SofaWare Technologies SBXW-166LHGE-6 Wireless Broadband Router User Manual Check Point Safe Office User Guide

SofaWare Technologies Ltd. Wireless Broadband Router Check Point Safe Office User Guide

UserManual.wiki >

SofaWare Technologies >

SBXW-166LHGE-6 User Manual >

Manual Pt2

1. Manual Pt1
2. Manual Pt2

Manual Pt2

Using SmartDefense Chapter 9: Setting Your Security Policy 235 In this field… Do this… Max. Connections/Second from Same Source IP Type the maximum number of network connections allowed per second from the same source IP address. The default value is 100. Set a lower threshold for stronger protection against DoS attacks. Note: Setting this value too low can lead to false alarms. Welchia The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability. After infecting a computer, the worm begins searching for other live computers to infect. It does so by sending a specific ping packet to a target and waiting for the reply that signals that the target is alive. This flood of pings may disrupt network connectivity. You can configure how the Welchia worm should be handled.

Using SmartDefense 236 Check Point Safe@Office User Guide Table 43: Welchia Fields In this field… Do this… Action Specify what action to take when the Welchia worm is detected, by selecting one of the following: • Block. Block the attack. This is the default. • None. No action. Track Specify whether to log Welchia worm attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack. Cisco IOS DOS Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4) packets by default. When a Cisco IOS device is sent a specially crafted sequence of IPv4 packets (with protocol type 53 - SWIPE, 55 - IP Mobility, 77 - Sun ND, or 103 - Protocol Independent Multicast - PIM), the router will stop processing inbound traffic on that interface.

Using SmartDefense Chapter 9: Setting Your Security Policy 237 You can configure how Cisco IOS DOS attacks should be handled. Table 44: Cisco IOS DOS In this field… Do this… Action Specify what action to take when a Cisco IOS DOS attack occurs, by selecting one of the following: • Block. Block the attack. This is the default. • None. No action. Track Specify whether to log Cisco IOS DOS attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack. Number of Hops to Protect Type the number of hops from the enforcement module that Cisco routers should be protected. The default value is 10.

Using SmartDefense 238 Check Point Safe@Office User Guide In this field… Do this… Action Protection for SWIPE - Protocol 53 / IP Mobility - Protocol 55 / SUN-ND - Protocol 77 / PIM - Protocol 103 Specify what action to take when an IPv4 packet of the specific protocol type is received, by selecting one of the following: • Block. Drop the packet. This is the default. • None. No action. Null Payload Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts. You can configure how null payload ping packets should be handled. Table 45: Null Payload Fields In this field… Do this… Action Specify what action to take when null payload ping packets are detected, by selecting one of the following: • Block. Block the packets. This is the default. • None. No action.

Using SmartDefense Chapter 9: Setting Your Security Policy 239 In this field… Do this… Track Specify whether to log null payload ping packets, by selecting one of the following: • Log. Log the packets. This is the default. • None. Do not log the packets. TCP This category allows you to configure various protections related to the TCP protocol. It includes the following: • Strict TCP on page 239 • Small PMTU on page 241 Strict TCP Out-of-state TCP packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet. Note: In normal conditions, out-of-state TCP packets can occur after the Safe@Office restarts, since connections which were established prior to the reboot are unknown. This is normal and does not indicate an attack.

Using SmartDefense 240 Check Point Safe@Office User Guide You can configure how out-of-state TCP packets should be handled. Table 46: Strict TCP In this field… Do this… Action Specify what action to take when an out-of-state TCP packet arrives, by selecting one of the following: • Block. Block the packets. • None. No action. This is the default. Track Specify whether to log null payload ping packets, by selecting one of the following: • Log. Log the packets. This is the default. • None. Do not log the packets.

Using SmartDefense Chapter 9: Setting Your Security Policy 241 Small PMTU Small PMTU (Packet MTU) is a bandwidth attack in which the client fools the server into sending large amounts of data using small packets. Each packet has a large overhead that creates a "bottleneck" on the server. You can protect against this attack by specifying a minimum packet size for data sent over the Internet. Table 47: Small PMTU Fields In this field… Do this… Action Specify what action to take when a packet is smaller than the Minimal MTU Size threshold, by selecting one of the following: • Block. Block the packet. • None. No action. This is the default. Track Specify whether to issue logs for packets are smaller than the Minimal MTU Size threshold, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs.

Using SmartDefense 242 Check Point Safe@Office User Guide In this field… Do this… Minimal MTU Size Type the minimum value allowed for the MTU field in IP packets sent by a client. An overly small value will not prevent an attack, while an overly large value might degrade performance and cause legitimate requests to be dropped. The default value is 300. Port Scan An attacker can perform a port scan to determine whether ports are open and vulnerable to an attack. This is most commonly done by attempting to access a port and waiting for a response. The response indicates whether or not the port is open. This category includes the following types of port scans: • Host Port Scan. The attacker scans a specific host's ports to determine which of the ports are open. • Sweep Scan. The attacker scans various hosts to determine where a specific port is open. You can configure how the Safe@Office appliance should react when a port scan is detected.

Using SmartDefense Chapter 9: Setting Your Security Policy 243 Table 48: Port Scan Fields In this field… Do this… Number of ports accessed SmartDefense detects ports scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan. Type the minimum number of ports that must be accessed within the In a period of [seconds] period, in order for SmartDefense to detect the activity as a port scan. For example, if this value is 30, and 40 ports are accessed within a specified period of time, SmartDefense will detect the activity as a port scan. For Host Port Scan, the default value is 30. For Sweep Scan, the default value is 50.

Using SmartDefense 244 Check Point Safe@Office User Guide In this field… Do this… In a period of [seconds] SmartDefense detects ports scans by measuring the number of ports accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan. Type the maximum number of seconds that can elapse, during which the Number of ports accessed threshold is exceeded, in order for SmartDefense to detect the activity as a port scan. For example, if this value is 20, and the Number of ports accessed threshold is exceeded for 15 seconds, SmartDefense will detect the activity as a port scan. If the threshold is exceeded for 30 seconds, SmartDefense will not detect the activity as a port scan. The default value is 20 seconds. Track Specify whether to issue logs for scans, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs. This is the default. Detect scans from Internet only Specify whether to detect only scans originating from the Internet, by selecting one of the following: • False. Do not detect only scans from the Internet. This is the default. • True. Detect only scans from the Internet.

Using SmartDefense Chapter 9: Setting Your Security Policy 245 FTP This category allows you to configure various protections related to the FTP protocol. It includes the following: • FTP Bounce on page 245 • Block Known Ports on page 246 • Block Port Overflow on page 247 • Blocked FTP Commands on page 248 FTP Bounce When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine. You can configure how FTP bounce attacks should be handled.

Using SmartDefense 246 Check Point Safe@Office User Guide Table 49: FTP Bounce Fields In this field… Do this… Action Specify what action to take when an FTP Bounce attack occurs, by selecting one of the following: • Block. Block the attack. This is the default. • None. No action. Track Specify whether to log FTP Bounce attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack. Block Known Ports You can choose to block the FTP server from connecting to well-known ports. Note: Known ports are published ports associated with services (for example, SMTP is port 25). This provides a second layer of protection against FTP bounce attacks, by preventing such attacks from reaching well-known ports.

Using SmartDefense Chapter 9: Setting Your Security Policy 247 Table 50: Block Known Ports Fields In this field… Do this… Action Specify what action to take when the FTP server attempts to connect to a well-known port, by selecting one of the following: • Block. Block the connection. • None. No action. This is the default. Block Port Overflow FTP clients send PORT commands when connecting to the FTP sever. A PORT command consists of a series of numbers between 0 and 255, separated by commas. To enforce compliance to the FTP standard and prevent potential attacks against the FTP server, you can block PORT commands that contain a number greater than 255.

Using SmartDefense 248 Check Point Safe@Office User Guide Table 51: Block Port Overflow In this field… Do this… Action Specify what action to take for PORT commands containing a number greater than 255, by selecting one of the following: • Block. Block the PORT command. This is the default. • None. No action. Blocked FTP Commands Some seldom-used FTP commands may compromise FTP server security and integrity. You can specify which FTP commands should be allowed to pass through the security server, and which should be blocked. To enable FTP command blocking • In the Action drop-down list, select Block. The FTP commands listed in the Blocked commands box will be blocked. FTP command blocking is enabled by default.

Using SmartDefense Chapter 9: Setting Your Security Policy 249 To disable FTP command blocking • In the Action drop-down list, select None. All FTP commands are allowed, including those in the Blocked commands box. To block a specific FTP command 1. In the Allowed commands box, select the desired FTP command. 2. Click Block. The FTP command appears in the Blocked commands box. 3. Click Apply. When FTP command blocking is enabled, the FTP command will be blocked. To allow a specific FTP command 1. In the Blocked commands box, select the desired FTP command. 2. Click Accept. The FTP command appears in the Allowed commands box. 3. Click Apply. The FTP command will be allowed, regardless of whether FTP command blocking is enabled or disabled. Microsoft Networks This category includes File and Print Sharing. Microsoft operating systems and Samba clients rely on Common Internet File System (CIFS), a protocol for sharing files and printers. However, this protocol is also widely used by worms as a means of propagation.

Using SmartDefense 250 Check Point Safe@Office User Guide You can configure how CIFS worms should be handled. Table 52: File Print and Sharing Fields In this field… Do this… Action Specify what action to take when a CIFS worm attack is detected, by selecting one of the following: • Block. Block the attack. • None. No action. This is the default. Track Specify whether to log CIFS worm attacks, by selecting one of the following: • Log. Log the attack. • None. Do not log the attack. This is the default. CIFS worm patterns list Select the worm patterns to detect. Patterns are matched against file names (including file paths but excluding the disk share name) that the client is trying to read or write from the server.

Using SmartDefense Chapter 9: Setting Your Security Policy 251 IGMP This category includes the IGMP protocol. IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target a vulnerability in the multicast routing software/hardware used, by sending specially crafted IGMP packets. You can configure how IGMP attacks should be handled. Table 53: IGMP Fields In this field… Do this… Action Specify what action to take when an IGMP attack occurs, by selecting one of the following: • Block. Block the attack. This is the default. • None. No action. Track Specify whether to log IGMP attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.

Using SmartDefense 252 Check Point Safe@Office User Guide In this field… Do this… Enforce IGMP to multicast addresses According to the IGMP specification, IGMP packets must be sent to multicast addresses. Sending IGMP packets to a unicast or broadcast address might constitute and attack; therefore the Safe@Office appliance blocks such packets. Specify whether to allow or block IGMP packets that are sent to non-multicast addresses, by selecting one of the following: • Block. Block IGMP packets that are sent to non-multicast addresses. This is the default. • None. No action. Peer to Peer SmartDefense can block peer-to-peer traffic, by identifying the proprietary protocols and preventing the initial connection to the peer-to-peer networks. This prevents not only downloads, but also search operations. This category includes the following nodes: • KaZaA • Gnutella • eMule • BitTorrent Note: SmartDefense can detect peer-to-peer traffic regardless of the TCP port being used to initiate the session.

Using SmartDefense Chapter 9: Setting Your Security Policy 253 In each node, you can configure how peer-to-peer connections of the selected type should be handled, using the table below. Table 54: Peer to Peer Fields In this field… Do this… Action Specify what action to take when a connection is attempted, by selecting one of the following: • Block. Block the connection. • None. No action. This is the default. Track Specify whether to log peer-to-peer connections, by selecting one of the following: • Log. Log the connection. • None. Do not log the connection. This is the default. Block proprietary protocols on all ports Specify whether proprietary protocols should be blocked on all ports, by selecting one of the following: • Block. Block the proprietary protocol on all ports. This in effect prevents all communication using this peer-to-peer application. This is the default. • None. Do not block the proprietary protocol on all ports.

Using SmartDefense 254 Check Point Safe@Office User Guide Instant Messengers SmartDefense can block instant messaging applications that use VoIP protocols, by identifying the messaging application's fingerprints and HTTP headers. This category includes the following nodes: • Skype • Yahoo • ICQ Note: SmartDefense can detect instant messaging traffic regardless of the TCP port being used to initiate the session. In each node, you can configure how instant messaging connections of the selected type should be handled, using the table below.

Using SmartDefense Chapter 9: Setting Your Security Policy 255 Table 55: Instant Messengers Fields In this field… Do this… Action Specify what action to take when a connection is attempted, by selecting one of the following: • Block. Block the connection. • None. No action. This is the default. Track Specify whether to log instant messenger connections, by selecting one of the following: • Log. Log the connection. • None. Do not log the connection. This is the default. Block proprietary protocols on all ports Specify whether proprietary protocols should be blocked on all ports, by selecting one of the following: • Block. Block the proprietary protocol on all ports. This in effect prevents all communication using this instant messenger application. This is the default. • None. Do not block the proprietary protocol on all ports.

