topic Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy in Cloud Firewall

Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Razotevs — Tue, 15 Feb 2022 18:45:41 GMT

Hello,

I am hitting the following problem with R81.10 management and R81.10 VMSS on Azure. Applying "__Monitor__RestrictivePolicy" out of nowhere.

Cme.log shows "API call failed:set package. Message:: requested object not found" but pushing manually the very same policy is working every time.

On top of that the image of the security gateways is missing "cloud_balancer_port=8117" in fwkern.conf and newly provisioned instances are not returning the health probes, respectively azure load balancer is not sending traffic because thinks they are unhealthy. Adding it manually works for the minimum count of the VMSS but is not scalable automatic solution.

Autoprov_cfg show all seems correct with the right policy and vSec controller is working fine. API status is ready, CME test is passing as also.

Any idea how to proceed? I've opened SR with Checkpoint TAC, but it's been 10 days and no development.

Thanks

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Martin_Valenta — Wed, 16 Feb 2022 05:31:30 GMT

how do you have configured policy package for Restrictive policy? This must be assigned to "all Gateway" and in case if you have global policy, this policy must be without global rules.

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Shay_Levin — Wed, 16 Feb 2022 07:25:38 GMT

HI,

What is the CME version you are running? Please run on the management 'cpinfo -y all'

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Razotevs — Wed, 16 Feb 2022 07:48:53 GMT

It should be up to date. I've applied the latest jumbo fix. Nothing fancy with the management. Just a standalone 81.10 from the Azure marketplace without multi-domain. The __Monitor__resctrictive_policy is WEB API created with Cleanup rule only and applied to all gateways

[Expert@cpmngmweu:0]# cpinfo -y all

This is Check Point CPinfo Build 914000219 for GAIA
[IDA]
No hotfixes..

[MGMT]
HOTFIX_R81_10_JUMBO_HF_MAIN Take: 30

[CPFC]
No hotfixes..

[FW1]
HOTFIX_NGM_DOCTOR_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_R81_10_JUMBO_HF_MAIN Take: 30
HOTFIX_GOT_MGMT_AUTOUPDATE
HOTFIX_WEBCONSOLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE

FW1 build number:
This is Check Point Security Management Server R81.10 - Build 002
This is Check Point's software version R81.10 - Build 006

[SecurePlatform]
HOTFIX_R81_10_JUMBO_HF_MAIN Take: 30

[AutoUpdater]
No hotfixes..

[CPinfo]
No hotfixes..

[DIAG]
No hotfixes..

[Reporting Module]
HOTFIX_R81_10_JUMBO_HF_MAIN Take: 30

[CPuepm]
HOTFIX_R81_10_JUMBO_HF_MAIN Take: 30

[VSEC]
HOTFIX_R81_10_JUMBO_HF_MAIN Take: 30

[CPDepCon]
No hotfixes..

[CPRepMan]
No hotfixes..

[SmartLog]
No hotfixes..

[SFWR77CMP]
No hotfixes..

[SFWR80CMP]
No hotfixes..

[R77CMP]
No hotfixes..

[R8040CMP]
No hotfixes..

[MGMTAPI]
No hotfixes..

[CPUpdates]
BUNDLE_CPSDC_AUTOUPDATE Take: 19
BUNDLE_GENERAL_AUTOUPDATE Take: 12
BUNDLE_INFRA_AUTOUPDATE Take: 52
BUNDLE_CME_AUTOUPDATE Take: 181
BUNDLE_R81.10_SC Take: 335
BUNDLE_NGM_DOCTOR_AUTOUPDATE Take: 15
BUNDLE_R81_10_JUMBO_HF_MAIN_SC Take: 14
BUNDLE_CORE_FILE_UPLOADER_AUTOUPDATE Take: 11
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 23
BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 14
BUNDLE_R81_10_JUMBO_HF_MAIN Take: 30
BUNDLE_DC_CONTENT_AUTOUPDATE Take: 12
BUNDLE_GOT_MGMT_AUTOUPDATE Take: 95
BUNDLE_DC_INFRA_AUTOUPDATE Take: 26
BUNDLE_WEBCONSOLE_AUTOUPDATE Take: 48
BUNDLE_HCP_AUTOUPDATE Take: 49
BUNDLE_GOT_TPCONF_MGMT_AUTOUPDATE Take: 34

[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE

[itp_wrapper]
HOTFIX_GOT_MGMT_AUTOUPDATE

[core_uploader]
HOTFIX_CHARON_HF

[CME]
HOTFIX_CME_AUTOUPDATE

[cpsdc_wrapper]
HOTFIX_CPSDC_AUTOUPDATE

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Shay_Levin — Wed, 16 Feb 2022 08:09:33 GMT

@arielto Can you please take a look?

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Razotevs — Wed, 16 Feb 2022 11:35:21 GMT

This might point you in the right direction. Tried those errors on Google, but none of the solutions suggested seems to work in my scenario.

