Q: What's the official product site ?
A: Check Point 1100 Appliance | Datasheet | Support Center
Q: Which Sales Tools are available ?
A: Sales Guide | Customer Presentation | FAQ
Q: What's new ?
A: The Check Point 1100 Appliance series was introduced at the Check Point Experience 2013 in Barcelona and is the successor to the UTM-1 Edge and the SG80 Appliance series. As such it features the best All-In-One NGF Enterprise-Class Security solution for Branch Offices. The 1100 Appliance integrates an 8-Port Switch (Layer 3, managed), DSL modem (Annex A/B), Next Generation Firewall (including a NAT Router, Threat Prevention, IPS, Anti-Virus, Anti-Spam, Application Control & URL Filtering), Identity Awareness, Mobile Access, WLAN Router, Wi-Fi Hotspot and more. It also offers dynamic routing, quick deployment functions, 3G connectivity using a USB or Express Card support, multiple Internet connections, Policy Based Routing, DDNS (DynDns, No-IP), and more is planned with the upcoming firmware releases.
Q: How does it look like ?
Front:
Back:
Q: Which 1100 Appliance license models are available ?
A: 1120 Appliance -> replaces UTM-1 Edge N
A: 1140 Appliance -> replaces UTM-1 Edge N
A: 1180 Appliance -> replaces UTM-1 Edge N and SG80 (Model 80)
Q: Can I upgrade the licensed model later on (1120 -> 1140/1180 or 1140 -> 1180) ?
A: At the moment you can trade-in your 1100 Appliance to get the higher model for 20% off. This is possible in form of a license or hardware upgrade.
Q: What are differences between the Safe@Office, UTM-1 Edge, Series 80, 1100 and 1200R appliances ?
A:
|
Safe@Office N |
UTM-1 Edge N |
Series 80 |
1100 Appliance |
1200R Rugged Appliance |
Market |
Consumer |
Small Office |
Branch Office |
Small & Branch Offices |
Idustrial |
Network Ports |
6x GbE |
6x GbE |
10x GbE |
10x GbE |
6x GbE; 2x GbE Fiber |
ADSL |
Yes |
Yes |
- |
Yes |
- |
Wi-Fi |
Yes |
Yes |
- |
Yes |
- |
Architecture |
NGX Embedded |
NGX Embedded |
Software Blades (R71.45: FW, VPN, IPS, AV, ASPM, URLF) |
Software Blades (R75.20: FW, VPN, IPS, AV, ASPM, URLF, APCTL, IA) |
Software Blades (R77.20: FW, VPN, IPS, AV, ASPM, ABOT, URLF, APCTL, IA) |
Management |
Web UI |
Web UI & Central Security Management |
Central Security Management |
Web UI & Central Security Management |
Web UI & Central Security Management |
Deployment |
Standalone |
Standalone & Distributed |
Distributed |
Standalone & Distributed |
Standalone & Distributed |
High Availability |
Yes |
Yes |
Yes |
Yes |
Yes |
Large Scale Management |
Security Management Portal |
SmartProvisioning |
SmartProvisioning |
SmartProvisioning |
SmartProvisioning |
Q: Which 1100 Appliance hardware models are available ?
A: Initial Product Name: SG-80A
A: Model: L-50 Check Point 1100 Appliances (formerly: Check Point Security Gateway 80 WIFI Appliance)
A: Model: L-50D Check Point 1100 Appliances with ADSL annex A/B
A: Model: L-50W Check Point 1100 Appliances, WIFI WORLD (formerly: Check Point Security Gateway 80 WIFI Appliance)
A: Model: L-50WD Check Point 1100 Appliances with ADSL annex A/B, WIFI WORLD
Each model can be ordered with ADSL2 Annex A (POTS) or B (ISDN) and with WiFi 802.11n integrated.
The hardware doesn't differ between a 1120, 1140 or 1180 model. It's the license that limits the appliance and locks it down to the licensed system qualities.
The 1120 Appliance can be ordered as a classic Firewall appliance with a Software Blades bundle consisting of 5 blades (FW, VPN, ADNC, IA, MOB-5) or, just like the 1140 and 1180 Appliance models, as a fully featured Next Generation Firewall with a Software Blades bundle consisting of 10 blades (FW, VPN, ADNC, IA, MOB-5, IPS for 1 year, APCL for 1 year, URLF for 1 year, AV for 1 year, ASPM for 1 year).
