LDAP fingerprint not trusted-checkpoint-all

LDAP fingerprint not trusted-checkpoint-all

LDAP fingerprint not trusted-checkpoint-all

Vendor: checkpoint

OS: all

Alerts when the Active Directory SSL fingerprint does not match the one stored in Check Point. When the fingerprints do not match, the Check Point gateway will loose connection with the domain controller and cannot fetch data such as “Identity Awareness”.

Remediation Steps:
To update the fingerprint:
|1. Open SmartDashboard.
|2. Open the relevant LDAP account object.
|3. Go to the “Servers” tab.
|4. For each host in the list, click “Edit” and go to the “Encryption” tab. Then click “Fetch”.
|5. Save and push policy.


name: chkp-ldap-fingerprint-check
description: Check if the stored LDAP fingerprint is the same as the actual one for
    Identity Awareness
type: monitoring
monitoring_interval: 10 minutes
    vendor: checkpoint
    role-firewall: 'true'
      why: |
        To check the md5 sum of the Active Directory LDAP SSL certificate in DER format "fingerprint" is same as
        stored "fingerprint"
      how: |
        By by parsing the C files in Checkpoint and following the multistep process of following processes:
        1. For each AD account unit, get the fingerprint as well as which object is used for address
        2. Get the IP of each object used
        3. Connect to AD server to get fingerprint
        4. Compare stored fingerprint with actual one.

      can-with-snmp: false
      can-with-syslog: false
   -  run:
          type: SSH
          command: nice -n 15 cat $FWDIR/conf/objects.C
          type: AWK
          file: ldap-fingerprint-check.parser.1.awk
   -  run:
          type: SSH
          file: ldap-fingerprint-check.remote.2.bash
          type: AWK
          file: ldap-fingerprint-check.parser.2.awk


Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/checkpoint/CheckPointLDAPFingerprintNotTrusted.scala