User guide

ManualsBrandsCheck Point Software Technologies ManualsNetworkingSafe@Office 1000NW

Check Point Safe@Office

Internet Security Appliance

User Guide

Version 8.2

Part No: 700797, November 2010

Summary of content (854 pages)

PAGE 1
Check Point Safe@Office Internet Security Appliance User Guide Version 8.
PAGE 2
COPYRIGHT & TRADEMARKS Copyright © 2010 SofaWare, All Rights Reserved. No part of this document may be reproduced in any form or by any means without written permission from SofaWare. Information in this document is subject to change without notice and does not represent a commitment on part of SofaWare Technologies Ltd. SofaWare, Safe@Home and Safe@Office are trademarks, service marks, or registered trademarks of SofaWare Technologies Ltd.
PAGE 3
modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program).
PAGE 4
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7.
PAGE 5
 Do not expose the appliance to extreme high or low temperatures.  Do not disassemble or open the appliance. Failure to comply will void the warranty.  Do not use any accessories other than those approved by Check Point. Failure to do so may result in loss of performance, damage to the product, fire, electric shock or injury, and will void the warranty.  Route power adapter cords where they are not likely to be walked on or pinched by items placed on or against them.
PAGE 6
PAGE 7
Contents Contents About This Guide ................................................................................................................................. ix Introduction ........................................................................................................................................... 1 About Your Check Point Safe@Office Appliance .............................................................................. 1 Safe@Office Product Family ...................................
PAGE 8
Contents Wall Mounting the Safe@Office Appliance ................................................................................... 103 Securing the Safe@Office Appliance against Theft........................................................................ 105 Setting Up the Safe@Office Appliance .......................................................................................... 107 Getting Started .....................................................................................................
PAGE 9
Contents Using Bridges ..................................................................................................................................... 259 Overview ......................................................................................................................................... 259 Workflow ........................................................................................................................................ 265 Adding and Editing Bridges ......................
PAGE 10
Contents Viewing Network Statistics ............................................................................................................. 362 Viewing the Routing Table ............................................................................................................. 374 Viewing Wireless Station Statistics ................................................................................................ 376 Viewing Logs .......................................................................
PAGE 11
Contents Using Web Content Filtering ........................................................................................................... 565 Overview ......................................................................................................................................... 565 Using Web Rules ............................................................................................................................ 567 Using Web Filtering ..............................................
PAGE 12
Contents Managing Users ................................................................................................................................. 677 Changing Your Login Credentials .................................................................................................. 677 Adding and Editing Users ............................................................................................................... 680 Adding Quick Guest HotSpot Users ............................................
PAGE 13
Contents Using Diagnostic Tools ................................................................................................................... 738 Backing Up and Restoring the Safe@Office Appliance Configuration .......................................... 752 Using Rapid Deployment ................................................................................................................ 759 Resetting the Safe@Office Appliance to Defaults ...........................................................
PAGE 14
PAGE 15
About Your Check Point Safe@Office Appliance About This Guide To make finding information in this guide easier, some types of information are marked with special symbols or formatting. Boldface type is used for command and button names. Note: Notes are denoted by indented text and preceded by the Note icon. Warning: Warnings are denoted by indented text and preceded by the Warning icon.
PAGE 16
About Your Check Point Safe@Office Appliance All products, with or without the Power Pack, with ADSL only All products, with or without the Power Pack, without ADSL only x Check Point Safe@Office User Guide
PAGE 17
About Your Check Point Safe@Office Appliance Chapter 1 Introduction This chapter introduces the Check Point Safe@Office appliance and this guide. This chapter includes the following topics: About Your Check Point Safe@Office Appliance .......................................1 Safe@Office Product Family .......................................................................2 Safe@Office 1000N and 1000N ADSL Product Features............................3 Safe@Office 1000NW and 1000NW ADSL Product Features ...
PAGE 18
Safe@Office Product Family The Safe@Office appliance also allows sharing your Internet connection among several PCs or other network devices, enabling advanced office networking and saving the cost of purchasing static IP addresses. With the Safe@Office appliance, you can subscribe to additional security services available from select service providers, including firewall security and software updates, Antivirus, Antispam, Web Filtering, reporting, VPN management, and Dynamic DNS.
PAGE 19
Safe@Office 1000N and 1000N ADSL Product Features Safe@Office 1000N and 1000N ADSL Product Features Table 1: Safe@Office 1000N and 1000N ADSL Features Feature SKU Prefix Safe@Office 1000N Safe@Office 1000N ADSL CPSB-1000N-n CPSB-1000N-n-ADSL Concurrent Users 25/Unlimited Capacity Firewall Throughput 1 Gbps VPN Throughput 200 Mbps Concurrent Firewall 60,000 Connections Hardware Features 4-Port LAN Switch WAN Port ADSL Standards Ethernet, 10/100/1000 Mbps Ethernet, 10/100/1000 Mbps ADSL2+ —
PAGE 20
Safe@Office 1000N and 1000N ADSL Product Features DMZ/WAN2 Port Ethernet / SFP, 10/100/1000 Mbps Dialup Backup With external serial / USB modem Console Port (Serial) ExpressCard Port — Print Server — USB 2.0 Ports — 2 Firewall & Security Features Check Point Stateful Inspection Firewall Application Intelligence SmartDefense™ (IPS) Network Address Translation (NAT) Four Preset Security Policies Anti-spoofing Voice over IP Support SIP, H.
PAGE 21
Safe@Office 1000N and 1000N ADSL Product Features P2P File Sharing Blocking / Monitoring Port-based and Tag- * based VLAN Port-based Security * (802.
PAGE 22
Safe@Office 1000N and 1000N ADSL Product Features IPSEC Features Hardware-accelerated DES, 3DES, AES, MD5, SHA-1, Hardware Random Number Generator (RNG), Internet Key Exchange (IKE), Perfect Forward Secrecy (PFS), IPSEC Compression, IPSEC NAT Traversal (NAT-T), IPSEC VPN Pass-through Networking Supported Internet Connection Methods Static IP, DHCP, PPPoE, PPTP, Static IP, DHCP, PPPoE, PPTP, Telstra, Cable, Dialup Telstra, Cable, EoA, PPPoA, IPoA, Dialup Transparent Bridge Mode Spanning Tree Protocol
PAGE 23
Safe@Office 1000N and 1000N ADSL Product Features MAC Cloning Network Address Translation (NAT) Rules Static Routes, Source Routes, and ServiceBased Routes Ethernet Cable Type Recognition DiffServ Tagging * Automatic Gateway * Failover (HA) Multicast Routing * Dynamic Routing * Management Central Management Local Management SMP HTTP / HTTPS / SSH / SNMP / Serial CLI Remote Desktop Integrated Microsoft Terminal Services Client Local Diagnostics Ping, WHOIS, Packet Sniffer, Status Monitor, Traff
PAGE 24
Safe@Office 1000NW and 1000NW ADSL Product Features Setting Rapid Deployment Hardware Specifications Power 100/110/120/210/220/230VAC (Linear Power Adapter) or 100~240VAC (Switched Power Adapter) Mounting Options Desktop, Wall, or Rack Mounting** Warranty 1 Year Hardware * Requires Power Pack upgrade CPSB-1000-UPG-PPACK. ** Rack mounting requires the optional rack mounting kit (sold separately).
PAGE 25
Safe@Office 1000NW and 1000NW ADSL Product Features Hardware Features 4-Port LAN Switch WAN Port Ethernet, 10/100/1000 Mbps Ethernet ADSL2+ 10/100/1000 Mbps ADSL Standards — ADSL2, ADSL2+, T.1413 G.DMT (G.992.1) G.Lite (G.992.2) Either: ANNEX A (ADSL over POTS) Or: ANNEX B (ADSL over ISDN) DMZ/WAN2 Port Ethernet 10/100/1000 Mbps Dialup Backup With external serial / USB modem Console Port (Serial) ExpressCard Port — Print Server USB 2.
PAGE 26
Safe@Office 1000NW and 1000NW ADSL Product Features Intelligence SmartDefense™ (IPS) Network Address Translation (NAT) Four Preset Security Policies Anti-spoofing Voice over IP Support SIP, H.323 Instant Messenger Blocking / Monitoring P2P File Sharing Blocking / Monitoring Port-based and Tag- * based VLAN Port-based Security * (802.
PAGE 27
Safe@Office 1000NW and 1000NW ADSL Product Features VPN Server with Check Point VPN Clients, L2TP OfficeMode and RADIUS Support Site-to-Site VPN Gateway Route-based VPN Backup VPN Gateways Remote Access VPN SecuRemote / SecureClient / L2TP / Endpoint Connect Client IPSEC Features Hardware-accelerated DES, 3DES, AES, MD5, SHA-1, Hardware Random Number Generator (RNG), Internet Key Exchange (IKE), Perfect Forward Secrecy (PFS), IPSEC Compression, IPSEC NAT Traversal (NAT-T), IPSEC VPN Pass-through Netw
PAGE 28
Safe@Office 1000NW and 1000NW ADSL Product Features Dead Internet Connection Detection (DCD) WAN Load Balancing Backup Internet Connection DHCP Server, Client, and Relay DHCP Leases 1024 DNS Server MAC Cloning Network Address Translation (NAT) Rules Static Routes, Source Routes, and ServiceBased Routes Ethernet Cable Type Recognition DiffServ Tagging * Automatic Gateway * Failover (HA) Multicast Routing 12 * Check Point Safe@Office User Guide
PAGE 29
Safe@Office 1000NW and 1000NW ADSL Product Features Dynamic Routing * Management Central Management Local Management SMP HTTP / HTTPS / SSH / SNMP / Serial CLI Remote Desktop Integrated Microsoft Terminal Services Client Local Diagnostics Ping, WHOIS, Packet Sniffer, Status Monitor, Traffic Monitor, My Tools Computers Display, Connection Table Display, Network Interface Monitor, VPN Tunnel Monitor, Routing Table Display, Event Log, Security Log NTP Automatic Time Setting Rapid Deployment Hardware
PAGE 30
Safe@Office 500 and 500 ADSL Product Features Safe@Office 500 and 500 ADSL Product Features Table 3: Safe@Office 500 and 500 ADSL Features Feature SKU Prefix Safe@Office 500 Safe@Office 500 ADSL CPSB-500G-n CPSB-500G-n-ADSL Concurrent Users 5/25/U Capacity Firewall Throughput 190 Mbps VPN Throughput 35 Mbps Concurrent Firewall 8,000 Connections Hardware Features 4-Port LAN Switch WAN Port ADSL Standards 10/100 Mbps Ethernet, 10/100 Mbps ADSL2+ — ADSL2, ADSL2+, T.1413 G.DMT (G.992.1) G.
PAGE 31
Safe@Office 500 and 500 ADSL Product Features Dialup Backup With external serial / USB modem Console Port (Serial) Print Server — USB 2.0 Ports — 2 Firewall & Security Features Check Point Stateful Inspection Firewall Application Intelligence SmartDefense™ (IPS) Network Address Translation (NAT) Four Preset Security Policies Anti-spoofing Voice over IP Support SIP, H.
PAGE 32
Safe@Office 500 and 500 ADSL Product Features Port-based and Tag- * based VLAN Port-based Security * (802.
PAGE 33
Safe@Office 500 and 500 ADSL Product Features Networking Supported Internet Connection Methods Static IP, DHCP, PPPoE, PPTP, Static IP, DHCP, PPPoE, PPTP, Telstra, Cable, Dialup Telstra, Cable, EoA, PPPoA, IPoA, Dialup Transparent Bridge Mode Spanning Tree Protocol (STP) Traffic Shaper (QoS) Basic/Advanced* Traffic Monitoring Dead Internet Connection Detection (DCD) WAN Load Balancing Backup Internet Connection DHCP Server, Client, and Relay DNS Server MAC Cloning Network Address Translation (NAT) R
PAGE 34
Safe@Office 500 and 500 ADSL Product Features Static Routes, Source Routes, and ServiceBased Routes Ethernet Cable Type Recognition DiffServ Tagging * Automatic Gateway * Failover (HA) Multicast Routing * Dynamic Routing * Management Central Management Local Management SMP HTTP / HTTPS / SSH / SNMP / Serial CLI Remote Desktop Integrated Microsoft Terminal Services Client Local Diagnostics Ping, WHOIS, Packet Sniffer, Status Monitor, Traffic Monitor, My Tools Computers Display, Connection Tab
PAGE 35
Safe@Office 500W and 500W ADSL Product Features Hardware Specifications Power 100/110/120/210/220/230VAC (Linear Power Adapter) or 100~240VAC (Switched Power Adapter) Mounting Options Desktop, Wall, or Rack Mounting** Warranty 1 Year Hardware * Requires Power Pack upgrade CPSB-500-UPG-PPACK. ** Rack mounting requires the optional rack mounting kit (sold separately).
PAGE 36
Safe@Office 500W and 500W ADSL Product Features WAN Port ADSL Standards Ethernet, 10/100 Mbps ADSL2+ — ADSL2, ADSL2+, T.1413 G.DMT (G.992.1) G.Lite (G.992.2) Either: ANNEX A (ADSL over POTS) Or: ANNEX B (ADSL over ISDN) DMZ/WAN2 Port Dialup Backup 10/100 Mbps With external serial / USB modem Console Port (Serial) Print Server USB 2.
PAGE 37
Safe@Office 500W and 500W ADSL Product Features Four Preset Security Policies Anti-spoofing Voice over IP Support SIP, H.323 Instant Messenger Blocking / Monitoring P2P File Sharing Blocking / Monitoring Port-based and Tag- * based VLAN Port-based Security * (802.
PAGE 38
Safe@Office 500W and 500W ADSL Product Features Route-based VPN Backup VPN Gateways Remote Access VPN SecuRemote / SecureClient / L2TP / Endpoint Connect Client IPSEC Features Hardware-accelerated DES, 3DES, AES, MD5, SHA-1, Hardware Random Number Generator (RNG), Internet Key Exchange (IKE), Perfect Forward Secrecy (PFS), IPSEC Compression, IPSEC NAT Traversal (NAT-T), IPSEC VPN Pass-through Networking Supported Internet Connection Methods Static IP, DHCP, PPPoE, PPTP, Static IP, DHCP, PPPoE, PPTP,
PAGE 39
Safe@Office 500W and 500W ADSL Product Features Connection DHCP Server, Client, and Relay DNS Server MAC Cloning Network Address Translation (NAT) Rules Static Routes, Source Routes, and ServiceBased Routes Ethernet Cable Type Recognition DiffServ Tagging * Automatic Gateway * Failover (HA) Multicast Routing * Dynamic Routing * Management Central Management Local Management Remote Desktop Chapter 1: Introduction SMP HTTP / HTTPS / SSH / SNMP / Serial CLI Integrated Microsoft Terminal Services Cli
PAGE 40
Safe@Office 500W and 500W ADSL Product Features Local Diagnostics Ping, WHOIS, Packet Sniffer, Status Monitor, Traffic Monitor, My Tools Computers Display, Connection Table Display, Network Interface Monitor, VPN Tunnel Monitor, Routing Table Display, Event Log, Security Log NTP Automatic Time Setting Rapid Deployment Hardware Specifications Power 100/110/120/210/220/230VAC (Linear Power Adapter) or 100~240VAC (Switched Power Adapter) Mounting Options Warranty Desktop, Wall, or Rack Mounting** 1 Yea
PAGE 41
Wireless Features Wireless Features Table 5: Safe@Office Wireless Features Feature Wireless Protocols Wireless Security Safe@Office 500W / Safe@Office 1000NW / Safe@Office 500W ADSL Safe@Office 1000W ADSL 802.11b (11 Mbps), 802.11g (54 802.11b (11 Mbps), 802.11g (54 Mbps), Super G (108 Mbps)** Mbps), 802.11n (300 Mbps) VPN over Wireless, WEP, WPA2 (802.11i), WPA-Personal, WPAEnterprise, 802.
PAGE 42
Optional Security Services * Requires Power Pack upgrade CPSB-500-UPG-PPACK or CPSB-1000-UPG-PPACK, depending on series. ** Super G and XR mode are only available with select wireless network adapters. Actual ranges are subject to change in different environments.
PAGE 43
Getting to Know Your Safe@Office 1000N Appliance Getting to Know Your Safe@Office 1000N Appliance Package Contents The Safe@Office 1000N package includes the following: • Safe@Office 1000N Internet Security Appliance • Power adapter • CAT5 Straight-through Ethernet cable • Getting Started Guide • Documentation CDROM • Wall mounting kit • RS232 serial adaptor (RJ45 to DB9) Network Requirements • 10BaseT or 100BaseT or 1000BaseT Network Interface Card installed on each computer • CAT 5 STP
PAGE 44
Getting to Know Your Safe@Office 1000N Appliance Rear Panel All physical connections (network and power) are made via the rear panel of your Safe@Office appliance. Figure 1: Safe@Office 1000N Appliance Rear Panel The following table lists the Safe@Office 1000N appliance's rear panel elements.
PAGE 45
Getting to Know Your Safe@Office 1000N Appliance Label Description RESET A button used for rebooting the Safe@Office appliance or resetting the Safe@Office appliance to its factory defaults. You need to use a pointed object to press this button. • Short press. Reboots the Safe@Office appliance • Long press (10 seconds or until SYS LED begins to blink rapidly). Resets the Safe@Office appliance to its factory defaults, and resets your firmware to the version that shipped with the Safe@Office appliance.
PAGE 46
Getting to Know Your Safe@Office 1000N Appliance Table 7: Safe@Office 1000N Appliance Status LEDs LED State Explanation Power Off Power off On (Green) Normal operation On (Red) Boot failed or TFTP mode Flashing quickly (Red) High temperature or system failure Flashing slowly (Orange) Writing update to flash memory Flashing quickly (Green) System boot in progress Flashing slowly (Green) Establishing Internet connection On (Green) Normal operation Off Normal operation Flashing for 5 sec
PAGE 47
Getting to Know Your Safe@Office 1000N ADSL Appliance 1000Mbps Off, VPN RS232/Serial 10 Mbps link established for the corresponding LINK/ACT Flashing (Green) port 1000Mbps On (Orange), 100 Mbps link established for the corresponding Data is being transmitted/received LINK/ACT Flashing (Green) port 1000Mbps On (Green), 1000 Mbps link established for the Data is being transmitted/received LINK/ACT Flashing (Green) corresponding port Off No VPN tunnel established On (Green) VPN idle / No ac
PAGE 48
Getting to Know Your Safe@Office 1000N ADSL Appliance Getting to Know Your Safe@Office 1000N ADSL Appliance Package Contents The Safe@Office 1000N ADSL package includes the following: • Safe@Office 1000N ADSL Internet Security Appliance • Power adapter • CAT5 Straight-through Ethernet cable • Getting Started Guide • Documentation CDROM • Wall mounting kit • RS232 serial adaptor (RJ45 to DB9) • RJ11 telephone cable Network Requirements • 10BaseT or 100BaseT or 1000BaseT Network Interface C
PAGE 49
Getting to Know Your Safe@Office 1000N ADSL Appliance • If desired, you can connect your appliance to an external broadband Internet connection via a cable or DSL modem with an Ethernet interface (RJ-45). Rear Panel All physical connections (network and power) are made via the rear panel of your Safe@Office appliance. Figure 3: Safe@Office 1000N ADSL Appliance Rear Panel The following table lists the Safe@Office 1000N ADSL appliance's rear panel elements.
PAGE 50
Getting to Know Your Safe@Office 1000N ADSL Appliance Label Description DSL An RJ-11 ADSL port used for connecting the integrated ADSL modem to an ADSL line. A splitter with a micro-filter is usually required when connecting this port to the phone jack. If unsure, check with your ADSL service provider. Before connecting this port to the line, make sure that you are using the correct Safe@Office model for your phone line: Annex A for POTS (regular) phone lines, and Annex B for ISDN (digital) phone lines.
PAGE 51
Getting to Know Your Safe@Office 1000N ADSL Appliance Side Panel The side panel includes a slot for inserting an ExpressCard cellular modem. Figure 4: Safe@Office 1000N ADSL Appliance Side Panel Front Panel The Safe@Office 1000N ADSL appliance includes several status LEDs that enable you to monitor the appliance’s operation. Figure 5: Safe@Office 1000N ADSL Appliance Front Panel For an explanation of the Safe@Office 1000N ADSL appliance’s status LEDs, see the table below.
PAGE 52
Getting to Know Your Safe@Office 1000N ADSL Appliance Security GbE Status (LAN 1-4 / DMZ/WAN2) Flashing quickly (Red) High temperature or system failure Flashing slowly (Orange) Writing update to flash memory Flashing quickly (Green) System boot in progress Flashing slowly (Green) Establishing Internet connection On (Green) Normal operation Off Normal operation Flashing for 5 sec (Orange) Virus blocked Flashing for 1 sec (Red) Hacker attack blocked 1000Mbps Off, LINK/ACT Off No Link 100
PAGE 53
Getting to Know Your Safe@Office 1000N ADSL Appliance 1000Mbps On (Green), DSL VPN RS232/Serial USB EXC 1000 Mbps link established for the LINK/ACT Flashing (Green) corresponding port Link Off Link is down Link Flashing Establishing ADSL connection Link On ADSL connection established DAT Off ADSL line is idle DAT Flashing Data is being transmitted/received Off No VPN tunnel established On (Green) VPN idle / No activity Flashing (Green) VPN activity Off No data terminal connected
PAGE 54
Getting to Know Your Safe@Office 1000NW Appliance Getting to Know Your Safe@Office 1000NW Appliance Package Contents The Safe@Office 1000NW package includes the following: • Safe@Office 1000NW Wireless Security Appliance • Power adapter • CAT5 Straight-through Ethernet cable • Getting Started Guide • Documentation CDROM • Wall mounting kit • RS232 serial adaptor (RJ45 to DB9) • Two antennas • USB extension cable Network Requirements • 10BaseT or 100BaseT or 1000BaseT Network Interface C
PAGE 55
Getting to Know Your Safe@Office 1000NW Appliance Rear Panel All physical connections (network and power) are made via the rear panel of your Safe@Office appliance. Figure 6: Safe@Office 1000NW Appliance Rear Panel The following table lists the Safe@Office 1000NW appliance's rear panel elements.
PAGE 56
Getting to Know Your Safe@Office 1000NW Appliance Label Description Internet. Serial A serial (RS-232) port used for connecting computers in order to access the Safe@Office CLI (Command Line Interface), or for connecting an external dialup modem. An RJ-45 to DB9 converter is supplied for your convenience. Warning: Do not connect an Ethernet cable to the RJ-45 serial port. USB Two USB 2.
PAGE 57
Getting to Know Your Safe@Office 1000NW Appliance Front Panel The Safe@Office 1000NW appliance includes several status LEDs that enable you to monitor the appliance’s operation. Figure 7: Safe@Office 1000NW Appliance Front Panel For an explanation of the Safe@Office 1000NW appliance’s status LEDs, see the table below.
PAGE 58
Getting to Know Your Safe@Office 1000NW Appliance Security GbE Status (WAN / DMZ / LAN 1-4) Flashing quickly (Green) System boot in progress Flashing slowly (Green) Establishing Internet connection On (Green) Normal operation Off Normal operation Flashing for 5 sec (Orange) Virus blocked Flashing for 1 sec (Red) Hacker attack blocked 1000Mbps Off, LINK/ACT Off No Link 1000Mbps Off, 10 Mbps link established for the corresponding LINK/ACT On (Green) port 1000Mbps On (Orange), 100 Mbps li
PAGE 59
Getting to Know Your Safe@Office 1000NW Appliance VPN RS232/Serial WLAN Off No VPN tunnel established On (Green) VPN idle / No activity Flashing (Green) VPN activity Off No data terminal connected On (Green) Data terminal ready Flashing (Green) Serial activity Off WLAN not enabled/connected On (Green) USB WLAN connected in idle / No activity Flashing (Green) WLAN activity Off No USB device connected On (Green) USB device connected Flashing (Green) Activity on the USB device Chap
PAGE 60
Getting to Know Your Safe@Office 1000NW ADSL Appliance Getting to Know Your Safe@Office 1000NW ADSL Appliance Package Contents The Safe@Office 1000NW ADSL package includes the following: • Safe@Office 1000NW ADSL Wireless Security Appliance • Power adapter • CAT5 Straight-through Ethernet cable • Getting Started Guide • Documentation CDROM • Wall mounting kit • RS232 serial adaptor (RJ45 to DB9) • Two antennas • USB extension cable • RJ11 telephone cable Network Requirements • 10BaseT
PAGE 61
Getting to Know Your Safe@Office 1000NW ADSL Appliance • A splitter with a micro-filter, installed on all the jacks connected to the same phone line • If desired, you can connect your appliance to an external broadband Internet connection via a cable or DSL modem with an Ethernet interface (RJ-45). Rear Panel All physical connections (network and power) are made via the rear panel of your Safe@Office appliance.
PAGE 62
Getting to Know Your Safe@Office 1000NW ADSL Appliance Table 12: Safe@Office 1000NW ADSL Appliance Rear Panel Elements Label Description LAN 1-4 Local Area Network switch: Four Ethernet ports (RJ-45) used for connecting computers or other network devices DMZ/ A dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) WAN2 computer or network. Alternatively, can serve as a secondary WAN port or as a VLAN trunk.
PAGE 63
Getting to Know Your Safe@Office 1000NW ADSL Appliance Label Description firmware to the version that shipped with the Safe@Office appliance. This results in the loss of all security services and passwords and reverting to the factory default firmware. You will have to re-configure your Safe@Office appliance. Do not reset the unit without consulting your system administrator. PWR A power jack used for supplying power to the unit. Connect the supplied power adapter to this jack.
PAGE 64
Getting to Know Your Safe@Office 1000NW ADSL Appliance Front Panel The Safe@Office 1000NW ADSL appliance includes several status LEDs that enable you to monitor the appliance’s operation. Figure 10: Safe@Office 1000NW ADSL Appliance Front Panel For an explanation of the Safe@Office 1000NW ADSL appliance’s status LEDs, see the table below.
PAGE 65
Getting to Know Your Safe@Office 1000NW ADSL Appliance GbE Status (LAN 1-4 / DMZ/WAN2) DSL 1000Mbps Off, LINK/ACT Off No Link 1000Mbps Off, 10 Mbps link established for the corresponding LINK/ACT On (Green) port 1000Mbps On (Orange), 100 Mbps link established for the corresponding LINK/ACT On port 1000Mbps On (Green), 1000 Mbps link established for the LINK/ACT On corresponding port 1000Mbps Off, 10 Mbps link established for the corresponding LINK/ACT Flashing (Green) port 1000Mbps On (
PAGE 66
Getting to Know Your Safe@Office 1000NW ADSL Appliance VPN RS232/Serial USB WLAN Off No VPN tunnel established On (Green) VPN idle / No activity Flashing (Green) VPN activity Off No data terminal connected On (Green) Data terminal ready Flashing (Green) Serial activity Off No USB device connected On (Green) USB device connected Flashing (Green) Activity on the USB device Off WLAN not enabled/connected On (Green) EXC 50 WLAN connected in idle / No activity Flashing (Green) WLAN
PAGE 67
Getting to Know Your Safe@Office 500 Appliance Getting to Know Your Safe@Office 500 Appliance Package Contents The Safe@Office 500 package includes the following: • Safe@Office 500 Internet Security Appliance • Power adapter • CAT5 Straight-through Ethernet cable • Getting Started Guide • Documentation CDROM • RS232 serial adaptor (RJ45 to DB9); model SBX-166LHGE-5 only Network Requirements • 10BaseT or 100BaseT Network Interface Card installed on each computer • CAT 5 STP (Category 5 Shiel
PAGE 68
Getting to Know Your Safe@Office 500 Appliance Figure 12: Safe@Office 500 SBX-166LHGE-6 Appliance Rear Panel The following table lists the Safe@Office 500 appliance's rear panel elements. Table 14: Safe@Office 500 Appliance Rear Panel Elements Label Description PWR A power jack used for supplying power to the unit. Connect the supplied power adapter to this jack. RESET A button used for rebooting the Safe@Office appliance or resetting the Safe@Office appliance to its factory defaults.
PAGE 69
Getting to Know Your Safe@Office 500 Appliance Label Description WAN Wide Area Network: An Ethernet port (RJ-45) used for connecting your broadband modem, a wide area network router, or a network leading to the Internet. DMZ/ A dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) WAN2 computer or network. Alternatively, can serve as a secondary WAN port or as a VLAN trunk.
PAGE 70
Getting to Know Your Safe@Office 500 ADSL Appliance LED State Explanation Flashing (Red) Hacker attack blocked, or error occurred during rapid deployment process LAN 1-4/ On (Green) Normal operation On (Red) Error LINK/ACT Off, 100 Off Link is down LINK/ACT On, 100 Off 10 Mbps link established for the WAN/ DMZ/WAN2 corresponding port LINK/ACT On, 100 On 100 Mbps link established for the corresponding port VPN Serial 54 LNK/ACT Flashing Data is being transmitted/received Off No VPN ac
PAGE 71
Getting to Know Your Safe@Office 500 ADSL Appliance Getting to Know Your Safe@Office 500 ADSL Appliance Package Contents The Safe@Office 500 ADSL package includes the following: • Safe@Office 500 ADSL Internet Security Appliance • Power adapter • CAT5 Straight-through Ethernet cable • Getting Started Guide • Documentation CDROM • Wall mounting kit • RS232 serial adaptor (RJ45 to DB9) • USB extension cable • RJ11 telephone cable Network Requirements • 10BaseT or 100BaseT Network Interfac
PAGE 72
Getting to Know Your Safe@Office 500 ADSL Appliance • If desired, you can connect your appliance to an external broadband Internet connection via a cable or DSL modem with an Ethernet interface (RJ-45). Rear Panel All physical connections (network and power) are made via the rear panel of your Safe@Office appliance. Figure 14: Safe@Office 500 ADSL Appliance Rear Panel The following table lists the Safe@Office 500 ADSL appliance's rear panel elements.
PAGE 73
Getting to Know Your Safe@Office 500 ADSL Appliance Label Description Serial An RJ-45 serial (RS-232) port used for connecting computers in order to access the Safe@Office CLI (Command Line Interface), or for connecting an external dialup modem. An RJ-45 to DB9 converter is supplied for your convenience. Warning: Do not connect an Ethernet cable to the RJ-45 serial port. DSL An RJ-11 ADSL port used for connecting the integrated ADSL modem to an ADSL line.
PAGE 74
Getting to Know Your Safe@Office 500 ADSL Appliance Front Panel The Safe@Office 500 ADSL appliance includes several status LEDs that enable you to monitor the appliance’s operation. Figure 15: Safe@Office 500 ADSL Appliance Front Panel For an explanation of the Safe@Office 500 ADSL appliance’s status LEDs, see the following table.
PAGE 75
Getting to Know Your Safe@Office 500 ADSL Appliance LED State Explanation LINK/ACT On, 100 On 100 Mbps link established for the corresponding port DSL VPN Serial USB LNK/ACT Flashing Data is being transmitted/received Link Off Link is down Link Flashing Establishing ADSL connection Link On ADSL connection established DAT Off ADSL line is idle DAT Flashing Data is being transmitted/received Off No VPN activity Flashing (Green) VPN activity On (Green) VPN tunnels established, no act
PAGE 76
Getting to Know Your Safe@Office 500W Appliance Getting to Know Your Safe@Office 500W Appliance Package Contents The Safe@Office 500W package includes the following: • Safe@Office 500W Internet Security Appliance • Power adapter • CAT5 Straight-through Ethernet cable • Getting Started Guide • Documentation CDROM • Wall mounting kit • RS232 serial adaptor (RJ45 to DB9); model SBXW-166LHGE-5 only • Two antennas • USB extension cable 60 Check Point Safe@Office User Guide
PAGE 77
Getting to Know Your Safe@Office 500W Appliance Network Requirements • 10BaseT or 100BaseT Network Interface Card installed on each computer • CAT 5 STP (Category 5 Shielded Twisted Pair) Straight Through Ethernet cable for each attached device • An 802.11b, 802.11g or 802.
PAGE 78
Getting to Know Your Safe@Office 500W Appliance Table 18: Safe@Office 500W Appliance Rear Panel Elements Label Description PWR A power jack used for supplying power to the unit. Connect the supplied power adapter to this jack. RESET A button used for rebooting the Safe@Office appliance or resetting the Safe@Office appliance to its factory defaults. You need to use a pointed object to press this button. • Short press. Reboots the Safe@Office appliance • Long press (7 seconds).
PAGE 79
Getting to Know Your Safe@Office 500W Appliance Label Description LAN 1-4 Local Area Network switch: Four Ethernet ports (RJ-45) used for connecting computers or other network devices. ANT 1/ Antenna connectors, used to connect the supplied wireless antennas . ANT 2 Front Panel The Safe@Office 500W appliance includes several status LEDs that enable you to monitor the appliance’s operation.
PAGE 80
Getting to Know Your Safe@Office 500W Appliance LED LAN 1-4/ State Explanation On (Red) Error Flashing (Orange) Software update in progress LINK/ACT Off, 100 Off Link is down LINK/ACT On, 100 Off 10 Mbps link established for the corresponding WAN/ DMZ/WAN2 port LINK/ACT On, 100 On 100 Mbps link established for the corresponding port VPN Serial USB WLAN 64 LNK/ACT Flashing Data is being transmitted/received Off No VPN activity Flashing (Green) VPN activity On (Green) VPN tunnels e
PAGE 81
Getting to Know Your Safe@Office 500W ADSL Appliance Getting to Know Your Safe@Office 500W ADSL Appliance Package Contents The Safe@Office 500W ADSL package includes the following: • Safe@Office 500W ADSL Internet Security Appliance • Power adapter • CAT5 Straight-through Ethernet cable • Getting Started Guide • Documentation CDROM • Wall mounting kit • RS232 serial adaptor (RJ45 to DB9) • Two antennas • USB extension cable • RJ11 telephone cable Network Requirements • 10BaseT or 100B
PAGE 82
Getting to Know Your Safe@Office 500W ADSL Appliance • If desired, you can connect your appliance to an external broadband Internet connection via a cable or DSL modem with an Ethernet interface (RJ-45). • An 802.11b, 802.11g or 802.11 Super G wireless card installed on each wireless station Rear Panel All physical connections (network and power) are made via the rear panel of your Safe@Office appliance.
PAGE 83
Getting to Know Your Safe@Office 500W ADSL Appliance Label Description Serial An RJ-45 serial (RS-232) port used for connecting computers in order to access the Safe@Office CLI (Command Line Interface), or for connecting an external dialup modem. An RJ-45 to DB9 converter is supplied for your convenience. Warning: Do not connect an Ethernet cable to the RJ-45 serial port. DSL An RJ-11 ADSL port used for connecting the integrated ADSL modem to an ADSL line.
PAGE 84
Getting to Know Your Safe@Office 500W ADSL Appliance Front Panel The Safe@Office 500W ADSL appliance includes several status LEDs that enable you to monitor the appliance’s operation. Figure 20: Safe@Office 500W ADSL Appliance Front Panel For an explanation of the Safe@Office 500W ADSL appliance’s status LEDs, see the following table.
PAGE 85
Getting to Know Your Safe@Office 500W ADSL Appliance LED State Explanation LINK/ACT On, 100 On 100 Mbps link established for the corresponding port DSL VPN Serial USB WLAN LNK/ACT Flashing Data is being transmitted/received Link Off Link is down Link Flashing Establishing ADSL connection Link On ADSL connection established DAT Off ADSL line is idle DAT Flashing Data is being transmitted/received Off No VPN activity Flashing (Green) VPN activity On (Green) VPN tunnels established,
PAGE 86
Contacting Technical Support Contacting Technical Support In case of a problem with your Safe@Office appliance, see http://www.sofaware.com/support. You can also download the latest version of this guide from the site.
PAGE 87
Introduction to Information Security Chapter 2 Safe@Office Security This chapter explains the basic security concepts on which Safe@Office security is based. This chapter includes the following topics: Introduction to Information Security ..........................................................71 The Safe@Office Firewall ..........................................................................
PAGE 88
Introduction to Information Security • Commercial companies store information about their revenues, business and marketing plans, current and future product lines, information about competitors, and so on. Just as the type of information may differ from organization to organization, the form in which it is stored may vary.
PAGE 89
Introduction to Information Security Information Security Challenges The challenges of information security can be divided into the following areas: • Confidentiality and Privacy - Ensuring that only the intended recipients can read certain information • Authentication - Ensuring that information is actually sent by the stated sender • Integrity - Ensuring that the original information was not altered and that no one tampered with it • Availability - Ensuring that important information can be access
PAGE 90
Introduction to Information Security In order for a security policy be effective, it must be accompanied by the following measures: • Awareness - A security policy must be accompanied by steps taken to increase the employees' awareness of security issues. If employees are unaware of a security policy rule and the reason for it, they are likely to break it. • Enforcement - To enforce a security policy, an organization can take various measures, both human and electronic.
