R81.10.17 Advanced Settings

G_W_Albrecht

35 new parameters have been added - marked red - in R81.10.17 compared to R81.10.10. VPN Remote Access group has been renamed to Remote Access VPN group 😉

Attribute Name	Type	Value	Description
APPI policy - Bypass Check Point products	bool	TRUE	Bypass Check Point products for Application Control default rules
Acceleration Settings - Acceleration state enabled	bool	true	Indicates whether acceleration is enabled
Admin Lockout - Mobile application session timeout	int	30	Allowed mobile application session before automatic logout is executed (in days)
Admin Lockout - Mobile seamless login session timeout	int	1	Allowed mobile application seamless login session before automatic logout is executed (in days)
Administrators RADIUS authentication - Default Shell	options	Clish	Default shell for super administrators. To enable this feature, contact Check Point support.
Administrators RADIUS authentication - Local authentication (RADIUS inaccessible)	bool	false	Perform local administrator authentication only if RADIUS server is not configured or is inaccessible.
Aggressive aging - Aggressive aging enforcement method	options	Both	Choose when aggressive aging timeouts are enforced
Aggressive aging - Connection table percentage limit	int	80
Aggressive aging - Enable aggressive aging of connections	bool	true
Aggressive aging - Enable reduced timeout for ICMP connections	bool	true
Aggressive aging - Enable reduced timeout for TCP handshake	bool	true
Aggressive aging - Enable reduced timeout for TCP session	bool	true
Aggressive aging - Enable reduced timeout for TCP termination	bool	true
Aggressive aging - Enable reduced timeout for UDP connections	bool	true
Aggressive aging - Enable reduced timeout for non TCP/UDP/ICMP connections	bool	false
Aggressive aging - Enable reduced timeout for non TCP/UDP/ICMP connections	bool	false
Aggressive aging - ICMP connections reduced timeout	int	3
Aggressive aging - Memory consumption percentage limit	int	80
Aggressive aging - Other IP protocols reduced timeout	int	15
Aggressive aging - Pending Data connections reduced timeout	int	15
Aggressive aging - TCP handshake reduced timeout	int	5
Aggressive aging - TCP session reduced timeout	int	600
Aggressive aging - TCP termination reduced timeout	int	3
Aggressive aging - Tracking options for aggressive aging	options	Log
Aggressive aging - UDP connections reduced timeout	int	15
Anti-Spam policy - All mail track	options	None	Indicates the tracking options for non-spam emails
Anti-Spam policy - Allowed mail track	options	None	Indicates the tracking options for emails that were explicitly allowed in the Exceptions page
Anti-Spam policy - Bypass timeout	int	0	Indicates the timeout (in seconds) of a POP3 inspection bypass mechanism. Bypass will be activated in case the inspection daemon is unavailable for the indicated time period. Relevant for POP3 and for Anti-Virus, Anti-Spam and Threat Emulation inspection. A value of zero means bypass is disabled.
Anti-Spam policy - Content based Anti-Spam timeout	int	10	Indicates the timeout (in seconds) to wait for an answer from the cloud during content-based Anti-Spam inspection
Anti-Spam policy - Email size scan	int	8	Indicates the maximal size of an email's content to scan (in KB)
Anti-Spam policy - IP reputation fail open	bool	true	Use Anti-Spam IP reputation fail-open mode upon internal error
Anti-Spam policy - IP reputation timeout	int	10	Indicates the timeout (in seconds) to wait for an IP reputation test result
Anti-Spam policy - Scan outgoing emails	bool	false	Scan the content of emails which are sent from the local network to the Internet
Anti-Spam policy - Transparent proxy	bool	true	Use a transparent proxy for inspected email connections
Anti-spoofing - Enable global anti-spoofing	bool	true	Indicates if anti-spoofing is enabled automatically on all interfaces according to their zone
Application Control and URL Filtering - Block when service is unavailable	bool	false	Block web requests traffic when the Check Point categorization and widget definitions online web service is unavailable
Application Control and URL Filtering - Categorize cached and translated pages	bool	true	Perform URL categorization of cached pages and translated pages created by search engines
Application Control and URL Filtering - Custom app over HTTPS	bool	false	Indicates whether custom URLs and applications will be matched over HTTPS traffic using SNI field. Important note: as SNI field in HTTPS traffic is browser-dependent and promiscuous, it does not guarantee 100% match.
Application Control and URL Filtering - Encrypt RAD communication	bool	false	Indicates if the communication with the RAD cloud is encrypted
Application Control and URL Filtering - Enforce safe search	bool	false	Force filtering explicit content in search engines results
Application Control and URL Filtering - Fail mode	options	Block all requests	Indicates the action to take on traffic in case of an internal system error or overload
Application Control and URL Filtering - Non-standard HTTP ports	bool	true	Enable HTTP inspection on non-standard ports for the Application Control or URLF blade
Application Control and URL Filtering - Track browse time	bool	true	Indicates if the total time that users are connected to different sites and applications in an HTTP session will be shown in relevant logs
Application Control and URL Filtering - Use HTTP referer header	bool	true	Indicates if the HTTP referer header is used by the inspection engine to improve application identification
Application Control and URL Filtering - UserCheck portal address	string		Configure this parameter only when locally managed GW is configured in bridge mode and tag based VLAN traffic is passing through it. Use local address which isn't under the bridge
Application Control and URL Filtering - Web site categorization mode	options	Background	Indicates the categorization mode: Background - requests are allowed until categorization is complete, Hold - requests are blocked until categorization is complete
Bypass CRL - CRL bypass limit	long	10000	Bypass CRL if the list exceeds the defined limit
Capacity Optimization - Connections hash table size	int	131072	Indicates the size in bytes of the connections hash table
Capacity Optimization - Maximum concurrent connections	int	150000	Indicates the overall maximum number of concurrent connections
Cloud Services firmware upgrade - Check for new firmware	bool	false	Perform checks for new recommended firmware
Cloud Services firmware upgrade - Service access maximum retries	int	3	Indicates the maximum number of retries when failing to upgrade using the service
Cloud Services firmware upgrade - Service access timeout until retry	int	180	Indicates the time to wait when a connection failure to the service before the next retry
Cluster - Different number of interfaces	bool	false	Indicates that the number of interfaces is not the same for cluster members
Cluster - Disable all non-synced interfaces	bool	TRUE	When a cluster is configured, disable all non-synced interfaces on the gateway
Cluster - Disable failover due to probing failures	bool	TRUE	Indicates whether a cluster failover will occur due to probing failures
Cluster - High Availability mode	options	Active up	Changing the High Availability method may cause a cluster failover. You must configure the same High Availability mode on each cluster member. This field configures the cluster member recovery method - which cluster member to select as active during a cluster fallback.
