Security Gateways prior to R76 drop UDP traffic on non-standard ports after upgrading Security Management Server to R77

Security Gateways running version prior to R76 (R65 / R70.X / R71.X / R75.X) drop UDP traffic on non-standard ports after upgrading Security Management Server to R77.
SmartView Tracker shows:
Message_Info: Violated unidirectional connection
Kernel debug on Security Gateway shows:
fw_log_drop: Packet proto=17 ... dropped by fw_one_way_enforcement Reason: conn oneway violated
Affected Security Gateways: NGX R65 all HFAs / all R70.X / all R71.X / all R75.X
Note: VSX NGX R6X are not affected

Problem in handling of IPv6 macros when IPv6 is disabled on Security Gateways running versions prior to R76 (R65 / R70.X / R71.X / R75.X).

Note: Manual changes in base.def file will be overridden.

This problem was fixed. The fix is included in:

Check Point R77.10

Check Point recommends to always upgrade to the most recent version (upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

Effective October 10, 2013, the R77 Gaia / SecurePlatform / Windows images have been replaced resolving sk95056 (Security Gateways prior to R76 drop UDP traffic on non-standard ports after upgrading Security Management Server to R77) and sk95245 (When using Threat Emulation to scan mail content, some files encoded in MIME may be incorrectly decoded causing a 'False-Negative' result of the emulated file).

By installing the new images of Gaia & SecurePlatform, the R77 machine will automatically install these hotfixes on top of the R77 installation.

For R77 version, Check Point provides a Hotfix.

Table of Contents:

Hotfix installation instructions
Workaround
How to uninstall the hotfix

Hotfix installation instructions

Show / Hide instructions

Note: In Management HA environment, this procedure must be performed on both Management Servers.

Show / Hide instructions - Gaia OS - Security Management Server - using CPUSE (Check Point Update Service Engine)
We recommend using CPUSE to install this hotfix.

Note: Hotfix has to be installed on Security Management Server.
- In Gaia Portal:
  1. Connect to the Gaia Portal on your machine.
  2. Obtain the lock over the configuration database (click on the lock icon at the top - near 'Sign Out').
  3. Navigate to the 'Software Updates' - 'Status and Actions' pane.
  4. Go to the 'Updates' tab to see the published hotfixes available for download.
  5. Select the Check_Point_R77_UDP_Hotfix_sk95056.tgz package - right-click on it - click on 'Download' (this will download the hotfix to your machine).
  6. Right-click on the Check_Point_R77_UDP_Hotfix_sk95056.tgz package - click on 'Install' (this will install the hotfix on the machine and display the installation status).
  7. When prompted for reboot (a pop up window appears), confirm to reboot the machine.
  8. Connect to R77 Security Management Server with SmartDashboard.
  9. Install policy onto all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X).
  10. Important Step: Clear all entries from the Connections kernel table on all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X):
    
    Connect to command line on Security Gateway.
    Note: Preferred way is to connect over console, because SSH connection will be disconnected when you clear all entries from the Connections kernel table.
    
    Log in to Expert mode.
    
    Clear all entries from the Connections kernel table:
    
    Note: This command does not prompt for any confirmation and its action is irreversible. All current connections will be lost!
    
    [Expert@HostName]# fw tab -t connections -x -y
- In Clish:
  1. Connect to Gaia command line (over SSH, or console).
  2. Log in to Clish shell.
  3. See the list of available packages for download:
    HostName> show installer available_packages
  4. Download this hotfix:
    HostName> installer download Check_Point_R77_UDP_Hotfix_sk95056.tgz
  5. Check the download progress by repeatedly running this command:
    HostName> show installer package_status
    Outputs for example:
    Check_Point_R77_UDP_Hotfix_sk95056.tgz - Downloading (2.95 MB/s) - Progress: 6% Check_Point_R77_UDP_Hotfix_sk95056.tgz - Available for install
  6. See the list of available packages for install:
    HostName> show installer available_local_packages
  7. Install this hotfix:
    HostName> installer install Check_Point_R77_UDP_Hotfix_sk95056.tgz
  8. Check the installation progress by repeatedly running this command:
    HostName> show installer package_status
    Outputs for example:
    Check_Point_R77_UDP_Hotfix_sk95056.tgz - Installing - Progress: 3% Check_Point_R77_UDP_Hotfix_sk95056.tgz - installed
  9. Machine will be rebooted automatically.
  10. Connect to R77 Security Management Server with SmartDashboard.
  11. Install policy onto all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X).
  12. Important Step: Clear all entries from the Connections kernel table on all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X):
    
    Connect to command line on Security Gateway.
    Note: Preferred way is to connect over console, because SSH connection will be disconnected when you clear all entries from the Connections kernel table.
    
