Rui_Gomes_PT
Contributor

R80.40 - Issues

Hi,

 

Deployed R80.40 on 2 clusters and these are the issues I'm facing:

 

  • Sometimes when installing a policy I get the error "Installation failed. Reason: Load on Module failed - problem with the Commit Function." on one of the nodes. On the second (or third) try the policy is installed;
  • Currently we have one management machine that is also the SmartEvent server and correlation unit. On this version, if I enable SmartEvent I get multiple issues. Several processes (SmartLog_Server, SmartView, etc.) do several restarts. The logs are not displayed in real time, etc.;
  • Custom Intelligence Feeds (based on sk132193): the feeds are configured correctly, but after some time I get "Feed log External IOC - Failed to load indicators". On some nodes this problem is fixed with no intervention, but after some time it returns;
  • On rare occasions after a reboot one of the nodes loads the initial policy (this started occurring only after the upgrade to R80.40).

 

Hope this helps with the first R80.40 hotfix

20 Replies
Danny
Champion

Which Check Point Appliances are you using?

0 Kudos
Rui_Gomes_PT
Contributor

@Danny  15400, with management on vmware

Benedikt_Weissl
Advisor

Is IPS enabled? Any drops between SMS and Cluster Nodes in the log? How high is the load on your active Gateways?
0 Kudos
Rui_Gomes_PT
Contributor

IPS is enabled.. Regarding the load.. The same load we had on R80.30 and previous..
0 Kudos
PhoneBoy
Admin

You have any TAC cases on these issues?
0 Kudos
Rui_Gomes_PT
Contributor

@PhoneBoy not yet. Will open one next week. Just posted these issues here to see if there was anyone with the same issues...

0 Kudos
Daniel_Kavan
Advisor

What does everyone think about this idea?

Run one clusterXL gateway node with R80.40 (3.10) XFS (re-formatted, re-built), but the other R80.40 (3.10) node will still be running with ext3 exclusively.   Would that be supported?   

0 Kudos
PhoneBoy
Admin

Assuming otherwise same hardware, I don't believe it will be an issue.
0 Kudos
Ilya_Yusupov
Employee

Hi @Rui_Gomes_PT,

It might be crazy or funny, but I encountered such a case where I had a duplicate IP, and on the duplicated IP I had the initial policy.

So on each reboot I saw initial_policy instead of the real policy.

Any chance that you have a duplicate IP?

If not, do you see any failure messages in dmesg post boot?

0 Kudos
Daniel_Kavan
Advisor

It would be nice if when you did a fresh install of R80.40 for example in CPUSE it would ask for your formatting size, and IP addresses so you could do a fresh install from CPUSE, rather than mounting an ISO.

Boaz_Orshav
Employee

Hi
CPUSE is for version clean installation while ISO is for machine clean installation.
There are many differences, such as: CPUSE does not re-install the log partition, logs from previous installations are kept, etc.
Most important: CPUSE creates a snapshot during installation, which makes the revert easy, and if the installation fails it automatically reverts.
Such features are not supported on ISO installation, where you can change partition size, file system (xfs/ext3) and others.
PhoneBoy
Admin

Installing from ISO completely reformats the hard drive, which is necessary in certain circumstances (e.g. changing from ext3 to xfs, which also changes the partitioning scheme).
This is not possible when upgrading from CPUSE.
Daniel_Kavan
Advisor

Hi!

Has anyone run into issues with trouble getting to hosted HTTP/2 websites behind R80.40? I have a TAC issue for this as well. Traffic comes into DMZ#1 to hit an Apache reverse proxy, then is terminated and sent to DMZ#2 webservers. HTTPS inspection is turned off on this gateway.


This shows it not working with HTTP/2
curl --http2 -k https://new-sterling.mydomain.com
<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.

 

This shows it working with HTTP/1.1
curl --http1.1 -k https://new-sterling-mydomain.com
<html>
<body bgcolor=white>
<center>Hello World!</center>

 

UPDATE: This is working now, it was NOT an issue with HTTP/2 or R80.40.

0 Kudos
PhoneBoy
Admin

My understanding is that HTTPS Inspection is required for HTTP/2 support.

0 Kudos
Ilya_Yusupov
Employee

Hi @Daniel_Kavan,

I will take it offline with you.

 

Thanks,

Ilya 

0 Kudos
Daniel_Kavan
Advisor

Subject: R80.40 or R81

Does anyone know if Check Point is working on or has the capability to upgrade to a new major version of Check Point without getting a new AMI from AWS? For example, if I have a firewall with an R80.30 AMI up and running, can I update to R80.40 without needing to get a new AMI? Or is that capability not until R81? Could I upgrade from R80.30 to R81 with the current AMI or do I still need a new AMI?

0 Kudos
PhoneBoy
Admin

As far as I know, this isn't possible currently.
Will it be in the future? Don't know.
I do know prior to R80.40, the AMI versions weren't exactly maintrain as they were on the 3.10 kernel, which was not maintrain on gateways.
There are a few other differences as well.
That suggests it may be possible in the future, but there may be some technical reason why we can't do it.

Daniel_Kavan
Advisor

I can send Gaia OS syslogs (/var/log/messages) to SmartLog, but I can't search and sort on the message itself. IOW, the messages aren't indexed. Blade:Syslog shows the logs in R80.30. I can then see the messages if I open up each log. However, I can't search or sort the messages. It would be nice to combine all the like messages or even create a report on them. Is there any additional capability for syslog in R80.40 or in the plans for R81?

0 Kudos
PhoneBoy
Admin

The specific field used for syslog messages is not indexed.
That means you can't search or run reports on it. 
That hasn't changed in R80.40 and I don't believe that's changed in R81 either.

Understanding your precise use cases may be useful here, as we'd also probably have to parse the syslog messages more than we do currently (something that's not currently done, either).

0 Kudos
Daniel_Kavan
Advisor

Searching by kernel Alert.

Searching by warning

search by informational

grouping all like messages together.

searching messages on keyword

It would save admins time from logging on to each server /var/log/messages each day.

Running a daily report thru smartevent or sending alerts out in real time RE: system health

0 Kudos
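
The grouping and keyword-search use cases listed in the post above can be approximated outside SmartLog on files collected from each gateway. The following is an added example, not part of the thread and not a Check Point tool; the line layout, host names and messages in the sample are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the traditional "Mon DD HH:MM:SS host tag[pid]: msg"
# file layout; hosts, processes and messages are invented for illustration.
SAMPLE = """\
Mar  3 02:11:09 gw-a kernel: eth1: link down
Mar  3 02:11:12 gw-a kernel: eth1: link up
Mar  3 02:14:40 gw-b sshd[4121]: Failed password for admin from 192.0.2.10 port 50122 ssh2
Mar  3 02:14:44 gw-b sshd[4125]: Failed password for admin from 192.0.2.10 port 50130 ssh2
Mar  3 02:15:02 gw-a sshd[977]: Failed password for admin from 198.51.100.7 port 41002 ssh2
Mar  3 03:00:01 gw-a kernel: Out of memory: Kill process 2231 (httpd)
not a syslog line
"""

# Timestamp (with an optional year, which some systems write), host, tag, optional pid.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}(?:\s\d{4})?\s(?P<host>\S+)\s"
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUM_RE = re.compile(r"\b\d+\b")

def template(msg):
    """Mask the variable parts so that like messages collapse into one group."""
    return NUM_RE.sub("<n>", IP_RE.sub("<ip>", msg))

def digest(lines, keyword=None, tag=None):
    """Return [(count, tag, template, hosts)] sorted by count, most frequent first."""
    groups = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip continuation or malformed lines
        if tag and m["tag"] != tag:
            continue
        if keyword and keyword.lower() not in m["msg"].lower():
            continue
        entry = groups[(m["tag"], template(m["msg"]))]
        entry[0] += 1
        entry[1].add(m["host"])
    rows = [(n, t, tpl, sorted(hosts)) for (t, tpl), (n, hosts) in groups.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

if __name__ == "__main__":
    for count, tag, tpl, hosts in digest(SAMPLE.splitlines()):
        print(f"{count:4d}  {tag:8s} {','.join(hosts):12s} {tpl}")
```

Severity is not part of this file layout, so filtering here is by process tag and keyword only.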
