The PhoneBoy Blog

Simplifying Telecom, Mobile Phones, Gadgets, Health, and More!

FireWall-1 FAQ: How to Integrate SecurID with FireWall-1

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.

I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.

If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)

Note: This document assumes that the ACE/Server installation is functioning correctly; that the FW-1 is already enforcing a valid security policy, with whatever address translation is required for internal users to access the Internet; and that network connectivity between the ACE/Server and the FW-1 is unimpeded. You may need to explicitly define a rule on your FW-1 allowing SecurID traffic to and from the ACE/Server.

  1. On ACE/Server, define your firewall as a communications server within the “Add Client” menu of the administrative tool.
  2. On ACE/Server, be sure that the client hostname and IP address of the firewall agree with the firewall’s own definitions. This means that the nodename (as defined by the command “hostname”) and the IP that name resolves to must match what is configured on the ACE/Server.
  3. On ACE/Server, list the other interfaces of the firewall under Secondary Nodes in the client configuration field. These must be listed in order for the ACE/Server to accept authentication requests from the firewall.
  4. On ACE/Server, go to “Assign Acting Servers” and specify primary and secondary ACE servers. Also generate the sdconf.rec file from this screen and push it to the firewall. (Note that you might not need to Assign Acting Servers, though you likely will on IPSO.)
  5. From the FW-1 Management GUI, define a user group called SecurIDUsers. (From the “Manage” menu, select Users, New, Group.)
  6. From the FW-1 Management GUI, define a new user (using the default template) named generic. If NG FP3 or above, create a User Profile. Add this user to the group SecurIDUsers. Under the properties for this user, define SecurID as the authentication method. [Note that only one generic user can be configured on a FW-1 at any given time.]
  7. Add a FW-1 security rule with a source of SecurIDUsers@any, whatever destination and service you want to authenticate, and an action of UserAuth. Save, verify, and install the security policy.
  8. Check the Network Address Translation rules in the FW-1 GUI to be sure that communications between the firewall and the ACE/Server are not address translated (address translation will really complicate the node secret exchange between the two boxes).
  9. On a Unix or IPSO platform, create the directory /var/ace.
  10. Copy /opt/ace/data/sdconf.rec from the ACE/Server (via FTP or disk) to /var/ace/sdconf.rec (on NT, this should be %SystemRoot%\system32\sdconf.rec).
  11. Bounce FireWall-1 (cprestart, or fwstop; fwstart).
  12. Test authentication by initiating a connection to whatever destination and service you defined in your rule.
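The steps above that run on the firewall itself (checking that the nodename and its resolved address match the ACE/Server client entry, creating /var/ace, dropping in sdconf.rec, and bouncing FireWall-1) are the ones people get wrong most often, so here they are as a small POSIX shell script for a Unix/IPSO module. This is an added example, not something from the original FAQ or from Check Point or RSA; the function names are mine, the /var/ace path and the cprestart / fwstop; fwstart commands are the ones given in the steps above, and the node-secret file name /var/ace/securid and the 0600 mode are my assumptions about the ACE agent, not something the FAQ states.

```shell
#!/bin/sh
# Added example: prepare a Unix/IPSO FireWall-1 module for SecurID.
# Not from the original FAQ. Paths follow the steps in the FAQ; the
# node-secret file name (securid) and the 0600 mode are assumptions.

ACE_DIR="${ACE_DIR:-/var/ace}"

# Step 2 check: the firewall's nodename and the address it resolves to
# must match the client entry on the ACE/Server.
# Usage: check_identity <ace_client_name> <ace_client_ip> [<local_name>] [<local_ip>]
# The last two default to the live host (hostname + resolver lookup);
# pass them explicitly to check a proposed entry without touching DNS.
check_identity() {
    ace_name=$1
    ace_ip=$2
    local_name=${3:-$(hostname)}
    local_ip=${4:-$(getent hosts "$local_name" 2>/dev/null | awk '{print $1; exit}')}
    if [ "$ace_name" != "$local_name" ]; then
        echo "nodename mismatch: ACE/Server client is '$ace_name', firewall reports '$local_name'" >&2
        return 1
    fi
    if [ "$ace_ip" != "$local_ip" ]; then
        echo "address mismatch: ACE/Server has '$ace_ip', but '$local_name' resolves to '$local_ip'" >&2
        return 1
    fi
    return 0
}

# Steps 9 and 10: create the ACE directory and install sdconf.rec.
# Usage: install_sdconf <sdconf.rec copied from the ACE/Server> [<dest dir>]
# Fails if the source file is missing or empty (a truncated FTP transfer is
# a classic cause of "the firewall never talks to the ACE/Server").
install_sdconf() {
    src=$1
    dest=${2:-$ACE_DIR}
    if [ ! -s "$src" ]; then
        echo "sdconf.rec missing or empty: $src" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    cp "$src" "$dest/sdconf.rec" || return 1
    # sdconf.rec identifies the ACE/Server to the agent; keep it root-only.
    chmod 600 "$dest/sdconf.rec" || return 1
    # Assumption: the agent keeps its node secret in $dest/securid. A secret
    # left over from an earlier client definition makes the ACE/Server reject
    # the firewall, so point it out rather than silently keeping it.
    if [ -f "$dest/securid" ]; then
        echo "warning: existing node secret $dest/securid; remove it if the client was re-created on the ACE/Server" >&2
    fi
    return 0
}

# Step 11: bounce FireWall-1 so it reads the new sdconf.rec.
restart_fw1() {
    if command -v cprestart >/dev/null 2>&1; then
        cprestart
    else
        fwstop && fwstart
    fi
}

# Typical use on the firewall (commented out so the functions can be sourced):
#   check_identity fw1 192.0.2.1 && install_sdconf /tmp/sdconf.rec && restart_fw1
```

Run it as root on the module after the ACE/Server side is done. If check_identity complains, fix the client entry on the ACE/Server (or the firewall's hostname and host table) before installing sdconf.rec; installing first and then changing the name is exactly how you end up with a stale node secret.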
