Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
mjovovic
Contributor

Untrusted SSL on Cluster's outside interface

Hello,

I have managed to implement internal CA signed SSL cert for our Cluster (with multiportal enabled).

All platform portals are accessible by internal interfaces and SSL is trusted and okay.

Accessibility of platform portal is as in following picture:

1.png
 

 

I read that IPSec do not use SSL cert. If I remove checkbox for "Including VPN encrupted interfaces" will our S2S IPSec VPN and RAVPN be interrupted?

Our Check Point cluster public IP is not trusted. How to make cluster public IP not self signed/default  certificate?

When we scan our public cluster IP by ssl checker we get not trusted warning in browser and following default cert is used:

2.png

 

How to change this cert too? Will it affect our VPNs?

 

Thanks.

0 Kudos
17 Replies
PhoneBoy
Admin
Admin

The platform portal setting you picture should have no impact on IPsec VPN or SSL VPN.

As for the untrusted certificate you see, if you're using Mobile Access Blade, you can replace it using something like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

mjovovic
Contributor

Hello PhoneBoy,

Thanks.

Customer is using  CPSB-EP-ACCESS-P-LICENSE for RAVPN not mobile access, but this untrusted cert is presented on outside interfaces in cluster (GW1, GW2 and VIP).

0 Kudos
PhoneBoy
Admin
Admin

If MAB isn't active, it's the legacy SNX portal.
If you're not using SNX at all, might as well disable it as shown here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

mjovovic
Contributor

Thanks PhoneBoy.

 

So just once more, we can exclude IPSec VPN (S2S and RAVPN) that it does not use this self signed SSL on outside interface?

Having that in mind, only two features that can use  self signed cert on outside interfaces are Mobile access blade or SNX legacy?

 

Is there a way to check it, to be sure what uses it (cli..)?

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Can you explain what the issue is with self signed certificates ? Usually, all portals use internal CA. You can replace the cert by a 3rd party 1 for MAB and SSL inspection, but there is no difference from a users viewpoint: If i want to access services, i would have to accept the self-signed certificate once. If i use a 3rd party certificate it also has to be accepted once. Looking at how certs are stolen or missused i prefer my own internal CA !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
mjovovic
Contributor

Hello Albrecht,

Customer wants to avoid SSL check tools to not show self-signed cert warnings. I agree with You that encryption is guaranteed and they know that system is theirs. But again they want that.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Sorry, but this demand is absolute nonsense in my eyes as it adds nothing to security at all - Customer wants to avoid that SSL check tools he uses himself show him that his FW has a self-signed cert ?

I would rather suggest to care for more important things like DDoS Protection, allowed Ciphers and TLS versions instead...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
mjovovic
Contributor

I  totally agree with You.

It is important to educate customers, but again if they want something so much what will make them happy (if it does not produce any consequence to system and security), it's okay.

0 Kudos
the_rock
Legend
Legend

The default web UI portal cert is good for 10 years and as far as vpn cert, that was changed recently to 1, rather than 5 years validity.

0 Kudos
mjovovic
Contributor

This cert is only valid until 7th May:

valid.png

0 Kudos
the_rock
Legend
Legend

Thats because it was created in 2017...if it was created recently, only good for 1 year.

0 Kudos
the_rock
Legend
Legend

It sounds like if they dont want that, in that case, you may need 3rd party CA cert.

mjovovic
Contributor

It is best just to disable this cert (mab or snx).

0 Kudos
PhoneBoy
Admin
Admin

IPSec VPN (either S2S or C2S) doesn't use this cert.

mjovovic
Contributor

Does this self signed cert by MGMT CA, auto renew? 

0 Kudos
mjovovic
Contributor

Hello PhoneBoy,

 

This cluster does not use mobile access blade (not active), nor it supports SSL Network Extender nor it Support Clientless VPN.

How to check what CP feature gives SSL client VPN cert on outside cluster interface?

Do I need to check this possible workaround:

Edit the 'index.html' file specifically for SNX. If SNX client connects to a cluster, then perform these changes on all cluster members (reboot / policy installation are not required).

[Expert@HostName]# cd $FWDIR/conf/extender
[Expert@HostName]# ls -la index*
[Expert@HostName]# cp index.html index.notworking
[Expert@HostName]# rm -i index.html
[Expert@HostName]# ls -la index*

 

 

0 Kudos
PhoneBoy
Admin
Admin

It may be active even if you've not explicitly enabled SNX, thus those steps might be appropriate.
However, it doesn't necessarily get rid of the initial TLS connection.
For that...you may need a TAC case, as I'm not sure how to change the certificate for (or better yet disable) the legacy SNX portal.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events