
Checkpoint VMSS deployment - Auto-provision test fails

Hi guys,

I am deploying the Checkpoint VMSS solution in Azure.

For some reason the autoprovision test is failing with the below error -

Traceback (most recent call last):
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 4160, in <module>
rc = main(sys.argv)
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 4135, in main
test()
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 4047, in test
cls.test(cls, name=name, management=config['management']['name'], **c)
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/monitor.py", line 1995, in test
'GET', '/subscriptions/' + options['subscription'])
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 411, in arm
with self.get_token() as token:
File "/etc/fw/Python/lib/python2.7/contextlib.py", line 17, in __enter__
return self.gen.next()
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 355, in get_token
headers=headers, pool=self.pool, max_time=self.max_time)
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 108, in request
max_time)
File "/opt/CPsuite-R80.20/fw1/scripts/autoprovision/azure.py", line 190, in request_curl
raise CurlException(headers, args_no_auth)
CurlException: curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

 

Any idea what could be the issue? I am using the latest autoprovision.cfg - version 509

 

0 Kudos
5 Replies

Re: Checkpoint VMSS deployment - Auto-provision test fails

Have you triple checked the syntax of your autoprovision script (to include your Subscription ID, App Registration/clientID, Tenant ID and your Secret phrase)?

We had to go through the script building process several times. It's best that you don't tinker with the XML file and use the autoprov-cfg command to build the script out.

You mess one character up in the XML file and it's game over and you'll be scratching your head forever.

 

0 Kudos

Re: Checkpoint VMSS deployment - Auto-provision test fails

Yes, I have checked the syntax; everything looks perfect.

Also, with autoprovision-cfg show all, I can see the proper settings.

It's only when I run the service test command that I get this error.

I have not touched any settings anywhere else.

Btw, what version of autoprovisioning did you run? Maybe the latest (version 509) is buggy... Thoughts?

0 Kudos

Re: Checkpoint VMSS deployment - Auto-provision test fails

I have re-initialised the autoprovision service multiple times in different management servers as well but with no luck. 

 

@PhoneBoy - Is this a known bug for the autoprovision (ver-509) on R80.30?

I have raised an SR on this with TAC; just wanted to know if you have any info or relevant folks that can look at this as a priority.

 

Issue recap - 

Checkpoint VMSS in Azure setup - Autoprovision issue

Installed the latest autoprovision (version - 509) and initialized the autoprovision service with the initial syntax successfully.

 

The autoprovision show all - displays all the correct values for mn, tn, controllers, etc.

However, the "services autoprovision test" command fails with some SSL error. Refer to the attachment.

0 Kudos

Re: Checkpoint VMSS deployment - Auto-provision test fails

So it turns out the SMS is behind a gateway firewall which has HTTPS inspection enabled, causing the SSL error on the test script.

After adding a temporary bypass rule, I am able to get the test to run successfully.

I wonder why the Checkpoint autoprovision script is not compatible with HTTPS inspection on Checkpoint. Sounds funny.

@PhoneBoy - Worth raising this with R&D.

0 Kudos
Admin

Re: Checkpoint VMSS deployment - Auto-provision test fails

The CA store used by the autoprovisioning process does not include the CA key used for HTTPS Inspection on managed gateways.
As a result, it's unable to validate the TLS certificate presented by the gateway when the connection is inspected, causing the connection to fail.
I suppose this could be automatically updated somehow, but that'd be an RFE.
0 Kudos
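
Added example, not part of the thread and not Check Point's code: a small checker for the failure mode described in the last reply, run over the "Certificate chain" section that `openssl s_client -showcerts` prints. The hostname, CA names and trusted-root set are constructed assumptions, and matching on subject names is a simplification of real signature verification.

```python
import re

# Constructed samples of `openssl s_client -showcerts` chain output; hostname and CA names are assumptions.
INSPECTED = """Certificate chain
 0 s:CN = login.microsoftonline.com
   i:O = ExampleCorp, CN = ExampleCorp HTTPS Inspection CA
 1 s:O = ExampleCorp, CN = ExampleCorp HTTPS Inspection CA
   i:O = ExampleCorp, CN = ExampleCorp HTTPS Inspection CA
"""
DIRECT = """Certificate chain
 0 s:CN = login.microsoftonline.com
   i:C = US, O = Example Public CA, CN = Example Issuing CA 1
 1 s:C = US, O = Example Public CA, CN = Example Issuing CA 1
   i:C = US, O = Example Public CA, CN = Example Public Root
"""
# Subjects assumed to be present in the client's CA bundle (constructed).
TRUSTED = {"C = US, O = Example Public CA, CN = Example Public Root"}

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.+)$")
_ISSUER = re.compile(r"^\s+i:(.+)$")

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    chain, pending = [], None
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = _ISSUER.match(line)
        if m and pending:
            chain.append(pending + (m.group(1).strip(),))
            pending = None
    return chain

def diagnose(text, trusted=TRUSTED):
    """Classify a presented chain against the set of trusted root subjects."""
    chain = parse_chain(text)
    if not chain:
        return ("no-chain", None)
    for _, subject, issuer in chain:
        # A self-signed certificate the client does not trust is what curl
        # reports as (60) "self signed certificate in certificate chain".
        if subject == issuer and subject not in trusted:
            return ("untrusted-self-signed-in-chain", subject)
    top_issuer = chain[-1][2]
    if top_issuer in trusted:
        return ("chains-to-trusted-root", top_issuer)
    return ("unknown-issuer", top_issuer)
```

An `untrusted-self-signed-in-chain` result naming an internal CA points at an inspecting device on the path rather than at the autoprovision configuration.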