
R82 Public EA Program

Naor_Nassi
Employee


Introducing Check Point Software Technologies' groundbreaking release, R82. This cutting-edge software marks a pivotal moment in cybersecurity with many innovative features. R82 ushers in a new era of web security, offering complete protection for HTTP/3 over QUIC, setting an industry precedent. Moreover, it presents the world's first firewall tailored for effortless HTTPS Inspection deployment while maintaining exceptional performance. Not stopping there, R82 delivers an enhanced operational experience with simplified cluster deployment through ElasticXL and a versatile new VSX mode. The software, in addition, boasts a new version of the operating system with superior networking and routing capabilities. Additionally, R82 takes automation to new heights, allowing full dynamic policy layer configuration through API calls directly to the Security Gateway.

Stay ahead of the curve with R82 and experience the future of cybersecurity management and protection.

Enrollment | Public EA

Check Point Public EA is designed for lab and sandbox deployments only.

UserCenter:

Register for the Public EA release via usercenter.checkpoint.com -> TRY OUR PRODUCTS -> Early Availability Programs -> CPEA-EVAL-R82

PartnerMAP:

Register for the Public EA release via usercenter.checkpoint.com -> CUSTOMER ACQUISITIONS -> Early Availability Programs -> CPEA-EVAL-R82

or connect via this link https://usercenter.checkpoint.com/ucapps/ea-programs

IMPORTANT NOTE

  • Check Point Public EA is designed for lab and sandbox deployments only.
  • Upgrading a Public EA version to GA is not supported.

New in this release

Quantum Security Gateway and Gaia

Web Security

  • Added support of HTTP/3 protocol over QUIC transport (UDP) for Network Security, Threat Prevention and Sandboxing.

HTTPS Inspection

This release brings a significant milestone in performance, simplicity, and deployment of HTTPS Inspection. These capabilities allow customers to implement HTTPS Inspection without compromising performance and user experience.

  • Full Fail-open mode - A new capability that automatically detects a failure in the HTTPS Inspection process because of client-side issues such as pinned certificates. When detected, the connection is automatically added to an exception list, ensuring zero connectivity issues for end-users.
  • Deployment assessment - Allows customers to gradually deploy HTTPS to a portion of the traffic (up to 30%), predicts the performance, and automatically detects and resolves connectivity issues.
  • Bypass under load - Optionally bypass HTTPS Inspection in case of high CPU load.
  • HTTPS Inspection monitoring - Inspection status overview and detailed advanced HTTPS Inspection statistics.
  • Enhanced HTTPS Inspection policy - An improved HTTPS policy with a default recommended inspection policy, separate inbound and outbound rules, and multiple outbound certificate support.

Automatic Zero Phishing Configuration

Introducing a new addition to the Zero Phishing Software Blade - the Automatic mode.
The Automatic mode significantly simplifies the configuration process, providing a seamless experience. With the Automatic mode, the blade configuration is now effortless: simply enable the Software Blade, and you are ready to go.

Improved Threat Prevention Capabilities

  • Added configuration granularity for advanced DNS protections in Threat Prevention.
  • Added Advanced DNS protection against NXNS Attack.
  • Added support for DNS over HTTPS Inspection.
  • New Zero-Day prevention engine integrated into the Anti-Bot Blade. This engine detects and blocks advanced malware Zero-Day variants by automatically analyzing and identifying communication patterns.
  • Added Advanced DNS capability to block DNS queries to newly created domains.
  • DNS Security statistics are now available in the SmartView Dashboard.
  • It is now possible to load SNORT rules file as Custom Intelligence Feed automatically with 5-minute intervals to enforce them as IPS protections.

New Clustering Technology

  • ElasticXL - a new clustering technology delivering simplified operations with a Single Management Object and automatic sync of configuration and software between all cluster members.

Dynamic Policy Layer

  • Fully automated, API-controlled policy layer that allows dynamic policy changes to be implemented directly to the Security Gateway in seconds without involving Security Management.

Unified Configuration

  • Kernel parameters configuration is now performed in centralized database with Gaia Clish commands and Gaia REST API calls instead of fwkern.conf and simkern.conf files.

See:

Identity Awareness

  • Quantum Gateways can now use Identity Providers defined in the Check Point Infinity Portal, allowing customers to centrally manage identities across multiple Check Point products.
  • Introducing a new mode for Identity Awareness Blade - "PDP-Only", where the Security Gateway acts only as Policy Decision Point (PDP) for identity acquisition and distribution and does not enforce the identity-based policy. The new mode improves scalability for PDPs and Identity Broker. To enable the "PDP-Only" mode, see sk181605.
  • Introduced Identity Sharing cache mode to improve resiliency in case of connectivity loss with the PDP.

IPsec VPN

  • Automatically detect configuration changes in AWS, Azure, and GCP public clouds and adjust the VPN settings, ensuring connection stability.
  • Introducing the Advanced VPN Monitoring tool that shows information on each VPN Tunnel and tracks its health and performance.
  • Enhanced Link Selection:
    • Interoperability:
      • Uses the endpoint IP addresses of the VPN tunnel to improve interoperability with other software vendors
      • Uses Dead Peer Detection (DPD) as the link probing protocol instead of the proprietary "Reliable Data Protocol" (RDP).
    • Redundancy:
      • Allows redundancy of VPN tunnels including third-party and native cloud VPN peers.
    • Granularity:
      • Ability to configure the Security Gateway to use different VPN interfaces in different VPN communities.

Remote Access VPN

Security Gateway now supports the IKEv2 protocol for connections from Remote Access VPN Clients (E87.70 and higher for Windows OS and E87.80 and higher for macOS).

Mobile Access

  • Mobile Access Policy and Capsule Workspace configurations are now available in SmartConsole.
  • SAML authentication support for Mobile Access clients that allows seamless integration with third-party Identity Providers.
  • New Management API calls for Capsule Workspace configuration.
    See the Local Management API Reference at https://<IP Address of Gaia Management Interface on Management Server>/api_docs/ > section "Mobile Access"

Gaia Operating System

This release boosts Gaia OS with a new OS kernel and multiple new configuration options for better security, enhanced networking and a simpler experience.

The new capabilities are:

  • Enhance Gaia OS with:
    • Support for VSX mode in Gaia Link Layer Discovery Protocol (LLDP).
    • DHCPv6 server, DHCPv6 client, and DHCPv6 client for prefix-delegation.
    • Ability to configure the order of the "AAA" authentication (TACACS, RADIUS, Local authentication) in Gaia Portal and Gaia Clish.
    • DNS Proxy forwarding domains, which allows configuring specific DNS servers per DNS suffix.
  • New Gaia Clish and Gaia Portal configuration items:
    • Two-Factor Authentication for Gaia OS login using time-based authenticator apps (Google Authenticator and Microsoft Authenticator).
    • NTP pools and a larger number of NTP servers.
    • NFSv4 configuration.
    • Keyboard layout.
  • Support for storing a Gaia OS backup in and restoring it from Amazon S3 and Microsoft Azure.

Dynamic Routing

Added support for new Dynamic Routing capabilities:

  • BGP Extended Communities (RFC 4360).
  • BGP Conditional Route Advertisement and Injection.
  • Routing Table Monitor for Event Triggers.
  • IPv4 and IPv6 Router Discovery on cluster members.
  • Router Preference and Route Information option.
  • IPv4 PIM-SSM with non-default prefixes.
  • IPv4 PIM with BFD.
  • IPv4 PIM neighbor filtering.
  • IPv6 Protocol Independent Multicast (PIM) and Multicast Listener Discovery (MLD).
  • REST API calls for BGP, PIM, Multicast Listener Discovery (MLD).
  • REST API calls for Route Redistribution, Inbound Route Filters, and NAT Pools.
  • REST API calls for IGMP.

See the Local Gaia API Reference at https://<IP Address of Gaia Management Interface>/gaia_docs/#introduction > section "Networking".

Performance and Infrastructure

  • HyperFlow acceleration of elephant flows for the SMB/CIFS service.
  • Quantum Security Gateway multi-core utilization for sending inspection logs, improving log output capacity by up to 100%.
  • SecureXL acceleration of traffic over VxLAN and GRE tunnels.

Maestro Hyperscale

This release features improvements in managing and monitoring Maestro Hyperscale clusters, which include:

  • Support for SNMP Queries on each Security Group Member.
  • REST API on Quantum Maestro Orchestrator and ElasticXL Cluster Members:
    • New Quantum Maestro Orchestrator API calls for configuration and monitoring of Security Groups, Gateways, Sites, and Ports.
    • Support Gaia REST APIs for Quantum Maestro Security Group Members and ElasticXL Cluster Members.

See the Local Gaia API Reference at https://<IP Address of Gaia Management Interface>/gaia_docs/#introduction > section "Maestro".

VSX

Check Point VSX is enhanced with a new mode, allowing simpler configuration, easier provisioning, and a similar experience to a physical Security Gateway.

The benefits of the new VSX mode are:

  • Unified management experience between Check Point physical Security Gateways and Virtual Gateways, including the capability to manage each Virtual Gateway from a different Management Server.
  • Improves VSX provisioning performance and provisioning experience - creating, modifying, and deleting Virtual Gateways and Virtual Switches in Gaia Portal, Gaia Clish, or with Gaia REST API.
  • Management feature and API parity between Virtual Gateways (VGW) and physical Security Gateways.

Tools and Utilities

  • ConnView - a new consolidated troubleshooting tool for viewing connections information on the Security Gateway that works in the User Space Firewall (USFW).
    See the Local Gaia API Reference at https://<IP Address of Gaia Management Interface>/gaia_docs/#introduction > section "Diagnostics" > section "Connections" > command "show-connections".
    In the Expert mode, run the "connview" command.
  • Improved policy advisory tool "fw up_execute" (in the Expert mode), which performs virtual Access / NAT Rule Base execution. Given inputs based on logs or connections, the execution provides detailed information such as matched rules and classification information.

Quantum Security Management

Security Management Server Enhancements

  • The LDAP Account Unit object now uses the LDAP server name and CA certificate for LDAP trust.
    The trust is automatically renewed if an administrator renews or replaces the LDAP server certificate. As a result, Check Point servers keep their connectivity to the LDAP server.
  • Support for Management API to run the "vsx_provisioning_tool" operations to configure VSX Gateway and VSX Cluster objects.
    See the Local Management API Reference at https://<IP Address of Gaia Management Interface on Management Server>/api_docs/ > section "VSX" > command "vsx-provisioning-tool".
  • Support for Management API to configure the "Data Type" objects for the Data Loss Prevention and Content Awareness Software Blades.
    See the Local Management API Reference at https://<IP Address of Gaia Management Interface on Management Server>/api_docs/ > section "Data Types".
  • Security Gateways can now be managed by a Security Management Server hosted behind a public cloud or third-party NAT device.

Central Deployment of Hotfixes and Version Upgrades in SmartConsole

Central Software Deployment through SmartConsole was enhanced and now supports:

  • Uninstall of Jumbo Hotfix Accumulators.
  • Installation of packages on ClusterXL High Availability mode in the "Switch to higher priority Cluster Member" configuration ("Primary Up").
  • Installation of packages on Secondary Management Servers.
  • Installation of packages on Dedicated Log Servers.
  • Installation of packages on Dedicated SmartEvent Servers.
  • Installation of packages on Clusters of Quantum Spark and Quantum Rugged Appliances.
  • Installation of packages from Standalone Servers.
  • Package Repository per Domain on a Multi-Domain Security Management Server.

SmartProvisioning

  • Star VPN Community now supports Quantum Maestro Security Groups, VSX Gateways, and VSX Clusters as Center Gateways (Corporate Office Gateway).

Multi-Domain Security Management Server

  • Ability to clone an existing Domain on the same Multi-Domain Security Management Server. See sk180631.
  • Improved upgrade time of large Multi-Domain Security Management Server environments by up to 50%.
  • New Management API for setting IPv6 address of Multi-Domain Security Management Server.

Compliance

  • Added support for Quantum Maestro and Quantum Spark Appliances:
    • Gaia OS Best Practice support for Maestro Security Groups by checking each Security Group Member individually and presenting a consolidated Best Practices status.
    • Applying relevant Gaia OS Best Practices on Quantum Spark Appliances.
  • Added Gaia OS Best Practice support for Log Servers.
  • Added new regulations:
    • Cyber Essentials v3.1 regulation
    • Israeli Cyber Defense Methodology 2.0

CloudGuard Network Security

CloudGuard Controller

  • CloudGuard Controller support for Identity Awareness PDP (Identity Sharing).
  • CloudGuard Controller for VMware NSX-T now uses Policy Mode APIs to import objects from an NSX-T Manager.
  • CloudGuard Controller for VMware NSX-T can import Virtual Machines and Tags from an NSX-T Manager.
  • Multi-Domain Security Management Server now supports Data Center objects and Data Center Query objects in the Global Policy.

CloudGuard Network

  • New Management API for CloudGuard Central License utility.

Harmony Endpoint

Harmony Endpoint Web Management enhancements:

  • Client optimization for Windows servers - Harmony Endpoint allows you to easily optimize the Endpoint Security clients for Windows servers, such as Exchange servers, Active Directory servers, Database servers, and so on, by manually assigning Windows server roles.
  • Run Diagnostics:
    • Runs performance checks on endpoint clients using Push Operation.
    • The performance report presents each client's CPU and RAM utilization, including the configurable threshold.
    • Harmony Endpoint presents suggested exclusion for performance improvements.
    • You can easily add an exclusion as part of "Global Exclusion" or "Exclusion per Rule":
      • Exclusion description - You can now add comments for new or existing exclusions.
      • Global Exclusion - You can now easily add global exclusion that applies to all rules.
  • Application Control for macOS - Control which applications can run or use networking.
  • New Asset Management view:
    • Filters - A brand new look and functionality for filters that enhances operation and productivity, while using the Asset Management view.
    • Asset Management Table - Bigger asset management table to see all relevant data easily.
    • Columns reorder - New column reorder option to customize the asset management table to specific needs by changing column locations.
  • Linux Offline Package - Supports upload and export package for Linux OS clients.
  • Added Harmony Endpoint Management API to support on-premises Endpoint Security Management Server.

The API is disabled by default for on-premises deployments. See the Harmony Endpoint Management API article.

92 Comments
fabionfsc
Contributor

@the_rock I tried to delete all files from the "archive" folder, but the alert persists.

I truly believe this is a visual error being generated by SmartConsole, so we will have to wait for a new version.

Something I have also noticed is that the Service column in the logs no longer shows the port number:

MGMT.png

And also the Kernel version has not yet been adjusted in some files within Linux, as the cpinfo -y all shows:

Kernel3.png

Kernel2.png

Kernel.png

These are just points that I believe are mentioned here, but that will definitely be adjusted in the GA version.

the_rock
Legend

@fabionfsc I see what you mean about version, I get the same, but no issue with log thing you raised or hcp.

Andy

fabionfsc
Contributor

Yeah @the_rock, I'm checking right now the post you had done about the E1000, found it interesting...

https://community.checkpoint.com/t5/Security-Gateways/R82-feedback/td-p/218111

the_rock
Legend

Yea, totally forgot about that...DOH haha

I would say change to vmxnet3 if you can, that may fix it.

Andy

the_rock
Legend

@fabionfsc , like below

Andy

Screenshot_1.png

fabionfsc
Contributor

I always use VMXNET3, because it was made by VMware precisely for virtual machines. The E1000/E1000e is a virtualized NIC that, like it or not, uses more resources and has stability problems.

Management.png

the_rock
Legend

I agree, but, for testing, you can flip back and forth to see if it makes any difference. Cause, in the beginning, when I built R82 lab, I was using e1000e and was having hcp and some other issues, but as soon as I switched to vmxnet3, all worked fine.

Andy

fabionfsc
Contributor

At this moment I am already using VMXNET3 (SMS; GW all interfaces), unless I switch to E1000e and see the behavior. But in your post that I mentioned, you also had the same hcp problem.

the_rock
Legend

@fabionfsc Let's do remote if you are allowed to and possible, I'm sure we can figure this out...the hcp error I mean.

Andy

fabionfsc
Contributor

@the_rock Sure! I'll send you a PM.

the_rock
Legend

Just to update quick, Fabio @fabionfsc and I did a zoom meeting, we tried so many things, deleted all from hcp folder, then I sent him hcp folder from my working lab, we rebooted, hcp warning always stays there. I'm not 100% sure at this point what issue could be, as mgmt server does NOT show it, only the gateway.

@Naor_Nassi if you have any suggestions/ideas, please be free to share. I'm happy to test anything needed in my lab and truth be told, I don't care if it breaks, easy to spin up new one in the evening : - )

Andy

fabionfsc
Contributor

@the_rock Thank you for having a session with me and trying to resolve the HCP alert. I also have the R82 version in the lab (ESXi) but it has a public IP and is fully available on the Internet.

I also don't care if it breaks, and if you @Naor_Nassi have any script or something that we can do or test, we can do it right away, no problem at all

HCP2.png

HCP.png

the_rock
Legend

@fabionfsc If that lab has public access, are you willing to give me access? I'm happy to try and fix it on my own time. I sadly don't have a script for it, but I'm a very persistent dude, I don't give up easily on things : - )

Let me know.

Andy

fabionfsc
Contributor

Yes, I will send you the VPN access information in a private message.

the_rock
Legend

Sounds good, as soon as I get the info, will check it and see if we can fix the issue.

Andy

the_rock
Legend

@fabionfsc 

Thanks brother for sending me all the details. I am not giving up on fixing it, but had enough for tonight LOL

Anyway, I will try to see logically tomorrow WHY whenever you click to disable hcp and then go back, there is never enable option there, it always reverts back to disable.

Andy

fabionfsc
Contributor

I'm going to try right now to do a Fresh Install of R82, and a Migrate Import of my current Management, because all my database came from version R81.20, and I hadn't installed any R82 Jumbo Take before performing this Migrate Import.

So I'm going to create a new VM and install Take 40 Jaguar, and then do a Migrate Import, and see if the behavior is the same. Thank you @the_rock 

the_rock
Legend

Not a bad idea.

the_rock
Legend

@fabionfsc 

I am not giving up yet, but man, this is really peculiar, for the lack of the better word lol. I mean, how in the world can HCP be considered a blade?? Makes no logical sense, so first off, wording is totally wrong and 2nd of all, I even went as far as comparing the files in hcp dir on your end to mine, exactly the same.

Andy

Screenshot_1.png

the_rock
Legend

@fabionfsc 

Message me on whatsapp, let's connect there again, I think I found a way to do this, but since I lost access to the fw even when connected via ssl vpn, if you give me upload link, I will send you files you need to dump into below folder on your fw and then run script I indicated.

Andy

[Expert@R82-TEST-FW:0]# cd /var/log/AutoUpdater/metadata/HealthCheck_Point/hcp/hcp_AutoUpdate/73/product_scripts/
[Expert@R82-TEST-FW:0]# la
-bash: la: command not found
[Expert@R82-TEST-FW:0]# ls
backup hcp_post_verify_action.sh hcp_register.sh
hcp_log.sh hcp_pre_action.sh hcp_unregister.sh
hcp_post_action.sh hcp_pre_revert.sh
[Expert@R82-TEST-FW:0]#

 

[Expert@R82-TEST-FW:0]# ./hcp_unregister.sh
[LOG] - #####################################################
[LOG] - Start preremove script...
[LOG] - Set umask for this session...
[LOG] - 1. Check Dependent Packages
[LOG] - There are no packages dependent on:
[LOG] - HealthCheck Point.
[SUCCESS] - Finish running hcp_unregister.sh
[Expert@R82-TEST-FW:0]#

the_rock
Legend

@fabionfsc Man, I feel terrible I could not fix it for you, BUT, I am NOT giving up. I remember once customer asked me if I was willing to help them with something regarding Fortinet and it took me a week, but I fixed it, since TAC was not able to.

Now, this you can't open TAC case for, but don't despair, I made notes about what does NOT work, so will continue tomorrow, as I will have more time.

I will keep you posted on whatsapp : - )

Thanks again for being so kind to give me access to that lab, I appreciate it, you are a good dude.

Andy

fabionfsc
Contributor

@the_rock

I would like to thank you for all the support you have given me in resolving this alert. Yesterday I also spent until 3:40 AM trying to resolve this problem. I saw that there are some HCP folders that are in R81.20 but not in R82, something related to backup.

I also became aware of these register and unregister scripts. I ran them all, reinstalled the hcp package, and nothing...

As I said in our today's session, I have another installer for SmartConsole R82 Build 82.0.9800.550 (instead of 82.0.9800.850), and in this build, there is no option to Disable HealthCheck Alert, so I assume that the R&D team is aware of this problem.

All we can do at this point is wait for the next Take or the GA version. I've already racked my brains with this alert so much that for me, the normal alert now is this yellow alert. 🤣

the_rock
Legend

I'm sure we will figure something out my friend, some issues take longer : - )

the_rock
Legend

@fabionfsc 

Bro, I really feel I'm getting closer to solving this and here is why. I went to that dir /var/log/autoupdate/healthcheck something or other, then /product_scripts for hcp and ran EVERY single script and 2 of them showed there was folder missing called /hcp in /etc dir, so I copied it over from my R82 gateway and once I gave right permissions in /usr/bin for hcp, now hcp commands do work, so that's huge improvement, even though error is the same.

Anyway, I will check it again Tuesday, Now, I have to get some sleep, working on large Fortinet project, so need to be rested : - )

Best my friend.

Andy

the_rock
Legend

@fabionfsc 

So I examined the logs, and below is what I see brother. I think at this point, let's see if someone from CP can figure this out, as I feel like you and I tried everything humanly LOGICALLY possible 🤣🤣

Andy

Logs:

- Machine's configuration is 'Security Gateway'


This hotfix is only supported on Management machines
*N* %07-30 09:21:59% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:21:59% : Error for ngm_doctor:ngm_doctor_AutoUpdate:23:55 already reported, skipping.
*N* %07-30 09:21:59% : Metadata found for component sho
*E* %07-30 09:22:00% : DDR verification failed for metadata directory /var/log/AutoUpdater/metadata/SharedObjects/sho/dana_AutoUpdate/170/More info: The following results are not compatible with the package:

- Machine's configuration is 'Security Gateway'


This is a global conditions set
*N* %07-30 09:22:00% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:22:00% : Error for sho:dana_AutoUpdate:170:55 already reported, skipping.
*N* %07-30 09:22:00% : Metadata found for component tp_conf_mgmt
*E* %07-30 09:22:01% : DDR verification failed for metadata directory /var/log/AutoUpdater/metadata/itp/tp_conf_mgmt/GOT_TPCONF_MGMT_AutoUpdate/39/More info: The following results are not compatible with the package:

- Machine's configuration is 'Security Gateway'


This package is not supported on:
- Gateway Machines
- CP version prior to R80.40
*N* %07-30 09:22:01% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:22:01% : Error for tp_conf_mgmt:GOT_TPCONF_MGMT_AutoUpdate:39:55 already reported, skipping.
*N* %07-30 09:22:01% : Metadata found for component web_console
*E* %07-30 09:22:02% : DDR verification failed for metadata directory /var/log/AutoUpdater/metadata/mwc/web_console/webconsole_AutoUpdate/114/More info: The following results are not compatible with the package:

- Machine's configuration is 'Security Gateway'


This hotfix is only supported on Management based on versions R81 JHF take 57, R81.10 JHF take 33, R81.20 and above
*N* %07-30 09:22:02% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:22:02% : Error for web_console:webconsole_AutoUpdate:114:55 already reported, skipping.
*N* %07-30 09:22:02% : Installing all packages allowed in this maintenance window
*N* %07-30 09:44:58% : No package installed for hcp. Not reverting.
*N* %07-30 09:48:33% : No package installed for hcp. Not reverting.
*N* %07-30 10:04:16% : No package installed for hcp. Not reverting.
[Expert@Eternatus:0]#
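The AutoUpdater log quoted above is hard to read in the raw: each DDR failure spans several lines, the reason bullets come after the message, and the same error code repeats for every component. As an added example (not from the post and not Check Point's code), the following Python script parses a log of that shape into a per-component summary: which packages failed DDR verification, on which conditions, which error code was recorded, and for which components AutoUpdater reported no installed package. The embedded sample is a constructed excerpt modelled on the lines in the post; the line formats are the only thing it relies on.

```python
import re
from typing import Any, Dict, List

# Constructed sample: an excerpt shaped like the AutoUpdater log quoted in the post above.
SAMPLE_LOG = """\
*N* %07-30 09:21:59% : Metadata found for component sho
*E* %07-30 09:22:00% : DDR verification failed for metadata directory /var/log/AutoUpdater/metadata/SharedObjects/sho/dana_AutoUpdate/170/More info: The following results are not compatible with the package:

- Machine's configuration is 'Security Gateway'

This is a global conditions set
*N* %07-30 09:22:00% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:22:00% : Error for sho:dana_AutoUpdate:170:55 already reported, skipping.
*N* %07-30 09:22:00% : Metadata found for component tp_conf_mgmt
*E* %07-30 09:22:01% : DDR verification failed for metadata directory /var/log/AutoUpdater/metadata/itp/tp_conf_mgmt/GOT_TPCONF_MGMT_AutoUpdate/39/More info: The following results are not compatible with the package:

- Machine's configuration is 'Security Gateway'

This package is not supported on:
- Gateway Machines
- CP version prior to R80.40
*N* %07-30 09:22:01% : Adding event. Error code=55 Critical error code=0 External Error code=0
*N* %07-30 09:22:01% : Error for tp_conf_mgmt:GOT_TPCONF_MGMT_AutoUpdate:39:55 already reported, skipping.
*N* %07-30 09:22:02% : Installing all packages allowed in this maintenance window
*N* %07-30 09:44:58% : No package installed for hcp. Not reverting.
*N* %07-30 09:48:33% : No package installed for hcp. Not reverting.
"""

# One log entry: "*<level>* %<timestamp>% : <message>"
ENTRY_RE = re.compile(r"^\*(?P<level>[A-Z])\* %(?P<ts>[^%]+)% : (?P<msg>.*)$")
# Metadata dir is .../<area>/<component>/<package>/<build>, glued to "More info:"
DDR_RE = re.compile(r"DDR verification failed for metadata directory (?P<dir>\S+?)/More info: ")
ERR_RE = re.compile(r"Error for (?P<component>[^:]+):(?P<package>[^:]+):(?P<build>\d+):(?P<code>\d+) already reported")
NOPKG_RE = re.compile(r"No package installed for (?P<component>\S+)\. Not reverting\.")


def parse_autoupdater(text: str) -> List[Dict[str, Any]]:
    """Split the log into entries; non-empty lines that do not start a new
    entry (the reason bullets after a DDR failure) attach to the previous one."""
    entries: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw)
        if m:
            entries.append({"level": m["level"], "ts": m["ts"], "msg": m["msg"], "detail": []})
        elif raw.strip() and entries:
            entries[-1]["detail"].append(raw.strip())
    return entries


def summarize(entries: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Group DDR failures by component with the conditions that failed,
    collect the reported error code per component, and note components
    for which AutoUpdater found nothing installed to revert."""
    summary: Dict[str, Any] = {"ddr_failures": {}, "error_codes": {}, "not_installed": {}}
    for e in entries:
        m = DDR_RE.search(e["msg"])
        if m:
            parts = m["dir"].rstrip("/").split("/")
            component, package, build = parts[-3], parts[-2], parts[-1]
            summary["ddr_failures"][component] = {
                "package": package,
                "build": build,
                "ts": e["ts"],
                # "- ..." lines are the machine conditions the package rejected
                "conditions": [d for d in e["detail"] if d.startswith("- ")],
                # the remaining lines are the package's own explanation
                "note": " ".join(d for d in e["detail"] if not d.startswith("- ")),
            }
        m = ERR_RE.search(e["msg"])
        if m:
            summary["error_codes"][m["component"]] = int(m["code"])
        m = NOPKG_RE.search(e["msg"])
        if m:
            summary["not_installed"].setdefault(m["component"], []).append(e["ts"])
    return summary


if __name__ == "__main__":
    report = summarize(parse_autoupdater(SAMPLE_LOG))
    for comp, info in report["ddr_failures"].items():
        print(f"{comp}: {info['package']} build {info['build']} rejected on {info['conditions']} ({info['note']})")
    print("error codes:", report["error_codes"])
    print("nothing installed:", report["not_installed"])
```

Run on a real file with `summarize(parse_autoupdater(open(path).read()))`. On the sample it makes the pattern in the post visible at a glance: every rejected package is one whose conditions exclude a machine configured as a Security Gateway, and hcp itself shows up only as "no package installed", which is the line worth bringing to support.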

the_rock
Legend

Btw, I reached out to our local SE about this and was pretty much told that since it's EA, obviously TAC can't support it and it will most likely be fixed in GA. That's totally valid reasoning, just odd how come error is there and not on my lab, considering everything is EXACTLY THE SAME.

O well, some things in this life cant be explained, I guess : - )

Andy

the_rock
Legend

Just to update, I sent Fabio output of my R82 lab for df -h and he advised would rebuild the lab using the same settings, so fingers crossed it works for hcp, cause works fine on my end.

Andy


thumbnail_image.png

the_rock
Legend

@fabionfsc I believe you indicated all is good now after the rebuild? You just ended up using what I sent in df -h output, right?

Best,

Andy

fabionfsc
Contributor

@the_rock

No problem, today I woke up with a red HealthCheck alert on the Firewall, I rebooted and it came back with the yellow alert.
Honestly, we tried everything and it didn't work, I think it's a programming problem or something like that.
I asked for the output of the df -h command, because my Firewall/SMS has an NVMe controller instead of a standard SCSI controller, I thought that could be the problem, but it isn't.

Sem título.png

the_rock
Legend

@fabionfsc Man, that's disappointing : - (

O well, I think you are 100% right, we tried literally everything. Let's chat on whatsapp about something more fun than HCP, no offense haha

Andy

fabionfsc
Contributor

I also identified a problem with the External Interface on R82, which was experiencing a LOT of rx drops, which was impacting some HTTPS Inspection Inbound (packet drops) that I had configured.

I followed sk61922 but without success. I believe that this is the reason why R82 is not yet officially supported in virtualized environments. There may be some incompatibility with the virtualized NIC drivers (vmxnet3; e1000e, etc.) with this new R82 Kernel version.

I reinstalled my entire environment on R81.20, and everything is working perfectly, without any rx drops.

the_rock
Legend

@fabionfsc I had done lots more testing too brother. My whatsapp went quiet, no messages from you...just kidding, hehe.

Glad you got it working.

Andy

fly1ng_circus
Contributor

Attempting to test the dynamic layer feature, but the SK that is supposed to have the documentation, sk182252, doesn't seem to exist.

Arne_Boettger
Collaborator

Not all SKs are visible to the public. As far as I understand it, most SKs start to exist as an internal article, and once they are tested and verified to actually help some customers, they are made public.

fly1ng_circus
Contributor

Just seems strange that in the public/EA documentation they would reference an SK that either doesn't exist or is not publicly available.

PhoneBoy
Admin

In this case, sk182252 is internal because it's about a feature in an unreleased version.
However, you can get the most relevant parts of the documentation by reviewing the Gaia API docs on your own system.
See: https://mgmt-ip/gaia_docs/#web/set-dynamic-content~v1.8%20

Other relevant information:

Starting from R82, it is possible to configure Access Control rules directly on the Security Gateway with the Gaia API call "set-dynamic-content". This saves time and helps automate various tasks.

On the Management Server, you configure a new Policy Layer (and configure it as a Dynamic Layer). On the Security Gateway, this Dynamic Layer works as a container for all Access Control rules you configure with the Gaia API call "set-dynamic-content".
The rules you define for the relevant dynamic layer in SmartConsole are placeholders until you use the set-dynamic-content Gaia API to change the content.

fly1ng_circus
Contributor

^ this is what I was doing. However it seems that the dynamic layer is not making it to the gateways, as neither the set nor the show command recognize any dynamic layers on the gateway. I was hoping that I was missing a step somewhere but it seems like that may not be the case and something else may be wrong. Perhaps this is not working as expected in the EA?

PhoneBoy
Admin

A couple other notes from the internal SK:

  1. The dynamic layer can be either an Ordered or an Inline layer
  2. Only Firewall and App Control/URL Filtering blades are supported in Dynamic Layers
  3. The layer should have rules configured in it that apply prior to using set-dynamic-content using the Gaia (not management) API
  4. The Gaia API user must have adminRole configured to use set-dynamic-content

Other limitations:

  • VSNext Virtual Gateways not currently supported
  • Legacy VSX Virtual Systems / Routers are not supported
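
The two posts above describe the dynamic layer workflow (a placeholder layer defined in SmartConsole, content pushed with the Gaia API call `set-dynamic-content`) and its prerequisites (adminRole for the Gaia API user, rules present in the layer beforehand). Here is an added Python client that turns that exchange into runnable code; it is not Check Point's code and not from this thread. It relies on the Gaia REST API session convention (POST `/gaia_api/<version>/login` returning a `sid`, later calls carrying it in the `X-chkp-sid` header, then `logout`) and on the command names `set-dynamic-content` and `show-dynamic-content` mentioned in the thread. The request body keys (`layer-name`, `rules`) and the rule fields are assumed placeholders: take the real schema from `https://<gateway>/gaia_docs/` on your own system. The HTTP transport is injectable so the flow can be exercised without a gateway.

```python
"""Added example (not Check Point's code): Gaia REST API session flow for
pushing content into an R82 dynamic layer. Login/logout paths and the
X-chkp-sid header follow the Gaia API convention; the bodies sent to
show-/set-dynamic-content are an ASSUMED placeholder schema."""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

# transport(url, headers, body) -> decoded JSON reply; injectable for offline tests
Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def https_transport(verify_tls: bool = True) -> Transport:
    """POST JSON over HTTPS with urllib. verify_tls=False is only for lab
    gateways that still present a self-signed certificate."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.loads(resp.read().decode())

    return send


class GaiaApiSession:
    """Minimal Gaia API client: one login, the sid reused on every call, logout."""

    def __init__(self, gateway: str, transport: Transport, version: str = "v1.8"):
        # Versioned command URL, matching the docs link quoted in the thread (v1.8 assumed)
        self.base = f"https://{gateway}/gaia_api/{version}"
        self.transport = transport
        self.sid: Optional[str] = None
        self.audit: List[Tuple[str, Dict[str, Any]]] = []  # (command, body), a change record

    def _post(self, command: str, body: Dict[str, Any]) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid is not None:
            headers["X-chkp-sid"] = self.sid  # session token obtained at login
        self.audit.append((command, body))
        return self.transport(f"{self.base}/{command}", headers, body)

    def login(self, user: str, password: str) -> str:
        # Per the SK notes, this Gaia API user needs adminRole for set-dynamic-content
        reply = self._post("login", {"user": user, "password": password})
        self.sid = reply["sid"]
        return self.sid

    def logout(self) -> Dict[str, Any]:
        reply = self._post("logout", {})
        self.sid = None
        return reply

    def show_dynamic_content(self, layer: str) -> Dict[str, Any]:
        # "layer-name" is an assumed parameter name, not the documented one
        return self._post("show-dynamic-content", {"layer-name": layer})

    def set_dynamic_content(self, layer: str, rules: List[Dict[str, Any]]) -> Dict[str, Any]:
        # Rule fields below are assumed placeholders; reject incomplete rules before sending
        for rule in rules:
            for key in ("name", "source", "destination", "service", "action"):
                if key not in rule:
                    raise ValueError(f"rule {rule.get('name')!r} is missing {key!r}")
        return self._post("set-dynamic-content", {"layer-name": layer, "rules": rules})


def replace_layer_rules(session: GaiaApiSession, user: str, password: str,
                        layer: str, rules: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Full exchange: login, read the layer (fails early if the gateway does
    not know it, the symptom reported in the thread), push the rules, and
    always log out so no session is left open. Returns the set reply."""
    session.login(user, password)
    try:
        session.show_dynamic_content(layer)
        return session.set_dynamic_content(layer, rules)
    finally:
        session.logout()


if __name__ == "__main__":
    # Constructed sample: one containment rule against a placeholder gateway address
    sample_rules = [{"name": "drop-quarantined-host", "source": "192.0.2.10",
                     "destination": "Any", "service": "Any", "action": "Drop"}]
    gw = GaiaApiSession("192.0.2.1", https_transport(verify_tls=False))
    print(replace_layer_rules(gw, "admin", "CHANGE_ME", "DynamicLayer", sample_rules))
```

Keeping the transport separate from the session logic is what makes the exchange testable offline, and the `audit` list gives you a record of every command and body sent, which is what a change-control reviewer will ask for when rules are pushed to a gateway without going through Security Management.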

fly1ng_circus
Contributor

I have been playing with the dynamic layers now for a while since I got it working. I did notice that in the management API when the packages and policies are retrieved there is no field that shows this layer as a dynamic layer, so looking at the return from the management API it just appears like any other layer. In the actual release will there be a field that notes that these are dynamic layers?

PhoneBoy
Admin

According to the API documentation for R82, the show-access-layer API endpoint should include this indication (dynamic-layer: true).
Is this not happening for you @fly1ng_circus ?

RamGuy239
Advisor

Is there any information regarding VSnext and Maestro? The R82 documentation makes it seem like elasticXL and VSnext are directly intertwined. There is no VSnext without enabling elasticXL. elasticXL looks to be based on the same logic as Maestro/Scalable Platform. Does this mean VSnext will be supported by Maestro by default, or is this something that will happen down the line in R82.10 or something?

Would be interesting to know if VSnext is something to even consider to be an upcoming thing for Maestro VSX projects or not.

PhoneBoy
Admin

ElasticXL is basically Maestro without the external load balancer (i.e. the Orchestrator).
If it works with ElasticXL, it'll work with Maestro (and vice versa).
Likewise, you can expect the existing Maestro limitations to apply to ElasticXL as well. 
