Welcome

Welcome to the Safe@Office Online Help.

For technical support and additional documentation, refer to http://www.sofaware.com/support

Status Bar

The status bar at the bottom of the page indicates the following:

Internet [Primary]     Your Internet connection status (Connected/Connected - Probing OK/Connected - Probing Failed/Not Connected/Establishing Connection/Contacting Gateway/Disabled/No Link Detected/No Sync)

Internet [Secondary]   Your backup Internet connection status (Connected/Not Connected/Establishing Connection/Contacting Gateway/Disabled/No Link Detected)

Service Center         Your connection status to the service provider (Not Subscribed/Connection Failed/Connecting/Connected)

Initial Login

This page enables you to set your password.

Login

Log on to the Safe@Office Portal using your password.

Reports

Reports > Event Log

The event log displays the most recent events in four different categories, color coded as follows:

Blue          Changes in your setup

Red           A connection attempt blocked by the firewall

Orange       A connection attempt blocked by your security rules

Green        Traffic accepted by the firewall

This page offers the following options:

Save         Saves the displayed logs to an *.xls (Microsoft Excel) file

Refresh      Refreshes the display

Clear        Clears the display

Reports > Traffic Monitor

This page allows you to view incoming and outgoing traffic for selected network interfaces and QoS classes.

Reports > Traffic Monitor > Settings

This page allows you to configure the interval at which the appliance should collect traffic data for network traffic reports.

Reports > Active Computers

This page allows you to view the computers and IP addresses in your network, and marks them as follows:

Static        Indicates the IP address was not assigned by the Safe@Office appliance

DHCP          Indicates the IP address was dynamically assigned by the Safe@Office appliance

This page offers the following options:

Add               Allows you to add a network object representing a computer

Edit              Allows you to edit the network object representing a computer

Remote Desktop    Allows you to access a computer's desktop remotely

Refresh           Refreshes the display

Node Limit        Displays your configured product versus the number of active nodes

If HotSpot mode is enabled for some networks, each computer's HotSpot status is displayed next to it.

Reports > Connections

You can view active connections between your network and external networks.

Reports > VPN Tunnels

You can view the established VPN tunnels. The following information is displayed for each VPN tunnel:

Type          The currently active security protocol (IPSEC)

Source        The IP address or address range of the entity from which the tunnel originates

Destination   The IP address or address range of the entity to which the tunnel is connected

Security      The security methods used by the tunnel

Established   The tunnel creation time

This page offers the following options:

View Topology     Shows a tree based view of the current topology

Save IKE Trace    Saves a trace of IKE (Internet Key Exchange) negotiations to an *.elg file

Clear IKE Trace   Clears all currently-stored IKE traces

Refresh           Refreshes the display

Reports > VPN Topology

This page shows a tree based view of the current topology of the Safe@Office.

Security

Security > Firewall

You can control the firewall security level.

Low security      Provides basic firewall security

Medium security   The default security level (recommended)

High security     Enforces strict control on incoming and outgoing traffic

Block All         Blocks all access between Safe@Office networks

Security > Servers

You can allow network traffic from known applications into your network. Select the check boxes to allow traffic from an application into your network.

Select VPN Only to allow only connections made through a VPN.

Security > Rules

You can create your own custom firewall rules for services not on the "Servers" list, by specifying their port ranges and protocols. You can also create rules defining a type of traffic and assigning it to a QoS class. Note that Traffic Shaper must be enabled for the direction of traffic specified in the rule.

Rules are processed in the order they appear in the Rules table. Use the arrows next to a rule to move the rule up or down in the table. You can enable/disable rules by clicking on the Enabled column.

Security > SmartDefense

Check Point SmartDefense Services provides a combination of attack safeguards and attack-blocking tools to protect your network. It also aids proper usage of Internet resources.

Click the icons to expand the SmartDefense categories, then click on the desired nodes and configure the fields.

Security > My HotSpot

You can enable the Safe@Office appliance as a public Internet access hotspot for specific networks, by selecting the desired networks. Users on those networks will be automatically re-directed to the My HotSpot page, upon attempting to access the Internet.

You can specify My HotSpot terms of use and require users to log on using their Safe@Office username and password. To preview the My HotSpot page, click Preview.

Security > NAT

You can view current policy Network Address Translation (NAT) rules and create your own custom NAT rules.