Cluster - Process RA (Router Advertisement) on standby	bool	false	Indicates if RA packets are processed on standby
Cluster - Restart the routed process upon failover	bool	false	Indicates if the main routing process is restarted upon cluster failover. This is more stable behavior but it prevents some features like graceful-restart for BGP and OSPF. Cluster must be re-configured for this setting to take effect. After re-configuring the cluster, all local cluster settings are reset to their defaults.
Cluster - Synchronization	bool	false	Indicates if the synchronization mechanism is enabled. Switching the flag from false to true may cause failover
Cluster - Use virtual MAC	bool	false	Indicates if a virtual MAC address will be used by all cluster members to allow a quicker failover by the network's switch
DDNS - iterations	int	2	Number of DNS updates
DHCP bridge - MAC assignment	options	Use internal interfaces mac	Indicates whether the MAC address for the DHCP bridge is taken from an internal (LAN) or external port (WAN, DMZ).
DHCP relay - Use internal IP addresses as source	bool	false	Indicates if DHCP relay packets from the appliance will originate from internal IP addresses
DNS - Enable primary DNS only	bool	TRUE	Enable forwarding DNS requests only to the primary DNS
Dr. Spark job - Run Dr. Spark night job	bool	false	Indicates if the Dr. Spark night job runs every night at 2 AM.
Firewall Policy - Connection Persistence	bool	false	Handling established connections when installing a new policy
Firewall Policy - Firewall route multicast external bridge	bool	FALSE	Allow the multicast traffic that arrives on a bridge interface to reach all subordinate interfaces
Firewall Policy - Limit the Access Policy size	bool	TRUE	Configure a maximum of 100 rules in the Access Policy. To override this setting and allow more than 100 rules, set the default to false.
Firewall Policy - Log implied rules	bool	false	Produce log records for connections that match implied rules
Hardware options - Reset to factory defaults timeout	int	12	Indicates the amount of time (in seconds) that you need to press and hold the factory defaults button on the back panel to restore to the factory defaults image
Hit Count Settings - Hit Count cache hit interval	int	1	Time (in minutes) before flushing one line from the Hit Count cache
Hotspot - Enable portal	options	Enabled	Select 'Disabled' to disable the hotspot feature entirely
Hotspot - Prevent simultaneous logins by the same user	bool	false	The same user will not be allowed to login via hotspot portal from more than one machine in parallel
IP Resolving - IP Resolving Activation	options	Enabled	Enable / Disable IP Resolving logs enrichment
IP Resolving - IP Resolving TTL	int	1800	The time (in seconds) for which the hostname resolution will be used
IP fragments parameters - Action	options	Allow	Indicates if IP fragments will be allowed or dropped by default
IP fragments parameters - Maximum fragments	int	200	Indicates how many IP fragments can arrive before discarding incomplete packets
IP fragments parameters - Minimum fragments size	int	0	IP Fragments minimum fragment size
IP fragments parameters - Packet Capture	bool	false	IP Fragments packet capture settings
IP fragments parameters - Timeout	int	1	Indicates the timeout (in seconds) before discarding incomplete packets
IP fragments parameters - Track options	options	Log	Indicates if and how to log IP fragments
IPS additional parameters - Max Ping Limit	int	1400	Indicates the maximal ping packet size that will be allowed when the 'Max Ping Size' protection is active
IPS additional parameters - Non-standard HTTP ports	bool	true	Enable HTTP inspection on non-standard ports for the IPS blade
IPS engine settings - Allow protocol unknown commands	bool	false	Indicates whether protocol commands, that are not completely supported by the inspection module, will be blocked or not
IPS engine settings - Apply filter	bool	true	Filter IPS protections to improve performance
IPS engine settings - Bypass under load legacy	bool	true	Indicates if only the IPS engine moves to bypass mode when the appliance is under heavy load
IPS engine settings - Description	comments	Access denied due to IPS policy violation	A configured string to show in the error page if configured
IPS engine settings - Error page for supported web protections	options	Show predefined HTML error page	Indicates if IPS protections supporting an error page will show it upon attack prevention
IPS engine settings - HTML error page configuration	bool	false	Indicates if the error page will contain an error code
IPS engine settings - Logo URL	bool	false	Optionally enter a URL that leads to your company logo.
IPS engine settings - Logo URL address	urlv6		An accessible URL that leads to a logo file to show in the error page
IPS engine settings - Send detailed error code	bool	true	indicates if the error page will contain a configured string
IPS engine settings - Send error code	bool	false	Indicates if an error code will be sent to the other URL as a parameter
IPS engine settings - URL for redirection	urlv6		Users will be redirected to this URL upon detection of an attack
Internal Certificates configure - Internal CA certificate expiration	int	20	The number of years the internal CA certificate is valid
Internet - Path MTU Discovery Mode	options	Path MTU Discovery Mode - Disabled	Set Path MTU Discovery Mode (disabled, oneshot or daemon) for the active Internet connections
Internet - Reset Sierra USB on LSI error	bool	true	Indicates whether Sierra type USB modems will be reset when they send an Invalid LSI signal
IoT Stats - Enable IoT monitoring	bool	FALSE	Indicates if IoT monitoring is turned on
IoT Stats - IoT Stats Activation	options	Disabled	Enable / Disable IoT collecting statistics
IoT Stats - IoT device monitoring time (seconds)	int	120	IoT device monitoring timeout (in seconds). If no pings are answered within this timeframe, the device is marked as disconnected.
IoT Stats - IoT monitoring cycle (seconds)	int	30	IoT monitoring check cycle in seconds (you must restart your appliance for the changes to take effect).
