
Revisions Management in R80.x

There is a "tiny-not-a-lot-of-explanation" sk113615 about changes made between R77.x and R80.x.

And before you say Tim Hall - there was not a lot in the new book :)

Problem is that there are no automated means to control the number of versions you keep, so it keeps growing indefinitely (unless you remember to do a manual purge), and also you cannot turn it off even if you wanted to. Due to the complexity of the network (MDS with many CMAs plus a couple of VSX clusters and VSes stretching over multiple CMAs) I'd rather rely on good old MDS backup than revisions.

And now we have hit some wall where purge on MDS simply fails - it sits at stage 3/3 forever and eventually gets a "server restart" error.

I will raise an SR, but it would be great to have a bit more insight into R80 revision management / troubleshooting.

I also wonder how much this will impact MDS backup size (as it has been growing like crazy)

13 Replies

Re: Revisions Management in R80.x

Hi Kaspars, see  

Re: Revisions Management in R80.x

Hej Tomer - as I mentioned, my problem is the "manual" handling. I'd rather see an option to say save only the last 20 revisions (or no revisions at all). Manual purge seems a very old-school approach, who has time for manual tasks these days :)

Also the fact it is failing now and there is no information available on how to troubleshoot it (where are more detailed logs, what processes etc). I really dislike raising SRs that just say "it does not work", I'd rather send in some useful information that we have checked this and that before whinging :)


Re: Revisions Management in R80.x

You are raising 2 things

- why is purge revisions manual: understood, and planned for our next releases. May I ask how many Management revisions do you have at the moment? Also, the IPS revisions purge, which might have larger impact on a Management Server size, is automatic. How can I control the size of my R80.10 Security Management Server? 

- Bug in purge which results in your inability to control the size of your security management server - SR is the way to go. Check Point Support should be able to investigate the root cause and prevent this from happening to others as well. I suppose export of the logs at $MDS_FWDIR/log/*.* should be enough for this case, but they may still ask for larger files. I agree with you - SRs are not fun, we definitely aim to give more self-help tools to our customers, but at the moment this issue seems to be unique at your end.


Re: Revisions Management in R80.x

We have 150+ revisions since last March there. That's visible on MDS level. Then on a busy CMA it's 1000+. And then it's nearly 20 CMAs..

Regarding IPS we should be OK as we have take 42.

SR on its way :) thanks for looking into it


Re: Revisions Management in R80.x

Please keep us in the loop (if you have time) and something new, this looks very interesting in a not funny way :)


Re: Revisions Management in R80.x

Hi Kaspars,

You are correct that there wasn't much in the new book about revision control as it is not directly related to gateway performance. Covering that would have opened a can of worms as far as documenting management procedures, SMS performance and such. There were a couple of areas where I diverged from the book's main goal of gateway performance (such as how to properly do ClusterXL failovers and testing Access Control/Threat Prevention policies) but doing that too often would have caused the book to rapidly grow beyond a manageable point.

Still, I do have some detailed notes about all the ins and outs of sessions/revisions/reverting/installation history in R80+ that I present when teaching CCSA R80.10, will see if I can type that up into something presentable.

Edit: For future reference my revision control notes were rolled up into this guide:  

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: Revisions Management in R80.x

also, there's this one  


Re: Revisions Management in R80.x

Already liked and downloaded Tomer!


Re: Revisions Management in R80.x

I was just pulling your leg of course since your book comes up in every second post Tim (I bought it!) :) but I would be really grateful if you could share some info! Still a lot to learn with R80..


Re: Revisions Management in R80.x

Sounds like an opportunity for another book for you!


Re: Revisions Management in R80.x

AZW-730-61299 - Schedule automatic purge of revision DB

RFE should be in progress since last year.

Best

Joe


Re: Revisions Management in R80.x

We have added a new Management API command to automate purging of database revisions (published sessions).

It should be available in the upcoming R80.20 GA release.

Robert.

Re: Revisions Management in R80.x

It is there :)

From an audit point of view, it would be better to choose "sessions-older-than-days" ... Simply say delete all sessions older than XY days. For example, delete all sessions older than 3 months.

I know that it can be done using "date" and after that the "preserve-to-date" argument ... just an idea how to tune this command :)

And the argument to be used at the moment for "preserve-to-date" will be the output of following:

date --iso-8601=seconds -d "-3 months"

It will print date exactly 3 months ago in ISO 8601 format.

Kind regards,
Jozko Mrkvicka
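
Added example, not part of the original post: the cutoff calculation above wrapped in a shell function with input validation, so that a scheduled job cannot hand an empty or too-recent value to "preserve-to-date" and purge audit history by accident. The function name, the 30-day floor and the use of fixed days (90 days rather than calendar months) are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: derive a "preserve-to-date" cutoff from a retention period.
# MIN_RETENTION_DAYS is an assumed audit floor, not a Check Point setting.
MIN_RETENTION_DAYS=30

# retention_cutoff DAYS [NOW_EPOCH]
# Prints the UTC timestamp DAYS before NOW_EPOCH (default: current time).
# Returns 2 on malformed input, 3 if DAYS is below the audit floor.
retention_cutoff() {
    local days now
    days="$1"
    now="${2:-$(date +%s)}"
    # Digits only, no leading zero: rejects empty, negative and free-text input
    case "$days" in
        ''|*[!0-9]*|0?*) echo "retention must be whole days" >&2; return 2 ;;
    esac
    case "$now" in
        ''|*[!0-9]*) echo "bad reference time" >&2; return 2 ;;
    esac
    if [ "$days" -lt "$MIN_RETENTION_DAYS" ]; then
        echo "refusing: $days days is below the $MIN_RETENTION_DAYS-day floor" >&2
        return 3
    fi
    # Same ISO 8601 shape as `date --iso-8601=seconds`, pinned to UTC
    date -u -d "@$(( now - days * 86400 ))" '+%Y-%m-%dT%H:%M:%S+00:00'
}

# Stand-alone demo: the "3 months" case from the post, taken as 90 days
retention_cutoff 90
```

Passing a fixed second argument (an epoch timestamp) makes the result reproducible, which is useful when the cutoff has to be recorded in a change ticket before the purge is run.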