 

Antivirus

Antivirus > Status

VStream Antivirus scans files for malicious content on the fly, without downloading the files into intermediate storage. You can view current VStream Antivirus database information. The following options are also available:

On/Off                    Enables/disables VStream Antivirus

Update Now              Updates the VStream Antivirus databases

Antivirus > Policy

You can create your own custom VStream Antivirus rules to define exactly which traffic should be scanned. Rules are processed in the order they appear in the Antivirus Policy table. Use the arrows next to a rule to move the rule up or down in the table. You can enable/disable rules by clicking on the icon in the Enabled column.

Antivirus > Advanced

This page enables you to specify which file types should be scanned or passed, and how VStream Antivirus should handle archive files.

You can view lists of safe and unsafe file types by clicking the Show links in the File Types area.

Services

Services > Account

This page provides information on the services available in your service plan, as well as the status of each service. It also enables you to manage your security services by offering the following options:

Connect       Configures and starts your security services subscription, which can include policy and firmware updates, Email Antivirus, Web Filtering and other services

Refresh       Reconnects you to your Service Center and refreshes your services' settings

Configure     Accesses your service provider's portal, if available. This portal will offer additional configuration options for your account

Services > Software Updates

The system automatically checks for software and security updates. If your Safe@Office is locally managed, you can check for updates manually, as well.

Network

Network > Internet

This page displays information regarding your network's setup and activity. It offers the following options:

Connect / Disconnect   Establishes (or terminates) the Internet connection

Internet Wizard        Launches the Safe@Office Internet Wizard

Connection Edit        Allows configuring advanced Internet options

                       Allows temporarily enabling/disabling the Internet connection

Refresh                Refreshes the display

Network > Internet > Internet Setup

This page enables you to configure your Internet connection:

LAN (Local Area Network)

If you are connected to a LAN, fill in the following fields:

Port                                                 Select the port to use for the Internet connection.

Connection Type                                      Select LAN (Local Area Network)

Obtain IP address automatically (using DHCP)         If you do not want the Safe@Office appliance to obtain an IP address automatically using DHCP, clear this check box

Obtain Domain Name Servers automatically             If you do not want the Safe@Office appliance to automatically configure DNS servers, clear this check box

Obtain WINS Server automatically                     If you want the Safe@Office appliance to obtain an IP address automatically using DHCP, but not to automatically configure the WINS server, clear this check box.

IP Address                                           Your Safe@Office appliance's static IP address

Subnet Mask                                          The subnet mask that applies to your Safe@Office appliance's static IP address

Default Gateway                                      The IP address of your ISP's default gateway

Primary DNS Server                                   The IP address of the primary DNS server

Secondary DNS Server                                 The IP address of the secondary DNS server (optional)

WINS Server                                          The WINS server IP address (optional)

Shape Upstream: Link Rate                            To enable Traffic Shaper for outgoing traffic, select this option, and then type a rate (in kilobits/second) slightly lower than your Internet connection's maximum measured upstream speed in the field provided.

Shape Downstream: Link Rate                          To enable Traffic Shaper for incoming traffic, select this option, and then type a rate (in kilobits/second) slightly lower than your Internet connection's maximum measured downstream speed in the field provided.

MTU                                                  The maximum transmission unit size (optional; use only if supplied by your ISP)

Host Name                                            The hostname for authentication (optional; use only if supplied by your ISP)

MAC Cloning: Cloned MAC Address                      If your ISP restricts connections to specific, recognized MAC addresses, you must select this option and then specify the desired MAC address in the field provided.

Do not connect if this gateway is in passive state   If you are using High Availability (HA), select this option to specify that the gateway should connect to the Internet only if it is the Active Gateway in the HA cluster. This field is only enabled if High Availability is configured.

Probe Next Hop                                       To automatically detect loss of connectivity to the default gateway, select this option.

Connection Probing Method                            To detect Internet failures that are more than one hop away, select a connection probing method.

1,2,3                                                Type the IP addresses or DNS names of the desired servers or VPN gateways for connection probing.

 

Cable Modem

If you are connected to the Internet through a cable modem, fill in the following fields:

Port               Select the port to use for the Internet connection. This can be either WAN or WAN2.

Connection Type    Select Cable Modem.

Obtain Domain Name Servers automatically
Obtain WINS Server automatically
Primary DNS Server
Secondary DNS Server
WINS Server
Shape Upstream: Link Rate
Shape Downstream: Link Rate
MTU
Host Name
MAC Cloning: Cloned MAC Address
Do not connect if this gateway is in passive state
Probe Next Hop
Connection Probing Method
1,2,3
(See above for details.)

PPPoE (Ethernet-based connection)

If you are connected to the Internet through an Ethernet-based PPPoE connection, fill in the following fields:

Port               Select the port to use for the Internet connection.

Connection Type    Select PPPoE (PPP over Ethernet).

Username           Your ISP user name.

Password           Your ISP password.

Confirm password   Your ISP password.

Service            The service name (optional; use only if supplied by your ISP).

Obtain Domain Name Servers automatically
Primary DNS Server
Secondary DNS Server
WINS Server
Shape Upstream: Link Rate
Shape Downstream: Link Rate

External IP        The IP address of the PPPoE client (optional; use only if supplied by your ISP).

MTU
Do not connect if this gateway is in passive state
Probe Next Hop
Connection Probing Method
1,2,3
(See above for details.)

PPTP

If you are connected to the Internet through an Ethernet-based PPTP connection, fill in the following fields:

Port               Select the port to use for the Internet connection.

Connection Type    Select PPTP.

Username
Password
Confirm password
Service

Server IP          The PPTP server IP address, as given by your ISP.

Obtain IP address automatically (using DHCP)
Obtain Domain Name Servers automatically
IP Address
Subnet Mask
Default Gateway
Primary DNS Server
Secondary DNS Server
WINS Server
Shape Upstream: Link Rate
Shape Downstream: Link Rate

External IP        The IP address of the PPTP client as given by your ISP (optional).

MTU
Do not connect if this gateway is in passive state
Probe Next Hop
Connection Probing Method
1,2,3
(See above for details.)

Telstra (BPA)

If you are subscribed to Telstra® BigPond™ Internet, fill in the following fields:

Port               Select the port to use for the Internet connection.

Connection Type    Select Telstra (BPA).

Username
Password
Confirm password

Server IP          The Telstra authentication server IP address as given by Telstra.

Obtain Domain Name Servers automatically
Obtain WINS Servers automatically
Primary DNS Server
Secondary DNS Server
WINS Server
Shape Upstream: Link Rate
Shape Downstream: Link Rate
MTU
Do not connect if this gateway is in passive state
Probe Next Hop
Connection Probing Method
1,2,3
(See above for details.)

Dialup

If you are connected to the Internet through a dialup connection, fill in
the following fields:

Port                 Select the port to which the dialup modem is connected. This can be either Serial (for an RS232 modem) or USB Modem (for a USB modem)

Connection Type      Select Dialup.

Username
Password
Confirm password

Phone Number         The phone number that the modem should dial, as given by your ISP

Connect on demand    If you do not want the dialup modem to be constantly connected to the Internet, select this option

Obtain Domain Name Servers automatically

When no other higher priority connection is available    To specify that the dialup modem should only dial a connection if no other connection exists, and the Safe@Office appliance is not acting as a Passive gateway, select this option.

On outgoing activity    To specify that the dialup modem should only dial a connection if no other connection exists, and there is outgoing activity, select this option

Idle timeout         The amount of time (in minutes) that the connection can remain idle before timing out

Primary DNS Server
Secondary DNS Server
WINS Server
Shape Upstream: Link Rate
Shape Downstream: Link Rate
External IP
MTU
Do not connect if this gateway is in passive state
Probe Next Hop
Connection Probing Method
1,2,3
(See above for details.)


Bridged

If you want to add an Internet connection to an existing bridge, fill in the
following fields:

Port               Select the port to use for the Internet connection.

Connection Type    Select Bridged.

Assign to Bridge   Select the bridge to which the connection should be assigned.

Port Cost          Type the port's STP cost.

Port Priority      Select the port's STP priority.

Default Gateway
Primary DNS Server
Secondary DNS Server
WINS Server
Shape Upstream: Link Rate
Shape Downstream: Link Rate
MTU
Do not connect if this gateway is in passive state
Probe Next Hop
Connection Probing Method
1,2,3
(See above for details.)

Network > My Network

This page displays network settings for your internal networks. It offers the following options:

Edit                 Allows you to edit the settings of an internal network or bridge

Add Network      Allows you to add a network.

Add Bridge        Allows you to add a bridge

Erase               Allows you to delete a network or bridge.

Network > My Network > Bridge Configuration

You can configure a bridge's settings by doing any of the following:

Set the name of the bridge.

Enable/Disable the firewall between bridge members.

Pass/Block non-IP traffic.

