https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/4883#M76 <HTML><HEAD></HEAD><BODY><P>I don't see why you couldn't apply the SK you referenced to solve the issue, even if you're using SmartProvisioning.&nbsp;</P></BODY></HTML> Wed, 02 Aug 2017 03:24:20 GMT PhoneBoy 2017-08-02T03:24:20Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/4882#M75 <HTML><HEAD></HEAD><BODY><P>I have many 1100/1400 smart provisioned, centrally managed appliances which do CRL check with management server (fw1_ica_services port)&nbsp;&nbsp;and if check fails tunnel is dropped with default of 24h. Is there a way to disable this check i.e. sk21156 ? I don't need CRL check&nbsp;because if I don't want appliance to have tunnel up I will terminate the provisioned object on mgmt server. Please advice</P></BODY></HTML> Tue, 01 Aug 2017 13:10:30 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/4882#M75 Irek_Romaniuk 2017-08-01T13:10:30Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/4883#M76 <HTML><HEAD></HEAD><BODY><P>I don't see why you couldn't apply the SK you referenced to solve the issue, even if you're using SmartProvisioning.&nbsp;</P></BODY></HTML> Wed, 02 Aug 2017 03:24:20 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/4883#M76 PhoneBoy 2017-08-02T03:24:20Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/4884#M77 <HTML><HEAD></HEAD><BODY><P>Correct. It's not really an issue, CRL check is default (by design) but I think it creates&nbsp;Denial of Service risk because the port has to be opened on public IP.</P></BODY></HTML> Thu, 03 Aug 2017 11:56:07 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/4884#M77 Irek_Romaniuk 2017-08-03T11:56:07Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/142341#M6459 <P>Thanks, killing the CRL check solved my problem. My management server is nat'd behind a firewall on a large private secondary network.&nbsp; &nbsp;Support was sending me down the path of disabling all of my implied rules. That was not going to happen.&nbsp;</P> Wed, 23 Feb 2022 19:31:03 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/142341#M6459 Mike922 2022-02-23T19:31:03Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/193399#M9535 <P>Is anyone aware of an emergency procedure to disable this check on the gateways only?&nbsp; Say the primary and secondary management is down (assuming there is even a secondary).&nbsp; It would be great to have a way to disable the check on the gateway itself without deploying policy.&nbsp; This would allow the use of CRL check but just in case of that 1 big disaster that takes out&nbsp; management and it isn't recovered in 24 hours, you can keep your other gateways communicating through their managed VPN (certificates only work for that).</P> Sat, 23 Sep 2023 02:29:36 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/193399#M9535 stat4299 2023-09-23T02:29:36Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/193456#M9541 <P>You can disable CRL verification for VPNs on the management side, but I do not think there is a way to do that on the GW side, let alone on SBM appliances.&nbsp;</P> Mon, 25 Sep 2023 06:49:55 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/193456#M9541 _Val_ 2023-09-25T06:49:55Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/194701#M9589 <P>I think the following will work on the gateway, see <A href="https://community.checkpoint.com/t5/General-Topics/Failure-to-fetch-updates-from-CheckPoint-servers/m-p/87250#M17515" target="_self">here</A></P> <P><STRONG><CODE>cpprod_util CPPROD_SetValue "CPshared//6.0//reserved//libCurl" crl_disable 1 1 1</CODE></STRONG></P> Tue, 10 Oct 2023 17:34:27 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/194701#M9589 Timothy_Hall 2023-10-10T17:34:27Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/264641#M13488 <P>Hello Timothy<BR /><BR />I used the command you shared in order to d<SPAN class="">isabling CRL checking with success.<BR />The&nbsp; CRL checking was preventing to work a VPN tunnel between to Check Point CAs (SMSs). The link to the issue bellow:</SPAN></P><P><SPAN class=""><A href="https://community.checkpoint.com/t5/Security-Gateways/R82-Site-to-site-VPN-authentication-issue-when-using/m-p/262264/thread-id/51492#M52035" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/R82-Site-to-site-VPN-authentication-issue-when-using/m-p/262264/thread-id/51492#M52035</A><BR /></SPAN></P><P><SPAN class="">Thanks for your help</SPAN></P><P><SPAN class="">Miguel</SPAN></P><P>&nbsp;</P> Sat, 06 Dec 2025 13:17:07 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Disabling-CRL-checking-for-centrally-managed-VPNs/m-p/264641#M13488 patones1 2025-12-06T13:17:07Z