topic Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint? in Spark Firewall (SMB)

R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

elicro — Tue, 19 Jan 2021 11:39:59 GMT

I have tried to access https://www.clalit.co.il and from this it appears that the R80.20.20 is missing the basic RootCA certificates update.

For this specific domain the the relevant RootCA is:

DigiCert Global Root G2

Fri Jan 1 14:00:00 2038

the ones in the R80.20 are:

DigiCert High Assurance EV Root CA

11/10/2031 12:00:00 AM

DigiCert Global Root CA

11/10/2031 12:00:00 AM

DigiCert Assured ID Root CA

11/10/2031 12:00:00 AM

So, is there a global bundle that CheckPoint supply or I need to download one from Firefox or Chrome or Windows?

Thanks,
Eliezer

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

MartinTzvetanov — Tue, 19 Jan 2021 12:08:18 GMT

In HTTPS inspection settings in SmartConsole there is Trusted CAs menu. Check if this certificate is listed and if not, you can download the predefined ca-bundle from CheckPoint using the Automatic update menu in the bottom. Otherwise you can upload it by yourself.

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

elicro — Tue, 19 Jan 2021 12:26:49 GMT

I want to install the ca-bundle from CheckPoint since I do not have that automatic update menu.
If I had it I wouldn't ask...

Is there any specific place this ca-bundle can be downloaded from manually?

I can ... add trusted CA's however it's weird that an update to R80.20.20 doesn't contain these.
If the browser and the OS has this I assume that the NGFW 1530 should have it in the firmware upgrade.

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

G_W_Albrecht — Tue, 19 Jan 2021 16:04:39 GMT

Just ask TAC in a quick chat !

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

elicro — Tue, 19 Jan 2021 16:27:30 GMT

You wouldnt believe me what is their level of Chutzpa even if I would have qutoted their response in the chat.

And believe me I didn't wanted to write what i am writing here...

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

PhoneBoy — Tue, 19 Jan 2021 17:22:32 GMT

Please send me the SR in a private message.

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

PhoneBoy — Wed, 20 Jan 2021 02:26:48 GMT

The CA bundle is probably part of the firmware.
I doubt it can be updated outside of a firmware update or manually adding the relevant missing CA keys manually here:

Having the CA bundle auto-update is most likely an RFE.

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

elicro — Wed, 20 Jan 2021 06:44:39 GMT

OK then, auto-update but I'm stuck with the device that cannot be auto-updated.

And the firmware currently doesn't contain these.

My most best solution to resolve this issue to allow traffic is to use Debian or RHEL or SLES or Firefox pem CA bundles in one file.
I would like to get a practical solution from TAC or R&D.

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

elicro — Wed, 20 Jan 2021 14:05:49 GMT

OK So I have verified, CP wants a subscription and support contract to operate the device.
Not enough I have paid a really lot of money for the device and the support I need to pay monthly for extra something.

Sorry But it's too much investment and above my poor pocket, If someone wants my 1530 let me know.

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

G_W_Albrecht — Wed, 20 Jan 2021 14:14:43 GMT

There is no such thing as a free lunch 8) Subscription and Support are needed for any CP product, so your sales contact should have told you so when you bought it. If not, you could ask for your money back, anyway...

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

John_Fleming — Wed, 20 Jan 2021 16:45:36 GMT

Going your own... so ..uh... could it be one of these? Should you do a firmware upgrade these will most likely get over written, but it sounds like you're in no danger of that.

[Expert@1500]# find / -name "*bundle*" | grep -v chroot
/pfrm2.0/opt/fw1/bin/ca-bundle.crt
/pfrm2.0/opt/fw1/database/ca_bundle.pem
/pfrm2.0/config1/fw1/conf/te_remote_gw_ca_bundle.pem
/pfrm2.0/config1/fw1/database/ca_bundle.pem
[Expert@1500]#

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

PhoneBoy — Wed, 20 Jan 2021 22:54:16 GMT

I'm curious what is the issue with simply adding the needed CA keys into the device as shown?
Have you actually tried it?

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

elicro — Thu, 21 Jan 2021 04:22:27 GMT

First, I would have expected from an Israeli company to release a firmware with the 2021 relevant ca bundle and not 2016..

If you don't understand this then I cannot answer other questions.

We have a saying: לא תשנא אחיך בלבבך

it's ridiculously amazing to even ask me your question.

the number of updated ca's since 2016 is not something that should be left for any admin.

If checkpoint tech support do not understand the issue with this i assume the certificate blinds their eyes from the real world.

In what world MS windows version do not contain/include a ca bundle, do you think .gov.il domain will use such a product?

also let say they will, if they expect me to use such a product then they are missing something in their brain.

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

PhoneBoy — Thu, 21 Jan 2021 06:54:34 GMT

Thank you for bringing the issue to our attention, we appreciate the feedback.
I feel pretty confident this will be addressed in a future firmware build.
I’ll check if there is a different workaround in the meantime.

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

elicro — Sun, 24 Jan 2021 16:14:52 GMT

I tried to reburn he image and it seems that the list of certificates was updated.
It's a bit weird for me that this was the only solution I had tried and worked.

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

Amir_Ayalon — Mon, 25 Jan 2021 08:03:41 GMT

Hi All

CA list gets frequently updates, and actually, was just updated in our last release, so the issue was not an outdated CA list, but an issue in the upgrade code.

clean install get the list updated, and thanks to your feedback, the issue in the upgrade code is now fixes - so CA list gets updated also in upgrade.

will be release soon as GA. for those who needs it now, you can contact support.

thanks!

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

elicro — Tue, 02 Feb 2021 16:30:51 GMT

@Amir_AyalonJust to verify, I have checked what have changed and it seems that the Root CA which Lets Encrypt is using was changed in the last month or more.

Due to this every site which updated the certificate was un-reachable.

It includes many many sites behind sni.cloudflare.com

For example:
https://www.sefaria.org.il/

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

Amir_Ayalon — Wed, 03 Feb 2021 09:48:11 GMT

Hi Elicro,

not sure i understand what you meant.

have you used clean install and still experience an issue ?

(BTW, an official R80.20.20 firmware with some important fixes (including this), will be released today)

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

G_W_Albrecht — Wed, 03 Feb 2021 10:01:00 GMT

@Amir_Ayalon Please explain which clean install you are thinking of - including reset to factory settings ?

Re: R80.20 missing basic/critical rootCA's is there any public CA bundle from checkpoint?

Chris_Atkinson — Wed, 03 Feb 2021 11:18:32 GMT

For a new SMB image this would be via USB I expect.