| Attribute Name | Type | Value | Description |
|---|---|---|---|
| Admin Lockout - Mobile application session timeout | int | 30 | Allowed duration of a mobile application session (in days) before automatic logout is executed |
| Administrators RADIUS authentication - Default Shell | options | Clish | Default shell for super administrators. To enable this feature please contact Check Point support. |
| Administrators RADIUS authentication - Local authentication (RADIUS inaccessible) | bool | false | Perform local administrator authentication only if the RADIUS server is not configured or is inaccessible. |
| Aggressive aging - Aggressive aging enforcement method | options | Both | Choose when aggressive aging timeouts are enforced |
| Aggressive aging - Connection table percentage limit | int | 80 |  |
| Aggressive aging - Enable aggressive aging of connections | bool | true |  |
| Aggressive aging - Enable reduced timeout for ICMP connections | bool | true |  |
| Aggressive aging - Enable reduced timeout for TCP handshake | bool | true |  |
| Aggressive aging - Enable reduced timeout for TCP session | bool | true |  |
| Aggressive aging - Enable reduced timeout for TCP termination | bool | true |  |
| Aggressive aging - Enable reduced timeout for UDP connections | bool | true |  |
| Aggressive aging - Enable reduced timeout for non TCP/UDP/ICMP connections | bool | false |  |
| Aggressive aging - ICMP connections reduced timeout | int | 3 |  |
| Aggressive aging - Memory consumption percentage limit | int | 80 |  |
| Aggressive aging - Other IP protocols reduced timeout | int | 15 |  |
| Aggressive aging - Pending Data connections reduced timeout | int | 15 |  |
| Aggressive aging - TCP handshake reduced timeout | int | 5 |  |
| Aggressive aging - TCP session reduced timeout | int | 600 |  |
| Aggressive aging - TCP termination reduced timeout | int | 3 |  |
| Aggressive aging - Tracking options for aggressive aging | options | Log |  |
| Aggressive aging - UDP connections reduced timeout | int | 15 |  |
| Anti ARP Spoofing - Anti ARP Spoofing mode | options | Off | Mode for Anti ARP spoofing protection. The protection can be off, on, or in detect-only mode |
| Anti ARP Spoofing - Detection window time to indicate attack | int | 180 | Time period (in seconds) during which IP addresses assigned to the same MAC address indicate an ARP spoofing attack |
| Anti ARP Spoofing - Number of IP addresses to indicate attack | int | 3 | The number of IP addresses assigned to the same MAC address during the detection window time that indicates an ARP spoofing attack |
| Anti ARP Spoofing - Suspicious MAC block period | int | 1800 | Time period (in seconds) during which suspicious MAC addresses are kept in the blocked list |
| Anti-Spam policy - All mail track | options | None | Indicates the tracking options for non-spam emails |
| Anti-Spam policy - Allowed mail track | options | None | Indicates the tracking options for emails that were explicitly allowed in the Exceptions page |
| Anti-Spam policy - Bypass timeout | int | 0 | Indicates the timeout (in seconds) of the POP3 inspection bypass mechanism. Bypass is activated if the inspection daemon is unavailable for the indicated time period. Relevant for POP3 and for Anti-Virus, Anti-Spam and Threat Emulation inspection. A value of zero means bypass is disabled. |
| Anti-Spam policy - Content based Anti-Spam timeout | int | 10 | Indicates the timeout (in seconds) to wait for an answer from the cloud during content-based Anti-Spam inspection |
| Anti-Spam policy - Email size scan | int | 8 | Indicates the maximal size of an email's content to scan (in KB) |
| Anti-Spam policy - IP reputation fail open | bool | true | Use Anti-Spam IP reputation fail-open mode upon internal error |
| Anti-Spam policy - IP reputation timeout | int | 10 | Indicates the timeout (in seconds) to wait for an IP reputation test result |
| Anti-Spam policy - Scan outgoing emails | bool | false | Scan the content of emails which are sent from the local network to the Internet |
| Anti-Spam policy - Transparent proxy | bool | true | Use a transparent proxy for inspected email connections |
| Anti-spoofing - Enable global anti-spoofing | bool | true | Indicates if anti-spoofing is enabled automatically on all interfaces according to their zone |
| Application Control and URL Filtering - Block when service is unavailable | bool | false | Block web request traffic when the Check Point categorization and widget definitions online web service is unavailable |
| Application Control and URL Filtering - Categorize cached and translated pages | bool | true | Perform URL categorization of cached pages and translated pages created by search engines |
| Application Control and URL Filtering - Custom App over HTTPS | bool | false | Indicates whether custom URLs and applications will be matched over HTTPS traffic using the SNI field. Important note: as the SNI field in HTTPS traffic is browser-dependent and promiscuous, it does not guarantee a 100% match. |
| Application Control and URL Filtering - Encrypt RAD Communication | bool | false | Indicates if the communication with the RAD cloud is encrypted |
| Application Control and URL Filtering - Enforce safe search | bool | false | Force filtering of explicit content in search engine results |
| Application Control and URL Filtering - Fail Mode | options | Block all requests | Indicates the action to take on traffic in case of an internal system error or overload |
| Application Control and URL Filtering - Non-standard HTTP ports | bool | true | Enable HTTP inspection on non-standard ports for the Application Control or URLF blade |
| Application Control and URL Filtering - Track browse time | bool | true | Indicates if the total time that users are connected to different sites and applications in an HTTP session will be shown in relevant logs |
| Application Control and URL Filtering - Use HTTP referer header | bool | true | Indicates if the HTTP referer header is used by the inspection engine to improve application identification |
| Application Control and URL Filtering - Web site categorization mode | options | Background | Indicates the categorization mode: Background - requests are allowed until categorization is complete, Hold - requests are blocked until categorization is complete |
| Capacity Optimization - Connections hash table size | int | 131072 | Indicates the size in bytes of the connections hash table |
| Capacity Optimization - Maximum concurrent connections | int | 150000 | Indicates the overall maximum number of concurrent connections |
| Cloud Services firmware upgrade - Service access maximum retries | int | 3 | Indicates the maximum number of retries when failing to upgrade using the service |
| Cloud Services firmware upgrade - Service access timeout until retry | int | 180 | Indicates the time to wait after a connection failure to the service before the next retry |
| Cluster - Use virtual MAC | bool | false | Indicates if a virtual MAC address will be used by all cluster members to allow a quicker failover by the network's switch |
| DDNS - iterations | int | 2 | Number of DNS updates |
| DHCP bridge - MAC assignment | options | Use internal interfaces mac | Indicates whether the MAC address for the DHCP bridge is taken from an internal (LAN) or external port (WAN, DMZ). |
| DHCP relay - Use internal IP addresses as source | bool | false | Indicates if DHCP relay packets from the appliance will originate from internal IP addresses |
| Firewall Policy - Connection Persistence | bool | false | Handling of established connections when installing a new policy |
| Firewall Policy - Log implied rules | bool | false | Produce log records for connections that match implied rules |
| Hardware options - Reset to factory defaults timeout | int | 12 | Indicates the amount of time (in seconds) that you need to press and hold the factory defaults button on the back panel to restore the factory defaults image |
| Hotspot - Enable portal | options | Enabled | Select 'Disabled' to disable the hotspot feature entirely |
| Hotspot - Prevent simultaneous log-in | bool | false | The same user will not be allowed to log in via the hotspot portal from more than one machine in parallel |
| IP Resolving - IP Resolving Activation | options | Enabled | Enable / Disable IP Resolving log enrichment |
| IP Resolving - IP Resolving TTL | int | 1800 | The time (in seconds) for which the hostname resolution will be used |
| IP fragments parameters - Action | options | Allow | Indicates if IP fragments will be allowed or dropped by default |
| IP fragments parameters - Maximum fragments | int | 200 | Indicates how many IP fragments can arrive before discarding incomplete packets |
| IP fragments parameters - Minimum fragments size | int | 0 | IP Fragments minimum fragment size |
| IP fragments parameters - Packet Capture | bool | false | IP Fragments packet capture settings |
| IP fragments parameters - Timeout | int | 1 | Indicates the timeout (in seconds) before discarding incomplete packets |
| IP fragments parameters - Track options | options | Log | Indicates if and how to log IP fragments |
| IPS additional parameters - Max Ping Limit | int | 1400 | Indicates the maximal ping packet size that will be allowed when the 'Max Ping Size' protection is active |
| IPS additional parameters - Non-standard HTTP ports | bool | true | Enable HTTP inspection on non-standard ports for the IPS blade |
| IPS engine settings - Allow protocol unknown commands | bool | false | Indicates whether protocol commands that are not fully supported by the inspection module are blocked |
| IPS engine settings - Description | comments | Access denied due to IPS policy violation | A configured string to show in the error page, if configured |
| IPS engine settings - Error page for supported web protections | options | Show pre-defined HTML error page | Indicates if IPS protections supporting an error page will show it upon attack prevention |
| IPS engine settings - HTML error page configuration | bool | false | Indicates if the error page will contain an error code |
| IPS engine settings - Logo URL | bool | false | Optionally enter a URL that leads to your company logo. |
| IPS engine settings - Logo URL address | urlv6 |  | An accessible URL that leads to a logo file to show in the error page |
