Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
G_W_Albrecht
Legend
Legend

R80.20.15 Locally Managed Advanced Settings

What is new ?

OS advanced settings - Enable destination check on PPPoE bool false Specifies whether PPPoE destination check is enabled
OS advanced settings - Enable flow-control for network switch bool false Indicates if flow-control is enabled for network switch
Reach My Device - Allow open permanent tunnel bool true Use permanent tunnel when running Reach My Device
Streaming engine settings - Stream Inspection Timeout tracking options Log  
Streaming engine settings - TCP Invalid Checksum action options Prevent TCP Invalid Checksum activation mode
Streaming engine settings - TCP Invalid Checksum tracking options Log  
Streaming engine settings - TCP Invalid Retransmission action options Prevent TCP Invalid Retransmission activation mode
Streaming engine settings - TCP Invalid Retransmission tracking options Log  
Streaming engine settings - TCP Out of Sequence action options Prevent TCP Out of Sequence activation mode

 

Nothing was removed, and all together now we have for locally managed 15x0 units:

Attribute Name Type Value Description
Admin Lockout - Mobile application session timeout int 30 Allowed mobile application session before automatic logout is executed (in days)
Administrators RADIUS authentication - Default Shell options Clish Default shell for super administrators. To enable this feature please contact Check Point support.
Administrators RADIUS authentication - Local authentication (RADIUS inaccessible) bool false Perform local administrator authentication only if RADIUS server is not configured or is inaccessible.
Aggressive aging - Aggress ive aging enforcement method options Both Choose when aggressive aging timeouts are enforced
Aggressive aging - Connection table percentage limit int 80  
Aggressive aging - Enable aggressive aging of connections bool true  
Aggressive aging - Enable reduced timeout for ICMP connections bool true  
Aggressive aging - Enable reduced timeout for TCP handshake bool true  
Aggressive aging - Enable reduced timeout for TCP session bool true  
Aggressive aging - Enable reduced timeout for TCP termination bool true  
Aggressive aging - Enable reduced timeout for UDP connections bool true  
Aggressive aging - Enable reduced timeout for non TCP/UDP/ICMP connections bool false  
Aggressive aging - Enable reduced timeout for non TCP/UDP/ICMP connections bool false  
Aggressive aging - ICMP connections reduced timeout int 3  
Aggressive aging - Memory consumption percentage limit int 80  
Aggressive aging - Other IP protocols reduced timeout int 15  
Aggressive aging - Pending Data connections reduced timeout int 15  
Aggressive aging - TCP handshake reduced timeout int 5  
Aggressive aging - TCP session reduced timeout int 600  
Aggressive aging - TCP termination reduced timeout int 3  
Aggressive aging - Tracking options for aggressive aging options Log  
Aggressive aging - UDP connections reduced timeout int 15  
Anti ARP Spoofing - Anti ARP Spoofing mode options Off Mode for Anti ARP spoofing protection. The protection can be turned off, on or in detect only mode
Anti ARP Spoofing - Detection window time to indicate attack int 180 Time period (in seconds) during which IP addresses, assigned to the same MAC address, indicate an ARP spoofing attack
Anti ARP Spoofing - Number of IP addresses to indicate attack int 3 The number of IP addresses assigned to the same MAC address during the Detection window time that will indicate an ARP spoofing attack
Anti ARP Spoofing - Suspicious MAC block period int 1800 Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list
Anti-Spam policy - All mail track options None Indicates the tracking options for non-spam emails
Anti-Spam policy - Allowed mail track options None Indicates the tracking options for emails that were explicitly allowed in the Exceptions page
Anti-Spam policy - Bypass timeout int 0 Indicates the timeout (in seconds) of a POP3 inspection bypass mechanism. Bypass will be activated in case the inspection daemon is unavailable for the indicated time period. Relevant for POP3 and for Anti-Virus, Anti-Spam and Threat Emulation inspection. A value of zero means bypass is disabled.
