FireWall-1 FAQ: Partially Automatic Client Authentication (i.e. Implicit Client Authentication, or Session Auth of HTTP is slow)
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Using Session Authentication for HTTP will result in performance problem, at least in the standard way. The browser opens HTTP connection for each item in the page, so an authentication session will be done for each item. Even if you cache the passwords, there is still a significant overhead for each connection. There are two standard ways to provide efficient user-level authentication for HTTP:
- Standard HTTP User Authentication
- Client Authentication
There is another way to do this called "Implicit Client Auth," or Partially Automatic Client Auth. In FireWall-1 4.0 and later, you perform the following steps:
- Create a rule like so:
|[email protected]||Any||http||Client Auth|
- Edit the properties on the Client Auth action and change the Sign-On Method to Fully Automatic Sign-On
So what does this do for you?
- The first time a user tries HTTP through the firewall, the "Client Auth" rule will not be available because the user has not authenticated. FireWall-1 will then attempt to authenticate the user via Session Authentication.
- After the user successfully authenticates, the firewall will "mimic" a Client Auth for the user, i.e. performing a "standard sign-on" for all Client Auth rules that apply for that user.
- Future HTTP sessions will hit the "Client Auth" rule. FireWall-1 will remember that it has already authenticated you.
- If you want the user to reauthenticate every 15 minutes or after so many accesses, you can set the Client Auth timeouts accordingly. When the user has reached his timeout value, new connections will not succeed until a successful Session Authentication has been performed.
Note that you can also do this with Session Auth as well. Set the sign-on method to "Fully Automatic" (uses User Auth for supported services, Session Auth for other services) or "Agent Automatic" (Session Authentication used for all services) instead of "Partially Automatic."