Certificate authority not accessible-checkpoint-all

Certificate authority not accessible-checkpoint-all
0

Certificate authority not accessible-checkpoint-all

Vendor: checkpoint

OS: all

Description:
If the certificate authority is not accessible to a firewall, VPN tunnels relying on certificates may fail.

Remediation Steps:
Identify why the device cannot initiate a connection with the listed servers.

How does this work?
By checking the current connections on port 257 and then attempting to connect to the same IP on port 18264 the connection is verified.

Why is this important?
Devices that maintain VPN tunnels might authenticate using certificates, especially if both devices on either end of the tunnel are managed by the same management server. They would then need to connect to the management server to exchange certificates. If this communication is not working VPN tunnels could fail.

Without Indeni how would you find this?
An administrator could login and manually run the command.

chkp-tcp-test-18264

name: chkp-tcp-test-18264
description: Test connectivity to management server over the CA port 18264.
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: checkpoint
    linux-based: true
    role-firewall: true
comments:
    ca-accessible:
        why: |
            Devices that maintain VPN tunnels might authenticate using certificates, especially if both devices on either end of the tunnel are managed by the same management server. They would then need to connect to the management server to exchange certificates. If this communication is not working VPN tunnels could fail.
        how: |
            By checking the current connections on port 257 and then attempting to connect to the same IP on port 18264 the connection is verified.
        without-indeni: |
            An administrator could login and manually run the command.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: The user must test connectivity manually to identify
            this issue.
steps:
-   run:
        type: SSH
        file: tcp-test-18264.remote.1.bash
    parse:
        type: AWK
        file: tcp-test-18264.parser.1.awk

check_point_ca_not_accessible

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.ruleengine.expressions.conditions.{Contains, EndsWithRepetition}
import com.indeni.ruleengine.expressions.core.ConstantExpression
import com.indeni.ruleengine.expressions.data.TimeSeriesExpression
import com.indeni.ruleengine.utility.LastNNonEmptyValues
import com.indeni.server.rules.RuleContext
import com.indeni.apidata.time.TimeSpan
import com.indeni.server.rules.library.templates.StateDownTemplateRule

/**
  *
  */
case class check_point_ca_not_accessible() extends StateDownTemplateRule(
  ruleName = "check_point_ca_not_accessible",
  ruleFriendlyName = "Check Point Firewalls: Certificate authority not accessible",
  ruleDescription = "If the certificate authority is not accessible to a firewall, VPN tunnels relying on certificates may fail.",
  metricName = "ca-accessible",
  applicableMetricTag = "name",
  alertItemsHeader = "Unreachable Certificate Authorities",
  alertDescription = "Some of the certificate authority servers which this device considers to be those to be used during authentication (for example - for VPN) are not accessible. The CA servers for which an issue has been found are listed below. If the connectivity issue remains for more than a few hours, some VPN tunnels may fail.\n\nThis alert was added per the request of Mart Khizner (Leumi Card).",
  baseRemediationText = "Identify why the device cannot initiate a connection with the listed servers.",
  historyLength = 3,
  generateStateDownCondition = (historyLength, tsToTestAgainst, stateToLookFor) =>
    Contains(LastNNonEmptyValues(tsToTestAgainst, historyLength), stateToLookFor)
)()