R81.20 Gateways with CME not supported?

Doeschi — Wed, 25 Jan 2023 13:35:14 GMT

Hi all,

we tried to deploy some new R81.20 gateways in a GWLB setup and failed with the CME setup. We've got the following setup:

Version of the MDS Server:

CheckPoint R81.10 JHF 66

autoprov_cfg -v
CME Version: Build: 991592204 Take: 222

parts of: autoprov_cfg show all
controllers:
"aws_island":
access-key: xxxxxxxxxxxxxxxxxxxxxxx
class: AWS
regions:
- eu-central-1
- eu-south-1
secret-key: "__protected__autoprovision/controllers/xxxxxxxxxxxxxxxxxx/secret-key"
sync:
gateway: true
templates:
- "aws_island_R8040"
- "aws_island_R8120"

templates:
"aws_island_R8120":
application-control: true
health-check-ip-range: "10.123.0.0,10.123.255.255"
identity-awareness: true
ips: true
one-time-password: "__protected__autoprovision/xxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxx/one-time-password"
policy: "AWS_Integration"
send-alerts-to-server: fwlogxxxxxxxxxxxx
send-logs-to-server: fwlogxxxxxxxxxxxxxx
url-filtering: true
version: "R81.20"

----------------------------

cme.log shows:

2023-01-24 15:30:56,437 CME_SERVICE INFO aws_island--i-000bbdec1f6babbd2--eu-central-1 state is changed to: ADDING
2023-01-24 15:30:56,469 CME_SERVICE ERROR Failed to provision the Security Gateway instance aws_island--i-000bbdec1f6babbd2--eu-central-1.
Error details: Management API failure (add-simple-gateway)..
2023-01-24 15:30:56,480 CME_SERVICE ERROR Error traceback: Traceback (most recent call last):
File "/opt/CPcme/service/cme_service.py", line 536, in sync
instance, gw, auto_hf)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 1755, in set_gateway
args = self.establish_gateway(instance, gw)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 198, in establish_gateway
simple_gateway=simple_gateway)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 244, in configure_gateway_metadata
remove_if_ip_exists_in_cpm=True)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 286, in add_gateway_to_cpm
self.management(CPMCommand.ADD_SIMPLE_GATEWAY, gw)
File "/opt/CPcme/cp_handlers/mgmt_handler.py", line 177, in __call__
silent=silent)
File "/opt/CPcme/cp_handlers/mgmt_api_handler.py", line 126, in __call__
CMEExceptionCodes.MGMT_API, command=command)
cme_exceptions.cme_exceptions.ManagementApiException: Error Code: Management API error

API call failed with command: add-simple-gateway
Payload: {'name': 'aws_island--i-000bbdec1f6babbd2--eu-central-1', 'ip-address': '10.123.242.12', 'interfaces': [{'name': 'eth0', 'ipv4-address': '10.123.242.12', 'ipv4-mask-length': 28, 'anti-spoofing': False, 'topology': 'internal'}],
*****, 'version': 'R81.20', 'comments': '{tags=managed-virtual-gateway}'}
Error details: {'code': 'generic_err_invalid_parameter', 'message': 'Invalid parameter for [version]. The invalid value [R81.20] should be replaced by one of the following values: [R75.40 and above]'}

While R81.10 seems to work as version string, R81.20 does not ;-). Any ideas?

Re: R81.20 Gateways with CME not supported?

natanelm — Wed, 25 Jan 2023 20:18:54 GMT

Hi @Doeschi,

Please see Jumbo Hotfix Accumulator for R81.10.

JHF take 82 note: Added ability for R81.10 Security Management and Multi-Domain Security Management Server to manage R81.20 Security Gateways. It Requires R81.10 SmartConsole Build 412 (or higher).

You mentioned that your MDS version is R81.10 JHF 66, so you probably need to install JHF take 82 or higher.

Thanks,
Natanel

Re: R81.20 Gateways with CME not supported?

Doeschi — Thu, 26 Jan 2023 08:17:18 GMT

Thanks, must have missed that... will give it a try, upgrading our mds isn't a small task tho 😅

Re: R81.20 Gateways with CME not supported?

Amir_Senn — Sun, 29 Jan 2023 09:33:32 GMT

We started supporting CPUSE upgrade for MDS/MGMT in AWS.

Try with this:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk177714

topic Re: R81.20 Gateways with CME not supported? in Cloud Firewall

R81.20 Gateways with CME not supported?

Re: R81.20 Gateways with CME not supported?

Re: R81.20 Gateways with CME not supported?

Re: R81.20 Gateways with CME not supported?