Will try this one. Does this issue only not reaching the checkpoint cloud via CPuse or the other updates are included like for the IPS and App Control? TIA

I recall all else worked fine, no issues...updates, pings, curl_cli, routing, etc...ONLY issue was exactly what you had mentioned.

Hello @emmap. At first that is my initial assumption, but after installing the CRL fix, it does not disappear and still can't check for updates. 

iam running r82 management with take 60 and CRL_VALIDATION Hotfix Take 5. cpuse is working without any problems.

which dns servers you are using? check your logs if you can reach them.

@Daniel_Hainich I am using google dns since it is only a lab environment. My gateway currently running take 44, maybe I'll try to install JHF take 60 then CRL Hotfix. 

as @emmap wrote, check your network settings. dns should work also with take 44 / without hotfix. whats on with the log? does your policy allow dns to google?

Based on logs, looks like it is intermittent, I already installed the Take 44 CRL Hotfix since it includes that Check Point Updates and Services issue may occur, but it does not resolve the issue.

What is the full error in the installer logs?

Does it contain "Connection Error, FDT - Unexpected error code"?

Please be aware that you will need to remove the hotfix of take 44 before moving to take 60 otherwise you will get a conflict.

I am using google DNS since it is only a lab environment.

I think you need to troubleshoot this DNS problem before worrying about making CPUSE work. What devices are in path that might be blocking it?

@emmap actullay there is still no conenected device in the gateway. I just finished the First time Wizard Configuration and trying to install hotfix using cpuse, btw my policy is set to any-any since it is only a lab environment.

What do you mean there are no connected devices, how is it getting internet access to ping out?

Ohh what I mean is my lab is only in VM, but the next-hop is the firewall here in my working space, but I verified that the connection from my lab going to the internet is allowed. 

Hello @Martijn Yes, the DA is updated. I attached the result of the curl command.

Same issue here. With the -k option it's ok, with -v not.

CRL_VALIDATION Hotfix for R82 is installed on both Gateways and the Management Server (R82 Take 60).

Is there a solution for this available ?

did you installed the crl patch? https://support.checkpoint.com/results/sk/sk184766

Nope. we would like to wait until its included in future jhf.

Funny thing is that they were up to date after upgrade. 

Upon upgrading is it renewing the IPsec and internal certificates automatically ?
Checking ipsec certificate it still the old generated before upgrade. Or is this not relevant ?

Hi,

I would advice to install the hotfix. Just as a test to see if this solves your issue.

Martijn

Would this hotfix make a workaround for future installations of release JHF ?

Mike,

I assume this hotfix will be merged into any future JHF is this is needed.

Sometimes you can install a new JHF directly on a system with a seperate hotfix. But sometimes you need to uninstall the hotfix before installing a new JHF.

Always perform a verify before installing a hotfix/JHF and read the release notes.

Martijn 

Thanks!

It depends if issue fixed in private portfix is already included in JHF you are trying to install.

If yes, you will not get any warning/error during CPUSE update of JHF, since issue is already part of JHF. The private portfix will be removed from cpinfo -y all output.

If issue in private portfix is not yet included in JHF, you get warning and installation of JHF will be blocked.

@Mar 

Just an update. The CPuse is now working.  I installed the Recommended JHF take 60 and the relevat CRL for this take. I don't know if the CRL fix fix the issue, because it does not take effect immediately after installing the CRL fix, but it is the only thing I've done in my gateway. Anyways, it is working now. Thanks to everyone for your help.