LazarusG
Contributor

Relating Azure registered apps to SmartConsole configuration.

Hi

I hope you can help.

Over time environments end up with many registered applications in Azure and sometimes they have expired secrets/certificates.

However, I'm having trouble trying to relate the registered app to SmartConsole configuration, e.g. an app ID:

d6d2284d-2e02-462b-aab3-482aafxxxxx

can't be searched for in SmartConsole, and I haven't been able to find it by searching within values in GuiDBedit, but I know that this is related to the Azure AD object in my lab.

Is there a way to work out why registered apps exist in Azure, what their function is/was, and what they relate to in SmartConsole?

Is this a silly question or do others have the same issue?

Thanks!

11 Replies
the_rock
Legend

Are you able to locate it using API?

LazarusG
Contributor

Dunno, looks like my lab is broken.

[Expert@MANAGEMENT:0]# mgmt_cli --4434 show hosts filter d6d2284d-2e02-462b-aab3-482aaf76xxxx
Username: admin
Password:
message: "Error 404. The Management API service is not available. Please check that the Management API server is up and running."
code: "generic_error"

[Expert@MANAGEMENT:0]# api status

API Settings:
---------------------
Accessibility: Require local
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 14637
CPM Started 14637 Check Point Security Management Server is running and ready
FWM Started 14131
APACHE Started 3901

Port Details:
-------------------
JETTY Internal Port: 62093
JETTY Documentation Internal Port: 57437
APACHE Gaia Port: 4434 (a non-default port)
When running mgmt_cli commands add '--port 4434'
When using web-services, add port 4434 to the URL

Profile:
-------------------
Machine profile: Medium env resources profile
CPM heap size: 1280m

Apache port retrieved from: dbget http:ssl_port


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

the_rock
Legend

That's odd, it shows the API is ready and all services started. You can log into SmartConsole?

PhoneBoy
Admin

You did not enter a valid command, which is why it failed.
Try: mgmt_cli --port 4434 -r true show hosts filter d6d2284d-2e02-462b-aab3-482aaf76xxxx

LazarusG
Contributor

Oh wow, thanks for the clarification! Yes, this doesn't error out, but it also doesn't find the app ID, unfortunately:

[Expert@MANAGEMENT:0]# mgmt_cli --port 4434 -r true show hosts filter d6d2284d-2e02-462b-aab3-482aaf76d131
objects: []
total: 0

[Expert@MANAGEMENT:0]#

I guess the registered app can only be associated with data center functions, so there is a limited amount of config in SmartConsole we can check?

The customer has problems with Azure CloudGuard failover, and their $FWDIR/scripts/azure_ha_test.py is failing due to an expired certificate/key for a registered app, but registered apps aren't deployed as part of the template, so I can't understand how it can be a factor. But also we can't identify what the registered app was created for...

Thank you though for the guidance on mgmt_cli

PhoneBoy
Admin

@Shay_Levin can you find the right resources to assist here?
You might want to also open a TAC case in parallel.

Shay_Levin
Admin

After you deploy a Check Point Cluster, the automatic credentials can be found in Azure Portal > Resource groups > cluster_resource_group > Access control (IAM).

There are two service principals for each Cluster Member, each with a Contributor role

LazarusG
Contributor

Thank you Shay, I appreciate the response.

In this case I did check the Contributor roles and they were OK. However, the Python script seemed to be failing due to a 403 for a UUID of an app registered at:

#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/All Applications

Unless the app was well named I can't tell what it was created for, and I was also having issues correlating it to any configuration in SmartConsole.

As such, I found it difficult to tell them if this was indeed impacting HA failover (as it's a registered app) or if they could safely delete the app (you would assume so if the certificate/key had expired).

But I no longer have access to their environment and can't progress.

Thanks

LazarusG
Contributor

Is it possible they created their own SPN in the past? Would that show as a registered app?

LazarusG
Contributor

Yes, it does.

I imagine the customer followed this process to create a service principal:

Workflow for Setting Up a High Availability Cluster in Azure (checkpoint.com)

"The Check Point Cluster template automatically deploys the Virtual Machine with a system-assigned managed identity and assigns a Contributor role to the Cluster resource group. Therefore, you do not have to create your own service principal. For more information, see What is managed identities for Azure resources?

After you deploy a Check Point Cluster, the automatic credentials can be found in Azure Portal > Resource groups > cluster_resource_group > Access control (IAM). There are two service principals for each Cluster Member, each with a Contributor role."

I created a service principal in my dev tenant and this does create a registered app. Also, in my lab it's failing in the same way as the customer's environment:

[Expert@exampleclus2:0]# $FWDIR/scripts/azure_ha_test.py
Setting api versions for "ha" solution
ARM versions are: {
"resources": "?api-version=2019-07-01"
}
Testing if DNS is configured...
- Primary DNS server is: 168.63.129.16
Testing if DNS is working...
- DNS resolving test was successful
Testing connectivity to login.microsoftonline.com:443...
Testing ClusterXL parameters...
Testing cluster interface configuration...
Testing credentials...
Error:
HTTP/1.1 401 Unauthorized
b'{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app \'05c984e8-bff8-48c6-a761-b1ff7cb75f62\'. Trace ID: fecc30d7-326c-4f36-8d7b-4a9adab17100 Correlation ID: f5692817-2085-4f73-b84b-03e6f4237e55 Timestamp: 2024-07 -19 08:55:03Z","error_codes":[7000215],"timestamp":"2024-07-19 08:55:03Z","trace_id":"fecc30d7-326c-4f36-8d7b-4a9adab17100","correlation_id":"f5692817-2085-4f73-b84b-03e6f4237e55","error_uri ":"https://login.microsoftonline.com/error?code=7000215"}'

05c984e8-bff8-48c6-a761-b1ff7cb75f62 is the application/client ID in Azure.

So this wouldn't show in smartconsole and explains why I couldn't find it.

As it's an optional step, I take it this is no longer needed? I guess we should follow the process to revert(?):

Seemed to work in my dev tenant:

[Expert@exampleclus2:0]# $FWDIR/scripts/azure_ha_test.py
Setting api versions for "ha" solution
ARM versions are: {
"resources": "?api-version=2019-07-01"
}
Testing if DNS is configured...
- Primary DNS server is: 168.63.129.16
Testing if DNS is working...
- DNS resolving test was successful
Testing connectivity to login.microsoftonline.com:443...
Testing ClusterXL parameters...
Testing cluster interface configuration...
Testing credentials...
Error:
HTTP/1.1 401 Unauthorized
b'{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app \'05c984e8-bff8-48c6-a761-b1ff7cb75f62\'. Trace ID: fecc30d7-326c-4f36-8d7b-4a9adab17100 Correlation ID: f5692817-2085-4f73-b84b-03e6f4237e55 Timestamp: 2024-07 -19 08:55:03Z","error_codes":[7000215],"timestamp":"2024-07-19 08:55:03Z","trace_id":"fecc30d7-326c-4f36-8d7b-4a9adab17100","correlation_id":"f5692817-2085-4f73-b84b-03e6f4237e55","error_uri ":"https://login.microsoftonline.com/error?code=7000215"}'
[Expert@exampleclus2:0]# azure-ha-conf --system-assigned --force
[Expert@exampleclus2:0]# $FWDIR/scripts/azure_ha_test.py
Setting api versions for "ha" solution
ARM versions are: {
"resources": "?api-version=2019-07-01"
}
Testing if DNS is configured...
- Primary DNS server is: 168.63.129.16
Testing if DNS is working...
- DNS resolving test was successful
Testing connectivity to login.microsoftonline.com:443...
Testing ClusterXL parameters...
Testing cluster interface configuration...
Testing credentials...
Getting information about the environment...
Getting information about the VM exampleclus2...
Id : /subscriptions/9ec20cba-d227-45c9-a6d4-b72690a15358/resourceGroups/examplerg/providers/Microsoft.Network/networkInterfaces/exampleclus2-eth0
Subscription : 9ec20cba-d227-45c9-a6d4-b72690a15358
Resource group: examplerg
Type : Microsoft.Network/networkInterfaces
Name : exampleclus2-eth0
Attempting to read - [OK]
Attempting to write - [OK]
Getting information about the VM exampleclus1...
Id : /subscriptions/9ec20cba-d227-45c9-a6d4-b72690a15358/resourceGroups/examplerg/providers/Microsoft.Network/networkInterfaces/exampleclus1-eth0
Subscription : 9ec20cba-d227-45c9-a6d4-b72690a15358
Resource group: examplerg
Type : Microsoft.Network/networkInterfaces
Name : exampleclus1-eth0
Attempting to read - [OK]
Attempting to write - [OK]
Testing cluster public IP address...
Id : /subscriptions/9ec20cba-d227-45c9-a6d4-b72690a15358/resourcegroups/examplerg/providers/Microsoft.Network/publicIPAddresses/exampleclus
Subscription : 9ec20cba-d227-45c9-a6d4-b72690a15358
Resource group: examplerg
Type : Microsoft.Network/publicIPAddresses
Name : exampleclus
Attempting to read - [OK]
Verifying Azure interface configuration...
- Interface eth1: local IP address = 172.16.1.6, peer IP address = 172.16.1.5
- Interface eth0: local IP address = 172.16.0.5, peer IP address = 172.16.0.4

All tests were successful!

LazarusG
Contributor

A colleague points out there is also a process to refresh the SPN app credentials in sk182336, step 9.

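The credential failure quoted earlier in this thread is where the registered app's client ID actually surfaces, which is what the whole thread was trying to correlate. As an added example (not azure_ha_test.py's own code or anything from Check Point), this Python snippet pulls the app ID, AADSTS code and trace ID out of that output so they can be matched against the Azure app registrations list, and maps the code to the two fixes mentioned above (rotate the SPN credential, or switch to the system-assigned identity). It assumes the output format as quoted in the thread (an HTTP status line followed by a b'...' body) and that a 403 in that position is a permission rather than a credential problem.

```python
import ast
import json
import re
from typing import Optional

# Constructed sample, modelled on the failing "Testing credentials..." step of
# $FWDIR/scripts/azure_ha_test.py quoted in this thread (same app and trace IDs).
SAMPLE_OUTPUT = r"""Testing credentials...
Error:
HTTP/1.1 401 Unauthorized
b'{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app \'05c984e8-bff8-48c6-a761-b1ff7cb75f62\'. Trace ID: fecc30d7-326c-4f36-8d7b-4a9adab17100 Correlation ID: f5692817-2085-4f73-b84b-03e6f4237e55 Timestamp: 2024-07-19 08:55:03Z","error_codes":[7000215],"timestamp":"2024-07-19 08:55:03Z","trace_id":"fecc30d7-326c-4f36-8d7b-4a9adab17100","correlation_id":"f5692817-2085-4f73-b84b-03e6f4237e55","error_uri":"https://login.microsoftonline.com/error?code=7000215"}'
"""

# Remediation hints taken from this thread (sk182336 step 9, or azure-ha-conf).
REMEDIATION = {
    7000215: ("client secret rejected (wrong value, secret ID sent instead of the "
              "value, or expired): rotate the app registration credential, or run "
              "'azure-ha-conf --system-assigned --force' to use the managed identity"),
}


def parse_ha_test_error(output: str) -> Optional[dict]:
    """Extract the Entra ID token error; the script prints an HTTP status line and
    then the response body as a Python bytes repr, b'{...}' (format as quoted above)."""
    status = re.search(r"^HTTP/1\.\d (\d{3})", output, re.M)
    body = re.search(r"^(b'.*')\s*$", output, re.M)
    if not status or not body:
        return None  # no token error in this run (e.g. "All tests were successful!")
    err = json.loads(ast.literal_eval(body.group(1)).decode("utf-8"))
    app = re.search(r"app '([0-9a-f-]{36})'", err.get("error_description", ""))
    return {
        "http_status": int(status.group(1)),
        "error": err.get("error"),
        "error_codes": err.get("error_codes", []),
        "app_id": app.group(1) if app else None,  # the registration to look up in Azure
        "trace_id": err.get("trace_id"),
        "correlation_id": err.get("correlation_id"),
    }


def triage(parsed: dict) -> str:
    """Map a parsed error to the next check an admin should make."""
    if parsed["http_status"] == 403:  # assumed: token issued but the identity lacks rights
        return "forbidden: verify the identity's Contributor role on the cluster resource group"
    for code in parsed["error_codes"]:
        if code in REMEDIATION:
            return f"app {parsed['app_id']}: {REMEDIATION[code]}"
    return f"{parsed['error']}: quote trace_id {parsed['trace_id']} in the TAC case"
```

Run `triage(parse_ha_test_error(open("ha_test.log").read()))` on a saved run of the script; a run that passes returns None from the parser.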