Checkpoint Firewall Upgrade from R67 VSX to R77.10 VS & CIFS Resources
I have some Crossbeam X80 hardware running R67 VSX for some virtual firewalls. Life was good and everything worked fine. I planned and executed an upgrade plan for these blades to move to Checkpoint R77.10 VS. The policy upgrade process and software upgrade process went with zero errors. When we tried to push the policy to the firewalls, it would fail. The errors, during a debug, were ambiguous at best.
What was the eventual issue? CIFS Resources with greater than 25 file shares. It seems the IPS in R77 has a hard limit of 25 shares in CIFS resources. We use CIFS resources as an extra level of protection when 3rd parties access our Windows file shares.
Most of our CIFS resources had fewer than 25 file shares, so they needed no change. But a single 3rd party accessed quite a few shares. So, reverting to a plain CIFS service group on those rules and removing the CIFS resource from the firewall policy allowed a successful push of the policy to the gateway.
NOTE TO SELF: Keep that one in your back pocket.
Fun with MAC Addresses and Crossbeam X80s
We had a fun little gotcha a few weeks ago while upgrading a Crossbeam X80 CPM from XOS 9.5.X to 9.6.6. As part of the security controls we have in place at the perimeter, we implement MAC address filtering on the border switches. We implement very basic ACLs for the MAC addresses.
mac access-list extended mac_gi26
 permit host 0003.d2e0.0101 any
!
! the following lines go under the interface stanza of the switch port facing the NPM
 switchport access vlan 901
 switchport mode access
 mac access-group mac_gi26 in
So, post upgrade to XOS 9.6.6 we lost access to many of our zones that previously worked. After some digging around, we noted that the MAC addresses on the Crossbeam NPMs changed post upgrade. This change was not noted in the Release Notes (at least I couldn’t find it).
The good news is that Crossbeam allows for the manual changing of MAC addresses on the X-Series Platform. A simple change of the MAC address cleaned everything up.
[no] mac-addr <MAC_address>
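As an added example (not code from the original post, and not Crossbeam's or the switch vendor's), the following Python script does the check I would have wanted before and after the XOS upgrade: it parses a Cisco-style MAC ACL of the form shown above, diffs a MAC inventory recorded per port before and after the upgrade, and reports which post-upgrade addresses the ACL would drop. The sample ACL reuses the address from the post; the port label and the post-upgrade address are constructed values, not real device data.

```python
"""MAC ACL vs. post-upgrade MAC inventory check (added example, not the
vendor's code). Assumes the ACL is written in the Cisco
'mac access-list extended' form with 'permit host <mac> any' entries, and
that the MAC of each firewall-facing port was recorded before and after the
upgrade. All sample data below is constructed."""
from __future__ import annotations

import re
from collections.abc import Iterable

_HEXDIGIT = re.compile(r"[0-9a-fA-F]")
_ACL_HEADER = re.compile(r"^mac access-list extended (\S+)$")
_PERMIT_HOST = re.compile(r"^permit host (\S+) any$")


def normalize_mac(mac: str) -> str:
    """Collapse any common notation (0003.d2e0.0101, 00:03:d2:e0:01:01,
    00-03-D2-E0-01-01) to 12 lowercase hex digits so comparisons are exact."""
    digits = "".join(_HEXDIGIT.findall(mac))
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def parse_mac_acls(config: str) -> dict[str, set[str]]:
    """Map each MAC ACL name to the normalized host MACs it permits.

    Only 'permit host <mac> any' entries are understood (the form the border
    switches in the post use). Any other non-blank, non-comment line ends the
    current ACL stanza, so interface lines such as 'switchport ...' are not
    misattributed to the ACL."""
    acls: dict[str, set[str]] = {}
    current: str | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = _ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls.setdefault(current, set())
            continue
        entry = _PERMIT_HOST.match(line)
        if entry and current is not None:
            acls[current].add(normalize_mac(entry.group(1)))
        elif not line.startswith(("permit", "deny")):
            current = None
    return acls


def changed_ports(pre: dict[str, str], post: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Ports whose MAC differs between the pre- and post-upgrade inventory.
    Keys are the port labels you recorded; values are (old, new)."""
    diff: dict[str, tuple[str, str]] = {}
    for port, old in pre.items():
        new = post.get(port)
        if new is not None and normalize_mac(old) != normalize_mac(new):
            diff[port] = (normalize_mac(old), normalize_mac(new))
    return diff


def blocked_macs(acls: dict[str, set[str]], acl_name: str, observed: Iterable[str]) -> list[str]:
    """Observed MACs that ACL `acl_name` would drop (sorted, normalized)."""
    permitted = acls.get(acl_name, set())
    return sorted({normalize_mac(m) for m in observed} - permitted)


# --- constructed sample data ---------------------------------------------
SAMPLE_ACL = """\
mac access-list extended mac_gi26
 permit host 0003.d2e0.0101 any
!
 switchport access vlan 901
 switchport mode access
 mac access-group mac_gi26 in
"""

# MAC per NPM-facing port recorded before and after the XOS upgrade
# (made-up values; the 'after' address differs, as happened in the post).
PRE_UPGRADE = {"gi26": "00:03:d2:e0:01:01"}
POST_UPGRADE = {"gi26": "00:03:d2:e0:01:a1"}


def run_check() -> dict[str, list[str]]:
    """Return, per ACL, the post-upgrade MACs that ACL would block."""
    acls = parse_mac_acls(SAMPLE_ACL)
    return {name: blocked_macs(acls, name, POST_UPGRADE.values()) for name in acls}


if __name__ == "__main__":
    for port, (old, new) in changed_ports(PRE_UPGRADE, POST_UPGRADE).items():
        print(f"{port}: MAC changed {old} -> {new}")
    for acl, blocked in run_check().items():
        print(f"{acl}: would block {blocked or 'nothing'}")
```

Run it with a real ACL dump and the pre/post inventories pasted into the two dictionaries; a non-empty list from `run_check` is exactly the case the post describes, and tells you which address to either pin back on the X-Series with `mac-addr` or add to the switch ACL.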