PAGE 91
Introduction to Information Security • Applications are hosted on a main computer rather than on personal workstations. This helps organizations share application resources. For example, in service departments, the customer database is located on a main computer, while all customer relations transactions are managed by software clients running on the agents' computers.
PAGE 92
The Safe@Office Firewall • Large businesses have the funds and expertise to constantly enhance their security and are therefore a difficult target for hackers. This makes small businesses a far more attractive target for network attacks. • The state's awareness of privacy and data protection is enforced through legislation. For example, the Health Insurance Portability and Accountability Act (HIPAA) that was enacted by the U.S.
PAGE 93
The Safe@Office Firewall Security Requirements In order to make control decisions for new communication attempts, it is not sufficient for the firewall to examine packets in isolation. Depending upon the communication attempt, both the communication state (derived from past communications) and the application state (derived from other applications) may be critical in the control decision.
PAGE 94
The Safe@Office Firewall Packet filters have the following advantages and disadvantages: Table 22: Packet Filter Advantages and Disadvantages Advantages Disadvantages Application independence Low security High performance No screening above the network layer Scalability Application-Layer Gateways Application-layer gateways improve security by examining all application layers, bringing context information into the decision-making process.
PAGE 95
The Safe@Office Firewall Check Point Stateful Inspection Technology Invented by Check Point, Stateful Inspection is the industry standard for network security solutions. A powerful inspection module examines every packet, ensuring that packets do not enter a network unless they comply with the network's security policy. Stateful Inspection technology implements all necessary firewall capabilities between the data and network layers.
PAGE 96
The Safe@Office Firewall The Safe@Office firewall examines IP addresses, port numbers, and any other information required. It understands the internal structures of the IP protocol family and applications, and is able to extract data from a packet's application content and store it, to provide context in cases where the application does not provide it.
PAGE 97
The Safe@Office Firewall Step 3 Channel Type Data Description Source TCP Source Destination Port Client initiates data FTP connection to client TCP Destination Port D > 1023 FTP server P P FTP client D server on port P 4 Data Server FTP acknowledges data server connection The following diagram demonstrates the establishment of a Passive FTP connection through a firewall protecting the FTP server.
PAGE 98
The Safe@Office Firewall FTP client-server communication. The following table examines how different firewall technologies handle this challenge: Table 25: Firewall Technologies and Passive FTP Connections Firewall Technology Action Packet Filter Packet filters can handle outbound FTP connections in either of the following ways: • By leaving the entire upper range of ports (greater than 1023) open.
PAGE 99
The Safe@Office Firewall Firewall Technology Action Stateful Inspection Firewall A Stateful Inspection firewall examines the FTP application-layer data in an FTP session. When the client initiates a command session, the firewall extracts the port number from the request. The firewall then records both the client and server's IP addresses and port numbers in an FTP-data pending request list.
PAGE 100
PAGE 101
Before You Install the Safe@Office Appliance Chapter 3 Installing and Setting Up Safe@Office This chapter describes how to properly set up and install your Safe@Office appliance in your networking environment. This chapter includes the following topics: Before You Install the Safe@Office Appliance .........................................85 Appliance Installation .................................................................................99 Wall Mounting the Safe@Office Appliance.....................
PAGE 102
Before You Install the Safe@Office Appliance Windows Vista Checking the TCP/IP Installation 1. Click Start > Control Panel. The Control Panel window appears. 2. 86 Under Network and Internet, click View network status and tasks.
PAGE 103
Before You Install the Safe@Office Appliance The Network Sharing Center screen appears. 3. In the Tasks pane, click Manage network connections.
PAGE 104
Before You Install the Safe@Office Appliance The Network Connections screen appears. 4. Double-click the Local Area Connection icon. The Local Area Connection Status window opens. 5. 88 Click Properties.
PAGE 105
Before You Install the Safe@Office Appliance The Local Area Connection Properties window opens. 6. Check if Internet Protocol Version 4 (TCP/IPv4) appears in the list box and if it is properly configured with the Ethernet card installed on your computer. TCP/IP Settings 1. In the Local Area Connection Properties window, double-click the Internet Protocol Version 4 (TCP/IPv4) component, or select it and click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties window appears. 2.
PAGE 106
Before You Install the Safe@Office Appliance Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically. If for some reason you need to assign a static IP address, select Specify an IP address, type in an IP address in the range of 192.168.10.129-254, enter 255.255.255.0 in the Subnet Mask field, and click OK to save the new settings. (Note that 192.168.
PAGE 107
Before You Install the Safe@Office Appliance The Network and Dial-up Connections window appears. 3. Right-click the opens. icon and select Properties from the pop-up menu that The Local Area Connection Properties window appears.
PAGE 108
Before You Install the Safe@Office Appliance 4. 92 In the above window, check if TCP/IP appears in the components list and if it is properly configured with the Ethernet card installed on your computer. If TCP/IP does not appear in the Components list, you must install it as described in the next section.
PAGE 109
Before You Install the Safe@Office Appliance Installing TCP/IP Protocol 1. In the Local Area Connection Properties window click Install. The Select Network Component Type window appears. 2. Select Protocol and click Add. The Select Network Protocol window appears. 3. Choose Internet Protocol (TCP/IP) and click OK. TCP/IP protocol is installed on your computer.
PAGE 110
Before You Install the Safe@Office Appliance TCP/IP Settings 1. In the Local Area Connection Properties window, double-click the Internet Protocol (TCP/IP) component, or select it and click Properties. The Internet Protocol (TCP/IP) Properties window opens. 2. Click the Obtain an IP address automatically radio button. Note: Normally, it is not recommended to assign a static IP address to your PC but rather to obtain an IP address automatically.
PAGE 111
Before You Install the Safe@Office Appliance Mac OS Use the following procedure for setting up the TCP/IP Protocol. 1. Choose Apple Menus -> Control Panels -> TCP/IP. The TCP/IP window appears. 2. Click the Connect via drop-down list, and select Ethernet. 3. Click the Configure drop-down list, and select Using DHCP Server. 4. Close the window and save the setup.
PAGE 112
Before You Install the Safe@Office Appliance Mac OS-X Use the following procedure for setting up the TCP/IP Protocol. 1. Choose Apple -> System Preferences. The System Preferences window appears. 2. 96 Click Network.
PAGE 113
Before You Install the Safe@Office Appliance The Network window appears. 3. Click Configure.
PAGE 114
Appliance Installation TCP/IP configuration fields appear. 4. Click the Configure IPv4 drop-down list, and select Using DHCP. 5. Click Apply Now.
PAGE 115
Appliance Installation Appliance Installation Installing Non-ADSL Models To install the Safe@Office appliance 1. Verify that you have the correct cable type. For information, see Network Requirements on page 61. 2. Connect the LAN cable: Connect one end of the Ethernet cable to one of the appliance's LAN ports. b. Connect the other end to PCs, hubs, or other network devices. Connect the WAN cable: a. 3. 4. Connect one end of an Ethernet cable to the appliance's Ethernet WAN port. a.
PAGE 116
Appliance Installation Figure 22: Typical Connection Diagram Installing ADSL Models To install the Safe@Office appliance 1. Verify that you have the correct cable type. For information, see Network Requirements on page 61. 2. Connect the LAN cable: Connect one end of the Ethernet cable to one of the appliance's LAN ports. b. Connect the other end to PCs, hubs, or other network devices. Connect the ADSL cable: a. 3. a. b. 100 Connect one end of the telephone cable to the appliance's DSL port.
PAGE 117
Appliance Installation 4. To use the appliance with a non-ADSL connection, or with an existing ADSL modem, connect an Ethernet cable: 5. Connect one end of the Ethernet cable to the appliance's DMZ/WAN2 port. Connect the other end of the cable to an external cable modem, DSL modem, or office network. Connect the power adapter to the appliance's power socket, labeled PWR. 6. Plug the power adapter into the wall electrical outlet. a. b.
PAGE 118
Appliance Installation Cascading Your Appliance The Safe@Office appliance protects all computers and network devices that are connected to its LAN and DMZ ports. If desired, you can increase the appliance's port capacity by cascading hubs or switches. To cascade the Safe@Office appliance to a hub or switch 1. Connect a standard Ethernet cable to one of the appliance's LAN ports or to its DMZ/WAN2 Ethernet port.
PAGE 119
Wall Mounting the Safe@Office Appliance Connecting the Appliance to Network Printers In models with a print server, you can connect network printers. To connect network printers 1. Connect one end of a USB cable to one of the appliance's USB ports. If needed, you can use the provided USB extension cord. 2. Connect the other end to a printer or a USB 2.0 hub. Warning: Verify that the USB devices' power requirement does not exceed the appliance's USB power adapter capabilities.
PAGE 120
Wall Mounting the Safe@Office Appliance 3. Mark two drill holes on the wall, in accordance with the following sketch: 4. Drill two 3.5 mm diameter holes, approximately 25 mm deep. 5. Insert two plastic conical anchors into the holes. Note: The conical anchors you received with your Safe@Office appliance are suitable for concrete walls. If you want to mount the appliance on a plaster wall, you must use anchors that are suitable for plaster walls. 6.
PAGE 121
Securing the Safe@Office Appliance against Theft Your Safe@Office appliance is wall mounted. You can now connect it to your computer. Securing the Safe@Office Appliance against Theft The Safe@Office appliance features a security slot to the rear of the right panel, which enables you to secure your appliance against theft, using an anti-theft security device. Note: Anti-theft security devices are available at most computer hardware stores.
PAGE 122
Securing the Safe@Office Appliance against Theft While these parts may differ between devices, all looped security cables include a bolt with knobs, as shown in the diagram below: Figure 25: Looped Security Cable Bolt The bolt has two states, Open and Closed, and is used to connect the looped security cable to the appliance's security slot. To install an anti-theft device on the Safe@Office appliance 1.
PAGE 123
Setting Up the Safe@Office Appliance 5. Thread the anti-theft device's pin through the bolt’s holes, and insert the pin into the main body of the anti-theft device, as described in the documentation that came with your device. Setting Up the Safe@Office Appliance After you have installed the Safe@Office appliance, you must set it up using the steps shown below. When setting up your Safe@Office appliance for the first time after installation, these steps follow each other automatically.
PAGE 124
Setting Up the Safe@Office Appliance Logging in to the Safe@Office Portal and setting up your password Initial Login to the Safe@Office Portal on page 111 Configuring an Internet connection Using the Internet Wizard on page 126 Setting the time on your Safe@Office appliance Setting the Time on the Appliance on page 735 Setting up a wireless network (wireless appliances only) Configuring a Wireless Network on page 305 Installing the Product Key Upgrading Your Software Product on page 722 Setting up sub
PAGE 125
Setting Up the Safe@Office Appliance You can access the Setup Wizard at any time after initial setup, using the procedure below. To access the Setup Wizard 1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. 2. Click Safe@Office Setup Wizard.
PAGE 126
Setting Up the Safe@Office Appliance The Safe@Office Setup Wizard opens with the Welcome page displayed.
PAGE 127
Initial Login to the Safe@Office Portal Chapter 4 Getting Started This chapter contains all the information you need in order to get started using your Safe@Office appliance. This chapter includes the following topics: Initial Login to the Safe@Office Portal....................................................111 Logging in to the Safe@Office Portal ......................................................114 Accessing the Safe@Office Portal Remotely Using HTTPS ...................
PAGE 128
Initial Login to the Safe@Office Portal The initial login page appears. 2. Type a password both in the Password and the Confirm password fields. Note: The password must be five to 25 characters (letters or numbers). Note: You can change your username and password at any time. For further information, see Changing Your Password on page 677. 3. 112 Click OK.
PAGE 129
Initial Login to the Safe@Office Portal The Safe@Office Setup Wizard opens, with the Welcome page displayed. 4. Configure your Internet connection using one of the following ways: • • Internet Wizard The Internet Wizard is the first part of the Setup Wizard, and it takes you through basic Internet connection setup, step by step. For information on using the Internet Wizard, see Using the Internet Wizard on page 126.
PAGE 130
Logging in to the Safe@Office Portal Logging in to the Safe@Office Portal Note: By default, HTTP and HTTPS access to the Safe@Office Portal is not allowed from the WLAN, unless you do one of the following: • Configure a specific firewall rule to allow access from the WLAN. See Using Rules on page 400. Or • Enable HTTPS access from the Internet. See Configuring HTTPS on page 728. To log in to the Safe@Office Portal 1. Do one of the following: • • 114 Browse to http://my.firewall.
PAGE 131
Logging in to the Safe@Office Portal The login page appears. 2. Type your username and password. 3. Click OK.
PAGE 132
Accessing the Safe@Office Portal Remotely Using HTTPS The Welcome page appears. Accessing the Safe@Office Portal Remotely Using HTTPS You can access the Safe@Office Portal remotely (from the Internet) through HTTPS. HTTPS is a protocol for accessing a secure Web server. It is used to transfer confidential user information. If desired, you can also use HTTPS to access the Safe@Office Portal from your internal network.
PAGE 133
Accessing the Safe@Office Portal Remotely Using HTTPS Note: In order to access the Safe@Office Portal remotely using HTTPS, you must first do both of the following: • Configure your password, using HTTP. See Initial Login to the Safe@Office Portal on page 111. • Configure HTTPS Remote Access. See Configuring HTTPS on page 728. Note: Your browser must support 128-bit cipher strength. To check your browser's cipher strength, open Internet Explorer and click Help > About Internet Explorer.
PAGE 134
Using the Safe@Office Portal g. h. Click OK. The Security Alert dialog box reappears. Click Yes. The Safe@Office Portal appears. Using the Safe@Office Portal The Safe@Office Portal is a Web-based management interface, which enables you to manage and configure the Safe@Office appliance operation and options. The Safe@Office Portal consists of three major elements.
PAGE 135
Using the Safe@Office Portal Figure 26: Safe@Office Portal Chapter 4: Getting Started 119
PAGE 136
Using the Safe@Office Portal Main Menu The main menu includes the following submenus. Table 27: Main Menu Submenus This submenu… Does this… Welcome Displays general welcome information. Reports Provides reporting capabilities in terms of appliance status, traffic monitoring, active computers, established connections, and more. Logs Provides a general event log displaying appliance events, and a security event log displaying firewall events.
PAGE 137
Using the Safe@Office Portal This submenu… Does this… Logout Allows you to log out of the Safe@Office Portal. Main Frame The main frame displays the relevant data and controls pertaining to the menu and tab you select. These elements sometimes differ depending on what model you are using. The differences are described throughout this guide. Status Bar The status bar is located at the bottom of each page. It displays the fields below, as well as the date and time.
PAGE 138
Using the Safe@Office Portal This field… Displays this… page 125. Service Center Displays your subscription services status. Your Service Center may offer various subscription services. These include the firewall service and optional services such as Web Filtering and Email Antivirus. Your subscription services status may be one of the following: 122 • Not Subscribed. You are not subscribed to security services. • Connection Failed. The Safe@Office appliance failed to connect to the Service Center.
PAGE 139
Logging Out Logging Out Logging out terminates your administration session. Any subsequent attempt to connect to the Safe@Office Portal will require re-entering of the administration password. To log out of the Safe@Office Portal • Click Logout in the main menu. The Login page appears.
PAGE 140
PAGE 141
Overview Chapter 5 Configuring the Internet Connection This chapter describes how to configure and work with a Safe@Office Internet connection. This chapter includes the following topics: Overview ..................................................................................................125 Using the Internet Wizard.........................................................................126 Using Internet Setup .................................................................................
PAGE 142
Using the Internet Wizard You can configure your Internet connection using any of the following setup tools: • Setup Wizard. Guides you through the Safe@Office appliance setup step by step. The first part of the Setup Wizard is the Internet Wizard. For further information on the Setup Wizard, see Setting Up the Safe@Office Appliance on page 107. • Internet Wizard. Guides you through the Internet connection configuration process step by step.
PAGE 143
Using the Internet Wizard Configuring an Ethernet-Based Connection on NonADSL Models To configure an Ethernet-Based connection 1. Click Network in the main menu, and click the Internet tab. The Internet page appears. 2. Click Internet Wizard. The Internet Wizard opens with the Welcome page displayed. 3. Click Next.
PAGE 144
Using the Internet Wizard The Internet Connection Method dialog box appears. 4. Select the Internet connection method you want to use for connecting to the Internet. If you are uncertain regarding which connection method to use, contact your ISP. Note: If you selected PPTP or PPPoE, do not use your dial-up software to connect to the Internet. 5. Click Next. If you chose PPPoE, continue at Using a PPPoE Connection on page 129. If you chose PPTP, continue at Using a PPTP Connection on page 131.
PAGE 145
Using the Internet Wizard Using a PPPoE Connection If you selected the PPPoE (PPP over Ethernet) connection method, the PPP Configuration dialog box appears. 1. Complete the fields using the information in the following table. 2. Click Next. The Confirmation screen appears.
PAGE 146
Using the Internet Wizard 3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears. 4. Click Finish. Table 29: PPPoE Connection Fields In this field… Do this… Username Type your user name. Password Type your password. Confirm password Type your password again. Service Type your service name. This field can be left blank.
PAGE 147
Using the Internet Wizard Using a PPTP Connection If you selected the PPTP connection method, the PPP Configuration dialog box appears. 1. Complete the fields using the information in the following table. 2. Click Next. The Confirmation screen appears. 3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears. 4. Click Finish.
PAGE 148
Using the Internet Wizard Table 30: PPTP Connection Fields In this field… Do this… Username Type your user name. Password Type your password. Confirm password Type your password again. Service Type your service name. Server IP Type the IP address of the PPTP modem. Internal IP Type the local IP address required for accessing the PPTP modem. Subnet Mask Select the subnet mask of the PPTP modem. Using a Cable Modem Connection No further settings are required for a cable modem connection.
PAGE 149
Using the Internet Wizard Using a Static IP Connection If you selected the Static IP connection method, the Static IP Configuration dialog box appears. 1. Complete the fields using the information in the following table. 2. Click Next. The Confirmation screen appears. 3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears. 4. Click Finish.
PAGE 150
Using the Internet Wizard Table 31: PPPoE Connection Fields In this field… Do this… IP Address Type the static IP address of your Safe@Office appliance. Subnet Mask Select the subnet mask that applies to the static IP address of your Safe@Office appliance. Default Gateway Type the IP address of your ISP’s default gateway. Primary DNS Server Type the IP address of your ISP's primary DNS server. Secondary DNS Server Type the IP address of your ISP's secondary DNS server. This field is optional.
PAGE 151
Using the Internet Wizard Configuring an Ethernet-Based Connection on ADSL Models Note: In ADSL models, an Ethernet-based connection is made on the DMZ/WAN2 port. To configure an Ethernet-based connection 1. Click Network in the main menu, and click the Internet tab. The Internet page appears. 2. Click Internet Wizard. The Internet Wizard opens with the Welcome page displayed. 3. Click Next. The Internet Connection Port dialog box appears. 4.
PAGE 152
Using the Internet Wizard The Internet Connection Method dialog box appears. 6. Select the Internet connection method you want to use for connecting to the Internet. 7. Click Next. If you chose PPPoE, continue at Using a PPPoE Connection on page 129. If you chose PPTP, continue at Using a PPTP Connection on page 131. If you chose Cable Modem, continue at Using a Cable Modem Connection on page 132. If you chose Static IP, continue at Using a Static IP Connection on page 133.
PAGE 153
Using the Internet Wizard Configuring a Direct ADSL Connection To configure a direct ADSL connection 1. Click Network in the main menu, and click the Internet tab. The Internet page appears. 2. Click Internet Wizard. The Internet Wizard opens with the Welcome page displayed. 3. Click Next. The Internet Connection Port dialog box appears. 4. Click Use the ADSL port. The ADSL Connection Settings dialog box appears. 5.
PAGE 154
Using the Internet Wizard The ADSL Configuration Assistant opens. 6. 2) In the Country drop-down list, select your country. 3) In the ISP / Telco drop-down list, select your ISP or telephone company. The ADSL Configuration Assistant closes, and the fields are filled in with the correct values for your ISP. • To manually fill in the supported ADSL settings for your ISP, complete the fields using the information in the following table. Click Next. The Internet Connection Method dialog box appears. 7.
PAGE 155
Using the Internet Wizard If you chose PPPoE or PPPoA, continue at Using a PPPoE or PPPoA Connection on page 140. If you chose Static IP, continue at Using a Static IP Connection on page 133. If you chose DHCP, continue at Using a DHCP Connection on page 134. Table 32: ADSL Connection Fields In this field… Do this… DSL Standard Select the standard to support for the DSL line, as specified by your ISP. This can be one of the following: VPI Number • ADSL2 • ADSL2+ • Multimode • T.1413 • G.
PAGE 156
Using the Internet Wizard Using a PPPoE or PPPoA Connection If you selected the PPPoE (PPP over Ethernet) or PPPoA (PPP over ATM) connection method, the PPP Configuration dialog box appears. 1. Complete the fields using the information in the following table. 2. Click Next. The Confirmation screen appears. 3. Click Next. The system attempts to connect to the Internet via the specified connection. The Connecting… screen appears. At the end of the connection process the Connected screen appears. 4.
PAGE 157
Using Internet Setup Table 33: PPPoE Connection Fields In this field… Do this… Username Type your user name. Password Type your password. Confirm password Type your password again. Using Internet Setup Internet Setup allows you to manually configure your Internet connection. For information on configuring bridged Internet connections, see Adding Internet Connections to Bridges on page 274. To configure the Internet connection using Internet Setup 1.
PAGE 158
Using Internet Setup The Internet page appears. 2. 142 Next to the desired Internet connection, click Edit.
PAGE 159
Using Internet Setup The Internet Setup page appears. 3. Do one of the following: • • • • To configure an ADSL connection using the internal ADSL modem, continue at Configuring a Direct ADSL Connection on page 144. This option is available in ADSL models only. To configure an Ethernet-based connection, continue at Configuring an Ethernet-Based Connection on page 153. To configure a Dialup connection, continue at Configuring a Dialup Connection on page 166.
PAGE 160
Using Internet Setup Configuring a Direct ADSL Connection 1. In the Port drop-down list, select ADSL. 2. Do one of the following: • To automatically fill in the supported ADSL settings for your ISP, do the following: 1) Click Search by country and ISP. The ADSL Configuration Assistant opens. 2) In the Country drop-down list, select your country. 3) In the ISP / Telco drop-down list, select your ISP or telephone company. The ADSL Configuration Assistant closes.
PAGE 161
Using Internet Setup Using a PPPoA (PPP over ATM) Connection 1. Complete the fields using the relevant information in Internet Setup Fields on page 168.
PAGE 162
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds.
PAGE 163
Using Internet Setup Once the connection is made, the Status Bar displays the Internet status “Connected”. Using an EoA (Ethernet over ATM) Connection 1. Complete the fields using the relevant information in Internet Setup Fields on page 168.
PAGE 164
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
PAGE 165
Using Internet Setup Using a PPPoE (PPP over Ethernet) Connection 1. Complete the fields using the relevant information in Internet Setup Fields on page 168.
PAGE 166
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds.
PAGE 167
Using Internet Setup Once the connection is made, the Status Bar displays the Internet status “Connected”. Using an IPoA (IP over ATM) Connection 1. Complete the fields using the relevant information in Internet Setup Fields on page 168.
PAGE 168
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
PAGE 169
Using Internet Setup Configuring an Ethernet-Based Connection 1. In the Port drop-down list, do one of the following: • To configure an Ethernet-based connection through the WAN port, select WAN. • To configure an Ethernet-based connection through the DMZ/WAN2 port, select WAN2. This option is available in non-ADSL models only. • To configure an Ethernet-based connection through a LAN port, select the desired LAN port. This option is available with the Power Pack license only.
PAGE 170
Using Internet Setup Using a LAN Connection 1. 154 Complete the fields using the relevant information in Internet Setup Fields on page 168.
PAGE 171
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
PAGE 172
Using Internet Setup Using a Cable Modem Connection 1. 156 Complete the fields using the relevant information in Internet Setup Fields on page 168.
PAGE 173
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
PAGE 174
Using Internet Setup Using a PPPoE Connection 1. 158 Complete the fields using the relevant information in Internet Setup Fields on page 168.
PAGE 175
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
PAGE 176
Using Internet Setup Using a PPTP Connection 1. 160 Complete the fields using the relevant information in Internet Setup Fields on page 168.
PAGE 177
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds.
PAGE 178
Using Internet Setup Once the connection is made, the Status Bar displays the Internet status “Connected”. Using an L2TP Connection 1. 162 Complete the fields using the relevant information in Internet Setup Fields on page 168.
PAGE 179
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds.
PAGE 180
Using Internet Setup Once the connection is made, the Status Bar displays the Internet status “Connected”. Using a Telstra (BPA) Connection Use this Internet connection type only if you are subscribed to Telstra® BigPond™ Internet. Telstra BigPond is a trademark of Telstra Corporation Limited. 1. 164 Complete the fields using the relevant information in Internet Setup Fields on page 168.
PAGE 181
Using Internet Setup New fields appear, depending on the check boxes you selected. 2. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
PAGE 182
Using Internet Setup Configuring a Dialup Connection Note: To use this connection type, you must first set up the dialup or cellular modem. For information, see Setting Up Modems on page 176. 1. In the Port drop-down list, do one of the following: • To configure a Dialup connection on the Serial port (using a connected RS232 modem), select Serial. • To configure a Dialup connection on a USB port (using a connected USB modem), select Cellular Modem. The Connection Type field displays Dialup. 2.
PAGE 183
Using Internet Setup New fields appear, depending on the check boxes you selected. 3. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Establishing Connection”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
PAGE 184
Using Internet Setup Configuring No Connection 1. In the Port drop-down list, select None. The fields disappear. 2. Click Apply. Table 34: Internet Setup Fields In this field… Do this… ADSL Link Settings DSL Standard Select the standard to support for the DSL line, as specified by your ISP. VPI Number Type the VPI number to use for the ATM virtual path, as specified by your ISP. VCI Number Type the VCI number to use for the ATM virtual circuit, as specified by your ISP.
PAGE 185
Using Internet Setup In this field… Do this… Service Type your service name. If your ISP has not provided you with a service name, leave this field empty. Authentication Specify the authentication method to use for PPP connections, by Method selecting one of the following: Server IP • Auto. If possible, use CHAP; otherwise, use PAP. This is the default. • PAP • CHAP If you selected PPTP, type the IP address of the PPTP server as given by your ISP.
PAGE 186
Using Internet Setup In this field… Do this… When no higher Select this option to specify that the appliance should only establish a priority connection connection in the following cases: is available • When no other connection exists, and the Safe@Office appliance is not acting as a Backup appliance. If another connection opens, the appliance will disconnect. For information on configuring the appliance as a Backup or Master, see Configuring High Availability on page 281.
PAGE 187
Using Internet Setup In this field… Do this… IP Address Type the static IP address of your Safe@Office appliance. Subnet Mask Select the subnet mask that applies to the static IP address of your Safe@Office appliance. Default Gateway Type the IP address of your ISP’s default gateway. Name Servers Obtain Domain Clear this option if you want the Safe@Office appliance to obtain an IP Name Servers address automatically using DHCP, but not to automatically configure automatically DNS servers.
PAGE 188
Using Internet Setup In this field… Do this… page 293. Shape Select this option to enable Traffic Shaper for incoming traffic. Then type a Downstream: Link rate (in kilobits/second) slightly lower than your Internet connection's Rate maximum measured downstream speed in the field provided. It is recommended to try different rates in order to determine which one provides the best results.
PAGE 189
Using Internet Setup In this field… Do this… Note: When configuring MAC cloning for the secondary Internet connection, the DMZ/WAN2 port must be configured as WAN2; otherwise this field is disabled. For information on configuring ports, see Managing Ports on page 246. Hardware MAC Address This field displays the Safe@Office appliance's MAC address. This field is read-only.
PAGE 190
Using Internet Setup In this field… Do this… Balancing on page 192. High Availability The High Availability area only appears in Safe@Office <500PP>. Do not connect if If you are using High Availability (HA), select this option to specify that the this gateway is in gateway should connect to the Internet only if it is the Active Gateway in passive state the HA cluster. This is called WAN HA. This field is only enabled if HA is configured.
PAGE 191
Using Internet Setup In this field… Do this… Connection Probing While the Probe Next Hop option checks the availability of the next hop Method router, which is usually at your ISP, connectivity to the next hop router does not always indicate that the Internet is accessible. For example, if there is a problem with a different router at the ISP, the next hop will be reachable, but the Internet might be inaccessible. Connection probing is a way to detect Internet failures that are more than one hop away.
PAGE 192
Setting Up Modems In this field… Do this… 1, 2, 3 If you chose the Ping Addresses connection probing method, type the IP addresses or DNS names of the desired servers. If you chose the Probe VPN Gateway (RDP) connection probing method, type the IP addresses or DNS names of the desired VPN gateways. You can clear a field by clicking Clear. Setting Up Modems You can use a connected modem as a primary or secondary Internet connection method.
PAGE 193
Setting Up Modems See Setting Up an ExpressCard Cellular Modem on page 185. Setting Up an RS232 Modem Note: Your RS232 dialup modem and your Safe@Office appliance's Serial port must be configured for the same speed. By default, the appliance's Serial port's speed is 57600 bps. For information on changing the Serial port's speed, refer to the Embedded NGX CLI Reference Guide. To set up an RS232 dialup modem 1. Connect an RS232 dialup modem to your Safe@Office appliance's serial port.
PAGE 194
Setting Up Modems 3. Next to Serial, click Edit. The Port Setup page appears. 4. 178 In the Assign to Network drop-down list, select Dialup.
PAGE 195
Setting Up Modems New fields appear. 5. Complete the fields using the information in Dialup Fields on page 180. 6. Click Apply. 7. To check that that the values you entered are correct, click Test. The page displays a message indicating whether the test succeeded. 8. Configure a Dialup Internet connection on the Serial port. See Using Internet Setup on page 141.
PAGE 196
Setting Up Modems Table 35: RS232 Dialup Fields In this field… Do this… Modem Type Select the modem type. You can select one of the predefined modem types or Custom. If you selected Custom, the Installation String field is enabled. Otherwise, it is filled in with the correct installation string for the modem type. Initialization String Type the installation string for the custom modem type. If you selected a standard modem type, this field is read-only. Dial Mode Select the dial mode the modem uses.
PAGE 197
Setting Up Modems Setting Up a USB Modem Warning: Before attaching a USB modem, ensure that the total power drawn by all connected USB devices does not exceed 2.5W per port (0.5A at 5V). If the total current consumed by a port exceeds 0.5A, a powered USB hub must be used, to avoid damage to the gateway. To set up a USB modem 1. Connect a USB-based modem to one of your Safe@Office appliance's USB ports. For information on locating the USB ports, see Introduction on page 1. 2.
PAGE 198
Setting Up Modems 3. Next to USB, click Edit. The USB Devices page appears. If the Safe@Office appliance detected the modem, the modem is listed on the page. If the modem is not listed, check that you connected the modem correctly, then click Refresh to refresh the page. 4. 182 Next to the modem, click Edit.
PAGE 199
Setting Up Modems The USB Modem Setup page appears. 5. Complete the fields using the information in USB Dialup Fields on page 184. 6. Click Apply. 7. To check that that the values you entered are correct, click Test. The page displays a message indicating whether the test succeeded. 8. Configure a Dialup Internet connection on the Cellular Modem port. See Using Internet Setup on page 141.
PAGE 200
Setting Up Modems Table 36: USB Dialup Fields In this field… Do this… Modem Type Select the modem type. You can select one of the predefined modem types or Custom. If you selected Custom, the Installation String field is enabled. Otherwise, it is filled in with the correct installation string for the modem type. Initialization String Type the installation string for the custom modem type. If you selected a standard modem type, this field is read-only. Dial Mode Select the dial mode the modem uses.
PAGE 201
Setting Up Modems In this field… Do this… PIN Type the Personal Identification Number (PIN) code that you received with your cellular SIM card, if required by your modem. The PIN code is usually 4 digits long. Warning: Entering an incorrect PIN code may cause your SIM card to be blocked. Setting Up an ExpressCard Cellular Modem To set up an ExpressCard cellular modem 1. Insert an ExpressCard into the ExpressCard slot on the side of the appliance.
PAGE 202
Setting Up Modems The Ports page appears. 3. Next to ExC, click Edit. The USB Devices page appears. If the Safe@Office appliance detected the modem, the modem is listed on the page. If the modem is not listed, check that you connected the modem correctly, then click Refresh to refresh the page. 4. 186 Next to the modem, click Edit.
PAGE 203
Setting Up Modems The Cellular Modem Setup page appears. 5. Complete the fields using the information in USB Dialup Fields on page 184. 6. Click Apply. 7. To check that that the values you entered are correct, click Test. The page displays a message indicating whether the test succeeded. 8. Configure a Dialup Internet connection on the Cellular Modem port. See Using Internet Setup on page 141.
PAGE 204
Viewing Internet Connection Information Viewing Internet Connection Information You can view information on your Internet connection(s) in terms of status, duration, and activity. To view Internet connection information 1. Click Network in the main menu, and click the Internet tab. The Internet page appears. For an explanation of the fields on this page, see the following table. 2. 188 To refresh the information on this page, click Refresh.
PAGE 205
Viewing Internet Connection Information Table 37: Internet Page Fields Field Description Status Indicates the connection’s status. Duration Indicates the connection duration, if active. The duration is given in the format hh:mm:ss, where: hh=hours mm=minutes ss=seconds IP Address Your IP address. Enabled Indicates whether or not the connection is enabled.
PAGE 206
Enabling/Disabling the Internet Connection Enabling/Disabling the Internet Connection You can temporarily disable an Internet connection. This is useful if, for example, you are going on vacation and do not want to leave your computer connected to the Internet. If you have two Internet connections, you can force the Safe@Office appliance to use a particular connection, by disabling the other connection. The Internet connection’s Enabled/Disabled status is persistent through Safe@Office appliance reboots.
PAGE 207
Configuring a Backup Internet Connection Configuring a Backup Internet Connection You can configure both a primary and a secondary Internet connection. The secondary connection acts as a backup, so that if the primary connection fails, the Safe@Office appliance remains connected to the Internet. You have full flexibility in deciding which port to use for each Internet connection.
PAGE 208
Configuring WAN Load Balancing Configuring WAN Load Balancing If your network is prone to congestion, for example in large offices which include multiple active clients and/or servers, you can increase the amount of available bandwidth by configuring WAN load balancing.
PAGE 209
Configuring WAN Load Balancing ensure full utilization of both Internet connections, the ratio between the connections' load balancing weights should reflect the ratio between the connections' bandwidths. Note: To ensure continuous Internet connectivity, if one of the Internet connections fails, all traffic will be routed to the other connection. To configure WAN load balancing 1. Configure the desired load balancing weight for both the primary and secondary Internet connections.
PAGE 210
PAGE 211
Configuring Network Settings Chapter 6 Managing Your Network This chapter describes how to manage and configure your network connection and settings. This chapter includes the following topics: Configuring Network Settings ..................................................................195 Using the Internal DNS Server .................................................................224 Using Network Objects ............................................................................
PAGE 212
Configuring Network Settings Configuring the LAN Network To configure the LAN network 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. 196 Click Edit in the LAN network’s row.
PAGE 213
Configuring Network Settings The Edit Network Settings page for the LAN network appears. 3. In the Mode drop-down list, select Enabled. The fields are enabled. 4. If desired, change your Safe@Office appliance’s internal IP address. See Changing IP Addresses on page 198. 5. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 199. 6. If desired, configure a DHCP server. See Configuring a DHCP Server on page 200. 7. Click Apply. A warning message appears. 8. Click OK.
PAGE 214
Configuring Network Settings Changing IP Addresses If desired, you can change your Safe@Office appliance’s internal IP address, or the entire range of IP addresses in your internal network. To change IP addresses 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. In the desired network's row, click Edit. The Edit Network Settings page appears. 3. To change the Safe@Office appliance’s internal IP address, enter the new IP address in the IP Address field.
PAGE 215
Configuring Network Settings • Your computer obtains an IP address in the new range. Otherwise, manually reconfigure your computer to use the new address range using the TCP/IP settings. For information on configuring TCP/IP, see TCP/IP Settings on page 94.
