This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Rui_Gomes_PT
Contributor
‎2020-02-28 02:45 AM

R80.40 - Issues

Hi,

 

Deployed R80.40 on 2 clusters and these are the issues I'm facing:

 

  • Some times when installing a policy I get the error "Installation failed. Reason: Load on Module failed - problem with the Commit Function." on one of the nodes. On second (or third) try the policy is installed;
  • Currently we have one management machine that is also the Smart Event server and correlation unit.  On this version if I enable the SmartEvent I get multiple issues.. Several processes (SmartLog_Server, SmartView,etc) do several restarts. The logs are not displayed in real time. etc
  • Custom Intelligence Feeds (based on sk132193) the feeds are configured correctly, but after some time I get "Feed log External IOC - Failed to load indicators". On some nodes this problem is fixed with no intervention, but after some time it returns;
  • On rare occasions after a reboot one of the nodes loads the initial policy (this started occurring only after upgrade to R80.40

 

Hope this helps with the first R80.40 hotfix

20 Replies
Danny
Champion
Champion
‎2020-02-28 04:32 AM

Which Check Point Appliances are you using?

0 Kudos
Rui_Gomes_PT
Contributor
‎2020-02-28 04:34 AM
In response to Danny

@Danny  15400, with management on vmware

Benedikt_Weissl
Advisor
‎2020-02-28 07:43 AM

Is IPS enabled? Any drops between SMS and Cluster Nodes in the log? How high is the load on your active Gateways?
0 Kudos
Rui_Gomes_PT
Contributor
‎2020-02-28 07:46 AM
In response to Benedikt_Weissl

IPS is enabled.. Regarding the load.. The same load we had on R80.30 and previous..
0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-28 08:06 AM

You have any TAC cases on these issues?
0 Kudos
Rui_Gomes_PT
Contributor
‎2020-02-28 08:13 AM
In response to PhoneBoy

@PhoneBoy  not yet. Will open one next week.. Just posted this issues here to see if there was anyone with the same issues...

0 Kudos
Daniel_Kavan
Advisor
‎2020-06-10 12:05 PM
In response to Rui_Gomes_PT

What does everyone think about this idea?

Run one clusterXL gateway node with R80.40 (3.10) XFS (re-formatted, re-built), but the other R80.40 (3.10) node will still be running with ext3 exclusively.   Would that be supported?   

0 Kudos
PhoneBoy
Admin
Admin
‎2020-06-10 08:04 PM
In response to Daniel_Kavan

Assuming otherwise same hardware, I don't believe it will be an issue.
0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-06-11 12:06 AM
In response to PhoneBoy

hi @Rui_Gomes_PT ,

 

It might be crazy or funny but i encounter such case where i had duplicate IP and on the Duplicated IP i had initial policy.

so each reboot i saw initial_policy instead of real policy.

 

Any chance that you have Duplicate IP?

If not do you see any failure messages in dmesg post boot?

0 Kudos
Daniel_Kavan
Advisor
‎2020-06-12 11:28 AM
In response to Ilya_Yusupov

It would be nice if when you did a fresh install of R80.40 for example in CPUSE it would ask for your formatting size, and IP addresses so you could do a fresh install from CPUSE, rather than mounting an ISO.

Boaz_Orshav
Employee
Employee
‎2020-06-13 09:14 PM
In response to Daniel_Kavan

Hi
CPUSE is for version clean installation while iso is for machine clean installation.
There are many differences such as CPUSE does not re-install the log partition, logs from previous installations are kept etc.
Most important - CPUSE creates a snapshot during installation which makes the revert easy and if the installation fails it automatically reverts.
Such features are not supported on iso installation where you can change partition size, file system (xfs/ext3) and others.
PhoneBoy
Admin
Admin
‎2020-06-14 12:55 AM
In response to Daniel_Kavan

Installing from ISO completely reformats the hard drive, which is necessary in certain circumstances (e.g. changing from ext3 to xfs, which also changes the partitioning scheme).
This is not possible when upgrading from CPUSE.
Daniel_Kavan
Advisor
‎2020-07-22 08:04 AM
In response to PhoneBoy

Hi!

Has anyone run into issues with trouble getting to hosted http2 websites behind R80.40.  I have a TAC issue for this as well.   Traffic comes into DMZ#1 to hit an Apache reverse proxy then is terminated and sent to DMZ#2 webservers.  HTTPS inspection is turned off on this gateway.


This shows in not working with http2
curl --http2 -k https://new-sterling.mydomain.com <html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.

 

This shows it working with http 1.1
curl --http1.1 -k https://new-sterling-mydomain.com
<html>
<body bgcolor=white>
<center>Hello World!</center>

 

UPDATE: This working now, it was NOT an issue with HTTP/2 or R80.40.  

0 Kudos
PhoneBoy
Admin
Admin
‎2020-07-22 08:52 AM
In response to Daniel_Kavan

My understanding is that HTTPS Inspection is required for HTTP/2 support.

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2020-07-22 08:52 AM
In response to Daniel_Kavan

hi @Daniel_Kavan ,

 

i will take it offline with you.

 

Thanks,

Ilya 

0 Kudos
Daniel_Kavan
Advisor
‎2020-08-24 10:33 AM

Subject: R80.40 or R81

Does anyone know if Check Point is working on or has the capability to upgrade to a new major version of Check Point with out getting a new AMI from AWS.  For example if I have a firewall with a R80.30 AMI up and running can I update to R80.40 with out needing to get a new AMI?   Or is that capability not until R81?   Could I upgrade from R80.30 to R81 with the current AMI or do I still need a new AMI?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-08-24 03:16 PM
In response to Daniel_Kavan

As far as I know, this isn't possible currently.
Will it be in the future? Don't know.
I do know prior to R80.40, the AMI versions weren't exactly maintrain as they were on the 3.10 kernel, which was not maintrain on gateways.
There are a few other differences as well.
That suggests it may be possible in the future, but there may be some technical reason why we can't do it.

Daniel_Kavan
Advisor
‎2020-08-25 07:09 AM

I can send Gaia OS syslogs (/var/log/messages)  to smartlog, but I can't search and sort on the message itself.   IOW, the messages aren't indexed.    Blade:Syslog shows the logs in R80.30.  I can then see the messages if I open up each log.   However, I can't search or sort the messages.  It would be nice to combine all the like messages or even create a report on them.   Is there any additional capability for syslog in R80.40 or in the plans for R81?

0 Kudos
PhoneBoy
Admin
Admin
‎2020-08-25 10:25 AM
In response to Daniel_Kavan

The specific field used for syslog messages is not indexed.
That means you can't search or run reports on it. 
That hasn't changed in R80.40 and don't believe that's changed in R81 either.

Understanding your precise use cases may be useful here, as we'd also probably have to parse the syslog messages more than we do currently (something that's not currently done, either).

0 Kudos
Daniel_Kavan
Advisor
‎2020-08-25 10:49 AM
In response to PhoneBoy

Searching by kernel Alert.

Searching by warning

search by informational

grouping all like messages together.

searching messages on keyword

It would save admins time from logging on to each server /var/log/messages each day.

Running a daily report thru smartevent or sending alerts out in real time RE: system health

0 Kudos
Labels