Agent_Smith
Contributor

Patch install investigation

We have one firewall running on R80.40 180 and R80.40 173. Is there a way to verify the date when one of the firewalls was patched? We'd like to see if one firewall downgraded or if one never got patched.

Chris_Atkinson
Employee

Should be some logs here /opt/CPInstLog/

CCSM R77/R80/ELITE
Agent_Smith
Contributor

Thanks, I went there in WinSCP. Is there something specific to look for? There are a lot of folders and files there. I uploaded a screenshot from each of the directories on both firewalls. One that is at 180 and one that is 173.

the_rock
Legend

You can grep for that take, something like grep -i T180 /opt/CPInstLog/*

Andy

Agent_Smith
Contributor

Thanks what would that accomplish, to see if there are files related to 180?

I tried that and got CLINFR0329 Invalid command:'grep -i T180 /opt/CPInstLog/*'.

 

Basically we need to see if this rolled back on its own from 180 to 173, if so that's a big problem.

or

If one was never upgraded. (unlikely but possible)

the_rock
Legend

To see if there are any lines containing T180...command definitely works, I just did it on my lab

 

[Expert@CP-FW-1:0]# grep -i T180 /opt/CPInstLog/*

Agent_Smith
Contributor

I got it to work in expert.

Is there something specific I should be looking for, there is a lot of info related to 180 yet the gateway is on 173, quite the mystery.

the_rock
Legend

That's a good question. I would try running the same command, but something that may give more insightful info needed. So, below is from my lab, not sure if it would help.

Andy

It's R81.20, but version makes no difference, it's a Linux command, so worked the same even in R55 lol

/opt/CPInstLog/install_CPUpdates_BUNDLE_R81_20_JUMBO_HF_MAIN_1.log:[2023-06-03 - 07:42:15][17603 18782]:Testing file: /opt/CPda/repository/CheckPoint#CPUpdates#All#6.0#5#4#BUNDLE_R81_20_JUMBO_HF_MAIN#14/Check_Point_R81_20_JUMBO_HF_MAIN_Bundle_T14_FULL.tgz >>> tar=yes, gzipped=yes
/opt/CPInstLog/install_CPUpdates_BUNDLE_R81_20_JUMBO_HF_MAIN_1.log:[2023-06-03 - 07:42:15][17603 18782]:About to execute command: nice -n 19 gtar --use-compress-program=pigz -xvf /opt/CPda/repository/CheckPoint#CPUpdates#All#6.0#5#4#BUNDLE_R81_20_JUMBO_HF_MAIN#14/Check_Point_R81_20_JUMBO_HF_MAIN_Bundle_T14_FULL.tgz -C /var/log/tmp/bundle_tmpdir_CheckPoint#CPUpdates#All#6.0#5#4#BUNDLE_R81_20_JUMBO_HF_MAIN#14_XAdauc
/opt/CPInstLog/install_CPUpdates_BUNDLE_R81_20_JUMBO_HF_MAIN_1.log:[2023-06-03 - 07:42:33][17603 18782]:Starting install of Check_Point_R81_20_JUMBO_HF_MAIN_Bundle_T14_FULL.tgz
grep: /opt/CPInstLog/progressFiles: Is a directory
grep: /opt/CPInstLog/registry_backup: Is a directory
grep: /opt/CPInstLog/svn: Is a directory

 

Also, it's easy to see from web UI when it was installed, see below.

Screenshot_1.png

Agent_Smith
Contributor

The webgui is unavailable atm. I think something unrelated to do with ciphers.

The install date was Feb 4


/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 09:53:53][5722 14498][HIGH MSG_INSTALL_INITIATING]: Initiating install of fw1_wrapper_HOTFIX_R80_40_JHF_T180_653_MAIN_GA_FULL.tgz
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 09:53:54][5722 14498]:isDeplAllowed:: Pre isHFA path: /opt/CPda/repository/CheckPoint#fw1#All#6.0#5#1#HOTFIX_R80_40_JHF_T180_653_MAIN#99400
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 09:54:20][5722 14498][HIGH DALOG_NORMAL]: Setting current time as installation time for the package: fw1_wrapper_HOTFIX_R80_40_JHF_T180_653
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 09:54:24][5722 14498][HIGH DALOG_NORMAL]: Found recommendation for Check_Point_R80_40_JUMBO_HF_Bundle_T180_sk165456_FULL.tgz.
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 09:54:26][5722 14498][HIGH MSG_INSTALL_SUCCEEDED]: Package fw1_wrapper_HOTFIX_R80_40_JHF_T180_653_MAIN_GA_FULL.tgz was installed successful
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 09:54:42][5722 14498][HIGH DALOG_NORMAL]: Found recommendation for Check_Point_R80_40_JUMBO_HF_Bundle_T180_sk165456_FULL.tgz.
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 09:54:44][5722 14498][HIGH DALOG_NORMAL]: Received request for collecting external tools logs after fw1_wrapper_HOTFIX_R80_40_JHF_T180_653_
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 10:01:27][5099 5099][HIGH DALOG_NORMAL]: Found recommendation for Check_Point_R80_40_JUMBO_HF_Bundle_T180_sk165456_FULL.tgz.
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 10:01:28][5099 5099][HIGH DALOG_NORMAL]: Package CheckPoint#fw1#All#6.0#5#1#HOTFIX_R80_40_JHF_T180_653_MAIN#994000002 is compatible to inst
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 10:01:29][5099 5099][HIGH DALOG_NORMAL]: Found recommendation for Check_Point_R80_40_JUMBO_HF_Bundle_T180_sk165456_FULL.tgz.

 

Agent_Smith
Contributor

I also found this.

/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-26 - 11:42:43][5099 14487][HIGH DALOG_NORMAL]: Deleting file /opt/CPda/repository/CheckPoint#Major#All#6.0#5#1#BLINK_R80_40_T294_JHF_T180_GW and#All#6.0#5#1#BLINK_R80_40_T294_JHF_T180_GW,/opt/CPda/backup/CheckPoint#Major#All#6.0#5#1#BLINK_R80_40_T294_JHF_T180_GW
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-26 - 11:42:43][5099 14487][HIGH DALOG_NORMAL]: Failed to remove /opt/CPda/repository/CheckPoint#Major#All#6.0#5#1#BLINK_R80_40_T294_JHF_T180_GW
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-26 - 11:42:43][5099 14487][HIGH MSG_PKG_REMOVED_FROM_CLOUD]: Package <b>[Latest] R80.40 Security Gateway + JHF T180 for Appliances and Open Servnt cloud. Removing the package from your list.

the_rock
Legend

That's promising...appears someone was working on it Feb 4th 2023, or if you look at it from European standards, April 2nd ; )

Agent_Smith
Contributor

But it doesn't explain why it's on 173 when it was in theory upgraded to 180 on Feb 4.

the_rock
Legend

Well...not really. There is no concrete proof it was upgraded on Feb 26th, is there? Do we see log stating so? Sorry, I said Feb 4th, I looked at my logs by mistake. Yours show Feb 26th...do this command

 

[Expert@CP-FW-1:0]# grep -i 2023-02-26 /opt/CPInstLog/* > /var/log/installlog.txt

Don't worry about errors, you will get the file. Go to WinSCP, get it, open in Notepad++ and check carefully all the logs.

Agent_Smith
Contributor

Ours were supposed to be upgraded on 2/4/2023.

the_rock
Legend

Then do exact same command I gave, but put 2023-02-04 instead : - )

Agent_Smith
Contributor

This is what was returned. Why would it say r77.30? 

grep -i 2023-02-04 /opt/CPInstLog/* > /var/log/installlog.txt
grep: /opt/CPInstLog/AutoUpdateLogs: Is a directory
grep: /opt/CPInstLog/DIlogs: Is a directory
grep: /opt/CPInstLog/collectors: Is a directory
grep: /opt/CPInstLog/install_CPUpdates_BUNDLE_R77_30_JUMBO_HF_3.logDir: Is a directory
grep: /opt/CPInstLog/install_CPUpdates_BUNDLE_R77_30_JUMBO_HF_4.logDir: Is a directory
grep: /opt/CPInstLog/install_CPUpdates_BUNDLE_R77_30_JUMBO_HF_5.logDir: Is a directory
grep: /opt/CPInstLog/install_CPUpdates_BUNDLE_R77_30_JUMBO_HF_6.logDir: Is a directory
grep: /opt/CPInstLog/progressFiles: Is a directory
grep: /opt/CPInstLog/registry_backup: Is a directory
grep: /opt/CPInstLog/svn: Is a directory

 

On the other cluster member that has the correct R80.40 180 version this is what shows:

grep -i 2023-02-04 /opt/CPInstLog/* > /var/log/installlog.txt
grep: /opt/CPInstLog/AutoUpdateLogs: Is a directory
grep: /opt/CPInstLog/DIlogs: Is a directory
grep: /opt/CPInstLog/collectors: Is a directory
grep: /opt/CPInstLog/install_CPUpdates_BUNDLE_R80_40_JUMBO_HF_MAIN_2.logDir: Is a directory
grep: /opt/CPInstLog/install_CPUpdates_BUNDLE_R80_40_JUMBO_HF_MAIN_3.logDir: Is a directory
grep: /opt/CPInstLog/install_CPUpdates_BUNDLE_R80_40_JUMBO_HF_MAIN_4.logDir: Is a directory
grep: /opt/CPInstLog/progressFiles: Is a directory
grep: /opt/CPInstLog/registry_backup: Is a directory
grep: /opt/CPInstLog/svn: Is a directory

the_rock
Legend

Most likely something left off from old days, but it's weird other one does not have it. I would verify for sure with TAC.

Agent_Smith
Contributor

I'd like to say thank you, your command and help was superior to all of TAC.

the_rock
Legend

Glad we can help. Is issue solved?

Andy
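
Added example, not part of any post in this thread and not Check Point tooling: the greps above return hundreds of lines per take, so this filter reduces Deployment Agent log output to one line per install event and compares the last successful install with the take the gateway reports. The function names are hypothetical, the `MSG_INSTALL_*` tags and sample lines are the ones quoted in the thread, and the running take (`T173`) is assumed to be supplied by the operator.

```shell
#!/bin/bash
# Added example: Deployment Agent install timeline per Jumbo take.
# Function names are hypothetical; the MSG_INSTALL_* tags come from the thread.

# Reads log lines on stdin (raw, or "file:"-prefixed as grep prints them) and
# emits "<date> <time> <tag> <take>" for each MSG_* event that names a take.
# DALOG_NORMAL chatter and grep's "Is a directory" noise fall through unmatched.
da_timeline() {
  sed -n -E 's/^.*\[([0-9]{4}-[0-9]{2}-[0-9]{2}) - ([0-9:]{8})\]\[[0-9 ]+\]\[[A-Z]+ (MSG_[A-Z_]+)\]:.*JHF[_ ](T[0-9]+).*$/\1 \2 \3 \4/p' |
    LC_ALL=C sort
}

# Take named by the most recent MSG_INSTALL_SUCCEEDED event (empty if none).
latest_installed_take() {
  da_timeline | awk '$3 == "MSG_INSTALL_SUCCEEDED" { take = $4 } END { if (take != "") print take }'
}

# Succeeds only if the take the gateway reports ($1) is the last one the log
# shows as installed; a mismatch means the log and the running system disagree.
take_matches_log() {
  [ "$(latest_installed_take)" = "$1" ]
}

# Constructed sample: three lines quoted in the thread plus one grep error line.
sample_log() {
  cat <<'EOF'
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 09:53:53][5722 14498][HIGH MSG_INSTALL_INITIATING]: Initiating install of fw1_wrapper_HOTFIX_R80_40_JHF_T180_653_MAIN_GA_FULL.tgz
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 09:54:24][5722 14498][HIGH DALOG_NORMAL]: Found recommendation for Check_Point_R80_40_JUMBO_HF_Bundle_T180_sk165456_FULL.tgz.
/opt/CPInstLog/DeploymentAgent.log.1:[2023-02-04 - 09:54:26][5722 14498][HIGH MSG_INSTALL_SUCCEEDED]: Package fw1_wrapper_HOTFIX_R80_40_JHF_T180_653_MAIN_GA_FULL.tgz was installed successful
grep: /opt/CPInstLog/svn: Is a directory
EOF
}

sample_log | da_timeline
if sample_log | take_matches_log T173; then
  echo "log agrees with running take T173"
else
  echo "log says $(sample_log | latest_installed_take) was installed last, gateway reports T173"
fi

# On a gateway (expert mode), -r avoids the "Is a directory" errors:
#   grep -rh 'MSG_' /opt/CPInstLog/ 2>/dev/null | da_timeline
```

Run the same filter on both cluster members and diff the two timelines; an install that succeeded on one member and has no matching event on the other is the first thing to take to TAC.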
