CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Upgrade Provider-1 R77.30 to R80.10 issue (is R80.10 ready for prime time).

  1. #1

    Scenario: a single Provider-1 R77.30 with JHFA 216 with a single CMA managing about 14 gateway clusters (mixture of R75.47 and R77.30). There are also two stand-alone log servers, also R77.30 with JHFA 216.

    There is also Splunk to extract the logs via LEA and Tufin to manage the environment.

    When I tried to upgrade the Provider-1 box to R80.10 using "mds_setup" and ran the check, I got these errors:

    * Description: The database contains objects with non-Unicode characters. Remove the non-Unicode characters or follow the
    instructions in sk114739 before running the upgrade process.


    Title: Log Server on Domain Management Server
    -----
    * Description: Log Servers on Domain Management Server level are not yet supported in R80.10. We aim to support this feature soon. See sk117159 for details.

    To resolve, before you continue with upgrade, remove these objects:
    vafwlogoc002
    mdfwlogoc002



    1- I thought R80.10 fixes the issue when you have "non-ASCII" characters in the "comments" fields.
    2- My log servers are also R77.30, why is it not supported? I guess R80.10 is not ready for prime time.

    My environment is so simple that I wouldn't expect issues upgrading from R77.30 to R80.10, and yet it is there.

    Thoughts?


    *******************************************************************************

    Welcome to the Check Point setup center for Multi-Domain Security Management.
    This utility will guide you through the installation or upgrade process.

    Version: R80.10

    *******************************************************************************


    Checking for installed components. This may take a few seconds.
    Please wait...


    mds_setup has detected that your system has:
    Multi-Domain Security Management R77.30 installed


    Please choose one of the following:

    (1) Run Pre-upgrade verification only [recommended before upgrade]
    (2) Upgrade to R80.10
    (3) Backup current Multi-Domain Server
    (4) Export current Multi-Domain Server
    Or 'Q' to quit.

    Please enter your choice: 1

    Pre Upgrade verification tools will now run.
    No modifications to your existing installation will be made.
    A file containing all the messages will be available when the
    verification process completes.
    The messages generated by the verification tools will be available in:
    /opt/CPInstLog/verification_tools_report


    Hit Return to continue


    Performing verifications on currently installed version
    ======================================================================
    >>> Executing Source Version Upgrade Path Checker

    ======================================================================
    >>> Executing Domains Without Management Servers Test

    ======================================================================
    >>> Executing Domains With No Hosting Multi Domain Servers Test

    ======================================================================
    >>> Executing Domains With Out Of Date Global Policies Test

    ======================================================================
    >>> Executing Enable For Global Use Feature Test

    ======================================================================
    >>> Executing Global IPS Modes Detector

    ======================================================================
    >>> Executing Renamed Global Objects Detector

    ======================================================================
    >>> Executing Assign Only Used Global Objects Feature Detector

    ======================================================================
    >>> Executing Multiple Domain Management Servers with the same ICA Keys Detector

    ======================================================================
    >>> Executing Domain Servers Missing From Database

    ======================================================================
    >>> Executing Missing Domain Server Directories

    ======================================================================
    >>> Executing Non Existent Assigned Global Policies Test

    ======================================================================
    >>> Executing Security Management Server Pre Upgrade Verifier
    === Running for: global database ... Ended successfully.
    === Running for: cma-192.168.1.10 ... Ended with messages. Please check the log file.

    Error: Some errors were found for at least one Domain Management Server. Please check the log file.
    ----------------------------------------------------------------------
    Security Management Server Pre Upgrade Verifier completed with errors.








    Error: Multi-Domain Server PRE-UPGRADE VERIFICATION FAILED. PLEASE CORRECT THE ABOVE ERRORS.

    The messages generated by the verification tools are saved in the following formats:
    /opt/CPInstLog/verification_tools_report (text file)
    /opt/CPInstLog/verification_tools_report.html
    /opt/CPInstLog/verification_tools_report.xls
    Would you like to view it now using "/bin/more" [yes/no] ? yes
    Multi-Domain Server Pre Upgrade Log File
    ======================================================================
    >>> Executing Source Version Upgrade Path Checker

    ======================================================================
    >>> Executing Domains Without Management Servers Test

    ======================================================================
    >>> Executing Domains With No Hosting Multi Domain Servers Test

    ======================================================================
    >>> Executing Domains With Out Of Date Global Policies Test

    ======================================================================
    >>> Executing Enable For Global Use Feature Test

    ======================================================================
    >>> Executing Global IPS Modes Detector

    ======================================================================
    >>> Executing Renamed Global Objects Detector

    ======================================================================
    >>> Executing Assign Only Used Global Objects Feature Detector

    ======================================================================
    >>> Executing Multiple Domain Management Servers with the same ICA Keys Detector

    ======================================================================
    >>> Executing Domain Servers Missing From Database

    ======================================================================
    >>> Executing Missing Domain Server Directories

    ======================================================================
    >>> Executing Non Existent Assigned Global Policies Test

    ======================================================================
    >>> Executing Security Management Server Pre Upgrade Verifier
    === Running for: global database ... Ended successfully.
    === Running for: cma-192.168.1.10 ... Ended with messages. Please check the log file.
    The following messages were received for Domain Management Server: cma-192.168.1.10:


    ================================
    Action items before upgrade:
    ================================

    Errors found! To create a working environment, the errors must be corrected.
    ==============================================================================


    Title: Objects with non-Unicode characters
    -----
    * Description: The database contains objects with non-Unicode characters. Remove the non-Unicode characters or follow the
    instructions in sk114739 before running the upgrade process.

    These tables contain objects with non-Unicode characters:

    fw_policies
    network_objects



    Title: Log Server on Domain Management Server
    -----
    * Description: Log Servers on Domain Management Server level are not yet supported in R80.10. We aim to support this feature soon. See sk117159 for details.

    To resolve, before you continue with upgrade, remove these objects:
    vafwlogoc002
    mdfwlogoc002



    Warnings: It is recommended to resolve the following problems.
    ==============================================================


    Title: INSPECT manual changes
    -----
    * Description: Some changes in Security Gateway behavior require manual changes in INSPECT files. These files are overwritten with new versions when you upgrade. Sometimes, you must apply the changes again on the new INSPECT files. In other cases, there are new GUI options to set.
    * Impacts: If changes are lost after the upgrade, the Security Gateway might not work as expected.
    * To Do: Check if changes are needed in the new version, if so, merge them manually to the relevant file.

    This problem will occur in the following files:

    R80 Gateways (/opt/CPmds-R77/customers/cma-192.168.1.10/CPsuite-R77/fw1/lib)
    "dcerpc.def"


    Title: Names conflicts with new default objects
    -----
    * Description: Check Point has added 36 protocols and 33 services to the default database. A number of these new default
    objects conflict with existing user objects.

    To resolve the issue, rename these objects:
    Services:
    RDP

    Comment: if you choose to leave objects as is, during upgrade process "_" will be added as suffix to each object name which conflicts default database.


    ==============================================================
    Action items after upgrade, before first installation:
    ==============================================================


    Warnings: It is recommended to resolve the following problems.
    ==============================================================


    Title: OPSEC was modified in R80.
    -----
    * Description: The Database includes one or more OPSEC applications.

    Please check your OPSEC vendor documentation for the following applications:

    SplunkLEA-VA
    SplunkLEA-MD
    SplunkLEA-CA
    tufnc001
    SplunkLEA-FL




    Error: Some errors were found for at least one Domain Management Server. Please check the log file.
    ----------------------------------------------------------------------
    Security Management Server Pre Upgrade Verifier completed with errors.


    A log file was created: /opt/CPInstLog/mds_setup_05_22_15_35.log

  2. #2

    Hi,

    You can complete the upgrade without removing the non-Unicode chars by following the guidelines in the sk.
    https://supportcenter.checkpoint.com...t=Multi-Domain

    As the Pre Upgrade Verifier says, we work to resolve the log servers on domain management server issue.
    Meanwhile, if you are using Multi-Domain Log Server, you can use Domain Log Server.

    We would be glad to assist with any upgrade issue to R80.10.
    We would appreciate your further feedback about the upgrade to R80.10 and the experience after completing the upgrade.

    Regards,
    Arik

  3. #3

    Quote Originally Posted by arikgold View Post
    Hi,

    You can complete the upgrade without removing the non-Unicode chars by following the guidelines in the sk.
    https://supportcenter.checkpoint.com...t=Multi-Domain

    As the Pre Upgrade Verifier says, we work to resolve the log servers on domain management server issue.
    Meanwhile, if you are using Multi-Domain Log Server, you can use Domain Log Server.

    We would be glad to assist with any upgrade issue to R80.10.
    We would appreciate your further feedback about the upgrade to R80.10 and the experience after completing the upgrade.

    Regards,
    Arik
    Basically what you're saying is that upgrading to R80.10 is not possible given my current scenario, running stand-alone log along with Provider-1.

    Furthermore, why doesn't checkpoint just ignore the Unicode thing? Why do I have to go through that trouble just for a simple upgrade?

  4. #4

    Quote Originally Posted by arikgold View Post
    Hi,

    You can complete the upgrade without removing the non-Unicode chars by following the guidelines in the sk.
    https://supportcenter.checkpoint.com...t=Multi-Domain

    As the Pre Upgrade Verifier says, we work to resolve the log servers on domain management server issue.
    Meanwhile, if you are using Multi-Domain Log Server, you can use Domain Log Server.

    We would be glad to assist with any upgrade issue to R80.10.
    We would appreciate your further feedback about the upgrade to R80.10 and the experience after completing the upgrade.

    Regards,
    Arik
    Can we just clarify that I understood this properly around the Log Server?

    If I am reading correctly, then I am seeing that as: you cannot use the Log Server functionality on the Domain Management Server, i.e. where the DMS itself is also a Log Server. Instead you have to deploy an MDLM and then define a separate Log Server on the MDLM.

    Is this true of clean installs, or just when performing an upgrade?

    Unfortunately, experience with the SKs and the exams has tended to leave me wanting to clarify, as I frequently find out with wording like that that I haven't understood what it was trying to say.

    Thanks

  5. #5

    Quote Originally Posted by cciesec2006 View Post
    Basically what you're saying is that upgrading to R80.10 is not possible given my current scenario, running stand-alone log along with Provider-1.
    Right now, that seems to be correct.
    Hopefully this issue will be resolved soon.

    Quote Originally Posted by cciesec2006 View Post
    Furthermore, why doesn't checkpoint just ignore the Unicode thing? Why do I have to go through that trouble just for a simple upgrade?
    Because we need to know what non-Unicode encoding was used in the pre-R80.10 database for non-ASCII characters.
    There is no "one size fits all" answer to this question, thus a manual step as described in sk114739 is required.
    R80.10 and above will only use Unicode going forward.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own
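
The point made in the reply above, that the original encoding of non-ASCII bytes cannot be guessed, shown as an added example that is not part of the thread and not Check Point code: the same stored bytes decode to different, equally valid text under different legacy code pages. The object names, byte strings and the shortlist of code pages are constructed assumptions.

```python
# Added example (not from the thread or from Check Point). All object names
# and byte strings below are constructed for illustration.

# Constructed sample: object name -> raw comment bytes as a legacy,
# pre-Unicode database might have stored them.
SAMPLE_COMMENTS = {
    "fw-hq": b"Main office gateway",           # pure ASCII
    "fw-berlin": "B\u00fcro".encode("utf-8"),  # already valid UTF-8
    "fw-paris": b"Si\xe8ge social",            # French, typed under windows-1252
    "fw-telaviv": b"\xf9\xec\xe5\xed",         # Hebrew, typed under windows-1255
}

# Assumed shortlist of code pages an admin workstation might have used.
CANDIDATE_ENCODINGS = ("cp1252", "cp1255", "cp1251")


def classify(raw: bytes) -> str:
    """Return 'ascii', 'utf-8' or 'legacy' for one raw field value.

    Heuristic only: legacy bytes can occasionally form valid UTF-8 by chance.
    """
    if raw.isascii():
        return "ascii"
    try:
        raw.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        # Not valid UTF-8, so the bytes came from some single-byte code page.
        return "legacy"


def candidate_decodings(raw: bytes, encodings=CANDIDATE_ENCODINGS) -> dict:
    """Decode the same bytes under each candidate; None if a byte is undefined."""
    result = {}
    for enc in encodings:
        try:
            result[enc] = raw.decode(enc)
        except UnicodeDecodeError:
            result[enc] = None
    return result


def audit(comments: dict) -> dict:
    """Map each object that holds legacy bytes to its possible readings."""
    findings = {}
    for name, raw in comments.items():
        if classify(raw) == "legacy":
            findings[name] = candidate_decodings(raw)
    return findings


def is_ambiguous(readings: dict) -> bool:
    """True when more than one code page yields a different valid string."""
    return len({text for text in readings.values() if text is not None}) > 1


if __name__ == "__main__":
    for name, readings in audit(SAMPLE_COMMENTS).items():
        print(f"{name}: ambiguous={is_ambiguous(readings)}")
        for enc, text in readings.items():
            print(f"  {enc:8} -> {text!r}")
```

Every candidate decodes without error, so nothing in the bytes themselves identifies the right one; only the administrator who knows how the data was entered can choose.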

  6. #6

    Quote Originally Posted by mcnallym View Post
    If I am reading correctly, then I am seeing that as: you cannot use the Log Server functionality on the Domain Management Server, i.e. where the DMS itself is also a Log Server. Instead you have to deploy an MDLM and then define a separate Log Server on the MDLM.

    Is this true of clean installs, or just when performing an upgrade?
    Clean installs as well.
    Note this has been the case since R80, per sk110519.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  7. #7

    Quote Originally Posted by PhoneBoy View Post
    Right now, that seems to be correct.
    Hopefully this issue will be resolved soon.
    So basically what you're saying is that Checkpoint is releasing a "half-baked" product? I am sure that I am not the only customer with this scenario. This is a typical deployment.



    Quote Originally Posted by PhoneBoy View Post
    Because we need to know what non-Unicode encoding was used in the pre-R80.10 database for non-ASCII characters.
    There is no "one size fits all" answer to this question, thus a manual step as described in sk114739 is required.
    R80.10 and above will only use Unicode going forward.
    It seems like sk114739 requires that I have to export the database. Does it mean that I can NOT perform an "in-place" upgrade in this scenario? That's what it looks like from reading the SK.

  8. #8

    Quote Originally Posted by cciesec2006 View Post
    So basically what you're saying is that Checkpoint is releasing a "half-baked" product? I am sure that I am not the only customer with this scenario. This is a typical deployment.
    Most of the customers I am familiar with that are using MDM are also using MLM.
    Which one is more prevalent, I can't say.

    Quote Originally Posted by cciesec2006 View Post
    It seems like sk114739 requires that I have to export the database. Does it mean that I can NOT perform an "in-place" upgrade in this scenario? That's what it looks like from reading the SK.
    The procedure for specifying which encoding is used changed in R80.10 specifically to better support in-place upgrades with CPUSE.
    (In R80, you set the environment variable CHECKPOINT_DB_ENCODING instead of creating $FWDIR/conf/db_encoding.txt)
    I'll confirm this and get the SK updated to make this clearer.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  9. #9

    Quote Originally Posted by PhoneBoy View Post
    The procedure for specifying which encoding is used changed in R80.10 specifically to better support in-place upgrades with CPUSE.
    (In R80, you set the environment variable CHECKPOINT_DB_ENCODING instead of creating $FWDIR/conf/db_encoding.txt)
    I'll confirm this and get the SK updated to make this clearer.
    If you can get more clarification on this, that will be great. Somehow, I feel like things get lost in translation from Hebrew to English :-(

    Quote Originally Posted by PhoneBoy View Post
    Most of the customers I am familiar with that are using MDM are also using MLM.
    Which one is more prevalent, I can't say.
    The concepts of Provider-1 are well known among MSSPs, such as Manager, Container, MDS, Customer Managed Add-on (CMA), Multi-domain Log Module (MLM), Customer Log Module (CLM). For an enterprise environment, having MLM/CLM is overkill. Enterprise customers usually have an MDS-5 and stand-alone Log servers.

    Even in the MSSP space, sometimes you have customers who demand to have their own stand-alone log servers in addition to the MLM/CLM managed by the MSSPs. That's why I am surprised that Checkpoint didn't see this coming :-(

  10. #10

    Quote Originally Posted by PhoneBoy View Post
    Clean installs as well.
    Note this has been the case since R80, per sk110519.
    Thanks for the clarification.

  11. #11

    Quote Originally Posted by cciesec2006 View Post
    If you can get more clarification on this, that will be great. Somehow, I feel like things get lost in translation from Hebrew to English :-(
    The SK has been updated and now says the following:

    Before exporting the management database with R80.10 migration tools, or before starting the in-place upgrade using CPUSE, create a new file named db_encoding.txt in the $FWDIR/conf/ directory (in case of Security Management Server) or $MDSDIR/conf/ directory (in case of Multi-Domain Server) and write in it the value of the encoding used for non-English characters.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  12. #12

    Hi,

    My name is Yaelle and I am leading the technical product management group in Check Point management area.
    I would like to reply to a few of the points raised by this thread:

    1. R80.10 was released after an extensive quality process including thousands of Managements in R80 and over 150 in R80.10 running in production. Everyone who successfully passes the pre-upgrade verifier is expected to get a high-quality experience. If you did not pass PUV (as will be explained below), your upgrade is prevented to avoid undesired problems.

    2. We have given careful attention to quality and developed a pre-upgrade verifier that will check and work the user through every challenge in R80.10 (from bad historical data in the database, through obsolete features, through features that are still in progress). The version upgrade works automatically through in-place upgrade by CPUSE, but even the in-place upgrade will not start if the validation fails. During the EA we received excellent feedback on the new in-place upgrade experience with CPUSE.

    3. In R80 we re-developed many parts of the server to make it future ready (including strong APIs & automation and many more). When adding back all the functionality, we decided to delay a few features that are less used (by the number of users impacted), like dedicated, not-domain, log servers mixed with multi domain, in favor of increased quality of the content we do deliver. In parallel we work on completion of the missing features and they will be delivered over the coming months. Specifically, we expect to enable the dedicated log server scenario as a priority for this year and, as we do believe that it's an important scenario, we will continue and maintain it “built in” after we add it back once.

    4. Users who are using these features will not be misled by the upgrade, as the PUV (pre-upgrade verifier) will stop them before upgrade.

    5. Part of what we do with R80.10 is clean up historical scenarios, and one of them is handling non-ASCII characters. After we sort it out once, we will not need to deal with it in future releases and we can be confident that we give the users a smooth experience from the upgrade point onward.

    We are open for further dialog and appreciate the feedback.

    Yaelle and the product team
