Hi All,
I need suggestions on closing an open vulnerability point in a Qualys scan for a Check Point R81.10 cluster. I would like to know if anyone else has come across this and how to fix it.
I have followed the article SK97648. The Gaia portal is set to custom port 4434. When I access the Gaia portal on port 4434 it shows the correct certificate signed by our internal CA. However, when I access the firewall just using HTTPS it shows the self-signed certificate. Qualys is scanning on port 443 and then detects this self-signed certificate.
For this, I imported the signed certificate bundle in .p12 format on the Platform portal page. After this, the SSL scan for one cluster member is cleared, but for the other member we get a "CN does not match" error even though the cluster member IP and hostname are part of the certificate's SAN field.
1] Is there a way to force even the plain HTTPS connection to the firewall to use the third-party certificate when the Gaia Portal is set to a custom port?
2] After importing the .p12 certificate to the portal, is Qualys not correctly detecting the SAN field and just checking the CN?
3] Is there a workaround for this?
Details below:
Qualys QID: 38170 - SSL Certificate - Subject Common Name Does Not Match Server FQDN
Scan Result:
Certificate 0 CN=10.222.1.126,OU=BiTS,O=Acme,C=IN (KODC-CP-HA) doesn't resolve
(INKDC-CP-PRI) doesn't resolve
(INKDC-CP-SEC) doesn't resolve
(10.222.1.126) and IP (10.222.1.127) don't match
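As an added example that is not part of the original post and not Check Point or Qualys code, the script below implements the RFC 6125 rule a client or scanner is supposed to apply to question 2: when a certificate carries a subjectAltName extension, the Common Name is ignored and only the SAN DNS and IP Address entries are matched against the name or IP the connection was made to. It runs offline against a constructed certificate dictionary in the shape returned by `ssl.SSLSocket.getpeercert()`, populated with the CN, hostnames and IPs quoted in the scan result above (the SAN contents are an assumption about what the imported .p12 bundle holds), and contrasts that with a naive CN-only comparison. The `fetch_peer_cert` helper, its default port and the `internal-ca.pem` path are assumptions for pulling the live certificate from the port the scanner actually hits.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# CN and names mirror the scan result quoted in the post; the SAN list is an
# assumption about what the imported .p12 bundle contains.
SAMPLE_CERT = {
    "subject": (
        (("commonName", "10.222.1.126"),),
        (("organizationalUnitName", "BiTS"),),
        (("organizationName", "Acme"),),
        (("countryName", "IN"),),
    ),
    "subjectAltName": (
        ("DNS", "KODC-CP-HA"),
        ("DNS", "INKDC-CP-PRI"),
        ("DNS", "INKDC-CP-SEC"),
        ("IP Address", "10.222.1.126"),
        ("IP Address", "10.222.1.127"),
    ),
}

# Constructed legacy certificate with no SAN extension at all: the only case in
# which a checker may fall back to the Common Name.
LEGACY_CERT = {"subject": ((("commonName", "INKDC-CP-PRI"),),)}


def common_name(cert):
    """Extract the CN from a getpeercert()-style subject, or None if absent."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_name_matches(pattern, hostname):
    """Case-insensitive DNS-ID match; '*' may only stand for the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                          # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost   # exactly one label


def cn_only_check(cert, reference):
    """What a naive checker does: compare the reference only against the CN."""
    cn = common_name(cert)
    return cn is not None and cn.lower() == reference.lower()


def matches_reference_identity(cert, reference):
    """RFC 6125-style check. Returns (matched, reason).

    `reference` is the hostname or IP literal that was connected to. When the
    certificate has a subjectAltName, only SAN entries count and CN is ignored.
    """
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None

    san = cert.get("subjectAltName", ())
    if san:
        for kind, value in san:
            if kind == "IP Address" and ref_ip is not None:
                try:
                    if ipaddress.ip_address(value) == ref_ip:
                        return True, f"SAN IP Address {value}"
                except ValueError:
                    continue
            elif kind == "DNS" and ref_ip is None and dns_name_matches(value, reference):
                return True, f"SAN DNS {value}"
        return False, "no subjectAltName entry matches (CN ignored because SAN is present)"

    # Legacy fallback: no SAN extension, so the CN is the only identity available.
    cn = common_name(cert)
    if cn is not None and ref_ip is None and dns_name_matches(cn, reference):
        return True, f"CN {cn} (no SAN present)"
    if cn is not None and ref_ip is not None:
        try:
            if ipaddress.ip_address(cn) == ref_ip:
                return True, f"CN {cn} (no SAN present)"
        except ValueError:
            pass
    return False, "no SAN and CN does not match"


def fetch_peer_cert(host, port=443, cafile="internal-ca.pem"):
    """Retrieve the live certificate as a getpeercert() dict (assumed port and CA path).

    check_hostname is turned off only so the identity decision is made by
    matches_reference_identity(); the chain is still verified against the CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for ref in ("10.222.1.126", "10.222.1.127", "inkdc-cp-sec", "other.example"):
        print(f"{ref:16} CN-only: {cn_only_check(SAMPLE_CERT, ref)!s:5} "
              f"SAN-aware: {matches_reference_identity(SAMPLE_CERT, ref)}")
```

Run the `__main__` block to see the two checks disagree exactly in the case the scan reports: a CN-only comparison of 10.222.1.127 against CN=10.222.1.126 fails, while the SAN-aware check passes on the IP Address entry. Pointing `fetch_peer_cert` at each member on both 443 and 4434 then shows which certificate (and which SAN list) each port really serves, which is the first thing to confirm before treating the finding as a scanner misread.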