Expired VPN certificate

The other day we had an issue at our company headquarters. Suddenly almost all VPN tunnels went down.

I started investigating and noticed that the tunnels that were down had something in common. They were tunnels between two gateways managed by the same management server.


That led me to check the certificate used for VPN and alas, it turned out it had expired.

I renewed it and after pushing a policy, all tunnels came back up again.


It is a bit scary that this certificate expires once every five years, and when it does it can cause major issues.

So how does Check Point warn the administrator that this is about to happen?


Well, first off, if you do not regularly push policy to the cluster you will not be warned at all, as any warning only appears after pushing policy in SmartDashboard.

But let's say you do push policy regularly to the cluster. How does it look?

It depends on whether you are using R80 or R77.


R77:

When you push policy you will get a clear message that there are warnings after pushing. These warnings usually include things like overlapping service objects etc., but also whether the certificate is about to expire within something like 30 or 90 days.


R80:

Here the policy installation window will minimize, and you will not see warnings unless you open the policy installation window again.

If you only look at the small icon on the lower left corner after installation you might think there are no warnings, as none are shown. But that is because that icon does not display any info about warnings.

To see this you need to click "Details" and only then would you see if there were any warnings.

There will be a tiny speck of orange color next to the cluster object in the policy installation dialog showing this.

After expanding that section you might need to click "Show more" to show this warning. In R80 it is not severity: warning but instead severity: informational for some reason.



So, to summarize: it is not easy to know this will happen, it will happen every five years, and it will probably cause a lot of issues.

So what is the solution? Well, to monitor the gateway with Indeni of course.

Indeni checks the expiration of all certificates on the gateway, ranging from VPN to SIC, and warns before they expire.
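If you do not have a monitoring product doing this for you, the same kind of check is easy to script. The Python below is an added example for this post, not Indeni's or Check Point's code: it takes the `notAfter=` lines that `openssl x509 -in <cert> -noout -enddate` prints for each exported certificate, works out how many days remain, and grades each certificate as expired, critical, warning, info or ok against thresholds you choose (the 30/90-day values mirror the lead time the policy-install warning gives you). The inventory, the dates and the gateway names are constructed for the example; the `enddate_from_pem` helper assumes an `openssl` binary is on the PATH.

```python
"""Certificate-expiry monitor driven by `openssl x509 -noout -enddate` output.

Added example for this post; it is not Indeni's or Check Point's code.
Assumes every certificate of interest (VPN, SIC, ICA, ...) has been exported
to PEM and its expiry line produced with:
    openssl x509 -in <file> -noout -enddate
"""
import subprocess
from datetime import datetime, timezone

# Severity levels; the mapping lets max() pick the worst one in a report.
OK, INFO, WARNING, CRITICAL, EXPIRED = "ok", "info", "warning", "critical", "expired"
SEVERITY_ORDER = {OK: 0, INFO: 1, WARNING: 2, CRITICAL: 3, EXPIRED: 4}


def parse_enddate(line):
    """Parse 'notAfter=Jun  1 09:00:00 2022 GMT' into an aware UTC datetime."""
    if not line.startswith("notAfter="):
        raise ValueError(f"not an openssl -enddate line: {line!r}")
    text = line[len("notAfter="):].strip()
    if not text.endswith(" GMT"):
        raise ValueError(f"unexpected timezone in {text!r}")
    # openssl pads single-digit days with a space ("Jun  1"); collapse it.
    text = " ".join(text[:-4].split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def enddate_from_pem(path):
    """Run openssl on a PEM file and return its notAfter line (needs openssl on PATH)."""
    out = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-enddate"],
                         check=True, capture_output=True, text=True).stdout
    return out.strip()


def classify(not_after, now, warn_days=90, crit_days=30, info_days=180):
    """Return (severity, days_left); a negative days_left means already expired."""
    days_left = (not_after - now).days
    if days_left < 0:
        return EXPIRED, days_left
    if days_left <= crit_days:
        return CRITICAL, days_left
    if days_left <= warn_days:
        return WARNING, days_left
    if days_left <= info_days:
        return INFO, days_left
    return OK, days_left


def build_report(inventory, now, **thresholds):
    """inventory: iterable of (name, enddate line). Rows come back worst-first."""
    rows = []
    for name, line in inventory:
        not_after = parse_enddate(line)
        severity, days_left = classify(not_after, now, **thresholds)
        rows.append({"name": name, "not_after": not_after,
                     "days_left": days_left, "severity": severity})
    rows.sort(key=lambda r: (-SEVERITY_ORDER[r["severity"]], r["days_left"]))
    return rows


def worst_severity(rows):
    """Overall status for the whole inventory, e.g. to drive an alert."""
    return max((r["severity"] for r in rows), key=SEVERITY_ORDER.get, default=OK)


# Constructed sample inventory (hypothetical gateway names and dates), frozen
# at a fixed "now" so the example is reproducible offline.
SAMPLE_NOW = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    ("hq-cluster / VPN certificate", "notAfter=May 28 09:00:00 2017 GMT"),  # already expired
    ("hq-cluster / SIC certificate", "notAfter=Jun 20 09:00:00 2017 GMT"),  # 19 days left
    ("branch-gw1 / VPN certificate", "notAfter=Aug 15 09:00:00 2017 GMT"),  # 75 days left
    ("mgmt / ICA certificate",       "notAfter=Jun  1 09:00:00 2022 GMT"),  # five years out
]

if __name__ == "__main__":
    report = build_report(SAMPLE_INVENTORY, SAMPLE_NOW)
    for r in report:
        print(f"{r['severity']:8} {r['days_left']:6d}d  {r['name']}  "
              f"(expires {r['not_after']:%Y-%m-%d})")
    print("overall:", worst_severity(report))
```

Run it from cron with the real `now` and an inventory built from `enddate_from_pem` on each exported certificate, and alert on `worst_severity` rather than on individual rows; that way a five-year certificate still surfaces months ahead of its expiry instead of only in a policy-install dialog nobody opens.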

Agreed, this is one of the things that won me over about Indeni too. Certificate management in general is a tricky thing, since it typically involves more than one or two groups (admin, engineers, procurement, etc.). These are the kinds of things that lurk silently in the background and, for something so simply addressed, can cause a complete outage if no proactive action is taken. Who puts a 5-year reminder in their calendar to check all certificates for each firewall? And to your point Johnathan, as much as it's not best practice to ignore them, it's far too easy to get into a habit of ignoring policy install warnings.