topic Re: CA Issues on AWS R81.20 Manager in Cloud Firewall

CA Issues on AWS R81.20 Manager

cdav — Wed, 21 Feb 2024 22:22:37 GMT

I have deployed an EC2 manager from market place image in AWS. I keep running into an issue where it would appear the CA services on the host are not running. Connecting via SmartConsole errors with "Failed to download CRLs". No service appears to be listening on 18264. For example if i attempt to curl google I cannot validate TLS. The same completes if i ignore TLS errors.

The instance is deployed via terraform albeit not directly from the CheckPoint supplied template. It has been extracted but gets passed all the correct and relevant parameters. The cloud_config.log and var/log/messages indicate boot and auto config ok.

[Expert@CP-Management:0]# curl_cli https://www.google.ocm
curl: (6) Couldn't resolve host 'www.google.ocm'
[Expert@CP-Management:0]# curl_cli https://www.google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Does anyone have any suggestions?

Thanks

Re: CA Issues on AWS R81.20 Manager

Chris_Atkinson — Wed, 21 Feb 2024 22:28:48 GMT

Is it the base R81.20 or with some Jumbo take applied?

Re: CA Issues on AWS R81.20 Manager

cdav — Wed, 21 Feb 2024 22:44:38 GMT

No hot fixes applied. Booted straight from AMI R81.20-BYOL Management. Runs first time wizard with config from cloud-init/cloud_config

Re: CA Issues on AWS R81.20 Manager

the_rock — Thu, 22 Feb 2024 00:36:57 GMT

I did this twice on aws, but mind you from actual cp template and all worked fine. Not sure, but seems the way you did it definitely differs.

Best,

Andy

Re: CA Issues on AWS R81.20 Manager

Chris_Atkinson — Thu, 22 Feb 2024 01:00:21 GMT

I'd suggest applying the latest recommended JHF and if the problem persists consulting TAC.

Re: CA Issues on AWS R81.20 Manager

the_rock — Thu, 22 Feb 2024 01:40:31 GMT

Agree, good point.

Best,

Andy

Re: CA Issues on AWS R81.20 Manager

cdav — Fri, 23 Feb 2024 18:29:28 GMT

To add to this I have now deployed from the CheckPoint provided TF template for management instance and run into the same error.

Re: CA Issues on AWS R81.20 Manager

the_rock — Fri, 23 Feb 2024 18:30:59 GMT

If thats the case, may need to open TAC case to check.

Andy

Re: CA Issues on AWS R81.20 Manager

Lesley — Fri, 23 Feb 2024 21:11:18 GMT

You need to open more ports. Check it out here:

https://support.checkpoint.com/results/sk/sk119134

Re: CA Issues on AWS R81.20 Manager

cdav — Sat, 24 Feb 2024 11:30:22 GMT

Hi Lesly,

I have looked at this article but it doesnt fit. Security groups for the mgmt ec2 are deployed as per template and have the 3 required ports open. Instance used to connect via SC is in the same subnet as Mgmt EC2 and has access on all ports to Mgmt host.

[Expert@mgmt-tf:0]# ss -ntlp | grep '18264\|19009\|18190'
LISTEN 0 20 *:18190 *:* users:(("fwm",pid=5517,fd=42))
LISTEN 0 5 *:18264 *:* users:(("cpca",pid=8137,fd=11))
LISTEN 0 50 *:19009 *:* users:(("java",pid=5802,fd=462))

[Expert@mgmt-tf:0]# curl_cli https://checkpoint.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html