Matlu
Advisor

No access via SmartConsole, MDS environment.

Hello, everyone.

We have an MDS, in which we have created 3 CMAs.

Currently we cannot access through SmartConsole, either by the IP of the MDS or by the management IP of each CMA (except for only 1 CMA that we can access).

It is important to mention that the MDS can be accessed by CLI.

SMS_MDS -> 10.49.2.215
CMA_1  -> 10.49.2.218
CMA_2  -> 10.49.2.217
CMA_3  -> 10.49.2.216

MDS1.jpg

 

MDS2.jpg

Is there any way to recover the files (licenses) that were wrongly deleted by the CLI of a CMA?

Since these lines were deleted, the management of both the MDS and the CMAs has been lost through the SmartConsole.

Is there any way to fix this?

Thank you.

0 Kudos
18 Replies
Chris_Atkinson
Employee

The licenses can be retrieved from Product Center by an authorised user and applied via SmartUpdate (SmartDistributor) or CLI (cplic commands).

CCSM R77/R80/ELITE
0 Kudos
Matlu
Advisor

Hello, Chris.

Can you explain why I can't "unlink" the GW licenses I have in this environment?

If you notice in the image, every time I click on the license that starts with the name "CPSB..." and I click on the "Detach" action, I get the red alert message.
I don't understand why.

MDS3.jpg

Greetings.

0 Kudos
the_rock
Legend

For a quick resolution to this, I would get in touch with Account services and I'm sure they could sort it out for you in 5 minutes.

0 Kudos
Matlu
Advisor

We are having a bad experience with the team that is in charge of the licenses; so far, they have not given us timely attention, which is why I decided to move forward, reviewing and asking through this channel. 😞

For some reason, when the final licenses that were purchased are loaded from SmartUpdate and the contract is "called" from this same console, the contract that appears is a very old contract, and the result is that the Cluster equipment continues to appear "alerted" in the SmartConsole.

LIC1.jpg LIC2.jpg LIC3.jpg

Does anyone know how to correct this?

0 Kudos
the_rock
Legend

I will send you eval tomorrow to try and see if it works.

0 Kudos
Chris_Atkinson
Employee

In Usercenter / Product Center, are the licenses shown with valid expiry dates?

To clarify, is it an internal team or a Check Point team that you are having difficulty with?

CCSM R77/R80/ELITE
0 Kudos
Matlu
Advisor

Hi Chris.

These are Checkpoint 5000 series appliances.
They are 2 GWs that are in a Cluster.

The "License" was apparently already loaded, because at least when I query it through the CLI with "cplic print -x", I see the final licenses, but on one of the GWs of the Cluster (the primary), the command also shows me information about the "contract", and the contract it shows me is very old, "April/2021"; it makes no sense.

I tried to call the contract several times from SmartUpdate, through "Licenses & Contracts -> Update Contracts -> From User Center", but when the process finishes running, it again shows me the same expired contracts from 2021.

This is super weird.

0 Kudos
KevinC
Employee

Hello.  I am one of our licensing experts.  Both of these issues can be resolved fairly quickly.

1.  You can use a permanent license or eval with the blade CPSB-NPM.  This will allow access to the Smart Console GUI.  The all-in-one eval is the easiest solution.

2.  The "object not found" error is being caused by a mismatch between the gateway command line and Smart Update.  When you try to delete the license from Smart Update, it will check that signature key on the gateway and delete the correlating license.  When it can't find that signature key, you will get that error.  The solution is to launch GUIdbedit and delete the license from there.

I would be happy to schedule a call and help with any of these issues.  Do you have the ticket # with the licensing team so I could investigate the interactions further?

(1)
Matlu
Advisor

Hi Kevin.

Yes, my ticket is 60003500792.

It currently generates the licenses, and I uploaded them to the computers.
This task was done in a "CENTRAL" way.

When you query the licenses on both machines, it shows like this.

GW01


LIC6.jpg

GW02

LIC7.jpg

You will notice, that only in the CLI of GW01, I have the result of the definitive license that has already been charged, but in addition I am also shown information of the "contract" that is too old (2021).
In the GW02 no additional information (contract) is shown.

And when you go to the SmartConsole, the Cluster is still "alerted".

LIC8.jpg

 

Is there any way to correct this?

These are definitive licenses that were purchased for our end customer, which last until June/2023.

Greetings.

0 Kudos
_Val_
Admin

Why do you want to remove them in the first place?

0 Kudos
Matlu
Advisor

Hello,

We have definitive licenses that have just been acquired, until June/2023.

The problem is that the licensing partner did not charge them through Checkpoint's UC, and we are being forced to finish generating the licenses and charge them manually.

The problem is that having already generated the licenses, and also uploading them, it keeps calling me to very old "contracts", which I already "deleted" from the license repository from the SmartUpdate.

Then, from the SmartConsole, I still see the red alert, which emphasizes that the IPS is expired.

Any idea how to solve this scenario, please?

Thank you.

0 Kudos
KevinC
Employee

Thanks for the update.

There are two things to consider in this scenario.  If the new contracts have already been uploaded to the management server, there is a chance they were not automatically pushed down to the gateways.  You can fetch the contracts from the management server by running the below command on the gateway:

# contract_util mgmt

Once this is successful, you can run # cplic print -x to verify if the new contracts have been updated.

Second, does the gateway have access to the internet?  IPS requires a one-time entitlement check against updates.checkpoint.com to verify the new contract.  If the gateway is in a closed environment, this can prevent the new contract from being recognized.

You can run # cpstat os -f licensing and the output provided will be what is reflected on the Smart Console GUI "Device & License Information" page.

Let me know if any of this helps.

0 Kudos
Matlu
Advisor

Kevin,

Your recommendations were very good.

I have already mitigated the alerts, and the updated contract is displayed by the command "cplic print -x".

Visually, in SmartUpdate, I still see licenses "tied" to my GW, and this causes a bit of annoyance.

How can this be removed, so as not to "mess up" the view?

When I right-click on the license object that is "tied" to my GW and choose "DETACH", I get the alert (I share an image with you).

LIC9.jpg

Could you tell me how to remove it, from the perspective of GuiDBedit (I think I understood you, that this can be corrected from this manager).

Thanks for your support.

0 Kudos
Matlu
Advisor

Kevin,

I have tried to delete a certificate that should no longer appear "linked" to my GW (I leave you an image).

LIC11.jpg

I am trying to do it through GuiDBedit, but it is impossible to delete the 2 matches I found regarding the certificate I want to delete, and if possible it should not appear visually in the SmartUpdate.

LIC10.jpg

Is it possible to perform this task?

Greetings.

0 Kudos
KevinC
Employee

Glad things were able to update!  

I am not sure how to get the objects into read/write mode from read only.  Let me do some investigation.

0 Kudos
KevinC
Employee

In Smart Console, check the below settings for your user:

"Manage and Settings" > Permissions & Administrators.  I believe Common objects needs to be set to "write".

 

 

 

Matlu
Advisor

Hello, Kevin.

A question: is there a command similar to # contract_util mgmt, but applied from a Smart-1 box?

I have a Smart-1 box, which is dedicated to the SmartEvent blade, and it is already updated with the final license, but the "contract" is still showing a date that is too old.

LIC12.jpg

Is there any command that can help me to refresh the contract date?

Regards.

0 Kudos
Chris_Atkinson
Employee

Did you already try:

# cplic contract put -o <file name>.xml

Refer: sk43113

CCSM R77/R80/ELITE
0 Kudos