Using Secure HotSpot 256 Check Point Safe@Office User Guide Using Secure HotSpot You can enable your Safe@Office appliance as a public Internet access hotspot for specific networks. When users on those networks attempt to access the Internet, they are automatically re-directed to the My HotSpot page http://my.hotspot. On this page, they must read and accept the My HotSpot terms of use, and if My HotSpot is configured to be password-protected, they must log on using their Safe@Office username and password. The users may then access the Internet. Users can also log out in the My HotSpot page. Note: HotSpot users are automatically logged out after one hour of inactivity. Safe@Office Secure HotSpot is useful in any wired or wireless environment where Web-based user authentication or terms-of-use approval is required prior to gaining access to the network. For example, Secure HotSpot can be used in public computer labs, educational institutions, libraries, Internet cafés, and so on. The Safe@Office appliance allows you to add guest users quickly and easily. By default, guest users are given a username and password that expire in 24 hours and granted HotSpot Access permissions only. For information on adding quick guest users, see Adding Quick Guest Users on page 367.

Using Secure HotSpot Chapter 9: Setting Your Security Policy 257 You can choose to exclude specific network objects from HotSpot enforcement. For information, see Using Network Objects on page 129. Important: SecuRemote VPN software users who are authenticated by the Internal VPN Server are automatically exempt from HotSpot enforcement. This allows, for example, authenticated employees to gain full access to the corporate LAN, while guest users are permitted to access the Internet only. Note: HotSpot enforcement can block traffic passing through the firewall; however, it does not block local traffic on the same network segment (traffic that does not pass through the firewall). Setting Up Secure HotSpot To set up Secure HotSpot 1. Enable Secure HotSpot for the desired networks. See Enabling/Disabling Secure HotSpot on page 258. 2. Customize Secure HotSpot as desired. See Customizing Secure HotSpot on page 259. 3. Grant HotSpot Access permissions to users on the selected networks. See Adding and Editing Users on page 363. 4. To exclude specific computers from HotSpot enforcement, by adding or editing their network objects. See Adding and Editing Network Objects on page 130. You must select Exclude this computer/network from HotSpot enforcement option. 5. Add quick guest users as needed. See Adding Quick Guest Users on page 367.

Using Secure HotSpot 258 Check Point Safe@Office User Guide Enabling/Disabling Secure HotSpot To enable/disable Secure HotSpot 1. Click Security in the main menu, and click the My HotSpot tab. The My HotSpot page appears. 2. In the HotSpot Networks area, do one of the following: • To enable Secure HotSpot for a specific network, select the check box next to the network. • To disable Secure HotSpot for a specific network, clear the check box next to the network. 3. Click Apply.

Using Secure HotSpot Chapter 9: Setting Your Security Policy 259 Customizing Secure HotSpot To customize Secure HotSpot 1. Click Security in the main menu, and click the My HotSpot tab. The My HotSpot page appears. 2. Complete the fields using the information in the table below. Additional fields may appear. 3. To preview the My HotSpot page, click Preview. A browser window opens displaying the My HotSpot page.

Using Secure HotSpot 260 Check Point Safe@Office User Guide 4. Click Apply. Your changes are saved. Table 56: My HotSpot Fields In this field… Do this… My HotSpot Title Type the title that should appear on the My HotSpot page. The default title is "Welcome to My HotSpot". My HotSpot Terms Type the terms to which the user must agree before accessing the Internet. You can use HTML tags as needed. My HotSpot is password protected Select this option to require users to enter their username and password before accessing the Internet. If this option is not selected, users will be required only to accept the terms of use before accessing the network. The Allow a user to login from more than one computer at the same time check box appears. Allow a user to login from more than one computer at the same time Select this option to allow a single user to log on to My HotSpot from multiple computers at the same time.

Defining an Exposed Host Chapter 9: Setting Your Security Policy 261 Defining an Exposed Host The Safe@Office appliance allows you to define an exposed host, which is a computer that is not protected by the firewall. This is useful for setting up a public server. It allows unlimited incoming and outgoing connections between the Internet and the exposed host computer. The exposed host receives all traffic that was not forwarded to another computer by use of Allow and Forward rules. Warning: Entering an IP address may make the designated computer vulnerable to hacker attacks. Defining an exposed host is not recommended unless you are fully aware of the security risks. To define a computer as an exposed host 1. Click Security in the main menu, and click the Exposed Host tab. The Exposed Host page appears.

Defining an Exposed Host 262 Check Point Safe@Office User Guide 2. In the Exposed Host field, type the IP address of the computer you wish to define as an exposed host. Alternatively, you can click This Computer to define your computer as the exposed host. 3. Click Apply. The selected computer is now defined as an exposed host. To clear the exposed host 1. Click Security in the main menu, and click the Exposed Host tab. The Exposed Host page appears. 2. Click Clear. 3. Click Apply. No exposed host is defined.

Overview Chapter 10: Using VStream Antivirus 263 Chapter 10 This chapter explains how to use the VStream Antivirus engine to block security threats before they reach your network. This chapter includes the following topics: Overview ..................................................................................................263 Enabling/Disabling VStream Antivirus....................................................265 Viewing VStream Signature Database Information .................................266 Configuring VStream Antivirus ...............................................................267 Updating VStream Antivirus....................................................................279 Overview The Safe@Office appliance includes VStream Antivirus, an embedded stream-based antivirus engine based on Check Point Stateful Inspection and Application Intelligence technologies, that performs virus scanning at the kernel level. VStream Antivirus scans files for malicious content on the fly, without downloading the files into intermediate storage. This means minimal added latency and support for unlimited file sizes; and since VStream Antivirus stores only minimal state information per connection, it can scan thousands of connections concurrently. In order to scan archive files on the fly, VStream Antivirus performs real-time decompression and scanning of ZIP, TAR, and GZ archive files, with support for nested archive files. When VStream Antivirus detects malicious content, the action it takes depends on the protocol in which the virus was found. See the table below. In each case, VStream Antivirus blocks the file and writes a log to the Event Log. Using VStream Antivirus

Overview 264 Check Point Safe@Office User Guide Table 57: VStream Antivirus Actions If a virus if found in this protocol... VStream Antivirus does this... The protocol is detected on this port... HTTP • Terminates the connection All ports on which VStream is enabled by the policy, not only port 80 POP3 • Terminates the connection • Deletes the virus-infected email from the server The standard TCP port 110. IMAP • Terminates the connection • Replaces the virus-infected email with a message notifying the user that a virus was found The standard TCP port 143 SMTP • Rejects the virus-infected email with error code 554 • Sends a "Virus detected" message to the sender The standard TCP port 25 FTP • Terminates the data connection • Sends a "Virus detected" message to the FTP client The standard TCP port 21 TCP and UDP • Terminates the connection Generic TCP and UDP ports, other than those listed above Note: In protocols that are not listed in this table, VStream Antivirus uses a "best effort" approach to detect viruses. In such cases, detection of viruses is not guaranteed and depends on the specific encoding used by the protocol.

Enabling/Disabling VStream Antivirus Chapter 10: Using VStream Antivirus 265 If you are subscribed to the VStream Antivirus subscription service, VStream Antivirus virus signatures are automatically updated, so that security is always up-to-date, and your network is always protected. Note: VStream Antivirus differs from the Email Antivirus subscription service (part of the Email Filtering service) in the following ways: • Email Antivirus is centralized, redirecting traffic through the Service Center for scanning, while VStream Antivirus scans for viruses in the Safe@Office gateway itself. • Email Antivirus is specific to email, scanning incoming POP3 and outgoing SMTP connections only, while VStream Antivirus supports additional protocols, including incoming SMTP and outgoing POP3 connections. You can use either antivirus solution or both in conjunction. For information on Email Antivirus, see Email Filtering on page 294. Enabling/Disabling VStream Antivirus To enable/disable VStream Antivirus 1. Click Antivirus in the main menu, and click the Antivirus tab.

Viewing VStream Signature Database Information 266 Check Point Safe@Office User Guide The VStream Antivirus page appears. 2. Drag the On/Off lever upwards or downwards. VStream Antivirus is enabled/disabled for all internal network computers. Viewing VStream Signature Database Information VStream Antivirus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures. Periodically, the contents of the daily database are moved to the main database, leaving the daily database empty. This system of incremental updates to the main database allows for quicker updates and saves on network bandwidth. You can view information about the VStream signature databases currently in use, in the VStream Antivirus page.

Configuring VStream Antivirus Chapter 10: Using VStream Antivirus 267 Table 58: Account Page Fields This field… Displays… Main database The date and time at which the main database was last updated, followed by the version number. Daily database The date and time at which the daily database was last updated, followed by the version number. Next update The next date and time at which the Safe@Office appliance will check for updates. Status The current status of the database. This includes the following statuses: • Database Not Installed • OK Configuring VStream Antivirus You can configure VStream Antivirus in the following ways: • Configuring the VStream Antivirus Policy on page 267 • Configuring VStream Advanced Settings on page 275 Configuring the VStream Antivirus Policy VStream Antivirus includes a flexible mechanism that allows the user to define exactly which traffic should be scanned, by specifying the protocol, ports, and source and destination IP addresses. VStream Antivirus processes policy rules in the order they appear in the Antivirus Policy table, so that rule 1 is applied before rule 2, and so on. This enables you to define exceptions to rules, by placing the exceptions higher up in the Rules table.

Configuring VStream Antivirus 268 Check Point Safe@Office User Guide For example, if you want to scan all outgoing SMTP traffic, except traffic from a specific IP address, you can create a rule scanning all outgoing SMTP traffic and move the rule down in the Antivirus Policy table. Then create a rule passing SMTP traffic from the desired IP address and move this rule to a higher location in the Antivirus Policy table than the first rule. In the figure below, the general rule is rule number 2, and the exception is rule number 1. The Safe@Office appliance will process rule 1 first, passing outgoing SMTP traffic from the specified IP address, and only then it will process rule 2, scanning all outgoing SMTP traffic. The following rule types exist: VStream Antivirus Rule Types Table 59: VStream Antivirus Rule Types Rule Description Pass This rule type enables you to specify that VStream Antivirus should not scan traffic matching the rule.

Configuring VStream Antivirus Chapter 10: Using VStream Antivirus 269 Rule Description Scan This rule type enables you to specify that VStream Antivirus should scan traffic matching the rule. If a virus is found, it is blocked and logged. Adding and Editing Rules To add or edit a rule 1. Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears. 2. Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click the Edit icon next to the desired rule.

Configuring VStream Antivirus 270 Check Point Safe@Office User Guide The VStream Policy Rule Wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Service dialog box appears. The example below shows a Scan rule. 5. Complete the fields using the relevant information in the table below.

Configuring VStream Antivirus Chapter 10: Using VStream Antivirus 271 6. Click Next. The Step 3: Destination & Source dialog box appears. 7. Complete the fields using the relevant information in the table below. The Step 4: Done dialog box appears. 8. Click Finish. The new rule appears in the Firewall Rules page.

Configuring VStream Antivirus 272 Check Point Safe@Office User Guide Table 60: VStream Rule Fields In this field… Do this… Any Service Click this option to specify that the rule should apply to any service. Standard Service Click this option to specify that the rule should apply to a specific standard service. You must then select the desired service from the drop-down list. Custom Service Click this option to specify that the rule should apply to a specific non-standard service. The Protocol and Port Range fields are enabled. You must fill them in. Protocol Select the protocol (TCP, UDP, or ANY) for which the rule should apply. Ports To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box. Note: If you do not enter a port range, the rule will apply to all ports. If you enter only one port number, the range will include only that port. If the connection source is Select the source of the connections you want to allow/block. To specify an IP address, select Specified IP and type the desired IP address in the filed provided. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided.

Configuring VStream Antivirus Chapter 10: Using VStream Antivirus 273 In this field… Do this… And the destination is Select the destination of the connections you want to allow or block. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. This option is not available in Allow and Forward rules. To specify the Safe@Office Portal and network printers, select This Gateway. This option is not available in Allow and Forward rules. To specify any destination except the Safe@Office Portal and network printers, select ANY. Data Direction Select the direction of connections to which the rule should apply: • Download and Upload data. The rule applies to downloaded and uploaded data. This is the default. • Download data. The rule applies to downloaded data, that is, data flowing from the destination of the connection to the source of the connection. • Upload data. The rule applies to uploaded data, that is, data flowing from the source of the connection to the destination of the connection. Enabling/Disabling Rules You can temporarily disable a VStream Antivirus rule. To enable/disable a rule 1. Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears.

Configuring VStream Antivirus 274 Check Point Safe@Office User Guide 2. Next to the desired rule, do one of the following: • To enable the rule, click . The button changes to and the rule is enabled. • To disable the rule, click . The button changes to and the rule is disabled. Changing Rules' Priority To change a rule's priority 1. Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears. 2. Do one of the following: • Click next to the desired rule, to move the rule up in the table. • Click next to the desired rule, to move the rule down in the table. The rule's priority changes accordingly. Deleting Rules To delete an existing rule 1. Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears. 2. Click the Erase icon of the rule you wish to delete. A confirmation message appears.

