topic Untrusted SSL on Cluster's outside interface in Firewall and Security Management

Untrusted SSL on Cluster's outside interface

mjovovic — Fri, 11 Mar 2022 14:29:41 GMT

Hello,

I have managed to implement internal CA signed SSL cert for our Cluster (with multiportal enabled).

All platform portals are accessible by internal interfaces and SSL is trusted and okay.

Accessibility of platform portal is as in following picture:

I read that IPSec do not use SSL cert. If I remove checkbox for "Including VPN encrupted interfaces" will our S2S IPSec VPN and RAVPN be interrupted?

Our Check Point cluster public IP is not trusted. How to make cluster public IP not self signed/default certificate?

When we scan our public cluster IP by ssl checker we get not trusted warning in browser and following default cert is used:

How to change this cert too? Will it affect our VPNs?

Thanks.

Re: Untrusted SSL on Cluster's outside interface

PhoneBoy — Mon, 14 Mar 2022 15:39:05 GMT

The platform portal setting you picture should have no impact on IPsec VPN or SSL VPN.

As for the untrusted certificate you see, if you're using Mobile Access Blade, you can replace it using something like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69660&partition=Advanced&product=Mobile

Re: Untrusted SSL on Cluster's outside interface

mjovovic — Mon, 14 Mar 2022 19:23:32 GMT

Hello PhoneBoy,

Thanks.

Customer is using CPSB-EP-ACCESS-P-LICENSE for RAVPN not mobile access, but this untrusted cert is presented on outside interfaces in cluster (GW1, GW2 and VIP).

Re: Untrusted SSL on Cluster's outside interface

PhoneBoy — Mon, 14 Mar 2022 20:56:05 GMT

If MAB isn't active, it's the legacy SNX portal.
If you're not using SNX at all, might as well disable it as shown here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk86680&partition=Advanced&product=SSL

Re: Untrusted SSL on Cluster's outside interface

mjovovic — Tue, 15 Mar 2022 07:03:48 GMT

Thanks PhoneBoy.

So just once more, we can exclude IPSec VPN (S2S and RAVPN) that it does not use this self signed SSL on outside interface?

Having that in mind, only two features that can use self signed cert on outside interfaces are Mobile access blade or SNX legacy?

Is there a way to check it, to be sure what uses it (cli..)?

Re: Untrusted SSL on Cluster's outside interface

G_W_Albrecht — Tue, 15 Mar 2022 08:15:21 GMT

Can you explain what the issue is with self signed certificates ? Usually, all portals use internal CA. You can replace the cert by a 3rd party 1 for MAB and SSL inspection, but there is no difference from a users viewpoint: If i want to access services, i would have to accept the self-signed certificate once. If i use a 3rd party certificate it also has to be accepted once. Looking at how certs are stolen or missused i prefer my own internal CA !

Re: Untrusted SSL on Cluster's outside interface

mjovovic — Tue, 15 Mar 2022 08:56:32 GMT

Hello Albrecht,

Customer wants to avoid SSL check tools to not show self-signed cert warnings. I agree with You that encryption is guaranteed and they know that system is theirs. But again they want that.

Re: Untrusted SSL on Cluster's outside interface

G_W_Albrecht — Tue, 15 Mar 2022 09:30:29 GMT

Sorry, but this demand is absolute nonsense in my eyes as it adds nothing to security at all - Customer wants to avoid that SSL check tools he uses himself show him that his FW has a self-signed cert ?

I would rather suggest to care for more important things like DDoS Protection, allowed Ciphers and TLS versions instead...

Re: Untrusted SSL on Cluster's outside interface

PhoneBoy — Tue, 15 Mar 2022 22:11:21 GMT

IPSec VPN (either S2S or C2S) doesn't use this cert.

Re: Untrusted SSL on Cluster's outside interface

the_rock — Tue, 15 Mar 2022 23:54:17 GMT

It sounds like if they dont want that, in that case, you may need 3rd party CA cert.

Re: Untrusted SSL on Cluster's outside interface

mjovovic — Wed, 16 Mar 2022 11:57:44 GMT

I totally agree with You.

It is important to educate customers, but again if they want something so much what will make them happy (if it does not produce any consequence to system and security), it's okay.

Re: Untrusted SSL on Cluster's outside interface

mjovovic — Wed, 16 Mar 2022 11:58:33 GMT

Does this self signed cert by MGMT CA, auto renew?

Re: Untrusted SSL on Cluster's outside interface

mjovovic — Wed, 16 Mar 2022 12:03:28 GMT

It is best just to disable this cert (mab or snx).

Re: Untrusted SSL on Cluster's outside interface

the_rock — Wed, 16 Mar 2022 12:56:28 GMT

The default web UI portal cert is good for 10 years and as far as vpn cert, that was changed recently to 1, rather than 5 years validity.

Re: Untrusted SSL on Cluster's outside interface

mjovovic — Wed, 16 Mar 2022 13:12:22 GMT

This cert is only valid until 7th May:

Re: Untrusted SSL on Cluster's outside interface

the_rock — Wed, 16 Mar 2022 13:16:18 GMT

Thats because it was created in 2017...if it was created recently, only good for 1 year.

Re: Untrusted SSL on Cluster's outside interface

mjovovic — Mon, 21 Mar 2022 08:49:55 GMT

Hello PhoneBoy,

This cluster does not use mobile access blade (not active), nor it supports SSL Network Extender nor it Support Clientless VPN.

How to check what CP feature gives SSL client VPN cert on outside cluster interface?

Do I need to check this possible workaround:

Edit the 'index.html' file specifically for SNX. If SNX client connects to a cluster, then perform these changes on all cluster members (reboot / policy installation are not required).

[Expert@HostName]# cd $FWDIR/conf/extender
[Expert@HostName]# ls -la index*
[Expert@HostName]# cp index.html index.notworking
[Expert@HostName]# rm -i index.html
[Expert@HostName]# ls -la index*

Re: Untrusted SSL on Cluster's outside interface

PhoneBoy — Mon, 21 Mar 2022 16:11:10 GMT

It may be active even if you've not explicitly enabled SNX, thus those steps might be appropriate.
However, it doesn't necessarily get rid of the initial TLS connection.
For that...you may need a TAC case, as I'm not sure how to change the certificate for (or better yet disable) the legacy SNX portal.