7th March 2011, 03:11 PM
danjun
UTM-1 Edge FAQ


SofaWare Embedded! UTM-1 EDGE FAQ
Author: Danny Jung

CCSA/CCSE/CCSE+/CCMSE+VSX
CCEPA/CCEPE/CCMA Written
CCSI


!! ATTENTION !!
UTM-1 Edge Appliances are no longer actively developed! The new 1100 Appliance is its successor as Check Point's new entry level enterprise NGF appliance.


Q: What is the official product site?
A: Check Point Software: UTM-1 Edge Appliance

Q: Where can I find the partner resources?
A: Product Highlight: UTM-1 Edge Appliance

Q: Where can I find the official datasheets?
A: Check Point UTM-1 Edge N Datasheet
A: Check Point UTM-1 Edge N Industrial Datasheet

Q: Where can I find a demo setup?
A: Check Point UTM-1 Edge W ADSL DEMO

Q: Where can I find related discussion forums?
A: At SofaWare, CPShared or Check Point.

Q: Where can I find the SofaWare FAQ?
A: Check Point SofaWare FAQ

Q: Where can I find the online help system?
A: At UTM-1 Online Help 8.2.

Q: What is the capacity of a UTM-1 Edge X appliance?
A: SPI Firewall throughput: 190 Mbps
A: VPN throughput: 35 Mbps
A: Concurrent connections: 5,000
A: Normal User Profiles (Non-VPN): No limitation in numbers but in memory usage (can use RADIUS for more users)
A: RemoteAccess VPN Profiles: 25
A: Site-to-Site VPN Profiles: up to 15
A: Security Associations (SAs): max. 100 (Remote Access and Site-to-Site VPN)

Q: What is the capacity of a UTM-1 Edge N appliance?
A: SPI Firewall throughput: 1000 Mbps
A: VPN throughput: 200 Mbps
A: Concurrent connections: 60,000
A: Normal User Profiles (Non-VPN): No limitation in numbers but in memory usage (can use RADIUS for more users)
A: RemoteAccess VPN Profiles: Unlimited
A: Site-to-Site VPN Profiles: up to 15
A: Security Associations (SAs): max. 400 (Remote Access and Site-to-Site VPN)

Q: Which series should I buy?
A: The UTM-1 Edge N Series replaces the UTM-1 Edge and Safe@ X Series for the Unlimited/32/16 user models. The last order date for the X Series product will be January 1, 2011. (sk55061)
Last Order Date: January 1st 2011 only for models 16/32/Unlimited. UTM-1 Edge X series for 8 users will continue to sell after January 1st, 2011.

Q: What is the End of Support date for the X series?
A: May 31st, 2015.

Q: Who uses UTM-1 Edges?
A: Companies using a Wireless Distribution System (WDS) with roaming for their in-house wifi connectivity.
A: ISPs to provide broadband, IP TV and VoIP services.
A: Stadiums collecting bets with handheld wifi devices roaming around the stadium.
A: Car manufacturers using industrial Edges, utilizing bridge mode protecting mission critical computers.
A: Remote & Branch Offices with backup internet connections.
A: Home- and Teleworkers (Network access control and remote administration)
A: Managed Services Providers with Large Scale Management
A: Banks who connect their branch offices
A: Companies who connect ATMs either to a GPRS modem or to an Ethernet connection.

Q: Who should NOT use UTM-1 Edges?
A: Admins looking for good traffic performance rates.
A: Admins that have to build complex VPN setups.
A: Admins that are looking for advanced monitoring capabilities.
A: Admins that need to manage advanced RemoteAccess situations or that are looking for Desktop Security Policies.
A: Admins that want to configure customized scripts or behaviours on their firewall appliance.
A: Simply everyone who expects that a simple and cheap embedded all-in-one appliance could act like a real server.

Q: How many UTM-1 Edges are sold per year?
A: SofaWare sold around 50,000 embedded devices in 2007.

Q: Which VPN Clients are supported to remotely connect to UTM-1 Edges?
A: Check Point SecuRemote/SecureClient and Check Point Endpoint Discovery VPN Client (EA).
A: Firmware version 8.1 also introduced support for Check Point's Endpoint Connect™ VPN client.

Q: Where should I start managing my UTM-1 Edge?
A: Check Point offers an Admin Guide for your first steps in UTM-1 Edge management.

Q: Which model should I buy?
A: That depends on your requirements. ALWAYS buy a model that has USB ports. These models do:
# UTM-1 Edge XW
# UTM-1 Edge NW
# UTM-1 Edge X ADSL
# UTM-1 Edge N ADSL
# UTM-1 Edge XW ADSL
# UTM-1 Edge NW ADSL
# UTM-1 Edge X Industrial
# UTM-1 Edge N Industrial

Q: Which firmware is recent? - September 10, 2013
A: 8.2.59 (General Availability)

Q: Are there different firmwares available?
A: Yes. UTM-1 Edge X appliances which have an ADSL modem integrated require a different firmware.

Q: Which variants does the recent firmware version consist of?
A: n8.2.59n.img is for regular units of the recent N-series to be uploaded via GUI
A: x8.2.59x.img is for regular units of the old X-series to be uploaded via GUI
A: 8.2.59x.tftp is for regular units of the old X-series to be uploaded via TFTP (turn Windows Firewall off)
A: 8.2.59n.tftp is for regular units of the recent N-series to be uploaded via TFTP (turn Windows Firewall off)
A: a8.2.59.firm is for ADSL and Industrial units of the old X-series to be uploaded via GUI
A: a8.2.59_backup.firm is for ADSL and Industrial units of the old X-series to be uploaded via TFTP (turn Windows Firewall off)
A: ab8.2.59ab_backup.firm is for ADSL units of the old X-series to be uploaded via TFTP (turn Windows Firewall off)
A: 8.2.59_debug_x.img is for regular units of the old X-series to be uploaded via GUI
A: 8.2.59_debug_a.firm is for ADSL and Industrial units of the old X-series to be uploaded via GUI
A: 8.2.59_debug_n.firm is for regular units of the recent N-series to be uploaded via GUI

Q: Do Safe@Office appliances require a different firmware than UTM-1 Edges?
A: No. Both are using the same firmware.

Q: Any extra special firmwares?
A: 7.5.55_w6x.img has the long awaited WLAN-Client functionality. This function will be officially implemented in firmware version 9.
A: SofaWare offers a unique firmware on request if you want to use BGP (see release notes).

Q: Which DSL-modem firmware is recent?
A: SW2.0.11 (General Availability)

Q: Which variants does the recent DSL-modem firmware version consist of?
A: SW2.0.11ab_pri.firm is for all ADSL units uploaded via GUI (installs as primary firmware)
A: SW2.0.11a_pri.firm is for ADSL (Annex A) units uploaded via GUI (installs as primary firmware)
A: SW2.0.11b_pri.firm is for ADSL (Annex B) units uploaded via GUI (installs as primary firmware)
A: SW2.0.11a_sec.firm is for ADSL (Annex A) units uploaded via GUI or TFTP (also installs as backup firmware)
A: SW2.0.11b_sec.firm is for ADSL (Annex B) units uploaded via GUI or TFTP (also installs as backup firmware)

Q: Are there different DSL-firmwares available?
A: Yes. There is one firmware for Annex A and one for Annex B. Also there is a SW2.0.*_pri.firm (primary) and a SW2.0.*_sec.firm (secondary) firmware. Both can be installed via the Web-GUI. The primary firmware will update the firmware the UTM-1 Edge is using at startup. The secondary firmware will update the backup firmware to which the UTM-1 Edge reverts after a factory reset.

Q: Any important things to know about when working with an ADSL-Edge?
A: Enter the following command on your ADSL-Edge before using it: set port adsl auto-sra mode disabled
This will prevent it from reestablishing the DSL connection every 1h14sec. (sk32922)

Q: My UTM-1 Edge ADSL is fully configured and connected to the DSL line. It still shows "No sync" and the DSL light is continuously blinking.
A: Make sure that your primary internet connection is correctly configured for your ADSL port. Choose PPPoE as connection type and ADSL2/ADSL2+ as DSL standard. Ask your ISP for the correct VPI/VCI numbers and the encapsulation type. If your DSL splitter doesn't come with RJ-11 outputs, use an RJ-11 line socket adapter which has a microfilter built in. In some cases SofaWare already packages ADSL appliances with RJ-11 line socket adapters. Check the contents of your package for it. Always use the original cables from SofaWare to connect your appliance.

Q: My UTM-1 Edge ADSL is working just fine. After updating the firmware of my UTM-1 Edge ADSL the appliance is restarting, however it can't establish the DSL-connection anymore and says 'DSL modem could not be initialized'. Sometimes it even reverts back to its backup firmware after trying for too long to establish a DSL-connection. What is the problem?
A: The newer firmware has updated routines to talk to the integrated DSL modem. A simple restart of the appliance after a firmware update may sometimes result in this issue. Just power down your UTM-1 Edge appliance for 20 seconds after the firmware update is completed. Power it up again and your DSL connection issue should be gone.

Q: Any important things to know about when working with Edges in general?
A: Always make sure that your libsw libraries are at the same or a higher version than your UTM-1 Edge firmwares. Don't install your security policy to more than ten Edges at a time.

Q: How do I backup and restore using a USB Flash Drive?
A: Embedded NGX 8.x allows backing up the appliance configuration, security policy, and certificate to USB flash drives. You can then restore the appliance settings from the USB flash drive as needed. Backup and restore operations are performed by inserting the USB flash drive into the Embedded NGX appliance’s USB port, and then running the Backup/Restore Wizard in the Setup > Tools page.

Q: How does Rapid Deployment using a USB Flash Drive work?
A: Embedded NGX appliances are shipped with a specific firmware and group of settings that represent the appliance's default state. When installing a new appliance, you can configure different settings and install new firmware versions as needed; however, this can be time-consuming. Embedded NGX 8.0 rapid deployment avoids this hassle, by allowing you to load the desired firmware, configuration, security policy, and certificate from a USB flash drive during product initialization. Rapid deployment can be used on individual appliances at the customer site, or on multiple appliances before they leave the warehouse. Before performing a rapid deployment, it is necessary to prepare the USB flash drive. For each appliance you want to deploy, you must create a folder named after the appliance’s MAC address, and then add the desired configuration files to the folder. Rapid deployment is performed by pressing the RESET button at the back of the appliance, and then inserting the USB flash drive into the Embedded NGX appliance’s USB port. The appliance will automatically load the settings from the relevant folder on the USB flash drive.

Q: The PWR/SEC LED on my UTM-1 Edge is sometimes blinking red. Is my firewall appliance damaged?
A: No. It's probably just showing you that it successfully blocked an unwanted connection.

PWR/SEC LED Statuses:
On (Green) .. Normal operation
On (Red) .. Error
Flashing quickly (Green) .. System is booting up
Flashing slowly (Green) .. Establishing Internet connection
Flashing (Red) .. Blocked connection
Off .. UTM-1 Edge is powered off

Q: If I hard-reset my UTM-1 Edge, will I also lose my DSL firmware?
A: Yes. It will be reset to factory-default.

Q: Can I avoid this?
A: Yes. All firmwares are available as primary and secondary (i.e. backup) firmware. Usually you only install the primary firmware. Installing the backup firmware will set this one as backup instead of the factory default when you do a reset.

Q: What are the TFTP firmwares good for?
A: They can be used to update the UTM-1 Edge locally and to update the backup firmware. To do this, just power down your Edge. Power it up while the reset button is pressed. The PWR/SEC light will now be continuously red. Change the IP address of your host to 192.168.10.2/24. Now you should be able to ping the UTM-1 Edge via 'ping 192.168.10.1'. If that works, you can start to transfer the .tftp firmware via 'tftp -i 192.168.10.1 put filename.tftp'. The PWR/SEC light will start blinking red. After your UTM-1 Edge has restarted successfully, your appliance will be running the new firmware, which is also the new default firmware.

Q: Where do I get these firmwares?
A: From your official support sites. Either Check Point or SofaWare.

Q: What does a UTM-1 Edge look like?
A:

Q: Some of my Edges are heating-up and become quite hot.
A: SofaWare's appliances don't come with a built-in cooling fan. They are intended to be placed in cooler locations like server rooms with no direct solar radiation. If you can't provide this, buy an external cooling fan to keep your Edge at a normal temperature. Otherwise you might run into outages of your network ports. You can use the built-in USB ports to power external cooling fans.


Q: Which web browser should I use to manage my UTM-1 Edges?
A: Internet Explorer only, where applicable. Firefox still has some issues, especially when you export the configuration to a .cfg file. Safari has a problem with uploading new firmware images.

Q: Where to look on my Edge to troubleshoot it?
A: http://my.firewall/pop/Diagnostics.html
A: http://my.firewall/vpntopob.html Older firmwares (7.0.x and below) use http://my.firewall/vpntopo.html
A: https://my.firewall/dnstopo.html Not available in newer firmwares (7.5+)
A: http://my.firewall/Log.html
A: http://my.firewall/Ports.html

Q: Any further troubleshooting guidelines?
A: Sure. Check Point offers a VPN-1 UTM Edge ATRG (Revised: October 22, 2007).

Q: What is the correct UTM-1 Edge RMA (Return Material Authorization) procedure?
A: Please check this official site and troubleshooting steps first. (sk31919)

Q: How to connect to the serial console of my UTM-1 Edge X appliance?
A: Connect the RJ-45 (RS-232) port of your appliance to the COM port of your host. A RJ-45 to DB9 converter is part of your appliance. Use the following settings for your terminal client.

Baud rate: 57600
Data: 8 Bit
Parity: None
Stop: 1 bit
Flow control: None

Q: How to connect to the serial console of my UTM-1 Edge N appliance?
A: Connect the RJ-45 (RS-232) port of your appliance to the COM port of your host. Use the following settings for your terminal client.

Baud rate: 115200
Data: 8 Bit
Parity: None
Stop: 1 bit
Flow control: None

Q: Can I disable SmartDefense checks on my UTM-1 Edge?
A: Not all of it. You can go through the Smartdefense wizard and set it to Minimal or go through all settings and set them to 'None'. In centralized management you can also check 'Do not apply SmartDefense on this gateway' within 'SmartDefense > Profile Assignment' of your VPN-1 UTM Edge Gateway object.

Q: Any in-depth debugging options?
A: Sure. Check Point also offers a debugging firmware. It will provide you with the 'debug' command at the command shell of your UTM-1 Edge. The 'debug' command lets you activate more logging features. Set up an internal syslog server and configure it on your UTM-1 Edge appliance. Recreate the issue you want to debug. Check the log of your syslog server. The WebGUI also provides you with a packet sniffer. It will generate an output file which can be analyzed in Wireshark (formerly known as Ethereal).

On your SmartCenter Server (which also runs the Service Center for your Edges) edit the SofawareLoader.ini file. Find the DebugLevel line in the [LOG] section and change it to either Debug or Info. To run SofaWareLoader manually and compile the policy on the command line, run: fwm load -S -M -l41 policy_name.W <Edge>
After you finished debugging roll back the debug level.

Q: Any hidden/undocumented pages?
A: Yes. http://my.firewall/pub/test.html

Q: I've upgraded my SmartCenter Server to NGX (R65). Now policy installation on the Embedded Edge Connector fails.
A: Install the latest libsw (SofaWare Libraries) and read this SecureKnowledge Base article: (sk33821)

Q: I can't create an Embedded Edge object (Edge Profile) within SmartDashboard?
A: On your SmartCenter Server change the attribute of support_sofaware_profiles in $FWDIR/conf/objects_5_0.C to true and read this SecureKnowledge Base article: (sk30389)

Q: My UTM-1 Edge is set up for centralized management. However, when connecting it to the Service Center it says:
Connection Refused: This UTM-1 Edge is not registered to the Service Center.
A: You are most likely using a UTM-1 Edge X ADSL or another series of the standard UTM-1 Edge X appliance. In SmartDashboard the default type of your VPN-1 UTM Edge Gateway object is 'VPN-1 UTM Edge X Series'. Make sure the type matches the series of your appliance.

Q: My UTM-1 Edge does not establish any of the centrally configured VPN tunnels and 'Reports > Tunnels > VPN Topology' is empty. It is set up for centralized management and Service Center is: Connected
A: Navigate to 'VPN > VPN Site' and enable your Enterprise Site-to-Site VPN. Now your VPN topology should contain an Enterprise folder.

Q: I can install the Security Policy for my UTM-1 Edge on SmartCenter Server. However, it takes some time until the policy is active.
A: This is the normal behaviour. You are installing the policy to the Embedded Edge Connector on your SCS. By default, the Edge asks every 20 minutes for an updated policy, firmware version and other settings. This can be changed in SmartDashboard > Global Properties on your SCS.

Q: How can I stop/start the Embedded Edge Connector on my SmartCenter Server?
A: smsstop/smsstart will do that for you.

Q: I want to push a Security Policy directly onto my UTM-1 Edge. Is this possible?
A: Yes. Purchase Check Point SmartLSM (Large Scale Manager).

Q: SmartView Monitor does not show the correct status of my UTM-1 Edge appliance?
A: This is by design of the product. Your UTM-1 Edge appliance connects to the Service Center every 20 minutes (default). If authentication to the Service Center was successful, it will start to retrieve available firmware or policy updates. For UTM-1 Edge appliances with dynamic IP addresses the Service Center also remembers the last known IP (for handling VPN connections configured in Simplified Mode and for use with SmartView Monitor and SmartLSM). So SmartView Monitor does not check your UTM-1 Edge appliance for availability; instead it asks the Service Center whether the UTM-1 Edge has connected recently (within the last 60 minutes). If it has, SmartView Monitor will show 'OK' as the status for your appliance, even if it is actually unreachable or disconnected. As long as a UTM-1 Edge appliance has not connected to the Service Center for the first time, its status is 'Disconnected'.

Q: After setting up Management-HA I'm receiving an error 'Failed to obtain Edge packages' when I want to manually synchronize my primary SmartCenter Server with my secondary one?
A: Just open SmartUpdate and delete all firmware packages from the package repository. Manual synchronisation should then succeed. Afterwards add the firmware packages to the package repository again.


Q: After upgrading my SmartCenter server or adjusting host entries on it, the SMS process/Embedded Edge Connector fails to load, displaying the error: "Can't contact database".
A: Move/Add the following entry to the last line of /etc/hosts. (sk33168)
127.0.0.1 localhost.localdomain localhost


Q: My exported UTM-1 Edge configuration file just contains the following line: [700002] object not found
A: Set your UTM-1 Edge appliance via 'Setup > Tools > Factory Settings' back to factory defaults. Then manually enter your configuration data again.

Q: How can a firmware update be performed?
A: Either locally via the WebGUI of your UTM-1 Edge or centrally within SmartUpdate of your Edge. Just upload a firmware to the package repository and attach it to your Edge. It will then retrieve this firmware directly from your SCS when it checks for updates the next time.

Q: After I upgraded the firmware locally my UTM-1 Edge reverts back to the old one?
A: If the UTM-1 Edge is centrally managed it will always try to install the firmware that was distributed for it within SmartUpdate. Upload the firmware to the package repository of SmartUpdate instead and distribute it for your UTM-1 Edge. It will then install the new firmware automatically.

Q: How may I check if my UTM-1 Edge is retrieving a firmware update?
A: In the 'Setup' menu, go to 'Tools > Diagnostics'. A diagnostics window will pop up. Scroll down to the 'Downloading firmware' row. If a firmware is currently being downloaded you'll see a percentage of the data received.

Q: Since using UTM-1 Edges I encounter high latencies. Users are complaining.
A: You are most likely using a central security policy that is not Edge-conform. This means that every security policy with a UTM-1 Edge as policy installation target will be compiled into a binary file by your Embedded Edge Connector. The binary file is then retrieved by the Edge and contains the compiled security and NAT policy. The Embedded Edge Connector works differently than the INSPECT Engine by Check Point. Therefore you should be very careful with centrally configured rules for UTM-1 Edges.

Create a new policy just for all your UTM-1 Edges. Make sure all rules in your security and NAT policy contain a specific policy installation target. Also always choose specific policy installation targets under "Policy > Policy Installation Target" of your SmartDashboard. Don't use 'Any' in any of your rules for your Edges. Use negated objects instead. Try to use manual NAT rules only for your Edges. Automatic NAT rules may not be compiled correctly. Port mappings are even better than manual NAT rules. Uncheck "Support IP compression" in the advanced VPN properties of your VPN community. Check "One VPN tunnel per Gateway pair" in the tunnel management settings of your VPN community to keep the required Security Associations (SAs) as low as possible.

After you have installed a policy to your Edge, check locally on your Edge that the NAT rules are installed exactly as you configured them centrally. If not, change your NAT rules and install the policy again. Use dynamic objects where possible and avoid groups by all means. This is simply to prevent your Embedded Edge Connector from doing something wrong. If your latency is still high, check whether it gets better when disconnecting the Edge from its Service Center. If it does, try to manage your Edge locally where applicable.

Q: Where can I see which rules are applied by the UTM-1 Edge in centralized management?
A: Enter this command at the console or under 'Setup > Tools > Command' in the GUI: info fw rules

Q: What should I define for Management Access (Setup > Management) ?
A: 'Internal Networks' or 'Internal Networks + IP Range' only. Never set it to 'ANY'. Never. Otherwise malicious scripts will soon try to work off password lists on your UTM-1 Edge. Even on the management port 981!

Q: Why is it so different to configure and manage UTM-1 Edges centrally, compared to other Check Point firewall gateways?
A: Always bear in mind that UTM-1 Edges were primarily designed as standalone firewall gateways. They will not turn into a fully enterprise managed firewall when connected to a Service Center. The 'Service Center' is a so called Embedded Edge Connector that is running on your SmartCenter Server. It's a different process with a different compiler (SofaWare engine). All this results in a unique behaviour that is 'by design' of the product and by experience of the programmers and end users. UTM-1 Edges are a product of SofaWare, a Check Point company. However, they are developed with another focus and receive functionality upgrades and changes faster than Check Point can reflect them in their firewall management software. Also they are the only centrally managed firewall gateways to which you can't apply configuration settings (like interface configurations). Newer functions of recent firmwares (such as dynamic routing) can't be configured and managed centrally at all. Also local security rules take precedence over rules configured by the central management.

Q: Are the default rules configured by the security levels of the UTM-1 Edge appliance still applied when it is connected to SmartCenter Server?
A: No. When your appliance is managed by SmartCenter, the centrally configured security policy replaces the local default security policy. The local security level is set to 'High' and cannot be changed.

Q: While using a centrally configured security policy my UTM-1 Edge appliance behaves like the local default rules would still apply?
A: This is a default setting on the SmartCenter Server. Go to 'Global Properties > SmartDashboard Customization > Configure... > VPN-1 UTM Edge/Embedded Gateway' and uncheck 'sofaware_stealth'. This prevents connections from internal networks to the SofaWare Gateway from being accepted by default.

Q: I can't seem to manage my UTM-1 Edges on my Nokia IPSO based SmartCenter Server?
A: That's not supported as the Embedded Edge Connector doesn't run on IPSO. [Link]
Check Point writes "UTM-1 Edge devices cannot be managed from a SmartCenter server running on a Nokia IPSO platform."

Q: Why do VPN connections to remote sites using UTM-1 Edges (configured as DAIP gateways with dynamic IP address) sometimes fail?
A: When a UTM-1 Edge changes its IP address, the Corporate Office gateway does not detect the IP address change until the UTM-1 Edge reports it to the Service Center. The default value for this periodic status update is 20 minutes (SmartDashboard > Policy > Global Properties > VPN-1 UTM Edge Gateway > General Configuration). Check Point recommends configuring permanent VPN tunnels for each VPN community containing DAIP UTM-1 Edges. This ensures that in case the IP address changes, your UTM-1 Edge will automatically re-establish the VPN tunnel. (sk31477, sk33238)

Q: Why is my permanent VPN tunnel between a Nokia or 3rd party VRRP cluster and UTM-1 Edge shown as down, though it is actually up?
A: Because you are using an old version of Nokia API to determine which cluster member is active or you are using a 3rd party active/active cluster solution. Check Point is providing a HotFix and always recommends to upgrade to the latest firewall version. (sk32515)

Q: Why doesn't my UTM-1 Edge support DynDNS?
A: The missing native support of DynDNS is one of the most mentioned downsides of SofaWare's products. However, Check Point/SofaWare has officially declared that they don't want to compete with Linksys and the like in this field. Their public target is the SOHO user who looks for an all-in-one solution at a reasonable price. A single UTM-1 Edge appliance at the latest firmware replaces the following hardware:
- a 4-port switch
- a dsl modem
- a firewall (including a nat router)
- a viruswall
- a printserver
- a wlan router
- a wlan hotspot
- a dns server
- a web filter
- anti-spam solution

All this on Check Point's scanning engine and with a straightforward management GUI. You haven't seen anything else that competes with this solution, have you? Also UTM-1 Edges are rack-mountable and come with two USB ports to connect cooling fans, printers, LED lights, clocks or whatever, without the need for a dedicated power supply. Not to forget the switching-mode power supply, whose main advantage is a greater efficiency because the switching transistor dissipates little power in the saturated state and the off state compared to the semiconducting state (active region).

Check Point/SofaWare are offering instant help, 24 hours a day within their chat system.

And for using DynDNS: there are free DynDNS clients available that you can just install on an internal host to update your external IP address. So don't decide against UTM-1 Edges just because of this single function.

Q: My Edge is so great, I want to cluster it. Can I?
A: Sure. WAN-HA and Gateway-HA are supported since firmware version 7.x. In central management you should still stay with WAN-HA only. Many tests have been done and WAN-HA can be confirmed working quite well in real-life scenarios.

Q: What to put into consideration when working with UTM-1 Edge clusters?
A:
WAN-HA PRO
- no IP address conflicts because only one GW is connected to the Internet
- only 2 SAs (Security Associations) are required for one VPN tunnel
- only one object needs to be defined and managed in the firewall policy
- works with static IP addresses
- has been successfully tested working in different environments

WAN-HA CONTRA
- the passive node is not connected to the Internet and won't receive updates
  (it will receive the most recent security policy and firmware as soon as it gets active though, so that is not that much of a downside)

Gateway-HA PRO
- all cluster nodes are always connected to the Internet
- all cluster nodes receive policy and firmware updates

Gateway-HA CONTRA
- poor documentation and support by Check Point
- requires 4 SAs for one VPN tunnel (only 100 can be managed per community)?
- two objects need to be defined and managed in the firewall policy
- objects cannot work with static IP addresses; only dynamic IPs
- therefore each node must have a correct DNS entry to get the VPN working
- both cluster nodes issue the virtual cluster IP > risk of IP conflicts

Q: How to establish synchronisation between UTM-1 Edge devices?
A: Select a Sync-Interface under 'Setup > High Availability > Gateway High Availability' and connect the interfaces with a crossover cable. (sk31992)

Q: My primary Edge-Clusternode goes down but my secondary Edge won't get active?
A: This is most likely caused by a Sync-problem. Check the HA-settings and cables.

Q: My primary Edge-Clusternode goes down and my secondary Edge becomes active. However, I cannot connect to Internet.
A: This can be caused by your ISP router, which now sees a different MAC address claiming the same external IP address. If your ISP router is causing the issue, use the MAC cloning feature to hide the secondary Edge behind the MAC address of the primary one.

Q: My UTM-1 Edge is working behind a NAT device or UMTS router. Which ports do I need to open?
A: Open the following ports in the NAT device: UDP 9281/9282, UDP 500, UDP 2746, TCP 256, TCP 264, ESP IP protocol 50, TCP 981.

Q: Which license models are available for UTM-1 Edges?
A: X8 (8 Nodes), X16 (16 Nodes), X32 (32 Nodes), XU (Unlimited Nodes).

Q: Does the hardware differ between these licenses?
A: No. It doesn't even differ between Safe@'s and Edges. The old S8 and X16 models had less memory though.

Q: How will I know if I have reached my node limit?
A: The UTM-1 Edge will show the following message on its Web-GUI: Warning: You are exceeding your node limit! To purchase product upgrades, contact your reseller or service provider. Get an EVAL license (30 days) to provide a quick solution and then order a license upgrade.

Q: I have exceeded my node limit. What does this mean? What should I do?
A: Your Product Key specifies a maximum number of nodes that you may connect to the UTM-1 appliance. The UTM-1 appliance tracks the cumulative number of nodes on the internal network that have communicated through the firewall. When the UTM-1 appliance encounters an IP address that exceeds the licensed node limit, the My Computers page displays a warning message and marks nodes that are exceeding the node limit in red. These nodes will not be able to access the Internet through the UTM-1 appliance, but will be protected. The Event Log page also warns you that you have exceeded the node limit. To upgrade your UTM-1 appliance to support more nodes, purchase a new Product Key. Contact your reseller for upgrade information.

Q: Besides the positive rule numbers for rules downloaded from the SmartCenter or embedded in the default policy, some implied rules are also logged. These have negative rule numbers. What do they stand for?
A: Starting with version 6.0, a "log reason" is sent to SmartView Tracker along with the rule number, which allows reports to be generated on rule numbers while a textual description is still displayed. Below is the complete list of these numbers with the corresponding rules (sk32680):
Rule -1: Stateless ICMP (also in 5.0 versions). ICMP replies that don't match any request, ICMP errors that don't match any active connection, etc.
Rule -4: Anti-Spoofing (also in 5.0 versions). The connection was dropped by the automatic anti-spoofing rules.
Rule -5: Connection matched by a custom rule (a.k.a. "user rule"). This number appears in logs sent to SmartView Tracker starting with version 6.0.
Rule -9: HotSpot. Connection dropped because the user is not yet authenticated on a HotSpot-enabled network.
Rule -10: Encryption mismatch (also in 5.0 versions). Dropped a clear-text packet that should have been encrypted.
Rule -11: TCP out of state (also in 5.0 versions). Logs or drops packets that try to open a connection without the full TCP 3-way handshake.
Rule -12: Land Attack
Rule -13: Ping size exceeds the maximum allowed size
Rule -14: ICMP with null payload
Rule -15: Welchia ICMP worm
Rule -16: Christmas packet (also in 5.0 versions). Packets with too many TCP flags set at once, e.g. SYN and FIN, or SYN and RST.
Rule -17: Cisco IOS DoS attack
Rule -18: Connection exceeds allowed network quota
Rule -19: FTP bounce
Rule -20: FTP port command overflow
Rule -21: FTP port command tried to open a known port
Rule -22: FTP illegal command
Rule -23: KaZaa traffic
Rule -24: Skype traffic
Rule -25: BitTorrent traffic
Rule -26: eMule traffic
Rule -27: Gnutella traffic
Rule -28: ICQ traffic
Rule -29: Yahoo traffic
Rule -30: Short IGMP packet
Rule -31: IGMP packet with bad TTL
Rule -32: IGMP packet not sent to a multicast address
Rule -33: Vertical Port Scan traffic
Rule -34: Horizontal Port Scan traffic
Rule -35: FTP data traffic
Rule -36: ICMP replay attack
Rule -37: TCP reset replay attack
Rule -38: Winny traffic
Rule -39: Packet should not have been encrypted
Rule -40: Msn Messenger traffic
Q: How are nodes counted?
A: Nodes are counted as the number of concurrent IP addresses generating traffic through the firewall. An IP node generates traffic through the firewall when it sends packets to resources outside its own network (the Internet, the DMZ, a secondary logical network, etc.). Devices that only talk to hosts on their own network, such as network printers, switches or access points, are therefore not counted as licensed nodes.

Q: When are nodes released from the node limit counter?
A: An IP node will release its license after 60 minutes of not generating traffic through the firewall. An IP node which released its license is displayed in blue color in the Active Computers page.
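
The two answers above give the counting rules (only traffic that crosses the firewall counts, a node is released after 60 minutes of silence, nodes beyond the limit stay protected but get no Internet). The model below is an added example for this FAQ, not code from SofaWare or Check Point. Handing out slots on a first-come basis and the exact eviction order are assumptions of the model, as are the addresses in the constructed demo scenario.

```python
"""Model of the node-limit counter described in the two answers above (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# FAQ: a node releases its license after 60 minutes without traffic through the firewall.
IDLE_RELEASE_SECONDS = 60 * 60


@dataclass
class NodeCounter:
    """Tracks which internal IP addresses currently hold one of the licensed node slots.

    node_limit is 8, 16 or 32 for the X8/X16/X32 licenses, or None for XU (unlimited).
    Slots are handed out in order of first appearance and released after an hour of
    silence; that ordering and the eviction policy are assumptions of this model.
    """
    node_limit: Optional[int]
    last_seen: dict = field(default_factory=dict)   # ip -> time of last counted packet
    slots: list = field(default_factory=list)       # ips holding a slot, oldest first
    released: set = field(default_factory=set)      # ips shown "in blue": idle for an hour

    def observe(self, src_ip: str, now: float, through_firewall: bool) -> str:
        """Account for one packet from src_ip at time `now` (seconds).

        Returns "not_counted" for traffic that stays inside the node's own network
        (printers, switches, access points), "licensed" when the node holds a slot,
        or "over_limit" when every slot is taken: the node is still protected but
        gets no Internet access.
        """
        if not through_firewall:
            return "not_counted"
        self._expire(now)
        if src_ip not in self.last_seen:
            self.slots.append(src_ip)
            self.released.discard(src_ip)
        self.last_seen[src_ip] = now
        return "licensed" if self._holds_slot(src_ip) else "over_limit"

    def _expire(self, now: float) -> None:
        """Release nodes that have not crossed the firewall for IDLE_RELEASE_SECONDS."""
        for ip, last in list(self.last_seen.items()):
            if now - last >= IDLE_RELEASE_SECONDS:
                del self.last_seen[ip]
                self.slots.remove(ip)
                self.released.add(ip)

    def _holds_slot(self, ip: str) -> bool:
        return self.node_limit is None or self.slots.index(ip) < self.node_limit

    def counted(self) -> int:
        """Concurrent IP addresses generating traffic through the firewall."""
        return len(self.slots)

    def over_limit(self) -> list:
        """Nodes the My Computers page would mark in red."""
        if self.node_limit is None:
            return []
        return self.slots[self.node_limit:]


def demo() -> dict:
    """Walk an appliance with a 2-node limit through a constructed morning of traffic."""
    counter = NodeCounter(node_limit=2)
    results = {
        "pc1": counter.observe("192.168.10.11", now=0, through_firewall=True),
        "pc2": counter.observe("192.168.10.12", now=10, through_firewall=True),
        "pc3": counter.observe("192.168.10.13", now=20, through_firewall=True),
        # a printer only ever answers hosts on its own LAN, so it never crosses the firewall
        "printer": counter.observe("192.168.10.250", now=30, through_firewall=False),
    }
    results["over_limit_at_start"] = list(counter.over_limit())
    # An hour later only pc3 is still talking: pc1 and pc2 are released and pc3 gets a slot.
    results["pc3_after_hour"] = counter.observe("192.168.10.13", now=3660, through_firewall=True)
    results["counted_after_hour"] = counter.counted()
    results["released_after_hour"] = sorted(counter.released)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the scenario: the third PC is over the limit while the first two are active, the printer is never counted, and after an hour of silence the released PCs free their slots for the one that is still sending.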

Q: The time setting on my Edge is always wrong and there are VPN issues.
A: A known problem. Always sync your UTM-1 Edge against a public NTP server. Certificate validity checks and IKE SA lifetimes depend on the clock, so a wrong time shows up first as VPN failures.

Q: I encounter persistent Internet disconnects while using Verizon's FiOS Internet or a Time Warner cable modem. My log shows "Primary Local Area Network (LAN) connection terminated after 1 hour(s), 55 minute(s), 3 second(s)". Is there a solution?
A: Update to the latest available firmware version and disable "Probe Next Hop" under Dead Connection Detection in the Internet setup options. Older firmware misbehaved when RENEWING a DHCP lease. FiOS hands out a lease time of 2 hours, and the UTM-1 Edge dropped all connections for a second every 1 hour, 55 minutes and 3 seconds: once 50% of the lease had elapsed (one hour), the Edge sent a DHCP RENEWAL request every 8 seconds, and those renewals were simply ignored. It kept doing this until the lease was about to expire and then fell back to a full REBINDING, i.e. a complete new address request (DISCOVER/OFFER/REQUEST/ACK). Verizon's DHCP server answered that sequence, but the rebinding is what caused the disconnections: obtaining a new IP address necessarily tears down all existing external connections.

Q: After importing a config file to my UTM-1 Edge, VPN doesn't work anymore.
A: You are most likely using a config file exported from a centrally managed UTM-1 Edge appliance. That file contains the Enterprise Site-to-Site VPN connection as configured on your SmartCenter Server. Since it does not match the VPN configuration of your new UTM-1 Edge appliance, delete that setting.

Q: My UTM-1 Edge says it's successfully connected to a Service Center. It receives new policies, but the Enterprise VPN configuration is always missing.
A: A simple connection refresh via 'Services > Refresh your Service Center connection' won't help. First make sure your network range is allowed to reach the UTM-1 Edge even without a centrally configured security policy: create an explicit access rule directly on the UTM-1 Edge or define your network range as a management network via 'Setup > Management'. Then disconnect the UTM-1 Edge via 'Services > Connect > Uncheck Service Center connection'. In rare cases it was additionally necessary to delete the Edge object from the central VPN configuration, push the policy, and add it back into the VPN configuration/communities. Finally reconnect the Edge to the Service Center by enabling the checkbox for the Service Center connection again. Your Enterprise Site-to-Site VPN connection should now be working.

Q: I have a few spare Edges around me. How can I use them quickly?
A: Login to the SofaWare chat and ask for a 30-day EVAL license.

Q: Are there cheaper models available if I just want to use them at our own company?
A: Yes. There is a NFR (not for resale) model. You can activate it at sofaware.com and use it as an unlimited NFR appliance at your company.

Q: How can I configure remote scripting via SSH?
A: Make sure 'expect' is installed and use this expect script to run any command you like.
Name the script edge_script.sh and run it via: EDGE_PASSWORD='...' expect edge_script.sh "info device"

Code:
#!/usr/bin/expect -f
# Run a single command on a UTM-1 Edge over SSH and print its output.
# The command defaults to "info device" when none is given on the command line.

set HOST     "192.168.10.1"
set LOGIN    "admin"
set COMMAND  "info device"
set timeout  60

if {$argc > 0} { set COMMAND [lindex $argv 0] }

# Take the password from the environment instead of hard-coding it in the script.
if {![info exists env(EDGE_PASSWORD)]} {
    puts stderr "set EDGE_PASSWORD in the environment first"
    exit 1
}
set PASSWORD $env(EDGE_PASSWORD)

# -C compresses the session, -x disables X11 forwarding.
spawn ssh -C -x -l $LOGIN $HOST

# On the first connection ssh asks to confirm the host key. Verify the fingerprint
# out of band before answering yes; better, add the Edge to known_hosts beforehand
# so the "fingerprint" branch is never taken.
expect {
    "fingerprint" {
        send "yes\n"
        expect "word: $"
        send "$PASSWORD\n"
    }
    "word: $" {
        send "$PASSWORD\n"
    }
    timeout {
        puts stderr "no login prompt from $HOST within $timeout seconds"
        exit 1
    }
}
expect ">"
send "$COMMAND\n"
expect ">"
send "exit\n"
expect eof
Q: Where do I get support?
A: From your service provider. Check Point also maintains a Chat for simple support questions. If you ask SofaWare politely (and if you are not using a centrally managed Edge) you might also get support within their Chat system.

Q: Can I add more features to my UTM-1 Edge?
A: Yes. SofaWare offers these accessories.

Q: I want to put two UTM-1 Edges into a 19" rackmount kit and work with them like a pro. How to do this at best?
A: Buy the official SofaWare Rackmount Kit, two Industrial Edges and two 12V DC Power Supplies.

Q: The Web GUI of two Edges running the same firmware shows different settings (like stats for LAN ports). Why?
A: This is most likely a different hardware revision. The first revision was 1.0T, followed by 1.2T and the most recent revision 1.3T. 1.0T had no ADSL features and was quite vulnerable to power fluctuations; the latest revision appears to be quite stable.

Q: Which hardware types are available?
A: SBox-200, SBox-200-A (UTM-1 Edge X ADSL Annex A) and SBox-200-B (UTM-1 Edge X ADSL Annex B).

Q: OK, I'm set up and safe. Now how do I protect against phishing?
A: Erez provides a best practice: Anti Phishing

Q: What's the meaning of all those log messages?
10001 Error - too many established connections
The web filtering service connection table is full.
10011 DHCP server got unknown message type (<MessageType>)
The DHCP server received an invalid DHCP request.
10012 DHCP server found no free IP addresses
There are no free IP addresses. Consider increasing the size of the DHCP address range.
10013 DHCP server can't add more leases
The DHCP server has reached the maximum amount of supported DHCP leases.
10014 Gateway started up
The gateway has been powered up or restarted.
10015 Assigned <IP> to <MAC Address> via DHCP
An IP address has been assigned to a host.
10016 Detected static IP
A host is assigned with a static IP.
10019 Failed to lease reserved IP <IP Address>, IP already used
A DHCP client tried to request an IP address that is already in use.
10020 An IP conflict was detected: The IP <IP Address> is in use by a device with MAC address <MAC Address>
Two devices on the network are configured to use the same IP address.
10021 A MAC address conflict was detected: The MAC address <MAC Address> is in use by another device
Two devices on the network are using the same MAC address.
10022 WAN received DHCP IP overlaps the LAN\DMZ network
The WAN IP address must not belong to one the internal networks.
10023 WAN received DHCP network that intersects with internal network
The WAN IP subnet mask must not intersect with an internal network.
10024 WAN received bad DHCP IP
Your ISP assigned an invalid IP address to this gateway.
10026 WLAN client: <MAC Address>, connected to network
A wireless station has connected to the network.
10027 WLAN client: <MAC Address>, disconnected from network
A wireless station has disconnected from the network.
10028 WLAN client: <MAC Address>, failed to authenticate to network
A wireless station has failed to authenticate to the network.
10029 WLAN client: <MAC Address>, associated to network
A wireless station has associated with the network.
10030 WLAN client: <MAC Address>, disassociated from network
A wireless station has disassociated with the network.
10031 WLAN client: <MAC Address>, re-associated to network
A wireless station has re-associated with the network.
10032 DHCP relay: server on <Network Name> network failed over from <IP Address> to <IP Address>
The main DHCP relay server is not responding, the secondary DHCP relay server was used instead.
30001 Policy error - trap <id> called with too many arguments
May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.
30004 Kernel hook failed
May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.
30005 <Operation Type> operation on table <table id> failed
May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.
30009 Table <table id> not found
May indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.
30011 Failed to install updated security policy
The security policy installation has failed. This may indicate a mismatch between the SmartCenter policy version (libsw) and the current firmware version.
30012 Failed to install policy - invalid policy file
The security policy received from the service center is corrupt.
30013 Policy version is incompatible with the appliance firmware.
The security policy received from the service center is incompatible with the current firmware version.
30015 Policy is incompatible with appliance type
The security policy received from the service center is incompatible with the current appliance type.
30016 Wrong update version in policy.
The security policy received from the service center is incompatible with the current firmware version.
30021 Failed to install updated user interface
The downloaded GUI update file is invalid or incompatible with this firmware version.
30024 Failed to install updated firmware
The downloaded firmware update file is corrupt or not compatible with the current hardware type.
30025 Failed to install policy
Failed to install an updated INSPECT security policy
30026 Failed to install updated configuration-set file
The configuration-set received from the service center is invalid.
30027 Failed to install configuration-set file
Failed to install an updated configuration set file
30028 Downloaded <n> dynamic objects. Only the first <n> are installed.
Too many dynamic objects were received from the service center.
40015 Failed to install config item
The configuration-set received from the service center is invalid.
60000 Packet logged
A packet was logged or dropped. See also the Connection Log Reasons table below.
60001 Password changed
The user has changed the password.
60002 Security level changed from <x> to <y> (<change requested by>)
The firewall security level has been changed.
60003 Web filtering mode changed <mode>
Web filtering was enabled or disabled.
60004 Mail filtering mode changed <mode>
Mail filtering was enabled or disabled.
60005 User interface updated
The firewall GUI has been updated.
60009 Firmware changed
The appliance firmware has been updated.
60011 Update now command was issued
The user requested an immediate update of settings from the service center.
60020 site <operation>: <name>
A VPN site was created or modified.
60021 Failed to establish VPN Tunnel with <server>: <error>
Failed to establish a phase-1 or phase-2 IKE SA, due to a specified reason.
60022 You are exceeding your node limit (Node Limit <count>, Used Nodes <count>)
You are exceeding the node count allowed by your license. Please contact your Check Point reseller for a license upgrade.
60024 VPN mode changed <site>
The VPN mode has changed for the specified site.
60025 URL filtering override
The user requested to temporarily override web filtering.
60026 User <name> <operation>
A user was created or modified in the local user database.
60028 VPN Server <mode>
VPN server enabled/disabled.
60031 User database changed.
A user has logged in to the appliance.
60032 Updated configuration from Service Center
A new configuration was received from the service center.
60033 Software Updates mode changed to <mode>
The software updates service was enabled or disabled
60034 Automatic updates interval (seconds) changed to <interval>
The automatic updates interval was modified.
60035 Mail Filtering override
Mail filtering was temporarily overridden by the user
60037 Closed VPN Tunnel with <peer> OR: VPN Tunnel established with <peer>
A VPN tunnel was shut down or established.
60038 Internet connection terminated after <time> OR: Internet connection established, IP <IP Address> was assigned
An Internet connection was shut down or established.
60040 Logging was disabled OR: Logging was set: Syslog IP Address is <IP Address> and Syslog Port is <port>
Syslog logging was disabled or configured by the administrator.
60041 Management protocol mode changed
HTTPS, SSH, or SNMP configuration was changed.
60042 RADIUS server mode changed
RADIUS configuration was modified.
60043 Warning; Topology overlapping
The VPN topology conflicts with one of the internal networks.
60044 Dialup Modem configuration changed
The dialup modem configuration was changed.
60045 Topology overlapping: Range <range> overlaps with internal/DMZ IP
The VPN topology conflicts with one of the internal networks.
60046 PPP Connection failed
A PPP connection has failed.
60047 Network settings updated
The settings for an internal network were modified.
60048 PFS mismatch: Peer <IP Address> configured without PFS support
Perfect Forward Secrecy is enabled, but the VPN peer does not support it.
60052 Point to point connection failed to connect <reason>
A PPP error has been detected on connection.
60054 QoS Classes were reset to defaults
The traffic Shaper QoS Classes were reset to defaults.
60055 RADIUS permissions saved
RADIUS permissions were modified.
60057 Internal Error
An internal error has occurred.
60058 Firmware changed from version <version> to version <version>
The firmware was updated.
60059 The reserved IP <IP Address> is used with the wrong MAC <MAC Address>
An IP address with a MAC reservation has been used by a different MAC.
60060 A security certificate was generated for subject: <subject>
A new certificate was created.
60061 Printer: <type>, S/N:<serial>, connected and attached to port <port number>
A new printer was attached to the print server, and a TCP port has been allocated.
60062 Printer: <type>, S/N:<serial >, was disconnected
A printer was disconnected from the print server.
60063 Printer: <type>, S/N:<serial >, starting print job from <IP Address>
A print job was sent to the print server.
60064 Printer: <type>, S/N:<serial>, failed print job from <IP Address>, <reason>
A print job has failed.
60065 Printer: <type>, S/N:<serial>, <message>
A printer has encountered a technical error.
60067 New configuration was saved to High Availability module.
The HA configuration was updated.
60068 High Availability module changed state from <state> to <state>
The HA module state has changed.
60069 Gateway changed status from <status> to <status>
HA failed over to the secondary gateway, or back to the primary gateway.
60070 Printer: <type>, S/N:<serial> finished print job from <IP Address>, size <size> Kbyte
A print job was successfully completed.
60071 Printer: <type>, S/N:<serial> , reattached to port <port number>
A known printer has reconnected to the USB port.
60072 Can't attach port to printer: <type>, S/N:<serial>, only 4 printers are supported
You attempted to connect more than four printers to the print server at the same time.
60073 Successfully authenticated user <username> connecting from IP <IP Address>
The specified user has logged in to the VPN server.
60074 Printer: <type>, S/N:<serial> , is ready
The printer is ready to accept print jobs.
60075 IKE Phase1: Completed successfully with VPN peer <peer> [Security: <encryption>/<digest>] Expire Time: <time> NAT-T: <NAT-T mode>
IKE phase 1 has completed successfully with the specified peer and has negotiated the specified security methods, SA expiration time, and NAT Traversal mode.
60076 IKE Phase2: Completed successfully with VPN peer <peer> [Security: <encryption>/<digest>] Expire Time: <time> NAT-T: <NAT-T mode>
IKE phase 2 has completed successfully with the specified peer and has negotiated the specified security methods, SA expiration time, and NAT Traversal mode.
60077 IKE Phase1: The VPN Peer <peer> is behind a NAT device: NAT-T mode enabled
NAT Traversal (NAT-T) has been automatically enabled, since the peer gateway is behind NAT.
60078 IKE Phase1: This VPN gateway is behind a NAT device: NAT-T mode enabled for VPN peer <peer>
NAT Traversal (NAT-T) has been automatically enabled since this gateway is behind NAT.
60079 Disconnected from Service Center
The gateway has disconnected from the service center.
60080 New configuration was saved to WLAN module.
The wireless LAN configuration was updated.
60081 Printer: <name>, S/N:<serial>, was reset, all running print jobs were terminated
A printer was reset, and all the remaining print jobs in the print server for this printer were terminated.
60082 Resolved peer IP for <peer> is: <IP Address>
VPN interface resolving has resolved the specified IP as the reachable interface of a VPN peer.
60083 Warning: Your certificate is about to expire. Expiry date is <date>
This is a reminder that the currently installed security certificate of this gateway is nearly expired.
60084 Warning: Your CA certificate is about to expire. Expiry date is <date>
This is a reminder that the currently installed CA (Certificate Authority) security certificate is nearly expired.
60085 Swapped user rules at indexes <n> and <n>
The specified firewall rule has been reordered in the local security policy.
60086 Internet connection probing status change
Internet probing has detected that a specified Internet connection is in non operational or operational status.
60087 Firmware check failed: unrecognized image
Attempted to install an invalid firmware image.
60088 Firmware check failed: firmware version is not compatible with the hardware revision of this gateway
Attempted to install a firmware version incompatible with the hardware revision of this gateway.
60089 Mail AntiSpam mode changed <mode>
E-Mail AntiSpam mode has changed to enabled or disabled.
60090 New configuration was saved to HotSpot module.
The HotSpot configuration has been updated.
60091 HotSpot user <username> <action> <source>
A user has logged in or logged out from a Secure HotSpot enabled network.
60092 HotSpot user <username> <action> <source>
A user has logged in or logged out from a Secure HotSpot enabled network that does not require user authentication.
60093 NTP updated time by <n> seconds
Synchronization of time with the NTP (Network Time Protocol) server has caused time to be updated.
60094 Received invalid SofaWare specific RADIUS attribute
The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response.
For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper “Configuring the RADIUS Vendor-Specific Attribute”
60095 Received invalid SofaWare specific RADIUS value (<name>) for <name> attribute
The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response.
For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper “Configuring the RADIUS Vendor-Specific Attribute”
60096 Received invalid SofaWare specific RADIUS attribute type: <name>
The RADIUS server can instruct the gateway to override the default permission set for a user, by sending a vendor specific attribute in the response.
For the list of RADIUS vendor specific attributes supported by Embedded NGX and their allowed values, refer to the whitepaper “Configuring the RADIUS Vendor-Specific Attribute”
60097 Internet connection probe status changed
The status of the specified Internet connection probing IP address has changed.
60098 Swapped antivirus rules at indexes <index> and <index>
The specified antivirus rule has been reordered in the local AV policy.
60099 Start sniffing <n> network
The packet capture tool was started by the user.
60100 Failed to start sniffer
An internal error occurred – packet capture cannot be performed.
60101 Sniffer was stopped, <n> packets were captured
The packet capturing session has been stopped by the user.
60102 Sniffer was cancelled
The packet capturing session has been cancelled by the user.
60103 blocked by VStream
A connection has been blocked by VStream antivirus.
60104 VStream antivirus <new status>
VStream antivirus scanning has been enabled or disabled.
60105 Warning: No signatures database is installed. VStream antivirus scanning will not be performed.
No antivirus signatures database is installed; therefore antivirus scanning will not be performed.
60106 Your certificate has expired. Expiry date is <date>
The currently installed certificate is no longer valid. It should be renewed.
60107 Your CA certificate has expired. Expiry date is <date>
The currently installed CA certificate is no longer valid. It should be renewed.
60108 Sniffer buffer is full, <n> packets were captured
The packet capture has been stopped, since the capture buffer is full.
60109 Sniffer stopped
The packet capture has been stopped by the user.
60110 Failed to load VStream signatures databases
An invalid signatures database was received from the service center.
60117 VStream Error: <message>
An Error has occurred in VStream Antivirus processing.
60118 Low free memory (User:<n> Kb, Kernel:<n> Kb, FW:<n> Kb)
The gateway is low on memory resources. If this warning message appears frequently, please contact support.
60119 VStream database was installed successfully
The antivirus signatures database has been updated.
60120 Warning: Some of the QoS settings are invalid, therefore QoS is temporarily disabled
Invalid QoS settings were received from the service center.
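
A practitioner reading that table usually wants to turn it into something that runs over exported logs. The script below is an added example, not part of the original FAQ and not SofaWare's or Check Point's code: it parses lines of the form '<ID> <message>' exactly as they appear in the table, groups the IDs into categories with a severity (that grouping is my own triage policy, an assumption, not an appliance setting), and pulls the node counts out of 60022 messages. The sample records are constructed to follow the message formats in the table; if your syslog collector prefixes a header, strip it before the five-digit ID.

```python
"""Triage UTM-1 Edge event-log lines by their numeric message ID (added example)."""
import re
from collections import Counter
from typing import Optional

# Message IDs are the ones listed in the table above. Grouping them into categories
# and severities is this example's own triage policy, not something the appliance does.
RULES = [
    ({30001, 30004, 30005, 30009, 30011, 30012, 30013, 30015, 30016, 30021, 30024,
      30025, 30026, 30027, 30028, 40015}, "policy-install", "critical"),
    ({60022}, "license", "critical"),
    ({60106, 60107}, "certificate", "critical"),
    ({60083, 60084}, "certificate", "warning"),
    ({60118, 10001, 10012, 10013}, "resources", "critical"),
    ({60067, 60068, 60069}, "high-availability", "warning"),
    ({10020, 10021, 10022, 10023, 10024, 60059}, "addressing", "warning"),
    ({60021, 60043, 60045, 60048}, "vpn", "warning"),
    ({60037, 60075, 60076, 60077, 60078, 60082}, "vpn", "info"),
    ({60001, 60002, 60003, 60004, 60026, 60028, 60031, 60041, 60042, 60085, 60098},
     "admin-change", "notice"),
]

# Assumption: each record starts with the five-digit ID exactly as in the table.
RECORD_RE = re.compile(r"^\s*(?P<id>\d{5})\s+(?P<text>\S.*)$")
NODE_LIMIT_RE = re.compile(r"Node Limit (?P<limit>\d+), Used Nodes (?P<used>\d+)")


def classify(msg_id: int):
    """Return (category, severity) for a message ID; unknown IDs are informational."""
    for ids, category, severity in RULES:
        if msg_id in ids:
            return category, severity
    return "other", "info"


def parse_record(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it is not an event record."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    msg_id = int(m.group("id"))
    category, severity = classify(msg_id)
    return {"id": msg_id, "category": category, "severity": severity, "text": m.group("text")}


def node_limit_status(text: str):
    """Extract (limit, used) from a 60022 message, or None if the numbers are absent."""
    m = NODE_LIMIT_RE.search(text)
    return (int(m.group("limit")), int(m.group("used"))) if m else None


def triage(lines):
    """Parse every record and attach the node-limit figures where they apply."""
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["id"] == 60022:
            rec["node_limit"] = node_limit_status(rec["text"])
        events.append(rec)
    return events


def summarize(lines) -> Counter:
    """Count records per severity so the critical ones stand out in a daily review."""
    return Counter(rec["severity"] for rec in triage(lines))


# Constructed sample records following the message formats in the table above.
SAMPLE_LOG = [
    "10014 Gateway started up",
    "60022 You are exceeding your node limit (Node Limit 8, Used Nodes 11)",
    "30011 Failed to install updated security policy",
    "60075 IKE Phase1: Completed successfully with VPN peer 203.0.113.5 "
    "[Security: AES-128/SHA1] Expire Time: 1440 NAT-T: disabled",
    "60083 Warning: Your certificate is about to expire. Expiry date is 2011-12-31",
    "60069 Gateway changed status from active to passive",
    "60118 Low free memory (User:512 Kb, Kernel:256 Kb, FW:128 Kb)",
    "garbage that is not an event record",
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(f'{rec["severity"]:8} {rec["category"]:16} {rec["id"]} {rec["text"]}')
    print(dict(summarize(SAMPLE_LOG)))
```

Run it as is to see the sample triage, or feed it the lines of an exported event log. Policy-install failures, the node-limit warning and the low-memory message come out as critical; certificate expiry reminders and HA state changes as warnings; successful IKE negotiations stay informational.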
Q: What's the reason of all those connection logs?
0 Policy rule
A connection has been logged by an INSPECT firewall policy rule on your gateway. This may be the default security policy shipped with your appliance, or a customized policy downloaded from your service center.
1 Custom rule
A connection has been logged by a custom firewall rule defined locally on your gateway.
To view your custom policy, connect to the “My Firewall” web interface, and click Security > Rules.
2 Short fragment
SmartDefense: An IP fragment is too short.
When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets.
This log message indicates that a fragment was found that is too short to be valid according to the IP protocol specifications.
3 Long fragment
SmartDefense: An IP fragment is too long.
When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments. In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets.
This log message indicates that a fragment was found that is too long to be valid according to the IP protocol specifications.
4 Ping of Death
SmartDefense: Ping of Death detected
PING (ICMP echo request) is a program that uses the ICMP protocol to check whether a remote machine is up.
The "Ping of Death" is a malformed PING request that some operating systems are unable to process correctly. The attacker sends a fragmented PING request whose reassembled size exceeds the maximum IP packet size (65,535 bytes), causing vulnerable systems to crash.
5 LAND Attack
SmartDefense: LAND Attack detected
Some implementations of TCP/IP are vulnerable to SYN packets in which the source address and port are spoofed to be identical to the destination address and port. LAND is a widely available attack tool that exploits this vulnerability.
6 Overlapping Fragment
SmartDefense: Overlapping Fragments detected
When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of overlapping IP fragments. Sending two IP fragments, with one fragment entirely contained inside the other, causes these faulty implementations to allocate too much memory and crash the server on which they run.
7 Teardrop
SmartDefense: Teardrop Attack detected.
When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of overlapping IP fragments. Sending two IP fragments, with one fragment entirely contained inside the other, causes these faulty implementations to allocate too much memory and crash the server on which they run. TearDrop is a widely available attack tool that exploits this vulnerability.
Because proper reassembly is required for normal network operation, SmartDefense blocks attacks based on overlapping IP fragments even if the checkbox is deselected. By default, blocked attacks will be logged as “Overlapping fragment”.
8 Spoofed IP
SmartDefense: IP Spoofing detected
IP address spoofing is a technique by which an intruder attempts to gain unauthorized access by altering a packet’s source IP address to make it appear as though the packet originated in a part of the network with higher access privileges. For example, a packet originating on an external network may be disguised as a local packet. If undetected, this packet will be processed by the rule base as having originated inside the firewall (i.e., possibly circumventing access controls). As such, it is important to verify where the packets originated.
Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway. It confirms that packets claiming to be from an internal network are actually coming from the internal network interface. It also verifies that, once a packet is routed, it is going through the proper interface.
A Check Point enforcement point will block an illegal address. For example, an IP address from an external interface should not have a source address of an internal network. Legal addresses that are allowed to enter a Check Point enforcement point interface are determined by the topology of the network.
10 HotSpot
Secure HotSpot authentication is required
Secure HotSpot facilitates the creation of managed guest access networks (either wireless or wired) with configurable Web-based authentication, temporary user accounts and RADIUS integration.
A connection was blocked since Secure HotSpot mode is enabled for the selected network.
11 TCP out of state
SmartDefense: TCP connection without corresponding SYN.
Strict TCP controls the way the firewall handles all out-of-state TCP packets. Out-of-state packets are SYN-ACK or data packets that arrive out of order, before the TCP SYN packet. If you wish to have an extra strict policy, set Strict TCP action to 'block'.
12 SYN attack
SmartDefense: A suspected SYN attack was detected.
A TCP denial of service attack, which occurs when an attacker sends many SYN packets without finishing the TCP 3-way handshake. A successful SYN Attack will cause the attacked host to be unable to accept new connections.
13 Duplicate fragments
SmartDefense: Too many duplicate fragments were detected.
When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
Some implementations of the TCP/IP protocol stack do not properly handle the reassembly of a large amount of duplicate IP fragments. When SmartDefense detects an excessive amount of duplicate IP fragments, it logs this event as ‘Duplicate Fragments’.
14 Too many incomplete packets
SmartDefense: Virtual Defragmentation: Too many incomplete fragmented packets.
When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets. Without reassembling the fragments, it is not always possible to detect such an attack. As a result, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g. TTL is the same for all fragments), so that security checks can be run against the complete packet contents.
An attacker may try to overload the defragmentation system by sending a large amount of incomplete packets. Such attempts are detected by SmartDefense and logged as “Too many incomplete packets”.
15 Incomplete packet
SmartDefense: A packet was dropped since not all the fragments were received.
When an IP packet is too big to be transported on a given network, it is split into several smaller IP packets and transmitted in fragments.
In an attempt to conceal an attack or exploit, an attacker might break the data section of a single packet into several fragmented packets.
Without reassembling the fragments, it is not always possible to detect such an attack. As a result, malicious content that is split across fragments can traverse some firewalls. In contrast, a Check Point enforcement point collects and reassembles all the fragments of a given IP packet, verifying that the options for the fragments are consistent (e.g. TTL is the same for all fragments), so that security checks can be run against the complete packet contents.
If some of the fragments of a certain fragmented packet are lost in transit, the packet is blocked by the firewall, and logged as an “Incomplete packet”.
16 Ping too big
SmartDefense: A Ping packet is too large.
PING [ICMP echo request] is a program that uses the ICMP protocol to check whether a remote machine is up. A request is sent by the client, and the server responds with a reply echoing the client's data.
An attacker might echo the client with a large amount of data, for example, causing a buffer overflow.
17 Null payload
SmartDefense: Null payload ping attack.
PING [ICMP echo request] is a program that uses the ICMP protocol to check whether a remote machine is up.
Some worms, such as Sasser, use ICMP echo request packets with null payload to detect potentially vulnerable hosts. When this protection is enabled, SmartDefense will identify and drop the null payload ping packets.
18 Welchia
SmartDefense: Welchia DoS attack detected.
The Welchia worm uses the Microsoft DCOM vulnerability or a WebDAV vulnerability. After infecting a computer, the worm begins searching for other live computers to infect. It does so by sending a specific ping packet to a target and waiting for the reply that signals that the target is alive. This flood of pings may disrupt network connectivity.
19 Christmas packet
SmartDefense: Christmas packet attack detected.
A Christmas packet is an IP packet with every single option set. Christmas Tree packets can be used as a method of collecting intelligence on a specific TCP/IP stack, by sending Christmas packets and performing analysis on the response. This can allow an attacker to detect the specific operating system in use. If a Christmas packet is detected by SmartDefense, it is automatically blocked and logged.
20 Cisco IOS DoS
SmartDefense: Cisco IOS denial of service attack.
Cisco routers are configured to process and accept Internet Protocol version 4 [IPv4] packets by default. A specially-crafted sequence of IPv4 packets with protocol type 53 - SWIPE, 55 - IP Mobility, 77 - Sun ND, or 103 - Protocol Independent Multicast - PIM, which is handled by the processor on a Cisco IOS device, can cause the router to stop processing inbound traffic on that interface.
21 Fragmented packet
SmartDefense: Policy forbids fragmented packets.
An attacker might break the data section of a single packet into several fragmented packets, trying to conceal known attacks and exploits. Without reassembling the fragments, it is not always possible to detect such an attack. Therefore, by default, Embedded NGX reassembles all fragments prior to inspecting the packets. However, if you set “Forbid IP Fragments” to “True” in the SmartDefense > IP Fragments tab, all IP fragments will be forbidden and blocked.
22 Network Quota
SmartDefense: Network Quota exceeded.
Network Quota enforces a limit upon the number of connections that are allowed from the same source IP address, to protect against Denial Of Service [DoS] attacks. When a certain source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source, or track the event.
23 Stateless ICMP
SmartDefense: ICMP response with no ICMP request.
ICMP allows one network node to ping, or send an echo request to, other network nodes to determine their operational status. This capability can be used to perpetrate a “Smurf” DoS attack. The Smurf attack is possible because standard ICMP does not match requests to responses.
Therefore, an attacker can send a ping with a spoofed source IP address to an IP broadcast address. The IP broadcast address reaches all IP addresses in a given network. All machines within the pinged network send echo replies to the spoofed, and innocent, IP source. Too many pings and responses can flood the spoofed network and deny access for legitimate traffic. This type of attack can be blocked by dropping replies that don’t match requests, as performed by Check Point’s Stateful ICMP. These packets are logged as “Stateless ICMP”.
24 FTP Bounce
SmartDefense: FTP bounce attack.
When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine.
25 FTP port overflow
SmartDefense: FTP port overflow attack.
FTP clients send PORT commands when connecting to the FTP server. A PORT command consists of a series of numbers between 0 and 255, separated by commas.
Block Port Overflow rejects PORT commands that contain a number greater than 255.
26 FTP known port
SmartDefense: FTP known port attack.
When connecting to an FTP server, the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data. An FTP Bounce attack is when an attacker sends a PORT command specifying the IP address of a third party instead of the attacker's own IP address. The FTP server then sends data to the victim machine.
By enabling the “FTP Known Port” protection, you can specify whether to allow the FTP server to connect to well-known ports. This provides a second protection against certain FTP bounce attacks. The server will not let the bounce connect to any port running a known service.
27 FTP Illegal command
SmartDefense: Blocked FTP Command
Using the “Blocked FTP Commands” SmartDefense protection, you can select which FTP commands are allowed to pass through the firewall. This log message indicates that SmartDefense detected an attempt to use an FTP command that was not in the list of allowed FTP commands configured by the user.
28 Non TCP flooding
SmartDefense: Non TCP flooding attack.
Hackers directly target security devices such as firewalls. In advanced firewalls, state information about connections is maintained in a State table. The State table includes connection-oriented TCP and connectionless non-TCP protocols. Hackers can send high volumes of non-TCP traffic, in an effort to fill up a firewall State table. This prevents the firewall from accepting new connections and results in a Denial of Service [DoS].
SmartDefense can restrict non-TCP traffic from occupying more than a pre-defined percentage of an enforcement point’s state table. This eliminates the possibility of this type of attack.
29 Small PMTU
SmartDefense: Small PMTU DoS attack.
Small PMTU is a bandwidth attack in which the client fools the server into sending large amounts of data using small packets. Each packet has a large overhead that creates a "bottleneck" on the server.
30 KaZaa
SmartDefense: KaZaa blocked/logged due to user policy.
SmartDefense can block or log Kazaa. Kazaa is a popular Peer to Peer file sharing Protocol, running over TCP port 1214 or over HTTP.
31 Skype
SmartDefense: Skype blocked/logged due to user policy.
SmartDefense can block or log Skype traffic by identifying Skype fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port being used to initiate the peer to peer session. Skype uses UDP or TCP port 1024 and higher or HTTP for peer to peer telephony.
32 BitTorrent
SmartDefense: BitTorrent blocked/logged due to user policy.
SmartDefense can block or log BitTorrent, a file distribution network using Peer to Peer connections. BitTorrent uses ports from within the TCP port 6881 - TCP port 6889 range for file transfer.
33 eMule
SmartDefense: eMule blocked/logged due to user policy.
SmartDefense can block or log eMule, a popular Peer to Peer Protocol, used by various Peer to Peer clients, such as eMule, iMesh and others.
34 Gnutella
SmartDefense: Gnutella blocked/logged due to user policy.
SmartDefense can block or log Gnutella, one of the most popular Peer to Peer protocols, used by applications such as Gnutella, BearShare, Shareaza, Morpheus and iMesh.
35 ICQ
SmartDefense: ICQ blocked/logged due to user policy.
SmartDefense can block or log ICQ traffic by identifying ICQ's fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port that is being used to initiate the peer to peer session. ICQ uses TCP port 5190 to connect. File transfer and sharing is done through TCP port 3574/7320.
36 Messenger
SmartDefense: Yahoo Messenger blocked/logged due to user policy.
SmartDefense can block Yahoo! Messenger traffic by identifying fingerprints and HTTP headers. SmartDefense is able to detect instant messaging traffic regardless of the TCP port that is being used to initiate the peer to peer session. Yahoo! Messenger uses TCP port 5050 and TCP port 80 for messaging, TCP port 5100 for video, TCP port 5000 for voice and TCP port 5010 for file transfer.
37 Packet too small
SmartDefense: IP packet is too small.
The SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected an IP packet that is too small to be valid.
38 Length mismatch
SmartDefense: IP packet validation failed due to wrong length.
The SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a corrupt or invalid IP packet with an invalid length field.
39 Port 0
SmartDefense: Connection to Port 0.
Port 0 is not a legitimate destination port for TCP and UDP packets. If SmartDefense detects a packet with the destination port of 0, the packet is dropped and logged as “Port 0”.
40 Small TCP offset
SmartDefense: Invalid TCP packet.
The SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid TCP offset field.
41 Large TCP offset
SmartDefense: Invalid TCP packet.
The SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid TCP offset field.
42 source IP
SmartDefense: Invalid source IP address.
The SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a packet with an invalid source IP address, such as a multicast address, a broadcast address, or a loopback address.
43 TCP options
SmartDefense: TCP options are invalid.
The SmartDefense packet sanity protection option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options, and verifying the TCP flags. This log message indicates that packet sanity detected a TCP packet with an invalid set of TCP options.
44 IGMP packet
SmartDefense: IGMP packet is truncated.
IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates the detection of an IGMP packet that is too short to be valid.
45 IGMP TTL is not 1
SmartDefense: IGMP Time To Live must be 1.
IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates an IGMP packet that had a TTL (Time to Live) value other than 1.
46 IGMP to unicast IP
SmartDefense: IGMP to Unicast IP addresses is invalid.
IGMP is used by hosts and routers to dynamically register and discover multicast group membership. Attacks on the IGMP protocol usually target vulnerabilities in the multicast routing software/hardware used, by sending specially crafted IGMP packets. This log message indicates that an IGMP packet was sent to a unicast IP address.
47 mismatch
VPN: A cleartext packet was received from an IP address in the encryption domain.
This log message indicates that a packet was received in clear text, when it was expected to be encrypted. This may either indicate an unauthorized attempt to access your VPN network, or a problem in your VPN setup which caused the two peers in a VPN link to disagree on which packets should be encrypted.
48 CIFS password buffer overrun
SmartDefense: Microsoft File Sharing attack.
A worm is a self-replicating malware [malicious software] that propagates by actively sending itself to new machines. CIFS, the Common Internet File System, sometimes called SMB, is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation.
58 Host port scan
SmartDefense: Host Port Scan detected.
This log message indicates that a Host Port Scan was detected. A host port scan is directed at a specific host or network. A scan can determine which services a host offers. For example, a host port scan could discover that a certain host has TCP ports 23, 25, and 110 open, meaning it offers the Telnet, SMTP, and POP3 services, respectively.
59 IP sweep scan
SmartDefense: IP Sweep scanning detected.
This log message indicates that an IP address Sweep Scan was detected. An IP Sweep Scan looks for a specific open port and determines which hosts are listening on that port. IP Sweep Scans are used, for example, by network worms trying to find machines to which they can propagate themselves. The Blaster worm, for instance, looks for the RPC service, searching the entire network for that single open service.
60 CIFS Worm
SmartDefense: A worm is trying to spread via Microsoft File Sharing.
A worm is a self-replicating malware [malicious software] that propagates by actively sending itself to new machines. CIFS, the Common Internet File System, sometimes called SMB, is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation.
63 HTTP Worm Catcher
SmartDefense: A worm is trying to spread via HTTP.
A worm is a self-replicating malware [malicious software] that propagates by actively sending itself to new machines. Some worms propagate by using security vulnerabilities in the HTTP protocol. This SmartDefense protection allows you to detect and block worms based on pre-defined patterns.

Last edited by danjun; 8th September 2013 at 11:50 PM.
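As an added example, not part of danjun's FAQ and not Check Point code, the following Python sketches the kind of Layer 3/4 sanity checks behind the "Packet too small", "Length mismatch", "source IP", "Port 0" and "Small/Large TCP offset" log messages listed above. The function names and the constructed sample packets are assumptions of this example; the actual SmartDefense internals are not published on this page.

```python
# Added example (not from the FAQ or Check Point): a minimal IPv4/TCP sanity checker
# modelled on the Layer 3/4 checks behind the FAQ's "Packet too small", "Length
# mismatch", "source IP", "Port 0" and "Small/Large TCP offset" log messages.
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, frag, ttl, proto, csum, src, dst

def ipv4_sanity(raw: bytes) -> list:
    """Return the sanity findings for one raw IPv4 packet (empty list = clean)."""
    if len(raw) < 20:                                 # not even a fixed IPv4 header
        return ["Packet too small"]
    ver_ihl, _, total_len, _, _, _, proto, _, src, _ = struct.unpack(IPV4_HDR, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:                   # header length field is bogus
        return ["Length mismatch"]
    findings = []
    if total_len != len(raw):                         # claimed size differs from wire size
        findings.append("Length mismatch")
    s = ipaddress.IPv4Address(src)                    # multicast/broadcast/loopback cannot be a source
    if s.is_multicast or s.is_loopback or s == ipaddress.IPv4Address("255.255.255.255"):
        findings.append("source IP")
    if proto == 6:                                    # TCP payload: run the Layer 4 checks
        findings += tcp_sanity(raw[ihl:min(total_len, len(raw))])
    return findings

def tcp_sanity(seg: bytes) -> list:
    """Layer 4 checks on a TCP segment: data offset must fit, destination port != 0."""
    if len(seg) < 20:
        return ["Packet too small"]
    _, dport, _, _, off_flags = struct.unpack("!HHIIH", seg[:14])
    data_off = (off_flags >> 12) * 4                  # TCP header length in bytes
    findings = []
    if data_off < 20:
        findings.append("Small TCP offset")           # points inside the fixed header
    elif data_off > len(seg):
        findings.append("Large TCP offset")           # runs past the end of the segment
    if dport == 0:
        findings.append("Port 0")
    return findings

def build_tcp(src="192.0.2.1", dst="198.51.100.7", dport=80, data_off=5, total_len=None) -> bytes:
    """Constructed sample: a bare IPv4 + TCP SYN with the fields the checks look at."""
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (data_off << 12) | 0x02, 8192, 0, 0)
    length = 20 + len(tcp) if total_len is None else total_len
    return struct.pack(IPV4_HDR, 0x45, 0, length, 1, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + tcp

if __name__ == "__main__":
    for name, pkt in [("clean", build_tcp()), ("smurf source", build_tcp(src="224.0.0.1")),
                      ("bad offset", build_tcp(data_off=3)), ("port 0", build_tcp(dport=0))]:
        print(f"{name:13s} -> {ipv4_sanity(pkt) or 'ok'}")
```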
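Also added here, and not taken from the FAQ or from Check Point: a small validator for FTP PORT commands that produces the three verdicts items 24, 25 and 26 describe (FTP bounce, FTP port overflow, FTP known port). The function and parameter names and the sample command lines are constructed for this example.

```python
# Added example (not from the FAQ or Check Point): validate one FTP PORT command the
# way items 24-26 describe it. Every field must be 0..255 ("FTP port overflow"), the
# address must be the client's own ("FTP bounce"), and the data port must not be a
# well-known service port unless allowed ("FTP known port"). Sample lines are constructed.
import re

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)

def check_port_command(line: str, client_ip: str, allow_known_ports: bool = False):
    """Return (verdict, detail) for one control-channel line.

    verdict is 'allow', 'ignore' (not a PORT command) or one of the FAQ's
    log names: 'FTP port overflow', 'FTP bounce', 'FTP known port'.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return ("ignore", "not a PORT command")
    fields = [int(x) for x in m.groups()]
    # RFC 959: h1,h2,h3,h4,p1,p2 are 8-bit values; anything larger is an overflow attempt
    if any(f > 255 for f in fields):
        return ("FTP port overflow", f"field out of range: {fields}")
    addr = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if addr != client_ip:                       # data connection aimed at a third party
        return ("FTP bounce", f"PORT names {addr} but client is {client_ip}")
    if port < 1024 and not allow_known_ports:   # bounce into a known service port
        return ("FTP known port", f"data connection to well-known port {port}")
    return ("allow", f"data connection to {addr}:{port}")

if __name__ == "__main__":
    client = "192.0.2.10"   # constructed client address
    for cmd in ["PORT 192,0,2,10,4,1", "PORT 192,0,2,10,300,1",
                "PORT 198,51,100,7,4,1", "PORT 192,0,2,10,0,25", "USER anonymous"]:
        print(f"{cmd:25s} -> {check_port_command(cmd, client)}")
```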
#2
26th May 2011, 01:49 PM
Salamandro
Member
Join Date: May 2011
Posts: 7

Hi danjun

Great Post!

I've just encountered a problem I couldn't solve by looking it up in your FAQ, so I thought I'd share:

A freshly installed UTM-1 Edge that's being managed by a Smartcenter got a new VPN configuration through policy (Enterprise VPN). When trying to establish the connection, I got the following error:
failed to load the security certificate

Solution: The Edge's time configuration was wrong (it had the year 2008), so the certificate under "VPN" was invalid, because the issue/start date of the certificate had not even been reached.
Fixed time, fixed VPN connection.

You might want to add this, because there were 0 Google hits on said error message.