000025400 - Simplified Nokia Check Point NG configuration

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025400
Applies To:
RSA ACE/Server
Nokia
Check Point Firewall
Issue:
Simplified Nokia Check Point NG configuration
Check Point NG Setup
Error: "Node verification failed"
Passcode / Password Incorrect
Cause: The Nokia firewall identifies itself to the ACE/Server with an IP address (the one the agent uses to encrypt its traffic) that differs from the IP address defined for its Agent Host record in ACE/Server, so node verification fails.
Resolution: To correct this, determine the firewall interface/IP that is on the same subnet as the ACE Server, or that is otherwise used to send traffic to the ACE Server, and make the agent use that IP as its identity.

Example Setup
Interface that routes to ACE = 10.1.1.1
Directory with sdconf.rec = /var/ace
Hostname=Nokiabox
ACE Server resolves Nokiabox to 10.1.1.1 using hosts file or DNS

Create file on Firewall named /var/ace/sdopts.rec
content of file:
CLIENT_IP=10.1.1.1

ACE Server Agent Host definition
Name: Nokiabox
Network address: 10.1.1.1
Agent type: Communication Server
"Open to all locally known users" enabled (at least for testing)

What the above sdopts.rec does:

Instead of Nokiabox trying to work out its own identity (the IP it uses to encrypt traffic to the ACE/Server), the RSA agent API reads the identity from the sdopts.rec file. Secondary Nodes are not necessary in this configuration because the client then identifies itself with the same IP as the source address of the packets arriving on the ACE Server's UDP port 5500.

NOTE: The same solution works for Windows agents; there the sdopts.rec file goes in the Windows System32 directory (%SystemRoot%\system32).
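The resolution above, as an added script (not from the RSA article and not RSA or Check Point product code): it finds the source IP the firewall uses to reach the ACE/Server, checks it against the hosts-file mapping of the firewall's hostname (the ACE Server must resolve the name to the same IP), refuses malformed addresses, and writes the CLIENT_IP line into sdopts.rec. The Linux-style `ip route get` command, the command-line interface and the sample hosts text are assumptions of this example; on a Nokia IPSO box the interface address would instead be taken from ifconfig.

```shell
#!/bin/sh
# Added example, not from the RSA article or any RSA/Check Point product.
# Assumptions (hypothetical): `ip route get` is available; the ACE/Server
# address and the firewall hostname are passed on the command line.

# Extract the "src" address from one line of `ip route get` output.
route_src() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]src[[:space:]]\([0-9.]*\).*/\1/p'
}

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
valid_ipv4() {
    case $1 in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Look up hostname $2 in hosts-file text $1 (/etc/hosts format); print its IP.
hosts_lookup() {
    printf '%s\n' "$1" | awk -v h="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }'
}

# Emit the sdopts.rec content for a client IP.
sdopts_content() {
    printf 'CLIENT_IP=%s\n' "$1"
}

# Write sdopts.rec for IP $1 into directory $2 (default /var/ace).
# Refuses malformed IPs so a typo cannot become the agent identity.
write_sdopts() {
    dir=${2:-/var/ace}
    valid_ipv4 "$1" || { printf 'refusing to write invalid IP: %s\n' "$1" >&2; return 1; }
    sdopts_content "$1" > "$dir/sdopts.rec" || return 1
    chmod 644 "$dir/sdopts.rec"
    printf '%s/sdopts.rec written with CLIENT_IP=%s\n' "$dir" "$1"
}

# Stand-alone use (assumed interface, not an RSA tool):
#   sdopts.sh <ace-server-ip> <firewall-hostname> [hosts-file] [dir]
if [ $# -ge 2 ]; then
    ace=$1 name=$2 hosts=${3:-/etc/hosts} dir=${4:-/var/ace}
    ip=$(route_src "$(ip route get "$ace" 2>/dev/null | head -n 1)")
    [ -n "$ip" ] || { echo "could not determine source IP for $ace" >&2; exit 1; }
    mapped=$(hosts_lookup "$(cat "$hosts")" "$name")
    if [ -n "$mapped" ] && [ "$mapped" != "$ip" ]; then
        echo "warning: $hosts maps $name to $mapped but traffic to $ace leaves from $ip" >&2
    fi
    write_sdopts "$ip" "$dir"
fi
```

Run it as root on the firewall with the ACE/Server address and the firewall's own hostname; the warning is the check worth acting on, since a hosts or DNS entry that maps Nokiabox to a different interface than the one carrying the agent traffic is exactly the mismatch behind "Node verification failed".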
Notes
Update: Newer versions of Check Point may NOT use sdopts.rec. From the 2013 guide for Check Point R77:

RSA SecurID Authentication Files
File           Location
sdconf.rec     /var/ace, %SystemRoot%\system32\
Node Secret    /var/ace, System Registry
sdstatus.12    /var/ace
sdopts.rec     Not implemented
Legacy Article ID: a17105
