topic Re: Gateway update IPS failed in Firewall and Security Management

Gateway update IPS failed

leangm — Thu, 01 Dec 2022 06:37:57 GMT

Hi community

Checkpoint 6900 Gaia R81.10 JHF Take 44

firewall running as HA active/standby

test connection from both firewall to https://updates.checkpoint.com look connection is okay

firewall standby IPS can retrieve the update

for firewall active IPS update failed reference check the attached screenshot. Does anyone knows the solution how to fix it update fails?

[Expert@dcfw01:0]# curl_cli -v -k https://updates.checkpoint.com
* Rebuilt URL to: https://updates.checkpoint.com/
* Trying 23.193.221.184...
* TCP_NODELAY set
* Connected to updates.checkpoint.com (23.193.221.184) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Wed Nov 30 14:36:11 2022
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Wed Nov 30 14:36:11 2022
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
* subject: CN=*.checkpoint.com
* start date: Dec 7 13:19:55 2021 GMT
* expire date: Jan 8 13:19:55 2023 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Content-Length: 15
< Server: awselb/2.0
< Date: Wed, 30 Nov 2022 07:36:11 GMT
< Connection: keep-alive
<
* Connection #0 to host updates.checkpoint.com left intact
[Expert@dcfw01:0]#

Re: Gateway update IPS failed

the_rock — Thu, 01 Dec 2022 12:51:16 GMT

I will tell you 3 times I encountered this scenario and how it was fixed, twice in lab and once with customer. Personally, I dont see much logic in it, but it did work, so take it for what its worth ; - )

scenario 1 -> In my lab back in R81 base (cant recall jumbo), had mgmt + single gateway, same problem as you, kept refreshing monitor option few times in dashboard for the object, no luck, pushed policy 3-4 times and finally turned green. Since upgraded to R81.10, no issues

scenario 2 -> R81.10 lab (same distrib config as scenario 1), had to reboot the gateway when this happened and worked fine after

scenario 3 -> Customer had an issue with backup gateway as you, so we issues clusterXL_admin down and clusterXL_admin up on current active, which caused failover to member 2 (one with the issue), we pushed policy and then all worked. Once cluster got upgraded later to newer version, all still worked fine

So, to conclude, its still puzzling to me why this would happen in the first place, since I confirmed in all 3 cases that licenses/contracts were 100% fine.

Re: Gateway update IPS failed

Lesley — Thu, 01 Dec 2022 12:55:24 GMT

Hello,

Run 'ips stat' on both gateways and compare output. Sometimes Smartview monitor can give wrong ouput.

Re: Gateway update IPS failed

the_rock — Thu, 01 Dec 2022 12:59:16 GMT

Good point @Lesley