raquinog
Participant

Notify when certificate expired

Yesterday I had an incident with my IPSEC tunnels with branches (they are established by certificate) because the virtual firewall certificate expired.

Attached is the image of the GW; I had to renew the certificate to restore the service.

The question is: can the Firewall send a notification warning that a certificate is about to expire? What configuration is required for the Firewall to send the notification?

Screenshot_2.png

Thanks for your help.


3 Solutions

Accepted Solutions
G_W_Albrecht
Legend

...and sk31539 tells us that:

The Security Management server generates a report, per Security Gateway, warning about those certificates that will expire within 60 days time from the current date. This functionality is always enabled and the 60 days is a fixed warning period.

...

  • Certificate expiration warning messages are not recorded in any log by the Security Management server.
  • Warnings are generated and presented anew with each Policy installation.

You could check on CLI using sk104400:

# cpca_client lscert -stat Valid -kind IKE
Operation succeeded. rc=0.
1 certs found.

Subject = CN=cpmodule VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91912 DP = 1
Not_Before: Wed Jan 14 14:19:02 2015 Not_After: Tue Jan 14 14:19:02 2020

CCSE CCTE CCSM SMB Specialist

matangi
Employee

Hi @raquinog, @Peter_Baumann, @Anthony_Vita

Nowadays the firewall sends a notification that a certificate is about to expire in two places:
1. 'info' status as part of policy installation:

info_in_policy_install.jpg

2. In VPN log:

vpn_logs.jpg

As @G_W_Albrecht mentioned, you can also monitor the VPN certificates of all Virtual Systems / Security Gateways from Security Management via a single CLI command:

cpca_client search "VPN certificate"


We are about to improve the alert during Policy installation, changing it from 'info' to 'warning'.

The improvement will be released in R81.20 and also be ported to all R8X.XX JHFs

We are looking for other ways to alert about VPN certificate expiry, such as a red "X" for the Gateway object when the VPN certificate is expired, or a yellow warning sign when the certificate is about to expire soon (e.g. 60 days or less).

Thanks,
Matan

Igor_Demchenko
Participant

I made this simple script for crontab. It may be useful for you.

#!/bin/sh
# load the Check Point environment so cpca_client is on the PATH
source /etc/profile.d/CP.sh

# placeholders: DN substring of the certificate to check, and mail settings
DN_SUBSTRING="<SubString>"
MAIL_DOMAIN="<domain name>"
MAIL_FROM="<from_email>"
MAIL_TO="<to_email>"
SMTP_SERVER="<smtp_server>"

CERTIFICATE=$(cpca_client lscert -stat Valid -dn "$DN_SUBSTRING")

#get string with expiration date from certificate info
#(only the first matching certificate is evaluated)
CERT_INFO=$(printf '%s\n' "$CERTIFICATE" | grep Not_After | head -n 1)

if [ -z "$CERT_INFO" ]; then
    echo "No valid certificate matching '$DN_SUBSTRING' found" >&2
    exit 1
fi

#make list with the fields after "Not_After:": weekday, month, day, time, year
EXPIRED=$(python -c "lst='$CERT_INFO'.split('Not_After:'); print(lst[1].split())")

#get expiration day
EXPIRED_DATE=$( python -c "print($EXPIRED[2])" )
#get expiration month
EXPIRED_MONTH=$( python -c "print($EXPIRED[1])" )
#get expiration year
EXPIRED_YEAR=$( python -c "print($EXPIRED[-1])" )

#days until expiration; year and day come from the certificate, not hard-coded values
DIFF=$(python -c "from datetime import date, datetime; print(date(int('$EXPIRED_YEAR'), datetime.strptime('$EXPIRED_MONTH','%b').month, int('$EXPIRED_DATE')).toordinal() - date.today().toordinal())")

if [ "$DIFF" -lt 30 ]; then
    echo -e "Subject: CheckPoint VPN certificate expiration\r\n\r\nVPN certificate will expire in $DIFF days.\r\n\n\n $CERTIFICATE.\r\n " | sendmail --domain="$MAIL_DOMAIN" -f "$MAIL_FROM" -v "$MAIL_TO" --host="$SMTP_SERVER"
fi

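A worked example added to this thread (it is not Check Point's code and not from any of the posters): a small Python parser for the `cpca_client lscert` output format shown in sk104400 in G_W_Albrecht's answer, which computes the days left for every listed certificate and flags anything inside the fixed 60-day window that sk31539 describes. It serves the same purpose as the crontab script above but handles several certificates at once and reads year, month and day from the certificate itself. The sample output below is constructed for the example (the second certificate and its serial are invented, only the first one is copied from the answer); on a Management server you would pipe the real command output into the script.

```python
"""Report VPN certificates nearing expiry from `cpca_client lscert` output.

Example usage on a Management server (the command is from sk104400):
    cpca_client lscert -stat Valid -kind IKE | python check_cert_expiry.py
Without piped input the constructed sample below is evaluated instead.
"""
import re
import sys
from datetime import datetime

# Constructed sample in the format of sk104400's `cpca_client lscert` output.
# The first certificate is the one quoted in the thread; the second is invented.
SAMPLE_OUTPUT = """Operation succeeded. rc=0.
2 certs found.

Subject = CN=cpmodule VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91912 DP = 1
Not_Before: Wed Jan 14 14:19:02 2015 Not_After: Tue Jan 14 14:19:02 2020

Subject = CN=branch-gw VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91913 DP = 1
Not_Before: Mon Feb 10 09:00:00 2020 Not_After: Sat Feb 10 09:00:00 2029
"""

WARN_DAYS = 60  # same fixed warning window the Management server uses (sk31539)
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Jan 14 14:19:02 2020"

SUBJECT_RE = re.compile(r"^Subject = (.*)$")
DATES_RE = re.compile(r"Not_Before: (.+?) Not_After: (.+)$")


def parse_lscert(text):
    """Return a list of {subject, not_before, not_after} dicts, one per certificate."""
    certs = []
    current = None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line.strip())
        if m:
            current = {"subject": m.group(1)}
            certs.append(current)
            continue
        m = DATES_RE.search(line)
        if m and current is not None:
            current["not_before"] = datetime.strptime(m.group(1), DATE_FMT)
            current["not_after"] = datetime.strptime(m.group(2), DATE_FMT)
    return certs


def days_remaining(cert, now):
    """Whole days until Not_After; negative once the certificate has expired."""
    return (cert["not_after"] - now).days


def classify(cert, now, warn_days=WARN_DAYS):
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    left = days_remaining(cert, now)
    if left < 0:
        return "expired"
    if left <= warn_days:
        return "expiring"
    return "ok"


def report(text, now=None, warn_days=WARN_DAYS):
    """Return (status, days_left, subject) per certificate.

    `now` may be None (current time) or a 'YYYY-MM-DD' string, which makes the
    result reproducible for testing.
    """
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    return [(classify(c, now, warn_days), days_remaining(c, now), c["subject"])
            for c in parse_lscert(text)]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    exit_code = 0
    for status, left, subject in report(data):
        print("%-8s %6d days  %s" % (status, left, subject))
        if status != "ok":
            exit_code = 1  # non-zero exit lets cron or a monitoring job raise an alert
    sys.exit(exit_code)
```

Run from cron, the non-zero exit status is the hook for a mail or monitoring alert; unlike the 'info' line during policy installation, it fires whether or not anyone installs a policy.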
10 Replies
MarioB_1
Participant

According to SK102092, the gateway does not alert about certificate expiration without installing a Security Policy.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
G_W_Albrecht
Legend

There is an interesting topic on CheckMates with a lot of valuable information about this: Third Parties Certificate details

CCSE CCTE CCSM SMB Specialist
Peter_Baumann
Contributor

Hi @raquinog ,

A customer of ours had the same problem: no indication about the expired certificate when installing the policy.
The feature should be always activated but it seems that it is not working.

Nobody knows why, so we will open a case for it.

Thanks,
Peter

Anthony_Vita
Participant

Just had the same issue. Were you able to figure out why the feature doesn't work?

Peter_Baumann
Contributor

Hi @Anthony_Vita ,

We opened a case and there was a lot of troubleshooting involved. Unfortunately it did not lead to a solution and was closed by Check Point/customer.

Heath_Mote
Collaborator

Sorry to resurrect such an old post, but we are running R81.10 mgmt/gateway, which I see in the screenshots, and I'm not seeing any of these expiring cert messages in my logs on the key installs. We should have some recently because we had a VPN cert expire this weekend which went unnoticed. I'd like to incorporate these logs into an alerting mechanism in our SIEM.

Do you know when this became available or did this get pushed to R81.20?

matangi
Employee

Hi @Heath_Mote
Sorry for the inconvenience.
By checking the code, it seems that the log has existed at least since R80.30.
In case you can't find it, you may open a ticket with Check Point support.

