Overview Prerequisites Installation Instructions Availability

Documentation List of Resolved issues and New Features Known Limitations Installation Troubleshooting

Overview

The Cloud Management Extension (CME) is a utility that runs on Check Point Security Management Servers and Multi-Domain Security Management Servers that are deployed in a cloud or on-premises.

This utility allows integration between Check Point CloudGuard IaaS solutions and cloud platforms such as AWS (Amazon Web Services), Azure, and GCP (Google Cloud Platform).

Important Notes:

• It is important to keep CME up to date with Automatic Updates. To get CME with Automatic Updates, remove any CME installation you did with CPUSE (refer to sk92449 for detailed uninstall instructions).
• Before installing the package, check Known Limitations.

Prerequisites

• For Security Management versions lower than R80.40, CME requires:

  Version	Requirement
  R80.30	R80.30 Jumbo Hotfix Accumulator Take 71 and higher
  R80.20	R80.20 Jumbo Hotfix Accumulator Take 117 and higher
  R80.10	R80.10 Jumbo Hotfix Accumulator Take 249 and higher

• R80.20 Auto Scaling solutions can be managed by R80.10 with R80.10 Jumbo Hotfix Accumulator Take 169 and higher.

• R80.30 Security Gateway can be managed by:

  • R80.20 with R80.20 Jumbo Hotfix Accumulator Take 91 and higher
  • R80.10 with R80.10 Jumbo Hotfix Accumulator Take 225 and higher

• Install the latest Take of AutoUpdater.

Installation Instructions

Availability

	Take	Release Date	Offload Package Link
Recommended Take	222	11 Dec 2022	(TAR)

Documentation

• Cloud Management Extension (CME) R80.10 and Higher Administration Guide

List of Resolved issues and New Features per CME Update

Enter the string to filter this table:

