Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Irek_Romaniuk
Participant

Disabling CRL checking for centrally managed VPNs

I have many 1100/1400 smart provisioned, centrally managed appliances which do CRL check with management server (fw1_ica_services port)  and if check fails tunnel is dropped with default of 24h. Is there a way to disable this check i.e. sk21156 ? I don't need CRL check because if I don't want appliance to have tunnel up I will terminate the provisioned object on mgmt server. Please advice

6 Replies
PhoneBoy
Admin
Admin

I don't see why you couldn't apply the SK you referenced to solve the issue, even if you're using SmartProvisioning. 

Irek_Romaniuk
Participant

Correct. It's not really an issue, CRL check is default (by design) but I think it creates Denial of Service risk because the port has to be opened on public IP.

0 Kudos
Mike922
Explorer

Thanks, killing the CRL check solved my problem. My management server is nat'd behind a firewall on a large private secondary network.   Support was sending me down the path of disabling all of my implied rules. That was not going to happen. 

0 Kudos
stat4299
Explorer

Is anyone aware of an emergency procedure to disable this check on the gateways only?  Say the primary and secondary management is down (assuming there is even a secondary).  It would be great to have a way to disable the check on the gateway itself without deploying policy.  This would allow the use of CRL check but just in case of that 1 big disaster that takes out  management and it isn't recovered in 24 hours, you can keep your other gateways communicating through their managed VPN (certificates only work for that).

0 Kudos
_Val_
Admin
Admin

You can disable CRL verification for VPNs on the management side, but I do not think there is a way to do that on the GW side, let alone on SBM appliances. 

0 Kudos
Timothy_Hall
Champion
Champion

I think the following will work on the gateway, see here

cpprod_util CPPROD_SetValue "CPshared//6.0//reserved//libCurl" crl_disable 1 1 1

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events