SMB GWs Advanced Settings

Document created by Günther W. Albrecht on Feb 14, 2018. Last modified by Günther W. Albrecht on Jul 31, 2018. Version 13.

In Device > Advanced > Advanced Settings you can manage the low-level settings of the device. This matters most for locally managed units, because they have no .def files on a Security Management Server (SMS) through which advanced configuration could otherwise be pushed.

 

Changing these Advanced Settings can harm the stability, security and performance of the appliance, so they should only be changed in special configurations and when advised by Check Point; the defaults are the recommended balance of performance and security. As an example, the firewall rulebase can only Accept or Block packets. When a rule blocks, the default ("Automatic") action drops traffic from external sources and rejects traffic from internal sources: a drop gives an outside scanner no response at all, while a reject gives an inside host an immediate TCP reset or ICMP error instead of a connection timeout. On locally managed devices this behaviour can be changed with the "Firewall Policy - Blocked packets action" parameter. Some other defaults favour connectivity over strictness and deserve a review before the device goes into production; for instance, the SSL inspection policy by default does not drop connections that present an expired or untrusted server certificate ("Validate Expiration" and "Validate untrusted certificates" are both false).

 

The following list contains all Advanced Settings included in firmware R77.20.80. Although you can search and read them in the Embedded GAiA WebGUI, I sometimes find it more convenient to have a complete list.

 

The Advanced Settings on centrally managed units contain only 18 parameters:

Attribute Name | Type | Value | Description
Additional Management Settings - Move temporary policy files to storage | bool | false | Indicates whether the temporary policy installation files will be saved to the storage partition
Anti ARP Spoofing - Anti ARP Spoofing mode | options | Off | Mode for Anti ARP spoofing protection. The protection can be turned off, on or in detect only mode
Anti ARP Spoofing - Detection window time to indicate attack | int | 180 | Time period (in seconds) during which IP addresses, assigned to the same MAC address, indicate an ARP spoofing attack
Anti ARP Spoofing - Number of IP addresses to indicate attack | int | 3 | The number of IP addresses assigned to the same MAC address during the Detection window time that will indicate an ARP spoofing attack
Anti ARP Spoofing - Suspicious MAC block period | int | 1800 | Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list
MAC Filtering settings - Log blocked MAC addresses | options | Enabled | Indicates if blocked MAC addresses should be logged or not
MAC Filtering settings - Log suspension | int | 1 | Indicates the suspension time (in seconds) between logs for blocked MAC addresses
Internet - Reset Sierra USB on LSI error | bool | true | Indicates whether Sierra type USB modems will be reset when they send an Invalid LSI signal
DHCP relay - Use internal IP addresses as source | bool | false | Indicates if DHCP relay packets from the appliance will originate from internal IP addresses
Serial port - Port speed | options | 115200 | Indicates the port speed (Baud Rate) of the serial connection
Serial port - Flow control | options | RTS/CTS | Indicates the method of data flow control to and from the serial port
Serial port - Enable serial port | options | Enabled | Indicates if the serial port is enabled
Serial port - Mode | options | Console | Indicates if the serial port is used to connect to the appliance's console, a remote telnet server or allow a remote telnet connection to the device connected to the serial port.
Hotspot - Enable portal | options | Enabled | Select 'Disabled' to disable the hotspot feature entirely
USB modem watchdog - Interval | int | 5 | Indicates how often the USB modem watchdog probes the internet
USB modem watchdog - Mode | options | Disabled | Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type (either hard-reset to shut down the power for the USB modem or gateway-reset to reboot the gateway itself).
Hotspot - Prevent simultaneous log-in | bool | false | The same user will not be allowed to login via hotspot portal from more than one machine in parallel
Report Settings - Max Period | options | Weekly | Maximum period to collect and monitor data. You must reboot your appliance to apply changes.
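
To make the three Anti ARP Spoofing parameters above concrete, here is an added example (my own code, not Check Point's implementation) that replays a constructed ARP trace through a sliding-window detector built from the table's defaults: a MAC that claims 3 distinct IP addresses within 180 seconds is treated as an attacker, and in "On" mode it stays on the blocked list for 1800 seconds, while "Detect only" merely records the event. The window semantics, the verdict names and the sample trace are assumptions; the appliance's actual matching logic is not documented on this page.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class AntiArpSpoofing:
    """Sliding-window model of the 'Anti ARP Spoofing' parameters (assumed semantics)."""
    mode: str = "Off"                # "Off", "On" or "Detect only", as in the table
    detection_window: int = 180      # "Detection window time to indicate attack" (seconds)
    ips_to_indicate_attack: int = 3  # "Number of IP addresses to indicate attack"
    block_period: int = 1800         # "Suspicious MAC block period" (seconds)
    # per MAC: (timestamp, claimed IP) observations still inside the window
    _seen: dict = field(default_factory=lambda: defaultdict(list))
    # per MAC: time until which the MAC stays on the blocked list
    _blocked_until: dict = field(default_factory=dict)
    events: list = field(default_factory=list)   # (time, mac, sorted IPs) per detection

    def is_blocked(self, mac, now):
        until = self._blocked_until.get(mac)
        if until is None:
            return False
        if now >= until:                 # block period elapsed: the MAC is evaluated afresh
            del self._blocked_until[mac]
            return False
        return True

    def observe(self, now, mac, ip):
        """Feed one ARP reply (sender MAC, sender IP); returns 'pass', 'detect' or 'block'."""
        if self.mode == "Off":
            return "pass"
        if self.is_blocked(mac, now):
            return "block"
        window = [(t, a) for t, a in self._seen[mac] if now - t < self.detection_window]
        window.append((now, ip))
        self._seen[mac] = window
        distinct = {a for _, a in window}
        if len(distinct) < self.ips_to_indicate_attack:
            return "pass"
        self.events.append((now, mac, sorted(distinct)))
        if self.mode == "Detect only":
            return "detect"              # recorded, but the traffic is not blocked
        self._blocked_until[mac] = now + self.block_period
        return "block"


# Constructed trace: (seconds, sender MAC, sender IP). Not captured from a real network.
SAMPLE_ARP = [
    (0,    "00:11:22:33:44:55", "10.0.0.1"),   # attacker claims the gateway address
    (10,   "aa:aa:aa:aa:aa:01", "10.0.0.10"),  # ordinary host, one stable IP
    (60,   "00:11:22:33:44:55", "10.0.0.20"),  # second IP for the attacker MAC
    (120,  "00:11:22:33:44:55", "10.0.0.30"),  # third IP inside 180 s: attack
    (150,  "00:11:22:33:44:55", "10.0.0.1"),   # still on the blocked list
    (1000, "aa:aa:aa:aa:aa:02", "10.0.0.50"),  # host whose address changes slowly
    (1200, "aa:aa:aa:aa:aa:02", "10.0.0.51"),  # 200 s later: the first claim has left the window
    (1400, "aa:aa:aa:aa:aa:02", "10.0.0.52"),  # never 3 IPs inside one 180 s window
    (1921, "00:11:22:33:44:55", "10.0.0.1"),   # 1800 s after the block: evaluated again
]


def run_sample(mode="On"):
    """Replay SAMPLE_ARP through a detector in the given mode; returns one verdict per packet."""
    guard = AntiArpSpoofing(mode=mode)
    return [guard.observe(t, mac, ip) for t, mac, ip in SAMPLE_ARP]


if __name__ == "__main__":
    for mode in ("Off", "Detect only", "On"):
        print(f"{mode:12s}", run_sample(mode))
```

In "On" mode the fourth packet of the trace trips the threshold and the fifth is refused outright; in "Detect only" the same packets only raise events. Running "Detect only" first is the sensible order on a network where one MAC legitimately answers for several addresses (a router, or a host with several IP aliases), because the default threshold of 3 would otherwise put that MAC on the blocked list for half an hour.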

 

Advanced Settings on locally managed (standalone) units contain 244 parameters (sorted alphabetically):

Attribute Name | Type | Value | Description
Administrators RADIUS authentication - Local authentication (RADIUS inaccessible) | bool | false | Perform local administrator authentication only if the RADIUS server is not configured or is inaccessible.
Aggressive aging - Aggressive aging enforcement method | options | Both | Choose when aggressive aging timeouts are enforced
Aggressive aging - Connection table percentage limit | int | 80 | Connection table percentage limit
Aggressive aging - Enable aggressive aging of connections | bool | true | Enable aggressive aging of connections
Aggressive aging - Enable reduced timeout for ICMP connections | bool | true | Enable reduced timeout for ICMP connections
Aggressive aging - Enable reduced timeout for non TCP/UDP/ICMP connections | bool | false | Enable reduced timeout for non TCP/UDP/ICMP connections
Aggressive aging - Enable reduced timeout for TCP handshake | bool | true | Enable reduced timeout for TCP handshake
Aggressive aging - Enable reduced timeout for TCP session | bool | true | Enable reduced timeout for TCP session
Aggressive aging - Enable reduced timeout for TCP termination | bool | true | Enable reduced timeout for TCP termination
Aggressive aging - Enable reduced timeout for UDP connections | bool | true | Enable reduced timeout for UDP connections
Aggressive aging - ICMP connections reduced timeout | int | 3 | ICMP connections reduced timeout (in seconds)
Aggressive aging - Memory consumption percentage limit | int | 80 | Memory consumption percentage limit
Aggressive aging - Other IP protocols reduced timeout | int | 15 | Other IP protocols reduced timeout (in seconds)
Aggressive aging - Pending Data connections reduced timeout | int | 15 | Pending Data connections reduced timeout (in seconds)
Aggressive aging - TCP handshake reduced timeout | int | 5 | TCP handshake reduced timeout (in seconds)
Aggressive aging - TCP session reduced timeout | int | 600 | TCP session reduced timeout (in seconds)
Aggressive aging - TCP termination reduced timeout | int | 3 | TCP termination reduced timeout (in seconds)
Aggressive aging - Tracking options for aggressive aging | options | Log | Tracking options for aggressive aging
Aggressive aging - UDP connections reduced timeout | int | 15 | UDP connections reduced timeout (in seconds)
Anti ARP Spoofing - Anti ARP Spoofing mode | options | Off | Mode for Anti ARP spoofing protection. The protection can be turned off, on or in detect only mode
Anti ARP Spoofing - Detection window time to indicate attack | int | 180 | Time period (in seconds) during which IP addresses, assigned to the same MAC address, indicate an ARP spoofing attack
Anti ARP Spoofing - Number of IP addresses to indicate attack | int | 3 | The number of IP addresses assigned to the same MAC address during the Detection window time that will indicate an ARP spoofing attack
Anti ARP Spoofing - Suspicious MAC block period | int | 1800 | Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list
Anti-Spam policy - All mail track | options | None | Indicates the tracking options for non-spam emails
Anti-Spam policy - Allowed mail track | options | None | Indicates the tracking options for emails that were explicitly allowed in the Exceptions page
Anti-Spam policy - Content based Anti-Spam timeout | int | 10 | Indicates the timeout (in seconds) to wait for an answer from the cloud during content-based Anti-Spam inspection
Anti-Spam policy - E-mail size scan | int | 8 | Indicates the maximal size of an email's content to scan (in KB)
Anti-Spam policy - IP reputation fail open | bool | true | Use Anti-Spam IP reputation fail-open mode upon internal error
Anti-Spam policy - IP reputation timeout | int | 10 | Indicates the timeout (in seconds) to wait for an IP reputation test result
Anti-Spam policy - Scan outgoing emails | bool | false | Scan the content of emails which are sent from the local network to the Internet
Anti-Spam policy - Transparent proxy | bool | true | Use a transparent proxy for inspected email connections
Anti-spoofing - Enable global anti-spoofing | bool | true | Indicates if anti-spoofing is enabled automatically on all interfaces according to their zone
Application Control and URL Filtering - Block when service is unavailable | bool | false | Block web requests traffic when the Check Point categorization and widget definitions web service is unavailable
Application Control and URL Filtering - Categorize cached and translated pages | bool | true | Perform URL categorization of cached pages and translated pages created by search engines
Application Control and URL Filtering - Custom App over HTTPS | bool | false | Indicates whether custom URLs and applications will be matched over HTTPS traffic using the SNI field. Important note: as the SNI field in HTTPS traffic is browser-dependent and promiscuous, it does not guarantee a 100% match.
Application Control and URL Filtering - Enforce safe search | bool | false | Force filtering of explicit content in search engine results
Application Control and URL Filtering - Fail Mode | options | Block all requests | Indicates the action to take on traffic in case of an internal system error or overload
Application Control and URL Filtering - Track browse time | bool | true | Indicates if the total time that users are connected to different sites and applications in an HTTP session will be shown in relevant logs
Application Control and URL Filtering - Use HTTP referer header | bool | true | Indicates if the HTTP referer header is used by the inspection engine to improve application identification
Application Control and URL Filtering - Web site categorization mode | options | Background | Indicates the categorization mode: Background - requests are allowed until categorization is complete, Hold - requests are blocked until categorization is complete
Capacity Optimization - Connections hash table size | int | 131072 | Indicates the size in bytes of the connections hash table
Capacity Optimization - Maximum concurrent connections | int | 150000 | Indicates the overall maximum number of concurrent connections
Cloud Services firmware upgrade - Service access maximum retries | int | 3 | Indicates the maximum number of retries when failing to upgrade using the service
Cloud Services firmware upgrade - Service access timeout until retry | int | 180 | Indicates the time to wait after a connection failure to the service before the next retry
Cluster - Use virtual MAC | bool | false | Indicates if a virtual MAC address will be used by all cluster members to allow a quicker failover by the network's switch
DDNS - iterations | int | 1 | Number of DNS updates
DHCP relay - Use internal IP addresses as source | bool | false | Indicates if DHCP relay packets from the appliance will originate from internal IP addresses
Firewall Policy - Blocked packets action | options | Automatic | Action for blocked packets: Drop, Reject or Automatic (drop from external and reject from internal)
Firewall Policy - Log implied rules | bool | false | Produce log records for connections that match implied rules
General temporary directory size - General temporary directory size | int | 20 | Controls the size (in MB) of the general temporary directory
General temporary directory size - System temporary directory size | int | 40 | Controls the size (in MB) of the temporary directory that is used by the system
Hardware options - Reset to factory defaults timeout | int | 12 | Indicates the amount of time (in seconds) that you need to press and hold the factory defaults button on the back panel to restore the factory defaults image
Hotspot - Enable portal | options | Enabled | Select 'Disabled' to disable the hotspot feature entirely
Hotspot - Prevent simultaneous log-in | bool | false | The same user will not be allowed to login via hotspot portal from more than one machine in parallel
Internal Certificates configure - Internal CA certificate expiration | int | 20 | The number of years the internal CA certificate is valid
Internet - Reset Sierra USB on LSI error | bool | true | Indicates whether Sierra type USB modems will be reset when they send an Invalid LSI signal
IP fragments parameters - Action | options | Allow | Indicates if IP fragments will be allowed or dropped by default
IP fragments parameters - Maximum fragments | int | 200 | Indicates how many IP fragments can arrive before discarding incomplete packets
IP fragments parameters - Minimum fragments size | int | 0 | IP fragments minimum fragment size
IP fragments parameters - Packet Capture | bool | false | IP fragments packet capture setting
IP fragments parameters - Timeout | int | 1 | Indicates the timeout (in seconds) before discarding incomplete packets
IP fragments parameters - Track options | options | Log | Indicates if and how to log IP fragments
IPS additional parameters - Max Ping Limit | int | 1000 | Indicates the maximal ping packet size that will be allowed when the 'Max Ping Size' protection is active
IPS additional parameters - Non-standard HTTP ports | bool | true | Enable HTTP inspection on non-standard ports for the IPS blade
IPS engine settings - Description | comments | Access denied due to IPS policy violation | A configured string to show in the error page if configured
IPS engine settings - Error page for supported web protections | options | Show pre-defined HTML error page | Indicates if IPS protections supporting an error page will show it upon attack prevention
IPS engine settings - HTML error page configuration | bool | false | Indicates if the error page will contain an error code
IPS engine settings - Logo URL | bool | false | Optionally enter a URL that leads to your company logo.
IPS engine settings - Logo URL address | url | | An accessible URL that leads to a logo file to show in the error page
IPS engine settings - Send detailed error code | bool | true | Indicates if the error page will contain a configured string
IPS engine settings - Send error code | bool | false | Indicates if an error code will be sent to the other URL as a parameter
IPS engine settings - URL for redirection | url | | Users will be redirected to this URL upon detection of an attack
MAC Filtering settings - Log blocked MAC addresses | options | Enabled | Indicates if blocked MAC addresses should be logged or not
MAC Filtering settings - Log suspension | int | 1 | Indicates the suspension time (in seconds) between logs for blocked MAC addresses
Managed services - Allow seamless administrator access from remote Management Server | bool | true | Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator user name and password
Managed services - Show device details in Login | bool | true | Indicates if appliance details are shown when an administrator accesses the appliance
NAT - Address allocation and release tracking | options | None | Specifies whether to log each allocation and release of an IP address from the IP Pool
NAT - Address exhaustion tracking | options | Log | Indicates whether or not to log and/or alert on exhaustion of the IP pool
NAT - ARP manual file merge | bool | false | Indicates, when automatic ARP detection is enabled, to use the ARP definitions in a local file with higher priority
NAT - Automatic ARP detection | bool | true | Automatically detect ARP requests for external IP addresses of internal devices to be answered by the device
NAT - Increase hide capacity | bool | true | Indicates if hide-NAT capacity is given additional space
NAT - IP Pool NAT | options | Do not use IP pool NAT | IP pool NAT mode
NAT - IP pool per interface | bool | false | Uses an IP address pool for NAT per interface
NAT - NAT cache expiration | int | 30 | Indicates the expiration time (in minutes) for NAT cache entries
NAT - NAT cache number of entries | int | 10000 | Indicates the maximum number of NAT cache entries
NAT - NAT enable | bool | true | Indicates if the device's NAT capabilities are enabled
NAT - NAT hash size | int | 0 | Indicates the hash bucket size of NAT tables
NAT - NAT limit | int | 0 | Indicates the maximum number of connections with NAT
NAT - Perform cluster hide fold | bool | false | Indicates if local IP addresses will be hidden behind the cluster IP address when applicable
NAT - Prefer IP Pool NAT over hide NAT | bool | true | Overrides hide NAT with IP pool NAT
NAT - Return unused addresses to IP Pool NAT after x minutes | int | 60 | Return unused addresses to IP pool NAT
NAT - Reuse IP addresses from the Pool for different destinations | bool | false | Allows NAT to re-use IP addresses for different destinations
NAT - Translate destination on client side | bool | true | Translates destination IP addresses on the client side (for automatically generated NAT rules)
NAT - Translate destination on client side (manual rules) | bool | true | Translates destination IP addresses on the client side (for manually configured NAT rules)
NAT - Use IP Pool NAT for gateway to gateway connections | bool | false | Uses IP pool NAT for gateway to gateway connections
NAT - Use IP Pool NAT for VPN clients connections | bool | false | Uses IP Pool NAT for VPN client connections
Privacy settings - Help us improve product experience by sending data to Check Point | bool | true | Privacy statement: Check Point does not upload data that contains private or sensitive information. For more information, refer to sk120332.
QoS blade - Logging | bool | true | Indicates if the appliance logs QoS events when the QoS blade is enabled
Reach My Device - Ignore SSL certificate | bool | false | Ignore the SSL certificate when running Reach My Device
Reach My Device - Server address | url | smbrelay.checkpoint.com | Indicates the address of the remote server that allows administration access to the appliance from the internet even when behind NAT
Report Settings - Max period | options | Monthly | Maximum period to collect and monitor data in local management. You must reboot your appliance to apply changes.
Serial port - Enable serial port | options | Enabled | Indicates if the serial port is enabled
Serial port - Flow control | options | RTS/CTS | Indicates the method of data flow control to and from the serial port
Serial port - Mode | options | Console | Indicates if the serial port is used to connect to the appliance's console, a remote telnet server or allow a remote telnet connection to the device connected to the serial port.
Serial port - Port speed | options | 115200 | Indicates the port speed (Baud Rate) of the serial connection
SSL inspection policy - Additional HTTPS ports | port-range | 8080, 3128 | Additional HTTPS ports for SSL inspection (a comma separated list of ports/ranges)
SSL inspection policy - Log empty SSL connections | bool | false | Log connections that were terminated by the client before data was sent; this might indicate that the client did not install the CA certificate
SSL inspection policy - Retrieve intermediate CA certificates | bool | true | Indicates if the SSL inspection mechanism will perform its validations on all intermediate CA certificates in the certificate chain
SSL inspection policy - SSL Inspection categorization mode | options | Hold | Indicates the categorization mode of SSL Inspection: Background - requests are allowed until categorization is complete, Hold - requests are blocked until categorization is complete
SSL inspection policy - Track validation errors | options | Log | Choose if the SSL Inspection validations are tracked
SSL inspection policy - Validate CRL | bool | true | Indicates if the SSL inspection mechanism will drop connections that present a revoked certificate
SSL inspection policy - Validate Expiration | bool | false | Indicates if the SSL inspection mechanism will drop connections that present an expired certificate
SSL inspection policy - Validate unreachable CRL | bool | false | Indicates if the SSL inspection mechanism will drop connections that present a certificate with an unreachable CRL
SSL inspection policy - Validate untrusted certificates | bool | false | Indicates if the SSL inspection mechanism will drop connections that present an untrusted server certificate
Stateful Inspection - Accept out of state TCP packets | int | 0 | Indicates if TCP packets which are not consistent with the current state of the TCP connection are dropped (when set to 0) or accepted (when set to any other value)
Stateful Inspection - Accept stateful ICMP Errors | bool | true | Accept ICMP error packets which refer to another non-ICMP connection that was accepted by the Rule Base
Stateful Inspection - Accept stateful ICMP Replies | bool | true | Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base
Stateful Inspection - Accept stateful other IP protocols replies for unknown services | bool | true | Accept stateful non TCP/UDP protocol replies for unknown services
Stateful Inspection - Accept stateful UDP replies for unknown services | bool | true | Accept stateful UDP replies for unknown services
Stateful Inspection - Allow IPv6 packets | bool | false | Allow IPv6 traffic to pass without inspection
Stateful Inspection - Allow LAN-DMZ DPI | bool | true | Allow Deep Packet Inspection in traffic between internal networks and the DMZ network
Stateful Inspection - Allow LAN-LAN DPI | bool | false | Allow Deep Packet Inspection in traffic between internal networks
Stateful Inspection - Drop out of state ICMP packets | bool | true | Drop ICMP packets which are not in the context of a virtual session
Stateful Inspection - ICMP virtual session timeout | int | 30 | Indicates the timeout (in seconds) for ICMP virtual sessions
Stateful Inspection - Log dropped out of state ICMP packets | int | 0 | Log dropped out of state ICMP packets
Stateful Inspection - Log dropped out of state TCP packets | int | 0 | Log dropped out of state TCP packets
Stateful Inspection - Other IP protocols virtual session timeout | int | 60 | Indicates the timeout (in seconds) for other IP protocol virtual sessions (non TCP/UDP/ICMP)
Stateful Inspection - TCP end timeout | int | 20 | Indicates the timeout (in seconds) for TCP session end
Stateful Inspection - TCP session timeout | int | 3600 | Indicates the timeout (in seconds) for TCP sessions
Stateful Inspection - TCP start timeout | int | 25 | Indicates the timeout (in seconds) for TCP session start
Stateful Inspection - UDP virtual session timeout | int | 40 | Indicates the timeout (in seconds) for UDP virtual sessions
Streaming engine settings - Stream Inspection Timeout action | options | Prevent | Stream Inspection Timeout activation mode
Streaming engine settings - Stream Inspection Timeout tracking | options | Log | Stream Inspection Timeout tracking
Streaming engine settings - TCP Invalid Checksum action | options | Prevent | TCP Invalid Checksum activation mode
Streaming engine settings - TCP Invalid Checksum tracking | options | None | TCP Invalid Checksum tracking
Streaming engine settings - TCP Invalid Retransmission action | options | Prevent | TCP Invalid Retransmission activation mode
Streaming engine settings - TCP Invalid Retransmission tracking | options | Log | TCP Invalid Retransmission tracking
Streaming engine settings - TCP Out of Sequence action | options | Prevent | TCP Out of Sequence activation mode
Streaming engine settings - TCP Out of Sequence tracking | options | None | TCP Out of Sequence tracking
Streaming engine settings - TCP Segment Limit Enforcement action | options | Prevent | TCP Segment Limit Enforcement activation mode
Streaming engine settings - TCP Segment Limit Enforcement tracking | options | Log | TCP Segment Limit Enforcement tracking
Streaming engine settings - TCP SYN Modified Retransmission action | options | Prevent | TCP SYN Modified Retransmission activation mode
Streaming engine settings - TCP SYN Modified Retransmission tracking | options | Log | TCP SYN Modified Retransmission tracking
Streaming engine settings - TCP Urgent Data Enforcement action | options | Prevent | TCP Urgent Data Enforcement activation mode
Streaming engine settings - TCP Urgent Data Enforcement tracking | options | Log | TCP Urgent Data Enforcement tracking
Threat Prevention Anti-Bot policy - Resource classification mode | options | Hold | Indicates the classification mode for the Anti-Bot engine: Background - connections are allowed until classification is complete, Hold - connections are blocked until classification is complete
Threat Prevention Anti-Virus policy - File scan size limit | int | 0 | Indicates the size limit (in KB) of a file scanned by the Anti-Virus engine. To specify no limit, set to 0.
Threat Prevention Anti-Virus policy - MIME maximum nesting level | int | 7 | Indicates the maximum number of levels in nested MIME content that the ThreatSpect engine scans in mail traffic
Threat Prevention Anti-Virus policy - MIME nesting level exceeded action | options | Block | Indicates if an email should be blocked or accepted if there are more nested levels of MIME content than the configured amount
Threat Prevention Anti-Virus policy - Priority scanning | bool | true | Scan according to security and performance priorities for maximum optimization
Threat Prevention Anti-Virus policy - Resource classification mode | options | Hold | Indicates the classification mode for the Anti-Virus engine: Background - connections are allowed until classification is complete, Hold - connections are blocked until classification is complete
Threat Prevention policy - Block when service is unavailable | bool | false | Block web requests traffic when the Check Point ThreatCloud web service is unavailable
Threat Prevention policy - Fail mode | options | Allow all requests | Indicates the action to take on traffic in case of an internal system error or overload
Threat Prevention policy - File inspection size limit | int | 0 | Indicates the size limit (in KB) of a file inspected by Threat Prevention engines. Note: a limit that is too low may have an impact on the functionality of the Application Control blade. To specify no limit, set to 0.
Threat Prevention policy - Method for skipping HTTP inspection | options | Default | When changed from the default value, and a file size inspection limit is used, HTTP inspection will be fully skipped instead of skipping only a single session. This is not recommended due to its high security impact: the following sessions will not be inspected at all after a large file is sent via HTTP on a single connection.
Threat Prevention Threat Emulation policy - Emulation connection handling mode - POP3 | options | Background connections are allowed until emulation handling is complete | Indicates the strictness mode of the Threat Emulation engine over POP3: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed
Threat Prevention Threat Emulation policy - Emulation connection handling mode - SMTP | options | Background connections are allowed until emulation handling is complete | Indicates the strictness mode of the Threat Emulation engine over SMTP: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed
Threat Prevention Threat Emulation policy - Emulation location | options | Emulation is done on Public Threat Cloud | Indicates if emulation is done on the Public Threat Cloud or on a remote (private) SandBlast
Threat Prevention Threat Emulation policy - Primary Emulation gateway | ipv4addr | | The IP address of the primary remote emulation gateway
Update Services Schedule - Maximum number of retries | int | 3 | Indicates the maximum number of retries for a single update when the cloud is unavailable until the next scheduled update
Update Services Schedule - Timeout until retry | int | 180 | Indicates the timeout (in seconds) until an update retry
USB modem watchdog - Interval | int | 5 | Indicates how often the USB modem watchdog probes the internet
USB modem watchdog - Mode | options | Disabled | Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type (either hard-reset to shut down the power for the USB modem or gateway-reset to reboot the gateway itself).
User Awareness - Active Directory association timeout | int | 720 | Indicates the timeout (in minutes) for caching an association between a user and an IP address
User Awareness - Allow DNS for unknown users | bool | true | The default is to allow DNS for unknown users even when configured to be blocked in the Browser Based Portal settings
User Awareness - Assume single user per IP address | bool | true | Indicates a mode where, per IP address, only the last user who logged in is identified
User Awareness - Log blocked unknown users | bool | false | Indicates if a log should be issued when unknown users are blocked (see Browser Based Portal settings)
User Management - Automatically delete expired local users | bool | false | Automatically delete all expired local users every 24 hours (after midnight)
VoIP - Accept MGCP connections to registered ports | bool | false | Indicates if deep inspection of MGCP traffic will automatically accept MGCP connections to registered ports
VoIP - Accept SIP connections to registered ports | bool | false | Indicates if deep inspection of SIP traffic will automatically accept SIP connections to registered ports
VPN Remote Access - Allow clear Traffic while disconnected | bool | true | Indicates how traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site: sent in clear or dropped
VPN Remote Access - Allow simultaneous login | bool | true | If disabled, and the same user logs in a second time, the existing session is disconnected
VPN Remote Access - Authentication timeout | int | 120 | Indicates for how long (in minutes) the remote client's password remains valid if the timeout is enabled
VPN Remote Access - Authentication timeout enable | bool | false | Indicates if the remote client's password remains valid only for a configured amount of time
VPN Remote Access - Auto-disconnect in VPN domain | bool | true | Indicates if the client disconnects automatically to save resources when it connects from inside the secured internal network (local encryption domain)
VPN Remote Access - Back connections enable | bool | false | Enable back connections from the encryption domain behind the gateway to the client
VPN Remote Access - Back connections keep-alive interval | int | 20 | Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections
VPN Remote Access - Enable Visitor Mode on All Interfaces | options | All | Enable visitor mode on all interfaces
VPN Remote Access - Enable Visitor Mode on This Interface | ipv4addr | 0.0.0.0 | Support visitor mode on this interface
VPN Remote Access - Encrypt DNS traffic | bool | true | Indicates if DNS queries sent by the remote client to a DNS server located in the encryption domain are passed through the VPN tunnel
VPN Remote Access - Encryption Method | options | IKEv1 | Indicates which IKE encryption method (version) is used for IKE phase 1 and 2
VPN Remote Access - Endpoint Connect re-authentication timeout | int | 480 | Indicates the time (in minutes) until the Endpoint Connect user's credentials are resent to the gateway to verify authorization
VPN Remote Access - IKE IP Compression Support | bool | false | Indicates if IPsec packets from remote access clients will be compressed
VPN Remote Access - IKE Over TCP | bool | false | Enables support of IKE over TCP
VPN Remote Access - IKE restart recovery | bool | true | Indicates that the gateway will save tunnel details so it can cause the remote client to discard the old SA and re-initiate IKE upon gateway crash or restart
VPN Remote Access - Legacy NAT traversal | bool | true | Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient
VPN Remote Access - Minimum TLS version support in the SSL VPN portal | options | TLS 1.2 | Indicates the minimum TLS protocol version which the SSL VPN portal supports. For security reasons, it is recommended to support TLS 1.2 and above.
VPN Remote Access - Office Mode allocate from RADIUS | bool | false | Indicates if the Office Mode allocated IP addresses will be taken from the RADIUS server used to authenticate the user
VPN Remote Access - Office Mode disable | bool | false | Indicates if Office Mode (allocating IP addresses for Remote Access clients) is disabled. This is not recommended.
VPN Remote Access - Office Mode Enable With Multiple Interfaces | bool | false | Indicates if a mechanism (with a performance impact) to improve connectivity between a remote access client and an appliance with multiple external interfaces is enabled
VPN Remote Access - Office Mode Perform Antispoofing | bool | false | Office Mode - Perform Anti-Spoofing on Office Mode addresses
VPN Remote Access - Prevent IP NAT Pool | bool | false | Prevent the IP Pool NAT configuration from being applied to Office Mode users. This is needed when using SecureClient as well as other VPN clients.
VPN Remote Access - Radius retransmit timeout | int | 5 | Timeout interval (in seconds) for each RADIUS server connection attempt
VPN Remote Access - Remote Access port | port | 443 | Select the port to which Remote Access clients connect, and which the SSL VPN Network Extender portal uses
VPN Remote Access - Reserve port 443 for port forwarding | bool | false | Reserve port 443 for port forwarding (port 443 will not be used for Remote Access and SSL VPN Network Extender)
VPN Remote Access - Single Office Mode Per Site | bool | false | Use the first allocated Office Mode IP address for all connections to the Gateways of the site
VPN Remote Access - SNX keep-alive interval | int | 20 | Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets
VPN Remote Access - SNX reauthentication timeout | int | 480 | Indicates the time (in minutes) between re-authentication of SSL Network Extender remote access users and Check Point Mobile VPN users
VPN Remote Access - SNX support 3DES | bool | true | Indicates if the 3DES encryption algorithm will be supported in SSL clients as well as the default algorithms

VPN Remote Access - SNX support RC4

bool

true

Indicates if the RC4 encryption algorithm will be supported in SSL clients as well as the default algorithms

VPN Remote Access - SNX uninstall

options

Do not uninstall

Indicates when and if the SSL Network Extender client will uninstall itself upon disconnection

VPN Remote Access - SNX upgrade

options

Ask user

Indicates when and if the SSL Network Extender client will upgrade itself upon connection

VPN Remote Access - Topology updates manual interval

int

168

Indicates the manually configured interval (in hours) for topology updates to the clients. Will be applicable only if the override settings is set to true.

VPN Remote Access - Topology updates override

bool

false

Indicates if the configured topology updates settings will override the default 'once a week' policy

VPN Remote Access - Topology updates upon startup only

bool

true

Indicates if topology updates will occur only when the client starts. Will be applicable only if the override settings is set to true.

VPN Remote Access - Verify device certificate

bool

true

Client will verify the device's certificate against revocation list

VPN Site to Site global settings - Accept NAT Traversal

bool

true

Indicates if industry standard NAT traversal (UDP encapsulation) is enabled. This ena- bles VPN tunnel establishment even when the remote site is behind a NAT device.

VPN Site to Site global settings - Administrative notifications

options

Log

Indicates how to log an administrative event (for example, when a certificate is about to expire)

VPN Site to Site global settings - Check validity of IPSec reply packets

bool

false

Check validity of IPSec reply packets

VPN Site to Site global settings - Cluster SA sync packets threshold

long

200000

Sync SA with other cluster members when packets number reaches this threshold

VPN Site to Site global settings - Copy DiffServ mark from encrypted/decrypted IPSec packet

bool

false

Copy DiffServ mark from encrypted/decrypted IPSec packet

VPN Site to Site global settings - Copy DiffServ mark to encrypted/decrypted IPSec packet

bool

true

Copy DiffServ mark to encrypted/decrypted IPSec packet

VPN Site to Site global settings - Delete IKE SAs from a dead peer

bool

true

Delete IKE SAs from a dead peer

VPN Site to Site global settings - Delete IPsec SAs on IKE SA delete

bool

false

Delete IPsec SAs on IKE SA delete

VPN Site to Site global settings - Delete tunnel SAs when Tunnel Test fails

bool

true

When permanent VPN tunnels are enabled and a Tunnel Test fails, delete the relevant peer's tunnel SAs. Not supported in High Availability Cluster mode

VPN Site to Site global settings - Do not encrypt connections originating from the local gateway

bool

false

Exclude the Internet connection's IP address from the local encryption domain. Packets whose original source or destination IP address is the local gateway's Internet connection IP address will not go through a VPN tunnel. This parameter may be useful when the gateway is behind hide NAT.

VPN Site to Site global settings - Do not encrypt local DNS requests

bool

false

When enabled, DNS requests originating from the appliance will not be encrypted. Relevant when a configured DNS server is in a VPN peer's encryption domain.

VPN Site to Site global settings - DPD triggers new IKE negotiation

bool

true

DPD triggers new IKE negotiation

VPN Site to Site global settings - Enable encrypted packets rerouting

bool

true

Indicates if encrypted packets will be rerouted through the best interface according to the peer's IP address or probing. It is not recommended to change this value to false.

VPN Site to Site global settings - Grace period after CRL is no longer valid

int

1800

Indicates the time (in seconds) after which a revoked certificate of a remote site remains valid, to allow wider window for CRL validity in case of clock mismatch

VPN Site to Site global settings - Grace period before CRL is valid

int

7200

Indicates the time window (in seconds) where a certificate is considered valid prior to the time set by the CA, to allow wider window for CRL validity in case of clock mismatch

VPN Site to Site global settings - IKE DoS from known sites protection

options

None

Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers

VPN Site to Site global settings - IKE DoS from unknown sites protection

options

None

Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers

VPN Site to Site global settings - IKE reply from Same IP

bool

true

Indicates if the source IP address used in IKE session will be according to destination when replying to incoming connections, or according to the general source IP address link selection configuration

VPN Site to Site global settings - Join adjacent subnets in IKE Quick Mode

bool

true

Join adjacent subnets in IKE Quick Mode

VPN Site to Site global settings - Keep DF flag on packet

bool

false

Indicates if the 'Don't Fragment' flag is kept on the packet during encryption/decryption

VPN Site to Site global settings - Keep IKE SA Keys

options

Automatic

Keep IKE SA Keys

VPN Site to Site global settings - Key exchange error tracking

options

Log

Indicates how to log VPN configuration errors or key exchange errors

VPN Site to Site global settings - Maximum concurrent IKE negotiations

int

200

Indicates the maximum number of concurrent VPN IKE negotiations

VPN Site to Site global settings - Maximum concurrent tunnels

int

10000

Indicates the maximum number of concurrent VPN tunnels

VPN Site to Site global settings - Open SAs limit

int

20

Indicates the maximum number of open SAs per VPN peer

VPN Site to Site global settings - Outgoing link tracking

options

None

Logging of the outgoing VPN link: Log, don't log or alert

VPN Site to Site global settings - Override 'Route all traffic to remote VPN site' configuration for admin access to the device

bool

true

Exclude admin access traffic to the gateway from being routed to remote VPN site even if all traffic should be routed to it

VPN Site to Site global settings - Packet handling errors tracking

options

Log

Logging for VPN packet handling errors: Log, don't log or alert

VPN Site to Site global settings - Perform Tunnel Tests using an internal IP address

bool

false

Perform Tunnel Tests using an internal IP address which is part of the encryption domain

VPN Site to Site global settings - Permanent tunnel down tracking

options

Log

Logging for when the tunnel goes down: Log, don't log or alert

VPN Site to Site global settings - Permanent tunnel up tracking

options

Log

Logging for when the tunnel goes up: Log, don't log or alert

VPN Site to Site global settings - RDP packet reply timeout

int

10

Timeout (in seconds) for an RDP packet reply

VPN Site to Site global settings - Reply from incoming interface

bool

false

When tunnel is initiated from remote site, reply from the same incoming interface when applicable (IKE and RDP sessions)

VPN Site to Site global settings - Successful key exchange tracking

options

Log

Logging for VPN successful key exchange: Log, don't log or alert