Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

R81.20 Jumbo Hotfix Accumulator take #26 has been released today

gadt
Employee
Employee
0 38 5,576

gadt_0-1692023302233.jpeg

 

Hi All

 

R81.20 Jumbo Hotfix Accumulator take #26 has been released today, and is available for download.

 

Please note the following:

  •        Availability:

o   Available to download the via Jumbo documentation R81.20 

o   Available for download via CPUSE by using package identifier.

o   Can be provided by customer support

 

Content included in this take:

 

  • List of resolved issues in this take can be found in the Jumbo documentation R81.20 

 

New: Starting from R80.40, Central Deployment allows you to perform a batch deployment of Hotfixes on your Security Gateways and clusters from SmartConsole!!

For more information, see sk168597.

 

Thanks,

Release Operations Group

38 Comments
Scottc98
Advisor

FYI....you have have some duplicates under "List of All Resolved Issues and New Features"

 

PRJ-44719,

PRHF-22566

SecureXL

UPDATE: Added a new kernel parameter allowing to control the size of fragments table in SecureXL. To use it, set the kernel parameter "sim_frag_limit_override" with the new value and install policy. This can prevent fragment drops when having multiple instances in the Firewall.

PRJ-43926,
PRHF-27357

CloudGuard Network

UPDATE: Added support for sending Data Center updates from the CloudGuard Controller to the main IP address of Active member on the Management Plane instead of the cluster VIP address on the Data Plane. Refer to the "updateClusterMemberAndNotVip" section in CloudGuard Controller R81.10 Administration Guide > Configuration Parameters. This change prevents scenarios when CloudGuard Controller fails to connect to Cluster with MDPS enabled (sk180981).

the_rock
Legend
Legend

Installed it already, so far, so good! Btw, love new update page tab in web ui 🙂

gadt
Employee
Employee

Hi the_rock

Thank you for your feedback!

The issue has been fixed.

Gadi 

the_rock
Legend
Legend

Thanks @gadt 

Duane_Toler
Advisor

Anyone else have an error installing HFA 26 with their CloudGuard license controller on the management server dropping the VE licenses from the pool?  I updated 2 customers SmartCenters today and both of their CloudGuard license pools were deleted!  I manually re-added the licenses and re-ran distribution, and they're back online now.

This didn't happen on previous HFA updates.

the_rock
Legend
Legend

Seems way to many problems with this take, considering known BGP issue mentioned in another post, I would stay away, for now, at least.

Andy

MatanYanay
Employee
Employee

Hi @the_rock and all 

We found the RC for the BGP issue 

it will be fixed as part of the next jumbo we plan to release by early October 

Thanks 

Matan.

the_rock
Legend
Legend

Good news @MatanYanay 👍

Duane_Toler
Advisor

Likewise, TAC has been alerted to the vsec_lic_cli issue after JHF 26 install.  They have an internal SK for it now (sk181500).  I notified our Check Point SE, who forwarded it over to the internal teams.  I got a reply back quickly with the R&D update.

As @the_rock indicated, "caveat emptor quo JHF 26".

(content filter did not appreciate pure Latin; apologies for the slight deviation)

 

 

the_rock
Legend
Legend

@Duane_Toler Content filter BLEEPED your terms mate LOL

 

But, I feel your "pain"...Im actually glad I saw the post from Perry in that other thread, and even though sounds like BGP issue did not affect the cluster, it was way too much of a risk to even bother installing take 26 to find that out.

Andy

Felix_Hoffmann1
Participant

Hello,

we are facing a problem using several web service api requests after installation of R81.20 Jumbo Hotfix Accumulator take #26 on our management server.

When using "show access-rulebase" combined with using a filter to search for a particular host, the server response produces an error 500 when finding the host inside of the rulebase. When the rulebase does not include the host, the error dow not occur.

Same happens when using "where-used".

error message below:

Click to Expand
2023-09-21 16:40:24,577 ERROR com.checkpoint.management.web_api_is.utils.WebApiCommandExceptionUtils.getErrorReply:95 [qtp-2147137859-99] - java.lang.NullPointerException
at java.util.concurrent.ConcurrentHashMap.get(ConcurrentHashMap.java:947)
at com.checkpoint.management.access.dle.beans.LayersManager.getCachedData(LayersManager.java:539)
at com.checkpoint.management.access.dle.beans.LayersManager.extendSearchMatchInfo(LayersManager.java:538)
at com.checkpoint.management.dleserver.coresvc.internal.LinksManagerSvcImpl.getExtendedSearchMatchInfo(LinksManagerSvcImpl.java:749)
at com.checkpoint.management.dleserver.coresvc.internal.LinksManagerSvcImpl.buildResultListFromUsageMap(LinksManagerSvcImpl.java:677)
at com.checkpoint.management.dleserver.coresvc.internal.LinksManagerSvcImpl.whereUsedInternal_aroundBody74(LinksManagerSvcImpl.java:321)
at com.checkpoint.management.dleserver.coresvc.internal.LinksManagerSvcImpl$AjcClosure75.run(LinksManagerSvcImpl.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at com.checkpoint.management.dleserver.coresvc.internal.TransactionRetrySvcImpl.proceed(TransactionRetrySvcImpl.java:174)
at com.checkpoint.management.dle.aspects.TransactionRetryAspect.aroundOperation(TransactionRetryAspect.java:16)
at com.checkpoint.management.dleserver.coresvc.internal.LinksManagerSvcImpl.whereUsedInternal(LinksManagerSvcImpl.java:1841)
at com.checkpoint.management.dleserver.coresvc.internal.LinksManagerSvcImpl.whereUsed_aroundBody76(LinksManagerSvcImpl.java:782)
at com.checkpoint.management.dleserver.coresvc.internal.LinksManagerSvcImpl$AjcClosure77.run(LinksManagerSvcImpl.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at com.checkpoint.management.dleserver.coresvc.internal.TransactionRetrySvcImpl.proceed(TransactionRetrySvcImpl.java:174)
at com.checkpoint.management.dle.aspects.TransactionRetryAspect.aroundOperation(TransactionRetryAspect.java:16)
at com.checkpoint.management.dleserver.coresvc.internal.LinksManagerSvcImpl.whereUsed(LinksManagerSvcImpl.java:2082)
at com.checkpoint.management.dleserver.coresvc.internal.rulebase.RulebaseCrudSvcImpl.whereUsed_aroundBody140(RulebaseCrudSvcImpl.java:917)
at com.checkpoint.management.dleserver.coresvc.internal.rulebase.RulebaseCrudSvcImpl$AjcClosure141.run(RulebaseCrudSvcImpl.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at com.checkpoint.management.dleserver.coresvc.internal.TransactionRetrySvcImpl.proceed(TransactionRetrySvcImpl.java:174)
at com.checkpoint.management.dle.aspects.TransactionRetryAspect.aroundOperation(TransactionRetryAspect.java:16)
at com.checkpoint.management.dleserver.coresvc.internal.rulebase.RulebaseCrudSvcImpl.whereUsed(RulebaseCrudSvcImpl.java:790)
at com.checkpoint.management.web_api.utils.RemoteRulebaseCrudManager.filterRulebaseRules(RemoteRulebaseCrudManager.java:289)
at com.checkpoint.management.web_api.core.handler.query.ApiQueryRulebaseHandler.query_aroundBody0(ApiQueryRulebaseHandler.java:1)
at com.checkpoint.management.web_api.core.handler.query.ApiQueryRulebaseHandler$AjcClosure1.run(ApiQueryRulebaseHandler.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at com.checkpoint.management.web_api_is.aspects.logging.WebApiMethodLoggerAspect.aroundMethodLoggerTest(WebApiMethodLoggerAspect.java:16)
at com.checkpoint.management.web_api.core.handler.query.ApiQueryRulebaseHandler.query(ApiQueryRulebaseHandler.java:2)
at com.checkpoint.management.web_api.core.handler.query.accessctrl_rule.v1_1.QueryAccessRulebaseHandler.query(QueryAccessRulebaseHandler.java:2)
at sun.reflect.GeneratedMethodAccessor3443.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at com.checkpoint.management.web_api_is.utils.WebApiReflectionUtils.invoke(WebApiReflectionUtils.java:1)
at com.checkpoint.management.web_api.web_services.WebApiEntryPoint.invokeWebApiCommandTransactionalRO_aroundBody4(WebApiEntryPoint.java:567)
at com.checkpoint.management.web_api.web_services.WebApiEntryPoint$AjcClosure5.run(WebApiEntryPoint.java:1)
at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
at com.checkpoint.management.dleserver.coresvc.internal.TransactionRetrySvcImpl.proceed(TransactionRetrySvcImpl.java:174)
at com.checkpoint.management.dle.aspects.TransactionRetryAspect.aroundOperation(TransactionRetryAspect.java:16)
at com.checkpoint.management.web_api.web_services.WebApiEntryPoint.invokeWebApiCommandTransactionalRO(WebApiEntryPoint.java:104)
at com.checkpoint.management.web_api.web_services.WebApiEntryPoint.postEntryPoint(WebApiEntryPoint.java:299)
at sun.reflect.GeneratedMethodAccessor1707.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:191)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:309)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:234)
at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:76)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1129)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1065)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:497)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:825)

