Thank you, Ted and Matthew, for the replies.

Now I understand.

Huiqi

-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:[email protected]] On Behalf Of Matthew Odendaal
Sent: 09 November 2011 17:07
To: [email protected]
Subject: Re: [FW-1] Management station downtime

Having the management station offline is generally okay, but yes, 
certificate-based VPNs could be at risk. This is especially problematic if you 
have internal VPNs to other Check Point devices (including Edge devices) 
managed by the same management station.

We had this happen to one of our customers. If memory serves, the gateway by 
default will cache the CRL for 24 hours, so it won't fail immediately. However, 
24 hours after the gateway performed its last CRL check, the certificate-based 
VPNs fail if the management station isn't available.

Definitely something worth considering if you have internal Check Point to Check 
Point VPNs.

Cheers
Matthew
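
The failure mode Ted asks about below and Matthew describes above, reproduced with OpenSSL as an added example (this is not code from the thread, and not Check Point's own CRL-cache implementation): a stand-in CA plays the management station, a leaf certificate plays the gateway, and a CRL is issued with a 24-hour validity window to mirror a CRL the gateway fetched and cached at time zero. CRL-checked validation passes while the clock is inside that window and fails once it is past nextUpdate with no fresh CRL available, even though nothing was revoked. The CA and gateway names, the 24-hour window and the verify_at helper are assumptions for illustration; the script needs the openssl binary.

```shell
#!/bin/sh
# Added example, not from the thread: a cert-based peer whose cached CRL has
# expired fails CRL-checked validation even though nothing was revoked.
# Stand-in CA = "management station", leaf cert = "gateway". Needs openssl.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so 'openssl ca -gencrl' and 'openssl req' run without a
# system openssl.cnf. Names and the 24h CRL window are assumptions.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
default_md = sha256
default_days = 365
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF
: > index.txt
echo 01 > serial
echo 01 > crlnumber

# CA (the "management station") and a gateway certificate it issued.
openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=Demo Management CA" -keyout ca.key -out ca.crt -days 365 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=gw-internal" -keyout gw.key -out gw.csr 2>/dev/null
openssl x509 -req -in gw.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out gw.crt -days 365 2>/dev/null

# Empty CRL whose nextUpdate is 24 hours out: stands in for the CRL the
# gateway fetched and cached at time zero.
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt \
    -crlhours 24 -out ca.crl 2>/dev/null

# verify_at OFFSET: run CRL-checked chain validation as if the clock read
# now+OFFSET seconds, using only the cached CRL. Prints "ok" or "fail".
verify_at() {
    at=$(( $(date +%s) + $1 ))
    if openssl verify -attime "$at" -crl_check -CAfile "$WORK/ca.crt" \
           -CRLfile "$WORK/ca.crl" "$WORK/gw.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# One minute after the fetch the cached CRL is still good; 25 hours after
# it, validation fails ("CRL has expired") because no fresh CRL could be
# obtained, which is the point at which a cert-based VPN peer starts
# rejecting its partner.
verify_at 60        # ok
verify_at 90000     # fail
```

The two verify_at calls are the whole point: the certificate, the CA and the revocation status never change between them, only the validator's view of whether its CRL is still current. Any validator that treats an expired CRL as "cannot check revocation" will behave the same way when the CA that issues CRLs is switched off for longer than the CRL's validity window.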


-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:[email protected]] On Behalf Of Ted Serreyn
Sent: 09 November 2011 03:35 PM
To: [email protected]
Subject: Re: [FW-1] Management station downtime

Counter question: what happens when a VPN key is exchanged for a
certificate-based VPN when the CA CRL cannot be checked?

If you have VPNs that are certificate based rather than pre-shared-key based
(Check Point to Check Point internal primarily), you may see VPN drops when
the CRL cannot be checked on the management station.

Ted Serreyn


On 11/9/11 8:24 AM, "Liu, Huiqi" <[email protected]> wrote:

>Hello,
>
>Just want to check on this - as it has been a while since this occurred,
>and I'm hearing different stories.
>
>We are planning to shut down the management station (as a DR exercise)
>for 24 hours. Will this cause any problems with enforcements that are
>managed by it, and any VPNs? We can't push any policies obviously, but
>the enforcements should stay up, right?
>
>We are on R75.20, and a distributed environment.
>
>Many thanks,
>
>Huiqi
>
>
>Scanned by Check Point Total Security Gateway.
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
>
>Email secured by Check Point
>
