Tobias_Moritz
Advisor

Breaking IA change in R80.40 JHF T91 / R80.30 JHF T227 - sk170516

Very recently, sk170516 was published.

It is linked in R80.40 JHF T91 / R80.30 JHF T227

PRJ-18247, PRJ-18124 | Identity Awareness | NEW: Added Identity Sharing's performance and functionality improvements. Refer to sk170516.


sk170516 tells us that we need to clear the internal IA tables on all gateways after upgrading to JHFs that include these improvements:

We recommend to run the following command on all members of all clusters in the policy simultaneously and only after the Jumbo Hotfix upgrade was finished.
Running the following command will remove zombie entries from Identity Awareness kernel tables and will initiate a sync between all PDP and PEP Security Gateways.

Note: This procedure removes all identities that were learned, therefore perform it during the maintenance window.

The commands are the well-known ones that do a complete purge of all IA data.

This sounds like there was some breaking change done here which is just incompatible with the old internal data structure.

This can be a little challenging in the field, because usually in customers' environments not all gateways are updated during the same maintenance window.

I would really appreciate getting some clarification here about when to do this procedure and whether it is possible to mix old versions and new versions (regarding this change) in an Identity Sharing environment.

Example scenario:

  • GW1: PDP and PEP, R80.40 JHF T89 on SMS-1
  • GW2: PEP only, R80.30 JHF T226 on SMS-2 (foreign IA-Trust: sk65404)
  • GW3-n: PEP only, R80.40 JHF T89 on SMS-1
  • SMS-1: R80.40 JHF T89
  • SMS-2: R80.30 JHF T226

Now the customer wants to schedule different maintenance windows to update these boxes. What should we tell them?

  1. Not possible, because we have to update all of them at the same time.
  2. Possible, but we need to clear the tables after every update.
  3. Possible, but we need to clear the tables after update of GW2 (because only this one is a PDP).
  4. Some other.

Thank you for clarification 🙂

It would also be good to know what kind of "functionality improvements" were implemented here, but maybe Check Point does not want to disclose this.

7 Replies