CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: After upgrading to R80.10 lost access to ssh and web UI

  1. #1

    Hello All,

    I have upgraded a cluster which was in R77.30 to R80.10 through CLI, upgrade was successful.

    #fw ver

    now it's R80.10 version

    but the problem is I lost access to ssh and the web UI is not launched.

    Any suggestions would be appreciated.

  2. #2

    First, welcome to the community.

    Second, check your "Platform Portal" setting on the cluster object in SmartConsole. By default, the Main URL should be https://main_IP_address/. This binds SSL via port 443 to the GAiA WebUI. It's possible that this ends in something else, like ":4434", binding the WebUI to port 4434, so as to not conflict with other SSL services, like the Mobile Access Blade.

    Make sure that you are using the correct port in the browser, and that you have a rule in your policy (before the Stealth Rule) that allows the correct service. While 4434 is a common/semi-standard port for GAiA (and SPLAT) WebUI, it's not a predefined service.

    As always, check your logs to see what's happening. If the connection is being blocked by the Stealth Rule (or any rule), then you need to do as above and put an explicit rule allowing the SSL (or SSL-4434) access. If the traffic is being accepted, make sure you're using the correct port in the browser.

    The WebUI port can also be verified (or even changed) via console CLI with "[show|set] web ssl-port".

    I know that's a lot, but hopefully you can find the answer up there somewhere. Let us know.

    -E

  3. #3

    Thanks Eric for the reply and suggestion.

    The webUI port is 443, checked

    prod-fire-1> show we
    prod-fire-1> show web ssl-port
    web-ssl-port 443

    What would be the reason that I can't get ssh and webUI access after the upgrade? While I was on 77.30 I had ssh and webUI. If I downgrade one of the firewalls I get access to webUI and ssh, but when I upgrade to R80.10 I can't access it. Is there something to do when we upgrade to R80.10?

  4. #4

    Quote, originally posted by Sneha:
    Thanks Eric for the reply and suggestion.

    The webUI port is 443, checked

    prod-fire-1> show we
    prod-fire-1> show web ssl-port
    web-ssl-port 443

    What would be the reason that I can't get ssh and webUI access after the upgrade? While I was on 77.30 I had ssh and webUI. If I downgrade one of the firewalls I get access to webUI and ssh, but when I upgrade to R80.10 I can't access it. Is there something to do when we upgrade to R80.10?

    Please verify access to the device with captures and if you do see traffic ensure it isn't being dropped with a light debug. Replace <srcip> with the IP you are connecting from and <interface> with the interface you are trying to connect to.

    #tcpdump -nni <interface> port 22 and host <srcip>
    #tcpdump -nni <interface> port 443 and host <srcip>

    #fw ctl zdebug drop | grep <srcip>

  5. #5

    Quote, originally posted by Sneha:
    What would be the reason that I can't get ssh and webUI access after the upgrade? While I was on 77.30 I had ssh and webUI. If I downgrade one of the firewalls I get access to webUI and ssh, but when I upgrade to R80.10 I can't access it. Is there something to do when we upgrade to R80.10?

    Shouldn't be any difference in WebUI/CLI access after upgrade...as long as everything else is the same. What was the upgrade method? Are routes intact? Can you ping the client machine from the CLI via console connection?

    There are so many areas we could look at, so trying a few things to zero in on it makes sense:
    - themadhatterz's suggestion above to tcpdump will tell us if the traffic is reaching the box
    - you could try "fw unloadlocal" and try accessing again, to eliminate policy issues
    - you can try to get to a shell via the Gateways & Servers section of SmartConsole - right-click a member, and select "Actions", "Open Shell..."
    - you could even try changing the Platform Portal setting by adding ":4434", adding a service and rule above Stealth to allow it, and seeing if that makes a difference.

    -E

  6. #6

    Quote, originally posted by Sneha:
    Hello All,

    I have upgraded a cluster which was in R77.30 to R80.10 through CLI, upgrade was successful.

    #fw ver

    now it's R80.10 version

    but the problem is I lost access to ssh and the web UI is not launched.

    Any suggestions would be appreciated.

    Hello Sneha

    This is what you can try:

    Get console access to the server
    Create new user using cpconfig in CLI
    Add the user's IP range/ static IP to the GUI clients list (Check in WebUI and CLI as well)
    Launch smart console and go to permissions&admins tab and check if the user is defined there
    Also, in WebUI -> users -> see if your "admin" or "custom" user is defined and, if defined, has access to clish/bash.

    Thanks.

  7. #7

    Quote, originally posted by Sneha:
    What would be the reason that I can't get ssh and webUI access after the upgrade? While I was on 77.30 I had ssh and webUI. If I downgrade one of the firewalls I get access to webUI and ssh, but when I upgrade to R80.10 I can't access it. Is there something to do when we upgrade to R80.10?

    I am running into the same issue after I upgraded to R80.10.

    Before: R77.30. Firewall rules any any accept log
    I can ssh and webUI into each gateway without any issues.

    After upgrading from R77.30 to R80.10 I can no longer ssh/https into the gateways. I can confirm that both https and ssh are running on the gateways with "netstat -an | grep 443" and "netstat -an | grep 22", and tcpdump showed that traffic from my Windows host is seen on the gateways but it does not reply. From the gateways, I can ping my Windows hosts and vice versa, which rules out a network issue.

    If you're running R80.10 in production environment, you're a brave soul. I don't think I want to be "the one" :-(

  8. #8

    Quote, originally posted by cciesec2006:
    After upgrading from R77.30 to R80.10 I can no longer ssh/https into the gateways. I can confirm that both https and ssh are running on the gateways with "netstat -an | grep 443" and "netstat -an | grep 22", and tcpdump showed that traffic from my Windows host is seen on the gateways but it does not reply. From the gateways, I can ping my Windows hosts and vice versa, which rules out a network issue.

    Hmmm...good info. Only thing you left out is whether you see anything in logs and/or [the much maligned] "fw monitor". Since the traffic is reaching the box (as seen in tcpdump), either the services aren't working right, or the fw is blocking it (this is where logs and "fw monitor" could help quite a bit).

    I haven't seen this on R80.10 gateways (yet), and I've done quite a few upgrades as well (admittedly, mostly in labs and teaching). I may have to poke around a bit more and try to re-create. Any details you can give on upgrade methodology?

    -E
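
The triage discussed in the posts above (does the traffic arrive, and does the gateway answer it) can be read straight out of the capture. The following is an added example, not part of the original thread: a shell function that reads saved `tcpdump -nn` text output and reports whether SYNs to the gateway were answered. The addresses, capture lines and result names are constructed for this example; it assumes numeric output (`-nn`) and accepts both the older bare-flag format and the newer "Flags [..]" format.

```shell
#!/bin/sh
# Added example: classify `tcpdump -nn` text output for one client/port pair.
# Usage: classify_capture <client_ip> <gateway_ip> <port> < capture.txt
classify_capture() {
    awk -v c="$1" -v g="$2" -v p="$3" '
    {
        # Find "src > dst:" wherever it sits on the line.
        for (i = 2; i < NF; i++) if ($i == ">") break
        if (i >= NF) next
        src = $(i-1); dst = $(i+1); sub(/:$/, "", dst)
        if ($(i+2) == "Flags") {          # tcpdump 4.x: "Flags [S.],"
            fl = $(i+3); gsub(/[^A-Z.]/, "", fl)
        } else {                          # tcpdump 3.x: bare "S", ack printed separately
            fl = $(i+2); if ($0 ~ / ack /) fl = fl "."
        }
        to_gw   = (index(src, c ".") == 1 && dst == g "." p)
        from_gw = (src == g "." p && index(dst, c ".") == 1)
        if (to_gw && fl == "S")    syn++
        if (from_gw && fl == "S.") synack++
        if (from_gw && fl ~ /^R/)  rst++
    }
    END {
        if (synack)   print "answered"        # daemon replies; check client side or port
        else if (rst) print "reset"           # reached the host, connection refused
        else if (syn) print "syn-unanswered"  # arrives, no reply: check drops and logs
        else          print "no-syn-seen"     # never reached this interface
    }'
}

# Constructed sample captures (documentation addresses, not from the thread).
SAMPLE_UNANSWERED='12:00:01.000001 IP 192.0.2.10.51234 > 198.51.100.1.22: Flags [S], seq 1000, win 64240, length 0
12:00:02.000001 IP 192.0.2.10.51234 > 198.51.100.1.22: Flags [S], seq 1000, win 64240, length 0'
SAMPLE_ANSWERED='12:00:01.000001 IP 192.0.2.10.51300 > 198.51.100.1.443: S 2000:2000(0) win 64240
12:00:01.000090 IP 198.51.100.1.443 > 192.0.2.10.51300: S 3000:3000(0) ack 2001 win 5840'

printf '%s\n' "$SAMPLE_UNANSWERED" | classify_capture 192.0.2.10 198.51.100.1 22
printf '%s\n' "$SAMPLE_ANSWERED"   | classify_capture 192.0.2.10 198.51.100.1 443
```

A "syn-unanswered" result matches the situation described in the thread, where the next step is the drop debug and the logs.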

  9. #9

    Another thought: Has anyone seen this problem on a management server, or just gateways? (hopefully obvious implications)

    -E

  10. #10

    fw stat
    and
    fw ctl zdebug drop

    would be useful from gateways.

    maybe also a

    cplic print -x

    to make sure the license is still installed.

  11. #11

    Quote, originally posted by EricAnderson:
    Another thought: Has anyone seen this problem on a management server, or just gateways? (hopefully obvious implications) -E

    Well, I couldn't upgrade my Provider-1 R77.30 to R80.10 due to multiple issues. Therefore, I haven't had a chance to do so.

  12. #12

    Today I am upgrading the management server to R80.10

  13. #13

    Quote, originally posted by Sneha:
    Today I am upgrading the management server to R80.10

    You're a brave person. I have a Provider-1 R77.30 with JHFA 216 that I can NOT upgrade to R80.10 because of these:

    Title: Log Server on Domain Management Server
    -----
    * Description: Log Servers on Domain Management Server level are not supported in R80.10.

    To resolve, before you continue with upgrade, remove these objects:
    denverfwlog
    miamifwlog

    Warnings: It is recommended to resolve the following problems.
    ==============================================================


    Title: OPSEC was modified in R80.
    -----
    * Description: The Database includes one or more OPSEC applications.

    Please check your OPSEC vendor documentation for the following applications:

    splunkLEA1
    splunkLEA2
    splunkLEA3
    fwtufin1
    splunkLEA4

    That's why I said one should wait until R80.30, next year maybe, to be sure that the software is stable.

    When Check Point first came out with SPLAT FP0, FP1 and FP2, it was full of bugs and issues. It was not until Feature Pack 3 that you have a somewhat stable product. If history is a guide, the same will be true for R80.10

  14. #14

    We already discussed the "can't use MDM as a log server in R80.10" issue in a different thread, no need to rehash again.

    Quote, originally posted by cciesec2006:
    Title: OPSEC was modified in R80.
    -----
    * Description: The Database includes one or more OPSEC applications.

    Please check your OPSEC vendor documentation for the following applications:

    This warning is because LEA Connections now require SHA-256.
    Third party OPSEC applications such as Tufin and Splunk may need to be updated to maintain compatibility.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  15. #15

    Management Server upgrade to R80.10 was successful

  16. #16

    I've been performing a number of 80.10 upgrades and I strongly suggest clean install as the method of upgrading if at all possible.

  17. #17

    What kind of issues are you seeing with upgrades (besides this thread which seems to be happening a lot from the looks of it)?

  18. #18

    In many cases, in-place upgrades fail in CPUSE, whether via WebUI or CLI. If you mean after the upgrade, I've had less issues there, though I have had problems with 3rd party vendors who haven't updated their software for R80 compatibility.
