| Attribute Name |
Type |
Value |
Description |
|
Acceleration Settings - Acceleration state enabled
|
bool |
true |
Indicates whether acceleration is enabled |
| Admin Lockout - Mobile application session timeout |
int |
30 |
Allowed mobile application session before automatic logout is executed (in days) |
| Admin Lockout - Mobile seamless login session timeout |
int |
1 |
Allowed mobile application seamless login session before automatic logout is executed (in days) |
| Administrators RADIUS authentication - Default Shell |
options |
Clish |
Default shell for super administrators. To enable this feature, contact Check Point support. |
| Administrators RADIUS authentication - Local authentication (RADIUS inaccessible) |
bool |
false |
Perform local administrator authentication only if RADIUS server is not configured or is inaccessible. |
| Aggressive aging - Aggressive aging enforcement method |
options |
Both |
Choose when aggressive aging timeouts are enforced |
| Aggressive aging - Connection table percentage limit |
int |
80 |
|
| Aggressive aging - Enable aggressive aging of connections |
bool |
true |
|
| Aggressive aging - Enable reduced timeout for ICMP connections |
bool |
true |
|
| Aggressive aging - Enable reduced timeout for TCP handshake |
bool |
true |
|
| Aggressive aging - Enable reduced timeout for TCP session |
bool |
true |
|
| Aggressive aging - Enable reduced timeout for TCP termination |
bool |
true |
|
| Aggressive aging - Enable reduced timeout for UDP connections |
bool |
true |
|
| Aggressive aging - Enable reduced timeout for non TCP/UDP/ICMP connections |
bool |
false |
|
| Aggressive aging - Enable reduced timeout for non TCP/UDP/ICMP connections |
bool |
false |
|
| Aggressive aging - ICMP connections reduced timeout |
int |
3 |
|
| Aggressive aging - Memory consumption percentage limit |
int |
80 |
|
| Aggressive aging - Other IP protocols reduced timeout |
int |
15 |
|
| Aggressive aging - Pending Data connections reduced timeout |
int |
15 |
|
| Aggressive aging - TCP handshake reduced timeout |
int |
5 |
|
| Aggressive aging - TCP session reduced timeout |
int |
600 |
|
| Aggressive aging - TCP termination reduced timeout |
int |
3 |
|
| Aggressive aging - Tracking options for aggressive aging |
options |
Log |
|
| Aggressive aging - UDP connections reduced timeout |
int |
15 |
|
| Anti-Spam policy - All mail track |
options |
None |
Indicates the tracking options for non-spam emails |
| Anti-Spam policy - Allowed mail track |
options |
None |
Indicates the tracking options for emails that were explicitly allowed in the Exceptions page |
| Anti-Spam policy - Bypass timeout |
int |
0 |
Indicates the timeout (in seconds) of a POP3 inspection bypass mechanism. Bypass will be activated in case the inspection daemon is unavailable for the indicated time period. Relevant for POP3 and for Anti-Virus, Anti-Spam and Threat Emulation inspection. A value of zero means bypass is disabled. |
| Anti-Spam policy - Content based Anti-Spam timeout |
int |
10 |
Indicates the timeout (in seconds) to wait for an answer from the cloud during content-based Anti-Spam inspection |
| Anti-Spam policy - Email size scan |
int |
8 |
Indicates the maximal size of an email's content to scan (in KB) |
| Anti-Spam policy - IP reputation fail open |
bool |
true |
Use Anti-Spam IP reputation fail-open mode upon internal error |
| Anti-Spam policy - IP reputation timeout |
int |
10 |
Indicates the timeout (in seconds) to wait for an IP reputation test result |
|
Anti-Spam policy - Scan outgoing emails
|
bool |
false |
Scan the content of emails which are sent from the local network to the Internet |
| Anti-Spam policy - Transparent proxy |
bool |
true |
Use a transparent proxy for inspected email connections |
| Anti-spoofing - Enable global anti-spoofing |
bool |
true |
Indicates if anti-spoofing is enabled automatically on all interfaces according to their zone |
| Application Control and URL Filtering - Block when service is unavailable |
bool |
false |
Block web requests traffic when the Check Point categorization and widget definitions online web service is unavailable |
| Application Control and URL Filtering - Categorize cached and translated pages |
bool |
true |
Perform URL categorization of cached pages and translated pages created by search engines |
| Application Control and URL Filtering - Custom app over HTTPS |
bool |
false |
Indicates whether custom URLs and applications will be matched over HTTPS traffic using SNI field. Important note: as SNI field in HTTPS traffic is browser-dependent and promiscuous, it does not guarantee 100% match. |
| Application Control and URL Filtering - Encrypt RAD communication |
bool |
false |
Indicates if the communication with the RAD cloud is encrypted |
| Application Control and URL Filtering - Enforce safe search |
bool |
false |
Force filtering explicit content in search engines results |
| Application Control and URL Filtering - Fail mode |
options |
Block all requests |
Indicates the action to take on traffic in case of an internal system error or overload |
| Application Control and URL Filtering - Non-standard HTTP ports |
bool |
true |
Enable HTTP inspection on non-standard ports for the Application Control or URLF blade |
| Application Control and URL Filtering - Track browse time |
bool |
true |
Indicates if the total time that users are connected to different sites and applications in an HTTP session will be shown in relevant logs |
| Application Control and URL Filtering - Use HTTP referer header |
bool |
true |
Indicates if the HTTP referer header is used by the inspection engine to improve application identification |
| Application Control and URL Filtering - UserCheck portal address |
string |
|
Configure this parameter only when locally managed GW is configured in bridge mode and tag based VLAN traffic is passing through it. Use local address which isn't under the bridge |
| Application Control and URL Filtering - Web site categorization mode |
options |
Background |
Indicates the categorization mode: Background - requests are allowed until categorization is complete, Hold - requests are blocked until categorization is complete |
| Bypass CRL - CRL bypass limit |
long |
10000 |
Bypass CRL if the list exceeds the defined limit |
| Capacity Optimization - Connections hash table size |
int |
131072 |
Indicates the size in bytes of the connections hash table |
| Capacity Optimization - Maximum concurrent connections |
int |
150000 |
Indicates the overall maximum number of concurrent connections |
| Cloud Services firmware upgrade - Check for new firmware |
bool |
false |
