Tuesday, November 24, 2015

CheckPoint - DHCP objects from R77.20 and AddOns

Starting in R77.20, Check Point introduced new and improved handling of DHCP: new services were created to handle DHCP traffic with stateful inspection.
Check Point has published a specific SK (sk98839) to help with the correct setup, as it is important to perform specific steps based on the mix of versions that you are managing from your SmartCenter.

I have used this SK in the past and I have had one interesting issue that I would like to describe.





I installed the R77.20 Add-Ons some time in the past. Later I upgraded to R77.30.
By issuing the command fwm ver I found that the R77.20 Add-Ons were installed.
As I needed to perform an Install Database on an external Log Server, I found out that this operation failed because the installed plug-ins were different. What are we talking about?

We are talking about the R77.20 Add-On! 
So I thought: OK, I will remove it.

Wrong. You can't do it because it is in use in some policy. Yes, I was using the new dhcp-request and dhcp-reply services.

Here is the output from my attempts at uninstalling the Add-On.

[Expert@management:0]# rpm -e CPPItpi-R77-00
There are no packages dependent on:
Check Point R77.20 Add-on.
*********************************************************************************
Please run "/opt/CPPItpi-R77/bin/uacRunner -p PItpi -preuninstall", before trying to uninstall this package.
*********************************************************************************

error: %preun(CPPItpi-R77-00.i386) scriptlet failed, exit status 1
[Expert@management:0]# /opt/CPPItpi-R77/bin/uacRunner -p PItpi -preuninstall

Warning: object 'dhcp-reply' cannot be deleted from the database
because it is referenced by the following objects:

Table name: 'fw_policies', Object name: '##FWPOLICY'1
Warning: object 'dhcp-request' cannot be deleted from the database
because it is referenced by the following objects:

Table name: 'fw_policies', Object name: '##FWPOLICY'1Table name: 'fw_policies', Object name: '
##FWPOLICY'1
Warning: object 'DHCP-reply' cannot be deleted from the database
because it is referenced by the following objects:

Table name: 'services', Object name: 'dhcp-reply'1
Warning: object 'DHCP-request' cannot be deleted from the database
because it is referenced by the following objects:

Table name: 'services', Object name: 'dhcp-request'1
Plug-in uninstall verification has failed. Uninstallation is not allowed. See log file '/opt/CPshrd-R77/log/PItpi-preuninstall.elg' for further details
Execution has finished


So how did I fix this?


Modified the FWPOLICY by removing the objects dhcp-request/reply.
Uninstalled the R77.20 Add-On.
Recreated the objects using the command line:

dhcp_objects create


No AddOns are installed for this and you have no issue with external Management containers.
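
The pre-uninstall warnings above can be summarised before touching the policy. This is an added example, not part of the original post or a Check Point tool: the function names are hypothetical, and it assumes the input is text in the same format as the uacRunner warnings shown above.

```shell
#!/bin/sh
# Added example (not from the post): list what blocks the add-on uninstall.

# Reads warning text on stdin; prints object<TAB>table<TAB>referrer, de-duplicated.
preuninstall_blockers() {
    awk -v sq="'" '
    BEGIN {
        obj_re  = "object " sq "[^" sq "]+" sq
        pair_re = "Table name: " sq "[^" sq "]+" sq ", Object name: " sq "[^" sq "]+" sq
    }
    # Each "Warning: object NAME ..." line starts a new block.
    /^Warning: object / {
        obj = ""
        if (match($0, obj_re)) obj = substr($0, RSTART + 8, RLENGTH - 9)
        next
    }
    # A line can carry more than one "Table name / Object name" pair.
    obj != "" {
        line = $0
        while (match(line, pair_re)) {
            split(substr(line, RSTART, RLENGTH), f, sq)  # f[2]=table, f[4]=referrer
            line = substr(line, RSTART + RLENGTH)
            key = obj "\t" f[2] "\t" f[4]
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    }'
}

# Objects that are still referenced from the given table (hypothetical helper).
blockers_in_table() {
    preuninstall_blockers | awk -F '\t' -v t="$1" '$2 == t { print $1 }' | sort -u
}

# Sample input: lines taken from the output in the post, blank lines dropped.
sample_preuninstall_output() {
    cat <<'EOF'
Warning: object 'dhcp-reply' cannot be deleted from the database
because it is referenced by the following objects:
Table name: 'fw_policies', Object name: '##FWPOLICY'1
Warning: object 'dhcp-request' cannot be deleted from the database
because it is referenced by the following objects:
Table name: 'fw_policies', Object name: '##FWPOLICY'1Table name: 'fw_policies', Object name: '##FWPOLICY'1
Warning: object 'DHCP-reply' cannot be deleted from the database
because it is referenced by the following objects:
Table name: 'services', Object name: 'dhcp-reply'1
EOF
}
# Objects still referenced by fw_policies, i.e. the ones to remove from the policy:
sample_preuninstall_output | blockers_in_table fw_policies
```

On a real system, pipe the saved warning text into `blockers_in_table fw_policies` instead of the embedded sample.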





