LDAP server’s SSL fingerprint doesn’t match saved fingerprint: Check Point Firewalls Configuration Alert Guide


This is a real life sample alert from indeni, the World leader in Proactive Network Management for Check Point Firewalls

Description:

Some of the LDAP servers with which an integration has been set up have recently changed their SSL certificate's fingerprint. This is usually the result of the certificate expiring and being renewed on an Active Directory server. It may impact user authentication over LDAP (such as VPN users or Identity Awareness). The LDAP servers for which an issue has been found are:
us8301.mycompany.com (192.168.100.105)

Manual Remediation Steps:

Edit the LDAP server’s settings in the firewall management and make sure the server’s SSL certificate’s fingerprint is up to date. This can easily be done by clicking on the Fetch button in the LDAPS Encryption tab.

How does this alert work?

indeni analyzes the management server's database files to look for LDAP Encryption configurations. If a fingerprint is stored in them, indeni asks the management server to connect to the LDAP server over LDAPS and retrieve the certificate the server presents (usually an Active Directory domain controller). indeni then calculates the fingerprint of that certificate and checks whether it matches the fingerprint stored on the management server. If it does not, indeni raises this alert.
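The check described above, written out as an added example. This is not indeni's code and not Check Point's; it is a stand-alone Python illustration of the same logic: fetch the certificate the LDAPS endpoint presents, hash the DER bytes into a colon-separated fingerprint, normalize both values so a copy-pasted fingerprint compares correctly, and report every server whose saved value no longer matches. The host names, the stored fingerprints and the "DER" byte strings in the demo are constructed placeholders, so the block runs offline; `fetch_ldaps_certificate` is the only part that touches the network and is not called by the demo.

```python
import hashlib
import ssl
from typing import Callable, Dict, List, Tuple


def cert_fingerprint(cert_der: bytes, algorithm: str = "sha1") -> str:
    """Fingerprint = hash of the DER-encoded certificate, rendered as
    colon-separated hex pairs (the form shown in the LDAPS Encryption tab).
    SHA-1 is the traditional display format; SHA-256 is preferable when
    you have a choice, so the algorithm is a parameter."""
    digest = hashlib.new(algorithm, cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop separators and case so 'ab:cd' and 'ABCD' compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(stored: str, observed: str) -> bool:
    return normalize_fingerprint(stored) == normalize_fingerprint(observed)


def fetch_ldaps_certificate(host: str, port: int = 636) -> bytes:
    """Retrieve the leaf certificate an LDAPS endpoint presents, as DER bytes.
    Only the TLS handshake is performed; no LDAP bind is attempted. Note that
    ssl.get_server_certificate does not validate the chain, which is exactly
    what we want here: we are recording what the server presents."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# (host, fingerprint saved in the management database, fingerprint observed now)
Mismatch = Tuple[str, str, str]


def check_ldap_servers(stored: Dict[str, str],
                       fetch: Callable[[str], bytes] = fetch_ldaps_certificate,
                       algorithm: str = "sha1") -> List[Mismatch]:
    """Compare each saved fingerprint with the one computed from the live
    certificate. A server that cannot be reached is reported too (observed
    value 'unreachable: ...') rather than silently skipped, because the check
    could not confirm that the saved value is still valid."""
    mismatches: List[Mismatch] = []
    for host, saved_fp in stored.items():
        try:
            observed_fp = cert_fingerprint(fetch(host), algorithm)
        except OSError as exc:
            mismatches.append((host, saved_fp, f"unreachable: {exc}"))
            continue
        if not fingerprint_matches(saved_fp, observed_fp):
            mismatches.append((host, saved_fp, observed_fp))
    return mismatches


# --- Offline demonstration with constructed data (no real certificates) ---
# Stand-ins for DER-encoded certificates. The bytes are arbitrary; the
# comparison logic is identical for real certificates.
_OLD_CERT = b"constructed DER for us8301 before renewal"
_NEW_CERT = b"constructed DER for us8301 after renewal"
_OTHER_CERT = b"constructed DER for dc02 (unchanged)"

# What the management database saved when the integrations were configured.
# dc02's value is stored lowercase without colons to show normalization works.
SAVED = {
    "us8301.mycompany.com": cert_fingerprint(_OLD_CERT),
    "dc02.mycompany.com": cert_fingerprint(_OTHER_CERT).replace(":", "").lower(),
}

# What the servers present today: us8301's certificate has been renewed.
_LIVE = {
    "us8301.mycompany.com": _NEW_CERT,
    "dc02.mycompany.com": _OTHER_CERT,
}


def fake_fetch(host: str) -> bytes:
    """Offline replacement for fetch_ldaps_certificate."""
    return _LIVE[host]


def demo() -> List[Mismatch]:
    return check_ldap_servers(SAVED, fetch=fake_fetch)


if __name__ == "__main__":
    for host, saved, observed in demo():
        print(f"{host}: saved {saved}, server now presents {observed}")
```

Against a real management server you would replace `SAVED` with the fingerprints read from the LDAP Encryption configuration and leave `fetch` at its default so the certificate is pulled from port 636. Treat an unreachable server as a finding to investigate, not as a pass: the renewal this alert describes usually coincides with a reboot or a service restart on the domain controller.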