Anti-Spam policy - Content based Anti-Spam timeout int 10 Indicates the timeout (in seconds) to wait for an answer from the cloud during content-based Anti-Spam inspection
Anti-Spam policy - Email size scan int 8 Indicates the maximal size of an email's content to scan (in KB)
Anti-Spam policy - IP reputation fail open bool true Use Anti-Spam IP reputation fail-open mode upon internal error
Anti-Spam policy - IP reputation timeout int 10 Indicates the timeout (in seconds) to wait for an IP reputation test result
Anti-Spam policy - Scan outgoing emails bool false Scan the content of emails which are sent from the local network to the Internet
Anti-Spam policy - Transparent proxy bool true Use a transparent proxy for inspected email connections
Anti-spoofing - Enable global anti-spoofing bool true Indicates if anti-spoofing is enabled automatically on all interfaces according to their zone
Application Control and URL Filtering - Block when service is unavailable bool false Block web requests traffic when the Check Point categorization and widget definitions online web service is unavailable
Application Control and URL Filtering - Categorize cached and translated pages bool true Perform URL categorization of cached pages and translated pages created by search engines
Application Control and URL Filtering - Custom App over HTTPS bool false Indicates whether custom URLs and applications will be matched over HTTPS traffic using SNI field. Important note: as SNI field in HTTPS traffic is browser-dependent and promiscuous, it does not guarantee 100% match.
Application Control and URL Filtering - Encrypt RAD Communication bool false Indicates if the communication with the RAD cloud is encrypted
Application Control and URL Filtering - Enforce safe search bool false Force filtering explicit content in search engines results
Application Control and URL Filtering - Fail Mode options Block all requests Indicates the action to take on traffic in case of an internal system error or overload
Application Control and URL Filtering - Non-standard HTTP ports bool true Enable HTTP inspection on non-standard ports for the Application Control or URLF blade
Application Control and URL Filtering - Track browse time bool true Indicates if the total time that users are connected to different sites and applications in an HTTP session will be shown in relevant logs
Application Control and URL Filtering - Use HTTP referer header bool true Indicates if the HTTP referer header is used by the inspection engine to improve application identification
Application Control and URL Filtering - Web site categorization mode options Background Indicates the categorization mode: Background - requests are allowed until categorization is complete, Hold - requests are blocked until categorization is complete
Capacity Optimization - Connections hash table size int 131072 Indicates the size in bytes of the connections hash table
Capacity Optimization - Maximum concurrent connections int 150000 Indicates the overall maximum number of concurrent connections
Cloud Services firmware upgrade - Service access maximum retries int 3 Indicates the maximum number of retries when failing to upgrade using the service
Cloud Services firmware upgrade - Service access timeout until retry int 180 Indicates the time to wait when a connection failure to the service before the next retry
Cluster - Use virtual MAC bool false Indicates if a virtual MAC address will be used by all cluster members to allow a quicker failover by the network's switch
DDNS - iterations int 2 Number of DNS updates
DHCP bridge - MAC assignment options Use internal interfaces mac Indicates whether the MAC address for the DHCP bridge is taken from an internal (LAN) or external port (WAN, DMZ).
DHCP relay - Use internal IP addresses as source bool false Indicates if DHCP relay packets from the appliance will originate from internal IP addresses
Firewall Policy - Connection Persistence bool false Handling established connections when installing a new policy
Firewall Policy - Log implied rules bool false Produce log records for connections that match implied rules
Hardware options - Reset to factory defaults timeout int 12 Indicates the amount of time (in seconds) that you need to press and hold the factory defaults button on the back panel to restore to the factory defaults image
Hotspot - Enable portal options Enabled Select 'Disabled' to disable the hotspot feature entirely
Hotspot - Prevent simultaneous log-in bool false The same user will not be allowed to login via hotspot portal from more than one machine in parallel
IP Resolving - IP Resolving Activation options Enabled Enable / Disable IP Resolving logs enrichment
IP Resolving - IP Resolving TTL int 1800 The time (in seconds) for which the hostname resolution will be used
IP fragments parameters - Action options Allow Indicates if IP fragments will be allowed or dropped by default
IP fragments parameters - Maximum fragments int 200 Indicates how many IP fragments can arrive before discarding incomplete packets
IP fragments parameters - Minimum fragments size int 0 IP Fragments minimum fragment size
IP fragments parameters - Packet Capture bool false IP Fragments packet capture settings
IP fragments parameters - Timeout int 1 Indicates the timeout (in seconds) before discarding incomplete packets
IP fragments parameters - Track options options Log Indicates if and how to log IP fragments
IPS additional parameters - Max Ping Limit int 1400 Indicates the maximal ping packet size that will be allowed when the 'Max Ping Size' protection is active
IPS additional parameters - Non-standard HTTP ports bool true Enable HTTP inspection on non-standard ports for the IPS blade
IPS engine settings - Allow protocol unknown commands bool false Indicates whether protocol commands, that are not completely supported by the inspection module, will be blocked or not
IPS engine settings - Description comments Access denied due to IPS policy violation A configured string to show in the error page if configured
IPS engine settings - Error page for supported web protections options Show pre-defined HTML error page Indicates if IPS protections supporting an error page will show it upon attack prevention
IPS engine settings - HTML error page configuration bool false Indicates if the error page will contain an error code
IPS engine settings - Logo URL bool false Optionally enter a URL that leads to your company logo.
