raquinog
Participant

Notify when certificate expired


Yesterday I had an incident with my IPSEC tunnels with branches (they are established by certificate) because the virtual firewall certificate expired.

Attached is the image of the GW; I had to renew the certificate to restore the service.

The question is: can the Firewall send a notification warning that a certificate is about to expire? What configuration is required for the Firewall to send the notification?

Screenshot_2.png

thanks for your help


2 Solutions

Accepted Solutions
G_W_Albrecht
Legend

...and sk31539 tells us that

The Security Management server generates a report, per Security Gateway, warning about those certificates that will expire within 60 days' time from the current date. This functionality is always enabled and the 60 days is a fixed warning period.

...

  • Certificate expiration warning messages are not recorded in any log by the Security Management server.
  • Warnings are generated and presented anew with each Policy installation.

You could check on CLI using sk104400:

# cpca_client lscert -stat Valid -kind IKE
Operation succeeded. rc=0.
1 certs found.

Subject = CN=cpmodule VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91912 DP = 1
Not_Before: Wed Jan 14 14:19:02 2015 Not_After: Tue Jan 14 14:19:02 2020

CCSE CCTE SMB Specialist

matangi
Employee

Hi @raquinog , @Peter_Baumann , @Anthony_Vita 

Nowadays the firewall sends a notification that a certificate is about to expire in two places:
1. 'info' status as part of policy installation:

info_in_policy_install.jpg

2. In VPN log:

vpn_logs.jpg

As @G_W_Albrecht mentioned, you can also monitor VPN certificates of all Virtual Systems / Security Gateways from Security Management via a single CLI command:

cpca_client search "VPN certificate"


We are about to improve the alert during policy installation, changing it from 'info' to 'warning'.

The improvement will be released in R81.20 and will also be ported to all R8X.XX JHFs.

We are looking for other ways to alert about VPN certificate expiry, such as a red "X" on the Gateway object when the VPN certificate is expired, or a yellow warning sign when the certificate is about to expire soon (e.g. 60 days or less).

Thanks,
Matan

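Both the `cpca_client lscert` output quoted in the accepted solution above and the `cpca_client search` command in this reply show the expiry dates, but sk31539 says the 60-day warning itself is never logged. The following is an added example, not code from the thread or from Check Point, that parses the `lscert` output format shown above into a check that can be scheduled and fed to a monitoring system; the sample output, the second certificate, and the `parse_lscert`/`classify`/`report` names are constructed for illustration.

```python
import re
from datetime import datetime

WARNING_DAYS = 60  # fixed warning period documented in sk31539 (quoted above)
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Jan 14 14:19:02 2020"

# Constructed sample in the format shown in the thread; not real output.
SAMPLE_OUTPUT = """Operation succeeded. rc=0.
2 certs found.

Subject = CN=cpmodule VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91912 DP = 1
Not_Before: Wed Jan 14 14:19:02 2015 Not_After: Tue Jan 14 14:19:02 2020

Subject = CN=branch01 VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91913 DP = 1
Not_Before: Wed Jan 14 14:19:02 2015 Not_After: Wed Mar 11 09:00:00 2020
"""

_SUBJECT = re.compile(r"^Subject = (.+)$", re.M)
_SERIAL = re.compile(r"Serial = (\d+)")
_NOT_AFTER = re.compile(r"Not_After: (.+?)\s*$", re.M)

def parse_lscert(text):
    """Return one dict (subject, serial, not_after) per certificate block."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        subj, serial, after = (_SUBJECT.search(block), _SERIAL.search(block),
                               _NOT_AFTER.search(block))
        if not (subj and serial and after):
            continue  # header lines such as "2 certs found." carry no cert
        certs.append({"subject": subj.group(1).strip(),
                      "serial": int(serial.group(1)),
                      "not_after": datetime.strptime(after.group(1), DATE_FMT)})
    return certs

def classify(certs, now, warning_days=WARNING_DAYS):
    """Return [(status, days_left, subject)]; status is EXPIRED, WARNING or OK."""
    out = []
    for c in certs:
        days_left = (c["not_after"] - now).days  # negative once expired
        status = ("EXPIRED" if days_left < 0
                  else "WARNING" if days_left <= warning_days else "OK")
        out.append((status, days_left, c["subject"]))
    return out

def report(text, now_iso):
    """Wrapper for a scheduled check; now_iso is a date such as '2020-01-01'."""
    return classify(parse_lscert(text), datetime.fromisoformat(now_iso))
```

Pipe the real `cpca_client lscert -stat Valid -kind IKE` output into `report` with today's date and raise an alert on any WARNING or EXPIRED row; this reproduces the 60-day window in a form that can actually be logged or sent by e-mail.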
7 Replies
MarioB_1
Participant

According to SK102092, the gateway does not alert about certificate expiration without installing a Security policy.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

G_W_Albrecht
Legend

There is an interesting topic on CheckMates with a lot of valuable information about this: Third Parties Certificate details

CCSE CCTE SMB Specialist
Peter_Baumann
Contributor

Hi @raquinog ,

A customer of ours had the same problem: no indication about the expired certificate when installing the policy.
The feature should be always activated but it seems that it is not working.

Nobody knows why, so we will open a case for it.

Thanks,
Peter

Anthony_Vita
Participant

Just had the same issue. Were you able to figure out why the feature doesn't work?

Peter_Baumann
Contributor

Hi @Anthony_Vita ,

We opened a case and there was a lot of troubleshooting involved. Unfortunately it did not lead to a solution and was closed by Check Point/customer.
