CheckPoint FW-1 NG AI Install Failing

[ahreece]

I have run into an exaperating problem involving a CheckPoint Enterprise install. The envrionment is a Sun Enterprise 450 multiprocessor with 3 Gigs of memory and running Solaris 8 (02/04 Edition). There are 7 quad ethernets (not my idea). There are two 36 gig hard drives that are mirrored using DiskSuite4.2.1. It is a locked down Solaris install using minimum packages based on Lance Spitzner's guidelines. I also installed the latest Sun Cluster patch (and yes, I have been burnt by that silly 110934 patch issue, but rolling it out doesn't seem to solve the problem).

I have tried to install the following versions of CheckPoint, all with no sucess:
- NG with AI R54 (this is the primary one)
- NG with AI R55 + HFA 14
- NG with AI R55 + HFA 15
- A manually modified version of R55 that included HFA16.
I have tried installing both the enforcement module and the enforcement module + logging module and it hangs at the same spot.

The SVN foundation installs fine, but when the install script attempts to install VPN-1 & Firewall-1, it gets so far then hangs. Specifically, it installs everything and then it tries to register the new compents into the CheckPoint registry. After a couple of minutes, the CPRegSvr process will hit 100% on one of the CPUs and just stay there. It's a good thing the box has four processors or I'd never be able to get on remotely.

I've sending hangup signals (HUP) to the process, but that just kills it. The funny thing is the script seems to continue after that. The R55 installs finish installing, but R54 hangs on the fw1 process while trying to generate the default filters. However, once the install completes, everything seems like it might work, but when I run the cpinfo script, it tells me that there are NO CheckPoint componets registered, so I don't really trust it, and this box eventually has to go into production.

There appears to be nothing in the CheckPoint knowledgebase about the CPRegSvr process and who thought it was a good idea to duplicate the Windows registry on Solaris anyway? (Sorry, *NIX-biased rant.) Or more accurately, why isn't it working on my system? Has anyone else seen this or a similar problem?

Adam.

[Tenchi-Man]

The latest Solaris patch cluster caused the problem.

By experience, the following patches should be removed.

Solaris 8:
- 109147-31 through 109147-37 or later (ld security update for Solaris 8)
- 110934-20 (pkgadd patch for Solaris 8)

Solaris 9:
- 112963-16 through 112963-23 or later (ld security update)
- 113713-17 (pkgadd patch)

[intehnet]

yes, this is a very common and annoying problem! i've lost count of how many times this has tricked me!
Remove the patches, install the product, then re-add the patches.

[ahreece]

That was the problem of course. Everything installed fine once the patches removed. And of course, once you know what the problem is, you can find the solution on Check Points knowledgebase.

Which brings up an intersting question. I've noticed that CheckPoint's stance on the patches seems to be "they aren't supported." Which brings up another question: Once the patches are removed, should they be re-applied?

[Lackie]

Below is a snip from a Nokia resolution. My suggestion is not to re-install the patches.

When Solaris patch 11963-22 is installed, a modification to the file ld.so.1 is made which will cause an existing Check Point installation to stop working. This also prevents Check Point from being installed.

Other patches that modify the file ld.so.1 are:

SPARC Platform
- Solaris 8 with patch 109147-37 or later
- Solaris 9 with patch 112963-22 or later
- Solaris 10 with patch 117461-04 or later

x86 Platform
- Solaris 8 with patch 109148-37 or later
- Solaris 9 with patch 113986-18 or later

[intehnet]

i'm not sure why you wouldn't re-install the patch.. it only affects the installation process as far as i've been told?

[Lackie]

I know that 11963-22 affects more than the install. Not sure about the rest.

[intehnet]

ah ok

113713-17 (pkgadd patch)

that's the patch that has given me issues before, i always put it back on after installing FW1, and have no problems

[begemot]

Official answer from our CheckPoint partner:

You should NOT use the following patches at all:

- Solaris 8 109147-37
- Solaris 9 112963-22
- Solaris 10 117461-04

Checkpoint product manager works this issue directly with SUN.
As soon as this issue will be solved you will see a note at Sun website.

PS. with this patches many CP services dumps core ( fwm, fwd, etc)

[blackberry]

I confirm for Solaris8 the rev 109147-38 causes same problems to Checkpoint NG FP3 HFA325 and you need to remove it in order to end the installation without errors.

Sun Microsystems released the 109147-39 but i didn't tried yet.

[blackberry]

109147-40 finally works! fine on MDS and NGFP3


# patchadd 109147-40

Checking installed patches...
Verifying sufficient filesystem capacity (dry run method)...
Installing patch packages...

Patch number 109147-40 has been successfully installed.
See /var/sadm/patch/109147-40/log for details

Patch packages installed:
SUNWcsl
SUNWcslx
SUNWcsr
SUNWcsu
SUNWcsxu


# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 3 Build 53920

# fw stat
HOST POLICY DATE
localhost - - :

[intehnet]

nice! thanks for the update :)