This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AyGit
Contributor
‎2020-05-05 06:57 AM
Jump to solution

CloudGuard GCP auto-provisioning error

Hi guys

I'm trying to launch auto-provisioning of the GWs ceratd in GCP environment, however I cannot see the GWs in the SMS and I have an error following the command 'service cme test'.

I'll be pleased for your help.

The autoprov command:

autoprov_cfg init GCP -mn check-point-mgt -tn my-configuration-template -otp AZERTY1234 -ver R80.30 -po ProdPolicy -cn GCP-PRod -proj xxxxxx -cr $FWDIR/conf/xxxxxx-yyyyyyyy.json

service cme test output:

provisioned gateways:

Testing management configuration...
Testing management connectivity...
run_local Executing: ['mgmt_cli', '--root', 'true', '--format', 'json', 'login'] with:
data=None
env=None
Return code= 0
Output={
"api-server-version" : "1.5",
"last-login-was-at" : {
"iso-8601" : "2020-05-04T15:08+0000",
"posix" : 1588604896
},
"read-only" : false,
"session-timeout" : 600,
"sid" : "aaaaa",
"standby" : false,
"uid" : "bbbbb",
"url" : "https://127.0.0.1:443/web_api"
}
New management session: bbbbb
The take-over-session API failed: : Unrecognized parameter [__no_such_parameter__]
Discarding management session: ccccc
The get-interfaces-sync API failed: : Unrecognized parameter [__no_such_parameter__]
**********
All tests passed successfully
**********

0 Kudos
1 Solution

Accepted Solutions
AyGit
Contributor
‎2020-05-14 03:06 AM
In response to Shay_Levin
Jump to solution

Thanks Shay

Issue resolved through the 2 actions:

  1. Activate API & Services in GCP
  2. Add a Data Center object in order to retrieve the components in GCP 
    New >> Servers >> Data Centers >> name 'GCP' >> Import Service Account json file >> Test Connection

Then the autoprov command is a success! 
A reminder of the command:
         autoprov_cfg init GCP -mn check-point-mgt -tn my-template -otp AZERY1234 -ver R80.30 -po Standard -cn GCP -proj AAAAAAA -cr $FWDIR/conf/AAAAAAA-BBBBBBB.json

View solution in original post

7 Replies
Dmitry_Gorn
Employee
Employee
‎2020-05-06 08:37 AM
Jump to solution

Hi,
There are no actual errors in the output. The following lines can be ignored (this is a known issue that will be fixed in future CME versions):
New management session: bbbbb
The take-over-session API failed: : Unrecognized parameter [__no_such_parameter__]
Discarding management session: ccccc
The get-interfaces-sync API failed: : Unrecognized parameter [__no_such_parameter__]

In order to check the exact issue please open a support ticket to have a support engineer confirm correct CME configurations.

Regards,
Dmitry
Shay_Levin
Admin
Admin
‎2020-05-06 11:09 AM
Jump to solution

Hi,

where is the SMS ? ( network topology)

what did you choose in the cloudguard MIG template, configure the gateways with the public ip or private ip ?

 

0 Kudos
AyGit
Contributor
‎2020-05-06 05:13 PM
In response to Shay_Levin
Jump to solution

Hi Shay

The architecture is the same as the document. I put the SMS in a dedicated VPC named 'mng', subnet 10.2.0.0/24.
The peering is established between 'External VPC' security-subnet (10.1.0.0./24) and 'mng' VPC. So internal flow is OK.

I choosed public IP for SMS and GWs.
The template is include in the attached file.

Regards

Preview file
14 KB
0 Kudos
Shay_Levin
Admin
Admin
‎2020-05-07 09:46 AM
In response to AyGit
Jump to solution

Hi Again, 

Few comments:

1. In the auto-provisioning command, you used sic:  AZERTY1234  , which I believe that you choose.

On GCP, After you start deployment of CloudGuard AutoScale Template , on the deployment manager output you will see a SIC key that was generated automatically, you will need to take the value and use it on the template.

You can create new template easily 

autoprov-cfg add template -tn my-configuration-template-2 -otp <SIC-Value-You-Got-After-AutoScale-Depoyment> -ver R80.30 -po ProdPolicy

 ** On AWS and Azure , you have a filed to put your own SIC when you fill the template parameters for AutoScaling 

      In GCP you don't have this option.

 

2. Regarding the Management, When you deploy Management on GCP , you don't have the option to choose if you want that the management object would use the public IP. ( it always use the private IP)

On the Autoscaling template for the gateways you choose to use for managing the public IP

In this case, when you will open SmatConsole, you will see that the Management object has private IP and the gateways objects have public ip.

The management will access the GW from outside to the public IP of the GW and the gateways know only the private IP of the Management so they will access the private IP of the Management.

It will not work.

A workaround would be to edit the Management object and to replace the private ip with the public ip.

3. Also, On the management, did you install the latest CME ?  https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

      

 

 

0 Kudos
AyGit
Contributor
‎2020-05-08 12:06 PM
In response to Shay_Levin
Jump to solution

Hey,

1. Indeed, I retrieved in the deployment manger section the correct SIC and put the value in the command injected in the SMS.

2. I will use the workaround, as soon as I can retrieve the GWs I created in GCP. Tried again but still nothing ...

2020-05-08_20h51_53.png

3.Done also

2020-05-08_21h03_50.png

Hope, I'll have a solution 🙂

0 Kudos
Shay_Levin
Admin
Admin
‎2020-05-08 12:11 PM
In response to AyGit
Jump to solution

Pls drop me an email when you are available next week.
Let’s look on it together.
shayl@checkpoint.com
0 Kudos
AyGit
Contributor
‎2020-05-14 03:06 AM
In response to Shay_Levin
Jump to solution

Thanks Shay

Issue resolved through the 2 actions:

  1. Activate API & Services in GCP
  2. Add a Data Center object in order to retrieve the components in GCP 
    New >> Servers >> Data Centers >> name 'GCP' >> Import Service Account json file >> Test Connection

Then the autoprov command is a success! 
A reminder of the command:
         autoprov_cfg init GCP -mn check-point-mgt -tn my-template -otp AZERY1234 -ver R80.30 -po Standard -cn GCP -proj AAAAAAA -cr $FWDIR/conf/AAAAAAA-BBBBBBB.json

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events