topic Re: VPN Certificate renewal in Firewall and Security Management

VPN Certificate renewal

Timothy_Shover — Thu, 21 May 2020 14:18:49 GMT

Hi All,

I'm wondering if anyone has a creative way to monitor/manage VPN and SIC certificate renewal. I manage a large environment and most of the equipment outlives its 5 year life cycle which is the default length of the IKE certificates. I have been bitten by the certificate expiration and VPN tunnel drops causing an outage. I have developed a process to run the cpca_client lscert -kind IKE and comb the data for expirations but its currently a manual process. Wondering if we can use the mgmt_cli to do something more automated. Any ideas?

Re: VPN Certificate renewal

PhoneBoy — Sun, 24 May 2020 04:02:27 GMT

You can call that specific command using the run-script API but beyond that, there aren't any APIS for this.
Of course, if you're using the ICA, certificates should auto-renew on their own.

Re: VPN Certificate renewal

Vincent_Bacher — Wed, 08 Jul 2020 15:06:19 GMT

I am sorry, i just wanted to click on reply and clocked on solution by mistake.

@PhoneBoy: I have a question regarding VPN certificate renewal.

You wrote that when using ICA, IKE certificates should be renewed automatically. So far so good.
My question is: When is this performed? Directly after the time of expiry? Or earlier?

I have a customer here with ~300 SMB appliances (1100 series) where round about 150 certificates will expire in the next weeks.
All gateways are managed by SmartProvisioning except central gateway which is not a smb of course.

So for them it's really important to know this exactly. Where can we get a proof explanation of that?

Will open a SR in addition to this reply as soon as i have necessary rights in uc for that customer account.

Cheers

Vincent

Re: VPN Certificate renewal

PhoneBoy — Wed, 08 Jul 2020 16:33:14 GMT

For SIC in particular, it looks like that does not auto-renew on SMB per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk158333
For VPN certificates, if we didn't support it, you wouldn't have an SK like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108064
I believe it starts the auto-renewal process 60 days before.

Re: VPN Certificate renewal

Vincent_Bacher — Wed, 08 Jul 2020 19:06:17 GMT

In this case, the next certificates will expire at 12th of July. So here something is going wrong, right?

Re: VPN Certificate renewal

PhoneBoy — Wed, 08 Jul 2020 22:17:23 GMT

Agreed and it might be good to get the TAC involved.

Re: VPN Certificate renewal

Vincent_Bacher — Thu, 09 Jul 2020 09:08:59 GMT

tnx, sr is created

Re: VPN Certificate renewal

Duane_Toler — Thu, 09 Jul 2020 13:35:00 GMT

Like you, I've been seeing IKE certificates [SmartCenter-managed] not getting auto-renewed like they should. Not sure what's failing, but something certainly is amiss. This seems to be some R80-specific issue; I certainly don't recall this error with R77 and earlier.

Re: VPN Certificate renewal

Vincent_Bacher — Thu, 09 Jul 2020 13:49:20 GMT

Interesting. I think it's not relevant if it's SmartProvisioning or SmartCenter as it's the same internal ca.

Opened a high prio sr 6 hours ago and had to press escalate to get the first update "is this internal or external ca" 😁

Re: VPN Certificate renewal

Vincent_Bacher — Mon, 13 Jul 2020 05:33:07 GMT

Now i received mail from tac:

I wanted to update you that this option is not available and the certificates on the GW will need to be renewed manually.

As we are talking about round about 250 certificates, I am not really amused.

Re: VPN Certificate renewal

JozkoMrkvicka — Mon, 13 Jul 2020 05:50:29 GMT

well, someone from your team will be very happy to do this monkey job...

But at least, he/she will get a lot of overtimes 😄

Re: VPN Certificate renewal

Vincent_Bacher — Mon, 13 Jul 2020 06:59:51 GMT

In our case customer will have to do it. Would be bit expensive paying for that nonsense

Re: VPN Certificate renewal

Duane_Toler — Mon, 13 Jul 2020 13:21:38 GMT

That's particularly disturbing, as it worked in R77 and earlier. Plus it also defeats the purpose of a centralized certificate and key management server.

I suspect someone at TAC is either A) wrong, or B) not realizing they have a bug. Might could contact your SE and escalate (annoying, I know). I say it's a bug.

Re: VPN Certificate renewal

JozkoMrkvicka — Mon, 13 Jul 2020 15:39:41 GMT

There are dozens of features which were available in R77, but are missing in R80. In most of cases, you are asked to create RFE...

Re: VPN Certificate renewal

Vincent_Bacher — Mon, 13 Jul 2020 19:24:26 GMT

To be honest, I agree. But.
Before getting absolute certainty, my customer has already revoked all certs manually and nobody cares what will be in five years.

Re: VPN Certificate renewal

Duane_Toler — Thu, 08 Jul 2021 19:47:17 GMT

Now another case of customer's gateway VPN certificates expiring. My customer is already asking about switching to Meraki. They already did it for some smaller sites. If Check Point isn't going to fix auto-renewal of VPN certificates, you'll be losing more customers. What's the point of the FW1_ica_pull and FW1_ica_push services if certificates aren't being auto-renewed? I never had to do this manually in R77 and lower.

The next time my customer(s) mention "Meraki" or "Firepower", I'm not going to stop them. Esp. as I'm CCNP R/S, CCDP, and CCNP Security, too.

Re: VPN Certificate renewal

Don_Sudom — Fri, 22 Oct 2021 20:17:20 GMT

You could use this as a cron job from the management server:
1 1 * * * . /opt/CPshared/5.0/tmp/.CPprofile.sh; cpca_client lscert -stat Valid | tail -n +4 | awk 'BEGIN {RS="\n\n"; FS="\n";} {print $1,$2,$3;}' | logger -t lscert

And then here is a nice splunk alert:

index=gaia process=lscert
| rex field=_raw "lscert:\s+Subject\s+=\s+(?<dn>.*)\s+Status\s+=.*Not_After:\s+(?<expiry>.*)"
| eval expiry=strptime(expiry, "%a %B %d %H:%M:%S %Y")
| dedup dn,Kind
| where expiry < relative_time(_time, "+90d")
| eval days_left=floor((expiry-now())/86400)
| eval expiry=strftime(expiry,"%Y-%m-%dT%H:%M:%S%z")
| table _time,dn,Kind,expiry,days_left

Re: VPN Certificate renewal

CheckPointerXL — Thu, 03 Aug 2023 09:46:19 GMT

Hi all

any update on auto-renewal VPN Certificates feature?

any API Script?

thanks

Re: VPN Certificate renewal

Hugo_vd_Kooij — Thu, 03 Aug 2023 11:22:38 GMT

From what I recall the autorenewal should work on most recent versions that are on the latest GA JHF. In the JHF release notes you will find some references into which things were fixed in which release.

If you still have issues after the fact not listed in Secure Knowledge I strongly recommend a TAC case.

Re: VPN Certificate renewal

CheckPointerXL — Thu, 03 Aug 2023 12:26:15 GMT

autorenewal in latest JHF is related to ICA Root CA not certificates for vpn, multiportal etc. from what i know