| IPS engine settings - Send detailed error code | bool | true | Indicates if the error page will contain a configured string |
| IPS engine settings - Send error code | bool | false | Indicates if an error code will be sent to the other URL as a parameter |
| IPS engine settings - URL for redirection | urlv6 |  | Users will be redirected to this URL upon detection of an attack |
| Internal Certificates configure - Internal CA certificate expiration | int | 20 | The number of years the internal CA certificate is valid |
| Internet - Reset Sierra USB on LSI error | bool | true | Indicates whether Sierra type USB modems will be reset when they send an Invalid LSI signal |
| MAC Filtering settings - Log blocked MAC addresses | options | Enabled | Indicates if blocked MAC addresses should be logged or not |
| MAC Filtering settings - Log suspension | int | 1 | Indicates the suspension time (in seconds) between logs for blocked MAC addresses |
| Managed services - Allow seamless administrator access from remote Management Server | bool | true | Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator user name and password |
| Managed services - Show device details in Login | bool | true | Indicates if appliance details are shown when an administrator accesses the appliance |
| Mobile Settings - Notification cloud server URL | urlv6 | https://smbcloud-api-gateway.iaas.checkpoint.com/notifications/mobile/send | Cloud server URL used for sending mobile notifications |
| Mobile Settings - Pairing code expiration | int | 1 | Time until the pairing code expires, in hours. |
| Mobile Settings - Verify SSL certificate | bool | true | Verify the SSL certificate when sending mobile notifications to the cloud server |
| NAT - ARP manual file merge | bool | false | When automatic ARP detection is enabled, use the ARP definitions in a local file with higher priority |
| NAT - Address allocation and release tracking | options | None | Specifies whether to log each allocation and release of an IP address from the IP Pool |
| NAT - Address exhaustion tracking | options | Log | Indicates whether or not to log and/or alert on exhaustion of the IP pool |
| NAT - Automatic ARP detection | bool | true | Automatically detect ARP requests for external IP addresses of internal devices to be answered by the device |
| NAT - IP Pool NAT | options | Do not use IP pool NAT | IP pool NAT mode |
| NAT - IP pool per interface | bool | false | Uses an IP address pool for NAT per interface |
| NAT - Increase hide capacity | bool | true | Indicates if hide-NAT capacity is given additional space |
| NAT - NAT cache expiration | int | 30 | Indicates the expiration time in minutes for NAT cache entries |
| NAT - NAT cache number of entries | int | 10000 | Indicates the maximum number of NAT cache entries |
| NAT - NAT enable | bool | true | Indicates if the device's NAT capabilities are enabled |
| NAT - NAT hash size | int | 0 | Indicates the hash bucket size of NAT tables |
| NAT - NAT limit | int | 0 | Indicates the maximum number of connections with NAT |
| NAT - Perform cluster hide fold | bool | false | Indicates if local IP addresses will be hidden behind the cluster IP address when applicable |
| NAT - Prefer IP Pool NAT over hide NAT | bool | true | Overrides hide NAT with IP pool NAT |
| NAT - Return unused addresses to IP Pool NAT after | int | 60 | Return unused addresses to IP pool NAT |
| NAT - Reuse IP addresses from the Pool for different destinations | bool | false | Allows NAT to re-use IP addresses for different destinations |
| NAT - Translate destination on client side | bool | true | Translates destination IP addresses on the client side (for automatically generated NAT rules) |
| NAT - Translate destination on client side (manual rules) | bool | true | Translates destination IP addresses on the client side (for manually configured NAT rules) |
| NAT - Use IP Pool NAT for VPN clients connections | bool | false | Uses IP Pool NAT for VPN client connections |
| NAT - Use IP Pool NAT for gateway to gateway connections | bool | false | Uses IP pool NAT for gateway to gateway connections |
| Notifications policy - Send push notifications | bool | true | Indicates whether notifications are sent to the mobile application |
| Notifications policy - The maximum number of notifications sent per hour | int | 60 | The maximum number of notifications sent to mobile devices per hour |
| OS advanced settings - Disable transfer of DHCP options from WAN to LAN | bool | false | Specifies whether transfer of DHCP options from WAN to LAN is disabled |
| OS advanced settings - Enable Wifi Monitors | bool | false | Specifies whether WiFi monitors are on |
| OS advanced settings - Enable automatic Wifi Channel Change | bool | false | Specifies whether WiFi switches channels automatically during operation |
| OS advanced settings - Enable destination check on PPPoE | bool | false | Specifies whether the PPPoE destination check is enabled |
| OS advanced settings - Enable flow-control for network switch | bool | false | Indicates if flow-control is enabled for the network switch |
| Operating system - Operating system | int | 20 | tmpDirSize |
