Check Point L-71 Скачать руководство пользователя страница 68

Страница: 68 / 124

Appliance Configuration

Check Point 1400 Appliances Centrally Managed Administration Guide R77.20.85 | 68

To configure Monitor Mode with user-defined networks:

> add monitor-mode-network ipv4-address

<IP>

subnet-mask <mask> > set

monitor-mode-configuration use-defined-networks true

To see user-defined Internal networks:

> show monitor-mode-network

To disable Anti-Spoofing:

> set antispoofing advanced-settings global-activation false

If you do not see the Monitor Mode option:

Run this CLI command:

set monitor-mode-configuration allow-monitor-mode true

Select an interface and click

Edit

Monitor Mode is now added to the options list.

For more information on monitor mode, see sk112572

http://supportcontent.checkpoint.com/solutions?id=sk112572

To edit a physical interface:

Configure the fields in the tabs. Note that for the DMZ there is an additional tab

Access Policy

Configuration tab

•

Assigned to

- Select the required option:

•

Unassigned

- The physical interface is not part of any network and cannot be used.

•

One of the existing configured

switches

bridges

•

Separate network -

When selecting a separate network configure this information:



IP address



Subnet mask



DHCP Server settings

Select one of the options:

Enabled

- Enter the IP address range and if necessary the IP address exclude range.

The appliance's own IP address is automatically excluded from this range. You can also
exclude or reserve specific IP addresses by defining network objects in the

Users &

Objects

Network Objects

page. Reserving specific IP addresses requires the MAC

address of the device.

Relay

- Enter the DHCP server IP address.

Disabled

Note

- When you create a switch, you cannot remove the first interface inside unless you delete

the switch.

Advanced tab

The options that are shown vary based on interface type and status. Configure the options that are
applicable:

•

Description

Enter an optional description. The description is shown in the local network table

next to the name.

•

MTU size -

Configure the Maximum Transmission Unit size for an interface. Note that in the

Check Point Appliance, the value is global for all physical LAN and DMZ ports.

Содержание L-71

Страница 1: ...19 May 2020 Administration Guide CHECK POINT 1400 APPLIANCES CENTRALLY MANAGED Models L 71 L 71W L 71WD L 72 L 72W L 72P R77 20 85 Classification Protected...

Страница 2: ...t assumes no responsibility for errors or omissions This publication and features described herein are subject to change without notice RESTRICTED RIGHTS LEGEND Use duplication or disclosure by the go...

Страница 3: ...k140193 Latest Version of this Document Open the latest version of this document in a Web browser https sc1 checkpoint com documents R77 20 85 1400_Central_AdminGuide html_fr ameset htm Download the l...

Страница 4: ...scale Deployment 23 Defining a SmartLSM Appliance Cluster Profile 23 Deploying with SmartProvisioning 24 Installing a Security Policy 25 Viewing the Policy Installation Status 25 SmartProvisioning 28...

Страница 5: ...a Hotspot 72 Configuring the Routing Table 74 Configuring MAC Filtering 76 Configuring the DNS Server 79 Configuring the Proxy Server 79 Backup Restore Upgrade and Other System Operations 80 Configuri...

Страница 6: ...onitoring Data 113 Viewing Reports 113 Using System Tools 113 SNMP 114 Advanced Configuration 115 Dynamic Routing 115 Upgrade Using a USB Drive 116 Upgrade Using an SD Card 117 Boot Loader 118 Upgrade...

Страница 7: ...tion see the 1400 Security Gateway series product page https supportcenter checkpoint com supportcenter portal model version R77 os eventSu bmit_doShowproductpage productTab documents product 490 This...

Страница 8: ...ted to an outlet The Power LED on the front panel lights up This indicates that the appliance is turned on The Alert LED on the front panel starts to blink This indicates that the appliance is booting...

Страница 9: ...ou configure between 1 and 25 Check Point Appliance gateways using SmartDashboard Then you can manage device settings from SmartProvisioning Large scale deployment Where you configure over 25 Check Po...

Страница 10: ...eck Point Appliance before or after you configure the appliance on site Options to define a gateway object Management First Define the gateway object in SmartDashboard before you configure and set up...

Страница 11: ...ically when the Gateway connects to the Security Management server for the first time or Initiate trusted communication now 4 Click Connect A status window appears 5 Click Next To configure a dynamic...

Страница 12: ...to other sites that participate in VPN community will be encrypted With this option connections that are initiated from other sites that are directed to hosts behind this gateway are not encrypted If...

Страница 13: ...ns access the WebUI of the appliance These actions are only required to work with the Cluster Wizard in SmartDashboard Make sure a cable is connected between the two LAN2 SYNC ports of both appliances...

Страница 14: ...on the same subnet as the SYNC interface of the second cluster member use a cross Ethernet cable for SYNC interface connection When you use the SmartDashboard cluster wizard the LAN2 interface is the...

Страница 15: ...s selected enter a virtual IP Address and Net Mask for the cluster The virtual IP is applied in the next policy installation 13 Click Next 14 Repeat steps 12 14 for each defined interface 15 Click Fin...

Страница 16: ...convert an existing Check Point Appliance to a cluster Note The procedures require some downtime Terms used GW the existing Check Point Appliance gateway object that has already established trust and...

Страница 17: ...in the list press Help and make sure GW does not match any of the categories that prevent it from being added to a cluster Note Use the information on this Help page to determine if there are any con...

Страница 18: ...zone After you associated a security zone object to the applicable interface on the gateway you can use it in a rule To create a rule with a security zone just add the security zone object to the Sou...

Страница 19: ...d On each selected gateway independently On all selected gateways if it fails do not install on gateways of the same version 4 Click OK The Installation Process window shows the status of the Network...

Страница 20: ...ucceeded Succeeded Policy installation succeeded but there are verification warnings Waiting for first connection A Check Point Appliance object is configured but the gateway is not connected to the S...

Страница 21: ...eable IP address of the Security Management Server is manually configured to create a first connection When SIC is established between the appliance and Security Management Server the policy is fetche...

Страница 22: ...is firmware upgrade package CP1400AS1100 If you do not use the CP1400AS1100 you cannot select the package in the view For R80 20 Manage the 1400 appliances as 1400 SMB appliances Large scale Deploymen...

Страница 23: ...window click Help 5 Click OK and then install the policy Note To activate SmartProvisioning functionality you must install a security policy on the LSM profile 6 Continue in SmartProvisioning on page...

Страница 24: ...e sure to configure it correctly The host octet for the Virtual IP addresses can be modified later 5 For each Virtual IP interface double click the text field to enter the interface name security zone...

Страница 25: ...d On each selected gateway independently On all selected gateways if it fails do not install on gateways of the same version 4 Click OK The Installation Process window shows the status of the Network...

Страница 26: ...ucceeded Succeeded Policy installation succeeded but there are verification warnings Waiting for first connection A Check Point Appliance object is configured but the gateway is not connected to the S...

Страница 27: ...dow in these ways From the menu bar Click Policy Policy Installation Status From the toolbar Click the Policy Installation Status icon From the status bar Click Failed or Pending The contents of the P...

Страница 28: ...General Properties 1 Enter a Name for the SmartLSM Security Gateway It cannot contain spaces or non alphanumeric characters 2 Enter an optional Comment that identifies the SmartLSM Security Gateway 3...

Страница 29: ...t field To clear the key click Clear To initialize certification The SIC certificate must be shared between the Security Management Server and the SmartLSM Security Gateway With this SmartLSM wizard y...

Страница 30: ...g a SmartLSM Appliance Cluster Make sure you have a SmartLSM cluster profile defined in SmartDashboard before you create a Small Office Appliance cluster in SmartProvisioning To create a new SmartLSM...

Страница 31: ...o this step again for the second member 3 Click Next VPN Properties 1 Select how to create a VPN certificate For a CA certificate from the Internal Check Point CA select I wish to create a VPN Certifi...

Страница 32: ...Device Settings You can manage device settings directly on individual gateways or you can use a SmartProvisioning Profile to manage multiple gateways For more information about provisioning profiles...

Страница 33: ...ion time can be limited to a specified list of time ranges in the week They start at the nearest time range after firmware settings were applied You can also define that the download takes place immed...

