The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: FireWall-1 as a Reverse HTTP Proxy

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


You can sort of do this, though it's not as extensive as Netscape's Proxy server and will require you to use Authentication. HTTPS is not supported until FireWall-1 4.0.

If you go to Policy Properties and go to the "Security Servers" tab, you will see "HTTP Servers". Users will specify the firewall as the "host" part of the URL and, depending on what "logical server" they reference as the "path" part of the URL, they will be automagically be redirected to another internal server. To the user, it looks like one big site requiring authentication.

Let's say my firewall has the DNS name firewall.foo.com and I create three "logical server" definitions:

Logical Server URL Port
main(N) http://internal.foo.com 80
graphics http://graphics.foo.com 80
cgi http://cgi.foo.com 8000

The (N) here siginifies that I've checked the checkbox entitled "Server for Null Requests" in the Logical Server definition.

This means the following:

  1. http://firewall.foo.com/index.html will be fetched from http://internal.foo.com/index.html ("Internal" is the server for Null Requests and will take everything that is not under /graphics or /cgi).
  2. http://firewall.foo.com/graphics/dots/red-blinker.gif will be fetched from http://graphics.foo.com/dots/red-blinker.gif
  3. http://firewall.foo.com/cgi/process-form.pl will be fetched from http://cgi.foo.com:8000/process-form.pl

Assuming your web pages use relative links, it should all be transparent to the end user and look like one, big, happy site.

The rule to enable this access is:

Source Destination Service Action
[email protected] InternalHTTPServers HTTP User Auth

In the properties for User Auth, you should specify "allow pre-defined servers only" and also insure that the HTTP Security Server is enabled in $FWDIR/conf/fwauthd.conf.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.