Perform checks for new recommended firmware |
| Cloud Services firmware upgrade - Service access maximum retries |
int |
3 |
Indicates the maximum number of retries when failing to upgrade using the service |
| Cloud Services firmware upgrade - Service access timeout until retry |
int |
180 |
Indicates the time to wait when a connection failure to the service before the next retry |
| Cluster - Different number of interfaces |
bool |
false |
Indicates that the number of interfaces is not the same for cluster members |
| Cluster - Process RA on standby |
bool |
false |
Indicates if RA packets are processed on standby |
| Cluster - Restart the routed process upon failover |
bool |
false |
Indicates if the main routing process is restarted upon cluster failover. This is more stable behavior but it prevents some features like graceful-restart for BGP and OSPF. Cluster must be re-configured for this setting to take effect. After re-configuring the cluster, all local cluster settings are reset to their defaults. |
| Cluster - Synchronization |
bool |
false |
Indicates if the synchronization mechanism is enabled. Switching the flag from false to true may cause failover |
| Cluster - Use virtual MAC |
bool |
false |
Indicates if a virtual MAC address will be used by all cluster members to allow a quicker failover by the network's switch |
| DDNS - iterations |
int |
2 |
Number of DNS updates |
| DHCP bridge - MAC assignment |
options |
Use internal interfaces mac |
Indicates whether the MAC address for the DHCP bridge is taken from an internal (LAN) or external port (WAN, DMZ). |
| DHCP relay - Use internal IP addresses as source |
bool |
false |
Indicates if DHCP relay packets from the appliance will originate from internal IP addresses |
| Dr. Spark job - Run Dr. Spark night job |
bool |
false |
Indicates if the Dr. Spark night job runs every night at 2 AM. |
| Firewall Policy - Connection Persistence |
bool |
false |
Handling established connections when installing a new policy |
| Firewall Policy - Log implied rules |
bool |
false |
Produce log records for connections that match implied rules |
| Hardware options - Reset to factory defaults timeout |
int |
12 |
Indicates the amount of time (in seconds) that you need to press and hold the factory defaults button on the back panel to restore to the factory defaults image |
| Hotspot - Enable portal |
options |
Enabled |
Select 'Disabled' to disable the hotspot feature entirely |
| Hotspot - Prevent simultaneous log-in |
bool |
false |
The same user will not be allowed to login via hotspot portal from more than one machine in parallel |
| IP Resolving - IP Resolving Activation |
options |
Enabled |
Enable / Disable IP Resolving logs enrichment |
| IP Resolving - IP Resolving TTL |
int |
1800 |
The time (in seconds) for which the hostname resolution will be used |
| IP fragments parameters - Action |
options |
Allow |
Indicates if IP fragments will be allowed or dropped by default |
| IP fragments parameters - Maximum fragments |
int |
200 |
Indicates how many IP fragments can arrive before discarding incomplete packets |
| IP fragments parameters - Minimum fragments size |
int |
0 |
IP Fragments minimum fragment size |
| IP fragments parameters - Packet Capture |
bool |
false |
IP Fragments packet capture settings |
| IP fragments parameters - Timeout |
int |
1 |
Indicates the timeout (in seconds) before discarding incomplete packets |
| IP fragments parameters - Track options |
options |
Log |
Indicates if and how to log IP fragments |
| IPS additional parameters - Max Ping Limit |
int |
1400 |
Indicates the maximal ping packet size that will be allowed when the 'Max Ping Size' protection is active |
| IPS additional parameters - Non-standard HTTP ports |
bool |
true |
Enable HTTP inspection on non-standard ports for the IPS blade |
| IPS engine settings - Allow protocol unknown commands |
bool |
false |
Indicates whether protocol commands, that are not completely supported by the inspection module, will be blocked or not |
| IPS engine settings - Apply filter |
bool |
true |
Filter IPS protections to improve performance |
| IPS engine settings - Bypass under load legacy |
bool |
true |
Indicates if only the IPS engine moves to bypass mode when the appliance is under heavy load |
| IPS engine settings - Description |
comments |
Access denied due to IPS policy violation |
A configured string to show in the error page if configured |
| IPS engine settings - Error page for supported web protections |
options |
Show predefined HTML error page |
Indicates if IPS protections supporting an error page will show it upon attack prevention |
| IPS engine settings - HTML error page configuration |
bool |
false |
Indicates if the error page will contain an error code |
| IPS engine settings - Logo URL |
bool |
false |
Optionally enter a URL that leads to your company logo. |
| IPS engine settings - Logo URL address |
urlv6 |
|
An accessible URL that leads to a logo file to show in the error page |
| IPS engine settings - Send detailed error code |
bool |
true |
indicates if the error page will contain a configured string |
| IPS engine settings - Send error code |
bool |
false |
Indicates if an error code will be sent to the other URL as a parameter |
| IPS engine settings - URL for redirection |
urlv6 |
|
Users will be redirected to this URL upon detection of an attack |
|
Internal Certificates configure - Internal CA certificate expiration
|
int |
20 |
The number of years the internal CA certificate is valid |
| Internet - Path MTU Discovery Mode |
options |
Path MTU Discovery Mode - Disabled |
Set Path MTU Discovery Mode (disabled, oneshot or daemon) for the active Internet connections |
| Internet - Reset Sierra USB on LSI error |
bool |
true |
Indicates whether Sierra type USB modems will be reset when they send an Invalid LSI signal |
| IoT Stats - IoT Stats Activation |
options |
Disabled |
Enable / Disable IoT collecting statistics |
| IoT Stats - IoT device monitoring time (seconds) |
int |
120 |
IoT device monitoring timeout (in seconds). If no pings are answered within this timeframe, the device is marked as disconnected. |
| IoT Stats - IoT monitoring cycle (seconds) |
int |
30 |
IoT monitoring check cycle in seconds (you must restart your appliance for the changes to take effect). |
| MAC Filtering settings - Log blocked MAC addresses |
options |
Enabled |
Indicates if blocked MAC addresses should be logged or not |
| MAC Filtering settings - Log suspension |
int |
1 |
Indicates the suspension time (in seconds) between logs for blocked MAC addresses |
| Managed services - Allow seamless administrator access from remote Management Server |
