FW-1  

Check Point Firewall-1 4.x FAQ



Questions:

GENERAL
1) How do I register FW-1?
2) How do I modify my hash and connection tables? (from Phoneboy)
3) I try to sync my boxes, and authentication fails.
4) How can I tell if state sync is working?
5) How do I get Backward Compatibility to work (4.1->4.0)?
6) How do I change the state table timeout for a service?

INSTALL
1) What NT services should be running?
2) What rules should exist by default?
3) When I boot FW-1 on Solaris, the box hangs with FW-1 complaining about interface problems.
4) When running pkgadd on Solaris, I get a message about a "checkinstall" script failure, and the package does not install.

LDAP
1) How do I set up LDAP and use AMC client?

LOGGING
1) User Authenticated HTTP requests are not all logged. (from Check Point support)
2) How do I roll over my logs automatically?

DISTRIBUTED MANAGEMENT
1) How do I do putkeys for a management station that is statically NATed?
2) I can't get putkeys to work, or they only work sporadically.

NAT
1) NT FW-1 is not allowing DNS requests for certain sites to pass (eg. apple.com) (from Phoneboy)
2) I want to do hide and static xlation at the same time.

PROXIES/CVP/AUTHENTICATION
1) What is Implicit Client Authentication?
2) How do I do RADIUS authentication with Option Pack 4.0?
3) Can I import users from a text file?
4) Error "No Client Authentication Rules Available" (from Phoneboy)
5) HTTP connection dies with "Content-Disposition connections are not allowed"

RULE BASE
1) What do I do if I lose my rules and objects?
2) How do I do stateful ICMP?
3) FTP occasionally hangs during an automated process.
4) How do I view my rule base without connecting to the management station?
5) How does FW-1 handle ICMP?
6) FTP hangs only to certain sites (compaq).
7) When I install my policy, I get "magic number corrupted."

ENCRYPTION
1) How do I set up SKIP?
2) How do I set up IKE with Microsoft Certificate Authority certs?
3) How do I set up IKE shared secret tunnel to a PIX?
4) How do I integrate SecuRemote, PKI, and MS Active Directory?
5) How do I set up SDL for SecuRemote and browse Network Neighborhood?
6) How do I set up DNS for SecuRemote?
7) How do I set up Hybrid Mode Authentication for SecuRemote?
8) FW1 GUI connections through SecuRemote fail.
9) How do I set up UDP Encapsulation for SecuRemote?
10) How do I use UDP Encapsulation while doing SEP clustering?
11) Error: Peer is not responsible for src scheme: IKE


Answers:

GENERAL

1) How do I register FW-1?
Go to http://license.checkpoint.com and register your certificate key to obtain a license key.  If you have Gold Support and/or Software Support, you will be prompted for your registration number(s).

2) How do I modify my hash and connection tables?

Edit $FWDIR/lib/tables.def (/etc/fw/lib/tables.def on older Solaris installs) and make this change:

#if LIVE_CONNS == 1
connections = dynamic refresh sync expires TCP_START_TIMEOUT
expcall KFUNC_CONN_EXPIRE
implies tracked kbuf 1 intrap ADD_CONN outrap DEL_CONN
hashsize 8192;
#else
connections = dynamic refresh sync expires TCP_START_TIMEOUT
expcall KFUNC_CONN_EXPIRE
implies tracked kbuf 1 hashsize 8192;
#endif

On the line "hashsize 8192;" change it to "hashsize 32768 limit 50000;".  "limit" is the connection table size (25,000 by default); "hashsize" should be a power of two, sized close to the number of concurrent connections you expect.  Before and after the change, check how full the table actually is with "fw tab -t connections -s".  You can also decrease the TCP timeout from the default 3600 seconds in Firewall Properties.

3) I try to sync my boxes, and authentication fails.
On both boxes, stop the firewall, redo your putkeys ("fw putkey -p <password> -n <my address> <partnerfirewall address>"), and restart the firewall.  If several repetitions of this procedure still give the same error, remove the file $FWDIR/database/authkeys.C and try the procedure again. 

4) How can I tell if state sync is working?
On NT, you will get logging in your NT Event Viewer.  On any other platform, take a look at the $FWDIR/log/fwd.elg file.  This file logs sync info, and on UNIX systems, you can "tail -f" on it.

5) How do I get Backward Compatibility to work (4.1->4.0)?
If you are moving from 4.0 to 4.1 and still need to manage 4.0 firewalls, do the following.  Upgrade all firewalls to the latest patch of 4.0.  Then upgrade the management station to 4.1 without uninstalling 4.0; when prompted whether to keep the old 4.0 installation, say yes.  Re-license the management station for 4.1 and reboot if prompted.  Log into the management station as if everything (including the GUI) were 4.1.  Your old policy should be there, and can be installed onto the 4.0 firewall object without modification.
    A couple of things to think about: 1) your old 4.0 defaults (eg, Policy/Properties) now apply to 4.1.  2) If you later decide to upgrade the firewall module, repeat the same upgrade process on the firewall module and reboot it, then change the object's version from 4.0 to 4.1 in the GUI.

6) How do I change the state table timeout for a service?
   Version 4.1:
There is a global setting under "Policy/Properties" to set the UDP or TCP timeout, but it applies to ALL services of that protocol.  To set the timeout for an individual service, edit $FWDIR/lib/init.def and add:

ADD_TCP_TIMEOUT(0,0)
ADD_TCP_TIMEOUT(port,tout),

where "port" is the service's TCP port and "tout" is the timeout in seconds.  The literal value must be 7200 or less; for a longer timeout write it as an expression, e.g. 6*3600.

   Version NG: directly in the GUI.  Edit the service, click on "Advanced", and edit the session timeout value (in seconds).

 

 

INSTALL

1) What NT services should be running?
SNMP Service
Remote Procedure Call (RPC) Service
Event Log
Protected Storage

2) What rules should exist by default?

No.   Source                 Destination            Service        Action  Comment
1     Control_Grp, Firewall  Firewall, Control_Grp  FW1, FW1_log   Allow   Allow control connections to the firewall (then uncheck
                                                                           the "Accept FireWall-1 control connections" implied rule
                                                                           in Properties, so the explicit rule is the one that logs)
2     Control_Grp            Firewall               FW1_snmp       Allow   (same as rule 1, for SNMP to the firewall)
3     Any                    Firewall               Any            Drop    Stealth rule: deny all other connections to the firewall
Last  Any                    Any                    Any            Drop    Explicit cleanup rule: log anything that isn't allowed

3) When I boot FW-1 on Solaris, the box hangs with FW-1 complaining about interface problems.
    Probably you modified the interface in question after the initial boot, so FW-1 saw one configuration when it loaded and another afterwards.  For example, you changed the interface's netmask with "ifconfig qfe0 netmask 255.255.128.0" in a startup script instead of defining it in /etc/netmasks.

4) When running pkgadd on Solaris, I get a message about a "checkinstall" script failure, and the package does not install.
    Try moving your package to a higher-level directory.  The installer is running out of room for the path and needs a shorter absolute path to the file: /tmp/<patch> is shorter than /opt/files/patches/<patch>.

 

LDAP

1) How do I set up LDAP to work with Secure Client?

Single Sign-On project

 

LOGGING

1) User Authenticated HTTP requests are not all logged.
    Well, of course!  You have to modify $FWDIR\conf\objects.C: go down to the ":props" section and add the line ":http_log_every_connection (true)".  Reinstall the policy (you may have to restart the firewall).  From Check Point Support.

2) How do I roll over my logs automatically?
You will need to set up a cron job on UNIX or an "at" job on NT to run the command "fw logswitch".  For a cron job, your crontab entry will look something like:

5 0 * * * $FWDIR/bin/fw logswitch

This rolls the logs over at five minutes past midnight every night.  Note: "$FWDIR" means wherever the firewall is installed.  Generally speaking, cron does not have that environment variable set, so write out the full path rather than using it.  Rolling the log does not delete anything: the closed log is renamed with a date stamp in $FWDIR/log, so also plan to archive or remove old logs before the disk fills.

For NT, use the "at" utility (the Schedule service must be running).  Run from the command line:

at 12:05AM /every:M,T,W,Th,F,S,Su "cmd /c fw logswitch"

Again, you may have to spell out the path to the "fw" executable in $FWDIR\bin.  Note: on Windows 2000 "at" still exists, but the same job can also be created through the Scheduled Tasks wizard in Control Panel\Scheduled Tasks.

 

DISTRIBUTED MANAGEMENT

1) How do I do putkeys for a management station that is statically NATed?

MGMT |----| FW A |---------[ Internet ]-----| FW B |----| Other Network
PVT Addrs. |-------------- Public Addrs ------------------| PVT Addrs

MGMT IP: 10.0.0.2 (static NAT to: 1.2.3.5)
FW A IP: 10.0.0.1 (internal) / 1.2.3.4 (external)
FW B IP: 5.6.7.8 (external) / 172.16.0.1 (internal)

  1. Statically NAT the MGMT to a public addr on the firewall (1.2.3.5)
  2. On both firewalls set the masters file to both the public and private address of the Management station
  3. On the management station, set the remote modules ($FWDIR\conf\clients) to contain the public IP addresses of the firewalls
  4. Make sure the firewall objects are defined in the general tab as the public IP addresses
  5. Bounce the firewalls
  6. Do the putkeys like this:

On the management station: 

On Firewall A: 

On Firewall B: 

In this scenario, even though the packets arrive at Firewall B with a source address of 1.2.3.5, the first packet's payload carries the address the management station believes it has, 10.0.0.2, regardless of the IP in the packet header.

The masters file tells Firewall B to contact 1.2.3.5 when it needs to fetch a policy, and also to let the machine 10.0.0.2 install policies.  The file is parsed sequentially at fwstart, so list the public address first and the private one second, except on the firewall local to the management station.  Firewall A will always talk to the management station on its private address, sourced from the firewall's public address.

Even though the public IP address is not used for authentication when talking to the firewalls, for debugging purposes it helps to give all the IP addresses of the management station.  It also helps to use all of the firewall's interface addresses when doing putkeys on the management station, so it can authenticate with the remote firewalls whatever address they come out as.

Once this has all been set up, and policies have been both pulled (fw fetch) and pushed (Policy->Install or fw load), one might believe that the entries in $FWDIR\database\authkeys.C that have "password" defined are the unused ones and can be removed.  THIS IS NOT TRUE!  If you remove these entries, you will start getting "Authentication for command fetch failed" or "Authentication for command load failed".  In short, don't touch authkeys.C once it's working.

2) I can't get putkeys to work, or they only work sporadically.

  1. Never putkey to a VRRP address.
  2. fwstop the management station (you might want to back up the $FWDIR/conf directory first).
  3. On the management station, go to $FWDIR/conf and delete serverkeys.db and fwauthkeys* (the exact name may differ slightly, but do NOT delete fwauth.NDB*, which is the user database).
  4. Go to $FWDIR/database and remove all files (not directories).
  5. fwstop the firewall module(s).
  6. On both modules, repeat steps 3 and 4.
  7. On the management station:
    fw putkey -p <password> <ip of fw-1> <ip of fw-2>
  8. On fw-1:
    fw putkey -p <password> -n <ip of fw-1> <ip of management>
  9. On fw-2:
    fw putkey -p <password> -n <ip of fw-2> <ip of management>
    *NOTE: make sure that <ip of fw-x> is CONSISTENT!  Use either the internal or the external or the DMZ address everywhere, but DO NOT mix and match.  Also, make sure there is only one path from the management station to that firewall address: in a VRRP environment, use the INTERNAL NIC, because if you use the external IP, the route to the dead firewall goes out through the live one.
  10. fwstart the management station.
  11. fwstart both firewalls.  When they come up they should try to fetch the policy.  If they fail, try a manual fetch:
    fw fetch <ip of management>
  12. Try pushing policies from the management station, and pay close attention to push errors:
    "command timeout" means you probably can't connect, or your policy is too big.
    "authentication/authorization failed" means redo the putkeys.
    "tried to exchange key but has one" means the firewall has an old key that must be deleted before a new putkey will take (see steps 3 and 4).

 

NAT

1) NT FW-1 is not allowing DNS requests for certain sites to pass (eg. apple.com)
    Phoneboy says: DNS queries from DNS servers usually come from source port 53 to destination port 53.  By default, FireWall-1 hides this behind a "low" (below 1024) unused port when it translates the connection.  Some authoritative DNS servers have a problem with that.  There are two ways to fix the problem: make FireWall-1 hide UDP source port 53 behind a high port, or make your DNS server send its queries from a high port in the first place.

To change FireWall-1, the steps are as follows:

  1. Stop the firewall (fwstop)
  2. On Solaris: echo "fwx_udp_hide_high ?W35" | adb -w -k /dev/ksyms /dev/mem
    To make this change permanent add the following to /etc/system: set fw:fwx_udp_hide_high=0x35
  3. On SunOS: echo "fwx_udp_hide_high ?W35" | adb -w $FWDIR/modules/fwmod.4.1.x.o
  4. On HP/UX: echo "fwx_udp_hide_high ?W35" | adb -w /hp-ux
  5. Start the firewall (fwstart)

(0x35 is decimal 53, i.e. the DNS port.)

To make an NT DNS server send from a port above 1023 instead, set the SendOnNonDnsPort registry value.  A value above 1024 makes the server send from exactly that port; any non-zero value below 1024 makes it bind to an arbitrary unprivileged port.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Value Name: SendOnNonDnsPort   Data Type: REG_DWORD   Data: desired port number (53 is the default; try something over, say, 2000).

Prefer the "any port" setting over pinning a single fixed port: a server that always queries from the same source port is easier to feed forged answers to, since an attacker then only has to guess the transaction ID.

2) I want to do hide and static xlation at the same time.
    Make a rule like "Any - ValidAddressOfWebServer ** Translate to ** InternalInterfaceOfFirewall (static) - InternalAddressOfWebServer (static)".  However, this did not compile, because "Any" in the Original Source requires "Original" as the Translated Source.  I eventually side-stepped this by creating a network object named "EntireInternet" with a network number of 0.0.0.0 and a netmask of 0.0.0.0 and used this object in place of "Any".  This seemed to translate and work correctly.

PROXIES/CVP/AUTHENTICATION

1) What is Implicit Client Authentication?


After the user authenticates himself or herself under a User Authentication or Session Authentication rule, then FireWall-1 knows which user is on the Client machine, and the user does not need to telnet to port 259, because he is considered to have at the same time successfully performed Client Authentication.
Appropriate sequence of Rules in Rule Base:
1.User Authentication rules for HTTP (in case you want it)
2.Client Authentication rules for all the desired services
3.User and Session Authentication rules for non-HTTP services (if any)

In this way, the first time through the User Authentication and Session Authentication rules are applied, but the second time through the Client Authentication rules are applied.  For HTTP, however, the User Authentication rules are always applied, which prevents the browser from sending the authentication password on to the HTTP server (this would happen under Client Authentication, because Client Authentication rules do not use the FireWall-1 Security Servers).  If Client Authentication is configured to time out after a certain period, the User and Session Authentication rules take effect again afterwards, and the user is prompted to authenticate again rather than being rejected.

To enable implicit Client Authentication, change the line:
:automatically_open_ca_rules (false)
in objects.C to:
:automatically_open_ca_rules (true)
The new value will take effect after you install the Security Policy.

2) How do I do RADIUS authentication with Option Pack 4.0?

  1. Load an NT server with RAS + IIS 4.0. When you load IIS4, make sure you select "Internet Connection Services for RAS." There will be a RADIUS plug-in in the MMC. It will not start until you configure it by right clicking on it. You will have to define the client (firewall).
  2. On the firewall, make sure the firewall object supports RADIUS authentication, then define a user group with the user generic* in it, with auth scheme of RADIUS.
  3. Define a Server (RADIUS) under Manage/Servers. Do not use key words to define the name, like "radius."
  4. Create a user authentication rule with the user group from step 2. Install and test.

This will authenticate any user in the domain, although you may have to authenticate as DOMAIN\USERNAME instead of just USERNAME.  Note that this authenticates ALL users the RADIUS server will vouch for; if you want to lock it down, the only way I can tell you is to substitute specific usernames for generic*.

3) Can I import users from a text file?

Yes.  Run "fw dbexport -f <file>".  This exports the existing users to <file> in the $FWDIR/conf directory.  Open it with a text editor: the first line is a header that names all of the fields, and each subsequent line is one user definition.  Now modify the file (you can remove the existing users and replace them with your own; keep a copy of the original database dump).
     Next, run "fw dbimport -f <file>".  This ADDS all the users you defined.  Treat both files as sensitive, since they are dumps of the user database, and delete them once the import is done.

4) Error "No Client Authentication Rules Available"


One of the following has not been set up correctly:

5) HTTP connection dies with "Content-Disposition connections are not allowed"

Since SP5 for FW-1 4.1, attachments (HTTP responses carrying a Content-Disposition header) can no longer be downloaded, and the connection dies with the error above.  To disable this behavior:

 

RULE BASE

1) What do I do if I lose my rules and objects?

At a bare minimum, you will need your objects.C and <policy>.W files.

Stop the firewall, and delete any newer objects.C, bak, or sav files from $FWDIR/conf.  Copy your objects.C to the conf directory (alternately, you could try merging C files: 'fw confmerge file1.C file2.C > objects.C').  At this point, if you start the firewall, you should be able to see your objects, if not your rules.

Next, append your <policy>.W file to $FWDIR/conf/rulebases.fws.  This file is required for your GUI to see the policy rules.  Your policy will start like this:

(
    :rule (

You must change this in rulebases.fws to look like:

(
    :rule-base ("##<policy name>"
        :rule (

and don't forget the extra ")" at the end of the policy.  If you now reopen your GUI, you should be able to open your policy.
  If hand edits aren't your thing, recreate the rulebases.fws file from your .W files with the "fwm -g" command:

fwm -g *.W

will append all .W files to the rulebases.fws file.
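The hand edit above (wrapping each .W body in a :rule-base entry and adding the closing paren) as an added Python example; this is not Check Point code and not the page's own.  It takes {policy name: .W text}, produces the shape of file that "fwm -g *.W" produces, and refuses a .W whose parentheses do not balance, which is the usual sign of a truncated backup.  The sample .W below is constructed and simplified; real 4.x .W files carry more keys per rule.

```python
"""Rebuild rulebases.fws from saved <policy>.W files (added example, not Check Point code)."""

# Constructed, simplified .W body; real FW-1 4.x rule files carry more keys per rule.
SAMPLE_W = """(
    :rule (
        :src (Internal)
        :dst (Any)
        :services (http)
        :action (accept)
        :comments ("Web out (HTTP only)")
    )
    :rule (
        :src (Any)
        :dst (Any)
        :services (Any)
        :action (drop)
        :comments ("cleanup rule")
    )
)"""


def is_balanced(text):
    """True if every '(' has a ')' outside quoted strings (parens inside comments are ignored)."""
    depth, in_str = 0, False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and not in_str


def rulebase_entry(name, w_text):
    """Wrap the body of one .W file in ':rule-base ("##<name>" ... )' as rulebases.fws expects."""
    body = w_text.strip()
    if not (body.startswith("(") and body.endswith(")")) or not is_balanced(body):
        raise ValueError("%s: .W text is not a single balanced block (truncated backup?)" % name)
    inner = body[1:-1].strip("\n")            # drop the .W's outer parens, keep the ':rule (' lines
    if not inner.lstrip().startswith(":rule"):
        raise ValueError("%s: expected ':rule' as the first key" % name)
    lines = ["    " + line for line in inner.splitlines() if line.strip()]
    return '    :rule-base ("##%s"\n%s\n    )' % (name, "\n".join(lines))


def build_rulebases(policies):
    """Combine {policy name: .W text} into one rulebases.fws body, as 'fwm -g *.W' does."""
    return "(\n" + "\n".join(rulebase_entry(n, t) for n, t in policies.items()) + "\n)\n"


if __name__ == "__main__":
    print(build_rulebases({"Standard": SAMPLE_W}))
```

Write the output to $FWDIR/conf/rulebases.fws (after saving the existing one) and reopen the GUI; if you pass several policies, each gets its own :rule-base entry inside the one outer pair of parentheses.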

2) How do I do stateful ICMP?

a) Check "Accept ICMP" in Policy/Properties and set it to "Last", so that nothing is silently accepted by this option (if you leave it at "Before Last", packets can be allowed through without logging).  This is what enables stateful inspection of ICMP.
b) Edit $FWDIR\lib\fwui_head.def and uncomment the line "#define STATEFUL_ICMP_LOG".  This logs stateful violations.
c) Have rules for ICMP outbound and inbound (the inbound one being more restrictive, eg: icmp-replies only).
Stateful inspection does not give you one-way rules (you still need both rules from c); what it adds is that an inbound reply is only accepted while there is a matching outbound entry, and that entry is removed after 60 seconds of inactivity, after which inbound packets are dropped by Rule 0.

3) FTP occasionally hangs during an automated process.


The FTP data port is NOT 21; that port is only the control channel (sending the "ls" command, eg).  The data port is a port above 1023 agreed upon by the client and server for each transfer.  Occasionally that high port coincides with one used by a known service (>1023).  Such ports are defined as "bad" ports (NOTSERVER_TCP_PORT), the PORT command is refused, and the connection freezes.  Interactive users don't notice, because a retry picks a different port and away they go, but scripted processes aren't that smart and will not retry.
    To fix, edit $FWDIR/lib/base.def and remove the "p in tcpservices" clause from the NOTSERVER_TCP_PORT definition.  Leave the "p < 1024" test in place: that check is what stops a PORT command from pointing the data connection at a well-known service port, so relax it no further than you need.  See phoneboy for more details.

4) How do I view my rule base without connecting to the management station?
    Similar to 3.x question, with a few mods.  Copy the following files from $FWDIR/conf to the "Program" subdirectory where you installed the GUI client.  Rename in the process.

objects.C -> objects.fws
rulebases.fws -> rules.fws

Now open the GUI client with any username/password.  Use "*local" as the Management IP.

5) How does FW-1 handle ICMP?

Here's a quick (depending on how much you like to read) how-to on how ping and traceroute work and how to configure the rules in CheckPoint FW-1 to allow pings and traceroutes from your internal networks to the outside but not in, and how to handle traceroute.

How Ping Works:

Ping uses ICMP, which is connection-less. A machine (we'll call it "client") sends an echo request (ICMP type 8) out, destined for another machine (we'll call this one "server"). If the ICMP echo request gets to the server (It isn't blocked by a firewall or router) it will respond back with an echo reply (ICMP type 0). So, to allow this to work, we'd need the following rules in our rule base:

Rule Source Destination Service Action
1 Internal Any echo-request Accept
2 Any Internal echo-reply Accept

* Note, Rule number is only being shown to discern that they are different rules, not necessarily placement in the rulebase.

Well, this all works fine and dandy as long as all the routers are doing what they're supposed to.. What if they're not? We'll address this issue in the Traceroute section.

Traceroute

First some quick definitions:

TTL = Time To Live.  The TTL defines how many router hops a packet may traverse before it is discarded.  Each router the packet passes through decreases the TTL by one; when the TTL reaches zero the router discards the packet and sends a message back to the packet's source address saying that this happened and that the packet did not reach its destination.  This message is an ICMP type 11 packet, also called TTL Exceeded or time-exceeded.

When one does a traceroute, the client sends a packet destined for the target with a TTL of one.  The first router (the computer's default router, in this case) decrements it to zero and responds with a time-exceeded ICMP packet from the router's own IP address, destined to the client.  Next, the traceroute program sends the same packet with a TTL of two: the first router decrements it to one and forwards it, the second router decrements it to zero and sends back time-exceeded.  The client keeps incrementing the TTL, one hop at a time, until the destination itself answers, or until a router reports that it cannot reach the next network.  When a router cannot forward the packet because it has no route or cannot reach the next-hop router, it sends back a destination-unreachable message (ICMP type 3).

MS Tracert

Microsoft's traceroute command ("tracert" from a command prompt) uses ICMP echo-request packets as its probes.  When a probe reaches the destination machine, that machine responds with an echo-reply (just like ping, described above) and the traceroute is finished.  So, to allow your Microsoft OS based machines to ping and traceroute, your rules would look like this:

Rule  Source    Destination  Service                                  Action
1     Internal  Any          echo-request                             Accept
2     Any       Internal     echo-reply, time-exceeded, dest-unreach  Accept

* Note, rule numbers are only shown to distinguish the rules, not to dictate placement in the rule base.

Unix Traceroute

UNIX traceroute works just like the Microsoft implementation, except that the packet it sends out with the increasing TTL is a UDP datagram to a destination port above 33,000 (by default starting at 33434 and going up by one per probe).  When the TTL reaches zero at each router, the router sends back the time-exceeded message.  When the packet actually reaches the destination computer (UNIX traceroute assumes that no daemon will be listening on such a high UDP port), it sends back a port-unreachable message, which is a specific code of the destination-unreachable ICMP error.  So, if we have UNIX machines, we'll have to allow outgoing UDP packets with a destination port higher than 33,000 and a TTL less than 30.  Check Point has conveniently already added this to the services and named it "traceroute"; in reality it should be named "unix-traceroute".  Now assuming that we have some UNIX machines that need to traceroute out, our rule base would look like this:

Rule  Source    Destination  Service                                  Action
1     Internal  Any          echo-request, traceroute                 Accept
2     Any       Internal     echo-reply, time-exceeded, dest-unreach  Accept

* Note, rule numbers are only shown to distinguish the rules, not to dictate placement in the rule base.

Keep in mind that rule 2 as written is stateless: it admits any echo-reply, time-exceeded or dest-unreach from anywhere, whether or not an internal host sent a probe.  If that is too permissive, use the stateful ICMP setup from question 2 of this section (or the INSPECT script referenced below), which only accepts replies that match a recent outbound request.

References:
-----------
How to allow _only_ outbound ping and traceroute requests?
http://www.phoneboy.com/
INSPECT script to make FW-1 do stateful ICMP inspection (ping, UNIX traceroute, and MS traceroute)
http://people.netscape.com/shadow/work/inspect/index.html
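Both the stateful ICMP recipe in question 2 and the ping/traceroute rules above come down to one idea: admit an inbound ICMP reply or error only if a matching outbound probe was seen recently.  Below is an added Python model of that behaviour, written for this FAQ; it is not Check Point code and not the INSPECT script referenced above.  It assumes the 60 s idle timeout quoted in question 2, assumes the "traceroute" service covers UDP ports 33434 to 33533, and matches ICMP errors by the probe quoted in their body (a real implementation does this with the inner IP/UDP header).  All packets are constructed inline.

```python
"""Stateful model of FW-1's ping/traceroute handling (added example, not Check Point code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
IDLE_TIMEOUT = 60.0                        # seconds; the idle window quoted in question 2
TRACEROUTE_PORTS = range(33434, 33534)     # assumed range for the "traceroute" UDP service


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                             # "icmp" or "udp"
    icmp_type: Optional[int] = None
    icmp_id: Optional[int] = None          # echo identifier pairs a reply with its request
    dport: Optional[int] = None            # UDP destination port of a traceroute probe
    inner: Optional["Packet"] = None       # ICMP errors quote the probe that caused them


def flow_key(p: Packet) -> Tuple:
    """State-table key of an outbound probe (echo-request or UDP traceroute)."""
    if p.proto == "icmp":
        return ("icmp", p.src, p.dst, p.icmp_id)
    return ("udp", p.src, p.dst, p.dport)


class StatefulIcmp:
    def __init__(self, internal_nets):
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]
        self.table: Dict[Tuple, float] = {}   # probe key -> last time it was seen

    def is_internal(self, ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in net for net in self.internal)

    def decide(self, p: Packet, now: float) -> Tuple[str, str]:
        for key in [k for k, seen in self.table.items() if now - seen > IDLE_TIMEOUT]:
            del self.table[key]                # expire idle state; later replies hit rule 0
        if self.is_internal(p.src) and not self.is_internal(p.dst):
            return self._outbound(p, now)
        if self.is_internal(p.dst) and not self.is_internal(p.src):
            return self._inbound(p, now)
        return ("drop", "rule 0: not an internal<->external flow")

    def _outbound(self, p: Packet, now: float):
        is_ping = p.proto == "icmp" and p.icmp_type == ECHO_REQUEST
        is_trace = p.proto == "udp" and p.dport in TRACEROUTE_PORTS
        if is_ping or is_trace:                # rule 1: Internal -> Any echo-request, traceroute
            self.table[flow_key(p)] = now
            return ("accept", "rule 1")
        return ("drop", "rule 0: no outbound rule matched")

    def _inbound(self, p: Packet, now: float):
        if p.proto != "icmp":
            return ("drop", "rule 0: not ICMP")
        if p.icmp_type == ECHO_REPLY:          # a reply travels the reverse of its request
            key = ("icmp", p.dst, p.src, p.icmp_id)
        elif p.icmp_type in (TIME_EXCEEDED, DEST_UNREACH) and p.inner is not None:
            key = flow_key(p.inner)            # an error is tied to the probe it quotes
        else:
            return ("drop", "rule 0: unsolicited ICMP")
        if key in self.table:
            self.table[key] = now              # refresh on a match, as FW-1 does
            return ("accept", "rule 2 (stateful)")
        return ("drop", "rule 0: no matching outbound state")


def run_demo():
    """Constructed packet sequence; returns the decision for each packet in order."""
    fw = StatefulIcmp(["10.0.0.0/8"])
    probe = Packet("10.0.0.5", "198.51.100.1", "udp", dport=33434)        # UNIX traceroute probe
    stray = Packet("10.0.0.5", "198.51.100.1", "udp", dport=40000)        # never sent through fw
    seq = [
        (0.0, Packet("10.0.0.5", "198.51.100.1", "icmp", ECHO_REQUEST, icmp_id=1)),   # ping out
        (1.0, Packet("198.51.100.1", "10.0.0.5", "icmp", ECHO_REPLY, icmp_id=1)),     # its reply
        (1.0, Packet("198.51.100.2", "10.0.0.5", "icmp", ECHO_REPLY, icmp_id=7)),     # unsolicited
        (1.5, Packet("198.51.100.2", "10.0.0.5", "icmp", ECHO_REQUEST, icmp_id=2)),   # ping in
        (2.0, probe),                                                                 # traceroute out
        (3.0, Packet("192.0.2.1", "10.0.0.5", "icmp", TIME_EXCEEDED, inner=probe)),   # hop reply
        (3.0, Packet("203.0.113.9", "10.0.0.5", "icmp", TIME_EXCEEDED, inner=stray)), # forged error
        (70.0, Packet("198.51.100.1", "10.0.0.5", "icmp", ECHO_REPLY, icmp_id=1)),    # past idle timeout
    ]
    return [fw.decide(p, t)[0] for t, p in seq]


if __name__ == "__main__":
    print(run_demo())
```

The eight decisions come out accept, accept, drop, drop, accept, accept, drop, drop: the stray reply, the inbound ping, the forged time-exceeded and the late reply are all what rule 0 catches that the stateless rule 2 above would have let in.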

6) FTP hangs only to certain sites (eg, compaq).
Check Point by default forces you to have a newline character at the end of PORT commands.  Some web sites like ftp.compaq.com do not have them, and will hang when you try to ftp to them.  To disable newline enforcement:

  1. stop the firewall
  2. edit $FWDIR/lib/base.def
  3. comment out "#define FTP_ENFORCE_NL"  (if you have an older firewall, this might look like: #define FTPPORT(match) (call KFUNC_FTPPORT <(match), [110,b]>)   )
  4. start the firewall and reinstall the policy

There are a few other conditions that might cause similar problems:

  1. SYN Defender is blocking latent sessions.
  2. DNS resolution hangs.  If the DNS server responsible for your reverse DNS lookups (i.e., for the IP address of your FTP client) is unreachable (down or blocked), the FTP server can't look you up and will hang.  This issue may also affect some SMTP servers.

7) When I install my policy, I get "magic number corrupted."
You have a corrupted user database. Stop the firewall, and delete $FWDIR/conf/fwauth.NDB*, and all extraneous references to fwauth* in $FWDIR/database.  Then start the firewall.  Reinstall.

 

ENCRYPTION

1) How do I set up SKIP?

2) How do I set up IKE with Microsoft Certificate Authority certs?
   
We assume you have the CA set up and a root certificate is installed.  Also, this solution was implemented with Windows 2000 Server, SP1.  FW-1 is CP 2000 sp2.
  1. On a FW-1 GUI client machine, open IE and go to http://<certserver>/certsrv (Netscape may have problems).
  2. Retrieve the root certificate to a file on your disk.
  3. Open the FW-1 GUI and create a CA server object.  CA type is OPSEC PKI.  On the OPSEC PKI tab, uncheck both LDAP and HTTP CRL retrieval (can't seem to get CRL retrieval to work successfully), and hit "Get" Certificate.  Be aware that with CRL retrieval off, a client certificate you later revoke on the CA will still be accepted until it expires.
  4. You will be prompted for the path to the root CA certificate from step 2.  You can view if you want, but eventually hit "OK".
  5. Next, go to your firewall object and click "Certificates" tab.
  6. Click "Add" to begin fw cert request.
  7. Give a nickname and pull down to select your CA you created in steps 3-4.
  8. Hit "Generate" to generate the request, and view it.  Copy the request to the clipboard.
  9. Go back to the browser at http://<certserver>/certsrv and this time "request a certificate."
  10. Choose "Advanced Request" and then "Submit a request using a base64...".
  11. Paste your request under "Saved Request" and Submit.
  12. Issue the pending cert on the CA.
  13. Go back to the browser at http://<certserver>/certsrv and "check on a pending cert".  Save the cert to the hard disk.
  14. Go back to the GUI and "Get" the file you just saved.  This will add a cert to your firewall object.
  15. Now you need a client cert.  Go to http://<certserver>/certsrv with NETSCAPE (IE has some problems exporting the private key) and request another cert.  This time you will choose a "Web Browser Certificate".  Generate the request.
  16. On the CA, issue the client cert.
  17. Still in Netscape, go back to http://<certserver>/certsrv and "check on a pending cert".  Install the web cert into your browser.
  18. Go to the Security Icon on Netscape's tool bar, choose "Yours" under certificates, and export to a file (you will be prompted to password protect the cert; remember the password).
  19. Copy the client cert to SecuRemote and under "Certificates/Import", enter the file and the password from step 18.  This will import the web cert into Entrust format.  You will be prompted to enter a new cert password.  This will be your login password.
  20. Try to connect to your encryption domain.  Click "Use Certificate" and put in the password from step 19.  
  21. PS: don't forget to set up the SecuRemote stuff as always.  The SR user definition should have "Public Key" checked under IKE encryption.

3) How do I set up IKE shared secret tunnel to a PIX?
    FW-1 v 4.1sp2 (Solaris 2.6) <-> PIX 515 v 5.3beta and v 5.1.2

Check Point FW-1 side:

1) define network objects for both PIX and FW-1 as you normally would
2) define local and remote encryption domains.  Encryption domains MUST have the same subnet masks on both the PIX and the FW-1.  Additionally, I also made sure my networks are all 'internal' and remote nets are 'external', although I don't think this part matters.
3) On FW-1 object/VPN tab, check IKE and edit.
   
-check ONLY ONE encryption scheme (eg 3DES)
   
-check only one auth scheme (MD5), although this isn't as important as previous step
   
-check pre-shared secret
  *NOTE: doesn't seem to matter if aggressive mode and or subnets is on. I implemented with both on.
4) On PIX object, same as above holds true for the FW-1 object. Doesn't matter if it is defined as a FW-1 or just a regular gateway.
5) Next, go to "Policy/Properties" and click the "Encryption" tab.  Note the IKE renegotiation time.  By default it is 10080 minutes (1 week).  PIX defaults to, I believe, 86400 secs (1 day).  This must be consistent with the PIX, so change it to the PIX lifetime value.  Unfortunately, I don't remember what we set that to on the PIX.  May have to call and get config info from IMR.
  *NOTE: I also tested this change FW-1 to FW-1 and it doesn't appear to break Check Point tunnels regardless of values. Also, you will have to change FW-1, not PIX, because PIX has a MAX of 1 day.
   
If these values are not the same, you will get "Configured expiration time and sent time differ" when running "fwd -d" debug. This will result in "no proposal chosen."
6) build rule as is normal for ISAKMP. Right click on "Encrypt" and choose IKE. Edit properties and choose 3DES and MD5. No PFS.

The PIX config looks like this (keep in mind the IPs are from a different setup).  Two things to watch when you copy it: this PIX side uses DES and MD5 in both phases, whereas the FW-1 steps above pick 3DES, and the algorithms have to match on both ends or you get "no proposal chosen"; and "abc123" is a placeholder pre-shared key, so use a long random one.

access-list 102 permit ip 192.168.5.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list 102
route outside 192.168.4.0 255.255.255.0 204.32.38.104 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap2 10 ipsec-isakmp
crypto map mymap2 10 match address 102
crypto map mymap2 10 set peer 204.32.38.104
crypto map mymap2 10 set transform-set myset
crypto map mymap2 interface outside
isakmp enable outside
isakmp key abc123 address 204.32.38.104 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

5) How do I set up SDL for SecuRemote and browse Network Neighborhood?

6) How do I set up DNS for SecuRemote?

On the FW-1 Management Station (v4.1), create a file called $FWDIR/conf/dnsinfo.C.  This is a DNS topology file that will be downloaded to the client during its site update ("key sucking").  The file will look like this (it is VERY important not to make a typo, as the file gives no error messages and instead simply does nothing):

(
    :dns_servers (
        : (<object name of DNS server>.<object name of firewall>
        :obj (
            : (<IP of DNS server>)
        )
        :topology (
            : (
                :ipaddr (<IP of internal net>)
                :ipmask (<mask of internal net>)
            )
        )
        :domain (
            : (
                :dns_label_count (4)
                :domain (<.secev.com or your own domain>)
            )
        )
        )
)
:encrypt_dns (true)
)

dnsinfo.C will cause the client to do internal lookups for specified domains, but allow normal resolution for all other domains; in effect, giving you a "split" DNS.  If you want ALL DNS to resolve through the internal DNS server, use just:

(
:encrypt_dns (true)
)

Once this is done, reinstall your policy and update the site on the client.  The info added to dnsinfo.C should now appear in the userc.C file on the SecuRemote client.  If it does not, you probably have a typo in dnsinfo.C.
    Incidentally, if you want to auto-populate the client's LMHOSTS file from dnsinfo.C, add an :LMdata section after ":encrypt_dns (true)" (the leading ")" below is the one that closes the :dns_servers section shown above):

)
:encrypt_dns (true)
:LMdata (
    : (
        :ipaddr (6.6.6.6)
        :name (pdc)
        :domain (NTDOMAIN)
    )
    : (
        :ipaddr (6.6.6.6)
        :name ("NTDOMAIN")
    )
)
)

after ":encrypt_dns (true)".  In this case, 6.6.6.6 is the PDC for the NT domain NTDOMAIN: the first entry maps the host name, the second gives the domain name itself an address.
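Because dnsinfo.C gives no error on a typo, it helps to check the file before installing the policy.  Below is an added Python parser for the parenthesised ".C" set format that dnsinfo.C, objects.C and the other conf files share (written for this FAQ, not Check Point's own parser), plus a validator for the dnsinfo.C structure shown above: balanced parentheses, exactly one :encrypt_dns, a "<dns object>.<firewall object>" name, valid IPs under :obj, a valid ipaddr/ipmask pair per :topology entry, a numeric dns_label_count per :domain entry, and a name plus IP per :LMdata entry.  The sample file is constructed; the checked keys are the ones on this page, nothing more.

```python
"""Parser and sanity checker for Check Point ".C" set files (added example, not Check Point code)."""
import ipaddress
import re

TOKEN = re.compile(r'\(|\)|:[\w.\-]*|"[^"]*"|[^\s()]+')

# Constructed dnsinfo.C following the layout shown on this page (whitespace is free-form).
SAMPLE = """(
    :dns_servers (
        : (dns1.fw-gw
            :obj ( : (10.1.0.53) )
            :topology ( : ( :ipaddr (10.1.0.0) :ipmask (255.255.0.0) ) )
            :domain ( : ( :dns_label_count (3) :domain (.example.com) ) )
        )
    )
    :encrypt_dns (true)
    :LMdata ( : ( :ipaddr (10.1.0.10) :name (pdc) :domain (EXAMPLE) ) )
)"""


def parse_block(tokens, i=0):
    """Parse the '( ... )' at tokens[i]; return (value, index after it).
    A block is a list of (key, value); bare atoms and anonymous ': (' entries get key ''.
    A block holding one bare atom collapses to that atom, so ':ipaddr (10.1.0.0)' -> ('ipaddr', '10.1.0.0')."""
    if i >= len(tokens) or tokens[i] != "(":
        raise ValueError("expected '(' at token %d" % i)
    i, items = i + 1, []
    while True:
        if i >= len(tokens):
            raise ValueError("unbalanced parentheses: missing ')'")
        tok = tokens[i]
        if tok == ")":
            i += 1
            break
        if tok.startswith(":"):                       # ':key (' or the anonymous ': ('
            val, i = parse_block(tokens, i + 1)
            items.append((tok[1:], val))
        else:                                         # bare atom or "quoted string"
            items.append(("", tok.strip('"')))
            i += 1
    if len(items) == 1 and items[0][0] == "" and isinstance(items[0][1], str):
        return items[0][1], i
    return items, i


def parse(text):
    tokens = TOKEN.findall(text)
    val, i = parse_block(tokens)
    if i != len(tokens):
        raise ValueError("unbalanced parentheses: %d token(s) after the final ')'" % (len(tokens) - i))
    return val


def values(block, key):
    """All values stored under key; key '' selects bare atoms and anonymous entries."""
    return [v for k, v in block if k == key] if isinstance(block, list) else []


def entries(v):
    """The anonymous ': (...)' members of a block, or the single collapsed atom."""
    return values(v, "") if isinstance(v, list) else [v]


def _ip_ok(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def validate_dnsinfo(text):
    """Return the list of problems found in a dnsinfo.C body (empty list: nothing obviously wrong)."""
    try:
        root = parse(text)
    except ValueError as e:
        return [str(e)]
    errs = []
    if values(root, "encrypt_dns") not in (["true"], ["false"]):
        errs.append("encrypt_dns must appear exactly once, as true or false")
    for ent in (e for s in values(root, "dns_servers") for e in entries(s)):
        name = values(ent, "")
        if len(name) != 1 or "." not in name[0]:
            errs.append("dns_servers entry must be named <dns object>.<firewall object>")
        ips = [ip for o in values(ent, "obj") for ip in entries(o)]
        if not ips or not all(_ip_ok(ip) for ip in ips):
            errs.append("obj needs at least one valid DNS server IP")
        for net in (n for t in values(ent, "topology") for n in entries(t)):
            addr, mask = values(net, "ipaddr"), values(net, "ipmask")
            try:
                ipaddress.ip_network("%s/%s" % (addr[0], mask[0]), strict=False)
            except (IndexError, ValueError):
                errs.append("topology entry needs a valid ipaddr and ipmask")
        for dom in (d for t in values(ent, "domain") for d in entries(t)):
            count = values(dom, "dns_label_count")
            if not values(dom, "domain") or not (count and count[0].isdigit()):
                errs.append("domain entry needs domain and a numeric dns_label_count")
    for host in (h for lm in values(root, "LMdata") for h in entries(lm)):
        ips = values(host, "ipaddr")
        if not values(host, "name") or not ips or not all(_ip_ok(ip) for ip in ips):
            errs.append("LMdata entry needs name and a valid ipaddr")
    return errs
```

Run validate_dnsinfo() on the text of your dnsinfo.C before installing the policy; the first thing it reports on a mangled file is a missing ")" or a stray token after the last one, which is exactly the kind of typo the client swallows silently.  The parser itself is generic enough to read the objects.C fragments in questions 9 and 10 below, so the same values()/entries() helpers can check that edit as well.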
   
There is also a whitepaper at Check Point that tells you how this all works with FW-1 v4.0 (4.1 is not quite this complicated):

7) How do I set up Hybrid Mode Authentication for SecuRemote?

8) FW1 GUI connections through SecuRemote fail.

The GUI connection is encrypted as well as the SecuRemote connection, and that "double encryption" confuses the client.  Force SecuRemote NOT to encrypt the FW1_mgmt traffic, either in the rules or by doing the following:

1) Add fwm_encrypt (true) to Secure Remote options in userc.C

2) Modify $FWDIR/lib/crypt.def on the Management Server by commenting out the following line:
    not(dport = FWM_SVC_PORT, tcp),

3) Reinstall Policy.

9) How do I set up UDP Encapsulation for SecuRemote?

You must have v4.1sp2 or higher.  Add the following lines to your firewall object definition in your Management's objects.C (after isakmp.authmethods section):

:isakmp.udpencapsulation (
   :resource (
      :type (refobj)
      :refname ("#_VPN1_IPSEC_encapsulation")
   )
   :active (true)
)

If you have SP2 of the SecuRemote client, add a line like "force_udp_encapsulation (true)" to the options section of userc.C.  Service Pack 4 does not require this.

10) How do I use UDP Encapsulation while doing SEP clustering?

You must be running 4.1 sp4 or higher.  Yet another $FWDIR/conf/objects.C edit on the Management station.  Add:

 :IPSec_cluster_nat (true)

to the "props" section.  Install your policy to the firewalls.  Will not work well in load balanced scenarios.

11) Error: Peer is not responsible for src scheme: IKE

Go to your encryption rule, right-click on action "Encrypt", and go to "Edit Properties."  Most likely, you have defined the peer gateway incorrectly.  Worst case scenario, set the peer to "Any."



Copyright 2006, Security Evolution, Inc.