" fwlogsum is a perl script to summarise FW1 logs making it easier to see what services are being blocked or allowed through your firewall. It provides many sorting and filtering options and also handles address/port translation. In addition, it can also handle logs from other firewalls by using a converter. "
http://ginini.com/software/fwlogsum/
Sunday, August 28, 2011
Friday, August 26, 2011
Back to basics - Nokia-IPSO OS Installation
Below will show you how to install a IPSO image using the bootmgr, this can be useful if you have lost your password, or cannot get into the IPSO CLI for what ever reason.
1 Bootmgr
2 IPSO
Default: 1
Starting bootmgr
Loading boot manager..
Install the image
Type any character to enter command mode
BOOTMGR[1]> install
################### IPSO Full Installation ####################
You will need to supply the following information:
Client IP address/netmask, FTP server IP address and filename,
system serial number, and other license information.
This process will DESTROY any existing files and data on your disk.
#################################################################
Continue? (y/n) [n] y
Motherboard serial number is ###########.
The chassis serial number can be found on a
sticker on the back of the unit with the letters
S/N in front of the serial number.
Please enter the serial number: [serial number]
Please answer the following licensing questions.
Will this node be using IGRP ? [y] n
Will this node be using BGP ? [y] n
1. Install from anonymous FTP server.
2. Install from FTP server with user and password.
Choose an installation method (1-2): 2
Enter IP address of this client (0.0.0.0/24): [IP]/[NetMask]
Enter IP address of FTP server (0.0.0.0): [FTP IP]
Enter IP address of the default gateway (0.0.0.0): [GW IP]
Choose an interface from the following list:
1) eth1
2) eth2
3) eth3
4) eth4
Enter a number [1-4]: 1
Choose interface speed from the following list:
1) 10 Mbit/sec
2) 100 Mbit/sec
Enter a number [1-2]: 2
Half or full duplex? [h/f] [h] f
Enter user name on FTP Server : [username]
Enter password for "[username]": [password]
Enter path to ipso image on FTP server [~]: /
Enter ipso image filename on FTP server [ipso.tgz]:
1. Retrieve all valid packages, with no further prompting.
2. Retrieve packages one-by-one, prompting for each.
3. Retrieve no packages.
Enter choice [1-3] [1]: 2
Client IP address = [IP]/[Netmask]
Server IP address = [IP]
Default gateway IP address = [IP]
Network Interface = eth1, speed = 100M, full-duplex
Server download path = [/]
Package install type = prompting
Mirror set creation = no
Are these values correct? [y] y
Checking what packages are available on [FTP IP].
Hash mark printing on (1048576 bytes/hash mark).
Interactive mode off.
#
The following packages are available:
Building filesystems...
Making initial links...done.
Downloading compressed tarfile(s) from [IP].
Hash mark printing on (1048576 bytes/hash mark).
Interactive mode off.
100% 26157 KB 00:00 ETA
Checking validity of image...done.
No packages found in /, continuing.
Installing image...
Installing image...done.
Image version tag: IPSO-4.1.
Checking if bootmgr upgrade is needed...
No need to upgrade bootmgr.
Do you want to upgrade bootmgr anyway? [n]
Installation completed.
Reset system or hitto reboot.
Starting reboot.
After the reboot you will need to configure some basic settings,
Please choose the host name for this system. This name will be used
in messages and usually corresponds with one of the network hostnames
for the system. Note that only letters, numbers, dashes, and dots (.)
are permitted in a hostname.
Hostname? [enter hostname]
Hostname set to "ip350", OK? [y] y
Please enter password for user admin: [password]
Please re-enter password for confirmation: [password]
You can configure your system in two ways:
1) configure an interface and use our Web-based Voyager via a remote
browser
2) VT100-based Lynx browser
Please enter a choice [ 1-2, q ]: 1
Select an interface from the following for configuration:
1) eth1
2) eth2
3) eth3
4) eth4
5) quit this menu
Enter choice [1-5]: 1
Enter the IP address to be used for eth1: [IP]
Enter the masklength: [Netmask]
Do you wish to set the default route [ y ] ? y
Enter the default router to use with eth1: [IP]
This interface is configured as 10 mbs by default.
