Hi all,
This week I reinstalled our Management Node with a fresh installation of R80.20.M2.
During the installation / configuration the management node was down for some hours.
During this time we lost connection to different IPSec tunnels between our Checkpoint appliances (SMB 1400 / 1100).
After the management node was up again, they all came back after some time.
I think this problem is caused because CRL fetching is set to fetch a new CRL after 24h.
My question would now be whether it could cause a problem if I set CRL fetching to a higher value (for example: 5 days). In case of a big management issue (hardware fault, big configuration issues, ...) I think we could run into a big issue there if all of our tunnels go down within 24h.
So does anybody know if this could have any side effects when I set CRL fetching to 120h?
Thanks.
Florian
The most obvious thing is your gateways will accept certificates that are revoked for longer than they would normally.
Hi Phoneboy, hi @the_rock,
if you all could help me out with this please.
How can we check when the CRL cache will expire on the gateway? Because we have some maintenance to do on the SMS and we are afraid that the gateway cache will expire right when the SMS is down.
By default the cache expiry is set to 24 hours, but when does that 24h begin and end?
The command:
vpn crlview -obj <MyObj> -cert <MyCert>
does not show the cache expiry on the gateway but rather fetches the CRL from the CA.
The output of the above command gives the impression that the cache expiry is 7 days when we actually set it to 24, so I doubt that those dates are for the cache expiry.
output :
[Expert@G2:0]# vpn crlview -obj GW-194 -cert defaultCert
1 X509 CRLs
Issuer: O=Reporter-196..7ddn8g
This update: Sun Jun 21 14:05:10 2015 Local Time
Next update: Sun Jun 28 14:05:10 2015 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://Reporter-196:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=Reporter-196..7ddn8g
thank you.
I don't believe you would have that issue, but since Gaia is based on Linux, this link may help.
Andy
https://stackoverflow.com/questions/20918695/how-to-check-expiration-date-of-crl-file
Hi Andy,
thank you for your response.
The command in the link says to locate the certificate file, which is actually located on the management server and not the gateway. Nonetheless I ran that command on the gateway:
openssl crl -in ICA_CRL1.crl -text
but it returned "command not found".
I believe the 24 hours is from the last VPN rekey.
In any case, if you're looking for a precise answer here, I suggest TAC.
What version? Works fine in my lab.
Andy
[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Mon Sep 2 05:41:23 2024 Local Time
Next update: Mon Sep 9 05:41:23 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #80817
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #17845
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #53551
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #56088
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #98453
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #96337
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #68546
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #79661
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #83554
Revoked at Sat Aug 31 11:41:23 2024 Local Time
[Expert@CP-GW:0]#
Hi Simo
I just came across this post. It seems this doesn't show the CRL cache; it shows the CRL lifetime, which is 7 days. The CRL cache is normally set to 24 hours. Do you know how to check the CRL cache on the gateway?
Thanks
I will check later myself in the lab too.
Andy
Thank you.
I will enable ICA mgmt tool on my mgmt server, as I had to build new lab recently, but below does give some info, its not perfect, but appears to be accurate.
Andy
Thanks, I tried that. It downloads the CRL file, which shows the 7-day timeout as well, the same as the command:
vpn crlview -obj CP-GW -cert defaultCert
I could not find how to check the current validity of the CRL cache on the gateway, but we can reset the cache on the gateway, meaning that we can reset that 24h and would then know when it begins and when it ends.
The command below clears the cache on the gateway, and the other one fetches it:
# vpn crl_zap
To fetch the CRL from the SMS and start the 24h:
# vpn crlview -obj CP-GW -cert defaultCert
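The thread's practical question is whether a gateway's cached CRL will outlive a planned SMS outage. As an added example (not code from the thread, from Check Point, or from any poster), the script below parses the `vpn crlview -obj <gw> -cert <cert>` output format shown above and compares the cache window against a maintenance window. It assumes the cache countdown starts at the last successful fetch (for instance right after `vpn crl_zap` followed by `vpn crlview`, as described in the post above), that a cached CRL cannot be used past its own "Next update" (standard X.509 behaviour, not something the thread confirms for Check Point), and that all timestamps are the gateway's local time. The sample output is constructed from the format posted in the thread; `fetched`, the maintenance times and the `check_outage`/`parse_crlview` names are the example's own.

```python
"""Plan an SMS outage around a Check Point gateway's CRL cache.

Added example (not from the thread): parses `vpn crlview -obj <gw> -cert <cert>`
output, then checks whether the gateway's cached CRL outlives a planned
Security Management Server outage. Assumptions are marked in comments.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the crlview output posted in the thread.
SAMPLE_CRLVIEW = """\
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Mon Sep 2 05:41:23 2024 Local Time
Next update: Mon Sep 9 05:41:23 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #80817
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #17845
Revoked at Sat Aug 31 11:41:23 2024 Local Time
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # "Mon Sep 2 05:41:23 2024" once whitespace is collapsed


def _stamp(text):
    """Parse a crlview timestamp (day numbers may be padded with extra spaces)."""
    return datetime.strptime(" ".join(text.split()), TIME_FMT)


def parse_crlview(text):
    """Return issuer, distribution point, validity window and revoked serials."""
    crl = {"issuer": None, "uri": None, "this_update": None, "next_update": None, "revoked": {}}
    serial = None
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if m := re.match(r"Issuer: (.+)$", line):
            crl["issuer"] = m.group(1)
        elif m := re.match(r"URI: (\S+)$", line):
            crl["uri"] = m.group(1)
        elif m := re.match(r"This update: (.+) Local Time$", line):
            crl["this_update"] = _stamp(m.group(1))
        elif m := re.match(r"Next update: (.+) Local Time$", line):
            crl["next_update"] = _stamp(m.group(1))
        elif m := re.match(r"Certificate #(\d+)$", line):
            serial = int(m.group(1))  # the "Revoked at" line that follows belongs to it
        elif (m := re.match(r"Revoked at (.+) Local Time$", line)) and serial is not None:
            crl["revoked"][serial] = _stamp(m.group(1))
            serial = None
    if crl["this_update"] is None or crl["next_update"] is None:
        raise ValueError("crlview output has no This/Next update lines")
    return crl


def check_outage(crl, fetched_at, outage_start, outage_end, cache_hours=24):
    """Decide whether the gateway can ride out an SMS outage without a CRL fetch.

    Assumptions: the cache countdown starts at `fetched_at` (the last successful
    fetch, e.g. after `vpn crl_zap` followed by `vpn crlview`), and a cached CRL
    is not usable past its own Next update (standard X.509; the thread does not
    confirm this for Check Point). All times are the gateway's local time.
    """
    if fetched_at > outage_start:
        raise ValueError("the CRL must be fetched before the SMS goes down")
    cache_expiry = fetched_at + timedelta(hours=cache_hours)
    usable_until = min(cache_expiry, crl["next_update"])  # the CRL's own lifetime caps the cache
    return {
        "cache_expiry": cache_expiry,
        "usable_until": usable_until,
        "safe": usable_until >= outage_end,
        "slack": usable_until - outage_end,  # negative: tunnels drop before the SMS is back
    }


if __name__ == "__main__":
    crl = parse_crlview(SAMPLE_CRLVIEW)
    fetched = datetime(2024, 9, 3, 8, 0)  # assumed: crl_zap + crlview run at this time
    start, end = datetime(2024, 9, 3, 20, 0), datetime(2024, 9, 4, 14, 0)  # assumed window
    print(f"CRL valid {crl['this_update']} .. {crl['next_update']}, "
          f"{len(crl['revoked'])} revoked serials")
    for hours in (24, 120):  # the default and the 120h value asked about in the thread
        r = check_outage(crl, fetched, start, end, cache_hours=hours)
        print(f"cache {hours:>3}h: usable until {r['usable_until']}, "
              f"safe={r['safe']}, margin={r['slack']}")
```

Run it on the real output (`vpn crlview ... > crl.txt`) and feed the file to `parse_crlview`; with the 24h default an 18-hour outage that starts 12 hours after the last fetch fails the check, while 120h passes, but even a 120h cache is cut off at the CRL's "Next update" because a gateway cannot keep using a CRL whose validity has ended.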
Correct, you are 100% right. I will continue to check in the lab.
Best,
Andy
OK, thank you for that information. So nothing else should happen when this option is changed, but when the management server is down I will have more time to solve the problem before all tunnels go down. Is this right?
As I undertstand it, you are correct.
The following article describes the flow and the reason for VPN outages if the CRL cannot be fetched from management:
VPNs go down within 24 hours after primary Security Management server goes down.
Do you have only one management without HA ?
I suspect that VPN outage was between gateways managed from the same management server / domain. These gateways use certificates (somehow related to CRL), instead of Shared Secret.
Thanks. I have seen this article. We only have one SMS. The issue is the VPNs went down after only a few hours of it being down.
After some troubleshooting I have noticed that they started going down roughly at the time shown in the output of the command listed above:
(vpn crlview -obj CP-GW -cert defaultCert)
Specifically the time shown as "Revoked at" :
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Output copied from post above:
[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Mon Sep 2 05:41:23 2024 Local Time
Next update: Mon Sep 9 05:41:23 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #80817
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #17845
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Hey mate,
I will do little more digging, but after I enabled ICA mgmt tool, I tested below.
Andy
[Expert@CP-GW:0]# vpn crlview -obj CP-GW
Error: certificate object name is missing
Usage: vpn crlview -obj <network object> -cert <certobj>
or: vpn crlview -f <certfile>
or: vpn crlview -view <crlfile>
[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Wed Sep 4 14:47:58 2024 Local Time
Next update: Wed Sep 11 14:47:58 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #56088
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #53551
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #96337
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #79661
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #80817
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #68546
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #83554
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #17845
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #98453
Revoked at Wed Sep 4 14:47:58 2024 Local Time
[Expert@CP-GW:0]#
Thanks, that looks handy; how did you do that? Unfortunately, the screenshot only shows the lifetime of the cert (in years).
Thanks
There is an sk to enable the ICA tool on mgmt; it takes literally 5 mins, super easy. Once you log in on port 18265, you see that menu, but I'm trying to figure out if there is a setting to see the CRL validity.
Andy
I downloaded 2 .crl files from the ICA mgmt tool, so I'm trying to see if I can "extract" anything from there. @velo, since I can't attach them here, if you want, we can connect offline and I can share them, and see if we can figure something out. It's a lab anyway, so nothing secretive haha
Andy
Thanks, sent a DM 🙂
Just responded.