Bernardes
Advisor

Check Point Supposed Vulnerabilities

Hello Mates!

 

I have a case where I would like your help to know what I can do about it...

 

I have a customer that is a financial corporation. They have a GW in their environment with the latest updates (R81.10 T81, a VM).

A few days ago a company did some tests (I'm not sure about how this was done) and sent us a sheet with some "vulnerabilities" found in the gateway.

But the part I was in doubt about was these recommendations below:

How can I "install a server certificate" on gateway? What does it mean exactly?

 

Thank you for your support!

the_rock
Legend

Is customer using https inspection?

Bernardes
Advisor

Hello @the_rock, that feature is disabled on this gateway.

Lloyd_Braun
Collaborator

It probably does not like a self-signed certificate on the Gaia admin portal. How to create and configure certificate for Gaia Portal (checkpoint.com)

the_rock
Legend

Excellent point indeed.

Bernardes
Advisor

Hello @Lloyd_Braun, indeed there's no certificate to access the Gaia portal. Can it be the cause of these vulnerabilities found?

the_rock
Legend

I am pretty sure @Lloyd_Braun got it right, makes perfect sense.

Wolfgang
Authority

@Bernardes the gateway runs MultiPortal, as mentioned by @Timothy_Hall. There are several places to replace the default self-signed certificates with one trusted by a known CA.

[Screenshots, 2023-01-04: Check Point Gateway - Corporate-GW properties, the three certificate settings]

Here you can change the supported TLS version:

[Screenshot, 2023-01-04: AdvancedConfiguration, TLS version setting]

 

Bernardes
Advisor

@Wolfgang  thank you for your advice!

Bernardes
Advisor

@Wolfgang just a question... Do all these portals require a different certificate for each one, or can it be the same SSL certificate for all?

Wolfgang
Authority

@Bernardes from a technical point of view you can use the same certificate for all of them if it matches the names/IP addresses. But they are used for different needs: one for the Mobile Access Portal, one for the Gaia WebUI (the platform portal), and one for the UserCheck web page. Typically we use different certificates.

Bernardes
Advisor

@Wolfgang Thank you for everything! You helped me a lot!

the_rock
Legend

We are here to help...happy new year!!

the_rock
Legend

Agree with @Wolfgang. Yes, you can use the same cert, but it's probably better practice to use different ones.

Timothy_Hall
Champion

Implied rules will always allow port 80 and 443 connections to the firewall itself via multiportal, even if there is no feature enabled to actually talk to and exploit. If this is unacceptable you can do the following, but bear in mind this will break any kind of Remote Access VPN access:

1) Create an indefinite SAM rule from the SmartView Monitor or via the fw sam command blocking connections with a destination of the firewall's outside IP on ports 80 and 443

2) See sk165937: How to disable the connection to Security Gateway on TCP Port 80 and on TCP Port 443 to disable the implied rule completely

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
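An added example, not code from this thread, from Check Point or from any of the posters: a small outside-in probe that checks the three things the replies above turn on. It reports whether the gateway's outside IP still answers on TCP 80/443 at all (the implied multiportal rule that Timothy_Hall describes, versus a SAM rule or sk165937), whether port 443 presents a certificate that an ordinary client would trust for the portal name (the default self-signed certificate versus the CA-signed replacement Wolfgang shows), and which TLS protocol versions the portal still accepts (the supported-TLS-version setting in the AdvancedConfiguration screenshot). The address 203.0.113.10, the wording of the findings and the `listen_locally` helper (a plain loopback listener so the reachability check can be exercised without a real gateway) are this example's own assumptions.

```python
"""Outside-in check of a gateway's multiportal listeners on TCP 80/443.

Added example for this thread; not Check Point code. Host, ports and the
finding texts are assumptions made for illustration.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TLS_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


@dataclass
class PortalProbe:
    host: str
    port: int
    open: bool = False
    cert_trusted: Optional[bool] = None      # None: no TLS handshake attempted
    verify_error: str = ""
    tls_versions: Dict[str, Optional[bool]] = field(default_factory=dict)


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes (a listener is reachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def trusted_certificate(host: str, port: int, server_name: Optional[str] = None,
                        timeout: float = 5.0) -> Tuple[bool, str]:
    """Handshake with default verification (system CA store plus hostname check).

    (True, "") when a normal client would accept the portal certificate;
    (False, reason) otherwise, e.g. 'self-signed certificate' for the default
    gateway certificate, or a hostname mismatch if the SAN does not cover the
    name the portal is reached by.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name or host):
                return True, ""
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message or str(exc)
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def accepted_tls_versions(host: str, port: int,
                          timeout: float = 5.0) -> Dict[str, Optional[bool]]:
    """Pin the client to one protocol version at a time and record whether it
    completes. Verification is off on purpose: only negotiation matters here.
    None means the local OpenSSL build cannot even offer that version."""
    results: Dict[str, Optional[bool]] = {}
    for ver in TLS_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
        except ValueError:
            results[ver.name] = None
            continue
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let TLS 1.0/1.1 suites be offered
        except ssl.SSLError:
            pass
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[ver.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[ver.name] = False
    return results


def probe(host: str, port: int) -> PortalProbe:
    """Reachability on any port; certificate and TLS-version checks on the TLS port."""
    result = PortalProbe(host, port, open=tcp_open(host, port))
    if result.open and port != 80:
        result.cert_trusted, result.verify_error = trusted_certificate(host, port)
        result.tls_versions = accepted_tls_versions(host, port)
    return result


def assess(result: PortalProbe) -> List[str]:
    """Map raw results onto the remediations named in the thread (wording is ours)."""
    if not result.open:
        return [f"{result.host}:{result.port} does not answer "
                "(implied rule disabled or a SAM rule is in place)"]
    notes: List[str] = []
    if result.cert_trusted is False:
        notes.append(f"server certificate not trusted ({result.verify_error}): "
                     "install a CA-signed certificate for this portal")
    for name in ("TLSv1", "TLSv1_1"):
        if result.tls_versions.get(name):
            notes.append(f"{name} accepted: raise the minimum TLS version "
                         "in the portal's advanced settings")
    return notes or ["ok"]


def listen_locally() -> Tuple[socket.socket, int]:
    """Constructed helper: plain TCP listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    GATEWAY_OUTSIDE_IP = "203.0.113.10"   # assumption: documentation address, not a real gateway
    for port in (80, 443):
        for line in assess(probe(GATEWAY_OUTSIDE_IP, port)):
            print(f"{GATEWAY_OUTSIDE_IP}:{port} -> {line}")
```

Run it from the same vantage point as the assessing company (outside the gateway) before and after the change. After the SAM rule or sk165937 the 80/443 result flips to "does not answer"; after the certificate replacement the "not trusted" finding only disappears if the new certificate's subject alternative names cover the exact name or address the portal is reached by, which is the reason Wolfgang's "same certificate for all if it matches the names/IP addresses" condition matters.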
Bernardes
Advisor

@Timothy_Hall thank you very much for the tip!
