This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
‎2024-03-05 07:53 AM

Identity collector

Hi

I am using IDC to collect identities from AD, but it works only on port 389:

idc1.JPG

 

If we try to use port 636 on the LDAP-AU then we get this when trying to show the AD on an Access role:

idc2.JPG

The certificate on AD servers have a purpose of "Server Authentication" (OID 1.3.6.1.5.5.7.3.1) and Client Authentication, but still get the same result.

any ideas?!

 

0 Kudos
12 Replies
Lesley
MVP Gold
MVP Gold
‎2024-03-05 08:11 AM

How does your LDAP account unit config looks like? Have you enabled LDAPS there? Able to retreive fingerprints? 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-03-06 12:17 AM
In response to Lesley

We are able to retrieve fingerprints.

ldap1.JPG

ldap2.JPG

 

ldap3.JPG

 

ldap4.JPG

ldap5.JPG

ldap6.JPG

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-03-06 05:12 AM
In response to Moudar

Config looks good.

2 things:

Can you fetch branches? 

Do you see drops from the machine where you are running Smartconsole? I recall that this search is done from the Smartconsole software itself. Maybe compare the allowed 389 traffic with 636 traffic. 

So check traffic from:

Smartcenter itself (fwmgt)

And machine on what the Smartconsole software is placed

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-03-06 06:57 AM
In response to Lesley

The fetching process seems to be working correctly. Once it's finished, I receive a long MD5 hash.

I cannot see any drop between these machines!

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-03-06 05:45 AM
In response to Moudar

As @Lesley asked, can you fetch the branches? Thats super important, mind you would not work in S1C instance, but if its on prem mgmt, 100% has to work.

Best,

Andy

Best,
Andy
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-03-06 06:38 AM
In response to the_rock

The fetching process seems to be working correctly. Once it's finished, I receive a long MD5 hash

when running this command:

[Expert@fw01:0]# cpopenssl s_client -connect 10.8.0.12:636 2>&1 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | cpopenssl x509 -noout -md5 -fingerprint

I get the same MD5 hash that shows on the LDAP-AU

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-03-06 07:01 AM
In response to Moudar

If thats the case, may need some more debugging...I would open TAC case if you have not done so already.

Best,

Andy

Best,
Andy
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-03-06 07:16 AM
In response to the_rock

If I run this on Wireshark:

ip.addr == 192.168.12.12 and tcp.port == 636

where 192.168.12.12 is AD, Wireshark is running on Windows machine that runs SmartConsole and IDC.

Should that show any packets? Because it does not show anything now! 

How and where should I run Wireshark to see if 636 traffic is flowing ?

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-03-06 07:29 AM
In response to Moudar

Not needed anymore has been changed:

https://support.checkpoint.com/results/sk/sk115677

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-03-06 01:33 PM
In response to Lesley

checking the logs $FWDIR/log/cpm.elg

ldap7.JPG

some Error is happening, any ideas

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-03-06 07:29 AM
In response to Moudar

can you check:

https://support.checkpoint.com/results/sk/sk167159

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2024-03-06 12:59 PM
In response to Lesley

My certificates are signed with sha256RSA!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events