This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MaheshCheck
Explorer
‎2024-11-20 03:10 AM

Checkpoint Management Server(Open) is not getting App & URL updates

Hello Everyone,

 

Could you please anyone help us to resolve App & URL updates issue in checkpoint management server.

 

Attached Error image.

Preview file
86 KB
0 Kudos
11 Replies
AkosBakos
MVP Silver
MVP Silver
‎2024-11-20 03:50 AM

Did you try with tls 1.2 too?

----------------
\m/_(>_<)_\m/
0 Kudos
MaheshCheck
Explorer
‎2024-11-20 03:56 AM
In response to AkosBakos

Thanks but we cann't go back to TLS 1.2 as per security reasons

0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2024-11-20 04:00 AM
In response to MaheshCheck

If you do a tcpdump for this connection, what can you see in answer for hello? Maybe the server side does not answer in tls 1.3?

tls 1.3 is enabled on the gateway or on the mgmt?

akos

 

----------------
\m/_(>_<)_\m/
0 Kudos
MaheshCheck
Explorer
‎2024-11-21 01:39 AM
In response to AkosBakos

 

 

Preview file
20 KB
0 Kudos
MaheshCheck
Explorer
‎2024-11-21 01:39 AM
In response to MaheshCheck

I don't understand that Why logs are updating on TLS v1.3 but I see TLS v1.2 is enabled on MGMT sever

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-11-20 04:58 AM
In response to MaheshCheck

What do you see if you run below command?

Andy

 

[Expert@CP-MANAGEMENT:0]# curl_cli -k updates.checkpoint.com
Page not found![Expert@CP-MANAGEMENT:0]#

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
AkosBakos
MVP Silver
MVP Silver
‎2024-11-20 09:10 AM
In response to MaheshCheck

What do you see here:

show ssl tls enabled

 Akos

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-11-20 06:59 PM
In response to MaheshCheck

I also tested command @PhoneBoy ran in the lab in R81.20 and R82 lab and it answered on tls 1.3, so definitely no issues with updates site. 

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-20 10:18 AM

What version/JHF are you attempting this on?
I can assure you that updates.checkpoint.com is answering on TLS 1.3, which suggests the problem is something specific to your environment.
See attached, run from an R82 gateway:

[Expert@R82-SA:0]# curl_cli -v -l --cacert /opt/CPshrd-R82/conf/ca-bundle.crt https://updates.checkpoint.com
* Rebuilt URL to: https://updates.checkpoint.com/
*   Trying 23.197.2.122...
* TCP_NODELAY set
* Connected to updates.checkpoint.com (23.197.2.122) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /opt/CPshrd-R82/conf/ca-bundle.crt
  CApath: none
* *** Current date is: Wed Nov 20 12:15:29 2024
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* err is -1, detail is 2
* *** Current date is: Wed Nov 20 12:15:29 2024
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* servercert: Activated
* servercert: crl_download_timeout: 10
* servercert: crl_weak_validation: 1
* servercert: Calling cp_verify_certificate
* servercert: cp_verify_certificate returned: CURLE_OK
* Server certificate:
*  subject: CN=*.checkpoint.com
*  start date: Dec 31 11:43:57 2023 GMT
*  expire date: Jan 31 11:43:56 2025 GMT
* verifyhost: No 'trusted CN' provided.
*  subjectAltName: host "updates.checkpoint.com" matched cert's "*.checkpoint.com"
* verifyhost: Alternative name '*.checkpoint.com' matches the destination hostname.
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign GCC R3 DV TLS CA 2020
*  SSL certificate verify ok.
* servercert: Finished
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< Content-Length: 15
< Server: awselb/2.0
< Date: Wed, 20 Nov 2024 18:16:07 GMT
< Connection: keep-alive
< 
* Connection #0 to host updates.checkpoint.com left intact
Page not found![Expert@R82-SA:0]#

 

0 Kudos
MaheshCheck
Explorer
‎2024-11-21 01:34 AM
In response to PhoneBoy

R81.20 Jumbo Hotfix Take 84

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2024-11-21 05:22 AM
In response to MaheshCheck

Traffic not blocked on a firewall in front of mgmt? You see the traffic allowed there? NAT all good? System can access other URLs?

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events