<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: R80.40 policy install diff changes breaks the network in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94132#M18643</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for casting your attention to this issue.&lt;/P&gt;&lt;P&gt;The problems seem related to gateways that were in-place upgraded from R80.10 to R80.40, and are reproducible consistently.&lt;/P&gt;&lt;P&gt;We never had these issues when we were on R80.10 (we had plenty others).&lt;/P&gt;&lt;P&gt;Thank you for annulling our assumptions on policy install delta/diff/incremental, that's at least one step forward. Nevertheless, most of the time it seems that during policy install files being pushed to the gateways are missing or incomplete, which triggered our initial thought.&lt;/P&gt;&lt;P&gt;I do have 3 SR numbers I can share. Should this be directly to you or someone else?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Much appreciated,&lt;/P&gt;&lt;P&gt;Bogdan&lt;/P&gt;</description>
    <pubDate>Fri, 14 Aug 2020 17:32:42 GMT</pubDate>
    <dc:creator>Bogdan_Tatomir1</dc:creator>
    <dc:date>2020-08-14T17:32:42Z</dc:date>
    <item>
      <title>R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94115#M18639</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It looks like R80.40 introduces a new policy install "differential" or "incremental" only way of pushing policy to the gateways. While this was announced for R80.10 and never made it in, we believe it was silently introduced in this new version.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Unfortunately this creates far more issues than it helps with policy installation speeds.&lt;/P&gt;&lt;P&gt;We currently have multiple critical SRs open and support is clueless on how to fix this.&lt;/P&gt;&lt;P&gt;A few examples of what is happening:&lt;/P&gt;&lt;P&gt;- IPS exceptions under the "global exceptions" are not pushed or only sometimes pushed : the IPS exceptions file is missing from the gateways after policy install&lt;/P&gt;&lt;P&gt;- converting a gateway from single gateway to cluster results in the cluster dropping its own traffic because the implied rules (which supposedly allow that traffic out) are not updated after cluster policy install (e.g. gateway had IP 1.2.3.4; after cluster member 1 has 1.2.3.5, member 2 has 1.2.3.6, and interface VIP is 1.2.3.4 - all traffic NAT-ed to src 1.2.3.4 (former single IP) is allowed outbound; all traffic originated on the local FWs - for example AV updates, https categorization, etc, is dropped on cleanup rule and is clearly seen on fw ctl zdebug drop as matching cleanup rule)&lt;/P&gt;&lt;P&gt;We feel that for the past few years we are constantly doing QA for CheckPoint, as we keep having constant basic issues with every major upgrade.&amp;nbsp;&lt;/P&gt;&lt;P&gt;We would surely appreciate a better tested GA version when this comes out.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is there any attention we can get on this? 
Can we tag&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7"&gt;@PhoneBoy&lt;/a&gt;&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1905"&gt;@Dorit_Dor&lt;/a&gt;&amp;nbsp;and look into this with priority ?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;/rant out&lt;/P&gt;&lt;P&gt;Edit: rephrased some unnecessary negative attitude in the message.&lt;/P&gt;</description>
      <pubDate>Fri, 14 Aug 2020 17:32:09 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94115#M18639</guid>
      <dc:creator>Bogdan_Tatomir1</dc:creator>
      <dc:date>2020-08-14T17:32:09Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94125#M18642</link>
      <description>&lt;P&gt;Thank you for reporting issues but your assumption is incorrect. The policy does not operate by diff.&amp;nbsp; You are probably facing a specific different issue causing the issues you described. Since we are not aware of any degradation regarding management of R80.40 with the recommended Jumbo's and certainly not something that will cause what you describe, please provide more data so that we can trace the issue and share root cause.&amp;nbsp;&amp;nbsp;Can you share more details? Is there service request open that you can share in private?&amp;nbsp;&lt;/P&gt;
&lt;P&gt;More generally, we are committed to quality and we have many thousands of management servers running R80.40 (plus more multi domains than previous releases) without degradations and issues.&amp;nbsp; We appreciate the open dialog with Checkmates and we leverage this dialog to improve quality and adjust our roadmap.&lt;/P&gt;
&lt;P&gt;Thank you all for your ongoing feedback&lt;/P&gt;
&lt;P&gt;Dorit&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 14 Aug 2020 15:39:53 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94125#M18642</guid>
      <dc:creator>Dorit_Dor</dc:creator>