Q: What are the differences between the Wi-Fi-FCCA and Wi-Fi-WORLD SKUs and which should I order ?
A: The FCCA SKU is for the United States. The WORLD SKU is for the rest of the world.
Q: What is the sizing recommendation ?
A: The sizing recommendation is based on number of users.
A: 1120 Appliance -> Up to 10 Users, 28 SPU (SecurePower Units)
A: 1140 Appliance -> Up to 25 Users, 34 SPU (SecurePower Units)
A: 1180 Appliance -> Up to 50 Users, 37 SPU (SecurePower Units)
Q: Can I just buy the 1120 Appliance Firewall package and later purchase the Threat Prevention package ?
A: Yes, you can add Threat Prevention package to the 1120 Appliance.
Q: Do I have to renew the Threat Prevention blades to get updated signatures ?
A: Yes. The service blades are for 1 year, two or three years. When this period ends, they must be renewed to get updates.
Q: What are the throughput rates when used in production ?
A: 350 Mbps - Firewall
A: 50 Mbps - Firewall & IPS
Q: How do the 600 Appliance models differ from the 1100 Appliance models ?
A: The 600 Appliance models are technically identical to the 1100 Appliance models. They even use the same firmware. However, they are branded and sold as an All-In-One solution for the SMB market and therefore cannot be managed centrally by a Check Point SmartCenter Server, just like the Check Point Safe@Office Appliance line they replaced.
Q: How do I get started ?
A: Check Point provides this Getting Started Guide.
Q: How is it delivered ?
A: Let's start unpacking it.
Q: What CPU is working inside ?
A: ARM926EJ-S rev 1 (v5l)
Q: What operating system is it running on ?
A: The 1100 Appliance says: Check Point SecurePlatform Embedded R75.20 (Linux Kernel 2.6.22.18)
A: Check Point says: "We officially call the OS on the SG1100 Embedded Gaia." However, the Check Point websites name the OS "Gaia Embedded", so there is still some confusion whether it's Embedded Gaia or Gaia Embedded. sk92741 lists the Gaia Embedded OS features.
Q: What are the features of Check Point Gaia Embedded OS ?
A: Check Point lists it right here.
Q: What does this mean compared to an UTM-1 Edge ?
A: You'll work with a real Linux OS that is hardened and optimized by Check Point for the Embedded 1100 Appliance and behaves almost just like GAiA. That means you can login to Expert Mode and access all typical Linux and Check Point commands (including tcpdump, fw monitor, fw ctl pstat, cpinfo, vpn debug etc.)
Q: How much RAM does it feature ?
A: 512MB RAM
Q: Which MAC adressing scheme is used for the 1100 Appliance series ?
A: 00:1C:7F:__:__:__
Q: From which SmartCenter version upwards can it be managed centrally ?
A: R75.46 for R75.20 based firmwares.
A: R77.30 for R77.20 based firmwares.
Q: What is the most recent firmware version ?
A: Check Point lists it's 1100 firmwares in sk97766.
R75.20
R77.20
Known Limitations
Final Version
Q: Which is the default management port ?
A: Port 4434/tcp (https://192.168.1.1:4434)
Q: Which browser should I use to manage it ?
A: Only use the latest version of Google Chrome for Windows 7/8. There are some issues known when using Microsoft Internet Explorer to export VPN certificates and when using any Web browser on Apple Mac OS X.
Q: How can I find things quickly ?
A: Use the search form at the upper right corner.
Q: Where can I find the sitemap for quick access to all available configuration pages ?
A: Right under "Home > Site Map".
Q: Where can I quickly view my 1100 Appliance's status in the Web UI ?
A: Right at the status bar. Mouse-overs provide you with quick status overviews, clicks forward you to the specific configuration pages.
Q: How are the LED statuses of my Check Point 1100 Appliance described ?
A:
LED |
Description |
Power |
Green when the appliance is turned on |
Notice |
Blinking Green during boot; Red when the appliance has a resource problem, such as memory shortage |
LAN1-LAN8, DMZ, WAN |
Link Indicator [Port Speed]: Orange (1000 Mbps), Green (100 Mbps), Off (10 Mbps); Activity Indicator: Blinking Green when encountering traffic |
WLAN |
Blinking Green when encountering traffic |
DSL |
Link Indicator: Green (DSL connection established), Blinking Green (Establishing DSL connection), Off (DSL connection not established); Activity Indicator: Blinking Green when encountering traffic, Off (DSL line is idle |
Internet |
Green when connected to Internet; Blinking red when Internet connection is configured but fails to connect |
USB1, USB2 |
Orange when a USB device is connected |
Q: Which SD card types are supported ?
