Gateway Cannot Access Certificate Authority: Check Point Alert Guide
This is a real-life sample alert from the Indeni alert guide for Check Point Firewalls for Proactive Network Management.
Some of the certificate authority (CA) servers that this device is configured to use during authentication (for example, for VPN) are not accessible. The CA servers for which an issue has been found are listed below. This may result in VPN tunnel failure (according to SK100731).
Unreachable Certificate Authorities
Manual Remediation Steps:
Identify why the device cannot initiate a connection with the listed certificate authorities and correct as soon as possible.
How does this alert work?
Indeni connects to all gateways and management servers and determines which gateways are configured to connect to which certificate authorities. In most cases, these are the internal certificate authorities (ICA) running on the SmartCenter/Provider-1/Multi-Domain-Manager. Then, for each gateway, Indeni tests connectivity from the gateway itself to certain ports (such as 18264) on the certificate authority server. If the test fails, an alert is issued.
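
A reachability check in the spirit of the test described above, as an added example that is not Indeni's or Check Point's own code: it attempts a TCP connection to each CA and separates DNS failure, timeout and refusal, which helps with the remediation step of identifying why the connection fails. The names `probe` and `unreachable_cas` and the hint texts are assumptions made for this example, and the script is assumed to run from a host that shares the gateway's network path to the CA.

```python
import socket

ICA_PORT = 18264  # the port this page names; other ports may also be tested

# General TCP troubleshooting hints per outcome (added here, not vendor guidance).
HINTS = {
    "open": "TCP handshake completed",
    "dns_failure": "CA host name does not resolve from this host",
    "timeout": "no reply: check routing and any packet filter on the path",
    "refused": "host answered but nothing is listening on the port",
    "unreachable": "network error: check routes and interface state",
}

def probe(host, port=ICA_PORT, timeout=3.0):
    """Try one TCP connection per resolved address; return (status, detail)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failure", str(exc)
    result = ("unreachable", "no address to try")
    for family, socktype, proto, _name, addr in infos:
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
            return "open", addr[0]
        except socket.timeout:
            result = ("timeout", addr[0])
        except ConnectionRefusedError:
            result = ("refused", addr[0])
        except OSError as exc:
            result = ("unreachable", f"{addr[0]}: {exc}")
        finally:
            sock.close()
    return result

def unreachable_cas(targets, timeout=3.0):
    """Return [(host, port, status, hint)] for every CA that is not 'open'."""
    failures = []
    for host, port in targets:
        status, _detail = probe(host, port, timeout)
        if status != "open":
            failures.append((host, port, status, HINTS[status]))
    return failures

if __name__ == "__main__":
    # Constructed demo: a local listener stands in for a reachable CA.
    with socket.socket() as ca:
        ca.bind(("127.0.0.1", 0))
        ca.listen(1)
        print(unreachable_cas([("127.0.0.1", ca.getsockname()[1])]))
```

An empty list from `unreachable_cas` means every listed CA accepted the connection; each returned tuple names the host, port, failure class and the first thing to check.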