3. NGFW for small businesses. Wireless data transmission: WiFi and LTE

Hello, dear readers of the TS Solution blog. We continue the series of articles on Check Point NGFW solutions for the SMB segment. The first part covers the model range, its characteristics and capabilities; the second part covers unpacking and initial configuration using real Check Point 1590 equipment as the example.

For those who are just getting acquainted with the SMB model range: it is suitable for small offices or branches of up to 200 people (when choosing model 1590). One feature of this family is support for wireless communication, which is useful when the infrastructure contains devices with a WiFi adapter or when the NGFW needs Internet access over a mobile connection. These tasks call for two technologies, WiFi and LTE, and they are the subject of this article:

  1. Enabling and configuring the NGFW WiFi mode.
  2. Enabling and configuring the NGFW LTE mode of operation.
  3. General conclusions about wireless technologies for NGFW.

NGFW and WiFi

In part 2 of this series we left the wireless connection option for users turned off, so go to the tab Device → Network → Wireless.

The screenshot I provided shows two possible WiFi operating modes:

  1. 2.4 GHz is a frequency that is supported by most generations of wireless devices.
  2. 5 GHz is the frequency that is the modern standard for wireless devices; support is available in all modern smartphones, tablets and laptops.

The screenshot above also shows that I have already enabled the 5 GHz operating mode. Let's set up 2.4 GHz together: click the "Configure" button.

In the window for creating an access point, we are prompted to specify a standard set of parameters. You can use a password or a RADIUS server as the authentication method. The "Allow access from this network to local networks" option controls whether your wireless clients can reach internal resources behind the Check Point NGFW. Once the access point is configured, you can change more options.

Available settings

After the device under test has connected to your access point, we can make sure that it is on our network: go to the tab Logs & Monitoring → Status → Wireless Active Devices.

Clicking on the object's name shows the properties of the connected client:

In addition to information about the device, I consider the following options useful:

  • save object for use in rules (1);
  • block access to this client (2).

Further, based on our settings for the Application Blade (in Check Point terminology, one of the modules), access to potentially dangerous links is prohibited.

We try to open a site from one of these categories on a mobile device that is connected via WiFi to the Check Point NGFW and therefore accesses the Internet through it.

Conclusion: The user was unable to access a site that belongs to the Anonymizer category.

Thus, we have considered the basic setup for connecting users over WiFi, which is convenient in small offices with many wireless devices. At the same time, the Check Point NGFW solution allows you to protect your users from vulnerabilities and malicious content, and gives you flexible options for controlling wireless hosts. Administration using a mobile application deserves a separate mention; the method was described in one of our articles.

NGFW and LTE

Models 1570 and 1590 come with an LTE modem that takes a Micro / Nano SIM and uses it to establish a 4G connection. For the curious, we leave a brief memo under the spoiler.

Instructions for installing SIM

Once the SIM is installed, return to the Gaia Portal and go to the section Device → Network → Internet. By default you will have one WAN connection; create a new connection by clicking on the red arrow.

There we need to set the connection name and define the interface type (in our case, Cellular).

Additionally, open the Connection Monitoring tab. Here the gateway can automatically send ARP requests to the default route and ICMP packets to the specified resources; note that you can specify your own resources for monitoring.

The Cellular tab is responsible for selecting priorities between SIMs and for entering authentication data if required (APN, PIN).

In the "Advanced" tab it is possible to set network settings:

  • interface settings (MTU, MAC)
  • QoS
  • ISP Redundancy
  • NAT
  • DHCP

After you create a new connection type, you will find an Internet connection table in Device → Network → Internet:

In the screenshot above, we see a new connection "LTE_TELE2"; as you may have guessed, this is a SIM from the Tele2 provider. The table contains information about the signal level and shows the percentage of losses and the delay time. Additionally, it is possible to open the Connection Monitoring option.

In the monitoring window, we see the results of sending requests to three servers, one of which is custom (ya.ru). It displays:

  • percentage of packet loss;
  • percentage of network errors;
  • response time (average, minimum and maximum);
  • jitter.
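The metrics in this monitoring window can be derived from raw probe results, and the reason for probing several servers becomes clear when deciding whether a link is down. The following is an added example, not code from the article or from Check Point; the jitter formula, the loss threshold, the sample round-trip times and the two placeholder target names are assumptions.

```python
from statistics import mean

# Constructed probe results: round-trip times in ms, None = no reply.
# ya.ru is the custom target from the article; the other names are placeholders.
SAMPLES = {
    "ya.ru": [30.0, 34.0, None, 32.0, 30.0],
    "target-a.example": [40.0, 40.0, 44.0, 40.0],
    "target-b.example": [None, None, None, None],
}


def probe_stats(rtts):
    """Return loss %, min/avg/max RTT and jitter for one monitored target."""
    replies = [r for r in rtts if r is not None]
    loss_pct = round(100.0 * (len(rtts) - len(replies)) / len(rtts), 2)
    if not replies:
        return {"loss_pct": loss_pct, "min": None, "avg": None,
                "max": None, "jitter": None}
    # Assumption: jitter = mean absolute difference between consecutive replies.
    deltas = [abs(b - a) for a, b in zip(replies, replies[1:])]
    return {
        "loss_pct": loss_pct,
        "min": min(replies),
        "avg": round(mean(replies), 2),
        "max": max(replies),
        "jitter": round(mean(deltas), 2) if deltas else 0.0,
    }


def link_is_up(samples, max_loss_pct=50.0, min_healthy_targets=1):
    """Treat the link as up while enough targets still answer. One silent
    target (remote outage, ICMP filtering) must not trigger a failover."""
    healthy = [t for t, rtts in samples.items()
               if probe_stats(rtts)["loss_pct"] <= max_loss_pct]
    return len(healthy) >= min_healthy_targets


if __name__ == "__main__":
    for target, rtts in SAMPLES.items():
        print(target, probe_stats(rtts))
    print("link up:", link_is_up(SAMPLES))
```
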

If you are interested in system information about the LTE modem on the Check Point NGFW, go to Logs & Monitoring → Diagnostics → Tools → Monitor Cellular Modem:

Next, we analyzed the speed of Internet access for an end host that is connected to the NGFW via WiFi (5 GHz), while the gateway itself uses an LTE connection to send packets to the global network. We compared the obtained values with the situation where the phone connects directly to the Internet from the same geographic location. For convenience, the results are hidden under the spoiler.

Speedtest results

Of course, these figures carry a measurement error and have their own peculiarities. Let's put forward a hypothesis: the NGFW 1590 amplifies the incoming cellular signal thanks to its two external antennas. This statement is indirectly confirmed by the SpeedTest results, which were taken under the same conditions and show a decrease in ping and delay time to the same resource.

| Object | NGFW+LTE | Mobile+LTE |
|---|---|---|
| Ping (ms) | 30 | 34 |
| Jitter (ms) | 7.2 | 5.2 |
| Download speed (Mbps) | 16.1 | 12 |
| Upload speed (Mbps) | 10.9 | 2.97 |

To evaluate the effectiveness of the NGFW Check Point 1590 external antennas, we measured its signal reception level and then, using the engineering menu, took a similar measurement for the phone. The results are presented below:

The signal reception power level is considered better the closer its negative value is to 0. The value obtained for the phone is -109 dBm, and for the modem -61 dBm. In general, this confirms our hypothesis and indicates the stability of the LTE connection of the SMB family NGFW.

General conclusions

Summing up today's part: we considered two technologies, WiFi and LTE, which are supported by Check Point models 1570 and 1590.

For small offices and branches, it is not always possible to install separate wireless access points, so NGFW will help organize a wireless network, and most importantly, protect such users.

As for the NGFW-based LTE modem, in my opinion the following use cases will be in demand:

  1. Lack of a wired connection for Internet access. In this case, you will be forced to use a mobile connection to provide Internet access. This scenario is also relevant for specific companies whose line of business requires "mobile" placement of their network infrastructure, regardless of the conditions (location, availability of wired communications, etc.).
  2. Backup for the main wired access channel. Let me remind you that the NGFW supports dual SIM; this increases the fault tolerance of your infrastructure in the event of an accident with one of the wired links. You can also manually turn on the LTE connection, depending on the use case.

A large selection of materials on Check Point from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).

Source: habr.com
