R65 HFA02 released

[Porter]

other question about the dynamic ips with edges...is there a open issue?

thanks again!

[Porter]

CP mentioned that the installation issue of the edges could be resolved if Smartdefense will be updated. I already have the 7.5.33 in use so I won't be able to find out if that will work, someone around who can confirm this?

[Thorpuse]

Quote:

Originally Posted by RayPesek

>> VPN-1 Embedded Connector 7.0.1.2 starting


Personally I have no issues with requiring certs for managed Edge VPN's. They are far more secure than pre-shared keys and allow the use of DHCP Internet connections on the Edge's.

Ray

The problem comes when you need to use the Edge devices in a community that includes non-Check Point or externally managed devices that don't use a cert issued from your CA. It's a real pain....

[Porter]

Quote:

Originally Posted by Porter

CP mentioned that the installation issue of the edges could be resolved if Smartdefense will be updated. I already have the 7.5.33 in use so I won't be able to find out if that will work, someone around who can confirm this?

did a test in the lab, issues still exists, only difference is the error message itself

[joris]

We are having the same problems with our edge devices after installing HFA02
Don't have them with HFA01 though.

Porter, you say that installing libsw version 7.5.33 solved your problem?
I also can't find them, is it possible that you mail me those files?


thx.
----> problem solved, thx <-----

[Olivn]

upgrade_export does not work anymore after upgrade to HFA02.

upgrade_export -d /var/opt/tmp/fwconf
....
Building configuration file...
[ 21506 1]@[2 Nov 16:21:49] WriteToFile: Error >> Got NULL argument
[ 21506 1]@[2 Nov 16:21:49] BuildConfigurationFile: Error >> Failed to write 'Plugins' to configuration file
Error: Failed to read local configuration info

[chuachongchee]

Using it for a local customer.... no problems so far?

[dantro]

The HFA_02 has been revised today. Please download it again. Sorry for any inconvenience this may cause you.

[abusharif]

for problems related to pushing policy to edge devices with hfa_02 check KB sk33821. There is a hotfix for this.

[melipla]

Quote:

Originally Posted by abusharif

for problems related to pushing policy to edge devices with hfa_02 check KB sk33821. There is a hotfix for this.

If I use the revised HFA will I also need to install this HF?

[abusharif]

Quote:

Originally Posted by melipla

If I use the revised HFA will I also need to install this HF?

to be honest no idea, since checkpoint publish modified hfa packages without really explaining what they modified in them. RN for revised hfa still point to that kb article so I guess patch is still needed or they forgot to update RN :(

[melipla]

And to answer my own question, the download for HFA2 has this notation below it:

Users of VPN-1 Edge/Embedded, please refer to sk33821

Given that it appears HFA2 does not include it. The HFA listed shows a date of Oct 21 which was the original release date, so I'm not sure what you mean by revised Dantro--it appears to be the same.

*Edit* Dang Abusharif you're fast to respond...you bet me to it!

[pat13b]

looks like this was revised. The release notes have a date of Nov. 7th

yet, same revision level and the file has a date of Oct 21st. What the hell is up with that ????


What’s New
• DCERPC traffic is enabled in Monitor-Only mode.
• Enhanced memory usage during automatic Anti-Virus updates.
• On SecurePlatform, monitoring system load by using the uptime command has been improved.
• VPN-1 Edge Firmware 7.5.29 is now supported.

[Thorpuse]

My spies advised me that a new HFA_02 was being published at the end of the week, to fix Edge installation problems and a few other issues. Why they don't call this HFA_03 and confuse us all with varying HFA_02 release numbers is beyond me, but not without precedent.

A post HFA_02 hotfix for people who have already installed HFA_02 and need the fix is supposed to be available - see sk33821 in SecureKnowledge.

I'm going to wait until a formal HFA_03 release - it seems like CP have been a bit too hasty on the QA process on this one. Reminds me a bit of NG FP2.... :P

[Porter]

Quote:

Originally Posted by Thorpuse

My spies advised me that a new HFA_02 was being published at the end of the week, to fix Edge installation problems and a few other issues. Why they don't call this HFA_03 and confuse us all with varying HFA_02 release numbers is beyond me, but not without precedent.

A post HFA_02 hotfix for people who have already installed HFA_02 and need the fix is supposed to be available - see sk33821 in SecureKnowledge.

I'm going to wait until a formal HFA_03 release - it seems like CP have been a bit too hasty on the QA process on this one. Reminds me a bit of NG FP2.... :P

you're right! typicall CP behavior of the last time...can't understand why they work in this manner

[RayPesek]

Check Point recently revised the HFA02 release notes to add a note about a new article:

Installing VPN-1 Pro NGX R65 HFA_02 causes install policy failure on VPN-1 Edge device - Solution ID: #sk33821

There's a hotfix attached to it.

Ray

[ennerr]

Has somebody gotten HFA02 (with hf229) to work with centrally managed Nokia IP60w edge devices? I´d like to know if somebody has managed to stabilize (ie policy install works every time without devices crashing randomly) this setup somehow.

[Tommo]

Hi All,

Just for info, did an install on a customer site the other day. 2 things to be aware of (plus solutions ;-) )

Edge / Embedded gateway issues - you can break policy push to your Edges with R65 HFA02

CP mailed this to us:

Hi,

This Email is relevant to you only if you are using VPN-1 Edge/Embedded and installed R65 HFA02.

R65 HFA02 released recently includes a problem which may cause policy installation on VPN-1 Edge/Embedded devices to fail. The problem does not have any implications on users of other types of gateways.

For customers who already downloaded and deployed R65 HFA02, we have released a hotfix that can be installed on top of the R65 HFA02 installation. Instructions for installing the hotfix can be found in sk33821.

Next week we will release a replacement for HFA02 that will eliminate this problem.

We are sorry for the inconvenience created by this problem.


Secondly, there's the upgrade toolsthat may break too. I got a new copy of upgrade_import/export form one of the guys in Israel I'm working with at the mo, so if anyone else gets Error: Failed to read local configuration info., I've got an updated one if you need ;-)

[hotice_]

Can anyone post a link as to where I can get the new upgrade_export tool?

[chuachongchee]

I'm using the one downloaded from the usercenter? Have tried to use that to upgrade_export/import without any problems? Tried on RHEL3.0 and SPLAT..

Also tried to import using the upgrade_import from the system itself.. ok soo far to..