This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jerry
Mentor
Mentor
‎2020-06-04 03:29 AM
Jump to solution

Error: Update failed. Contract entitlement check failed. Gateway can not access internet

Error: Update failed. Contract entitlement check failed. Gateway can not access internet ("https://updates.checkpoint.com/WebService/services/DownloadMetaDataService"). Check connectivity and proxy settings.

 

6 SG's and 3 SMS's has at this very time same error - anyone else has it just now or something has happened on the CP Clould side?

would appreciate heads up. 

  Anti-Bot Update Status  
Name Value
Status
 

 

Failed
Description Update failed. Contract entitlement check failed. Gateway can not access internet ("https://updates.checkpoint.com/WebService/services/DownloadMetaDataService"). Check connectivity and proxy settings.
Next update The next try will be within one hour.
Version 2006022334

 

cheers

Jerry
0 Kudos
1 Solution

Accepted Solutions
Dorit_Dor
Employee
Employee
‎2020-06-05 01:23 AM
In response to Jerry
Jump to solution

To sum up 

1. Indeed there was a CRL (Certificate revocation list) challenge (Certificate is naturally 3rd party certificate and therefore CRL check is also dependent on the same 3rd party) that caused failure on updates downloads 

2. Indeed the response took more than desired 

3. During the incident, we did identify the issue fast but it was not as easy to resolve and one would have hoped 

4. We take this incident seriously and I am confident that we will avoid this single point of failure in the future.

Thank you for the feedback and collaboration 

Dorit 

BTW Its also opportunity for other IT leaders in the forum to leverage the same lesson and check if there is critical service that is dependent on CRL check. 

 

 

View solution in original post

42 Replies
Ilya_Avetisyan
Contributor
‎2020-06-04 03:33 AM
Jump to solution

Hi
I see the same with our 4 appliances
0 Kudos
Jerry
Mentor
Mentor
‎2020-06-04 03:34 AM
In response to Ilya_Avetisyan
Jump to solution

meaning we've got an issues with AntiBot Contract(s) entitlement on the CP side - anyone else ?
Jerry
0 Kudos
moritz_r
Participant
Participant
‎2020-06-04 03:36 AM
Jump to solution

Hello @Jerry , it seems there is a issue with the update services from checkpoint. multiple customers complains about this issue and we are facing it as well.
After askning TAC I receved an feedback: "currently having an issue with our cloud and this is the reason for the issue"

I hope it will be solved soon.

Best regards

0 Kudos
Jerry
Mentor
Mentor
‎2020-06-04 03:38 AM
In response to moritz_r
Jump to solution

awesome, would be great if such circumstances could be announced on CheckMates as well in a form of TABLE of the "SERVICE STATUS" or something - don't you think chaps?
@PhoneBoy
@Heiko
@TimHall
@Danny

cheers
Jerry
Wolfgang
Authority
Authority
‎2020-06-04 03:49 AM
In response to Jerry
Jump to solution

https://status.checkpoint.com/

 

Wolfgang

Jerry
Mentor
Mentor
‎2020-06-04 03:50 AM
In response to Wolfgang
Jump to solution

oh sugar, sorry forgot about that one, cheers Wolfgang! spot on 🙂
Jerry
0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-06-04 03:51 AM
In response to Jerry
Jump to solution

Posted workaround for the problem earlier today if you are interested:

https://community.checkpoint.com/t5/General-Topics/Failure-to-fetch-updates-from-CheckPoint-servers/...

Jerry
Mentor
Mentor
‎2020-06-04 03:53 AM
In response to HristoGrigorov
Jump to solution

awesome! works like a charm, cheers!
Jerry
0 Kudos
anstelios
Collaborator
‎2020-06-04 05:06 AM
In response to HristoGrigorov
Jump to solution

Any chance this is resolving the cloud emulation problem also ??

Probably not but has anyone tried it??

0 Kudos
Wolfgang
Authority
Authority
‎2020-06-04 03:54 AM
In response to Jerry
Jump to solution

@_Val_  remind us this morning ...

https://community.checkpoint.com/t5/General-Topics/All-updates-and-Upgrade-Checks-are-failing/m-p/87...

Wolfgang

Jerry
Mentor
Mentor
‎2020-06-04 03:56 AM
In response to Wolfgang
Jump to solution

my apology, overlooked that post sorry 😞 but now all is crystal clear.

cheers to all ! EOT and awaiting a "fix" 😛
Jerry
0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-06-04 03:58 AM
In response to Jerry
Jump to solution

No worries. Happy it works for you as well 😀

0 Kudos
_Val_
Admin
Admin
‎2020-06-04 10:21 PM
In response to Wolfgang
Jump to solution

All back to normal

0 Kudos
_Val_
Admin
Admin
‎2020-06-04 10:22 PM
Jump to solution

Services are restored. It was an third party issue, just FYI

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-06-04 10:24 PM
In response to _Val_
Jump to solution

Third-party is involved in delivering updates? Should I be worried ? 🤔

0 Kudos
Jerry
Mentor
Mentor
‎2020-06-05 12:01 AM
In response to HristoGrigorov
Jump to solution

time for

#cpprod_util CPPROD_SetValue "CPshared//6.0//reserved//libCurl" crl_disable 1 01

am I right Hristo? 🙂

reg. 3rd Party - that's how you call it but in fact it is usually someone called "Supplier" and that isn't anything to worry about 🙂
Jerry
0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-06-05 12:06 AM
In response to Jerry
Jump to solution

Yes, that command will re-enable CRL checks in curl_cli. But it is 1 0 1 and not 1 01, sorry I fixed it in my post.

