- CheckMates
- :
- Products
- :
- Quantum
- :
- Security Gateways
- :
- IA Captive Portal missing after upgrade to R80.40 ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IA Captive Portal missing after upgrade to R80.40 Take 91
Just wondering if anyone else has noticed or know something about Captive Portal totally missing in R80.40 T91?
Upgraded from R80.30 T111 using Blink to R80.40 T91 and portal content is totally gone, nothing in directories:
[Expert@fw1:0]# ls -l /opt/CPNacPortal/htdocs/nac/
total 4
drwxrwxr-x 2 admin root 4096 Feb 15 23:41 nacclients
Comparing to R80.30:
[Expert@fw1:0]# ls -l /opt/CPNacPortal/htdocs/nac/
total 140
drwxr-xr-x 4 admin root 4096 Mar 11 2019 3rdp
-rw-r--r-- 1 admin root 1176 Mar 11 2019 Access
-rw-r--r-- 1 admin root 654 Mar 11 2019 AgentConnected
-rw-r--r-- 1 admin root 671 Mar 11 2019 AgentDownload
-rw-r--r-- 1 admin root 779 Mar 11 2019 AgentSettings
-rw-r--r-- 1 admin root 417 Mar 11 2019 Agreement
-rw-r--r-- 1 admin root 794 Mar 11 2019 AgreementFrame
-rw-r--r-- 1 admin root 668 Mar 11 2019 AgreementText
-rw-r--r-- 1 admin root 0 Mar 11 2019 AuthNTLM
-rw-r--r-- 1 admin root 540 Mar 11 2019 Authentication
-rw-r--r-- 1 admin root 827 Mar 11 2019 GetAttributes
-rw-r--r-- 1 admin root 934 Mar 11 2019 GetStateAndView
-rw-r--r-- 1 admin root 532 Mar 11 2019 GetViewData
-rw-r--r-- 1 admin root 645 Mar 11 2019 KeepAlive
-rw-r--r-- 1 admin root 636 Mar 11 2019 Login
-rw-r--r-- 1 admin root 530 Mar 11 2019 LoginSettings
-rw-r--r-- 1 admin root 817 Mar 11 2019 Logoff
-rw-r--r-- 1 admin root 895 Mar 11 2019 PortalMain
-rw-r--r-- 1 admin root 35 Mar 11 2019 ROOT
-rw-r--r-- 1 admin root 532 Mar 11 2019 RSASettings
-rw-r--r-- 1 admin root 435 Mar 11 2019 Reset
-rw-r--r-- 1 admin root 681 Mar 11 2019 SkipAgentInstallation
-rw-r--r-- 1 admin root 615 Mar 11 2019 VerifyAgreement
drwxr-xr-x 2 admin root 4096 Mar 11 2019 css
drwxr-xr-x 2 admin root 4096 Mar 11 2019 html
drwxr-xr-x 2 admin root 4096 Jan 19 09:48 images
drwxr-xr-x 2 admin root 4096 Mar 11 2019 img
drwxr-xr-x 2 admin root 4096 Mar 11 2019 js
drwxrwxr-x 2 admin root 4096 Jan 10 2020 nacclients
-rw-r--r-- 1 admin root 9622 Mar 11 2019 saml
-rw-r--r-- 1 admin root 1697 Mar 11 2019 saml.js
lrwxrwxrwx 1 admin root 4 Jan 10 2020 samlerror -> saml
lrwxrwxrwx 1 admin root 4 Jan 10 2020 samllogout -> saml
lrwxrwxrwx 1 admin root 4 Jan 10 2020 samlspnegodone -> saml
drwxr-xr-x 2 admin root 4096 Mar 11 2019 transparent
drwxr-xr-x 2 admin root 4096 Mar 11 2019 viewManager
drwxr-xr-x 2 admin root 4096 Mar 11 2019 ws
Nor any running httpd processes for multiportal obviously.
Strangely enough it worked OK with VSX upgrade last year but we didn't use Blink and it was T78
@Royi_Priov could you have a quick look pls my friend? 🙂
- Tags:
- kz
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's confirmed now - upgrade using Blink image kills Captive Portal. If important, run upgrade to base R80.40 first and then install Txx manually.