Do you wish to configure this interface for 100 mbs [ n ] ? y
This interface is configured as half duplex by default.
Do you wish to configure this interface as full duplex [ n ] ? y
You have entered the following parameters for the eth1 interface:
IP address: [IP]
masklength: [Netmask]
Default route: [GW IP]
Speed: 100M
Duplex: full
Is this information correct [ y ] ? y
Do you want to configure Vlan for this interface[ n ] ? n
You may now configure your interfaces with the Web-based Voyager by
typing in the IP address "[IP]" at a remote browser.
Monday, August 22, 2011
Friday, August 19, 2011
Android / iPhone / Windows - L2TP VPN Setup FAQ (Checkpoint R70)
Checkpoint Configuration
Prerequisites
1. A functional remote access VPN
2. Office Mode (for all users)
3. Remote access user (using a checkpoint password scheme)
In other words, if you currently have a set of remote access workers connecting using secure remote/client with office mode. The following guide should work!
1. Enable "Gateway support IKE over TCP"
Global Properties > Remote Access > VPN Basic
2. Enable "L2TP Support"
Firewall Object > Remote Access
3. Choose "MD5-Challenge" authentication
Firewall Object > Remote Access
4. Shared Secret (The tricky part)
a. Create a empty file called "l2tp.conf"
b. type in plain text a shared secret into the above file. There are no config items or tags, the file should only contain a single line of plain text.
e.g. mysharedsecret1234
c. Copy l2tp.conf to your Firewall "Gateway" (not the management station)
E.g. $FWDIR/conf/
this would resolve to the following if you are using a NOKIA gateway
/var/opt/CPsuite-R70/fw1/conf
5. Add UDP L2TP to your rulebase
You should have an existing "Any VPN" rule for your existing remote access users
Source > any
Destination > Firewall Object
VPN > any traffic
Service > L2TP (UDP)
Action > accept
6. Install the FW policy.
Android Configuration
1. Go to Settings -> Wireless & Networks -> VPN Settings
2. Tap Add VPN
3. Tap L2TP/IPSec PSK VPN
4. Set a VPN name (My Office VPN)
5. Set VPN Server to either DNS or IP of your firewall
6. Set IPSec pre-shared key (used in the l2tp.conf)
7. Tap the Menu Key, Tap Save
iPhone Configuration
1. From your iPhone home screen, go to Settings > General > Network > VPN > Settings
2. Server: Enter your VPN-1 server FQDN (DNS name) or IP address
3. Account: Enter you checkpoint username and password
4. RSA Secure ID: Off
5. Password: Ask Every Time
6. Secret: Enter the IPSec pre-shared key (used in the l2tp.conf)
7. Send all Traffic: On
Windows XP Configuration
1. Select Start > Settings > Control Panel > Network Connections > New Connection Wizard
2. Select “Connect to the network at my workplace”, click next
3. Select “Virtual Private Network Connection”, click next
4. Enter a Company Name “My Company”, click next
5. Select “Do not dial the initial connection”, click next
6. This setting could be used to invoke a 3G connection before the VPN connection
7. Enter the Host name or IP Address “”, click next
8. Select “Do not use my smart card”, click next
9. Select “Anyone’s use” if this is to be used by anyone who logs onto the laptop
10. Select the option to “Add a shortcut to this connection to my desktop”, click Finish
11. A Pop-up Window is displayed. “Connect My Company” Select “Properties”
12. Select the “Networking” tab
13. Change “Type of VPN” to “L2TP IPSec VPN”
14. Select the “Security” tab
15. Select “Advanced (custom settings)” Default is set to “Typical (recommended settings)”
16. Click “Settings”
17. Leave “Data Encryption” set as default “Require Encryption (disconnect if server declines)”
18. Select “Use Extensible Authentication Protocol (EAP)” and Change the Dropdown Box to “MD5-Challenge”
19. Select “OK” to save changes
20. Select “IPSec Settings”
21. Tick “Use pre-shared key for authentication” Enter the pre shared key
22. Click “OK” to save settings
Checkpoint Logs
This is what you should see in a working setup.