Enable/Disable Spanning Tree Protocol (STP).

Set the bridge's STP priority.

Change the range of IP addresses in the internal network, by changing the IP Address and the Subnet Mask values.

Network > My Network > Edit Network Settings

You can configure an internal network's settings by doing any of the following:

Enable/Disable the internal network.

Assign the internal network to a bridge.

Configure bridge anti-spoofing and the allowed IP address range for the network.

Set the port's STP cost and priority.

Enable/Disable the Safe@Office DHCP server.

Set the Safe@Office DHCP server to relay mode. The appliance will relay information from an external DHCP server to the devices on your network.

Configure custom DHCP options.

Change your Safe@Office appliance's IP address.

Change the range of IP addresses in the internal network, by changing the IP Address and the Subnet Mask values.

Enable/Disable Hide Network Address Translation (NAT).

Set a VLAN network's name and type.

Network > My Network > DHCP Server Options

This page allows you to configure custom DHCP server options.

Network > Ports

This page displays information about the Safe@Office appliance's ports. The following options are also available:

Reset 802.1x      Resets all 802.1x enabled ports to the "Unauthenticated" state

Refresh            Refreshes the display

Edit                Allows you to configure a port's settings

Default            Resets the ports to their default settings

Network > Ports > Port Setup

This page allows you to configure a port's assignment and link configuration. For the DMZ/WAN2 port, you can also configure an 802.1x port-based security scheme.

The following options are also available:

Default             Resets the port to its default settings

Network > Ports > Port Setup > USB/Dialup Modem Setup

You can configure a USB/dialup modem.

If you select the Custom option in the Modem Type list, then you must provide a modem initialization string. Otherwise, a pre-configured modem is used.

The following options are also available:

Test      Checks that the values you entered are correct

Network > Traffic Shaper

You can use bandwidth policies to control the flow of communication, by defining QoS classes (on this page), and then using Allow rules to assign different types of connections to the QoS classes (on the Security > Rules page). Note that Traffic Shaper must be enabled for the direction of traffic specified in the rule. The following options are available:

Add               Adds a new QoS class

Restore Defaults  Resets the Traffic Shaper bandwidth policy to use the four predefined classes, and restore the QoS classes to their default settings

Network > Network Objects

You can add individual computers or networks as network objects. This enables you to configure the following settings for the computer or network represented by the network object:

Map Internet IP addresses or address ranges to hosts inside the internal network.

Assign the network object's IP address to a MAC address.

Exclude the network object from Secure HotSpot enforcement.

Exclude the network object from Web Filtering.

Network > Network Services

You can create new custom services to be used in the network. The following options are available:

New          Allows you to add a new network service.

Edit          Allows you to edit a network service.

Erase        Allows you to delete a network service.

Network > Routes

You can specify the route for packets originating in a certain subnet and/or destined for a certain subnet. Packets with a source or destination that does not match any defined static route will be routed to the default gateway. The following options are available:

New Route    Allows you to add a new route.

Edit         Allows you to edit a route.

Erase        Allows you to delete a route.

Refresh      Refreshes the display.

Setup

Setup > Firmware

You can view the current firmware version and details. The following options are available:

Firmware Update             Allows you to load an updated firmware file to the Safe@Office appliance

Upgrade Product             Install a product key to upgrade your Safe@Office appliance and/or register your product

Restart                     Reboots the Safe@Office appliance

Safe@Office Setup Wizard    Guides you through the Safe@Office appliance's setup, step by step

Setup > High Availability

You can create High Availability clusters consisting of two or more Safe@Office appliances. If the Active Gateway (the default gateway) fails, a Passive Gateway automatically and transparently takes over all the roles of the Active Gateway.

You can do any of the following:

Enable/Disable High Availability for this gateway.

Enable High Availability for internal networks and bridges.

Enable High Availability for Internet connections.

Specify which network/bridge should be the synchronization interface. This can be any internal network/bridge existing on both gateways.

Specify this gateway's priority.

Configure Internet connection tracking for this gateway.

Assign this gateway to a specific cluster.

Setup > Logging

You can configure the Safe@Office appliance to send the event logs to a Syslog server residing in your internal network or on the Internet.

Setup > Remote Desktop

The Safe@Office Remote Desktop allows you to remotely control your Windows PC, using Microsoft Terminal Services. This page enables you to configure Remote Desktop settings.

