Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Help_Desk_Help_
Explorer
Jump to solution

SSL SNX macos catalina support

hello all ,

some users upgraded their macbook to the latest macos catalina , and since then they can no longer connect to ssl using their installed network extender.

We have gaia r77.30 take 317 and the mabda sk113410.

Any suggestion will be welcome. I assume Checkpoint will offer a new mabda version in the near future,

thank you 

2 Solutions

Accepted Solutions
George_Casper
Contributor

Running R80.10 with take 203 & the latest MABDA hotfix.  Received below temporary unofficial workaround from support.  So far it enabled 3 Catalina Macbooks to function.  Its only been a day so not sure how well it will work and your mileage may vary.

 

(•)After consulting with R&D, we provide

1. Open Safari and navigate to https://localhost:14186/id

2. “The connection is not private” message will appear

3. Click "Show Details", then "visit this webpage"

4. Confirm your action and enter the password

5.Re-open the mobile access portal in a new window and then try to connect to gw again

View solution in original post

(1)
Martin_Loewe
Participant

After the Sk113410 is uninstall you have to delete it from the cpuse repository, so you can import the new Sk113410 and install that one instead.

View solution in original post

18 Replies
G_W_Albrecht
Legend
Legend

Then let your users return to the supported Mac OS High Sierra - at the moment, no CP RA VPN does support Catalina !

CCSE CCTE CCSM SMB Specialist
0 Kudos
schoenf
Participant

I installed the latest client 80.89 on Catalina with a certificate stored in the Keychain. This works on one of my machines. 

What causes problems:

  • Certificate in the file system
  • On one machine, the process of connection consumes 100% CPU.

On some configurations, it might work

I hope it helps ... downgrade to Mojave is not an option.

-werner

0 Kudos
schoenf
Participant

Any suggestion for Open Source VPN clients?

Thanks 

Werner

AlexBr
Explorer

Hi, did you manage somehow to fix the 100% cpu issue? Im having the exact problem and i cant manage to fix it. 

0 Kudos
FedericoMeiners
Advisor

Hello,

You may want to look into enabling SSL VPN within Mobile Access, altough you need newer GW version for a proper compatibility (R80.X).

Also you may want to try with other open source vpns clients that are supported on Catalina.

 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
PhoneBoy
Admin
Admin
I doubt we will be providing an updated MABDA for R77.30 as this release went End of Support in September.
I assume we will for supported releases, though.

As far as I can tell, the "32-bit only" limit of SNX is not new.
While this SK references Windows, I assume Mac is no different.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As for third party clients, anything that supports L2TP can be made to work.
I haven't personally tested this on the Mac, though.
mdjmcnally
Advisor

R80.10 Jumbo HotFix - Ongoing Take 185 adds 64 bit SNX Extender Support

R80.20 Jumbo HotFix - General Availability Take 33 adds 64 bit SNX Extender Support

These both came out January 2019

I would hope/believe that R80.30 which came out only this year already had the 64 bit SNX support.

 

As others stated then I doubt that there will be a patch for R77.30 to move to 64 bit SNX with it being End of Support.

 

What is your timescale for getting to R80.x or is there a reason that cannot upgrade to R80.x on the Gateway

0 Kudos
George_Casper
Contributor

Running R80.10 with take 203 & the latest MABDA hotfix.  Received below temporary unofficial workaround from support.  So far it enabled 3 Catalina Macbooks to function.  Its only been a day so not sure how well it will work and your mileage may vary.

 

(•)After consulting with R&D, we provide

1. Open Safari and navigate to https://localhost:14186/id

2. “The connection is not private” message will appear

3. Click "Show Details", then "visit this webpage"

4. Confirm your action and enter the password

5.Re-open the mobile access portal in a new window and then try to connect to gw again

(1)
Martin_Loewe
Participant

Hi

Thanks alot for sharing.
All macbooks we tried on here it works on, helps alot 🙂

fablepd
Explorer

Hello. 
Same problem here . Tried in Catalina to disable SIP with csrutil disable then rebooted

tried to install snx from terminal but read-only file system error appears

MacBook:~ fabiofable$ sudo snx_install_osx.sh 

Password:

install: /usr/bin/snx: Read-only file system

install: /usr/bin/SNX_Install_Tool: Read-only file system

install: /usr/bin/snx_uninstall: Read-only file system

MacBook:~ fabiofable$ 

Tried also the solution here ("https://localhost:14186/id") but I get no message and I get a web page with 

"

{"id":"eaf18dbe-908c-43a3-8b77-3378c2550512"}

Any help ?

 

0 Kudos
PhoneBoy
Admin
Admin
Just to clarify, it's available in R80.30.
It's also available in:
R80.20 jumbo take 21
R80.10 Jumbo take 179
R77.30 jumbo take 347
Steve_Spohn
Participant

So I see that this morning, sk113410 was updated to include support for Catalina, but the hotfix ID is the same as before. I checked my gateways, and there are no MABDA updates available. Is there something new that needs to be installed for Catalina to work properly?

0 Kudos
Martin_Loewe
Participant

Just tested it and you have to uninstall the "old"  MABDA hotfix and remove it from cpuse then import the new one and install it.

Seems to work fine so far in our tests

 

Just keep in mind to have a backup of the old MABDA files if you want to revert back to that version.

0 Kudos
Steve_Spohn
Participant

So uninstalling and reinstalling the Hotfix worked in our environment - but the installer in the DMG gives a warning that Apple was unable to scan it for malicious content, so it wasn't allowed to execute. Obviously, if you right click the installer and select Open, it bypasses that check, and allows it to install, but that isn't necessarily intuitive to all end users. Did the same thing happen in your environment? I replicated it on a MacBook Pro and a Mac mini in my possession.

0 Kudos
Howard_Gyton
Advisor

We already had "Check_Point_R80.30_MABDA_sk113410_FULL.tgz" installed on our R80.30 firewalls, along with Take 50, and didn't need to touch that.

Simply visiting https://localhost:14186/id was enough to fix the issue.

Could anyone explain what visiting that page actually does to correct the fault?  I didn't notice any explanation, so apologies if this has already been detailed.

Howard

0 Kudos
AndreiR
Employee
Employee

With Catalina release we have encountered two issues: 1) Apple has changed requirements for self-signed certificates and 2) Apple has started to force using notarization procedure. Visiting https://localhost:14186/id page should pop-up certificate warning and once user trust our certificate he can continue to work with Mobile Access. Update of Check_Point_R80.30_MABDA_sk113410_FULL.tgz in the end of October has fixed this issue.

The second issue is notarization. All applications which are not installed through AppStore must be notarized by Apple. This is optional before January 2020 and then it will become mandatory. This is the reason why you may see a warning that Apple was unable to scan DMG file for malicious content. We will release notarized versions of all hotfixes from sk113410 including Check_Point_R80.30_MABDA_sk113410_FULL.tgz by end of 2019.

Howard_Gyton
Advisor

Ah., so if we already have SK113410 installed, we should uninstall, reboot, then re-install?

Howard

0 Kudos
Martin_Loewe
Participant

After the Sk113410 is uninstall you have to delete it from the cpuse repository, so you can import the new Sk113410 and install that one instead.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events