bool |
true |
Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator username and password |
| Managed services - Disable logging to SD |
bool |
true |
Disable logging to SD when Spark Management is on |
| Managed services - Show device details in Login |
bool |
true |
Indicates if appliance details are shown when an administrator accesses the appliance |
| Mobile settings - Connect to the gateway from the following mobile app |
options |
Watch Tower |
Which mobile app is used for this Security Gateway |
| Mobile settings - Enable seamless login |
bool |
true |
Allow users to do seamless login through the mobile app |
| Mobile settings - Mobile notification cloud server URL |
urlv6 |
https://smbcloud-api-gateway.iaas.checkpoint.com/notifications/mobile/send |
Cloud server URL used for sending mobile notifications |
| Mobile settings - Pairing code expiration |
int |
1 |
Time left before pairing code expires (in hours) |
| Mobile settings - Verify SSL certificate |
bool |
true |
Verify SSL certificate when sending mobile notifications to cloud server |
| Multiple ISP Route Refresh - Multiple ISP Route Refresh mode |
bool |
false |
Indicates whether acceleration will refresh route in multiple ISPs configuration |
| NAT - ARP manual file merge |
bool |
false |
Indicates, when automatic ARP detection is enabled, if ARP definitions are used in a local file with higher priority |
| NAT - Address allocation and release tracking |
options |
None |
Specifies whether to log each allocation and release of an IP address from the IP Pool |
| NAT - Address exhaustion tracking |
options |
Log |
Indicates whether or not to log and/or alert on exhaustion of IP pool |
| NAT - Automatic ARP detection |
bool |
true |
Automatically detect ARP requests for external IP addresses of internal devices to be answered by the device |
| NAT - IP Pool NAT |
options |
Do not use IP pool NAT |
IP pool NAT mode |
| NAT - IP pool per interface |
bool |
false |
Uses an IP address pool for NAT per interface |
| NAT - Increase hide capacity |
bool |
true |
Indicates if hide-NAT capacity is given additional space |
| NAT - NAT cache expiration |
int |
30 |
Indicates the expiration time in minutes for NAT cache entries |
| NAT - NAT cache number of entries |
int |
10000 |
Indicates the maximum number of NAT cache entries |
| NAT - NAT enable |
bool |
true |
Indicates if the device's NAT capabilities are enabled |
| NAT - NAT hash size |
int |
0 |
Indicates the hash bucket size of NAT tables |
| NAT - NAT limit |
int |
0 |
Indicates the maximum number of connections with NAT |
| NAT - Prefer IP Pool NAT over hide NAT |
bool |
true |
Overrides hide NAT with IP pool NAT |
| NAT - Return unused addresses to IP Pool NAT after |
int |
60 |
Return unused addresses to IP pool NAT |
| NAT - Reuse IP addresses from the Pool for different destinations |
bool |
false |
Allows NAT to re-use IP addresses for different destinations |
| NAT - Translate destination on client side |
bool |
true |
Translates destination IP addresses on client side (for automatically generated NAT rules) |
| NAT - Translate destination on client side (manual rules) |
bool |
true |
Translates destination IP addresses on client side (for manually configured NAT rules) |
| NAT - Use IP Pool NAT for VPN clients connections |
bool |
false |
Uses IP Pool NAT for VPN clients connections |
| NAT - Use IP Pool NAT for gateway to gateway connections |
bool |
false |
Uses IP pool NAT for gateway to gateway connections |
| NAT - Use cluster hide fold |
bool |
true |
Indicates if local IP addresses are hidden behind the cluster IP address when applicable |
| Notifications policy - |
bool |
true |
|
| Notifications policy - Include the administrator's contact information in login notifications |
bool |
true |
Determines if the administrator's phone and email are added to login alert notifications |
| Notifications policy - License expiration threshold |
int |
30 |
Defines the minimum number of days below which the license notification is sent |
| Notifications policy - Notification cloud server URL |
urlv6 |
https://smbcloud-api-gateway.iaas.checkpoint.com/notifications-service/send |
Cloud server URL used to send notifications |
| Notifications policy - Partition capacity threshold |
int |
95 |
Define the percentage for the partition capacity threshold (notifies when the partition is full) |
| Notifications policy - Send push notifications for WatchTower |
bool |
true |
Indicates whether notifications are sent to mobile application |
| Notifications policy - The maximum number of notifications sent per hour |
int |
60 |
The maximum number of notifications sent to mobile devices per hour |
| OS advanced settings - Cellular Backoff Algorithm Mode |
options |
Auto |
Set cellular backoff algorithm mode (auto, force-disable or force-enable). When in auto mode, backoff algorithm will only work for Rogers cellular carrier. |
| OS advanced settings - Cellular Network |
options |
Auto |
Select the preferred cellular network mode - Auto, 4G only or 3G only |
| OS advanced settings - Cellular connection establish timeout |
int |
60 |
Indicates the timeout in seconds to wait for cellular connection to succeed |
| OS advanced settings - Cellular modem detection timeout |
int |
120 |
Indicates the timeout in seconds to wait for the cellular modem to be detected |
| OS advanced settings - Default route rank |
int |
60 |
The rank of the default route gives it preference against other default routes from different protocols. |
| OS advanced settings - Disable transfer of DHCP options from WAN to LAN |
bool |
false |
Specifies whether transfer of DHCP options from WAN to LAN is disabled |
| OS advanced settings - Drop cellular outbound packets if the source IP is mismatched |
bool |
false |
Drop cellular outbound packets if their source IP is not the interface IP |
| OS advanced settings - Duplicate MAC detection switch ports |
lanPortsList |
none |
Activate duplicate MAC detection on these switch ports. |
| OS advanced settings - Enable GPS |
bool |
false |
Enable GPS receiver |
| OS advanced settings - Enable Jumbo frames |
bool |
false |
Enable Jumbo frames to configure an MTU higher than 1500. |
| OS advanced settings - Enable LAN on WAN |
bool |
false |
Specifies whether LAN-on-WAN feature is on |
| OS advanced settings - Enable WiFi Monitors |
bool |
false |
Specifies whether WiFi monitors are on |
| OS advanced settings - Enable automatic WiFi channel change |
bool |
false |
Specifies whether WiFi switches channels automatically during operation |
| OS advanced settings - Enable destination check on PPPoE |
