topic How does SMB gateway CRL fetching work? in Spark Firewall (SMB)

How does SMB gateway CRL fetching work?

FXB — Thu, 16 Nov 2023 14:19:59 GMT

Dear Checkmates,

we are currently planning the upgrade of our management server to R81.20.

While we understand that if the management server is down for too long, IP-Sec VPN gateways will start to go offline due to beeing unable to fetch the CRL from the management CA, we are not 100% sure on the exact details of this and how we can influence it.

According to sk100731 the gateways need to fetch the CRL every 24h, otherwise VPN will start to terminate.

We are not sure where the automatic fetching interval is configured. In the global properties of SmartConsole there is a "prefetch_crls_duration" setting that defaults to 2 hours while on the internal_ca object in the SmartConsole there is an advanced setting that states that the CRL will be cached on gateways and fetched every 120 hours.

Looking at the SMB gateways, there is a .crl file created at the "/pfrm2.0/config2/fw1/database/" path with the name ICA_<management name>_ <CA identifier>.crl. At first we thought according to the modify date of that file we could monitor when the last fetching of the CRL was done, however there are some modify times with >24h, which should not be possible since the VPN should go offline than.

Can anyone shed some light about where to configure the CRL fetching interval and how we can check at the SMB gateway when the last sucessfull CRL check was done?

Thanks for your help.

Re: How does SMB gateway CRL fetching work?

G_W_Albrecht — Thu, 16 Nov 2023 15:50:00 GMT

Here is a way to disable CRL fetch for the needed time: https://support.checkpoint.com/results/sk/sk21156

Configuration: https://community.checkpoint.com/t5/General-Topics/CRL-Fetching-recommendation/m-p/8011#M987

Re: How does SMB gateway CRL fetching work?

FXB — Fri, 17 Nov 2023 06:42:16 GMT

Thanks for your response, that seems like a good workaround for the upgrade process.

Still it would be nice if we get more information about the CRL fetching process.

Re: How does SMB gateway CRL fetching work?

G_W_Albrecht — Fri, 17 Nov 2023 11:26:14 GMT

You can open an informational SR# with CP TAC to get it explained.

Re: How does SMB gateway CRL fetching work?

CheckPointerXL — Fri, 17 Nov 2023 19:19:00 GMT

not sure if applicable to SMB : https://support.checkpoint.com/results/sk/sk108632

Re: How does SMB gateway CRL fetching work?

FXB — Mon, 20 Nov 2023 08:39:27 GMT

Thanks for mentioning this SK, the output is working on SMB gateways and we can see when the last CRL fetch and the next CRL fetch is happening.
However so far I didnt not find a way to modify those values e.g. forcing the GW to fetch the CRL now. Gonna look more into this.

Since the upgrade is scheduled for tomorrow, we gonna fall back to the SK @G_W_Albrecht mentioned and disable the CRL checking for the next 2 days.

Re: How does SMB gateway CRL fetching work?

PhoneBoy — Wed, 04 Sep 2024 21:00:53 GMT

Actually, you can force the local CRL cache to clear: https://support.checkpoint.com/results/sk/sk26628