      <dc:date>2020-08-14T15:39:53Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94132#M18643</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for casting your attention to this issue.&lt;/P&gt;&lt;P&gt;The problems seem related to gateways that were in-place upgraded from R80.10 to R80.40, and are reproducible consistently.&lt;/P&gt;&lt;P&gt;We never had these issues when we were on R80.10 (we had plenty others).&lt;/P&gt;&lt;P&gt;Thank you for annulling our assumptions on policy install delta/diff/incremental, that's at least one step forward. Nevertheless, most of the time it seems that during policy install files being pushed to the gateways are missing or incomplete, which triggered our initial thought.&lt;/P&gt;&lt;P&gt;I do have 3 SR numbers I can share. Should this be directly to you or someone else?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Much appreciated,&lt;/P&gt;&lt;P&gt;Bogdan&lt;/P&gt;</description>
      <pubDate>Fri, 14 Aug 2020 17:32:42 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94132#M18643</guid>
      <dc:creator>Bogdan_Tatomir1</dc:creator>
      <dc:date>2020-08-14T17:32:42Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94136#M18644</link>
      <description>&lt;P&gt;I'm sure you will, but please keep everyone posted on the issue. Would like to know what caused and what fixed it.&lt;/P&gt;</description>
      <pubDate>Fri, 14 Aug 2020 18:21:59 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94136#M18644</guid>
      <dc:creator>John_Fleming</dc:creator>
      <dc:date>2020-08-14T18:21:59Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94145#M18645</link>
      <description>&lt;P&gt;Please PM me the SRs, will make sure the right people are engaged.&lt;/P&gt;</description>
      <pubDate>Fri, 14 Aug 2020 19:44:03 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94145#M18645</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2020-08-14T19:44:03Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94157#M18647</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I just messaged you with the details. Looking forward to some support.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;Bogdan&lt;/P&gt;</description>
      <pubDate>Fri, 14 Aug 2020 23:07:50 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94157#M18647</guid>
      <dc:creator>Bogdan_Tatomir1</dc:creator>
      <dc:date>2020-08-14T23:07:50Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94169#M18650</link>
      <description>&lt;P&gt;Interim update&amp;nbsp;&lt;/P&gt;&lt;P&gt;(1)&amp;nbsp; Case #1 - can't push policy.&amp;nbsp; The case was closed with root cause (which based on our support records was understood by them - so as side note, if you want root cause and one was not communicated, please do ask our support).&amp;nbsp; Anyway, in this case the root cause: Putting domain objects in https inspection rule base was not supported pre R80.40 but&amp;nbsp;wasn't enforced before the upgrade.&lt;BR /&gt;The issue was opened with R&amp;amp;D to see if we can improve the error/message etc&lt;/P&gt;&lt;P&gt;(2) Case #2 &amp;amp; case #3 are both handled still with both support and R&amp;amp;D (case 3 may even be a GW behavior that just so happens to be triggered&amp;nbsp; by policy install, not sure yet)&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are committed to quality and while from time to time we will have issues, we see excellent indications of quality in R80.40. Our recommended releases today are R80.40 and R80.30 (where GW R80.30 is still the GW most used version so it may serve conservative customers).&amp;nbsp;&lt;/P&gt;&lt;P&gt;More updates will follow&amp;nbsp;&lt;/P&gt;&lt;P&gt;Dorit&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 15 Aug 2020 06:24:17 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94169#M18650</guid>
      <dc:creator>Dorit_Dor</dc:creator>
      <dc:date>2020-08-15T06:24:17Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94174#M18651</link>
      <description>&lt;P&gt;Thank you very much for the update.&lt;/P&gt;&lt;P&gt;As a side note for case #1 - as we have communicated to support as well - we do *NOT* have domain objects in the HTTPS inspection policy, but only "Custom application" with regex domain (e.g. ".*abc.com.*") . Policy install fails even if Domain Objects are used in regular FW Access Policy on gateways with no HTTPS inspection turned on.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;Bogdan&lt;/P&gt;</description>
      <pubDate>Sat, 15 Aug 2020 08:42:04 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94174#M18651</guid>
      <dc:creator>Bogdan_Tatomir1</dc:creator>
      <dc:date>2020-08-15T08:42:04Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94338#M18662</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/6712"&gt;@Bogdan_Tatomir1&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;First of all I want to share that indeed domain objects are not allowed to be used in HTTPSi RB prior to R80.40.&lt;/P&gt;
&lt;P&gt;Second, we found an issue in R80.10: when you have a Network Group that contains a domain object in the HTTPSi RB, push policy succeeds while it should fail.&lt;/P&gt;
