Configuring the warning for an imminent certificate expiry

Whenever the certificate of an SN firewall is close to expiry, the health status of the firewall switches to Not critical in the firewall monitoring window.

Once the certificate has expired, the firewall's health status becomes Critical.

By default, the firewall starts displaying the Not critical status 30 days before the certificate expires.

The environment variable FWADMIN_SNS_CERTS_PROBE_EXPIRATION_DELAY allows this period to be configured. The lowest value allowed is one day.

To change the default 30-day period:

  1. Log in to the SMC server via the console port or over SSH using the “root” account.
  2. Change the value of the environment variable FWADMIN_SNS_CERTS_PROBE_EXPIRATION_DELAY. For example: FWADMIN_SNS_CERTS_PROBE_EXPIRATION_DELAY = 20
  3. Restart the server with the command nrestart fwadmin-server.
  4. Deploy the configuration again on the firewalls.

The imminent expiry of certificates is also indicated in the Configuration > Certificates panel.

If you have changed the warning period, but have not yet redeployed the configuration on the firewalls, the status of certificates indicated in the Certificates panel (information provided by the SMC server) may not immediately match the firewall health status indicated in the monitoring panel (information provided by firewalls).
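
As an added example (not Stormshield code), the Python sketch below applies the same thresholds to `notAfter=` lines as printed by `openssl x509 -enddate -noout`, so that certificate expiry can be cross-checked independently of either panel. The firewall names and dates are constructed, and the "OK" label, the rejection of values below one day and the handling of a certificate exactly at the threshold are assumptions of this example.

```python
import os
from datetime import datetime, timedelta, timezone

ENV_VAR = "FWADMIN_SNS_CERTS_PROBE_EXPIRATION_DELAY"  # variable named on the page
DEFAULT_DELAY_DAYS = 30  # default warning period stated on the page
MIN_DELAY_DAYS = 1       # lowest value allowed, per the page

# Constructed sample: firewall name -> output of `openssl x509 -enddate -noout`
SAMPLE_INVENTORY = {
    "fw-branch-01": "notAfter=Jun  1 12:00:00 2025 GMT",
    "fw-branch-02": "notAfter=May  1 00:00:00 2025 GMT",
    "fw-hq-01": "notAfter=Dec 31 23:59:59 2025 GMT",
}

def warning_delay_days(environ=os.environ):
    """Return the warning period in days; rejecting bad values is an assumption."""
    raw = (environ.get(ENV_VAR) or "").strip()
    if not raw:
        return DEFAULT_DELAY_DAYS
    days = int(raw)  # raises ValueError on non-numeric input
    if days < MIN_DELAY_DAYS:
        raise ValueError(f"{ENV_VAR} must be at least {MIN_DELAY_DAYS}, got {days}")
    return days

def parse_not_after(line):
    """Parse one 'notAfter=Mon DD HH:MM:SS YYYY GMT' line into an aware datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError(f"not a notAfter line: {line!r}")
    normalized = " ".join(value.split())  # collapse the padded day field
    parsed = datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def health_status(not_after, now, delay_days):
    """Map remaining lifetime to the status names used on the page."""
    if now >= not_after:
        return "Critical"      # certificate has expired
    if not_after - now <= timedelta(days=delay_days):
        return "Not critical"  # inside the warning period (boundary included)
    return "OK"                # label chosen for this example

def audit(inventory, now, delay_days):
    """Classify every certificate in the inventory."""
    return {name: health_status(parse_not_after(line), now, delay_days)
            for name, line in inventory.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY, datetime.now(timezone.utc),
                              warning_delay_days()).items():
        print(f"{name}: {status}")
```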

For further information regarding the Certificates panel, refer to the section Managing certificates and certification authorities.