https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-IPSec-VPN-Certs-Internal-CA/m-p/211976#M10544 <P>Yes - the ICA is used from the object on the SMS - I misspoke. My intention was to indicate there was no type of external/ 3rd party cert being utilized.</P><P>SK176527_31539 - this is the procedure used - it just takes a long time if you have you hundreds!</P><P>But I think we will be ok increasing the cert time in the SMS.</P><P>Thanks!</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Apr 2024 16:52:16 GMT T_L 2024-04-22T16:52:16Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-IPSec-VPN-Certs-Internal-CA/m-p/211770#M10533 <P>Good Afternoon --</P><P>Does anyone have any scripts or scripting mojo that would allow the IPSec VPN certs to be renewed on a bunch of 1400/1500 centrally managed SMB gateways all at once?</P><P>We have a large number of SMBS (R77.20 - R81.x)&nbsp; centrally managed by a physical 3150 SMS_r81.10.&nbsp; All the gateways are configured in permanent tunnels utilizing the local CP internal CA on each. We have had to renew the certs manually/ individually on all of them.</P><P>The majority of the GWs are 1400 series on the R77.20 code so scripting from the SMS is a no go -- but something we could run from the local CLI - that we could could pipe to all our SSH sessions at once would work.</P><P>Thanks!</P><P>&nbsp;</P> Thu, 18 Apr 2024 17:47:52 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-IPSec-VPN-Certs-Internal-CA/m-p/211770#M10533 T_L 2024-04-18T17:47:52Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-IPSec-VPN-Certs-Internal-CA/m-p/211966#M10542 <P>How are you using the ICA of the SMB device if the devices are centrally managed?<BR />The ICA, in this case, would be on your Smart-1.</P> <P>The good news is that we're about to release a script that will assist with this task.<BR />It does require being on a specific R81.10/R81.20 JHF level at time of writing.</P> Mon, 22 Apr 2024 14:13:27 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-IPSec-VPN-Certs-Internal-CA/m-p/211966#M10542 PhoneBoy 2024-04-22T14:13:27Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-IPSec-VPN-Certs-Internal-CA/m-p/211973#M10543 <P>I am not aware of a script. But the renewal takes places on the mgmt. There you renew the cert and push it out via policy push.</P> <P>That is why I don't think you can run a script on the box itself.</P> <P>Now the steps are not to bad, if I assume you renew it on the fw object in Smart Console and press the renew button, correct?</P> <P>You can also think about to extend to cert time from 1 year to 3 year:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk176527" target="_blank">https://support.checkpoint.com/results/sk/sk176527</A></P> <P>This will save a bit of work until there is something new as PhoneBoy posted.</P> Mon, 22 Apr 2024 15:46:53 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-IPSec-VPN-Certs-Internal-CA/m-p/211973#M10543 Lesley 2024-04-22T15:46:53Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-IPSec-VPN-Certs-Internal-CA/m-p/211976#M10544 <P>Yes - the ICA is used from the object on the SMS - I misspoke. My intention was to indicate there was no type of external/ 3rd party cert being utilized.</P><P>SK176527_31539 - this is the procedure used - it just takes a long time if you have you hundreds!</P><P>But I think we will be ok increasing the cert time in the SMS.</P><P>Thanks!</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 22 Apr 2024 16:52:16 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/SMB-IPSec-VPN-Certs-Internal-CA/m-p/211976#M10544 T_L 2024-04-22T16:52:16Z