topic Re: CheckPoint denies connection even after Push Approval in Firewall and Security Management

CheckPoint denies connection even after Push Approval

Exonix — Mon, 24 Apr 2023 15:14:20 GMT

Hello all,

we are implementing DUO MFA für CheckPoint 80.40 (we can't upgrade to the last version right now).

In our test environment everythig works good, but in the production environment we faced an issue: even after connection was Approved in DUO App the CheckPorint VPN Client tells us: access denied - wrong credentials

In DUO Proxy we don't see any denies:

2023-04-24T15:20:59.251297+0200 [duoauthproxy.lib.log#info] Sending request from CheckPoint_10.10.10.1 to radius_server_auto 2023-04-24T15:20:59.252485+0200 [duoauthproxy.lib.log#info] Received new request id 170 from ('CheckPoint_10.10.10.1', 47357) 2023-04-24T15:20:59.252921+0200 [duoauthproxy.lib.log#info] (('CheckPoint_10.10.10.1', 47357), test.vpn.mfa, 170): login attempt for username 'test.vpn.mfa' 2023-04-24T15:20:59.253716+0200 [duoauthproxy.lib.log#info] Sending request for user 'test.vpn.mfa' to ('NPS_10.20.20.2', 1812) with id 106 2023-04-24T15:20:59.263847+0200 [duoauthproxy.lib.log#info] Got response for id 106 from ('NPS_10.20.20.2', 1812); code 2 2023-04-24T15:20:59.265053+0200 [duoauthproxy.lib.log#info] http POST to https://*****.duosecurity.com:443/rest/v1/preauth 2023-04-24T15:20:59.267428+0200 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Starting factory <_DuoHTTPClientFactory: b'https://*****.duosecurity.com:443/rest/v1/preauth'> 2023-04-24T15:20:59.395863+0200 [duoauthproxy.lib.log#info] (('CheckPoint_10.10.10.1', 47357), test.vpn.mfa, 170): Got preauth result for: 'auth' 2023-04-24T15:20:59.396312+0200 [duoauthproxy.lib.log#info] User IP not provided. Authorized Networks policies will not work for this authentication. 2023-04-24T15:20:59.396768+0200 [duoauthproxy.lib.log#info] http POST to https://*****.duosecurity.com:443/rest/v1/auth 2023-04-24T15:20:59.398511+0200 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Starting factory <_DuoHTTPClientFactory: b'https://*****.duosecurity.com:443/rest/v1/auth'> 2023-04-24T15:20:59.399225+0200 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Stopping factory <_DuoHTTPClientFactory: b'https://*****.duosecurity.com:443/rest/v1/preauth'> 2023-04-24T15:21:03.566848+0200 [duoauthproxy.lib.log#info] (('CheckPoint_10.10.10.1', 47357), test.vpn.mfa, 170): Duo authentication returned 'allow': 'Success. Logging you in...' 2023-04-24T15:21:03.568360+0200 [duoauthproxy.lib.log#info] (('CheckPoint_10.10.10.1', 47357), test.vpn.mfa, 170): Returning response code 2: AccessAccept 2023-04-24T15:21:03.568630+0200 [duoauthproxy.lib.log#info] (('CheckPoint_10.10.10.1', 47357), test.vpn.mfa, 170): Sending response 2023-04-24T15:21:03.568928+0200 [duoauthproxy.lib.http._DuoHTTPClientFactory#info] Stopping factory <_DuoHTTPClientFactory: b'https://*****.duosecurity.com:443/rest/v1/auth'> 2023-04-24T15:21:04.250528+0200 [duoauthproxy.lib.log#info] Sending request from CheckPoint_10.10.10.1 to radius_server_auto 2023-04-24T15:21:04.250895+0200 [duoauthproxy.lib.log#info] (('CheckPoint_10.10.10.1', 47357), test.vpn.mfa, 170): Received duplicate request 2023-04-24T15:21:04.251783+0200 [duoauthproxy.lib.log#info] (('CheckPoint_10.10.10.1', 47357), test.vpn.mfa, 170): Sending response 2023-04-24T15:21:09.250644+0200 [duoauthproxy.lib.log#info] Sending request from CheckPoint_10.10.10.1 to radius_server_auto 2023-04-24T15:21:09.250987+0200 [duoauthproxy.lib.log#info] (('CheckPoint_10.10.10.1', 47357), test.vpn.mfa, 170): Received duplicate request 2023-04-24T15:21:09.252491+0200 [duoauthproxy.lib.log#info] (('CheckPoint_10.10.10.1', 47357), test.vpn.mfa, 170): Sending response

