LDAP fingerprint not trusted-checkpoint-all

Vendor: checkpoint

OS: all

Description:
Alerts when the SSL certificate fingerprint presented by the Active Directory server does not match the one stored in the Check Point LDAP account object. When the fingerprints do not match, the Check Point gateway loses its connection to the domain controller and can no longer fetch identities for Identity Awareness.

Remediation Steps:
To update the stored fingerprint:
1. Open SmartDashboard.
2. Open the relevant LDAP account object.
3. Go to the "Servers" tab.
4. For each host in the list, click "Edit", go to the "Encryption" tab and click "Fetch" to retrieve the certificate fingerprint the server currently presents.
5. Save and push policy.

chkp-ldap-fingerprint-check

name: chkp-ldap-fingerprint-check
description: Check if the stored LDAP fingerprint is the same as the actual one for
    Identity Awareness
type: monitoring
monitoring_interval: 10 minutes
requires:
    vendor: checkpoint
    role-firewall: 'true'
comments:
    ldap-fingerprint-mismatch:
        why: |
            When an LDAP over SSL connection is established from a Check Point gateway to an Active Directory server, the fingerprint of the server's certificate is stored in the LDAP account object. The fingerprint is a hash of the whole certificate, so any renewal of the certificate on the server changes it, even when the server keeps the same key pair. Once the stored fingerprint no longer matches the presented certificate, the connection to the Active Directory server is lost and no new identities for Identity Awareness can be collected.
        how: |
            indeni reads the fingerprint stored for each LDAP server in objects.C, retrieves the fingerprint of the certificate the server currently presents, and alerts when the two differ.
        without-indeni: |
            Detecting this is hard. An administrator might notice that no new identities are being collected, but tracing that back to a fingerprint mismatch is not easy. To resolve the issue the administrator has to log in to SmartDashboard and manually re-fetch the certificate fingerprint.
        can-with-snmp: false
        can-with-syslog: false
        vendor-provided-management: Fingerprint is refreshed via the SmartDashboard.
steps:
-   run:
        type: SSH
        command: nice -n 15 cat $FWDIR/conf/objects.C
    parse:
        type: AWK
        file: ldap-fingerprint-check.parser.1.awk
-   run:
        type: SSH
        file: ldap-fingerprint-check.remote.2.bash
    parse:
        type: AWK
        file: ldap-fingerprint-check.parser.2.awk
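The comparison the check performs, as an added example in Python. This is not indeni's parser or remote script and not Check Point code; it assumes the fingerprint is a SHA-1 hash of the DER certificate (the `algo` parameter is an assumption and can be changed), uses hypothetical domain controller names, and stands in constructed byte strings for the certificates so that the offline demonstration runs without a domain controller. `fetch_server_cert_der` is the live path, which reads the certificate from a real LDAPS listener on port 636.

```python
import hashlib
import re
import socket
import ssl
from typing import Callable, Dict, List

# Constructed sample input (not real certificates): byte strings standing in
# for the DER-encoded server certificate of two hypothetical domain controllers.
SAMPLE_DER = {
    "dc1.example.local": b"\x30\x82\x01\x00-constructed-der-for-dc1",
    "dc2.example.local": b"\x30\x82\x01\x00-constructed-der-for-dc2",
}


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER-encoded certificate.

    The hash covers the whole certificate, so a renewed certificate gets a
    new fingerprint even when the server keeps the same key pair.
    """
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize(fp: str) -> str:
    """Strip separators and case so 'ab:cd' and 'AB CD' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fetch_server_cert_der(host: str, port: int = 636, timeout: float = 5.0) -> bytes:
    """Open an LDAPS connection and return the leaf certificate as DER bytes.

    Chain verification is deliberately disabled: the goal is to read whatever
    certificate the server presents right now and pin it by fingerprint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_ldap_servers(stored: Dict[str, str],
                       fetch: Callable[[str], bytes] = fetch_server_cert_der,
                       algo: str = "sha1") -> List[dict]:
    """Compare each stored fingerprint with the one the server presents now.

    Returns one record per server shaped like the rule's metric: the server
    name as the 'name' tag and 1.0 (matched) or 0.0 (mismatch) as the value.
    """
    results = []
    for host, stored_fp in stored.items():
        try:
            live_fp = fingerprint(fetch(host), algo)
            matched = normalize(live_fp) == normalize(stored_fp)
            error = None
        except (OSError, ssl.SSLError) as exc:
            # An unreachable server is reported as a failure, never as a match.
            live_fp, matched, error = None, False, str(exc)
        results.append({"name": host, "value": 1.0 if matched else 0.0,
                        "stored": stored_fp, "live": live_fp, "error": error})
    return results


def sample_run() -> List[dict]:
    """Offline demonstration on the constructed certificates: dc1 still presents
    the certificate whose fingerprint was stored (stored in lower case to show
    normalisation); dc2 has been renewed, so its stored fingerprint is stale."""
    stored = {
        "dc1.example.local": fingerprint(SAMPLE_DER["dc1.example.local"]).lower(),
        "dc2.example.local": fingerprint(b"previous certificate of dc2"),
    }
    return check_ldap_servers(stored, fetch=lambda host: SAMPLE_DER[host])


if __name__ == "__main__":
    for r in sample_run():
        state = "matched" if r["value"] == 1.0 else "MISMATCH"
        print(f"{r['name']}: {state} stored={r['stored']} live={r['live']}")
```

Against a real gateway you would fill `stored` from the LDAP server entries in `$FWDIR/conf/objects.C` and leave `fetch` at its default; the mismatch records map directly onto the `ldap-integration-fingerprint-matched` metric tagged by `name`.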

CheckPointLDAPFingerprintNotTrusted

// Deprecation warning : Scala template-based rules are deprecated. Please use YAML format rules instead.

package com.indeni.server.rules.library.templatebased.checkpoint

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
import com.indeni.server.sensor.models.managementprocess.alerts.dto.AlertSeverity

/**
  * Created by Patrik J 2017-11-02.
  */

// Template-based rule: raises one alert item per LDAP server object (identified by the
// "name" tag) whose ldap-integration-fingerprint-matched metric reports the down state.
case class CheckPointLDAPFingerprintNotTrusted() extends StateDownTemplateRule(
  ruleName = "CheckPointLDAPFingerprintNotTrusted",
  ruleFriendlyName = "Check Point Firewalls: LDAP fingerprint not trusted",
  ruleDescription = "Alerts when the Active Directory SSL certificate fingerprint does not match the one stored in Check Point. When the fingerprints do not match, the Check Point gateway will lose its connection to the domain controller and can no longer fetch identities for \"Identity Awareness\".",
  metricName = "ldap-integration-fingerprint-matched",
  applicableMetricTag = "name",
  alertItemsHeader = "Affected LDAP Objects",
  alertDescription = "When an LDAP SSL connection is established from a Check Point gateway to an Active Directory server, the certificate fingerprint is stored. If the certificate is updated on the server the fingerprint will no longer match, and the connection to the Active Directory server will be lost. This means that no new identities for \"Identity Awareness\" can be collected.",
  baseRemediationText = """To update the fingerprint:
                          |1. Open SmartDashboard.
                          |2. Open the relevant LDAP account object.
                          |3. Go to the "Servers" tab.
                          |4. For each host in the list, click "Edit" and go to the "Encryption" tab. Then click "Fetch".
                          |5. Save and push policy.""".stripMargin)()