
9 December 2015

Check Point Software Technologies LTD.
R77.30 Installation Guide
Version1.0
Classification: [Restricted]
© 2015 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part of
this product or related documentation may be reproduced in any form or by any means without prior
written authorization of Check Point. While every precaution has been taken in the preparation of
this book, Check Point assumes no responsibility for errors or omissions. This publication and
features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html for a
list of relevant copyrights and third-party licenses.
Contents
Installing the Gaia Operating System ... 4
Console Login ... 8
Installing the Stand-alone Security Management Server ... 8
Installing HFAs ... 14
Installation Settings ... 15
Installing the Security Gateway ... 15
Installing HFAs ... 21
Installation Settings ... 22
Evaluation Configuration ... 22
CSfC Evaluation Configurations (enables IPSec protections for inter TOE communication) ... 26
General Guidance ... 28
Installing the Gaia Operating System


1. Insert the Software Blades R77.30 CD into the CD drive and reboot. After rebooting, on an Open
Server the Welcome to Check Point screen appears:

On a Check Point Appliance the following message appears:

On a Check Point Appliance this step takes several minutes, at the end of which a reboot is
required (reboot it by holding Ctrl+C):

After the reboot, skip to step 13 (Console Login).


2. Press Enter to confirm the installation. If you do not press Enter within a pre-designated interval,
the computer will reboot from the hard disk. Wait while the installation program is loaded. The
installation program checks the hardware platform to verify that it is compatible with the Gaia
hardware requirements. If the hardware is suitable, the Welcome menu is displayed:

WARNING - Do not continue with the installation if the hardware is found to be unsuitable.

Check Point Software Technologies LTD. R77.30 Installation Guide Version1.0 | 4

3. The Welcome menu allows the administrator to request additional information on identified
hardware devices (Device List), to install additional hardware drivers from a diskette (Add
Driver), to abort installation (Cancel) or to proceed with normal installation (OK).
Driver installation may be required for some hardware platforms, as indicated in the hardware
configuration guidance. Only install drivers whose origin and integrity can be verified. This can
be determined where the drivers are received directly from the hardware vendor using verifiable
delivery procedures, or by calculating the driver MD5 or SHA-1 hash and verifying it against valid
hashes provided by Check Point or by the hardware vendor.
Note - In any case, do not install network interface card (NIC) drivers. NIC drivers
are critical to the correct operation of the evaluated security functionality;
installing unevaluated NIC driver code will take the product outside of its
evaluated configuration.
4. If the installation is performed using a directly-connected keyboard (instead of a terminal
connected to a console port), the Keyboard Selection menu is displayed:

Select keyboard type by using the up and down arrow keys, then use tab to navigate to the OK
button and press Enter.


5. The Partitions Configuration menu allows you to change the default partitioning on the machine.

6. The Account Configuration menu allows you to set your password.

7. The Networking Device menu is displayed if more than one network device is connected.
Select the network interface (link) by using the up and down arrow keys, then use tab to
navigate to the OK button and press Enter. Select the interface through which you will connect for
later management and configuration of your machine. At this step you must be familiar with your
network configuration so that you configure the correct network device as your management
interface.

8. Once the correct link has been selected, you will be prompted to enter additional data for the
network interface configuration. In the Network Interface Configuration menu, specify the
Management Interface IP address, netmask and default gateway of the network interface, and select OK.
• IP address - The IP address assigned to the network interface.
• Netmask - The network mask for the IP address.
• Default gateway IP - The IP address of the default gateway for your machine's IP address.

9. The Confirmation screen is displayed. Select OK to proceed:

10. The following installation operations are performed:


• Hard drive formatting
• Software package installation
• File copying procedure

This step can take several minutes, after which the Installation Complete screen is displayed.
Select OK to complete the installation:

11. The system will now reboot. Make sure to remove the CD, or diskette that you used during the
installation process. On most systems the CD will be ejected automatically after selecting OK in
the Installation Complete menu.
12. During the boot process, an option is presented to display a boot menu. There is no need to
select this option. If the boot menu is displayed, select the Start in normal mode option.


Console Login
1. Login to the Gaia console interface:
• First Time Login - If you are logging on for the first time, use admin and your chosen
password, or admin as both username and password in the case of a Check Point Appliance.

Note - The password for the admin account is only used for the installation
process. Do not perform a console login once the evaluated configuration is
operational.

The password must conform to the following operating system-enforced complexity
requirements:
• At least 6 characters in length
• A mixture of alphabetic and numeric characters
• At least four different characters
• Does not use simple dictionary words, or common strings such as "qwerty"
2. On Check Point Appliances, set the IPv4 address:
• Type "set interface <interface> ipv4-address <ip4_address> subnet-mask <netmask>"

3. To continue the installation process, define the port on which the Gaia Portal listens:
• Type "set web ssl-port <port_number>"
• Type "y" and press "enter" to confirm.

4. Run "save config" and reboot the system.
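As an added illustration (not part of the Check Point guide), the POSIX shell function below checks a candidate password against the four operating-system-enforced rules listed in step 1. The optional second argument models a raised minimum such as the PASSWORD_MIN_LENGTH=15 value set later in the Evaluation Configuration; the common-string list is a constructed sample, not Gaia's own dictionary.

```shell
#!/bin/sh
# Added example: check a password against the Gaia console complexity rules quoted above.
# The banned-string list is a small constructed sample, not the real OS dictionary.
COMMON_STRINGS="qwerty password admin 123456 letmein checkpoint"

# Count the distinct characters in $1 (one character per line, unique, counted).
count_distinct_chars() {
    printf '%s' "$1" | fold -w1 | sort -u | wc -l | tr -d ' '
}

# check_gaia_password <password> [min_length]
# Prints "OK" and returns 0 when every rule passes; otherwise prints the first
# failed rule and returns 1. min_length defaults to the guide's 6 characters.
check_gaia_password() {
    pw=$1
    min_len=${2:-6}
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    if [ "$len" -lt "$min_len" ]; then
        echo "FAIL: shorter than $min_len characters"; return 1
    fi
    case $pw in
        *[[:alpha:]]*) ;;
        *) echo "FAIL: no alphabetic character"; return 1 ;;
    esac
    case $pw in
        *[[:digit:]]*) ;;
        *) echo "FAIL: no numeric character"; return 1 ;;
    esac
    if [ "$(count_distinct_chars "$pw")" -lt 4 ]; then
        echo "FAIL: fewer than four different characters"; return 1
    fi
    # Case-insensitive substring match against the constructed common-string list.
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for word in $COMMON_STRINGS; do
        case $lower in
            *"$word"*) echo "FAIL: contains common string '$word'"; return 1 ;;
        esac
    done
    echo "OK"
    return 0
}

# Usage: sh check_pw.sh <password> [min_length]
if [ "$#" -gt 0 ]; then
    check_gaia_password "$@"
fi
```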

Installing the Stand-alone Security Management Server
The Security Management Server and Security Gateway are installed on the same server in this
stand-alone deployment.
The Gaia Portal is a Check Point utility used to configure the Gaia operating system. After
installation, the first time wizard runs when you connect to the Gaia Portal and guides the
administrator through the various menus.


1. Connect to the Gaia Portal using HTTPS on the defined port (disregard the security certificate
warning if displayed):

The following screen is displayed:

2. Type the user name and password. Click Log In.


Note - The Check Point Appliance default admin password is admin.


3. The Welcome window is displayed, showing the platform. Click Next.

4. The Deployment window is displayed:

Click Next.
5. The Management Connection window is displayed:

Click Next.


6. The Connection to UserCenter window is displayed:

Click Next.
7. The Device Name window is displayed:

Type the desired host name, domain name, and DNS servers. Click Next to continue.
8. The Date and Time Settings window is displayed:

Set the current Date, Time and Time Zone. Click Next.


9. The Installation Type window is displayed:

Click Next.
10. The Products window is displayed:

Select both the Security Gateway and Security Management product. Click Next.
11. The Alert window is displayed:

Click Yes.


12. For the Primary Management server, the Security Management Administrator window is
displayed:

Type the Administrator Name and its password. Click Next.


13. The Security Management GUI Clients window is displayed:

Set the desired GUI clients. Click Next.


14. A Summary window is displayed:

Check that the Summary is OK. Click Finish and approve it by clicking Yes.
15. Run: "fw unloadlocal"

Installing HFAs
1. Install the required addon/HF:
a) Copy the Check_Point_R77_30_T204_Add-on_Gaia.tgz to the machine.
b) Run: "tar xvfz Check_Point_R77_30_Add-on_linux.tgz"
c) Run: "./UnixInstallScript"
d) Reboot
2. Install the required HF:
a) Copy the fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz to the machine.
b) Run: "tar xvfz fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz"
c) Run: "./fw1_wrapper_HOTFIX_R77_30_CERT_HF_990050004_1"
d) Reboot
3. Install the required HF:
a) Copy the sim_HOTFIX_R77_30_CERT_HF.tgz to the machine.
b) Run: "tar xvfz sim_HOTFIX_R77_30_CERT_HF.tgz"
c) Run: "./sim_HOTFIX_R77_30_CERT_HF_990050002_1"
d) Reboot
4. Install the required HF:
a) Copy the SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz to the machine.
b) Run: "tar xvfz SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz"
c) Run: "./SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz"
d) Reboot


Installation Settings
1. Enter the following commands from the console in expert mode to disable functionality that is not
available in the evaluated configuration (optional):
cpd_config -d avsu
cpd_config -d RemoteLic
cpd_config -d SicUpgrade
cpd_config -d RoamingAdmin
cpd_config -d dlpSync
cpd_config -d PAServerAddon
cpd_config -d PAHBServerAddon
cpd_config -d LSMServerAddon
2. You may now perform any or all of the configuration steps described in the Installation Settings
that require Security Management Server console access before you move on to the next step.
These steps describe installation settings that have been documented and evaluated as being
compatible with the evaluated security policy.

Installing the Security Gateway


The Gaia Portal is a Check Point utility used to configure the Gaia operating system. After
installation, the first time wizard runs when you connect to the Gaia Portal and guides the
administrator through the various menus.
1. Connect to the Gaia Portal using HTTPS on the defined port (disregard the security certificate
warning if displayed):


The following screen is displayed:

2. Type the user name and password. Click Log In.


Note - The Check Point Appliance default admin password is admin.

3. The Welcome window is displayed, showing the platform. Click Next.


4. The Deployment window is displayed:

Click Next.
5. If the Security Gateway is a Check Point Power Appliance, the Authentication Details window
is displayed:

Enter your desired password in the fields. Click Next.


6. If the Security Gateway is on an Open Server, the Network Connection window is displayed:


Use the Network Connection menu to configure your management network connection.
Configure its IP address, netmask and default GW. Click Next.
7. If the Security Gateway is on an Open Server, the Date and Time Settings window is displayed:

Set the current Date, Time and Time Zone. Click Next.
8. The Device Name window is displayed:

Type the desired host name, domain name and DNS servers. Click Next to continue.


9. The Products window is displayed:

Select only the Security Gateway product. Click Next.


10. An Alert window is displayed:

Click Yes.
11. The Dynamically Assigned IP window is displayed:

Click Next.


12. The Secure Internal Communication (SIC) window is displayed:

Type the Activation Key and confirm it. Click Next.


13. For Check Point appliances, the License Activation window is displayed:

Choose Activate later. Click Next.


14. The Summary window is displayed:

15. Check that the Summary is OK. Click Finish and approve it by clicking Yes.
16. Run: "fw unloadlocal"


17. A confirmation window is displayed:


For appliances:

For Open Servers:

Press OK for both cases.


18. Run: "fw unloadlocal"

Installing HFAs
1. Install the required HF:
a) Copy the fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz to the machine.
b) Run: "tar xvfz fw1_wrapper_HOTFIX_R77_30_CERT_HF.tgz"
c) Run: "./fw1_wrapper_HOTFIX_R77_30_CERT_HF_990050004_1"
d) Reboot
2. Install the required HF:
a) Copy the sim_HOTFIX_R77_30_CERT_HF.tgz to the machine.
b) Run: "tar xvfz sim_HOTFIX_R77_30_CERT_HF.tgz"
c) Run: "./sim_HOTFIX_R77_30_CERT_HF_990050002_1"
d) Reboot
3. Install the required HF:
a) Copy the SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz to the machine.
b) Run: "tar xvfz SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz"
c) Run: "./SecurePlatform_HOTFIX_GEYSER_HF_BASE_095.tgz"
d) Reboot

Installation Settings
1. Enter the following commands in expert mode to disable functionality that is not available in the
evaluated configuration:
cpd_config -d avsu
cpd_config -d RemoteLic
cpd_config -d SicUpgrade
cpd_config -d dlpSync
cpd_config -d LSMAgentAddon
cpd_config -d simplePA
sed -i -e 's/.*stormd.*//' $FWDIR/conf/fwauthd.conf
sed -i -e 's/.*sdsd.*//' $FWDIR/conf/fwauthd.conf
sed -i -e 's/.*dlp.*//' $FWDIR/conf/fwauthd.conf
2. It is highly recommended (though not required) to set up an NTP client on all Security Gateways
and on the Security Management Server in order to synchronize clocks with an NTP time server:
# ntp <secret> <interval> <server1> [<server2> [<server3>]]
# ntpstart
(Where <secret> is the NTP server MD5 shared secret, <interval> is the polling interval in
seconds, and server1, server2, server3 are IP addresses for NTP servers that are to be polled.)
Note - If you configure NTP, specify a shared secret <secret> to protect NTP
communication. Secrets should be chosen out of a sufficiently large range (at least 16
random octets) in order to provide protection against exhaustive search attacks. It is also
recommended to periodically change shared secrets.

3. Exit expert mode. Execute the following command to disable the WebUI:
set web daemon-enable off
4. You may now also perform any or all of the configuration steps described in Installation Settings
that require Security Gateway console access before you move on to the next step. These steps
describe additional installation settings that have been documented and evaluated as being
compatible with the evaluated security policy.
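The three sed edits in step 1 blank every fwauthd.conf line that mentions stormd, sdsd or dlp. The added example below (not Check Point's code) applies the same edits to a file while keeping a backup and then lists the daemons still in force, using a constructed sample in the "<port> fwssd <daemon> wait <timeout>" shape shown in the Evaluation Configuration. The guide's dlp expression is written as '.*dlp*.*', which also matches any line containing just "dl", so the example uses '.*dlp.*' and shows the difference on a constructed "in.dlsample" entry.

```shell
#!/bin/sh
# Added example: apply the Installation Settings fwauthd.conf edits to a file and
# report what is still enabled. Not Check Point code; sample entries are constructed.

# Blank every line of $1 that mentions stormd, sdsd or dlp, keeping a .bak copy.
# Writes through a temp file instead of sed -i so it also runs on non-GNU sed.
disable_fwauthd_services() {
    conf=$1
    cp "$conf" "$conf.bak"
    sed -e 's/.*stormd.*//' -e 's/.*sdsd.*//' -e 's/.*dlp.*//' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Print the daemon name (third field) of every line that is still in force;
# the blanked lines have no fields and are skipped.
fwauthd_active_daemons() {
    awk 'NF >= 3 { print $3 }' "$1"
}

# Write a constructed sample file in the '<port> fwssd <daemon> wait <timeout>'
# shape the guide shows. in.aftpd and in.atelnetd are taken from the guide; the
# stormd, sdsd, dlpd and dlsample entries are placeholders, not real fwauthd.conf lines.
make_sample_fwauthd() {
    cat > "$1" <<'EOF'
21 fwssd in.aftpd wait -1
0 fwssd in.stormd wait 0
0 fwssd in.sdsd wait 0
0 fwssd in.dlpd wait 0
23 fwssd in.atelnetd wait -1
0 fwssd in.dlsample wait 0
EOF
}

# Usage: sh fwauthd_edit.sh /path/to/fwauthd.conf
if [ "$#" -gt 0 ]; then
    disable_fwauthd_services "$1" && fwauthd_active_daemons "$1"
fi
```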
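The note in step 2 asks for an NTP shared secret drawn from at least 16 random octets. The added example below (not a Check Point tool) generates such a secret from /dev/urandom and validates a candidate against that length rule; that the Gaia ntp command accepts the secret in hex form is an assumption the guide does not confirm, and the check rejects the plain word "hello" used as the automation test key in the Evaluation Configuration.

```shell
#!/bin/sh
# Added example: generate and validate an NTP shared secret per the guide's
# "at least 16 random octets" recommendation. Not Check Point tooling.

# 16 random octets from the kernel RNG, printed as 32 lowercase hex characters.
gen_ntp_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# check_ntp_secret <secret>
# Returns 0 when the secret is hex-encoded and holds at least 16 octets;
# otherwise prints the reason and returns 1. Hex encoding is assumed here as the
# transport form; a plain word such as "hello" fails the hex test.
check_ntp_secret() {
    s=$1
    case $s in
        '') echo "FAIL: empty secret"; return 1 ;;
        *[!0-9a-fA-F]*) echo "FAIL: not a hex-encoded secret"; return 1 ;;
    esac
    len=$(printf '%s' "$s" | wc -c | tr -d ' ')
    if [ "$len" -lt 32 ]; then
        echo "FAIL: only $((len / 2)) octets, at least 16 required"
        return 1
    fi
    echo "OK: $((len / 2)) octets"
    return 0
}

# Usage: sh ntp_secret.sh            -> prints a fresh secret
#        sh ntp_secret.sh <secret>   -> validates the given secret
if [ "$#" -gt 0 ]; then
    check_ntp_secret "$1"
fi
```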

Evaluation Configuration
1. Set routes on the GW, SA and Windows machines.
2. Run: "set web daemon-enable off".
3. For automation:
Install the Automation Agent:
a) In /var: tar -zxf SPLAT_AIG_PACKAGE_516.tgz
b) chsh -s /bin/tcsh root
c) export LC_ALL=C
d) ./install_splat.csh
e) Edit the $FWDIR/conf/defaultfilter.pf file and add the entry below:
all@all
accept (tcp, inbound, (dport = 12321 or sport = 12321) , DEFAULT_RECORD());
f) Run $FWDIR/bin/comp_init_policy to recompile the new initial policy
g) Change /etc/init.d/aigagent
h) chmod 777 /etc/init.d/aigagent
i) /etc/init.d/aigagent stop; /etc/init.d/aigagent start
j) In /tmp: tar -xvzf FireBall-Agent-0.37.tar.tar
k) perl install_AIG.pl
l) reboot
m) fw ver -f check
n) cat check
o) mkdir $FWDIR/conf_<build number>
p) chmod 777 $FWDIR/conf_<build number>
q) cp -rf $FWDIR/conf/* $FWDIR/conf_<build number>/
r) touch $FWDIR/conf_<build number>/finishedcopy
4. On the SA run: "fips_mgmt on"
5. For automation: Add to /etc/ntp/keys: 45 M hello
6. For automation: Edit the $FWDIR/conf/fwauthd.conf accordingly:
• 21 fwssd in.aftpd wait -1.
• 23 fwssd in.atelnetd wait -1.
• 25 fwssd in.asmtpd wait -1.
7. Using CLI, execute "expert" and type the administrator password.
8. Run the command "echo export PASSWORD_MIN_LENGTH=15 > /etc/environment".
9. Open GUIDBEdit > set the "enable_internal_user_password_validation" to true, save and exit.
10. Enable GUI timeout on the GUI machine:
a) Run "regedit".
b) HKEY_CURRENT_USER > Software > CheckPoint > Management Clients > 6.4.3 >
R77.30 > Check Point Smart Dashboard > General Settings.
c) Create new DWORD entry, name it ExitOnTimeout, set its value to 1 and exit.
11. Uncomment the line below from the $FWDIR/lib/table.def file on both SA and GW:
allowed_ipv6_extension_headers = { <EXTHDR_ROUTING>, <EXTHDR_HOPOPTS>,
<EXTHDR_DSTOPTS>, <EXTHDR_AH>, <EXTHDR_MOBILE> };
12. Set host names on the GW, SA and windows machines (CA hostname) using the command:
" echo >> /etc/hosts '10.90.49.202 w2k8ca' "
13. Add an environment variable by editing $CPDIR/tmp/.CPprofile.sh and adding the following
line:
"USE_ONLY_GOOD_ENTROPY=1 ; export USE_ONLY_GOOD_ENTROPY"
14. Open Smart Dashboard and edit the SA object (Right Click > Edit), set the IPsec VPN, IPS, and
Monitoring blades.


15. Open the Topology tab > Get > Interface with Topology… > Yes > Accept.

16. Create new Security GW object (Right click on Check Point > Security
Gateway/Management… > Classic Mode), set the IPsec VPN, IPS, and Monitoring blades.
17. Establish SIC.
18. Create a new Security GW object (Right click on Check Point > Security
Gateway/Management… > Classic Mode), set the IPsec VPN, and Monitoring blades.


19. Name it opsec_gw.

20. Establish SIC.


21. Configure and install the (any any any accept log) policy (with access to the CA).
22. Edit the /bin/fips files on SA, GW and opsechost from expert mode > comment the if condition for
management, securexl and rtm.
23. Run "fips on" on both GW and SA.
24. Install the policy on the SA1.


25. Define the CA and retrieve the certificates from it according to the external CA documentation
(disable CRL caching). In Global properties, disable "accept control connections" and "Accept
outgoing packets originating from Gateway".

CSfC Evaluation Configurations (Enables IPSec protections for inter TOE communication)
1. Add a rule to the policy:
• Any CAWin2K8 Any HTTP Accept Log.
• Any Firewalled_gateways Any IKE, IKE_tcp, IKE_NAT_TRAVERSAL, FW1_ica_services,
CPMI, CP_rtm, CPD, CPD_amon, tunnel_test, FW1_topo, FW1_amon, FW1_ela, FW1_lea,
FW1_log, FW1_ica_pull, FW1_ICA_push and https Accept None.
2. Launch Menu > Manage > Network Objects > New > Network:
• Name: Net_10.37.49.x, Network Address: 10.37.49.0, Netmask: 255.255.255.0.
• Name: Net_10.37.89.x, Network Address: 10.37.89.0, Netmask: 255.255.255.0.
3. Create these groups: Launch Menu > Manage > Network Objects > New > Group > Simple
Group:
• Name: encryption_net and add network Net_10.37.49.x.
• Name: excluded_net and add host CAWin2k8.
• Launch Menu > Manage > Network Objects > New > Group > Group with Exclusion: Name:
VPN_Group. In Objects In, select encryption_net. In Except, select excluded_net.
4. Issue external certificates for each of the gateways/clusters/VS (according to the External CA
documentation).
5. Configure VPN topology with a Site to Site star community topology:
a) Gateway A (SA1): center gateway.
b) Gateway B (GW1): remote gateway (Satellite gateway).
Gateway A is the Central Gateway of a simple star community.
Gateway B is a Satellite Gateway member of the same community.
6. Click on Manage > VPN Communities > New > Site To Site > Star. In Name, enter
Star_Community.
7. Behind gateway A is host A (fw_host); behind gateway B is host B (gw1_host). Create a network
object group named Common_Group. Put all gateways and hosts in it.
8. Encryption > select Custom Encryption
The community VPN parameters:
• IKE Properties:
  • Key Exchange Encryption: AES-256.
  • Data Integrity: SHA-256.
• IPSec Properties:
  • IPSec Data Encryption: AES-256.
  • Data Integrity: SHA-256.
9. Change the DH group into group 14.
10. Excluded services tab > add the IKE service to the list.
11. Edit the SA1 object: In Topology, under VPN Domain, select the Manually defined check-box
and select VPN_Group.
12. Install the policy on the remote member.
13. Check on the remote member that the policy was installed using "fw stat".
14. Install the policy on the SA1.
---GW SIC established---
15. Edit the GW properties > "IPSec VPN" > add the RA community > "VPN Clients" > set only the
"Endpoint Security VPN" and pick the relevant certificate > "Office Mode" > check the "Allow
Office Mode to all users" > OK.
16. In Global Properties > Authentication, clear the Authenticate internal users with this suffix only
check-box.
17. Assign the SA to the Remote Access community: in IPSec VPN tab > Communities > Right click
on Remote Access community > Edit > Participating Gateways tab> Add the Stand Alone
Management machine (SA1).
18. Before running the next step (creating the external CA), verify that the signature algorithm of your CA
server is ECDSA SHA256/SHA384.
19. (Optional) Go to your CA machine > open the certificate authority client > right click on your CA >
Properties > General tab > select certificate #0 > View Certificate > Details > make sure the
signature algorithm value is ECDSA SHA256/SHA384.
20. Configure the Stand Alone Management (SA1) to work with the external CA according to the
External CA Guide.
21. On the Stand Alone Management (SA1) properties:
a) VPN Clients > Office Mode > Check the box Allow Office Mode for all users and select the
default pool.
b) (Optional) Add route on SA1: default office mode network -> connecting machine
(192.168.90.202)

22. Enable Visitor Mode on the SA: VPN Clients > Remote Access > Select the Support visitor mode
check-box. In the Machine Interface drop-down list, select All Interfaces. (Optional) Check
Allow Secure Client to route traffic through this gateway.
23. In VPN Clients tab, select both EndPoint Security VPN and SSL Network Extender checkboxes.
24. In Global Properties > Authentication, clear the Authenticate internal users with this suffix only
check-box.
25. Open Launch menu > Manage > Users and Administrators > New > User Group to create a user
group named allow_group > OK
26. Open Launch menu > Manage > Users and Administrators > New > User by Template > Default
> Define the User Name as admin_user > Groups tab > Add it to allow_group > OK > Close.
27. IPSec VPN tab> Communities > Right click on RemoteAccess community > Edit > Participant
User Groups tab > Add > Select the allow_group user group > OK.
28. "Remote Access" > "VPN - Authentication" > "Edit" > "IKE" tab > set the "Use encryption
algorithm" to "AES-128", the "Use Data Integrity" to "SHA256" and the "Diffie-Hellman groups" to
"Group 14 (2048 bit)" > "IPSEC Security Association (Phase 2)" tab > set "Encryption Algorithm"
to "AES-128" and "Data Integrity" to "SHA-256" > OK , OK.
29. Define and install the policy:
• Source= Any, Destination= Any, VPN= Any, Service= IKE, Any Firewalled_gateways Any
IKE, IKE_tcp, IKE_NAT_TRAVERSAL, FW1_ica_services, CPMI, CP_rtm, CPD,
CPD_amon, tunnel_test, FW1_topo, FW1_amon, FW1_ela, FW1_lea, FW1_log,
FW1_ica_pull, FW1_ICA_push and https Accept None.
• Allow_group@any Any RemoteAccess Any Accept Log.
• Any CAWin2K8 Any HTTP, LDAP Accept Log.
• Any Firewalled_gateways Any FW1_topo Accept None.
30. Connect to the SA according to the instructions in the Endpoint_security_guide.
31. Connect using the Smart Dashboard to the SA internal IP address.
---Client SIC established---

General Guidance
1. To DISCARD traffic, use a "drop" rule. To BYPASS traffic, use an "accept" rule. To
PROTECT traffic, create a VPN community.
2. For creating a rule, use the "add rule" buttons:

3. In order to change the VPN configuration and algorithms do as follows:


• Edit the VPN community > Encryption > select Encryption Method > Select IKEv2 > select
Custom Encryption or pick one from the pre-defined list.
• The community VPN parameters:
  • IKE Properties:
    • Key Exchange Encryption: AES-128/256.
    • Data Integrity: SHA-256/384.
  • IPSec Properties:
    • IPSec Data Encryption: AES-128/256/AES-GCM-128/256.
    • Data Integrity: SHA-256.


4. For changing the Phase 1 and Phase 2 rekey edit the VPN community > Advanced Settings >
Advanced VPN Properties > change renegotiation for IKE and IPSec.