TCP Dump shows that Radius answeres:

14:50:29.972117 IP DUO_10.10.10.22.datametrics > CheckPoint_10.10.10.1.57779: RADIUS, Access-Accept (2), id: 0xa4 length: 222 14:50:30.484452 IP CheckPoint_10.10.10.1.57779 > DUO_10.10.10.22.datametrics: RADIUS, Access-Request (1), id: 0xa4 length: 128 14:50:30.485961 IP DUO_10.10.10.22.datametrics > CheckPoint_10.10.10.1.57779: RADIUS, Access-Accept (2), id: 0xa4 length: 222 14:50:35.484615 IP CheckPoint_10.10.10.1.57779 > DUO_10.10.10.22.datametrics: RADIUS, Access-Request (1), id: 0xa4 length: 128 14:50:35.485912 IP DUO_10.10.10.22.datametrics > CheckPoint_10.10.10.1.57779: RADIUS, Access-Accept (2), id: 0xa4 length: 222

We have already tried following, but nothing helped:

Users defined for both LDAP and RADIUS fail to authenticate via RADIUS and their connection is dropped with a "wrong username or password" error (checkpoint.com)

One Time Password (OTP) authentication fails with session timeout for Radius (checkpoint.com)

sk112933 is no more avaliable...

very appreciated for any ideas!

Re: CheckPoint denies connection even after Push Approval

Exonix — Mon, 24 Apr 2023 15:17:58 GMT

additional Info: CP FW has several Interfaces.

10.10.10.1 interface there the Duo Server is connected to.

172.16.16.1 interface we use for FW management...

I've collected a tcpdump and found follwing:

why in AVP we see mangt-IP? this IP isn't configured in DUO and it will never answer to this IP

Re: CheckPoint denies connection even after Push Approval

the_rock — Mon, 24 Apr 2023 16:51:05 GMT

Can you try zdebug ONLY for port 1812 and see if anything comes up?

fw ctl zdebug + drop | grep "1812"

Andy

Re: CheckPoint denies connection even after Push Approval

PhoneBoy — Mon, 24 Apr 2023 23:24:27 GMT

The IP of the interface which is needed to communicate with the RADIUS server will be used to originate the connections.
That won’t necessarily be your management IP.

Having said that, I am curious: what precise IP are you using in SmartConsole for the relevant gateway?
Does it match the NAS IP in your tcpdump?

Re: CheckPoint denies connection even after Push Approval

Chris_Atkinson — Tue, 25 Apr 2023 01:34:38 GMT

Which endpoint vpn client version are you using out of interest and what Jumbo for R80.40?

Does the following link work for you?

sk112933: Endpoint Security VPN client timeout reached during the time that a third-party server is handling Multifactor Authentication (MFA)

Re: CheckPoint denies connection even after Push Approval

Exonix — Tue, 25 Apr 2023 06:24:00 GMT

Management IP: 172.16.16.1
Interface IP (Gateway for DUO Server): 10.10.10.1

It matches in the fields SRC/DST, but doesn't in RADIUS Data

Re: CheckPoint denies connection even after Push Approval

_Val_ — Tue, 25 Apr 2023 07:23:45 GMT

Did you disable some of the implied rules, by any chance?

Re: CheckPoint denies connection even after Push Approval

Exonix — Tue, 25 Apr 2023 08:00:29 GMT

no, we don't see any drops. Will do debug right now

Re: CheckPoint denies connection even after Push Approval

Exonix — Tue, 25 Apr 2023 08:08:49 GMT

on the MNGT Server Jumbo ist 180, and there is no Jumbo on Security Gateway

We changed timeouts, now we receive two Duo Pushes, but still no connection

Re: CheckPoint denies connection even after Push Approval

Chris_Atkinson — Tue, 25 Apr 2023 09:08:04 GMT

Running without a jumbo isn't best practice given the age of R80.40 and how about the clients?

