This site has links, downloads, documents, and over 400 FAQs relating to FireWall-1/VPN-1, a software package written by Check Point Software Technologies, Ltd. See my copyright page for detailed copyright and disclaimer information.
Did you know I've written a book on FireWall-1? Find out the details here.
If you have a technical question you would like me to answer, please post it to the FireWall-1 Wizards List, which is being served on freelists.org. You may wish to also post your question to Check Point's FireWall-1 Mailing List, or the Check Point newsgroups, but I do not monitor these forums. Suggestions, corrections, and contributions to this FAQ are welcome and can be emailed to fw1@phoneboy.com.
I will ignore any technical questions directly emailed to me!
WARNING: Do not attempt to use a site sucker, an offline web browser (such as MSIE 5's "Make Available Offline" feature), or any sort of tool that automatically follows links. Anyone using these tools will have their IP blocked.
FireWall-1 4.1 SP5 (and earlier SPs) on IPSO has a problem with SYNDefender in Active Gateway mode when combined with NAT: packets can leave the firewall carrying their untranslated (pre-NAT, internal) addresses. A hotfix for 4.1 SP5 is available on Check Point's Software Subscription page.
All versions of FireWall-1 up to and including 4.1 SP4 allow the service RDP (UDP port 259) through the firewall by default. RDP here is Check Point's own Reliable Data Protocol, used for FWZ key exchange, not Microsoft Remote Desktop; it is accepted by an implied rule enabled in the default Policy Properties, so the allowance does not show up in the rule base you see. A hotfix is available from here. More information.
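The two problems above (the SYNDefender/NAT address leak and the default acceptance of RDP on UDP 259) are easiest to confirm from data you already have: a packet capture taken on the outside of the firewall, and an fw logexport dump. The script below is an added example, not code from this site or from Check Point. It assumes the capture was made with tcpdump -n (IPv4 lines of the form "IP <src>.<sport> > <dst>.<dport>: ..."), that the log export is semicolon-separated with a header line naming the columns action, i/f_name, i/f_dir, proto, src, dst and service, and that nothing on the outside segment legitimately uses RFC 1918 addresses. The interface name hme1 and every sample line are constructed for the example.

```python
"""Offline checks for the two FireWall-1 4.1 problems noted above.

Added example, not code from phoneboy.com or Check Point. Assumptions:
  * the packet capture was taken on the OUTSIDE of the firewall with
    `tcpdump -n` (IPv4 lines look like "IP <src>.<sport> > <dst>.<dport>: ...");
  * the log text is `fw logexport` output, semicolon-separated, whose header
    line carries the column names used below (action, i/f_name, i/f_dir,
    proto, src, dst, service);
  * nothing on the outside segment legitimately uses RFC 1918 addresses.
All sample data below is constructed for the example.
"""
import ipaddress
import re

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed tcpdump -n IPv4 line shape; only the addresses and ports are needed.
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):")


def leaked_private_sources(capture_lines):
    """SYNDefender/NAT leak check: packets seen outside the firewall whose
    source address is still a private (untranslated) address."""
    leaks = []
    for line in capture_lines:
        m = TCPDUMP_RE.search(line)
        if not m:
            continue  # not an IPv4 packet line; ignore
        src = ipaddress.ip_address(m.group("src"))
        if any(src in net for net in PRIVATE_NETS):
            leaks.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return leaks


def parse_logexport(text):
    """Turn fw logexport text into a list of dicts keyed by the header names."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(";")
    return [dict(zip(header, ln.split(";"))) for ln in lines[1:]]


def accepted_rdp(records, external_if):
    """Default-RDP check: accepted UDP/259 (Check Point RDP, not Microsoft
    Remote Desktop) that arrived inbound on the named external interface.
    The service column may hold the name or the port number."""
    hits = []
    for r in records:
        if (r.get("action") == "accept"
                and r.get("i/f_name") == external_if
                and r.get("i/f_dir") == "inbound"
                and r.get("proto") == "udp"
                and r.get("service") in ("RDP", "259")):
            hits.append((r["src"], r["dst"]))
    return hits


# Constructed sample capture from the outside interface: the first packet
# still carries an internal 10.x source, i.e. it escaped without NAT.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 10.1.1.5.40000 > 198.51.100.7.80: Flags [S], seq 1, win 8192, length 0
10:01:02.000002 IP 203.0.113.2.40001 > 198.51.100.7.80: Flags [S], seq 1, win 8192, length 0
10:01:02.000003 IP 203.0.113.1.500 > 198.51.100.9.500: UDP, length 100
"""

# Constructed fw logexport sample: record 3 is an accepted RDP packet from the
# Internet on the external interface hme1; record 4 was dropped; record 5 is
# internal traffic on hme0. FireWall-1 logs pre-NAT addresses, so the 10.x
# source in record 1 is normal here and is not evidence of the leak.
SAMPLE_LOG = """\
num;date;time;orig;type;action;i/f_name;i/f_dir;proto;src;dst;service
1;12Mar2001;10:01:02;fw1;log;accept;hme1;outbound;tcp;10.1.1.5;198.51.100.7;http
2;12Mar2001;10:01:03;fw1;log;accept;hme1;outbound;tcp;203.0.113.2;198.51.100.7;http
3;12Mar2001;10:01:04;fw1;log;accept;hme1;inbound;udp;198.51.100.9;203.0.113.1;RDP
4;12Mar2001;10:01:05;fw1;log;drop;hme1;inbound;udp;198.51.100.9;203.0.113.1;RDP
5;12Mar2001;10:01:06;fw1;log;accept;hme0;inbound;udp;10.1.1.5;10.1.1.1;259
"""

if __name__ == "__main__":
    for src, dst, dport in leaked_private_sources(SAMPLE_CAPTURE.splitlines()):
        print(f"untranslated packet on outside: {src} -> {dst}:{dport}")
    for src, dst in accepted_rdp(parse_logexport(SAMPLE_LOG), "hme1"):
        print(f"RDP (UDP 259) accepted from outside: {src} -> {dst}")
```

The leak check deliberately reads a capture rather than the firewall log, because FireWall-1 logs the addresses a packet had before translation; only a capture taken beyond the external interface shows what actually went out. The RDP check keys on the accepted action plus inbound direction on the external interface, so internal RDP between your own hosts is not reported.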
If you're not running FireWall-1 4.0 SP7 (Solaris, NT, AIX, HPUX, Linux), FireWall-1 4.0 SP5 build 13 (IPSO), or FireWall-1 4.1 SP2 (all platforms) or later, you are vulnerable to a number of security issues. These issues were revealed at the Black Hat 2000 conference and are extremely serious in nature. You can read all about the vulnerabilities here.
A vulnerability in FAST MODE was found to exist, which people could use to get around the security policy. Note that this is not the default behavior, so you should only be vulnerable if you've explicitly enabled this feature for a TCP service. Either disable FAST MODE, upgrade to 4.1 SP3 (now available) or upgrade to 4.0 SP8 (available for all platforms except Nokia). Note that Check Point will remove this feature in the next major release since recent performance enhancements have reduced the effectiveness of this feature.