This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Christoph
Collaborator
‎2020-04-22 01:43 AM
Jump to solution

Cannot add Contracts

Hi,

I generated 3 licenses for a MGMT server and two gateways. I installed them via Smart Update, later again via CLI.

My problem is, I cannot get the contract file to work. I tried to install it via Smart Update, file and UserCenter. Usercenter downloads the file, merges it and no status change.

I tried using: contract_util update via CLI. I get an error:

Could not reach "https://productcoverage.checkpoint.com/ProductCoverageService". Check proxy configuration on the gateway.

Using telnet or using the script @https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/sk83520-how-to-check-connectivity... I get no errors. There is no (but there was a) proxy configured. Proxy was removed from the CLI and the SmartConsole configuration.

Update: There was actually still a proxy configured. Now contract util works, but still contracts are not updated.

I have no idea what is going wrong, especially as adding a file has always worked in the past.

System is an R80.40 Management, running on VMware:

FW1 build number:
This is Check Point Security Management Server R80.40 - Build 150
This is Check Point's software version R80.40 - Build 685

Does anyone have an idea where to check? 

 

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2020-04-22 03:32 AM
In response to Christoph
Jump to solution

The most promising way is to instantly make a ticket with Account Services and have them check it - if Account Services confirms that all is correct in contracts and licenses, you will have to involve TAC.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

9 Replies
G_W_Albrecht
Legend Legend
Legend
‎2020-04-22 02:04 AM
Jump to solution

Please first download the contract file from UserCenter (MyCheckPoint > tools > Download Contract file).

Transfer it to the GW(s).

Install the Service Contract File on GW with CLI:

cplic contract put -o <file name>.xml

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Christoph
Collaborator
‎2020-04-22 02:19 AM
In response to G_W_Albrecht
Jump to solution

Thank you, unfortunately it doesn't work. I'm right now only licensing the MGMT, as the GWs are not set up.

[Expert@fwm:0]# cplic contract put -o contracts.xml
Host Expiration Features
10.10.10.10 never CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M CK-00-00-00-00-00-00
10.10.10.10 never CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M CK-00-00-00-00-00-00
10.10.10.10 never CPSM-C-5 CPSM-NGSM CPSB-WKFL-5 CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-MPTL CPSB-UDIR C PSB-PRVS CPSB-COMP-5 CPSB-COMP-5 CPSB-COMP-5 CPSB-COMP-5 CPSB-SME-5 CPSB-RPRT-N-C1000 CK-1234567890AB

[Expert@fwm:0]# cplic print
Host Expiration Features
10.10.10.10 never CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M CK-00-00-00-00-00-00
10.10.10.10 never CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M CK-00-00-00-00-00-00
10.10.10.10 never CPSM-C-5 CPSM-NGSM CPSB-WKFL-5 CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-MPTL CPSB-UDIR CPSB-PRVS CPSB-COMP-5 CPSB-COMP-5 CPSB-COMP-5 CPSB-COMP-5 CPSB-SME-5 CPSB-RPRT-N-C1000 CK-1234567890AB

(IP/CK altered)

There is no output after cplic print that starts with:

Contract Coverage:

# ID Expiration SKU
===+===========+============+====================

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-04-22 02:28 AM
In response to Christoph
Jump to solution

You wrote that you generated licenses - usually, those are bought and then show up in UserCenter with the Services and their license time. What should be in your contract ? 

If you do a fresh install, you have the PnP license active with all services enabled, and if you use a Eval you will have to activate the blades to be tested.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Christoph
Collaborator
‎2020-04-22 02:38 AM
In response to G_W_Albrecht
Jump to solution

> You wrote that you generated licenses - usually, those are bought and then show up in UserCenter with the Services and their license time.

Right, I went to the usercenter and selected the license and generated a license file for the management server and and the two undeployed gateways. The latter are undetached in the repository.

> What should be in your contract ? 

I.e. Smart Event, Compliance, coverage in general for the management. If I push the contract file, SmartUpdate, but also cplic as said before show nothing.

> If you do a fresh install, you have the PnP license active with all services enabled, and if you use a Eval you will have to activate the blades to be tested.

This was a fresh install. The PnP (? build in timed license) was replaced by the production license. I haven't tried an eval yet.

Somehow this feels like a software bug. Strange thing is, besides activating blades, installing the license and trying to install the contracts, proxy config and OS parameters, nothing was done until now.

Update: I will update the Management Server to release 294 first, before continuing.

Update: Was already at 294. Installed an Eval, now I have contract coverage, but only for the Eval:(

 

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-04-22 02:56 AM
In response to Christoph
Jump to solution

My findings with contracts, SmartUpdate and R80.xx is that it works best if you delete all contracts from SmartUpdate, then fetch, in SmartUpdate, the contractfile directly from the UserCenter.
Then leave it to establish itself fro a day.

From the gateway always run the Contract_util mgmt after updating the contracts and leave it for a day to settle.
Regards, Maarten
Christoph
Collaborator
‎2020-04-22 02:59 AM
In response to Maarten_Sjouw
Jump to solution

Hey Maarten,

that's what I said to a coworker a few minutes ago. Will check tomorrow otherwise open a ticket and call it a day for today.

Cheers

Christoph

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-04-22 03:32 AM
In response to Christoph
Jump to solution

The most promising way is to instantly make a ticket with Account Services and have them check it - if Account Services confirms that all is correct in contracts and licenses, you will have to involve TAC.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Christoph
Collaborator
‎2020-04-23 03:06 AM
In response to G_W_Albrecht
Jump to solution

Solved:

The maintenance and product coverage hasn't begun yet. Would've been nice to see the coverage, no matter what the start/end day is on the technical end is though 😀

First hint was, I couldn't open an SR on this issue with this account.

Thank you all for your help.

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-04-23 03:19 AM
In response to Christoph
Jump to solution

Pure licensing issue, then...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top