General Management Topics

This space is the place to ask questions about Check Point's Security Management Appliances, Security Compliance, Upgrading your Security Management to R80.x, and more!

Moving Full HA R77.30 to R80.30 distributed on new gateways and open server management

Hi Community,

One of my clients currently has a Full HA environment running R77.30 on 4600 appliances. They have now purchased two 5100 appliances and a single open server to migrate from the full HA environment to the distributed environment on R80.30.

Has anyone got experience with this or a recommended method? I was thinking to do a migrate export/import, however would this also pull the gateway configuration given the HA setup or not? If it doesn't pull the gateway configuration then I guess I could use this export to get the new management server up and running. Then extract the clish configuration from the 4600 appliances relating to the gateways specifically to build the new 5100 gateways?

Also they have a 3200 standalone appliance on R77.30 which also needs to be upgraded to R80.30, anyone know if they operate okay on R80.30 as standalone?

Thanks in advance..
Jerry
Jerry inside General Management Topics an hour ago
views 140 20 1

Security Management Server is not running (after migration 77.30->80.30)

Any clues what steps to take in order to bring CPM/FWM live again? A few facts:

Product Name: Check Point Security Management Server
Major version: 6
Minor version: 0
Build number: 993000001
Is started: 0
Active status: active
Status: Security Management Server is not running

[Expert@cpm:0]# cpwd_admin list
APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 21947 E 1 [10:56:04] 11/11/2019 N cpviewd
CPVIEWS 21950 E 1 [10:56:04] 11/11/2019 N cpview_services
CPD 21965 E 1 [10:56:04] 11/11/2019 N cpd
FWD 22054 E 1 [10:56:05] 11/11/2019 N fwd -n
FWM 0 T 1 [10:56:05] 11/11/2019 N fwm
STPR 22071 E 1 [10:56:05] 11/11/2019 N status_proxy
CLOUDGUARD 22104 E 1 [10:56:05] 11/11/2019 N vsec_controller_start
CPM 22451 E 1 [10:56:06] 11/11/2019 N /opt/CPsuite-R80.30/fw1/scripts/cpm.sh -s
SOLR 22505 E 1 [10:56:06] 11/11/2019 N java_solr /opt/CPrt-R80.30/conf/jetty.xml
RFL 22560 E 1 [10:56:06] 11/11/2019 N LogCore
SMARTVIEW 22608 E 1 [10:56:06] 11/11/2019 N SmartView
INDEXER 22684 E 1 [10:56:06] 11/11/2019 N /opt/CPrt-R80.30/log_indexer/log_indexer
SMARTLOG_SERVER 22730 E 1 [10:56:06] 11/11/2019 N /opt/CPSmartLog-R80.30/smartlog_server
DASERVICE 23082 E 1 [10:56:07] 11/11/2019 N DAService_script

1. Migration from 77.30 to 80.30 was done based on https://community.checkpoint.com/t5/General-Management-Topics/R77-30-to-R80-10-SMS-Migration/td-p/36384
2. The new SMS is on a different IP address than the old one - we need to remain with the new SMS on the new IP address as the old one is still up&running and serves 77.30 clusters.
3. The goal is to have the new SMS with content from the old one with a new Cluster.
4. I wanted to reach out to TAC, but 1st I believe it is the so-called "best practice" to ask your mates ... so I did 🙂

Thanks for all your hints,

Jerry
Niko
Niko inside General Management Topics 4 hours ago
views 120 2

Amazon Web Services Dynamic IP Address

Hello everyone,

Is there any feature for the Firewall Blade where I can add a dynamic object for a link?

Issue: A program needs a connection to Amazon Web Services, but AWS is changing the IP address about every 2 days. I'm using SmartDashboard R77.30.

Thank you in advance
Chinmaya_Naik
Chinmaya_Naik inside General Management Topics yesterday
views 9747 13 3

Check Point Security Gateway freezes, crashes, or reboots randomly, core dump files are not created

CheckMates Admin Note: This document is an extract of the sk31511 SecureKnowledge article. Please refer to the SK for more details and a full view of the procedure.

Due to various causes, the Security Gateway may freeze or crash, also during policy installation, and in such cases no relevant information can be found in the system logs.

As we know, Gaia OS can be configured to dump a core file. The job of the core dump file (core file) is to record the memory images of running processes and their process status, like register values, etc. So whenever a failure happens, a core dump file is generated automatically. But sometimes the failure may be so hard that the core dump file is not generated. So to find the root cause we need to extract the necessary information from the operating system (memory stack).