Depending on the connecting client, the logs will look different. Highlighted in Bold below.
iPhone
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
6. Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )
7. Login (VPN internal Source connected to gateway)
8. UDP L2TP > Accept
9. Login (PPP: Connection succeeded auth_method: MD5-Challenge machine: om_method: IP pools assigned_IP: )
10. Key Install (IKE: Informational Exchange Received Delete IPSEC-SA from Peer: SPIs: *********)
Windows XP
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
6. Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )
7. Login (VPN internal Source connected to gateway)
8. UDP L2TP > Accept
9. Login (PPP: Connection succeeded auth_method: MD5-Challenge machine: om_method: IP pools assigned_IP: )
Android
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. key Install (IKE: Informational Exchange Received Notification from Peer: Initial Contact (phase1))
6. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
7. Key Install (IKE: Quick Mode completion IKE IDs: host: and host: )
8. Login (VPN internal Source connected to gateway)
9. UDP L2TP > Accept
10. Login (Session: PPP: Authenticated by FireWall-1 Password auth_method: Password Authentication Protocol (PAP) machine: om_method: IP pools assigned_IP: )
Reference :
Checkpoint L2TP Supplement Release Notes
http://www.checkpoint.com/iphone/downloads/release-notes.pdf
Prerequisites
1. A functional remote access VPN
2. Office Mode (for all users)
3. Remote access user (using a checkpoint password scheme)
In other words, if you currently have a set of remote access workers connecting using secure remote/client with office mode. The following guide should work!
1. Enable "Gateway support IKE over TCP"
Global Properties > Remote Access > VPN Basic
2. Enable "L2TP Support"
Firewall Object > Remote Access
3. Choose "MD5-Challenge" authentication
Firewall Object > Remote Access
4. Shared Secret (The tricky part)
a. Create a empty file called "l2tp.conf"
b. type in plain text a shared secret into the above file. There are no config items or tags, the file should only contain a single line of plain text.
e.g. mysharedsecret1234
c. Copy l2tp.conf to your Firewall "Gateway" (not the management station)
E.g. $FWDIR/conf/
this would resolve to the following if you are using a NOKIA gateway
/var/opt/CPsuite-R70/fw1/conf
5. Add UDP L2TP to your rulebase
You should have an existing "Any VPN" rule for your existing remote access users
Source > any
Destination > Firewall Object
VPN > any traffic
Service > L2TP (UDP)
Action > accept
6. Install the FW policy.
Android Configuration
1. Go to Settings -> Wireless & Networks -> VPN Settings
2. Tap Add VPN
3. Tap L2TP/IPSec PSK VPN
4. Set a VPN name (My Office VPN)
5. Set VPN Server to either DNS or IP of your firewall
6. Set IPSec pre-shared key (used in the l2tp.conf)
7. Tap the Menu Key, Tap Save
iPhone Configuration
1. From your iPhone home screen, go to Settings > General > Network > VPN > Settings
2. Server: Enter your VPN-1 server FQDN (DNS name) or IP address
3. Account: Enter you checkpoint username and password
4. RSA Secure ID: Off
5. Password: Ask Every Time
6. Secret: Enter the IPSec pre-shared key (used in the l2tp.conf)
7. Send all Traffic: On
Windows XP Configuration
1. Select Start > Settings > Control Panel > Network Connections > New Connection Wizard
2. Select “Connect to the network at my workplace”, click next
3. Select “Virtual Private Network Connection”, click next
4. Enter a Company Name “My Company”, click next
5. Select “Do not dial the initial connection”, click next
6. This setting could be used to invoke a 3G connection before the VPN connection
7. Enter the Host name or IP Address “
8. Select “Do not use my smart card”, click next
9. Select “Anyone’s use” if this is to be used by anyone who logs onto the laptop
10. Select the option to “Add a shortcut to this connection to my desktop”, click Finish
11. A Pop-up Window is displayed. “Connect My Company” Select “Properties”
12. Select the “Networking” tab
13. Change “Type of VPN” to “L2TP IPSec VPN”
14. Select the “Security” tab
15. Select “Advanced (custom settings)” Default is set to “Typical (recommended settings)”
16. Click “Settings”
17. Leave “Data Encryption” set as default “Require Encryption (disconnect if server declines)”
18. Select “Use Extensible Authentication Protocol (EAP)” and Change the Dropdown Box to “MD5-Challenge”
19. Select “OK” to save changes
20. Select “IPSec Settings”
21. Tick “Use pre-shared key for authentication” Enter the pre shared key
22. Click “OK” to save settings
Checkpoint Logs
This is what you should see in a working setup.
