12 September 2011
Administration Guide
Security Gateway 80
R71.45
© 2011 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12228
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
Revision History
Date Description
12 September 2011 First release of this document
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Security Gateway 80 R71.45 Administration Guide).
Contents
Important Information 3
Introduction 8
  Welcome 8
  Security Gateway 80 Overview 8
Installation and Deployment 9
  Prerequisites 9
  Step 1: Defining the Security Gateway 80 Object in SmartDashboard 9
    Defining a Single Gateway Object 9
  Step 2: Preparing to Install the Security Policy 14
    Viewing the Policy Installation Status 16
  Defining a SmartLSM Profile 19
  Deploying with SmartProvisioning 20
  Deploying from a USB Drive 20
    Sample Configuration File 20
    Preparing the Configuration Files 20
    Deploying the Configuration File - Initial Configuration 20
    Deploying the Configuration File - Existing Configuration 21
    Viewing Configuration Logs 22
    Troubleshooting Configuration Files 22
    Using the set property Command 23
Cluster Configuration 24
  Security Gateway 80 Clusters 24
  Creating a Cluster for New Gateways 25
    Configuring the Security Gateway 80 Appliances 25
    Configuring the Cluster Object Using SmartDashboard 26
  Converting an Existing Security Gateway 80 to a Cluster 29
    Configure the New Appliance 29
    Create and Configure a Cluster in SmartDashboard 30
    Reconfigure the Existing Security Gateway 80 30
    Configure the Cluster in SmartDashboard 30
  Viewing Cluster Status in the WebUI 31
Appliance Configuration 32
  Introduction to the WebUI Application 33
  The Overview Page 33
  The Management Server Page 33
  Networking 35
    Internet Settings 35
    Internet Configuration 35
    Internet Connection High Availability 37
    Local Network 37
    Switch Mode Configuration 40
    Bridge Mode Configuration 40
    Routing 41
    DNS 44
    Automatic Topology 45
  Implied Rules for Security Gateway 80 46
  Administration 47
    Backup and Restore 47
    Upgrade 49
    Factory Defaults 50
    Administrators 51
    Administrator Access 52
    Licensing 54
  Security 55
    Integrated Anti-Virus Protection 55
    URL Filtering 55
    Messaging Security 56
  Diagnostics 57
    Tools 57
    Traffic Logs 58
    System Logs 58
  CLI Reference 59
    Using Command Line Interface 59
    Supported Linux Commands 60
    add admin access 60
    add host 61
    add interface 61
    add ntp 61
    add snmp 62
    add switch 63
    add user 63
    backup settings 63
    cphaprob 64
    cphastop 66
    cpinfo 66
    cpshell 67
    cpstart 67
    cpstat 67
    cpstop 69
    cpwd_admin 69
    cpwd_admin config 70
    cpwd_admin start|stop 71
    delete admin access 72
    delete ICMP server 72
    delete dhcp 72
    delete dns 73
    delete domainname 73
    delete host 74
    delete interface 74
    delete ntp 75
    delete proxy 75
    delete snmp 75
    delete switch 76
    delete user 76
    dynamic objects 77
    exit 77
    fetch certificate 78
    fetch license 78
    fetch policy 78
    fw Commands 79
    reboot 80
    restore default-settings 80
    restore settings 80
    revert to factory defaults 81
    revert to saved image 81
    set admin access 81
    set date 82
    set dhcp server 82
    set dhcp relay 90
    set dns 90
    set dnsproxy 91
    set dns mode 91
    set domainname 91
    set expert password 92
    set ha internet primary 92
    set host 92
    set hostname 93
    set inactivity-timeout 93
    set interface 93
    set static-route 101
    set proxy 105
    set sic_init 106
    set snmp 106
    set time 111
    set time-zone 111
    set user 112
    set user-lock 113
    shell/expert 114
    show admin access 114
    show backup settings 115
    show clock 115
    show commands 115
    show date 116
    show dhcp 116
    show dns 117
    show domainname 118
    show ha internet 118
    show host 118
    show hostname 119
    show icmp servers 119
    show inactivity-timeout 119
    show interface 120
    show interfaces 120
    show license 120
    show logs 121
    show memory usage 121
    show ntp 121
    show proxy 122
    show restore settings log 122
    show revert log 123
    show route 123
    show rule hits 123
    show saved image 124
    show snmp 124
    show software version 125
    show time 126
    show timezone 126
    show timezone-dst 126
    show upgrade log 127
    show user 127
    show user-lock 127
    show vpn tunnel 128
    upgrade from usb|tftp server 128
    vpn 129
Advanced Configuration 131
  Upgrade Using a USB Drive 131
  Boot Loader 132
  Upgrade Using Boot Loader 132
  Restore Factory Defaults from the Boot Loader Menu 133
  Front Panel 134
  Back Panel 135
  Remote Access VPN 135
Index 137
Chapter 1
Introduction
Make sure to review the version's release notes (http://supportcenter.checkpoint.com) and the Security Gateway 80 Getting Started Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10833) before performing the procedures in this guide.
In This Chapter
Welcome 8
Security Gateway 80 Overview 8
Welcome
Thank you for choosing Check Point's Security Gateway 80. We hope that you will be satisfied with this system and our support services. Check Point products provide your business with the most up-to-date and secure solutions available today.
Check Point also delivers worldwide technical services including educational, professional and support services through a network of Authorized Training Centers, Certified Support Partners and Check Point technical support personnel to ensure that you get the most out of your security investment.
For additional information on the Internet Security Product Suite and other security solutions, refer to the Check Point Web site (http://www.checkpoint.com), or call Check Point at 1(800) 429-4391. For additional technical information about Check Point products, consult the Check Point Support Center (http://supportcenter.checkpoint.com).
Welcome to the Check Point family. We look forward to meeting all of your current and future network, application and management security needs.
Security Gateway 80 Overview
Check Point's Security Gateway 80 delivers integrated unified threat management to protect your organization from today's emerging threats. Based on proven Check Point security technologies such as Stateful Inspection, Application Intelligence, and SMART (Security Management Architecture), Security Gateway 80 provides simplified deployment while delivering uncompromising levels of security.
Security Gateway 80 supports the Check Point Software Blade architecture, providing independent, modular and centrally managed security building blocks. Software Blades can be quickly enabled and configured into a solution based on specific security needs.
Chapter 2
Installation and Deployment
You can deploy a configuration to individual Security Gateway 80 appliances from SmartDashboard by managing a gateway object or a SmartLSM profile. To configure a large number of Security Gateway 80 appliances (massive deployment), use SmartProvisioning or a configuration file stored on a USB drive.
To install your Security Gateway 80 appliance, follow the instructions described in the Security Gateway 80 Getting Started Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10833).
In This Chapter
Prerequisites 9
Step 1: Defining the Security Gateway 80 Object in SmartDashboard 9
Step 2: Preparing to Install the Security Policy 14
Defining a SmartLSM Profile 19
Deploying with SmartProvisioning 20
Deploying from a USB Drive 20
Prerequisites
To manage the Security Gateway 80 appliance, you must install a Security Management Server and SmartConsole clients that operate with Security Gateway 80.
These Security Management Server versions operate with Security Gateway 80:
For R70 – version R70.40 and higher
For R71 – version R71.20 and higher
R75 and higher versions
Note - Currently the new Security Gateway 80 R71.45 features that require central management (Large Scale Management and Provisioning) are only supported with Security Management Server version R71.45. These features will also be supported with R75 Security Management Server in the near future.
For installation instructions, see the version’s release notes (http://supportcenter.checkpoint.com).
Step 1: Defining the Security Gateway 80 Object in SmartDashboard
SmartDashboard lets you define two types of Security Gateway 80 objects: gateways and SmartLSM profiles. Managing these objects in SmartDashboard lets you provision network settings such as DNS, Internet connections and routing. Use a SmartLSM profile to manage a large number of Security Gateway 80 gateways with one set of settings.
Defining a Single Gateway Object
You can use the SmartDashboard creation wizard to define a Security Gateway 80 object before or after the appliance is configured on site. There are two ways to define a gateway object:
Management First - Where you define the gateway object in SmartDashboard before you configure and set up the actual appliance on site. This is commonly used for remotely deployed appliances or appliances that connect to the Security Management Server with a dynamic IP (e.g. assigned by a DHCP server or an ISP), as the IP is not known at the time of the configuration of the object in SmartDashboard. You can prepare a policy that the appliance will fetch when it is configured.
Gateway First – Where you configure and set up the Security Gateway 80 appliance first. The appliance then tries to communicate with the Security Management Server (if one is configured) at 1 hour intervals. If the gateway is reachable while you create the object in SmartDashboard, the wizard can retrieve data from the gateway (such as topology) and use it to help with the configuration.
To define a single gateway object:
1. Log in to SmartDashboard using your Security Management credentials.
2. From the Network Objects tree, right click Check Point and select Security Gateway. The Check Point Security Gateway Creation window opens.
3. Select Wizard Mode. The wizard opens to General Properties.
4. Type a name for the Security Gateway 80 object and make sure that the gateway platform is set to CPSG 80 series.
5. Select one of the following options for getting the gateway's IP address:
Static IP address - enter the IP address of the appliance. Note that if the Security Gateway 80 appliance has not yet been set up and defined, the Resolve from Name option does not work at this point.
Dynamic IP address (e.g. assigned by DHCP server)
Click Next. The Trusted Communication window opens.
6. If you specified a static IP address, the Authentication and Trusted Communication sections appear (if you specified a dynamic IP address, go to step 7).
a) In the Authentication section, select one of the options:
Initiate trusted communication securely by using a one-time password - the one-time password is used to authenticate communication between the Security Gateway and the Security Management server in a secure manner. Enter a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates.
Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.
Initiate trusted communication without authentication (less secure) - select this option only if you are sure there is no risk of impersonation (for example, in an isolated lab). Without a one-time password, the Security Management Server has no way to verify that the appliance that connects and claims this object is the one you intended.
b) In the Trusted Communication section, select one of the initialization options:
Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time - trust will be established when the Gateway will connect for the first time.
Initiate trusted communication now and click Connect. A status window appears. Use this option only if you have already set up the appliance.
The Trust state field displays the current trust status.
Click Next and go to step 8.
7. If you specified a dynamic IP address, the Gateway Identifier and Authentication sections appear.
a) Select one of the identifiers:
Gateway name – enter the same name that you will give the appliance during its initial configuration.
MAC address – enter the MAC address that is on the sticker on the appliance or on the box.
First to connect – the first appliance that connects to the Security Management Server is matched to this object.
Note - If the gateway name matches, the Security Management Server identifies the gateway by its name, even if its MAC address differs from the one you entered. The MAC address is therefore not a strict identity check when the name also matches.
b) In the Authentication section, select one of the options:
Initiate trusted communication securely by using a one-time password - the one-time password is used to authenticate communication between the Security Gateway and the Security Management server in a secure manner. Enter a one-time password and confirm it. This password is only used for establishing the initial trust. Once established, trust is based on security certificates.
Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.
Initiate trusted communication without authentication (less secure) - select this option only if you are sure there is no risk of impersonation (for example, in an isolated lab). With a dynamic IP address and no one-time password, any appliance that reaches the Security Management Server and matches the identifier you selected can establish trust as this gateway.
Click Next.
8. In the Blade Activation window, select the security and software blades that you want to activate and configure.
To configure blades now:
a) Make sure that the Activate and configure software blades now option is selected.
b) Select the check boxes next to the blades you want to activate and configure.
To configure blades later:
Select the Activate and configure software blades later option. Do this later by editing the object from the Network Objects tree.
Click Next.
9. If you selected to activate and configure software blades now, configure the required options:
For NAT, the Hide internal networks behind the Gateway's external IP check box is selected by default. Clear it if you do not want to use this feature.
For IPSec VPN: Make sure that the VPN community has been predefined. If it is a star community, Security Gateway 80 is added as a satellite gateway.
Select a VPN community that the Gateway participates in from the Participate in a site to site community list.
For IPS:
Select a profile from the Assign IPS Profile list or click Manage to create/edit an IPS profile.
For URL Filtering, Anti-Spam and Email Security, Anti-Virus and Anti-Malware, there are no other settings to configure.
Click Next.
10. If you selected IPSec VPN, configure the VPN Encryption Domain settings.
To hide the VPN domain, select Hide VPN domain behind this gateway's external IP.
The VPN domain contains the network objects behind this gateway. Instead of defining the network topology behind the gateway, you can use this option, which sets the VPN domain to the gateway's external IP address. This option applies only if you chose to hide all internal networks behind the gateway's external IP (see the gateway's NAT settings). All outgoing traffic from networks behind this gateway to other sites that participate in the VPN community is encrypted (including the replies).
Note - If you choose this option, connections that are initiated from other sites that are directed to hosts behind this gateway will not be encrypted. If you require access to hosts behind this gateway, either choose other options (define VPN topology) or, if possible, make sure all traffic from other sites is directed to this gateway’s external IP and define corresponding NAT port-forwarding rules, such as: Translate the destination of incoming HTTP connections that are directed to this gateway’s external IP to the IP address of a web server behind this gateway.
To create a new VPN domain group, go to step 11.
To select a predefined VPN domain, go to step 12.
11. To create a new VPN domain group:
a) Make sure that the Create a new VPN domain option is selected.
b) In the Name field, enter a name for the group.
c) From the Available objects list, select the applicable object(s) and click the add button. The objects are added to the VPN domain members list.
d) If necessary, create a new object by pressing New.
12. To select a predefined VPN domain:
a) Choose the Select an existing VPN domain option.
b) From the VPN Domain list, select the domain.
Click Next.
13. In the Installation Wizard Completion window, you can view a summary of the configuration parameters you set and can perform further actions.
Select Edit Gateway properties for further configuration if you want to continue configuring the Security Gateway. When you click Finish, the General Properties window of the newly defined object opens.
Click Finish.
Step 2: Preparing to Install the Security Policy
This step lets you prepare the policy for automatic installation once the gateway connects.
Note - If Security Gateway 80 has been physically set up and configured, upon successful completion of this step, the policy will be pushed to the gateway. For a list of possible statuses, see Viewing the Policy Installation Status (on page 16).
When you use the "Management First" installation path, at the end of the Install Policy process, the policy's status for a Security Gateway 80 that has not yet been set up is "waiting for first connection". This implies that trusted communication has not yet been established between the Security Management server and the Security Gateway 80. Once the gateway connects, it establishes trust and attempts to install the policy automatically.
1. Click Policy > Install from the SmartDashboard menu.
2. In the Install Policy window, choose the installation targets (the Security Gateway 80 gateways on which the policy should be installed) and the policy components (Network Security, QoS, etc.).
By default, all gateways that are managed by the Security Management server are available for selection.
3. In the Installation Mode section, select how the security policy should be installed:
On each selected gateway independently
On all selected gateways, if it fails do not install on gateways of the same version
Note - If the gateway is part of a VPN community, the policy should be installed on other members of the community in order to establish a VPN tunnel between them. In a star community, policy installation is required only on the center gateways of the community.
4. Click OK. The Installation Process window displays the status of the Network Security policy for the selected target.
Important - If the Security Gateway 80 object is defined but the appliance is not set up and it is in the "Waiting for first connection" status, you will see a message that says "Installation completed successfully". This means that the policy is successfully prepared for installation.
5. Continue tracking the status of the security policy installation with the Policy Installation Status window and the status bar ("Viewing the Policy Installation Status" on page 16).
Note - When you use the "Gateway First" installation path, trust is already established in Step 1: Defining the Security Gateway 80 Object in SmartDashboard. In this case, the policy will be pushed to the gateway from the Security Management Server and you won't see a "Waiting for first connection" message.
Important - Once trust has been established with a gateway, policy installation behaves the same way even if the gateway later loses connectivity (for example, because of Internet connection issues, or because the IP of a DAIP appliance changed and was not updated in the Security Management Server). An "installation completed successfully" message is shown, meaning that the policy has been successfully prepared, even if it has not yet been installed on the gateway; installation is pending a connection from the gateway.
Viewing the Policy Installation Status
You can view policy installation status in SmartDashboard with the:
Status bar
Status popup notification balloon
Policy Installation Status window
SmartDashboard Status Bar
You can view the installation status of managed gateways via the status bar that appears at the bottom of the SmartDashboard window. The status bar shows how many gateways are in Pending or Failed mode.
Pending - gateways that are either in the waiting for first connection status or are in the pending status (see below for detailed explanations).
Failed - gateways that have failed to install the policy. If there are no failures, that is shown.
The status bar is updated dynamically each time a gateway attempts to install a policy or attempts to connect to the Security Management server.
SmartDashboard Status Popup Notification Balloons
The results of gateway attempts to install a policy or connect to the Security Management Server also appear in SmartDashboard popup notification balloons, which appear when such events occur. For example:
Trusted Communication (SIC) establishment from the gateway (when using the "Management First" installation path).
Policy installation fetch from the gateway (as the Security Gateway 80 can periodically attempt to fetch the policy from its Security Management Server which is useful in DAIP appliances).
SIC attempts from an unknown gateway/host. This may indicate incorrect configuration (for example, configuring a gateway first and attempting to connect to a Security Management Server before creating the gateway object in SmartDashboard).
Click Settings in a balloon to configure the display and occurrence settings of the balloons.
SmartDashboard Policy Installation Status Window
To track the status of the last policy installed on each gateway, you can use the Policy Installation Status window.
The window has two sections. The top section shows a list of gateways and status information regarding the installed policy. You can use the filter fields to focus on certain policies of interest and hide other data by defining the appropriate criteria per field. Once you have applied the filtering criteria, only entries matching the selected criteria are shown. If the system logs trusted communication (SIC) attempts from unknown gateways, a yellow status bar appears below the filter fields.
The bottom section shows details of a row you select in the gateway list (errors that occurred, the date the policy was prepared, verification warnings). If there is a yellow status bar, clicking Show details shows the details of unknown gateways attempting to connect to the Security Management Server.
These statuses can appear in this window (each status has its own icon in the window's Icon column):
Succeeded - Policy installation succeeded.
Succeeded (with warnings) - Policy installation succeeded, but there are verification warnings.
Waiting for first connection - Communication settings were set up on the Gateway object; the Security Management server is waiting for the first connection with the appliance to establish trust. If a policy has been prepared, the gateway then attempts to install it. If connection settings were set up for a Security Gateway 80 appliance but a policy was not prepared, the Policy Type column shows "No Policy Prepared" and, upon first connection, only trust is established.
Waiting for first connection (with warnings) - Same as above, but there are warnings that indicate failed attempts to establish trust, or there are verification warnings.
Pending - The policy remains in the pending status until the Gateway successfully connects to the Security Management server and retrieves the policy. This status appears when the Security Management server has problems connecting to the Gateway, for example, when the Gateway is behind NAT and cannot receive connections. Note that this status is applicable only if the first or previous install policy operation was successful.
Pending (with warnings) - Same as above, but there are verification warnings.
Warning - Warning.
Information - Information.
Failed (verification) - Policy not installed due to a verification error.
Failed - Policy installation failed.
You can access the Policy Installation Status window in the following ways:
From the menu bar - click Policy > Policy Installation Status.
From the toolbar - click the Policy Installation Status icon.
From the status bar - click on either the Failed or Pending link. The contents of the Policy Installation Status window are shown filtered according to the link clicked.
From notification balloons - click the See Details link in the balloon.
Note - If there is a yellow status bar in the Policy Installation Status window, clicking Show details shows the details of unknown gateways attempting to connect to the Security Management Server.
Defining a SmartLSM Profile
Use SmartDashboard to define a single SmartLSM profile for Security Gateway 80.
To define a single SmartLSM profile for Security Gateway 80:
1. Log in to SmartDashboard using your Security Management credentials.
2. Open the Security Policy that you want to be enforced on the Security Gateway 80 SmartLSM Security Gateways.
3. From the Network Objects tree, right-click Check Point and select SmartLSM Profile > 80 Series Gateway.
The SmartLSM Security Profile window opens.
4. Define the SmartLSM security profile using the navigation tree in this window.
To open the online help for each window, click Help.
5. Click OK and then install the policy.
Note - To activate SmartProvisioning functionality, a security policy must be installed on the LSM profile.
Deploying with SmartProvisioning
You can use SmartProvisioning to manage security profiles that are deployed to Security Gateway 80 gateway objects. Configure these appliances using the First Time Wizard or a USB drive configuration file before you manage them with SmartProvisioning.
For more information about massive deployment using SmartProvisioning, see the SmartProvisioning R71.45 Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=12229).
Deploying from a USB Drive
You can deploy Security Gateway 80 configuration files using a USB drive and quickly configure many appliances without using the First Time Wizard. The configuration file lets you configure more settings and parameters than are available in the First Time Wizard.
You can deploy configuration files in these conditions:
An appliance with default settings that has not been configured at all
An appliance that already has an existing configuration
Security Gateway 80 starts, automatically mounts the USB drive, and checks the root directory for a configuration file.
Sample Configuration File
This is a sample Security Gateway 80 configuration file for USB deployment. Note that the file holds the SIC one-time password in clear text and an administrator password hash, so treat the USB drive as sensitive and use a strong one-time password rather than the placeholder shown here.
set hostname Demo1
set interface WAN internet primary ipv4-address 66.66.66.11 mask-length 25
set interface SWITCH ipv4-address 192.168.5.1 subnet-mask 255.255.255.0
delete switch port LAN4
set interface LAN4 ipv4-address 4.4.4.4 mask-length 24
add host name WebServer ipv4-address 192.168.5.4
set time-zone Eastern-Time(US-and-Canada)
set ntp server pool.ntp.org
set ntp active on
set sic_init password aaaa
fetch certificate mgmt-ipv4-address 66.66.66.91
fetch policy mgmt-ipv4-address 66.66.66.91
add user admin2 password-hash $1$vqtaGOkr$Xhb.fj14RzIvNa5BSwmZL0
Preparing the Configuration Files
The Security Gateway 80 Massive Deployment configuration files are composed of CLIsh commands. These are the file names that can be used:
autoconf.clish
autoconf.XX-XX-XX-XX-XX-XX.clish
You can create multiple configuration files for different Security Gateway 80 appliances. Name each file according to the MAC address of each Security Gateway 80 appliance (six hyphen-separated octets, as in the log file name autoconf.00-1C-7F-21-07-94.2011-07-21.1248.log shown in Troubleshooting Configuration Files). Security Gateway 80 first searches for a configuration file with the same MAC address. If there is no file that matches the MAC address of the appliance, the autoconf.clish configuration file is loaded.
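A small pre-flight helper for the file lookup described above and for catching the kind of mistake shown in the sample error log later in this chapter. This is an added example written for this page, not Check Point code, and it runs on a workstation, not on the appliance. It assumes the MAC-specific file name uses the same upper-case, hyphen-separated form as the appliance's log file name, and its lint rules (an ipv4-address with no mask-length or subnet-mask, a short SIC one-time password) are drawn from the sample file and sample error on this page rather than from the full CLIsh grammar.

```python
"""Pre-flight checks for Security Gateway 80 USB autoconf files.

Added example for this guide, not Check Point code. The lookup order (MAC-specific
file first, then autoconf.clish) follows the guide; the file-name form of the MAC
and the lint rules are assumptions based on the guide's sample file and sample
error log, not on the complete CLIsh grammar.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional


def normalize_mac(mac: str) -> str:
    """Return a MAC as AA-BB-CC-DD-EE-FF, the form assumed for the file name."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def select_autoconf_file(usb_root: str, mac: str) -> Optional[str]:
    """Mimic the appliance: prefer autoconf.<MAC>.clish, else autoconf.clish, else None."""
    for name in (f"autoconf.{normalize_mac(mac)}.clish", "autoconf.clish"):
        path = os.path.join(usb_root, name)
        if os.path.isfile(path):
            return path
    return None


# Lint rules (assumptions): the sample error log fails on an ipv4-address that has
# no mask, and the SIC one-time password in the file is a secret worth checking.
IFACE_RE = re.compile(r"^set interface \S+ .*\bipv4-address\s+\S+")
MASK_RE = re.compile(r"\b(mask-length|subnet-mask)\s+\S+")
MIN_SIC_PASSWORD_LEN = 8  # assumed policy value, not an appliance limit


def lint_clish(text: str) -> List[str]:
    """Return human-readable findings for a CLIsh autoconf script."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if IFACE_RE.match(line) and not MASK_RE.search(line):
            findings.append(f"line {lineno}: ipv4-address without mask-length/subnet-mask")
        if line.startswith("set sic_init password "):
            password = line.split(None, 3)[3]
            if len(password) < MIN_SIC_PASSWORD_LEN:
                findings.append(f"line {lineno}: SIC one-time password shorter than "
                                f"{MIN_SIC_PASSWORD_LEN} characters")
    return findings


def demo() -> Dict[str, object]:
    """Build a constructed USB root in a temp directory and exercise both helpers."""
    generic = ("set hostname Generic\n"
               "set interface WAN internet primary ipv4-address 66.66.66.11\n")
    specific = ("set hostname Demo1\n"
                "set interface WAN internet primary ipv4-address 66.66.66.11 mask-length 25\n"
                "set sic_init password aaaa\n")
    with tempfile.TemporaryDirectory() as usb:
        with open(os.path.join(usb, "autoconf.clish"), "w") as fh:
            fh.write(generic)
        with open(os.path.join(usb, "autoconf.00-1C-7F-21-07-94.clish"), "w") as fh:
            fh.write(specific)
        known = os.path.basename(select_autoconf_file(usb, "00:1c:7f:21:07:94"))
        other = os.path.basename(select_autoconf_file(usb, "00-1C-7F-00-00-01"))
    return {
        "known_mac_file": known,
        "other_mac_file": other,
        "generic_findings": lint_clish(generic),
        "specific_findings": lint_clish(specific),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against the real USB root before the drive leaves your desk: a MAC that has no file of its own silently falls back to autoconf.clish, which is the behaviour you want for bulk rollout but not if a per-appliance file was misnamed.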
Deploying the Configuration File - Initial Configuration
This section describes how to deploy a configuration file on a USB drive to Security Gateway 80. The file must be correctly configured and formatted before being deployed. The USB drive can be inserted in the front or the rear USB port.
You can deploy the configuration file to Security Gateway 80 when the appliance is off or when it is powered on.
Important - Do not remove the USB drive or insert a second USB drive while the Security Gateway 80 configuration script is running. Otherwise, it is possible that Security Gateway 80 does not configure and run correctly.
To deploy the configuration file from a USB drive for the initial configuration:
1. Insert the USB drive into Security Gateway 80.
Security Gateway 80 is OFF - Turn on the appliance. The Power LED comes on and is green.
Security Gateway 80 is ON - The appliance automatically detects the USB drive.
The USB LED comes on and is solid orange.
2. Security Gateway 80 locates the USB configuration file and begins running the script. The USB LED blinks green while the script is running.
3. The configuration script finishes.
Security Gateway 80 USB LED is solid green and the screen displays: System Started.
4. Remove the USB drive from Security Gateway 80.
Note - The USB LED blinks red when there is a problem running the configuration script. Turn off Security Gateway 80 and confirm that the configuration files are formatted correctly ("Preparing the Configuration Files" on page 20).
For more information about errors with configuration files, see Troubleshooting Configuration Files (on page 22).
Deploying the Configuration File - Existing Configuration
This section describes how to deploy a configuration file on a USB drive to Security Gateway 80 to edit or update the existing configuration. Use the set property command to set the appliance to use a configuration file on a USB drive. The USB drive can be inserted in the front or the rear USB port.
You can deploy the configuration file to Security Gateway 80 either when the appliance is off or when it is powered on.
Important - Do not remove the USB drive or insert a second USB drive while the Security Gateway 80 configuration script is running. Otherwise, it is possible that Security Gateway 80 does not configure and run correctly.
To deploy the configuration file from a USB drive to a configured appliance:
1. From the CLI, enter the command: set property USB_auto_configuration once.
The appliance is set to use a configuration script from a USB drive.
2. Insert the USB drive in the appliance.
The appliance is ON - The appliance automatically detects the USB drive.
The appliance is OFF - Turn on the appliance. The Power LED comes on and is green.
The USB LED comes on and is solid orange.
3. The appliance locates the USB configuration file and begins running the script. The USB LED blinks green while the script is running.
4. The configuration script finishes.
The USB LED is solid green and the screen displays: System Started.
5. Remove the USB drive from the appliance.
Note - The USB LED blinks red when there is a problem running the configuration script. Turn off the appliance and confirm that the configuration files are formatted correctly ("Preparing the Configuration Files" on page 20).
For more information about errors with configuration files, see Troubleshooting Configuration Files (on page 22).
Viewing Configuration Logs
After Security Gateway 80 is successfully configured from a USB drive, a log is created.
The log file is called autoconf.<MAC>.<timestamp>.log
The log file is created in the USB root directory and in /tmp on the appliance.
Troubleshooting Configuration Files
This section discusses the scenario where the configuration file fails and the Security Gateway 80 is not fully configured.
Configuration File Error
If there is an error and the configuration file fails, the appliance is not fully configured and is no longer in the initial default condition. The commands in the configuration file that appear before the error are applied to the appliance. You can examine the configuration log to find where the error occurred.
When an appliance is not fully configured, the First Time Wizard is displayed in the Web UI. However, not all of the settings from the failed configuration file are displayed in the First Time Wizard. Check Point recommends that you do not use the First Time Wizard to configure an appliance when the configuration file fails.
Note - You should restore the default settings to a partially configured appliance before using the First Time Wizard to ensure that the appliance is configured correctly.
Suggested Workflow - Configuration File Error
This section contains a suggested workflow that explains what to do if there is an error with the configuration file on a USB drive. Use the set property USB_auto_configuration command ("Using the set property Command" on page 23) when you are running a configuration file script on a configured appliance.
1. The USB drive with the configuration file is inserted into a USB port on Security Gateway 80.
2. The USB LED on the front panel blinks red. There is a problem with the configuration file script.
Sample console output displaying an error
Booting Check Point RD-6281-A User Space...
INIT: Entering runlevel: 3
........sd 2:0:0:0: [sda] Assuming drive cache: write through
sd 2:0:0:0: [sda] Assuming drive cache: write through
.....................................................
System Started...
Start running autoconfiguration CLI script from USB2 ... Error.
autoconf.00-1C-7F-21-07-94.2011-07-21.1248.log was copied to USB2
3. The log file is created and contains the configuration details.
The log file is called autoconf.<MAC>.<timestamp>.log
The log file is created in the USB root directory and in /tmp on the appliance.
4. Analyze the log file to find the problem.
5. If you cannot repair the configuration file:
a) Remove the USB drive.
b) Run the CLI command: restore default-settings.
c) Connect to the Web UI and use the First Time Wizard to configure the appliance.
6. If you can repair the configuration file:
a) Remove the USB drive.
b) Run the CLI command: restore default-settings.
c) Insert the USB drive and run the configuration script again.
Sample Configuration Log with Error
This is a sample configuration log file for a configuration script that fails.
set hostname Demo1
set hostname: Setting hostname to 'Demo1'
OK
set interface WAN internet primary ipv4-address 66.66.66.11
Error: missing argument 'subnet-mask' for a new connection
Autoconfiguration CLI script failed, clish return code = 1
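The log's shape (each command echoed, then its output, "OK" on success, "Error: ..." on failure, and a closing "clish return code" line) is what lets you find the last applied command. The helper below is an added example, not Check Point code; it parses a log in that form and reports which commands were applied before the failure, which command failed and why, and the next step from the workflow above. It serves both the Viewing Configuration Logs section and this sample log, which is embedded as a constructed string. The layout rules are inferred from that sample, so a log that deviates from it needs the parser adjusted.

```python
"""Triage a Security Gateway 80 USB autoconf log.

Added example for this guide, not Check Point code. The log layout it expects
(command echo, optional output lines, 'OK' or 'Error: ...', final
'clish return code = N') is inferred from the sample log on this page.
"""
import re
from typing import Dict, List, Optional

RC_RE = re.compile(r"clish return code\s*=\s*(\d+)")
COMMAND_WORDS = ("set", "add", "delete", "fetch")

# The sample log from this page, embedded as a constructed string.
SAMPLE_LOG = """\
set hostname Demo1
set hostname: Setting hostname to 'Demo1'
OK
set interface WAN internet primary ipv4-address 66.66.66.11
Error: missing argument 'subnet-mask' for a new connection
Autoconfiguration CLI script failed, clish return code = 1
"""


def is_command_echo(line: str) -> bool:
    """A command echo starts with a CLIsh verb; output lines such as
    "set hostname: Setting ..." carry a colon after the second word."""
    words = line.split()
    return (len(words) >= 2 and words[0] in COMMAND_WORDS
            and not words[1].endswith(":"))


def parse_autoconf_log(text: str) -> Dict[str, object]:
    """Return applied commands, the failing command, its error and the return code."""
    applied: List[str] = []
    current: Optional[str] = None
    failed: Optional[str] = None
    error: Optional[str] = None
    rc: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RC_RE.search(line)
        if m:
            rc = int(m.group(1))
        elif line.startswith("Error:"):
            failed, error = current, line[len("Error:"):].strip()
            current = None
        elif line == "OK":
            if current is not None:
                applied.append(current)
            current = None
        elif is_command_echo(line):
            current = line
    # Per the guide, commands before the error are already applied, so the
    # appliance is partially configured and must be restored before retrying.
    if failed is not None:
        action = ("run 'restore default-settings', then fix the script and "
                  "re-run it or use the First Time Wizard")
    else:
        action = "none"
    return {
        "applied": applied,
        "failed_command": failed,
        "error": error,
        "return_code": rc,
        "partially_configured": failed is not None and bool(applied),
        "recommended_action": action,
    }


if __name__ == "__main__":
    for key, value in parse_autoconf_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Because the appliance copies the log to the USB root as well as /tmp, you can collect the logs from a batch of drives and run this over all of them to see which appliances are partially configured and need restore default-settings before a second attempt.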
Using the set property Command
The set property CLI command controls how Security Gateway 80 runs configuration scripts from a USB drive. These commands do not change how the First Time Wizard in the Web UI configures the appliance.
set property USB_auto_configuration off - The appliance does not run configuration scripts from a USB drive.
set property USB_auto_configuration once - The appliance only runs the next configuration script from a USB drive.
set property USB_auto_configuration any - The appliance always runs configuration scripts from a USB drive.
Note that with the any setting, anyone with physical access to a USB port can reconfigure the appliance by inserting a drive with a configuration script. Once deployment is complete, set the property to off, or to once immediately before a planned update.
Chapter 3
Cluster Configuration
In This Chapter
Security Gateway 80 Clusters 24
Creating a Cluster for New Gateways 25
Converting an Existing Security Gateway 80 to a Cluster 29
Viewing Cluster Status in the WebUI 31
Security Gateway 80 Clusters
A Security Gateway 80 security gateway cluster is a group of two members, each representing a separate Security Gateway 80 appliance on which High Availability software has been installed. ClusterXL is the Check Point clustering solution. Third party OPSEC Certified clustering products are not supported.
High Availability
High Availability allows organizations to maintain a connection when there is a failure in a cluster member. Only one machine is active (Active/Standby operation) in this configuration. Load sharing is not supported in this configuration.
Prerequisites
General overview of the process - During Cluster configuration only a "Gateway First" installation path is supported. Therefore, the gateways must be configured first using their actual IPs. Only afterwards should the cluster object be created in SmartDashboard, and the following policy installation from the Security Management Server will alert the gateways to the fact that they are configured as cluster members.
Before you define a Security Gateway 80 cluster:
Make sure you have defined all of the network interfaces in use for each of the Security Gateway 80 gateways. The interfaces must be defined within the same subnet. To verify definitions, access the WebUI of the appliance.
The following is only required in order to work with the Cluster Wizard in SmartDashboard:
Make sure a cable is connected between the two LAN2/SYNC ports of both appliances. You do not need to assign them IPs as they will be created automatically later. If you do assign them, make sure the LAN2/SYNC interfaces use the same subnet. You can use a different SYNC interface other than LAN2. Refer to sk52500 (http://supportcontent.checkpoint.com/solutions?id=sk52500) for details (you will be able to use the Cluster Wizard in SmartDashboard but you will need to make further adjustments to the cluster object before policy installation).
The Cluster Wizard assumes that the WAN interface will be part of the cluster. Make sure the WAN interfaces in each of the gateways are configured with a static IP of a matching subnet.
When configuring the appliances that will be used in the cluster, make sure to set both of the appliances with the same one-time password used for authenticating and establishing trusted communication. Without this you will not be able to use the Cluster Wizard in SmartDashboard, and you will need to create the cluster object using Classic Mode. Trusted communication without authentication is not supported on Security Gateway 80 cluster members.
Creating a Cluster for New Gateways
Configuring the Security Gateway 80 Appliances
Full instructions on setting up and connecting the Security Gateway 80 appliance appear in the Security Gateway 80 Quick Start Guide. Below is the general workflow:
1. Connect your computer to the Security Gateway 80 appliance on its LAN1 interface.
2. Configure your computer to obtain an IP address automatically.
3. Launch your Web browser, and connect to http://my.gateway
Note - When you configure two Security Gateway 80 appliances from your web browser, do so by connecting only one to a power source, configuring it according to the instructions below and then disconnecting it from the power source. Then do the same for the second appliance and reboot it at the end. If you do not follow these instructions, you will not be able to use the http://my.gateway URL correctly and you will need to connect using the gateway's actual IP address (which is initially 192.168.1.1 on LAN1 before configuring it otherwise with the First Time Wizard).
After you configure and connect both appliances to a power source, install a policy and renew the dynamic IP of the computer. You can then use http://my.gateway to access the active member of the cluster.
First Time Wizard Configuration
1. Provide a password and continue to the next step.
2. Set the Internet connection Protocol to Static IP if you want to connect to the Security Management Server through this interface.
3. Configure the IP address, subnet mask, default gateway and DNS server. Click Next.
Note - Configure the same subnet for the WAN interface on the second cluster member if you want the WAN interface to be part of the cluster. This is also the assumption in the Cluster Wizard in SmartDashboard.
In the Local Network configuration step:
4. Disable the switch on the LAN port by clearing the Enable Switch on LAN ports checkbox.
5. Set the IP address and subnet mask for the LAN1 interface.
Note - Configure the same subnet for the LAN1 interface on the second cluster member if you want LAN1 to be a part of the cluster.
In the LAN settings, if you want to set up DHCP, set a different range for each member. The active member will provide the addresses to the clients.
6. Select the option Initiate trusted communication securely by using a one-time password.
7. Set the one-time password. Configure the same password for the second cluster member so it will be able to use the Cluster Wizard in SmartDashboard later.
8. Select the Connect to the Security Management server later option.
9. Click Next to continue and complete the wizard.
10. Configure the cluster SYNC interface on the same subnet as the SYNC interface on the second cluster member (use a cross Ethernet cable for SYNC interface connection).
Note - When you use the SmartDashboard cluster wizard, the LAN2 interface serves as the SYNC interface between cluster members. You do not have to configure an IP on LAN2 at any stage of the gateway side configuration. If you do not configure them, LAN2 SYNC interfaces are automatically set to 10.231.149.1 and 10.231.149.2. To set a different SYNC interface (not LAN2), refer to sk52500 (http://supportcontent.checkpoint.com/solutions?id=sk52500).
Remember the one-time password. You will need it to configure the cluster in SmartDashboard. It must be the same on both cluster members.
IP addresses need to be configured on both cluster members before you open SmartDashboard and run the Cluster configuration wizard. If you want to configure IPs in interfaces other than WAN and LAN1, do so in each gateway’s WebUI application with the Internet/Local Network pages. Make sure that for each interface that needs to be part of the cluster you configure an IP in the same subnet as the second cluster member.
Configuring the Cluster Object Using SmartDashboard
To create a cluster for two new Security Gateway 80 gateways, use the SmartDashboard Security Gateway 80 Cluster wizard.
1. Log in to SmartDashboard using your Security Management credentials.
2. From the Network Objects tree, right click Check Point and select Security Cluster > 80 Series. The Check Point Security Gateway Cluster Creation dialog box opens.
3. Select Wizard Mode. The wizard opens to General Properties.
4. Type a name for the Security Gateway 80 cluster.
5. Click Next. The wizard opens to Cluster Members.
6. In the First Member and Second Member sections, type a Member name and Member IP address for each of the members.
7. Clear the Define the second cluster member now check box if you want to complete the wizard definitions for the first member only so that you can check that communication and connectivity is in order.
8. Type and confirm the One-time password that is used for establishing initial trust. Once established, trust is based on security certificates. This password must be identical to the same one-time password defined for both members (the same one-time password must be defined for both members in their corresponding appliances' First Time Configuration Wizard or WebUI).
9. Click Next. The wizard opens to Cluster Interface Configuration. See the section ("Cluster Interface Configuration" on page 28) for details.
10. To enable High Availability on the interface, select the Enable High Availability on <name> interface checkbox, where <name> shows the network interface defined in the Security Gateway 80 appliance.
11. When High Availability is selected, enter a virtual IP Address and Net Mask for the cluster. The virtual IP will be applied in the next policy installation.
12. Click Next.
13. Repeat steps 10 - 12 for each defined interface.
Note - The Cluster Wizard in SmartDashboard assumes the common scenario of High Availability on the WAN interface. When reaching the screen of the WAN interface, you will not be able to disable High Availability on the WAN interface (other configurations can be configured later by editing the Cluster object).
Note - If the WAN interface was not defined, edit the Cluster object in SmartDashboard following the wizard and choose a correct main IP for the cluster object (this IP is used for example in VPN as one of the Link selection options).
14. Upon completion, click Finish or select Edit Cluster in Advanced mode to further configure the cluster.
Cluster Interface Configuration
In this window you define whether a network interface on the Security Gateway 80 participates in the security gateway cluster. This window appears for each of the network interfaces that have been configured in the Security Gateway 80 appliance. The total number of interfaces configured for the gateway appears in the window title. For example, if 3 interfaces have been configured for the gateway, a total of 3 windows will require configuration. The first window will display (1 of 3 interfaces). The name of the interface you are currently configuring appears in the Interface column.
Each network interface (on both members) has a unique IP address. If High Availability is enabled on the interface, then the cluster itself requires an additional unique virtual IP address. This IP address is visible to the network and ensures that failover events are transparent to all hosts in the network.
When High Availability is not enabled, the interface is considered not-monitored private (i.e. it is not cluster related).
You can configure High Availability for all network interfaces except for the WAN interface. By default, the WAN interface is always part of the cluster. If you do not want the WAN interface to participate in the cluster, you can edit this setting by double-clicking on the Security Gateway 80 security gateway cluster object, and selecting Topology node > Edit Topology.
If the WAN interface was not defined, edit the Cluster object in SmartDashboard following the wizard and choose a correct main IP for the cluster object (this IP is used for example in VPN as one of the Link selection options).
The graphic breadcrumb depiction at the top of the window shows you the interface you are currently configuring. You do not configure the LAN2 interface as it is automatically configured by the wizard and is used exclusively for the SYNC interface. Make sure a cable is connected between the two LAN2/SYNC ports of both appliances.
The graphic depiction at the bottom of the page indicates whether the interface is set for High Availability or not. When you configure High Availability, the physical IPs of both members meet at a point indicated by the cluster's virtual IP address.
To configure other, more advanced options for interfaces, click "Edit Cluster in Advanced mode" at the end of the wizard, edit the topology of the cluster and make the necessary adjustments.
Converting an Existing Security Gateway 80 to a Cluster
Do the following procedures to allow an existing Security Gateway 80 to become part of a cluster.
Note - The procedures require some downtime.
Terms used:
SG80GW - represents the existing Security Gateway 80 gateway object that has already established trust and has an installed policy.
SG80Cluster - represents the new Security Gateway 80 cluster object that you will create.
SG80GW_2 - represents the new cluster member object that will join the existing gateway.
Configure the New Appliance
Configure the new appliance SG80GW_2 with the First Time Configuration Wizard:
1. Make sure to set the actual IP addresses that you want to use and not the virtual IP addresses that you will use later (as used by the existing gateway SG80GW).
2. The default switch configuration is not supported in a cluster configuration. If you did not change this setting in the wizard (clear the Enable switch on LAN ports checkbox), the switch is removed automatically during the cluster's first policy installation. It is safer, however, to remove the switch configuration before the initial policy installation.
3. The LAN2 port is used for cluster synchronization. It is recommended to keep it unassigned, so that automatic IP addresses are assigned to the SYNC interfaces. If you want to control all of the IP addresses in the system, you can however configure a static IP address.
4. Do not fetch the policy from the Security Management Server.
Create and Configure a Cluster in SmartDashboard
1. Create a new Security Gateway 80 cluster using the wizard. Define its IP address as the IP used by the existing gateway SG80GW.
2. Define the first member with SG80GW_2's IP address.
Important - Do not define the second member using the wizard.
3. Establish trusted communication and then define the various IP addresses of the clustered interfaces. Use the existing gateway SG80GW IP address as the virtual IP of the cluster where needed.
4. At the end of the wizard, select the Edit the cluster in Advanced Mode checkbox.
5. In Advanced Mode, copy to the cluster object all relevant configuration settings from SG80GW.
Reconfigure the Existing Security Gateway 80
1. Go to the SG80GW and connect to it using the WebUI.
2. Reconfigure the IP addresses of the clustered interfaces with the actual IP addresses that will be used by the gateway as a member of the cluster.
Important - Downtime starts.
Configure the Cluster in SmartDashboard
1. Change the main IP and the IPs that appear in the topology table of the SG80GW object.
2. Install policy on SG80Cluster.
Important - Downtime ends. At this point, the cluster contains only one member, SG80GW_2.
3. Edit the SG80Cluster object. Go to Cluster Members tab > Add > Add existing gateway.
4. If SG80GW does not appear in the list, click Help and make sure SG80GW does not match any of the categories that prevent a gateway from being added to a cluster.
Note - You can use the information on this Help page to determine if there are any configuration settings you might want to copy to the new SG80Cluster object.
5. Edit the topology of the SG80Cluster object. Click Topology > Get Topology under the new SG80GW object. Make corrections if needed.
6. Install policy on SG80Cluster.
Viewing Cluster Status in the WebUI
After you complete policy installation on the Security Gateway 80 gateway and the gateway works as a cluster member, you can view the cluster status in the WebUI application (Appliance > Cluster).
Chapter 4
Appliance Configuration
This chapter contains instructions that help you configure the Security Gateway 80 appliance and understand special Security Gateway 80 issues.
In This Chapter
Introduction to the WebUI Application 33
The Overview Page 33
The Management Server Page 33
Networking 35
Implied Rules for Security Gateway 80 46
Administration 47
Security 55
Diagnostics 57
CLI Reference 59
Introduction to the WebUI Application
Security Gateway 80 uses a web application to configure the appliance. You currently cannot configure the appliance through the command line.
After you use the First Time Configuration Wizard (see the Security Gateway 80 Getting Started Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10833)), when you connect to the appliance with a browser (using the appliance's IP address or, if the client uses the appliance as its DNS proxy or DHCP server, the name "my.gateway"), the appliance redirects the browser to a secure HTTPS page and asks for administrator credentials.
Logging in correctly opens the Overview page of the WebUI application. The left pane lets you navigate between the different configuration pages.
The Overview Page
The Overview page gives you system and network information. It also gives status information about the software blades installed on the appliance.
Two traffic monitors show real-time packet rate and throughput data on the machine.
For each activated blade, additional further information is shown (for example, for the Firewall blade – how many packets are dropped, number of current connections, etc.).
You can also see in this page a summary of the current connectivity state with the Security Management Server. For more information see the Management Server page.
The Management Server Page
This page lets you:
Test connection status with the Security Management Server (this is also done periodically by the appliance).
Reinitialize trusted communication (when you click the Advanced link).
See the status of the latest attempt to install a policy on the appliance.
Manually fetch the policy from the Security Management Server.
View the status of the Internet connection.
Networking
Internet Settings
The WebUI Internet page lets you set and enable the Internet network connection.
The Internet table displays all available Internet connections.
To set an Internet network connection:
1. Click the Edit link in the relevant Primary or Secondary row.
2. Configure the parameters in the Internet Configuration page that opens and click Apply.
3. Enable the configured connection; click the checkbox in the Enabled column.
Internet Configuration
The Internet Configuration page lets you configure the properties of the primary or secondary Internet connection and define it as either a WAN or DMZ interface.
Types of connections available:
Static IP - A fixed (non-dynamic) IP address.
DHCP - Dynamic Host Configuration Protocol (DHCP). The appliance obtains its IP address, subnet mask, default gateway and DNS servers automatically from the ISP's DHCP server.
PPPoE - a network protocol for encapsulating Point-to-Point Protocol (PPP) frames inside Ethernet frames. It is used mainly with DSL services where individual users connect to the DSL modem over Ethernet and in plain Metro Ethernet networks.
PPTP - the Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. PPTP uses a control channel over TCP and a GRE tunnel to encapsulate PPP packets. Note that PPTP's authentication and encryption are widely considered weak; treat it as an ISP access method rather than as a confidentiality mechanism.
L2TP - Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy.
Bridge - connects multiple network segments at the data link layer (Layer 2). One WAN-LAN bridge is supported.
To configure Internet connections:
1. Select a Network Interface.
2. Select a Connection Type.
3. For bridges, select an interface from the Assign Interface list.
4. Enter IP address, Subnet Mask and Default Gateway details.
5. Enter DNS Server details (for the PPPoE, PPTP, L2TP and DHCP protocols).
6. For the dialer connection types, enter the ISP login user name, ISP password and, where needed, the server host name or IP.
7. Click Apply.
Advanced Configuration Options
For all connection types, you have the option to configure additional advanced settings:
ICMP monitoring configuration - lets the appliance monitor the connection's health more accurately. This is mostly relevant for the Internet Connection High Availability configuration (see below).
Advanced dialer settings (for applicable connection types), such as the ability to configure whether the connection will be up all the time, or only connect on demand.
Port Settings - MTU, Link speed and MAC address changes.
Note - MTU changes cause a momentary loss of connectivity as the interface resets with the new MTU. In a DMZ interface, the momentary loss of connectivity is in the LAN interfaces as well (hardware limitation).
MAC address changes are mostly relevant when the appliance is designed to replace an existing appliance whose MAC address is used by various devices in its environment.
To configure advanced configuration options:
1. Click the Advanced link.
2. To use ICMP requests to monitor the connection, select the checkbox and click Configure.
a) Click Add to add a server.
b) Select or clear the Send ICMP requests to default gateway checkbox.
c) Set the values for Interval between requests, Failover after and Resume requests after parameters.
d) Click OK.
WAN Port Settings
1. Set the MTU size. Note that for a DMZ interface the MTU value is applied to all LAN ports.
2. Select which MAC address clone method to use.
3. Select the Link Speed.
4. Click Apply.
Important Notes
Bridge
Only one bridge is supported. It always includes the WAN port and one LAN port (or the switch).
When working in bridge mode, Internet Connection in High Availability is not supported. You can configure the DMZ interface as "standard DMZ" but not as a secondary Internet connection.
Dialers
ISP details (login and password) are provided by your service provider. In case of authentication failure contact your service provider.
If PPPoE connection is disconnected by your service provider, the following message appears: "PPPoE server unavailable". If connection was disconnected due to timeout on Link Control Protocol the following message appears: "PPP Link Control Protocol timed out (no response from server). Contact your service provider."
If PPTP connection is disconnected by your service provider, this message appears: "Internet connection was disconnected by your service provider".
In case of disconnection, the appliance will try to connect again every 30 seconds.
You can set the IP address of your dialer connection statically by specifying "Tunnel IP assignment->Use the following IP Address" under Advanced (while editing the Internet connection).
For PPTP and L2TP it is possible to set the IP address of your local tunnel network.
These connection monitoring methods are supported:
For dialers - define the Link Control Protocol (LCP) interval and the maximum number of attempts. The gateway sends an LCP echo request every X seconds; if no reply has arrived after Y attempts, the status of the connection becomes "PPP Link Control Protocol timed out (no response from server). Contact your service provider." and, if Internet High Availability is enabled, the other connection becomes active.
For all connection types (except bridge) - you can set one or more servers to which the appliance periodically sends ICMP Echo requests. If no reply has arrived after Y attempts, the status of the connection becomes "Destination server is unreachable (no reply for ICMP requests)" and, if Internet High Availability is enabled, the other connection becomes active.
Setting MTU
For dialers - the value you enter in the field is Y bytes more than the effective MTU of the dialer interface, because the tunnel header is subtracted from it. For example, with the default of 1500 bytes, the MTU of the PPP interface is effectively 1492 for PPPoE and 1460 for L2TP. If you want the effective MTU to be X, set the field to X+Y (Y=8 for PPPoE and Y=40 for L2TP).
Internet Connection High Availability
These are the Internet Connection High Availability options:
You can configure two different internet connections, where only one will be active and is used for the default route of the appliance into the internet. This is most commonly used in ISP redundancy cases.
You can configure two separate connections on separate interfaces of the WAN and DMZ interfaces. In this case the appliance will try to connect the two connections, but at a given time only one is considered the active connection and is used as the default route.
You can configure two connections on the same interface, and the appliance will try to connect with the other connection details each time the existing connection is considered down.
The first row in the table is the primary connection. When you click the Internet Connection High Availability link you can configure the option to Revert to Primary connection when possible, thus giving the primary connection a priority over the secondary connection.
Conditions for a failover:
The appliance checks the link status of each interface to detect a disconnected cable. For dynamic IP connection types, it also verifies that the connection has obtained an IP address.
Other than that, you can configure ICMP monitoring that tests the connection’s health against known servers or the default gateway. This configuration gives you additional control over the Internet Connection High Availability configuration.
Internet Connection High Availability is not supported in bridge mode and when using the "connect on demand" dialer advanced option.
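The failover conditions and the Revert to Primary option described above, as an added illustration that is not part of this guide or of the appliance's software. It treats a connection as down when its link is down, when a dynamic connection holds no IP address, or after a number of consecutive failed ICMP rounds, and as up again after a number of consecutive successful rounds; those threshold semantics, the class and parameter names, and the probe results are assumptions constructed for the example.

```python
"""Added illustration of the Internet Connection High Availability decision logic
(link/IP checks, ICMP monitoring thresholds, revert-to-primary). Not appliance
code: class and parameter names, the threshold semantics and the probe results
below are assumptions constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Connection:
    name: str
    link_up: bool = True        # cable connected?
    has_ip: bool = True         # dynamic types (DHCP, dialers) must also hold an address
    failover_after: int = 3     # consecutive failed ICMP rounds before the link is declared down
    resume_after: int = 2       # consecutive successful rounds before it is declared up again
    failures: int = 0
    successes: int = 0
    down: bool = False

    def observe(self, probe_ok: Optional[bool]) -> bool:
        """Feed one monitoring round; probe_ok=None means ICMP monitoring is off.
        Returns True if the connection is considered usable after this round."""
        if not self.link_up or not self.has_ip:
            self.down = True
            self.failures = self.successes = 0
            return False
        if probe_ok is None:
            self.down = False
            return True
        if probe_ok:
            self.successes += 1
            self.failures = 0
            if self.down and self.successes >= self.resume_after:
                self.down = False
        else:
            self.failures += 1
            self.successes = 0
            if not self.down and self.failures >= self.failover_after:
                self.down = True
        return not self.down


class InternetHA:
    """Primary = first row of the Internet table; the active connection owns the default route."""

    def __init__(self, primary: Connection, secondary: Connection, revert_to_primary: bool = True):
        self.primary, self.secondary = primary, secondary
        self.revert_to_primary = revert_to_primary
        self.active = primary

    def step(self, primary_probe: Optional[bool], secondary_probe: Optional[bool]) -> str:
        p_ok = self.primary.observe(primary_probe)
        s_ok = self.secondary.observe(secondary_probe)
        if self.active is self.primary:
            if not p_ok and s_ok:
                self.active = self.secondary          # failover
        elif p_ok and (self.revert_to_primary or not s_ok):
            self.active = self.primary                # revert (or the secondary died too)
        return self.active.name


# Constructed probe results, one (primary, secondary) pair per monitoring interval:
# the primary misses three rounds in a row, then answers for two rounds.
SAMPLE_ROUNDS: List[Tuple[bool, bool]] = [
    (True, True), (False, True), (False, True), (False, True), (True, True), (True, True),
]


def simulate(rounds: List[Tuple[bool, bool]], revert_to_primary: bool = True) -> List[str]:
    """Return the name of the active (default-route) connection after each round."""
    ha = InternetHA(Connection("WAN"), Connection("DMZ"), revert_to_primary)
    return [ha.step(p, s) for p, s in rounds]


if __name__ == "__main__":
    print(simulate(SAMPLE_ROUNDS))                            # WAN WAN WAN DMZ DMZ WAN
    print(simulate(SAMPLE_ROUNDS, revert_to_primary=False))   # WAN WAN WAN DMZ DMZ DMZ
```

With Revert to Primary cleared, the secondary keeps the default route until it fails itself; with it set, the primary wins the route back as soon as it has passed enough consecutive probes. A single missed probe never causes a failover, which is the point of the "Failover after" threshold.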
Local Network
The Local Network WebUI page lets you set and enable the local network connections, LAN switch or WAN-LAN bridge that you configure.
The Network table displays all available network connections that are not external. For the DMZ interface, this page lets you configure it as a DMZ interface (as opposed to an external interface to the Internet, that you can configure in the Internet page).
LAN Switch
You can configure a port based switch between several LAN ports. Only one switch is supported, and the LAN1 port will always be a part of it. Switch configuration between all LAN ports is the default configuration set during the appliance’s First Time Configuration wizard and can be removed during the wizard, or configured more accurately in the WebUI application.
The LAN Switch has an IP through which you can connect to the WebUI application.
Traffic between switch ports is neither inspected nor included in the traffic counters within the different Check Point software blades.
Switch configuration is not available when the policy installed from the Security Management Server configures the appliance as a cluster member. If a LAN switch is configured when a policy installation changes the appliance's status to cluster member, the switch is dismantled automatically: its IP address is assigned to LAN1, and the other interfaces that were part of the switch become unassigned.
To set or edit a local network connection:
1. Click the Edit link in the Action column of the related row.
a) If you want to configure a switch, configure the parameters in the LAN Switch Configuration page that opens and click Apply.
b) If you do not want to configure a switch, configure the parameters in the Interface Configuration page that appears and click Apply.
2. To enable the configured connection, click the Enabled checkbox.
Note - A LAN switch is created by default. It appears below the Networks list with its corresponding details.
To remove the switch, click Unassign all ports in the Action column. This will detach all ports from the switch and remove the switch configuration.
To create a VLAN (according to the IEEE 802.1q Standard) on one of the interfaces:
1. Click New VLAN.
2. Configure the parameters in the Interface Configuration page and click Apply.
To create a switch (not available when the appliance is set as a cluster member):
1. Click Create Switch.
2. Configure the parameters in the LAN Switch Configuration page and click Apply.
To create a WAN-LAN bridge (available only when no Internet connection is set):
1. Click Create Bridge.
2. Configure the parameters in the Internet Configuration page and click Apply.
Switch Mode Configuration
The Security Gateway 80 appliance is initially configured in switch mode. The default switch contains all LAN ports. You can change this default option within the First Time Configuration Wizard or within the Local Network page in the WebUI.
The LAN Switch Configuration page lets you configure the LAN switch parameters.
To configure LAN switch parameters:
1. In Network Interfaces:
a) To add an interface, select an interface from the Available Interfaces list and click Add.
b) To remove an interface, select an interface from the Selected Interfaces list and click Remove (or edit the interface and choose a different IP assignment for it "unassigned" or "Static IP").
2. Enter IP address and Subnet Mask details.
3. In DHCP Server, select whether to enable, disable or use DHCP Relay.
When DHCP Server is enabled, supply the first and last IP addresses in the range.
You can also add a DHCP Exclude list. To do that, supply the range of the exclude list.
When DHCP Relay is enabled, supply the DHCP Server IP address.
Click Apply.
If you click the Advanced link, you can:
Change the MTU used by the LAN ports (this change also applies to all LAN ports not in the switch as well as the DMZ interface).
Change the MAC address that the interface uses.
Bridge Mode Configuration
The Security Gateway 80 appliance can operate in switch mode and in bridge mode.
In switch mode, some or all of the LAN ports are connected to the same network.
In bridge mode, the appliance connects two different networks at layer 2.
You can configure a bridge in Security Gateway 80 alongside a switch and the appliance will operate as a router between them. The bridge is always between the WAN interface and one of the LAN interfaces. It is possible to bridge between the WAN and LAN Switch itself.
Check Point Software Blades inspect and count with the different counters the traffic that goes through the bridge.
You can configure this functionality on the appliance with the First Time Configuration Wizard (only between WAN and LAN1) and also the WebUI for advanced configuration settings.
For a bridge configuration, when you edit the object's Topology node in SmartDashboard and select the Manually defined on the Security Management server, based on the below Topology Table option to determine the networks behind the gateway, you cannot calculate the topology with the Get Topology option; you must define the topology table manually.
In Security Gateway 80 bridge configuration is not supported on cluster members.
For bridge and cluster limitations, refer to the Security Gateway 80 Known Limitations SK (http://supportcontent.checkpoint.com/solutions?id=sk52180).
Notes - 1. Only one bridge is supported. It always includes the WAN port and one LAN port (or the switch).
2. When working in bridge mode, Internet Connection in High Availability is not supported. You can configure the DMZ interface as "standard DMZ" but not as a secondary Internet connection.
Routing
The Routing page shows a routing table with the routes on your appliance. You can add new routes from here.
Table Columns - Description
Destination - The destination host or network the route leads to.
Destination Mask - The mask of the destination host or network. The mask must match the destination IP. For example, the mask for the single host 10.0.0.1 must be 255.255.255.255. To define a route to the whole 10.0.0.0/24 network, use the corresponding network mask 255.255.255.0.
Next Hop - The IP of the gateway for this route. Not applicable to manually created advanced routing rules through a specific interface. For more details, see sk53000 (http://supportcontent.checkpoint.com/solutions?id=sk53000).
Interface - The physical network interface through which this route is accessible: LAN, WAN, DMZ or LAN Switch. It can be resolved automatically or chosen manually. When it is chosen manually, the next hop is not mandatory and can be N/A (see sk53000 (http://supportcontent.checkpoint.com/solutions?id=sk53000)).
Metric - Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is chosen.
Action - The edit/delete actions for the routes you configured manually.
The Routing page shows the routing rules that the operating system configures automatically according to the IPs defined on the various interfaces and the default route you configure. However, through this page it is also possible to add more routing rules.
The default route and the routing rules you configure manually are shown in bold, and it is possible to edit/delete the rules you manually configure.
To add a new route:
1. On the Routing Table page, click New Route. The Route Configuration page appears.
2. Configure the parameters in the page that opens.
To edit an existing route:
Click Edit in the specific route's Action column.
To delete a route:
Click Delete in the specific route's Action column.
Route Configuration
The Route Configuration page lets you configure information for each route.
To add a new route:
1. Supply the:
Destination IP Address
Destination Subnet mask
Next Hop (Default gateway)
Metric (0-100)
Interface (from the drop-down box)
2. Click Apply.
Important notes for when you add a new route:
Make sure the destination IP address which is normally a network address matches the destination subnet mask.
Normally, the next hop belongs to one of the directly attached networks, and the appliance resolves automatically through which interface the traffic is sent. You can, however, choose a specific interface through which the traffic is sent: select it from the Interface drop-down list. Once a specific interface is configured, entering 0.0.0.0 as the next hop routes the relevant traffic through that interface without using a next hop. For more details, see sk53000 (http://supportcontent.checkpoint.com/solutions?id=sk53000).
Note - Choosing a specific interface through which to send traffic is an advanced option – make sure the network the appliance is connected to, is configured correctly to prevent connectivity issues.
This page does not support adding a specific interface with a next hop which is not in the interface’s same subnet.
Other Important notes:
You cannot add a default route from this page. The default route of the system is inherited from Internet connection settings. To change the default route, edit the relevant Internet connection and set its "default gateway" (next hop) to the desired IP.
If Internet Connection High Availability is set, the default route will change automatically upon failover (according to the active Internet connection).
When a network interface is disabled, all routes leading through this interface become inactive. The system then routes traffic according to the remaining active routing rules (typically, the default route). The route appears as "inactive" on the Routing page and automatically becomes active again once the interface is enabled.
When no default route is active (for example, when there is no active Internet connection), the following note appears: Note: There is no default route since no Internet connection is enabled.
DNS
In the DNS page, you can configure the DNS server configuration and add a new host.
You need to configure DNS so that the appliance itself can resolve names, and for users whose hosts are configured (manually or through DHCP) to use the appliance as their DNS server. In the second case, Security Gateway 80 acts as a DNS proxy and resolves incoming DNS requests using its configured DNS servers.
Configuring Security Gateway 80 as the DNS server (in fact proxy), manually or receiving it through the appliance’s DHCP service, lets users connect through a browser to the "my.gateway" URL. This is an alternative to manually entering the appliance’s IP – for easier management of the appliance.
With this page you can also manually add hosts through which the gateway will resolve DNS requests, without consulting its configured DNS servers.
To configure DNS:
1. Choose if you want to define up to three DNS servers that are applied to all Internet connections or use the DNS configuration provided by the active Internet connection (Primary). When you select Set DNS server configuration, make sure that you enter correct IP addresses.
Typically you use the first option (global DNS settings) if your DNS servers are located in the headquarters office. In this case, all DNS requests from this branch office will be directed to these DNS servers.
The second option gives a more dynamic definition of DNS servers. The gateway uses the DNS settings of the currently active Internet connection (for static IP, the DNS servers entered manually under "Internet Connection" > Edit; for DHCP and dialers, the DNS servers given automatically by the ISP). If Internet Connection High Availability is enabled, the DNS servers switch automatically when there is a failover.
2. The Security Gateway 80 appliance functions as a DNS proxy by default: it provides DNS resolving services to the internal hosts behind it when this option is set. The option is global and applies to all internal ports (including the DMZ port if it is not configured as a secondary Internet connection). To have internal hosts resolve names through the DNS proxy, select the Enable DNS Proxy - resolves local DNS requests checkbox.
3. Click Apply.
To add a new host:
1. Click New Host. The Host Configuration page appears.
2. Configure the parameters in the page that opens and click Apply.
To delete a host:
Click Delete in the row of the host.
To edit a host:
1. Click Edit in the row of the host.
2. In the Host Configuration page, make your changes and click Apply.
Automatic Topology
Anti-Spoofing and other security features are based on the topology table you configure when you edit the gateway object in SmartDashboard. You can manually configure the topology table or get the topology from the gateway automatically. Each time the topology changes, it is necessary to get the topology and install the policy again.
Security Gateway 80 introduces a new mode called "Automatic Topology", in which the configured topology table is not necessary for features that do not involve other gateways. These features continue to work, based on the gateway's routing table, when the network configuration changes on the gateway side. When you use "Automatic Topology" it is not necessary to install a policy when such changes occur.
When you select the Automatically calculated by the gateway option, which is based on the routing table of the Security Gateway 80 operating system, these features function automatically:
Anti-Spoofing
Anti-Virus Directional scan
IPS (that protects only incoming connections)
After you configure automatic topology for the first time, an install policy is necessary.
Note - Automatic topology is exposed to errors in the routing table, which can occur, for example, when an interface is disabled and its routes become inactive.
If it is not necessary to use the automatic topology feature, you can configure topology manually. Select the Manually defined on the Security Management Server option.
When you use VPN, automatic topology limits the options to define VPN tunnels as other gateways need to know the topology and IPs of the gateway. The only scenario that supports VPN and automatic topology is when NAT is configured. In this case, the only data that is encrypted is outgoing traffic from behind the gateway to other members of the VPN community. Other gateways will only recognize the gateway’s primary IP as this is configured in SmartDashboard regardless of the topology table. For more information, see Step 1: Defining the Security Gateway 80 Object in SmartDashboard.
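The Routing page rules (destination must match its mask, metric 0-100, longest prefix then lowest metric, routes through a disabled interface go inactive, the default route comes from the Internet connection) and the reverse-path anti-spoofing that Automatic Topology derives from that same table, in one added example. This is illustration code written for this page, not Check Point's implementation: the RouteTable class, the interface names, the sample routes and the packets are assumptions constructed for the example. It also shows the note above in action, since disabling an interface changes the anti-spoofing verdict for an address.

```python
"""Added illustration of the Routing page semantics and of routing-table based
(Automatic Topology) anti-spoofing. Not Check Point code: the class, the sample
routes and the sample packets below are assumptions constructed for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    destination: str            # network (or host) address, e.g. "10.0.0.0"
    mask: str                   # dotted mask; must match the destination
    next_hop: Optional[str]     # None stands for 0.0.0.0: send directly via the interface
    interface: str              # "WAN", "DMZ", "LAN1" ... or "LAN Switch"
    metric: int = 0             # 0-100; among equal prefixes the lowest wins

    def network(self) -> ipaddress.IPv4Network:
        # strict=True rejects host bits set under the mask, e.g. 10.0.0.1/255.255.255.0
        return ipaddress.IPv4Network((self.destination, self.mask), strict=True)


class RouteTable:
    def __init__(self, routes: List[Route], enabled: Dict[str, bool]):
        self.routes = routes
        self.enabled = enabled          # interface name -> is the interface enabled?

    def validate(self) -> List[str]:
        """The checks the Route Configuration page insists on: the destination must
        match its mask and the metric must be within 0-100."""
        problems = []
        for r in self.routes:
            try:
                r.network()
            except ValueError:
                problems.append(f"{r.destination}/{r.mask}: mask does not match destination")
            if not 0 <= r.metric <= 100:
                problems.append(f"{r.destination}/{r.mask}: metric {r.metric} outside 0-100")
        return problems

    def active_routes(self) -> List[Route]:
        # A route through a disabled interface is shown as 'inactive' and not used
        return [r for r in self.routes if self.enabled.get(r.interface, False)]

    def lookup(self, ip: str) -> Optional[Route]:
        """Longest prefix match first, lowest metric as the tie-breaker."""
        addr = ipaddress.IPv4Address(ip)
        matches = [r for r in self.active_routes() if addr in r.network()]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.network().prefixlen, -r.metric))

    def is_spoofed(self, src_ip: str, ingress: str) -> bool:
        """Reverse-path anti-spoofing as Automatic Topology derives it: the packet's
        source address must route back through the interface it arrived on."""
        route = self.lookup(src_ip)
        return route is None or route.interface != ingress


def sample_table(dmz_enabled: bool = True) -> RouteTable:
    """Constructed sample table. The default route is not added on the Routing page;
    it is inherited from the active Internet connection (here WAN, next hop 203.0.113.1)."""
    routes = [
        Route("0.0.0.0", "0.0.0.0", "203.0.113.1", "WAN"),
        Route("192.168.1.0", "255.255.255.0", None, "LAN Switch"),
        Route("10.0.0.0", "255.255.255.0", None, "DMZ"),
        # A backup path to the same prefix via a router on the LAN, with a worse metric
        Route("10.0.0.0", "255.255.255.0", "192.168.1.254", "LAN Switch", metric=50),
    ]
    return RouteTable(routes, {"WAN": True, "LAN Switch": True, "DMZ": dmz_enabled})


def bad_route_problems() -> List[str]:
    """Two constructed entries the page's rules reject: host bits set under the
    mask, and a metric outside 0-100."""
    table = RouteTable([
        Route("10.0.0.1", "255.255.255.0", None, "LAN1"),
        Route("172.16.0.0", "255.255.0.0", None, "LAN1", metric=101),
    ], {"LAN1": True})
    return table.validate()


if __name__ == "__main__":
    t = sample_table()
    print(t.lookup("10.0.0.5").interface)            # DMZ: metric 0 beats metric 50
    print(t.is_spoofed("192.168.1.10", "WAN"))       # True: LAN address arriving from the Internet
    print(t.is_spoofed("10.0.0.5", "LAN Switch"))    # True while the DMZ route is active
    print(sample_table(dmz_enabled=False).is_spoofed("10.0.0.5", "LAN Switch"))  # False
    print(bad_route_problems())
```

The last two calls are the caveat from the note: with the DMZ interface disabled, the 10.0.0.0/24 route through DMZ goes inactive, the metric-50 route through the LAN Switch takes over, and a 10.0.0.5 source arriving on the LAN is suddenly accepted as legitimate. With a manually defined topology the verdict would not move with the routing table.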
Implied Rules for Security Gateway 80
These implied rules apply only to Security Gateway 80 gateways and not to other gateways, except for the outgoing Internet connections rule. That rule previously existed for DHCP only and still allows outgoing DHCP traffic from Dynamic Address modules that are not Security Gateway 80:
Accept Dynamic Address modules' outgoing Internet connections - lets the appliance connect to the Internet if it needs traffic to set itself up (for example, as necessary in DHCP and PPTP). There is no need to add an explicit rule in the Security Policy in SmartDashboard in order to allow this access. If you wish to override this, go to SmartDashboard > Firewall Implied Rules section and clear the checkbox.
Accept incoming traffic to DHCP and DNS services of Gateway - gives access to the appliance’s provided services to the internal interfaces (DNS and DHCP). There is no need to add an explicit rule in the Security Policy in SmartDashboard in order to allow this access. If you wish to override this, go to SmartDashboard > Firewall Implied Rules section and clear the checkbox.
Accept Web and SSH connections for Gateway's administration - lets administrators access the appliance. For more information, see Administrator Access (on page 52).
Administration
The System Operations page lets you manage the settings and image as well as reboot the appliance.
Backup and Restore
Backup
The backup file you create in the WebUI contains these elements:
System settings
Security policy (if you select this option)
SIC certificate - see below machine replacement notes
License - since each license is per MAC address, when you restore to a different machine you need a new license.
The backup file does not include the actual software image.
Note - Restoring a backup file overwrites all existing content on the appliance.
You commonly back up your settings so that you can restore them later if necessary on the same appliance.
Note - You can use the backup file to restore your settings if you replace your appliance. In this case you do not need to reinitialize trust (SIC) with the Security Management Server, but you do need to reactivate the licenses, as they are bound to MAC addresses. For more information see the Restore section. You also have the option to copy your settings to other appliances, but in that case you need to reinitialize trust with the Security Management Server as well as reactivate the licenses.
Restore
You can restore your appliance settings from a backup file you create.
You can restore backup files created by different versions, provided the restore function supports the version the file was created with.
To restore an appliance with a backup file from another appliance, do these steps on the new appliance:
1. Open the First Time Wizard (login to http://my.gateway).
2. Set a one-time password and click Next.
3. Click Cancel.
4. Save the settings and continue.
5. Open the WebUI (http://my.gateway).
6. Go to the System Operations page and click Restore.
7. Select the Settings File and click Upload File.
8. Enter the License page in the WebUI.
9. Activate the license on the new appliance. This is mandatory as the new appliance has a unique MAC address that requires a new license (the backup file contains the license from the other appliance).
Upgrade
There are three methods you can use to upgrade the Security Gateway 80 appliance:
Upgrade using WebUI
Upgrade using a USB drive (on page 131)
Upgrade using boot loader (on page 132)
Upgrade Using WebUI
When you do an upgrade with the WebUI, an upgrade wizard prompts you to upload the new image.
Regardless of whether you save the current image before the upgrade, the system does the upgrade on a separate flash partition, and your current-running partition is not affected.
If, for some reason, you cannot access the appliance after the upgrade, or the appliance does not boot properly, disconnect the power cable and reconnect it. The appliance automatically reverts to the previous image.
To upgrade the appliance from the WebUI:
1. Select Appliance > System Operations and click Upgrade.
The Software Upgrade Wizard opens.
2. Click Next.
3. Click Browse and select the new software image file.
4. Click Upload.
The software image file is uploaded to the appliance.
5. Click Next.
In the upgrade wizard, before the actual upgrade process begins, you also have the option to save a local image with the Image Backup option. You can manually return to it at any time by clicking Revert to Previous Version in the System Operations page in the WebUI.
6. Select Save a local backup, if you want to save a local image.
7. Click Next.
The wizard shows a progress bar that indicates the upgrade stages. Image backup and the actual upgrade process each take several minutes.
Upon successful completion, the appliance reboots. The browser application shows a message regarding the upgrade status while the appliance is down. Once the appliance is back up, the browser redirects to the login page.
8. Press CTRL+F5 to refresh the browser.
Note - After a successful system upgrade, it is recommended to clear your browser's cache to delete the previous version's files from the browser cache.
Note - Each appliance also contains a factory default image (not to be confused with the saved backup image that you can save during an upgrade). The upgrade process through the WebUI does not replace the saved factory defaults on the appliance. However, when you upgrade with other available methods (used mainly in factory and distribution hubs) such as upgrade from USB or a bootp server, the upgrade process creates a new factory default image that is saved on the appliance. For more information regarding upgrade from USB or upgrade from bootp server, see Advanced Configuration (on page 131).
Factory Defaults
The Security Gateway 80 appliance contains a default factory image.
When the appliance is turned on for the first time, it loads with the default image.
As part of a troubleshooting process, you can restore the Security Gateway 80 appliance to its factory default settings if necessary.
You can restore a Security Gateway 80 appliance to the factory default image with the WebUI, Boot Loader or a button on the back panel.
Important - When you restore factory defaults, you delete all information on the appliance and it is necessary to run the First Time Configuration Wizard as explained in the Security Gateway 80 Quick Start Guide. If you upgraded your appliance in the past using the WebUI, you must upgrade it again.
To restore factory defaults with the WebUI:
1. In the Security Gateway 80 WebUI, click Appliance > System Operations. The System Operations pane opens.
2. In the Appliance section, click Factory Defaults.
3. In the pop-up window that opens, click OK.
4. While factory defaults are being restored, all LAN Link and Activity LEDs blink orange and green alternately to show progress.
This takes some minutes. When this completes, the appliance reboots automatically.
To restore factory defaults with the button on the back panel:
1. Press the Factory defaults button with a pin and hold it for at least 3 seconds.
2. When the Power and Notice LEDs are lit red, release the button. The appliance reboots itself and starts to restore factory defaults immediately.
3. While factory defaults are being restored, all LAN Link and Activity LEDs blink orange and green alternately to show progress.
This takes a few minutes. When this completes, the appliance reboots automatically.
To restore the Security Gateway 80 appliance to its default factory configuration using the Boot loader menu, see the Advanced Configuration (on page 131) section.
Administrators
The Administrators page in the WebUI lists the Security Gateway 80 Administrators, lets you create new administrators and lets you configure account security settings.
Administrators have the permission to access the WebUI application and also log in through SSH to the restricted cpshell.
Administrator Accounts
To create a Security Gateway 80 Administrator and configure security settings:
1. On the Administrators page, click New. The Administrator Account page appears.
2. Configure the parameters in the page that opens.
To change a password:
1. Click Change Password for the relevant administrator.
2. Configure the parameters in the page that opens.
Account Security Settings
1. Set the Session Timeout value.
2. To Enable Login Restrictions, click the checkbox and set the parameters:
Lock Account After __ Failed Login Attempts
Unlock Account After __ minutes.
3. Click Apply.
Administrator Account Configuration
1. Provide an Administrator Name and a Password for the Security Gateway 80 Administrator.
2. Confirm the password.
3. Click Apply.
Change Password
1. Enter the Old Password for the Security Gateway 80 Administrator.
2. Enter the New Password.
3. Confirm the password.
4. Click Apply.
Administrator Access
In the Admin Access page, a list of client IPs is shown if you configure specific IP addresses. Only the client IPs that you configure are permitted to access the Security Gateway 80 appliance. You can add or remove a Web/SSH client and set the access ports.
To allow administrator access from any IP address:
1. In the Admin Access page, select the Any IP Address option.
2. Select the interface type from which the IP addresses can obtain access from the Interface list.
3. Change the WEB Port (HTTPS) and/or SSH access ports if needed.
Note - If you change the WEB port, you will disconnect from the WebUI application and you will need to revisit http://my.gateway or the appliance's IP from your browser. This will redirect you to the correct port.
4. Click Apply.
To allow administrator access from a specific IP address:
1. In the Admin Access page, select the Specific IP Address option.
2. Click Add. The Access Policy IP Address Configuration page appears.
3. Define the IP address as either:
Specific IP - manually provide the IP address or click Get IP from My Computer.
Specific Network - manually provide the Network Address and Subnet Mask
4. Click Apply. The IP is added to the table.
5. Select the interface type from which the IP addresses can obtain access from the Interface list.
6. Change the WEB Port (HTTPS) and/or SSH access ports if required.
7. Click Apply.
To delete administrator access from a specific IP address:
1. In the Admin Access page, select the IP Address you want to delete from the IP Address table.
2. Click Delete.
To give administrator access from specific interfaces:
1. In the Admin Access page, select an option from the Interface list:
a) ALL - access is permitted from all interfaces.
b) LAN1 + WAN - access is permitted from the LAN1 interface, interfaces that are part of the switch that LAN1 participates in (if configured) and from any interface that you define as an external interface (leads to the Internet, for example, WAN).
c) WAN - access is permitted from any interface defined as an external interface (leads to the internet, for example, WAN).
d) ALL LAN - access is permitted from all LAN# interfaces. Access is not permitted in this option from the DMZ interface.
e) LAN1 - Access is permitted from the LAN1 interface, interfaces that are part of the switch that LAN1 participates in (if configured).
2. Click Apply.
Important Notes:
Administrator access by interface is not supported when your Internet Connection is configured in bridge mode (the option Access from the above IP addresses is allowed only from the following interfaces does not appear).
An automatic implied rule is defined to allow the access specified here. There is no need to add an explicit rule in the Security Policy in SmartDashboard in order to allow this access. If you wish to override this, go to SmartDashboard > Firewall Implied Rules section and clear "Accept Web and SSH connections for gateway's administration".
For your convenience, when you block the IP address or the network interface through which you are currently connected, you will not be disconnected immediately. The access policy is applied immediately, but your current session remains active until you log out.
Licensing
In the License Activation page in the WebUI, select a method to use to activate the software blade licenses. You also need to do this procedure to update your license after you purchase a new software blade.
To activate a license now:
1. Select Choose how to activate the license and either:
a) Click Obtain License from User Center and then Activate License. The Security Gateway 80 appliance will contact Check Point's User Center and will install the license automatically. To use a proxy server, click the Set Proxy link, select the checkbox and enter the address and port. Note that this option is available only if you are connected to the Internet.
b) Click Import Activation file and then Browse to select a license activation file. You can receive the activation file by doing one of these offline procedures:
Using your User Center account - log into your User Center account from a PC connected to the Internet and select the specific container of your Security Gateway 80 appliance, then within the Product Information tab, click on License, click on Activate and then this message is shown: "Licenses were generated successfully". Click Get Activation File and save your activation file locally.
Registering your appliance - go to http://register.checkpoint.com, fill in your appliance details and then click Activate. This message is shown: "Licenses were generated successfully". Click Get Activation File and save your activation file locally.
Click Activate License (once you click this, you will see the option Reactivate License). The software blades associated with this license and their expiration dates are shown.
2. To set trial licenses that are valid for 30 days, click Activate later (use trial license).
License States and Descriptions
State: Description
Trial: Before or after SIC was established, no license
Never: License installed, never expires (relevant for Firewall and IPSec VPN blades only)
Expires: License installed and expires on this specific date
Expired: License installed but has expired
No subscription: License installed but subscription not found
Missing License: License error - the license does not cover this blade (contact Check Point account services)
No License: No service - the relevant container does not contain this blade (contact Check Point account services)
Security
Integrated Anti-Virus Protection
Viruses are a major threat to network operations and have become increasingly dangerous and sophisticated. Examples include worms, blended threats (which use combinations of malicious code and vulnerabilities for infection and dissemination) and Trojan horses.
No extra IT resources are necessary for integrated Anti-Virus solutions and organizations benefit from their easy management in the familiar Check Point SMART infrastructure, which includes policy management, logging and monitoring. As a single box solution, hardware management is also simplified.
Eicar is a harmless test file used by various security solutions as a method of checking the soundness of the installation in a safe manner. Although R71 blocks live viruses by default, Eicar is only detected, with an appropriate log, to prevent false detection (in stream mode). As opposed to R71, Security Gateway 80 blocks the Eicar test file by default.
How the appliance handles the Eicar test file depends on the mode set with this command: fw ctl set int g_ci_av_eicar_handling_mode <mode>
Where <mode> is:
0 - Monitor only
1 - Ignore
2 - Block
Architecture
When Anti-Virus scanning is enabled, scanning is done in Stream mode - where traffic for the selected protocols is processed in the kernel on the stream of data without storing the entire file. The data is allowed or blocked based on the response of the kernel.
This mode is based on state-of-the-art virus signatures that are frequently updated in order to detect recent Malware outbreaks.
Anti-Virus scanning is applied only to accepted traffic that has been allowed by the security policy.
URL Filtering
Access to the Internet can expose your organization to a variety of security threats and negatively affect employee productivity as a result of non-work-related surfing and downloading of files. Due to the problems associated with excessive employee Web surfing, organizations are turning to URL Filtering to control employee Internet access, reduce legal liability and improve organizational security. URL Filtering enforces filtering rules based on the organization's needs and predefined categories made up of URLs and patterns of URLs.
URL Filtering includes reporting and monitoring tools that capture and present Web traffic data, and give organizations an in-depth look at how Web surfing affects their organization's security and supports decisions regarding Web surfing limitations.
A Web filter is a function that screens Web page requests to determine whether or not to display their Web content. The Web filter verifies the Web page URL against a list of approved sites and blocks access to complete sites or pages within sites that contain objectionable material (for example, pornography, illegal software and spyware).
Architecture
When a URL request arrives at a local machine, the machine checks the Network Exceptions List to determine whether to enforce the URL Filtering policy. The URL Filtering policy is activated if the connection is accepted by the Security Policy. If the URL Filtering policy is enforced, the URL header is stripped and the address is sent to the Web Filter engine.
The URL is allowed or blocked based on URL request information in the predefined database and/or the Web Filter Allow/Block Lists. For example, if the URL address matches two or more categories, and one of them is blocked, the URL address is denied, however, if the same address appears in the Allow List it is accepted.
The Web Filter engine is located in Check Point’s data center, while the Security Gateway 80 queries Check Point’s center for each request and categorizes it accordingly. A local cache is maintained on the Security Gateway 80 to ensure high performance.
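The decision order described in this architecture section, as an added example (not Check Point code): the category database, the Allow/Block Lists and the Network Exceptions List are constructed sample data, and the in-memory cache stands in for the appliance's local cache of engine replies.

```python
"""Model of the URL Filtering decision order described in this guide.

Added example, not Check Point code. CATEGORY_DB stands in for the Web
Filter engine in Check Point's data center; the other tables are a
constructed policy. Assumption: the Block List is consulted before the
category lookup, since the guide gives no order for that step.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: what the Web Filter engine would return for each host.
CATEGORY_DB = {
    "news.example": {"News"},
    "games.example": {"Games", "Streaming"},
    "mixed.example": {"News", "Gambling"},
}
BLOCKED_CATEGORIES = {"Gambling", "Streaming"}   # constructed policy
ALLOW_LIST = {"games.example"}                    # overrides a blocked category
BLOCK_LIST = {"banned.example"}
NETWORK_EXCEPTIONS = [ipaddress.ip_network("10.0.5.0/24")]  # not filtered


class UrlFilter:
    """Applies the guide's rules in order for one URL request."""

    def __init__(self, db, blocked_categories, allow_list, block_list, exceptions):
        self.db = db
        self.blocked_categories = set(blocked_categories)
        self.allow_list = set(allow_list)
        self.block_list = set(block_list)
        self.exceptions = list(exceptions)
        self.cache = {}            # host -> categories (the local cache)
        self.engine_queries = 0    # how often the "data center" was asked

    def categorize(self, host):
        """Return the host's categories, querying the engine only on a cache miss."""
        if host not in self.cache:
            self.engine_queries += 1
            self.cache[host] = set(self.db.get(host, {"Uncategorized"}))
        return self.cache[host]

    def decide(self, client_ip, url, accepted_by_policy=True):
        """Return (verdict, reason) for a URL request from client_ip."""
        # URL Filtering runs only on traffic the Security Policy accepted.
        if not accepted_by_policy:
            return "drop", "rejected by the Security Policy before URL Filtering"
        # Network Exceptions List: these clients are not filtered at all.
        client = ipaddress.ip_address(client_ip)
        if any(client in net for net in self.exceptions):
            return "allow", "client is on the Network Exceptions List"
        # Strip the URL down to the address that is sent to the engine.
        host = (urlsplit(url).hostname or "").lower()
        if host in self.allow_list:
            return "allow", "address is on the Allow List"
        if host in self.block_list:
            return "block", "address is on the Block List"
        # One blocked category among the matches is enough to deny the request.
        hit = self.categorize(host) & self.blocked_categories
        if hit:
            return "block", "matches blocked category " + ", ".join(sorted(hit))
        return "allow", "no matched category is blocked"


if __name__ == "__main__":
    f = UrlFilter(CATEGORY_DB, BLOCKED_CATEGORIES, ALLOW_LIST, BLOCK_LIST, NETWORK_EXCEPTIONS)
    for ip, url in [("192.0.2.10", "http://mixed.example/today"),
                    ("192.0.2.10", "http://games.example/play"),
                    ("10.0.5.7", "http://mixed.example/today")]:
        print(ip, url, f.decide(ip, url))
```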
Messaging Security
The relentless and unprecedented growth in unwanted email now poses an unexpected security threat to the network. As the amount of resources (disk space, network bandwidth, CPU) devoted to handling unsolicited emails increases from year to year, employees waste more and more time sorting through unsolicited bulk email commonly known as spam. Anti-Spam and Mail provides network administrators with an easy and central way to eliminate most of the spam reaching their networks.
The Security Gateway 80 appliance performs Anti-Spam based on IP reputations.
IP Reputation Anti-Spam - IP reputation is an Anti-Spam mechanism that checks the IP address of the message sender (contained in the opening SYN packet) against a dynamic database of suspect IP addresses. If, according to the IP reputation service, the originating network has a reputation for sending spam, then the spam session is blocked at connect time. In this way, the IP reputation feature creates a list of trusted email sources.
Diagnostics
Tools
The Tools page contains options for pinging or tracing an IP address, performing a DNS lookup, showing the routing table, capturing packets and resource monitoring.
To monitor system resources:
1. Click Monitor System Resources. The System Resources page opens and shows the following information:
CPU usage history
Memory usage history - memory is calculated without memory that was preallocated to handle traffic and without cache memory. This gives a more accurate picture of the actual memory usage in the appliance, but it may differ from figures you receive from Linux tools.
Disk usage
2. Click Refresh Disk Usage to display the most updated disk usage.
3. Click Close to return to the Tools page.
To show the routing table:
1. Click Show Routing Table. The output appears in the Command Output box.
2. Click Back to return to the Tools page.
To capture packets:
1. Click Packet Capture.
2. Select an option from the Select Network list.
3. Click Start and then Stop when you want to stop packet capturing.
4. Click Download to view or save the capture file.
5. Click Back to return to the Tools page.
You can activate packet capture and go to other WebUI application pages while the packet capture runs in the background. However, the packet capture stops automatically if the WebUI session ends. Make sure you return to the packet capture page, stop and download the capture result before you end the WebUI session.
Note - The capture utility uses tcpdump. "fw monitor" is available through the command line interface.
To ping or trace an IP address:
1. Enter an IP or host name in the Host Name or IP Address box.
2. Click Ping or Trace Route. The output appears in the Command Output box.
3. Click Back to return to the Tools page.
To perform a DNS lookup:
1. Enter a Host Name or IP Address.
2. Click Lookup. The output appears in the Command Output box.
3. Click Back to return to the Tools page.
To generate a CPInfo file:
1. Click Generate CPInfo File.
2. Click Download CPInfo File to view or save the CPInfo file.
Traffic Logs
The Traffic Logs page lets you browse the last 100 log records. These logs are sent to SmartView Tracker, but are also available on this page, for your convenience.
Note that the number of logs shown is not configurable, and is not related to the SmartDashboard setting "GW properties> Logs and alert > Max log size…" (this setting only applies to logs that are saved by the gateway when the Security Management Server cannot be reached).
The Service column, which shows the destination port for UDP/TCP traffic, is empty for non-UDP/TCP traffic (see the Protocol column for this information). Some known destination ports are translated into the known protocols that pass through them. Port 4434 in Security Gateway 80 is translated by default to https.
System Logs
The System Logs page displays system logs generated by the appliance at all levels except for the debug level. These logs should be used mainly for troubleshooting purposes and can also provide the administrator with notifications of events that occurred on the appliance.
For example: Setting an external connection as the "Active" connection while the appliance is configured in Internet Connection High Availability mode.
To download the full log file:
1. Click Download Full Log File.
2. Click Open or Save.
To save a snapshot of the system logs to the flash disk:
1. Select the option Save a snapshot of system logs to flash every ___ minutes.
2. Click Apply.
The default value for the interval is 180 minutes (3 hours).
The minimum value for the interval is 30 minutes.
This is an effort to keep system logs persistent across reboots, but it is not guaranteed.
CLI Reference
Using Command Line Interface
Changes to the Security Gateway 80 appliance should be made with the WebUI. When using the command line interface (CLI) note these aspects:
Security Gateway 80's operating system is SecurePlatform Embedded.
CLI default shell (cpshell) is restricted as in SecurePlatform. You can log in to Expert mode for a full bash shell as in SecurePlatform.
Changes to the configuration are only supported from the appliance WebUI. Advanced users can use the command line shell for troubleshooting and temporary networking modifications, but changes are not persistent and are lost upon boot. Note that temporary changes are not reflected in the WebUI.
These SecurePlatform commands are not supported in this version:
ifconfig
ifconfig --save
SSH to the appliance is supported and is enabled through the WebUI.
You can enable login directly to Expert mode. To do this:
Log in to Expert mode using the "Expert" password.
Run the command bashUser on
You will now always log in directly to Expert mode (this setting is not deleted during reboot)
To turn this mode off, run the command bashUser off
SCP to the appliance is supported, but you need to enable direct login to Expert mode. For more information, see sk52763 (http://supportcontent.checkpoint.com/solutions?id=sk52763). Note that SFTP, which is commonly used by WinSCP, is not supported.
CLISH Auto-completion
All CLISH commands support auto-completion. Standard Check Point and native Linux commands can be used from the CLISH shell but do not support auto-completion. These are examples of the different commands:
CLISH - fetch, set, show
Standard Check Point - cphaprob, fw, vpn
Native Linux - ping, tcpdump, traceroute
CLI Syntax
The CLI commands are formatted according to these syntax rules.
Notation: Description
Text without brackets or braces: Items you must type as shown
<Text inside angle brackets>: Placeholder for which you must supply a value
[Text inside square brackets]: Optional items
Vertical bar (|): Separator for mutually exclusive items; choose one
{Text inside braces}: Set of required items; choose one
Ellipsis (…): Multiple values or parameters can be entered
Using Hostnames
Follow these standards when using hostnames in Security Gateway 80 CLI commands.
Hostnames can only contain alphanumeric characters and periods
Only use underscore characters in the first segment of a hostname, but not as the first or last character
The last segment must start with an alphabetic character
For example, my_host.checkpoint is a legal hostname, but myhost.check_point causes an error message because there is an underscore character in the second segment.
Using Domain Names
Follow these standards when using domain names in Security Gateway 80 CLI commands.
Domain names can only contain alphanumeric characters and periods
The last segment must start with an alphabetic character
For example, mydomain.checkpoint.com is a legal domain name, but my_domain.checkpoint.com causes an error message because there is an underscore character in the first segment.
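The hostname and domain-name rules above, as an added example that is not Check Point code: a checker that applies the rules exactly as the guide states them, using the guide's own examples as inputs. The function names (check_hostname, check_domain, add_host_command) are hypothetical; add_host_command only builds the guide's "add host" command string and does not run it.

```python
"""Checks of the hostname and domain-name rules stated in this guide.

Added example, not Check Point code. check_hostname/check_domain return an
empty string for a legal name, otherwise the reason the CLI would reject it.
"""
from __future__ import annotations

import ipaddress
import re

_ALNUM = re.compile(r"^[A-Za-z0-9]+$")
# First hostname segment: underscores allowed, but not as first or last character.
_FIRST_HOST_SEGMENT = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9_]*[A-Za-z0-9])?$")


def _segments(name: str) -> list[str] | str:
    """Split name on periods; return an error string if any segment is empty."""
    if not name:
        return "name is empty"
    segments = name.split(".")
    if "" in segments:
        return "empty segment (leading, trailing or doubled period)"
    return segments


def check_hostname(host: str) -> str:
    """Apply the hostname rules: alphanumerics and periods only, underscores
    only inside the first segment, last segment starts with a letter."""
    segments = _segments(host)
    if isinstance(segments, str):
        return segments
    if not _FIRST_HOST_SEGMENT.match(segments[0]):
        return "first segment may use underscores only between alphanumeric characters"
    for position, seg in enumerate(segments[1:], start=2):
        if not _ALNUM.match(seg):
            return f"segment {position} ({seg!r}) may contain only alphanumeric characters"
    if not segments[-1][0].isalpha():
        return "last segment must start with an alphabetic character"
    return ""


def check_domain(domain: str) -> str:
    """Apply the domain-name rules: alphanumerics and periods only in every
    segment (no underscores anywhere), last segment starts with a letter."""
    segments = _segments(domain)
    if isinstance(segments, str):
        return segments
    for position, seg in enumerate(segments, start=1):
        if not _ALNUM.match(seg):
            return f"segment {position} ({seg!r}) may contain only alphanumeric characters"
    if not segments[-1][0].isalpha():
        return "last segment must start with an alphabetic character"
    return ""


def add_host_command(host: str, ip: str) -> str:
    """Build the guide's 'add host' command, refusing input the CLI would reject."""
    reason = check_hostname(host)
    if reason:
        raise ValueError(f"illegal hostname {host!r}: {reason}")
    addr = ipaddress.IPv4Address(ip)  # raises AddressValueError on a bad address
    return f"add host name {host} ipv4-address {addr}"


if __name__ == "__main__":
    for name in ("my_host.checkpoint", "myhost.check_point", "host.1checkpoint"):
        print(f"hostname {name}: {check_hostname(name) or 'legal'}")
    for name in ("mydomain.checkpoint.com", "my_domain.checkpoint.com"):
        print(f"domain {name}: {check_domain(name) or 'legal'}")
    print(add_host_command("John", "1.1.1.1"))
```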
Supported Linux Commands
These standard Linux commands are also supported by the Security Gateway 80 CLI.
arp
netstat
nslookup
ping
resize
sleep
tcpdump
top
traceroute
uptime
add admin access
Adds a specific IPv4 address or a network IPv4 address from which the admin can remotely access the appliance.
Description: The admin can access via the single IPv4 address or a network address
Syntax: add admin-access-ipv4-address {single-ipv4-address|network-ipv4-address} <ip_addr> {subnet-mask <netmask>|mask-length <mask_length>}
Parameters:
<ip_addr> - IPv4 address
<mask_length> - Interface mask length, a value between 1 - 32
<netmask> - Interface IPv4 address subnet mask
Return Value: 0 on success, 1 on failure
Example: add admin-access-ipv4-address 1.1.1.1 subnet-mask 255.255.255.0 mask-length 18
Output: Success prints OK. Failure prints appropriate error message.
add host
Description: Adds a static host named <host> with IP address <ip_addr>.
Syntax: add host name <host> ipv4-address <ip_addr>
Parameters:
<host> - The host name
<ip_addr> - The host IPv4 address
Return Value: 0 on success, 1 on failure
Example: add host name John ipv4-address 1.1.1.1
Output: Success prints OK. Failure prints appropriate error message.
add interface
Description: Adds VLAN <vlan> to interface <interface>.
Syntax: add interface <interface> vlan <vlan>
Parameters:
<interface> - Valid interface name
<vlan> - VLAN number, a value between 1 and 4094.
Return Value: 0 on success, 1 on failure
Example: add interface LAN4 vlan 1
Output: Success prints OK. Failure prints appropriate error message.
add ntp
Adds an NTP (Network Time Protocol) server, with the option to designate it as the primary or secondary server.
Description: Adds an NTP server with IP address or host name <ip_addr_host>.
Syntax: add ntp server <ip_addr_host> [prefer <on|off> active <on|off>]
Parameters:
<ip_addr_host> - NTP server host name or IPv4 address.
<on|off> - On enables the NTP server, Off disables the NTP server
Return Value: 0 on success, 1 on failure
Examples:
add ntp server 1.1.1.1
add ntp server 1.1.1.2 prefer on
add ntp server 1.1.1.2 prefer on ntp_active off
add ntp server 1.1.1.2 active on
Output: Success prints OK. Failure prints appropriate error message.
Comments: If active is off or is not set, then NTP is disabled.
add snmp
Adds SNMP related parameters.
Adding SNMP v2 Traps Receiver
The add snmp command adds an SNMPv2 traps receiver.
Description: Adds an SNMPv2 traps receiver. <comm_string> is used for SNMP security and authentication.
Syntax: add snmp traps receiver <ip_addr> version v2 community <comm_string>
Parameters:
<ip_addr> - Trap receiver IPv4 address.
<comm_string> - A password for the v1 and v2 protocols. The value can be any word.
Return Value: 0 on success, 1 on failure
Example: add snmp traps receiver 1.1.1.1 version v2 community abcd
Output: Success prints OK. Failure prints appropriate error message.
Adding SNMP v3 Traps Receiver
The add snmp command adds an SNMPv3 traps receiver.
Description: Adds an SNMPv3 traps receiver. The security parameters that are defined for <v3_user> are used.
Syntax: add snmp traps receiver <ip_addr> version v3 usm user <v3_user>
Parameters:
<ip_addr> - Trap receiver IPv4 address.
<v3_user> - A string representing the name of the user to add.
Return Value: 0 on success, 1 on failure
Example: add snmp traps receiver 1.1.1.1 version v3 user usm1
Output: Success prints OK. Failure prints appropriate error message.
add switch
Adds an interface to a LAN switch. If the LAN switch does not exist, it is created and inherits all settings from the LAN1 interface.
Description: Adds an interface <interface> to a LAN switch.
Syntax: add switch port <interface>
Parameters:
<interface> - Valid interface name
Return Value: 0 on success, 1 on failure
Example: add switch port LAN4
Output: Success prints OK. Failure prints appropriate error message.
Comments: The interface that is added to the switch must be unassigned. When you run the command on an interface that has an IP address assigned to it, this error message is printed: Error: <interface> port has static IP address assigned.
LAN1 is always a part of the LAN switch.
add user
Adds a new user with two optional password parameters: a plain-text password or an MD5 password hash.
Description: Adds a new user named <user> and specifies password <pass> or <pass_hash>.
Syntax:
add user <user> [password <pass>]
add user <user> [password-hash <pass_hash>]
Parameters:
<user> - User login name
<pass> - User password. Alphanumeric and special characters are allowed
<pass_hash> - User password, MD5 string representation
Return Value: 0 on success, 1 on failure
Examples:
add user John
add user John password extremelySafePassword
Output: Success prints OK. Failure prints appropriate error message.
Comments: Password <pass> or <pass_hash> can be set later using the set user command.
To generate a password hash, you can use this command on any Security Gateway 80 gateway (as an expert user):
cryptpw -a md5 <password string>
backup settings
Creates a backup file that contains the current settings for the appliance. The file is saved to either a USB device or a TFTP server. You can use these options when the backup file is created:
Specific file name (the default file name contains the current image and a date and time stamp)
Password encryption
Backup policies
Add a comment to the file
Description: Backs up the settings currently on the appliance and saves them to a file.
Syntax: backup settings to {usb|tftp server <serverIP>} [filename <filename>] [file-encryption {off|on password <pass>}] [backup-policy {on|off}] [add-comment <comment>]
Parameters:
<comment> - Comment that is added to the file.
<filename> - Name of the backup file.
<pass> - Password for the file. Alphanumeric and special characters are allowed.
<serverIP> - IPv4 address of the TFTP server.
Return Value: 0 on success, 1 on failure
Example: backup settings to usb file-encryption on password admin backup-policy on add-comment check_point_new_configuration
Output: Success prints OK. Failure prints appropriate error message.
Comments: When saving the backup file to a USB device, the backup settings command fails if there are two USB devices connected to the appliance.
cphaprob
The cphaprob command defines critical cluster member processes for the appliance. When a critical process fails, the appliance is considered to have failed.
Description: Manages the cluster properties of the appliance
Syntax: cphaprob [-i[a]] [-d <device>] [-s {ok|init|problem}] [-f <file>] [-p] [register|unregister|report|list|state|if]
Parameters:
register - Registers <appliance> as a critical process
-a - Lists all devices in the cluster
-d <device> - The name of the device as it appears in the output of cphaprob list
-p - The configuration change is permanent and applies after the appliance reboots.
-t <timeout> - If <device> fails to contact ClusterXL in <timeout> seconds, <device> is considered to have failed. To disable this parameter, enter the value 0.
-s - Status to be reported:
ok - <appliance> is alive
init - <appliance> is initializing
problem - <appliance> has failed
-f <file> register - Option to automatically register several appliances. The file defined in the <file> field should contain the list of appliances with these parameters: <device>, <timeout>, status.
unregister - Unregisters <device> as a critical process.
report - Reports the status of the <device> to the gateway.
list - Displays the state of:
-i - Internal (as well as external) devices, such as interface check and HA initialization.
-e - External devices, such as devices registered by the user or outside the kernel. For example, fwd, sync, filter.
-ia - All devices, including those used for internal purposes, such as node initialization and load-balance configuration.
state - Displays the state of all the gateways in the High Availability configuration.
if - Displays the state of interfaces.
Example: cphaprob -d $process -t 0 -s ok -p register
Output: Success prints OK. Failure prints appropriate error message.
These are some typical scenarios for the cphaprob command.
Argument
    Description
cphaprob -d <device> -t <timeout(sec)> -s <ok|init|problem> [-p] register
    Register <device> as a critical process, and add it to the list of devices that must be running for the cluster member to be considered active.
cphaprob -f <file> register
    Register all the user defined critical devices listed in <file>.
cphaprob -d <device> [-p] unregister
    Unregister a user defined <device> as a critical process. This means that this device is no longer considered critical.
cphaprob -a unregister
    Unregister all the user defined devices.
cphaprob -d <device> -s <ok|init|problem> report
    Report the status of a user defined critical device to ClusterXL.
cphaprob [-i[a]] [-e] list
    View the list of critical devices on a cluster member, and of all the other machines in the cluster.
cphaprob state
    View the status of a cluster member, and of all the other members of the cluster.
cphaprob [-a] if
    View the state of the cluster member interfaces and the virtual cluster interfaces.
Examples
cphaprob -d <device> -t <timeout(sec)> -s <ok|init|problem> [-p] register
cphaprob -f <file> register
cphaprob -d <device> [-p] unregister
cphaprob -a unregister
cphaprob -d <device> -s <ok|init|problem> report
cphaprob [-i[a]] [-e] list
cphaprob state
cphaprob [-a] if
cphastop
Running cphastop on an appliance that is a cluster member stops the appliance from passing traffic. State synchronization also stops.
Description: Disables High Availability on the appliance
Syntax: cphastop
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: cphastop
Output: Success prints OK. Failure prints appropriate error message.
cpinfo
CPinfo is a utility that collects data on a machine at the time of execution. The CPinfo output file enables Check Point's support engineers to analyze setups from a remote location. The file is saved to a USB drive or a TFTP server.
Description: Creates Check Point Support Information file on USB drive or TFTP server
Syntax: cpinfo {to-tftp <ipaddr>|to-usb}
Parameters:
  <ipaddr>  IPv4 address
Return Value: 0 on success, 1 on failure
Example: cpinfo to-usb
Output: Success prints Creating cpinfo.txt file. Failure prints appropriate error message.
cpshell
Description: Starts cpshell.
Syntax: cpshell
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: cpshell
Output: None
Comments: Use the shell ("shell/expert" on page 114) command to switch to expert mode.
cpstart
Start all Check Point processes and applications running on a machine.
Description: Starts firewall services
Syntax: cpstart
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: cpstart
Output: Success prints Starting CP products.... Failure prints appropriate error message.
cpstat
Displays the status of Check Point applications.
Description: Display Check Point statistics info
Syntax: cpstat [-h <host>] [-p <port>] [-s <SICname>] [-f <flavor>] [-o <polling>] [-c <count>] [-e <period>] [-d] application_flag <flag>
Parameters:
  -h <host>  A resolvable hostname, a dot-notation address (for example: 192.168.33.23), or a DAIP object name. The default is localhost.
  -p <port>  Port number of the server. The default is the standard server port (18192).
  -s <SICname>  Secure Internal Communication (SIC) name of the server.
  -f <flavor>  The flavor of the output (as it appears in the configuration file). The default is the first flavor found in the configuration file.
  -o <polling>  Polling interval (seconds) specifies the pace of the results. The default is 0, meaning the results are shown only once.
  -c <count>  Specifies how many times the results are shown. The default is 0, meaning the results are repeatedly shown.
  -e <period>  Specifies the interval (seconds) over which 'statistical' OIDs are computed. Ignored for regular OIDs.
  -d  Debug mode.
  <flag>  The application whose status is displayed. One of the following:
      fw — Firewall component of the Security Gateway
      vpn — VPN component of the Security Gateway
      fg — QoS (formerly FloodGate-1)
      ha — ClusterXL (High Availability)
      os — OS Status
      mg — Security Management server
      persistency — historical status values
      polsrv
      uas
      svr
      cpsemd
      cpsead
      asm
      ls
      ca
Return Value: 0 on success, 1 on failure
Example: cpstat -h 192.168.1.1 fw
Output: Success prints OK. Failure prints appropriate error message.
The following flavors can be added to the application flags:
  fw — "default", "interfaces", "all", "policy", "perf", "hmem", "kmem", "inspect", "cookies", "chains", "fragments", "totals", "ufp", "http", "ftp", "telnet", "rlogin", "smtp", "pop3", "sync"
  vpn — "default", "product", "IKE", "ipsec", "traffic", "compression", "accelerator", "nic", "statistics", "watermarks", "all"
  fg — "all"
  ha — "default", "all"
  os — "default", "ifconfig", "routing", "memory", "old_memory", "cpu", "disk", "perf", "multi_cpu", "multi_disk", "all", "average_cpu", "average_memory", "statistics"
  mg — "default"
  persistency — "product", "Tableconfig", "SourceConfig"
  polsrv — "default", "all"
  uas — "default"
  svr — "default"
  cpsemd — "default"
  cpsead — "default"
  asm — "default", "WS"
  ls — "default"
  ca — "default", "crl", "cert", "user", "all"
cpstop
Terminate all Check Point processes and applications running on the appliance.
Description: Stops firewall services
Syntax: cpstop
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: cpstop
Output: Success prints Uninstalling Security Policy.... Failure prints appropriate error message.
cpwd_admin
The cpwd_admin utility can be used to verify if a process is running and to stop and start a process if necessary.
Description: cpwd_admin commands
Syntax: cpwd_admin {del <name>|detach <name>|list|kill|exist|start_monitor|stop_monitor|monitor_list}
Parameters:
  del  Deletes process
  detach  Detaches process
  list  Print status of processes
  kill  Stops cpWatchDog
  exist  Checks if cpWatchDog is running
  start_monitor  cpwd starts monitoring this machine
  stop_monitor  cpwd stops monitoring this machine
  monitor_list  Displays list of monitoring processes
  <name>  Name of process
Return Value: 0 on success, 1 on failure
Example: cpwd_admin start_monitor
Output: Success prints OK. Failure prints appropriate error message.
cpwd_admin config
Sets cpWatchDog configuration parameters. When the parameters are changed, these changes are applied after cpwd is stopped and restarted.
Description: Manages cpWatchDog parameters
Syntax: cpwd_admin config {-p|-a <value=data value=data...>|-d <value value...>|-r}
Parameters:
  -p  Prints the cpwd parameters.
  -a  Adds one or more monitoring parameters
  -d  Deletes one or more parameters.
  -r  Restores the default cpwd parameters.
<value> arguments:
  timeout  If rerun_mode=1, how much time passes from process failure to rerun. The default value is 60 seconds.
  no_limit  Maximum number of times that cpwd tries to restart a process. The default is 5.
  zero_timeout  After failing no_limit times to restart a process, cpwd waits zero_timeout seconds before retrying. The default is 7200 seconds. This value should be greater than timeout.
  sleep_mode  1 - wait timeout
              0 - ignore timeout. Rerun the process immediately
  dbg_mode  1 - Accept pop-up error messages (with exit-code#0) displayed when a process terminates abruptly (Windows NT only).
            0 - Do not receive pop-up error messages. This is useful if pop-up error messages freeze the machine. This is the default value (Windows NT only).
  rerun_mode  1 - Rerun a failed process. This is the default value.
              0 - Do not rerun a failed process.
  stop_timeout  The time in seconds that the cpwd waits for a stop command to be completed. Default is 60 seconds.
  reset_startups  The time in seconds that the cpwd waits after the process begins before it resets the startup_counter. Default value is 1 hour. An hour after the process begins the startup counter is reset to 0.
Return Value: 0 on success, 1 on failure
Example: cpwd_admin config -a timeout=120 no_limit=12
Output: Success prints OK. Failure prints appropriate error message.
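The restart parameters above interact (a failed process is rerun at most no_limit times, timeout seconds apart, and then only after zero_timeout), so the resulting schedule is worth checking before the watchdog is reconfigured. The following added example, which is not Check Point code, parses the value=data form taken by -a, checks the stated constraint that zero_timeout exceeds timeout, and replays a constructed run of process failures against a parameter set; the point at which the startup counter resets after the zero_timeout wait is not stated above and is assumed here to be zero.

```python
"""Model of the cpwd_admin config restart parameters documented above.

Added example; this is not Check Point code. It parses the value=data form
taken by 'cpwd_admin config -a', checks that zero_timeout is greater than
timeout, and replays a sequence of process failures against timeout,
no_limit, zero_timeout, sleep_mode, rerun_mode and reset_startups.
Assumption (not stated on the page): after the zero_timeout back-off the
startup counter starts again from zero.
"""

# Default values as stated in the reference above (seconds where applicable).
CPWD_DEFAULTS = {
    "timeout": 60,
    "no_limit": 5,
    "zero_timeout": 7200,
    "sleep_mode": 1,
    "dbg_mode": 0,
    "rerun_mode": 1,
    "stop_timeout": 60,
    "reset_startups": 3600,
}


def parse_config_args(args):
    """Parse the 'value=data value=data ...' string given to cpwd_admin config -a."""
    parsed = {}
    for token in args.split():
        key, sep, value = token.partition("=")
        if not sep or key not in CPWD_DEFAULTS:
            raise ValueError("unknown or malformed cpwd parameter: %r" % token)
        if not value.isdigit():
            raise ValueError("%s must be a non-negative integer" % key)
        parsed[key] = int(value)
    return parsed


def effective_config(overrides):
    """Defaults with the given overrides applied, as cpwd sees them after a restart."""
    cfg = dict(CPWD_DEFAULTS)
    cfg.update(overrides)
    return cfg


def validate_config(cfg):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    for flag in ("sleep_mode", "dbg_mode", "rerun_mode"):
        if cfg[flag] not in (0, 1):
            problems.append("%s must be 0 or 1" % flag)
    if cfg["zero_timeout"] <= cfg["timeout"]:
        problems.append("zero_timeout must be greater than timeout")
    if cfg["no_limit"] < 1:
        problems.append("no_limit must be at least 1")
    return problems


def replay_failures(failure_times, cfg):
    """Replay process failures (seconds since cpwd started the process at time 0).

    Returns a list of (failure_time, action, restart_time) tuples where action is
    'rerun', 'rerun-after-zero_timeout' or 'abandon' (restart_time is then None).
    """
    actions = []
    last_start = 0
    startup_counter = 0
    for t in failure_times:
        if t < last_start:
            raise ValueError("failure at %d precedes the scheduled restart at %d" % (t, last_start))
        # reset_startups: the counter returns to 0 once the process has run that long.
        if t - last_start >= cfg["reset_startups"]:
            startup_counter = 0
        if cfg["rerun_mode"] == 0:
            actions.append((t, "abandon", None))
            break
        if startup_counter < cfg["no_limit"]:
            # sleep_mode=1 waits timeout seconds; sleep_mode=0 reruns immediately.
            delay = cfg["timeout"] if cfg["sleep_mode"] == 1 else 0
            startup_counter += 1
            action = "rerun"
        else:
            # no_limit restarts used up: back off for zero_timeout (assumed to reset the counter).
            delay = cfg["zero_timeout"]
            startup_counter = 1
            action = "rerun-after-zero_timeout"
        last_start = t + delay
        actions.append((t, action, last_start))
    return actions


if __name__ == "__main__":
    cfg = effective_config(parse_config_args("timeout=120 no_limit=12"))
    print(validate_config(cfg))
    for step in replay_failures([10, 100, 200], cfg):
        print(step)
```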
cpwd_admin start|stop
Starts a new or stops an existing process using cpwd.
Description: Starts or stops a process
Syntax: cpwd_admin {start|stop} -name <process> -path <path> -command <cli_command>
Parameters:
  <process>  Name of the process
  <"path">  Full path of the executable, including the executable name.
  <cli_command>  Name of CLI command
Return Value: 0 on success, 1 on failure
Example: cpwd_admin start -name FWM -path $FWDIR/bin/fwm -command fwm
Output: Success prints OK. Failure prints appropriate error message.
delete admin access
Deletes a specific IP address or network address from which the admin can access the appliance.
Description: Deletes an IP address that allows remote access to the appliance
Syntax: delete admin-access-ipv4-address ipv4-address <ip_addr>
Parameters:
  <ip_addr>  IPv4 address
Return Value: 0 on success, 1 on failure
Example: delete admin-access-ipv4-address ipv4-address 1.1.1.1
Output: Success prints OK. Failure prints appropriate error message.
delete ICMP server
Deletes an ICMP server from the primary or secondary Internet connection for the appliance.
Description: Deletes the settings for an ICMP server
Syntax: delete icmp-server <ip_addr> connection {primary|secondary}
Parameters:
  <ip_addr>  IPv4 address
  primary  ICMP server for the primary Internet connection
  secondary  ICMP server for the secondary Internet connection
Return Value: 0 on success, 1 on failure
Example: delete icmp-server 1.1.1.1 connection primary
Output: Success prints OK. Failure prints appropriate error message.
delete dhcp
You can use the delete dhcp command to delete configured DHCP (Dynamic Host Configuration Protocol) settings. You can delete these settings:
  Range of excluded IP addresses
  Custom DHCP option codes
Deleting Excluded IP Addresses
Description: Deletes IP address exclude range <DHCP_excl> that was defined for interface <interface>.
Syntax: delete dhcp server interface <interface> exclude-range <DHCP_excl>
Parameters:
  <interface>  Valid interface name
  <DHCP_excl>  IP address range: <ipv4-address>-<ipv4-address>
Return Value: 0 on success, 1 on failure
Example: delete dhcp server interface LAN2 exclude-range 1.1.1.1-1.1.1.8
Output: Success prints OK. Failure prints appropriate error message.
Deleting DHCP Custom Option Code
Description: Deletes DHCP custom option with code <code> that was defined for interface <interface>.
Syntax: delete dhcp server interface <interface> custom-option code <code>
Parameters:
  <code>  Integer that represents the DHCP custom option
  <interface>  Valid interface name
Return Value: 0 on success, 1 on failure
Example: delete dhcp server interface LAN2 custom-option code 12
Output: Success prints Configurations Saved Successfully. Failure prints an appropriate error message.
Comments: For more information regarding DHCP options, please read RFC 2132.
delete dns
Deletes the settings for the DNS (Domain Name Server) servers. The secondary DNS server is used when the primary DNS server does not respond. The tertiary DNS server is used when the primary and secondary DNS servers do not respond.
Description: Deletes the specified DNS server.
Syntax: delete dns {primary|secondary|tertiary}
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: delete dns secondary
Output: Success prints OK. Failure prints appropriate error message.
delete domainname
Description: Removes the domain name of the system.
Syntax: delete domainname
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: delete domainname
Output: Success prints OK. Failure prints appropriate error message.
Comments: To set a domain name for the system, use the set domainname command.
delete host
Description: Deletes the static host named <host>.
Syntax: delete host name <host>
Parameters:
  <host>  Name of the static host
Return Value: 0 on success, 1 on failure
Example: delete host name cnn.com
Output: Success prints OK. Failure prints appropriate error message.
delete interface
You can use the delete interface command to delete these parameters from an interface:
  Configured VLANs
  Internet interfaces
Deleting VLANs
Description: Deletes the VLAN named <vlan> from interface named <interface>.
Syntax: delete interface <interface> vlan <vlan>
Parameters:
  <interface>  Valid interface name
  <vlan>  VLAN name - a value between 1 and 4094.
Return Value: 0 on success, 1 on failure
Example: delete interface LAN4 vlan 14
Output: Success prints OK. Failure prints appropriate error message.
Deleting the Internet Interface
Description: Deletes the Internet interface <interface> and can be used for the <primary|secondary> connection.
Syntax: delete interface <interface> [internet <primary|secondary>]
Parameters:
  <interface>  Valid interface name
  <primary|secondary>  Primary or secondary Internet connection
Return Value: 0 on success, 1 on failure
Examples:
  delete interface WAN
  delete interface DMZ internet secondary
Output: Success prints OK. Failure prints appropriate error message.
Comments: <primary|secondary> must be used when a secondary Internet connection is defined on the WAN. When configuring the Internet connection for an interface in a DMZ, you must use the <primary|secondary> parameter.
delete ntp
Deletes the NTP (Network Time Protocol) server.
Description: Deletes the NTP server with IP address or host name <ip_addr_host>.
Syntax: delete ntp server <ip_addr_host>
Parameters:
  <ip_addr_host>  NTP server host name or IP address
Return Value: 0 on success, 1 on failure
Examples:
  delete ntp server 0.pool.ntp.org
  delete ntp server 195.43.74.3
Output: Success prints OK. Failure prints appropriate error message.
delete proxy
Description: Deletes a proxy server.
Syntax: delete proxy
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: delete proxy
Output: Success prints OK. Failure prints appropriate error message.
delete snmp
Deletes these SNMP parameters:
  SNMP trap receiver
  SNMP contact information
  SNMP location
  SNMP v3 user
Description: Deletes SNMP related parameters
Syntax: delete snmp {trap receiver <ip_addr>|contact|location|user <v3_user>}
Parameters:
  <ip_addr>  Trap receiver IPv4 address.
  <v3_user>  A string representing the name of the user to delete.
Return Value: 0 on success, 1 on failure
Examples:
  delete snmp trap receiver 1.1.1.1
  delete snmp user usm1
Output: Success prints OK. Failure prints appropriate error message.
delete switch
Removes an interface from a LAN switch. Use the all option to remove all ports from the LAN switch.
Description: Deletes the interface named <interface> from a LAN switch.
Syntax: delete switch port {<interface>|all}
Parameters:
  <interface>  Valid interface name that is removed from LAN switch.
Return Value: 0 on success, 1 on failure
Examples:
  delete switch port LAN2
  delete switch port all
Output: Success prints OK. Failure prints appropriate error message.
Comments: Port LAN1 cannot be removed from a LAN Switch. When executing the delete switch port all command, the port LAN1 inherits the LAN switch configuration.
delete user
Description: Deletes existing user with login name <user>.
Syntax: delete user <user>
Parameters:
  <user>  Login name of user
Return Value: 0 on success, 1 on failure
Example: delete user John
Output: Success prints OK. Failure prints appropriate error message.
dynamic objects
Manages dynamic objects on the appliance. The dynamic_objects command specifies an IP address to which the dynamic object is resolved.
First, define the dynamic object in the SmartDashboard. Then create the same object with the CLI (-n argument). After the new object is created on the gateway with the CLI, you can use the dynamic_objects command to specify an IP address for the object.
This command cannot be executed when the Check Point gateway is running.
Description: Manages dynamic objects on the appliance
Syntax: dynamic_objects -o <object> [-r <fromIP> <toIP> ...] [-a] [-d] [-l] [-n <object>] [-c] [-do <object>]
Parameters:
  -o  Name of the dynamic object that is being configured
  -r  Defines the range of IP addresses that are being configured for this object
  -a  Adds range of IP addresses to the dynamic object
  -d  Deletes range of IP addresses from the dynamic object
  -l  Lists dynamic objects that are used on the appliance
  -n  Creates a new dynamic object
  -c  Compare the objects in the dynamic objects file and in objects.C.
  -do  Deletes the dynamic object
  <object>  Name of dynamic object
  <fromIP>  Starting IPv4 address
  <toIP>  Ending IPv4 address
Return Value: 0 on success, 1 on failure
Example: dynamic_objects -n sg80gw -r 190.160.1.1 190.160.1.40 -a
Output: Success prints Operation completed successfully. Failure prints appropriate error message.
exit
Description: Exits from the shell.
Syntax: exit
Parameters: n/a
Return Value: None
Example: exit
Output: None
fetch certificate
Establishes SIC connection with management server and fetches certificate.
Description: Establishes SIC connection with management server and fetches certificate. You fetch the certificate from a specific gateway with the gateway-name parameter.
Syntax: fetch certificate mgmt-ipv4-address <ip_addr> [gateway-name <gw_name>]
Parameters:
  <ip_addr>  Management IPv4 address
  <gw_name>  Gateway/Module name
Return Value: 0 on success, 1 on failure
Example: fetch certificate mgmt-ipv4-address 192.168.1.100 gateway-name mySG80
Output: Success prints OK. Failure prints appropriate error message.
fetch license
Fetches a license from one of these locations:
  Local gateway (There is an option to specify the file name with the <file_name> parameter.)
  User Center at Check Point
  USB device (There is an option to specify the file name with the <file_name> parameter.)
Description: Fetches license from specified location.
Syntax: fetch license {local [file <file_name>]|usercenter|usb [file <file_name>]}
Parameters:
  <file_name>  Name of the file that contains the license
Return Value: 0 on success, 1 on failure
Example: fetch license usb file LicenseFile.xml
Output: Success prints OK. Failure prints appropriate error message.
fetch policy
Fetches a policy from one of these locations:
  Management server
  Local gateway
Description: Fetches policy from the management server with IPv4 address <ip_addr>.
Syntax: fetch policy mgmt-ipv4-address <ip_addr>
Parameters:
  <ip_addr>  IPv4 address of the management server
Return Value: 0 on success, 1 on failure
Example: fetch policy mgmt-ipv4-address 192.168.1.100
Output: Success prints Done. Failure prints appropriate error message.
fw Commands
The fw commands are used for working with various aspects of the firewall. All fw commands are executed on the Check Point Security Gateway. For more about the fw commands, see the R71 Command Line Interface (CLI) Reference Guide (http://supportcontent.checkpoint.com/documentation_download?ID=10324).
fw commands can be found by typing fw [TAB] at a command line. For some of the CLI commands, you can enter the -h parameter to display all the relevant arguments and parameters. These commands are:
fw command  Explanation
  fw accel [-h]  Turn acceleration on/off
  fw activation [-h]  Activate license
  fw avload [-h]  Load AV signatures to kernel
  fw ctl [args]  Control kernel
  fw debug [-h]  Turn debug output on or off
  fw fetch  Fetch last policy
  fw fetchdefault [-h]  Fetch default policy
  fw fetchlocal [-h]  Fetch local policy
  fw monitor [-h]  Monitor Check Point Security Gateway 80 traffic
  fw pull_cert  Pull certificate from internal CA
  fw sfwd  fw daemon
  fw sic_init [-h]  Initialize SIC
  fw sic_reset [-h]  Reset SIC
  fw sic_test  Test SIC with management
  fw stat [-h]  Display policy installation status of the Gateway. (Command is provided for backward compatibility.)
  fw tab [-h]  Display kernel-table content
  fw unloadlocal  Unload local policy
  fw ver [-k]  Display version
reboot
Description: Reboots the system.
Syntax: reboot
Parameters: n/a
Return Value: None
Example: reboot
Output: None
restore default-settings
All the custom user settings for the appliance are deleted and the default settings are restored. The current software image (firmware version) is not changed.
Description: Restores the default settings of the appliance without affecting the software image
Syntax: restore default-settings
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: restore default-settings
Output: n/a
Comments: The appliance automatically reboots after the default settings are restored.
restore settings
Restores the appliance settings from a backup file. The backup file can be located on a USB device or on a TFTP server.
Description: Restores the settings from a backup file to the appliance.
Syntax: restore settings from {usb|tftp server <serverIP>} filename <file_name>
Parameters:
  <file_name>  Name of the backup file.
  <serverIP>  IPv4 address of the TFTP server.
Return Value: 0 on success, 1 on failure
Example: restore settings from tftp server 1.1.1.1 filename sg80
Output: n/a
Comments: The appliance automatically reboots after the settings are restored.
revert to factory defaults
Reverts the appliance to the original factory defaults. This command deletes all data and software images from the appliance.
Description: Revert the appliance to the factory defaults
Syntax: revert to factory-defaults
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: revert to factory-defaults
Output: Success prints warning message. Enter yes to continue. Failure prints appropriate error message.
revert to saved image
Description: Reverts the appliance to the saved software image
Syntax: revert to saved-image
Parameters: n/a
Return Value: 0 on success, 1 on failure
Example: revert to saved-image
Output: Success prints OK. Failure prints appropriate error message.
set admin access
Configures how the admin can access the appliance from the configured IP addresses. The add admin access command ("add admin access" on page 60) allows remote management of the appliance.
Description: Sets admin access parameters
Syntax: set admin-access [interfaces <interface>] [web-access-port <web_port>] [ssh-access-port <ssh_port>] [allowed-ipv4-addresses <any|specific>]
Parameters:
  <interface>  Configure from which interfaces admin access is allowed. These options can be used: any, SWITCH+WAN, WAN, LAN, SWITCH
  <web_port>  Configures the web port for HTTPS access
  <ssh_port>  Secure Shell (SSH) port
  <any|specific>  any - Configures allowed admin access from all IPv4 addresses
                  specific - Only IPv4 addresses that are configured with the add admin access command can be used to access the appliance.
Return Value: 0 on success, 1 on failure
Example: set admin-access web-access-port 4434 allowed-ipv4-addresses specific
Output: Success prints OK. Failure prints appropriate error message.
Comments: Your access to the appliance may be blocked (although your current session is retained).
set date
Description: Sets system date in YYYY-MM-DD format.
Syntax: set date <date>
Parameters:
  <date>  Date in YYYY-MM-DD format
Return Value: 0 on success, 1 on failure
Example: set date 2011-04-18
Output: Success prints OK. Failure prints appropriate error message.
set dhcp server
The set dhcp server command configures a range of parameters for the DHCP (Dynamic Host Configuration Protocol) server.
Setting the IP Pool
The set dhcp server command sets the range of IP addresses that can be assigned by the DHCP server.
Description: Sets the DHCP server IP pool for interface <interface>.
Syntax: set dhcp server interface <interface> ip-pool start <ip_addr> end <ip_addr>
Parameters:
  <interface>  Valid interface name
  <ip_addr>  IPv4 address format
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 ip-pool start 192.168.1.50 end 192.168.1.60
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Excluding IP Addresses
The set dhcp server command sets a range of IP addresses that cannot be assigned by the DHCP (Dynamic Host Configuration Protocol) server.
Description: Sets IP address exclude range to DHCP server for interface <interface>.
Syntax: set dhcp server interface <interface> exclude-range start <ip_addr> end <ip_addr>
Parameters:
  <interface>  Valid interface name
  <ip_addr>  IPv4 address format
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 exclude-range start 192.168.1.52 end 192.168.1.54
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Comments: DHCP IP-pool must be set for the interface before executing this command. If the DHCP IP-pool is not set, the following error message is displayed: Error: DHCP IP pool should be defined on interface prior to defining exclude IP range.
Enabling the DHCP Server
The set dhcp server command enables or disables the DHCP server.
Description: Enables or disables the DHCP server.
Syntax: set dhcp server interface <interface> {enable|disable}
Parameters:
  <interface>  Valid interface name
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 enable
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring the Default Gateway
The set dhcp server command configures the default gateway for the DHCP clients.
Description: Configures the default gateway for the DHCP clients.
Syntax: set dhcp server interface <interface> default-gateway {auto|<ip_addr>}
Parameters:
  <interface>  Valid interface name
  <ip_addr>  IPv4 address format
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 default-gateway auto
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring the WINS Server
The set dhcp server command configures the WINS (Windows Internet Name Service) server for the DHCP clients.
Description: Configures the WINS server for the DHCP clients.
Syntax: set dhcp server interface <interface> wins {none|<ip_addr>}
Parameters:
  <interface>  Valid interface name
  <ip_addr>  IPv4 address format
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 wins 192.168.1.50
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring IP Lease Time
The set dhcp server command configures the number of hours that an IP address is leased to a DHCP client.
Description: Configures IP lease time (in hours).
Syntax: set dhcp server interface <interface> lease-time <hours>
Parameters:
  <interface>  Valid interface name
  <hours>  Lease time in hours
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 lease-time 18
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring a DNS Server
The set dhcp server command configures the IP address of the DNS (Domain Name System) server for the DHCP server.
Description: Configures the DNS server IP address to <ip_addr>.
Syntax: set dhcp server interface <interface> dns {auto|primary <ip_addr>|secondary <ip_addr>|tertiary <ip_addr>}
Parameters:
  <interface>  Valid interface name
  <ip_addr>  IPv4 address format
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 dns tertiary 192.168.1.50
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring Subnet Time Offset
The set dhcp server command configures the number of seconds that the subnet is offset from UTC (Coordinated Universal Time).
Description: Configures subnet time offset from UTC.
Syntax: set dhcp server interface <interface> time {none|<offset>}
Parameters:
  <interface>  Valid interface name
  <offset>  Offset in seconds from Coordinated Universal Time (UTC)
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 time 18
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring the Swap Server
The set dhcp server command configures the IP address of the swap server.
Description: Configures the swap server.
Syntax: set dhcp server interface <interface> swap {none|<ip_addr>}
Parameters:
  <interface>  Valid interface name
  <ip_addr>  IPv4 address format
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 swap 192.160.1.150
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring the SMTP Server
The set dhcp server command configures the IP addresses of the SMTP (Simple Mail Transport Protocol) servers.
Description: Configures the SMTP servers.
Syntax: set dhcp server interface <interface> smtp {none|<ip_addr>[,<ip_addr>...]}
Parameters:
  <interface>  Valid interface name
  <ip_addr>  IPv4 address format
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 smtp 192.168.1.50,192.168.1.60
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring the NTP Server
The set dhcp server command configures the IP addresses of the NTP (Network Time Protocol) servers.
Description: Configures the NTP servers.
Syntax: set dhcp server interface <interface> ntp {none|<ip_addr>[,<ip_addr>...]}
Parameters:
  <interface>  Valid interface name
  <ip_addr>  IPv4 address format
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 ntp 192.168.1.50,192.168.1.60
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring a TFTP Server
The set dhcp server command configures a TFTP (Trivial File Transfer Protocol) server.
Description: Configures a TFTP server.
Syntax: set dhcp server interface <interface> tftp {none|<tftp_server>}
Parameters:
  <interface>  Valid interface name
  <tftp_server>  TFTP server name
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 tftp none
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring the Path for a Bootstrap File
The set dhcp server command configures the path for a bootstrap file.
Description: Configures bootstrap file path.
Syntax: set dhcp server interface <interface> file {none|<boot_file>}
Parameters:
  <boot_file>  Bootstrap file path
  <interface>  Valid interface name
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 file none
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring Client Root Disk
The set dhcp server command configures the path for the root disk for the client.
Description: Configures the path-name that contains the root disk for the client
Syntax: set dhcp server interface <interface> root {none|<root_path>}
Parameters:
  <interface>  Valid interface name
  <root_path>  Path name for the root disk of the client
Return Value: 0 on success, 1 on failure
Example: set dhcp server interface LAN2 root none
Output: Success prints Configurations Saved Successfully. Failure prints appropriate error message.
Configuring DHCP Extensions
The set dhcp server command configures additional DHCP options.
Description Name of a file containing additional options to be interpreted according to RFC2132.
Syntax set dhcp server interface <interface> extensions
{none|<extensions>}
Parameters Parameter Description <extensions>
Name of a file containing additional options to be interpreted according to RFC2132.
<interface> Valid interface name
Return Value 0 on success, 1 on failure
Example set dhcp server interface LAN2 extensions none
Output Success prints Configurations Saved Successfully. Failure
prints appropriate error message.
Configuring WINS Node-Type
The set dhcp server command configures the WINS Node-Type.
Description Configures WINS Node-Type for clients.
Syntax set dhcp server interface <interface> node-type
{none|<node_type>}
Parameters Parameter Description <interface>
Valid interface name
<node_type> Integer that represents WINS Node-Type for clients
Return Value 0 on success, 1 on failure
Example set dhcp server interface LAN2 node-type none
Output Success prints Configurations Saved Successfully. Failure
prints appropriate error message.
Configuring NBDD
The set dhcp server command configures the NetBIOS datagram distribution servers (NBDD)
Description Configures NetBIOS datagram distribution servers (NBDD).
Syntax set dhcp server interface <interface> ddserver
{none|<ip_addr>[,<ip_addr>...]}
Parameters Parameter Description <interface>
Valid interface name
<ip_addr> IPv4 address format
Return Value 0 on success, 1 on failure
Example set dhcp server interface LAN2 ddserver
192.168.1.1,192.168.1.18
Output Success prints Configurations Saved Successfully. Failure
prints appropriate error message.
Configuring NetBIOS Scope
The set dhcp server command configures the NetBIOS over TCP/IP scope parameter as specified in
RFC 1001/1002.
Description Configure NetBIOS scope parameters.
Syntax set dhcp server interface <interface> scope
{none|<NetBIOS_scope>}
Parameters Parameter Description <interface>
Valid interface name
<NetBIOS_scope> Specified in RFC 1001/1002
Return Value 0 on success, 1 on failure
Example set dhcp server interface LAN2 scope none
Output Success prints Configurations Saved Successfully. Failure
prints appropriate error message.
Configuring Call Manager
The set dhcp server command configures the call manager server IP addresses.
Description Configures call manager server IP addresses.
Syntax set dhcp server interface <interface> callmgr
{none|<ip_addr>[,<ip_addr>...]}
Parameters Parameter Description <interface>
Valid interface name
<ip_addr> IPv4 address format
Return Value 0 on success, 1 on failure
Example set dhcp server interface LAN2 callmgr
198.162.1.1,198.162.1.18,198.162.2.1
Output Success prints Configurations Saved Successfully. Failure
prints appropriate error message.
Configuring X-Windows Display
The set dhcp server command configures the X-Windows Display Manager.
Description Configures X-Windows Display Manager.
Syntax set dhcp server interface <interface> xwin-display-mgr {none|<ip_addr>[,<ip_addr>...]}
Parameters Parameter Description <interface>
Valid interface name
<ip_addr> IPv4 address format
Return Value 0 on success, 1 on failure
Example set dhcp server interface LAN2 xwin-display-mgr none
Output Success prints Configurations Saved Successfully. Failure
prints appropriate error message.
Configuring VoIP Phones
The set dhcp server command configures the Avaya, Nortel, or Thomson VoIP phones.
Description Configures VoIP phone parameters.
Syntax set dhcp server interface <interface> {avaya-voip|nortel-voip|thomson-voip} {none|<config_string>}
Parameters Parameter Description <config_string>
Configuration string used to configure VoIP phones
<interface> Valid interface name
Return Value 0 on success, 1 on failure
Example set dhcp server interface LAN2 nortel-voip none
Output Success prints Configurations Saved Successfully. Failure
prints appropriate error message.
Configuring Custom DHCP Option
The set dhcp server command configures a custom DHCP server option.
Description Configures a custom DHCP server option.
Syntax set dhcp server interface <interface> custom-option code <code> type <type> value <value> [name <name>]
Parameters Parameter Description <interface>
Valid interface name
Return Value 0 on success, 1 on failure
Example n/a
Output Success prints Configurations Saved Successfully. Failure
prints appropriate error message.
set dhcp relay Manages DHCP relay for the IP addresses of a specific interface.
Description Manages DHCP relay for interface <interface> to <ip_addr>.
Syntax set dhcp relay interface <interface> {relay-to|off} <ip_addr> {on|off}
Parameters Parameter Description <interface>
Valid interface name
<ip_addr> IPv4 address format
Return Value 0 on success, 1 on failure
Example set dhcp relay interface LAN2 relay-to 198.162.1.1 off
Output Success prints Configurations Saved Successfully. Failure
prints appropriate error message.
set dns Sets primary, secondary or tertiary DNS servers that are used to resolve hostnames. The secondary and tertiary DNS servers are optional.
Description Sets DNS server to IP address <ip_addr>.
Syntax set dns {primary|secondary|tertiary} <ip_addr>
Parameters Parameter Description <ip_addr>
IPv4 address format
Return Value 0 on success, 1 on failure
Example set dns server secondary 4.4.4.4
Output Success prints OK. Failure prints appropriate error message.
set dnsproxy
Description Enables/disables the DNS proxy server.
Syntax set dnsproxy {enable|disable}
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example set dnsproxy enable
Output Success prints OK. Failure prints appropriate error message.
set dns mode Sets the mode for the DNS server. In internet mode, the DNS configuration is inherited from the Internet connection. In global mode, the manual settings are used as the DNS configuration.
Description Sets global or internet mode for the DNS server.
Syntax set dns mode <global|internet>
Parameters Parameter Description <global|internet>
Global or internet mode
Return Value 0 on success, 1 on failure
Example set dns mode global
Output Success prints OK. Failure prints appropriate error message.
set domainname
Description Sets the domain name for the system to be <domain>
Syntax set domainname <domain>
Parameters Parameter Description <domain>
Domain name for the system
Return Value 0 on success, 1 on failure
Example set domainname checkpoint.com
Output Success prints OK. Failure prints appropriate error message.
set expert password The set expert password command configures the initial password or password hash for the expert shell.
Description Sets password or password hash for the expert shell
Syntax set expert {password|password-hash}
{<pass>|<pass_hash>}
Parameters Parameter Description <pass>
Password using alphanumeric and special characters
<pass_hash> Password MD5 string representation
Return Value 0 on success, 1 on failure
Example set expert password-hash
$1$CTnQg69e$dwMJPcrB27XnAXUckPW7N0
Output Success prints OK. Failure prints appropriate error message.
Comments To generate a password-hash, you can use this command on any Security Gateway 80 gateway (as an expert user).
cryptpw -a md5 <password string>
set ha internet primary Set configuration parameters for Internet High Availability mode when both Internet connections are configured.
Description Changes the active Internet connection to primary whenever possible
Syntax set ha-internet primary-up {on|off}
Parameters Parameter Description on
The appliance reverts to the primary Internet connection when it is available
off The appliance does not change the Internet connection
Return Value 0 on success, 1 on failure
Example set ha-internet primary-up on
Output Success prints OK. Failure prints appropriate error message.
set host Static host configuration for existing host name.
Description Sets the IPv4 address of the existing host name <host> to
<ip_addr>
Syntax set host name <host> ipv4_address <ip_addr>
Parameters Parameter Description <host>
The name of an existing static host
<ip_addr> IPv4 address format
Return Value 0 on success, 1 on failure
Example set host name cnn.com ipv4_address 2.2.2.2
Output Success prints OK. Failure prints appropriate error message.
set hostname
Description Sets the host name of the machine to <host>.
Syntax set hostname <host>
Parameters Parameter Description <host>
Host name
Return Value 0 on success, 1 on failure
Example set hostname SG80
Output Success prints OK. Failure prints appropriate error message.
set inactivity-timeout
Description Specifies inactivity timeout for web UI and shells assigned to users (in minutes).
Syntax set inactivity-timeout <time_out>
Parameters Parameter Description <time_out>
Inactivity timeout in minutes.
Range: 1-999
Default: 10
Return Value 0 on success, 1 on failure
Example set inactivity-timeout 60
Output Success prints OK. Failure prints appropriate error message.
set interface You can use the set interface command to manage and configure the interfaces.
Managing Interfaces
The set interface command removes any IP assignment from an interface, or enables or disables the interface.
Description Manages the interfaces
Syntax set interface <interface> [internet <primary|secondary>] {disable|enable|unassigned}
Parameters Parameter Description <interface>
Valid interface name
<primary|secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
Return Value 0 on success, 1 on failure
Example set interface LAN5 enable
Output Success prints OK. Failure prints appropriate error message.
Configuring Static IP
Description The set interface command can set parameters for different static IP interface types.
Syntax set interface <interface> [internet <primary|secondary>] type static ipv4-address <ip_addr> {subnet-mask <ip_mask>|mask-length <mask_length>} [default-gw <ip_addr>] [dns-primary <ip_addr> [dns-secondary <ip_addr>] [dns-tertiary <ip_addr>]] [conn-test-timeout <conn_time>]
Parameters Parameter Description <conn_time>
Number of seconds before connection test
timeout. A number between 0 and 999.
A value of 0 applies the configuration and skips
the connection tests.
<interface> Valid interface name
<ip_addr> IPv4 address format
<ip_mask> IP address for subnet mask
<mask_length> Mask length
<primary|secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
Return Value 0 on success, 1 on failure
Example set interface LAN5 type static ipv4-address 1.1.1.1 subnet-mask 255.255.255.0 dns-primary 2.2.2.2 dns-secondary 3.3.3.3
Output Success prints OK. Failure prints appropriate error message.
Configuring a Bridge
Description The set interface command can set parameters for a bridge interface type.
Syntax set interface <interface> [internet <primary|secondary>] type bridge port <port> ipv4-address <ip_addr> {subnet-mask <ip_mask>|mask-length <mask_length>} [default-gw <ip_addr>] [dns-primary <ip_addr>] [dns-secondary <ip_addr>] [dns-tertiary <ip_addr>] [conn-test-timeout <conn_time>]
Parameters Parameter Description <conn_time>
Number of seconds before connection test
timeout. A number between 0 and 999.
A value of 0 applies the configuration and skips
the connection tests.
<interface> Valid interface name
<ip_addr> IPv4 address format
<ip_mask> IP address for subnet mask
<mask_length> Mask length
<port> LAN port number or SWITCH
<primary|secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
Return Value 0 on success, 1 on failure
Example set interface LAN Switch type bridge port SWITCH ipv4-address 1.1.1.1 subnet-mask 255.255.255.0 dns-primary 2.2.2.2 dns-secondary 3.3.3.3
Output Success prints OK. Failure prints appropriate error message.
Configuring PPPoE
The set interface command can set parameters for the PPPoE Internet interface type.
Description Sets interface type PPPoE settings with user name <user> and password <pass>. Can only be set for Internet interfaces.
Syntax set interface <interface> internet <primary|secondary> type pppoe username <user> password <pass> [local-ipv4-address <auto|ip_addr>] [method <auto|on-demand idle-time <idle>>] [link-monitor-interval <interval>] [link-monitor-threshold <threshold>] [conn-test-timeout <conn_time>]
Parameters Parameter Description <interface>
Valid interface name.
<ip_addr> IPv4 address format.
<ip_mask> IP address for subnet mask
<user> ISP user login name.
<pass> ISP user password. Alphanumeric and special characters are allowed.
<primary|secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
local-ipv4-address Local tunnel IPv4 address assignment.
auto - Get the IPv4 address from ISP.
<ip_addr> - IP address for local tunnel.
method Dialer connection method.
auto - Connect automatically. This is the default setting.
on-demand - Connects on demand.
idle-time - Idle timeout in minutes before disconnect when using Connect on demand. Value is between 1 and 999 minutes.
link-monitor-interval Seconds between each connection status monitoring. <interval> value is between 1 and 999 seconds.
link-monitor-threshold Number of failed attempts after which the connection is assumed to be down. <threshold> value is between 1 and 999 attempts.
<conn_time> Number of seconds before connection test timeout. A number between 0 and 999. A value of 0 applies the configuration and skips the connection tests.
Return Value 0 on success, 1 on failure
Example set interface WAN internet primary type pppoe username John password verySecurePassword local-ipv4-address 1.1.1.1 method on-demand idle-time 30 link-monitor-interval 40 link-monitor-threshold 50
Output Success prints OK. Failure prints appropriate error message.
Configuring PPTP and L2TP
The set interface command can set parameters for these Internet interface types:
PPTP
L2TP
Description Sets interface type (PPTP or L2TP) settings with user name <user> and password <pass>. Can only be set for Internet interfaces.
Syntax set interface <interface> internet <primary|secondary> type {pptp|l2tp} username <user> password <pass> server <server> [local-ipv4-address <auto|ip_addr>] [wan-ipv4-address <auto|<ip_addr> {subnet-mask <ip_mask>|mask-length <mask_length>} [default-gw <ip_addr>]>] [method <auto|on-demand idle-time <idle>>] [link-monitor-interval <interval>] [link-monitor-threshold <threshold>] [conn-test-timeout <conn_time>]
Parameters Parameter Description <interface>
Valid interface name.
<ip_addr> IPv4 address format.
<ip_mask> IP address for subnet mask
<mask_length> Mask length
<user> ISP user login name.
<pass> ISP user password. Alphanumeric and special characters are allowed.
<primary|secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
<server> Server host name or IP address.
local-ipv4-address Local tunnel IPv4 address assignment.
auto - Get the IPv4 address from ISP.
<ip_addr> - IP address for local tunnel.
wan-ipv4-address WAN IPv4 address assignment.
auto - Get the WAN IPv4 address from ISP. This is the default setting.
<ip_addr> - IP address for WAN port.
<ip_mask> - IP address for subnet mask for WAN port.
<mask_length> - Mask length for WAN port.
default-gw - Default gateway for WAN port.
method Dialer connection method.
auto - Connect automatically. This is the default setting.
on-demand - Connects on demand.
idle-time - Idle timeout in minutes before disconnect when using Connect on demand. Value is between 1 and 999 minutes.
link-monitor-interval Seconds between each connection status monitoring. <interval> value is between 1 and 999 seconds.
link-monitor-threshold Number of failed attempts after which the connection is assumed to be down. <threshold> value is between 1 and 999 attempts.
<conn_time> Number of seconds before connection test timeout. A number between 0 and 999. A value of 0 applies the configuration and skips the connection tests.
Return Value 0 on success, 1 on failure
Example set interface WAN internet primary type l2tp username John password verySecurePassword server 1.1.1.1 local-ipv4-address 2.2.2.2 wan-ipv4-address 3.3.3.3 subnet-mask 255.255.255.0 default-gw 4.4.4.4 method on-demand idle-time 30 link-monitor-interval 40 link-monitor-threshold 50
Output Success prints OK. Failure prints appropriate error message.
Configuring DHCP
The set interface command can set parameters for the DHCP Internet interface type.
Description Obtains an IP address automatically using DHCP. Can only be set for Internet interfaces.
Syntax set interface <interface> internet <primary|secondary> type dhcp [conn-test-timeout <conn_time>]
Parameters Parameter Description <conn_time>
Number of seconds before connection test
timeout. A number between 0 and 999.
A value of 0 applies the configuration and skips
the connection tests.
<interface> Valid interface name
<primary|secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
Return Value 0 on success, 1 on failure
Example set interface LAN5 internet secondary type dhcp
Output Success prints OK. Failure prints appropriate error message.
Configuring Advanced Interface Settings
The set interface command configures these advanced settings for the interface:
Auto-negotiation
MAC address
MTU
Duplex
Speed
Description Sets advanced interface preferences.
Syntax set interface <interface> [internet <primary|secondary>] auto-negotiation <on|off> mac-addr <mac_addr> mtu <mtu> duplex <duplex> speed <speed>
Parameters Parameter Description <interface>
Valid interface name
<primary|secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
<on|off> on or off
<mac_addr> default or MAC address format, 00:1C:7F:21:05:BE
<mtu> MTU size - integer in range 68-1500
<duplex> half or full
<speed> 10M/100M/1000M
Return Value 0 on success, 1 on failure
Example set interface LAN3 mac-addr 00:1C:7F:21:05:BE
Output Success prints OK. Failure prints appropriate error message.
Configuring ICMP
The set interface command can configure the ICMP (Internet Control Message Protocol) settings for the appliance.
Description Manages ICMP settings
Syntax set interface <interface> [internet <primary|secondary>] icmp-monitor <on|off> [icmp-to-servers <on|off>] [icmp-to-default-gw <on|off>] [icmp-interval <seconds>] [icmp-failover-after <fail>] [icmp-resume-after <seconds>]
Parameters Parameter Description <interface>
Valid interface name
<primary|secondary> Primary or secondary Internet connection. Only the WAN and DMZ can be set for Internet interfaces.
icmp-monitor on - Enables ICMP monitoring
icmp-to-servers on - Enables ICMP monitoring on configured servers
icmp-to-default-gw on - Sends ICMP requests to the default gateway
icmp-interval Configures the number of seconds between ICMP requests
icmp-failover-after Configures the maximum number of failed ICMP requests before the other Internet connection becomes active.
icmp-resume-after Configures the number of seconds after an ICMP failover before ICMP requests are resumed
Return Value 0 on success, 1 on failure
Example set interface WAN internet primary icmp-monitor on icmp-to-default-gw on icmp-interval 10
Output Success prints OK. Failure prints appropriate error message.
set static-route
Deleting Routes
You can use the set static-route command to delete existing static routes.
A route that has both a gateway IP address and a gateway interface defined is different from a route that has only a gateway IP address or only a gateway interface defined. Both of these routes can exist simultaneously.
Deleting Routes by Destination IP Address
The set static-route command deletes existing static routes.
Description Deletes all routes with this destination IP address.
Syntax set static-route <dest_IP> off
Parameters Parameter Description <dest_IP>
Destination IP address and subnet bit number of the route. <IPv4-address>/<Subnet-bit-number>
Return Value 0 on success, 1 on failure
Example set static-route 1.1.1.1/32 off
Output Success prints OK. Failure prints appropriate error message.
Deleting Routes by Destination and Gateway IP Address
The set static-route command deletes existing static routes.
Description Deletes all routes that have a destination of <dest_IP> and a gateway address of <gw_IP>.
Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> off
Parameters Parameter Description <dest_IP>
Destination IP address and subnet bit number of the route. <IPv4-address>/<Subnet-bit-number>
<gw_IP> Gateway IP address.
Return Value 0 on success, 1 on failure
Example set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 off
Output Success prints OK. Failure prints appropriate error message.
Deleting Routes by Destination IP Address and Interface
The set static-route command deletes existing static routes.
Description Deletes all routes that have a destination of <dest_IP> and a gateway interface of <interface>.
Syntax set static-route <dest_IP> nexthop gateway logical <interface> off
Parameters Parameter Description <dest_IP>
Destination IP address and subnet bit number of the route. <IPv4-address>/<Subnet-bit-number>
<interface> Interface to which the gateway is connected.
Return Value 0 on success, 1 on failure
Example set static-route 1.1.1.1/32 nexthop gateway logical LAN1 off
Output Success prints OK. Failure prints appropriate error message.
Deleting Routes by Destination and Gateway IP Address and Interface
The set static-route command deletes existing static routes.
Description Deletes all routes that match all of these parameters: <dest_IP>, <gw_IP>, and <interface>.
Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> logical <interface> off
Parameters Parameter Description <dest_IP>
Destination IP address and subnet bit number of the route. <IPv4-address>/<Subnet-bit-number>
<gw_IP> Gateway IP address.
<interface> Interface to which the gateway is connected.
Return Value 0 on success, 1 on failure
Example set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 logical LAN1 off
Output Success prints OK. Failure prints appropriate error message.
Adding Routes
You can use the set static-route command to create new static routes. If a priority is not specified for the route, a default value of zero is used.
A route that has both a gateway IP address and a gateway interface defined is different from a route that has only a gateway IP address or only a gateway interface defined. Both of these routes can exist simultaneously.
Adding a Route with a Specific Gateway IP Address
The set static-route command creates new static routes.
Description Adds a route with a destination <dest_IP> and a gateway IP address of <gw_IP>. The gateway interface is determined automatically and the route is assigned the default priority 0.
Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> on
Parameters Parameter Description <dest_IP>
Destination IP address and subnet bit number of the route. <IPv4-address>/<Subnet-bit-number>
<gw_IP> Gateway IP address
Return Value 0 on success, 1 on failure
Example set static-route 172.15.47.0/24 nexthop gateway ipv4-address 10.0.0.1 on
Output Success prints OK. Failure prints appropriate error message.
Comments If you are adding a route that already exists, the priority of the existing route is changed to 0.
Adding a Route with a Specific Gateway IP Address and Priority
The set static-route command creates new static routes.
Description Adds a route with a destination <dest_IP>, a gateway IP address of <gw_IP>, and a priority of <priority>. The gateway interface is determined automatically.
Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> priority <priority> on
Parameters Parameter Description <dest_IP>
Destination IP address and subnet bit number of the route. <IPv4-address>/<Subnet-bit-number>
<gw_IP> Gateway IP address
<priority> Priority (metric) of the route.
Return Value 0 on success, 1 on failure
Example set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 priority 3 on
Output Success prints OK. Failure prints appropriate error message.
Comments If you are adding a route that already exists, the priority of the existing route is changed to <priority>.
Adding a Route with a Specific Interface
The set static-route command creates new static routes.
Description Adds a route with a destination <dest_IP> and a gateway interface of <interface>. The gateway IP address is determined automatically and the route is assigned the default priority 0.
Syntax set static-route <dest_IP> nexthop gateway logical <interface> on
Parameters Parameter Description <dest_IP>
Destination IP address and subnet bit number of the route. <IPv4-address>/<Subnet-bit-number>
<interface> Interface to which the gateway is connected.
Return Value 0 on success, 1 on failure
Example set static-route 1.1.1.1/32 nexthop gateway logical LAN1 on
Output Success prints OK. Failure prints appropriate error message.
Comments If you are adding a route that already exists, the priority of the existing route is changed to 0.
Adding a Route with a Specific Interface and Priority
The set static-route command creates new static routes.
Description Adds a route with a destination <dest_IP>, a gateway interface of <interface>, and a priority of <priority>. The gateway IP address is determined automatically.
Syntax set static-route <dest_IP> nexthop gateway logical <interface> priority <priority> on
Parameters Parameter Description <dest_IP>
Destination IP address and subnet bit number of the route. <IPv4-address>/<Subnet-bit-number>
<interface> Interface to which the gateway is connected.
<priority> Priority (metric) of the route.
Return Value 0 on success, 1 on failure
Example set static-route 10.0.0.0/8 nexthop gateway logical SWITCH priority 12 on
Output Success prints OK. Failure prints appropriate error message.
Comments If you are adding a route that already exists, the priority of the existing route is changed to <priority>.
Adding a Route with a Specific Gateway IP Address and Interface
The set static-route command creates new static routes.
Description Adds a route with a destination <dest_IP>, a gateway IP address of <gw_IP> and a gateway interface of <interface>. The route is assigned the default priority 0.
Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> logical <interface> on
Parameters Parameter Description <dest_IP>
Destination IP address and subnet bit number of the route. <IPv4-address>/<Subnet-bit-number>
<gw_IP> Gateway IP address
<interface> Interface to which the gateway is connected.
Return Value 0 on success, 1 on failure
Example set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 logical LAN1 on
Output Success prints OK. Failure prints appropriate error message.
Comments If you are adding a route that already exists, the priority of the existing route is changed to 0.
Editing Routes
You can use the set static-route command to edit the priority of an existing route. If you change any of the other parameters for the route, the existing route is left unchanged and a new route is created.
A route that has both a gateway IP address and a gateway interface defined is different from a route that has only a gateway IP address or only a gateway interface defined. Both of these routes can exist simultaneously.
set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> priority <priority> on
The set static-route command edits static routes.
Description Edits a route that has a destination <dest_IP>, a gateway IP address of <gw_IP>, and no gateway interface defined. The priority is changed to <priority>.
Syntax set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> priority <priority> on
Parameters Parameter Description <dest_IP>
Destination IP address and subnet bit number of the route. <IPv4-address>/<Subnet-bit-number>
<gw_IP> Gateway IP address
<priority> Priority (metric) of the route.
Return Value 0 on success, 1 on failure
Example set static-route 1.1.1.1/32 nexthop gateway ipv4-address 192.168.1.10 priority 3 on
Output Success prints OK. Failure prints appropriate error message.
Comments If the route does not exist, a new one is created with a destination <dest_IP>, a gateway IP address of <gw_IP>, and a priority of <priority>. The gateway interface is determined automatically.
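The deleting, adding and editing rules above are easy to misread when a destination has several nexthops. The following Python model (an added example, not Check Point code) parses `set static-route ... {on|off}` lines in the syntax of this section and applies the documented semantics: a route is identified by destination, gateway IP and gateway interface, `on` creates the route or resets the priority of an existing one (default 0), and `off` deletes every route matching the given fields. It assumes, beyond what the page states, that a nexthop field omitted from an `off` command is a wildcard and that `priority` is accepted with any `on` form.

```python
"""Model of the set static-route semantics described in this section.

Added example, not Check Point code; assumptions the page does not state are
marked in comments. Return codes follow the page: 0 on success, 1 on failure.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Route identity: (destination prefix, gateway IP or None, gateway interface or None).
# A route with both a gateway IP and an interface is a different route from one
# that has only one of them, and both may exist at the same time.
RouteKey = Tuple[str, Optional[str], Optional[str]]


class StaticRouteTable:
    def __init__(self) -> None:
        self._routes: Dict[RouteKey, int] = {}  # route -> priority (metric)

    def routes(self) -> Dict[RouteKey, int]:
        return dict(self._routes)

    def apply(self, line: str) -> int:
        """Apply one 'set static-route <dest_IP> [nexthop gateway ...] {on|off}' line."""
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["set", "static-route"] or tok[-1] not in ("on", "off"):
            return 1
        dest, action, rest = tok[2], tok[-1], tok[3:-1]
        try:
            # <dest_IP> is <IPv4-address>/<Subnet-bit-number>; host bits are masked off.
            dest = str(ipaddress.IPv4Network(dest, strict=False))
        except ValueError:
            return 1

        gw_ip: Optional[str] = None
        interface: Optional[str] = None
        priority = 0  # default priority when none is given
        if rest:
            if rest[:2] != ["nexthop", "gateway"] or len(rest) % 2 != 0:
                return 1
            for kw, val in zip(rest[2::2], rest[3::2]):
                if kw == "ipv4-address" and gw_ip is None:
                    try:
                        gw_ip = str(ipaddress.IPv4Address(val))
                    except ValueError:
                        return 1
                elif kw == "logical" and interface is None:
                    interface = val
                elif kw == "priority" and action == "on" and val.isdigit():
                    priority = int(val)  # assumption: allowed with every 'on' form
                else:
                    return 1  # unknown, repeated or misplaced keyword
            if gw_ip is None and interface is None:
                return 1  # 'nexthop gateway' needs an IP address, an interface, or both
        elif action == "on":
            return 1  # adding a route always requires a nexthop

        if action == "on":
            # New route, or an existing route whose priority is changed to <priority>:
            # the identity triple stays the same, so no second route is created.
            self._routes[(dest, gw_ip, interface)] = priority
            return 0

        # 'off': delete every route to <dest_IP> whose gateway IP and interface
        # match the fields that were given. Assumption: an omitted field is a
        # wildcard, so 'set static-route <dest_IP> off' removes all routes to it.
        victims = [k for k in self._routes
                   if k[0] == dest
                   and (gw_ip is None or k[1] == gw_ip)
                   and (interface is None or k[2] == interface)]
        for k in victims:
            del self._routes[k]
        return 0
```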
set proxy You can configure a proxy server that is used to fetch a license from Check Point User Center.
Managing a Proxy Server
The set proxy command enables or disables the proxy server that is used to fetch a license from Check Point User Center.
Description Enables or disables the proxy server
Syntax set proxy {enable|disable}
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example set proxy disable
Output Success prints OK. Failure prints appropriate error message.
Configuring a Proxy Server
The set proxy command configures the settings of the proxy server that is used to fetch a license from Check Point User Center.
Description Sets proxy server IP address and port number. Also enables the proxy server that is set.
Syntax set proxy server <server> port <port>
Parameters Parameter Description <server>
Proxy server hostname or IPv4 address.
<port> Valid port numbers are between 1 and 65535.
Return Value 0 on success, 1 on failure
Example set proxy server proxy.example.com port 8080
Output Success prints OK. Failure prints appropriate error message.
set sic_init
Description Sets the SIC password.
Syntax set sic_init password <pass>
Parameters Parameter Description <pass>
One-time password, as specified by the Security Management server administrator.
Return Value 0 on success, 1 on failure
Example set sic_init password verySecurePassword
Output Success prints OK. Failure prints appropriate error message.
set snmp You can use the set snmp command to manage and configure the SNMP settings. You must use the add snmp command to configure the SNMP v2 or v3 parameters for these commands:
set snmp traps receiver
set snmp usm user
Managing SNMP Agent
The set snmp command enables and disables an SNMP agent.
Description Enables and disables the SNMP agent.
Syntax set snmp agent <on|off>
Parameters Parameter Description <on|off>
On or off
Return Value 0 on success, 1 on failure
Example set snmp agent on
Output Success prints OK. Failure prints appropriate error message.
Setting SNMP Version
The set snmp command sets the SNMP version.
Description Sets SNMP version
Syntax set snmp agent-version <any|v3-only>
Parameters Parameter Description <any|v3-only>
Any version or only v3
Return Value 0 on success, 1 on failure
Example set snmp agent-version v3-only
Output Success prints OK. Failure prints appropriate error message.
Setting Community String
The set snmp command sets the SNMP community string.
Description Sets the SNMP agent community string.
Syntax set snmp community <comm_string>
Parameters Parameter Description <comm_string>
A password for v1 and v2 protocols. The value can be any word.
Return Value 0 on success, 1 on failure
Example set snmp community anystring read-only
Output Success prints OK. Failure prints appropriate error message.
Setting SNMP Host Information
The set snmp command sets the information about the host for the SNMP agent.
Description Sets information about the host the SNMP agent is running on.
Syntax set snmp contact <contact_string>
Parameters Parameter Description <contact_string>
The value can be any word.
Return Value 0 on success, 1 on failure
Example set snmp contact checkpoint
Output Success prints OK. Failure prints appropriate error message.
Setting Host Location
The set snmp command sets the information about the host location.
Description Sets information about the location of the host on which the SNMP agent is running.
Syntax set snmp location <location>
Parameters Parameter Description <location>
The value can be any word.
Return Value 0 on success, 1 on failure
Example set snmp location lab
Output Success prints OK. Failure prints appropriate error message.
Managing SNMP Traps
The set snmp command enables and disables the SNMP traps.
Description Enables and disables SNMP traps.
Syntax set snmp traps {enable|disable}
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example set snmp traps enable
Output Success prints OK. Failure prints appropriate error message.
Setting SNMP v2 Receivers
The set snmp command sets a community string for SNMPv2 traps receiver.
Description Sets a community string for SNMPv2 traps receiver.
Syntax set snmp traps receiver <ip_addr> version v2 community <comm_string>
Parameters Parameter Description <ip_addr>
Trap receiver IPv4 address.
<comm_string> A password for v1 and v2 protocols. The value can be any word.
Return Value 0 on success, 1 on failure
Example set snmp traps receiver 1.1.1.1 version v2 community anystring
Output Success prints OK. Failure prints appropriate error message.
Configuring SNMP v3 Receivers
The set snmp command configures users for SNMP v3 traps receivers.
Description Sets USM user for SNMPv3 traps receiver.
Syntax set snmp traps receiver <ip_addr> version v3 usm user <usm_user>
Parameters Parameter Description <ip_addr>
Trap receiver IPv4 address
<usm_user> Name of a user that was added with add snmp.
Return Value 0 on success, 1 on failure
Example set snmp traps receiver 1.1.1.1 version v3 usm user john
Output Success prints OK. Failure prints appropriate error message.
Comments Security parameters that were defined for the <v3_user> with the add snmp command are used.
Configuring SNMP v3 Users
The set snmp command configures an SNMP v3 user.
Description Sets USM security user parameters for the <v3_user>
Syntax set snmp usm user <usm_user> security-level <NoPriv|Priv> auth-pass-type <auth-type> auth-pass-phrase <auth-phrase> privacy-pass-type <priv-type> privacy-pass-phrase <priv-phrase>
Parameters Parameter Description <usm_user>
Name of a user that was added with add snmp.
<NoPriv|Priv> Priv - Messages sent or received by this user are authenticated using the privacy and authentication passwords.
<auth-type> Authentication decryption protocol. Available values for this field are: MD5 and SHA1.
<auth-phrase> The localized secret key used by the authentication protocol for authenticating messages.
<priv-type> Which privacy decryption protocol to use. Available values for this field are: AES and DES.
<priv-phrase> The localized secret key used by the privacy protocol for encrypting and decrypting messages.
Return Value 0 on success, 1 on failure
Example set snmp user usm1 security-level authPriv auth-pass-type SHA1 auth-pass-phrase safeAuthPassPhrase privacy-pass-type AES privacy-pass-phrase safePrivacyPassPhrase
Output Success prints OK. Failure prints appropriate error message.
Comments You must add the user with the add snmp command.
Setting a Single Trap
The set snmp command configures parameters for a single SNMP trap.
Description Sets the parameters of a single trap.
Syntax set snmp traps trap-name <trap_name> [enable <on|off> threshold <threshold> severity <severity> repetitions <reps> repetitions-delay <rep_delay>]
Parameters Parameter Description <on|off>
On or off
<reps> Number of repetitions for the trap. Available values are: 1-10, or infinite to keep sending traps as long as the trap condition holds.
<rep_delay> Delay time (seconds) between repetitions.
<severity> Trap severity: (1) Low, (2) Medium, (3) High, (4) Critical.
<threshold> Trap threshold, value must be a positive number
<trap_name> Enter a valid trap-name value.
Output Success prints OK. Failure prints appropriate error message.
Comments These are the valid trap-name values:
interface-link-down
interface-disconnected
memory-utilization
partition-free-space
core-utilization
core-interrupts-rate
new-connections-rate
concurrent-connections-rate
bytes-throughput
accepted-packet-rate
temperature-sensor-reading
voltage-sensor-reading
cluster-member-state-changed
cluster-block-state-error
cluster-state-error
cluster-problem-status
cluster-interface-down
connection-with-log-server-error
connection-with-all-log-servers-error
set time
Description Sets system time in HH:MM format.
Syntax set system time <time>
Parameters Parameter Description <time>
Time in HH:MM format.
Return Value 0 on success, 1 on failure
Example set system time 15:08
Output Success prints OK. Failure prints appropriate error message.
set time-zone
Description Sets system time zone.
Syntax set time-zone [<area>] <region>|<complete_region>
Parameters Parameter Description <area>
A continent for the time zone.
<complete_region> List of all cities for a region on a continent.
<region> A city on a continent for a specific time zone.
Return Value 0 on success, 1 on failure
Example set time-zone Berlin
set time-zone Europe Berlin
set time-zone Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna(GMT+01:00)
Output Success prints OK. Failure prints appropriate error message.
Comments You can only use continents and cities that are pre-configured on the appliance. Use auto-completion to display the list of continents and cities.
set user Sets parameters for a specific user name.
Setting Password for a User
The set user command configures a password for an existing user.
Description Sets password <pass> to an existing user <user>.
Syntax set user <user> password <pass>
Parameters Parameter Description <pass>
User password. Alphanumeric and special characters are allowed.
<user> User login name.
Return Value 0 on success, 1 on failure
Example set user John password verySecurePassword
Output Success prints OK. Failure prints appropriate error message.
Setting Password Hash for a User
The set user command configures a password hash for an existing user.
Description Sets password hash <pass_hash> to an existing user <user>.
Syntax set user <user> password-hash <pass_hash>
Parameters Parameter Description <pass_hash>
Password MD5 string representation
<user> User login name
Return Value 0 on success, 1 on failure
Example set user John password-hash $1$CTnQg69e$dwMJPcrB27XnAXUckPW7N0
Output Success prints OK. Failure prints appropriate error message.
Comments To generate a password-hash, you can use the command cryptpw -a md5 <password string> on any Security Gateway 80 gateway (as an expert user).
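An administrator may prefer to produce the hash on a workstation rather than in the expert shell. The following is an added example, not Check Point code: a Python implementation of the MD5-crypt ("$1$") scheme that cryptpw -a md5 produces, together with a format check to run on a hash before pasting it into set user <user> password-hash, and a verifier. The salt and password values are constructed for illustration.

```python
import hashlib
import secrets

# Alphabet used by crypt(3)-style hashes for both the salt and the encoded digest.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"  # prefix that identifies an MD5-crypt hash


def _to64(value: int, count: int) -> str:
    """Encode `count` six-bit groups of `value`, least significant group first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the MD5-crypt hash of `password` under `salt` (at most 8 chars).

    This is the classic FreeBSD/glibc algorithm; a salt longer than 8
    characters is truncated, as crypt(3) does.
    """
    pw = password.encode("utf-8")
    salt = salt[:8]
    if not salt or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from the crypt alphabet")
    sb = salt.encode("ascii")

    # Outer context: password, magic, salt.
    ctx = hashlib.md5(pw + MAGIC.encode("ascii") + sb)

    # Alternate digest of password|salt|password, mixed in 16 bytes per 16 bytes of pw.
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16

    # For each bit of the password length, add a NUL (bit set) or the first pw byte.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching with a varying mix of password, salt and state.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()

    # Encode the 16-byte digest in the byte order crypt(3) uses (22 characters).
    encoded = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return f"{MAGIC}{salt}${encoded}"


def new_salt(length: int = 8) -> str:
    """Random salt from the crypt alphabet; 8 characters like the guide's example."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def parse_md5_crypt(hash_string: str) -> tuple:
    """Split a $1$salt$digest string into (salt, digest); ValueError if malformed.

    Run this on a hash before using it with `set user <user> password-hash`, so a
    truncated or mangled value is caught locally rather than by the appliance.
    """
    parts = hash_string.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not a $1$ (MD5-crypt) hash")
    salt, digest = parts[2], parts[3]
    if not 1 <= len(salt) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("bad salt")
    if len(digest) != 22 or any(c not in ITOA64 for c in digest):
        raise ValueError("digest must be 22 characters from the crypt alphabet")
    return salt, digest


def verify(password: str, hash_string: str) -> bool:
    """Check a candidate password against a stored hash in constant time."""
    salt, _ = parse_md5_crypt(hash_string)
    return secrets.compare_digest(md5_crypt(password, salt), hash_string)


if __name__ == "__main__":
    # Constructed values: a hypothetical user and password for illustration only.
    h = md5_crypt("verySecurePassword", new_salt())
    print(f"set user John password-hash {h}")
```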
Setting Shell for a User
The set user command configures the login shell of an existing user.
Description Sets login shell to user <user>
Syntax set user <user> shell <clish|bash>
Parameters Parameter Description <clish|bash>
CLISH or Bash shell
<user> User login name
Return Value 0 on success, 1 on failure
Example set user John shell cli
Output Success prints OK. Failure prints appropriate error message.
set user-lock
The set user-lock command configures how a user can be locked-out of the WebUI. This command does not apply to the CLI.
Disabling User-lock
The set user-lock command can disable user-lock and users are never locked-out of the WebUI.
Description Disables user-lock for the WebUI
Syntax set user-lock disable
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example set user-lock disable
Output Success prints OK. Failure prints appropriate error message.
Configuring User-lock
The set user-lock command enables user-lock and configures the parameters for failed logins for the WebUI. These are the default values for the parameters:
attempts - 3. The user is locked-out after three failed login attempts.
time - 1. The user is locked-out and cannot attempt to login for one minute.
Description Sets the number of attempts <attempts> after which the user is locked-out of the WebUI.
Sets the amount of time <time> that the user is locked-out and cannot attempt to login to the WebUI.
Syntax set user-lock {attempts <attempts>|time <time>}
Parameters Parameter Description <attempts>
Number of permitted login attempts. A number between 1 and 999.
<time> Number of minutes before the user can attempt to login again.
Return Value 0 on success, 1 on failure
Example set user-lock attempts 10 time 60
Output Success prints OK. Failure prints appropriate error message.
Comments You can use both the attempts and time parameters.
shell/expert The shell and expert commands switch to CLI expert mode.
Description Switches to expert mode.
Syntax shell
expert
Parameters Parameter Description n/a
Return Value None
Example shell
Output None
Comments Use the cpshell (on page 67) command to start cpshell.
show admin access
Displays admin access configuration information including interfaces and IPv4 addresses. Use the show admin-access-ipv4-addresses command to only display the IP addresses from which the admin is allowed to remotely access the appliance.
Description Displays admin access configuration information
Syntax show {admin-access|admin-access-ipv4-addresses}
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show admin-access
Output Success displays admin access configuration information. Failure prints appropriate error message.
show backup settings
Displays information about a previous backup of the appliance's settings.
show backup-settings-log displays the log file of previous backup settings operations.
Description Displays backup settings information
Syntax show backup-settings-{log|info {from tftp server <server> filename <file>|from usb filename <file>}}
Parameters Parameter Description <server>
IP address or host name of the TFTP server
<file> Name of backup file
Return Value 0 on success, 1 on failure
Example show backup-settings-log
show backup-settings-info from usb filename backup
Output Success prints backup settings information. Failure prints appropriate error message.
show clock
Description Displays current system date and time
Syntax show clock
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show clock
Output Success displays date and time. Failure prints appropriate error message.
show commands
Description Displays all available CLI commands.
Syntax show commands
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show commands
Output List of all available CLI commands.
show date
Description Displays current date in DD-Month-YYYY format.
Syntax show date
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show date
Output Current date
show dhcp Displays DHCP (Dynamic Host Configuration Protocol) settings.
Showing DHCP Settings
The show dhcp command displays the current DHCP settings. The server parameter displays all the custom server options and advanced settings for all the interfaces.
Description Displays a table with all DHCP related settings. Also, all of the custom DHCP server options and advanced settings for all interfaces will be displayed.
Syntax show dhcp [server]
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show dhcp server
Output Prints a table with all DHCP related settings
Server parameter - All of the custom DHCP server options and advanced settings for all interfaces
Comments These columns are included in the output table: Interface name, Enabled, Start Address, End Address, Exclude start IP address, Exclude end IP address
Showing DHCP for an Interface
The show dhcp command displays if the DHCP server for a specific interface is enabled or disabled.
Description Indicates if the DHCP server for interface <interface> is enabled or disabled.
Syntax show dhcp server interface <interface> active
Parameters Parameter Description <interface>
Valid interface name
Return Value 0 on success, 1 on failure
Example show dhcp server interface LAN2 active
Output DHCP is enabled: DHCP server for interface LAN Switch is enabled
DHCP is disabled: DHCP server for interface LAN7 is disabled
Showing DHCP IP Pool
The show dhcp command displays the range of IP addresses that are available to DHCP clients on a specific interface.
Description Displays the IP pool for DHCP servers for interface <interface>
Syntax show dhcp server interface <interface> ip-pool
Parameters Parameter Description <interface>
Valid interface name
Return Value 0 on success, 1 on failure
Example show dhcp server interface SWITCH ip-pool
Output IP-pool for interface <interface> starts at: <start_ip_address> and ends at: <end_ip_address>
Comments If an IP pool is not set for the interface, this message is displayed: IP-pool is not set for interface: <interface>
show dns
The show dns command displays these DNS (Domain Name System) settings:
show dns - Displays all DNS related parameters.
show dns mode - Displays DNS mode (global or internet).
show dns primary - Displays IP address of first DNS server.
show dns secondary - Displays IP address of second DNS server.
show dns tertiary - Displays IP address of third DNS server.
show dns dns-proxy - Displays IP address of DNS proxy server.
Description Displays DNS related values.
Syntax show dns [mode|primary|secondary|tertiary|dns-proxy]
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show dns primary
Output show dns - Table containing all DNS related parameters; these columns are displayed: DNS Mode, First Server, Second Server, Third Server, DNS Proxy.
show dns mode - Global or Internet
show dns primary - IPv4 address of the first DNS server.
show dns secondary - IPv4 address of the second DNS server.
show dns tertiary - IPv4 address of the third DNS server.
show dns dns-proxy - IPv4 address of the DNS proxy server.
show domainname
Description Displays the domain name of the system.
Syntax show domainname
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show domainname
Output Domain name of the system.
show ha internet
Description Displays configuration parameters for Internet High Availability mode
Syntax show ha-internet
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show ha-internet
Output Success prints Internet High Availability parameters. Failure prints appropriate error message.
show host The show host command displays these host settings:
show host - Displays configuration for all configured hosts
show host name <host> - Displays configuration for host <host>
Description Displays static host configuration.
Syntax show host [name <host>]
Parameters Parameter Description <host>
The name of the host
Return Value 0 on success, 1 on failure
Example show host name cnn.com
Output show host - Table containing configuration for all configured hosts. Table columns are: Host Name, and IP Address.
show host name <host> - Table containing configuration for host <host>. Table columns are: Host Name, and IP Address, or Host does not exist if the host does not exist.
show hostname
Description Displays host name.
Syntax show hostname
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show hostname
Output Host name of the machine
show icmp servers
Description Displays list of ICMP servers
Syntax show icmp-servers [primary|secondary|all]
Parameters Parameter Description primary
Displays ICMP servers for the primary Internet connection
secondary Displays ICMP servers for the secondary Internet connection
all Displays ICMP servers for all the Internet connections
Return Value 0 on success, 1 on failure
Example show icmp-servers primary
Output Success prints ICMP server parameters. Failure prints appropriate error message.
show inactivity-timeout
Description Displays inactivity timeout for web UI and shells assigned to users (in minutes)
Syntax show inactivity-timeout
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show inactivity-timeout
Output Inactivity-timeout: <X> minutes.
<X> is the inactivity timeout for web UI and shells assigned to users.
show interface Displays parameters and status of a specific interface.
Description Displays detailed information about interface <interface>
Syntax show interface <interface> all
Parameters Parameter Description <interface>
Valid interface name
Return Value 0 on success, 1 on failure
Example show interface WAN all
Output Detailed information about the interface.
show interfaces The show interfaces command displays these interface settings:
show interfaces - Displays all interfaces, their parameters and status in a table format.
show interfaces all - Displays detailed information for all interfaces.
Description Displays all interfaces, their parameters and status.
Syntax show interfaces [all]
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show interfaces
Output show interfaces:
Local Networks table with these columns: Name, IPv4 Address, Subnet Mask, IP assignment, Status, Enabled
LAN Switch table with these columns: Name, IPv4 Address, Subnet Mask, IP assignment, Interfaces, Enabled
Internet Connections table with these columns: Connection, Interface, Connection Type, Status, Duration, IPv4 Address, Enabled
show interfaces all - Detailed information about each interface
show license
Description Displays current license state.
Syntax show license
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show license
Output Current license state
show logs The show logs command displays these logs:
System
Kernel
Traffic
Description Displays specific log file
Syntax show logs {system|kernel|traffic}
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show logs kernel
Output Success displays log file. Failure prints appropriate error message.
show memory usage
Description Displays the amount of memory that is being used
Syntax show memory-usage
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show memory-usage
Output Success prints used memory. Failure prints appropriate error message.
show ntp The show ntp command displays NTP (Network Time Protocol) settings.
Showing NTP Status
The show ntp command displays if NTP is enabled or disabled.
Description Indicates if NTP is enabled or disabled.
Syntax show ntp active
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show ntp active
Output Yes - NTP is enabled, otherwise No
Showing NTP Servers
The show ntp command displays the configured NTP servers.
Description Displays NTP servers
Syntax show ntp servers
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show ntp servers
Output Table with the configured NTP servers
Comments If NTP is disabled this note is displayed: NOTE: NTP servers are not active
show proxy Displays the current proxy settings used for fetching the license from the Check Point User Center.
Description Displays the current proxy settings.
Syntax show proxy
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show proxy
Output Table containing these columns: Status, IP Address, Port
show restore settings log Displays the log file of previous restore settings to default operations. You can display these restore settings log files:
restore-settings-log - Log file for restoring saved settings
restore-default-settings-log - Log file for restoring the default settings
Description Displays log file for restore settings command
Syntax show {restore-settings-log|restore-default-settings-log}
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show restore-settings-log
Output Success prints restore settings log file. Failure prints appropriate error message.
show revert log
Description Displays the log file of previous revert operations
Syntax show revert-log
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show revert-log
Output Success prints revert log file. Failure prints appropriate error message.
show route
Description Displays the routing table.
Syntax show route
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show route
Output Routing table with these columns: Destination, Destination Mask, Interface, Next Hop, Metric, Destination Mask, Notes.
show rule hits Displays the firewall rules that received the most hits.
Description Displays the top firewall policy rule hits
Syntax show rule-hits [top <rule>]
Parameters Parameter Description <rule>
Number of rules in the security policy that are displayed. Minimum value is 1.
Return Value 0 on success, 1 on failure
Example show rule-hits top 3
Output Success prints number of hits per rule. Failure prints appropriate error message.
show saved image
Description Displays information about the saved backup image
Syntax show saved-image
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show saved-image
Output Success prints information about the image. Failure prints appropriate error message.
show snmp The show snmp command displays information about the SNMP settings on the appliance.
Showing SNMP Agent
Displays information about the status or version of the SNMP agent. The show snmp community command displays the SNMP agent community string (a "password" for SNMP v1 and v2 protocols).
Description Displays SNMP agent information
Syntax show snmp {agent|agent-version|community}
Parameters Parameter Description agent
on - SNMP agent is enabled
off - SNMP agent is disabled
Return Value 0 on success, 1 on failure
Example show snmp agent
Output Success prints SNMP agent information. Failure prints appropriate error message.
Showing SNMP Host Information
Displays information about the SNMP host. These parameters are displayed:
show snmp contact - Information about the host on which the SNMP agent is running
show snmp location - The location of the SNMP host
Description Displays information about the SNMP host
Syntax show snmp {contact|location}
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show snmp location
Output Success prints OK. Failure prints appropriate error message.
Showing SNMP Trap Information
Displays information about the SNMP traps. These parameters are displayed:
status - Displays SNMP traps status
enabled-traps - Display list of all enabled SNMP traps
receivers - Displays SNMP trap receivers
Description Displays information about the SNMP traps
Syntax show snmp traps {status|enabled-traps|receivers}
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show snmp traps enabled-traps
Output Success prints SNMP trap information. Failure prints appropriate error message.
Showing SNMP Users
Displays information about SNMP v3 users. These parameters are displayed:
show snmp users - Displays the list of all SNMP v3 users
show snmp user <user> - Displays the information about a specific SNMP v3 user
Description Displays information about SNMP v3 users
Syntax show {snmp users|snmp user <user>}
Parameters Parameter Description <user>
SNMP v3 user name
Return Value 0 on success, 1 on failure
Example
Output Success prints information about SNMP v3 users. Failure prints appropriate error message.
show software version
Description Displays version of the current software
Syntax show software-version
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show software-version
Output Success prints appliance software version. Failure prints appropriate error message.
show time
Description Displays current time in HH-MM-SS format.
Syntax show time
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show time
Output Current time.
show timezone
Description Displays system time zone in format AREA REGION.
Syntax show timezone
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show timezone
Output Time zone in format AREA REGION.
Comments AREA is geographic area. REGION is a region inside a specific area.
show timezone-dst
Description Displays system Daylight Saving Time status.
Syntax show timezone-dst
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show timezone-dst
Output Yes, if the clock is set to automatically adjust for daylight saving changes
No, if adjusting the clock automatically for daylight saving changes is turned off.
show upgrade log
Description Displays upgrade log files
Syntax show upgrade-log
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show upgrade-log
Output Success prints upgrade log files. Failure prints appropriate error message.
show user The show user command displays these user settings:
show user - Displays table containing user related preferences for all users.
show user <user> password-hash - Displays password hash for user <user>.
show user <user> shell - Displays shell assigned for user <user>.
Description Displays user related preferences.
Syntax show user [<user> {password-hash|shell}]
Parameters Parameter Description <user>
User login name
Return Value 0 on success, 1 on failure
Example show user John shell
Output show user - Table containing user related preferences for all users. The table contains these columns: Username, Password Hash, Shell.
show user <user> password-hash - Password-hash for user <user> is '<pass_hash>', or No such user '<user>' if <user> does not exist.
show user <user> shell - Shell for user '<user>' is '<cli|bash>', or No such user '<user>' if <user> does not exist.
Comments password-hash is a password MD5 string representation.
show user-lock
The show user-lock command displays the user-lock settings. A user is locked-out of the WebUI after a specific number of failed login attempts. The show user-lock command displays these user-lock settings:
show user-lock - Displays a table with all the user-lock preferences.
show user-lock active - Displays if user-lock is enabled or disabled.
show user-lock attempts - Displays maximum number of login attempts before the user is locked-out.
show user-lock time - Displays duration in minutes that the user is locked-out of the WebUI.
Description Displays user-lock settings.
Syntax show user-lock [active|attempts|time]
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show user-lock attempts
Output show user-lock - Table containing all user-lock preferences with these columns: Enabled, Attempts, Time (mins).
show user-lock active - User-lock is enabled when user-lock is enabled, User-lock is disabled otherwise.
show user-lock attempts - Allowed login attempts: <X> where X is the maximum number of login attempts before the user is locked-out (a number between 1 and 999).
show user-lock time - Lock-out time: <X> minutes where X is the total number of minutes that the user is locked-out of the WebUI.
Comments User-lock settings do not apply to the CLI.
show vpn tunnel Displays all IKE (Internet Key Exchange) and IPSec (Internet Protocol Security) SAs (Security Associations).
Description Displays information about the VPN tunnel
Syntax show vpn-tunnel-info
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example show vpn-tunnel-info
Output Success prints information about the VPN tunnel. Failure prints appropriate error message.
upgrade from usb|tftp server
Description Upgrades the software image from a file on a USB drive or TFTP server.
Syntax upgrade from {usb [file <usb_file>]|tftp server <server> filename <tftp_file>} save-backup <on|off>
Parameters Parameter Description <usb_file>
Name of software image file on USB drive.
<server> Host name or IP address of TFTP server.
<tftp_file> Name of software image file on TFTP server.
<on|off> on - Saves a backup software image and overwrites any existing backup image.
off - Does not save a backup software image. This is the default setting.
Return Value 0 on success, 1 on failure
Example upgrade from usb save-backup on
Output Success prints OK. Failure prints appropriate error message.
vpn The vpn command manages the VPN driver and helps to debug the VPN.
Managing VPN Driver
Description Installs the VPN kernel (vpnk) and connects to the firewall kernel (fwk), attaching the VPN driver to the Firewall driver
Syntax vpn drv <on|off>
Parameters Parameter Description <on|off>
Starts or stops the VPN kernel
Return Value 0 on success, 1 on failure
Example vpn drv on
Output Success prints OK. Failure prints appropriate error message.
Launching TunnelUtil Tool
You can use the vpn tunnelutil command to launch the VPN TunnelUtil tool. This tool can be used to:
List IKE and IPSec SAs
Delete IKE and IPSec SAs
Description Launches the VPN TunnelUtil tool
Syntax vpn tunnelutil
Parameters Parameter Description n/a
Return Value 0 on success, 1 on failure
Example vpn tunnelutil
Output Success launches VPN TunnelUtil tool. Failure prints appropriate error message.
Debugging VPN
Description The vpn debug command contains multiple utilities for troubleshooting VPN issues.
Syntax vpn debug {on [TOPIC=level]|off} [ikeon|ikeoff] [trunc [TOPIC=level]] [mon|moff]
Parameters Parameter Description on|off
Writes debugging information to $FWDIR/log/sfwd.elg
[TOPIC=level] Sets level of debugging for a particular topic.
This argument can only be used after on or trunc.
ikeon|ikeoff Writes IKE packet information into $FWDIR/log/ike.elg
trunc Writes both sfwd.elg and ike.elg, but first
clears the files
mon|moff Writes raw IKE packets to $FWDIR/log/ikemonitor.snoop
Return Value 0 on success, 1 on failure
Example vpn debug on
Output Failure prints appropriate error message.
Advanced Configuration
Upgrade Using a USB Drive
This section explains how to upgrade the appliance with a USB drive without a console connection to the appliance. You can also choose manually, from a console, the specific file to use for the upgrade. For more information, see Upgrade Using Boot Loader (on page 132).
Installing a new firmware image from a USB drive
Check Point releases new firmware images from time to time. You can reburn the appliance using the image file and a USB drive. Note that you can also upgrade using the WebUI, in which case you do not lose your previous settings if the new image supports it. When you reburn a new image with a USB drive, the appliance deletes your previous settings and creates a new factory default image to which the appliance can later return.
To upgrade to a new firmware image from a USB drive:
1. Disconnect the Security Gateway 80 appliance from the power source.
2. Place the firmware image file on a USB drive, in the top folder. The firmware image file is recognized by its name so do not rename it.
3. Make sure the top folder of the USB drive does not contain any previous Boot loader or Firmware images (u-boot*.ubt files or fw1*.img files).
4. Connect the USB drive to one of the USB ports on the Security Gateway 80 appliance. If the operation does not succeed, this may be due to the fact that the USB1 port does not recognize all USB drives. Some USB drives also use a different file system and those are not supported.
5. Connect the appliance to the power source. The appropriate USB LED will light and blink several times as it recognizes the file and uploads it to the appliance. The LED turns off once the file uploads. This takes several seconds.
If the file is valid, all LAN LEDs will start to blink to show progress. Every other LED blinks at a different speed. The LAN LEDs blink in orange and green (Link LEDs blink orange and Activity LEDs blink green).
Upon successful installation all LAN LEDs will turn solid green and the appliance awaits your input.
6. Remove the USB drive and disconnect the appliance from the power source.
7. Reconnect the appliance to the power source. Allow the appliance to boot successfully. The first boot after an image reburn takes more time than a normal boot. Wait patiently for the Notice LED to stop blinking (this indicates that the boot is complete).
Because this operation has removed your previous settings, refer to the Getting Started Guide and reconfigure your appliance with the First Time Configuration Wizard.
Note - When you upgrade with a USB drive, you also replace the saved factory defaults image of the appliance as this method reburns the appliance. For more information, see Upgrade (on page 49).
Installing a new Boot-Loader from a USB drive
Check Point rarely releases a new Boot Loader; when it does, it usually comes together with a new image. Upgrading to a new U-Boot or firmware image requires booting the appliance.
To replace Boot-Loader (usually done before you upgrade to the new image, if one exists):
1. Disconnect your Security Gateway 80 appliance from the power source.
2. Place the Boot loader file on a USB drive, in the top folder. The Boot loader file is recognized by its name so do not rename it.
3. Make sure the top folder of the USB drive does not contain any previous Boot loader or Firmware images (u-boot*.ubt files or fw1*.img files).
4. Connect the USB drive to your Security Gateway 80 appliance, to one of the USB ports. If the operation does not succeed, this may be due to the fact that the USB1 port does not recognize all USB drives. Some USB drives also use a different file system and those are not supported.
5. Connect the appliance to the power source. The appropriate USB LED will light and blink several times as it recognizes the file and uploads it to the appliance. The LED turns off once the file uploads. This takes several seconds.
If the file is valid, all LAN LEDs will start to blink to show progress. Every other LED blinks at a different speed. The LAN LEDs blink in orange and green (Link LEDs blink orange and Activity LEDs blink green).
Upon successful installation all LAN LEDs will turn solid green and the appliance awaits your input.
6. Remove the USB drive and disconnect the appliance from the power source.
7. If you need to install a new firmware image, refer to the firmware image installation section before reconnecting the appliance to the power source.
Boot Loader
The SecurePlatform Embedded Boot Menu is shown during boot and is available by pressing Ctrl+C while the appliance is booting. The menu contains the available options.
When you are in the Boot Loader, all interfaces are down; you can activate them only for options that require connectivity. At this point Check Point's services are not active.
Options 1-3 start the appliance.
Normal mode is the default boot mode for the appliance.
Debug mode boot gives printouts of processes that are initialized during boot.
Maintenance mode boots the machine and gives access only to the file system (network interfaces, Check Point processes and the appliance’s services are down).
Note - During normal/debug boot, if there is an error and the appliance cannot boot properly, it reverts to maintenance mode and the Power LED turns solid red.
Options 4-5 are explained in the subsequent sections.
Options 6-7 let you manually choose a specific file from a USB drive and install/update an image or a new boot loader. Once you choose the file and it is downloaded onto the appliance the rest of the procedure is the same as in Upgrade Using a USB Drive (on page 131).
Option 8 restarts the appliance.
Upgrade Using Boot Loader
To restore the Security Gateway 80 appliance to its default factory configuration using U-boot (boot loader):
1. Connect to the appliance with a console connection (use the serial console connection on the back panel of the appliance), boot the appliance and press Ctrl+C. The Secure Platform Embedded Boot Menu is shown.
2. Press 5 to select Install/Update Image/Boot-Loader from Network.
3. You are asked if you want to manually load the image from a TFTP server, or if you want to use automatic mode with a bootp server.
4. If you choose manual mode, you are asked to fill in the IP of the TFTP server and the image name.
5. If you choose automatic mode, the procedure starts automatically to search for the bootp server.
6. While in menu mode, pressing Ctrl+C again returns you to the Boot Loader menu.
During the upgrade, all LAN Link and Activity LEDs blink orange and green alternately to indicate progress. This takes up to a few minutes.
Upon successful completion all LAN Link and Activity LEDs light green, and the appliance waits for you to either press a key or reboot manually (pull the power cable out and put it back in). An error in the upgrade process is indicated by all LAN Link and Activity LEDs blinking red.
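Both USB procedures above and the two network paths (the boot-loader network install in manual mode and the upgrade from tftp server CLI command) depend on the same staging rules: the appliance recognises the image by its file name, so the file must not be renamed, and the USB top folder must contain no other u-boot*.ubt or fw1*.img file. The following shell script is an added example of pre-flight checks run on the workstation that prepares the drive or the TFTP root; it is not Check Point tooling. The function names and the image name fw1_example.img are constructed placeholders, and the script does not check the USB file system type, because the guide does not name which file systems the appliance supports.

```shell
#!/bin/sh
# Added example, not Check Point tooling: pre-flight checks on a workstation
# before reburning a Security Gateway 80 from a USB drive or over TFTP.
# Rules encoded here are the ones the procedures state: the image is
# recognised by its file name (never rename it) and the USB top folder must
# hold no other u-boot*.ubt or fw1*.img file. Image names used in the tests
# (fw1_example.img) are constructed placeholders, not real release names.

# image_name_ok NAME -> 0 if NAME matches a firmware or boot-loader image pattern.
image_name_ok() {
    case "$1" in
        fw1*.img|u-boot*.ubt) return 0 ;;
        *) return 1 ;;
    esac
}

# check_usb_top_folder DIR NAME -> 0 if the top folder DIR is ready to hold
# the image NAME. Fails when NAME is not an expected image name (a renamed
# file would not be recognised) or when another boot-loader or firmware
# image already sits in DIR (the appliance could pick the wrong file).
check_usb_top_folder() {
    usb_dir=$1
    image=$(basename "$2")
    if ! image_name_ok "$image"; then
        echo "refusing renamed or unknown image: $image" >&2
        return 1
    fi
    for f in "$usb_dir"/u-boot*.ubt "$usb_dir"/fw1*.img; do
        [ -e "$f" ] || continue                      # unmatched glob pattern
        [ "$(basename "$f")" = "$image" ] && continue # the image itself is fine
        echo "stale image in top folder: $f" >&2
        return 1
    done
    return 0
}

# stage_tftp_image SRC TFTP_ROOT -> copies SRC into TFTP_ROOT, read-only for
# everyone so an unprivileged TFTP daemon can serve it, and proves the served
# copy is byte-identical to the source before anything boots from it.
# Prints the file name to enter as <tftp_file> or in manual mode.
stage_tftp_image() {
    src=$1
    root=$2
    name=$(basename "$src")
    if ! image_name_ok "$name"; then
        echo "unexpected image name: $name" >&2
        return 1
    fi
    cp "$src" "$root/$name" || return 1
    chmod 0444 "$root/$name"
    if ! cmp -s "$src" "$root/$name"; then
        echo "copy differs from source, not serving $name" >&2
        rm -f "$root/$name"
        return 1
    fi
    echo "$name"
}
```

Run check_usb_top_folder against the mount point of the USB drive before disconnecting it, and stage_tftp_image against the TFTP daemon's root directory before selecting Install/Update Image/Boot-Loader from Network. If Check Point publishes a digest for the image you downloaded, compare it with the staged copy at the same point; the byte comparison here only proves that what the TFTP server offers is what you intended to serve.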
Restore Factory Defaults from the Boot Loader Menu
To restore the Security Gateway 80 appliance to its default factory configuration from U-boot (boot loader):
1. Connect to the appliance with a console connection (use the serial console connection on the back panel of the appliance), boot the appliance and press Ctrl+C. The Secure Platform Embedded Boot Menu is shown.
2. Press 4 to select Restore to Factory Defaults (local).
3. When you are prompted: "Are you sure? (y/n)" choose y to continue and restore the appliance to its factory defaults settings.
While factory defaults are being restored, all LAN Link and Activity LEDs will blink orange and green alternately to indicate progress. This takes a few minutes.
Upon completion, the appliance boots automatically.
Front Panel
Key  Description
1    USB1 port.
2    Power LED
     Green when the appliance is turned on.
     Red when there is a boot error (the appliance booted in maintenance mode).
3    Notice LED
     Blinking green during boot.
     Blinking red when there is no Internet connection. See the WebUI Logs > System Logs page for more details.
     Solid red when the appliance has a resource problem such as memory shortage. See the WebUI Logs > Traffic Logs page for more details.
4    LAN1 - LAN8, DMZ and WAN port LEDs - when a specific port is inactive, neither of the port's indicators is lit.
     Link Indicator
       Orange when the port speed is 1000 Mbps.
       Green when the port speed is 100 Mbps.
       Not lit when the port speed is 10 Mbps.
     Activity Indicator
       Solid green when the link is up and there is no traffic.
       Blinking green when there is traffic.
5    USB1 and USB2 port LEDs - orange when a USB device is connected.
Back Panel
Key Description
1 Power outlet - connects to the power supply unit's cable.
2 Reboot button - lets you forcibly reboot the appliance. The button is recessed into the appliance chassis to prevent accidental reboot. The appliance reboots immediately after you press the button.
3 LAN1 - LAN8 - built-in Ethernet ports. LAN2/SYNC - in a cluster configuration, you must connect a cable between this port on both appliances that take part in the cluster. You can configure the cluster sync port to a port other than LAN2.
4 DMZ and WAN - built-in Ethernet ports.
5 USB2 - second USB port.
6 Console - serial connection configured at 115200 bps.
7 Factory Defaults button - lets you restore the appliance to its factory defaults. The button is recessed into the appliance chassis to prevent accidental restoring of factory default settings. See Factory Defaults (on page 50).
Remote Access VPN
For Security Gateway 80 to work with Endpoint Connect, configure the following:
The SNX URL is https://<WAN-IP>. This is the IP address configured for your Internet connection.
For L2TP clients, the PSK is configured in different locations:
If the Security Management Server is R70.40 and higher - configure the client in a file on the Security Management Server: /opt/CPSFWCMP-R70/conf/l2tp.conf
If the Security Management Server is R71.20 and higher, there is a GUI option in the Global Properties.
Index
A
add admin access • 60 add host • 61 add interface • 61 add ntp • 61 add snmp • 62 add switch • 63 add user • 63 Adding a Route with a Specific Gateway IP Address • 102
Adding a Route with a Specific Gateway IP Address and Interface • 104 Adding a Route with a Specific Gateway IP Address and Priority • 103
Adding a Route with a Specific Interface • 103 Adding a Route with a Specific Interface and Priority • 104 Adding Routes • 102 Adding SNMP v2 Traps Receiver • 62 Adding SNMP v3 Traps Receiver • 62 Administration • 47 Administrator Access • 52 Administrators • 51 Advanced Configuration • 131 Appliance Configuration • 32 Automatic Topology • 45
B
Back Panel • 135 Backup and Restore • 47 backup settings • 63 Boot Loader • 132 Bridge Mode Configuration • 40
C
CLI Reference • 59 CLI Syntax • 59 Cluster Configuration • 24 Cluster Interface Configuration • 28 Configuration File Error • 22 Configure the Cluster in SmartDashboard • 30 Configure the New Appliance • 29 Configuring a Bridge • 95 Configuring a DNS Server • 85 Configuring a Proxy Server • 105 Configuring a TFTP Server • 86 Configuring Advanced Interface Settings • 99 Configuring Call Manager • 89 Configuring Client Root Disk • 87 Configuring Custom DHCP Option • 90 Configuring DHCP • 99 Configuring DHCP Extensions • 87 Configuring ICMP • 100 Configuring IP Lease Time • 84 Configuring NBDD • 88 Configuring NetBIOS Scope • 88 Configuring PPPoE • 95 Configuring PPTP and L2TP • 96 Configuring SNMP v3 Receivers • 109
Configuring SNMP v3 Users • 109 Configuring Static IP • 94 Configuring Subnet Time Offset • 85 Configuring the Cluster Object Using SmartDashboard • 26 Configuring the Default Gateway • 84 Configuring the Path for a Bootstrap File • 87
Configuring the Security Gateway 80 Appliances • 25 Configuring the SMTP Server • 86 Configuring the Swap Server • 85 Configuring the WINS Server • 84 Configuring User-lock • 113 Configuring VoIP Phones • 89 Configuring WINS Node-Type • 88 Configuring X-Windows Display • 89
Converting an Existing Security Gateway 80 to a Cluster • 29 cphaprob • 64 cphastop • 66 cpinfo • 66 cpshell • 67 cpstart • 67 cpstat • 67 cpstop • 69 cpwd_admin • 69 cpwd_admin config • 70 cpwd_admin start|stop • 71
Create and Configure a Cluster in SmartDashboard • 30 Creating a Cluster for New Gateways • 25
D
Debugging VPN • 130 Defining a Single Gateway Object • 9 Defining a SmartLSM Profile • 19 delete admin access • 72 delete dhcp • 72 delete dns • 73 delete domainname • 73 delete host • 74 delete ICMP server • 72 delete interface • 74 delete ntp • 75 delete proxy • 75 delete snmp • 75 delete switch • 76 delete user • 76 Deleting DHCP Custom Option Code • 73 Deleting Excluded IP Addresses • 72 Deleting Routes • 101
Deleting Routes by Destination and Gateway IP Address • 101 Deleting Routes by Destination and Gateway IP Address and Interface • 102 Deleting Routes by Destination IP Address • 101 Deleting Routes by Destination IP Address and Interface • 101
Deleting the Internet Interface • 74 Deleting VLANs • 74 Deploying from a USB Drive • 20 Deploying the Configuration File - Existing Configuration • 21
Deploying the Configuration File - Initial Configuration • 20
Deploying with SmartProvisioning • 20 Diagnostics • 57 Disabling User-lock • 113 DNS • 44 dynamic objects • 77
E
Editing Routes • 104 Enabling the DHCP Server • 83 Excluding IP Addresses • 83 exit • 77
F
Factory Defaults • 50 fetch certificate • 78 fetch license • 78 fetch policy • 78 Front Panel • 134 fw Commands • 79
I
Implied Rules for Security Gateway 80 • 46 Important Information • 3 Installation and Deployment • 9 Integrated Anti-Virus Protection • 55 Internet Configuration • 35 Internet Connection High Availability • 37 Internet Settings • 35 Introduction • 8 Introduction to the WebUI Application • 33
L
Launching TunnelUtil Tool • 129 Licensing • 54 Local Network • 37
M
Managing a Proxy Server • 105 Managing Interfaces • 94 Managing SNMP Agent • 106 Managing SNMP Traps • 108 Managing VPN Driver • 129 Messaging Security • 56
N
Networking • 35
P
Preparing the Configuration Files • 20 Prerequisites • 9
R
reboot • 80 Reconfigure the Existing Security Gateway 80 • 30 Remote Access VPN • 135 restore default-settings • 80 Restore Factory Defaults from the Boot Loader Menu • 133 restore settings • 80 revert to factory defaults • 81 revert to saved image • 81 Routing • 41
S
Sample Configuration File • 20 Sample Configuration Log with Error • 23 Security • 55 Security Gateway 80 Clusters • 24 Security Gateway 80 Overview • 8 set admin access • 81 set date • 82 set dhcp relay • 90 set dhcp server • 82 set dns • 91 set dns mode • 91 set dnsproxy • 91 set domainname • 91 set expert password • 92 set ha internet primary • 92 set host • 93 set hostname • 93 set inactivity-timeout • 93 set interface • 93 set proxy • 105 set sic_init • 106 set snmp • 106 set static-route • 101
set static-route <dest_IP> nexthop gateway ipv4-address <gw_IP> priority <priority> on • 105
set time • 111 set time-zone • 111 set user • 112 set user-lock • 113 Setting a Single Trap • 110 Setting Community String • 107 Setting Host Location • 107, 108 Setting Password for a User • 112 Setting Password Hash for a User • 112 Setting Shell for a User • 113 Setting SNMP Host Information • 107 Setting SNMP v2 Receivers • 108 Setting SNMP Version • 107 Setting the IP Pool • 82 shell/expert • 114 show admin access • 114 show backup settings • 115 show clock • 115 show commands • 115 show date • 116 show dhcp • 116 show dns • 117 show domainname • 118 show ha internet • 118 show host • 118 show hostname • 119 show icmp servers • 119 show inactivity-timeout • 119 show interface • 120 show interfaces • 120 show license • 120 show logs • 121 show memory usage • 121 show ntp • 121 show proxy • 122
show restore settings log • 122 show revert log • 123 show route • 123 show rule hits • 123 show saved image • 124 show snmp • 124 show software version • 125 show time • 126 show timezone • 126 show timezone-dst • 126 show upgrade log • 127 show user • 127 show user-lock • 127 show vpn tunnel • 128 Showing DHCP for an Interface • 116 Showing DHCP IP Pool • 117 Showing DHCP Settings • 116 Showing NTP Servers • 122 Showing NTP Status • 121 Showing SNMP Agent • 124 Showing SNMP Host Information • 124 Showing SNMP Trap Information • 125 Showing SNMP Users • 125
Step 1 Defining the Security Gateway 80 Object in SmartDashboard • 9
Step 2 Preparing to Install the Security Policy • 14
Suggested Workflow - Configuration File Error • 22
Supported Linux Commands • 60 Switch Mode Configuration • 40 System Logs • 58
T
The Management Server Page • 33 The Overview Page • 33 Tools • 57 Traffic Logs • 58 Troubleshooting Configuration Files • 22
U
Upgrade • 49 upgrade from usb|tftp server • 128 Upgrade Using a USB Drive • 131 Upgrade Using Boot Loader • 132 URL Filtering • 55 Using Command Line Interface • 59 Using Domain Names • 60 Using Hostnames • 60 Using the set property Command • 23
V
Viewing Cluster Status in the WebUI • 31 Viewing Configuration Logs • 22 Viewing the Policy Installation Status • 16 vpn • 129
W
Welcome • 8