| Operating system - System temporary directory size | int | 40 | Controls the size (in MB) of the temporary directory that is used by the system |
| Privacy settings - Help us improve product experience by sending data to Check Point | bool | false | Privacy statement: Check Point does not upload data that contains private or sensitive information. For more information, refer to sk120332. |
| Privacy settings - Location service requires sending your IP address to 3rd party | bool | false | Using the automatic timezone feature requires sending your IP address to a 3rd party. |
| QoS blade - Logging | bool | true | Indicates if the appliance logs QoS events when the QoS blade is enabled |
| Reach My Device - Allow open permanent tunnel | bool | true | Use a permanent tunnel when running Reach My Device |
| Reach My Device - Ignore SSL certificate | bool | false | Ignore the SSL certificate when running Reach My Device |
| Reach My Device - Server address | urlv6 | smbrelay.checkpoint.com | Indicates the address of the remote server that allows administration access to the appliance from the internet even when behind NAT |
| Report Settings - Max period | options | Monthly | Maximum period to collect and monitor data in local management. You must reboot your appliance to apply changes. |
| Report Settings - Reports cloud server URL | urlv6 | https://smbcloud-api-gateway.iaas.checkpoint.com/reports/pdf | Reports cloud server URL used to generate report PDFs |
| SSL inspection policy - Additional HTTPS ports | port-range | 8080,3128 | Additional HTTPS ports for SSL inspection (a comma separated list of ports/ranges) |
| SSL inspection policy - Log empty SSL connections | bool | false | Log connections that were terminated by the client before data was sent - might indicate that the client did not install the CA certificate |
| SSL inspection policy - Retrieve intermediate CA certificates | bool | true | Indicates if the SSL inspection mechanism will perform its validations on all intermediate CA certificates in the certificate chain |
| SSL inspection policy - SSL Inspection categorization mode | options | Hold | Indicates the categorization mode of SSL Inspection: Background - requests are allowed until categorization is complete, Hold - requests are blocked until categorization is complete |
| SSL inspection policy - Track validation errors | options | Log | Choose if the SSL Inspection validations are tracked |
| SSL inspection policy - Validate CRL | bool | true | Indicates if the SSL inspection mechanism will drop connections that present a revoked certificate |
| SSL inspection policy - Validate Expiration | bool | false | Indicates if the SSL inspection mechanism will drop connections that present an expired certificate |
| SSL inspection policy - Validate unreachable CRL | bool | false | Indicates if the SSL inspection mechanism will drop connections that present a certificate with an unreachable CRL |
| SSL inspection policy - Validate untrusted certificates | bool | false | Indicates if the SSL inspection mechanism will drop connections that present an untrusted server certificate |
| Serial port - Enable serial port | options | Enabled | Indicates if the serial port is enabled |
| Serial port - Port speed | options | 115200 | Indicates the port speed (baud rate) of the serial connection |
| Stateful Inspection - Accept out of state TCP packets | int | 0 | Indicates if TCP packets which are not consistent with the current state of the TCP connection are dropped (when set to 0) or accepted (when set to any other value) |
| Stateful Inspection - Accept stateful ICMP Errors | bool | true | Accept ICMP error packets which refer to another non-ICMP connection that was accepted by the Rule Base |
| Stateful Inspection - Accept stateful ICMP Replies | bool | true | Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base |
| Stateful Inspection - Accept stateful UDP replies for unknown services | bool | true |  |
| Stateful Inspection - Accept stateful other IP protocols replies for unknown services | bool | true | Accept stateful non TCP/UDP protocol replies for unknown services |
| Stateful Inspection - Allow IPv6 packets | bool | false | Allow IPv6 traffic to pass without inspection |
| Stateful Inspection - Drop out of state ICMP packets | bool | true | Drop ICMP packets which are not in the context of a virtual session |
| Stateful Inspection - ICMP virtual session timeout | int | 30 | Indicates the timeout (in seconds) for ICMP virtual sessions |
| Stateful Inspection - Log dropped out of state ICMP packets | int | 0 |  |
| Stateful Inspection - Log dropped out of state TCP packets | int | 0 |  |
| Stateful Inspection - Other IP protocols virtual session timeout | int | 60 | Indicates the timeout (in seconds) for other IP protocols virtual sessions (non TCP/UDP/ICMP) |
| Stateful Inspection - Perform deep packet inspection on LAN to LAN traffic | bool | false |  |
| Stateful Inspection - Perform deep packet inspection on traffic between LAN and DMZ networks | bool | true |  |
| Stateful Inspection - TCP end timeout | int | 20 | Indicates the timeout (in seconds) for TCP session end |