Depending on the connecting client, the logs will look different. Highlighted in Bold below.
iPhone
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
6. Key Install (IKE: Quick Mode completion IKE IDs: host:
7. Login (VPN internal Source
8. UDP L2TP > Accept
9. Login (PPP: Connection succeeded auth_method: MD5-Challenge machine:
10. Key Install (IKE: Informational Exchange Received Delete IPSEC-SA from Peer:
Windows XP
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
6. Key Install (IKE: Quick Mode completion IKE IDs: host:
7. Login (VPN internal Source
8. UDP L2TP > Accept
9. Login (PPP: Connection succeeded auth_method: MD5-Challenge machine:
Android
1. UDP IKE > Accept
2. UDP IKE_NA_Transversal > Accept
3. Login (authenticated by pre-shared secret)
4. Key Install (IKE: Main Mode completion [NAT-T])
5. key Install (IKE: Informational Exchange Received Notification from Peer: Initial Contact (phase1))
6. Key Install (IKE: Quick Mode Sent Notification: Responder Lifetime)
7. Key Install (IKE: Quick Mode completion IKE IDs: host:
8. Login (VPN internal Source
9. UDP L2TP > Accept
10. Login (Session:
Reference :
Checkpoint L2TP Supplement Release Notes
http://www.checkpoint.com/iphone/downloads/release-notes.pdf
Monday, July 25, 2011
Packet Flow Through the Check Point's INSPECT Engine
Internal user attempting to connect to the Internet through the firewall.
Physical layer - ingress interface
Data Link Layer/Ethernet
Inspect Driver [inspect Engine]
Network Layer/IP Routing
Inspect Driver
Data Link Layer/Ethernet
Physical layer - egress interface
Opening an SSH connection to the firewall itself
Physical layer - ingress interface
Data Link Layer/Ethernet
Inspect Driver
Network Layer/IP Routing
Transport Layer/TCP connectivity
Layers 5-7/SSHD process
Data Link Layer/Ethernet
Inspect Driver [inspect Engine]
Network Layer/IP Routing
Inspect Driver
Data Link Layer/Ethernet
Physical layer - egress interface
Opening an SSH connection to the firewall itself
Physical layer - ingress interface
Data Link Layer/Ethernet
Inspect Driver
Network Layer/IP Routing
Transport Layer/TCP connectivity
Layers 5-7/SSHD process
--------------------------------------------
Longer Version with more Functions Enabled on the FW module:
NIC hardware
-The network card receives electrical signalling from the link partner.
NIC driver
-Sanity checks
-The NIC hardware decodes the signal and passes it to the operating system's NIC driver via the PCI bus
-The frame is converted to an mbuf entry and the frame headers are stored for later use.
-NIC driver hands off the data to the operating system's mbuf memory space
Operating system IP protocol stack
-The OS performs sanity checks on the packet
-Hand off to SXL if enabled, or to Firewall Kernel if not
SecureXL (if enabled)
-SXL lookup is performed, if it matches, bypass the firewall kernel and proceed with (Operating system IP protocol stack, outbound side)
Firewall Kernel (inbound processing)
-FW Monitor starts here
-Connection state lookups, some protocol inspection, rulebase processing, antispoofing lookups etc
-Processing order can be seen via fw ctl chain
-Bypass complex inspection if not needed
Complex protocol inspection (AV is an example)
-Leave the kernel and process under userland.