[Expert@cpmngmweu:0]# tail -n 50 /var/log/CPcme/cme.log
2022-02-16 13:31:40,712 CME_SERVICE INFO Configuration was not complete
2022-02-16 13:31:40,712 CME_SERVICE INFO Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU state is changed to: UPDATING
2022-02-16 13:31:40,712 CME_SERVICE INFO SIC has successfully been established between management CPmngm-weu and gateway Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU
2022-02-16 13:31:40,713 CME_SERVICE INFO Resetting gateway Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU
2022-02-16 13:31:41,463 CME_SERVICE INFO Setting policy None on gateway Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU
2022-02-16 13:31:46,042 CME_SERVICE INFO Init IDA blade for gateway: Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU
2022-02-16 13:31:46,742 CME_SERVICE INFO IDA IAAPI portal already configured. skip to next step
2022-02-16 13:31:46,742 CME_SERVICE INFO IDA authorized clients (local host) already configured. skip to next step
2022-02-16 13:31:48,895 CME_SERVICE INFO Identity awareness software blade has been successfully added for gateway Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU
2022-02-16 13:31:53,674 CME_SERVICE INFO HTTPS Inspection was successfully set
2022-02-16 13:32:00,960 CME_SERVICE INFO Setting policy Standart on gateway Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU
2022-02-16 13:32:00,990 CME_SERVICE INFO Resetting gateway Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU
2022-02-16 13:32:02,708 CME_SERVICE INFO Setting policy None on gateway Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU
2022-02-16 13:32:02,708 CME_SERVICE ERROR Failed to provision the gateway instance Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU.
Error details: Management API failure (set-package)..
2022-02-16 13:32:02,712 CME_SERVICE ERROR Error traceback: Traceback (most recent call last):
File "/opt/CPcme/service/cme_service.py", line 524, in sync
instance, gw, auto_hf)
cme_exceptions.cme_exceptions.ManagementApiException: Error Code: Management API error

API call failed: set-package. Message: : Requested object [Standart] not found
2022-02-16 13:32:02,712 CME_SERVICE INFO Configuration was not complete
2022-02-16 13:32:02,712 CME_SERVICE INFO Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU state is changed to: UPDATING
2022-02-16 13:32:02,712 CME_SERVICE INFO SIC has successfully been established between management CPmngm-weu and gateway Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU
2022-02-16 13:32:02,712 CME_SERVICE INFO Resetting gateway Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU
2022-02-16 13:32:03,461 CME_SERVICE INFO Setting policy None on gateway Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU
2022-02-16 13:32:08,167 CME_SERVICE INFO Init IDA blade for gateway: Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU
2022-02-16 13:32:09,246 CME_SERVICE INFO IDA IAAPI portal already configured. skip to next step
2022-02-16 13:32:09,246 CME_SERVICE INFO IDA authorized clients (local host) already configured. skip to next step
2022-02-16 13:32:11,484 CME_SERVICE INFO Identity awareness software blade has been successfully added for gateway Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU
2022-02-16 13:32:16,060 CME_SERVICE INFO HTTPS Inspection was successfully set
2022-02-16 13:32:22,954 CME_SERVICE INFO Setting policy Standart on gateway Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU
2022-02-16 13:32:22,984 CME_SERVICE INFO Resetting gateway Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU
2022-02-16 13:32:23,998 CME_SERVICE INFO Setting policy None on gateway Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU
2022-02-16 13:32:23,999 CME_SERVICE ERROR Failed to provision the gateway instance Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU.
Error details: Management API failure (set-package)..
2022-02-16 13:32:24,002 CME_SERVICE ERROR Error traceback: Traceback (most recent call last):
File "/opt/CPcme/service/cme_service.py", line 524, in sync
instance, gw, auto_hf)
cme_exceptions.cme_exceptions.ManagementApiException: Error Code: Management API error

API call failed: set-package. Message: : Requested object [Standart] not found
2022-02-16 13:32:24,002 CME_SERVICE INFO
2022-02-16 13:32:25,689 CME_SERVICE INFO
2022-02-16 13:32:25,689 CME_SERVICE INFO The gateways known by the management at the end of the iteration are:
2022-02-16 13:32:25,689 CME_SERVICE INFO 1: Azure--CPNorthVMSS_0--HUB-NORTHBOUND-WEU managed-virtual-gateway|__once__ - None
2022-02-16 13:32:25,689 CME_SERVICE INFO 2: Azure--CPNorthVMSS_1--HUB-NORTHBOUND-WEU managed-virtual-gateway|__once__ - None
2022-02-16 13:32:25,689 CME_SERVICE INFO
2022-02-16 13:32:25,690 CME_SERVICE INFO ********** End of the iteration number 7 for gateway instances. Iteration time: 0:00:52.196951 **********
2022-02-16 13:32:25,690 CME_SERVICE INFO

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Martin_Valenta — Wed, 16 Feb 2022 11:39:16 GMT

per log it's looking for package called "Standard", but it cannot find it..

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Roman_Kats — Wed, 16 Feb 2022 11:41:17 GMT

Hi @Razotevs
Can you please verify the Standart package exists in the SmartConsole?
The default policy package we have is Standard and not Standart

Thanks,

Roman

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Razotevs — Wed, 16 Feb 2022 12:52:34 GMT

Thank you for the help all. All the Standart/StandarD got me thinking about it. Now my policy was "Standart" and was manually created by me. Apparently you have StandarD as stated.

After all all those names seems reserved or default or something like that, so I just decided to change the name to something far less controversial and harder to make a mistake. Jut changing the policy to MyName_TEST and all of a sudden CME extension is adding load balancer port = 8117 and pushing __Monitor__restrictive, but few seconds later pushing and the right one from the Autoprovision.json.

Have a great day ahead and thanks

Svetozar

topic Re: Azure cloudguard VMSS health probes on 8117 and __monitor__restrictive policy in Cloud Firewall

Azure cloudguard VMSS health probes on 8117 and __monitor__restrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and __monitor__restrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and __monitor__restrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and __monitor__restrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and __monitor__restrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and __monitor__restrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and __monitor__restrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and __monitor__restrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and __monitor__restrictive policy

topic Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy in Cloud Firewall

Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy

Re: Azure cloudguard VMSS health probes on 8117 and monitorrestrictive policy