LDAP fingerprint not trusted-checkpoint-all
Vendor: checkpoint
OS: all
Description:
Alerts when the Active Directory SSL fingerprint does not match the one stored in Check Point. When the fingerprints do not match, the Check Point gateway will lose its connection to the domain controller and will not be able to fetch data such as “Identity Awareness”.
Remediation Steps:
To update the fingerprint:
1. Open SmartDashboard.
2. Open the relevant LDAP account object.
3. Go to the “Servers” tab.
4. For each host in the list, click “Edit” and go to the “Encryption” tab. Then click “Fetch”.
5. Save and push policy.
chkp-ldap-fingerprint-check

name: chkp-ldap-fingerprint-check
description: Check if the stored LDAP fingerprint is the same as the actual one for
  Identity Awareness
type: monitoring
monitoring_interval: 10 minutes
requires:
  vendor: checkpoint
  role-firewall: 'true'
comments:
  ldap-integration-fingerprint-matched:
    why: |
      To check that the MD5 sum of the Active Directory LDAP SSL certificate in DER format (the "fingerprint")
      is the same as the stored "fingerprint"
    how: |
      By parsing the C files in Check Point and following this multistep process:
      1. For each AD account unit, get the fingerprint as well as which object is used for its address
      2. Get the IP of each object used
      3. Connect to the AD server to get the fingerprint
      4. Compare the stored fingerprint with the actual one.
    can-with-snmp: false
    can-with-syslog: false
steps:
-   run:
      type: SSH
      command: nice -n 15 cat $FWDIR/conf/objects.C
    parse:
      type: AWK
      file: ldap-fingerprint-check.parser.1.awk
-   run:
      type: SSH
      file: ldap-fingerprint-check.remote.2.bash
    parse:
      type: AWK
      file: ldap-fingerprint-check.parser.2.awk
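Steps 3 and 4 of the "how" section above (connect to the AD server, take the MD5 of its DER-encoded certificate, compare with the stored value) can be reproduced outside the gateway. The following is an added example, not Indeni's parser or remote script and not Check Point code: it assumes the domain controller speaks LDAPS on port 636, that the stored fingerprint is a hex MD5 digest (with or without colon separators, any case), and that the list of account units with their stored fingerprints has already been extracted from objects.C by some other means. The constructed sample data in `main()` is not a real certificate.

```python
"""Compare a stored LDAP SSL fingerprint with what the domain controller actually serves.

Added example (hypothetical names throughout); not part of the Indeni rule or Check Point.
"""
import hashlib
import socket
import ssl


def der_fingerprint(der_bytes: bytes, algorithm: str = "md5") -> str:
    """Digest a DER-encoded certificate and format it as colon-separated upper-case hex.

    The page describes an MD5 fingerprint, so md5 is the default; the algorithm is a
    parameter so the same helper works for sha1/sha256 fingerprints if a deployment uses them.
    """
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fingerprint: str) -> str:
    """Strip separators and whitespace and fold case, so 'ab:cd' == 'AB CD' == 'ABCD'."""
    return "".join(ch for ch in fingerprint if ch.isalnum()).upper()


def fingerprints_match(stored: str, actual: str) -> bool:
    """Return True when the two fingerprints denote the same digest, regardless of formatting."""
    return normalize_fingerprint(stored) == normalize_fingerprint(actual)


def fetch_server_der(host: str, port: int = 636, timeout: float = 5.0) -> bytes:
    """Open a TLS session to the LDAPS port and return the leaf certificate in DER form.

    Chain validation is deliberately disabled: the goal is to fingerprint whatever the
    server presents, exactly as the gateway's 'Fetch' button does, not to trust it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_account_units(units, fetch_der=fetch_server_der):
    """Steps 3-4 for every account unit: fetch the live fingerprint and compare it.

    `units` is a list of dicts with keys: name, host, stored_fingerprint, optional port.
    `fetch_der` is injectable so the comparison logic can run without network access.
    A host that cannot be reached is reported as such rather than as a mismatch,
    because an unreachable DC is a different operational problem from a rotated certificate.
    """
    results = []
    for unit in units:
        host, port = unit["host"], unit.get("port", 636)
        try:
            actual = der_fingerprint(fetch_der(host, port))
            status = "matched" if fingerprints_match(unit["stored_fingerprint"], actual) else "MISMATCH"
        except OSError as exc:
            actual, status = None, f"unreachable ({exc})"
        results.append({
            "account_unit": unit["name"],
            "host": host,
            "stored": unit["stored_fingerprint"],
            "actual": actual,
            "status": status,
        })
    return results


def main():
    # Constructed sample: a fake "DER" blob and two account units, one whose stored
    # fingerprint was taken from that blob and one whose stored value is stale.
    fake_der = b"constructed-not-a-real-certificate"
    current_fp = der_fingerprint(fake_der)
    units = [
        {"name": "ad_unit_hq", "host": "dc1.example.invalid", "stored_fingerprint": current_fp.lower()},
        {"name": "ad_unit_branch", "host": "dc2.example.invalid", "stored_fingerprint": "00:11:22:33"},
    ]
    for row in check_account_units(units, fetch_der=lambda host, port: fake_der):
        print(f"{row['account_unit']:<16} {row['host']:<22} {row['status']}")


if __name__ == "__main__":
    main()
```

Against a real gateway the `fetch_der` default is used, and the printed `MISMATCH` row is exactly the condition the rule alerts on; fixing it is the SmartDashboard "Fetch" procedure in the remediation steps above, not editing the stored value by hand.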
CheckPointLDAPFingerprintNotTrusted
Rule source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/checkpoint/CheckPointLDAPFingerprintNotTrusted.scala