-Enters back at this same stage if the traffic passed
(inbound processing stops here)
Firewall Kernel (outbound processing starts here)
-Route lookup
-Check Point sanity checks etc
-FW Monitor ends here
-Pass to operating system
Operating system IP protocol stack
-The OS performs sanity checks on the packet
-Pass the mbuf to the NIC driver for the appropriate outbound interface
NIC driver
-Tag the packet as an ethernet frame by adding MAC addresses for source and destination
NIC hardware
-The NIC hardware encodes the signal and transmits it via wire
----------
Between all the steps there are queues. These queues accumulate packets and on intervals flush them to the next step. All of this happens very very quickly in small CPU time slices.
The INSPECT engine itself is more to do specifically with protocol inspection rather than all of the other steps. INSPECT runs traffic against definitions, if the definitions match it usually means that it hit a protection and the appropriate action is to (drop, log) the traffic.
There are a LOT more steps in the sequence I posted above, for example any kind of VPN traffic gets different processing, which is done in chains. The chains look at the traffic type and determine the next step via a finite state machine.
Thursday, July 21, 2011
CLusterXL or Nokia VRRP ? Which one should I use ? What is the difference?
You can use Nokia VRRP or Nokia Clustering or Checkpoint ClusterXL.
ClusterXL requires licence.
ClusterXL is for SPLAT/Linux/UNIX ONLY.
With the Nokias you dont have to use ClusterXL just VRRP or IP Clustering.
If you use Nokia VRRP you can have HA but the other box will act as HOT/STANDBY i.e ACTIVE/PASSIVE
.
If you use Nokia cluster then you can configure the boxes in Active-Active or Active-Passive mode.
On the Nokia's you are only using ClusterXL for the Check Point synchronization NOT for the actual FAILOVER information.
with Nokia Active/active clustering, you will need two state networks. One for Checkpoint state (fw) and one for Nokia state (ipso). It is not recommended to use the same network for both states.
With Nokia's you should not tick ClusterXL. You should configure under 3rd Party and select Nokia VRRP is if you want an active-passive or IPSO Clustering if running IPSO Cluster and an active-active environment.
Do not use a crossover cable between the two firewalls for state networks. If one firewall goes down the other will see that interface go down and they both try to leave the cluster.
If you have a Cisco switch between the firewalls using Vlans, make sure multicast is TURNED ON on the switch. You can switch the Checkpoint state network to broadcast but not the Nokia state network. some Cisco switches would not listen to a gratuitous ARP from a VIP address.A simple static ARP entry i.e. MAC address of the firewalls VIP in to the switch ARP table will do the trick.
Check this link goo.gl/eua2R for CISCO swithes + multicast issues.
You setup the Nokia state network in Cluster voyager. You setup the checkpoint state network in smart dashboard.
(I think It is possible that IPSO 4.X allows you to switch from the default multicast to broadcast on the Nokia state network.) to be verfied.
ClusterXL requires licence.
ClusterXL is for SPLAT/Linux/UNIX ONLY.
With the Nokias you dont have to use ClusterXL just VRRP or IP Clustering.
If you use Nokia VRRP you can have HA but the other box will act as HOT/STANDBY i.e ACTIVE/PASSIVE
.
If you use Nokia cluster then you can configure the boxes in Active-Active or Active-Passive mode.
On the Nokia's you are only using ClusterXL for the Check Point synchronization NOT for the actual FAILOVER information.
with Nokia Active/active clustering, you will need two state networks. One for Checkpoint state (fw) and one for Nokia state (ipso). It is not recommended to use the same network for both states.
With Nokia's you should not tick ClusterXL. You should configure under 3rd Party and select Nokia VRRP is if you want an active-passive or IPSO Clustering if running IPSO Cluster and an active-active environment.
Do not use a crossover cable between the two firewalls for state networks. If one firewall goes down the other will see that interface go down and they both try to leave the cluster.
If you have a Cisco switch between the firewalls using Vlans, make sure multicast is TURNED ON on the switch. You can switch the Checkpoint state network to broadcast but not the Nokia state network. some Cisco switches would not listen to a gratuitous ARP from a VIP address.A simple static ARP entry i.e. MAC address of the firewalls VIP in to the switch ARP table will do the trick.
