cdav
Collaborator

CA Issues on AWS R81.20 Manager

I have deployed an EC2 manager from the Marketplace image in AWS. I keep running into an issue where it would appear the CA services on the host are not running. Connecting via SmartConsole errors with "Failed to download CRLs". No service appears to be listening on 18264. For example, if I attempt to curl Google I cannot validate TLS. The same completes if I ignore TLS errors.

The instance is deployed via Terraform, albeit not directly from the CheckPoint-supplied template. It has been extracted but gets passed all the correct and relevant parameters. The cloud_config.log and /var/log/messages indicate boot and auto-config OK.

[Expert@CP-Management:0]# curl_cli https://www.google.ocm
curl: (6) Couldn't resolve host 'www.google.ocm'
[Expert@CP-Management:0]# curl_cli https://www.google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Does anyone have any suggestions?

Thanks

9 Replies
Chris_Atkinson
MVP Gold CHKP

Is it the base R81.20 or with some Jumbo take applied?

CCSM R77/R80/ELITE
cdav
Collaborator

No hotfixes applied. Booted straight from the AMI R81.20-BYOL Management. Runs the First Time Wizard with config from cloud-init/cloud_config.

Chris_Atkinson
MVP Gold CHKP

I'd suggest applying the latest recommended JHF and if the problem persists consulting TAC.

CCSM R77/R80/ELITE
the_rock
MVP Gold

Agree, good point.

Best,
Andy
the_rock
MVP Gold

I did this twice on AWS, but mind you, from the actual CP template, and all worked fine. Not sure, but it seems the way you did it definitely differs.

Best,
Andy
cdav
Collaborator

To add to this, I have now deployed from the CheckPoint-provided TF template for the management instance and run into the same error.

the_rock
MVP Gold

If that's the case, you may need to open a TAC case to check.

Best,
Andy
Lesley
MVP Gold

You need to open more ports. Check it out here:

https://support.checkpoint.com/results/sk/sk119134

-------
Please press "Accept as Solution" if my post solved it 🙂
cdav
Collaborator

Hi Lesley,

I have looked at this article but it doesn't fit. Security groups for the mgmt EC2 are deployed as per the template and have the 3 required ports open. The instance used to connect via SC is in the same subnet as the Mgmt EC2 and has access on all ports to the Mgmt host.

[Expert@mgmt-tf:0]# ss -ntlp | grep '18264\|19009\|18190'
LISTEN 0 20 *:18190 *:* users:(("fwm",pid=5517,fd=42))
LISTEN 0 5 *:18264 *:* users:(("cpca",pid=8137,fd=11))
LISTEN 0 50 *:19009 *:* users:(("java",pid=5802,fd=462))

[Expert@mgmt-tf:0]# curl_cli https://checkpoint.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
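The thread ends without a resolution. As an added diagnostic (written for this page, not code from the thread or from Check Point), the script below separates the two symptoms the opening post runs together: whether cpca is actually bound to the ICA port 18264, and why outbound TLS verification fails. OpenSSL verify error 20 ("unable to get local issuer certificate", the first post) and error 19 ("self signed certificate in certificate chain", the last post) both mean the root of the chain the peer presented is not in the local trust store; printing the subject at the top of that chain shows whether the root is the public CA you would expect or something else on the path presenting its own CA. It assumes openssl and ss are available from Expert mode and that the host can reach port 443. The s_client transcripts embedded for the self-check are constructed; the ss lines are copied from the post above.

```shell
#!/bin/sh
# Added diagnostic for the CA/TLS symptoms in the thread above; not Check Point code.
# Assumptions: openssl and ss exist on the host, outbound 443 is reachable in --live mode.

# Succeeds if `ss -ntlp` output (on stdin) shows cpca bound to the ICA port 18264.
cpca_listening() {
    grep -q ':18264 .*"cpca"'
}

# Print the numeric OpenSSL verify result (0 = ok) from `openssl s_client` output on stdin.
verify_code() {
    sed -n 's/^Verify return code: *\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Print the subject at the top of the chain the peer presented, i.e. the highest
# "depth=N" line in the s_client output, with the "depth=N " prefix stripped.
chain_top() {
    awk 'BEGIN { best = -1 }
         /^depth=/ { d = substr($1, 7) + 0
                     if (d > best) { best = d; sub(/^depth=[0-9]+ /, ""); top = $0 } }
         END { if (best >= 0) print top }'
}

# Reduce an s_client transcript on stdin to one line saying what failed and which
# subject sits at the top of the chain, so a missing public root can be told apart
# from a device on the path that re-signs TLS with its own CA.
diagnose() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | verify_code)
    top=$(printf '%s\n' "$out" | chain_top)
    case "$code" in
        0)  echo "ok: chain verified up to [$top]" ;;
        19) echo "error 19: self-signed root [$top] is not in the local trust store; if that is not a public CA, something on the path is re-signing TLS" ;;
        20) echo "error 20: no local issuer for [$top]; the public root or an intermediate is missing from the trust bundle" ;;
        "") echo "no 'Verify return code' line found; the connection failed before the handshake completed" ;;
        *)  echo "error $code at [$top]" ;;
    esac
}

# Constructed transcript: a device on the path presents its own self-signed root (error 19).
SAMPLE_INTERCEPTED='depth=2 O = Example Corp, CN = Example Corp TLS Inspection Root
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 O = Example Corp, CN = Example Corp TLS Inspection Issuing CA
verify return:1
depth=0 CN = checkpoint.com
verify return:1
---
Verify return code: 19 (self signed certificate in certificate chain)
---'

# Constructed transcript: genuine server chain, but the public root is not installed locally (error 20).
SAMPLE_MISSING_ROOT='depth=1 C = US, O = Example Public CA, CN = Example Public TLS Issuing CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.google.com
verify return:1
---
Verify return code: 20 (unable to get local issuer certificate)
---'

# ss output copied from the thread (cpca is listening on 18264 in this capture).
SAMPLE_SS='LISTEN 0 20 *:18190 *:* users:(("fwm",pid=5517,fd=42))
LISTEN 0 5 *:18264 *:* users:(("cpca",pid=8137,fd=11))
LISTEN 0 50 *:19009 *:* users:(("java",pid=5802,fd=462))'

# Live mode against the real host: sh tlsdiag.sh --live www.google.com
# (ss needs root to show process names, which Expert mode on Gaia provides.)
if [ "${1:-}" = "--live" ]; then
    host=${2:-www.google.com}
    if ss -ntlp | cpca_listening; then
        echo "cpca is listening on 18264"
    else
        echo "nothing listening on 18264 (cpca not running or not bound)"
    fi
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>&1 | diagnose
fi
```

If live mode reports error 19 with a non-public subject at the top of the chain, the trust store on the manager is not the problem; the fix is on whatever is presenting that CA (or, if that CA is legitimately yours, adding it to the bundle curl_cli uses). Error 20 with a public intermediate at the top points at the local CA bundle instead.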