CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: After upgrading to R80.10 lost access to ssh and web UI

  1. #1
    Join Date
    2017-07-17
    Posts
    3
    Rep Power
    0

    Default After upgrading to R80.10 lost access to ssh and web UI

    Hello All,

    I have upgraded a cluster which was on R77.30 to R80.10 through the CLI, and the upgrade was successful.

    #fw ver

    Now it's the R80.10 version.

    But the problem is that I lost access to ssh, and the web UI does not launch.

    Any suggestions would be appreciated.

  2. #2
    Join Date
    2014-09-02
    Posts
    270
    Rep Power
    10

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    First, welcome to the community.

    Second, check your "Platform Portal" setting on the cluster object in SmartConsole. By default, the Main URL should be https://main_IP_address/. This binds SSL via port 443 to the GAiA WebUI. It's possible that this ends in something else, like ":4434", binding the WebUI to port 4434, so as to not conflict with other SSL services, like the Mobile Access Blade.

    Make sure that you are using the correct port in the browser, and that you have a rule in your policy (before the Stealth Rule) that allows the correct service. While 4434 is a common/semi-standard port for GAiA (and SPLAT) WebUI, it's not a predefined service.

    As always, check your logs to see what's happening. If the connection is being blocked by the Stealth Rule (or any rule), then you need to do as above and put an explicit rule allowing the SSL (or SSL-4434) access. If the traffic is being accepted, make sure you're using the correct port in the browser.

    The WebUI port can also be verified (or even changed) via console CLI with "[show|set] web ssl-port".

    I know that's a lot, but hopefully you can find the answer up there somewhere. Let us know.

    -E

  3. #3
    Join Date
    2017-07-17
    Posts
    3
    Rep Power
    0

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    Thanks Eric for the reply and suggestion.

    The webUI port is 443, checked.

    prod-fire-1> show we
    prod-fire-1> show web ssl-port
    web-ssl-port 443

    What would be the reason that I can't get ssh and webUI access after the upgrade? While I was on 77.30 I had ssh and webUI. If I downgrade one of the firewalls I get access to webUI and ssh, but when I upgrade to R80.10 I can't get access. Is there something to do when we upgrade to R80.10?

  4. #4
    Join Date
    2017-04-26
    Posts
    15
    Rep Power
    0

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    Originally posted by Sneha:
        Thanks Eric for the reply and suggestion.

        The webUI port is 443, checked.

        prod-fire-1> show we
        prod-fire-1> show web ssl-port
        web-ssl-port 443

        What would be the reason that I can't get ssh and webUI access after the upgrade? While I was on 77.30 I had ssh and webUI. If I downgrade one of the firewalls I get access to webUI and ssh, but when I upgrade to R80.10 I can't get access. Is there something to do when we upgrade to R80.10?

    Please verify access to the device with captures, and if you do see traffic, ensure it isn't being dropped with a light debug. Replace <srcip> with the IP you are connecting from and <interface> with the interface you are trying to connect to.

    #tcpdump -nni <interface> port 22 and host <srcip>
    #tcpdump -nni <interface> port 443 and host <srcip>

    #fw ctl zdebug drop | grep <srcip>

  5. #5
    Join Date
    2014-09-02
    Posts
    270
    Rep Power
    10

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    Originally posted by Sneha:
        What would be the reason that I can't get ssh and webUI access after the upgrade? While I was on 77.30 I had ssh and webUI. If I downgrade one of the firewalls I get access to webUI and ssh, but when I upgrade to R80.10 I can't get access. Is there something to do when we upgrade to R80.10?

    Shouldn't be any difference in WebUI/CLI access after upgrade...as long as everything else is the same. What was the upgrade method? Are routes intact? Can you ping the client machine from the CLI via console connection?

    There are so many areas we could look at, so trying a few things to zero in on it makes sense:
    - themadhatterz's suggestion above to tcpdump will tell us if the traffic is reaching the box
    - you could try "fw unloadlocal" and try accessing again, to eliminate policy issues
    - you can try to get to a shell via the Gateways & Servers section of SmartConsole - right-click a member, and select "Actions", "Open Shell..."
    - you could even try changing the Platform Portal setting by adding ":4434", adding a service and rule above Stealth to allow it, and seeing if that makes a difference.

    -E

  6. #6
    Join Date
    2016-10-19
    Posts
    12
    Rep Power
    0

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    Originally posted by Sneha:
        Hello All,

        I have upgraded a cluster which was on R77.30 to R80.10 through the CLI, and the upgrade was successful.

        #fw ver

        Now it's the R80.10 version.

        But the problem is that I lost access to ssh, and the web UI does not launch.

        Any suggestions would be appreciated.

    Hello Sneha,

    This is what you can try:

    Get console access to the server.
    Create a new user using cpconfig in the CLI.
    Add the user's IP range/static IP to the GUI clients list (check in WebUI and CLI as well).
    Launch SmartConsole, go to the Permissions & Admins tab, and check if the user is defined there.
    Also, in WebUI -> Users, see if your "admin" or "custom" user is defined and, if defined, has access to clish/bash.

    Thanks.

  7. #7
    Join Date
    2006-09-26
    Posts
    2,958
    Rep Power
    13

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    Originally posted by Sneha:
        What would be the reason that I can't get ssh and webUI access after the upgrade? While I was on 77.30 I had ssh and webUI. If I downgrade one of the firewalls I get access to webUI and ssh, but when I upgrade to R80.10 I can't get access. Is there something to do when we upgrade to R80.10?

    I am running into the same issue after I upgraded to R80.10.

    Before: R77.30. Firewall rules any any accept log
    I can ssh and webUI into each gateway without any issues.

    After upgrading from R77.30 to R80.10 I can no longer ssh/https into the gateways. I can confirm that both https and ssh are running on the gateways with "netstat -an | grep 443" and "netstat -an | grep 22", and tcpdump showed that traffic from my Windows host is seen on the gateways but it does not reply. From the gateways, I can ping my Windows hosts and vice versa, which rules out a network issue.

    If you're running R80.10 in production environment, you're a brave soul. I don't think I want to be "the one" :-(

  8. #8
    Join Date
    2014-09-02
    Posts
    270
    Rep Power
    10

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    Originally posted by cciesec2006:
        After upgrading from R77.30 to R80.10 I can no longer ssh/https into the gateways. I can confirm that both https and ssh are running on the gateways with "netstat -an | grep 443" and "netstat -an | grep 22", and tcpdump showed that traffic from my Windows host is seen on the gateways but it does not reply. From the gateways, I can ping my Windows hosts and vice versa, which rules out a network issue.

    Hmmm...good info. Only thing you left out is whether you see anything in logs and/or [the much maligned] "fw monitor". Since the traffic is reaching the box (as seen in tcpdump), either the services aren't working right, or the fw is blocking it (this is where logs and "fw monitor" could help quite a bit).

    I haven't seen this on R80.10 gateways (yet), and I've done quite a few upgrades as well (admittedly, mostly in labs and teaching). I may have to poke around a bit more and try to re-create. Any details you can give on upgrade methodology?

    -E
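
The checks suggested across this thread (netstat for a listener, tcpdump for arriving traffic, "fw ctl zdebug drop" for kernel drops) combined into one triage function. This is an added example and not part of any post; the names `has` and `triage`, the verdict strings and all sample captures are constructed, and the drop-line pattern assumes a `src:port -> dst:port dropped by` layout.

```shell
#!/bin/sh
# Added example. Sample captures are constructed: client 10.1.1.50, gateway 10.1.1.1.
NETSTAT='tcp        0      0 0.0.0.0:22        0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:443       0.0.0.0:*        LISTEN'
TCPDUMP='10:15:01.100000 IP 10.1.1.50.51514 > 10.1.1.1.22: Flags [S], seq 100, win 64240, length 0
10:15:02.100000 IP 10.1.1.50.51514 > 10.1.1.1.22: Flags [S], seq 100, win 64240, length 0'
# Drop-line layout is an assumption; adjust the last pattern to what your gateway prints.
ZDEBUG=';[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.1.1.50:51514 -> 10.1.1.1:22 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 3;'

# has TEXT REGEX: true if any line of TEXT matches the extended regex
has() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# triage SRC_IP PORT NETSTAT_TEXT TCPDUMP_TEXT ZDEBUG_TEXT -> prints one verdict
triage() (
    src=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for regex use
    port=$2
    if ! has "$3" ":${port}[[:space:]].*LISTEN"; then
        echo "service-not-listening"          # sshd/httpd not bound: check the daemon
    elif ! has "$4" "IP ${src}\.[0-9]+ > [0-9.]+\.${port}:"; then
        echo "traffic-not-reaching-gateway"   # routing, wrong interface or wrong port
    elif has "$4" "IP [0-9.]+\.${port} > ${src}\.[0-9]+:"; then
        echo "gateway-replies"                # gateway answers: look at the return path
    elif has "$5" " ${src}:[0-9]+ -> [0-9.]+:${port} dropped by"; then
        echo "dropped-by-firewall"            # policy/kernel drop: check logs and rules
    else
        echo "accepted-but-no-reply"          # not dropped, not answered: service side
    fi
)

for p in 22 443; do
    echo "port $p: $(triage 10.1.1.50 "$p" "$NETSTAT" "$TCPDUMP" "$ZDEBUG")"
done
```

On a gateway, the three text arguments would come from the saved output of "netstat -an", the tcpdump filters from post #4, and "fw ctl zdebug drop".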

  9. #9
    Join Date
    2014-09-02
    Posts
    270
    Rep Power
    10

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    Another thought: Has anyone seen this problem on a management server, or just gateways? (hopefully obvious implications)

    -E

  10. #10
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,275
    Rep Power
    7

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    fw stat
    and
    fw ctl zdebug drop

    would be useful from gateways.

    maybe also a

    cplic print -x

    to make sure the license is still installed.

  11. #11
    Join Date
    2006-09-26
    Posts
    2,958
    Rep Power
    13

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    Originally posted by EricAnderson:
        Another thought: Has anyone seen this problem on a management server, or just gateways? (hopefully obvious implications)

        -E

    Well, I couldn't upgrade my Provider-1 R77.30 to R80.10 due to multiple issues. Therefore, I haven't had a chance to do so.

  12. #12
    Join Date
    2017-07-17
    Posts
    3
    Rep Power
    0

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    Today I am upgrading the management server to R80.10

  13. #13
    Join Date
    2006-09-26
    Posts
    2,958
    Rep Power
    13

    Default Re: After upgrading to R80.10 lost access to ssh and web UI

    Originally posted by Sneha:
        Today I am upgrading the management server to R80.10

    You're a brave person. I have a Provider-1 R77.30 with JHFA 216 that I can NOT upgrade to R80.10 because of these:

    Title: Log Server on Domain Management Server
    -----
    * Description: Log Servers on Domain Management Server level are not supported in R80.10.

    To resolve, before you continue with upgrade, remove these objects:
    denverfwlog
    miamifwlog

    Warnings: It is recommended to resolve the following problems.
    ================================================== ============


    Title: OPSEC was modified in R80.
    -----
    * Description: The Database includes one or more OPSEC applications.

    Please check your OPSEC vendor documentation for the following applications:

    splunkLEA1
    splunkLEA2
    splunkLEA3
    fwtufin1
    splunkLEA4

    That's why I said one should wait until R80.30, next year maybe, to be sure that the software is stable.

    When Check Point first came out with SPLAT FP0, FP1 and FP2, it was full of bugs and issues. It was not until Feature Pack 3 that you had a somewhat stable product. If history is a guide, the same will be true for R80.10.