Check this link goo.gl/eua2R for CISCO swithes + multicast issues.
You setup the Nokia state network in Cluster voyager. You setup the checkpoint state network in smart dashboard.
(I think It is possible that IPSO 4.X allows you to switch from the default multicast to broadcast on the Nokia state network.) to be verfied.
Which Remote Access Client With Which Gateway?
The recent Remote Access Clients E75.10 release actually released three separate clients:
* Endpoint Security VPN (a.k.a. replacement for Secure Client)
* Check Point Mobile for Windows (essentially Secure Client without desktop firewall)
* SecuRemote (with 64-bit support)
All three clients are installed from the same MSI file.
Not every client is compatible with every version of Security Gateway/VSX/UTM-1 EDGE device. Currently none of these clients work with the SG80 device, but will be in the next software update.
The following is a definitive list of what will work with what and what licenses you will need.
Endpoint Security VPN (a.k.a. the next generation of Secure Client) is supported with the following security gateways (available today, unless otherwise noted):
* R65.70 + hotfix from sk61286
* R70.40 + hotfix from sk61286
* R71.30
* R75
* VSX R67.10 (to be released)
* Sofaware firmware 8.2.33
Endpoint Security VPN requires an Endpoint Container + Remote Access Blade to cover each user. Licensing is per-seat (i.e. each user that could connect with Endpoint Security VPN must be licensed).
Check Point Mobile for Windows is supported with the following security gateways –
* R75 + hotfix from sk60940
* Sofaware firmware 8.2.33
Check Point Mobile for Windows requires Mobile Access Blade licenses (CPSB-MOB), which are licensed by number of concurrent users that connect. It will also work with all gateways that support Endpoint Security VPN if you have a Endpoint Container + Remote Access Blade license to cover the user.
SecuRemote (for Windows 64-bit) is supported with the following security gateways -
* R65.70 + hotfix from sk61286
* R70.40 + hotfix from sk61286
* R71.30
* R75.10 (to be released)
* VSX R67.10 (to be released)
* Sofaware firmware 8.3 (to be released)
SecuRemote requires an IPSec VPN Blade license and has no per-user limits. It does not require a special license like it did in NGX and earlier.
credit:Phoneboy
* Endpoint Security VPN (a.k.a. replacement for Secure Client)
* Check Point Mobile for Windows (essentially Secure Client without desktop firewall)
* SecuRemote (with 64-bit support)
All three clients are installed from the same MSI file.
Not every client is compatible with every version of Security Gateway/VSX/UTM-1 EDGE device. Currently none of these clients work with the SG80 device, but will be in the next software update.
The following is a definitive list of what will work with what and what licenses you will need.
Endpoint Security VPN (a.k.a. the next generation of Secure Client) is supported with the following security gateways (available today, unless otherwise noted):
* R65.70 + hotfix from sk61286
* R70.40 + hotfix from sk61286
* R71.30
* R75
* VSX R67.10 (to be released)
* Sofaware firmware 8.2.33
Endpoint Security VPN requires an Endpoint Container + Remote Access Blade to cover each user. Licensing is per-seat (i.e. each user that could connect with Endpoint Security VPN must be licensed).
Check Point Mobile for Windows is supported with the following security gateways –
* R75 + hotfix from sk60940
* Sofaware firmware 8.2.33
Check Point Mobile for Windows requires Mobile Access Blade licenses (CPSB-MOB), which are licensed by number of concurrent users that connect. It will also work with all gateways that support Endpoint Security VPN if you have a Endpoint Container + Remote Access Blade license to cover the user.
SecuRemote (for Windows 64-bit) is supported with the following security gateways -
* R65.70 + hotfix from sk61286
* R70.40 + hotfix from sk61286
* R71.30
* R75.10 (to be released)
* VSX R67.10 (to be released)
* Sofaware firmware 8.3 (to be released)
SecuRemote requires an IPSec VPN Blade license and has no per-user limits. It does not require a special license like it did in NGX and earlier.
credit:Phoneboy
Subscribe to:
Posts (Atom)