A: SD-HC card types up to 32GB only. If inserted the 1100 Appliance will automatically format them. Logs can then be saved to the card.
Q: Which 3G and 4G/LTE Modems are supported with Check Point 600 / 1100 appliances ?
A: Check Point lists all supported cellular modems in sk92809 and in the firmware release notes. Therefore the following two tables provide a more specific overview.
Q: Which 3G modems are supported ?
A: Check Point lists all supported modems in sk92809.
Q: Which 4G/LTE modems are supported ?
A: Check Point lists all supported modems in sk92809.
Q: The 1100 appliance type is missing in R75.46 / R76 SmartDashboard ?
A: sk92732 provides an automatic and a manual procedure to add it.
Q: Why does a policy installation onto my Check Point 1100 Appliance fail with *** glibc detected *** errors ?
A: sk93385 provides a hotfix and installation instructions.
Q: Why do I have issues changing the filtering list of allowed MAC addresses for wireless connections ?
A: This is a known issue in current releases. Only change wireless settings when you are directly connected to your 1100 Appliance. Changing wireless settings, such as the MAC address filtering list, when connected per WLAN (via Wi-Fi) leads to a permanent error in the configuration that won't even be resolved by connecting directly later on. Only a complete reset of the 1100 Appliance will currently help fixing this issue.
Q: Why does my 1100 Appliance not perform as fast as my previous UTM-1 Edge N Appliance ?
A: The 1100 Appliance performs far more security functions than a UTM-1 Edge N, thus why you are seeing differences in performance. By disabling blades you are not using in Home > Security Dashboard, performance should improve. Always keep in mind that a 1100 Appliance is Check Points smallest NGF Appliance, designed for the best security even at small and home office environments. Since it's an Embedded Appliance running on an ARM CPU it's by design of the product that it's performance assets are quite limited. The more blades it has to run, the less the overall performance will be.
Q: Why do I get an error when activating my Check Point 1100 Appliance ?
A: It's always recommended to activate the Check Point 1100 Appliance manually. Therefore just generate and download the activation file in your Check Point UserCenter account. Then activate your 1100 Appliance with the downloaded activation file. Backup the activation file for later activations.
A: As described in sk93382, doing the activation online can cause several errors, like 'Maximal number of activations exceeded.' or 'Cannot find registration information for the appliance in the Check Point User Center. Currently using trial license.'
Q: Does the 1100 Appliance support clustering ?
A: Of course. You'll have to use High Availability (Active/Standby) clustering mode as Load Sharing mode is not supported yet (known limitation).
Q: How can I create a custom boot script / disable SecureXL permanently ?
A: sk65015 describes a solution where a custom userScript can be created that will be loaded after each reboot. It's actually as simple as putting your commands or scripts containing full paths in /pfrm2.0/etc/userScript
Code:
[Expert@fw]# cd /pfrm2.0/etc/
[Expert@fw]# vi userScript
[Expert@fw]# chmod 777 userScript
Q: How is synchronization configured in a 1100 Appliance cluster ?
A: The Sync interface is usually configured on LAN2. Using the wireless interface as the Sync interface is not supported.
A: Before configuring a local cluster, make sure that the sync interface is unassigned by checking the Device > Local Network page in the WebUI.
A: sk52500 describes how to configure a Sync interface other than LAN2.
Q: How can I quickly check the top firewall policy rule hits ?
A: Login to your 1100 Appliance via SSH. Enter the command: show rule-hits
Q: How can I securely copy files via scp to/from my 1100 Appliance ?
A: Just enable Scp access with this expert-mode command: bashUser on
Code:
[Expert@fw]# bashUser on
user: admin
Bash login enabled.
Scp access enabled.
Note:
Your default shell will now be bash,
and when you login you will enter expert mode.
We recommend that you use clish as your default shell,
and move to expert mode only when necessary.
You can move from bash to clish using the "clish" command.
To restore your default shell to clish run "bashUser off"
A: Disable Scp access after copying your files via: bashUser off
Code:
[Expert@fw]# bashUser off
user: admin
Bash login disabled.