Страница 34: ...onization with a Security Gateway that references this profile b According to these time ranges Select to use the Security Gateway time or local time Add Edit Click Add or Edit to open the Time Range...

Страница 35: ...on a Provisioning Profile 1 Open the Security Gateway Profile window and select the Hotspot tab 2 Select Manage Hotspot settings centrally from this application 3 Click Advanced The Profile Settings...

Страница 36: ...tab other than General 3 Select management settings for gateways that reference the profile Manage settings locally on the device Each gateway that references this profile has its own settings config...

Страница 37: ...e following settings Manage these settings on this gateway individually with the values given here Centrally Override mandatory Overriding profile settings is mandatory configure settings here To chan...

Страница 38: ...com Note You cannot use Zero Touch if you connect to the internet through a proxy server Zero Touch enables a gateway to automatically fetch settings from the cloud when it is connected to the intern...

Страница 39: ...hows the installation status It may take several minutes until the installation is complete Note If a collision is detected between an internal network LAN and an IP returned via DHCP WAN the conflict...

Страница 40: ...without using the First Time Configuration Wizard The configuration file lets you configure more settings and parameters than are available in the First Time Configuration Wizard You can deploy config...

Страница 41: ...aring the Configuration Files The Check Point Appliance Massive Deployment configuration files are composed of CLIsh commands These are the file names that can be used autoconf clish autoconf XX XX XX...

Страница 42: ...onfiguration file Use the set property command to set the appliance to use a configuration file on a USB drive The USB drive can be inserted in the front or the rear USB port You can deploy the config...

Страница 43: ...nfiguration Wizard to configure an appliance when the configuration file fails Restore the default settings to a partially configured appliance before you use the First Time Configuration Wizard to en...

Страница 44: ...ion script that fails set hostname Demo1 set hostname Setting hostname to Demo1 OK set interface WAN internet primary ipv4 address 66 66 66 11 Error missing argument subnet mask for a new connection A...

Страница 45: ...o a secure https site and asks for administrator credentials When you log in you can select the Save user name checkbox to save the administrator s user name The name is saved until you clear the brow...

Страница 46: ...d lets you quickly navigate to the blade configuration page It also gives you Access to the basic settings of the blades with the Settings button cogwheel icon and lets you activate the blades Access...

Страница 47: ...To go to other blade statistics click the arrows in the header 3 If the blade is turned off a Click View demo to see an example of the statistics shown b Click the X icon to close the demo To view an...

Страница 48: ...ing 3 Click Next In the Security Management Server Connection page select a connection method To connect to the Security Management Server now select Connect to the Security Management Server now ente...

Страница 49: ...egistration information is not successfully retrieved browse to https smbregistration checkpoint com 3 Complete the applicable fields in the User Center registration Appliance MAC address Appliance re...

Страница 50: ...coming services usually indicate servers Zone Shows if the appliance is connected physically or through a wireless connection Traffic Shows upload and download packet rates for all IP addresses when t...

Страница 51: ...monitoring report click Demo To close the sample reports click Back The number of current connections in the system is shown for VPN Tunnels Active Devices and Connections You can click the links to o...

Страница 52: ...d devices Infected servers Recently active infected devices You can click All Infected Devices to open the Logs Monitoring Infected Devices page High risk applications Shows The number of high risk ap...

Страница 53: ...e first 24 hour cycle after an appliance starts up after installation or an update the system adds one more time interval to the delta of the next applicable report interval For example for weekly rep...

Страница 54: ...d and sent The number of infected devices servers and recently active infected devices The number of high risk applications the most used high risk applications and the top users of high risk applicat...

Страница 55: ...ports and their state To display DSL statistics Click DSL Statistics A window opens and shows the statistic parameters To generate a CPInfo file 1 Click Generate CPInfo File A message next to the butt...

Страница 56: ...ion or multiple connections in High Availability or Load Balancing configurations When multiple Internet connections are defined the page shows them in a table You can add a new connection and edit de...

Страница 57: ...DSL modem You must enter the IP address the subnet mask default gateway and DNS Server Settings IPoE dynamic IP DSL only The Internet IP of the appliance is imported through DHCP IPoE static IP DSL T...

