Check Point FireWall-1 only allows IP addresses in the access list $FWDIR/conf/gui-clients to use the Management Console. Unfortunately, this file does not accept ranges of IP addresses. What if you want to connect to the Management Console from different locations without having to manually edit this file?
The best (and most secure) way to connect to the Management Console is to use ssh port forwarding with an ssh client. Instructions on how to configure the ssh tunnel using OpenSSH are also listed below. Using ssh port forwarding of course requires an ssh server installed on your Management Console.
Using ssh port forwarding, the Management Console believes your network traffic is originating from localhost, which is always allowed to connect to the Management Console. In this example, I'll use firewall as the hostname of the Management Console.
1. Click on SSH/Tunnels
2. Enter 258 in the Source port dialog box.
3. Enter firewall:258 in the Destination dialog box.
4. Leave the Local radio button selected.
5. Click Add.
6. Click Session and connect to firewall with the ssh protocol.
7. After entering your username and password through PuTTY, start up the Check Point FireWall-1 Management Console. Your Check Point Username: and Password: will be the same. However, you must enter localhost for Management Server:
If you are using OpenSSH, make sure you have the environment variable DISPLAY=localhost:0 set, and issue the following command:
ssh -L 258:firewall:258 UNIX_user_ID@firewall
You should now be able to access the Check Point FireWall-1 Management Console from anywhere (assuming you can reach the Management Console via TCP ports 22 and 258).
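Because the Management Console accepts whatever arrives through the tunnel, the local end of the forward should listen on loopback only, so other hosts on your network cannot use it. The following is an added example, not part of the original page: it prints an OpenSSH command with an explicit 127.0.0.1 bind address and checks `ss -ltn` style output for a port 258 listener on any other address. The function names tunnel_cmd and loopback_only are hypothetical, a Linux client with ss is assumed, and the sample listings are constructed.

```sh
# Added example: keep the forwarded management port (258/tcp) on loopback.
MGMT_PORT=258

# Print the ssh command for a loopback-only forward. $1 = user, $2 = host.
# -N runs no remote command; ExitOnForwardFailure aborts if the local
# port cannot be bound instead of leaving a session without a tunnel.
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$MGMT_PORT" "$2" "$MGMT_PORT" "$1" "$2"
}

# Read `ss -ltn` output on stdin. Return 0 only if a listener on MGMT_PORT
# exists and every such listener is bound to 127.0.0.1 or [::1].
loopback_only() {
    awk -v port="$MGMT_PORT" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")        # $4 is Local Address:Port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            seen = 1
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
        }
        END { if (seen && !exposed) exit 0; exit 1 }'
}

# Constructed sample: forward bound to loopback (what you want to see).
SAFE_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:258      0.0.0.0:*
LISTEN 0      128    [::1]:258          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed sample: forward bound to every interface (reachable by others).
EXPOSED_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:258        0.0.0.0:*'

tunnel_cmd UNIX_user_ID firewall
for sample in "$SAFE_SAMPLE" "$EXPOSED_SAMPLE"; do
    if printf '%s\n' "$sample" | loopback_only; then
        echo "port $MGMT_PORT: loopback only"
    else
        echo "port $MGMT_PORT: missing or exposed beyond loopback"
    fi
done
# Live check on the client once the tunnel is up:  ss -ltn | loopback_only
```

On Unix-like clients, binding local port 258 normally requires root privileges because it is below 1024.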