This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Danny
Champion Champion
Champion
‎2019-03-22 06:23 AM
Jump to solution

R80.20 Issue : Monitoring standby cluster members via VPN

As a Check Point Partner we are monitoring the Check Point systems of our customers via SNMPv3 over VPN.

When monitoring standby cluster nodes via VPN this of course leads to a "Clear text packet should be encrypted" error in ClusterXL as the active cluster node already decrypts the SNMP packets and forwards it in clear text to the standby member which expects the packets to be encrypted.

The solution always was sk42733:

[Expert@node1:0]# cat $FWDIR/boot/modules/fwkern.conf
fwha_forw_packet_to_not_active=1

[Expert@node2:0]# cat $FWDIR/boot/modules/fwkern.conf
fwha_forw_packet_to_not_active=1

Check Point stopped supporting this option in R80.20.

It works in all versions prior to R80.20. The official statement is that it's by design of the product as mentioned in Scenario 1 of sk93204. The interesting point is that initially Check Point Support tried to fix it by providing us with a hotfix which didn't work and only then started to argue about the product design.

This means for all Check Point users out there:

  • You cannot directly login to standby cluster nodes via VPN anymore (SSH, GAiA WebUI)
  • You cannot securely monitor the standby cluster nodes via VPN (ICMP, SNMP)
  • You need to create workarounds that make troubleshooting times longer and raise complexity

 

1 Solution

Accepted Solutions
Danny
Champion Champion
Champion
‎2019-05-28 03:15 PM
In response to Danny
Jump to solution

Check Point has addressed this issue in R80.20 Jumbo Hotfix (Take 80).

CP is no longer recommending changing the flag fwha_forw_packet_to_not_active flag, as described in sk93204.

View solution in original post

13 Replies
PhoneBoy
Admin
Admin
‎2019-03-22 06:36 AM
Jump to solution

Can you send me the related SR privately? Let me ask around in R&D.
0 Kudos
Kim_Moberg
Advisor
‎2019-03-22 06:44 AM
Jump to solution

Hi Danny

I tried the same fwkern.conf change but didn't work too.

Heard about a work-around to create a no-nat rule to each secure gateway.

Else I installed JHF43 which had a fix to this issue, but I am not sure if this solved SNMP issue you are describing.

 

Best Regards
Kim
0 Kudos
Danny
Champion Champion
Champion
‎2019-05-03 01:44 PM
In response to Kim_Moberg
Jump to solution

Check Point support provided a working hotfix to R80.20 JHF (Take 43). However, it's not working from Take 47 anymore. Waiting for a new hotfix..

Vladimir
Champion
Champion
‎2019-05-03 07:00 PM
In response to Danny
Jump to solution

This really shouldn't be a hotfix.

I'd expect this to be a part of the JHFAs and version releases as a prerequisite.

Norbert_Bohusch
Advisor
‎2019-05-04 01:03 AM
In response to Vladimir
Jump to solution

I already told my colleagues to open as many SRs as possible for this issue (so for each customer we upgrade to R80.20), so TAC has awareness this should be part of JHF
PhoneBoy
Admin
Admin
‎2019-05-05 12:39 PM
In response to Vladimir
Jump to solution

There are specific requirements that hotfixes have to meet before they are rolled into a jumbo.
Not knowing anything about the specific hotfixes, I can't comment what the specific issues are in this case.
That said, awareness of a widespread issue is definitely a factor, so open those SRs 🙂
0 Kudos
Kim_Moberg
Advisor
‎2019-05-04 01:10 AM
Jump to solution

Hi Danny
i just solved this with R&D.
Yes fwha_forw_packet_to_not_active=1 will not do any difference.
You need a jhf with both accpck and fw_wrapper.
Last part have been to use kernel command fwha_cluster_hide_ip=1 instead.

But again you need to have 2 hotfixed installed on top of r80.20 take 47 GA

Best regards
Kim
Best Regards
Kim
Kim_Moberg
Advisor
‎2019-05-15 11:32 PM
In response to Kim_Moberg
Jump to solution

Hi @Danny 

A small update.

Found the SK related to this issue.

SK147493: Unable to connect to the Standby Cluster member from a non-local subnet via SSH or WebUI

SK93204: ClusterXL: Accessing Standby member through IPSec VPN

 

When using R80.20 GA Take 47 I had to upgrade these hotfix before getting it to work.

accel_HOTFIX_R80_20_JHF_T47_001_MAIN_GA_FULL.tgz
fw1_wrapper_HOTFIX_R80_20_JHF_T47_001_MAIN_GA_FULL.tgz

I had to use fwkern settings fwha_cluster_hide_active_only=1.


Yesterday I did a CPUSE in-place upgrade to R80.30 T200 Official GA release.
fwkern settings was saved due to upgrade but I cannot access SSH and Web UI over VPN after. Ping work.

Back to same issue again. Opened a new case and linked to the original case. 

I will keep you updated if anything new happens 🙂

Best Regards
Kim
Martin_Valenta
Advisor
‎2019-05-16 12:08 AM
Jump to solution

We've also wanted in past to monitor firewall clusters on internet via VPN, but it doesn't make sense to send it to tunnel when using ssh, snmpv3 and restricted source IP access.

Danny
Champion Champion
Champion
‎2019-05-16 12:16 AM
In response to Martin_Valenta
Jump to solution

It makes perfect sense to monitor the status of standby cluster members in order to known if they are available in cases of cluster failovers. Check Point provides working solutions also for the latest JHF take. I hope they'll include it with the next JHF take in order to avoid having to install an additional hotfix.

Danny
Champion Champion
Champion
‎2019-05-28 03:15 PM
In response to Danny
Jump to solution

Check Point has addressed this issue in R80.20 Jumbo Hotfix (Take 80).

CP is no longer recommending changing the flag fwha_forw_packet_to_not_active flag, as described in sk93204.

Kim_Moberg
Advisor
‎2019-05-28 09:25 PM
In response to Danny
Jump to solution

Hi Danny
Thats the one I have been refering to.
PMTR-33209, PMTR-30582

If you upgrade to R80.30 it is not released in the first version. Wait for the first GA take or ask for JHF that solves this issue.
Best Regards
Kim
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top