R81.20 Jumbo Hotfix Accumulator take #38 has been released today

Will test it in the lab today and report back once installed.

Please be safe!

Andy

Upgraded everything in my lab to latest jumbo, weird thing is, access policy works fine, BUT, no matter what I do, cant install TP poloicy, always comes back with below error. I rebooted all gateways, mgmt (3 times actually), tried few sks about it I found on support site, but no luck.

Not sure why this comes up, as there were no changes done in the policy since last week.

Andy

Does it happen even if you create another Policy Package?

Can you send me the cpm.elg output for the flow at tfridman@checkpoint.com?

Thanks!

Thanks @Tal_Paz-Fridman , will send soon and try another policy. Just on Fortinet call atm, as soon as its done, will do it.

Hope you are well and safe!

Andy

Interesting to read about the new 19K-29K series.

Also, I wonder what's behind the new memory architecture that's mentioned and if there are commands and documentation to know about or if it's just something internal to the OS.

@Tal_Paz-Fridman Just emailed you. As I stated in my email, based on cpm.elg errors, I have a gut feeling its something with the licenses. Just generating brand new eval ones, lets see what happens.

Andy

@Alex- 

Apologies, this documentation is wrong – we will fix it.

We’ve migrated IDA daemons to use modern (and existing) memory allocator (it in used since ~80.40)

Note:

Under "Important Notes" section, the documentation should be updated for this line item:

• "After an upgrade, CloudGuard Central Licenses may be removed from the CloudGuard Central License pool on the Security Management and from the Security Gateways."

Per the 'Take 38 - Latest' section and within the reference SK for this issue (SK181500), this was listed as fixed in this latest release.  

Hi @Scottc98 

Thanks for bringing it to our attention 

We will adjust the important note accordingly as indeed this issue was fix in take 38

Thanks 

Matan.

Just a quick comment based on initial issue I reported...if anyone out there is using P2P file sharing category for their url filtering rulebase, you may want to wait a little to install jumbo 38, as it turns out from my remote session with R&D guys, that category was causing the issue, therefore causing threat prevention policy to fail every time (all else was fine).

Now, not saying it was caused by jumbo itself, but worked fine before installing it. My other lab where I did not use that category was fine. Anyway, just "throwing" that out there...something to consider.

Kind regards,

Andy

Any other issues being reported to Checkpoint R&D or TAC we need to be aware about that might not be documented?   Mainly concerned on a management/log/smartevent perspective as I really want to get this latest fix on our Smart-1 servers. 

Well, keep in mind one thing @Scottc98 . As I stated, this totally might NOT be even related to jumbo 38, the issue I experienced. It could have been a "freak acccident", for the lack of a better term. What I always do in my labs is I download jumbo to be installed and install it at the same time on all entities (mgmt, cluster, smart event, single gw). I know thats probably not the right way, but since its a lab, just for the sake of saving time, I do it like that. Never really had any issues before, but as R&D discovered, this supposedly had to do with p2p peer sharing category, as seen in the debugs one of the guys did over zoom remote.

They told me would try to replicate, but obviously, if it cant be replicated, then its not jumbo 38 related. Actually, now that I think about it, I also may try to reproduce this in eve-ng, should not take long and then report back the results.

Andy

Alright...did a test as below:

-installed R81.20 mgmt, applied eval, put on jumbo 26

-rebooted

-installed R81.20 gw, jumbo 26

-policy worked fine with p2p peer sharing category in urlf+appc layer

-upgraded all to jumbo 38, all still works fine, including threat prevention

This tells us 100% its NOT the jumbo issue and I dont know what in the world happened the other day in my lab, but seems jumbo is fine

Andy

Another quick update. I had an issue today where both my R81.20 jhf 38 labs could not install regular policy, but TP policy was fine. I ended up rebooting everything and its good now. Not real sure if this is jumbo related, but will monitor and update if any other issues.

I ended up rebooting both mgmt servers and now it all works again fine.

Its worth pointing out that none of this ever used to happen in any older takes on R81.20 jumbos.

Andy

Hi Andy @the_rock 

As of now, we have dozens of installations with take 38 and we have not heard anything on policy installation issues nor any other issues with the take. 

I know you already talked with lya Yusupov and he gave you some points to look for in the next time this event happens in your lab environment, so we can continue the investigation 

We will keep working with you offline 

Thanks 

Matan.

@MatanYanay Thats totally fair. I am 99.99% confident now in saying this is not jumbo 38 issue, I just find it super odd that all the issues I had started happening after I installed it, never before. As I mentioned to Ilya, I will keep monidoring and reach out to him if any changes.

Thanks a lot for following up, very grateful mate.

Please stay safe and well 🙌🙌

Kind regards,

Andy

Just a quick update @MatanYanay ...my sincere apologies, it was 100% fault in the lab. I never realized that office mode subnet was changed (not sure when, probably before jumbo 38 install) and it was conflicting with our lab subnet, thus causing issues. I have since changed it and all is well.

Sorry again for the trouble and all the help mate 🙌🙌. As stated, I have Ilya's email, so can always message him if anything arises.

Cheers and please stay safe.

Best regards,

Andy