Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Us4r
Contributor

CRL Fetching recommendation

Hi @ all,

this week I reinstalled our Management Node with a fresh installation of R80.20.M2.

During the installation / configuration the mangement Node was down for some hours.

During this time we lost connection to different IPSec tunnels between our Checkpoint Appliances (SMB 1400 / 1100).

After the management node was up again, they came all back after some time.

I think this Problem is caused, because CRL - Fetching ist set to fetch new CRL after 24h.

My question would be now, if it could cause a Problem when I set CRL - Fetching to a higher value (for example: 5 days). In case of a big management issue (hardware fault, big configuration issues,...) I think we could run there into a big issue if all of our tunnels will go down within 24h.

So does anybody know if this cold have any side effects when I set CRL Fetching to 120h?

Thanks.

Florian

0 Kudos
24 Replies
PhoneBoy
Admin
Admin

The most obvious thing is your gateways will accept certificates that are revoked for longer than they would normally.

0 Kudos
Simo-94
Participant

hi Phoneboy,  Hi  @the_rock 

if you yall could help me out with this please.

how can we check when the CRL cache will expire on the gateway please ? because we have some maintenance to do on the SMS and we are afraid that the gateway cache will expire just right when the SMS is down.

by default the cache expiry is set to 24 hours but when will that 24h begin and end ?

the command :

vpn crlview -obj <MyObj> -cert <MyCert>

does not show the cache expiry on the gateway but rather fetches the CRL from the CA.

the output of the above command gives the impression that the cache expiry is 7 days when we  actually set to 24 so I doubt that those dates are for the cache expiry.

 

output :

[Expert@G2:0]# vpn crlview -obj GW-194 -cert defaultCert
1 X509 CRLs
        Issuer: O=Reporter-196..7ddn8g
        This update: Sun Jun 21 14:05:10 2015 Local Time
        Next update: Sun Jun 28 14:05:10 2015 Local Time
        Extensions:
                Issuing distribution points (Critical):
                        URI: http://Reporter-196:18264/ICA_CRL1.crl
                        DN: CN=ICA_CRL1,O=Reporter-196..7ddn8g

thank you.

0 Kudos
the_rock
Legend
Legend

I dont believe you would have that issue, but since Gaia is based on Linux, this link may help.

Andy

https://stackoverflow.com/questions/20918695/how-to-check-expiration-date-of-crl-file

0 Kudos
Simo-94
Participant

hi Andy,

 

thank you for your response.

 

the command in the link specify to locate the certificate file which is actually located on the management server and not the gateway. nonetheless I ran taht command on the gateway

openssl crl -in ICA_CRL1.crl -text

but has returned "command not found"

0 Kudos
PhoneBoy
Admin
Admin

I believe the 24 hours is from the last VPN rekey.
In any case, if you're looking for a precise answer here, I suggest TAC.

0 Kudos
the_rock
Legend
Legend

What version? Works fine in my lab.

Andy

[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Mon Sep 2 05:41:23 2024 Local Time
Next update: Mon Sep 9 05:41:23 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #80817
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #17845
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #53551
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #56088
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #98453
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #96337
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #68546
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #79661
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #83554
Revoked at Sat Aug 31 11:41:23 2024 Local Time

[Expert@CP-GW:0]#

0 Kudos
velo
Collaborator

Hi Simo

I just came across this post. It seems this doesn't show the CRL cache, it shows the CRL lifetime which is 7 days. The CRL cache is normally set to 24 hours. Do you know how to check the CRL cache on the gateway?

Thanks

the_rock
Legend
Legend

I will check later myself in the lab too.

Andy

0 Kudos
(1)
velo
Collaborator

Thank you.

0 Kudos
the_rock
Legend
Legend

@Simo-94 @velo 

Sorry guys, was super busy with Fortinet stuff, will check this shortly.

Andy

0 Kudos
the_rock
Legend
Legend

I will enable ICA mgmt tool on my mgmt server, as I had to build new lab recently, but below does give some info, its not perfect, but appears to be accurate.