ID	Description
Take 222 (11 Dec 2022)
VSECPC-6056	Increased CME schema to v1.1.0. For more details about CME schema versions, refer to Cloud Management Extension R80.10 and Higher Administration Guide.
VSECPC-5424	Upgraded the CME Password Encryption method.
VSECNSX-1838	NIC order in CloudGuard Gateways for NSX-T Manager v3 and higher may be incorrect.
PRHF-26808	Enhanced the stability of the V2T tool (NSXT to NSXV).
Take 219 (6 November 2022)
VSECPC-6043	After a CME update, CME may fail to initiate SIC with new Security Gateways.
Take 216 (19 October 2022)
VSECPC-5663	Added support for Quantum R81.20 (Titan).
VSECPC-6029	Solved SIC initialization issue.
VSECPC-6031	Enhanced stability of the CME Network Group feature.
VSECNSX-1820 VSECNSX-1822 VSECNSX-1826	Enhanced stability of the V2T tool (NSXT to NSXV).
Take 212 (6 October 2022)
VSECPC-5990	Added support for Jakarta and UAE AWS regions.
VSECPC-5827	Added support for CME configuration schema versioning. Current configurations supported by this CME Take are defined as schema version v1. Refer to Cloud Management Extension Administration Guide.
VSECPC-5953	Added several Autonomous Threat Prevention stability fixes.
VSECPC-5879	The CME Network Group names were renamed: When "prefix-name" flag is enabled For AWS Autoscale Groups
Take 205 (8 August 2022)
VSECPC-5694	Added support for Network Group management object. Refer to Cloud Management Extension Administration Guide.
Take 200 (6 July 2022)
VSECPC-5769	It is no longer possible to change CME configuration on the Standby Management Server.
VSECNSX-1822	NSX-V to NSX-T (V2T) migration related fixes.
VSECPC-5658	Added support for Autonomous Threat Prevention.
Take 194 (2 June 2022)
VSECPC-5735	Added AWS Cross Accounts support for GWLB endpoints.
VSECPC-5351	The “-sg” (sync gateways) flag of the "autoprov-cfg" command will no longer be supported.
VSECPC-5245	Automatic Hotfix Deployment may not perform as expected on the Multi-Domain Server HA when the Active Domain is not in the primary server.
VSECPC-5642	The “missing IPv4 Gateway address” error may be displayed.
VSECNSX-1818	While creating a new NSX-T template for R81.10+ versions, the OVF name may appear incompatible and another version may be added.
VSECNSX-1813	N/S Cluster HA NICs order change for R81.10+ versions, following a change in VMware vcenter 7.0+ infrastructure.
VSECPC-4660	Removed a limitation. The CME feature is now supported when the Endpoint Policy Management Software Blade is enabled on the Security Management Server.
Take 186 (20 April 2022)
VSECPC-4941	When CME tries to login to standby Domains, the "KeyError: uid" error is shown.
VSECPC-5118	Added AWS GWLB subnets for Health Check IP range instead of VPC CIDR.
VSECPC-5613	Added timeout for http/https requests requests.
VSECPC-5655	Log Collector may not recognize available memory.
Take 181 (8 February 2022)
VSECPC-5556	An auto-HF deployment issue may occur when using Multi-Domain Server.
VSECPC-5353	A post-customize failure is shown in the CME log.
Take 179 (24 January 2022)
VSECPC-4935	Added CME logs to Smart Console. Refer to the CME-Monitoring section in Cloud Management Extension R80.10 and Higher Administration Guide.
VSECPC-5537	Added support for Instance Metadata service (IMDSv2) in AWS.
VSECPC-5312	CME Log Collector update.
VSECPC-5359	Added missing validations for CME API parameters.
Take 175 (23 December 2021)
VSECPC-5359	CME API validations improvement.
VSECPC-5312	Log collector enhancements.
VSECPC-5255	Added Azure Gateway Load Balancer automatic support for scenarios when implied rules are disabled.
VSECPC-5339	Added internal diagnostic support.
Take 168 (02 November 2021)
VSECPC-5214	Added support for Azure Gateway Load Balancer automatic configuration. For additional information, refer to CloudGuard Network for Azure VMSS Gateway Load Balancer Public Preview R81.10 Administration Guide.
VSECNSX-1740	Added ability to migrate Check Point Security Management NSX-V objects to NSX-T security policy objects.
VSECPC-5116	Remote Access VPN code limitation that blocked the configuration of DNS suffixes.
VSECPC-5031	Improved the CME log collector mechanism.
VSECPC-5029, VSECPC-5228, VSECPC-4987	CME API code improvements.
Take 164 (13 October 2021)
VSECPC-4971	Added support for configuring "Content Awareness" blade via autoprov_cfg.
VSECPC-4921	For AWS: Added support for configuring GWLB Health Check IP range via autoprov_cfg
VSECPC-4942	In Multi-Domain HA, CME configurations are blocked for not primary domains.
VSECPC-4977	Custom gateway script fails to run with arguments.
Take 157 (14 July 2021)
VSECPC-4894	Added CME API validations improvement.
Take 155 (07 July 2021)
VSECPC-4530	CME API integration. Refer to the Cloud Management Extension Administration Guide.
VSECPC-4628	Added support for CPDiag.
VSECPC-4682	Added GCP MIG Health Check reply support (for R81.10 only).
MAAS-1836	Added support to R81 VMSS, MIG and ASG in Smart-1 Cloud environments.
VSECPC-4820	post-customize script fails when CME runs on secondary Multi-Domain Management.