IPS engine settings - Logo URL address urlv6   An accessible URL that leads to a logo file to show in the error page
IPS engine settings - Send detailed error code bool true indicates if the error page will contain a configured string
IPS engine settings - Send error code bool false Indicates if an error code will be sent to the other URL as a parameter
IPS engine settings - URL for redirection urlv6   Users will be redirected to this URL upon detection of an attack
Internal Certificates configure - Internal CA certificate expiration int 20 The number of years the internal CA certificate is valid
Internet - Reset Sierra USB on LSI error bool true Indicates whether Sierra type USB modems will be reset when they send an Invalid LSI signal
MAC Filtering settings - Log blocked MAC addresses options Enabled Indicates if blocked MAC addresses should be logged or not
MAC Filtering settings - Log suspension int 1 Indicates the suspension time (in seconds) between logs for blocked MAC addresses
Managed services - Allow seamless administrator access from remote Management Server bool true Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator user name and password
Managed services - Show device details in Login bool true Indicates if appliance details are shown when an administrator accesses the appliance
Mobile Settings - Notification cloud server URL urlv6 https://smbcloud-api-gateway.iaas.checkpoint.com/notifications/mobile/send Cloud server URL used for sending mobile notifications
Mobile Settings - Pairing code expiration int 1 Time until pairing code is expired, in hours.
Mobile Settings - Verify SSL certificate bool true Verify SSL certificate when sending mobile notifications to cloud server
NAT - ARP manual file merge bool false Indicates, when automatic ARP detection is enabled, to use the ARP definitions in a local file with higher priority
NAT - Address allocation and release tracking options None Specifies whether to log each allocation and release of an IP address from the IP Pool
NAT - Address exhaustion tracking options Log Indicates whether or not to log and/or alert on exhaustion of IP pool
NAT - Automatic ARP detection bool true Automatically detect ARP requests for external IP addresses of internal devices to be answered by the device
NAT - IP Pool NAT options Do not use IP pool NAT IP pool NAT mode
NAT - IP pool per interface bool false Uses an IP address pool for NAT per interface
NAT - Increase hide capacity bool true Indicates if hide-NAT capacity is given additional space
NAT - NAT cache expiration int 30 Indicates the expiration time in minutes for NAT cache entries
NAT - NAT cache number of entries int 10000 Indicates the maximum number of NAT cache entries
NAT - NAT enable bool true Indicates if the device's NAT capabilities are enabled
NAT - NAT hash size int 0 Indicates the hash bucket size of NAT tables
NAT - NAT limit int 0 Indicates the maximum number of connections with NAT
NAT - Perform cluster hide fold bool false Indicates if local IP addresses will be hidden behind the cluster IP address when applicable
NAT - Prefer IP Pool NAT over hide NAT bool true Overrides hide NAT with IP pool NAT
NAT - Return unused addresses to IP Pool NAT after int 60 Return unused addresses to IP pool NAT
NAT - Reuse IP addresses from the Pool for different destinations bool false Allows NAT to re-use IP addresses for different destinations
NAT - Translate destination on client side bool true Translates destination IP addresses on client side (for automatically generated NAT rules)
NAT - Translate destination on client side (manual rules) bool true Translates destination IP addresses on client side (for manually configured NAT rules)
NAT - Use IP Pool NAT for VPN clients connections bool false Uses IP Pool NAT for VPN clients connections
NAT - Use IP Pool NAT for gateway to gateway connections bool false Uses IP pool NAT for gateway to gateway connections
Notifications policy - Send push notifications bool true Indicates whether notifications are sent to mobile application
Notifications policy - The maximum number of notifications sent per hour int 60 The maximum number of notifications sent to mobile devices per hour
OS advanced settings - Disable transfer of DHCP options from WAN to LAN bool false Specifies whether transfer of DHCP options from WAN to LAN is disabled
OS advanced settings - Enable Wifi Monitors bool false Specifies whether WIFI monitors are on
OS advanced settings - Enable automatic Wifi Channel Change bool false Specifies whether WiFi switches channels automatically during operation
OS advanced settings - Enable destination check on PPPoE bool false Specifies whether PPPoE destination check is enabled
OS advanced settings - Enable flow-control for network switch bool false Indicates if flow-control is enabled for network switch
Operating system - Operating system int 20 tmpDirSize
Operating system - System temporary directory size int 40 Controls the size (in MB) of the temporary directory that is used by the system
Privacy settings - Help us improve product experience by sending data to Check Point bool false Privacy statement: Check Point does not upload data that contains private or sensitive information. For more information, refer to sk120332.