IoT protection policy - General practices for IoT printers	bool	TRUE	Enable / Disable general practices for IoT printers
Logs configuration - Write logs to RAM	bool	TRUE	Indicates if logs are written to RAM
MAC Filtering settings - Log blocked MAC addresses	options	Enabled	Indicates if blocked MAC addresses should be logged or not
MAC Filtering settings - Log suspension	int	1	Indicates the suspension time (in seconds) between logs for blocked MAC addresses
Managed services - Allow seamless administrator access from remote Management Server	bool	true	Indicates if an administrator can access the appliance from a remote Security Management Server without the need to enter an administrator username and password
Managed services - Disable logging to SD	bool	true	Disable logging to SD when Spark Management is on
Managed services - Show device details in Login	bool	true	Indicates if appliance details are shown when an administrator accesses the appliance
Mobile settings - Connect to the gateway from the following mobile app	options	Watch Tower	Which mobile app is used for this Security Gateway
Mobile settings - Enable seamless login	bool	true	Allow users to do seamless login through the mobile app
Mobile settings - Mobile notification cloud server URL	urlv6	https://smbcloud-api-gateway.iaas.checkpoint.com/notifications/mobile/send	Cloud server URL used for sending mobile notifications
Mobile settings - Pairing code expiration	int	1	Time left before pairing code expires (in hours)
Mobile settings - Verify SSL certificate	bool	true	Verify SSL certificate when sending mobile notifications to cloud server
Multiple ISP Route Refresh - Multiple ISP Route Refresh mode	bool	false	Indicates whether acceleration will refresh route in multiple ISPs configuration
NAT - ARP manual file merge	bool	false	Indicates, when automatic ARP detection is enabled, if ARP definitions are used in a local file with higher priority
NAT - Address allocation and release tracking	options	None	Specifies whether to log each allocation and release of an IP address from the IP Pool
NAT - Address exhaustion tracking	options	Log	Indicates whether or not to log and/or alert on exhaustion of IP pool
NAT - Automatic ARP detection	bool	true	Automatically detect ARP requests for external IP addresses of internal devices to be answered by the device
NAT - IP Pool NAT	options	Do not use IP pool NAT	IP pool NAT mode
NAT - IP pool per interface	bool	false	Uses an IP address pool for NAT per interface
NAT - Increase hide capacity	bool	true	Indicates if hide-NAT capacity is given additional space
NAT - NAT cache expiration	int	30	Indicates the expiration time in minutes for NAT cache entries
NAT - NAT cache number of entries	int	10000	Indicates the maximum number of NAT cache entries
NAT - NAT enable	bool	true	Indicates if the device's NAT capabilities are enabled
NAT - NAT hash size	int	0	Indicates the hash bucket size of NAT tables
NAT - NAT limit	int	0	Indicates the maximum number of connections with NAT
NAT - Prefer IP Pool NAT over hide NAT	bool	true	Overrides hide NAT with IP pool NAT
NAT - Return unused addresses to IP Pool NAT after	int	60	Return unused addresses to IP pool NAT
NAT - Reuse IP addresses from the Pool for different destinations	bool	false	Allows NAT to re-use IP addresses for different destinations
NAT - Translate destination on client side	bool	true	Translates destination IP addresses on client side (for automatically generated NAT rules)
NAT - Translate destination on client side (manual rules)	bool	true	Translates destination IP addresses on client side (for manually configured NAT rules)
NAT - Use IP Pool NAT for VPN clients connections	bool	false	Uses IP Pool NAT for VPN clients connections
NAT - Use IP Pool NAT for gateway to gateway connections	bool	false	Uses IP pool NAT for gateway to gateway connections
NAT - Use cluster hide fold	bool	true	Indicates if local IP addresses are hidden behind the cluster IP address when applicable
Notifications policy -	bool	true
Notifications policy - Include the administrator's contact information in login notifications	bool	true	Determines if the administrator's phone and email are added to login alert notifications
Notifications policy - License expiration threshold	int	30	Defines the minimum number of days below which the license notification is sent
Notifications policy - Notification cloud server URL	urlv6	https://smbcloud-api-gateway.iaas.checkpoint.com/notifications-service/send	Cloud server URL used to send notifications
Notifications policy - Partition capacity threshold	int	95	Define the percentage for the partition capacity threshold (notifies when the partition is full)
Notifications policy - Send push notifications for WatchTower	bool	true	Indicates whether notifications are sent to mobile application
Notifications policy - The maximum number of notifications sent per hour	int	60	The maximum number of notifications sent to mobile devices per hour
OS advanced settings - Cellular Backoff Algorithm Mode	options	Auto	Set cellular backoff algorithm mode (auto, force-disable or force-enable). When in auto mode, backoff algorithm will only work for Rogers cellular carrier.
OS advanced settings - Cellular Network	options	Auto	Select the preferred cellular network mode - Auto, 4G only or 3G only
OS advanced settings - Cellular connection establish timeout	int	60	Indicates the timeout in seconds to wait for cellular connection to succeed
OS advanced settings - Cellular modem detection timeout	int	120	Indicates the timeout in seconds to wait for the cellular modem to be detected
OS advanced settings - Change ARP timeout	int	60	Specifies time (seconds) to keep resolved dynamic ARP entries
OS advanced settings - Default route rank	int	60	The rank of the default route gives it preference against other default routes from different protocols.
OS advanced settings - Delay before switching SIMs after drop below threshold	int	0	Indicates the time in seconds before switching SIMs after the cellular network technology drops below threshold
OS advanced settings - Disable WiFi association logs	bool	FALSE	Disable sending logs for WiFi associations
OS advanced settings - Disable transfer of DHCP options from WAN to LAN	bool	false	Specifies whether transfer of DHCP options from WAN to LAN is disabled
OS advanced settings - Drop cellular outbound packets if the source IP is mismatched	bool	false	Drop cellular outbound packets if their source IP is not the interface IP
OS advanced settings - Duplicate MAC detection switch ports	lanPortsList	none	Activate duplicate MAC detection on these switch ports.
OS advanced settings - Enable GPS	bool	false	Enable GPS receiver
OS advanced settings - Enable GPS logs	bool	FALSE	Enable GPS logs to remote server
OS advanced settings - Enable Jumbo frames	bool	false	Enable Jumbo frames to configure an MTU higher than 1500.