&lt;P&gt;Post upgrade to R80.40 you will get a failure in push policy.&lt;/P&gt;
&lt;P&gt;I would like to get your confirmation that this is indeed the case in your system. You can validate it by looking at the error you got: you should get a referral to the Rule Number that contains the domain object. Can you please check whether this rule contains a network object with a domain object inside?&lt;/P&gt;
&lt;P&gt;If you find that this is indeed the case, then in R80.40 such a configuration is not allowed on GWs prior to R80.40, and the bug is in R80.10 and not in R80.40.&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;Ilya&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 17 Aug 2020 11:12:34 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94338#M18662</guid>
      <dc:creator>Ilya_Yusupov</dc:creator>
      <dc:date>2020-08-17T11:12:34Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94354#M18667</link>
      <description>&lt;P&gt;Hello Ilya,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you for looking into this. So we are talking about case #1. I can confirm we do *NOT* use any domain object in the network groups used for SSLi RB. As I mentioned before, R80.40 manager push policy to R80.10 gateways fails even for gateways that have HTTPS inspection turned off completely, if the FW RB uses domain objects.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Best regards,&lt;/P&gt;&lt;P&gt;Bogdan&lt;/P&gt;</description>
      <pubDate>Mon, 17 Aug 2020 13:08:04 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94354#M18667</guid>
      <dc:creator>Bogdan_Tatomir1</dc:creator>
      <dc:date>2020-08-17T13:08:04Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94375#M18672</link>
      <description>&lt;P&gt;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/6712"&gt;@Bogdan_Tatomir1&lt;/a&gt;&amp;nbsp; - i will continue with you offline for further discussion, will update the thread once we have conclusions.&lt;/P&gt;</description>
      <pubDate>Mon, 17 Aug 2020 14:21:57 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94375#M18672</guid>
      <dc:creator>Ilya_Yusupov</dc:creator>
      <dc:date>2020-08-17T14:21:57Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94441#M18676</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/6712"&gt;@Bogdan_Tatomir1&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Following our conversation via email, you confirmed that the case is indeed the same as I explained above.&lt;/P&gt;&lt;P&gt;The issue is in R80.10 only, when push policy succeeds while it should have failed; we are working with RnD to find the best solution to that.&lt;/P&gt;&lt;P&gt;Regarding why the policy is still failing while SSLi is disabled, I explained to you that this is by design, as your GW is under the "installed-on" column of the problematic rule.&lt;/P&gt;&lt;P&gt;In such a case, no matter if SSLi is disabled, we are trying to push policy due to the installed-on column and failing in the verification stage. In order to succeed you need to disable SSLi and remove the GW from the installed-on column.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If any further assistance is required please contact me directly.&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Ilya&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 18 Aug 2020 05:59:06 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/94441#M18676</guid>
      <dc:creator>Ilya_Yusupov</dc:creator>
      <dc:date>2020-08-18T05:59:06Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/96092#M18926</link>
      <description>&lt;P&gt;&lt;SPAN style="font-family: 'Arial',sans-serif; color: black;"&gt;As promised&amp;nbsp; (when the thread started) I return to this thread to share the outcomes and action items &lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="font-family: 'Arial',sans-serif; color: black;"&gt;1. As explained R80.40 does not have policy install diff. In R81 we dramatically improved policy install times by accelerating it for daily/small policy changes (we moved away from plan to do diff and instead we did full install policy,&amp;nbsp; accelerating the whole experience and reaching around 10 seconds when diff is small - without the need to install diff). You are welcome to join the EA&amp;nbsp;&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="font-family: 'Arial',sans-serif; color: black;"&gt;2. The issues reported in this thread were mapped to problems in R80.10 (missing errors on things that didn't work back then), some usability / simplicity in errors as well as one case of cluster upgrade issue when cluster member name was not well handled (still trying to find the exact scenario where this happens but if it does happen, the solution is simple). We are investing a lot in diagnostics tools to improve experience and self-handling (in management it's centered around CPM Doctor and in GW we add more capabilities to CPView)&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="font-family: 