Scp access disabled.
Cpshell enabled.
A: sk52763 describes the same procedure for using WinSCP.
Q: Can I run my own scripts on the 1100 Appliance ?
A: Yes. They will not survive a firmware upgrade though, so keep track of your additions/modifications and recreate them after upgrading.
Q: How can I save local backups most easily ?
A: Just connect a standard FAT-formatted USB stick to the back or front USB port of your 1100 Appliance as a local storage device for backups.
Code:
clish> backup settings to usb
Creating backup...
Uploading backup_filename.zip to the USB device
Upload complete
Your settings have been successfully backed up and saved on your USB drive
A: Please note: An empty backup file will be created if the 1100 Appliance just runs with a trial license. To overcome this issue, you'd need to backup the specific files manually.
Q: Is dynamic routing supported ?
A: Of course.
Q: Which ports do I need to allow in order for my 1100 Appliance to be able to talk to my Check Point Security Management / Log Server ?
A: sk93566 lists the ports that need to be allowed. Usually it's:
1: Src - Any, Dst - Security Management server IP, TCP port 18210 (service FW1_ica_pull)
2: Src - Any, Dst - Security Management server IP, TCP port 18191 (service CPD)
3: Src - Any, Dst - Log Server server IP, TCP port 257 (service FW1_log)
Q: How can I set up a certificate based VPN on my 1100 Appliance ?
A: Danny Jung has written an article about Certificate based VPNs with Check Point appliances.
Q: How can I troubleshoot VPN issues on my 1100 Appliance ?
# Web UI
A: Check for any related VPN log entries at Logs & Monitoring > Security Logs
A: Check the status of your VPN tunnels at VPN > VPN Tunnels
A: Test your VPN configuration at VPN > VPN Sites
# Console
A: You can do a full IKE debug in Expert Mode via these steps:
Step 1: Turn on VPN debug mode: vpn debug tunc; vpn debug on TDERROR_ALL_ALL=5
Step 2: Recreate the VPN issue
Step 3: Turn off VPN debug mode: vpn debug off; vpn debug ikeoff
Step 4: Copy $FWDIR/log/ike.elg to your PC and inspect it with IKEView
Q: How can I disable the First Time Configuration Wizard ?
A: The First Time Configuration Wizard will be disabled by default after completing it.
A: You might also disable it manually by executing the following command at the console: set property first-time-wizard off
Code:
$ ssh -l admin 192.168.1.1
admin@192.168.1.1's password:
> Welcome to CLISH. The First Time Configuration wizard was not completed yet
> NOTE: The First Time Configuration wizard may delete or override some of the settings you set in CLISH
> To disable the First Time Configuration wizard (and USB automatic configuration) please run "set property first-time-wizard off"
clish>
Q: How can I run the First Time Configuration Wizard again ?
A: You can run it once by entering the following command at the console: set property first-time-wizard once
Q: How do I successfully establish a VPN connection with a locally managed 1100 Appliance using certificates ?
A: While the Check Point 1100 Appliance was primarily designed to be centrally managed in corporate enterprise networks it is also possible that there is a locally (i.e. externally managed) 1100 Appliance that needs to be configured for a VPN connection to your corporate Check Point VPN gateway / cluster. Even dynamically assigned IP address (DAIP) gateway solutions which have to keep up a permanent VPN tunnel to the corporate office are possible. sk94028 describes the full configuration procedure.
Q: How do I set up certificate based VPNs with my Check Point 1100 appliance ?
A: Please read my article about how to set up certificate based VPNs.
Q: Why do I get an "invalid certificate" error when trying to establish a Site-to-site VPN with my 1100 Appliance using an internal certificate ?
A: Check Point provides a detailed description of the cause and a working solution here.
Q: Why does no traffic pass through the VPN tunnel between my 1100 Appliances and an interoperable device ?
A: You probably forgot to mark the interoperable device as a Check Point gateway as described here.
Q: Which clustering modes are supported by Check Point 1100 Appliances ?
A: High Availability (HA) only. Load Sharing mode is not supported (yet) as noted in the Known Limitations.
Q: Which clustering technology is being used by the Check Point 1100 Appliances ?
A: Check Point ClusterXL.
Q: Can I configure a Check Point 1100 Appliance cluster by using two different 1100 models ?
