CHECK POINT SOFTWARE TECHNOLOGIES

Check Point 1100 Appliances Frequently Asked Questions

Table of Contents
- Overview
- Ordering Information
- Technology
- Hardware
- Performance

Updated April 8, 2013
© 2013 Check Point Software Technologies Ltd. All rights reserved.

Overview:

Q. Who is the target customer for the 1100 Appliance?
A. The target customers are enterprises with small remote or branch offices of 1 to 50 employees; it can also be suitable for similar-sized small businesses:
- Small offices who want a simple, intuitive web-based local management interface
- Enterprises who have standardized on managing their entire security infrastructure including remote locations from a headquarters location using Single or Multi-Domain Security

Three 1100 Appliance models are available.
- 1120: Ideal for remote offices with up to 10 users
- 1140: Ideal for remote offices with up to 25 users
- 1180: Ideal for remote offices with up to 50 users

Q. What are the differences between the Safe@, UTM-1 Edge, Series 80 and 1100 appliances?
A. The following table best represents the differences:

Safe@ | UTM-1 Edge | Series 80 | 1100
Network Interface Ports: 6 GbE | 6 GbE | 10 GbE | 10 GbE
ADSL: Yes | Yes | No | Yes
Wi-Fi: Yes | Yes | No | Yes
Target Market: Consumer and small office | Small office | Centrally managed branch office | Small office and centrally managed branch office
Security Architecture: NGX Embedded Software Blades Software Blades NA R71.45: FW, VPN, IPS, AV, ASPM, URLF R75.20: FW, VPN, IPS, AV, ASPM, URLF, APCTL, IA
Web UI Web UI & central Security Central Security Web UI & central Security
Deployment: Standalone | Standalone & distributed | Distributed | Standalone & distributed
High Availability: None Active-Passive
Large Scale SMP (Security Portal) SmartProvisioning

Q. Does this replace the Series 80 Appliance?
A. Yes.

Q. Does this replace the UTM-1 Edge and Safe@Office Appliances?
A. No. The 1100 Appliance is targeted at enterprises with remote branch offices, whereas the UTM-1 Edge and Safe@Office Appliances are targeted at small businesses. However, there may be some interest in this product from the small business market segment.

Q. I recently purchased a Series 80 Appliance; can I upgrade the image to get the functionality of the 1100 Appliance?
A. Yes. Upgrade the license as well to benefit from Software Blades introduced with the 1100 Appliance, e.g. Identity Awareness and Application Control.

Ordering Information:

Q. What bundled software blade SKUs are available?
A. Two are available for the 1120 model: one with Firewall and VPN and the other with Threat Prevention. The 1140 and 1180 models are available in the Threat Prevention bundle only.

Q. Can I buy the 1120 Appliance Firewall package and then add additional blades?
A. Yes, you can add the Threat Prevention package to the 1120 Appliance.

Q. I purchased an 1120 Appliance. Can I upgrade to an 1140 or 1180 Appliance?
A. Yes.

Q. I purchased a Threat Prevention package. Can I add additional Software Blades?
A. This isn't needed, as all available Threat Prevention Software Blade licenses are included in the Threat Prevention package.

Q. Do I have to renew the Threat Prevention blades to get updated signatures?
A. Yes. The service blades are for one, two or three years. When this period ends, they must be renewed to get updates.

Q. Is it possible to house 1100 Appliances side-by-side on a 19" wide rack?
A. Yes, the system has been designed to accommodate this and we will add the rack mount kit accessory to the price list shortly.

Q. Can I add the Advanced Networking & Clustering blade to the 1100 appliance?
A. The Advanced Networking & Clustering blade is included.

Q. Does the 1100 appliance support dynamic routing?
A. Yes.

Q. Will DLP and Anti-Bot be supported on the 1100?
A. Anti-Bot support is on the roadmap. Currently there is no target date for DLP support.

Q. What ADSL type is available?
A. ADSL2 Annex A (POTS) and ADSL2 Annex B (ISDN).

Q. What are the differences between the Wi-Fi-FCCA and Wi-Fi-WORLD SKUs and which should I order?
A. The FCCA SKU is for the United States. The WORLD SKU is for the rest of the world.

Technology:

Q. Is a management hotfix needed to manage the 1100 Appliance?
A. Yes, initially for some features. See the 1100 Appliance page on the Check Point Support website for more information. The Security Server versions that operate with Check Point 1100 Appliance are versions R75.46, R76 and higher.

Q. Why is the connection to the Check Point management server called asynchronous for the 1100 appliance?
A. It is possible to define the 1100 gateway on the management server without first establishing a connection between the two. This includes installing the policies on the management server even before the Series 80 gateway is actually deployed. At this point the policy is in pending mode, waiting for the 1100 to pull it once it comes online. This is why we call the process asynchronous. Subsequently, the 1100 Appliances can fetch security policies periodically, in addition to the standard policy push, which can be set up from the management server.

Q. Does the 1100 appliance support local management?
A. Yes. A simplified web-based interface for local management is available. See the Administration Guide and Release Notes for more details.

Q. Is GAiA the OS running on the 1100 appliance?
A. Yes, but it is an embedded version, which allows it to run on the smaller footprint of processing power and memory.

