Solved: Re: IA Captive Portal missing after upgrade to R80...

Kaspars_Zibarts · ‎2021-02-16

Just wondering if anyone else has noticed or know something about Captive Portal totally missing in R80.40 T91?

Upgraded from R80.30 T111 using Blink to R80.40 T91 and portal content is totally gone, nothing in directories:

[Expert@fw1:0]# ls -l /opt/CPNacPortal/htdocs/nac/
total 4
drwxrwxr-x 2 admin root 4096 Feb 15 23:41 nacclients

Comparing to R80.30:

[Expert@fw1:0]# ls -l /opt/CPNacPortal/htdocs/nac/
total 140
drwxr-xr-x 4 admin root 4096 Mar 11  2019 3rdp
-rw-r--r-- 1 admin root 1176 Mar 11  2019 Access
-rw-r--r-- 1 admin root  654 Mar 11  2019 AgentConnected
-rw-r--r-- 1 admin root  671 Mar 11  2019 AgentDownload
-rw-r--r-- 1 admin root  779 Mar 11  2019 AgentSettings
-rw-r--r-- 1 admin root  417 Mar 11  2019 Agreement
-rw-r--r-- 1 admin root  794 Mar 11  2019 AgreementFrame
-rw-r--r-- 1 admin root  668 Mar 11  2019 AgreementText
-rw-r--r-- 1 admin root    0 Mar 11  2019 AuthNTLM
-rw-r--r-- 1 admin root  540 Mar 11  2019 Authentication
-rw-r--r-- 1 admin root  827 Mar 11  2019 GetAttributes
-rw-r--r-- 1 admin root  934 Mar 11  2019 GetStateAndView
-rw-r--r-- 1 admin root  532 Mar 11  2019 GetViewData
-rw-r--r-- 1 admin root  645 Mar 11  2019 KeepAlive
-rw-r--r-- 1 admin root  636 Mar 11  2019 Login
-rw-r--r-- 1 admin root  530 Mar 11  2019 LoginSettings
-rw-r--r-- 1 admin root  817 Mar 11  2019 Logoff
-rw-r--r-- 1 admin root  895 Mar 11  2019 PortalMain
-rw-r--r-- 1 admin root   35 Mar 11  2019 ROOT
-rw-r--r-- 1 admin root  532 Mar 11  2019 RSASettings
-rw-r--r-- 1 admin root  435 Mar 11  2019 Reset
-rw-r--r-- 1 admin root  681 Mar 11  2019 SkipAgentInstallation
-rw-r--r-- 1 admin root  615 Mar 11  2019 VerifyAgreement
drwxr-xr-x 2 admin root 4096 Mar 11  2019 css
drwxr-xr-x 2 admin root 4096 Mar 11  2019 html
drwxr-xr-x 2 admin root 4096 Jan 19 09:48 images
drwxr-xr-x 2 admin root 4096 Mar 11  2019 img
drwxr-xr-x 2 admin root 4096 Mar 11  2019 js
drwxrwxr-x 2 admin root 4096 Jan 10  2020 nacclients
-rw-r--r-- 1 admin root 9622 Mar 11  2019 saml
-rw-r--r-- 1 admin root 1697 Mar 11  2019 saml.js
lrwxrwxrwx 1 admin root    4 Jan 10  2020 samlerror -> saml
lrwxrwxrwx 1 admin root    4 Jan 10  2020 samllogout -> saml
lrwxrwxrwx 1 admin root    4 Jan 10  2020 samlspnegodone -> saml
drwxr-xr-x 2 admin root 4096 Mar 11  2019 transparent
drwxr-xr-x 2 admin root 4096 Mar 11  2019 viewManager
drwxr-xr-x 2 admin root 4096 Mar 11  2019 ws

Nor any running httpd processes for multiportal obviously.

Strangely enough it worked OK with VSX upgrade last year but we didn't use Blink and it was T78

@Royi_Priov could you have a quick look pls my friend? 🙂

Kaspars_Zibarts · ‎2021-02-18

It's confirmed now - upgrade using Blink image kills Captive Portal. If important, run upgrade to base R80.40 first and then install Txx manually.