OS advanced settings - Enable LAN on WAN	bool	false	Specifies whether LAN-on-WAN feature is on
OS advanced settings - Enable WiFi Monitors	bool	false	Specifies whether WiFi monitors are on
OS advanced settings - Enable automatic WiFi channel change	bool	false	Specifies whether WiFi switches channels automatically during operation
OS advanced settings - Enable destination check on PPPoE	bool	false	Specifies whether PPPoE destination check is enabled
OS advanced settings - Enable flow-control for network switch	bool	false	Indicates if flow-control is enabled for network switch
OS advanced settings - Enable probing in cluster	bool	FALSE	Enable probing of the Internet connections in the cluster
OS advanced settings - Enable probing on the standby member	bool	FALSE	Enable probing of the Internet connections on the standby member in the cluster
OS advanced settings - GPS log IP address	ipv4OrIpv6		IP address for the GPS logs remote server for UDP protocol
OS advanced settings - GPS log host name	hostName		The host name of the GPS log remote server for TCP protocol
OS advanced settings - GPS log interval	int	60	Interval in seconds between GPS logs
OS advanced settings - GPS log port	port	514	Port of the GPS log remote server
OS advanced settings - GPS log protocol	options	UDP	Protocol for the GPS log remote server
OS advanced settings - IPv6 prefix selection mode	options	Router preference - oldest	Set the IPv6 prefix selection mode - in dynamic IPv6 Internet connections.
OS advanced settings - Minimum allowed cellular network connection	options	CELLULAR_LOWEST_ALLOWED_TECH.4G	Indicates the minimum allowed cellular connection threshold. If the cellular network connection drops below this value, the cellular network switches to the second SIM.
OS advanced settings - Reset cellular modem if not detected	bool	true	Indicates whether to reset the cellular modem if it fails to be detected
OS advanced settings - Switch SIM when cellular network data usage exceeds the threshold	bool	FALSE	Switch to the second SIM when the cellular network data usage exceeds the threshold
OS advanced settings - Switch SIM when cellular network technology drops below threshold	bool	FALSE	Switch to the second SIM when the cellular network technology drops below threshold
OS advanced settings - Use secondary MCCMNC file	bool	false	Set the use of the secondary MCCMNC file to automatically configure the APN from the extended secondary list.
OS advanced settings - Use unique ICMP ID	bool	false	Use unique ICMP ID per destination in connection monitoring
Operating system - General temporary directory size	int	20	Controls the size (in MB) of the temporary directory that is used by the system
Operating system - System temporary directory size	int	40	Controls the size (in MB) of the temporary directory that is used by the system
Privacy settings - Help us improve product experience by sending data to Check Point	bool	true	Privacy statement: Check Point does not upload data that contains private or sensitive information. For more information, refer to sk120332.
Privacy settings - Help us improve product experience by sending events data to Check Point for analytics	bool	false	Privacy statement: Check Point does not upload data that contains private or sensitive information. For more information, refer to sk120332.
Privacy settings - Help us improve product stability by getting critical updates from Check Point	bool	true	Privacy statement: Using the SOS service requires access to the Check Point cloud.
Privacy settings - Location service requires sending your IP address to 3rd party	bool	false	Using automatic timezone feature requires sending your IP address to 3rd party.
Privacy settings - Proactive collection of device details	bool	true	Proactively collect information on devices connected to the local network, which will be displayed in the Active Devices page
Privacy settings - Share device information with IoT cloud	bool	false	Share device information with IoT cloud in order to enforce policy based on IoT profiles
Privacy settings - The batch size for sending event data to Check Point for analytics	int	10	Privacy statement: Check Point does not upload data that contains private or sensitive information. For more information, refer to sk120332.
QoS blade - Enable limit per host	bool	TRUE	If true, traffic can be limited per host
QoS blade - Logging	bool	true	Indicates if the appliance logs QoS events when the QoS blade is enabled
QoS blade - The maximum number of hosts enforced with a limit per host	int	255	The maximum number of hosts enforced with a limit per host action under one QoS rule
REST API - REST API mode	bool	FALSE	Indicates whether REST API is enabled
Reach My Device - Ignore SSL certificate	bool	false	Ignore SSL certificate when running Reach My Device
Reach My Device - Server address	urlv6	smbrelay.checkpoint.com	Indicates the address of the remote server that allows administration access to the appliance from the Internet even when behind NAT
Remote Access VPN - Allow clear traffic while disconnected	bool	TRUE	Indicates how traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site; sent in clear or dropped
Remote Access VPN - Allow simultaneous login	bool	TRUE	If disabled, a user who logs in again is disconnected from the existing session
Remote Access VPN - Authentication timeout	int	120	Indicates for how much time (in minutes) the remote client's password remains valid if timeout is enable
Remote Access VPN - Auto-disconnect in VPN domain	bool	TRUE	Indicates if the client disconnects automatically to save resources when it connects from inside the secured internal network (local encryption domain)
Remote Access VPN - Back connections enable	bool	FALSE	Enable back connections from the encryption domain behind the gateway to the client
Remote Access VPN - Back connections keep-alive interval	int	20	Indicates the interval (in seconds) between keep-alive packets to the gateway required for gateway to client back connections
Remote Access VPN - Enable Office Mode with multiple interfaces	bool	FALSE	Indicates if a mechanism is enabled to improve connectivity between a Remote Access client and an appliance with multiple external interfaces.
Remote Access VPN - Enable Visitor Mode on all interfaces	options	All	Indicates if Visitor Mode is enabled on all interfaces, or on a specific interface
Remote Access VPN - Enable Visitor Mode on this interface	ipv4addr	0.0.0.0	The IP address on which Visitor Mode is enabled
Remote Access VPN - Encrypt DNS traffic	bool	TRUE	Indicates if DNS queries sent by the remote client to a DNS server located in the encryption domain are passed through the VPN tunnel
Remote Access VPN - Encryption Method	options	IKEv1	Indicates which IKE encryption method (version) is used for IKE phase 1 and 2
Remote Access VPN - Endpoint Connect re-authentication timeout	int	480	Indicates the time (in minutes) until the Endpoint Connect user's credentials are resent to the gateway to verify authorization
Remote Access VPN - IKE IP Compression Support	bool	FALSE	Indicates if IPSec packets from Remote Access clients will be compressed
Remote Access VPN - IKE Over TCP	bool	FALSE	Enables support of IKE over TCP
Remote Access VPN - IKE restart recovery	bool	TRUE	Indicates that the gateway will save tunnel details so it can cause the remote client to discard the old SA and re-initiate IKE upon gateway crash or restart
Remote Access VPN - Ignore the RADIUS attribute	int	80	Ignore the specified attribute in a RADIUS message. Press 0 to disable this setting.
