Re: Smart Console and Proxy PAC?

VikingsFan

Finally decided to try and figure out why automatic updates checking has never worked for us. I found this SK: https://support.checkpoint.com/results/sk/sk171315 and in the file it shows: <UpdateCheckError>FDT_COULD_NOT_CONNECT</UpdateCheckError>

I tried excluding updates.checkpoint.com from SSL inspection on our web proxy but that didn't help. I then excluded updates.checkpoint.com from the Proxy PAC file and confirmed that browsing to it from a browser does not show the proxy cert. Update check still shows FDT_COULD_NOT_CONNECT.

But if I disable the proxy PAC on my machine (everything goes straight out), Smart Console checks fine and displays the version. Is Smart Console not compatible with a Proxy PAC or am I doing something wrong?

PhoneBoy

Possible something like this could be used to force an explicit proxy in this case: https://support.checkpoint.com/results/sk/sk89920

VikingsFan

Looks promising but I don't want to change the gateway or mgmt server behavior and it sounds like this setting might? I just need Smart Console to get out direct or honor the proxy pac.

VikingsFan

Very strange but did a little more playing around with the PAC file and not sure if Smart Console has some odd issue it can't read a PAC file but this is what I found out...

Get the error:

(dnsDomainIs(host, ".updates.checkpoint.com")) ||
(host == "updates.checkpoint.com") ||

Worked:

(dnsDomainIs(host, ".checkpoint.com")) ||

On the firewall, I only see a single connection out during the update check time and it's to updates.checkpoint.com. Unsure why I had to exclude the entire domain for it to function.

PhoneBoy

Seems like a bug of some sort for sure.

Are you a member of CheckMates?

Smart Console and Proxy PAC?