I have upgraded one more cluster old school way and all is working with IA Captive Portal

View solution in original post

Royi_Priov · ‎2021-02-16

Hi @Kaspars_Zibarts - check sk170433 🙂

Let me know if it works

Thanks,
Royi Priov
R&D Group manager, Infinity Identity

Kaspars_Zibarts · ‎2021-02-16

I'm afraid these are regular GWs not VSX 😞 I'll build a new VM in a lab and see if I can copy missing files accross

Kaspars_Zibarts · ‎2021-02-16

Actually issue is somewhat similar to VSX - NAC portal creation obviously has failed during upgrade process. @Royi_Priov do you know if I can re-run nacportal_post_install.sh if I can find the nacportal.tgz archive somewhere? 🙂 seems like that script should copy files to correct locations and set correct soflinks and file attributes

Kaspars_Zibarts · ‎2021-02-18

It's confirmed now - upgrade using Blink image kills Captive Portal. If important, run upgrade to base R80.40 first and then install Txx manually.

I have upgraded one more cluster old school way and all is working with IA Captive Portal

Royi_Priov · ‎2021-02-18

Thanks @Kaspars_Zibarts - I'm taking this offline to understand and resolve.

Thanks,
Royi Priov
R&D Group manager, Infinity Identity

Kaspars_Zibarts · ‎2021-02-25

Finally managed to reverse engineer the process of restoring Captive Portal

1. Collect /opt/CPsuite-R80.40/fw1/nacportal/wrapper/* and /opt/CPNacPortal/* from a working firewall (or ask me), i.e.

tar cvzf portal.tgz /opt/CPsuite-R80.40/fw1/nacportal/wrapper/* /opt/CPNacPortal/*

2. Transfer archive to broken firewall and unpack it, but make sure you unpack it from root dir

tar xvzf portal.tgz

3. Run install script

/opt/CPsuite-R80.40/fw1/nacportal/wrapper/scripts/nacportal_post_install.sh

4. Check that multiportal is running

ps aux | grep multiportal

@Royi_Priov maybe R&D wants to publish an SK for it?...

Urri · ‎2021-03-02

Hello all,

The same situation. After upgrade R80.10 to R80.40 blink Captive portal died. Thank you!

Adi_Babai · ‎2021-03-15

Hi,

I'd like to summarize the issue -

Captive portal is not loaded after upgrade or clean install using Blink to R80.40 Blink Take # 91/94 or R80.30 Blink Take # 228

There is a WA to solve the issue after the installation- please follow the procedure in sk172475.

The issue will be fixed in the upcoming Jumbo of R80.30 and R80.40.

For more information, please refer to sk172475.

Thanks,

Adi

Kaspars_Zibarts · ‎2021-03-16

Great to have an SK! Thanks!

Alex- · ‎2024-10-22

We had the same issue with Blink on ClusterXL R81.10 --> R81.20 T84. After the update, the captive portal was deleted.

We could change to another policy approach for this setup but it might be interesting to know in environments where it is mandatory.

basels1 · ‎2024-12-16

Hi Alex,

Please refer to https://support.checkpoint.com/results/sk/sk172324

Best regards,

Basel - Identity Solutions Team Leader

Srdjan_B · ‎2024-11-26

It seems we have the same issue with R81.10 T169 blink image.

Firewall which is working fine:

# ls -l /opt/CPNacPortal
total 0
drwxr-xr-x 2 admin root 203 Oct 23 08:34 conf
drwxr-xr-x 2 admin root 6 Oct 1 2022 coredump
drwxr-xr-x 3 admin root 17 Jun 25 2021 htdocs
drwxrwxrwx 2 admin root 87 Nov 26 09:17 logs
drwxr-xr-x 11 admin root 176 Oct 1 2022 phpincs
drwxrwxrwx 2 admin root 6 Jun 25 2021 save1
drwxr-xr-x 2 admin root 81 Oct 1 2022 scripts
drwxrwxrwx 2 admin root 51 Nov 26 11:21 session

Firewall with the issue:

# ls -l /opt/CPNacPortal
total 0
drwxrwxr-x 3 admin root 17 Nov  1 09:30 htdocs
#

Considering that sk172475 is written for R80.30/R80.40, is the procedure still applicable for R81.10 (and R81.20)?

Thank you

Kaspars_Zibarts · ‎2024-11-26

@Netanel_Cohen do you guys want to check?

@Srdjan_B - I would open a TAC case just to be sure

Srdjan_B · ‎2024-11-27

For my customer, these gateways are freshly reinstalled boxes and not in production yet, so I will revert them to factory defaults and start over (without blink). We don't want to risk anything, as they are going to be most important firewalls for this customer.

Are you a member of CheckMates?

IA Captive Portal missing after upgrade to R80.40 Take 91