Configuring VStream Antivirus Chapter 10: Using VStream Antivirus 275 3. Click OK. The rule is deleted. Configuring VStream Advanced Settings To configure VStream Antivirus advanced settings 1. Click Antivirus in the main menu, and click the Advanced tab. The Advanced Antivirus Settings page appears. 2. Complete the fields using the table below. 3. Click Apply. 4. To restore the default VStream Antivirus settings, do the following: a) Click Default. A confirmation message appears. b) Click OK.

Configuring VStream Antivirus 276 Check Point Safe@Office User Guide The VStream Antivirus settings are reset to their defaults. For information on the default values, refer to the table below. Table 61: Advanced Antivirus Settings Fields In this field… Do this… File Types Block potentially unsafe file types in email messages Select this option to block all emails containing potentially unsafe attachments. Unsafe file types are: • DOS/Windows executables, libraries and drivers • Compiled HTML Help files • VBScript files • Files with {CLSID} in their name • The following file extensions: ade, adp, bas, bat, chm, cmd,com, cpl, crt, exe, hlp, hta, inf, ins, isp, js, jse, lnk, mdb, mde, msc, msi, msp, mst, pcd, pif, reg, scr, sct, shs,shb, url, vb, vbe, vbs, wsc, wsf, wsh.

Configuring VStream Antivirus Chapter 10: Using VStream Antivirus 277 In this field… Do this… Pass safe file types without scanning Select this option to accept common file types that are known to be safe, without scanning them. Safe files types are: • MPEG streams • RIFF Ogg Stream • MP3 • PDF • PostScript • WMA/WMV/ASF • RealMedia • JPEG - only the header is scanned, and the rest of the file is skipped Selecting this option reduces the load on the gateway by skipping safe file types. This option is selected by default. Status Maximum nesting level Type the maximum number of nested content levels that VStream Antivirus should scan. Setting a higher number increases security. Setting a lower number prevents attackers from overloading the gateway by sending extremely nested archive files. The default value is 5 levels.

Configuring VStream Antivirus 278 Check Point Safe@Office User Guide In this field… Do this… Maximum compression ratio 1:x Fill in the field to complete the maximum compression ratio of files that VStream Antivirus should scan. For example, to specify a 1:150 maximum compression ratio, type 150. Setting a higher number allows the scanning of highly compressed files, but creates a potential for highly compressible files to create a heavy load on the appliance. Setting a lower number prevents attackers from overloading the gateway by sending extremely compressible files. The default value is 100. When archived file exceeds limit or extraction fails Specify how VStream Antivirus should handle files that exceed the Maximum nesting level or the Maximum compression ratio, and files for which scanning fails. Select one of the following: • Pass file without scanning. Scan only the number of levels specified, and skip the scanning of more deeply nested archives. Furthermore, skip scanning highly compressible files, and skip scanning archives that cannot be extracted because they are corrupt. This is the default. • Block file. Block the file. When a password-protected file is found in archive VStream Antivirus cannot extract and scan password-protected files inside archive. Specify how VStream Antivirus should handle such files, by selecting one of the following: • Pass file without scanning. Accept the file without scanning it. This is the default. • Block file. Block the file.

Updating VStream Antivirus Chapter 10: Using VStream Antivirus 279 Updating VStream Antivirus When you are subscribed to the VStream Antivirus updates service, VStream Antivirus virus signatures are automatically updated, keeping security up-to-date with no need for user intervention. However, you can still check for updates manually, if needed. To update the VStream Antivirus virus signature database 1. Click Antivirus in the main menu, and click the Antivirus tab. The VStream Antivirus page appears. 2. Click Update Now. The VStream Antivirus database is updated with the latest virus signatures.

Connecting to a Service Center Chapter 11: Using Subscription Services 281 Chapter 11 This chapter explains how to start subscription services, and how to use Software Updates, Web Filtering, and Email Filtering services. Note: Check with your reseller regarding availability of subscription services, or surf to www.sofaware.com/servicecenters to locate a Service Center in your area. This chapter includes the following topics: Connecting to a Service Center................................................................281 Viewing Services Information..................................................................287 Refreshing Your Service Center Connection............................................288 Configuring Your Account.......................................................................288 Disconnecting from Your Service Center.................................................289 Web Filtering............................................................................................290 Email Filtering..........................................................................................294 Automatic and Manual Updates...............................................................298 Connecting to a Service Center To connect to a Service Center 1. Click Services in the main menu, and click the Account tab. Using Subscription Services

Connecting to a Service Center 282 Check Point Safe@Office User Guide The Account page appears. 2. In the Service Account area, click Connect.

Connecting to a Service Center Chapter 11: Using Subscription Services 283 The Safe@Office Services Wizard opens, with the Service Center dialog box displayed. 3. Make sure the Connect to a different Service Center check box is selected. 4. Do one of the following: • To connect to the SofaWare Service Center, choose usercenter.sofaware.com. • To specify a Service Center, choose Specified IP and then in the Specified IP field, enter the desired Service Center’s IP address, as given to you by your system administrator. 5. Click Next. • The Connecting… screen appears.

Connecting to a Service Center 284 Check Point Safe@Office User Guide • If the Service Center requires authentication, the Service Center Login dialog box appears. Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider, then click Next. • The Connecting… screen appears. • The Confirmation dialog box appears with a list of services to which you are subscribed.

Connecting to a Service Center Chapter 11: Using Subscription Services 285 6. Click Next. The Done screen appears with a success message. 7. Click Finish. The following things happen: • If a new firmware is available, the Safe@Office appliance may start downloading it. This may take several minutes. Once the download is complete, the Safe@Office appliance restarts using the new firmware. • The Welcome page appears.

Connecting to a Service Center 286 Check Point Safe@Office User Guide • The services to which you are subscribed are now available on your Safe@Office appliance and listed as such on the Account page. See Viewing Services Information on page 287 for further information. • The Services submenu includes the services to which you are subscribed.

Viewing Services Information Chapter 11: Using Subscription Services 287 Viewing Services Information The Account page displays the following information about your subscription. Table 62: Account Page Fields This field… Displays… Service Center Name The name of the Service Center to which you are connected (if known). Gateway ID Your gateway ID. Subscription will end on The date on which your subscription to services will end. Service The services available in your service plan. Subscription The status of your subscription to each service: • Subscribed • Not Subscribed Status The status of each service: • Connected. You are connected to the service through the Service Center. • Connecting. Connecting to the Service Center. • N/A. The service is not available.

Refreshing Your Service Center Connection 288 Check Point Safe@Office User Guide This field… Displays… Information The mode to which each service is set. If you are subscribed to Dynamic DNS, this field displays your gateway's domain name. For further information, see Web Filtering on page 290, Virus Scanning on page 294, and Automatic and Manual Updates on page 298. Refreshing Your Service Center Connection This option restarts your Safe@Office appliance’s connection to the Service Center and refreshes your Safe@Office appliance’s service settings. To refresh your Service Center connection 1. Click Services in the main menu, and click the Account tab. The Account page appears. 2. In the Service Account area, click Refresh. The Safe@Office appliance reconnects to the Service Center. Your service settings are refreshed. Configuring Your Account This option allows you to access your Service Center's Web site, which may offer additional configuration options for your account. Contact your Service Center for a user ID and password.

Disconnecting from Your Service Center Chapter 11: Using Subscription Services 289 To configure your account 1. Click Services in the main menu, and click the Account tab. The Account page appears. 2. In the Service Account area, click Configure. Note: If no additional settings are available from your Service Center, this button will not appear. Your Service Center's Web site opens. 3. Follow the on-screen instructions. Disconnecting from Your Service Center If desired, you can disconnect from your Service Center. To disconnect from your Service Center 1. Click Services in the main menu, and click the Account tab. The Account page appears. 2. In the Service Account area, click Connect. The Safe@Office Services Wizard opens, with the first Subscription Services dialog box displayed. 3. Clear the Connect to a different Service Center check box. 4. Click Next. The Done screen appears with a success message. 5. Click Finish. The following things happen: • You are disconnected from the Service Center.

Web Filtering 290 Check Point Safe@Office User Guide • The services to which you were subscribed are no longer available on your Safe@Office appliance. Web Filtering When the Web Filtering service is enabled, access to Web content is restricted according to the categories specified under Allow Categories. Authorized users will be able to view Web pages with no restrictions, only after they have provided the administrator password via the Web Filtering pop-up window. Note: Web Filtering is only available if you are connected to a Service Center and subscribed to this service. Enabling/Disabling Web Filtering Note: If you are remotely managed, contact your Service Center to change these settings. To enable/disable Web Filtering 1. Click Services in the main menu, and click the Web Filtering tab.

Web Filtering Chapter 11: Using Subscription Services 291 The Web Filtering page appears. 2. Drag the On/Off lever upwards or downwards. Web Filtering is enabled/disabled. Selecting Categories for Blocking You can define which types of Web sites should be considered appropriate for your family or office members, by selecting the categories. Categories marked with will remain visible, while categories marked with will be blocked and will require the administrator password for viewing. Note: If you are remotely managed, contact your Service Center to change these settings.

Web Filtering 292 Check Point Safe@Office User Guide To allow/block a category • In the Allow Categories area, click or next to the desired category. Temporarily Disabling Web Filtering If desired, you can temporarily disable the Web Filtering service. To temporarily disable Web Filtering 1. Click Services in the main menu, and click the Web Filtering tab. The Web Filtering page appears. 2. Click Snooze. • Web Filtering is temporarily disabled for all internal network computers.

Email Filtering Chapter 11: Using Subscription Services 295 Enabling/Disabling Email Filtering Note: If you are remotely managed, contact your Service Center to change these settings. To enable/disable Email Filtering 1. Click Services in the main menu, and click the Email Filtering tab. The Email Filtering page appears. 2. Next to Email Antivirus, drag the On/Off lever upwards or downwards. Email Antivirus is enabled/disabled. 3. Next to Email Antispam, drag the On/Off lever upwards or downwards. Email Antispam is enabled/disabled.

Email Filtering 296 Check Point Safe@Office User Guide Selecting Protocols for Scanning If you are locally managed, you can define which protocols should be scanned for viruses and spam: • Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned. • Email sending (SMTP). If enabled, all outgoing email will be scanned. Protocols marked with will be scanned, while those marked with will not. Note: If you are remotely managed, contact your Service Center to change these settings. To enable virus and spam scanning for a protocol • In the Options area, click or next to the desired protocol. Temporarily Disabling Email Filtering If you are having problems sending or receiving email you can temporarily disable the Email Filtering services. To temporarily disable Email Filtering 1. Click Services in the main menu, and click the Email Filtering tab. The Email Filtering page appears. 2. Click Snooze. • Email Antivirus and Email Antispam are temporarily disabled for all internal network computers.

Automatic and Manual Updates 298 Check Point Safe@Office User Guide Automatic and Manual Updates The Software Updates service enables you to check for new security and software updates. Note: Software Updates are only available if you are connected to a Service Center and subscribed to this service. Checking for Software Updates when Remotely Managed If your Safe@Office appliance is remotely managed, it automatically checks for software updates and installs them without user intervention. However, you can still check for updates manually, if needed. To manually check for security and software updates 1. Click Services in the main menu, and click the Software Updates tab. The Software Updates page appears. 2. Click Update Now.

Automatic and Manual Updates Chapter 11: Using Subscription Services 299 The system checks for new updates and installs them. Checking for Software Updates when Locally Managed If your Safe@Office appliance is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates must be checked for manually. To configure software updates when locally managed 1. Click Services in the main menu, and click the Software Updates tab. The Software Updates page appears. 2. To set the Safe@Office appliance to automatically check for and install new software updates, drag the Automatic/Manual lever upwards. The Safe@Office appliance checks for new updates and installs them according to its schedule.

Automatic and Manual Updates 300 Check Point Safe@Office User Guide Note: When the Software Updates service is set to Automatic, you can still manually check for updates. 3. To set the Safe@Office appliance so that software updates must be checked for manually, drag the Automatic/Manual lever downwards. The Safe@Office appliance does not check for software updates automatically. 4. To manually check for software updates, click Update Now. The system checks for new updates and installs them.

