Can not find where to check the time

Giannis Danatzis 0

Hello team,

I have an issue where I can not seam to find an answer.
I configured SAML authentication with my checkpoint firewalls.
After encountering an issue and opening a case to Checkpoint they told me that the issue most probably is with the not synced Azure and Gateway clocks.
I have tried to find out where the portal clock is set or shown in order to be able to agree or disagree with the support's indication with no luck.
Does someone have an idea on how I can check this?

1 answer

Luis Arias 6,061 Reputation points

2024-03-11T10:59:18.04+00:00
Hi Giannis Danatzis,

As you already now you need to compare the time of components involve in your SAML configuration If it's Azure VMs and Checkpoint Firewall:

Azure hosts are synchronized to internal Microsoft time servers(time.windows.com). However VM can be modify to have another NTP server or time configured. (https://learn.microsoft.com/en-us/azure/virtual-machines/windows/time-sync)

Date on Linux by shell: date

Date on Windows by Powershell: Get-Date

After get the time of your service on azure verify the time on checkpoint firewall you can use: ntpdate -q <IP Checkpoint FW>

Besides one clarification the time at Azure portal level is not typically relevant for SAML authentication. The important thing is that the clocks on the systems involved in the SAML authentication (in this case, your Azure service and your Checkpoint firewall) are synchronized. This is because the timestamps in the SAML assertions generated by the identity provider (Azure) need to match up with the time on the service provider (Checkpoint firewall).

If the information helped address your question, please Accept the answer.

Luis
Please sign in to rate this answer.
Giannis Danatzis 0 Reputation points

2024-03-11T11:20:27.41+00:00

Hello Luis,

Just to clarify if I have understood it correctly.
I need to compare the time between the Azure service and my CheckPoint firewall which are the two that are involved in the SAML process. The thing that gets me confused is where should I search in azure because in order to build the SAML service you need to more that one components. For example you need to build a custom application in order to build the trust between Checkpoint Gateway and Azure entraid and one enterprise which is used as an identity provider.

The time for these application and the entire entraid will be the same and it will be enough to open a powershell on azure and go through the entraid time setup?

Luis Arias 6,061 Reputation points

2024-03-11T13:35:25.51+00:00

Hello Again Giannis, yes you need to compare your components involve in the SAML process. If you elaborate a bit in your SAML configuration with more details might I help you.

Giannis Danatzis 0 Reputation points

2024-03-14T13:14:33.2233333+00:00

Hello Luis,

Let me try to elaborate with the steps that I have created and worked on all other occassion
               1. Open EntraID

               2. Go to enterprise applications

               3. Click new application on the top

               4. Select create your own application at the top

               5. On the right slide over menu select "Integrate any other application you don't find in the gallery (Non-gallery)"

               6. Name it "Check Point "AzureAD" connection"

               7. Click Create

               8. Go back to azure portal home

               9. On azure portal select Microsoft EntraID

               10. On the left menu go to app registrations

               11. Navigate to all applications

               12. Select your newly created app

               13. Select API permissions on the left menu

               14. Click "Add a permission"

               15. Select Microsoft Graph

               16. Select Application permission

               17. Add the below permissions

                              a. Device.Read.All

                              b. Group.Read.All

                              c. User.Read.All

               18. Click the "Grant admin consent for your company" to grant admin consent

               19. On the left menu select certificates & secrets

               20. On the "Client secrets" section

               21. Select "New client secret"

               22. Give it a description i.e. "Check Point SAML authentication"

               23. Select the "Expires" field based on your preference

               24. Copy the Value and keep it on a notepad, this will be lost if you refresh the page

                              a. This is the "Application key"

               25. On the left menu select Overview and copy the values below on a notepad

                              a. Application (client) ID

                              b. Directory (tenant) ID

After that:

Open EntraID

               2. Go to enterprise applications

               3. Create or select the app that connects to the gateway

                              a. To create the app

                              b. Go to enterprise applications

                              c. Click on "New application" on the top left

                              d. Search for "Check point"

                              e. Select the app named "Check Point Remote Secure Access VPN"

                              f. Give it a name "Check Point Remote Secure Access VPN_EntApp"

                              g. Click "Create"

                              h. Done

               4. On the same app, go to the Users and Groups and add the group that you want to allow for VPN

                              a. Copy the group's name, you will need it on the next step

               5. Create the App Roles (if you want to add more than one groups you need one app role for each group)

                              a. Open EntraID (go back to Home)

                              b. Select App Registrations

                              c. Go to the app "Check Point Remote Secure Access VPN_EntApp"

                              d. Select App Roles

                              e. Select Create app role

                                             i. Input the group name (this is the group that allows users to VPN. Also used in the enterprise app on the previous step) on every field

                                             ii. Select Users/Groups

               6. Go back Home -> Enterprise applications -> "Check Point Remote Secure Access VPN_EntApp" -> Users and Groups

               7. Select each group and click "Edit assignment" on the top menu

               8. Select the roles you created earlier, match the names

               9. Save

Based on these you apply the config on the Checkpoint gateway which is corresponding to those two applications.

Unfortunately I really can not find a way to check the time and where to check it :-/

Luis Arias 6,061 Reputation points

2024-03-15T09:09:59.3733333+00:00

Hi Giannis now I got it in that case you might need to adjust the time settings on your Checkpoint firewall to match the time used by Azure services: UTC TIME

https://stackoverflow.com/questions/15430368/azure-now-returns-invalid-value-of-coordinated-universal-time-for-timezoneinfo

Let me know if this fix your error.

Giannis Danatzis 0 Reputation points

2024-03-15T09:53:43.5333333+00:00

Hello Luis,

Thank you very much for your help.
I am sorry for the spam and really being agnostic but I am trying to understand and provide the best solution possible.
Changing the timezone on the firewall most probably is not acceptable because this will mess up the logs in cooperation with our SIEM team who will see a log coming up now but with a time of 5-6 hours before.

I am really trying to understand how I can check this on Azure, if the timezone on our tenant is setup.

Just to give you another clue, the AzureAD licenses were bought a couple of years before from USA and were configured there. Our company is based in Greece so our Firewalls are set in Greece timezone and I just want to crosscheck on which timezone the Azure and I can not figure it out.
Sign in to comment

Share via

Can not find where to check the time

1 answer