Mastering Compliance
Unveiling the power of Compliance Blade
SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend
May the 4th (+4)
Navigating Paradigm Shifts in Cyber
CPX 2024 Content
is Here!
Harmony SaaS
The most advanced prevention
for SaaS-based threats
CheckMates Go:
CPX 2024 Recap
|
6 SG's and 3 SMS's has at this very time same error - anyone else has it just now or something has happened on the CP Clould side?
would appreciate heads up.
|
||||||||||
|
cheers
To sum up
1. Indeed there was a CRL (Certificate revocation list) challenge (Certificate is naturally 3rd party certificate and therefore CRL check is also dependent on the same 3rd party) that caused failure on updates downloads
2. Indeed the response took more than desired
3. During the incident, we did identify the issue fast but it was not as easy to resolve and one would have hoped
4. We take this incident seriously and I am confident that we will avoid this single point of failure in the future.
Thank you for the feedback and collaboration
Dorit
BTW Its also opportunity for other IT leaders in the forum to leverage the same lesson and check if there is critical service that is dependent on CRL check.
Hello @Jerry , it seems there is a issue with the update services from checkpoint. multiple customers complains about this issue and we are facing it as well.
After askning TAC I receved an feedback: "currently having an issue with our cloud and this is the reason for the issue"
I hope it will be solved soon.
Best regards
Posted workaround for the problem earlier today if you are interested:
Any chance this is resolving the cloud emulation problem also ??
Probably not but has anyone tried it??
@_Val_ remind us this morning ...
Wolfgang
No worries. Happy it works for you as well 😀
All back to normal
Services are restored. It was an third party issue, just FYI
Third-party is involved in delivering updates? Should I be worried ? 🤔
Yes, that command will re-enable CRL checks in curl_cli. But it is 1 0 1 and not 1 01, sorry I fixed it in my post.
You may run curl_cli -v ... after that to test it.
I am personally going to leave it disabled. Don't care too much if CheckPoint certificates are revoked as long as updates are working 🙂
I was joking about the third-party... Think, even your ISP is such one. 😀
There was as CRL issue with signing CA. Which is public, third party. Jerry kinda hinted to in the comments below
we did know that from the start. you point is?
@_Val_ My point is that investigation started in the morning and notification it is identified and fix implemented came in the evening.
@Jerry Here's output when it is enabled:
* servercert: crl_disable from registry: 0
* servercert: crl_download_timeout: 10
* servercert: crl_weak_validation: 1
* servercert: Calling cp_verify_certificate
* servercert: cp_verify_certificate returned: CURLE_OK
I believe Dorit has addressed this point already.
Thank you for your feedback.
because it is now fixed, AFAIK.
@Jerry Look what it says:
* servercert: crl_disable from registry: 1
* servercert: CRL validation was disabled
|
6 SG's and 3 SMS's has at this very time same error - anyone else has it just now or something has happened on the CP Clould side?
would appreciate heads up.
|
|||||||
|
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 20 | |
| 18 | |
| 12 | |
| 11 | |
| 6 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 4 |
Thu 02 May 2024 @ 04:00 PM (CEST)
CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WANThu 02 May 2024 @ 05:00 PM (CEST)
SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single WeekendAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
.png "Wolfgang"){kind=avatar}