    Log in to Expert mode.
    
    Clear all entries from the Connections kernel table:
    
    Note: This command does not prompt for any confirmation and its action is irreversible. All current connections will be lost!
    
    [Expert@HostName]# fw tab -t connections -x -y
Contact Check Point Support for any assistance.
Show / Hide instructions - Gaia / SecurePlatform / Linux OS - Security Management Server
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Security Management Server.
2. Download the relevant hotfix package:
  
  Platform R77
  
  Gaia / SecurePlatform / Linux (TGZ)
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Unpack the hotfix package:
  
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar zxvf Check_Point_R77_UDP_Hotfix_Linux_sk95056.tgz
5. Install the hotfix:
  
  [Expert@HostName]# ./UnixInstallScript
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
6. Reboot the machine.
7. Connect to R77 Security Management Server with SmartDashboard.
8. Install policy onto all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X).
9. Important Step: Clear all entries from the Connections kernel table on all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X):
  1. Connect to command line on Security Gateway.
    Note: Preferred way is to connect over console, because SSH connection will be disconnected when you clear all entries from the Connections kernel table.
  2. Log in to Expert mode.
  3. Clear all entries from the Connections kernel table:
    
    Note: This command does not prompt for any confirmation and its action is irreversible. All current connections will be lost!
    
    [Expert@HostName]# fw tab -t connections -x -y
Show / Hide instructions - Gaia / SecurePlatform / Linux OS - Multi-Domain Security Management Server
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Multi-Domain Security Management Server.
2. Download the relevant hotfix package:
  
  Platform R77
  
  Gaia / SecurePlatform / Linux (TGZ)
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Unpack the hotfix package:
  
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar zxvf Check_Point_R77_UDP_Hotfix_Linux_Multi_Domain_sk95056.tgz
5. Install the hotfix:
  
  [Expert@HostName]# ./UnixInstallScript
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
6. Reboot the machine.
7. Connect to each R77 Domain Management Server with SmartDashboard.
8. Install policy onto all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X).
9. Important Step: Clear all entries from the Connections kernel table on all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X):
  1. Connect to command line on Security Gateway.
    Note: Preferred way is to connect over console, because SSH connection will be disconnected when you clear all entries from the Connections kernel table.
  2. Log in to Expert mode.
  3. Clear all entries from the Connections kernel table:
    
    Note: This command does not prompt for any confirmation and its action is irreversible. All current connections will be lost!
    
    [Expert@HostName]# fw tab -t connections -x -y
Show / Hide instructions - IPSO OS - Security Management Server
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Security Management Server.
2. Download the relevant hotfix package:
  
  Platform R77
  
  IPSO (TGZ)
3. Transfer the hotfix package to the machine (into some directory, e.g., /some_path_to_fix/).
4. Unpack the hotfix package:
  
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar zxvf Check_Point_R77_UDP_Hotfix_IPSO6_sk95056.tgz
5. Install the hotfix:
  
  [Expert@HostName]# ./UnixInstallScript
  
  Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
6. Reboot the machine.
7. Connect to R77 Security Management Server with SmartDashboard.
8. Install policy onto all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X).
9. Important Step: Clear all entries from the Connections kernel table on all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X):
  1. Connect to command line on Security Gateway.
    Note: Preferred way is to connect over console, because SSH connection will be disconnected when you clear all entries from the Connections kernel table.
  2. Log in to Expert mode.
  3. Clear all entries from the Connections kernel table:
    
    Note: This command does not prompt for any confirmation and its action is irreversible. All current connections will be lost!
    
