Sunday, January 7, 2018

How to troubleshoot IPS update

Solution

How to troubleshoot IPS update [scheduled and manual] issues

If IPS update fails, the user needs to understand what kind of update is being performed, as troubleshooting steps are different for various kinds of update.

For manual IPS update issues

The client (the Windows PC that runs SmartDashboard) is the one that initiates the connection towards the Check Point update servers, so most troubleshooting has to be performed on the client PC.

In both cases (scheduled and manual), the following update server URLs should be reachable by DNS, HTTP and HTTPS (for example, they can be opened in a normal web browser such as Google Chrome or Internet Explorer).
Open the browser on the client that is performing the IPS manual update, and verify connectivity to:
Notes:
  • You might get a redirect to a page, a page with the words "It works!" or "File not found."
  • A blank page indicates an issue.
If there is no connectivity to the above servers, the issue is on the client connectivity side, for example a proxy issue, a routing issue, etc.

If there is connectivity (with or without proxy):
  1. If the update is stuck at 99%, please refer to article sk111760.
  2. If the update does not start at all and fails, please collect the following information:
    1. Debug the SmartConsole GUI client as per article sk112334.
    2. Download Wireshark and install it on the client PC, and collect a traffic capture file while the IPS manual update issue is being replicated.
    3. Provide the output files from the SmartConsole debug and the traffic capture to Check Point Support.

  3. If any other symptom, contact Check Point Support for additional troubleshooting.

For scheduled IPS update issues

The Security Management Server / Multi-Domain Management Server (the Management or the relevant CMA) is the initiator of the connection towards the Check Point update servers, so most troubleshooting has to be performed on it.
  1. Since the IP addresses of the update servers change according to geo-location and are very dynamic, make sure that the /etc/hosts file on the Security Management Server does not contain any manual entry for the servers below:

    • cws.checkpoint.com
    • secureupdates.checkpoint.com
    • updates.checkpoint.com
    • dl3.checkpoint.com

  2. Review article sk98781 and make sure that the checkbox for "Automatically download Contracts and other important data" is selected. If it is not selected, do so, and install the policy. Then try the update again.
  3. Verify that the Security Management Server can reach and resolve the servers, as follows:

    1. If the Security Management Server is not using proxy, use:
      # nslookup cws.checkpoint.com
      Repeat the command for all servers and verify that there is an IP reply.
      Verify that the Security Management Server has HTTP/HTTPS access to the Check Point update servers, using curl:
      (If R76 and lower, ca-bundle.crt is in $FWDIR/bin)
      # curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com
      # curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://dl3.checkpoint.com
      # curl_cli -v http://cws.checkpoint.com
      Note: Possible connectivity errors: Could not resolve host, fetch .crl failed, etc. (these indicate an Internet connection problem).

    2. If the Security Management Server is using proxy, use:
      # nslookup cws.checkpoint.com
      Repeat the command for all servers and verify that there is an IP reply.
      Verify that the Security Management Server has HTTP/HTTPS access to the Check Point update servers, using curl:
      (If R76 and lower, ca-bundle.crt is in $FWDIR/bin)
      # curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com -x <proxyIP:proxyPORT>
      # curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://dl3.checkpoint.com -x <proxyIP:proxyPORT>
      # curl_cli -v http://cws.checkpoint.com -x <proxyIP:proxyPORT>
      Note: Change <proxyIP:proxyPORT> to the proxy IP address and port, removing the symbols. For example, if the proxy IP address and port is: 10.20.30.40:8080, the command will be:
      # curl_cli -v -1 --cacert $CPDIR/conf/ca-bundle.crt https://updates.checkpoint.com -x 10.20.30.40:8080
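The hosts-file check (step 1) and the DNS/curl_cli reachability checks (step 3) can be scripted so they are repeated consistently on the Security Management Server. The script below is an added example and is not Check Point's own tooling; the function names, the log file names under /tmp and the "--live" switch are my own, and the sample hosts file is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example (not Check Point's own tooling): the scheduled-update checks
# from this article as reusable sh helpers. Function and log names are mine.

SERVERS="cws.checkpoint.com secureupdates.checkpoint.com updates.checkpoint.com dl3.checkpoint.com"

# Step 1: find manual /etc/hosts entries for the update servers.
# Prints the offending lines; returns 1 if any exist, 0 if the file is clean.
check_hosts_file() {
    hosts_file="${1:-/etc/hosts}"
    found=0
    for s in $SERVERS; do
        # whole-word match on non-comment lines only
        hits=$(grep -v '^[[:space:]]*#' "$hosts_file" | grep -E "[[:space:]]$s([[:space:]]|$)" || true)
        if [ -n "$hits" ]; then
            echo "manual entry for $s in $hosts_file: $hits"
            found=1
        fi
    done
    return $found
}

# Step 3: DNS resolution and curl_cli reachability, adding the article's
# -x option when a proxy "IP:port" is supplied. Verbose curl_cli output is
# kept under /tmp so errors such as "Could not resolve host" can be reviewed.
live_checks() {
    proxy_opt=""
    [ -n "${1:-}" ] && proxy_opt="-x $1"
    cacert="$CPDIR/conf/ca-bundle.crt"   # R76 and lower: $FWDIR/bin/ca-bundle.crt
    for s in $SERVERS; do
        nslookup "$s" >/dev/null 2>&1 || echo "DNS: no IP reply for $s"
    done
    for u in https://updates.checkpoint.com https://dl3.checkpoint.com; do
        log="/tmp/ipsupd_$(basename "$u").log"
        curl_cli -v -1 --cacert "$cacert" $proxy_opt "$u" >"$log" 2>&1 \
            || echo "HTTPS: $u failed, see $log"
    done
    curl_cli -v $proxy_opt http://cws.checkpoint.com >/tmp/ipsupd_cws.log 2>&1 \
        || echo "HTTP: cws.checkpoint.com failed, see /tmp/ipsupd_cws.log"
}

# Offline demonstration of step 1 on a constructed hosts file (the commented
# line must be ignored, the dl3 line must be reported).
demo=$(mktemp)
printf '127.0.0.1 localhost\n# 1.2.3.4 updates.checkpoint.com\n192.0.2.10 dl3.checkpoint.com\n' >"$demo"
check_hosts_file "$demo" || echo "remove the entries above, then retry the update"
rm -f "$demo"

# Network checks only when explicitly requested: ./ipsupd.sh --live [proxyIP:proxyPORT]
if [ "${1:-}" = "--live" ]; then live_checks "${2:-}"; fi
```

Run it with "--live" (and the proxy as a second argument if one is in use) on the Security Management Server; the /tmp/ipsupd_*.log files then hold the full curl_cli -v output to attach to the case.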
For scheduled IPS update:
If all of the above tests were performed and the issue persists, please review and perform the FWM debug according to article sk86186, making sure the scheduled update occurs while the FWM debug is running.
For a scheduled IPS update, the FWM debug can be narrowed to the relevant modules:
# fw debug fwm on TDERROR_ALL_FWMAU=5
# fw debug fwm on TDERROR_ALL_FDT=5

Collect all files and outputs from the troubleshooting steps above and contact Check Point Support, along with a screenshot of the update issue (try to include the error that pops up from the update).
For faster resolution and verification, collect CPinfo files from the Security Management Server and the Security Gateways involved in the case.