Solved: Cannot add Contract

NghiTran · ‎2019-09-30

Hi guys.

A little back story. My company have just received the new 5600 appliance, and the task of migrating the existing 4600 is in my hand. As the actual site of the firewall (let's call that site B) is quite far, I did the Migrate Import/Export in my office (HQ), check for things, so the only task on site B is mount the 5600 on the rack, turn on the power and leave. Simple right.

And I believe the problem start here. When configuring at HQ, I can't install policy the firewall have no license (I haven't receive the actual licensing account on those days), I used my own account, generate the All In One Evaluation key and added it on the firewall (no Internet connectivity yet).

On the rack mount day, after everything is good, I added the actual license into the firewall, but some how adding the Contract file didn't work. I tried everything: UserCenter auto download, manually added with SmartUpdate, even cplic contract put - there is no error, the operation status is Succeeded, but nothing happen. \

Output of cplic print -x show that the trial license Signature is axxxxxxxxxxxx, so I cannot delete it. I wonder would that be the case? I added the screenshot of SmartUpdate and cplic print -x output in the post as well.

Please give me some advice on this.

A million thanks,

Nghi Tran.

Dorit_Dor · ‎2019-09-30

1. Contract is for annual services and it comes on top of license. license is for permanent use. Fw lic error is missing license and not contract and since you dont have the license inserted, you wont get the contracts that come with the license.

2. So leave aside contract data and look at lic commands only. I havent done this for a while but i think that if you give any product a license file, it will upload the lic’s that fit (fits the right ip or by mac) and if there wasnt an error, nothing fit.
i think that you can also try to enter by cplic one license and then if it wont fit, it will tell you (but i am not sure)

3. So look at the fit of the license you created to the machine (mac or ip) and/or call support to help you

View solution in original post

NghiTran · ‎2019-10-30

Hi everyone

Yesterday, as the "stucked" trial lic would expired on 4/11 - while the trial that my distributor generate end at 31/10, I asked him to generate another trial lic for me, waiting past the 4/11 date and try adding the licensed lic again. But when logged into SmartLicense - the licensed lics and contracts were all there.

In the time since this thread, Check Point released some HFA (I believed 2 or 3) - the appliance now stand at R80.30 Take 200. So I think one of those HFA resolved the issue.

So yeah, the problem didn't involve wrong contracts/license adding technique or anything, just some weird bug that were fixed by HFA.

Anyway, thank you everyone. Good day to you all! 🙂

View solution in original post

_Val_ · ‎2019-09-30

Trial license does not prevent adding contracts. Take a look here, this might help: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Maarten_Sjouw · ‎2019-09-30

To see if the contracts are loaded properly look at the repository in SmartUpdate.
If all shows ok there, from expert run: contract_util mgmt
before and after look at cplic print and you should see a difference.

Regards, Maarten

FedericoMeiners · ‎2019-09-30

Do you have a distributed enviroment? Based on the output it seems that your license is not properly installed.

I would suggest to generate a central trial license where you have the IP of the management server and then deploy it with SmartUpdate (Import license from file). From here right click on the gateway and attach the corresponding license (You will have only one to attach in theory).

If successful you should be able to see the license on the gateway, after that add contracts from file with SmartUpdate (Make sure to download the correct contracts from the trial product center).

Finally use the command that Maarten provieded (contract_util mgmt) from the gateway.

Hope it helps

_____

____________
https://www.linkedin.com/in/federicomeiners/

NghiTran · ‎2019-09-30

Sorry about not mentioning the deployment model. This is a Standalone gateway.

As I mentioned, and in the attached screenshot, you can see that the there is only the license listed, not the contract. So contract_util mgmt does not help.

PhoneBoy · ‎2019-09-30

contract_util can also fetch this information from UserCenter or a local file with the correct arguments.
Type contract_util to see the various arguments it supports.
I would do this over trying to using SmartUpdate.

Maarten_Sjouw · ‎2019-09-30

contract_util is the tool that adds the contracts to the gateway module and pulls this info from the management or the usercenter., that both run on the same box has nothing to do with it, point there is that they are 2 separate things running next to each other.
When you do see the contract in the repository, which I did not see in your picture, but not on the gateway contract_util is your friend.

Regards, Maarten

NghiTran · ‎2019-09-30

Thanks a lot to everyone's advice. You all had been a great help.

As for the problem, some guys from our country's Check Point distributor had been trying a lot. Apparently only the trial licenses and contract work as normal, so we are thinking that this is the problem of the license and contract itself. We are contacting Check Point to look into this, probably try generating another license and contract for us.

So yeah, we'll have to wait and see if it helps. I'll get back to you guys as soon as there is any development for this problem.

And again, thanks everyone.

Dorit_Dor · ‎2019-09-30

1. Contract is for annual services and it comes on top of license. license is for permanent use. Fw lic error is missing license and not contract and since you dont have the license inserted, you wont get the contracts that come with the license.

2. So leave aside contract data and look at lic commands only. I havent done this for a while but i think that if you give any product a license file, it will upload the lic’s that fit (fits the right ip or by mac) and if there wasnt an error, nothing fit.
i think that you can also try to enter by cplic one license and then if it wont fit, it will tell you (but i am not sure)

3. So look at the fit of the license you created to the machine (mac or ip) and/or call support to help you

View solution in original post

_Val_ · ‎2019-10-01

@Dorit_Dor is spot on. You cannot add contracts without the permanent license. Start with it, and the contracts should be fine afterwards

NghiTran · ‎2019-10-30

Hi everyone

Yesterday, as the "stucked" trial lic would expired on 4/11 - while the trial that my distributor generate end at 31/10, I asked him to generate another trial lic for me, waiting past the 4/11 date and try adding the licensed lic again. But when logged into SmartLicense - the licensed lics and contracts were all there.

In the time since this thread, Check Point released some HFA (I believed 2 or 3) - the appliance now stand at R80.30 Take 200. So I think one of those HFA resolved the issue.

So yeah, the problem didn't involve wrong contracts/license adding technique or anything, just some weird bug that were fixed by HFA.

Anyway, thank you everyone. Good day to you all! 🙂

View solution in original post