Dear @_Val_
1. You need to access the Client machine, open MMC => Certificate => Personal tab and request certificate.
2. Now there will be a certificate on the local machine and export it.
3. Finally go to Smart Dashboard and import it into trust ca server of checkpoint at https inspection.
*Note: Remember to create Trust CA object in Smartconsole with CA certificate first. After completing the above, just create an Access Role with the information you want.
I’m not sure if what i am doing below is correct? i am still trying to lab it before asking customer to do it. If you have step by step, could you share with about that?
Much respect to anyone who has adopted this configuration and shared it with me. Is it necessary to use User login and AD user? or any user is fine?
I have created a CA named mtech-lab.local and created a Trust Server CA on Check Point.
Next, I go to IPsec in Object GW and create an enroll cert, then put it in CA issue and complete on GW.
I have installed the machine and CA certificates on the local machine and in the Personal & Trusted Root Certification Authorities folders.
Next, I enabled cert authen and created a policy. I use local user created on Check Point to authenticate VPN and machine is on AD.
As a result, when VPN we still cannot connect to internal resources. When we switch Auhen Machine to Mandatory and VPN, we get an error message "Machine Certificate Is Required". This means that the Import Cert is still incorrect.
I track the log file trac.log and I see it not found the cert between root CA and SMS, how can create that certificate?
Now the certificate part is passed, however. I still don't understand because no traffic still doesn't match Access Roles.I tested with 2 Test cases as follows:
Case 1:
I configure the access role with:
- Nework: 172.168.100.0/24
- User: Internal Group
- Machine: choose device from LDAP CN=DESKTOP-B1L79C9,CN=Computers,DC=mtech-lab,DC=local
After VPN we used command pdp monitor and see, it's not work if IP not match access role
Case 2:
I configure the access role with:
- Nework: 172.168.100.0/24
- User: Internal Group
- Machine: Any
After VPN we used command pdp monitor and see, this time the IP match role and traffic pass.
I'm not sure why when specific machine it doesn't match role
Dear @_Val_
1. You need to access the Client machine, open MMC => Certificate => Personal tab and request certificate.
2. Now there will be a certificate on the local machine and export it.
3. Finally go to Smart Dashboard and import it into trust ca server of checkpoint at https inspection.
*Note: Remember to create Trust CA object in Smartconsole with CA certificate first. After completing the above, just create an Access Role with the information you want.
Tue 10 Sep 2024 @ 03:00 PM (AEST)
No Suits, No Ties - MDR and Incident Response - Going Equipped to Compromise (APAC)Tue 10 Sep 2024 @ 10:00 AM (CEST)
No Suits, No Ties - MDR and Incident Response - Going Equipped to Compromise (EMEA)Tue 10 Sep 2024 @ 05:00 PM (CEST)
No Suits, No Ties - MDR and Incident Response - Going Equipped to Compromise (Americas)Wed 11 Sep 2024 @ 10:00 AM (CEST)
CheckMates Live Norway - Network Troubleshooting Best PracticesTue 10 Sep 2024 @ 03:00 PM (AEST)
No Suits, No Ties - MDR and Incident Response - Going Equipped to Compromise (APAC)Tue 10 Sep 2024 @ 10:00 AM (CEST)
No Suits, No Ties - MDR and Incident Response - Going Equipped to Compromise (EMEA)Tue 10 Sep 2024 @ 05:00 PM (CEST)
No Suits, No Ties - MDR and Incident Response - Going Equipped to Compromise (Americas)Wed 11 Sep 2024 @ 10:00 AM (CEST)
CheckMates Live Norway - Network Troubleshooting Best PracticesTue 01 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live Salzburg - Maintenance and Upgrade Best PracticesThu 03 Oct 2024 @ 10:00 AM (CEST)
CheckMates Live Vienna - Identity Awareness Best Practices and Harmony Sase Updates
.png "Wolfgang"){kind=avatar}