Privacy settings - Location service requires sending your IP address to 3rd party bool false Using automatic timezone feature requires sending your IP address to 3rd party.
QoS blade - Logging bool true Indicates if the appliance logs QoS events when the QoS blade is enabled
Reach My Device - Allow open permanent tunnel bool true Use permanent tunnel when running Reach My Device
Reach My Device - Ignore SSL certificate bool false Ignore SSL certificate when running Reach My Device
Reach My Device - Server address urlv6 smbrelay.checkpoint.com Indicates the address of the remote server that allows administration access to the appliance from the internet even when behind NAT
Report Settings - Max period options Monthly Maximum period to collect and monitor data in local management. You must reboot your appliance to apply changes.
Report Settings - Reports cloud server URL urlv6 https://smbcloud-api-gateway.iaas.checkpoint.com/reports/pdf Reports cloud server URL used to generate report PDF
SSL inspection policy - Additional HTTPS ports port-range 8080,3128 Additional HTTPS ports for ssl inspection (a comma separated list of ports/ranges)
SSL inspection policy - Log empty SSL connections bool false Log connections that were terminated by the client before data was sent - might indicate the client did not install CA certificate
SSL inspection policy - Retrieve intermediate CA certificates bool true Indicates if the SSL inspection mechanism will perform it's validations on all intermidate CA certificates in the certificate chain
SSL inspection policy - SSL Inspection categorization mode options Hold Indicates the categorization mode of SSL Inspection: Background - requests are allowed until categorization is complete, Hold - requests are blocked until categorization is complete
SSL inspection policy - Track validation errors options Log Choose if the SSL Inspection validations are tracked
SSL inspection policy - Validate CRL bool true Indicates if the SSL inspection mechanism will drop connections that present a revoked certificate
SSL inspection policy - Validate Expiration bool false Indicates if the SSL inspection mechanism will drop connections that present an expired certificate
SSL inspection policy - Validate unreachable CRL bool false Indicates if the SSL inspection mechanism will drop connections that present a certificate with an unreachable CRL
SSL inspection policy - Validate untrusted certificates bool false Indicates if the SSL inspection mechanism will drop connections that present an untrusted server certificate
Serial port - Enable serial port options Enabled Indicates if the serial port is enabled
Serial port - Port speed options 115200 Indicates the port speed (Baud Rate) of the serial connection
Stateful Inspection - Accept out of state TCP packets int 0 Indicates if TCP packets which are not consistent with the current state of the TCP connection are dropped (when set to 0) or accepted (when set to any other value)
Stateful Inspection - Accept stateful ICMP Errors bool true Accept ICMP error packets which refer to another non-ICMP connection that was accepted by the Rule Base
Stateful Inspection - Accept stateful ICMP Replies bool true Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base
Stateful Inspection - Accept stateful UDP replies for unknown services bool true  
Stateful Inspection - Accept stateful other IP protocols replies for unknown services bool true Accept stateful non TCP/UDP protocols replies for unknown services
Stateful Inspection - Allow IPv6 packets bool false Allow IPv6 traffic to pass without inspection
Stateful Inspection - Drop out of state ICMP packets bool true Drop ICMP packets which are not in the context of a virtual session
Stateful Inspection - ICMP virtual session timeout int 30 Indicates the timeout (in seconds) for ICMP virtual sessions
Stateful Inspection - Log dropped out of state ICMP packets int 0  
Stateful Inspection - Log dropped out of state TCP packets int 0  
Stateful Inspection - Other IP protocols virtual session timeout int 60 Indicates the timeout (in seconds) for other IP protocols virtual sessions (non TCP/UDP/ICMP)
Stateful Inspection - Perform deep packet inspection on LAN to LAN traffic bool false  
Stateful Inspection - Perform deep packet inspection on traffic between LAN and DMZ networks bool true  
Stateful Inspection - TCP end timeout int 20 Indicates the timeout (in seconds) for TCP session end
Stateful Inspection - TCP session timeout int 3600 Indicates the timeout (in seconds) for TCP sessions
Stateful Inspection - TCP start timeout int 25 Indicates the timeout (in seconds) for TCP session start