Overview Chapter 12: Working With VPNs 301 Chapter 12 This chapter describes how to use your Safe@Office appliance as a Remote Access VPN Client, server, or gateway. This chapter includes the following topics: Overview ..................................................................................................301 Setting Up Your Safe@Office Appliance as a VPN Server.....................307 Adding and Editing VPN Sites ................................................................312 Deleting a VPN Site .................................................................................343 Enabling/Disabling a VPN Site................................................................343 Logging on to a Remote Access VPN Site...............................................344 Logging off a Remote Access VPN Site ..................................................348 Installing a Certificate ..............................................................................348 Uninstalling a Certificate..........................................................................355 Viewing VPN Tunnels .............................................................................356 Viewing IKE Traces for VPN Connections..............................................359 Overview You can configure your Safe@Office appliance as part of a virtual private network (VPN). A VPN is a private data network consisting of a group of gateways that can securely connect to each other. Each member of the VPN is called a VPN site, and a connection between two VPN sites is called a VPN tunnel. VPN tunnels encrypt and authenticate all traffic passing through them. Through these tunnels, employees can safely use their company’s network resources when working at home. For example, they can securely read email, use the company’s intranet, or access the company’s database from home. The are four types of VPN sites: • Remote Access VPN Server. Makes a network remotely available to authorized users, who connect to the Remote Access VPN Server using the Working With VPNs

Overview 302 Check Point Safe@Office User Guide Check Point SecuRemote VPN Client, provided for free with your Safe@Office, or from another Safe@Office. • Internal VPN Server. SecuRemote can also be used from your internal networks, allowing you to secure your wired or wireless network with strong encryption and authentication. • Site-to-Site VPN Gateway. Can connect with another Site-to-Site VPN Gateway in a permanent, bi-directional relationship. • Remote Access VPN Client. Can connect to a Remote Access VPN Server, but other VPN sites cannot initiate a connection to the Remote Access VPN Client. Defining a Remote Access VPN Client is a hardware alternative to using SecuRemote software. Both Safe@Office 500 and 500W provide full VPN functionality. They can act as a Remote Access VPN Client, a Remote Access VPN Server for multiple users, or a Site-to-Site VPN Gateway. A virtual private network (VPN) must include at least one Remote Access VPN Server or gateway. The type of VPN sites you include in a VPN depends on the type of VPN you want to create, Site-to-Site or Remote Access. Note: A locally managed Remote Access VPN Server or gateway must have a static IP address. If you need a Remote Access VPN Server or gateway with a dynamic IP address, you must use SofaWare Security Management Portal (SMP) management. A SecuRemote or Safe@Office Remote Access VPN Client can have a dynamic IP address, regardless of whether it is locally or remotely managed. Note: This chapter explains how to define a VPN locally. However, if your appliance is centrally managed by a Service Center, then the Service Center can automatically deploy VPN configuration for your appliance. Site-to-Site VPNs A Site-to-Site VPN consists of two or more Site-to-Site VPN Gateways that can communicate with each other in a bi-directional relationship. The connected

Overview Chapter 12: Working With VPNs 303 networks function as a single network. You can use this type of VPN to mesh office branches into one corporate network. Figure 12: Site-to-Site VPN

Overview 304 Check Point Safe@Office User Guide To create a Site-to-Site VPN with two VPN sites 1. On the first VPN site’s Safe@Office appliance, do the following: a. Define the second VPN site as a Site-to-Site VPN Gateway, or create a PPPoE tunnel to the second VPN site, using the procedure Adding and Editing VPN Sites on page 312. b. Enable the Remote Access VPN Server using the procedure Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 307. 2. On the second VPN site’s Safe@Office appliance, do the following: a. Define the first VPN site as a Site-to-Site VPN Gateway, or create a PPPoE tunnel to the first VPN site, using the procedure Adding and Editing VPN Sites on page 312. b. Then enable the Remote Access VPN Server using the procedure Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 307.

Overview Chapter 12: Working With VPNs 305 Remote Access VPNs A Remote Access VPN consists of one Remote Access VPN Server or Site-to-Site VPN Gateway, and one or more Remote Access VPN Clients. You can use this type of VPN to make an office network remotely available to authorized users, such as employees working from home, who connect to the office Remote Access VPN Server with their Remote Access VPN Clients. Figure 13: Remote Access VPN

Overview 306 Check Point Safe@Office User Guide To create a Remote Access VPN with two VPN sites 1. On the remote user VPN site's Safe@Office appliance, add the office Remote Access VPN Server as a Remote Access VPN site. See Adding and Editing VPN Sites on page 312. The remote user's Safe@Office appliance will act as a Remote Access VPN Client. 2. On the office VPN site's Safe@Office appliance, enable the Remote Access VPN Server. See Setting Up Your Safe@Office Appliance as a Remote Access VPN Server on page 307. Internal VPN Server You can use your Safe@Office appliance as an internal VPN Server, for enhanced wired and wireless security. When the internal VPN Server is enabled, internal network PCs and PDAs with SecuRemote VPN Client software installed can establish a Remote Access VPN session to the gateway. This means that connections from internal network users to the gateway can be encrypted and authenticated. The benefits of using the internal VPN Server are two-fold: • Accessibility Using SecuRemote, you can enjoy a secure connection from anywhere—in your wireless network or on the road—without changing any settings. The standard is completely transparent and allows you to access company resources the same way, whether you are sitting at your desk or anywhere else. • Security Many of today's attacks are increasingly introduced from inside the network. Internal security threats cause outages, downtime, and lost revenue. Wired networks that deal with highly sensitive information—especially networks in public places, such as classrooms—are vulnerable to users trying to hack the internal network.

Setting Up Your Safe@Office Appliance as a VPN Server Chapter 12: Working With VPNs 307 Using the internal VPN Server, along with a strict security policy for non-VPN users, can enhance security both for wired networks and for wireless networks, which are particularly vulnerable to security breaches. The internal VPN Server can be used in the Safe@Office 500W wireless appliance, regardless of the wireless security settings. It also can be used in wired appliances, both for wired stations and for wireless stations. Note: You can enable wireless connections to a wired Safe@Office appliance, by connecting a wireless access point in bridge mode to one of the appliance's internal interfaces. Do not connect computers to the same interface as a wireless access point, since allowing direct access from the wireless network may pose a significant security risk. For information on setting up your Safe@Office appliance as an internal VPN Server, see Setting Up Your Safe@Office Appliance as a VPN Server on page 307. Setting Up Your Safe@Office Appliance as a VPN Server You can make your network available to authorized users connecting from the Internet or from your internal networks, by setting up your Safe@Office appliance as a VPN Server. Users can connect to the VPN Server via Check Point SecuRemote or via a Safe@Office appliance in Remote Access VPN mode. Enabling the VPN Server for users connecting from your internal networks adds a layer of security to such connections. For example, while you could create a firewall rule allowing a specific user on the DMZ or WLAN to access the LAN, enabling VPN access for the user means that such connections can be encrypted and authenticated. For more information, see Internal VPN Server on page 306.

Setting Up Your Safe@Office Appliance as a VPN Server 308 Check Point Safe@Office User Guide To set up your Safe@Office appliance as a VPN Server 1. Configure the VPN Server in one or more of the following ways: • To accept remote access connections from the Internet. See Configuring the Remote Access VPN Server on page 309. • To accept connections from your internal networks. See Configuring the Internal VPN Server on page 310. 2. If you configured the internal VPN Server, install SecuRemote on the desired internal network computers. See Installing SecuRemote on page 311. 3. Set up remote VPN access for users. See Setting Up Remote VPN Access for Users on page 369. Note: Disabling the VPN Server for a specific type of connection (from the Internet or from internal networks) will cause all existing VPN tunnels of that type to disconnect.

Setting Up Your Safe@Office Appliance as a VPN Server Chapter 12: Working With VPNs 309 Configuring the Remote Access VPN Server To configure the Remote Access VPN Server 1. Click VPN in the main menu, and click the VPN Server tab. The SecuRemote VPN Server page appears. 2. Select the Allow SecuRemote users to connect from the Internet check box.

Setting Up Your Safe@Office Appliance as a VPN Server 310 Check Point Safe@Office User Guide New check boxes appear. 3. To allow authenticated users connecting from the Internet to bypass NAT when connecting to your internal network, select the Bypass NAT check box. 4. To allow authenticated users connecting from the Internet to bypass the firewall and access your internal network without restriction, select the Bypass the firewall check box. 5. Click Apply. The Remote Access VPN Server is enabled for the specified connection types. Configuring the Internal VPN Server To configure the internal VPN Server 1. Click VPN in the main menu, and click the VPN Server tab. The SecuRemote VPN Server page appears.

Setting Up Your Safe@Office Appliance as a VPN Server Chapter 12: Working With VPNs 311 2. Select the Allow SecuRemote users to connect from my internal networks check box. New check boxes appear. 3. To allow authenticated users connecting from internal networks to bypass the firewall and access your internal network without restriction, select the Bypass the firewall check box. Bypass NAT is always enabled for the internal VPN server, and cannot be disabled. 4. Click Apply. The internal VPN Server is enabled for the specified connection types. Installing SecuRemote If you configured the Remote Access VPN Server to accept connections from your internal networks, you must install the SecuRemote VPN Client on internal network computers that should be allowed to remotely access your network.

Adding and Editing VPN Sites 312 Check Point Safe@Office User Guide To install SecuRemote 1. Click VPN in the main menu, and click the VPN Server tab. The SecuRemote VPN Server page appears. 2. Click the Download SecuRemote VPN client link. The VPN-1 SecuRemote for Safe@Office page opens in a new window. 3. Follow the online instructions to complete installation. SecuRemote is installed. For information on using SecuRemote, see the User Help. To access SecuRemote User Help, right-click on the SecuRemote VPN Client icon in the taskbar, select Settings, and then click Help. Adding and Editing VPN Sites To add or edit VPN sites 1. Click VPN in the main menu, and click the VPN Sites tab.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 313 The VPN Sites page appears with a list of VPN sites. 2. Do one of the following: • To add a VPN site, click New Site. • To edit a VPN site, click Edit in the desired VPN site’s row. The Safe@Office VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.

Adding and Editing VPN Sites 314 Check Point Safe@Office User Guide 3. Do one of the following: • Select Remote Access VPN to establish remote access from your Remote Access VPN Client to a Remote Access VPN Server. • Select Site-to-Site VPN to create a permanent bi-directional connection to another Site-to-Site VPN Gateway. 4. Click Next. Configuring a Remote Access VPN Site If you selected Remote Access VPN, the VPN Gateway Address dialog box appears. 1. Enter the IP address of the Remote Access VPN Server to which you want to connect, as given to you by the network administrator. 2. To allow the VPN site to bypass the firewall and access your internal network without restriction, select the Bypass the firewall check box. 3. Click Next.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 315 The VPN Network Configuration dialog box appears. 4. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 323. 5. Click Next. The following things happen in the order below: • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears.

Adding and Editing VPN Sites 316 Check Point Safe@Office User Guide Complete the fields using the information in VPN Network Configuration Fields on page 323 and click Next. • The Authentication Method dialog box appears. 6. Complete the fields using the information in Authentication Methods Fields on page 325. 7. Click Next.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 317 Username and Password Authentication Method If you selected Username and Password, the VPN Login dialog box appears. 1. Complete the fields using the information in VPN Login Fields on page 325. 2. Click Next. • If you selected Automatic Login, the Connect dialog box appears.

Adding and Editing VPN Sites 318 Check Point Safe@Office User Guide Do the following: 1) To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated. 2) Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears. • The Site Name dialog box appears. 3. Enter a name for the VPN site. You may choose any name. 4. Click Next.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 319 The VPN Site Created screen appears. 5. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list. Certificate Authentication Method If you selected Certificate, the Connect dialog box appears.

Adding and Editing VPN Sites 320 Check Point Safe@Office User Guide 1. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated. 2. Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears. The Site Name dialog box appears. 3. Enter a name for the VPN site. You may choose any name. 4. Click Next.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 321 The VPN Site Created screen appears. 5. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list. RSA SecurID Authentication Method If you selected RSA SecurID, the Site Name dialog box appears.

Adding and Editing VPN Sites 322 Check Point Safe@Office User Guide 1. Enter a name for the VPN site. You may choose any name. 2. Click Next. The VPN Site Created screen appears. 3. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 323 Table 63: VPN Network Configuration Fields In this field… Do this… Download Configuration Click this option to obtain the network configuration by downloading it from the VPN site. This option will automatically configure your VPN settings, by downloading the network topology definition from the Remote Access VPN Server. Note: Downloading the network configuration is only possible if you are connecting to a Check Point VPN-1 or Safe@Office Site-to-Site VPN Gateway. Specify Configuration Click this option to provide the network configuration manually. Route All Traffic Click this option to route all network traffic through the VPN site. For example, if your VPN consists of a central office and a number of remote offices, and the remote offices are only allowed to access Internet resources through the central office, you can choose to route all traffic from the remote offices through the central office. Note: You can only configure one VPN site to route all traffic.

