SmartConsole Extension - VPN Certificate Dashboard

SmartEvent Type: Certificate, ike, ikev1, ikev2, ipsec, SmartConsole, VPN,

HeikoAnkenbrand
MVP Diamond


VPN Certificate Dashboard

Extension URL: https://www.checkpoint.tips/ex/cert.json

Installation: SmartConsole > Manage & Settings > Preferences > SmartConsole Extensions

Displays all VPN IKE certificates from the selected Check Point Management Server, including:

- validity status
- expiration dates
- remaining lifetime
- certificate statistics
- certificate expiration alert (expired, expires in 30 days, ok)
- filters to search across all gateways
- raw output

Expired a






12 Replies

wust
Explorer

A really cool tool.

Finally, you can see all your VPN certificates at a glance and immediately see when they expire.

Great!



0 Kudos

Ulf_K
Explorer

Awesome extensions!



0 Kudos

Sven_Ott
Participant

👍



0 Kudos

Ralf_Erzinger
Explorer

Do we have a way to filter VPN gateways? We currently have more than 100 VPN gateways in use, and it is difficult to work with the full list when all gateways are displayed.

---
CCSM/CCVS



0 Kudos

HeikoAnkenbrand
MVP Diamond

@Ralf_Erzinger
There is a "Filter by Gateway" option. Here, you can filter by gateways or clusters and display only the gateways that match the selected filter criteria.



0 Kudos

Claudio_Bolcato
Collaborator

Hi @HeikoAnkenbrand,
I noticed the extension shows only the first 50 GWs and doesn't work with MDS.
It returns:  Error: This operation is supported for MGMT only.
This is a great idea and a very useful tool.



HeikoAnkenbrand
MVP Diamond

Hi @Claudio_Bolcato,

Currently, this only works with SMS and not with MDS.
I will migrate it to MDS within the next few days.

Thanks for the tip.



0 Kudos

HeikoAnkenbrand
MVP Diamond


@Claudio_Bolcato

I currently don't have an SMS with more than 50 certificates available for testing. I believe that "cpca_client lscert -kind IKE -stat Valid" does not return more than 50 certificates.

Could you please run the following command on your Management Server and send me the result? Then I can verify whether the issue is related to cpca_client.

cpca_client lscert -kind IKE -stat Valid | wc -l



0 Kudos

Claudio_Bolcato
Collaborator

@HeikoAnkenbrand
The command returns 550.



HeikoAnkenbrand
MVP Diamond

Hi @Claudio_Bolcato,

To find the Management Server, there is a function that uses show gateways-and-servers.

If the command output contains too many entries, limit and offset must be used to retrieve all systems.

After a bit of tinkering, I added this logic to the code.

Everything should work correctly now (see screenshot).

[screenshot]



0 Kudos
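The limit/offset paging that the reply above describes for show gateways-and-servers, as an added Python example; it is not code from the extension or from the thread's author. The Management API call is replaced by an offline stub that imitates the reply shape of the real command (a page of objects plus from, to and total) over a constructed inventory of 120 objects; the endpoint path, the X-chkp-sid header and the default page size of 50 are those of the Check Point Management API, and the vpn flag on the stub objects is a constructed field, not the API's own.

```python
"""Added example (not the extension's own code): read a gateway inventory
larger than the default page of 50 by advancing offset until 'total' is
reached. The stub below stands in for the live API so the script runs offline."""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List

Api = Callable[[Dict], Dict]

# Constructed inventory standing in for the object database (120 objects).
_INVENTORY: List[Dict] = [
    {"uid": f"uid-{i:03d}", "name": f"gw{i:03d}",
     "type": "CpmiClusterMember" if i % 10 == 0 else "simple-gateway",
     "vpn": i % 3 != 0}                       # constructed flag, not an API field
    for i in range(1, 121)
]


def fake_show_gateways_and_servers(payload: Dict) -> Dict:
    """Offline stub imitating the reply shape of the real command:
    one page of 'objects' plus 'from', 'to' and 'total' (1-based, as in the API)."""
    limit = int(payload.get("limit", 50))      # API default page size
    offset = int(payload.get("offset", 0))
    page = _INVENTORY[offset:offset + limit]
    return {"objects": page, "from": offset + 1, "to": offset + len(page),
            "total": len(_INVENTORY)}


def fetch_first_page_only(call: Api) -> List[Dict]:
    """What a single un-paged call yields: at most the default 50 objects.
    This is the behaviour the thread reports ('shows only the first 50 GWs')."""
    return call({})["objects"]


def fetch_all(call: Api, limit: int = 50) -> List[Dict]:
    """Advance offset by the number of objects actually returned until 'total'
    is reached. Stopping on an empty page also protects against a server
    whose reported total is larger than what it hands out."""
    objects: List[Dict] = []
    offset = 0
    while True:
        reply = call({"limit": limit, "offset": offset, "details-level": "standard"})
        page = reply.get("objects", [])
        objects.extend(page)
        offset += len(page)
        if not page or offset >= reply.get("total", 0):
            return objects


def real_mgmt_call(mgmt_host: str, sid: str, command: str, payload: Dict) -> Dict:
    """Shape of the live call (defined for reference, not executed here):
    POST JSON to https://<mgmt>/web_api/<command> with the session id from
    'login' in the X-chkp-sid header. TLS is verified with the default context."""
    req = urllib.request.Request(
        f"https://{mgmt_host}/web_api/{command}",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": sid},
        method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(len(fetch_first_page_only(fake_show_gateways_and_servers)), "objects without paging")
    print(len(fetch_all(fake_show_gateways_and_servers)), "objects with limit/offset")
```

To use it against a live server, pass `lambda p: real_mgmt_call(host, sid, "show-gateways-and-servers", p)` as `call`; the paging loop itself does not change.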

Claudio_Bolcato
Collaborator

[screenshot]



0 Kudos

HeikoAnkenbrand
MVP Diamond

Hi @Claudio_Bolcato,

Current certificates are retrieved using cpca_client lscert -kind IKE. Unfortunately, expired certificates are not returned by this command, which is why the raw output only contains valid certificates.

To identify expired certificates, all gateways are read from the SmartConsole object database using show gateways-and-servers. If VPN is enabled on a gateway and no certificate is found via cpca_client lscert -kind IKE, the certificate is treated as expired.



0 Kudos
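The classification rule from the reply above (valid IKE certificates from cpca_client lscert -kind IKE, gateway list from show gateways-and-servers, a VPN-enabled gateway without a certificate counted as expired) together with the expired / expires in 30 days / ok alert from the feature list, as an added Python example; it is not the extension's code. The lscert text and the gateway list are constructed: the sample follows the general line shape of cpca_client lscert output, the subject naming CN=<gateway> VPN Certificate is an assumption, and the vpn flag stands in for the VPN blade setting that the real gateway object carries. The date check on Not_After goes slightly beyond the thread, which only uses the missing-certificate rule.

```python
"""Added example (not the extension's own code): derive the per-gateway
certificate status and the summary statistics from two constructed inputs."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed text in the general shape of cpca_client lscert output.
SAMPLE_LSCERT = """\
Operation succeeded. 2 certs found.

Subject = CN=gw001 VPN Certificate,O=mgmt..a1b2c3
Status = Valid   Kind = IKE   Serial = 10001   DP = 0
Not_Before: Sun Jun 01 12:00:00 2025   Not_After: Sat Jun 01 12:00:00 2030

Subject = CN=gw002 VPN Certificate,O=mgmt..a1b2c3
Status = Valid   Kind = IKE   Serial = 10002   DP = 0
Not_Before: Tue Jun 11 12:00:00 2024   Not_After: Wed Jun 11 12:00:00 2025
"""

# Constructed gateway inventory; 'vpn' stands in for the VPN blade flag.
SAMPLE_GATEWAYS: List[Dict] = [
    {"name": "gw001", "vpn": True},
    {"name": "gw002", "vpn": True},
    {"name": "gw003", "vpn": True},    # VPN on, but no certificate in lscert
    {"name": "gw004", "vpn": False},   # no VPN, must not be reported at all
]

# Subject naming 'CN=<gateway> VPN Certificate' is an assumption; the optional
# group lets a bare 'CN=<gateway>' match as well.
_CN_RE = re.compile(r"CN=([^,]+?)(?: VPN Certificate)?(?:,|$)")
_NOT_AFTER_RE = re.compile(r"Not_After:\s+(.+?)\s*$")
_DATE_FMT = "%a %b %d %H:%M:%S %Y"   # ctime-style timestamp as printed by lscert

Report = Dict[str, Tuple[str, Optional[int]]]


def parse_lscert(text: str) -> Dict[str, datetime]:
    """Map gateway name -> Not_After, pairing each Subject line with the
    Not_After that follows it. Expired certificates never appear here,
    because lscert does not return them."""
    certs: Dict[str, datetime] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("Subject"):
            m = _CN_RE.search(line)
            current = m.group(1) if m else None
            continue
        m = _NOT_AFTER_RE.search(line)
        if m and current:
            certs[current] = datetime.strptime(m.group(1), _DATE_FMT)
            current = None
    return certs


def classify(gateways: List[Dict], certs: Dict[str, datetime],
             now: datetime, warn_days: int = 30) -> Report:
    """Status per VPN-enabled gateway: (status, days remaining or None)."""
    report: Report = {}
    for gw in gateways:
        if not gw.get("vpn"):
            continue                                   # no VPN, nothing to check
        not_after = certs.get(gw["name"])
        if not_after is None:
            report[gw["name"]] = ("expired", None)     # rule from the thread
            continue
        remaining = not_after - now
        if remaining < timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = f"expires in {warn_days} days"
        else:
            status = "ok"
        report[gw["name"]] = (status, remaining.days)
    return report


def statistics(report: Report) -> Counter:
    """Counts per status, the 'certificate statistics' of the dashboard."""
    return Counter(status for status, _ in report.values())


def build_report(lscert_text: str, gateways: List[Dict], now_iso: str) -> Report:
    """Convenience wrapper with a fixed 'now' so results are reproducible."""
    return classify(gateways, parse_lscert(lscert_text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    rep = build_report(SAMPLE_LSCERT, SAMPLE_GATEWAYS, "2025-06-01T00:00:00")
    for name, (status, days) in rep.items():
        print(f"{name}: {status}" + (f" ({days} days left)" if days is not None else ""))
    print(dict(statistics(rep)))
```

With the fixed reference date 2025-06-01, gw001 reports ok, gw002 falls inside the 30-day window, gw003 is expired because no certificate was listed for it, and gw004 is skipped because VPN is off.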