I have upgraded one more cluster old school way and all is working with IA Captive Portal
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Kaspars_Zibarts - check sk170433 🙂
Let me know if it works
Royi Priov
R&D Group manager, Infinity Identity
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm afraid these are regular GWs not VSX 😞 I'll build a new VM in a lab and see if I can copy missing files accross
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually issue is somewhat similar to VSX - NAC portal creation obviously has failed during upgrade process. @Royi_Priov do you know if I can re-run nacportal_post_install.sh if I can find the nacportal.tgz archive somewhere? 🙂 seems like that script should copy files to correct locations and set correct soflinks and file attributes
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's confirmed now - upgrade using Blink image kills Captive Portal. If important, run upgrade to base R80.40 first and then install Txx manually.
I have upgraded one more cluster old school way and all is working with IA Captive Portal
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @Kaspars_Zibarts - I'm taking this offline to understand and resolve.
Royi Priov
R&D Group manager, Infinity Identity
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Finally managed to reverse engineer the process of restoring Captive Portal
1. Collect /opt/CPsuite-R80.40/fw1/nacportal/wrapper/* and /opt/CPNacPortal/* from a working firewall (or ask me), i.e.
tar cvzf portal.tgz /opt/CPsuite-R80.40/fw1/nacportal/wrapper/* /opt/CPNacPortal/*
2. Transfer archive to broken firewall and unpack it, but make sure you unpack it from root dir
tar xvzf portal.tgz
3. Run install script
/opt/CPsuite-R80.40/fw1/nacportal/wrapper/scripts/nacportal_post_install.sh
4. Check that multiportal is running
ps aux | grep multiportal
@Royi_Priov maybe R&D wants to publish an SK for it?...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
The same situation. After upgrade R80.10 to R80.40 blink Captive portal died. Thank you!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'd like to summarize the issue -
Captive portal is not loaded after upgrade or clean install using Blink to R80.40 Blink Take # 91/94 or R80.30 Blink Take # 228
There is a WA to solve the issue after the installation- please follow the procedure in sk172475.
The issue will be fixed in the upcoming Jumbo of R80.30 and R80.40.
For more information, please refer to sk172475.
Thanks,
Adi
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Great to have an SK! Thanks!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We had the same issue with Blink on ClusterXL R81.10 --> R81.20 T84. After the update, the captive portal was deleted.
We could change to another policy approach for this setup but it might be interesting to know in environments where it is mandatory.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Alex,
Please refer to https://support.checkpoint.com/results/sk/sk172324
Best regards,
Basel - Identity Solutions Team Leader
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It seems we have the same issue with R81.10 T169 blink image.
Firewall which is working fine:
# ls -l /opt/CPNacPortal
total 0
drwxr-xr-x 2 admin root 203 Oct 23 08:34 conf
drwxr-xr-x 2 admin root 6 Oct 1 2022 coredump
drwxr-xr-x 3 admin root 17 Jun 25 2021 htdocs
drwxrwxrwx 2 admin root 87 Nov 26 09:17 logs
drwxr-xr-x 11 admin root 176 Oct 1 2022 phpincs
drwxrwxrwx 2 admin root 6 Jun 25 2021 save1
drwxr-xr-x 2 admin root 81 Oct 1 2022 scripts
drwxrwxrwx 2 admin root 51 Nov 26 11:21 session
Firewall with the issue:
# ls -l /opt/CPNacPortal
total 0
drwxrwxr-x 3 admin root 17 Nov 1 09:30 htdocs
#
Considering that sk172475 is written for R80.30/R80.40, is the procedure still applicable for R81.10 (and R81.20)?
Thank you
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Netanel_Cohen do you guys want to check?
@Srdjan_B - I would open a TAC case just to be sure
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For my customer, these gateways are freshly reinstalled boxes and not in production yet, so I will revert them to factory defaults and start over (without blink). We don't want to risk anything, as they are going to be most important firewalls for this customer.