topic Re: Notify when certificate expired in Firewall and Security Management

Notify when certificate expired

raquinog — Wed, 22 Jul 2020 18:46:22 GMT

Yesterday I had an incident with my IPSEC tunnels with branches (they are established by certificate) because the virtual firewall certificate expired.

Attached the image of the Gw, had to renew the certificate to restore the service

The question is: The Firewall can send a notification warning that a certificate is about to expire?, ¿What configuration is required for the Firewall could send the notification?

thanks for your help

Re: Notify when certificate expired

MarioB_1 — Thu, 23 Jul 2020 08:39:32 GMT

Acording to SK102092, gateway does not alert about certificates expiration without installing a Security policy

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk102092

Re: Notify when certificate expired

G_W_Albrecht — Thu, 23 Jul 2020 09:11:41 GMT

...and sk31539 tells us that

The Security Management server generates a report, per Security Gateway, warning about those certificates that will expire within 60 days time from the current date. This functionality is always enabled and the 60 days is a fixed warning period.

...

Certificate expiration warning messages are not recorded in any log by the Security Management server.
Warnings are generated and presented anew with each Policy installation.

You could check on CLI using sk104400:

# cpca_client lscert -stat Valid -kind IKE
Operation succeeded. rc=0.
1 certs found.

Subject = CN=cpmodule VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91912 DP = 1
Not_Before: Wed Jan 14 14:19:02 2015 Not_After: Tue Jan 14 14:19:02 2020

Re: Notify when certificate expired

G_W_Albrecht — Thu, 23 Jul 2020 09:26:40 GMT

There is an interesting topic on CheckMates with a lot of valuable information about this: Third Parties Certificate details

Re: Notify when certificate expired

Peter_Baumann — Mon, 01 Mar 2021 15:23:06 GMT

Hi @raquinog ,

A customer of us had the same problem, no indication when instaling the policy about the expired certificate.
The feature should be always activated but it seems that it is not working.

Nobody knows why, so we will open a case for it.

Thanks,
Peter

Re: Notify when certificate expired

Anthony_Vita — Sun, 25 Jul 2021 23:58:31 GMT

Just had the same issue. We're you able to figure out why the feature doesn't work?

Re: Notify when certificate expired

Peter_Baumann — Mon, 26 Jul 2021 07:15:14 GMT

Hi @Anthony_Vita ,

We opened a case and there was a lot of troubleshooting involved. Unfortunately it leads not to a solution and was closed by check point/customer.

Re: Notify when certificate expired

matangi — Thu, 19 Aug 2021 06:38:03 GMT

Hi @raquinog , @Peter_Baumann , @Anthony_Vita

Nowadays the firewall is sending notification that a certificate is about to expire in two places
1. 'info' status as part of policy installation:

2. In VPN log:

As @G_W_Albrecht mentioned, You can also monitor VPN certificates of all Virtual systems / Security gateways from Security Management via single CLI command:

cpca_client search "VPN certificate"

We are about to Improve the alert during Policy installation – to Changing from ‘info’ to ‘warning‘

The improvement will be released in R81.20 and also be ported to all R8X.XX JHFs

We are looking for other ways to alert about VPN certificate expiry, such as red “X” for the Gateway object when the VPN certificate is expired / Yellow Warning sign when the certificate is about to expire soon (e.g 60 days or less)

Thanks,
Matan

Re: Notify when certificate expired

Igor_Demchenko — Fri, 09 Sep 2022 11:02:38 GMT

I made this simple script for crontab. It may be usefull for you

#!/bin/sh
source /etc/profile.d/CP.sh

CERTIFICATE=`cpca_client lscert -stat Valid -dn <SubString>`

#get string with expiration date from certificate info
CERT_INFO=`cpca_client lscert -stat Valid -dn <SubString> | grep Not_After`

#make list with expiration date, month and year
EXPIRED=$(python -c "lst='$CERT_INFO'.split('Not_After:'); print(lst[1].split())")

#get expiration day
EXPIRED_DATE=$( python -c "print($EXPIRED[2])" )
#get expiration month
EXPIRED_MONTH=$( python -c "print($EXPIRED[1])" )
#get expiration year
EXPIRED_YEAR=$( python -c "print($EXPIRED[-1])" )

DIFF=$(python -c "from datetime import (date, datetime); print date(2023, datetime.strptime('$EXPIRED_MONTH','%b').month, 11).toordinal() - date.today().toordinal()")

if [ $DIFF -lt 30 ];
then
echo -e "Subject: CheckPoint VPN certificate expiration\r\n\r\nVPN certificate will be expired in $DIFF days.\r\n\n\n $CERTIFICATE.\r\n " | sendmail --domain=<domain name> -f <from_email> -v <to_email> --host=<smtp_server>
fi

Re: Notify when certificate expired

Heath — Tue, 13 Feb 2024 00:01:34 GMT

Sorry to resurrect such an old post but we are running R81.10 mgmt/gateway, which I see in the screenshots, and I'm not seeing any of these expiring cert messages in my logs on the key installs. We should have some recently because we had a VPN cert expire this weekend which went un-noticed. I'd like to incorporate these logs into an alerting mechanism in our SIEM.

Do you know when this became available or did this get pushed to R81.20?

Re: Notify when certificate expired

matangi — Tue, 13 Feb 2024 07:43:02 GMT

Hi @Heath
Sorry for the inconvenient.
By checking the code, it seems that the log exist at least since R80.30.
In case you can't find it, you may open a ticket to Check Point support.