This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
velo
Contributor
yesterday
Jump to solution

Central management and certificate based VPNs

I have a Star IPSEC VPN setup with all gateways managed centrally. Recently, I encountered a problem when the management server was offline for a few hours. During that time, all of the VPNs dropped when they re-keyed, even though the certificates still had years left before expiration. This behavior was unexpected and quite concerning, as it seems to present a single point of failure.

Does anyone know why this happened? I couldn't find any information about this in the documentation.

My understanding was that central management would only be an issue if a VPN certificate expired, as we wouldn't be able to generate a new certificate with the management server down.

I'm going to take a guess and assume that maybe when the VPN re-keys, it checks with the CA to see if the certificate is still valid. Is there any way around this? It's pretty bad if the management server is so critical to VPN re-keying.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
yesterday
Jump to solution

VPN certificates are validated against the CA on rekey, whether it be the internal CA or an external one (depending on configuration).
Extended outages of management when ICA is used for VPN certificates will cause VPN issues like you experienced.

Having said that, this usually doesn’t happen for about 24 hours (not just a few, as you experienced).
The CRL should be cached, in fact, and you may want to check this sk: https://support.checkpoint.com/results/sk/sk116340

You can disable CRL checking, of course, but checking the CRL is an important security feature that should not be disabled.
See: https://community.checkpoint.com/t5/General-Topics/Failure-to-fetch-updates-from-CheckPoint-servers/...

View solution in original post

(1)
3 Replies
PhoneBoy
Admin
Admin
yesterday
Jump to solution

VPN certificates are validated against the CA on rekey, whether it be the internal CA or an external one (depending on configuration).
Extended outages of management when ICA is used for VPN certificates will cause VPN issues like you experienced.

Having said that, this usually doesn’t happen for about 24 hours (not just a few, as you experienced).
The CRL should be cached, in fact, and you may want to check this sk: https://support.checkpoint.com/results/sk/sk116340

You can disable CRL checking, of course, but checking the CRL is an important security feature that should not be disabled.
See: https://community.checkpoint.com/t5/General-Topics/Failure-to-fetch-updates-from-CheckPoint-servers/...

(1)
velo
Contributor
yesterday
In response to PhoneBoy
Jump to solution

Thank you for the response. I had a suspicion it might be something like that.

Where do I need to check the settings listed in sk116340? I can't see that section in Smart Console.

Thank you

0 Kudos
PhoneBoy
Admin
Admin
yesterday
In response to velo
Jump to solution

In the object list, you find it under Servers > Trusted CA > internal_ca
This was taken from R82, but it should be the same in previous releases. 
I've submitted feedback on the SK to ensure instructions for finding in R8x are included.

image.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events