Q. Are all the standard security features in R75.20 supported on the 1100 appliance?
A. Not all. For instance, DLP and HTTPS inspection are not supported. Please refer to the Release Notes for updates on features and functions.

Q. What is the difference in the high availability feature between the 1100 and the UTM-1 Edge appliance?
A. The 1100 appliance supports full system level high availability set up between two systems in active-passive mode using Check Point ClusterXL technologies. The UTM-1 Edge appliance allows two or more systems to be set up in a chain. Each UTM device then works in a master-slave mode to send its internet (WAN) bound traffic to the master system via the Ethernet port connecting the two appliances. In the event the slave appliance loses its own WAN connection, this master-slave setup provides a backup.

Q. Is it possible to implement ISP Redundancy on the 1100?
A. Yes, an Ethernet network interface, a 3G connection using an Express Card/USB modem or a serial connection with USB or serial modem may be used to set up ISP redundancy.

Q. Is SSL VPN supported on the 1100 appliance?
A. Yes. The Appliance includes a Mobile Access license for 5 users. A Mobile Access license for more users is available.

Q. What remote access clients are supported?
A. These clients are supported in the GA release in April:
- SecureClient (all versions). The 1100 Appliance does not, however, run a Policy Server. (It will work with a multi-gateway site, where another gateway is the Policy Server.)
- SNX (Network Mode only)
- L2TP (running on Windows, iOS, and Mac OS X)

This client support is on the roadmap:
- Endpoint Connect (all versions except "Endpoint Security VPN")

Q. Does the concept of security servers exist in the 1100 appliance?
A. No, all protections that required the concept of security servers are now supported natively in the kernel.

Q. Is there any difference in the UTM functions running on 2012 Model Appliances in comparison to the 1100 appliance?
A. There are a few differences:
- AV support is based on Stream mode only. Proactive mode is not supported.
- Email Security is based on IP Reputation only. Content based Anti-Spam is not supported.

Please refer to the user documentation for additional details.

Q. Do the 1100 Appliances support IPv6?
A. IPv6 is not supported in the GA release in April. Support for IPv6 is on the roadmap.

Q. What appliance configuration can be set with the USB deployment?
A. The hostname, interface configuration, time zone, NTP (Network Time Protocol) configuration, SIC (Secure Internal Communication) password, Security address and the administrator user password.

Q. Is the Monitoring Blade supported on the 1100 Appliance?
A. When centrally managed, the 1100 Appliances are monitored like any other gateway using the Monitoring Software Blade.

Q. What monitoring and tools are available in the Local Web UI?
A. Security and system logs, CPU, memory and disk usage, routing, DNS lookups, ping, traceroute, packet capture and a cpinfo to provide system diagnostics to Check Point support.

Q. Does the device support SNMP?
A. Yes, SNMP v1/v2/v3 and sending SNMP traps. SNMP trap settings can also be centrally managed from the Security Server with the thresholds_config utility.

Q. What network connection types are available?
A. Static IP, DHCP, PPPoE, PPTP, L2TP, bridge or layer 2, 3G cellular or analog modem and ADSL.

Q. What DHCP options are supported?
A. DNS server, default gateway, WINS, time servers, call manager, TFTP server, TFTP boot file, X-Windows display manager, Avaya IP phone, Nortel IP phone, Thomson IP phone and custom.

Q. Is Hotspot captive web portal supported?
A. Yes, when enabled, any user browsing from the configured interfaces will be directed to a Hotspot portal.

Q. What authentication methods does the 1100 Appliance support for administrative and captive portal access?
A. Users and groups that are locally defined or are defined on a remote RADIUS or Active Directory server.

Hardware:

Q. Can the 8 LAN ports be set up as a switch?
A. Yes, and they can also be set up as multiple switched groups. Not all 8 ports have to belong to the same group. Configuring up to 4 distinct switch groups is possible.

Q. Are there any moving parts in the 1100 Appliance?
A. No. There is no fan or hard disk drive, which results in a very quiet desktop security appliance.

Q. Can I use the rack mount kit for just one 1100 appliance that I want housed in my rack?
A. Yes. Middle mount is provided for just one appliance. Refer to the instructions in the rack mount kit for additional details.

Performance:

Q. What are the published performance numbers for the 1100 Appliance family?
A. The performance results using just one any-any firewall policy are as follows. See the datasheet for more information.

1120 | 1140 | 1180
Recommended Users: Up to 10 | Up to 25 | Up to 50
Firewall, 1518 byte UDP (Mbps): 750 | 1,000 | 1,500
VPN, AES-128 (Mbps): 140 | 175 | 220

Q. When customers exceed the recommended users limit, what will happen? For instance the 1120 is recommended for 10 users, so will the 11th or 12th user be blocked?
A. No, this is a recommended number of users based upon the appliance performance capabilities and customer requirements for performance.

Q. One user may generate a lot of traffic and exceed the recommended performance limit of the appliance. When the bandwidth limit is reached what will happen? Will connections still be allowed?
A. Connections will still be allowed, but slower connection speeds may be noticed until the overall bandwidth drops.