| Version | Platform | Instructions | More information |
| R81 | Azure | The fix is included in the latest image. | sk132192 |
| R80.40 | Azure | The fix is included in the latest image. | |
| R80.30 | Azure | The fix is included in the latest image. | |
Note: Images with a build above 710 contain the updated certificate.
Manual Remediation Steps
Download the new certificate from here and follow these instructions:
- Upload the certificate to the Security Management Server / Multi-Domain Management Server / Security Gateway (each Gateway in ClusterXL).
- Confirm that the existing certificate does not contain the updated CA. Run the following command:
  - On Security Management Server:
    grep -i DigiCert $CPDIR/conf/ca-bundle-public-cloud.crt
  - On Multi-Domain Management Server:
    grep -i DigiCert $MDS_CPDIR/conf/ca-bundle-public-cloud.crt
  - On Security Gateway:
    grep -i DigiCert $CPDIR/conf/ca-bundle-public-cloud.crt
  The output should look like this:
    ## - Digicert
    DigiCert Global Root CA
    Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
    Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
- Copy the new certificate to the following directory:
  - On Security Management Server:
    $CPDIR/conf/public-cloud
  - On Multi-Domain Management Server:
    $MDS_CPDIR/conf/public-cloud
  - On Security Gateway:
    $CPDIR/conf/public-cloud
- Confirm that the certificate was properly copied. To do this, run the following command:
    less $CPDIR/conf/public-cloud/public-cloud-991000749.crt
  The newest value should contain the value #20201110.
- Run the following command to import/merge the new certificate:
  - On Security Management Server:
    $FWDIR/scripts/merge-bundle.sh
  - On Multi-Domain Management Server:
    $MDS_FWDIR/scripts/merge-bundle.sh
  - On Security Gateway:
    $FWDIR/scripts/merge-bundle.sh
  Note: You can safely ignore the following error: "cat: /opt/CPsuite-R8XX.X /fw1/scripts/version: No such file or directory".
- Confirm that the content of the certificate was imported correctly:
  - On Security Management Server:
    grep -i DigiCert $CPDIR/conf/ca-bundle-public-cloud.crt
  - On Multi-Domain Management Server:
    grep -i DigiCert $MDS_CPDIR/conf/ca-bundle-public-cloud.crt
  - On Security Gateway:
    grep -i DigiCert $CPDIR/conf/ca-bundle-public-cloud.crt
  Expected output:
    ## - Digicert
    DigiCert Global Root CA
    Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
    Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
    Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
    Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
- You may need to restart some services:
  - On Security Management Server/Multi-Domain Management Server with installed Cloud Management Extension (CME):
    To test the CME service, run
      service cme test
    and see if the connection succeeds. If it does not, restart the CME. To restart the CME, run the following command:
      service cme restart
  - On Security Management Server/Multi-Domain Management Server with enabled CloudGuard Controller connected to an Azure account:
    Test the connection and see if it succeeds. If it does not, restart the controller with the following command:
      vsec stop; vsec start
  - On Cluster HA:
    You do not need to restart services. Confirm with the following command:
      azure_ha_test.py
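The two grep confirmation steps above (before and after running merge-bundle.sh) can be scripted so the result is a single state per machine. This is an added example, not Check Point code: the function names and state strings are assumptions, and the sample bundle is constructed from the annotation lines shown in the expected output.

```shell
#!/bin/bash
# Added example (not vendor code): scripted form of the DigiCert grep checks.

# subject_cns BUNDLE: print the CN of every "Subject:" annotation line,
# accepting both "CN=x" and "CN = x" as seen in the expected output.
subject_cns() {
    sed -n 's/^[[:space:]]*Subject:.*CN[[:space:]]*=[[:space:]]*//p' "$1" |
        sed -e 's/,.*$//' -e 's/[[:space:]]*$//'
}

# has_subject_cn BUNDLE CN: succeed only on an exact CN match, so
# "DigiCert Global Root CA" never satisfies a check for "... Root G2".
has_subject_cn() {
    subject_cns "$1" | grep -Fxq -- "$2"
}

# bundle_state BUNDLE: classify the bundle (state names are assumptions).
bundle_state() {
    if [ ! -r "$1" ]; then
        echo unreadable
    elif has_subject_cn "$1" "DigiCert Global Root G2"; then
        echo updated
    elif has_subject_cn "$1" "DigiCert Global Root CA"; then
        echo needs-merge
    else
        echo no-digicert-root
    fi
}

# make_sample_bundle PATH [g2]: constructed sample annotations (no PEM data).
make_sample_bundle() {
    {
        echo "## - Digicert"
        echo "DigiCert Global Root CA"
        echo "Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
        echo "Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA"
        if [ "${2:-}" = g2 ]; then
            echo "Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2"
            echo "Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2"
        fi
    } > "$1"
}

# On an appliance: pass $CPDIR/conf/ca-bundle-public-cloud.crt as argument 1.
if [ -n "${1:-}" ]; then bundle_state "$1"; fi
```

A result of needs-merge corresponds to the output shown before the merge, and updated to the expected output after it.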
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.