VSECPC-4781	CME for Azure does not work due to upper/lower cases inconsistency in Azure REST API responses.
VSECPC-4747	Added the Log collector for CME.
VSECPC-4835	In some scenarios, a memory leak may occur on CME.
VSECPC-4800	In some scenarios on in R80.30 and below, CME fails to add access and NAT rules.
VSECPC-4661	CME installation fails when the autoprovision.json file is empty.
Take 147 (09 May 2021)
VSECPC-4697	The x-chkp-topology tag on CloudGuard AWS instance does not affect interface configuration in SmartConsole instance object.
VSECPC-4698	Azure Controller fails to poll resources when Scale Set tag x-chkp-template value is set to template that is missing from the CME Configuration Templates.
Take 144 (22 April 2021)
VSECPC-4346	Added an Exception handling when creating an Azure Instance with IPv6.
VSECPC-4630	Repeated Access and NAT rules may be created for AWS Auto Scaling solution.
VSECPC-4617	CME performs publish every cycle and creates management revisions.
Take 138 (15 March 2021)
VSECPC-4565, ODU-96	Added support for CME Auto-Configuration of cloud_balancer_ip1&ip2 and cloud_balancer_port parameters in fwkern.conf file.
Take 137 (09 March 2021)
VSECPC-4032	Added CME as CPM session description. CME will not disconnect other CPM root sessions.
VSECPC-4127	Added XFF support to CME.
VSECPC-4218	Added support for AWS Security Hub. See the Cloud Management Extension Administration Guide for more details.
VSECPC-4588	Added support for Auto NAT in Azure. See the Cloud Management Extension Administration Guide for more details.
VSECPC-4346	Added IPv6 support for Azure VMSS. Refer to sk170760.
VSECPC-4514	Added validation for not using CDT 1.9 because this version is not compatible with the CME Automatic HF deployment feature.
Take 133 (07 February 2021)
VSECPC-4197	Added support for AWS Gateway Load Balancer (GWLB). See this page for more details about CloudGuard Network Security integration with AWS Gateway Load Balancer.
Take 126 (29 November 2020)
VSECPC-4289	Updated Azure certificate bundle correlated to Microsoft announcement on Azure TLS certificate change. For details, refer to this Microsoft article.
Take 125 (24 November 2020)
VSECPC-4284	In some scenarios, provisioning issues may appear for environments with AWS Gateway Load Balancer.
Take 122 (13 October 2020)
VSECPC-4083	Added support for GCP Multi-Domain Management.
VSECPC-3711	Added CSCC fixes.
Take 121 (25 August 2020)
VSECPC-4050, VSECPC-3889	Added support for Azure VMSS with Scalable Remote Access VPN. Main Features: Public Cloud-oriented Remote Access solution. Remote Access Client connectivity for AutoScaling Gateways. Integration with Azure DNS using Azure function: Azure function updates DNS according to available Scale Set instances. For more information, see Scalable Remote Access VPN with CloudGuard IaaS: Video, Slides, and Q&A.
Take 119 (12 July 2020)
-	Improved AWS provisioning cycle duration
-	Added new AWS Regions
-	Added option to provision R81 Gateways
Take 108 (25 May 2020)
-	Automatic Updates support - CME now has the ability to update itself with the release of any new version automatically without interfering with the customers' work.
Take 83 (19 Mar 2020)
-	Migration from Py2 to Py3
-	With this new CME take, CME requires Jumbo Hotfix installed with minimum version R80.10 - Jumbo HFA Take 249 R80.20 - Jumbo HFA Take 117
Take 79 (5 Jan 2020)
-	Minor code improvements.
Take 76 (18 Dec 2019)
-	Added support for NSX-T 2.5
-	CME service does not come up after reboot.
Take 66 (22 Oct 2019)
-	For all platforms: Set a prefix to all SmartConsole objects created by the CME. For more information run 'autoprov_cfg set template -h' and look under '-pn'. Added the CME take number to version's information (through 'autoprov-cfg -v' and cme_menu).
-	For Azure: Improved handling of API request throttling
-	For AWS: Autoscaling: integration with Network Load Balancer new listeners: UDP and UDP_TCP Transit VPC: spoke-routes and export-routes are now configured via the autoprov_cfg tool. TGW: The Gateway can be configured to re-advertise desired spoke routes over BGP back to the TGW (for Direct Connect). TGW: Gateways can be configured to automatically set static routes on their instance route table.
-	Fixed degradation inserted in Take 55 - Custom Gateway script (-cg Flag) is now supported on AWS and GCP, not just Azure.
Take 55 (06 Aug 2019)
-	Added support for Security Management Servers and Multi-Domain Security Management Servers deployed in Azure and AWS.
-	Added support for NSX-T. For more information, refer to sk139213.
-	First release of Automatic Hotfix Deployment for autoscaling solutions in Azure, AWS, and GCP. CME Automatic Hotfix Deployment allows automatic deployment of Hotfixes and Jumbo Hotfix Accumulators on scaled-out instances. Refer to the Cloud Management Extension Administration Guide for more information.
-	Minor fixes and stability improvements.
Take 45 (05 Jul 2019)
-	First release of CME (Cloud Management Extension). Supports only GCP MIG (Multi Instance Group) solution. Supports Security Management Servers deployed in Google Cloud Platform only.

