Hugo_vd_Kooij
Advisor

R80.20 M1, first impressions

Right, on the 27th of June we got R80.20 M1 (sk123473), which is intended for the brave of heart only.

I went in feet first and upgraded my SmartCenter from R80.10 to R80.20 M1. Or so I intended but I used the wrong CLI command so I got a brand new SmartCenter instead. Not a big thing. I just wrote a small policy so I could manage everything and keep my email flow going. Thanks to that wonderful article sk86521 I got things back.

But I ran into another issue directly after I did my first "install database" to my SmartCenter. I now get a 404 error where my GAIA pages used to be in my browser, and in the SmartConsole I also get a similar issue for every other tab I try to open at logging.

I opened a TAC case for this and I had my first remote session but we did not resolve the issue. But it seems we now have 2 HTTP daemons and the second one is running on port 4434. So something was changed in R80.20 but the dots are not yet connected. I hope we can resolve this but I have a gut feeling I managed to find another bug by doing things just slightly differently.

I will let you know how this works out.

But in the GUI I can build my policies as I want and do the basic stuff. But I may hold off on testing the Endpoint stuff until the issue with the web services has been resolved.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
20 Replies
Tomer_Sole
Mentor

I have a gut feeling I managed to find another bug by doing things just slightly differently.

Seems like it, because this version went out after extensive testing and a long running Production Early Availability program. We will follow up on your TAC cases. 

Hugo_vd_Kooij
Advisor

Tomer, I have a degree in "breaking things, by doing them slightly different" 😉

In this case I managed to type in "installer install" in clish where I should have used "installer upgrade".

But then I knew I had created an issue before by another typo where I blew away some GAIA files in R80.10 trying to fix the CSS issue.

So I might never have seen this if my R80.10 box was clean or I had used the ISO file to install completely from scratch.

A sure way to break things is to cut and paste directly from your browser.

If you first do it to a notepad you might find the odd set of "" being shown with different characters due to your language settings.

But then again, by breaking things and fixing them I get to know things pretty well. Much better than well-designed classroom exercises.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Brandon_Cholode
Participant

I've upgraded to R80.20.M1 and everything has been very smooth in the upgrade process including SmartEvent. Thanks Check Point!

Luca_Filippi1
Participant

Hugo,

I am not sure about it, but my guess is that it's normal that the Gaia WebUI has been moved from port 443 to port 4434, because R80.20.M1 should also contain the Endpoint management, and the Endpoints should be able to reach their management on port 443 to send logs and update their policies.

Perhaps you enabled also the endpoint blade during the installation?

Hugo_vd_Kooij
Advisor

Luca,

I can't reach the GAIA web interface on port 4434 either. That was where TAC actually decided this is slightly more complicated.

But after I disabled the Endpoint management I can get back in on port 443.

So it seems the port is changed by enabling Endpoint management but the new port is not working as it should as far as I can test now. I will do some additional testing.

Thanks, Hugo.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Hugo_vd_Kooij
Advisor

I found some reference to port 4434 in the R80.20 M1 Endpoint Security Admin Guide => Capsule Docs => Prerequisites for Capsule Docs => Prepari... manual but not where I was expecting things. And also not describing the actual behaviour I see.

When I enable the Endpoint management I get 404 errors on port 443. Even when I use the suggested /gaia path.

The error in SmartConsole still remains with Endpoint management switched off.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Oren_Shalgi
Employee Alumnus

Hi Hugo,

Gaia Web UI working on port 4434 when activating the Endpoint Management feature is the normal behavior, as port 443 is being used by another service for the Endpoint Security Clients communication.

You should be able to reach the Gaia portal by going to https://<management IP>:4434

If you still encounter an issue, I would be happy to get your Service Request number so I can follow up on your case.

Thanks,

Oren.

Hugo_vd_Kooij
Advisor

Oren,

At this moment my main concern is that it is not mentioned anywhere in the R80.20 Endpoint documentation.

So the documentation could be improved in this regard.

From a practical point of view, port 443 is much easier to use than port 4434. And no option is given to move that service to another port besides putting in the right clish commands. A feature request might be to put it in the GUI somewhere.

Regards, Hugo.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Sven_Glock
Advisor

After several Jumbo Hotfix installations in the last weeks I had the same experience...

I used "installer install" instead of "installer upgrade". This caused a nice clean fresh installation.

It was only a lab environment - so I don't care...

But in general Check Point should remind customers that this package will behave in a different way when using "installer install" than a normal HFA.

Albert_Wilkes
Collaborator

Found a snag with R80.20M1: loopback interfaces can't be deleted nor used (other than "lo") after upgrade from R80.10 to R80.20.

I've cloned my VM management and upgraded to R80.20, only to find out the hard way that I can't use the loop00 interface which was assigned my lab license.

Even more odd is that you can add loop00 and the like but not delete them through either clish or the WebUI, AND creating them does not have any effect in terms of ifconfig/ip address. They don't get "activated" in the OS, it seems.

As I needed an active interface for the license to kick into life I needed to remove the loop00. For this I adapted and followed How to delete entries from Gaia configuration database to get rid of the loopback interface like this ... 

grep 'loop0' /config/db/initial | cut -d \  -f 1 | xargs -n 1 dbset

Be aware that the article currently suggests to use a forward slash rather than a backslash followed by two spaces.

PS: As a side note, R80.20M1 doesn't have a menu for cloning groups anymore (see second option in "System Management" menu).

Hugo_vd_Kooij
Advisor

I think I found an odd issue with sessions. Each time you have to do something with your licenses it adds another session and there is no GUI way of getting rid of those.

It starts to look like:

Can someone verify they see the same behaviour?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Ran_Kopelman
Employee

Hi Hugo,

I'm a team leader at Check Point responsible for the 'sessions' feature.

This issue was fixed and will be a part of R80.20.M2.

Meanwhile, as a temporary workaround you can remove (discard) these sessions manually with the following API commands:

mgmt_cli show sessions details-level "full" --format json

Locate the uid for the application name raly-gui

mgmt_cli discard uid "<raly-gui's uid>"

Let me know if you have any issues.

thanks,

Ran

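Ran's workaround above, scripted as an added example that is not from the thread or from Check Point: it parses a constructed sample shaped like the JSON output of `mgmt_cli show sessions` (the `objects`, `uid`, `application`, `user-name` and `state` field names are an assumption), picks the raly-gui sessions while protecting the caller's own session, and prints the matching discard commands for review instead of running them.

```python
import json
import shlex

# Constructed sample standing in for the output of
#   mgmt_cli show sessions details-level "full" --format json
# Field names ("objects", "uid", "application", "user-name", "state") are an assumption.
SAMPLE_SESSIONS_JSON = """
{
  "objects": [
    {"uid": "11111111-aaaa-4bbb-8ccc-000000000001",
     "application": "SmartConsole", "user-name": "admin", "state": "open"},
    {"uid": "11111111-aaaa-4bbb-8ccc-000000000002",
     "application": "raly-gui", "user-name": "admin", "state": "open"},
    {"uid": "11111111-aaaa-4bbb-8ccc-000000000003",
     "application": "raly-gui", "user-name": "admin", "state": "open"}
  ],
  "total": 3
}
"""


def stale_session_uids(sessions_json, application="raly-gui", keep_uid=None):
    """Return the uids of sessions opened by `application`, skipping `keep_uid`
    (pass the uid of your own session so the script never discards the session it runs in)."""
    data = json.loads(sessions_json)
    return [
        s["uid"]
        for s in data.get("objects", [])
        if s.get("application") == application and s["uid"] != keep_uid
    ]


def discard_commands(uids):
    """Build one `mgmt_cli discard uid ...` command per session, quoted for a POSIX shell."""
    return ["mgmt_cli discard uid %s" % shlex.quote(uid) for uid in uids]


if __name__ == "__main__":
    # Dry run: print the commands so the list can be checked before anything is discarded.
    for cmd in discard_commands(stale_session_uids(SAMPLE_SESSIONS_JSON)):
        print(cmd)
```

On a real server the JSON comes from the `mgmt_cli show sessions` call after `mgmt_cli login`, which this offline sample replaces.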
Hugo_vd_Kooij
Advisor

I tried to group Countries together. My policy rule was:

But I found no way to group these together at the moment.

I tried the common way:

(Select them and use "Group Selected Objects" from the right mouse click menu)

But it gives me an error:

Not sure how I can group these lists myself in a useful manner.

Is there a smart way to do this without a list that spans multiple pages?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Shay_Sofer
Employee Alumnus

Hi,

Grouping updatable objects is not supported in this version and in 80.20 as well.

We'll support it in the future.

Shay.

Ryan_St__Germai
Advisor

How were you able to use Countries? I do not see this feature included in my 80.20-M1 install. Dynamic objects you set up?

Thx,

Ryan

Hugo_vd_Kooij
Advisor

It's a bit difficult to find them. There is an R80.20 M1 video and it shows you exactly how you can use it.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Tomer_Sole
Mentor

We will release more material for this once R80.20 (the version that has a gateway that can enforce this feature) gets out.

Jerry
Mentor

excellent topic guys, nice to see some of you have already played with R80.20.

On a side note, may I ask you all one thing: is it me, or is ESXi 6.5 still having issues with interfaces for a simple 2-NIC Gaia with R80.20? Noticed a topic here: https://www.cpug.org/forums/showthread.php/22381-80-10-problems-on-ESXi-6-5

but not sure it is relevant to my case. My ESXi 6.5 is playing the fool with me when I'm trying to set up a brand new ISO (no upgrade, just a fresh install of MGMT only).

Have you noticed any cluthes whilst spinning up a new VM on ESXi 5.5 or newer? Do let me know please, as unfortunately in my case the only way to "lab" R80.20 would be my brand new 6.5 build of VMware ESXi. I just cannot roll back to 6.0 or 5.5 ... too late :( hence my concerns if that underlying OS isn't too new for such a fresh R80.20M1.

Cheers and thx. in advance.

Jerry

Hugo_vd_Kooij
Advisor

I haven't tried a clean install from ISO. Mine was running R80.10 and I upgraded to R80.20 M1.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Hugo_vd_Kooij
Advisor

The most interesting feature might be the wildcard object.

Like in a large network where a silent drop on 10.0.0.255/0.255.255.0 will drop all local broadcasts with a single object for all of 10.0.0.0/224 to 10.255.255.0 networks.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
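The wildcard-object semantics Hugo describes above, as an added example that is not from the thread or from Check Point: it assumes the convention used in the post (wildcard bits set to 1 are "don't care", bits set to 0 must equal the base address), checks constructed destination addresses against the 10.0.0.255/0.255.255.0 silent-drop object, and goes a little beyond the post by also computing how many addresses an object covers and whether a plain network object could replace it.

```python
import ipaddress


def wildcard_match(ip, base, wildcard):
    """True when `ip` matches the wildcard object `base`/`wildcard`.
    Assumed convention (as in the post): wildcard bits set to 1 are ignored,
    bits set to 0 must be identical to the corresponding bits of `base`."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    fixed_bits = 0xFFFFFFFF & ~wc_i          # bits that must match exactly
    return (ip_i ^ base_i) & fixed_bits == 0


def wildcard_size(wildcard):
    """Number of addresses one wildcard object covers: 2 ** (count of don't-care bits)."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def equivalent_subnet(base, wildcard):
    """Return the CIDR network covering the same addresses if the don't-care bits are
    the contiguous low-order bits, else None (then no single network object can replace
    the wildcard object, which is exactly the broadcast case from the post)."""
    wc_i = int(ipaddress.IPv4Address(wildcard))
    n = wc_i.bit_length()
    if wc_i != (1 << n) - 1:
        return None
    return str(ipaddress.IPv4Network((base, 32 - n), strict=False))


if __name__ == "__main__":
    # Constructed destinations checked against the silent-drop object from the post.
    base, wildcard = "10.0.0.255", "0.255.255.0"
    for dst in ("10.5.7.255", "10.5.7.254", "10.255.255.255", "192.168.1.255"):
        action = "drop" if wildcard_match(dst, base, wildcard) else "pass"
        print(dst, action)
    print("addresses covered:", wildcard_size(wildcard))
    print("single-network equivalent:", equivalent_subnet(base, wildcard))
```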