You may run curl_cli -v ... after that to test it.

I am personally going to leave it disabled. Don't care too much if CheckPoint certificates are revoked as long as updates are working 🙂

I was joking about the third-party... Think, even your ISP is such one. 😀

0 Kudos
Jerry
Mentor
Mentor
‎2020-06-05 12:12 AM
In response to HristoGrigorov
Jump to solution

[Expert@cp:0]# curl_cli -v -k https://updates.checkpoint.com/WebService/services/DownloadMetaDataService
* Trying 23.217.5.127...
* Connected to updates.checkpoint.com (23.217.5.127) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5:!aECDH:!EDH
* *** Current date is: Fri Jun 5 08:12:04 2020
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Fri Jun 5 08:12:04 2020
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* err is -1, detail is 2
* *** Current date is: Fri Jun 5 08:12:04 2020
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* err is -1, detail is 2
* *** Current date is: Fri Jun 5 08:12:04 2020
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: crl_disable from registry: 1
* servercert: CRL validation was disabled
* Server certificate:
* subject: CN=*.checkpoint.com
* start date: Jun 4 13:23:27 2020 GMT
* expire date: Sep 7 13:23:27 2022 GMT
* issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA DV SSL CA 2018
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
< HTTP/1.1 200 OK
< Content-Type: text/xml;charset=UTF-8
< Content-Length: 410
< Server: Apache-Coyote/1.1
< Date: Fri, 05 Jun 2020 07:12:05 GMT
< Connection: keep-alive
<
* Connection #0 to host updates.checkpoint.com left intact
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><checkpoint:BusinessFault xmlns:checkpoint="urn:downloadcenter"><checkpoint:BusinessFault><checkpoint:code>002</checkpoint:code><checkpoint:message>Request Invalid</checkpoint:message><checkpoint:details>XML Translation Failed</checkpoint:details></checkpoint:BusinessFault></checkpoint:BusinessFault></soap:Body></soap:Envelope>
Jerry
0 Kudos
_Val_
Admin
Admin
‎2020-06-05 12:22 AM
In response to HristoGrigorov
Jump to solution

There was as CRL issue with signing CA. Which is public, third party. Jerry kinda hinted to in the comments below

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-06-05 12:25 AM
In response to _Val_
Jump to solution

@_Val_ I posted yesterday in the morning that there is an issue with CRL validation in curl_cli. I don't know why it took you so long to realize that in CheckPoint 🙂

@Jerry CRL check is still disabled?

0 Kudos
_Val_
Admin
Admin
‎2020-06-05 12:26 AM
In response to HristoGrigorov
Jump to solution

we did know that from the start. you point is?

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-06-05 12:49 AM
In response to _Val_
Jump to solution

@_Val_ My point is that investigation started in the morning and notification it is identified and fix implemented came in the evening.

0 Kudos
HristoGrigorov
Mentor
Mentor
‎2020-06-05 12:52 AM
In response to HristoGrigorov
Jump to solution

@Jerry Here's output when it is enabled:

* servercert: crl_disable from registry: 0
* servercert: crl_download_timeout: 10
* servercert: crl_weak_validation: 1
* servercert: Calling cp_verify_certificate
* servercert: cp_verify_certificate returned: CURLE_OK

0 Kudos
Jerry
Mentor
Mentor
‎2020-06-05 12:54 AM
In response to HristoGrigorov
Jump to solution

yes, I did notice but I'm on a different topic now so sorry for my late answer - I bet they'll get into the bottom of that, am I right @Valerie ?

cheers guys!
Jerry
0 Kudos
_Val_
Admin
Admin
‎2020-06-07 11:50 PM
In response to HristoGrigorov
Jump to solution

I believe Dorit has addressed this point already. 

Thank you for your feedback.

0 Kudos
Jerry
Mentor
Mentor
‎2020-06-05 12:27 AM
In response to HristoGrigorov
Jump to solution

CRL checks enabled and all works like a charm - why? 🙂
Jerry
0 Kudos
_Val_
Admin
Admin
‎2020-06-05 12:40 AM
In response to Jerry
Jump to solution

because it is now fixed, AFAIK.

0 Kudos
Jerry
Mentor
Mentor
‎2020-06-05 12:42 AM
In response to _Val_
Jump to solution

@Val - my reply was to Hristo asking me if it is still disabled on my side 😄
Jerry
HristoGrigorov
Mentor
Mentor
‎2020-06-05 12:47 AM
In response to Jerry
Jump to solution

@Jerry Look what it says:

* servercert: crl_disable from registry: 1
* servercert: CRL validation was disabled

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events