This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oliver_Marzok
Explorer
‎2019-03-06 01:06 AM

Access to Gaia Portal (WebUI) after R80.20 upgrade

Hello,


after upgrading the gateway cluster, consisting of two SG5400HPP, from R80.10 with Jumbo Hotfix Take 154 to R80.20 (with jumbo hotfix take 33) we couldn't reach the GAiA Portal (Admin WebGUI) anymore. We got a certificate error like before, because of a private certificate (from the ICA), but the certificate error now said that it's for a different system. Afterwards, we renewed the certificate by the ICA (gateway cluster object properties --> IPSec VPN) and even added additional informationen like other IPs an the DNS name, but this didn't solved the problem. We could only reach the GAiA Portal via the external IP, but because it's not facing towards the internal side, the standby member isn't reachable. The cluster members still weren't reachbable from the mgmt interface by the admin server (same network as mgmt interface --> mgmt network). Only access via SSH was possible.
We had to fallback via snapshot to R80.10 and afterwards the GAiA Portal was reachable immediately from the mgmt network again.

Are there any differences in the configuration (needed) in R80.20 comparing to R80.10 to solve this issue?

Best regards

0 Kudos
7 Replies
Jerry
Mentor
Mentor
‎2019-03-06 01:20 AM

tellpm process:httpd2
tellpm process:httpd2 t

works now?

Jerry
0 Kudos
Oliver_Marzok
Explorer
‎2019-03-06 01:24 AM
In response to Jerry

Hello Jerry,

yes, the processes were running. The portal was accessible from the external site like described.
It's seems there're differences in the configuration and dependencies of the certificate in R80.20.

0 Kudos
Jerry
Mentor
Mentor
‎2019-03-06 02:03 AM
In response to Oliver_Marzok

httpd2 is equally the same on R80.20 afaik. guys, can you please confirm that?

when you set the WebUI what ports have you specified for it?

Jerry
0 Kudos
Oliver_Marzok
Explorer
‎2019-03-06 02:18 AM
In response to Jerry

The service is the same, yes.

We didn't changed the Port. It's still the default one 443, only added a path (.../admin).

On R80.10 it's working, and worked immediatly after the fallback to R80.10, but on R80.20 (even after certifcate renewal) it's not working.

0 Kudos
Jerry
Mentor
Mentor
‎2019-03-06 03:07 AM
In response to Oliver_Marzok

ok.now I gotcha. change the port from 443 to 4434 and restart the daemon:

tellpm process:httpd2
tellpm process:httpd2 t

make sure that there are no more sockets on tcp/443 running on the same GW.

I had this before and by customizing port it has solved itself plus, bear in mind that tcp/443 is shared on GAIA and for WebUI should be rather NOT USED (my own experience sorry).

is the MAB running there too? if yes - you've got all the answers, if not - please change port to any custom one but 443 and restart httpd2. Cert is another story, easy to re-deploy Smiley Happy 

Jerry
Oliver_Marzok
Explorer
‎2019-03-06 05:40 AM
In response to Jerry

Thank you very much, Jerry. That's sounds realy good.

MAB isn't running, but I think that on R80.20 based on new features, there're more shared services with tcp/443. That would explain why on R80.10 everything is fine and on R80.20 we have issues.

I will first try this at other customers in a few weeks and come back to this one when R80.20 works fine on the others.

0 Kudos
Jerry
Mentor
Mentor
‎2019-03-06 07:24 AM
In response to Oliver_Marzok

great stuff. let us know please.

best

J.

Jerry
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events