fir3net

Check Point - A look at SecurID Files

In order to enable SecurID authentication you will need to generate an 'sdconf.rec' file from your ACE SERVER.
You will then need to copy this file to the '/var/ace' directory of your Check Point Firewall (if the directory does not exist, create it).

At the point that your ACE SERVER and your ACE AGENT (Check Point Firewall) start communicating, an 'sdstatus.12' file will be generated.
When the communication is deemed successful a 'securid' file will be generated. It is worth noting that 'securid' (lower case, no 'e') is the default name given to the node secret file, the shared secret known only to this agent and the ACE SERVER.

!! If no securid file is generated you may want to check that the "Reset Node Secret" option was enabled at the point the sdconf.rec file was generated on the ACE SERVER. !!

Once the sdstatus.12 and securid files have been generated, encrypted communication between the ACE AGENT and SERVER can be established.

Below is a summary of these files:

File          Description
sdconf.rec    Generated by the ACE SERVER and copied to the /var/ace directory
sdopts.rec    Optional; allows you to force the ACE AGENT to use a specific IP address (CLIENT_IP) when generating its hash
sdstatus.12   Automatically created at the point of communication between the ACE AGENT and SERVER
securid       The node secret; automatically created at the point of successful communication between the ACE AGENT and SERVER
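As an added example (not from the original article, and not a Check Point or RSA tool), the following POSIX sh check reads off how far the agent has got with the ACE SERVER purely from which of the files above exist. The directory argument, the state names and the ACE_DIR variable are this example's own; the file names are the ones the article lists.

```shell
#!/bin/sh
# Added example (not from the original article): judge how far the
# Check Point ACE agent has got in its bring-up with the ACE server,
# purely from which files exist in the agent directory. The directory
# is a parameter so the check can run against a scratch copy as well
# as the real /var/ace.

# Print one word describing the stage reached, based on the files
# described in the article. Always returns 0; ace_report turns the
# stage into an exit status.
ace_state() {
    dir="${1:-/var/ace}"
    if   [ ! -d "$dir" ];             then echo "missing-dir"
    elif [ ! -f "$dir/sdconf.rec" ];  then echo "no-sdconf"
    elif [ ! -f "$dir/sdstatus.12" ]; then echo "no-contact"
    elif [ ! -f "$dir/securid" ];     then echo "no-node-secret"
    else                                   echo "ready"
    fi
}

# Print the stage and the thing to check next; return 0 only when the
# node secret is in place (i.e. the agent has completed bring-up).
ace_report() {
    dir="${1:-/var/ace}"
    state=$(ace_state "$dir")
    case "$state" in
        missing-dir)    echo "$state: $dir does not exist; create it and copy sdconf.rec in" ;;
        no-sdconf)      echo "$state: sdconf.rec not found in $dir; generate it on the ACE SERVER and copy it here" ;;
        no-contact)     echo "$state: sdconf.rec present but no sdstatus.12; the agent has not reached the ACE SERVER yet (check UDP/5500 both ways)" ;;
        no-node-secret) echo "$state: contact made but no 'securid' node secret; check the node secret settings for this agent host on the ACE SERVER" ;;
        ready)          echo "$state: sdconf.rec, sdstatus.12 and securid all present" ;;
    esac
    if [ -f "$dir/sdopts.rec" ]; then
        # a CLIENT_IP override is in play; show it, since it changes the hash the server checks
        sed -n 's/^CLIENT_IP=/CLIENT_IP override in sdopts.rec: /p' "$dir/sdopts.rec"
    fi
    [ "$state" = "ready" ]
}

# Stand-alone use: report on the real agent directory (or ACE_DIR if set).
# '|| :' stops a not-ready state from being treated as a script error.
ace_report "${ACE_DIR:-/var/ace}" || :
```

Run it on the firewall as-is, or point ACE_DIR at a copy of /var/ace pulled off the box; a non-zero exit from ace_report means bring-up is incomplete and the printed line says which of the steps above to revisit.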

Packet Capture Example:

14:44:49.619735 [FIREWALL].1117 > [ACE SERVER].5500: udp 124  - FIREWALL queries ACE SERVER
14:44:50.387343 [ACE SERVER].5500 > [FIREWALL].1117: udp 124  - ACE SERVER responds
14:44:57.954218 [FIREWALL].1117 > [ACE SERVER].5500: udp 124  - FIREWALL confirms response
14:45:00.733002 [ACE SERVER].5500 > [FIREWALL].1117: udp 124  - ACE SERVER responds

The agent talks to the ACE SERVER over UDP port 5500, so this is the port to permit between the two and to filter on when capturing.

Issues

You may see authentication issues after the initial authentication, along with the error message:

      [LOG_ERR] ACEAGENT: The message entry does not exist for message ID: 100x

This is down to the hash of the Check Point's IP address that is embedded in the authentication request (and sent to the ACE SERVER) being different from the hash of the Check Point's IP address that the ACE SERVER generates itself. The two only match when the agent hashes the same address the ACE SERVER has on record for it, so multihomed firewalls (the agent picks a different interface address) and NAT configurations (the ACE SERVER sees a translated address) can cause this.

To resolve this:

  1. Create the sdopts.rec file in the /var/ace directory.
  2. Using vi, edit the sdopts.rec file and insert the line CLIENT_IP=[IP address of the ACE AGENT (Check Point Firewall)], i.e. the address the ACE SERVER expects the agent to present.
  3. Restart FW-1 using cpstop && cpstart so the agent re-reads the file.
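The three steps above as a script, added here as an example (it is not from the original article and not a Check Point or RSA tool). It validates the address before writing it, creates /var/ace if it is missing, and replaces rather than duplicates an existing CLIENT_IP line so there is never any doubt which address the agent will hash. The function names and the scratch-directory demonstration are this example's own; CLIENT_IP, sdopts.rec and cpstop && cpstart are as given in the steps.

```shell
#!/bin/sh
# Added example (not from the original article): apply the CLIENT_IP fix
# from the steps above as a script rather than by hand. The directory is
# a parameter so the functions can be exercised on a scratch directory
# before touching /var/ace.

# Accept only a dotted quad with each octet in 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Write (or update) CLIENT_IP=<ip> in $dir/sdopts.rec.
write_sdopts() {
    dir=$1; ip=$2; file="$dir/sdopts.rec"
    valid_ipv4 "$ip" || { echo "refusing to write sdopts.rec: '$ip' is not a valid IPv4 address" >&2; return 2; }
    [ -d "$dir" ] || mkdir -p "$dir"
    if [ -f "$file" ]; then
        current=$(sed -n 's/^CLIENT_IP=//p' "$file" | head -n 1)
        if [ "$current" = "$ip" ]; then
            return 0                       # already set to this address; nothing to do
        fi
        # keep any other options, drop every old CLIENT_IP line, add the new one
        grep -v '^CLIENT_IP=' "$file" > "$file.tmp" || :   # grep exits 1 when nothing is left
        echo "CLIENT_IP=$ip" >> "$file.tmp"
        mv "$file.tmp" "$file"
    else
        echo "CLIENT_IP=$ip" > "$file"
    fi
}

# Apply the change and restart FW-1 so the agent re-reads sdopts.rec.
# cpstop/cpstart only exist on the firewall itself, so elsewhere this
# just says what to run.
apply_client_ip() {
    write_sdopts "$1" "$2" || return $?
    if command -v cpstop >/dev/null 2>&1 && command -v cpstart >/dev/null 2>&1; then
        cpstop && cpstart
    else
        echo "sdopts.rec written; now run 'cpstop && cpstart' on the firewall" >&2
    fi
}

# Demonstration on a scratch directory (constructed here, not /var/ace).
# On the firewall you would run: apply_client_ip /var/ace <agent IP>
demo=$(mktemp -d)
write_sdopts "$demo" 192.0.2.10 && cat "$demo/sdopts.rec"
rm -rf "$demo"
```

The address you give must be the one the ACE SERVER has for the agent host, not necessarily the address of the interface the packets leave by; that mismatch is the whole problem the override exists to fix.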

Note: it has been reported this will also correct issues using SecurID on SecurePlatform.

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001