topic Re: VPN IPSec certificate - different expiration date between cluster object and physical node in General Topics

VPN IPSec certificate - different expiration date between cluster object and physical node

Mec — Tue, 01 Oct 2024 13:58:28 GMT

Hi,

we have a cluster of firewalls, composed of 2 nodes.

We are using Infinity Playblocks to monitor the expiration date of vpn IPSec certificate.

Infinity Playblocks informed us that the VPN certificate of the physical node-01 was expiring.

The certificate regarding the HA (the cluster object) was not about to expire. I am referring to the certificate we can see from smartconsole in the cluster object>IPSec>view certificate .

My questions are:

Is it normal that the VPN certificate of the phisical node has a different expiration date respect the HA VPN certificate?

If it is normal, which certificate is important? If we let the VPN certificate of the physical node expire, but the VPN certificate of cluster is still valid, the vpn will work?

Thank you.

Re: VPN IPSec certificate - different expiration date between cluster object and physical node

PhoneBoy — Tue, 01 Oct 2024 15:41:08 GMT

Yes, the certificates might be different as the cluster node wasn't part of the cluster at one time (namely when you created the object).

The cluster certificate is the most relevant here and will be used as long as the gateway is still part of the cluster.

Re: VPN IPSec certificate - different expiration date between cluster object and physical node

Mec — Tue, 01 Oct 2024 15:54:05 GMT

Hi,

thank you for the reply.

The cluster exist from at least 5 years. We already renew the certificate in the past, so i do not think that is the cause of the different dates.

If we know that the HA certificate is the relevant one, we will disable the alert regarding the expiration of the physical node certificate and we will let them expire .

Re: VPN IPSec certificate - different expiration date between cluster object and physical node

the_rock — Tue, 01 Oct 2024 16:03:58 GMT

Are you experiencing any issues or just wondering if its normal?

Andy

Re: VPN IPSec certificate - different expiration date between cluster object and physical node

Mec — Wed, 02 Oct 2024 06:54:29 GMT

We do not have any issues.

I was just wondering if it is normal having different expyring dates and if both certificate (physical node and cluster object) are important or if only the cluster certificate matter.

if the physical node certificate does not matter we don't want to receive alert from playblock regarding this certificate.

Since the physical node was expiring i renew the cluster certificate.

Let me add a question.

Renew the certificate of the cluster object from smartconsole, it also renew automatically the certificates of the physicals node?

Thank you all for the reply.

Re: VPN IPSec certificate - different expiration date between cluster object and physical node

PhoneBoy — Wed, 02 Oct 2024 13:58:04 GMT

Fairly certain the answer is no here.
As stated previously, the member's own certificate is not relevant when the gateway is in a cluster.