Check Point – A look at SecurID Files

In order to enable SecurID authentication you will need to generate an ‘sdconf.rec’ file from your ACE SERVER.
You will then need to copy this file to the ‘/var/ace’ directory of your Check Point Firewall (if the directory does not exist, create it).

At the point that your ACE SERVER and your ACE AGENT (the Check Point Firewall) start communicating, an ‘sdstatus.12’ file will be generated.
When the communication is deemed successful a ‘securid’ file will be generated. It is worth noting that ‘securid’ is the default name given to the node secret file.

!! If no securid file is generated you may want to check that the “Reset Node Secret” option was enabled at the point the sdconf.rec file was generated on the ACE SERVER. !!

Once the sdstatus.12 and the securid file have been generated, encrypted communication between the ACE AGENT and SERVER can be established. The node secret is a shared secret between this agent host and the ACE SERVER, so treat the securid file like a key: keep it readable by root only and do not copy it to another gateway, which has its own agent host record and its own node secret.

Below is a summary of these files (all of them live in /var/ace on the Check Point Firewall):

  sdconf.rec    Generated by the ACE SERVER and copied to the /var/ace directory
  sdopts.rec    Optional; allows you to force the ACE AGENT to use a specific IP address when generating its hash (see Issues below)
  sdstatus.12   Automatically created at the point of communication between the ACE AGENT and SERVER
  securid       The node secret; automatically created at the point of successful communication between the ACE AGENT and SERVER

Packet Capture Example (tcpdump output; the ACE AGENT talks to the ACE SERVER on UDP port 5500, so make sure your policy permits this traffic from the gateway to the server) :

14:44:49.619735 [FIREWALL].1117 > [ACE SERVER].5500: udp 124  - FIREWALL queries ACE SERVER
14:44:50.387343 [ACE SERVER].5500 > [FIREWALL].1117: udp 124  - ACE SERVER responds
14:44:57.954218 [FIREWALL].1117 > [ACE SERVER].5500: udp 124  - FIREWALL confirms response
14:45:00.733002 [ACE SERVER].5500 > [FIREWALL].1117: udp 124  - ACE SERVER responds

Issues

You may see authentication failures after the initial (successful) authentication, along with the error message :

      [LOG_ERR] ACEAGENT: The message entry does not exist for message ID: 100x

This is down to the hash of the Check Point's IP address that is embedded in the authentication request being different from the hash of the Check Point's IP address that the ACE SERVER generates for that agent host. This can be caused by multihomed or NAT configurations, where the address the ACE AGENT picks for its hash is not the address the ACE SERVER has for it.

To resolve this :

  1. create the sdopts.rec file in the /var/ace directory
  2. using vi, edit the sdopts.rec file and insert the line: CLIENT_IP=[IP Address of the ACE AGENT (Check Point Firewall)]
  3. restart FW-1 using cpstop && cpstart

Note : it has been reported that this will also correct issues using SecurID on SecurePlatform.
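As an added example (my own code, not the article's and not Check Point's or RSA's), the checks and the fix above as a POSIX sh script: it verifies that the files from the summary are present in the ACE directory, counts the ACEAGENT message-ID error in the system log, and writes the CLIENT_IP override, validating the address as a dotted quad and refusing to clobber an existing sdopts.rec unless told to. The function names, the ability to point it at a directory and log other than /var/ace and /var/log/messages, and the constructed log lines used to exercise it are my assumptions, not the article's.

```shell
#!/bin/sh
# Added example, not code from the original article or from Check Point/RSA.
# Assumptions (mine): ACE files live in the directory passed as the first
# argument (normally /var/ace); the log is whatever file is passed in
# (normally /var/log/messages); cpstop/cpstart are only run if on the PATH.

# Usage: ace_check_files DIR
# Prints each file's status; the return value is the number of *required*
# files (sdconf.rec, sdstatus.12, securid) that are missing, so 0 means the
# agent has completed its handshake with the ACE SERVER.
ace_check_files() {
    dir="$1"
    missing=0
    for f in sdconf.rec sdstatus.12 securid; do
        if [ -f "$dir/$f" ]; then
            echo "present: $dir/$f"
        else
            echo "MISSING: $dir/$f"
            missing=$((missing + 1))
        fi
    done
    if [ -f "$dir/sdopts.rec" ]; then
        echo "present (optional): $dir/sdopts.rec"
    fi
    return "$missing"
}

# Usage: ace_count_msgid_errors LOGFILE
# Prints how many log lines carry the hash-mismatch symptom from the article
# (prints 0 for a missing or unreadable file rather than failing).
ace_count_msgid_errors() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'ACEAGENT: The message entry does not exist for message ID' "$1" || true
}

# Usage: ace_write_sdopts DIR IPV4 [force]
# Validates the address as four octets of 0-255, refuses to overwrite an
# existing sdopts.rec unless "force" is given, then writes the CLIENT_IP line.
ace_write_sdopts() {
    dir="$1"
    ip="$2"
    force="${3:-}"
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) echo "invalid IPv4 address: '$ip'" >&2; return 1 ;;
    esac
    oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
    [ "$#" -eq 4 ] || { echo "invalid IPv4 address: '$ip'" >&2; return 1; }
    for octet in "$@"; do
        if [ "$octet" -gt 255 ]; then
            echo "invalid octet in '$ip'" >&2; return 1
        fi
    done
    if [ -f "$dir/sdopts.rec" ] && [ "$force" != "force" ]; then
        echo "$dir/sdopts.rec already exists; pass 'force' to overwrite" >&2
        return 2
    fi
    printf 'CLIENT_IP=%s\n' "$ip" > "$dir/sdopts.rec" || return 1
    echo "wrote $dir/sdopts.rec"
}

# Usage: ace_fix_hash_mismatch DIR IPV4 LOGFILE
# Ties the steps together: report missing files, only pin CLIENT_IP when the
# log actually shows the symptom, then restart FW-1 if the tools are present.
ace_fix_hash_mismatch() {
    dir="$1"; ip="$2"; log="$3"
    ace_check_files "$dir" || echo "warning: $? required ACE file(s) missing" >&2
    n=$(ace_count_msgid_errors "$log")
    if [ "$n" -eq 0 ]; then
        echo "no ACEAGENT message-ID errors in $log; nothing to do"
        return 0
    fi
    echo "$n ACEAGENT message-ID error(s) in $log; pinning CLIENT_IP=$ip"
    ace_write_sdopts "$dir" "$ip" force || return 1
    if command -v cpstop >/dev/null 2>&1 && command -v cpstart >/dev/null 2>&1; then
        cpstop && cpstart
    else
        echo "cpstop/cpstart not on PATH; run 'cpstop && cpstart' on the gateway"
    fi
}

# On a gateway you would source this file and run, for example:
#   ace_fix_hash_mismatch /var/ace 192.0.2.10 /var/log/messages
```

The address you pass as CLIENT_IP should be the one the ACE SERVER has for this agent host, not just any interface on the gateway; on a multihomed box that is the whole point of the override.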

Rick Donato