PAGE 216
Configuring Network Settings Configuring a DHCP Server By default, the Safe@Office appliance operates as a DHCP (Dynamic Host Configuration Protocol) server. This allows the Safe@Office appliance to automatically configure all the devices on your network with their network configuration details. Note: The DHCP server only serves computers that are configured to obtain an IP address automatically.
PAGE 217
Configuring Network Settings Enabling/Disabling the Safe@Office DHCP Server You can enable and disable the Safe@Office DHCP Server for internal networks. To enable/disable the Safe@Office DHCP server 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. In the desired network's row, click Edit. The Edit Network Settings page appears. 3. From the DHCP Server list, select Enabled or Disabled. 4. Click Apply. A warning message appears. 5. Click OK.
PAGE 218
Configuring Network Settings Configuring the DHCP Address Range By default, the Safe@Office DHCP server automatically sets the DHCP address range. The DHCP address range is the range of IP addresses that the DHCP server can assign to network devices. IP addresses outside of the DHCP address range are reserved for statically addressed computers. If desired, you can set the Safe@Office DHCP range manually. To configure the DHCP address range 1. Click Network in the main menu, and click the My Network tab.
PAGE 219
Configuring Network Settings The DHCP IP range fields appear. 4. 2) In the DHCP IP range fields, type the desired DHCP range. Click Apply. A warning message appears. 5. Click OK. A success message appears 6. If your computer is configured to obtain its IP address automatically (using DHCP), and either the Safe@Office DHCP server or another DHCP server is enabled, restart your computer. Your computer obtains an IP address in the new DHCP address range.
PAGE 220
Configuring Network Settings Configuring DHCP Relay You can configure DHCP relay for internal networks. Note: DHCP relay will not work if the appliance is located behind a NAT device. To configure DHCP relay 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. In the desired network's row, click Edit. The Edit Network Settings page appears. 3. 204 In the DHCP Server list, select Relay.
PAGE 221
Configuring Network Settings The Automatic DHCP range check box is disabled, and new fields appear. 4. In the Primary DHCP Server IP field, type the IP address of the primary DHCP server. 5. In the Secondary DHCP Server IP field, type the IP address of the DHCP server to use if the primary DHCP server fails. 6. Click Apply. A warning message appears. 7. Click OK. A success message appears 8.
PAGE 222
Configuring Network Settings Configuring DHCP Server Options If desired, you can configure the following custom DHCP options for an internal network: • Domain suffix • DNS servers • WINS servers • Default gateway • NTP servers • VoIP call managers • TFTP server and boot filename • Avaya, Nortel, and Thomson IP phone configuration strings To configure DHCP options 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2.
PAGE 223
Configuring Network Settings The DHCP Server Options page appears. 4. Complete the fields using the relevant information in the following table.
PAGE 224
Configuring Network Settings New fields appear, depending on the check boxes you selected. 5. Click Apply. 6. If your computer is configured to obtain its IP address automatically (using DHCP), restart your computer. Your computer obtains an IP address in the DHCP address range.
PAGE 225
Configuring Network Settings Table 38: DHCP Server Options Fields In this field… Do this… Domain Name Type a default domain suffix that should be passed to DHCP clients. The DHCP client will automatically append the domain suffix for the resolving of non-fully qualified names. For example, if the domain suffix is set to "mydomain.com", and the client tries to resolve the name “mail”, the suffix will be automatically appended to the name, resulting in “mail.mydomain.com”.
PAGE 226
Configuring Network Settings In this field… Do this… Automatically assign Clear this option if you do not want the DHCP server to pass the default gateway current gateway IP address to DHCP clients as the default gateway's IP address. Normally, it is recommended to leave this option selected. The Default Gateway field is enabled. Default Gateway Type the IP address to pass to DHCP clients as the default gateway, instead of the current gateway IP address.
PAGE 227
Configuring Network Settings In this field… Do this… Nortel IP Phone To enable Nortel IP phones to receive their configuration, type the phone's configuration string. Thomson IP Phone To enable Thomson IP phones to receive their configuration, type the phone's configuration string. Configuring a DMZ Network In addition to the LAN network, you can define a second internal network called a DMZ (demilitarized zone) network.
PAGE 228
Configuring Network Settings The Ports page appears. 3. 212 Next to the DMZ/WAN2 port, click Edit.
PAGE 229
Configuring Network Settings The Port Setup page appears. 4. In the Assign to network drop-down list, select DMZ. 5. Click Apply. A warning message appears. 6. Click OK. 7. Click Network in the main menu, and click the My Network tab. The My Network page appears. 8. In the DMZ network's row, click Edit. The Edit Network Settings page appears. 9. In the Mode drop-down list, select Enabled. The fields are enabled. 10.
PAGE 230
Configuring Network Settings Note: The DMZ network must not overlap other networks. 11. In the Subnet Mask drop-down list, select the DMZ’s internal network range. 12. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 199. 13. If desired, configure a DHCP server. See Configuring a DHCP Server on page 200. 14. Click Apply. A warning message appears. 15. Click OK. A success message appears.
PAGE 231
Configuring Network Settings Note: OfficeMode requires either Check Point SecureClient, an L2TP client, or an Endpoint Connect client to be installed on the VPN clients. It is not supported by Check Point SecuRemote. When OfficeMode is not supported by the VPN client, traditional mode will be used instead. To configure the OfficeMode network 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. In the OfficeMode network's row, click Edit.
PAGE 232
Configuring Network Settings Configuring VLANs Your Safe@Office appliance allows you to partition your network into several virtual LAN networks (VLANs). A VLAN is a logical network behind the Safe@Office appliance. Computers in the same VLAN behave as if they were on the same physical network: traffic flows freely between them, without passing through a firewall. In contrast, traffic between a VLAN and other networks passes through the firewall and is subject to the security policy.
PAGE 233
Configuring Network Settings The Safe@Office appliance supports the following VLAN types: • Tag-based In tag-based VLAN you use one of the gateway’s ports as a 802.1Q VLAN trunk, connecting the appliance to a VLAN-aware switch. Each VLAN behind the trunk is assigned an identifying number called a “VLAN ID”, also referred to as a "VLAN tag". All outgoing traffic from a tag-based VLAN contains the VLAN's tag in the packet headers.
PAGE 234
Configuring Network Settings • Port-based Port-based VLAN allows assigning the appliance's LAN ports to VLANs, effectively transforming the appliance's four-port switch into up to four firewall-isolated security zones. You can assign multiple ports to the same VLAN, or each port to a separate VLAN. Port-based VLAN does not require an external VLAN-capable switch, and is therefore simpler to use than tag-based VLAN. However, port-based VLAN is limited by the number of appliance LAN ports.
PAGE 235
Configuring Network Settings • Wireless Distribution System (WDS) links In wireless Safe@Office models, you can extend the primary WLAN's coverage area, by creating a Wireless Distribution System (WDS). A WDS is a system of access points that communicate with each other wirelessly, without any need for a wired backbone. WDS is usually used together with bridge mode to connect the networks behind the access points. To create a WDS, you must add WDS links between the desired access points.
PAGE 236
Configuring Network Settings Adding and Editing Port-Based VLANs To add or edit a port-based VLAN 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. Do one of the following: • To add a VLAN, click Add Network. • To edit a VLAN, click Edit in the desired VLAN’s row. The Edit Network Settings page for VLAN networks appears. 3. In the Network Name field, type a name for the VLAN. 4. In the Type drop-down list, select Port Based VLAN.
PAGE 237
Configuring Network Settings 5. In the Mode drop-down list, select Enabled. The fields are enabled. 6. In the IP Address field, type the IP address of the VLAN network's default gateway. Note: The VLAN network must not overlap other networks. 7. In the Subnet Mask field, type the VLAN's internal network range. 8. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 199. 9. If desired, configure a DHCP server. See Configuring a DHCP Server on page 200. 10. Click Apply.
PAGE 238
Configuring Network Settings Adding and Editing Tag-Based VLANs To add or edit a tag-based VLAN 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. Do one of the following: • To add a VLAN, click Add Network. • To edit a VLAN, click Edit in the desired VLAN’s row. The Edit Network Settings page for VLAN networks appears. 3. In the Network Name field, type a name for the VLAN. 4. In the Type drop-down list, select Tag Based VLAN.
PAGE 239
Configuring Network Settings A warning message appears. 12. Click OK. A success message appears. 13. Click Network in the main menu, and click the Ports tab. The Ports page appears. 14. In the DMZ/WAN2 drop-down list, select VLAN Trunk. 15. Click Apply. The DMZ/WAN2 port now operates as a VLAN Trunk port. In this mode, it will not accept untagged packets. 16. Configure a VLAN trunk (802.1Q) port on the VLAN-aware switch, according to the vendor instructions. Define the same VLAN IDs on the switch. 17.
PAGE 240
Using the Internal DNS Server 5. Click OK. The VLAN is deleted. Using the Internal DNS Server The Safe@Office appliance includes an internal DNS server, which can resolve DNS names for hosts defined as network objects. Each host is assigned a DNS name in the format ., where is the name of the network object representing the host, and is the domain name suffix configured for the internal DNS server.
PAGE 241
Using the Internal DNS Server Enabling the Internal DNS Server To enable the internal DNS server 1. Click Setup in the main menu, and click the DNS Server tab. The DNS Server page appears. 2. Select the Enable the Internal DNS Server check box.
PAGE 242
Using the Internal DNS Server The Domain Name Suffix field appears. 3. In the Domain Name Suffix field, type the desired domain name suffix. 4. Click Apply.
PAGE 243
Using Network Objects Using Network Objects You can add individual computers or networks as network objects. This enables you to configure various settings for the computer or network represented by the network object. You can configure the following settings for a network object: • Static NAT (or One-to-One NAT) Static NAT allows the mapping of Internet IP addresses or address ranges to hosts inside the internal network.
PAGE 244
Using Network Objects DHCP reservation, and it is useful if you are hosting a public Internet server on your network. • Web Filtering enforcement You can specify whether or not to enforce the Web Filtering service and Web rules for the network object. Network objects that are excluded from such enforcement will be able to access the Internet without restriction. For information on Web Filtering, see Web Filtering on page 575. For information on Web rules, see Using Web Rules on page 567.
PAGE 245
Using Network Objects Adding and Editing Network Objects You can add or edit network objects via: • The Network Objects page This page enables you to add both individual computers and networks. • The My Computers page This page enables you to add only individual computers as network objects. The computer's details are filled in automatically in the wizard. To add or edit a network object via the Network Objects page 1. Click Network in the main menu, and click the Network Objects tab.
PAGE 246
Using Network Objects 2. Do one of the following: To add a network object, click New. To edit an existing network object, click the Edit icon next to the desired computer in the list. The Safe@Office Network Object Wizard opens, with the Step 1: Network Object Type dialog box displayed. • • 3. Do one of the following: • 4. 230 To specify that the network object should represent a single computer or device, click Single Computer.
PAGE 247
Using Network Objects The Step 2: Computer Details dialog box appears. If you chose Single Computer, the dialog box includes the Reserve a fixed IP address for this computer option. If you chose Network, the dialog box does not include this option. 5. Complete the fields using the information in the tables below. 6. Click Next.
PAGE 248
Using Network Objects The Step 3: Save dialog box appears. 7. Type a name for the network object in the field. 8. Click Finish. To add or edit a network object via the My Computers page 1. 232 Click Reports in the main menu, and click the My Computers tab.
PAGE 249
Using Network Objects The My Computers page appears. If a computer has not yet been added as a network object, the Add button appears next to it. If a computer has already been added as a network object, the Edit button appears next to it. 2. Do one of the following: • To add a network object, click Add next to the desired computer. • To edit a network object, click Edit next to the desired computer. The Safe@Office Network Object Wizard opens, with the Step 1: Network Object Type dialog box displayed.
PAGE 250
Using Network Objects The computer's IP address and MAC address are automatically filled in. 5. Complete the fields using the information in the tables below. 6. Click Next. The Step 3: Save dialog box appears with the network object's name. If you are adding a new network object, this name is the computer's name. 7. To change the network object name, type the desired name in the field. 8. Click Finish. The new object appears in the Network Objects page.
PAGE 251
Using Network Objects In this field… Do this… Exclude this computer Select this option to exclude this computer from 802.1x port-based from 802.1x Port Security security enforcement. The computer will be able to connect to a Safe@Office appliance port and access the network without authenticating. Perform Static NAT Select this option to map the local computer's IP address to an (Network Address Internet IP address. Translation) You must then fill in the External IP field.
PAGE 252
Using Network Objects Table 40: Network Object Fields for a Network In this field… Do this… IP Range Type the range of local computer IP addresses in the network. Perform Static NAT Select this option to map the network's IP address range to a range of (Network Address Internet IP addresses of the same size. Translation) You must then fill in the External IP Range field. External IP Range Type the Internet IP address range to which you want to map the network's IP address range.
PAGE 253
Configuring Network Service Objects Viewing and Deleting Network Objects To view or delete a network object 1. Click Network in the main menu, and click the Network Objects tab. The Network Objects page appears with a list of network objects. 2. To delete a network object, do the following: a. b. In the desired network object's row, click Erase. A confirmation message appears. Click OK. The network object is deleted.
PAGE 254
Configuring Network Service Objects Adding and Editing Network Service Objects To add or edit a network service object 1. Click Network in the main menu, and click the Network Services tab. The Network Services page appears with a list of network service objects. 2. Do one of the following: • • 238 To add a network service object, click New. To edit an existing network service object, click Edit next to the desired object in the list.
PAGE 255
Configuring Network Service Objects The Safe@Office Network Service Wizard opens, with the Step 1: Network Service Details dialog box displayed. 3. Complete the fields using the information in the table below. 4. Click Next. The Step 2: Network Service Name dialog box appears. 5. Type a name for the network service object in the field.
PAGE 256
Configuring Network Service Objects 6. Click Finish. Table 41: Network Service Fields In this field… Do this… Protocol Select the network service's IP protocol. If you select Other, the Protocol Number field appears. If you select TCP or UDP, the Port Ranges field appears. Protocol Number Type the number of the network service's IP protocol. Port Ranges Type the network service's port or port ranges. Multiple ports or port ranges must be separated by commas.
PAGE 257
Using Static Routes Using Static Routes A static route is a setting that explicitly specifies the route to use for packets, according to one of the following criteria: • The packet's source IP address and/or destination IP address • The network service used to send the packet Packets that match the criteria for a specific static route are sent to the route's defined destination, or next hop, which can be a specific gateway's IP address or an Internet connection.
PAGE 258
Using Static Routes The Static Routes page lists all existing routes, including the default, and indicates whether each route is currently "Up" (reachable) or not. Adding and Editing Static Routes To add a static route 1. Click Network in the main menu, and click the Routes tab. The Static Routes page appears, with a list of existing static routes. 2. Do one of the following: • • 242 To add a static route, click New Route.
PAGE 259
Using Static Routes The Static Route Wizard opens displaying the Step 1: Source and Destination dialog box. 3. Complete the fields using the relevant information in the following table. 4. Click Next. The Step 2: Next Hop and Metric dialog box appears. 5. Complete the fields using the relevant information in the following table.
PAGE 260
Using Static Routes 6. Click Next. The new static route is saved. Table 42: Static Route Fields In this field… Source Do this… Specify the source network (source routing). This can be either of the following: • ANY. This route applies to packets originating in any network. • Specified Network. This route applies to packet originating in a specific network. The Network and Netmask fields appear. Source - Network Type the source network's IP address.
PAGE 261
Using Static Routes In this field… Do this… Next Hop IP Specify the next hop to which packets should be sent. This can be any of the following: Metric • Specified IP. Traffic matching this static route's criteria will be routed to a specific gateway. Type the IP address of the desired gateway (next hop router) in the field provided. • WAN (Internet). Traffic matching this static route's criteria will be routed to the Internet connection on the WAN1 interface. • WAN2 (Internet).
PAGE 262
Managing Ports Managing Ports The Safe@Office appliance enables you to quickly and easily assign its ports to different uses, as shown in the following table. If desired, you can also disable ports. Table 43: Ports and Assignments You can assign this port... To these uses... LAN 1-4 LAN network A WAN Internet connection A port-based VLAN A VLAN that is dynamically assigned by a RADIUS server, as part of an 802.
PAGE 263
Managing Ports You can assign this port... To these uses... USB Printers USB-based modems The Safe@Office appliance also allows you to restrict each port to a specific link speed and duplex setting and to configure its security scheme. For information on port-based security, see Using Port-Based Security on page 413. Viewing Port Statuses You can view the status of the Safe@Office appliance's ports on the Ports page, including each Ethernet connection's duplex state.
PAGE 264
Managing Ports The Ports page appears.
PAGE 265
Managing Ports In ADSL models, this page appears as follows: The page displays the information for each port, as described in the following table. 2. To refresh the display, click Refresh. Table 44: Ports Fields This field… Displays… Assign To The port's current assignment. For example, if the DMZ/WAN2 port is currently used for the DMZ, the field displays "DMZ".
PAGE 266
Managing Ports This field… Displays… Status The port's current status. Ethernet ports can have the following statuses: Status Description The detected link The port is in use. speed and duplex (Full Duplex or Half Duplex) No Link The appliance does not detect anything connected to the port. Disabled The port is disabled. For example, the DMZ/WAN2 port's status will be "Disabled" if the port is assigned to "None", or if it assigned to "DMZ" and the DMZ is disabled.
PAGE 267
Managing Ports This field… Displays… The ADSL port can have the following statuses: Status Description Sync OK The ADSL modem synchronized with the ADSL service provider. No Sync The ADSL modem failed to synchronize with the ADSL service provider. Check that a micro-filter is properly connected, and check that your DSL Standard setting is compatible with your service provider. You can view this setting in the Network > Internet Setup page. Disabled The port is disabled.
PAGE 268
Managing Ports This field… Displays… The USB port can have the following statuses: Status Description Connected (number) USB devices (printers or modem) are connected to the USB ports. The number of connected devices appears in parentheses. Not Connected No USB devices are connected to the USB ports. The ExC port can have the following statuses: Status Description Connected (number) A ExpressCard modems is inserted in the ExpressCard slot.
PAGE 269
Managing Ports This field… Displays… 802.1x The port's security scheme. This can be any of the following: Scheme Description N/A No security scheme is defined for the port. Unauthorized An 802.1x security scheme is defined for the port. Users have not yet connected to the port and attempted to authenticate, or a user failed to authenticate and no Quarantine network is configured. Authorized (network) An 802.1x security scheme is defined for the port.
PAGE 270
Managing Ports Modifying Port Assignments You can assign ports to different networks or purposes. Since modifying port assignments often requires additional configurations, use the following table to determine which procedure you should use. Table 45: Modifying Port Assignments To assign a port to... See... No network The procedure below. This disables the port. LAN The procedure below VLAN or Configuring VLANs on page 216 VLAN Trunk A WAN Internet connection The procedure below.
PAGE 271
Managing Ports To assign a port to... See... An ExpressCard modem Setting Up an ExpressCard Cellular Modem on page 185 To modify a port assignment 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. 2. Next to the desired port, click Edit. The Port Setup page appears. 3. In the Assign to Network drop-down list, do one of the following: • • • To assign a network port to the LAN, select LAN.
PAGE 272
Managing Ports 4. • To disable the Serial port, select Disabled. Click Apply. A warning message appears. 5. Click OK. The port is reassigned to the specified network or purpose. Modifying Link Configurations By default, the Safe@Office appliance automatically detects the link speed and duplex. If desired, you can manually restrict the appliance's ports to a specific link speed and duplex setting. To modify a port's link configuration 1. Click Network in the main menu, and click the Ports tab.
PAGE 273
Managing Ports Resetting Ports to Defaults You can reset the Safe@Office appliance's ports to their default link configurations ("Automatic Detection") and default assignments (shown in the following table). Table 46: Default Port Assignments Port Default Assignment LAN 1-4 LAN DMZ / WAN2 DMZ WAN This port is always assigned to the WAN. ADSL This port is always assigned to the WAN. Serial Console Note: Resetting ports to their defaults may result in the loss of your Internet connection.
PAGE 274
Managing Ports Resetting All Ports to Defaults To reset all ports to defaults 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. 2. Click Default. A confirmation message appears. 3. Click OK. All ports are reset to their default assignments and to "Automatic Detection" link configuration. Resetting Individual Ports to Defaults To reset a port to defaults 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. 2.
PAGE 275
Overview Chapter 7 Using Bridges This chapter describes how to connect multiple network segments at the data-link layer, using a bridge. This chapter includes the following topics: Overview ..................................................................................................259 Workflow..................................................................................................265 Adding and Editing Bridges .....................................................................
PAGE 276
Overview If you enable the firewall between bridged network segments, the gateway operates as a regular firewall between network segments, inspecting traffic and dropping or blocking unauthorized or unsafe traffic. In contrast, if you disable the firewall between bridged network segments, all network interfaces assigned to the bridge are connected directly, with no firewall filtering the traffic between them. The network interfaces operate as if they were connected by a hub or switch.
PAGE 277
Overview For example, if you assign the LAN and primary WLAN networks to a bridge and disable the bridge's internal firewall, the two networks will act as a single, seamless network, and only traffic from the LAN and primary WLAN networks to other networks (for example, the Internet) will be inspected by the firewall. If you enable the internal firewall, it will enforce security rules and inspect traffic between the LAN and primary WLAN networks.
PAGE 278
Overview • Transparent roaming In a routed network, if a host is physically moved from one network area to another, then the host must be configured with a new IP address. However, in a bridged network, there is no need to reconfigure the host, and work can continue with minimal interruption. The Safe@Office appliance allows you to configure anti-spoofing for bridged network segments.
PAGE 279
Overview How Does Bridge Mode Work? Bridges operate at layer 2 of the OSI model, therefore adding a bridge to an existing network is completely transparent and does not require any changes to the network's structure. Each bridge maintains a forwarding table, which consists of associations.
PAGE 280
Overview Multiple Bridges and Spanning Tree Protocol When using multiple bridges, you can enable fault tolerance and optimal packet routing, by configuring Spanning Tree Protocol (STP - IEEE 802.1d). When STP is enabled, each bridge communicates with its neighboring bridges or switches to discover how they are interconnected. This information is then used to eliminate loops, while providing optimal routing of packets.
PAGE 281
Workflow Figure 32: Link Redundancy with STP Workflow To use a bridge 1. Add a bridge. See Adding and Editing Bridges on page 266. 2. Add the desired internal networks to the bridge. See Adding Internal Networks to Bridges on page 270. 3. Add the desired Internet connections to the bridge. See Adding Internet Connections to Bridges on page 274. 4. If you enabled the firewall between networks on this bridge, add security rules and VStream Antivirus rules as needed.
PAGE 282
Adding and Editing Bridges For information on adding security rules, see Adding and Editing Rules on page 404. For information on adding VStream Antivirus rules, see Adding and Editing Vstream Antivirus Rules on page 512. Adding and Editing Bridges To add or edit a bridge 1. Click Network in the main menu, and click the My Network tab. The My Network page appears. 2. Do one of the following: • • 266 To add a bridge, click Add Bridge. To edit a bridge, click Edit in the desired bridge's row.
PAGE 283
Adding and Editing Bridges The Bridge Configuration page appears. 3. Complete the fields using the following table. 4. Click Apply. A success message appears.
PAGE 284
Adding and Editing Bridges Table 47: Bridge Configuration Fields In this field… Do this… Network Name Type a name for the bridge. Firewall Between Members Specify whether the firewall should be enabled between networks on this bridge, by selecting one of the following: Non IP Traffic • Enabled. The firewall is enabled, and it will inspect traffic between networks on the bridge, enforcing firewall rules and SmartDefense protections. This is the default value. • Disabled.
PAGE 285
Adding Internal Networks to Bridges In this field… Do this… Bridge Priority Select this bridge's priority. The bridge's priority is combined with a bridged network's MAC address to create the bridge's ID. The bridge with the lowest ID is elected as the root bridge. The other bridges in the tree calculate the shortest distance to the root bridge, in order to eliminate loops in the topology and provide fault tolerance.
PAGE 286
Adding Internal Networks to Bridges Adding Internal Networks to Bridges Note: In order to add a VLAN of any type (port-based, tag-based, VAP, or WDS link) to the bridge, you must first create the desired VLAN. For information on adding port-based VLANs, see Adding and Editing Port-Based VLANs on page 220. For information on adding tag-based VLANs, see Adding and Editing Tag-Based VLANs on page 222.For information on adding VAPs, see Configuring Virtual Access Points on page 333.
PAGE 287
Adding Internal Networks to Bridges New fields appear. 4. Complete these fields as described below.
PAGE 288
Adding Internal Networks to Bridges If the assigned bridge uses STP, additional fields appear. 5. Click Apply. A warning message appears. 6. Click OK. A success message appears. In the My Network page, the internal network appears indented under the bridge.
PAGE 289
Adding Internal Networks to Bridges Table 48: Bridged Network Fields In this field… Do this… Assign to Bridge Select the bridge to which the network should be assigned. Bridge Anti-Spoofing Select this option to enable anti-spoofing. If anti-spoofing is enabled, only IP addresses within the Allowed IP Range can be source IP addresses for packets on this network. Allowed IP Range Type the range of IP addresses that should be allowed on this network.
PAGE 290
Adding Internet Connections to Bridges In this field… Do this… Spanning Tree Protocol - Port Select the port's priority. Priority The port's priority is combined with the port's logical number to create the port's ID. The port with the lowest ID is elected as the root port, which forwards frames out of the bridge. The other ports in the bridge calculate the least-cost path to the root port, in order to eliminate loops in the topology and provide fault tolerance.
PAGE 291
Adding Internet Connections to Bridges 4. This option is available in ADSL models only. • To use the WAN port, select WAN. This option is available in non-ADSL models only. • To use the DMZ/WAN2 port, select WAN2. Do one of the following: To configure a Bridged PPPoA connection, in the Connection Type field, select PPPoA. This option is available in ADSL models only. • Otherwise, in the Connection Type field, select Bridged. New fields appear. • 5. Complete the fields specified in the table below.
PAGE 292
Adding Internet Connections to Bridges 6. Complete the rest of the fields using the relevant information in Internet Setup Fields on page 168. New fields appear, depending on the selected options, and whether the selected bridge uses STP. 7. Click Apply. The Safe@Office appliance attempts to connect to the Internet, and the Status Bar displays the Internet status “Connecting”. This may take several seconds. Once the connection is made, the Status Bar displays the Internet status “Connected”.
PAGE 293
Adding Internet Connections to Bridges Table 49: Bridged Connection Fields In this field… Do this… Bridge Mode Select this option to configure a Bridged PPPoA connection. The Bridge To field appears. This field is relevant for Bridged PPPoA connections only. Bridge To Select the bridge to which you want to add the PPPoA connection. This field is relevant for Bridged PPPoA connections only. Assign to Bridge Select the bridge to which the connection should be assigned.
PAGE 294
Deleting Bridges In this field… Do this… Spanning Tree Protocol - Port Select the port's priority. Priority The port's priority is combined with the port's logical number to create the port's ID. The port with the lowest ID is elected as the root port, which forwards frames out of the bridge. The other ports in the bridge calculate the least-cost path to the root port, in order to eliminate loops in the topology and provide fault tolerance.
PAGE 295
Deleting Bridges 2. Remove all Internet connections from the bridge, by doing the following for each connection: Click Network in the main menu, and click the Internet tab. The Internet page appears. b. Next to the desired Internet connection, click Edit. c. The Internet Setup page appears. d. In the Connection Type field, select the desired connection type (not Bridged). e. Click Apply. Click Network in the main menu, and click the My Network tab. a. 3. The My Network page appears. 4.
PAGE 296
PAGE 297
Overview Chapter 8 Configuring High Availability This chapter describes how to configure High Availability (HA) for two or more Safe@Office appliances. This chapter includes the following topics: Overview ..................................................................................................281 Configuring High Availability on a Gateway ...........................................284 Sample Implementation on Two Gateways ..............................................
PAGE 298
Overview 4. When a gateway that was offline comes back online, or a gateway's priority changes, the gateway sends a heartbeat notifying the other gateways in the cluster. If the gateway's priority is now the highest, it becomes the Active Gateway. The Safe@Office appliance supports Internet connection tracking, which means that each appliance tracks its Internet connection's status and reduces its own priority by a userspecified amount, if its Internet connection goes down.
PAGE 299
Overview Note: To use a WAN virtual IP address, the Internet connection method must be "Static IP". PPP-based connections and dynamic IP connections are not supported. Before configuring HA, the following requirements must be met: • You must have at least two identical Safe@Office appliances. • The appliances must have identical firmware versions and firewall rules. • The appliances' internal networks and bridges must be the same.
PAGE 300
Configuring High Availability on a Gateway Configuring High Availability on a Gateway The following procedure explains how to configure HA on a single gateway. You must perform this procedure on each Safe@Office appliance that you want to include in the HA cluster. To configure HA on a Safe@Office appliance 1. Set the appliance’s internal IP addresses and network range. Each appliance must have a different internal IP address. See Changing IP Addresses on page 198. 2.
PAGE 301
Configuring High Availability on a Gateway The fields are enabled. 4. Next to each network for which you want to enable HA, select the HA check box. The Internet-Primary field represents the WAN interface, and the Internet-Secondary field represents the WAN2 interface. 5. In the Virtual IP field, type the default gateway IP address.
PAGE 302
Configuring High Availability on a Gateway This can be any unused IP address in the network, and must be the same for all gateways. You can assign a virtual IP address to any internal interface, as well as to "LAN Static IP" Internet connections (that is, LAN connections for which the Obtain IP address automatically (using DHCP) check box is cleared). 6. Click the Synchronization radio button next to the network you want to use as the synchronization interface.
PAGE 303
Configuring High Availability on a Gateway Table 50: High Availability Page Fields In this field… Do this… Priority My Priority Type the gateway's priority. This must be an integer between 1 and 255. Internet Connection Tracking Internet - Primary Type the amount to reduce the gateway's priority if the primary Internet connection goes down. This must be an integer between 0 and 255. Internet - Secondary Type the amount to reduce the gateway's priority if the secondary Internet connection goes down.
PAGE 304
Configuring High Availability on a Gateway In this field… Do this… When in passive state Disable VPN Select this option to specify that VPN connectivity should be disabled when the gateway is a Passive Gateway. Disable OSPF Select this option to specify that Open Shortest Path First (OSPF) dynamic routing should be disabled when the gateway is a Passive Gateway.
PAGE 305
Sample Implementation on Two Gateways In this field… Do this… Group ID If multiple HA clusters exist on the same network segment, type the ID number of the cluster to which the gateway should belong. This must be an integer between 1 and 255. The default value is 55. If only one HA cluster exists, there is no need to change this value.
PAGE 306
Sample Implementation on Two Gateways The procedure below shows how to configure HA for both the LAN and DMZ networks. The synchronization interface is the DMZ network, the LAN virtual IP address is 192.168.100.3, and the DMZ virtual IP address is 192.168.101.3. Gateway A is the Active Gateway. To configure HA for Gateway A and Gateway B 1. Connect the LAN port of Gateways A and B to hub 1. 2. Connect the DMZ port of Gateways A and B to hub 2. 3.
PAGE 307
Sample Implementation on Two Gateways 6. Gateway A will reduce its priority by 30, if its secondary Internet connection goes down. l. Click Apply. A success message appears. Do the following on Gateway B: a. Set the gateway's internal IP addresses and network range to the values specified in the table above. See Changing IP Addresses on page 198. b. Click Setup in the main menu, and click the High Availability tab. The High Availability page appears. c. Select the Gateway High Availability check box.
PAGE 308
Sample Implementation on Two Gateways 292 Check Point Safe@Office User Guide
PAGE 309
Overview Chapter 9 Using Traffic Shaper This chapter describes how to use Traffic Shaper to control the flow of communication to and from your network. This chapter includes the following topics: Overview ..................................................................................................293 Setting Up Traffic Shaper .........................................................................295 Predefined QoS Classes ............................................................................
PAGE 310
Overview Each class has a bandwidth limit, which is the maximum amount of bandwidth that connections belonging to that class may use together. Once a class has reached its bandwidth limit, connections belonging to that class will not be allocated further bandwidth, even if there is unused bandwidth available. For example, traffic used by PeerTo-Peer file-sharing applications may be limited to a specific rate, such as 512 kilobit per second.
PAGE 311
Setting Up Traffic Shaper Setting Up Traffic Shaper To set up Traffic Shaper 1. Enable Traffic Shaper for the Internet connection, using the procedure Using Internet Setup on page 141. You can enable Traffic Shaper for incoming or outgoing connections. • When enabling Traffic Shaper for outgoing traffic: Specify a rate (in kilobits/second) slightly lower than your Internet connection's maximum measured upstream speed.
PAGE 312
Predefined QoS Classes Shaper will handle outgoing VPN traffic as specified in the bandwidth policy for the Urgent class. See Adding and Editing Rules on page 404. Note: Traffic Shaper must be enabled for the direction of traffic specified in the rule. Note: If you do not assign a connection type to a class, Traffic Shaper automatically assigns the connection type to the predefined "Default" class. Predefined QoS Classes Traffic Shaper provides the following predefined QoS classes.
PAGE 313
Adding and Editing Classes Class Weight Delay Sensitivity Useful for Urgent 15 High Traffic that is highly sensitive to delay. For (Interactive Traffic) example, IP telephony, videoconferencing, and interactive protocols that require quick user response, such as telnet. Note that the weight (amount of bandwidth) allocated to this class is less than the weight allocated to the “Important” class. The "Urgent" class is ideal for delay-sensitive traffic that does not demand a high amount of bandwidth.
PAGE 314
Adding and Editing Classes Adding and Editing Classes To add or edit a QoS class 1. Click Network in the main menu, and click the Traffic Shaper tab. The Quality of Service Classes page appears. 2. 298 Click Add.
PAGE 315
Adding and Editing Classes The Safe@Office QoS Class Editor wizard opens, with the Step 1 of 3: Quality of Service Parameters dialog box displayed. 3. Complete the fields using the relevant information in the following table. 4. Click Next. The Step 2 of 3: Advanced Options dialog box appears. 5. Complete the fields using the relevant information in the following table.
PAGE 316
Adding and Editing Classes Note: Traffic Shaper may not enforce guaranteed rates and relative weights for incoming traffic as accurately as for outgoing traffic. This is because Traffic Shaper cannot control the number or type of packets it receives from the Internet; it can only affect the rate of incoming traffic by dropping received packets. It is therefore recommended to enable traffic shaping for incoming traffic only if necessary.
PAGE 317
Adding and Editing Classes Table 53: QoS Class Fields In this field… Do this… Relative Weight Type a value indicating the class's importance relative to the other defined classes. For example, if you assign one class a weight of 100, and you assign another class a weight of 50, the first class will be allocated twice the amount of bandwidth as the second when the lines are congested.
PAGE 318
Viewing and Deleting Classes In this field… Do this… Incoming Traffic: Select this option to limit the rate of incoming traffic belonging to this class. Limit rate to Then type the maximum rate (in kilobits/second) in the field provided. DiffServ Code Point Select this option to mark packets belonging to this class with a DiffServ Code Point (DSCP), which is an integer between 0 and 63. Then type the DSCP in the field provided.
PAGE 319
Restoring Traffic Shaper Defaults Restoring Traffic Shaper Defaults If desired, you can reset the Traffic Shaper bandwidth policy to use the four predefined classes, and restore these classes to their default settings. For information on these classes and their defaults, see Predefined QoS Classes on page 296. Note: This will delete any additional classes you defined in Traffic Shaper and reset all rules to use the Default class.
PAGE 320
PAGE 321
Overview Chapter 10 Working with Wireless Networks This chapter describes how to configure wireless internal networks. This chapter includes the following topics: Overview ..................................................................................................305 Configuring Wireless Networks ...............................................................314 Troubleshooting Wireless Connectivity ...................................................
PAGE 322
Overview compatible stations. For more information on the Super G mode refer to: http://www.super-ag.com. Safe@Office wireless appliances transmit in 2.4GHz range, using dual diversity antennas to increase the range. When the 802.11n standard is employed with Safe@Office 1000NW, the appliance can transmit in the 5GHz range, as well. Safe@Office 500W appliances support a special extended range (XR) mode that allows up to three times the range of a regular 802.11g access point.
PAGE 323
Overview Virtual Access Points The Safe@Office appliance enables you to partition the primary WLAN into virtual access points (VAPs). A VAP is a logical wireless network behind the Safe@Office appliance and is a type of VLAN (see Configuring VLANs on page 216). Like other types of VLANs, VAPs are isolated from each other and can have separate security policies, IP network segments, and Traffic Shaper settings. This enables you to configure separate policies for different groups of wireless users.
