FireWall-1 FAQ: Policy Install Logs Out Client Auth Users
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
A policy re-install flushes certain tables, one of which is the client_auth table. To change this, edit $FWDIR/lib/table.def on the management console and modify the following entry:
client_auth = dynamic sync expires AUTH_TIMEOUT;
A ‘keep’ needs to be added to this line, after ‘sync’. It should read:
client_auth = dynamic sync keep expires AUTH_TIMEOUT;
You will need to re-install the security policy from the management console for this to take effect.
The ‘keep’ (which generally should be added after ‘sync’) prevents the client_auth table from being flushed on a policy re-install. With ‘keep’ in place, the only way to flush this table is to bounce FireWall-1 (fwstop; fwstart).
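One way to script the table.def edit described above so that it keeps a backup and is safe to re-run. This is an added example, not part of the original FAQ; the function name add_keep and its output strings are hypothetical, and the demo runs on a constructed sample line rather than a real table.def:

```shell
#!/bin/sh
# Added example (not from the original FAQ). add_keep and its messages are
# hypothetical names; the table.def line format is the one quoted on the page.

CA_RE='^[[:space:]]*client_auth[[:space:]]*='   # matches the client_auth entry

# add_keep FILE: prints "patched" or "already-kept"; returns 1 on error.
add_keep() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    n=$(grep -c "$CA_RE" "$file" || true)
    [ "$n" -eq 1 ] || { echo "expected 1 client_auth entry, found $n" >&2; return 1; }
    line=$(grep "$CA_RE" "$file")

    # Idempotent: a second run must not produce "sync keep keep".
    if printf '%s\n' "$line" | grep -q '[[:space:]]keep[[:space:];]'; then
        echo "already-kept"; return 0
    fi
    # The page places 'keep' after 'sync'; refuse to guess if 'sync' is absent.
    printf '%s\n' "$line" | grep -q '[[:space:]]sync[[:space:];]' ||
        { echo "no 'sync' attribute on client_auth entry" >&2; return 1; }

    cp -p "$file" "$file.bak" || return 1        # keep the original for rollback
    tmp="$file.tmp.$$"
    sed "/$CA_RE/ s/\([[:space:]]\)sync\([[:space:];]\)/\1sync keep\2/" \
        "$file.bak" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Verify the edit before touching the live file.
    grep "$CA_RE" "$tmp" | grep -q '[[:space:]]sync keep[[:space:];]' ||
        { rm -f "$tmp"; echo "edit did not apply" >&2; return 1; }
    cat "$tmp" > "$file" || return 1             # preserves owner and mode
    rm -f "$tmp"
    echo "patched"
}

# Demo on a constructed sample, unless a real path is given as $1.
if [ $# -gt 0 ]; then
    add_keep "$1"
else
    demo=$(mktemp)
    echo 'client_auth = dynamic sync expires AUTH_TIMEOUT;' > "$demo"
    add_keep "$demo" && cat "$demo"
    rm -f "$demo" "$demo.bak"
fi
```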