Adding and Editing VPN Sites 324 Check Point Safe@Office User Guide In this field… Do this… Route Based VPN Click this option to create a virtual tunnel interface (VTI) for this site, so that it can participate in a route-based VPN. Route-based VPNs allow routing connections over VPN tunnels, so that remote VPN sites can participate in dynamic or static routing schemes. This improves network and VPN management efficiency for large networks. For constantly changing networks, it is recommended to use a route-based VPN combined with OSPF dynamic routing. This enables you to make frequent changes to the network topology, such as adding an internal network, without having to reconfigure static routes. OSPF is enabled using CLI. For information on using CLI, see Controlling the Appliance via the Command Line on page 388. For information on the relevant commands for OSPF, refer to the Embedded NGX CLI Reference Guide. This option is only available for when configuring a Site-to-Site VPN gateway. Destination network Type up to three destination network addresses at the VPN site to which you want to connect. Subnet mask Select the subnet masks for the destination network addresses. Note: Obtain the destination networks and subnet masks from the VPN site’s system administrator. Backup Gateway Type the name of the VPN site to use if the primary VPN site fails.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 325 Table 64: Authentication Methods Fields In this field… Do this… Username and Password Select this option to use a user name and password for VPN authentication. In the next step, you can specify whether you want to log on to the VPN site automatically or manually. Certificate Select this option to use a certificate for VPN authentication. If you select this option, a certificate must have been installed. (Refer to Installing a Certificate on page 348 for more information about certificates and instructions on how to install a certificate.) RSA SecurID Token Select this option to use an RSA SecurID token for VPN authentication. When authenticating to the VPN site, you must enter a four-digit PIN code and the SecurID passcode shown in your SecurID token's display. The RSA SecurID token generates a new passcode every minute. SecurID is only supported in Remote Access manual login mode.

Adding and Editing VPN Sites 326 Check Point Safe@Office User Guide Table 65: VPN Login Fields In this field… Do this… Manual Login Click this option to configure the site for Manual Login. Manual Login connects only the computer you are currently logged onto to the VPN site, and only when the appropriate user name and password have been entered. For further information on Automatic and Manual Login, see, Logging on to a VPN Site on page 344. Automatic Login Click this option to enable the Safe@Office appliance to log on to the VPN site automatically. You must then fill in the Username and Password fields. Automatic Login provides all the computers on your internal network with constant access to the VPN site. For further information on Automatic and Manual Login, see Logging on to a VPN Site on page 344. Username Type the user name to be used for logging on to the VPN site. Password Type the password to be used for logging on to the VPN site.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 327 Configuring a Site-to-Site VPN Gateway If you selected Site-to-Site VPN, the VPN Gateway Address dialog box appears. 1. Complete the fields using the information in VPN Gateway Address Fields on page 338. 2. Click Next. The VPN Network Configuration dialog box appears.

Adding and Editing VPN Sites 328 Check Point Safe@Office User Guide 3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 323. 4. Click Next. • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Complete the fields using the information in VPN Network Configuration Fields on page 323, and then click Next.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 329 • If you chose Route Based VPN, the Route Based VPN dialog box appears. Complete the fields using the information in Route Based VPN Fields on page 339, and then click Next. • The Authentication Method dialog box appears. 5. Complete the fields using the information in Authentication Methods Fields on page 340. 6. Click Next.

Adding and Editing VPN Sites 330 Check Point Safe@Office User Guide Shared Secret Authentication Method If you selected Shared Secret, the Authentication dialog box appears. If you chose Download Configuration, the dialog box contains additional fields. 1. Complete the fields using the information in VPN Authentication Fields on page 340 and click Next.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 331 The Security Methods dialog box appears. 2. To configure advanced security settings, click Show Advanced Settings. New fields appear. 3. Complete the fields using the information in Security Methods Fields on page 340 and click Next.

Adding and Editing VPN Sites 332 Check Point Safe@Office User Guide The Connect dialog box appears. 4. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated. 5. Click Next. • If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 333 • The Site Name dialog box appears. 6. Enter a name for the VPN site. You may choose any name. 7. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive. 8. Click Next.

Adding and Editing VPN Sites 334 Check Point Safe@Office User Guide • If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following: 1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive. 2) Click Next. • The VPN Site Created screen appears. 9. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list. Certificate Authentication Method If you selected Certificate, the following things happen:

Adding and Editing VPN Sites Chapter 12: Working With VPNs 335 • If you chose Download Configuration, the Authentication dialog box appears. Complete the fields using the information in VPN Authentication Fields on page 340 and click Next. • The Security Methods dialog box appears. 1. To configure advanced security settings, click Show Advanced Settings.

Adding and Editing VPN Sites 336 Check Point Safe@Office User Guide New fields appear. 2. Complete the fields using the information in Security Methods Fields on page 340 and click Next. The Connect dialog box appears. 3. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 337 Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated. 4. Click Next. • If you selected Try to Connect to the VPN Gateway, the following things happen: The Connecting… screen appears. • The Contacting VPN Site screen appears. • The Site Name dialog box appears. 5. Enter a name for the VPN site. You may choose any name. 6. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive. 7. Click Next.

Adding and Editing VPN Sites 338 Check Point Safe@Office User Guide • If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following: 1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive. 2) Click Next. • The VPN Site Created screen appears. 8. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 339 Table 66: VPN Gateway Address Fields In this field… Do this… Gateway Address Type the IP address of the Site-to-Site VPN Gateway to which you want to connect, as given to you by the network administrator. Bypass NAT Select this option to allow the VPN site to bypass NAT when connecting to your internal network. This option is selected by default. Bypass the firewall Select this option to allow the VPN site to bypass the firewall and access your internal network without restriction. Table 67: Route Based VPN Fields In this field… Do this… Tunnel Local IP Type a local IP address for this end of the VPN tunnel. Tunnel Remote IP Type the IP address of the remote end of the VPN tunnel. OSPF Cost Type the cost of this link for dynamic routing purposes. The default value is 10. If OSPF is not enabled, this setting is not used. OSPF is enabled using the Safe@Office command line interface (CLI). For information on using CLI, see Controlling the Appliance via the Command Line on page 388. For information on the relevant commands for OSPF, refer to the Embedded NGX CLI Reference Guide.

Adding and Editing VPN Sites 340 Check Point Safe@Office User Guide Table 68: Authentication Methods Fields In this field… Do this… Shared Secret Select this option to use a shared secret for VPN authentication. A shared secret is a string used to identify VPN sites to each other. Certificate Select this option to use a certificate for VPN authentication. If you select this option, a certificate must have been installed. (Refer to Installing a Certificate on page 348 for more information about certificates and instructions on how to install a certificate.) Table 69: VPN Authentication Fields In this field… Do this… Topology User Type the topology user’s user name. Topology Password Type the topology user’s password. Use Shared Secret Type the shared secret to use for secure communications with the VPN site. This shared secret is a string used to identify the VPN sites to each other. The secret can contain spaces and special characters.

Adding and Editing VPN Sites Chapter 12: Working With VPNs 341 Table 70: Security Methods Fields In this field… Do this… Phase 1 Security Methods Select the encryption and integrity algorithm to use for IKE negotiations: • Automatic. The Safe@Office appliance automatically selects the best security methods supported by the site. This is the default. • A specific algorithm Diffie-Hellman group Select the Diffie-Hellman group to use: • Automatic. The Safe@Office appliance automatically selects a group. This is the default. • A specific group A group with more bits ensures a stronger key but lowers performance. Renegotiate every Type the interval in minutes between IKE Phase-1 key negotiations. This is the IKE Phase-1 SA lifetime. A shorter interval ensures higher security, but impacts heavily on performance. Therefore, it is recommended to keep the SA lifetime around its default value. The default value is 1440 minutes (one day). Phase 2 Security Methods Select the encryption and integrity algorithm to use for VPN traffic: • Automatic. The Safe@Office appliance automatically selects the best security methods supported by the site. This is the default. • A specific algorithm

Adding and Editing VPN Sites 342 Check Point Safe@Office User Guide In this field… Do this… Perfect Forward Secrecy Specify whether to enable Perfect Forward Secrecy (PFS), by selecting one of the following: • Enabled. PFS is enabled. The Diffie-Hellman group field is enabled. • Disabled. PFS is disabled. This is the default. Enabling PFS will generate a new Diffie-Hellman key during IKE Phase 2 and renew the key for each key exchange. PFS increases security but lowers performance. It is recommended to enable PFS only in situations where extreme security is required. Diffie-Hellman group Select the Diffie-Hellman group to use: • Automatic. The Safe@Office appliance automatically selects a group. This is the default. • A specific group A group with more bits ensures a stronger key but lowers performance. Renegotiate every Type the interval in seconds between IPSec SA key negotiations. This is the IKE Phase-2 SA lifetime. A shorter interval ensures higher security. The default value is 3600 seconds (one hour).

Deleting a VPN Site Chapter 12: Working With VPNs 343 Deleting a VPN Site To delete a VPN site 1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears, with a list of VPN sites. 2. In the desired VPN site’s row, click the Erase icon. A confirmation message appears. 3. Click OK. The VPN site is deleted. Enabling/Disabling a VPN Site You can only connect to VPN sites that are enabled. To enable/disable a VPN site 1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears, with a list of VPN sites. 2. To enable a VPN site, do the following: a. Click the icon in the desired VPN site’s row. A confirmation message appears. b. Click OK. The icon changes to , and the VPN site is enabled.

Logging on to a Remote Access VPN Site 344 Check Point Safe@Office User Guide 3. To disable a VPN site, do the following: Note: Disabling a VPN site eliminates the tunnel and erases the network topology. a. Click the icon in the desired VPN site’s row. A confirmation message appears. b. Click OK. The icon changes to , and the VPN site is disabled. Logging on to a Remote Access VPN Site You need to manually log on to Remote Access VPN Servers configured for Manual Login. You do not need to manually log on to a Remote Access VPN Server configured for Automatic Login or a Site-to-Site VPN Gateway: all the computers on your network have constant access to it. Manual Login can be done through either the Safe@Office Portal or the my.vpn page. When you log on and traffic is sent to the VPN site, a VPN tunnel is established. Only the computer from which you logged on can use the tunnel. To share the tunnel with other computers in your home network, you must log on to the VPN site from those computers, using the same user name and password. Note: You must use a single user name and password for each VPN destination gateway.

Logging on to a Remote Access VPN Site Chapter 12: Working With VPNs 345 Logging on through the Safe@Office Portal Note: You can only login to sites that are configured for Manual Login. To manually log on to a VPN site through the Safe@Office Portal 1. Click VPN in the main menu, and click the VPN Login tab. The VPN Login page appears. 2. From the Site Name list, select the site to which you want to log on. Note: Disabled VPN sites will not appear in the Site Name list. 3. Type your user name and password in the appropriate fields. 4. Click Login.

Logging on to a Remote Access VPN Site 346 Check Point Safe@Office User Guide • If the Safe@Office appliance is configured to automatically download the network configuration, the Safe@Office appliance downloads the network configuration. • If when adding the VPN site you specified a network configuration, the Safe@Office appliance attempts to create a tunnel to the VPN site. • Once the Safe@Office appliance has finished connecting, the VPN Login Status box appears. The Status field displays “Connected”. • The VPN Login Status box remains open until you manually log off the VPN site. Logging on through the my.vpn page Note: You don’t need to know the my.firewall page administrator’s password in order to use the my.vpn page. To manually log on to a VPN site through the my.vpn page 1. Direct your Web browser to http://my.vpn

Logging on to a Remote Access VPN Site Chapter 12: Working With VPNs 347 The VPN Login screen appears. 2. In the Site Name list, select the site to which you want to log on. 3. Enter your user name and password in the appropriate fields. 4. Click Login. • If the Safe@Office appliance is configured to automatically download the network configuration, the Safe@Office appliance downloads the network configuration. • If when adding the VPN site you specified a network configuration, the Safe@Office appliance attempts to create a tunnel to the VPN site. • The VPN Login Status box appears. The Status field tracks the connection’s progress. • Once the Safe@Office appliance has finished connecting, the Status field changes to “Connected”. • The VPN Login Status box remains open until you manually log off of the VPN site.

Logging off a Remote Access VPN Site 348 Check Point Safe@Office User Guide Logging off a Remote Access VPN Site You need to manually log off a VPN site, if it is a Remote Access VPN site configured for Manual Login. To log off a VPN site • In the VPN Login Status box, click Logout. All open tunnels from the Safe@Office appliance to the VPN site are closed, and the VPN Login Status box closes. Note: Closing the browser or dismissing the VPN Login Status box will also terminate the VPN session within a short time. Installing a Certificate A digital certificate is a secure means of authenticating the Safe@Office appliance to other Site-to-Site VPN Gateways. The certificate is issued by the Certificate Authority (CA) to entities such as gateways, users, or computers. The entity then uses the certificate to identify itself and provide verifiable information. For instance, the certificate includes the Distinguished Name (DN) (identifying information) of the entity, as well as the public key (information about itself). After two entities exchange and validate each other's certificates, they can begin encrypting information between themselves using the public keys in the certificates. The certificate also includes a fingerprint, a unique text used to identify the certificate. You can email your certificate's fingerprint to the remote user. Upon connecting to the Safe@Office VPN Server for the first time, the entity should check that the VPN peer's fingerprint displayed in the SecuRemote VPN Client is identical to the fingerprint received.