Remote Access VPN - Legacy NAT traversal	bool	TRUE	Indicates if the Check Point proprietary NAT traversal mechanism (UDP encapsulation) is enabled for SecureClient
Remote Access VPN - Match on Internal Rule Base only	bool	FALSE	Traffic from Remote Access clients is always matched on the Incoming/Internal/VPN Rule Base, including traffic to the Internet
Remote Access VPN - Minimum TLS version support in the SSL VPN portal	options	TLS 1.2	Indicates the minimum TLS protocol version which the SSL VPN portal supports. For security reasons, it's recommended to support TLS 1.2 and above.
Remote Access VPN - Office Mode allocate from RADIUS	bool	FALSE	Indicates if the Office Mode allocated IP addresses will be taken from the RADIUS server used to authenticate the user
Remote Access VPN - Office Mode disable	bool	FALSE	Indicates if Office Mode (allocating IP addresses for Remote Access clients) is disabled. This is not recommended.
Remote Access VPN - Office Mode performs Anti-Spoofing	bool	FALSE	Office Mode - Perform Anti-Spoofing on Office Mode addresses
Remote Access VPN - Prevent IP NAT Pool	bool	FALSE	Prevent IP Pool NAT configuration from being applied to Office Mode users. This is needed when using SecureClient as well as other VPN clients.
Remote Access VPN - RADIUS groups attribute	int	25	RADIUS groups attribute class for authentication
Remote Access VPN - RADIUS retransmit timeout	int	5	Timeout interval (in seconds) for each RADIUS server connection attempt
Remote Access VPN - Remote Access port	port	443	Select the port used by the SSL VPN Network extender portal and to which the Remote Access clients connect
Remote Access VPN - Reserve port 443 for port forwarding	bool	FALSE	Reserving port 443 for port forwarding (port 443 will not be used for Remote Access and SSL VPN Network extender)
Remote Access VPN - SNX and mobile (Capsule) re-authentication timeout	int	480	Indicates the time (in minutes) between re-authentication of SSL Network Extender Remote Access users and Check Point Mobile VPN users
Remote Access VPN - SNX keep-alive interval	int	20	Indicates the time (in seconds) between the SSL Network Extender client keep-alive packets
Remote Access VPN - SNX support 3DES	bool	TRUE	Indicates if the 3DES encryption algorithm will be supported in SSL clients as well as the default algorithms
Remote Access VPN - SNX support RC4	bool	TRUE	Indicates if the RC4 encryption algorithm will be supported in SSL clients as well as the default algorithms
Remote Access VPN - SNX uninstall	options	Do not uninstall	Indicates when and if the SSL Network Extender client will uninstall itself upon disconnection
Remote Access VPN - SNX upgrade	options	Ask user	Indicates when and if the SSL Network Extender client will upgrade itself upon connection
Remote Access VPN - Single Office Mode per site	bool	FALSE	Use first allocated Office Mode IP Address for all connections to the Gateways of the site
Remote Access VPN - Topology updates manual interval	int	168	Indicates the manually configured interval (in hours) for topology updates to the clients. Will be applicable only if the override settings is set to true.
Remote Access VPN - Topology updates override	bool	FALSE	Indicates if the configured topology updates settings will override the default 'once a week' policy
Remote Access VPN - Topology updates upon startup only	bool	TRUE	Indicates if topology updates will occur only when the client starts. Will be applicable only if the override settings is set to true.
Remote Access VPN - Verify device certificate	bool	TRUE	Client will verify the device's certificate against revocation list
Remote Access VPN - block user if belongs to at least one group without permission	bool	FALSE	Indicates if strict group permissions are enabled. Users do not have Remote Access permissions if they belong to at least one group without Remote Access permissions.
Remote Access VPN Two-Factor Authentication - Enable selection of target where to send the passcode (SMS/email)	bool	FALSE	If set to true, the target selection (SMS/email) is displayed to the user
Report Settings - Max period	options	Monthly	Maximum period to collect and monitor data in local management. You must reboot your appliance to apply changes.
Report Settings - Reports cloud server URL	urlv6	https://smbcloud-api-gateway.iaas.checkpoint.com/reports/pdf	Reports cloud server URL used to generate report PDF
Report Settings - Send empty report	bool	false	Indicates if the report should be sent even if it is empty
SSL Inspection policy - Additional HTTPS ports	port-range	8080,3128	Additional HTTPS ports for SSL Inspection (a comma separated list of ports/ranges)
SSL Inspection policy - Enable ICA Portal	bool	true	Indicates if ICA Portal is enabled
SSL Inspection policy - Log empty SSL connections	bool	false	Log connections that were terminated by the client before data was sent - might indicate the client did not install CA certificate
SSL Inspection policy - Retrieve intermediate CA certificates	bool	true	Indicates if the SSL Inspection mechanism performs its validations on all intermediate CA certificates in the certificate chain
SSL Inspection policy - SSL Inspection categorization mode	options	Hold	Indicates the categorization mode of SSL Inspection: Background - Requests are allowed until categorization is complete, Hold - Requests are blocked until categorization is complete
SSL Inspection policy - The trusted CA auto-update is enabled	bool	true	Indicates if automatic updates are enabled
SSL Inspection policy - Track validation errors	options	Log	Select if the SSL Inspection validations are tracked
SSL Inspection policy - Validate CRL	bool	true	Indicates if the SSL Inspection mechanism will drop connections that present a revoked certificate
SSL Inspection policy - Validate expiration	bool	false	Indicates if the SSL Inspection mechanism will drop connections that present an expired certificate
SSL Inspection policy - Validate unreachable CRL	bool	false	Indicates if the SSL Inspection mechanism will drop connections that present a certificate with an unreachable CRL
SSL Inspection policy - Validate untrusted certificates	bool	false	Indicates if the SSL Inspection mechanism will drop connections that present an untrusted server certificate
Self-serve Settings - Threat Prevention action	options	Inactive	Threat Prevention action for the Self-serve Portal security policy
Serial port - Enable serial port	options	Enabled	Indicates if the serial port is enabled
Serial port - Port speed	options	115200	Indicates the port speed (Baud Rate) of the serial connection
Smart Accel Services - Security logs enabled	bool	false	Indicates whether Smart Accel security logs are enabled
Smart Accel Settings - Accel Trusted HTTPS Domains Only	bool	true	Indicates whether to accel only trusted HTTPS domains
Smart Accel Settings - Ignore Errors	bool	false	Ignore conflicts related to Smart Accel and firewall policy rules
Stateful Inspection - Accept out of state TCP packets	int	1	Indicates if TCP packets which are not consistent with the current state of the TCP connection are dropped (when set to 0) or accepted (when set to any other value)
Stateful Inspection - Accept stateful ICMP errors	bool	true	Accept ICMP error packets which refer to another non-ICMP connection that was accepted by the Rule Base
