This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
okatsladz454
Contributor
‎2024-10-17 07:42 AM
Jump to solution

Adding a standalone log server to the Algosec installation

Hello,

We are using Algosec to analyze our devices through Lea + CMI on an MDS installation, and everything was working fine until we needed to add a separate CMA + gateways in new domain. In this case, log collection from gateway devices occurs not on a MLM or CMA server, but on a standalone log server that is located in our new domain.

During the log analysis process, Algosec tries to access the standalone server directly via LEA using a previously generated certificate (which was created in the OpsSec application object). Although Algosec can correctly identify the log server, when trying to access it via the LEA API, an error message is displayed: "ERROR: SIC ERROR 301 - SIC Error for lea: Certificate chain is inconsistent". The corresponding errors are not observed if the analysis is run from a gateway whose log server is specified as MLM.

I have consulted this knowledge base article, but on the standalone server, it does not allow any operations with the cpca_client: https://support.checkpoint.com/results/sk/sk181527.

Therefore, my question is: Is it possible to allow access to the standalone log server through LEA using the certificate?

Version Take 84 R81 20

 

 

0 Kudos
2 Solutions

Accepted Solutions
okatsladz454
Contributor
‎2024-10-23 01:48 AM
In response to PhoneBoy
Jump to solution

@PhoneBoy @the_rock 
Good afternoon 

We found out that the problem is on the side of Algosec.

Algosec considers the certificate issued by CMA is root certificate for the Standalone log server and refuses to process the certificate issued by ICA MDS.

[ 2773 4147275584]@Algosec[22 Oct 10:32:23] fwKeyHolder:
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] Root CAs
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] 1: O=MDS..chjwvb
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] O=MDS..chjwvb
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] Certified keys
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] 1: algosec
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] Has Private
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] CN=algosec,O=MDS..chjwvb
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] O=MDS..chjwvb
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] Root: O=MDS..chjwvb
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] fwCert_FixChain_do: didn't find root ca in chain top
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] fwCert_FixChain_do: Can't find the chains' root CA in my token
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] ckpSSL_VerifyCallback: failed to fixed chain
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] SSL e stack
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] 2773:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:902

View solution in original post

0 Kudos
okatsladz454
Contributor
‎2024-10-23 05:01 AM
In response to the_rock
Jump to solution

no because it s not a check point problem as i expected

View solution in original post

11 Replies
PhoneBoy
Admin
Admin
‎2024-10-17 11:18 AM
Jump to solution

The command here is relevant for running on management only (i.e. the Internal CA).
I suspect you'll need to regenerate the certificate for the log server in question.
I suggest involving TAC here.

0 Kudos
okatsladz454
Contributor
‎2024-10-18 01:58 AM
In response to PhoneBoy
Jump to solution

Good afternoon. I don't see any problems with algosec here. For some reason, the log server itself rejects the CMMI certificate, despite the fact that it received it according to global policies. The re-creation of the CPMI certificate did not give any result

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-18 11:57 AM
In response to okatsladz454
Jump to solution

I suggest involving TAC, as stated previously: https://help.checkpoint.com 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-10-19 06:17 AM
In response to okatsladz454
Jump to solution

I would also open TAC case. It might be tricky to get this done with standalone, if its even possible.

Andy

0 Kudos
okatsladz454
Contributor
‎2024-10-21 01:50 AM
In response to the_rock
Jump to solution

Good morning. Thanks for your reply. I am interested in which of the demons is responsible for obtaining a certificate for LEA and CPMI, and if it is CPCA, then the question of its functionality on not MGMT devices (standalone log, MLM)

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-10-21 04:33 AM
In response to okatsladz454
Jump to solution

Just search for LEA

Andy

https://support.checkpoint.com/results/sk/sk97638

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-21 01:26 PM
In response to the_rock
Jump to solution

And the answer is, in fact, cpca.

0 Kudos
okatsladz454
Contributor
‎2024-10-23 01:48 AM
In response to PhoneBoy
Jump to solution

@PhoneBoy @the_rock 
Good afternoon 

We found out that the problem is on the side of Algosec.

Algosec considers the certificate issued by CMA is root certificate for the Standalone log server and refuses to process the certificate issued by ICA MDS.

[ 2773 4147275584]@Algosec[22 Oct 10:32:23] fwKeyHolder:
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] Root CAs
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] 1: O=MDS..chjwvb
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] O=MDS..chjwvb
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] Certified keys
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] 1: algosec
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] Has Private
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] CN=algosec,O=MDS..chjwvb
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] O=MDS..chjwvb
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] Root: O=MDS..chjwvb
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] fwCert_FixChain_do: didn't find root ca in chain top
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] fwCert_FixChain_do: Can't find the chains' root CA in my token
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] ckpSSL_VerifyCallback: failed to fixed chain
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] SSL e stack
[ 2773 4147275584]@Algosec[22 Oct 10:32:23] 2773:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:902

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-10-23 03:59 AM
In response to okatsladz454
Jump to solution

Did you end up opening TAC case about it?

Andy

0 Kudos
okatsladz454
Contributor
‎2024-10-23 05:01 AM
In response to the_rock
Jump to solution

no because it s not a check point problem as i expected

the_rock
MVP Gold
MVP Gold
‎2024-10-23 05:05 AM
In response to okatsladz454
Jump to solution

Fair enough

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events