Jerry
Mentor

Take 65 or Take 70 - Impossible to install on 5800 appliance R81.20

hi chaps, quick one as always from me. here is the scenario:

1. customer is having still under support R81.20 SG5800 running R81.20 take 631

2. Check_Point_R81_20_JUMBO_HF_MAIN_Bundle_T65_FULL.tgz

- this take cannot be installed as it is called by the installer (CPUSE) that this appliance is incompatible with that take - any clues what a heck? I've tried my lab 5800 - same stuff - no way to install this take due to some storage shortage?

# pvs
PV VG Fmt Attr PSize PFree
/dev/sda3 vg_splat lvm2 a-- 449.97g 236.97g


3. Check_Point_R81_20_JUMBO_HF_MAIN_Bundle_T70_FULL.tgz

- this take is downloaded and verified as fine then installation takes 15 mins and then - nothing, back to sq. 1

- impossible to install as well as the previous one, any clues chaps?

 

*** will provide any output you wish, just let me know your thoughts should you have any (or experienced the same lately).

Cheers!

ps. additional info's reg. validation processes:

 

R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 65
Package is available for installation (1 warnings)
● It was found that a hotfix (HF) preventing internal users from connecting to the Remote-Access VPN has been installed. Note that the behavior of the new Jumbo HF has changed: Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or earlier, and not updated after R80.30 will be blocked until they reset their password.

 

R81.20 Jumbo Hotfix Accumulator Take 70
Package is available for installation (1 warnings)
● It was found that a hotfix (HF) preventing internal users from connecting to the Remote-Access VPN has been installed. Note that the behavior of the new Jumbo HF has changed: Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or earlier, and not updated after R80.30 will be blocked until they reset their password.

 

Jerry
0 Kudos
31 Replies
MatanYanay
Employee

Hi @Jerry 

Please note that R81.20 Jumbo above and including Take 65 can be installed only on top of R81.20 Take 634 ( due to the VPN CVE issue )

Thanks 

Matan.

 

0 Kudos
Jerry
Mentor

Thanks Matan, so if that product is running R81.20 take 631, how do we get onto the "634" if any take currently available for that setup cannot be installed? any hints? any custom hotfix in order to get "634"?

Jerry
0 Kudos
Alex-
Leader

You will certainly need to format the system.

From https://support.checkpoint.com/results/sk/sk173903:

If you use Bootable USB device, see instructions:

Effective June 3, 2024, the R81.20 Gaia images have been replaced with Take 634.
By installing the new image, you automatically install Preventative Hotfix for CVE-2024-24919 (see sk182336).

Edit: You could maybe download the Blink and upgrade in place with the same version to change the baseline.

0 Kudos
Jerry
Mentor

so that means folks that the "634" is only for "brand new installations" therefore Take 65 and 70 are also only for BRAND NEW installations utilizing "634". So as long as the appliance runs R81.20 take 631 there would be NO WAY to install either Take 65 or 70 - am I thinking that right?

Jerry
0 Kudos
MatanYanay
Employee

@Jerry  you are correct and it applies to any future jumbo we will release...

0 Kudos
Jerry
Mentor

ok. cheers

 

so does it mean that any appliance or VM gaia R81.20 running 631 already, won't be able to bump up to the 634 without a full reinstall of the entire device from USB image? am I correct though?

Jerry
0 Kudos
Alex-
Leader

It seems to. Although I checked one of my appliances still in R81.10 and the Blink with Take 65 refers to the 631 baseline.

 

Display name: R81.20 Security Gateway + JHF T65 for Appliances and Open Servers
File name: Blink_image_1.1_Check_Point_R81.20_T631_JHF_T65_SecurityGateway.tgz
Description: Blink Image for R81.20 Take 631 including Take 65 of R81.20 Jumbo Hotfix Accumulator - Security Gateway only
Size: 7.949 GB
Type: Blink Version
Status: Downloaded

0 Kudos
Jerry
Mentor

yup, have had the same but that is the case with R81.10 already running.

I do have another vsx on 15000 series which runs just now take 70 on

Deployment Agent build: 2432  |  R81.20 take 631

and all works fab!

 

so seems this is something what CP did not explain well on the latest CPX 😄 

Jerry
0 Kudos
MatanYanay
Employee

@Jerry  and all 

I'm deeply sorry I was confused with the scenario 😞 

The scenario which I referred to was if you have R81.20 take 634 you can't install any jumbo below take 65 in order not to lose the CVE-2024-24919

The Jumbos can be installed on top R81.20 take 631 

please open TAC case on it so they will investigate your issue 

Thanks 

and sorry again about the confusion  

Jerry
Mentor

Thanks a lot for the clarification, indeed it is all about installing TAKES on the top of the R81.20 631 running already Take 54. No other (higher) takes can be installed hence my post. 

I would have opened the SR with the TAC if I could believe it can be sorted out otherwise R&D will keep that case as the least important and in about 1 month one email will end up in my inbox asking for the Remote Session. I was there, I'm with CP since 1999 and believe I just don't think this can be sorted as quickly as my customer expect. Nevertheless I'd like someone to look at this so I'm happy to provide cpinfo if needed and do the remote session if required.

 

ps. that CP5800 is a standalone installation (meaning that FWM is also running on it) but runs perfectly fine. Just no new takes can be installed hence I don't believe anyone would have assume it is critical, indeed it isn't but would be great to know why and if those new TAKES could be installed normally (tried cpuse webUI, cpuse clish, bash tgz - same result or rather no result).

 

Cheers

Jerry
0 Kudos
Max_Frankl
Employee

Hi Jerry,

Using DA 2432
The Flow is 5800 as a Stand Alone with 81.20 take 631 -> upgrade to JHF T65/70? No JHF or hotfix already installed on the machine?

The warnings you added in your original post, only appear if someone has the original hotfix for the VPN CVE installed on their machine. The warning appears because the initial fix  was changed in the jumbo so the DDR gives the user a heads-up saying this behavior is now changed.

@Below 

R81.20 Jumbo Hotfix Accumulator Recommended Jumbo Take 65
Package is available for installation (1 warnings)
● It was found that a hotfix (HF) preventing internal users from connecting to the Remote-Access VPN has been installed. Note that the behavior of the new Jumbo HF has changed: Remote Access VPN for local accounts authenticated only with Check Point password created in R80.20 or earlier, and not updated after R80.30 will be blocked until they reset their password.

0 Kudos
Jerry
Mentor

R81.20 631 running already Take 54 and DA 2432.

Jerry
0 Kudos
Max_Frankl
Employee

Please send here cpinfo -y all

Also please share what you see in this file
/opt/CPInstLog/CRs_conflict_summary.txt

Jerry
Mentor

This is Check Point CPinfo Build 914000239 for GAIA
[MGMT]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[IDA]
No hotfixes..
[CPFC]
No hotfixes..
[FW1]
HOTFIX_R81_20_JHF_T53_BLOCK_PORTAL_MAIN Take: 2
HOTFIX_R81_20_JHF_T53_BLOCK_INT_MAIN
HOTFIX_GOT_MGMT_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
HOTFIX_VCE_R81_20_AUTOUPDATE
HOTFIX_NGM_DOCTOR_AUTOUPDATE
HOTFIX_WEBCONSOLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE

FW1 build number:
This is Check Point Security Management Server R81.20 - Build 011
This is Check Point's software version R81.20 - Build 025
kernel: R81.20 - Build 033
[SecurePlatform]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
HOTFIX_ENDER_V17_AUTOUPDATE
[CPinfo]
No hotfixes..
[PPACK]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[AutoUpdater]
HOTFIX_INFRA_CONFIG_AUTOUPDATE
[DIAG]
No hotfixes..
[CVPN]
HOTFIX_ESOD_CSHELL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[SmartLog]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[Reporting Module]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[CPuepm]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[VSEC]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[CPDepCon]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[CPRepMan]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[R7540CMP]
No hotfixes..
[R76CMP]
No hotfixes..
[SFWR77CMP]
HOTFIX_R81_20_JHF_COMP Take: 54
[SFWR80CMP]
HOTFIX_R81_20_JHF_COMP Take: 54
[SFWR81CMP]
HOTFIX_R81_20_JHF_COMP Take: 54
[R77CMP]
No hotfixes..
[R8040CMP]
HOTFIX_R81_20_JHF_COMP Take: 54
[MGMTAPI]
No hotfixes..
[CPUpdates]
BUNDLE_R81_20_JHF_T53_BLOCK_PORTAL_MAIN Take: 2
BUNDLE_INFRA_CONFIG_AUTOUPDATE Take: 3
BUNDLE_CPOTLPAGENT_AUTOUPDATE Take: 26
BUNDLE_GENERAL_AUTOUPDATE Take: 21
BUNDLE_QUID_AUTOUPDATE Take: 14
BUNDLE_ESOD_CSHELL_AUTOUPDATE Take: 20
BUNDLE_R81_20_JUMBO_HF_MAIN Take: 54
BUNDLE_GOT_MGMT_AUTOUPDATE Take: 129
BUNDLE_CORE_FILE_UPLOADER_AUTOUPDATE Take: 21
BUNDLE_VCE_R81_20_AUTOUPDATE Take: 15
BUNDLE_ENDER_V17_AUTOUPDATE Take: 26
BUNDLE_MINMUS_AUTOUPDATE Take: 23
BUNDLE_KERBIN_AUTOUPDATE Take: 47
BUNDLE_TUNNEL_AUTOUPDATE Take: 117
BUNDLE_DANA_AUTOUPDATE Take: 170
BUNDLE_CPSDC_AUTOUPDATE Take: 34
BUNDLE_HCP_AUTOUPDATE Take: 73
BUNDLE_CPVIEWEXPORTER_AUTOUPDATE Take: 34
BUNDLE_CPOTELCOL_AUTOUPDATE Take: 97
BUNDLE_NGM_DOCTOR_AUTOUPDATE Take: 23
BUNDLE_WEBCONSOLE_AUTOUPDATE Take: 114
BUNDLE_GOT_TPCONF_MGMT_AUTOUPDATE Take: 39
BUNDLE_DC_CONTENT_AUTOUPDATE Take: 20
BUNDLE_DC_INFRA_AUTOUPDATE Take: 30
BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 21
BUNDLE_INFRA_AUTOUPDATE Take: 67
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 27
BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 128
[itp_wrapper]
HOTFIX_GOT_MGMT_AUTOUPDATE
[CPotelcol]
HOTFIX_OTLP_GA
[CPviewExporter]
HOTFIX_OTLP_GA
[core_uploader]
HOTFIX_CHARON_HF
[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE
[cpsdc_wrapper]
HOTFIX_CPSDC_AUTOUPDATE
[sho_wrapper]
HOTFIX_DANA_AUTOUPDATE
[infinity_onprem_wrapper]
HOTFIX_TUNNEL_AUTOUPDATE
[diff_report_wrapper]
HOTFIX_KERBIN_AUTOUPDATE
HOTFIX_MINMUS_AUTOUPDATE
[CPDepInst]
No hotfixes..
[CPquid]
HOTFIX_QUID_AUTOUPDATE
[CPotlpAgent]
HOTFIX_OTLP_GA

 

***

# cat /opt/CPInstLog/CRs_conflict_summary.txt
cat: /opt/CPInstLog/CRs_conflict_summary.txt: No such file or directory

 

 

Jerry
0 Kudos
Max_Frankl
Employee

Hi you have Take 54 JHF  without a hotfix installed on top of take 53 JHF  with the hotfix for VPN

Please try to uninstall take 54 JHF and then try to install JHF Take 65/70

0 Kudos
Jerry
Mentor

Thanks Max, are you sure it is safe to uninstall 54 then reboot and install 65 then 70 ? I would be left on that box with Take 53 I presume. Please confirm and I'll proceed as recommended. 

Jerry
0 Kudos
Jerry
Mentor

Uninstall_Last_Take Failed
There are hotfixes installed on top of R81.20 Jumbo Hotfix Accumulator Take 54.
Uninstall the hotfix(es) HOTFIX_R81_20_JHF_T53_BLOCK_INT_MAIN, HOTFIX_R81_20_JHF_T53_BLOCK_PORTAL_MAIN and try again.

Jerry
0 Kudos
Max_Frankl
Employee

The issue here is that you have installed hotfixes which are meant for take 53 on top of take 54 and this is why you are running into issues.

Please try to uninstall the hotfixes and then move to take 65/70 (these jumbos include the VPN fixes inside of them)

0 Kudos
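
The mismatch diagnosed in the reply above can be checked mechanically. This is an added example, not part of the thread and not Check Point tooling: it reads `cpinfo -y all` text and lists hotfixes whose name carries a `_JHF_T<N>_` tag different from the Jumbo take installed in the same section. Treating that tag as the take the hotfix was built for is an assumption drawn from the names in this thread; the function name and output format are made up for the example.

```shell
#!/bin/bash
# Added example. Input: `cpinfo -y all` output on stdin.
# Output: one line per hotfix whose _JHF_T<N>_ tag (assumed to be the take it
# was built for) differs from the JUMBO_HF_MAIN take in the same [section].
find_take_mismatch() {
  awk '
    # Emit mismatches for the section just finished, then reset its state.
    function report(   i) {
      for (i = 1; i <= n; i++)
        if (jumbo != "" && built[i] != jumbo)
          printf "%s %s built_for=T%s installed=T%s\n", section, name[i], built[i], jumbo
      n = 0; jumbo = ""
    }
    /^\[.*\]/ { report(); section = $0; next }
    # Installed Jumbo take for this section, e.g. "... JUMBO_HF_MAIN Take: 54"
    $1 ~ /_JUMBO_HF_MAIN$/ && $2 == "Take:" { jumbo = $3; next }
    # Hotfix tied to a specific take; it may be listed before the Jumbo line,
    # so buffer it until the section ends.
    match($1, /_JHF_T[0-9]+_/) {
      n++; name[n] = $1
      built[n] = substr($1, RSTART + 6, RLENGTH - 7)
    }
    END { report() }
  '
}

# Sample input: a few sections trimmed from the cpinfo output posted earlier
# in this thread.
SAMPLE_CPINFO='[MGMT]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[FW1]
HOTFIX_R81_20_JHF_T53_BLOCK_PORTAL_MAIN Take: 2
HOTFIX_R81_20_JHF_T53_BLOCK_INT_MAIN
HOTFIX_GOT_MGMT_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 54
[SFWR77CMP]
HOTFIX_R81_20_JHF_COMP Take: 54'

printf '%s\n' "$SAMPLE_CPINFO" | find_take_mismatch
```

On a gateway the same function can be fed directly with `cpinfo -y all 2>&1 | find_take_mismatch`; an empty result means no take-tagged hotfix disagrees with the Jumbo take in its section.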
the_rock
Legend

I was just about to say the same thing, makes total logical sense to me.

Andy

0 Kudos
Jerry
Mentor

and then this:

 

Uninstall_Last_Take of package Check_Point_R81_20_JHF_T53_BLOCK_PORTAL_MAIN_Bundle_T2_FULL.tgz Failed

Backup file not found.

Contact Check Point Technical Services for further assistance.

Jerry
0 Kudos
Max_Frankl
Employee

Since your system has hotfixes which were based on T53 and you had JHF 54 there are some issues. In general this should not have worked from the get go -I'll look into that.

Regardless since now you are unable to uninstall the hotfixes which would solve the issue, let's schedule a remote session on Sunday please.

maxfr@checkpoint.com 

Please reach out and we will schedule to help remove the hotfixes from your env and let you upgrade to take 65/70

Jerry
Mentor

email sent Max. thanks a bunch for your help here!

 

Cheers

Jerry
0 Kudos
the_rock
Legend

Hey m8,

If you need me to build brand new VM with exact version you require of R81.20 jumbo, please let me know or hit me up on teams, HAPPY to do it and send you any files needed. Man, eve-ng is GOLD, takes literally 10 mins to do this, 5 for Fortinet, I think took less than 3 mins for Palo Alto haha

Best,

Andy

Jerry
Mentor

Cheers mate I really appreciate that but hold on, I'm going on the session with Max this sunday and we'll see how it goes. I guess we do need to do some housekeeping with that box and uninstall/install JHF/s as they've been installed apparently in a wrong order. So all in all I will let you know next week but so far - many many thanks as always. you guys all ROCK! 🙂

 

Cheerio!

Jerry
(1)
the_rock
Legend

That's what SHE said m8 😉

Just kidding, no one ever said that 😂😂

Hope all goes well! Btw, truth be told, every time I did remote with anyone from Israel office, issue got fixed right then and there, so I have no doubt you are in good hands.

And finally, thank you for NOT being stroppy with me...;)

Just teasing you, always pleasure to help my friend.

Andy

0 Kudos
the_rock
Legend

Never knew of that file, that's super helpful @Max_Frankl ...thank you!

Andy

R81.20 lab:

[Expert@CP-GW:0]# more /opt/CPInstLog/CRs_conflict_summary.txt
Package: R81.20 Take 53 Hotfix for CVE-2024-24919
conflicts with the following hotfixes:

R81.20 Jumbo Hotfix Accumulator Take 70

For more information - see log files:
/opt/CPInstLog/CRSValidator_fw1_wrapper_R81_20_JHF_T53_BLOCK_PORTAL_MAIN.log
[Expert@CP-GW:0]

0 Kudos
Max_Frankl
Employee

I'm looking into this thank you

0 Kudos
the_rock
Legend

Broooooo, nice to see you here again 🙂

Glad you had not been STROPPY with me lately 😉

Anywho, sorry, did not read the whole thing, but did you try installer install from clish?

Andy

0 Kudos
Jerry
Mentor

hey maaaatey yes I did, still the same 🙂  read above pls.

Jerry
0 Kudos
