LDAP fingerprint not trusted-checkpoint-all

LDAP fingerprint not trusted-checkpoint-all
0

LDAP fingerprint not trusted-checkpoint-all

Vendor: checkpoint

OS: all

Description:
Alerts when the Active Directory SSL fingerprint does not match the one stored in Check Point. When the fingerprints do not match, the Check Point gateway will loose connection with the domain controller and cannot fetch data such as “Identity Awareness”.

Remediation Steps:
To update the fingerprint:
|1. Open SmartDashboard.
|2. Open the relevant LDAP account object.
|3. Go to the “Servers” tab.
|4. For each host in the list, click “Edit” and go to the “Encryption” tab. Then click “Fetch”.
|5. Save and push policy.

chkp-ldap-fingerprint-check

name: chkp-ldap-fingerprint-check
description: Check if the stored LDAP fingerprint is the same as the actual one for
    Identity Awareness
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: checkpoint
    role-firewall: 'true'
comments:
    ldap-integration-fingerprint-matched:
      why: |
        To check the md5 sum of the Active Directory LDAP SSL certificate in DER format "fingerprint" is same as
        stored "fingerprint"
      how: |
        By by parsing the C files in Checkpoint and following the multistep process of following processes:
        1. For each AD account unit, get the fingerprint as well as which object is used for address
        2. Get the IP of each object used
        3. Connect to AD server to get fingerprint
        4. Compare stored fingerprint with actual one.

      can-with-snmp: false
      can-with-syslog: false
steps:
   -  run:
          type: SSH
          command: nice -n 15 cat $FWDIR/conf/objects.C
      parse:
          type: AWK
          file: ldap-fingerprint-check.parser.1.awk
   -  run:
          type: SSH
          file: ldap-fingerprint-check.remote.2.bash
      parse:
          type: AWK
          file: ldap-fingerprint-check.parser.2.awk

CheckPointLDAPFingerprintNotTrusted

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

/**
  * Created by Patrik J 2017-11-02.
  */

case class CheckPointLDAPFingerprintNotTrusted() extends StateDownTemplateRule(
  ruleName = "CheckPointLDAPFingerprintNotTrusted",
  ruleFriendlyName = "Check Point Firewalls: LDAP fingerprint not trusted",
  ruleDescription = "Alerts when the Active Directory SSL fingerprint does not match the one stored in Check Point. When the fingerprints do not match, the Check Point gateway will loose connection with the domain controller and cannot fetch data such as \"Identity Awareness\".",
  metricName = "ldap-integration-fingerprint-matched",
  applicableMetricTag = "name",
  alertItemsHeader = "Affected LDAP Objects",
  alertDescription = "When an LDAP SSL connection is established from a Check Point gateway to a Active Directory server the certificate fingerprint is stored. If the certificate is updated on the server the fingerprint will not match, and connection to the Active Directory server will be lost. This means that no new identities for \"Identity Awareness\" can be collected.",
  baseRemediationText = """To update the fingerprint: 
                          |1. Open SmartDashboard.
                          |2. Open the relevant LDAP account object.
                          |3. Go to the "Servers" tab.
                          |4. For each host in the list, click "Edit" and go to the "Encryption" tab. Then click "Fetch".
                          |5. Save and push policy.""".stripMargin)()