Rabindra_Khadka
Contributor

Threat Emulation, Anti-Virus and Anti-Bot update issue (only on standby cluster)

Hello Team,

 

I faced this issue a very long time ago and it still has not been solved. There is a 5600 series Check Point appliance in cluster HA and the gateway OS version is R80.30.

What I was facing is that whenever I keep the firewall as the active cluster, all the updates are successful, and only the standby cluster always has the same issue, given below.

Threat Emulation
Error: Communication error: could not connect to cloud.


Anti-bot and Anti-virus
Error: Update failed. Contract entitlement check failed. Could not reach "updates.checkpoint.com". Check proxy configuration on the gateway.

 

I have also tried rebooting both firewalls, but the problem is still the same. In SmartLog I can see that there are update failed logs for only the standby firewall IP, and the gateway object is fetched in the management server from the internal network IP.

Is there any difference between fetching the gateway object for the internal network IP or the external network IP regarding the update?

 

 

Hope you have any suggestion for this.

 

Thank You

 

0 Kudos
3 Replies

The IP address for updates.checkpoint.com seems to be "hardcoded" in the appliance and is returning "Connection closed by foreign host" when I try 'telnet updates.checkpoint.com 443'

On the other hand when I try it from any host behind the gateway it works fine but the IPs that are returned are completely different and change from time to time (cloud service).

Your choice is how to fix it 🙂

0 Kudos
mdjmcnally
Advisor

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

addresses this directly

 

I find that it is random whether you experience this, and not all Clusters that I deploy experience the issue.

Either this SK, or I find that No-NAT rules from the Cluster Members with the services http, https will do the job if you don't want to manipulate the files.

 

 

0 Kudos
Rabindra_Khadka
Contributor

Thanks mdjmcnally,

Let me check this and update you. I hope you have already tested this.

 

 

On the Security Management Server, modify the relevant "table.def" file per sk98339 - Location of 'table.def' files on Security Management Server.

The following should be added to the 'no_hide_services_ports' configuration if traffic can not be synchronized:

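| Traffic Name | Traffic Port | Configuration in no_hide_services_ports |
|--------------|--------------|------------------------------------------|
| HTTP         | TCP port 80  | <80, 6>                                  |
| HTTPS        | TCP port 443 | <443, 6>                                 |
| DNS          | UDP port 53  | <53, 17>                                 |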
0 Kudos
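A check for the three tuples in the table quoted above, added here as an example and not taken from the thread or from Check Point. It reports which tuples a `no_hide_services_ports` definition lacks and builds the corrected line without writing any file. The sample line is constructed, and the `name = { <port, proto>, ... };` layout and all function names are assumptions.

```python
import re

# Tuples listed in the quoted table: <port, IP protocol number>.
REQUIRED = {"HTTP": (80, 6), "HTTPS": (443, 6), "DNS": (53, 17)}

# Constructed sample, not copied from a real table.def; the
# "name = { <port, proto>, ... };" layout is an assumption.
SAMPLE = "no_hide_services_ports = { <500, 17>, <259, 17>, <443,6> };\n"

# Matches only an uncommented definition at the start of a line.
_DEF = re.compile(r"^(\s*no_hide_services_ports\s*=\s*\{)([^}]*)(\}\s*;)", re.M)
_TUPLE = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")


def parse_entries(text):
    """Return the (port, proto) tuples in the definition, in file order."""
    m = _DEF.search(text)
    if m is None:
        raise ValueError("no_hide_services_ports definition not found")
    return [(int(p), int(q)) for p, q in _TUPLE.findall(m.group(2))]


def missing_services(text):
    """Names from REQUIRED whose tuple is absent from the definition."""
    present = set(parse_entries(text))
    return [name for name, t in REQUIRED.items() if t not in present]


def add_missing(text):
    """Return text with the absent REQUIRED tuples appended to the set."""
    entries = parse_entries(text)
    entries += [t for t in REQUIRED.values() if t not in entries]
    body = ", ".join(f"<{p}, {q}>" for p, q in entries)
    return _DEF.sub(lambda m: f"{m.group(1)} {body} {m.group(3)}", text, count=1)


if __name__ == "__main__":
    print("missing:", missing_services(SAMPLE))
    print(add_missing(SAMPLE), end="")
```

Run it against a copy of the file contents first and compare the output line with the original before editing anything on the management server.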