topic Re: 3950 - Host Access doesn't work for SSH in Firewall and Security Management

3950 - Host Access doesn't work for SSH

Exonix — Fri, 02 Jan 2026 14:35:13 GMT

Hello everyone and Happy New 2026 Year! 🥂

I've got a new toy - CheckPoint 3950 to replace a buggy 1900...

This is Check Point's software version R82.10 - Build 767 kernel: R82.10 - Build 768

Before connecting the gateway to the cloud management server, I want to restrict access to the firewall from the Internet. To do this, I use "System Management - Host Access". But this works only for the Web-Access and doesn't work for SSH-Access. I found the following in the /etc/ssh/sshd_config:

# Generated by /bin/sshd_template_xlate on Fri Jan 2 14:32:16 2026 # # DO NOT EDIT Match address 192.168.0.0/24 PermitRootLogin yes PasswordAuthentication yes Match all UseDNS no PasswordAuthentication no PermitRootLogin no

How can I make "Host Access" work for SSH as well?

Thank you in advance!

Re: 3950 - Host Access doesn't work for SSH

Lesley — Fri, 02 Jan 2026 15:02:54 GMT

Config should be like:

add allowed-client host ipv4-address 10.1.1.1
add allowed-client network ipv4-address 10.0.0.0 mask-length 24
set web ssl3-enabled off
set web daemon-enable on

please also share

[Expert@HostName]# cat /etc/hosts.allow
[Expert@HostName]# cat /etc/hosts.deny

ls -l /etc/hosts.*

Re: 3950 - Host Access doesn't work for SSH

the_rock — Fri, 02 Jan 2026 15:38:24 GMT

Can you please send output of /etc/ssh/sshd_config file?

Re: 3950 - Host Access doesn't work for SSH

Exonix — Fri, 02 Jan 2026 15:44:18 GMT

#ls -l /etc/hosts.* -rw-r--r-- 1 admin root 9 Dec 23 22:40 /etc/hosts.allow -rw-r--r-- 1 admin root 9 Dec 23 22:40 /etc/hosts.deny # cat /etc/hosts.allow ALL: ALL # cat /etc/hosts.deny ALL: ALL

Re: 3950 - Host Access doesn't work for SSH

Exonix — Fri, 02 Jan 2026 15:46:46 GMT

cat /etc/ssh/sshd_config # This file was AUTOMATICALLY GENERATED # Generated by /bin/sshd_template_xlate on Fri Jan 2 14:32:16 2026 # # DO NOT EDIT # # $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. # To modify the system-wide sshd configuration, create a *.conf file under # /etc/ssh/sshd_config.d/ which will be automatically included below #Include /etc/ssh/sshd_config.d/*.conf # If you want to change the port on a SELinux system, you have to tell # SELinux about this change. # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #RekeyLimit default none # Logging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin prohibit-password StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # HostbasedAuthentication IgnoreUserKnownHosts yes # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no # Change to no to disable s/key passwords #KbdInteractiveAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no #KerberosUseKuserok yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no #GSSAPIEnablek5users no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the KbdInteractiveAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via KbdInteractiveAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and KbdInteractiveAuthentication to 'no'. # WARNING: 'UsePAM no' is not supported in Fedora and may cause several # problems. UsePAM yes KbdInteractiveAuthentication no AllowAgentForwarding no AllowTcpForwarding no #GatewayPorts no X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes PrintMotd yes #PrintLastLog yes TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed #ClientAliveCountMax 3 #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path Banner /etc/issue # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server DenyUsers root shutdown halt nobody ntp pcap rpm # ckp - CR00596011 #AllowGroups root # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server Match address 192.168.0.0/24 PermitRootLogin yes PasswordAuthentication yes Match all Ciphers aes128-ctr,aes192-ctr,aes256-ctr "and many others" UseDNS no PasswordAuthentication no PermitRootLogin no ClientAliveInterval 0 logingracetime 120

Re: 3950 - Host Access doesn't work for SSH

the_rock — Fri, 02 Jan 2026 15:47:09 GMT

@Exonix

For the context, this is what mine looks like in the lab (R82 jumbo 60)

[Expert@CP-GW:0]# more sshd_config
# This file was AUTOMATICALLY GENERATED
# Generated by /bin/sshd_template_xlate on Mon Dec 29 09:05:05 2025
#
# DO NOT EDIT
#
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/us
r/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

#RekeyLimit default none

# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
# variable in /etc/sysconfig/sshd to overwrite the policy.
# For more information, see manual page for update-crypto-policies(8).

