Solved

Checkpoint Firewall SSL cert not working

Posted on 2014-04-21
1,252 Views
Last Modified: 2014-09-05
I installed an SSL cert from DigiCert on my Checkpoint Firewall running R77 GAIA.  Everything seems to have gone well, but my clients still use the built-in cert when they connect using the SSL Network Extender.  Is there something that I need to do via the command line to get this cert "active"?

Thanks
Question by:Relay700
8 Comments
 
LVL 63

Expert Comment

by:btan
ID: 40014653
You need to push it down to the client as well; please see below the DigiCert sharing on "Push this policy to devices and clients" in SmartCenter.
http://www.digicert.com/ssl-certificate-installation-checkpoint.htm

Likewise, though the Checkpoint PDF is using an MS CA for the SSL n/w extender, it is useful to check out the steps for installing the user cert and the use of the browser to validate the choice of user cert installed. Primarily, the new user cert must reside in the user's personal cert store (else the browser will not find it).
http://dl3.checkpoint.com/paid/24/How_to_Connect_with_SSL_Network_Extender_using_a_Certificate.pdf?HashKey=1398174943_aa2ece62b3f2aa349d1cda26ef7f7f87&xtn=.pdf

Just to make sure as well (which I assume you have already validated), there are limitations on the browser and OS end:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65210

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65669
 
LVL 16

Expert Comment

by:gurutc
ID: 40014795
One thing you can do is to remove the old cert from the clients.  

- gurutc
 

Author Comment

by:Relay700
ID: 40015957
@breadtan - all set with all of that except the dl3.checkpoint download says I am not authorized.  I am logged into my user center.  All the other steps checked out.

@gurutc - When I look at my certificates, I do not see one issued by my firewall.  When I view the cert in my browser it says it was issued by firewall.domain.com but there are no certs in my browser that came from that.
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40016484
Saw the new R77.1 release's resolution of bugs; better to get the latest version and republish:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97620&js_peid=P-114a7ba5fd7-10001&partition=General&product=All%22

In a heavy-load cluster environment, Remote Access VPN Clients that are authenticated by LDAP are not able to connect due to VPN certificate validation errors.

With a certificate signed by a sub-CA, object settings are ignored in a Site-To-Site VPN with a 3rd party peer.

"Bad certificate chain in the response" error when trying to validate a 3rd party certificate with a critical extension of CertificatePolicies in a chain.

Past Advisory -

> SNX access with CA authentication fails
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33319&js_peid=P-114a7ba5fd7-10001&partition=Advanced&product=Security

> Authentication with an internal certificate fails with Error occurred - User does not support public key authentication.
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk86621&js_peid=P-114a7ba5fd7-10001&partition=Advanced&product=Check
 
LVL 63

Expert Comment

by:btan
ID: 40016495
This how-to also comes in handy.

How To Troubleshoot VPN Issues with Endpoint Connect (see whether any of the error messages match)
http://dl3.checkpoint.com/paid/24/How-To-Troubleshoot-VPN-issues-with-Endpoint-Connect.pdf?HashKey=1398222968_9eaafcf8f18b59cdcc4023531bbc5edd&xtn=.pdf
 

Author Comment

by:Relay700
ID: 40037109
No luck.  Still using self-signed cert.  I read somewhere a while back that you needed to issue a command through command line but I can't seem to find anything on it.
 
LVL 63

Expert Comment

by:btan
ID: 40037135
There is a list, with specific interest in "snx -c <certificate file>".
ref - https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/14702.htm

snx -f <configuration file>
Run SSL Network Extender using parameters defined in a configuration file other than the default name or location.

snx -d
Disconnect from Mobile Access

snx -s <server>
Specify server IP or hostname

snx -u <username>
Specify a valid user

snx -c <certificate file>
Specify which certificate is used to authenticate.

snx -l <CA directory>
Define the directory where CA's certificates are stored.

snx -p <port>
Change the HTTPS port. (default port is TCP 443).

snx -g
Enable debugging. snx.elg log file is created.

snx -e <cipher>
Force a specific encryption algorithm. Valid values - RC4 and 3DES.

Also, it is possible to predefine SSL Network Extender attributes by using a configuration file (.snxrc) located in the user's home directory. When the SSL Network Extender command is executed, the attributes stored in the file are used by the SSL Network Extender command. To run a file with a different name, execute the command snx -f <filename>.

server
Specify server IP or hostname

sslport
Change the HTTPS port. (default port is TCP 443).

username
Specify a valid user

certificate
Specify which certificate is used to authenticate

calist
Define the directory where CA's certificates are stored.

reauth
Enable reauthentication. Valid values -{yes, no}

debug
Enable debugging. snx.elg log file is created. Valid values {yes, no}. To activate debugging when running java, create a .snxrc file with the line debug yes in the home directory.

cipher
Force a specific encryption algorithm. Valid values: RC4 and 3DES

proxy_name
Define a Proxy hostname

proxy_port
Define a proxy port

proxy_user
Define a proxy user

proxy_pass
Define a password for proxy authentication
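As an added example (not from this thread or from Check Point), here is a small shell helper that validates a .snxrc file against the keys and allowed values listed above and prints the equivalent snx command-line flags, so a mistyped cipher, port or key is caught before the client is run. The sample .snxrc it builds is constructed (hostname, user and paths are made up), and snx itself is never invoked.

```shell
#!/bin/sh
# Added example, not Check Point's code: validate a .snxrc file and map its
# keys to the snx flags from the list above. Only the keys, flags and values
# given in that list are known; snx itself is never executed here.
# Usage: snxrc_to_args ~/.snxrc   -> prints e.g. "-s vpn.example.com -u alice"

snxrc_to_args() {
  awk '
    function bad(msg) { printf("line %d: %s\n", NR, msg) > "/dev/stderr"; errs++ }
    /^[[:space:]]*$/ || $1 ~ /^#/ { next }      # skip blank lines and comments
    {
      key = $1; val = $2                        # "key value" (values have no spaces)
      if (val == "") { bad(key " needs a value"); next }
      if      (key == "server")      flag = "-s"
      else if (key == "username")    flag = "-u"
      else if (key == "certificate") flag = "-c"
      else if (key == "calist")      flag = "-l"
      else if (key == "sslport") {
        if (val !~ /^[0-9]+$/ || val < 1 || val > 65535) bad("sslport must be 1-65535")
        flag = "-p"
      }
      else if (key == "cipher") {
        if (val != "RC4" && val != "3DES") bad("cipher must be RC4 or 3DES")
        flag = "-e"
      }
      else if (key == "debug") {                # snx -g takes no value
        if (val != "yes" && val != "no") bad("debug must be yes or no")
        if (val == "yes") out = out " -g"
        next
      }
      else if (key == "reauth") {               # .snxrc-only key, no flag listed
        if (val != "yes" && val != "no") bad("reauth must be yes or no")
        next
      }
      else if (key ~ /^proxy_(name|port|user|pass)$/) next   # .snxrc-only keys
      else { bad("unknown key " key); next }
      out = out " " flag " " val
    }
    END { if (errs) exit 1; print substr(out, 2) }
  ' "$1"
}

# Stand-alone demo on a constructed .snxrc (hostname, user and path are made up).
demo_snxrc=$(mktemp)
printf 'server vpn.example.com\nsslport 443\nusername alice\n' > "$demo_snxrc"
printf 'certificate /home/alice/alice.p12\ncipher 3DES\ndebug yes\nreauth no\n' >> "$demo_snxrc"
snxrc_to_args "$demo_snxrc"
rm -f "$demo_snxrc"
```

The helper exits non-zero and prints each offending line to stderr when a value is outside what the list above allows, and prints nothing on stdout in that case.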
 

Author Closing Comment

by:Relay700
ID: 40305730
After upgrading, I was able to get the 3rd party cert working.