LDAP fingerprint not trusted-checkpoint-all
Alerts when the Active Directory SSL fingerprint does not match the one stored in Check Point. When the fingerprints do not match, the Check Point gateway will loose connection with the domain controller and cannot fetch data such as “Identity Awareness”.
To update the fingerprint:
|1. Open SmartDashboard.
|2. Open the relevant LDAP account object.
|3. Go to the “Servers” tab.
|4. For each host in the list, click “Edit” and go to the “Encryption” tab. Then click “Fetch”.
|5. Save and push policy.
name: chkp-ldap-fingerprint-check description: Check if the stored LDAP fingerprint is the same as the actual one for Identity Awareness type: monitoring monitoring_interval: 10 minutes requires: vendor: checkpoint role-firewall: 'true' comments: ldap-integration-fingerprint-matched: why: | To check the md5 sum of the Active Directory LDAP SSL certificate in DER format "fingerprint" is same as stored "fingerprint" how: | By by parsing the C files in Checkpoint and following the multistep process of following processes: 1. For each AD account unit, get the fingerprint as well as which object is used for address 2. Get the IP of each object used 3. Connect to AD server to get fingerprint 4. Compare stored fingerprint with actual one. can-with-snmp: false can-with-syslog: false steps: - run: type: SSH command: nice -n 15 cat $FWDIR/conf/objects.C parse: type: AWK file: ldap-fingerprint-check.parser.1.awk - run: type: SSH file: ldap-fingerprint-check.remote.2.bash parse: type: AWK file: ldap-fingerprint-check.parser.2.awk
Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/checkpoint/CheckPointLDAPFingerprintNotTrusted.scala