PAGE 324
Overview different access point, you can bridge the two network segments over WDS links. The network segments will communicate with each other wirelessly via their access points and act as a single network. For information on bridge mode, see Using Bridges on page 259. WDS links are considered a type of VLAN (see Configuring VLANs on page 216). Therefore, they can have separate security policies, IP network segments, and Traffic Shaper settings.
PAGE 325
Overview When used together with bridge mode and Spanning Tree Protocol (STP), you can use WDS links to create redundant topologies, such as a loop or mesh of linked access points.
PAGE 326
Overview Figure 35: Redundant Loop of Access Points Linked by WDS and STP Note: Mesh topology is only supported in Safe@Office 500W. You can configure up to seven WDS links, in addition to the primary WLAN. For information on configuring WDS links, see Configuring WDS Links on page 338. Note: All access points in a WDS must use the same radio channel for the WDS link and for communicating with wireless stations. Therefore, using WDS may have a negative impact on wireless throughput.
PAGE 327
Overview Network Count Limitations You can configure a total of eight wireless objects, including any combination of the following: • The primary WLAN • Up to three virtual access points (VAPs) • Up to seven WDS links For example, if you configure the primary WLAN and two VAPs, then you can configure five WDS links, or one more VAP and four WDS links. When Extended Range (XR) mode is enabled for a wireless object, then it is counted as two objects.
PAGE 328
Overview Security Description WEP encryption In the WEP (Wired Equivalent Privacy) encryption security method, wireless Protocol stations must use a pre-shared key to connect to your network. This method is not recommended, due to known security flaws in the WEP protocol. It is provided for compatibility with existing wireless deployments. Note: The appliance and the wireless stations must be configured with the same WEP key. 802.1x: RADIUS In the 802.
PAGE 329
Overview Security Protocol Description recommended for situations where you want to authenticate wireless stations, and to encrypt the transmitted data. Note: To use this security method, you must first configure either a RADIUS server that supports 802.1x, or set up the network for use with the Safe@Office EAP authenticator. For information on configuring a RADIUS server, see Using RADIUS Authentication.
PAGE 330
Configuring Wireless Networks Note: For increased security, it is recommended to enable the Safe@Office internal VPN Server for users connecting from your internal networks, and to install SecuRemote/SecureClient/L2TP/Endpoint Connect on each computer in the wireless network. This ensures that all connections from the wireless network to the LAN are encrypted and authenticated. For information, see Internal VPN Server on page 606 and Setting Up Your Safe@Office Appliance as a VPN Server on page 607.
PAGE 331
Configuring Wireless Networks The Wireless Configuration Wizard opens, with the Wireless Configuration dialog box displayed. 5. Select the Enable wireless networking check box to enable the primary WLAN. The fields are enabled. 6. Complete the fields using the information in Basic WLAN Settings Fields on page 324. 7. Click Next.
PAGE 332
Configuring Wireless Networks 8. The Wireless Security dialog box appears. 9. Do one of the following: • • • 316 Click WPA-Personal to use the WPA-Personal security mode. WPA-Personal (also called WPA-PSK) uses a passphrase for authentication. This method is recommended for small, private wireless networks, which want to authenticate and encrypt wireless data, but do not want to install a RADIUS server or use the Safe@Office EAP authenticator. Both WPA and the newer, more secure WPA2 (802.
PAGE 333
Configuring Wireless Networks 10. Do one of the following: • To bridge the LAN and WLAN networks so that they appear as a single unified network, click Bridge Mode. Traffic from the WLAN to the LAN will be allowed to pass freely, and the LAN and WLAN will share a single IP address range. Note: This option creates a bridge called "default-bridge", which includes the WLAN and the LAN. If desired, you can later remove this bridge by running the Wireless Configuration Wizard again, and choosing Firewall Mode.
PAGE 334
Configuring Wireless Networks Do the following: 1. In the text box, type the passphrase for accessing the network, or click Random to randomly generate a passphrase. This must be between 8 and 63 characters. It can contain spaces and special characters, and is case-sensitive. 2. Click Next. The Wireless Security Confirmation dialog box appears. 3. 318 Click Next.
PAGE 335
Configuring Wireless Networks 4. The Wireless Security Complete dialog box appears. 5. Click Finish. The wizard closes. 6. Prepare the wireless stations.
PAGE 336
Configuring Wireless Networks WEP If you chose WEP, the Wireless Configuration-WEP dialog box appears. Do the following: 1. Choose a WEP key length. The possible key lengths are: • 64 Bits - The key length is 10 hexadecimal characters. • 128 Bits - The key length is 26 hexadecimal characters. • 152 Bits - The key length is 32 hexadecimal characters. Some wireless card vendors call these lengths 40/104/128, respectively.
PAGE 337
Configuring Wireless Networks 4. Click Next. The Wireless Security Complete dialog box appears. 5. Click Finish. The wizard closes. 6. Prepare the wireless stations. No Security The Wireless Security Complete dialog box appears. • Click Finish. The wizard closes. Manually Configuring a Wireless Network To manually configure a wireless network 1. If you intend to use the 802.1x or WPA-Enterprise security mode for the wireless network, do one of the following: • 2. 3.
PAGE 338
Configuring Wireless Networks The Edit Network Settings page appears. The fields that appear depend on the hardware type. 5. In the Mode drop-down list, select Enabled. The fields are enabled. 6. In the IP Address field, type the IP address of the wireless network network's default gateway. The wireless network must not overlap other networks. 7. In the Subnet Mask field, type the wireless network’s internal network range. 8. If desired, enable or disable Hide NAT.
PAGE 339
Configuring Wireless Networks 10. Complete the fields using the information in Basic Wireless Settings Fields on page 324. 11. To configure advanced settings, click Show Advanced Settings and complete the fields using the information in Advanced Wireless Settings Fields on page 329. New fields appear. The fields that appear depend on the hardware type. 12. Click Apply. A warning message appears, telling you that you are about to change your network settings.
PAGE 340
Configuring Wireless Networks 13. Click OK. A success message appears. Note: Some wireless cards have "Infrastructure" and "Ad-hoc" modes. These modes are also called "Access Point" and "Peer to Peer". On the wireless client, choose the "Infrastructure" or "Access Point" mode. You can set the wireless cards to either "Long Preamble" or "Short Preamble".
PAGE 341
Configuring Wireless Networks In this field… Do this… • 802.11g Super (54/108 Mbps). Operates in the 2.4 GHz range, and offers a maximum theoretical rate of 108 Mbps. When using this mode, 802.1g stations and 802.11g Super stations will be able to connect. This mode is not available in Safe@Office 1000NW. • 802.11g Super (11/54/108). Operates in the 2.4 GHz range, and offers a maximum theoretical rate of 108 Mbps. When using this mode, 802.11b stations, 802.11g stations, and 802.
PAGE 342
Configuring Wireless Networks In this field… Do this… • A specific channel. The list of channels is dependent on the selected country and operation mode. Note: If there is another wireless network in the vicinity, the two networks may interfere with one another. To avoid this problem, the networks should be assigned channels that are at least 25 MHz (5 channels) apart. Alternatively, you can reduce the transmission power.
PAGE 343
Configuring Wireless Networks In this field… Do this… Authentication Specify which authentication server to use, by selecting one of the Server following: Passphrase • RADIUS. A RADIUS server. • Internal User Database. The Safe@Office EAP authenticator. Type the passphrase for accessing the network, or click Random to randomly generate a passphrase. This must be between 8 and 63 characters. It can contain spaces and special characters, and is case-sensitive.
PAGE 344
Configuring Wireless Networks In this field… Do this… WEP Keys If you selected WEP encryption, you must configure at least one WEP key. The wireless stations must be configured with the same key, as well. Key 1, 2, 3, 4 radio Click the radio button next to the WEP key that this gateway should use for button transmission. The selected key must be entered in the same key slot (1-4) on the station devices, but the key need not be selected as the transmit key on the stations.
PAGE 345
Configuring Wireless Networks Table 56: Advanced Wireless Settings Fields In this field… Do this… Advanced Security Hide the Network Specify whether you want to hide your network's SSID, by selecting one of Name (SSID) the following: • Yes. Hide the SSID. Only devices to which your SSID is known can connect to your network. • No. Do not hide the SSID. Any device within range can detect your network name and attempt to connect to your network. This is the default.
PAGE 346
Configuring Wireless Networks In this field… Do this… Wireless Transmitter Transmission Rate Select the transmission rate: • Automatic. The Safe@Office appliance automatically selects a rate. This is the default. • A specific rate This field only appears when configuring the primary WLAN, and it is inherited by all VAPs and WDS links. Transmitter Power Select the transmitter power. Setting a higher transmitter power increases the access point's range.
PAGE 347
Configuring Wireless Networks In this field… Do this… Antenna Selection Multipath distortion is caused by the reflection of Radio Frequency (RF) signals traveling from the transmitter to the receiver along more than one path. Signals that were reflected by some surface reach the receiver after non-reflected signals and distort them. Safe@Office appliances avoid the problems of multipath distortion by using an antenna diversity system.
PAGE 348
Configuring Wireless Networks In this field… Do this… RTS Threshold Type the smallest IP packet size for which a station must send an RTS (Request To Send) before sending the IP packet. If multiple wireless stations are in range of the access point, but not in range of each other, they might send data to the access point simultaneously, thereby causing data collisions and failures. RTS ensures that the channel is clear before the each packet is sent.
PAGE 349
Configuring Wireless Networks In this field… Do this… WDS Specify whether to enable WDS links: • Disabled. WDS links are disabled. • Enabled. WDS links are enabled. For information on configuring WDS links, see Configuring Wireless Distribution System Links on page 338. This field appears only for Safe@Office 1000NW. C onfiguring Virtual Access Points You can partition the wireless network into wireless VLANs called virtual access points (VAPs).
PAGE 350
Configuring Wireless Networks To add or edit a VAP 1. Configure and enable the primary WLAN. For information on configuring the primary WLAN manually, see Manually Configuring a Wireless Network on page 321. For information on using a wizard to configure the primary WLAN, see Using the Wireless Wizard on page 314. 2. If you intend to use the 802.1x or WPA-Enterprise security mode for the VAP, do one of the following: • 3.
PAGE 351
Configuring Wireless Networks The Edit Network Settings page appears. 5. In the Network Name field, type a name for the VAP. 6. In the Type drop-down list, select Virtual Access Point.
PAGE 352
Configuring Wireless Networks New fields appear. The fields that appear depend on the hardware type. 7. In the Mode drop-down list, select Enabled. The fields are enabled. 8. In the IP Address field, type the IP address of the VAP network's default gateway. The VAP network must not overlap other networks. 9. In the Subnet Mask field, type the VAP's internal network range. 10. If desired, enable or disable Hide NAT. See Enabling/Disabling Hide NAT on page 199. 11. If desired, configure a DHCP server.
PAGE 353
Configuring Wireless Networks See Configuring a DHCP Server on page 200. 12. Complete the fields using the information in Basic Wireless Settings Fields on page 324. 13. To configure advanced settings, click Show Advanced Settings and complete the fields using the information in Advanced Wireless Settings Fields on page 329. New fields appear. The fields that appear depend on the hardware type. 14. Click Apply.
PAGE 354
Configuring Wireless Networks Note: Some wireless cards have "Infrastructure" and "Ad-hoc" modes. These modes are also called "Access Point" and "Peer to Peer". On the wireless client, choose the "Infrastructure" or "Access Point" mode. You can set the wireless cards to either "Long Preamble" or "Short Preamble".
PAGE 355
Configuring Wireless Networks b) If using Safe@Office1000NW, enable WDS links. For information on configuring these settings, see Manually Configuring a Wireless Network on page 321. 2. Click Network in the main menu, and click the My Network tab. The My Network page appears. 3. Click Add Network. The Edit Network Settings page appears. 4. In the Network Name field, type a name for the WDS link. 5. In the Type drop-down list, select Wireless Distribution System. New fields appear.
PAGE 356
Configuring Wireless Networks Note: This is the MAC address of the WLAN interface, not the WAN MAC address. To see your access point's WLAN MAC address, click Reports in the main menu, and then click Wireless. 7. Do one of the following: • 8. To create a bridged WDS link: 1) In the Mode drop-down list, select Bridged. The fields are enabled and additional fields appear. 2) Complete these fields as described in Bridged Network Fields on page 273.
PAGE 357
Configuring Wireless Networks New fields appear. The fields that appear depend on the hardware type. 12. Click Apply. Note: Both sides of the WDS link must use the same radio channel and security settings. Note: The access point can use any supported security protocol to communicate with wireless stations.
PAGE 358
Troubleshooting Wireless Connectivity Troubleshooting Wireless Connectivity I cannot connect to a wireless network from a wireless station. What should I do? • Check that the SSID configured on the station matches the Safe@Office appliance's SSID. The SSID is case-sensitive. • Check that the encryption settings configured on the station (encryption mode and keys) match the Safe@Office appliance's encryption settings.
PAGE 359
Troubleshooting Wireless Connectivity • Relocate the Safe@Office appliance to a place with better reception, and avoid obstructions, such as walls and electrical equipment. For example, try mounting the appliance in a high place with a direct line of sight to the wireless stations. • Check for interference with nearby electrical equipment, such as microwave ovens and cordless or cellular phones. • Check the Transmission Power parameter in the primary WLAN's advanced settings.
PAGE 360
Troubleshooting Wireless Connectivity parameter in the wireless network's advanced settings to a lower value. This will cause stations to use RTS for smaller IP packets, thus decreasing the likeliness of collisions. In addition, try setting the Fragmentation Threshold parameter in the wireless network's advanced settings to a lower value. This will cause stations to fragment IP packets of a certain size into smaller packets, thereby reducing the likeliness of collisions and increasing network speed.
PAGE 361
Viewing the Safe@Office Appliance Status Chapter 11 Viewing Reports This chapter describes the Safe@Office Portal reports. This chapter includes the following topics: Viewing the Safe@Office Appliance Status.............................................345 Using the Traffic Monitor.........................................................................352 Viewing Computers ..................................................................................357 Viewing Connections ............................
PAGE 362
Viewing the Safe@Office Appliance Status To view the Safe@Office appliance's current status 1. Click Reports in the main menu, and click the Status tab. The Status Monitor page appears. The page displays the information in the following table. 2. 346 To refresh the display, click Refresh.
PAGE 363
Viewing the Safe@Office Appliance Status Table 57: Status Monitor Fields This field… Displays… Device Information Information about the Safe@Office appliance. Product The licensed software and the number of allowed nodes. MAC Address The Safe@Office appliance's WAN MAC address. Firmware The currently installed firmware: • Main. The version of the primary firmware • Backup.
PAGE 364
Viewing the Safe@Office Appliance Status This field… Displays… Internet The Safe@Office appliance's overall Internet connection status. This can be any of the following: Icon Description OK. One or both Internet connections are connected. Idle. Both Internet connections are in “idle” state. Disabled. Both Internet connections are disabled. Connected with problems. One Internet connection is connected, and the other Internet connection is in “Establishing Connection” state. No connectivity.
PAGE 365
Viewing the Safe@Office Appliance Status This field… Displays… Antivirus The Safe@Office appliance's VStream Antivirus status. This can be any of the following: Icon Description Antivirus enabled. VStream Antivirus is enabled. Antivirus disabled. VStream Antivirus is disabled. Antivirus is enabled but no database is installed. VStream Antivirus is enabled; however, the VStream Antivirus databases are not installed. Services The Safe@Office appliance's Service Center connection status.
PAGE 366
Viewing the Safe@Office Appliance Status This field… Displays… HA The Safe@Office appliance's High Availability status. This can be any of the following: Icon Description Passive. High Availability is enabled, and this appliance is a Passive Gateway. Master. High Availability is enabled, and this appliance is the Active Gateway. Disabled. High Availability is disabled. Resource Utilization Safe@Office appliance resource utilization information.
PAGE 367
Viewing the Safe@Office Appliance Status This field… Displays… System Mem The percentage of system memory in use, followed by the amount in kilobytes. Configuration The percentage of configuration storage space in use out of the total amount of space allocated for configuration storage, followed by the amount in kilobytes. CPU The percentage of CPU in use.
PAGE 368
Using the Traffic Monitor Using the Traffic Monitor You can view incoming and outgoing traffic for selected network interfaces and QoS classes using the Traffic Monitor. This enables you to identify network traffic trends and anomalies, and to fine tune Traffic Shaper QoS class assignments. The Traffic Monitor displays separate bar charts for incoming traffic and outgoing traffic, and displays traffic rates in kilobits/second.
PAGE 369
Using the Traffic Monitor Viewing Traffic Reports To view a traffic report 1. Click Reports in the main menu, and click the Traffic tab. The Traffic Monitor page appears. 2. In the Traffic Monitor Report drop-down list, select the network interface for which you want to view a report. The list includes all currently enabled networks. For example, if the DMZ network is enabled, it will appear in the list. If Traffic Shaper is enabled, the list also includes the defined QoS classes.
PAGE 370
Using the Traffic Monitor 3. To refresh all traffic reports, click Refresh. 4. To clear all traffic reports, click Clear. Note: The firewall blocks broadcast packets used during the normal operation of your network. This may lead to a certain amount of traffic of the type "Traffic blocked by firewall" that appears under normal circumstances and usually does not indicate an attack.
PAGE 371
Using the Traffic Monitor The Traffic Monitor Settings page appears. 3. In the Sample monitoring data every field, type the interval (in seconds) at which the Safe@Office appliance should collect traffic data. The default value is one sample every 1800 seconds (30 minutes). 4. Click Apply.
PAGE 372
Using the Traffic Monitor Exporting General Traffic Reports You can export a general traffic report that includes information for all enabled networks and all defined QoS classes to a *.csv (Comma Separated Values) file. You can open and view the file in Microsoft Excel. To export a general traffic report 1. Click Reports in the main menu, and click the Traffic tab. The Traffic Monitor page appears. 2. Click Export. A standard File Download dialog box appears. 3. Click Save.
PAGE 373
Viewing Computers Viewing Computers This option allows you to view the currently active computers on your network. The computers are graphically displayed, each with its name, IP address, and settings (DHCP, Static, etc.). You can also view node limit information. To view the computers 1. Click Reports in the main menu, and click the My Computers tab. The Active Computers page appears. If you configured High Availability, both the master and backup appliances are shown.
PAGE 374
Viewing Computers blocked from accessing the Internet through the Safe@Office appliance, the reason why it was blocked is shown in red. If a network is bridged, the bridge's name appears in parentheses next to the network's name. If you are exceeding the maximum number of computers allowed by your license, a warning message appears, and the computers over the node limit are marked in red.
PAGE 375
Viewing Connections The Node Limit window appears with installed software product and the number of nodes used. b. Click Close to close the window. Viewing Connections This option allows you to view currently active connections between your networks, as well as those from your networks to the Internet. Note: The report does not display connections between bridged networks, where Firewall Between Members is disabled. To view the active connections 1.
PAGE 376
Viewing Connections The Connections page appears. The page displays the information in the following table. 2. To view information about a destination machine, click its IP address. The Safe@Office appliance queries the Internet WHOIS server, and a window displays the name of the entity to which the IP address is registered and their contact information. 3. To view information about a destination port, click the port. A window opens displaying information about the port. 4.
PAGE 377
Viewing Network Statistics Table 59: Connections Fields This field… Displays… Protocol The protocol used (TCP, UDP, and so on) Source IP The source IP address. Port The source port Destination IP The destination IP address. Port The destination port. QoS Class The QoS class to which the connection belongs (if Traffic Shaper is enabled) Options An icon indicating further details: • - The connection is encrypted. • - The connection is being scanned by VStream Antivirus.
PAGE 378
Viewing Network Statistics Viewing Network Statistics You can view statistics for each of the Safe@Office appliance's Internet connections, internal networks and bridges, using the Network Interface Monitor. Viewing General Network Statistics You can view general statistics for the Safe@Office appliance's network interfaces. To view general network statistics 1. Click Reports in the main menu, and click the Networks tab. The Networks page appears displaying general network statistics.
PAGE 379
Viewing Network Statistics 2. To refresh the display, click Refresh. Table 60: General Network Statistics This field… Displays… Total Networks The total number of internal networks. Total Sent The total number of sent packets on all network interfaces. Total Received The total number of received packets on all network interfaces. Viewing Internet Connection Statistics You can view statistics for the primary and secondary Internet connections. To view statistics for an Internet connection 1.
PAGE 380
Viewing Network Statistics The page displays statistics for the Internet connection. The following example shows statistics for the primary Internet connection. For information on the fields, see the following table. 3. To refresh the display, click Refresh.
PAGE 381
Viewing Network Statistics This field… Displays… Internet Mode The Internet connection method used Connected The connection duration, in the format hh:mm:ss, where: hh=hours mm=minutes ss=seconds Remote IP Address The IP address of the PPP peer. This field is only relevant for PPP-based Internet connections. Connection Probing Probing Method The connection probing method configured for the Internet connection ADSL These fields only appear for ADSL connections.
PAGE 382
Viewing Network Statistics This field… Displays… RF status These fields only appear for ADSL connections. Tx Power The local and remote transmission power in dB SNR Margin The local and remote Signal to Noise Ration (SNR) margin in dB. The SNR margin is the difference between the amount of noise received by the local/remote line end, and the amount of noise it can tolerate. Line Attenuation The local and remote line attenuation in dB.
PAGE 383
Viewing Network Statistics This field… Displays… Errors The total number of transmitted and received packets for which an error occurred Dropped The total number of transmitted and received packets that the firewall dropped Overruns The total number of transmitted and received packets that were lost, because they were sent or arrived more quickly that the appliance could handle Frame/Carrier The total number of frame alignment and carrier errors.
PAGE 384
Viewing Network Statistics Viewing Wired Network Statistics You can view statistics for wired network interfaces, including the LAN, DMZ, OfficeMode, tag-based VLANs, and port-based VLANs. To view statistics for a wired network 1. Click Reports in the main menu, and click the Networks tab. The Networks page appears. 2. In the tree, click on the wired network. The page displays statistics for the network. The following example shows statistics for the LAN.
PAGE 385
Viewing Network Statistics Table 62: Wired Network Statistics This field… Displays… Type The network's type. Status The network's current status (Enabled/Disabled). IP Address The appliance's current IP address on the network interface. MAC Address The appliance's MAC address on the network interface.
PAGE 386
Viewing Network Statistics Viewing Wireless Network Statistics If the primary WLAN is enabled, you can view wireless statistics for the primary WLAN and VAPs. To view statistics for the primary WLAN and VAPs 1. Click Reports in the main menu, and click the Networks tab. The Networks page appears. 2. In the tree, click on the wireless network's name. The page displays statistics for the network. For information on the fields, see the following table. 3. 370 To refresh the display, click Refresh.
PAGE 387
Viewing Network Statistics Table 63: Wireless Statistics This field… Displays… Type The network's type, in this case "Wireless" Status The network's current status (Enabled/Disabled) IP Address The IP address of the wireless network's default gateway MAC Address The MAC address of the wireless network interface Wireless Wireless Mode The operation mode used by the WLAN, followed by the transmission rate in Mbps Domain The Safe@Office access point's region Country The country configured for t
PAGE 388
Viewing Network Statistics This field… Displays… Missing Fragments The total number of packets missed during transmission and reception that were dropped, because fragments of the packet were lost Discarded Retries The total number of discarded retry packets that were transmitted and received Discarded Misc The total number of transmitted and received packets that were discarded for other reasons Viewing Bridge Statistics You can view statistics for bridges. To view statistics for a bridge 1.
PAGE 389
Viewing Network Statistics The page displays statistics for the bridge. For information on the fields, see the following table. 3. To view statistics for bridged networks, in the tree, expand the bridge's node. The page displays statistics for the bridged network. 4. To refresh the display, click Refresh.
PAGE 390
Viewing the Routing Table This field… Displays… Errors The total number of transmitted and received packets for which an error occurred Dropped The total number of transmitted and received packets that the firewall dropped Overruns The total number of transmitted and received packets that were lost, because they were sent or arrived more quickly that the appliance could handle Frame/Carrier The total number of frame alignment and carrier errors.
PAGE 391
Viewing the Routing Table The Routing Table page appears. The page displays the information in the following table. 2. To resize a column, drag the relevant column divider right or left. 3. To refresh the display, click Refresh.
PAGE 392
Viewing Wireless Station Statistics This field… Displays… Interface The interface for which the route is configured Origin The route's type: • Connected Route. A route to a network that is directly connected to the Safe@Office appliance • Static Route. A destination-based or service-based static route. See Using Static Routes on page 241. • Dynamic Route. A route obtained through a dynamic routing protocol, such as OSPF • Source Route. A source-based static route.
PAGE 393
Viewing Wireless Station Statistics Table 66: Wireless Station Statistics This field… Displays… Current Rate The current reception and transmission rate in Mbps Frames OK The total number of frames that were successfully transmitted and received Management The total number of transmitted and received management packets Control The total number of received control packets Errors The total number of transmitted and received frames for which an error occurred Dup ratio The percentage of frames re
PAGE 394
PAGE 395
Viewing the Event Log Chapter 12 Viewing Logs This chapter describes the Safe@Office appliance logs. This chapter includes the following topics: Viewing the Event Log .............................................................................379 Viewing the Security Log .........................................................................
PAGE 396
Viewing the Event Log To view the event log 1. Click Logs in the main menu, and click the Event Log tab. The Event Log page appears. The log table contains the columns described in Event Log Columns on page 382. The log messages are color-coded as described in Event Log Color Coding on page 383. 2. To navigate the log table, do any of the following: • 3. 4.
PAGE 397
Viewing the Event Log 5. To refresh the display, click Refresh. 6. To save the displayed events to an *.xls file: 7. Click Save. A standard File Download dialog box appears. b. Click Save. The Save As dialog box appears. c. Browse to a destination directory of your choice. d. Type a name for the configuration file and click Save. The *.xls file is created and saved to the specified directory. To copy log messages, do the following: a. a.
PAGE 398
Viewing the Event Log 8. If you are using Internet Explorer, and this is the first time that you copy logs, a dialog box asks you whether you want to allow the Safe@Office Portal to access your clipboard. In this case, click Allow access. The selected logs are copied to your clipboard. To clear all displayed events: a. b. Click Clear. A confirmation message appears. Click OK. All events are cleared. Table 67: Event Log Columns This column... Displays...
PAGE 399
Viewing the Security Log Table 68: Event Log Color Coding An event marked in Indicates… Red An error message Orange A warning message Blue An informational message this color… Viewing the Security Log The Security Log displays security-related events, including the following: • Connections logged by firewall rules • Connections logged by VStream Antivirus • Connection logged by VStream Antispam • Security events logged by SmartDefense • Web sites blocked by Web rules or the centralized We
PAGE 400
Viewing the Security Log To view the security log 1. Click Logs in the main menu, and click the Security Log tab. The Security Log page appears. The log table contains the columns described in Security Log Columns on page 387. The log messages are color-coded as described in Security Log Color Coding on page 389. 2. To display information about a connection source or destination, click the relevant IP address.
PAGE 401
Viewing the Security Log 4. To navigate the log table, do any of the following: • 5. To scroll through the displayed log page:  Use the scroll bars, or  Click on a log message and then press the UP and DOWN arrows on your keyboard. • To view the next log page, click Next. • To view the previous log page, click Back. To specify the number of logs to display per page, in the drop-down list at the bottom of the log table, select the desired number. 6.
PAGE 402
Viewing the Security Log The selected logs are highlighted in yellow. b. Press CTRL+C. If you are using Internet Explorer, and this is the first time that you copy logs, a dialog box asks you whether you want to allow the Safe@Office Portal to access your clipboard. In this case, click Allow access. The selected logs are copied to your clipboard. 10. To clear all displayed events: a. b. 386 Click Clear. A confirmation message appears. Click OK. All events are cleared.
PAGE 403
Viewing the Security Log Table 69: Security Log Columns This column... Displays... No The log message number Date The date on which the action occurred, in the format DD:MM:YYYY, where: DD=date MM=month, in abbreviated form YYYY=year Time The time at which the action occurred, in the format hh:mm:ss, where: hh=hour mm=minutes ss=seconds Dir An icon indicating the direction of the connection on which the firewall acted.
PAGE 404
Viewing the Security Log This column... Displays... Service The protocol and destination port used for the connection. Reason The reason the action was logged. Rule The number of the firewall rule that was executed. Net The internal network where the action occurred. Information Additional information about the logged action. Table 70: Security Log Actions Action Icon Description Connection Accepted The firewall accepted a connection.
PAGE 405
Viewing the Security Log Action Icon Description Potential Spam Detected An email was rejected as potential spam. Mail Allowed A non-spam email was logged. Blocked by VStream VStream Antivirus blocked a connection. Antivirus Table 71: Security Log Color Coding An event marked in Indicates… Red Connection attempts that were blocked by your firewall, by a security this color… policy downloaded from your Service Center, or by user-defined rules.
PAGE 406
PAGE 407
The Safe@Office Firewall Security Policy Chapter 13 Setting Your Security Policy This chapter describes how to set up your Safe@Office appliance security policy. You can enhance your security policy by subscribing to services such as Web Filtering and Email Filtering. For information on subscribing to services, see Using Subscription Services on page 591. This chapter includes the following topics: The Safe@Office Firewall Security Policy ..............................................
PAGE 408
The Safe@Office Firewall Security Policy Security Policy Implementation The key to implementing a network security policy is to understand that a firewall is simply a technical tool that reflects and enforces a network security policy for accessing network resources. A rule base is an ordered set of individual network security rules, against which each attempted connection is checked. Each rule specifies the source, destination, service, and action to be taken for each connection.
PAGE 409
Default Security Policy Default Security Policy The Safe@Office default security policy includes the following rules: • Access is blocked from the WAN (Internet) to all internal networks (LAN, DMZ, primary WLAN, VLANs, VAPs, and OfficeMode). • Access is allowed from the internal networks to the WAN, according to the firewall security level (Low/Medium/High). • Access is allowed from the LAN network to the other internal networks (DMZ, primary WLAN, VLANs, VAPs, and OfficeMode).
PAGE 410
Setting the Firewall Security Level Setting the Firewall Security Level The firewall security level can be controlled using a simple lever available on the Firewall page. You can set the lever to the following states. Table 72: Firewall Security Levels This Does this… Further Details Low Enforces basic control on All inbound traffic is blocked to the external incoming connections, while Safe@Office appliance IP address, except for permitting all outgoing ICMP echoes ("pings").
PAGE 411
Setting the Firewall Security Level This Does this… Further Details Block All Blocks all access between All inbound and outbound traffic is blocked between networks. the internal networks. level… This does not affect traffic to and from the gateway itself. The definitions of firewall security levels provided in this table represent the Safe@Office appliance’s default security policy. You can easily override the default security policy, by creating user-defined firewall rules.
PAGE 412
Setting the Firewall Security Level The Firewall page appears. 2. Drag the security lever to the desired level. The Safe@Office appliance security level changes accordingly.
PAGE 413
Configuring Servers Configuring Servers Note: If you do not intend to host any public Internet servers in your network (such as a Web Server, Mail Server, or an exposed host), you can skip this section. The Safe@Office appliance enables you to configure the following types of public Internet servers: • Servers for specific services You can allow all incoming connections of a specific service and forward them to a particular host in your network.
PAGE 414
Configuring Servers The Servers page appears, displaying a list of services and a host IP address for each allowed service. 2. Complete the fields using the information in the following table. 3. Click Apply. A success message appears.
PAGE 415
Configuring Servers Table 73: Servers Page Fields In this column… Do this… Allow Select the check box next to the public server you want to configure. This can be either of the following: Host IP • A specific service or application (rows 1-9) • An exposed host (row 10) Type the IP address of the computer that will run the service (one of your network computers), or click the corresponding This Computer button to allow your computer to host the service.
PAGE 416
Using Rules Using Rules The Safe@Office appliance checks the protocol used, the ports range, and the destination IP address, when deciding whether to allow or block traffic. User-defined rules have priority over the default security policy rules and provide you with greater flexibility in defining and customizing your security policy.
PAGE 417
Using Rules For example, if you want to block all outgoing FTP traffic, except traffic from a specific IP address, you can create a rule blocking all outgoing FTP traffic and move the rule down in the Rules table. Then create a rule allowing FTP traffic from the desired IP address and move this rule to a higher location in the Rules table than the first rule. In the figure below, the general rule is rule number 2, and the exception is rule number 1.
PAGE 418
Using Rules Table 74: Firewall Rule Types Rule Description Allow and This rule type enables you to do the following: Forward • Permit incoming traffic from the Internet to a specific service and destination IP address in your internal network and then forward all such connections to a specific computer in your network. Such rules are called NAT forwarding rules. For example, if the gateway has two public IP addresses, 62.98.112.1 and 62.98.112.
PAGE 419
Using Rules Rule Description Allow This rule type enables you to do the following: • Permit outgoing access from your internal network to a specific service on the Internet. Permit incoming access from the Internet to a specific service in your internal network. • Assign traffic to a QoS class.
PAGE 420
Using Rules Adding and Editing Firewall Rules To add or edit a firewall rule 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2. 404 Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click next to the desired rule.
PAGE 421
Using Rules The Safe@Office Firewall Rule wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Service dialog box appears. The example below shows an Allow and Forward rule.
PAGE 422
Using Rules 5. Complete the fields using the relevant information in the following table. 6. Click Next. The Step 3: Destination & Source dialog box appears. 7. To configure advanced settings, click Show Advanced Settings. New fields appear.
PAGE 423
Using Rules 8. Complete the fields using the relevant information in the following table. 9. Click Next. The Step 4: Rule Options dialog box appears. 10. Complete the fields using the relevant information in the following table. 11. Click Next.
PAGE 424
Using Rules The Step 5: Done dialog box appears. 12. If desired, type a description of the rule in the field provided. 13. Click Finish. The new rule appears in the Rules page. Table 75: Firewall Rule Fields In this field… Do this… Any Service Click this option to specify that the rule should apply to any service. Standard Service Click this option to specify that the rule should apply to a specific standard service or a network service object.
PAGE 425
Using Rules In this field… Do this… Protocol Select the protocol for which the rule should apply (ESP, GRE, TCP, UDP, ICMP, IGMP, or OSPF). To specify that the rule should apply for any protocol, select ANY. To specify a protocol by number, select Other. The Protocol Number field appears. Port Range To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box.
PAGE 426
Using Rules In this field… Do this… To specify the Safe@Office IP addresses, select This Gateway. To specify any destination except the Safe@Office Portal IP addresses, select ANY. If the current time Select this option to specify that the rule should be applied only during is certain hours of the day. You must then use the fields and drop-down lists provided, to specify the desired time range. Forward the Select the destination to which matching connections should be forwarded.
PAGE 427
Using Rules In this field… Do this… Log accepted Select this option to log the specified blocked or allowed connections. connections / Log blocked By default, accepted connections are not logged, and blocked connections are logged. You can modify this behavior by changing the check box's state. connections Enabling/Disabling Firewall Rules You can temporarily disable a user-defined rule. To enable/disable a firewall rule 1. Click Security in the main menu, and click the Rules tab.
PAGE 428
Using Rules Reordering Firewall Rules To reorder firewall rules 1. Click Security in the main menu, and click the Rules tab. The Rules page appears. 2. For each rule you want to move, click on the rule and drag it to the desired location in the table. Enabling/Disabling Firewall Rule Logging You can enable or disable logging for a firewall rule, by using the information in Adding and Editing Firewall Rules on page 404, or by using the following shortcut.
PAGE 429
Using Port-Based Security Viewing and Deleting Firewall Rules To view or delete an existing firewall rule 1. Click Security in the main menu, and click the Rules tab. The Rules page appears with a list of existing firewall rules. 2. To resize a column, drag the relevant column divider right or left. 3. To delete a rule, do the following. a. b. . In the desired rule's row, click A confirmation message appears. Click OK. The rule is deleted.
PAGE 430
Using Port-Based Security network, all users who authenticate successfully on that port are assigned to the DMZ network. When using a RADIUS server for authentication, you can assign authenticated users to specific network segments, by configuring dynamic VLAN assignment on the RADIUS server. Upon successful authentication, the RADIUS server sends RADIUS option 81 [Tunnel-Private-Group-ID] to the Safe@Office appliance, indicating to which network segment the user should be assigned.
PAGE 431
Using Port-Based Security Configuring Port-Based Security To configure 802.1x port-based security for a port 1. Do one of the following: • 2. To use the Safe@Office EAP authenticator for authenticating clients, follow the workflow Using the Safe@Office EAP Authenticator for Authentication of Wired Clients on page 435. You will be referred back to this procedure at the appropriate stage in the workflow, at which point you can continue from the next step.
