FireWall-1 FAQ: WARNING: Using S/Key Authentication instead of FWA1: No Encryption License
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
I am getting the following WARNING message upon starting up. What does it mean and how can I get rid of it?
WARNING: Using S/Key Authentication instead of FWA1: No Encryption License
That message indicates that FireWall-1 is using skey instead of fwa1 as the authentication method for the load and fetch operations between the client (pfm) and its master (control). Why isn’t it possible to use method fwa1? fwa1 requires the ‘encryption’ feature and FireWall-1 has detected that such feature does not exist on the current machine. To check for the ‘encryption’ feature, run the following command on both your management console and your firewall(s):
fw printlic -k
If you don’t have either “encryption”, “pfmx”, or “controlx” license, then you have no encryption.
To get rid of the warning,
- Make a backup of $FWDIR/lib/control.map
- Change all occurances of fwa1 in control.map to skey (If 3.0 or later, you can also use fwn1)
- fwstop ; fwstart
In FireWall-1 4.0, there is a NON-ENCRYPTED line you can edit instead of changing all occurances of fwa1 to skey. On your management console, add all your firewall module IP addresses. On your firewall module, put the IP(s) of your management console.