Known Limitations

Note: Refer to the Cloud Management Extension Administration Guide for limitations regarding specific CME features.

ID	Description
1	CME cannot work in parallel to Autoprovision Add-On. When you install CME on a Security Management Server with Autoprovision Add-On deployed, the Autoprovision Add-On is disabled. The configuration for the old service remains the same, and the new CME service uses it. Reverting to the Autoprovision Add-On is not supported.
2	On a Multi-Domain Server, CME works on the configured Domains sequentially (and not on all Domains in parallel).
3	When you install a new CME package on the Security Management Server, you might need to re-log into the shell before you can use the package.
4	Automatic Hotfix deployment and setting a prefix to all SmartConsole objects features cannot be activated in parallel for the same controller.
5	CME cannot be installed on a Multi-Domain Log Server.
6	In Management High Availability environments, future installation does not happen automatically. You must run the script cme_installation.sh each time you wish to install a new version of CME. Refer to Installation Procedure for Online Package.

Installation Troubleshooting

Issues described below may occur when you run the CME installation script. Error messages may be similar to those listed below.

• Issue 1: "Failed to download latest CME package. If you have no internet access please follow the instructions for offline installation in sk157492."
  

  Solution: CME package failed to download. Make sure there is a connection to the Internet, or follow these steps for offline installation:

  1. Connect to the command line on the Management Server.

  2. Log in to the Expert mode.

  3. Get the AutoUpdater Build Number:

     cpvinfo /opt/AutoUpdater/latest/bin/AutoUpdater | grep "Build Number"

     If the value of the "Build Number" in the output is lower than 990180162, do the procedure for Issue # 3 and only then continue with the next steps below.

  4. Get the latest CME version from the "Availability" section.

  5. Transfer the CME package to the Management Server (to some directory).

  6. Run:

     autoupdatercli install /<Full Path>/<Name of Package>

  
  
  
• Issue 2: "A version of CME is already installed via AutoUpdater..."
  

  Solution: CME has already been installed for the first time and is configured to receive updates automatically. If you have no internet access, follow the instructions for offline installation as described in the solution to Issue # 1 above.

  
  
  
• Issue 3: "AutoUpdater is not installed on the machine - please install the minimal JHF version as described in sk157492 and try again."
  

  Solution: Install the correct Jumbo Hotfix Accumulator as described in the beginning of the Known Limitations section. If the correct Jumbo Hotfix Accumulator is installed, but the issue persists, the follow these steps and then try again:

  1. Get this AutoUpdater RPM.

  2. Transfer the package to your Management Server (to some directory).

  3. Connect to the command line on the Management Server.

  4. Log in to the Expert mode.

  5. Updated the current RPM package:

     rpm -Uhv --force <Full Path to AutoUpdater RPM>

  6. Stop the AutoUpdater service:

     autoupdatercli stop

  
  
  
• Issue 4: "Failed to verify if CME installation completed successfully..."
  

  The installation could not verify if CME has been successfully downloaded and installed.

  Solution: Contact Check Point Support and attach these log files:

  • /opt/CPInstLog/AutoUpdateLogs/CME
  • /var/log/CPcme/cme_installation.log

  
  
  
• Issue 5: When you run the script you get an output that instructs you to contact Check Point Support.
  

  Solution: Contact Check Point Support and attach these log files:

  • /opt/CPInstLog/AutoUpdateLogs/CME
  • /var/log/CPcme/cme_installation.log

  
  
  
• Issue 6: I want to return to previous version of CME
  

  Solution: It is highly recommended that you use the latest take of CME.

  If you still want to revert to the previous take, run this command in the Expert mode on the Management Server:

  autoupdatercli revert CME

  The revert takes up to 1 minute.

  To make sure CME was reverted to the previous take, run this command in the Expert mode on the Management Server:

  cpinfo -y CPUpdates 2>&1 | grep BUNDLE_CME_AUTOUPDATE

  The take number in the output must be the one to which you reverted.

  Notes:

  • CME is upgraded automatically each time a new take is released.
  • You can revert only to the previous version. A revert to older versions reverts CME completely and removes it from the Management Server.

  
  
  
• Issue 7: I want to totally remove CME
  

  Solution: Run this command in the Expert mode on the Management Server:

  autoupdatercli revert-completely CME

  The revert takes up to 1 minute.

  To make sure the CME was reverted completely, run this command in the Expert mode on the Management Server:

  cpinfo -y CPUpdates 2>&1 | grep -c BUNDLE_CME_AUTOUPDATE

  The output must show "0".

  If you also wish to stop receiving future updates of CME after the removal, run this command in the Expert mode on the Management Server:

  autoupdatercli disable CME

  
  
  
• Issue 8: CME cannot start or cannot revert to an old CME take
  

  Symptoms:
  1) "Starting cme: failed to run" error appears during CME revert.
  2) CME installation fails after CME revert-completely.
  3) CME fail to start, and /var/log/CPcme/cme.log contains "bad decrypt" or "Failed to load CME configuration due to incompatible schema" error.
  4) CME from take 212 or higher is installed only on the active server, and CME on the standby member fails to start.
  
  Cause:
  1) Starting CME take 212 CME configuration has a schema version
  2) The schema version attribute ensures that only compatible CME runs with the given CME configuration.
  3) CME does not run when the CME configuration schema version is incompatible.
  4) Example scenarios that can cause incompatibility:
  
  a. Revert to older CME take.
  b. Upgrade – export configuration and import it on a server with an older CME take.
  c. High Availability Management/Multi-Domain servers where the CME on the two members is not from the same take.
     
  Note - CME configuration file is not reverted.
  
  High Availability Scenario:
  
  1) CME configuration file is synchronized between the members.
  2) CME loads the configuration during CME boot.
  3) If the CME on the standby member is from an older take, it will fail to start because CME is not compatible with the schema version.
     
  Notes:
  

  • Because CME configurations are stored in $MDSDIR/conf, the active server is the member with the active global domain.
  • CME must not run on the standby member of a Security Management Server.

  
  Downgrade scenario:
  When reverting to old CME take (revert or revert-completely + install) and the old CME is not compatible with the schema version, CME does not start.
  
  Solution:
  
  High Availability scenario:
  Install the same CME take in all the High Availability servers.
  
  Downgrade scenario:
  

  • Option 1 - install supported CME take (recommended):
    
    1. Run "autoprov_cfg show all" and examine the schema version value.
    2. Install a CME that supports the existing schema version value.
       
       
  • Option 2 - Init CME:
    Run "autoprov_cfg init" According to CME R80.10 and Higher Administration Guide > Using the autoprov_cfg Command Line Configuration Utility.
    Note: This command overrides the existing configuration. If the "init" command fails and the error message contains "bad decrypt" , contact Check Point support.

  
  
  

If your issue could not be resolved by any of the above solutions, contact Check Point Support and attach these log files:

• /opt/CPInstLog/AutoUpdateLogs/CME
• /var/log/CPcme/cme_installation.log