The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: URIs for FireWall-1 to Proxy

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Any URI filtering, virus scanning or authentication causes the connection to be folded into the HTTP Security Server. This means the HTTP Security Server opens the connection on behalf of the user. There is a diagram in the 4.0 documentation discussing how transparent telnet connections are authenticated. It that has the following note: "(The client) sees this connection as originating from (the firewall)." The 3.0 documentation has no such note, but has the same diagram. It would make sense they would do it the same way for all the other protocols as they do for telnet. In practice, it does.

The NG release does not "proxy" connections that go through the Security Servers any longer, i.e. the source address should be the client's IP address, unless NAT is applied. To change the behaviour back to the pre-NG behaviour, you can make a modification with dbedit on the management console as follows (fw-module is the name of your firewall object). Only execute the "modify" command for the security server you wish to change the behaviour for.

    dbedit> modify network-objects fw-module firewall_settings:http_transparent_server_connection false
    dbedit> update properties network-objects

You can also do this for telnet, rlogin, and ftp (e.g. telnet_transparent_server_connection, rlogin_transparent_server_connection, and ftp_transparent_server_connection). Refer to Editing objects.C for more information.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.