This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RasmusH
Participant
‎2021-05-03 05:26 AM

Removing Blades from Offline gatway

Hi Checkmates! 

We have an issue with our management(MDS) when an Identity Awareness -blade is not disabled/removed before the gate is taken offline.
ex:
One of our gateways was taken offline. And all gates in our environment has IA-blade enabled for the sake of being able to handle network tags from AWS and Azure. (Data Center Objects).

But when a gate with IA is not responsive you get a time out in the round robin update of data center objects/tags

Checkpoint management server error:
"
03/05/21 11:16:27,565 ERROR datacenter.util.CommandExec [gateway-updater_<GATEWAYNAME>]: Command '[/opt/CPshrd-R80.40/bin/cprid_util, -server, <GW-IP>, putfile, -local_file, /opt/CPmds-R80.40/customers/cma2/CPsuite-R80.40/fw1/tmp/GATEWAYNAME_vsecUpdate.sh, -remote_file, /tmp/GATEWAYNAME_vsecUpdate.sh]' failed with code 3. Stdout=''. Stderr=''.
"
"
03/05/21 12:03:04,605 ERROR ida.api.IDACpridRequestSenderClient [gateway-updater_GATEWAYNAME]: Failure 1/5 to send script file to gateway ip: <GW-IP>
"


During the period the server tries to update this gateway, all other updates is at a standstill. So with our AWS environment that is constantly changing IP's the deploys etc get slowed down with about 1 minute every 60 sec. (def update interval.) 


When like in this case a gate is offline and have IA activated. You can't simply uncheck the IA blade and install, since you can't install a offline GW. We have had other cases when gates is decommissioned and we missed to disable IA before it was shut down. Then we solved it; removing the cluster completely from the management. 

Is there a solution to disable the blade on a Offline Gateway in the management config or a better workaround for this issue? 

 

 

0 Kudos
3 Replies
Tobias_Moritz
Advisor
‎2021-05-04 08:34 AM

Have you tried disabling IA blade in the offline gateways and do an "Install database" afterwards?

I guess this would inform management about disabled IA blade for this gateway.

I've never tested this, so this is just a wild guess.

 

RasmusH
Participant
‎2021-05-07 01:04 AM
In response to Tobias_Moritz

Thanks Tobias, I will try this out, I think we might have tested it. But since our aws production is suffering during the delay period we did not have much time to test.  I will recreate the issue in a lab env en try it. 

0 Kudos
RasmusH
Participant
‎2021-12-09 01:29 AM
In response to Tobias_Moritz

Unfortunately this did not help. Even disabling IA blade and installing database, did not help our issue. 
Still get: 

779 ERROR ida.api.IDACpridRequestSenderClient [gateway-updater_GATEWAYNAME]: Failure 3/3 to send script file to gateway ip: GATEWAY-IP

 

780 ERROR ida.requests.IDARequestsSender [gateway-updater_GATEWAYNAME]: Error while attempt to connect to server: GATEWAY-IP

Making slow update/deploys on new instances in aws. Since the TAG's don't update in the management the instances don't get the correct access. Like a auto-scaled service and we get interruptions in or services. 

We are now looking (since R81) on changing the timeouts and retires in the cloud_proxy config. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events