Installing a Certificate Chapter 12: Working With VPNs 349 The Safe@Office appliance supports certificates encoded in the PKCS#12 (Personal Information Exchange Syntax Standard) format, and enables you to install such certificates in the following ways: • By generating a self-signed certificate. See Generating a Self-Signed Certificate on page 349. • By importing a certificate. The PKCS#12 file you import must have a ".p12" file extension. If you do not have such a PKCS#12 file, obtain one from your network security administrator. See Importing a Certificate on page 353. Note: To use certificates authentication, each Safe@Office appliance should have a unique certificate. Do not use the same certificate for more than one gateway. Note: If your Safe@Office appliance is centrally managed, a certificate is automatically generated and downloaded to your appliance. In this case, there is no need to generate a self-signed certificate. Generating a Self-Signed Certificate To generate a self-signed certificate 1. Click VPN in the main menu, and click the Certificate tab.

Installing a Certificate 350 Check Point Safe@Office User Guide The Certificate page appears. 2. Click Install Certificate. The Safe@Office Certificate Wizard opens, with the Certificate Wizard dialog box displayed. 3. Click Generate a self-signed security certificate for this gateway.

Installing a Certificate Chapter 12: Working With VPNs 351 The Create Self-Signed Certificate dialog box appears. 4. Complete the fields using the information in the table below. 5. Click Next. The Safe@Office appliance generates the certificate. This may take a few seconds. The Done dialog box appears, displaying the certificate's details. 6. Click Finish.

Installing a Certificate 352 Check Point Safe@Office User Guide The Safe@Office appliance installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes. The Certificates page displays the following information: • The gateway's certificate • The gateway's name • The gateway certificate's fingerprint • The CA's certificate • The name of the CA that issued the certificate (in this case, the Safe@Office gateway) • The CA certificate's fingerprint • The starting and ending dates between which the gateway's certificate and the CA's certificate are valid

Installing a Certificate Chapter 12: Working With VPNs 353 Table 71: Certificate Fields In this field… Do this… Country Select your country from the drop-down list. Organization Name Type the name of your organization. Organizational Unit Type the name of your division. Gateway Name Type the gateway's name. This name will appear on the certificate, and will be visible to remote users inspecting the certificate. This field is filled in automatically with the gateway's MAC address. If desired, you can change this to a more descriptive name. Valid Until Use the drop-down lists to specify the month, day, and year when this certificate should expire. Note: You must renew the certificate when it expires. Importing a Certificate To install a certificate 1. Click VPN in the main menu, and click the Certificate tab. The Certificate page appears. 2. Click Install Certificate. The Safe@Office Certificate Wizard opens, with the Certificate Wizard dialog box displayed. 3. Click Import a security certificate in PKCS#12 format.

Installing a Certificate 354 Check Point Safe@Office User Guide The Import Certificate dialog box appears. 4. Click Browse to open a file browser from which to locate and select the file. The filename that you selected is displayed. 5. Click Next. The Import-Certificate Passphrase dialog box appears. This may take a few moments. 6. Type the pass-phrase you received from the network security administrator.

Uninstalling a Certificate Chapter 12: Working With VPNs 355 7. Click Next. The Done dialog box appears, displaying the certificate's details. 8. Click Finish. The Safe@Office appliance installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes. The Certificates page displays the following information: • The gateway's certificate • The gateway's name • The gateway certificate's fingerprint • The CA's certificate • The name of the CA that issued the certificate • The CA certificate's fingerprint • The starting and ending dates between which the gateway's certificate and the CA's certificate are valid Uninstalling a Certificate If you uninstall the certificate, no certificate will exist on the Safe@Office appliance, and you will not be able to connect to the VPN if a certificate is required. You cannot uninstall the certificate if there is a VPN site currently defined to use certificate authentication. Note: If you want to replace a currently-installed certificate, there is no need to uninstall the certificate first. When you install the new certificate, the old certificate will be overwritten.

Viewing VPN Tunnels 356 Check Point Safe@Office User Guide To uninstall a certificate 1. Click VPN in the main menu, and click the Certificate tab. The Certificate page appears with the name of the currently installed certificate. 2. Click Uninstall. A confirmation message appears. 3. Click OK. The certificate is uninstalled. A success message appears. 4. Click OK. Viewing VPN Tunnels You can view a list of currently established VPN tunnels. VPN tunnels are created and closed as follows: • Remote Access VPN sites configured for Automatic Login and Site-to-Site VPN Gateways A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site. The tunnel is closed when not in use for a period of time. Note: Although the VPN tunnel is automatically closed, the site remains open, and if you attempt to communicate with the site, the tunnel will be reestablished. • Remote Access VPN sites configured for Manual Login A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site, after you have manually logged on to the site. All open tunnels connecting to the site are closed when you manually log off.

Viewing VPN Tunnels Chapter 12: Working With VPNs 357 To view VPN tunnels 1. Click Reports in the main menu, and click the VPN Tunnels tab. The VPN Tunnels page appears with a table of open tunnels to VPN sites. The VPN Tunnels page includes the information described in the table below. 2. To refresh the table, click Refresh. Table 72: VPN Tunnels Page Fields This field… Displays… Type The currently active security protocol (IPSEC). Source The IP address or address range of the entity from which the tunnel originates. The entity's type is indicated by an icon. See VPN Tunnel Icons on page 358.

Viewing VPN Tunnels 358 Check Point Safe@Office User Guide This field… Displays… Destination The IP address or address range of the entity to which the tunnel is connected. The entity's type is indicated by an icon. See VPN Tunnel Icons on page 358. Security The type of encryption used to secure the connection, and the type of Message Authentication Code (MAC) used to verify the integrity of the message. This information is presented in the following format: Encryption type/Authentication type Note: All VPN settings are automatically negotiated between the two sites. The encryption and authentication schemes used for the connection are the strongest of those used at the two sites. Your Safe@Office appliance supports AES, 3DES, and DES encryption schemes, and MD5 and SHA authentication schemes. Established The time at which the tunnel was established. This information is presented in the format hh:mm:ss, where: hh=hours mm=minutes ss=seconds Table 73: VPN Tunnels Icons This icon… Represents… This gateway

Viewing IKE Traces for VPN Connections Chapter 12: Working With VPNs 359 This icon… Represents… A network for which an IKE Phase-2 tunnel was negotiated A Remote Access VPN Server A Site-to-Site VPN Gateway A remote access VPN user Viewing IKE Traces for VPN Connections If you are experiencing VPN connection problems, you can save a trace of IKE (Internet Key Exchange) negotiations to a file, and then use the free IKE View tool to view the file. The IKE View tool is available for the Windows platform. Note: Before viewing IKE traces, it is recommended to do the following: • The Safe@Office appliance stores traces for all recent IKE negotiations. If you want to view only new IKE trace data, clear all IKE trace data currently stored on the Safe@Office appliance. • Close all existing VPN tunnels except for the problematic tunnel, so as to make it easier to locate the problematic tunnel's IKE negotiation trace in the exported file. To clear all currently-stored IKE traces 1. Click Reports in the main menu, and click the VPN Tunnels tab. The VPN Tunnels page appears with a table of open tunnels to VPN sites. 2. Click Clear IKE Trace. All IKE trace data currently stored on the Safe@Office appliance is cleared.

Viewing IKE Traces for VPN Connections 360 Check Point Safe@Office User Guide To view the IKE trace for a connection 1. Establish a VPN tunnel to the VPN site with which you are experiencing connection problems. For information on when and how VPN tunnels are established, see Viewing VPN Tunnels on page 356. 2. Click Reports in the main menu, and click the VPN Tunnels tab. The VPN Tunnels page appears with a table of open tunnels to VPN sites. 3. Click Save IKE Trace. A standard File Download dialog box appears. 4. Click Save. The Save As dialog box appears. 5. Browse to a destination directory of your choice. 6. Type a name for the *.elg file and click Save. The *.elg file is created and saved to the specified directory. This file contains the IKE traces of all currently-established VPN tunnels. 7. Use the IKE View tool to open and view the *.elg file, or send the file to technical support.

Changing Your Password Chapter 13: Managing Users 361 Chapter 13 This chapter describes how to manage Safe@Office appliance users. You can define multiple users, set their passwords, and assign them various permissions. This chapter includes the following topics: Changing Your Password.........................................................................361 Adding and Editing Users ........................................................................363 Adding Quick Guest HotSpot Users.........................................................367 Viewing and Deleting Users.....................................................................369 Setting Up Remote VPN Access for Users...............................................369 Using RADIUS Authentication................................................................370 Configuring the RADIUS Vendor-Specific Attribute ..............................374 Changing Your Password You can change your password at any time. To change your password 1. Click Users in the main menu, and click the Internal Users tab. Managing Users

Changing Your Password 362 Check Point Safe@Office User Guide The Internal Users page appears. 2. In the row of your username, click Edit. The Account Wizard opens displaying the Set User Details dialog box. 3. Edit the Password and Confirm password fields.

Adding and Editing Users Chapter 13: Managing Users 363 Note: Use 5 to 25 characters (letters or numbers) for the new password. 4. Click Next. The Set User Permissions dialog box appears. 5. Click Finish. Your changes are saved. Adding and Editing Users This procedure explains how to add and edit users. For information on quickly adding guest HotSpot users via a shortcut that the Safe@Office appliance provides, see Adding Quick Guest HotSpot Users on page 367. To add or edit a user 1. Click Users in the main menu, and click the Internal Users tab.

Adding and Editing Users 364 Check Point Safe@Office User Guide The Internal Users page appears. 2. Do one of the following: • To create a new user, click New User. • To edit an existing user, click Edit next to the desire user. The Account Wizard opens displaying the Set User Details dialog box. 3. Complete the fields using the information in Set User Details Fields on page 365. 4. Click Next.

Adding and Editing Users Chapter 13: Managing Users 365 The Set User Permissions dialog box appears. The options that appear on the page are dependant on the software and services you are using. 5. Complete the fields using the information in Set User Permissions Fields on page 366. 6. Click Finish. The user is saved. Table 74: Set User Details Fields In this field… Do this… Username Enter a username for the user. Password Enter a password for the user. Use five to 25 characters (letters or numbers) for the new password. Confirm Password Re-enter the user’s password.

Adding and Editing Users 366 Check Point Safe@Office User Guide In this field… Do this… Expires On To specify an expiration time for the user, select this option and specify the expiration date and time in the fields provided. When the user account expires, it is locked, and the user can no longer log on to the Safe@Office appliance. If you do not select this option, the user will not expire. Table 75: Set User Permissions Fields In this field... Do this... Administrator Level Select the user’s level of access to the Safe@Office Portal. The levels are: • No Access: The user cannot access the Safe@Office Portal. • Read/Write: The user can log on to the Safe@Office Portal and modify system settings. • Read Only: The user can log on to the Safe@Office Portal, but cannot modify system settings or export the appliance configuration via the Setup>Tools page. For example, you could assign this administrator level to technical support personnel who need to view the Event Log. The default level is No Access. The “admin” user’s Administrator Level (Read/Write) cannot be changed. VPN Remote Access Select this option to allow the user to connect to this Safe@Office appliance using their VPN client. For further information on setting up VPN remote access, see Setting Up Remote VPN Access for Users on page 369.

Adding Quick Guest HotSpot Users Chapter 13: Managing Users 367 Web Filtering Override Select this option to allow the user to override Web Filtering. This option only appears if the Web Filtering service is defined. This option cannot be changed for the “admin” user. HotSpot Access Select this option to allow the user to log on to the My HotSpot page. For information on Secure HotSpot, see Configuring Secure HotSpot on page 256. This option only appears in Safe@Office 500 with Power Pack. Adding Quick Guest HotSpot Users The Safe@Office appliance provides a shortcut for quickly adding a guest HotSpot user. This is useful in situations where you want to grant temporary network access to guests, for example in an Internet café. The shortcut also enables printing the guest user's details in one click. By default, the quick guest user has the following characteristics: • Username in the format guest<number>, where <number> is a unique three-digit number. For example: guest123 • Randomly generated password • Expires in 24 hours • Administration Level: No Access • Permissions: HotSpot Access only For information on configuring Secure HotSpot, see Using Secure HotSpot on page 256.

Adding Quick Guest HotSpot Users 368 Check Point Safe@Office User Guide To quickly create a guest user 1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears. 2. Click Quick Guest. The Account Wizard opens displaying the Save Quick Guest dialog box. 3. In the Expires field, click on the arrows to specify the expiration date and time. 4. To print the user details, click Print. 5. Click Finish. The guest user is saved. You can edit the guest user's details and permissions using the procedure Adding and Editing Users on page 363.