anyone else facing this issue?

 

thanks in advance 

the_rock
Legend
Legend

I can test in my lab mgmt, can you give example of command you used @Felix_Hoffmann1 ?

Andy

MatanYanay
Employee
Employee

Hi all and @Duane_Toler 

 

as mentioned by @the_rock  we do aware of the  "CloudGuard Central Licenses"

  • Issue is relevant only to R81.20 JHF take 26 
  • How to identify?
    • CloudGuard Licenses removed from security management and security gateways.
  • What to do in this case?
    • Using vsec_lic_cli:
      • vsec_lic_cli add <license string>
      • vsec_lic_cli distribute
  • For more information, please refer to sk181500

we are working on a fix that will be included as well in th upcoming jumbo we plan to release by early October 

Thanks 

Matan.

 

the_rock
Legend
Legend

@MatanYanay Is that sk internal? When I search it, nothing comes up...

Andy

MatanYanay
Employee
Employee

@the_rock 

AFAIK the sk should be visible to everyone

 

maybe it's still need some time to be sync with the systems  

the_rock
Legend
Legend

Maybe, but this is all I get @MatanYanay 

Andy

 

Screenshot_1.png

MatanYanay
Employee
Employee

@the_rock 

should be ok now

the_rock
Legend
Legend

Yes sir, thank you @MatanYanay 🙌👍

Andy

Tobias_Moritz
Advisor

@the_rock Regarding the problem @Felix_Hoffmann1 has mentioned:

The issue occurs only, when the session is read-only:

[Expert@SMS:0]# mgmt_cli login read-only true
Username: user
Password:
uid: "whatever_uid"
sid: "whatever_sid"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
read-only: true
api-server-version: "1.9"
user-name: "user"
user-uid: "whatever_uid"

[Expert@SMS:0]# curl_cli -k -X POST https://192.168.1.1/web_api/where-used --user-agent mgmt_cli -H "Content-Type: application/json" -H "Accept: text/plain" -H "connection: keep-alive" -H "X-chkp-sid: whatever_sid" -d '{"name":"server1"}'
code: "generic_error"
message: "Null Pointer exception: null"


[Expert@SMS:0]# mgmt_cli login read-only false
Username: user
Password:
uid: "whatever_uid"
sid: "whatever_sid"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
api-server-version: "1.9"
user-name: "user"
user-uid: "whatever_uid"

[Expert@SMS:0]# curl_cli -k -X POST https://192.168.1.1/web_api/where-used --user-agent mgmt_cli -H "Content-Type: application/json" -H "Accept: text/plain" -H "connection: keep-alive" -H "X-chkp-sid: whatever_sid" -d '{"name":"server1"}'
used-directly:
  total: 4
  objects:
...

 

This is reproducable even with SmartConsole. When SmartConsole Session Login is readonly, a where-used failed also there. Not only in SmartConsole CLI but also in Object explorer.

The error log in $FWDIR/log/api.elg is always the same, as Felix posted.

Can anybody who is already at T26 try this? Maybe just simply with SmartConsole in read-only mode? Just to see if really everybode is affected or only a few.

Thank you!

Natan_Chamilevs
Employee
Employee

Hi @the_rock @Felix_Hoffmann1 @Tobias_Moritz,

This is indeed an unfortunate issue that was inserted with a huge performance improvement for policy installation. Hotfixes are already created for this issue, on top of the last takes of both R81.10 and R81.20 JHFs. 

An SK has been created for this issue, and TAC can provide the relevant HF. See sk181471.

A new JHF that contains the fix should be released next month. 

 

We are truly sorry for the inconvenience and working to improve the process.

