Check Point VPN-1/FireWall-1

Deploying SSL for Client Authentication


AERAsec Network Services and Security GmbH


 

Platform:  any platform running Check Point VPN-1
Product: Check Point NGX and Next Generation 
Problem: With Client Authentication over Telnet (259/tcp) or HTTP (900/tcp) the user name and password are sent in cleartext. An attacker who can sniff the traffic captures them and, as long as static passwords are used, can simply replay them to authenticate.
Workaround/Fix:

Configuring SSL starts like the configuration of "normal" Client Authentication:
- Define a User Template, create a user and a User Group
Usually a rule with Client Authentication looks like this:

Client Authentication using plaintext

The authentication ports have to be reachable from the Internet, so change the default banner (it identifies the product) as well as the ports themselves.

NOTES
- For configuring Client Authentication using SSL you need a license for VPN-1 Pro, not just FireWall-1. With Next Generation Feature Pack 3 and above this license is mandatory; with NG AI or NGX a VPN license is included by default.
- Check Point recommends placing the rule for Client Authentication above the Stealth Rule. Done literally, this permits access to the Firewall itself for everything the authentication rule matches. We recommend splitting it into two rules instead, so that the Firewall accepts nothing but the authentication ports (259/tcp and 900/tcp in the plaintext setup) and the Stealth Rule still drops everything else.

- For using SSL first of all create a new TCP service, e.g. My1234 (port 1234/tcp).

- Have a look at your Firewall object and find the nickname of the certificate issued by the Internal Certificate Authority; it is shown under the VPN tab. Keep this name in mind, you need it in the next step (in the example below it is defaultCert).

- Now modify the file $FWDIR/conf/fwauthd.conf on the Firewall. It should contain a new line like the third one below (the first two are the existing cleartext listeners; the new one starts a second in.ahclientd on 1234/tcp that uses the ICA certificate):

...
259 fwssd in.aclientd wait 259
900 fwssd in.ahclientd wait 900
1234 fwssd in.ahclientd wait 1234 ssl:defaultCert
...

- Then save this file and restart the Firewall using cpstop and cpstart.
Instead of the ICA-issued defaultCert you may also use a certificate from an official (public) CA that browsers already trust.
- The rulebase should look like this:

Client Authentication using SSL

After installing the policy you can contact the Firewall with https on port 1234/tcp. If you use defaultCert as shown above, your browser does not know the Internal CA, so you have to accept the certificate explicitly; verify its fingerprint out of band before doing so, otherwise a man-in-the-middle could present his own certificate and capture the login just as with cleartext. Then you can authenticate as usual, but encrypted. Once SSL authentication works, the cleartext listeners on 259/tcp and 900/tcp should no longer be reachable from untrusted networks, otherwise nothing stops a user from logging in unencrypted:

Authenticating via SSL
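The fwauthd.conf edit, the restart and the https check above are done by hand in the page; the following script is an added example (not from the original page and not a Check Point tool) that does the edit safely and verifies the result. It assumes the whitespace-separated fwauthd.conf format shown above ("port fwssd daemon wait port [ssl:certname]"), that the file path, the new port and the certificate nickname are passed as arguments, and that openssl is available for the handshake check. It refuses to touch a port that is already bound, keeps a backup of the file, and only reports success for the listener if a real TLS handshake returns a certificate.

```shell
#!/bin/sh
# Added example for the SSL Client Authentication listener; not part of the
# original page or of Check Point's software. Assumed fwauthd.conf format:
#   <port> fwssd <daemon> wait <port> [ssl:<certname>]

# add_ssl_listener CONF PORT CERTNAME
# Append "PORT fwssd in.ahclientd wait PORT ssl:CERTNAME" to CONF unless it is
# already there. Refuse (exit status 1) if PORT is already bound, so an existing
# cleartext listener is never silently changed or duplicated.
add_ssl_listener() {
    conf=$1 port=$2 cert=$3
    line="$port fwssd in.ahclientd wait $port ssl:$cert"

    if grep -qxF "$line" "$conf"; then
        return 0                      # already configured, nothing to do
    fi
    if grep -qE "^$port[[:space:]]" "$conf"; then
        echo "port $port is already bound in $conf:" >&2
        grep -E "^$port[[:space:]]" "$conf" >&2
        return 1
    fi
    cp "$conf" "$conf.bak"            # copy to restore if cpstart fails
    printf '%s\n' "$line" >> "$conf"
}

# list_ssl_ports CONF
# Print the ports that carry an ssl: certificate; these are the ones to permit
# in the authentication rule placed above the Stealth Rule.
list_ssl_ports() {
    awk 'NF >= 6 && $6 ~ /^ssl:/ { print $1 }' "$1"
}

# check_ssl_listener HOST PORT
# After cpstop/cpstart: succeed only if a TLS handshake on HOST:PORT returns a
# certificate, i.e. the new listener really speaks SSL. Needs network access
# to the Firewall, so it is not exercised offline.
check_ssl_listener() {
    printf 'QUIT\n' | openssl s_client -connect "$1:$2" 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Stand-alone usage on the Firewall (hypothetical script name):
#   sh add_ssl_listener.sh $FWDIR/conf/fwauthd.conf 1234 defaultCert
if [ "$#" -eq 3 ]; then
    add_ssl_listener "$1" "$2" "$3" && list_ssl_ports "$1"
fi
```

Run it once with the file path, the new port and the certificate nickname, then cpstop/cpstart and confirm with check_ssl_listener that the port answers with a certificate; a second run is a no-op, and pointing it at 259 or 900 fails on purpose because those ports are already bound to the cleartext daemons.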

 


No warranty at all, your Feedback is welcome!
© 2002-2010 AERAsec Network Services and Security GmbH, last change 2007-01-02
back to http://www.vpn-1.de/aerasec/