sorinstf
Contributor

Anti-Bot update failed. Update failed. Contract entitlement check failed.

Hello Check mates, 

I've generated and installed 2 evaluation licenses on 2x 3600 on R81.20 JHA T41 to test the AntiBot feature.

There is an error message in MDS: Error: Update failed. Contract entitlement check failed. Could not establish SSL connection to "updates.checkpoint.com". Problem with local certificate.

This cluster is accessing the internet via Zscaler. Is this error due to Zscaler doing MITM?

[Expert@pugw01:0]# curl_cli -v -k https://updates.checkpoint.com/WebService/Monitor
*   Trying 23.62.161.196...
* TCP_NODELAY set
* Connected to updates.checkpoint.com (23.62.161.196) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Fri May 17 19:18:48 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Fri May 17 19:18:48 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Fri May 17 19:18:48 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
*  subject: CN=*.checkpoint.com
*  start date: May 11 04:24:57 2024 GMT
*  expire date: May 25 04:24:57 2024 GMT
*  issuer: C=XX; L=XYZ; ST=ABC; O=ZscalerCloud; OU=ZscalerCloud; CN=ZscalerCloud (t)
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< Content-Type: text/html
< Server: Apache-Coyote/1.1
< Content-Length: 10
< Date: Fri, 17 May 2024 19:18:48 GMT
< Connection: keep-alive
<
status=OK
* Connection #0 to host updates.checkpoint.com left intact

Accepted Solutions
Lesley
Leader

This traffic should be bypassed as stated in this sk:

https://support.checkpoint.com/results/sk/sk98655

In this case the inspection takes place on the gateway itself, but I think you get the point.

-------
If you like this post please give a thumbs up(kudo)! 🙂

sorinstf
Contributor

I first added the gw IP addresses, but they were using the VIP to access updates.checkpoint.com. Once I added the cluster VIP address, it worked.

I would have expected updates to be received from MDS the same way IPS updates are received, but it looks like this is a missing feature. 
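
Added example, not written by any poster in this thread: a bash function that reads `curl_cli -v -k` output like the one in the question and reports whether the certificate was issued by an inspecting proxy. The expected-issuer regex and both sample inputs are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example: classify `curl_cli -v -k` output for TLS inspection.
# The expected-issuer regex is an operator-supplied assumption, not from the thread.

# Constructed sample: certificate lines as quoted in the question.
sample_inspected() { cat <<'EOF'
* Server certificate:
*  subject: CN=*.checkpoint.com
*  issuer: C=XX; L=XYZ; ST=ABC; O=ZscalerCloud; OU=ZscalerCloud; CN=ZscalerCloud (t)
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
< HTTP/1.1 200 OK
EOF
}

# Constructed sample: a chain that verifies (the issuer name is made up).
sample_direct() { cat <<'EOF'
* Server certificate:
*  subject: CN=*.checkpoint.com
*  issuer: C=XX; O=Example Public CA; CN=Example Public CA G1
*  SSL certificate verify ok.
< HTTP/1.1 200 OK
EOF
}

# classify_tls EXPECTED_ISSUER_RE   (curl -v output on stdin)
# Prints verdict and issuer; returns 0 direct, 1 inspected, 2 no certificate seen.
classify_tls() {
    expected_re=$1
    out=$(cat)
    issuer=$(printf '%s\n' "$out" | sed -n 's/^\* *issuer: *//p' | head -n 1)
    verify=$(printf '%s\n' "$out" | sed -n 's/^\* *SSL certificate verify *//p' | head -n 1)
    [ -n "$issuer" ] || { echo "no-certificate-seen"; return 2; }
    case $verify in ok*) chain_ok=1 ;; *) chain_ok=0 ;; esac
    if printf '%s\n' "$issuer" | grep -Eq "$expected_re" && [ "$chain_ok" -eq 1 ]; then
        echo "direct issuer=[$issuer]"; return 0
    fi
    # With -k, curl continues past a failed verification, so the HTTP 200 in
    # the output says nothing about whether a verifying client can connect.
    echo "inspected issuer=[$issuer] verify=[$verify]"; return 1
}

# Live use (verbose output goes to stderr, hence 2>&1):
#   curl_cli -v -k https://updates.checkpoint.com/WebService/Monitor 2>&1 | classify_tls '<issuer regex>'
sample_inspected | classify_tls 'O=Example Public CA' || true
```

On the output quoted in the question this reports `inspected`, even though the same run ended with `HTTP/1.1 200 OK` and `status=OK`.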