Viewing and Deleting Users Chapter 13: Managing Users 369 Viewing and Deleting Users Note: The “admin” user cannot be deleted. To view or delete users 1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears with a list of all users and their permissions. The expiration time of expired users appears in red. 2. To delete a user, do the following: a) In the desired user’s row, click the Erase icon. A confirmation message appears. b) Click OK. The user is deleted. 3. To delete all expired users, do the following: a) Click Clear Expired. A confirmation message appears. b) Click OK. The expired users are deleted. Setting Up Remote VPN Access for Users If you are using your Safe@Office appliance as a Remote Access VPN Server or as an internal VPN Server, you can allow users to access it remotely through their

Using RADIUS Authentication 370 Check Point Safe@Office User Guide Remote Access VPN Clients (a Check Point SecureClient, Check Point SecuRemote, or another Embedded NGX appliance). To set up remote VPN access for a user 1. Enable your VPN Server, using the procedure Setting Up Your Safe@Office Appliance as a VPN Server on page 307. 2. Add or edit the user, using the procedure Adding and Editing Users on page 363. You must select the VPN Remote Access option. Using RADIUS Authentication You can use Remote Authentication Dial-In User Service (RADIUS) to authenticate both Safe@Office appliance users and Remote Access VPN Clients trying to connect to the Safe@Office appliance. Note: When RADIUS authentication is in use, Remote Access VPN Clients must have a certificate. When a user tries to log on to the Safe@Office Portal, the Safe@Office appliance sends the entered user name and password to the RADIUS server. The server then checks whether the RADIUS database contains a matching user name and password pair. If so, then the user is logged on. By default, all RADIUS-authenticated users are assigned the set of permissions specified in the Safe@Office Portal's RADIUS page. However, you can configure the RADIUS server to pass the Safe@Office appliance a specific set of permissions to grant the authenticated user, instead of these default permissions. This is done by configuring the RADIUS Vendor-Specific Attribute (VSA) with a set of attributes containing permission information for specific users. If the VSA is configured for a user, then the RADIUS server passes the VSA to the Embedded NGX gateway as part of the response to the authentication request, and the gateway assigns the user permissions as specified in the VSA. If the VSA is not returned by the RADIUS

Using RADIUS Authentication Chapter 13: Managing Users 371 server for a specific user, the gateway will use the default permission set for this user. To use RADIUS authentication 1. Click Users in the main menu, and click the RADIUS tab. The RADIUS page appears. 2. Complete the fields using the table below. 3. Click Apply. 4. To restore the default RADIUS settings, do the following: a) Click Default.

Using RADIUS Authentication 372 Check Point Safe@Office User Guide A confirmation message appears. b) Click OK. The RADIUS settings are reset to their defaults. For information on the default values, refer to the table below. 5. To use the RADIUS VSA to assign permissions to users, configure the VSA. See Configuring the RADIUS Vendor-Specific Attribute on page 374. Table 76: RADIUS Page Fields In this field… Do this… Primary/Secondary RADIUS Server Configure the primary and secondary RADIUS servers. By default, the Safe@Office appliance sends a request to the primary RADIUS server first. If the primary RADIUS server does not respond after three attempts, the Safe@Office appliance will send the request to the secondary RADIUS server. Address Type the IP address of the computer that will run the RADIUS service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service. To clear the text box, click Clear. Port Type the port number on the RADIUS server’s host computer. The default port number is 1812. Shared Secret Type the shared secret to use for secure communication with the RADIUS server.

Using RADIUS Authentication Chapter 13: Managing Users 373 In this field… Do this… Realm If your organization uses RADIUS realms, type the realm to append to RADIUS requests. The realm will be appended to the username as follows: <username>@<realm> For example, if you set the realm to “myrealm”, and the user "JohnS" attempts to log on to the Safe@Office Portal, the Safe@Office appliance will send the RADIUS server an authentication request with the username “JohnS@myrealm”. This field is optional. Timeout Type the interval of time in seconds between attempts to communicate with the RADIUS server. The default value is 3 seconds. RADIUS User Permissions If the RADIUS VSA (Vendor-Specific Attribute) is configured for a user, the fields in this area will have no effect, and the user will be granted the permissions specified in the VSA. If the VSA is not configured for the user, the permissions configured in this area will be used. Administrator Level Select the level of access to the Safe@Office Portal to assign to all users authenticated by the RADIUS server. The levels are: • No Access: The user cannot access the Safe@Office Portal • Read/Write: The user can log on to the Safe@Office Portal and modify system settings. • Read Only: The user can log on to the Safe@Office Portal, but cannot modify system settings. The default level is No Access.

Configuring the RADIUS Vendor-Specific Attribute 374 Check Point Safe@Office User Guide In this field… Do this… Web Filtering Override Select this option to allow all users authenticated by the RADIUS server to override Web Filtering. This option only appears if the Web Filtering service is defined. HotSpot Access Select this option to allow the user to access the My HotSpot page. This option only appears in Safe@Office 500 with Power Pack. Configuring the RADIUS Vendor-Specific Attribute For detailed instructions and examples, refer to the "Configuring the RADIUS Vendor-Specific Attribute" white paper. To assign permissions to specific RADIUS-authenticated users 1. Create a remote access policy as follows: a) Assign the policy’s VSA (attribute 26) the SofaWare vendor code (6983). b) For each permission you want to grant, configure the relevant attribute of the VSA with the desired value, as described in the table below. For example, to assign the user VPN access permissions, set attribute number 2 to “true”. 2. Assign the policy to the desired user or user group.

Configuring the RADIUS Vendor-Specific Attribute Chapter 13: Managing Users 375 Table 77: VSA Syntax Permission Description Attribute Number Attribute Format Attribute Values Notes Admin Indicates the administrator’s level of access to the Embedded NGX Portal 1 String none. The user cannot access the Safe@Office Portal. readonly. The user can log on to the Safe@Office Portal, but cannot modify system settings. readwrite. The user can log on to the Safe@Office Portal and modify system settings. VPN Indicates whether the user can access the network from a Remote Access VPN Client. 2 String true. The user can remotely access the network via VPN. false. The user cannot remotely access the network via VPN. This permission is only relevant if the Safe@Office Remote Access VPN Server is enabled. The gateway must have a certificate.

Configuring the RADIUS Vendor-Specific Attribute 376 Check Point Safe@Office User Guide Permission Description Attribute Number Attribute Format Attribute Values Notes Hotspot Indicates whether the user can log on via the My HotSpot page. 3 String true. The user can access the Internet via My HotSpot. false. The user cannot access the Internet via My HotSpot. This permission is only relevant if the Secure HotSpot feature is enabled. UFP Indicates whether the user can override Web Filtering. 4 String true. The user can override Web Filtering. false. The user cannot override Web Filtering. This permission is only relevant if the Web Filtering service is enabled.

Viewing Firmware Status Chapter 14: Maintenance 377 Chapter 14 This chapter describes the tasks required for maintenance and diagnosis of your Safe@Office appliance. This chapter includes the following topics: Viewing Firmware Status.........................................................................377 Updating the Firmware.............................................................................379 Upgrading Your Software Product...........................................................381 Registering Your Safe@Office Appliance ...............................................385 Configuring Syslog Logging....................................................................386 Controlling the Appliance via the Command Line...................................388 Configuring HTTPS .................................................................................392 Configuring SSH......................................................................................394 Configuring SNMP...................................................................................396 Setting the Time on the Appliance ...........................................................399 Using Diagnostic Tools............................................................................403 Backing Up the Safe@Office Appliance Configuration...........................417 Resetting the Safe@Office Appliance to Defaults ...................................420 Running Diagnostics ................................................................................423 Rebooting the Safe@Office Appliance ....................................................424 Viewing Firmware Status The firmware is the software program embedded in the Safe@Office appliance. You can view your current firmware version and additional details. Maintenance

Viewing Firmware Status 378 Check Point Safe@Office User Guide To view the firmware status • Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. The Firmware page displays the following information: Table 78: Firmware Status Fields This field… Displays… For example… WAN MAC Address The MAC address used for the Internet connection 00:80:11:22:33:44 Firmware Version The current version of the firmware 6.0 Installed Product The licensed software and the number of allowed nodes Safe@Office 500 unlimited nodes

Updating the Firmware Chapter 14: Maintenance 379 This field… Displays… For example… Uptime The time that elapsed from the moment the unit was turned on 01:21:15 Hardware Type The type of the current Safe@Office appliance hardware Sbox-500 Hardware Version The current hardware version of the Safe@Office appliance 1.0 Updating the Firmware If you are subscribed to Software Updates, firmware updates are performed automatically. These updates include new product features and protection against new security threats. Check with your reseller for the availability of Software Updates and other services. For information on subscribing to services, see Connecting to a Service Center on page 281. If you are not subscribed to the Software Updates service, you must update your firmware manually. To update your Safe@Office firmware manually 1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. 2. Click Firmware Update.

Updating the Firmware 380 Check Point Safe@Office User Guide The Firmware Update page appears. 3. Click Browse. A browse window appears. 4. Select the image file and click Open. The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box. 5. Click Upload. Your Safe@Office appliance firmware is updated. Updating may take a few minutes, during which time the PWR/SEC LED may start flashing red or orange. Do not power off the appliance. At the end of the process the Safe@Office appliance restarts automatically.

Upgrading Your Software Product Chapter 14: Maintenance 381 Upgrading Your Software Product You can upgrade your Safe@Office 500 appliance by adding the Safe@Office 500 Power Pack. After purchasing the Power Pack, you will receive a new Product Key that enables you to use the Power Pack on the same Safe@Office appliance you have today. There is no need to replace your hardware. You can also purchase node upgrades, as needed. Note: To purchase the Power Pack or node upgrades, contact your Safe@Office appliance provider. To upgrade your product, you must install the new Product Key. To install a Product Key 1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. 2. Click Upgrade Product.

Upgrading Your Software Product 382 Check Point Safe@Office User Guide The Safe@Office Licensing Wizard opens, with the Install Product Key dialog box displayed. 3. Click Enter a different Product Key. 4. In the Product Key field, enter the new Product Key. 5. Click Next. The Installed New Product Key dialog box appears. 6. Click Next.

Upgrading Your Software Product Chapter 14: Maintenance 383 The first Registration dialog box appears. 7. Do one of the following: • To register your Safe@Office appliance later on, clear the I want to register my product check box and then click Next. • To register your Safe@Office appliance now, do the following: 1) Click Next.

Upgrading Your Software Product 384 Check Point Safe@Office User Guide A second Registration dialog box appears. 2) Enter your contact information in the appropriate fields. 3) To receive email notifications regarding new firmware versions and services, select the check box. 4) Click Next. The Registration… screen appears. The third Registration dialog box appears.

Registering Your Safe@Office Appliance Chapter 14: Maintenance 385 8. Click Finish. Your Safe@Office appliance is restarted and the Welcome page appears. Registering Your Safe@Office Appliance If you want to activate your warranty and optionally receive notifications of new firmware versions and services, you must register your Safe@Office appliance. Privacy Statement: Check Point is committed to protecting your privacy. We use the information we collect about you to process orders and to improve our ability to serve your needs. We will under no circumstances sell, lease, or otherwise disclose any of your personal or contact details without your explicit permission. To register your Safe@Office appliance 1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. 2. Click Upgrade Product. The Safe@Office Licensing Wizard opens, with the Install Product Key dialog box displayed. 3. Select Keep these settings. 4. Click Next. The first Registration dialog box appears. 5. Verify that the I want to register my product check box is selected. 6. Click Next. A second Registration dialog box appears. 7. Enter your contact information in the appropriate fields. 8. To receive email notifications regarding new firmware versions and services, select the check box.

Configuring Syslog Logging 386 Check Point Safe@Office User Guide 9. Click Next. The Registration… screen appears. The third Registration dialog box appears. 10. Click Finish. Your Safe@Office appliance is restarted and the Welcome page appears. Configuring Syslog Logging You can configure the Safe@Office appliance to send event logs to a Syslog server residing in your internal network or on the Internet. The logs detail the date and the time each event occurred. If the event is a communication attempt that was rejected by the firewall, the event details include the source and destination IP address, the destination port, and the protocol used for the communication attempt (for example, TCP or UDP). This same information is also available in the Event Log page (see Viewing the Event Log on page 187). However, while the Event Log can display hundreds of logs, a Syslog server can store an unlimited number of logs. Furthermore, Syslog servers can provide useful tools for managing your logs. Note: Kiwi Syslog Daemon is freeware and can be downloaded from http://www.kiwisyslog.com. For technical support, contact Kiwi Enterprises. To configure Syslog logging 1. Click Setup in the main menu, and click the Logging tab.

Configuring Syslog Logging Chapter 14: Maintenance 387 The Logging page appears. 2. Complete the fields using the information in the table below. 3. Click Apply. Table 79: Logging Page Fields In this field… Do this… Syslog Server Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service. Clear Click to clear the Syslog Server field. Syslog Port Type the port number of the Syslog server. Default Click to reset the Syslog Port field to the default (port 514 UDP).

