The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Authentication and Content Security for Outbound HTTPS

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


(Relevant to FireWall-1 4.0 and above)

Due to the nature of HTTPS, it is only possible to authenticate or provide Content Security for HTTPS when the client specifies the firewall as the proxy for HTTPS (Called "Security" in recent versions of Netscape). Some other steps must be performed as well.

  1. Ensure the following line exists in $FWDIR/conf/fwauthd.conf: 443 in.ahttpd wait 0 If it's not there or it's commented out, add/uncomment it and bounce FireWall-1.

  2. Modify the pre-defined service https. In FireWall-1 4.1 and earlier, change the protocol type from "None" to "URI."

You may now use HTTPS for authentication or content security as appropriate. In pre-4.1 SP2 versions of FireWall-1, the client may need to be configured to use the firewall as a proxy for HTTPS requests.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.