bool |
false |
Specifies whether PPPoE destination check is enabled |
| OS advanced settings - Enable flow-control for network switch |
bool |
false |
Indicates if flow-control is enabled for network switch |
| OS advanced settings - IPv6 prefix selection mode |
options |
Router preference - oldest |
Set the IPv6 prefix selection mode - in dynamic IPv6 Internet connections. |
| OS advanced settings - Reset cellular modem if not detected |
bool |
true |
Indicates whether to reset the cellular modem if it fails to be detected |
| OS advanced settings - Use secondary MCCMNC file |
bool |
false |
Set the use of the secondary MCCMNC file to automatically configure the APN from the extended secondary list. |
| OS advanced settings - Use unique ICMP ID |
bool |
false |
Use unique ICMP ID per destination in connection monitoring |
| Operating system - General temporary directory size |
int |
20 |
Controls the size (in MB) of the temporary directory that is used by the system |
| Operating system - System temporary directory size |
int |
40 |
Controls the size (in MB) of the temporary directory that is used by the system |
| Privacy settings - Analytics batch size |
int |
10 |
|
| Privacy settings - Help us improve product experience by sending data to Check Point |
bool |
true |
Privacy statement: Check Point does not upload data that contains private or sensitive information. For more information, refer to sk120332. |
| Privacy settings - Help us improve product experience by sending events data to Check Point for analytics |
bool |
false |
Privacy statement: Check Point does not upload data that contains private or sensitive information. For more information, refer to sk120332. |
| Privacy settings - Help us improve product stability by getting critical updates from Check Point |
bool |
true |
Privacy statement: Using the SOS service requires access to the Check Point cloud. |
| Privacy settings - Location service requires sending your IP address to 3rd party |
bool |
false |
Using automatic timezone feature requires sending your IP address to 3rd party. |
| Privacy settings - Proactive collection of device details |
bool |
true |
Proactively collect information on devices connected to the local network, which will be displayed in the Active Devices page |
| Privacy settings - Share device information with IoT cloud |
bool |
false |
Share device information with IoT cloud in order to enforce policy based on IoT profiles |
| QoS blade - Logging |
bool |
true |
Indicates if the appliance logs QoS events when the QoS blade is enabled |
| Reach My Device - Ignore SSL certificate |
bool |
false |
Ignore SSL certificate when running Reach My Device |
| Reach My Device - Server address |
urlv6 |
smbrelay.checkpoint.com |
Indicates the address of the remote server that allows administration access to the appliance from the Internet even when behind NAT |
| Report Settings - Max period |
options |
Monthly |
Maximum period to collect and monitor data in local management. You must reboot your appliance to apply changes. |
| Report Settings - Reports cloud server URL |
urlv6 |
https://smbcloud-api-gateway.iaas.checkpoint.com/reports/pdf |
Reports cloud server URL used to generate report PDF |
| Report Settings - Send empty report |
bool |
false |
Indicates if the report should be sent even if it is empty |
| Rest API - Rest API mode |
bool |
false |
Indicates whether REST API is enabled |
| SSL Inspection policy - Additional HTTPS ports |
port-range |
8080,3128 |
Additional HTTPS ports for SSL Inspection (a comma separated list of ports/ranges) |
| SSL Inspection policy - Enable ICA Portal |
bool |
true |
Indicates if ICA Portal is enabled |
| SSL Inspection policy - Log empty SSL connections |
bool |
false |
Log connections that were terminated by the client before data was sent - might indicate the client did not install CA certificate |
| SSL Inspection policy - Retrieve intermediate CA certificates |
bool |
true |
Indicates if the SSL Inspection mechanism performs its validations on all intermediate CA certificates in the certificate chain |
| SSL Inspection policy - SSL Inspection categorization mode |
options |
Hold |
Indicates the categorization mode of SSL Inspection: Background - Requests are allowed until categorization is complete, Hold - Requests are blocked until categorization is complete |
| SSL Inspection policy - The trusted CA auto-update is enabled |
bool |
true |
Indicates if automatic updates are enabled |
| SSL Inspection policy - Track validation errors |
options |
Log |
Select if the SSL Inspection validations are tracked |
| SSL Inspection policy - Validate CRL |
bool |
true |
Indicates if the SSL Inspection mechanism will drop connections that present a revoked certificate |
| SSL Inspection policy - Validate expiration |
bool |
false |
Indicates if the SSL Inspection mechanism will drop connections that present an expired certificate |
| SSL Inspection policy - Validate unreachable CRL |
bool |
false |
Indicates if the SSL Inspection mechanism will drop connections that present a certificate with an unreachable CRL |
| SSL Inspection policy - Validate untrusted certificates |
bool |
false |
Indicates if the SSL Inspection mechanism will drop connections that present an untrusted server certificate |
| Self-serve Settings - Threat Prevention action |
options |
Inactive |
Threat Prevention action for the Self-serve Portal security policy |
| Serial port - Enable serial port |
options |
Enabled |
Indicates if the serial port is enabled |
| Serial port - Port speed |
options |
115200 |
Indicates the port speed (Baud Rate) of the serial connection |
| Smart Accel Services - Security logs enabled |
bool |
false |
Indicates whether Smart Accel security logs are enabled |
| Smart Accel Settings - Accel Trusted HTTPS Domains Only |
bool |
true |
Indicates whether to accel only trusted HTTPS domains |
| Smart Accel Settings - Ignore Errors |
bool |
false |
Ignore conflicts related to Smart Accel and firewall policy rules |
| Stateful Inspection - Accept out of state TCP packets |
int |
1 |
Indicates if TCP packets which are not consistent with the current state of the TCP connection are dropped (when set to 0) or accepted (when set to any other value) |
| Stateful Inspection - Accept stateful ICMP errors |
bool |
true |
Accept ICMP error packets which refer to another non-ICMP connection that was accepted by the Rule Base |
| Stateful Inspection - Accept stateful ICMP replies |
bool |
true |
Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base |
| Stateful Inspection - Accept stateful UDP replies for unknown services |
bool |
true |
