This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Martin_Hofbauer
Contributor
Contributor
‎2020-08-26 06:34 AM

Disaster after Management Server Upgrade from R80.20 to R80.40

After an successful(…) upgrade of an R80.20 Managment Server to R80.40 with CPUSE we installed policy to the main gateway/cluster. After that we had a major outage for many  server communications.

 

What happened:

The Checkpoint upgrade process (re)created an object named “CP_default_Office_Mode_addresses_pool” with IP range 172.16.10.0/24  and “Automatic HIDE NAT” turned on.

( this object was deleted (long time) ago because it was not needed (no VPN) and in conflict with the “server” network)

The result:

Because this new/(“Default”) network object  included IPs from the "server" network  important communication from these servers where  stuck because of turned on "Automatic hide NAT" ( there was no NAT before )

These broke a lot of important services immediately.

 

I know, this is not a new behavior  – I know from experiences in the past for deleted “Default” objects/rulebases.  I also found similar  references (e.g. R75.30 - see end of page )

https://www.security-portal.cz/clanky/how-fix-problems-after-upgrade-check-point-multi-domain-manage...


I do not understand, why CheckPoint is (re)creating this network object – including Automatic NAT - during an Upgrade?
At least I expect  a warning or notice ( e.g. "pre_upgrade_verifiyer" …) !

With a decission to create this object R&D forces the customer to  have big outages !

CheckPoint – please explain, why you need to create this object ?

 

Thanks

Martin

2 Replies
Eran_Habad
Employee
Employee
‎2020-08-26 07:55 AM

Hi @Martin_Hofbauer, my name is Eran and I'm a Group Manager in R&D, my team is responsible for the Management upgrade process. I'm sorry for your bad experience and for the business impact you had, and I'm taking it very seriously. I will sync with my team and with my colleagues in R&D to understand better what was the expected outcome and what went wrong. If you already opened a ticket to TAC please share it with me (privately). I will update you offline when we conclude the discussion, and afterwards I will share more info on this thread with everyone.

0 Kudos
Itai_Minuhin
Employee
Employee
‎2020-11-22 05:51 AM
In response to Eran_Habad

Hi,

I would like to update that a fix to this issue has been released.

The fix included in the following upgrade tools packages (or newer) :

R80.40 upgrade tools package 994000325

R81 upgrade tools package 995000409 

Please follow sk135172 to download the upgrade tools package.

 

Thanks, 

Itai

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events