biskit
Advisor

SmartEvent Upgrade Issue

Hi,

Last week I upgraded a SmartCenter from R77.30 to R80.20.  The pre-upgrade verifier returned a long list of errors first, which I overcame, and the upgrade worked perfectly.

Today I'm trying to upgrade the SmartEvent appliance for the same customer.  The pre-upgrade verifier is failing with exactly the same errors as the SmartCenter - word for word.

I'm puzzled because the errors mostly related to either old policy packages (which I deleted from the SmartCenter before that upgrade would work), or other typical rulebase things - DHCP services, etc.  Nothing that should apply to a SmartEvent server.

The SmartEvent server is defined only as a Log server and SmartEvent server.  Not Network Policy Management.


I've installed the Database to SmartEvent but still get the same errors.

Obviously as it's SmartEvent I can't log in with Read/Write from SmartDashboard to delete the old policy packages, etc.  They shouldn't be on there anyway, which is why I'm confused.

Any ideas how to overcome this lot so that I can perform the upgrade?  I need to keep the previous log files and config, and I'm presuming an upgrade will do this "nicely" rather than doing a fresh install and having to copy Gb's of log files back on, and set up all the policy etc. again?

I'll paste the PUV output below for reference.  It's quite long.

Thanks,

Matt

 

[Expert@SmartEvent:0]# cat /var/log/DA_puv_Check_Point_R80.20_T101_Fresh_Install_and_Upgrade_Security_Management.tgz.log


================================
Action items before upgrade:
================================

Errors found! To create a working environment, the errors must be corrected.
==============================================================================


Title: Unsupported NAT Rules
-----
* Description: NAT rulebase contains unsupported address fields

To resolve the issue, correct:
Policy AG-17May2005_1_1_1:
Rule 11 missing a destination address
Rule 11 missing a source address
Rule 5 missing a destination address
Rule 5 missing a source address
Rule 8 missing a destination address
Rule 8 missing a source address
Rule 9 missing a destination address
Rule 9 missing a source address
Policy DJ-05Oct2006-1_With_Sbox_tpl:
Rule 10 missing a source address
Rule 11 missing a destination address
Rule 14 missing a destination address
Rule 14 missing a source address
Rule 15 missing a destination address
Rule 15 missing a source address
Rule 17 missing a destination address
Rule 17 missing a source address
Rule 7 missing a destination address
Rule 7 missing a source address
Rule 8 missing a source address
Rule 9 missing a destination address
Policy DJ-05Oct2006-1_With_Sbox_tpl_1:
Rule 10 missing a source address
Rule 11 missing a destination address
Rule 14 missing a destination address
Rule 14 missing a source address
Rule 15 missing a destination address
Rule 15 missing a source address
Rule 17 missing a destination address
Rule 17 missing a source address
Rule 7 missing a destination address
Rule 7 missing a source address
Rule 8 missing a source address
Rule 9 missing a destination address
Policy DJ-09May2005_1_1:
Rule 6 missing a destination address
Rule 6 missing a source address
Rule 7 missing a destination address
Rule 7 missing a source address
Policy DJ-14April2005_1:
Rule 6 missing a destination address
Rule 6 missing a source address
Rule 7 missing a destination address
Rule 7 missing a source address
Policy DJ-27Aug2006:
Rule 10 missing a destination address
Rule 10 missing a source address
Rule 12 missing a destination address
Rule 12 missing a source address
Rule 6 missing a destination address
Rule 6 missing a source address
Rule 9 missing a destination address
Rule 9 missing a source address
Policy DJ-306Dec2003_1:
Rule 3 missing a destination address
Rule 3 missing a source address
Rule 4 missing a destination address
Rule 4 missing a source address
Policy MD-05April2005:
Rule 6 missing a destination address
Rule 6 missing a source address
Rule 7 missing a destination address
Rule 7 missing a source address
Policy MD-28Sept2006:
Rule 10 missing a destination address
Rule 10 missing a source address
Rule 12 missing a destination address
Rule 12 missing a source address
Rule 6 missing a destination address
Rule 6 missing a source address
Rule 9 missing a destination address
Rule 9 missing a source address
Policy MD_03Jan07_Simplified:
Rule 10 missing a source address
Rule 11 missing a destination address
Rule 14 missing a destination address
Rule 14 missing a source address
Rule 15 missing a destination address
Rule 15 missing a source address
Rule 17 missing a destination address
Rule 17 missing a source address
Rule 7 missing a destination address
Rule 7 missing a source address
Rule 8 missing a source address
Rule 9 missing a destination address
Policy MD_16Dec2003:
Rule 1 missing a destination address
Rule 1 missing a source address



Title: Objects with non-Unicode characters
-----
* Description: The database contains objects with non-Unicode characters. Remove the non-Unicode characters or follow the instructions in sk114739 before running the upgrade process.

These tables contain objects with non-Unicode characters:

users



Title: Firewall policies with Traditional VPN mode
-----
* Description: 

Traditional mode refers to legacy VPN policy, which was replaced by Simplified VPN (first introduced at 2002 in version NG FP3). Please change the below policies by using one of the methods:
1. Convert your Firewall policies: In SmartConsole, go to Policy > Convert To > Simplified VPN, and follow the wizard instructions.
2. In your Firewall policy, delete rules that contain the actions Encrypt or Client Encrypt.

If you have a specific case in which you have to use Traditional VPN mode, please contact Check Point support.


These are the Traditional VPN policies or rules that must be converted or deleted:
Policy Package 'AG-17May2005_1_1_1': rules numbers: 10, 11, 12, 13, 14, 15, 22, 23, 24, 25
Policy Package 'DJ-05Oct2006-1_With_Sbox_tpl': rules numbers: 1, 8, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 31, 32, 33, 34
Policy Package 'DJ-05Oct2006-1_With_Sbox_tpl_1': rules numbers: 1, 8, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 31, 32, 33, 34
Policy Package 'DJ-09May2005_1_1': rules numbers: 9, 10, 11, 12, 13, 14, 19, 20, 21, 22
Policy Package 'DJ-14April2005_1': rules numbers: 9, 10, 11, 12, 13, 14, 19, 20, 21, 22
Policy Package 'DJ-27Aug2006': rules numbers: 6, 13, 14, 15, 16, 17, 18, 25, 26, 27, 28
Policy Package 'DJ-306Dec2003_1': rules numbers: 10, 11, 27, 31, 32, 33, 34, 35, 36, 38
Policy Package 'MD-05April2005': rules numbers: 9, 10, 11, 12, 13, 14, 19, 20, 21, 22
Policy Package 'MD-28Sept2006': rules numbers: 7, 14, 15, 16, 17, 18, 19, 26, 27, 28, 29
Policy Package 'MD_03Jan07_Simplified': rules numbers: 9, 16, 17, 18, 19, 20, 21, 22, 29, 30, 31, 32
Policy Package 'MD_16Dec2003': rules numbers: 19, 20, 21



Warnings: It is recommended to resolve the following problems.
==============================================================


Title: Legacy DHCP Relay Services - Change in behavior in R80 and higher.
-----
* Description: Legacy DHCP Relay services were found in the security rule base. Action is required in order for DHCP Relay to function properly post-upgrade.

Two possible options to solve the problem:
1). Remove legacy DHCP Relay services and add new DHCP Relay services. See sk104114 for instructions. This is the recommended action if managing only R77.20 gateways and above.
2). Keep legacy DHCP Relay services and make changes to the Gateways and the Security Management Servers. See sk98839 for instructions. Do this if managing any gateways which are older than R77.20.

Legacy DHCP Relay service(s):
bootp, dhcp-relay, dhcp-rep-localmodule, dhcp-req-localmodule
 
Some of the legacy DHCP Relay service(s) are members of the following rulebase(s):
Policy ##AG-17May2005_1_1_1, rules: 49.
Policy ##DJ-05Oct2006-1_With_Sbox_tpl, rules: 60.
Policy ##DJ-05Oct2006-1_With_Sbox_tpl_1, rules: 60.
Policy ##DJ-09May2005_1_1, rules: 42.
Policy ##DJ-14April2005_1, rules: 42.
Policy ##DJ-27Aug2006, rules: 53.
Policy ##DJ-306Dec2003_1, rules: 57.
Policy ##GS-27March2014, rules: 5, 6, 259.
Policy ##MD-05April2005, rules: 42.
Policy ##MD-28Sept2006, rules: 54.
Policy ##MD_03Jan07_Simplified, rules: 58.
Policy ##MD_16Dec2003, rules: 33.

For more information, see sk104114 or sk98839.


Title: Legacy Default Profiles are not supported
-----
* Description: The Database has Legacy Default Profiles.

They will be deleted:
Endpoint_Full_Access,
Endpoint_Helpdesk,
Endpoint_ReadOnly,
Endpoint_RemoteHelpAndMediaRecovery,
RainWall_Permissions,
Read_Only_All,
SecureTrack_ReadOnly


Title: Threat Prevention permission profiles conflicts
-----
* Description: As part of IPS integration into Threat Prevention in R80, IPS permissions will be unified with Threat Prevention permissions.
To resolve permissions conflicts between IPS and Threat Prevention, during upgrade the more strict permission will be applied.

Conflicts were found in the following permission profiles :
Endpoint_Full_Access,
Endpoint_Helpdesk,
Read_Only_All,
SecureTrack_ReadOnly


==============================================================
Action items after upgrade, before first installation:
==============================================================


Warnings: It is recommended to resolve the following problems.
==============================================================


Title: OPSEC was modified in R80.
-----
* Description: The Database includes one or more OPSEC applications.

Please check your OPSEC vendor documentation for the following applications:

Tufin_SecureTrack_OPSEC



Information:
============


Title: LTE Services are not supported yet
-----
* Description: Database contains LTE services that are not yet supported in R80.20

These LTE services will be deleted during the upgrade to R80.20:

Unsupported LTE services are:
gtp_v2_default
gtp_mm_v2_default
gtp_additional_v2_default

 

0 Kudos
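An added example (not part of the original post, and not Check Point tooling): a small shell/awk helper that reads a pre-upgrade verifier log in the format shown above and separates the policy packages named by error-level checks from those that appear only under warnings. The function names `puv_policies`, `puv_blocking` and `puv_nonblocking` are hypothetical, the sample log is a constructed, shortened excerpt, and the parser assumes package names contain no `:` or `,`.

```shell
#!/bin/sh
# puv_policies LOGFILE -> "<severity><TAB><package><TAB><check title>" per finding
puv_policies() {
    awk -v q="'" '
        /^Errors found/ { sev = "error";   next }
        /^Warnings:/    { sev = "warning"; next }
        /^Information:/ { sev = "info";    next }
        /^Title: /      { title = substr($0, 8); next }
        /^Policy /      {
            name = $0
            sub(/^Policy (Package )?/, "", name)  # keyword used by NAT and VPN checks
            sub(/^##/, "", name)                  # DHCP check prefixes names with ##
            gsub(q, "", name)                     # VPN check quotes the name
            sub(/[:,].*$/, "", name)              # assumes no ":" or "," in names
            key = sev "\t" name "\t" title
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    ' "$1"
}

# Packages named by at least one error-level check: these block the upgrade.
puv_blocking() {
    puv_policies "$1" | awk -F '\t' '$1 == "error" { print $2 }' | LC_ALL=C sort -u
}

# Packages that only ever appear under warnings or information.
puv_nonblocking() {
    puv_policies "$1" | awk -F '\t' '
        { all[$2] = 1 }
        $1 == "error" { err[$2] = 1 }
        END { for (p in all) if (!(p in err)) print p }
    ' | LC_ALL=C sort
}

# Constructed, shortened excerpt in the format of the log in the post above.
PUV_SAMPLE=$(mktemp)
cat > "$PUV_SAMPLE" <<'EOF'
Errors found! To create a working environment, the errors must be corrected.
Title: Unsupported NAT Rules
Policy MD_16Dec2003:
Title: Firewall policies with Traditional VPN mode
Policy Package 'AG-17May2005_1_1_1': rules numbers: 10, 11
Warnings: It is recommended to resolve the following problems.
Title: Legacy DHCP Relay Services - Change in behavior in R80 and higher.
Policy ##MD_16Dec2003, rules: 33.
Policy ##GS-27March2014, rules: 5, 6, 259.
EOF
printf 'Blocking:\n%s\nWarning-only:\n%s\n' "$(puv_blocking "$PUV_SAMPLE")" "$(puv_nonblocking "$PUV_SAMPLE")"
```

Pointing the functions at the real log path instead of `$PUV_SAMPLE` gives a list that can be compared against the packages still present on the management server.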
3 Replies
Maarten_Sjouw
Champion

Did you install database to the log server when you had resolved the errors?
Regards, Maarten
0 Kudos
biskit
Advisor

Hi Maarten,

Yes - database installed to Event, but it made no difference.

I opened an SR and two TAC engineers are stumped.  If I open SmartDashboard on the Event server, obviously it has limited tabs as it's not full NPM, but if you go File > Open it lists all of the old policies (the ones I deleted from the Mgmt server).

File > Delete is greyed out, as you can only log in to Dashboard on Event in Read Only.

TAC kept trying to log in Read/Write, which of course you can't.  They've told me to do a clean install.  That's all very well but now I need to manually write down all the policy settings and manually recreate them again in R80.20.  I suspect I've got the TAC trainee division on my case 😞

Matt

 

 

0 Kudos
G_W_Albrecht
Legend

In sk110267: R80.20 Upgrade Verification and Environment Simulation service we read:

Dedicated SmartEvent is not supported (refer to sk115056)

Also, sk110173: How to migrate the events database from SmartEvent server R7x to SmartEvent R80 and above se... might be useful.

I would assume that you need to do an Advanced Upgrade, no CPUSE upgrade....

CCSE CCTE CCSM SMB Specialist
0 Kudos
