SMB IPSec VPN Certs - Internal CA
Good Afternoon --
Does anyone have any scripts or scripting mojo that would allow the IPSec VPN certs to be renewed on a bunch of 1400/1500 centrally managed SMB gateways all at once?
We have a large number of SMBs (R77.20 - R81.x) centrally managed by a physical 3150 SMS_r81.10. All the gateways are configured in permanent tunnels utilizing the local CP internal CA on each. We have had to renew the certs manually/individually on all of them.
The majority of the GWs are 1400 series on the R77.20 code, so scripting from the SMS is a no go -- but something we could run from the local CLI, that we could pipe to all our SSH sessions at once, would work.
Thanks!
How are you using the ICA of the SMB device if the devices are centrally managed?
The ICA, in this case, would be on your Smart-1.
The good news is that we're about to release a script that will assist with this task.
It does require being on a specific R81.10/R81.20 JHF level at the time of writing.
I am not aware of a script. But the renewal takes place on the mgmt. There you renew the cert and push it out via policy push.
That is why I don't think you can run a script on the box itself.
Now the steps are not too bad, if I assume you renew it on the fw object in Smart Console and press the renew button, correct?
You can also think about extending the cert validity from 1 year to 3 years: https://support.checkpoint.com/results/sk/sk176527
This will save a bit of work until there is something new as PhoneBoy posted.
If you like this post please give a thumbs up(kudo)! 🙂
Yes - the ICA is used from the object on the SMS - I misspoke. My intention was to indicate there was no type of external/3rd party cert being utilized.
SK176527_31539 - this is the procedure used - it just takes a long time if you have hundreds!
But I think we will be ok increasing the cert time in the SMS.
Thanks!