Setup > Management

You can configure the following management protocols:

HTTPS    When HTTPS Remote Access is enabled, Safe@Office users can securely access the Safe@Office Portal from the Internet, by accessing the URL https://X.X.X.X:981, where X.X.X.X is the Safe@Office Internet IP address. Note that the URL https://my.firewall is always accessible from the Internal Network, even when the HTTPS Remote Access is disabled.

SSH      When SSH Remote Access is enabled, Safe@Office users can securely connect to the Safe@Office appliance from the Internet and configure the appliance using the CLI shell.

SNMP     When SNMP Remote Access is enabled, an SNMP manager can access and monitor the Safe@Office appliance from the Internet. After configuring SNMP access settings, you can set the following SNMP settings:

         SNMP Community     The community string to access the SNMP agent in the Safe@Office device from the SNMP manager.

         Advanced           Click to configure advanced SNMP settings.

You can grant access to the Safe@Office appliance or portal from any of the following:

Internal Network         Access to the services allowed from Internal Network

Internal Network + VPN   Access to the services allowed from Internet using VPN, or from Internal Network

IP Address Range        Access to the services allowed from only the specified IP address range

ANY                        Unrestricted access

Disabled                   The service is disabled

Setup > Management > SNMP Configuration

This page enables you to configure the following advanced SNMP settings:

System Location   The string to be displayed in the sysLocation mib variable of the system MIB group

System Contact    The string to be displayed in the sysContact mib variable of the system MIB group

SNMP Port         The UDP port on which the SNMP agent should run

Setup > Tools

This page offers the following options:

Set Time          Allows you to set the date/time on your Safe@Office appliance:

                  Your computer's clock        Sets the Safe@Office clock to the computer's clock

                  Keep the current settings    Sets the Safe@Office clock to the current setting

                  Use a Time Server            Automatically sets the Safe@Office clock to a specific time server's clock (NTP Server)

                  Specify date and time        Allows you to manually set the correct time for your location

IP Tools          A set of tools for troubleshooting Internet connectivity:

                  Ping          Checks that a specific IP address or DNS name can be reached through the Internet

                  Traceroute    Displays a list of all routers used to connect from the Safe@Office appliance to a specific IP address or DNS name

                  WHOIS         Displays the name and contact information of the entity to whom a specific IP address or DNS name is registered

Command           Allows you to control your appliance via the command line interface

Sniffer           Captures packets from a network or port.

Export            Exports the Safe@Office appliance's configuration to a file. You can use this file to back up and restore Safe@Office settings, as needed.

Import            Imports a Safe@Office configuration file

Factory Settings  Resets the Safe@Office appliance to its factory-defined settings and firmware. You will lose all your saved settings.

Diagnostics       Displays troubleshooting information

Setup > Tools > Command Line

You can control your appliance via the command line interface.

Users

Users > Internal Users

You can view, add, edit, and delete users.

A user can be assigned an expiration time and granted the following permissions:

Administrator Level      Determines the user's level of access to the Safe@Office Portal

VPN Remote Access        Allows the user to remotely connect to your network using their Remote Access VPN Client

Web Filtering Override   Allows the user to override family filters (if you are subscribed to this service)

HotSpot Access           Allows the user to log on to the My HotSpot page

The following options are also available:

New User        Adds a new user

Quick Guest     Quickly adds a temporary guest user and enables printing the user's details

Edit               Allows you to edit a user

Erase             Allows you to delete a user

Clear Expired     Removes all expired users from the table

Users > RADIUS

You can configure RADIUS authentication. The RADIUS server will authenticate both Safe@Office users and Remote Access VPN Clients trying to connect to the Safe@Office appliance.

Address                   The IP address of the computer that will run the RADIUS service.

Port                       The port number of the RADIUS server.

Shared Secret            The shared secret used to access the RADIUS server.

Realm                     The realm to append to RADIUS requests. This field is relevant if your organization uses RADIUS realms.

Timeout                   The interval of time in seconds between attempts to communicate with the RADIUS server.

Administrator Level       The level of access to assign to all users authenticated by the RADIUS server.

VPN Remote Access         Select this option to allow all users authenticated by the RADIUS server to remotely connect to your network using their VPN client.

Web Filtering Override    Select this option to allow all users authenticated by the RADIUS server to override Web Filtering.

HotSpot Access            Select this option to allow all users authenticated by the RADIUS server to log on to the My HotSpot page.

The following options are also available:

Default       Resets the RADIUS servers to their default settings