Stateful Inspection - Accept stateful ICMP replies	bool	true	Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base
Stateful Inspection - Accept stateful UDP replies for unknown services	bool	true	Accept UDP reply packets for USP requests for unknown services
Stateful Inspection - Accept stateful other IP protocols replies for unknown services	bool	true	Accept stateful non TCP/UDP protocols replies for unknown services
Stateful Inspection - Allow ICMP Redirect packets	bool	FALSE	Allow ICMP Redirect packets in environments where network configuration cannot be easily fixed
Stateful Inspection - Allow IPv6 packets	bool	false	Allow IPv6 traffic to pass without inspection
Stateful Inspection - Drop out of state ICMP packets	bool	true	Drop ICMP packets which are not in the context of a virtual session
Stateful Inspection - ICMP virtual session timeout	int	30	Indicates the timeout (in seconds) for ICMP virtual sessions
Stateful Inspection - Log dropped out of state ICMP packets	int	1
Stateful Inspection - Log dropped out of state TCP packets	int	1
Stateful Inspection - Other IP protocols virtual session timeout	int	60	Indicates the timeout (in seconds) for other IP protocols virtual sessions (non TCP/UDP/ICMP)
Stateful Inspection - Perform deep packet inspection on LAN to LAN traffic	bool	false
Stateful Inspection - Perform deep packet inspection on traffic between LAN and DMZ networks	bool	false
Stateful Inspection - TCP end timeout	int	20	Indicates the timeout (in seconds) for TCP session end
Stateful Inspection - TCP session timeout	int	3600	Indicates the timeout (in seconds) for TCP sessions
Stateful Inspection - TCP start timeout	int	25	Indicates the timeout (in seconds) for TCP session start
Stateful Inspection - UDP virtual session timeout	int	40	Indicates the timeout (in seconds) for UDP virtual sessions
Stateful Inspection - traceroute maximal TTL	int	29	Maximal value for TTL field for a packet to be considered as a traceroute
Streaming engine settings - Stream inspection timeout action	options	Prevent	Stream inspection timeout activation mode
Streaming engine settings - Stream inspection timeout tracking	options	Log
Streaming engine settings - TCP SYN modified retransmission action	options	Prevent	TCP SYN modified retransmission activation mode
Streaming engine settings - TCP SYN modified retransmission tracking	options	Log
Streaming engine settings - TCP invalid checksum action	options	Prevent	TCP invalid checksum activation mode
Streaming engine settings - TCP invalid checksum tracking	options	None
Streaming engine settings - TCP invalid retransmission action	options	Prevent	TCP invalid retransmission activation mode
Streaming engine settings - TCP invalid retransmission tracking	options	Log
Streaming engine settings - TCP out of sequence action	options	Prevent	TCP out of sequence activation mode
Streaming engine settings - TCP out of sequence tracking	options	None
Streaming engine settings - TCP segment limit enforcement action	options	Prevent	TCP segment limit enforcement activation mode
Streaming engine settings - TCP segment limit enforcement tracking	options	Log
Streaming engine settings - TCP urgent data enforcement action	options	Prevent	TCP urgent data enforcement activation mode
Streaming engine settings - TCP urgent data enforcement tracking	options	Log
System settings - Allow access from any IP address	bool	TRUE	Allow/block administrator access to the gateway from any (non-specified) IP address
System settings - Check Point Web Services Geo restriction	options	No restrictions	Restrict Check Point Web Services URL and file reputation checks to a specific country
System settings - Minimize storage partition usage	bool	FALSE	If true, minimize storage partition usage by blade updates
Threat Prevention Anti-Bot policy - Resource classification mode	options	Hold	Indicates the classification mode for the Anti-Bot engine: Background - connections are allowed until classification is complete, Hold - connections are blocked until classification is complete
Threat Prevention Anti-Virus policy - File scan size limit	int	0	Indicates the size limit (in KB) of a file scanned by the Anti-Virus engine. To specify no limit, set to 0.
Threat Prevention Anti-Virus policy - MIME maximum nesting level	int	7	Indicates the maximum number of levels in nested MIME content that the ThreatSpect engine scans in mail traffic
Threat Prevention Anti-Virus policy - MIME nesting level exceeded action	options	Block	Indicates if an email should be blocked or accepted if there are more nested levels of MIME content than the configured amount
Threat Prevention Anti-Virus policy - Priority scanning	bool	true	Scan according to security and performance priorities for maximum optimization
Threat Prevention Anti-Virus policy - Resource classification mode	options	Hold	Indicates the classification mode for the Anti-Virus engine: Background - connections are allowed until classification is complete, Hold - connections are blocked until classification is complete
Threat Prevention Threat Emulation policy - Emulation connection handling mode - IMAP	options	Background - connections are allowed until emulation handling is complete	Indicates the strictness mode of the Threat Emulation engine over IMAP: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed
Threat Prevention Threat Emulation policy - Emulation connection handling mode - POP3	options	Background - connections are allowed until emulation handling is complete	Indicates the strictness mode of the Threat Emulation engine over POP3: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed
Threat Prevention Threat Emulation policy - Emulation connection handling mode - SMTP	options	Background - connections are allowed until emulation handling is complete	Indicates the strictness mode of the Threat Emulation engine over SMTP: Background - connections are allowed while the file emulation runs (if needed), Hold - connections are blocked until the file emulation is completed
Threat Prevention Threat Emulation policy - Emulation location	options	Emulation is done on Public Threat Cloud	Indicates if emulation is done on Public Threat Cloud or on remote (private) SandBlast
Threat Prevention Threat Emulation policy - Primary Emulation gateway	ipv4addr		The IP address of the primary remote emulation gateway
Threat Prevention policy - Allow IP address information in attack statistics	bool	false	Allow IP address information in attack statistics sent to my User Center account
Threat Prevention policy - Allow me to view attack statistics in my User Center account	bool	false	Allow me to view attack statistics in my User Center account. Note that privacy settings should be set to allow sending data to Check Point
Threat Prevention policy - Block when service is unavailable	bool	false	Block web requests traffic when the Check Point ThreatCloud online web service is unavailable
Threat Prevention policy - Fail mode	options	Allow all requests	Indicates the action to take on traffic in case of an internal system error or overload
Threat Prevention policy - File inspection size limit	int	0	Indicates the size limit (in KB) of a file inspected by Threat Prevention engines. Note: A limit too low may have an impact on the functionality of the Application Control blade. To specify no limit, set to 0.
