CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #21 (permalink)  
Old 2007-02-28
Junior Member
 
Join Date: 2006-06-28
Posts: 28
Rep Power: 0
thebuffman has an average reputation (10+)
Default Re: R60_HFA05

Does anyone know of a script that can be used for .def file upgrades? I am not well stooped in Linux and it takes forever to replace those things, there are tons of them.
Reply With Quote
  #22 (permalink)  
Old 2007-02-28
Junior Member
 
Join Date: 2007-02-09
Posts: 6
Rep Power: 0
mhinman has an average reputation (10+)
Default Re: R60_HFA05

I am new to CP and was hoping someone could tell me how I determine what HFA I have installed.
Reply With Quote
  #23 (permalink)  
Old 2007-02-28
Senior Member
 
Join Date: 2006-01-26
Location: Moscow, Russia
Posts: 706
Rep Power: 3
kva.kva has an average reputation (10+)
Default Re: R60_HFA05

Quote:
Originally Posted by mhinman View Post
I am new to CP and was hoping someone could tell me how I determine what HFA I have installed.
Use SmartUpdate console.
Reply With Quote
  #24 (permalink)  
Old 2007-02-28
Senior Member
 
Join Date: 2006-01-25
Posts: 920
Rep Power: 3
melipla has an average reputation (10+)
Default Re: R60_HFA05

Quote:
Originally Posted by kva.kva View Post
Use SmartUpdate console.
Or, if you can access the CLI, use "fw ver". If you have an HFA installed, it will be listed w/version number. If you're at the base version, hfa will not be listed.

Quote:
Does anyone know of a script that can be used for .def file upgrades? I am not well stooped in Linux and it takes forever to replace those things, there are tons of them.
I wish I did....at least you can be thankful that all the individual updates are now in one bundle. The next step is an intelligent .def updater. :)
__________________
It's all in the documentation.
Reply With Quote
  #25 (permalink)  
Old 2007-03-01
Member
 
Join Date: 2006-01-04
Location: Germany
Posts: 36
Rep Power: 0
Tetaworx has an average reputation (10+)
Default Re: R60_HFA05

Quote:
Originally Posted by thebuffman View Post
Does anyone know of a script that can be used for .def file upgrades? I am not well stooped in Linux and it takes forever to replace those things, there are tons of them.
First you should check which files were updated:

# ls -al *HFA.def

Then I think you have to copy them one by one...

i.e.:

cp snmp_HFA.def snmp.def

Don't forget to do a "cpstop" before and a "cpstart" afterwards. Then you have to reinstall the policy to push the changes to the enforcement points.

But take care: if you have made manual changes to the .def files, you have to sync these changes manually with the updated files.

I think there is no other way at the moment.
Reply With Quote
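
The manual procedure from the post above (find the *HFA.def files, copy each over its base file), as an added shell example that is not part of the original thread and is not Check Point tooling. It assumes the files sit in one directory passed as an argument and follow the <name>_HFA.def naming of the post's snmp example; the function name apply_hfa_defs and the backup layout are hypothetical. Every replaced file is backed up with a diff, so manual changes can be merged back by hand.

```shell
#!/bin/sh
# Added example: bulk version of "cp snmp_HFA.def snmp.def" from the post.
# Per the post: run "cpstop" first, "cpstart" afterwards, then reinstall policy.
# apply_hfa_defs and the backup directory naming are hypothetical.
# Usage: . ./apply_hfa_defs.sh; apply_hfa_defs /path/to/def/files

# apply_hfa_defs DIR [BACKUP_DIR]
# For every DIR/<name>_HFA.def, back up DIR/<name>.def and overwrite it.
# Sets REPLACED and SKIPPED; returns 1 if DIR is missing or a copy fails.
apply_hfa_defs() {
    dir=$1
    backup=${2:-$dir/def_backup.$(date +%Y%m%d%H%M%S)}
    REPLACED=0
    SKIPPED=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    mkdir -p "$backup" || return 1

    for hfa in "$dir"/*_HFA.def; do
        [ -f "$hfa" ] || continue          # glob matched nothing
        base=${hfa%_HFA.def}.def
        name=$(basename "$base")
        if [ -f "$base" ] && cmp -s "$hfa" "$base"; then
            SKIPPED=$((SKIPPED + 1))       # already identical, leave alone
            continue
        fi
        if [ -f "$base" ]; then
            # Keep the old file: manual edits must be merged back by hand.
            cp -p "$base" "$backup/$name" || return 1
            # diff exits 1 when files differ; that is expected here.
            diff "$backup/$name" "$hfa" > "$backup/$name.diff" || true
        fi
        cp "$hfa" "$base" || return 1
        REPLACED=$((REPLACED + 1))
        echo "replaced $name (old copy and diff in $backup)"
    done
    echo "done: $REPLACED replaced, $SKIPPED already current"
}
```

Review each .diff in the backup directory before starting the services again; lines present only in the old file are candidates for local changes that the copy has overwritten.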
  #26 (permalink)  
Old 2007-03-01
Member
 
Join Date: 2006-01-04
Location: Germany
Posts: 36
Rep Power: 0
Tetaworx has an average reputation (10+)
Default Re: R60_HFA05

Quote:
Originally Posted by melipla View Post
Or, if you can access the CLI, use "fw ver". If you have an HFA installed, it will be listed w/version number. If you're at the base version, hfa will not be listed. [...]
fw ver -k shows even a bit more and you can compare the output with the expected output from the corresponding hfa-release notes.
Reply With Quote
  #27 (permalink)  
Old 2007-03-01
Junior Member
 
Join Date: 2006-10-18
Posts: 16
Rep Power: 0
joeri has an average reputation (10+)
Default Re: R60_HFA05

Does anyone have an idea how you can get this activated:

R60_05-24:
Cannot globally allow out-of-state packets for a specific gateway.
Install On: Gateway

So we would be able to activate/de-activate out-of-state packets for each gateway separately, any idea how this can be done?

I don't see the option to change it in smartdashboard (after installing HFA05), there it's still globally only...

thanks !
Reply With Quote
  #28 (permalink)  
Old 2007-03-01
Senior Member
 
Join Date: 2006-04-27
Location: Twillight zone
Posts: 465
Rep Power: 3
abusharif has an average reputation (10+)
Default Re: R60_HFA05

Quote:
Originally Posted by joeri View Post
Does anyone have an idea how you can get this activated:

R60_05-24:
Cannot globally allow out-of-state packets for a specific gateway.
Install On: Gateway

So we would be able to activate/de-activate out-of-state packets for each gateway separately, any idea how this can be done?

I don't see the option to change it in smartdashboard (after installing HFA05), there it's still globally only...

thanks !
global properties, stateful inspection, "drop out of state tcp packets"
Reply With Quote
  #29 (permalink)  
Old 2007-03-01
Junior Member
 
Join Date: 2006-10-18
Posts: 16
Rep Power: 0
joeri has an average reputation (10+)
Default Re: R60_HFA05

Well, that's the problem! It's still GLOBAL as before, not able to activate or de-activate it on a specific gateway... as the solution describes.
Reply With Quote
  #30 (permalink)  
Old 2007-03-01
Senior Member
 
Join Date: 2006-04-27
Location: Twillight zone
Posts: 465
Rep Power: 3
abusharif has an average reputation (10+)
Default Re: R60_HFA05

Quote:
Originally Posted by joeri View Post
Well, that's the problem! It's still GLOBAL as before, not able to activate or de-activate it on a specific gateway... as the solution describes.

Ahh sorry, misread it...

Well, I don't have any HFA05 out yet, but since no changes are made to the GUI part I would think it's a guidbedit / dbedit change needed. So after SmartCenter is upgraded to HFA05, connect with guidbedit / dbedit to it and check properties and values of your network_objects checkpoint gate...... it's a guess tho..
Reply With Quote
  #31 (permalink)  
Old 2007-03-01
Junior Member
 
Join Date: 2006-10-18
Posts: 16
Rep Power: 0
joeri has an average reputation (10+)
Default Re: R60_HFA05

Not able to find it on dbedit specific for gateway, I would assume that the option is there - even when gateways are not running HFA05.
The global "out-of-state" is in there.

I still need to copy *HFA.def files over original ones, the new inspect code only gets activated when def files are replaced, so I'll give that a try...
Reply With Quote
  #32 (permalink)  
Old 2007-04-09
Junior Member
 
Join Date: 2006-12-22
Posts: 7
Rep Power: 0
th3_jok3r has an average reputation (10+)
Default Re: R60_HFA05

Can I, after applying HFA05, if I get any problem, take my installation back to a restore point from before the installation of HFA05?

This is my first update and I need to know whether applying HFAs will give me some problem, because I have already had problems updating, for example, Microsoft's service packs... :)
Reply With Quote
  #33 (permalink)  
Old 2007-04-10
Senior Member
 
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 909
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: R60_HFA05

I've never read of anyone having a problem uninstalling an HFA. Once I had to uninstall three of them in a row (rebooting between each one). An HFA caused an obscure issue and by the time we figured out what it was we were a couple of HFA's beyond it. It went perfectly.

This was a case where Check Point would have a custom hotfix available in two days, but I was leaving in an hour for a week's vacation, and now that we knew the cause, we didn't want people to keep having the issue for another week. That's why I elected to do the HFA uninstalls.

Ray
Reply With Quote
  #34 (permalink)  
Old 2007-04-13
Senior Member
 
Join Date: 2006-01-25
Posts: 920
Rep Power: 3
melipla has an average reputation (10+)
Default Re: R60_HFA05

Quote:
Originally Posted by RayPesek View Post
I've never read of anyone having a problem uninstalling an HFA.
Leave it to me....because I have. Let's just say that running out of disk space is a "bad thing", particularly when installing an HFA.

And no, you can't roll back the SPLAT portion of an HFA... But a snapshot and revert should CYA.
Reply With Quote
  #35 (permalink)  
Old 2007-04-13
Senior Member
 
Join Date: 2006-03-19
Location: Northern Ohio
Posts: 909
Rep Power: 3
RayPesek has an average reputation (10+)
Default Re: R60_HFA05

Ahhh, another lesson learned. I always thought it was dumb that the HFA's do not check for disk space first and I did not know about the SPLAT non-roll-back problem 'cause I'm using IPSO.

I, however, can confess to running a Nokia box out of disk space by trying to upload too many IPSO images. But only once. :-)

Thank you very much,

Ray
Reply With Quote