60000 / 40000 Appliances - Jumbo Hotfix Accumulator for R76SP.10_VSLS
Solution

Table of Contents:

  • Introduction
  • Availability
  • Important Notes
  • List of resolved issues per Take
  • Installation instructions
  • List of replaced files
  • Troubleshooting instructions

Introduction

R76SP.10_VSLS Jumbo Hotfix Accumulator is an accumulation of stability and quality fixes resolving multiple issues on 61000 / 41000 products running R76SP.10_VSLS.

This Incremental Hotfix and this article are periodically updated with new fixes.

The list of resolved issues below describes each fix and gives the Take number in which the fix was first included.
A resolved issue is included in the Incremental Hotfix starting from the Take listed in this table (inclusive).
The date on which each Take was made available is listed next to the Take number.

Availability

In order to receive the Jumbo Hotfix Accumulator, please contact the following mailing list
(it might take up to 24 hours to provide an answer, not including Fridays and Saturdays):
61000_41000_installation_forum@checkpoint.com

Latest available Take is:

Take      Date
Take_18   21 Oct 2015

Important Notes

  • This Jumbo Hotfix Accumulator is suitable only for 61000 / 41000 running R76SP.10_VSLS take 36.
  • If you have previously installed any private hotfixes on top of your current version, then contact Check Point Support before applying this Jumbo Hotfix Accumulator to verify that it is compatible with your environment.

List of resolved issues per Take

ID Product Symptoms
Take 18 (21 Oct 2015)
01832366 General Improved "asg info" (do not use the "-f" flag in the "fw tab -t check_alive -u" command).
01841837 Threat Prevention Security Gateway might crash when Threat Prevention "Fail Mode" is set to "Block all connections (Fail-close)".
Refer to sk104866.
01841762 Identity Awareness, Application Control Security Gateway might crash when Identity sharing and Application Control rules (with access roles) are configured.
Refer to sk106420.
01834591 Identity Awareness Improved generation of new session ID (to make sure this ID is not assigned to some other basic or super session).
01841486 IPS, URL Filtering, Application Control, Anti-Bot Security Gateway might crash rarely when inspecting URLs.
Refer to sk104250.
01841461 IPS Security Gateway with enabled IPS blade might crash in "cmi_context_get_status ()" function.
Refer to sk104642.
01841387 Security Gateway Security Gateway might crash when working with Multi-Portal.
Refer to sk104698.
01841518 Security Gateway Security Gateway configured as Proxy occasionally stops processing all traffic.
Refer to sk102134.
01841363 Application Control Application Control policy with distributed Identity Awareness rules may cause Security Gateway to crash when processing a UDP domain connection.
01837210 Security Gateway Possible memory leak on Security Gateway when duplicate packets are received (e.g., during packet retransmission).
Refer to sk103077.
01816069 VSX VLAN interfaces (that belong to Virtual Systems) defined on Bond interface are no longer monitored after changing the Bond type (LACP/Round Robin/etc.).
01714277 VSX Local connections cannot be established from Virtual Systems on the Standby chassis.
01801779 Networking Port monitoring does not update the port's state correctly when the port's state is changed during chassis fail-over.
Take 15 (09 July 2015)
- General Support for NG 61000 Chassis.
01562399 General Added support for new 61000 Chassis ("N+N") - support and monitoring of redundant power supplies.
01564984 General Added new QSFP transceiver AFBR79EIDZ to the list of certified transceivers.
01579733, 01513576, 01507932, 01579728 General Check Point update and online services migration to SHA-256 based certificates.
Refer to sk103839.
01569780 General Check Point Response to CVE-2015-0235 (glibc - GHOST).
Refer to sk104443.
01639159 General Check Point response to the POODLE Bites vulnerability (CVE-2014-3566) - prevent Internal CA (ICA) Portal from using SSLv3.
Refer to sk102989.
01602960 General Check Point response to TLS FREAK Attack (CVE-2015-0204).
Refer to sk105062.
01649304 General Check Point response to Leap Second introduced in UTC on 30 June 2015.
Refer to sk104560.
01417320, 01582571 General The following errors are displayed after initial installation:

  • When SGM completes the first boot:
    -bash: This: command not found
    clish -c "save config"
    change_chassis_type: line 18: 8081 Segmentation fault


  • When running "setup" command:
    [Expert@HostName]# setup
    Error: Cannot acquire config-lock for CliApi
01648924 General Degradation in system performance when using Jumbo frames.
01657653 General Improper exit of FWD daemon caused it to freeze, instead of crashing and restarting.
01656920 General synatk_alert_sent sends false alarms. Incorrect error messages were removed.
01608145 General A failure to pull configuration from remote SGMs now automatically reverts the setup to the legacy copy mode (scp instead of gcopy).
Refer to sk110427.
01445044, 01667259 General "load_fw_global_params" and "load_vs_global_params" in "cpha_blade_config" read the $FWDIR/conf/fw_global_params.conf file and the $FWDIR/conf/vs_global_params.conf file, but only support integer global variables.
Added support for other types of global parameters, such as strings (useful, for example, for forwarding management ports).
01577057 General Operations for Configuring Alerts for SGM and Chassis Events (asg alert) are not synchronized from the local SGM (where configuration was made) to other SGMs (e.g., SNMP Manager was configured and then deleted on one SGM).
01697051 General Output of "asg monitor" does not show the enabled software blades.
01464547, 01650143 Gaia OS Snapshot revert confirmation from Clish shows "You are about to perform snapshot revert <Name_of_Snapshot> on blades: All", even though the actual revert will be done only on local SGM.
01509167, 01564581 Gaia OS Incorrect count of slave interfaces in Bond Load Sharing (802.3ad LACP) after physical link on Slave interfaces goes down and back up.
Refer to sk98160.
01561362 Gaia OS Adding VLAN to port ethX-13 (40G) deletes all VLANs on the SSM.
01445415, 01445636, 01559480 Gaia OS SNMPv3 users are not deleted when using gclish.
Refer to sk101901.
01562008 Gaia OS Reduced the size of route cache table by merging all the entries with the same destination address (added option to apply a subnet mask to the source address before entering the route to the route cache).
01559380, 01560325 Gaia OS, ClusterXL RouteD neighbors are flapping under load while trying to obtain the cluster size.
01620557 Hardware Integrated new SSM160 firmware v2.4.C20.
Refer to sk105360.
01595964 Hardware CMM firmware 2.83 rev3 was added to SGM firmware database.
01583818 Hardware Output of "asg stat -v" reports incorrect number of "Power Supplies" on N+N chassis.
01440277, 01575096 Hardware Serial port IRQs were assigned to CPU 0. As a result, under load, CPU 0 could not handle the serial port IRQs properly, which led to loss of connectivity through the serial port.
01653010 Hardware Added a reference to the SSM manual update documentation in the "asg_ssm_upgrade" command.
01493899, 01601432 VSX When the connection is templated on one Virtual System and the NAT happens on another Virtual System along the packet's path, the connection might be dropped as out of state on the Virtual System where it was templated.
Example topology:
  • SYN packet passes correctly:
    Client ---> VS1 {connection is templated here} ---> VSW ---> VS2 {NAT is applied here} ---> Server
  • SYN-ACK packet is dropped by VS1:
    Client --- VS1 {connection is dropped here} <--- VSW <--- VS2 {NAT is applied here} <--- Server
01573610 VSX Periodic pulling of cluster configuration for Virtual Systems is not working correctly (when a difference in VSX Configuration ID is detected).
01644854 VSX "asg_archive" command will collect the output of "fw ctl pstat" command per Virtual System.
01649317 VSX When exporting Static/Direct/RIP routes into OSPF without a routemap, the tag value is set to an unexpected value.
Refer to sk98415.
01612997 VSX Proxy ARP configuration (asg_local_arp_update) may fail when Virtual Switch is configured.
Refer to sk105180.
01657570 VSX Improved slow CCP handling rate that caused increased memory usage. Highest impact was on fully populated blades with Jumbo frames.
01667093 VSX fwk<X>_dev processes might crash with core dump file after running the cpstop command.
$FWDIR/log/fwk.elg file shows "fwk_dev_read: dev opaque magic is incorrect" error.
01552854 VSX Traffic outage might be caused by BMAC address being zero for all WRP interfaces, and no VLAN ports for all WRP interfaces on BFM module.
01648774 VSX "vspurge" fails when trying to delete Virtual Switch.
01578003 VSX Added a new script asg_collect_vsx_logs to collect relevant files from all SGMs, from all Virtual Systems:

  • $FWDIR/log/blade_config.*
  • $FWDIR/log/fwk.elg.*
  • $FWDIR/log/cpha_policy.log.*
  • /var/log/messages
  • /var/log/blade_reboot_log
  • VSX NCS files
  • logs for 'fw vsx fetch_cpd' command
Refer to sk114792.
01574652 VSX If there are Virtual Systems in Bridge mode, then the 'asg vsx_verify -v -a -c -i' script shows the following:
  • Mismatch: Name_of_Shadow_Bridge_Interface OS:  DB:  NCS: 0.0.0.0/0
  • Summary
    VSX Configuration Verification completed with the following errors:
    ... ... ...
    Found inconsistency between addresses in OS,DB and NCS of Name_of_Shadow_Bridge_Interface
01571872 VSX If a pnote on a Virtual System reports its status as "problem", and this pnote exists on all SGMs, then each SGM disables monitoring for this Virtual System (instead of only the last SGM disabling the monitoring). As a consequence, the state of a Virtual System on all SGMs might result in only the SMO being in the "UP" state (i.e., a problematic Virtual System affects the state of the SGMs even if it is not working on all SGMs).
01568066 VSX ConfdTask task (WatchDog for confd daemon) under CPD daemon runs in the context of Virtual Systems other than context of VSX Gateway itself (VS0).
01568066 VSX, ClusterXL If vsx_apply fails, the chassis reboots 10 times before reaching the "UP" state with a configuration pnote. Behavior was changed to reboot the SGM only once and then reach the "UP" state with a configuration failure.
01665122 VSX, ClusterXL Packets are not corrected, but forwarded between hosts in the following topology:
Internal Host - Internal chassis interface - [VS2 - Virtual Switch - VS1]- External chassis interface - External Host
01714277 VSX, ClusterXL Local connections cannot be established from non-VS0 on the Standby chassis because packets are not forwarded correctly to the Standby chassis.
01649614 VSX, Gaia OS Editing a route on Virtual System may cause duplicate next hops in Gaia Database. Now, previous destination will be removed from Gaia Database before pushing the new one.
01611451 ClusterXL SGM might reboot itself when pulling cluster configuration for Virtual Systems.
01572617 ClusterXL After switching from Active Standby mode to Active Active mode, the Standby chassis still does not process the traffic.
01429770, 01555680 ClusterXL Deleting Unique IP address per Chassis (UIPC) causes system to be unreachable because corresponding routes are removed.
01568762 ClusterXL /var/log/messages file shows the following when Link Local Multicast Name Resolution (LLMNR) traffic arrives at chassis:
fwha_select_ip_packet: could not get other chassis VMAC
01539003, 01546273 ClusterXL The configured minimal number of Bond slave interfaces (Bond Min Slaves) did not survive reboot ('set chassis high-availability bond BOND_IF min_slaves N').
01583150, 01604638 Anti-Bot Security Gateway may crash when Anti-Bot is enabled.
Refer to sk95057.
01652648, 01619997 IPS DNS requests are dropped by IPS as "Non Compliant DNS".
Refer to sk97730.
01580342 IPS Security Gateway might crash while Pattern Matcher 2nd tier inspects the traffic (slow path - Regular Expression Matcher).
01652915 SNMP, Gaia OS SNMPD process crashes with core dump files.
Refer to sk100514.
01654537 SNMP, Gaia OS SNMPD process might crash after querying the 61000 / 41000 Security System over SNMP repeatedly for several days.
01606093 HTTPS Inspection Security Gateway with enabled HTTPS Inspection might crash during high traffic load.
Refer to sk105538.
01606096 HTTPS Inspection, URL Filtering Improvement in negotiation rate of HTTPS traffic through Security Gateway R76 and above.
Refer to sk103081.
01652963 URL Filtering, Application Control Random issues with HTTP web browsing - traffic latency increases, and at some point web browsing stops working.
Refer to sk64162 - Scenario 2.
01650580 VPN VPND daemon might crash during SSL handshake.
Refer to sk104474.
01650521 VPN VPND daemon might crash when working with Multi-Portal.
01612313 VPN Kernel table "Robo_ranges" is not synchronized to all SGMs - only to the SMO - causing VPN traffic from the ROBO internal side that reaches a non-SMO blade to be dropped.
Refer to sk106203 to obtain the complete fix for this issue.
01573964 VPN Security Gateway will stop maintaining new IKE negotiations if it fails to resolve VPN peers (the relevant negotiations for peers that were not resolved are not removed from the internal data structure, which causes the data structure to get full and not accept new negotiation to process).
01574139 Security Gateway Moving a blade from one slot to another results in endless reboot of the blade.
01524485 Security Gateway Output of asg resource command shows incorrect "Usage" values for "Memory".
01571114 Security Gateway, ClusterXL The value of the string kernel parameter fwha_mbs_policy_times_str (holds policy installation times for FireWall policy and for Threat Prevention (Anti-Malware) policy) is not set correctly during policy installation, policy revert, or policy fetch.
01562925 Identity Awareness SGMs might crash if "Enforce IP spoofing protection (requires full identity agent)" is enabled in the Access Role properties.
01579389 FireWall, Threat Prevention Improved the following string kernel parameters that hold the policy installation times:

  • fwha_mbs_policy_times_str - holds policy installation times for FireWall policy and for Threat Prevention (Anti-Malware) policy in the format "FW_policy_absolute_Unix_time;TP_policy_absolute_Unix_time"

  • fwha_mbs_policy_times_formated_str - holds formatted policy installation times for FireWall policy and for Threat Prevention (Anti-Malware) policy in the format "FW_policy_local_time;TP_policy_local_time" (time is printed as "ddmmmyy hh:mm")

Code was improved:

  • The string kernel parameter fwha_mbs_policy_times_str was split into these string kernel parameters:

    • fwha_mbs_fw_policy_time - holds FireWall policy installation time in the format "FW_policy_absolute_Unix_time"
    • fwha_mbs_amw_policy_time - holds Threat Prevention (Anti-Malware) policy installation time in the format "TP_policy_absolute_Unix_time"

  • The string kernel parameter fwha_mbs_policy_times_formated_str was split into these string kernel parameters:

    • fwha_mbs_fw_policy_time_formated_str - holds formatted FireWall policy installation time in the format "FW_policy_local_time" (time is printed as "ddmmmyy hh:mm")
    • fwha_mbs_amw_policy_time_formated_str - holds formatted Threat Prevention (Anti-Malware) policy installation time in the format "TP_policy_local_time" (time is printed as "ddmmmyy hh:mm")

Installation instructions

  1. Perform Fresh Installation of R76SP.10_VSLS.

  2. Install the Jumbo Hotfix Accumulator.

    Prerequisites:

    For quick Disaster Recovery, take snapshots for all SGMs on the chassis:

    • Take snapshots during off-peak hours.
    • First, take snapshots on Standby chassis, then take snapshots on Active chassis.
    • Do not make any configuration changes on the chassis from the time the snapshots are taken until the upgrade and hotfix installation are complete.
    • Do not make any configuration changes on the Security Management Server / Multi-Domain Security Management Server that manages the chassis until the upgrade and hotfix installation are complete.

    Important Note: The Jumbo Hotfix Accumulator can be installed in two ways:

    • Full Connectivity installation

      This type of installation keeps the current connections both in single and in dual chassis configurations.
      In dual chassis configurations, hotfixes are installed on Standby chassis, a fail-over is performed from Active chassis to Standby chassis, and then Hotfixes are installed on former Active chassis.

      Note: It is recommended to perform this type of installation via console.

      1. Preparation:

        1. Transfer the Jumbo Hotfix Accumulator to your /home/admin/ directory on the 61000/41000 appliance.

        2. Copy the Jumbo Hotfix Accumulator file to all SGMs:

          # asg_cp2blades Check_Point_R76SP_10_VSLS_jhf_T<number>.tgz
      2. Installation:

        Notes:

        • <Name_of_..._chassis> used in the syntax below means "chassis1" or "chassis2".
        • <ID_of_..._chassis> used in the syntax below means "1" or "2".

        Instructions:

        1. Set the state of Standby chassis to "down":

          # asg chassis_admin -c <ID_of_Standby_chassis> down
        2. Install the Jumbo Hotfix Accumulator on Standby chassis:

          1. Unpack the Jumbo Hotfix Accumulator (note the "-C" flag in the syntax):

            # mkdir /home/admin/temp
            # tar -zxvf /home/admin/Check_Point_R76SP_10_VSLS_jhf_T<number>.tgz -C /home/admin/temp/
            
          2. Install the Jumbo Hotfix Accumulator:

            # cd /home/admin/temp
            # ./AsgInstallScript -b <Name_of_Standby_chassis>
            
          3. Verify the installation of hotfixes:

            # ./AsgInstallScript verify

            Notes:

            • Blades on the Active chassis will show 'Failed' during the first chassis installation.
            • After the upgrade, upgraded SGMs on the Standby chassis should display the corresponding package number (it is expected that the upgraded packages will be different).

          4. Upgrade the SSM firmware on Standby chassis:

            # asg_ssm_upgrade ssm all chassis <ID_of_Standby_chassis>

            Notes:

            • Perform this step only if the SSM firmware is lower than 2.4.C12 (check with the 'asg_version -v' command).
            • Perform this step via console connection to the upgraded chassis.

          5. Reboot the Standby chassis:

            # g_reboot -b <Name_of_Standby_chassis> -a
          6. Monitor the system until SGMs on the Standby chassis are UP and Enforcing security again:

            # asg monitor
        3. Set the state of Standby chassis to "up":

          # asg chassis_admin -c <ID_of_Standby_chassis> up
        4. Set the state on currently Active chassis to "down":

          Note: This will cause chassis fail-over from Active chassis to Standby chassis.

          # asg chassis_admin -c <ID_of_currently_Active_chassis> down
        5. Install the Jumbo Hotfix Accumulator on former Active chassis:

          1. Unpack the Jumbo Hotfix Accumulator (note the "-C" flag in the syntax):

            # mkdir /home/admin/temp
            # tar -zxvf /home/admin/Check_Point_R76SP_10_VSLS_jhf_T<number>.tgz -C /home/admin/temp/
            
          2. Install the Jumbo Hotfix Accumulator:

            # cd /home/admin/temp/
            # ./AsgInstallScript -b <Name_of_former_Active_chassis>
            
          3. Verify the installation of hotfixes:

            # ./AsgInstallScript verify
          4. Upgrade the SSM firmware on former Active chassis:

            # asg_ssm_upgrade ssm all chassis <ID_of_former_Active_chassis>
            Note: Perform this step only if the SSM firmware is lower than 2.4.C12 (check with the 'asg_version -v' command).

          5. Reboot the former Active chassis:

            # g_reboot -b <Name_of_former_Active_chassis> -a
          6. Monitor the system until SGMs on the former Active chassis are UP and Enforcing security again:

            # asg monitor
        6. Set the state of former Active chassis to "up":

          Important Note: If your former Active chassis is configured as "Primary Up", an automatic fail-back will occur.

          # asg chassis_admin -c <ID_of_former_Active_chassis> up
        7. Verify the installation of hotfixes on both chassis:

          # asg_version -v
          Example of output:
          Installed HFA
          -------------
          -*- 4 blades: 1_01 1_02 2_01 2_02 -*-
          R76SP_10_VSLS_jhf take_15

    • Regular installation

      This type of installation requires a reboot of the entire chassis. Therefore, all current connections will be interrupted.

      Important Note: This type of installation can be performed only via console.

      1. Preparation:

        1. Transfer the Jumbo Hotfix Accumulator to your /home/admin/ directory on the 61000/41000 appliance.

        2. Copy the Jumbo Hotfix Accumulator file to all SGMs:

          # asg_cp2blades Check_Point_R76SP_10_VSLS_jhf_T<number>.tgz
      2. Installation:

        1. Unpack the Jumbo Hotfix Accumulator (note the "-C" flag in the syntax):

          # mkdir /home/admin/temp
          # tar -zxvf /home/admin/Check_Point_R76SP_10_VSLS_jhf_T<number>.tgz -C /home/admin/temp/
          
        2. Install the Jumbo Hotfix Accumulator:

          # cd /home/admin/temp
          # ./AsgInstallScript -b all
          
        3. Verify the installation of hotfixes:

          # ./AsgInstallScript verify
        4. Upgrade the SSM firmware, if it is lower than 2.4.C12 (you can run the 'asg_version -v' command):

          # asg_ssm_upgrade ssm all chassis all
        5. Reboot:

          # g_reboot -a
        6. Verify the installation of hotfixes:

          # asg_version -v
          Example of output:
          Installed HFA
          -------------
          -*- 4 blades: 1_01 1_02 2_01 2_02 -*-
          R76SP_10_VSLS_jhf take_15
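
Both procedures end with reading the "Installed HFA" section of 'asg_version -v' and confirming that every SGM reports the new take. The following script is an added example, not part of this article or of Check Point's tooling: it parses that section and lists every SGM that is missing, reports no take, or is still on an older take. The sample output is constructed; its first group follows the example above, and the assumption that SGMs on a different take appear under their own "-*- N blades: ... -*-" header is mine.

```python
import re

# Constructed sample of the "Installed HFA" section of `asg_version -v`.
# The first group follows the article's example; the second group (two SGMs
# still on the previous take) is an assumed shape for mixed output.
SAMPLE_OUTPUT = """\
Installed HFA
-------------
-*- 2 blades: 1_01 1_02 -*-
R76SP_10_VSLS_jhf take_18
-*- 2 blades: 2_01 2_02 -*-
R76SP_10_VSLS_jhf take_15
"""

GROUP_RE = re.compile(r"^-\*- (\d+) blades?: (.+?) -\*-$")
HFA_RE = re.compile(r"^R76SP_10_VSLS_jhf take_(\d+)$")


def parse_installed_hfa(text):
    """Map each SGM id (e.g. '1_01') to the jumbo take it reports.

    An SGM that appears in a blade-group header but has no recognisable
    HFA line underneath is mapped to None.
    """
    takes = {}
    current = []          # SGMs of the group header most recently seen
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Installed HFA":
            in_section = True
            continue
        if not in_section:
            continue
        if not line:          # a blank line ends the section
            break
        if line.startswith("---"):
            continue
        m = GROUP_RE.match(line)
        if m:
            current = m.group(2).split()
            if len(current) != int(m.group(1)):
                raise ValueError("blade count does not match header: " + line)
            for sgm in current:
                takes[sgm] = None
            continue
        m = HFA_RE.match(line)
        if m:
            for sgm in current:
                takes[sgm] = int(m.group(1))
    return takes


def check_take(text, expected_take, expected_sgms):
    """Return (ok, problems): ok only if every expected SGM reports expected_take."""
    takes = parse_installed_hfa(text)
    problems = []
    for sgm in expected_sgms:
        if sgm not in takes:
            problems.append(f"{sgm}: missing from asg_version output")
        elif takes[sgm] is None:
            problems.append(f"{sgm}: no jumbo take reported")
        elif takes[sgm] != expected_take:
            problems.append(f"{sgm}: take_{takes[sgm]} (expected take_{expected_take})")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_take(SAMPLE_OUTPUT, 18, ["1_01", "1_02", "2_01", "2_02"])
    print("all SGMs on take_18" if ok else "\n".join(problems))
```

Feed it the real output captured on the chassis and the list of SGMs you expect to have upgraded; any line it prints is an SGM to re-check before setting the chassis to "up".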
          

 

List of replaced files

The list of files replaced by this Jumbo Hotfix Accumulator can be provided upon request by Check Point Support.

Troubleshooting instructions
