"Not a valid FQDN or IP address" when changing FQDN of SAML portal
Hi,
In gateway settings -> Remote Access clients -> SAML Portal, when I change the SAML portal URL from https://workingdomain.co.nz/saml-vpn to https://not-workingdomain.com/saml-vpn I get the error "not a valid FQDN or IP address" even though workingdomain.co.nz and not-workingdomain.com both point to the same IP address.
1. what is doing the domain lookup for this, is it the gateway?
2. other than forward lookup fqdn -> ip address, what other "validity" checks are being performed before returning the error?
Cheers,
Andrew
Accepted Solutions
Hi, thanks for the help. Unfortunately the actual domains are a bit sensitive, so I can't post a screenshot. Sorry for the delayed reply. I did raise a TAC case and it turns out that there need to be two "."s in the FQDN.
Won't work (will trigger the error not a valid FQDN):
not-workingdomain.com (only one .)
anything.com (only one .)
Will work:
workingdomain.co.nz (two .) <- this one is misleading, for this case, but it works!
vpn.not-workingdomain.com (two .)
The hint is on page 41 of the Identity Awareness admin guide where it says it has to be "ID.mycompany.com".
Cheers,
Andrew
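To make the TAC finding above concrete, here is an added example (my own reconstruction, not Check Point's validation code) of a checker that accepts an IP address or a hostname with at least two dots and RFC 1123 labels; the two-dot minimum and the label rule are assumptions modelled on the behaviour reported in the thread.

```python
import ipaddress
import re
from typing import Tuple
from urllib.parse import urlsplit

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_fqdn_or_ip(value: str, min_dots: int = 2) -> bool:
    """True if value is an IP address, or a hostname with >= min_dots dots and valid labels.

    min_dots=2 is an assumption reproducing the thread's observation:
    'anything.com' is rejected, 'vpn.anything.com' and 'workingdomain.co.nz' pass.
    """
    try:
        ipaddress.ip_address(value)   # accepts IPv4 or IPv6 literals
        return True
    except ValueError:
        pass
    host = value.rstrip(".")          # tolerate a trailing root dot
    if not host or len(host) > 253:   # RFC 1035 total length limit
        return False
    labels = host.split(".")
    if len(labels) - 1 < min_dots:    # the "needs two dots" rule from the TAC case
        return False
    return all(LABEL_RE.match(label) for label in labels)  # empty labels also fail here


def check_saml_portal_url(url: str) -> Tuple[bool, str]:
    """Pull the host out of an https://host/path portal URL and explain any rejection."""
    host = urlsplit(url).hostname or ""
    if not is_valid_fqdn_or_ip(host):
        return False, f"'{host}' is not a valid FQDN or IP address (needs at least two dots)"
    return True, "ok"
```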
I believe for 1) it is the gateway, and for 2) I don't know for sure what other checks are done, but here is what I do know. If I look up my portal on that gateway tab, it shows the following -> https://172.16.10.205/saml-vpn
That would be by default, as my main gateway IP is set as 172.16.10.205 and the rest is always there.
Can you show how yours is set? I would think as long as fqdn resolves to the same IP, there would be no reason for that error.
Hi,
Thanks. In my case the gateway's external interface is private RFC 1918, NAT-ed behind a public IP (by a separate firewall).
Both workingdomain.co.nz and not-workingdomain.com (which are "made up" public domains) resolve (using Google DNS 8.8.8.8) to the same public IP address, which is then static-NAT-ed to the external address of the gateway.
Both the gateway and the manager are configured to use Google DNS and can successfully resolve both workingdomain.co.nz and not-workingdomain.com to the correct (same, public) IP address.
I am wondering what else it checks.
Cheers,
Andrew
As phoneboy said, SAML FQDNs must be resolvable by the client for this to work; otherwise it will not work. My colleague and I did this with a 3rd-party identity provider in our lab and it worked like a charm. The key is really the name being resolvable.
Can you provide a screenshot of the error message in question?
In any case, I recommend opening a TAC case on this if you haven’t already.
For SAML to work properly, the DNS names for the SAML portal must be resolvable by your clients.
This generally means the DNS name needs to be globally resolvable.
In this case, I believe the management is doing the name resolution check.
I wonder if .example.com might work?
