Archive for the ‘VPN-1’ Category

Using 3rd party certificates for your SSL VPN

Tuesday, June 8th, 2010

With Check Point software it's very easy to configure client authentication over HTTPS or an SSL VPN with the SSL Network Extender (SNX).

But unfortunately, out of the box the gateway presents a certificate issued by its own Internal CA (ICA), which no browser trusts, so every user gets a certificate warning.

This warning can be confusing for users, and depending on the company policy and the browser's settings the connection might not even be allowed.

The better way is to have a certificate on the gateway that was issued by one of the big public CAs (VeriSign, Thawte, etc.) and present that to the users.

Because the browser already carries the root certificates of these CAs in its trust store, no error message appears while connecting, provided the name in the certificate matches the host name the users type in.

I’m going to show you how to configure your gateway with a certificate from a 3rd party CA.

1. First, we need to create a trusted CA object under the Servers and OPSEC Applications section.

Creating a trusted CA object

2. Then we give a name to the CA object and choose OPSEC PKI as CA type.

CA properties

3. On the next tab you can import the CA certificate from a file.

OPSEC PKI properties

Here you can also choose to do an automatic enrollment for certificate renewal over three different protocols. However, this isn't supported by every CA. Personally I don't do automatic renewals but do it by hand instead every time.

If you uncheck CRL retrieval from HTTP servers, the gateway will not check revocation for certificates issued by this CA, so a revoked certificate is accepted just like a valid one. For our purpose, enrolling the gateway's own server certificate, it's ok to have this unchecked; if you later use this CA object to authenticate client or peer certificates, turn it back on.

4. While importing the CA certificate you have to approve it.

Accept CA certificate

5. Now we’re done with the CA object and can actually go to the gateway object.

Gateway properties

6. Click on Add to create a new certificate. You're asked for a nickname for the certificate, which is used in various places in the GUI and in config files (the fwauthd.conf entry at the end of this post refers to it). I suggest keeping it short and descriptive. Choose to enroll this certificate from the CA object created in the steps before.

Certificate properties

7. At this point a CSR (certificate signing request) is generated. The DN (distinguished name) has to be exactly what the CA expects, otherwise the CA will not issue the certificate, so take good care here!

Generate CSR

In our example the certificate is signed by the United Internet CA, and for a gateway with the DNS name fw.test.de we have to use this DN (the OU entries and the address fields are prescribed by the CA; OID.2.5.4.17 is the postalCode attribute):

CN=fw.test.de,OU=Comodo InstantSSL,OU=Authorized by United SSL,OU=Authorized by United SSL,O=TEST GmbH,STREET=Test Straße 90,L=Hamburg,ST=Hamburg,OID.2.5.4.17=22159,C=DE

Alternative DNS names are entered as subject alternative names of type FQDN.

8. After filling in the details the CSR is presented. Copy it to the clipboard or save it to a file and hand it over to the CA you chose for signing. Make sure that the text is copied completely, including the BEGIN and END lines.

CSR view

9. When the CA gives you back your signed certificate, complete the process by selecting the appropriate nickname and clicking on Complete.

Gateway properties

10. Load the certificate, accept it and attach it to the gateway.

Accept certificate

11. Now you can select this certificate as the one presented to users connecting to SSL Network Extender etc.

Clientless VPN configuration


VPN Clients configuration

To use this certificate for client authentication over HTTPS as well, you have to edit the file $FWDIR/conf/fwauthd.conf on the gateway and append ssl:<nickname> to the in.ahclientd entry, where <nickname> is the certificate nickname you chose in step 6 (fw.test.de in our example).

Change the entry to

900 fwssd in.ahclientd wait 900 ssl:fw.test.de

The file is read when the daemon starts, so restart the Check Point services (cpstop; cpstart) for the change to take effect.
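Steps 7 to 10 are the ones where a typo costs you a round trip to the CA, so here is an added example (not from the original post and not Check Point's code) of the checks I would run with the openssl CLI before pasting the CSR into the CA's web form and again before attaching the returned certificate: the CN of the CSR, that the certificate really belongs to the CSR's key, that it covers the gateway's DNS name, that it chains to the CA certificate you imported in step 3, and that it is not about to expire. File names, the host name fw.test.de and the demo CA in make_demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from Check Point.
# Offline sanity checks for the CSR and the returned certificate before
# attaching it to the gateway. Needs only the openssl CLI.
# File names, the hostname fw.test.de and the demo CA are constructed.

# Subject DN of a CSR in one-line RFC 2253 form (CN first), e.g.
#   CN=fw.test.de,O=TEST GmbH,L=Hamburg,ST=Hamburg,C=DE
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# The CN of a CSR, to compare with the gateway's DNS name before
# handing the CSR to the CA.
csr_cn() {
    csr_subject "$1" | grep -o 'CN=[^,]*' | head -n 1 | cut -d= -f2
}

# Returns 0 if the certificate was issued for the key in the CSR,
# i.e. the CA signed our request and not somebody else's.
cert_matches_csr() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Returns 0 if the certificate's subject/SAN covers the given host name.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Returns 0 if the certificate chains to the CA bundle (the same CA
# certificate that was imported into the OPSEC PKI object).
cert_chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Returns 0 if the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run all checks at once: precheck CA_BUNDLE CSR CERT HOSTNAME
precheck() {
    rc=0
    cert_matches_csr "$2" "$3"  || { echo "key mismatch: certificate was not issued for this CSR"; rc=1; }
    cert_covers_host "$3" "$4"  || { echo "certificate does not cover $4"; rc=1; }
    cert_chain_ok "$1" "$3"     || { echo "certificate does not chain to the trusted CA"; rc=1; }
    cert_valid_for_days "$3" 30 || { echo "certificate expires within 30 days"; rc=1; }
    return $rc
}

# Constructed fixtures in a temp dir: a throw-away CA, a good certificate,
# one issued for a different key, and a self-signed one (which is what an
# ICA-issued certificate looks like to a browser that has never heard of
# the issuer). Prints the directory name.
make_demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/O=Demo/CN=Demo Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/C=DE/ST=Hamburg/L=Hamburg/O=TEST GmbH/CN=fw.test.de" \
        -keyout "$d/gw.key" -out "$d/gw.csr" 2>/dev/null
    openssl x509 -req -in "$d/gw.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -days 90 \
        -out "$d/gw.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=fw.test.de" \
        -keyout "$d/other.key" -out "$d/other.csr" 2>/dev/null
    openssl x509 -req -in "$d/other.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial -days 90 \
        -out "$d/other.pem" 2>/dev/null
    openssl x509 -req -in "$d/gw.csr" -signkey "$d/gw.key" -days 90 -out "$d/selfsigned.pem" 2>/dev/null
    echo "$d"
}
```

With real files the call is simply precheck ca-bundle.pem fw.test.de.csr fw.test.de.pem fw.test.de. Once the certificate is attached and selected in step 11, confirm from the outside that the gateway now presents it and that the issuer is the public CA rather than the ICA, for example with openssl s_client -connect fw.test.de:443 -servername fw.test.de </dev/null | openssl x509 -noout -subject -issuer -dates.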

Tobias Lachmann

R71 released

Friday, April 30th, 2010

The version R71 was released. See this article for details. The release notes can be found here.

I will test the upgrade from R70.30 to R71 today and get back to you with more feedback.

Tobias Lachmann

“It’s Christmas, Theo. It’s the time of miracles, so be of good cheer…” – Hans Gruber in Die Hard

Wednesday, December 23rd, 2009

Since Christmas is the time for kids making their wishlists, I will also give it a try and make my personal wishlist to Check Point. And as Christmas is also the time for miracles, maybe some of my wishes will come true in the next year…. we’ll see.

SecurePlatform
Image Management / Snapshots
Well, we have Gaia coming sooner or later. What I really would like to see in there is the Image Management of the UTM-1 appliances. It is easier to handle than snapshots for most tasks. A really great evolution would be a combination of both: being able to create and store images locally, as well as taking snapshots/images and storing them over the network using SSH.
That could make recovery even easier.
Why not add a dialog during SPLAT installation where you can choose to use Image Management with LVM or stay with the old partitioning? If Image Management is chosen, you should be able to decide for yourself how the space is divided between /var and the image partition.

Time and Date settings
Why can I set the NTP parameters together with the GMT offset in the WebUI, but need to go to the CLI to set the time zone?
This should also appear in the WebUI.

Administrator Accounts
I'd like to choose on creation which shell the account should use (bash or cpshell) and what the idle timeout of a session should be. The ability to scp something to the box using this account should also be an option to enable here.

SNMP
The SNMP settings should be configured using the WebUI. Also I’d like to have a download link to the current MIB on the box.

SmartConsole
Adding objects
The new icon with the "+" sign on each cell is very helpful for quick-adding of existing objects. I'd like to have the option to create a new object from there, too.

Window resizing
Some dialog boxes can't be resized. Usually these fixed-size dialog boxes have too much content and you must use scroll bars to see it all. Examples: Global Properties, the firewall object page, the network object page. All windows should be resizable.

Gateway Topology
I have to maintain a gateway cluster with more than 150 interfaces. Whenever I need to make a change to the interface configuration, I have to scroll through the entire list to find the right entry, since the list is unsorted. Not funny.
I'd like to have the ability to sort the list by clicking on the column header.

Troubleshooting
InfoView
We really need a more up-to-date and stable version of InfoView. Usually I need to try two or three times before I can open a cpinfo file because the tool crashes. As far as I know it's not maintained any longer, but all support partners really need this!

Endpoint Security
SecureClient / Endpoint Connect
Endpoint Connect should be the successor of SecureClient, but it isn't really. EC lacks the personal firewall feature. For most SME customers the old SecureClient Desktop Policy feature was all they needed. Check Point should understand that Endpoint Security is not the answer to every demand.

Licensing
Check Point does not offer a maintained, up-to-date VPN client free of charge. To use Endpoint Connect with Office Mode, an Endpoint Security Secure Access license is necessary.
Like Cisco, Check Point should give away a full-blown VPN client for free!

OS support
Parts of Endpoint Security run on Windows 7? Congratulations. But why do we still have to struggle with VPN clients for Mac OS or Linux? Why do we have to use a current OS like Snow Leopard with a very, very old VPN client like SecureClient?
I think that before integrating new features into Endpoint Security and all other products that have to be installed on clients, you should make sure that you support all common OSes: Windows XP, Vista and 7 as well as Mac OS 10.4, 10.5 and 10.6. A client for Linux (Debian, RedHat/CentOS, Ubuntu) should also be available.

Version numbering
I nearly lost it with the Endpoint Security version numbers, since they no longer correspond to the other products. Keep the version numbering simpler.

That's it for now, but for sure I will extend my wish list in the next days... there are so many things CP needs to take care of.

Happy XMAS, everybody.

Tobias Lachmann

Check Point R70.20 is now available

Sunday, December 20th, 2009

The release R70.20 is now available. I checked the documentation and found that it contains many important fixes as well as new features. In particular it takes care of the new multicore licensing scheme that has been introduced by Check Point.

Check out the What’s new page, the Release Notes, the Known Limitations and the Resolved Issues.

From the bug-fixing side, R70.20 is the counterpart of HFA60 for NGX R65, plus some added features.
Highly recommended for installation.

Tobias Lachmann

ETA for NGX R65 HFA60

Wednesday, October 21st, 2009

Today I was informed that HFA60 for NGX R65 will be available at the end of this quarter.

I expected this HFA earlier, but for some reason the release was postponed again :(

Tobias Lachmann

Presentations from Check Point User Group Conference (CPUGCON) 2009

Wednesday, October 21st, 2009

I think I'll get started with this blog by posting links to the presentations I held at the Check Point User Group Conference in Chur, Switzerland.

The first presentation is purely for beginners: Troubleshooting in the Check Point environment, Part I

The second one, which was more liked by the crowd at CPUGCON, is really advanced troubleshooting: Troubleshooting in the Check Point environment, Part II

These two presentations draw on my daily work at a Check Point Collaborative Support Provider (CCSP), as they reflect the things I'm constantly facing.

From the project side, I did lots of migrations from distributed Check Point installations to a Check Point UTM-1 full cluster. This means that the firewall/VPN part runs as an active/standby cluster and we also have Management High Availability with the two SmartCenters. This is described in the presentation: Migration from a Distributed Environment to a UTM-1 Cluster

Best regards

Tobias Lachmann