Certificate authority not accessible-checkpoint-all

Knowledge
, , ,
#1

Certificate authority not accessible-checkpoint-all

Vendor: checkpoint

OS: all

Description:
If the certificate authority is not accessible to a firewall, VPN tunnels relying on certificates may fail.

Remediation Steps:
Identify why the device cannot initiate a connection with the listed servers.

How does this work?
By checking the current connections on port 257 and then attempting to connect to the same IP on port 18264 the connection is verified.

Why is this important?
Devices that maintain VPN tunnels might authenticate using certificates, especially if both devices on either end of the tunnel are managed by the same management server. They would then need to connect to the management server to exchange certificates. If this communication is not working VPN tunnels could fail.

Without Indeni how would you find this?
An administrator could login and manually run the command.

chkp-tcp-test-18264

name: chkp-tcp-test-18264
description: Test connectivity to management server over the CA port 18264.
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: checkpoint
    os.name:
        neq: gaia-embedded
    role-firewall: true
comments:
    ca-status:
        why: |
            Devices that maintain VPN tunnels might authenticate using certificates, especially if both devices on either
            end of the tunnel are managed by the same management server. They would then need to connect to the
            management server to exchange certificates. If this communication is not working VPN tunnels could fail.
        how: |
            By checking the current connections on port 18192 and then attempting to connect to the same IP on
            port 18264 the connection is verified.
        can-with-snmp: false
        can-with-syslog: false

    ca-accessible:
        why: |
            Devices that maintain VPN tunnels might authenticate using certificates, especially if both devices on either
            end of the tunnel are managed by the same management server. They would then need to connect to the management
            server to exchange certificates. If this communication is not working VPN tunnels could fail.
        how: |
            By checking the current connections on port 18192 and then attempting to connect to the same IP on port 18264 the connection is verified.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        file: tcp-test-18264.remote.1.bash
    parse:
        type: AWK
        file: tcp-test-18264.parser.1.awk

check_point_ca_not_accessible

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/checkpoint/check_point_ca_not_accessible.scala