The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: Site Says It Is Not a Certificate Authority

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


When you try and add a firewall as a site in SecuRemote, you see the following error message:

Error: Site xxx.xxx.xxx.xxx says that it is not a Certificate Authority. Check whether you have got the right IP address for xxx.xxx.xxx.xxx, and check with the FW-1 system manager there whether xxx.xxx.xxx.xxx is indeed a FW-1 control station.

If the management console and firewall module are on separate boxes, you add the IP address of the management console for the firewall in question. You can use the firewall module only if you have SecuRemote licenses installed on the firewall module. Conversely:

  1. The management console must have a routable address. If it does not have a routable address, you will need to set up a static address translation for it.
  2. SecuRemote Clients must be able to access the management console or firewall via the “FW1_topo” service (TCP port 264) if you are using Secure Client 4.1 (4110 and above builds of SecuRemote) with FireWall-1 4.1. You must allow the ‘FW1’ service (TCP port 256) if you are using a SecuRemote 4.0 client or using FireWall-1 4.0.
  3. Your Certificate Authority must have an FWZ CA key generated or be configured with IKE. Look at your firewall object, ensure FWZ or IKE is checked in the encryption tab, and make sure a CA key is generated for FWZ.
  4. If you are using Secure Client 4.1 with FireWall-1 4.0, you must have FWZ checked in your VPN tab and have encryption keys defined even if you only intend on using ISAKMP. What the user will actually use for encryption is determined in his user record in FireWall-1. Note you can get around this limitation if you uncheck the “Respond to Cleartext Topology Requests” in Policy Properties, Encryption tab.
  5. In 4.1 SP5 and above, you will want to ensure that “Respond to Unauthenticated Topology Requests” is disabled. In NG, this option is not present.

If you just recently installed your SecuRemote licenses, you will need to restart FireWall-1 before the licenses will take effect.

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.