The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: No Client Auth Rules Available

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Client Authentication rules generally look like this:

Source Destination Service Action
UserGroup@AllowedSources AllowedDestinations AllowedServices Client Auth

A particular client auth rule applies when all of the following are true:

  • The username specified during the client authentication attempt is in the group User-Group
  • The source IP address of your connection to the firewall is in the group Allowed-Sources
  • The source IP address of your connection is specified in the username’s allowed source (i.e. “Source” under the “Location” tab in the User Properties).

If you are getting the error message, it means that none of the client authentication rules meet all of the above criteria. If you can’t figure out why, the latter is usually the culprit.

If nothing is listed in the user’s allowed sources, then the user will generally not be able to authenticate from anywhere unless “Ignore User Database” is specified in the Client Authentication Properties. “Any” should be specified here, or at the very least, the desired allowed sources should.

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.