Threat Prevention policy - Method for skipping HTTP inspection	options	Default	When changed from the default value, and file size inspection limit is used, HTTP inspection will be fully skipped instead of skipping only a single session. This is not recommended due to a high security impact as the following sessions will not be inspected at all following a large file sent via HTTP on a single connection.
Threat Prevention policy - Update Threat Prevention With Full Packages	bool	false	Update Threat Prevention with the most up to date Packages
USB modem watchdog - Interval	int	5	Indicates how often the USB modem watchdog probes the Internet
USB modem watchdog - Mode	options	Disabled	Indicates if the USB modem watchdog is enabled when Internet probing is enabled, and the reset type (either hard-reset to shut down the power for the USB modem or gateway-reset to reboot the gateway).
USB modem watchdog - USB only	bool	false	Monitor only USB modem connection
Update Services Schedule - Maximum number of retries	int	3	Indicates the maximum number of retries for a single update when the cloud is unavailable until the next scheduled update
Update Services Schedule - Timeout until retry	int	180	Indicates the timeout (in seconds) until update retry
User Awareness - Active Directory association timeout	int	720	Indicates the timeout (in minutes) for caching an association between a user and an IP address
User Awareness - Allow DNS for unknown users	bool	true	The default is to allow DNS for unknown users even when configured to be blocked in Browser Based Portal settings
User Awareness - Assume single user per IP address	bool	true	Indicates a mode where per IP address, only the last user who logged is identified
User Awareness - Log blocked unknown users	bool	true	Indicates if a log should be issued when unknown users are blocked (see Browser Based Portal settings)
User Awareness - Use NTLMv2 protocol for Active Directory Queries	bool	false	NTLMv2 mode - true for using NTLMv2, false for using NTLMv1
User Management - Automatically delete expired local users	bool	false	Automatically delete all expired local users every 24 hours (after midnight)
VPN Site to Site global settings - Accept NAT Traversal	bool	true	Indicates if industry standard NAT traversal (UDP encapsulation) is enabled. This enables VPN tunnel establishment even when the remote site is behind a NAT device.
VPN Site to Site global settings - Administrative notifications	options	Log	Indicates how to log an administrative event (for example, when a certificate is about to expire)
VPN Site to Site global settings - Bypass PSL inspection for VPN traffic	bool	false	Indicates if PSL inspection (Application Control, URL Filtering, IPS, Anti-Virus, Anti-Bot, Threat Prevention, Threat Emulation) is bypassed for VPN traffic
VPN Site to Site global settings - Check if Harmony Connect Branch is in use by another SMB gateway	bool	false	True if the branch is in use by another Quantum Spark Gateway (MAC address)
VPN Site to Site global settings - Check if Harmony Connect subnet is synchronized	bool	false	True if subnet is synchronized with branch. Return error if false.
VPN Site to Site global settings - Check validity of IPSec reply packets	bool	false
VPN Site to Site global settings - Cluster SA sync packets threshold	long	200000	Sync SA with other cluster members when packets number reaches this threshold
VPN Site to Site global settings - Collect VPN monitoring data for Spark Management	bool	true	Applies only to a Cloud Services managed appliance. Collecting VPN monitoring data to a dedicated file for Spark Management heartbeat
VPN Site to Site global settings - Copy DiffServ mark from encrypted/decrypted IPSec packet	bool	false
VPN Site to Site global settings - Copy DiffServ mark to encrypted/decrypted IPSec packet	bool	true
VPN Site to Site global settings - DPD triggers new IKE negotiation	bool	true
VPN Site to Site global settings - Delete IKE SAs from a dead peer	bool	true
VPN Site to Site global settings - Delete IPsec SAs on IKE SA delete	bool	false
VPN Site to Site global settings - Delete tunnel SAs when Tunnel Test fails	bool	true	When permanent VPN tunnels are enabled and a Tunnel Test fails, delete the relevant peer's tunnel SAs. Not supported in High Availability Cluster mode
VPN Site to Site global settings - Do not encrypt connections originating from the local gateway	bool	false	Exclude the Internet connection's IP address from the local encryption domain. Packets whose original source or destination IP address is the local gateway's Internet connection IP address will not go through a VPN tunnel. This parameter may be useful when the gateway is behind hide NAT.
VPN Site to Site global settings - Do not encrypt local DNS requests	bool	false	When enabled, DNS requests originating from the appliance will not be encrypted. Relevant when a configured DNS server is in a VPN peer's encryption domain.
VPN Site to Site global settings - Enable encrypted packets rerouting	bool	true	Indicates if encrypted packets will be rerouted through the best interface according to the peer's IP address or probing. It is not recommended to change this value to false.
VPN Site to Site global settings - Grace period after CRL is no longer valid	int	1800	Indicates the time (in seconds) after which a revoked certificate of a remote site remains valid, to allow wider window for CRL validity in case of clock mismatch
VPN Site to Site global settings - Grace period before CRL is valid	int	7200	Indicates the time window (in seconds) where a certificate is considered valid prior to the time set by the CA, to allow wider window for CRL validity in case of clock mismatch
VPN Site to Site global settings - Harmony Connect Residency	options	HARMONY_CONNECT_RESIDENCY.US	Harmony Connect Data Residency. You can see the value on the Harmony Connect portal: Global Settings > Account Settings > Account Details (Data Residency).
