FireWall-1 FAQ: How Secure is communication between the modules?

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

In the NG release of FireWall-1, SSL with certificates is used between all components, including the management GUIs. This is described in more detail in sk101269.

In earlier releases, it is as follows:

  • Prior to 4.1 SP2: fwa1 (supposedly 192-bit) between modules if an encryption license is present, otherwise authenticated with S/Key
  • 4.1 SP2 and later 4.1 releases: fwa1 (192-bit)

Note that I do not recommend using your VPN rules to allow management traffic between the firewall and management console. You could very easily get yourself into a bind where the VPN breaks and have a hell of a time getting things working again because your security policy only permits policy loads through the VPN rules.
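The pitfall above is a rule-ordering one: with first-match semantics, if the only rule that matches management-to-module traffic is an Encrypt (VPN) rule, a broken tunnel leaves you with no way to push a policy that would fix it. Below is an added lint, not code from the original FAQ or from Check Point, that walks a simplified rulebase and reports whether management traffic is reached by a plain Accept rule, only by a VPN rule, or not at all. The rule representation and the host names are constructed for the example; the service ports are an assumption (TCP 256 for the FireWall-1 control/policy-load service, TCP 18190 for CPMI in NG) and are not taken from the page. Implied rules, which real FireWall-1 policies evaluate before the explicit rulebase, are deliberately not modelled.

```python
# Added example: lint a simplified first-match rulebase to confirm that
# management -> module traffic is permitted by a plain Accept rule rather than
# only by an Encrypt (VPN) rule. Rule format and host names are constructed;
# the management ports below are an assumption, not values from the FAQ.

# Assumed FireWall-1 management services: TCP 256 (FW1 control) and
# TCP 18190 (CPMI, NG). Adjust for the release you actually run.
MGMT_PORTS = {256, 18190}


def rule_matches_mgmt(rule, mgmt_host, module_host):
    """True if this rule would match traffic from the management station
    to the module on one of the management ports."""
    src_ok = rule["src"] in ("Any", mgmt_host)
    dst_ok = rule["dst"] in ("Any", module_host)
    svc = rule["service"]
    svc_ok = svc == "Any" or bool(MGMT_PORTS & set(svc))
    return src_ok and dst_ok and svc_ok


def check_mgmt_path(rulebase, mgmt_host, module_host):
    """Evaluate the rulebase top-down (first match wins) for management traffic.

    Returns 'plain-accept' if a normal Accept rule is hit first,
    'vpn-only' if the first matching rule is an Encrypt rule (the trap the
    FAQ warns about), or 'dropped' if a Drop rule or the implicit cleanup
    rule is hit.
    """
    for rule in rulebase:
        if rule_matches_mgmt(rule, mgmt_host, module_host):
            if rule["action"] == "Accept":
                return "plain-accept"
            if rule["action"] == "Encrypt":
                return "vpn-only"
            return "dropped"
    return "dropped"  # nothing matched: implicit cleanup drop


# Constructed rulebases for demonstration.
MGMT = "mgmt-station"
MODULE = "fw-module"

# Risky: management traffic is only reachable through the VPN rule.
RISKY_RULEBASE = [
    {"src": MGMT, "dst": "Any", "service": "Any", "action": "Encrypt"},
    {"src": "Any", "dst": "Any", "service": "Any", "action": "Drop"},
]

# Safe: an explicit, unencrypted management rule sits above the VPN rule.
SAFE_RULEBASE = [
    {"src": MGMT, "dst": MODULE, "service": [256, 18190], "action": "Accept"},
    *RISKY_RULEBASE,
]

# Misordered: the same Accept rule exists but sits below the Encrypt rule,
# so it is never reached.
MISORDERED_RULEBASE = [
    RISKY_RULEBASE[0],
    SAFE_RULEBASE[0],
    RISKY_RULEBASE[1],
]


if __name__ == "__main__":
    for name, rb in (("risky", RISKY_RULEBASE),
                     ("safe", SAFE_RULEBASE),
                     ("misordered", MISORDERED_RULEBASE)):
        print(f"{name:11s} -> {check_mgmt_path(rb, MGMT, MODULE)}")
```

Run it and the risky and misordered rulebases both report `vpn-only`, which is the configuration to avoid: the explicit management Accept rule has to sit above any Encrypt rule that could also match that traffic.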

