Mec
Participant

VPN IPSec certificate - different expiration date between cluster object and physical node

Hi,

We have a cluster of firewalls, composed of 2 nodes.

We are using Infinity Playblocks to monitor the expiration date of the VPN IPSec certificate.

Infinity Playblocks informed us that the VPN certificate of the physical node-01 was expiring.

The certificate regarding the HA (the cluster object) was not about to expire. I am referring to the certificate we can see from SmartConsole in the cluster object > IPSec > view certificate.

My questions are:

Is it normal that the VPN certificate of the physical node has a different expiration date from the HA VPN certificate?

If it is normal, which certificate is important? If we let the VPN certificate of the physical node expire, but the VPN certificate of the cluster is still valid, will the VPN work?

Thank you.

0 Kudos
5 Replies
PhoneBoy
Admin

Yes, the certificates might be different as the cluster node wasn't part of the cluster at one time (namely when you created the object).

The cluster certificate is the most relevant here and will be used as long as the gateway is still part of the cluster.

0 Kudos
Mec
Participant

Hi,

Thank you for the reply.

The cluster has existed for at least 5 years. We already renewed the certificate in the past, so I do not think that is the cause of the different dates.

If we know that the HA certificate is the relevant one, we will disable the alert regarding the expiration of the physical node certificate and we will let them expire.

the_rock
Legend

Are you experiencing any issues or just wondering if it's normal?

Andy

0 Kudos
Mec
Participant

We do not have any issues.

I was just wondering if it is normal to have different expiring dates and if both certificates (physical node and cluster object) are important or if only the cluster certificate matters.

If the physical node certificate does not matter, we don't want to receive alerts from Playblocks regarding this certificate.

Since the physical node was expiring, I renewed the cluster certificate.

Let me add a question.

Does renewing the certificate of the cluster object from SmartConsole also automatically renew the certificates of the physical nodes?

Thank you all for the reply.

0 Kudos
PhoneBoy
Admin

Fairly certain the answer is no here.
As stated previously, the member's own certificate is not relevant when the gateway is in a cluster.

0 Kudos
