Sarvem
Explorer

Qualys Scan of Gaia Portal Certificate for R81.10 Cluster

Hi All,

I need suggestions on closing an open vulnerability point in a Qualys scan for a Check Point R81.10 cluster. I would like to know if anyone else has come across this and how to fix it.

I have followed the article SK97648. The Gaia portal is set to custom port 4434. When I access the Gaia portal on port 4434, it shows the correct certificate signed by our internal CA. However, when I access the firewall just using HTTPS, it shows the self-signed certificate. Qualys is scanning on port 443 and then detects this self-signed certificate.

For this, I imported the signed certificate bundle in .p12 format to the Platform portal page. Post this, the SSL scan for one cluster member is cleared, but for the other member we get a "CN does not match" error even though the cluster member IP and hostname are part of the certificate's SAN field.

1] Is there a way to force even the HTTPS connection to the firewall to use the third-party certificate when the Gaia Portal is set to a custom port?

2] After importing the .p12 certificate to the portal, is Qualys not correctly detecting the SAN field and just checking the CN?

3] Is there a workaround for this?

Details below:

Qualys QID: 38170 - SSL Certificate - Subject Common Name Does Not Match Server FQDN

Scan Result:

Certificate 0 CN=10.222.1.126,OU=BiTS,O=Acme,C=IN (KODC-CP-HA) doesn't resolve
(INKDC-CP-PRI) doesn't resolve
(INKDC-CP-SEC) doesn't resolve
(10.222.1.126) and IP (10.222.1.127) don't match


Accepted Solutions
PhoneBoy
Admin

Because you've changed the Gaia portal to a different port, you cannot update the Gaia portal certificate by using SmartConsole.
That along with the alternate procedure for changing the certificate is documented here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
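
As an added example (not part of the original thread and not Check Point or Qualys code), the sketch below shows how a strict TLS client decides whether a certificate covers a scan target: host names are compared with dNSName SAN entries, IP addresses only with iPAddress SAN entries, and a CN-only hit is reported separately. The names and addresses are taken from the scan result above; the SAN layout of both sample certificates is an assumption, and the thread does not say which rules Qualys applies.

```python
import ipaddress

# Constructed certificates in the dict layout of ssl.SSLSocket.getpeercert().
# Names and addresses come from the thread; the SAN layout is an assumption.
SUBJECT = ((("commonName", "10.222.1.126"),),)
NAMES = ("KODC-CP-HA", "INKDC-CP-PRI", "INKDC-CP-SEC")
ADDRS = ("10.222.1.126", "10.222.1.127")
CERT_IP_AS_DNS = {"subject": SUBJECT, "subjectAltName": tuple(
    ("DNS", v) for v in NAMES + ADDRS)}
CERT_IP_TYPED = {"subject": SUBJECT, "subjectAltName": tuple(
    [("DNS", v) for v in NAMES] + [("IP Address", v) for v in ADDRS])}


def names_in_cert(cert):
    """Split a certificate dict into CN values, dNSName SANs and iPAddress SANs."""
    cn = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
          if k == "commonName"]
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    return cn, dns, ips


def dns_match(pattern, host):
    """Exact label match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.split("."), host.split(".")
    wild = p[0] == "*" and len(p) > 2
    return len(p) == len(h) and (wild or p[0] == h[0]) and p[1:] == h[1:]


def check_target(cert, target):
    """Return (verdict, reason) for one scan target: a host name or an IP."""
    cn, dns, ips = names_in_cert(cert)
    target = target.lower()
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        if any(dns_match(p, target) for p in dns):
            return "match", "dNSName SAN"
        if any(dns_match(c, target) for c in cn):
            return "cn-only", "name appears only in CN"
        return "mismatch", "name not in certificate"
    if addr in ips:
        return "match", "iPAddress SAN"
    if target in dns:
        return "mismatch", "IP stored as a dNSName SAN"
    if target in cn:
        return "cn-only", "IP appears only in CN"
    return "mismatch", "IP not in certificate"
```

The same function accepts the dictionary returned by `getpeercert()` on a verified connection, so it can be run once per cluster member and per port to see which listener presents a certificate that covers the address being scanned.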
