Hello,
I have managed to implement internal CA signed SSL cert for our Cluster (with multiportal enabled).
All platform portals are accessible by internal interfaces and SSL is trusted and okay.
Accessibility of platform portal is as in following picture:
I read that IPSec does not use the SSL cert. If I remove the checkbox for "Including VPN encrypted interfaces", will our S2S IPSec VPN and RAVPN be interrupted?
Our Check Point cluster public IP is not trusted. How do we make the cluster public IP not use the self-signed/default certificate?
When we scan our public cluster IP with an SSL checker, we get a not-trusted warning in the browser, and the following default cert is used:
How to change this cert too? Will it affect our VPNs?
Thanks.
The platform portal setting you picture should have no impact on IPsec VPN or SSL VPN.
As for the untrusted certificate you see, if you're using Mobile Access Blade, you can replace it using something like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Hello PhoneBoy,
Thanks.
Customer is using CPSB-EP-ACCESS-P-LICENSE for RAVPN, not Mobile Access, but this untrusted cert is presented on the outside interfaces of the cluster (GW1, GW2 and VIP).
If MAB isn't active, it's the legacy SNX portal.
If you're not using SNX at all, might as well disable it as shown here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Thanks PhoneBoy.
So just once more: can we exclude IPSec VPN (S2S and RAVPN), i.e. it does not use this self-signed SSL cert on the outside interface?
Having that in mind, are the only two features that can use the self-signed cert on the outside interfaces the Mobile Access Blade or legacy SNX?
Is there a way to check it, to be sure what uses it (CLI...)?
Can you explain what the issue is with self-signed certificates? Usually, all portals use the internal CA. You can replace the cert with a 3rd party one for MAB and SSL inspection, but there is no difference from a user's viewpoint: if I want to access services, I would have to accept the self-signed certificate once. If I use a 3rd party certificate, it also has to be accepted once. Looking at how certs are stolen or misused, I prefer my own internal CA!
Hello Albrecht,
Customer wants to avoid SSL check tools showing self-signed cert warnings. I agree with you that encryption is guaranteed and they know the system is theirs. But again, they want that.
Sorry, but this demand is absolute nonsense in my eyes, as it adds nothing to security at all. Customer wants to avoid that SSL check tools he uses himself show him that his FW has a self-signed cert?
I would rather suggest caring about more important things like DDoS protection, allowed ciphers and TLS versions instead...
I totally agree with You.
It is important to educate customers, but again if they want something so much what will make them happy (if it does not produce any consequence to system and security), it's okay.
The default web UI portal cert is good for 10 years and as far as vpn cert, that was changed recently to 1, rather than 5 years validity.
This cert is only valid until 7th May:
That's because it was created in 2017... if it was created recently, it would only be good for 1 year.
It sounds like if they don't want that, you may need a 3rd party CA cert.
It is best just to disable this cert (mab or snx).
IPSec VPN (either S2S or C2S) doesn't use this cert.
Does this self-signed cert from the MGMT CA auto-renew?
Hello PhoneBoy,
This cluster does not use the Mobile Access blade (not active), nor does it support SSL Network Extender or Clientless VPN.
How do I check which CP feature presents the SSL client VPN cert on the outside cluster interface?
Do I need to check this possible workaround:
Edit the 'index.html' file specifically for SNX. If SNX client connects to a cluster, then perform these changes on all cluster members (reboot / policy installation are not required).
[Expert@HostName]# cd $FWDIR/conf/extender
[Expert@HostName]# ls -la index*
[Expert@HostName]# cp index.html index.notworking
[Expert@HostName]# rm -i index.html
[Expert@HostName]# ls -la index*
It may be active even if you've not explicitly enabled SNX, thus those steps might be appropriate.
However, it doesn't necessarily get rid of the initial TLS connection.
For that...you may need a TAC case, as I'm not sure how to change the certificate for (or better yet disable) the legacy SNX portal.
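The thread asks how to check, from the command line, which certificate is actually presented on the outside cluster IP and whether it is the default self-signed one. The script below is an added example, not from the thread or from Check Point; it uses only stock openssl (present in Expert mode and on any admin workstation), and the host 203.0.113.10 in the usage note is a documentation address standing in for the cluster VIP. It fetches the leaf certificate a TLS listener presents, prints its subject, issuer and expiry, and reports whether subject and issuer are identical (the usual sign of a self-signed default cert) and how long it remains valid.

```shell
#!/bin/sh
# Added example (not Check Point code): inspect the certificate a TLS
# listener presents and decide whether it is self-signed. Requires openssl.

# Fetch the leaf certificate presented on host:port and save it as PEM.
# Needs network reachability to the listener; SNI is set to the host name.
fetch_server_cert() {
  host="$1"; port="${2:-443}"; out="$3"
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# Print subject, issuer and validity end of a PEM certificate, one per line.
cert_fields() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Return 0 if the certificate's subject equals its issuer (self-signed).
# The sed strips the "subject=" / "issuer=" prefixes so the two can be compared
# regardless of the openssl version's output spacing.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ]
}

# Return 0 if the certificate is still valid for at least N more days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Usage against the cluster VIP would be `fetch_server_cert 203.0.113.10 443 gw.pem && cert_fields gw.pem`, followed by `is_self_signed gw.pem && echo "self-signed"`. Run it against each member IP and the VIP separately, since the thread notes that all three present the certificate; if the issuer line is not your internal CA and the subject matches the issuer, you are looking at the gateway's default certificate rather than the one you installed for the portals.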