This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
sorinstf
Contributor
‎2024-05-17 12:35 PM
Jump to solution

Anti-Bot update failed. Update failed. Contract entitlement check failed.

Hello Check mates, 

I've generated and installed 2 evaluation licenses on 2x 3600 on R81.20 JHA T41 to test AntiBot feature. 

There is an error message in MDS : Error: Update failed. Contract entitlement check failed. Could not establish SSL connection to "updates.checkpoint.com". Problem with local certificate.

This cluster accessing the internet via Zscaler.  Is this error due to Zscaler doing MITM ? 

Expert@pugw01:0]# curl_cli -v -k https://updates.checkpoint.com/WebService/Monitor
*   Trying 23.62.161.196...
* TCP_NODELAY set
* Connected to updates.checkpoint.com (23.62.161.196) port 443 (#0)
* ALPN, offering http/1.1
* *** Current date is: Fri May 17 19:18:48 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Fri May 17 19:18:48 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Fri May 17 19:18:48 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* servercert: Activated
* servercert: CRL validation was disabled
* Server certificate:
*  subject: CN=*.checkpoint.com
*  start date: May 11 04:24:57 2024 GMT
*  expire date: May 25 04:24:57 2024 GMT
*  issuer: C=XX; L=XYZ; ST=ABC; O=ZscalerCloud; OU=ZscalerCloud; CN=ZscalerCloud (t)
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* servercert: Finished
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 200 OK
< Content-Type: text/html
< Server: Apache-Coyote/1.1
< Content-Length: 10
< Date: Fri, 17 May 2024 19:18:48 GMT
< Connection: keep-alive
<
status=OK
* Connection #0 to host updates.checkpoint.com left intact
0 Kudos
1 Solution

Accepted Solutions
Lesley
Advisor
‎2024-05-17 12:51 PM
Jump to solution

This traffic should be bypassed as stated in this sk:

https://support.checkpoint.com/results/sk/sk98655

In this case the inspection takes place on the gateway itself but i think you get the point. 

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

(1)
2 Replies
Lesley
Advisor
‎2024-05-17 12:51 PM
Jump to solution

This traffic should be bypassed as stated in this sk:

https://support.checkpoint.com/results/sk/sk98655

In this case the inspection takes place on the gateway itself but i think you get the point. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
(1)
sorinstf
Contributor
‎2024-05-22 02:43 AM
In response to Lesley
Jump to solution

I first added gw Ip addresses, but they were using VIP to access updates.checkpoint.com. Once I added cluster VIP  address it worked. 

I would have expected updates to be received from MDS the same way IPS updates are received, but it looks like this is a missing feature. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events