NOTE :- The below procedure does not impact performance because we simply change the configuration of the Linux kernel.

I only demonstrate this for Gaia OS (R75.40 or above) running on 32-bit or 64-bit, in a proper step-by-step procedure. Please refer to sk31511 for the platforms below:

NGX SecurePlatform 2.6 (R70 and above)
NGX SecurePlatform 2.6 (R65 ENFv26)
NGX SecurePlatform 2.4 (R60 - R65)
VSX NGX R67 SecurePlatform 2.6
VSX NGX R65 SecurePlatform 2.4
VSX NGX Scalability Pack SecurePlatform 2.4
VSX NGX SecurePlatform 2.4
NG AI SecurePlatform 2.4

NOTE : This procedure is only supported on Gaia and SecurePlatform OS.

Scenario 01 :- Sometimes the issue may occur on both of the gateways.
Scenario 02 :- Sometimes the issue may occur on only one gateway.

REQUIREMENT:
Serial cable (RS232)
Laptop with adapter
SSH client for console access (PuTTY / SecureCRT / HyperTerminal / Tera Term / etc.)

NOTE :- Before running the below procedure, I recommend running the HARDWARE DIAGNOSTIC on the problematic gateway. Refer to sk97251 for more details. I also recommend running the interface test when running Hardware Diagnostics (a loopback cable is required for the interface test). If the Hardware Diagnostics run successfully and no issue is found (all tests passed), then proceed with the below procedure.

IMP NOTE:
1. Before you start the debug mode, a reboot is required on the problematic Security Gateway, and that gateway is going to be Active after the gateway comes up.
2. If I do this on the Standby member, then the Standby becomes Active.

STEP 01 :- Check the serial terminal (ttyS0 or ttyS1).
Take console access to the gateway using the serial cable and type the "w" command in expert mode; then we are able to find out from the output whether it is ttyS0 or ttyS1.
Note down the serial terminal output.

STEP 02 :- Check the Gaia OS edition (32-bit or 64-bit).
Now take SSH to the problematic gateway.
In CLISH mode run "show version all" and we are able to find out whether it is 32-bit or 64-bit.
Note down the output.

STEP 03 :- Back up the "grub.conf" file.
Now take SSH to the problematic gateway.
Go to EXPERT mode and type "cp /boot/grub/grub.conf /boot/grub/grub.conf_backup".
Verify whether the backup file exists or not with the "ls" command in the "/boot/grub/" location.

STEP 04 :- Modify the value of the "console=" parameter by editing the "grub.conf" file.
Example: "console=ttyS0" or "console=ttyS1"
Based on the 32-bit or 64-bit OS edition, we find the below output when editing the "grub.conf" file.

Example:- For Gaia OS 64-bit (R75.40 and above)

title Start in 64bit online debug mode
    root (hd0,0)
    kernel /vmlinuz-x86_64 ro  root=/dev/vg_splat/lv_current vmalloc=256M  panic=15 console=CURRENT kdb=on crashkernel=128M@16M 3
    initrd /initrd-x86_64

Now change the console parameter to "console=ttyS0" or "console=ttyS1".

For Example:-

title Start in 64bit online debug mode
    root (hd0,0)
    kernel /vmlinuz-x86_64 ro  root=/dev/vg_splat/lv_current vmalloc=256M  panic=15 console=ttyS0 kdb=on crashkernel=128M@16M 3
    initrd /initrd-x86_64

NOTE :- For the 32-bit OS edition refer to "title Start in 32bit online debug mode"; the rest of the process is the same as above.

Save the "grub.conf" file and type "wq!".

NOTE :- In some cases when we run KDB mode we see a message like "Oops", because USB drivers can cause a conflict with KDB. So for that please add "nousb".

