smarconsole changes (former workflow)

Luis_Miguel_Mig

We all know how helpful "smartconsole changes (former workflow)" is when you make changes. It gives confidence and totally awareness of what configuration changes you make in the firewalls when you install a policy.

I am facing an issue at the moment with this feature.
When I add a new cluster interface in smarconsole and I run the "changes" functionality, smartconsole shows me not only the new interface addition but also it shows me other interfaces (active clusterxl interfaces in production ) to delete.

So it is quite disturbing, because this functionality is supposed to give you confidence in your change management process however it shows you changes that have nothing to do with the real changes that you have just done.

We have tested it in the lab and push these configuration changes and apparently smartconsole doesn't remove these interfaces in the gateways, but it is still quite configusing.

I would like to know if someone has seen something similar and/or someone knows how to troubleshoot it and find the root cause of this misleading behaviour.

the_rock

I never had such a thing happen to me, either in R81.20 or R82. Can you send an example, ie screenshot? Just blur out any sensitive data.

Andy

PhoneBoy

It's consistent with the fact modifying gateway interfaces with the API requires you to add ALL interfaces to the gateway object if you make ANY interface changes.
SmartConsole does the same thing under the covers, which is why it shows in the Change Report the way it does.

On the plus side, R82 has APIs to manipulate individual interfaces associated with gateway objects.
When I tried to add an interface to an existing gateway on my system (and I also did a "Get Interfaces" without Topology), it did mention other interfaces were "edited" but only showed details about the one interface that WAS added.
It did note the other interfaces were "edited" with no details.

In short: this should be fixed in R82 for regular gateway objects only.
I suspect other types of gateways in R82 (Legacy VSX, SMB Gateways, ClusterXL gateways) will still have the same behavior that you asked about here, which appears to be expected behavior.

Luis_Miguel_Mig

pdf attached.

As you can see I add interface bond2.455 but it shows that interface bond3.3809 and bond3.2201 will be deleted for no reason.
Bond3.3809 and bond3.2201 are fully operational interfaces and therefore it is quite scary.

the_rock

Hey Luis,

Its barelvy visible what you attached, do you have regular screenshot?

Andy

Luis_Miguel_Mig

Have you zoomed in? You can see it very well, no?

the_rock

Cant see it...

Andy

Luis_Miguel_Mig

I have attached screenshots in the next post

PhoneBoy

I completely understand why this looks scary 🙂
Having said that, it's (very likely) expected in this case.

Luis_Miguel_Mig

Attached screenshots.
But it is a bit different to what you describe, isn't it?
It is the first time I have noticed it and I think it doesn't happen with other clusters.
I will test it and check the behaviour in a different environment/cluster.

the_rock

I would verify what could be different with other clusters.

Andy

PhoneBoy

Even if the behavior is somewhat different, the underlying cause is likely the same (namely how the backend handles updating interfaces in an existing gateway object).
You're in TAC case territory in any case.

Luis_Miguel_Mig

Interface edited is one thing but interface about to be deleted is more concerning 😉
I was hoping that a R&D engineer/manager could read this post.
TAC was happy to reproduce the case and see that interface wasn't removed. But to me it is quite disturbing to see random live interfaces about to be deleted every time I create a new one. I think Checkpoint should try to find root cause.

PhoneBoy

Ask the TAC to open a CFG task to have this issue investigated.

Are you a member of CheckMates?

smarconsole changes (former workflow)