Did you already allow/configure the NAS IP that you see in DUO?

Which interface is the DUO server routed via?

Re: CheckPoint denies connection even after Push Approval

Exonix — Tue, 25 Apr 2023 08:13:09 GMT

neither fw ctl zdebug + drop | grep "1812" nor fw ctl zdebug + drop | grep "1645" dropps anything

Re: CheckPoint denies connection even after Push Approval

Exonix — Tue, 25 Apr 2023 08:14:44 GMT

I found this article: set global-radius-conf (checkpoint.com)

but how can check what is set right now?

Re: CheckPoint denies connection even after Push Approval

Chris_Atkinson — Tue, 25 Apr 2023 08:17:52 GMT

First to confirm relevance of that document, what model is your gateway?

Re: CheckPoint denies connection even after Push Approval

_Val_ — Tue, 25 Apr 2023 08:18:26 GMT

Try doing the same with grepping by the Radius server IP address. Also, check that the communication is actually getting back to the FW from your server. To do so, run fw monitor -e "host(Radius IP);"

Re: CheckPoint denies connection even after Push Approval

Exonix — Tue, 25 Apr 2023 08:36:07 GMT

not Quantum Spark... Just a VM on VMWare

Re: CheckPoint denies connection even after Push Approval

Exonix — Tue, 25 Apr 2023 08:38:15 GMT

I don't see anything!

[Expert@fw-outside:0]# fw monitor -e "host(10.10.10.22);" PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable PPAK 0: Get before set operation succeeded of simple_debug_filter_off PPAK 0: Get before set operation succeeded of kiss_debug_force_kdprintf_enable PPAK 0: Get before set operation succeeded of fwmonitorfreebufs ************************************************************** NOTE ************************************************************** *** Using "-e" filter will not monitor accelerated traffic. To monitor and filter accelerated traffic please use the "-F" filter *** ************************************************************************************************************************************ FW monitor will record only ip & transport layers in a packet For capturing the whole packet please do -w PPAK 0: Get before set operation succeeded of fwmonitor_ppak_all_position monitor: getting filter (from command line) monitor: compiling monitorfilter: Compiled OK. monitor: loading monitor: monitoring (control-C to stop) PPAK 0: Get before set operation succeeded of fwmonitormaxpacket PPAK 0: Get before set operation succeeded of fwmonitormask PPAK 0: Get before set operation succeeded of fwmonitorallocbufs PPAK 0: Get before set operation succeeded of printuuid ^C monitor: caught sig 2 monitor: unloading PPAK 0: Get before set operation succeeded of fwmonitor_kiss_enable PPAK 0: Get before set operation succeeded of simple_debug_filter_off PPAK 0: Get before set operation succeeded of kiss_debug_force_kdprintf_enable PPAK 0: Get before set operation succeeded of fwmonitorfreebufs

Re: CheckPoint denies connection even after Push Approval

Exonix — Tue, 25 Apr 2023 09:02:26 GMT

VPN Client 86.50

What do you mean "NAS IP that you see in DUO?"

Now we found something else: even if we set MS NPS as the RAIDUS (avoiding DUO) - it also doesn't work, even MS NPS allowed access...

Re: CheckPoint denies connection even after Push Approval

Chris_Atkinson — Tue, 25 Apr 2023 09:45:28 GMT

The NAS IP in the AVP shown in the captures versus (or in addition to) whichever you have configured it to currently accept messages from. Though I think at this point you have two options:

1. Engage TAC for a debug plan to investigate further.

2. Apply a Jumbo to the Gateway to eliminate known issues such as:

Re: CheckPoint denies connection even after Push Approval

_Val_ — Tue, 25 Apr 2023 09:45:58 GMT

Mmmm, this is a bit odd, considering you do observe it on TCP dump.

run the following:
fw monitor -F "10.10.10.22,0,10.10.10.1,0,0"

Re: CheckPoint denies connection even after Push Approval

_Val_ — Tue, 25 Apr 2023 09:46:58 GMT

BTW, all traces and debugging should be done in parallel with the authentication request. Just a reminder.