'Arial',sans-serif; color: black;"&gt;3. R80.40 is&amp;nbsp; our recommended version - some of our large scale users already use it (and it resolves past issues for them) and we have large portion of multi domain users (leveraging improvements as well large scale features like&amp;nbsp;multi domain migration that were added). While R80.40 is ramping fast, R80.30 is still our most used version and is a very good version too. R80.10 lacks many of the goodies added later and many of the quality improvements done on later versions and we do recommend to upgrade to later versions. With the recent versions improvements, we do also see a significant decrease in number of service requests &amp;amp; bugs per "Check Point" (management or GW) in R80.40 and in R80.30.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="font-family: 'Arial',sans-serif; color: black;"&gt;Last but not least, as always we appreciate the open direct dialog with CheckMates. We do try to provide transparency and visibility to action items and changes done as result of this dialog&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN style="font-family: 'Arial',sans-serif; color: black;"&gt;Thank you CheckMates, Dorit&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 05 Sep 2020 07:32:17 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/96092#M18926</guid>
      <dc:creator>Dorit_Dor</dc:creator>
      <dc:date>2020-09-05T07:32:17Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/96938#M19061</link>
      <description>&lt;P&gt;Hello everyone,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Again, thank you for the assistance and attention brought to these cases. I am nevertheless a little sad that we had to make so much noise until someone finally was able to take a look at our issues.&lt;/P&gt;&lt;P&gt;Still, after 1 month of starting this thread, our perspective seems a little different than the ones you have mentioned Dorit.&lt;/P&gt;&lt;P&gt;1. R80.40 manager simply cannot manage / push policy on R80.10 gateways. That is a hard fact. No matter how much we progressed on solving errors and unchecking feature blades, policy simply does not install. We ended up giving up and closing out that case, because engineers kept insisting it was due to dynamic objects used in SSL inspection and TP policies, where policy wouldn't install even with FW blade-only turned on. We just took the hard way of upgrading our 60+ gateways to R80.40. I have to say, upgrading Cloudguard IAAS on Azure and AWS from R80.10 to R80.40 is a nightmare, there is little to no documentation available from CheckPoint and we had to guess almost every step. Once we have everything running R80.40 the policy install issues are gone, can surely confirm that.&lt;/P&gt;&lt;P&gt;2. The gateway that was dropping its own traffic after the upgrade to R80.40 was solved by seeing as file "&lt;SPAN&gt;myown.C" was containing a wrong value, which was resulting in incorrect implied rules being generated. Nevertheless, engineers are still looking into what caused that fail.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;3. The case where IPS exceptions do not work on R80.40 is still not solved. Actually we opened the case on July 23rd 2020, it took until around mid of August for engineers to acknowledge there is an issue with it, and around 2 weeks ago until they could replicate it. 
We are closing up on the 2 months mark that this critical ticket is opened, where we have to take our IPS offline for legitimate systems to work, and basically renouncing an important protection layer. This is beyond any words and nowhere near aligned with CheckPoint's top security and zero risk approach.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;4. Recently we are running into another issue on R80.40, where the firewall is responding with SYN-ACK packets from its own MAC for other (thousands of) IPs completely messing network traffic and three-way-handshakes and asset detection systems. We have just opened a case with support, but we don't have high hopes of this being fixed any time soon.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;5. We have started migrating our edge security (internet facing) to another firewall vendor, and we are extremely delighted, where everything actually works, and we are getting the premium support we are paying for. We of course ran into some issues with those as well, as we have all feature blades enabled, like we do on the CheckPoints, but the average resolution time was below 7 days. Hopefully by the end of the year we will be able to completely move away from CheckPoint after 5 hellish years.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I'm sorry for being so negative, but the quality of products is only going down, and support's approach and quality is not helping. I do understand CheckPoint trying to tackle all security aspects, but having resolutions such as "you have too many blades enabled" or "blade X doesnt work when blade Y is enabled" is not a proper answer. 
