Product Announcements

2024-06-18 06:26 AM
R82 Public EA Program
Introducing Check Point Software Technologies' groundbreaking release, R82. This cutting-edge software marks a pivotal moment in cybersecurity with many innovative features. R82 ushers in a new era of web security, offering complete protection for HTTP/3 ... read more
92 Comments
Contributor

@the_rock I tried to delete all files from the "archive" folder, but the alert persists.

I truly believe this is a visual error being generated by SmartConsole, so we will have to wait for a new version.

Something I have also noticed is that the Service column in the logs no longer shows the port number:

MGMT.png

And also the kernel version has not yet been adjusted in some files within Linux, as cpinfo -y all shows:

Kernel3.png

Kernel2.png

Kernel.png

These are just points that I believe are mentioned here, but that will definitely be adjusted in the GA version.

MVP Platinum

@fabionfsc I see what you mean about the version, I get the same, but no issue with the log thing you raised or hcp.

Andy

Contributor

Yeah @the_rock, I'm checking right now the post you did about the E1000, found it interesting...

https://community.checkpoint.com/t5/Security-Gateways/R82-feedback/td-p/218111

MVP Platinum

Yeah, totally forgot about that...DOH haha

I would say change to vmxnet3 if you can, that may fix it.

Andy

MVP Platinum

@fabionfsc , like below

Andy

Screenshot_1.png

Contributor

I always use VMXNET3, because it was made by VMware precisely for virtual machines. The E1000/E1000e is a virtualized NIC that, like it or not, uses more resources and has stability problems.

Management.png

MVP Platinum

I agree, but, for testing, you can flip back and forth to see if it makes any difference. Cause, in the beginning, when I built the R82 lab, I was using e1000e and was having hcp and some other issues, but as soon as I switched to vmxnet3, all worked fine.

Andy

Contributor

At this moment I am already using VMXNET3 (SMS; GW all interfaces), unless I switch to E1000e and see the behavior. But in your post that I mentioned, you also had the same hcp problem.

MVP Platinum

@fabionfsc Let's do a remote session if you are allowed to and it's possible, I'm sure we can figure this out...the hcp error I mean.

Andy

Contributor

@the_rock Sure! I'll send you a PM.

MVP Platinum

Just a quick update: Fabio @fabionfsc and I did a Zoom meeting, we tried so many things, deleted everything from the hcp folder, then I sent him the hcp folder from my working lab, we rebooted, the hcp warning always stays there. I'm not 100% sure at this point what the issue could be, as the mgmt server does NOT show it, only the gateway.

@Naor_Nassi if you have any suggestions/ideas, please feel free to share. I'm happy to test anything needed in my lab and truth be told, I don't care if it breaks, easy to spin up a new one in even ng : - )

Andy

Contributor

@the_rock Thank you for having a session with me and trying to resolve the HCP alert. I also have the R82 version in the lab (ESXi) but it has a public IP and is fully available on the Internet.

I also don't care if it breaks, and if you @Naor_Nassi have any script or something that we can do or test, we can do it right away, no problem at all.

HCP2.png

HCP.png

MVP Platinum

@fabionfsc If that lab has public access, are you willing to give me access? I'm happy to try and fix it on my own time. I sadly don't have a script for it, but I'm a very persistent dude, I don't give up easily on things : - )

Let me know.

Andy

Contributor

Yes, I will send you the VPN access information in a private message.

MVP Platinum

Sounds good, as soon as I get the info, I will check it and see if we can fix the issue.

Andy

MVP Platinum

@fabionfsc 

Thanks brother for sending me all the details. I am not giving up on fixing it, but had enough for tonight LOL

Anyway, tomorrow I will try to see logically WHY, whenever you click to disable hcp and then go back, there is never an enable option there, it always reverts back to disable.

Andy

Contributor

I'm going to try right now to do a fresh install of R82 and a Migrate Import of my current Management, because all my database came from version R81.20, and I hadn't installed any R82 Jumbo Take before performing this Migrate Import.

So I'm going to create a new VM and install Take 40 Jaguar, and then do a Migrate Import, and see if the behavior is the same. Thank you @the_rock 

MVP Platinum

Not a bad idea.

MVP Platinum

@fabionfsc 

I am not giving up yet, but man, this is really peculiar, for lack of a better word lol. I mean, how in the world can HCP be considered a blade?? Makes no logical sense, so first off, the wording is totally wrong and 2nd of all, I even went as far as comparing the files in the hcp dir on your end to mine, exactly the same.

Andy

Screenshot_1.png

MVP Platinum

@fabionfsc 

Message me on WhatsApp, let's connect there again. I think I found a way to do this, but since I lost access to the fw even when connected via SSL VPN, if you give me an upload link, I will send you the files you need to dump into the folder below on your fw and then run the script I indicated.

Andy

[Expert@R82-TEST-FW:0]# cd /var/log/AutoUpdater/metadata/HealthCheck_Point/hcp/hcp_AutoUpdate/73/product_scripts/
[Expert@R82-TEST-FW:0]# la
-bash: la: command not found
[Expert@R82-TEST-FW:0]# ls
backup hcp_post_verify_action.sh hcp_register.sh
hcp_log.sh hcp_pre_action.sh hcp_unregister.sh
hcp_post_action.sh hcp_pre_revert.sh
[Expert@R82-TEST-FW:0]#

[Expert@R82-TEST-FW:0]# ./hcp_unregister.sh
[LOG] - #####################################################
[LOG] - Start preremove script...
[LOG] - Set umask for this session...
[LOG] - 1. Check Dependent Packages
[LOG] - There are no packages dependent on:
[LOG] - HealthCheck Point.
[SUCCESS] - Finish running hcp_unregister.sh
[Expert@R82-TEST-FW:0]#

MVP Platinum

@fabionfsc Man, I feel terrible I could not fix it for you, BUT, I am NOT giving up. I remember once a customer asked me if I was willing to help them with something regarding Fortinet and it took me a week, but I fixed it, since TAC was not able to.

Now, this you can't open a TAC case for, but don't despair, I made notes about what does NOT work, so I will continue tomorrow, as I will have more time.

I will keep you posted on WhatsApp : - )

Thanks again for being so kind to give me access to that lab, I appreciate it, you are a good dude.

Andy

Contributor

@the_rock

I would like to thank you for all the support you have given me in resolving this alert. Yesterday I also spent until 3:40 AM trying to resolve this problem. I saw that there are some HCP folders that are in R81.20 but not in R82, something related to backup.

I also became aware of these register and unregister scripts. I ran them all, reinstalled the hcp package, and nothing...

As I said in our session today, I have another installer for SmartConsole R82 Build 82.0.9800.550 (instead of 82.0.9800.850), and in this build, there is no option to Disable HealthCheck Alert, so I assume that the R&D team is aware of this problem.

All we can do at this point is wait for the next Take or the GA version. I've already racked my brains with this alert so much that for me, the normal alert now is this yellow alert. 

MVP Platinum

I'm sure we will figure something out my friend, some issues take longer : - )

MVP Platinum

@fabionfsc 

Bro, I really feel I'm getting closer to solving this and here is why. I went to that dir /var/log/autoupdate/healthcheck something or other, then /product_scripts for hcp and ran EVERY single script and 2 of them showed there was a folder missing called /hcp in the /etc dir, so I copied it over from my R82 gateway and once I gave the right permissions in /usr/bin for hcp, now hcp commands do work, so that's a huge improvement, even though the error is the same.

Anyway, I will check it again Tuesday. Now, I have to get some sleep, working on a large Fortinet project, so need to be rested : - )

Best my friend.

Andy

MVP Platinum

@fabionfsc 

So I examined the logs, and below is what I see brother. I think at this point, let's see if someone from CP can figure this out, as I feel like you and I tried everything humanly LOGICALLY possible.

Andy

Logs:

- Machine's configuration is 'Security Gateway'


This hotfix is only supported on Management machines
*N* %07-30 09:21:59% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:21:59% : Error for ngm_doctor:ngm_doctor_AutoUpdate:23:55 already reported, skipping.
*N* %07-30 09:21:59% : Metadata found for component sho
*E* %07-30 09:22:00% : DDR verification failed for metadata directory /var/log/AutoUpdater/metadata/SharedObjects/sho/dana_AutoUpdate/170/More info: The following results are not compatible with the package:

- Machine's configuration is 'Security Gateway'


This is a global conditions set
*N* %07-30 09:22:00% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:22:00% : Error for sho:dana_AutoUpdate:170:55 already reported, skipping.
*N* %07-30 09:22:00% : Metadata found for component tp_conf_mgmt
*E* %07-30 09:22:01% : DDR verification failed for metadata directory /var/log/AutoUpdater/metadata/itp/tp_conf_mgmt/GOT_TPCONF_MGMT_AutoUpdate/39/More info: The following results are not compatible with the package:

- Machine's configuration is 'Security Gateway'


This package is not supported on:
- Gateway Machines
- CP version prior to R80.40
*N* %07-30 09:22:01% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:22:01% : Error for tp_conf_mgmt:GOT_TPCONF_MGMT_AutoUpdate:39:55 already reported, skipping.
*N* %07-30 09:22:01% : Metadata found for component web_console
*E* %07-30 09:22:02% : DDR verification failed for metadata directory /var/log/AutoUpdater/metadata/mwc/web_console/webconsole_AutoUpdate/114/More info: The following results are not compatible with the package:

- Machine's configuration is 'Security Gateway'


This hotfix is only supported on Management based on versions R81 JHF take 57, R81.10 JHF take 33, R81.20 and above
*N* %07-30 09:22:02% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:22:02% : Error for web_console:webconsole_AutoUpdate:114:55 already reported, skipping.
*N* %07-30 09:22:02% : Installing all packages allowed in this maintenance window
*N* %07-30 09:44:58% : No package installed for hcp. Not reverting.
*N* %07-30 09:48:33% : No package installed for hcp. Not reverting.
*N* %07-30 10:04:16% : No package installed for hcp. Not reverting.
[Expert@Eternatus:0]#
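The AutoUpdater output above is easier to reason about once it is grouped into entries: every line that starts with `*N*` or `*E*` and a timestamp opens a new entry, and the indented reason lines that follow a "DDR verification failed" message belong to that entry. The following Python script is an added example (not Check Point tooling) that parses that layout and separates the expected noise (packages meant for a Management machine being rejected on a gateway, which is what every failure in the paste says) from anything that would actually deserve a closer look. The sample log is constructed from the lines pasted above with the web_console entries left out; the regular expressions are based only on that format.

```python
import re
from collections import Counter

# Constructed sample, copied from the AutoUpdater output in the thread (web_console entries omitted).
SAMPLE_LOG = """\
- Machine's configuration is 'Security Gateway'

This hotfix is only supported on Management machines
*N* %07-30 09:21:59% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:21:59% : Error for ngm_doctor:ngm_doctor_AutoUpdate:23:55 already reported, skipping.
*N* %07-30 09:21:59% : Metadata found for component sho
*E* %07-30 09:22:00% : DDR verification failed for metadata directory /var/log/AutoUpdater/metadata/SharedObjects/sho/dana_AutoUpdate/170/More info: The following results are not compatible with the package:

- Machine's configuration is 'Security Gateway'

This is a global conditions set
*N* %07-30 09:22:00% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:22:00% : Error for sho:dana_AutoUpdate:170:55 already reported, skipping.
*N* %07-30 09:22:00% : Metadata found for component tp_conf_mgmt
*E* %07-30 09:22:01% : DDR verification failed for metadata directory /var/log/AutoUpdater/metadata/itp/tp_conf_mgmt/GOT_TPCONF_MGMT_AutoUpdate/39/More info: The following results are not compatible with the package:

- Machine's configuration is 'Security Gateway'

This package is not supported on:
- Gateway Machines
- CP version prior to R80.40
*N* %07-30 09:22:01% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:22:01% : Error for tp_conf_mgmt:GOT_TPCONF_MGMT_AutoUpdate:39:55 already reported, skipping.
*N* %07-30 09:22:02% : Installing all packages allowed in this maintenance window
*N* %07-30 09:44:58% : No package installed for hcp. Not reverting.
*N* %07-30 09:48:33% : No package installed for hcp. Not reverting.
"""

# "*<level>* %<MM-DD HH:MM:SS>% : <message>" opens an entry; anything else continues the previous one.
ENTRY_RE = re.compile(r"^\*([A-Z])\* %(\d{2}-\d{2} \d{2}:\d{2}:\d{2})% : (.*)$")
DDR_RE = re.compile(r"DDR verification failed for metadata directory (\S+?)More info:")
REPORTED_RE = re.compile(r"Error for ([^:\s]+):([^:\s]+):(\d+):(\d+) already reported")
NOPKG_RE = re.compile(r"No package installed for (\S+)\. Not reverting\.")


def parse_entries(text):
    """Group raw lines into entries; reason lines without a timestamp attach to the last entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            level, ts, msg = m.groups()
            entries.append({"level": level, "ts": ts, "msg": msg, "extra": []})
        elif entries and raw.strip():
            entries[-1]["extra"].append(raw.strip())
    return entries


def triage(text):
    """Summarise DDR failures (and whether they are just a machine-role mismatch), repeat counts and never-installed packages."""
    summary = {"levels": Counter(), "ddr_failures": [], "already_reported": Counter(), "not_installed": set()}
    for e in parse_entries(text):
        summary["levels"][e["level"]] += 1
        m = DDR_RE.search(e["msg"])
        if m:
            path = m.group(1).rstrip("/")
            component = path.split("/metadata/", 1)[-1]  # e.g. SharedObjects/sho/dana_AutoUpdate/170
            reasons = e["extra"]
            summary["ddr_failures"].append({
                "component": component,
                "reasons": reasons,
                # Package meant for another machine role: expected on a gateway, not a corrupt download.
                "role_mismatch": any("Security Gateway" in r for r in reasons),
            })
            continue
        m = REPORTED_RE.search(e["msg"])
        if m:
            comp, _pkg, _ver, code = m.groups()
            summary["already_reported"][(comp, int(code))] += 1
            continue
        m = NOPKG_RE.search(e["msg"])
        if m:
            summary["not_installed"].add(m.group(1))
    return summary


def format_report(summary):
    """Render the triage as a few lines; 'INVESTIGATE' marks a DDR failure that is not a role mismatch."""
    lines = [f"entries by level: {dict(summary['levels'])}"]
    for f in summary["ddr_failures"]:
        tag = "expected (role mismatch)" if f["role_mismatch"] else "INVESTIGATE"
        lines.append(f"DDR failure {f['component']}: {tag}; reasons: {' | '.join(f['reasons'])}")
    for (comp, code), n in sorted(summary["already_reported"].items()):
        lines.append(f"error code {code} for {comp} reported {n}x")
    if summary["not_installed"]:
        lines.append("never installed on this machine: " + ", ".join(sorted(summary["not_installed"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

Run against the paste, every DDR failure is tagged as a role mismatch and hcp shows up only as "never installed", which matches the thread's conclusion that the AutoUpdater log does not explain the HealthCheck alert on its own.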

MVP Platinum

Btw, I reached out to our local SE about this and was pretty much told that since it's EA, obviously TAC can't support it and it will most likely be fixed in GA. That's totally valid reasoning, just odd how come the error is there and not in my lab, considering everything is EXACTLY THE SAME.

Oh well, some things in this life can't be explained, I guess : - )

Andy

MVP Platinum

Just to update, I sent Fabio the output of my R82 lab for df -h and he advised he would rebuild the lab using the same settings, so fingers crossed it works for hcp, cause it works fine on my end.

Andy

thumbnail_image.png

MVP Platinum

@fabionfsc I believe you indicated all is good now after the rebuild? You just ended up using what I sent in df -h output, right?

Best,

Andy

Contributor

@the_rock

No problem, today I woke up with a red HealthCheck alert on the Firewall, I rebooted and it came back with the yellow alert.
Honestly, we tried everything and it didn't work, I think it's a programming problem or something like that.
I asked for the output of the df -h command because my Firewall/SMS has an NVMe controller instead of a standard SCSI controller; I thought that could be the problem, but it isn't.

Sem título.png

MVP Platinum

@fabionfsc Man, that's disappointing : - (

Oh well, I think you are 100% right, we tried literally everything. Let's chat on WhatsApp about something more fun than HCP, no offense haha

Andy

Contributor

I also identified a problem with the External Interface on R82, which was experiencing a LOT of rx drops, which was impacting some HTTPS Inspection Inbound (packet drops) that I had configured.

I followed sk61922 but without success. I believe that this is the reason why R82 is not yet officially supported in virtualized environments. There may be some incompatibility between the virtualized NIC drivers (vmxnet3, e1000e, etc.) and this new R82 kernel version.

I reinstalled my entire environment on R81.20, and everything is working perfectly, without any rx drops.

MVP Platinum

@fabionfsc I had done lots more testing too brother. My WhatsApp went quiet, no messages from you...just kidding, hehe.

Glad you got it working.

Andy

Contributor

Attempting to test the dynamic layer feature, but the SK that is supposed to have the documentation, sk182252, doesn't seem to exist.

Collaborator

Not all SKs are visible to the public. As far as I understand it, most SKs start to exist as an internal article, and once they are tested and verified to actually help some customers, they are made public.

Contributor

Just seems strange that in the public/EA documentation they would reference an SK that either doesn't exist or is not publicly available.

Admin

In this case, sk182252 is internal because it's about a feature in an unreleased version.
However, you can see the most relevant parts of the documentation by reviewing the Gaia API docs on your own system.
See: https://mgmt-ip/gaia_docs/#web/set-dynamic-content~v1.8%20

Other relevant information:

Starting from R82, it is possible to configure Access Control rules directly on the Security Gateway with the Gaia API call "set-dynamic-content". This saves time and helps automate various tasks.

On the Management Server, you configure a new Policy Layer (and configure it as a Dynamic Layer). On the Security Gateway, this Dynamic Layer works as a container for all Access Control rules you configure with the Gaia API call "set-dynamic-content".
The rules you define for the relevant dynamic layer in SmartConsole are placeholders until you use the set-dynamic-content Gaia API to change the content.

Contributor

^ This is what I was doing. However, it seems that the dynamic layer is not making it to the gateways, as neither the set nor the show command recognizes any dynamic layers on the gateway. I was hoping that I was missing a step somewhere, but it seems like that may not be the case and something else may be wrong. Perhaps this is not working as expected in the EA?

Admin

A couple other notes from the internal SK:

  1. The dynamic layer can be either an Ordered or an Inline layer
  2. Only Firewall and App Control/URL Filtering blades are supported in Dynamic Layers
  3. The layer should have rules configured in it that apply prior to using set-dynamic-content using the Gaia (not management) API
  4. The Gaia API user must have adminRole configured to use set-dynamic-content

Other limitations:

  • VSNext Virtual Gateways not currently supported
  • Legacy VSX Virtual Systems / Routers are not supported

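The two Admin posts above describe the workflow (a Dynamic Layer created in SmartConsole holds placeholder rules; a Gaia API user with adminRole then replaces its content with set-dynamic-content) and the earlier Contributor post describes the failure mode (the gateway's set/show commands do not recognise the layer at all). The Python client below is an added example, not Check Point's code, that scripts that workflow with the checks a practitioner would want: it queries the layer first and stops with a clear error when the gateway does not know it, refuses to push an empty rule list, re-reads the layer after the change, and always logs out. It assumes the standard Gaia REST API conventions (POST to https://<gateway>/gaia_api/login, the session id carried in an X-chkp-sid header, commands under /gaia_api/v1.8/<command>); the command name show-dynamic-content, the request body shape (layer-name plus a rules list) and the rule fields are assumptions that must be checked against the gaia_docs page on your own gateway. A constructed FakeGateway stands in for a real gateway so the flow runs offline.

```python
import json
import ssl
import urllib.request


class GaiaClient:
    """Minimal Gaia REST API client; the session id travels in the X-chkp-sid header (assumed convention)."""

    def __init__(self, host, version="v1.8", transport=None, cafile=None):
        self.base = f"https://{host}/gaia_api"
        self.version = version
        self.sid = None
        # Keep certificate verification on; pass the private CA instead of disabling checks.
        self._ctx = ssl.create_default_context(cafile=cafile)
        self._transport = transport or self._https_post

    def _https_post(self, url, headers, body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self._ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    def _call(self, command, body, versioned=True):
        url = f"{self.base}/{self.version}/{command}" if versioned else f"{self.base}/{command}"
        headers = {"Content-Type": "application/json"}
        if command != "login":
            if not self.sid:
                raise RuntimeError("call login() first")
            headers["X-chkp-sid"] = self.sid
        return self._transport(url, headers, body)

    def login(self, user, password):
        # Login is the only call without a session header; the user needs adminRole for set-dynamic-content.
        self.sid = self._call("login", {"user": user, "password": password}, versioned=False)["sid"]
        return self.sid

    def show_dynamic_content(self, layer):
        # ASSUMED command name and body; confirm against gaia_docs on the gateway.
        return self._call("show-dynamic-content", {"layer-name": layer})

    def set_dynamic_content(self, layer, rules):
        if not rules:  # an empty list would replace the placeholder rules with nothing
            raise ValueError("refusing to push an empty rule list")
        # ASSUMED body shape; confirm against gaia_docs on the gateway.
        return self._call("set-dynamic-content", {"layer-name": layer, "rules": rules})

    def logout(self):
        resp = self._call("logout", {})
        self.sid = None
        return resp


def push_rules(host, user, password, layer, rules, transport=None):
    """Login, confirm the gateway knows the layer, replace its content, verify, logout.

    Raises LookupError when the gateway does not recognise the layer, which is the symptom
    reported in the thread (the layer has not reached the gateway or is not marked dynamic).
    """
    gw = GaiaClient(host, transport=transport)
    gw.login(user, password)
    try:
        before = gw.show_dynamic_content(layer)
        if "rules" not in before:
            raise LookupError(f"gateway does not know dynamic layer {layer!r}: {before}")
        gw.set_dynamic_content(layer, rules)
        after = gw.show_dynamic_content(layer)
        if after.get("rules") != rules:
            raise RuntimeError(f"verification failed, gateway reports {after}")
        return after["rules"]
    finally:
        gw.logout()


class FakeGateway:
    """Constructed stand-in for a gateway so the flow runs offline; not real Check Point behaviour."""

    SID = "constructed-session-id"

    def __init__(self, dynamic_layers):
        self.layers = {name: [] for name in dynamic_layers}
        self.requests = []  # (url, headers, body) of every request, for inspecting the exchange

    def __call__(self, url, headers, body):
        self.requests.append((url, dict(headers), body))
        command = url.rsplit("/", 1)[1]
        if command == "login":
            return {"sid": self.SID}
        if headers.get("X-chkp-sid") != self.SID:
            return {"code": "constructed-no-session", "message": "missing or invalid session"}
        if command == "logout":
            return {"message": "OK"}
        layer = body.get("layer-name")
        if layer not in self.layers:
            return {"code": "constructed-not-found", "message": f"no dynamic layer {layer}"}
        if command == "set-dynamic-content":
            self.layers[layer] = list(body["rules"])
            return {"message": "OK"}
        if command == "show-dynamic-content":
            return {"layer-name": layer, "rules": list(self.layers[layer])}
        return {"code": "constructed-unknown-command", "message": command}


# Constructed sample rule; the field names are illustrative, not the documented schema.
SAMPLE_RULES = [{"name": "drop-from-quarantine-net", "source": "10.99.0.0/16",
                 "destination": "any", "service": "any", "action": "drop"}]

if __name__ == "__main__":
    fake = FakeGateway(["dyn-layer"])
    print(push_rules("gw.example.test", "apiuser", "secret", "dyn-layer", SAMPLE_RULES, transport=fake))
```

Against a real gateway, drop the transport argument (and pass cafile for a private CA); the pre-check with show is what turns the "layer not recognised" case into an explicit error instead of a silent no-op.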
Contributor

I have been playing with the dynamic layers now for a while since I got it working. I did notice that in the management API, when the packages and policies are retrieved, there is no field that shows this layer as a dynamic layer, so looking at the return from the management API it just appears like any other layer. In the actual release, will there be a field that notes that these are dynamic layers?

Admin

According to the API documentation for R82, the show-access-layer API endpoint should include this indication (dynamic-layer: true).
Is this not happening for you @fly1ng_circus ?

MVP Silver

Is there any information regarding VSnext and Maestro? The R82 documentation makes it seem like elasticXL and VSnext are directly intertwined. There is no VSnext without enabling elasticXL. elasticXL looks to be based on the same logic as Maestro/Scalable Platform. Does this mean VSnext will be supported by Maestro by default, or is this something that will happen down the line in R82.10 or something?

Would be interesting to know if VSnext is something to even consider to be an upcoming thing for Maestro VSX projects or not.

Admin

ElasticXL is basically Maestro without the external load balancer (i.e. the Orchestrator).
If it works with ElasticXL, it'll work with Maestro (and vice versa).
Likewise, you can expect the existing Maestro limitations to apply to ElasticXL as well. 
