Elmoki
Explorer

Using Certificate Authentication for S2S VPN in Full HA standalone setup

Hi Everyone,

Scenario:
I have a banking client; they have a standalone setup (Sec GW + Sec MGMT, 6400). They have 4 S2S VPNs using certificates for authentication, signed by BCS.
They want to add a new device (6400) to form a Full HA cluster (I followed sk104699) and will keep the old firewall IP as the clustered IP.

Queries:
1. Will there be a problem with S2S VPN after forming Full HA cluster?
2. Will the existing certificate still be valid after creation of the cluster?
3. If #2 is not valid anymore, do I need to generate an individual cert for each device or only one?

Hoping for a response and guidance.

Thanks in Advance!

Lesley
Advisor

Have you already added the new gateway as a firewall object in SmartConsole?

If so, maybe just try to create a new cluster object. In this object add the current firewall and new one.

Then see what happens in the VPN section: whether you see a new certificate or the current one you use.

Then make sure to cancel all changes and do not publish. Also make a snapshot of mgmt to be sure.

-------
If you like this post please give a thumbs up (kudo)! 🙂
AkosBakos
Advisor

Hi @Elmoki 

  1. The S2S settings are stored in the Policy Package (PSK etc.), so if you don't change the policy there will be no issues.
  2. The new GW will have a new certificate.
  3. The certificate generation happens automatically, and the issuer is the Internal CA.

These are my basic findings, but why do you want to create a new certificate? You will (want to) sign it with the Bank's PKI?

A short piece of advice:

When you create the new cluster object, compare the object settings with the simple cluster settings (e.g. Connection Persistence). This step could avoid a lot of inconvenience. 🙂

Akos