We bought a product to secure our data and if we paid for the whole lot, of course we want to enable and use it all, especially when sizing was done for the entirety of blades turned on.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Best regards,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Bogdan&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 17 Sep 2020 12:20:47 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/96938#M19061</guid>
      <dc:creator>Bogdan_Tatomir1</dc:creator>
      <dc:date>2020-09-17T12:20:47Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/101959#M19772</link>
      <description>&lt;P&gt;+Discovered an additional issue where CPD crashes - according to&amp;nbsp;&lt;SPAN&gt;sk170256 it is fixed. I added the HF and it still doesn't work.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I could also see R81 is on the maps - sk166715&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I would like to take this opportunity to wish everyone a lucky upgrade! If R80.40 doesn't work let's by all means go R81. Maybe that works out better. Engineering and IT isn't what it used to be, things now are more "metaphysical" and based on luck. "If we know it doesn't work - we fix it". "If we don't know if it works - we test it". &lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;How come we are now at "If we don't know if it works or not, let's just upgrade it anyway"?&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 07:58:29 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/101959#M19772</guid>
      <dc:creator>cezar_varlan1</dc:creator>
      <dc:date>2020-11-13T07:58:29Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/101965#M19774</link>
      <description>&lt;P&gt;Thank you for the feedback.&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;We fix issues in jumbo’s and do not ask to upgrade for fixes.&amp;nbsp;&lt;BR /&gt;Some problems are fundamentally handled in new release (new releases are used by us to introduce bigger changes that are not solvable in incremental fixes). If you face issue like that, you should be able to get clear explanation of the root cause why it's differently handled by new release. This should be limited to rare cases.&amp;nbsp;If you are asked to upgrade without sufficient reason, you are welcome to approach me in private for both answers and for process improvement.&lt;/P&gt;
&lt;P&gt;We release jumbo’s on regular basis so that problems will be solved without upgrade. The specific problem you pointed out is supposed to be solved from jumbo 87 of R80.40. If you tried it and it didn't work, it may mean that there was mistake in identifying your issue and wrongly associated it with this sk. Notice that crash can happen for different reason so there may be a reason we missed and isn't included in the fix. If you have a TAC case please send it to me in private and if not please open one and send it in private.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;R81 is targeted to improve functionality and experience - bugs are fixed in jumbo’s&lt;/P&gt;
&lt;P&gt;Again, we appreciate the open dialog and take feedback seriously so help us get the details and we will publish the outcome for transparency and continuous dialog&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;Dorit&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 09:09:46 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/101965#M19774</guid>
      <dc:creator>Dorit_Dor</dc:creator>
      <dc:date>2020-11-13T09:09:46Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/101978#M19777</link>
      <description>&lt;P&gt;Appreciate the reply. We have found the root cause and this time CPD was broken, but by a custom script that ran in a loop. So i attempted to remove this post earlier, it looks like my connection to community.checkpoint.com had timed out or there was already a reply that prevented me from removing the post.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So what had happened is that without the Jumbo + custom HF we would not see the real error crashing CPD. This was resolved after a support call when we debugged CPD again after applying the JHF+custom patch and this time it showed additional error messages pointing exactly what it was running and where it crashed. This cpd_sched_config added custom blocking script that had a frequency of 49 days but was running in a loop and loading cpd to the point where watchdog was killing it for not responding. Either CPD is trying to run scheduled scripts in a loop if "$? is 1 "&amp;nbsp; or there is some other mechanism making it behave like this. So my custom script had an issue and CPD was obsessively trying to run it and kept getting $? of 1 which is ERROR.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Therefore this last post i made was an error and i am sorry for that.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 13 Nov 2020 12:06:12 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/101978#M19777</guid>
      <dc:creator>cezar_varlan1</dc:creator>
      <dc:date>2020-11-13T12:06:12Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/107084#M20505</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;This is my final update on this thread. I have screenshotted this response as it will probably get deleted/not approved by the censorship machine that CheckPoint runs. It is pretty clear at this point that this Security Vendor is nothing of what it used to be back in the 1990s with great security products and great support. Today CheckPoint is just a marketing, propaganda and censorship giant, and no other comparisons are needed..&lt;/P&gt;&lt;P&gt;Following up on the issues raised on this thread, we still have production-breaking issues and severe- and critical-issues with service requests being opened with CheckPoint opened for as long as 110 days, with no progress since 90+ days, and no response for 7+ days. Moreover, on tickets that we have requested assistance from engineers, they had the audacity to mark the tickets as "Pending Customer" and simply ignore our requests, refusing to assign engineers to critical issues.&lt;/P&gt;&lt;P&gt;We have been approached by high levels of CheckPoint's Support organization to be "silenced" and asked to stop publicly commenting in forums such as this in rewards of getting better support levels. This was only a mere illusion, as we are still struggling with production issues, with production flows being blocked, IPS getting bypassed by attackers, and support recommending disablement of blades for functionality improvement. This is precisely what you do *NOT* want from a security vendor.&lt;/P&gt;&lt;P&gt;At this point we have had enough of the bad treatment and complete indifference from Checkpoint as an organisation. 
We respect their R&amp;amp;D, products and effort towards making the world a better and safer place, but they lack the vision, understanding, and competency to understanding what real life differs from a laboratory.&lt;/P&gt;&lt;P&gt;We have taken the decision to move our final CheckPoint gateway clusters to the vendor we have already been slowly migrating to and strongly recommend the same for anyone that is looking for a proper security posture, and not just checking checkboxes in a compliance list with features that simply do not work.&lt;/P&gt;&lt;P&gt;We thank CheckPoint for all their inexistent effort to keep us as a customer, and wish them good luck in their endeavours. Out of the 25+ Security vendors that resided in our portfolio in 2020, this was by far our worst customer experience.&lt;/P&gt;&lt;P&gt;I strongly believe that facts and evidence always prevails, at least in the Information Security sector, and can only hope that such a wake up call will only motivate Checkpoint to close the gap they currently hold towards their competition in the market right now, and that 2021 will be a push towards research rather than marketing campaigns.&lt;/P&gt;&lt;P&gt;The strong words in this statement reflect my personal opinion of an 8+ years CheckPoint expert and CCSE certified engineer and are not directly related to my employer which simply targets its own wellbeing and a strong Information Security stance.&lt;/P&gt;&lt;P&gt;Best regards,&lt;BR /&gt;Bogdan&lt;/P&gt;</description>
      <pubDate>Tue, 05 Jan 2021 20:05:28 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/107084#M20505</guid>
      <dc:creator>Bogdan_Tatomir1</dc:creator>
      <dc:date>2021-01-05T20:05:28Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/107085#M20506</link>
      <description>&lt;P&gt;&lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1905"&gt;@Dorit_Dor&lt;/a&gt;&amp;nbsp; &lt;a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7"&gt;@PhoneBoy&lt;/a&gt;&amp;nbsp;&amp;nbsp;@Sharon Elmashaly for visibility and awareness. I can provide e-mails, screenshots and meeting recordings to support any and all of my statements above.&lt;/P&gt;</description>
      <pubDate>Tue, 05 Jan 2021 20:26:36 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/107085#M20506</guid>
      <dc:creator>Bogdan_Tatomir1</dc:creator>
      <dc:date>2021-01-05T20:26:36Z</dc:date>
    </item>
    <item>
      <title>Re: R80.40 policy install diff changes breaks the network</title>
      <link>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/107096#M20510</link>
      <description>&lt;P&gt;I'll reach out to you privately to get the relevant details on this.&lt;/P&gt;</description>
      <pubDate>Wed, 06 Jan 2021 02:07:53 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/R80-40-policy-install-diff-changes-breaks-the-network/m-p/107096#M20510</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2021-01-06T02:07:53Z</dc:date>
    </item>
  </channel>
</rss>