Страница 58: ...a dual stack pure IPv6 network For PPPoE over ATM over VDSL ADSL or IPoE over ATM over VDSL ADSL or for an ADSL interface Enter the VPI number and VCI number you received from your service provider a...

Страница 59: ...ss Assignment PPPoE IPv4 only In Local tunnel IP address select if the IP address is obtained automatically or manually configured If manually configured enter the IP address Service Provider Settings...

Страница 60: ...nfigured in High Availability or Load Sharing modes When you configure more than one Internet connection the Device Internet page lets you toggle between these options The Advanced setting of each Int...

Страница 61: ...able the Wireless network click Disable Enable To edit the radio settings 1 Click Radio settings 2 Select the correct Operation mode Channel Channel width and Transmitter power 3 Click Advanced to set...

Страница 62: ...ver This option is also known as WPA Enterprise Network password When authenticating using a password enter a password or click Generate for an automatically generated password Show To see the passwor...

Страница 63: ...te automatic rules that are shown in the Access Policy Firewall Policy page Allow access from this network to local networks Wireless network is trusted Log traffic from this network to local networks...

Страница 64: ...ally acquired IP address Other Settings You can optionally configure these additional parameters so they will be distributed to DHCP clients Time servers Call manager TFTP server TFTP boot file X Wind...

Страница 65: ...cified transmitter You can also use unassigned LAN ports to create an internet connection In the table these ports have the status Assigned to Internet Notes LAN ports assigned to internet connections...

Страница 66: ...ork configure the settings for the switch Monitor Mode See below 3 Choose the IP address and Subnet mask the switch uses 4 Use Hotspot Select this checkbox to redirect users to the Hotspot portal befo...

Страница 67: ...or mode in the WebUI 1 Go to Device Local Network 2 Select an interface and double click The Edit window opens in the Configuration tab 3 In the Assigned To drop down menu select Monitor Mode The Manu...

Страница 68: ...ace is not part of any network and cannot be used One of the existing configured switches or bridges Separate network When selecting a separate network configure this information IP address Subnet mas...

Страница 69: ...or more information on the maximum number of VLANs that you can configure for each appliance refer to sk113247 http supportcontent checkpoint com solutions id sk113247 Configure the fields in the tabs...

Страница 70: ...the fields in the tabs Configuration tab In Bridge Configuration select the networks you want to be part of the bridge Enable Spanning Tree Protocol When Spanning Tree Protocol STP IEEE 802 1d is ena...

Страница 71: ...d IPv6 Settings Configure the Router Advisement fields To create edit a Virtual Access Point VAP See the Device Wireless Network help page DHCP SLAAC Settings tab Note In IPv4 only mode this tab is ca...

Страница 72: ...d custom options that are not listed above For each custom option you must configure the name tag type and data fields Configuring a Hotspot In the Device Hotspot page if a network interface was defin...

Страница 73: ...t list enter the filter value The list shows the objects that match the filter 4 If necessary click New to add new objects to the list For information on how to create a new object see the Users Objec...

Страница 74: ...pply The same user cannot log in to the Hotspot portal from more than one computer at a time On the Active Devices page available through the Home and Logs Monitoring tabs you can revoke Hotspot acces...

Страница 75: ...IP address Internet connection Select an internet connection VPN Tunnel VTI Select the VPN Tunnel 3 Click OK 4 Click any source and select an option in the new window that opens Any Specified IP addr...

Страница 76: ...vice Local Network page are only available for manually defined routing rules created on this page You cannot edit delete enable and disable routing rules created by the operating system for directly...

Страница 77: ...CLI You cannot configure MAC filtering in the WebUI 802 1x Authentication Protocol IEEE 802 1x is a port based network access protocol that provides an authentication mechanism for devices that are ph...

Страница 78: ...lect the LAN interface and click Edit 2 The Edit window opens in the Configuration tab 3 Click the Advanced tab 4 Clear Activate 802 1x authentication 5 Click Apply To configure logging for MAC filter...

Страница 79: ...ck Point Appliance functions as your DNS proxy and provides DNS resolving services to internal hosts behind it network objects This option is global and applies to all internal networks To get IP addr...

Страница 80: ...ick OK in the confirmation message The factory default settings are restored The appliance reboots to complete the operation Note This does not change the software image Only the settings are restored...

