This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LazarusG
Advisor
Advisor
a week ago
Jump to solution

VMSS has vpn cert expiry warning but manual says s2s vpn is not supported.

A customer has an issue where the Azure scale set is showing a VPN cert expiry and points to SK178304.

The customer doubts the accuracy of this SK as it doesnt include scalesets in the scope.

However the manual says site to site vpn is not supported for scalesets;

Limitations of CloudGuard Network for Azure VMSS

  • Site to Site VPN is not supported.

  • Remote Access VPN is not supported

The customer has also asked how to disable the vpn blade: would this have to be redeployed?

I know with cloudguard vpn is enabled by default and you can disable it if not needed, so I assume this is related.

But it seems a pointless blade is enabled in deployment - any thoughts?

 

 

 

0 Kudos
2 Solutions

Accepted Solutions
Nir_Shamir
Employee Employee
Employee
a week ago
Jump to solution

That warning  will come up in any GW , no matter if it’s using VPN or not. 
The thing is that that certificate is used for other features like identity awareness and others. 
Your customer can just renew it on the working GW’s or redeploy ( better just to renew) and that alarm will go away. 

View solution in original post

(1)
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Wednesday
In response to LazarusG
Jump to solution

Did you also try sk182616?

CCSM R77/R80/ELITE

View solution in original post

(1)
11 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
a week ago
Jump to solution

sk182616 may also be helpful for you, if unsure please consult TAC for further assistance.

CCSM R77/R80/ELITE
0 Kudos
Nir_Shamir
Employee Employee
Employee
a week ago
Jump to solution

That warning  will come up in any GW , no matter if it’s using VPN or not. 
The thing is that that certificate is used for other features like identity awareness and others. 
Your customer can just renew it on the working GW’s or redeploy ( better just to renew) and that alarm will go away. 

(1)
LazarusG
Advisor
Advisor
a week ago
In response to Nir_Shamir
Jump to solution

Thanks Nir! I have checked their estate and on this mgmt server there is no gateway with the vpn blade enabled - so its even more mysterious. As such there is no option in the gateway object to renew the cert as the vpn section isnt present (I assume thats what you mean). I guess Ill need to engage TAC. 

0 Kudos
the_rock
MVP Gold
MVP Gold
a week ago
In response to LazarusG
Jump to solution

That should not matter...I had customer once re-enable vpn blade, do the steps, disable, push policy...done.

Andy

AB
LazarusG
Advisor
Advisor
a week ago
In response to Nir_Shamir
Jump to solution

thanks - they have no vpn blade in the estate at all. So the VPN screen that shows the cert isnt present. A colleague said there was an old SK that is no longer available explaining to follow the processes decribed here. So I went into each VMSS instance, enabled the vpn blade - this made the vpn section available in left column. The cert was indeed going to expire in november, we renewed it (default 2026) - deselected the vpn blade and pressed ok. The customer cant push policy till out of hours so at the moment they are still showing the yellow alert. Also its bothersome he will have to do this every year despite not using site to site vpns... Ill let you know the outcome of policy push and thanks to all for advice!

LazarusG
Advisor
Advisor
Wednesday
In response to LazarusG
Jump to solution

Hi, Unfortunately the customer says the warning is still present in device settings after pushing policy. As its a VMSS from tempate (which doesnt support vpn) and no other gateways have vpn blade enabled I cant uderstand how this has happened. I will log to TAC. Thanks for advice.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
Wednesday
In response to LazarusG
Jump to solution

Did you also try sk182616?

CCSM R77/R80/ELITE
(1)
LazarusG
Advisor
Advisor
Wednesday
In response to Chris_Atkinson
Jump to solution

Ah yes my bad!

We have followed the process but we must wait till tomorrow as the policy can only be pushed out of hours.

0 Kudos
LazarusG
Advisor
Advisor
Thursday
In response to Chris_Atkinson
Jump to solution

yes that nailed it thanks

Lesley
MVP Gold
MVP Gold
a week ago
Jump to solution

Are you able to enable the VPN blade at all? If so enable it, do not press OK but stay in the firewall object window. Renew the certificate and disable the blade. Then press OK and policy push. 

-------
Please press "Accept as Solution" if my post solved it 🙂
the_rock
MVP Gold
MVP Gold
a week ago
Jump to solution

@Nir_Shamir is absolutely correct, thats EXACTLY how it works.

Andy

AB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events