Important certificate update to CloudGuard Controller, Cloud Management Extension (CME), and Azure HA Security Gateways
Solution
Microsoft Azure is updating its TLS certificate chain during January 2021, as part of a phased plan that began in the summer of 2020.

Although the old certificates will not be revoked until February 2021, Azure endpoints start presenting certificates issued by the new intermediate CA in January, and a CA bundle that lacks the new chain cannot validate them.

As a result, you must follow the procedures explained below before January 2021 to prevent a connectivity outage with Azure (see Microsoft's notification).

Important Notes:
  • The relevant environments must be updated before January 2021.
  • R81 includes the correct certificates and is not affected.
The following solution applies to:
  • Security Management Servers or Multi-Domain Management Servers running CloudGuard Controller or CME and provisioning Azure environments.
    • On Management High Availability environments, you must apply the remediation steps on all members.
  • All CloudGuard IaaS HA environments on Azure.
Note: If none of the automatic remediations below applies to your environment, follow the manual remediation steps at the end of this article.

Automatic Remediation for CME Users

CME Take 126 (released on 29 November 2020) already includes the fix. To verify which take you have, run the following command:

# autoprov_cfg -v

If you have an older Take, you must follow sk157492 to update to CME Take 126 or newer. Check Point recommends enabling CME Automatic Updates as explained in sk157492.

Automatic Remediation for CloudGuard Controller Users

The latest Jumbo Hotfix Accumulator includes the fix. Update the Quantum Security Management Server, the Multi-Domain Management Server, or the Azure HA environment with the Jumbo Hotfix Accumulator Take listed below or newer:

Version   Fix included in Jumbo Take   Jumbo release date   Download from
R80.40    Take 89                      01 December 2020     sk165456
R80.30    Take 226                     29 November 2020     sk153152
R80.20    Take 188                     08 December 2020     sk137592
R80.10    Take 287                     17 December 2020     sk116380


Automatic Remediation for CloudGuard IaaS HA or Cluster Users

The latest Jumbo Hotfix Accumulator includes the fix. Update the Security Management Server, the Multi-Domain Management Server, or the Azure high availability and cluster environment with the Jumbo Hotfix Accumulator Take listed below or newer:

Version   Fix included in Jumbo Take    Jumbo release date   Download from
R80.40    Take 89                       01 December 2020     sk165456
R80.30    Follow the manual procedure   -                    -
R80.20    Follow the manual procedure   -                    -
R80.10    Take 287                      17 December 2020     sk116380


Remediation for a New Deployment of Management with CloudGuard Controller Provisioning Azure Environments

Version   Platform                       Instructions                                            More information
R81       On-premises, AWS, Azure, GCP   The fix is included in the latest image.                sk166715 or the cloud vendor marketplace
R80.40    On-premises                    You must install the latest Jumbo Hotfix Accumulator.   sk165456
R80.40    AWS                            The fix is included in the latest image.                sk125252
R80.40    Azure                          The fix is included in the latest image.                sk132192
R80.40    GCP                            The fix is included in the latest image.                sk147032
R80.30    On-premises                    You must install the latest Jumbo Hotfix Accumulator.   sk153152
R80.30    AWS                            The fix is included in the latest image.                sk125252
R80.30    Azure                          The fix is included in the latest image.                sk132192
R80.30    GCP                            The fix is included in the latest image.                sk147032


Remediation for a New Deployment of CloudGuard IaaS Azure HA Environments

Version   Platform   Instructions                               More information
R81       Azure      The fix is included in the latest image.   sk132192
R80.40    Azure      The fix is included in the latest image.   -
R80.30    Azure      The fix is included in the latest image.   -

Note: Images with a build number above 710 contain the updated certificate.


Manual Remediation Steps

Download the new certificate and follow these instructions:
  1. Upload the certificate to the Security Management Server / Multi-Domain Management Server / Security Gateway (each Gateway in ClusterXL).

  2. Confirm that the existing CA bundle does not yet contain the updated CA (DigiCert Global Root G2).

    Run the following command:

    • On Security Management Server:

      grep -i DigiCert $CPDIR/conf/ca-bundle-public-cloud.crt

    • On Multi-Domain Management Server:

      grep -i DigiCert $MDS_CPDIR/conf/ca-bundle-public-cloud.crt

    • On Security Gateway:

      grep -i DigiCert $CPDIR/conf/ca-bundle-public-cloud.crt

    Before the fix, the output lists only the DigiCert Global Root CA:

       ##      - Digicert
       DigiCert Global Root CA
       Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
       Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA

  3. Copy the new certificate to the following directory:

    • On Security Management Server:

      $CPDIR/conf/public-cloud

    • On Multi-Domain Management Server:

      $MDS_CPDIR/conf/public-cloud

    • On Security Gateway:

      $CPDIR/conf/public-cloud

  4. Confirm that the certificate was copied correctly. To do this, run the following command (on a Multi-Domain Management Server, use $MDS_CPDIR instead of $CPDIR):

    less $CPDIR/conf/public-cloud/public-cloud-991000749.crt

    The newest entry in the file should carry the marker #20201110.

  5. Run the following command to import/merge the new certificate:

    • On Security Management Server:

      $FWDIR/scripts/merge-bundle.sh

    • On Multi-Domain Management Server:

      $MDS_FWDIR/scripts/merge-bundle.sh

    • On Security Gateway:

      $FWDIR/scripts/merge-bundle.sh

    Note: You can safely ignore the following error: "cat: /opt/CPsuite-R8XX.X/fw1/scripts/version: No such file or directory".

  6. Confirm that the content of the certificate was imported correctly:

    • On Security Management Server:

      grep -i DigiCert $CPDIR/conf/ca-bundle-public-cloud.crt

    • On Multi-Domain Management Server:

      grep -i DigiCert $MDS_CPDIR/conf/ca-bundle-public-cloud.crt

    • On Security Gateway:

      grep -i DigiCert $CPDIR/conf/ca-bundle-public-cloud.crt

    Expected output:

       ##      - Digicert
       DigiCert Global Root CA
       Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
       Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA
       Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
       Subject: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2

  7. You may need to restart some services:

    • On Security Management Server / Multi-Domain Management Server with the Cloud Management Extension (CME) installed:

      Test the CME service:

        service cme test

      If the connection does not succeed, restart CME:

        service cme restart

    • On Security Management Server / Multi-Domain Management Server with CloudGuard Controller enabled and connected to an Azure account:

      Test the connection to the Azure account. If it does not succeed, restart the controller:

        vsec stop; vsec start

    • On Cluster HA:

      You do not need to restart services. Confirm that the cluster members can still reach Azure with:

        azure_ha_test.py
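The manual steps above, as an added example that is not part of this article and not a Check Point tool: a bash helper that picks the correct tree for the host's role ($MDS_CPDIR and $MDS_FWDIR on a Multi-Domain Management Server, $CPDIR and $FWDIR on a Security Management Server or Security Gateway), reports whether the merged bundle already lists the DigiCert Global Root G2 subject, stages the downloaded certificate only if it carries the #20201110 marker, runs merge-bundle.sh and re-checks the bundle. The paths, file name, marker and "Subject:" line format are taken from the steps above; the function names and the --run switch are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original sk and not a Check Point tool: helpers for the
# manual remediation steps. Paths, the bundle file name and the #20201110 marker are
# taken from the sk; the function names and the --run wrapper are ours.

# The sk uses $MDS_CPDIR/$MDS_FWDIR on a Multi-Domain Management Server and
# $CPDIR/$FWDIR on a Security Management Server or Security Gateway.
cp_dir() { printf '%s\n' "${MDS_CPDIR:-${CPDIR:?CPDIR is not set - run from a Check Point shell}}"; }
fw_dir() { printf '%s\n' "${MDS_FWDIR:-${FWDIR:?FWDIR is not set - run from a Check Point shell}}"; }

# Number of "Subject:" entries for a given CN in a merged bundle. The bundle writes
# "CN=..." for the older entries and "CN = ..." for the G2 ones, so allow both.
count_subject_cn() {  # count_subject_cn <bundle> <cn>
    local n
    n=$(grep -c -E "^Subject:.*CN ?= ?$2\$" "$1" 2>/dev/null) || true
    printf '%s\n' "${n:-0}"       # missing file or no match -> 0
}

# Exit 0 if the merged bundle already carries DigiCert Global Root G2 (step 2 / step 6).
bundle_has_g2() {  # bundle_has_g2 <bundle>
    [ "$(count_subject_cn "$1" 'DigiCert Global Root G2')" -gt 0 ]
}

# Steps 3 and 4: copy the downloaded certificate into conf/public-cloud, refusing a
# file that lacks the #20201110 marker the sk tells you to look for.
stage_cert() {  # stage_cert <downloaded.crt> <conf_root> [target name]
    local src=$1 root=$2 name=${3:-public-cloud-991000749.crt}
    grep -q '#20201110' "$src" || { echo "refusing: $src lacks the #20201110 marker" >&2; return 1; }
    mkdir -p "$root/conf/public-cloud" && cp "$src" "$root/conf/public-cloud/$name"
}

# Steps 2 to 6 end to end, for use on a real Management Server or Gateway.
remediate() {  # remediate <downloaded.crt>
    local conf fw bundle
    conf=$(cp_dir); fw=$(fw_dir); bundle="$conf/conf/ca-bundle-public-cloud.crt"
    if bundle_has_g2 "$bundle"; then
        echo "G2 root already present in $bundle, nothing to do"; return 0
    fi
    stage_cert "$1" "$conf"
    "$fw/scripts/merge-bundle.sh"   # the 'cat: .../fw1/scripts/version' error is harmless per the sk
    if bundle_has_g2 "$bundle"; then
        echo "merge OK: G2 root now present in $bundle"
    else
        echo "merge ran but G2 root is still missing from $bundle" >&2; return 1
    fi
}

# Only act when invoked explicitly, e.g.:  ./azure_ca_fix.sh --run /home/admin/new.crt
if [ "${1:-}" = "--run" ]; then
    remediate "${2:?usage: $0 --run <downloaded.crt>}"
fi
```

After the merge, the step 7 checks (service cme test, the CloudGuard Controller connection test or azure_ha_test.py) still apply; the helper only confirms that the bundle now carries the G2 root, not that the running services have picked it up.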

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