Andy

https://support.checkpoint.com/results/sk/sk34926

0 Kudos
velo
Collaborator

Thanks, I tried that. It downloads the CRL file which shows the 7 day timeout as well. the same as the command:

vpn crlview -obj CP-GW -cert defaultCert

0 Kudos
Simo-94
Participant

hi @the_rock  @velo 

 

I could not find how to check the current validity of the CRL cache on the gateway. but we can reset the cache on the gateway meaning that we can reset that 24h and would then know when it begins and when it ends.

 

the below command would clear the cache on the gateway and the other one would fetch it

# vpn crl_zap

to fetch the CRL from SMS and start the 24h

vpn crlview -obj CP-GW -cert defaultCert

0 Kudos
the_rock
Legend
Legend

Correct, you are 100% right. I will continue to check in the lab.

Best,

Andy

0 Kudos
Us4r
Contributor

OK thank your for that information. So nothing else should happen when this option will changed but when management server will be down I will have more time to solve the problem before all tunnels go down. Is this right?

0 Kudos
PhoneBoy
Admin
Admin

As I undertstand it, you are correct.

0 Kudos
JozkoMrkvicka
Authority
Authority

Following article describes what is the flow and the reason of VPN outages if CRL cannot be fetched from management:

VPNs go down within 24 hours after primary Security Management server goes down.

Do you have only one management without HA ?

I suspect that VPN outage was between gateways managed from the same management server / domain. These gateways use certificates (somehow related to CRL), instead of Shared Secret.

Kind regards,
Jozko Mrkvicka
velo
Collaborator

Thanks. I have seen this article. We only have one SMS. The issue is the VPNs went down after only a few hours of it being down. 

After some troubleshooting I have noticed that they started going down roughly at the time shown in output of the command listed above:

(vpn crlview -obj CP-GW -cert defaultCert)

Specifically the time shown as "Revoked at" :

Revoked at Sat Aug 31 11:41:23 2024 Local Time

 

 

Output copied from post above:

[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Mon Sep 2 05:41:23 2024 Local Time
Next update: Mon Sep 9 05:41:23 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #80817
Revoked at Sat Aug 31 11:41:23 2024 Local Time
Certificate #17845
Revoked at Sat Aug 31 11:41:23 2024 Local Time

0 Kudos
the_rock
Legend
Legend

Hey mate,

I will do little more digging, but after I enabled ICA mgmt tool, I tested below.

Andy

 

Screenshot_1.png

 

[Expert@CP-GW:0]# vpn crlview -obj CP-GW
Error: certificate object name is missing
Usage: vpn crlview -obj <network object> -cert <certobj>
or: vpn crlview -f <certfile>
or: vpn crlview -view <crlfile>
[Expert@CP-GW:0]# vpn crlview -obj CP-GW -cert defaultCert
1 X509 CRLs
Issuer: O=CP-MANAGEMENT..pi6w5j
This update: Wed Sep 4 14:47:58 2024 Local Time
Next update: Wed Sep 11 14:47:58 2024 Local Time
Extensions:
Issuing distribution points (Critical):
URI: http://CP-MANAGEMENT:18264/ICA_CRL1.crl
DN: CN=ICA_CRL1,O=CP-MANAGEMENT..pi6w5j
Certificate #56088
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #53551
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #96337
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #79661
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #80817
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #68546
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #83554
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #17845
Revoked at Wed Sep 4 14:47:58 2024 Local Time
Certificate #98453
Revoked at Wed Sep 4 14:47:58 2024 Local Time

[Expert@CP-GW:0]#

0 Kudos
velo
Collaborator

Thanks, that looks handy, how did you do that? Unfortunately from the screenshot it only shows the lifetime of the cert (in years)

Thanks

0 Kudos
the_rock
Legend
Legend

There is an sk to enable ICA tool on mgmt, it takes literally 5 mins, super easy. Once you log in on port 18265, you see that menu, but Im trying to figure out if there is a setting to see the crl validity.

Andy

https://support.checkpoint.com/results/sk/sk30501

0 Kudos
the_rock
Legend
Legend

I downloaded 2 .crl files from ica mgmt tool, so trying to see if I can "extract" anything from there. @velo , since I cant attach them here, if you want, we can connect offline and I can share them, see if we can figure something out. Its a lab anyway, so nothing secretive haha

Andy

0 Kudos
(1)
velo
Collaborator

Thanks, sent a DM 🙂

0 Kudos
the_rock
Legend
Legend

Just responded.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events