When a user tries to renew/enroll a certificate, the Request is being sent to the Gateway from the client.
The Gateway receives the client's request and authorizes it. When the authorization is successful, the Gateway will open a new request to the ICA (Active Management) with "FW1_ica_services" service on port 18264.
- In some scenarios, when the Check Point Gateway is not located on the same network segment as the Security Management, and another security device is located on the network, between the Gateway and the Management, blocking requests between the Gateway and the Security Management on port 18264, the certificate enrollment will fail and a timeout error will be displayed on the Gateway and Endpoint client.
- In another scenario, "Accept control connection" and "Accept outgoing packets originating from the Gateway" is not selected, and traffic towards the Security Management is not allowed according to the rule base. Consequently, traffic on service "FW1_ica_services" is dropped on the Gateway, causing the certificate enrollment/renewal to fail.