We currently utilize certificate based VPNs between our main cluster and some 1430 SMB DAIP appliances, everything is Centrally Managed. These VPNs currently work great with no issues. We fail certain compliance scans because the IPsec certificate being used by the firewall cluster is a self-signed certificate which is an automatic fail. Since we utilize certificate based VPNs, we now have the task of replacing the self-signed VPN certificate with a trusted certificate from a third-party CA.
Replacing the internal VPN certificate with a third-party certificate seems pretty straightforward. My problem is I do not understand what steps are needed to move the 1430 SMB DAIP appliances to using the new third-party certificate and how to test it.
Based on what I know, this is where I am stuck in this process.
At this point I would assume both internal_ca & third-party certificates would be presented to the SMB appliances to be used for a certificate VPN, but how do I tell it to use the third-party and how do I verify it is? I would assume this process would be needed every year for the renewal process.
I've looked over this article (Setup Cert VPN), which is basically what we are doing now, and the Site to Site VPN admin guide mentions "CA Certificate Rollover" but doesn't offer the insight I am looking for.
The cluster is running R81.10 Take 66 & the SMB 1430 DAIP appliances are running R77.20.87 (990173120).
Thoughts?
May I ask a side question? If all your GWs are centrally managed, why would you need a third-party certificate in the first place? It is usually done to get VPN working with externally managed VPN GWs.
Sure, I can elaborate on that more.
All of our public IP addresses get scanned for compliance reasons. We would like to pass these compliance scans. If you navigate to the public IP of our cluster https://<public_ip>/ - you will be presented with an SSL certificate. When examining said certificate it is the same one that is listed in the IPsec certificate repository. That is a self-signed certificate from the internal_ca of the Check Point. This fails the compliance scan because it is seen as a self-signed certificate and therefore it is not trusted. Compliance says we need a valid certificate so our option is to replace the internal_ca certificate with a trusted third-party certificate; doing that would affect the certificate based VPNs with our 1430 SMB DAIP appliances.
Unless I am missing something and there is a better way to navigate this issue.
TL;DR - Self-signed certificates are bad for certain compliance scans. Self-signed certificates need to be replaced with trusted certificates to not fail compliance scans.
Portal GW certificates are not your VPN certificates. On which port do you see them when running the compliance scan? If on 443, then dig into changing portal certificates, not VPN certs.
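One way to confirm which certificate the compliance scanner actually sees on TCP/443, and whether it is self-signed or chains to a public trust store, as an added example that is not from this thread or from Check Point. It assumes OpenSSL is installed; the host address, port and file names are placeholders, and the certificate it generates is a throwaway test input.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the certificate a gateway
# presents on a TLS port, which is the portal certificate rather than the
# IPsec VPN certificate. Assumes OpenSSL is installed.

# Fetch the leaf certificate served on host:port into a PEM file.
fetch_portal_cert() {
    host="$1"; port="${2:-443}"; out="$3"
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Print subject, issuer and validity window of a PEM certificate.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Return 0 if the certificate is self-signed: issuer equals subject and the
# signature verifies using the certificate itself as the only trust anchor.
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Return 0 if the certificate chains to the system trust store, which is
# roughly what a compliance scanner accepts as a trusted certificate.
is_trusted() {
    openssl verify "$1" >/dev/null 2>&1
}

# Constructed test input: a local throwaway self-signed certificate, so the
# checks can be exercised without connecting to any real gateway.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=selfsigned.example" -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Usage against a real portal (placeholder address):
#   fetch_portal_cert 203.0.113.10 443 portal.pem
#   describe_cert portal.pem
#   is_self_signed portal.pem && echo "self-signed: expect a scan finding"
```

Running the same checks against the file exported from the IPsec certificate repository shows whether the portal and VPN certificates are actually the same object.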
See CP Site to Site VPN R81.10 Administration Guide p. 40f!
That appears to be for externally managed gateways, I do not see how to apply any of that to centrally managed gateways.