PAGE 432
Using Port-Based Security The Ports page appears. 5. 416 Next to the desired port, click Edit.
PAGE 433
Using Port-Based Security The Port Setup page appears. 6. In the Port Security drop-down list, select 802.1x. The Quarantine Network, Authentication Server, and Allow multiple hosts fields are enabled. 7. Complete the fields using the information in the following table. 8. Click Apply. A warning message appears. 9. Click OK.
PAGE 434
Using Port-Based Security Table 76: Port-Based Security Fields In this field… Do this… Assign to network Specify how the Safe@Office appliance should handle users who authenticate successfully, by selecting one of the following: • A network name. All users who authenticate to this port successfully are assigned to the specified network. • From RADIUS. Use dynamic VLAN assignment to assign users to specific networks. This option is only relevant when using a RADIUS server.
PAGE 435
Using Secure HotSpot Resetting 802.1x Locking When 802.1x port-based security is configured for a LAN port, the first host that attempts to connect to this port is “locked” to the port. In order to connect a different computer to the port, you must first reset 802.1x locking. To reset 802.1x locking on all ports 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. 2. Click Reset 802.1x. A confirmation message appears. 3. Click OK. The 802.
PAGE 436
Using Secure HotSpot On this page, users must read and accept the My HotSpot terms of use, and if My HotSpot is configured to be password-protected, they must log in using their Safe@Office username and password. The users may then access the Internet or other corporate networks. Users can also log out in the My HotSpot page. Note: HotSpot users are automatically logged out after one hour of inactivity.
PAGE 437
Using Secure HotSpot My HotSpot page. For information on excluding network objects from HotSpot enforcement, see Using Network Objects on page 227. Important: SecuRemote/SecureClient/L2TP/Endpoint Connect VPN software users who are authenticated by the Internal VPN Server are automatically exempt from HotSpot enforcement. This allows, for example, authenticated employees to gain full access to the corporate LAN, while guest users are permitted to access the Internet only.
PAGE 438
Using Secure HotSpot Enabling/Disabling Secure HotSpot To enable/disable Secure HotSpot 1. Click Security in the main menu, and click the HotSpot tab. The My HotSpot page appears. 2. In the HotSpot Networks area, do one of the following: • • 422 To enable Secure HotSpot for a specific network, select the check box next to the network. To disable Secure HotSpot for a specific network, clear the check box next to the network.
PAGE 439
Using Secure HotSpot 3. Click Apply. Customizing Secure HotSpot To customize Secure HotSpot 1. Click Security in the main menu, and click the HotSpot tab. The My HotSpot page appears. 2. Complete the fields using the information in the following table. 3. To preview the My HotSpot page, click Preview. A browser window opens displaying the My HotSpot page. 4. Click Apply. Your changes are saved.
PAGE 440
Using NAT Rules In this field… Do this… My HotSpot Type the terms to which the user must agree before accessing the Internet. Terms You can use HTML tags as needed. My HotSpot is Select this option to require users to enter their username and password password- before accessing the Internet. protected If this option is not selected, users will be required only to accept the terms of use before accessing the network.
PAGE 441
Using NAT Rules Using NAT Rules Overview In an IP network, each computer is assigned a unique IP address that defines both the host and the network. A computer's IP address can be public and Internet-routable, or private and non-routable. Since IPv4, the current version of IP, provides only 32 bits of address space, available public IP addresses are becoming scarce, most having already been assigned.
PAGE 442
Using NAT Rules Supported NAT Rule Types The Safe@Office appliance enables you to define the following types of custom NAT rules: • Static NAT (or One-to-One NAT). Translation of an IP address range to another IP address range of the same size. This type of NAT rule allows the mapping of Internet IP addresses or address ranges to hosts inside the internal network. This is useful if you want each computer in your private network to have its own Internet IP addresses. • Hide NAT (or Many-to-One NAT).
PAGE 443
Using NAT Rules • Static NAT is configured for a network object (for information, see Using Network Objects on page 227) • NAT rules are received from the Service Center Implicitly defined NAT rules can only be edited or deleted indirectly. For example, in order to remove a NAT rule created when a certain network object was defined, you must modify the relevant network object.
PAGE 444
Using NAT Rules The Address Translation page appears. 2. 428 Do one of the following: • To add a new rule, click New. • To edit an existing rule, click next to the desired rule.
PAGE 445
Using NAT Rules The Address Translation wizard opens, with the Step 1 of 3: Original Connection Details dialog box displayed. 3. Complete the fields using the relevant information in the following table. 4. Click Next. The Step 2 of 3: Translations to Perform dialog box appears. 5. Complete the fields using the relevant information in the following table.
PAGE 446
Using NAT Rules 6. Click Next. The Step 3 of 3: Save Address Translation dialog box appears. 7. If desired, type a description of the rule in the field provided. 8. Click Finish. The new rule appears in the Address Translation page. Table 78: Address Translation Wizard Fields Field Description The source is Select the original source of the connections you want to translate. This list includes network objects.
PAGE 447
Using NAT Rules Field Description And the Select the original destination of the connections you want to translate. This destination is list includes network objects. To specify an IP address, select Specified IP and type the desired IP address in the text box. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. To specify the Safe@Office IP addresses, select This Gateway.
PAGE 448
Using NAT Rules Field Description Change the Select the new destination to which the original destination should be destination to translated. This list includes network objects. To specify an IP address, select Specified IP and type the desired IP address in the field provided. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. To specify that the original destination should not be translated, select Don't Change.
PAGE 449
Using the EAP Authenticator b. Click OK. The rule is deleted. Using the EAP Authenticator Wi-Fi Protected Access Enterprise (WPA-Enterprise) and 802.1x are Network Access Control (NAC) protocols that can be used to authenticate users connecting to the Check Point Safe@Office appliance. Both WPA-Enterprise and 802.1x can be used to control access to the wireless network; however, WPA-Enterprise has the added capability of encrypting transmitted data, and 802.
PAGE 450
Using the EAP Authenticator Workflows The Safe@Office built-in EAP authenticator can be used to authenticate wireless clients or wired clients connecting to appliance ports. Using the EAP Authenticator for Authentication of Wireless Clients To use the EAP authenticator for authentication of wireless clients 1. Configure the Safe@Office appliance as follows: a. Configure the desired wireless network for use with the EAP authenticator.
PAGE 451
Using the EAP Authenticator 2. See Adding and Editing Users on page 680. e. Provide each of the users with the authentication credentials you configured for them. Configure each wireless client as follows: a. 3. Configure the client for server authentication. See Configuring Clients for Server Authentication on Wireless Connections on page 436. b. Install the Safe@Office appliance's CA certificate as a trusted root CA. See Installing the Safe@Office Appliance's CA Certificate on Clients on page 442.
PAGE 452
Using the EAP Authenticator 2. instructions on generating a self-signed certificate, see Generating a Certificate on page 660.  A certificate received from the Service Center. c. Export the Safe@Office appliance's CA certificate. See Exporting the Safe@Office Appliance CA Certificate on page 669. d. For each client that should be allowed to connect to the Safe@Office appliance, add a user with Network Access permissions to the local user database. See Adding and Editing Users on page 680. e.
PAGE 453
Using the EAP Authenticator If the Choose a Wireless Network screen appears, click Change Advanced Settings. • If you are already connected to a wireless network, click Properties. The Wireless Network Connection Properties dialog box appears displaying the General tab. • 5. Click the Wireless Networks tab. The Wireless Networks tab appears. 6. Click Add and add your network. The Wireless network properties dialog box appears displaying the Association tab.
PAGE 454
Using the EAP Authenticator 7. In the Network name (SSID) field, type the Safe@Office appliance wireless network name. 8. In the Network Authentication drop-down list, select WPA. Note: You must select WPA, regardless of whether the Safe@Office appliance is configured to use the WPA-Enterprise or 802.1x security protocol. 9. In the Data encryption drop-down list, select AES. 10. Click the Authentication tab. The Authentication tab appears. 11.
PAGE 455
Using the EAP Authenticator The Protected EAP Properties dialog box appears. 14. Make sure that the Validate server certificate check box is selected. 15. In the Select Authentication Method drop-down list, select Secured password (EAP-MSCHAP v2). 16. If the user credentials for connecting to the Safe@Office appliance differ from the user credentials for connecting to Windows, do the following: a. Click Configure. The EAP MSCHAPv2 Properties dialog box appears. b. Clear the check box. c. Click OK. 17.
PAGE 456
Using the EAP Authenticator Configuring Clients for Server Authentication on Wired Connections To configure a Microsoft Windows client for server authentication 1. In the START menu, click Control Panel. 2. Click Network Connections. 3. Right-click on Local Area Connection, and click Properties in the popup menu that appears. The Local Area Connection Properties dialog box appears displaying the General tab. 4. Click the Authentication tab. The Authentication tab appears. 5.
PAGE 457
Using the EAP Authenticator The Protected EAP Properties dialog box appears. 9. Make sure that the Validate server certificate check box is selected. 10. In the Select Authentication Method drop-down list, select Secured password (EAP-MSCHAP v2). 11. If the user credentials for connecting to the Safe@Office appliance differ from the user credentials for connecting to Windows, do the following: a. Click Configure. The EAP MSCHAPv2 Properties dialog box appears. b. Clear the check box. c. Click OK. 12.
PAGE 458
Using the EAP Authenticator Installing the Safe@Office Appliance's CA Certificate on Clients To install the Safe@Office appliance's CA certificate on a Microsoft Windows client 1. On the client, right-click on the Safe@Office appliance's CA certificate you exported, and click Install PFX in the pop-up menu that appears. For information on exporting the CA certificate, see Exporting the Safe@Office Appliance CA Certificate on page 669.
PAGE 459
Using the EAP Authenticator The File to Import dialog box appears. 3. Browse to the Safe@Office appliance's CA certificate (*.p12 file). 4. Click Next. The Password dialog box appears. Do not type a password. 5. Click Next.
PAGE 460
Using the EAP Authenticator The Certificate Store dialog box appears. 6. Click Automatically select the certificate store based on the type of certificate. 7. Click Next. The Completing the Certificate Import Wizard screen appears. 8. 444 Click Finish.
PAGE 461
Using the EAP Authenticator If the Safe@Office appliance certificate was self-signed, a warning message appears. Do the following: Click Yes. A success message appears. b. Click OK. To check that the certificate was successfully installed as a trusted root CA, do the following: a. 9. a. b. c. On the client, open Internet Explorer. In the Tools menu, click Internet Options. The Internet Options dialog box appears displaying the General tab. Click the Content tab. The Content tab appears.
PAGE 462
Using the EAP Authenticator d. e. f. g. 446 Click Certificates. The Certificates dialog box appears. Click the Trusted Root Certification Authorities tab. The Trusted Root Certification Authorities tab appears. In the list, locate the Safe@Office appliance's CA certificate. The certificate's name is in the format CA-, where is the Safe@Office appliance's MAC address or gateway name. To view further information about the certificate, double-click on it.
PAGE 463
Using the EAP Authenticator The Certificate dialog box appears with additional information. Connecting Wireless Clients to the Safe@Office Appliance To connect a Microsoft Windows wireless client to the Safe@Office appliance with WPA Enterprise authentication 1. In the START menu, click Control Panel. 2. Click Network Connections. A list of wireless networks appears. 3. Select the Safe@Office appliance wireless network. 4. Click Connect. A popup message appears asking you to supply credentials.
PAGE 464
Using the EAP Authenticator The Enter Credentials dialog box appears. 6. Type the Network Access user's user name and password in the fields provided. 7. Click OK. The wireless client attempts to connect to the network. Upon successful connection, the client indicates that it is connected to the network.
PAGE 465
Overview Chapter 14 Using SmartDefense This chapter explains how to use Check Point SmartDefense Services. This chapter includes the following topics: Overview ..................................................................................................449 Configuring SmartDefense .......................................................................450 SmartDefense Categories .........................................................................458 Resetting SmartDefense to its Defaults ........
PAGE 466
Configuring SmartDefense Configuring SmartDefense You can configure SmartDefense using the following tools: • SmartDefense Wizard. Resets all SmartDefense settings to their defaults, and then creates a SmartDefense security policy according to your network and security preferences. See Using the SmartDefense Wizard on page 450. • SmartDefense Tree. Enables you to fine tune individual settings in the SmartDefense policy. You can use the SmartDefense tree instead of, or in addition to, the wizard.
PAGE 467
Configuring SmartDefense The SmartDefense page appears. 2. Click SmartDefense Wizard.
PAGE 468
Configuring SmartDefense The SmartDefense Wizard opens, with the Step 1: SmartDefense Level dialog box displayed. 3. Drag the lever to the desired level of SmartDefense enforcement. For information on the levels, see the following table. 4. Click Next. The Step 2: Application Intelligence Server Types dialog box appears.
PAGE 469
Configuring SmartDefense 5. Select the check boxes next to the types of public servers that are running on your network. 6. Click Next. The Step 3: Application Blocking dialog box appears. 7. Select the check boxes next to the types of applications you want to block from running on your network. 8. Click Next.
PAGE 470
Configuring SmartDefense The Step 4: Confirmation dialog box appears. 9. Click Finish. Existing SmartDefense settings are cleared, and the security policy is applied.
PAGE 471
Configuring SmartDefense Table 79: SmartDefense Security Levels This level… Does this… Minimal Disables all SmartDefense protections, except those that cannot be disabled. Normal Enables the following: • Teardrop • Ping of Death • LAND • Packet Sanity • Max Ping Size (set to 1500) • Welchia • Cisco IOS • Null Payload • IGMP • Small PMTU (Log Only) This level blocks the most common attacks.
PAGE 472
Configuring SmartDefense Using the SmartDefense Tree For convenience, SmartDefense is organized as a tree, in which each branch represents a category of settings. When a category is expanded, the settings it contains appear as nodes. For information on each category and the nodes it contains, see SmartDefense Categories on page 458. Each node represents an attack type, a sanity check, or a protocol or service that is vulnerable to attacks.
PAGE 473
Configuring SmartDefense To configure a SmartDefense node 1. Click Security in the main menu, and click the SmartDefense tab. The SmartDefense page appears. The left pane displays a tree containing SmartDefense categories. 2. • To expand a category, click the icon next to it. • To collapse a category, click the icon next to it. Expand the relevant category, and click on the desired node. The right pane displays a description of the node, followed by fields. 3.
PAGE 474
SmartDefense Categories Click Default. A confirmation message appears. b) Click OK. The fields are reset to their default values, and your changes are saved.
PAGE 475
SmartDefense Categories • Ping of Death on page 460 • Teardrop on page 459 Teardrop In a Teardrop attack, the attacker sends two IP fragments, the latter entirely contained within the former. This causes some computers to allocate too much memory and crash. You can configure how Teardrop attacks should be handled. Table 80: Teardrop Fields In this field… Do this… Action Specify what action to take when a Teardrop attack occurs, by selecting one of the following: Track • Block. Block the attack.
PAGE 476
SmartDefense Categories Ping of Death In a Ping of Death attack, the attacker sends a fragmented PING request that exceeds the maximum IP packet size (64KB). Some operating systems are unable to handle such requests and crash. You can configure how Ping of Death attacks should be handled. Table 81: Ping of Death Fields In this field… Do this… Action Specify what action to take when a Ping of Death attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default.
PAGE 477
SmartDefense Categories LAND In a LAND attack, the attacker sends a SYN packet, in which the source address and port are the same as the destination (the victim computer). The victim computer then tries to reply to itself and either reboots or crashes. You can configure how LAND attacks should be handled. Table 82: LAND Fields In this field… Do this… Action Specify what action to take when a LAND attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default.
PAGE 478
SmartDefense Categories Non-TCP Flooding Advanced firewalls maintain state information about connections in a State table. In NonTCP Flooding attacks, the attacker sends high volumes of non-TCP traffic. Since such traffic is connectionless, the related state information cannot be cleared or reset, and the firewall State table is quickly filled up. This prevents the firewall from accepting new connections and results in a Denial of Service (DoS).
PAGE 479
SmartDefense Categories In this field… Do this… Max. Percent Type the maximum percentage of state table capacity allowed for non-TCP Non-TCP Traffic connections. The default value is 10%. DDoS Attack In a distributed denial-of-service attack (DDoS attack), the attacker directs multiple hosts in a coordinated attack on a victim computer or network. The attacking hosts send large amounts of spurious data to the victim, so that the victim is no longer able to respond to legitimate service requests.
PAGE 480
SmartDefense Categories Table 84: Distributed Denial of Service Fields In this field… Do this… Action Specify what action to take when a DDoS attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log DDoS attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
PAGE 481
SmartDefense Categories Packet Sanity Packet Sanity performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. You can configure whether logs should be issued for offending packets. Table 85: Packet Sanity Fields In this field… Do this… Action Specify what action to take when a packet fails a sanity test, by selecting one of the following: Track • Block. Block the packet. This is the default.
PAGE 482
SmartDefense Categories In this field… Do this… Disable relaxed The UDP length verification sanity check measures the UDP header length UDP length and compares it to the UDP header length specified in the UDP header. If verification the two values differ, the packet may be corrupted.
PAGE 483
SmartDefense Categories Max Ping Size PING (ICMP echo request) is a program that uses ICMP protocol to check whether a remote machine is up. A request is sent by the client, and the server responds with a reply echoing the client's data. An attacker can echo the client with a large amount of data, causing a buffer overflow. You can protect against such attacks by limiting the allowed size for ICMP echo requests.
PAGE 484
SmartDefense Categories IP Fragments When an IP packet is too big to be transported by a network link, it is split into several smaller IP packets and transmitted in fragments. To conceal a known attack or exploit, an attacker might imitate this common behavior and break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack.
PAGE 485
SmartDefense Categories Table 87: IP Fragments Fields In this field… Do this… Forbid IP Fragments Specify whether all fragmented packets should be dropped, by selecting one of the following: • True. Drop all fragmented packets. • False. No action. This is the default. Under normal circumstances, it is recommended to leave this field set to False. Setting this field to True may disrupt Internet connectivity, because it does not allow any fragmented packets.
PAGE 486
SmartDefense Categories Network Quota An attacker may try to overload a server in your network by establishing a very large number of connections per second. To protect against Denial Of Service (DoS) attacks, Network Quota enforces a limit upon the number of connections per second that are allowed from the same source IP address. You can configure how connections that exceed that limit should be handled.
PAGE 487
SmartDefense Categories In this field… Do this… Max. Type the maximum number of network connections allowed per second Connections/Second from the same source IP address. from Same Source IP The default value is 100. Set a lower threshold for stronger protection against DoS attacks. Note: Setting this value too low can lead to false alarms. Welchia The Welchia worm uses the MS DCOM vulnerability or a WebDAV vulnerability.
PAGE 488
SmartDefense Categories Table 89: Welchia Fields In this field… Do this… Action Specify what action to take when the Welchia worm is detected, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log Welchia worm attacks, by selecting one of the following: • Log. Log the attack. This is the default. • None. Do not log the attack.
PAGE 489
SmartDefense Categories Table 90: Cisco IOS DOS In this field… Do this… Action Specify what action to take when a Cisco IOS DOS attack occurs, by selecting one of the following: Track • Block. Block the attack. This is the default. • None. No action. Specify whether to log Cisco IOS DOS attacks, by selecting one of the following: Number of Hops to Protect • Log. Log the attack. This is the default. • None. Do not log the attack.
PAGE 490
SmartDefense Categories Null Payload Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts. You can configure how null payload ping packets should be handled. Table 91: Null Payload Fields In this field… Do this… Action Specify what action to take when null payload ping packets are detected, by selecting one of the following: Track • Block. Block the packets. This is the default. • None. No action.
PAGE 491
SmartDefense Categories Checksum Verification SmartDefense identifies any IP, TCP, or UDP packets with incorrect checksums. You can configure how these packets should be handled. Table 92: Checksum Verification Fields In this field… Do this… Action Specify what action to take when packets with incorrect checksums are detected, by selecting one of the following: Track • Block. Block the packets. This is the default. • None. No action.
PAGE 492
SmartDefense Categories TCP This category allows you to configure various protections related to the TCP protocol. It includes the following: • Flags on page 482 • Sequence Verifier on page 481 • Small PMTU on page 477 • Strict TCP on page 476 • SynDefender on page 479 Strict TCP Out-of-state TCP packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet.
PAGE 493
SmartDefense Categories Table 93: Strict TCP In this field… Do this… Action Specify what action to take when an out-of-state TCP packet arrives, by selecting one of the following: Track • Block. Block the packets. • None. No action. This is the default. Specify whether to log null payload ping packets, by selecting one of the following: • Log. Log the packets. This is the default. • None. Do not log the packets.
PAGE 494
SmartDefense Categories Table 94: Small PMTU Fields In this field… Do this… Action Specify what action to take when a packet is smaller than the Minimal MTU Size threshold, by selecting one of the following: Track • Block. Block the packet. • None. No action. This is the default. Specify whether to issue logs for packets are smaller than the Minimal MTU Size threshold, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs.
PAGE 495
SmartDefense Categories SynDefender In a SYN attack, the attacker sends many SYN packets without finishing the three-way handshake. This causes the attacked host to be unable to accept new connections. You can protect against this attack by specifying a maximum amount of time for completing handshakes. Table 95: SynDefender Fields In this field… Do this… Action Specify what action to take when a SYN attack occurs, by selecting one of the following: • Block. Block the packet. This is the default.
PAGE 496
SmartDefense Categories In this field… Do this… Log mode Specify upon which events logs should be issued, by selecting one of the following: • None. Do not issue logs. • Log per attack. Issue logs for each SYN attack. This is the default. • Log individual unfinished handshakes. Issue logs for each incomplete handshake. This field is only relevant if the Track field is set to Log.
PAGE 497
SmartDefense Categories Sequence Verifier The Safe@Office appliance examines each TCP packet's sequence number and checks whether it matches a TCP connection state. You can configure how the appliance handles packets that match a TCP connection in terms of the TCP session but have incorrect sequence numbers. Table 96: Strict TCP In this field… Do this… Action Specify what action to take when TCP packets with incorrect sequence numbers arrive, by selecting one of the following: Track • Block.
PAGE 498
SmartDefense Categories Flags The URG flag is used to indicate that there is urgent data in the TCP stream, and that the data should be delivered with high priority. Since handling of the URG flag is inconsistent between different operating systems, an attacker can use the URG flag to conceal certain attacks. You can configure how the URG flag should be handled.
PAGE 499
SmartDefense Categories Port Scan An attacker can perform a port scan to determine whether ports are open and vulnerable to an attack. This is most commonly done by attempting to access a port and waiting for a response. The response indicates whether or not the port is open. This category includes the following types of port scans: • Host Port Scan. The attacker scans a specific host's ports to determine which of the ports are open. • Sweep Scan.
PAGE 500
SmartDefense Categories Table 98: Port Scan Fields In this field… Do this… Number of ports SmartDefense detects ports scans by measuring the number of ports accessed accessed over a period of time. The number of ports accessed must exceed the Number of ports accessed value, within the number of seconds specified by the In a period of [seconds] value, in order for SmartDefense to consider the activity a scan.
PAGE 501
SmartDefense Categories In this field… Do this… Track Specify whether to issue logs for scans, by selecting one of the following: • Log. Issue logs. This is the default. • None. Do not issue logs. This is the default. Detect scans Specify whether to detect only scans originating from the Internet, by from Internet only selecting one of the following: • False. Do not detect only scans from the Internet. This is the default. • True. Detect only scans from the Internet.
PAGE 502
SmartDefense Categories FTP Bounce When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine. You can configure how FTP bounce attacks should be handled.
PAGE 503
SmartDefense Categories Block Known Ports You can choose to block the FTP server from connecting to well-known ports. Note: Known ports are published ports associated with services (for example, SMTP is port 25). This provides a second layer of protection against FTP bounce attacks, by preventing such attacks from reaching well-known ports.
PAGE 504
SmartDefense Categories Block Port Overflow FTP clients send PORT commands when connecting to the FTP sever. A PORT command consists of a series of numbers between 0 and 255, separated by commas. To enforce compliance to the FTP standard and prevent potential attacks against the FTP server, you can block PORT commands that contain a number greater than 255.
PAGE 505
SmartDefense Categories Blocked FTP Commands Some seldom-used FTP commands may compromise FTP server security and integrity. You can specify which FTP commands should be allowed to pass through the security server, and which should be blocked. To enable FTP command blocking • In the Action drop-down list, select Block. The FTP commands listed in the Blocked Commands box will be blocked. FTP command blocking is enabled by default.
PAGE 506
SmartDefense Categories To allow a specific FTP command 1. In the Blocked Commands box, select the desired FTP command. 2. Click Accept. The FTP command appears in the Allowed Commands box. 3. Click Apply. The FTP command will be allowed, regardless of whether FTP command blocking is enabled or disabled. HTTP This category allows you to configure various protections related to the HTTP protocol.
PAGE 507
SmartDefense Categories Table 102: Header Rejection Fields In this field… Do this… Action Specify what action to take when an HTTP header-based exploit is detected, by selecting one of the following: Track • Block. Block the attack. • None. No action. This is the default. Specify whether to log HTTP header-based exploits, by selecting one of the following: HTTP header values • Log. Log the attack. • None. Do not log the attack. This is the default. Select the HTTP header values to detect.
PAGE 508
SmartDefense Categories Table 103: Worm Catcher Fields In this field… Do this… Action Specify what action to take when an HTTP-based worm attack is detected, by selecting one of the following: Track • Block. Block the attack. • None. No action. This is the default. Specify whether to log HTTP-based worm attacks, by selecting one of the following: HTTP-based worm • Log. Log the attack. • None. Do not log the attack. This is the default. Select the worm patterns to detect.
PAGE 509
SmartDefense Categories Table 104: File Print and Sharing Fields In this field… Do this… Action Specify what action to take when a CIFS worm attack is detected, by selecting one of the following: Track • Block. Block the attack. • None. No action. This is the default. Specify whether to log CIFS worm attacks, by selecting one of the following: • • CIFS worm patterns list Log. Log the attack. None. Do not log the attack. This is the default. Select the worm patterns to detect.
PAGE 510
SmartDefense Categories IGMP This category includes the IGMP protocol. IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target a vulnerability in the multicast routing software/hardware used, by sending specially crafted IGMP packets. You can configure how IGMP attacks should be handled.
PAGE 511
SmartDefense Categories In this field… Do this… Specify whether to allow or block IGMP packets that are sent to nonmulticast addresses, by selecting one of the following: • Block. Block IGMP packets that are sent to non-multicast addresses. This is the default. • None. No action.
PAGE 512
SmartDefense Categories SIP The SmartDefense SIP Application Level Gateway (ALG) processes the SIP protocol, allows firewall and NAT traversal, and enables Traffic Shaper to operate on SIP connections. By default, the SIP ALG checks SIP sessions for RFC compliance. If desired, you can allow non-RFC-compliant SIP connections, so that VoIP devices that initiate non-standard SIP calls can communicate through the firewall.
PAGE 513
SmartDefense Categories H.323 H.323 telephony is used by various devices and applications, such as Microsoft Netmeeting. SmartDefense allows you to choose whether to disable or enable the H.323 Application Level Gateway (ALG), which allows firewall and NAT traversal of H.323 calls. Table 107: H.323 Fields In this field… Do this… Peer-to-peer Specify whether to enable H.323 support, by selecting one of the following: H.323 Support • Enabled. Enable H.323 support. • Disabled. Disabled H.323 support.
PAGE 514
SmartDefense Categories Peer-to-Peer SmartDefense can block peer-to-peer file-sharing traffic, by identifying the proprietary protocols and preventing the initial connection to the peer-to-peer networks. This prevents not only downloads, but also search operations. This category includes the following nodes: • BitTorrent • eMule • Gnutella • KaZaA • Winny Note: SmartDefense can detect peer-to-peer traffic regardless of the TCP port being used to initiate the session.
PAGE 515
SmartDefense Categories Table 108: Peer to Peer Fields In this field… Do this… Action Specify what action to take when a connection is attempted, by selecting one of the following: Track • Block. Block the connection. • None. No action. This is the default. Specify whether to log peer-to-peer connections, by selecting one of the following: • Log. Log the connection. • None. Do not log the connection. This is the default.
PAGE 516
SmartDefense Categories Instant Messaging Traffic SmartDefense can block instant messaging applications that use VoIP protocols, by identifying the messaging application's fingerprints and HTTP headers. This category includes the following nodes: • ICQ • MSN Messenger • Skype • Yahoo Note: SmartDefense can detect instant messaging traffic regardless of the TCP port being used to initiate the session. Note: Skype versions up to 2.0.0.103 are supported.
PAGE 517
SmartDefense Categories Table 109: Instant Messengers Fields In this field… Do this… Action Specify what action to take when a connection is attempted, by selecting one of the following: Track • Block. Block the connection. • None. No action. This is the default. Specify whether to log instant messenger connections, by selecting one of the following: • Log. Log the connection. • None. Do not log the connection. This is the default.
PAGE 518
SmartDefense Categories Games This category includes XBox LIVE. XBox 360 requires gateways hosting XBox LIVE games to use the "Open NAT" method rather than the normal "Strict NAT" method. Therefore, if you want to host online games on an XBox 360 console, you must first configure your Safe@Office appliance to use the "Open NAT" method.
PAGE 519
Resetting SmartDefense to its Defaults Resetting SmartDefense to its Defaults If desired, you can reset the SmartDefense security policy to its default settings. For information on the default value of each SmartDefense setting, see SmartDefense Categories on page 458. For information on resetting individual nodes in the SmartDefense tree to their default settings, see Using the SmartDefense Tree on page 456. To reset SmartDefense to its defaults 1.
PAGE 520
PAGE 521
Overview Chapter 15 Using Antivirus and Antispam Filtering This chapter explains how to use antivirus and antispam filtering. This chapter includes the following topics: Overview ..................................................................................................505 Using VStream Antivirus .........................................................................507 Using VStream Antispam .........................................................................
PAGE 522
Overview Point of Enforcement VStream Antivirus Email Antivirus VStream Antivirus scans for Email Antivirus is centralized, redirecting viruses in the Safe@Office traffic through the Service Center for gateway itself. scanning. You can use either antivirus solution, or both in conjunction. Antispam Filtering Solutions You can scan email messages for spam, by using VStream Antispam and/or the Email Antispam subscription service (part of the centralized Email Filtering service).
PAGE 523
Using VStream Antivirus Using VStream Antivirus The Safe@Office appliance includes VStream Antivirus, an embedded stream-based antivirus engine based on Check Point Stateful Inspection and Application Intelligence technologies, that performs virus scanning at the kernel level. VStream Antivirus scans files for malicious content on the fly, without downloading the files into intermediate storage.
PAGE 524
Using VStream Antivirus If a virus if found in VStream Antivirus does this... The protocol is detected IMAP • Terminates the connection The standard TCP port 143 • Replaces the virusinfected email with a message notifying the user that a virus was found • Rejects the virus-infected email with error code 554 • Sends a "Virus detected" message to the sender • Terminates the data connection • Sends a "Virus detected" message to the FTP client • Terminates the connection this protocol...
PAGE 525
Using VStream Antivirus Enabling/Disabling VStream Antivirus To enable/disable VStream Antivirus 1. Click Antivirus in the main menu, and click the Antivirus tab. The VStream Antivirus page appears. 2. Drag the On/Off lever upwards or downwards. VStream Antivirus is enabled/disabled for all internal network computers.
PAGE 526
Using VStream Antivirus Viewing VStream Antivirus Signature Database Information VStream Antivirus maintains two databases: a daily database and a main database. The daily database is updated frequently with the newest virus signatures. Periodically, the contents of the daily database are moved to the main database, leaving the daily database empty. This system of incremental updates to the main database allows for quicker updates and saves on network bandwidth.
PAGE 527
Using VStream Antivirus Configuring the VStream Antivirus Policy VStream Antivirus includes a flexible mechanism that allows the user to define exactly which traffic should be scanned, by specifying the protocol, ports, and source and destination IP addresses. VStream Antivirus processes policy rules in the order they appear in the Antivirus Policy table, so that rule 1 is applied before rule 2, and so on.
PAGE 528
Using VStream Antivirus The Safe@Office appliance will process rule 1 first, passing outgoing SMTP traffic from the specified IP address, and only then it will process rule 2, scanning all outgoing SMTP traffic. The following rule types exist: Table 115: VStream Antivirus Rule Types Rule Description Pass This rule type enables you to specify that VStream Antivirus should not scan traffic matching the rule.
PAGE 529
Using VStream Antivirus The Antivirus Policy page appears. 2. Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click Chapter 15: Using Antivirus and Antispam Filtering next to the desired rule.
PAGE 530
Using VStream Antivirus The VStream Policy Rule Wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Service dialog box appears. The example below shows a Scan rule.
PAGE 531
Using VStream Antivirus 5. Complete the fields using the relevant information in the following table. 6. Click Next. The Step 3: Destination & Source dialog box appears. 7. To configure advanced settings, click Show Advanced Settings. New fields appear.
PAGE 532
Using VStream Antivirus 8. Complete the fields using the relevant information in the following table. 9. Click Next. The Step 4: Done dialog box appears. 10. If desired, type a description of the rule in the field provided. 11. Click Finish. The new rule appears in the Antivirus Policy page. Table 116: VStream Antivirus Rule Fields In this field… Do this… Any Service Click this option to specify that the rule should apply to any service.
PAGE 533
Using VStream Antivirus In this field… Do this… Custom Service Click this option to specify that the rule should apply to a specific nonstandard service. The Protocol and Port Range fields are enabled. You must fill them in. Protocol Select the protocol (TCP, UDP, or ANY) for which the rule should apply. Port Range To specify the port range to which the rule applies, type the start port number in the left text box, and the end port number in the right text box.
PAGE 534
Using VStream Antivirus In this field… Do this… Data Direction Select the direction of connections to which the rule should apply: • Download and Upload data. The rule applies to downloaded and uploaded data. This is the default. • Download data. The rule applies to downloaded data, that is, data flowing from the destination of the connection to the source of the connection. • Upload data.
PAGE 535
Using VStream Antivirus Enabling/Disabling VStream Antivirus Rules You can temporarily disable a VStream Antivirus rule. To enable/disable a VStream Antivirus rule 1. Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears. 2. Next to the desired rule, do one of the following: • To enable the rule, click The button changes to • To disable the rule, click The button changes to . and the rule is enabled. . and the rule is disabled.
PAGE 536
Using VStream Antivirus Viewing and Deleting VStream Antivirus Rules To view or delete an existing VStream Antivirus rule 1. Click Antivirus in the main menu, and click the Policy tab. The Antivirus Policy page appears with a list of existing VStream Antivirus rules. 2. To resize a column, drag the relevant column divider right or left. 3. To delete a rule, do the following. a. b. . In the desired rule's row, click A confirmation message appears. Click OK. The rule is deleted.
PAGE 537
Using VStream Antivirus The Advanced Antivirus Settings page appears. 2. Complete the fields using the following table. 3. Click Apply. 4. To restore the default VStream Antivirus settings, do the following: Click Default. A confirmation message appears. b) Click OK. The VStream Antivirus settings are reset to their defaults. For information on the default values, refer to the following table.
PAGE 538
Using VStream Antivirus Table 117: Advanced Antivirus Settings Fields In this field… Do this… File Types Block potentially unsafe file Select this option to block all emails containing potentially unsafe types in email messages attachments.
PAGE 539
Using VStream Antivirus In this field… Do this… • WMA/WMV/ASF • RealMedia file • JPEG - only the header is scanned, and the rest of the file is skipped To view a list of safe file types, click Show next to this option. Selecting this option reduces the load on the gateway by skipping safe file types. This option is selected by default. Archive File Handling Maximum Nesting Level Type the maximum number of nested content levels that VStream Antivirus should scan.
PAGE 540
Using VStream Antivirus In this field… Do this… When archived file exceeds Specify how VStream Antivirus should handle files that exceed the limit or extraction fails Maximum nesting level or the Maximum compression ratio, and files for which scanning fails. Select one of the following: • Pass file without scanning. Scan only the number of levels specified, and skip the scanning of more deeply nested archives.
PAGE 541
Using VStream Antispam Updating VStream Antivirus When you are subscribed to the VStream Antivirus updates service, VStream Antivirus virus signatures are automatically updated, keeping security up-to-date with no need for user intervention. However, you can still check for updates manually, if needed. To update the VStream Antivirus virus signature database 1. Click Antivirus in the main menu, and click the Antivirus tab. The VStream Antivirus page appears. 2. Click Update Now.
PAGE 542
Using VStream Antispam attacks on your gateway or mail server. If you do not have a mail server in your network, there is no need to enable the IP Reputation engine. (If you do enable this engine anyway, it will have no negative effects.) • Block List VStream Antispam allows configuring a list of senders whose emails should be blocked. When an email reaches your mail server, the Block List engine determines whether the sender's email address appears on the list.
PAGE 543
Using VStream Antispam Detection Method IP Reputation Content Based Antispam and Examines the sender's IP address Content Based Antispam examines the Block List email's content, and Block List examines the email's Sender field.
PAGE 544
Using VStream Antispam How VStream Antispam Works Figure 36: VStream Antispam Flow VStream Antispam works as follows: 1. A TCP connection arrives at the SMTP port (TCP 25) or the POP3 port (TCP 110). 2. The connection is checked against the VStream Antispam policy, to determine whether it should be scanned. 3. If the IP Reputation engine is enabled, and the connection is an SMTP connection: a. b. c. 528 VStream Antispam sends the connection's source IP address to a VStream Antispam data center.
PAGE 545
Using VStream Antispam  4. 5. If the spam score exceeds the configured confidence level, VStream Antispam determines that the email is spam and handles it as specified by the IP Reputation engine's settings. d. VStream Antispam caches the results of the IP Reputation check. VStream Antispam checks whether the email sender appears on the Safe Sender List. If so, then the email is accepted. If the Block List engine is enabled: a. 6.
PAGE 546
Using VStream Antispam Header Marking VStream Antispam adds the following headers to each email that is scanned by the Content Based Antispam or Block List engine, but not blocked: • X-VStream-Spam-Level. Contains an integer between 0 and 100, where 100 indicates the highest likelihood that the email is spam. • X-VStream-Engine. The VStream Antispam engine, (either "Content Based Antispam" or "Block List") • X-Spam-Level.
PAGE 547
Using VStream Antispam Enabling/Disabling VStream Antispam You must enable at least one VStream Antispam engine in order for VStream Antispam to work. Once you have enabled the desired engines, you must configure them, using the relevant sections in this guide. To enable/disable VStream Antispam 1. Click Antispam in the main menu, and click the Antispam tab. The VStream Antispam page appears. 2. Complete the fields using the information in the following table.
PAGE 548
Using VStream Antispam Table 119: VStream Antispam Fields In this field… Do this… Content Based Specify the Content Based Antispam engine's mode, by dragging the lever Antispam to one of the following: • On. The Content Based Antispam engine is on. VStream Antispam will check email fingerprints against an online spam detection database. Emails that fail the check will be handled according to configured Content Based Antispam settings. • Monitor Only. The Content Based Antispam engine is on.
PAGE 549
Using VStream Antispam In this field… Do this… IP Reputation Specify the IP Reputation engine's mode for SMTP connections, by Checking dragging the lever to one of the following: • On. The IP Reputation engine is on. VStream Antispam will check the reputation of email senders against an online IP reputation database prior to accepting the TCP connection. Emails that fail the check will be handled according to configured IP Reputation settings. • Monitor Only. The IP Reputation engine is on.
PAGE 550
Using VStream Antispam This field… Displays... Spam The number of SMTP and POP3 email messages that the Content Based Antispam and Block List engines determined to be spam. Suspected Spam The number of SMTP and POP3 email messages that the Content Based Antispam and Block List engines determined to be suspected spam.
PAGE 551
Using VStream Antispam Configuring the Content Based Antispam Engine You can configure how VStream Antispam should handle spam and suspected spam that is detected by the Content Based Antispam engine. For information on enabling this engine, see Enabling/Disabling VStream Antispam on page 531. To configure Content Based Antispam engine settings 1. Click Antispam in the main menu, and click the Antispam tab. The VStream Antispam page appears. 2. Next to the Content Based Antispam lever, click Settings.
PAGE 552
Using VStream Antispam 4. Click Apply. Table 121: Content Based Antispam Settings Fields In this field… Do this… Spam Configure how VStream Antispam should handle spam that is detected using the Content Based Antispam engine. Action Specify the action VStream Antispam should take upon detecting spam, by selecting one of the following: • None. Take no action. • Reject. Block the email. The email will be permanently deleted. • Mark Subject. Mark the email's Subject line.
PAGE 553
Using VStream Antispam In this field… Do this… Track Specify whether VStream Antispam should log spam, by selecting one of the following: Confidence • Log. VStream Antispam should log spam. • None. VStream Antispam should not log spam. Type the minimum spam confidence level (SCL). If an email's SCL matches or exceeds this threshold, the email is considered spam. Setting a higher SCL reduces the number of legitimate emails erroneously identified as spam.
PAGE 554
Using VStream Antispam In this field… Do this… Money the Easy Way". The default value is [SUSPECTED SPAM]. Note: If your email client allows defining rules based on the Subject field, you can create rules specifying that emails whose Subject field contains certain words should be moved to specific folders. For example, you can configure your email client to move all emails whose Subject field contains [SUSPECTED SPAM] directly to a Quarantine folder.
PAGE 555
Using VStream Antispam Configuring the Block List Engine You can configure a list of email addresses and domain names that VStream Antispam should automatically block, if the Block List engine is enabled. For information on enabling the Block List engine, see Enabling/Disabling VStream Antispam on page 531. Adding Blocked Senders To add a blocked sender 1. Click Antispam in the main menu, and click the Antispam tab. The VStream Antispam page appears. 2. Next to the Block List lever, click Edit List.
PAGE 556
Using VStream Antispam The Blocked Sender List page appears. 3. Click Add. The Add Email to List dialog box appears. 4. In the field provided, do one of the following: • • 540 To block all email from a specific sender, type the sender's email address. To block all email from addresses ending with a specific domain, type the domain name. For example, if you type "@special-offers.com", then email addresses such as johns@special-offers.com and sarahm@special-offers.com will be blocked.
PAGE 557
Using VStream Antispam 5. Click OK. The sender appears in the Block Sender List table. Viewing and Deleting Blocked Senders To delete a blocked sender 1. Click Antispam in the main menu, and click the Antispam tab. The VStream Antispam page appears. 2. Next to the Block List lever, click Edit List. The Blocked Sender List page appears. 3. In the desired sender's row, click . The sender is deleted. Configuring the Block List Engine Settings To configure Block List engine settings 1.
PAGE 558
Using VStream Antispam The Antispam Block List Settings page appears. 3. Complete the fields using the information in the following table. 4. Click Apply.
PAGE 559
Using VStream Antispam Table 122: Antispam Block List Settings Fields In this field… Do this… Block Action Specify the action VStream Antispam should take upon receiving an email from a blocked sender, by selecting one of the following: • None. Take no action. • Reject. Block the email. • Mark Subject. Mark the email's Subject line. If you select Mark Subject, the Mark Text field appears. Note: If the Block List engine is in Monitor Only mode, this setting is ignored.
PAGE 560
Using VStream Antispam Configuring the IP Reputation Engine You can configure how VStream Antispam should handle spam and suspected spam that is detected by the IP Reputation engine. For information on enabling this engine, see Enabling/Disabling VStream Antispam on page 531. To configure IP Reputation engine settings 1. Click Antispam in the main menu, and click the Antispam tab. The VStream Antispam page appears. 2. Next to the IP Reputation Checking lever, click Settings.
PAGE 561
Using VStream Antispam 4. Click Apply. Table 123: Antispam IP Reputation Settings Fields In this field… Do this… Spam Configure how VStream Antispam should handle spam that is detected using the IP Reputation engine. Action Specify the action VStream Antispam should take upon detecting spam, by selecting one of the following: • Reject. Block the email. • None. Take no action. Note: If the IP Reputation engine is in Monitor Only mode, this setting is ignored.
PAGE 562
Using VStream Antispam In this field… Do this… Action Specify the action VStream Antispam should take upon detecting potential spam, by selecting one of the following: • Reject. Block the email. • None. Take no action. Note: If the IP Reputation engine is in Monitor Only mode, this setting is ignored. For information on changing the engine's mode, see Enabling/Disabling VStream Antispam on page 531.
PAGE 563
Using VStream Antispam Configuring the VStream Antispam Policy VStream Antispam includes a flexible mechanism that allows the user to define exactly which emails should be scanned for spam and which should be considered safe, by specifying the protocol, and the source and destination IP addresses. VStream Antispam processes policy rules in the order they appear in the Antispam Policy table, so that rule 1 is applied before rule 2, and so on.
PAGE 564
Using VStream Antispam The Safe@Office appliance will process rule 1 first, passing outgoing SMTP traffic from the specified IP address, and only then it will process rule 2, scanning all outgoing SMTP traffic. The following rule types exist: Table 124: VStream Antispam Rule Types Rule Description Pass This rule type enables you to specify that VStream Antispam should allow all emails matching the rule, without scanning the emails.
PAGE 565
Using VStream Antispam The Antispam Policy page appears. 2. Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click Chapter 15: Using Antivirus and Antispam Filtering next to the desired rule.
PAGE 566
Using VStream Antispam The VStream Antispam Policy Rule Wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Destination & Source dialog box appears. 5. 550 Complete the fields using the relevant information in the following table.
PAGE 567
Using VStream Antispam 6. Click Next. The Step 3: Done dialog box appears. 7. If desired, type a description of the rule in the field provided. 8. Click Finish. The new rule appears in the Antispam Policy page. Table 125: VStream Antispam Policy Rule Wizard Fields In this field… Do this… If the email Select the email protocol to which the rule should apply. The supported protocol is protocols are SMTP and POP3. To specify both SMTP and POP3, select ANY.
PAGE 568
Using VStream Antispam In this field… Do this… The connection Select the source of the connections to which the rule should apply. source is To specify an IP address, select Specified IP and type the desired IP address in the field provided. To specify an IP address range, select Specified Range and type the desired IP address range in the fields provided. To specify connections originating from this gateway, select This Gateway. To specify any source except this gateway, select ANY.
PAGE 569
Using VStream Antispam Enabling/Disabling VStream Antispam Rules You can temporarily disable a VStream Antispam rule. To enable/disable a VStream Antispam rule 1. Click Antispam in the main menu, and click the Policy tab. The Antispam Policy page appears. 2. Next to the desired rule, do one of the following: • To enable the rule, click The button changes to • To disable the rule, click The button changes to . and the rule is enabled. . and the rule is disabled.
PAGE 570
Using VStream Antispam Viewing and Deleting VStream Antispam Rules To view or delete an existing VStream Antispam rule 1. Click Antispam in the main menu, and click the Policy tab. The Antispam Policy page appears with a list of existing VStream Antispam rules. 2. To resize a column, drag the relevant column divider right or left. 3. To delete a rule, do the following. a. b. . In the desired rule's row, click A confirmation message appears. Click OK. The rule is deleted.
PAGE 571
Using VStream Antispam The Safe Sender List page appears. 2. Click Add. The Add Email to List dialog box appears. 3. In the field provided, do one of the following: • • To allow all email from a specific sender, type the sender's email address. To allow all email from addresses ending with a specific domain, type the domain name. For example, if you type "@mycompany.com", then email addresses such as johns@mycompany.com and sarahm@mycompany.com will be allowed.
PAGE 572
Using VStream Antispam 4. Click OK. The sender appears in the Safe Senders table. Viewing and Deleting Safe Senders To view or delete a safe sender 1. Click Antispam in the main menu, and click the Safe Senders tab. The Safe Sender List page appears. 2. In the desired sender's row, click Erase. The sender is deleted.
PAGE 573
Using VStream Antispam Configuring VStream Antispam Advanced Settings To configure VStream Antispam advanced settings 1. Click Antispam in the main menu, and click the Advanced tab. The Advanced Antispam Settings page appears. 2. In the Track Non Spam Emails drop-down list, do one of the following: • 3. To specify that VStream Antispam should log email that is detected as legitimate mail, select Log.
PAGE 574
Using Centralized Email Filtering • 4. To specify that VStream Antivirus should not log email sent by addresses on the Safe Sender List, select None. Click Apply. Using Centralized Email Filtering There are two centralized Email Filtering services: • Email Antivirus When the Email Antivirus service is enabled, your email is automatically scanned for the detection and elimination of all known viruses and vandals. If a virus is detected, it is removed and replaced with a warning message.
PAGE 575
Using Centralized Email Filtering Enabling/Disabling Email Filtering To enable/disable Email Filtering 1. Click Services in the main menu, and click the Email Filtering tab. The Email Filtering page appears. 2. Next to Email Antivirus, drag the On/Off lever upwards or downwards. Email Antivirus is enabled/disabled.
PAGE 576
Using Centralized Email Filtering Selecting Protocols for Scanning If you are locally managed, you can define which protocols should be scanned for viruses and spam: • Email retrieving (POP3). If enabled, all incoming email in the POP3 protocol will be scanned. • Email sending (SMTP). If enabled, all outgoing email will be scanned. Protocols marked with will be scanned, while those marked with will not.
PAGE 577
Using Centralized Email Filtering 2. Next to the Bypass scanning if Service Center is unavailable option, specify how the gateway should handle Email Filtering when the service is enabled and the Service Center is unavailable, by doing do one of the following: • To temporarily block all email traffic, click . This ensures constant protection from spam and viruses. The button changes to • . To temporarily allow all email traffic, click .
PAGE 578
Using Centralized Email Filtering 3. • The Snooze button changes to Resume. • The Email Filtering Off popup window opens. To re-enable Email Antivirus and Email Antispam, click Resume, either in the popup window, or on the Email Filtering page. • • • 562 The services are re-enabled for all internal network computers. If you clicked Resume in the Email Filtering page, the button changes to Snooze. If you clicked Resume in the Email Filtering Off popup window, the popup window closes.
PAGE 579
Using Centralized Email Filtering Chapter 15: Using Antivirus and Antispam Filtering 563
PAGE 580
PAGE 581
Overview Chapter 16 Using Web Content Filtering This chapter explains how to use Web content filtering. This chapter includes the following topics: Overview ..................................................................................................565 Using Web Rules ......................................................................................567 Using Web Filtering .................................................................................575 Customizing the Access Denied Page .....
PAGE 582
Overview Web Rules Web Filtering Subscription and Web rules are included with the The Web Filtering service is subscription- Connection Safe@Office appliance and do based and requires a connection to the Requirement not require a Service Center Service Center. subscription or connection. You can use either Web content filtering solution or both in conjunction. When a user attempts to access a Web site, the Safe@Office appliance first evaluates the Web rules.
PAGE 583
Using Web Rules Using Web Rules You can block or allow access to specific Web pages, by defining Web rules. Note: Web rules affect outgoing traffic only and cannot be used to allow or limit access from the Internet to internal Web servers. The Safe@Office appliance processes Web rules in the order they appear in the Web Rules table, so that rule 1 is applied before rule 2, and so on. This enables you to define exceptions to rules, by placing the exceptions higher up in the Web Rules table.
PAGE 584
Using Web Rules The Safe@Office appliance will process rule 1 first, allowing access to the desired page, and only then it will process rule 2, blocking access to the rest of the site. The following rule types exist: Table 127: Web Rule Types Rule Description Allow This rule type enables you to specify that a specific Web page should be allowed. Block This rule type enables you to specify that a specific Web page should be blocked. Adding and Editing Web Rules To add or edit a Web rule 1.
PAGE 585
Using Web Rules The Web Rules page appears. 2. Do one of the following: • To add a new rule, click Add Rule. • To edit an existing rule, click Chapter 16: Using Web Content Filtering next to the desired rule.
PAGE 586
Using Web Rules The Safe@Office Web Rule Wizard opens, with the Step 1: Rule Type dialog box displayed. 3. Select the type of rule you want to create. 4. Click Next. The Step 2: Rule Location dialog box appears.
PAGE 587
Using Web Rules The example below shows a Block rule. 5. To configure advanced settings, click Show Advanced Settings. New fields appear. 6. Complete the fields using the relevant information in the following table. 7. Click Next.
PAGE 588
Using Web Rules The Step 3: Confirm Rule dialog box appears. 8. Click Finish. The new rule appears in the Web Rules page. Table 128: Web Rules Fields In this field… Do this… Block/Allow Type the URL or IP address to which the rule should apply. access to the following URL Wildcards (*) are supported. For example, to block all URLs that start with "http://www.casino-", set this field's value to: http://www.
PAGE 589
Using Web Rules In this field… Do this… Log allowed Select this option to log the specified blocked or allowed connections. connections / Log blocked By default, allowed Web pages are not logged, and blocked Web pages are logged. connections If the connection Select the source of the connections you want to allow/block. This list source is includes network objects. To specify an IP address, select Specified IP and type the desired IP address in the field provided.
PAGE 590
Using Web Rules Viewing and Deleting Web Rules To view or delete an existing Web rule 1. Click Security in the main menu, and click the Web Rules tab. The Web Rules page appears with a list of existing Web rules. 2. To resize a column, drag the relevant column divider right or left. 3. To delete a rule, do the following. a. b. . In the desired rule's row, click A confirmation message appears. Click OK. The rule is deleted.
PAGE 591
Using Web Filtering Using Web Filtering When the Web Filtering service is enabled, access to Web content is restricted according to the categories specified in the Allow Categories area of the Web Filtering page. Note: The Web Filtering service is only available if you are connected to a Service Center and subscribed to this service. For information on using subscription services, see Using Subscription Services on page 591. Enabling/Disabling Web Filtering To enable/disable Web Filtering 1.
PAGE 592
Using Web Filtering The Web Filtering page appears. 2. Drag the On/Off lever upwards or downwards. Web Filtering is enabled/disabled.
PAGE 593
Using Web Filtering Selecting Categories for Blocking You can define which types of Web sites should be considered appropriate for your family will remain or office members, by selecting the categories. Categories marked with visible, while categories marked with will be blocked and will require the administrator password for viewing. Note: If the Safe@Office appliance is remotely managed, contact your Service Center administrator to change these settings.
PAGE 594
Using Web Filtering 2. Next to the Bypass scanning if Service Center is unavailable option, specify how the gateway should handle Web Filtering when the service is enabled and the Service Center is unavailable, by doing do one of the following: • To temporarily block all connections to the Internet, click . This ensures that users will not gain access to undesirable Web sites, even when the Service Center is unavailable. The button changes to • .
PAGE 595
Using Web Filtering 3. • The Snooze button changes to Resume. • The Web Filtering Off popup window opens. To re-enable the service, click Resume, either in the popup window, or on the Web Filtering page.
PAGE 596
Using Web Filtering • • • The service is re-enabled for all internal network computers. If you clicked Resume in the Web Filtering page, the button changes to Snooze. If you clicked Resume in the Web Filtering Off popup window, the popup window closes. Configuring Automatic Snooze You can automatically disable the Web Filtering service during certain hours of the day, by configuring Automatic Snooze. To configure Automatic Snooze 1. Click Services in the main menu, and click the Web Filtering tab.
PAGE 597
Using Web Filtering The Web Filtering Automatic Snooze Settings page appears. 3. Do one of the following: • 4. To enable Automatic Snooze: 1) Select the Automatic Snooze check box. 2) In the fields provided, specify the hours between which the Web Filtering service should be disabled. • To disable Automatic Snooze, clear the Automatic Snooze check box. Click Apply. Automatic Snooze is enabled/disabled.
PAGE 598
Customizing the Access Denied Page Resetting Web Filtering Categories to Defaults If desired, you can reset the Web Filtering categories to their default settings. To restore Web Filtering defaults 1. Click Services in the main menu, and click the Web Filtering tab. The Web Filtering page appears. 2. Click Defaults A confirmation message appears. 3. Click OK.
PAGE 599
Customizing the Access Denied Page The Customize Access Denied Page page appears. In the following example, this page was accessed via the Web Rules page. 3. In the text box, type the message that should appear when a user attempts to access a blocked Web page. You can use HTML tags as needed. 4. To display the Access Denied page using HTTPS, select the Use HTTPS check box. 5. To preview the Access Denied page, click Preview. A browser window opens displaying the Access Denied page. 6. Click Apply.
PAGE 600
PAGE 601
Overview Chapter 17 Updating the Firmware This chapter explains how to update the Safe@Office appliance's firmware. This chapter includes the following topics: Overview ..................................................................................................585 Using Software Updates ...........................................................................586 Updating the Firmware Manually.............................................................
PAGE 602
Using Software Updates Using Software Updates Checking for Software Updates when Remotely Managed If your Safe@Office appliance is remotely managed, it automatically checks for software updates and installs them without user intervention. However, you can still check for updates manually, if needed. To manually check for security and software updates 1. Click Services in the main menu, and click the Software Updates tab. The Software Updates page appears. 2. 586 Click Update Now.
PAGE 603
Using Software Updates The system checks for new updates and installs them. Checking for Software Updates when Locally Managed If your Safe@Office appliance is locally managed, you can set it to automatically check for software updates, or you can set it so that software updates must be checked for manually. To configure software updates when locally managed 1. Click Services in the main menu, and click the Software Updates tab. The Software Updates page appears. 2.
PAGE 604
Updating the Firmware Manually Note: When the Software Updates service is set to Automatic, you can still manually check for updates. 3. To set the Safe@Office appliance so that software updates must be checked for manually, drag the Automatic/Manual lever downwards. The Safe@Office appliance does not check for software updates automatically. 4. To manually check for software updates, click Update Now. The system checks for new updates and installs them.
PAGE 605
Updating the Firmware Manually The Firmware Update page appears. 3. Click Browse. A browse window appears. 4. Select the image file and click Open. The Firmware Update page reappears. The path to the firmware update image file appears in the Browse text box. 5. Click Upload. Your Safe@Office appliance firmware is updated. Updating may take a few minutes. Do not power off the appliance. At the end of the process the Safe@Office appliance restarts automatically.
PAGE 606
PAGE 607
Connecting to a Service Center Chapter 18 Using Subscription Services This chapter explains how to connect your Safe@Office appliance to a Service Center and start subscription services. Note: Check with your reseller regarding availability of subscription services, or surf to www.sofaware.com/servicecenters to locate a Service Center in your area. This chapter includes the following topics: Connecting to a Service Center ...............................................................
PAGE 608
Connecting to a Service Center The Account page appears. 2. 592 In the Service Account area, click Connect.
PAGE 609
Connecting to a Service Center The Safe@Office Services Wizard opens, with the Service Center dialog box displayed. 3. Make sure the Connect to a Service Center check box is selected. 4. Do one of the following: 5. To connect to the SofaWare Service Center, choose usercenter.sofaware.com. To specify a Service Center, choose Specified IP and then in the Specified IP field, enter the desired Service Center’s IP address, as given to you by your system administrator. Click Next.
PAGE 610
Connecting to a Service Center • • • 594 If the Service Center requires authentication, the Service Center Login dialog box appears. Enter your gateway ID and registration key in the appropriate fields, as given to you by your service provider, then click Next. The Connecting screen appears. The Confirmation dialog box appears with a list of services to which you are subscribed.
PAGE 611
Connecting to a Service Center 6. Click Next. The Done screen appears with a success message. 7. Click Finish. The following things happen: • • If a new firmware is available, the Safe@Office appliance may start downloading it. This may take several minutes. Once the download is complete, the Safe@Office appliance restarts using the new firmware. The Welcome page appears.
PAGE 612
Connecting to a Service Center 596 • The services to which you are subscribed are now available on your Safe@Office appliance and listed as such on the Account page. See Viewing Services Information on page 597 for further information. • The Services submenu includes the services to which you are subscribed.
PAGE 613
Viewing Services Information Viewing Services Information The Account page displays the following information about your subscription. Table 129: Account Page Fields This field… Displays… Service Center The name of the Service Center to which you are connected (if known). Name Gateway ID Your gateway ID. Subscription will The date on which your subscription to services will end. end on Service The services available in your service plan.
PAGE 614
Refreshing Your Service Center Connection Refreshing Your Service Center Connection This option restarts your Safe@Office appliance’s connection to the Service Center and refreshes your Safe@Office appliance’s service settings. To refresh your Service Center connection 1. Click Services in the main menu, and click the Account tab. The Account page appears. 2. In the Service Account area, click Refresh. The Safe@Office appliance reconnects to the Service Center. Your service settings are refreshed.
PAGE 615
Configuring Your Account Configuring Your Account This option allows you to access your Service Center's Web site, which may offer additional configuration options for your account. Contact your Service Center for a user ID and password. To configure your account 1. Click Services in the main menu, and click the Account tab. The Account page appears. 2. In the Service Account area, click Configure. Note: If no additional settings are available from your Service Center, this button will not appear.
PAGE 616
Disconnecting from Your Service Center 4. Click Next. The Done screen appears with a success message. 5. Click Finish. The following things happen: • • 600 You are disconnected from the Service Center. The services to which you were subscribed are no longer available on your Safe@Office appliance.
PAGE 617
Overview Chapter 19 Working With VPNs This chapter describes how to use your Safe@Office appliance as a Remote Access VPN Client, server, or gateway. This chapter includes the following topics: Overview ..................................................................................................601 Setting Up Your Safe@Office Appliance as a VPN Server .....................607 Adding and Editing VPN Sites ................................................................
PAGE 618
Overview • SecuRemote Internal VPN Server. SecuRemote can also be used from your internal networks, allowing you to secure your wired or wireless network with strong encryption and authentication. • Endpoint Connect VPN Server. Makes a network available to authorized users who connect from the Internet or from your internal networks using the Check Point Endpoint Connect VPN Client.
PAGE 619
Overview Site-to-Site VPNs A Site-to-Site VPN consists of two or more Site-to-Site VPN Gateways that can communicate with each other in a bi-directional relationship. The connected networks function as a single network. You can use this type of VPN to mesh office branches into one corporate network.
PAGE 620
Overview To create a Site-to-Site VPN with two VPN sites 1. On the first VPN site’s Safe@Office appliance, do the following: a. 2. Define the second VPN site as a Site-to-Site VPN Gateway, using the procedure Adding and Editing VPN Sites on page 621. b. Enable a Remote Access VPN Server using the procedure Setting Up Your Safe@Office Appliance as a VPN Server on page 607. On the second VPN site’s Safe@Office appliance, do the following: a. b.
PAGE 621
Overview Remote Access VPNs A Remote Access VPN consists of one Remote Access VPN Server or Site-to-Site VPN Gateway, and one or more Remote Access VPN Clients. You can use this type of VPN to make an office network remotely available to authorized users, such as employees working from home, who connect to the office Remote Access VPN Server with their Remote Access VPN Clients.
PAGE 622
Overview To create a Remote Access VPN with two VPN sites 1. On the remote user VPN site's Safe@Office appliance, add the office Remote Access VPN Server as a Remote Access VPN site. See Adding and Editing VPN Sites on page 621. The remote user's Safe@Office appliance will act as a Remote Access VPN Client. 2. On the office VPN site's Safe@Office appliance, enable a Remote Access VPN Server. See Setting Up Your Safe@Office Appliance as a VPN Server on page 607.
PAGE 623
Setting Up Your Safe@Office Appliance as a VPN Server For information on setting up your Safe@Office appliance as an internal VPN Server, see Configuring the Internal VPN Server on page 610. Setting Up Your Safe@Office Appliance as a VPN Server You can make your network available to authorized users connecting from the Internet or from your internal networks, by setting up your Safe@Office appliance as a VPN Server.
PAGE 624
Setting Up Your Safe@Office Appliance as a VPN Server Note: The use of all Remote VPN Clients is subject to Check Point’s purchasing terms and conditions. To set up your Safe@Office appliance as a VPN Server 1. Configure the VPN Server in one or more of the following ways: • 2. To accept SecuRemote/SecureClient or Safe@Office remote access connections from the Internet. See Configuring the SecuRemote Remote Access VPN Server on page 609.
PAGE 625
Setting Up Your Safe@Office Appliance as a VPN Server See Setting Up Remote VPN Access for Users on page 687. Note: Disabling the VPN Server for a specific type of connection will cause all existing VPN tunnels of that type to disconnect. Configuring the SecuRemote Remote Access VPN Server To configure the SecuRemote Remote Access VPN Server 1. Click VPN in the main menu, and click the VPN Server tab. The VPN Server page appears. 2.
PAGE 626
Setting Up Your Safe@Office Appliance as a VPN Server 4. To allow authenticated users connecting from the Internet to bypass the default firewall policy and access your internal network without restriction, select the Bypass default firewall policy check box. User-defined rules will still apply to the authenticated users. 5. Click Apply. The SecuRemote Remote Access VPN Server is enabled for the specified connection types.
PAGE 627
Setting Up Your Safe@Office Appliance as a VPN Server Configuring the Endpoint Connect VPN Server To configure the Endpoint Connect VPN Server 1. Do one or more of the following: • 2. To accept Endpoint Connect remote access connections from the Internet, configure the SecuRemote Remote Access VPN Server. See Configuring the SecuRemote Remote Access VPN Server on page 609. • To accept Endpoint Connect connections from your internal networks, configure the SecuRemote Internal VPN Server.
PAGE 628
Setting Up Your Safe@Office Appliance as a VPN Server Configuring the L2TP VPN Server To configure the L2TP VPN Server 1. Click VPN in the main menu, and click the VPN Server tab. The VPN Server page appears. 2. Select the Allow L2TP clients to connect check box. New check boxes appear. 3. In the Preshared Secret field, type the preshared secret to use for secure communications between the L2TP clients and the VPN Server. The secret can contain spaces and special characters.
PAGE 629
Setting Up Your Safe@Office Appliance as a VPN Server Installing SecuRemote If you configured the SecuRemote Internal VPN Server, you must install the SecuRemote/SecureClient VPN Client on all internal network computers that should be allowed to remotely access your network via SecuRemote connections. To install SecureClient/SecuRemote 1. Click VPN in the main menu, and click the VPN Server tab. The VPN Server page appears. 2. Click the Download link.
PAGE 630
Setting Up Your Safe@Office Appliance as a VPN Server 3. Follow the online instructions to complete installation. Endpoint Connect is installed. Configuring L2TP VPN Clients If you configured the L2TP VPN Server, you must configure the L2TP VPN Client on all computers that should be allowed to remotely access your network via L2TP connections. This procedure is relevant for computers with a Windows XP operating system.
PAGE 631
Setting Up Your Safe@Office Appliance as a VPN Server The New Connection Wizard opens displaying the Welcome to the New Connection Wizard screen. 4. Click Next. The Network Connection Type dialog box appears. 5. Choose Connect to the network at my workplace. 6. Click Next.
PAGE 632
Setting Up Your Safe@Office Appliance as a VPN Server 7. The Network Connection dialog box appears. 8. Choose Virtual Private Network connection. 9. Click Next. The Connection Name dialog box appears. 10. In the Company Name field, type your company's name. 11. Click Next.
PAGE 633
Setting Up Your Safe@Office Appliance as a VPN Server The Public Network dialog box appears. 12. Choose Do not dial the initial connection. 13. Click Next. The VPN Server Selection dialog box appears. 14. In the field, type the Safe@Office appliance's IP address.
PAGE 634
Setting Up Your Safe@Office Appliance as a VPN Server The Completing the New Connection Wizard screen appears. 15. Click Finish. 16. In the Network and Dial-up Connections window, right-click on the L2TP connection, and click Properties in the popup menu. The connection's Properties dialog box opens. 17. In the Security tab, choose Advanced (custom settings). 18. Click Settings.
PAGE 635
Setting Up Your Safe@Office Appliance as a VPN Server The Advanced Security Settings dialog box opens. 19. In the Data encryption drop-down list, select Optional encryption. 20. Choose Allow these protocols. 21. Select the Unencrypted password (PAP) check box, and clear all other check boxes. 22. Click OK. 23. In Properties dialog box's Security tab, click IPSec Settings. The IPSec Settings dialog box opens. 24. Select the Use pre-shared key for authentication check box. 25.
PAGE 636
Setting Up Your Safe@Office Appliance as a VPN Server 28. In the Type of VPN drop-down list, select L2TP IPSec VPN. 29. Click OK.
PAGE 637
Adding and Editing VPN Sites Adding and Editing VPN Sites To add or edit VPN sites 1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears with a list of VPN sites. 2. Do one of the following: • • To add a VPN site, click New Site. To edit a VPN site, click Edit in the desired VPN site’s row.
PAGE 638
Adding and Editing VPN Sites The Safe@Office VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed. 3. Do one of the following: 4. Select Remote Access VPN to establish remote access from your Remote Access VPN Client to a Remote Access VPN Server. • Select Site-to-Site VPN to create a permanent bi-directional connection to another Site-to-Site VPN Gateway. Click Next.
PAGE 639
Adding and Editing VPN Sites Configuring a Remote Access VPN Site If you selected Remote Access VPN, the VPN Gateway Address dialog box appears. 1. Enter the IP address of the Remote Access VPN Server to which you want to connect, as given to you by the network administrator. 2. To allow the VPN site to bypass the default firewall policy and access your internal network without restriction, select the Bypass default firewall policy check box. User-defined rules will still apply to the VPN site. 3.
PAGE 640
Adding and Editing VPN Sites The VPN Network Configuration dialog box appears. 4. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 633. 5. Click Next.
PAGE 641
Adding and Editing VPN Sites • • If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Complete the fields using the information in VPN Network Configuration Fields on page 633 and click Next. If you chose Specify Configuration or Route All Traffic, the Backup Gateway dialog box appears.
PAGE 642
Adding and Editing VPN Sites • In the Backup Gateway IP field, type the name of the VPN site to use if the primary VPN site fails, and then click Next. The Authentication Method dialog box appears. 6. Complete the fields using the information in Authentication Methods Fields on page 635. 7. Click Next.
PAGE 643
Adding and Editing VPN Sites Username and Password Authentication Method If you selected Username and Password, the VPN Login dialog box appears. 1. Complete the fields using the information in VPN Login Fields on page 635. 2. Click Next. • If you selected Automatic Login, the Connect dialog box appears.
PAGE 644
Adding and Editing VPN Sites Do the following: 1) To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated. • 3. 2) Click Next. If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
PAGE 645
Adding and Editing VPN Sites The VPN Site Created screen appears. 5. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list.
PAGE 646
Adding and Editing VPN Sites Certificate Authentication Method If you selected Certificate, the Connect dialog box appears. 1. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated. 2. Click Next.
PAGE 647
Adding and Editing VPN Sites The Site Name dialog box appears. 3. Enter a name for the VPN site. You may choose any name. 4. Click Next. The VPN Site Created screen appears.
PAGE 648
Adding and Editing VPN Sites 5. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list. RSA SecurID Authentication Method If you selected RSA SecurID, the Site Name dialog box appears. 1. Enter a name for the VPN site. You may choose any name. 2. 632 Click Next.
PAGE 649
Adding and Editing VPN Sites The VPN Site Created screen appears. 3. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list. If you edited a VPN site, the modifications are reflected in the VPN Sites list. Table 130: VPN Network Configuration Fields In this field… Do this… Download Click this option to obtain the network configuration by downloading it from Configuration the VPN site.
PAGE 650
Adding and Editing VPN Sites In this field… Do this… Specify Click this option to provide the network configuration manually. Configuration Route All Traffic Click this option to route all network traffic through the VPN site. For example, if your VPN consists of a central office and a number of remote offices, and the remote offices are only allowed to access Internet resources through the central office, you can choose to route all traffic from the remote offices through the central office.
PAGE 651
Adding and Editing VPN Sites In this field… Do this… Subnet mask Select the subnet masks for the destination network addresses. Note: Obtain the destination networks and subnet masks from the VPN site’s system administrator. Table 131: Authentication Methods Fields In this field… Do this… Username and Select this option to use a user name and password for VPN Password authentication. In the next step, you can specify whether you want to log in to the VPN site automatically or manually.
PAGE 652
Adding and Editing VPN Sites In this field… Do this… the appropriate user name and password have been entered. For further information on Automatic and Manual Login, see, Logging in to a VPN Site on page 655. Automatic Login Click this option to enable the Safe@Office appliance to log in to the VPN site automatically. You must then fill in the Username and Password fields. Automatic Login provides all the computers on your internal network with constant access to the VPN site.
PAGE 653
Adding and Editing VPN Sites 1. Complete the fields using the information in VPN Gateway Address Fields on page 650. 2. Click Next. The VPN Network Configuration dialog box appears. 3. Specify how you want to obtain the VPN network configuration. Refer to VPN Network Configuration Fields on page 633. 4. Click Next.
PAGE 654
Adding and Editing VPN Sites • • 638 If you chose Specify Configuration, a second VPN Network Configuration dialog box appears. Complete the fields using the information in VPN Network Configuration Fields on page 633, and then click Next. If you chose Specify Configuration or Route All Traffic, the Backup Gateway dialog box appears.
PAGE 655
Adding and Editing VPN Sites • In the Backup Gateway IP field, type the name of the VPN site to use if the primary VPN site fails, and then click Next. If you chose Route Based VPN, the Route Based VPN dialog box appears. • Complete the fields using the information in Route Based VPN Fields on page 650, and then click Next. The Authentication Method dialog box appears.
PAGE 656
Adding and Editing VPN Sites 5. Complete the fields using the information in Authentication Methods Fields on page 651. 6. Click Next.
PAGE 657
Adding and Editing VPN Sites Shared Secret Authentication Method If you selected Shared Secret, the Authentication dialog box appears. If you chose Download Configuration, the dialog box contains additional fields. 1. Complete the fields using the information in VPN Authentication Fields on page 651 and click Next.
PAGE 658
Adding and Editing VPN Sites The Security Methods dialog box appears. 2. To configure advanced security settings, click Show Advanced Settings. New fields appear. 3. 642 Complete the fields using the information in Security Methods Fields on page 652 and click Next.
PAGE 659
Adding and Editing VPN Sites The Connect dialog box appears. 4. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated. 5. Click Next. • If you selected Try to Connect to the VPN Gateway, the Connecting… screen appears, and then the Contacting VPN Site screen appears.
PAGE 660
Adding and Editing VPN Sites • 6. The Site Name dialog box appears. Type a name for the VPN site. You may choose any name. 7. To keep the tunnel to the VPN site alive even if there is no network traffic between the Safe@Office appliance and the VPN site, select Keep this site alive. 8. Click Next.
PAGE 661
Adding and Editing VPN Sites • 9. If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following: 1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive. 2) Click Next. • The VPN Site Created screen appears. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list.
PAGE 662
Adding and Editing VPN Sites Certificate Authentication Method If you selected Certificate, the following things happen: 646 • If you chose Download Configuration, the Authentication dialog box appears. • Complete the fields using the information in VPN Authentication Fields on page 651 and click Next. The Security Methods dialog box appears.
PAGE 663
Adding and Editing VPN Sites 1. To configure advanced security settings, click Show Advanced Settings. New fields appear. 2. Complete the fields using the information in Security Methods Fields on page 652 and click Next. The Connect dialog box appears.
PAGE 664
Adding and Editing VPN Sites 3. To try to connect to the Remote Access VPN Server, select the Try to Connect to the VPN Gateway check box. This allows you to test the VPN connection. Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels to this site will be terminated. 4. Click Next. • • • 5. If you selected Try to Connect to the VPN Gateway, the following things happen: The Connecting… screen appears. The Contacting VPN Site screen appears.
PAGE 665
Adding and Editing VPN Sites • 8. If you selected Keep this site alive, and previously you chose Download Configuration, the "Keep Alive" Configuration dialog box appears. Do the following: 1) Type up to three IP addresses which the Safe@Office appliance should ping in order to keep the tunnel to the VPN site alive. 2) Click Next. • The VPN Site Created screen appears. Click Finish. The VPN Sites page reappears. If you added a VPN site, the new site appears in the VPN Sites list.
PAGE 666
Adding and Editing VPN Sites Table 133: VPN Gateway Address Fields In this field… Do this… Gateway Address Type the IP address of the Site-to-Site VPN Gateway to which you want to connect, as given to you by the network administrator. Bypass NAT Select this option to allow the VPN site to bypass NAT when connecting to your internal network. This option is selected by default.
PAGE 667
Adding and Editing VPN Sites Table 135: Authentication Methods Fields In this field… Do this… Shared Secret Select this option to use a shared secret for VPN authentication. A shared secret is a string used to identify VPN sites to each other. Certificate Select this option to use a certificate for VPN authentication. If you select this option, a certificate must have been installed.
PAGE 668
Adding and Editing VPN Sites Table 137: Security Methods Fields In this field… Do this… Phase 1 Security Methods Select the encryption and integrity algorithm to use for IKE negotiations: • Automatic. The Safe@Office appliance automatically selects the best security methods supported by the site. This is the default. • A specific algorithm Diffie-Hellman Select the Diffie-Hellman group to use: group • Automatic. The Safe@Office appliance automatically selects a group. This is the default.
PAGE 669
Adding and Editing VPN Sites In this field… Do this… Perfect Forward Specify whether to enable Perfect Forward Secrecy (PFS), by selecting Secrecy one of the following: • Enabled. PFS is enabled. The Diffie-Hellman group field is enabled. • Disabled. PFS is disabled. This is the default. Enabling PFS will generate a new Diffie-Hellman key during IKE Phase 2 and renew the key for each key exchange. PFS increases security but lowers performance.
PAGE 670
Viewing and Deleting VPN Sites Viewing and Deleting VPN Sites To view or delete a VPN site 1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears, with a list of all VPN sites. 2. To delete a VPN site, do the following. a. b. In the desired VPN site's row, click the Erase A confirmation message appears. Click OK. The VPN site is deleted. icon. Enabling/Disabling a VPN Site You can only connect to VPN sites that are enabled. To enable/disable a VPN site 1.
PAGE 671
Logging in to a Remote Access VPN Site Note: Disabling a VPN site eliminates the tunnel and erases the network topology. a. b. Click the icon in the desired VPN site’s row. A confirmation message appears. Click OK. The icon changes to , and the VPN site is disabled. Logging in to a Remote Access VPN Site You need to manually log in to Remote Access VPN Servers configured for Manual Login.
PAGE 672
Logging in to a Remote Access VPN Site Logging in through the Safe@Office Portal Note: You can only log in to sites that are configured for Manual Login. To manually log in to a VPN site through the Safe@Office Portal 1. Click VPN in the main menu, and click the VPN Sites tab. The VPN Sites page appears. 2. Next to the desired VPN site, click Login. The VPN Status dialog box appears. 3. Type your user name and password in the appropriate fields. 4. Click Login.
PAGE 673
Logging in to a Remote Access VPN Site Logging in through the my.vpn page To manually log in to a VPN site through the my.vpn page 1. Direct your Web browser to http://my.vpn The VPN Login screen appears. 2. In the Site Name list, select the site to which you want to log in. 3. Enter your user name and password in the appropriate fields. 4. Click Login.
PAGE 674
Logging Out of a Remote Access VPN Site • • Once the Safe@Office appliance has finished connecting, the Status field changes to “Connected”. The VPN Login Status box remains open until you manually log out of the VPN site. Logging Out of a Remote Access VPN Site You can manually log out of a VPN site, if it is a Remote Access VPN site configured for Manual Login. To log out of a VPN site • In the VPN Login Status box, click Logout.
PAGE 675
Using Certificates Safe@Office VPN Server for the first time, the entity should check that the VPN peer's fingerprint displayed in the SecuRemote/SecureClient VPN Client is identical to the fingerprint received. The Safe@Office appliance supports certificates encoded in the PKCS#12 (Personal Information Exchange Syntax Standard) format. Installing a Certificate The Safe@Office appliance enables you to install PKCS#12 certificates in the following ways: • By generating a self-signed certificate.
PAGE 676
Using Certificates Generating a Self-Signed Certificate To generate a self-signed certificate 1. Click VPN in the main menu, and click the Certificate tab. The Certificate page appears. 2. 660 Click Install Certificate.
PAGE 677
Using Certificates The Safe@Office Certificate Wizard opens, with the Certificate Wizard dialog box displayed. 3. Click Generate a self-signed security certificate for this gateway. The Create Self-Signed Certificate dialog box appears. 4. Complete the fields using the information in the following table. 5. Click Next.
PAGE 678
Using Certificates The Safe@Office appliance generates the certificate. This may take a few seconds. The Done dialog box appears, displaying the certificate's details. 6. Click Finish. The Safe@Office appliance installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes.
PAGE 679
Using Certificates • The starting and ending dates between which the gateway's certificate and the CA's certificate are valid Chapter 19: Working With VPNs 663
PAGE 680
Using Certificates Table 138: Certificate Fields In this field… Do this… Country Select your country from the drop-down list. Organization Name Type the name of your organization. Organizational Unit Type the name of your division. Gateway Name Type the gateway's name. This name will appear on the certificate, and will be visible to remote users inspecting the certificate. This field is filled in automatically with the gateway's MAC address.
PAGE 681
Using Certificates The Import Certificate dialog box appears. 4. Click Browse to open a file browser from which to locate and select the file. The filename that you selected is displayed. 5. Click Next. The Import-Certificate Passphrase dialog box appears. This may take a few moments.
PAGE 682
Using Certificates 6. Type the pass-phrase you received from the network security administrator. 7. Click Next. The Done dialog box appears, displaying the certificate's details. 8. Click Finish. The Safe@Office appliance installs the certificate. If a certificate is already installed, it is overwritten. The Certificate Wizard closes.
PAGE 683
Using Certificates Uninstalling a Certificate If you uninstall the certificate, no certificate will exist on the Safe@Office appliance, and you will not be able to connect to the VPN if a certificate is required. You cannot uninstall the certificate if there is a VPN site currently defined to use certificate authentication. Note: If you want to replace a currently-installed certificate, there is no need to uninstall the certificate first.
PAGE 684
Using Certificates Exporting Certificates The Safe@Office appliance allows you to export the following certificates: • The device certificate Exporting the device certificate is useful for backup purposes. Note: If your Safe@Office appliance is centrally managed, there is no need to back up the device certificate, as it can be downloaded from the Service Center as needed. • The device Certificate Authority (CA) certificate When using the Safe@Office EAP authenticator with WPA-Enterprise or 802.
PAGE 685
Using Certificates The certificate is exported as a *.p12 file and saved to the specified directory. Note: This file contains the gateway's private key, which is confidential and must not be passed to unauthorized users. Exporting the CA Certificate To export the CA certificate 1. Click VPN in the main menu, and click the Certificate tab. The Certificate page appears with the name of the currently installed certificate. 2. Click Export CA Certificate. A standard File Download dialog box appears. 3.
PAGE 686
Viewing VPN Tunnels Viewing VPN Tunnels You can view a list of currently established VPN tunnels. VPN tunnels are created and closed as follows: • Remote Access VPN sites configured for Automatic Login and Site-to-Site VPN Gateways A tunnel is created whenever your computer attempts any kind of communication with a computer at the VPN site. The tunnel is closed when not in use for a period of time.
PAGE 687
Viewing VPN Tunnels The VPN Tunnels page appears with a table of open VPN tunnels. The VPN Tunnels page includes the information described in the following table. 2. To resize a column, drag the relevant column divider right or left. 3. To refresh the table, click Refresh. Table 139: VPN Tunnels Page Fields This field… Displays… Type The currently active security protocol (IPSEC). Source The IP address or address range of the entity from which the tunnel originates.
PAGE 688
Viewing VPN Tunnels This field… Displays… Destination The IP address or address range of the entity to which the tunnel is connected. The entity's type is indicated by an icon. See VPN Tunnel Icons on page 672. Security The type of encryption used to secure the connection, and the type of Message Authentication Code (MAC) used to verify the integrity of the message. This information is presented in the following format: Encryption type/Authentication type.
PAGE 689
Viewing IKE Traces for VPN Connections This icon… Represents… A network for which an IKE Phase-2 tunnel was negotiated A Remote Access VPN Server A Site-to-Site VPN Gateway A remote access VPN user An L2TP user Viewing IKE Traces for VPN Connections If you are experiencing VPN connection problems, you can save a trace of IKE (Internet Key Exchange) negotiations to a file, and then use the free IKE View tool to view the file. The IKE View tool is available for the Windows platform.
PAGE 690
Viewing VPN Topology To view the IKE trace for a connection 1. Establish a VPN tunnel to the VPN site with which you are experiencing connection problems. For information on when and how VPN tunnels are established, see Viewing VPN Tunnels on page 670. 2. Click Reports in the main menu, and click the Tunnels tab. The VPN Tunnels page appears with a table of open tunnels to VPN sites. 3. Click Save IKE Trace. A standard File Download dialog box appears. 4. Click Save. The Save As dialog box appears.
PAGE 691
Viewing VPN Topology The VPN Topology page appears displaying a tree of VPN sites to which the appliance is connected. 3. To view topology information for a VPN site, in the tree, click the VPN site's name. The right pane displays the information described in the following table.
PAGE 692
Viewing VPN Topology Table 141: VPN Topology Page Fields This field… Displays… Split DNS The VPN site's split DNS mappings. When split DNS is configured for a VPN site, certain domain suffixes are mapped to corporate DNS servers. This means that requests for these domain suffixes are sent to the specific DNS servers to which they are mapped, while all other requests are sent to the ISP's DNS servers. For example, a VPN site's split DNS mappings might indicate that all requests for the domain suffix ".
PAGE 693
Changing Your Login Credentials Chapter 20 Managing Users This chapter describes how to manage Safe@Office appliance users. You can define multiple users, set their passwords, and assign them various permissions. This chapter includes the following topics: Changing Your Login Credentials ............................................................677 Adding and Editing Users.........................................................................680 Adding Quick Guest HotSpot Users .......................
PAGE 694
Changing Your Login Credentials The Internal Users page appears. 2. 678 In the row of your username, click Edit.
PAGE 695
Changing Your Login Credentials The Account Wizard opens displaying the Set User Details dialog box. 3. Edit the Username field. 4. Edit the Password and Confirm password fields. Note: Use 5 to 25 characters (letters or numbers) for the new password. 5. Click Next.
PAGE 696
Adding and Editing Users The Set User Permissions dialog box appears. 6. Click Finish. Your changes are saved. Adding and Editing Users This procedure explains how to add and edit users. For information on quickly adding guest HotSpot users via a shortcut that the Safe@Office appliance provides, see Adding Quick Guest HotSpot Users on page 685. To add or edit a user 1. Click Users in the main menu, and click the Internal Users tab. The Internal Users page appears. 2.
PAGE 697
Adding and Editing Users The Account Wizard opens displaying the Set User Details dialog box. 3. Complete the fields using the information in Set User Details Fields on page 682. 4. Click Next. The Set User Permissions dialog box appears.
PAGE 698
Adding and Editing Users The options that appear on the page are dependant on the software and services you are using. 5. Complete the fields using the information in Set User Permissions Fields on page 683. 6. Click Finish. The user is saved. Table 142: Set User Details Fields In this field… Do this… Username Enter a username for the user. Password Enter a password for the user. Use five to 25 characters (letters or numbers) for the new password. Confirm Password Re-enter the user’s password.
PAGE 699
Adding and Editing Users Table 143: Set User Permissions Fields In this field... Do this... Administrator Level Select the user’s level of access to the Safe@Office Portal. The levels are: • No Access: The user cannot access the Safe@Office Portal. • Read Only: The user can log in to the Safe@Office Portal, but cannot modify system settings or export the appliance configuration via the Setup>Tools page.
PAGE 700
Adding Quick Guest HotSpot Users Remote Desktop Select this option to allow the user to log in to the my.firewall portal, view Access the My Computers page, and remotely access computers' desktops, using the Remote Desktop feature. Note: The user can perform these actions, even if their level of administrative access is "No Access". For information on Remote Desktop, see Using Remote Desktop on page 699.
PAGE 701
Adding Quick Guest HotSpot Users Adding Quick Guest HotSpot Users The Safe@Office appliance provides a shortcut for quickly adding a guest HotSpot user. This is useful in situations where you want to grant temporary network access to guests, for example in an Internet caf‫י‬. The shortcut also enables printing the guest user's details in one click. By default, the quick guest user has the following characteristics: • Username in the format guest, where is a unique three-digit number.
PAGE 702
Viewing and Deleting Users The Account Wizard opens displaying the Save Quick Guest dialog box. 3. In the Expires field, click on the arrows to specify the expiration date and time. 4. To print the user details, click Print. 5. Click Finish. The guest user is saved. You can edit the guest user's details and permissions using the procedure Adding and Editing Users on page 680. Viewing and Deleting Users To view or delete users 1. Click Users in the main menu, and click the Internal Users tab.
PAGE 703
Setting Up Remote VPN Access for Users a) 3. In the desired user’s row, click . A confirmation message appears. b) Click OK. The user is deleted. To delete all expired users, do the following: Click Clear Expired. A confirmation message appears. b) Click OK. The expired users are deleted.
PAGE 704
Using RADIUS Authentication Using RADIUS Authentication You can use Remote Authentication Dial-In User Service (RADIUS) to authenticate both Safe@Office appliance users and Remote Access VPN Clients trying to connect to the Safe@Office appliance. Note: When RADIUS authentication is in use, the Safe@Office appliance must have a certificate. When a user tries to log in to the Safe@Office Portal, the Safe@Office appliance sends the entered user name and password to the RADIUS server.
PAGE 705
Using RADIUS Authentication to analyze RADIUS accounting data and generate performance reports for Secure HotSpot usage. Note: You can configure the Safe@Office appliance to send accounting information to the RADIUS server throughout the entire session. This allows for richer data collection. For information, refer to the Embedded NGX CLI Reference Guide. To use RADIUS authentication 1. Click Users in the main menu, and click the RADIUS tab. The RADIUS page appears.
PAGE 706
Using RADIUS Authentication 2. Complete the fields using the following table. 3. Click Apply. 4. To restore the default RADIUS settings, do the following: Click Default. A confirmation message appears. b) Click OK. The RADIUS settings are reset to their defaults. For information on the default values, refer to the following table. If desired, configure user permissions and/or the HotSpot session timeout on the RADIUS server. a) 5. See Configuring RADIUS Attributes on page 694.
PAGE 707
Using RADIUS Authentication In this field… Do this… Realm If your organization uses RADIUS realms, type the realm to append to RADIUS requests. The realm will be appended to the username as follows: @ For example, if you set the realm to “myrealm”, and the user "JohnS" attempts to log in to the Safe@Office Portal, the Safe@Office appliance will send the RADIUS server an authentication request with the username “JohnS@myrealm”. This field is optional.
PAGE 708
Using RADIUS Authentication In this field… Do this… Administrator Level Select the level of access to the Safe@Office Portal to assign to all users authenticated by the RADIUS server. The levels are: • No Access: The user cannot access the Safe@Office Portal. • Read Only: The user can log in to the Safe@Office Portal, but cannot modify system settings or export the appliance configuration via the Setup>Tools page.
PAGE 709
Using RADIUS Authentication In this field… Do this… Remote Desktop Select this option to allow all users authenticated by the RADIUS server Access to log in to the my.firewall portal, view the Active Computers page, and remotely access computers' desktops, using the Remote Desktop feature. Note: Authenticated users can perform these actions, even if their level of administrative access is "No Access". For information on Remote Desktop, see Using Remote Desktop on page 699.
PAGE 710
Configuring RADIUS Attributes Configuring RADIUS Attributes To configure a timeout for Secure HotSpot sessions • Set the Session-Timeout Attribute (attribute 27) to the number of seconds after which users should be automatically logged out from the hotspot. To assign permissions to specific RADIUS-authenticated users 1. Create a remote access policy as follows: a) Assign the policy’s VSA (attribute 26) the SofaWare vendor code (6983).
PAGE 711
Configuring RADIUS Attributes Table 145: VSA Syntax Permission Admin Description Indicates the Attribute Attribute Number Format 1 String Attribute Values none. The user administrator’s cannot access the level of access to Safe@Office Portal. the Safe@Office readonly. The user Portal Notes can log in to the Safe@Office Portal, but cannot modify system settings. users-manager. The user can log in to the Safe@Office Portal and add, edit, or delete "No Access"-level users.
PAGE 712
Configuring RADIUS Attributes Permission VPN Description Attribute Values Notes true. The user can This permission is the user can remotely access the only relevant if access the network via VPN. the Safe@Office network from a false. The user Remote Access Indicates whether Attribute Attribute Number Format 2 String Remote Access cannot remotely VPN Client. access the network VPN Server is enabled. The gateway must via VPN. have a certificate. Hotspot true.
PAGE 713
Configuring RADIUS Attributes Permission Description Attribute Attribute Number Format 5 String Attribute Values Notes true. The user can This permission is RemoteDe Indicates whether sktop the user can log in to the only relevant if remotely access my.firewall portal, the Remote computers' view the Active Desktop feature is desktops, using Computers page, enabled. the Remote and remotely Desktop feature.
PAGE 714
PAGE 715
Overview Chapter 21 Using Remote Desktop This chapter describes how to remotely access the desktop of each of your computers, using the Safe@Office appliance's Remote Desktop feature. This chapter includes the following topics: Overview ..................................................................................................699 Workflow..................................................................................................700 Configuring Remote Desktop ..................................
PAGE 716
Workflow Workflow To use Remote Desktop 1. Configure Remote Desktop. See Configuring Remote Desktop on page 701. 2. Enable the Remote Desktop server on computers that authorized users should be allowed to remotely access. See Configuring the Host Computer on page 704. 3. Grant Remote Desktop Access permissions to users who should be allowed to remotely access desktops. See Adding and Editing Users on page 680. 4. The authorized users can access remote computers' desktops as desired.
PAGE 717
Configuring Remote Desktop Configuring Remote Desktop To configure Remote Desktop 1. Click Setup in the main menu, and click the Remote Desktop tab. The Remote Desktop page appears. 2. Do one of the following: • To enable Remote Desktop, select the Allow remote desktop access check box.
PAGE 718
Configuring Remote Desktop New fields appear. 3. To disable Remote Desktop, clear the Allow remote desktop access check box. Fields disappear. Complete the fields using the information in the following table. 4. Click Apply.
PAGE 719
Configuring Remote Desktop Table 146: Remote Desktop Options In this field… Do this… Sharing Share local drives Select this option to allow the host computer to access hard drives on the client computer. This enables remote users to access their local hard drives when logged in to the host computer. Share local printers Select this option to allow the host computer to access printers on the client computer. This enables remote users to access their local printer when logged in to the host computer.
PAGE 720
Configuring the Host Computer Configuring the Host Computer To enable remote users to connect to a computer, you must enable the Remote Desktop server on that computer. Note: The host computer must have one of the following operating systems installed: • Microsoft Windows Server 2003 • Microsoft Windows XP Professional • Microsoft Windows XP Media Center • Microsoft Windows XP Tablet PC 2005 To enable users to remotely connect to a computer 1. Log on to the desired computer as an administrator.
PAGE 721
Configuring the Host Computer The Remote tab appears. 5. Select the Allow users to connect remotely to this computer check box. 6. Click Select Remote Users. The Remote Desktop Users dialog box appears. 7. Do the following for each remote user who should be allowed to access this computer: a. Click Add.
PAGE 722
Configuring the Host Computer The Select Users dialog box appears. b. c. d. Type the desired user's username in the text box. The Check Names button is enabled. Click Check Names. Click OK. The Remote Desktop Users dialog box reappears with the desired user's username. 8. Click OK. 9. Click OK.
PAGE 723
Accessing a Remote Computer's Desktop Accessing a Remote Computer's Desktop Note: The client computer must meet the following requirements: • Microsoft Internet Explorer 6.0 or later • A working Internet connection To access a remote computer's desktop 1. Click Reports in the main menu, and click the My Computers tab. The My Computers page appears. 2. Next to the desired computer, click Remote Desktop.
PAGE 724
Accessing a Remote Computer's Desktop • 3. The Remote Desktop Connection Security Warning dialog box appears. Select the desired connection options. The available options depend on your Remote Desktop configuration. See Configuring Remote Desktop on page 701. 4. Click OK. The Log On to Windows dialog box appears. 5. Type your username and password for the remote computer. These are the credentials configured for your user account in Enabling the Remote Desktop Server on page 704. 6. Click OK.
PAGE 725
Accessing a Remote Computer's Desktop You can use the following keyboard shortcuts during the Remote Desktop session: Table 147: Remote Desktop Keyboard Shortcuts This shortcut… Does this… ALT+INSERT Cycles through running programs in the order that they were started ALT+HOME Displays the Start menu CTRL+ALT+BREAK Toggles between displaying the session in a window and on the full screen CTRL+ALT+END Opens the Windows Security dialog box Chapter 21: Using Remote Desktop 709
PAGE 726
PAGE 727
Overview Chapter 22 Controlling the Appliance via the Command Line This chapter describes various ways of controlling your Safe@Office appliance through the command line. This chapter includes the following topics: Overview ..................................................................................................711 Using the Safe@Office Portal ..................................................................712 Using the Serial Console ............................................................
PAGE 728
Using the Safe@Office Portal Using the Safe@Office Portal You can control your appliance via the Safe@Office Portal's command line interface. To control the appliance via the Safe@Office Portal 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. 712 Click Command.
PAGE 729
Using the Safe@Office Portal The Command Line page appears. 3. In the upper field, type a command. You can view a list of supported commands using the command help. For information on all commands, refer to the Embedded NGX CLI Reference Guide. 4. Click Go. The command is implemented.
PAGE 730
Using the Serial Console Using the Serial Console You can connect a console to the Safe@Office appliance, and use the console to control the appliance via the command line. Note: Your terminal emulation software and your Safe@Office appliance's Serial port must be configured for the same speed. By default, the appliance's Serial port's speed is 57600 bps. For information on changing the Serial port's speed, refer to the Embedded NGX CLI Reference Guide. To control the appliance via a console 1.
PAGE 731
Using the Serial Console The Ports page appears. 3. Next to the Serial port, click Edit.
PAGE 732
Using the Serial Console The Port Setup page appears. 4. In the Assign to drop-down list, select Console. 5. In the Port Speed drop-down list, select the Serial port's speed (in bits per second). The Serial port's speed must match that of the attached serial console. The default value is 57600. 6. 7. In the Flow Control drop-down list, select the method of flow control supported by the attached device: • RTS/CTS. Hardware-based flow control, using the Serial port's RTS/CTS lines. • XON/XOFF.
PAGE 733
Configuring SSH Configuring SSH Safe@Office appliance users can control the appliance via the command line, using the SSH (Secure Shell) management protocol. You can enable users to do so via the Internet, by configuring remote SSH access. You can also integrate the Safe@Office appliance with SSH-based management systems. Note: The Safe@Office appliance supports SSHv2 clients only. The SSHv1 protocol contains security vulnerabilities and is not supported.
PAGE 734
Configuring SSH If you selected Internal Networks + IP Range, additional fields appear. 3. If you selected Internal Networks + IP Range, enter the desired IP address range in the fields provided. 4. Click Apply. The SSH configuration is saved. If you configured remote SSH access, you can now control the Safe@Office appliance from the Internet, using an SSHv2 client. For information on all supported commands, refer to the Embedded NGX CLI Reference Guide.
PAGE 735
Configuring SSH Table 148: SSH Access Options Select this To allow access from… Internal Networks The internal network only. option… This disables remote access capability. This is the default. Internal Networks + The internal network and your VPN. VPN Internal Networks + IP Range A particular range of IP addresses. Additional fields appear, in which you can enter the desired IP address range. ANY Any IP address. Disabled Nowhere. This disables both local and remote access capability.
PAGE 736
Viewing Firmware Status Chapter 23 Maintenance This chapter describes the tasks required for maintenance and diagnosis of your Safe@Office appliance. This chapter includes the following topics: Viewing Firmware Status .........................................................................720 Upgrading Your Software Product ...........................................................722 Configuring a Gateway Hostname............................................................
PAGE 737
Viewing Firmware Status The Firmware page appears. The Firmware page displays the following information: Table 149: Firmware Status Fields This field… Displays… For example… WAN MAC Address The MAC address used for 00:80:11:22:33:44 the Internet connection Firmware Version The current version of the 8.
PAGE 738
Upgrading Your Software Product This field… Displays… For example… Uptime The time that elapsed from 01:21:15 the moment the unit was turned on Hardware Type The type of the current SBox-200 Safe@Office appliance hardware Hardware Version The current hardware version of the Safe@Office appliance Upgrading Your Software Product You can upgrade your Safe@Office 1000N appliance by adding the Safe@Office 1000N Power Pack.
PAGE 739
Upgrading Your Software Product The Safe@Office Licensing Wizard opens, with the Install Product Key dialog box displayed. 3. Click Enter a different Product Key. 4. In the Product Key field, enter the new Product Key. 5. Click Next. The Installed New Product Key dialog box appears.
PAGE 740
Configuring a Gateway Hostname 6. Click Finish. Configuring a Gateway Hostname You can define a gateway hostname for the Safe@Office appliance. The gateway hostname is used to identify the Safe@Office appliance and appears in the following places: • The Safe@Office Portal’s title bar • The Safe@Office appliance's SNMP hostname • Syslog messages sent by the Safe@Office appliance • The command line prompt By default, the Safe@Office appliance's MAC address is used as the gateway hostname.
PAGE 741
Configuring Syslog Logging The Gateway Name page appears. 3. In the Gateway Name field, type the desired hostname. 4. To reset the gateway hostname to the default value (the appliance's MAC address), click Default. 5. Click Apply.
PAGE 742
Configuring Syslog Logging Configuring Syslog Logging You can configure the Safe@Office appliance to send event logs to a Syslog server residing in your internal network or on the Internet. The logs detail the date and the time each event occurred. If the event is a communication attempt that was rejected by the firewall, the event details include the source and destination IP address, the destination port, and the protocol used for the communication attempt (for example, TCP or UDP).
PAGE 743
Configuring Syslog Logging The Logging page appears. 2. Complete the fields using the information in the following table. 3. Click Apply. Table 150: Logging Page Fields In this field… Do this… Syslog Server Type the IP address of the computer that will run the Syslog service (one of your network computers), or click This Computer to allow your computer to host the service. Clear Click to clear the Syslog Server field. Syslog Port Type the port number of the Syslog server.
PAGE 744
Configuring HTTPS Configuring HTTPS You can enable Safe@Office appliance users to access the Safe@Office Portal from the Internet. To do so, you must first configure HTTPS. Note: Configuring HTTPS is equivalent to creating a simple Allow rule, where the destination is This Gateway. To create more complex rules for HTTPS, such as allowing HTTPS connections from multiple IP address ranges, define Allow rules for TCP port 443, with the destination This Gateway. For information, see Using Rules on page 400.
PAGE 745
Configuring HTTPS 2. Specify from where HTTPS access to the Safe@Office Portal should be granted. See Access Options on page 730 for information. Warning: If remote HTTPS is enabled, your Safe@Office appliance settings can be changed remotely, so it is especially important to make sure all Safe@Office appliance users’ passwords are difficult to guess. Note: You can use HTTPS to access the Safe@Office Portal from your internal network, by surfing to https://my.firewall.
PAGE 746
Configuring SNMP Table 151: Access Options Select this To allow access from… Internal Networks The internal network only. option… This disables remote access capability. This is the default. Internal Networks + The internal network and your VPN. VPN Internal Networks + IP Range A particular range of IP addresses. Additional fields appear, in which you can enter the desired IP address range. ANY Any IP address. Disabled Nowhere. This disables both local and remote access capability.
PAGE 747
Configuring SNMP • IP-MIB All SNMP access is read-only. Note: Configuring SNMP is equivalent to creating a simple Allow rule, where the destination is This Gateway. To create more complex rules for SNMP, such as allowing SNMP connections from multiple IP address ranges, define Allow rules for the relevant port (by default, TCP port 161), with the destination This Gateway. For information, see Using Rules on page 400. To configure SNMP 1. Click Setup in the main menu, and click the Management tab.
PAGE 748
Configuring SNMP 3. If you selected Internal Networks + IP Range, enter the desired IP address range in the fields provided. 4. In the Community field, type the name of the SNMP community string. SNMP clients uses the SNMP community string as a password, when connecting to the Safe@Office appliance. The default value is "public". It is recommended to change this string. 5. 732 To configure advanced SNMP settings, do the following: a. Click Advanced. The SNMP Configuration page appears. b.
PAGE 749
Configuring SNMP If you selected the Send SNMP Traps check box, additional fields appear. 6. Click Apply. The SNMP configuration is saved. 7. Configure the SNMP clients with the SNMP community string. Table 152: Advanced SNMP Settings In this field... Do this… System Location Type a description of the appliance's location. This information will be visible to SNMP clients, and is useful for administrative purposes. System Contact Type the name of the contact person.
PAGE 750
Setting the Time on the Appliance In this field... Do this… SNMP Port Type the port to use for SNMP. The default port is 161. Send SNMP Traps Select this option to enable sending SNMP traps. An SNMP trap is a notification sent from one application to another. Send Traps On: Indicates that SNMP traps will automatically be sent upon Startup / Shutdown startup/shutdown events. This option is always selected.
PAGE 751
Setting the Time on the Appliance Setting the Time on the Appliance You set the time displayed in the Safe@Office Portal during initial appliance setup. If desired, you can change the date and time using the procedure below. To set the time 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Set Time. The Safe@Office Set Time Wizard opens displaying the Set the Safe@Office Time dialog box. 3.
PAGE 752
Setting the Time on the Appliance The following things happen in the order below: • • If you selected Specify date and time, the Specify Date and Time dialog box appears. Set the date, time, and time zone in the fields provided, then click Next. If you selected Use a Time Server, the Time Servers dialog box appears. Complete the fields using the information in Time Servers Fields on page 738, then click Next.
PAGE 753
Setting the Time on the Appliance • 5. The Date and Time Updated screen appears. Click Finish. Table 153: Set Time Wizard Fields Select this option… To do the following… Your computer's clock Set the appliance time to your computer’s system time. Your computer’s system time is displayed to the right of this option. Keep the current setting Do not change the appliance’s time. The current appliance time is displayed to the right of this option.
PAGE 754
Using Diagnostic Tools Table 154: Time Servers Fields In this field… Do this… Primary Server Type the IP address of the Primary NTP server. Secondary Server Type the IP address of the Secondary NTP server. This field is optional. Clear Clear the field. Select your time zone Select the time zone in which you are located. Using Diagnostic Tools The Safe@Office appliance is equipped with a set of diagnostic tools that are useful for troubleshooting Internet connectivity.
PAGE 755
Using Diagnostic Tools Use this tool… To do this… For information, see... Packet Sniffer Capture network traffic. This information is Using Packet Sniffer on page useful troubleshooting network problems. 741 Using IP Tools To use an IP tool 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. In the IP Tools area, complete the fields using the information in the following table. 3. Click Go.
PAGE 756
Using Diagnostic Tools The IP Tools window opens and displays a list of routers used to make the connection. • 740 If you selected WHOIS, the following things happen: The Safe@Office appliance queries the Internet WHOIS server. A window displays the name of the entity to which the IP address or DNS name is registered and their contact information.
PAGE 757
Using Diagnostic Tools Table 156: IP Tools Fields In this field… Do this… Tool Select the desired tool. Source Address Select the IP address from which the packets should originate. This can be any of the following: • Auto. Automatically select a connected or enabled interface form which to send the packets. • A connected Internet connection • An enabled internal network This field is only enabled if you selected the Ping or Traceroute tools.
PAGE 758
Using Diagnostic Tools direction will be indicated by i (input) or o (output). To use Packet Sniffer 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Sniffer. The Packet Sniffer window opens. 3. Complete the fields using the information in the following table. 4. Click Start. The Packet Sniffer window displays the name of the interface, the number of packets collected, and the percentage of storage space remaining on the appliance for storing the packets.
PAGE 759
Using Diagnostic Tools 7. Browse to a destination directory of your choice. 8. Type a name for the configuration file and click Save. The *.cap file is created and saved to the specified directory. 9. Click Cancel to close the Packet Sniffer window. Table 157: Packet Sniffer Fields In this field… Do this… Interface Select the interface from which to collect packets. The list includes the primary Internet connection, the Safe@Office appliance ports, and all defined networks.
PAGE 760
Using Diagnostic Tools Filter String Syntax The following represents a list of basic filter string elements: • and on page 744 • dst on page 745 • dst port on page 745 • ether proto on page 746 • host on page 747 • not on page 747 • or on page 748 • port on page 748 • src on page 749 • src port on page 749 • tcp on page 750 • udp on page 751 For detailed information on filter syntax, refer to http://www.tcpdump.org.
PAGE 761
Using Diagnostic Tools EXAMPLE The following filter string saves packets that both originate from IP address is 192.168.10.1 and are destined for port 80: src 192.168.10.1 and dst port 80 dst PURPOSE The dst element captures all packets with a specific destination. SYNTAX dst destination PARAMETERS destination IP Address or String. The computer to which the packet is sent.
PAGE 762
Using Diagnostic Tools PARAMETERS port Integer. The port to which the packet is sent. EXAMPLE The following filter string saves packets that are destined for port 80: dst port 80 ether proto PURPOSE The ether proto element is used to capture packets of a specific ether protocol type. SYNTAX ether proto \protocol PARAMETERS protocol String. The protocol type of the packet. This can be the following: ip, ip6, arp, rarp, atalk, aarp, dec net, sca, lat, mopdl, moprc, iso, stp, ipx, or netbeui.
PAGE 763
Using Diagnostic Tools host PURPOSE The host element captures all incoming and outgoing packets for a specific computer. SYNTAX host host PARAMETERS host IP Address or String. The computer to/from which the packet is sent. This can be the following: • An IP address • A host name EXAMPLE The following filter string saves all packets that either originated from IP address 192.168.10.1, or are destined for that same IP address: host 192.168.10.