    [Expert@HostName]# fw tab -t connections -x -y
Show / Hide instructions - Windows OS - Security Management Server
Contact Check Point Support for any assistance.
1. Hotfix has to be installed on Security Management Server.
2. Download the relevant hotfix package:
  
  Platform R77
  
  Windows (TGZ)
3. Transfer the hotfix package to the machine (into some directory, e.g., C:\some_path_to_fix\).
4. Use any archive program (WinZIP, WinRAR, 7-Zip, TUGZip, IZArc) to unpack the Check_Point_R77_UDP_Hotfix_Windows_sk95056.tgz.
5. Install the hotfix:
  
  Right-click on the Setup.exe file - select 'Run as administrator'.
6. Reboot the machine.
7. Connect to R77 Security Management Server with SmartDashboard.
8. Install policy onto all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X).
9. Important Step: Clear all entries from the Connections kernel table on all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X):
  1. Connect to command line on Security Gateway.
    Note: Preferred way is to connect over console, because SSH connection will be disconnected when you clear all entries from the Connections kernel table.
  2. Log in to Expert mode.
  3. Clear all entries from the Connections kernel table:
    
    Note: This command does not prompt for any confirmation and its action is irreversible. All current connections will be lost!
    
    [Expert@HostName]# fw tab -t connections -x -y

Workaround

Show / Hide instructions

If you cannot install the hotfix, then as a workaround, create a temporary Host object with IPv6 address:

Connect to R77 Security Management Server / Domain Management Server with SmartDashboard.
Go to 'Manage' menu - select 'Network Objects...'.
Click on 'New...' - go to 'Node' menu - select 'Host...'.
'Host Node' window opens - assign some name and an IPv6 address - click on 'OK'.
No need to use this temporary Host object in the rulebase.
Save the changes: go to 'File' menu - click on 'Save'.
Install policy onto all Security Gateways prior to R76 (R65 / R70.X / R71.X / R75.X).

How to uninstall the hotfix

Show / Hide instructions

Unpack the hotfix package:
- On Gaia / SecurePlatform / Linux OS:
  - Security Management Server:
    
    [Expert@HostName]# cd /some_path_to_fix/
    [Expert@HostName]# tar zxvf Check_Point_R77_UDP_Hotfix_Linux_sk95056.tgz
  - Multi-Domain Security Management Server:
    
    [Expert@HostName]# cd /some_path_to_fix/
    [Expert@HostName]# tar zxvf Check_Point_R77_UDP_Hotfix_Linux_Multi_Domain_sk95056.tgz
- On IPSO OS:
  
  [Expert@HostName]# cd /some_path_to_fix/
  [Expert@HostName]# tar zxvf Check_Point_R77_UDP_Hotfix_IPSO_sk95056.tgz
- On Windows OS:
  
  Use any archive program (WinZIP, WinRAR, 7-Zip, TUGZip, IZArc) to unpack the Check_Point_R77_UDP_Hotfix_Windows_sk95056.tgz.
Run the installation program with '-u' flag:
- On Gaia / SecurePlatform / Linux / IPSO OS:
  
  [Expert@HostName]# ./UnixInstallScript -u
- On Windows OS:
  1. Open the elevated Command Prompt:
    
    Start - Programs - Accessories - right-click on 'Command Prompt' icon - select 'Run as administrator'.
  2. Navigate to the folder where you unpacked the hotfix package:
    
    DISK:\> cd "path_to_unpacked_hotfix_package"
  3. Run the installation program with '-u' flag:
    
    DISK:\path_to_unpacked_hotfix_package\> Setup.exe -u

Should get the following text on the screen:

***********************************************************
Welcome to Check Point <HOTFIX_NAME> Uninstall Utility
***********************************************************

All <HOTFIX_NAME> packages will be uninstalled.
Uninstallation program is about to stop all Check Point processes.
Do you want to continue (y/n) ?

Reboot the machine.

This solution is about products that are no longer supported and it will not be updated

Applies To:

01230727 , 01230920 , 01230933 , 01230943 , 01230991 , 01230996 , 01234464 , 01240615 , 01247733 , 01256843 , 01259570 , 01374830

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating