Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Participant

Disaster after Management Server Upgrade from R80.20 to R80.40

After an successful(…) upgrade of an R80.20 Managment Server to R80.40 with CPUSE we installed policy to the main gateway/cluster. After that we had a major outage for many  server communications.

 

What happened:

The Checkpoint upgrade process (re)created an object named “CP_default_Office_Mode_addresses_pool” with IP range 172.16.10.0/24  and “Automatic HIDE NAT” turned on.

( this object was deleted (long time) ago because it was not needed (no VPN) and in conflict with the “server” network)

The result:

Because this new/(“Default”) network object  included IPs from the "server" network  important communication from these servers where  stuck because of turned on "Automatic hide NAT" ( there was no NAT before )

These broke a lot of important services immediately.

 

I know, this is not a new behavior  – I know from experiences in the past for deleted “Default” objects/rulebases.  I also found similar  references (e.g. R75.30 - see end of page )

https://www.security-portal.cz/clanky/how-fix-problems-after-upgrade-check-point-multi-domain-manage...


I do not understand, why CheckPoint is (re)creating this network object – including Automatic NAT - during an Upgrade?
At least I expect  a warning or notice ( e.g. "pre_upgrade_verifiyer" …) !

With a decission to create this object R&D forces the customer to  have big outages !

CheckPoint – please explain, why you need to create this object ?

 

Thanks

Martin

2 Replies
Highlighted
Employee+
Employee+

Hi @Martin_Hofbauer, my name is Eran and I'm a Group Manager in R&D, my team is responsible for the Management upgrade process. I'm sorry for your bad experience and for the business impact you had, and I'm taking it very seriously. I will sync with my team and with my colleagues in R&D to understand better what was the expected outcome and what went wrong. If you already opened a ticket to TAC please share it with me (privately). I will update you offline when we conclude the discussion, and afterwards I will share more info on this thread with everyone.

0 Kudos
Reply
Highlighted
Employee+
Employee+

Hi,

I would like to update that a fix to this issue has been released.

The fix included in the following upgrade tools packages (or newer) :

R80.40 upgrade tools package 994000325

R81 upgrade tools package 995000409 

Please follow sk135172 to download the upgrade tools package.

 

Thanks, 

Itai