
Check Point VPN-1 Edge/Embedded Management Solutions

For additional technical information about Check Point products, consult Check Point's SecureKnowledge at

https://secureknowledge.checkpoint.com
See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents/docs_r60.htm

Part No.: 701308 April 2005

© 2003-2005 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:


Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:
2003-2005 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

THIRD PARTIES:
Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust. Verisign is a trademark of Verisign Inc. The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided as is without express or implied warranty. Copyright Sax Software (terminal emulation only). The following statements refer to those portions of the software copyrighted by Carnegie Mellon University. Copyright 1997 by Carnegie Mellon University. All Rights Reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. The following statements refer to those portions of the software copyrighted by The Open Group. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright 1998 The Open Group. The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. GDChart is free for use in your applications and for chart generation. YOU MAY NOT redistribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001.
Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1996 - 2004, Daniel Stenberg, <daniel@haxx.se>. All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0 Copyright (c) 1999 - 2004 The PHP Group. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact group@php.net. 4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from group@php.net. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo". 5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes PHP, freely available from <http://www.php.net/>". THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at group@php.net. For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>. This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Copyright (c) 2003, Itai Tzur <itzur@actcom.co.il> All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright 2003, 2004 NextHop Technologies, Inc. All rights reserved. Confidential Copyright Notice Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed. Trademark Notice The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.

U.S. Government Restricted Rights The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987). Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations. Warranty Disclaimer THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU. Copyright ComponentOne, LLC 1991-2002. All Rights Reserved. BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")) Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release

Check Point Software Technologies Ltd.
U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, info@CheckPoint.com
International Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

Table Of Contents
Chapter 1 Introduction to VPN-1 Edge/Embedded Appliances
Introduction 7
The Need for Security & VPN Solutions for Different Sized Organizations 8
The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances 8
Finding the Right Check Point Management Solution 9
An Overview of VPN-1 Edge/Embedded 11
VPN-1 Edge and Embedded Device Functionality 14

Chapter 2 Installation and Configuration


Introduction to the Installation and Configuration Processes 17
Before You Begin 17
Overview of Workflow for SmartCenter Management Solution 18
Overview of Workflow for SmartLSM Management Solution 18
Configuration Operations 20
Installing and Configuring VPN-1 Edge/Embedded Appliances 20
Installing and Configuring VPN-1 Edge/Embedded in SmartCenter 20
Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter 21
Creating and Working with VPN-1 Edge/Embedded objects for SmartLSM 28
Creating a Security Policy for the VPN-1 Edge/Embedded Appliance 31
Security Policy Operations 32
Managing VPN-1 Edge/Embedded Devices with SmartCenter Server 33
Remote Login to the SmartCenter Server 34
Configuring VPN in SmartCenter 35
Viewing Logs in the SmartView Tracker 42
Downloading the Latest Firmware from SmartUpdate 43


CHAPTER 1
Introduction to VPN-1 Edge/Embedded Appliances


In This Chapter
Introduction page 7
The Need for Security & VPN Solutions for Different Sized Organizations page 8
The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances page 8

Introduction
Thank you for using Check Point VPN-1 Edge and VPN-1 Embedded appliances, which provide secure connectivity and VPN solutions at affordable prices. Check Point's VPN-1 Edge appliances, which include the X-series and S-series appliances, are easy to install and user-friendly. Moreover, along with the VPN-1 Embedded appliances (such as Nokia and NEC devices), they are seamlessly and securely integrated with the different Check Point management solutions: SmartCenter, Provider-1 and SmartLSM. This document describes how your VPN-1 Edge and VPN-1 Embedded appliances are managed using these Check Point management solutions. In this document you will also learn about the Check Point features that the VPN-1 Edge and other Embedded appliances support, and how to use these appliances for your VPN solutions.

The Need for Security & VPN Solutions for Different Sized Organizations

All enterprises and organizations, large and small, require tailor-made security and VPN solutions for the management of their remote sites and branch offices. These solutions must take into consideration that remote sites or branch offices:
- do not necessarily need enterprise-size solutions, or enterprise-size costs, for their moderate-sized employee base;
- do not require advanced Security Policy and VPN configurations, but do require full security and connectivity;
- do not necessarily employ a full-time security administrator, and are not necessarily looking to manage the VPN-1 Pro or VPN-1 Express module themselves.

What these businesses require is a solution that offers connectivity and security at an affordable rate, is easy to integrate into existing infrastructure, and is easy to use.

The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances
VPN-1 Edge is a series of appliances offered by Check Point that provides both security and VPN solutions that are affordable, easy to configure and simple to manage, for securing enterprise remote sites and large-scale VPN deployments. In addition, Check Point supports management of other VPN-1 Embedded appliances. VPN-1 Edge appliances and VPN-1 Embedded appliances support SMART management and can be used in conjunction with VPN-1 Pro and VPN-1 Express. VPN-1 Edge and VPN-1 Embedded appliances enable enterprise customers to quickly and easily create a seamless Check Point Internet security infrastructure. These appliances can be centrally managed and easily incorporated into existing infrastructures. They have no moving parts, are easy to use, and compromise neither connectivity nor security.

Finding the Right Check Point Management Solution

The VPN-1 Edge and VPN-1 Embedded appliances can be managed using any one of the following Check Point management solutions: SmartCenter (Pro or Express), SmartLSM or Provider-1.

SmartCenter is considered the standard VPN-1 Edge/Embedded management solution and is often used in conjunction with SmartLSM. SmartCenter management suits organizations with branch offices that are looking for an affordable basic security and VPN solution for each branch office. In SmartDashboard, each VPN-1 Edge or VPN-1 Embedded appliance is represented by a network object called the VPN-1 Edge/Embedded Gateway, which is created and managed there.
FIGURE 1-1 SmartCenter Deployment

SmartLSM is an extension of SmartCenter that provides administrators with an effective means of provisioning and managing hundreds or thousands of VPN-1 Edge/Embedded ROBO (Remote Office/Branch Office) Gateways. VPN-1 Edge/Embedded Profiles and Profile policies are defined in SmartDashboard; VPN-1 Edge/Embedded ROBO Gateways are provisioned and managed via the SmartLSM console application. For more information, see the SmartLSM Guide.


FIGURE 1-2 SmartLSM Deployment

Provider-1 is used by large enterprises and by Managed Service Providers to centrally manage multiple, fully customized customer domains. VPN-1 Edge/Embedded appliances are integrated transparently with this management solution. The management capabilities of a Provider-1 CMA (Customer Management Add-On) are equivalent to those of the SmartCenter Server, including the SmartLSM extension. Global VPN Communities are currently not supported for VPN-1 Edge/Embedded appliances.


FIGURE 1-3 Provider-1 Deployment

An Overview of VPN-1 Edge/Embedded

In This Section
VPN-1 Edge versus VPN-1 Embedded page 11
Advantages of the VPN-1 Edge/Embedded Appliances page 12
Overview of a Typical Workflow page 13

VPN-1 Edge versus VPN-1 Embedded
Check Point's VPN-1 Edge appliances are available in the following series:
- S-series, ideal for telecommuters and small remote offices that require remote access VPN. This series has a stateful inspection firewall.
- X-series, ideal for sites requiring site-to-site VPN. This series also delivers additional capabilities such as high performance, high availability, support for multiple ISPs and automatic recovery.


- W-series, which provides secure wireless connectivity for remote sites, branch offices and partner sites by integrating a secure wireless access point with market-leading VPN-1/FireWall-1 technology, high availability support and simple Web-based setup.

The following VPN-1 Embedded appliances are also supported:
- Nokia's IP30 and IP40
- NEC's SecureBlade and SecureBlade 300

Whatever the series, the VPN-1 Edge/Embedded appliances support any of the Check Point management solutions (SmartCenter, SmartLSM, Provider-1). Apart from their own seamless integration and ease of use, they also benefit from most of the advantages of a regular VPN-1 Pro gateway.

Advantages of the VPN-1 Edge/Embedded Appliances
There are several distinct advantages to working with VPN-1 Edge/Embedded devices. The features that are supported depend on the device that you own:
- Installation, Integration and Configuration - The VPN-1 Edge appliance itself is easy to install and configure. Moreover, the VPN-1 Edge/Embedded appliance can be used immediately once SmartCenter (Pro or Express) has been installed. The appliance is diskless; it contains pre-configured software and can be used out of the box.
- VPN - VPN-1 Edge/Embedded appliances can be deployed in Check Point VPN-1 solutions, which offer full encryption and authentication capabilities. These appliances can participate as a peer gateway in the corporate VPN with just one click, either in a Site-to-Site Community (Star or Meshed) or as a Remote Access client. For more information on building VPN Communities, see the VPN Guide.
- Security - A Security Policy can be enforced on VPN-1 Edge/Embedded appliances. Security highlights include support for Check Point's patented Stateful Inspection, Anti-spoofing, DoS protection and H.323 VoIP. Networking highlights include DHCP, NAT support and Access Control.
- Logging and monitoring appliance status - The status and traffic of the VPN-1 Edge/Embedded appliances can be monitored and logged using the Check Point SmartConsole clients SmartView Tracker and SmartView Status. These tools can be used for troubleshooting.
- Centralized upgrading - The firmware of the VPN-1 Edge/Embedded device can be upgraded automatically through Check Point SmartUpdate support.


An Overview of VPN-1 Edge/Embedded

Overview of a Typical Workflow

1 Install the VPN-1 Edge and/or Embedded appliance. For more information see your vendor documentation.
2 Create objects to represent these appliances in the respective management solution (for example, SmartLSM, etc.). This includes the creation of a VPN-1 Edge/Embedded Profile and a Gateway, where the latter is the network object that represents the VPN-1 Edge/Embedded appliance.
3 The initial configuration of the appliance and the connection to the SmartCenter Server is done via a Web GUI called the VPN-1 Edge/Embedded portal (http://my.firewall). It is imperative that trust is established between the SmartCenter and the device so that they can communicate freely and securely. Moreover, the device must connect to the SmartCenter server so that the management operations carried out by the SmartCenter server can be applied. This establishment of trust is equivalent to the SIC (Secure Internal Communication) process that takes place in SmartCenter between regular gateways and the SmartCenter Server.
4 Perform management operations. All the management operations, such as defining VPN relations with other gateways, fetching a policy or updating the software version embedded in the appliance (or firmware, as it is called), are performed by the SmartCenter Server using any one (or a combination) of the Check Point management solutions (SmartDashboard, SmartLSM or Provider-1), or via the Command Line. SmartCenter uses an encrypted UDP-based protocol (called SWTP_SMS or SWTP_Gateway) to communicate with the VPN-1 Edge/Embedded appliance. This protocol is enforced in an implied rule in the Security Policy. For more about SmartCenter management, see the SmartCenter Guide.

Chapter 1

Introduction to VPN-1 Edge/Embedded Appliances


The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances

VPN-1 Edge and Embedded Device Functionality

In This Section
VPN-1 Edge/Embedded Appliances: VPN Communities and Management page 14
VPN-1 Edge/Embedded and Packet Filtering FireWall page 15
Logging in the SmartView Tracker page 15
Viewing the Status of VPN-1 Edge/Embedded Appliances & VPN Creation page 16
Upgrading VPN-1 Edge/Embedded Appliance Firmware using SmartUpdate page 16

VPN-1 Edge/Embedded Appliances: VPN Communities and Management

VPN-1 Edge/Embedded Gateways can participate in two types of VPN communities: Site-to-Site and Remote Access. These communities are explained in more detail in the VPN Guide.
Site-to-Site

Unless otherwise stated, VPN-1 Edge and Embedded Device Gateways are added to communities and participate in the VPN tunnel in the same manner as all VPN-1 Pro Gateway objects; they are added, like regular participating gateways, into the VPN community (Star or Meshed). Consult the VPN Guide for more information on building VPN between Gateways.
Note - On SmartCenter Express, any VPN-1 Edge/Embedded appliance that is connecting using Site-to-Site VPN is considered to be an additional managed site; therefore, you are required to obtain an additional license.

VPN-1 Edge/Embedded as a Remote Access Client

You can configure the VPN-1 Edge/Embedded appliance to act as a remote client (it is added to a Remote Access Community). In this case it is configured in an atypical VPN configuration where the VPN-1 Edge/Embedded Gateway is added as a User group to the VPN-1 community. This User group is created by default and is called VPN-1 Embedded devices defined as Remote Access. All machines deployed behind the VPN-1 Edge/Embedded Gateway will also function as Remote Access Clients. This means that all traffic from these gateways will be tunneled as well.


VPN-1 Edge/Embedded Managed by an External Management Server

VPN-1 Edge/Embedded Gateway objects that are managed by an external Management Server can be defined. These objects can be used in VPN communities. Typically, externally managed gateways are used in Extranet scenarios with partners, or with additional Management Servers.

VPN-1 Edge/Embedded and Packet Filtering FireWall

VPN-1 Edge/Embedded appliances use Check Point's Stateful Inspection technology just like regular VPN-1 Pro Gateways. Gateways which are used in the Rule Base get their Security Policy from the SmartCenter Server. This policy enforces the manner in which connections are allowed (or not allowed) to pass to and from the VPN-1 Edge/Embedded appliance. Access Control is used to determine the resources and services that are authorized to be used. This access authorization sets the level of security. Rules are attributed to VPN-1 Edge/Embedded gateways by installing the rule on a specific gateway. For more about Access Control, see the FireWall and SmartDefense Guide. VPN-1 Edge/Embedded appliances can be used with the following actions in the Security Policy Rule Base: Accept, Drop and Reject.

Logging in the SmartView Tracker

VPN-1 Edge logs can be generated and sent to a logging server. This server consolidates all VPN-1 Edge logs in the SmartView Tracker. You can view regular logs and audit logs (for management operations) in the SmartView Tracker. You can use these logs to troubleshoot and confirm that connections are passing to and from the VPN-1 Edge/Embedded appliance according to what is specified in the Security Policy. SmartView Tracker has a pre-defined query called VPN-1 Edge/Embedded which can be used to focus on the logs generated from the appliances specifically. Since the VPN-1 Edge/Embedded Gateway fetches at periodic intervals, you will notice that logs appear in the SmartView Tracker only after the periodic interval has passed.


Viewing the Status of VPN-1 Edge/Embedded Appliances & VPN Creation

Use the SmartView Monitor in order to learn more about the status of the VPN-1 Edge/Embedded appliances. SmartView Monitor is available to both VPN-1 Pro and Check Point Express customers. SmartLSM customers may view the status of their objects in SmartView Monitor, or in the SmartLSM SmartConsole.
Note - SmartLSM is only available to VPN-1 Pro customers.

Upgrading VPN-1 Edge/Embedded Appliance Firmware using SmartUpdate

The firmware of the VPN-1 Edge/Embedded Gateway represents the software that is running on the appliance. The VPN-1 Edge/Embedded Gateway's firmware can be viewed and upgraded using SmartUpdate. This is a centralized management tool which is used to upgrade all modules in the system by downloading new versions from the download center. When installing new firmware, the firmware is prepared at the SmartCenter Server, downloaded and subsequently installed when the VPN-1 Edge/Embedded Gateway fetches for updates. Since the VPN-1 Edge/Embedded Gateway fetches at periodic intervals, you will notice the upgraded version on the gateway only after the periodic interval has passed.


CHAPTER 2

Installation and Configuration


In This Chapter
Introduction to the Installation and Configuration Processes page 17
Before You Begin page 17
Overview of Workflow for SmartCenter Management Solution page 18
Overview of Workflow for SmartLSM Management Solution page 18
Configuration Operations page 20

Introduction to the Installation and Configuration Processes


The installation and configuration process depends on a number of factors: the management solution that you are using (whether SmartCenter, SmartLSM or Provider-1), the type of VPN community that you are configuring as well as the type of device that you are using.

Before You Begin


Before you can work with the VPN-1 Edge/Embedded appliance, you need to install and configure it via the VPN-1 Edge/Embedded Portal. This is a Web GUI used expressly for the management of the appliance. Apart from the actual installation process you need to perform a first-time login to the VPN-1 Edge/Embedded appliance via the portal. In this first-time login you are meant to set up initial administrator permissions and an authorization permission as well as the Internet connection itself. For more information, see the relevant vendor documentation.


Overview of Workflow for SmartCenter Management Solution


This workflow assumes that you have installed SmartCenter (Pro or Express). For more information see the Getting Started Guide for NGX R60. The following workflow represents the order in which you should work with the VPN-1 Edge and Embedded appliances. More details about each step in the workflow can be found in this document.
1 Install and configure the VPN-1 Edge or Embedded appliance. Consult the relevant vendor documentation for more information. If you are setting up the appliance on the network, make sure that it is successfully connected.
2 In SmartDashboard, create the VPN-1 Edge/Embedded Gateways. Make sure that you set up the VPN-1 Edge/Embedded appliance's topology properly and add the Gateway to a VPN Community.
3 Create rules for your objects and install the Security Policy. This step should be repeated whenever a modification to the VPN-1 Edge/Embedded objects is made.
4 On the VPN-1 Edge/Embedded portal, define your SmartCenter Server as the VPN-1 Edge/Embedded appliance's management server. This means that the SmartCenter Server is now responsible for managing the appliance, including VPN relations, Access Control, Licensing and updates. The communication between the SmartCenter Server and the VPN-1 Edge/Embedded appliance is secured.

Overview of Workflow for SmartLSM Management Solution


This workflow assumes that you have installed SmartCenter Pro. For more information see the Getting Started Guide for NGX R60. The following workflow represents the order in which you should work with the VPN-1 Edge and Embedded appliances. More details about each step in the workflow can be found in this document.
1 Install and configure the VPN-1 Edge or Embedded appliance. Consult the relevant vendor documentation for more information. If you are setting up the appliance on the network, make sure that it is successfully connected.
2 To enable SmartLSM, run the command LSMenabler on on the SmartCenter Pro Server.


3 In SmartDashboard, create a SmartLSM VPN-1 Edge/Embedded Profile. When creating the profile you can specify the VPN community in which you would like the profile to participate. This step can also take place at a later stage.
Note - In SmartLSM, the profile associated with the VPN-1 Edge/Embedded Gateway can only participate in a Star community for Site-to-Site configuration.

Create one or more Dynamic Objects to be enforced on the VPN-1 Edge/Embedded ROBO Gateway. Create rules for your objects and install the Security Policy. This step should be repeated whenever a modification to the VPN-1 Edge/Embedded ROBO objects is made. (This step needs to take place after you have created the VPN-1 Edge/Embedded ROBO Gateway in SmartLSM.) Close SmartDashboard.
4 In SmartLSM, create a VPN-1 Edge/Embedded ROBO Gateway, add the Dynamic Object to the VPN-1 Edge/Embedded ROBO Gateway and update the CO (Corporate Office) Gateway. For more information see the SmartLSM Guide.
5 On the VPN-1 Edge/Embedded portal, define your SmartCenter Server as the VPN-1 Edge/Embedded appliance's management server. This means that the SmartCenter Server is now responsible for managing the appliance, including VPN relations, Access Control, Licensing and updates. The communication between the SmartCenter Server and the VPN-1 Edge/Embedded appliance is secured.

Chapter 2

Installation and Configuration


Configuration Operations
In This Section
Installing and Configuring VPN-1 Edge/Embedded in SmartCenter page 20
Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter page 21
Creating and Working with VPN-1 Edge/Embedded objects for SmartLSM page 28
Creating a Security Policy for the VPN-1 Edge/Embedded Appliance page 31
Security Policy Operations page 32
Managing VPN-1 Edge/Embedded Devices with SmartCenter Server page 33
Remote Login to the SmartCenter Server page 34
Configuring VPN in SmartCenter page 35
Configuring VPN-1 in SmartLSM page 41
Viewing Logs in the SmartView Tracker page 42
Downloading the Latest Firmware from SmartUpdate page 43

Installing and Configuring VPN-1 Edge/Embedded Appliances


For information on how to install, configure and work with the VPN-1 Edge/Embedded Appliance, consult the relevant vendor documentation.

Installing and Configuring VPN-1 Edge/Embedded in SmartCenter


VPN-1 Edge support is enabled automatically during the installation of the SmartCenter Server (Pro or Express), for version NGX R60. There is no need to install any additional component.
Note - VPN-1 Edge cannot be managed from a SmartCenter Server running on Nokia.


Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter


A VPN-1 Edge/Embedded Gateway object which represents the VPN-1 Edge/Embedded Appliance should be defined in SmartDashboard in order for the SmartCenter Server to be able to manage the VPN-1 Edge/Embedded appliance:
Create the VPN-1 Edge/Embedded Gateway which represents the VPN-1 Edge/Embedded appliance and associate it with a VPN-1 Edge/Embedded Profile. See Creating a VPN-1 Edge/Embedded Gateway on page 21. During this process you must assign the previously created profile to the VPN-1 Edge/Embedded Gateway that is being created.

Creating a VPN-1 Edge/Embedded Gateway

A VPN-1 Edge/Embedded Gateway object is a network object that represents a VPN-1 Edge/Embedded appliance. This Gateway sits on the network and can be managed by the SmartCenter Server or by an external management server.
1 In the Network Objects tab of the Objects Tree, create a new VPN-1 Edge/Embedded Gateway.
FIGURE 2-1 Defining a VPN-1 Edge/Embedded Gateway

2 In the VPN-1 Edge/Embedded Gateway - General page, configure (FIGURE 2-2):
the general settings of the window, including its name and IP Address (whether static or dynamic), the VPN-1 Edge/Embedded Profile and version information (Type). It is very important to select the exact version of your appliance. It is also necessary to define a Password (also known as a Registration Key). This password is used for encryption and authentication purposes.
the VPN settings: to allow the VPN-1 Edge/Embedded Gateway to become a member of a VPN community, select the VPN Enabled check box and select the VPN Community type (whether Site to Site or Remote Access).
the management settings: if this Gateway is managed by an external server, check Externally Managed Gateway.


FIGURE 2-2 New VPN-1 Edge/Embedded Gateway configured for Site-to-Site VPN-1

3 In the VPN-1 Edge/Embedded Gateway - Topology page (FIGURE 2-3), the topology is set automatically because it represents the hard-coded device. The set topology includes the following three interfaces (two internal and one external):
DMZ represents a logical second network behind the Safe@Office appliance. You must connect DMZ computers to the LAN ports. DMZ is a dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) computer or network. Alternatively, the DMZ can serve as a secondary WAN port.
LAN represents the private network. LAN 1-4 Local Area Network switch: Four Ethernet ports (RJ-45) are used for connecting computers or other network devices.


WAN represents the external interface to the router. A WAN interface card is a network interface card (NIC) that allows devices to connect to a wide area network. Wide Area Network (WAN): An Ethernet port (RJ-45) used for connecting your cable or xDSL modem, or for connecting a hub when setting up more than one Internet connection.

Although these three interfaces automatically appear in the Topology window, they are not associated with an IP address and a Network Mask. If you deselect the Dynamic Address option in the General Properties window and add a static IP address, the WAN automatically receives the specified static IP address and its Network Mask is 255.255.255.255. The Type drop-down list in the General Properties window defines the hardware type and its associated topology. Currently all hardware types share the same topology. Every hardware type has one external interface and two internal interfaces. It is possible to add only one additional external interface. Once you have defined the general settings as well as the topology definitions of the VPN-1 Edge/Embedded Gateway, a certificate is automatically created.
Note - Pre-Shared Secrets work in conjunction with Static IP Addresses only.

For managed devices it is essential to specify the correct network. When managing multiple devices it is better to define the networks on the devices so as to ensure that the networks do not overlap with one another. For externally managed devices the networks specified depend upon both the NAT settings on the other side as well as the agreed configuration.
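The overlap check above is easy to get wrong by hand once a few dozen branch appliances are managed from one SmartCenter. The following is an added example, not code from the guide or from Check Point: it takes a constructed inventory of gateway objects (names, WAN host addresses and the LAN/DMZ networks behind each), reports every pair of internal networks that overlap, and picks the next free subnet from an addressing pool. The site names, addresses and pool are assumptions.

```python
"""Detect overlapping internal networks across managed VPN-1 Edge/Embedded gateways.

Added example, not part of the original guide. The gateway names, addresses and the
address pool below are constructed for illustration.
"""
import ipaddress
from itertools import combinations

# Constructed inventory: gateway object name -> networks defined for it.
# A static WAN address is a single host (mask 255.255.255.255, i.e. /32), as the
# guide states; LAN and DMZ are the two internal interfaces behind the appliance.
SITES = {
    "Edge_Branch_A": {"wan": "203.0.113.10/32", "lan": "192.168.10.0/24", "dmz": "192.168.11.0/24"},
    "Edge_Branch_B": {"wan": "203.0.113.20/32", "lan": "192.168.20.0/24", "dmz": "192.168.21.0/24"},
    # Constructed mistake: Branch C keeps the same LAN range as Branch A, so hosts in the
    # two branches could not reach each other over the site-to-site VPN.
    "Edge_Branch_C": {"wan": "203.0.113.30/32", "lan": "192.168.10.0/24", "dmz": "192.168.31.0/24"},
}

INTERNAL_INTERFACES = ("lan", "dmz")


def internal_networks(sites):
    """Yield (site, interface, network) for every internal network in the inventory.

    strict=True rejects entries with host bits set (e.g. 192.168.10.5/24), which
    usually means a host address was typed where a network was expected.
    """
    for site, cfg in sites.items():
        for iface in INTERNAL_INTERFACES:
            yield site, iface, ipaddress.ip_network(cfg[iface], strict=True)


def find_overlaps(sites):
    """Return every pair of internal networks that overlap, as
    (site_a, iface_a, site_b, iface_b) tuples, within a site or across sites."""
    nets = list(internal_networks(sites))
    return [
        (sa, ia, sb, ib)
        for (sa, ia, na), (sb, ib, nb) in combinations(nets, 2)
        if na.overlaps(nb)
    ]


def wan_not_host(sites):
    """Return the sites whose static WAN entry is not a single /32 host address."""
    return [
        site for site, cfg in sites.items()
        if ipaddress.ip_network(cfg["wan"], strict=True).prefixlen != 32
    ]


def next_free_network(sites, pool, prefixlen=24):
    """Return the first /prefixlen subnet of pool that overlaps no network already
    defined on any site, or None when the pool is exhausted."""
    used = [net for _, _, net in internal_networks(sites)]
    for candidate in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(net) for net in used):
            return candidate
    return None


if __name__ == "__main__":
    for sa, ia, sb, ib in find_overlaps(SITES):
        print(f"overlap: {sa}/{ia} and {sb}/{ib}")
    # 192.168.20.0/24 and 192.168.21.0/24 are taken by Branch B, so the first free
    # /24 in this constructed pool is 192.168.22.0/24.
    print("suggested replacement LAN:", next_free_network(SITES, "192.168.20.0/22"))
```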


FIGURE 2-3 Configure the topology settings

4 In the VPN-1 Edge/Embedded Gateway - VPN page, associate the VPN-1 Edge/Embedded Gateway with the VPN Community of your choice (if one already exists) (FIGURE 2-4). This page can only be set after closing and reopening the VPN-1 Edge/Embedded Gateway object. At this point a certificate is created for the VPN-1 Edge/Embedded Gateway. You can also add a VPN-1 Gateway to a selected VPN community by opening the VPN community directly from the VPN Manager view. To enable High Availability, configure a backup gateway. Refer to the Configuring High Availability section in the Check Point VPN-1 Edge Internet Security Appliance Version 5.0 user guide.


FIGURE 2-4 Configuring the VPN settings

Note - To perform a detailed configuration of the created VPN-1 Edge/Embedded Gateway launch the gateway in a browser. To do this, right-click the specific VPN-1 Edge/Embedded Gateway and select Manage Devices...

5 In the VPN-1 Edge/Embedded Gateway - Content Filtering page (FIGURE 2-5), select Use UFP, Use CVP, or both if you want to restrict access to Web content and/or automatically scan your email for the detection and elimination of all known viruses and vandals, for the specific gateway. The type of UFP Server and CVP Server used for content filtering is determined in the Policy > Global Properties > VPN-1 Edge/Embedded Gateway window.


FIGURE 2-5 Configuring Content Filtering

6 In the VPN-1 Edge/Embedded Gateway - Advanced page (FIGURE 2-6), enter the following information:
Product Key enables you to remotely update the current VPN-1 Edge/Embedded gateway license (18 hexadecimal characters in three groups separated by hyphens).
MAC Address enables stronger validation of the VPN-1 Edge/Embedded gateway when communicating with the SmartCenter Server.
Configuration Script enables you to enter a script for relevant commands and features. The written script will be downloaded automatically and executed on the VPN-1 Edge device. For more detailed information about configuration scripts, refer to the Check Point Embedded NG CLI Reference Guide v.5 that can be found at http://www.sofaware.com


FIGURE 2-6 Configuring Advanced Settings


Creating and Working with VPN-1 Edge/Embedded objects for SmartLSM


The objects that are used in the SmartLSM management solution are partly created in SmartDashboard and partly in SmartLSM:
VPN-1 Edge/Embedded ROBO Gateway, which represents the VPN-1 Edge/Embedded appliance. This object is created in SmartLSM.
SmartLSM VPN-1 Edge/Embedded Profile, which is an object associated with the VPN-1 Edge/Embedded ROBO Gateway and provides it with a basic Security Policy and VPN definition. This object is created in SmartDashboard.
A Dynamic Object, which is used by the SmartLSM VPN-1 Edge/Embedded Profile in order to enforce the Security Policy. This object is created in SmartDashboard and added to the SmartLSM VPN-1 Edge/Embedded Profile in SmartLSM.
The order of the creation of the VPN-1 Edge objects is:
1 Create the SmartLSM VPN-1 Edge/Embedded ROBO gateway in SmartDashboard. See Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter on page 21.
2 Create a Dynamic Object in SmartDashboard.
3 Close SmartDashboard and open SmartLSM.
4 Create the VPN-1 Edge/Embedded ROBO Gateway which represents the VPN-1 Edge/Embedded appliance in SmartLSM, and associate it with a VPN-1 Edge/Embedded ROBO Profile. See Creating a VPN-1 Edge/Embedded ROBO Gateway on page 30. During this process you must assign the previously created profile to the VPN-1 Edge/Embedded ROBO Gateway that is being created.

In This Section
Creating a SmartLSM VPN-1 Edge/Embedded ROBO Profile page 29
Creating a VPN-1 Edge/Embedded ROBO Gateway page 30


Creating a SmartLSM VPN-1 Edge/Embedded ROBO Profile

A security policy is defined for a VPN-1 Edge/Embedded appliance, represented by a VPN-1 Edge/Embedded ROBO Gateway, by associating it to a profile.
Defining VPN-1 Edge/Embedded ROBO Profiles

1 In SmartDashboard, create a new SmartLSM Profile in the Network Objects tab of the Objects Tree (FIGURE 2-7).
FIGURE 2-7 Creating a new SmartLSM Profile in SmartDashboard

2 In the General page, enter the name and an optional comment (FIGURE 2-8).

FIGURE 2-8 Configure the SmartLSM VPN-1/FireWall-1 Profile settings

3 In the VPN page (FIGURE 2-9), enter the type of community that you would like to associate with the said profile and save the profile by closing it.


FIGURE 2-9 Configure the SmartLSM VPN-1/FireWall-1 Profile Settings for VPN

Creating a VPN-1 Edge/Embedded ROBO Gateway

A VPN-1 Edge/Embedded ROBO Gateway object is a network object that represents a VPN-1 Edge/Embedded Appliance that is created and managed in SmartLSM. This Gateway sits on the network and can be managed by the SmartCenter Server or by an external management server.
Defining VPN-1 Edge/Embedded ROBO Gateways

Before you can create the Edge/Embedded ROBO Gateway make sure that you have exited the SmartDashboard, if it is in Read/Write mode. To define VPN-1 Edge/Embedded ROBO Gateways refer to the Adding a VPN-1 Edge/Embedded ROBO Gateway and Managing VPN-1 Edge/Embedded Objects sections in the NGX R60 SmartLSM user guide.


Creating a Security Policy for the VPN-1 Edge/Embedded Appliance


1 Create your Security Policy rules. For more information on creating rules see the SmartCenter Guide. When you are creating your rules, be aware that the VPN-1 Edge/Embedded Gateway can be used in the Install On column even if there is a VPN Community specified in the VPN column. You may need a rule that allows designated services (such as ftp, telnet and http) to be performed by the VPN community. In this rule, the VPN-1 Pro gateway should be your target. For example:
TABLE 2-1 Example: a rule allowing services for Site-to-Site and Remote Access communities respectively

Source | Destination | VPN | Service | Action | Install On
Any | Any | Mesh-comm | ftp, telnet, http | Accept | VPN1_Pro_GW
All Users or VPN-1 Embedded Devices defined as Remote Access | Any | RA_comm | ftp, telnet, http | Accept | VPN1_Pro_GW

TABLE 2-2 Allowing connections from network to VPN-1 Edge/Embedded Gateway

Source | Destination | VPN | Service | Action | Install On
Edge_Net | VPN_Edge_Pro_GW | Any | Any | Accept | Any

2 Once the rules are complete, install your Security Policy (Policy > Install Policy). The VPN-1 Edge/Embedded Gateway periodically fetches the Security Policy from the SmartCenter Server. When the policy installation is complete the SmartCenter Server will attempt to update the VPN-1 Edge/Embedded Gateway with the new security policy. In order for the changes to take place immediately you can force a Policy update from the VPN-1 Edge/Embedded Portal.
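The Install On column decides whether a rule is enforced on the VPN-1 Edge/Embedded Gateway at all, which is easy to overlook when the VPN column already names a community. The following is an added example, not code from the guide or from Check Point: it models the rows of TABLE 2-1 and TABLE 2-2 and evaluates a connection first-match on a named enforcement point. The group memberships, the host names in the connections, and the treatment of unmatched traffic as dropped (standard Check Point rule base behaviour, not stated on this page) are assumptions.

```python
"""First-match evaluation of the example rules in TABLE 2-1 and TABLE 2-2.

Added example, not part of the original guide. It shows why the Install On column
matters: a rule installed only on VPN1_Pro_GW is never enforced on the Edge gateway.
The group memberships and the host names used in the connections are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    source: frozenset
    destination: frozenset
    vpn: str             # VPN community name, or Any
    service: frozenset
    action: str
    install_on: frozenset


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    community: Optional[str] = None   # VPN community the traffic travels inside, if any


def rule(name, source, destination, vpn, service, action, install_on):
    return Rule(name, frozenset(source), frozenset(destination), vpn,
                frozenset(service), action, frozenset(install_on))


# The rows of TABLE 2-1 and TABLE 2-2, in rule base order.
RULES = [
    rule("2-1 row 1", [ANY], [ANY], "Mesh-comm",
         ["ftp", "telnet", "http"], "Accept", ["VPN1_Pro_GW"]),
    rule("2-1 row 2", ["All Users", "VPN-1 Embedded Devices defined as Remote Access"], [ANY],
         "RA_comm", ["ftp", "telnet", "http"], "Accept", ["VPN1_Pro_GW"]),
    rule("2-2 row 1", ["Edge_Net"], ["VPN_Edge_Pro_GW"], ANY, [ANY], "Accept", [ANY]),
]

# Constructed group memberships; SmartCenter resolves these from its object database.
GROUPS = {
    "Edge_Net": {"branch_pc"},
    "All Users": {"alice"},
    "VPN-1 Embedded Devices defined as Remote Access": {"Edge_RA_GW"},
}


def column_matches(column, obj):
    """A Source/Destination/Service cell matches Any, the object itself, or a group it is in."""
    if ANY in column or obj in column:
        return True
    return any(obj in GROUPS.get(group, ()) for group in column)


def rule_applies(r, conn, gateway):
    if ANY not in r.install_on and gateway not in r.install_on:
        return False  # the rule was never installed on this enforcement point
    if r.vpn != ANY and conn.community != r.vpn:
        return False  # the VPN column limits the rule to traffic inside that community
    return (column_matches(r.source, conn.src)
            and column_matches(r.destination, conn.dst)
            and column_matches(r.service, conn.service))


def evaluate(rules, conn, gateway):
    """Return (rule name, action) of the first rule matching conn on the given gateway.

    Traffic that matches no rule is dropped by the implicit drop at the end of a
    Check Point rule base (assumption; not stated on this page), reported as (None, "Drop").
    """
    for r in rules:
        if rule_applies(r, conn, gateway):
            return r.name, r.action
    return None, "Drop"


if __name__ == "__main__":
    meshed_ftp = Connection("hq_server", "branch_pc", "ftp", "Mesh-comm")
    # Accepted on the VPN-1 Pro gateway, dropped on the Edge gateway: the rule was
    # installed on VPN1_Pro_GW only.
    print("on VPN1_Pro_GW:    ", evaluate(RULES, meshed_ftp, "VPN1_Pro_GW"))
    print("on VPN_Edge_Pro_GW:", evaluate(RULES, meshed_ftp, "VPN_Edge_Pro_GW"))
    # TABLE 2-2 is installed on Any, so it is enforced on the Edge gateway.
    local = Connection("branch_pc", "VPN_Edge_Pro_GW", "http")
    print("LAN to Edge GW:    ", evaluate(RULES, local, "VPN_Edge_Pro_GW"))
```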

Security Policy Operations

In This Section
Installing and uninstalling the Security Policy page 32
Downloading a Security Policy page 32
Verifying that the Security Policy was downloaded page 32

Installing and uninstalling the Security Policy

When the Security Policy is installed or uninstalled, the Security Policy is automatically downloaded to or off-loaded from the SmartCenter Server. When the VPN-1 Edge/Embedded Gateways check the SmartCenter Server for updates, the activity (whether installation or uninstallation) is implemented. To install, select Policy > Install Policy. To uninstall, select Policy > Uninstall Policy.

Downloading a Security Policy

From the VPN-1 Edge/Embedded Portal:
1 Login from the VPN-1 Edge/Embedded portal at http://my.firewall.
2 Click Services and Accounts and then click Refresh. Or, click Services and Software Updates and then click Update Now.
3 When the VPN-1 Edge/Embedded Gateway polls for updates, it downloads the latest Security Policy.

From SmartLSM, select Actions > Push Policy. The SmartCenter Server pushes the Security Policy to the VPN-1 Edge/Embedded ROBO Gateway.

Verifying that the Security Policy was downloaded

1 Login from the VPN-1 Edge/Embedded portal at http://my.firewall.
2 Click Reports and then click Event Log.
3 Verify that the following message appears: Installed updated Security Policy (downloaded).
4 Click Setup, Tools and Diagnostics. The VPN-1 Edge/Embedded object is displayed in the Policy field.


Managing VPN-1 Edge/Embedded Devices with SmartCenter Server


Before you can begin to work with the VPN-1 Edge/Embedded Appliance, whether your appliance is managed in SmartDashboard or in SmartLSM, you need to log on to the VPN-1 Edge/Embedded portal and define the SmartCenter server as the active management server. Once successfully completed, this step allows the SmartCenter Server to perform a number of management operations for the VPN-1 Edge/Embedded Appliance such as VPN-1 relations, updating the Security Policy and upgrading to later versions of firmware. Proceed as follows:
1 Browse to http://my.firewall.
2 Enter and confirm your password.
3 In the Services screen, connect to the SmartCenter Server by clicking Connect. A wizard is displayed in which you are required to configure the settings of the SmartCenter Server.

FIGURE 2-10 Login to the SmartCenter Server in the VPN-1 Edge Embedded Portal

During the SmartCenter Server setup, you are required to enter the detail of the VPN-1 Edge/Embedded Gateway object that you created. Note that the Gateway ID refers to the name of the said gateway and the Password refers to the Registration Key specified during the creation of the VPN-1 Edge/Embedded Gateway object.


FIGURE 2-11 Configuring the Gateway object.

Once this setup is successfully completed, the VPN-1 Edge/Embedded appliance and the SmartCenter server can communicate securely. For more information about this procedure, see the relevant vendor information.
Note - If your device is not installed locally, you will need to logon securely to the VPN-1 Edge/Embedded Portal using HTTPS (https://<current IP Address>:981). For more information see the relevant vendor information.

Remote Login to the SmartCenter Server


If your device is not installed locally, you will need to logon securely to the VPN-1 Edge/Embedded Portal using HTTPS (https://<current IP Address>:981). For more information see the relevant vendor information.


Configuring VPN in SmartCenter


VPN-1 Edge/Embedded Gateways can be added to Site-to-Site communities, as well as to Remote Access communities. The VPN-1 Edge/Embedded Appliance can also be configured to act as a Remote Access client. For more information, see the VPN-1 Guide, in particular the chapters dealing with:
Building VPN Between Gateways
PKI

In This Section
VPN-1 Edge/Embedded Gateway in Site-to-Site VPN Configuration page 35
VPN-1 Edge/Embedded Gateway in a Remote Access Client Configuration page 38
VPN-1 Edge/Embedded Managed by an External Management Server page 40

VPN-1 Edge/Embedded Gateway in Site-to-Site VPN Configuration

For VPN to be established the following must take place:
1 The VPN-1 Edge/Embedded Gateway must be defined and configured for Site-to-Site and a certificate created (if the VPN Community members are to use a certificate to authenticate).
On the General page (see FIGURE 2-2):
On the VPN-1 Edge/Embedded Gateway check VPN Enabled and select Site to Site in order to allow the VPN-1 Edge/Embedded Gateway to participate like any regular VPN-1 Gateway in a star or meshed community. This means that any gateway can initiate a VPN tunnel to the VPN-1 Edge/Embedded Gateway and the VPN-1 Edge/Embedded Gateway can initiate a VPN tunnel to any other gateway.
In terms of IP addresses:
If the VPN-1 Edge/Embedded Gateway has a static IP Address, you can use a certificate or an IKE pre-shared secret to establish a VPN tunnel. In this case the password you enter is used for the IKE pre-shared secret.
If the VPN-1 Edge/Embedded Gateway has a dynamic IP Address (select Dynamic Address), only a certificate can be used in order to establish a VPN tunnel. In this case, make sure that you have selected Manually defined in the VPN-1 Edge/Embedded Gateway - Topology page (see FIGURE 2-3).
Make sure that the type that you select corresponds to the actual appliance that you have in your possession.


Add a Password that will be used later on the VPN-1 Edge/Embedded Portal and for the pre-shared secret (if you have a static IP Address).
On the Topology page (see FIGURE 2-3):
Gateway defined is used for NAT implementation.
Manually Defined is used if the VPN-1 Edge/Embedded Gateway is configured for a dynamic IP Address or if NAT is not being implemented.
On the VPN page (see FIGURE 2-4), generate the certificate and close the VPN-1 Edge/Embedded Gateway.
2 If you do not already have one, create a Star or Meshed community in the VPN Manager. For more about these communities and how to configure them, see the VPN Guide.

To create a Site-to-Site community:


FIGURE 2-12 Create a new Site-to-Site Community

In a Star Community

In the Central Gateways page click Add and select the desired VPN-1 Edge/Embedded Gateway. Click OK.
Note - If you are creating a Star community, it is not recommended to include the VPN-1 Edge/Embedded Gateway as a Central Gateway.

In the Satellite Gateways page, click Add and select the desired VPN-1 Edge/Embedded Gateway. Click OK.


FIGURE 2-13 Add VPN-1 Edge/Embedded Gateway as Satellite Gateway

In a Meshed Community

In the Participating Gateways page, click Add and select the desired VPN-1 Edge/Embedded Gateway. Click OK.

In Star and Meshed Communities

In the VPN Properties page, specify the properties for the phases of IKE negotiation.
In the Shared Secret page, specify whether the VPN community member should be authenticated using a pre-shared secret or a certificate. If you would like to use a secret, make sure to select Use only shared secret for all external members. The secret used is the password defined when the VPN-1 Edge/Embedded Gateway object was created. If you would like to use certificates as a means of authentication, make sure that Use only shared secret for all external members is unchecked.
3 In the Rule Base, create the rules of your Security Policy. See Creating a Security Policy for the VPN-1 Edge/Embedded Appliance on page 31.
4 Install the rule base on the Central Gateways (for a Star community).

Chapter 2

Installation and Configuration


Configuration Operations

In the VPN-1 Edge/Embedded Portal, define the SmartCenter server as the active management server (see Managing VPN-1 Edge/Embedded Devices with SmartCenter Server on page 33). In the VPN window of the VPN-1 Edge/Embedded Portal, the Site-to-Site configuration is automatically loaded, including its topology and enterprise profile.

VPN-1 Edge/Embedded Gateway in a Remote Access Client Configuration

In order for the VPN-1 Edge/Embedded Gateway to function as a Remote Access Client, the gateway must be configured to participate in the Remote Access community. When the VPN-1 Edge/Embedded Gateway object is defined in the Check Point database, an additional User Group called All VPN-1 Edge/Embedded Gateway Appliances is created. This User Group is used in the definition of the Remote Access community.

Note - The User Group All VPN-1 Edge/Embedded Gateway Appliances is not a regular User Group and as such it doesn't appear in the Users and Administrators tab of the Objects Tree.

For more information about Remote Access Clients, see the VPN-1 Guide.
Adding the VPN-1 Edge/Embedded Gateway to a Remote Access Community

There are two basic ways to add the VPN-1 Edge/Embedded Gateway to a community:

- In the VPN-1 Edge/Embedded Gateway - VPN page, click on Add. Select the community to which you would like to associate the selected gateway.
- In the VPN Manager view, select the Remote Access community to which you would like to add the VPN-1 Edge/Embedded Gateway. Add the VPN-1 Edge/Embedded Gateway in the Participant User Group page by clicking on Add and selecting the default User Group called VPN-1 Embedded Devices defined as Remote Access, to which the VPN-1 Edge/Embedded Gateway is associated.

When VPN-1 Edge/Embedded Gateways are configured to work in client mode, it is important that the SmartCenter Server be deployed outside of the VPN domain of the Remote Access Client. If you are working with Remote Access Automatic login mode, the SmartCenter Server may be within the VPN domain; however, in this case you must create the VPN domain in the VPN-1 Edge/Embedded Gateway before connecting the VPN-1 Edge/Embedded Gateway to the SmartCenter Server.

For VPN to be established the following must take place:


- Create a VPN-1 Edge/Embedded Gateway object. Make sure that you select VPN enabled and Remote Access on the General page. Remote Access means that the selected VPN Edge Gateway can act as a Remote Access client to the corporate gateway; no other gateways will be able to initiate a VPN tunnel to this VPN Edge/Embedded Gateway. This VPN-1 Edge/Embedded Gateway can be enforced as part of a User Group in a Remote Access VPN community. If the VPN-1 Edge/Embedded Gateway has a static IP Address, use an IKE pre-shared secret to establish a VPN tunnel. In this case you will need to enter the password created on the VPN-1 Edge/Embedded Gateway object.
- Create a RemoteAccess community in the VPN Manager that includes the VPN-1 Edge/Embedded Gateway object. For more about these communities and how to configure them, see the VPN Guide.
  - In the Participating Gateways page, click Add and select the Central Gateway. Click OK.
  - In the Participant User Groups page, click Add and select VPN-1 Embedded Devices defined as Remote Access. Click OK.

FIGURE 2-14 Add User Group

Click OK to exit the Remote Access community window.



- In the Rule Base, define a rule for the Remote Access community and install it on the Gateway. See Creating a Security Policy for the VPN-1 Edge/Embedded Appliance on page 31.
- Install the Security Policy on the desired gateways.
- In the VPN-1 Edge/Embedded Portal, define the SmartCenter server as the active management server (see Managing VPN-1 Edge/Embedded Devices with SmartCenter Server on page 33). In the VPN window of the VPN-1 Edge/Embedded Portal, the Remote Access configuration is automatically loaded.
- Create a new Site to represent the VPN-1 Pro Gateway on the VPN-1 Edge/Embedded appliance. On the VPN screen, click on New Site, run the wizard and do the following steps in the Wizard:
  - Add the IP Address of the regular VPN-1 Pro Gateway.
  - Check Download Configuration.
  - Enter the name of the Site.
  - Under VPN Login, select Automatic Login and refer to the vendor documentation for more information.
- In SmartDashboard, install the Security Policy.

VPN-1 Edge/Embedded Managed by an External Management Server

You can configure the VPN-1 Edge/Embedded appliance to be managed by an external Management Server. This means that it is not managed by the local SmartCenter or MDS server. This scenario is typical for Extranet or connection to partner sites. This requires configuration in two places:

1. On the VPN-1 Edge/Embedded Gateway object:
   - On the General page, check Externally Managed Gateway. The setting defined in the Topology page depends on the agreed configuration.
   - Modify the VPN Community to which you are adding the VPN-1 Edge/Embedded Gateway. Make sure that you check Use only Shared Secret for all External Members on the Shared Secret page.
   - Modify the Security Policy; make sure that the rule installed on the profile is disabled.
   - Install the Security Policy.

2. On the VPN-1 Edge/Embedded Portal, on the VPN screen, click on New Site, run the wizard and do the following steps:
   - Add the IP Address of the regular VPN-1 Pro Gateway.
   - Check Download Configuration.


   - Configure the routing destination and subnet mask of the external management server.
   - Under Authentication, select Use shared secret.
   - Click on Connect in order to connect to the VPN-1 Pro Gateway.

Configuring VPN-1 in SmartLSM

VPN-1 Edge/Embedded ROBO Gateways can participate in meshed Site-to-Site communities. In SmartLSM, VPN is supported using IKE authentication with Check Point internal certificates:

1. In the VPN-1 Edge/Embedded Portal, verify that a certificate has been installed on the VPN-1 Edge/Embedded Device before establishing the VPN tunnel.

2. In SmartLSM:
   - Add a dynamic object to the VPN-1 Edge/Embedded ROBO Gateway. In order to implement VPN on VPN-1 Edge/Embedded ROBO Gateways, dynamic objects need to be added to the VPN domain of these objects. Make sure you check Add to VPN domain.
   - Update the Corporate Office (CO) Gateway.

3. In SmartDashboard, create a VPN Star community that includes the VPN-1 Edge/Embedded ROBO Gateway and the CO Gateway as follows:
   - In the Central Gateway page, click Add. Select the CO gateway from the displayed list and click OK.
   - In the Satellite Gateways page, click Add. Select the SmartLSM VPN-1 Edge/Embedded profile from the displayed list and click OK.
   - In the VPN Properties page, specify the IKE phase properties.
   - In the Shared Secret page, uncheck Use only Shared secret for all External Members. Make sure that shared secret is only used for external members and set the properties for the IKE negotiations.

   A topology file and a certificate are downloaded to the VPN-1 Edge/Embedded ROBO Gateway. This topology file lists the members of the VPN community and specifies the encryption information.

4. On the VPN-1 Edge/Embedded Portal, on the VPN screen, specify the configuration type (whether Site-to-Site or Remote Access) and check Download Configuration.
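The constraints this chapter places on an Edge gateway's community membership (pre-shared secret only with a static IP Address, the Edge gateway not as a Star Central Gateway, shared secret only for an externally managed gateway, internal certificates for SmartLSM ROBO gateways, SmartCenter outside a client-mode Remote Access VPN domain unless Automatic Login is used) can be checked before a policy is installed. The lint below is an added example, not Check Point's code; its EdgeGateway and Community classes are an assumed data model for the example, not a SmartCenter API, and the sample gateways are constructed.

```python
# Added example (not Check Point's code): a pre-deployment lint that encodes the
# community-membership rules this chapter states for VPN-1 Edge/Embedded gateways.
# EdgeGateway and Community are an assumed data model, not a SmartCenter API.
from dataclasses import dataclass, field
from typing import List

@dataclass
class EdgeGateway:
    name: str
    static_ip: bool                     # the manual ties a pre-shared secret to a static IP Address
    externally_managed: bool = False    # "Externally Managed Gateway" checked on the General page
    remote_access_client: bool = False  # "Remote Access" selected on the General page
    automatic_login: bool = False       # Remote Access Automatic Login mode on the Portal
    smartcenter_in_vpn_domain: bool = False

@dataclass
class Community:
    kind: str                           # "star", "meshed" or "remote_access"
    central: List[str] = field(default_factory=list)
    satellites: List[str] = field(default_factory=list)
    shared_secret_only_external: bool = False  # "Use only shared secret for all external members"
    managed_by_smartlsm: bool = False   # satellite is a SmartLSM VPN-1 Edge/Embedded profile

def lint(gw: EdgeGateway, comm: Community) -> List[str]:
    """Return one finding per rule of the chapter that this gateway/community pairing violates."""
    findings = []
    uses_psk = comm.shared_secret_only_external
    if uses_psk and not gw.static_ip:
        findings.append("pre-shared secret needs a static IP Address; use the generated certificate")
    if comm.kind == "star" and gw.name in comm.central:
        findings.append("Edge gateway should not be a Central Gateway of a Star community")
    if gw.externally_managed and not uses_psk:
        findings.append("externally managed: check 'Use only shared secret for all external members'")
    if comm.managed_by_smartlsm and uses_psk:
        findings.append("SmartLSM ROBO gateways use internal certificates; uncheck the shared-secret option")
    if gw.remote_access_client and gw.smartcenter_in_vpn_domain and not gw.automatic_login:
        findings.append("client mode: keep SmartCenter outside the Remote Access VPN domain, or use Automatic Login")
    return findings

if __name__ == "__main__":
    # Constructed sample: a static-IP Edge satellite authenticated by shared secret (clean),
    # then a dynamic-IP Edge placed as Central Gateway of the same Star community (two findings).
    star = Community("star", central=["vpn1-pro-hq"], satellites=["edge-branch-1"],
                     shared_secret_only_external=True)
    print(lint(EdgeGateway("edge-branch-1", static_ip=True), star))   # []
    star.central.append("edge-branch-2")
    print(lint(EdgeGateway("edge-branch-2", static_ip=False), star))  # two findings
```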


Viewing Logs in the SmartView Tracker

For auditing logs, open the Audit view in the SmartView Tracker. For your convenience, add the Origin column to the Audit view (View > Query options > Query Properties, select Origin) and select the VPN-1 Edge/Embedded appliance that you would like to track. This enables you to figure out from which VPN-1 Edge appliance the log was generated.

For security logs: security logs are displayed in the Log view of the SmartView Tracker. Double-click on the log in order to see more information.

FIGURE 2-15 Viewing Security logs

Downloading the Latest Firmware from SmartUpdate

You can use SmartUpdate to get automatic updates of the latest firmware version. To download the latest firmware:

1. In the Product Repository pane, right-click a VPN-1 Edge/Embedded Gateway and select Add from Download Center.
2. In the displayed window, select the firmware that you would like to download and click Download.
3. In the Product Repository, right-click a VPN-1 Edge/Embedded Gateway and select Install Product.
4. Select the firmware and click OK.

The firmware is downloaded and sent to the SmartCenter Server, which is responsible for downloading it to the VPN-1 Edge/Embedded Gateways when the latter are ready to receive it.


Index

A
Access Control 15, 18, 19
active management server 38
Anti-spoofing 12
Appliance
  Before You Begin 17
  installing 17
  managed by External Management Server 15
  S-series 11
  supported 12
  VPN, Site-to-Site, Remote Access 14
  W-series 12
  X-series 11
Audit view 42
authentication 21
authentication capabilities 12

C
centralized management tool 16
centralized upgrading 12
Check Point Express 16
Check Point internal certificates 41
Check Point management solutions 12
Check Point's Stateful Inspection 15
client mode 38
Configuration Script 26
connectivity 8
content filtering 25
Corporate Office (CO) Gateway 41
CVP Server 25

D
DMZ 22
dynamic IP Address 35, 36
Dynamic Object 19, 28, 41

E
Embedded appliance 18
Enable SmartLSM
  run LSMenabler 18
encryption 21
Ethernet port 22
external interface 23
External Management Server 40
Extranet 40
Extranet scenarios 15

F
firmware 16, 43
ftp 31

G
Global VPN Communities 10

H
hardware type 23
High Availability 24
high performance 11
http 31
http://my.firewall
  connecting to 13

I
IKE authentication 41
IKE negotiation 37
IKE phase properties 41
IKE pre-shared secret 35, 39
initial administrator permissions 17
internal interface 23
Introduction 7

L
LAN 22
LAN ports 22
large-scale VPN deployments 8
license string 26
Licensing 18, 19

M
MAC address 26
Managed Service Providers 10
management operations 33
Management Server 40
Management Settings 21
Management Solutions 17
  SmartCenter, Provider-1, SmartLSM 9
Managing VPN-1 Edge/Embedded Devices 33
MDS server 40
Meshed Community 35, 36
meshed Site-to-Site communities 41
multi-ISPs 11

N
NAT implementation 36
NAT settings 23
Network Objects 21, 29
NIC 23

O
Objects Tree 21

P
PKI 35
PN-1 Edge/Embedded appliance 28
profile 29
Protocol
  SWTP_Gateway 13
  SWTP_SMS 13
Provider-1 7, 10
Provider-1 CMA 10

R
Remote Access 14
  default User group 14
Remote Access Client 12, 35, 38, 39
Remote Access Community 14, 31, 35, 38, 40
Remote Access VPN
  configure 38
Remote Access VPN community 39
remote client 14
Remote Login 34
ROBO 9
Rule Base 15, 37, 40

S
secure connectivity 7
Security 8
security logs 42
Security Policy 8, 12, 15, 18, 19, 31, 32, 33, 40
  actions 15
  define 31
  download 32
  install & uninstall 32
  verify download 32
security policy 29
Security Policy rules 31
SIC 13
Site-to-Site 14, 31
Site-to-Site configuration 19, 38
Site-to-Site VPN 14
  configure 35
Smart LSM VPN-1 Edge/Embedded Profiles 19
SMART management 8
SmartCenter 7, 9
SmartCenter Express 14
SmartCenter management 13
SmartCenter Pro 18
SmartCenter Server 30
  connecting to 13
SmartCenter server 34
SmartCenter Server setup 33
SmartConsole clients 12
SmartLSM 7, 9, 16, 18, 30, 41
SmartLSM management solution 28
SmartLSM VPN-1 Edge/Embedded Profile 28, 41
SmartLSM VPN-1 Edge/Embedded ROBO Profile
  create 29
SmartUpdate 16, 43
  download firmware 43
  upgrading firmware 16
SmartView Monitor 16
SmartView Status
  monitoring the status 16
SmartView Tracker 15, 42
  creating logs 15
  view logs 42
Star Community 19, 35, 36
Stateful Inspection 12
static IP Address 35, 39
subnet mask 41

T
telnet 31
topology 23

U
UFP Server 25

V
VPN
  configure 35
VPN community 12, 17, 21, 24, 31
VPN configuration in SmartLSM 41
VPN Manager 36, 39
VPN relations 18, 19
VPN settings 21
VPN solutions 7, 8, 9
VPN Star community 41
VPN tunnel 35
VPN-1 Edge 7, 18, 20
VPN-1 Edge device 26
VPN-1 Edge logs 15
VPN-1 Edge/Embedded Appliance 21, 30, 33
VPN-1 Edge/Embedded appliance 13, 15, 17, 34
VPN-1 Edge/Embedded Gateway 9, 15, 24, 26, 31, 35, 43
  create 21
VPN-1 Edge/Embedded Gateway object 21, 33
VPN-1 Edge/Embedded Gateways 14
VPN-1 Edge/Embedded object 18
VPN-1 Edge/Embedded Portal 13, 18, 19, 33, 36, 38
VPN-1 Edge/Embedded Profile 13, 21
VPN-1 Edge/Embedded ROBO 9
VPN-1 Edge/Embedded ROBO Gateway 19, 28, 30, 41
  create 30
VPN-1 Edge/Embedded appliances 16
VPN-1 Embedded appliances 7
VPN-1 Express module 8
VPN-1 Pro 8, 16
VPN-1 Pro gateway 12
VPN-1/FireWall-1 technology 12

W
WAN 23
WAN interface card 23
WAN port 22
Web content 25
Web GUI 17
Workflow
  SmartCenter management 18
  SmartLSM Management 18
  using the appliance 13

X
xDSL modem 23