 

Natan Chamilevski,

Management CFG 

Norbert_Bohusch
Advisor

Is this issue from sk181471 relevant to every R81.10/20 version or only starting from specific JHF? Because there are no details in the SK about this, which would mean every version!

Tobias_Moritz
Advisor

Thank you, Natan, for confirming.

@Norbert: Based on our own experience, its only R81.20 JHF T26. It was working in T24. And based on what Natan says, it makes sense, because the major performance improvement in policy installation was introduced in T26 release notes. The same is mentioned in R81.10 JHF T110 release notes, so T110 and T113 should be affected.

Norbert_Bohusch
Advisor

I thought so, but the SK should be updated then, because it might confuse others finding the SK without knowing about this thread.

the_rock
Legend
Legend

@Natan_Chamilevs , things happen mate, all good...as long as they get fixed, no sweat.

@Norbert_Bohusch Thats an excellent point you made about the sk ✔

Andy

Natan_Chamilevs
Employee
Employee

Thank you for the comments, the SK is now updated with the specific takes that contain the issue.

 

the_rock
Legend
Legend

Great news @Natan_Chamilevs 

Tobias_Moritz
Advisor

Any idea, why TAC does not offer the hotfix from sk181471 quickly? We opened a SR on the same day (6 days ago). @Natan_Chamilevs informed us here about that sk, but still did not got the hotfix . Case is "Pending Check Point"...

 

Scottc98
Advisor

In regards to sk181500, can Checkpoint confirm if there is a pending hotfix coming this month to resolve this?   

The SK shows a workaround but would rather get a fix in place than have any affect to my cloud gateways.  

Only thing on R81.20 today is management (Take 14) and want to shore up.....but very concerned with this note here about moving to GA take 26.  

Is there also a list of 'whats coming' in the R81.10 JHF release notes?   It seems like checkpoint keeps taking that section away 😞

the_rock
Legend
Legend

@Scottc98 Someone from Israel responded to me in another post that next R81.20 jumbo will be released in October. Whether all these issues will be fixed, I have no clue.

Andy

Scottc98
Advisor

Thanks @the_rock    

I really wished they kept up with the list of the upcoming fixes.   At least that would provide customers with some understandings....even if it doesn't mean its going to be in the exact next release.

And....w/o knowing what else is coming, it kinda puts customers like myself in bind.   Totally willing to wait ~2weeks here to patch this if this fix and possibly others are in place for management than to seek out business windows multiple times 

 

the_rock
Legend
Legend

@Scottc98 I agree 100%, it should be more transparent, for sure.

Andy

MatanYanay
Employee
Employee

@the_rock  and @Scottc98 

Thanks for your feedback on our "upcoming resolved issues" 

I will take it internally to check what did happen with our process 

we indeed support transparently for our upcoming fixes 

@Scottc98  for your question regarding sk181500, I can confirm, the fix of this issue will be part of our next jumbo we will release during October 

Thanks 

Matan.

the_rock
Legend
Legend

@MatanYanay Looking forward to next jumbo.

Andy

Tobias_Moritz
Advisor

Just want to update, that we got the hotfix for sk181471 finally yesterday after two weeks TAC case (Check_Point_R81_20_JHF_T26_772_MAIN_Bundle_T1_FULL.tar) and it fixed the issue with searches in read-only-mode.

Henrik_Noerr1
Advisor

@MatanYanay if you have been aware of this issue for two weeks - why is the important notes not updated???

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Important-Notes.htm

Is this not the whole idea of 'important notes' ? I see it is listed as 'upcoming fix' - but still

 

/Henrik

the_rock
Legend
Legend

@Henrik_Noerr1 You took the words out of my mouth as they say. I was wondering the same thing, which is too logical...WHY are notes not updated with this? Hard to imagine this would not be considered important notes...at least, in my opinion.

Andy

MatanYanay
Employee
Employee

@Henrik_Noerr1  and @the_rock 

As you know we are doing the best we can to be transpertae as possible with all our known issues. 

I agree, this issue is important and need to be add to our important note section,  therefore we will adjust it early nest week.

Thanks for brining it to my attention  ( that we are missing it 😞

Matan  

the_rock
Legend
Legend

No big deal @MatanYanay , all things can be corrected, its just that us customers need to know about it, since we use the product ; - )

Its sort of as if say you drive Kia car and there is a recall and they never tell you about it...transparency is key!

Andy

Labels