Danny
Pearl

Check Point 1400 Appliance - FAQ

Author: Danny Jung

Q: What's the official product site ?
A: Check Point 1400 Appliance | Datasheet | Support Center

Q: What's the 1400 Appliance's SecureKnowledge article ?
A: sk110985 | Release Notes | Known Limitations

Q: Where can I find Getting Started Guides ?
A: Centrally Managed 1430 / 1450 Appliances | Centrally Managed 1470 / 1490 Appliances

Q: What's new ?
A: The Check Point 1400 Appliance series was introduced at the Check Point Experience 2016 in Nice, France and is the successor to the 1100 Appliance series. As such it features the best All-In-One NGF Enterprise-Class Security solution for Branch Offices. The 1400 Appliance integrates an 8/18-Port Switch (Layer 3, managed), DSL modem (Annex A/B), Next Generation Firewall (including a NAT Router, Threat Prevention, IPS, Anti-Virus, Anti-Spam, Application Control & URL Filtering), Identity Awareness, Mobile Access, WLAN Router, Wi-Fi Hotspot, PoE and more. It also offers dynamic routing, quick deployment functions, 3G connectivity using a USB or Express Card support, multiple Internet connections, Policy Based Routing, DDNS (DynDns, No-IP), and more is planned with the upcoming firmware releases.

Q: What does it look like ?
1430/1450 Appliance with WiFi option:


1470/1490 Appliance with WiFi & PoE option:


Q: Which 1400 Appliance license models are available ?
A: 1430 Appliance -> replaces 1120 & 1140 Appliance
A: 1450 Appliance -> replaces 1180 Appliance
A: 1470 Appliance
A: 1490 Appliance

Q: Can I upgrade the licensed model later on (1430 -> 1350 or 1470 -> 1490) ?
A: Of course. Read here.

Q: Which 1400 Appliance hardware models are available ?
A: Model: L-71 Check Point 1430/1450 Appliances
A: Model: L-71W Check Point 1430/1450 WiFi Appliances
A: Model: L-72 Check Point 1470/1490 Appliances
A: Model: L-72W Check Point 1470/1490 WiFi Appliances
A: Model: L-72P Check Point 1470/1490 PoE Appliances

The hardware doesn't differ between 1430 / 1450 and between 1470 / 1490 appliances. It's the license that limits the appliance and locks it down to the licensed system qualities.

Q: What does the boot screen show ?
A: Code:

 

U-Boot 2015.01-alpine_db_s1-1.65.1-HAL (Nov 17 2016 - 10:24:23)  Check Point version: 85

I2C:   ready
DRAM:  1 GiB

   ______  __                    __        _______           _            _
.' ___  |[  |                  [  |  _   |_   __ \         (_)          / |_
/ .'   \_| | |--.  .---.  .---.  | | / ]    | |__) | .--.   __   _ .--. `| |-'
| |        | .-. |/ /__\\/ /'`\] | '' <     |  ___// .'`\ \[  | [ `.-. | | |
\ `.___.'\ | | | || \__.,| \__.  | |`\ \   _| |_   | \__. | | |  | | | | | |,
`.____ .'[___]|__]'.__.''.___.'[__|  \_] |_____|   '.__.' [___][___||__]\__/


power_init_board: EEPROM per device information - using defaults!
Board config ID: alpine_db (S1-L71)
NAND:  1024 MiB
  00:00.0     - Network controller
  00:01.0     - Network controller
  00:02.0     - Network controller
  00:03.0     - Network controller
  00:04.0     - Cryptographic device
  00:05.0     - Base system peripheral
  01:00.0     - Serial bus controller
In:    serial
Out:   serial
Err:   serial

Verifying CRC for settings area... Done

************ Hit 'Ctrl + C' for boot menu ************

## Booting kernel from Legacy Image at 08001000 ...
   Image Name:   Linux-3.10.20-al-5.0-pr2
   Created:      2017-05-21  12:24:05 UTC
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size:    8710168 Bytes = 8.3 MiB
   Load Address: 00008000
   Entry Point:  00008000
   Verifying Checksum ... OK
   Loading Kernel Image ... OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
INIT: version 2.88 booting

Booting Check Point User Space...
INIT: Entering runlevel: 3
System Started...

 

 

Q: What are the differences between the Wi-Fi-FCCA and Wi-Fi-WORLD SKUs and which should I order ?
A: The FCCA SKU is for the United States. The WORLD SKU is for the rest of the world.

Q: What is the sizing recommendation ?
A: The sizing recommendation is based on SPU (SecurePower Units).
A: 1430 Appliance -> 75 SPU (Home Office)
A: 1450 Appliance -> 141 SPU (Home Office)
A: 1470 Appliance -> 194 SPU (Branch Office)
A: 1490 Appliance -> 233 SPU (Branch Office)

Q: Do I have to renew the Threat Prevention blades to get updated signatures ?
A: Yes. The service blades are for 1 year, two or three years. When this period ends, they must be renewed to get updates.

Q: What are the throughput rates of the 1430 / 1450 / 1470 / 1490 appliances when used in production ?
A: Firewall: 900 / 1100 / 1600 / 1800 Mbps
A: Firewall & Threat Prevention: 90 / 150 / 175 / 220 Mbps

Q: How do the 700 Appliance models differ from the 1400 Appliance models ?
A: The 700 Appliance models are technically identical to the 1400 Appliance models. They even use the same firmware. However, they are branded and sold as an All-In-One solution for the SMB market and therefore cannot be managed centrally by a Check Point SmartCenter Server, just like the Check Point Safe@Office Appliance line they replaced.

Q: How do I get started ?
A: Check Point provides this Getting Started Guide.

Q: What is part of the content package ?
A: The appliance itself, a power supply, two network cables, a serial console cable, a USB cable for console connection and the usual Getting Started Guide.


Q: What CPU is working inside ?
A: ARM926EJ-S rev 1 (v5l)

Q: What operating system is it running on ?
A: The 1100 Appliance says: Check Point GAiA Embedded R77.20

Q: What are the features of Check Point GAiA Embedded OS ?
A: Check Point lists it right here.

Q: How much RAM does it feature ?
A: 1GB RAM

Q: Which MAC addressing scheme is used for the 1400 Appliance series ?
A: 00:1C:7F:__:__:__

Q: From which SmartCenter version upwards can 1400 appliances be managed centrally ?
A: R77.30 with 1400 appliance types add-on (Download).
A: R80 with 1400 appliance types add-on (Download).

Q: What is the most recent firmware version ?
A: Check Point lists all 1400 firmwares in sk97766.

Firmware Build Date  
R77.20.20 (990170830) [Apr 14 2016] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30)
R77.20.22 (990170838) [Jun 14 2016] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30)
R77.20.31 (990170952) [Aug 01 2016] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30)
R77.20.40 (990171107) [Oct 06 2016] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30)
R77.20.51 (990171302) [Feb 09 2017] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30 | R80)
R77.20.60 (990171684) [Oct 08 2017] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30 | R80)
R77.20.70 (990171948) [Nov 08 2017] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30 | R80)
R77.20.75 (990172239) [Jan 30 2018] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30 | R80)
R77.20.80 (990172392) [Jul 10 2018] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30 | R80)
R77.20.81 (990172525) [Oct 25 2018] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30 | R80)
R77.20.85 (990172755) [Jan 02 2019] | Release Notes (PDF) | Resolved Issues | SmartUpdate Package (R77.30 | R80)
R77.20.86 (990172840) [Mar 20 2019] | sk144852 | Release Notes | Resolved Issues | SmartUpdate Package (R77.30 | R80)

 

Q: Which is the default management port ?
A: Port 4434/tcp (https://192.168.1.1:4434)

Q: Which browser should I use to manage it ?
A: Only use the latest version of Google Chrome. There are some issues known when using Microsoft Internet Explorer to export VPN certificates and when using any Web browser on Apple Mac OS X.

Q: How can I find things quickly ?
A: Use the search form at the upper right corner.

Q: Where can I find the sitemap for quick access to all available configuration pages ?
A: Right under "Home > Site Map".

Q: Where can I quickly view my 1400 Appliance's status in the Web UI ?
A: Right at the status bar. Mouse-overs provide you with quick status overviews, clicks forward you to the specific configuration pages.

Q: Which SD card types are supported ?
A: SD-HC card types up to 32GB only. If inserted the 1400 Appliance will automatically format them. Logs can then be saved to the card.

Q: Which 3G modems are supported ?
A: Check Point lists all supported modems in sk92809.

Model | Type | Port | Support Reference
Huawei | E372u-8 | USB | sk92809
Huawei | Huawei E173s-2 | USB | sk92809
TP-Link | MA260 | USB | sk92809
ZTE | MF669 | USB | sk92809
Multi-Tech | MTC-H5-B03 | USB | sk92809
Novatel | MC547 | USB | sk92809

 

Q: Which 4G/LTE modems are supported ?
A: Check Point lists all supported modems in sk92809.

Model | Type | Port | Support Reference
Huawei (Vodafone) | K5150 | USB | sk92809
Huawei | E398 | USB | sk92809
Sierra | G-MC7710u Industrial | USB | sk92809
Sierra | AirCard 312U | USB | sk92809
Sierra | AirCard 313U | USB | sk92809
NCXX | NCXX UX302NC | USB | sk92809

 

Q: The 1400 appliance type is missing in R77.30 / R80 SmartDashboard ?
A: Check Point provides a procedure for R77.30 and R80 to add it.

Q: Why do I have issues changing the filtering list of allowed MAC addresses for wireless connections ?
A: This is a known issue in current releases. Only change wireless settings when you are directly connected to your 1400 Appliance. Changing wireless settings, such as the MAC address filtering list, when connected per WLAN (via Wi-Fi) leads to a permanent error in the configuration that won't even be resolved by connecting directly later on. Only a complete reset of the 1400 Appliance will currently help fixing this issue.

Q: Why does my 1400 Appliance not perform as fast as my previous UTM-1 Edge N Appliance ?
A: The 1400 Appliance performs far more security functions than a UTM-1 Edge N, which is why you are seeing differences in performance. By disabling blades you are not using in Home > Security Dashboard, performance should improve. Always keep in mind that a 1400 Appliance is Check Point's smallest NGTP Appliance, designed for the best security even in small and home office environments. Since it's an Embedded Appliance running on an ARM CPU, it's by design of the product that its performance assets are quite limited. The more blades it has to run, the lower the overall performance will be.

Q: Why do I get an error when activating my Check Point 1400 Appliance ?
A: It's always recommended to activate the Check Point 1400 Appliance manually. Therefore just generate and download the activation file in your Check Point UserCenter account. Then activate your 1400 Appliance with the downloaded activation file. Back up the activation file for later activations.
A: As described in sk93382, doing the activation can cause several errors, like 'Maximal number of activations exceeded.' or 'Cannot find registration information for the appliance in the Check Point User Center. Currently using trial license.'

Q: Does the 1400 Appliance support clustering ?
A: Of course. ClusterXL and Internet High Availability (HA -> Active/Standby) is fully supported. Only Internet Load Sharing (LS) is supported though. This applies for local and central management.

Q: How to configure a cluster between two locally managed 1400 Appliances ?
A: sk121096 describes the correct procedure.


Q: How can I create a custom boot script / disable SecureXL permanently ?
A: sk65015 describes a solution where a custom userScript can be created that will be loaded after each reboot. It's actually as simple as putting your commands or scripts containing full paths in /pfrm2.0/etc/userScript

Code:
[Expert@fw]# cd /pfrm2.0/etc/
[Expert@fw]# vi userScript
[Expert@fw]# chmod 777 userScript

 

Q: How is synchronization configured in a 1400 Appliance cluster ?
A: The Sync interface is usually configured on LAN2. Using the wireless interface as the Sync interface is not supported.
A: Before configuring a local cluster, make sure that the sync interface is unassigned by checking the Device > Local Network page in the WebUI.
A: sk52500 describes how to configure a Sync interface other than LAN2.

Q: How can I quickly check the top firewall policy rule hits ?
A: Login to your 1400 Appliance via SSH. Enter the command: show rule-hits

Q: How can I securely copy files via scp to/from my 1400 Appliance ?
A: Just enable Scp access with this expert-mode command: bashUser on

Code:
[Expert@fw]# bashUser on
user: admin

Bash login enabled.
Scp access enabled.

Note:
        Your default shell will now be bash,
        and when you login you will enter expert mode.
        We recommend that you use clish as your default shell,
        and move to expert mode only when necessary.
        You can move from bash to clish using the "clish" command.
        To restore your default shell to clish run "bashUser off"

 

A: Disable Scp access after copying your files via: bashUser off

Code:

 

[Expert@fw]# bashUser off
user: admin

Bash login disabled.
Scp access disabled.
Cpshell enabled.

 

 

A: sk52763 describes the same procedure for using WinSCP.

Q: Can I run my own scripts on the 1400 Appliance ?
A: Yes. They will not survive a firmware upgrade though, so keep track of your additions/modifications and recreate them after upgrading.

Q: How can I save local backups most easily ?
A: Just connect a standard FAT-formatted USB stick to the back or front USB port of your 1400 Appliance as a local storage device for backups.

Code:

 

 

clish> backup settings to usb
Creating backup...
Uploading backup_filename.zip to the USB device
Upload complete
Your settings have been successfully backed up and saved on your USB drive

 

A: Please note: An empty backup file will be created if the 1400 Appliance just runs with a trial license. To overcome this issue, you'd need to back up the specific files manually.

Q: Is dynamic routing supported ?
A: Of course.

Q: Which ports do I need to allow in order for my 1400 Appliance to be able to talk to my Check Point Security Management / Log Server ?
A: sk93566 lists the ports that need to be allowed. Usually it's:

1: Src - Any, Dst - Security Management server IP, TCP port 18210 (service FW1_ica_pull)
2: Src - Any, Dst - Security Management server IP, TCP port 18191 (service CPD)
3: Src - Any, Dst - Log Server server IP, TCP port 257 (service FW1_log)

Q: How can I set up a certificate based VPN on my 1100 / 1400 Appliance ?
A: Danny Jung has written an article about Certificate based VPNs with Check Point appliances.

Q: How can I troubleshoot VPN issues on my 1100 /1400 Appliance ?
# Web UI
A: Check for any related VPN log entries at Logs & Monitoring > Security Logs
A: Check the status of your VPN tunnels at VPN > VPN Tunnels
A: Test your VPN configuration at VPN > VPN Sites

# Console
A: You can do a full IKE debug in Expert Mode via these steps:
Step 1: Turn on VPN debug mode: vpn debug tunc; vpn debug on TDERROR_ALL_ALL=5
Step 2: Recreate the VPN issue
Step 3: Turn off VPN debug mode: vpn debug off; vpn debug ikeoff
Step 4: Copy $FWDIR/log/ike.elg to your PC and inspect it with IKEView

Q: How can I disable the First Time Configuration Wizard ?
A: The First Time Configuration Wizard will be disabled by default after completing it.
A: You might also disable it manually by executing the following command at the console: set property first-time-wizard off

Code:

 

$ ssh -l admin 192.168.1.1
admin@192.168.1.1's password:
> Welcome to CLISH. The First Time Configuration wizard was not completed yet
> NOTE: The First Time Configuration wizard may delete or override some of the settings you set in CLISH
> To disable the First Time Configuration wizard (and USB automatic configuration) please run "set property first-time-wizard off"

clish>

 

 

Q: How can I run the First Time Configuration Wizard again ?
A: You can run it once by entering the following command at the console: set property first-time-wizard once


Q: How do I successfully establish a VPN connection with a locally managed 1100 Appliance using certificates ?
A: While the Check Point 1100 Appliance was primarily designed to be centrally managed in corporate enterprise networks it is also possible that there is a locally (i.e. externally managed) 1100 Appliance that needs to be configured for a VPN connection to your corporate Check Point VPN gateway / cluster. Even dynamically assigned IP address (DAIP) gateway solutions which have to keep up a permanent VPN tunnel to the corporate office are possible. sk94028 describes the full configuration procedure.

Q: How do I set up certificate based VPNs with my Check Point 1100 / 1400 appliance ?
A: Please read my article about how to set up certificate based VPNs.

Q: Why does no traffic pass through the VPN tunnel between my 1400 Appliances and an interoperable device ?
A: You probably forgot to mark the interoperable device as a Check Point gateway as described here.

Q: Which clustering technology is being used by the Check Point 1400 Appliances ?
A: Check Point ClusterXL.

Q: Can I configure a locally managed Check Point 1400 Appliance cluster by using two different 1400 models ?
A: Yes. However, clusters should be always configured using identical cluster nodes for better consistency, stability and reliability.

Q: Can I configure a Check Point 1400 Appliance cluster with cluster nodes running on different firmwares ?
A: No. This would lead to the following error:


Q: Is there any other limitation when considering to run Check Point 1400 Appliances in clustering mode ?
A: Yes, you can use neither switches nor bridges in the local configuration of your 1400 Appliances.

Q: How do I know if my inactive cluster node became active when running Check Point 1400 Appliances in clustering mode ?
A: In centralized management just check SmartView Monitor. In local management you'll receive a notification in the WebUI.

Q: How do I know if my active cluster node became inactive when running Check Point 1400 Appliances in clustering mode ?
A: In centralized management just check SmartView Monitor. In local management you'll receive a notification in the WebUI.

Q: When running Check Point 1400 Appliances in clustering mode, how can I manually change the activity of the cluster nodes ?
A: In centralized management just change the priority of the cluster nodes in the cluster object properties and install the security policy.
A: In local management you can force a member down by hitting the button 'Force Member Down' in the WebUI of the specific cluster node.
A: You can always use the typical ClusterXL commands at the console to control your Check Point 1100 Appliance cluster. (i.e. clusterXL_admin up/down)

Q: I configured a Check Point 1400 Appliance cluster but still keep getting errors ?
A: Don't forget to reboot your Check Point 1400 Appliances right after the cluster configuration in order to get the cluster working. Otherwise you might see blocked connections for the service 'CP_Cluster_sync' in your log files.

Q: I keep getting an 'Error during OS sync' at the end of my Check Point 1400 Appliance cluster configuration ?
A: To overcome this issue just reboot your Check Point 1400 Appliance without closing the error window shown below.

Q: Why are connections to TCP port 443 blocked on my 1400 Appliance ?
A: Because this port is already being used by the Visitor Mode functionality for Remote Access users. sk93746 provides a solution.

Q: Why is my VoIP phone not working behind my locally managed 1400 Appliance ? Why does my IPS blade still block SIP traffic with the error message 'IPS - SIP data malformed or Error with SIP data.' even after I turned it off ?
A: Because on Check Point 1400 Appliances that are locally managed, the implicit policy rules of the IPS blade are working, even if the blade is turned off or an exception rule is created. sk93200 provides a solution by changing the default port (5060) of the SIP_TCP and SIP_UDP objects and creating two new ones. This circumvents the content inspection engine and therefore will allow your VoIP phone to work.

Q: How do I create an "Allow and Forward" rule on my locally managed 1400 Appliance ?
A: sk93588 describes how to make use of the server types for this.

Q: Is a 19" rack mount kit available for my 1400 Appliances ?
A: Yes, just order the 1400 rack mount kit accessory which will allow housing two 1400 Appliances side-by-side in a 19” wide rack.

Q: Is there an online DEMO of the 1400 appliance available ?
A: While there isn't an online demo for the 1400, there is one for the 700 which is very similar to the 1400 when locally managed.

--------------------------------------

700 Appliance online demo

Login: demo

Password: checkpoint

--------------------------------------

Q: What's missing ?
A: The integrated Terminal Console window that the GAiA Portal features.
A: A visual overview about all ports and their connection status, similar to what the UTM-1 Edge offered under Network > Ports.
A: More information on the System Information page. Like cluster status, VPN status, connected USB sticks or SD cards etc.
A: An option to allow two or more Admins to login to the WebUI at the same time.

43 Replies
Admin
Admin

Re: Check Point 1400 Appliance - FAQ

This is awesome... thx 

Looking forward for more posts like this one on other platforms 

Re: Check Point 1400 Appliance - FAQ

Wow, very nice!  Thanks for providing all of this information in one place. A couple of comments below.... 

Would add a link to the published performance numbers in the 1400 datasheet as the numbers are slightly different.

Q: What are the throughput rates when used in production ?
A: 350 Mbps - Firewall
A: 50 Mbps - Firewall & IPS

Load sharing is not supported. 

Q: Does the 1400 Appliance support clustering ?
A: Of course. High Availability (Active/Standby) and Load Sharing (Active/Active) clustering mode is supported.

Small typo here.... see 14100

Q: Why do I get an error when activating my Check Point 1400 Appliance ?
A: It's always recommended to activate the Check Point 1400 Appliance manually. Therefore just generate and download the activation file in your Check Point UserCenter account. Then activate your 14100 Appliance

While there isn't an online demo for the 1400, there is one for the 700 which is very similar to the 1400 when locally managed.

700 Appliance online demo: (demo/checkpoint)

Q: What's missing ?
A: An online demo of the Check Point 1400 Appliance's WebUI, similar to the old UTM-1 Edge Demo.

Admin
Admin

Re: Check Point 1400 Appliance - FAQ

One correction to your correction :)

Load Sharing is only supported with Central Management.

With local management, only HA is supported.

Re: Check Point 1400 Appliance - FAQ

Wasn't sure if we were talking about multiple Internet links or ClusterXL so checked internally. Here's the answer for the 2 cases. This applies to local and central management.

ClusterXL LS is not supported.
ClusterXL HA is fully supported.

Internet HA, Internet LS are both supported.

P.S. for this section's Known Limitations it may be difficult to track as new firmware becomes available. sk105380 may be a better link for known limitations. Looks like it's more general article and covers unsupported features as well.

Q: What's the 1400 Appliance's SecureKnowledge article ?
A: sk110985 | Release Notes | Known Limitations

thx,

bob

Re: Check Point 1400 Appliance - FAQ

Very nice, thanks!

A small complement to the userScript:

This file is not executed as a separate script but sourced instead. Hence you should just add commands to this file.

No shell definition (#!), and more important: no return code (eg. exit 0), since this will skip the rest of the startup script!

sk52520

thx, bernhard

0 Kudos
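
An added example, not part of the thread and not Check Point tooling: a pre-flight check for a candidate userScript that looks for the mistakes named above (a shebang line, an `exit` that would stop the sourcing startup script, commands without full paths). The function name `lint_userscript` and the world-writable warning are this example's own additions, and the checks are line-based heuristics that do not parse shell syntax.

```shell
#!/bin/sh
# Added example (not vendor code): lint a candidate userScript on an admin
# workstation before copying it to /pfrm2.0/etc/userScript on the appliance.

lint_userscript() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "ERROR: $file: no such file"
        return 2
    fi

    report=$(awk '
        BEGIN {
            # Shell keywords/builtins that may start a line without a path.
            n = split("if then else elif fi for while until do done case esac { } [ cd export .", w, " ")
            for (i = 1; i <= n; i++) kw[w[i]] = 1
        }
        # The file is sourced by the startup script, so an interpreter line is wrong.
        NR == 1 && /^#!/ { print "ERROR: line 1: shebang found, but the file is sourced, not executed" }
        # Ignore comments and blank lines for the remaining checks.
        /^[ \t]*(#|$)/ { next }
        # exit ends the shell that sources the file, i.e. the startup script itself.
        /(^|[;&| \t])exit([; \t]|$)/ {
            print "ERROR: line " NR ": exit would abort the rest of the startup script"
            next
        }
        # The FAQ asks for full paths; flag bare command names (assignments are fine).
        $1 !~ /^\// && $1 !~ /[=]/ && !($1 in kw) {
            print "WARN: line " NR ": \"" $1 "\" is not called with a full path"
        }
    ' "$file")

    # Sourced during boot: whoever can write this file controls boot-time commands.
    if [ -n "$(find -L "$file" -perm -0002)" ]; then
        perm_note="WARN: file is world-writable"
        if [ -n "$report" ]; then
            report=$(printf '%s\n%s' "$report" "$perm_note")
        else
            report=$perm_note
        fi
    fi

    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    case $report in
        *ERROR:*) return 1 ;;
    esac
    return 0
}

# Constructed sample input: a userScript containing the mistakes described above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
# disable SecureXL after boot (constructed content)
fwaccel off
exit 0
EOF
chmod 600 "$sample"
lint_userscript "$sample" || true
rm -f "$sample"
```

The function returns 0 when only warnings (or nothing) were found, 1 when an ERROR line was reported, and 2 when the file does not exist.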

Re: Check Point 1400 Appliance - FAQ

dears

Can I control cp 1400 models from management R80.10 ?

0 Kudos
Danny
Pearl

Re: Check Point 1400 Appliance - FAQ

Yes, of course.

0 Kudos
VENKAT_S_P
Nickel

Re: Check Point 1400 Appliance - FAQ

How to find the serial number from command line?

0 Kudos
Danny
Pearl

Re: Check Point 1400 Appliance - FAQ

Simply run: show diag

Note the shown HW MAC Address and open the Product Information window of that 1400 appliance within Check Point UserCenter.

Below the MAC Address you'll see the SN serial number.

0 Kudos
VENKAT_S_P
Nickel

Re: Check Point 1400 Appliance - FAQ

Thanks Danny, much helpful

0 Kudos
aim_bots
Ivory

Re: Check Point 1400 Appliance - FAQ

Where can I download or configure the SmartDashboard? I'm using 1490 appliance.

Thanks

0 Kudos
Admin
Admin

Re: Check Point 1400 Appliance - FAQ

You would download the appropriate version of SmartDashboard based on the software version installed on your Security Management server (e.g. Smart-1 or Open Server appliance) from SupportCenter.

If you only have a 1490, you cannot use SmartDashboard to manage the device.

aim_bots
Ivory

Re: Check Point 1400 Appliance - FAQ

Sorry I am new at this device. You mean having 1490 I cannot use SmartDashboard why? Is it because of its version? 

Is there any software I can install to monitor the bandwidth using 1490?

Thanks

0 Kudos
Admin
Admin

Re: Check Point 1400 Appliance - FAQ

SmartDashboard is meant to connect to a Security Management Server (i.e capable of managing other devices).

SMB appliances such as the 1490 do not contain a management server.

The WebUI does have a monitoring feature for bandwidth.

0 Kudos

Re: Check Point 1400 Appliance - FAQ

Is there a demo of cloud services portal?

0 Kudos

Re: Check Point 1400 Appliance - FAQ

If you're asking about Security Management Portal (SMP) yes please see the Live Demo for 700 gateways and SMP discussion.

Re: Check Point 1400 Appliance - FAQ

Thanks, very helpful.

0 Kudos

Re: Check Point 1400 Appliance - FAQ

Bro, Dude! Thanks for this! This really helped me a ton. Not only about 1400 too, many tidbits here useful(such as the HA info) hihi
Thanks a lot

0 Kudos
XBensemhoun
Silver

Re: Check Point 1400 Appliance - FAQ

Hi all, a question : for an appliance already in Production, could we change settings from locally to centrally managed ? And if so:

 > what should be the limitation or the impact ?

 > what should be steps to retrieve already created objects/rules into the SMS ?

...and in the other way : from centrally to locally managed ? And if so:

 > what should be the limitation or the impact ?

Thanks in advance

Re: Check Point 1400 Appliance - FAQ

Hi All

I would like to ask. If my customer is running on R77.20.20, can I directly upgrade to R77.20.75? Or are there version upgrade steps?

regards

Anthony

0 Kudos
Admin
Admin

Re: Check Point 1400 Appliance - FAQ

You should be able to do a direct upgrade.

0 Kudos

Re: Check Point 1400 Appliance - FAQ

thanks

0 Kudos
XBensemhoun
Silver

Re: Check Point 1400 Appliance - FAQ

Does anyone have the answer ? Thanks in advance

Employee
Employee

Re: Check Point 1400 Appliance - FAQ

Hello everyone, can I manage a 1400 series with a smart-1 or open server ???

0 Kudos
Employee+
Employee+

Re: Check Point 1400 Appliance - FAQ

Yes you can 🙂

Employee
Employee

Re: Check Point 1400 Appliance - FAQ

Do SmartEvent reports include events from 1400 series?

0 Kudos
Oliver_Fink
Nickel

Re: Check Point 1400 Appliance - FAQ

We have a customer having the idea of a 4-node multi-site cluster with 1400 appliances. Even if I am not convinced by the idea of using these appliances for this purpose, I have to check if a cluster with more than 2 nodes is available for 1400 hardware. I think can read between the lines of the documentation that you can only configure 2 nodes. But it is also stated that clustering is using ClusterXL and the number of nodes is not listed at the known limitations.

I tested with the R80.20 demo server. There I am not able to create a 4-node cluster in wizard mode, but in classic mode I am.

So my question is: Can anybody confirm if clustering of 4 1400 appliances is a supported configuration or not?

0 Kudos
Danny
Pearl

Re: Check Point 1400 Appliance - FAQ

Hi Oliver,

Check Point notes in its Check Point 1470/1490 Appliance Admin Guide:

Defining a Gateway Cluster
"A Check Point 1470/1490 Appliance security gateway cluster is a group of 2 members each representing a separate Check Point 1470/1490 Appliance on which High Availability software has been installed. ClusterXL is the Check Point clustering solution. Third party OPSEC Certified clustering products are not supported."

So even if you can configure a cluster with more than two nodes, it is not supported. This is valid for local and central deployments, as noted by Bob Bent above.

Oliver_Fink
Nickel

Re: Check Point 1400 Appliance - FAQ

Hi, Danny.

Your citation is exactly what I had in mind when I wrote: "I think can read between the lines of the documentation that you can only configure 2 nodes." As you did, I would conclude that Check Point thinks of a cluster of two nodes – same as in your first version of your answer did when you wrote that you never thought of more than 2 nodes. I also admit that I would not try a 1400 cluster with more than 2 nodes of my own accord.

But I cannot read explicitly that more than 2 nodes are not supported. I would not insist on this if there were no possibility to configure more nodes.

In the meantime I found sk138893: How to create Centrally managed cluster for Embedded Gaia SMB gateways. There at classic mode is also explained with "Add the two New Cluster members from the Option Window". So, I believe, you are right. But I added feedback to sk138893 requesting clarification.

Thanks for your support.

0 Kudos