Irek_Romaniuk
Participant

Disabling CRL checking for centrally managed VPNs

I have many 1100/1400 smart provisioned, centrally managed appliances which do a CRL check with the management server (fw1_ica_services port), and if the check fails the tunnel is dropped with a default of 24h. Is there a way to disable this check, i.e. sk21156? I don't need the CRL check because if I don't want an appliance to have its tunnel up I will terminate the provisioned object on the mgmt server. Please advise.

3 Replies
PhoneBoy
Admin

I don't see why you couldn't apply the SK you referenced to solve the issue, even if you're using SmartProvisioning. 

Irek_Romaniuk
Participant

Correct. It's not really an issue; the CRL check is the default (by design), but I think it creates a Denial of Service risk because the port has to be opened on a public IP.

Mike922
Explorer

Thanks, killing the CRL check solved my problem. My management server is NAT'd behind a firewall on a large private secondary network. Support was sending me down the path of disabling all of my implied rules. That was not going to happen.