Stateful Inspection - UDP virtual session timeout int 40 Indicates the timeout (in seconds) for UDP virtual sessions
Stateful Inspection - traceroute maximal TTL int 29 Maximal value for TTL field for a packet to be considered as a traceroute
Streaming engine settings - Stream Inspection Timeout action options Prevent Stream Inspection Timeout activation mode
Streaming engine settings - Stream Inspection Timeout tracking options Log  
Streaming engine settings - TCP Invalid Checksum action options Prevent TCP Invalid Checksum activation mode
Streaming engine settings - TCP Invalid Checksum tracking options Log  
Streaming engine settings - TCP Invalid Retransmission action options Prevent TCP Invalid Retransmission activation mode
Streaming engine settings - TCP Invalid Retransmission tracking options Log  
Streaming engine settings - TCP Out of Sequence action options Prevent TCP Out of Sequence activation mode
Streaming engine settings - TCP Out of Sequence tracking options Log  
Streaming engine settings - TCP SYN Modified Retransmission action options Prevent TCP SYN Modified Retransmission activation mode
Streaming engine settings - TCP SYN Modified Retransmission tracking options Log  
Streaming engine settings - TCP Segment Limit Enforcement action options Prevent TCP Segment Limit Enforcement activation mode
Streaming engine settings - TCP Segment Limit Enforcement tracking options Log  
Streaming engine settings - TCP Urgent Data Enforcement action options Detect TCP Urgent Data Enforcement activation mode
Streaming engine settings - TCP Urgent Data Enforcement tracking options Log  
Threat Prevention Anti-Bot policy - Resource classification mode options Hold Indicates the classification mode for the Anti-Bot engine: Background - connections are allowed until classification is complete, Hold - connections are blocked until classification is complete
Threat Prevention Anti-Virus policy - File scan size limit int 0 Indicates the size limit (in KB) of a file scanned by the Anti-Virus engine. To specify no limit, set to 0.
Threat Prevention Anti-Virus policy - MIME maximum nesting level int 7 Indicates the maximum number of levels in nested MIME content that the ThreatSpect engine scans in mail traffic
Threat Prevention Anti-Virus policy - MIME nesting level exceeded action options Block Indicates if an email should be blocked or accepted if there are more nested levels of MIME content than the configured amount
Threat Prevention Anti-Virus policy - Priority scanning bool true Scan according to security and performance priorities for maximum optimization
Threat Prevention Anti-Virus policy - Resource classification mode options Hold Indicates the classification mode for the Anti-Virus engine: Background - connections are allowed until classification is complete, Hold - connections are blocked until classification is complete
Threat Prevention Threat Emulation policy - Emulation connection handling mode - IMAP options Background - connections are allowed until emulation handling is complete Indicates the strictness mode of the Threat Emulation engine over IMAP: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed
Threat Prevention Threat Emulation policy - Emulation connection handling mode - POP3 options Background - connections are allowed until emulation handling is complete Indicates the strictness mode of the Threat Emulation engine over POP3: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed
Threat Prevention Threat Emulation policy - Emulation connection handling mode - SMTP options Background - connections are allowed until emulation handling is complete Indicates the strictness mode of the Threat Emulation engine over SMTP: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed
Threat Prevention Threat Emulation policy - Emulation location options Emulation is done on Public Threat Cloud Indicates if emulation is done on Public Threat Cloud or on remote (private) SandBlast
Threat Prevention Threat Emulation policy - Primary Emulation gateway ipv4addr   The IP address of the primary remote emulation gateway
Threat Prevention policy - Block when service is unavailable bool false Block web requests traffic when the Check Point ThreatCloud online web service is unavailable
Threat Prevention policy - Fail mode options Allow all requests Indicates the action to take on traffic in case of an internal system error or overload
Threat Prevention policy - File inspection size limit int 0 Indicates the size limit (in KB) of a file inspected by Threat Prevention engines. Note: A limit too low may have an impact on the functionality of the Application Control blade. To specify no limit, set to 0.
