Hello All,
I am facing detect messages in the logs with a certificate validation issue. After investigation we are not able to determine why the certificate validation is failing; the certificates are valid, the CA is trusted, etc. Checking SK159872, there is a command to do some debugging that might help, "fw ctl set int appi_urlf_ssl_certficate_validation_log_enabled 1", but this is not working on our gateways (R80.40); we get "set operation failed: failed to get parameter appi_urlf_ssl_certficate_validation_log_enabled".
Is there another way to get more information about why the certificates are being logged as "Untrusted Certificate"?
Many thanks,
Michael
Hello All,
Issue solved. The affected clients were not using a proxy and the site was not using the local Internet access. Both of these points may need to be addressed soon. The traffic was passing through the local network segmentation firewall and then through the perimeter firewall. Both firewalls were doing HTTPS inspection of this traffic. I forgot to mention that we had just replaced the certificate for the HTTPS inspection as the old one had expired. The local network segmentation security gateway was seeing the HTTPS traffic signed by the HTTPS inspection certificate of the perimeter security gateway. The local network segmentation gateway was not trusting HTTPS traffic signed by the HTTPS inspection certificate (which it was also using itself for HTTPS inspection). We made sure that the customer root CA and the customer intermediate CA used by the HTTPS inspection certificate were also trusted CAs. Neither of these solved the issue. We had to add the HTTPS inspection certificate itself as a trusted CA. After that the issue was solved.
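The trust relationship described in the post above, reproduced as an added example (it is not code from the thread or from Check Point). The program builds the same hierarchy with Go's standard x509 package: customer root CA, customer intermediate CA, the HTTPS inspection certificate (which is itself a CA, since the perimeter gateway uses it to sign the forged server certificate that everything behind it sees), and the forged leaf for a site. It then validates that leaf the way the inner segmentation gateway would, under three trusted-CA configurations. All names are constructed, and the first two scenarios assume the perimeter gateway presented only the forged leaf and not its chain; that assumption is what makes "root and intermediate trusted" fail while "inspection certificate trusted" succeeds. The third scenario goes beyond the thread and shows that, had the full chain been sent, trusting the root alone would have been enough.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// newCert issues a certificate for cn. With parent == nil it is self-signed
// (a root); otherwise it is signed by parentKey. CAs get BasicConstraints and
// the certSign key usage, leaves get a SAN and the serverAuth EKU.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyAsGateway does what the inner (segmentation) gateway does when it
// inspects a session: validate the certificate presented for the site against
// its own trusted-CA store, using whatever extra certificates arrived with the
// leaf as untrusted intermediates.
func verifyAsGateway(leaf *x509.Certificate, sentWithLeaf, trustedCAs []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range trustedCAs {
		roots.AddCert(c)
	}
	inter := x509.NewCertPool()
	for _, c := range sentWithLeaf {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the "no trusted parent found"
// failure, i.e. the verdict a gateway logs as an untrusted certificate.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// RunScenarios builds the hierarchy from the thread (constructed names) and
// validates the forged leaf under three trusted-CA configurations.
func RunScenarios() map[string]error {
	const site = "www.example.com" // constructed
	root, rootKey := newCert("Customer Root CA", true, nil, nil)
	inter, interKey := newCert("Customer Issuing CA", true, root, rootKey)
	// The HTTPS inspection certificate is a CA signed by the intermediate.
	inspCA, inspKey := newCert("Perimeter HTTPS Inspection CA", true, inter, interKey)
	forgedLeaf, _ := newCert(site, false, inspCA, inspKey)

	return map[string]error{
		// Leaf alone; root and intermediate trusted, but the inspection CA
		// that actually signed the leaf is known nowhere: untrusted.
		"leaf only, trust root+intermediate": verifyAsGateway(forgedLeaf, nil, []*x509.Certificate{root, inter}, site),
		// Same, with the inspection certificate in the trusted-CA list:
		// the chain terminates at it and validation succeeds.
		"leaf only, trust root+intermediate+inspection CA": verifyAsGateway(forgedLeaf, nil, []*x509.Certificate{root, inter, inspCA}, site),
		// Had the perimeter gateway sent the full chain, the root would do.
		"full chain sent, trust root only": verifyAsGateway(forgedLeaf, []*x509.Certificate{inspCA, inter}, []*x509.Certificate{root}, site),
	}
}

func main() {
	results := RunScenarios()
	names := make([]string, 0, len(results))
	for n := range results {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		if err := results[n]; err != nil {
			fmt.Printf("%-50s FAIL: %v\n", n, err)
		} else {
			fmt.Printf("%-50s OK\n", n)
		}
	}
}
```

Go's verifier builds the path from the issuer/subject names and key identifiers and stops at the first certificate found in the trusted pool, whether or not that certificate is self-signed, which is why adding the inspection CA alone is enough to turn the first failure into a pass. It does not reproduce the chain-ordering sensitivity mentioned later in the thread, because it accepts intermediates in any order.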
Let me see if I can do some tests in my lab with this... you are right about the kernel value, it's definitely wrong. I get the same error if I do it in R81.10 as well.
Andy
I've seen cases where, if the trust chain is not in the correct order, Check Point will not accept it as valid; ensure that the certificate is correctly crafted.
IPS/WSTLSD is sensitive to discrepancies that we might not notice when initially reviewing the certificate details.
If this does not yield answers and you need more information, a WSTLSD debug would be more aligned; the command you mentioned is not recommended.
If you don't see more information under "More - Description" I recommend raising a case with TAC to assist with gathering more info.
https://sc1.checkpoint.com/sc/SolutionsStatics/sk159872/expired_cert1909100631.PNG
Those are all good points, true.