R81.20 Jumbo Hotfix Accumulator take #26 has been released today

FYI....you have have some duplicates under "List of All Resolved Issues and New Features"

Installed it already, so far, so good! Btw, love new update page tab in web ui 🙂

Hi the_rock

Thank you for your feedback!

The issue has been fixed.

Gadi 

Thanks @gadt 

Anyone else have an error installing HFA 26 with their CloudGuard license controller on the management server dropping the VE licenses from the pool?  I updated 2 customers SmartCenters today and both of their CloudGuard license pools were deleted!  I manually re-added the licenses and re-ran distribution, and they're back online now.

This didn't happen on previous HFA updates.

Seems way to many problems with this take, considering known BGP issue mentioned in another post, I would stay away, for now, at least.

Andy

Hi @the_rock and all 

We found the RC for the BGP issue 

it will be fixed as part of the next jumbo we plan to release by early October 

Thanks 

Matan.

Good news @MatanYanay 👍

Likewise, TAC has been alerted to the vsec_lic_cli issue after JHF 26 install.  They have an internal SK for it now (sk181500).  I notified our Check Point SE, who forwarded it over to the internal teams.  I got a reply back quickly with the R&D update.

As @the_rock indicated, "caveat emptor quo JHF 26".

(content filter did not appreciate pure Latin; apologies for the slight deviation)

@Duane_Toler Content filter BLEEPED your terms mate LOL

But, I feel your "pain"...Im actually glad I saw the post from Perry in that other thread, and even though sounds like BGP issue did not affect the cluster, it was way too much of a risk to even bother installing take 26 to find that out.

Andy

Hello,

we are facing a problem using several web service api requests after installation of R81.20 Jumbo Hotfix Accumulator take #26 on our management server.

When using "show access-rulebase" combined with using a filter to search for a particular host, the server response produces an error 500 when finding the host inside of the rulebase. When the rulebase does not include the host, the error dow not occur.

Same happens when using "where-used".

error message below:

anyone else facing this issue?

thanks in advance 

I can test in my lab mgmt, can you give example of command you used @Felix_Hoffmann1 ?

Andy

Hi all and @Duane_Toler 

as mentioned by @the_rock  we do aware of the  "CloudGuard Central Licenses"

• Issue is relevant only to R81.20 JHF take 26 
• How to identify?
  • CloudGuard Licenses removed from security management and security gateways.
• What to do in this case?
  • Using vsec_lic_cli:
    • vsec_lic_cli add <license string>
    • vsec_lic_cli distribute
• For more information, please refer to sk181500

we are working on a fix that will be included as well in th upcoming jumbo we plan to release by early October 

Thanks 

Matan.

@MatanYanay Is that sk internal? When I search it, nothing comes up...

Andy

@the_rock 

AFAIK the sk should be visible to everyone

maybe it's still need some time to be sync with the systems  

Maybe, but this is all I get @MatanYanay 

Andy

@the_rock 

should be ok now

Yes sir, thank you @MatanYanay 🙌👍

Andy

@the_rock Regarding the problem @Felix_Hoffmann1 has mentioned:

The issue occurs only, when the session is read-only:

[Expert@SMS:0]# mgmt_cli login read-only true
Username: user
Password:
uid: "whatever_uid"
sid: "whatever_sid"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
read-only: true
api-server-version: "1.9"
user-name: "user"
user-uid: "whatever_uid"

[Expert@SMS:0]# curl_cli -k -X POST https://192.168.1.1/web_api/where-used --user-agent mgmt_cli -H "Content-Type: application/json" -H "Accept: text/plain" -H "connection: keep-alive" -H "X-chkp-sid: whatever_sid" -d '{"name":"server1"}'
code: "generic_error"
message: "Null Pointer exception: null"


[Expert@SMS:0]# mgmt_cli login read-only false
Username: user
Password:
uid: "whatever_uid"
sid: "whatever_sid"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
api-server-version: "1.9"
user-name: "user"
user-uid: "whatever_uid"

[Expert@SMS:0]# curl_cli -k -X POST https://192.168.1.1/web_api/where-used --user-agent mgmt_cli -H "Content-Type: application/json" -H "Accept: text/plain" -H "connection: keep-alive" -H "X-chkp-sid: whatever_sid" -d '{"name":"server1"}'
used-directly:
  total: 4
  objects:
...

This is reproducable even with SmartConsole. When SmartConsole Session Login is readonly, a where-used failed also there. Not only in SmartConsole CLI but also in Object explorer.

The error log in $FWDIR/log/api.elg is always the same, as Felix posted.

Can anybody who is already at T26 try this? Maybe just simply with SmartConsole in read-only mode? Just to see if really everybode is affected or only a few.

Thank you!

Hi @the_rock @Felix_Hoffmann1 @Tobias_Moritz,

This is indeed an unfortunate issue that was inserted with a huge performance improvement for policy installation. Hotfixes are already created for this issue, on top of the last takes of both R81.10 and R81.20 JHFs. 

An SK has been created for this issue, and TAC can provide the relevant HF. See sk181471.

A new JHF that contains the fix should be released next month. 

We are truly sorry for the inconvenience and working to improve the process.

Natan Chamilevski,

Management CFG 

Is this issue from sk181471 relevant to every R81.10/20 version or only starting from specific JHF? Because there are no details in the SK about this, which would mean every version!

Thank you, Natan, for confirming.

@Norbert: Based on our own experience, its only R81.20 JHF T26. It was working in T24. And based on what Natan says, it makes sense, because the major performance improvement in policy installation was introduced in T26 release notes. The same is mentioned in R81.10 JHF T110 release notes, so T110 and T113 should be affected.

I thought so, but the SK should be updated then, because it might confuse others finding the SK without knowing about this thread.

@Natan_Chamilevs , things happen mate, all good...as long as they get fixed, no sweat.

@Norbert_Bohusch Thats an excellent point you made about the sk ✔

Andy

Thank you for the comments, the SK is now updated with the specific takes that contain the issue.

Great news @Natan_Chamilevs 

Any idea, why TAC does not offer the hotfix from sk181471 quickly? We opened a SR on the same day (6 days ago). @Natan_Chamilevs informed us here about that sk, but still did not got the hotfix . Case is "Pending Check Point"...

In regards to sk181500, can Checkpoint confirm if there is a pending hotfix coming this month to resolve this?   

The SK shows a workaround but would rather get a fix in place than have any affect to my cloud gateways.  

Only thing on R81.20 today is management (Take 14) and want to shore up.....but very concerned with this note here about moving to GA take 26.  

Is there also a list of 'whats coming' in the R81.10 JHF release notes?   It seems like checkpoint keeps taking that section away 😞

@Scottc98 Someone from Israel responded to me in another post that next R81.20 jumbo will be released in October. Whether all these issues will be fixed, I have no clue.

Andy

Thanks @the_rock    

I really wished they kept up with the list of the upcoming fixes.   At least that would provide customers with some understandings....even if it doesn't mean its going to be in the exact next release.

And....w/o knowing what else is coming, it kinda puts customers like myself in bind.   Totally willing to wait ~2weeks here to patch this if this fix and possibly others are in place for management than to seek out business windows multiple times 

@Scottc98 I agree 100%, it should be more transparent, for sure.

Andy

@the_rock  and @Scottc98 

Thanks for your feedback on our "upcoming resolved issues" 

I will take it internally to check what did happen with our process 

we indeed support transparently for our upcoming fixes 

@Scottc98  for your question regarding sk181500, I can confirm, the fix of this issue will be part of our next jumbo we will release during October 

Thanks 

Matan.

@MatanYanay Looking forward to next jumbo.

Andy

Just want to update, that we got the hotfix for sk181471 finally yesterday after two weeks TAC case (Check_Point_R81_20_JHF_T26_772_MAIN_Bundle_T1_FULL.tar) and it fixed the issue with searches in read-only-mode.

@MatanYanay if you have been aware of this issue for two weeks - why is the important notes not updated???

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Important-Notes.htm

Is this not the whole idea of 'important notes' ? I see it is listed as 'upcoming fix' - but still

/Henrik

@Henrik_Noerr1 You took the words out of my mouth as they say. I was wondering the same thing, which is too logical...WHY are notes not updated with this? Hard to imagine this would not be considered important notes...at least, in my opinion.

Andy

@Henrik_Noerr1  and @the_rock 

As you know we are doing the best we can to be transpertae as possible with all our known issues. 

I agree, this issue is important and need to be add to our important note section,  therefore we will adjust it early nest week.

Thanks for brining it to my attention  ( that we are missing it 😞 ) 

Matan  

No big deal @MatanYanay , all things can be corrected, its just that us customers need to know about it, since we use the product ; - )

Its sort of as if say you drive Kia car and there is a recall and they never tell you about it...transparency is key!

Andy