topic Re: Identity Collector does not trust gateway certificate in Firewall and Security Management

Identity Collector does not trust gateway certificate

kadar2 — Thu, 15 Jun 2023 12:45:17 GMT

Dear community,

recently we faced the following issue in our infrastructure.

We have two identity collectors running on WindowsServer 2012R2. The certificate under Mobile Access --> Portal Settings on one of our gateways was changed to a new wildcard certificate. The previous certificate was also a wildcard. The gateway is R81.10.

As a result of the change, both identity collectors displayed "Gateway Certificate Untrusted", until we performed an update certificate info. The "update" action was performed two weeks after the certificate replacement!

IA rules on the gateway were functioning normally for the two weeks period! We are trying to understand why we did not face any service disruption during this time. Identity awareness logs on the gateway show that AD user/group information was updated to the firewall. If the trust between identity collector/firewall is broken, how is this possible?

Re: Identity Collector does not trust gateway certificate

AkosBakos — Thu, 15 Jun 2023 13:46:03 GMT

Hi kada2,

Does the new cert contain the IP in the SAN field?
If not, the create one with the IP

Re: Identity Collector does not trust gateway certificate

kadar2 — Thu, 15 Jun 2023 16:45:16 GMT

After updating the certificate info in the collectors, the issue is resolved. We would like to understand why we didn't face any issues with the IA rules on the firewall, given the fact that the certificate was untrusted for two whole weeks! Is it possible that the gateway learnt about the user/group info, by some other means?

Re: Identity Collector does not trust gateway certificate

CheckPointerXL — Thu, 08 Feb 2024 20:39:21 GMT

Did you solve this mistery?