This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
cosmos
Advisor
‎2023-03-21 06:00 PM

SmartConsole Responsiveness / stability

I've posted about this before, want to know if I am alone or Check Point have acknowledged these issues and addressed the root cause(s).

Unfortunately many environments I'm tasked with either maintaining or upgrading are still on R80.40, some still on 77.30 with extended maintenance. I realise these are old versions but have seen similar behaviour in R81.10 so it appears these issues follow the product upgrades...

  1. Console unresponsive
    1. During normal operations (e.g. opening a gateway, opening a new policy, switching tabs) the console takes its sweet time and often becomes unresponsive, with either a spinning wheel or entire window washout
    2. If an admin clicks on the console while this happens, one of two things will happen
      1. Windows will report the application is unresponsive and ask to wait or kill (waiting usually works)
      2. The console exits immediately with no error
    3. When in full screen, the app window will expand and take the entire screen (including taskbar) rendering the machine running the app unusable while the console is thinking...
    4. This is probably my biggest gripe and I echo my customer's concerns
      1. I've heard some quietly say "please don't crash" while they perform a normal function even in an R81 console
      2. This aligns with my theory you must get out of bed on the right side, or the planets must be aligned before you even think about doing ugprades
      3. I get this consistently in 81.10.9600.410 on opening a specific gateway's topology
  2. Console steals focus from other applications
    1. There is no need to explain, it just shouldn't happen
  3. Inconsistent policy / object searches
    1. Searches in policy for matching say src & dst IP are wildly inconsistent - at times the search won't display rules where the IPs are used in objects in groups in those rules
    2. Partial searches for objects containing a string in the sidebar and Object Explorer don't yield objects names that contain the search string
  4. Impossible to sort Gateways by clusters & members in the Policy Installation window once the sort order is changed
    1. This seems to have been fixed in recent builds both R80 and 81
  5. Policy installation process takes a while to appear in task list, at times when it is nearly complete
    1. As if what the console is drawing is read from a table in a database that hasn't updated yet...
  6. No consistency with window behaviour
    1. Some windows allow you to click on the console window behind it, which can lead to all sorts of issues if you make changes, other windows prevent you from doing so
    2. Case in point: when clicking outside a VSX operation window, the publish did not complete and left the VS on the VSX gateway but no object in the CMA

These functionality issues are not new, and make using the console a frustrating experience. To get these issues addressed by TAC is painful especially when they are blocking or delaying normal operations - it's not the responsibility of the customer. While some of these issues may be a result of very old databases that have been subject to multiple upgrades over decades, others (focus stealing, crashing) have persisted throughout several generations of console.

(1)
11 Replies
the_rock
Legend
Legend
‎2023-03-21 06:33 PM

I can only speak for myself here and share my own experience. I read your post very carefully and I totally see where you are coming from. I experienced very similar issues in literally EVERY version of smart console, starting from R80.10.

Now, it gets better when there is smart console update, but sadly, its not constant. 

Finally, ever since I had been testing brand new R81.20 smart console, had not seen this problem in 4 months, so fingers crossed, thats a positive sign. Not sure if anyone is running R81.20 in production, maybe they can share their own experience.

I truly hope that one day, web smart console will have same capabilities as standalone client, because every time I used it, its been very responsive.

Thats my honest feedback.

Andy

PhoneBoy
Admin
Admin
‎2023-03-21 08:36 PM

I believe a lot of the issues you’re describing are related to gateway objects of all kinds, all of which use legacy APIs to varying degrees.
This is also why web-based SmartConsole doesn’t offer certain functionality (yet).
Major changes are expected in R82 in all these areas.

Tomer_Noy
Employee
Employee
‎2023-03-23 05:27 AM

Hi,

I wanted to provide more feedback on these issues.
Warning: this is a bit long 😉

How do we release fixes to various versions?

In general, we have made many quality fixes over the past few years, both in SmartConsole (UI) and the Management server. I believe that the quality has greatly improved, especially when looking at R81.10 and above.

