Rare failure in the Identity Sharing network registration may potentially result in incorrect policy actions
Symptoms
  • When using Identity Sharing with SmartPull, the PDP publishes a network to the PEP, but the PEP fails to register to this network later.
  • Using Access Roles in the rule base might cause incorrect policy actions on Security Gateways running R80.10.
  • The rule that is enforced is not the one with the Access Role (as should be the case), but rather a different, irrelevant rule.
  • In kernel debug, the D_HOLD action is returned multiple times for the same packet (hold loop):
    up_manager_fw_handle_first_packet: after POST_SYN context - hold was requested by one of the classifiers;
    up_manager_fw_handle_first_packet: returning D_HOLD;
  • In SmartLog, after a while, the following Identity Awareness log may appear: “Peer closed connection”.
Cause

The connection is handled by the PEP Gateway, but no identity is found on the PEP for the connection’s IPs.
With SmartPull Identity Sharing, the PEP Gateway holds the connection if:

  1. The Access Role is used in the policy and required for the final rulebase match.
  2. There is a remote PDP Gateway that previously published this network to the PEP Gateway.

The PEP Gateway tries to register to the network (to obtain identities for these IPs) by sending a request to the remote PDP Gateway. If there is a well-timed outage between the PDP and the PEP, falling between the publish and the registration phases (for example, a connectivity issue between the PDP and the PEP), the PEP Gateway tries to hold the packet repeatedly. As a result, the hold operation may fail because of the limit on the number of concurrent holds. Such a failure causes the connections to be accepted.
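An added example (not part of the SecureKnowledge article): a small Python detector that scans kernel debug output for the hold loop described in the Symptoms and Cause sections, flagging runs of consecutive `returning D_HOLD` decisions for a first packet. The two debug strings come from the article; the sample line layout and the `returning D_ACCEPT` line that ends a normal hold are constructed assumptions, since real `fw ctl debug` output carries additional prefixes.

```python
import re

# Debug strings quoted in the article's Symptoms section.
HOLD_REQUESTED = ("up_manager_fw_handle_first_packet: after POST_SYN context - "
                  "hold was requested by one of the classifiers;")
HOLD_RETURNED = "up_manager_fw_handle_first_packet: returning D_HOLD;"

# Matches the decision returned for the first packet. D_HOLD is from the
# article; any other D_* value is an assumption used to end a hold run.
RETURN_RE = re.compile(r"up_manager_fw_handle_first_packet: returning (D_[A-Z_]+)")


def find_hold_loops(lines, threshold=3):
    """Return [(line_no, count)] for each run of >= threshold consecutive
    D_HOLD decisions with no other decision in between.

    A healthy hold is a single D_HOLD followed by a final decision once the
    identity arrives from the PDP; a run of holds with no final decision is
    the hold-loop symptom the article describes."""
    loops = []
    run_start, run_len = None, 0
    for line_no, line in enumerate(lines, 1):
        m = RETURN_RE.search(line)
        if not m:
            continue  # e.g. the "hold was requested" line: not a decision
        if m.group(1) == "D_HOLD":
            if run_len == 0:
                run_start = line_no
            run_len += 1
        else:
            if run_len >= threshold:
                loops.append((run_start, run_len))
            run_start, run_len = None, 0
    if run_len >= threshold:
        loops.append((run_start, run_len))
    return loops


# Constructed sample: one normal hold that is released (lines 1-3), then a
# packet that is held five times in a row with no release (lines 4-13).
SAMPLE_DEBUG = [
    HOLD_REQUESTED,
    HOLD_RETURNED,
    "up_manager_fw_handle_first_packet: returning D_ACCEPT;",  # constructed
] + [HOLD_REQUESTED, HOLD_RETURNED] * 5


if __name__ == "__main__":
    for start, count in find_hold_loops(SAMPLE_DEBUG):
        print(f"hold loop: {count} consecutive D_HOLD decisions from line {start}")
```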


Solution

This problem was fixed. The fix is included in:

The hotfix should be installed on a Security Gateway running R80.10 with Jumbo Hotfix Take_121.
It also includes a fix for SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391).


It is highly recommended to use CPUSE for downloading and installing the hotfix:

  • Instructions for CPUSE in Gaia Portal
    • Online Installation

      1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
        Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
      2. Connect to the Gaia Portal on your Check Point machine.
      3. Navigate to Upgrades (CPUSE) pane - click on Status and Actions.
      4. In the upper right corner, click the Add hotfixes from the cloud button and search for: Check_Point_R80.10_Hotfix_sk134054_FULL.tgz
      5. When the package is found, click the link to add the package to the list of available packages.
      6. Select the hotfix package R80.10 hotfix for sk134054 - click the Download button on the toolbar.
      7. Verify the package - check whether this package can be installed without conflicts:
        Select the hotfix package R80.10 hotfix for sk134054 - click the More button on the toolbar - click Verifier.
      8. Select the hotfix package R80.10 Hotfix for sk134054 - click the Install Update button in the toolbar.
      9. Reboot is required.

      Note - The machine will automatically reboot after installation!
    • Offline Installation

      1. Install the latest build of CPUSE Agent from sk92449.
      2. Download the Gaia CPUSE Offline package:
        R80.10: Gaia - CPUSE Offline
      3. Connect to the Gaia Portal on your Check Point machine.
      4. Navigate to Upgrades (CPUSE) pane - click on Status and Actions.
      5. On the toolbar, click the More button - select Import Package - browse for the CPUSE Offline package (TGZ file) - click Upload.
      6. Verify the package - check whether this package can be installed without conflicts:
        Select the hotfix package R80.10 Hotfix for sk134054 - click on the More button on the toolbar - click on the Verifier.
      7. Select the hotfix package R80.10 Hotfix for sk134054 - click on the Install Update button on the toolbar.
      8. Reboot is required.

  • Instructions for CPUSE in Gaia Clish
    • Offline Installation

      1. Download the Gaia CPUSE Offline package:
        R80.10: Gaia - CPUSE Offline
      2. Install the latest build of CPUSE Agent from sk92449.
      3. Transfer the offline package to the target Gaia machine (into some directory, e.g., /some_path_to_fix/).
      4. Connect to the command line on target Gaia OS.
      5. Log in to Clish.
      6. Acquire the lock over Gaia configuration database:
        HostName> lock database override
      7. Import the package from the hard disk:
        HostName> installer import local <Full_Path>/Check_Point_R80.10_Hotfix_sk134054_FULL.tgz
      8. Show the imported packages:
        HostName> show installer packages imported
      9. Verify that this package can be installed without conflicts:
        HostName> installer verify <Package_Number>
      10. Install the imported package:
        HostName> installer install <Package_Number>
      11. Reboot is required.

Uninstall Instructions

  • Instructions for CPUSE in Gaia Portal
    1. CPUSE Software Updates Policy should be configured to allow self-update of CPUSE Agent.
      Otherwise, users should manually install the latest build of CPUSE Agent from sk92449.
    2. Connect to the Gaia Portal on your Check Point machine.
    3. Navigate to Upgrades (CPUSE) pane - click on Status and Actions.
    4. Select the hotfix package R80.10 Hotfix for sk134054 - click on the Uninstall button on the toolbar.
    5. Reboot is required.

  • Instructions for CPUSE in Gaia Clish
    1. Install the latest build of CPUSE Agent from sk92449.
    2. Connect to the command line on target Gaia OS.
    3. Log in to Clish.
    4. Acquire the lock over Gaia configuration database:
      HostName> lock database override
    5. Show the installed packages:
      HostName> show installer packages installed
    6. Uninstall the hotfix package:
      HostName> installer uninstall <Package_Number>
    7. Reboot is required.

Note that the fix is also included in:

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
