Dear Checkmates,
We are currently planning the upgrade of our management server to R81.20.
While we understand that if the management server is down for too long, IPsec VPN gateways will start to go offline because they are unable to fetch the CRL from the management CA, we are not 100% sure of the exact details of this and how we can influence it.
According to sk100731, the gateways need to fetch the CRL every 24h; otherwise VPN will start to terminate.
We are not sure where the automatic fetching interval is configured. In the Global Properties of SmartConsole there is a "prefetch_crls_duration" setting that defaults to 2 hours, while on the internal_ca object in SmartConsole there is an advanced setting stating that the CRL will be cached on gateways and fetched every 120 hours.
Looking at the SMB gateways, there is a .crl file created at the "/pfrm2.0/config2/fw1/database/" path with the name ICA_<management name>_<CA identifier>.crl. At first we thought that, based on the modify date of that file, we could monitor when the CRL was last fetched; however, there are some modify times of >24h, which should not be possible, since the VPN should then go offline.
Can anyone shed some light on where to configure the CRL fetching interval and how we can check on the SMB gateway when the last successful CRL check was done?
Thanks for your help.
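An added example, not part of this thread and not Check Point tooling: a stdlib-only Python script that reads a cached CRL file such as the ICA_<management name>_<CA identifier>.crl file mentioned above and decodes the thisUpdate and nextUpdate fields that every X.509 CRL carries (RFC 5280). The file's modify time only says when the file was written; the CRL's own validity window says how long that copy is still usable, so reporting the hours left until nextUpdate is the number to watch. Assumptions: the cached file is a DER- or PEM-encoded CertificateList as defined in RFC 5280 (not verified against a real ICA file); the 24-hour warning threshold is simply this example's default, borrowed from the 24h figure quoted from sk100731 above; the embedded sample CRL is constructed here, unsigned, and exists only so the script runs offline.

```python
"""Report thisUpdate / nextUpdate of a cached CRL and how many hours of validity remain.
Stdlib only: a minimal DER walker is enough, since the two Time fields sit at fixed
positions in tbsCertList (RFC 5280 section 5.1). The sample CRL below is constructed
and unsigned; it is test input, not a real Check Point ICA CRL."""
import base64
import sys
from datetime import datetime, timezone


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def crl_validity(raw):
    """Return (thisUpdate, nextUpdate or None) from a DER or PEM CertificateList."""
    if raw.lstrip().startswith(b"-----BEGIN"):   # PEM: strip armour lines, base64-decode
        raw = base64.b64decode(b"".join(l for l in raw.splitlines() if not l.startswith(b"-----")))
    _, cert_list, _ = _read_tlv(raw, 0)          # CertificateList SEQUENCE
    _, tbs, _ = _read_tlv(cert_list, 0)          # tbsCertList SEQUENCE (first element)
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0         # optional version INTEGER
    i += 2                                       # skip signature AlgorithmIdentifier and issuer Name
    this_update = _parse_time(*fields[i])
    next_update = None
    if i + 1 < len(fields) and fields[i + 1][0] in (0x17, 0x18):   # nextUpdate is OPTIONAL
        next_update = _parse_time(*fields[i + 1])
    return this_update, next_update


def crl_status(raw, now, warn_hours=24):
    """Classify a cached CRL at time `now` (UTC-aware datetime or ISO-8601 string with offset):
    'expired' (past nextUpdate), 'expiring' (fewer than warn_hours left; 24 is this example's
    own default), or 'ok'. Returns (status, hours_left rounded to 0.1) for a monitoring check."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    _, next_update = crl_validity(raw)
    if next_update is None:
        return "no-nextupdate", None
    hours_left = round((next_update - now).total_seconds() / 3600, 1)
    if hours_left <= 0:
        return "expired", hours_left
    if hours_left < warn_hours:
        return "expiring", hours_left
    return "ok", hours_left


def _der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_sample_crl(this_update, next_update):
    """Constructed, UNSIGNED sample CertificateList: issuer CN=sample-ICA is made up and the
    signature BIT STRING is zero-filled. Offline test input only, not a real ICA CRL."""
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSAEncryption
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"sample-ICA"))))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))


def to_pem(der):
    """Wrap DER bytes in PEM armour (to exercise the PEM branch of crl_validity)."""
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(der) + b"-----END X509 CRL-----\n"


# Constructed sample: 120-hour window, matching the 120h cache figure quoted in the thread.
SAMPLE_CRL = make_sample_crl(datetime(2025, 12, 10, 8, 0, tzinfo=timezone.utc),
                             datetime(2025, 12, 15, 8, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    # e.g. python3 crl_check.py ICA_<management name>_<CA identifier>.crl  (copied off the gateway)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CRL
    this_u, next_u = crl_validity(data)
    status, hours = crl_status(data, datetime.now(timezone.utc))
    print(f"thisUpdate={this_u.isoformat()} nextUpdate={next_u} status={status} hours_left={hours}")
```

SMB appliances may not ship a Python interpreter, so the practical use is to copy the cached .crl file off the gateway and run the check on a workstation or monitoring host; the parser deliberately reads only the two Time fields and does not verify the CRL signature, which is the gateway's job, not this script's.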
Here is a way to disable CRL fetch for the needed time: https://support.checkpoint.com/results/sk/sk21156
Configuration: https://community.checkpoint.com/t5/General-Topics/CRL-Fetching-recommendation/m-p/8011#M987
Thanks for your response, that seems like a good workaround for the upgrade process.
Still it would be nice if we get more information about the CRL fetching process.
You can open an informational SR# with CP TAC to get it explained.
Not sure if applicable to SMB: https://support.checkpoint.com/results/sk/sk108632
Thanks for mentioning this SK; the output works on SMB gateways and we can see when the last CRL fetch happened and when the next CRL fetch will happen.
However, so far I did not find a way to modify those values, e.g. forcing the GW to fetch the CRL now. Going to look more into this.
Since the upgrade is scheduled for tomorrow, we are going to fall back to the SK @G_W_Albrecht mentioned and disable the CRL checking for the next 2 days.
Actually, you can force the local CRL cache to clear: https://support.checkpoint.com/results/sk/sk26628