I posted a series of messages in the last month about some problems
we encountered with Checkpoint's Firewall-1. In an effort to present
everyone with a complete picture, I'd like to state that I am now
much more comfortable with Firewall-1, Checkpoint, and the reseller
that we are working with.
Here are the three problems we encountered, and their resolution:
* FW-1 would state that it had loaded the default filter and would show
that the firewall was active when in fact the firewall was wide
open, passing all traffic.
This turned out to be a configuration problem with the /etc/hosts file.
Most people I talked to didn't encounter this problem, but at least
one other person did. The documentation doesn't clearly specify how
to set up your hosts file and if you get it wrong you could have a problem.
Solution: Make sure you work with your reseller on getting this right
if you have any questions.
* The system running FW-1 would freeze, forcing us to reboot.
Solution: Don't use domain objects. This may have been fixed in
* The system continued to freeze, requiring a reboot.
We determined that this was happening whenever someone used rcp to
copy a file between two particular hosts. This appears to be a problem
with SunOS 4.1.3 and not with FW-1.
Solution: r* commands are bad news anyhow. Shut them down. We're
waiting to hear back from Sun on this one.
We also had a problem with the way that FW-1 is supported. Despite
the fact that the documentation and the startup screen tell you to
contact Checkpoint for support, they really want you to work with your
reseller. This would work well if *all* of the resellers were
completely up to speed on bugs and solutions, but it appeared that
this was not the case. We felt that Checkpoint had information that
they'd not passed on to the reseller and thus caused us, and eventually
Checkpoint, a lot of aggravation. I talked with Checkpoint about this
and they said that they would work on solving this problem.
It appears that they are making an effort in this direction
because I received, via the reseller, a message explaining how to
update FW-1 to address the latest CERT advisory and the related
problems. They did this without my asking for it and in a relatively
timely fashion, which is as it should be.
The documentation is still substandard and I do not know if they
are planning on doing anything about it. Sun will be reselling FW-1
and I've been informed that they will be substantially rewriting the
We are going to continue to use FW-1 at the current site and will
be considering it for use at other sites. FW-1 seems to do a good
job of filling the area between a router with static filters and
a custom-made application level firewall. Its logging facilities,
well designed GUI, and ability to work with Cisco routers are all
I believe that most of the problems we encountered were teething
problems which Checkpoint has grown out of, or will soon.
FW-1, like any other security measure, is not for the unsure. If you
have questions about your configuration, ask your reseller. If they
don't satisfy you, get them to talk to Checkpoint. This holds true
for any firewall product, not just FW-1. If your reseller offers
to sell you a few hours of time to help you configure FW-1 and
familiarize you with it, take them up on it. Consider it a good
If you have any questions about our experiences with FW-1, please
don't hesitate to contact me and I will be happy to discuss it with
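Two of the lessons above lend themselves to a script: a firewall that reports itself active while passing everything because of a bad /etc/hosts file, and the advice to shut the r* services down. What follows is an added example, not code from the post, from Checkpoint, or from Sun. The post does not say what exactly was wrong in the hosts file, so the check below only covers the basics you would want before trusting any status screen: the host's own name must resolve to exactly one address in /etc/hosts, and that address must not be loopback. The inetd.conf format, the service names (shell, login, exec) and the file paths are assumed to be the usual BSD/SunOS ones; the sample files are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original post). Two sanity checks a
# practitioner would script after reading it:
#   1. hosts_check: does /etc/hosts map this host's name to exactly one,
#      non-loopback address?  (The post blames a bad hosts file for FW-1
#      claiming to be active while wide open; the exact required layout
#      is not stated there, so this is a generic consistency check.)
#   2. disable_r_services: comment out rshd/rlogind/rexecd in inetd.conf.
# File formats and service names are assumed BSD/SunOS style.

# hosts_check HOSTS_FILE HOSTNAME
# Prints the single address bound to HOSTNAME; returns 1 on missing,
# duplicate, or loopback entries.
hosts_check() {
    hosts=$1; name=$2
    # strip comments, then match the name in any field after the address
    addrs=$(sed 's/#.*//' "$hosts" | awk -v n="$name" '
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; break } }')
    count=$(printf '%s\n' "$addrs" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "ERROR: $name has no entry in $hosts" >&2
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "ERROR: $name has $count entries in $hosts:" >&2
        printf '  %s\n' $addrs >&2
        return 1
    fi
    case $addrs in
        127.*) echo "ERROR: $name maps to loopback address $addrs" >&2
               return 1 ;;
    esac
    echo "$addrs"
}

# disable_r_services INETD_CONF
# Prints INETD_CONF with the shell (rsh), login (rlogin) and exec (rexec)
# service lines commented out; comments and blank lines pass through.
# To apply for real: write the output to a new file, install it over
# /etc/inetd.conf, and send inetd a SIGHUP so it rereads the file.
disable_r_services() {
    awk '
        /^[ \t]*#/ || NF == 0 { print; next }
        $1 == "shell" || $1 == "login" || $1 == "exec" { print "#" $0; next }
        { print }
    ' "$1"
}

# count_active_r_services INETD_CONF
# Prints how many r* service lines are still uncommented (0 is the goal).
count_active_r_services() {
    awk '$1 == "shell" || $1 == "login" || $1 == "exec" { c++ }
         END { print c + 0 }' "$1"
}

# --- constructed sample files (not real configs from the post) ---------
TMP=${TMPDIR:-/tmp}/fw1check.$$
mkdir -p "$TMP"

cat > "$TMP/hosts.good" <<'EOF'
# constructed /etc/hosts
127.0.0.1   localhost
10.1.1.5    fw1 fw1.example.com loghost
10.1.1.254  gw
EOF

cat > "$TMP/hosts.bad" <<'EOF'
# constructed /etc/hosts with the host's name on two lines
127.0.0.1   localhost fw1
10.1.1.5    fw1 fw1.example.com
EOF

cat > "$TMP/inetd.conf" <<'EOF'
# constructed inetd.conf fragment
ftp     stream  tcp     nowait  root    /usr/etc/in.ftpd        in.ftpd
telnet  stream  tcp     nowait  root    /usr/etc/in.telnetd     in.telnetd
shell   stream  tcp     nowait  root    /usr/etc/in.rshd        in.rshd
login   stream  tcp     nowait  root    /usr/etc/in.rlogind     in.rlogind
exec    stream  tcp     nowait  root    /usr/etc/in.rexecd      in.rexecd
EOF

# --- demo ---------------------------------------------------------------
if addr=$(hosts_check "$TMP/hosts.good" fw1); then
    echo "hosts.good: fw1 -> $addr"
fi
if ! hosts_check "$TMP/hosts.bad" fw1 >/dev/null; then
    echo "hosts.bad: rejected, as it should be"
fi
disable_r_services "$TMP/inetd.conf" > "$TMP/inetd.conf.new"
echo "active r* services after edit: $(count_active_r_services "$TMP/inetd.conf.new")"
```

Run it as-is to see the checks against the constructed files; to use it on a real box, point hosts_check at /etc/hosts and the output of `hostname`, and install the disable_r_services output over /etc/inetd.conf before HUPing inetd. The loopback check is deliberately strict: a host whose own name resolves to 127.0.0.1 is exactly the kind of quiet misconfiguration that a status screen will not reveal.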