This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
bSingh
Participant
‎2023-12-25 08:48 PM
Jump to solution

Significance of Gateway Certificate when we have Pre-shared Keys based S2S VPNS

Hello Team, 

If someone can help me understanding the Certificate significance in case we are not using it for S2S VPN:--

 

Issue: S2S VPNs between Checkpoint gateways weren't working; identified expired certificates. Renewing them resolved the problem.  We renewed the certificate on both the gateways. Its a Mesh Topology and in Hub and Spoke deployment. Only Checkpoint gateways are affected. Other Spokes are working fine in the community which are not the checkpoint gateways. 

Queries:

  1. In Pre-shared key VPN deployment (Meshed/Star topology), is a certificate necessary? If yes why ? what is the significance of this certificate ?
  2. Are the renewed certificates signed by the CMA ?
  3. The current certificate is renewed for a year. Is there a provision for extending the renewal period or adjusting the expiration date?
  4. Can you share the SNMP traps so that we can actively monitor it.
Preview file
64 KB
0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2023-12-28 12:17 AM
Jump to solution

Some answers:

  1. The default VPN authentication for S2S VPN is certificate-based. Pre-Shared is considered less secure and is only supported for cases when your VPN peer belongs to another security domain.
  2. GW VPN certificates, like all other internal certificates, are signed by your domain CA
  3. The default expiration period for VPN certificates is one year for all supported versions. You can extend it to three years, see sk176527.
  4. AFAIK, there are no SNMP traps for certificates. However, there are multiple other means to follow up and check the validity of GW VPN certificates. Look into sk104400, sk178304, sk102092, sk97792. In essence, you will have either SmartConsole warning, or you can run a CLI command to check.

View solution in original post

(1)
2 Replies
_Val_
Admin
Admin
‎2023-12-28 12:17 AM
Jump to solution

Some answers:

  1. The default VPN authentication for S2S VPN is certificate-based. Pre-Shared is considered less secure and is only supported for cases when your VPN peer belongs to another security domain.
  2. GW VPN certificates, like all other internal certificates, are signed by your domain CA
  3. The default expiration period for VPN certificates is one year for all supported versions. You can extend it to three years, see sk176527.
  4. AFAIK, there are no SNMP traps for certificates. However, there are multiple other means to follow up and check the validity of GW VPN certificates. Look into sk104400, sk178304, sk102092, sk97792. In essence, you will have either SmartConsole warning, or you can run a CLI command to check.
(1)
bSingh
Participant
‎2024-01-08 06:26 AM
In response to _Val_
Jump to solution

Thanks Val for sharing the information.. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events