Checkpoint - A look at SecureID Files

Tuesday, 25 May 2010 11:04

Firewalls - Checkpoint

In order to to enable SecureID authentication you will need to generate an 'sdconf.rec' file from your ACE SERVER.
You will then need to copy this file to the the  '/var/ace' directory of your Checkpoint Firewall (if the directory does not exsist create one).

At the point that your ACE SERVER and your ACE AGENT (Checkpoint Firewall) start communicating a 'sdstatus.12' file will be generated.
When the communication is deemed successful a 'secureid' file will be generated. It is worth noting that 'secureid' is the default name given for the node secret file. 

!! If no secureid file is generated you may want to check that the "Reset Node Secret" option was enabled at the point of the sdconf.rec file being generated on the ACE SERVER. !!

Once the sdstatus.12 and the secureid file have been generated encrypted communication between the ACE AGENT and SERVER can be established. 

Below is a summary of these files :

Packet Capture Example :

14:44:49.619735 [FIREWALL].1117 > [ACE SERVER].5500: udp 124  - FIREWALL queries  ACE SERVER
14:44:50.387343 [ACE SERVER].5500 > [FIREWALL].1117: udp 124  – ACE SERVER responds
14:44:57.954218 [FIREWALL].1117 > [ACE SERVER].5500: udp 124  – FIREWALL confirms response
14:45:00.733002 [ACE SERVER].5500 > [FIREWALL].1117: udp 124  – ACE SERVER responds

Issues

You may see authentication issues after the initial authentication along with the error message :

[LOG_ERR] ACEAGENT: The message entry does not exist for message ID: 100x

To resolve this :

1. create the sdopts.rec file in the /var/ace directory
2. using VI, edit the sdopts.rec file and insert the line: CLIENT_IP=[IP Address of the ACE AGENT (Checkpoint Firewall)]
3. restart FW-1 using cpstop && cpstart