topic Re: Check Point Supposed Vulnerabilities in Firewall and Security Management

Check Point Supposed Vulnerabilities

Bernardes — Tue, 03 Jan 2023 19:49:11 GMT

Hello Mates!

I have a case that I would like your help to know what I can do about it...

I have a customer that is a Financial Corporate. They have a GW in their environment with the latest updates (R81.10 T81 (a VM)).

A few days ago a company did some tests (I'm not sure about how this was done) and sent us a sheet with some "vulnerabilities" found in the gateway.

But the part that I was in doubt about was those recommendations below:

How can I "install a server certificate" on gateway? What does it mean exactly?

Thank you for your support!

Re: Check Point Supposed Vulnerabilities

the_rock — Tue, 03 Jan 2023 20:58:54 GMT

Is customer using https inspection?

Re: Check Point Supposed Vulnerabilities

Lloyd_Braun — Tue, 03 Jan 2023 21:07:01 GMT

It probably does not like a self-signed certificate on the gaia admin portal. How to create and configure certificate for Gaia Portal (checkpoint.com)

Re: Check Point Supposed Vulnerabilities

the_rock — Tue, 03 Jan 2023 21:16:22 GMT

Excellent point indeed.

Re: Check Point Supposed Vulnerabilities

Bernardes — Wed, 04 Jan 2023 00:57:38 GMT

Hello @the_rock that feature is disabled on this gateway.

Re: Check Point Supposed Vulnerabilities

Bernardes — Wed, 04 Jan 2023 00:59:19 GMT

hello, @Lloyd_Braun there's no certificate to access gaia portal indeed. Can it be the cause for these vulnerabilities found ?

Re: Check Point Supposed Vulnerabilities

the_rock — Wed, 04 Jan 2023 01:50:02 GMT

I am pretty sure @Lloyd_Braun got it right, makes perfect sense.

Re: Check Point Supposed Vulnerabilities

Timothy_Hall — Wed, 04 Jan 2023 03:26:55 GMT

Implied rules will always allow port 80 and 443 connections to the firewall itself via multiportal, even if there is no feature enabled to actually talk to and exploit. If this is unacceptable you can do the following, but bear in mind this will break any kind of Remote Access VPN access:

1) Create an indefinite SAM rule from the SmartView Monitor or via the fw sam command blocking connections with a destination of the firewall's outside IP on ports 80 and 443

2) See sk165937: How to disable the connection to Security Gateway on TCP Port 80 and on TCP Port 443 to disable the implied rule completely

Re: Check Point Supposed Vulnerabilities

Wolfgang — Wed, 04 Jan 2023 07:39:36 GMT

@Bernardes the gateways runs MultiPortal mentioned by @Timothy_Hall. There are several places to replace the default self signed certificates to one trusted by a known CA.

Here you can change the supported TLS version:

Re: Check Point Supposed Vulnerabilities

Bernardes — Wed, 04 Jan 2023 13:33:34 GMT

@Wolfgang thank you for your advice!

Re: Check Point Supposed Vulnerabilities

Bernardes — Wed, 04 Jan 2023 13:34:22 GMT

@Timothy_Hall thank you very much for the tip!

Re: Check Point Supposed Vulnerabilities

Bernardes — Wed, 04 Jan 2023 14:16:19 GMT

@Wolfgang just a question... All these portals require a different certificate for each one or can it be the same SSL certificate for all?

Re: Check Point Supposed Vulnerabilities

Wolfgang — Thu, 05 Jan 2023 13:49:52 GMT

@Bernardes from a technical point of view you can use the same certificate for all if it matches the names/ip-addresses. But it's used for different needs. One for MobileAccessPortal, one for GAiA WebUI the platform portal and one for UserCheck webpage. Typically we are using different certificates.

Re: Check Point Supposed Vulnerabilities

the_rock — Thu, 05 Jan 2023 14:03:07 GMT

Agree with @Wolfgang . Yes, you can use same cert, but its probably better practise to use different ones.

Re: Check Point Supposed Vulnerabilities

Bernardes — Thu, 05 Jan 2023 14:12:25 GMT

@Wolfgang Thank you for all! You help me a lot!

Re: Check Point Supposed Vulnerabilities

the_rock — Thu, 05 Jan 2023 14:14:39 GMT

We are here to help...happy new year!!