| Stateful Inspection - TCP session timeout | int | 3600 | Indicates the timeout (in seconds) for TCP sessions |
| Stateful Inspection - TCP start timeout | int | 25 | Indicates the timeout (in seconds) for TCP session start |
| Stateful Inspection - UDP virtual session timeout | int | 40 | Indicates the timeout (in seconds) for UDP virtual sessions |
| Stateful Inspection - traceroute maximal TTL | int | 29 | Maximal value of the TTL field for a packet to be considered a traceroute |
| Streaming engine settings - Stream Inspection Timeout action | options | Prevent | Stream Inspection Timeout activation mode |
| Streaming engine settings - Stream Inspection Timeout tracking | options | Log |  |
| Streaming engine settings - TCP Invalid Checksum action | options | Prevent | TCP Invalid Checksum activation mode |
| Streaming engine settings - TCP Invalid Checksum tracking | options | Log |  |
| Streaming engine settings - TCP Invalid Retransmission action | options | Prevent | TCP Invalid Retransmission activation mode |
| Streaming engine settings - TCP Invalid Retransmission tracking | options | Log |  |
| Streaming engine settings - TCP Out of Sequence action | options | Prevent | TCP Out of Sequence activation mode |
| Streaming engine settings - TCP Out of Sequence tracking | options | Log |  |
| Streaming engine settings - TCP SYN Modified Retransmission action | options | Prevent | TCP SYN Modified Retransmission activation mode |
| Streaming engine settings - TCP SYN Modified Retransmission tracking | options | Log |  |
| Streaming engine settings - TCP Segment Limit Enforcement action | options | Prevent | TCP Segment Limit Enforcement activation mode |
| Streaming engine settings - TCP Segment Limit Enforcement tracking | options | Log |  |
| Streaming engine settings - TCP Urgent Data Enforcement action | options | Detect | TCP Urgent Data Enforcement activation mode |
| Streaming engine settings - TCP Urgent Data Enforcement tracking | options | Log |  |
| Threat Prevention Anti-Bot policy - Resource classification mode | options | Hold | Indicates the classification mode for the Anti-Bot engine: Background - connections are allowed until classification is complete, Hold - connections are blocked until classification is complete |
| Threat Prevention Anti-Virus policy - File scan size limit | int | 0 | Indicates the size limit (in KB) of a file scanned by the Anti-Virus engine. To specify no limit, set to 0. |
| Threat Prevention Anti-Virus policy - MIME maximum nesting level | int | 7 | Indicates the maximum number of levels in nested MIME content that the ThreatSpect engine scans in mail traffic |
| Threat Prevention Anti-Virus policy - MIME nesting level exceeded action | options | Block | Indicates if an email should be blocked or accepted if there are more nested levels of MIME content than the configured amount |
| Threat Prevention Anti-Virus policy - Priority scanning | bool | true | Scan according to security and performance priorities for maximum optimization |
| Threat Prevention Anti-Virus policy - Resource classification mode | options | Hold | Indicates the classification mode for the Anti-Virus engine: Background - connections are allowed until classification is complete, Hold - connections are blocked until classification is complete |
| Threat Prevention Threat Emulation policy - Emulation connection handling mode - IMAP | options | Background - connections are allowed until emulation handling is complete | Indicates the strictness mode of the Threat Emulation engine over IMAP: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed |
| Threat Prevention Threat Emulation policy - Emulation connection handling mode - POP3 | options | Background - connections are allowed until emulation handling is complete | Indicates the strictness mode of the Threat Emulation engine over POP3: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed |
| Threat Prevention Threat Emulation policy - Emulation connection handling mode - SMTP | options | Background - connections are allowed until emulation handling is complete | Indicates the strictness mode of the Threat Emulation engine over SMTP: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed |
| Threat Prevention Threat Emulation policy - Emulation location | options | Emulation is done on Public Threat Cloud | Indicates if emulation is done on the Public Threat Cloud or on a remote (private) SandBlast |
| Threat Prevention Threat Emulation policy - Primary Emulation gateway | ipv4addr |  | The IP address of the primary remote emulation gateway |
| Threat Prevention policy - Block when service is unavailable | bool | false | Block web request traffic when the Check Point ThreatCloud online web service is unavailable |
| Threat Prevention policy - Fail mode | options | Allow all requests | Indicates the action to take on traffic in case of an internal system error or overload |
| Threat Prevention policy - File inspection size limit | int | 0 | Indicates the size limit (in KB) of a file inspected by Threat Prevention engines. Note: A limit that is too low may have an impact on the functionality of the Application Control blade. To specify no limit, set to 0. |
| Threat Prevention policy - Method for skipping HTTP inspection | options | Default | When changed from the default value, and a file size inspection limit is used, HTTP inspection will be fully skipped instead of skipping only a single session. This is not recommended due to its high security impact: following a large file sent via HTTP on a single connection, the subsequent sessions will not be inspected at all. |
| Threat Prevention policy - Update Threat Prevention With Full Packages | bool | false | Update Threat Prevention with the most up to date packages |
| USB modem watchdog - Interval | int | 5 | Indicates how often the USB modem watchdog probes the internet |
| USB modem watchdog - Mode | options | Disabled | Indicates if the USB modem watchdog is enabled when internet probing is enabled, and the reset type (either hard-reset to shut down the power for the USB modem or gateway-reset to reboot the gateway itself). |
| USB modem watchdog - USB only | bool | false | Monitor only the USB modem connection |
| Update Services Schedule - Maximum number of retries | int | 3 | Indicates the maximum number of retries for a single update when the cloud is unavailable until the next scheduled update |
| Update Services Schedule - Timeout until retry | int | 180 | Indicates the timeout (in seconds) until the update is retried |
| User Awareness - Active Directory association timeout | int | 720 | Indicates the timeout (in minutes) for caching an association between a user and an IP address |
| User Awareness - Allow DNS for unknown users | bool | true | The default is to allow DNS for unknown users even when configured to be blocked in the Browser Based Portal settings |
| User Awareness - Assume single user per IP address | bool | true | Indicates a mode where, per IP address, only the last user who logged in is identified |
| User Awareness - Log blocked unknown users | bool | false | Indicates if a log should be issued when unknown users are blocked (see Browser Based Portal settings) |
| User Awareness - Use NTLMv2 protocol for Active Directory Queries | bool | false | NTLMv2 mode - true for using NTLMv2, false for using NTLMv1 |
| User Management - Automatically delete expired local users | bool | false | Automatically delete all expired local users every 24 hours (after midnight) |
| VPN Remote Access - Allow clear Traffic while disconnected | bool | true | Indicates how traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site: sent in clear or dropped |
| VPN Remote Access - Allow simultaneous login | bool | true | If disabled, and the same user logs in for a second time, the existing session is disconnected |
| VPN Remote Access - Authentication timeout | int | 120 | Indicates for how much time (in minutes) the remote client's password remains valid if the timeout is enabled |
| VPN Remote Access - Auto-disconnect in VPN domain | bool | true | Indicates if the client disconnects automatically to save resources when it connects from inside the secured internal network (local encryption domain) |
| VPN Remote Access - Back connections enable | bool | false | Enable back connections from the encryption domain behind the gateway to the client |
| VPN Remote Access - Back connections keep-alive interval | int | 20 | Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections |
| VPN Remote Access - Enable Visitor Mode on All Interfaces | options | All | Enable visitor mode on all interfaces |
| VPN Remote Access - Enable Visitor Mode on This Interface | ipv4addr | 0.0.0.0 | Support visitor mode on this interface |
| VPN Remote Access - Encrypt DNS traffic | bool | true | Indicates if DNS queries sent by the remote client to a DNS server located in the encryption domain are passed through the VPN tunnel |
| VPN Remote Access - Encryption Method | options | IKEv1 | Indicates which IKE encryption method (version) is used for IKE phase 1 and 2 |
| VPN Remote Access - Endpoint Connect re-authentication timeout | int | 480 | Indicates the time (in minutes) until the Endpoint Connect user's credentials are resent to the gateway to verify authorization |
| VPN Remote Access - IKE IP Compression Support | bool | false | Indicates if IPSec packets from remote access clients will be compressed |
| VPN Remote Access - IKE Over TCP | bool | false | Enables support of IKE over TCP |
| VPN Remote Access - IKE restart recovery | bool | true | Indicates that the gateway will save tunnel details so it can cause the remote client to discard the old SA and re-initiate IKE upon gateway crash or restart |
| VPN Remote Access - Legacy NAT traversal | bool | true | Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient |
| VPN Remote Access - Minimum TLS version support in the SSL VPN portal | options | TLS 1.2 | Indicates the minimum TLS protocol version which the SSL VPN portal supports. For security reasons, it is recommended to support TLS 1.2 and above. |
| VPN Remote Access - Office Mode Enable With Multiple Interfaces | bool | false | Indicates if a mechanism (with a performance impact) to improve connectivity between remote access clients and an appliance with multiple external interfaces is enabled |
| VPN Remote Access - Office Mode Perform Antispoofing | bool | false | Office Mode - Perform Anti-Spoofing on Office Mode addresses |
| VPN Remote Access - Office Mode allocate from RADIUS | bool | false | Indicates if the Office Mode allocated IP addresses will be taken from the RADIUS server used to authenticate the user |
| VPN Remote Access - Office Mode disable | bool | false | Indicates if Office Mode (allocating IP addresses for Remote Access clients) is disabled. This is not recommended. |
| VPN Remote Access - Prevent IP NAT Pool | bool | false | Prevent IP Pool NAT configuration from being applied to Office Mode users. This is needed when using SecureClient as well as other VPN clients. |
| VPN Remote Access - Radius retransmit timeout | int | 5 | Timeout interval (in seconds) for each RADIUS server connection attempt |
| VPN Remote Access - Remote Access port | port | 443 | Select the port to which Remote Access clients connect, and which the SSL VPN Network Extender portal uses |
| VPN Remote Access - Reserve port 443 for port forwarding | bool | false | Reserve port 443 for port forwarding (port 443 will not be used for Remote Access and SSL VPN Network Extender) |
| VPN Remote Access - SNX keep-alive interval | int | 20 | Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets |
| VPN Remote Access - SNX re-authentication timeout | int | 480 | Indicates the time (in minutes) between re-authentication of SSL Network Extender remote access users and Check Point Mobile VPN users |
| VPN Remote Access - SNX support 3DES | bool | true | Indicates if the 3DES encryption algorithm will be supported in SSL clients in addition to the default algorithms |
| VPN Remote Access - SNX support RC4 | bool | true | Indicates if the RC4 encryption algorithm will be supported in SSL clients in addition to the default algorithms |
| VPN Remote Access - SNX uninstall | options | Do not uninstall | Indicates when and if the SSL Network Extender client will uninstall itself upon disconnection |
| VPN Remote Access - SNX upgrade | options | Ask user | Indicates when and if the SSL Network Extender client will upgrade itself upon connection |
| VPN Remote Access - Single Office Mode Per Site |  |  |  |
| VPN Remote Access - Topology updates manual interval | int | 168 | Indicates the manually configured interval (in hours) for topology updates to the clients. Applicable only if the override setting is set to true. |
| VPN Remote Access - Topology updates override | bool | false | Indicates if the configured topology updates settings will override the default 'once a week' policy |
| VPN Remote Access - Topology updates upon startup only | bool | true | Indicates if topology updates will occur only when the client starts. Applicable only if the override setting is set to true. |
VPN Remote Access - Verify device certificate |
bool |
true |
Client will verify the device's certificate against revocation list |
VPN Remote Access - block user if belongs to at least one group without permission |
bool |
false |
Indicates if strict group permissions are enabled - user will not have remote access permission if belongs to at least one group without remote access permission |
VPN Site to Site global settings - Accept NAT Traversal |
bool |
true |
Indicates if industry standard NAT traversal (UDP encapsulation) is enabled. This enables VPN tunnel establishment even when the remote site is behind a NAT device. |
VPN Site to Site global settings - Administrative notifications |
options |
Log |
Indicates how to log an administrative event (for example, when a certificate is about to expire) |
VPN Site to Site global settings - Check validity of IPSec reply packets |
bool |
false |
|
VPN Site to Site global settings - Cluster SA sync packets threshold |
long |
200000 |
Sync SA with other cluster members when packets number reaches this threshold |
VPN Site to Site global settings - Copy DiffServ mark from encrypted/decrypted IPSec packet |
bool |
false |
|
VPN Site to Site global settings - Copy DiffServ mark to encrypted/decrypted IPSec packet |
bool |
true |
|
VPN Site to Site global settings - DPD triggers new IKE negotiation |
bool |
true |
|
VPN Site to Site global settings - Delete IKE SAs from a dead peer |
bool |
true |
|
VPN Site to Site global settings - Delete IPsec SAs on IKE SA delete |
bool |
false |
|
VPN Site to Site global settings - Delete tunnel SAs when Tunnel Test fails |
bool |
true |
When permanent VPN tunnels are enabled and a Tunnel Test fails, delete the relevant peer's tunnel SAs. Not supported in High Availability Cluster mode |
VPN Site to Site global settings - Do not encrypt connections originating from the local gateway |
bool |
false |
Exclude the Internet connection's IP address from the local encryption domain. Packets whose original source or destination IP address is the local gateway's Internet connection IP address will not go through a VPN tunnel. This parameter may be useful when the gateway is behind hide NAT. |
VPN Site to Site global settings - Do not encrypt local DNS requests |
bool |
false |
When enabled, DNS requests originating from the appliance will not be encrypted. Relevant when a configured DNS server is in a VPN peer's encryption domain. |