Страница 81: ...rade The Upgrade Software Wizard opens 2 Follow the Wizard instructions Note The firewall remains active while the upgrade is in process Traffic disruption can only be caused by Saving a local image b...

Страница 82: ...licy click the checkbox 3 To enable IPv6 networking click the checkbox 4 Click Apply Note This causes the appliance to reboot Using the Software Upgrade Wizard Follow the instructions in each page of...

Страница 83: ...k settings and DNS configuration The backup file also contains the Secure Internal Communication certificate and your license If you want to replace an existing appliance with another one you can rest...

Страница 84: ...Only Administrators cannot update appliance configuration but can change their own passwords or run a traffic monitoring report from the Tools page Networking Administrator Limited permissions Networ...

Страница 85: ...S server is selected by default 5 Configure the role for each user on the RADIUS server See additional details below Note A user without role definition will get a login error 6 If you select Use defa...

Страница 86: ...lted RADIUS server for non local appliance users 1 Create the dictionary file checkpoint dct on the RADIUS server in the default dictionary directory that contains radius dct Add these lines to the fi...

Страница 87: ...ole Where role is the name of the administrator role that is defined in the WebUI Administrator Role Value Super Admin adminRole Read only monitorrole Networking Admin networkingrole To configure an O...

Страница 88: ...or serial console client 2 Log in to the Clish shell using your user name and password 3 Run Expert 4 Enter the expert password Configuring Administrator Access The Device Administrator Access page l...

Страница 89: ...table 6 Change the WEB Port HTTPS and or SSH port if necessary 7 Click Apply An administrator can access the Check Point Appliance using the configured IP addresses through the allowed interface sour...

Страница 90: ...Point Appliance Note The appliance name can only contain alphanumeric characters and the hyphen character Do not use the hyphen character as the first or last character Important If the gateway s Inte...

Страница 91: ...S account details in one of the supported providers Configure a service that lets you remotely connect to the appliance in instances where it is behind NAT a firewall or has a dynamically assigned IP...

Страница 92: ...y The validation token web link and shell link are shown on the page 5 Go to Device Administrator Access Configure Internet as a source for administrator access and set specified IP addresses When the...

Страница 93: ...can select and assign a Web portal certificate from the list of installed certificates with the exception of the Default certificate The new certificate must be configured on the Installed Certificate...

Страница 94: ...nsult with Check Point support when necessary To filter the list of attributes 1 Enter text in the Type to filter field The search results are dynamically shown as you type 2 To cancel the filter clic...

Страница 95: ...the console port There are three modes for working with this port Console This is the default mode configured The port is used to access the appliance s console Active Instead of connecting through t...

Страница 96: ...secret 3 For temporary or guest users click Temporary user Enter the expiration date and time 4 To give the user remote access permissions select Remote Access permissions 5 Click Apply The user is ad...

Страница 97: ...e Administrators page lists the Check Point Appliance administrators and lets you Create new local administrators Configure the session timeout Limit login failure attempts Administrators can also be...

Страница 98: ...nistrator from the list 2 Click Delete 3 Click Yes in the confirmation message Note You cannot delete an administrator who is currently logged in To allow access for administrators defined in a remote...

Страница 99: ...the Check Point Appliance When a non local user logs in to the appliance the RADIUS server authenticates the user and assigns the applicable permissions You must configure the RADIUS server to correc...

Страница 100: ...ictionary file dictionary checkpoint in etc freeradius on the RADIUS server Check Point dictionary file for freeradius AAA server VENDOR CheckPoint 2620 ATTRIBUTE CP Gaia User Role 229 string CheckPoi...

Страница 101: ...CP Gaia User Role add attribute 230 CP Gaia SuperUser Access val_type Integer val_size 4 2 Add the line include subdicts dict checkpoint to etc openradius dictionaries immediately after dict ascend 3...

Страница 102: ...1812 Shared secret The secret between the RADIUS server and the Check Point Appliance Show Displays the shared secret Timeout seconds A timeout value in seconds for communication with the RADIUS serv...

Страница 103: ...IP protocol if you selected Type Other ICMP type and ICMP code Enter the ICMP type and code that you want the service object to represent as listed in RFC 792 This option is only relevant if you selec...

