topic SSL SNX macos catalina support in SASE and Remote Access

SSL SNX macos catalina support

Help_Desk_Help_ — Wed, 09 Oct 2019 11:39:22 GMT

hello all ,

some users upgraded their macbook to the latest macos catalina , and since then they can no longer connect to ssl using their installed network extender.

We have gaia r77.30 take 317 and the mabda sk113410.

Any suggestion will be welcome. I assume Checkpoint will offer a new mabda version in the near future,

thank you

Re: SSL SNX macos catalina support

G_W_Albrecht — Wed, 09 Oct 2019 12:22:23 GMT

Then let your users return to the supported Mac OS High Sierra - at the moment, no CP RA VPN does support Catalina !

Re: SSL SNX macos catalina support

schoenf — Wed, 09 Oct 2019 13:39:27 GMT

I installed the latest client 80.89 on Catalina with a certificate stored in the Keychain. This works on one of my machines.

What causes problems:

Certificate in the file system
On one machine, the process of connection consumes 100% CPU.

On some configurations, it might work

I hope it helps ... downgrade to Mojave is not an option.

-werner

Re: SSL SNX macos catalina support

FedericoMeiners — Wed, 09 Oct 2019 13:56:15 GMT

Hello,

You may want to look into enabling SSL VPN within Mobile Access, altough you need newer GW version for a proper compatibility (R80.X).

Also you may want to try with other open source vpns clients that are supported on Catalina.

Re: SSL SNX macos catalina support

schoenf — Wed, 09 Oct 2019 15:11:56 GMT

Any suggestion for Open Source VPN clients?

Thanks

Werner

Re: SSL SNX macos catalina support

PhoneBoy — Wed, 09 Oct 2019 18:44:11 GMT

I doubt we will be providing an updated MABDA for R77.30 as this release went End of Support in September.
I assume we will for supported releases, though.

As far as I can tell, the "32-bit only" limit of SNX is not new.
While this SK references Windows, I assume Mac is no different.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk67141

As for third party clients, anything that supports L2TP can be made to work.
I haven't personally tested this on the Mac, though.

Re: SSL SNX macos catalina support

mdjmcnally — Thu, 10 Oct 2019 09:40:58 GMT

R80.10 Jumbo HotFix - Ongoing Take 185 adds 64 bit SNX Extender Support

R80.20 Jumbo HotFix - General Availability Take 33 adds 64 bit SNX Extender Support

These both came out January 2019

I would hope/believe that R80.30 which came out only this year already had the 64 bit SNX support.

As others stated then I doubt that there will be a patch for R77.30 to move to 64 bit SNX with it being End of Support.

What is your timescale for getting to R80.x or is there a reason that cannot upgrade to R80.x on the Gateway

Re: SSL SNX macos catalina support

George_Casper — Fri, 11 Oct 2019 23:18:22 GMT

Running R80.10 with take 203 & the latest MABDA hotfix. Received below temporary unofficial workaround from support. So far it enabled 3 Catalina Macbooks to function. Its only been a day so not sure how well it will work and your mileage may vary.

(•)After consulting with R&D, we provide

1. Open Safari and navigate to https://localhost:14186/id

2. “The connection is not private” message will appear

3. Click "Show Details", then "visit this webpage"

4. Confirm your action and enter the password

5.Re-open the mobile access portal in a new window and then try to connect to gw again

Re: SSL SNX macos catalina support

AlexBr — Sat, 12 Oct 2019 17:58:02 GMT

Hi, did you manage somehow to fix the 100% cpu issue? Im having the exact problem and i cant manage to fix it.

