Re: Update failed. Contract entitlement check fail...

AfterMath · ‎2025-04-24

Hi there

One of our Cluster comes with the error '

Update failed. Contract entitlement check failed. Gateway can not access internet ("https://updates.checkpoint.com/WebService/services/DownloadMetaDataService"). Check connectivity and proxy settings.

': Note that we are running R81.20 with the latest recomended hotfix, and we check dns and comunication, we can ping but we can note reach access..

Lesley · ‎2025-04-24

Is this a VSX setup? Is this a cluster and if so is this the stand-by member?

Do port 80 websites work? Traffic shows allowed in logging?

-------
If you like this post please give a thumbs up(kudo)! 🙂

AfterMath · ‎2025-04-24

Hi @Lesley

Not, its not! Yes its a cluster, both members, stand and active

dont work

the_rock · ‎2025-04-24

When did this happen, any idea? Does below work?

curl_cli -k google.com

Andy

AfterMath · ‎2025-04-24

Hi @the_rock

we though like was dns problem, because was not pinging updates.checkpoint.com we have set the valid dns server and know are pinging but still having problem to update.

the_rock · ‎2025-04-24

run ip r g 8.8.8.8 and please send the output

Also, check below files on the fw:

$FWDIR/appi/update/appi_statuc.C

$FWDIR/ips/update/ips_status.C

AfterMath · ‎2025-04-25

Hi @the_rock

the_rock · ‎2025-04-25

So you probably dont have app control enabled then, if 2nd command fails. Either way, looks like ips update is failing, for sure.

Question, did you try update it manually from smart console?

Andy

AfterMath · ‎2025-04-30

Hi @the_rock

App control! we dont use cp fw for urç filtering and app control..

We run 4 fw, in two cluster managed by one mgmt, everything is the same. we only have issue in first cluster,

We have tthinking that the issue may be related to the certificare, perahps!
first cluster with issue

second cluster

update manually!! i didn´t yet

the_rock · ‎2025-04-30

Well, it might be the case, but are you able to access that portal by the IP address? If yes, then I dont believe that would be causing this problem...

Andy

AfterMath · ‎2025-04-30

yes

the_rock · ‎2025-04-30

I would call TAC for this and do remote.

Andy

Henrik_J · ‎2025-04-25

Have you checked the logs to see if it is getting dropped?
If you haven't already, go into global properties and check the box that states to log implied rules.

Sometimes people deactivate these implied rules, which then can cause issues for the gateway to start its own sessions.

I have also noticed issues for gateway communications if you try to do any STATIC NAT on FWs public IP.
So double check NAT rules.

I would also check fw monitor in one seperate window when conducting tests...
See: https://tcpdump101.com/
You can use the new or old version, but old version requires to disable fwaccel / SecureXL, so if you can work with the new it's better.

There you will clearly see what and where it's sent out, and if it receives anything back at all.

the_rock · ‎2025-04-25

Glad to see my colleague's site getting "promoted" : - ). I told him about it and he said that makes him very happy, so he will definitely try spend some time to make it even better.

Anyd

Henrik_J · ‎2025-04-25

I think the site does its job perfectly.
It might look old and outdated, but to my eyes, it's simply effecient without any needless things.
Really like it.
I think it's the perfect site for people to go to to start with fw monitor, tell him thanks from me 🙂

the_rock · ‎2025-04-25

Will do! You can also contact him on twitter or whatever they call it these days...I was never big social media guy )quite frankly, never cared for it lol), but I will definitely tell him Monday when I see him.

Best,

Andy

the_rock · ‎2025-05-01

For what its worth, maybe verify below things, as per AI response.

Andy

****************************************

🔍 Error Summary:

Message:

✅ Troubleshooting Steps:

Test Internet Access from Gateway:
- Log into the CLI (via SSH or console).
- Run:
  
  bash
  
  curl -v https://updates.checkpoint.com
- Or, if curl isn't available:
  
  bash
  
  telnet updates.checkpoint.com 443
- If this fails, the gateway has no internet access or DNS resolution problems.
Check DNS Settings:
- Ensure /etc/resolv.conf has valid DNS entries.
- Test name resolution:
  
  bash
  
  nslookup updates.checkpoint.com
Check Proxy Configuration (if required):
- If you're behind a corporate proxy, you must configure it:
  - In SmartConsole: Go to Device > System Settings > Proxy.
  - Or CLI:
    
    bash
    
    dbset proxy:<proxy_address> dbset proxy_user:<username> # if required dbset proxy_password:<password> # if required
Verify Contract Entitlement:
- Ensure your gateway has a valid support contract.
- Log into your Check Point User Center account and verify your product entitlements.
Firewall Rules:
- Ensure the gateway or any upstream firewall allows outbound HTTPS (TCP 443) to:
  - updates.checkpoint.com
  - dl3.checkpoint.com
  - secureupdates.checkpoint.com
Check for Hotfixes:
- Some Check Point versions (especially older ones) may need a hotfix to support updated TLS protocols used by Check Point’s servers.
- Reference relevant SK articles (like SK83520 or SK113747) on Check Point’s support portal.

the_rock · ‎2025-04-25

By the way, since I offer this to everyone, if you are willing and allowed to do remote, happy to try and assist that way. let me know. Im in EST time zone (GMT -4)

Andy

G_W_Albrecht · ‎2025-04-24

On my SMS this works: I get a 301 moved

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Are you a member of CheckMates?

Update failed. Contract entitlement check failed. Gateway can not access internet

🔍 Error Summary:

✅ Troubleshooting Steps: