CRL Fetching recommendation

Us4r · ‎2019-02-28

Hi @ all,

this week I reinstalled our Management Node with a fresh installation of R80.20.M2.

During the installation / configuration the mangement Node was down for some hours.

During this time we lost connection to different IPSec tunnels between our Checkpoint Appliances (SMB 1400 / 1100).

After the management node was up again, they came all back after some time.

I think this Problem is caused, because CRL - Fetching ist set to fetch new CRL after 24h.

My question would be now, if it could cause a Problem when I set CRL - Fetching to a higher value (for example: 5 days). In case of a big management issue (hardware fault, big configuration issues,...) I think we could run there into a big issue if all of our tunnels will go down within 24h.

So does anybody know if this cold have any side effects when I set CRL Fetching to 120h?

Thanks.

Florian

PhoneBoy · ‎2019-02-28

The most obvious thing is your gateways will accept certificates that are revoked for longer than they would normally.

Simo-94 · ‎2024-09-03

hi Phoneboy, Hi @the_rock

if you yall could help me out with this please.

how can we check when the CRL cache will expire on the gateway please ? because we have some maintenance to do on the SMS and we are afraid that the gateway cache will expire just right when the SMS is down.

by default the cache expiry is set to 24 hours but when will that 24h begin and end ?

the command :

vpn crlview -obj <MyObj> -cert <MyCert>

does not show the cache expiry on the gateway but rather fetches the CRL from the CA.

the output of the above command gives the impression that the cache expiry is 7 days when we actually set to 24 so I doubt that those dates are for the cache expiry.

output :

[Expert@G2:0]# vpn crlview -obj GW-194 -cert defaultCert
1 X509 CRLs
        Issuer: O=Reporter-196..7ddn8g
        This update: Sun Jun 21 14:05:10 2015 Local Time
        Next update: Sun Jun 28 14:05:10 2015 Local Time
        Extensions:
                Issuing distribution points (Critical):
                        URI: http://Reporter-196:18264/ICA_CRL1.crl
                        DN: CN=ICA_CRL1,O=Reporter-196..7ddn8g

thank you.

the_rock · ‎2024-09-03

I dont believe you would have that issue, but since Gaia is based on Linux, this link may help.

Andy

https://stackoverflow.com/questions/20918695/how-to-check-expiration-date-of-crl-file

Simo-94 · ‎2024-09-03

hi Andy,

thank you for your response.

the command in the link specify to locate the certificate file which is actually located on the management server and not the gateway. nonetheless I ran taht command on the gateway

openssl crl -in ICA_CRL1.crl -text

but has returned "command not found"

PhoneBoy · ‎2024-09-03

I believe the 24 hours is from the last VPN rekey.
In any case, if you're looking for a precise answer here, I suggest TAC.

the_rock · ‎2024-09-03

What version? Works fine in my lab.

Andy

[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Mon Sep 2 05:41:23 2024 Local Time
Next update: Mon Sep 9 05:41:23 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #80817
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #17845
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #53551
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #56088
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #98453
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #96337
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #68546
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #79661
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #83554
Revoked at Sat Aug 31 11:41:23 2024 Local Time

[Expert@CP-GW:0]#

velo · ‎2024-09-04

Hi Simo

I just came across this post. It seems this doesn't show the CRL cache, it shows the CRL lifetime which is 7 days. The CRL cache is normally set to 24 hours. Do you know how to check the CRL cache on the gateway?

Thanks

the_rock · ‎2024-09-04

I will check later myself in the lab too.

Andy

velo · ‎2024-09-04

Thank you.

the_rock · ‎2024-09-04

@Simo-94 @velo

Sorry guys, was super busy with Fortinet stuff, will check this shortly.

Andy

the_rock · ‎2024-09-04

I will enable ICA mgmt tool on my mgmt server, as I had to build new lab recently, but below does give some info, its not perfect, but appears to be accurate.

Andy

https://support.checkpoint.com/results/sk/sk34926

velo · ‎2024-09-05

Thanks, I tried that. It downloads the CRL file which shows the 7 day timeout as well. the same as the command:

vpn crlview -obj CP-GW -cert defaultCert

Simo-94 · ‎2024-09-05

hi @the_rock @velo

I could not find how to check the current validity of the CRL cache on the gateway. but we can reset the cache on the gateway meaning that we can reset that 24h and would then know when it begins and when it ends.

the below command would clear the cache on the gateway and the other one would fetch it

# vpn crl_zap

to fetch the CRL from SMS and start the 24h

# vpn crlview -obj CP-GW -cert defaultCert

the_rock · ‎2024-09-05

Correct, you are 100% right. I will continue to check in the lab.

Best,

Andy

Us4r · ‎2019-03-04

OK thank your for that information. So nothing else should happen when this option will changed but when management server will be down I will have more time to solve the problem before all tunnels go down. Is this right?

PhoneBoy · ‎2019-03-05

As I undertstand it, you are correct.

JozkoMrkvicka · ‎2024-09-03

Following article describes what is the flow and the reason of VPN outages if CRL cannot be fetched from management:

VPNs go down within 24 hours after primary Security Management server goes down.

Do you have only one management without HA ?

I suspect that VPN outage was between gateways managed from the same management server / domain. These gateways use certificates (somehow related to CRL), instead of Shared Secret.

Kind regards,
Jozko Mrkvicka

velo · ‎2024-09-04

Thanks. I have seen this article. We only have one SMS. The issue is the VPNs went down after only a few hours of it being down.

After some troubleshooting I have noticed that they started going down roughly at the time shown in output of the command listed above:

(vpn crlview -obj CP-GW -cert defaultCert)

Specifically the time shown as "Revoked at" :

Revoked at Sat Aug 31 11:41:23 2024 Local Time

Output copied from post above:

[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Mon Sep 2 05:41:23 2024 Local Time
Next update: Mon Sep 9 05:41:23 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #80817
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #17845
Revoked at Sat Aug 31 11:41:23 2024 Local Time

the_rock · ‎2024-09-04

Hey mate,

I will do little more digging, but after I enabled ICA mgmt tool, I tested below.

Andy

[Expert@CP-GW:0]# vpn crlview -obj CP-GW
Error: certificate object name is missing
Usage: vpn crlview -obj <network object> -cert <certobj>
or: vpn crlview -f <certfile>
or: vpn crlview -view <crlfile>
[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Wed Sep 4 14:47:58 2024 Local Time
Next update: Wed Sep 11 14:47:58 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #56088
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #53551
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #96337
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #79661
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #80817
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #68546
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #83554
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #17845
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #98453
Revoked at Wed Sep 4 14:47:58 2024 Local Time

[Expert@CP-GW:0]#

velo · ‎2024-09-05

Thanks, that looks handy, how did you do that? Unfortunately from the screenshot it only shows the lifetime of the cert (in years)

Thanks

the_rock · ‎2024-09-05

There is an sk to enable ICA tool on mgmt, it takes literally 5 mins, super easy. Once you log in on port 18265, you see that menu, but Im trying to figure out if there is a setting to see the crl validity.

Andy

https://support.checkpoint.com/results/sk/sk30501

the_rock · ‎2024-09-05

I downloaded 2 .crl files from ica mgmt tool, so trying to see if I can "extract" anything from there. @velo , since I cant attach them here, if you want, we can connect offline and I can share them, see if we can figure something out. Its a lab anyway, so nothing secretive haha

Andy

velo · ‎2024-09-06

Thanks, sent a DM 🙂

the_rock · ‎2024-09-06

Just responded.

Are you a member of CheckMates?

CRL Fetching recommendation