Thursday, December 27, 2012

Installation / Upgrade Wizard

I am not sure if it is a Christmas miracle, but it's definitely a great present from Check Point.

We now have the Upgrade Wizard on the Check Point Support Portal, a tool that helps you choose your upgrade path and installation sources for both appliances and open platform.

Great job, Check Point!!!

Tuesday, December 4, 2012

No memory policy installation failure - resolved

I have faced a nasty issue lately with one of my VSX customers. After a certain IPS update the customer lost the ability to push policy to one of the Virtual Systems. There was an error: "Load on Module failed - no memory". Strangely, it was just a single VS among tens of others managed by the same CMA.

They rebooted the VSX cluster hoping to fix the situation, but it only made it much worse. On the standby physical member the problematic VS was not even loaded, as the pushed policy could no longer be fetched. The cluster was broken, and the member went to "down" state.

Surprisingly, the first case one can find in SecureKnowledge, sk40768, saved the day. There is a parameter related to showing the rule's UUID in the logs; one has to switch it off, as the solution describes.

Once we applied the solution, policy could be pushed without a problem. The second cluster member was still down, with weird interface probing errors and the VS failing to run. We had to reboot it, and after that everything came back to normal.

Lessons learned:

1. Do not believe policy installation errors; they can be extremely misleading.
2. Do not rush into rebooting VSX cluster members; that could backfire.
3. Do DB Revision Control before updating IPS; that would allow you to roll back quickly if there is any issue with policy installation.