Check Point 1430/1450 Appliance
Centrally Managed Getting Started Guide
Models: L-71, L-71W, L-71WD
Classification: [Protected]
P/N 707410
DRAFT

2017 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our trademarks. Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html for a list of relevant copyrights and third-party licenses.

Latest Documentation
The latest version of this document is at:
http://downloads.checkpoint.com/dc/download.htm?ID=46106

To learn more, visit the Check Point Support Center http://supportcenter.checkpoint.com.

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to mailto:cp_techpub_feedback@checkpoint.com (subject: Feedback on Check Point 1430/1450 Appliance Centrally Managed Getting Started Guide).

Health and Safety Information
Read these warnings before setting up or using the appliance.

Warning - Do not block air vents. A minimum 1/2-inch clearance is required.

Warning - This appliance does not contain any user-serviceable parts. Do not remove any covers or attempt to gain access to the inside of the product. Opening the device or modifying it in any way has the risk of personal injury and will void your warranty. The following instructions are for trained service personnel only.

Power Supply Information
To reduce potential safety issues with the DC power source, only use one of these:
- The AC adapter supplied with the appliance.
- A replacement AC adapter supplied by Check Point.
- An AC adapter purchased as an accessory from Check Point.

To prevent damage to any system, it is important to handle all parts with care. These measures are generally sufficient to protect your equipment from static electricity discharge:
- Restore the communications appliance system board and peripherals back into the antistatic bag when they are not in use or not installed in the chassis.
- Some circuitry on the system board can continue operating when the power is switched off. Do not allow the lithium battery cell used to power the real-time clock to short. The battery cell may heat up under these conditions and present a burn hazard.
- Warning - DANGER OF EXPLOSION IF BATTERY IS INCORRECTLY REPLACED. REPLACE ONLY WITH SAME OR EQUIVALENT TYPE RECOMMENDED BY THE MANUFACTURER. DISCARD USED BATTERIES ACCORDING TO THE MANUFACTURER'S INSTRUCTIONS.
- Do not dispose of batteries in a fire or with household waste. Contact your local waste disposal agency for the address of the nearest battery deposit site.
- Disconnect the system board power supply from its power source before you connect or disconnect cables or install or remove any system board components. Failure to do this can result in personnel injury or equipment damage.
- Avoid short-circuiting the lithium battery; this can cause it to superheat and cause burns if touched.
- Do not operate the processor without a thermal solution. Damage to the processor can occur in seconds.

For California:
Perchlorate Material - special handling may apply. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate
The foregoing notice is provided in accordance with California Code of Regulations Title 22, Division 4.5, Chapter 33. Best Management Practices for Perchlorate Materials. This product, part, or both may include a lithium manganese dioxide battery which contains a perchlorate substance.

Proposition 65 Chemical
Chemicals identified by the State of California, pursuant to the requirements of the California Safe Drinking Water and Toxic Enforcement Act of 1986, California Health & Safety Code s. 25249.5, et seq. ("Proposition 65"), that are "known to the State to cause cancer or reproductive toxicity." See http://www.calepa.ca.gov.

WARNING:
Handling the cord on this product will expose you to lead, a chemical known to the State of California to cause cancer, and birth defects or other reproductive harm. Wash hands after handling.

Declaration of Conformity
Manufacturer's Name: Check Point Software Technologies Ltd.
Manufacturer's Address: 5 Ha'Solelim Street, Tel Aviv 67897, Israel
Declares under our sole responsibility, that the products:
Model Number: L-71, *L-71W, **L-71WD
Product Options: 1430 Wired, 1430 WiFi, 1430 WiFi + DSL, 1450 Wired, 1450 WiFi, 1450 WiFi + DSL
Date First Applied: January 2016
Conform to the following Product Specifications:
RF/Wi-Fi (* marked model)
Telecom (** marked model)

Type: EMC, *RF/WiFi, **Telecom
Certification:
EN 55032:2015 + AC:2016, Class B
EN 55032:2012 + AC:2013, Class B
EN 55024:2010 / A1:2015
EN 55024:2010
EN61000-3-2:2014
EN61000-3-3:2013
EN61000-4-2:2009
EN61000-4-3:2006+A1:2008+A2:2010
EN61000-4-4:2012
EN61000-4-5:2014
EN61000-4-6:2014
EN61000-4-11:2004
*EN 300 328 V2.1.1 (2016-11)
*EN 301 893 V2.1.1 (2017-05)
*EN 301 489-1 V2.1.1 (2017-02)
*EN 301 489-17 V3.1.1 (2017-02)
*EN 62311:2008 (SAR)
*EN 50386:2002, EN50383:2010 (SAR)
**ITU-T K.21 (04-2008)

Type: EMC, *RF, **Telecom
Certification:
AS/NZS CISPR 32:2015, Class B
AS/NZS CISPR 32:2013, Class B
*AS/NZS 4268:2017
*ARPANSA Radiation Protection Standard No.3:2002
*AS/NZS 2772.2:2011 (SAR)
**AS/CA S041.1-2015 & AS/CA S041.2-2015
**AS/CA S043.1:2015 / AS/CA S043.2:2015

Type: EMC, *RF, **Telecom
Certification:
47 CFR FCC Part 15, Subpart B, Class B
ANSI C63.4:2009
ANSI C63.4:2014
ICES-003:2012 Issue 5, Class B
ICES-003:2016 Issue 6, Class B
*47 CFR FCC Part 15, Subpart C (section 15.247), ANSI C63.10:2013
*FCC Part 15, Subpart E (Section 15.407)
*KDB 905462 D02 UNII DFS Compliance Procedures New Rules v02
*FCC Part 2 (Section 2.1091) KDB 447498 D01
*RSS-247 Issue 1 (1015-05)
*RSS-247 Issue 2 (2017-02)
*RSS-Gen Issue 4 (2014-11)
*RSS-102 Issue 5:2015
*IEEE C95.3-2002
*FCC KDB 447498 D01
**FCC Part 68, ANSI/TIA-968-B-3-2016
**CS-03 Part I Issue 9, Amendment 5, March 2016
**CS-03, Part VIII, Issue 9, Amendment 5, March 2016

Type: EMC, *RF
Certification:
VCCI, V-3/2015.4 Class B, V4/2012.04
VCCI-CISPR 32:2016, Class B
JP ARIB STD-T66 (V3.7), MIC notice 88 Appendix 43
JP ARIB STD-T71 (V6.1), MIC notice 88 Appendix 45

Type: Safety
Certification:
EN 60950-1
IEC 60950-1
UL/ULc 60950-1, AS/NZS 60950-1

Date and Place of Issue: January 2016, Tel Aviv, Israel

Federal Communications Commission (FCC) Statement:
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation.

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.

FCC Caution:
Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.

Radiation Exposure Statement
This equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters between the radiator and your body.

For Country Code Selection Usage (WLAN Devices)
Note: The country code selection is for non-US models only and is not available to all US models. Per FCC regulation, all WiFi products marketed in the US must be fixed to US operation channels only.

Canadian Department Compliance Statement
This device complies with Industry Canada license-exempt RSS standard(s). Operation is subject to the following two conditions:
1. This device may not cause interference, and
2. This device must accept any interference, including interference that may cause undesired operation of the device.

This Class B digital apparatus complies with Canadian ICES-003.

This device and its antenna(s) must not be co-located or operating in conjunction with any other antenna or transmitter, except tested built-in radios.

The Country Code Selection feature is disabled for products marketed in the US/Canada.

FOR WLAN 5 GHz DEVICE:
Caution:
1. The device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems;
2. The maximum antenna gain permitted for devices in the bands 5250-5350 MHz and 5470-5725 MHz shall comply with the e.i.r.p. limit; and
3. The maximum antenna gain permitted for devices in the band 5725-5825 MHz shall comply with the e.i.r.p. limits specified for point-to-point and non point-to-point operation as appropriate.
4. The worst-case tilt angle(s) necessary to remain compliant with the e.i.r.p. elevation mask requirement set forth in Section 6.2.2(3) shall be clearly indicated. (For 5G B2 with DFS devices only)
5. Users should also be advised that high-power radars are allocated as primary users (i.e. priority users) of the bands 5250-5350 MHz and 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices.

Japan Class B Compliance Statement:

European Union (EU) Electromagnetic Compatibility Directive
This product is herewith confirmed to comply with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility Directive (2014/30/EU). This product is in conformity with Low Voltage Directive 2014/35/EU, and complies with the requirements in the Council Directive 2014/35/EU relating to electrical equipment designed for use within certain voltage limits and the Amendment Directive 93/68/EEC.

Product Disposal
This symbol on the product or on its packaging indicates that this product must not be disposed of with your other household waste. Instead, it is your responsibility to dispose of your waste equipment by handing it over to a designated collection point for the recycling of waste electrical and electronic equipment. The separate collection and recycling of your waste equipment at the time of disposal will help to conserve natural resources and ensure that it is recycled in a manner that protects human health and the environment. For more information about where you can drop off your waste equipment for recycling, please contact your local city office or your household waste disposal service.

Informations relatives à la santé et à la sécurité (Class B)
(French edition of the preceding Health and Safety Information, Declaration of Conformity and regulatory statements.)
Contents
Health and Safety Information ... 4
Informations relatives à la santé et à la sécurité (Class B) ... 18
Introduction ... 33
    Welcome ... 33
    Shipping Carton Contents ... 34
    Check Point 1430/1450 Appliance Hardware ... 35
        Front Panel ... 36
        Back Panel ... 40
    Security Gateway Software Blades ... 45
Configuring Check Point 1430/1450 Appliance ... 47
    Recommended Workflow ... 47
    Deployment ... 49
        Defining the Object in SmartDashboard ... 49
        Preparing to Install the Security Policy ... 54
        Setting Up the Check Point 1430/1450 Appliance ... 56
            Connecting the Cables ... 56
            Using the First Time Configuration Wizard ... 57
    Large-scale Deployment ... 79
        Defining a SmartLSM Gateway Profile for a Large-scale Deployment ... 79
        Deploying with SmartProvisioning ... 80
Restoring Factory Defaults ... 81
Appendix A: Browser Security Warnings ... 84
Appendix B: Security Management Issues ... 86
    Viewing the Policy Installation Status ... 86
    Configuring Notification Settings ... 90
Getting Support ... 92
    Support ... 92
    Where To From Here? ... 92

Introduction
Review these documents before doing the procedures in this guide:
- Release Notes
- Known Limitations

For more information about the Check Point 1430/1450 Appliance, see the relevant Check Point Appliance Administration Guide.

Welcome
Thank you for choosing Check Point's Internet Security Product Suite. Check Point 1430/1450 Appliance delivers integrated unified threat management to protect your organization from today's emerging threats. Check Point 1430/1450 Appliance supports the Check Point Software Blade architecture and provides independent, modular, and centrally managed security building blocks.

Check Point 1430/1450 Appliance runs an embedded version of the Gaia operating system. Embedded Gaia supports built-in network switches, wireless networks, 4G/LTE Internet connectivity, multiple Internet connections (more than 2) in High Availability or Load Sharing mode, Policy Based Routing, DDNS support, and quick deployment (with USB).

Shipping Carton Contents
Item: Description
Appliance: A single Check Point 1430/1450 Appliance
Power Supply and Accessories: 1 power adapter; 1 power cord; 2 standard network cables; 1 serial console cable; 1 mini USB console cable; wall mount kit (screws and plastic anchors); 1 telephone cable (only in DSL models)
Guides: Check Point 1430/1450 Appliance Quick Start Guide; Check Point 1430/1450 Appliance Getting Started Guide
Wireless Network Antennas: 3 wireless network antennas (only in wireless network models)
Sticker: LEDs behavior
License Agreement: End user license agreement

Check Point 1430/1450 Appliance Hardware
These are the Check Point 1430/1450 Appliance models:
- Wired
- Wireless (WiFi)
- Wireless + DSL

The differences in the front and back panels are described in this section.

Front Panel

Wired Model and WiFi Model (see front panel figures)

Key: Item: Description
1: Alert LED: Blinking green during boot. Red when the appliance has a resource problem such as memory shortage.
2: Internet LED: Green when connected to the Internet. Blinking red when the Internet connection is configured but fails to connect.
3: SD LED: Green when SD card is inserted.
4: USB LED: Green when a USB device is connected.
5: LAN1 - LAN6, DMZ, WAN LEDs: Speed Indicator - Orange when the port speed is 1000 Mbps. Green when the port speed is 100 Mbps. Not lit when the port speed is 10 Mbps. Activity Indicator - Not lit when there is no link. Green when there is a link but no traffic encountered. Blinking green when encountering traffic.
6: Power LED: Green when the appliance is turned on. Red when there is a boot error or the appliance is in maintenance mode.
7: USB port: USB port that is used for: cellular and analog modems; reinstalling the appliance with new firmware; running a first-time configuration script.
8: WiFi LED (only in WiFi and WiFi + VDSL models): Blinking green when there is WiFi activity. Green when there is no WiFi activity.

WiFi + DSL Model

Key: Item: Description
1: Alert LED: Blinking green during boot. Red when the appliance has a resource problem such as memory shortage.
2: DSL LED: Off - DSL modem is off. Blinking green - DSL modem is performing synchronization. Steady green - DSL is synchronized.
3: Internet LED: Off - DSL modem is off. Blinking green - DSL modem is performing synchronization. Steady green - DSL is synchronized.
4: SD LED: Green when SD card is inserted.
5: USB LED: Green when a USB device is connected.
6: WiFi LED (only in WiFi and WiFi + DSL models): Blinking green when there is WiFi activity. Green when there is no WiFi activity.
7: DSL Traffic LED: Off - DSL connection has not been established. Blinking green - DSL connection is established. The blinking rate is proportional to the Internet traffic rate.
8: LAN1 - LAN6, DMZ, WAN LEDs: Speed Indicator - Orange when the port speed is 1000 Mbps. Green when the port speed is 100 Mbps. Not lit when the port speed is 10 Mbps. Activity Indicator - Not lit when there is no link. Green when there is a link but no traffic encountered. Blinking green when encountering traffic.
9: Power LED: Green when the appliance is turned on. Red when there is a boot error or the appliance is in maintenance mode.
10: USB port: USB port that is used for: cellular and analog modems; reinstalling the appliance with new firmware; running a first-time configuration script.

Back Panel

Wired Model and WiFi Model (see back panel figures)

Key: Item: Description
1: Ground (Earth): Functional grounding.
2: DMZ and WAN ports: Built-in Ethernet ports.
3: Console port: RJ45 or Mini USB. Serial connection configured to 115200 bps by default. Note - When both the RJ45 and Mini USB cables are connected, the Mini USB takes precedence.
4: Reboot button: Lets you forcibly reboot the appliance. The button is recessed into the appliance chassis to prevent accidental reboot. The appliance reboots after you press the button.
5: PWR+12VDC: Connects to the power supply unit's cable. Note - The power unit cable must be securely screwed in to the appliance.
6: Factory Default button: Lets you restore the appliance to its factory defaults. The button is recessed into the appliance chassis to prevent accidental restoring of factory default settings. See Restoring Factory Defaults (on page 81).
7: LAN1 - LAN6 ports: Built-in Ethernet ports.
8: ANT1, ANT2 and ANT3: Ports for attaching wireless network antennas (only in WiFi and WiFi + VDSL models).

WiFi + DSL Model

Key: Item: Description
1: ANT1, ANT2 and ANT3: Ports for attaching wireless network antennas (only in WiFi and WiFi + DSL models).
2: DSL: Port for attaching telephone cable (only in WiFi + DSL models).
3: Factory Default button: Lets you restore the appliance to its factory defaults. The button is recessed into the appliance chassis to prevent accidental restoring of factory default settings. See Restoring Factory Defaults (on page 81).
4: PWR+12VDC: Connects to the power supply unit's cable. Note - The power unit cable must be securely screwed in to the appliance.
5: Reboot button: Lets you forcibly reboot the appliance. The button is recessed into the appliance chassis to prevent accidental reboot. The appliance reboots after you press the button.
6: Console port: RJ45 or Mini USB. Serial connection configured to 115200 bps by default. You can also use this port to connect an analog modem. Note - When both the RJ45 and Mini USB cables are connected, the Mini USB takes precedence.
7: DMZ and WAN ports: Built-in Ethernet ports.
8: Ground (Earth): Functional grounding.
9: LAN1 - LAN6 ports: Built-in Ethernet ports.

Security Gateway Software Blades
Check Point 1430/1450 Appliance has these Software Blades:
Firewall - World's most proven firewall solution that can examine hundreds of applications, protocols and services out-of-the-box. The firewall also performs Network Address Translation and intelligent VoIP security.
IPSec VPN - Sophisticated (but simple to manage) Site-to-Site VPN and flexible Remote Access working seamlessly with a variety of VPN agents.
Application Control - Signature-based granular control of thousands of Internet applications and Web 2.0 widgets.
URL Filtering - Best-of-breed URL filtering engine, based on a central database located in the Check Point data center. This ensures excellent coverage of URLs, while maintaining a minimal footprint on devices. Check Point 1430/1450 Appliance provides cut-through performance, as URL categorization queries are done asynchronously.
Identity Awareness - Gives user and machine visibility across network blades. Enables the creation of identity-based access policies for application and resource control.
IPS (more than 2000 protections) - Best-in-class integrated IPS with leading performance and unlimited scaling. IPS protections are updated with IPS updates.
Anti-spam & Email Security (based on IP reputation and content) - Comprehensive and multidimensional protection for the organization's email infrastructure. This includes updates.
Anti-virus - Provides superior Anti-virus protection against modern malware, multiple attack vectors and threats. It offers powerful security coverage by supporting millions of signatures. In addition, it leverages the Check Point ThreatCloud repository to identify and block incoming malicious files from entering the organization.
Anti-Bot - Detects bot-infected machines and prevents bot damage by blocking bot Command and Control (C&C) communications.
Threat Emulation - Protects networks against unknown threats in files that are downloaded from the Internet or attached to emails.
Advanced Networking and Clustering - For dynamic routing and Multicast support. Wire-speed packet inspection with SecureXL and high availability or load sharing with ClusterXL.
QoS - Quality of Service optimizes network performance by prioritizing business-critical applications and end-user traffic. It guarantees bandwidth and controls latency for streaming applications, such as VoIP and video conferencing.

Configuring Check Point 1430/1450 Appliance

The appliance is a Security Gateway. A remote Security Management Server manages the Security Gateway in SmartDashboard with a network object and security policy. We recommend that you define a gateway object and prepare the policy before you configure the appliance with the First Time Configuration Wizard.

Recommended Workflow

There are two types of centrally managed deployments:
Small-scale deployment - Where you configure between 1 and 25 Check Point 1430/1450 Appliance gateways.
Large-scale deployment - Where you configure over 25 Check Point 1430/1450 Appliance gateways using a SmartLSM profile and SmartProvisioning.

In a small-scale deployment, you configure multiple Check Point 1430/1450 Appliance gateways:
1. Install a Security Management Server and SmartConsole client that operate with Check Point 1430/1450 Appliance.
2. Define the Check Point 1430/1450 Appliance object in SmartDashboard and prepare a policy for it.
3. Set up the Check Point 1430/1450 Appliance and connect the cables.
4. Use the First Time Configuration Wizard to do the initial Check Point 1430/1450 Appliance configuration.
5. Optional: You can manage settings such as DNS, host names, and routing through SmartProvisioning. For more information, see the SmartProvisioning section in the appliance Administration Guide.

To define a large-scale deployment (on page 79) (recommended workflow):
1. Install a Security Management Server and SmartConsole clients that operate with Check Point 1430/1450 Appliance.
2. Define a SmartLSM profile in SmartDashboard.
3. Deploy with SmartProvisioning.

Deployment

To manage the Check Point 1430/1450 Appliance in a centrally managed deployment, you must install a Security Management Server and SmartConsole clients that operate with Check Point 1430/1450 Appliance. The Security Management Server versions that operate with Check Point 1430/1450 Appliance are versions R77.30 and higher. For installation instructions, see the version's release notes.

After you install the SmartConsole clients, you can define the Check Point 1430/1450 Appliance object in SmartDashboard (in small-scale deployments) or create a SmartLSM profile (in large-scale deployments) and prepare the security policy.

Defining the Object in SmartDashboard

You can define the Check Point 1430/1450 Appliance in SmartDashboard before or after configuration of the appliance on site. The options are:
Management First - The gateway object is defined in SmartDashboard before you configure and set up the actual appliance on site. This is used for remotely deployed appliances or appliances that connect to the Security Management Server with a dynamic IP, as the IP is not known at the time of the configuration of the object in SmartDashboard. You can prepare a policy that the appliance will fetch when it is configured.
Gateway First - You first configure and set up the Check Point 1430/1450 Appliance. It will then try to communicate with the Security Management Server (if this is configured) at one-hour intervals. If the gateway is connected when you create the object in SmartDashboard, the wizard retrieves data from the gateway and helps in configuration.

Note - We recommend that you use the Management First option using the steps below.

To define the Check Point 1430/1450 Appliance object:
1. Log in to SmartDashboard with your Security Management credentials.
2. From the Network Objects tree, right-click Check Point and select Security Gateway/Management. The Check Point Security Gateway Creation window opens.
3. Select Wizard Mode. The wizard opens to General Properties.
4. Enter a name for the Check Point 1430/1450 Appliance object and select the hardware type for the hardware platform. If the Check Point 1430/1450 Appliance does not appear in the hardware list in the R77.30 SmartDashboard, refer to sk111292 (http://supportcontent.checkpoint.com/solutions?id=sk111292).
5. Set the Security Gateway Version to R77.20.
6. Select Static IP address or Dynamic IP address to get the gateway's IP address.
7. Click Next.

To configure a static IP address:
1. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).
2. If you selected Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it. This password is only used to establish the initial trust. Once established, trust is based on security certificates.
   Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.
3. In the Trusted Communication section, select Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time or Initiate trusted communication now.
4. Click Connect. A status window appears.
5. Click Next.

To configure a dynamic IP address:
1. In the Gateway Identifier section, select one identifier: Gateway name, MAC address or First to connect.
2. In the Authentication section, select Initiate trusted communication securely by using a one-time password or Initiate trusted communication without authentication (less secure).
3. If you select Initiate trusted communication securely by using a one-time password, enter a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates.
   Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.
4. Click Next.

To configure the software blades:
In the Blade Activation page, select the software blades that you want to activate and configure.

To configure blades later:
1. Select Activate and configure software blades later.
2. Click Next.

To configure blades now:
1. Select Activate and configure software blades now.
2. Select the check boxes next to the blades you want to activate and configure.
3. Configure the required options:
   NAT - The Hide internal networks behind the Gateway's external IP checkbox is selected by default.
   QoS - Set the inbound and outbound bandwidth rates.
   IPSec VPN - Make sure that the VPN community has been predefined. If it is a star community, Check Point 1430/1450 Appliance is added as a satellite gateway. Select a VPN community that the Gateway participates in from the Participate in a site to site community list.
   IPS - Select a profile from the Assign IPS Profile list or click Manage to create/edit an IPS profile.
   Identity Awareness - Complete the wizard pages that open to define the Identity Awareness acquisition sources. In the Active Directory Servers page of the wizard, make sure to select only AD servers that your gateway works with.
4. Click Next.

To hide the VPN domain:
Select Hide VPN domain behind this gateway's external IP. Select this option only if you want to hide all internal networks behind this gateway's external IP. All outgoing traffic from networks behind this gateway to other sites that participate in the VPN community will be encrypted. With this option, connections that are initiated from other sites and directed to hosts behind this gateway will not be encrypted. If you need access to hosts behind this gateway, choose other options (define VPN topology), or make sure all traffic from other sites is directed to this gateway's external IP and define corresponding NAT port-forwarding rules, such as: translate the destination of incoming HTTP connections that are directed to this gateway's external IP to the IP address of a web server behind this gateway.

To create a new VPN domain group:
1. Make sure that the Create a new VPN domain option is selected.
2. In the Name field, enter a name for the group.
3. From the Available objects list, select the applicable objects and click Add. The objects are added to the VPN domain members list.

To select a predefined VPN domain:
1. Click Select an existing VPN domain.
2. From the VPN Domain list, select the domain.
3. Click Next.
4. In the Installation Wizard Completion page, you see a summary of the configuration parameters you set. If you want to configure more options of the Security Gateway, select Edit Gateway properties for further configuration.
5. Click Finish. The General Properties window of the newly defined object opens.

Preparing to Install the Security Policy

To prepare the policy for automatic installation when the gateway connects:
1. Select the Security Gateways on which to install the policy.
2. In the menu, click Policy > Install. The Install Policy window opens.
3. Select the policy components.
4. Select how the security policy is installed:
   - On each selected gateway independently
   - On all selected gateways. If it fails, do not install on gateways of the same version.
5. Click OK. The Installation Process window shows the status of the Network Security policy for the selected target.

If you used the Management First configuration option:
The Check Point 1430/1450 Appliance object is defined but the appliance is not set up. The Installation Process window shows the "Waiting for first connection" status and the message "Installation completed successfully". The policy is successfully prepared for installation and not actually installed. When the appliance is set up and the gateway connects to the Security Management Server, it establishes trust and then attempts to install the policy automatically.

If you used the Gateway First configuration option:
When you successfully complete this step, the policy is pushed to the Check Point 1430/1450 Appliance. For a list of possible statuses, see Viewing the Policy Installation Status (on page 86). You can track the status of the security policy installation with the Policy Installation Status window and the status bar.

Setting Up the Check Point 1430/1450 Appliance

1. Remove the Check Point 1430/1450 Appliance from the shipping carton and place it on a tabletop. Identify the network interface marked as LAN1. This interface is preconfigured with the IP address 192.168.1.1.
2. Connecting the Cables
   1. Connect the power supply unit to the appliance and to a power outlet. The appliance is turned on when the power supply unit is connected to an outlet. The Power LED on the front panel lights up. This indicates that the appliance is turned on. The Alert LED (called the Notice LED in the 600 appliance) on the front panel starts to blink. This indicates that the appliance is booting up. When the Alert LED turns off, the appliance is ready for login.
   2. Connect the standard network cable to the LAN1 port on the appliance and to the network adapter on your PC.
   3. Connect another standard network cable to the WAN port on the appliance and to the external modem, external router, or network point.

Using the First Time Configuration Wizard

Configure the Check Point 1430/1450 Appliance with the First Time Configuration Wizard. To close the wizard and save configured settings, click Quit.

Note - In the First Time Configuration Wizard, you may not see all the pages described in this guide. The pages that show in the wizard depend on your Check Point 1430/1450 Appliance model and the options you select.

Starting the First Time Configuration Wizard

To configure the Check Point 1430/1450 Appliance for the first time after you complete the hardware setup, you use the First Time Configuration Wizard.
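Before the wizard pages, here is an added worked example (not Check Point code, and not something the guide itself provides) that models the two installation modes listed under Preparing to Install the Security Policy above, together with the "Waiting for first connection" state of a Management First gateway. The install-mode semantics it encodes are read from the option names in the Install Policy window: in the first mode each gateway keeps its own result; in the second, a failure on one gateway withholds the policy from every other selected gateway of the same version. The gateway names, versions, install outcomes and the "Withheld" category are constructed for the example; nothing here talks to a Security Management Server.

```python
"""Model of the policy-installation modes in the Install Policy window.

Added example, not Check Point code. Assumed semantics, taken from the option
names in the guide:
  INDEPENDENT           "On each selected gateway independently"
  ALL_OR_SAME_VERSION   "On all selected gateways. If it fails, do not install
                         on gateways of the same version."
A Management First object whose appliance has not connected yet reports
"Waiting for first connection": the policy is prepared, not installed.
"""
from collections import Counter
from dataclasses import dataclass

INDEPENDENT = "independent"
ALL_OR_SAME_VERSION = "all-or-same-version"

STATUS_WAITING = "Waiting for first connection"
STATUS_OK = "Installation completed successfully"
STATUS_FAILED = "Failed"
# "Withheld" is this model's own label for a gateway that did not fail itself but
# is skipped because a same-version gateway failed (second install mode).
STATUS_WITHHELD = "Not installed: failure on a gateway of the same version"


@dataclass(frozen=True)
class Gateway:
    name: str
    version: str
    connected: bool          # False: Management First object, appliance not set up yet
    install_ok: bool = True  # constructed outcome of the install attempt when connected


def install_policy(gateways, mode):
    """Return {gateway name: status} for one Policy > Install run in the given mode."""
    if mode not in (INDEPENDENT, ALL_OR_SAME_VERSION):
        raise ValueError(f"unknown install mode: {mode!r}")
    status = {}
    for gw in gateways:
        if not gw.connected:
            status[gw.name] = STATUS_WAITING
        elif gw.install_ok:
            status[gw.name] = STATUS_OK
        else:
            status[gw.name] = STATUS_FAILED
    if mode == ALL_OR_SAME_VERSION:
        # One failure blocks every other successful gateway of that version.
        failed_versions = {gw.version for gw in gateways
                           if gw.connected and not gw.install_ok}
        for gw in gateways:
            if gw.version in failed_versions and status[gw.name] == STATUS_OK:
                status[gw.name] = STATUS_WITHHELD
    return status


def status_bar(status):
    """Counts in the spirit of the SmartDashboard status bar: Pending covers
    gateways waiting for first connection, Failed covers failed installs, and
    Withheld (this model's category) covers same-version skips."""
    counts = Counter(Pending=0, Failed=0, Withheld=0)
    for s in status.values():
        if s == STATUS_WAITING:
            counts["Pending"] += 1
        elif s == STATUS_FAILED:
            counts["Failed"] += 1
        elif s == STATUS_WITHHELD:
            counts["Withheld"] += 1
    return dict(counts)


# Constructed fleet: names, versions and outcomes are sample values, not from the guide.
FLEET = [
    Gateway("branch-a", "R77.20", connected=True, install_ok=True),
    Gateway("branch-b", "R77.20", connected=True, install_ok=False),
    Gateway("branch-c", "R77.30", connected=True, install_ok=True),
    Gateway("branch-d", "R77.20", connected=False),  # Management First, not set up yet
]

if __name__ == "__main__":
    for mode in (INDEPENDENT, ALL_OR_SAME_VERSION):
        result = install_policy(FLEET, mode)
        print(mode, result, status_bar(result))
```

The practical point the model makes visible: with the second mode, one failing gateway leaves its same-version peers on their previous policy, so after an install run a Withheld count should be treated like a Failed count when you verify that a policy change has actually reached the fleet.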
If you do not complete the wizard because of one of these conditions, the wizard will run again the next time you connect to the appliance:
- The browser window is closed.
- The appliance is restarted while you run the wizard.

After you complete the wizard, you can use the WebUI (Web User Interface) to change settings configured with the First Time Configuration Wizard and to configure advanced settings.

To open the WebUI, enter one of these addresses in the browser:
http://my.firewall
http://192.168.1.1:4434

If a security warning message shows, confirm it and continue. For more details, see Appendix A: Browser Security Warnings (on page 84). The First Time Configuration Wizard runs.

Welcome

The Welcome page introduces the product and shows the name of your appliance.

To change the language of the WebUI application:
Select the language link at the top of the page. Note that only English is allowed as the input language.

Authentication Details

In the Authentication Details page, enter these details to log in to the Check Point 1430/1450 Appliance WebUI application or if the wizard closes abnormally:
Administrator Name - We recommend that you change the default "admin" login name of the administrator. The name is case sensitive.
Password - A strong password has a minimum of 6 characters with at least one capital letter, one lower case letter, and a special character. Use the Password strength meter to measure the strength of your password. Note - The meter is only an indicator and does not enforce creation of a password with a specified number of characters or character combination. To enforce password complexity, click the check box.
Confirm Password - Enter the password again.
Country - Select a country from the list (for wireless network models).

Appliance Date and Time Settings

In the Appliance Date and Time Settings page, configure the appliance's date, time, and time zone settings manually or use the Network Time Protocol option. When you set the time manually, the host computer's settings are used for the default date and time values. If necessary, change the time zone setting to reflect your correct location. Daylight Saving Time is automatically enabled by default. You can change this in the WebUI application on the Device > Date and Time page.

When you use the NTP option, there are two default servers you can use. These are ntp.checkpoint.com and ntp2.checkpoint.com.

Appliance Name

In the Appliance Name page, enter a name to identify the Check Point 1430/1450 Appliance, and enter a domain name (optional). When the gateway performs DNS resolving for a specified object's name, the domain name is appended to the object name. This lets hosts in the network look up hosts by their internal names.

The name of the appliance must be identical to the name of the gateway object in the Security Management Server if:
- Check Point 1430/1450 Appliance does not use a static IP and the unique identifier for the gateway in SmartDashboard is set to use the gateway name.
- Check Point 1430/1450 Appliance is managed through SmartProvisioning.

Security Policy Management

In the Security Policy Management page, select how to manage security settings.
Central management - A remote Security Management Server manages the Security Gateway in SmartDashboard with a network object and security policy.
Local management - The appliance uses a web application to manage the security policy. After you configure the appliance with the First Time Configuration Wizard, the default security policy is enforced automatically. With the WebUI, you can configure the software blades you activated and fine-tune the security policy.

This Getting Started Guide describes how to configure a centrally managed deployment.

Internet Connection

In the Internet Connection page, configure your Internet connectivity details or select Configure Internet connection later.

To configure Internet connection now:
1. Select Configure Internet connection now.
2. From the Connection Protocol drop-down list, select the protocol used for connecting to the Internet.
3. Fill in the fields for the selected connection protocol. The required information is different for each protocol. You can get it from your Internet Service Provider (ISP).
   Static IP - A fixed (non-dynamic) IP address.
   DHCP - Dynamic Host Configuration Protocol (DHCP) automatically issues IP addresses within a specified range to devices on a network. This is a common option when you connect through a cable modem.
   PPPoE (PPP over Ethernet) - A network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with DSL services where individual users connect to the DSL modem over Ethernet and in plain Metro Ethernet networks.
   PPTP - The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets.
   L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself. It relies on an encryption protocol that it passes within the tunnel to provide privacy.
   Cellular Modem - Connect to the Internet using a wireless modem to a cellular ISP.
   Analog Modem - Connect to the Internet using an analog modem.
   Bridge - Connects multiple network segments at the data link layer (Layer 2).
   Wireless - Connects to a wireless network. Connection through the wireless interface in the First Time Configuration Wizard is always DHCP.
4. In the DNS Server field (shown for Static IP and Bridge connections), enter the DNS server address information in the relevant fields. For DHCP, PPPoE, PPTP, L2TP, Analog Modem, and Cellular Modem, the DNS settings are supplied by your service provider. You can override these settings later in the WebUI application under the Device > DNS page. We recommend that you configure the DNS, as Check Point 1430/1450 Appliance needs to perform DNS resolving for different functions, for example, to connect to the Check Point User Center during license activation or when Application Control, Web Filtering, Traditional Anti-virus or Anti-spam services are enabled.
5. In the Network names (SSID) field, click the arrow to select a wireless network. If the network is secure, enter a password. Depending on the security type, you might need to enter the user name.

To test your ISP connection status:
Click Connect. The appliance connects to your ISP. Success or failure shows at the bottom of the page.

Local Network

In the Local Network page, select whether to enable or disable the switch on LAN ports and configure your network settings. By default, they are enabled. You can change the IP address and stay connected, as the appliance's original IP is kept as an alias IP until the first time you boot the appliance.

DHCP is enabled by default and a default range is configured. Make sure to set the range accordingly and be careful not to include predefined static IPs in your network. Set the exclusion range for IP addresses that should not be assigned by the DHCP server. The appliance's IP address is automatically excluded from the range. For example, if the appliance IP is 1.1.1.1, the range also starts from 1.1.1.1 but will exclude its own IP address.

Important - If you choose to disable the switch on LAN ports (clear the checkbox), make sure your network cable is placed in the LAN1 port. Otherwise, connectivity will be lost when you click Next.

Wireless Network (for Wireless Network Models)

This applies to Wireless Network (WiFi) models only. In the Wireless Network page, configure wireless connectivity details. When you configure a wireless network, you must define a network name (SSID). The SSID (service set identifier) is a unique string that identifies a WLAN network to clients that try to open a wireless connection with it. We recommend that you protect the wireless network with a password. Otherwise, a wireless client can connect to the network without authentication.

To configure the wireless network now:
1. Select Configure wireless network now.
2. Enter a name in the Network name (SSID) field. This is the wireless network name shown to clients that look for access points in the transmission area.
3. Select Protected network (recommended) if the wireless network is protected by a password.
4. Enter a Password.
5. Click Hide to conceal the password.

Administrator Access

In the Administrator Access page, configure whether administrators can access Check Point 1430/1450 Appliance from a specified IP address or any IP address.

To configure administrator access:
1. Select the sources from where administrators are allowed access:
   LAN - All internal physical ports.
   Trusted wireless - Wireless networks that are allowed access to the LAN by default. This field is only shown in wireless network models.
   VPN - Uses encrypted traffic through VPN tunnels from a remote site or using a remote access client.
   Internet - Clear traffic from the Internet (not recommended).
2. Select the IP address that the administrator can access Check Point 1430/1450 Appliance from:
   Any IP address
   Specified IP addresses only
   Specified IP addresses from the internet and any IP address from other sources - Select this option to allow administrator access from the internet from specific IP addresses only and access from other selected sources from any IP address. This option is the default.

To specify IP addresses:
1. Click New.
2. In the IP Address Configuration window, select an option:
   Specific IP address - Enter the IP address or click Get IP from my computer.
   Specific network - Enter the Network IP address and Subnet mask.
3. Click Apply.

Appliance Activation

In the Appliance Activation page, the appliance can connect to the Check Point User Center with its credentials to pull the license information and activate the appliance.

If you have Internet connectivity configured:
Click Activate License. You will be notified that you successfully activated the appliance and you will be shown the status of your license for each blade.

If you work offline while you configure the appliance:
On a computer with authorized access to the Check Point User Center (http://supportcenter.checkpoint.com), use your User Center account or register your appliance.

To use your User Center account:
1. Log in to your User Center account.
2. Select the specified container of your Check Point 1430/1450 Appliance.
3. From the Product Information tab, click License > Activate. This message is shown: "Licenses were generated successfully."
4. Click Get Activation File and save the file locally.

To register your appliance:
1. Go to http://register.checkpoint.com (http://register.checkpoint.com/cpapp).
2. Fill in your appliance details and click Activate. This message is shown: "Licenses were generated successfully."
3. Click Get Activation File and save the file locally.

To continue configuring your appliance:
1. In the Appliance Activation page of the First Time Configuration Wizard, click Offline. The Import from File window opens.
2. Browse to the activation file you downloaded and click Import. The activation process starts. You will be notified that you successfully activated the appliance and you will be shown the status of your license for each blade.

If there is a proxy between your appliance and the Internet, you must configure the proxy details before you can activate your license.

To configure the proxy details:
1. Click Set proxy.
2. Select Use proxy server and enter the proxy server Address and Port.
3. Click Apply.
4. Click Activate License. You will be notified that you successfully activated the appliance and you will be shown the status of your license for each blade.

To postpone appliance registration and get a 30-day trial license:
1. Click Next. The "License activation was not complete" message shows.
2. Click OK. The appliance uses a 30-day trial license for all blades. You can register the appliance later from the WebUI Device > License page.

Security Management Server Authentication

When you select central management as your security policy management method, the Security Management Server Authentication page opens. Select an option to authenticate trusted communication with the Security Management Server:
Initiate trusted communication securely by using a one-time password - The one-time password is used to authenticate communication between Check Point 1430/1450 Appliance and the Security Management Server securely. Enter a one-time password and confirm it. This password is only used for establishing the initial trust. When established, trust is based on security certificates. Important - This password must be identical to the Secure Communication authentication one-time password configured for the Check Point 1430/1450 Appliance object in the SmartDashboard of the Security Management Server.
Initiate trusted communication without authentication (not secure) - Use this option only if there is no risk of malicious behavior (for example, when in a lab setting).
Configure one-time password later - Set the one-time password at a different time using the WebUI application.

Security Management Server Connection

After you set a one-time password for the Security Management Server and the Check Point 1430/1450 Appliance, you can connect to the Security Management Server to establish trust between the Security Management Server and Check Point 1430/1450 Appliance.

Select Connect to the Security Management Server now to connect to the Security Management Server now.
Management address - Enter the IP address or host name of the Security Management Server.
Connect - When you successfully connect to the Security Management Server, the security policy will automatically be fetched and installed.

If the Security Management Server is deployed behind a 3rd party NAT device, select Always use the above address to connect to the Security Management Server. Manually enter the IP address or the host name that the appliance should connect to in order to reach the Security Management Server. If you enter an IP address, it will override the automatic mechanism that determines the routable IP address of the Security Management Server for each appliance. If you enter a host name, it is saved and the Security Gateway will re-resolve the name if the IP address changes. This configuration can be edited later in the Home > Security Management page of the WebUI. If you do not select this checkbox and you use a host name to fetch the policy, when the policy is fetched, the Security Management Server IP is set to the IP address in the policy.

Select where to send logs:
Send logs to same address - The logs will be sent to the IP address entered on this page for the Security Management Server.
Send logs to - Enter the IP address of a log server.
Send logs according to policy - The logs will be sent according to the log server definitions that are defined in the policy.

Select Connect to the Security Management Server later to connect to the Security Management Server later.

Summary

The Summary page shows the details of the elements configured with the First Time Configuration Wizard. Click Finish to complete the First Time Configuration Wizard. The WebUI opens on the Home > System page.

Note - You should back up the system configuration in the WebUI. Go to the Device > Backup page.

Large-scale Deployment

Defining a SmartLSM Gateway Profile for a Large-scale Deployment

SmartLSM lets you manage a large number of Check Point 1430/1450 Appliance gateways from one Security Management Server. When you use a SmartLSM profile, you reduce the administrative overhead per gateway by defining most of the gateway properties, as well as the policy, per profile. The SmartLSM profile is a logical object that contains the firewall and policy components. Use SmartDashboard to define a single SmartLSM profile for Check Point 1430/1450 Appliance.

To define a single SmartLSM profile for Check Point 1430/1450 Appliance:
1. Log in to SmartDashboard using your Security Management credentials. 2. Open the Security Policy that you want to be enforced on the Check Point 1430/1450 Appliance SmartLSM Security Gateways. 3. From the Network Objects tree, right-click Check Point and select SmartLSM Profile > Small Office Appliance Gateway. The SmartLSM Security Profile window opens. 4. Define the SmartLSM security profile using the navigation tree in this window. To open the online help for each window, click Help. 79 DRAFT 5. Click OK and then install the policy. Note - To activate SmartProvisioning functionality, a security policy must be installed on the LSM profile. 6. Continue in SmartProvisioning. Deploying with SmartProvisioning You can use SmartProvisioning to manage many Check Point 1430/1450 Appliance gateway objects with deployed SmartLSM security profiles. Configure these appliances using the First Time Configuration Wizard (on page 57) or a USB drive configuration file. For more information about the USB drive configuration file and large-scale deployment using SmartProvisioning, see the relevant Check Point Appliance Administration Guide. 80 DRAFT Restoring Factory Defaults The Check Point 1430/1450 Appliance contains a default factory image. When the appliance is turned on for the first time, it loads with the default image. As part of a troubleshooting process, you can restore the Check Point 1430/1450 Appliance to its factory default settings if necessary. You can restore a Check Point 1430/1450 Appliance to the factory default image with the WebUI, Boot Loader, or a button on the back panel. Important - When you restore factory defaults, you delete all information on the appliance and it is necessary to run the First Time Configuration Wizard. To restore factory defaults with the WebUI:
1. In the Check Point 1430/1450 Appliance WebUI, click Device > System Operations. The System Operations pane opens.
2. In the Appliance section, click Factory Defaults.
3. In the pop-up window that opens, click OK.
4. While factory defaults are being restored, all LAN Link and Activity LEDs blink orange and green alternately to show progress. This takes some minutes. When this completes, the appliance reboots automatically.

To restore factory defaults with the button on the back panel:
1. Press the Factory Default button with a pin and hold it for at least 12 seconds.
2. When the Power and Notice LEDs are lit red, release the button. The appliance reboots itself and starts to restore factory defaults immediately.
3. While factory defaults are being restored, all LAN Link and Activity LEDs blink orange and green alternately to show progress. This takes a few minutes. When this completes, the appliance reboots automatically.

To disable the option for reset to default:
Use this CLI command (the value is the number of seconds the Factory Default button must be held; 0 disables the button):
>set additional-hw-settings reset-timeout 0

To enable the option for reset to default:
Use this CLI command:
>set additional-hw-settings reset-timeout 12

To restore the Check Point 1430/1450 Appliance to its default factory configuration using U-boot (boot loader):
1. Connect to the appliance with a console connection (using the serial console connection on the back panel of the appliance).
2. Boot the appliance and press Ctrl-C. The Gaia Embedded Boot Menu is shown.

Welcome to Gaia Embedded Boot Menu:
1. Start in normal Mode
2. Start in debug Mode
3. Start in maintenance Mode
4. Restore to Factory Defaults (local)
5. Install/Update Image/Boot-Loader from Network
6. Restart Boot-Loader
7. Run Hardware diagnostics
8.Upload preset configuration file
Please enter your selection :

3. Enter 4 to select Restore to Factory Defaults (local).
4. When you are prompted "Are you sure? (y/n)", enter y to continue and restore the appliance to its factory default settings. While factory defaults are being restored, all LAN Link and Activity LEDs blink orange and green alternately to indicate progress. This takes up to a few minutes. When completed, the appliance boots automatically.

Appendix A: Browser Security Warnings

When you log in to the appliance from the Internet Explorer, Mozilla Firefox, or Google Chrome browser you might see a security warning, because the browser does not trust the appliance's HTTPS certificate. You can safely confirm the warning and continue to log in as usual.

Mozilla Firefox
1. Click I understand the Risks.
2. Click Add Exception. The Add Security Exception dialog box opens.
3. Click Confirm Security Exception.

Internet Explorer
Click Continue to this website (not recommended).

Google Chrome
Click Advanced and then click the Proceed to 192.168.1.1 link that is shown.

Appendix B: Security Management Issues

Viewing the Policy Installation Status

You can see the installation status of managed gateways with the status bar that shows at the bottom of the SmartDashboard window. The status bar shows how many gateways are in Pending or Failed mode.
Pending - gateways that are in the waiting for first connection status or are in the pending status (see below for detailed explanations).
Failed - gateways that have failed to install the policy.

The status bar is updated dynamically each time a gateway tries to install a policy or tries to connect to the Security Management Server. The results of these actions are also shown in SmartDashboard popup notification balloons when such events occur. You can configure these notifications ("Configuring Notification Settings" on page 90).

To monitor the status of the last policy installed on each gateway, you can use the Policy Installation Status window. The window has two sections. The top section shows a list of gateways and status details regarding the installed policy. You can use the filter fields to see only policies of interest and hide other details by defining the applicable criteria for each field. After you apply the filtering criteria, only entries that match the selected criteria are shown. If the system logs trusted communication (SIC) attempts from unknown gateways, a yellow status bar opens below the filter fields. The bottom section shows details of a row you select in the gateway list (errors that occurred, the date the policy was prepared, verification warnings). If there is a yellow status bar, click Show details to show the details of unknown gateways that try to connect to the Security Management Server.

These are the different statuses in this window (each status has its own icon in the Icon column):
Succeeded - Policy installation succeeded.
Succeeded - Policy installation succeeded but there are verification warnings.
Waiting for first connection - A Check Point 1430/1450 Appliance object is configured, but the gateway is not connected to the Security Management Server (initial trust is not established). If a policy is prepared, it is pulled when the gateway is connected. If a policy is not prepared, the Policy Type column shows "No Policy Prepared." When the gateway is first connected, only trust is established.
Waiting for first connection - Same as above, with warnings that attempts to establish trust failed or there are verification warnings.
Pending - The policy remains in the pending status until the gateway successfully connects to the Security Management Server and retrieves the policy. This status is shown only if there was at least one successful policy installation. For example, when the Security Management Server has problems connecting to the Gateway (the Gateway is unavailable for receiving communication, as in behind NAT).
Pending - Same as above but there are verification warnings.
Warning - Warning.
Information - Information.
Failed - Policy not installed due to a verification error.
Failed - Policy installation failed.

You can access the Policy Installation Status window in these ways:
From the menu bar - Click Policy > Policy Installation Status.
From the toolbar - Click the Policy Installation Status icon.
From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked.
From notification balloons - Click See Details in the balloon.

Configuring Notification Settings

The status bar is updated each time a gateway tries to install a policy or tries to connect to the Security Management Server. You can also configure a popup notification balloon to open in SmartDashboard. You can configure the types of events shown and how notification balloons are shown. By default, notification balloons stay open until they are manually closed.

To configure notification settings:
1. From the Policy Installation Status window, click Notification Settings, or from a notification balloon, click Settings.
2. To show attempts to install a policy, select Gateway fetches a policy.
3. To show attempts to connect to the Security Management Server, select Gateway attempts to establish trusted communication (SIC).
4. To set the notifications to pop up momentarily in SmartDashboard and then fade out, select Notifications fade out automatically. If you do not select this check box, notifications stay open until you manually close them.

Getting Support

Support

For technical assistance, contact Check Point 24 hours a day, seven days a week at:
+1 972-444-6600 (Americas)
+972 3-611-5100 (International)

When you contact support, you must provide your MAC address.

For more technical information, go to:
http://support.checkpoint.com (http://supportcenter.checkpoint.com)

To learn more about the Check Point Internet Security Product Suite and other security solutions, go to:
http://www.checkpoint.com

Where To From Here?

You have now learned the basics that are necessary to get started. For more information about the Check Point 1430/1450 Appliance and links to the administration guides, see the Check Point site. Be sure to also use our Online Help when you operate the Check Point 1430/1450 Appliance WebUI and the Check Point SmartConsole clients.