Accept UDP reply packets for USP requests for unknown services |
| Stateful Inspection - Accept stateful other IP protocols replies for unknown services |
bool |
true |
Accept stateful non TCP/UDP protocols replies for unknown services |
| Stateful Inspection - Allow IPv6 packets |
bool |
false |
Allow IPv6 traffic to pass without inspection |
| Stateful Inspection - Drop out of state ICMP packets |
bool |
true |
Drop ICMP packets which are not in the context of a virtual session |
| Stateful Inspection - ICMP virtual session timeout |
int |
30 |
Indicates the timeout (in seconds) for ICMP virtual sessions |
| Stateful Inspection - Log dropped out of state ICMP packets |
int |
1 |
|
| Stateful Inspection - Log dropped out of state TCP packets |
int |
1 |
|
| Stateful Inspection - Other IP protocols virtual session timeout |
int |
60 |
Indicates the timeout (in seconds) for other IP protocols virtual sessions (non TCP/UDP/ICMP) |
| Stateful Inspection - Perform deep packet inspection on LAN to LAN traffic |
bool |
false |
|
| Stateful Inspection - Perform deep packet inspection on traffic between LAN and DMZ networks |
bool |
false |
|
| Stateful Inspection - TCP end timeout |
int |
20 |
Indicates the timeout (in seconds) for TCP session end |
| Stateful Inspection - TCP session timeout |
int |
3600 |
Indicates the timeout (in seconds) for TCP sessions |
| Stateful Inspection - TCP start timeout |
int |
25 |
Indicates the timeout (in seconds) for TCP session start |
| Stateful Inspection - UDP virtual session timeout |
int |
40 |
Indicates the timeout (in seconds) for UDP virtual sessions |
| Stateful Inspection - traceroute maximal TTL |
int |
29 |
Maximal value for TTL field for a packet to be considered as a traceroute |
| Streaming engine settings - Stream inspection timeout action |
options |
Prevent |
Stream inspection timeout activation mode |
| Streaming engine settings - Stream inspection timeout tracking |
options |
Log |
|
| Streaming engine settings - TCP SYN modified retransmission action |
options |
Prevent |
TCP SYN modified retransmission activation mode |
| Streaming engine settings - TCP SYN modified retransmission tracking |
options |
Log |
|
| Streaming engine settings - TCP invalid checksum action |
options |
Prevent |
TCP invalid checksum activation mode |
| Streaming engine settings - TCP invalid checksum tracking |
options |
None |
|
| Streaming engine settings - TCP invalid retransmission action |
options |
Prevent |
TCP invalid retransmission activation mode |
| Streaming engine settings - TCP invalid retransmission tracking |
options |
Log |
|
| Streaming engine settings - TCP out of sequence action |
options |
Prevent |
TCP out of sequence activation mode |
| Streaming engine settings - TCP out of sequence tracking |
options |
None |
|
| Streaming engine settings - TCP segment limit enforcement action |
options |
Prevent |
TCP segment limit enforcement activation mode |
| Streaming engine settings - TCP segment limit enforcement tracking |
options |
Log |
|
| Streaming engine settings - TCP urgent data enforcement action |
options |
Prevent |
TCP urgent data enforcement activation mode |
| Streaming engine settings - TCP urgent data enforcement tracking |
options |
Log |
|
| System settings - Check Point Web Services Geo restriction |
options |
No restrictions |
Restrict Check Point Web Services URL and file reputation checks to a specific country |
| Threat Prevention Anti-Bot policy - Resource classification mode |
options |
Hold |
Indicates the classification mode for the Anti-Bot engine: Background - connections are allowed until classification is complete, Hold - connections are blocked until classification is complete |
| Threat Prevention Anti-Virus policy - File scan size limit |
int |
0 |
Indicates the size limit (in KB) of a file scanned by the Anti-Virus engine. To specify no limit, set to 0. |
| Threat Prevention Anti-Virus policy - MIME maximum nesting level |
int |
7 |
Indicates the maximum number of levels in nested MIME content that the ThreatSpect engine scans in mail traffic |
| Threat Prevention Anti-Virus policy - MIME nesting level exceeded action |
options |
Block |
Indicates if an email should be blocked or accepted if there are more nested levels of MIME content than the configured amount |
| Threat Prevention Anti-Virus policy - Priority scanning |
bool |
true |
Scan according to security and performance priorities for maximum optimization |
| Threat Prevention Anti-Virus policy - Resource classification mode |
options |
Hold |
Indicates the classification mode for the Anti-Virus engine: Background - connections are allowed until classification is complete, Hold - connections are blocked until classification is complete |
| Threat Prevention Threat Emulation policy - Emulation connection handling mode - IMAP |
options |
Background - connections are allowed until emulation handling is complete |
Indicates the strictness mode of the Threat Emulation engine over IMAP: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed |
| Threat Prevention Threat Emulation policy - Emulation connection handling mode - POP3 |
options |
Background - connections are allowed until emulation handling is complete |
Indicates the strictness mode of the Threat Emulation engine over POP3: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed |
| Threat Prevention Threat Emulation policy - Emulation connection handling mode - SMTP |
options |
Background - connections are allowed until emulation handling is complete |
Indicates the strictness mode of the Threat Emulation engine over SMTP: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed |
| Threat Prevention Threat Emulation policy - Emulation location |
options |
Emulation is done on Public Threat Cloud |
Indicates if emulation is done on Public Threat Cloud or on remote (private) SandBlast |
| Threat Prevention Threat Emulation policy - Primary Emulation gateway |
ipv4addr |
|
The IP address of the primary remote emulation gateway |
| Threat Prevention policy - Allow IP address information in attack statistics |
bool |
false |
Allow IP address information in attack statistics sent to my User Center account |
| Threat Prevention policy - Allow me to view attack statistics in my User Center account |
bool |
false |
Allow me to view attack statistics in my User Center account. Note that privacy settings should be set to allow sending data to Check Point |
| Threat Prevention policy - Block when service is unavailable |
bool |
false |
Block web requests traffic when the Check Point ThreatCloud online web service is unavailable |
| Threat Prevention policy - Fail mode |
options |
Allow all requests |
Indicates the action to take on traffic in case of an internal system error or overload |
| Threat Prevention policy - File inspection size limit |
int |
0 |
Indicates the size limit (in KB) of a file inspected by Threat Prevention engines. Note: A limit too low may have an impact on the functionality of the Application Control blade. To specify no limit, set to 0. |
| Threat Prevention policy - Method for skipping HTTP inspection |
options |
Default |
When changed from the default value, and file size inspection limit is used, HTTP inspection will be fully skipped instead of skipping only a single session. This is not recommended due to a high security impact as the following sessions will not be inspected at all following a large file sent via HTTP on a single connection. |
| Threat Prevention policy - Update Threat Prevention With Full Packages |
bool |
false |
Update Threat Prevention with the most up to date Packages |
| USB modem watchdog - Interval |
int |
5 |
Indicates how often the USB modem watchdog probes the Internet |
| USB modem watchdog - Mode |
options |
Disabled |
Indicates if the USB modem watchdog is enabled when Internet probing is enabled, and the reset type (either hard-reset to shut down the power for the USB modem or gateway-reset to reboot the gateway). |
| USB modem watchdog - USB only |
bool |
false |
Monitor only USB modem connection |
| Update Services Schedule - Maximum number of retries |
int |
3 |
Indicates the maximum number of retries for a single update when the cloud is unavailable until the next scheduled update |
| Update Services Schedule - Timeout until retry |
int |
180 |
Indicates the timeout (in seconds) until update retry |
| User Awareness - Active Directory association timeout |
int |
720 |
Indicates the timeout (in minutes) for caching an association between a user and an IP address |
| User Awareness - Allow DNS for unknown users |
bool |
true |
The default is to allow DNS for unknown users even when configured to be blocked in Browser Based Portal settings |
| User Awareness - Assume single user per IP address |
bool |
true |
Indicates a mode where per IP address, only the last user who logged is identified |
| User Awareness - Log blocked unknown users |
bool |
true |
Indicates if a log should be issued when unknown users are blocked (see Browser Based Portal settings) |
| User Awareness - Use NTLMv2 protocol for Active Directory Queries |
bool |
false |
NTLMv2 mode - true for using NTLMv2, false for using NTLMv1 |
| User Management - Automatically delete expired local users |
bool |
false |
Automatically delete all expired local users every 24 hours (after midnight) |
| VPN Remote Access - Allow clear traffic while disconnected |
bool |
true |
Indicates how traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site; sent in clear or dropped |
| VPN Remote Access - Allow simultaneous login |
bool |
true |
If disabled, and the same user logs in for a second time, it will disconnect his existing session |
| VPN Remote Access - Authentication timeout |
int |
120 |
Indicates for how much time (in minutes) the remote client's password remains valid if timeout is enabled |
| VPN Remote Access - Auto-disconnect in VPN domain |
bool |
true |
Indicates if the client disconnects automatically to save resources when it connects from inside the secured internal network (local encryption domain) |
| VPN Remote Access - Back connections enable |
bool |
false |
Enable back connections from the encryption domain behind the gateway to the client |
| VPN Remote Access - Back connections keep-alive interval |
int |
20 |
Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections |
| VPN Remote Access - Enable Office Mode with multiple interfaces |
bool |
false |
Indicates if a mechanism (with a performance impact) to improve connectivity between Remote Access client and an appliance with multiple external interfaces is enabled |
|
VPN Remote Access - Enable Visitor Mode on All Interfaces
|
options |
All |
Enable visitor mode on all interfaces |
| VPN Remote Access - Enable Visitor Mode on This Interface |
ipv4addr |
0.0.0.0 |
Support visitor mode on this interface |
| VPN Remote Access - Encrypt DNS traffic |
bool |
true |
Indicates if DNS queries sent by the remote client to a DNS server located in the encryption domain are passed through the VPN tunnel |
| VPN Remote Access - Encryption Method |
options |
IKEv1 |
Indicates which IKE encryption method (version) is used for IKE phase 1 and 2 |
| VPN Remote Access - Endpoint Connect re-authentication timeout |
int |
480 |
Indicates the time (in minutes) until the Endpoint Connect user's credentials are resent to the gateway to verify authorization |
| VPN Remote Access - IKE IP Compression Support |
bool |
false |
Indicates if IPSec packets from Remote Access clients will be compressed |
| VPN Remote Access - IKE Over TCP |
bool |
false |
Enables support of IKE over TCP |
| VPN Remote Access - IKE restart recovery |
bool |
true |
Indicates that the gateway will save tunnel details so it can cause the remote client to discard the old SA and re-initiate IKE upon gateway crash or restart |
| VPN Remote Access - Legacy NAT traversal |
bool |
true |
Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient |
| VPN Remote Access - Match on Internal Rule Base only |
bool |
false |
Traffic from Remote Access clients is always matched on the Incoming/Internal/VPN Rule Base, including traffic to the Internet |
| VPN Remote Access - Minimum TLS version support in the SSL VPN portal |
options |
TLS 1.2 |
Indicates the minimum TLS protocol version which the SSL VPN portal supports. For security reasons, it's recommended to support TLS 1.2 and above. |
| VPN Remote Access - Office Mode allocate from RADIUS |
bool |
false |
Indicates if the Office Mode allocated IP addresses will be taken from the RADIUS server used to authenticate the user |
| VPN Remote Access - Office Mode disable |
bool |
false |
Indicates if Office Mode (allocating IP addresses for Remote Access clients) is disabled. This is not recommended. |
| VPN Remote Access - Office Mode performs Anti-Spoofing |
bool |
false |
Office Mode - Perform Anti-Spoofing on Office Mode addresses |
| VPN Remote Access - Prevent IP NAT Pool |
bool |
false |
Prevent IP Pool NAT configuration from being applied to Office Mode users. This is needed when using SecureClient as well as other VPN clients. |
| VPN Remote Access - RADIUS retransmit timeout |
int |
5 |
Timeout interval (in seconds) for each RADIUS server connection attempt |
| VPN Remote Access - Remote Access port |
port |
443 |
