CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Check Point 1100 Appliance - FAQ

  1. #1

    Check Point 1100 Appliance - FAQ




    Author: Danny Jung

    Want more Check Point info? Read our tech blog!



    Q: What's the official product site ?
    A: Check Point 1100 Appliance | Datasheet | Support Center

    Q: Which Sales Tools are available ?
    A: Sales Guide | Customer Presentation | FAQ



    Q: What's new ?
    A: The Check Point 1100 Appliance series was introduced at the Check Point Experience 2013 in Barcelona and is the successor to the UTM-1 Edge and the SG80 Appliance series. As such it features the best All-In-One NGF Enterprise-Class Security solution for Branch Offices. The 1100 Appliance integrates an 8-Port Switch (Layer 3, managed), DSL modem (Annex A/B), Next Generation Firewall (including a NAT Router, Threat Prevention, IPS, Anti-Virus, Anti-Spam, Application Control & URL Filtering), Identity Awareness, Mobile Access, WLAN Router, Wi-Fi Hotspot and more. It also offers dynamic routing, quick deployment functions, 3G connectivity using a USB or Express Card support, multiple Internet connections, Policy Based Routing, DDNS (DynDns, No-IP), and more is planned with the upcoming firmware releases.

    Q: What does it look like ?
    Front:


    Back:


    Q: Which 1100 Appliance license models are available ?
    A: 1120 Appliance -> replaces UTM-1 Edge N
    A: 1140 Appliance -> replaces UTM-1 Edge N
    A: 1180 Appliance -> replaces UTM-1 Edge N and SG80 (Model 80)

    Q: Can I upgrade the licensed model later on (1120 -> 1140/1180 or 1140 -> 1180) ?
    A: At the moment you can trade-in your 1100 Appliance to get the higher model for 20% off. This is possible in form of a license or hardware upgrade.

    Q: What are differences between the Safe@Office, UTM-1 Edge, Series 80, 1100 and 1200R appliances ?
    A:
    | | Safe@Office N | UTM-1 Edge N | Series 80 | 1100 Appliance | 1200R Rugged Appliance |
    |---|---|---|---|---|---|
    | Market | Consumer | Small Office | Branch Office | Small & Branch Offices | Industrial |
    | Network Ports | 6x GbE | 6x GbE | 10x GbE | 10x GbE | 6x GbE; 2x GbE Fiber |
    | ADSL | Yes | Yes | - | Yes | - |
    | Wi-Fi | Yes | Yes | - | Yes | - |
    | Architecture | NGX Embedded | NGX Embedded | Software Blades (R71.45: FW, VPN, IPS, AV, ASPM, URLF) | Software Blades (R75.20: FW, VPN, IPS, AV, ASPM, URLF, APCTL, IA) | Software Blades (R77.20: FW, VPN, IPS, AV, ASPM, ABOT, URLF, APCTL, IA) |
    | Management | Web UI | Web UI & Central Security Management | Central Security Management | Web UI & Central Security Management | Web UI & Central Security Management |
    | Deployment | Standalone | Standalone & Distributed | Distributed | Standalone & Distributed | Standalone & Distributed |
    | High Availability | Yes | Yes | Yes | Yes | Yes |
    | Large Scale Management | Security Management Portal | SmartProvisioning | SmartProvisioning | SmartProvisioning | SmartProvisioning |

    Q: Which 1100 Appliance hardware models are available ?
    A: Initial Product Name: SG-80A
    A: Model: L-50 Check Point 1100 Appliances (formerly: Check Point Security Gateway 80 WIFI Appliance)
    A: Model: L-50D Check Point 1100 Appliances with ADSL annex A/B
    A: Model: L-50W Check Point 1100 Appliances, WIFI WORLD (formerly: Check Point Security Gateway 80 WIFI Appliance)
    A: Model: L-50WD Check Point 1100 Appliances with ADSL annex A/B, WIFI WORLD

    Each model can be ordered with ADSL2 Annex A (POTS) or B (ISDN) and with WiFi 802.11n integrated.

    The hardware doesn't differ between a 1120, 1140 or 1180 model. It's the license that limits the appliance and locks it down to the licensed system qualities.

    The 1120 Appliance can be ordered as a classic Firewall appliance with a Software Blades bundle consisting of 5 blades (FW, VPN, ADNC, IA, MOB-5) or, just like the 1140 and 1180 Appliance models, as a fully featured Next Generation Firewall with a Software Blades bundle consisting of 10 blades (FW, VPN, ADNC, IA, MOB-5, IPS for 1 year, APCL for 1 year, URLF for 1 year, AV for 1 year, ASPM for 1 year).

    Q: What are the differences between the Wi-Fi-FCCA and Wi-Fi-WORLD SKUs and which should I order ?
    A: The FCCA SKU is for the United States. The WORLD SKU is for the rest of the world.

    Q: What is the sizing recommendation ?
    A: The sizing recommendation is based on number of users.
    A: 1120 Appliance -> Up to 10 Users, 28 SPU (SecurePower Units)
    A: 1140 Appliance -> Up to 25 Users, 34 SPU (SecurePower Units)
    A: 1180 Appliance -> Up to 50 Users, 37 SPU (SecurePower Units)

    Q: Can I just buy the 1120 Appliance Firewall package and later purchase the Threat Prevention package ?
    A: Yes, you can add Threat Prevention package to the 1120 Appliance.

    Q: Do I have to renew the Threat Prevention blades to get updated signatures ?
    A: Yes. The service blades are for 1 year, two or three years. When this period ends, they must be renewed to get updates.

    Q: What are the throughput rates when used in production ?
    A: 350 Mbps - Firewall
    A: 50 Mbps - Firewall & IPS

    Q: How do the 600 Appliance models differ from the 1100 Appliance models ?
    A: The 600 Appliance models are technically identical to the 1100 Appliance models. They even use the same firmware. However, they are branded and sold as an All-In-One solution for the SMB market and therefore cannot be managed centrally by a Check Point SmartCenter Server, just like the Check Point Safe@Office Appliance line they replaced.

    Q: How do I get started ?
    A: Check Point provides this Getting Started Guide.

    Q: How is it delivered ?
    A: Let's start unpacking it.




    Q: What CPU is working inside ?
    A: ARM926EJ-S rev 1 (v5l)

    Q: What operating system is it running on ?
    A: The 1100 Appliance says: Check Point SecurePlatform Embedded R75.20 (Linux Kernel 2.6.22.18)
    A: Check Point says: "We officially call the OS on the SG1100 Embedded Gaia." However, the Check Point websites name the OS "Gaia Embedded", so there is still some confusion whether it's Embedded Gaia or Gaia Embedded. sk92741 lists the Gaia Embedded OS features.

    Q: What are the features of Check Point Gaia Embedded OS ?
    A: Check Point lists it right here.

    Q: What does this mean compared to a UTM-1 Edge ?
    A: You'll work with a real Linux OS that is hardened and optimized by Check Point for the Embedded 1100 Appliance and behaves almost just like GAiA. That means you can log in to Expert Mode and access all typical Linux and Check Point commands (including tcpdump, fw monitor, fw ctl pstat, cpinfo, vpn debug etc.)

    Q: How much RAM does it feature ?
    A: 512MB RAM

    Q: Which MAC addressing scheme is used for the 1100 Appliance series ?
    A: 00:1C:7F:__:__:__

    Q: From which SmartCenter version upwards can it be managed centrally ?
    A: R75.46 for R75.20 based firmwares.
    A: R77.30 for R77.20 based firmwares.

    Q: What is the most recent firmware version ?
    A: Check Point lists its 1100 firmwares in sk97766.

    R75.20

    Release Build Date Firmware
    R75.20 (983002888) [Apr 10 2013] fw1_dep_R75_983002888_20.img
    R75.20 (983002910) [May 01 2013] fw1_dep_R75_983002910_20.img | Release Notes (PDF) | Known Limitations
    R75.20 (983003174) [May 23 2013] fw1_dep_R75_983003174_20.img | Release Notes | Mirror
    R75.20 (983003532) [Jun 20 2013] fw1_dep_R75_983003532_20.img
    R75.20 (983003552) [Jul 15 2013] fw1_dep_R75_983003552_20.img | Release Notes | SmartUpdate Package
    R75.20 (983003571) [Jul 16 2013] fw1_dep_R75_983003571_20.img | Fixes a nasty VPN issue when IP is changed by ISP on DAIP device.
    R75.20.25 (983003634) [Aug 21 2013] fw1_dep_R75_983003634_20.img | Release Notes | SmartUpdate Package
    R75.20.26 (983003690) [Sep 29 2013] fw1_dep_R75_983003690_20.img | Release Notes | SmartUpdate Package
    R75.20.30 (983003757) [Oct 31 2013] fw1_dep_R75_983003757_20.img | Release Notes | SmartUpdate Package
    R75.20.40 (983003847) [Jan 05 2014] fw1_dep_R75_983003847_20.img | Release Notes | SmartUpdate Package
    R75.20.41 (983003857) [Jan 13 2014] fw1_dep_R75_983003857_20.img | Release Notes | SmartUpdate Package
    R75.20.42 (983003858) [Jan 26 2014] fw1_dep_R75_983003858_20.img | Release Notes | SmartUpdate Package
    R75.20.50 (983003911) [Feb 24 2014] fw1_dep_R75_983003911_20.img | Release Notes | SmartUpdate Package
    R75.20.60 (983003984) [May 29 2014] fw1_dep_R75_983003984_20.img | Release Notes | SmartUpdate Package
    R75.20.65 (983004042) [Sep 07 2014] fw1_dep_R75_983004042_20.img | Release Notes | SmartUpdate Package
    R75.20.66 (983004045) [Sep 30 2014] fw1_dep_R75_983004045_20.img | Release Notes | SmartUpdate Package
    R75.20.67 (983004051) [Nov 02 2014] fw1_dep_R75_983004051_20.img | Release Notes | SmartUpdate Package
    R75.20.69 (983004056) [Dec 17 2014] fw1_dep_R75_983004056_20.img | Release Notes | SmartUpdate Package
    R75.20.70 (983004110) [Jul 06 2015] fw1_dep_R75_983004110_20.img | Release Notes | SmartUpdate Package
    R75.20.71 (983004120) [Oct 11 2015] fw1_dep_R75_983004120_20.img | Release Notes | SmartUpdate Package

    R77.20
    Known Limitations

    Release Build Date Firmware
    R77.20.00 (990171289) [May 26 2015] fw1_dep_R77_990171289_20.img | Release Notes | SmartUpdate Package
    R77.20.10 (990171468) [Sep 07 2015] fw1_dep_R77_990171468_20.img | Release Notes | SmartUpdate Package
    R77.20.11 (990171471) [Oct 13 2015] fw1_dep_R77_990171471_20.img | Release Notes | SmartUpdate Package
    R77.20.20 (990170830) [Apr 14 2016] fw1_dep_R77_990170830_20.img | Release Notes (PDF) | SmartUpdate Package
    R77.20.31 (990170952) [Aug 01 2016] fw1_dep_R77_990170952_20.img | Release Notes (PDF) | SmartUpdate Package
    R77.20.40 (990171107) [Oct 06 2016] fw1_dep_R77_990171107_20.img | Release Notes (PDF) | SmartUpdate Package
    R77.20.51 (990171302) [Feb 05 2017] fw1_dep_R77_990171302_20.img | Release Notes (PDF) | SmartUpdate Package
    R77.20.60 (990171654) [Jul 12 2017] fw1_dep_R77_990171654_20.img | Release Notes (PDF) | SmartUpdate Package
    R77.20.70 (990171995) [Jan 24 2018] fw1_dep_R77_990171995_20.img | Release Notes (PDF)
    R77.20.75 (990172286) [Jan 30 2018] fw1_dep_R77_990172286_20.img | Release Notes (PDF) | SmartUpdate Package

    Final Version

    R77.20.80 (990172392) [Jul 10 2018] fw1_dep_R77_990172392_20.img | Release Notes (PDF) | SmartUpdate Package

    Q: Which is the default management port ?
    A: Port 4434/tcp (https://192.168.1.1:4434)

    Q: Which browser should I use to manage it ?
    A: Only use the latest version of Google Chrome for Windows 7/8. There are some issues known when using Microsoft Internet Explorer to export VPN certificates and when using any Web browser on Apple Mac OS X.

    Q: How can I find things quickly ?
    A: Use the search form at the upper right corner.



    Q: Where can I find the sitemap for quick access to all available configuration pages ?
    A: Right under "Home > Site Map".



    Q: Where can I quickly view my 1100 Appliance's status in the Web UI ?
    A: Right at the status bar. Mouse-overs provide you with quick status overviews, clicks forward you to the specific configuration pages.



    Q: How are the LED statuses of my Check Point 1100 Appliance described ?
    A:
    | LED | Description |
    |---|---|
    | Power | Green when the appliance is turned on |
    | Notice | Blinking Green during boot; Red when the appliance has a resource problem, such as memory shortage |
    | LAN1-LAN8, DMZ, WAN | Link Indicator [Port Speed]: Orange (1000 Mbps), Green (100 Mbps), Off (10 Mbps); Activity Indicator: Blinking Green when encountering traffic |
    | WLAN | Blinking Green when encountering traffic |
    | DSL | Link Indicator: Green (DSL connection established), Blinking Green (Establishing DSL connection), Off (DSL connection not established); Activity Indicator: Blinking Green when encountering traffic, Off (DSL line is idle) |
    | Internet | Green when connected to Internet; Blinking Red when Internet connection is configured but fails to connect |
    | USB1, USB2 | Orange when a USB device is connected |

    Q: Which SD card types are supported ?
    A: SD-HC card types up to 32GB only. If inserted, the 1100 Appliance will automatically format them. Logs can then be saved to the card.

    Q: Which 3G and 4G/LTE Modems are supported with Check Point 600 / 1100 appliances ?
    A: Check Point lists all supported cellular modems in sk92809 and in the firmware release notes. Therefore the following two tables provide a more specific overview.

    Q: Which 3G modems are supported ?
    A: Check Point lists all supported modems in sk92809.

    | Model | Type | Port | Support Reference | Check Point Store |
    |---|---|---|---|---|
    | Huawei | K4605 | USB | sk92809 | |
    | Huawei | Ec1561 | USB | sk92809 | |
    | Huawei | E372 | USB | sk92809 | |
    | Huawei | E177 | USB | sk92809 | |
    | Huawei | E173 | USB | sk101972 | |
    | MobiData | MBD-200HU | USB | sk92809 | |
    | Novatel | Merlin X950D | Express Card | sk92809 | |
    | Novatel | MC547 | USB | sk92809 | |
    | Pantech (Verizon) | UMW190 | USB | sk92809 | |
    | Prolific | PL2303 | USB | sk93586 | |
    | Radicom | MB-U (Embedded NGX Connectivity Module) | USB | sk92809 | Buy |
    | Smartbro (ZTE) | MF667 | USB | sk94227 | |
    | Sprint | U301 | USB | sk92809 | |
    | Vodafone (Huawei) | K3806 | USB | sk92809 | |
    | ZTE | AC2726 | USB | sk92809 | |
    | ZTE | MF120 | USB | sk101972 | |
    | ZTE | MF190 | USB | sk94227 | |
    | ZTE | MF669 | USB | sk98404, sk92809 | |
    | ZTE | WM 320 | USB | sk101972 | |

    Q: Which 4G/LTE modems are supported ?
    A: Check Point lists all supported modems in sk92809.

    | Model | Type | Port | Support Reference |
    |---|---|---|---|
    | Huawei (Vodafone) | k5150 | USB | sk101972 |
    | Netgear | 340U | USB | sk101972 |
    | Netgear | 341U | USB | sk101972 |
    | Novatel | 551L (Vendor Id: 1410, Product Id: b001) | USB | sk92809 |
    | Pantech | UML290 | USB | sk92809, sk100442 |
    | Sierra | 313U | USB | sk95589 |
    | Sierra | 320U | USB | sk95589 |

    Q: The 1100 appliance type is missing in R75.46 / R76 SmartDashboard ?
    A: sk92732 provides an automatic and a manual procedure to add it.

    Q: Why does a policy installation onto my Check Point 1100 Appliance fail with *** glibc detected *** errors ?
    A: sk93385 provides a hotfix and installation instructions.

    Q: Why do I have issues changing the filtering list of allowed MAC addresses for wireless connections ?
    A: This is a known issue in current releases. Only change wireless settings when you are directly connected to your 1100 Appliance. Changing wireless settings, such as the MAC address filtering list, when connected per WLAN (via Wi-Fi) leads to a permanent error in the configuration that won't even be resolved by connecting directly later on. Only a complete reset of the 1100 Appliance will currently fix this issue.

    Q: Why does my 1100 Appliance not perform as fast as my previous UTM-1 Edge N Appliance ?
    A: The 1100 Appliance performs far more security functions than a UTM-1 Edge N, which is why you are seeing differences in performance. By disabling blades you are not using in Home > Security Dashboard, performance should improve. Always keep in mind that a 1100 Appliance is Check Point's smallest NGF Appliance, designed for the best security even in small and home office environments. Since it's an Embedded Appliance running on an ARM CPU, it's by design of the product that its performance assets are quite limited. The more blades it has to run, the less the overall performance will be.

    Q: Why do I get an error when activating my Check Point 1100 Appliance ?
    A: It's always recommended to activate the Check Point 1100 Appliance manually. Therefore just generate and download the activation file in your Check Point UserCenter account. Then activate your 1100 Appliance with the downloaded activation file. Backup the activation file for later activations.
    A: As described in sk93382, doing the activation online can cause several errors, like 'Maximal number of activations exceeded.' or 'Cannot find registration information for the appliance in the Check Point User Center. Currently using trial license.'

    Q: Does the 1100 Appliance support clustering ?
    A: Of course. You'll have to use High Availability (Active/Standby) clustering mode as Load Sharing mode is not supported yet (known limitation).

    Q: How can I create a custom boot script / disable SecureXL permanently ?
    A: sk65015 describes a solution where a custom userScript can be created that will be loaded after each reboot. It's actually as simple as putting your commands or scripts containing full paths in /pfrm2.0/etc/userScript
    Code:
    [Expert@fw]# cd /pfrm2.0/etc/
    [Expert@fw]# vi userScript
    [Expert@fw]# chmod 755 userScript   # executable is enough; a world-writable (777) script run as root at every boot could be altered by any local user

    Q: How is synchronization configured in a 1100 Appliance cluster ?
    A: The Sync interface is usually configured on LAN2. Using the wireless interface as the Sync interface is not supported.
    A: Before configuring a local cluster, make sure that the sync interface is unassigned by checking the Device > Local Network page in the WebUI.
    A: sk52500 describes how to configure a Sync interface other than LAN2.

    Q: How can I quickly check the top firewall policy rule hits ?
    A: Login to your 1100 Appliance via SSH. Enter the command: show rule-hits

    Q: How can I securely copy files via scp to/from my 1100 Appliance ?
    A: Just enable Scp access with this expert-mode command: bashUser on
    Code:
    [Expert@fw]# bashUser on
    user: admin
    
    Bash login enabled.
    Scp access enabled.
    
    Note:
            Your default shell will now be bash,
            and when you login you will enter expert mode.
            We recommend that you use clish as your default shell,
            and move to expert mode only when necessary.
            You can move from bash to clish using the "clish" command.
            To restore your default shell to clish run "bashUser off"
    A: Disable Scp access after copying your files via: bashUser off
    Code:
    [Expert@fw]# bashUser off
    user: admin
    
    Bash login disabled.
    Scp access disabled.
    Cpshell enabled.
    A: sk52763 describes the same procedure for using WinSCP.

    Q: Can I run my own scripts on the 1100 Appliance ?
    A: Yes. They will not survive a firmware upgrade though, so keep track of your additions/modifications and recreate them after upgrading.

    Q: How can I save local backups most easily ?
    A: Just connect a standard FAT-formatted USB stick to the back or front USB port of your 1100 Appliance as a local storage device for backups.
    Code:
    clish> backup settings to usb
    Creating backup...
    Uploading backup_filename.zip to the USB device
    Upload complete
    Your settings have been successfully backed up and saved on your USB drive
    A: Please note: An empty backup file will be created if the 1100 Appliance just runs with a trial license. To overcome this issue, you'd need to back up the specific files manually.

    Q: Is dynamic routing supported ?
    A: Of course.

    Q: Which ports do I need to allow in order for my 1100 Appliance to be able to talk to my Check Point Security Management / Log Server ?
    A: sk93566 lists the ports that need to be allowed. Usually it's:

    1: Src - Any, Dst - Security Management server IP, TCP port 18210 (service FW1_ica_pull)
    2: Src - Any, Dst - Security Management server IP, TCP port 18191 (service CPD)
    3: Src - Any, Dst - Log Server server IP, TCP port 257 (service FW1_log)

    Q: How can I set up a certificate based VPN on my 1100 Appliance ?
    A: Danny Jung has written an article about Certificate based VPNs with Check Point appliances.

    Q: How can I troubleshoot VPN issues on my 1100 Appliance ?
    # Web UI
    A: Check for any related VPN log entries at Logs & Monitoring > Security Logs
    A: Check the status of your VPN tunnels at VPN > VPN Tunnels
    A: Test your VPN configuration at VPN > VPN Sites

    # Console
    A: You can do a full IKE debug in Expert Mode via these steps:
    Step 1: Turn on VPN debug mode: vpn debug trunc; vpn debug on TDERROR_ALL_ALL=5
    Step 2: Recreate the VPN issue
    Step 3: Turn off VPN debug mode: vpn debug off; vpn debug ikeoff
    Step 4: Copy $FWDIR/log/ike.elg to your PC and inspect it with IKEView

    Q: How can I disable the First Time Configuration Wizard ?
    A: The First Time Configuration Wizard will be disabled by default after completing it.
    A: You might also disable it manually by executing the following command at the console: set property first-time-wizard off
    Code:
    $ ssh -l admin 192.168.1.1
    admin@192.168.1.1's password: 
    > Welcome to CLISH. The First Time Configuration wizard was not completed yet
    > NOTE: The First Time Configuration wizard may delete or override some of the settings you set in CLISH
    > To disable the First Time Configuration wizard (and USB automatic configuration) please run "set property first-time-wizard off"
    
    clish>

    Q: How can I run the First Time Configuration Wizard again ?
    A: You can run it once by entering the following command at the console: set property first-time-wizard once

    Q: How do I successfully establish a VPN connection with a locally managed 1100 Appliance using certificates ?
    A: While the Check Point 1100 Appliance was primarily designed to be centrally managed in corporate enterprise networks, it is also possible that there is a locally (i.e. externally managed) 1100 Appliance that needs to be configured for a VPN connection to your corporate Check Point VPN gateway / cluster. Even dynamically assigned IP address (DAIP) gateway solutions which have to keep up a permanent VPN tunnel to the corporate office are possible. sk94028 describes the full configuration procedure.

    Q: How do I set up certificate based VPNs with my Check Point 1100 appliance ?
    A: Please read my article about how to set up certificate based VPNs.

    Q: Why do I get an "invalid certificate" error when trying to establish a Site-to-site VPN with my 1100 Appliance using an internal certificate ?
    A: Check Point provides a detailed description of the cause and a working solution here.

    Q: Why does no traffic pass through the VPN tunnel between my 1100 Appliances and an interoperable device ?
    A: You probably forgot to mark the interoperable device as a Check Point gateway as described here.

    Q: Which clustering modes are supported by Check Point 1100 Appliances ?
    A: High Availability (HA) only. Load Sharing mode is not supported (yet) as noted in the Known Limitations.

    Q: Which clustering technology is being used by the Check Point 1100 Appliances ?
    A: Check Point ClusterXL.

    Q: Can I configure a Check Point 1100 Appliance cluster by using two different 1100 models ?
    A: Yes. However, clusters should be always configured using identical cluster nodes for better consistency, stability and reliability.

    Q: Can I configure a Check Point 1100 Appliance cluster with cluster nodes running on different firmwares ?
    A: No. This would lead to the following error:


    Q: Can I configure a Check Point 1100 Appliance cluster with more than two cluster nodes ?
    A: Check Point officially says: "A Check Point 1100 Appliance security gateway cluster is a group of 2 members each representing a separate Check Point 1100 Appliance". So this is the only supported solution. However, more than two cluster nodes can be configured centrally when editing the cluster properties in classic mode. In local management just two cluster nodes (primary, secondary) can be configured.

    Q: Is there any other limitation when considering to run Check Point 1100 Appliances in clustering mode ?
    A: Yes, you can use neither switches nor bridges in the local configuration of your 1100 Appliances.


    Q: How do I know if my inactive cluster node became active when running Check Point 1100 Appliances in clustering mode ?
    A: In centralized management just check SmartView Monitor. In local management you'll receive a notification in the WebUI.


    Q: How do I know if my active cluster node became inactive when running Check Point 1100 Appliances in clustering mode ?
    A: In centralized management just check SmartView Monitor. In local management you'll receive a notification in the WebUI.


    Q: When running Check Point 1100 Appliances in clustering mode, how can I manually change the activity of the cluster nodes ?
    A: In centralized management just change the priority of the cluster nodes in the cluster object properties and install the security policy.
    A: In local management you can force a member down by hitting the button 'Force Member Down' in the WebUI of the specific cluster node.
    A: You can always use the typical ClusterXL commands at the console to control your Check Point 1100 Appliance cluster. (i.e. clusterXL_admin up/down)

    Q: I configured a Check Point 1100 Appliance cluster but still keep getting errors ?
    A: Don't forget to reboot your Check Point 1100 Appliances right after the cluster configuration in order to get the cluster working. Otherwise you might see blocked connections for the service 'CP_Cluster_sync' in your log files.


    Q: I keep getting an 'Error during OS sync' at the end of my Check Point 1100 Appliance cluster configuration ?
    A: To overcome this issue just reboot your Check Point 1100 Appliance without closing the error window shown below.


    Q: Why are connections to TCP port 443 blocked on my 1100 Appliance ?
    A: Because this port is already being used by the Visitor Mode functionality for Remote Access users. sk93746 provides a solution.

    Q: Why is my VoIP phone not working behind my locally managed 1100 Appliance ? Why does my IPS blade still block SIP traffic with the error message 'IPS - SIP data malformed or Error with SIP data.' even after I turned it off ?
    A: Because on Check Point 1100 Appliances that are locally managed, the implicit policy rules of the IPS blade are working, even if the blade is turned off or an exception rule is created. sk93200 provides a solution by changing the default port (5060) of the SIP_TCP and SIP_UDP objects and creating two new ones. This circumvents the content inspection engine and therefore will allow your VoIP phone to work.

    Q: How do I create an "Allow and Forward" rule on my locally managed 1100 Appliance ?
    A: sk93588 describes how to make use of the server types for this.

    Q: What's on the road map ?
    A: A new 1100 Industrial Appliance will be available in Q1/2015.
    A: IPv6 support is planned to be integrated in future releases.
    A: A rack mount kit accessory will be added to the price list shortly to allow housing 1100 Appliances side-by-side or centered in a 19” wide rack.

    Q: What's missing ?
    A: The integrated Terminal Console Window that the GAiA Portal features.
    A: An online demo of the Check Point 1100 Appliance's WebUI, similar to the old UTM-1 Edge Demo.
    A: A visual overview about all ports and their connection status, similar to what the UTM-1 Edge offered under Network > Ports.
    A: More information on the System Information page. Like cluster status, VPN status, connected USB sticks or SD cards etc.
    A: An option to allow two or more Admins to login to the WebUI at the same time.

    Q: Is SandBlast supported by version R77.20.51 ?
    A: Yes, the 700 / 1400 / 1200R appliances support the Threat Emulation Blade.
    A: Locally managed appliances emulate their files in the ThreatCloud.
    A: Centrally managed appliances have the additional option to emulate their files in a remote SandBlast appliance.
    A: Threat Emulation support for centrally managed appliances will be available on R80.10 Security Management Server
    N: An additional license is needed for the Threat Emulation Blade.
    N: Further information can be found in the following sk's: sk114815, sk115616.
    Last edited by danjun; 2018-10-30 at 07:25.
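As an added example (not part of Danny Jung's post or any Check Point tool), here is a small Python checker that reads the firmware table format used in the FAQ above, maps an image filename back to its release, and reports whether a device is on the final R77.20.80 build and which SmartCenter version can manage it. The table rows embedded below are a subset copied from the FAQ; the function names are my own, and the catalogue would need the full sk97766 list in practice.

```python
import re
from datetime import date
from typing import NamedTuple, Optional


class Release(NamedTuple):
    version: str      # e.g. "R77.20.80"
    build: int        # number in parentheses in the FAQ table
    released: date
    image: str        # fw1_dep_<family>_<build>_20.img

    def version_tuple(self) -> tuple:
        # "R75.20" -> (75, 20, 0); "R77.20.80" -> (77, 20, 80)
        parts = [int(p) for p in self.version.lstrip("R").split(".")]
        return tuple(parts + [0] * (3 - len(parts)))


MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}
MONTHS["Dez"] = 12   # the FAQ table spells December the German way once

# Row shape: "R75.20.71 (983004120) [Oct 11 2015] fw1_dep_R75_983004120_20.img | Release Notes | ..."
LINE_RE = re.compile(
    r"^(R\d+\.\d+(?:\.\d+)?)\s+\((\d+)\)\s+\[([A-Za-z]{3}) (\d{1,2}) (\d{4})\]\s+(fw1_dep_\S+?\.img)")
IMAGE_RE = re.compile(r"^fw1_dep_(R\d+)_(\d+)_20\.img$")


def parse_release_line(line: str) -> Optional[Release]:
    """Parse one row of the FAQ firmware table; None for headings and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    version, build, mon, day, year, image = m.groups()
    return Release(version, int(build), date(int(year), MONTHS[mon], int(day)), image)


# Constructed input: a subset of the FAQ rows, copied verbatim (including the "Dez" spelling).
FAQ_TABLE = """
Release Build Date Firmware
R75.20 (983002888) [Apr 10 2013] fw1_dep_R75_983002888_20.img
R75.20.69 (983004056) [Dez 17 2014] fw1_dep_R75_983004056_20.img | Release Notes | SmartUpdate Package
R75.20.71 (983004120) [Oct 11 2015] fw1_dep_R75_983004120_20.img | Release Notes | SmartUpdate Package
R77.20.11 (990171471) [Oct 13 2015] fw1_dep_R77_990171471_20.img | Release Notes | SmartUpdate Package
R77.20.20 (990170830) [Apr 14 2016] fw1_dep_R77_990170830_20.img | Release Notes (PDF) | SmartUpdate Package
R77.20.80 (990172392) [Jul 10 2018] fw1_dep_R77_990172392_20.img | Release Notes (PDF) | SmartUpdate Package
"""

CATALOGUE = [r for r in map(parse_release_line, FAQ_TABLE.splitlines()) if r]
BY_IMAGE = {r.image: r for r in CATALOGUE}
FINAL = max(CATALOGUE, key=Release.version_tuple)

# Minimum SmartCenter version that can manage each firmware family (from the FAQ).
MIN_MANAGEMENT = {"R75": "R75.46", "R77": "R77.30"}


def is_newer(a: Release, b: Release) -> bool:
    """Order releases by version, never by build number: in the FAQ table
    R77.20.20 carries build 990170830, which is lower than R77.20.11's 990171471."""
    return a.version_tuple() > b.version_tuple()


def check_image(image_name: str) -> dict:
    """Map a firmware image filename to its release and report whether it is the final build."""
    m = IMAGE_RE.match(image_name)
    if not m:
        raise ValueError(f"not an 1100 firmware image name: {image_name!r}")
    family, build = m.group(1), int(m.group(2))
    rel = BY_IMAGE.get(image_name)
    if rel is None:
        raise LookupError(f"{family} build {build} is not in the catalogue")
    return {
        "version": rel.version,
        "released": rel.released.isoformat(),
        "is_final": rel.version_tuple() == FINAL.version_tuple(),
        "final_version": FINAL.version,
        "min_management": MIN_MANAGEMENT[family],
    }


if __name__ == "__main__":
    for name in ("fw1_dep_R75_983004120_20.img", "fw1_dep_R77_990172392_20.img"):
        print(name, check_image(name))
```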

  2. #2

    Re: Check Point 1100 Appliance - FAQ

    I thought the 1100 was a successor to the SG80 series. Is it also replacing the UTM-1 Edge as well?
    I thought the 600 series was replacing the UTM-1 Edge
    Last edited by mcnallym; 2013-05-07 at 09:04.

  3. #3

    Re: Check Point 1100 Appliance - FAQ

    Excellent! Let me know if you need anything special here on the discussion board.
    Barry J. Stiefel ("Stee-ful" or "Shtee-ful")
    B.S., MBA, CCSA/CCSE/CCSE+/CCSI
    Resilience RCSE/RCSI, Fortinet FCSE
    CISSP, MCSE, NSA ISM
    Founder of CPUG
    Founder of CPUG University

  4. #4

    Re: Check Point 1100 Appliance - FAQ

    Quote Originally Posted by mcnallym:
    I thought the 1100 was a successor to the SG80 series. Is it also replacing the UTM-1 Edge as well?
    I thought the 600 series was replacing the UTM-1 Edge
    Yes, it is replacing the SG80 and the UTM-1 Edge at the same time.
    The 600 series replaces the Safe@Office models and cannot be managed centrally by a Check Point SmartCenter Server.

    @Barry: I'd recommend renaming this forum from "Series 80" to "1100 Appliances" and making this FAQ sticky.

  5. #5

    Re: Check Point 1100 Appliance - FAQ

    Quote Originally Posted by dantro:
    Yes, it is replacing the SG80 and the UTM-1 Edge at the same time.
    The 600 series replaces the Safe@Office models and cannot be managed centrally by a Check Point SmartCenter Server.

    @Barry: I'd recommend renaming this forum from "Series 80" to "1100 Appliances" and making this FAQ sticky.
    Now it's sticky and I've renamed the forum. Let me know what else I can do to help.
    Barry J. Stiefel ("Stee-ful" or "Shtee-ful")
    B.S., MBA, CCSA/CCSE/CCSE+/CCSI
    Resilience RCSE/RCSI, Fortinet FCSE
    CISSP, MCSE, NSA ISM
    Founder of CPUG
    Founder of CPUG University

  6. #6

    Re: Check Point 1100 Appliance - FAQ

    On Gaia Embedded does the administrator have access to a full command shell (like expert mode on regular Gaia) and the ability to run a tcpdump from the command line?

    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
    Last edited by ShadowPeak.com; 2015-12-05 at 00:43.

  7. #7

    Re: Check Point 1100 Appliance - FAQ

    Quote Originally Posted by ShadowPeak.com:
    On Gaia Embedded does the administrator have access to a full command shell (like expert mode on regular Gaia) and the ability to run a tcpdump from the command line?
    I can confirm from a box we had in for demoing to customers that fw monitor and tcpdump are both available on the 1100 series via the console. Made my day, that did; I can start doing the basic debug checks that I used to do.

  8. #8

    Re: Check Point 1100 Appliance - FAQ

    This is excellent stuff. A couple of minor corrections/additions.

    1. We officially call the OS on the SG1100 Embedded Gaia.

    2. clish on the SG1100 is very similar to Gaia on the regular appliances, though there are some differences.

    3. When you drop to expert mode, you get a full Unix-type shell with most of the usual commands (fw monitor, tcpdump, etc). If you're interested in knowing if specific commands are available, I can check.

    4. SG80s can be upgraded to SG1100s by loading the new firmware (surprised no one asked this yet) but because we have less ram in the SG80, the max concurrent connections attainable on the SG80 will be a bit lower than on the SG1100.

    5. The main difference between the SG600 and SG1100 is the color of the chassis (the SG600 is Orange like the old Safe@) and the type of central management allowed. Both types support local management. The SG600 can be centrally managed by Check Point's SMB Management Cloud service. The SG1100 can be managed by standard Check Point management running R75.46 or above. Neither unit can be managed by the old Sofaware SMP product.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  9. #9
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    19

    Default Re: Check Point 1100 Appliance - FAQ

    Quote Originally Posted by mcnallym View Post
I can confirm from a box we had in for demoing to customers that fw monitor and tcpdump are both available on the 1100 series via the console. Made my day, that did; I can start doing the basic debug checks that I used to do.
    Excellent, this was one of my major beefs with the Edge boxes.

    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
    Last edited by ShadowPeak.com; 2015-12-05 at 00:43.

  10. #10
    Join Date
    2013-05-22
    Posts
    2
    Rep Power
    0

    Default Check Point 1100 Appliance Speed

    Hello,
I am using an 1140 appliance and manage it locally. I have been having a problem with internet speed since I started using it. My speed is cut to half of what I used to get with the 1000N appliance with the cloud service. With the 1140 appliance the speed stays between 25-26 Mbps.
The service provider provides 50 Mbps. I was getting over 50 Mbps before I started using the 1140. I am using all the default settings it came with. QoS is default too. I am using it at home. I would appreciate any help to fix it.

  11. #11
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,500
    Rep Power
    22

    Default Re: Check Point 1100 Appliance Speed

    Quote Originally Posted by Sonny View Post
    Hello,
I am using an 1140 appliance and manage it locally. I have been having a problem with internet speed since I started using it. My speed is cut to half of what I used to get with the 1000N appliance with the cloud service. With the 1140 appliance the speed stays between 25-26 Mbps.
The 600/1100 performs far more security functions than a Safe@ 1000N, which is why you are seeing differences in performance. By disabling blades you are not using in Home > Security Dashboard, performance should improve.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  12. #12
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,500
    Rep Power
    22

    Default Re: Check Point 1100 Appliance - FAQ

    One other correction to this:

    To upgrade between one model and another, no hardware trade-in is required. You simply pay the difference in cost between the old and new SKU (i.e. it's a 100% trade-in credit). The SKU for your appliance will be updated in User Center and you install the updated license.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  13. #13
    Join Date
    2012-07-10
    Posts
    27
    Rep Power
    0

    Default Re: Check Point 1100 Appliance - FAQ

So what are your real-life experiences with the 1100 series? We already had one person who had performance issues with his 1140. Could you provide the info on which blades were running? I assume every blade was on ;) I would have been interested in what the speed gain would be if you enabled only the 5 standard blades.

I need an 1120/620 (without APPCTRL, IPS ...) for a 30/4 VDSL line with a small DMZ (only some small HTTP transactions in there) and fear that the 1120 will be a bottleneck.

  14. #14
    Join Date
    2013-05-22
    Posts
    2
    Rep Power
    0

    Default Re: Check Point 1100 Appliance - FAQ

    Hello,
I have turned off two blades under VPN, QoS is off, User Awareness is off. Still no improvement in speed. Anti-Spam is not scanning email (POP3, port 110). Any suggestions?

  15. #15
    Join Date
    2012-07-10
    Posts
    27
    Rep Power
    0

    Default Re: Check Point 1100 Appliance - FAQ

    Quote Originally Posted by Sonny View Post
    Hello,
I have turned off two blades under VPN, QoS is off, User Awareness is off. Still no improvement in speed. Anti-Spam is not scanning email (POP3, port 110). Any suggestions?
Whoa, that looks kinda bad :( Which blades are remaining now in your config? And how do you measure your speed? How many clients are behind the firewall? Can you run a "top" command (if available) while testing, post the output and explain your test method?

    br
    Andy
    Last edited by aueberbacher; 2013-07-09 at 16:18.

  16. #16
    Join Date
    2007-02-07
    Posts
    162
    Rep Power
    18

    Default Re: Check Point 1100 Appliance - FAQ

    This is a public static FAQ. Please reply only if you have something interesting to add. For anything else please open another thread.

  17. #17
    Join Date
    2010-08-20
    Posts
    10
    Rep Power
    0

    Default Re: Check Point 1100 Appliance - FAQ

    About the security logs: you wrote:

    Q: Which SD card types are supported ?
    A: SD-HC card types up to 32GB only. If inserted the 1100 Appliance will automatically format them. Logs can then be saved to the card.

But I was told by someone working at Check Point that logs are deleted from the SD card if there is an electrical failure or shutdown.
He suggests putting them on a USB stick.

Simple question: is it possible to decide where to write the logs (SD card or USB stick)? All I want is to keep them on the device (or an external memory) even in the case of an electrical failure.

    Thanks.

  18. #18
    Join Date
    2010-11-10
    Posts
    19
    Rep Power
    0

    Default Re: Check Point 1100 Appliance - FAQ

    Hello,

    new release out for 1100/600/SG80.

    https://supportcenter.checkpoint.com...tionid=sk94227

It solved a rather annoying bug for me: the S2S VPNs weren't displayed in the VPN tunnels menu.

  19. #19
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,500
    Rep Power
    22

    Default Re: Check Point 1100 Appliance - FAQ

    Quote Originally Posted by ypetiot View Post
    About the security logs: you wrote:

    Q: Which SD card types are supported ?
    A: SD-HC card types up to 32GB only. If inserted the 1100 Appliance will automatically format them. Logs can then be saved to the card.

But I was told by someone working at Check Point that logs are deleted from the SD card if there is an electrical failure or shutdown.
He suggests putting them on a USB stick.

Simple question: is it possible to decide where to write the logs (SD card or USB stick)? All I want is to keep them on the device (or an external memory) even in the case of an electrical failure.

    Thanks.
First of all, you can't really control where the logs go.
    Second, your "source" is correct, but only if there is no SD card.
    With an SD card, the logs are kept between reboots, power cycles, etc.

    I have logs on my unit from since the end of July.
    The unit was rebooted a few times since then, including to apply R75.20 HFA 25.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  20. #20
    Join Date
    2015-02-13
    Posts
    3
    Rep Power
    0

    Default Re: Check Point 1100 Appliance - FAQ

    Hello guys

I just need to upgrade from Gaia R75.20.50 to Gaia R75.20.69, but the only archive I found on checkpoint.com has the extension .img. I worked with Gaia R75.40, and everything was fine with the .iso extension, but in this case I can't see the files inside the .img. I tried to open it with a virtual clone drive and it doesn't work. I checked the file with an MD5 checker and it's OK. I need to know what the upgrade process is for this appliance, or whether somebody has done it.

I appreciate your help.

    regards
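Since the post above relies on an MD5 check of the downloaded .img before upgrading, here is a small verification helper as an added example. It is not code from the thread or from Check Point; it assumes the admin workstation has the POSIX `md5sum`/`sha256sum` tools, that the published digest is passed in as the second argument, and the image path (named `firmware.img` below only as a placeholder) as the first. It picks the hash algorithm from the digest length, normalises case, and refuses with a non-zero exit code on mismatch or a missing file, so it can gate an upgrade script.

```shell
#!/bin/sh
# Added example: verify a downloaded Gaia Embedded firmware image against the
# digest published next to the download before loading it on the appliance.
# Assumptions (not from the page): digest copied from the vendor download page;
# image stored locally on the admin workstation; md5sum/sha256sum available.

# verify_image <file> <expected-hex-digest>
#   returns 0 on match, 1 on mismatch, 2 on missing file or unrecognised digest
verify_image() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # digests are case-insensitive

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # choose the algorithm from the digest length: 32 hex chars = MD5, 64 = SHA-256
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unrecognised digest length ${#expected}" >&2; return 2 ;;
    esac

    actual=$("$tool" "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $tool $file"
        return 0
    fi
    echo "FAIL $tool $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Stand-alone demo on a constructed file (not a real firmware image):
#   sh verify_image.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_image "$tmp" b1946ac92492d2347c6235b4d2611184
    verify_image "$tmp" 00000000000000000000000000000000 || echo "mismatch detected, do not flash"
    rm -f "$tmp"
fi
```

Typical use is `verify_image firmware.img <digest from the download page> && proceed-with-upgrade`. Note that an MD5 match only proves the download was not corrupted in transit; it does not defend against a tampered image and matching tampered digest on a third-party mirror, so fetch both the image and its digest from the vendor's own support site over HTTPS, and prefer the SHA-256 digest whenever one is published.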
