This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bryan_Lee
Employee Alumnus
Employee Alumnus
‎2020-05-06 06:18 AM

CDT failed with API error - Fingerprint change

Hi,

 

I working with my customer to use the CDT tool to upgrade hundreds of gateway. In my test environment version 1.8 works fine albeit with some import error occasionally but nothing deadly, just need to re-run the CDT.

 

However when my customer does it in his MDM production environment, he encountered the strange error, while trying to upgrade from R77.30 to R80.30. The CDT stopped at "Prepare new post policy" after importing the upgrade package, and 3 hours later it exited with API call error, stating fingerprint change. 

 

Re-run of the CDT tool produce the same result. Any advice from the expert?  

 

*** LOG ***  

Tue May  5 14:36:37 2020 *N* [cdt_fw]: Finished executing action #2 Import Package on cdt_fw

Tue May  5 14:36:37 2020 *N* [cdt_fw]: Executing Action - Install Package

Tue May  5 14:36:37 2020 *N* [cdt_fw]: Executing stage - Prepare new post policy

Tue May  5 18:21:20 2020 *E* [cdt_fw]:

************************************************

An error has occurred in stage Prepare new post policy of machine cdt_fw:

 

Error code 43 - Failed to prepare and compile new firewall policy for the target machine's version. Make sure that the policy is saved and that no SmartDashboard sessions are connected to this server or update the policy manually via SmartDashboard and try again.

 

Additional Information:

-----------------------

 

        ************************************************

        DB Operations error has occurred:

 

        Error code 19 - Error querying the management database.

        Make sure that the policy is saved and that no SmartDashboard sessions are connected to this server.

 

        Details:

        --------

        Failed to parse json from mgmt_cli

 

        Additional Information:

        -----------------------

 

                Command Summary:

                Command = mgmt_cli show api-versions -r true --format json

                Return code = 1

                Output = Fingerprint of server 127.0.0.1 was changed

 

                To protect against impersonation, compare the following fingerprint with the one displayed by the api management tool (api fingerprint).

 

                SHA1 Fingerprint=D9:98:DC:E0:CF:F6:1E:F9:19:AE:5A:EC:9B:93:DB:CA:50:8B:B3:AD

                English Fingerprint=SETS OBOE ROB IVAN CADY FACE HE DICE MILE REP SOW SUNG

 

                Do you accept the fingerprint? (y/n) [n] ? Do you accept the fingerprint? (y/n) [n] ? Peer certificate cannot be authenticated with given CA certificates

                Fingerprint of server 127.0.0.1 was changed

 

                To protect against impersonation, compare the following fingerprint with the one displayed by the api management tool (api fingerprint).

 

                SHA1 Fingerprint=D9:98:DC:E0:CF:F6:1E:F9:19:AE:5A:EC:9B:93:DB:CA:50:8B:B3:AD

                English Fingerprint=SETS OBOE ROB IVAN CADY FACE HE DICE MILE REP SOW SUNG

 

                Do you accept the fingerprint? (y/n) [n] ? Logout failed

 

        ************************************************

 

 

0 Kudos
4 Replies
Martin_Valenta
Advisor
‎2020-05-06 08:44 AM

This is content for TAC case and not for forum.
0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-08 01:01 PM

What happens if you run (from the CLI of the MDM): mgmt_cli show api-versions -r true --format json
And you accept all the warnings…and try with CDT again?

Of course a seperate question would be why did the certificate change. Which implies the ICA may have been regenerated recently.
0 Kudos
mahmods
Employee
Employee
‎2020-05-10 01:14 AM

Hi, 

Looks like the certificate on the machine changed and the API command cannot run until the new fingerprint is accepted.

you need to run the following command to accept the new fingerprint

 

mgmt_cli show api-versions -r true --format json --unsafe-auto-accept true

 

0 Kudos
Bryan_Lee
Employee Alumnus
Employee Alumnus
‎2020-05-10 06:05 PM
In response to mahmods

Thanks, Mahmods and Phoneboy. This solve the problem. The ICA was reset a couple of months ago, prior to the MDS being upgraded to R80. I thought this Mgmt_cli was a R80 thing.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events