Example:-

title Start in 64bit online debug mode
    root (hd0,0)
    kernel /vmlinuz-x86_64 ro  root=/dev/vg_splat/lv_current vmalloc=256M  panic=15 console=ttyS0 kdb=on nousb crashkernel=128M@16M 3
    initrd /initrd-x86_64

STEP 05 :- Connect the laptop to the Security Gateway using a serial cable (RS-232).
Open the SSH client (PuTTY / SecureCRT / HyperTerminal / Tera Term / etc.).
Below is the pre-configuration before we take SSH:
Data bits: 8
Baud rate: Default 9600 / depends upon the hardware (follow sk108095)
Parity: None
Stop bits: 1
Flow control (Enable): DTR/DSR, RTS/CTS, XON/XOFF

STEP 06 :- Increase the "Scrollback buffer" size, because it is required to record more information.
"Scrollback buffer = 32000"

STEP 07 :- Save the logs before you start the session.
For Example:- Using PuTTY: go to Session -> Logging -> select "All session output" (select the location to save the logs).
NOTE :- You can also save the logs later, once you have run all the relevant commands, but I recommend doing the above step (STEP 07) before running any command to collect the logs.

STEP 08 :- Reboot the Security Gateway.
In Expert mode run the command "reboot" and type "y".

STEP 09 :- Enter the boot menu.
Once we reboot the problematic Security Gateway, after some time we are able to see the below prompt:
"Press any key to see the boot menu..." [Booting in 5 seconds]
At this time we need to press any key to open the boot menu.

STEP 10 :- Now we need to start the machine in Debugging Mode.
On the boot menu we are able to see some options.
Now, based on the changes that we made by modifying the value in "grub.conf" [refer to STEP 04]: as per STEP 04, I changed the value in "title Start in 64bit online debug mode" to console=ttyS0, so I start the debug mode by selecting the option "Start in 64bit online debug mode".
After starting in debug mode, wait some time for it to load; then we are able to see the login prompt, and we enter the login details and password to log in.
After the login, the problematic Security Gateway becomes Active. (Previously that gateway may have been Active or Standby.)

STEP 11 :- Enable the online kernel debugger with the "echo" command.
[Expert@HostName]# echo 1 > /proc/sys/kernel/kdb
[Expert@HostName]# cat /proc/sys/kernel/kdb
(we are able to see "1" as output)

STEP 12 :- Test whether we are able to communicate with the kernel debugger or not.
For that we need to enter the kernel debugger prompt, so use one of the below:
"Ctrl + A" , "Ctrl + C" , "Ctrl + AA" , "ESC +K+D+B" , send a Break signal
NOTE :- Make sure that the keyboard layout is English, otherwise the gateway will freeze.
Now we are able to see the kernel prompt like "kdb>" and the below message:
"Entering kdb (current=0xXXXXXXXX, pid 0) due to Keyboard Entry"
NOTE :- Make sure that when we are at the "kdb" prompt no other process is running.

STEP 13 :- Check whether the memory stack is displayed or not.
Run the command "bt".
For Example :-

EBP        EIP         Function(args)
0x8194beac 0x8011eca1 context_switch+0x81 (0x803e3980, 0x8194a000, 0x803b4000, 0x43fc, 0x8194bef4)
                               kernel .text 0x80100000 0x8011ec20 0x8011ecf0

OR like this below

EBP        EIP         Function(args)
0x807adf80 0x80405deb apic_timer_interrupt+0x1f (0x0, 0x807ac000, 0x80403e10)

STEP 14 :- Exit the online kernel debugger mode and return to the regular prompt.
Run the command "kdb>go". After that we are able to see the regular prompt like "[Expert@HostName]#".
Now at this stage, all functionality on the problematic Security Gateway is normal.

STEP 15 :- Now we need to wait for the next freeze or crash to happen.
:- Try to install the policy multiple times to check whether the gateway is going to freeze or not.
IMP NOTE :- Make sure that the Security Gateway is connected to the laptop through the console port.
:- It is required because if the gateway freezes, we can directly run the required commands by entering the "kdb" mode.
:- Because during the issue we have limited time to run the required commands, it is better to keep the laptop connected to the Security Gateway.
:- If we do not connect a laptop to the Security Gateway, then during the issue we need to get console access to the Security Gateway and run the required commands, and that takes some time, so I recommend keeping the laptop connected until the next issue happens.

STEP 16 :- Once we face the issue (gateway freeze or crash), the below commands need to be run.
kdb>ps (complete list of processes running on the gateway)
kdb>dmesg (to display the syslog buffer) (NOTE: Press "ENTER" until the end of the output because we need to copy the complete output.)
kdb>summary (to show the kernel version and memory summary)
NOTE: If you have multiple CPUs, then you need to perform the below commands in the context of each CPU core.

