IPS Blade Crashes Since R71 Upgrade



kaydo
2011-03-07, 18:26
Hi all,

I am running SmartCenter on SPLAT, using version R71 which I upgraded from NGX R65 to R71.10 and then to R71.20. Whenever I go to the IPS tab, the overview page loads fine, but if I click on "Protections", a screen pops up saying "Please wait while IPS settings are loaded for the first time in this session", and then it stays for a few minutes and then SmartDashboard crashes. If I run a top during this I see fwm is spiking the CPU usage to 35% but halfway through, fwm stops doing anything and the "please wait" dialogue stays up for a few more minutes before it crashes. Can anyone help?

I can expand the "By Type", "By Protocol" sections just fine, albeit they are very slow to load. Clicking on the "protections" section though never works. The same behavior is exhibited on my coworker's client as well.

chillyjim
2011-03-07, 20:11
I have seen similar problems that were fixed by doing an IPS update (I gather it ends up replacing corrupted HTML files).

kaydo
2011-03-08, 11:02
Sorry I forgot to mention, I did an update as well and that didn't resolve the issue.

ShadowPeak.com
2011-03-08, 11:28
Since the same behavior is seen on a different SmartConsole system, that would seem to imply that the issue is located on the SmartCenter with the fwm process. Time for some debugging:

- Open the SmartDashboard and get right before the point that causes the issue

- On the SmartCenter, run "fw debug fwm on TDERROR_ALL_ALL=5"

- In the SmartDashboard click Protections and let it fail

- Back on the SmartCenter run "fw debug fwm off TDERROR_ALL_ALL=0"

- Check the file $FWDIR/log/fwm.elg on the SmartCenter and look for strings like "error", "can't", "failure"
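
The last step of the procedure above, as an added example that is not part of the original post: instead of searching the whole of fwm.elg, record its size before turning debug on and scan only what was appended during the failure. The helper names `elg_mark`, `elg_scan_since` and `elg_demo` are hypothetical, and the log lines in the self-check are constructed.

```shell
# Added example: helper names are hypothetical, not Check Point commands.

# Print the current size of a log file in bytes (0 if it does not exist).
elg_mark() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# Print the lines appended after byte offset $2 that contain one of the
# strings named in the post, numbered from the start of the debug window.
elg_scan_since() {
    size=$(elg_mark "$1")
    start=$2
    # If the file is now smaller than the mark it was rotated: scan all of it.
    if [ "$size" -lt "$start" ]; then start=0; fi
    tail -c "+$((start + 1))" "$1" | grep -inE "error|can't|failure" || true
}

# Self-check on a constructed log (made-up lines, not real fwm output).
elg_demo() {
    demo=$(mktemp)
    printf 'stale error from an earlier session\n' > "$demo"
    mark=$(elg_mark "$demo")
    printf 'fwm: loading tables\nfwm: Failure reading table\n' >> "$demo"
    elg_scan_since "$demo" "$mark"
    rm -f "$demo"
}

# On the management server:
#   mark=$(elg_mark "$FWDIR/log/fwm.elg")
#   fw debug fwm on TDERROR_ALL_ALL=5
#   (click Protections in SmartDashboard and let it fail)
#   fw debug fwm off TDERROR_ALL_ALL=0
#   elg_scan_since "$FWDIR/log/fwm.elg" "$mark"
```
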

kaydo
2011-03-09, 17:18
Thank you for your response. I tried the debugging but got nowhere so checkpoint had me delete all my protections and load the default configuration. It involved deleting a bunch of files from $FWDIR/conf and replacing with files that I was provided. After that I was good to go...albeit with all of my former configuration lost.

Eros_G
2011-03-09, 20:10
> Thank you for your response. I tried the debugging but got nowhere so checkpoint had me delete all my protections and load the default configuration. It involved deleting a bunch of files from $FWDIR/conf and replacing with files that I was provided. After that I was good to go...albeit with all of my former configuration lost.


That means it only works with default configuration?

Just another question: how did you upgrade your management server?
Because I am thinking of loading the OS (SPLAT 71.30) clean and then doing an "upgrade import" of the database.
I always run into issues directly migrating from one major version into another, without a clean install.
Just wondering if how we upgrade is where more issues are surfacing.
Thanks

kaydo
2011-03-09, 23:42
If you can get away with doing a clean install and importing your configuration, I think you are better off doing so, but you may still run into policy incompatibility issues like I did.

As for me, I upgraded using the R71.10 disc, using "patch add cd". I think dropped the R71.20 upgrade to the box via the WEBUI.

So my IPS blade works now, I just have to reconfigure all my protections. I do not have to leave it at the default configuration. Hope this answers your questions.

abusharif
2011-03-10, 09:29
Can confirm that exact behaviour on an upgraded R65->R71.10 system (SPLAT).
SmartConsole will eat memory until it reaches ~2 GB RAM and then crash.
No other profile can be chosen but the Default one (from upgrade), otherwise you get errors trying to push policy to the gateway. Creating a new profile doesn't help either.

phlegm
2011-08-16, 10:08
Same problem here as well. No fix found yet. We have a lot of customizations and I don't want to recreate them all. This happened after our upgrade from R65 to R71.30

PhoneBoy
2011-08-18, 11:15
For those of you who are having this issue, please contact me at my CPUG user @ checkpoint.com.

phlegm
2011-11-21, 11:53
Tried the Checkpoint fix after upgrading our external firewalls to R71.30

Performed the following:
Stop Check Point Servers with 'cpstop' command
Back up and then remove the following files from the $FWDIR/conf/ directory:

asm.C*
ips_attribute_extensions.C*
ips_classes.C*
ips_contexts.C*
ips_db_cfg.C*
ips_exceptions_table.C*
ips_protections_override_table.C* =====> Can also be
ips_protections_per_profile_table.C*
ips_signatures.C*
profiles.C*
ips_tables.sqlite*
applications.C*
CPMILinksMgr.db*

Untar the package (tar xzf <filename>.tgz ) in the $FWDIR/conf/ directory on the Management Server.

Start Check Point Servers with 'cpstart' command

Update IPS signatures in SmartDashboard

Install Policy onto involved Gateway(s)


The update of signatures worked and I was now able to quickly browse through the various IPS screens without hanging or slowing down the console.
When I tried to push policy I received the following errors though.

Policy Version Type Details
Network Security R70/R71 HCM_External_Gateway_Policy:
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7505: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7517: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7536: ERROR: cannot find <bf_detect_HTTP_BF_DOS> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7537: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7538: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7539: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7540: ERROR: cannot find <bf_detect_SSL_BF_DOS> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7544: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7546: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7548: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7552: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7556: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7560: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 7565: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 10720: ERROR: cannot find <ADP_CVE_2010_0043> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 13017: ERROR: cannot find <ADP_EXCEL_FNGROUP> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 13022: ERROR: cannot find <ADP_EXCEL_FNGROUP> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 13026: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 13028: ERROR: cannot find <ADP_EXCEL_FNGROUP> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 13121: ERROR: cannot find <ADP_EXCEL_MDXES> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 15980: ERROR: cannot find <ADP_EXCEL_BOUND> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 15988: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 15992: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 15994: ERROR: cannot find <ADP_EXCEL_BOUND> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 16011: ERROR: syntax error
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 16020: ERROR: cannot find <ADP_EXCEL_BOUND> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 31392: ERROR: cannot find <ADP_MS_ENTEX> anywhere
Network Security R70/R71 "/opt/CPsuite-R71/fw1/conf/updates.def", line 31409: ERROR: syntax error

Backed out by replacing the files I had copied out.

We now have another ticket open with Checkpoint. I'll keep you updated.
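
The "back up and then remove" step and the back-out described in this post, as an added example that is not part of the original post and not a Check Point script: each listed file is copied and verified before any original is deleted, so the rollback used here stays possible. The helper names `ips_conf_backup` and `ips_conf_restore` are hypothetical; the file patterns are the ones listed in the post.

```shell
# Added example: helper names are hypothetical. Run between cpstop and cpstart.
IPS_PATTERNS='asm.C* ips_attribute_extensions.C* ips_classes.C* ips_contexts.C*
ips_db_cfg.C* ips_exceptions_table.C* ips_protections_override_table.C*
ips_protections_per_profile_table.C* ips_signatures.C* profiles.C*
ips_tables.sqlite* applications.C* CPMILinksMgr.db*'

# Copy every matching file from conf dir $1 into a NEW backup dir $2, verify
# each copy byte for byte, then remove the originals. Prints the file count.
ips_conf_backup() {
    conf=$1; bak=$2
    mkdir "$bak" || return 1               # refuse to reuse an old backup dir
    set -f; set -- $IPS_PATTERNS; set +f   # split the list without globbing
    # Pass 1: copy and verify. Nothing is deleted if any copy fails.
    for pat in "$@"; do
        for f in "$conf"/$pat; do
            [ -f "$f" ] || continue        # pattern matched nothing
            cp -p "$f" "$bak/" && cmp -s "$f" "$bak/${f##*/}" || return 1
        done
    done
    # Pass 2: remove only the originals that now have a verified copy.
    for f in "$bak"/*; do
        [ -f "$f" ] || continue
        rm -f "$conf/${f##*/}"
    done
    ls "$bak" | wc -l | tr -d ' '
}

# Back out: put the saved files back into the conf directory.
ips_conf_restore() {
    conf=$1; bak=$2
    for f in "$bak"/*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$conf/" || return 1
    done
}
```
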

phlegm
2011-12-06, 11:00
Finally got it working. I had to perform the procedure above but with a different package of good files supplied by Checkpoint.
After this I had to do an IPS update but an offline one using a file provided by Checkpoint. This fixed everything up and I can now browse quickly through all of the IPS protections. Unfortunately it also means that we lost all of our customizations so I'm in the process of building and trying to implement a new profile.