This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LeeBingKang
Advisor
‎2023-08-01 07:46 PM
Jump to solution

Question regarding RMA a firewall that diagnostic tool show all OK

Hi all,

 

Recently, I had a client faced an issue whereby one of their FULL HA firewalls suddenly hangs and this issue happened more than 2 times within few months.

 

The 1st hang is on around 30 May 2023 and the firewall is working fine as usual after reboot. Meanwhile, we do hardware diagnostic via command "diagMain" and found out the diagnostic result show OK. With that, we opened a case with TAC on this and TAC suggested to install the latest recommended Jumbo Hotfix (take 197) as it resolves some memnory related issues. After that, we installed the Jumbo Hotfix take 197 on both FULL HA firewall member successfully on 22 July 2023.

 

The 2nd hang is on 1/8/2023 and this hang happened on the same firewall when it acts as active firewall and management (since 22 July 2023). The firewall is booted up after a reboot and the diagnostic result (via command diagMain) also show all OK. However, we monitor it more than 30 minutes and aware that its CPU utilization is inconsistent (somehow will reach more than 100% for Java process). Moreover, we tried to move the active management 

 

Hence, I would like seek all of your advice whereby is this hang happened more than 2 times within these few months can become the reason to do RMA?

 

Thank you.

 

 

 

0 Kudos
41 Replies
the_rock
Legend
Legend
‎2023-09-06 05:08 AM
In response to LeeBingKang
Jump to solution

Keep us posted how it goes.

Andy

0 Kudos
LeeBingKang
Advisor
‎2023-09-29 01:23 AM
In response to the_rock
Jump to solution

Here is the update on this matter after few weeks... the RMA still in the progress.....

 

However, the problematic firewall is up and running until now under the condition that it is act as active management server only.

 

Its consider weird for me. I will update again if any.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-09-29 02:15 AM
In response to LeeBingKang
Jump to solution

This is what i  found as a best practice with Management HA - active node that takes all the load is secondary Management only, Standby node is primary management. But i rather do not suggest this kind of deployment at all...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LeeBingKang
Advisor
‎2023-09-29 02:26 AM
In response to G_W_Albrecht
Jump to solution

I'm agree with the best practice mentioned in your post (split active modules (firewall and management) to both members).

 

However, there is a scenario (FULL HA enabled remote access blade with "certificate + username password" authentication method) where we can't split it.

 

It is because of the user vpn certificate renewal required the active management and firewall are in the same firewall member. 

0 Kudos
the_rock
Legend
Legend
‎2023-09-29 03:15 AM
In response to LeeBingKang
Jump to solution

Full HA...whenever I think of it, reminds me of those things in life that when they work well, its heaven, but when they do break, to say its a nightmare would be an understatement of the century lol

Anyway, when you say RMA is in progress, you are still waiting for new appliance?

Andy

0 Kudos
LeeBingKang
Advisor
‎2023-10-31 03:46 AM
In response to the_rock
Jump to solution

The new appliance just arrived today and we are doing configuration on the firewall and find a suitable date to do the replacement.

LeeBingKang
Advisor
‎2023-11-05 05:29 PM
In response to the_rock
Jump to solution

The RMA unit replaced on 4/11/2023, 12am (Malaysia time), Meanwhile, the new unit become active on both firewall and management module. We will monitor for 2 weeks start from now to ensure everything is fine.

0 Kudos
LeeBingKang
Advisor
‎2023-11-15 08:29 PM
In response to LeeBingKang
Jump to solution

It is almost 2 weeks and the new device is working fine with active status on both modules (firewall and management).

 

Looks like RMA is the solution for this matter.

0 Kudos
LeeBingKang
Advisor
‎2024-01-18 12:14 AM
In response to LeeBingKang
Jump to solution

Dear All,

 

Latest update here whereby the firewalls are working after RMA (round 3 months).

 

Hence, I believe RMA is the solution for this kind of issue.

 

Please give comments if you guys have any.

 

Thank you.

the_rock
Legend
Legend
‎2024-01-18 04:47 AM
In response to LeeBingKang
Jump to solution

Sounds like that would be the case, glad its fixed.

Andy

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-09-29 05:19 AM
In response to LeeBingKang
Jump to solution

A user vpn certificate renewal happens every couple of years only - it is CRL on active SMS that causes an issue. You can disable that as internal certs are not rewoked.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top