Checkpoint Gateway Lost SIC After Jumbo Hotfix Installed - NETSEC

Sunday, August 16, 2015

Checkpoint Gateway Lost SIC After Jumbo Hotfix Installed

Our Checkpoint products are still sitting at R77.10. Checkpoint has released a Jumbo Hotfix Accumulator for R77.10 (gypsy_hf_base_021).

The installation procedure from the command line is quite simple:
  1. Transfer the Jumbo Hotfix Accumulator to the machine's /var/tmp folder
  2. Unpack the Jumbo Hotfix Accumulator:

    [Expert@CP-1]# cd /var/tmp
    [Expert@CP-1]# tar zxvf Check_Point_R77.10.linux.tgz
  3. Install the Jumbo Hotfix Accumulator:
    [Expert@CP-1]# ./UnixInstallScript

    Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
  4. Reboot the machine.
  5. Verify the installation with the command "cpinfo -y all"


Symptoms: 


I followed those steps and installed this Jumbo Hotfix on both cluster members at the same time, and also rebooted them at the same time. But after waiting a couple of minutes, one of the cluster members showed as disconnected in SmartView Monitor.


When I ssh-ed into the device and checked the cluster status, it showed OK. I was also able to reach the management server interface from the problem cluster member. The output of "cpinfo -y all" also showed the hotfix had been installed correctly.

[Expert@CP-DMZ-1:0]# cpinfo -y all
------------------------
Hotfix versions
------------------------
[FW1] 
  HOTFIX_R77_10 
  HOTFIX_R77_HF_HA10_005 
  HOTFIX_GYPSY_HF_BASE_021 

[SecurePlatform] 
  HOTFIX_R77_10_GAIA_GHOST_833 
  HOTFIX_GYPSY_HF_BASE_021 

[SPSHARED] 
  No hotfixes..

[CVPN] 
  HOTFIX_R77_10 
  HOTFIX_GYPSY_HF_BASE_021 

[PPACK] 
  HOTFIX_R77_10 
  HOTFIX_GYPSY_HF_BASE_021 

[CPinfo] 
  No hotfixes..

[SmartLog] 
  HOTFIX_R77_10 

[rtm] 
  No hotfixes..
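
A check that goes one step beyond reading a single member's output, as an added example that is not part of the original post: it parses `cpinfo -y all` output in the format shown above and reports any product whose hotfix list differs between two cluster members. The function names and the second member's output are assumptions made for illustration.

```python
import re

# MEMBER_1 is the `cpinfo -y all` output above, trimmed to four products.
# MEMBER_2 is constructed: the same output with the hotfix missing from [CVPN].
MEMBER_1 = """\
[FW1]
  HOTFIX_R77_10
  HOTFIX_R77_HF_HA10_005
  HOTFIX_GYPSY_HF_BASE_021
[SecurePlatform]
  HOTFIX_R77_10_GAIA_GHOST_833
  HOTFIX_GYPSY_HF_BASE_021
[SPSHARED]
  No hotfixes..
[CVPN]
  HOTFIX_R77_10
  HOTFIX_GYPSY_HF_BASE_021
"""
MEMBER_2 = MEMBER_1.replace("[CVPN]\n  HOTFIX_R77_10\n  HOTFIX_GYPSY_HF_BASE_021",
                            "[CVPN]\n  HOTFIX_R77_10")

def parse_cpinfo(text):
    """Return {product: set of hotfix names}; banner and prompt lines are ignored."""
    products, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            products[current] = set()   # "No hotfixes.." leaves this empty
        elif current and line.startswith("HOTFIX_"):
            products[current].add(line)
    return products

def compare_members(a, b):
    """Return {product: (only_on_a, only_on_b)} for products whose hotfixes differ."""
    pa, pb = parse_cpinfo(a), parse_cpinfo(b)
    diff = {}
    for product in sorted(set(pa) | set(pb)):
        ha, hb = pa.get(product, set()), pb.get(product, set())
        if ha != hb:
            diff[product] = (sorted(ha - hb), sorted(hb - ha))
    return diff

if __name__ == "__main__":
    print(compare_members(MEMBER_1, MEMBER_2))
```

An empty result means both members report the same hotfixes for every product, which rules out a partial install as the cause of a cluster mismatch.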

Troubleshooting:


I went back to SmartDashboard, checked the SIC status, and found it was out of SIC. I was confused about what could have caused the SIC loss on this cluster member. Should I reset SIC?

SmartView Tracker saved me this time. There was one log entry showing that firewall policy inconsistencies existed between the cluster members.


Number:             7250420
Date:                 16Aug2015
Time:                 10:09:07
Origin:               CP-DMZ-1
Type:                 Log
Action:              
Information:       sync: Inconsistencies exist between policies installed on the cluster members. Please reinstall the policy on the cluster.
Product:             Security Gateway/Management
Product Family: Network
Policy Info:         Policy Name: defaultfilter
                          Created at: Sun Aug 16 07:12:25 2015
                          Installed from: CP-Management

Solutions:

I quickly pushed the policy to the cluster, and it failed because of a SIC error, as shown below.


The amazing thing is that this firewall policy push resolved the SIC issue. Both firewall cluster members show green and OK status in SmartView Monitor.
