Check Point QUANTUM SPARK 1500 Administration Manual

28 March 2024
QUANTUM SPARK 1500,
1600, 1800, 1900, 2000
APPLIANCES
R81.10.X
Centrally Managed
Administration Guide

Summary of Contents for Check Point QUANTUM SPARK 1500

  • Page 1 28 March 2024 QUANTUM SPARK 1500, 1600, 1800, 1900, 2000 APPLIANCES R81.10.X Centrally Managed Administration Guide...
  • Page 2 Download the latest version of this document in PDF format. Feedback Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments.       |      2 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Centrally Managed Administration Guide...
  • Page 3 "Configuring the Routing Table" on page 208. 06 March 2023 - Merged the information about R81.10.00 and R81.10.05 into a single document. 24 January 2023 - First release of this document.
  • Page 4: Table Of Contents

    Deployment Types Small-Scale Deployment Installation Configuring Gateway and Cluster Objects Defining a Gateway Object Establishing SIC on the Quantum Spark Gateway Defining a Gateway Cluster Object
  • Page 5 Viewing the Policy Installation Status SmartProvisioning Creating a Gateway General Properties More Information Communication Properties VPN Properties Finish Updating the Corporate Office Gateway Creating a SmartLSM Appliance Cluster General Properties
  • Page 6 Managing Active Devices Blocking a Device Manually Toolbar Buttons Revoking the Hotspot Access Viewing Reports Using System Tools Managing the Device Configuring Internet Connectivity Getting Started
  • Page 7 Mirror Port Physical Interfaces Bridge VLANs Alias IP VPN Tunnel (VTI) Virtual Access Point (VAP) BOND Configuring a Hotspot User Authentication Disabling the Hotspot Configuring MAC Filtering
  • Page 8 Configuring DDNS and Access Service DDNS Reach My Device Remote Access to the WebUI Remote Access to the CLI Using System Tools Advanced Routing OSPF Inbound Route Filters
  • Page 9 Restoring Default Values Clarifications Managing the Access Policy Working with User Awareness AD Query Identity Collector Identity Broker Managing Users and Objects Configuring Local Users and User Groups
  • Page 10 Revoking the Hotspot Access Wireless Active Devices Viewing VPN Tunnels Viewing Active Connections Access Points Viewing Reports Dr. Spark Offline installation procedure Using System Tools SNMP SNMP Traps Receivers
  • Page 11 Boot Loader Upgrade Using Boot Loader Restoring Factory Defaults Custom Default Image Fonic Bypass Configuring Bypass mode in the WebUI Configuring Bypass mode in Gaia Clish
  • Page 12: Overview Of Quantum Spark 1500, 1600, 1800, 1900 And 2000 Appliance Series

    Appliance Series 1500 Appliances Quantum Spark 1500 appliance series includes the 1530, 1550, 1570, 1590, and 1570R appliances. These appliances support the Check Point Software Blade architecture and provide independent modular and centrally managed security building blocks. You can quickly enable and configure the Software Blades to meet your specific security needs.
  • Page 13: 1600 And 1800 Appliances

    V91, V91W, V91WC, V91WLTE sk157412 1570 / 1590 V-81 Wired, V-81W WiFi, V-81WL sk157412 WiFi-LTE, V-81WD WiFi-DSL 1535 / 1555 V91, V91W, V91WC sk157412 V-80*, V90W
  • Page 14 - Quantum Spark R81.10.X Known Limitations sk181134 - Quantum Spark R81.10.X Resolved Issues Small Business Cyber Security video channel Note - Some topics only apply to specific appliances or models.
  • Page 15: Getting Started With 1500, 1600, And 1800 Appliance Series

    "Managing Users and Objects" on page 227 5. Configure required appliance settings. "Managing the Device" on page 107 6. In SmartConsole, configure and install the required Security Policies. See:
  • Page 16 Getting Started with 1500, 1600, and 1800 Appliance Series "Small-Scale Deployment Installation" on page 31 "Large-Scale Deployment Installation" on page 55 7. Make sure the appliance works as required. "Logs and Monitoring" on page 258
  • Page 17: Setting Up The Quantum Spark Appliance

    DSL as an internet connection. 3. Connect the standard network cable to the LAN1 port on the appliance and to the network adapter on your PC.
  • Page 18: Using Default Wifi

    Note - If you were connected to WiFi: After the One Touch script finishes running, the WiFi network you were connected to is deleted. As a result, you are disconnected from the appliance.
  • Page 19: First Time Deployment Options

    "Zero Touch Cloud Service" on page 20 "Deploying from a USB Drive or SD Card" on page 22 Note - SD card deployment is supported only in 1570 / 1590 appliances.
  • Page 20: Zero Touch Cloud Service

    When you reconnect to the WebUI or click Refresh, the browser opens to show the status of the installation process. After the gateway downloads and successfully applies the settings, it does not connect to the Zero Touch server again.
  • Page 21 Zero Touch Cloud Service R80.20 ZeroTouch For more information on how to use Zero Touch, see sk116375 and the Web Portal Administration Guide
  • Page 22: Deploying From A Usb Drive Or Sd Card

    LAN2 disable set interface LAN2 ipv4-address 192.168.254.254 subnet-mask 255.255.255.248 set interface LAN2 state on set admin-access interfaces WAN access allow set hostname DEMOgw01
  • Page 23: Preparing The Configuration Files

    If there is a configuration file with the same MAC address as the gateway, that file is loaded second. Use the # symbol to add comments to the configuration file.
  • Page 24: Deploying The Configuration File - Initial Configuration

    Note - The USB LED is red when there is a problem running the configuration script. Turn off the Quantum Spark Appliance and confirm that the configuration files are formatted correctly.
  • Page 25: Deploying The Configuration File - Existing Configuration

    After the Quantum Spark Appliance is successfully configured from a USB drive, a log is created. The log file is called: autonconf.<MAC Address>.<timestamp>.<log> The log file is created in the USB root directory and in /tmp on the appliance.
  • Page 26: Troubleshooting Configuration Files

    Web UI. However, not all of the settings from the failed configuration file show in the First Time Configuration Wizard. Best Practice - Check Point recommends that you do not use the First Time Configuration Wizard to configure an appliance when the configuration file fails. Restore the default settings to a partially configured appliance before you use the First Time Configuration Wizard to ensure that the appliance is configured correctly.
  • Page 27: Suggested Workflow - Configuration File Error

    1. Remove the USB drive. 2. Run the CLI command: restore default-settings 3. Connect to the Web UI and use the First Time Configuration Wizard to configure the appliance.
  • Page 28: Sample Configuration Log With Error

    The appliance only runs the next configuration script from a USB drive. set property USB_auto_configuration always The appliance always runs configuration scripts from a USB drive.
  • Page 29: Predefining A Centrally Managed Deployment

    Security Policy in SmartConsole For large-scale deployments - Configure a SmartLSM profile and Security Policy in SmartConsole, and manage the Quantum Spark Appliances in the SmartProvisioning GUI client
  • Page 30: Deployment Types

    SmartLSM profile and SmartProvisioning, or using a configuration file that is stored on a USB drive. For both deployment types, you must configure objects and other elements in SmartConsole and in SmartProvisioning.
  • Page 31: Small-Scale Deployment Installation

    First Time Configuration Wizard. For more details, see "Deploying from a USB Drive or SD Card" on page 22 3. In SmartProvisioning, manage the gateway object settings.
  • Page 32 2. From the left navigation panel, click Gateways & Servers. 3. From the top toolbar, click (New) > Gateway. 4. In the Check Point Security Gateway Creation window, click Wizard Mode.
  • Page 33 Select Static IP address and enter the IP address. Select Dynamic IP address to get the gateway's IP address from a DHCP server. f. Click Next.
  • Page 34 Important - This password must be identical to the one-time password you define for the appliance in the First Time Configuration Wizard.
  • Page 35 If it is a star community, this gateway becomes a VPN satellite gateway. QoS - Select the applicable inbound and outbound bandwidth rates.
  • Page 36 11. The General Properties window of the newly defined object opens. Configure the applicable settings and click OK. 12. Install the Security Policy on the gateway object.
  • Page 37: Establishing Sic On The Quantum Spark Gateway

    SmartConsole or SmartProvisioning. The policy installation from the Security Management Server alerts the gateways that they are configured as cluster members.
  • Page 38: Workflow

    Quantum Spark appliance. The configuration procedure consists of two parts: 1. Initial configuration of two new Quantum Spark appliance gateways 2. Creating and configuring a cluster object
  • Page 39 4. Connect your computer to the LAN1 interface of the first Quantum Spark appliance. 5. Configure your computer to get an IP address automatically. 6. In a web browser on your computer, connect to: http://my.firewall
  • Page 40 11. Connect your computer to the LAN1 interface of the second Quantum Spark appliance. 12. Renew the dynamic IP address on your computer. 13. In a web browser on your computer, connect to: http://my.firewall
  • Page 41 2. From the Objects menu, click More object types > Network Object > Gateways and Servers > New Small Office Cluster. The Check Point Security Gateway Cluster Creation window opens. 3. Click Wizard Mode.
  • Page 42 6. On the Cluster Interface Configuration page, define whether a network interface on the Quantum Spark appliance is part of the cluster. This window appears for each network interface that was configured on the Quantum Spark appliance.
  • Page 43 SYNC interface. Make sure a cable is connected between the two LAN2/SYNC ports of both appliances. Note - The LAN2/SYNC interface supports only IPv4 addresses.
  • Page 44 10. Renew the dynamic IP address on the computer connected to one of the Cluster Members. You can then access the Active Cluster Member in a web browser at: http://my.firewall
  • Page 45: Converting An Existing Quantum Spark Appliance To A Cluster

    It is recommended to assign a static IP address for the sync interface. 4. Do not fetch the policy from the Security Management Server.
  • Page 46 2. Reconfigure the IP addresses of the clustered interfaces with the actual IP addresses that are used by the gateway as a member of the cluster. Important - Downtime starts.
  • Page 47: Viewing Cluster Status In The Webui

    For example, a sub-policy can manage a network segment or branch office. Policy layers and sub-policies can be managed by specific administrators, according to their permission profiles.
  • Page 48: Working With Security Zone Objects

    5. Optional - If you want to create a new Security Zone, click New, enter the details, and click OK. 6. Click OK to close the Interface Properties window. 7. Click OK to close the object window.
  • Page 49 7. In the Action column of the new rule, select Accept. 8. In the Install On column of the new rule, click the + icon and select the applicable object. 9. Publish the SmartConsole session.
  • Page 50: Working With Updatable Objects

    These lists are dynamically updated. Updatable objects derive their contents from these published lists of the providers, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically on the Security Gateway each time the provider changes a list.
  • Page 51: Installing A Security Policy

    Installation completed successfully. This means that the policy is successfully prepared for installation. Continue tracking the status of the Security Policy installation with the Policy Installation and the status bar.
  • Page 52: Viewing The Policy Installation Status

    If a policy is not prepared, the Policy Type column shows "No Policy Prepared." When the gateway is first connected, only trust is established.
  • Page 53 From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked. From notification balloons - Click See Details in the balloon.
  • Page 54: Setting The Management Server Ip Address Behind A 3Rd Party Nat Device

    First Time Configuration Wizard - Security Management Server Connection page (select Always use this IP address and enter the IP address) or from the WebUI Home > Security Management page.
  • Page 55: Large-Scale Deployment Installation

    Use a USB drive to quickly configure multiple appliances without the First Time Configuration Wizard. For more details, see "Deploying from a USB Drive or SD Card" on page 22. 5. Manage the appliance settings in SmartProvisioning.
  • Page 56: Defining A Smartlsm Gateway Profile For A Large-Scale Deployment

    4. Click OK. 5. Install the applicable Security Policy on the Gateway SmartLSM profile. 6. Click Menu > SmartProvisioning. Continue the configuration in the SmartProvisioning GUI.
  • Page 57: Defining A Smartlsm Appliance Cluster Profile

    For each SmartLSM cluster, you must define at least 3 networks: External: one interface for each Cluster Member and a shared virtual IP address; Internal: one interface for each Cluster Member and a shared virtual IP address
  • Page 58: Deploying With Smartprovisioning

    Configuration Wizard or a USB drive configuration file before you manage them with SmartProvisioning. For more information about large-scale deployment using SmartProvisioning, see the SmartProvisioning Administration Guide for your Management Server version.
  • Page 59: Configuring Security Policy

    "Installation completed successfully". This means that the policy is successfully prepared for installation. Continue tracking the status of the Security Policy installation with the Policy Installation and the status bar.
  • Page 60: Viewing The Policy Installation Status

    If a policy is not prepared, the Policy Type column shows "No Policy Prepared." When the gateway is first connected, only trust is established.
  • Page 61 From the status bar - Click Failed or Pending. The contents of the Policy Installation Status window are shown filtered according to the link clicked. From notification balloons - Click See Details in the balloon.
  • Page 62: Smartprovisioning

    1. Enter a Name for the SmartLSM Security Gateway. It cannot contain spaces or non-alphanumeric characters. 2. Enter an optional Comment that identifies the SmartLSM Security Gateway. 3. Click Next.
  • Page 63: More Information

    The two Activation Key fields show the new key in hidden text. You cannot view it in clear text again. If you click Cancel, the generated key is discarded.
  • Page 64: Vpn Properties

    VPN Properties 1. Select how to create a VPN certificate: For a CA certificate from the Internal Check Point CA, select I wish to create a VPN Certificate from the Internal CA. For a CA certificate from a third party (for example, if your organization already has certificates from an external CA for other devices), clear this checkbox and request the certificate from the appropriate CA server.
  • Page 65: Finish

    Security Gateways are added, deleted, or modified (such as the generation of a new IKE key, a Push Policy action, or a Push Dynamic Objects action).
  • Page 66: Creating A Smartlsm Appliance Cluster

    5. In Provisioning Profile, select the provisioning profile to assign to this gateway, from the list of profiles created in SmartProvisioning. 6. Click Next. Cluster Names The cluster members' names are shown with the configured prefix. Click Next.
  • Page 67: More Information

    VPN Properties 1. Select how to create a VPN certificate: For a CA certificate from the Internal Check Point CA, select I wish to create a VPN Certificate from the Internal CA. For a CA certificate from a third party (for example, if your organization already has certificates from an external CA for other devices), clear this checkbox and request the certificate from the appropriate CA server.
  • Page 68: Defining Smartlsm Gateways Using Lsm Cli

    <Activation Key> <IP> The IP address to use to initiate a SIC connection. For more information, see the SmartProvisioning Administration Guide for your Management Server version.
  • Page 69: Managing Device Settings

    SmartProvisioning Administration Guide for your Management Server version. These device settings are unique to the Check Point appliance. They can be defined directly on the device or through the profile. Their tabs are:...
  • Page 70 For more information about override profile settings, see "Configuring RADIUS" on page 72 below. 5. In Firmware image, click Select to select a firmware image that was uploaded through SmartUpdate.
  • Page 71 9. Click Show profile settings - To see the settings of the Provisioning Profile that this gateway references. 10. Click OK.
  • Page 72: Configuring Radius

    Allowed Denied Mandatory 2. Select RADIUS is activated on device to enable RADIUS on the Check Point appliance. 3. Click Add to add RADIUS servers that were defined in SmartConsole, select a RADIUS server from the list and click OK.
  • Page 73: Configuring Hotspot

    Allow users from specific group - Select to allow access to a specific user group and not all users. Enter the group's name in the text box. 7. Click Apply.
  • Page 74: Configuring A Configuration Script

    4. If you selected to manage settings centrally, click Advanced. The Profile Settings window opens. 5. Select an option for Overriding profile settings on device level is:
  • Page 75 Manage settings locally on the device - Manage these settings on this gateway locally. Use the following settings - Manage these settings on this gateway individually with the values given here.
  • Page 76 Warning - If you select Use the following settings and do not enter values for a specified topic, the current settings on the device are deleted.
  • Page 77: Introduction To The Webui

    Note - If the locale of a user matches a localized WebUI, the Login window automatically loads in the specified language. Only English is supported as the input language.
  • Page 78: The Home Tab

    Configuration Wizard, the Sending Data to Check Point pop up window appears, with these checkboxes: Help us improve product experience by sending data to Check Point - The data sent includes session durations, how long the system is running, logs, etc.
  • Page 79: Controlling And Monitoring Software Blades

    If you change other policy settings, the change is temporary. Any changes made locally are overridden in the next synchronization between the gateway and Cloud Services.
  • Page 80 Click View demo to see an example of the statistics shown. Click the X icon to close the demo. To view an alert: 1. Hover over the alert triangle. 2. Click the applicable link.
  • Page 81: Setting The Management Mode

    (for example, when in a lab setting). Click Next. 3. In the Security Management Server Connection page, select a connection method:
  • Page 82 This feature is configured in the Infinity Portal. Go here to register the new Security Gateway and get the authentication token to enable Quantum Smart-1 Cloud on the gateway WebUI.
  • Page 83 Change Token - When the service is disabled, there is an option to reconnect with a new activation token. To generate a new activation token, go to the Infinity Portal. Quantum Smart-1 Cloud Administration Guide
  • Page 84 Setting the Management Mode Internet To test connectivity, click Test Connection Status. A status message shows the results of the test. You can click Settings to configure Internet connections.
  • Page 85: Managing Licenses

    Managing Licenses The Home > License page shows the license state for the Software Blades. From this page, the appliance can connect to the Check Point User Center with its credentials to pull the license information and activate the appliance.
  • Page 86 When the country and wireless region match, you see the full settings.
  • Page 87: Viewing The Site Map

    Name - Name of the device. The vendor icons appear next to the name. IP Address, Interface, Vendor, Device Type. For each asset, click one of these options:
  • Page 88 IoT - Access from the Internet (domains allowed to access your device) and Policy. If these options are grayed out, you cannot make any changes. Otherwise, select from the pulldown menu.
  • Page 89 IoT device. Override 5. Click the arrow to expand the Functions section. 6. Click the arrow to expand the Interface section.
  • Page 90: Managing Active Devices

    Interface - Name of the appliance interface, to which the device is connected. Blocking a Device Manually Click the device to select it and click Block.
  • Page 91: Toolbar Buttons

    Start/Stop Traffic Monitor - Gather upload and download packet rates for active devices. This operation may affect performance. To stop, click Stop Traffic Monitoring. Revoke Certificate - Revokes the certificate assigned to the device.
  • Page 92: Revoking The Hotspot Access

    This page is available from the Home and Logs & Monitoring tabs. If there is no IPv6 activity in a dual stack host, the Active devices do not show the IPv6 address.
  • Page 93: Viewing Reports

    AM. The generated time derives from the delta of the first applicable pair hour, which is 02:00, and the added 2 hours. The total wait is 2 hours.
  • Page 94 The table of contents contains links to the network analysis, security analysis, and infected devices reports. Click a link to go directly to the selected section.
  • Page 95 Report Pages Each report page shows a detailed graph, table, and descriptions. Note - This page is available from the Home and Logs & Monitoring tabs.
  • Page 96: Using System Tools

    Click the column names to sort the output. Show Routing Table (R81.10.00) - Opens a popup window that shows this information for each route: Source, Destination, Service, Gateway, Metric, Interface, Origin.
  • Page 97 Opens a popup window that shows the result of the Services Ports Cloud Services Connectivity Test (the output of the Gaia Clish command "test cloud-connectivity").
  • Page 98 Opens a popup window, in which you can capture traffic that passes through appliance interfaces. Warning - When you use this tool, the CPU load increases. Schedule a maintenance window.
  • Page 99 Using System Tools (table columns: Available From, Action, Description)
  • Page 100 The appliance captures traffic only on interfaces with a configured IP address. The packet capture stops automatically if the WebUI session ends. Procedure:
  • Page 101 Click Save to download the file. b. Your web browser saves this file (fw_monitor.log) in the default download folder.
  • Page 102 Note - If you entered a "grep" filter, then the saved file contains only the relevant lines you see on the screen. a. Click Save to download the file.
  • Page 103 Using System Tools (table columns: Available From, Action, Description) b. Your web browser saves this file (fw_ctl_zdebug_drop.log) in the default download folder.
  • Page 104 Site to Site VPN connection to / from this appliance. 6. Click the Stop Debugging button. 7. Click Download File to download the archive with the required log files.
  • Page 105 Opens a popup window that shows the result of the DNS lookup for the specified IP address / hostname (the output of the Gaia Clish command "nslookup").
  • Page 106 When the mini-USB is used as a console connector, Windows OS does not automatically detect and download the driver needed for serial communication. You must manually install the driver. For more information, see sk182035.
  • Page 107: Managing The Device

    3. Configure an Internet connection. a. Click New or Add an IPv4 Internet connection. The New Internet Connection window opens. b. Configure the required setting on the Configuration tab:
  • Page 108 Internet connections supplied by ISPs are unreliable and experience multiple disconnections, you can connect your appliances to multiple Internet connections from different ISPs.
  • Page 109 Based on the selected connection type, additional fields may appear. Connection Type / Additional Fields: DHCP - None. VXLAN - Peer address, Destination port, Internet connection. Static IP - IP address, Subnet mask, Default gateway.
  • Page 110 ARP requests (pinging) to the default gateway and expecting responses. Important - If you use Dynamic Routing, you must clear this option to prevent probing of the default gateway.
  • Page 111 Configures how this Internet connection (PPTP or L2TP) gets its WAN IP address - automatically or uses the configured IP address, Subnet mask, and Default gateway.
  • Page 112 You cannot apply an MTU on: Interfaces assigned to switches or bonds. Bridges - Configure the MTU separately for each of their children. Aliases. Virtual Access Points.
  • Page 113 Dashboard page > in the QoS section, move the slider to the right position (enabled green). Enable QoS (download) - Enables and configures the restriction for the inbound traffic (download on the internal networks behind the appliance).
  • Page 114 The appliance uses an Internet connection with a lower priority only if an Internet connection with a higher priority failed. Load Balancing > Weight - Configures how to share the traffic between the Internet connections.
  • Page 115 In the DHCP Settings section, configure the applicable settings. Configuration: Hostname via DHCP - Controls whether the appliance gets its hostname from your DHCP server.
  • Page 116 For example, Cellular networks have a plan, and if you exceed your limit it can be costly. In the MPLS network, you pay per use. 4. Click Save.
  • Page 117: IPv4 Connection Types

    4G network. For this option, select the USB/Serial option in the Interface name. Notes: Only one cellular modem is supported. Only customers with an approved RFE will be supported with the external modem specified in the RFE.
  • Page 118: IPv6 Connection Types

    The New Internet Connection window opens in the Configuration tab. 2. For Interface, select DMZ. For a DSL over DMZ Connection, select SFP-DSL. For a non-DSL connection, select RJ45/SFP-Fiber. 3. Click Save.
  • Page 119: IPv6 Configuration

    Addresses are provided via Stateless Address Auto Configuration, according to SLAAC rules. The prefix and subnet are provided. DHCPv6 Address range is set according to the prefix and subnet.
  • Page 120 7. Expand the NAT Settings section and select the Do not hide internal networks behind this Internet connection checkbox. 8. Make sure Prefix Delegation is disabled:
  • Page 121 Static IP - WAN, DMZ or unassigned LAN port. The DS-Lite master WAN connection type must be one of these: Dynamic IPv6, Static IPv6, PPPoEv6, Bridge IPv6.
  • Page 122 DS-Lite - The gateway address is non-globally-routable and automatically selected from the subnet 192.0.0.0/32. IPIP - The gateway address is globally-routable and you configure it manually.
  • Page 123 VNE is an added service that enables you to send an HTTP(S) request to your provider's server and notify it that your IPv6 address changed. For Service name, select one of these:
  • Page 124 Configure the default MTU of the IPIP interface to 1460 (IPv4 default = 1500). The size of the IPv6 header is 40. 9. Click Apply.
  • Page 125: Other Configuration Types

    Layer2 - Based on the XOR of hardware MAC addresses. Layer2+3 - Based on the XOR of hardware MAC addresses and IP addresses. Layer3+4 - Based on the IP addresses and Ports. 9. Click Apply.
  • Page 126: Cellular Connections

    6. For Connection Type, select one of these values: IPv4 - Both SIMs are configured to IPv4 only. IPv6 - Both SIMs are configured to IPv6 only.
  • Page 127 7. Configure the required values. Format: [<SIM ID Number (MCC/MNC)>] apn=<STRING> carrier_package=<STRING> Example: [302220] apn=isp.telus.com carrier_package=TELUS 8. Save the changes in the file and exit the Vi editor.
  • Page 128 Some carriers require the module to run a specific carrier configuration file, and may also request this for the certification process. In addition, the carrier configuration file ensures the use of carrier-specific parameters when you register with that carrier.
  • Page 129 PTM: Use connection as VLAN - Select this checkbox to add a virtual Internet interface. VLAN ID - Enter a VLAN ID between 1 and 4094.
  • Page 130: Monitoring

    On the Internet Connectivity page, click Connection monitoring... Procedure The Monitoring Servers table shows the configured connections: Connection - Name. For example, Internet1. Server Name, IP address, Packet Loss, Failures.
  • Page 131 4. Under Advanced Probing Settings, use the default values or enter new ones for: Recovery time (in seconds), Max latency allowed (milliseconds), Probing frequency (seconds), Window size (pings), Failover pings (percent failures). 5. Click Apply.
  • Page 132 Click the Monitor cellular modem link to see this information in the Cellular Modem Monitoring window: Cellular radio, Cellular modem, Operator, SIM cards - Which SIM is active, primary or disabled.
  • Page 133: Configuring The Wireless Network

    1. Select the Radio band (4GHz or 5GHz) and make sure the slider button is turned to ON. 2. For a new network, click Configure. The New Wireless Network window opens in the Configuration tab. 3. For an existing network, click Edit Settings.
  • Page 134 Hide the Network Name (SSID) - When selected, this wireless network name is not automatically shown to users scanning for networks. Users can still connect manually by entering the specified network name.
  • Page 135: Dynamic Frequency Selection (DFS)

    1. Double click the relevant VAP or select the VAP name and click Edit. The Edit window opens. Note - The wireless radio transmitter is the main VAP. 2. In the Configuration tab, select the Wireless Security:
  • Page 136: Additional Configurations

    1. For these fields, select options from the pull-down menu: Operation mode, Channel width, Channel, Transmitter power. 2. In the Advanced section, select the Guard Interval from the pull-down menu.
  • Page 137 IP address - IPv4 and IPv6 addresses. Subnet mask - for IPv4 addresses. Prefix length - for IPv6 addresses. DHCPv4 Server - Select one of the options:
  • Page 138 Note - In IPv4-only mode, this tab is called DHCPv4 Settings. The values for the DHCP options configured on this tab will be distributed by the DHCP server to the DHCP clients.
  • Page 139 You can optionally configure these additional parameters so they will be distributed to DHCP clients: Time servers, Call manager, TFTP server, TFTP boot file, X Window display manager.
  • Page 140: Wireless Scheduler

    Level of interference from other Wi-Fi networks on the current Wi-Fi channel. Signal level for the Wi-Fi clients connected to this appliance.
  • Page 141 Please consult the following table regarding the individual clients connected to the appliance: ExampleClient1 mac=XX:XX:XX:XX:XX:XX: rssi = 55, very good quality ExampleClient2 mac=XX:XX:XX:XX:XX:XX: rssi = 21, good quality
  • Page 142: Configuring The Local Network

    You can also use unassigned LAN ports to create an internet connection. In the table, these ports have the status Assigned to Internet.
  • Page 143 Physical interfaces - Shows cable connection status of each physical interface that is enabled. Otherwise, it shows disabled. Wireless networks - Shows if the wireless network is up or disabled.
  • Page 144: Reserved IP Address For Specific MAC

    3. Choose the IP address and Subnet mask the switch uses. 4. Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface.
  • Page 145: WAN As LAN

    BOND network. The WAN port (like the DMZ port) can only be used for a BOND network as part of an internet (external) network. The WAN as LAN feature is disabled by default.
  • Page 146: Monitor Mode

    1. Go to Device > Local Network. 2. Select an interface and double-click. The Edit window opens in the Configuration tab. 3. In the Assigned To drop-down menu, select Monitor Mode.
  • Page 147 3. To configure Monitor Mode with user-defined networks: "add monitor-mode-network ipv4-address <IP Address> subnet-mask <Mask>" and "set monitor-mode-configuration use-defined-networks true". 4. To see user-defined Internal networks: "show monitor-mode-network".
  • Page 148 Configuring the Local Network 5. To disable Anti-Spoofing: "set antispoofing advanced-settings global-activation false".
  • Page 149: Mirror Port

    3. In the Port Mirroring section of the Advanced tab, select the checkbox Assign to mirror port. 4. In the Port field, select the mirror port from the drop-down menu.
  • Page 150: Physical Interfaces

    Relay - Enter the DHCP server IP address. Disabled. Note - When you create a switch, you cannot remove the first interface inside it unless you delete the switch.
  • Page 151: Bridge

    If you add three or more subordinate interfaces, then the appliance drops the traffic through this Bridge interface with the message "IP routing failed (bridge routing failure)". To create/edit a bridge, configure the fields in the tabs:
  • Page 152 Users & Objects > Network Objects page. Reserving specific IP addresses requires the MAC address of the device. Relay - Enter the DHCP server IP address. Disabled.
  • Page 153: VLANs

    Use Hotspot - Select this checkbox to redirect users to the Hotspot portal before allowing access from this interface. You define the Hotspot configuration in the Device > Hotspot page.
  • Page 154: Alias IP

    2. Select the Local network port. 3. Add IP address. 4. Add subnet mask. 5. Click Apply. You can configure a total of 64 aliases for a LAN connection.
  • Page 155: VPN Tunnel (VTI)

    IP addresses. You define a local interface to use as the source IP address for outbound traffic. Internet connection - Select from the list. Local bridge interface - Select the local interface from the list.
  • Page 156: Virtual Access Point (VAP)

    Use the WINS servers configured for the internet connection. Use the following WINS servers - Enter the IP addresses of the First and Second WINS servers.
  • Page 157: GRE

    Do not create the GRE tunnel over LAN. To create a GRE tunnel: 1. In the WebUI, go to Device > Local Network and click New. 2. From the drop-down menu, select GRE.
  • Page 158: Bond

    2. In the Configuration tab, under BOND configuration, select a minimum of 2 LANs that are unassigned and disabled. Note - You cannot select LAN interfaces that have a VLAN assigned to them. 3. Select the Operation mode:
  • Page 159 7. If you selected 802.3ad or XOR as your operation mode, select the Hash policy from the dropdown menu (Layer2 or Layer3+4). 8. Click Apply. To create a WAN BOND, see "Configuring Internet Connectivity" on page 107.
  • Page 160: Configuring A Hotspot

    A hotspot is an area that offers a wireless local area network with Internet access, through a router connected to a link to an Internet service provider. Hotspot is automatically activated in the system.
  • Page 161 Define specified IP addresses, IP ranges or networks to exclude from the Hotspot. 1. Click Manage Exceptions. The Manage Hotspot Network Objects Exceptions window opens. 2. Select the objects to add as exceptions.
  • Page 162: User Authentication

    1. In Session timeout, enter the number of minutes that defines how long a user stays logged in to the session before it ends. 2. Click Apply.
  • Page 163: Disabling The Hotspot

    3. Select Disabled. 4. Click Apply. On the Active Devices page (available from the Home and Logs & Monitoring tabs), you can revoke Hotspot access for connected users.
  • Page 164: Configuring MAC Filtering

    4. Select Disable MAC filtering. To enable, clear this option. 5. Click Apply. Note - MAC filtering is not supported on external, DMZ, and port bonding interfaces.
  • Page 165: 802.1X Authentication Protocol

    3. For Assigned to: select the LAN ID. 4. In the Advanced tab, select Activate 802.1x authentication. 5. Enter a time for Re-authentication frequency (in seconds). 6. Click Apply.
  • Page 166 To reduce the number of logs, specify the value of the MAC Filtering settings - Log suspension attribute in seconds. To show all logs, set the value to "0". Note - Traffic dropped in the WiFi driver is not logged.
  • Page 167: Configuring The DNS Server

    Note - Syntax guidelines: The domain name must start and end with an alphanumeric character. The domain name can contain periods, hyphens, and alphanumeric characters. 4. Click Apply.
  • Page 168: Configuring The Proxy Server

    Point update and license servers. 1. Select Use a proxy server. 2. Enter a Host name or IP address. 3. Enter a Port. 4. Click Apply.
  • Page 169: Backup, Restore, Upgrade, And Other System Operations

    Note - This does not change the software image. Only the settings are restored to their default values (IP address 192.168.1.1, WebUI address https://192.168.1.1:4434, the username admin and the password admin).
  • Page 170 If the gateway is configured by Cloud Services, automatic firmware upgrades are locked. They can only be set by Cloud Services.
  • Page 171 To restore a backed up configuration: 1. Click Restore. The Restore Settings page appears. 2. Browse to the location of the backed up file. 3. Click Upload File.
  • Page 172: Using The Software Upgrade Wizard

    Follow the instructions in each page of the Software Upgrade Wizard. Click Cancel to quit the wizard. Welcome - Click the Check Point Download Center link to download an upgrade package as directed. If you already downloaded the file, you can skip this step. Upload Software - Click Browse to select the upgrade package file.
  • Page 173: Upgrading

    1. In Device > System Operations > Backup and Restore System Settings, click Settings. The Periodic Backup Settings window opens. 2. Click Enable scheduled backups. 3. Configure the file storage destination:
  • Page 174 Monthly - Select day of month and time of day. Note - If a month does not include the selected day, the backup is executed on the last day of the month. 6. Click Apply.
  • Page 175: Configuring Local And Remote System Administrators

    Authentication of those remotely defined administrators is done by the same RADIUS server. Note - This page is available from the Device and Users & Objects tabs.
  • Page 176: Administrator Roles

    If you continue the login process, the first administrator session ends automatically. The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows. Local Administrators
  • Page 177 To edit the details of locally defined administrators: 1. Select the administrator from the table and click Edit. 2. Make the relevant changes. 3. Click Apply.
  • Page 178: Remote Administrators

    8. Click Next to proceed to the Login page. Remote Administrators Note - In R81.10.10, Two-Factor Authentication is not supported when RADIUS or TACACS is configured for administrator access.
  • Page 179 Networking Admin, Mobile Admin. 7. To define groups, click Use specific RADIUS groups only and enter the RADIUS groups separated by a comma. 8. Click Apply.
  • Page 180: Configuring A RADIUS Server For Non-Local Quantum Spark Appliance Users

    Configuring a Steel-Belted RADIUS server for non-local appliance users 1. Create the dictionary file checkpoint.dct on the RADIUS server, in the default dictionary directory (that contains radius.dct). Add these lines in the checkpoint.dct file:
  • Page 181 = per-port-type help-id = 2000 3. Add this line in the dictiona.dcm file: "@checkpoint.dct" 4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where <role> allowed values are: Administrator Role...
  • Page 182 CheckPoint 2. Add this line in the /etc/freeradius/dictionary file: "$INCLUDE dictionary.checkpoint" 3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where <role> is the name of the administrator role that is defined in the WebUI.
  • Page 183 2. Add this line in the /etc/openradius/dictionaries file immediately after dict.ascend: $include subdicts/dict.checkpoint 3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where <role> is the name of the administrator role that is defined in the WebUI.
  • Page 184 To configure the Expert mode (Bash) as the default shell, run this command (not recommended): "bashUser on". To configure the Gaia Clish as the default shell, run this command (recommended): "bashUser off".
  • Page 185: Configuring Administrator Access

    To allow administrator access from specified IP addresses 1. Select the Specified IP addresses only option. 2. Click New. The IP Address Configuration page appears. 3. Select Type:       |      185 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Centrally Managed Administration Guide...
  • Page 186 5. Enter the IP address or click Get IP from My Computer. 6. Click Save. The IP address is added to the table. 7. Change the WEB Port (HTTPS) and/or SSH port if necessary.       |      186 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Centrally Managed Administration Guide...
  • Page 187: Two-Factor Authentication (2Fa)

    Note - In R81.10.10, Two-Factor Authentication is not supported when RADIUS or TACACS is configured for administrator access. Important - When Two-Factor Authentication is enabled, it is always required for login.       |      187 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Centrally Managed Administration Guide...
  • Page 188 7. In the Authenticator app, add a new account in one of these ways: Scan the QR code you received in the email. Enter the one-time verification code you received in the email.       |      188 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Centrally Managed Administration Guide...
  • Page 189 4. Enter the verification code you received and click Next. 5. If you did not receive a code, click Resend code or Try another way to receive the code by another method.       |      189 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Centrally Managed Administration Guide...
  • Page 190 The new keys are sent to the email address of the selected administrator. Verify that you received the email and set the Authenticator app with the new secret key to allow login via the Authenticator app.       |      190 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Centrally Managed Administration Guide...
  • Page 191: Managing Device Details

    The list of uploaded certificates shows. 2. Select the desired certificate. Note - You cannot select the default VPN certificate. 3. Click Apply 4. Reload the page.       |      191 R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Centrally Managed Administration Guide...
  • Page 192: Managing Date and Time

    1. From the Local Time Zone list, select the correct time zone option. 2. Select the Automatically adjust clock for daylight saving changes checkbox to enable automatic daylight saving changes. 3. Click Apply.
  • Page 193: Configuring DDNS and Access Service

    NAT device or firewall, and cannot be reached directly. In addition, the feature makes it easier to access an appliance with a dynamically assigned IP address.
  • Page 194: Remote Access to the WebUI

    How to access the gateway with the Reach My Device service: When registration is complete, an outgoing tunnel to the Check Point Cloud Service is established with the appliance's IP address. Web Link - Use this URL in a browser to remotely access the appliance.
  • Page 195: Using System Tools

    Click the column names to sort the output. Show Routing Table (available from R81.10.00) - Opens a popup window that shows this information for each route: Source, Destination, Service, Gateway, Metric, Interface, Origin.
  • Page 196 Services Ports. Cloud Services Connectivity Test - Opens a popup window that shows the result of the Cloud Services Connectivity Test (the output of the Gaia Clish command "test cloud-connectivity").
  • Page 197 Opens a popup window, in which you can capture traffic that passes through appliance interfaces. Warning - When you use this tool, the CPU load increases. Schedule a maintenance window.
  • Page 198 Action | Available From | Description
  • Page 199 The appliance captures traffic only on interfaces with a configured IP address. The packet capture stops automatically if the WebUI session ends. Procedure:
  • Page 200 Click Save to download the file. b. Your web browser saves this file (fw_monitor.log) in the default download folder.
  • Page 201 Note - If you entered a "grep" filter, then the saved file contains only the relevant lines you see on the screen. a. Click Save to download the file.
  • Page 202 Action | Available From | Description b. Your web browser saves this file (fw_ctl_zdebug_drop.log) in the default download folder.
  • Page 203 Site to Site VPN connection to / from this appliance. 6. Click the Stop Debugging button. 7. Click Download File to download the archive with the required log files.
  • Page 204 Opens a popup window that shows the result of the DNS lookup for the specified IP address / hostname (the output of the Gaia Clish command "nslookup").
  • Page 205: Advanced Routing

    (BGP) dynamic routing settings. For WebUI and Gaia Clish configuration instructions, see the Quantum Spark R81.10.X Dynamic Routing CLI Guide for 1500, 1600, 1800, 1900, 2000 Appliances.
  • Page 206: PIM

    Dynamic Routing CLI Guide for 1500, 1600, 1800, 1900, 2000 Appliances. Routing Options: Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.
  • Page 207: Routing Monitor

    For WebUI and Gaia Clish configuration instructions, see the Quantum Spark R81.10.X Dynamic Routing CLI Guide for 1500, 1600, 1800, 1900, 2000 Appliances.
  • Page 208: Configuring the Routing Table

    (usually, to the default route). You cannot edit, delete, enable, or disable routes created by the operating system for directly attached networks or by dynamic routing protocols.
  • Page 209: Routing Table Columns

    Notes: You can configure this parameter only in Gaia Clish. Static routes have a constant rank of 60 (cannot be changed).
  • Page 210: Limitations

    Click the value Any. b. Select Specified IP Address. c. Configure the required IP Address. d. Configure the required Subnet Mask. e. Click OK. 5. In the Source column:
  • Page 211 In the bottom right corner, you can click New > Service, or Service group to create a custom service or a group of services. c. Click OK. 7. In the Next Hop column:
  • Page 212 10. Optional: In the Rank field, enter a value between 1 and 255 to define priority between routes with the same destination but for different routing protocols.
  • Page 213 Off - To disable the route probing (this is the default). On - To enable the route probing. Configure the applicable probing servers. For example: dns.google.com, dns.cloudflare.com, dns.opendns.com
  • Page 214: Adding a Default IPv4 Static Route

    Click Apply. Adding a Default IPv4 Static Route This procedure adds a default static route to send traffic from any source, to any destination, for any protocol.
  • Page 215 5. In the Source column: Leave the default value Any. 6. In the Service column: Leave the default value Any. 7. In the Next Hop column:
  • Page 216 10. Optional: In the Probing method field, select the applicable option: Off - route probing is disabled. On - route probing is enabled. Configure the applicable nexthop servers to probe. For example:
  • Page 217 12. Save the changes: In R81.10.10 and higher versions: Click Save. In R81.10.08 and lower versions: Click Apply.
  • Page 218: Editing an Existing Static Route

    2. In the Advanced Routing section, click the Routing Table page. 3. In the routing table, click the route. 4. Above the routing table, click Enable or Disable.
  • Page 219: Route Monitoring

    (with the exception of the Default certificate). The new certificate must be configured on the Installed Certificates page first. Installed certificates are used in the Web portal. To export the signing request: Click Export.
  • Page 220 To upload a P12 file: 1. Click Upload P12 Certificate. 2. Browse to the file. 3. Edit the Certificate name if necessary. 4. Enter the certificate password. 5. Click Apply.
  • Page 221: Configuring High Availability

    Configuration Wizard and remove the switch on both appliances. No additional configuration is required on the members. Best Practice - Designate the same LAN port for the Sync interface. The default Sync interface is LAN2/SYNC.
  • Page 222 Bond ports on the appliances and the corresponding ports on a switch between the appliances. Note - A cluster in a Bridge Active/Standby mode is supported.
  • Page 223: Advanced Settings

    1. Above the table with attributes, click Restore Defaults. The Confirm window opens. 2. Click Yes. 3. All appliance attributes are reset to the default settings.
  • Page 224: Clarifications

    Attributes whose name starts with "DSL globals": VDSL2 standard, the VPI, the VCI, and the encapsulation options still appear, even though they are not used to open an Internet connection.
  • Page 225: Managing the Access Policy

    Quantum Spark appliances support Identity Collector as an Identity Source in the versions R81.10.00 and higher. For configuration instructions, see the Identity Awareness Clients Administration Guide.
  • Page 226: Identity Broker

    Management Server that runs R81.10 Jumbo Hotfix Accumulator Take 66 and higher, or R81.20 and higher. For configuration instructions, see the Identity Awareness Administration Guide for your version.
  • Page 227: Managing Users and Objects

    Managing Users and Objects This section describes how to set up and manage users (User Awareness, users, administrators, and authentication servers) and network resources.
  • Page 228: Configuring Local Users and User Groups

    5. To remove a user, click the X next to the user name. 6. Click Apply. The group is added to the table on the page.
  • Page 229 To delete a user or group: 1. Select the user or group from the list. 2. Click Delete. 3. Click OK in the confirmation message. The user or group is deleted.
  • Page 230: Configuring Local and Remote System Administrators

    Authentication of those remotely defined administrators is done by the same RADIUS server. Note - This page is available from the Device and Users & Objects tabs.
  • Page 231: Administrator Roles

    If you continue the login process, the first administrator session ends automatically. The correct Administrator Role must be configured to perform the operations listed below. If not, a Permission Error message shows. Local Administrators
  • Page 232 To edit the details of locally defined administrators: 1. Select the administrator from the table and click Edit. 2. Make the relevant changes. 3. Click Apply.
  • Page 233: Remote Administrators

    8. Click Next to proceed to the Login page. Remote Administrators Note - In R81.10.10, Two-Factor Authentication is not supported when RADIUS or TACACS is configured for administrator access.
  • Page 234 Networking Admin, Mobile Admin. 7. To define groups, click Use specific RADIUS groups only and enter the RADIUS groups separated by a comma. 8. Click Apply.
  • Page 235: Configuring a RADIUS Server for Non-Local Quantum Spark Appliance Users

    Configuring a Steel-Belted RADIUS server for non-local appliance users 1. Create the dictionary file checkpoint.dct on the RADIUS server, in the default dictionary directory (that contains radius.dct). Add these lines in the checkpoint.dct file:
  • Page 236 = per-port-type help-id = 2000 3. Add this line in the dictiona.dcm file: "@checkpoint.dct" 4. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where <role> allowed values are: Administrator Role...
  • Page 237 CheckPoint 2. Add this line in the /etc/freeradius/dictionary file "$INCLUDE dictionary.checkpoint" 3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where <role> is the name of the administrator role that is defined in the WebUI.
  • Page 238 2. Add this line in the /etc/openradius/dictionaries file immediately after dict.ascend: $include subdicts/dict.checkpoint 3. Add this Check Point Vendor-Specific Attribute to users in your RADIUS server user configuration file: CP-Gaia-User-Role = <role> Where <role> is the name of the administrator role that is defined in the WebUI.
  • Page 239 To configure the Expert mode (Bash) as the default shell, run this command (not recommended): bashUser on To configure the Gaia Clish as the default shell, run this command (recommended): bashUser off
  • Page 240: Managing Authentication Servers

    In the R81.10.X releases, this feature is available starting from the R81.10.05 version. The VPN view > Remote Access section > Authentication Servers page does not show the section TACACS+ Servers.
  • Page 241: RADIUS Server

    1. Click the Users & Objects view > Users Management section > Authentication Servers page. 2. Click the IP address link of the RADIUS server you want to edit. 3. Make the necessary changes. 4. Click Apply.
  • Page 242 Enter the applicable RADIUS groups. 5. Click Apply. 6. Configure the remote access permissions for RADIUS users in the VPN view > Remote Access section > Remote Access Users page.
  • Page 243: TACACS+ Server

    1. Click the Users & Objects view > Users Management section > Authentication Servers page. 2. Next to the TACACS+ server you want to delete, click the Remove link.
  • Page 244 4. Select one of these: Use roles defined on TACACS+ server; Use default role for TACACS+ users (in the Default Administrators Role, select the applicable role). 5. Click Apply.
  • Page 245: Managing Applications & URLs

    URLs. What is a category? Each URL is inspected by the Check Point Cloud using URL Filtering and can be matched to one or more built-in categories (for example, phishing sites, high bandwidth, gambling, or shopping).
  • Page 246 7. Click the Additional Categories tab to select more categories if necessary. 8. Click Apply. You can use the application in a rule.
  • Page 247 4. If necessary, click New to add a custom application or URL to the list. For information on creating a custom application, see above. 5. Click Apply. You can use the custom application group in a rule.
  • Page 248: Managing System Services

    Disable inspection for this service - Select this checkbox to disable deep inspection of traffic matching this service. This option is only available for built-in services. 3. Click Apply.
  • Page 249 1. In the Type to filter box, enter the service name or part of it. 2. As you enter text, the list is filtered and shows matching results.
  • Page 250: Managing Service Groups

    1. Select the group from the list. Note that you can only delete a user defined service group. 2. Click Delete. 3. Click Yes in the confirmation message.
  • Page 251 1. In the Type to filter box, enter the service group name or part of it. 2. As you enter text, the list is filtered and shows matching results.
  • Page 252: Managing Network Objects

    Domain Name - Represents a Domain. Device - Represents a device. Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version.
  • Page 253 Exclude from DHCP service - The internal DHCP service does not distribute the configured IP range to anyone. 6. Click Apply. Note - Wildcard network objects that represent a series of non-sequential IP addresses are supported.
  • Page 254 4. Click OK. To edit a network object: 1. Select a network object from the list. 2. Click Edit. 3. Make the necessary changes. 4. Click Apply.
  • Page 255 5. In Object name, enter the applicable text. 6. Click Apply. Note - You can also do this on the Home > Active Devices page. Click Save as and select Device type Network Object.
  • Page 256: Managing Network Object Groups

    The network object group is added to the list of groups. To edit a network object group: 1. Select a group from the list. 2. Click Edit. 3. Make the necessary changes. 4. Click Apply.
  • Page 257 1. In the Type to filter box, enter the network object group name or part of it. 2. As you enter text, the list is filtered and shows matching results.
  • Page 258: Logs and Monitoring

    The Logs & Monitoring > Logs > Security Logs page shows the last 100 log records. To load more records, continue scrolling down the page. The log table is automatically refreshed.
  • Page 259 2. In the Security Logs Settings window, select the checkbox Limit the number of logs to search. 3. In the Maximum number of logs to search field, use the arrows to select the desired number. 4. Click Save.
  • Page 260 1. Select Actions > Stop local logging. 2. To resume, select Actions > Resume local logging. Note - In version R81.10.08 and lower, select Options instead of Actions.
  • Page 261 Note - Logs are deleted from the external SD card (if inserted) or from the local logs storage. Logs are not deleted from the remote logs server. The logs are deleted, and the logs grid reloads automatically.
  • Page 262: Viewing System Logs

    1. Click Clear Logs. 2. Click OK in the confirmation message. To search the system logs table: Enter a keyword for the log in the text search field.
  • Page 263: Managing Active Devices

    Interface - Name of the appliance interface, to which the device is connected. Blocking a Device Manually Click the device to select it and click Block.
  • Page 264: Toolbar Buttons

    Start/Stop Traffic Monitor - Gather upload and download packet rates for active devices. This operation may affect performance. To stop, click Stop Traffic Monitoring. Revoke Certificate - Revokes the certificate assigned to the device.
  • Page 265: Revoking the Hotspot Access

    This page is available from the Home and Logs & Monitoring tabs. If there is no IPv6 activity in a dual stack host, the Active devices do not show the IPv6 address.
  • Page 266: Wireless Active Devices

    Note - In the R81.10.X releases, this feature is available starting from the R81.10.05 version. Columns: Channel, Frequency, Signal Strength, RSSI (Received Signal Strength), Bandwidth, IP Address, MAC address.
  • Page 267: Viewing VPN Tunnels

    (Per Instance) The number of connections associated with the tunnel per instance. This lets you know if a tunnel is over-utilized. To filter the list: In the Type to filter box, enter the filter criteria.
  • Page 268 To delete all Security associations for a selected peer: Click Delete all SAs for the selected peer. Note - This page is available from the Logs & Monitoring tab.
  • Page 269: Viewing Active Connections

    To filter the list: In the Type to filter box, enter the filter criteria. The list is filtered. To refresh the list: Click the Refresh link.
  • Page 270: Access Points

    Use this information to decide which network to connect to, and change based on your needs. In addition, this page displays the current wireless radio frequency and channel in use and the wireless networks configured.
  • Page 271: Viewing Reports

    - The appliance passed this test. - The appliance failed this test. - General information for the administrator. - This test was not applicable to this appliance.
  • Page 272 Viewing Reports: Action | Description. Download Last Report - Prints the last report generated. Note - In the R81.10.X releases, this feature is available starting from the R81.10.08 version.
  • Page 273 VPN-S2S is enabled but no tunnels are up NGTP is active ----CPU and Memory---- Available CPU: 99.61% Available memory on the Gateway: 3943320 KB Fw1 memory consumption: 11% SFWD memory consumption: 181648 KB
  • Page 274: Offline Installation Procedure

    <option> For the syntax, refer to Quantum Spark R81.10.X CLI Reference Guide for 1500, 1600, 1800, 1900, 2000 Appliances > chapter "Working with Dr. Spark."
  • Page 275: Using System Tools

    Click the column names to sort the output. Show Routing Table (available from R81.10.00) - Opens a popup window that shows this information for each route: Source, Destination, Service, Gateway, Metric, Interface, Origin.
  • Page 276 Services Ports. Cloud Services Connectivity Test - Opens a popup window that shows the result of the Cloud Services Connectivity Test (the output of the Gaia Clish command "test cloud-connectivity").
  • Page 277 Opens a popup window, in which you can capture traffic that passes through appliance interfaces. Warning - When you use this tool, the CPU load increases. Schedule a maintenance window.
  • Page 278 Action | Available From | Description
  • Page 279 The appliance captures traffic only on interfaces with a configured IP address. The packet capture stops automatically if the WebUI session ends. Procedure:
  • Page 280 Click Save to download the file. b. Your web browser saves this file (fw_monitor.log) in the default download folder.
  • Page 281 Note - If you entered a "grep" filter, then the saved file contains only the relevant lines you see on the screen. a. Click Save to download the file.
  • Page 282 Action | Available From | Description b. Your web browser saves this file (fw_ctl_zdebug_drop.log) in the default download folder.
  • Page 283 Site to Site VPN connection to / from this appliance. 6. Click the Stop Debugging button. 7. Click Download File to download the archive with the required log files.
  • Page 284 Opens a popup window that shows the result of the DNS lookup for the specified IP address / hostname (the output of the Gaia Clish command "nslookup").
  • Page 285 When the mini-USB is used as a console connector, Windows OS does not automatically detect and download the driver needed for serial communication. You must manually install the driver. For more information, see sk182035.
  • Page 286: SNMP

    To edit an existing SNMP v3 user, select the user from the list and click Edit. To delete an SNMP v3 user, select the user from the list and click Delete.
  • Page 287: SNMP Traps Receivers

    Indicators are success or failure. These traps are on by default when SNMP traps are enabled and cannot be individually turned off or configured by the user.
  • Page 288 2. Select the Enable trap option to enable the trap or clear it to disable the trap. 3. If the trap contains a value, you can edit the threshold value when necessary. 4. Click Apply.
  • Page 289: Managing Threat Prevention

    Managing Threat Prevention This chapter discusses configuring Threat Prevention through SmartConsole. SSH Authentication Starting from R81.10.00, you can use RSA key-based authentication instead of password-based authentication when you log in with SSH. Warning - This configuration does not survive a firmware upgrade.
  • Page 290 On a Linux OS, you can use openssl or any other tool.
  • Page 291 On Check Point Gaia OS (not Gaia Embedded) use this command: ssh-keygen -t rsa -b 4096 Example from a Gaia OS server: Note - In this example, the /home/admin/MyKey file is the RSA Private Key, and the /home/admin/MyKey.pub file is the RSA Public Key.
  • Page 292 XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX :XX:XX admin@HostName [Expert@HostName:0]# Notes: https://linux.die.net/man/1/ssh-keygen https://www.ssh.com/academy/ssh/keygen When prompted, enter a path and a file name, in which to save the RSA private key When prompted, enter a passphrase - this becomes the user's password You can append several keys in this file. These keys are valid for all administrators configured on the appliance.
  • Page 293 7. Move the file with the public key to the new directory and change the file's name to " authorized_keys ": mv /storage/MyKey.pub /storage/.ssh/authorized_keys 8. Configure the required permissions on the file with the public key: chmod 600 /storage/.ssh/authorized_keys 9. Edit file /pfrm2.0/etc/sshd_config : a.
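Because the authorized_keys file created in steps 7 and 8 is shared by every administrator on the appliance, knowing exactly which keys it holds matters more than in a per-user setup. The following Python script is an added example, not code from the Check Point guide: it parses an authorized_keys file, rejects malformed entries, reports each key's type, size and SHA256 fingerprint (the same value ssh-keygen -l prints), warns about RSA keys below a chosen size, and flags a file mode looser than the 0600 that step 8 sets. The sample file, the host names in the comments and the RSA components it contains are constructed placeholders, not real keys; the script can be pointed at the appliance's /storage/.ssh/authorized_keys after copying it off the box.

```python
import base64
import hashlib
import os
import stat
import struct
import tempfile

KNOWN_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (extra zero byte if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed string at offset; return (value, next_offset) or raise ValueError."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated string")
    return blob[offset:offset + length], offset + length


def parse_public_key(line: str) -> dict:
    """Parse one authorized_keys line: '[options] <type> <base64 blob> [comment]'."""
    parts = line.split()
    idx = next((i for i, p in enumerate(parts) if p in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(parts):
        raise ValueError("no recognised key type followed by a key blob")
    key_type = parts[idx]
    try:
        blob = base64.b64decode(parts[idx + 1], validate=True)
    except Exception as exc:  # binascii.Error for bad base64
        raise ValueError(f"bad base64: {exc}")
    embedded_type, off = _read_string(blob, 0)
    if embedded_type.decode("ascii", "replace") != key_type:
        raise ValueError("declared key type does not match the type inside the blob")
    bits = None
    if key_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type == "ssh-ed25519":
        point, off = _read_string(blob, off)
        bits = len(point) * 8
    # OpenSSH fingerprint: base64 of SHA-256 over the raw blob, padding stripped.
    fingerprint = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": "SHA256:" + fingerprint,
            "comment": " ".join(parts[idx + 2:]), "options": " ".join(parts[:idx])}


def audit_authorized_keys(path: str, min_rsa_bits: int = 2048) -> dict:
    """Return {'keys': [...], 'errors': [...], 'warnings': [...]} for one authorized_keys file."""
    result = {"keys": [], "errors": [], "warnings": []}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        result["warnings"].append(f"file mode {oct(mode)} is group/world accessible; expected 0600")
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            try:
                key = parse_public_key(line)
            except ValueError as exc:
                result["errors"].append(f"line {lineno}: {exc}")
                continue
            if key["type"] == "ssh-rsa" and key["bits"] < min_rsa_bits:
                result["warnings"].append(f"line {lineno}: RSA key is only {key['bits']} bits")
            result["keys"].append(key)
    return result


def make_rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Build a syntactically valid ssh-rsa line from given components (constructed test data only)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def demo() -> dict:
    """Write a constructed authorized_keys with a good, a weak and a corrupt entry, then audit it."""
    good = make_rsa_public_key_line(65537, (1 << 4095) | 1, "admin@example")    # constructed 4096-bit modulus
    weak = make_rsa_public_key_line(65537, (1 << 1023) | 1, "legacy@example")   # constructed 1024-bit modulus
    corrupt = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB cut-off-blob"                  # type and exponent only
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "authorized_keys")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("# shared by all appliance administrators\n")
            fh.write(good + "\n" + weak + "\n" + corrupt + "\n")
        os.chmod(path, 0o644)  # deliberately looser than step 8's chmod 600, so the audit flags it
        return audit_authorized_keys(path)


if __name__ == "__main__":
    report = demo()
    for k in report["keys"]:
        print(k["type"], k["bits"], k["fingerprint"], k["comment"])
    for w in report["warnings"]:
        print("WARNING:", w)
    for e in report["errors"]:
        print("ERROR:", e)
```

The fingerprints it prints can be compared with the output of ssh-keygen -l -f on the administrators' own public keys, which is the quickest way to map each entry in the shared file back to a person.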
  • Page 294: Ssh Dpi

SSH DPI. You can use the SSH Deep Packet Inspection ("SSH DPI") feature to decrypt SSH traffic, inspect it, and re-encrypt it, so that the Threat Prevention solution can protect against advanced threats, bots, and other malware inside SSH sessions. SSH DPI was added to Quantum Spark as part of the alignment to R81.10, starting with R81.10.05.
  • Page 295 To see the current SSH DPI status: 1. Connect to the command line on the Security Gateway. 2. Log in to the Expert mode: expert 3. Examine the current SSH DPI status: cpssh_config istatus To enable SSH DPI: Note - The SSH DPI is disabled by default. 1.
  • Page 296 cpssh_config -s -g <IP_Address_or_FQDN_of_SSH_Server> -e </Path/To/Public_Key_File_of_SSH_Server> Where: <IP_Address_or_FQDN_of_SSH_Server> is the IP address or the FQDN (for example: my_ssh_server.com) of the SSH server. </Path/To/Public_Key_File_of_SSH_Server> is the path on the Security Gateway to the public key file from the SSH server (for example: /home/admin/ssh_host_rsa_key.pub). 6.
  • Page 297 To disable SSH DPI: 1. Connect to the command line on the Security Gateway. 2. Log in to the Expert mode: expert 3. Disable SSH DPI: cpssh_config ioff To show the SSH public keys: 1. Connect to the command line on the Security Gateway. 2.
  • Page 298 a. fw ctl debug 0 b. fw ctl debug -buf 8200 c. fw ctl debug -m fw + cpsshi d. fw ctl debug -m CPSSH all 4. Examine the kernel debug options: a. fw ctl debug -m fw b. fw ctl debug -m CPSSH 5.
  • Page 299: Advanced Configuration

7. In the Hotfix/Jumbo section, select Install a Specific Hotfix/Jumbo. 8. In the Gateways section, you see the targets for the selected package. 9. In the Advanced section, select Automatic.
  • Page 300: Upgrading In Smartupdate

Appliance > click Distribute Package > select the applicable firmware package. In the Package Repository window, right-click the firmware package > click Distribute > select the applicable Quantum Spark Appliances. 9. Close the SmartUpdate GUI client.
  • Page 301: Accessing Smartupdate

Note - A USB storage device used for clean installation of a new image on the 1500 series must be formatted with the FAT32 file-system.
  • Page 302 Installing a new firmware image from a USB drive Check Point releases new firmware images every so often. You can install the new default image on the appliance using the image file and a USB drive. Note that you can also upgrade through the WebUI.
  • Page 303: Upgrade Using An Sd Card

When the installation is complete, the Power LED is solid blue. The appliance is ready for your input. Restore your settings. For more information, see "Backup, Restore, Upgrade, and Other System Operations" on page 169.
  • Page 304 If there is a configuration file with the same MAC address as the gateway, that file is loaded second. Use the # symbol to add comments to the configuration file.
  • Page 305: Boot Loader

4. Restore to Factory Defaults (local): see "Restoring Factory Defaults" on page 308.
    5. Install/Update Image/Boot-Loader from Network: see "Upgrade Using Boot Loader" on page 307.
  • Page 306 6. Restart Boot-Loader.
    7. Run Hardware diagnostics: runs the hardware diagnostics on the appliance.
    8. Install DSL Firmware/Upload preset configuration file: uploads a preset configuration file.
  • Page 307: Upgrade Using Boot Loader

When the upgrade is successfully completed, the Power LED is solid blue and the appliance waits for you to press a key. A red Power LED indicates an error in the upgrade process.
  • Page 308: Restoring Factory Defaults

3. While factory defaults are restored, the Power LED blinks blue to show progress. This takes a few minutes. When this completes, the appliance reboots automatically.
  • Page 309 To disable the reset to default: Use this Gaia Clish command: set additional-hw-settings reset-timeout 0 To enable the reset to default: Use this Gaia Clish command: set additional-hw-settings reset-timeout 12 Disabling the reset means the configuration cannot be wiped by someone with physical access to the appliance, but it also removes that recovery path; decide based on where the appliance is installed.
  • Page 310: Custom Default Image

LAN4 port connection, and traffic bypasses the appliance. Force-bypass ("Bypass"): the connection between the DMZ and LAN4 ports is forcibly bypassed and traffic passes between them regardless of the software status. Bypassed traffic is not inspected by any security blade.
  • Page 311: Configuring Bypass Mode In The Webui

Configuring Bypass mode in Gaia Clish: To display the current (Fonic) Bypass configured mode: show fonic-settings advanced-settings To switch between Active and Bypass mode: set fonic-settings advanced-settings mode