This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CP_SA
Participant
3 weeks ago

Message Banner Not Functioning - SMB - R81.10.10

Good Afternoon - I have another weird one I am hoping someone may have some insight regarding.

We upgraded a group of 1570s from R81.10.08 to R81.10.10 and lost our message banner - revert to .08 and the banner returns.

The syntax used seems to have changed  - which is ultimately not an issue - but the banner will not present on .10.  It is there when you do a < show configuration > and there if you do a < show message type banner >, and it is present in the /etc/issue file. *But it does not show up. There does not seem to be a way to stop/start the sshd services in Embedded GAIA , similar to GAIA - (we cannot even access /etc/ssh). We tried rebooting, factory defaults/ clean installs, etc - and we tried 3-4 different units. In .08 we just configure from Clish with the set commands and it presents at next login.

Anybody got any tricks?

Example R81.10.08

set message banner msgvalue "Test Banner for R81.10.08" on
set message banner msgvalue "Used Only for Testing 4-24-2025" line on

to

Example R81.10.10

set message type banner msgvalue "Test Banner for R81.10.10" on
set message type banner line msgvalue "Used Only for Testing 4-24-2025" line on

 

< show configuration >

# Message for the SSH and serial login
set message type "banner" "on" msgvalue "Test Banner for R81.10.10
Used Only for Testing 4-24-2025
"

< show message type banner >

FWSMB1570> show message type banner
msgvalue: Test Banner for R81.10.10
Used Only for Testing 4-24-2025

status: true

0 Kudos
9 Replies
Chris_Atkinson
Employee Employee
Employee
3 weeks ago

Which specific build of R81.10.10 is used , have you tested the more recent R81.10.15 / 17 for the same behavior?

https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/set-message-type-banner.htm

CCSM R77/R80/ELITE
0 Kudos
CP_SA
Participant
3 weeks ago
In response to Chris_Atkinson

Build 993

Current image name: R81_996002993_10_10
Current image version: 993
Previous image name: <Undefined>
Previous image version: <Undefined>
Default image name: R81_996002993_10_10

Default image version: 993
Bootloader version: 992000129
HW version: 110

 

Same result - the syntax in your link works - also tabs out exactly the same - we even tried just cut and pasting - that works too. Shows as expected in < show message type banner >, as well as in the < show configuration > = just does not show up at login.

I also tried the syntax for versions below 945 -- We have not tried .17 yet.

 

0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to CP_SA

I would definitely open TAC case for this.

Andy

0 Kudos
CP_SA
Participant
Thursday
In response to CP_SA

Just in case anyone else runs into this problem, i hope not, here is what we came up with - and it is weird.

TAC confirmed the issue on our systems - they said they were unable to recreate the issue in their lab - and that was then end of that.

We ended up testing on another dozen 1555/1570's - straight out of the plastic. Our normal process is to do a clean install prior to deployment - and that is what we did with an initial group of 20. They came with R81.10.10_945 -- we pulled down a new image and did the clean install. You can see in thread that it was R81.10.10_993 - since that is what is presented as GA. No matter what we did/ tried with those 20 the banner would not show up when connected via SSH (*but it would when connected to the console port). We tried upgrades to R81.10.15, R81.10.17, clean installs to R81.10.15/ R81.10.17 - nothing.

But, then we had success when we upgraded from a new one -  R81.10.10_945 to .17?! A clean install from R81.10.10_945 to .17 also worked. *But NOTHING worked if _993 was ever present on the gateway?! Even with the clean installs to other latest versions.

Here is the weirdest part - we did a clean install BACK to R81.10.10_945 on the original 20 - and they worked. We tested clean install to .15 and .17, as well as upgrades and roll backs - all worked.  If _993 was ever on the gateway it would not work as is and would not work with any upgrades or clean installs moving forward.

And now we are going to hold off on the entire project for a while - see if .17 or something else goes GA.

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
yesterday
In response to CP_SA

TAC often is unable to replicate the issue in their lab as they do not use SMB hardware but VMs for testing. Sometimes this makes much difference...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend
yesterday
In response to CP_SA

1. So you write:

But NOTHING worked if _993 was ever present on the gateway?! Even with the clean installs to other latest versions.

2. Then:

we did a clean install BACK to R81.10.10_945 on the original 20 - and they worked. We tested clean install to .15 and .17, as well as upgrades and roll backs - all worked.

3. Finally again:

If _993 was ever on the gateway it would not work as is and would not work with any upgrades or clean installs moving forward.

So either 1. and 3. is true or 2. ! As the first batch of twenty has been freed of the issue i would think 2. is the solution, clean firmware install from USBv!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
CP_SA
Participant
yesterday
In response to G_W_Albrecht

Correct - i went of the rails a little because of all the things we tried!

#2 is correct - but it has to be from a starting point of 945.

Here is the salient part: "...would not work with any upgrades or clean installs moving forward." -- [ Moving Forward] -- we would have thought that doing clean installs to 15 or 17 from 993 would have done trick - apparently not as clean as expected.

 

 

0 Kudos
the_rock
Legend
Legend
yesterday
In response to CP_SA

Sounds like you put a lot of work into testing that...amazing job. To me, logically, appears to be version related, but hard to be 100% sure.

Andy

0 Kudos
PhoneBoy
Admin
Admin
3 weeks ago

Best bet is to involve TAC here

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 20 May 2025 @ 11:30 AM (PDT)

    Las Vegas: Check Point Hybrid Mesh
    In-Person

    Wed 21 May 2025 @ 11:30 AM (MST)

    Tempe, AZ: Check Point Hybrid Mesh
    In-Person

    Tue 03 Jun 2025 @ 09:00 AM (CEST)

    CheckMates LIve France - Workshop Check Point Quantum
    In-Person

    Tue 03 Jun 2025 @ 06:00 PM (EDT)

    Montreal: CPX Recap
    In-Person

    Tue 10 Jun 2025 @ 06:00 PM (EDT)

    Quebec City: CPX Recap
    CheckMates Events