STEP 17 :- kdb>cpu (to check the available CPU contexts)
For Example :- If we have 4 CPU cores then
kdb>cpu
Output :- Currently on cpu 0          Available cpus: 0 , 1 , 2 , 3
As we are already on CPU 0, we need to run the below commands for the rest of the CPU cores.
kdb>cpu 1 (NOTE: After entering the cpu 1 command we are able to see a message like "Entering kdb (current0xb7c4e530, pid 0) on processor 1 due to cpu switch")
kdb>bt
-----------------------------
kdb>cpu 2
kdb>bt
-----------------------------
kdb>cpu 3
kdb>bt
-----------------------------

STEP 18 :- Now copy all the logs and save them to any Notepad application to be on the safe side; we have also already configured the logs to be saved to a particular file location (STEP 07).

STEP 19 :- Return to the normal shell.
kdb>go
IMP NOTE :- Sometimes you may get output like the below:
"Catastrophic error detected"
"kdb_continue_catastrophic=0, type go a second time if you really want to continue"
"kdb_continue_catastrophic=0, attempting to continue"
"Kernel panic - not syncing"
:- In this case the KDB prompt may be stuck or may have crashed, so in this scenario reboot the Security Gateway manually or wait some time for the gateway to crash and reboot automatically.
:- Also, if sometimes the "bt" command does not run, then go to normal mode (follow STEP 12) and run the "bt" command again.

STEP 20 :- Disable the online kernel debugger.
[Expert@HostName]# echo 0 > /proc/sys/kernel/kdb
[Expert@HostName]# cat /proc/sys/kernel/kdb
NOTE :- The output shows "0".

STEP 21 :- Now reboot the Security Gateway to start the machine in Normal Mode.
[Expert@HostName]# reboot (type "y")

STEP 22 :- Follow STEP 09 to enter the boot menu.
Now we need to start the problematic gateway in "Normal Mode", so select "Start in Normal Mode".

FINAL STEP :- Analyze the output (ps, bt and dmesg commands) to find the root cause.

#Chinmaya Naik
Network Security Engineer, QOS Technology PVT LTD., INDIA
Bjoern_Baumann
Bjoern_Baumann inside General Management Topics yesterday
views 362 3 2

Where can I find more information on Check Point's integration with the Arista MSS solution?

I just found the solution brief (https://www.checkpoint.com/downloads/Partners/arista-solution-brief.pdf) and this YouTube video (https://www.youtube.com/watch?v=WEoC7ezPbVY).
Blason_R
Blason_R inside General Management Topics yesterday
views 263 6

Failed to upgrade R77.30 to R80.30 on Smart-1 210 appliance

Hi Guys,

Sometime back I tried upgrading Smart-1 210 from R77.30 to R8.10. PUV showed no warning. However, it failed at POST upgrade and here are the logs I am seeing.

