This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_Van_Kriek
Contributor
‎2023-12-07 05:48 AM
Jump to solution

Rules with GCP Datacenter objects (tags) dropped on the instances of Cloudguard MiG

We successfully connected CME to GCP, all is done per the process. Identity Awareness API enabled and configured. Datacenter object are visible on the Management server. Now, the rules with GCP Datacenter objects (tags) are not being hit. If we enter the subnet manually, the rule is hit. How to troubleshoot this issue, specifically on the gateways in GCP ?

version: R81.20

 

 

 

0 Kudos
1 Solution

Accepted Solutions
Chris_Van_Kriek
Contributor
‎2024-01-17 08:43 AM
In response to the_rock
Jump to solution

I had some sessions with TAC. It was the TTL set in vsec.conf that was too high, so the datacenter objects were not updated correctly.

View solution in original post

0 Kudos
9 Replies
tomlev
Employee
Employee
‎2023-12-07 08:12 AM
Jump to solution

Hi, did you see any errors in SmartConsole logs (blade:"CloudGuard IaaS") or in $FWDIR/log/cloud_proxy.elg?

(1)
the_rock
Legend
Legend
‎2023-12-07 08:18 AM
Jump to solution

Filter @tomlev mentioned is very useful, I got similar issue solved before with it.

Andy

0 Kudos
Chris_Van_Kriek
Contributor
‎2023-12-07 09:01 AM
In response to the_rock
Jump to solution

Thanks for the useful info.

I had already checked the blade='Cloudguard IAAS" filter and it shows that "Mapping of DataCenter GCP finished.. Mapping took 52 seconds etc..."

Also the $FWDIR/log/cloud_proxy.elg reflects the same.

Is there any log on the gateway instances I can check ?

0 Kudos
the_rock
Legend
Legend
‎2023-12-07 09:04 AM
In response to Chris_Van_Kriek
Jump to solution

Not certain, but maybe see if there are any other files with names that include words proxy or cloud in $FWDIR/log or /var/log dir

Andy

0 Kudos
Chris_Van_Kriek
Contributor
‎2023-12-09 11:38 PM
In response to the_rock
Jump to solution

There seems to be a file on the gateways: cloud_config.log, but apart from this:

2023-10-12 05:29:22,864::INFO::run_cmd Executing: dbget installer:self_update_in_progress with:
data=None
env=None
expected_return_codes=(0,)
2023-10-12 05:29:22,872::INFO::Handling error:
Output:
Retry number 1 out of 3

happening twice (it seems the third time it was successfull )

There is also a file, which is a symbolic link cloud-user-data -> /opt/CPcge/log/user_data, but that file doesn't exist.

 

tomlev
Employee
Employee
‎2023-12-10 12:05 AM
In response to Chris_Van_Kriek
Jump to solution

Under the same filter, are there any errors related to the GW update?
Try adding to the filter "AND severity:Critical"

 

0 Kudos
Chris_Van_Kriek
Contributor
‎2023-12-10 12:42 AM
In response to tomlev
Jump to solution

I see errors with that filter from a couple of weeks ago:

Failed to update Data Center objects on gateway gcp-controller--vm-checkpoint-gateway-szrc

And this for all three instances of the GCP MiG.

But when I look at the logs of today, I see that the instances have updated the Data Center objects successfully:

Data Center objects were successfully updated on gateway gcp-controller--vm-checkpoint-gateway-szrc. 1 IPs updated, 0 IPs removed.

Still, the rules with the data center object is not hit. I have put a rule under it, with explicit IP (manually created) of the object, and that one is hit.

0 Kudos
the_rock
Legend
Legend
‎2023-12-10 06:07 AM
In response to Chris_Van_Kriek
Jump to solution

I would try do remote with TAC to see if there is something we might be missing here...

Cheers,

Andy

0 Kudos
Chris_Van_Kriek
Contributor
‎2024-01-17 08:43 AM
In response to the_rock
Jump to solution

I had some sessions with TAC. It was the TTL set in vsec.conf that was too high, so the datacenter objects were not updated correctly.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    Sort by:
    All CloudMates Events