VPN Site to Site global settings - Enable encrypted packets rerouting |
bool |
true |
Indicates if encrypted packets will be rerouted through the best interface according to the peer's IP address or probing. It is not recommended to change this value to false. |
VPN Site to Site global settings - Grace period after CRL is no longer valid |
int |
1800 |
Indicates the time (in seconds) after which a revoked certificate of a remote site remains valid, to allow wider window for CRL validity in case of clock mismatch |
VPN Site to Site global settings - Grace period before CRL is valid |
int |
7200 |
Indicates the time window (in seconds) where a certificate is considered valid prior to the time set by the CA, to allow wider window for CRL validity in case of clock mismatch |
VPN Site to Site global settings - IKE DoS from known sites protection |
options |
None |
Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers |
VPN Site to Site global settings - IKE DoS from unknown sites protection |
options |
None |
Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers |
VPN Site to Site global settings - IKE reply from Same IP |
bool |
true |
Indicates if the source IP address used in IKE session will be according to destination when replying to incoming connections, or according to the general source IP address link selection configuration |
VPN Site to Site global settings - Join adjacent subnets in IKE Quick Mode |
bool |
true |
|
VPN Site to Site global settings - Keep DF flag on packet |
bool |
false |
Indicates if the 'Don't Fragment' flag is kept on the packet during encryption/decryption |
VPN Site to Site global settings - Keep IKE SA Keys |
options |
Automatic |
|
VPN Site to Site global settings - Key exchange error tracking |
options |
Log |
Indicates how to log VPN configuration errors or key exchange errors |
VPN Site to Site global settings - Maximum concurrent IKE negotiations |
int |
200 |
Indicates the maximum number of concurrent VPN IKE negotiations |
VPN Site to Site global settings - Maximum concurrent tunnels |
int |
10000 |
Indicates the maximum number of concurrent VPN tunnels |
VPN Site to Site global settings - Open SAs limit |
int |
20 |
Indicates the maximum number of open SAs per VPN peer |
VPN Site to Site global settings - Outgoing link tracking |
options |
None |
Logging of the outgoing VPN link: Log, don't log or alert |
VPN Site to Site global settings - Override 'Route all traffic to remote VPN site' configuration for admin access to the device |
bool |
true |
Exclude admin access traffic to the gateway from being routed to remote VPN site even if all traffic should be routed to it |
VPN Site to Site global settings - Packet handling errors tracking |
options |
Log |
Logging for VPN packet handling errors: Log, don't log or alert |
VPN Site to Site global settings - Perform Tunnel Tests using an internal IP address |
bool |
false |
Perform Tunnel Tests using an internal IP address which is part of the local encryption domain. |
VPN Site to Site global settings - Permanent tunnel down tracking |
options |
Log |
Logging for when the tunnel goes down: Log, don't log or alert |
VPN Site to Site global settings - Permanent tunnel up tracking |
options |
Log |
Logging for when the tunnel goes up: Log, don't log or alert |
VPN Site to Site global settings - RDP packet reply timeout |
int |
10 |
Timeout (in seconds) for an RDP packet reply |
VPN Site to Site global settings - Reply from incoming interface |
bool |
false |
When tunnel is initiated from remote site, reply from the same incoming interface when applicable (IKE and RDP sessions) |
VPN Site to Site global settings - Successful key exchange tracking |
options |
Log |
Logging for VPN successful key exchange: Log, don't log or alert |
VPN Site to Site global settings - Use cluster IP address for IKE |
bool |
true |
Indicates if IKE is performed using cluster IP address (when applicable) |
VPN Site to Site global settings - Use internal IP address for encrypted connections from local gateway |
bool |
false |
Encrypted connections originating from the local gateway will use an internal interface's IP address as the connection source |
VPN Site to Site global settings - VPN Tunnel Sharing |
options |
subnets |
Indicates under what conditions new tunnels are created, controlling the number of tunnels: per host pair, per subnet (Industry Standard) or a single tunnel per remote site/gateway |
VoIP - Accept MGCP connections to registered ports |
bool |
false |
Indicates if deep inspection over MGCP traffic will automatically accept MGCP connections to registered ports |
VoIP - Accept SIP connections to registered ports |
bool |
false |
Indicates if deep inspection over SIP traffic will automatically accept SIP connections to registered ports |
Web Interface Settings and Customizations - Company URL |
urlv6WithHttp |
Clicking the company logo in the web interface opens this URL |
Web Interface Settings and Customizations - Use a company logo in the appliance's web interface |
bool |
false |
The company logo is displayed on the appliance's web interface |