VPN Site to Site global settings - Harmony Connect VPN High Availability timeout (sec)	int	30	Timeout - The amount of idle time (sec) before switching to another Harmony Connect VPN (0 to disable High Availability)
VPN Site to Site global settings - IKE DoS from known sites protection	options	None	Indicates if the IKE DoS from known IP addresses protection is active and the method by which it detects potential attackers
VPN Site to Site global settings - IKE DoS from unknown sites protection	options	None	Indicates if the IKE DoS from unidentified IP addresses protection is active and the method by which it detects potential attackers
VPN Site to Site global settings - IKE reply from Same IP	bool	true	Indicates if the source IP address used in IKE session will be according to destination when replying to incoming connections, or according to the general source IP address link selection configuration
VPN Site to Site global settings - IKEv2 Key Type	options	Key ID	Key type used for IKEv2 communication
VPN Site to Site global settings - Indicates the interval in which a VPN tunnel down summary notification is sent	options	1 Hour	Applies only when collecting VPN monitoring data for Spark Management heartbeat is enabled
VPN Site to Site global settings - Join adjacent subnets in IKE Quick Mode	bool	true
VPN Site to Site global settings - Keep DF flag on packet	bool	false	Indicates if the 'Don't Fragment' flag is kept on the packet during encryption/decryption
VPN Site to Site global settings - Keep IKE SA Keys	options	Automatic
VPN Site to Site global settings - Key exchange error tracking	options	Log	Indicates how to log VPN configuration errors or key exchange errors
VPN Site to Site global settings - Match Internet traffic on the Outgoing Rule Base	bool	false	Traffic to the Internet from VPN peers that route all their traffic through this gateway. This traffic will be matched on the Outgoing Rule Base.
VPN Site to Site global settings - Maximum concurrent IKE negotiations	int	200	Indicates the maximum number of concurrent VPN IKE negotiations
VPN Site to Site global settings - Maximum concurrent tunnels	int	10000	Indicates the maximum number of concurrent VPN tunnels
VPN Site to Site global settings - Maximum number of VPN tunnel down notifications per hour	int	5	Applies only when collecting VPN monitoring data for Spark Management heartbeat is enabled
VPN Site to Site global settings - Open SAs limit	int	20	Indicates the maximum number of open SAs per VPN peer
VPN Site to Site global settings - Outgoing link tracking	options	None	Logging of the outgoing VPN link: Log, don't log or alert
VPN Site to Site global settings - Override 'Route all traffic to remote VPN site' configuration for admin access to the device	bool	true	Exclude admin access traffic to the gateway from being routed to remote VPN site even if all traffic should be routed to it
VPN Site to Site global settings - Packet handling errors tracking	options	Log	Logging for VPN packet handling errors: Log, don't log or alert
VPN Site to Site global settings - Perform Tunnel Tests using an internal IP address	bool	false	Perform Tunnel Tests using an internal IP address which is part of the local encryption domain.
VPN Site to Site global settings - Permanent tunnel down tracking	options	Log	Logging for when the tunnel goes down: Log, don't log or alert
VPN Site to Site global settings - Permanent tunnel up tracking	options	Log	Logging for when the tunnel goes up: Log, don't log or alert
VPN Site to Site global settings - RDP packet reply timeout	int	10	Timeout (in seconds) for an RDP packet reply
VPN Site to Site global settings - Reply from incoming interface	bool	false	When tunnel is initiated from remote site, reply from the same incoming interface when applicable (IKE and RDP sessions)
VPN Site to Site global settings - Set gateway as static multi ISP	bool	false	Indicates that ISAKMP and IPSEC SAs are protected against deletion in the event of a failover or failback.
VPN Site to Site global settings - Set life sign timeout	int	120	Maximum time (in seconds) before the tunnel switches to 'down'
VPN Site to Site global settings - Set life sign transmitter interval	int	10	Interval (in seconds) between the tunnel test and when the DPD life sign requests packets
VPN Site to Site global settings - Set resolver session interval	int	25	Interval (in seconds) between RDP life sign packets. This increases/decreases the resolver session timeout (timeout default is 45 seconds).
VPN Site to Site global settings - Successful key exchange tracking	options	Log	Logging for VPN successful key exchange: Log, don't log or alert
VPN Site to Site global settings - The interval to resolve the VPN peers	int	30	The interval to resolve the VPN peers. The default is 30 seconds.
VPN Site to Site global settings - Use cluster IP address for IKE	bool	true	Indicates if IKE is performed using cluster IP address (when applicable)
VPN Site to Site global settings - Use internal IP address for encrypted connections from local gateway	bool	false	Encrypted connections originating from the local gateway will use an internal interface's IP address as the connection source
VPN Site to Site global settings - VPN Tunnel Sharing	options	subnets	Indicates under what conditions new tunnels are created, controlling the number of tunnels: per host pair, per subnet (Industry Standard) or a single tunnel per remote site/gateway
VPN Site to Site global settings - VPN passthrough status	bool	false	Indicates whether or not VPN passthrough is active. Both IPSec VPN and Remote Access VPN Blades must be disabled.
VoIP - Accept MGCP connections to registered ports	bool	false	Indicates if deep inspection over MGCP traffic will automatically accept MGCP connections to registered ports
VoIP - Accept SIP connections to registered ports	bool	false	Indicates if deep inspection over SIP traffic will automatically accept SIP connections to registered ports
VoIP - Extend SIP service timeout	bool	true	Indicates whether SIP service timeout is extended when disabling service inspection
WebUI settings and customizations - Close Firewall rule modal on outside click	bool	TRUE	Indicates whether to close the modal dialog when the user clicks in the area outside the modal
Web Interface Settings and Customizations - Company URL	urlv6WithHttp		Clicking the company logo in the web interface opens this URL
WebUI settings and customizations - Enable where in use	bool	FALSE	If enabled, you can see where objects are used in the Rule Bases
WebUI settings and customizations - Show security alerts	bool	FALSE	If enabled, security alerts are displayed upon login
Web Interface Settings and Customizations - Use a company logo in the appliance's web interface	bool	false	The company logo is displayed on the appliance's web interface and on its log-in page. The customized logo should follow th

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Are you a member of CheckMates?

R81.10.17 Advanced Settings