Threat Prevention policy - Method for skipping HTTP inspection options Default When changed from the default value, and file size inspection limit is used, HTTP inspection will be fully skipped instead of skipping only a single session. This is not recommended due to a high security impact as the following sessions will not be inspected at all following a large file sent via HTTP on a single connection.
Threat Prevention policy - Update Threat Prevention With Full Packages bool false Update Threat Prevention with the most up to date Packages
USB modem watchdog - Interval int 5 Indicates how often the USB modem watchdog probes the internet
USB modem watchdog - Mode options Disabled Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type (either hard-reset to shut down the power for the USB modem or gateway-reset to reboot the gateway itself).
USB modem watchdog - USB only bool false Monitor only USB modem connection
Update Services Schedule - Maximum number of retries int 3 Indicates the maximum number of retries for a single update when the cloud is unavailable until the next scheduled update
Update Services Schedule - Timeout until retry int 180 Indicates the timeout (in seconds) until update retry
User Awareness - Active Directory association timeout int 720 Indicates the timeout (in minutes) for caching an association between a user and an IP address
User Awareness - Allow DNS for unknown users bool true The default is to allow DNS for unknown users even when configured to be blocked in Browser Based Portal settings
User Awareness - Assume single user per IP address bool true Indicates a mode where per IP address, only the last user who logged is identified
User Awareness - Log blocked unknown users bool false Indicates if a log should be issued when unknown users are blocked (see Browser Based Portal settings)
User Awareness - Use NTLMv2 protocol for Active Directory Queries bool false NTLMv2 mode - true for using NTLMv2, false for using NTLMv1
User Management - Automatically delete expired local users bool false Automatically delete all expired local users every 24 hours (after midnight)
VPN Remote Access - Allow clear Traffic while disconnected bool true Indicates how traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site; sent in clear or dropped
VPN Remote Access - Allow simultaneous login bool true If disabled, and the same user logs in for a second time, it will disconnect his existing session
VPN Remote Access - Authentication timeout int 120 Indicates for how much time (in minutes) the remote client's password remains valid if timeout is enabled
VPN Remote Access - Auto-disconnect in VPN domain bool true Indicates if the client disconnects automatically to save resources when it connects from inside the secured internal network (local encryption domain)
VPN Remote Access - Back connections enable bool false Enable back connections from the encryption domain behind the gateway to the client
VPN Remote Access - Back connections keep-alive interval int 20 Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections
VPN Remote Access - Enable Visitor Mode on All Interfaces options All Enable visitor mode on all interfaces
VPN Remote Access - Enable Visitor Mode on This Interface ipv4addr 0.0.0.0 Support visitor mode on this interface
VPN Remote Access - Encrypt DNS traffic bool true Indicates if DNS queries sent by the remote client to a DNS server located in the encryption domain are passed through the VPN tunnel
VPN Remote Access - Encryption Method options IKEv1 Indicates which IKE encryption method (version) is used for IKE phase 1 and 2
VPN Remote Access - Endpoint Connect re-authentication timeout int 480 Indicates the time (in minutes) until the Endpoint Connect user's credentials are resent to the gateway to verify authorization
VPN Remote Access - IKE IP Compression Support bool false Indicates if IPSec packets from remote access clients will be compressed
VPN Remote Access - IKE Over TCP bool false Enables support of IKE over TCP
VPN Remote Access - IKE restart recovery bool true Indicates that the gateway will save tunnel details so it can cause the remote client to discard the old SA and re-initiate IKE upon gateway crash or restart
VPN Remote Access - Legacy NAT traversal bool true Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient
VPN Remote Access - Minimum TLS version support in the SSL VPN portal options TLS 1.2 Indicates the minimum TLS protocol version which the SSL VPN portal supports. For security reasons, it's recommended to support TLS 1.2 and above.
