This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bernardes
Advisor
Advisor
‎2023-01-03 11:49 AM
Jump to solution

Check Point Supposed Vulnerabilities

Hello Mates!

 

I have a case that I would like your help to know what I can do about it...

 

I have a customer that is a Financial Corporate. They have a GW in their environment with the latest updates (R81.10 T81 (a VM)).

A few days ago a company did some tests (I'm not sure about how this was done) and sent us a sheet with some "vulnerabilities" found in the gateway.

But the part that I was in doubt about was those recommendations below:

How can I "install a server certificate" on gateway? What does it mean exactly?

 

Thank you for your support!

Preview file
60 KB
0 Kudos
3 Solutions

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2023-01-03 07:26 PM
Jump to solution

Implied rules will always allow port 80 and 443 connections to the firewall itself via multiportal, even if there is no feature enabled to actually talk to and exploit.  If this is unacceptable you can do the following, but bear in mind this will break any kind of Remote Access VPN access:

1) Create an indefinite SAM rule from the SmartView Monitor or via the fw sam command blocking connections with a destination of the firewall's outside IP on ports 80 and 443

2) See sk165937: How to disable the connection to Security Gateway on TCP Port 80 and on TCP Port 443 to disable the implied rule completely

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

(1)
Wolfgang
Authority
Authority
‎2023-01-03 11:39 PM
In response to Bernardes
Jump to solution

@Bernardes the gateways runs MultiPortal mentioned by @Timothy_Hall. There are several places to replace the default self signed certificates to one trusted by a known CA.

2023-01-04 08_26_50-Check Point Gateway - Corporate-GW.png

2023-01-04 08_26_13-Check Point Gateway - Corporate-GW.png

2023-01-04 08_25_25-Check Point Gateway - Corporate-GW.png

Here you can change the supported TLS version:

2023-01-04 08_28_27-AdvancedConfiguration.png

 

View solution in original post

(1)
Wolfgang
Authority
Authority
‎2023-01-05 05:49 AM
In response to Bernardes
Jump to solution

@Bernardes from a technical point of view you can use the same certificate for all if it matches the names/ip-addresses. But it's used for different needs. One for MobileAccessPortal, one for GAiA WebUI the platform portal and one for UserCheck webpage. Typically we are using different certificates.

View solution in original post

15 Replies
the_rock
Legend
Legend
‎2023-01-03 12:58 PM
Jump to solution

Is customer using https inspection?

0 Kudos
Bernardes
Advisor
Advisor
‎2023-01-03 04:57 PM
In response to the_rock
Jump to solution

Hello @the_rock that feature is disabled on this gateway.

0 Kudos
Lloyd_Braun
Advisor
‎2023-01-03 01:07 PM
Jump to solution

It probably does not like a self-signed certificate on the gaia admin portal. How to create and configure certificate for Gaia Portal (checkpoint.com)  

(1)
the_rock
Legend
Legend
‎2023-01-03 01:16 PM
In response to Lloyd_Braun
Jump to solution

Excellent point indeed.

0 Kudos
Bernardes
Advisor
Advisor
‎2023-01-03 04:59 PM
In response to Lloyd_Braun
Jump to solution

hello, @Lloyd_Braun there's no certificate to access gaia portal indeed. Can it be the cause for these vulnerabilities found ?

the_rock
Legend
Legend
‎2023-01-03 05:50 PM
In response to Bernardes
Jump to solution

I am pretty sure @Lloyd_Braun got it right, makes perfect sense.

Wolfgang
Authority
Authority
‎2023-01-03 11:39 PM
In response to Bernardes
Jump to solution

@Bernardes the gateways runs MultiPortal mentioned by @Timothy_Hall. There are several places to replace the default self signed certificates to one trusted by a known CA.

2023-01-04 08_26_50-Check Point Gateway - Corporate-GW.png

2023-01-04 08_26_13-Check Point Gateway - Corporate-GW.png

2023-01-04 08_25_25-Check Point Gateway - Corporate-GW.png

Here you can change the supported TLS version:

2023-01-04 08_28_27-AdvancedConfiguration.png

 

(1)
Bernardes
Advisor
Advisor
‎2023-01-04 05:32 AM
In response to Wolfgang
Jump to solution

@Wolfgang  thank you for your advice!

0 Kudos
Bernardes
Advisor
Advisor
‎2023-01-04 06:16 AM
In response to Wolfgang
Jump to solution

@Wolfgang just a question... All these portals require a different certificate for each one or can it be the same SSL certificate for all?

0 Kudos
Wolfgang
Authority
Authority
‎2023-01-05 05:49 AM
In response to Bernardes
Jump to solution

@Bernardes from a technical point of view you can use the same certificate for all if it matches the names/ip-addresses. But it's used for different needs. One for MobileAccessPortal, one for GAiA WebUI the platform portal and one for UserCheck webpage. Typically we are using different certificates.

Bernardes
Advisor
Advisor
‎2023-01-05 06:12 AM
In response to Wolfgang
Jump to solution

@Wolfgang Thank you for all! You help me a lot!

the_rock
Legend
Legend
‎2023-01-05 06:14 AM
In response to Bernardes
Jump to solution

We are here to help...happy new year!!

0 Kudos
the_rock
Legend
Legend
‎2023-01-05 06:03 AM
In response to Bernardes
Jump to solution

Agree with @Wolfgang . Yes, you can use same cert, but its probably better practise to use different ones.

Timothy_Hall
Legend Legend
Legend
‎2023-01-03 07:26 PM
Jump to solution

Implied rules will always allow port 80 and 443 connections to the firewall itself via multiportal, even if there is no feature enabled to actually talk to and exploit.  If this is unacceptable you can do the following, but bear in mind this will break any kind of Remote Access VPN access:

1) Create an indefinite SAM rule from the SmartView Monitor or via the fw sam command blocking connections with a destination of the firewall's outside IP on ports 80 and 443

2) See sk165937: How to disable the connection to Security Gateway on TCP Port 80 and on TCP Port 443 to disable the implied rule completely

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
(1)
Bernardes
Advisor
Advisor
‎2023-01-04 05:34 AM
In response to Timothy_Hall
Jump to solution

@Timothy_Hall thank you very much for the tip!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events