
Check Point® VPN-1 Edge/Embedded Management Solutions

For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at

https://secureknowledge.checkpoint.com

See the latest version of this document in the User Center at

http://www.checkpoint.com/support/technical/documents/docs_r60.htm

Part No.: 701308

April 2005


Check Point Software Technologies Ltd.

U.S. Headquarters: 800 Bridge Parkway, Redwood City, CA 94065, Tel: (650) 628-2000 Fax: (650) 654-4233, [email protected]

Headquarters: 3A Jabotinsky Street, Ramat Gan, 52520, Israel, Tel: 972-3-753 4555 Fax: 972-3-575 9256, http://www.checkpoint.com

© 2003-2005 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

©2003-2005 Check Point Software Technologies Ltd. All rights reserved.

Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications.

THIRD PARTIES:

Entrust is a registered trademark of Entrust Technologies, Inc. in the United States and other countries. Entrust's logos and Entrust product and service names are also trademarks of Entrust Technologies, Inc. Entrust Technologies Limited is a wholly owned subsidiary of Entrust Technologies, Inc. FireWall-1 and SecuRemote incorporate certificate management technology from Entrust.

Verisign is a trademark of Verisign Inc.

The following statements refer to those portions of the software copyrighted by University of Michigan. Portions of the software copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given to the University of Michigan at Ann Arbor. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. This software is provided "as is" without express or implied warranty.

Copyright © Sax Software (terminal emulation only).

The following statements refer to those portions of the software copyrighted by Carnegie Mellon University.

Copyright 1997 by Carnegie Mellon University. All Rights Reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.

CMU DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

The following statements refer to those portions of the software copyrighted by The Open Group.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

The following statements refer to those portions of the software copyrighted by The OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The following statements refer to those portions of the software copyrighted by Eric Young. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright © 1998 The Open Group.

The following statements refer to those portions of the software copyrighted by Jean-loup Gailly and Mark Adler. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

The following statements refer to those portions of the software copyrighted by the Gnu Public License. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

The following statements refer to those portions of the software copyrighted by Thai Open Source Software Center Ltd and Clark Cooper. Copyright (c) 2001, 2002 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

GDChart is free for use in your applications and for chart generation. YOU MAY NOT re-distribute or represent the code as your own. Any re-distributions of the code MUST reference the author, and include any and all original documentation. Copyright. Bruce Verderaime. 1998, 1999, 2000, 2001. Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson ([email protected]). Portions relating to gdft.c copyright 2001, 2002 John Ellson ([email protected]). Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information. Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. "Derived works" includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided "AS IS." The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0

The curl license

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1996 - 2004, Daniel Stenberg, <[email protected]>. All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

The PHP License, version 3.0

Copyright (c) 1999 - 2004 The PHP Group. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, is permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The name "PHP" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please [email protected].

4. Products derived from this software may not be called "PHP", nor may "PHP" appear in their name, without prior written permission from [email protected]. You may indicate that your software works in conjunction with PHP by saying "Foo for PHP" instead of calling it "PHP Foo" or "phpfoo"

5. The PHP Group may publish revised and/or new versions of the license from time to time. Each version will be given a distinguishing version number. Once covered code has been published under a particular version of the license, you may always continue to use it under the terms of that version. You may also choose to use such covered code under the terms of any subsequent version of the license published by the PHP Group. No one other than the PHP Group has the right to modify the terms applicable to covered code created under this License.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

"This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals on behalf of the PHP Group. The PHP Group can be contacted via Email at [email protected].

For more information on the PHP Group and the PHP project, please see <http://www.php.net>. This product includes the Zend Engine, freely available at <http://www.zend.com>.

This product includes software written by Tim Hudson ([email protected]).

Copyright (c) 2003, Itai Tzur <[email protected]>

 All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

Neither the name of Itai Tzur nor the names of other contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Copyright © 2003, 2004 NextHop Technologies, Inc. All rights reserved.

Confidential Copyright Notice

Except as stated herein, none of the material provided as a part of this document may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means, including, but not limited to, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of NextHop Technologies, Inc. Permission is granted to display, copy, distribute and download the materials in this document for personal, non-commercial use only, provided you do not modify the materials and that you retain all copyright and other proprietary notices contained in the materials unless otherwise stated. No material contained in this document may be "mirrored" on any server without written permission of NextHop. Any unauthorized use of any material contained in this document may violate copyright laws, trademark laws, the laws of privacy and publicity, and communications regulations and statutes. Permission terminates automatically if any of these terms or conditions are breached. Upon termination, any downloaded and printed materials must be immediately destroyed.

Trademark Notice

The trademarks, service marks, and logos (the "Trademarks") used and displayed in this document are registered and unregistered Trademarks of NextHop in the US and/or other countries. The names of actual companies and products mentioned herein may be Trademarks of their respective owners. Nothing in this document should be construed as granting, by implication, estoppel, or otherwise, any license or right to use any Trademark displayed in the document. The owners aggressively enforce their intellectual property rights to the fullest extent of the law. The Trademarks may not be used in any way, including in advertising or publicity pertaining to distribution of, or access to, materials in this document, including use, without prior, written permission. Use of Trademarks as a "hot" link to any website is prohibited unless establishment of such a link is approved in advance in writing. Any questions concerning the use of these Trademarks should be referred to NextHop at U.S. +1 734 222 1600.


U.S. Government Restricted Rights

The material in this document is provided with "RESTRICTED RIGHTS." Software and accompanying documentation are provided to the U.S. government ("Government") in a transaction subject to the Federal Acquisition Regulations with Restricted Rights. The Government's rights to use, modify, reproduce, release, perform, display or disclose are restricted by paragraph (b)(3) of the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation clause at DFAR 252.227-7014 (Jun 1995), and the other restrictions and terms in paragraph (g)(3)(i) of Rights in Data-General clause at FAR 52.227-14, Alternative III (Jun 87) and paragraph (c)(2) of the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19 (Jun 1987).

Use of the material in this document by the Government constitutes acknowledgment of NextHop's proprietary rights in them, or that of the original creator. The Contractor/Licensor is NextHop located at 1911 Landings Drive, Mountain View, California 94043. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in applicable laws and regulations.

Warranty Disclaimer

THE MATERIAL IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESS OR IMPLIED. TO THE FULLEST EXTENT POSSIBLE PURSUANT TO THE APPLICABLE LAW, NEXTHOP DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON INFRINGEMENT OR OTHER VIOLATION OF RIGHTS. NEITHER NEXTHOP NOR ANY OTHER PROVIDER OR DEVELOPER OF MATERIAL CONTAINED IN THIS DOCUMENT WARRANTS OR MAKES ANY REPRESENTATIONS REGARDING THE USE, VALIDITY, ACCURACY, OR RELIABILITY OF, OR THE RESULTS OF THE USE OF, OR OTHERWISE RESPECTING, THE MATERIAL IN THIS DOCUMENT.

Limitation of Liability

UNDER NO CIRCUMSTANCES SHALL NEXTHOP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR PROFIT, ARISING OUT OF THE USE, OR THE INABILITY TO USE, THE MATERIAL IN THIS DOCUMENT, EVEN IF NEXTHOP OR A NEXTHOP AUTHORIZED REPRESENTATIVE HAS ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF YOUR USE OF MATERIAL FROM THIS DOCUMENT RESULTS IN THE NEED FOR SERVICING, REPAIR OR CORRECTION OF EQUIPMENT OR DATA, YOU ASSUME ANY COSTS THEREOF. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT FULLY APPLY TO YOU.

Copyright © ComponentOne, LLC 1991-2002. All Rights Reserved.

BIND: ISC Bind (Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC"))

Copyright 1997-2001, Theo de Raadt: the OpenBSD 2.9 Release


Table Of Contents

Chapter 1 Introduction to VPN-1 Edge/Embedded Appliances
Introduction 7
The Need for Security & VPN Solutions for Different Sized Organizations 8
The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances 8
Finding the Right Check Point Management Solution 9
An Overview of VPN-1 Edge/Embedded 11
VPN-1 Edge and Embedded Device Functionality 14

Chapter 2 Installation and Configuration
Introduction to the Installation and Configuration Processes 17
Before You Begin 17
Overview of Workflow for SmartCenter Management Solution 18
Overview of Workflow for SmartLSM Management Solution 18
Configuration Operations 20
Installing and Configuring VPN-1 Edge/Embedded Appliances 20
Installing and Configuring VPN-1 Edge/Embedded in SmartCenter 20
Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter 21
Creating and Working with VPN-1 Edge/Embedded objects for SmartLSM 28
Creating a Security Policy for the VPN-1 Edge/Embedded Appliance 31
Security Policy Operations 32
Managing VPN-1 Edge/Embedded Devices with SmartCenter Server 33
Remote Login to the SmartCenter Server 34
Configuring VPN in SmartCenter 35
Viewing Logs in the SmartView Tracker 42
Downloading the Latest Firmware from SmartUpdate 43


CHAPTER 1

Introduction to VPN-1 Edge/Embedded Appliances

In This Chapter

Introduction page 7
The Need for Security & VPN Solutions for Different Sized Organizations page 8
The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances page 8

Introduction

Thank you for using Check Point VPN-1 Edge and VPN-1 Embedded appliances, which provide secure connectivity and VPN solutions at affordable prices. Check Point's VPN-1 Edge appliances, which include the X-series and S-series appliances, are easy to install and user-friendly. Moreover, along with the VPN-1 Embedded appliances (such as Nokia and NEC devices), they are seamlessly and securely integrated with different Check Point management solutions, such as SmartCenter, Provider-1 and SmartLSM.

This document describes how your VPN-1 Edge and VPN-1 Embedded appliances are managed using various Check Point management solutions, such as SmartCenter, Provider-1 and SmartLSM. In this document you will also learn about the Check Point features that the VPN-1 Edge and other Embedded appliances support, and how to use these appliances for your VPN solutions.


The Need for Security & VPN Solutions for Different Sized Organizations

All enterprises and organizations, large and small, require tailor-made security and VPN solutions for the management of their remote sites and branch offices. These solutions must take into consideration that remote sites or branch offices:

• do not necessarily need enterprise-size solutions or costs for their moderate-sized employee base.

• do not require advanced Security Policy and VPN configurations but do require full security and connectivity.

• do not necessarily employ a full-time security administrator and are not necessarily looking to manage the VPN-1 Pro or VPN-1 Express module themselves.

What these businesses require is a solution that offers connectivity and security at an affordable rate, that is easy to integrate into existing infrastructure and is easy to use.

The Check Point Solution for VPN-1 Edge & VPN-1 Embedded Appliances

VPN-1 Edge is a series of appliances offered by Check Point that provides both security and VPN solutions which are affordable, easy to configure and simple to manage, for securing enterprise remote sites and large-scale VPN deployments. Moreover, Check Point supports management of other VPN-1 Embedded appliances.

VPN-1 Edge appliances and VPN-1 Embedded appliances support SMART management and can be used in conjunction with VPN-1 Pro and VPN-1 Express.

VPN-1 Edge and VPN-1 Embedded appliances enable enterprise customers to quickly and easily create a seamless Check Point Internet security infrastructure. These appliances can be centrally managed and easily incorporated into existing infrastructures. They have no moving parts, are easy to use, and compromise neither connectivity nor security.


Finding the Right Check Point Management Solution

The VPN-1 Edge and VPN-1 Embedded appliances can be managed using any one of the following Check Point management solutions: SmartCenter (Pro or Express), Provider-1 or SmartLSM:

• SmartCenter is considered the standard VPN-1 Edge and Embedded management solution and is often used in conjunction with SmartLSM. SmartCenter management is useful for organizations with branch offices that are looking for affordable alternatives and basic security and VPN solutions for each branch office. The VPN-1 Edge and VPN-1 Embedded appliances are represented by an object, created and managed in SmartDashboard, called the VPN-1 Edge/Embedded Gateway.

FIGURE 1-1 SmartCenter Deployment

• SmartLSM is an extension of SmartCenter that provides administrators with an effective means of provisioning and managing hundreds or thousands of VPN-1 Edge/Embedded ROBO (Remote Office/Branch Office) Gateways. VPN-1 Edge/Embedded Profiles and Profile policies are defined in SmartDashboard. VPN-1 Edge/Embedded ROBO Gateways are provisioned and managed via the SmartLSM console application. For more information see the SmartLSM Guide.


FIGURE 1-2 SmartLSM Deployment

• Provider-1 is used by large enterprises and by Managed Service Providers to centrally manage multiple, fully customized customer domains. VPN-1 Edge/Embedded appliances are integrated transparently with this management solution. The management capabilities of a Provider-1 CMA (Customer Management Add-On) are equivalent to those of the SmartCenter Server, including the SmartLSM extension. Global VPN Communities are currently not supported for VPN-1 Edge/Embedded appliances.

FIGURE 1-3 Provider-1 Deployment

An Overview of VPN-1 Edge/Embedded

In This Section

VPN-1 Edge versus VPN-1 Embedded page 11
Advantages of the VPN-1 Edge/Embedded Appliances page 12
Overview of a Typical Workflow page 13

VPN-1 Edge versus VPN-1 Embedded

Check Point’s VPN-1 Edge appliances are available in two different series:

• S-series is ideal for telecommuters and small remote offices that require remote access VPN. This series has a stateful inspection firewall.

• X-series is ideal for sites requiring site-to-site VPN. This series also delivers additional capabilities such as high performance, high availability, support for multiple ISPs and automatic recovery.

• W-series provides secure wireless connectivity for remote sites, branch offices, and partner sites by integrating a secure wireless access point with market-leading VPN-1/FireWall-1 technology, high availability support, and simple Web-based setup.

The following VPN-1 Embedded appliances are also supported:

• Nokia’s IP30 and IP40

• NEC’s SecureBlade and SecureBlade 300

Whatever the series, the VPN-1 Edge/Embedded appliances support any of the Check Point management solutions (SmartCenter, SmartLSM, etc.). Apart from their own seamless integration and ease of use, they also benefit from most of the advantages of any regular VPN-1 Pro gateway.

Advantages of the VPN-1 Edge/Embedded Appliances

There are several distinct advantages to working with VPN-1 Edge/Embedded devices. The features that are supported depend on the device that you own:

• Installation, Integration and Configuration - The VPN-1 Edge appliance itself is easy to install and configure. Moreover, the VPN-1 Edge/Embedded appliance can be used immediately once SmartCenter (Pro or Express) has been installed. The appliance is “diskless”. It contains pre-configured software and can be used out-of-the-box.

• VPN - VPN-1 Edge/Embedded appliances can be implemented in Check Point VPN-1 solutions, which offer full encryption and authentication capabilities. These appliances can participate as a peer Gateway in the corporate VPN with just one click. The appliances can participate in a Site-to-Site Community (either Star or Meshed), or as a Remote Access client. For more information on building VPN Communities, see the VPN Guide.

• Security - A Security Policy can be enforced on VPN-1 Edge/Embedded appliances. Some of the security highlights include support of Check Point’s patented Stateful Inspection, Anti-spoofing, DoS protection and H.323 VoIP. Some of the networking highlights include DHCP, NAT support and Access Control.

• Logging and gleaning the status of appliances - The status and traffic of the VPN-1 Edge/Embedded appliances can be monitored and logged using the Check Point SmartConsole clients: SmartView Tracker and SmartView Status. These tools can be used for troubleshooting purposes.

• Centralized upgrading - The firmware of the VPN-1 Edge/Embedded device can be upgraded automatically thanks to Check Point SmartUpdate support.

Overview of a Typical Workflow

1 Install the VPN-1 Edge and/or Embedded appliance. For more information see your vendor documentation.

2 Create objects to represent these appliances in the respective management solution (for example, SmartLSM). This includes the creation of a VPN-1 Edge/Embedded Profile and a Gateway, where the latter is the network object that represents the VPN-1 Edge/Embedded appliance.

3 The initial configuration of the appliance and the connection to the SmartCenter Server is done via a Web GUI called the VPN-1 Edge/Embedded portal (http://my.firewall). It is imperative that trust is established between the SmartCenter and the device so that they can communicate freely and securely. Moreover, the device needs to connect to the SmartCenter server so that the management operations carried out by the SmartCenter server can be applied. This establishment of trust is equivalent to the SIC (Secure Internal Communication) process that takes place in SmartCenter between regular gateways and the SmartCenter Server.

4 Perform management operations. All the management operations, such as defining VPN relations with other gateways, fetching a policy or updating the software version embedded in the appliance (or firmware, as it is called), are performed by the SmartCenter Server using any one (or a combination) of the Check Point management solutions (SmartDashboard, SmartLSM or Provider-1), or via the Command Line.

SmartCenter uses an encrypted UDP-based protocol (called SWTP_SMS or SWTP_Gateway) to communicate with the VPN-1 Edge/Embedded appliance. This protocol is enforced in an implied rule in the Security Policy. For more about SmartCenter management, see the SmartCenter Guide.

VPN-1 Edge and Embedded Device Functionality

In This Section

VPN-1 Edge/Embedded Appliances: VPN Communities and Management page 14
VPN-1 Edge/Embedded and Packet Filtering FireWall page 15
Logging in the SmartView Tracker page 15
Viewing the Status of VPN-1 Edge/Embedded Appliances & VPN Creation page 16
Upgrading VPN-1 Edge/Embedded Appliance Firmware using SmartUpdate page 16

VPN-1 Edge/Embedded Appliances: VPN Communities and Management

VPN-1 Edge/Embedded Gateways can participate in two types of VPN communities: Site-to-Site and Remote Access. These communities are explained in more detail in the VPN Guide.

Site-to-Site

Unless otherwise stated, VPN-1 Edge and Embedded Device Gateways are added to communities and participate in the VPN tunnel in the same manner as all VPN-1 Pro Gateway objects; they are added, like regular participating gateways, into the VPN community (Star or Meshed). Consult the VPN Guide for more information on building VPN between Gateways.

Note - On SmartCenter Express, any VPN-1 Edge/Embedded appliance that is connecting using Site-to-Site VPN is considered to be an additional managed site; therefore, you are required to obtain an additional license.

VPN-1 Edge/Embedded as a Remote Access Client

You can configure the VPN-1 Edge/Embedded appliance to act as a remote client (it is added to a Remote Access Community). In this case it is configured in an atypical VPN configuration where the VPN-1 Edge/Embedded Gateway is added as a User group to the VPN-1 community. This User group is created by default and is called VPN-1 Embedded devices defined as Remote Access. All machines deployed behind the VPN-1 Edge/Embedded Gateway will also function as Remote Access Clients. This means that all traffic from these gateways will be tunneled as well.

VPN-1 Edge/Embedded Managed by an External Management Server

VPN-1 Edge/Embedded Gateway objects that are managed by an external Management Server can be defined. These objects can be used in VPN communities. Typically, externally managed gateways are used in Extranet scenarios with partners, or with additional Management Servers.

VPN-1 Edge/Embedded and Packet Filtering FireWall

VPN-1 Edge/Embedded appliances use Check Point’s Stateful Inspection technology just like regular VPN-1 Pro Gateways.

Gateways which are used in the Rule Base get their Security Policy from the SmartCenter Server. This policy enforces the manner in which connections are allowed (or not allowed) to pass to and from the VPN-1 Edge/Embedded appliance.

Access Control is used to determine the resources and services that are authorized to be used. This access authorization sets the level of security. Rules are attributed to VPN-1 Edge/Embedded gateways by installing the rule on a specific gateway. For more about Access Control, see the FireWall and SmartDefense Guide.

VPN-1 Edge/Embedded appliances can be used with the following actions in the Security Policy Rule Base: Accept, Drop and Reject.

Logging in the SmartView Tracker

VPN-1 Edge logs can be generated and sent to a logging server. This server consolidates all VPN-1 Edge logs in the SmartView Tracker. You can view regular logs and audit logs (for management operations) in the SmartView Tracker. You can use these logs to troubleshoot and confirm that connections are passing to and from the VPN-1 Edge/Embedded appliance according to what is specified in the Security Policy. SmartView Tracker has a pre-defined query called VPN-1 Edge/Embedded which can be used to focus on the logs generated from the appliances specifically.

Since the VPN-1 Edge/Embedded Gateway fetches at periodic intervals, you will notice that logs appear in the SmartView Tracker only after the periodic interval has passed.

Viewing the Status of VPN-1 Edge/Embedded Appliances & VPN Creation

Use the SmartView Monitor in order to learn more about the status of the VPN-1 Edge/Embedded appliances. SmartView Monitor is available to both VPN-1 Pro and Check Point Express customers. SmartLSM customers may view the status of their objects in SmartView Monitor, or in the SmartLSM SmartConsole.

Note - SmartLSM is only available to VPN-1 Pro customers.

Upgrading VPN-1 Edge/Embedded Appliance Firmware using SmartUpdate

The firmware of the VPN-1 Edge/Embedded Gateway represents the software that is running on the appliance. The VPN-1 Edge/Embedded Gateway’s firmware can be viewed and upgraded using SmartUpdate. This is a centralized management tool which is used to upgrade all modules in the system by downloading new versions from the download center. When installing new firmware, the firmware is prepared at the SmartCenter Server, downloaded and subsequently installed when the VPN-1 Edge/Embedded Gateway fetches for updates. Since the VPN-1 Edge/Embedded Gateway fetches at periodic intervals, you will notice the upgraded version on the gateway only after the periodic interval has passed.

CHAPTER 2

Installation and Configuration

In This Chapter

Introduction to the Installation and Configuration Processes page 17
Before You Begin page 17
Overview of Workflow for SmartCenter Management Solution page 18
Overview of Workflow for SmartLSM Management Solution page 18
Configuration Operations page 20

Introduction to the Installation and Configuration Processes

The installation and configuration process depends on a number of factors: the management solution that you are using (whether SmartCenter, SmartLSM or Provider-1), the type of VPN community that you are configuring, as well as the type of device that you are using.

Before You Begin

Before you can work with the VPN-1 Edge/Embedded appliance, you need to install and configure it via the VPN-1 Edge/Embedded Portal. This is a Web GUI used expressly for the management of the appliance. Apart from the actual installation process, you need to perform a first-time login to the VPN-1 Edge/Embedded appliance via the portal. In this first-time login you are meant to set up initial administrator permissions and an authorization permission, as well as the Internet connection itself. For more information, see the relevant vendor documentation.

Overview of Workflow for SmartCenter Management Solution

This workflow assumes that you have installed SmartCenter (Pro or Express). For more information see the Getting Started Guide for NGX R60.

The following workflow represents the order in which you should work with the VPN-1 Edge and Embedded appliances. More details about each step in the workflow can be found in this document.

1 Install and configure the VPN-1 Edge or Embedded appliance. Consult the relevant vendor documentation for more information. If you are setting up the appliance on the network, make sure that it is successfully connected.

2 In SmartDashboard:

• Create the VPN-1 Edge/Embedded Gateways. Make sure that you set up the VPN-1 Edge/Embedded appliance’s topology properly and add the Gateway to a VPN Community.

• Create rules for your objects and install the Security Policy. This step should be repeated whenever a modification to the VPN-1 Edge/Embedded objects is made.

3 On the VPN-1 Edge/Embedded portal, define your SmartCenter Server as the VPN-1 Edge/Embedded appliance’s management server. This means that the SmartCenter Server is now responsible for managing the appliance, including VPN relations, Access Control, Licensing and updates. The communication between the SmartCenter Server and the VPN-1 Edge/Embedded appliance is secured.

Overview of Workflow for SmartLSM Management Solution

This workflow assumes that you have installed SmartCenter Pro. For more information see the Getting Started Guide for NGX R60.

The following workflow represents the order in which you should work with the VPN-1 Edge and Embedded appliances. More details about each step in the workflow can be found in this document.

1 Install and configure the VPN-1 Edge or Embedded appliance. Consult the relevant vendor documentation for more information. If you are setting up the appliance on the network, make sure that it is successfully connected.

2 To enable SmartLSM, run the command LSMenabler on on the SmartCenter Pro Server.

3 In SmartDashboard:

• Create a SmartLSM VPN-1 Edge/Embedded Profile. When creating the profile you can specify the VPN community in which you would like the profile to participate. This step can also take place at a later stage.

• Create one or more dynamic objects to be enforced on the VPN-1 Edge/Embedded ROBO Gateway.

• Create rules for your objects and install the Security Policy. This step should be repeated whenever a modification to the VPN-1 Edge/Embedded ROBO objects is made. (This step needs to take place after you have created the VPN-1 Edge/Embedded ROBO Gateway in SmartLSM.)

• Close SmartDashboard.

4 In SmartLSM, create a VPN-1 Edge/Embedded ROBO Gateway, add the dynamic object to the VPN-1 Edge/Embedded ROBO Gateway and update the CO (Corporate Office) Gateway. For more information see the SmartLSM Guide.

5 On the VPN-1 Edge/Embedded portal, define your SmartCenter Server as the VPN-1 Edge/Embedded appliance’s management server. This means that the SmartCenter Server is now responsible for managing the appliance, including VPN relations, Access Control, Licensing and updates. The communication between the SmartCenter Server and the VPN-1 Edge/Embedded appliance is secured.

Note - In SmartLSM, the profile associated with the VPN-1 Edge/Embedded Gateway can only participate in a Star community for Site-to-Site configuration.

Configuration Operations

In This Section

Installing and Configuring VPN-1 Edge/Embedded in SmartCenter page 20
Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter page 21
Creating and Working with VPN-1 Edge/Embedded objects for SmartLSM page 28
Creating a Security Policy for the VPN-1 Edge/Embedded Appliance page 31
Security Policy Operations page 32
Managing VPN-1 Edge/Embedded Devices with SmartCenter Server page 33
Remote Login to the SmartCenter Server page 34
Configuring VPN in SmartCenter page 35
Configuring VPN-1 in SmartLSM page 41
Viewing Logs in the SmartView Tracker page 42
Downloading the Latest Firmware from SmartUpdate page 43

Installing and Configuring VPN-1 Edge/Embedded Appliances

For information on how to install, configure and work with the VPN-1 Edge/Embedded Appliance, consult the relevant vendor documentation.

Installing and Configuring VPN-1 Edge/Embedded in SmartCenter

VPN-1 Edge support is enabled automatically during the installation of the SmartCenter Server (Pro or Express), for version NGX R60. There is no need to install any additional component.

Note - VPN-1 Edge cannot be managed from a SmartCenter Server running on Nokia.

Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter

A VPN-1 Edge/Embedded Gateway object which represents the VPN-1 Edge/Embedded Appliance should be defined in SmartDashboard in order for the SmartCenter Server to be able to manage the VPN-1 Edge/Embedded appliance:

Create the VPN-1 Edge/Embedded Gateway which represents the VPN-1 Edge/Embedded appliance and associate it with a VPN-1 Edge/Embedded Profile. See “Creating a VPN-1 Edge/Embedded Gateway” on page 21. During this process you must assign the previously created profile to the VPN-1 Edge/Embedded Gateway that is being created.

Creating a VPN-1 Edge/Embedded Gateway

A VPN-1 Edge/Embedded Gateway object is a network object that represents a VPN-1 Edge/Embedded appliance. This Gateway sits on the network and can be managed by the SmartCenter Server or by an external management server.

1 In the Network Objects tab of the Objects Tree, create a new VPN-1 Edge/Embedded Gateway.

FIGURE 2-1 Defining a VPN-1 Edge/Embedded Gateway

2 In the VPN-1 Edge/Embedded Gateway - General page, configure (FIGURE 2-2):

• the general settings of the window, including its name and IP Address (whether static or dynamic), the VPN-1 Edge/Embedded Profile and version information (Type). It is very important to select the exact version of your appliance. It is also necessary to define a Password (also known as a Registration Key). This password is used for encryption and authentication purposes.

• the VPN settings: to allow the VPN-1 Edge/Embedded Gateway to become a member of a VPN community, select the VPN Enabled check box and select the VPN Community type (whether Site to Site or Remote Access).

• the management settings: if this Gateway is managed by an external server, check Externally Managed Gateway.

FIGURE 2-2 New VPN-1 Edge/Embedded Gateway configured for Site-to-Site VPN-1

3 In the VPN-1 Edge/Embedded Gateway - Topology page (FIGURE 2-3), the topology is set automatically because it represents the hard-coded device.

The set topology includes the following three interfaces (two internal and one external):

• DMZ represents a logical second network behind the Safe@Office appliance. You must connect DMZ computers to the LAN ports. DMZ is a dedicated Ethernet port (RJ-45) used to connect a DMZ (Demilitarized Zone) computer or network. Alternatively, the DMZ can serve as a secondary WAN port.

• LAN represents the private network. LAN 1-4 Local Area Network switch: four Ethernet ports (RJ-45) are used for connecting computers or other network devices.

• WAN represents the external interface to the router. A WAN interface card is a network interface card (NIC) that allows devices to connect to a wide area network. Wide Area Network (WAN): an Ethernet port (RJ-45) used for connecting your cable or xDSL modem, or for connecting a hub when setting up more than one Internet connection.

Although these three interfaces automatically appear in the Topology window, they are not associated with an IP address and a Network Mask.

If you deselect the Dynamic Address option in the General Properties window and add a static IP address, the WAN automatically receives the specified static IP address and its Network Mask is 255.255.255.255.

The Type drop-down list in the General Properties window defines the hardware type and its associated topology. Currently all hardware types share the same topology. Every hardware type has one external interface and two internal interfaces. It is possible to add only one additional external interface.

Once you have defined the general settings as well as the topology definitions of the VPN-1 Edge/Embedded Gateway, a certificate is automatically created.

For managed devices it is essential to specify the correct network. When managing multiple devices it is better to define the networks on the devices so as to ensure that the networks do not overlap with one another.

For externally managed devices the networks specified depend upon both the NAT settings on the other side and the agreed configuration.

Note - Pre-Shared Secrets work in conjunction with Static IP Addresses only.

FIGURE 2-4 Configuring the VPN settings

5 In the VPN-1 Edge/Embedded Gateway - Content Filtering page (FIGURE 2-5), select Use UFP, Use CVP or both if you want to restrict access to Web content and/or automatically scan your email for the detection and elimination of all known viruses and vandals, in relation to the specific gateway.

The type of UFP Server and CVP Server used for content filtering is determined in the Policy > Global Properties > VPN-1 Edge/Embedded Gateway window.

Note - To perform a detailed configuration of the created VPN-1 Edge/Embedded Gateway, launch the gateway in a browser. To do this, right-click the specific VPN-1 Edge/Embedded Gateway and select Manage Devices...

FIGURE 2-5 Configuring Content Filtering

6 In the VPN-1 Edge/Embedded Gateway - Advanced page (FIGURE 2-6), enter the following information:

• Product Key enables you to remotely update the current VPN-1 Edge/Embedded gateway license (18 hexadecimal characters in three groups separated by hyphens).

• MAC Address enables stronger validation of the VPN-1 Edge/Embedded gateway when communicating with the SmartCenter Server.

• Configuration Script enables you to enter a script for relevant commands and features. The written script will be downloaded automatically to the VPN-1 Edge device and executed there.

For more detailed information about configuration scripts, refer to the Check Point Embedded NG CLI Reference Guide v.5 that can be found at http://www.sofaware.com

FIGURE 2-6 Configuring Advanced Settings

Creating and Working with VPN-1 Edge/Embedded objects for SmartLSM

In This Section

Creating a SmartLSM VPN-1 Edge/Embedded ROBO Profile page 29
Creating a VPN-1 Edge/Embedded ROBO Gateway page 30

The objects that are used in the SmartLSM management solution are partly created in SmartDashboard and partly in SmartLSM:

• VPN-1 Edge/Embedded ROBO Gateway object, which represents the VPN-1 Edge/Embedded appliance. This object is created in SmartLSM.

• SmartLSM VPN-1 Edge/Embedded Profile, which is an object that is associated with the VPN-1 Edge/Embedded ROBO Gateway and provides it with a basic Security Policy and VPN definition. This object is created in SmartDashboard.

• A Dynamic Object, which is used by the SmartLSM VPN-1 Edge/Embedded Profile in order to enforce the Security Policy. This object is created in SmartDashboard and added to the SmartLSM VPN-1 Edge/Embedded Profile in SmartLSM.

The order of the creation of the VPN-1 Edge objects is:

1 Create the SmartLSM VPN-1 Edge/Embedded ROBO gateway in SmartDashboard. See “Creating and Working with VPN-1 Edge/Embedded objects for SmartCenter” on page 21.

2 Create a Dynamic Object in SmartDashboard.

3 Close SmartDashboard and open SmartLSM.

4 Create the VPN-1 Edge/Embedded ROBO Gateway which represents the VPN-1 Edge/Embedded appliance in SmartLSM, and associate it with a VPN-1 Edge/Embedded ROBO Profile. See “Creating a VPN-1 Edge/Embedded ROBO Gateway” on page 30. During this process you must assign the previously created profile to the VPN-1 Edge/Embedded ROBO Gateway that is being created.

Creating a SmartLSM VPN-1 Edge/Embedded ROBO Profile

A security policy is defined for a VPN-1 Edge/Embedded appliance, represented by a VPN-1 Edge/Embedded ROBO Gateway, by associating it with a profile.

Defining VPN-1 Edge/Embedded ROBO Profiles

1 In SmartDashboard, create a new SmartLSM Profile in the Network Objects tab of the Objects Tree.

FIGURE 2-7 Creating a new SmartLSM Profile in SmartDashboard

2 In the General page, enter the name and an optional comment (FIGURE 2-8).

FIGURE 2-8 Configure the SmartLSM VPN-1/FireWall-1 Profile settings

3 In the VPN page (FIGURE 2-9), enter the type of community that you would like to associate with the profile and save the profile by closing it.

FIGURE 2-9 Configure the SmartLSM VPN-1/FireWall-1 Profile Settings for VPN

Creating a VPN-1 Edge/Embedded ROBO Gateway

A VPN-1 Edge/Embedded ROBO Gateway object is a network object that represents a VPN-1 Edge/Embedded Appliance that is created and managed in SmartLSM. This Gateway sits on the network and can be managed by the SmartCenter Server or by an external management server.

Defining VPN-1 Edge/Embedded ROBO Gateways

Before you can create the Edge/Embedded ROBO Gateway, make sure that you have exited SmartDashboard if it is in Read/Write mode.

To define VPN-1 Edge/Embedded ROBO Gateways, refer to the Adding a VPN-1 Edge/Embedded ROBO Gateway and Managing VPN-1 Edge/Embedded Objects sections in the NGX R60 SmartLSM user guide.

Creating a Security Policy for the VPN-1 Edge/Embedded Appliance

1 Create your Security Policy rules. For more information on creating rules see the SmartCenter Guide.

When you are creating your rules, be aware that the VPN-1 Edge/Embedded Gateway can be used in the Install On column even if there is a VPN Community specified in the VPN column.

You may need a rule that allows designated services (such as ftp, telnet and http) to be performed by the VPN community. In this rule, the VPN-1 Pro gateway should be your target.

For example:

TABLE 2-1 Example: a rule allowing services for Site-to-Site and Remote Access communities respectively

Source                          Destination   VPN         Service             Action   Install On
Any                             Any           Mesh-comm   ftp, telnet, http   Accept   VPN1_Pro_GW
All Users or VPN-1 Embedded     Any           RA_comm     ftp, telnet, http   Accept   VPN1_Pro_GW
Devices defined as Remote
Access

TABLE 2-2 Allowing connections from network to VPN-1 Edge/Embedded Gateway

Source     Destination       VPN   Service   Action   Install On
Edge_Net   VPN_Edge_Pro_GW   Any   Any       Accept   Any

2 Once the rules are complete, install your Security Policy (Policy > Install Policy).

The VPN-1 Edge/Embedded Gateway periodically fetches the Security Policy from the SmartCenter Server. When the policy installation is complete, the SmartCenter Server will attempt to update the VPN-1 Edge/Embedded Gateway with the new security policy. In order for the changes to take place immediately, you can force a Policy update from the VPN-1 Edge/Embedded Portal.
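To make the two tables concrete, here is an added example (not Check Point's code and not part of this guide) that models the Rule Base above as first-match logic in Python. The object names are those of TABLE 2-1 and TABLE 2-2; the IP addresses, the user-group membership, the gateway name Edge_GW and the sample connections are constructed, and the trailing implicit drop stands in for the cleanup behaviour when no rule matches. Running it shows why the Install On column matters: the service rules installed on VPN1_Pro_GW are not enforced on the appliance itself, whereas the TABLE 2-2 rule, installed on Any, applies on both gateways.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Added example (not Check Point's code): a minimal first-match model of the
# rules in TABLE 2-1 and TABLE 2-2. Object names come from the tables; the
# addresses, group membership, the gateway name Edge_GW and the sample
# connections are constructed. The final implicit drop mirrors the cleanup
# behaviour of a Rule Base when nothing matches.

ANY = "Any"

# Network objects and user groups resolved to constructed addresses.
OBJECTS = {
    "Edge_Net": {"10.1.1.10", "10.1.1.20"},
    "VPN_Edge_Pro_GW": {"203.0.113.10"},
    "All Users": {"198.51.100.7"},
    "VPN-1 Embedded Devices defined as Remote Access": {"10.1.1.10", "10.1.1.20"},
}


@dataclass(frozen=True)
class Rule:
    source: Sequence[str]       # object names, or [ANY]
    destination: Sequence[str]  # object names, or [ANY]
    vpn: str                    # community name, or ANY
    service: Sequence[str]      # service names, or [ANY]
    action: str                 # "Accept", "Drop" or "Reject"
    install_on: str             # gateway name, or ANY


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    vpn: Optional[str] = None   # community the connection is encrypted in; None if clear


# TABLE 2-1: services allowed inside the Site-to-Site and Remote Access
# communities, installed on the VPN-1 Pro gateway only.
# TABLE 2-2: the network behind the appliance may reach the VPN-1 Pro gateway,
# installed on every gateway that receives the policy.
RULEBASE = [
    Rule([ANY], [ANY], "Mesh-comm", ["ftp", "telnet", "http"], "Accept", "VPN1_Pro_GW"),
    Rule(["All Users", "VPN-1 Embedded Devices defined as Remote Access"], [ANY],
         "RA_comm", ["ftp", "telnet", "http"], "Accept", "VPN1_Pro_GW"),
    Rule(["Edge_Net"], ["VPN_Edge_Pro_GW"], ANY, [ANY], "Accept", ANY),
]


def _addr_matches(objects: Sequence[str], addr: str) -> bool:
    """True when the column is Any or addr belongs to one of the named objects."""
    if ANY in objects:
        return True
    return any(addr in OBJECTS.get(name, set()) for name in objects)


def evaluate(rulebase: Sequence[Rule], conn: Connection, gateway: str):
    """Return (action, rule_number) of the first rule that matches `conn` and is
    installed on `gateway`; rule_number is None when the implicit drop applies."""
    for number, rule in enumerate(rulebase, start=1):
        if rule.install_on not in (ANY, gateway):
            continue  # rule not installed on this gateway
        if not _addr_matches(rule.source, conn.src):
            continue
        if not _addr_matches(rule.destination, conn.dst):
            continue
        if rule.vpn != ANY and conn.vpn != rule.vpn:
            continue  # clear traffic, or a different community
        if ANY not in rule.service and conn.service not in rule.service:
            continue
        return rule.action, number
    return "Drop", None  # nothing matched: implicit cleanup


if __name__ == "__main__":
    hq_to_branch = Connection("10.0.0.5", "10.1.1.10", "http", vpn="Mesh-comm")
    print(evaluate(RULEBASE, hq_to_branch, "VPN1_Pro_GW"))  # ('Accept', 1)
    print(evaluate(RULEBASE, hq_to_branch, "Edge_GW"))      # ('Drop', None)
    branch_to_gw = Connection("10.1.1.10", "203.0.113.10", "https")
    print(evaluate(RULEBASE, branch_to_gw, "Edge_GW"))      # ('Accept', 3)
```

The same Mesh-comm connection is accepted on VPN1_Pro_GW by rule 1 but dropped on Edge_GW, because rule 1 is installed on the Pro gateway only; an unencrypted copy of that connection, or one using a service outside ftp/telnet/http, falls through to the implicit drop even on VPN1_Pro_GW, which is the point of listing only the designated services in the VPN column rule.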

Security Policy Operations

In This Section

Installing and uninstalling the Security Policy page 32
Downloading a Security Policy page 32
Verifying that the Security Policy was downloaded page 32

Installing and uninstalling the Security Policy

When the Security Policy is installed or uninstalled, the Security Policy is automatically downloaded to or off-loaded from the SmartCenter Server. When the VPN-1 Edge/Embedded Gateways check the SmartCenter Server for updates, the activity (whether installation or uninstallation) is implemented.

• To install, select Policy > Install Policy.

• To uninstall, select Policy > Uninstall Policy.

Downloading a Security Policy

From the VPN-1 Edge/Embedded Portal:

1 Log in to the VPN-1 Edge/Embedded portal at http://my.firewall.

2 Click Services and Accounts and then click Refresh. Or, click Services and Software Updates and then click Update Now.

3 When the VPN-1 Edge/Embedded Gateway polls for updates, it downloads the latest Security Policy.

From SmartLSM, select Actions > Push Policy. The SmartCenter Server pushes the Security Policy to the VPN-1 Edge/Embedded ROBO Gateway.

Verifying that the Security Policy was downloaded

1 Log in to the VPN-1 Edge/Embedded portal at http://my.firewall.

2 Click Reports and then click Event Log.

3 Verify that the following message appears: Installed updated Security Policy (downloaded).

4 Click Setup, Tools and Diagnostics. The VPN-1 Edge/Embedded object is displayed in the Policy field.

Managing VPN-1 Edge/Embedded Devices with SmartCenter Server

7/31/2019 VPN 1 Edge Embedded Management

http://slidepdf.com/reader/full/vpn-1-edge-embedded-management 33/46

Chapter 2 Installation and Configuration 33

Managing VPN-1 Edge/Embedded Devices with SmartCenter Server

Before you can begin to work with the VPN-1 Edge/Embedded Appliance, whether your appliance is managed in SmartDashboard or in SmartLSM, you need to log on to the VPN-1 Edge/Embedded portal and define the SmartCenter server as the active management server.

Once successfully completed, this step allows the SmartCenter Server to perform a number of management operations for the VPN-1 Edge/Embedded Appliance, such as VPN-1 relations, updating the Security Policy and upgrading to later versions of firmware. Proceed as follows:

1 Browse to http://my.firewall.

2 Enter and confirm your password.

3 In the Services screen, connect to the SmartCenter Server by clicking Connect.

A wizard is displayed in which you are required to configure the settings of the SmartCenter Server.

FIGURE 2-10 Login to the SmartCenter Server in the VPN-1 Edge Embedded Portal

During the SmartCenter Server setup, you are required to enter the details of the VPN-1 Edge/Embedded Gateway object that you created. Note that the Gateway ID refers to the name of that gateway and the Password refers to the Registration Key specified during the creation of the VPN-1 Edge/Embedded Gateway object.


FIGURE 2-11 Configuring the Gateway object.

Once this setup is successfully completed, the VPN-1 Edge/Embedded appliance and the SmartCenter server can communicate securely. For more information about this procedure, see the relevant vendor information.

Remote Login to the SmartCenter Server

If your device is not installed locally, you will need to log on securely to the VPN-1 Edge/Embedded Portal using HTTPS (https://<current IP Address>:981). For more information, see the relevant vendor information.


Configuring VPN in SmartCenter

VPN-1 Edge/Embedded Gateway can be added to Site-to-Site communities, as well as to Remote Access communities. The VPN-1 Edge/Embedded Appliance can also be configured to act as a Remote Access client. For more information, see the VPN-1 Guide, in particular the chapters dealing with:

• Building VPN Between Gateways

• PKI

In This Section

VPN-1 Edge/Embedded Gateway in Site-to-Site VPN Configuration page 35

VPN-1 Edge/Embedded Gateway in a Remote Access Client Configuration page 38

VPN-1 Edge/Embedded Managed by an External Management Server page 40

VPN-1 Edge/Embedded Gateway in Site-to-Site VPN Configuration

For VPN to be established the following must take place:

1 The VPN-1 Edge/Embedded Gateway must be defined and configured for Site-to-Site and a certificate created (if the VPN Community members are to use a certificate to authenticate).

On the General page (see FIGURE 2-2):

• On the VPN-1 Edge/Embedded Gateway, check VPN Enabled and select Site to Site in order to allow the VPN-1 Edge/Embedded Gateway to participate like any regular VPN-1 Gateway in a star or meshed community. This means that any gateway can initiate a VPN tunnel to the VPN-1 Edge/Embedded Gateway and the VPN-1 Edge/Embedded Gateway can initiate a VPN tunnel to any other gateway.

• In terms of IP addresses:

• If the VPN-1 Edge/Embedded Gateway has a static IP Address, you can use a certificate or an IKE pre-shared secret to establish a VPN tunnel. In this case the password you enter is used as the IKE pre-shared secret.

• If the VPN-1 Edge/Embedded Gateway has a dynamic IP Address (select Dynamic Address), only a certificate can be used in order to establish a VPN tunnel. In this case, make sure that you have selected Manually defined in the VPN-1 Edge/Embedded Gateway - Topology page (see FIGURE 2-3).

• Make sure that the type that you select corresponds to the actual appliance that you have in your possession.


• Add a Password that will be used later on the VPN-1 Edge/Embedded Portal and for the pre-shared secret (if you have a static IP Address).

On the Topology page (see FIGURE 2-3):

• Gateway defined is used for NAT implementation.

• Manually Defined is used if the VPN-1 Edge/Embedded Gateway is configured for a dynamic IP Address or if NAT is not being implemented.

On the VPN page (see FIGURE 2-4), generate the certificate and close the VPN-1 Edge/Embedded Gateway.

2 If you do not already have one, create a Star or Meshed community in the VPN Manager. For more about these communities and how to configure them, see the VPN Guide.

To create a Site-to-Site community:

FIGURE 2-12 Create a new Site-to-Site Community

In a Star Community

• In the Central Gateways page click Add and select the desired VPN-1

Edge/Embedded Gateway. Click OK.

• In the Satellite Gateways page, click Add and select the desired VPN-1

Edge/Embedded Gateway. Click OK.

Note - If you are creating a Star community, it is not recommended to include the VPN-1

Edge/Embedded Gateway as a Central Gateway.


FIGURE 2-13 Add VPN-1 Edge/Embedded Gateway as Satellite Gateway


In a Meshed Community

• In the Participating Gateways page, click Add and select the desired VPN-1 Edge/Embedded Gateway. Click OK.

In Star and Meshed Communities

• In the VPN Properties page, specify the properties for the phases of IKE negotiation.

• In the Shared Secret page, specify whether the VPN community member should be authenticated using a pre-shared secret or a certificate. If you would like to use a secret, make sure to select Use only shared secret for all external members. The secret used is the password defined when the VPN-1 Edge/Embedded Gateway object was created. If you would like to use certificates as a means of authentication, make sure that Use only shared secret for all external members is unchecked.

3 In the Rule Base, create the rules of your Security Policy. See “Creating a Security

Policy for the VPN-1 Edge/Embedded Appliance” on page 31.

4 Install the rule base on the Central Gateways (for a Star community).


5 In the VPN-1 Edge/Embedded Portal define the SmartCenter server as the active

management server, see “Managing VPN-1 Edge/Embedded Devices with

SmartCenter Server” on page 33. In the VPN window of the VPN-1

Edge/Embedded Portal, the Site-to-Site configuration is automatically loaded,

including its topology and enterprise profile.

VPN-1 Edge/Embedded Gateway in a Remote Access Client Configuration

In order for the VPN-1 Edge/Embedded Gateway to function as a Remote Access

Client, the gateway must be configured to participate in the Remote Access

community. When the VPN-1 Edge/Embedded Gateway object is defined in the

Check Point database, an additional User Group called “All VPN-1 Edge/Embedded

Gateway Appliances” is created. This User Group is used in the definition of the

Remote Access community.

For more information about Remote Access Clients, see the VPN-1 Guide.

Adding the VPN-1 Edge/Embedded Gateway to a Remote Access Community

There are two basic ways to add the VPN-1 Edge/Embedded Gateway to a

community:

• In the VPN-1 Edge/Embedded Gateway - VPN page, click Add. Select the

community to which you would like to associate the selected gateway.

• In the VPN Manager view, select the Remote Access community to which you

would like to add the VPN-1 Edge/Embedded Gateway. Add the VPN-1

Edge/Embedded Gateway in the Participant User Group page by clicking on Add 

and selecting the default User Group called VPN-1 Embedded Devices defined as

Remote Access to which the VPN-1 Edge/Embedded Gateway is associated.

When VPN-1 Edge/Embedded Gateways are configured to work in client mode, it is important that the SmartCenter Server be deployed outside of the VPN domain of the Remote Access Client. If you are working with Remote Access Automatic login mode, the SmartCenter Server may be within the VPN domain; however, in this case, you must create the VPN domain in the VPN-1 Edge/Embedded Gateway before connecting the VPN-1 Edge/Embedded Gateway to the SmartCenter Server.

Note - The User Group All VPN-1 Edge/Embedded Gateway Appliances is not a regular User Group and as such it doesn’t appear in the Users and Administrators tab of the Objects Tree.

For VPN to be established the following must take place:

1 Create a VPN-1 Edge/Embedded Gateway object. Make sure that you select VPN

enabled and Remote Access on the General page. Remote Access means that the

selected VPN Edge Gateway can act as a Remote Access client to the corporate

gateway, no other gateways will be able to initiate a VPN tunnel to this VPN

Edge/Embedded Gateway. This VPN-1 Edge/Embedded Gateway can be enforced

as part of a User Group in a Remote Access VPN community.

If the VPN-1 Edge/Embedded Gateway has a static IP Address, use an IKE

pre-shared secret to establish a VPN tunnel. In this case you will need to enter the

password created on the VPN-1 Edge/Embedded Gateway object.

2 Create a Remote Access community in the VPN Manager that includes the VPN-1 Edge/Embedded Gateway object. For more about these communities and how to configure them, see the VPN Guide.

• In the Participating Gateways page click Add and select the Central Gateway.

Click OK.

• In the Participant User Groups page, click Add and select VPN-1 Embedded

Devices defined as Remote Access. Click OK.

FIGURE 2-14 Add User Group

• Click OK to exit the Remote Access community window.

3 In the Rule Base, define a rule for the Remote Access community and install it on the Gateway. See “Creating a Security Policy for the VPN-1 Edge/Embedded Appliance” on page 31. Install the Security Policy on the desired gateways.

4 In the VPN-1 Edge/Embedded Portal define the SmartCenter server as the active management server, see “Managing VPN-1 Edge/Embedded Devices with

SmartCenter Server” on page 33.

• In the VPN window of the VPN-1 Edge/Embedded Portal, the Remote Access

configuration is automatically loaded. Create a new Site to represent the VPN-1

Pro Gateway on the VPN-1 Edge/Embedded appliance. On the VPN screen,

click on New Site and run the wizard and do the following steps in the Wizard:

• Add the IP Address of the regular VPN-1 Pro Gateway.

• Check Download Configuration.

• Enter the name of the Site.

• Under VPN Login, select Automatic Login and refer to the vendor documentation

for more information.

5 In SmartDashboard, install the Security Policy.

VPN-1 Edge/Embedded Managed by an External Management Server

You can configure the VPN-1 Edge/Embedded appliance to be managed by an external

Management Server. This means that it is not managed by the local SmartCenter or 

MDS server. This scenario is typical for Extranet or connection to partner sites. This

requires configuration in two places:

1 On the VPN-1 Edge/Embedded Gateway object:

• On the General page, check Externally Managed Gateway.

• The setting defined in the Topology page, depends on the agreed configuration.

2 Modify the VPN Community to which you are adding the VPN-1

Edge/Embedded. Make sure that you check Use only Shared Secret for all External

Members on the Shared Secret page.

3 Modify the Security Policy, make sure that rule installed on the profile is disabled.

Install the Security Policy.

• On the VPN-1 Edge/Embedded Portal, on the VPN screen, click New Site, run the wizard and do the following steps:

• Add the IP Address of the regular VPN-1 Pro Gateway

• Check Download Configuration.

• Configure the routing destination and subnet mask of the external management server.

• Under  Authentication, select Use shared secret.

• Click on Connect in order to connect to the VPN-1 Pro Gateway.

Configuring VPN-1 in SmartLSM

VPN-1 Edge/Embedded ROBO Gateways can participate in meshed Site-to-Site communities. In SmartLSM, VPN is supported using IKE authentication with Check Point internal certificates:

1 In the VPN-1 Edge/Embedded Portal, verify that a certificate has been installed on

the VPN-1 Edge/Embedded Device before establishing the VPN tunnel.

2 In SmartLSM:

• Add a dynamic object to the VPN-1 Edge/Embedded ROBO Gateway. In

order to implement VPN on VPN-1 Edge/Embedded ROBO Gateways,

dynamic objects need to be added to the VPN domain of these objects. Make

sure you check Add to VPN domain.

• Update the Corporate Office (CO) Gateway.

3 In SmartDashboard, create a VPN Star community that includes the VPN-1

Edge/Embedded ROBO Gateway and the CO Gateway as follows:

• In the Central Gateway page, click Add. Select the CO gateway from the

displayed list and click OK.

• In the Satellite Gateways page, click Add. Select the SmartLSM VPN-1 Edge/Embedded profile from the displayed list and click OK.

• In the VPN Properties page, specify the IKE phase properties.

• In the Shared Secret page, uncheck Use only Shared secret for all External Members.

Make sure that shared secret is only used for external members and set the

properties for the IKE negotiations.

A topology file and a certificate are downloaded to the VPN-1 Edge/Embedded ROBO Gateway. This topology file lists the members of the VPN community and specifies the encryption information.

4 On the VPN-1 Edge/Embedded Portal, on the VPN screen, specify the configuration type (whether Site-to-Site or Remote Access) and check Download Configuration.


Viewing Logs in the SmartView Tracker


For auditing logs, open the Audit view in the SmartView Tracker.

For your convenience add the Origin column to the Audit view (View > Query options

> Query Properties, select Origin) and select the VPN-1 Edge/Embedded appliance that

you would like to track. This enables you to figure out from which VPN-1 Edge

appliance the log was generated.

For security logs: security logs are displayed in the Log view of the SmartView Tracker.

Double-click on the log in order to see more information.

FIGURE 2-15 Viewing Security logs

Downloading the Latest Firmware from SmartUpdate

You can use SmartUpdate to get automatic updates of the latest firmware version. To

download the latest firmware:

1 In the Product Repository pane, right-click a VPN-1 Edge/Embedded Gateway and

select Add from Download Center.

2 In the displayed window, select the firmware that you would like to download and

click Download.

3 In the Product Repository, right-click a VPN-1 Edge/Embedded Gateway and

select Install Product.

4 Select the firmware and click OK.

The firmware is downloaded and sent to the SmartCenter Server, which is responsible for downloading it to the VPN-1 Edge/Embedded Gateways when the latter are ready to receive it.


Index


A

Access Control 15, 18, 19
active management server 38
Anti-spoofing 12
Appliance
    Before You Begin 17
    installing 17
    managed by External Management Server 15
    S-series 11
    supported 12
    VPN, Site-to-Site, Remote Access 14
    W-series 12
    X-series 11
Audit view 42
authentication 21
authentication capabilities 12

C

centralized management tool 16
centralized upgrading 12
Check Point Express 16
Check Point internal certificates 41
Check Point management solutions 12
Check Point’s Stateful Inspection 15
client mode 38
Configuration Script 26
connectivity 8
content filtering 25
Corporate Office (CO) Gateway 41
CVP Server 25

D

DMZ 22
dynamic IP Address 35, 36
Dynamic Object 19, 28, 41

E

Embedded appliance 18
Enable SmartLSM
    run LSMenabler 18
encryption 21
Ethernet port 22
external interface 23
External Management Server 40
Extranet 40
Extranet scenarios 15

F

firmware 16, 43
ftp 31

G

Global VPN Communities 10

H

hardware type 23
High Availability 24
high performance 11
http 31
http://my.firewall
    connecting to 13

I

IKE authentication 41
IKE negotiation 37
IKE phase properties 41
IKE pre-shared secret 35, 39
initial administrator permissions 17
internal interface 23
Introduction 7

L

LAN 22
LAN ports 22
large-scale VPN deployments 8
license string 26
Licensing 18, 19

M

MAC address 26
Managed Service Providers 10
management operations 33
Management Server 40
Management Settings 21
Management Solutions 17
    SmartCenter, Provider-1, SmartLSM 9
Managing VPN-1 Edge/Embedded Devices 33
MDS server 40
Meshed Community 35, 36
meshed Site-to-Site communities 41
multi-ISPs 11

N

NAT implementation 36
NAT settings 23
Network Objects 21, 29
NIC 23

O

Objects Tree 21

P

PKI 35
profile 29
Protocol
    SWTP_Gateway 13
    SWTP_SMS 13
Provider-1 7, 10
Provider-1 CMA 10

R

Remote Access 14
    default User group 14
Remote Access Client 12, 35, 38, 39
Remote Access Community 14, 31, 35, 38, 40
Remote Access VPN
    configure 38
Remote Access VPN community 39
remote client 14
Remote Login 34
ROBO 9
Rule Base 15, 37, 40

S

secure connectivity 7
Security 8
security logs 42
Security Policy 8, 12, 15, 18, 19, 31, 32, 33, 40
    actions 15
    define 31
    download 32
    install & uninstall 32
    verify download 32
security policy 29
Security Policy rules 31
SIC 13
Site-to-Site 14, 31
Site-to-Site configuration 19, 38
Site-to-Site VPN 14
    configure 35
SmartLSM VPN-1 Edge/Embedded Profiles 19
SMART management 8
SmartCenter 7, 9
SmartCenter Express 14
SmartCenter management 13
SmartCenter Pro 18
SmartCenter Server 30
    connecting to 13
SmartCenter server 34
SmartCenter Server setup 33
SmartConsole clients 12
SmartLSM 7, 9, 16, 18, 30, 41
SmartLSM management solution 28
SmartLSM VPN-1 Edge/Embedded Profile 28, 41
SmartLSM VPN-1 Edge/Embedded ROBO Profile
    create 29
SmartUpdate 16, 43
    download firmware 43
    upgrading firmware 16
SmartView Monitor 16
SmartView Status
    monitoring the status 16
SmartView Tracker 15, 42
    creating logs 15
    view logs 42
Star Community 19, 35, 36
Stateful Inspection 12
static IP Address 35, 39
subnet mask 41

T

telnet 31
topology 23

U

UFP Server 25

V

VPN
    configure 35
VPN community 12, 17, 21, 24, 31
VPN configuration
    in SmartLSM 41
VPN Manager 36, 39
VPN relations 18, 19
VPN settings 21
VPN solutions 7, 8, 9
VPN Star community 41
VPN tunnel 35
VPN-1 Edge 7, 18, 20
VPN-1 Edge device 26
VPN-1 Edge logs 15
VPN-1 Edge/Embedded Appliance 21, 30, 33
VPN-1 Edge/Embedded appliance 13, 15, 17, 28, 34
VPN-1 Edge/Embedded Gateway 9, 15, 24, 26, 31, 35, 43
    create 21
VPN-1 Edge/Embedded Gateway object 21, 33
VPN-1 Edge/Embedded Gateways 14
VPN-1 Edge/Embedded object 18
VPN-1 Edge/Embedded Portal 13, 18, 19, 33, 36, 38
VPN-1 Edge/Embedded Profile 13, 21
VPN-1 Edge/Embedded ROBO 9
VPN-1 Edge/Embedded ROBO Gateway 19, 28, 30, 41
    create 30
VPN-1 Edge/Embedded appliances 16
VPN-1 Embedded appliances 7
VPN-1 Express module 8
VPN-1 Pro 8, 16
VPN-1 Pro gateway 12
VPN-1/FireWall-1 technology 12

W

WAN 23
WAN interface card 23
WAN port 22
Web content 25
Web GUI 17
Workflow
    SmartCenter management 18
    SmartLSM Management 18
    using the appliance 13

X

xDSL modem 23