 302 I high availability Internet Setup • 66 configuring • 117 Internet Wizard • 58 explained • 117 IP address HTTPS changing • 100 configuring • 265 explained • 301 explained • 301 hiding • 101 using • 49 hub • 13, 17, 40, 91, 117, 283, 301 IPSEC • 2 VPN mode • 8, 302 ISP, explained • 302 initial login • 45 installation cable type • 40 LAN cable • 40 network • 40 configuring High Availability for • 117 SecureDesk • 184 connection • 58, 60, 68 Internet connection configuring • 57 configuring backup 
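The IP Spoofing and Subnet Mask entries describe an interface-based check: a packet's source address is judged against the gateway interface it arrived on, with the subnet mask deciding which addresses belong to which segment. The Python below is an added illustration and not Safe@Office code; the two-segment topology, the interface names (LAN, DMZ, WAN) and the sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (hypothetical): the subnet that legitimately originates
# traffic on each inside interface. Internet traffic arrives on the "WAN" interface.
INTERFACE_SUBNETS = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),
    "DMZ": ipaddress.ip_network("192.168.20.0/24"),
}

@dataclass(frozen=True)
class Packet:
    iface: str   # gateway interface the packet arrived on
    src: str     # source address in the IP header (attacker-controlled on the wire)
    dst: str
    proto: str   # "TCP" or "UDP", as shown in the Event Log
    dport: int

def split_address(addr: str, mask: str) -> tuple:
    """Apply a subnet mask and return (subnet ID, host ID) of an IPv4 address."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    subnet = ipaddress.IPv4Address(a & m)
    host = ipaddress.IPv4Address(a & ~m & 0xFFFFFFFF)
    return str(subnet), str(host)

def anti_spoof_verdict(pkt: Packet) -> str:
    """Judge the source address by the interface it arrived on, not by the address alone."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "WAN":
        # A packet from the Internet must not claim an internal source address.
        if any(src in net for net in INTERFACE_SUBNETS.values()):
            return "DROP: spoofed internal source on WAN"
        return "ACCEPT"
    allowed = INTERFACE_SUBNETS.get(pkt.iface)
    if allowed is None:
        return "DROP: unknown interface"
    if src not in allowed:
        # An inside host must use an address belonging to its own segment.
        return f"DROP: {pkt.src} is not in {allowed} on {pkt.iface}"
    return "ACCEPT"

def log_event(pkt: Packet, verdict: str) -> dict:
    """Build the record the Event Log keeps for a rejected attempt: source and
    destination address, destination port and protocol, plus the verdict."""
    return {"verdict": verdict, "src": pkt.src, "dst": pkt.dst,
            "dport": pkt.dport, "proto": pkt.proto, "iface": pkt.iface}
```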