This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Durin
Contributor
‎2020-07-06 04:04 AM

Find out if fingerprint has changed on LDAPS server

Hi,

 

I am looking for a way to find out if the fingerprint on an LDAPS server has changed (an LDAP account unit).

Currently when the fingerprint is changed authentication stops working since the management server notices that the fingerprint has changed and one have to manually fetch and install the gateways so it reflects the new changes.

So i am looking for a way to detect this, for example where can i find the current fingerprint so i can compare ?

Management server is running R80.30

Thanks in advance

 

0 Kudos
11 Replies
Dor_Marcovitch
Advisor
‎2020-09-24 02:59 AM

you can try to connect to the DC and check if it has a "new" certificate issued to it

cpopenssl s_client -connect <IP>:636

if you have some other monitoring systems, then you can raise an event on the DC by monitoring the event log to see if a new certificate was enrolled

i am also looking for a solution for next re-authentication, not sure why CP uses the server's fingerprint and not just relaying on the PKI infrastructure

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2022-02-11 11:23 AM
In response to Dor_Marcovitch

The certificate on the LDAP has to be changed by someone - it is not done automatically. Someone responsible for LDAP should (or have to ?) inform all consumers (firewall team) that the certificate is going to be changed.

Kind regards,
Jozko Mrkvicka
Durin
Contributor
‎2022-02-12 09:31 AM
In response to JozkoMrkvicka

Yes that is if routines is working as it should. But in a larger enterprise it can be a challenge.

Dor_Marcovitch
Advisor
‎2022-02-12 09:38 AM
In response to JozkoMrkvicka

If the ca is an enterprise ca and the dc has permissions this procedure happanes automaticly with auto enrollment. 

I still dont understand why they are using certificate pinning and not just trusting a root ca as pki is designed to.work.

(1)
Daniel_Westlund
Collaborator
Collaborator
‎2023-11-14 08:37 AM
In response to JozkoMrkvicka

I'm not sure that this doesn't happen automatically. I had a customer who had an ISP scheduled outage last night. When it came back up, they had intermittent issues which we ended up solving by refreshing the DCs fingerprints in the LDAP Account Unit in SmartConsole. I've had this issue come up several times with different customers in the past year, and never had it happen before. In every case, it doesn't seem like anyone updated this manually. I'm trying to find out why it changes, if there's a way to monitor it, and if there's a way to make it not break all authentication on the firewall when it does change?

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2023-11-21 01:41 PM
In response to Daniel_Westlund

You can also leave the fingerprint for all DCs blank. With that, the Check Point will not check the fingerprints, instead will accept everything. It is not the best security solution, but some organizations can accept that risk.

Kind regards,
Jozko Mrkvicka
JozkoMrkvicka
Authority
Authority
‎2023-11-23 11:37 AM
In response to Daniel_Westlund

With R82 version, following feature should be available:

  • The LDAP Account Unit object now uses the LDAP server name and CA certificate for LDAP trust. The trust is automatically renewed if an administrator renews or replaces the LDAP server certificate. As a result, Check Point servers keep their connectivity to the LDAP server.
Kind regards,
Jozko Mrkvicka
Roman_Niewiado1
Contributor
‎2020-09-24 05:05 AM

You can also let the fingerprint field empty. Then it doesn´t matter, if the fingerprint changes.

Dor_Marcovitch
Advisor
‎2020-09-24 05:29 AM
In response to Roman_Niewiado1

and if i remove the fingerprint, does the FW perform validity checks on the certificate ? 

if the CA is an internal CA.. where do i put it's certificate to be trusted?

0 Kudos
XavierBens
Employee
Employee
‎2022-02-11 10:19 AM

The way to do so is:

cpopenssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | cpopenssl x509 -fingerprint -md5 -noout -in /dev/stdin

(found here and just adapted to cpopenssl) 

Cybersecurity Evangelist, CISSP, CCSP, CCSM Elite
0 Kudos
David_C1
Advisor
‎2022-02-12 01:17 PM
In response to XavierBens

You can also use the "test_ad_connectivity" command (at least in R80.40, I assume it is available in R80.30). Details are in the Identity Awareness Administration Guide in the Command Line Reference section. You can specify the fingerprint in the test. I used this to verify which DCs in our environment had different fingerprints than what I had configured in SmartConsole.

Dave

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events