
How we did it

By Joel Snyder, Network World, 05/30/2005

We tested the Check Point VPN-1 Edge W firewall by taking a portion of our production network out from behind our firewall and moving the Edge W in its place to protect the network. We configured the firewall first using the Web-based GUI to give a typical policy for a branch office network, with outgoing access allowed and a small number of internal servers and services accessible from the outside. We did a few tests to evaluate whether the virus scanning was activated and working and to check the WAN failover capabilities of the Edge W.

For wireless testing, we first tested Wi-Fi Protected Access with pre-shared key authentication using two clients: the Windows built-in wireless driver on a Dell laptop running Windows XP, and the Mac OS X built-in wireless driver on a PowerBook running OS X 10.3. Then, we used the Odyssey RADIUS server provided by Funk Software to test 802.1X authentication combined with Wi-Fi Protected Access.

For our VPN test, we downloaded the most recent versions of the Check Point VPN client (SecureClient) to the Dell and Mac laptops and attempted to connect from the Internet back to the network protected by the Edge W. For the site-to-site test, we initially tried to connect the Edge W firewall to our NetScreen and Cisco VPN gateways. This test was not successful because the Edge W could not bring up a fully functioning tunnel with either of these gateways using the GUI. We were able to bring up a tunnel to the NetScreen using command-line interface (CLI) configuration and several hours of aggravation, but limitations in the Edge W configuration prevented this from working completely. Then we set up a Check Point NG R55 firewall on a Nokia IPSO system in front of the rest of our production network and brought up a secured VPN link between the Edge W and the new firewall without problems.

To evaluate the management capabilities of the Edge W, we created initial configurations with the GUI and then switched to CLI-based configuration, including a test of the disaster-recovery capabilities of the system by saving the configuration, clearing the device and restoring it.

To test VoIP traffic and QoS prioritization, we set up calls with Session Initiation Protocol-based phones from Cisco and an Asterisk SIP proxy. To provide rate limiting, we moved the Edge W behind an unloaded DSL circuit. We tested voice quality going across the Internet to another location across the country with no other services running, then with several simultaneous multi-megabyte downloads (from the Internet to the inside of the Edge W) running, both with and without QoS prioritization and bandwidth reservation enabled. We set the Edge W to reserve 64K for the IP address being used by the SIP phone. We used subjective evaluations of voice quality to determine whether the Edge W was successful in "protecting" the VoIP traffic from the downloads.
