SmartDefense upgrade breaks policy install



andreworg
2009-09-16, 09:16
I am experiencing a problem with SmartDefense signature upgrade on:

[Expert@fw]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006

After updating the SmartDefense service to the purported latest release, I am getting the following errors when executing Policy -> Install:


Policy Version Type Details
Advanced Security NGX Standard:
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/updates.def", line 21054: ERROR: unknown macro or function <INSPECT_STRSTR_1>
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/updates.def", line 21063: ERROR: cannot find <Scirpt> anywhere
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/Standard.pf", line 21469: ERROR: function <block_script_block_code> undefined
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/Standard.pf", line 21470: ERROR: syntax error
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/Standard.pf", line 21471: ERROR: syntax error
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/Standard.pf", line 21472: ERROR: syntax error
[… several lines all alike]
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/Standard.pf", line 21679: ERROR: syntax error
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/Standard.pf", line 21680: ERROR: syntax error
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/Standard.pf", line 21681: ERROR: syntax error
Advanced Security NGX Compilation failed.

Choosing not to apply SmartDefense on the gateway results in the policy being installed correctly.
This is a single-host installation (SCS and enforcement point are on the same host).

There appears to be something unusual about the latest update.
In the “SmartDefense Services” tab, the update is marked “Unknown Date (Build 618090910)”. The former update was marked “Sep 10, 2009 (Build 602090910)”, but the referenced list of updates looks exactly the same for both updates.
Also, the tray balloon advertising the 618090910 update (popping up from the SmartDashboard client) carries a link that reads “Version Information”, leading to:
http://www.checkpoint.com/defense/advisories/public/updates/r602/update_info.html.
It is also interesting to note that http://www.checkpoint.com/defense/advisories/public/updates/r618/update_info.html exists and looks exactly the same as the above.

I tried to push back the current SmartDefense Build number (as described in sk24756). I succeeded in triggering a new SmartDefense upgrade, but the problem persists.

I have a full backup but it is quite old. Would it be possible to identify the files involved in the SmartDefense upgrade and selectively restore them from the old backup?

Is there a way to downgrade SmartDefense to a specific release (maybe using the dbedit trick from sk24756)?

I was thinking that applying the latest HFA could solve this issue. CP support thinks otherwise; their take is that this should be a database issue, and as such it won't be fixed by applying an HFA. What do you think?

Thanks,

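Added example, not from the post or from Check Point: a small Python triage helper for the policy-install compiler output quoted above. It parses the `Advanced Security NGX "<file>", line N: ERROR: <msg>` lines, separates the first real error per file from the cascade of `syntax error` lines that follow it, and lists the symbols the compiler reports as missing. The sample text is constructed from the lines in the post.

```python
import re
from collections import OrderedDict

# Constructed sample: a few of the compile lines quoted in the post, same format.
SAMPLE = """Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/updates.def", line 21054: ERROR: unknown macro or function <INSPECT_STRSTR_1>
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/updates.def", line 21063: ERROR: cannot find <Scirpt> anywhere
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/Standard.pf", line 21469: ERROR: function <block_script_block_code> undefined
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/Standard.pf", line 21470: ERROR: syntax error
Advanced Security NGX "/opt/CPsuite-R65/fw1/conf/Standard.pf", line 21471: ERROR: syntax error
Advanced Security NGX Compilation failed.
"""

# One compiler diagnostic: policy type, quoted file, line number, message.
ERR_RE = re.compile(
    r'^Advanced Security \S+ "(?P<file>[^"]+)", line (?P<line>\d+): ERROR: (?P<msg>.*)$'
)

def parse_errors(text):
    """Return (file, line, message) for every ERROR line; other lines are ignored."""
    errors = []
    for raw in text.splitlines():
        m = ERR_RE.match(raw.strip())
        if m:
            errors.append((m.group("file"), int(m.group("line")), m.group("msg")))
    return errors

def root_cause(errors):
    """First non-'syntax error' diagnostic in compile order: the lead to chase.
    Cascading syntax errors in Standard.pf usually stem from an earlier definition
    that failed to compile (here, an unknown macro in updates.def)."""
    for entry in errors:
        if entry[2] != "syntax error":
            return entry
    return None

def missing_symbols(errors):
    """Names the compiler could not resolve, in order of first appearance."""
    seen = OrderedDict()
    for _, _, msg in errors:
        for name in re.findall(r"<([^>]+)>", msg):
            seen.setdefault(name, True)
    return list(seen)

def per_file_summary(errors):
    """Per file: first error and how many follow-on 'syntax error' lines it produced."""
    report = OrderedDict()
    for f, ln, msg in errors:
        entry = report.setdefault(f, {"first": (ln, msg), "cascade": 0, "total": 0})
        entry["total"] += 1
        entry["cascade"] += msg == "syntax error"
    return report
```

Running `per_file_summary(parse_errors(SAMPLE))` collapses the wall of repeated `syntax error` lines to one entry per file, which makes it obvious that the real problem sits in `updates.def` rather than in the policy itself.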
andreworg
2009-09-18, 09:52
Update

Check Point official support provided me with a solution.

Looks like there was a dependency problem in one of the defense definitions.

Web Intelligence -> HTTP client protections -> Microsoft Internet Explorer Vulnerabilities -> Block Script Error Memory Corruption (MS06-072)

should be dependent on

Web Intelligence -> HTTP client protections -> Microsoft Internet Explorer Vulnerabilities -> Block Microsoft agent remote code execution (MS06-068)

Installing the latest SmartDefense db update and disabling defense for MS06-072, as instructed, fixed the issue.

Interestingly enough, the new update is marked 618090917; same build progressive number (618) as my former latest update, datestamp updated. I'd like to understand what happened exactly. In the meantime, kudos to CP support!