
12 September 2011

Administration Guide

Security Gateway 80

R71.45


© 2011 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.

Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.


Important Information

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12228

For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History

Date              Description
12 September 2011 First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Security Gateway 80 R71.45 Administration Guide).


Contents

Important Information .... 3
Introduction .... 8
  Welcome .... 8
  Security Gateway 80 Overview .... 8
Installation and Deployment .... 9
  Prerequisites .... 9
  Step 1: Defining the Security Gateway 80 Object in SmartDashboard .... 9
    Defining a Single Gateway Object .... 9
  Step 2: Preparing to Install the Security Policy .... 14
    Viewing the Policy Installation Status .... 16
  Defining a SmartLSM Profile .... 19
  Deploying with SmartProvisioning .... 20
  Deploying from a USB Drive .... 20
    Sample Configuration File .... 20
    Preparing the Configuration Files .... 20
    Deploying the Configuration File - Initial Configuration .... 20
    Deploying the Configuration File - Existing Configuration .... 21
    Viewing Configuration Logs .... 22
    Troubleshooting Configuration Files .... 22
    Using the set property Command .... 23
Cluster Configuration .... 24
  Security Gateway 80 Clusters .... 24
  Creating a Cluster for New Gateways .... 25
    Configuring the Security Gateway 80 Appliances .... 25
    Configuring the Cluster Object Using SmartDashboard .... 26
  Converting an Existing Security Gateway 80 to a Cluster .... 29
    Configure the New Appliance .... 29
    Create and Configure a Cluster in SmartDashboard .... 30
    Reconfigure the Existing Security Gateway 80 .... 30
    Configure the Cluster in SmartDashboard .... 30
  Viewing Cluster Status in the WebUI .... 31
Appliance Configuration .... 32
  Introduction to the WebUI Application .... 33
  The Overview Page .... 33
  The Management Server Page .... 33
  Networking .... 35
    Internet Settings .... 35
    Internet Configuration .... 35
    Internet Connection High Availability .... 37
    Local Network .... 37
    Switch Mode Configuration .... 40
    Bridge Mode Configuration .... 40
    Routing .... 41
    DNS .... 44
    Automatic Topology .... 45
  Implied Rules for Security Gateway 80 .... 46
  Administration .... 47
    Backup and Restore .... 47
    Upgrade .... 49
    Factory Defaults .... 50
    Administrators .... 51
    Administrator Access .... 52


    Licensing .... 54
  Security .... 55
    Integrated Anti-Virus Protection .... 55
    URL Filtering .... 55
    Messaging Security .... 56
  Diagnostics .... 57
    Tools .... 57
    Traffic Logs .... 58
    System Logs .... 58
  CLI Reference .... 59
    Using Command Line Interface .... 59
    Supported Linux Commands .... 60
    add admin access .... 60
    add host .... 61
    add interface .... 61
    add ntp .... 61
    add snmp .... 62
    add switch .... 63
    add user .... 63
    backup settings .... 63
    cphaprob .... 64
    cphastop .... 66
    cpinfo .... 66
    cpshell .... 67
    cpstart .... 67
    cpstat .... 67
    cpstop .... 69
    cpwd_admin .... 69
    cpwd_admin config .... 70
    cpwd_admin start|stop .... 71
    delete admin access .... 72
    delete ICMP server .... 72
    delete dhcp .... 72
    delete dns .... 73
    delete domainname .... 73
    delete host .... 74
    delete interface .... 74
    delete ntp .... 75
    delete proxy .... 75
    delete snmp .... 75
    delete switch .... 76
    delete user .... 76
    dynamic objects .... 77
    exit .... 77
    fetch certificate .... 78
    fetch license .... 78
    fetch policy .... 78
    fw Commands .... 79
    reboot .... 80
    restore default-settings .... 80
    restore settings .... 80
    revert to factory defaults .... 81
    revert to saved image .... 81
    set admin access .... 81
    set date .... 82
    set dhcp server .... 82
    set dhcp relay .... 90
    set dns .... 90
    set dnsproxy .... 91


    set dns mode .... 91
    set domainname .... 91
    set expert password .... 92
    set ha internet primary .... 92
    set host .... 92
    set hostname .... 93
    set inactivity-timeout .... 93
    set interface .... 93
    set static-route .... 101
    set proxy .... 105
    set sic_init .... 106
    set snmp .... 106
    set time .... 111
    set time-zone .... 111
    set user .... 112
    set user-lock .... 113
    shell/expert .... 114
    show admin access .... 114
    show backup settings .... 115
    show clock .... 115
    show commands .... 115
    show date .... 116
    show dhcp .... 116
    show dns .... 117
    show domainname .... 118
    show ha internet .... 118
    show host .... 118
    show hostname .... 119
    show icmp servers .... 119
    show inactivity-timeout .... 119
    show interface .... 120
    show interfaces .... 120
    show license .... 120
    show logs .... 121
    show memory usage .... 121
    show ntp .... 121
    show proxy .... 122
    show restore settings log .... 122
    show revert log .... 123
    show route .... 123
    show rule hits .... 123
    show saved image .... 124
    show snmp .... 124
    show software version .... 125
    show time .... 126
    show timezone .... 126
    show timezone-dst .... 126
    show upgrade log .... 127
    show user .... 127
    show user-lock .... 127
    show vpn tunnel .... 128
    upgrade from usb|tftp server .... 128
    vpn .... 129
  Advanced Configuration .... 131
    Upgrade Using a USB Drive .... 131
    Boot Loader .... 132
    Upgrade Using Boot Loader .... 132
    Restore Factory Defaults from the Boot Loader Menu .... 133
    Front Panel .... 134


    Back Panel .... 135
  Remote Access VPN .... 135
Index .... 137


Chapter 1

Introduction

Make sure to review the version’s release notes (http://supportcenter.checkpoint.com) and the Security Gateway 80 Getting Started Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10833) before performing the procedures in this guide.

In This Chapter

Welcome 8

Security Gateway 80 Overview 8

Welcome

Thank you for choosing Check Point’s Security Gateway 80. We hope that you will be satisfied with this system and our support services. Check Point products provide your business with the most up-to-date and secure solutions available today.

Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment.

For additional information on the Internet Security Product Suite and other security solutions, refer to the Check Point Web site (http://www.checkpoint.com), or call Check Point at 1(800) 429-4391. For additional technical information about Check Point products, consult the Check Point Support Center (http://supportcenter.checkpoint.com).

Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.

Security Gateway 80 Overview

Check Point's Security Gateway 80 delivers integrated unified threat management to protect your organization from today's emerging threats. Based on proven Check Point security technologies such as Stateful Inspection, Application Intelligence, and SMART (Security Management Architecture), Security Gateway 80 provides simplified deployment while delivering uncompromising levels of security.

Security Gateway 80 supports the Check Point Software Blade architecture, providing independent, modular and centrally managed security building blocks. Software Blades can be quickly enabled and configured into a solution based on specific security needs.


Chapter 2

Installation and Deployment

You can deploy a configuration to individual Security Gateway 80s from SmartDashboard by managing a gateway object or a SmartLSM profile. To configure a large number of Security Gateway 80s (massive deployment), use SmartProvisioning or a configuration file stored on a USB drive.

To install your Security Gateway 80 appliance, follow the instructions described in the Security Gateway 80 Getting Started Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10833).

In This Chapter

Prerequisites 9

Step 1: Defining the Security Gateway 80 Object in SmartDashboard 9

Step 2: Preparing to Install the Security Policy 14

Defining a SmartLSM Profile 19

Deploying with SmartProvisioning 20

Deploying from a USB Drive 20

Prerequisites

To manage the Security Gateway 80 appliance, you must install a Security Management Server and SmartConsole clients that operate with Security Gateway 80.

These Security Management Server versions operate with Security Gateway 80:

For R70 – version R70.40 and higher

For R71 – version R71.20 and higher

R75 and higher versions

Note - Currently the new Security Gateway 80 R71.45 features that require central management (Large Scale Management and Provisioning) are only supported with Security Management Server version R71.45. These features will also be supported with R75 Security Management Server in the near future.

For installation instructions, see the version’s release notes (http://supportcenter.checkpoint.com).

Step 1: Defining the Security Gateway 80 Object in SmartDashboard

SmartDashboard allows you to define two types of Security Gateway 80 objects: gateways and SmartLSM profiles. Managing these objects in SmartDashboard allows you to provision network settings such as DNS, Internet connections and routing. You can use a SmartLSM profile to manage a large number of Security Gateway 80 gateways.

Defining a Single Gateway Object

You can use the SmartDashboard creation wizard to define a Security Gateway 80 object before or after the appliance is configured on site. There are two options for defining a gateway object:


Management First - Where you define the gateway object in SmartDashboard before you configure and set up the actual appliance on site. This is commonly used for remotely deployed appliances or appliances that connect to the Security Management Server with a dynamic IP (e.g. assigned by a DHCP server or an ISP), as the IP is not known at the time of the configuration of the object in SmartDashboard. You can prepare a policy that the appliance will fetch when it is configured.

Gateway First – Where you configure and set up the Security Gateway 80 appliance first. It will then try to communicate with the Security Management Server (if this is configured) at 1 hour intervals. If connectivity with the gateway is possible during object creation in SmartDashboard, the wizard can retrieve data from the gateway (such as topology), and then help in configuration.

To define a single gateway object:

1. Log in to SmartDashboard using your Security Management credentials.

2. From the Network Objects tree, right click Check Point and select Security Gateway. The Check Point Security Gateway Creation window opens.

3. Select Wizard Mode. The wizard opens to General Properties.

4. Type a name for the Security Gateway 80 object and make sure that the gateway platform is set to CPSG 80 series.

5. Select one of the following options for getting the gateway's IP address:

Static IP address - enter the IP address of the appliance. Note that if the Security Gateway 80 appliance has not yet been set up and defined, the Resolve from Name option does not work at this point.

Dynamic IP address (e.g. assigned by DHCP server)

Click Next. The Trusted Communication window opens.

6. If you specified a static IP address, the Authentication and Trusted Communication sections are shown (if you specified a dynamic IP address, go to step 7).

a) In the Authentication section, select one of the options:

Initiate trusted communication securely by using a one-time password - the one-time password is used to authenticate communication between the Security Gateway and the Security Management server in a secure manner. Enter a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates.

Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.

Initiate trusted communication without authentication (less secure) - select this option only if you are sure that there is no risk of impersonation (for example, in a lab setting).


b) In the Trusted Communication section, select one of the initialization options:

Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time - trust is established when the Gateway connects for the first time.

Initiate trusted communication now and click Connect. A status window appears. Use this option only if you have already set up the appliance.

The Trust state field displays the current trust status.

Click Next and go to step 8.

7. If you specified a dynamic IP address, the Gateway Identifier and Authentication sections are shown.

a) Select one of the identifiers:

Gateway name – enter the same name that you will give the appliance during its initial configuration.

MAC address – enter the MAC address that is on the sticker on the appliance or on the box.

First to connect – means that this Gateway will be the first appliance to connect.

Note - For your convenience, if the gateway name matches, the Security Management Server will identify the gateway regardless of its MAC address.

b) In the Authentication section, select one of the options:

Initiate trusted communication securely by using a one-time password - the one-time password is used to authenticate communication between the Security Gateway and the Security Management server in a secure manner. Enter a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates.

Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.

Initiate trusted communication without authentication (less secure) - select this option only if you are sure that there is no risk of imposture (for example, when in a lab setting).


Click Next.

8. In the Blade Activation window, select the security and software blades that you want to activate and configure.

To configure blades now:

a) Make sure that the Activate and configure software blades now option is selected.

b) Select the check boxes next to the blades you want to activate and configure.

To configure blades later:

Select the Activate and configure software blades later option. Do this later by editing the object from the Network Objects tree.

Click Next.

9. If you selected to activate and configure software blades now, configure the required options:

For NAT, the Hide internal networks behind the Gateway’s external IP check box is selected by default. Clear it, if you do not want to use this feature.

For IPSec VPN: Make sure that the VPN community has been predefined. If it is a star community, Security Gateway 80 is added as a satellite gateway.


Select a VPN community that the Gateway participates in from the Participate in a site to site community list.

For IPS:

Select a profile from the Assign IPS Profile list or click Manage to create/edit an IPS profile.

For URL Filtering, Anti-Spam and Email Security, Anti-Virus and Anti-Malware, there are no other settings to configure.

Click Next.

10. If you selected IPSEC VPN, configure VPN Encryption Domain settings.

To hide the VPN domain, select Hide VPN domain behind this gateway's external IP.

The VPN domain contains network objects behind this gateway. Instead of defining the network topology behind this gateway, it is possible to use this option, which sets the VPN domain to be this gateway’s external IP address. This option is only applicable if you chose to hide all internal networks behind this gateway’s external IP (see gateway’s NAT settings). All outgoing traffic from networks behind this gateway to other sites that participate in VPN community will be encrypted (including replies, of course).

Note - If you choose this option, connections that are initiated from other sites that are directed to hosts behind this gateway will not be encrypted. If you require access to hosts behind this gateway, either choose other options (define VPN topology) or, if possible, make sure all traffic from other sites is directed to this gateway’s external IP and define corresponding NAT port-forwarding rules, such as: Translate the destination of incoming HTTP connections that are directed to this gateway’s external IP to the IP address of a web server behind this gateway.

To create a new VPN domain group, go to step 11.

To select a predefined VPN domain, go to step 12.

11. To create a new VPN domain group:

a) Make sure that the Create a new VPN domain option is selected.

b) In the Name field, enter a name for the group.

c) From the Available objects list, select the applicable object(s) and click . The objects are added to the VPN domain members list.

d) If necessary, create a new object by pressing New.

12. To select a predefined VPN domain:


a) Choose the Select an existing VPN domain option.

b) From the VPN Domain list, select the domain.

Click Next.

13. In the Installation Wizard Completion window, you can view a summary of the configuration parameters you set and can perform further actions.

Select Edit Gateway properties for further configuration if you want to continue configuring the Security Gateway. When you click Finish, the General Properties window of the newly defined object opens.

Click Finish.

Step 2: Preparing to Install the Security Policy

This step lets you prepare the policy for automatic installation once the gateway connects.


Note - If Security Gateway 80 has been physically set up and configured, upon successful completion of this step, the policy will be pushed to the gateway. For a list of possible statuses, see Viewing the Policy Installation Status (on page 16).

When you use the "Management First" installation path, at the end of the Install Policy process, the policy's status for a Security Gateway 80 that has not yet been set up is "waiting for first connection". This implies that trusted communication has not yet been established between the Security Management server and the Security Gateway 80. Once the gateway connects, it establishes trust and attempts to install the policy automatically.

1. Click Policy > Install from the SmartDashboard menu.

2. In the Install Policy window, choose the installation targets — the Security Gateway 80 Security Gateways on which the policy should be installed and the policy components (Network Security, QoS, etc.).

By default, all gateways that are managed by the Security Management server are available for selection.

3. In the Installation Mode section, select how the security policy should be installed:

On each selected gateway independently

On all selected gateways, if it fails do not install on gateways of the same version

Note - If the gateway is part of a VPN community, the policy should be installed on other members of the community in order to establish a VPN tunnel between them. In a star community, policy installation is required only on the center gateways of the community.

4. Click OK. The Installation Process window displays the status of the Network Security policy for the selected target.

Important - If the Security Gateway 80 object is defined but the appliance is not set up and it is in the "Waiting for first connection" status, you will see a message that says "Installation completed successfully". This means that the policy is successfully prepared for installation.

5. Continue tracking the status of the security policy installation with the Policy Installation Status window and the status bar ("Viewing the Policy Installation Status" on page 16).

Note - When you use the "Gateway First" installation path, trust is already established in Step 1: Defining the Security Gateway 80 Object in SmartDashboard. In this case, the policy will be pushed to the gateway from the Security Management Server and you won't see a "Waiting for first connection" message.


Important - Once trust has been established with a gateway, policy installation behaves as before even if the gateway later loses connectivity for some reason (Internet connection issues, or a change of IP in the case of a DAIP appliance that is not updated in the Security Management Server): an "installation completed successfully" message is shown, meaning that the policy has been successfully prepared, even if it was not yet installed on the gateway and is pending a connection from the gateway.

Viewing the Policy Installation Status

You can view policy installation status in SmartDashboard with the:

Status bar

Status popup notification balloon

Policy Installation Status window

SmartDashboard Status Bar

You can view the installation status of managed gateways via the status bar that appears at the bottom of the SmartDashboard window. The status bar shows how many gateways are in Pending or Failed mode.

Pending - gateways that are either in the waiting for first connection status or are in the pending status (see below for detailed explanations).

Failed - gateways that have failed to install the policy. If there are no failures, that is shown.

The status bar is updated dynamically each time a gateway attempts to install a policy or attempts to connect to the Security Management server.

SmartDashboard Status Popup Notification Balloons

The result of gateway attempts to install a policy or connect to the Security Management Server also appear in SmartDashboard popup notification balloons that appear upon the occurrence of such events. For example:

Trusted Communication (SIC) establishment from the gateway (when using the "Management First" installation path).


Policy installation fetch from the gateway (as the Security Gateway 80 can periodically attempt to fetch the policy from its Security Management Server which is useful in DAIP appliances).

SIC attempts from an unknown gateway/host. This may indicate incorrect configuration (for example, configuring a gateway first and attempting to connect to a Security Management Server before creating the gateway object in SmartDashboard).

Click Settings in a balloon to configure the display and occurrence settings of the balloons.

SmartDashboard Policy Installation Status Window

To track the status of the last policy installed on each gateway, you can use the Policy Installation Status window.

The window has two sections. The top section shows a list of gateways and status information regarding the installed policy. You can use the filter fields to focus on certain policies of interest and hide other data by defining the appropriate criteria per field. Once you have applied the filtering criteria, only entries matching the selected criteria are shown. If the system logs trusted communication (SIC) attempts from unknown gateways, a yellow status bar appears below the filter fields.


The bottom section shows details of a row you select in the gateway list (errors that occurred, the date the policy was prepared, verification warnings). If there is a yellow status bar, clicking Show details shows the details of unknown gateways attempting to connect to the Security Management Server.

These statuses can appear in this window (Policy status - Description):

Succeeded - Policy installation succeeded.

Succeeded - Policy installation succeeded but there are verification warnings.

Waiting for first connection - Communication settings were set up on the Gateway object; waiting for the first connection with the appliance to establish trust. If a policy has been prepared, the Gateway will attempt to install it. If connection settings were set up for a Security Gateway 80 appliance but a policy was not prepared, the Policy Type column shows "No Policy Prepared" and upon first connection only trust is established.

Waiting for first connection - Same as above, but there are warnings that indicate failed attempts to establish trust, or there are verification warnings.

Pending - The policy remains in the pending status until the Gateway successfully connects to the Security Management server and retrieves the policy. This status appears when the Security Management server has problems connecting to the Gateway, for example when the Gateway cannot receive incoming connections because it is behind NAT. Note that this status is applicable only if the first or previous install policy operation was successful.

Pending - Same as above but there are verification warnings.

Warning - Warning.

Information - Information.

Failed - Policy not installed due to a verification error.

Failed - Policy installation failed.

You can access the Policy Installation Status window in the following ways:

From the menu bar - click Policy > Policy Installation Status.

From the toolbar - click the Policy Installation Status icon.

From the status bar - click on either the Failed or Pending link. The contents of the Policy Installation Status window are shown filtered according to the link clicked.

From notification balloons - click the See Details link in the balloon.

Note - If there is a yellow status bar in the Policy Installation Status window, clicking Show details shows the details of unknown gateways attempting to connect to the Security Management Server.

Defining a SmartLSM Profile

Use SmartDashboard to define a single SmartLSM profile for Security Gateway 80.

To define a single SmartLSM profile Security Gateway 80:

1. Log in to SmartDashboard using your Security Management credentials.

2. Open the Security Policy that you want to be enforced on the Security Gateway 80 SmartLSM Security Gateways.

3. From the Network Objects tree, right-click Check Point and select SmartLSM Profile > 80 Series Gateway.

The SmartLSM Security Profile window opens.

4. Define the SmartLSM security profile using the navigation tree in this window.

To open the online help for each window, click Help.

5. Click OK and then install the policy.

Note - To activate SmartProvisioning functionality, a security policy must be installed on the LSM profile.


Deploying with SmartProvisioning

You can use SmartProvisioning to manage security profiles that are deployed to Security Gateway 80 gateway objects. Configure these appliances using the First Time Wizard or a USB drive configuration file before you manage them with SmartProvisioning.

For more information about massive deployment using SmartProvisioning, see the SmartProvisioning R71.45 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12229).

Deploying from a USB Drive

You can deploy Security Gateway 80 configuration files using a USB drive and quickly configure many appliances without using the First Time Wizard. The configuration file lets you configure more settings and parameters than are available in the First Time Wizard.

You can deploy configuration files in these conditions:

An appliance with default settings that has not been configured at all

An appliance that already has an existing configuration

Security Gateway 80 starts, automatically mounts the USB drive, and checks the root directory for a configuration file.

Sample Configuration File

This is a sample Security Gateway 80 configuration file for USB deployment.

set hostname Demo1
set interface WAN internet primary ipv4-address 66.66.66.11 mask-length 25
set interface SWITCH ipv4-address 192.168.5.1 subnet-mask 255.255.255.0
delete switch port LAN4
set interface LAN4 ipv4-address 4.4.4.4 mask-length 24
add host name WebServer ipv4-address 192.168.5.4
set time-zone Eastern-Time(US-and-Canada)
set ntp server pool.ntp.org
set ntp active on
set sic_init password aaaa
fetch certificate mgmt-ipv4-address 66.66.66.91
fetch policy mgmt-ipv4-address 66.66.66.91
add user admin2 password-hash $1$vqtaGOkr$Xhb.fj14RzIvNa5BSwmZL0

Preparing the Configuration Files

The Security Gateway 80 Massive Deployment configuration files are composed of CLIsh commands. These are the file names that can be used:

autoconf.clish

autoconf.XX-XX-XX-XX-XX-XX.clish

You can create multiple configuration files for different Security Gateway 80 appliances. Name each file according to the MAC address of each Security Gateway 80 appliance. Security Gateway 80 first searches for a configuration file with the same MAC address. If there is no file that matches the MAC address of the appliance, the autoconf.clish configuration file is loaded.
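The following is an added example, not Check Point's code, that models the lookup order just described for someone preparing a USB drive: it picks the file the appliance would load for a given MAC address, flags MAC-specific files that are not named in the required format (these would silently fall back to autoconf.clish), and runs a few pre-flight checks on the file contents. It assumes the MAC in the filename is six dash-separated hex octets as in the sample log name later in this chapter, that matching ignores letter case, and that the command verbs are the ones used in the sample file above; the lint rules (unknown verb, short SIC one-time password) are this example's own heuristics, not rules the appliance enforces.

```python
import re

# Added example, not Check Point's code. Models the USB lookup order the guide
# describes: a file named after the appliance MAC is preferred, autoconf.clish
# is the fallback. Assumptions: six dash-separated hex octets in the filename
# (as in the sample log name) and case-insensitive matching.
FALLBACK_NAME = "autoconf.clish"
MAC_FILE_RE = re.compile(r"^autoconf\.([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\.clish$")

# CLIsh verbs that appear in the guide's sample file; anything else is flagged
# for review (this example's own rule, not one the appliance enforces).
KNOWN_VERBS = ("set", "add", "delete", "fetch")

# Constructed sample: a cut-down copy of the guide's file with a typo and a
# short SIC password, to show what the lint reports.
SAMPLE_CONFIG = """\
set hostname Demo1
set interface WAN internet primary ipv4-address 66.66.66.11 mask-length 25
set sic_init password aaaa
fetch certificate mgmt-ipv4-address 66.66.66.91
sett ntp active on
"""


def normalize_mac(mac):
    """Return a MAC as upper-case, dash-separated octets, e.g. '00-1C-7F-21-07-94'."""
    octets = re.split(r"[:\-]", mac.strip())
    if len(octets) != 6 or any(not re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(o.upper() for o in octets)


def select_config_file(filenames, appliance_mac):
    """Return the file the appliance would load from the USB root, or None."""
    wanted = normalize_mac(appliance_mac)
    for name in filenames:
        m = MAC_FILE_RE.match(name)
        if m and normalize_mac(m.group(1)) == wanted:
            return name
    return FALLBACK_NAME if FALLBACK_NAME in filenames else None


def misnamed_mac_files(filenames):
    """autoconf.* files that are not in the MAC-specific format (colons, five
    octets, wrong extension): these never match, so the appliance would fall
    back to autoconf.clish without warning."""
    return [n for n in filenames
            if n.startswith("autoconf.") and n != FALLBACK_NAME
            and not MAC_FILE_RE.match(n)]


def lint_config(text):
    """Pre-flight checks before the file goes onto a USB drive.
    Returns a list of (line_number, message)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        verb = line.split()[0]
        if verb not in KNOWN_VERBS:
            findings.append((lineno, "unknown command verb %r" % verb))
        # The SIC one-time password is what authenticates this gateway to the
        # management server; a trivial value on a USB stick undermines it.
        m = re.match(r"set sic_init password (\S+)$", line)
        if m and len(m.group(1)) < 8:
            findings.append((lineno, "SIC one-time password shorter than 8 characters"))
    return findings


if __name__ == "__main__":
    files = ["autoconf.clish", "autoconf.00-1C-7F-21-07-94.clish",
             "autoconf.00:1c:7f:21:07:95.clish"]
    print(select_config_file(files, "00:1c:7f:21:07:94"))
    print(misnamed_mac_files(files))
    for lineno, msg in lint_config(SAMPLE_CONFIG):
        print("line %d: %s" % (lineno, msg))
```

Run the lint on every file before copying it to the drive: the file carries the SIC one-time password and, in the sample above, an admin password hash, so whatever is on that USB drive should be treated with the same care as the appliance's own credentials.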

Deploying the Configuration File - Initial Configuration

This section describes how to deploy a configuration file on a USB drive to Security Gateway 80. The file must be correctly configured and formatted before being deployed. The USB drive can be inserted in the front or the rear USB port.


You can deploy the configuration file to Security Gateway 80 when the appliance is off or when it is powered on.

Important - Do not remove the USB drive or insert a second USB drive while the Security Gateway 80 configuration script is running. Otherwise, it is possible that Security Gateway 80 does not configure and run correctly.

To deploy the configuration file from a USB drive for the initial configuration:

1. Insert the USB drive into Security Gateway 80.

Security Gateway 80 is OFF - Turn on the appliance. The Power LED comes on and is green.

Security Gateway 80 is ON - The appliance automatically detects the USB drive.

The USB LED comes on and is solid orange.

2. Security Gateway 80 locates the USB configuration file and begins running the script. The USB LED blinks green while the script is running.

3. The configuration script finishes.

Security Gateway 80 USB LED is solid green and the screen displays: System Started.

4. Remove the USB drive from Security Gateway 80.

Note - The USB LED blinks red when there is a problem running the configuration script. Turn off Security Gateway 80 and confirm that the configuration files are formatted correctly ("Preparing the Configuration Files" on page 20).

For more information about errors with configuration files, see Troubleshooting Configuration Files (on page 22).

Deploying the Configuration File - Existing Configuration

This section describes how to deploy a configuration file on a USB drive to Security Gateway 80 to edit or update the existing configuration. Use the set property command to set the appliance to use a configuration file on a USB drive. The USB drive can be inserted in the front or the rear USB port.

You can deploy the configuration file to Security Gateway 80 either when the appliance is off or when it is powered on.

Important - Do not remove the USB drive or insert a second USB drive while the Security Gateway 80 configuration script is running. Otherwise, it is possible that Security Gateway 80 does not configure and run correctly.

To deploy the configuration file from a USB drive to a configured appliance:

1. From the CLI, enter the command: set property USB_auto_configuration once.

The appliance is set to use a configuration script from a USB drive.

2. Insert the USB drive in the appliance.

The appliance is ON - The appliance automatically detects the USB drive.

The appliance is OFF - Turn on the appliance. The Power LED comes on and is green.

The USB LED comes on and is solid orange.

3. The appliance locates the USB configuration file and begins running the script. The USB LED blinks green while the script is running.

4. The configuration script finishes.

The USB LED is solid green and the screen displays: System Started.

5. Remove the USB drive from the appliance.

Note - The USB LED blinks red when there is a problem running the configuration script. Turn off the appliance and confirm that the configuration files are formatted correctly ("Preparing the Configuration Files" on page 20).

For more information about errors with configuration files, see Troubleshooting Configuration Files (on page 22).


Viewing Configuration Logs

After Security Gateway 80 is successfully configured from a USB drive, a log is created.

The log file is called autoconf.<MAC>.<timestamp>.log

The log file is created in the USB root directory and in /tmp on the appliance.

Troubleshooting Configuration Files

This section discusses the scenario where the configuration file fails and the Security Gateway 80 is not fully configured.

Configuration File Error

If there is an error and the configuration file fails, the appliance is not fully configured and is no longer in the initial default condition. The commands in the configuration file that appear before the error are applied to the appliance. You can examine the configuration log to find where the error occurred.

When there is a not fully configured appliance, the First Time Wizard is displayed in the Web UI. However, not all of the settings from the failed configuration file are displayed in the First Time Wizard. Check Point recommends that you should not use the First Time Wizard to configure an appliance when the configuration file fails.

Note - You should restore the default settings to a partially configured appliance before using the First Time Wizard to ensure that the appliance is configured correctly.

Suggested Workflow - Configuration File Error

This section contains a suggested workflow that explains what to do if there is an error with the configuration file on a USB drive. Use the set property USB_auto_configuration command ("Using the set property Command" on page 23) when you are running a configuration file script on a configured appliance.

1. The USB drive with the configuration file is inserted into a USB port on Security Gateway 80.

2. The USB LED on the front panel blinks red. There is a problem with the configuration file script.

Sample console output displaying an error

Booting Check Point RD-6281-A User Space...

INIT: Entering runlevel: 3

........sd 2:0:0:0: [sda] Assuming drive cache: write through

sd 2:0:0:0: [sda] Assuming drive cache: write through

.....................................................

System Started...

Start running autoconfiguration CLI script from USB2 ... Error.

autoconf.00-1C-7F-21-07-94.2011-07-21.1248.log was copied to USB2

3. The log file is created and contains the configuration details.

The log file is called autoconf.<MAC>.<timestamp>.log

The log file is created in the USB root directory and in /tmp on the appliance.

4. Analyze the log file to find the problem.

5. If you cannot repair the configuration file:

a) Remove the USB drive.

b) Run the CLI command: restore default-settings.

c) Connect to the Web UI and use the First Time Wizard to configure the appliance.

6. If you can repair the configuration file:

a) Remove the USB drive.

b) Run the CLI command: restore default-settings.


c) Insert the USB drive and run the configuration script again.

Sample Configuration Log with Error

This is a sample configuration log file for a configuration script that fails.

set hostname Demo1

set hostname: Setting hostname to 'Demo1'

OK

set interface WAN internet primary ipv4-address 66.66.66.11

Error: missing argument 'subnet-mask' for a new connection

Autoconfiguration CLI script failed, clish return code = 1
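To support step 4 of the workflow above (analyze the log file to find the problem), here is an added example, not Check Point's code, that parses a log in the format of the sample just shown and reports which commands were applied before the failure, which command failed and why, and the clish return code. It assumes the structure visible in the sample: each command is echoed, any progress lines follow, then a result line of either OK or Error: ..., and a failed run ends with the "Autoconfiguration CLI script failed" line; how the appliance formats logs beyond that sample is an assumption.

```python
import re

# Added example, not Check Point's code. Parses the autoconf log format shown in
# the guide's sample. The log structure beyond that sample is an assumption.
SCRIPT_FAILED_RE = re.compile(
    r"^Autoconfiguration CLI script failed, clish return code = (\d+)$")

# The guide's own sample log, embedded so the parser runs offline.
SAMPLE_LOG = """\
set hostname Demo1
set hostname: Setting hostname to 'Demo1'
OK
set interface WAN internet primary ipv4-address 66.66.66.11
Error: missing argument 'subnet-mask' for a new connection
Autoconfiguration CLI script failed, clish return code = 1
"""


def parse_autoconf_log(text):
    """Return {'applied': [commands that got OK], 'failed': (command, error) or
    None, 'return_code': int or None}. A line is taken as a command echo only
    when no command is pending, so progress output such as
    "set hostname: Setting hostname to 'Demo1'" is not mistaken for a command."""
    applied, failed, return_code, current = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SCRIPT_FAILED_RE.match(line)
        if m:
            return_code = int(m.group(1))
        elif line == "OK":
            if current is not None:
                applied.append(current)
            current = None
        elif line.startswith("Error:"):
            failed = (current, line[len("Error:"):].strip())
            current = None
        elif current is None:
            current = line
        # Any other line is progress output for the pending command.
    return {"applied": applied, "failed": failed, "return_code": return_code}


def summarize(result):
    """One-line verdict: what was applied (and therefore changed on the
    appliance, which is no longer in its default state) and what failed."""
    if result["failed"] is None and result["return_code"] is None:
        return "script completed; %d command(s) applied" % len(result["applied"])
    cmd, err = result["failed"] or ("<unknown>", "<no error line>")
    return ("script failed after %d applied command(s); failing command: %s; error: %s"
            % (len(result["applied"]), cmd, err))


if __name__ == "__main__":
    print(summarize(parse_autoconf_log(SAMPLE_LOG)))
```

The "applied" list is the part worth keeping: it is exactly the set of commands that changed the appliance before the failure, which is why the workflow above has you run restore default-settings before retrying rather than continuing from a half-configured state.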

Using the set property Command

The set property CLI command controls how Security Gateway 80 runs configuration scripts from a USB drive. These commands do not change how the First Time Wizard in the Web UI configures the appliance.

set property USB_auto_configuration off - The appliance does not run configuration scripts from a USB drive.

set property USB_auto_configuration once - The appliance only runs the next configuration script from a USB drive.

set property USB_auto_configuration any - The appliance always runs configuration scripts from a USB drive.


Chapter 3

Cluster Configuration

In This Chapter

Security Gateway 80 Clusters 24

Creating a Cluster for New Gateways 25

Converting an Existing Security Gateway 80 to a Cluster 29

Viewing Cluster Status in the WebUI 31

Security Gateway 80 Clusters

A Security Gateway 80 security gateway cluster is a group of two members, each representing a separate Security Gateway 80 appliance on which High Availability software has been installed. ClusterXL is the Check Point clustering solution. Third party OPSEC Certified clustering products are not supported.

High Availability

High Availability allows organizations to maintain a connection when there is a failure in a cluster member. Only one machine is active (Active/Standby operation) in this configuration. Load sharing is not supported in this configuration.

Prerequisites

General overview of the process - During cluster configuration, only a "Gateway First" installation path is supported. Therefore, the gateways must be configured first using their actual IPs. Only afterwards should the cluster object be created in SmartDashboard; the subsequent policy installation from the Security Management Server notifies the gateways that they are configured as cluster members.

Before you define a Security Gateway 80 cluster:

Make sure you have defined all of the network interfaces in use for each of the Security Gateway 80 gateways. The interfaces must be defined within the same subnet. To verify definitions, access the WebUI of the appliance.

The following is only required in order to work with the Cluster Wizard in SmartDashboard:

Make sure a cable is connected between the two LAN2/SYNC ports of both appliances. You do not need to assign them IPs as they will be created automatically later. If you do assign them, make sure the LAN2/SYNC interfaces use the same subnet. You can use a different SYNC interface other than LAN2. Refer to sk52500 (http://supportcontent.checkpoint.com/solutions?id=sk52500) for details (you will be able to use the Cluster Wizard in SmartDashboard but you will need to make further adjustments to the cluster object before policy installation).

The Cluster Wizard assumes that the WAN interface will be part of the cluster. Make sure the WAN interfaces in each of the gateways are configured with a static IP of a matching subnet.

When configuring the appliances that will be used in the cluster, make sure to set both of the appliances with the same one-time password used for authenticating and establishing trusted communication. Without this you will not be able to use the Cluster Wizard in SmartDashboard, and you will need to create the cluster object using Classic Mode. Trusted communication without authentication is not supported on Security Gateway 80 cluster members.


Creating a Cluster for New Gateways

Configuring the Security Gateway 80 Appliances

Full instructions on setting up and connecting the Security Gateway 80 appliance appear in the Security Gateway 80 Quick Start Guide. Below is the general workflow:

1. Connect your computer to the Security Gateway 80 appliance on its LAN1 interface.

2. Configure your computer to obtain an IP address automatically.

3. Launch your Web browser, and connect to http://my.gateway

Note - When you configure two Security Gateway 80 appliances from your web browser, do so by connecting only one to a power source, configuring it according to the instructions below, and then disconnecting it from the power source. Then do the same for the second appliance and reboot it at the end. If you do not follow these instructions, you will not be able to use the http://my.gateway URL correctly and you will need to connect using the gateway's actual IP address (which is initially 192.168.1.1 on LAN1 before configuring it otherwise with the First Time Wizard).

After you configure and connect both appliances to a power source, install a policy and renew the dynamic IP of the computer. You can then use http://my.gateway to access the active member of the cluster.

First Time Wizard Configuration

1. Provide a password and continue to the next step.

2. Set the Internet connection Protocol to Static IP if you want to connect to the Security Management Server through this interface.

3. Configure the IP address, subnet mask, default gateway and DNS server. Click Next.

Note - Configure the same subnet for the WAN interface on the second cluster member if you want the WAN interface to be part of the cluster. This is also the assumption in the Cluster Wizard in SmartDashboard.

In the Local Network configuration step:

4. Disable the switch on the LAN port by clearing the Enable Switch on LAN ports checkbox.

5. Set the IP address and subnet mask for the LAN1 interface.

Note - Configure the same subnet for the LAN1 interface on the second cluster member if you want LAN1 to be a part of the cluster.

In the LAN settings, if you want to set up DHCP, set a different range for each member. The active member will provide the addresses to the clients.

6. Select the option Initiate trusted communication securely by using a one-time password.

7. Set the one-time password. Configure the same password for the second cluster member so it will be able to use the Cluster Wizard in SmartDashboard later.

8. Select the Connect to the Security Management server later option.

9. Click Next to continue and complete the wizard.

10. Configure the cluster SYNC interface on the same subnet as the SYNC interface on the second cluster member (use a cross Ethernet cable for SYNC interface connection).


Note - When you use the SmartDashboard cluster wizard, the LAN2 interface serves as the SYNC interface between cluster members. You do not have to configure an IP on LAN2 at any stage of the gateway side configuration. If you do not configure them, LAN2 SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2. To set a different SYNC interface (not LAN2), refer to sk52500 (http://supportcontent.checkpoint.com/solutions?id=sk52500).

Remember the one-time password. You will need it to configure the cluster in SmartDashboard. It must be the same on both cluster members.

IP addresses need to be configured on both cluster members before you open SmartDashboard and run the Cluster configuration wizard. If you want to configure IPs in interfaces other than WAN and LAN1, do so in each gateway’s WebUI application with the Internet/Local Network pages. Make sure that for each interface that needs to be part of the cluster you configure an IP in the same subnet as the second cluster member.
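As an added example (not from this guide and not Check Point code), the following Python check verifies the prerequisites listed above against the interface settings you plan to enter on the two members, before you open the SmartDashboard cluster wizard: every clustered interface has an IP on both members in the same subnet, the two member IPs differ, the virtual IP you intend to type into the wizard lies in that subnet without colliding with a member IP, the LAN1 DHCP ranges do not overlap, and the LAN switch is cleared. The interface names, addresses and the dictionary layout are assumptions made for the example.

```python
import copy
import ipaddress

# Constructed sample: interface settings of two members as entered in each
# appliance's First Time Configuration Wizard / WebUI (an assumption for this
# example). LAN2 is left unassigned on purpose: the cluster wizard then gives
# the SYNC interfaces 10.231.149.1 and 10.231.149.2 automatically.
MEMBER_A = {
    "WAN":  {"ip": "203.0.113.11", "mask": "255.255.255.240", "cluster": True},
    "LAN1": {"ip": "192.168.1.2", "mask": "255.255.255.0", "cluster": True,
             "dhcp": ("192.168.1.100", "192.168.1.149")},
    "LAN2": {"ip": None, "mask": None, "cluster": False},
    "DMZ":  {"ip": "10.10.10.1", "mask": "255.255.255.0", "cluster": False},
}
MEMBER_B = {
    "WAN":  {"ip": "203.0.113.12", "mask": "255.255.255.240", "cluster": True},
    "LAN1": {"ip": "192.168.1.3", "mask": "255.255.255.0", "cluster": True,
             "dhcp": ("192.168.1.150", "192.168.1.199")},
    "LAN2": {"ip": None, "mask": None, "cluster": False},
    "DMZ":  {"ip": "10.10.10.2", "mask": "255.255.255.0", "cluster": False},
}
# Virtual IPs you plan to type into the wizard for the HA interfaces.
VIRTUAL_IPS = {"WAN": "203.0.113.10", "LAN1": "192.168.1.1"}

# A deliberately wrong second member: duplicate LAN1 IP and overlapping DHCP range.
BAD_MEMBER_B = copy.deepcopy(MEMBER_B)
BAD_MEMBER_B["LAN1"]["ip"] = "192.168.1.2"
BAD_MEMBER_B["LAN1"]["dhcp"] = ("192.168.1.120", "192.168.1.170")


def _iface(cfg):
    """IPv4Interface for an interface entry, or None when it has no IP."""
    if cfg.get("ip") is None:
        return None
    return ipaddress.IPv4Interface(f"{cfg['ip']}/{cfg['mask']}")


def _dhcp_span(rng):
    """DHCP (first, last) range as integers for the overlap test."""
    return int(ipaddress.IPv4Address(rng[0])), int(ipaddress.IPv4Address(rng[1]))


def check_cluster_members(member_a, member_b, virtual_ips, switch_enabled=(False, False)):
    """Return a list of problems; an empty list means the wizard prerequisites hold."""
    problems = []
    for side, enabled in zip(("first", "second"), switch_enabled):
        if enabled:  # the LAN switch is not supported on cluster members
            problems.append(f"{side} member: clear 'Enable Switch on LAN ports'")

    for name in sorted(set(member_a) | set(member_b)):
        a, b = member_a.get(name, {}), member_b.get(name, {})
        if not (a.get("cluster") or b.get("cluster")):
            continue  # non-monitored private interface, nothing to compare
        ia, ib = _iface(a), _iface(b)
        if ia is None or ib is None:
            problems.append(f"{name}: a clustered interface needs an IP on both members")
            continue
        if ia.network != ib.network:
            problems.append(f"{name}: members are on different subnets ({ia.network} vs {ib.network})")
            continue
        if ia.ip == ib.ip:
            problems.append(f"{name}: both members use the same physical IP {ia.ip}")
        vip = virtual_ips.get(name)
        if vip is None:
            problems.append(f"{name}: no virtual IP planned for this HA interface")
        else:
            vip_addr = ipaddress.IPv4Address(vip)
            if vip_addr not in ia.network:
                problems.append(f"{name}: virtual IP {vip} is outside {ia.network}")
            elif vip_addr in (ia.ip, ib.ip):
                problems.append(f"{name}: virtual IP {vip} collides with a member IP")
        # The active member serves DHCP, so the two ranges must not overlap.
        if "dhcp" in a and "dhcp" in b:
            (a0, a1), (b0, b1) = _dhcp_span(a["dhcp"]), _dhcp_span(b["dhcp"])
            if a0 <= b1 and b0 <= a1:
                problems.append(f"{name}: DHCP ranges overlap; set a different range per member")
    return problems


if __name__ == "__main__":
    print(check_cluster_members(MEMBER_A, MEMBER_B, VIRTUAL_IPS))  # []
    print(check_cluster_members(MEMBER_A, BAD_MEMBER_B, VIRTUAL_IPS, (False, True)))
```

Run the check on the real plan before the wizard: the second call reports the switch left enabled on the second member, the duplicate LAN1 address and the overlapping DHCP range, each of which would otherwise surface only after policy installation.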

Configuring the Cluster Object Using SmartDashboard

To create a cluster for two new Security Gateway 80 gateways, use the SmartDashboard Security Gateway 80 Cluster wizard.

1. Log in to SmartDashboard using your Security Management credentials.

2. From the Network Objects tree, right click Check Point and select Security Cluster > 80 Series. The Check Point Security Gateway Cluster Creation dialog box opens.

3. Select Wizard Mode. The wizard opens to General Properties.

4. Type a name for the Security Gateway 80 cluster.

5. Click Next. The wizard opens to Cluster Members.

6. In the First Member and Second Member sections, type a Member name and Member IP address for each of the members.

7. Clear the Define the second cluster member now check box if you want to complete the wizard definitions for the first member only, so that you can check that communication and connectivity are in order.


8. Type and confirm the One-time password that is used for establishing initial trust. Once established, trust is based on security certificates. This password must be identical to the one-time password defined for both members in their appliances' First Time Configuration Wizard or WebUI.

9. Click Next. The wizard opens to Cluster Interface Configuration. See the section ("Cluster Interface Configuration" on page 28) for details.

10. To enable High Availability on the interface, select the Enable High Availability on <name> interface checkbox, where <name> shows the network interface defined in the Security Gateway 80 appliance.

11. When High Availability is selected, enter a virtual IP Address and Net Mask for the cluster. The virtual IP will be applied in the next policy installation.

12. Click Next.

13. Repeat steps 10 - 12 for each defined interface.


Note - The Cluster Wizard in SmartDashboard assumes the common scenario of High Availability on the WAN interface. When reaching the screen of the WAN interface, you will not be able to disable High Availability on the WAN interface (other configurations can be configured later by editing the Cluster object).

Note - If the WAN interface was not defined, edit the Cluster object in SmartDashboard following the wizard and choose a correct main IP for the cluster object (this IP is used for example in VPN as one of the Link selection options).

14. Upon completion, click Finish or select Edit Cluster in Advanced mode to further configure the cluster.

Cluster Interface Configuration

In this window you define whether a network interface on the Security Gateway 80 participates in the security gateway cluster. This window appears for each of the network interfaces that have been configured in the Security Gateway 80 appliance. The total number of interfaces configured for the gateway appears in the window title. For example, if 3 interfaces have been configured for the gateway, a total of 3 windows will require configuration. The first window will display (1 of 3 interfaces). The name of the interface you are currently configuring appears in the Interface column.

Each network interface (on both members) has a unique IP address. If High Availability is enabled on the interface, then the cluster itself requires an additional unique virtual IP address. This IP address is visible to the network and ensures that failover events are transparent to all hosts in the network.

When High Availability is not enabled, the interface is considered not-monitored private (i.e. it is not cluster related).

You can choose whether to enable High Availability on every network interface except the WAN interface, which by default is always part of the cluster. If you do not want the WAN interface to participate in the cluster, edit this setting by double-clicking the Security Gateway 80 cluster object and selecting Topology node > Edit Topology.


The graphic breadcrumb depiction at the top of the window shows you the interface you are currently configuring. You do not configure the LAN2 interface, as it is automatically configured by the wizard and is used exclusively for the SYNC interface. Make sure a cable is connected between the two LAN2/SYNC ports of both appliances.

The graphic depiction at the bottom of the page indicates whether the interface is set for High Availability or not. When you configure High Availability, the physical IPs of both members meet at a point indicated by the cluster's virtual IP address.

To configure other, more advanced options for interfaces, click "Edit Cluster in Advanced mode" at the end of the wizard, edit the topology of the cluster and make the necessary adjustments.

Converting an Existing Security Gateway 80 to a Cluster

Do the following procedures to allow an existing Security Gateway 80 to become part of a cluster.

Note - The procedures require some downtime.

Terms used:

SG80GW - represents the existing Security Gateway 80 gateway object that has already established trust and has an installed policy.

SG80Cluster - represents the new Security Gateway 80 cluster object that you will create.

SG80GW_2 - represents the new cluster member object that will join the existing gateway.

Configure the New Appliance

Configure the new appliance SG80GW_2 with the First Time Configuration Wizard:

1. Make sure to set the actual IP addresses that you want to use and not the virtual IP addresses that you will use later (as used by the existing gateway SG80GW).


2. The default switch configuration is not supported in a cluster configuration. In the event that you did not change this setting (clear the Enable switch on LAN ports checkbox), it will be automatically removed during the cluster's first policy installation. However, it is more secure to remove the switch configuration before initial policy installation.

3. The LAN2 port is used for cluster synchronization. It is recommended to keep it unassigned, so that automatic IP addresses are assigned to the SYNC interfaces. If you want to control all of the IP addresses in the system, you can however configure a static IP address.

4. Do not fetch the policy from the Security Management Server.

Create and Configure a Cluster in SmartDashboard

1. Create a new Security Gateway 80 cluster using the wizard. Define its IP address as the IP used by the existing gateway SG80GW.

2. Define the first member with SG80GW_2's IP address.

Important - Do not define the second member using the wizard.

3. Establish trusted communication and then define the various IP addresses of the clustered interfaces. Use the existing gateway SG80GW IP address as the virtual IP of the cluster where needed.

4. At the end of the wizard, select the Edit the cluster in Advanced Mode checkbox.

5. In Advanced Mode, copy to the cluster object all relevant configuration settings from SG80GW.

Reconfigure the Existing Security Gateway 80

1. Go to the SG80GW and connect to it using the WebUI.

2. Reconfigure the IP addresses of the clustered interfaces with the actual IP addresses that will be used by the gateway as a member of the cluster.

Important - Downtime starts.

Configure the Cluster in SmartDashboard

1. Change the main IP and the IPs that appear in the topology table of the SG80GW object.

2. Install policy on SG80Cluster.

Important - Downtime ends. At this point, the cluster contains only one member, SG80GW_2.

3. Edit the SG80Cluster object. Go to Cluster Members tab > Add > Add existing gateway.

4. If SG80GW does not appear in the list, press Help and make sure SG80GW doesn't match any of the categories that prevent it from being added to a cluster.

Note - You can use the information on this Help page to determine if there are any configuration settings you might want to copy to the new SG80Cluster object.

5. Edit the topology of the SG80Cluster object. Click Topology > Get Topology under the new SG80GW object. Make corrections if needed.

6. Install policy on SG80Cluster.


Viewing Cluster Status in the WebUI

After you complete policy installation on the Security Gateway 80 gateway and the gateway works as a cluster member, you can view cluster status in the WebUI application (Appliance > Cluster).


Chapter 4

Appliance Configuration

This chapter contains instructions that help you configure the Security Gateway 80 appliance and understand special Security Gateway 80 issues.

In This Chapter

Introduction to the WebUI Application 33

The Overview Page 33

The Management Server Page 33

Networking 35

Implied Rules for Security Gateway 80 46

Administration 47

Security 55

Diagnostics 57

CLI Reference 59


Introduction to the WebUI Application

Security Gateway 80 uses a web application to configure the appliance. You currently cannot configure the appliance through the command line.

After you use the First Time Configuration Wizard (see the Security Gateway 80 Getting Started Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10833)), connect to the appliance with a browser, either by its IP address or, if the appliance serves as the DNS proxy or DHCP server, by the name "my.gateway". The appliance redirects the browser to a secure HTTPS page and asks for administrator credentials.

Logging in correctly opens the Overview page of the WebUI application. The left pane lets you navigate between the different configuration pages.

The Overview Page

The Overview page gives you system and network information. It also shows the status of the software blades installed on the appliance.

Two traffic monitors show real-time packet rate and throughput data on the machine.

For each activated blade, additional information is shown (for example, for the Firewall blade: how many packets are dropped, the number of current connections, etc.).

You can also see in this page a summary of the current connectivity state with the Security Management Server. For more information see the Management Server page.

The Management Server Page

This page lets you:

Test connection status with the Security Management Server (this is also done periodically by the appliance).

Reinitialize trusted communication (when you click the Advanced link).


See the status of the latest attempt to install a policy on the appliance.

Manually fetch the policy from the Security Management Server.

View the status of the Internet connection.


Networking

Internet Settings

The WebUI Internet page lets you set and enable the Internet network connection.

The Internet table displays all available Internet connections.

To set an Internet network connection:

1. Click the Edit link in the relevant Primary or Secondary row.

2. Configure the parameters in the Internet Configuration page that opens and click Apply.

3. Enable the configured connection; click the checkbox in the Enabled column.

Internet Configuration

The Internet Configuration page lets you configure the properties of the primary or secondary Internet connection and define it as either a WAN or DMZ interface.

Types of connections available:

Static IP - A fixed (non-dynamic) IP address.

DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network.

PPPoE - a network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with DSL services where individual users connect to the DSL modem over Ethernet and in plain Metro Ethernet networks.

PPTP - the Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets. Note that PPTP's MS-CHAP authentication and MPPE encryption are considered weak by current standards.

L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.

Bridge - connects multiple network segments at the data link layer (Layer 2). One WAN-LAN bridge is supported.

To configure Internet connections:

1. Select a Network Interface.

2. Select a Connection Type.

3. For bridges, select an interface from the Assign Interface list.

4. Enter IP address, Subnet Mask and Default Gateway details.

5. Enter DNS Server details (for the PPPoE, PPTP, L2TP and DHCP protocols).

6. For the dialer connection types, enter the ISP Login User Name, ISP Password and Server Host Name or IP when needed.

7. Click Apply.

Advanced Configuration Options

For all connection types, you have the option to configure additional advanced settings:

ICMP monitoring configuration – enables the appliance to better monitor the connection’s health. Mostly relevant for Internet Connection High Availability configuration, see below.

Advanced dialer settings (for applicable connection types), such as the ability to configure whether the connection will be up all the time, or only connect on demand.

Port Settings - MTU, Link speed and MAC address changes.


Note - MTU changes cause a momentary loss of connectivity as the interface resets with the new MTU. In a DMZ interface, the momentary loss of connectivity is in the LAN interfaces as well (hardware limitation).

MAC address changes are mostly relevant when the appliance is designed to replace an existing appliance whose MAC address is used by various devices in its environment.

To configure advanced configuration options:

1. Click the Advanced link.

2. To use ICMP requests to monitor the connection, select the checkbox and click Configure.

a) Click Add to add a server.

b) Select or clear the Send ICMP requests to default gateway checkbox.

c) Set the values for Interval between requests, Failover after and Resume requests after parameters.

d) Click OK.

WAN Port Settings

1. Set the MTU size. Note that for a DMZ interface the MTU value is applied to all LAN ports.

2. Select which MAC address clone method to use.

3. Select the Link Speed.

4. Click Apply.

Important Notes

Bridge

Only one bridge is supported. It always includes the WAN port and one LAN port (or the switch).

When working in bridge mode, Internet Connection in High Availability is not supported. You can configure the DMZ interface as "standard DMZ" but not as a secondary Internet connection.

Dialers

ISP details (login and password) are provided by your service provider. In case of authentication failure contact your service provider.

If PPPoE connection is disconnected by your service provider, the following message appears: "PPPoE server unavailable". If connection was disconnected due to timeout on Link Control Protocol the following message appears: "PPP Link Control Protocol timed out (no response from server). Contact your service provider."

If PPTP connection is disconnected by your service provider, this message appears: "Internet connection was disconnected by your service provider".

In case of disconnection, the appliance will try to connect again every 30 seconds.

You can set the IP address of your dialer connection statically by specifying "Tunnel IP assignment->Use the following IP Address" under Advanced (while editing the Internet connection).

For PPTP and L2TP it is possible to set the IP address of your local tunnel network.

These connection monitoring methods are supported:

For dialers - define the Link Control Protocol (LCP) interval and the maximum number of attempts. The gateway sends an LCP echo request every X seconds; if no reply arrives after Y attempts, the connection status becomes "PPP Link Control Protocol timed out (no response from server). Contact your service provider." and, if Internet High Availability is enabled, the other connection becomes active.

For all connection types (except bridge): you can set one or more servers to which the appliance periodically sends ICMP Echo requests. If no reply arrives after Y attempts, the connection status becomes "Destination server is unreachable (no reply for ICMP requests)" and, if Internet High Availability is enabled, the other connection becomes active.

Setting MTU


For dialers - the value you enter in the field is Y bytes more than the effective MTU on the dialer interface, because of the tunnel overhead. For example, with the default of 1500 bytes, the MTU of the PPP interface is effectively 1492 for PPPoE and 1460 for L2TP. If you want an effective MTU of X, set the field to X+Y (Y=8 for PPPoE and Y=40 for L2TP).

Internet Connection High Availability

These are the Internet Connection High Availability options:

You can configure two different Internet connections, where only one is active and is used for the appliance's default route to the Internet. This is most commonly used for ISP redundancy.

You can configure two separate connections on the WAN and DMZ interfaces. In this case the appliance tries to bring up both connections, but at any given time only one is considered the active connection and is used as the default route.

You can configure two connections on the same interface, and the appliance will try to connect with the other connection details each time the existing connection is considered down.

The first row in the table is the primary connection. When you click the Internet Connection High Availability link you can configure the option to Revert to Primary connection when possible, thus giving the primary connection a priority over the secondary connection.

Conditions for a failover:

The appliance checks the link status of each interface to detect a disconnected cable. For dynamic IP connection types, it also verifies that the connection has an IP address.

Other than that, you can configure ICMP monitoring that tests the connection’s health against known servers or the default gateway. This configuration gives you additional control over the Internet Connection High Availability configuration.

Internet Connection High Availability is not supported in bridge mode and when using the "connect on demand" dialer advanced option.
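As an added example, not part of this guide and not the appliance's own implementation, the following Python model reproduces the failover and revert behaviour described in this section: a connection is considered down after "Failover after" consecutive missed ICMP replies, or at once when its link goes down; it is considered up again only after a number of consecutive replies; the default route then moves to the other connection, and returns to the primary only when Revert to Primary connection when possible is set. The guide names the monitor parameters without specifying their units, so treating recovery as a count of consecutive replies, the class names, the probe schedule and the WAN/DMZ labels are all assumptions made for the example.

```python
class MonitoredConnection:
    """One Internet connection plus the ICMP monitor settings from its Advanced page."""

    def __init__(self, name, failover_after=3, resume_after=3):
        self.name = name
        self.failover_after = failover_after  # missed replies before the connection is down
        self.resume_after = resume_after      # replies before it is considered up again (assumed semantics)
        self.link_up = True                   # cable present and, for dynamic types, IP obtained
        self.healthy = True
        self.failures = 0
        self.successes = 0

    def probe(self, replied):
        """Record one ICMP echo result and return the resulting health state."""
        if not self.link_up:
            return False
        if replied:
            self.successes += 1
            self.failures = 0
            if not self.healthy and self.successes >= self.resume_after:
                self.healthy = True
        else:
            self.failures += 1
            self.successes = 0
            if self.healthy and self.failures >= self.failover_after:
                self.healthy = False
        return self.healthy

    def set_link(self, up):
        """Link status is checked directly: a pulled cable takes the connection down at once."""
        self.link_up = up
        self.successes = self.failures = 0
        if not up:
            self.healthy = False  # coming back requires resume_after replies first


class InternetHA:
    """Two connections, one active at a time, carrying the appliance's default route."""

    def __init__(self, primary, secondary, revert_to_primary=True):
        self.primary, self.secondary = primary, secondary
        self.revert_to_primary = revert_to_primary
        self.active = primary
        self.log = []

    def _select(self, reason):
        other = self.secondary if self.active is self.primary else self.primary
        if not self.active.healthy and other.healthy:
            new = other                       # failover (or fail back when the secondary dies)
        elif self.active is self.secondary and self.revert_to_primary and self.primary.healthy:
            new = self.primary                # Revert to Primary connection when possible
        else:
            return
        self.log.append(f"{reason}: default route moves {self.active.name} -> {new.name}")
        self.active = new

    def probe_round(self, primary_replied, secondary_replied):
        """One monitoring interval: both connections are probed, then the active one is chosen."""
        self.primary.probe(primary_replied)
        self.secondary.probe(secondary_replied)
        self._select("icmp monitor")
        return self.active.name

    def link_down(self, conn):
        conn.set_link(False)
        self._select("link down")
        return self.active.name


def run_scenario(revert_to_primary=True):
    """Constructed probe schedule: the primary misses three replies, recovers, then loses its link."""
    ha = InternetHA(MonitoredConnection("WAN", failover_after=3, resume_after=2),
                    MonitoredConnection("DMZ"), revert_to_primary)
    replies = [(True, True), (False, True), (False, True), (False, True), (True, True), (True, True)]
    history = [ha.probe_round(p, s) for p, s in replies]
    history.append(ha.link_down(ha.primary))
    return history


if __name__ == "__main__":
    print(run_scenario(True))   # WAN stays active until the third miss, returns after two replies
    print(run_scenario(False))  # without revert, DMZ keeps the default route once it has it
```

The two runs differ only in the revert option: with it set, the primary takes the default route back as soon as its monitor sees enough replies; without it, the secondary keeps the route until it fails itself.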

Local Network

The Local Network WebUI page lets you set and enable the local network connections, LAN switch or WAN-LAN bridge that you configure.


The Network table displays all available network connections that are not external. For the DMZ interface, this page lets you configure it as a DMZ interface (as opposed to an external interface to the Internet, that you can configure in the Internet page).

LAN Switch

You can configure a port based switch between several LAN ports. Only one switch is supported, and the LAN1 port will always be a part of it. Switch configuration between all LAN ports is the default configuration set during the appliance’s First Time Configuration wizard and can be removed during the wizard, or configured more accurately in the WebUI application.

The LAN Switch has an IP through which you can connect to the WebUI application.

Traffic between switch ports is neither inspected nor included in the traffic counters within the different Check Point software blades.

The switch is not available when the policy installed from the Security Management Server makes the appliance a cluster member. If a LAN switch is configured when a policy installation changes the appliance's status to cluster member, the switch is automatically dismantled: its IP is assigned to LAN1, and the other LAN ports that were part of the switch become unassigned.

To set or edit a local network connection:

1. Click the Edit link in the Action column of the related row.

a) If you want to configure a switch, configure the parameters in the LAN Switch Configuration page that opens and click Apply.


b) If you do not want to configure a switch, configure the parameters in the Interface Configuration page that appears and click Apply.

2. To enable the configured connection, click the Enabled checkbox.

Note - A LAN switch is created by default. It appears below the Networks list with its corresponding details.

To remove the switch, click Unassign all ports in the Action column. This will detach all ports from the switch and remove the switch configuration.

To create a VLAN (according to the IEEE 802.1Q standard) on one of the interfaces:

1. Click New VLAN.

2. Configure the parameters in the Interface Configuration page and click Apply.

To create a switch (not available when the appliance is set as a cluster member):

1. Click Create Switch.

2. Configure the parameters in the LAN Switch Configuration page and click Apply.

To create a WAN-LAN bridge (available only when no Internet connection is set):

1. Click Create Bridge.

2. Configure the parameters in the Internet Configuration page and click Apply.


Switch Mode Configuration

The Security Gateway 80 appliance is initially configured in switch mode. The default switch contains all LAN ports. You can change this default option within the First Time Configuration Wizard or within the Local Network page in the WebUI.

The LAN Switch Configuration page lets you configure the LAN switch parameters.

To configure LAN switch parameters:

1. In Network Interfaces:

a) To add an interface, select an interface from the Available Interfaces list and click Add.

b) To remove an interface, select an interface from the Selected Interfaces list and click Remove (or edit the interface and choose a different IP assignment for it: "Unassigned" or "Static IP").

2. Enter IP address and Subnet Mask details.

3. In DHCP Server, select whether to enable, disable or use DHCP Relay.

When DHCP Server is enabled, supply the first and last IP addresses in the range.

You can also add a DHCP Exclude list. To do that, supply the range of the exclude list.

When DHCP Relay is enabled, supply the DHCP Server IP address.

4. Click Apply.

If you click the Advanced link, you can:

Change the MTU used by the LAN ports (this change also applies to all LAN ports not in the switch as well as the DMZ interface).

Change the MAC address that the interface uses.

Bridge Mode Configuration

The Security Gateway 80 appliance can operate in switch mode and in bridge mode:

In switch mode, some or all of the LAN ports are connected to the same network.

In bridge mode, two different networks are connected at layer 2.

You can configure a bridge in Security Gateway 80 alongside a switch and the appliance will operate as a router between them. The bridge is always between the WAN interface and one of the LAN interfaces. It is possible to bridge between the WAN and LAN Switch itself.

Check Point Software Blades inspect the traffic that goes through the bridge and include it in their traffic counters.

You can configure this functionality on the appliance with the First Time Configuration Wizard (only between WAN and LAN1) and also the WebUI for advanced configuration settings.

In bridge mode, when you configure the object's Topology node in SmartDashboard, you cannot calculate the topology with the Get topology option. Instead, select Manually defined on the Security Management server, based on the below Topology Table and define the networks behind the gateway manually.

On Security Gateway 80, bridge configuration is not supported on cluster members.

For bridge and cluster limitations, refer to the Security Gateway 80 Known Limitations SK (http://supportcontent.checkpoint.com/solutions?id=sk52180).

Notes - 1. Only one bridge is supported. It always includes the WAN port and one LAN port (or the switch).

2. When working in bridge mode, Internet Connection in High Availability is not supported. You can configure the DMZ interface as "standard DMZ" but not as a secondary Internet connection.

Routing

The Routing page shows a routing table with the routes on your appliance. You can add new routes from here.

Table columns:

Destination - The destination host or network the route leads to.

Destination Mask - The mask of the destination host or network. The mask must match the destination IP. For example, the mask for destination IP 10.0.0.1 must be set to 255.255.255.255. To define a route to the entire class C network 10.0.0.0/24, use the corresponding network mask 255.255.255.0.

Next Hop - The IP address of the gateway (next hop) for this route. Not applicable to manually created advanced routing rules through a specific interface. For more details, see sk53000 (http://supportcontent.checkpoint.com/solutions?id=sk53000).

Interface - The physical network interface through which this route is reachable: LAN, WAN, DMZ or LAN Switch. It is either resolved automatically or chosen manually. When it is chosen manually, the next hop is not mandatory and can be N/A (see sk53000 (http://supportcontent.checkpoint.com/solutions?id=sk53000)).

Metric - Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is chosen.

Action - Edit or delete a manually configured route.

The Routing page shows the routing rules that the operating system configures automatically according to the IPs defined on the various interfaces and the default route you configure. However, through this page it is also possible to add more routing rules.

The default route and the routing rules you configure manually are shown in bold, and it is possible to edit/delete the rules you manually configure.

To add a new route:

1. On the Routing Table page, click New Route. The Route Configuration page appears.

2. Configure the parameters in the page that opens.


To edit an existing route:

Click Edit in the specific route's Action column.

To delete a route:

Click Delete in the specific route's Action column.

Route Configuration

The Route Configuration page lets you configure information for each route.

To add a new route:

1. Supply the:

Destination IP Address

Destination Subnet mask

Next Hop (Default gateway)

Metric (0-100)

Interface (from the drop-down box)

2. Click Apply.

Important notes for when you add a new route:

Make sure the destination IP address, which is normally a network address, matches the destination subnet mask.

Normally, the next hop belongs to one of the directly attached networks, and the appliance resolves automatically through which interface the traffic is sent. However, you can configure a specific interface through which the traffic is sent: click the combo box next to the Interface option. Once you select a specific interface, entering 0.0.0.0 as the next hop routes the relevant traffic through that interface without using a next hop. For more details, see sk53000 (http://supportcontent.checkpoint.com/solutions?id=sk53000).

Note - Choosing a specific interface through which to send traffic is an advanced option; make sure the network the appliance is connected to is configured correctly to prevent connectivity issues.

This page does not support a route with a specific interface and a next hop that is outside that interface's subnet.


Other Important notes:

You cannot add a default route from this page. The default route of the system is inherited from Internet connection settings. To change the default route, edit the relevant Internet connection and set its "default gateway" (next hop) to the desired IP.

If Internet Connection High Availability is set, the default route will change automatically upon failover (according to the active Internet connection).

When a network interface is disabled, all routes leading to this interface become "inactive". In such cases, the system routes traffic according to the active routing rules (typically, the default route). The route appears as 'inactive' on the Routing Table page and automatically becomes active again once the interface is enabled.

When no default route is active (for example, when there is no active Internet connection), this note appears: Note: There is no default route since no Internet connection is enabled.
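The route rules above (destination must be a network address under its mask, metric 0-100, next hop on an attached network unless a specific interface is chosen, no default route from this page, routes over a disabled interface become inactive) can be checked before a route is entered. This is an added example, not Check Point code: the Route and Interface records and the sample networks are assumptions made for illustration.

```python
"""Validation of a static route entry, following the rules the Route Configuration
page documents.  Added example, not Check Point code: the Route and Interface
records and the rule checks are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

METRIC_MIN, METRIC_MAX = 0, 100          # metric range offered by the page
NO_NEXT_HOP = ipaddress.IPv4Address("0.0.0.0")


@dataclass
class Interface:
    name: str
    network: str          # directly attached network in CIDR form, e.g. "192.168.1.0/24"
    enabled: bool = True


@dataclass
class Route:
    destination: str      # Destination IP Address
    mask: str             # Destination Subnet mask, dotted form
    next_hop: str         # Next Hop; "0.0.0.0" means "no next hop"
    metric: int           # Metric (0-100)
    interface: Optional[str] = None   # specific Interface, or None for automatic


def resolve_interface(route: Route, interfaces: Dict[str, Interface]) -> Optional[str]:
    """Interface the traffic leaves through: the one configured, or the attached
    network that contains the next hop."""
    if route.interface is not None:
        return route.interface
    nh = ipaddress.IPv4Address(route.next_hop)
    for iface in interfaces.values():
        if nh in ipaddress.IPv4Network(iface.network):
            return iface.name
    return None


def validate_route(route: Route, interfaces: Dict[str, Interface]) -> List[str]:
    """Return the problems found; an empty list means the route is acceptable."""
    problems: List[str] = []
    try:
        dest = ipaddress.IPv4Network((route.destination, route.mask), strict=False)
        nh = ipaddress.IPv4Address(route.next_hop)
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]

    # The destination must be the network address under the given mask.
    if ipaddress.IPv4Address(route.destination) != dest.network_address:
        problems.append(f"destination {route.destination} is not the network address "
                        f"of {dest}")
    # A default route cannot be added here; it comes from the Internet connection.
    if dest.prefixlen == 0:
        problems.append("default route is inherited from the Internet connection settings")
    if not METRIC_MIN <= route.metric <= METRIC_MAX:
        problems.append(f"metric {route.metric} is outside {METRIC_MIN}-{METRIC_MAX}")

    if route.interface is None:
        # Automatic mode: the interface is resolved from the next hop, so the next hop
        # must belong to a directly attached network.
        if nh == NO_NEXT_HOP or resolve_interface(route, interfaces) is None:
            problems.append("next hop is not on a directly attached network; "
                            "select a specific interface instead")
    else:
        iface = interfaces.get(route.interface)
        if iface is None:
            problems.append(f"unknown interface {route.interface}")
        elif nh != NO_NEXT_HOP and nh not in ipaddress.IPv4Network(iface.network):
            # Specific interface plus a next hop outside its subnet is not supported.
            problems.append("next hop is not in the selected interface's subnet")
    return problems


def route_is_active(route: Route, interfaces: Dict[str, Interface]) -> bool:
    """A route over a disabled interface is shown as 'inactive' and is not used."""
    iface = interfaces.get(resolve_interface(route, interfaces) or "")
    return iface is not None and iface.enabled


if __name__ == "__main__":
    # Constructed sample interfaces and routes.
    attached = {"LAN1": Interface("LAN1", "192.168.1.0/24"),
                "WAN": Interface("WAN", "203.0.113.0/29")}
    for r in (Route("10.10.0.0", "255.255.0.0", "192.168.1.254", 10),
              Route("10.10.0.5", "255.255.0.0", "192.168.1.254", 10),
              Route("172.16.0.0", "255.255.0.0", "10.0.0.1", 5, interface="WAN")):
        print(r.destination, validate_route(r, attached) or "ok",
              "via", resolve_interface(r, attached))
```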

DNS

In the DNS page, you can configure the DNS servers and add a new host.

You need to configure DNS so that the appliance itself can resolve names, and so that it can serve users who configure the appliance as their DNS server (manually or through DHCP). In the second case, Security Gateway 80 acts as a DNS proxy and resolves incoming DNS requests using its configured DNS servers.

Configuring Security Gateway 80 as the DNS server (in fact, a proxy), whether manually or through the appliance's DHCP service, lets users connect through a browser to the "my.gateway" URL. This is an alternative to entering the appliance's IP address manually, for easier management of the appliance.

On this page you can also manually add host entries that the gateway uses to resolve DNS requests directly, without consulting its configured DNS servers.

To configure DNS:

1. Choose if you want to define up to three DNS servers that are applied to all Internet connections or use the DNS configuration provided by the active Internet connection (Primary). When you select Set DNS server configuration, make sure that you enter correct IP addresses.

Typically you use the first option (global DNS settings) if your DNS servers are located in the headquarters office. In this case, all DNS requests from this branch office will be directed to these DNS servers.

The second option gives a more dynamic definition of DNS servers. The gateway uses the DNS settings of the currently active Internet connection (for a static IP, the DNS servers entered manually under "Internet Connection" > Edit; for DHCP and dialers, the DNS servers given automatically by the ISP). If Internet Connection High Availability is enabled, the DNS servers switch automatically when there is a failover.

2. The Security Gateway 80 appliance functions as your DNS proxy by default. It provides DNS resolving services to the internal hosts behind it if this option is set. This option is global and applies to all internal ports (including the DMZ, if it is not configured as a secondary Internet connection). To have local DNS requests resolved by the DNS proxy, select the Enable DNS Proxy - resolves local DNS requests checkbox.

3. Click Apply.

To add a new host:

1. Click New Host. The Host Configuration page appears.

2. Configure the parameters in the page that opens and click Apply.

To delete a host:

Click Delete in the row of the host.

To edit a host:

1. Click Edit in the row of the host.

2. In the Host Configuration page, make your changes and click Apply.

Automatic Topology

Anti-Spoofing and other security features are based on the topology table you configure when you edit the gateway object in SmartDashboard. You can configure the topology table manually or get the topology from the gateway automatically. Each time the topology changes, it is necessary to get the topology and install the policy again.

Security Gateway 80 introduces a new mode called "Automatic Topology", in which the configured topology table is not necessary for features that do not involve other gateways. This option lets those features continue to work, based on the gateway's routing table, when the network configuration changes on the gateway side. When you use "Automatic Topology", it is not necessary to install a policy when changes occur.

When you select the Automatically calculated by the gateway option, which is based on the routing table of the Security Gateway 80's operating system, these features function automatically:

Anti-Spoofing

Anti-Virus Directional scan

IPS (that protects only incoming connections)

After you configure automatic topology for the first time, you must install the policy.

Note - Automatic topology is exposed to errors in the routing table, such as those that occur when an interface is disabled.

If it is not necessary to use the automatic topology feature, you can configure topology manually. Select the Manually defined on the Security Management Server option.

When you use VPN, automatic topology limits the options for defining VPN tunnels, because other gateways need to know the topology and IPs of the gateway. The only scenario that supports VPN together with automatic topology is when NAT is configured. In this case, the only data that is encrypted is outgoing traffic from behind the gateway to other members of the VPN community. Other gateways only recognize the gateway's primary IP, as this is configured in SmartDashboard regardless of the topology table. For more information, see Step 1: Defining the Security Gateway 80 Object in SmartDashboard.
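The automatic topology described above derives what Anti-Spoofing needs (which networks sit behind which interface, and which interface is external) from the routing table, and inherits the routing table's errors, such as routes that go inactive when an interface is disabled. This added example shows that derivation and its effect; it is not Check Point code, and the routing-table format, the treatment of the default-route interface as external and the spoofing decision are assumptions for illustration.

```python
"""Deriving an anti-spoofing topology from the routing table, which is what the
"Automatic Topology" mode does in principle.  Added example, not Check Point code:
the routing-table format, the treatment of the default-route interface as external
and the spoofing decision are assumptions made for illustration."""
import ipaddress
from typing import Dict, List, Set, Tuple

Network = ipaddress.IPv4Network
Topology = Dict[str, List[Network]]

# Constructed routing table: (destination network, outgoing interface).
SAMPLE_ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "WAN"),            # default route, from the Internet connection
    ("192.168.1.0/24", "LAN1"),      # directly attached
    ("10.20.0.0/16", "LAN1"),        # static route via a router behind LAN1
    ("192.168.2.0/24", "DMZ"),       # directly attached
]


def build_topology(routes: List[Tuple[str, str]], enabled: Dict[str, bool]) -> Topology:
    """Map each enabled interface to the networks the routing table places behind it.
    Routes over a disabled interface are inactive and are dropped, so the computed
    topology follows the routing table, errors included."""
    topology: Topology = {}
    for dest, iface in routes:
        if enabled.get(iface, False):
            topology.setdefault(iface, []).append(Network(dest))
    return topology


def external_interfaces(topology: Topology) -> Set[str]:
    """An interface that carries the default route is treated as external."""
    return {name for name, nets in topology.items()
            if any(net.prefixlen == 0 for net in nets)}


def is_spoofed(topology: Topology, ingress: str, src_ip: str) -> bool:
    """Anti-spoofing decision for a packet arriving on `ingress` with source `src_ip`.
    Internal interface: the source must lie in a network routed behind that interface.
    External interface: the source must NOT lie in any internal network."""
    src = ipaddress.IPv4Address(src_ip)
    external = external_interfaces(topology)
    internal_nets = [net for name, nets in topology.items()
                     if name not in external for net in nets]
    if ingress in external:
        return any(src in net for net in internal_nets)
    behind = topology.get(ingress)
    if behind is None:
        return True    # disabled or unknown interface: nothing legitimately arrives here
    return not any(src in net for net in behind)


if __name__ == "__main__":
    state = {"WAN": True, "LAN1": True, "DMZ": True}
    topo = build_topology(SAMPLE_ROUTES, state)
    print("external:", external_interfaces(topo))
    for ingress, src in (("LAN1", "192.168.1.5"), ("LAN1", "192.168.2.9"),
                         ("WAN", "192.168.1.5"), ("WAN", "198.51.100.7")):
        print(ingress, src, "spoofed" if is_spoofed(topo, ingress, src) else "ok")
    # Disabling DMZ removes its route; its network is no longer protected on WAN.
    state["DMZ"] = False
    topo = build_topology(SAMPLE_ROUTES, state)
    print("DMZ down, WAN 192.168.2.9:",
          "spoofed" if is_spoofed(topo, "WAN", "192.168.2.9") else "ok")
```

The last check is the point of the guide's note: once the DMZ interface is disabled, a packet claiming a DMZ source address on WAN is no longer recognized as spoofed, because the topology was recalculated from the reduced routing table.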

Implied Rules for Security Gateway 80

These implied rules apply only to Security Gateway 80 gateways and not to other gateways, except for the outgoing Internet connections rule. This rule existed for DHCP only and still allows outgoing DHCP traffic from Dynamic Address IP modules that are not Security Gateway 80:

Accept Dynamic Address modules' outgoing Internet connections - lets the appliance connect to the Internet if it needs traffic to set itself up (for example, as necessary in DHCP and PPTP). There is no need to add an explicit rule in the Security Policy in SmartDashboard in order to allow this access. If you wish to override this, go to SmartDashboard > Firewall Implied Rules section and clear the checkbox.

Accept incoming traffic to DHCP and DNS services of Gateway - gives access to the appliance’s provided services to the internal interfaces (DNS and DHCP). There is no need to add an explicit rule in the Security Policy in SmartDashboard in order to allow this access. If you wish to override this, go to SmartDashboard > Firewall Implied Rules section and clear the checkbox.

Accept Web and SSH connections for Gateway's administration - lets administrators access the appliance. For more information, see Administrator Access (on page 52).

Administration

The System Operations page lets you manage the settings and image as well as reboot the appliance.

Backup and Restore

Backup

The backup file you create in the WebUI contains these elements:

System settings

Security policy (if you select this option)

SIC certificate - see the machine replacement notes below

License - since each license is per MAC address, when you restore to a different machine you need a new license.

The backup file does not include the actual software image.

Note - All content in the appliance is deleted when you do a backup.

You commonly back up your settings so that you can restore them later if necessary on the same appliance.

Note - You can use the backup file to restore your settings if you replace your appliance. In this case you do not need to reinitialize trust (SIC) with the Security Management Server, but you will need to reactivate the licenses, as they are configured according to MAC addresses. For more information, see the Restore section. You do have the option to copy your settings to other appliances, but in that case you will need to reinitialize trust with the Security Management Server as well as reactivate the licenses.

Restore

You can restore your appliance settings from a backup file you create.

You can restore backup files from different versions, provided the restore function supports the version that was backed up.

To restore an appliance with a backup file from another appliance, do these steps on the new appliance:

1. Open the First Time Wizard (login to http://my.gateway).

2. Set a one-time password and click Next.

3. Click Cancel.

4. Save the settings and continue.

5. Open the WebUI (http://my.gateway).

6. Go to the System Operations page and click Restore.

7. Select the Settings File and click Upload File.

8. Enter the License page in the WebUI.

9. Activate the license on the new appliance. This is mandatory as the new appliance has a unique MAC address that requires a new license (the backup file contains the license from the other appliance).

Upgrade

There are three methods you can use to upgrade the Security Gateway 80 appliance:

Upgrade using WebUI

Upgrade using a USB drive (on page 131)

Upgrade using boot loader (on page 132)

Upgrade Using WebUI

When you do an upgrade with the WebUI, an upgrade wizard prompts you to upload the new image.

Regardless of whether you save the current image before the upgrade, the system does the upgrade on a separate flash partition, and your current-running partition is not affected.

If for some reason, you cannot access the appliance after upgrade, or the appliance does not start up properly from boot, disconnect the power cable and reconnect it. The appliance will automatically revert to the previous image.

To upgrade the appliance from the WebUI:

1. Select Appliance > System Operations and click Upgrade.

The Software Upgrade Wizard opens.

2. Click Next.

3. Click Browse and select the new software image file.

4. Click Upload.

The software image file is uploaded to the appliance.

5. Click Next.

In the upgrade wizard, before the actual upgrade process begins, you also have an option to save a local image with the Image Backup option. You can manually return to it at any time by clicking Revert to Previous Version in the System Operation page in the WebUI.

6. Select Save a local backup, if you want to save a local image.

7. Click Next.

The wizard shows a progress bar that indicates the upgrade stages. Image backup and the actual upgrade process each take several minutes.

Upon successful completion, the appliance reboots. The browser application shows a message regarding the upgrade status while the appliance is down. Once the appliance is back up, the browser redirects to the login page.

8. Press CTRL+F5 to refresh the browser.

Note - After a successful system upgrade, it is recommended to clear your browser's cache so that the previous version's files are deleted from the browser cache.

Note - Each appliance also contains a factory default image (not to be confused with the saved backup image that you can save during an upgrade). The upgrade process through the WebUI does not replace the saved factory defaults on the appliance. However, when you upgrade with other available methods (used mainly in factory and distribution hubs) such as upgrade from USB or a bootp server, the upgrade process creates a new factory default image that is saved on the appliance. For more information regarding upgrade from USB or upgrade from bootp server, see Advanced Configuration (on page 131).

Factory Defaults

The Security Gateway 80 appliance contains a default factory image.

When the appliance is turned on for the first time, it loads with the default image.

As part of a troubleshooting process, you can restore the Security Gateway 80 appliance to its factory default settings if necessary.

You can restore a Security Gateway 80 appliance to the factory default image with the WebUI, Boot Loader or a button on the back panel.

Important - When you restore factory defaults, you delete all information on the appliance and it is necessary to run the First Time Configuration Wizard as explained in the Security Gateway 80 Quick Start Guide. If you upgraded your appliance in the past using the WebUI, you must upgrade it again.

To restore factory defaults with the WebUI:

1. In the Security Gateway 80 WebUI, click Appliance > System Operations. The System Operations pane opens.

2. In the Appliance section, click Factory Defaults.

3. In the pop-up window that opens, click OK.

4. While factory defaults are being restored, all LAN Link and Activity LEDs blink orange and green alternately to show progress.

This takes some minutes. When this completes, the appliance reboots automatically.

To restore factory defaults with the button on the back panel:

1. Press the Factory defaults button with a pin and hold it for at least 3 seconds.

2. When the Power and Notice LEDs are lit red, release the button. The appliance reboots itself and starts to restore factory defaults immediately.

3. While factory defaults are being restored, all LAN Link and Activity LEDs blink orange and green alternately to show progress.

This takes a few minutes. When this completes, the appliance reboots automatically.

To restore the Security Gateway 80 appliance to its default factory configuration using the Boot loader menu, see the Advanced Configuration (on page 131) section.

Administrators

The Administrators page in the WebUI lists the Security Gateway 80 Administrators, lets you create new administrators and lets you configure account security settings.

Administrators have the permission to access the WebUI application and also log in through SSH to the restricted cpshell.

Administrator Accounts

To create a Security Gateway 80 Administrator and configure security settings:

1. On the Administrators page, click New. The Administrator Account page appears.

2. Configure the parameters in the page that opens.

To change a password:

1. Click Change Password for the relevant administrator.

2. Configure the parameters in the page that opens.

Account Security Settings

1. Set the Session Timeout value.

2. To Enable Login Restrictions, click the checkbox and set the parameters:

Lock Account After __ Failed Login Attempts

Unlock Account After __ minutes.

3. Click Apply.

Administrator Account Configuration

1. Provide an Administrator Name and a Password for the Security Gateway 80 Administrator.

2. Confirm the password.

3. Click Apply.

Change Password

1. Enter the Old Password for the Security Gateway 80 Administrator.

2. Enter the New Password.

3. Confirm the password.

4. Click Apply.

Administrator Access

In the Admin Access page, a list of client IPs is shown if you configure specific IP addresses. Only the client IPs that you configure are permitted to access the Security Gateway 80 appliance. You can add or remove a Web/SSH client and set the access ports.

To allow administrator access from any IP address:

1. In the Admin Access page, select the Any IP Address option.

2. Select the interface type from which the IP addresses can obtain access from the Interface list.

3. Change the WEB Port (HTTPS) and/or SSH access ports if needed.

Note - If you change the WEB port, you will be disconnected from the WebUI application and will need to revisit http://my.gateway or the appliance's IP address from your browser. This redirects you to the correct port.

4. Click Apply.

To allow administrator access from a specific IP address:

1. In the Admin Access page, select the Specific IP Address option.

2. Click Add. The Access Policy IP Address Configuration page appears.

3. Define the IP address as either:

Specific IP - manually provide the IP address or click Get IP from My Computer.

Specific Network - manually provide the Network Address and Subnet Mask

4. Click Apply. The IP is added to the table.

5. Select the interface type from which the IP addresses can obtain access from the Interface list.

6. Change the WEB Port (HTTPS) and/or SSH access ports if required.

7. Click Apply.

To delete administrator access from a specific IP address:

1. In the Admin Access page, select the IP Address you want to delete from the IP Address table.

2. Click Delete.

To give administrator access from specific interfaces:

1. In the Admin Access page, select an option from the Interface list:

a) ALL - access is permitted from all interfaces.

b) LAN1 + WAN - access is permitted from the LAN1 interface, interfaces that are part of the switch that LAN1 participates in (if configured) and from any interface that you define as an external interface (leads to the Internet, for example, WAN).

c) WAN - access is permitted from any interface defined as an external interface (leads to the internet, for example, WAN).

d) ALL LAN - access is permitted from all LAN# interfaces. Access is not permitted from the DMZ interface with this option.

e) LAN1 - access is permitted from the LAN1 interface and from interfaces that are part of the switch that LAN1 participates in (if configured).

2. Click Apply.

Important Notes:

Administrator access by interface is not supported when your Internet Connection is configured in bridge mode (the option Access from the above IP addresses is allowed only from the following interfaces does not appear).

An automatic implied rule is defined to allow the access specified here. There is no need to add an explicit rule in the Security Policy in SmartDashboard in order to allow this access. If you wish to override this, go to SmartDashboard > Firewall Implied Rules section and clear "Accept Web and SSH connections for gateway's administration".

For your convenience, when you block the IP address or the network interface through which you are currently connected, you will not be disconnected immediately. The access policy is applied immediately, but your current session remains active until you log out.
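The administrator access policy above combines three decisions: is the destination one of the configured WEB (HTTPS) or SSH ports, does the ingress interface fall under the selected Interface option, and does the client address match the Any IP Address / Specific IP Address setting. This added example evaluates those decisions and includes the review check a hardening pass would want (administration open to any address on an external interface); it is not Check Point code, and the policy record, the port fields and the classification of interface names are assumptions for illustration.

```python
"""Evaluation of the Admin Access policy: a client reaches the WebUI or SSH only if
its address matches the configured IP list (or Any IP Address) and it arrives on an
interface admitted by the Interface option.  Added example, not Check Point code:
the policy record, the port fields and the way interface names are classified are
assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List

# Interface option values as listed on the Admin Access page.
INTERFACE_OPTIONS = ("ALL", "LAN1 + WAN", "WAN", "ALL LAN", "LAN1")


@dataclass
class AdminAccessPolicy:
    https_port: int                      # WEB Port (HTTPS)
    ssh_port: int                        # SSH access port
    any_ip: bool = True                  # Any IP Address vs. Specific IP Address
    allowed: List[str] = field(default_factory=list)  # Specific IP / Network entries, CIDR
    interface_option: str = "ALL"


def interface_permitted(option: str, ingress: str, external: FrozenSet[str],
                        lan1_switch: FrozenSet[str]) -> bool:
    """Map an Interface option to a yes/no for the ingress interface.  `external` holds
    interfaces defined as external (leads to the Internet); `lan1_switch` holds LAN
    ports that are part of the switch LAN1 participates in."""
    if option not in INTERFACE_OPTIONS:
        raise ValueError(f"unknown interface option: {option}")
    is_external = ingress in external
    is_lan_port = ingress.startswith("LAN")          # LAN# ports; DMZ is not one
    in_lan1_group = ingress == "LAN1" or ingress in lan1_switch
    return {
        "ALL": True,
        "LAN1 + WAN": in_lan1_group or is_external,
        "WAN": is_external,
        "ALL LAN": is_lan_port,
        "LAN1": in_lan1_group,
    }[option]


def admin_access_allowed(policy: AdminAccessPolicy, client_ip: str, ingress: str,
                         dst_port: int, external: FrozenSet[str] = frozenset({"WAN"}),
                         lan1_switch: FrozenSet[str] = frozenset()) -> bool:
    """True if the connection is covered by the administration access policy (and so by
    the implied rule the guide mentions); other traffic is left to the Security Policy."""
    if dst_port not in (policy.https_port, policy.ssh_port):
        return False                                  # not an administration port
    if not interface_permitted(policy.interface_option, ingress, external, lan1_switch):
        return False
    if policy.any_ip:
        return True
    client = ipaddress.IPv4Address(client_ip)
    return any(client in ipaddress.IPv4Network(entry) for entry in policy.allowed)


def exposed_to_internet(policy: AdminAccessPolicy,
                        external: FrozenSet[str] = frozenset({"WAN"})) -> bool:
    """Review helper: does the policy admit administration from any address on an
    external interface?  Worth flagging when hardening the appliance."""
    return policy.any_ip and any(
        interface_permitted(policy.interface_option, name, external, frozenset())
        for name in external)


if __name__ == "__main__":
    # Constructed policy: two management sources, LAN1 only; port values are sample only.
    policy = AdminAccessPolicy(https_port=4434, ssh_port=22, any_ip=False,
                               allowed=["192.168.1.10/32", "10.0.0.0/8"],
                               interface_option="LAN1")
    print(admin_access_allowed(policy, "192.168.1.10", "LAN1", 4434))   # True
    print(admin_access_allowed(policy, "192.168.1.10", "WAN", 4434))    # False
    print(exposed_to_internet(AdminAccessPolicy(4434, 22, any_ip=True)))  # True
```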

Licensing

In the License Activation page in the WebUI, select a method to use to activate the software blade licenses. You also need to do this procedure to update your license after you purchase a new software blade.

To activate a license now:

1. Select Choose how to activate the license and either:

a) Click Obtain License from User Center and then Activate License. The Security Gateway 80 appliance will contact Check Point's User Center and will install the license automatically. To use a proxy server, click the Set Proxy link, select the checkbox and enter the address and port. Note that this option is available only if you are connected to the Internet.

b) Click Import Activation file and then Browse to select a license activation file. You can receive the activation file by doing one of these offline procedures:

Using your User Center account - log in to your User Center account from a PC connected to the Internet and select the specific container of your Security Gateway 80 appliance. In the Product Information tab, click License and then Activate. This message is shown: "Licenses were generated successfully". Click Get Activation File and save your activation file locally.

Registering your appliance - go to http://register.checkpoint.com, fill in your appliance details and then click Activate. This message is shown: "Licenses were generated successfully". Click Get Activation File and save your activation file locally.

Click Activate License (once you click this, you will see the option Reactivate License). The software blades associated with this license and their expiration dates are shown.

2. To set trial licenses that are valid for 30 days, click Activate later (use trial license).

License States and Descriptions

State - Description

Trial - Before or after SIC was established, no license

Never - License installed, never expires (relevant for Firewall and IPSec VPN blades only)

Expires - License installed and expires on this specific date

Expired - License installed but has expired

No subscription - License installed but subscription not found

Missing License - License error: the license does not cover this blade (contact Check Point account services)

No License - No service: the relevant container does not contain this blade (contact Check Point account services)

Security

Integrated Anti-Virus Protection

Viruses are a major threat to network operations and have become increasingly dangerous and sophisticated. Examples include worms, blended threats (which use combinations of malicious code and vulnerabilities for infection and dissemination) and Trojan horses.

No extra IT resources are necessary for integrated Anti-Virus solutions and organizations benefit from their easy management in the familiar Check Point SMART infrastructure, which includes policy management, logging and monitoring. As a single box solution, hardware management is also simplified.

Eicar is a test file used by various security solutions as a safe method of checking the soundness of an installation. Although R71 blocks live viruses by default, in stream mode it only detects Eicar and writes an appropriate log, to prevent false detections. Unlike R71, Security Gateway 80 blocks Eicar by default.

How Eicar is handled depends on the mode set with this command: fw ctl set int g_ci_av_eicar_handling_mode <mode>

Where <mode> is:

0 - Monitor only

1 - Ignore

2 - Block

Architecture

When Anti-Virus scanning is enabled, scanning is done in Stream mode - where traffic for the selected protocols is processed in the kernel on the stream of data without storing the entire file. The data is allowed or blocked based on the response of the kernel.

This mode is based on state-of-the-art virus signatures that are frequently updated in order to detect recent Malware outbreaks.

Anti-Virus scanning is applied only to accepted traffic that has been allowed by the security policy.

URL Filtering

Access to the Internet can expose your organization to a variety of security threats and negatively affect employee productivity as a result of non-work-related surfing and downloading of files. Due to the problems associated with excessive employee Web surfing, organizations are turning to URL Filtering to control employee Internet access, reduce legal liability and improve organizational security. URL Filtering enforces filtering rules based on the organization's needs and predefined categories made up of URLs and patterns of URLs.

URL Filtering includes reporting and monitoring tools that capture and present Web traffic data, and give organizations an in-depth look at how Web surfing affects their organization's security and supports decisions regarding Web surfing limitations.

A Web filter is a function that screens Web page requests to determine whether or not to display their Web content. The Web filter verifies the Web page URL against a list of approved sites and blocks access to complete sites or pages within sites that contain objectionable material (for example, pornography, illegal software and spyware).

Architecture

When a URL request arrives at a local machine, the machine checks the Network Exceptions List to determine whether to enforce the URL Filtering policy. The URL Filtering policy is activated if the connection is accepted by the Security Policy. If the URL Filtering policy is enforced, the URL header is stripped and the address is sent to the Web Filter engine.

The URL is allowed or blocked based on URL request information in the predefined database and/or the Web Filter Allow/Block Lists. For example, if the URL address matches two or more categories and one of them is blocked, the URL address is denied; however, if the same address appears in the Allow List, it is accepted.

The Web Filter engine is located in Check Point's data center; the Security Gateway 80 queries Check Point's center for each request and categorizes it accordingly. A local cache is maintained on the Security Gateway 80 to ensure high performance.

Messaging Security

The relentless and unprecedented growth in unwanted email now poses an unexpected security threat to the network. As the amount of resources (disk space, network bandwidth, CPU) devoted to handling unsolicited emails increases from year to year, employees waste more and more time sorting through unsolicited bulk email, commonly known as spam. Anti-Spam and Mail provides network administrators with an easy and central way to eliminate most of the spam reaching their networks.

The Security Gateway 80 appliance performs Anti-Spam based on IP reputations.

IP Reputation Anti-Spam - IP reputation is an Anti-Spam mechanism that checks the IP address of the message sender (contained in the opening SYN packet) against a dynamic database of suspect IP addresses. If, according to the IP reputation service, the originating network has a reputation for sending spam, then the spam session is blocked at connect time. In this way, the IP reputation feature creates a list of trusted email sources.

Diagnostics

Tools

The Tools page contains options for pinging or tracing an IP address, performing a DNS lookup, showing the routing table, capturing packets and resource monitoring.

To monitor system resources:

1. Click Monitor System Resources. The System Resources page opens and shows the following information:

CPU usage history

Memory usage history - memory is calculated without the memory that was preallocated to handle traffic and without cache memory. This gives a more accurate picture of the actual memory usage in the appliance, but it may differ from the figures you get from Linux tools.

Disk usage

2. Click Refresh Disk Usage to display the most updated disk usage.

3. Click Close to return to the Tools page.

To show the routing table:

1. Click Show Routing Table. The output appears in the Command Output box.

2. Click Back to return to the Tools page.

To capture packets:

1. Click Packet Capture.

2. Select an option from the Select Network list.

3. Click Start and then Stop when you want to stop packet capturing.

4. Click Download to view or save the capture file.

5. Click Back to return to the Tools page.

You can activate packet capture and go to other WebUI application pages while the packet capture runs in the background. However, the packet capture stops automatically if the WebUI session ends. Make sure you return to the packet capture page, stop and download the capture result before you end the WebUI session.

Note - The capture utility uses tcpdump. "fw monitor" is available through the command line interface.

To ping or trace an IP address:

1. Enter an IP or host name in the Host Name or IP Address box.

2. Click Ping or Trace Route. The output appears in the Command Output box.

3. Click Back to return to the Tools page.

To perform a DNS lookup:

1. Enter a Host Name or IP Address.

2. Click Lookup. The output appears in the Command Output box.

3. Click Back to return to the Tools page.

To generate a CPInfo file:

1. Click Generate CPInfo File.

2. Click Download CPInfo File to view or save the CPInfo file.

Traffic Logs

The Traffic Logs page lets you browse the last 100 log records. These logs are sent to SmartView Tracker, but are also available on this page for your convenience.

Note that the number of logs shown is not configurable, and is not related to the SmartDashboard setting "GW properties> Logs and alert > Max log size…" (this setting only applies to logs that are saved by the gateway when the Security Management Server cannot be reached).

The Service column, which shows the destination port for UDP/TCP traffic, is empty for non-UDP/TCP traffic (see the Protocol column for this information). Some known destination ports are translated into the known protocols that pass through them. Port 4434 in Security Gateway 80 is translated by default to https.

System Logs

The System Logs page displays system logs generated by the appliance at all levels except the debug level. These logs should be used mainly for troubleshooting purposes and can also provide the administrator with notifications of events that occurred on the appliance.

For example: Setting an external connection as the "Active" connection while the appliance is configured in Internet Connection High Availability mode.

To download the full log file:

1. Click Download Full Log File.

2. Click Open or Save.

To save a snapshot of the system logs to the flash disk:

1. Select the option Save a snapshot of system logs to flash every ___ minutes.

2. Click Apply.

The default value for the interval is 180 minutes (3 hours).

The minimum value for the interval is 30 minutes.

This is an effort to keep system logs persistent across reboots, but it is not 100% guaranteed.

CLI Reference

Using Command Line Interface

Changes to the Security Gateway 80 appliance should be made with the WebUI. When using the command line interface (CLI), note these aspects:

Security Gateway 80's operating system is SecurePlatform Embedded.

The CLI default shell (cpshell) is restricted, as in SecurePlatform. You can log in to Expert mode for a full bash shell, as in SecurePlatform.

Changes to the configuration are only supported from the appliance WebUI. Advanced users can use the command line shell for troubleshooting and temporary networking modifications, but such changes are not persistent and are lost on reboot. Note that temporary changes are not reflected in the WebUI.

These SecurePlatform commands are not supported in this version:

ifconfig

ifconfig --save

SSH to the appliance is supported and is enabled through the WebUI.

You can enable login directly to Expert mode. To do this:

1. Log in to Expert mode using the "Expert" password.

2. Run the command bashUser on

You will now always log in directly to Expert mode (this setting is not deleted during reboot).

To turn this mode off, run the command bashUser off

SCP to the appliance is supported, but you need to enable direct login to Expert mode. For more information, see sk52763 (http://supportcontent.checkpoint.com/solutions?id=sk52763). Note that SFTP, which is commonly used by WinSCP, is not supported.

CLISH Auto-completion

All CLISH commands support auto-completion. Standard Check Point and native Linux commands can be used from the CLISH shell but do not support auto-completion. These are examples of the different commands:

CLISH - fetch, set, show

Standard Check Point - cphaprob, fw, vpn

Native Linux - ping, tcpdump, traceroute

CLI Syntax

The CLI commands are formatted according to these syntax rules.

Notation - Description

Text without brackets or braces - Items you must type as shown

<Text inside angle brackets> - Placeholder for which you must supply a value

[Text inside square brackets] - Optional items

Vertical bar (|) - Separator for mutually exclusive items; choose one

{Text inside braces} - Set of required items; choose one

Ellipsis (…) - Multiple values or parameters can be entered


Using Hostnames

Follow these standards when using hostnames in Security Gateway 80 CLI commands.

Hostnames can only contain alphanumeric characters and periods

Only use underscore characters in the first segment of a hostname, but not as the first or last character

The last segment must start with an alphabetic character

For example, my_host.checkpoint is a legal hostname, but myhost.check_point causes an error message because there is an underscore character in the second segment.

Using Domain Names

Follow these standards when using domain names in Security Gateway 80 CLI commands.

Domain names can only contain alphanumeric characters and periods

The last segment must start with an alphabetic character

For example, mydomain.checkpoint.com is a legal domain name, but my_domain.checkpoint.com causes an error message because there is an underscore character in the first segment.
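The hostname and domain name rules above, implemented as a validator you can run before typing a name into the CLI. This is an added example, not Check Point code; the error reasons are my own wording, not the appliance's exact messages.

```python
import re

# Segment grammar derived from the naming rules above (added example, not
# Check Point code). The first segment of a hostname may contain underscores,
# but not at its start or end; every other segment is purely alphanumeric.
_FIRST_SEGMENT = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_]*[A-Za-z0-9])?$")
_PLAIN_SEGMENT = re.compile(r"^[A-Za-z0-9]+$")


def _split(name: str):
    """Split on periods; reject empty segments (leading, trailing or doubled dots)."""
    segments = name.split(".")
    if any(seg == "" for seg in segments):
        return None
    return segments


def check_hostname(name: str) -> tuple[bool, str]:
    """Apply the Security Gateway 80 hostname rules.

    Returns (True, "") when the name is legal, otherwise (False, reason).
    """
    segments = _split(name)
    if segments is None:
        return False, "hostname contains an empty segment"
    for index, seg in enumerate(segments, start=1):
        # Underscores are tolerated only inside the first segment.
        pattern = _FIRST_SEGMENT if index == 1 else _PLAIN_SEGMENT
        if not pattern.match(seg):
            if "_" in seg:
                if index == 1:
                    return False, "underscore may not be the first or last character of the first segment"
                return False, f"there is an underscore character in segment {index}"
            return False, f"illegal character in segment {index}"
    if not segments[-1][0].isalpha():
        return False, "the last segment must start with an alphabetic character"
    return True, ""


def check_domainname(name: str) -> tuple[bool, str]:
    """Apply the domain name rules: alphanumerics and periods only (no
    underscores anywhere), and the last segment must start with a letter."""
    segments = _split(name)
    if segments is None:
        return False, "domain name contains an empty segment"
    for index, seg in enumerate(segments, start=1):
        if not _PLAIN_SEGMENT.match(seg):
            if "_" in seg:
                return False, f"there is an underscore character in segment {index}"
            return False, f"illegal character in segment {index}"
    if not segments[-1][0].isalpha():
        return False, "the last segment must start with an alphabetic character"
    return True, ""


if __name__ == "__main__":
    # The four names used in the text above, plus two edge cases.
    for fn, name in [
        (check_hostname, "my_host.checkpoint"),
        (check_hostname, "myhost.check_point"),
        (check_hostname, "_myhost.checkpoint"),
        (check_hostname, "myhost.1checkpoint"),
        (check_domainname, "mydomain.checkpoint.com"),
        (check_domainname, "my_domain.checkpoint.com"),
    ]:
        ok, reason = fn(name)
        print(f"{fn.__name__}({name!r}) -> {'legal' if ok else 'error: ' + reason}")
```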

Supported Linux Commands

These standard Linux commands are also supported by the Security Gateway 80 CLI:

arp

netstat

nslookup

ping

resize

sleep

tcpdump

top

traceroute

uptime

add admin access

Adds a specific IPv4 address or a network IPv4 address from which the admin can remotely access the appliance.

Description: The admin can access the appliance from the single IPv4 address or from the network address.

Syntax: add admin-access-ipv4-address {single-ipv4-address|network-ipv4-address} <ip_addr> {subnet-mask <netmask>|mask-length <mask_length>}

Parameters:
<ip_addr> - IPv4 address
<mask_length> - Interface mask length, a value between 1 and 32
<netmask> - Interface IPv4 address subnet mask

Return Value: 0 on success, 1 on failure


Example: add admin-access-ipv4-address network-ipv4-address 1.1.1.1 subnet-mask 255.255.255.0
add admin-access-ipv4-address network-ipv4-address 1.1.1.1 mask-length 18

Output: Success prints OK. Failure prints appropriate error message.

add host

Description: Adds a static host named <host> with IP address <ip_addr>.

Syntax: add host name <host> ipv4-address <ip_addr>

Parameters:
<host> - The host name
<ip_addr> - The host IPv4 address

Return Value: 0 on success, 1 on failure

Example: add host name John ipv4-address 1.1.1.1

Output: Success prints OK. Failure prints appropriate error message.

add interface

Description: Adds VLAN <vlan> to interface <interface>.

Syntax: add interface <interface> vlan <vlan>

Parameters:
<interface> - Valid interface name
<vlan> - VLAN name, a value between 1 and 4094

Return Value: 0 on success, 1 on failure

Example: add interface LAN4 vlan 1

Output: Success prints OK. Failure prints appropriate error message.

add ntp

Adds an NTP (Network Time Protocol) server, with the option to designate it as the primary or secondary server.

Description: Adds an NTP server with IP address or host name <ip_addr_host>.

Syntax: add ntp server <ip_addr_host> [prefer <on|off> active <on|off>]

Parameters:
<ip_addr_host> - NTP server host name or IPv4 address
<on|off> - On enables the NTP server, Off disables the NTP server

Return Value: 0 on success, 1 on failure


Example: add ntp server 1.1.1.1
add ntp server 1.1.1.2 prefer on
add ntp server 1.1.1.2 prefer on active off
add ntp server 1.1.1.2 active on

Output: Success prints OK. Failure prints appropriate error message.

Comments: If active is off or is not set, NTP is disabled.

add snmp

Adds SNMP related parameters.

Adding SNMP v2 Traps Receiver

The add snmp command adds an SNMPv2 traps receiver.

Description: Adds an SNMPv2 traps receiver. <comm_string> is used for SNMP security and authentication.

Syntax: add snmp traps receiver <ip_addr> version v2 community <comm_string>

Parameters:
<ip_addr> - Trap receiver IPv4 address
<comm_string> - A password for the v1 and v2 protocols. The value can be any word.

Return Value: 0 on success, 1 on failure

Example: add snmp traps receiver 1.1.1.1 version v2 community abcd

Output: Success prints OK. Failure prints appropriate error message.

Adding SNMP v3 Traps Receiver

The add snmp command adds an SNMPv3 traps receiver.

Description: Adds an SNMPv3 traps receiver. The security parameters that are defined for <v3_user> are used.

Syntax: add snmp traps receiver <ip_addr> version v3 usm user <v3_user>

Parameters:
<ip_addr> - Trap receiver IPv4 address
<v3_user> - A string representing the name of the user to add

Return Value: 0 on success, 1 on failure

Example: add snmp traps receiver 1.1.1.1 version v3 usm user usm1

Output: Success prints OK. Failure prints appropriate error message.


add switch

Adds an interface to a LAN switch. If the LAN switch does not exist, it is created and inherits all settings from the LAN1 interface.

Description: Adds an interface <interface> to a LAN switch.

Syntax: add switch port <interface>

Parameters:
<interface> - Valid interface name

Return Value: 0 on success, 1 on failure

Example: add switch port LAN4

Output: Success prints OK. Failure prints appropriate error message.

Comments: The interface that is added to the switch must be unassigned. When the command is run on an interface that has an IP address assigned to it, this error message is printed: Error: <interface> port has static IP address assigned.

LAN1 is always a part of the LAN switch.

add user

Adds a new user with two optional password parameters: standard and MD5 encrypted.

Description: Adds a new user named <user> and specifies password <pass> or <pass_hash>.

Syntax: add user <user> [password <pass>]
add user <user> [password-hash <pass_hash>]

Parameters:
<user> - User login name
<pass> - User password. Alphanumeric and special characters are allowed.
<pass_hash> - User password, MD5 string representation

Return Value: 0 on success, 1 on failure

Example: add user John
add user John password extremelySafePassword

Output: Success prints OK. Failure prints appropriate error message.

Comments: Password <pass> or <pass_hash> can be set later using the set user command.

To generate a password hash, you can use this command on any Security Gateway 80 gateway (as an expert user):

cryptpw -a md5 <password string>

backup settings

Creates a backup file that contains the current settings for the appliance. The file is saved to either a USB device or a TFTP server. You can use these options when the backup file is created:

Specific file name (the default file name contains the current image and a date and time stamp)


Password encryption

Backup policies

Add a comment to the file

Description: Backs up the settings currently on the appliance and saves them to a file.

Syntax: backup settings to {usb|tftp server <serverIP>} [filename <filename>] [file-encryption {off|on password <pass>}] [backup-policy {on|off}] [add-comment <comment>]

Parameters:
<comment> - Comment that is added to the file
<filename> - Name of the backup file
<pass> - Password for the file. Alphanumeric and special characters are allowed.
<serverIP> - IPv4 address of the TFTP server

Return Value: 0 on success, 1 on failure

Example: backup settings to usb file-encryption on password admin backup-policy on add-comment check_point_new_configuration

Output: Success prints OK. Failure prints appropriate error message.

Comments: When saving the backup file to a USB device, the backup settings command fails if two USB devices are connected to the appliance.

cphaprob

The cphaprob command defines critical cluster member processes for the appliance. When a critical process fails, the appliance is considered to have failed.

Description: Manages the cluster properties of the appliance

Syntax: cphaprob [-i[a]] [-e] [-d <device>] [-t <timeout>] [-s {ok|init|problem}] [-f <file>] [-p] [register|unregister|report|list|state|if]


Parameters:
register - Registers <device> as a critical process
-a - Lists all devices in the cluster
-d <device> - The name of the device as it appears in the output of cphaprob list
-p - The configuration change is permanent and applies after the appliance reboots
-t <timeout> - If <device> fails to contact ClusterXL in <timeout> seconds, <device> is considered to have failed. To disable this parameter, enter the value 0.
-s - Status to be reported:
  ok - <device> is alive
  init - <device> is initializing
  problem - <device> has failed
-f <file> register - Option to automatically register several devices. The file defined in the <file> field should contain the list of devices with these parameters: <device>, <timeout>, status
unregister - Unregisters <device> as a critical process
report - Reports the status of <device> to the gateway
list - Displays the state of:
  -i - Internal (as well as external) devices, such as interface check and HA initialization
  -e - External devices, such as devices registered by the user or outside the kernel. For example: fwd, sync, filter.
  -ia - All devices, including those used for internal purposes, such as node initialization and load-balance configuration
state - Displays the state of all the gateways in the High Availability configuration
if - Displays the state of interfaces

Example: cphaprob -d $process -t 0 -s ok -p register

Output: Success prints OK. Failure prints appropriate error message.

These are some typical scenarios for the cphaprob command.

Argument - Description

cphaprob -d <device> -t <timeout(sec)> -s <ok|init|problem> [-p] register - Register <device> as a critical process, and add it to the list of devices that must be running for the cluster member to be considered active.


cphaprob -f <file> register - Register all the user defined critical devices listed in <file>.

cphaprob -d <device> [-p] unregister - Unregister a user defined <device> as a critical process. This means that this device is no longer considered critical.

cphaprob -a unregister - Unregister all the user defined devices.

cphaprob -d <device> -s <ok|init|problem> report - Report the status of a user defined critical device to ClusterXL.

cphaprob [-i[a]] [-e] list - View the list of critical devices on a cluster member, and of all the other machines in the cluster.

cphaprob state - View the status of a cluster member, and of all the other members of the cluster.

cphaprob [-a] if - View the state of the cluster member interfaces and the virtual cluster interfaces.

Examples

cphaprob -d <device> -t <timeout(sec)> -s <ok|init|problem> [-p] register
cphaprob -f <file> register
cphaprob -d <device> [-p] unregister
cphaprob -a unregister
cphaprob -d <device> -s <ok|init|problem> report
cphaprob [-i[a]] [-e] list
cphaprob state
cphaprob [-a] if

cphastop

Running cphastop on an appliance that is a cluster member stops the appliance from passing traffic. State synchronization also stops.

Description: Disables High Availability on the appliance

Syntax: cphastop

Parameters: n/a

Return Value: 0 on success, 1 on failure

Example: cphastop

Output: Success prints OK. Failure prints appropriate error message.

cpinfo

CPinfo is a utility that collects data on a machine at the time of execution. The CPinfo output file enables Check Point's support engineers to analyze setups from a remote location. The file is saved to a USB drive or a TFTP server.

Description: Creates a Check Point Support Information file on a USB drive or TFTP server


Syntax: cpinfo {to-tftp <ipaddr>|to-usb}

Parameters:
<ipaddr> - IPv4 address of the TFTP server

Return Value: 0 on success, 1 on failure

Example: cpinfo to-usb

Output: Success prints Creating cpinfo.txt file. Failure prints appropriate error message.

cpshell

Description: Starts cpshell.

Syntax: cpshell

Parameters: n/a

Return Value: 0 on success, 1 on failure

Example: cpshell

Output: None

Comments: Use the shell ("shell/expert" on page 114) command to switch to Expert mode.

cpstart

Starts all Check Point processes and applications running on a machine.

Description: Starts firewall services

Syntax: cpstart

Parameters: n/a

Return Value: 0 on success, 1 on failure

Example: cpstart

Output: Success prints Starting CP products.... Failure prints appropriate error message.

cpstat

Displays the status of Check Point applications.

Description: Displays Check Point statistics info

Syntax: cpstat [-h <host>] [-p <port>] [-s <SICname>] [-f <flavor>] [-o <polling>] [-c <count>] [-e <period>] [-d] application_flag <flag>


Parameters:
-h <host> - A resolvable hostname, a dot-notation address (for example: 192.168.33.23), or a DAIP object name. The default is localhost.
-p <port> - Port number of the server. The default is the standard server port (18192).
-s <SICname> - Secure Internal Communication (SIC) name of the server.
-f <flavor> - The flavor of the output (as it appears in the configuration file). The default is the first flavor found in the configuration file.
-o <polling> - Polling interval (seconds) specifies the pace of the results. The default is 0, meaning the results are shown only once.
-c <count> - Specifies how many times the results are shown. The default is 0, meaning the results are shown repeatedly.
-e <period> - Specifies the interval (seconds) over which 'statistical' OIDs are computed. Ignored for regular OIDs.
-d - Debug mode.
<flag> - The application whose status is displayed. One of:
  fw - Firewall component of the Security Gateway
  vpn - VPN component of the Security Gateway
  fg - QoS (formerly FloodGate-1)
  ha - ClusterXL (High Availability)
  os - OS Status
  mg - Security Management server
  persistency - historical status values
  polsrv
  uas
  svr
  cpsemd
  cpsead
  asm
  ls
  ca

Return Value: 0 on success, 1 on failure

Example: cpstat -h 192.168.1.1 fw

Output: Success prints OK. Failure prints appropriate error message.


The following flavors can be added to the application flags:

fw - "default", "interfaces", "all", "policy", "perf", "hmem", "kmem", "inspect", "cookies", "chains", "fragments", "totals", "ufp", "http", "ftp", "telnet", "rlogin", "smtp", "pop3", "sync"

vpn - "default", "product", "IKE", "ipsec", "traffic", "compression", "accelerator", "nic", "statistics", "watermarks", "all"

fg - "all"

ha - "default", "all"

os - "default", "ifconfig", "routing", "memory", "old_memory", "cpu", "disk", "perf", "multi_cpu", "multi_disk", "all", "average_cpu", "average_memory", "statistics"

mg - "default"

persistency - "product", "Tableconfig", "SourceConfig"

polsrv - "default", "all"

uas - "default"

svr - "default"

cpsemd - "default"

cpsead - "default"

asm - "default", "WS"

ls - "default"

ca - "default", "crl", "cert", "user", "all"

cpstop

Terminates all Check Point processes and applications running on the appliance.

Description: Stops firewall services

Syntax: cpstop

Parameters: n/a

Return Value: 0 on success, 1 on failure

Example: cpstop

Output: Success prints Uninstalling Security Policy.... Failure prints appropriate error message.

cpwd_admin

The cpwd_admin utility can be used to verify if a process is running, and to stop and start a process if necessary.

Description: cpwd_admin commands

Syntax: cpwd_admin {del <name>|detach <name>|list|kill|exist|start_monitor|stop_monitor|monitor_list}


Parameters:
del - Deletes a process
detach - Detaches a process
list - Prints the status of processes
kill - Stops cpWatchDog
exist - Checks if cpWatchDog is running
start_monitor - cpwd starts monitoring this machine
stop_monitor - cpwd stops monitoring this machine
monitor_list - Displays the list of monitored processes
<name> - Name of the process

Return Value: 0 on success, 1 on failure

Example: cpwd_admin start_monitor

Output: Success prints OK. Failure prints appropriate error message.

cpwd_admin config

Sets cpWatchDog configuration parameters. When the parameters are changed, the changes are applied after cpwd is stopped and restarted.

Description: Manages cpWatchDog parameters

Syntax: cpwd_admin config {-p|-a <value=data value=data...>|-d <value value...>|-r}

Parameters:
-p - Prints the cpwd parameters.
-a - Adds one or more monitoring parameters.
-d - Deletes one or more parameters.
-r - Restores the default cpwd parameters.


<value> arguments:
timeout - If rerun_mode=1, how much time passes from process failure to rerun. The default value is 60 seconds.
no_limit - Maximum number of times that cpwd tries to restart a process. The default is 5.
zero_timeout - After failing no_limit times to restart a process, cpwd waits zero_timeout seconds before retrying. The default is 7200 seconds. This value should be greater than timeout.
sleep_mode - 1: wait timeout. 0: ignore timeout and rerun the process immediately.
dbg_mode - 1: Accept pop-up error messages (with exit-code#0) displayed when a process terminates abruptly (Windows NT only). 0: Do not receive pop-up error messages. This is useful if pop-up error messages freeze the machine. This is the default value (Windows NT only).
rerun_mode - 1: Rerun a failed process. This is the default value. 0: Do not rerun a failed process.
stop_timeout - The time in seconds that cpwd waits for a stop command to be completed. Default is 60 seconds.
reset_startups - The time in seconds that cpwd waits after the process begins before it resets the startup_counter. Default value is 1 hour. An hour after the process begins, the startup counter is reset to 0.

Return Value: 0 on success, 1 on failure

Example: cpwd_admin config -a timeout=120 no_limit=12

Output: Success prints OK. Failure prints appropriate error message.
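The restart policy these parameters describe, as an added model (not Check Point code) with the documented defaults, so you can see how long a crash-looping critical process stays down before tuning timeout and no_limit. It assumes, which the page does not state, that the startup counter begins again from 0 after the zero_timeout back-off.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example modelling the cpwd_admin config parameters documented above;
# it is not Check Point code. Field defaults are the documented defaults.


@dataclass
class CpwdConfig:
    rerun_mode: int = 1         # 1: rerun a failed process, 0: leave it down
    sleep_mode: int = 1         # 1: wait `timeout` before the rerun, 0: rerun at once
    timeout: int = 60           # seconds from failure to rerun
    no_limit: int = 5           # restarts allowed before the long back-off
    zero_timeout: int = 7200    # back-off (seconds) after no_limit failed restarts
    reset_startups: int = 3600  # run this long and the startup counter resets to 0


def restart_delays(cfg: CpwdConfig, uptimes: List[int]) -> List[Optional[int]]:
    """For each crash in `uptimes` (seconds the process ran before dying),
    return how long cpwd waits before the next start, or None when the
    process is left down (rerun_mode=0).

    Assumption made by this model (not stated on the page): after the
    zero_timeout back-off the startup counter begins again from 0.
    """
    delays: List[Optional[int]] = []
    startup_counter = 0
    for ran_for in uptimes:
        if cfg.rerun_mode == 0:
            delays.append(None)
            break  # nothing is restarted, so no further crash can occur
        if ran_for >= cfg.reset_startups:
            startup_counter = 0  # process ran long enough: counter already reset
        if startup_counter < cfg.no_limit:
            delays.append(cfg.timeout if cfg.sleep_mode == 1 else 0)
            startup_counter += 1
        else:
            delays.append(cfg.zero_timeout)  # no_limit restarts failed: long wait
            startup_counter = 0
    return delays


def total_downtime(cfg: CpwdConfig, uptimes: List[int]) -> int:
    """Seconds the process spends down across the given crash sequence."""
    return sum(d for d in restart_delays(cfg, uptimes) if d is not None)


if __name__ == "__main__":
    crash_loop = [5] * 7  # constructed: the process dies 5 s after every start
    print("defaults:", restart_delays(CpwdConfig(), crash_loop))
    tuned = CpwdConfig(timeout=120, no_limit=12)  # the page's example values
    print("timeout=120 no_limit=12:", restart_delays(tuned, crash_loop))
```

With the defaults, the sixth crash in a row costs a two-hour wait; the page's `timeout=120 no_limit=12` example trades a slower rerun for twelve attempts before that back-off.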

cpwd_admin start|stop

Starts a new process, or stops an existing process, using cpwd.

Description: Starts or stops a process

Syntax: cpwd_admin {start|stop} -name <process> -path <path> -command <cli_command>

Parameters:
<process> - Name of the process
<path> - Full path of the executable, including the executable name
<cli_command> - Name of the CLI command

Return Value: 0 on success, 1 on failure


Example: cpwd_admin start -name FWM -path $FWDIR/bin/fwm -command fwm

Output: Success prints OK. Failure prints appropriate error message.

delete admin access

Deletes a specific IP address or network address from which the admin can access the appliance.

Description: Deletes an IP address that allows remote access to the appliance

Syntax: delete admin-access-ipv4-address ipv4-address <ip_addr>

Parameters:
<ip_addr> - IPv4 address

Return Value: 0 on success, 1 on failure

Example: delete admin-access-ipv4-address ipv4-address 1.1.1.1

Output: Success prints OK. Failure prints appropriate error message.

delete ICMP server

Deletes an ICMP server from the primary or secondary Internet connection for the appliance.

Description: Deletes the settings for an ICMP server

Syntax: delete icmp-server <ip_addr> connection {primary|secondary}

Parameters:
<ip_addr> - IPv4 address
primary - ICMP server for the primary Internet connection
secondary - ICMP server for the secondary Internet connection

Return Value: 0 on success, 1 on failure

Example: delete icmp-server 1.1.1.1 connection primary

Output: Success prints OK. Failure prints appropriate error message.

delete dhcp

You can use the delete dhcp command to delete configured DHCP (Dynamic Host Configuration Protocol) settings. You can delete these settings:

Range of excluded IP addresses

Custom DHCP option codes

Deleting Excluded IP Addresses

Description: Deletes the IP address exclude range <DHCP_excl> that was defined for interface <interface>.

Syntax: delete dhcp server interface <interface> exclude-range <DHCP_excl>


Parameters:
<interface> - Valid interface name
<DHCP_excl> - IP address range: <ipv4-address>-<ipv4-address>

Return Value: 0 on success, 1 on failure

Example: delete dhcp server interface LAN2 exclude-range 1.1.1.1-1.1.1.8

Output: Success prints OK. Failure prints appropriate error message.

Deleting DHCP Custom Option Code

Description: Deletes the DHCP custom option with code <code> that was defined for interface <interface>.

Syntax: delete dhcp server interface <interface> custom-option code <code>

Parameters:
<code> - Integer that represents the DHCP custom option
<interface> - Valid interface name

Return Value: 0 on success, 1 on failure

Example: delete dhcp server interface LAN2 custom-option code 12

Output: Success prints Configurations Saved Successfully. Failure prints an appropriate error message.

Comments: For more information regarding DHCP options, see RFC 2132.

delete dns

Deletes the settings for the DNS (Domain Name Server) servers. The secondary DNS server is used when the primary DNS server does not respond. The tertiary DNS server is used when the primary and secondary DNS servers do not respond.

Description: Deletes the specified DNS server.

Syntax: delete dns {primary|secondary|tertiary}

Parameters: n/a

Return Value: 0 on success, 1 on failure

Example: delete dns secondary

Output: Success prints OK. Failure prints appropriate error message.

delete domainname

Description: Removes the domain name of the system.

Syntax: delete domainname


Parameters: n/a

Return Value: 0 on success, 1 on failure

Example: delete domainname

Output: Success prints OK. Failure prints appropriate error message.

Comments: To set a domain name for the system, use the set domainname command.

delete host

Description: Deletes the static host named <host>.

Syntax: delete host name <host>

Parameters:
<host> - Name of the static host

Return Value: 0 on success, 1 on failure

Example: delete host name cnn.com

Output: Success prints OK. Failure prints appropriate error message.

delete interface

You can use the delete interface command to delete these parameters from an interface:

Configured VLANs

Internet interfaces

Deleting VLANs

Description: Deletes the VLAN named <vlan> from the interface named <interface>.

Syntax: delete interface <interface> vlan <vlan>

Parameters:
<interface> - Valid interface name
<vlan> - VLAN name, a value between 1 and 4094

Return Value: 0 on success, 1 on failure

Example: delete interface LAN4 vlan 14

Output: Success prints OK. Failure prints appropriate error message.

Deleting the Internet Interface

Description: Deletes the Internet interface <interface>; <primary|secondary> selects the connection it is used for.


Syntax: delete interface <interface> [internet <primary|secondary>]

Parameters:
<interface> - Valid interface name
<primary|secondary> - Primary or secondary Internet connection

Return Value: 0 on success, 1 on failure

Example: delete interface WAN
delete interface DMZ internet secondary

Output: Success prints OK. Failure prints appropriate error message.

Comments: <primary|secondary> must be used when a secondary Internet connection is defined on the WAN.

When configuring the Internet connection for an interface in a DMZ, you must use the <primary|secondary> parameter.

delete ntp

Deletes the NTP (Network Time Protocol) server.

Description: Deletes the NTP server with IP address or host name <ip_addr_host>.

Syntax: delete ntp server <ip_addr_host>

Parameters:
<ip_addr_host> - NTP server host name or IP address

Return Value: 0 on success, 1 on failure

Example: delete ntp server 0.pool.ntp.org
delete ntp server 195.43.74.3

Output: Success prints OK. Failure prints appropriate error message.

delete proxy

Description: Deletes a proxy server.

Syntax: delete proxy

Parameters: n/a

Return Value: 0 on success, 1 on failure

Example: delete proxy

Output: Success prints OK. Failure prints appropriate error message.

delete snmp

Deletes these SNMP parameters:

SNMP trap receiver

SNMP contact information


SNMP location

SNMP v3 user

Description: Deletes SNMP related parameters

Syntax: delete snmp {trap receiver <ip_addr>|contact|location|user <v3_user>}

Parameters:
<ip_addr> - Trap receiver IPv4 address
<v3_user> - A string representing the name of the user to delete

Return Value: 0 on success, 1 on failure

Example: delete snmp trap receiver 1.1.1.1
delete snmp user usm1

Output: Success prints OK. Failure prints appropriate error message.

delete switch

Removes an interface from a LAN switch. Use the all option to remove all ports from the LAN switch.

Description: Deletes the interface named <interface> from a LAN switch.

Syntax: delete switch port {<interface>|all}

Parameters:
<interface> - Valid interface name that is removed from the LAN switch

Return Value: 0 on success, 1 on failure

Example: delete switch port LAN2
delete switch port all

Output: Success prints OK. Failure prints appropriate error message.

Comments: Port LAN1 cannot be removed from a LAN switch.

When the delete switch port all command is run, port LAN1 inherits the LAN switch configuration.

delete user

Description: Deletes the existing user with login name <user>.

Syntax: delete user <user>

Parameters:
<user> - Login name of the user

Return Value: 0 on success, 1 on failure

Example: delete user John

Output: Success prints OK. Failure prints appropriate error message.


dynamic objects

Manages dynamic objects on the appliance. The dynamic_objects command specifies an IP address to which the dynamic object is resolved.

First, define the dynamic object in SmartDashboard. Then create the same object with the CLI (-n argument). After the new object is created on the gateway with the CLI, you can use the dynamic_objects command to specify an IP address for the object.

This command cannot be executed when the Check Point gateway is running.

Description: Manages dynamic objects on the appliance

Syntax: dynamic_objects -o <object> [-r <fromIP> <toIP> ...] [-a] [-d] [-l] [-n <object>] [-c] [-do <object>]

Parameters:
-o - Name of the dynamic object that is being configured
-r - Defines the range of IP addresses that are being configured for this object
-a - Adds a range of IP addresses to the dynamic object
-d - Deletes a range of IP addresses from the dynamic object
-l - Lists the dynamic objects that are used on the appliance
-n - Creates a new dynamic object
-c - Compares the objects in the dynamic objects file and in objects.C
-do - Deletes the dynamic object
<object> - Name of the dynamic object
<fromIP> - Starting IPv4 address
<toIP> - Ending IPv4 address

Return Value: 0 on success, 1 on failure

Example: dynamic_objects -n sg80gw -r 190.160.1.1 190.160.1.40 -a

Output: Success prints Operation completed successfully. Failure prints appropriate error message.

exit

Description Exits from the shell.

Syntax exit

Parameters n/a

Return Value None


Example exit

Output None

fetch certificate Establishes SIC connection with management server and fetches certificate.

Description Establishes SIC connection with management server and fetches certificate. You fetch the certificate from a specific gateway with the gateway-name parameter.

Syntax fetch certificate mgmt-ipv4-address <ip_addr> [gateway-name <gw_name>]

Parameters

<ip_addr> Management IPv4 address

<gw_name> Gateway/Module name

Return Value 0 on success, 1 on failure

Example fetch certificate mgmt-ipv4-address 192.168.1.100 gateway-name mySG80

Output Success prints OK. Failure prints appropriate error message.

fetch license Fetches a license from one of these locations:

Local gateway (There is an option to specify the file name with the <file_name> parameter.)

User Center at Check Point

USB device (There is an option to specify the file name with the <file_name> parameter.)

Description Fetches license from specified location.

Syntax fetch license {local [file <file_name>]|usercenter|usb [file <file_name>]}

Parameters

<file_name> Name of the file that contains the license

Return Value 0 on success, 1 on failure

Example fetch license usb file LicenseFile.xml

Output Success prints OK. Failure prints appropriate error message.

fetch policy Fetches a policy from one of these locations:

Management server

Local gateway

Description Fetches policy from the management server with IPv4 address <ip_addr>.

Syntax fetch policy mgmt-ipv4-address <ip_addr>


Parameters

<ip_addr> IPv4 address of the management server

Return Value 0 on success, 1 on failure

Example fetch policy mgmt-ipv4-address 192.168.1.100

Output Success prints Done. Failure prints appropriate error message.

fw Commands The fw commands are used for working with various aspects of the firewall. All fw commands are executed on the Check Point Security Gateway. For more about the fw commands, see the R71 Command Line Interface (CLI) Reference Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10324).

fw commands can be found by typing fw [TAB] at a command line. For some of the CLI commands, you can enter the -h parameter to display all the relevant arguments and parameters. These commands are:

fw command Explanation

fw accel [-h] Turn acceleration on/off

fw activation [-h] Activate license

fw avload [-h] Load AV signatures to kernel

fw ctl [args] Control kernel

fw debug [-h] Turn debug output on or off

fw fetch Fetch last policy

fw fetchdefault [-h] Fetch default policy

fw fetchlocal [-h] Fetch local policy

fw monitor [-h] Monitor Check Point Security Gateway 80 traffic

fw pull_cert Pull certificate from internal CA

fw sfwd fw daemon

fw sic_init [-h] Initialize SIC

fw sic_reset [-h] Reset SIC

fw sic_test Test SIC with management

fw stat [-h] Display policy installation status of the Gateway. (Command is provided for backward compatibility.)

fw tab [-h] Display kernel-table content

fw unloadlocal Unload local policy

fw ver [-k] Display version


reboot

Description Reboots the system.

Syntax reboot

Parameters n/a

Return Value None

Example reboot

Output None

restore default-settings All the custom user settings for the appliance are deleted and the default settings are restored. The current software image (firmware version) is not changed.

Description Restores the default settings of the appliance without affecting the software image

Syntax restore default-settings

Parameters n/a

Return Value 0 on success, 1 on failure

Example restore default-settings

Output n/a

Comments The appliance automatically reboots after the default settings are restored.

restore settings Restores the appliance settings from a backup file. The backup file can be located on a USB device or on a TFTP server.

Description Restores the settings from a backup file to the appliance.

Syntax restore settings from {usb|tftp server <serverIP>} filename <file_name>

Parameters

<file_name> Name of the backup file.

<serverIP> IPv4 address of the TFTP server.

Return Value 0 on success, 1 on failure

Example restore settings from tftp server 1.1.1.1 filename sg80

Output n/a

Comments The appliance automatically reboots after the settings are restored.


revert to factory defaults Reverts the appliance to the original factory defaults. This command deletes all data and software images from the appliance.

Description Reverts the appliance to the factory defaults

Syntax revert to factory-defaults

Parameters n/a

Return Value 0 on success, 1 on failure

Example revert to factory-defaults

Output Success prints warning message. Enter yes to continue. Failure prints appropriate error message.

revert to saved image

Description Reverts the appliance to the saved software image

Syntax revert to saved-image

Parameters n/a

Return Value 0 on success, 1 on failure

Example revert to saved-image

Output Success prints OK. Failure prints appropriate error message.

set admin access Configures how an admin can manage the appliance: from which interfaces, on which ports, and from which IPv4 addresses. The add admin access command ("add admin access" on page 60) defines the IPv4 addresses from which remote management of the appliance is allowed.

Description Sets admin access parameters

Syntax set admin-access [interfaces <interface>] [web-access-port <web_port>] [ssh-access-port <ssh_port>] [allowed-ipv4-addresses <any|specific>]


Parameters

<interface> Configure from which interfaces admin access is allowed. These options can be used:

any

SWITCH+WAN

WAN

LAN

SWITCH

<web_port> Configures the web port for HTTPS access

<ssh_port> Secure Shell (SSH) port

<any|specific> any - Configures allowed admin access from all IPv4 addresses. specific - Only IPv4 addresses that are configured with the add admin access command can be used to access the appliance.

Return Value 0 on success, 1 on failure

Example set admin-access web-access-port 4434 allowed-ipv4-addresses specific

Output Success prints OK. Failure prints appropriate error message.

Comments Your access to the appliance may be blocked (although your current session is retained).
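The lock-out that the Comments line warns about can be checked for before the command is issued. The Python below is an added example, not Check Point code: it assembles the set admin-access command from the syntax above and refuses to produce it when the operator's own session address is missing from the list that add admin access already configured (that list and the operator address are inputs the caller supplies; the values used in the test are constructed). It also reports the two settings a reviewer would question first: admin ports reachable on the WAN side, and allowed-ipv4-addresses any.

```python
"""Pre-flight for `set admin-access ... allowed-ipv4-addresses specific`.

Added example, not Check Point code. Refuses to emit the command when the
operator's own source address is not in the list already configured with
`add admin access`, which is the lock-out the guide's Comments line warns
about. Command syntax follows the guide; all inputs are caller-supplied.
"""
import ipaddress

# Interface selectors accepted by `set admin-access interfaces`, per the guide.
ADMIN_INTERFACES = {"any", "SWITCH+WAN", "WAN", "LAN", "SWITCH"}


class LockoutRisk(ValueError):
    """Raised when applying the command would cut off the operator's access."""


def _port(value, label):
    """Validate a TCP port number for the web or SSH admin service."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"{label} port {value} is out of range 1-65535")
    return port


def plan_admin_access(allowed_ips, operator_ip, interfaces="LAN",
                      web_port=443, ssh_port=22, restrict_sources=True):
    """Return the `set admin-access` command line, or raise if it is unsafe.

    allowed_ips: addresses already added with `add admin access` (constructed input).
    operator_ip: source address of the session that will run the command.
    """
    if interfaces not in ADMIN_INTERFACES:
        raise ValueError(f"unknown interface selector {interfaces!r}")
    web = _port(web_port, "web-access")
    ssh = _port(ssh_port, "ssh-access")
    if web == ssh:
        raise ValueError("HTTPS and SSH cannot share a port")

    operator = ipaddress.IPv4Address(operator_ip)
    allowed = {ipaddress.IPv4Address(ip) for ip in allowed_ips}
    if restrict_sources:
        if not allowed:
            raise LockoutRisk("no addresses were added with `add admin access`")
        if operator not in allowed:
            raise LockoutRisk(f"operator address {operator} is not in the allowed list")
        mode = "specific"
    else:
        mode = "any"  # weaker setting: every source address may reach the admin ports

    return (f"set admin-access interfaces {interfaces} "
            f"web-access-port {web} ssh-access-port {ssh} "
            f"allowed-ipv4-addresses {mode}")


def hardening_findings(interfaces, restrict_sources):
    """Review findings a defender would want raised before the change is applied."""
    findings = []
    if interfaces in ("any", "SWITCH+WAN", "WAN"):
        findings.append("admin ports are reachable from the WAN (Internet) side")
    if not restrict_sources:
        findings.append("allowed-ipv4-addresses any: no source-address restriction")
    return findings
```

Run the planner from the same workstation that will hold the management session; if it raises LockoutRisk, add your own address with add admin access first and only then apply the set admin-access command.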

set date

Description Sets system date in YYYY-MM-DD format.

Syntax set date <date>

Parameters

<date> Date in YYYY-MM-DD format

Return Value 0 on success, 1 on failure

Example set date 2011-04-18

Output Success prints OK. Failure prints appropriate error message.

set dhcp server The set dhcp server command configures a range of parameters for the DHCP (Dynamic Host Configuration Protocol) server.

Setting the IP Pool

The set dhcp server command sets the range of IP addresses that can be assigned by the DHCP server.

Description Sets the DHCP server IP pool for interface <interface>.

Syntax set dhcp server interface <interface> ip-pool start <ip_addr> end <ip_addr>


Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 ip-pool start 192.168.1.50 end 192.168.1.60

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Excluding IP Addresses

The set dhcp server command sets a range of IP addresses that cannot be assigned by the DHCP (Dynamic Host Configuration Protocol) server.

Description Sets IP address exclude range to DHCP server for interface <interface>.

Syntax set dhcp server interface <interface> exclude-range start <ip_addr> end <ip_addr>

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 exclude-range start 192.168.1.52 end 192.168.1.54

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Comments DHCP IP-pool must be set for the interface before executing this command. If the DHCP IP-pool is not set, the following error message is displayed: Error: DHCP IP pool should be defined on interface prior to defining exclude IP range.

Enabling the DHCP Server

The set dhcp server command enables or disables the DHCP server.

Description Enables or disables the DHCP server.

Syntax set dhcp server interface <interface> {enable|disable}

Parameters

<interface> Valid interface name

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 enable

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.
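The pool, exclude-range and enable steps above form one procedure, and the exclude-range step fails unless the pool already exists. The Python below is an added example, not Check Point code: it validates the ranges off-box, emits the three commands in the required order, counts the addresses left for leasing, and flags statically addressed hosts that sit inside the pool without an exclusion (a common cause of duplicate-address incidents). Interface names and addresses are caller-supplied; the values in the test are the ones used in the examples above.

```python
"""Ordered DHCP server configuration for one appliance interface.

Added example, not Check Point code. Produces the `set dhcp server`
commands in the order the guide requires (ip-pool, then exclude-range,
then enable) after validating the ranges locally. All inputs are
caller-supplied.
"""
import ipaddress


def _range(start, end, label):
    """Parse a start/end pair and make sure it is ordered."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError(f"{label}: start {first} is after end {last}")
    return first, last


def _excluded_ints(excludes):
    """Set of integer addresses covered by all exclude ranges."""
    covered = set()
    for start, end in excludes:
        first, last = _range(start, end, "exclude-range")
        covered.update(range(int(first), int(last) + 1))
    return covered


def plan_dhcp_server(interface, pool_start, pool_end, excludes=(), enable=True):
    """Return the CLI lines: pool first, then exclusions, then enable."""
    pool_first, pool_last = _range(pool_start, pool_end, "ip-pool")
    cmds = [f"set dhcp server interface {interface} ip-pool "
            f"start {pool_first} end {pool_last}"]
    for start, end in excludes:
        ex_first, ex_last = _range(start, end, "exclude-range")
        # The appliance only accepts exclusions inside the defined pool.
        if ex_first < pool_first or ex_last > pool_last:
            raise ValueError(f"exclude-range {ex_first}-{ex_last} is not inside "
                             f"the pool {pool_first}-{pool_last}")
        cmds.append(f"set dhcp server interface {interface} exclude-range "
                    f"start {ex_first} end {ex_last}")
    if enable:
        cmds.append(f"set dhcp server interface {interface} enable")
    return cmds


def assignable_addresses(pool_start, pool_end, excludes=()):
    """Number of leases the pool can hand out after exclusions."""
    pool_first, pool_last = _range(pool_start, pool_end, "ip-pool")
    excluded = _excluded_ints(excludes)
    return sum(1 for ip in range(int(pool_first), int(pool_last) + 1)
               if ip not in excluded)


def dhcp_findings(interface, pool_start, pool_end, excludes=(), static_hosts=()):
    """Flag static addresses that fall inside the pool without an exclusion."""
    pool_first, pool_last = _range(pool_start, pool_end, "ip-pool")
    covered = _excluded_ints(excludes)
    findings = []
    for host in static_hosts:
        ip = ipaddress.IPv4Address(host)
        if pool_first <= ip <= pool_last and int(ip) not in covered:
            findings.append(f"{interface}: static host {ip} lies inside the DHCP "
                            "pool; add an exclude-range or it may be leased twice")
    return findings
```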


Configuring the Default Gateway

The set dhcp server command configures the default gateway for the DHCP clients.

Description Configures the default gateway for the DHCP clients.

Syntax set dhcp server interface <interface> default-gateway {auto|<ip_addr>}

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 default-gateway auto

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring the WINS Server

The set dhcp server command configures the WINS (Windows Internet Name Service) server for the DHCP clients.

Description Configures the WINS server for the DHCP clients.

Syntax set dhcp server interface <interface> wins {none|<ip_addr>}

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 wins 192.168.1.50

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring IP Lease Time

The set dhcp server command configures the number of hours that an IP address is leased to a DHCP client.

Description Configures IP lease time (in hours).

Syntax set dhcp server interface <interface> lease-time <hours>

Parameters

<interface> Valid interface name

<hours> Lease time in hours

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 lease-time 18


Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring a DNS Server

The set dhcp server command configures the IP address of the DNS (Domain Name System) server for the DHCP server.

Description Configures the DNS server IP address to <ip_addr>.

Syntax set dhcp server interface <interface> dns {auto|primary <ip_addr>|secondary <ip_addr>|tertiary <ip_addr>}

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 dns tertiary 192.168.1.50

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring Subnet Time Offset

The set dhcp server command configures the number of seconds that the subnet is offset from UTC (Coordinated Universal Time).

Description Configures subnet time offset from UTC.

Syntax set dhcp server interface <interface> time {none|<offset>}

Parameters

<interface> Valid interface name

<offset> Offset in seconds from Coordinated Universal Time (UTC)

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 time 18

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring the Swap Server

The set dhcp server command configures the IP address of the swap server.

Description Configures the swap server.

Syntax set dhcp server interface <interface> swap {none|<ip_addr>}

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format


Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 swap 192.160.1.150

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring the SMTP Server

The set dhcp server command configures the IP addresses of the SMTP (Simple Mail Transfer Protocol) servers.

Description Configures the SMTP servers.

Syntax set dhcp server interface <interface> smtp {none|<ip_addr>[,<ip_addr>...]}

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 smtp 192.168.1.50,192.168.60

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring the NTP Server

The set dhcp server command configures the IP addresses of the NTP (Network Time Protocol) servers.

Description Configures the NTP servers.

Syntax set dhcp server interface <interface> ntp {none|<ip_addr>[,<ip_addr>...]}

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 ntp 192.168.1.50,192.168.1.60

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring a TFTP Server

The set dhcp server command configures a TFTP (Trivial File Transfer Protocol) server.

Description Configures a TFTP server.

Syntax set dhcp server interface <interface> tftp {none|<tftp_server>}


Parameters

<interface> Valid interface name

<tftp_server> TFTP server name

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 tftp none

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring the Path for a Bootstrap File

The set dhcp server command configures the path for a bootstrap file.

Description Configures bootstrap file path.

Syntax set dhcp server interface <interface> file {none|<boot_file>}

Parameters

<boot_file> Bootstrap file path

<interface> Valid interface name

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 file none

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring Client Root Disk

The set dhcp server command configures the path for the root disk for the client.

Description Configures the path-name that contains the root disk for the client

Syntax set dhcp server interface <interface> root {none|<root_path>}

Parameters

<interface> Valid interface name

<root_path> Path name for the root disk of the client

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 root none

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring DHCP Extensions

The set dhcp server command configures additional DHCP options.

Description Configures a file of additional DHCP options, interpreted according to RFC2132.


Syntax set dhcp server interface <interface> extensions {none|<extensions>}

Parameters

<extensions> Name of a file containing additional options to be interpreted according to RFC2132.

<interface> Valid interface name

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 extensions none

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring WINS Node-Type

The set dhcp server command configures the WINS Node-Type.

Description Configures WINS Node-Type for clients.

Syntax set dhcp server interface <interface> node-type {none|<node_type>}

Parameters

<interface> Valid interface name

<node_type> Integer that represents WINS Node-Type for clients

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 node-type none

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring NBDD

The set dhcp server command configures the NetBIOS datagram distribution servers (NBDD).

Description Configures NetBIOS datagram distribution servers (NBDD).

Syntax set dhcp server interface <interface> ddserver {none|<ip_addr>[,<ip_addr>...]}

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 ddserver 192.168.1.1,192.168.1.18

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring NetBIOS Scope

The set dhcp server command configures the NetBIOS over TCP/IP scope parameter as specified in RFC 1001/1002.


Description Configures NetBIOS scope parameters.

Syntax set dhcp server interface <interface> scope {none|<NetBIOS_scope>}

Parameters

<interface> Valid interface name

<NetBIOS_scope> Specified in RFC 1001/1002

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 scope none

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring Call Manager

The set dhcp server command configures the call manager server IP addresses.

Description Configures call manager server IP addresses.

Syntax set dhcp server interface <interface> callmgr {none|<ip_addr>[,<ip_addr>...]}

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 callmgr 198.162.1.1,198.162.1.18,198.162.2.1

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.


Configuring X-Windows Display

The set dhcp server command configures the X-Windows Display Manager.

Description Configures X-Windows Display Manager.

Syntax set dhcp server interface <interface> xwin-display-mgr {none|<ip_addr>[,<ip_addr>...]}

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 xwin-display-mgr none

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring VoIP Phones

The set dhcp server command configures the Avaya, Nortel, or Thomson VoIP phones.


Description Configures VoIP phone parameters.

Syntax set dhcp server interface <interface> {avaya-voip|nortel-voip|thomson-voip} {none|<config_string>}

Parameters

<config_string> Configuration string used to configure VoIP phones

<interface> Valid interface name

Return Value 0 on success, 1 on failure

Example set dhcp server interface LAN2 nortel-voip none

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

Configuring Custom DHCP Option

The set dhcp server command configures a custom DHCP server option.

Description Configures a custom DHCP server option.

Syntax set dhcp server interface <interface> custom-option code <code> type <type> value <value> [name <name>]

Parameters

<interface> Valid interface name

Return Value 0 on success, 1 on failure

Example n/a

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

set dhcp relay Manages DHCP relay for the IP addresses of a specific interface.

Description Manages DHCP relay for interface <interface> to <ip_addr>.

Syntax set dhcp relay interface <interface> {relay-to|off} <ip_addr> {on|off}

Parameters

<interface> Valid interface name

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dhcp relay interface LAN2 relay-to 198.162.1.1 off

Output Success prints Configurations Saved Successfully. Failure prints appropriate error message.

set dns Sets primary, secondary or tertiary DNS servers that are used to resolve hostnames. The secondary and tertiary DNS servers are optional.


Description Sets DNS server to IP address <ip_addr>.

Syntax set dns {primary|secondary|tertiary} <ip_addr>

Parameters

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set dns server secondary 4.4.4.4

Output Success prints OK. Failure prints appropriate error message.

set dnsproxy

Description Enables/disables the DNS proxy server.

Syntax set dnsproxy {enable|disable}

Parameters n/a

Return Value 0 on success, 1 on failure

Example set dnsproxy enable

Output Success prints OK. Failure prints appropriate error message.

set dns mode Sets the mode for the DNS server. In internet mode, the DNS configuration is inherited from the Internet connection. In global mode, the manual settings are taken as the DNS configuration.

Description Sets global or internet mode for the DNS server.

Syntax set dns mode {global|internet}

Parameters

{global|internet} Global or internet mode

Return Value 0 on success, 1 on failure

Example set dns mode global

Output Success prints OK. Failure prints appropriate error message.

set domainname

Description Sets the domain name for the system to be <domain>

Syntax set domainname <domain>

Parameters

<domain> Domain name for the system

Return Value 0 on success, 1 on failure


Example set domainname checkpoint.com

Output Success prints OK. Failure prints appropriate error message.

set expert password The set expert password command configures the initial password or password hash for the expert shell.

Description Sets password or password hash for the expert shell

Syntax set expert {password|password-hash} {<pass>|<pass_hash>}

Parameters

<pass> Password using alphanumeric and special characters

<pass_hash> Password MD5 string representation

Return Value 0 on success, 1 on failure

Example set expert password-hash $1$CTnQg69e$dwMJPcrB27XnAXUckPW7N0

Output Success prints OK. Failure prints appropriate error message.

Comments To generate a password-hash, you can use this command on any Security Gateway 80 gateway (as an expert user).

cryptpw -a md5 <password string>
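The value the appliance accepts is a classic MD5-crypt string: $1$, up to eight salt characters, $, and 22 characters of crypt-style base64, which is the format cryptpw -a md5 prints. The Python below is an added example, not Check Point code and not the appliance's own implementation. It reproduces the scheme with the standard library so the hash can be produced on a workstation, shape-checked before it is pasted into set expert password-hash, and verified against a candidate password. Function names are mine, the reference vector comes from the glibc crypt test suite, and the format check is exercised with the example hash above. A caveat for the defender: MD5-crypt is fast to compute and its salt is short, so the length of the expert password is what actually protects the expert shell, not the hash format.

```python
"""MD5-crypt ($1$) helper for `set expert password-hash`.

Added example, not Check Point code. Reproduces the classic MD5-crypt
scheme (the format `cryptpw -a md5` prints) with the standard library,
so the hash can be generated and checked off-box before it is pasted
into the appliance CLI.
"""
import hashlib
import re
import secrets

# crypt(3) base-64 alphabet; note that it differs from RFC 4648 base64.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# $1$ + 1..8 salt chars + $ + exactly 22 hash chars (128 bits, 6 bits each).
MD5_CRYPT_RE = re.compile(r"^\$1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def _to64(value, count):
    """Encode `count` 6-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt):
    """Return the $1$<salt>$<hash> string for the given password and salt."""
    pw = password.encode()
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]  # at most 8 salt characters are used
    sb = salt.encode()

    ctx = hashlib.md5(pw + b"$1$" + sb)
    alternate = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:  # mix in len(pw) bytes of the alternate digest
        ctx.update(alternate[: min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:  # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):  # the scheme's fixed-cost stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # Byte permutation used by the reference implementation before encoding.
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$1$" + salt + "$" + encoded


def new_password_hash(password):
    """Hash with a fresh random 8-character salt, as cryptpw does by default."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5_crypt(password, salt)


def looks_like_md5_crypt(candidate):
    """Shape check to run before pasting a hash into `set expert password-hash`."""
    return MD5_CRYPT_RE.match(candidate) is not None


def verify_password(password, stored_hash):
    """Constant-time comparison of a candidate password against a stored hash."""
    m = MD5_CRYPT_RE.match(stored_hash)
    if m is None:
        return False
    return secrets.compare_digest(md5_crypt(password, m.group(1)), stored_hash)
```

Generate the hash with new_password_hash on the workstation and paste only the hash into the appliance session; the plaintext then never appears in the gateway's command history.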

set ha internet primary Set configuration parameters for Internet High Availability mode when both Internet connections are configured.

Description Changes the active Internet connection to primary whenever possible

Syntax set ha-internet primary-up {on|off}

Parameters

on The appliance reverts to the primary Internet connection when it is available

off The appliance does not change the Internet connection

Return Value 0 on success, 1 on failure

Example set ha-internet primary-up on

Output Success prints OK. Failure prints appropriate error message.

set host Static host configuration for existing host name.

Description Sets the IPv4 address of the existing host name <host> to <ip_addr>


Syntax set host name <host> ipv4_address <ip_addr>

Parameters

<host> The name of an existing static host

<ip_addr> IPv4 address format

Return Value 0 on success, 1 on failure

Example set host name cnn.com ipv4_address 2.2.2.2

Output Success prints OK. Failure prints appropriate error message.

set hostname

Description Sets the host name of the machine to <host>.

Syntax set hostname <host>

Parameters

<host> Host name

Return Value 0 on success, 1 on failure

Example set hostname SG80

Output Success prints OK. Failure prints appropriate error message.

set inactivity-timeout

Description Specifies inactivity timeout for web UI and shells assigned to users (in minutes).

Syntax set inactivity-timeout <time_out>

Parameters

<time_out> Inactivity timeout in minutes. Range: 1-999. Default: 10

Return Value 0 on success, 1 on failure

Example set inactivity-timeout 60

Output Success prints OK. Failure prints appropriate error message.

set interface You can use the set interface command to manage and configure the interfaces.

Managing Interfaces

The set interface command can remove the IP assignment from an interface, or enable or disable the interface.

Description Manages the interfaces


Syntax set interface <interface> [internet <primary|secondary>] {disable|enable|unassigned}

Parameters

<interface> Valid interface name

<primary|secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.

Return Value 0 on success, 1 on failure

Example set interface LAN5 enable

Output Success prints OK. Failure prints appropriate error message.

Configuring Static IP

Description The set interface command can set parameters for different static IP interface types.

Syntax set interface <interface> [internet <primary|secondary>] type static ipv4-address <ip_addr> {subnet-mask <ip_mask>|mask-length <mask_length>} [default-gw <ip_addr>] [dns-primary <ip_addr> [dns-secondary <ip_addr>] [dns-tertiary <ip_addr>]] [conn-test-timeout <conn_time>]

Parameters

<conn_time> Number of seconds before connection test timeout. A number between 0 and 999. A value of 0 applies the configuration and skips the connection tests.

<interface> Valid interface name

<ip_addr> IPv4 address format

<ip_mask> IP address for subnet mask

<mask_length> Mask length

<primary|secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.

Return Value 0 on success, 1 on failure

Example set interface LAN5 type static ipv4-address 1.1.1.1 subnet-mask 255.255.255.0 dns-primary 2.2.2.2 dns-secondary 3.3.3.3

Output Success prints OK. Failure prints appropriate error message.
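A static interface definition is easy to get subtly wrong: a default gateway outside the interface's subnet, or the network or broadcast address used as the host address, is accepted as syntax but leaves the interface unreachable. The Python below is an added example, not Check Point code: it checks these consistency conditions against the parameter table above (mask-length and subnet-mask interchangeable, conn-test-timeout within 0-999, at most three DNS servers) and produces the set interface command in the syntax documented there. The function name and keyword arguments are mine; the sample addresses in the test are constructed.

```python
"""Consistency checks for `set interface <interface> ... type static`.

Added example, not Check Point code. Validates address, mask, gateway,
DNS and connection-test inputs off-box and returns the command line in
the syntax documented by the guide. All inputs are caller-supplied.
"""
import ipaddress


def plan_static_interface(interface, ipv4, subnet_mask=None, mask_length=None,
                          default_gw=None, dns=(), conn_test_timeout=None,
                          internet=None):
    """Return the `set interface ... type static` command, or raise on bad input."""
    if (subnet_mask is None) == (mask_length is None):
        raise ValueError("give exactly one of subnet-mask or mask-length")
    # IPv4Interface accepts both "addr/24" and "addr/255.255.255.0" forms.
    iface = ipaddress.IPv4Interface(f"{ipv4}/{subnet_mask or mask_length}")
    net = iface.network
    reserved = set()
    if net.prefixlen < 31:  # /31 and /32 have no network/broadcast distinction
        reserved = {net.network_address, net.broadcast_address}
    if iface.ip in reserved:
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")

    parts = [f"set interface {interface}"]
    if internet is not None:
        if internet not in ("primary", "secondary"):
            raise ValueError("internet must be primary or secondary")
        parts.append(f"internet {internet}")
    parts.append(f"type static ipv4-address {iface.ip}")
    parts.append(f"subnet-mask {subnet_mask}" if subnet_mask
                 else f"mask-length {mask_length}")

    if default_gw is not None:
        gw = ipaddress.IPv4Address(default_gw)
        # The gateway must be another usable host on the same subnet.
        if gw not in net or gw == iface.ip or gw in reserved:
            raise ValueError(f"default-gw {gw} is not a usable host in {net}")
        parts.append(f"default-gw {gw}")

    if len(dns) > 3:
        raise ValueError("at most three DNS servers (primary, secondary, tertiary)")
    for label, server in zip(("dns-primary", "dns-secondary", "dns-tertiary"), dns):
        parts.append(f"{label} {ipaddress.IPv4Address(server)}")

    if conn_test_timeout is not None:
        timeout = int(conn_test_timeout)
        if not 0 <= timeout <= 999:
            raise ValueError("conn-test-timeout must be between 0 and 999 seconds")
        parts.append(f"conn-test-timeout {timeout}")
    return " ".join(parts)
```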

Configuring a Bridge

Description The set interface command can set parameters for a bridge interface type.


Syntax set interface <interface> [internet

<primary|secondary>] type bridge port <port> ipv4-

address <ip_addr> {subnet-mask <ip_mask>|mask-length

<mask-length>} [default-gw <ip_addr>] [dns-primary

<ip_addr>] [dns-secondary <ip_addr>] [dns-tertiary

<ip_addr>] [conn-test-timeout <conn_time>]

Parameters Parameter Description <conn_time>

Number of seconds before connection test

timeout. A number between 0 and 999.

A value of 0 applies the configuration and skips

the connection tests.

<interface> Valid interface name

<ip_addr> IPv4 address format

<ip_mask> IP address for subnet mask

<mask_length> Mask length

<port> LAN port number or SWITCH

<primary|

secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.

Return Value 0 on success, 1 on failure

Example set interface LAN Switch type bridge port SWITCH ipv4-address 1.1.1.1 subnet-mask 255.255.255.0 dns-primary 2.2.2.2 dns-secondary 3.3.3.3

Output Success prints OK. Failure prints appropriate error message.

Configuring PPPoE

The set interface command can set parameters for the PPPoE Internet interface type.

Description Sets interface type PPPoE settings with user name <user> and password <pass>. Can only be set for Internet interfaces.

Syntax set interface <interface> internet <primary|secondary> type pppoe username <user> password <pass> [local-ipv4-address <auto|ip_addr>] [method <auto|on-demand idle-time <idle>>] [link-monitor-interval <interval>] [link-monitor-threshold <threshold>] [conn-test-timeout <conn_time>]


Parameters
<interface> - Valid interface name.
<ip_addr> - IPv4 address format.
<ip_mask> - IP address for subnet mask
<user> - ISP user login name.
<pass> - ISP user password. Alphanumeric and special characters are allowed.
<primary|secondary> - Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
local-ipv4-address - Local tunnel IPv4 address assignment.
auto - Get the IPv4 address from the ISP.
<ip_addr> - IP address for the local tunnel.
method - Dialer connection method.
auto - Connect automatically. This is the default setting.
on-demand - Connects on demand.
idle-time - Idle timeout in minutes before disconnect when using connect on demand. Value is between 1 and 999 minutes.
link-monitor-interval - Seconds between each connection status check. <interval> value is between 1 and 999 seconds.
link-monitor-threshold - Number of failed attempts after which the connection is assumed to be down. <threshold> value is between 1 and 999 attempts.
<conn_time> - Number of seconds before connection test timeout. A number between 0 and 999. A value of 0 applies the configuration and skips the connection tests.

Return Value 0 on success, 1 on failure

Example set interface WAN internet primary type pppoe username John password verySecurePassword local-ipv4-address 1.1.1.1 method on-demand idle-time 30 link-monitor-interval 40 link-monitor-threshold 50

Output Success prints OK. Failure prints appropriate error message.

Configuring PPTP and L2TP

The set interface command can set parameters for these Internet interface types:

PPTP
L2TP

Description Sets interface type (PPTP or L2TP) settings with user name <user> and password <pass>. Can only be set for Internet interfaces.


Syntax set interface <interface> internet <primary|secondary> type {pptp|l2tp} username <user> password <pass> server <server> [local-ipv4-address <auto|ip_addr>] [wan-ipv4-address <auto|<ip_addr> {subnet-mask <ip_mask>|mask-length <mask_length>} [default-gw <ip_addr>]>] [method <auto|on-demand idle-time <idle>>] [link-monitor-interval <interval>] [link-monitor-threshold <threshold>] [conn-test-timeout <conn_time>]


Parameters
<interface> - Valid interface name.
<ip_addr> - IPv4 address format.
<ip_mask> - IP address for subnet mask
<mask_length> - Mask length
<user> - ISP user login name.
<pass> - ISP user password. Alphanumeric and special characters are allowed.
<primary|secondary> - Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
<server> - Server host name or IP address.
local-ipv4-address - Local tunnel IPv4 address assignment.
auto - Get the IPv4 address from the ISP.
<ip_addr> - IP address for the local tunnel.
wan-ipv4-address - WAN IPv4 address assignment.
auto - Get the WAN IPv4 address from the ISP. This is the default setting.
<ip_addr> - IP address for the WAN port.
<ip_mask> - IP address for the subnet mask of the WAN port.
<mask_length> - Mask length for the WAN port.
default-gw - Default gateway for the WAN port.
method - Dialer connection method.
auto - Connect automatically. This is the default setting.
on-demand - Connects on demand.
idle-time - Idle timeout in minutes before disconnect when using connect on demand. Value is between 1 and 999 minutes.
link-monitor-interval - Seconds between each connection status check. <interval> value is between 1 and 999 seconds.
link-monitor-threshold - Number of failed attempts after which the connection is assumed to be down. <threshold> value is between 1 and 999 attempts.
<conn_time> - Number of seconds before connection test timeout. A number between 0 and 999. A value of 0 applies the configuration and skips the connection tests.

Return Value 0 on success, 1 on failure


Example set interface WAN internet primary type l2tp username John password verySecurePassword server 1.1.1.1 local-ipv4-address 2.2.2.2 wan-ipv4-address 3.3.3.3 subnet-mask 255.255.255.0 default-gw 4.4.4.4 method on-demand idle-time 30 link-monitor-interval 40 link-monitor-threshold 50

Output Success prints OK. Failure prints appropriate error message.

Configuring DHCP

The set interface command can set parameters for DHCP internet interface type.

Description Obtains IP automatically using DHCP, can be set only for internet interfaces.

Syntax set interface <interface> internet <primary|secondary> type dhcp [conn-test-timeout <conn_time>]

Parameters
<conn_time> - Number of seconds before connection test timeout. A number between 0 and 999. A value of 0 applies the configuration and skips the connection tests.
<interface> - Valid interface name
<primary|secondary> - Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.

Return Value 0 on success, 1 on failure

Example set interface DMZ internet secondary type dhcp

Output Success prints OK. Failure prints appropriate error message.

Configuring Advanced Interface Settings

The set interface command configures these advanced settings for the interface:

Auto-negotiation
MAC address
MTU
Duplex
Speed

Description Sets advanced interface preferences.

Syntax set interface <interface> [internet <primary|secondary>] [auto-negotiation <on|off>] [mac-addr <mac_addr>] [mtu <mtu>] [duplex <duplex>] [speed <speed>]


Parameters
<interface> - Valid interface name
<primary|secondary> - Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
<on|off> - on or off
<mac_addr> - default, or a MAC address in the format 00:1C:7F:21:05:BE
<mtu> - MTU size, an integer in the range 68-1500
<duplex> - half or full
<speed> - 10M, 100M or 1000M

Return Value 0 on success, 1 on failure

Example set interface LAN3 mac-addr 00:1C:7F:21:05:BE

Output Success prints OK. Failure prints appropriate error message.

Configuring ICMP

The set interface command can configure the ICMP (Internet Control Message Protocol) monitoring settings for the appliance.

Description Manages ICMP settings

Syntax set interface <interface> [internet <primary|secondary>] icmp-monitor <on|off> [icmp-to-servers <on|off>] [icmp-to-default-gw <on|off>] [icmp-interval <seconds>] [icmp-failover-after <fail>] [icmp-resume-after <seconds>]

Parameters
<interface> - Valid interface name
<primary|secondary> - Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
icmp-monitor - on enables ICMP monitoring, off disables it
icmp-to-servers - on enables ICMP monitoring of the configured servers
icmp-to-default-gw - on sends ICMP requests to the default gateway
icmp-interval - Number of seconds between ICMP requests
icmp-failover-after - Maximum number of failed ICMP requests before the other Internet connection becomes active
icmp-resume-after - Number of seconds after an ICMP failover before ICMP requests are resumed

Return Value 0 on success, 1 on failure

Example set interface WAN internet primary icmp-monitor on icmp-to-default-gw on icmp-interval 10


Output Success prints OK. Failure prints appropriate error message.

set static-route

Deleting Routes

You can use the set static-route command to delete existing static routes.

A route that has both a gateway IP address and a gateway interface defined is different than a route that only has gateway IP address or only a gateway interface defined. Both of these routes can exist simultaneously.

Deleting Routes by Destination IP Address

The set static-route command deletes existing static routes.

Description Deletes all routes with this destination IP address.

Syntax set static-route <dest_IP> off

Parameters
<dest_IP> - Destination IP address and subnet bit number of the route: <IPv4-address>/<Subnet-bit-number>

Return Value 0 on success, 1 on failure

Example set static-route 1.1.1.1/32 off

Output Success prints OK. Failure prints appropriate error message.

Deleting Routes by Destination and Gateway IP Address

The set static-route command deletes existing static routes.

Description Delete all routes that have a destination of <dest_IP> and a gateway

address of <gw_IP>.

Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> off

Parameters
<dest_IP> - Destination IP address and subnet bit number of the route: <IPv4-address>/<Subnet-bit-number>
<gw_IP> - Gateway IP address.

Return Value 0 on success, 1 on failure

Example set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 off

Output Success prints OK. Failure prints appropriate error message.

Deleting Routes by Destination IP Address and Interface

The set static-route command deletes existing static routes.

Description Delete all routes that have a destination of <dest_IP> and a gateway

interface <interface>.

Syntax set static-route <dest_IP> nexthop gateway logical <interface> off


Parameters
<dest_IP> - Destination IP address and subnet bit number of the route: <IPv4-address>/<Subnet-bit-number>
<interface> - Interface to which the gateway is connected.

Return Value 0 on success, 1 on failure

Example set static-route 1.1.1.1/32 nexthop gateway logical LAN1 off

Output Success prints OK. Failure prints appropriate error message.

Deleting Routes by Destination and Gateway IP Address and Interface

The set static-route command deletes existing static routes.

Description Deletes all routes that match all of these parameters: <dest_IP>, <gw_IP>, and <interface>.

Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> logical <interface> off

Parameters
<dest_IP> - Destination IP address and subnet bit number of the route: <IPv4-address>/<Subnet-bit-number>
<gw_IP> - Gateway IP address.
<interface> - Interface to which the gateway is connected.

Return Value 0 on success, 1 on failure

Example set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 logical LAN1 off

Output Success prints OK. Failure prints appropriate error message.

Adding Routes

You can use the set static-route command to create new static routes. If a priority is not specified for the route, a default value of zero is used.

A route that has both a gateway IP address and a gateway interface defined is different than a route that only has gateway IP address or only a gateway interface defined. Both of these routes can exist simultaneously.

Adding a Route with a Specific Gateway IP Address

The set static-route command creates new static routes.

Description Adds a route with a destination <dest_IP> and a gateway IP address of <gw_IP>. The gateway interface is determined automatically and the route is assigned the default priority 0.

Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> on

Parameters
<dest_IP> - Destination IP address and subnet bit number of the route: <IPv4-address>/<Subnet-bit-number>
<gw_IP> - Gateway IP address


Return Value 0 on success, 1 on failure

Example set static-route 172.15.47.0/24 nexthop gateway ipv4-address 10.0.0.1 on

Output Success prints OK. Failure prints appropriate error message.

Comments If you are adding a route that already exists, the priority of the existing route is changed to 0.

Adding a Route with a Specific Gateway IP Address and Priority

The set static-route command creates new static routes.

Description Adds a route with a destination <dest_IP>, a gateway IP address of <gw_IP>, and a priority of <priority>. The gateway interface is determined automatically.

Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> priority <priority> on

Parameters
<dest_IP> - Destination IP address and subnet bit number of the route: <IPv4-address>/<Subnet-bit-number>
<gw_IP> - Gateway IP address
<priority> - Priority (metric) of the route.

Return Value 0 on success, 1 on failure

Example set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 priority 3 on

Output Success prints OK. Failure prints appropriate error message.

Comments If you are adding a route that already exists, the priority of the existing route is changed to <priority>.

Adding a Route with a Specific Interface

The set static-route command creates new static routes.

Description Adds a route with a destination <dest_IP> and a gateway interface of <interface>. The gateway IP address is determined automatically and the route is assigned the default priority 0.

Syntax set static-route <dest_IP> nexthop gateway logical <interface> on

Parameters
<dest_IP> - Destination IP address and subnet bit number of the route: <IPv4-address>/<Subnet-bit-number>
<interface> - Interface to which the gateway is connected.

Return Value 0 on success, 1 on failure

Example set static-route 1.1.1.1/32 nexthop gateway logical LAN1 on

Output Success prints OK. Failure prints appropriate error message.


Comments If you are adding a route that already exists, the priority of the existing route is changed to 0.

Adding a Route with a Specific Interface and Priority

The set static-route command creates new static routes.

Description Adds a route with a destination <dest_IP>, a gateway interface of <interface>, and a priority of <priority>. The gateway IP address is determined automatically.

Syntax set static-route <dest_IP> nexthop gateway logical <interface> priority <priority> on

Parameters
<dest_IP> - Destination IP address and subnet bit number of the route: <IPv4-address>/<Subnet-bit-number>
<interface> - Interface to which the gateway is connected.
<priority> - Priority (metric) of the route.

Return Value 0 on success, 1 on failure

Example set static-route 10.0.0.0/8 nexthop gateway logical SWITCH priority 12 on

Output Success prints OK. Failure prints appropriate error message.

Comments If you are adding a route that already exists, the priority of the existing route is changed to <priority>.

Adding a Route with a Specific Gateway IP Address and Interface

The set static-route command creates new static routes.

Description Adds a route with a destination <dest_IP>, a gateway IP address of <gw_IP> and a gateway interface of <interface>. The route is assigned the default priority 0.

Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> logical <interface> on

Parameters
<dest_IP> - Destination IP address and subnet bit number of the route: <IPv4-address>/<Subnet-bit-number>
<gw_IP> - Gateway IP address
<interface> - Interface to which the gateway is connected.

Return Value 0 on success, 1 on failure

Example set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 logical LAN1 on

Output Success prints OK. Failure prints appropriate error message.

Comments If you are adding a route that already exists, the priority of the existing route is changed to 0.

Editing Routes

You can use the set static-route command to edit the priority of an existing route. If you change any of the other parameters of the route, the existing route is left unchanged and a new route is created.


A route that has both a gateway IP address and a gateway interface defined is different than a route that only has gateway IP address or only a gateway interface defined. Both of these routes can exist simultaneously.

set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> priority <priority> on

The set static-route command edits static routes.

Description Edits a route that has a destination <dest_IP>, a gateway IP address of <gw_IP>, and no gateway interface defined. The priority is changed to <priority>.

Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> priority <priority> on

Parameters
<dest_IP> - Destination IP address and subnet bit number of the route: <IPv4-address>/<Subnet-bit-number>
<gw_IP> - Gateway IP address
<priority> - Priority (metric) of the route.

Return Value 0 on success, 1 on failure

Example set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 priority 3 on

Output Success prints OK. Failure prints appropriate error message.

Comments If the route does not exist, a new one is created with a destination <dest_IP>, a gateway IP address of <gw_IP>, and a priority of <priority>. The gateway interface is determined automatically.
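The add, edit and delete rules above interact in a way that is easy to get wrong on a live gateway: a route is identified by its destination, gateway IP and gateway interface together, so the same destination can carry three separate routes, an "on" command with a matching identity only rewrites the priority, and an "off" command removes every route whose stated fields match. The following is an added example, not Check Point code, that models those rules in Python by parsing the command lines in the forms this section documents; it assumes host bits in <dest_IP> are masked off and that a route with neither gateway IP nor interface is rejected, neither of which the reference states.

```python
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

# Added example, not Check Point code: a model of the set static-route
# semantics this section describes. A route's identity is the triple
# (destination, gateway IP, gateway interface); priority is the only field
# an "on" command edits in place. An "off" command removes every route whose
# given fields match. Masking host bits off the destination and rejecting a
# route with neither gateway nor interface are assumptions of this model.

RouteKey = Tuple[str, Optional[str], Optional[str]]


class RouteTable:
    def __init__(self) -> None:
        self.routes: Dict[RouteKey, int] = {}   # identity -> priority

    def apply(self, line: str) -> None:
        tok = shlex.split(line)
        if tok[:2] != ["set", "static-route"] or tok[-1] not in ("on", "off"):
            raise ValueError(f"unsupported command: {line}")
        # <IPv4-address>/<Subnet-bit-number>; host bits are masked off (assumption)
        dest = str(ipaddress.ip_network(tok[2], strict=False))
        gw: Optional[str] = None
        iface: Optional[str] = None
        priority = 0                             # default priority per the reference
        i = 3
        if tok[i:i + 2] == ["nexthop", "gateway"]:
            i += 2
        while i < len(tok) - 1:
            if tok[i] == "ipv4-address":
                gw = str(ipaddress.ip_address(tok[i + 1]))
            elif tok[i] == "logical":
                iface = tok[i + 1]
            elif tok[i] == "priority":
                priority = int(tok[i + 1])
                if priority < 0:
                    raise ValueError("priority must be a non-negative metric")
            else:
                raise ValueError(f"unknown keyword {tok[i]!r}")
            i += 2
        if tok[-1] == "on":
            if gw is None and iface is None:
                raise ValueError("a route needs a gateway IP, an interface, or both")
            # Same identity: only the priority changes. Any other difference
            # leaves the existing route alone and creates a new one.
            self.routes[(dest, gw, iface)] = priority
            return
        # "off": delete all routes matching the fields that were given
        for key in [k for k in self.routes
                    if k[0] == dest
                    and (gw is None or k[1] == gw)
                    and (iface is None or k[2] == iface)]:
            del self.routes[key]

    def dump(self) -> List[str]:
        return sorted(f"{d} via {g or '-'} dev {i or '-'} priority {p}"
                      for (d, g, i), p in self.routes.items())


def rejects(line: str) -> bool:
    """True if the model refuses the command (validation check helper)."""
    try:
        RouteTable().apply(line)
    except ValueError:
        return True
    return False


def demo() -> Dict[str, List[str]]:
    """Walk through the reference's own examples and return table snapshots."""
    t = RouteTable()
    snaps: Dict[str, List[str]] = {}
    t.apply("set static-route 172.15.47.0/24 nexthop gateway ipv4-address 10.0.0.1 on")
    t.apply("set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 priority 3 on")
    t.apply("set static-route 1.1.1.1/32 nexthop gateway logical LAN1 on")
    t.apply("set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 logical LAN1 on")
    snaps["added"] = t.dump()        # three distinct 1.1.1.1/32 routes coexist
    t.apply("set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 priority 7 on")
    snaps["edited"] = t.dump()       # only the gateway-only route's priority changed
    t.apply("set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 off")
    snaps["deleted"] = t.dump()      # both routes via 192.168.1.10 are gone
    return snaps


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, *rows, sep="\n  ")
```

The "deleted" snapshot is the point to notice: deleting by destination and gateway IP also removes the route that named the same gateway together with LAN1, while the interface-only route survives. Dry-running a change set through a model like this before typing it on the appliance is cheap insurance against silently removing a route you meant to keep.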

set proxy You can configure a proxy server that is used to fetch a license from Check Point User Center.

Managing a Proxy Server

The set proxy command enables or disables the proxy server that is used to fetch a license from Check Point User Center.

Description Enables or disables the proxy server

Syntax set proxy {enable|disable}

Parameters Parameter Description n/a

Return Value 0 on success, 1 on failure

Example set proxy disable

Output Success prints OK. Failure prints appropriate error message.

Configuring a Proxy Server

The set proxy command configures the settings of the proxy server that is used to fetch a license from Check Point User Center.


Description Sets proxy server IP address and port number. Also enables the proxy server that is set.

Syntax set proxy server <server> port <port>

Parameters Parameter Description <server>

Proxy server hostname or IPv4 address.

<port> Valid port numbers are between 1 and 65535.

Return Value 0 on success, 1 on failure

Example set proxy server 192.168.1.10 port 8080

Output Success prints OK. Failure prints appropriate error message.

set sic_init

Description Sets the SIC password.

Syntax set sic_init password <pass>

Parameters Parameter Description <pass>

One-time password, as specified by the Security Management server administrator.

Return Value 0 on success, 1 on failure

Example set sic_init password verySecurePassword

Output Success prints OK. Failure prints appropriate error message.

set snmp You can use the set snmp command to manage and configure the SNMP settings. You must use the add snmp command to configure the SNMP v2 or v3 parameters for these commands:

set snmp traps receiver
set snmp usm user

Managing SNMP Agent

The set snmp command enables and disables an SNMP agent.

Description Enables and disables the SNMP agent.

Syntax set snmp agent <on|off>

Parameters Parameter Description <on|off>

On or off

Return Value 0 on success, 1 on failure

Example set snmp agent on

Output Success prints OK. Failure prints appropriate error message.


Setting SNMP Version

The set snmp command sets the SNMP version.

Description Sets SNMP version

Syntax set snmp agent-version <any|v3-only>

Parameters Parameter Description <any|v3-only>

Any version or only v3

Return Value 0 on success, 1 on failure

Example set snmp agent-version v3-only

Output Success prints OK. Failure prints appropriate error message.

Setting Community String

The set snmp command sets the SNMP community string.

Description Sets the SNMP agent community string.

Syntax set snmp community <comm_string>

Parameters
<comm_string> - A password for the v1 and v2 protocols. The value can be any word. Note that a community string is sent in cleartext in every SNMPv1/v2c message, so anyone who can sniff the management path can read it; where your monitoring tools allow it, prefer set snmp agent-version v3-only with authenticated and encrypted USM users.

Return Value 0 on success, 1 on failure

Example set snmp community anystring read-only

Output Success prints OK. Failure prints appropriate error message.

Setting SNMP Host Information

The set snmp command sets the information about the host for the SNMP agent.

Description Sets information about the host the SNMP agent is running on.

Syntax set snmp contact <contact_string>

Parameters Parameter Description <contact_string>

The value can be word.

Return Value 0 on success, 1 on failure

Example set snmp contact checkpoint

Output Success prints OK. Failure prints appropriate error message.


Setting Host Location

The set snmp command sets the information about the host location.

Description Sets information about the location of the host on which the SNMP agent is running.

Syntax set snmp location <location>

Parameters Parameter Description <location>

The value can be any word.

Return Value 0 on success, 1 on failure

Example set snmp location lab

Output Success prints OK. Failure prints appropriate error message.

Managing SNMP Traps

The set snmp command enables and disables the SNMP traps.

Description Enables and disables SNMP traps.

Syntax set snmp traps {enable|disable}

Parameters Parameter Description n/a

Return Value 0 on success, 1 on failure

Example set snmp traps enable

Output Success prints OK. Failure prints appropriate error message.

Setting SNMP v2 Receivers

The set snmp command sets a community string for SNMPv2 traps receiver.

Description Sets a community string for SNMPv2 traps receiver.

Syntax set snmp traps receiver <ip_addr> version v2 community <comm_string>

Parameters
<ip_addr> - Trap receiver IPv4 address.
<comm_string> - A password for the v1 and v2 protocols. The value can be any word.


Return Value 0 on success, 1 on failure

Example set snmp traps receiver 1.1.1.1 version v2 community anystring

Output Success prints OK. Failure prints appropriate error message.

Configuring SNMP v3 Receivers

The set snmp command configures users for SNMP v3 traps receivers.

Description Sets USM user for SNMPv3 traps receiver.

Syntax set snmp traps receiver <ip_addr> version v3 usm user <usm_user>

Parameters
<ip_addr> - Trap receiver IPv4 address
<usm_user> - Name of a user that was added with add snmp.

Return Value 0 on success, 1 on failure

Example set snmp traps receiver 1.1.1.1 version v3 usm user john

Output Success prints OK. Failure prints appropriate error message.

Comments The security parameters that were defined for <usm_user> with the set snmp usm user command are used.

Configuring SNMP v3 Users

The set snmp command configures an SNMP v3 user.

Description Sets the USM security parameters for <usm_user>.

Syntax set snmp usm user <usm_user> security-level <NoPriv|Priv> auth-pass-type <auth-type> auth-pass-phrase <auth-phrase> privacy-pass-type <priv-type> privacy-pass-phrase <priv-phrase>

Parameters
<usm_user> - Name of a user that was added with add snmp.
<NoPriv|Priv> - Security level. NoPriv: messages sent or received by this user are authenticated with the authentication pass phrase but are not encrypted. Priv: messages are authenticated and encrypted, using both the authentication and the privacy pass phrases.
<auth-type> - Authentication protocol. Available values are MD5 and SHA1.
<auth-phrase> - The localized secret key used by the authentication protocol to authenticate messages.
<priv-type> - Privacy (encryption) protocol. Available values are AES and DES.
<priv-phrase> - The localized secret key used by the privacy protocol to encrypt and decrypt messages.
Of the available choices, SHA1 and AES are the stronger options; MD5 and single DES are included for compatibility with older managers.

Return Value 0 on success, 1 on failure


Example set snmp usm user usm1 security-level authPriv auth-pass-type SHA1 auth-pass-phrase safeAuthPassPhrase privacy-pass-type AES privacy-pass-phrase safePrivacyPassPhrase

Output Success prints OK. Failure prints appropriate error message.

Comments You must add the user with the add snmp command.

Setting a Single Trap

The set snmp command configures parameters for a single SNMP trap.

Description Sets a single trap related parameters.

Syntax set snmp traps trap-name <trap_name> [enable <on|off> threshold <threshold> severity <severity> repetitions <reps> repetitions-delay <rep_delay>]

Parameters
<on|off> - On or off
<reps> - Number of repetitions for the trap. Available values are 1-10, or infinite to keep sending traps as long as the trap condition holds.
<rep_delay> - Delay time (seconds) between repetitions.
<severity> - Trap severity: (1) Low, (2) Medium, (3) High, (4) Critical.
<threshold> - Trap threshold; the value must be a positive number.
<trap_name> - A valid trap-name value (see Comments).

Output Success prints OK. Failure prints appropriate error message.


Comments These are the valid trap-name values:

interface-link-down

interface-disconnected

memory-utilization

partition-free-space

core-utilization

core-interrupts-rate

new-connections-rate

concurrent-connections-rate

bytes-throughput

accepted-packet-rate

temperature-sensor-reading

voltage-sensor-reading

cluster-member-state-changed

cluster-block-state-error

cluster-state-error

cluster-problem-status

cluster-interface-down

connection-with-log-server-error

connection-with-all-log-servers-error

set time

Description Sets system time in HH:MM format.

Syntax set system time <time>

Parameters Parameter Description <time>

Time in HH:MM format.

Return Value 0 on success, 1 on failure

Example set system time 15:08

Output Success prints OK. Failure prints appropriate error message.

set time-zone

Description Sets system time zone.

Syntax set time-zone [<area>] <region>|<complete_region>


Parameters
<area> - A continent for the time zone.
<complete_region> - The full list of cities for a region on a continent.
<region> - A city on a continent for a specific time zone.

Return Value 0 on success, 1 on failure

Example set time-zone Berlin

set time-zone Europe Berlin

set time-zone Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna(GMT+01:00)

Output Success prints OK. Failure prints appropriate error message.

Comments You can only use continents and cities that are pre-configured on the appliance. Use auto-completion to display the list of continents and cities.

set user Sets parameters for a specific user name.

Setting Password for a User

The set user command configures a password for an existing user.

Description Sets password <pass> to an existing user <user>.

Syntax set user <user> password <pass>

Parameters
<pass> - User password. Alphanumeric and special characters are allowed.
<user> - User login name.

Return Value 0 on success, 1 on failure

Example set user John password verySecurePassword

Output Success prints OK. Failure prints appropriate error message.

Setting Password Hash for a User

The set user command configures a password hash for an existing user, so that the plaintext password never has to be entered on the appliance.

Description Sets password hash <pass_hash> to an existing user <user>.

Syntax set user <user> password-hash <pass_hash>

Parameters
<pass_hash> - The password in MD5-crypt string form, as produced by cryptpw -a md5 (the "$1$<salt>$<hash>" format shown in the example).
<user> - User login name

Return Value 0 on success, 1 on failure


Example set user John password-hash $1$CTnQg69e$dwMJPcrB27XnAXUckPW7N0

Output Success prints OK. Failure prints appropriate error message.

Comments To generate a password hash, you can run the command cryptpw -a md5 <password string> on any Security Gateway 80 gateway (as an expert user).

Setting Shell for a User

The set user shell command configures the login shell for an existing user.

Description: Sets login shell for user <user>
Syntax: set user <user> shell <clish|bash>
Parameters:
  <clish|bash> - CLISH or Bash shell
  <user> - User login name
Return Value: 0 on success, 1 on failure
Example: set user John shell cli
Output: Success prints OK. Failure prints appropriate error message.

set user-lock

The set user-lock command configures how a user can be locked out of the WebUI. This command does not apply to the CLI.

Disabling User-lock

The set user-lock command can disable user-lock, so that users are never locked out of the WebUI.

Description: Disables user-lock for the WebUI
Syntax: set user-lock disable
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: set user-lock disable
Output: Success prints OK. Failure prints appropriate error message.

Configuring User-lock

The set user-lock command enables user-lock and configures the parameters for failed logins for the WebUI. These are the default values for the parameters:
  attempts - 3. The user is locked out after three failed login attempts.
  time - 1. The user is locked out and cannot attempt to log in for one minute.

Description: Sets the number of attempts <attempts> after which the user is locked out of the WebUI. Sets the amount of time <time> that the user is locked out and cannot attempt to log in to the WebUI.
Syntax: set user-lock {attempts <attempts>|time <time>}
Parameters:
  <attempts> - Number of permitted login attempts. A number between 1 and 999.
  <time> - Number of minutes before the user can attempt to log in again.
Return Value: 0 on success, 1 on failure
Example: set user-lock attempts 10 time 60
Output: Success prints OK. Failure prints appropriate error message.
Comments: You can use both the attempts and time parameters.
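The lock-out semantics above, replayed over a login event log, as an added example that is not Check Point code: it models the reference's rules (lock after <attempts> failed WebUI logins, no further attempts for <time> minutes, CLI never subject to user-lock) and compares the defaults with the "attempts 10 time 60" example. The log line layout is constructed for the example and is not the appliance's log format; that an attempt made while locked is refused without extending the lock, and that a successful login resets the counter, are assumptions.

```python
"""Replay the WebUI user-lock policy over a constructed login log."""
from collections import namedtuple
from datetime import datetime, timedelta
from typing import Dict, List, Optional

Result = namedtuple("Result", "ts user channel outcome")

# Constructed sample log (not the appliance's format):
# "<ISO timestamp> <channel> <user> <FAIL|OK>"
EVENTS = """\
2011-09-12T10:00:00 webui John FAIL
2011-09-12T10:00:05 webui John FAIL
2011-09-12T10:00:10 webui John FAIL
2011-09-12T10:00:20 webui John OK
2011-09-12T10:01:30 webui John OK
2011-09-12T10:02:00 cli John FAIL
2011-09-12T10:02:05 cli John FAIL
2011-09-12T10:02:10 cli John FAIL
2011-09-12T10:02:15 cli John FAIL
"""


class UserLockPolicy:
    """Mirrors 'set user-lock attempts <attempts> time <time>' and its limits."""

    def __init__(self, attempts: int = 3, time: int = 1) -> None:
        # Defaults are the appliance defaults quoted in the reference.
        if not 1 <= attempts <= 999:
            raise ValueError("attempts must be between 1 and 999")
        if time < 1:
            raise ValueError("time must be at least one minute")
        self.attempts = attempts
        self.lock_window = timedelta(minutes=time)


def policy_is_valid(attempts: int, time: int) -> bool:
    """True when the values would be accepted by 'set user-lock'."""
    try:
        UserLockPolicy(attempts, time)
    except ValueError:
        return False
    return True


class _UserState:
    def __init__(self) -> None:
        self.failures = 0
        self.locked_until: Optional[datetime] = None


def simulate(policy: UserLockPolicy, log: str) -> List[Result]:
    """Replay login events and report how the WebUI would treat each one."""
    states: Dict[str, _UserState] = {}
    results: List[Result] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts_text, channel, user, verdict = line.split()
        ts = datetime.fromisoformat(ts_text)
        if channel != "webui":
            # User-lock does not apply to the CLI: the verdict passes through.
            results.append(Result(ts_text, user, channel, verdict))
            continue
        st = states.setdefault(user, _UserState())
        if st.locked_until is not None:
            if ts < st.locked_until:
                # Inside the lock-out window even a correct password is refused
                # (assumption: this does not extend the window).
                results.append(Result(ts_text, user, channel, "LOCKED"))
                continue
            st.locked_until = None
            st.failures = 0
        if verdict == "OK":
            st.failures = 0  # assumption: a successful login resets the counter
            results.append(Result(ts_text, user, channel, "OK"))
            continue
        st.failures += 1
        if st.failures >= policy.attempts:
            # The <attempts>-th failure starts the <time>-minute lock-out.
            st.locked_until = ts + policy.lock_window
            st.failures = 0
            results.append(Result(ts_text, user, channel, "LOCKED_OUT"))
        else:
            results.append(Result(ts_text, user, channel, "FAIL"))
    return results


def outcomes(policy: UserLockPolicy, log: str) -> List[str]:
    """Just the per-event outcomes, for comparing two policies side by side."""
    return [r.outcome for r in simulate(policy, log)]


if __name__ == "__main__":
    for label, policy in (("default (attempts 3, time 1)", UserLockPolicy()),
                          ("set user-lock attempts 10 time 60", UserLockPolicy(10, 60))):
        print(label)
        for r in simulate(policy, EVENTS):
            print(f"  {r.ts} {r.channel:5} {r.user:6} {r.outcome}")
```

With the defaults, John's correct password at 10:00:20 is refused because the third failure ten seconds earlier locked him out until 10:01:10; with the page's "attempts 10 time 60" setting the same three failures never trigger a lock, while the CLI attempts are untouched under both.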

shell/expert

The shell and expert commands switch to CLI expert mode.

Description: Switches to expert mode.
Syntax:
  shell
  expert
Parameters: n/a
Return Value: None
Example: shell
Output: None
Comments: Use the cpshell (on page 67) command to start cpshell.

show admin access

Displays admin access configuration information, including interfaces and IPv4 addresses. Use the show admin-access-ipv4-addresses command to display only the IP addresses from which the admin is allowed to remotely access the appliance.

Description: Displays admin access configuration information
Syntax: show {admin-access|admin-access-ipv4-addresses}
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show admin-access
Output: Success displays admin access configuration information. Failure prints appropriate error message.

show backup settings

Displays information about a previous backup of the appliance's settings. show backup-settings-log displays the log file of previous backup settings operations.

Description: Displays backup settings information
Syntax: show backup-settings-{log|info {from tftp server <server> filename <file>|from usb filename <file>}}
Parameters:
  <server> - IP address or host name of the TFTP server
  <file> - Name of backup file
Return Value: 0 on success, 1 on failure
Example:
  show backup-settings-log
  show backup-settings-info from usb filename backup
Output: Success prints backup settings information. Failure prints appropriate error message.

show clock

Description: Displays current system date and time
Syntax: show clock
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show clock
Output: Success displays date and time. Failure prints appropriate error message.

show commands

Description: Displays all available CLI commands.
Syntax: show commands
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show commands
Output: List of all available CLI commands.


show date

Description: Displays current date in DD-Month-YYYY format.
Syntax: show date
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show date
Output: Current date

show dhcp

Displays DHCP (Dynamic Host Configuration Protocol) settings.

Showing DHCP Settings

The show dhcp command displays the current DHCP settings. The server parameter displays all the custom server options and advanced settings for all the interfaces.

Description: Displays a table with all DHCP related settings. With the server parameter, all of the custom DHCP server options and advanced settings for all interfaces are also displayed.
Syntax: show dhcp [server]
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show dhcp server
Output: Prints a table with all DHCP related settings.
  server parameter - All of the custom DHCP server options and advanced settings for all interfaces
Comments: These columns are included in the output table: Interface name, Enabled, Start Address, End Address, Exclude start IP address, Exclude end IP address

Showing DHCP for an Interface

The show dhcp command displays whether the DHCP server for a specific interface is enabled or disabled.

Description: Indicates whether the DHCP server for interface <interface> is enabled or disabled.
Syntax: show dhcp server interface <interface> active
Parameters:
  <interface> - Valid interface name
Return Value: 0 on success, 1 on failure
Example: show dhcp server interface LAN2 active
Output:
  DHCP is enabled: DHCP server for interface LAN Switch is enabled
  DHCP is disabled: DHCP server for interface LAN7 is disabled

Showing DHCP IP Pool

The show dhcp command displays the range of IP addresses that are available to DHCP clients on a specific interface.

Description: Displays the IP pool for DHCP servers for interface <interface>
Syntax: show dhcp server interface <interface> ip-pool
Parameters:
  <interface> - Valid interface name
Return Value: 0 on success, 1 on failure
Example: show dhcp server interface SWITCH ip-pool
Output: IP-pool for interface <interface> starts at: <start_ip_address> and ends at: <end_ip_address>
Comments: If an IP pool is not set for the interface, this message is displayed: IP-pool is not set for interface: <interface>

show dns

The show dns command displays these DNS (Domain Name System) settings:
  show dns - Displays all DNS related parameters.
  show dns mode - Displays DNS mode (global or internet).
  show dns primary - Displays IP address of the first DNS server.
  show dns secondary - Displays IP address of the second DNS server.
  show dns tertiary - Displays IP address of the third DNS server.
  show dns dns-proxy - Displays IP address of the DNS proxy server.

Description: Displays DNS related values.
Syntax: show dns [mode|primary|secondary|tertiary|dns-proxy]
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show dns primary
Output:
  show dns - Table containing all DNS related parameters, with these columns: DNS Mode, First Server, Second Server, Third Server, DNS Proxy.
  show dns mode - Global or Internet
  show dns primary - IPv4 address of the first DNS server.
  show dns secondary - IPv4 address of the second DNS server.
  show dns tertiary - IPv4 address of the third DNS server.
  show dns dns-proxy - IPv4 address of the DNS proxy server.

show domainname

Description: Displays the domain name of the system.
Syntax: show domainname
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show domainname
Output: Domain name of the system.

show ha internet

Description: Displays configuration parameters for Internet High Availability mode
Syntax: show ha-internet
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show ha-internet
Output: Success prints Internet High Availability parameters. Failure prints appropriate error message.

show host

The show host command displays these host settings:
  show host - Displays configuration for all configured hosts
  show host name <host> - Displays configuration for host <host>

Description: Displays static host configuration.
Syntax: show host [name <host>]
Parameters:
  <host> - The name of the host
Return Value: 0 on success, 1 on failure
Example: show host name cnn.com
Output:
  show host - Table containing configuration for all configured hosts. Table columns are: Host Name and IP Address.
  show host name <host> - Table containing configuration for host <host>. Table columns are: Host Name and IP Address. If the host does not exist: Host does not exist.

show hostname

Description: Displays host name.
Syntax: show hostname
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show hostname
Output: Host name of the machine

show icmp servers

Description: Displays list of ICMP servers
Syntax: show icmp-servers [primary|secondary|all]
Parameters:
  primary - Displays ICMP servers for the primary Internet connection
  secondary - Displays ICMP servers for the secondary Internet connection
  all - Displays ICMP servers for all the Internet connections
Return Value: 0 on success, 1 on failure
Example: show icmp-servers primary
Output: Success prints ICMP server parameters. Failure prints appropriate error message.

show inactivity-timeout

Description: Displays inactivity timeout for the WebUI and shells assigned to users (in minutes)
Syntax: show inactivity-timeout
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show inactivity-timeout
Output: Inactivity-timeout: <X> minutes. <X> is the inactivity timeout for the WebUI and shells assigned to users.

show interface

Displays parameters and status of a specific interface.

Description: Displays detailed information about interface <interface>
Syntax: show interface <interface> all
Parameters:
  <interface> - Valid interface name
Return Value: 0 on success, 1 on failure
Example: show interface WAN all
Output: Detailed information about the interface.

show interfaces

The show interfaces command displays these interface settings:
  show interfaces - Displays all interfaces, their parameters and status in a table format.
  show interfaces all - Displays detailed information for all interfaces.

Description: Displays all interfaces, their parameters and status.
Syntax: show interfaces [all]
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show interfaces
Output:
  show interfaces -
    Local Networks table with these columns: Name, IPv4 Address, Subnet Mask, IP assignment, Status, Enabled
    LAN Switch table with these columns: Name, IPv4 Address, Subnet Mask, IP assignment, Interfaces, Enabled
    Internet Connections table with these columns: Connection, Interface, Connection Type, Status, Duration, IPv4 Address, Enabled
  show interfaces all - Detailed information about each interface

show license

Description: Displays current license state.
Syntax: show license
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show license
Output: Current license state

show logs

The show logs command displays these logs:
  System
  Kernel
  Traffic

Description: Displays specific log file
Syntax: show logs {system|kernel|traffic}
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show logs kernel
Output: Success displays log file. Failure prints appropriate error message.

show memory usage

Description: Displays the amount of memory that is being used
Syntax: show memory-usage
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show memory-usage
Output: Success prints used memory. Failure prints appropriate error message.

show ntp

The show ntp command displays NTP (Network Time Protocol) settings.

Showing NTP Status

The show ntp command displays whether NTP is enabled or disabled.

Description: Indicates whether NTP is enabled or disabled.
Syntax: show ntp active
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show ntp active
Output: Yes - NTP is enabled, otherwise No

Showing NTP Servers

The show ntp command displays the configured NTP servers.

Description: Displays NTP servers
Syntax: show ntp servers
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show ntp servers
Output: Table with the configured NTP servers
Comments: If NTP is disabled this note is displayed: NOTE: NTP servers are not active

show proxy

Displays the current proxy settings used for fetching the license from the Check Point User Center.

Description: Displays the current proxy settings.
Syntax: show proxy
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show proxy
Output: Table containing these columns: Status, IP Address, Port

show restore settings log

Displays the log file of previous restore settings or restore default settings operations. You can display these restore settings log files:
  restore-settings-log - Log file for restoring saved settings
  restore-default-settings-log - Log file for restoring the default settings

Description: Displays log file for restore settings command
Syntax: show {restore-settings-log|restore-default-settings-log}
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show restore-settings-log
Output: Success prints restore settings log file. Failure prints appropriate error message.

show revert log

Description: Displays the log file of previous revert operations
Syntax: show revert-log
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show revert-log
Output: Success prints revert log file. Failure prints appropriate error message.

show route

Description: Displays the routing table.
Syntax: show route
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show route
Output: Routing table with these columns: Destination, Destination Mask, Interface, Next Hop, Metric, Destination Mask, Notes.

show rule hits

Displays the firewall rules that received the most hits.

Description: Displays the top firewall policy rule hits
Syntax: show rule-hits [top <rule>]
Parameters:
  <rule> - Number of rules in the security policy that are displayed. Minimum value is 1.
Return Value: 0 on success, 1 on failure
Example: show rule-hits top 3
Output: Success prints number of hits per rule. Failure prints appropriate error message.

show saved image

Description: Displays information about the saved backup image
Syntax: show saved-image
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show saved-image
Output: Success prints information about the image. Failure prints appropriate error message.

show snmp

The show snmp command displays information about the SNMP settings on the appliance.

Showing SNMP Agent

Displays information about the status or version of the SNMP agent. The show snmp community command displays the SNMP agent community string (a "password" for the SNMP v1 and v2 protocols).

Description: Displays SNMP agent information
Syntax: show snmp {agent|agent-version|community}
Parameters:
  agent - on: SNMP agent is enabled. off: SNMP agent is disabled.
Return Value: 0 on success, 1 on failure
Example: show snmp agent
Output: Success prints SNMP agent information. Failure prints appropriate error message.

Showing SNMP Host Information

Displays information about the SNMP host. These parameters are displayed:
  show snmp contact - Information about the host on which the SNMP agent is running
  show snmp location - The location of the SNMP host

Description: Displays information about the SNMP host
Syntax: show snmp {contact|location}
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show snmp location
Output: Success prints OK. Failure prints appropriate error message.

Showing SNMP Trap Information

Displays information about the SNMP traps. These parameters are displayed:
  status - Displays SNMP traps status
  enabled-traps - Displays list of all enabled SNMP traps
  receivers - Displays SNMP trap receivers

Description: Displays information about the SNMP traps
Syntax: show snmp traps {status|enabled-traps|receivers}
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show snmp traps enabled-traps
Output: Success prints SNMP trap information. Failure prints appropriate error message.

Showing SNMP Users

Displays information about SNMP v3 users. These parameters are displayed:
  show snmp users - Displays the list of all SNMP v3 users
  show snmp user <user> - Displays the information about a specific SNMP v3 user

Description: Displays information about SNMP v3 users
Syntax: show {snmp users|snmp user <user>}
Parameters:
  <user> - SNMP v3 user name
Return Value: 0 on success, 1 on failure
Example:
Output: Success prints information about SNMP v3 users. Failure prints appropriate error message.

show software version

Description: Displays version of the current software
Syntax: show software-version
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show software-version
Output: Success prints appliance software version. Failure prints appropriate error message.

show time

Description: Displays current time in HH-MM-SS format.
Syntax: show time
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show time
Output: Current time.

show timezone

Description: Displays system time zone in format AREA REGION.
Syntax: show timezone
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show timezone
Output: Time zone in format AREA REGION.
Comments: AREA is a geographic area. REGION is a region inside a specific area.

show timezone-dst

Description: Displays system Daylight Saving Time status.
Syntax: show timezone-dst
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show timezone-dst
Output: Yes, if the clock is set to automatically adjust for daylight saving changes. No, if adjusting the clock automatically for daylight saving changes is turned off.


show upgrade log

Description: Displays upgrade log files
Syntax: show upgrade-log
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show upgrade-log
Output: Success prints upgrade log files. Failure prints appropriate error message.

show user

The show user command displays these user settings:
  show user - Displays a table containing user related preferences for all users.
  show user <user> password-hash - Displays password hash for user <user>.
  show user <user> shell - Displays shell assigned to user <user>.

Description: Displays user related preferences.
Syntax: show user [<user> {password-hash|shell}]
Parameters:
  <user> - User login name
Return Value: 0 on success, 1 on failure
Example: show user John shell
Output:
  show user - Table containing user related preferences for all users. The table contains these columns: Username, Password Hash, Shell.
  show user <user> password-hash - Password-hash for user <user> is '<pass_hash>', or No such user '<user>' if <user> does not exist.
  show user <user> shell - Shell for user '<user>' is '<cli|bash>', or No such user '<user>' if <user> does not exist.
Comments: password-hash is a password MD5 string representation.

show user-lock

The show user-lock command displays the user-lock settings. A user is locked out of the WebUI after a specific number of failed login attempts. The show user-lock command displays these user-lock settings:
  show user-lock - Displays a table with all the user-lock preferences.
  show user-lock active - Displays whether user-lock is enabled or disabled.
  show user-lock attempts - Displays the maximum number of login attempts before the user is locked out.
  show user-lock time - Displays the duration in minutes that the user is locked out of the WebUI.

Description: Displays user-lock settings.
Syntax: show user-lock [active|attempts|time]
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show user-lock attempts
Output:
  show user-lock - Table containing all user-lock preferences with these columns: Enabled, Attempts, Time (mins).
  show user-lock active - User-lock is enabled when user-lock is enabled, User-lock is disabled otherwise.
  show user-lock attempts - Allowed login attempts: <X>, where X is the maximum number of login attempts before the user is locked out (a number between 1 and 999).
  show user-lock time - Lock-out time: <X> minutes, where X is the total number of minutes that the user is locked out of the WebUI.
Comments: User-lock settings do not apply to the CLI.

show vpn tunnel

Displays all IKE (Internet Key Exchange) and IPSec (Internet Protocol Security) SAs (Security Associations).

Description: Displays information about the VPN tunnel
Syntax: show vpn-tunnel-info
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: show vpn-tunnel-info
Output: Success prints information about the VPN tunnel. Failure prints appropriate error message.

upgrade from usb|tftp server

Description: Upgrades the software image from a file on a USB drive or TFTP server.
Syntax: upgrade from {usb [file <usb_file>]|tftp server <server> filename <tftp_file>} save-backup <on|off>
Parameters:
  <usb_file> - Name of software image file on USB drive.
  <server> - Host name or IP address of TFTP server.
  <tftp_file> - Name of software image file on TFTP server.
  <on|off> - on: Saves a backup software image and overwrites any existing backup image. off: Does not save a backup software image. This is the default setting.
Return Value: 0 on success, 1 on failure
Example: upgrade from usb save-backup on
Output: Success prints OK. Failure prints appropriate error message.

vpn

The vpn command manages the VPN driver and helps to debug the VPN.

Managing VPN Driver

Description: Installs the VPN kernel (vpnk) and connects to the firewall kernel (fwk), attaching the VPN driver to the Firewall driver
Syntax: vpn drv <on|off>
Parameters:
  <on|off> - Starts or stops the VPN kernel
Return Value: 0 on success, 1 on failure
Example: vpn drv on
Output: Success prints OK. Failure prints appropriate error message.

Launching TunnelUtil Tool

You can use the vpn tunnelutil command to launch the VPN TunnelUtil tool. This tool can be used to:
  List IKE and IPSec SAs
  Delete IKE and IPSec SAs

Description: Launches the VPN TunnelUtil tool
Syntax: vpn tunnelutil
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: vpn tunnelutil
Output: Success launches VPN TunnelUtil tool. Failure prints appropriate error message.


Debugging VPN

Description: The vpn debug command contains multiple utilities for troubleshooting VPN issues.
Syntax: vpn debug {on [TOPIC=level]|off} [ikeon|ikeoff] [trunc [TOPIC=level]] [mon|moff]
Parameters:
  on|off - Writes debugging information to $FWDIR/log/sfwd.elg
  [TOPIC=level] - Sets level of debugging for a particular topic. This argument can only be used after on or trunc.
  ikeon|ikeoff - Writes IKE packet information into $FWDIR/log/ike.elg
  trunc - Writes both sfwd.elg and ike.elg, but first clears the files
  mon|moff - Writes raw IKE packets to $FWDIR/log/ikemonitor.snoop
Return Value: 0 on success, 1 on failure
Example: vpn debug on
Output: Failure prints appropriate error message.


Advanced Configuration

Upgrade Using a USB Drive

This section explains how you can upgrade the appliance with a USB drive without a console connection to the appliance. It is possible to manually choose from a console the specific file you wish to use for the upgrade. For more information, see Upgrade Using Boot Loader (on page 132).

Installing a new firmware image from a USB drive

Check Point releases new firmware images every so often. You can reburn the appliance using the image file and a USB drive. Note that you can also upgrade using the WebUI, in which case you do not lose your previous settings if the new image supports it. When you reburn a new image with a USB drive, the appliance deletes your previous settings and creates a new factory default image to which the appliance can return.

To upgrade to a new firmware image from a USB drive:

1. Disconnect the Security Gateway 80 appliance from the power source.

2. Place the firmware image file on a USB drive, in the top folder. The firmware image file is recognized by its name so do not rename it.

3. Make sure the top folder of the USB drive does not contain any previous Boot loader or Firmware images (u-boot*.ubt files or fw1*.img files).

4. Connect the USB drive to one of the USB ports on the Security Gateway 80 appliance. If the operation does not succeed, this may be because the USB1 port does not recognize all USB drives. Some USB drives also use a different file system, and those are not supported.

5. Connect the appliance to the power source. The appropriate USB LED will light and blink several times as it recognizes the file and uploads it to the appliance. The LED turns off once the file uploads. This takes several seconds.

If the file is valid, all LAN LEDs will start to blink to show progress. Every other LED blinks at a different speed. The LAN LEDs blink in orange and green (Link LEDs blink orange and Activity LEDs blink green).

Upon successful installation all LAN LEDs will turn solid green and the appliance awaits your input.

6. Remove the USB drive and disconnect the appliance from the power source.

7. Reconnect the appliance to the power source. Allow the appliance to boot successfully. The first boot after an image reburn takes more time than a normal boot. Wait patiently for the Notice LED to stop blinking (this indicates that the boot is complete).

As this operation has removed your previous settings please refer to the Getting Started Guide and reconfigure your appliance with the First Time Configuration Wizard.

Note - When you upgrade with a USB drive, you also replace the saved factory defaults image of the appliance as this method reburns the appliance. For more information, see Upgrade (on page 49).

Installing a new Boot-Loader from a USB drive

Check Point rarely releases a new Boot Loader; it usually comes together with a new image. Upgrading to a new U-Boot or firmware image requires booting the appliance.

To replace Boot-Loader (usually done before you upgrade to the new image, if one exists):

1. Disconnect your Security Gateway 80 appliance from the power source.

2. Place the Boot loader file on a USB drive, in the top folder. The Boot loader file is recognized by its name so do not rename it.

3. Make sure the top folder of the USB drive does not contain any previous Boot loader or Firmware images (u-boot*.ubt files or fw1*.img files).

4. Connect the USB drive to one of the USB ports on your Security Gateway 80 appliance. If the operation does not succeed, this may be because the USB1 port does not recognize all USB drives. Some USB drives also use a different file system, and those are not supported.


5. Connect the appliance to the power source. The appropriate USB LED will light and blink several times as it recognizes the file and uploads it to the appliance. The LED turns off once the file uploads. This takes several seconds.

If the file is valid, all LAN LEDs will start to blink to show progress. Every other LED blinks at a different speed. The LAN LEDs blink in orange and green (Link LEDs blink orange and Activity LEDs blink green).

Upon successful installation all LAN LEDs will turn solid green and the appliance awaits your input.

6. Remove the USB drive and disconnect the appliance from the power source.

7. If you need to install a new firmware image, refer to the firmware image installation section before reconnecting the appliance to the power source.
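The checks in steps 2 and 3 (the file keeps its original name, and no other u-boot*.ubt or fw1*.img file is left in the top folder) can be scripted on the workstation before the drive is connected to the appliance. This pre-flight check is an added example, not part of the guide; the function name usb_preflight, the mount point and the sample file names are placeholders.

```shell
#!/bin/sh
# Pre-flight check for the USB drive's top folder (added example; usb_preflight
# is a placeholder name, not a Check Point tool).
#   usb_preflight DIR FILE
# DIR  - mount point of the USB drive (its top folder)
# FILE - the boot-loader or firmware file, with its original, unrenamed name
# Returns 0 when FILE is present under a name the appliance recognizes and no
# other u-boot*.ubt or fw1*.img file is left in DIR; otherwise prints the
# reason to stderr and returns 1.
usb_preflight() {
    dir=$1
    want=$2
    # The appliance identifies the file by its name, so a renamed file is not picked up.
    case "$want" in
        u-boot*.ubt|fw1*.img) ;;
        *) echo "name '$want' does not match u-boot*.ubt or fw1*.img" >&2; return 1 ;;
    esac
    if [ ! -f "$dir/$want" ]; then
        echo "missing: $dir/$want" >&2
        return 1
    fi
    stale=0
    # Any other boot-loader or firmware image in the top folder must be removed
    # first (step 3), otherwise the appliance may load the wrong one.
    for f in "$dir"/u-boot*.ubt "$dir"/fw1*.img; do
        [ -e "$f" ] || continue          # an unmatched glob stays literal; skip it
        if [ "${f##*/}" != "$want" ]; then
            echo "stale image in top folder: $f" >&2
            stale=$((stale + 1))
        fi
    done
    [ "$stale" -eq 0 ]
}
```

Run it as, for example, `usb_preflight /media/usb u-boot-sample.ubt` with your own mount point and file name; a non-zero exit means the drive is not ready.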

Boot Loader

The SecurePlatform Embedded Boot Menu shows during boot and is available by pressing Ctrl+C while the appliance is booting. The menu contains the available options.

When you are in Boot Loader, all interfaces are down and you can only activate them for options that require connectivity. At this point Check Point’s services are not active.

Options 1-3 start the appliance.

Normal mode is the default boot mode for the appliance.

Debug mode boot gives printouts of processes that are initialized during boot.

Maintenance mode boots the machine and gives access only to the file system (network interfaces, Check Point processes and the appliance’s services are down).

Note - During normal/debug boot, if there is an error and the appliance cannot boot properly, it reverts to maintenance mode and the Power LED turns solid red.

Options 4-5 are explained in the subsequent sections.

Options 6-7 let you manually choose a specific file from a USB drive and install/update an image or a new boot loader. Once you choose the file and it is downloaded onto the appliance, the rest of the procedure is the same as in Upgrade Using a USB Drive (on page 131).

Option 8 restarts the appliance.

Upgrade Using Boot Loader

To restore the Security Gateway 80 appliance to its default factory configuration using U-boot (boot loader):

1. Connect to the appliance with a console connection (use the serial console connection on the back panel of the appliance), boot the appliance and press Ctrl+C. The Secure Platform Embedded Boot Menu is shown.

2. Press 5 to select Install/Update Image/Boot-Loader from Network.

3. You are asked if you want to manually load the image from a TFTP server, or if you want to use automatic mode with a bootp server.

4. If you choose manual mode, you are asked to fill in the IP of the TFTP server and the image name.

5. If you choose automatic mode, the procedure starts automatically to search for the bootp server.

6. While in menu mode, pressing Ctrl+C again returns you to the Boot Loader menu.

During the upgrade, all LAN Link and Activity LEDs blink orange and green alternately to indicate progress. This takes up to a few minutes.

Upon successful completion, all LAN Link and Activity LEDs light green, and the appliance waits for you to either press a key or reboot it manually (pull the power cable out and put it back in). An error in the upgrade process is indicated by all LAN Link and Activity LEDs blinking red.

Restore Factory Defaults from the Boot Loader Menu

To restore the Security Gateway 80 appliance to its default factory configuration from U-boot (boot loader):

1. Connect to the appliance with a console connection (use the serial console connection on the back panel of the appliance), boot the appliance and press Ctrl-C. The Secure Platform Embedded Boot Menu is shown.

2. Press 4 to select Restore to Factory Defaults (local).

3. When you are prompted: "Are you sure? (y/n)" choose y to continue and restore the appliance to its factory defaults settings.

While factory defaults are being restored, all LAN Link and Activity LEDs will blink orange and green alternately to indicate progress. This takes a few minutes.

Upon completion, the appliance boots automatically.

Front Panel

Key Description

1 USB1 port.

2 Power LED
Green when the appliance is turned on.
Red when there is a boot error (the appliance booted in maintenance mode).

3 Notice LED
Blinking green during boot.
Blinking red when there is no Internet connection. See the WebUI Logs > System Logs page for more details.
Solid red when the appliance has a resource problem such as memory shortage. See the WebUI Logs > Traffic Logs page for more details.

4 LAN1 - LAN8, DMZ and WAN port LEDs - when a specific port is inactive, both of the port's indicators are not lit.
Link Indicator: orange when the port speed is 1000 Mbps; green when the port speed is 100 Mbps; not lit when the port speed is 10 Mbps.
Activity Indicator: solid green when the link is up and there is no traffic; blinking green when there is traffic.

5 USB1 and USB2 port LEDs - orange when a USB device is connected.

Back Panel

Key Description

1 Power outlet - connects to the power supply unit's cable.

2 Reboot button - lets you forcibly reboot the appliance. The button is recessed into the appliance chassis to prevent accidental reboot. The appliance reboots immediately after you press the button.

3 LAN1 - LAN8 - built-in Ethernet ports. LAN2/SYNC - in a cluster configuration, you must connect a cable between this port on both appliances that take part in the cluster. You can configure the cluster sync port to a port other than LAN2.

4 DMZ and WAN - built-in Ethernet ports.

5 USB2 - second USB port.

6 Console - serial connection configured at 115200 bps.

7 Factory Defaults button - lets you restore the appliance to its factory defaults. The button is recessed into the appliance chassis to prevent accidental restoring of factory default settings. See Factory Defaults (on page 50).

Remote Access VPN

To use Security Gateway 80 with Endpoint Connect, configure the following:

The SNX URL is https://<WAN-IP>. This is the IP address configured for your Internet connection.

For L2TP clients, the PSK is configured in different locations:

If the Security Management Server is R70.40 and higher - configure the client in a file on the Security Management Server: /opt/CPSFWCMP-R70/conf/l2tp.conf

If the Security Management Server is R71.20 and higher, there is a GUI option in the Global Properties.

Index

A
add admin access • 60
add host • 61
add interface • 61
add ntp • 61
add snmp • 62
add switch • 63
add user • 63
Adding a Route with a Specific Gateway IP Address • 102
Adding a Route with a Specific Gateway IP Address and Interface • 104
Adding a Route with a Specific Gateway IP Address and Priority • 103
Adding a Route with a Specific Interface • 103
Adding a Route with a Specific Interface and Priority • 104
Adding Routes • 102
Adding SNMP v2 Traps Receiver • 62
Adding SNMP v3 Traps Receiver • 62
Administration • 47
Administrator Access • 52
Administrators • 51
Advanced Configuration • 131
Appliance Configuration • 32
Automatic Topology • 45

B
Back Panel • 135
Backup and Restore • 47
backup settings • 63
Boot Loader • 132
Bridge Mode Configuration • 40

C
CLI Reference • 59
CLI Syntax • 59
Cluster Configuration • 24
Cluster Interface Configuration • 28
Configuration File Error • 22
Configure the Cluster in SmartDashboard • 30
Configure the New Appliance • 29
Configuring a Bridge • 95
Configuring a DNS Server • 85
Configuring a Proxy Server • 105
Configuring a TFTP Server • 86
Configuring Advanced Interface Settings • 99
Configuring Call Manager • 89
Configuring Client Root Disk • 87
Configuring Custom DHCP Option • 90
Configuring DHCP • 99
Configuring DHCP Extensions • 87
Configuring ICMP • 100
Configuring IP Lease Time • 84
Configuring NBDD • 88
Configuring NetBIOS Scope • 88
Configuring PPPoE • 95
Configuring PPTP and L2TP • 96
Configuring SNMP v3 Receivers • 109
Configuring SNMP v3 Users • 109
Configuring Static IP • 94
Configuring Subnet Time Offset • 85
Configuring the Cluster Object Using SmartDashboard • 26
Configuring the Default Gateway • 84
Configuring the Path for a Bootstrap File • 87
Configuring the Security Gateway 80 Appliances • 25
Configuring the SMTP Server • 86
Configuring the Swap Server • 85
Configuring the WINS Server • 84
Configuring User-lock • 113
Configuring VoIP Phones • 89
Configuring WINS Node-Type • 88
Configuring X-Windows Display • 89
Converting an Existing Security Gateway 80 to a Cluster • 29
cphaprob • 64
cphastop • 66
cpinfo • 66
cpshell • 67
cpstart • 67
cpstat • 67
cpstop • 69
cpwd_admin • 69
cpwd_admin config • 70
cpwd_admin start|stop • 71
Create and Configure a Cluster in SmartDashboard • 30
Creating a Cluster for New Gateways • 25

D
Debugging VPN • 130
Defining a Single Gateway Object • 9
Defining a SmartLSM Profile • 19
delete admin access • 72
delete dhcp • 72
delete dns • 73
delete domainname • 73
delete host • 74
delete ICMP server • 72
delete interface • 74
delete ntp • 75
delete proxy • 75
delete snmp • 75
delete switch • 76
delete user • 76
Deleting DHCP Custom Option Code • 73
Deleting Excluded IP Addresses • 72
Deleting Routes • 101
Deleting Routes by Destination and Gateway IP Address • 101
Deleting Routes by Destination and Gateway IP Address and Interface • 102
Deleting Routes by Destination IP Address • 101
Deleting Routes by Destination IP Address and Interface • 101
Deleting the Internet Interface • 74
Deleting VLANs • 74
Deploying from a USB Drive • 20
Deploying the Configuration File - Existing Configuration • 21
Deploying the Configuration File - Initial Configuration • 20
Deploying with SmartProvisioning • 20
Diagnostics • 57
Disabling User-lock • 113
DNS • 44
dynamic objects • 77

E
Editing Routes • 104
Enabling the DHCP Server • 83
Excluding IP Addresses • 83
exit • 77

F
Factory Defaults • 50
fetch certificate • 78
fetch license • 78
fetch policy • 78
Front Panel • 134
fw Commands • 79

I
Implied Rules for Security Gateway 80 • 46
Important Information • 3
Installation and Deployment • 9
Integrated Anti-Virus Protection • 55
Internet Configuration • 35
Internet Connection High Availability • 37
Internet Settings • 35
Introduction • 8
Introduction to the WebUI Application • 33

L
Launching TunnelUtil Tool • 129
Licensing • 54
Local Network • 37

M
Managing a Proxy Server • 105
Managing Interfaces • 94
Managing SNMP Agent • 106
Managing SNMP Traps • 108
Managing VPN Driver • 129
Messaging Security • 56

N
Networking • 35

P
Preparing the Configuration Files • 20
Prerequisites • 9

R
reboot • 80
Reconfigure the Existing Security Gateway 80 • 30
Remote Access VPN • 135
restore default-settings • 80
Restore Factory Defaults from the Boot Loader Menu • 133
restore settings • 80
revert to factory defaults • 81
revert to saved image • 81
Routing • 41

S
Sample Configuration File • 20
Sample Configuration Log with Error • 23
Security • 55
Security Gateway 80 Clusters • 24
Security Gateway 80 Overview • 8
set admin access • 81
set date • 82
set dhcp relay • 90
set dhcp server • 82
set dns • 91
set dns mode • 91
set dnsproxy • 91
set domainname • 91
set expert password • 92
set ha internet primary • 92
set host • 93
set hostname • 93
set inactivity-timeout • 93
set interface • 93
set proxy • 105
set sic_init • 106
set snmp • 106
set static-route • 101
set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> priority <priority> on • 105
set time • 111
set time-zone • 111
set user • 112
set user-lock • 113
Setting a Single Trap • 110
Setting Community String • 107
Setting Host Location • 107, 108
Setting Password for a User • 112
Setting Password Hash for a User • 112
Setting Shell for a User • 113
Setting SNMP Host Information • 107
Setting SNMP v2 Receivers • 108
Setting SNMP Version • 107
Setting the IP Pool • 82
shell/expert • 114
show admin access • 114
show backup settings • 115
show clock • 115
show commands • 115
show date • 116
show dhcp • 116
show dns • 117
show domainname • 118
show ha internet • 118
show host • 118
show hostname • 119
show icmp servers • 119
show inactivity-timeout • 119
show interface • 120
show interfaces • 120
show license • 120
show logs • 121
show memory usage • 121
show ntp • 121
show proxy • 122
show restore settings log • 122
show revert log • 123
show route • 123
show rule hits • 123
show saved image • 124
show snmp • 124
show software version • 125
show time • 126
show timezone • 126
show timezone-dst • 126
show upgrade log • 127
show user • 127
show user-lock • 127
show vpn tunnel • 128
Showing DHCP for an Interface • 116
Showing DHCP IP Pool • 117
Showing DHCP Settings • 116
Showing NTP Servers • 122
Showing NTP Status • 121
Showing SNMP Agent • 124
Showing SNMP Host Information • 124
Showing SNMP Trap Information • 125
Showing SNMP Users • 125
Step 1 Defining the Security Gateway 80 Object in SmartDashboard • 9
Step 2 Preparing to Install the Security Policy • 14
Suggested Workflow - Configuration File Error • 22
Supported Linux Commands • 60
Switch Mode Configuration • 40
System Logs • 58

T
The Management Server Page • 33
The Overview Page • 33
Tools • 57
Traffic Logs • 58
Troubleshooting Configuration Files • 22

U
Upgrade • 49
upgrade from usb|tftp server • 128
Upgrade Using a USB Drive • 131
Upgrade Using Boot Loader • 132
URL Filtering • 55
Using Command Line Interface • 59
Using Domain Names • 60
Using Hostnames • 60
Using the set property Command • 23

V
Viewing Cluster Status in the WebUI • 31
Viewing Configuration Logs • 22
Viewing the Policy Installation Status • 16
vpn • 129

W
Welcome • 8