CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



 


Thread: Issues with SMS running R80.20M1

  1. #1
    Join Date
    2014-11-23
    Posts
    45
    Rep Power
    0

    Issues with SMS running R80.20M1

    Hi All, Hoping that you are enjoying the Festive Season.

    We have the following environment:
    A cluster of 4 x Gateways (Open Servers) running Gaia R80.20
    A Primary and a Secondary Security Management Server (Open Servers) running Gaia R80.20M1.
    (We discovered that this is not a supported configuration as we should not use R80.20M1 management servers
    to manage R80.20 gateways. However this configuration has been working OK for around a year).

    We had an issue whereby we couldn't connect to the Primary SMS via SmartConsole.
    We opened a TAC case with Check Point but they made the issue worse by making a change to the Secondary so that it no longer syncs with the Primary.
    (I'm not exactly sure what they did, they made the change without asking me if I'd taken a Snapshot and unfortunately I hadn't).

    So I'm now in a position where I've got:
    A Primary R80.20M1 SMS (which I can't connect to via SmartConsole but can connect to with SSH) with an out-of-date rulebase.
    A Secondary R80.20M1 SMS which is working OK with an up-to-date rulebase.
    I've built two completely NEW open servers and installed Gaia R80.20 on them. I've built one as Primary and one as a secondary
    (with the same IP addresses as the existing SMSs).
    I have tried taking a migrate export from the existing R80.20M1 Primary SMS (albeit with an out-of-date rulebase) and importing this onto the new server
    which I built as an R80.20 Primary SMS. However this produces error messages which Check Point's R&D department are still investigating.

    So anyway my question is, can I do the following?
    1) Upgrade the existing R80.20M1 Secondary server to R80.20M2.
    2) Upgrade the new server which I've built as a Secondary SMS from R80.20 to R80.20M2.
    3) Export the database from the old Secondary SMS to the new Secondary SMS.
    4) Promote this new Secondary SMS to be the primary.
    5) Install the other new server as an R80.20M2 SMS secondary and synch it to the new primary.
    (I have put this idea to Check Point but they say they don't recommend it because R80.20M2 is apparently "unstable").
    I would very much welcome any ideas. Perhaps you would recommend a completely different course of action but please let me know your opinion.
    Many thanks in advance.

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    314
    Rep Power
    13

    Re: Issues with SMS running R80.20M1

    Who said managing R80.20 firewalls from an R80.20M1 SmartCenter isn't supported? That doesn't sound right at all. Last I heard, managing R80.20 firewalls from R80 (no dot) is supported, you just don't get any of the new R80.20 firewall features.

    R80.20M1 is a later feature release than R80.20, so it doesn't surprise me that the configuration can't be imported from M1 onto R80.20.

    I would try to stabilize the existing primary SmartCenter. If the change to your secondary SmartCenter was not your doing, you're almost certainly safe to just overwrite the secondary with the database from the primary once you get it back up.



    What does SmartConsole do when you try to connect?

    Are you able to connect with the API locally on the box? 'mgmt_cli login -r true | tee sessionCookie.txt' should tell you. If it doesn't throw an error, you can log out afterwards with 'mgmt_cli -s sessionCookie.txt logout'.

    What does 'cpwd_admin list' say?

    Do you see any core dumps in /var/log/dump/usermode?
    Zimmie

  3. #3
    Join Date
    2014-11-23
    Posts
    45
    Rep Power
    0

    Re: Issues with SMS running R80.20M1

    Firstly thanks very much for taking the time to reply.
    I was told by one of my senior colleagues that R80.20 was a later version than R80.20M1 but it seems this isn't actually the case from what you say.
    I'm surprised that the three Check Point TAC engineers that I've been speaking to couldn't tell me that as it would have saved me a lot of time.

    Anyway I logged onto the primary R80.20M1 management server to run the troubleshooting commands which you mentioned. However, to my surprise, I find that I actually CAN now connect to this R80.20M1 management server using SmartConsole, so it seems to have rectified itself without any intervention (although I don't know how stable the server is).

    So I've now got a slightly different issue: I've got an out-of-date primary management server (R80.20M1) and an up-to-date secondary management server (R80.20M2).
    Check Point have made some changes to the secondary management server so that there is no longer a trust relationship between the primary and the secondary.
    As soon as the primary comes online it seems to revoke the certificate of the secondary. The secondary then goes down and I have to shut down the primary and revert to a snapshot on the secondary to get it working again.

    Do you know if there's any way to restore the trust relationship between the primary and the secondary and then to replicate the up-to-date database from the secondary to the out-of-date primary?
    I suspect there isn't and I will therefore have to reset SIC on the secondary and then replicate the out-of-date database from the primary to the secondary and then bring the database up to date manually, which will take a long time. If you know of a better way then this would be much appreciated!
    Thanks again.

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    314
    Rep Power
    13

    Re: Issues with SMS running R80.20M1

    Sounds like at this point, your best bet is to treat it as a completely failed primary SmartCenter. I don't know the process for R80-family management off the top of my head, but support should definitely be able to help. This is a much simpler problem than fixing a broken thing in-place.
    Zimmie

  5. #5
    Join Date
    2014-09-02
    Posts
    357
    Rep Power
    10

    Re: Issues with SMS running R80.20M1

    Just for kicks (and possibly a "solution"), can you take a successful export with R80.30 tools?

    -E
