Check Point Safe@Office Internet Security Appliance User Guide Version 4.0.
COPYRIGHT & TRADEMARKS Copyright © 2003 SofaWare, All Rights Reserved. No part of this document may be reproduced in any form or by any means without written permission from SofaWare. of Safety or Performance and could result in violation of Part 15 of the FCC Rules. When installing the appliance, ensure that the vents are not blocked. Do not use the appliance outdoors.
Contents

Chapter 1: Introduction
  About Your Check Point Safe@Office Appliance
  Safe@Office Products
    Safe@Office 105
    Safe@Office 110
Chapter 2: Installing and Setting up the Safe@Office Appliance
  Before You Install the Safe@Office Appliance
    Windows 2000/XP
    Windows 98/Millennium
    Mac OS
  Using a LAN Connection
  Using a Cable Modem Connection
  Using a PPPoE Connection
  Using a PPTP Connection
  Using a Telstra (BPA) Connection
Chapter 6: Viewing Reports
  Viewing the Event Log
  Viewing Computers
  Viewing Connections
Chapter 7: Setting Your Security Policy
  Checking for Software Updates when Locally Managed
  Checking for Software Updates When Remotely Managed
Chapter 9: Working With VPNs
  Overview
  Setting Up Your Safe@Office Appliance as a VPN Server
  Adding and Editing VPN Sites
  Using RADIUS Authentication
Chapter 11: Maintenance
  Viewing Firmware Status
  Updating the Firmware
  Upgrading Your Software Product
Glossary of Terms
Index
Chapter 1
Introduction

This chapter introduces the Check Point Safe@Office appliance and this guide.

This chapter includes the following topics:
About Your Check Point Safe@Office Appliance
Safe@Office Products
Safe@Office Features and Compatibility
Getting to Know Your Safe@Office 100 Series

Safe@Office Products

The Safe@Office appliance is available with the following hardware: Safe@Office 100 series or Safe@Office 200 series. Both provide a Web-based management interface, which enables you to manage and configure the Safe@Office appliance operation and options. However, the 200 series provides higher firewall and VPN throughput and has a dedicated DMZ port and a serial port. The 100 series includes models Safe@Office 105 and Safe@Office 110.

Safe@Office 225

Safe@Office 225 provides all the benefits of Safe@Office 110, along with support for High Availability. High Availability enables you to install a second Safe@Office appliance on your network and configure that appliance as a backup to the first Safe@Office appliance, thereby ensuring that your network is consistently protected and connected to the Internet.
Safe@Office Features and Compatibility Feature WAN Port Safe@Office Safe@Office Safe@Office 10/100 Mbps 10/100 Mbps 10/100 Mbps Fast Ethernet Fast Ethernet Fast Ethernet 105 110 225/225U 10/100 Mbps DMZ/WAN2 Port Fast Ethernet Serial Console Port Ethernet cable type recognition Users (nodes) 5 10 25 or Unlimited Supported Internet Static IP, DHCP Client, Cable Modem, PPTP Client, connection methods PPPoE Client, Telstra BPA login DHCP Server MAC Cloning Backup Internet connection H
Safe@Office Features and Compatibility Firewall Feature Firewall Type Safe@Office Safe@Office Safe@Office Check Point Check Point Check Point Firewall-1 Firewall-1 Firewall-1 Embedded NG Embedded NG Embedded NG Unlimited Unlimited Unlimited Logical Physical 105 100 225/225U Network Address Translation (NAT) INSPECT Policy Rules User-defined rules Three levels preset security policies DoS Protection Anti-spoofing Attack Logging Voice over IP (H.
Safe@Office Features and Compatibility VPN Feature VPN Type Safe@Office Safe@Office Safe@Office Check Point Check Point Check Point VPN-1 VPN-1 VPN-1 Embedded NG Embedded NG Embedded NG Remote Access Remote Access Client Client RemoteAccess Remote Access Server Server Site-to-Site Site-to-Site 105 IPSEC VPN Remote mode Access Server 110 225/225U IPSEC VPN pass-through Encryption AES/3DES/DES AES/3DES/DES AES/3DES/DES Authentication SHA1/MD5 SHA1/MD5 SHA1/MD5 X.
Safe@Office Features and Compatibility Management Feature Safe@Office Safe@Office Safe@Office SofaWare SMP SofaWare SMP SofaWare SMP 105 110 225/225U Web Management HTTPS Access (local and remote) Multiple Administrators CLI Management Systems Chapter 1: Introduction 7
Safe@Office Features and Compatibility Optional Security Services Feature Safe@Office 105 Safe@Office 110 Safe@Office 225/225U Firewall security and software updates Web Filtering * Email Antivirus protection * Dynamic DNS Service * VPN Management Centralized Logging and Intrusion Detection * When managed by SofaWare Security Management Portal (SMP).
Package Contents
• Safe@Office Internet Security Appliance
• CAT5 Straight-through Ethernet Cable
• Power Adapter
• Getting Started Guide
• This Users Guide

Network Requirements
• A broadband Internet connection via cable or DSL modem with Ethernet interface (RJ-45)
• 10BaseT or 100BaseT Network Interface Card installed on each computer
• TCP/IP network protocol installed on each computer
• Internet Explorer 5.0 or higher, or Netscape Navigator 4.
Getting to Know Your Safe@Office 100 Series

Rear Panel

The following figure shows the Safe@Office 100 series appliance's rear panel. All physical connections (network and power) to the Safe@Office appliance are made via the rear panel of your Safe@Office appliance.

Figure 1: Safe@Office Appliance 100 Rear Panel Items

The following table lists the Safe@Office appliance's rear panel elements.

Table 1: Safe@Office Appliance 100 Rear Panel Elements

Label: Description
PWR: A power jack used for supplying power to the unit. Connect the supplied power adapter to this jack.
RESET: A button used for rebooting the Safe@Office appliance or resetting the Safe@Office appliance to its factory defaults. You need to use a pointed object to press this button.
• Short press. Reboots the Safe@Office appliance
• Long press (7 seconds).

Front Panel

The Safe@Office 100 appliance includes several status LEDs that enable you to monitor the appliance’s operation.

Figure 2: Safe@Office 100 Appliance Front Panel

For an explanation of the Safe@Office 100 appliance’s status LEDs, see the table below.

LED and State: Explanation
LINK/ACT On, 100 On: 100 Mbps link established for the corresponding port.
LINK/ACT Flashing: Data is being transmitted/received

Getting to Know Your Safe@Office 200 Series

Rear Panel

The following figure shows the Safe@Office 200 series appliance's rear panel. All physical connections (network and power) to the Safe@Office appliance are made via the rear panel of your Safe@Office appliance.

Table 3: Safe@Office 200 Appliance Rear Panel Elements

Label: Description
PWR: A power jack used for supplying power to the unit. Connect the supplied power adapter to this jack.
RESET: A button used for rebooting the Safe@Office appliance or resetting the Safe@Office appliance to its factory defaults. You need to use a pointed object to press this button.
• Short press. Reboots the Safe@Office appliance
• Long press (7 seconds).

Front Panel

The Safe@Office 200 appliance includes several status LEDs that enable you to monitor the appliance’s operation.

Figure 4: Safe@Office 200 Appliance Front Panel

For an explanation of the Safe@Office 200 appliance’s status LEDs, see the table below.

LED and State: Explanation
LINK/ACT On, 100 On: 100 Mbps link established for the corresponding port.
LINK/ACT Flashing: Data is being transmitted/received.
VPN Flashing (Green): VPN tunnel in use
Serial Flashing (Green): Serial port in use

About This Guide

To make finding information in this manual easier, some types of information are marked with special symbols or formatting. Boldface type is used for command and button names.
Contacting Technical Support

If there is a problem with your Safe@Office appliance, surf to http://www.sofaware.com/support and fill out a technical support request form. You can also download the latest version of this guide from the site.
Chapter 2
Installing and Setting up the Safe@Office Appliance

This chapter describes how to properly set up and install your Safe@Office appliance in your networking environment.

This chapter includes the following topics:
Before You Install the Safe@Office Appliance
Network Installation
Setting Up the Safe@Office Appliance

Before You Install the Safe@Office Appliance

Windows 2000/XP

Note: While Windows XP has an "Internet Connection Firewall" option, it is recommended not to enable it if you are using a Safe@Office appliance, since the Safe@Office appliance offers better protection.

Checking the TCP/IP Installation
1. Click Start > Settings > Control Panel. The Control Panel window appears.
2. Double-click the Network and Dial-up Connections icon. The Network and Dial-up Connections window appears.
3. Right-click the that opens. The Local Area Connection Properties window appears.
4. In the above window, check if TCP/IP appears in the components list and if it is properly configured with the Ethernet card installed on your computer. If TCP/IP does not appear in the Components list, you must install it as described in the next section.

Installing TCP/IP Protocol
1. In the Local Area Connection Properties window click Install…. The Select Network Component Type window appears.
2. Choose Protocol and click Add. The Select Network Protocol window appears.
3. Choose Internet Protocol (TCP/IP) and click OK. TCP/IP protocol is installed on your computer.

TCP/IP Settings
1. In the Local Area Connection Properties window double-click the Internet Protocol (TCP/IP) component, or select it and click Properties. The Internet Protocol (TCP/IP) Properties window opens.
2. Click the Obtain an IP address automatically radio button.
Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically.

Your computer is now ready to access your Safe@Office appliance.

Windows 98/Millennium

Checking the TCP/IP Installation
1. Click Start > Settings > Control Panel. The Control Panel window appears.
2. Double-click the icon.
The Network window appears.
3. In the Network window, check if TCP/IP appears in the network components list and if it is already configured with the Ethernet card installed on your computer.

Installing TCP/IP Protocol
Note: If TCP/IP is already installed and configured on your computer skip this section and move directly to TCP/IP Settings.
1. In the Network window, click Add. The Select Network Component Type window appears.
2. Choose Protocol and click Add. The Select Network Protocol window appears.
3. In the Manufacturers list choose Microsoft, and in the Network Protocols list choose TCP/IP.
4. Click OK. If Windows asks for original Windows installation files, provide the installation CD and relevant path when required (e.g. D:\win98)
5. Restart your computer if prompted.

TCP/IP Settings
Note: If you are connecting your Safe@Office appliance to an existing LAN, consult your network manager for the correct configurations.
1. In the Network window, double-click the TCP/IP service for the Ethernet card, which has been installed on your computer (e.g. ).
3. Click the DNS Configuration tab, and click the Disable DNS radio button.
4. Click the IP Address tab, and click the Obtain an IP address automatically radio button.
Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically. If for some reason you need to assign a static IP address, select Specify an IP address, type in an IP address in the range of 192.168.10.129-254, enter 255.255.255.0 in the Subnet Mask field, and click OK to save the new settings.
Mac OS

Use the following procedure for setting up the TCP/IP Protocol.
1. Choose Apple Menus -> Control Panels -> TCP/IP. The TCP/IP window appears.
2. Click the Connect via drop-down list and select Ethernet.
3. Click the Configure drop-down list and select Using DHCP Server.
4. Close the window and save the setup.

Network Installation
1. Verify that you have the correct cable type. For information, see Network Requirements on page 9.
2.
Connect one end of the Ethernet cable to the WAN port at the back of the unit. Connect the other end of the cable to a Cable Modem, xDSL modem or office network.
4. Connect the power adapter to the power socket, labeled PWR, at the back of the Safe@Office appliance. Plug in the AC power adapter to the wall electrical outlet.
Warning: The Safe@Office appliance AC adapter is compatible with either 100, 120 or 230 VAC input power.

Setting Up the Safe@Office Appliance

• Logging on to the Safe@Office Portal and setting up your password: see Initial Login to the Safe@Office Portal on page 35
• Configuring an Internet connection: see Using the Setup Wizard on page 50
• Setting the Time on your Safe@Office appliance (200 series only): see Setting the Time on the Appliance on page 209
• Installing the Product Key: see Upgrading Your Software Product on page 197
• Registering your Safe@Office Appliance: see Registering Your Safe@Office Appliance on page 202
• Setting up
Chapter 3
Getting Started

This chapter contains all the information you need in order to get started using your Safe@Office appliance.

This chapter includes the following topics:
Initial Login to the Safe@Office Portal
Logging on to the Safe@Office Portal
Accessing the Safe@Office Portal Remotely

Initial Login to the Safe@Office Portal

The initial login page appears.
2. Type a password both in the Password and the Confirm Password fields.
Note: The password must be five to 25 characters (letters or numbers).
Note: You can change your password at any time. For further information, see Changing Your Password on page 181.
3. Click OK. The Setup Wizard opens, with the Welcome screen displayed.
4. Configure your Internet connection using either the Setup Wizard or Internet Setup.
The Setup Wizard takes you through the configuration process step by step. For information on using the Setup Wizard, see Using the Setup Wizard on page 50.
Internet Setup offers advanced setup options. For example, if you are using Safe@Office 110 or 225, you can configure two Internet connections using Internet Setup.

Logging on to the Safe@Office Portal

To log on to the Safe@Office Portal
1. Do one of the following:
Browse to http://my.firewall.
Or
To log on through HTTPS (locally or remotely), follow the procedure Accessing the Safe@Office Portal Remotely on page 40.
The login page appears.
If you are using Safe@Office 110 or 225, the page appears as follows:
2. Type in your username and password.
3. Click OK. The Welcome page appears.

Accessing the Safe@Office Portal Remotely

You can access the Safe@Office Portal remotely (from the Internet) through HTTPS. HTTPS is a protocol for accessing a secure Web server. It is used to transfer confidential user information, since it encrypts data and utilizes a secure port.
Note: You can also use HTTPS to access the Safe@Office Portal from your internal network.

If this is your first attempt to access the Safe@Office Portal through HTTPS, the certificate in the Safe@Office appliance is not yet known to the browser, so the Security Alert dialog box appears. To avoid seeing this dialog box again, install the certificate of the destination Safe@Office appliance. If you are using Internet Explorer 5, do the following:
1) Click View Certificate. The Certificate dialog box appears, with the General tab displayed.
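
Before installing a certificate that the browser does not yet know, it is worth confirming that it is the appliance's own certificate and not one presented by something in the path. The following is an added example, not part of the original guide or of any Check Point tool: it compares the SHA-256 fingerprint of the certificate a host presents with a fingerprint recorded earlier over a trusted path. The function names, the sample bytes and the idea of recording the fingerprint from the LAN side first are assumptions of this example.

```python
"""Added example: check a presented certificate against a recorded fingerprint."""
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder bytes standing in for a DER-encoded certificate.
# They are not a real certificate; hashing works the same way on real DER.
SAMPLE_DER = bytes.fromhex("3082010a0282010100") + b"constructed-sample-certificate"


def fingerprint_sha256(der_cert):
    """Return the SHA-256 fingerprint of a DER certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_fingerprint(text):
    """Accept 'AB:CD:...', 'ab cd ...', 'ab-cd-...' or plain hex."""
    cleaned = "".join(ch for ch in text.lower() if ch not in ": -")
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 fingerprint of 64 hex digits")
    return cleaned


def certificate_matches(der_cert, expected_fingerprint):
    """True only if the certificate hashes to the recorded fingerprint."""
    return hmac.compare_digest(
        fingerprint_sha256(der_cert),
        normalize_fingerprint(expected_fingerprint),
    )


def fetch_certificate(host, port, timeout=5.0):
    """Fetch the certificate a server presents, without validating it.

    Chain validation is switched off on purpose: the certificate is not yet
    known to the client, so the trust decision is made by the fingerprint
    comparison in certificate_matches(), not by the TLS library.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_appliance(host, port, expected_fingerprint):
    """Fetch the presented certificate and compare it with the recorded value."""
    return certificate_matches(fetch_certificate(host, port), expected_fingerprint)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample bytes.
    recorded = fingerprint_sha256(SAMPLE_DER)
    print("recorded fingerprint:", recorded)
    print("same certificate:", certificate_matches(SAMPLE_DER, recorded))
    print("altered certificate:", certificate_matches(SAMPLE_DER + b"\x00", recorded))
```

Record the fingerprint while connected directly to the appliance, then run the comparison from the remote location before accepting the certificate in the browser.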
Using the Safe@Office Portal

Table 5: Safe@Office Portal Elements

Element: Description
Main menu: Used for navigating between the various topics (such as Reports, Security, and Setup).
Main frame: Displays information and controls related to the selected topic. The main frame may also contain tabs that allow you to view different pages related to the selected topic.
Status bar: Shows your Internet connection and managed services status.

Main Menu

The main menu includes the following submenus.

Table 6: Main Menu Submenus

This submenu…: Does this…
Welcome: Displays the welcome information.
Reports: Provides reporting capabilities in terms of event logging, established connections, and active computers.
Security: Provides controls and options for setting the security of any computer in the network.
Services: Allows you to control your subscription to subscription services.
Users: Allows you to manage Safe@Office appliance users. This submenu only appears in Safe@Office 110 and 225.
VPN: Allows you to manage, configure, and log on to VPN sites. This submenu only appears in Safe@Office 110 and 225.
Help: Provides context-sensitive help.
Logout: Allows you to log off of the Safe@Office Portal.

Main Frame

The main frame displays the relevant data and controls pertaining to the menu and tab you select.

Status Bar

The status bar, located at the bottom of each page, displays the fields below. In the Safe@Office 200 series, the status bar also displays the date and time.

Table 7: Status Bar Fields

This field…: Displays this…
Internet: Your Internet connection status. The connection status may be one of the following:
• Connected. The Safe@Office appliance is connected to the Internet.
• Not Connected. The Internet connection is down.
• Establishing Connection.
Service Center: Displays your subscription services status. Your Service Center may offer various subscription services. These include the firewall service and optional services such as Web Filtering and Email Antivirus. Your subscription services status may be one of the following:
• Not Subscribed. You are not subscribed to security services.
• Connection Failed. The Safe@Office appliance failed to connect to the Service Center.
• Connecting.

Logging off

Logging off terminates your administration session. Any subsequent attempt to connect to the Safe@Office Portal will require re-entering of the administration password.

To log off of the Safe@Office Portal
• Do one of the following:
If you are connected through HTTP, click Logout in the main menu. The Logout page appears.
If you are connected through HTTPS, the Logout option does not appear in the main menu. Close the browser window.
Chapter 4
Configuring the Internet Connection

This chapter describes how to configure and work with a Safe@Office Internet connection.

This chapter includes the following topics:
Overview
Using the Setup Wizard
Using Internet Setup

Using the Setup Wizard

The Setup Wizard allows you to configure your Safe@Office appliance for Internet connection quickly and easily through its user-friendly interface. It lets you choose between the following three types of broadband connection methods:
• Direct LAN Connection
• Cable Modem
• PPTP or PPPoE dialer
Note: The first time you log on to the Safe@Office Portal, the Setup Wizard starts automatically. In this case, you should skip to step 2 in the procedure below.

The Setup Wizard opens with the Welcome page displayed.
3. Click Next. The Internet Connection Method dialog box appears.
4. Select the Internet connection method you want to use for connecting to the Internet.
Note: If you selected PPTP or PPPoE dialer, do not use your dial-up software to connect to the Internet.
5. Click Next.

Using a Direct LAN Connection

No further settings are required for a direct LAN (Local Area Network) connection. The Confirmation screen appears.
1. Click Next. The system attempts to connect to the Internet via the selected connection. The Connecting… screen appears.

Using a Cable Modem Connection

If you selected the Cable Modem connection method, the Identification dialog box appears.
1. If your ISP requires a specific hostname for authentication, enter it in the Host Name field. The ISP will supply you with the proper hostname, if required. Most ISPs do not require a specific hostname.
2. A MAC address is a 12-digit identifier assigned to every network device.
If the ISP requires authentication using the MAC address of a different computer, enter the MAC address in the MAC cloning field.
3. Click Next. The Confirmation screen appears.
4. Click Next. The system attempts to connect to the Internet. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
5. Click Finish.
Note: Most xDSL providers use PPPoE. If you are uncertain regarding which connection method to use contact your xDSL provider.
2. Click Next.

Using PPPoE

If you selected the PPPoE connection method, the DSL Configuration dialog box appears.
1. Complete the fields using the information in the table below.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the DSL connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
4. Click Finish.

Table 8: PPPoE Connection Fields

In this field…: Do this…
Username: Type your user name.
Password: Type your password.
Confirm password: Type your password.
Service: Type your service name. This field can be left blank.

Using PPTP

If you selected the PPTP connection method, the DSL Configuration dialog box appears.
1. Complete the fields using the information in the table below.
2. Click Next. The Confirmation screen appears.
3. Click Next. The system attempts to connect to the Internet via the DSL connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears.
4. Click Finish.

Table 9: PPTP Connection Fields

In this field…: Do this…
Username: Type your user name.
Password: Type your password.
Confirm password: Type your password.
Service: Type your service name.
Server IP: Type the IP address of the PPTP modem.
Internal IP: Type the local IP address required for accessing the PPTP modem.
Subnet Mask: Type the subnet mask of the PPTP modem.
Using Internet Setup

Internet Setup allows you to manually configure your Internet connection.

To configure the Internet connection using Internet Setup
1. Click Network in the main menu, and click the Internet tab.
When using Safe@Office 110 or 225, the Internet page appears as follows:
2. If your ISP restricts connections to specific, recognized MAC addresses, clone a MAC address using the procedure Cloning a MAC Address on page 72.
3. Next to the Internet connection, click Edit. The Internet Setup page appears.
4. From the Connection Type drop-down list, select the Internet connection type you are using/intend to use. The display changes according to the connection type you selected.
The following steps should be performed in accordance with the connection type you have chosen.

Using a LAN Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 69.
If you cleared the Obtain IP address automatically (using DHCP) check box, the page appears as follows:
If you cleared the Obtain Domain Name Servers automatically check box, the page appears as follows:
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using a Cable Modem Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 69.
If you cleared the Obtain Domain Name Servers automatically check box, the page appears as follows:
2. Click Apply.
Using a PPPoE Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 69.
If you cleared the Obtain Domain Name Servers automatically check box, the page appears as follows:
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using a PPTP Connection
1. Complete the fields using the relevant information in Internet Setup Fields on page 69.
If you cleared the Obtain IP address automatically (using DHCP) check box, the page appears as follows:
If you cleared the Obtain Domain Name Servers automatically check box, the page appears as follows:
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using a Telstra (BPA) Connection

Use this Internet connection type only if you are subscribed to Telstra® BigPond™ Internet. Telstra BigPond is a trademark of Telstra Corporation Limited.
1. Complete the fields using the relevant information in Internet Setup Fields on page 69.
If you cleared the Obtain Domain Name Servers automatically check box, the page appears as follows:
2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.

Using No Connection

If you are using Safe@Office 110 or 225, and you do not have a secondary Internet connection, set the connection type to None.
• Click Apply.
In this field…: Do this…
Service: Type your service name. If your ISP has not provided you with a service name, leave this field empty.
MTU: The MTU field allows you to control the maximum transmission unit size. As a general recommendation you should leave this field empty. If however you wish to modify the default MTU, it is recommended that you consult with your ISP first and use MTU values between 1300 and 1500.
Obtain Domain Name Servers automatically: Clear this option if you want the Safe@Office appliance to obtain an IP address automatically using DHCP, but not to automatically configure DNS and WINS servers
IP Address: Type the static IP address of your Safe@Office appliance.
Subnet Mask: Select the subnet mask that applies to the static IP address of your Safe@Office appliance.
Default Gateway: Type the IP address of your ISP’s default gateway.

Cloning a MAC Address

A MAC address is a 12-digit identifier assigned to every network device. If your ISP restricts connections to specific, recognized MAC addresses, you must clone a MAC address.

To clone a MAC address
1. Click Network in the main menu, and click the Internet tab. The Internet page appears.
2. In the Cloned MAC address field, click Edit. The MAC Cloning page appears.
3. Do one of the following:
Click This Computer to automatically "clone" the MAC address of your computer to the Safe@Office appliance.
Or
If the ISP requires authentication using the MAC address of a different computer, enter the MAC address in the MAC cloning field.
4. Click Apply.
5. Click Back. The Internet page reappears with your computer’s MAC address displayed.
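
The 12 digits of a MAC address are hexadecimal, and the same address is commonly written with colons, hyphens or dots. The following is an added example, not part of the original guide or of the appliance's software: it normalizes a MAC address before it is typed into the MAC cloning field and flags values that cannot serve as a single device's address. The function names and the sample addresses are constructed for this example.

```python
"""Added example: sanity-check a MAC address before entering it for cloning."""
import re

# Separators commonly seen in written MAC addresses (colon, hyphen, dot, space).
_SEPARATORS = re.compile(r"[:\-.\s]")


def normalize_mac(text):
    """Return the address as lowercase 'aa:bb:cc:dd:ee:ff' or raise ValueError."""
    digits = _SEPARATORS.sub("", text.strip()).lower()
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError("a MAC address is exactly 12 hexadecimal digits")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(text):
    """True if the U/L bit is set, i.e. not a vendor-assigned address."""
    return bool(int(normalize_mac(text)[:2], 16) & 0x02)


def check_cloneable(text):
    """Return (normalized address, list of problems).

    An empty problem list means the value is a plausible unicast address
    for one network device.
    """
    mac = normalize_mac(text)
    first_octet = int(mac[:2], 16)
    problems = []
    if mac == "ff:ff:ff:ff:ff:ff":
        problems.append("broadcast address")
    elif first_octet & 0x01:
        # The lowest bit of the first octet marks a group (multicast) address.
        problems.append("multicast address")
    if mac == "00:00:00:00:00:00":
        problems.append("all-zero address")
    return mac, problems


if __name__ == "__main__":
    # Constructed sample inputs in several notations.
    for sample in ["00-0C-29-3E-5B-A1", "0011.2233.4455",
                   "01:00:5e:00:00:fb", "ff:ff:ff:ff:ff:ff"]:
        print(sample, "->", check_cloneable(sample))
```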
Viewing Internet Connection Information Table 11: Internet Page Fields Field Description Status Indicates the connection’s status. Duration Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where: hh=hours mm=minutes ss=seconds IP Address Your IP address. Enabled Indicates whether or not the connection is enabled. For further information, see Enabling/Disabling the Internet Connection on page 75 WAN MAC The Safe@Office appliance’s MAC address.
Enabling/Disabling the Internet Connection

You can temporarily disable an Internet connection. This is useful if, for example, you are going on vacation and do not want to leave your computer connected to the Internet. If you are using Safe@Office 110 or 225 and have two Internet connections, you can force the Safe@Office appliance to use a particular connection, by disabling the other connection.
Using Quick Internet Connection/Disconnection

By clicking the Connect or Disconnect button (depending on the connection status) on the Internet page, you can establish a quick Internet connection using the currently-selected connection type. In the same manner, you can terminate the active connection. The Internet connection retains its Connected/Not Connected status until the Safe@Office appliance is rebooted.
Configuring a Backup Internet Connection

For instructions, see Using Internet Setup on page 59.

Note: You can configure different DNS servers for the two connections. The Safe@Office appliance acts as a DNS relay and routes requests from computers within the network to the appropriate DNS server for the active Internet connection.

Important: The two connections can be of different types. However, they cannot both be LAN DHCP connections.
Chapter 5 Managing Your Network

This chapter describes how to manage and configure your network connection and settings.

This chapter includes the following topics:
Configuring Network Settings
Configuring High Availability
Using Static NAT
Using Static Routes
Configuring Network Settings

Note: When using a Safe@Office 200 series appliance, you can enable the DHCP server for a DMZ network.

To enable/disable the DHCP server
1. Click Network in the main menu, and click the My Network tab. The My Network page appears.
When using Safe@Office 110 and 225, the My Network page appears as follows:
2. In the DHCP Server list, select Enabled or Disabled.
3. Click Apply. A warning message appears.
4. Click OK. If you chose to disable the DHCP server, the DHCP server is disabled. If you chose to enable the DHCP server, it is enabled. A success message appears.
5.
Changing IP Addresses

If desired, you can change your Safe@Office appliance’s internal IP address. Using Safe@Office 110 or 225, you can also change the entire range of IP addresses in your internal network.
5. Click Apply. A warning message appears.
6. Click OK. The Safe@Office appliance's internal IP address and/or the internal network range are changed. A success message appears.
7. Do one of the following:
   If your computer is configured to obtain its IP address automatically (using DHCP), and the Safe@Office DHCP server is enabled, restart your computer. Your computer obtains an IP address in the new range.
To enable/disable Hide NAT
1. Click Network in the main menu, and click the My Network tab. The My Network page appears.
2. From the Hide NAT list, select Enabled or Disabled.
3. Click Apply. A warning message appears.
4. Click OK. If you chose to disable Hide NAT, it is disabled. If you chose to enable Hide NAT, it is enabled.
Configuring a DMZ Network using Safe@Office 110

Note: Computers in the DMZ network cannot obtain IP addresses using DHCP, and therefore must be assigned static IP addresses. For instructions, see TCP/IP Settings on page 28, on page 24. The default gateway for the DMZ computers should be specified as the Safe@Office DMZ IP address.

To configure a DMZ network
1. Connect the DMZ computers to any of the appliance's LAN ports.
2.
   b. Click OK. The default settings are restored.
8. Click Apply. A warning message appears.
9. Click OK. A success message appears.

Configuring a DMZ Network using Safe@Office 225

Note: If desired, you can enable the DHCP server for the DMZ network. The default gateway for the DMZ computers should be specified as the Safe@Office DMZ IP address.

To configure a DMZ network
1. Connect the DMZ computer to the DMZ port.
Note: The DMZ network must not overlap the LAN network.
6. In the DMZ Subnet Mask text box, type the DMZ’s internal network range.
7. To reset the network to its default settings, do the following:
   a. Click Default. A confirmation message appears.
   b. Click OK. The default settings are restored.
8. Click Apply. A warning message appears.
9. Click OK. A success message appears.
Configuring High Availability

gateway is running once again, it reclaims the virtual IP address and resumes its roles.

Before configuring High Availability, the following requirements must be met:
• You must have two identical Safe@Office 225 appliances.
• The Safe@Office appliances must have identical firmware versions and firewall rules.
• The Safe@Office appliances must have different LAN and DMZ IP addresses, and they must be located on the same subnet.
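The requirements above, together with the rule that the DMZ network must not overlap the LAN network, can be checked before the two appliances are paired. The following is an added example, not part of the original guide or of the appliance's software; the dictionary layout, the names and every sample value are assumptions constructed for illustration.

```python
"""Pre-flight check for the High Availability and DMZ requirements in this guide.

Added example: the configuration layout is hypothetical (it is not an export
format of the appliance) and all sample values are constructed.
"""
from ipaddress import ip_interface

REQUIRED_MODEL = "225"  # the guide requires two identical Safe@Office 225 appliances


def check_appliance(cfg):
    """Problems inside one appliance: the DMZ network must not overlap the LAN."""
    lan = ip_interface(cfg["lan"]).network
    dmz = ip_interface(cfg["dmz"]).network
    if lan.overlaps(dmz):
        return [f"{cfg['name']}: DMZ network {dmz} overlaps LAN network {lan}"]
    return []


def check_ha_pair(master, backup):
    """Return a list of violated requirements; an empty list means the pair passes."""
    problems = check_appliance(master) + check_appliance(backup)
    for cfg in (master, backup):
        if cfg["model"] != REQUIRED_MODEL:
            problems.append(f"{cfg['name']}: model {cfg['model']} is not {REQUIRED_MODEL}")
    if master["firmware"] != backup["firmware"]:
        problems.append("firmware versions differ")
    if master["rules"] != backup["rules"]:
        problems.append("firewall rules differ")
    # LAN and DMZ addresses must differ between the appliances but share a subnet.
    for side in ("lan", "dmz"):
        m, b = ip_interface(master[side]), ip_interface(backup[side])
        if m.ip == b.ip:
            problems.append(f"{side.upper()} IP address {m.ip} is used by both appliances")
        if m.network != b.network:
            problems.append(
                f"{side.upper()} addresses are on different subnets: {m.network} and {b.network}"
            )
    return problems


# Constructed sample configurations (addresses, version and rule are made up).
MASTER = {
    "name": "master",
    "model": "225",
    "firmware": "4.0.0",
    "rules": [("Allow and Forward", "HTTP", "192.168.10.20")],
    "lan": "192.168.10.1/24",
    "dmz": "192.168.253.1/24",
}
BACKUP_OK = dict(MASTER, name="backup", lan="192.168.10.2/24", dmz="192.168.253.2/24")
# Same LAN IP as the master, older firmware, and a DMZ carved out of the LAN range.
BACKUP_BAD = dict(
    MASTER, name="backup", firmware="3.9.9", lan="192.168.10.1/24", dmz="192.168.10.130/25"
)

if __name__ == "__main__":
    for label, backup in (("good pair", BACKUP_OK), ("bad pair", BACKUP_BAD)):
        print(label)
        for problem in check_ha_pair(MASTER, backup) or ["no problems found"]:
            print("  -", problem)
```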
To configure High Availability
1. In the Master Safe@Office appliance, do the following:
   a. Set the appliance’s internal IP address. For further information, see Changing IP Addresses on page 82.
   b. Configure the LAN network range. For further information, see Changing IP Addresses on page 82.
   c. Click Network in the main menu, and click the High Availability tab. The High Availability page appears.
   d.
2. In the Backup appliance, do the following:
   a. Set the appliance’s internal IP address. For further information, see Changing IP Addresses on page 82. The internal IP address must differ from the Master appliance’s internal IP address.
   b. Configure the LAN network range to the same range you configured in the Master appliance. For further information, see Changing IP Addresses on page 82.
   c. Click Network in the main menu, and click the High Availability tab.
Using Static NAT

Static NAT (or One-to-One NAT) allows the mapping of Internet IP addresses or address ranges to hosts inside the internal network. This is useful if you want a computer in your private network to have its own Internet IP address. For example, if you have both a mail server and a Web server in your network, you can map each one to a separate Internet IP address. Static NAT rules do not imply any security rules.
Adding and Editing Static NAT Mappings

To add or edit a static NAT mapping
1. Click Network in the main menu, and click the Static NAT tab. The Static NAT page appears.
2. Do one of the following:
   To add a new Static NAT mapping, click New.
   To edit an existing Static NAT mapping, click Edit.
   The Static NAT wizard opens, with the Static NAT Mapping dialog box displayed.
3. Complete the fields using the information in the table below.
4. Click Next.
   The Static NAT Mapping Updated dialog box is displayed.
5. Click Finish. If you added a new mapping, it appears in the Static NAT page.
Table 12: Static NAT Fields
In this field… | Do this…
Map this WAN IP | Click this option to map an Internet IP address to a local computer. You must then fill in the Map this WAN IP and To this Internal IP fields.
Map this WAN IP | Type the desired Internet IP address.
To this Internal IP | Type the IP address of the local computer, or click This Computer to specify your computer.
Viewing and Deleting Static NAT Mappings

To view static NAT mappings
1. Click Network in the main menu, and click the Static NAT tab. The Static NAT page appears with a list of existing static NAT mappings.
2. To delete a static NAT mapping, do the following:
   a. In the desired static NAT mapping row, click the Delete icon. A confirmation message appears.
   b. Click OK. The mapping is deleted.
Using Static Routes

Adding a Static Route

To add a static route
1. Click Network in the main menu, and click the Static Routes tab. The Static Routes page appears, with a listing of existing static routes.
2. Click New Route.
   The Edit Route page appears.
3. Complete the fields using the information in Edit Route Page Fields on page 98.
4. Click Apply. The new static route is saved.

Table 13: Edit Route Page Fields
In this field… | Do this…
Destination Network | Type the network address of the destination network.
Subnet Mask | Select the subnet mask.
Gateway IP | Type the IP address of the gateway (next hop router) to which to route the packets destined for this network.
In this field… | Do this…
Metric | Type the static route's metric. The gateway sends a packet to the route that matches the packet's destination and has the lowest metric.

Viewing and Editing Static Routes

To edit a static route
1. Click Network in the main menu, and click the Static Routes tab. The Static Routes page appears, with a listing of existing static routes.
2. To edit the route details, do the following:
   a. In the desired route row, click Edit.
Deleting a Static Route

Note: The “default” route cannot be deleted.

To delete a static route
1. Click Network in the main menu, and click the Static Routes tab. The Static Routes page appears, with a listing of existing static routes.
2. In the desired route row, click the Delete icon. A confirmation message appears.
3. Click OK. The route is deleted.
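The Metric field in Table 13 decides which of several matching routes carries a packet, so a broad route with a low metric can silently take traffic away from a narrower route. The following added example, which is not code from the guide or the appliance, applies the rule as the guide states it and lists routes that can never be chosen; the route values are constructed, and breaking ties between equal metrics by the most specific prefix is an assumption, because the guide does not describe tie-breaking.

```python
"""Static-route selection as Table 13 states it, plus a shadowed-route audit.

Added example: route values are constructed; the tie-break between equal
metrics (most specific prefix wins) is an assumption.
"""
from ipaddress import ip_address, ip_network


def parse_route(destination, mask, gateway, metric):
    """Build a route from the Edit Route page fields.

    ip_network() raises ValueError when the destination has host bits set,
    that is, when it is not a network address for the chosen subnet mask.
    """
    return {
        "net": ip_network(f"{destination}/{mask}"),
        "gateway": ip_address(gateway),
        "metric": int(metric),
    }


def select_route(routes, destination):
    """Among routes matching the destination, return the one with the lowest metric."""
    ip = ip_address(destination)
    matching = [r for r in routes if ip in r["net"]]
    if not matching:
        return None
    return min(matching, key=lambda r: (r["metric"], -r["net"].prefixlen))


def shadowed_routes(routes):
    """Return (route, covering_route) pairs where the route can never be selected.

    A route is shadowed when another route covers its whole network and has a
    strictly lower metric: every packet matching it also matches the other.
    """
    shadowed = []
    for route in routes:
        for other in routes:
            if (
                other is not route
                and route["net"].subnet_of(other["net"])
                and other["metric"] < route["metric"]
            ):
                shadowed.append((route, other))
                break
    return shadowed


# Constructed routing table: destination network, subnet mask, gateway IP, metric.
ROUTES = [
    parse_route("0.0.0.0", "0.0.0.0", "203.0.113.1", 100),          # default route
    parse_route("10.20.0.0", "255.255.0.0", "192.168.10.254", 10),
    parse_route("10.20.30.0", "255.255.255.0", "192.168.10.253", 50),
]

if __name__ == "__main__":
    for dst in ("10.20.30.7", "10.20.1.1", "198.51.100.9"):
        chosen = select_route(ROUTES, dst)
        print(f"{dst} -> via {chosen['gateway']} ({chosen['net']}, metric {chosen['metric']})")
    for route, cover in shadowed_routes(ROUTES):
        print(f"{route['net']} (metric {route['metric']}) is shadowed by "
              f"{cover['net']} (metric {cover['metric']})")
```

In the sample table the route to 10.20.30.0/24 is never used, because the 10.20.0.0/16 route matches the same packets with a lower metric.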
Chapter 6 Viewing Reports

This chapter describes the Safe@Office Portal reports.

This chapter includes the following topics:
Viewing the Event Log
Viewing Computers
Viewing Connections
Viewing the Event Log

An event marked in this color… | Indicates…
Orange | Connection attempts that were blocked by your custom security rules.
Green | Traffic accepted by the firewall. By default, accepted traffic is not logged. However, such traffic may be logged if specified by a security policy downloaded from your Service Center.

The logs detail the date and the time the event occurred, and its type.
To view the event log
• Click Reports in the main menu, and click the Event Log tab. The Event Log page appears.

You can do any of the following:
Click the Refresh button to refresh the display.
Click the Clear button to clear all events.
If an event is highlighted in red, indicating a blocked attack on your network, you can display the attacker’s details, by clicking on the IP address of the attacking machine.
Viewing Computers

This option allows you to view the currently active computers on your network. The active computers are graphically displayed, each with its name, IP address, and settings (DHCP, Static, etc.). You can also view node limit information.

To view the active computers
1. Click Reports in the main menu, and click the Active Computers tab. The Active Computers page appears. If you configured High Availability, both the master and backup appliances are shown.
Note: Computers that did not communicate through the firewall are not counted for node limit purposes, even though they are protected by the firewall.

Note: To increase the number of computers allowed by your license, you must upgrade your product. For further information, see Upgrading Your Software Product on page 197.

If desired, you can click the Refresh button to refresh the display.
2. To view node limit information, do the following:
   a. Click Node Limit.
Viewing Connections

This option allows you to view the currently active connections between your network and the external world. The active connections are displayed as a list, specifying source IP address, destination IP address and port, and the protocol used (TCP, UDP, etc.).

To view the active connections
• Click Reports in the main menu, and click the Active Connections tab. The Active Connections page appears.
Chapter 7 Setting Your Security Policy

This chapter describes how to set up your Safe@Office appliance security policy. You can enhance your security policy by subscribing to services such as Web Filtering and E-mail Antivirus scanning. For information on these services and the subscription process, see Using Subscription Services on page 123.

This chapter includes the following topics:
Setting the Firewall Security Level
Setting the Firewall Security Level

Table 15: Firewall Security Levels
This level… | Does this… | Further Details
Low | Enforces basic control on incoming connections, while permitting all outgoing connections. | All inbound traffic is blocked to the external Safe@Office appliance IP address, except for ICMP echoes ("pings"). All outbound connections are allowed.
Medium | Enforces strict control on all incoming connections, while permitting safe outgoing connections.
This level… | Does this… | Further Details
High | Enforces strict control on all incoming and outgoing connections. | All inbound traffic is blocked. Restricts all outbound traffic except for the following: Web traffic (HTTP, HTTPS), email (IMAP, POP3, SMTP), ftp, newsgroups, Telnet, DNS, IPSEC IKE and VPN traffic.

Note: The definitions of firewall security levels provided in this table represent the Safe@Office appliance’s default security policy.
2. Drag the security lever to the desired level. The Safe@Office appliance security level changes accordingly.

Configuring Servers

Note: If you do not intend to host any public Internet servers (Web Server, Mail Server etc.) in your network, you can skip this section.

Using the Safe@Office Portal, you can selectively allow incoming network connections into your network. For example, you can set up your own Web server, Mail server or FTP server.
To allow a service to be run on a specific host
1. Click Security in the main menu, and click the Servers tab. The Servers page appears, displaying a list of services and a host IP address for each allowed service.
2. Complete the fields using the information in the table below.
3. Click Apply. A success message appears, and the selected computer is allowed to run the desired service or application.
In this column… | Do this…
Host IP | Type the IP address of the computer that will run the service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service.

To stop the forwarding of a service to a specific host
1. Click Security in the main menu, and click the Servers tab. The Servers page appears, displaying a list of services and a host IP address for each allowed service.
2.
Creating Rules

Adding and Editing Rules

Rules provide you with greater flexibility in defining and customizing your security policy. The following rule types exist:

Table 17: Firewall Rule Types
Rule | Description
Allow and Forward | This rule type enables you to do the following:
• Permit incoming access from the Internet to a specific service in your internal network.
• Forward all such connections to a specific computer in your network.
Rule | Description
Allow | This rule type enables you to do the following:
• Permit outgoing access from your internal network to a specific service on the Internet. Note: You can allow outgoing connections for services that are not permitted by the default security policy.
• Permit incoming access from the Internet to a specific service in your internal network. Note: You cannot use an Allow rule to permit incoming traffic, if the network or VPN uses Hide NAT.
   The Rules page appears.
2. Click Add Rule.
   The Firewall Rule wizard opens, with the Step 1: Rule Type dialog box displayed.
   If you are using Safe@Office 110 or 225 the page appears as follows:
3. Select the type of rule you want to create.
4. Click Next.
   The Step 2: Service dialog box appears.
   The example below shows an Allow and Forward rule.
5. Complete the fields using the relevant information in the table below.
6. Click Next.
   The Step 3: Destination and Source dialog box appears.
7. Complete the fields using the relevant information in Table 16.
   The Step 4: Done dialog box appears.
8. Click Finish. The new rule appears in the Firewall Rules page.

Table 18: Firewall Rule Fields
In this field… | Do this…
Any Service | Click this option to specify that the rule should apply to any service.
Standard Service | Click this option to specify that the rule should apply to a specific standard service. You must then select the desired service from the drop-down list.
In this field… | Do this…
Custom Service | Click this option to specify that the rule should apply to a specific non-standard service. The Protocol and Port Range fields are enabled. You must fill them in.
Protocol | Select the protocol (ESP, GRE, TCP, UDP or ANY) for which the rule should apply.
Ports | To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box.
Deleting Rules

To delete an existing rule
1. Click Security in the main menu, and click the Rules tab. The Rules page appears.
2. Click the icon of the rule you wish to delete. A confirmation message appears.
3. Click OK. The rule is deleted.

Defining an Exposed Host

The Safe@Office appliance allows you to define an exposed host, which is a computer that is not protected by the firewall. This is useful for setting up a public server.
To define a computer as an exposed host
1. Click Security in the main menu, and click the Exposed Host tab. The Exposed Host page appears.
2. In the Exposed Host text box, type the IP address of the computer you wish to define as an exposed host. Alternatively, you can click This Computer to define your computer as the exposed host.
3. Click Apply. The selected computer is now defined as an exposed host.
Chapter 8 Using Subscription Services

This chapter explains how to start and use subscription services, such as automatic software and security policy updates, content filtering, email virus scanning, and remote logging.

Note: Check with your reseller regarding availability of subscription services, or surf to www.sofaware.com/servicecenters to locate your nearest Service Center.

This chapter includes the following topics:
Connecting to a Service Center
Connecting to a Service Center

   The Account page appears.
2. In the Service Account area, click Connect.
   The Setup Wizard opens, with the Subscription Services dialog box displayed.
3. Make sure the I wish to connect to a Service Center check box is selected.
4. Do one of the following:
   To connect to the SofaWare Service Center, select usercenter.sofaware.com.
   To specify a Service Center, do the following:
   1) Select Specified.
   2) In the Specified text box, enter the desired Service Center’s IP address, as given to you by your system administrator.
5. Click Next.
   If the Service Center requires authentication, the Service Center Login dialog box appears. Do the following:
   1) Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider.
   2) Click Next.
   The Connecting… screen appears.
   The Confirmation dialog box appears with a list of services to which you are subscribed.
6. Click Next.
   The Done screen appears with a success message.
7. Click Finish.
   The following things happen:
   If a new firmware is available, the Safe@Office appliance may start downloading it. This may take several minutes. Once the download is complete, the Safe@Office appliance restarts using the new firmware.
   The Welcome page appears.
   The services to which you are subscribed are now available on your Safe@Office appliance and listed as such on the Account page. See Viewing Services Information on page 130 for further information.
   The Services submenu includes the services to which you are subscribed.
Viewing Services Information

The Account page displays the following information about your subscription.

Table 19: Account Page Fields
This field… | Displays…
Service Center Name | The name of the Service Center to which you are connected (if known).
Subscription will end on | The date on which your subscription to services will end.
Service | The services available in your service plan.
Refreshing Your Service Center Connection

This option restarts your Safe@Office appliance’s connection to the Service Center and refreshes your Safe@Office appliance’s service settings.

To refresh your Service Center connection
1. Click Services in the main menu, and click the Account tab. The Account page appears.
2. In the Service Account area, click Refresh. The Safe@Office appliance reconnects to the Service Center. Your service settings are refreshed.
   Your Service Center Web site opens.
3. Follow the on-screen instructions.

Disconnecting from Your Service Center

If desired, you can disconnect from your Service Center.

To disconnect from your Service Center
1. Click Services in the main menu, and click the Account tab. The Account page appears.
2. In the Service Account area, click Connect. The Setup Wizard opens, with the first Subscription Services dialog box displayed.
3.
Web Filtering

When enabled, access to Web content is restricted according to the categories specified under ‘Allow Categories’. Adult users will be able to view Web pages with no restrictions, only after they have provided the administrator password via the Web Filtering pop-up window.

Enabling/Disabling Web Filtering

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable/disable Web Filtering
1.
Selecting Categories for Blocking

You can define which types of Web sites should be considered appropriate for your family or office members, by selecting the categories. Categories marked with [icon] will remain visible, while categories marked with [icon] will be blocked and will require the administrator password for viewing.

Note: If you are remotely managed, contact your Service Center to change these settings.

To allow/block a category
1.
   The Snooze button changes to Resume.
   The Web Filtering Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page. The service is re-enabled for all internal network computers.
   If you clicked Resume in the Web Filtering page, the button changes to Snooze.
   If you clicked Resume in the Web Filtering Off popup window, the popup window closes.
Virus Scanning

Enabling this option will result in automatic scanning of your email for the detection and elimination of all known viruses and vandals.

Enabling/Disabling Email Antivirus

Note: If you are remotely managed, contact your Service Center to change these settings.

To enable/disable Email Antivirus
1. Click Services in the main menu, and click the Email Antivirus tab. The Email Antivirus page appears.
2. Drag the On/Off lever upwards or downwards.
Selecting Protocols for Scanning

If you are locally managed, you can define which protocols should be scanned for viruses:
• Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned.
• Email sending (SMTP). If enabled, all outgoing email will be scanned.

Protocols marked with [icon] will be scanned, while those marked with [icon] will not.

Note: If you are remotely managed, contact your Service Center to change these settings.
   Email Antivirus is temporarily disabled for all internal network computers.
   The Snooze button changes to Resume.
   The Email Antivirus Off popup window opens.
3. To re-enable the service, click Resume, either in the popup window, or on the Email Antivirus page. The service is re-enabled for all internal network computers.
   If you clicked Resume in the Email Antivirus page, the button changes to Snooze.
   If you clicked Resume in the Email Antivirus Off popup window, the popup window closes.

Automatic and Manual Updates

If you are subscribed to Software Updates, you can check for new security and software updates.

Checking for Software Updates when Locally Managed

If your Safe@Office appliance is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates must be checked for manually.
2. To set the Safe@Office appliance to automatically check for and install new software updates, drag the Automatic/Manual lever upwards. The Safe@Office appliance checks for new updates and installs them according to its schedule.
   Note: When the Software Updates service is set to Automatic, you can still manually check for updates.
3. To set the Safe@Office appliance so that software updates must be checked for manually, drag the Automatic/Manual lever downwards.
   The Software Updates page appears.
2. Click Update Now. The system checks for new updates and installs them.
Chapter 9 Working With VPNs

This chapter describes how to use your Safe@Office appliance as a VPN client, server, or gateway.

This chapter includes the following topics:
Overview
Setting Up Your Safe@Office Appliance as a VPN Server
Adding and Editing VPN Sites
Deleting a VPN Site
Overview

Note: This chapter explains how to define a VPN locally. However, if your appliance is centrally managed by a Service Center, then the Service Center can automatically deploy VPN configuration for your appliance.

Figure 7: Typical Office VPN

Safe@Office 105 acts as a VPN server for one user, allowing a single remote employee to securely work from home or on the road. Safe@Office 110 and 225 provide full VPN functionality.
Setting Up Your Safe@Office Appliance as a VPN Server

You can make your network remotely available to authorized users by setting up your Safe@Office appliance as a VPN server. Remote access users can connect to the VPN server via Check Point SecuRemote or a Safe@Office appliance in Remote Access VPN mode.

Note: The Check Point SecuRemote VPN client can be downloaded for free from http://www.checkpoint.com/techsupport/downloads_sr.
3. To allow authenticated users to access your internal network without restriction and bypass NAT, select Unrestricted Access.
4. Follow the procedure Setting Up Remote VPN Access for Users on page 188.

Note: Disabling the VPN server will cause all existing VPN tunnels to disconnect.
Adding and Editing VPN Sites

To add or edit VPN sites
1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears with a list of VPN sites.
2. Do one of the following:
   To add a VPN site, click New Site.
   To edit a VPN site, click Edit in the desired VPN site’s row.
   The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.
3. Do one of the following:
   Select Remote Access VPN to establish remote access from your VPN client to a VPN server or gateway.
   Select PPPoE to create a non-encrypted connection to a PPPoE server.
4. Click Next.

Configuring a Remote Access VPN Site

If you selected Remote Access VPN, the VPN Gateway Address dialog box appears.
1. Enter the IP address of the VPN gateway to which you want to connect, as given to you by the network administrator.
2. Click Next.
   The VPN Network Configuration dialog box appears.
3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 155.
4. Click Next.
   If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Do the following:
   1) Complete the fields using the information in VPN Network Configuration Fields on page 155.
   2) Click Next.
   The VPN Login dialog box appears.
5. Complete the fields using the information in VPN Login Fields on page 154.
6. Click Next.
   The Site Name dialog box appears.
7. Enter a name for the VPN site. You may choose any name.
8. Click Next.
   The VPN Site Created screen appears.
9. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
Table 20: VPN Login Fields
In this field… | Do this…
Manual Login | Click this option to configure the site for Manual Login. Manual Login connects only the computer you are currently logged onto to the VPN site, and only when the appropriate user name and password have been entered. For further information on Automatic and Manual Login, see Logging on to a VPN Site on page 168.
Table 21: VPN Network Configuration Fields
In this field… | Do this…
Download Configuration | Click this option to obtain the network configuration by downloading it from the VPN site. This option will automatically configure your VPN settings, by downloading the network topology definition from the VPN server. Note: Downloading the network configuration is only possible if you are connecting to a Check Point VPN1 or Safe@Office VPN gateway.
In this field… | Do this…
Subnet mask | Select the subnet masks for the destination network addresses. Note: Obtain the destination networks and subnet masks from the VPN gateway’s system administrator.
Backup Gateway | Type the name of the VPN gateway to use if the primary VPN gateway fails.

Configuring a Site-to-Site VPN Gateway

If you selected Site to Site VPN, the VPN Gateway Address dialog box appears.
1.
2. To allow the VPN site to access your internal network without restriction and bypass NAT, select Unrestricted Access.
3. Click Next.
   The Resolving… screen appears.
   The VPN Network Configuration dialog box appears.
4. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 155.
5. Click Next.
   If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Do the following:
   1) Complete the fields using the information in VPN Network Configuration Fields on page 155.
   2) Click Next.
   The Authentication dialog box appears.
   If you chose Download Configuration, the dialog box appears as follows:
6. Complete the fields using the table below.
7. Click Next.
   The Connect dialog box appears.
8. If you don’t want to try to connect to the VPN gateway, clear the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection.
   Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.
9. Click Next.
   If you selected Try to Connect to the VPN Gateway, the following things happen:
   The Connecting… screen appears.
Adding and Editing VPN Sites The Site Name dialog box appears. 10. Enter a name for the VPN site. You may choose any name. 11. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive. 12. Click Next. The VPN Site Created screen appears. 13. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list.
Table 22: VPN Authentication Fields
In this field… Do this…
Topology User: Type the topology user’s user name.
Topology Password: Type the topology user’s password.
Use Shared Secret: Select this option to use a shared secret for VPN authentication. If you select this option, you must fill in the Shared Secret field.
Shared Secret: Type the shared secret to use for secure communications with the VPN site.
Creating a PPPoE Tunnel
If you selected PPPoE, the VPN Network Configuration dialog box appears.
1. Complete the fields using the information in VPN Network Configuration Fields on page 155.
2. Click Next.
The PPPoE Login page appears.
3. Complete the fields using the information in the table below.
4. Click Next.
The Site Name dialog box appears.
5. Enter a name for the VPN site. You may choose any name.
6. Click Next.
The VPN Site Created screen appears.
7. Click Finish.
The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
Table 23: PPPoE Login Fields
In this field… Do this…
User: The PPPoE username.
Password: The PPPoE password.
Service: The service name configured in the PPPoE server. You only need to fill in this field if there is more than one PPPoE server in the WAN network. Note: If you do not fill in this field, the first PPPoE server found is used.
Deleting a VPN Site
To delete a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
Enabling/Disabling a VPN Site
You can only connect to VPN sites that are enabled.
To enable/disable a VPN site
1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears, with a list of VPN sites.
2. To enable a VPN site, do the following:
a. Click the icon in the desired VPN site’s row. A confirmation message appears.
b. Click OK. The icon changes to , and the VPN site is enabled.
3.
Logging on to a VPN Site
You need to manually log on to Remote Access VPN sites configured for Manual Login. You do not need to manually log on to a Remote Access VPN site configured for Automatic Login or a Site-to-Site VPN gateway: all the computers on your network have constant access to it.
Manual Login can be done through either the Safe@Office Portal or the my.vpn page. When you log on and traffic is sent to the VPN site, a VPN tunnel is established.
The VPN Login page appears.
2. From the Site Name list, select the site to which you want to log on. Note: Disabled VPN sites will not appear in the Site list.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
If the Safe@Office appliance is configured to automatically download the network configuration, the Safe@Office appliance downloads the network configuration.
Once the Safe@Office appliance has finished connecting, the VPN Login Status box appears. The Status field displays “Connected”. The VPN Login Status box remains open until you manually log off the VPN site.
Logging on through the my.vpn page
Note: You don’t need to know the my.firewall page administrator’s password in order to use the my.vpn page.
To manually log on to a VPN site through the my.vpn page
1. Direct your web browser to http://my.
The VPN Login screen appears.
2. In the Site Name list, select the site to which you want to log on.
3. Enter your user name and password in the appropriate fields.
4. Click Login.
If the Safe@Office appliance is configured to automatically download the network configuration, the Safe@Office appliance downloads the network configuration.
If, when adding the VPN site, you specified a network configuration, the Safe@Office appliance attempts to create a tunnel to the VPN site.
Logging off a VPN Site
You need to manually log off a VPN site if the VPN site is a Remote Access VPN site configured for Manual Login.
To log off a VPN site
• In the VPN Login Status box, click Logout.
All open tunnels from the Safe@Office appliance to the VPN site are closed, and the VPN Login Status box closes.
Note: Closing the browser or dismissing the VPN Login Status box will also terminate the VPN session within a short time.
Installing a Certificate
Note: To use certificate authentication, each Safe@Office appliance should have a unique certificate. Do not use the same certificate for more than one gateway.
If you do not have a PKCS#12 file, obtain one from your network security administrator.
To install a certificate
1. Click VPN in the main menu, and click the Certificate tab.
The Certificate page appears, with instructions on how to install the certificate.
2. Click Install Certificate.
A Certificate page appears as follows:
3. Click Browse to open a file browser from which to locate and select the file.
The filename that you selected is displayed.
4. Click Upload.
You are requested to enter the pass-phrase.
5. Type the pass-phrase you received from the network security administrator.
6. Click OK.
The certificate is installed. A success message appears.
7. Click OK.
The name of the CA that issued the certificate and the name of the gateway to which this certificate was issued appear.
Uninstalling a Certificate
You cannot uninstall the certificate if there is a VPN site currently defined to use certificate authentication.
• Install Certificate: Allows you to install a new certificate. The current certificate will be replaced.
• Uninstall Certificate: Allows you to uninstall the current certificate. Afterwards, no certificate exists on the Safe@Office appliance, and you will not be able to connect to the VPN if a certificate is still required.
To uninstall a certificate
1. Click VPN in the main menu, and click the Certificate tab.
Viewing VPN Tunnels
Note: Although the VPN tunnel is automatically closed, the site remains open, and if you attempt to communicate with the site, the tunnel will be reestablished.
• Remote Access VPN sites configured for Manual Login: A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site, after you have manually logged on to the site. All open tunnels connecting to the site are closed when you manually log off.
Table 24: VPN Tunnels Page Fields
This field… Displays…
The Safe@Office appliance Internet IP address.
The security protocol (IPSec), the type of encryption used to secure the connection, and the type of Message Authentication Code (MAC) used to verify the integrity of the message. This information is presented in the following format: Security protocol: Encryption type/Authentication type
Note: All VPN settings are automatically negotiated between the two sites.
Duration: The time at which the tunnel was established.
Chapter 10 Managing Users
This chapter describes how to manage Safe@Office appliance users. In Safe@Office 105, there is a single user called "admin", whose password can be changed; in Safe@Office 110 and 225, you can define multiple users and assign them various permissions.
This chapter includes the following topics:
Changing Your Password
Adding Users
Changing Your Password
The Password page appears.
2. Edit the Password and Confirm password fields. Note: Use 5 to 25 characters (letters or numbers) for the new password.
3. Click Apply.
Your changes are saved.
Using Safe@Office 110 and 225
To change your password
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. In the row of your username, click Edit.
The Edit User page appears.
3. Edit the Password and Confirm password fields. Note: Use 5 to 25 characters (letters or numbers) for the new password.
4. Click Apply.
Your changes are saved.
Adding Users
To add a user
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. Click New User.
The Edit User page appears. The options that appear on the page are dependent on the software and services you are using.
3. Complete the fields using the information in Edit User Page Fields on page 186.
4. Click Apply.
The new user is saved. The Edit User page appears.
Viewing and Editing Users
To view or edit users
1. Click Users in the main menu, and click the Internal Users tab.
The Internal Users page appears.
2. In the desired user’s row, click Edit.
The Edit User page appears with the user’s details.
Table 25: Edit User Page Fields
In this field… Do this…
Username: Enter a username for the user. You cannot change the “admin” user’s username.
Password: Enter a password for the user. Use five to 25 characters (letters or numbers) for the new password.
Confirm Password: Re-enter the user’s password.
Administrator Level: Select the user’s level of access to the Safe@Office Portal.
In this field… Do this…
VPN Remote Access: Select this option to allow the user to connect to this Safe@Office appliance using their VPN client. For further information on setting up VPN remote access, see Setting Up Remote VPN Access for Users on page 188. This option only appears in Safe@Office 110 and 225.
Web Filtering Override: Select this option to allow the user to override Web Filtering. This option only appears if the Web Filtering service is defined.
Deleting Users
2. In the desired user’s row, click the Delete icon.
A confirmation message appears.
3. Click OK.
The user is deleted.
Setting Up Remote VPN Access for Users
If you are using your Safe@Office appliance as a VPN server, you can allow users to access it remotely through their VPN clients (a Check Point SecureClient, Check Point SecuRemote, or another Embedded NG appliance).
To set up remote VPN access for a user
1.
Using RADIUS Authentication
You can use RADIUS to authenticate both Safe@Office appliance users and VPN clients trying to connect to the Safe@Office appliance. When a user accesses the Safe@Office Portal and tries to log on, the Safe@Office appliance sends the entered user name and password to the RADIUS server. The server then checks whether the RADIUS database contains a matching user name and password pair. If so, then the user is logged on.
To use RADIUS authentication
1.
Table 26: RADIUS Page Fields
In this field… Do this…
Address: Type the IP address of the computer that will run the RADIUS service (one of your network computers) or click the corresponding This Computer button to allow your computer to host the service. To clear the text box, click Clear.
Port: Type the port number on the RADIUS server’s host computer. To reset this field to the default (port 1812), click Default.
In this field… Do this…
Administrator Level: Select the level of access to the Safe@Office Portal to assign to all users authenticated by the RADIUS server. The levels are:
• No Access: The user cannot access the Safe@Office Portal.
• Read/Write: The user can log on to the Safe@Office Portal and modify system settings.
• Read Only: The user can log on to the Safe@Office Portal, but cannot modify system settings.
The default level is No Access.
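The exchange described above, as an added example (not taken from the guide and not Check Point or SofaWare code): a minimal RFC 2865 Access-Request and reply in Python, showing that the password travels XOR-masked with a key derived from a shared secret and that the reply is authenticated with the same secret. The shared secret, user names and passwords are constructed sample values, and this page does not document which attributes the appliance itself sends.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                         # RFC 2865 attribute types


def _xor_chain(data, secret, authenticator, hiding):
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block) (RFC 2865, 5.2)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if hiding else block  # the ciphertext block, in both directions
    return out


def hide_password(password, secret, authenticator):
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hiding=True)


def reveal_password(hidden, secret, authenticator):
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, identifier, authenticator=None):
    """Client side: the request a device sends to the RADIUS port (default 1812)."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet, secret):
    """Server side: validate lengths, then recover the user name and password."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, fields = packet[4:20], 20, {"id": identifier}
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attr_type, value = packet[pos], packet[pos + 2:pos + packet[pos + 1]]
        if attr_type == USER_NAME:
            fields["username"] = value.decode()
        elif attr_type == USER_PASSWORD:
            fields["password"] = reveal_password(value, secret, authenticator)
        pos += packet[pos + 1]
    return fields


def build_reply(request, secret, users):
    """Server side: Access-Accept only for a matching user name and password pair."""
    fields = parse_access_request(request, secret)
    expected = users.get(fields.get("username", ""), "").encode()
    supplied = fields.get("password", b"")
    ok = bool(expected) and hmac.compare_digest(supplied, expected)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, fields["id"], 20)
    # Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_reply(reply, request, secret):
    """Client side: reject replies not produced by a holder of the shared secret."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(reply[4:20], expected)


# Constructed sample data, not values from the guide or from any real deployment.
SECRET = b"constructed-shared-secret"
USERS = {"alice": "s3cretpw"}

if __name__ == "__main__":
    request = build_access_request("alice", "s3cretpw", SECRET, identifier=7)
    reply = build_reply(request, SECRET, USERS)
    print("request:", request.hex())
    print("reply code:", reply[0], "authentic:", verify_reply(reply, request, SECRET))
```

Because the masking is keyed only by the shared secret, a long random secret and a RADIUS server on a trusted network segment matter as much as the user passwords themselves.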
Chapter 11 Maintenance
This chapter describes the tasks required for maintenance and diagnosis of your Safe@Office appliance.
This chapter includes the following topics:
Viewing Firmware Status
Updating the Firmware
Upgrading Your Software Product
Viewing Firmware Status
To view the firmware status
• Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears. The Firmware page displays the following information:
Table 27: Firmware Status Fields
This field… Displays… For example…
Firmware Version The current version of the 4.
This field… Displays… For example…
Installed Product: The licensed software and the number of allowed nodes. For example: Safe@Office 225 unlimited nodes
Uptime: The time that elapsed from the moment the unit was turned on. For example: 01:21:15
Updating the Firmware
If you are subscribed to Software Updates, firmware updates are performed automatically. These updates include new product features and protection against new security threats.
The Firmware Update page appears.
3. Click Browse.
A browse window appears.
4. Select the image file and click Open.
The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box.
5. Click Upload.
Your Safe@Office appliance firmware is updated. This takes about one minute. At the end of the process the Safe@Office appliance restarts automatically.
Upgrading Your Software Product
Upgrading your Safe@Office appliance is a very simple process. After purchasing an upgrade, you will receive a new Product Key that will enable you to use the upgraded product on the same Safe@Office appliance you have today. For example, if you are using Safe@Office 105, you can purchase an upgrade to Safe@Office 110 and enjoy extended VPN features on your existing Safe@Office appliance.
The Setup Wizard opens, with the Install Product Key dialog box displayed.
3. Click Product Key.
4. In the Product Key field, enter the new Product Key.
5. Click Next.
The Installed New Product Key dialog box appears.
6. Click Next.
The first Registration dialog box appears.
7. Do one of the following:
To register your Safe@Office appliance later on, do the following:
1) Clear the I want to register my product check box.
2) Click Next.
To register your Safe@Office appliance now, click Next. A second Registration dialog box appears. Do the following:
1) Enter your contact information in the appropriate fields.
2) To receive email notifications regarding new firmware versions and services, select the check box.
3) Click Next.
The Registration… screen appears.
The third Registration dialog box appears.
8. Click Finish.
Your Safe@Office appliance is restarted and the Welcome page appears.
Registering Your Safe@Office Appliance
If you want to activate your warranty and optionally receive notifications of new firmware versions and services, you must register your Safe@Office appliance.
Privacy Statement: Check Point is committed to protecting your privacy.
To register your Safe@Office appliance
1. Click Setup in the main menu, and click the Firmware tab.
The Firmware page appears.
2. Click Upgrade Product.
The Setup Wizard opens, with the Install Product Key dialog box displayed.
3. Select Keep these settings.
4. Click Next.
The Product Key Not Modified screen appears.
5. Click Next.
The first Registration dialog box appears.
6. Verify that the I want to register my product check box is selected.
7. Click Next.
8. Enter your contact information in the appropriate fields.
9. To receive email notifications regarding new firmware versions and services, select the check box.
10. Click Next.
The Registration… screen appears.
The third Registration dialog box appears.
11. Click Finish.
Your Safe@Office appliance is restarted and the Welcome page appears.
Configuring Syslog Logging
To configure Syslog logging
1. Click Setup in the main menu, and click the Logging tab.
The Logging page appears.
2. Complete the fields using the information in the table below.
3. Click Apply.
Table 28: Logging Page Fields
In this field… Do this…
Syslog Server: Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service.
Clear: Click to clear the Syslog Server field.
Default: Click to reset the Syslog Port field to the default (port 514 UDP).
Configuring HTTPS
You can enable Safe@Office appliance users to access the Safe@Office Portal from the Internet. To do so, you must first configure HTTPS.
To configure HTTPS
1. Click Setup in the main menu, and click the Management tab.
The Management page appears.
2. Specify from where HTTPS access to the Safe@Office Portal should be granted. See the table below for information.
Warning: If remote HTTPS is enabled, your Safe@Office appliance settings can be changed remotely, so make sure all Safe@Office appliance users’ passwords are unguessable.
If you selected IP Address Range, additional fields appear.
3. If you selected IP Address Range, enter the desired IP address range in the fields provided.
4. Click Apply.
The HTTPS configuration is saved.
Table 29: HTTPS Access Options
Select this option… To allow HTTPS access from…
Internal Network: The internal network only. This disables remote HTTPS capability. Note: You can use HTTPS to access the Safe@Office Portal from your internal network, by surfing to https://my.firewall.
Internal Network and VPN: The internal network and your VPN.
IP Address Range: A particular range of IP addresses. Additional fields appear, in which you can enter the desired IP address range.
Setting the Time on the Appliance
You set the time displayed in the Safe@Office 225 Portal during initial appliance setup. If desired, you can change the date and time displayed in the Safe@Office 225 Portal using the procedure below.
Note: The Safe@Office 100 series takes the time from your local computer and you do not have to manually set the time.
To set the time
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears. If you are using Safe@Office 225, the page appears as follows:
2. Click Set Time.
The Safe@Office Set Time Wizard opens displaying the Set the Safe@Office time dialog box.
3. Complete the fields using the information in the table below.
4. Click Next.
The following things happen in the order below:
If you selected Specify date and time, the Specify Date and Time dialog box appears. Do the following:
1) Set the date, time, and time zone in the fields provided.
2) Click Next.
The Date and Time Updated window appears.
5. Click Finish.
Table 30: Set Time Wizard Fields
Select this option… To do this…
Your computer’s clock: Set the appliance time to your computer’s system time. Your computer’s system time is displayed to the right of this option.
Keep the current time: Do not change the appliance’s time. The current appliance time is displayed to the right of this option.
Specify date and time: Set the appliance to a specific date and time.
Controlling the Appliance via the Command Line
The Safe@Office Portal enables you to control your appliance via the command line interface.
To control the appliance via the command line
1.
The Command Line page appears.
3. In the upper text box type a command. You can view a list of supported commands using the command help.
4. Click Go.
The command is implemented.
Using Diagnostic Tools
The Safe@Office appliance is equipped with a set of diagnostic tools that are useful for troubleshooting Internet connectivity.
Table 31: Diagnostic Tools
Use this tool… To do this…
Ping: Check that a specific IP address or DNS name can be reached via the Internet.
Traceroute: Display a list of all routers used to connect from the Safe@Office appliance to a specific IP address or DNS name.
WHOIS: Display the name and contact information of the entity to whom a specific IP address or DNS name is registered. This information is useful in tracking down hackers.
To use a diagnostic tool
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2.
If you selected Ping, the following things happen:
The Safe@Office appliance sends packets to the specified IP address or DNS name.
The IP Tools window opens and displays the percentage of packet loss and the amount of time each packet took to reach the specified host and return (round-trip) in milliseconds.
If you selected Traceroute, the following things happen:
The Safe@Office appliance connects to the specified IP address or DNS name.
The IP Tools window opens and displays a list of routers used to make the connection.
If you selected WHOIS, the following things happen:
The Safe@Office appliance queries the Internet WHOIS server.
A window displays the name of the entity to whom the IP address or DNS name is registered and their contact information.
Backing Up the Safe@Office Appliance Configuration
You can export the Safe@Office appliance configuration to a *.cfg file, and use this file to back up and restore Safe@Office appliance settings, as needed.
Exporting the Safe@Office Appliance Configuration
Exporting the Safe@Office appliance configuration creates a configuration file.
To export the Safe@Office appliance configuration
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Export.
A standard File Download dialog box appears.
3. Click Save.
The Save As dialog box appears.
4. Browse to a destination directory of your choice.
5. Type a name for the configuration file and click Save.
The *.cfg configuration file is created and saved to the specified directory.
Importing the Safe@Office Appliance Configuration
In order to restore your Safe@Office appliance’s configuration from a configuration file, you must import the file.
To import the Safe@Office appliance configuration
1.
The Import Settings page appears.
3. Do one of the following:
In the Import Settings field, type the full path to the configuration file.
Or
Click Browse, and browse to the configuration file.
4. Click Upload.
A confirmation message appears.
5. Click OK.
The Safe@Office appliance settings are imported. A success message appears.
6. Click OK.
The Tools page reappears.
Resetting the Safe@Office Appliance to Defaults
You can reset the Safe@Office appliance to its default settings. When you reset your Safe@Office appliance, it reverts to the state it was originally in when you purchased it, and your firmware reverts to the version that shipped with the Safe@Office appliance.
Warning: This operation erases all your settings and password information.
The Please Wait screen appears.
The Safe@Office appliance returns to its factory defaults.
The Safe@Office appliance is restarted (the PWR/SEC LED flashes quickly). This may take up to a minute.
The Login page appears.
To reset the Safe@Office appliance to factory defaults using the Reset button
1. Make sure the Safe@Office appliance is powered on.
2.
Running Diagnostics
You can view technical information about your Safe@Office appliance’s hardware, firmware, license, network status, and Service Center. This information is useful for troubleshooting. You can copy and paste it into the body of an email and send it to technical support.
To run diagnostics
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Diagnostics.
Technical information about your Safe@Office appliance appears in a new window.
Rebooting the Safe@Office Appliance
If your Safe@Office appliance is not functioning properly, rebooting it may solve the problem.
To reboot the Safe@Office appliance
1. Click Setup in the main menu, and click the Tools tab.
The Tools page appears.
2. Click Restart.
A confirmation message appears.
3. Click OK.
The Please Wait screen appears.
The Safe@Office appliance is restarted (the PWR/SEC LED flashes quickly). This may take up to a minute.
The Login page appears.
Chapter 12 Troubleshooting
This chapter provides solutions to common problems you may encounter while using the Safe@Office appliance.
This chapter includes the following topics:
Connectivity
Service Center and Upgrades
Other Problems
Connectivity
• If Web Filtering or Email Anti Virus scanning are on, try turning them off.
• Check if you have defined firewall rules which block your Internet connectivity.
• Check with your ISP for possible service outage.
• Check whether you are exceeding the maximum number of computers allowed by your license, by following the procedure Viewing Computers on page 104.
I cannot access my DSL broadband connection.
I cannot access http://my.firewall or http://my.vpn. What should I do?
• Verify that the Safe@Office appliance is operating (PWR/SEC LED is active).
• Check if the LAN LINK/ACT LED for the port used by your computer is on. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly. Note: You may need to use a crossed cable when connecting the Safe@Office appliance to another hub/switch.
• Try surfing to 192.168.10.1 instead of to my.firewall.
I changed the network settings to incorrect values and am unable to correct my error. What should I do?
Reset the network to its default settings using the button on the back of the Safe@Office appliance unit. See Resetting the Safe@Office Appliance to Defaults on page 222.
I am using the Safe@Office appliance behind another NAT device, and I am having problems with some applications. What should I do?
By default, the Safe@Office appliance performs Network Address Translation (NAT).
I cannot receive audio or video calls through the Safe@Office appliance. What should I do?
To enable audio/video, you must configure an IP Telephony (H.323) virtual server. For instructions, see Configuring Servers.
I run a public Web server at home but it cannot be accessed from the Internet. What should I do?
Configure a virtual Web Server. For instructions, see Configuring Servers.
I cannot connect to the LAN network from the DMZ network.
Service Center and Upgrades
While trying to connect to a Service Center, I received the message “The Service Center did not respond”. What should I do?
• If you are using a Service Center other than the Check Point Service Center, check that the Service Center IP address is typed correctly.
• The Safe@Office appliance connects to the Service Center using UDP ports 9281/9282. If the Safe@Office appliance is installed behind another firewall, make sure that these ports are open.
Other Problems
Chapter 13 Specifications
This chapter includes the following topics:
Technical Specifications
CE Declaration of Conformity
Federal Communications Commission Radio Frequency Interference Statement
Technical Specifications
Attribute Details
Retail box dimensions (width x height x depth): 31 x 10 x 16 cm (12.4 x 4 x 6.4 inches)
Retail box weight: 1.3 kg (2.9 lbs)
Environmental Conditions
Temperature, Storage/Transport: -20°C to +70°C
Temperature, Operation: +5°C to +45°C
Humidity, Storage/Operation: 5% to 90% at 25°C (no condensation)
Applicable Standards
Shock & Vibration: ETSI 300 019-2-3 CLASS 3.
CE Declaration of Conformity
SofaWare Technologies Ltd., 3 Hilazon St., Ramat-Gan Israel, hereby declares that this equipment is in conformity with the essential requirements specified in Article 3.1 (a) and 3.
Federal Communications Commission Radio Frequency Interference Statement
Shielded cables must be used with this equipment to maintain compliance with FCC regulations. Changes or modifications not expressly approved by the manufacturer could void the user’s authority to operate the equipment. This device complies with Part 15 of the FCC Rules.
Glossary of Terms
A
ADSL Modem
A device connecting a computer to the Internet via an existing phone line. ADSL (Asymmetric Digital Subscriber Line) modems offer a high-speed 'always-on' connection.
C
Cable Modem
A device connecting a computer to the Internet via the cable television network. Cable modems offer a high-speed 'always-on' connection.
Certificate Authority
The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers.
DHCP uses the concept of a "lease" or amount of time that a given IP address will be valid for a computer.
DMZ
A DMZ (demilitarized zone) is an internal network defined in addition to the LAN network and protected by the Appliance.
Domain Name System
The Domain Name System (DNS) refers to the Internet domain names, or easy-to-remember "handles", that are translated into IP addresses. An example of a Domain Name is 'www.sofaware.com'.
HTTPS is used to transfer confidential user information.
Hub
A device with multiple ports, connecting several PCs or network devices on a network.
I
IP Address
An IP address is a 32-bit number that identifies each computer sending or receiving data packets across the Internet.
M
MAC Address
The MAC (Media Access Control) address is a computer's unique hardware number. When connected to the Internet from your computer, a mapping relates your IP address to your computer's physical (MAC) address on the LAN.
Mbps
Megabits per second. Measurement unit for the rate of data transmission.
N
NAT
routing. Each of these packets is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file at the receiving end.
PPPoE
PPPoE (Point-to-Point Protocol over Ethernet) enables connecting multiple computer users on an Ethernet local area network to a remote site or ISP, through common customer premises equipment (e.g. modem).
Subnet Mask
A 32-bit identifier indicating how the network is split into subnets. The subnet mask indicates which part of the IP address is the host ID and which indicates the subnet.
T
TCP
TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet.
UDP is often used for applications such as streaming data.
URL
A URL (Uniform Resource Locator) is the address of a file (resource) accessible on the Internet. The type of resource depends on the Internet application protocol. On the Web (which uses the Hypertext Transfer Protocol), an example of a URL is 'http://www.sofaware.com'.