Страница 104: ...does not contain the services you need For information on creating a new service object see the Users Objects Services page 5 Click Apply The New Service Group window opens and shows the services you...

Страница 105: ...ry Allow DNS server to resolve this object name When the gateway is the DNS server for your internal networks the name of the server network object is translated to its IP address Exclude from DHCP se...

Страница 106: ...administrator of the Security Management Server that centrally manages this gateway must complete prerequisite steps You can use this page to manage URLs lists Add new URLs IP addresses or regular exp...

Страница 107: ...d after URLs lists are predefined in the appliance s security policy If a list was removed or renamed in the Security Management Server a warning shows above the table and next to the URLs List in the...

Страница 108: ...lick Query Syntax in the table header To see the security log record 1 Select a log entry from the list 2 Click View Details or double click the entry The log record opens To refresh the security log...

Страница 109: ...tor notifications for events which occurred on the appliance These are the syslog types Info Informative logs such as policy change information administrator login details and DHCP requests Notice Not...

Страница 110: ...l Select Show Obfuscated Fields Obfuscated packets are shown as plain text 6 Select logs to forward System logs Security logs Both system and security logs 7 Click Apply To configure additional syslog...

Страница 111: ...installed When you download an infected file there is a possibility that the file was opened or triggered and infected the host or server Object name Shows the object name if the host or server was c...

Страница 112: ...e See the Threat Prevention Threat Prevention Blade Control page for a description of the action types Log Select the tracking option None Log or Alert Logs are shown on the Logs Monitoring Security L...

Страница 113: ...fresh to manually refresh this page with updated tunnel information Note This page is available from the VPN and Logs Monitoring tabs Viewing Active Connections The Logs Monitoring Connections page sh...

Страница 114: ...d enable SNMP versions in addition to v3 SNMP v3 Users To add a new SNMP v3 user click New To edit an existing SNMP v3 user select the user from the list and click Edit To delete an SNMP v3 user selec...

Страница 115: ...ospf area backbone ospf_area range ip_prefix on off area backbone ospf_area range ip_prefix restrict on off stub network ip_prefix on off stub network ip_prefix stub network cost 1 677722 set ospf int...

Страница 116: ...he power source 2 Place the Boot loader file on a USB drive in the top folder Do not rename the file 3 Make sure the top folder of the USB drive does not contain any previous Boot loader or Firmware i...

Страница 117: ...ates a new factory default image Back up your settings so you can restore them after the installation is complete Note From R77 20 85 and higher SD cards are formatted with ext4 In earlier versions SD...

Страница 118: ...tenance Mode 4 Restore to Factory Defaults local 5 Install Update Image Boot Loader from Network 6 Restart Boot Loader 7 Run Hardware diagnostics 8 Install DSL Firmware Upload preset configuration fil...

Страница 119: ...are asked if you want to manually load the image from a TFTP server or if you want to use automatic mode with a bootp server 4 If you select manual mode you are asked to fill in the IP of the Check P...

Страница 120: ...ctivity LEDs blink orange and green alternately to show progress This takes some minutes When this completes the appliance reboots automatically To restore factory defaults with the button on the back...

Страница 121: ...y n select y to continue and restore the appliance to its factory defaults settings While factory defaults are restored all LAN Link and Activity LEDs blink orange and green alternately to indicate pr...

Страница 122: ......

Страница 123: ...an Existing Check Point Appliance to a Cluster 16 Creating a Cluster for New Gateways 13 Creating a Gateway 28 Creating a SmartLSM Appliance Cluster 30 Creating the Security Policy 17 D Defining a Gat...

Страница 124: ...onfiguration Files 43 U Upgrade Using a USB Drive 116 Upgrade Using an SD Card 117 Upgrade Using Boot Loader 119 Using System Tools 54 92 113 Using the set property Command 44 Using the Software Upgra...

Результаты поиска

Содержание L-71

Отзывы:

Похожие инструкции для L-71

Бренды по названию

Популярные бренды

Check Point L-71, Руководство администратора

Результаты поиска

Содержание L-71

Отзывы:

Похожие инструкции для L-71

Бренды по названию

Популярные бренды