The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: How Do I Configure $FWDIR/conf/fwopsec.conf?

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

The following comes from Check Point's OPSEC API Specificiation. The configuration information establishing how VPN-1/FireWall-1 will communicate with other OPSEC applications is defined in the file fwopsec.conf, located in the $FWDIR/conf directory.

To configure VPN-1/FireWall-1 as an OPSEC Client, define its connection with the OPSEC Server in fwopsec.conf using the following syntax:

server <ip address> <port number> <connection-type>

The parameters are explained in the table below.

Value Meaning
server Literally "server"
<ip address> The server's IP address in dot format
<port number> The port number
<connection-type> One of the following:
Value Meaning
opsec Authenticated only by IP address (clear)
auth_opsec Authenticated with putkeys
ssl_opsec Authenticated and encrypted with SSL


server 18182 ssl_opsec

This means that the Server on port 18182 at IP address uses SSL, which provides authenticated and encrypted connections.

Configuring VPN-1/FireWall-1 as an OPSEC Server

To configure VPN-1/FireWall-1 as an OPSEC Server, define its connection with OPSEC Clients in fwopsec.conf using the following syntax:

<server name> <port type> <port number>

For an authenticated connection, use the following format:

<server name> <port type> <port number> 
<server name> auth_type <authentication>

The parameters are explained in the table below.

Value Meaning
<server name> Of the form XXX_server where XXX is an OPSEC service (LEA, SAM, etc).
<port type> Either port for an unauthenticated, unencrypted communication or auth_port for an authenticated and/or encrypted.
<port number> Port number.
<authentication> Either auth_opsec for an authenticated connection or ssl_opsec for authentication and encryption.


lea_server auth_port 18184 
lea_server auth_type ssl_opsec

This means that VPN-1/FireWall-1 is configured as a LEA Server that communicates with the LEA Client on port 18184. The connection between Server and Client is authenticated and encrypted.

SAM Server as Proxy

A SAM Client's request for action is addressed to one or more FireWalled hosts through which a given connection should be inhibited or closed.

A SAM Server may act in agent mode or in proxy mode. When in agent mode, the SAM Server inhibits or closes the given connection through its local VPN\FireWall Module. When in proxy mode, the SAM Server passes the request on to other SAM Servers as appropriate. These Servers may in turn pass the requests on to other SAM Servers, until the action request reaches all the specified hosts.

A SAM Server that is located on a VPN-1/FireWall-1 Management Station always functions in proxy mode. By default, a SAM Server that is not located on a Management Station functions in agent mode. That is, it can only process the action requests that are directly addressed to itself. To change the mode of a SAM Server that is not located on a Management Station from agent to proxy, modify $FWDIR/conf/fwopsec.conf so that the value of is set to , as follows:

fw_allow_remote_requests yes

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.