Certificate authority not accessible-checkpoint-False


Vendor: checkpoint

OS: False

Description:
If the certificate authority is not accessible to a firewall, VPN tunnels relying on certificates may fail.

Remediation Steps:
Identify why the device cannot initiate a connection with the listed servers.

How does this work?
The check reads the current connections on port 257 and then attempts a TCP connection to the same IP on port 18264; if that connection succeeds, the certificate authority is considered reachable.

Why is this important?
Devices that maintain VPN tunnels might authenticate using certificates, especially if both devices on either end of the tunnel are managed by the same management server. They would then need to connect to the management server to exchange certificates. If this communication is not working VPN tunnels could fail.

Without Indeni how would you find this?
An administrator could log in and manually run the command.

chkp-tcp-test-18264

#! META
name: chkp-tcp-test-18264
description: Test connectivity to management server over the CA port 18264.
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: checkpoint
    linux-based: true
    role-firewall: true

#! COMMENTS
ca-accessible:
    why: |
        Devices that maintain VPN tunnels might authenticate using certificates, especially if both devices on either end of the tunnel are managed by the same management server. They would then need to connect to the management server to exchange certificates. If this communication is not working VPN tunnels could fail.
    how: |
        By checking the current connections on port 257 and then attempting to connect to the same IP on port 18264 the connection is verified.
    without-indeni: |
        An administrator could log in and manually run the command.
    can-with-snmp: false
    can-with-syslog: false
    vendor-provided-management: |
        The user must test connectivity manually to identify this issue.

#! REMOTE::SSH
${nice-path} -n 15 netstat -an | awk '{if ($NF == "ESTABLISHED" && match($(NF-2), ".*:18192$")) {split($(NF-1),splitArr,":"); print splitArr[1]}}' | uniq | while read ip ; do echo "echo > /dev/tcp/$ip/18264 && echo $ip OK" ; done | (while read cmd; do eval $cmd& sleep 0.1; CMD_PIDS="$CMD_PIDS $!" ; done ; sleep 20 ; kill $CMD_PIDS 2>/dev/null; )

#! PARSER::AWK

#10.3.3.75 OK
/ OK$/ {
	ip = $1
	caArr[ip] = 1
}

#-bash: /dev/tcp/10.3.3.75/18264: Connection refused
/tcp.*Connection refused/ {
	ip = $0

	#-bash: /dev/tcp/10.3.3.75/18264: Connection refused
	sub(/.*tcp\//, "", ip)

	#10.3.3.75/18264: Connection refused
	sub(/\/.*/, "", ip)

	#ignore 127.0.0.1 and 0.0.0.0
	if (length(ip) == 0 || ip == "127.0.0.1" || ip == "0.0.0.0") {
		next
	}

	caArr[ip] = 0
}

END {
	for (ip in caArr) {
		caTags["name"] = ip
		writeDoubleMetricWithLiveConfig("ca-accessible", caTags, "gauge", "3600", caArr[ip], "Certificate Authorities Accessible", "state", "name")
	}
}

check_point_ca_not_accessible

package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.ruleengine.expressions.conditions.{Contains, EndsWithRepetition}
import com.indeni.ruleengine.expressions.core.ConstantExpression
import com.indeni.ruleengine.expressions.data.TimeSeriesExpression
import com.indeni.ruleengine.utility.LastNNonEmptyValues
import com.indeni.server.rules.RuleContext
import com.indeni.apidata.time.TimeSpan
import com.indeni.server.rules.library.templates.StateDownTemplateRule

/**
  * Alerts when the "ca-accessible" metric written by chkp-tcp-test-18264 reports
  * the down state (connect to port 18264 refused) for a certificate authority in
  * any of the last `historyLength` non-empty samples.
  */
case class check_point_ca_not_accessible() extends StateDownTemplateRule(
  ruleName = "check_point_ca_not_accessible",
  ruleFriendlyName = "Check Point Firewalls: Certificate authority not accessible",
  ruleDescription = "If the certificate authority is not accessible to a firewall, VPN tunnels relying on certificates may fail.",
  metricName = "ca-accessible",
  applicableMetricTag = "name",
  alertItemsHeader = "Unreachable Certificate Authorities",
  alertDescription = "Some of the certificate authority servers which this device considers to be those to be used during authentication (for example - for VPN) are not accessible. The CA servers for which an issue has been found are listed below. If the connectivity issue remains for more than a few hours, some VPN tunnels may fail.\n\nThis alert was added per the request of Mart Khizner (Leumi Card).",
  baseRemediationText = "Identify why the device cannot initiate a connection with the listed servers.",
  historyLength = 3,
  generateStateDownCondition = (historyLength, tsToTestAgainst, stateToLookFor) =>
    Contains(LastNNonEmptyValues(tsToTestAgainst, historyLength), stateToLookFor)
)()
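The alert condition in the rule above, Contains(LastNNonEmptyValues(tsToTestAgainst, historyLength), stateToLookFor), as an added example in plain Python rather than Indeni's rule-engine expressions: it assumes LastNNonEmptyValues yields the newest historyLength samples that carry a value (gaps skipped) and that the down state is 0, the value the parser writes on "Connection refused". The metric histories are constructed.

```python
"""Added example, not Indeni's rule engine: the check_point_ca_not_accessible
alert condition over a per-CA history of the ca-accessible metric.
Assumes LastNNonEmptyValues = newest N samples that have a value, and that
the state the template looks for is 0.  Sample histories are constructed."""
from typing import Dict, List, Optional

STATE_DOWN = 0          # what the awk parser writes on "Connection refused"
HISTORY_LENGTH = 3      # historyLength in the rule; 3 samples at 60 min each


def last_n_non_empty(series: List[Optional[float]], n: int) -> List[float]:
    """Series is oldest-first; None marks an interval in which the parser wrote
    no value (probe timed out or printed nothing).  Gaps are skipped, not
    counted, so the window can span more than n intervals of wall-clock time."""
    values = [v for v in series if v is not None]
    return values[-n:]


def state_down(series: List[Optional[float]], history_length: int = HISTORY_LENGTH,
               state: float = STATE_DOWN) -> bool:
    """Contains(LastNNonEmptyValues(series, history_length), state)."""
    return state in last_n_non_empty(series, history_length)


def evaluate(histories: Dict[str, List[Optional[float]]]) -> List[str]:
    """The CA addresses (metric tag 'name') that would be listed under
    'Unreachable Certificate Authorities'."""
    return sorted(ip for ip, series in histories.items() if state_down(series))


# Constructed histories, oldest sample first.
SAMPLE_HISTORIES: Dict[str, List[Optional[float]]] = {
    "10.3.3.75": [1, 1, 1, 1],             # healthy
    "10.3.3.76": [1, 1, 0, 1],             # one refusal inside the window -> alert
    "10.3.3.77": [0, 0, 1, 1, 1],          # refusals aged out of the window
    "10.3.3.78": [0, None, None, None],    # gaps do not clear the last real value
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_HISTORIES))
```

Two consequences of the condition are visible in the sample histories: a single refused connect anywhere in the last three non-empty samples raises the alert, and intervals with no sample (a probe that produced no parseable line) neither clear nor extend the window, so a CA whose last real value was 0 stays in the alert list until a probe succeeds.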