Azure VMSS - Gaia Certificates
In Azure we use a VMSS with several FW Instances and we would like to configure the scale up and scale down process completely automatically.
For this we use the autoprov-cfg script (-cg) and add a configuration file with all necessary routes etc. for the FW Instances:
It looks more or less like this:
#!/bin/bash
#
. /tmp/.CPprofile.sh
#
# clish
clish -c 'add host name host.test.org ipv4-address 10.30.10.58'
clish -c 'add host name hist2.tes.org ipv4-address 10.30.10.59'
clish -c 'set static-route 4.4.0.0/16 nexthop gateway address 10.26.0.241 on'
clish -c 'set ntp active on'
clish -c 'set ntp server primary 10.30.0.248 version 1'
clish -c 'set ntp server secondary 10.30.0.249 version 1'
clish -c 'add syslog log-remote-address 10.30.0.205 level all'
clish -c 'set expert-password-hash $1234567890'
clish -c 'save config'
#
#
# SecureXL Fast Access
echo "SAP" | fw ctl fast_accel add 1.1.1.1/32 10.10.10.10/32 50000 6
fw ctl fast_accel enable
#
#
# fw ctl set
fw ctl set int fw_reuse_established_conn 3299
#
#
# fwkern.conf
echo "fw_reuse_established_conn=3299" >> $FWDIR/boot/modules/fwkern.conf
#
#
# change sshd
sed -i 's/ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config
service sshd restart
#
#
# change Gaia WebUI SSLCipher
cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ.ORIGINAL
chmod -v u+w /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1:!3DES/g' /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1.1 +TLSv1.2/g' /web/templates/httpd-ssl.conf.templ
chmod -v u-w /web/templates/httpd-ssl.conf.templ
#
Problem:
The Gaia Web certificate contains all VMSS DNS names and IP addresses as Subject Alternative Names, and we would like to roll it out using the same script shown above.
But Multi Portal is active and sk95064 (changing the certificate files in /web/conf) doesn't work. The only option would be to change the portal port, to 4434 for example.
Can we somehow change the Gaia WebUI port using the CLI? "set web ssl-port 4434" is not an option, because it will be overwritten by a policy push.
Therefore we need a command like "mgmt_cli" or something else which is able to change the portal port from 443 to 4434.
There's no official API to change the gateway object platform portal port.
However, it can probably be done with the generic-object API.
That said, it does not appear to be simple.
Hoping @Omer_Kleinstern has an idea how to accomplish this.
An official API to change the gateway object platform portal port is in development and planned for the next release.
Unfortunately, it cannot be done with the generic-object API.
modify network_objects gw_object portals:0:main_url https://your-ip:4434
You will need to verify in objects_5_0.C that the platform portal is listed first in the portals stanza.
It was in my case, but I'm not sure that's universally true or not.
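The reply above hard-codes index 0 and warns that the platform portal is not necessarily first in the portals stanza. The following is an added example, not code from the thread or from Check Point: it parses a gateway object's portals stanza in the .C syntax used by objects_5_0.C, looks up the list index of the portal whose main_url you want to move, and emits the dbedit lines from the thread with that index instead of a hard-coded 0. The two sample stanzas are constructed for the example; only the main_url key and the dbedit commands come from the thread, and the stanza layout and the rule "identify the platform portal by its current main_url" are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a gateway object's "portals" stanza in Check Point .C
# syntax. Only main_url is taken from the thread; the rest of the layout is
# an assumption made for this example.
PLATFORM_FIRST = """
(
    :portals (
        : (
            :main_url (https://10.0.0.1:443)
        )
        : (
            :main_url (https://10.0.0.1:443/connect)
        )
    )
)
"""

# Constructed sample: same gateway, platform portal NOT at index 0.
PLATFORM_SECOND = """
(
    :portals (
        : (
            :main_url (https://10.0.0.1:443/connect)
        )
        : (
            :main_url (https://10.0.0.1:443)
        )
    )
)
"""

_KEY = re.compile(r"[A-Za-z0-9_\-]*")


class CStanzaParser:
    """Minimal recursive-descent parser for the nested ':key (value)' syntax.

    A stanza is '(' entries ')'. Each entry is ':' + optional key + a
    parenthesised value, which is nested entries when it starts with ':' and
    a scalar string otherwise. Anonymous entries ': (...)' are list elements
    and get the empty key.
    """

    def __init__(self, text):
        self.s = text
        self.i = 0

    def parse(self):
        self._expect("(")
        entries = self._entries()
        self._expect(")")
        return entries

    def _skip_ws(self):
        while self.i < len(self.s) and self.s[self.i].isspace():
            self.i += 1

    def _expect(self, ch):
        self._skip_ws()
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _entries(self):
        out = []
        while True:
            self._skip_ws()
            if self.i >= len(self.s) or self.s[self.i] != ":":
                return out
            self.i += 1
            m = _KEY.match(self.s, self.i)
            self.i = m.end()
            out.append((m.group(0), self._value()))

    def _value(self):
        self._expect("(")
        self._skip_ws()
        if self.i < len(self.s) and self.s[self.i] == ":":
            nested = self._entries()
            self._expect(")")
            return nested
        end = self.s.index(")", self.i)  # scalar values contain no ')'
        value = self.s[self.i:end].strip()
        self.i = end + 1
        return value


def portal_urls(stanza_text):
    """Return the main_url of every element of the portals list, in stanza order."""
    for key, value in CStanzaParser(stanza_text).parse():
        if key == "portals":
            return [dict(element).get("main_url") for _, element in value]
    raise KeyError("no portals stanza found")


def plan_port_change(stanza_text, gw_name, current_url, new_port):
    """Build the dbedit lines that move the portal at current_url to new_port.

    The list index is looked up rather than assumed to be 0, and the call
    fails if the URL is absent or ambiguous, so the wrong portal is never
    modified. Hostnames are IPv4 here; IPv6 would need re-bracketing.
    """
    urls = portal_urls(stanza_text)
    matches = [i for i, u in enumerate(urls) if u == current_url]
    if len(matches) != 1:
        raise LookupError(f"{current_url!r} matched {len(matches)} portals, expected 1")
    parts = urlsplit(current_url)
    new_url = f"{parts.scheme}://{parts.hostname}:{new_port}{parts.path}"
    return [
        f"modify network_objects {gw_name} portals:{matches[0]}:main_url {new_url}",
        "quit -update_all",
    ]


if __name__ == "__main__":
    for line in plan_port_change(PLATFORM_SECOND, "gw_object", "https://10.0.0.1:443", 4434):
        print(line)
```

Feed the returned lines to dbedit exactly as in the session quoted later in the thread; with the second sample the modify line targets portals:1, which is the case the hard-coded index 0 would silently get wrong.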
Looks good, my colleague @Matthias_Haas tried it and it seems to work fine 🙂
dbedit> modify network_objects gwr8030v2 portals:0:main_url https://10.0.0.1:4455
dbedit> quit -update_all
network_objects::gwr8030v2 Updated Successfully
[Expert@mngr8030:0]#
Hello Omer,
same challenge here, see https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Generic-API-List-Index/m-p/81217/...
When will the new release that implements that (imho very basic) feature in the API come out?
Regards, Christian Riede