Prashan_Attanay
Collaborator

Issues we faced after R77.30 update

Hi Team,

I would like to share one of my experiences here. Recently we updated our Check Point cluster from 77.20 to 77.30. It then worked fine for a few months.

Suddenly the cluster froze. We weren't able to get logs for specific time slots, because we restarted the affected firewall manually. According to the Check Point support engineer, we hadn't installed the hotfix to get core dumps. So in case you don't have core dumps, they won't be able to proceed further. So the support engineer guided us to install the new hotfix.

It was "Check_Point_R77_30_JUMBO_HF_1_Bundle_T286_FULL". Before installing that hotfix you need to install the latest Deployment Agent, "DeploymentAgent_000001298_1".

**Note - these packages need to be installed on all security management appliances and firewalls

Please find the steps as follows

Install process

Install the Deployment Agent (cpuse agent):

   1.   SSH to the machine.

   2.   [Expert@Hostname] # cd /home/admin

   3.   [Expert@Hostname] # tar -zxvf DeploymentAgent_000001298_1.tgz

   4.   [Expert@Hostname] # rpm -Uhv --force CPda-00-00.i386.rpm

Install the general availability Jumbo Hotfix Take 286:

   1.   Enter the WebUI of the machine.

   2.   Under 'Upgrades (CPUSE)' go to 'Status and Actions' page.

   3.   At the top right of the page press 'Import Package'.    

   4.   Browse for the - Check_Point_R77_30_JUMBO_HF_1_Bundle_T286_FULL.tgz file

After installing those packages you will have core dumps, but in my case I got another problem too. After installing those packages our virtual memory usage increased to around 80%; sometimes it increased to 90%.

So we again contacted the support engineer to solve this issue. He then suggested we install another hotfix to mitigate the high virtual memory usage.

hotfix - fw1_wrapper_HOTFIX_R77_30_JHF_T286_994_GA_FULL

**Note - This hotfix is only for firewalls

Please find the attachment for the memory difference.

Thank you all. Hope this will help at least a few people here.

5 Replies
PhoneBoy
Admin

Thanks for sharing your experience and the steps you took to resolve it.

Iain_King
Collaborator

Yeah,

I had to use this exact same process recently when upgrading a gateway from R77.10 to R77.30.. upgrade packages (CPUSE etc) were not successful until the new DA version was manually force-installed (rpm -Uvvh --force). I remember remarking on the fact that many checkpoint / network people are not unix literate and probably wouldn't be able to accomplish this without checkpoint support help.

If you require manual command line action and a support ticket to update the software on a relatively recent device.. something is amiss. Checkpoint has really struggled for over a decade with automated updates and package management and distribution, the stupid package registry and so on. If you're going to run your own O/S.. this is something that's very important and hard to do. Gaia is so old and antiquated that it's embarrassing how poorly it can be integrated.

We are in the days of ansible, puppet, docker, github and mature automated linux management.. yum, apt and so on are very mature and work exceptionally well. Writing your own package management system doesn't make a lot of sense.. it's never going to be as good as yum or apt.

When I was responsible for many gaia boxes (part of a group of teams handling large fleet / 5000 physicals), I was a strong advocate of dumping gaia and moving to redhat.

It's supported.. and at least then you have tshark, AD/SAM, tripwire, rootkit detectors and all the hundreds of supported automated administration and operations tools. Alas, I wasn't listened to then and I'm sure there are many boring checkpoint puritans on here with their blah blah blah 'supported' blah blah blah 'standards' blah blah blah hats on (and penny loafers, fedoras, sock suspenders and tweed jackets with the stupid elbow patches).

But that's my rant for the day.

Iain_King
Collaborator

Forgot to note, there's an sk for this:

Check Point Upgrade Service Engine (CPUSE) - Gaia Deployment Agent 

Hidden in there is the link for deployment agent rpm/packages etc.

Iain

Iain_King
Collaborator

And another thing..

If after installing the Deployment Agent.. the CPUSE / Status and Actions section gets stuck ('"Please wait while updating the Deployment Agent" pop-up is stuck in Gaia Portal after CPUSE Agent update'), despite the rpm -Uvvh --force finishing.. then run this:

"Please wait while updating the Deployment Agent" pop-up is stuck in Gaia Portal after CPUSE Agent u... 

Log in to Expert mode. 

Disable the notification for Gaia Portal that CPUSE self-update is in progress:

  1. [Expert@HostName:0]# dbset installer:self_update_in_progress

    [Expert@HostName:0]# dbset :save

Prashan_Attanay
Collaborator

Thanks Iain,

I forgot to mention that in my writing.
