Checkpoint VMSS deployment - Auto-provision test fails
Hi Guys,
I am deploying the Checkpoint VMSS solution in Azure.
For some reason the autoprovision test is failing with the below error:
Traceback (most recent call last):
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 4160, in <module>
rc = main(sys.argv)
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 4135, in main
test()
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 4047, in test
cls.test(cls, name=name, management=config['management']['name'], **c)
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 1995, in test
'GET', '/subscriptions/' + options['subscription'])
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 411, in arm
with self.get_token() as token:
File "/etc/fw/Python/lib/python2.7/contextlib.py", line 17, in __enter__
return self.gen.next()
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 355, in get_token
headers=headers, pool=self.pool, max_time=self.max_time)
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 108, in request
max_time)
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 190, in request_curl
raise CurlException(headers, args_no_auth)
CurlException: curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
Any idea what could be the issue? I am using the latest autoprovision.cfg - version 509
Have you triple checked the syntax of your autoprovision script (to include your Subscription ID, App Registration/clientID, Tenant ID and your Secret phrase)?
We had to go through the script building process several times. It's best that you don't tinker with the XML file and use the autoprov-cfg command to build the script out.
You mess one character up in the XML file and it's game over and you'll be scratching your head forever.
Yes, I have checked the syntax, everything looks perfect.
Also, with autoprovision-cfg show all, I can see the proper settings.
It's only when I run the service test command that I get this error.
I have not touched any settings anywhere else.
Btw, what version of autoprovisioning did you run? Maybe the latest (version 509) is buggy... Thoughts?
I have re-initialised the autoprovision service multiple times on different management servers as well, but with no luck.
@PhoneBoy - Is this a known bug for the autoprovision (ver-509) on R80.30?
I have raised an SR on this with TAC, just wanted to know if you have any info or relevant folks that can look at this with priority.
Issue recap -
Checkpoint VMSS in Azure setup - Autoprovision issue
Installed the latest autoprovision (version - 509) and initialized the autoprovision service with the initial syntax successfully.
The autoprovision show all displays all the correct values for mn, tn, controllers, etc.
However, the "services autoprovision test" command fails with some SSL error. Refer to the attachment.
So it turns out the SMS is behind a Gateway firewall, which has HTTPS inspection enabled, causing the SSL error on the test script.
After adding a temporary bypass rule, I am able to get the test to run successfully.
I wonder why the Checkpoint autoprovision script is not compatible with HTTPS inspection on Checkpoint. Sounds funny.
@PhoneBoy - Worth raising this with R&D.
As a result, it's unable to validate the TLS certificate presented by the gateway when the connection is inspected, causing the connection to fail.
I suppose this could be automatically updated somehow, but that'd be an RFE.
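
A way to confirm the diagnosis reached in this thread before changing any rule, as an added example (not part of the original posts and not Check Point code): it parses saved `openssl s_client -showcerts` output and reports whether the chain ends in a self-signed CA other than the issuer you expect. The sample output, the host `management.azure.com` and all CA names are constructed assumptions.

```python
import re

# Constructed sample (not from the thread) of `openssl s_client -showcerts` output
# from a host behind an HTTPS-inspecting gateway. Host and CA names are assumptions.
SAMPLE_INSPECTED = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = management.azure.com
   i:O = Example Corp, CN = Example Inspection CA
 1 s:O = Example Corp, CN = Example Inspection CA
   i:O = Example Corp, CN = Example Inspection CA
---
Verify return code: 19 (self signed certificate in certificate chain)
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject>"
ISSUER_RE = re.compile(r"^\s+i:(.*)$")            # "   i:<issuer>"
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)")

def parse_s_client(text):
    """Return (chain, verify_code); chain is a list of [subject, issuer] pairs."""
    chain, code = [], None
    for line in text.splitlines():
        subj, iss, ver = SUBJECT_RE.match(line), ISSUER_RE.match(line), VERIFY_RE.search(line)
        if subj:
            chain.append([subj.group(2).strip(), None])
        elif iss and chain and chain[-1][1] is None:
            chain[-1][1] = iss.group(1).strip()
        elif ver:
            code = int(ver.group(1))
    return chain, code

def diagnose(text, expected_issuer):
    """Return (verdict, leaf_issuer); expected_issuer is a caller-supplied substring
    of the issuer name seen on the leaf when the connection is not inspected."""
    chain, code = parse_s_client(text)
    if not chain:
        return "no-chain", None
    leaf_issuer = chain[0][1] or ""
    top_subject, top_issuer = chain[-1]
    if code == 0 and expected_issuer in leaf_issuer:
        return "ok", leaf_issuer
    # Code 19: the chain ends in a self-signed CA missing from the local trust store,
    # which is what a gateway re-signing traffic with its own CA looks like.
    if code == 19 and top_subject == top_issuer and expected_issuer not in leaf_issuer:
        return "intercepted", leaf_issuer
    return "unexpected", leaf_issuer  # any other combination: inspect by hand

if __name__ == "__main__":
    print(diagnose(SAMPLE_INSPECTED, "Example Public CA"))
```

An "intercepted" verdict names the CA that signed the leaf certificate, which is the certificate the management server's trust store would need to validate for the inspected connection to succeed.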