This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Steve_Marouchoc
Explorer
‎2020-09-18 10:47 AM

R77.30 w/gaia using TLSv1 for LDAPS

Hello. 

The short:

I need LDAPS to use tlsv1.2 instead of tlsv1 in my R77.30 gateway clsuter.  Has anyone else had to manually change this?

The long:

 I have an R77.30 JHF 351 two node cluster that has LDAPS configured for Identity Awareness.   I have all the thumbprints, and have the encryption min and max set to "Strong."   In global properties, we have min/max version of TLSv1.2.  We have gone into GuiDBedit and change the "other" ssl min and max to tlsv1.2.

All this, and when the firewall makes an LDAP request of our active directory DC's, it uses TLSv1.   I have packet captures from the gateways showing that they are using tlsv1, and the AD logs basically say that the client has no compatible ciphers.

I have a TAC case open, but after several hours in a remote session yesterday, we were unable to figure out how to made LDAPS use TLSv1.2. 

Even stranger, I have another R77.30 jhf 345 solution, two clusters of two 23500's each running VSX.  All the VS's that are configured to use the same DC's for IA work fine.   The VSX management, however, also tries TLSv1 and fails. All other services are using TLSv1.2 successfully.  

TAC is currently comparing the cpinfo output from both solutions to see if they can find why the VS's are working and why VSX and straight up Gaia are not. 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-09-20 05:23 PM

Maybe @Royi_Priov knows but I don’t think there is anything specific requires to tell IDA to use TLS 1.2.
You might also compare hotfixes between the two systems.

That said R77.30 has been End of Support for a year now and you should really look at upgrading.

0 Kudos
Royi_Priov
Employee
Employee
‎2020-09-21 01:10 AM
In response to PhoneBoy

Hi,

It's in a layer "below" IDA 🙂

@Liel_Shaish , do you know?

Thanks,
Royi Priov
R&D Group manager, Infinity Identity
0 Kudos
Steve_Marouchoc
Explorer
‎2020-09-21 05:05 AM
In response to PhoneBoy

Thank you.  I am aware of the eos, but scheduling a window where all out backup products may be at risk for the transition has been more than a little difficult. And yes, TOC is comparing the cpinfo from both boxes to see if we can find why  the difference.  But I thought I'd ask the community to see if anyone else has had experience.  Thanks again!

0 Kudos
John_Fleming
Advisor
‎2020-09-21 11:29 AM

This may not be super helpful and maybe tac has already done this with you, but if it was me I would find the process that is making the tls call and figure out how to put it in debug mode. There should be something indicating what its doing any why. I always forget if its pep or pdp but my guess is its one of those making the tls call.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-09-21 12:28 PM
In response to John_Fleming

pdp is responsible for doing the LDAP lookups.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events