CPUG: The Check Point User Group


Thread: UTM-1 Edges - FAQ

  1. #1

    UTM-1 Edge - FAQ by Danny Jung


    SofaWare Embedded! UTM-1 EDGE FAQ
    Author: Danny Jung



    !! ATTENTION !!
    UTM-1 Edge Appliances are no longer actively developed! The new 1100 Appliance is its successor as Check Point's new entry level enterprise NGF appliance.


    Q: What is the official product site?
    A: Check Point Software: UTM-1 Edge Appliance

    Q: Where can I find the partner resources?
    A: Product Highlight: UTM-1 Edge Appliance

    Q: Where can I find the official datasheets?
    A: Check Point UTM-1 Edge N Datasheet
    A: Check Point UTM-1 Edge N Industrial Datasheet

    Q: Where can I find a demo setup?
    A: Check Point UTM-1 Edge W ADSL DEMO

    Q: Where can I find related discussion forums?
    A: At SofaWare, CPShared or Check Point.

    Q: Where can I find the SofaWare FAQ?
    A: Check Point SofaWare FAQ

    Q: Where can I find the online help system?
    A: At UTM-1 Online Help 8.2.

    Q: What is the capacity of an UTM-1 Edge X appliance?
    A: SPI Firewall throughput: 190 Mbps
    A: VPN throughput: 35 Mbps
    A: Concurrent connections: 5.000
    A: Normal User Profiles (Non-VPN): No limitation in numbers but in memory usage (Can use Radius for more users)
    A: RemoteAccess VPN Profiles: 25
    A: Site-to-Site VPN Profiles: up to 15
    A: Security Associations (SAs): max. 100 (Remote Access and Site-to-Site VPN)

    Q: What is the capacity of an UTM-1 Edge N appliance?
    A: SPI Firewall throughput: 1000 Mbps
    A: VPN throughput: 200 Mbps
    A: Concurrent connections: 60.000
    A: Normal User Profiles (Non-VPN): No limitation in numbers but in memory usage (Can use Radius for more users)
    A: RemoteAccess VPN Profiles: Unlimited
    A: Site-to-Site VPN Profiles: up to 15
    A: Security Associations (SAs): max. 400 (Remote Access and Site-to-Site VPN)

    Q: Which series should I buy?
    A: The UTM-1 Edge N Series replaces the UTM-1 Edge and Safe@ X Series for the Unlimited/32/16 user models. The last order date for the X Series product will be January 1, 2011. (sk55061)
    Last Order Date: January 1st 2011 only for models 16/32/Unlimited. UTM-1 Edge X series for 8 users will continue to sell after January 1st, 2011.

    Q: What is the End of Support date for the X series?
    A: May 31st, 2015.

    Q: Who uses UTM-1 Edges?
    A: Companies using a Wireless Distribution System (WDS) with roaming for their in-house wifi connectivity.
    A: ISPs to provide broadband, IP TV and VoIP services.
    A: Stadiums collect bets with handheld wifi devices roaming around the stadium.
    A: Car manufacturers using industrial Edges, utilizing bridge mode protecting mission critical computers.
    A: Remote & Branch Offices with backup internet connections.
    A: Home- and Teleworkers (Network access control and remote administration)
    A: Managed Services Providers with Large Scale Management
    A: Banks who connect their branch offices
    A: Companies who connect ATMs either to a GPRS modem or to an Ethernet connection.

    Q: Who should NOT use UTM-1 Edges?
    A: Admins looking for good traffic performance rates.
    A: Admins that have to build complex VPN setups.
    A: Admins that are looking for advanced monitoring capabilities.
    A: Admins that need to manage advanced RemoteAccess situations or that are looking for Desktop Security Policies.
    A: Admins that want to configure customized scripts or behaviours on their firewall appliance.
    A: Simply everyone who expects a simple and cheap embedded all-in-one appliance could act like a real server.

    Q: How many UTM-1 Edges are sold per year?
    A: SofaWare sold around 50.000 embedded devices in 2007.

    Q: Which VPN Clients are supported to remotely connect to UTM-1 Edges?
    A: Check Point SecuRemote/SecureClient and Check Point Endpoint Discovery VPN Client (EA).
    A: Firmware version 8.1 also introduced support for Check Point's Endpoint Connect™ VPN client.

    Q: Where should I start managing my UTM-1 Edge?
    A: Check Point offers an Admin Guide for your first steps in UTM-1 Edge management.

    Q: Which model should I buy?
    A: That depends on your requirements. ALWAYS buy a model that has USB ports. These models do:
    # UTM-1 Edge XW
    # UTM-1 Edge NW
    # UTM-1 Edge X ADSL
    # UTM-1 Edge N ADSL
    # UTM-1 Edge XW ADSL
    # UTM-1 Edge NW ADSL
    # UTM-1 Edge X Industrial
    # UTM-1 Edge N Industrial

    Q: Which firmware is recent? - August 5, 2014
    A: 8.2.64 (General Availability)

    Q: Are there different firmwares available?
    A: Yes. UTM-1 Edges X appliances which have an ADSL-modem integrated require a different firmware.

    Q: Which variants does the recent firmware version consist of?
    A: n8.2.64n.img is for regular units of the recent N-series to be uploaded via GUI
    A: x8.2.64x.img is for regular units of the old X-series to be uploaded via GUI
    A: 8.2.64x.tftp is for regular units of the old X-series to be uploaded via TFTP (turn Windows Firewall off)
    A: 8.2.64n.tftp is for regular units of the recent N-series to be uploaded via TFTP (turn Windows Firewall off)
    A: a8.2.64.firm is for ADSL and Industrial units of the old X-series to be uploaded via GUI
    A: a8.2.64_backup.firm is for ADSL and Industrial units of the old X-series to be uploaded via TFTP (turn Windows Firewall off)
    A: ab8.2.64ab_backup.firm is for ADSL units of the old X-series to be uploaded via TFTP (turn Windows Firewall off)
    A: 8.2.64_debug_x.img is for regular units of the old X-series to be uploaded via GUI
    A: 8.2.64_debug_a.firm is for ADSL and Industrial units of the old X-series to be uploaded via GUI
    A: 8.2.64_debug_n.firm is for regular units of the recent N-series to be uploaded via GUI

    Q: Do Safe@Office appliances require a different firmware than UTM-1 Edges?
    A: No. Both are using the same firmware.

    Q: Any extra special firmwares?
    A: 7.5.55_w6x.img has the long awaited WLAN-Client functionality. This function will be officially implemented in firmware version 9.
    A: SofaWare offers a unique firmware on request if you want to use BGP (see release notes).

    Q: Which DSL-modem firmware is recent?
    A: SW2.0.11 (General Availability)

    Q: Which variants does the recent DSL-modem firmware version consist of?
    A: SW2.0.11ab_pri.firm is for all ADSL units uploaded via GUI (installs as primary firmware)
    A: SW2.0.11a_pri.firm is for ADSL (Annex A) units uploaded via GUI (installs as primary firmware)
    A: SW2.0.11b_pri.firm is for ADSL (Annex B) units uploaded via GUI (installs as primary firmware)
    A: SW2.0.11a_sec.firm is for ADSL (Annex A) units uploaded via GUI or TFTP (also installs as backup firmware)
    A: SW2.0.11b_sec.firm is for ADSL (Annex B) units uploaded via GUI or TFTP (also installs as backup firmware)

    Q: Are there different DSL-firmwares available?
    A: Yes. There is one firmware for Annex A and one for Annex B. Also there is a SW2.0.*_pri.firm (primary) and a SW2.0.*_sec.firm (secondary) firmware. Both can be installed via the Web-GUI. The primary firmware will update the firmware the UTM-1 Edge is using at startup. The secondary firmware will update the backup firmware to which the UTM-1 Edge reverts after a factory reset.

    Q: Any important things to know about when working with an ADSL-Edge?
    A: Enter the following command on your ADSL-Edge before using it: set port adsl auto-sra mode disabled
    This will prevent it from reestablishing the DSL connection every 1h14sec. (sk32922)

    Q: My UTM-1 Edge ADSL is fully configured and connected to the DSL line. It still shows "No sync" and the DSL light is continuously blinking.
    A: Make sure that your primary internet connection is correctly configured for your ADSL port. Choose PPPoE as connection type and ADSL2/ADSL2+ as DSL standard. Ask your ISP for correct VPI/VCI numbers and the encapsulation type. If your DSL splitter doesn't come with RJ-11 outputs, use a RJ-11 line socket adapter which has a microfilter built-in. In some cases SofaWare already packages ADSL appliances with RJ-11 line socket adapters. Check the contents of your package for it. Always use the original cables from SofaWare to connect your appliance.

    Q: My UTM-1 Edge ADSL is working just fine. After updating the firmware of my UTM-1 Edge ADSL the appliance is restarting, however it can't establish the DSL-connection anymore and says 'DSL modem could not be initialized'. Sometimes it even reverts back to its backup firmware after trying for too long to establish a DSL-connection. What is the problem?
    A: The newer firmware has updated routines to talk to the integrated DSL modem. A simple restart of the appliance after a firmware update may sometimes result in this issue. Just power down your UTM-1 Edge appliance for 20 seconds after the firmware update is completed. Power it up again and your DSL connection issue should be gone.

    Q: Any important things to know about when working with Edges in general?
    A: Always make sure that your libsw libraries are at the same or a higher version than your UTM-1 Edge firmwares. Don't install your security policy to more than ten Edges at a time.

    Q: How do I backup and restore using a USB Flash Drive?
    A: Embedded NGX 8.x allows backing up the appliance configuration, security policy, and certificate to USB flash drives. You can then restore the appliance settings from the USB flash drive as needed. Backup and restore operations are performed by inserting the USB flash drive into the Embedded NGX appliance’s USB port, and then running the Backup/Restore Wizard in the Setup > Tools page.

    Q: How does Rapid Deployment using a USB Flash Drive work?
    A: Embedded NGX appliances are shipped with a specific firmware and group of settings that represent the appliance's default state. When installing a new appliance, you can configure different settings and install new firmware versions as needed; however, this can be time-consuming. Embedded NGX 8.0 rapid deployment avoids this hassle, by allowing you to load the desired firmware, configuration, security policy, and certificate from a USB flash drive during product initialization. Rapid deployment can be used on individual appliances at the customer site, or on multiple appliances before they leave the warehouse. Before performing a rapid deployment, it is necessary to prepare the USB flash drive. For each appliance you want to deploy, you must create a folder named after the appliance’s MAC address, and then add the desired configuration files to the folder. Rapid deployment is performed by pressing the RESET button at the back of the appliance, and then inserting the USB flash drive into the Embedded NGX appliance’s USB port. The appliance will automatically load the settings from the relevant folder on the USB flash drive.

    Q: The PWR/SEC LED on my UTM-1 Edge is sometimes blinking red. Is my firewall appliance damaged?
    A: No. It's probably just showing you that it successfully blocked an unwanted connection.

    PWR/SEC LED Statuses:
    On (Green) .. Normal operation
    On (Red) .. Error
    Flashing quickly (Green) .. System is booting up
    Flashing slowly (Green) .. Establishing Internet connection
    Flashing (Red) .. Blocked connection
    Off .. UTM-1 Edge is powered off

    Q: If I hard-reset my UTM-1 Edge, will I also lose my DSL-firmware?
    A: Yes. It will be reset to factory-default.

    Q: Can I avoid this?
    A: Yes. All firmwares are available as primary and secondary (e.g. backup) firmware. Usually you only install the primary firmware. Installing the backup firmware will set this one as backup instead of the factory default when you do a reset.

    Q: What are the TFTP firmwares good for?
    A: They can be used to update the UTM-1 Edge locally and update the backup firmware. To do this just power down your Edge. Power it up while the reset button is pressed. The PWR/SEC light will now be continuously red. Change the IP address of your host to 192.168.10.2/24. Now you should be able to ping the UTM-1 Edge via 'ping 192.168.10.1'. If that works, you can start to transfer the .tftp firmware via 'tftp -i 192.168.10.1 put filename.tftp'. The PWR/SEC light will start blinking red. After your UTM-1 Edge has restarted successfully, your appliance will be updated to the new firmware, which is also the new default firmware.

    Q: Where do I get these firmwares?
    A: From your official support sites. Either Check Point or SofaWare.

    Q: What does an UTM-1 Edge look like?
    A:

    Q: Some of my Edges are heating up and become quite hot.
    A: SofaWare's appliances don't come with a built-in cooling fan. They are intended to be placed in cooler places like server rooms with no incident solar radiation. If you can't provide this, buy an external cooling fan to keep your Edge at a normal temperature. Otherwise you might run into issues with outages of your network ports. You can use the built-in USB ports to connect external cooling fans.


    Q: Which web browser should I use to manage my UTM-1 Edges?
    A: Internet Explorer only, where applicable. Firefox still has some issues, especially when you export the configuration to a .cfg file. Safari has a problem with uploading new firmware images.

    Q: Where to look on my Edge to troubleshoot it?
    A: http://my.firewall/pop/Diagnostics.html
    A: http://my.firewall/vpntopob.html Older firmwares (7.0.x and below) use http://my.firewall/vpntopo.html
    A: https://my.firewall/dnstopo.html Not available in newer firmwares (7.5+)
    A: http://my.firewall/Log.html
    A: http://my.firewall/Ports.html

    Q: Any further troubleshooting guidelines?
    A: Sure. Check Point offers a VPN-1 UTM Edge ATRG (Revised: October 22, 2007).

    Q: What is the correct UTM-1 Edge RMA (Return Material Authorization) procedure?
    A: Please check this official site and troubleshooting steps first. (sk31919)

    Q: How to connect to the serial console of my UTM-1 Edge X appliance?
    A: Connect the RJ-45 (RS-232) port of your appliance to the COM port of your host. A RJ-45 to DB9 converter is part of your appliance. Use the following settings for your terminal client.

    Baud rate: 57600
    Data: 8 Bit
    Parity: None
    Stop: 1 bit
    Flow control: None

    Q: How to connect to the serial console of my UTM-1 Edge N appliance?
    A: Connect the RJ-45 (RS-232) port of your appliance to the COM port of your host. Use the following settings for your terminal client.

    Baud rate: 115200
    Data: 8 Bit
    Parity: None
    Stop: 1 bit
    Flow control: None

    Q: Can I disable SmartDefense checks on my UTM-1 Edge?
    A: Not all of it. You can go through the Smartdefense wizard and set it to Minimal or go through all settings and set them to 'None'. In centralized management you can also check 'Do not apply SmartDefense on this gateway' within 'SmartDefense > Profile Assignment' of your VPN-1 UTM Edge Gateway object.

    Q: Any in-depth debugging options?
    A: Sure. Check Point also offers a debugging firmware. It will provide you with the 'debug' command at the command shell of your UTM-1 Edge. The 'debug' command lets you activate more logging features. Set up an internal syslog server and configure it on your UTM-1 Edge appliance. Recreate the issue you want to debug. Check the log of your syslog server. The WebGUI also provides you with a packet sniffer. It will generate an output file which can be analyzed in Wireshark (formerly known as Ethereal).

    On your SmartCenter Server (which also runs the Service Center for your Edges) edit the SofawareLoader.ini file. Find the DebugLevel line in the [LOG] section and change it to either Debug or Info. To run SofaWareLoader manually and compile the Policy on Commandline, run: fwm load -S -M -l41 policy_name.W <Edge>
    After you finished debugging roll back the debug level.

    Q: Any hidden/undocumented pages?
    A: Yes. http://my.firewall/pub/test.html

    Q: I've upgraded my SmartCenter Server to NGX (R65). Now policy installation on the Embedded Edge Connector fails.
    A: Install the latest libsw (SofaWare Libraries) and read this SecureKnowledge Base article: (sk33821)

    Q: I can't create an Embedded Edge object (Edge Profile) within SmartDashboard?
    A: On your SmartCenter Server change the attribute of support_sofaware_profiles in $FWDIR/conf/objects_5_0.C to true and read this SecureKnowledge Base article: (sk30389)

    Q: My UTM-1 Edge is set up for centralized management. However, when connecting it to the Service Center it says:
    Connection Refused: This UTM-1 Edge is not registered to the Service Center.
    A: You are most likely using an UTM-1 Edge X ADSL or another series of the standard UTM-1 Edge X appliance. In SmartDashboard the default type of your VPN-1 UTM Edge Gateway object is 'VPN-1 UTM Edge X Series'. Make sure the type matches the series of your appliance.

    Q: My UTM-1 Edge does not establish any of the centrally configured VPN tunnels and 'Reports > Tunnels > VPN Topology' is empty. It is set up for centralized management and Service Center is: Connected
    A: Navigate to 'VPN > VPN Site' and enable your Enterprise Site-to-Site VPN. Now your VPN topology should contain an Enterprise folder.

    Q: I can install the Security Policy for my UTM-1 Edge on SmartCenter Server. However, it takes some time until the policy is active.
    A: This is the normal behaviour. You are installing the policy to the Embedded Edge Connector on your SCS. By default, the Edge asks every 20 minutes for an updated policy, firmware version and other settings. This can be changed in SmartDashboard > Global Properties on your SCS.

    Q: How can I stop/start the Embedded Edge Connector on my SmartCenter Server?
    A: smsstop/smsstart will do that for you.

    Q: I want to push a Security Policy directly onto my UTM-1 Edge. Is this possible?
    A: Yes. Purchase Check Point SmartLSM (Large Scale Manager).

    Q: SmartView Monitor does not show the correct status of my UTM-1 Edge appliance?
    A: This is caused by design of the product. Your UTM-1 Edge appliance connects to the Service Center every 20 minutes (default). If authentication to the Service Center was successful it will start to retrieve available firmware or policy updates. For UTM-1 Edge appliances with dynamic IP addresses the Service Center also remembers the last known IP (for handling VPN connections configured in Simplified Mode and for use with SmartView Monitor and SmartLSM). So SmartView Monitor does not check your UTM-1 Edge appliance for availability, instead it asks the Service Center if the UTM-1 Edge has connected recently (within the last 60 minutes). If it has, SmartView Monitor will show 'OK' as status for your appliance, even if it's just unreachable or disconnected. As long as an UTM-1 Edge appliance did not even connect to the Service Center for the first time its status is 'Disconnected'.

    Q: After setting up Management-HA I'm receiving an error 'Failed to obtain Edge packages' when I want to manually synchronize my primary SmartCenter Server with my secondary one?
    A: Just open SmartUpdate and delete all firmware packages from the package repository. Manual synchronisation should then succeed. Afterwards add the firmware packages to the package repository again.


    Q: After upgrading my SmartCenter server or adjusting host entries on it, the SMS process/Embedded Edge Connector fails to load, displaying the error: "Can't contact database".
    A: Move/Add the following entry to the last line of /etc/hosts. (sk33168)
    127.0.0.1 localhost.localdomain localhost


    Q: My exported UTM-1 Edge configuration file just contains the following line: [700002] object not found
    A: Set your UTM-1 Edge appliance via 'Setup > Tools > Factory Settings' back to factory defaults. Then manually enter your configuration data again.

    Q: How can a firmware update be performed?
    A: Either locally via the WebGUI of your UTM-1 Edge or centrally within SmartUpdate of your Edge. Just upload a firmware to the package repository and attach it to your Edge. It will then retrieve this firmware directly from your SCS when it checks for updates the next time.

    Q: After I upgraded the firmware locally my UTM-1 Edge reverts back to the old one?
    A: If the UTM-1 Edge is centrally managed it will always try to install the firmware that was distributed for it within SmartUpdate. Upload the firmware to the package repository of SmartUpdate instead and distribute it for your UTM-1 Edge. It will then install the new firmware automatically.

    Q: How may I check if my UTM-1 Edge is retrieving a firmware update?
    A: In the 'Setup' menu, goto 'Tools > Diagnostics'. A diagnostics window will pop up. Scroll down to the 'Downloading firmware' row. If a firmware is just being downloaded you'll see a percentage of the data received.

    Q: Since using UTM-1 Edges I encounter high latencies and a bad network performance. Users are complaining.
    A: You are most likely using a central security policy that is not Edge-conform. This means that every security policy with an UTM-1 Edge as policy installation target will be compiled into a binary file by your Embedded Edge Connector. The binary file is then retrieved by the Edge and contains the compiled security and NAT policy. The Embedded Edge Connector works differently from the INSPECT engine by Check Point. Therefore you should be very careful with centrally configured rules for UTM-1 Edges. Create a new policy just for all your UTM-1 Edges. Make sure all rules in your security and NAT policy contain a specific policy installation target. Also always choose specific policy installation targets under "Policy > Policy Installation Target" in your SmartDashboard. Don't use 'Any' in any of your rules for your Edges. Use negated objects instead. Try to use manual NAT rules only for your Edges. Automatic NAT rules may not be compiled correctly. Port mappings are even better than manual NAT rules. Uncheck "Support IP compression" in the advanced VPN properties of your VPN community. Check "One VPN tunnel per Gateway pair" in the tunnel management settings of your VPN community to keep the number of required Security Associations (SAs) as low as possible. After you have installed a policy to your Edge, check locally on your Edge that the NAT rules are installed exactly as you configured them centrally. If not, change your NAT rules and install the policy again. Use dynamic objects where possible and avoid groups by all means. This is simply to prevent your Embedded Edge Connector from doing something wrong. If your latency is still high, check if it gets better when disconnecting the Edge from its Service Center. If it does, try to manage your Edge locally where applicable.

    Q: Where can I see which rules are applied by the UTM-1 Edge in centralized management?
    A: Enter this command at the console or under 'Setup > Tools > Command' in the GUI: info fw rules

    Q: What should I define for Management Access (Setup > Management) ?
    A: 'Internal Networks' or 'Internal Networks + IP Range' only. Never set it to 'ANY'. Never. Otherwise malicious scripts will soon try to work off password lists on your UTM-1 Edge. Even on the management port 981!

    Q: Why is it so different to configure and manage UTM-1 Edges centrally, compared to other Check Point firewall gateways?
    A: Always bear in mind that UTM-1 Edges were primarily designed as standalone firewall gateways. They will not turn into a fully enterprise-managed firewall when connected to a Service Center. The 'Service Center' is a so-called Embedded Edge Connector that is running on your SmartCenter Server. It's a different process with a different compiler (SofaWare engine). All this results in a unique behaviour that is 'by design' of the product and by experience of the programmers and end users. UTM-1 Edges are a product of SofaWare, a Check Point company. However, they are developed with another focus and receive functionality upgrades and changes faster than Check Point can reflect this in their firewall management software. Also they are the only centrally managed firewall gateways to which you can't apply configuration settings (like interface configurations). Newer functions of recent firmwares (such as dynamic routing) can't be configured and managed centrally at all. Also local security rules take precedence over rules configured by the central management.

    Q: Are the default rules configured by the security levels of the UTM-1 Edge appliance still applied when it is connected to SmartCenter Server?
    A: No. When your appliance is managed by SmartCenter, the centrally configured security policy replaces the local default security policy. The local security level is set to 'High' and cannot be changed.

    Q: While using a centrally configured security policy my UTM-1 Edge appliance behaves like the local default rules would still apply?
    A: This is a default setting on the SmartCenter Server. Go to 'Global Properties > SmartDashboard Customization > Configure... > VPN-1 UTM Edge/Embedded Gateway' and uncheck 'sofaware_stealth'. This will prevent connections from internal networks to the SofaWare Gateway from being accepted by default.

    Q: I can't seem to manage my UTM-1 Edges on my Nokia IPSO based SmartCenter Server?
    A: That's not supported as the Embedded Edge Connector doesn't run on IPSO. [Link]
    Check Point writes "UTM-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia IPSO platform."

    Q: Why do VPN connections to remote sites using UTM-1 Edges (configured as DAIP gateways with dynamic IP address) sometimes fail?
    A: When an UTM-1 Edge changes its IP address, the Corporate Office gateway does not detect the IP address change until the UTM-1 Edge reports it to the Service Center. The default value for this periodic status update is 20 minutes (SmartDashboard > Policy > Global Properties > VPN-1 UTM Edge Gateway > General Configuration). Check Point recommends to configure permanent VPN tunnels for each VPN community containing DAIP UTM-1 Edges. This ensures that in case the IP address changes your UTM-1 Edge will automatically re-establish the VPN tunnel again. (sk31477, sk33238)

    Q: Why is my permanent VPN tunnel between a Nokia or 3rd party VRRP cluster and UTM-1 Edge shown as down, though it is actually up?
    A: Because you are using an old version of the Nokia API to determine which cluster member is active, or you are using a 3rd party active/active cluster solution. Check Point is providing a HotFix and always recommends upgrading to the latest firewall version. (sk32515)

    Q: Why doesn't my UTM-1 Edge support DynDNS?
    A: The missing native support of DynDNS is one of the most mentioned downsides of SofaWare's products. However, Check Point/SofaWare has officially declared that they don't want to compete with Linksys and the likes in this field. Their public target is the soho user who looks for an all-in-one solution at a valuable price. A single UTM-1 Edge appliance at the latest firmware replaces the following hardware:
    - a 4-port switch
    - a dsl modem
    - a firewall (including a nat router)
    - a viruswall
    - a printserver
    - a wlan router
    - a wlan hotspot
    - a dns server
    - a web filter
    - anti-spam solution

    All this on Check Point's scanning engine and with a straightforward management GUI. You haven't seen anything else that competes with this solution, have you? Also UTM-1 Edges are rack-mountable, come with two USB-ports to connect cooling fans, printers, LED-lights, clocks or whatever without the need for a dedicated power supply. Not to forget the switching-mode power supply, whose main advantage is a greater efficiency because the switching transistor dissipates little power in the saturated state and the off state compared to the semiconducting state (active region).

    Check Point/SofaWare are offering instant help, 24 hours a day within their chat system.

    And for using DynDNS... there are free DynDNS clients available that you could just install on an internal host, which updates your external IP address. So don't decide against UTM-1 Edges just because of this single function.

    Q: My Edge is so great, I want to cluster it. Can I?
    A: Sure. WAN-HA and Gateway-HA are supported since firmware version 7.x. In central management you should still stay with WAN-HA only. Many tests have been done and WAN-HA can be confirmed working quite well in real-life scenarios.

    Q: What to take into consideration when working with UTM-1 Edge clusters?

    WAN-HA PRO
    - no IP address conflicts because only one GW is connected to the Internet
    - only 2 SAs (Security Associations) are required for one VPN tunnel
    - only one object needs to be defined and managed in the firewall policy
    - works with static IP addresses
    - has been successfully tested working in different environments

    WAN-HA CONTRA
    - the passive node is not connected to the Internet and won't receive updates
      (it will receive the most recent security policy and firmware as soon as it gets active though, so that's not much of a downside)

    Gateway-HA PRO
    - all cluster nodes are always connected to the Internet
    - all cluster nodes receive policy and firmware updates

    Gateway-HA CONTRA
    - poor documentation and support by Check Point
    - requires 4 SAs for one VPN tunnel (only 100 can be managed per community)?
    - two objects need to be defined and managed in the firewall policy
    - objects cannot work with static IP addresses; only dynamic IPs
    - therefore each node must have a correct DNS entry to get the VPN working
    - both cluster nodes issue the virtual cluster IP > risk of IP conflicts

    Q: How to establish synchronisation between UTM-1 Edge devices?
    A: Select a Sync-Interface under 'Setup > High Availability > Gateway High Availability' and connect the interfaces with a crossover cable. (sk31992)

    Q: My primary Edge-Clusternode goes down but my secondary Edge won't get active?
    A: This is most likely caused by a Sync-problem. Check the HA-settings and cables.

    Q: My primary Edge-Clusternode goes down and my secondary Edge becomes active. However, I cannot connect to Internet.
    A: This can be caused by your ISP-Router which retrieves a different MAC-Address that pretends to work at the same external IP address. If your ISP-Router is causing an issue, use the MAC-Cloning feature to hide the secondary Edge behind the MAC address of the primary one.

    Q: My UTM-1 Edge is working behind a NAT device or UMTS router. Which ports do I need to open?
    A: Open the following ports in the NAT device: UDP 9281/9282, UDP 500, UDP 2746, TCP 256, TCP 264, ESP IP protocol 50, TCP 981.

    Q: Which license models are available for UTM-1 Edges?
    A: X8 (8 Nodes), X16 (16 Nodes), X32 (32 Nodes), XU (Unlimited Nodes).

    Q: Does the hardware differ between these licenses?
    A: No. It doesn't even differ between Safe@'s and Edges. The old S8 and X16 models had less memory though.

    Q: How will I know if I have reached my node limit?
    A: The UTM-1 Edge will show the following message on its Web-GUI: Warning: You are exceeding your node limit! To purchase product upgrades, contact your reseller or service provider. Get an EVAL license (30 days) to provide a quick solution and then order a license upgrade.

    Q: I have exceeded my node limit. What does this mean? What should I do?
    A: Your Product Key specifies a maximum number of nodes that you may connect to the UTM-1 appliance. The UTM-1 appliance tracks the cumulative number of nodes on the internal network that have communicated through the firewall. When the UTM-1 appliance encounters an IP address that exceeds the licensed node limit, the My Computers page displays a warning message and marks nodes that are exceeding the node limit in red. These nodes will not be able to access the Internet through the UTM-1 appliance, but will be protected. The Event Log page also warns you that you have exceeded the node limit. To upgrade your UTM-1 appliance to support more nodes, purchase a new Product Key. Contact your reseller for upgrade information.

    Q: Besides the positive rule numbers for the rules that are downloaded from the SmartCenter or embedded in the default policy, there are some rules that are implied, and logged. These rules have negative rule numbers. What do they stand for?
    A: Starting in version 6.0, along with the rule numbers, a "log reason" will also be sent to the SmartView Tracker, thus allowing reports to be generated based on rule numbers while still displaying a textual description. Below is the complete list of these numbers with the corresponding rules (sk32680):
    Rule -1: Stateless ICMP (also in 5.0 versions) ICMP replies that don't match to any request, ICMP errors that don't match any of the active connections, etc.
    Rule -5: Connection matched by a custom rule (a.k.a. "user rule"). This number will appear in logs sent to the SmartTracker starting version 6.0.
    Rule -4: Anti-Spoofing (also in 5.0 versions) The connection was dropped due to the automatic anti-spoofing rules.
    Rule -9: HotSpot Connection dropped because the user is not yet authenticated on a hotspot enabled network.
    Rule -10: Encryption mismatch (also in 5.0 versions) Dropped clear text packet that should have been encrypted.
    Rule -11: TCP out of state rule (also in 5.0 versions) Logs or drops packets that try to open a connection without the full 3-way handshake.
    Rule -12: Land Attack
    Rule -13: Ping size exceed maximum allowed size
    Rule -14: ICMP with null payload
    Rule -15: Welchia ICMP worm
    Rule -16: Christmas packet (also in 5.0 versions) Packets that have too many flags lit in them. For instance, SYN and FIN, SYN and RST, etc.
    Rule -17: Cisco IOS DoS attack
    Rule -18: Connection exceeds allowed network quota
    Rule -19: FTP bounce
    Rule -20: FTP port command overflow
    Rule -21: FTP port command tried to open a known port
    Rule -22: FTP illegal command
    Rule -23: KaZaa traffic
    Rule -24: Skype traffic
    Rule -25: BitTorrent traffic
    Rule -26: eMule traffic
    Rule -27: Gnutella traffic
    Rule -28: ICQ traffic
    Rule -29: Yahoo traffic
    Rule -30: Short IGMP packet
    Rule -31: IGMP packet with bad TTL
    Rule -32: IGMP packet not sent to a multicast address
    Rule -33: Vertical Port Scan traffic
    Rule -34: Horizontal Port Scan traffic
    Rule -35: FTP data traffic
    Rule -36: ICMP replay attack
    Rule -37: TCP reset replay attack
    Rule -38: Winny traffic
    Rule -39: Packet should not have been encrypted
    Rule -40: MSN Messenger traffic

    Q: How are nodes counted?
    A: Nodes are counted based on the number of concurrent IP addresses generating traffic through the firewall. An IP node generates traffic through the firewall when it sends packets to resources outside its own network (such as the Internet, DMZ, secondary logical network etc.). As a result, devices like network printers, switches or access points will not be counted as licensed nodes.

    Q: When are nodes released from the node limit counter?
    A: An IP node will release its license after 60 minutes of not generating traffic through the firewall. An IP node which released its license is displayed in blue color in the Active Computers page.

    Q: The time setting on my Edge is always wrong and there are VPN issues.
    A: A known problem. Always use a public time server to sync your UTM-1 Edge with.

    Q: I encounter problems with persistent internet disconnects while using Verizon's FiOS Internet or a Time Warner cable modem. My log shows "Primary Local Area Network (LAN) connection terminated after 1 hour(s), 55 minute(s), 3 second(s)". Is there a solution?
    A: Update to the latest available firmware version. Disable "Probe Next Hop" under Dead Connection Detection in the Internet setup options. Older firmware versions showed strange behavior when it came to RENEWING the DHCP lease. Since FiOS has a DHCP lease time of 2 hours, for some reason it causes the UTM-1 Edge to drop all connections for a second every 1 hour, 55 minutes, 3 seconds. DHCP RENEWAL requests were simply ignored. As soon as 50% of the DHCP lease had expired (one hour), the UTM-1 Edge started sending DHCP RENEWAL requests every 8 seconds. It continued to do this until the lease was just about to expire. At that point, the UTM-1 Edge sent out a DHCP REBINDING sequence, so it went through the complete process of requesting a new IP address (Discover/Offer/Request/Accept). During this rebinding sequence, Verizon's DHCP server responded. But this REBINDING sequence is what was causing the disconnections: if you were to receive a new IP address, the external connections would obviously have to be disconnected.

    Q: After importing a config file to my UTM-1 Edge VPN doesn't work anymore.
    A: You are most likely using a config file exported from a centrally managed UTM-1 Edge appliance. The config file then contains the Enterprise Site-to-Site VPN connection as configured on your SmartCenter Server. As it doesn't match the VPN configuration on your new UTM-1 Edge appliance, you may want to delete this setting.

    Q: My UTM-1 Edge says it's successfully connected to a Service Center. It receives new policies but the Enterprise VPN configuration is always missing.
    A: A simple connection refresh via 'Services > Refresh your Service Center connection' won't help. Make sure your network range is allowed to access the UTM-1 Edge, even without a centrally configured security policy. Create an explicit access rule directly on your UTM-1 Edge appliance or define your network range as a management network via 'Setup > Management'. Then disconnect your UTM-1 Edge via 'Services > Connect > Uncheck Service Center connection'. In some rare cases it was additionally required to delete the Edge object from the central VPN configuration, push the policy and add it back into the VPN configuration/communities again. Then connect your Edge back to the Service Center by enabling the checkbox for your Service Center connection again. Done. Now your Enterprise Site-to-Site VPN connection should be working again.

    Q: I have a few spare Edges around me. How can I use them quickly?
    A: Login to the SofaWare chat and ask for a 30-day EVAL license.

    Q: Are there cheaper models available if I just want to use them at our own company?
    A: Yes. There is an NFR (not for resale) model. You can activate it at sofaware.com and use it as an unlimited NFR appliance at your company.

    Q: How can I configure remote scripting via SSH?
    Make sure you've installed 'expect' and use this bash script to run any command you like.
    Name the script edge_script.sh and run it via: expect edge_script.sh

    Code:
    #!/usr/bin/expect
    # Remote scripting for a UTM-1 Edge over SSH (expect script).
    # Adjust host, credentials and the command to your environment.

    set HOST     "192.168.10.1"
    set LOGIN    "admin"
    set PASSWORD "123456"
    set COMMAND  "info device"
    set timeout  60

    # -C: compression, -x: no X11 forwarding, -l: login name
    spawn ssh -C -x -l $LOGIN $HOST

    # First connection: accept the host key, then answer the password prompt.
    # Known host: the password prompt appears directly.
    # On timeout, abort instead of sending the command into the void.
    expect {
        "fingerprint" {
            send "yes\n"
            expect "word: $"
            send "$PASSWORD\n"
        }
        "word: $" {
            send "$PASSWORD\n"
        }
        timeout {
            puts "Timed out waiting for the SSH login prompt"
            exit 1
        }
    }

    # Wait for the Edge CLI prompt, run the command, then log out cleanly.
    expect ">"
    send "$COMMAND\n"
    expect ">"
    send "exit\n"
    expect eof

    Q: Where do I get support?
    A: From your service provider. Check Point also maintains a Chat for simple support questions. If you ask SofaWare politely (and if you are not using a centrally managed Edge) you might also get support within their Chat system.

    Q: Can I add more features to my UTM-1 Edge?
    A: Yes. SofaWare offers these accessories.

    Q: I want to put two UTM-1 Edges into a 19" rackmount kit and work with them like a pro. How to do this at best?
    A: Buy the official SofaWare Rackmount Kit, two Industrial Edges and two 12V DC Power Supplies.

    Q: The WebGUI of two Edges on the same firmware shows different settings (like stats for LAN ports)?
    A: This is most likely caused by a different hardware revision. The first rev. was 1.0T, followed by 1.2T to the most recent revision 1.3T. While 1.0T didn't have ADSL features and was quite vulnerable to current fluctuations the latest revision appears to be quite stable.

    Q: Which hardware types are available?
    A: SBox-200, SBox-200-A (UTM-1 Edge X ADSL Annex A) and SBox-200-B (UTM-1 Edge X ADSL Annex B).

    Q: OK, I'm set up and safe. Now how do I protect against phishing?
    A: Erez provides a best practice: Anti Phishing

    Q: What's the meaning of all those log messages?
    10001 Error - too many established connections
    The web filtering service connection table is full.
    10011 DHCP server got unknown message type (<MessageType>)
    The DHCP server received an invalid DHCP request.
    10012 DHCP server found no free IP addresses
    There are no free IP addresses. Consider increasing the size of the DHCP address range.
    10013 DHCP server can't add more leases
    The DHCP server has reached the maximum amount of supported DHCP leases.
    10014 Gateway started up
    The gateway has been powered up or restarted.
    10015 Assigned <IP> to <MAC Address> via DHCP
    An IP address has been assigned to a host.
    10016 Detected static IP
    A host is assigned with a static IP.
    10019 Failed to lease reserved IP <IP Address>, IP already used
    A DHCP client tried to request an IP address that is already in use.
    10020 An IP conflict was detected: The IP <IP Address> is in use by a device with MAC address <MAC Address>
    Two devices on the network are configured to use the same IP address.
    10021 A MAC address conflict was detected: The MAC address <MAC Address> is in use by another device
    Two devices on the network are using the same MAC address.
    10022 WAN received DHCP IP overlaps the LAN\DMZ network
    The WAN IP address must not belong to one of the internal networks.
    10023 WAN received DHCP network that intersects with internal network
    The WAN IP subnet mask must not intersect with an internal network.
    10024 WAN received bad DHCP IP
    Your ISP assigned an invalid IP address to this gateway.
    10026 WLAN client: <MAC Address>, connected to network
    A wireless station has connected to the network.
    10027 WLAN client: <MAC Address>, disconnected from network
    A wireless station has disconnected from the network.
    10028 WLAN client: <MAC Address>, failed to authenticate to network
    A wireless station has failed to authenticate to the network.
    10029 WLAN client: <MAC Address>, associated to network
    A wireless station has associated with the network.
    10030 WLAN client: <MAC Address>, disassociated from network
    A wireless station has disassociated from the network.
    10031 WLAN client: <MAC Address>, re-associated to network
    A wireless station has re-associated with the network.
    10032 DHCP relay: server on <Network Name> network failed over from <IP Address> to <IP Address>
    The main DHCP relay server is not responding, the secondary DHCP relay server was used instead.
    30001 Policy error - trap <id> called with too many arguments
    May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.
    30004 Kernel hook failed
    May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.
    30005 <Operation Type> operation on table <table id> failed
    May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.
    30009 Table <table id> not found
    May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.
    30011 Failed to install updated security policy
    The security policy installation has failed. This may indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.
    30012 Failed to install policy - invalid policy file
    The security policy received from the service center is corrupt.
    30013 Policy version is incompatible with the appliance firmware.
    The security policy received from the service center is incompatible with the current firmware version.
    30015 Policy is incompatible with appliance type
    The security policy received from the service center is incompatible with the current appliance type.
    30016 Wrong update version in policy.
    The security policy received from the service center is incompatible with the current firmware version.
    30021 Failed to install updated user interface
    The downloaded GUI update file is invalid or incompatible with this firmware version.
    30024 Failed to install updated firmware
    The downloaded firmware update file is corrupt or not compatible with the current hardware type.
    30025 Failed to install policy
    Failed to install an updated INSPECT security policy
    30026 Failed to install updated configuration-set file
    The configuration-set received from the service center is invalid.
    30027 Failed to install configuration-set file
    Failed to install an updated configuration set file
    30028 Downloaded <n> dynamic objects. Only the first <n> are installed.
    Too many dynamic objects were received from the service center.
    40015 Failed to install config item
    The configuration-set received from the service center is invalid.
    60000 Packet logged
    A packet was logged or dropped. See also the Connection Log Reasons table below.
    60001 Password changed
    The user has changed the password.
    60002 Security level changed from <x> to <y> (<change requested by>)
    The firewall security level has been changed.
    60003 filtering mode changed <mode>
    Web filtering was enabled or disabled.
    60004 Mail filtering mode changed <mode>
    Mail filtering was enabled or disabled.
    60005 User interface updated
    The firewall GUI has been updated.
    60009 Firmware changed
    The appliance firmware has been updated.
    60011 Update now command was issued
    The user requested an immediate update of settings from the service center.
    60020 site <operation>: <name>
    A VPN site was created or modified.
    60021 to establish VPN Tunnel with <server>: <error>
    Failed to establish a phase-1 or phase-2 IKE SA, due to a specified reason.
    60022 You are exceeding your node limit (Node Limit <count>, Used Nodes <count>)
    You are exceeding the node count allowed by your license. Please contact your Check Point reseller for a license upgrade.
    60024 VPN mode changed <site>
    The VPN mode has changed for the specified site.
    60025 URL filtering override
    The user requested to temporarily override web filtering.
    60026 User <name> <operation>
    A user was created or modified in the local user database.
    60028 VPN Server <mode>
    VPN server enabled/disabled.
    60031 User database changed.
    A user has logged in to the appliance.
    60032 Updated configuration from Service Center
    A new configuration was received from the service center.
    60033 Software Updates mode changed to <mode>
    The software updates service was enabled or disabled.
    60034 Automatic updates interval (seconds) changed to <interval>
    The automatic updates interval was modified.
    60035 Mail Filtering override
    Mail filtering was temporarily overridden by the user.
    60037 Closed VPN Tunnel with <peer> OR: VPN Tunnel established with <peer>
    A VPN tunnel was shut down or established.
    60038 Internet connection terminated after <time> OR: Internet connection established, IP <IP Address> was assigned
    An Internet connection was shut down or established.
    60040 Logging was disabled OR: Logging was set: Syslog IP Address is <IP Address> and Syslog Port is <port>
    Syslog logging was configured by the administrator.
    60041 Management protocol mode changed
    HTTPS, SSH, or SNMP configuration was changed.
    60042 RADIUS server mode changed
    RADIUS configuration was modified.
    60043 Warning; Topology overlapping
    The VPN topology conflicts with one of the internal networks.
    60044 Dialup Modem configuration changed
    The dialup modem configuration was changed.
    60045 Topology overlapping: Range <range> overlaps with internal/DMZ IP
    The VPN topology conflicts with one of the internal networks.
    60046 PPP Connection failed
    A PPP connection has failed.
    60047 Network settings updated
    The settings for an internal network were modified.
    60048 PFS mismatch: Peer <IP Address> configured without PFS support
    Perfect Forward Secrecy is enabled, but the VPN peer does not support it.
    60052 to point connection failed to connect <reason>
    A PPP error has been detected on connection.
    60054 QoS Classes were reset to defaults
    The Traffic Shaper QoS Classes were reset to defaults.
    60055 RADIUS permissions saved
    RADIUS permissions were modified.
    60057 Internal Error
    An internal error has occurred.
    60058 Firmware changed from version <version> to version <version>
    The firmware was updated.
    60059 The reserved IP <IP Address> is used with the wrong MAC <MAC Address>
    An IP address with a MAC reservation has been used by a different MAC.
    60060 A security certificate was generated for subject: <subject>
    A new certificate was created.
    60061 Printer: <type>, S/N:<serial>, connected and attached to port <port number>
    A new printer was attached to the print server, and a TCP port has been allocated.
    60062 Printer: <type>, S/N:<serial>, was disconnected
    A printer was disconnected from the print server.
    60063 Printer: <type>, S/N:<serial>, starting print job from <IP Address>
    A print job was sent to the print server.
    60064 Printer: <type>, S/N:<serial>, failed print job from <IP Address>, <reason>
    A print job has failed.
    60065 Printer: <type>, S/N:<serial>, <message>
    A printer has encountered a technical error.
    60067 New configuration was saved to High Availability module.
    The HA configuration was updated.
    60068 High Availability module changed state from <state> to <state>
    The HA module state has changed.
    60069 Gateway changed status from <status> to <status>
    HA failed over to the secondary gateway, or back to the primary gateway.
    60070 Printer: <type>, S/N:<serial> finished print job from <IP Address>, size <size> Kbyte
    A print job was successfully completed.
    60071 Printer: <type>, S/N:<serial> , reattached to port <port number>
    A known printer has reconnected to the USB port.
    60072 Can't attach port to printer: <type>, S/N:<serial>, only 4 printers are supported
    You attempted to connect more than four printers to the print server at the same time.
    60073 Successfully authenticated user <username> connecting from IP <IP Address>
    The specified user has logged in to the VPN server.
    60074 Printer: <type>, S/N:<serial> , is ready
    The printer is ready to accept print jobs.
    60075 IKE Phase1: Completed successfully with VPN peer <peer> [Security: <encryption>/<digest>] Expire Time: <time> NAT-T: <NAT-T mode>
    IKE phase 1 has completed successfully with the specified peer and has negotiated the specified security methods, SA expiration time, and NAT Traversal mode.
    60076 IKE Phase2: Completed successfully with VPN peer <peer> [Security: <encryption>/<digest>] Expire Time: <time> NAT-T: <NAT-T mode>
    IKE phase 2 has completed successfully with the specified peer and has negotiated the specified security methods, SA expiration time, and NAT Traversal mode.
    60077 IKE Phase1: The VPN Peer <peer> is behind a NAT device: NAT-T mode enabled
    NAT Traversal (NAT-T) has been automatically enabled, since the peer gateway is behind NAT.
    60078 IKE Phase1: This VPN gateway is behind a NAT device: NAT-T mode enabled for VPN peer <peer>
    NAT Traversal (NAT-T) has been automatically enabled since this gateway is behind NAT.
    60079 Disconnected from Service Center
    The gateway has disconnected from the service center.
    60080 New configuration was saved to WLAN module.
    The wireless LAN configuration was updated.
    60081 Printer: <name>, S/N:<serial>, was reset, all running print jobs were terminated
    A printer was reset, and all the remaining print jobs in the print server for this printer were terminated.
    60082 Resolved peer IP for <peer> is: <IP Address>
    VPN interface resolving has resolved the specified IP as the reachable interface of a VPN peer.
    60083 Warning: Your certificate is about to expire. Expiry date is <date>
    This is a reminder that the currently installed security certificate of this gateway is nearly expired.
    60084 Warning: Your CA certificate is about to expire. Expiry date is <date>
    This is a reminder that the currently installed CA (Certificate Authority) security certificate is nearly expired.
    60085 Swapped user rules at indexes <n> and <n>
    The specified firewall rule has been reordered in the local security policy.
    60086 Internet connection probing status change
    Internet probing has detected that the specified Internet connection is in non-operational or operational status.
    60087 Firmware check failed: unrecognized image
    Attempted to install an invalid firmware image.
    60088 Firmware check failed: firmware version is not compatible with the hardware revision of this gateway
    Attempted to install a firmware version incompatible with the hardware revision of this gateway.
    60089 Mail AntiSpam mode changed <mode>
    E-Mail AntiSpam mode has changed to enabled or disabled.
    60090 New configuration was saved to HotSpot module.
    The HotSpot configuration has been updated.
    60091 HotSpot user <username> <action> <source>
    A user has logged in or logged out from a Secure HotSpot enabled network.
    60092 HotSpot user <username> <action> <source>
    A user has logged in or logged out from a Secure HotSpot enabled network that does not require user authentication.
    60093 NTP updated time by <n> seconds
    Synchronization of time with the NTP (Network Time Protocol) server has caused time to be updated.
    60094 Received invalid SofaWare specific RADIUS attribute
    The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response.
    For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper “Configuring the RADIUS Vendor-Specific Attribute”
    60095 Received invalid SofaWare specific RADIUS value (<name>) for <name> attribute
    The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response.
    For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper “Configuring the RADIUS Vendor-Specific Attribute”
    60096 Received invalid SofaWare specific RADIUS attribute type: <name>
    The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response.
    For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper “Configuring the RADIUS Vendor-Specific Attribute”
    60097 Internet connection probe status changed
    The status of the specified Internet connection probing IP address has changed.
    60098 Swapped antivirus rules at indexes <index> and <index>
    The specified antivirus rule has been reordered in the local AV policy.
    60099 Start sniffing <n> network
    The packet capture tool was started by the user.
    60100 Failed to start sniffer
    An internal error occurred – packet capture cannot be performed.
    60101 Sniffer was stopped, <n> packets were captured
    The packet capturing session has been stopped by the user.
    60102 Sniffer was cancelled
    The packet capturing session has been cancelled by the user.
    60103 blocked by VStream
    A connection has been blocked by VStream antivirus.
    60104 VStream antivirus <new status>
    VStream antivirus scanning has been enabled or disabled.
    60105 Warning: No signatures database is installed. VStream antivirus scanning will not be performed.
    No antivirus signatures database is installed; therefore antivirus scanning will not be performed.
    60106 Your certificate has expired. Expiry date is <date>
    The currently installed certificate is no longer valid. It should be renewed.
    60107 Your CA certificate has expired. Expiry date is <date>
    The currently installed CA certificate is no longer valid. It should be renewed.
    60108 Sniffer buffer is full, <n> packets were captured
    The packet capture has been stopped, since the capture buffer is full.
    60109 Sniffer stopped
    The packet capture has been stopped by the user.
    60110 Failed to load VStream signatures databases
    An invalid signatures database was received from the service center.
    60117 VStream Error: <message>
    An Error has occurred in VStream Antivirus processing.
    60118 Low free memory (User:<n> Kb, Kernel:<n> Kb, FW:<n> Kb)
    The gateway is low on memory resources. If this warning message appears frequently, please contact support.
    60119 VStream database was installed successfully
    The antivirus signatures database has been updated.
    60120 Warning: Some of the QoS settings are invalid, therefore QoS is temporarily disabled
    Invalid QoS settings were received from the service center.

    Q: What's the reason for all those connection logs?
    0 Policy rule
    A connection has been logged by an INSPECT firewall policy rule on your gateway. This may be the default security policy shipped with your appliance, or a customized policy downloaded from your service center.
    1 Custom rule
    A connection has been logged by a custom firewall rule defined locally on your gateway.
    To view your custom policy, connect to the “My Firewall” web interface, and click Security > Rules.
    2 Short fragment
    SmartDefense: An IP fragment is too short.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets.
    This log message indicates that a fragment was found that is too short to be valid according to the IP protocol specifications.
    3 Long fragment
    SmartDefense: An IP fragment is too long.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets.
    This log message indicates that a fragment was found that is too long to be valid according to the IP protocol specifications.
    4 Ping of Death
    SmartDefense: Ping of Death detected
    PING (ICMP echo request) is a program that uses the ICMP protocol to check whether a remote machine is up.
    The “Ping of Death” is a malformed PING request that some operating systems are unable to correctly process. The attacker sends a fragmented PING request that exceeds the maximum IP packet size (64KB), causing vulnerable systems to crash.
    5 LAND Attack
    SmartDefense: LAND Attack detected
    Some implementations of TCP/IP are vulnerable to SYN packets in which the source address and port are the same as the destination, i.e., spoofed. LAND is a widely available attack tool that exploits this vulnerability.
    6 Overlapping Fragment
    SmartDefense: Overlapping Fragments detected
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
    Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of overlapping IP fragments. Sending two IP fragments, with one fragment entirely contained inside the other, causes these faulty implementations to allocate too much memory and crash the server on which they run.
    7 Teardrop
    SmartDefense: Teardrop Attack detected.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
    Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of overlapping IP fragments. Sending two IP fragments, with one fragment entirely contained inside the other, causes these faulty implementations to allocate too much memory and crash the server on which they run. TearDrop is a widely available attack tool that exploits this vulnerability.
    Because proper reassembly is required for normal network operation, SmartDefense blocks attacks based on overlapping IP fragments even if the checkbox is deselected. By default, blocked attacks will be logged as “Overlapping fragment”.
    8 Spoofed IP
    SmartDefense: IP Spoofing detected
    IP address spoofing is a technique by which an intruder attempts to gain unauthorized access by altering a packet’s source IP address to make it appear as though the packet originated in a part of the network with higher access privileges. For example, a packet originating on an external network may be disguised as a local packet. If undetected, this packet will be processed by the rule base as having originated inside the firewall (i.e., possibly circumventing access controls). As such, it is important to verify where the packets originated.
    Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway. It confirms that packets claiming to be from an internal network are actually coming from the internal network interface. It also verifies that, once a packet is routed, it is going through the proper interface.
    A Check Point enforcement point will block an illegal address. For example, an IP address from an external interface should not have a source address of an internal network. Legal addresses that are allowed to enter a Check Point enforcement point interface are determined by the topology of the network.
    10 HotSpot
    Secure HotSpot authentication is required
    Secure HotSpot facilitates the creation of managed guest access networks (either wireless or wired) with configurable Web-based authentication, temporary user accounts and RADIUS integration.
    A connection was blocked because Secure HotSpot mode is enabled for the selected network.
    11 TCP out of state
    SmartDefense: TCP connection without corresponding SYN.
    Strict TCP controls the way the firewall handles all out-of-state TCP packets. Out-of-state packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet. If you wish to have an extra strict policy, set Strict TCP action to 'block'.
    12 SYN attack
    SmartDefense: A suspected SYN attack was detected.
    A TCP denial of service attack, which occurs when an attacker sends many SYN packets without finishing the TCP 3-way handshake. A successful SYN Attack will cause the attacked host to be unable to accept new connections.
    13 Duplicate fragments
    SmartDefense: Too many duplicate fragments were detected.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
    Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of a large amount of duplicate IP fragments. When SmartDefense detects an excessive amount of duplicate IP fragments, it logs this event as ‘Duplicate Fragments’.
    14 Too many incomplete packets
    SmartDefense: Virtual Defragmentation: Too many incomplete fragmented packets.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
    In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. As a result, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g. TTL is the same for all fragments), so that security checks can be run against the complete packet contents.
    An attacker may try to overload the defragmentation system by sending a large amount of incomplete packets. Such attempts are detected by SmartDefense and logged as “Too many incomplete packets”.
    15 Incomplete packet
    SmartDefense: A packet was dropped since not all the fragments were received.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
    In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets.
    Without reassembling the fragments, it is not always possible to detect such an attack. As a result, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g. TTL is the same for all fragments), so that security checks can be run against the complete packet contents.
    If some of the fragments of a certain fragmented packet are lost in transit, the packet is blocked by the firewall, and logged as an “Incomplete packet”.
    16 Ping too big
    SmartDefense: A Ping packet is too large.
PING [ICMP echo request] is a program that uses the ICMP protocol to check whether a remote machine is up. A request is sent by the client, and the server responds with a reply echoing the client's data.
    An attacker might echo the client with a large amount of data, for example, causing a buffer overflow.
    17 Null payload
    SmartDefense: Null payload ping attack.
PING [ICMP echo request] is a program that uses the ICMP protocol to check whether a remote machine is up.
    Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts. When this protection is enabled, SmartDefense will identify and drop the null payload ping packets.
    18 Welchia
    SmartDefense: Welchia DoS attack detected.
    The Welchia worm uses the Microsoft DCOM vulnerability or a WebDAV vulnerability. After infecting a computer, the worm begins searching for other live computers to infect. It does so by sending a specific ping packet to a target and waiting for the reply that signals that the target is alive. This flood of pings may disrupt network connectivity.
    19 Christmas packet
    SmartDefense: Christmas packet attack detected.
    A Christmas packet is an IP packet with every single option set. Christmas Tree packets can be used as a method of collecting intelligence on a specific TCP/IP stack, by sending Christmas packets and performing analysis on the response. This can allow an attacker to detect the specific operating system in use. If a Christmas packet is detected by SmartDefense, it is automatically blocked and logged.
    20 Cisco IOS DoS
    SmartDefense: Cisco IOS denial of service attack.
    Cisco routers are configured to process and accept Internet Protocol version 4 [IPv4] packets by default. A specially-crafted sequence of IPv4 packets with protocol type 53 - SWIPE, 55 - IP Mobility, 77 - Sun ND, or 103 - Protocol Independent Multicast - PIM, which is handled by the processor on a Cisco IOS device, can cause the router to stop processing inbound traffic on that interface.
    21 Fragmented packet
    SmartDefense: Policy forbids fragmented packets.
    An attacker might break the data section of a single packet into several fragmented packets, trying to conceal known attacks and exploits. Without reassembling the fragments, it is not always possible to detect such an attack. Therefore, by default, Embedded NGX reassembles all fragments prior to inspecting the packets. However if you set “Forbid IP Fragments” to “True” in the SmartDefense > IP Fragments tab, all IP fragments will be forbidden and blocked.
    22 Network Quota
    SmartDefense: Network Quota exceeded.
    Network Quota enforces a limit upon the number of connections that are allowed from the same source IP address, to protect against Denial Of Service [DoS] attacks. When a certain source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source, or track the event.
    23 Stateless ICMP
    SmartDefense: ICMP response with no ICMP request.
    ICMP allows one network node to ping, or send an echo request to, other network nodes to determine their operational status. This capability can be used to perpetrate a “Smurf” DoS attack. The Smurf attack is possible because standard ICMP does not match requests to responses.
    Therefore, an attacker can send a ping with a spoofed source IP address to an IP broadcast address. The IP broadcast address reaches all IP addresses in a given network. All machines within the pinged network send echo replies to the spoofed, and innocent, IP source. Too many pings and responses can flood the spoofed network and deny access for legitimate traffic. This type of attack can be blocked by dropping replies that don’t match requests, as performed by Check Point’s Stateful ICMP. These packets are logged as “Stateless ICMP”.
    24 FTP Bounce
    SmartDefense: FTP bounce attack.
    When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine.
    25 FTP port overflow
    SmartDefense: FTP port overflow attack.
FTP clients send PORT commands when connecting to the FTP server. A PORT command consists of a series of numbers between 0 and 255, separated by commas.
    Block Port Overflow rejects PORT commands that contain a number greater than 255.
    26 FTP known port
    SmartDefense: FTP known port attack.
    When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine.
    By enabling the “FTP Known Port” protection, you can specify whether to allow the FTP server to connect to well-known ports. This provides a second protection against certain FTP bounce attacks. The server will not let the bounce connect to any port running a known service.
    27 FTP Illegal command
    SmartDefense: Blocked FTP Command
    Using the “Blocked FTP Commands” SmartDefense protection, you can select which FTP commands are allowed to pass through the firewall. This log message indicates that SmartDefense detected an attempt to use an FTP command that was not in the list of allowed FTP commands configured by user.
    28 Non TCP flooding
    SmartDefense: Non TCP flooding attack.
    Hackers directly target security devices such as firewalls. In advanced firewalls, state information about connections is maintained in a State table. The State table includes connection-oriented TCP and connectionless non-TCP protocols. Hackers can send high volumes of non-TCP traffic, in an effort to fill up a firewall State table. This prevents the firewall from accepting new connections and results in a Denial of Service [DoS].
SmartDefense can restrict non-TCP traffic from occupying more than a pre-defined percentage of an enforcement point’s state table. This eliminates the possibility of this type of attack.
    29 Small PMTU
    SmartDefense: Small PMTU DoS attack.
Small PMTU is a bandwidth attack in which the client fools the server into sending large amounts of data using small packets. Each packet has a large overhead that creates a "bottleneck" on the server.
    30 KaZaa
    SmartDefense: KaZaa blocked/logged due to user policy.
    SmartDefense can block or log Kazaa. Kazaa is a popular Peer to Peer file sharing Protocol, running over TCP port 1214 or over HTTP.
    31 Skype
    SmartDefense: Skype blocked/logged due to user policy.
    SmartDefense can block or log Skype traffic by identifying Skype fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port being used to initiate the peer to peer session. Skype uses UDP or TCP port 1024 and higher or HTTP for peer to peer telephony.
    32 BitTorrent
    SmartDefense: BitTorrent blocked/logged due to user policy.
    SmartDefense can block or log BitTorrent, a file distribution network using Peer to Peer connections. BitTorrent uses ports from within the TCP port 6881 - TCP port 6889 range for file transfer.
    33 eMule
    SmartDefense: eMule blocked/logged due to user policy.
    SmartDefense can block or log eMule, a popular Peer to Peer Protocol, used by various Peer to Peer clients, such as eMule, iMesh and others.
34 Gnutella
SmartDefense: Gnutella blocked/logged due to user policy.
    SmartDefense can block or log Gnutella, one of the most popular Peer to Peer protocols, used by applications such as Gnutella, BearShare, Shareaza, Morpheus and iMesh.
    35 ICQ
    SmartDefense: ICQ blocked/logged due to user policy.
    SmartDefense can block or log ICQ traffic by identifying ICQ's fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port that is being used to initiate the peer to peer session. ICQ uses TCP port 5190 to connect. File transfer and sharing is done through TCP port 3574/7320.
    36 Messenger
    SmartDefense: Yahoo Messenger blocked/logged due to user policy.
SmartDefense can block Yahoo! Messenger traffic by identifying fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port that is being used to initiate the peer to peer session. Yahoo! Messenger uses TCP port 5050 and TCP port 80 for messaging, TCP port 5100 for video, TCP port 5000 for voice and TCP port 5010 for file transfer.
    37 Packet too small
    SmartDefense: IP packet is too small.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected an IP packet that is too small to be valid.
    38 Length mismatch
    SmartDefense: IP packet validation failed due to wrong length.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a corrupt or invalid IP packet with an invalid length field.
    39 Port 0
    SmartDefense: Connection to Port 0.
    Port 0 is not a legitimate destination port for TCP and UDP packets. If SmartDefense detects a packet with the destination port of 0, the packet is dropped and logged as “Port 0”.
    40 Small TCP offset
    SmartDefense: Invalid TCP packet.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid TCP offset field.
    41 Large TCP offset
    SmartDefense: Invalid TCP packet.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid TCP offset field.
    42 source IP
    SmartDefense: Invalid source IP address.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a packet with an invalid source IP address, such as a multicast address, a broadcast address, or a loopback address.
    43 TCP options
    SmartDefense: TCP options are invalid.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid set of TCP options.
    44 IGMP packet
    SmartDefense: IGMP packet is truncated.
IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates the detection of an IGMP packet that is too short to be valid.
    45 IGMP TTL is not 1
    SmartDefense: IGMP Time To Live must be 1.
    IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates an IGMP packet that had a TTL (Time to Live) value other than 1.
    46 IGMP to unicast IP
SmartDefense: IGMP to Unicast IP addresses is invalid.
IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates that an IGMP packet was sent to a unicast IP address.
    47 mismatch
    VPN: A cleartext packet was received from an IP address in the encryption domain.
    This log message indicates that a packet was received in clear text, when it was expected to be encrypted. This may either indicate an unauthorized attempt to access your VPN network, or a problem in your VPN setup which caused the two peers in a VPN link to disagree on which packets should be encrypted.
    48 CIFS password buffer overrun
    SmartDefense: Microsoft File Sharing attack.
A worm is a self-replicating malware [malicious software] that propagates by actively sending itself to new machines. CIFS, the Common Internet File System (sometimes called SMB), is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation.
    58 Host port scan
    SmartDefense: Host Port Scan detected.
This log message indicates that a Host Port Scan was detected. A host port scan is directed at a specific host or network. A scan can determine which services a host offers. For example, a host port scan could discover that a certain host has TCP ports 23, 25, and 110 open, meaning it offers the Telnet, SMTP, and POP3 services, respectively.
    59 IP sweep scan
    SmartDefense: IP Sweep scanning detected.
This log message indicates that an IP Sweep Scan was detected. An IP Sweep Scan looks for a specific open port and determines which hosts are listening on that port. For example, IP Sweep Scans are used by network worms trying to find machines to which they can propagate themselves. The Blaster worm, for example, looks for the RPC service, searching the entire network for that single open service.
    60 CIFS Worm
    SmartDefense: A worm is trying to spread via Microsoft File Sharing.
A worm is a self-replicating malware [malicious software] that propagates by actively sending itself to new machines. CIFS, the Common Internet File System (sometimes called SMB), is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation.
    63 HTTP Worm Catcher
    SmartDefense: A worm is trying to spread via HTTP.
    A worm is a self-replicating malware [malicious software] that propagates by actively sending itself to new machines. Some worms propagate by using security vulnerabilities in the HTTP protocol. This SmartDefense protection allows you to detect and block worms based on pre-defined patterns.
    Last edited by danjun; 2017-09-04 at 03:13.
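For the fragment-related entries in the FAQ above (7 Teardrop and its overlapping fragments, 13 Duplicate fragments, 14 Too many incomplete packets, 15 Incomplete packet), here is an added Python example of a minimal virtual defragmentation tracker that raises those four conditions. It is not code from the FAQ, Check Point or SofaWare: the thresholds (MAX_DUPLICATES, MAX_INCOMPLETE, FRAGMENT_TIMEOUT), the Fragment fields and the sample fragments in run_demo are constructed assumptions, and the real SmartDefense logic is not shown on this page.

```python
# Added example (not from the FAQ, Check Point or SofaWare): a minimal virtual
# defragmentation tracker. Thresholds and sample fragments are constructed.
from dataclasses import dataclass, field
from typing import Optional

MAX_DUPLICATES = 3        # assumed: resends of one fragment tolerated per packet
MAX_INCOMPLETE = 2        # assumed: partial packets held at once
FRAGMENT_TIMEOUT = 30.0   # assumed: seconds before a partial packet is given up


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int      # IP identification, shared by all fragments of one packet
    offset: int     # byte offset of this fragment's data in the original packet
    length: int     # bytes of data in this fragment
    more: bool      # more-fragments flag; False on the last fragment
    arrived: float  # constructed arrival time in seconds


@dataclass
class PartialPacket:
    first_seen: float
    pieces: list = field(default_factory=list)  # (offset, length) accepted so far
    duplicates: int = 0
    total_length: Optional[int] = None          # known once the last fragment arrives

    def complete(self):
        """True when the pieces cover 0..total_length without a gap."""
        if self.total_length is None:
            return False
        covered = 0
        for off, ln in sorted(self.pieces):
            if off > covered:
                return False
            covered = max(covered, off + ln)
        return covered >= self.total_length


class Defragmenter:
    def __init__(self):
        self.partial = {}  # (src, dst, ident) -> PartialPacket
        self.log = []      # SmartDefense-style log messages

    def _expire(self, now):
        for key, p in list(self.partial.items()):
            if now - p.first_seen > FRAGMENT_TIMEOUT:
                self.log.append("Incomplete packet")  # the rest never arrived
                del self.partial[key]

    def add(self, f):
        """Return 'accept', 'drop' or 'reassembled' for one fragment."""
        self._expire(f.arrived)
        key = (f.src, f.dst, f.ident)
        p = self.partial.get(key)
        if p is None:
            if len(self.partial) >= MAX_INCOMPLETE:  # defragmenter is full
                self.log.append("Too many incomplete packets")
                return "drop"
            p = self.partial[key] = PartialPacket(first_seen=f.arrived)
        piece = (f.offset, f.length)
        if piece in p.pieces:                        # exact resend of a fragment
            p.duplicates += 1
            if p.duplicates > MAX_DUPLICATES:
                self.log.append("Duplicate fragments")
                del self.partial[key]
                return "drop"
            return "accept"
        start, end = f.offset, f.offset + f.length
        for off, ln in p.pieces:                     # one fragment entirely inside another
            if (off <= start and end <= off + ln) or (start <= off and off + ln <= end):
                self.log.append("Overlapping fragment")
                del self.partial[key]
                return "drop"
        p.pieces.append(piece)
        if not f.more:
            p.total_length = end
        if p.complete():
            del self.partial[key]
            return "reassembled"
        return "accept"


def run_demo():
    """Feed constructed fragments from one flow; returns (verdicts, log)."""
    d = Defragmenter()

    def frag(ident, off, ln, more, t):
        return Fragment("10.0.0.5", "192.0.2.10", ident, off, ln, more, t)

    v = [d.add(frag(1, 0, 8, True, 0.0)),   # ordinary two-piece packet
         d.add(frag(1, 8, 8, False, 0.1)),  # -> reassembled
         d.add(frag(2, 0, 16, True, 1.0)),
         d.add(frag(2, 4, 4, True, 1.1)),   # lies inside the first -> dropped
         d.add(frag(3, 0, 8, True, 2.0))]
    v += [d.add(frag(3, 0, 8, True, 2.1 + i / 10)) for i in range(4)]  # resent 4 times
    v += [d.add(frag(4, 0, 8, True, 10.0)),  # never completed
          d.add(frag(5, 0, 8, True, 50.0)),  # 40 s later: ident 4 expires
          d.add(frag(6, 0, 8, True, 51.0)),  # two partial packets now held
          d.add(frag(7, 0, 8, True, 52.0))]  # a third is refused
    return v, d.log
```

The containment test is deliberately narrow (one fragment wholly inside another), matching the FAQ's description of the Teardrop condition; a partial overlap is left to complete() to sort out, and a real defragmenter would additionally verify that TTL and other options agree across fragments, as entry 14 notes.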
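For the FTP entries above (24 FTP Bounce, 25 FTP port overflow, 26 FTP known port, 27 FTP Illegal command), here is an added Python example that inspects client-side commands on an FTP control connection and applies those four checks. It is not the FAQ's or Check Point's code; ALLOWED_COMMANDS, WELL_KNOWN_MAX and the sample session are assumed policy values and constructed input.

```python
# Added example: inspection of client-side FTP commands on a control
# connection. ALLOWED_COMMANDS and WELL_KNOWN_MAX are assumed policy values.
import ipaddress
import re

ALLOWED_COMMANDS = {"USER", "PASS", "PORT", "PASV", "TYPE", "CWD",
                    "LIST", "RETR", "STOR", "QUIT"}   # assumed policy
WELL_KNOWN_MAX = 1023                                 # well-known ports 0-1023

PORT_RE = re.compile(r"^PORT\s+(\S+)\s*$", re.IGNORECASE)


def inspect_ftp_command(line, client_ip):
    """Return (verdict, log_message) for one client->server FTP command line.

    client_ip is the source of the control connection; a PORT command is only
    legitimate if it asks the server to connect back to that same address.
    """
    line = line.rstrip("\r\n")
    verb = line.split(" ", 1)[0].upper()
    if verb not in ALLOWED_COMMANDS:                  # entry 27
        return "drop", "Blocked FTP Command"
    if verb != "PORT":
        return "accept", ""
    m = PORT_RE.match(line)
    fields = m.group(1).split(",") if m else []
    if len(fields) != 6 or not all(f.isdigit() for f in fields):
        return "drop", "Blocked FTP Command"          # malformed PORT argument
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):                    # entry 25: h1-h4,p1,p2 are bytes
        return "drop", "FTP port overflow attack"
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    if addr != ipaddress.IPv4Address(client_ip):      # entry 24: data to a third party
        return "drop", "FTP bounce attack"
    if port <= WELL_KNOWN_MAX:                        # entry 26: data to a known service
        return "drop", "FTP known port attack"
    return "accept", ""


def inspect_session(lines, client_ip):
    """Apply inspect_ftp_command to each line; returns the list of verdicts."""
    return [inspect_ftp_command(line, client_ip) for line in lines]


# Constructed control-channel transcript from client 192.0.2.10
SAMPLE_SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,4,1",     # back to 192.0.2.10:1025 -> accepted
    "PORT 192,0,2,10,300,1",   # a value above 255       -> port overflow
    "PORT 10,1,1,9,4,1",       # some other host         -> bounce
    "PORT 192,0,2,10,0,25",    # port 25 (SMTP)          -> known port
    "SITE HELP",               # not in the allowed list -> blocked command
    "RETR notes.txt",
]
```

Note that the bounce check compares against the control connection's source address rather than trusting the PORT payload, which is the whole point of the protection: the server has no other way to know where the data connection should go.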
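For the packet sanity entries above (37 Packet too small, 38 Length mismatch, 39 Port 0, 40/41 Small and Large TCP offset, 42 source IP, 43 TCP options) and the three IGMP entries (44 to 46), here is an added Python example that runs those Layer 3/4 checks over raw IPv4 packets. It is not Check Point's implementation: build_ipv4 and build_tcp construct the test packets, SAMPLE_PACKETS is constructed input, and the checks are one plausible reading of the log descriptions, not the appliance's real logic.

```python
# Added example: Layer 3/4 sanity and IGMP checks over raw IPv4 packets.
# The builders construct test packets; the checks are one reading of the
# log descriptions in the FAQ, not SmartDefense's real implementation.
import ipaddress
import struct

BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def build_ipv4(src, dst, proto, payload, ttl=64, total_length=None):
    """Construct an IPv4 header (IHL 5, checksum 0) followed by payload.
    total_length lets a test deliberately lie about the packet size."""
    total = 20 + len(payload) if total_length is None else total_length
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp(sport, dport, data_offset=5, options=b""):
    """Construct a TCP SYN header; data_offset is in 32-bit words as on the wire."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset << 4, 0x02, 8192, 0, 0) + options


def valid_tcp_options(opts):
    """Walk the TCP option list; False on a truncated or zero-length option."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:              # End of Option List
            return True
        if kind == 1:              # No-Operation
            i += 1
            continue
        if i + 1 >= len(opts):     # kind byte without its length byte
            return False
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            return False
        i += ln
    return True


def sanity_check(pkt):
    """Return 'ok' or the log message the packet would raise."""
    if len(pkt) < 20:
        return "IP packet is too small"
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or len(pkt) < ihl:
        return "IP packet is too small"
    if total_len != len(pkt) or total_len < ihl:
        return "IP packet validation failed due to wrong length"
    ttl, proto = pkt[8], pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    if src.is_multicast or src.is_loopback or src == BROADCAST:
        return "Invalid source IP address"
    l4 = pkt[ihl:]
    if proto == 2:                                  # IGMP
        if len(l4) < 8:
            return "IGMP packet is truncated"
        if ttl != 1:                                # must not cross a router
            return "IGMP Time To Live must be 1"
        if not dst.is_multicast:
            return "IGMP to Unicast IP addresses is invalid"
        return "ok"
    if proto in (6, 17):                            # TCP / UDP
        if len(l4) < (20 if proto == 6 else 8):
            return "IP packet is too small"
        if struct.unpack("!H", l4[2:4])[0] == 0:
            return "Connection to Port 0"
    if proto == 6:
        offset = (l4[12] >> 4) * 4
        if offset < 20 or offset > len(l4):         # small / large TCP offset
            return "Invalid TCP packet"
        if not valid_tcp_options(l4[20:offset]):
            return "TCP options are invalid"
    return "ok"


IGMP_QUERY = b"\x11\x64\x00\x00\x00\x00\x00\x00"   # constructed 8-byte membership query
S, D = "10.0.0.5", "192.0.2.10"
SAMPLE_PACKETS = {  # constructed inputs, one per check
    "normal_syn": build_ipv4(S, D, 6, build_tcp(40000, 443)),
    "too_small": build_ipv4(S, D, 6, build_tcp(40000, 443))[:12],
    "length_mismatch": build_ipv4(S, D, 6, build_tcp(40000, 443), total_length=60),
    "multicast_source": build_ipv4("224.0.0.1", D, 6, build_tcp(40000, 443)),
    "udp_port_zero": build_ipv4(S, D, 17, struct.pack("!HHHH", 5353, 0, 8, 0)),
    "small_offset": build_ipv4(S, D, 6, build_tcp(40000, 80, data_offset=3)),
    "large_offset": build_ipv4(S, D, 6, build_tcp(40000, 80, data_offset=8)),
    "bad_options": build_ipv4(S, D, 6, build_tcp(40000, 80, 6, b"\x02\x00\x00\x00")),
    "mss_option": build_ipv4(S, D, 6, build_tcp(40000, 80, 6, b"\x02\x04\x05\xb4")),
    "igmp_truncated": build_ipv4(S, "224.0.0.1", 2, b"\x11\x64\x00", ttl=1),
    "igmp_bad_ttl": build_ipv4(S, "224.0.0.1", 2, IGMP_QUERY, ttl=64),
    "igmp_unicast": build_ipv4(S, D, 2, IGMP_QUERY, ttl=1),
    "igmp_query": build_ipv4(S, "224.0.0.1", 2, IGMP_QUERY, ttl=1),
}


def check_all():
    """Run sanity_check over every sample; returns {name: message}."""
    return {name: sanity_check(p) for name, p in SAMPLE_PACKETS.items()}
```

The order of the checks matters: header lengths are validated before any field behind them is read, so a truncated packet can never make the TCP or IGMP checks index past the buffer.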
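For entries 58 Host port scan and 59 IP sweep scan above, here is an added Python example of the two detections run over constructed connection log lines: many distinct ports on one host from one source, versus one port across many hosts. It is not the FAQ's or Check Point's code; the thresholds, the time window and the log line format (SAMPLE_LOG) are assumptions, and real Edge logs look different.

```python
# Added example: host port scan and IP sweep detection over constructed
# connection log lines. Thresholds, window and log format are assumptions.
import re
from collections import defaultdict
from datetime import datetime

HOST_SCAN_PORTS = 5   # assumed: distinct ports on one host within WINDOW
IP_SWEEP_HOSTS = 5    # assumed: distinct hosts on one port within WINDOW
WINDOW = 60.0         # assumed: seconds

LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)")


def parse(line):
    """Parse one constructed log line; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).timestamp()
    return ts, m["src"], m["dst"], int(m["dport"]), m["proto"]


class ScanDetector:
    def __init__(self):
        self.ports_by_host = defaultdict(dict)  # (src, dst)   -> {dport: last_ts}
        self.hosts_by_port = defaultdict(dict)  # (src, dport) -> {dst: last_ts}
        self.alerts = []
        self.alerted = set()                    # alert once per scanner/target

    @staticmethod
    def _prune(table, now):
        """Forget entries older than WINDOW so slow, unrelated traffic does not pile up."""
        for k in [k for k, t in table.items() if now - t > WINDOW]:
            del table[k]

    def observe(self, line):
        """Update both tables with one log line; returns the parsed record."""
        rec = parse(line)
        if rec is None:
            return None
        ts, src, dst, dport, proto = rec
        ports = self.ports_by_host[(src, dst)]      # entry 58: ports per host
        ports[dport] = ts
        self._prune(ports, ts)
        if len(ports) >= HOST_SCAN_PORTS and ("host", src, dst) not in self.alerted:
            self.alerted.add(("host", src, dst))
            self.alerts.append(f"Host Port Scan detected: {src} -> {dst} ({len(ports)} ports)")
        hosts = self.hosts_by_port[(src, dport)]    # entry 59: hosts per port
        hosts[dst] = ts
        self._prune(hosts, ts)
        if len(hosts) >= IP_SWEEP_HOSTS and ("sweep", src, dport) not in self.alerted:
            self.alerted.add(("sweep", src, dport))
            self.alerts.append(f"IP Sweep scanning detected: {src} -> {proto}/{dport} ({len(hosts)} hosts)")
        return rec


# Constructed log: one host scan, one sweep on the RPC port, and one slow,
# spread-out client that must not trigger anything.
SAMPLE_LOG = """\
2009-03-29T16:55:01 src=10.0.0.5 dst=192.0.2.10 dport=21 proto=tcp
2009-03-29T16:55:01 src=10.0.0.5 dst=192.0.2.10 dport=22 proto=tcp
2009-03-29T16:55:02 src=10.0.0.5 dst=192.0.2.10 dport=23 proto=tcp
2009-03-29T16:55:02 src=10.0.0.5 dst=192.0.2.10 dport=25 proto=tcp
2009-03-29T16:55:03 src=10.0.0.5 dst=192.0.2.10 dport=110 proto=tcp
2009-03-29T16:55:10 src=10.0.0.7 dst=192.0.2.20 dport=135 proto=tcp
2009-03-29T16:55:10 src=10.0.0.7 dst=192.0.2.21 dport=135 proto=tcp
2009-03-29T16:55:11 src=10.0.0.7 dst=192.0.2.22 dport=135 proto=tcp
2009-03-29T16:55:11 src=10.0.0.7 dst=192.0.2.23 dport=135 proto=tcp
2009-03-29T16:55:12 src=10.0.0.7 dst=192.0.2.24 dport=135 proto=tcp
2009-03-29T16:58:00 src=10.0.0.9 dst=192.0.2.30 dport=80 proto=tcp
2009-03-29T16:58:00 src=10.0.0.9 dst=192.0.2.30 dport=443 proto=tcp
2009-03-29T17:10:00 src=10.0.0.9 dst=192.0.2.30 dport=22 proto=tcp
2009-03-29T17:10:01 src=10.0.0.9 dst=192.0.2.30 dport=23 proto=tcp
2009-03-29T17:10:02 src=10.0.0.9 dst=192.0.2.30 dport=25 proto=tcp
"""


def run_demo():
    """Replay SAMPLE_LOG through the detector; returns the alert list."""
    d = ScanDetector()
    for line in SAMPLE_LOG.splitlines():
        d.observe(line)
    return d.alerts
```

The sliding window is what keeps the third client quiet: its two earlier connections fall out of the table before the later three arrive, so a normal multi-service user is not reported while the two bursts are.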

  2. #2
    Join Date
    2005-12-16
    Posts
    35
    Rep Power
    0

    Default Re: UTM-1 Edges - FAQ

    very good FAQ.
    A lot of questions that I encountered during edge deployments are answered here.

    nice work

  3. #3
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    15

    Default Re: UTM-1 Edges - FAQ


  4. #4
    Join Date
    2006-03-08
    Location
    New Zealand
    Posts
    490
    Rep Power
    12

    Default Re: UTM-1 Edges - FAQ

    Hey Dantro,

Bloody good work! We need to have a word to Mr Stiefel and get a "reward beer through the internet" system working. You definitely deserve one for this masterpiece!

    :-)

  5. #5
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    997
    Rep Power
    12

    Default Re: UTM-1 Edges - FAQ

    Q: I want to push a Security Policy directly onto my UTM-1 Edge. Is this possible?
    A: Yes. Purchase Check Point SmartLSM (Large Scale Manager).
    LSM is actually not needed to push out Security policy onto edge devices. You can do this with regular Smartcenter as long as you have correct license (Management for xx number of gateways).

    Good work with the FAQ! Sticky please!

  6. #6
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    997
    Rep Power
    12

    Default Re: UTM-1 Edges - FAQ

    Quote Originally Posted by abusharif View Post
    LSM is actually not needed to push out Security policy onto edge devices. You can do this with regular Smartcenter as long as you have correct license (Management for xx number of gateways).

    Good work with the FAQ! Sticky please!
Ok, since there obviously are "different interpretations" of the phrase "push", I'll be more clear.

Yes, in the true meaning of push, where the policy is sent to the device and not retrieved by it, LSM is needed.

The other way, doing a policy install on the Edge object from a standard SmartCenter, results in an event that triggers the Edge to connect to SmartCenter, download the new policy and install it. So yes, in the true meaning of "push" this is not a real push, but an update event.

However, in my own experience, push is a very so-so word when it comes to these things and can be interpreted differently, kind of like push mail (in most of the software I tried), where you don't get actual mail pushed to your device but an event that triggers your client to go and check for updates.

Anyway, I hope it's clarified now.

  7. #7
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    997
    Rep Power
    12

    Default Re: UTM-1 Edges - FAQ

    Quote Originally Posted by dantro View Post
    By doing a policy install on the UTM-1 Edge object from a standard Smartcenter Server the Sofaware libraries (libsw) will verify and compile the policy. In Global Properties > VPN-1 UTM Edge Gateway the option 'Update configuration settings' specifies the time at which the VPN-1 UTM Edge device is updated with new configuration settings. Default is 20 minutes. This means that after a policy install has been made it may take up to 20 minutes until the Edge contacts the Embedded Edge Connector to retrieve the new policy. In my experience PUSH has a different meaning. This is why I recommend to buy SmartLSM in order to get a true PUSH procedure.
    OT:

Interesting and true, but not quite? I am able to recreate the behaviour over and over again as follows:

By doing policy->install and choosing the Edge/IP4x object, it triggers the update function on the Edge device _regardless_ of the timer of 20 minutes. I've just tried it on 2 boxes which had a long time left till "auto update" (15 min and 9 min), and within 50 seconds of the policy installation I did, they triggered auto update and downloaded the policy.

I know what the documentation says about 20 min, and that if you want to force a policy download you should do "refresh" on the Edge/Nokia IPx device, but as mentioned above, after testing they always initiate the download within 50 seconds of policy->install. If this is strange, undocumented or something else, I let others judge :P
    Last edited by abusharif; 2007-11-19 at 10:20.

  8. #8
    Join Date
    2006-04-27
    Location
    Twillight zone
    Posts
    997
    Rep Power
    12

    Default Re: UTM-1 Edges - FAQ

    Quote Originally Posted by dantro View Post
    I've seen hundreds of centrally managed UTM-1 Edges and can't report such a behaviour.
    Yepp indeed "strange".

    tcpdump and logs confirm it as well.

As soon as I initiate a policy install, SmartCenter sends the packet to the ip4x device.

    15:50:28.482899 O smartcenter.9282 > ip4x-node.9281: udp 64
    15:50:28.791103 I ip4x-node.9281 > smartcenter.9282: udp 96
    15:50:28.794852 I ip4x-node.9281 > smartcenter.9282: udp 456
    15:50:29.486071 O smartcenter.9282 > ip4x-node.9281: udp 224
    15:50:29.802843 I ip4x-node.9281 > smartcenter: udp 120

A few seconds later the following appears in the Nokia log:

    Installed updated security policy (downloaded)



Ah, well, it doesn't really matter; we got a bit off-topic from the original post. But I'll try to verify this with a CP SE as soon as I can.

  9. #9
    Join Date
    2006-06-13
    Location
    Netherlands
    Posts
    25
    Rep Power
    0

    Default Re: UTM-1 Edges - FAQ

    What happened to the rest of the FAQ?

  10. #10
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,107
    Rep Power
    11

    Default Re: UTM-1 Edges - FAQ

Just found a very interesting SK: sk32680, which explains the negative rule numbers, which are implied rules, and their explanations. I.e.:
    Rule -40: Msn Messenger traffic

    Most interesting part of it is that they are Implied rules!!
    Last edited by msjouw; 2009-02-12 at 14:25.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  11. #11
    Join Date
    2009-02-13
    Posts
    7
    Rep Power
    0

    Default Re: UTM-1 Edges - FAQ

    Dantro,

    First of all thank you for the very useful FAQ.

    In the answer to the question regarding high latencies, you state to "Make sure all rules in your security and NAT policy contain a specific policy installation target". By "specific policy installation target" are you referring to a single UTM Edge Gateway object defined as the policy target or can a group containing multiple Edge Gateway objects used as well?

    Also I have a few additions that you may want to include in the FAQ...

After updating my management server from R60HFA7 to R65HFA30, the UTM-1 Edge devices I manage centrally suddenly started having high CPU and Kernel memory utilization. On R60HFA7, I had disabled all SmartDefense options locally on the Edge and on R65HFA30, I had configured them to not apply SmartDefense. After opening a case with Check Point, they confirmed that in certain circumstances SmartDefense is still applied on Edges that are centrally managed even if you have configured it otherwise on the management server. The fix for this issue was to disconnect from the service center, then locally disable all SmartDefense options on the Edge using the wizard and finally reconnect to the service center.

The support tech from Check Point also provided me with a quick explanation of what the different types of memory are used for:

    Firewall memory: table entry; ie. the arp and connections table
    User memory: For https connections to the box as well as security policy (downloaded from the SmartCenter) and VPN (IKE connections)
    Kernel memory: SmartDefense and Vstream (anti virus)

    Regards

  12. #12
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,107
    Rep Power
    11

    Default Re: UTM-1 Edges - FAQ

    @Stretch: Yes you can use groups in the Install On column.

Today I had an issue that required me to completely unload anything loaded from the Command Center. The way to do that is not "clear fw rules" or any other clear command.
The correct command to disconnect and remove the policy and NAT rules from execution:

    set smp connect disable
    for Nokia IP40/45 the command would be:
    set service-center connect disable

    This will totally clear the rulebase like the fw unloadlocal on a normal firewall.
    Last edited by msjouw; 2009-03-29 at 16:55.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  13. #13
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    15

    Default Questions for the FAQ

    How many bridges can an Edge Support?
How many VAPs can an Edge support?

    I'll try to update with the answers unless someone finds it before me.

  14. #14
    Join Date
    2006-02-10
    Location
    Munich
    Posts
    41
    Rep Power
    0

    Default Re: UTM-1 Edges - FAQ

    Hi

    >First of all thank you for the very useful FAQ.
    100%ACK

    Also I have a few additions that you may want to include in the FAQ...
1. Please don't list the official performance counters. To be honest, one should divide them by a value of 2 or 3. The official performance provided by CP can only be reached in case you switch off almost every security feature and run the box as a normal DSL router.
2. On firmware version 7.0.x and above, using negated objects can produce problems in case of using big groups. We have to switch over to IP ranges to define public IPs for Internet access :-(.


    >After updating my management server from R60HFA7 to R65HFA30, the UTM-1 Edge devices I manage centrally
    >suddenly started having high CPU and Kernel memory utilization. On R60HFA7, I had disabled all SmartDefense
    >options locally on the Edge and on R65HFA30, I had configured them to not apply SmartDefense".
We are having the same problem with EdgeOS 7.0+ and SmartCenter server on R65. Best thing is that it disappeared after upgrading our central gateway to R65HFA40.

    regards
    Roluf

  15. #15
    Join Date
    2008-01-26
    Posts
    2
    Rep Power
    0

    Default Re: UTM-1 Edges - FAQ

    Hi @all,

    First of all: thanks to dantro for this great FAQ!!

There are backup firmwares for ADSL modems mentioned, but I can't find them anywhere.
    1.) are they publicly available (as public as the normal firmwares I mean)
    2.) Is it possible to just rename the prim to get the sec?

    kind Regards
    Zoltan

  16. #16
    Join Date
    2008-01-26
    Posts
    2
    Rep Power
    0

    Default Re: UTM-1 Edges - FAQ

    Hi dantro,

    Quote Originally Posted by dantro View Post
    1.) It's all here.
    hmm maybe you have another access level to that page (I have Expert Access)
    but I don't see the dsl backup firmware just the primary.
    Quote Originally Posted by dantro View Post
    2.) That won't work.
what a pity *sigh*


    Thanks for your answer &
    kind regards,
    Zoltan

  17. #17
    Join Date
    2008-07-30
    Posts
    17
    Rep Power
    0

    Default Re: UTM-1 Edges - FAQ

    Pls. note that Firmware 8.1.37x is available for some weeks now.
    Last edited by Mattes57; 2010-06-17 at 05:07.

  18. #18
    Join Date
    2005-08-11
    Location
    San Francisco, CA
    Posts
    1,395
    Rep Power
    14

    Default Re: UTM-1 Edges - FAQ

    Test post by BJS:
    Q: What's the reason of all those connection logs?
    0 Policy rule
    A connection has been logged by an INSPECT firewall policy rule on your gateway. This may be the default security policy shipped with your appliance, or a customized policy downloaded from your service center.
    1 Custom rule
A connection has been logged by a custom firewall rule defined locally on your gateway.
    To view your custom policy, connect to the “My Firewall” web interface, and click Security > Rules.
    2 Short fragment
    SmartDefense: An IP fragment is too short.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets.
    This log message indicates that a fragment was found that is too short to be valid according to the IP protocol specifications.
    3 Long fragment
    SmartDefense: An IP fragment is too long.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets.
    This log message indicates that a fragment was found that is too long to be valid according to the IP protocol specifications.
    4 Ping of Death
    SmartDefense: Ping of Death detected
PING [ICMP echo request] is a program that uses the ICMP protocol to check whether a remote machine is up.
    The “Ping of Death” is a malformed PING request that some operating systems are unable to correctly process. The attacker sends a fragmented PING request that exceeds the maximum IP packet size (64KB), causing vulnerable systems to crash.
    5 LAND Attack
    SmartDefense: LAND Attack detected
Some implementations of TCP/IP are vulnerable to SYN packets in which the source address and port are the same as the destination, i.e., spoofed. LAND is a widely available attack tool that exploits this vulnerability.
    6 Overlapping Fragment
    SmartDefense: Overlapping Fragments detected
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
    Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of overlapping IP fragments. Sending two IP fragments, with one fragment entirely contained inside the other, causes these faulty implementations to allocate too much memory and crash the server on which they run.
    7 Teardrop
    SmartDefense: Teardrop Attack detected.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
    Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of overlapping IP fragments. Sending two IP fragments, with one fragment entirely contained inside the other, causes these faulty implementations to allocate too much memory and crash the server on which they run. TearDrop is a widely available attack tool that exploits this vulnerability.
    Because proper reassembly is required for normal network operation, SmartDefense blocks attacks based on overlapping IP fragments even if the checkbox is deselected. By default, blocked attacks will be logged as “Overlapping fragment”.
    8 Spoofed IP
    SmartDefense: IP Spoofing detected
    IP address spoofing is a technique by which an intruder attempts to gain unauthorized access by altering a packet’s source IP address to make it appear as though the packet originated in a part of the network with higher access privileges. For example, a packet originating on an external network may be disguised as a local packet. If undetected, this packet will be processed by the rule base as having originated inside the firewall (i.e., possibly circumventing access controls). As such, it is important to verify where the packets originated.
    Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway. It confirms that packets claiming to be from an internal network are actually coming from the internal network interface. It also verifies that, once a packet is routed, it is going through the proper interface.
    A Check Point enforcement point will block an illegal address. For example, an IP address from an external interface should not have a source address of an internal network. Legal addresses that are allowed to enter a Check Point enforcement point interface are determined by the topology of the network.
    10 HotSpot
    Secure HotSpot authentication is required
    Secure HotSpot facilitates the creation of managed guest access networks (either wireless or wired) with configurable Web-based authentication, temporary user accounts and RADIUS integration.
A connection was blocked since Secure HotSpot mode is enabled for the selected network.
    11 TCP out of state
    SmartDefense: TCP connection without corresponding SYN.
    Strict TCP controls the way the firewall handles all out-of-state TCP packets. Out-of-state packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet. If you wish to have an extra strict policy, set Strict TCP action to 'block'.
    12 SYN attack
    SmartDefense: A suspected SYN attack was detected.
    A TCP denial of service attack, which occurs when an attacker sends many SYN packets without finishing the TCP 3-way handshake. A successful SYN Attack will cause the attacked host to be unable to accept new connections.
    13 Duplicate fragments
    SmartDefense: Too many duplicate fragments were detected.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
    Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of a large amount of duplicate IP fragments. When SmartDefense detects an excessive amount of duplicate IP fragments, it logs this event as ‘Duplicate Fragments’.
    14 Too many incomplete packets
    SmartDefense: Virtual Defragmentation: Too many incomplete fragmented packets.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
    In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. As a result, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g. TTL is the same for all fragments), so that security checks can be run against the complete packet contents.
    An attacker may try to overload the defragmentation system by sending a large amount of incomplete packets. Such attempts are detected by SmartDefense and logged as “Too many incomplete packets”.
    15 Incomplete packet
    SmartDefense: A packet was dropped since not all the fragments were received.
    When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
    In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets.
    Without reassembling the fragments, it is not always possible to detect such an attack. As a result, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g. TTL is the same for all fragments), so that security checks can be run against the complete packet contents.
    If some of the fragments of a certain fragmented packet are lost in transit, the packet is blocked by the firewall, and logged as an “Incomplete packet”.
    16 Ping too big
    SmartDefense: A Ping packet is too large.
PING [ICMP echo request] is a program that uses the ICMP protocol to check whether a remote machine is up. A request is sent by the client, and the server responds with a reply echoing the client's data.
    An attacker might echo the client with a large amount of data, for example, causing a buffer overflow.
    17 Null payload
    SmartDefense: Null payload ping attack.
PING [ICMP echo request] is a program that uses the ICMP protocol to check whether a remote machine is up.
    Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts. When this protection is enabled, SmartDefense will identify and drop the null payload ping packets.
    18 Welchia
    SmartDefense: Welchia DoS attack detected.
    The Welchia worm uses the Microsoft DCOM vulnerability or a WebDAV vulnerability. After infecting a computer, the worm begins searching for other live computers to infect. It does so by sending a specific ping packet to a target and waiting for the reply that signals that the target is alive. This flood of pings may disrupt network connectivity.
    19 Christmas packet
    SmartDefense: Christmas packet attack detected.
    A Christmas packet is an IP packet with every single option set. Christmas Tree packets can be used as a method of collecting intelligence on a specific TCP/IP stack, by sending Christmas packets and performing analysis on the response. This can allow an attacker to detect the specific operating system in use. If a Christmas packet is detected by SmartDefense, it is automatically blocked and logged.
    20 Cisco IOS DoS
    SmartDefense: Cisco IOS denial of service attack.
    Cisco routers are configured to process and accept Internet Protocol version 4 [IPv4] packets by default. A specially-crafted sequence of IPv4 packets with protocol type 53 - SWIPE, 55 - IP Mobility, 77 - Sun ND, or 103 - Protocol Independent Multicast - PIM, which is handled by the processor on a Cisco IOS device, can cause the router to stop processing inbound traffic on that interface.
    21 Fragmented packet
    SmartDefense: Policy forbids fragmented packets.
    An attacker might break the data section of a single packet into several fragmented packets, trying to conceal known attacks and exploits. Without reassembling the fragments, it is not always possible to detect such an attack. Therefore, by default, Embedded NGX reassembles all fragments prior to inspecting the packets. However if you set “Forbid IP Fragments” to “True” in the SmartDefense > IP Fragments tab, all IP fragments will be forbidden and blocked.
    22 Network Quota
    SmartDefense: Network Quota exceeded.
    Network Quota enforces a limit upon the number of connections that are allowed from the same source IP address, to protect against Denial Of Service [DoS] attacks. When a certain source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source, or track the event.
    23 Stateless ICMP
    SmartDefense: ICMP response with no ICMP request.
    ICMP allows one network node to ping, or send an echo request to, other network nodes to determine their operational status. This capability can be used to perpetrate a “Smurf” DoS attack. The Smurf attack is possible because standard ICMP does not match requests to responses.
    Therefore, an attacker can send a ping with a spoofed source IP address to an IP broadcast address. The IP broadcast address reaches all IP addresses in a given network. All machines within the pinged network send echo replies to the spoofed, and innocent, IP source. Too many pings and responses can flood the spoofed network and deny access for legitimate traffic. This type of attack can be blocked by dropping replies that don’t match requests, as performed by Check Point’s Stateful ICMP. These packets are logged as “Stateless ICMP”.
    24 FTP Bounce
    SmartDefense: FTP bounce attack.
    When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine.
    25 FTP port overflow
    SmartDefense: FTP port overflow attack.
FTP clients send PORT commands when connecting to the FTP server. A PORT command consists of a series of numbers between 0 and 255, separated by commas.
    Block Port Overflow rejects PORT commands that contain a number greater than 255.
    26 FTP known port
    SmartDefense: FTP known port attack.
    When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine.
    By enabling the “FTP Known Port” protection, you can specify whether to allow the FTP server to connect to well-known ports. This provides a second protection against certain FTP bounce attacks. The server will not let the bounce connect to any port running a known service.
    27 FTP Illegal command
    SmartDefense: Blocked FTP Command
    Using the “Blocked FTP Commands” SmartDefense protection, you can select which FTP commands are allowed to pass through the firewall. This log message indicates that SmartDefense detected an attempt to use an FTP command that was not in the list of allowed FTP commands configured by user.
    28 Non TCP flooding
    SmartDefense: Non TCP flooding attack.
    Hackers directly target security devices such as firewalls. In advanced firewalls, state information about connections is maintained in a State table. The State table includes connection-oriented TCP and connectionless non-TCP protocols. Hackers can send high volumes of non-TCP traffic, in an effort to fill up a firewall State table. This prevents the firewall from accepting new connections and results in a Denial of Service [DoS].
SmartDefense can restrict non-TCP traffic from occupying more than a pre-defined percentage of an enforcement point's state table. This eliminates the possibility of this type of attack.
    29 Small PMTU
    SmartDefense: Small PMTU DoS attack.
Small PMTU is a bandwidth attack in which the client fools the server into sending large amounts of data using small packets. Each packet has a large overhead that creates a "bottleneck" on the server.
    30 KaZaa
    SmartDefense: KaZaa blocked/logged due to user policy.
    SmartDefense can block or log Kazaa. Kazaa is a popular Peer to Peer file sharing Protocol, running over TCP port 1214 or over HTTP.
    31 Skype
    SmartDefense: Skype blocked/logged due to user policy.
    SmartDefense can block or log Skype traffic by identifying Skype fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port being used to initiate the peer to peer session. Skype uses UDP or TCP port 1024 and higher or HTTP for peer to peer telephony.
    32 BitTorrent
    SmartDefense: BitTorrent blocked/logged due to user policy.
    SmartDefense can block or log BitTorrent, a file distribution network using Peer to Peer connections. BitTorrent uses ports from within the TCP port 6881 - TCP port 6889 range for file transfer.
    33 eMule
    SmartDefense: eMule blocked/logged due to user policy.
    SmartDefense can block or log eMule, a popular Peer to Peer Protocol, used by various Peer to Peer clients, such as eMule, iMesh and others.
34 Gnutella
SmartDefense: Gnutella blocked/logged due to user policy.
    SmartDefense can block or log Gnutella, one of the most popular Peer to Peer protocols, used by applications such as Gnutella, BearShare, Shareaza, Morpheus and iMesh.
    35 ICQ
    SmartDefense: ICQ blocked/logged due to user policy.
    SmartDefense can block or log ICQ traffic by identifying ICQ's fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port that is being used to initiate the peer to peer session. ICQ uses TCP port 5190 to connect. File transfer and sharing is done through TCP port 3574/7320.
    36 Messenger
    SmartDefense: Yahoo Messenger blocked/logged due to user policy.
SmartDefense can block Yahoo! Messenger traffic by identifying fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port that is being used to initiate the peer to peer session. Yahoo! Messenger uses TCP port 5050 and TCP port 80 for messaging, TCP port 5100 for video, TCP port 5000 for voice and TCP port 5010 for file transfer.
    37 Packet too small
    SmartDefense: IP packet is too small.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected an IP packet that is too small to be valid.
    38 Length mismatch
    SmartDefense: IP packet validation failed due to wrong length.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a corrupt or invalid IP packet with an invalid length field.
    39 Port 0
    SmartDefense: Connection to Port 0.
    Port 0 is not a legitimate destination port for TCP and UDP packets. If SmartDefense detects a packet with the destination port of 0, the packet is dropped and logged as “Port 0”.
    40 Small TCP offset
    SmartDefense: Invalid TCP packet.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid TCP offset field.
    41 Large TCP offset
    SmartDefense: Invalid TCP packet.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid TCP offset field.
    42 source IP
    SmartDefense: Invalid source IP address.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a packet with an invalid source IP address, such as a multicast address, a broadcast address, or a loopback address.
    43 TCP options
    SmartDefense: TCP options are invalid.
    SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid set of TCP options.
    44 IGMP packet
    SmartDefense: IGMP packet is truncated.
IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates the detection of an IGMP packet that is too short to be valid.
    45 IGMP TTL is not 1
    SmartDefense: IGMP Time To Live must be 1.
    IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates an IGMP packet that had a TTL (Time to Live) value other than 1.
    46 IGMP to unicast IP
SmartDefense: IGMP to Unicast IP addresses is invalid.
IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates that an IGMP packet was sent to a unicast IP address.
    47 mismatch
    VPN: A cleartext packet was received from an IP address in the encryption domain.
    This log message indicates that a packet was received in clear text, when it was expected to be encrypted. This may either indicate an unauthorized attempt to access your VPN network, or a problem in your VPN setup which caused the two peers in a VPN link to disagree on which packets should be encrypted.
    48 CIFS password buffer overrun
    SmartDefense: Microsoft File Sharing attack.
A worm is a self-replicating malware [malicious software] that propagates by actively sending itself to new machines. CIFS, the Common Internet File System, sometimes called SMB, is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation.
    58 Host port scan
    SmartDefense: Host Port Scan detected.
This log message indicates that a Host Port Scan was detected. A host port scan is directed at a specific host or network. A scan can determine which services a host offers. For example, a host port scan could discover that a certain host has TCP ports 23, 25, and 110 open, meaning it offers the Telnet, SMTP, and POP3 services, respectively.
    59 IP sweep scan
    SmartDefense: IP Sweep scanning detected.
This log message indicates that an IP address sweep Scan was detected. An IP Sweep Scan looks for a specific open port and determines which hosts are listening in on that port. For example, IP Sweep Scans are used by network worms trying to find machines to which they can propagate themselves. For example, the Blaster worm looks for the RPC service, searching the entire network looking for that single open service.
    60 CIFS Worm
    SmartDefense: A worm is trying to spread via Microsoft File Sharing.
A worm is a self-replicating malware [malicious software] that propagates by actively sending itself to new machines. CIFS, the Common Internet File System, sometimes called SMB, is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation.
    63 HTTP Worm Catcher
    SmartDefense: A worm is trying to spread via HTTP.
    A worm is a self-replicating malware [malicious software] that propagates by actively sending itself to new machines. Some worms propagate by using security vulnerabilities in the HTTP protocol. This SmartDefense protection allows you to detect and block worms based on pre-defined patterns.
    Barry J. Stiefel ("Stee-ful" or "Shtee-ful")
    B.S., MBA, CCSA/CCSE/CCSE+/CCSI
    Resilience RCSE/RCSI, Fortinet FCSE
    CISSP, MCSE, NSA ISM
    Founder of CPUG
    Founder of CPUG University
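The three FTP protections listed above (24 FTP Bounce, 25 FTP port overflow, 26 FTP known port) all hinge on parsing the client's PORT command. The following is an added example, not code from the post or from Check Point: it parses a PORT command the way the post describes it (six comma-separated numbers, each 0 to 255) and returns the log reasons a gateway would raise. The "well-known port" cutoff of 0 to 1023 and the reason strings are assumptions for the example; the sample commands and client address are constructed.

```python
"""Added example: FTP PORT command checks modelled on the SmartDefense
'FTP Bounce', 'FTP port overflow' and 'FTP known port' protections.
Not Check Point code; constructed inputs only."""
from ipaddress import IPv4Address

# Assumption for the example: "well-known" services live on ports 0..1023.
WELL_KNOWN_MAX = 1023


def parse_port_command(line):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (IPv4Address, port).

    Raises ValueError with the log reason when the command is malformed.
    A number greater than 255 (or negative) is the 'port overflow' case.
    """
    verb, _, args = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = args.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError("PORT fields must be integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("FTP port overflow")
    ip = IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return ip, port


def inspect_port_command(line, client_ip, allow_known_ports=False):
    """Return the list of log reasons for a PORT command sent by client_ip.

    An empty list means the command would be allowed. A PORT that names an
    address other than the client's own is the bounce case; a data port at or
    below WELL_KNOWN_MAX is the known-port case unless explicitly allowed.
    """
    try:
        ip, port = parse_port_command(line)
    except ValueError as err:
        return [str(err)]
    reasons = []
    if ip != IPv4Address(client_ip):
        reasons.append("FTP bounce attack")
    if not allow_known_ports and port <= WELL_KNOWN_MAX:
        reasons.append("FTP known port attack")
    return reasons


if __name__ == "__main__":
    # Constructed sample session: the client is 192.168.1.10.
    client = "192.168.1.10"
    for cmd in ("PORT 192,168,1,10,4,1",    # own address, port 1025: allowed
                "PORT 10,0,0,5,4,1",        # third-party address: bounce
                "PORT 192,168,1,10,0,25",   # own address but port 25: known port
                "PORT 192,168,1,10,4,300"): # 300 > 255: port overflow
        print(f"{cmd:28s} -> {inspect_port_command(cmd, client) or 'allow'}")
```

Because the overflow check happens during parsing, a command that both overflows and names a third-party address is reported only as an overflow; the gateway never gets as far as computing the address for it.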

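Several of the Layer 3/4 reasons in the list above (5 LAND Attack, 39 Port 0, 42 source IP, 45 IGMP TTL is not 1, 46 IGMP to unicast IP) are simple header checks. The block below is an added example, not code from the post or from Check Point, that applies those checks to a minimal packet representation and returns the matching log reasons. The Packet class, the sample packets and the reason strings are constructed for the example; the invalid-source rule follows the post's own list (multicast, broadcast, loopback).

```python
"""Added example: packet-sanity checks modelled on the SmartDefense log
reasons 'LAND Attack', 'Port 0', 'Invalid source IP address',
'IGMP TTL is not 1' and 'IGMP to unicast IP'. Not Check Point code."""
from dataclasses import dataclass
from ipaddress import IPv4Address

# IANA protocol numbers for the protocols the checks care about.
PROTO_ICMP, PROTO_IGMP, PROTO_TCP, PROTO_UDP = 1, 2, 6, 17
TCP_SYN = 0x02  # SYN bit in the TCP flags byte

BROADCAST = IPv4Address("255.255.255.255")


@dataclass
class Packet:
    """Constructed, minimal view of the header fields the checks need."""
    src: str
    dst: str
    proto: int
    ttl: int = 64
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0


def invalid_source(addr):
    """A packet can never legitimately originate from a multicast,
    limited-broadcast or loopback address."""
    ip = IPv4Address(addr)
    return ip.is_multicast or ip.is_loopback or ip == BROADCAST


def sanity_check(pkt):
    """Return the log reasons raised for pkt; an empty list means it passes."""
    reasons = []
    if invalid_source(pkt.src):
        reasons.append("Invalid source IP address")
    if pkt.proto in (PROTO_TCP, PROTO_UDP) and pkt.dport == 0:
        reasons.append("Port 0")  # port 0 is never a legitimate destination
    if (pkt.proto == PROTO_TCP and pkt.tcp_flags & TCP_SYN
            and pkt.src == pkt.dst and pkt.sport == pkt.dport):
        reasons.append("LAND Attack")  # SYN whose source equals destination
    if pkt.proto == PROTO_IGMP:
        if pkt.ttl != 1:
            reasons.append("IGMP TTL is not 1")  # IGMP must stay link-local
        if not IPv4Address(pkt.dst).is_multicast:
            reasons.append("IGMP to unicast IP")
    return reasons


if __name__ == "__main__":
    # Constructed sample packets, one per log reason plus a clean one.
    samples = [
        Packet("10.0.0.1", "10.0.0.2", PROTO_TCP, sport=40000, dport=80, tcp_flags=TCP_SYN),
        Packet("10.0.0.2", "10.0.0.2", PROTO_TCP, sport=139, dport=139, tcp_flags=TCP_SYN),
        Packet("224.0.0.1", "10.0.0.2", PROTO_UDP, sport=53, dport=0),
        Packet("10.0.0.3", "224.0.0.1", PROTO_IGMP, ttl=1),
        Packet("10.0.0.3", "10.0.0.2", PROTO_IGMP, ttl=64),
    ]
    for p in samples:
        print(f"{p.src:>12} -> {p.dst:<12} proto={p.proto:<2} "
              f"{sanity_check(p) or 'pass'}")
```

The checks are independent, so one packet can carry several reasons, which matches the list's style of logging each failed check by name rather than a single generic drop.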
  19. #19
    Join Date
    2006-02-02
    Location
    Czech Republic
    Posts
    41
    Rep Power
    0

    Default Re: UTM-1 Edges - FAQ - VPN clients

    Dantro,

    thank you very much for the great FAQ!

    Could you please update the VPN clients question?
Quote Originally Posted by dantro
    Q: Which VPN Clients are supported to remotely connect to UTM-1 Edges?
    A: Check Point SecuRemote/SecureClient and Check Point Endpoint Discovery VPN Client (EA).
    Since version 8.1 the Check Point Embedded firmware supports also Check Point Endpoint Connect.
On the other hand, I did not know about support for the Discovery client. Is there a special build of Embedded firmware to support the Discovery VPN client?

    Edit:
    A while ago I discovered this post about Discovery by PhoneBoy:
Quote Originally Posted by PhoneBoy
    Discovery will also connect with gateways that support Endpoint Connect, though you will not get the Discovery-specific features unless you connect with a Discovery-enabled gateway (currently R65 HFA 60 with a patch). I confirmed with R&D their plans to expand support for additional gateway versions in the very near term.
Is this the case for Embedded firmware?

    Regards, pabouk
    Last edited by pabouk; 2010-08-06 at 06:37. Reason: added new findings

  20. #20
    Join Date
    2005-08-11
    Location
    San Francisco, CA
    Posts
    1,395
    Rep Power
    14

    Default Re: UTM-1 Edges - FAQ - VPN clients

Quote Originally Posted by dantro
Thanks, I added the Endpoint Connect client and referenced the 8.1 release notes. You could simply try out the Discovery client yourself. It's been EA for a long time. Just download it.
    Thanks for the excellent FAQ, Danny.
    Barry J. Stiefel ("Stee-ful" or "Shtee-ful")
    B.S., MBA, CCSA/CCSE/CCSE+/CCSI
    Resilience RCSE/RCSI, Fortinet FCSE
    CISSP, MCSE, NSA ISM
    Founder of CPUG
    Founder of CPUG University
