Check Point FireWall-1 Management Console port forwarding

Check Point FireWall-1 only allows IP addresses in the access list $FWDIR/conf/gui-clients to use the Management Console. Unfortunately, this file does not accept ranges of IP addresses. What if you want to connect to the Management Console from different locations without having to manually edit this file?

The best (and most secure) way to connect to the Management Console is to use ssh port forwarding with an ssh client like PuTTY. Instructions on how to configure the ssh tunnel using OpenSSH are also listed below. Using ssh port forwarding of course requires an ssh server installed on your Management Console.

Using ssh port forwarding, the Management Console believes your network traffic is originating from localhost, which is always allowed to connect to the Management Console. In this example, I'll use firewall to as the hostname of the Management Console.

PuTTY configuration:

1. Click on SSH/Tunnels

2. Enter 258 in the Source port dialog box.

3. Enter firewall:258 in the Destination dialog box.

4. Leave the Local radio button checked.

5. Click Add.

6. Click Session and connect to firewall with the ssh protocol.

7. After entering your username and password through PuTTY, startup the Check Point FireWall-1 Management Console. Your Check Point Username: and Password: will be the same. However, you must enter localhost for Management Server:


OpenSSH configuration

If you using OpenSSH, make sure you have the environment variable DISPLAY=localhost:0 set, and issue the following command:

ssh -L 258:firewall:258 UNIX_user_ID@firewall

You should be now be able to access the Check Point FireWall-1 Management Console from anywhere (assuming you can reach the Management Console via TCP ports 22 and 258).

Back to brandonhutchinson.com.

Last modified: 06/08/2004