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
##GSSAPIAuthentication yes
#GSSAPICleanupCredentials no
##GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes

AllowAgentForwarding no
AllowTcpForwarding no
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes

# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
# as it is more configurable and versatile than the built-in version.
PrintMotd yes

#PrintLastLog yes
TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveCountMax 3
#ShowPatchLevel no
#PidFile /var/run/sshd.pid
MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
Banner /etc/issue

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

DenyUsers root shutdown halt nobody ntp pcap rpm
# ckp - CR00596011
#AllowGroups root

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

Match address 0::0/0,0.0.0.0/0
PermitRootLogin yes
PasswordAuthentication yes
Match all

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@ope
nssh.com
Macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openss
h.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.
com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp25
6,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,d
iffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-grou
p14-sha256,diffie-hellman-group14-sha1
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384
-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cer
t-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@open
ssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,e
cdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
UseDNS no
PasswordAuthentication no
PermitRootLogin no
ClientAliveInterval 0
[Expert@CP-GW:0]#

Re: 3950 - Host Access doesn't work for SSH

the_rock — Fri, 02 Jan 2026 15:49:32 GMT

You just want to restrict to below?


Match address 192.168.0.0/24
PermitRootLogin yes
PasswordAuthentication yes
Match all

Re: 3950 - Host Access doesn't work for SSH

Lesley — Fri, 02 Jan 2026 18:48:56 GMT

This is not good, show me the relevant GAIA config. Or try to change it to any and then the ACL ip.

Re: 3950 - Host Access doesn't work for SSH

the_rock — Fri, 02 Jan 2026 18:51:13 GMT

I really believe Lesley that what you gave in the beginning is perfect.

Re: 3950 - Host Access doesn't work for SSH

Chris_Atkinson — Sat, 03 Jan 2026 02:20:02 GMT

Can we start with what the actual GAiA config looks like?

Re: 3950 - Host Access doesn't work for SSH

Exonix — Sat, 03 Jan 2026 10:12:36 GMT

@Lesley wrote:

This is not good, show me the relevant GAIA config. Or try to change it to any and then the ACL ip.

do you mean like this:

/etc/hosts.allow ALL: 192.168.0.0/24

Re: 3950 - Host Access doesn't work for SSH

Exonix — Sat, 03 Jan 2026 10:17:23 GMT

I want to allow only one internal network - so, restrict all, except this local network behind a local interface. Now SSH is open for external Interfaces too - I don't want this...

Re: 3950 - Host Access doesn't work for SSH

Exonix — Sat, 03 Jan 2026 10:15:40 GMT

which part of the Gaia config is needed?

Re: 3950 - Host Access doesn't work for SSH

Lesley — Sat, 03 Jan 2026 11:48:26 GMT

This is good config, network defined and any removed. Did this change update the files below or they remain default?

# cat /etc/hosts.allow
ALL: ALL
# cat /etc/hosts.deny
ALL: ALL

If you start SSH from outside the internal network what happens? Do you get loging prompt and then get kicked out? You should also make a firewall rule that blocks and allow traffic to the gateway itself (turn off implied rule for this for more control)

Re: 3950 - Host Access doesn't work for SSH

Exonix — Sat, 03 Jan 2026 12:19:19 GMT

in fact, I didn't test the connection because I wanted to make port 22 inaccessible from the external network altogether. Now I see that the Host Access is working properly and there is no any way to disable Port 22 on external Interface without Firewall? Is it still secure enough?

Re: 3950 - Host Access doesn't work for SSH

Lesley — Sat, 03 Jan 2026 13:02:06 GMT

Looks the same like my lab, next step is to make firewall rule to block ssh to the gateway itself and only allow the internal subnet.

Re: 3950 - Host Access doesn't work for SSH

Exonix — Sat, 03 Jan 2026 13:07:25 GMT

I can't create any rules yet, because the firewall isn't connected to the could management server. But is such security enough for now?

Re: 3950 - Host Access doesn't work for SSH

the_rock — Sat, 03 Jan 2026 13:10:39 GMT

Should be, yes.