Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
TeamNetwork
Explorer

Antibot cosmetic issue Smart Console

Hello everybody,

I'm currently facing a problem with our SMB appliance :

we have a gateway (1430 Appliance R77.20.87 - Build 120) managed by SmartConsole, recently the site where the appliance is located got an ISP problem which made it unreachable, after everything was fixed the firewall started working again and it's correctly reachable but under the SmartConsole status I see it red, checking the status under Device Information I see the following error on  the Anti-Bot blade : 

Error: Update failed. Contract entitlement check failed. Could not resolve "updates.checkpoint.com". Check DNS and Proxy configuration on the gateway.

 

the strange thing is that opening the antibot / virus status show me that they are up to date, I'm also able to execute a curl on the URL reported in the error. We did see this problem a couple o months ago on a different gateway and we solved it rebooting the appliance but this time this is not an option.

I already tried to reboot the smartconsole without any success, i also tried to remove the affected blade -> install -> enable them again -> install, but again no succes.

I'll leave a couple of screenshot in the description. And here is the output of "cpstat antimalware -f update_status"

 

AB Update status: up-to-date
AB Update description: Gateway is up to date. Database version: 2305031050. Package date: Sun May 7 01:00:00 2023
.
AB Next update description: The next update will be run as scheduled.
AB DB version: 2305031050
AV Update status: up-to-date
AV Update description: Gateway is up to date. Database version: 2305120417. Package date: Thu May 11 01:00:00 2023
.
AV Next update description: The next update will be run as scheduled.
AV DB version: 2305120417

 

Does anyone ever faced similiar problem? do you have any suggestion on how to fix this errror?

 

 

Thanks a lot for your time

 

0 Kudos
8 Replies
the_rock
Legend
Legend

Some ways I fixed this in the past...I wont even BS you when I say this, in all honesty, from my experience, 90% of the time, I have no clue in the world why this error comes up, as it always shows out of the blue :- )

-reboot mgmt

-run contract_util mgmt on gateway

-cpstop/cpstart mgmt

-disable/re-enable affected blade, repush policy

-get licenses in smart update

Hope that helps.

Andy

0 Kudos
TeamNetwork
Explorer

Hello,

thanks for the answer, so I tried : 

-reboot the management server -> still have the issue

-remove the blades and install -> still have the issue

-get licenses on the gateway -> still have the issue

-run contract_util mgmt -> it seems like this command doesn't exist on my SMB appliance

-cpstart / cpstop mgmt -> still have the issue

honestly I still think it is a cosmetic issue which i really want to solve. Do you know if any process can be restarted on the gateway (without production impact) to reinizialize the status information on the smart console?

In the past I was used to reboot the SMB once the error appeared but at the moment I cannot proceed and I was looking for a more consistent solution

 

 

0 Kudos
the_rock
Legend
Legend

On the gateway, command is -> contract_util mgmt

Not 100% sure if it works on SMB, but will try it later.

Well, rebooting the gateway is not really a good solution, maybe somewhat of a workaround, specially given the fact the problem will come back...eventually.

Andy

0 Kudos
the_rock
Legend
Legend

[Expert@CP-FW-1:0]# contract_util mgmt
fetching contracts data from managment
download from management result: Contract verification succeeded. Your gateway is eligible for upgrade according to Check Point licensing agreement.
[Expert@CP-FW-1:0]#

0 Kudos
TeamNetwork
Explorer

Hello,

I agree, rebooting the device is not a solution.

By the way it seems like my firewall don't have the said command, when I try to launch it from Expert mode I get "bash: contract_util: command not found"

 

thanks again for your time 

0 Kudos
the_rock
Legend
Legend

Interesting...I even ran it on locally managed smb box and worked fine, let me try it again later.

Andy

0 Kudos
the_rock
Legend
Legend

So sorry @TeamNetwork , my apologies, I must have confused it with another device, just ran the command on locally managed one and it does not work. As @Tom_Hinoue said, it might be worth upgrading the firmware, as thats probably the first thing TAC would tell you anyway. By the way, have you opened the support case to verify all this?

Cheers,

Andy

0 Kudos
Tom_Hinoue
Advisor
Advisor

Have you tried upgrading the firmware to a newer build than B3120?

You can either try:
R77.20.87 Build 990173127 (https://support.checkpoint.com/results/sk/sk176148)
or a newer 
R77.20.87 Build 990173139 (https://support.checkpoint.com/results/sk/sk180271)

...which should include other general stability fixes as well, but you would need to contact TAC to receive these builds.

Or maybe you can try refreshing the components by upgrading to the same version (B3120) which is also possible.

Note in the future, if you're using IPS then you will need to upgrade management as well to be compatible with IPS package changes. (Changes in IPS packages )

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events