Controlling the Appliance via the Command Line 388 Check Point Safe@Office User Guide Controlling the Appliance via the Command Line Depending on your Safe@Office model, you can control your appliance via the command line in the following ways: • Using the Safe@Office Portal's command line interface. See Using the Safe@Office Portal on page 388. • Using a console connected to the Safe@Office appliance. For information, see Using the Serial Console on page 390. • Using an SSH client. See Configuring SSH on page 394. Using the Safe@Office Portal You can control your appliance via the Safe@Office Portal's command line interface. To control the appliance via the Safe@Office Portal 1. Click Setup in the main menu, and click the Tools tab.

Controlling the Appliance via the Command Line Chapter 14: Maintenance 389 The Tools page appears. 2. Click Command. The Command Line page appears.

Controlling the Appliance via the Command Line 390 Check Point Safe@Office User Guide 3. In the upper field, type a command. You can view a list of supported commands using the command help. For information on all commands, refer to the Embedded NGX CLI Reference Guide. 4. Click Go. The command is implemented. Using the Serial Console You can connect a console to the Safe@Office appliance, and use the console to control the appliance via the command line. Note: Your terminal emulation software must be set to 57600 bps, N-8-1. To control the appliance via a console 1. Connect the serial console to your Safe@Office appliance's serial port, using an RS-232 Null modem cable. For information on locating the serial port, see Rear Panel. 2. Click Network in the main menu, and click the Ports tab.

Controlling the Appliance via the Command Line Chapter 14: Maintenance 391 The Ports page appears. 3. In the RS232 drop-down list, select Console. 4. Click Apply. You can now control the Safe@Office appliance from the serial console. For information on all supported commands, refer to the Embedded NGX CLI Reference Guide.

Configuring HTTPS 392 Check Point Safe@Office User Guide Configuring HTTPS You can enable Safe@Office appliance users to access the Safe@Office Portal from the Internet. To do so, you must first configure HTTPS. To configure HTTPS 1. Click Setup in the main menu, and click the Management tab. The Management page appears. 2. Specify from where HTTPS access to the Safe@Office Portal should be granted. See Access Options on page 393 for information. Warning: If remote HTTPS is enabled, your Safe@Office appliance settings can be changed remotely, so it is especially important to make sure all Safe@Office appliance users’ passwords are difficult to guess.

Configuring HTTPS Chapter 14: Maintenance 393 Note: You can use HTTPS to access the Safe@Office Portal from your internal network, by surfing to https://my.firewall. If you selected IP Address Range, additional fields appear. 3. If you selected IP Address Range, enter the desired IP address range in the fields provided. 4. Click Apply. The HTTPS configuration is saved. If you configured remote HTTPS, you can now access the Safe@Office Portal through the Internet, using the procedure Accessing the Safe@Office Portal Remotely on page 44. Table 80: Access Options Select this option… To allow access from… Internal Network The internal network only. This disables remote access capability.

Configuring SSH 394 Check Point Safe@Office User Guide Select this option… To allow access from… Internal Network and VPN The internal network and your VPN. IP Address Range A particular range of IP addresses. Additional fields appear, in which you can enter the desired IP address range. ANY Any IP address. Disabled Nowhere. This completely disables access. This option is only available for SNMP. Configuring SSH Safe@Office appliance users can control the appliance via the command line, using the SSH (Secure Shell) management protocol. You can enable users to do so via the Internet, by configuring remote SSH access. You can also integrate the Safe@Office appliance with SSH-based management systems. Note: The Safe@Office appliance supports SSHv2 clients only. The SSHv1 protocol contains security vulnerabilities and is not supported. To configure SSH 1. Click Setup in the main menu, and click the Management tab. The Management page appears. 2. Specify from where SSH access should be granted.

Configuring SSH Chapter 14: Maintenance 395 See Access Options on page 393 for information. Warning: If remote SSH is enabled, your Safe@Office appliance settings can be changed remotely, so it is especially important to make sure all Safe@Office appliance users’ passwords are difficult to guess. If you selected IP Address Range, additional fields appear. 3. If you selected IP Address Range, enter the desired IP address range in the fields provided. 4. Click Apply. The SSH configuration is saved. If you configured remote SSH access, you can now control the Safe@Office appliance from the Internet, using an SSHv2 client. For information on all supported commands, refer to the Embedded NGX CLI Reference Guide.

Configuring SNMP 396 Check Point Safe@Office User Guide Configuring SNMP The Safe@Office appliance users can monitor the Safe@Office appliance, using tools that support SNMP (Simple Network Management Protocol). You can enable users can do so via the Internet, by configuring remote SNMP access. The Safe@Office appliance supports the following SNMP MIBs: • SNMPv2-MIB • RFC1213-MIB • IF-MIB • IP-MIB All SNMP access is read-only. To configure SNMP 1. Click Setup in the main menu, and click the Management tab. The Management page appears. 2. Specify from where SNMP access should be granted. See Access Options on page 393 for information. If you selected IP Address Range, additional fields appear.

Configuring SNMP Chapter 14: Maintenance 397 The Community field and the Advanced link are enabled. 3. If you selected IP Address Range, enter the desired IP address range in the fields provided. 4. In the Community field, type the name of the SNMP community string. SNMP clients uses the SNMP community string as a password, when connecting to the Safe@Office appliance. The default value is "public". It is recommended to change this string. 5. To configure advanced SNMP settings, click Advanced.

Configuring SNMP 398 Check Point Safe@Office User Guide The SNMP Configuration page appears. 6. Complete the fields using the table below. 7. Click Apply. The SNMP configuration is saved. 8. Configure the SNMP clients with the SNMP community string. Table 81: Advanced SNMP Settings In this field... Do this… System Location Type a description of the appliance's location. This information will be visible to SNMP clients, and is useful for administrative purposes. System Contact Type the name of the contact person. This information will be visible to SNMP clients, and is useful for administrative purposes.

Setting the Time on the Appliance Chapter 14: Maintenance 399 In this field... Do this… SNMP Port Type the port to use for SNMP. The default port is 161. Setting the Time on the Appliance You set the time displayed in the Safe@Office Portal during initial appliance setup. If desired, you can change the date and time using the procedure below. To set the time 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Set Time. The Safe@Office Set Time Wizard opens displaying the Set the Safe@Office Time dialog box.

Setting the Time on the Appliance 400 Check Point Safe@Office User Guide 3. Complete the fields using the information in Set Time Wizard Fields on page 402. 4. Click Next. The following things happen in the order below: • If you selected Specify date and time, the Specify Date and Time dialog box appears. Set the date, time, and time zone in the fields provided, then click Next.

Setting the Time on the Appliance Chapter 14: Maintenance 401 • If you selected Use a Time Server, the Time Servers dialog box appears. Complete the fields using the information in Time Servers Fields on page 402, then click Next. • The Date and Time Updated screen appears. 5. Click Finish.

Setting the Time on the Appliance 402 Check Point Safe@Office User Guide Table 82: Set Time Wizard Fields Select this option… To do the following… Your computer's clock Set the appliance time to your computer’s system time. Your computer’s system time is displayed to the right of this option. Keep the current time Do not change the appliance’s time. The current appliance time is displayed to the right of this option. Use a Time Server Synchronize the appliance time with a Network Time Protocol (NTP) server. Specify date and time Set the appliance to a specific date and time. Table 83: Time Servers Fields In this field… Do this… Primary Server Type the IP address of the Primary NTP server. Secondary Server Type the IP address of the Secondary NTP server. This field is optional. Clear Clear the field. Select your time zone Select the time zone in which you are located.

Using Diagnostic Tools Chapter 14: Maintenance 403 Using Diagnostic Tools The Safe@Office appliance is equipped with a set of diagnostic tools that are useful for troubleshooting Internet connectivity. Table 84: Diagnostic Tools Use this tool… To do this… For information, see... Ping Check that a specific IP address or DNS name can be reached via the Internet. Using IP Tools on page 404 Traceroute Display a list of all routers used to connect from the Safe@Office appliance to a specific IP address or DNS name. Using IP Tools on page 404 WHOIS Display the name and contact information of the entity to which a specific IP address or DNS name is registered. This information is useful in tracking down hackers. Using IP Tools on page 404 Packet Sniffer Capture network traffic. This information is useful troubleshooting network problems. Using Packet Sniffer on page 406

Using Diagnostic Tools 404 Check Point Safe@Office User Guide Using IP Tools To use an IP tool 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. In the IP Tools drop-down list, select the desired tool. 3. In the Address field, type the IP address or DNS name for which to run the tool. 4. Click Go. • If you selected Ping, the following things happen: The Safe@Office appliance sends packets to the specified the IP address or DNS name. The IP Tools window opens and displays the percentage of packet loss and the amount of time it each packet took to reach the specified host and return (round-trip) in milliseconds. • If you selected Traceroute, the following things happen: The Safe@Office appliance connects to the specified IP address or DNS name.

Using Diagnostic Tools Chapter 14: Maintenance 405 The IP Tools window opens and displays a list of routers used to make the connection. • If you selected WHOIS, the following things happen: The Safe@Office appliance queries the Internet WHOIS server. A window displays the name of the entity to which the IP address or DNS name is registered and their contact information.

Using Diagnostic Tools 406 Check Point Safe@Office User Guide Using Packet Sniffer The Safe@Office appliance includes the Packet Sniffer tool, which enables you to capture packets from any internal network or Safe@Office port. This is useful for troubleshooting network problems and for collecting data about network behavior. The Safe@Office appliance saves the captured packets to a file on your computer. You can use a free protocol analyzer, such as Ethereal, to analyze the file, or you can send it to technical support. Ethereal runs on all popular computing platforms and can be downloaded from http://www.ethereal.com. To use Packet Sniffer 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Sniffer. The Packet Sniffer window opens. 3. Complete the fields using the information in the table below. 4. Click Start.

Using Diagnostic Tools Chapter 14: Maintenance 407 The Packet Sniffer window displays the name of the interface, the number of packets collected, and the percentage of storage space remaining on the appliance for storing the packets. 5. Click Stop to stop collecting packets. A standard File Download dialog box appears. 6. Click Save. The Save As dialog box appears. 7. Browse to a destination directory of your choice. 8. Type a name for the configuration file and click Save. The *.cap file is created and saved to the specified directory. 9. Click Cancel to close the Packet Sniffer window.

Using Diagnostic Tools 408 Check Point Safe@Office User Guide Table 85: Packet Sniffer Fields In this field… Do this… Interface Select the interface from which to collect packets. The list includes the primary Internet connection, the Safe@Office appliance ports, and all defined networks. Filter String Type the filter string to use for filtering the captured packets. Only packets that match the filter condition will be saved. For a list of basic filter strings elements, see Filter String Syntax on page 409. For detailed information on filter syntax, go to http://www.tcpdump.org/tcpdump_man.html. Note: Do not enclose the filter string in quotation marks. If you do not specify a filter string, Packet Sniffer will save all packets on the selected interface. Capture only traffic to/from this gateway Select this option to capture incoming and outgoing packets for this gateway only. If this option is not selected, Packet Sniffer will collect packets for all traffic on the interface.

Using Diagnostic Tools Chapter 14: Maintenance 409 Filter String Syntax The following represents a list of basic filter string elements: • and on page 409 • dst on page 410 • dst port on page 410 • ether proto on page 411 • host on page 412 • not on page 412 • or on page 413 • port on page 413 • src on page 414 • src port on page 414 • tcp on page 415 • udp on page 416 For detailed information on filter syntax, refer to http://www.tcpdump.org. and PURPOSE The and element is used to concatenate filter string elements. The filtered packets must match all concatenated filter string elements. SYNTAX element and element [and element...] element && element [&& element...]

Using Diagnostic Tools 410 Check Point Safe@Office User Guide PARAMETERS element String. A filter string element. EXAMPLE The following filter string saves packets that both originate from IP address is 192.168.10.1 and are destined for port 80: src 192.168.10.1 and dst port 80 dst PURPOSE The dst element captures all packets with a specific destination. SYNTAX dst destination PARAMETERS destination IP Address or String. The computer to which the packet is sent. This can be the following: • An IP address • A host name EXAMPLE The following filter string saves packets that are destined for the IP address 192.168.10.1: dst 192.168.10.1 dst port PURPOSE The dst port element captures all packets destined for a specific port. SYNTAX dst port port

$Using Diagnostic Tools Chapter 14: Maintenance 411 Note: This element can be prepended by tcp or udp. For information, see tcp on page 415 and udp on page 416. PARAMETERS port Integer. The port to which the packet is sent. EXAMPLE The following filter string saves packets that are destined for port 80: dst port 80 ether proto PURPOSE The ether proto element is used to capture packets of a specific ether protocol type. SYNTAX ether proto \protocol PARAMETERS protocol String. The protocol type of the packet. This can be the following: ip, ip6, arp, rarp, atalk, aarp, dec net, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui. EXAMPLE The following filter string saves ARP packets: ether proto arp$