Support Center > Search Results > SecureKnowledge Details
CME (Cloud Management Extension) for CloudGuard - Latest Updates Technical Level
Solution
  • Overview
  • Prerequisites
  • Installation Instructions
  • Availability
  • Documentation
  • List of Resolved issues and New Features
  • Known Limitations
  • Installation Troubleshooting

Overview

The Cloud Management Extension (CME) is a utility that runs on Check Point Security Management Servers and Multi-Domain Security Management Servers that are deployed in a cloud or on-premises.

This utility allows integration between Check Point CloudGuard IaaS solutions and cloud platforms such as AWS (Amazon Web Services), Azure, and GCP (Google Cloud Platform).

Important Notes:
  • It is important to keep CME up to date with Automatic Updates. To get CME with Automatic Updates, remove any CME installation you did with CPUSE (refer to sk92449 for detailed uninstall instructions).
  • Before installing the package, check Known Limitations.

Prerequisites



Installation Instructions

Show / Hide the Installation Procedure for Online Package

Procedure

The CME package should be installed only one time on your Management Server. After the first installation, the CME package is updated automatically with the release of any new version (as long there is Internet connectivity).

  1. Use the installation script for the first-time installation of CME.

    Download the cme_installation.sh script.

  2. Transfer the script to the Management Server (to some directory).

  3. Connect to the command line on the Management Server.

  4. Log in to the Expert mode.

  5. Go to the directory with the script:

    cd /<Full Path>/

  6. Assign the executable permission to the script:

    chmod -v +x cme_installation.sh

  7. Run the script without any parameters and wait for it to finish:

    ./cme_installation.sh

During the installation, the script updates on the process and reports success/failure when it finishes executing.

Note - The installation process may take up to 5 minutes. If you experience issues with installing the package, refer to Installation Troubleshooting.

Important Notes for Management High Availability:

  • In Management High Availability environments, future installation does not happen automatically. You must run the script cme_installation.sh each time you wish to install a new version of CME.
  • It is mandatory to install the CME package on all servers in the Management High Availability environment at the same time (one after the other), so that all servers use the same version.
  • At the end of the installation, we recommend to make sure that all servers use the same version. Run the command "autoprov-cfg -v" on each server with CME installed.

Show / Hide the Installation Procedure for Offline Package

Procedure

  1. Transfer the offline package to your Management Server (to some directory).

  2. Connect to the command line on the Management Server.

  3. Log in to the Expert mode.

  4. Run:

    autoupdatercli install /<Full Path>/<Name of Package>

    Example:

    [Expert@Host]# autoupdatercli install /var/log/Check_Point_CME_AUTOUPDATE_Bundle_T144_AutoUpdate.tar

  5. Examine this log file to make sure the installation was successful:

    /opt/CPInstLog/AutoUpdateLogs/CME


Availability

  Take Release Date Offload Package Link
Recommended Take 219 06 Nov 2022 (TAR)

Documentation



List of Resolved issues and New Features per CME Update

Enter the string to filter this table:

ID Description
Take 219 (6 November 2022)
VSECPC-6043 After a CME update, CME may fail to initiate SIC with new Security Gateways.
Take 216 (19 October 2022)
VSECPC-5663 Added support for Quantum R81.20 (Titan).
VSECPC-6029 Solved SIC initialization issue.
VSECPC-6031 Enhanced stability of the CME Network Group feature.
VSECNSX-1820
VSECNSX-1822
VSECNSX-1826 
Enhanced stability of the V2T tool (NSXT to NSXV).
Take 212 (6 October 2022)
VSECPC-5990 Added support for Jakarta and UAE AWS regions.
VSECPC-5827 Added support for CME configuration schema versioning. Current configurations supported by this CME Take are defined as schema version v1. Refer to Cloud Management Extension Administration Guide.
VSECPC-5953 Added several Autonomous Threat Prevention stability fixes.
VSECPC-5879 The CME Network Group names were renamed:
  1. When "prefix-name" flag is enabled
  2. For AWS Autoscale Groups
Take 205 (8 August 2022)
VSECPC-5694 Added support for Network Group management object. Refer to Cloud Management Extension Administration Guide.
Take 200 (6 July 2022)
VSECPC-5769 It is no longer possible to change CME configuration on the Standby Management Server.
VSECNSX-1822 NSX-V to NSX-T (V2T) migration related fixes.
VSECPC-5658 Added support for Autonomous Threat Prevention.
Take 194 (2 June 2022)
VSECPC-5735 Added AWS Cross Accounts support for GWLB endpoints.
VSECPC-5351 The “-sg” (sync gateways) flag of the "autoprov-cfg" command will no longer be supported.
VSECPC-5245 Automatic Hotfix Deployment may not perform as expected on the Multi-Domain Server HA when the Active Domain is not in the primary server.
VSECPC-5642 The “missing IPv4 Gateway address” error may be displayed.
VSECNSX-1818 While creating a new NSX-T template for R81.10+ versions, the OVF name may appear incompatible and another version may be added.
VSECNSX-1813 N/S Cluster HA NICs order change for R81.10+ versions, following a change in VMware vcenter 7.0+ infrastructure.
VSECPC-4660 Removed a limitation. The CME feature is now supported when the Endpoint Policy Management Software Blade is enabled on the Security Management Server.
Take 186 (20 April 2022)
VSECPC-4941 When CME tries to login to standby Domains, the "KeyError: uid" error is shown.
VSECPC-5118 Added AWS GWLB subnets for Health Check IP range instead of VPC CIDR.
VSECPC-5613 Added timeout for http/https requests requests.
VSECPC-5655 Log Collector may not recognize available memory.
Take 181 (8 February 2022)
VSECPC-5556 An auto-HF deployment issue may occur when using Multi-Domain Server.
VSECPC-5353 A post-customize failure is shown in the CME log.
Take 179 (24 January 2022)
VSECPC-4935 Added CME logs to Smart Console. Refer to the CME-Monitoring section in Cloud Management Extension R80.10 and Higher Administration Guide.
VSECPC-5537 Added support for Instance Metadata service (IMDSv2) in AWS.
VSECPC-5312 CME Log Collector update.
VSECPC-5359 Added missing validations for CME API parameters.
Take 175 (23 December 2021)
VSECPC-5359 CME API validations improvement.
VSECPC-5312 Log collector enhancements.
VSECPC-5255 Added Azure Gateway Load Balancer automatic support for scenarios when implied rules are disabled.
VSECPC-5339 Added internal diagnostic support.
Take 168 (02 November 2021)
VSECPC-5214 Added support for Azure Gateway Load Balancer automatic configuration.
For additional information, refer to CloudGuard Network for Azure VMSS Gateway Load Balancer Public Preview R81.10 Administration Guide.
VSECNSX-1740 Added ability to migrate Check Point Security Management NSX-V objects to NSX-T security policy objects.
VSECPC-5116 Remote Access VPN code limitation that blocked the configuration of DNS suffixes.
VSECPC-5031 Improved the CME log collector mechanism.
VSECPC-5029,
VSECPC-5228,
VSECPC-4987
CME API code improvements.
Take 164 (13 October 2021)
VSECPC-4971 Added support for configuring "Content Awareness" blade via autoprov_cfg.
VSECPC-4921 For AWS: Added support for configuring GWLB Health Check IP range via autoprov_cfg
VSECPC-4942 In Multi-Domain HA, CME configurations are blocked for not primary domains.
VSECPC-4977 Custom gateway script fails to run with arguments.
Take 157 (14 July 2021)
VSECPC-4894 Added CME API validations improvement.
Take 155 (07 July 2021)
VSECPC-4530 CME API integration. Refer to the Cloud Management Extension Administration Guide.
VSECPC-4628 Added support for CPDiag.
VSECPC-4682 Added GCP MIG Health Check reply support (for R81.10 only).
MAAS-1836 Added support to R81 VMSS, MIG and ASG in Smart-1 Cloud environments.
VSECPC-4820 post-customize script fails when CME runs on secondary Multi-Domain Management.
VSECPC-4781 CME for Azure does not work due to upper/lower cases inconsistency in Azure REST API responses.
VSECPC-4747 Added the Log collector for CME.
VSECPC-4835 In some scenarios, a memory leak may occur on CME.
VSECPC-4800 In some scenarios on in R80.30 and below, CME fails to add access and NAT rules.
VSECPC-4661 CME installation fails when the autoprovision.json file is empty.
Take 147 (09 May 2021)
VSECPC-4697 The x-chkp-topology tag on CloudGuard AWS instance does not affect interface configuration in SmartConsole instance object.
VSECPC-4698 Azure Controller fails to poll resources when Scale Set tag x-chkp-template value is set to template that is missing from the CME Configuration Templates.
Take 144 (22 April 2021)
VSECPC-4346 Added an Exception handling when creating an Azure Instance with IPv6.
VSECPC-4630 Repeated Access and NAT rules may be created for AWS Auto Scaling solution.
VSECPC-4617 CME performs publish every cycle and creates management revisions.
Take 138 (15 March 2021)
VSECPC-4565,
ODU-96
Added support for CME Auto-Configuration of cloud_balancer_ip1&ip2 and cloud_balancer_port parameters in fwkern.conf file.
Take 137 (09 March 2021)
VSECPC-4032 Added CME as CPM session description. CME will not disconnect other CPM root sessions.
VSECPC-4127 Added XFF support to CME.
VSECPC-4218 Added support for AWS Security Hub. See the Cloud Management Extension Administration Guide for more details.
VSECPC-4588 Added support for Auto NAT in Azure. See the Cloud Management Extension Administration Guide for more details.
VSECPC-4346 Added IPv6 support for Azure VMSS. Refer to sk170760.
VSECPC-4514 Added validation for not using CDT 1.9 because this version is not compatible with the CME Automatic HF deployment feature.
Take 133 (07 February 2021)
VSECPC-4197 Added support for AWS Gateway Load Balancer (GWLB).
See this page for more details about CloudGuard Network Security integration with AWS Gateway Load Balancer.
Take 126 (29 November 2020)
VSECPC-4289 Updated Azure certificate bundle correlated to Microsoft announcement on Azure TLS certificate change. For details, refer to this Microsoft article.
Take 125 (24 November 2020)
VSECPC-4284 In some scenarios, provisioning issues may appear for environments with AWS Gateway Load Balancer.
Take 122 (13 October 2020)
VSECPC-4083 Added support for GCP Multi-Domain Management.
VSECPC-3711 Added CSCC fixes.
Take 121 (25 August 2020)
VSECPC-4050,
VSECPC-3889
Added support for Azure VMSS with Scalable Remote Access VPN. Main Features:
  • Public Cloud-oriented Remote Access solution.
  • Remote Access Client connectivity for AutoScaling Gateways.
  • Integration with Azure DNS using Azure function: Azure function updates DNS according to available Scale Set instances.
For more information, see Scalable Remote Access VPN with CloudGuard IaaS: Video, Slides, and Q&A.
Take 119 (12 July 2020)
- Improved AWS provisioning cycle duration
- Added new AWS Regions
- Added option to provision R81 Gateways
Take 108 (25 May 2020)
- Automatic Updates support - CME now has the ability to update itself with the release of any new version automatically without interfering with the customers' work.
Take 83 (19 Mar 2020)
- Migration from Py2 to Py3
- With this new CME take, CME requires Jumbo Hotfix installed with minimum version
  • R80.10 - Jumbo HFA Take 249
  • R80.20 - Jumbo HFA Take 117
Take 79 (5 Jan 2020)
- Minor code improvements.
Take 76 (18 Dec 2019)
- Added support for NSX-T 2.5
- CME service does not come up after reboot.
Take 66 (22 Oct 2019)
- For all platforms:
  • Set a prefix to all SmartConsole objects created by the CME. For more information run 'autoprov_cfg set template -h' and look under '-pn'.
  • Added the CME take number to version's information (through 'autoprov-cfg -v' and cme_menu).
- For Azure: Improved handling of API request throttling
- For AWS:
  • Autoscaling: integration with Network Load Balancer new listeners: UDP and UDP_TCP
  • Transit VPC: spoke-routes and export-routes are now configured via the autoprov_cfg tool.
  • TGW: The Gateway can be configured to re-advertise desired spoke routes over BGP back to the TGW (for Direct Connect).
  • TGW: Gateways can be configured to automatically set static routes on their instance route table.
- Fixed degradation inserted in Take 55 - Custom Gateway script (-cg Flag) is now supported on AWS and GCP, not just Azure.
Take 55 (06 Aug 2019)
- Added support for Security Management Servers and Multi-Domain Security Management Servers deployed in Azure and AWS.
- Added support for NSX-T. For more information, refer to sk139213.
- First release of Automatic Hotfix Deployment for autoscaling solutions in Azure, AWS, and GCP.
CME Automatic Hotfix Deployment allows automatic deployment of Hotfixes and Jumbo Hotfix Accumulators on scaled-out instances. Refer to the Cloud Management Extension Administration Guide for more information.
- Minor fixes and stability improvements.
Take 45 (05 Jul 2019)
- First release of CME (Cloud Management Extension).
  • Supports only GCP MIG (Multi Instance Group) solution.
  • Supports Security Management Servers deployed in Google Cloud Platform only.

Known Limitations

Note: Refer to the Cloud Management Extension Administration Guide for limitations regarding specific CME features.

ID Description
1 CME cannot work in parallel to Autoprovision Add-On. When you install CME on a Security Management Server with Autoprovision Add-On deployed, the Autoprovision Add-On is disabled. The configuration for the old service remains the same, and the new CME service uses it.
Reverting to the Autoprovision Add-On is not supported.
2 On a Multi-Domain Server, CME works on the configured Domains sequentially (and not on all Domains in parallel).
3 When you install a new CME package on the Security Management Server, you might need to re-log into the shell before you can use the package.
4 Automatic Hotfix deployment and setting a prefix to all SmartConsole objects features cannot be activated in parallel for the same controller.
5 CME cannot be installed on a Multi-Domain Log Server.

Installation Troubleshooting

Issues described below may occur when you run the CME installation script. Error messages may be similar to those listed below.

  • Issue 1: "Failed to download latest CME package. If you have no internet access please follow the instructions for offline installation in sk157492."

    Solution: CME package failed to download. Make sure there is a connection to the Internet, or follow these steps for offline installation:

    1. Connect to the command line on the Management Server.

    2. Log in to the Expert mode.

    3. Get the AutoUpdater Build Number:

      cpvinfo /opt/AutoUpdater/latest/bin/AutoUpdater | grep "Build Number"

      If the value of the "Build Number" in the output is lower than 990180162, do the procedure for Issue # 3 and only then continue with the next steps below.

    4. Get the latest CME version from the "Availability" section.

    5. Transfer the CME package to the Management Server (to some directory).
    6. Run:

      autoupdatercli install /<Full Path>/<Name of Package>



  • Issue 2: "A version of CME is already installed via AutoUpdater..."

    Solution: CME has already been installed for the first time and is configured to receive updates automatically. If you have no internet access, follow the instructions for offline installation as described in the solution to Issue # 1 above.



  • Issue 3: "AutoUpdater is not installed on the machine - please install the minimal JHF version as described in sk157492 and try again."

    Solution: Install the correct Jumbo Hotfix Accumulator as described in the beginning of the Known Limitations section. If the correct Jumbo Hotfix Accumulator is installed, but the issue persists, the follow these steps and then try again:

    1. Get this AutoUpdater RPM.

    2. Transfer the package to your Management Server (to some directory).

    3. Connect to the command line on the Management Server.

    4. Log in to the Expert mode.

    5. Updated the current RPM package:

      rpm -Uhv --force <Full Path to AutoUpdater RPM>

    6. Stop the AutoUpdater service:

      autoupdatercli stop



  • Issue 4: "Failed to verify if CME installation completed successfully..."

    The installation could not verify if CME has been successfully downloaded and installed.

    Solution: Contact Check Point Support and attach these log files:

    • /opt/CPInstLog/AutoUpdateLogs/CME
    • /var/log/CPcme/cme_installation.log


  • Issue 5: When you run the script you get an output that instructs you to contact Check Point Support.

    Solution: Contact Check Point Support and attach these log files:

    • /opt/CPInstLog/AutoUpdateLogs/CME
    • /var/log/CPcme/cme_installation.log


  • Issue 6: I want to return to previous version of CME

    Solution: It is highly recommended that you use the latest take of CME.

    If you still want to revert to the previous take, run this command in the Expert mode on the Management Server:

    autoupdatercli revert CME

    The revert takes up to 1 minute.

    To make sure CME was reverted to the previous take, run this command in the Expert mode on the Management Server:

    cpinfo -y CPUpdates 2>&1 | grep BUNDLE_CME_AUTOUPDATE

    The take number in the output must be the one to which you reverted.

    Notes:

    • CME is upgraded automatically each time a new take is released.
    • You can revert only to the previous version. A revert to older versions reverts CME completely and removes it from the Management Server.


  • Issue 7: I want to totally remove CME

    Solution: Run this command in the Expert mode on the Management Server:

    autoupdatercli revert-completely CME

    The revert takes up to 1 minute.

    To make sure the CME was reverted completely, run this command in the Expert mode on the Management Server:

    cpinfo -y CPUpdates 2>&1 | grep -c BUNDLE_CME_AUTOUPDATE

    The output must show "0".

    If you also wish to stop receiving future updates of CME after the removal, run this command in the Expert mode on the Management Server:

    autoupdatercli disable CME



If your issue could not be resolved by any of the above solutions, contact Check Point Support and attach these log files:

  • /opt/CPInstLog/AutoUpdateLogs/CME
  • /var/log/CPcme/cme_installation.log

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment