The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: Sample FireWall-1 4.1 with SecuRemote Configuration

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


Here is a sort of cookbook procedure for setting up your FireWall to support SecuRemote connections:

Licenses and Binaries

Make sure your firewall binaries support encryption. Running ‘fw ver’ should show something like:

This is Check Point FireWall-1 Version 3.0b [VPN] (Build Number: 3083)

If it says ‘VPN’ anywhere in that line, you have VPN binaries. Next, make sure that your firewall has the encryption feature license by running ‘fw printlic -p’.

Look for the word “pfmx” or “encryption” in a feature string. If you do not have a valid license with either of these features, you can not use encryption or VPN capabilities.

If you have encryption, you will find the features fwz and/or ike present in the output.

You will also need a SecuRemote-specific license to utilize SecuRemote. Currently, these can be requested from Check Point for free.
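The checks above are easy to get wrong by eye on a long license listing, so here is a small preflight script that applies them. It is an added example, not part of the original FAQ or of Check Point's tools. It parses the output of ‘fw ver’ and ‘fw printlic -p’ for the ‘[VPN]’ marker, the ‘pfmx’/‘encryption’ feature and the ‘fwz’/‘ike’ methods, and then applies the FAQ's preference for IKE over FWZ. The version and license outputs embedded in it are constructed samples so it runs offline; on a real module you would feed it the live command output instead. It does not check for the SecuRemote-specific license, since the FAQ does not give that feature string.

```shell
#!/bin/sh
# Preflight check for SecuRemote/VPN support on a FireWall-1 4.x module.
# Added example, not from the original FAQ. Checks the three things the
# text asks for: VPN binaries ('[VPN]' in 'fw ver'), an encryption feature
# ('pfmx' or 'encryption' in 'fw printlic -p'), and which encryption
# methods ('fwz', 'ike') the license carries.

# Constructed sample outputs so the script runs offline. On a real
# firewall use: FW_VER_OUT=$(fw ver); FW_LIC_OUT=$(fw printlic -p)
SAMPLE_VER='This is Check Point FireWall-1 Version 4.1 [VPN] (Build Number: 41439)'
SAMPLE_VER_NOVPN='This is Check Point FireWall-1 Version 4.1 (Build Number: 41439)'
SAMPLE_LIC='Host            Expiration  Features
192.0.2.1       never       pfmx fwz ike'
SAMPLE_LIC_FWZ_ONLY='Host            Expiration  Features
192.0.2.1       never       encryption fwz'
SAMPLE_LIC_NOENC='Host            Expiration  Features
192.0.2.1       never       routers'

# Returns 0 if the binaries were built with VPN support, 1 otherwise.
has_vpn_binaries() {
    printf '%s\n' "$1" | grep -Fq '[VPN]'
}

# Returns 0 if some license line carries an encryption feature, 1 otherwise.
# The boundary pattern avoids matching these words inside longer tokens.
has_encryption_license() {
    printf '%s\n' "$1" | grep -Eqi '(^|[^a-z])(pfmx|encryption)([^a-z]|$)'
}

# Prints the SecuRemote encryption methods the license allows
# ("fwz", "ike" or "fwz ike") on one line; prints an empty line if none.
licensed_methods() {
    methods=""
    for m in fwz ike; do
        if printf '%s\n' "$1" | grep -Eqi "(^|[^a-z])$m([^a-z]|$)"; then
            methods="$methods $m"
        fi
    done
    printf '%s\n' "${methods# }"
}

# Picks a method the way the FAQ does: IKE if licensed, FWZ as the
# fallback, "none" (with exit status 1) if encryption cannot be used.
recommended_method() {
    ver="$1"; lic="$2"
    has_vpn_binaries "$ver" || { echo none; return 1; }
    has_encryption_license "$lic" || { echo none; return 1; }
    case " $(licensed_methods "$lic") " in
        *" ike "*) echo ike ;;
        *" fwz "*) echo fwz ;;
        *)         echo none; return 1 ;;
    esac
}

# Stand-alone run against the constructed samples.
for lic in "$SAMPLE_LIC" "$SAMPLE_LIC_FWZ_ONLY" "$SAMPLE_LIC_NOENC"; do
    printf 'methods: [%s] -> use: %s\n' "$(licensed_methods "$lic")" \
        "$(recommended_method "$SAMPLE_VER" "$lic" || true)"
done
```

The word-boundary regex matters: ‘fw printlic -p’ prints several feature tokens per line, and a plain substring match for ‘ike’ or ‘fwz’ could hit an unrelated token.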

FWZ or IKE?

There are three basic choices for SecuRemote: FWZ without encapsulation, FWZ with encapsulation, and IKE (which uses encapsulation). Here is a list of why you might or might not want to use a particular method:

Use unencapsulated FWZ when:

  • You are using FireWall-1 3.0 or earlier.
  • The IP addresses behind the firewall use routable addresses without NAT.
  • The SecuRemote client is not subject to NAT.

Do NOT use unencapsulated FWZ, and instead use encapsulated FWZ when:

  • You are using FireWall-1 3.0 or later
  • NAT is necessary and you must use non-NAT friendly protocols via SecuRemote (Microsoft Networking)
  • Your clients must access machines behind the firewall via non-routable addresses

Use IKE when:

  • You are using FireWall-1 4.0 or later
  • You want strong encryption (3DES) support
  • NAT is necessary and you must use non-NAT friendly protocols via SecuRemote (Microsoft Networking)
  • Your clients must access machines behind the firewall via non-routable addresses
  • Your SecuRemote client systems are subject to NAT (HIDE or STATIC) before they reach the firewall

Do NOT use IKE if:

  • If you are using FireWall-1 4.0 or earlier and your security policy requires that remote access requires a one-time password like SecurID or S/Key.
  • You require a password to be entered every so often. FireWall-1 4.1 has support for this with ISAKMP if you have the appropriate Secure Client feature license.

Due to recent discoveries of problems with how Check Point handles FWZ encryption, I would strongly encourage using only IKE. IKE also offers stronger 3DES encryption, whereas FWZ offers only DES. Also note that FWZ support is being deprecated in the NG release, so you should use IKE wherever it is reasonable to do so.

Local Gateway Setup

Before beginning, define your encryption domain. See What Should my Encryption Domain Be if you do not know how to do this.

Modify your gateway object. Make sure your firewall object is marked as “exportable” in the General tab. Also ensure that the IP address listed for your firewall object is the external, routable IP address, and that the nodename of your firewall resolves (in DNS or in your hosts file) to that same external address.

In the Encryption tab, make sure you select the group/network object that represents your encryption domain.

If FWZ is to be used:

  • Check FWZ encryption.
  • If FireWall-1 3.0 is being used, make sure you select “Encapsulate SecuRemote Connections” in this screen if you plan on using FWZ encapsulation.
  • Click on ‘Edit’. You should see tabs for CA and DH key. On 4.0, you will also see an Encapsulation tab.
  • The CA key will be local. Click on button ‘Generate’ to generate a key.
  • The DH key will need to be defined. Click on ‘Generate’.
  • If using FireWall-1 4.0 and you wish to use FWZ encapsulation, click on the Encapsulation tab and select Encapsulate SecuRemote Connections.
  • Make sure that “Respond to Unauthenticated Topology Requests” is checked in the Rulebase Properties, Encryption Tab.
  • Make sure the appropriate user objects are created and defined with FWZ encryption. In 3.0, this is the default. In 4.0, make sure ‘FWZ’ is checked in the Encryption tab. Make sure the appropriate options are configured.

If IKE is to be used:

  • Check IKE encryption.
  • Click on ‘Edit’ to verify the IKE options are appropriate. The defaults are usually sufficient.
  • Make sure the appropriate user objects are created and defined with ISAKMP encryption. Make sure IKE is checked in the Encryption tab. Make sure the appropriate options are configured, especially the password.

On your firewall, add the following rules near the top:

Source          Destination          Service     Action
any             firewall             RDP, IKE    Accept
AllUsers@any    firewall-encdomain   Any         Client Encrypt

Note that if you have not disabled “Enable FireWall-1 Control Connections” in the Rulebase Properties, then the first rule is not needed.

If you are using FireWall-1 4.1 and later and are using SecurID or some other external scheme for authentication (outside of pre-shared secrets), then you must configure FireWall-1 according to the document: How to Configure Hybrid Mode IKE for SecuRemote Authentication.

Site retrieval for SecuRemote Client

On a system with SecuRemote installed, you will need to add a new site.

Your users will add the IP address of your firewall module or management console. If you have disabled FireWall-1 Control Connections via the Rulebase Properties, you will need to permit the service FW1 to your management console. If you use your management console and it has a non-routable IP address, you will need to set up a static address translation so external hosts can access it.

Version 4.0 or earlier cannot use the firewall module, in this case you must use the management console.

Alternatively, you can fetch the site information from a SecuRemote client inside the firewall and make a special installation with your site information already pre-configured for your users. See How to Automate SecuRemote Configuration for details.

#Cybersecurity Evangelist, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.