The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Policy Install Logs Out Client Auth Users

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


A policy re-install flushes certain tables, of which the client_auth table is one of. You can go into $FWDIR/lib/table.def on the management console and modify the following entry:

client_auth = dynamic sync expires AUTH_TIMEOUT;

A 'keep' needs to be added to the end of this line. It should read:

client_auth = dynamic sync keep expires AUTH_TIMEOUT;

You will need to re-install the security policy from the management console for this to take effect.

The 'keep' (which generally should be added after 'sync') will prevent the client_auth table from being flushed on a policy re-install. The only way to flush this table is to bounce FireWall-1 (fwstop; fwstart).

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.