A: Yes. However, clusters should be always configured using identical cluster nodes for better consistency, stability and reliability.
Q: Can I configure a Check Point 1100 Appliance cluster with cluster nodes running on different firmwares ?
A: No. This would lead into the following error:
Q: Can I configure a Check Point 1100 Appliance cluster with more than two cluster nodes ?
A: Check Point officially says: "A Check Point 1100 Appliance security gateway cluster is a group of 2 members each representing a separate Check Point 1100 Appliance". So this is the only supported solution. However, more than two cluster nodes can be configured centrally when editing the cluster properties in classic mode. In local management just two cluster nodes (primary, secondary) can be configured.
Q: Is there any other limitation when considering to run Check Point 1100 Appliances in clustering mode ?
A: Yes, you can't neither use switches nor bridges in the local configuration of your 1100 Appliances.
Q: How do I know if my inactive cluster node became active when running Check Point 1100 Appliances in clustering mode ?
A: In centralized management just check SmartView Monitor. In local management you'll receive a notification in the WebUI.
Q: How do I know if my active cluster node became inactive when running Check Point 1100 Appliances in clustering mode ?
A: In centralized management just check SmartView Monitor. In local management you'll receive a notification in the WebUI.
Q: When running Check Point 1100 Appliances in clustering mode, how can I manually change the activity of the cluster nodes ?
A: In centralized management just change the priority of the cluster nodes in the cluster object properties and install the security policy.
A: In local management you can force a member down by hitting the button 'Force Member Down' in the WebUI of the specific cluster node.
A: You can always use the typical ClusterXL commands at the console to control your Check Point 1100 Appliance cluster. (i.e. clusterXL_admin up/down)
Q: I configured a Check Point 1100 Appliance cluster but still keep getting errors ?
A: Don't forget to reboot your Check Point 1100 Appliances right after the cluster configuration in order to get the cluster working. Otherwise you might see blocked connections for the service 'CP_Cluster_sync' in your log files.
Q: I keep getting an 'Error during OS sync' at the end of my Check Point 1100 Appliance cluster configuration ?
A: To overcome this issue just reboot your Check Point 1100 Appliance without closing the error window shown below.
Q: Why are connections to TCP port 443 blocked on my 1100 Appliance ?
A: Because this port is already being used by the Visitor Mode functionality for Remote Access users. sk93746 provides a solution.
Q: Why is my VoIP phone not working behind my locally managed 1100 Appliance ? Why does my IPS blade still blocks SIP traffic with the error message 'IPS - SIP data malformed or Error with SIP data.' even after I turned it off ?
A: Because on Check Point 1100 Appliances that are locally manged, the implicit policy rules of the IPS blade are working, even if the blade is turned off or an exception rule is created. sk93200 provides a solution by changing the default port (5060) of the SIP_TCP and SIP_UDP objects and creating two new ones. This circumvents the content inspection engine and therefore will allow your VoIP phone to work.
Q: How do I to create an "Allow and Forward" rule on my locally managed 1100 Appliance ?
A: sk93588 describes how to make use of the server types for this.
Q: What's on the road map ?
A: A new 1100 Industrial Appliance will be available in Q1/2015.
A: IPv6 support is planned to be integrated in future releases.
A: A rack mount kit accessory will be added to the price list shortly to allow housing 1100 Appliances side-by-side or centered in a 19” wide rack.
Q: What's missing ?
A: The integrated Terminal Console Window that the GAiA Portal features.
A: An online demo of the Check Point 1100 Appliance's WebUI, similar to the old UTM-1 Edge Demo.
A: A visual overview about all ports and their connection status, similar to what the UTM-1 Edge offered under Network > Ports.
A: More information on the System Information page. Like cluster status, VPN status, connected USB sticks or SD cards etc.
A: An option to allow two or more Admins to login to the WebUI at the same time.
Q: Is SandBlast supported by version R77.20.51 ?
A: Yes, the 700 / 1400 / 1200R appliances support the Threat Emulation Blade.
A: Locally managed appliances emulate their files in the ThreatCloud.
A: Centrally manged appliances have the additional option to emulate their files in a remote SandBlast appliance.
A: Threat Emulation support for centrally managed appliances will be available on R80.10 Security Management Server
N: An additional license is needed for the Threat Emulation Blade.
N: Further information can be found in the following sk's: sk114815, sk115616.
Bookmarks