Select the port used by the SSL VPN Network extender portal and to which the Remote Access clients connect |
| VPN Remote Access - Reserve port 443 for port forwarding |
bool |
false |
Reserving port 443 for port forwarding (port 443 will not be used for Remote Access and SSL VPN Network extender) |
| VPN Remote Access - SNX and mobile (Capsule) re-authentication timeout |
int |
480 |
Indicates the time (in minutes) between re-authentication of SSL Network Extender Remote Access users and Check Point Mobile VPN users |
| VPN Remote Access - SNX keep-alive interval |
int |
20 |
Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets |
| VPN Remote Access - SNX support 3DES |
bool |
true |
Indicates if the 3DES encryption algorithm will be supported in SSL clients as well as the default algorithms |
| VPN Remote Access - SNX support RC4 |
bool |
true |
Indicates if the RC4 encryption algorithm will be supported in SSL clients as well as the default algorithms |
| VPN Remote Access - SNX uninstall |
options |
Do not uninstall |
Indicates when and if the SSL Network Extender client will uninstall itself upon disconnection |
| VPN Remote Access - SNX upgrade |
options |
Ask user |
Indicates when and if the SSL Network Extender client will upgrade itself upon connection |
| VPN Remote Access - Single Office Mode per site |
bool |
false |
Use first allocated Office Mode IP Address for all connections to the Gateways of the site |
| VPN Remote Access - Topology updates manual interval |
int |
168 |
Indicates the manually configured interval (in hours) for topology updates to the clients. Will be applicable only if the override settings is set to true. |
| VPN Remote Access - Topology updates override |
bool |
false |
Indicates if the configured topology updates settings will override the default 'once a week' policy |
| VPN Remote Access - Topology updates upon startup only |
bool |
true |
Indicates if topology updates will occur only when the client starts. Will be applicable only if the override settings is set to true. |
| VPN Remote Access - Verify device certificate |
bool |
true |
Client will verify the device's certificate against revocation list |
| VPN Remote Access - block user if belongs to at least one group without permission |
bool |
false |
Indicates if strict group permissions are enabled - user will not have Remote Access permission if belongs to at least one group without Remote Access permission |
| VPN Remote Access Two-Factor Authentication - Enable selection of target where to send the passcode (SMS/email) |
bool |
false |
If set to true, the target selection (SMS/email) is displayed to the user |
| VPN Site to Site global settings - Accept NAT Traversal |
bool |
true |
Indicates if industry standard NAT traversal (UDP encapsulation) is enabled. This enables VPN tunnel establishment even when the remote site is behind a NAT device. |
| VPN Site to Site global settings - Administrative notifications |
options |
Log |
Indicates how to log an administrative event (for example, when a certificate is about to expire) |
| VPN Site to Site global settings - Bypass PSL inspection for VPN traffic |
bool |
false |
Indicates if PSL inspection (Application Control, URL Filtering, IPS, Anti-Virus, Anti-Bot, Threat Prevention, Threat Emulation) is bypassed for VPN traffic |
| VPN Site to Site global settings - Check if Harmony Connect Branch is in use by another SMB gateway |
bool |
false |
True if the branch is in use by another Quantum Spark Gateway (MAC address) |
| VPN Site to Site global settings - Check if Harmony Connect subnet is synchronized |
bool |
false |
True if subnet is synchronized with branch. Return error if false. |
| VPN Site to Site global settings - Check validity of IPSec reply packets |
bool |
false |
|
| VPN Site to Site global settings - Cluster SA sync packets threshold |
long |
200000 |
Sync SA with other cluster members when packets number reaches this threshold |
| VPN Site to Site global settings - Collect VPN monitoring data for Spark Management |
bool |
true |
Applies only to a Cloud Services managed appliance. Collecting VPN monitoring data to a dedicated file for Spark Management heartbeat |
| VPN Site to Site global settings - Copy DiffServ mark from encrypted/decrypted IPSec packet |
bool |
false |
|
| VPN Site to Site global settings - Copy DiffServ mark to encrypted/decrypted IPSec packet |
bool |
true |
|
| VPN Site to Site global settings - DPD triggers new IKE negotiation |
bool |
true |
|
| VPN Site to Site global settings - Delete IKE SAs from a dead peer |
bool |
true |
|
| VPN Site to Site global settings - Delete IPsec SAs on IKE SA delete |
bool |
false |
|
| VPN Site to Site global settings - Delete tunnel SAs when Tunnel Test fails |
bool |
true |
When permanent VPN tunnels are enabled and a Tunnel Test fails, delete the relevant peer's tunnel SAs. Not supported in High Availability Cluster mode |
| VPN Site to Site global settings - Do not encrypt connections originating from the local gateway |
bool |
false |
Exclude the Internet connection's IP address from the local encryption domain. Packets whose original source or destination IP address is the local gateway's Internet connection IP address will not go through a VPN tunnel. This parameter may be useful when the gateway is behind hide NAT. |
| VPN Site to Site global settings - Do not encrypt local DNS requests |
bool |
false |
When enabled, DNS requests originating from the appliance will not be encrypted. Relevant when a configured DNS server is in a VPN peer's encryption domain. |
| VPN Site to Site global settings - Enable encrypted packets rerouting |
bool |
true |
Indicates if encrypted packets will be rerouted through the best interface according to the peer's IP address or probing. It is not recommended to change this value to false. |
| VPN Site to Site global settings - Grace period after CRL is no longer valid |
int |
1800 |
Indicates the time (in seconds) after which a revoked certificate of a remote site remains valid, to allow wider window for CRL validity in case of clock mismatch |
| VPN Site to Site global settings - Grace period before CRL is valid |
int |
7200 |
Indicates the time window (in seconds) where a certificate is considered valid prior to the time set by the CA, to allow wider window for CRL validity in case of clock mismatch |
| VPN Site to Site global settings - Harmony Connect Residency |
options |
HARMONY_CONNECT_RESIDENCY.US |
Harmony Connect Data Residency. You can see the value on the Harmony Connect portal: Global Settings > Account Settings > Account Details (Data Residency). |
