https://community.checkpoint.com/t5/Firewall-and-Security-Management/Significance-of-Gateway-Certificate-when-we-have-Pre-shared-Keys/m-p/201500#M37951 <P>Hello Team,&nbsp;</P><P>If someone can help me understanding the Certificate significance in case we are not using it for S2S VPN:--</P><P>&nbsp;</P><P>Issue: S2S VPNs between Checkpoint gateways weren't working; identified expired certificates. Renewing them resolved the problem.&nbsp; We renewed the certificate on both the gateways. Its a Mesh Topology and in Hub and Spoke deployment. Only Checkpoint gateways are affected. Other Spokes are working fine in the community which are not the checkpoint gateways.&nbsp;</P><P>Queries:</P><OL><LI>In Pre-shared key VPN deployment (Meshed/Star topology), is a certificate necessary? If yes why ? what is the significance of this certificate ?</LI><LI>Are the renewed certificates signed by the CMA ?</LI><LI>The current certificate is renewed for a year. Is there a provision for extending the renewal period or adjusting the expiration date?</LI><LI>Can you share the SNMP traps so that we can actively monitor it.</LI></OL> Tue, 26 Dec 2023 04:48:18 GMT bSingh 2023-12-26T04:48:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Significance-of-Gateway-Certificate-when-we-have-Pre-shared-Keys/m-p/201500#M37951 <P>Hello Team,&nbsp;</P><P>If someone can help me understanding the Certificate significance in case we are not using it for S2S VPN:--</P><P>&nbsp;</P><P>Issue: S2S VPNs between Checkpoint gateways weren't working; identified expired certificates. Renewing them resolved the problem.&nbsp; We renewed the certificate on both the gateways. Its a Mesh Topology and in Hub and Spoke deployment. Only Checkpoint gateways are affected. Other Spokes are working fine in the community which are not the checkpoint gateways.&nbsp;</P><P>Queries:</P><OL><LI>In Pre-shared key VPN deployment (Meshed/Star topology), is a certificate necessary? If yes why ? what is the significance of this certificate ?</LI><LI>Are the renewed certificates signed by the CMA ?</LI><LI>The current certificate is renewed for a year. Is there a provision for extending the renewal period or adjusting the expiration date?</LI><LI>Can you share the SNMP traps so that we can actively monitor it.</LI></OL> Tue, 26 Dec 2023 04:48:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Significance-of-Gateway-Certificate-when-we-have-Pre-shared-Keys/m-p/201500#M37951 bSingh 2023-12-26T04:48:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Significance-of-Gateway-Certificate-when-we-have-Pre-shared-Keys/m-p/201670#M37952 <P>Some answers:</P> <OL> <LI>The default VPN authentication for S2S VPN is certificate-based. Pre-Shared is considered less secure and is only supported for cases when your VPN peer belongs to another security domain.</LI> <LI>GW VPN certificates, like all other internal certificates, are signed by your domain CA</LI> <LI>The default expiration period for VPN certificates is one year for all supported versions. You can extend it to three years, see&nbsp;<SPAN class="css-13y3t3g"><SPAN class="css-vy7rm">sk176527.</SPAN></SPAN></LI> <LI><SPAN class="css-13y3t3g"><SPAN class="css-vy7rm">AFAIK, there are no SNMP traps for certificates. However, there are multiple other means to follow up and check the validity of GW VPN certificates. Look into&nbsp;<SPAN>sk104400,&nbsp;sk178304,&nbsp;sk102092,&nbsp;sk97792. In essence, you will have either SmartConsole warning, or you can run a CLI command to check.</SPAN></SPAN></SPAN></LI> </OL> Thu, 28 Dec 2023 08:17:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Significance-of-Gateway-Certificate-when-we-have-Pre-shared-Keys/m-p/201670#M37952 _Val_ 2023-12-28T08:17:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Significance-of-Gateway-Certificate-when-we-have-Pre-shared-Keys/m-p/202487#M38102 <P>Thanks Val for sharing the information..&nbsp;</P> Mon, 08 Jan 2024 14:26:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Significance-of-Gateway-Certificate-when-we-have-Pre-shared-Keys/m-p/202487#M38102 bSingh 2024-01-08T14:26:25Z