Some fixes originate from issues reported from the field. These fixes are delivered to a server JHF or a new SmartConsole build. When possible, and depending on the severity of the issue, we also try to deliver them to JHFs of previous versions. 
Many other fixes are handled during our new version development (such as the recently released R81.20). These fixes originate from QA or a backlog of items that we've wanted to handle for a while. Since a new release includes a lot of content and rigorous testing, we feel comfortable to include hundreds of fixes there. Based on the severity and frequency of an issue, we also consider each fix as a candidate for earlier versions. Dozens of fixes are ported to JHFs or SmartConsole builds through this flow.

However, there are also many fixes that do not get ported back, due to considerations of severity, effort and risk.

Due to the above, over time existing versions will get many fixes, but it is possible that a newer version will have even more fixes, especially around cosmetic (which may still be annoying) and infrequently occurring issues.

Importance of running the latest code

Starting from R81, SmartConsole will automatically update if your desktop has an internet connection. Due to Windows permissions, you will get a prompt and need to authorize the update. Note that the update happens in the background into a new sub directory, so you can keep working and relaunch when you are ready.

I noticed that you are using an older R81.10 SmartConsole build, so you are not getting the latest fixes.

For the best experience, it's also very important to install the latest JHF on your management. From this post, we can't tell how updated your environments are.
Many issues that manifest in the UI are actually rooted in the server. The latest JHF includes many fixes that will improve your experience. For example, freezes to the UI are sometimes caused by a bug in the server side that returns a delayed response or an unexpected error.

You mentioned that you are using multiple environments and versions. It's best to upgrade all at least to R81.10, but definitely make sure all are running with the latest recommended SmartConsole build and latest server-side JHF on the Management.
BTW, there is no dependency between client build and server build, so you can update one without the other, or in whatever order you choose.

Environmental considerations

A management server or desktop client running SmartConsole might behave poorly if it doesn't have enough resources. We've seen many cases of clients not having enough RAM, or even graphics cards that have old drivers or too little memory that caused SmartConsole issues.

Also, a good network connection between the SmartConsole client and the Management server is also important. Very high latency (over 250ms) may give a poorer experience as there are many requests from the SmartConsole to the server.

Specific mentioned issues

Relating to the numbered items in your post:

  1. Console unresponsiveness
    1. Opening the gateway editor for the first time will take a longer time than other dialogs since it relies on some older I/S. We are working on modernizing this for future versions.
      The policy page might be slow if your policy is huge. If that isn't the case, it might also be impacted by server speed and latency.
    2. Clicking on "busy" UI will show a Windows "unresponsive" dialog. This is standard Windows behavior. In many cases, we try to perform calculations off the UI thread to avoid it, but it's not always possible.
    3. I remember a fix for this issue. It's worth checking with the latest version and build.
    4. We have fixes for this on the way. Currently in private HF and will soon reach JHF.
  2. I'd need an example on latest version to better understand...
  3. Searches
    1. There are two types of searches in the policy: regular and packet mode. Make sure that you are using the right one for your needs as some will "drill down" into groups and subnets and some will not.
    2. When searching the object tree / explorer, the search is done by breaking up object names into tokens. For example: "tomer-noy" will be broken up into two tokens so that I can find them by searching "tom" or "noy" as the prefix. However, if I try to search for "mer" it will not find the object as that is not a prefix of a token. Since R81, it's possible to "force" the search mechanism to do a full search (which is less efficient) by adding "*" at the beginning of the search text. So searching for "*mer" will find the desired object.
  4. This is indeed an open item that we haven't gotten around to fix yet.
  5. I'm not familiar with this issue, but it is possible that R81.10 with the many DB changes has improved upon this.
  6. We do try to be "logical" and some popup windows are intentionally non-modal such as "Where Used" and "Object Explorer". This is to allow the admin to work in parallel with the popup and the view behind it, even with drag & drop. Anyway, clicking outside a window should not cause an operation to fail. If this still happens in R81.10 and above, we should investigate.

