AmerHarris
Explorer

Inquiries regarding sk158096

Hello,

We ran a vulnerability scan and found that our ICA certificate was using SHA1.

Based on KBs such as sk103840 and sk108252, we determined that to resolve this issue, we would need to renew the ICA certificate to change the hash algorithm to SHA256, as stated in sk158096. Please feel free to correct me on my stance.

However, we have some concerns we would like to address:

1. Our ICA certificate's expiry date is in 2027, and as it has not expired yet, based on sk158096 there shouldn't be any downtime for this renewal process?

2. Our vulnerability scan detected the vulnerability on the security gateway; however, sk158096 only has the solutions (script) performed on the management server. How can we know whether this solution would be propagated/pushed to the gateway? We're hoping to have a bit of clarification of this process.

We welcome any feedback on our concerns and appreciate your time in reviewing them.


Regards,

0 Kudos
1 Reply
_Val_
Admin

Answers (although it is fairly documented in the SK already):

Let's start with question 2.
The certificates are created and signed by your management ICA; that's why you need to generate a new ICA certificate on your main management server (SMS or MDS).

Also, GW IKE certificates will not be changed, until you generate new ones, quoting from the mentioned SK:

 

Question 1:


For general traffic filtering, there is no downtime, since your ICA has not expired yet. However, if you are using any of the RAS VPN or Mobile VPN solutions, the site certificate fingerprints will be changed, and users may see a "Trust this certificate" pop-up on reconnect. If you are using Identity Agents, they will also be affected.

This is what the SK says about the matter: 

  • Distribute the new fingerprint to all applicable VPN Clients and Identity Agents


0 Kudos
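
To check which exported certificates still carry a SHA-1 signature before and after the renewal discussed in this thread, the following added example (not from sk158096 or Check Point; all function names are hypothetical) reads the outer signatureAlgorithm OID of a PEM or DER certificate with the Python standard library only. The sample certificates are constructed skeletons rather than real ones, and only the two RSA signature OIDs are mapped to names.

```python
import base64
# Added example, not Check Point code. Only these two RSA OIDs are mapped to names.
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def pem_to_der(pem):  # takes bytes; DER input is returned unchanged
    if b"-----BEGIN" not in pem:
        return pem
    body = [l for l in pem.splitlines() if l and not l.startswith(b"-----")]
    return base64.b64decode(b"".join(body))

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def signature_algorithm(cert):
    der = pem_to_der(cert)
    _, start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    tag, a, b = read_tlv(der, alg_start)      # algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("not an X.509 certificate")
    arcs, value = [der[a] // 40, der[a] % 40], 0  # first byte packs the first two arcs
    for byte in der[a + 1:b]:                     # remaining arcs are base-128
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    oid = ".".join(map(str, arcs))
    return SIG_OIDS.get(oid, oid)  # unmapped algorithms come back as a dotted OID

def still_sha1(cert):
    return signature_algorithm(cert) == "sha1WithRSAEncryption"

def tlv(tag, body):  # DER encoder for the constructed samples (bodies < 256 bytes)
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + head + body

def constructed_cert(last_arc):  # constructed skeleton: dummy TBS and signature
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, tlv(0x04, bytes(150))) + alg + tlv(0x03, b"\x00\xff"))
```

Pass the bytes of each exported certificate file to `still_sha1` and compare the result before and after the certificate is reissued.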
