topic Re: File-System read-only on 1530 in Spark Firewall (SMB)

File-System read-only on 1530

Oliver_Fink — Thu, 02 May 2024 12:48:35 GMT

Hi.

We have a customer running about 60 SMB appliances, all of them using R77.20.x (1430) or R81.10.x (1530).

(Yes, the customer knows that the 1430s have to be replaced in the next months. 😉)

My problem is with the 1530s. At the moment I have 4 of them where I cannot install policy. If I do a "fw fetch" on them I get this:

[Expert@cp-xxx01]# fw fetch
ndb_open : failed for /opt/fw1/database/fwauth.NDB: Read-only file system
fwa_db_init: fwdab_init failed
fwd_reload_database: Error loading from fwauth.NDB
Fetching Security Policy from 'aaa.bbb.ccc.ddd'

Local Security Policy is Up-To-Date.

Error: Failed to run policy installation wrapper.
sfw_fetch_callback: Failed to execute command '"/opt/fw1/bin/fw" fetchlocal -d "/opt/fw1/state/local/FW1"'. rc=1, exit code =-1
Unable to install the Security Policy on the appliance
[Expert@cp-xxx01]#

All of these appliances are running R81.10.00 - Build 575. I know that R81.10.08 - Build 683 is recommended release. Update is planned but it will take a serious amount of time, because update has to be coordinated with every single location.

So, at the moment I have to deal with R81.10.00. I found out that other 1530s with this version have no problems. And I know that there exists a problem with partition /pfrm2.0 filled above 85 % on R77.20.x (sk126372). I cannot find a SK with this limitation for R81.10.x.

But I found that all 1530s with problems have /pfrm2.0 filled above 85 %, the ones working are below this watermark. Since I have problems to get reboot clearance for the systems I would like to know…

… if anybody there had the same problem with R81.10.x on SMB and solved the problem with reboot – and if only for the moment.
… if anybody knows if the workaround from sk105217 (fiddeling with IPS protections) will do the job. I have little doubt on this because other 1530s are running without implementing the workaround and I do not want to weaken IPS.
… if anybody knows if the workaround from sk126372 (setting a link for $FWDIR/state/__tmp/FW1 to /storage partition) will also work for R81.10.x. The parameter in the advanced settings exists but the SK only mentions R77.20. I implemented this to all 1430s.

Any help will be appreciated.

Thanks in advance,

Oliver

Re: File-System read-only on 1530

the_rock — Thu, 02 May 2024 14:13:38 GMT

Hey Oliver,

Personally, I would call TAC and ask them to confirm, because that sk126372 states that if running R77.20.80 or higher, it would apply. Let me build quick SMB lab and see if the option is even there, will let you know.

Best,

Andy

Re: File-System read-only on 1530

the_rock — Thu, 02 May 2024 14:33:41 GMT

Just spun up R81.10.10 smb lab and I dont see the option from sk126372 there at all.

Andy

Re: File-System read-only on 1530

Oliver_Fink — Fri, 03 May 2024 06:56:35 GMT

Got a possibility to reboot one of the failing appliances. That fixes the problem. Now /pfrm2.0 is at 81 % and writable again. So I am looking for a permanent fix…

Re: File-System read-only on 1530

Oliver_Fink — Fri, 03 May 2024 07:11:10 GMT

Maybe it is the correct way to ask TAC. In the past, I got faster answers here from Check Point employees several times.

You are right that sk126372 states that you do not need a customer hotfix for R77.20.80 and higher. But the SK ist limited to R77.20. Such, I guess they are talking about the version up to R77.20.87.

Re: File-System read-only on 1530

Oliver_Fink — Fri, 03 May 2024 07:27:22 GMT

I have no R81.10.10 avaible, but where still able to find this option in R81.10.08. I did some more research an found this in the R81.10.x Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances CLI Reference Guide:

set additional-management-settings install-temporary-policy-to-storage

In the R81.10.X releases, this command is available starting from the R81.10.00 version.

Description

Configure additional management settings.

Syntax

set additional-management-settings advanced-settings install-temporary-policy-to-storage { true | false }

I think, I will give this a try.

Re: File-System read-only on 1530

Oliver_Fink — Fri, 03 May 2024 07:35:15 GMT

Seems to be the same as in Web GUI and is also available in R77.20.87…

(But I do not see any hint that a reboot is necessary.)

Re: File-System read-only on 1530

the_rock — Fri, 03 May 2024 11:31:23 GMT

Yes, does not hurt to attempt it.

Re: File-System read-only on 1530

the_rock — Fri, 03 May 2024 11:32:58 GMT

Check out this post where TAC advised of a fix for it in R81.10.10

Andy

https://community.checkpoint.com/t5/SMB-Gateways-Spark/Could-not-set-administrator-password-Field-must-have-a-value/m-p/212951#M10562

I logged a call and support kindly pointed me at : https://support.checkpoint.com/results/sk/sk181134

Where it states from Build 996002845 of R81.10.10:

SMBGWY-7083

General

The Quantum Spark appliance automatically removes files from the "/tmp" partition if the file becomes full.