Regards,
Tomer

the_rock
Legend
Legend
‎2023-03-23 05:34 AM
In response to Tomer_Noy

@Tomer_Noy ...very nice post indeed. I will say this...I had been around CP since R55 days and I can tell you, all the issues @cosmos had mentioned, NEVER used to happen until R80 came around, well, expect maybe in everyone's least favorite version R76. Anywho, thats another tale for another day...😇

Here is something I think would be nice to have...I hope one day (with future releases), customer will be able to see whats fixed in new build of smart console. By same token, it would be nice to see that in web UI for jumbo hotfixes, rather than having to read it from the sk.

Just my honest suggestion.

Cheers mate.

Andy

Dorit_Dor
Employee
Employee
‎2023-03-23 12:54 PM
In response to the_rock

Before R80, the UI was self contained (all objects were copied to the ui upon login). 

This had one advantage that slowness on the server didnt slow down ui clicks. But it had many disadvantages (two reminders):

1. With large objects use it was very slow to open / start / save / etc

2. By definition there was no multiple admin with read/write because each ui held all objects at the same time 

In r80 there is server that holds the objects and manage all api’s. Slowness between server and client, will impact ui clicks but … there is much better scale of objects, support for large number of objects, and there is support for many admins snd operations with read/write. 

Therefore, i suggest to look forward at the fundamental advantages rather than discussing the old design (that had many limitations that were important to solve for modern usage).

Please report to CP specific issues (like Tomer asked) so that we can fix them.

Dorit 

 

the_rock
Legend
Legend
‎2023-03-23 01:00 PM
In response to Dorit_Dor

Hey Dorit,

One thing I see fairly constantly thats really somewhat annoying issue with smart console is that when you edit any fw object, in my experience, about 70% of the time, at least, when you go to network topology and edit any given interface (to lets say change anti spoofing settings), it would cause smart console to totally lock up and you have to force close it from task manager. IF you are lucky enough, it may work once reopened, it may not, its super random.

Now, so far, had not seen that happen in R81.20, so thats good sign, but lots of customers are on R81 or R81.10, where this does sadly happen.

Cheers,

Andy

PhoneBoy
Admin
Admin
‎2023-03-23 03:03 PM
In response to the_rock

I suspect this issue is related to the legacy infrastructure that we are working to modernize.
And yes, there have been some minor improvements in R81.20.

(1)
the_rock
Legend
Legend
‎2023-03-23 03:13 PM
In response to PhoneBoy

I hope one day there is CP version where changes to sxl and user.def/crypt.def can be all done via smart console, thats my wish @PhoneBoy 

WishDotComGIF.gif

Timothy_Hall
Legend Legend
Legend
‎2023-03-23 04:03 PM
In response to the_rock

This behavior when working with gateway objects (and the need for the legacy SmartConsole in R80+, and the need to dump contents of the postgres database back into legacy flat files objects_5_0.C and rulebases_5_0.fws which slows down policy installations) can be summed up in one daemon process name: fwm

fwm was the primary management server process in R77.30 and earlier and is very old, dating back to the 1990's.  It is single threaded.  It crashed quite a bit thus kicking administrators out of the pre-R80 SmartDashboard, sometimes losing rulebase edits in the process.  fwm is still around in R80+ but thankfully is on the way out with its functions slowly being replaced by other daemons in every release, but is primarily being replaced by the cpm daemon which is implemented in java and is heavily multi-threaded; cpm can utilize many CPUs at once.  With every release more and more functions are moved out of fwm, at some point I hope it will go away completely.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-03-23 03:54 PM
In response to the_rock

Maybe I misunderstand your post but we document fixes in SmartConsole releases and publish them e.g. 

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.10_SC/Default.htm

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend
‎2023-03-23 04:28 PM
In response to Chris_Atkinson

Hey Chris,

I said it wrong, my bad :). What I meant was what you pasted in that link, BUT, more in a sense that those fixes would be listed BEFORE you click to update smart console from the actual client itself, so customers could see what is indeed fixed right from smart dashboard window in a new version. By the same token, it would be nice to have something similar in web UI before someone decides to upgrade to a new jumbo.

Cheers,

Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events