Return code = 0
Output =
[2019-11-05 - 17:57:01][3233 7021]:about to copy file /etc/fstab to /etc/fstab.orig
[2019-11-05 - 17:57:06][3233 7021]:/bin/dbset :save command summary:
Return code = 0
Output =
[2019-11-05 - 17:57:06][3233 7021]:About to execute command: /bin/bash -x /mnt/fcd/post.sh upgrade /mnt/fcd >> /var/log/install_Major_R80.30_Mgmt_T200_1_detailed.log 2>&1
[2019-11-05 - 17:57:06][3233 7021]:Command /bin/bash -x /mnt/fcd/post.sh upgrade /mnt/fcd >> /var/log/install_Major_R80.30_Mgmt_T200_1_detailed.log 2>&1 execution failed, exit code=1
[2019-11-05 - 17:57:06][3233 7021]:Failed on Major_Post_Install_Script
[2019-11-05 - 17:57:06][3233 7021]:About to execute command: /bin/mount | /bin/grep -w "/mnt/fcd" | awk '{print $1}'
[2019-11-05 - 17:57:06][3233 7021]:/bin/mount | /bin/grep -w "/mnt/fcd" | awk '{print $1}' command summary:
Return code = 0
Output = /dev/mapper/vg_splat-lv_fcd_new
[2019-11-05 - 17:57:06][3233 7021]:About to execute command: /bin/umount -l /mnt/fcd
[2019-11-05 - 17:57:06][3233 7021]:/bin/umount -l /mnt/fcd command summary:
Return code = 0
Output =
[2019-11-05 - 17:57:06][3233 7021]:About to execute command: /usr/sbin/lvremove -fvv /dev/mapper/vg_splat-lv_fcd_new
[2019-11-05 - 17:57:06][3233 7021]:Command /usr/sbin/lvremove -fvv /dev/mapper/vg_splat-lv_fcd_new execution failed, exit code=5
[2019-11-05 - 17:57:06][3233 7021]:Command output: Setting global/locking_type to 1
File-based locking selected.
Setting global/locking_dir to /var/lock/lvm
Using logical volume(s) on command line
Locking /var/lock/lvm/V_vg_splat WB
/dev/ramdisk: No label detected
/dev/sda: size is 3907029168 sectors
/dev/md0: size is 0 sectors
/dev/vg_splat/lv_fcd_GAIA: No label detected
/dev/ram: No label detected
/dev/sda1: No label detected
/dev/vg_splat/lv_fcd_NGSE: No label detected
/dev/ram2: No label detected
/dev/sda2: No label detected
/dev/vg_splat/lv_fcd_R75.47sg: No label detected
/dev/ram3: No label detected
/dev/sda3: lvm2 label detected
/dev/vg_splat/hwdiag: No label detected
/dev/ram4: No label detected
/dev/vg_splat/lv_log: No label detected
/dev/ram5: No label detected
/dev/root: No label detected
/dev/ram6: No label detected
/dev/vg_splat/lv_SNAPSHOT_8APR17: No label detected
/dev/ram7: No label detected
/dev/vg_splat/lv_B4R8030: No label detected
/dev/ram8: No label detected
/dev/vg_splat/lv_fcd_new: No label detected
/dev/ram9: No label detected
/dev/ram10: No label detected
/dev/ram11: No label detected
/dev/ram12: No label detected
/dev/ram13: No label detected
/dev/ram14: No label detected
/dev/ram15: No label detected
/dev/sda3: lvm2 label detected
/dev/sda3: lvm2 label detected
Can't remove open logical volume "lv_fcd_new"
Unlocking /var/lock/lvm/V_vg_splat
[2019-11-05 - 17:57:06][3233 7021]:About to execute command: lsof | grep $( dmsetup info -c | awk '/vg_splat-lv_fcd_new/ {printf("%d,%d\n",$2,$3)}') | awk '{print($2)}' | sort -u | while read pid; do kill -9 $pid; done
[2019-11-05 - 17:57:17][3233 7021]:About to execute command: /usr/sbin/lvremove -fvv /dev/mapper/vg_splat-lv_fcd_new
[2019-11-05 - 17:57:17][3233 7021]:Command /usr/sbin/lvremove -fvv /dev/mapper/vg_splat-lv_fcd_new execution failed, exit code=5
[2019-11-05 - 17:57:17][3233 7021]:Command output: Setting global/locking_type to 1
File-based locking selected.
Setting global/locking_dir to /var/lock/lvm
Using logical volume(s) on command line
Locking /var/lock/lvm/V_vg_splat WB
/dev/ramdisk: No label detected
/dev/sda: size is 3907029168 sectors
/dev/md0: size is 0 sectors
/dev/vg_splat/lv_fcd_GAIA: No label detected
/dev/ram: No label detected
/dev/sda1: No label detected
/dev/vg_splat/lv_fcd_NGSE: No label detected
/dev/ram2: No label detected
/dev/sda2: No label detected
/dev/vg_splat/lv_fcd_R75.47sg: No label detected
/dev/ram3: No label detected
/dev/sda3: lvm2 label detected
/dev/vg_splat/hwdiag: No label detected
/dev/ram4: No label detected
/dev/vg_splat/lv_log: No label detected
/dev/ram5: No label detected
/dev/root: No label detected
/dev/ram6: No label detected
/dev/vg_splat/lv_SNAPSHOT_8APR17: No label detected
/dev/ram7: No label detected
/dev/vg_splat/lv_B4R8030: No label detected
/dev/ram8: No label detected
/dev/vg_splat/lv_fcd_new: No label detected
/dev/ram9: No label detected
/dev/ram10: No label detected
/dev/ram11: No label detected
/dev/ram12: No label detected
/dev/ram13: No label detected
/dev/ram14: No label detected
/dev/ram15: No label detected
/dev/sda3: lvm2 label detected
/dev/sda3: lvm2 label detected
Can't remove open logical volume "lv_fcd_new"
Unlocking /var/lock/lvm/V_vg_splat
[2019-11-05 - 17:57:17][3233 7021]:volume cleanup failed.
[2019-11-05 - 17:57:17][3233 7021]:remaining open files:
[2019-11-05 - 17:57:17][3233 7021]:failed to remove partition

Block email to recipient in CheckPoint MTA

Hi.

In our previous "Mail Gateway" I had the ability to block incoming mail to specific recipients, like inactive mailboxes and so on. Doing so, the mail gateway did not need to scan the mail or relay it to the Exchange server. It just dropped the mail.

We are now using CheckPoint as MTA. Is there a way to do that in CheckPoint? Like a "Black List" but for internal recipients.

Thanks.
/Tobias
Vladimir
Vladimir inside General Management Topics yesterday
views 104 3

R80++ upgrade replacing topology definitions

Encountered this at one of my clients: In R77.30 they had multiple interfaces defined as "External" in topology. I do not want to debate how and if it was wrong to do so, but the fact remains that the upgrade process changed those to "this network":  
Tobias_Moritz
Tobias_Moritz inside General Management Topics yesterday
views 196 3

TCP start timeout per gateway / service - override global properties

Hello community,

there are various timeouts set for the firewall state machine in the global properties of the management domain:

TCP start
TCP session
TCP end
UDP virtual session
ICMP virtual session
Other IP virtual session
SCTP start
SCTP session
SCTP end

I know that we can override the session timeouts for TCP, UDP, ICMP, other IP and SCTP by modifying the advanced properties of the service object used in the relevant firewall rule.

I have a specific use case where I want to override the TCP start timeout without changing it for all gateways in this management domain. Override per gateway would be nice, override per service object even better.

As far as I know, this is not possible. Am I right with that? Does anyone know a way to do so?

R80.30 T200 Jumbo HFA T50

Thank you for your thoughts!
Al_Marti
Al_Marti inside General Management Topics Sunday
views 985 8 2

R80.20 install on Power-1 5070

For various reasons we would like to get more life out of a pair of Power-1 5070 appliances and run R80.20 on them. Officially Checkpoint does not support R80.20 on the hardware, which is understandable. But there is still a lot of life left in the hardware and I would like to just run it as an open server hardware gateway cluster since it is really just x64 server hardware.

When booting from the R80.20 gateway fresh install ISO it recognizes that it is a 5070 and aborts the install as per the attached screen shot.

I was hoping that some configuration in the BIOS was allowing the installation package to determine the hardware was a 5070, so I obtained the BIOS ROM password and booted into the BIOS. Unfortunately after scouring the BIOS I don't see anything that would refer to a 5070 or P-10-00.

Does anyone have any other ideas on how the installation package is identifying the hardware as a 5070?

I have taken apart the installation package and think I have found the file that triggers the installation abort condition:

./hwdiag/system/base/appliance_configuration.xml

and can just change the following:

<model manufacturer="CheckPoint" type="P-10-00" blocked="true">
<name>Power-1 5070</name>
</model>

to

<model manufacturer="CheckPoint" type="P-10-00" blocked="false">
<name>Power-1 5070</name>
</model>

and then just rebuild the installation package with mkisofs, but that is more of a hack rabbit hole than I want to go down.

Anyways, if anyone else has some ideas please let me know.

Thanks,
Al
Maria_Pologova
Maria_Pologova inside General Management Topics Friday
views 6686 6 3

Install database process

Hello.

I'm struggling to find information about what "Install Database" in R77.30 actually does. I understand that it is necessary to install database after configuring Mail Alerts, Log servers, something that is related to management components. Is it the same process that happens when Management Servers are being synchronized upon policy installation?

I hope you could give me some insight or share links where I could read about this.

Thank you in advance.

R80.10 to R80.30 upgrade

Hello, how can I upgrade from R80.10 to R80.30 on CPUSE? Is this just only the Clean install option after downloading the "R80.30 Fresh Install and Upgrade for Security Gateway" file?

IPS update - error occurred while checking update in R80.10

Earlier in my environment IPS update was working fine. I have one console server which is connected to my internal (HA mode) and external (HA mode) firewall. When I installed some duplicate policies on my external firewall, I observed IPS is getting an error like "error occurred while checking update" on both internal and external firewall. I ran a manual update and am still getting the same error. Any suggestion to resolve this?

R80.20 CDT Versus SmartUpdate (FIGHT!)

Hello all,

First post so please take it easy on me...

Why can't we upgrade managed firewalls (Service Packs and various updates) through a SmartUpdate-like utility? Forgive me if this has been asked before.