VPN Remote Access - Office Mode Enable With Multiple Interfaces bool false Indicates if a mechanism (with a performance impact) to improve connectivity between remote access client and an appliance with multiple external interfaces is enabled
VPN Remote Access - Office Mode Perform Antispoofing bool false Office Mode - Perform Anti-Spoofing on Office Mode addresses
VPN Remote Access - Office Mode allocate from RADIUS bool false Indicates if the Office Mode allocated IP addresses will be taken from the RADIUS server used to authenticate the user
VPN Remote Access - Office Mode disable bool false Indicates if Office Mode (allocating IP addresses for Remote Access clients) is disabled. This is not recommended.
VPN Remote Access - Prevent IP NAT Pool bool false Prevent IP Pool NAT configuration from being applied to Office Mode users. This is needed when using SecureClient as well as other VPN clients.
VPN Remote Access - Radius retransmit timeout int 5 Timeout interval (in seconds) for each RADIUS server connection attempt
VPN Remote Access - Remote Access port port 443 Select the port to which Remote Access clients connect, and SSL VPN Network extender portal uses
VPN Remote Access - Reserve port 443 for port forwarding bool false Reserving port 443 for port forwarding (port 443 will not be used for Remote Access and SSL VPN Network extender)
VPN Remote Access - SNX keep-alive interval int 20 Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets
VPN Remote Access - SNX re-authentication timeout int 480 Indicates the time (in minutes) between re-authentication of SSL Network Extender remote access users and Check Point Mobile VPN users
VPN Remote Access - SNX support 3DES bool true Indicates if the 3DES encryption algorithm will be supported in SSL clients as well as the default algorithms
VPN Remote Access - SNX support RC4 bool true Indicates if the RC4 encryption algorithm will be supported in SSL clients as well as the default algorithms
VPN Remote Access - SNX uninstall options Do not uninstall Indicates when and if the SSL Network Extender client will uninstall itself upon disconnection
VPN Remote Access - SNX upgrade options Ask user Indicates when and if the SSL Network Extender client will upgrade itself upon connection
VPN Remote Access - Single Office Mode Per Site      
VPN Remote Access - Topology updates manual interval int 168 Indicates the manually configured interval (in hours) for topology updates to the clients. Will be applicable only if the override settings is set to true.
VPN Remote Access - Topology updates override bool false Indicates if the configured topology updates settings will override the default 'once a week' policy
VPN Remote Access - Topology updates upon startup only bool true Indicates if topology updates will occur only when the client starts. Will be applicable only if the override settings is set to true.
VPN Remote Access - Verify device certificate bool true Client will verify the device's certificate against revocation list
VPN Remote Access - block user if belongs to at least one group without permission bool false Indicates if strict group permissions are enabled - user will not have remote access permission if belongs to at least one group without remote access permission
VPN Site to Site global settings - Accept NAT Traversal bool true Indicates if industry standard NAT traversal (UDP encapsulation) is enabled. This enables VPN tunnel establishment even when the remote site is behind a NAT device.
VPN Site to Site global settings - Administrative notifications options Log Indicates how to log an administrative event (for example, when a certificate is about to expire)
VPN Site to Site global settings - Check validity of IPSec reply packets bool false  
VPN Site to Site global settings - Cluster SA sync packets threshold long 200000 Sync SA with other cluster members when packets number reaches this threshold
VPN Site to Site global settings - Copy DiffServ mark from encrypted/decrypted IPSec packet bool false  
VPN Site to Site global settings - Copy DiffServ mark to encrypted/decrypted IPSec packet bool true  
VPN Site to Site global settings - DPD triggers new IKE negotiation bool true  
VPN Site to Site global settings - Delete IKE SAs from a dead peer bool true  
VPN Site to Site global settings - Delete IPsec SAs on IKE SA delete bool false  
VPN Site to Site global settings - Delete tunnel SAs when Tunnel Test fails bool true When permanent VPN tunnels are enabled and a Tunnel Test fails, delete the relevant peer's tunnel SAs. Not supported in High Availability Cluster mode
VPN Site to Site global settings - Do not encrypt connections originating from the local gateway bool false Exclude the Internet connection's IP address from the local encryption domain. Packets whose original source or destination IP address is the local gateway's Internet connection IP address will not go through a VPN tunnel. This parameter may be useful when the gateway is behind hide NAT.
VPN Site to Site global settings - Do not encrypt local DNS requests bool false When enabled, DNS requests originating from the appliance will not be encrypted. Relevant when a configured DNS server is in a VPN peer's encryption domain.
VPN Site to Site global settings - Enable encrypted packets rerouting bool true Indicates if encrypted packets will be rerouted through the best interface according to the peer's IP address or probing. It is not recommended to change this value to false.
VPN Site to Site global settings - Grace period after CRL is no longer valid int 1800 Indicates the time (in seconds) after which a revoked certificate of a remote site remains valid, to allow wider window for CRL validity in case of clock mismatch
VPN Site to Site global settings - Grace period before CRL is valid int 7200 Indicates the time window (in seconds) where a certificate is considered valid prior to the time set by the CA, to allow wider window for CRL validity in case of clock mismatch
VPN Site to Site global settings - IKE DoS from known sites protection options None Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers
VPN Site to Site global settings - IKE DoS from unknown sites protection options None Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers
VPN Site to Site global settings - IKE reply from Same IP bool true Indicates if the source IP address used in IKE session will be according to destination when replying to incoming connections, or according to the general source IP address link selection configuration
VPN Site to Site global settings - Join adjacent subnets in IKE Quick Mode bool true  
VPN Site to Site global settings - Keep DF flag on packet bool false Indicates if the 'Don't Fragment' flag is kept on the packet during encryption/decryption
VPN Site to Site global settings - Keep IKE SA Keys options Automatic  
VPN Site to Site global settings - Key exchange error tracking options Log Indicates how to log VPN configuration errors or key exchange errors
VPN Site to Site global settings - Maximum concurrent IKE negotiations int 200 Indicates the maximum number of concurrent VPN IKE negotiations
VPN Site to Site global settings - Maximum concurrent tunnels int 10000 Indicates the maximum number of concurrent VPN tunnels
VPN Site to Site global settings - Open SAs limit int 20 Indicates the maximum number of open SAs per VPN peer
VPN Site to Site global settings - Outgoing link tracking options None Logging of the outgoing VPN link: Log, don't log or alert
VPN Site to Site global settings - Override 'Route all traffic to remote VPN site' configuration for admin access to the device bool true Exclude admin access traffic to the gateway from being routed to remote VPN site even if all traffic should be routed to it
VPN Site to Site global settings - Packet handling errors tracking options Log Logging for VPN packet handling errors: Log, don't log or alert
VPN Site to Site global settings - Perform Tunnel Tests using an internal IP address bool false Perform Tunnel Tests using an internal IP address which is part of the local encryption domain.
VPN Site to Site global settings - Permanent tunnel down tracking options Log Logging for when the tunnel goes down: Log, don't log or alert
VPN Site to Site global settings - Permanent tunnel up tracking options Log Logging for when the tunnel goes up: Log, don't log or alert
VPN Site to Site global settings - RDP packet reply timeout int 10 Timeout (in seconds) for an RDP packet reply
VPN Site to Site global settings - Reply from incoming interface bool false When tunnel is initiated from remote site, reply from the same incoming interface when applicable (IKE and RDP sessions)
VPN Site to Site global settings - Successful key exchange tracking options Log Logging for VPN successful key exchange: Log, don't log or alert
VPN Site to Site global settings - Use cluster IP address for IKE bool true Indicates if IKE is performed using cluster IP address (when applicable)
VPN Site to Site global settings - Use internal IP address for encrypted connections from local gateway bool false Encrypted connections originating from the local gateway will use an internal interface's IP address as the connection source
VPN Site to Site global settings - VPN Tunnel Sharing options subnets Indicates under what conditions new tunnels are created, controlling the number of tunnels: per host pair, per subnet (Industry Standard) or a single tunnel per remote site/gateway
VoIP - Accept MGCP connections to registered ports bool false Indicates if deep inspection over MGCP traffic will automatically accept MGCP connections to registered ports
VoIP - Accept SIP connections to registered ports bool false Indicates if deep inspection over SIP traffic will automatically accept SIP connections to registered ports
Web Interface Settings and Customizations - Company URL urlv6WithHttp Clicking the company logo in the web interface opens this URL
Web Interface Settings and Customizations - Use a company logo in the appliance's web interface bool false The company logo is displayed on the appliance's web interface
0 Replies