PAGE 764
Using Diagnostic Tools or PURPOSE The or element is used to alternate between string elements. The filtered packets must match at least one of the filter string elements. SYNTAX element or element [or element...] element || element [|| element...] PARAMETERS element String. A filter string element. EXAMPLE The following filter string saves packets that either originate from IP address 192.168.10.1 or IP address 192.168.10.10: src 192.168.10.1 or src 192.168.10.
PAGE 765
Using Diagnostic Tools EXAMPLE The following filter string saves all packets that either originated from port 80, or are destined for port 80: port 80 src PURPOSE The src element captures all packets with a specific source. SYNTAX src source PARAMETERS source IP Address or String. The computer from which the packet is sent. This can be the following: • An IP address • A host name EXAMPLE The following filter string saves packets that originated from IP address 192.168.10.1: src 192.168.10.
PAGE 766
Using Diagnostic Tools PARAMETERS port Integer. The port from which the packet is sent. EXAMPLE The following filter string saves packets that originated from port 80: src port 80 tcp PURPOSE The tcp element captures all TCP packets. This element can be prepended to port-related elements. Note: When not prepended to other elements, the tcp element is the equivalent of ip proto tcp. SYNTAX tcp tcp element PARAMETERS element String.
PAGE 767
Using Diagnostic Tools EXAMPLE 1 The following filter string captures all TCP packets: tcp EXAMPLE 2 The following filter string captures all TCP packets destined for port 80: tcp dst port 80 udp PURPOSE The udp element captures all UDP packets. This element can be prepended to port-related elements. Note: When not prepended to other elements, the udp element is the equivalent of ip proto udp. SYNTAX udp udp element PARAMETERS element String.
PAGE 768
Backing Up and Restoring the Safe@Office Appliance Configuration EXAMPLE 1 The following filter string captures all UDP packets: udp EXAMPLE 2 The following filter string captures all UDP packets destined for port 80: udp dst port 80 Backing Up and Restoring the Safe@Office Appliance Configuration The Safe@Office appliance provides the following ways of backing up and restoring its configuration: • Backup and restore on your computer You can export the Safe@Office appliance configuration to a *.
PAGE 769
Backing Up and Restoring the Safe@Office Appliance Configuration Backing Up the Appliance Configuration Exporting the Appliance Configuration to Your Computer To export the Safe@Office appliance configuration to your computer 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Export. A standard File Download dialog box appears. 3. Click Save. The Save As dialog box appears. 4. Browse to a destination directory of your choice. 5.
PAGE 770
Backing Up and Restoring the Safe@Office Appliance Configuration Backing Up the Appliance Configuration to a USB Flash Drive The USB flash drive must have at least 64MB of free space. Note: Some USB flash drives may not be supported by the appliance. To backup the appliance configuration to a USB flash drive 1. Connect a USB flash drive to one of your Safe@Office appliance's USB ports. For information on locating the USB ports, see Introduction on page 1. 2.
PAGE 771
Backing Up and Restoring the Safe@Office Appliance Configuration The Safe@Office appliance creates the folder on the USB flash drive, where is the appliance's MAC address, and writes the following files to this folder: • embeddedngx.cfg • embeddedngx.p12 The Step 2: Backup Complete screen appears. 6. Click Finish. You can now restore the configuration from the USB flash drive as needed. See Restoring the Appliance Configuration from a USB Flash Drive on page 758.
PAGE 772
Backing Up and Restoring the Safe@Office Appliance Configuration Restoring the Appliance Configuration Importing the Appliance Configuration from Your Computer To import the appliance configuration from your computer 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Import. The Import Settings page appears. 3. Do one of the following: • In the Import Settings field, type the full path to the configuration file.
PAGE 773
Backing Up and Restoring the Safe@Office Appliance Configuration 4. Click Upload. A confirmation message appears. 5. Click OK. The Safe@Office appliance settings are imported. The Import Settings page displays the configuration file's content and the result of implementing each configuration command. Note: If the appliance's IP address changed as a result of the configuration import, your computer may be disconnected from the network; therefore you may not be able to see the results.
PAGE 774
Backing Up and Restoring the Safe@Office Appliance Configuration Restoring the Appliance Configuration from a USB Flash Drive To restore the appliance configuration from a USB flash drive 1. Connect a USB flash drive to one of your Safe@Office appliance's USB ports. For information on locating the USB ports, see Introduction on page 1. 2. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 3. Click Backup/Restore.
PAGE 775
Using Rapid Deployment Note: If the appliance's IP address changed as a result of the configuration import, your computer may be disconnected from the network; therefore you may not be able to see the results. 6. Click Finish. Using Rapid Deployment Safe@Office appliances are shipped with a specific firmware and group of settings that represent the appliance's default state.
PAGE 776
Using Rapid Deployment Preparing the USB Flash Drive for Rapid Deployment Before performing a rapid deployment, you must load the USB flash drive with the files you want to install on the appliance(s). To prepare the USB flash drive 1. For each appliance you want to deploy, create a folder named , where is the appliance’s MAC address, and the colons are replaced by underscores.
PAGE 777
Using Rapid Deployment Table 158: Rapid Deployment File Names This file... Should be named... The primary firmware primary.firm / primary.img The backup firmware secondary.firm / secondary.img The configuration file embeddedngx.cfg The default configuration file preset.cfg The certificate embeddedngx.p12 Performing a Rapid Deployment You must perform the following procedure on each Safe@Office appliance you want to deploy. To perform a rapid deployment 1.
PAGE 778
Resetting the Safe@Office Appliance to Defaults • If the deploy folder exists, the appliance loads shared settings from it. The appliance then loads its private settings from the folder named after its MAC address. Note: If the appliance loads an updated firmware file, the appliance restarts and then continues the rapid deployment process. Do not disconnect the USB flash drive until the process is complete.
PAGE 779
Resetting the Safe@Office Appliance to Defaults When resetting the appliance via the Safe@Office Portal, you can choose to keep the current firmware or to revert to the firmware version that shipped with the Safe@Office appliance. In contrast, using the Reset button automatically reverts the firmware version. To reset the Safe@Office appliance to factory defaults via the Web interface 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Factory Settings.
PAGE 780
Resetting the Safe@Office Appliance to Defaults • The Please Wait screen appears. • • The Safe@Office appliance returns to its factory defaults. The Safe@Office appliance is restarted. This may take a few minutes. The Login page appears. • To reset the Safe@Office appliance to factory defaults using the Reset button 1. Make sure the Safe@Office appliance is powered on. 2.
PAGE 781
Running Diagnostics Running Diagnostics You can view technical information about your Safe@Office appliance’s hardware, firmware, license, network status, and Service Center. This information is useful for troubleshooting. You can export it to an *.html file and send it to technical support. To view diagnostic information 1. Click Setup in the main menu, and click the Tools tab. The Tools page appears. 2. Click Diagnostics. Technical information about your Safe@Office appliance appears in a new window.
PAGE 782
Rebooting the Safe@Office Appliance Rebooting the Safe@Office Appliance If your Safe@Office appliance is not functioning properly, rebooting it may solve the problem. To reboot the Safe@Office appliance 1. Click Setup in the main menu, and click the Firmware tab. The Firmware page appears. 2. Click Restart. A confirmation message appears. 3. Click OK. • The Please Wait screen appears. • The Safe@Office appliance is restarted. This may take a few minutes. The Login page appears.
PAGE 783
Overview Chapter 24 Using Network Printers This chapter describes how to set up and use network printers. This chapter includes the following topics: Overview ..................................................................................................767 Setting Up Network Printers.....................................................................768 Configuring Computers to Use Network Printers.....................................771 Viewing Network Printers ......................................
PAGE 784
Setting Up Network Printers Setting Up Network Printers To set up a network printer 1. Connect the network printer to the Safe@Office appliance. See Connecting the Appliance to Network Printers on page 103. 2. Turn the printer on. 3. In the Safe@Office Portal, click Network in the main menu, and click the Ports tab. The Ports page appears. 4. 768 Next to USB, click Edit.
PAGE 785
Setting Up Network Printers The USB Devices page appears. If the Safe@Office appliance detected the printer, the printer is listed on the page. If the printer is not listed, check that you connected the printer correctly, then click Refresh to refresh the page. 5. Next to the printer, click Edit.
PAGE 786
Setting Up Network Printers The Printer Setup page appears. 6. Write down the port number allocated to the printer. The port number appears in the Printer Server TCP Port field. You will need this number later, when configuring computers to use the network printer. 7. To change the port number, do the following: a. Type the desired port number in the Printer Server TCP Port field. Note: Printer port numbers may not overlap, and must be high ports. b. Click Apply.
PAGE 787
Configuring Computers to Use Network Printers See Configuring Computers to Use Network Printers on page 771. Configuring Computers to Use Network Printers Perform the relevant procedure on each computer from which you want to enable printing via the Safe@Office print server to a network printer. Windows Vista This procedure is relevant for computers with a Windows Vista operating system. To configure a computer to use a network printer 1.
PAGE 788
Configuring Computers to Use Network Printers The Control Panel window opens. 3. 772 Under Hardware and Sound, click Printer.
PAGE 789
Configuring Computers to Use Network Printers The Printers screen appears. 4. Click Add a printer. The Add Printer wizard opens displaying the Choose a local or network printer screen. 5. Click Add a local printer. 6. Click Next.
PAGE 790
Configuring Computers to Use Network Printers The Choose a printer port dialog box appears. 7. Click Create a new port. 8. In the Type of port drop-down list, select Standard TCP/IP Port. 9. Click Next. The Type a printer hostname or IP address dialog box appears. 10. In the Device type drop-down list, select Autodetect. 11. In the Hostname or IP address field, type the Safe@Office appliance's LAN IP address, or "my.firewall".
PAGE 791
Configuring Computers to Use Network Printers 12. In the Port name field, type the port name. 13. Select the Query the printer and automatically select the driver to use check box. 14. Click Next. The following things happen: • If Windows cannot identify your printer, the Additional Port Information Required dialog box appears. Do the following: 1) Click Custom. 2) Click Settings.
PAGE 792
Configuring Computers to Use Network Printers The Configure Standard TCP/IP Port Monitor dialog box opens. • 3) In the Protocol area, make sure that Raw is selected. 4) In the Port Number field, type the printer's port number, as shown in the Printers page. 5) Click OK. 6) Click Next. The Install the printer driver dialog box displayed. 15. Do one of the following: • 776 Use the lists to select the printer's manufacturer and model.
PAGE 793
Configuring Computers to Use Network Printers • If your printer does not appear in the lists, insert the CD that came with your printer in the computer's CD-ROM drive, and click Have Disk. 16. Click Next. 17. Complete the remaining dialog boxes in the wizard as desired, and click Finish. The printer appears in the Printers and Faxes window. 18. Right-click the printer and click Properties in the popup menu. The printer's Properties dialog box opens. 19.
PAGE 794
Configuring Computers to Use Network Printers Windows 2000/XP This procedure is relevant for computers with a Windows 2000/XP operating system. To configure a computer to use a network printer 1. If the computer for which you want to enable printing is located on the WAN, create an Allow rule for connections from the computer to This Gateway. See Adding and Editing Rules on page 404. 2. Click Start > Settings > Control Panel. The Control Panel window opens. 3. Click Printers and Faxes.
PAGE 795
Configuring Computers to Use Network Printers The Local or Network Printer dialog box appears. 6. Click Local printer attached to this computer. Note: Do not select the Automatically detect and install my Plug and Play printer check box. 7. Click Next. The Select a Printer Port dialog box appears. 8. Click Create a new port. 9. In the Type of port drop-down list, select Standard TCP/IP Port. 10. Click Next.
PAGE 796
Configuring Computers to Use Network Printers The Add Standard TCP/IP Port Wizard opens with the Welcome dialog box displayed. 11. Click Next. The Add Port dialog box appears. 12. In the Printer Name or IP Address field, type the Safe@Office appliance's LAN IP address, or "my.firewall". You can find the LAN IP address in the Safe@Office Portal, under Network > My Network. The Port Name field is filled in automatically. 13. Click Next.
PAGE 797
Configuring Computers to Use Network Printers The Add Standard TCP/IP Printer Port Wizard opens, with the Additional Port Information Required dialog box displayed. 14. Click Custom. 15. Click Settings. The Configure Standard TCP/IP Port Monitor dialog box opens. 16. In the Port Number field, type the printer's port number, as shown in the Printers page. 17. In the Protocol area, make sure that Raw is selected. 18. Click OK. The Add Standard TCP/IP Printer Port Wizard reappears.
PAGE 798
Configuring Computers to Use Network Printers 19. Click Next. The Completing the Add Standard TCP/IP Printer Port Wizard dialog box appears. 20. Click Finish. The Add Printer Wizard reappears, with the Install Printer Software dialog box displayed. 21. Do one of the following: • • Use the lists to select the printer's manufacturer and model. If your printer does not appear in the lists, insert the CD that came with your printer in the computer's CD-ROM drive, and click Have Disk. 22. Click Next. 23.
PAGE 799
Configuring Computers to Use Network Printers The printer appears in the Printers and Faxes window. 24. Right-click the printer and click Properties in the popup menu. The printer's Properties dialog box opens. 25. In the Ports tab, in the list box, select the port you added. The port's name is IP_. 26. Click OK.
PAGE 800
Configuring Computers to Use Network Printers MAC OS-X This procedure is relevant for computers with the latest version of the MAC OS-X operating system. Note: This procedure may not apply to earlier MAC OS-X versions. To configure a computer to use a network printer 1. If the computer for which you want to enable printing is located on the WAN, create an Allow rule for connections from the computer to This Gateway. See Adding and Editing Rules on page 404. 2. Choose Apple -> System Preferences.
PAGE 801
Configuring Computers to Use Network Printers The Print & Fax window appears. 5. In the Printing tab, click Set Up Printers. The Printer List window appears. 6. Click Add.
PAGE 802
Configuring Computers to Use Network Printers New fields appear. 7. In the first drop-down list, select IP Printing. 8. In the Printer Type drop-down list, select Socket/HP Jet Direct. 9. In the Printer Address field, type the Safe@Office appliance's LAN IP address, or "my.firewall". You can find the LAN IP address in the Safe@Office Portal, under Network > My Network. 10. In the Queue Name field, type the name of the required printer queue.
PAGE 803
Configuring Computers to Use Network Printers A list of models appears. 12. In the Model Name list, select the desired model. 13. Click Add. The new printer appears in the Printer List window. 14. In the Printer List window, select the newly added printer, and click Make Default.
PAGE 804
Viewing Network Printers Viewing Network Printers To view network printers 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. 2. Next to USB, click Edit. The USB Devices page appears, displaying a list of connected printers. For each printer, the model, serial number, and status is displayed. A printer can have the following statuses: Initialize. The printer is initializing. Ready. The printer is ready. Not Ready. The printer is not ready.
PAGE 805
Changing Network Printer Ports Changing Network Printer Ports When you set up a new network printer, the Safe@Office appliance automatically assigns a port number to the printer. If you want to use a different port number, you can easily change it, as described in Setting Up Network Printers on page 768. However, you may sometimes need to change the port number after completing printer setup.
PAGE 806
Resetting Network Printers Resetting Network Printers You can cause a network printer to restart the current print job, by resetting the network printer. You may want to do this if the print job has stalled. To reset a network printer 1. Click Network in the main menu, and click the Ports tab. The Ports page appears. 2. Next to USB, click Edit. The USB Devices page appears, displaying a list of connected printers. 3. Next to the desired printer, click Reset Server.
PAGE 807
Connectivity Chapter 25 Troubleshooting This chapter provides solutions to common problems you may encounter while using the Safe@Office appliance. Note: For information on troubleshooting wireless connectivity, see Troubleshooting Wireless Connectivity on page 342. This chapter includes the following topics: Connectivity ............................................................................................ 791 Service Center and Upgrades ............................................................
PAGE 808
Connectivity • Check if you have defined firewall rules which block your Internet connectivity. • Check with your ISP for possible service outage. • Check whether you are exceeding the maximum number of computers allowed by your license, by viewing the My Computers page. I cannot access my DSL broadband connection. What should I do? DSL equipment comes in two flavors: bridges (commonly known as DSL modems) and routers. Some DSL equipment can be configured to work both ways.
PAGE 809
Connectivity I cannot access http://my.firewall or http://my.vpn. What should I do? • Verify that the Safe@Office appliance is operating. • Check if the LED for the LAN port used by your computer is green. If not, check if the network cable linking your computer to the Safe@Office appliance is connected properly. • By default, unencrypted HTTP access is not allowed from the wireless LAN to http://my.firewall or http://my.vpn.
PAGE 810
Connectivity I am using the Safe@Office appliance behind another NAT device, and I am having problems with some applications. What should I do? By default, the Safe@Office appliance performs Network Address Translation (NAT). It is possible to use the Safe@Office appliance behind another device that performs NAT, such as a DSL router or Wireless router, but the device will block all incoming connections from reaching your Safe@Office appliance. To fix this problem, do ONE of the following.
PAGE 811
Service Center and Upgrades I cannot connect to the LAN network from the DMZ or primary WLAN network. What should I do? By default, connections from the DMZ or primary WLAN network to the LAN network are blocked. To allow traffic from the DMZ or primary WLAN to the LAN, configure appropriate firewall rules. For instructions, see Using Rules on page 400. Service Center and Upgrades I have exceeded my node limit.
PAGE 812
Other Problems Other Problems I have forgotten my password. What should I do? Reset your Safe@Office appliance to factory defaults using the Reset button as detailed in Resetting the Safe@Office Appliance to Defaults on page 762. Why are the date and time displayed incorrectly? You can adjust the time on the Setup page's Tools tab. For information, see Setting the Time on the Appliance on page 735. I cannot use a certain network application. What should I do? Look at the Event Log page.
PAGE 813
Technical Specifications Chapter 26 Specifications This chapter includes the following topics: Technical Specifications .......................................................................... 797 CE Declaration of Conformity ................................................................. 807 Technical Specifications Safe@Office 1000N and 1000NW ADSL Model Attributes Table 159: Safe@Office ADSL Model Attributes Attribute Safe@Office 1000N ADSL Safe@Office 1000NW ADSL 20 x 3.1 x 12.8 cm 20 x 3.
PAGE 814
Technical Specifications Power Adapter Nominal 12VDC @ 2 A 12VDC @ 2 A 15W 15W 20W (including USB devices) 20W (including USB devices) -20ºC ~ 70ºC -20ºC ~ 70ºC Temperature: Operation 0ºC ~ 35ºC 0ºC ~ 35ºC Humidity: 10 ~ 90% / 10 ~ 90% 10 ~ 90% / 10 ~ 90% (non-condensed) (non-condensed) Safety TBD TBD Quality TBD TBD EMC TBD TBD Reliability TBD TBD Environment TBD TBD MTBF (hours) TBD TBD RF TBD TBD Output Max.
PAGE 815
Technical Specifications Non-ADSL Model Attributes Table 160: Safe@Office Non-ADSL Model Attributes Attribute Safe@Office 1000N SBXN- Safe@Office 1000NW 20 x 3.1 x 12.8 cm 20 x 3.1 x 12.8 cm (7.87 x 1.22 x 5.04 inches) (7.87 x 1.22 x 5.04 inches) 100-1 SBXNW-100-1 Physical Attributes Dimensions (width x height x depth) (excluding antenna connectors) Weight 750g. (full / packaged 1505g) 770g.
PAGE 816
Technical Specifications Humidity: 10 ~ 90% / 10 ~ 90% 10 ~ 90% / 10 ~ 90% (non-condensed) (non-condensed) Safety cULus, CB, CE, LVD cULus, CB, CE, LVD Quality ISO9001, ISO 14001, TL9000 ISO9001, ISO 14001, TL9000 EMC CE, FCC 15B CE, FCC 15B Reliability EN 300 019 - 1, 2, 3 EN 300 019 - 1, 2, 3 Environment RoHS & WEEE, China RoHS RoHS & WEEE, China RoHS MTBF (hours) 100,000 hours at 25÷C 100,000 hours at 25÷C RF N/A CE R&TTE .
PAGE 817
Technical Specifications Wireless Attributes Table 161: Safe@Office Wireless Attributes Attribute Operation Frequency Safe@Office 1000NW SBXNW-100-1 Safe@Office 1000NW ADSL SBXNWDE-100-2 2.412-2.484 MHz Transmission Power Mode dBm mW 802.11b 16 40mW 802.11g 11 (54Mbps), 16 13mW (54Mbps), (6Mbps) 40mW (6Mbps) 9 (MCS7, MCS15), 8mW (MCS7, 16 (MCS0) MCS15), 40mW 802.11n (HT20) (MCS0) 802.11n (HT40) 8 (MCS7, MCS15), 6.
PAGE 818
Technical Specifications Safe@Office 500 and 500W Table 162: Safe@Office ADSL Models Attributes Attribute Safe@Office 500 ADSL Safe@Office 500W ADSL Dimensions 200 x 33 x 122 mm 200 x 33 x 130 mm (width x height x depth) (7.87 x 1.3 x 4.8 inches) (7.87 x 1.3 x 5.12 inches) SBXD-166LHGE-5 SBXWD-166LHGE-5 Physical Attributes (incl. antenna connectors) Weight 660 g (1.46 lbs) 694 g (1.53 lbs) Retail Box Dimensions 290 x 250 x 80 mm 290 x 250 x 80 mm (width x height x depth) (11.42 x 9.
PAGE 819
Technical Specifications Temperature: Operation 0÷C ~ 40÷C 0÷C ~ 40÷C Humidity: 10 ~ 95% / 10 ~ 90% 10 ~ 95% / 10 ~ 90% (non-condensed) (non-condensed) Safety cULus, CB, LVD cULus, CB, LVD Quality ISO9001, ISO 14001, TL9000 ISO9001, ISO 14001, TL9000 EMC CE . FCC 15B.VCCI CE . FCC 15B.VCCI Reliability EN 300 019 - 1, 2, 3 EN 300 019 - 1, 2, 3 Environment RoHS & WEEE RoHS & WEEE ADSL FCC Part 68.CS03 FCC Part 68.
PAGE 820
Technical Specifications 5V Power Adapter Unit Power Adapter Nominal In: 100~240VAC @ 0.5A In: 100~240VAC @ 0.5A 9VAC @ 1.5 A 12VDC @ 1.5 A Input Power Adapter Nominal Output OR: 12VDC @ 1.5 A Max. Power 4.5W Consumption 6.5W 11.
PAGE 821
Technical Specifications RF N/A FCC15C,TELCO Table 164: Table 165: Safe@Office Non-ADSL Models Attributes Attribute Safe@Office 500 Safe@Office 500W Dimensions 200 x 32 x 128 mm 200 x 32 x 128 mm (width x height x depth) (7.87 x 1.26 x 5.04 inches) (7.87 x 1.26 x 5.04 inches) Weight 675 g (1.49 lbs) 685 g (1.51 lbs) Retail Box Dimensions 290 x 250 x 80 mm 290 x 250 x 80 mm (width x height x depth) (11.42 x 9.84 x 3.15 inches) (11.42 x 9.84 x 3.15 inches) Retail box weight 1.
PAGE 822
Technical Specifications Temperature: Operation 0ºC ~ 40ºC 0ºC ~ 40ºC Humidity: 10% ~ 85% 10% ~ 85% (non-condensed) (non-condensed) Safety IEC 60950, EN 60950 IEC 60950, EN 60950 Quality ISO 9001, 9002, 14001 ISO 9001, 9002, 14001 EMC FCC part 15B FCC Part 15 B & C VCCI V-3/V-4 AS/NZS 4268: 2003 A1 Storage/Operation Applicable Standards DGT Reliability EN 300 019 - 1, 2, 3 EN 300 019 - 1, 2, 3 Environment RoHS & WEEE RoHS & WEEE MTBF (hours) 68,000 hours at 30ºC 68,000 hours at
PAGE 823
CE Declaration of Conformity DBPSK WPA Authentication EAP-TLS, EAP-TTLS, PEAP (EAP-GTC), PEAP (EAP-MSCHAP V2) Modes CE Declaration of Conformity CE Check Point is committed to protecting the environment. Safe@Office unified threat management appliances are compliant with the RoHS Directive, meeting the European Union's strict restrictions on hazardous substances.
PAGE 824
CE Declaration of Conformity Table 167: Safe@Office CE Compliance Standards Attribute 500 500 ADSL 500W ADSL 500W H/W Model SBX-166LHGE-5 SBX-166LHGE-5 SBX-166LHGE-5 SBX-166LHGE-6 EMC: V V V V EN 55022 V V V EN 50081-1 V EN 50082-1 V EN 61000-3- V V V V V V V V EN 55024 V V V V CISPR 22 V V V V Safety: V V V V EN 60950 V V V V IEC 60950 V V V V Telecom: V V ITU-T V V 2 EN 61000-33 G.992.1, .2, .3*, .
PAGE 825
CE Declaration of Conformity Attribute 500 500 ADSL 500W ADSL V V ITU-T G.703 V V ITU-T G.
PAGE 826
CE Declaration of Conformity Attribute 1000N 1000NW 1000N ADSL 1000NW ADSL EN 61000-3- V V V V V V V V EN 55024 V V V V CISPR 22 V V V V EN 60950 V V V V IEC 60950 V V V V TBR21 V V ITU-T V V V V ITU-T G.703 V V ITU-T G.704 V V 2 EN 61000-33 Safety: Telecom: G.992.1, .2, .3*, .
PAGE 827
CE Declaration of Conformity Attribute 1000N 1000NW 1000N ADSL 1000NW ADSL EN 300 328 V V EN 301 489- V V V V V V 1 EN 301 48917 EN 50385 The "CE" mark is affixed to this product to demonstrate conformance to the R&TTE Directive 99/05/EEC (Radio Equipment and Telecommunications Terminal Equipment Directive) and FCC Part 15 Class B. The product has been tested in a typical configuration.
PAGE 828
CE Declaration of Conformity This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This Class B digital apparatus complies with Canadian ICES-003.
PAGE 829
CE Declaration of Conformity Attribute 500 500 ADSL 500W ADSL 500W C22.2 No. V V V V V V V V V V V V V V 60950 K60950 Telecom: FCC Part 68 TIA-968-A1, 2 & 3 CS-03 Part I & VIII Issue 8 RF: FCC Part V 15, Subpart C IEEE C95.
PAGE 830
CE Declaration of Conformity Attribute 1000N 1000NW 1000N ADSL 1000NW ADSL V V V V CISPR 22 V V V V ICES-003 V V V V ANSI C63.4 V V V V UL 60950 V V V V C22.2 No. V V V V V V V V EMC: FCC Part 15, Class B Safety: 60950 Telecom: FCC Part 68 CS-03 Part I & VIII Issue 8 RF: FCC Part V V V V 15, Subpart C IEEE C95.
PAGE 831
CE Declaration of Conformity China China RoHS, RoHS & WEEE Declaration and Certification These systems have been verified to comply with the China RoHS and EU RoHS & WEEE Directives throughout the design, development and supply chain definition.
PAGE 832
CE Declaration of Conformity • Tributyl tin (TBT) and triphenyl tin (TPT) compounds Additional Materials Information • The cables may use PVC as an insulating material to ensure product safety • The case material is sheet metal • Product may contain post-industrial recycled content (plastics, metal, glass) No CFCs (chlorofluorocarbons), HCFCs (hydrofluorocarbons) or other ozone depleting substances are used in packaging material.
PAGE 833
CE Declaration of Conformity AC Mains O O O O O O Accessories O O O O O O Cables O O O O O O Table 172: Onboard Components - Lead (Pb) Component Name Part Hazardous Concentrati Substance on (ppm) s Components onboard DC Jack Lead (Pb) 36050 RoHS Quantity Lead as an 1 Exemptions alloying element in steel containing up to 0,35 % lead by weight, aluminium containing up to 0,4 % lead by weight and as a copper alloy containing up to 4 % lead by weight.
PAGE 834
CE Declaration of Conformity Crystal Lead (Pb) 11800 Lead in high 1 melting temperature type solders (i.e. lead-based alloys containing 85 % by weight or more lead). (2005/747/EC) CAPACITO Lead (Pb) 6551 R Lead in 2 electronic ceramic parts (e.g. piezoelectronic devices) (2002/95/EC) CAPACITO R Lead (Pb) 6981 Lead in 1 electronic ceramic parts (e.g.
PAGE 835
Glossary of Terms Glossary of Terms A ADSL Modem A device connecting a computer to the Internet via an existing phone line. ADSL (Asymmetric Digital Subscriber Line) modems offer a high-speed 'always-on' connection. C CA The Certificate Authority (CA) issues certificates to entities such as gateways, users, or computers. The entity later uses the certificate to identify itself and provide verifiable information.
PAGE 836
Glossary of Terms D DHCP Any machine requires a unique IP address to connect to the Internet using Internet Protocol. Dynamic Host Configuration Protocol (DHCP) is a communications protocol that assigns Internet Protocol (IP) addresses to computers on the network. DHCP uses the concept of a "lease" or amount of time that a given IP address will be valid for a computer. DMZ A DMZ (demilitarized zone) is an internal network defined in addition to the LAN network and protected by the Safe@Office appliance.
PAGE 837
Glossary of Terms HTTPS Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL. A protocol for accessing a secure Web server. It uses SSL as a sublayer under the regular HTTP application. This directs messages to a secure port number rather than the default Web port number, and uses a public key to encrypt data HTTPS is used to transfer confidential user information. Hub A device with multiple ports, connecting several PCs or network devices on a network.
PAGE 838
Glossary of Terms M MAC Address The MAC (Media Access Control) address is a computer's unique hardware number. When connected to the Internet from your computer, a mapping relates your IP address to your computer's physical (MAC) address on the LAN. Mbps Megabits per second. Measurement unit for the rate of data transmission.
PAGE 839
Glossary of Terms PPTP The Point-to-Point Tunneling Protocol (PPTP) allows extending a local network by establishing private “tunnels” over the Internet. This protocol it is also used by some DSL providers as an alternative for PPPoE. R RJ-45 The RJ-45 is a connector for digital transmission over ordinary phone wire. Router A router is a device that determines the next network point to which a packet should be forwarded toward its destination. The router is connected to at least two networks.
PAGE 840
Glossary of Terms At the other end (the client program in your computer), TCP reassembles the individual packets and waits until they have arrived to forward them to you as a single file. TCP/IP TCP/IP (Transmission Control Protocol/Internet Protocol) is the underlying communication protocol of the Internet. U UDP UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP).
PAGE 841
Index Index 8 802.
PAGE 842
Index certificate Packet Sniffer • 738 explained • 654 Ping • 735 exporting • 663 Traceroute • 735 exporting CA • 664 using • 735 exporting device • 663 WHOIS • 735 generating self-signed • 655 importing • 659 installing • 654 uninstalling • 662 diagnostics running • 762 dialup connection • 164 Checksum Verification • 473 RS232 modem • 175 Cisco IOS DOS • 470 USB modem • 179 command line interface controlling the appliance via • 707 Content Based Antispam engine direct ADSL connection • 13
PAGE 843
Index Email Antispam • 556 types • 402 Email Antivirus • 556 using • 398 enabling/disabling • 557 firmware selecting protocols for • 558 explained • 818 snoozing • 559 updating • 581 temporarily disabling • 559 updating by using Software Updates • 582 EoA configuring a connection • 123 Event Log viewing • 377 exposed host defining a computer as • 395 explained • 818 F File and Print Sharing • 490 firewall about • 389 levels • 392 rule types • 400 setting security level • 392 technologies • 76
PAGE 844
Index configuring • 279 configuring backup • 189 explained • 279 enabling/disabling • 188 Host Port Scan • 481 establishing quick • 188 HTTPS terminating • 188 configuring • 724 troubleshooting • 789 explained • 819 viewing information • 186 using • 116 hub • 99, 189, 279, 789, 819 I Internet Setup using • 139 Internet Wizard IGMP • 492 IKE traces viewing • 668 installation ADSL models • 100 using • 124 IP address changing • 196 explained • 819 hiding • 197 cable type • 99 IP Fragments •
PAGE 845
Index configuring • 608 LAN cable • 99 configuring a connection • 123 MTU explained • 820 N NAT rules configuring High Availability for • 279 about • 423 explained • 819 adding and editing • 425 ports • 99 types • 424 LAND • 459 using • 423 licenses viewing and deleting • 430 upgrading • 718 link configurations modifying • 254 load balancing NetBIOS explained • 820 network changing internal range of • 196 about • 190 configuring • 193 configuring • 190 configuring a DMZ • 209 login initi
PAGE 846
Index Network Interface Monitor viewing bridge statistics • 370 viewing general network statistics • 360 viewing Internet connection statistics • 361 viewing wired network statistics • 366 viewing wireless network statistics • 368 network objects adding and editing • 227 using • 225 viewing and deleting • 235 Network Quota • 468 network service objects filter string syntax • 741 using • 738 password changing • 673 setting up • 111 Peer to Peer • 496 Ping of Death • 458 Port-based VLAN about • 214 adding a
PAGE 847
Index configuring • 303 performing • 758 defined • 822 preparing for • 757 printers changing ports • 787 configuring computers to use • 769 Remote Access VPN Clients Remote Access VPN Clients • 597 Remote Access VPN Servers resetting • 788 configuring • 603 setting up • 766 explained • 597 using • 765 viewing • 786 Q QoS classes • 291 explained • 291 QoS classes Remote Desktop accessing a remote desktop • 703 configuring • 697 configuring the host computer • 700 using • 695 reports active compu
PAGE 848
Index NAT • 423 package contents • 65 VStream Antispam • 545 rear panel • 66 VStream Antivirus • 509 Web • 563 S Safe Senders Safe@Office 500 series about • 1 features • 3 product family • 2 adding • 553 Safe@Office appliance deleting • 554 backing up • 749 Safe@Office cascading • 102 front panel • 53 changing internal IP address of • 196 network requirements • 51 configuring Internet connection • 123 package contents • 51 connecting to network printers • 103 rear panel •
PAGE 849
Index setting the time • 732 setting up • 107 explained • 597 security status • 343 about • 71 technical specifications • 795 configuring port-based security • 411 Safe@Office appliance configuration configuring servers • 395 backing up to a USB flash drive • 751 creating firewall rules • 398 exporting • 750 defining a computer as an exposed host • 395 importing • 753 restoring from a USB flash drive • 755 Safe@Office Portal elements • 118 initial • 111 logging in • 114 logging out • 653 remote
PAGE 850
Index Service Center connecting to • 587 explained • 239 Spanning Tree Protocol disconnecting from • 595 explained • 262 refreshing a connection to • 594 with WDS • 305 service routing explained • 239 services Email Filtering • 556 SSH configuring • 713 explained • 713 Stateful Inspection software updates • 582 explained • 821 Web Filtering • 571 technology • 79 Setup Wizard • 111, 124 SIP • 494 Site-to-Site VPN gateways Static IP configuring a connection • 131 Static NAT explained • 597 exp
PAGE 851
Index explained • 587 starting • 587 viewing information • 593 Sweep Scan • 481 SynDefender • 477 Syslog logging viewing reports • 351 traffic reports exporting • 354 viewing • 351 Traffic Shaper advanced • 291 configuring • 722 enabling • 291 explained • 722 explained • 291 T restoring defaults • 301 Tag-based VLAN setting up • 293 about • 214 simplified • 291 adding and editing • 220 using • 291 deleting • 221 TCP TCP, explained • 821 TCP/IP setting up for MAC OS • 95 setting up for Windows
PAGE 852
Index configuring • 509 virtual access points (VAPs) enabling/disabling • 649 logging in • 650 about • 214 logging out • 653 adding and editing • 331 types • 597 deleting • 221 VLAN VPN tunnels creation and closing of • 665 adding and editing • 217 establishing • 650 configuring • 53 explained • 822 configuring port-based • 218 viewing • 665 configuring tag-based • 220 VStream Antispam configuring virtual access points • 331 about • 523 deleting • 221 configuring advanced settings • 555
PAGE 853
Index reordering • 551 types • 546 VStream Antivirus explained • 305 Web content filtering solutions about • 561 about • 505 comparison of • 561 configuring • 505 Web Filtering • 571 configuring advanced settings • 518 Web rules • 563 configuring policy • 509 default policy • 506 enabling/disabling • 507 rules • 510 updating • 523 viewing database information • 508 VStream Antivirus rules adding and editing • 510 deleting • 518 enabling/disabling • 517 reordering • 517 types • 510 W WAN Web Filte
PAGE 854
Index wireless protocols supported • 309 wireless stations viewing • 368 Worm Catcher • 489 X XBox LIVE • 500 838 Check Point Safe@Office User Guide