| VPN Site to Site global settings - Harmony Connect VPN High Availability timeout (sec) |
int |
30 |
Timeout - The amount of idle time (sec) before switching to another Harmony Connect VPN (0 to disable High Availability) |
| VPN Site to Site global settings - IKE DoS from known sites protection |
options |
None |
Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers |
| VPN Site to Site global settings - IKE DoS from unknown sites protection |
options |
None |
Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers |
| VPN Site to Site global settings - IKE reply from Same IP |
bool |
true |
Indicates if the source IP address used in IKE session will be according to destination when replying to incoming connections, or according to the general source IP address link selection configuration |
| VPN Site to Site global settings - IKEv2 Key Type |
options |
Key ID |
Key type used for IKEv2 communication |
| VPN Site to Site global settings - Indicates the interval in which a VPN tunnel down summary notification is sent |
options |
1 Hour |
Applies only when collecting VPN monitoring data for Spark Management heartbeat is enabled |
| VPN Site to Site global settings - Join adjacent subnets in IKE Quick Mode |
bool |
true |
|
| VPN Site to Site global settings - Keep DF flag on packet |
bool |
false |
Indicates if the 'Don't Fragment' flag is kept on the packet during encryption/decryption |
| VPN Site to Site global settings - Keep IKE SA Keys |
options |
Automatic |
|
| VPN Site to Site global settings - Key exchange error tracking |
options |
Log |
Indicates how to log VPN configuration errors or key exchange errors |
| VPN Site to Site global settings - Match Internet traffic on the Outgoing Rule Base |
bool |
false |
Traffic to the Internet from VPN peers that route all their traffic through this gateway. This traffic will be matched on the Outgoing Rule Base. |
| VPN Site to Site global settings - Maximum concurrent IKE negotiations |
int |
200 |
Indicates the maximum number of concurrent VPN IKE negotiations |
| VPN Site to Site global settings - Maximum concurrent tunnels |
int |
10000 |
Indicates the maximum number of concurrent VPN tunnels |
| VPN Site to Site global settings - Maximum number of VPN tunnel down notifications per hour |
int |
5 |
Applies only when collecting VPN monitoring data for Spark Management heartbeat is enabled |
| VPN Site to Site global settings - Open SAs limit |
int |
20 |
Indicates the maximum number of open SAs per VPN peer |
| VPN Site to Site global settings - Outgoing link tracking |
options |
None |
Logging of the outgoing VPN link: Log, don't log or alert |
| VPN Site to Site global settings - Override 'Route all traffic to remote VPN site' configuration for admin access to the device |
bool |
true |
Exclude admin access traffic to the gateway from being routed to remote VPN site even if all traffic should be routed to it |
| VPN Site to Site global settings - Packet handling errors tracking |
options |
Log |
Logging for VPN packet handling errors: Log, don't log or alert |
| VPN Site to Site global settings - Perform Tunnel Tests using an internal IP address |
bool |
false |
Perform Tunnel Tests using an internal IP address which is part of the local encryption domain. |
| VPN Site to Site global settings - Permanent tunnel down tracking |
options |
Log |
Logging for when the tunnel goes down: Log, don't log or alert |
| VPN Site to Site global settings - Permanent tunnel up tracking |
options |
Log |
Logging for when the tunnel goes up: Log, don't log or alert |
| VPN Site to Site global settings - RDP packet reply timeout |
int |
10 |
Timeout (in seconds) for an RDP packet reply |
| VPN Site to Site global settings - Reply from incoming interface |
bool |
false |
When tunnel is initiated from remote site, reply from the same incoming interface when applicable (IKE and RDP sessions) |
| VPN Site to Site global settings - Set gateway as static multi ISP |
bool |
false |
Indicates that ISAKMP and IPSEC SAs are protected against deletion in the event of a failover or failback. |
| VPN Site to Site global settings - Set life sign timeout |
int |
120 |
Maximum time (in seconds) before the tunnel switches to 'down' |
| VPN Site to Site global settings - Set life sign transmitter interval |
int |
10 |
Interval (in seconds) between the tunnel test and when the DPD life sign requests packets |
| VPN Site to Site global settings - Set resolver session interval |
int |
25 |
Interval (in seconds) between RDP life sign packets. This increases/decreases the resolver session timeout (timeout default is 45 seconds). |
| VPN Site to Site global settings - Successful key exchange tracking |
options |
Log |
Logging for VPN successful key exchange: Log, don't log or alert |
| VPN Site to Site global settings - The interval to resolve the VPN peers |
int |
30 |
The interval to resolve the VPN peers. The default is 30 seconds. |
| VPN Site to Site global settings - Use cluster IP address for IKE |
bool |
true |
Indicates if IKE is performed using cluster IP address (when applicable) |
| VPN Site to Site global settings - Use internal IP address for encrypted connections from local gateway |
bool |
false |
Encrypted connections originating from the local gateway will use an internal interface's IP address as the connection source |
| VPN Site to Site global settings - VPN Tunnel Sharing |
options |
subnets |
Indicates under what conditions new tunnels are created, controlling the number of tunnels: per host pair, per subnet (Industry Standard) or a single tunnel per remote site/gateway |
| VPN Site to Site global settings - VPN passthrough status |
bool |
false |
Indicates whether or not VPN passthrough is active. Both IPSec VPN and Remote Access VPN Blades must be disabled. |
| VoIP - Accept MGCP connections to registered ports |
bool |
false |
Indicates if deep inspection over MGCP traffic will automatically accept MGCP connections to registered ports |
| VoIP - Accept SIP connections to registered ports |
bool |
false |
Indicates if deep inspection over SIP traffic will automatically accept SIP connections to registered ports |
| VoIP - Extend SIP service timeout |
bool |
true |
Indicates whether SIP service timeout is extended when disabling service inspection |
| Web Interface Settings and Customizations - Company URL |
urlv6WithHttp |
|
Clicking the company logo in the web interface opens this URL |
| Web Interface Settings and Customizations - Use a company logo in the appliance's web interface |
bool |
false |
The company logo is displayed on the appliance's web interface and on its log-in page. The customized logo should follow th |
