LDAP fingerprint not trusted-checkpoint-all
Alerts when the Active Directory SSL certificate fingerprint does not match the one stored in Check Point. When the fingerprints do not match, the Check Point gateway will lose its connection to the domain controller and can no longer fetch the data that Identity Awareness depends on.
To update the fingerprint:
1. Open SmartDashboard.
2. Open the relevant LDAP account object.
3. Go to the "Servers" tab.
4. For each host in the list, click "Edit" and go to the "Encryption" tab. Then click "Fetch".
5. Save and push policy.
name: chkp-ldap-fingerprint-check
description: Check if the stored LDAP fingerprint is the same as the actual one for Identity Awareness
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: checkpoint
    role-firewall: 'true'
comments:
    ldap-integration-fingerprint-matched:
        why: |
            To check that the MD5 sum ("fingerprint") of the Active Directory LDAP SSL certificate in DER format is the same as the stored fingerprint
        how: |
            By parsing objects.C on the Check Point device and then following these steps:
            1. For each AD account unit, get the stored fingerprint and the object used as the server address
            2. Get the IP of each object used
            3. Connect to the AD server to get the actual fingerprint
            4. Compare the stored fingerprint with the actual one.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: SSH
        command: nice -n 15 cat $FWDIR/conf/objects.C
    parse:
        type: AWK
        file: ldap-fingerprint-check.parser.1.awk
-   run:
        type: SSH
        file: ldap-fingerprint-check.remote.2.bash
    parse:
        type: AWK
        file: ldap-fingerprint-check.parser.2.awk
// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.
package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

/**
 * Created by Patrik J 2017-11-02.
 */
case class CheckPointLDAPFingerprintNotTrusted() extends StateDownTemplateRule(
  ruleName = "CheckPointLDAPFingerprintNotTrusted",
  ruleFriendlyName = "Check Point Firewalls: LDAP fingerprint not trusted",
  ruleDescription = "Alerts when the Active Directory SSL fingerprint does not match the one stored in Check Point. When the fingerprints do not match, the Check Point gateway will lose connection with the domain controller and cannot fetch data such as \"Identity Awareness\".",
  metricName = "ldap-integration-fingerprint-matched",
  applicableMetricTag = "name",
  alertItemsHeader = "Affected LDAP Objects",
  alertDescription = "When an LDAP SSL connection is established from a Check Point gateway to an Active Directory server the certificate fingerprint is stored. If the certificate is updated on the server the fingerprint will not match, and connection to the Active Directory server will be lost. This means that no new identities for \"Identity Awareness\" can be collected.",
  baseRemediationText =
    """To update the fingerprint:
      |1. Open SmartDashboard.
      |2. Open the relevant LDAP account object.
      |3. Go to the "Servers" tab.
      |4. For each host in the list, click "Edit" and go to the "Encryption" tab. Then click "Fetch".
      |5. Save and push policy.""".stripMargin)()
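The comparison that steps 3 and 4 of the YAML `how:` section (and the Scala rule's `ldap-integration-fingerprint-matched` metric) rely on is simple but easy to get wrong when the stored value and the live value are rendered differently. The following Python is an added example, not part of the indeni rule, its AWK/bash helpers, or any Check Point code: it takes a server certificate as returned by the standard-library `ssl` module (PEM), converts it back to DER, hashes it with MD5, and compares the result against a stored fingerprint after normalising separators and case. The colon-separated upper-case display format, the LDAPS port 636 used by `fetch_server_pem`, and the sample DER bytes are all assumptions; the sample bytes are constructed and are not a real certificate, which is fine because the fingerprint is MD5 over the raw DER bytes and nothing else.

```python
"""Added example (not indeni's or Check Point's code): compute the MD5 fingerprint of an
LDAP server certificate in DER form and compare it with a stored fingerprint."""
import base64
import hashlib
import re
import ssl

# Constructed sample bytes standing in for a DER-encoded certificate. They are NOT a real
# certificate; MD5 only hashes the raw DER bytes, so any byte string works for the demo.
SAMPLE_DER = bytes(range(0x30, 0x30 + 64)) * 4


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block, the form ssl.get_server_certificate returns."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode back to DER (equivalent to ssl.PEM_cert_to_DER_cert)."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM CERTIFICATE block")
    return base64.b64decode("".join(lines[1:-1]))


def der_fingerprint(der: bytes) -> str:
    """MD5 over the DER bytes, rendered as colon-separated upper-case hex pairs (assumed display format)."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def normalize_fingerprint(fp: str) -> str:
    """Canonical form for comparison: hex digits only, lower-case, so 'AB:CD', 'ab cd' and 'abcd' agree."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(hex_only) != 32:
        raise ValueError(f"expected a 32-hex-digit MD5 fingerprint, got {fp!r}")
    return hex_only


def fingerprints_match(stored: str, actual: str) -> bool:
    """Step 4 of the rule: compare stored and live fingerprints regardless of formatting."""
    return normalize_fingerprint(stored) == normalize_fingerprint(actual)


def check_certificate(stored_fingerprint: str, pem: str) -> dict:
    """Steps 3 and 4 together: derive the live fingerprint from a fetched PEM and compare it."""
    actual = der_fingerprint(pem_to_der(pem))
    return {
        "stored": stored_fingerprint,
        "actual": actual,
        "matched": fingerprints_match(stored_fingerprint, actual),
    }


def fetch_server_pem(host: str, port: int = 636) -> str:
    """Live fetch from a domain controller (LDAPS on 636 is an assumption; not called in the demo).
    With no ca_certs given, get_server_certificate skips chain validation on purpose: the goal is
    to see the certificate the server actually presents, even if it is self-signed or rotated."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    live = der_fingerprint(SAMPLE_DER)
    print(check_certificate(live, pem))          # fingerprints agree -> matched: True
    print(check_certificate("00:" * 16, pem))    # stale stored value -> matched: False
```

In a real check the `pem` argument would come from `fetch_server_pem(<dc address resolved in step 2>)` and `stored_fingerprint` from the account unit parsed out of objects.C in step 1; a `matched: False` result is exactly the condition the rule alerts on, and the remediation is the "Fetch" procedure listed above rather than editing the stored value by hand.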