CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Code:

```text
Yyy yyY
YYYYYYYyyyyyyyYYYYYYY
YYYYY#########YYYYY
YYY# ??? #YYY
YY# ( O) #YY
Y# ~~ #Y
YY#########YY
@@@ YYYYYYYYYYYYY @@@
@@@@ YYYYYYYYYYYYY @@@@
@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@
VVV@@@@@@@@@@@@@VVV
VV VV
V V
SofaWare Embedded!
```
UTM-1 EDGE FAQ by CPUG CCSA/CCSE/CCSE+/CPSC

Q: What is the official product site?
A: Check Point Software: UTM-1 Edge Appliance

Q: Where can I find a general description?
A: Product Highlight: UTM-1 Edge Appliance

Q: Where can I find some detailed specs?
A: SofaWare Technologies - UTM-1 Edge X ADSL

Q: Where can I subscribe to the SofaWare feed?
A: SofaWare news and updates blog

Q: Where can I find related discussion forums?
A: At SofaWare, CPUG or Check Point.

Q: What is the capacity of an UTM-1 Edge appliance?
A: SPI Firewall throughput: 190 Mbps
A: VPN throughput: 35 Mbps
A: Concurrent connections: 5.000
A: RemoteAccess User Profiles: 25 (Local Management), Unlimited (Centralized Management)
A: Security Associations (SAs): max. 100 (Remote Access and Site-to-Site VPN)

Q: Who uses UTM-1 Edges?
A: Companies using a Wireless Distribution System (WDS) with roaming for their in-house wifi connectivity.
A: ISPs to provide broadband, IP TV and VoIP services.
A: Stadiums collecting bets with handheld wifi devices roaming around the stadium.
A: Car manufacturers using industrial Edges, utilizing bridge mode to protect mission-critical computers.
A: Remote & Branch Offices with backup internet connections.
A: Home- and Teleworkers (Network access control and remote administration)
A: Managed Services Providers with Large Scale Management
A: Banks who connect their branch offices
A: Companies who connect ATMs either to a GPRS modem or to an Ethernet connection.

Q: How many UTM-1 Edges were sold last year?
A: SofaWare sold around 50.000 embedded devices in 2007.

Q: Where should I start managing my UTM-1 Edge?
A: Check Point offers an Admin Guide for your first steps in UTM-1 Edge management.

Q: Which model should I buy?
A: That depends on your requirements. ALWAYS buy a model that has USB ports. These models do:
- VPN-1 Edge W
- VPN-1 Edge W ADSL
- VPN-1 Edge X ADSL
- VPN-1 Edge X Industrial

Q: Which firmware is recent? - December 12, 2008
A: 8.0.36 (General Availability)

Q: Which variants does the recent firmware version consist of?
A: x8.0.36x.img is for regular units uploaded via GUI
A: 8.0.36x.tftp is for regular units uploaded via TFTP
A: a8.0.36a.firm is for ADSL units uploaded via GUI
A: a8.0.36a_backup.firm is for ADSL units uploaded via TFTP
A: 8.0.36_debug_x.img is for regular units uploaded via GUI
A: 8.0.36_debug_a.firm is for ADSL units uploaded via GUI

Q: Are there different firmwares available?
A: Yes. Edges which have an ADSL modem integrated require a different firmware.

Q: Do Safe@Office appliances require a different firmware than UTM-1 Edges?
A: No. Both are using the same firmware.

Q: Any extra special firmwares?
A: Yes. 7.5.55_w6x.img has the long-awaited WLAN-Client functionality. This function will be officially implemented in firmware version 9.

Q: Which DSL-modem firmware is recent?
A: SW2.0.11 (General Availability)

Q: Which variants does the recent DSL-modem firmware version consist of?
A: SW2.0.11ab_pri.firm is for all ADSL units uploaded via GUI (installs as primary firmware)
A: SW2.0.11a_pri.firm is for ADSL (Annex A) units uploaded via GUI (installs as primary firmware)
A: SW2.0.11b_pri.firm is for ADSL (Annex B) units uploaded via GUI (installs as primary firmware)
A: SW2.0.11a_sec.firm is for ADSL (Annex A) units uploaded via GUI or TFTP (also installs as backup firmware)
A: SW2.0.11b_sec.firm is for ADSL (Annex B) units uploaded via GUI or TFTP (also installs as backup firmware)

Q: Are there different DSL firmwares available?
A: Yes. There is one firmware for Annex A and one for Annex B. Also there is a SW2.0.*_pri.firm (primary) and a SW2.0.*_sec.firm (secondary) firmware. Both can be installed via the Web-GUI. The primary firmware will update the firmware the UTM-1 Edge is using at startup. The secondary firmware will update the backup firmware to which the UTM-1 Edge reverts after a factory reset.

Q: Any important things to know about when working with an ADSL-Edge?
A: Enter the following command on your ADSL-Edge before using it:
set port adsl auto-sra mode disabled
This will prevent it from reestablishing the DSL connection every 1h14sec. (sk32922)

Q: My UTM-1 Edge ADSL is fully configured and connected to the DSL line. It still shows "No sync" and the DSL light is continuously blinking.
A: Make sure that your primary internet connection is correctly configured for your ADSL port. Choose PPPoE as connection type and ADSL2/ADSL2+ as DSL standard. Ask your ISP for the correct VPI/VCI numbers and the encapsulation type. If your DSL splitter doesn't come with RJ-11 outputs, use an RJ-11 line socket adapter which has a microfilter built in. In some cases SofaWare already packages ADSL appliances with RJ-11 line socket adapters. Check the contents of your package for it. Always use the original cables from SofaWare to connect your appliance.

Q: My UTM-1 Edge ADSL is working just fine. After updating the firmware of my UTM-1 Edge ADSL the appliance is restarting, however it can't establish the DSL connection anymore and says 'DSL modem could not be initialized'. Sometimes it even reverts back to its backup firmware after trying for too long to establish a DSL connection. What is the problem?
A: The newer firmware has updated routines to talk to the integrated DSL modem. A simple restart of the appliance after a firmware update may sometimes result in this issue. Just power down your UTM-1 Edge appliance for 20 seconds after the firmware update is completed. Power it up again and your DSL connection issue should be gone.

Q: Any important things to know about when working with Edges in general?
A: Always make sure that your libsw libraries are at the same or a higher version than your UTM-1 Edge firmwares.

Q: The PWR/SEC LED on my UTM-1 Edge is sometimes blinking red. Is my firewall appliance damaged?
A: No. It's probably just showing you that it successfully blocked an unwanted connection.
PWR/SEC LED Statuses:
- On (Green) > Normal operation
- On (Red) > Error
- Flashing quickly (Green) > System is booting up
- Flashing slowly (Green) > Establishing Internet connection
- Flashing (Red) > Blocked connection
- Off > UTM-1 Edge is powered off

Q: If I hard-reset my UTM-1 Edge, will I also lose my DSL firmware?
A: Yes. It will be reset to factory default.

Q: Can I avoid this?
A: Yes. All firmwares are available as primary and secondary (e.g. backup) firmware. Usually you only install the primary firmware. Installing the backup firmware will set this one as backup instead of the factory default when you do a reset.

Q: What are the TFTP firmwares good for?
A: They can be used to update the UTM-1 Edge locally and update the backup firmware. To do this just power down your Edge. Power it up while the reset button is pressed. The PWR/SEC light will now be continuously red. Change the IP address of your host to 192.168.10.2/24. Now you should be able to ping the UTM-1 Edge via 'ping 192.168.10.1'. If that works, you can start to transfer the .tftp firmware via 'tftp -i 192.168.10.1 put filename.tftp'. The PWR/SEC light will start blinking red. After your UTM-1 Edge has restarted successfully your appliance will be updated to the new firmware, which is also the new default firmware.

Q: Where do I get these firmwares?
A: From your official support sites. Either Check Point or SofaWare.

Q: What does an UTM-1 Edge look like?
A: (picture)

Q: Some of my Edges are heating up and become quite hot.
A: SofaWare's appliances don't come with a built-in cooling fan. It's intended to place Edges in cooler places like server rooms with no incident solar radiation. If you can't provide this, buy an external cooling fan to keep your Edge at a normal temperature. Otherwise you might run into issues with outages of your network ports. You can use the built-in USB ports to connect external cooling fans like this one.

Q: Which web browser should I use to manage my UTM-1 Edges?
A: Internet Explorer only, where applicable. Firefox still has some issues, especially when you export the configuration to a .cfg file.

Q: Where to look on my Edge to troubleshoot it?
A: http://my.firewall/pop/Diagnostics.html
A: http://my.firewall/vpntopob.html (Older firmwares (7.0.x and below) use http://my.firewall/vpntopo.html)
A: https://my.firewall/dnstopo.html (Not available in newer firmwares (7.5+))
A: http://my.firewall/Log.html
A: http://my.firewall/Ports.html

Q: Any further troubleshooting guidelines?
A: Sure. Check Point offers a VPN-1 UTM Edge ATRG (Revised: October 22, 2007).

Q: How to connect to the serial console of my UTM-1 Edge appliance?
A: Connect the RJ-45 (RS-232) port of your appliance to the COM port of your host. An RJ-45 to DB9 converter is part of your appliance. Use the following settings for your terminal client: Baud rate: 57600, Data: 8 Bit, Parity: None, Stop: 1 bit, Flow control: None

Q: Can I disable SmartDefense checks on my UTM-1 Edge?
A: Not all of it. You can go through the SmartDefense wizard and set it to Minimal or go through all settings and set them to 'None'. In centralized management you can also check 'Do not apply SmartDefense on this gateway' within 'SmartDefense > Profile Assignment' of your VPN-1 UTM Edge Gateway object.

Q: Any in-depth debugging options?
A: Sure. Check Point also offers a debugging firmware. It will provide you with the 'debug' command at the command shell of your UTM-1 Edge. The 'debug' command lets you activate more logging features. Set up an internal syslog server and configure it on your UTM-1 Edge appliance. Recreate the issue you want to debug. Check the log of your syslog server. The WebGUI also provides you with a packet sniffer. It will generate an output file which can be analyzed in Wireshark (formerly known as Ethereal).

Q: Any hidden/undocumented pages?
A: Yes. http://my.firewall/pub/test.html

Q: I've upgraded my SmartCenter Server to NGX (R65). Now policy installation on the Embedded Edge Connector fails.
A: Install the latest libsw (SofaWare Libraries) and read this SecureKnowledge Base article: (sk33821)

Q: I can't create an Embedded Edge object (Edge Profile) within SmartDashboard?
A: On your SmartCenter Server change the attribute support_sofaware_profiles in $FWDIR/conf/objects_5_0.C to true and read this SecureKnowledge Base article: sk30389

Q: My UTM-1 Edge is set up for centralized management. However, when connecting it to the Service Center it says: Connection Refused: This UTM-1 Edge is not registered to the Service Center. What's the issue?
A: You are most likely using an UTM-1 Edge X ADSL or another series of the standard UTM-1 Edge X appliance. In SmartDashboard the default type of your VPN-1 UTM Edge Gateway object is 'VPN-1 UTM Edge X Series'. Make sure the type matches the series of your appliance.

Q: My UTM-1 Edge is set up for centralized management and the Service Center is Connected. It does not establish any of the centrally configured VPN tunnels and 'Reports > Tunnels > VPN Topology' is empty. Why?
A: Navigate to 'VPN > VPN Site' and enable your Enterprise Site-to-Site VPN. Now your VPN topology should contain an Enterprise folder.

Q: I can install the Security Policy for my UTM-1 Edge on SmartCenter Server. However, it takes some time until the policy is active.
A: This is the normal behaviour. You are installing the policy to the Embedded Edge Connector on your SCS. By default, the Edge asks every 20 minutes for an updated policy, firmware version and other settings. This can be changed in SmartDashboard > Global Properties on your SCS.

Q: I want to push a Security Policy directly onto my UTM-1 Edge. Is this possible?
A: Yes. Purchase Check Point SmartLSM (Large Scale Manager).

Q: SmartView Monitor does not show the correct status of my UTM-1 Edge appliance?
A: This is caused by the design of the product. Your UTM-1 Edge appliance connects to the Service Center every 20 minutes (default). If authentication to the Service Center was successful it will start to retrieve available firmware or policy updates. For UTM-1 Edge appliances with dynamic IP addresses the Service Center also remembers the last known IP (for handling VPN connections configured in Simplified Mode and for use with SmartView Monitor and SmartLSM). So SmartView Monitor does not check your UTM-1 Edge appliance for availability; instead it asks the Service Center if the UTM-1 Edge has connected recently (within the last 60 minutes). If it has, SmartView Monitor will show 'OK' as status for your appliance, even if it's just unreachable or disconnected. As long as an UTM-1 Edge appliance has not even connected to the Service Center for the first time, its status is 'Disconnected'.

Q: After setting up Management-HA I'm receiving an error 'Failed to obtain Edge packages' when I want to manually synchronize my primary SmartCenter Server with my secondary one?
A: Just open SmartUpdate and delete all firmware packages from the package repository. Manual synchronisation should then succeed. Afterwards add the firmware packages to the package repository again.

Q: After upgrading my SmartCenter server or adjusting host entries on it, the SMS process/Embedded Edge Connector fails to load, displaying the error: "Can't contact database".
A: Move/Add the following entry to the last line of /etc/hosts. (sk33168)
127.0.0.1 localhost.localdomain localhost

Q: My exported UTM-1 Edge configuration file just contains the following line: [700002] object not found
A: Set your UTM-1 Edge appliance via 'Setup > Tools > Factory Settings' back to factory defaults. Then manually enter your configuration data again.

Q: How can a firmware update be performed?
A: Either locally via the WebGUI of your UTM-1 Edge or centrally within SmartUpdate of your Edge. Just upload a firmware to the package repository and attach it to your Edge. It will then retrieve this firmware directly from your SCS when it checks for updates the next time.

Q: After I upgraded the firmware locally my UTM-1 Edge reverts back to the old one?
A: If the UTM-1 Edge is centrally managed it will always try to install the firmware that was distributed for it within SmartUpdate. Upload the firmware to the package repository of SmartUpdate instead and distribute it for your UTM-1 Edge. It will then install the new firmware automatically.

Q: How may I check if my UTM-1 Edge is retrieving a firmware update?
A: In the 'Setup' menu, go to 'Tools > Diagnostics'. A diagnostics window will pop up. Scroll down to the 'Downloading firmware' row. If a firmware is just being downloaded you'll see a percentage of the data received.

Q: Since using UTM-1 Edges I encounter high latencies. Users are complaining.
A: You are most likely using a central security policy that is not Edge-conform. This means that every security policy with an UTM-1 Edge as policy installation target will be converted into a binary by your Embedded Edge Connector. This binary is retrieved by the Edge and contains the compiled security and NAT policy. The Embedded Edge Connector works differently than the INSPECT Engine by Check Point. Therefore you should be very careful with centrally configured rules for UTM-1 Edges. Create a policy just for all your UTM-1 Edges alone. Make sure all rules in your security and NAT policy contain a specific policy installation target. Also always choose specific policy installation targets under "Policy > Policy Installation Target" of your SmartDashboard. Don't use 'Any' in any of your rules for your Edges. Use negated objects instead. Try to use manual NAT rules only for your Edges. Automatic NAT rules may not be compiled correctly. Port mappings are even better than manual NAT rules. After you have installed a policy to your Edge, check locally on your Edge that the NAT rules are installed exactly as you configured them centrally. If not, change your NAT rules and install the policy again. Use dynamic objects where possible and avoid groups by all means. This is simply to prevent your Embedded Edge Connector from doing something wrong. If your latency is still high, check if it gets better when disconnecting the Edge from its Service Center. If it does, try to manage your Edge locally where possible.

Q: Where can I see which rules are applied by the UTM-1 Edge in centralized management?
A: Enter this command at the console or under 'Setup > Tools > Command' in the GUI:
info fw rules

Q: What should I define for Management Access (Setup > Management)?
A: 'Internal Networks' or 'Internal Networks + IP Range' only. Never set it to 'ANY'. Never. Otherwise malicious scripts will soon try to work off password lists on your UTM-1 Edge. Even on the management port 981!

Q: Why is it so different to configure and manage UTM-1 Edges centrally, compared to other Check Point firewall gateways?
A: Always bear in mind that UTM-1 Edges were primarily designed as standalone firewall gateways. They will not change into a fully enterprise-managed firewall when connected to a Service Center. The 'Service Center' is a so-called Embedded Edge Connector that is running on your SmartCenter Server. It's a different process with a different compiler (SofaWare engine) that runs in a different process. All this results in a unique behaviour that is 'by design' of the product and by experience of the programmers and end users. UTM-1 Edges are a product of SofaWare, a Check Point company. However, they are developed with another focus, and receive functionality upgrades and changes faster than Check Point can reflect this in their firewall management software. Also they are the only centrally managed firewall gateways to which you can't apply configuration settings (like interface configurations). Newer functions of recent firmwares (such as dynamic routing) can't be configured and managed centrally at all. Also local security rules take precedence over rules configured by the central management.

Q: Are the default rules configured by the security levels of the UTM-1 Edge appliance still applied when it is connected to SmartCenter Server?
A: No. When your appliance is managed by SmartCenter, the centrally configured security policy replaces the local default security policy. The local security level is set to 'High' and cannot be changed.

Q: While using a centrally configured security policy my UTM-1 Edge appliance behaves like the local default rules would still apply?
A: This is a default setting on the SmartCenter Server. Go to 'Global Properties > SmartDashboard Customization > Configure... > VPN-1 UTM Edge/Embedded Gateway' and uncheck 'sofaware_stealth'. This will prevent connections from internal networks to the SofaWare Gateway from being accepted by default.

Q: Why do VPN connections to remote sites using UTM-1 Edges (configured as DAIP gateways with dynamic IP address) sometimes fail?
A: When a UTM-1 Edge changes its IP address, the Corporate Office gateway does not detect the IP address change until the UTM-1 Edge reports it to the Service Center. The default value for this periodic status update is 20 minutes (SmartDashboard > Policy > Global Properties > VPN-1 UTM Edge Gateway > General Configuration). Check Point recommends configuring permanent VPN tunnels for each VPN community containing DAIP UTM-1 Edges. This ensures that in case the IP address changes your UTM-1 Edge will automatically re-establish the VPN tunnel again. (sk31477, sk33238)

Q: Why is my permanent VPN tunnel between a Nokia or 3rd-party VRRP cluster and UTM-1 Edge shown as down, though it is actually up?
A: Because you are using an old version of the Nokia API to determine which cluster member is active, or you are using a 3rd-party active/active cluster solution. Check Point is providing a HotFix and always recommends upgrading to the latest firewall version. (sk32515)

Q: My Edge is so great, I want to cluster it. Can I?
A: Sure. WAN-HA and Gateway-HA are supported since firmware version 7.x. In central management you should still stay with WAN-HA only. Many tests have been done and WAN-HA can be confirmed working quite well in real-life scenarios.

Q: What to put into consideration when working with UTM-1 Edge clusters?
A: WAN-HA PRO:
- no IP address conflicts because only one GW is connected to the Internet
- only 2 SAs (Security Associations) are required for one VPN tunnel
- only one object needs to be defined and managed in the firewall policy
- works with static IP addresses
- has been successfully tested working in different environments
A: WAN-HA CONTRA:
- the passive node is not connected to the Internet and can't receive updates
A: Gateway-HA PRO:
- all cluster nodes are always connected to the Internet
- all cluster nodes receive policy and firmware updates
A: Gateway-HA CONTRA:
- poor documentation and support by Check Point
- requires 4 SAs for one VPN tunnel (only 100 can be managed per community)?
- two objects need to be defined and managed in the firewall policy
- objects cannot work with static IP addresses; only dynamic IPs, therefore each node must have a correct DNS entry to get the VPN working
- both cluster nodes issue the virtual cluster IP > risk of IP conflicts

Q: How to establish synchronisation between UTM-1 Edge devices?
A: Select a Sync-Interface under 'Setup > High Availability > Gateway High Availability' and connect the interfaces with a crossover cable. (sk31992)

Q: My primary Edge cluster node goes down but my secondary Edge won't become active?
A: This is most likely caused by a Sync problem. Check the HA settings and cables.

Q: My primary Edge cluster node goes down and my secondary Edge becomes active. However, I cannot connect to the Internet.
A: This can be caused by your ISP router, which retrieves a different MAC address that pretends to work at the same external IP address. If your ISP router is causing an issue, use the MAC-Cloning feature to hide the secondary Edge behind the MAC address of the primary one.

Q: My UTM-1 Edge is working behind a NAT device or UMTS router. Which ports do I need to open?
A: Open the following ports in the NAT device: UDP 9281/9282, UDP 500, UDP 2746, TCP 256, TCP 264, ESP IP protocol 50, TCP 981.

Q: Which license models are available for UTM-1 Edges?
A: X8 (8 Nodes), X16 (16 Nodes), X32 (32 Nodes), XU (Unlimited Nodes).

Q: Does the hardware differ between these licenses?
A: No. It doesn't even differ between Safe@'s and Edges. The old S8 and X16 models had less memory though.

Q: How will I know if I have reached my node limit?
A: The UTM-1 Edge will show the following message on its Web-GUI: Warning: You are exceeding your node limit! To purchase product upgrades, contact your reseller or service provider. Get an EVAL license (30 days) to provide a solution fast and then order a license upgrade.

Q: I have exceeded my node limit. What does this mean? What should I do?
A: Your Product Key specifies a maximum number of nodes that you may connect to the UTM-1 appliance. The UTM-1 appliance tracks the cumulative number of nodes on the internal network that have communicated through the firewall. When the UTM-1 appliance encounters an IP address that exceeds the licensed node limit, the My Computers page displays a warning message and marks nodes over the node limit in red. These nodes will not be able to access the Internet through the UTM-1 appliance, but will be protected. The Event Log page also warns you that you have exceeded the node limit. To upgrade your UTM-1 appliance to support more nodes, purchase a new Product Key. Contact your reseller for upgrade information.

Q: How are nodes counted?
A: Nodes are counted based on the number of concurrent IP addresses generating traffic through the firewall. An IP node will generate traffic through the firewall when it sends packets to resources outside its own network (such as the Internet, DMZ, secondary logical network etc.). As a result, devices like network printers, switches or access points will not be counted as licensed nodes.

Q: When are nodes released from the node limit counter?
A: An IP node will release its license after 60 minutes of not generating traffic through the firewall. An IP node which released its license is displayed in blue color in the Active Computers page.

Q: The time setting on my Edge is always wrong and there are VPN issues.
A: A known problem. Always use a public timeserver to sync your UTM-1 Edge with.

Q: I encounter problems with persistent internet disconnects while using Verizon's FiOS Internet or a Time Warner cable modem. My log shows "Primary Local Area Network (LAN) connection terminated after 1 hour(s), 55 minute(s), 3 second(s)". Is there a solution?
A: Update to the latest available firmware version. Disable "Probe Next Hop" under Dead Connection Detection in the Internet setup options. Older firmwares showed a strange behavior when it came to RENEWING the DHCP lease. Since FiOS has a DHCP lease time of 2 hours, for some reason it causes the UTM-1 Edge to drop all connections for a second every 1 hour, 55 minutes, 3 seconds. DHCP RENEWAL requests simply have been ignored. As soon as 50% of the DHCP lease had expired (one hour), the UTM-1 Edge was sending DHCP RENEWAL requests every 8 seconds. It continued to do this until the lease was just about to expire. At that point, the UTM-1 Edge was sending out a DHCP REBINDING sequence. So it went through the complete process of requesting a new IP address (Discover/Offer/Request/Accept). During this rebinding sequence, Verizon's DHCP server responded. But this REBINDING sequence is what was causing the disconnections. If you were to have received a new IP address, it would obviously have to disconnect the external connections.

Q: After importing a config file to my UTM-1 Edge, VPN doesn't work anymore.
A: You are most likely using an exported config file from a centrally managed UTM-1 Edge appliance. The config file then contains the Enterprise Site-to-Site VPN connection as configured on your SmartCenter Server. As this one doesn't match the VPN configuration on your new UTM-1 Edge appliance you may want to delete this setting.

Q: My UTM-1 Edge says it's successfully connected to a Service Center. It receives new policies but the Enterprise VPN configuration is always missing.
A: A simple connection refresh via 'Services > Refresh your Service Center connection' won't help. Make sure your network range is allowed to access the UTM-1 Edge, even without a centrally configured security policy. Create an explicit access rule directly on your UTM-1 Edge appliance or define your network range as a management network via 'Setup > Management'. Then disconnect your UTM-1 Edge via 'Services > Connect > Uncheck Service Center connection'. In some rare cases it was additionally required to delete the Edge object from the central VPN configuration, push the policy and add it back into the VPN configuration/communities again. Connect your Edge back to the Service Center again. To do so, just enable the checkbox for your Service Center connection. Done. Now your Enterprise Site-to-Site VPN connection should be working again.

Q: I have a few spare Edges around me. How can I use them quickly?
A: Get into the SofaWare chat and ask for a 30-day EVAL license.

Q: Are there cheaper models available if I just want to use them at our own company?
A: Yes. There is an NFR (not for resale) model.
You can activate it at sofaware.com and use it as an unlimited NFR appliance at your company.

Q: How can I configure remote scripting via SSH?
A: Make sure you've installed 'expect' and use this bash script to run any command you like. Name the script run_cmd.sh and run it via: expect edge_cmd.sh

Code:

```tcl
#!/usr/bin/expect
# Runs a single command on a UTM-1 Edge over SSH and prints its output.
# Adjust HOST, LOGIN, PASSWORD and COMMAND before use.
set HOST "192.168.10.1"
set LOGIN "admin"
set PASSWORD "123456"
set COMMAND "info device"
set timeout 60

# -C enables compression, -x disables X11 forwarding
spawn ssh -C -x -l $LOGIN $HOST
expect {
    "fingerprint" {
        # first connection: accept the host key, then answer the password prompt
        send "yes\n"
        expect "word: $"
        send "$PASSWORD\n"
    }
    "word: $" {
        send "$PASSWORD\n"
    }
    timeout {
        puts "Timed out waiting for the SSH password prompt"
        exit 1
    }
}
# wait for the Edge CLI prompt, run the command, then leave the shell
expect ">"
send "$COMMAND\n"
expect ">"
send "exit\n"
# wait for ssh to close so the command output is fully flushed
expect eof
```

A: From your service provider. Check Point also maintains a Chat for simple support questions. If you ask SofaWare politely (and if you are not using a centrally managed Edge) you might also get support within their Chat system.

Q: How do I make sure that my UTM-1 Edge is authentic?
A: Verify that it has one of these SofaWare tags on top of its case: (picture)

Q: Can I add more features to my UTM-1 Edge?
A: Yes. SofaWare offers these accessories.

Q: I want to put two UTM-1 Edges into a 19" rackmount kit and work with them like a pro. How best to do this?
A: Buy the official SofaWare Rackmount Kit, two Industrial Edges and two 12V DC Power Supplies.

Q: The WebGUI of two Edges at the same firmware shows different settings (like stats for LAN ports)?
A: This is most likely caused by a different hardware revision. The first rev. was 1.0T, followed by 1.2T to the most recent revision 1.3T. While 1.0T didn't have ADSL features and was quite vulnerable to current fluctuations, the latest revision appears to be quite stable.

Q: Which hardware types are available?
A: SBox-200, SBox-200-A (UTM-1 Edge X ADSL Annex A) and SBox-200-B (UTM-1 Edge X ADSL Annex B).

Q: OK, I'm set up and safe. Now how do I protect against phishing?
A: Erez provides a best practice: Anti Phishing

Q: What is on the Roadmap for this year?
A: CLM support for R65, SmartDefense Profile Support for R62 and above. ADSL Dual-VC Support, Enhanced Log Viewer (Firmware 8.x), USB Config (Firmware 8.x), Central management of local configuration settings (Firmware 9.X)
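The node-limit accounting the FAQ describes (concurrent internal IPs that send packets outside their own network are counted, a node frees its slot after 60 idle minutes, nodes above the X8/X16/X32 limit are flagged as the GUI marks them red) as an added Python model; this is not SofaWare's code, and the internal network, licence model and traffic in `demo()` are constructed for the example.

```python
"""Model of UTM-1 Edge node counting as described in the FAQ (added example)."""
import ipaddress

RELEASE_AFTER_SECONDS = 60 * 60  # a node releases its licence after 60 idle minutes

# licence model -> node limit; XU is unlimited
LICENSE_NODES = {"X8": 8, "X16": 16, "X32": 32, "XU": None}


class NodeCounter:
    def __init__(self, internal_networks, license_model):
        self.networks = [ipaddress.ip_network(n) for n in internal_networks]
        self.limit = LICENSE_NODES[license_model]
        # ip -> (first_seen, last_seen); dict order = order in which slots were taken
        self.nodes = {}

    def _crosses_firewall(self, src, dst):
        """True when src is an internal node and dst lies outside src's own network."""
        for net in self.networks:
            if src in net:
                return dst not in net
        return False  # not an internal node, never licensed

    def _expire(self, ts):
        for ip, (_, last) in list(self.nodes.items()):
            if ts - last >= RELEASE_AFTER_SECONDS:
                del self.nodes[ip]  # released: shown blue in Active Computers

    def observe(self, ts, src_ip, dst_ip):
        """Account one packet seen at time ts (seconds)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        self._expire(ts)
        if not self._crosses_firewall(src, dst):
            return  # LAN-local traffic (printers, switches, APs) is not counted
        first = self.nodes[src][0] if src in self.nodes else ts
        self.nodes[src] = (first, ts)

    def status(self, ts):
        """{ip: 'licensed' | 'over-limit'} for every node currently holding a slot."""
        self._expire(ts)
        result = {}
        for idx, ip in enumerate(self.nodes):
            over = self.limit is not None and idx >= self.limit
            result[str(ip)] = "over-limit" if over else "licensed"
        return result

    def over_limit(self, ts):
        return any(v == "over-limit" for v in self.status(ts).values())


def demo():
    """Constructed traffic on an X8 appliance with one internal /24."""
    c = NodeCounter(["192.168.10.0/24"], "X8")
    t0 = 0
    # nine hosts reach an external address (198.51.100.1, documentation range)
    for i in range(1, 10):
        c.observe(t0 + i, f"192.168.10.{i}", "198.51.100.1")
    # one host only talks to a LAN printer: not counted
    c.observe(t0 + 20, "192.168.10.50", "192.168.10.200")
    first = c.status(t0 + 60)          # ninth host exceeds the X8 limit
    # an hour later only host 9 is still active; the others are released
    c.observe(t0 + 3605, "192.168.10.9", "198.51.100.1")
    later = c.status(t0 + 3661)
    return first, later


if __name__ == "__main__":
    for snapshot in demo():
        print(snapshot)
```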

There is a https://my.firewall/dnstopo.html also

Hey Dantro, Bloody good work! We need to have a word with Mr Stiefel and get a "reward beer through the internet" system working. You definitely deserve one for this masterpiece! :-)

Good work with the FAQ! Sticky please!

Yes, in the true meaning of push, where the policy is sent to the device and not retrieved by it, LSM is needed. The other way, doing a policy install on the Edge object from a standard SmartCenter, will result in an event that triggers the Edge to connect to SmartCenter, download the new policy and install it. So yes, in the true meaning of "push" this is not a real push but an update event. However, in my own experience, push is a very so-so word when it comes to these things and can be interpreted differently, kind of like push mail (in most of the software I tried) where you don't get actual mail pushed to your device but an event that triggers your client to go check for updates. Anyway, hope it's clarified now.

By doing a policy install on the UTM-1 Edge object from a standard SmartCenter Server the SofaWare libraries (libsw) will verify and compile the policy. In Global Properties > VPN-1 UTM Edge Gateway the option 'Update configuration settings' specifies the time at which the VPN-1 UTM Edge device is updated with new configuration settings. Default is 20 minutes. This means that after a policy install has been made it may take up to 20 minutes until the Edge contacts the Embedded Edge Connector to retrieve the new policy. In my experience PUSH has a different meaning. This is why I recommend buying SmartLSM in order to get a true PUSH procedure.

Interesting and true, but not quite? I am able to recreate the behaviour over and over again as follows: by doing Policy > Install and choosing the Edge/IP4x object it triggers the update function on the Edge device _regardless_ of the 20-minute timer. I've just tried it on 2 boxes which had a long time left till "auto update" (15 min and 9 min) and within 50 seconds of the policy installation I did, they triggered auto update and downloaded the policy. I know what the documentation says about 20 min, and that if you want to force a policy download you should do "refresh" on the Edge/Nokia IPx device, but as mentioned above, after testing they always initiate the download within 50 secs of Policy > Install. If this is strange, undocumented or something else, I let others judge :P

Last edited by abusharif; 2007-11-19 at 07:20.

tcpdump and logs confirm it as well. As soon as I initiate the policy install, SmartCenter sends the packet to the IP4x device.

```text
15:50:28.482899 O smartcenter.9282 > ip4x-node.9281: udp 64
15:50:28.791103 I ip4x-node.9281 > smartcenter.9282: udp 96
15:50:28.794852 I ip4x-node.9281 > smartcenter.9282: udp 456
15:50:29.486071 O smartcenter.9282 > ip4x-node.9281: udp 224
15:50:29.802843 I ip4x-node.9281 > smartcenter: udp 120
```

A few secs later the following appears in the Nokia log:

```text
Installed updated security policy (downloaded)
```

Ah, well, doesn't really matter, got a bit off-topic from the original post. But I'll try to verify this with a CP SE as soon as I can.