The authentication feature of Checkpoint ensures that users trying to access resources in your network are actually authorized to do so. With this feature, instead of simply allowing a client to access a device, the administrator can require the client to authenticate before access is permitted.
Checkpoint supports the following three authentication methods:
Checkpoint User Authentication:
In this type of authentication, the user must authenticate for every connection that passes through the firewall.
This ensures that only authenticated users are able to access the destination resources. The limitation is that user authentication
only supports Telnet, HTTP, FTP and RLOGIN.
Checkpoint Client Authentication:
In this type of authentication, the user first needs to telnet to the firewall on port 259 or connect over HTTP to port 900; once the user is authenticated, the client IP address is permitted. The advantage of client authentication over user authentication is that all protocols are permitted. The disadvantage is that it is less secure, since access is granted based on the client IP address rather than on the individual connection.
Checkpoint Session Authentication:
In this type of authentication, a session agent is installed on the client machine; this agent communicates with the firewall on port 261 to authenticate the user. The advantage of this method is that it works for all protocols. The disadvantage compared to the earlier types is that the session agent must be installed on every client, which leads to more support overhead.
The placement of authentication rules is also critical: make sure the authentication rule is placed above the stealth rule, since the client needs to authenticate against the firewall itself. If the stealth rule comes first, it drops the connection to the firewall before the client ever gets a chance to authenticate.
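The following is an added illustration, not Checkpoint's own code or configuration. It models a first-match rule base in plain Python to show two of the points above: why a client authentication rule placed below the stealth rule can never be satisfied, and why client authentication is weaker than user authentication (it trusts a source IP address, while user authentication checks each connection but only for the four supported services). The port numbers 259 and 900 and the supported service list come from the article; the rule and packet structures, the gateway address 10.0.0.1, the server 10.0.1.5 and the client addresses are constructed for the example.

```python
from dataclasses import dataclass

FIREWALL_IP = "10.0.0.1"               # constructed gateway address
CLIENT_AUTH_PORTS = {259, 900}         # telnet 259 / HTTP 900 to the gateway, per the article
USER_AUTH_PORTS = {23, 80, 21, 513}    # Telnet, HTTP, FTP, RLOGIN: the only services User Auth handles


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    credentials_ok: bool = False   # whether this connection carried a valid login


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "accept", "drop", "user_auth" or "client_auth"
    dst: frozenset = frozenset()   # destinations the rule protects; empty = any


class RuleBase:
    """Toy first-match rule base; client-auth state is a set of trusted source IPs."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.authenticated_ips = set()

    @staticmethod
    def _dst_matches(rule, pkt):
        return not rule.dst or pkt.dst in rule.dst

    def evaluate(self, pkt):
        for rule in self.rules:
            if rule.action == "client_auth":
                # The sign-on connection to the gateway itself belongs to this rule.
                if pkt.dst == FIREWALL_IP and pkt.dport in CLIENT_AUTH_PORTS:
                    if pkt.credentials_ok:
                        self.authenticated_ips.add(pkt.src)
                        return "accept:" + rule.name + ":signed-on"
                    return "drop:" + rule.name + ":bad-credentials"
                if self._dst_matches(rule, pkt):
                    # Any protocol is allowed, but the decision keys on the source IP only.
                    if pkt.src in self.authenticated_ips:
                        return "accept:" + rule.name
                    return "drop:" + rule.name + ":not-signed-on"
                continue
            if rule.action == "user_auth":
                # Per-connection login, but only for the four supported services;
                # anything else falls through to later rules.
                if self._dst_matches(rule, pkt) and pkt.dport in USER_AUTH_PORTS:
                    return ("accept:" if pkt.credentials_ok else "drop:") + rule.name
                continue
            if self._dst_matches(rule, pkt):
                return rule.action + ":" + rule.name
        return "drop:cleanup"   # implicit cleanup rule


SERVERS = frozenset({"10.0.1.5"})                       # constructed internal server
CLIENT_AUTH = Rule("client-auth", "client_auth", SERVERS)
USER_AUTH = Rule("user-auth", "user_auth", SERVERS)
STEALTH = Rule("stealth", "drop", frozenset({FIREWALL_IP}))   # drop anything aimed at the gateway


def sign_on_result(auth_above_stealth):
    """Client Auth sign-on to port 259 with a valid login, under each rule ordering."""
    order = [CLIENT_AUTH, STEALTH] if auth_above_stealth else [STEALTH, CLIENT_AUTH]
    rb = RuleBase(order)
    return rb.evaluate(Packet("192.168.1.10", FIREWALL_IP, 259, credentials_ok=True))


def client_auth_trace():
    """SSH before sign-on, after sign-on, then a second connection from the same IP."""
    rb = RuleBase([CLIENT_AUTH, STEALTH])
    ssh_before = rb.evaluate(Packet("192.168.1.10", "10.0.1.5", 22))
    rb.evaluate(Packet("192.168.1.10", FIREWALL_IP, 900, credentials_ok=True))
    ssh_after = rb.evaluate(Packet("192.168.1.10", "10.0.1.5", 22))
    # A different person sharing that address (e.g. behind NAT) never logged in,
    # yet is accepted: the firewall only knows the IP, not the user.
    other_user_same_ip = rb.evaluate(Packet("192.168.1.10", "10.0.1.5", 3389))
    return ssh_before, ssh_after, other_user_same_ip


def user_auth_trace():
    """User Auth checks every connection, but SSH is not a supported service."""
    rb = RuleBase([USER_AUTH, STEALTH])
    http_ok = rb.evaluate(Packet("192.168.1.20", "10.0.1.5", 80, credentials_ok=True))
    http_no_login = rb.evaluate(Packet("192.168.1.20", "10.0.1.5", 80))
    ssh_with_login = rb.evaluate(Packet("192.168.1.20", "10.0.1.5", 22, credentials_ok=True))
    return http_ok, http_no_login, ssh_with_login


if __name__ == "__main__":
    print("auth above stealth:", sign_on_result(True))
    print("stealth above auth:", sign_on_result(False))
    print("client auth trace:", client_auth_trace())
    print("user auth trace:  ", user_auth_trace())
```

With the stealth rule on top, the sign-on packet to port 259 is dropped by the stealth rule and the client can never be added to the authenticated set; with the order reversed the sign-on succeeds and all later protocols from that address are accepted, including a connection that never authenticated but happens to share the IP. The user-auth trace shows the opposite trade-off: each HTTP connection is checked individually, but SSH falls through to the cleanup rule because it is not one of the supported services.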