Who rated this post

cancel
Showing results for 
Search instead for 
Did you mean: 
PhoneBoy
Admin
Admin

To be clear: the certificates are actually on the secondary management.
Otherwise, you would not be able to promote the secondary to primary and “take over” this function in the event of a failure.

The problem is that the CRL points to the primary management IP only.
Anything that checks the CRL won’t know about the secondary management IP.
The only way to change that on remote gateways is a policy push.
VPN Peers not managed by your Check Point management may also need to reconfigure the CA used for authentication, which will need a different CRL URL. 

Perhaps you can work around this with NAT, but haven’t tried this myself.

(1)
Who rated this post