Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
mhebert
Participant

R80.40 Inbound Inspection Issue - Client gets download file instead of site

We upgraded our environment from R80.30 to R80.40 this weekend.

 

After the upgrade, our inbound https inspection rule for our site stopped working. Instead of receiving the webpage, the client gets an error "Page cannot be reached" and get an automatic download of a file called "download" which contains the letter "D" as it's content.

 

We've tried rebuilding the rule, re-importing the certificate and so far no luck in making it work.

 

Is anyone aware of any changes in inspection for R80.40.... Is there anything I am missing?

 

It was pretty straighforward to make it work in R80.30. Not sure why it's failing here.

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

Have you opened a TAC case?

0 Kudos
mhebert
Participant

Hey, Yeah I have a case opened with TAC

I figured I'd ask the community in case someone had already experienced something similar and had the answer

0 Kudos
Alla_Krylova
Employee
Employee

Hi, was this issue resolved? Could you please share a case number or a solution?

Thanks

0 Kudos
mhebert
Participant

Hi,

Check Point has provided me with a hotfix that has fixed the issue. It will be released as part of one of the upcoming R80.40 jumbo. 

Everything is now working great.

Alla_Krylova
Employee
Employee

Hello Mhebert,

Good that it is solved the issue.

I would appreciate if you will share with me what was a hotfix / any identification of this fix or if you have information that it is included in the next Jumbo HF Take_83?

Thanks a lot!

0 Kudos
Alla_Krylova
Employee
Employee

sk169375.

This issue fixed in R81 and a fix will be integrated to the jumbo R80.40 soon.

G_W_Albrecht
Legend
Legend

I just have learned about the current status:

There is a project to integrate the hotfix into the next Jumbo, but right now it is only a development build. There is an available port for Jumbo Hotfix take 78 - a bit dated, but still should be usable.

By the way, there is also a workaround to Disable HTTP2 so that it behaves similar to R80.30 or lower:

# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 1

# fw fetch local

To re-enable HTTP2:

# ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 0

# fw fetch local

So Jumbo Hotfix take 78 and the HF fw1_wrapper_HOTFIX_R80_40_JHF_T78_810_MAIN_GA_FULL.tgz for sk169375 are the current solution apart from R81.

I hope it is correct to share this here - i will remove it if not 😎

0 Kudos