Re: SSL SNX macos catalina support

Martin_Loewe — Mon, 14 Oct 2019 09:17:43 GMT

Thanks alot for sharing.
All macbooks we tried on here it works on, helps alot 🙂

Re: SSL SNX macos catalina support

PhoneBoy — Wed, 16 Oct 2019 19:01:46 GMT

Just to clarify, it's available in R80.30.
It's also available in:
R80.20 jumbo take 21
R80.10 Jumbo take 179
R77.30 jumbo take 347

Re: SSL SNX macos catalina support

Steve_Spohn — Sun, 27 Oct 2019 14:55:30 GMT

So I see that this morning, sk113410 was updated to include support for Catalina, but the hotfix ID is the same as before. I checked my gateways, and there are no MABDA updates available. Is there something new that needs to be installed for Catalina to work properly?

Re: SSL SNX macos catalina support

Martin_Loewe — Mon, 28 Oct 2019 11:36:09 GMT

Just tested it and you have to uninstall the "old" MABDA hotfix and remove it from cpuse then import the new one and install it.

Seems to work fine so far in our tests

Just keep in mind to have a backup of the old MABDA files if you want to revert back to that version.

Re: SSL SNX macos catalina support

Steve_Spohn — Tue, 29 Oct 2019 13:19:19 GMT

So uninstalling and reinstalling the Hotfix worked in our environment - but the installer in the DMG gives a warning that Apple was unable to scan it for malicious content, so it wasn't allowed to execute. Obviously, if you right click the installer and select Open, it bypasses that check, and allows it to install, but that isn't necessarily intuitive to all end users. Did the same thing happen in your environment? I replicated it on a MacBook Pro and a Mac mini in my possession.

Re: SSL SNX macos catalina support

fablepd — Mon, 18 Nov 2019 14:16:35 GMT

Hello.
Same problem here . Tried in Catalina to disable SIP with csrutil disable then rebooted

tried to install snx from terminal but read-only file system error appears

MacBook:~ fabiofable$ sudo snx_install_osx.sh

Password:

install: /usr/bin/snx: Read-only file system

install: /usr/bin/SNX_Install_Tool: Read-only file system

install: /usr/bin/snx_uninstall: Read-only file system

MacBook:~ fabiofable$

Tried also the solution here ("https://localhost:14186/id") but I get no message and I get a web page with

{"id":"eaf18dbe-908c-43a3-8b77-3378c2550512"}

Any help ?

Re: SSL SNX macos catalina support

Howard_Gyton — Thu, 21 Nov 2019 17:21:45 GMT

We already had "Check_Point_R80.30_MABDA_sk113410_FULL.tgz" installed on our R80.30 firewalls, along with Take 50, and didn't need to touch that.

Simply visiting https://localhost:14186/id was enough to fix the issue.

Could anyone explain what visiting that page actually does to correct the fault? I didn't notice any explanation, so apologies if this has already been detailed.

Howard

Re: SSL SNX macos catalina support

AndreiR — Sun, 24 Nov 2019 17:37:09 GMT

With Catalina release we have encountered two issues: 1) Apple has changed requirements for self-signed certificates and 2) Apple has started to force using notarization procedure. Visiting https://localhost:14186/id page should pop-up certificate warning and once user trust our certificate he can continue to work with Mobile Access. Update of Check_Point_R80.30_MABDA_sk113410_FULL.tgz in the end of October has fixed this issue.

The second issue is notarization. All applications which are not installed through AppStore must be notarized by Apple. This is optional before January 2020 and then it will become mandatory. This is the reason why you may see a warning that Apple was unable to scan DMG file for malicious content. We will release notarized versions of all hotfixes from sk113410 including Check_Point_R80.30_MABDA_sk113410_FULL.tgz by end of 2019.

Re: SSL SNX macos catalina support

Howard_Gyton — Mon, 25 Nov 2019 09:25:08 GMT

Ah., so if we already have SK113410 installed, we should uninstall, reboot, then re-install?

Howard

Re: SSL SNX macos catalina support

Martin_Loewe — Mon, 25 Nov 2019 09:29:58 GMT

After the Sk113410 is uninstall you have to delete it from the cpuse repository, so you can import the new Sk113410 and install that one instead.