Authority

Revisions Management in R80.x

There is a "tiny-not-a-lot-of-explanation" sk113615 about changes made between R77.x and R80.x.

And before you say Tim Hall - there was not a lot in the new book :)

Problem is that there are no automated means to control the number of versions you keep, so it keeps growing indefinitely (unless you remember to do a manual purge), and also you cannot turn it off even if you wanted to. Due to the complexity of the network (MDS with many CMAs plus a couple of VSX clusters and VSes stretching over multiple CMAs) I'd rather rely on good old MDS backup than revisions.

And now we have hit some wall where purge on MDS simply fails - it sits at stage 3/3 forever and eventually gets a "server restart" error.

I will raise an SR but it would be great to have a bit more insight into R80 revision management / troubleshooting.

I also wonder how much this will impact MDS backup size (as it has been growing like crazy)

19 Replies
Authority

Hej Tomer - as I mentioned, my problem is the "manual" handling. I'd rather see an option to say save only the last 20 revisions (or no revisions at all). Manual purge seems a very old-school approach, who has time for manual tasks these days :)

Also the fact it is failing now and there is no information available on how to troubleshoot it (where are more detailed logs, what processes etc). I really dislike raising SRs that just say "it does not work", I'd rather send in some useful information that we have checked this and that before whinging :)

0 Kudos
Reply

You are raising 2 things:

- Why is purge revisions manual: understood, and planned for our next releases. May I ask how many Management revisions you have at the moment? Also, the IPS revisions purge, which might have a larger impact on Management Server size, is automatic. (How can I control the size of my R80.10 Security Management Server?)

- Bug in purge which results in your inability to control the size of your security management server - SR is the way to go. Check Point Support should be able to investigate the root cause and prevent this from happening to others as well. I suppose export of the logs at $MDS_FWDIR/log/*.* should be enough for this case, but they may still ask for larger files. I agree with you - SRs are not fun, we definitely aim to give more self-help tools to our customers, but at the moment this issue seems to be unique at your end.

0 Kudos
Reply
Authority

We have 150+ revisions since last March there. That's visible on MDS level. Then on a busy CMA it's 1000+. And then it's nearly 20 CMAs..

Regarding IPS we should be OK as we have take 42.

SR on its way :) thanks for looking into it

0 Kudos
Reply

Please keep us in the loop (if you have time) and something new this look very interesting in a not funny way :)

0 Kudos
Reply
Champion

Hi Kaspars,

You are correct that there wasn't much in the new book about revision control as it is not directly related to gateway performance. Covering that would have opened a can of worms as far as documenting management procedures, SMS performance and such. There were a couple of areas where I diverged off from the book's main goal of gateway performance (such as how to properly do ClusterXL failovers and testing Access Control/Threat Prevention policies) but doing that too often would have caused the book to rapidly grow beyond a manageable point.

Still, I do have some detailed notes about all the ins and outs of sessions/revisions/reverting/installation history in R80+ that I present when teaching CCSA R80.10, will see if I can type that up into something presentable.

Edit: For future reference my revision control notes were rolled up into this guide: https://community.checkpoint.com/docs/DOC-2467-r80-change-control-a-visual-guide 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

0 Kudos
Reply
Authority

Already liked and downloaded Tomer!

0 Kudos
Reply
Authority

I was just pulling your leg of course since your book comes up in every second post Tim (I bought it!) :) but I would be really grateful if you could share some info! Still a lot to learn with R80..

0 Kudos
Reply
Employee

Sounds like an opportunity for another book for you!

0 Kudos
Reply
Employee

AZW-730-61299 - Schedule automatic purge of revision DB

RFE should be in progress since last year.

Best

Joe

0 Kudos
Reply
Employee Alumnus

We have added a new Management API command to automate purging of database revisions (published sessions).

It should be available in the upcoming R80.20 GA release.

Robert.

It is there :)

From an audit point of view, it would be better to choose "sessions-older-than-days" ... Simply say that delete all sessions older than XY days. For example delete all sessions older than 3 months.

I know that it can be done using "date" and after that the "preserve-to-date" argument ... just an idea how to tune this command :)

And the argument to be used at the moment for "preserve-to-date" will be the output of the following:

date --iso-8601=seconds -d "-3 months"

It will print the date exactly 3 months ago in ISO 8601 format.

Kind regards,
Jozko Mrkvicka
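
Added example (not part of the thread and not Check Point code): a dry-run wrapper that turns the "older than N days" idea above into a preserve-to-date value and refuses cutoffs below a retention floor, since a purge also removes revision history an auditor may need. Assumptions: the thread does not name the API command, so `purge-published-sessions` is assumed to be the one meant; `mgmt_cli -r true -d <domain>` is run locally on the MDS; `MIN_RETENTION_DAYS` and the domain names are constructed; GNU date is required.

```shell
#!/bin/sh
# "Purge sessions older than N days" built on preserve-to-date (dry run: prints commands).
# Assumptions: purge-published-sessions is the API call meant in the thread;
# MIN_RETENTION_DAYS is a hypothetical audit floor; requires GNU date.
MIN_RETENTION_DAYS=30

# cutoff_date DAYS [NOW_EPOCH] -> ISO 8601 UTC timestamp DAYS before NOW_EPOCH
cutoff_date() {
    days=$1
    now=${2:-$(date +%s)}
    case "$days" in
        ''|*[!0-9]*) echo "days must be a whole number" >&2; return 2 ;;
    esac
    if [ "$days" -lt "$MIN_RETENTION_DAYS" ]; then
        echo "refusing: $days days is below the ${MIN_RETENTION_DAYS}-day floor" >&2
        return 3
    fi
    # Epoch arithmetic avoids GNU date's ambiguous parsing of "-N days" after a time
    date -u --iso-8601=seconds -d "@$((now - days * 86400))"
}

# purge_command DAYS DOMAIN [NOW_EPOCH] -> one mgmt_cli line for that domain
purge_command() {
    # Reject anything that could break out of the quoted domain argument
    case "$2" in
        ''|*[!A-Za-z0-9_.-]*) echo "unexpected domain name: $2" >&2; return 2 ;;
    esac
    cutoff=$(cutoff_date "$1" "$3") || return $?
    printf 'mgmt_cli -r true -d "%s" purge-published-sessions preserve-to-date "%s"\n' \
        "$2" "$cutoff"
}

# Constructed domain names; replace with the domains on your own MDS.
for dom in CMA_Example_1 CMA_Example_2; do
    purge_command 90 "$dom"
done
```

Review the printed lines before running them from a scheduled job, and take an MDS backup first if the purged revisions may still be needed.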
Employee

Hi all,

I'm Ran and I'm a manager in the R&D of Check Point, responsible for I/S in the Management Server, specifically Revisions.

I would like to raise the awareness again to the above API.

It is available since version R80.20 GA and can be used easily to implement a scheduled automatic Purge in your environment.

Note that it is important to use Purge once in a while, to keep your Management size small, both for better disk space usage and better general performance of the Management.

Employee

Hi all,

I'm happy to update that we are in the last phase of developing a new "automatic purge" API.
Our target is to include it in one of the next Jumbo HFs for versions R80.20, R80.30 and R80.40.

If any of you would like to deploy and use it before it is officially released, please send me an email with your environment details, specifically which version you are using and we will prepare this private HF on top of it for you.


Thanks,
Ran

 

Contributor

Will this be included as a feature in the GUI or CLI?

0 Kudos
Reply
Employee

Hi,

For a start the feature will be available from the API only (no GUI).

Thanks,
Ran 

0 Kudos
Reply
Participant

I see this new ability was just added to jumbo 217 for 80.30. How is this accomplished based on user configuration?

0 Kudos
Reply
Contributor

I saw the new API allows this, I guess there should be a conf file as well.

But please be aware that you can purge away, but 'object deletes' from revision sessions are not deleted.

Please see sk166555 which is still not integrated in JHF.

It took us a while to find this, and we were happy to lose the 250.000 stale entries in the db....

/Henrik

0 Kudos
Reply