The best practice is indeed the 'best' - and even though as a workaround we
had removed the patch cluster but we have still been trying to get check
point to confirm the problem patch in the current Recommended Patch Cluster
and yesterday, they did confirm 112963-22/23 a problem as you have found and
they recommended any revision from 11-19 to be ok. Check Point now is
creating a solution in their database. I shall provide the solution number
as soon as they create one.
Rajeev
On 8/29/05, Simon Ashford <Simon.Ashford AT npl.co DOT uk> wrote:
>
> BUT: all the "best practice" advice I've seen recommends to keep
> all critical systems fully patched with O/S and other software
> updates. This was the reason for using the Patch Manager utility
> in the first place.
>
> Also, presumably there will come a time when the version of Solaris
> distributed with new systems will include these patches anyway...
>
> I guess the answer to all this faff is use SPLAT instead - and
> relegate the Sun box to a more suitable role (doorstop or large
> paperweight for example) :-<
>
>
> Cheers.
>
>
> Simon Ashford.
>
>
> -----Original Message-----
> From: Rajeev Gupta [mailto:rgup14 AT GMAIL DOT COM]
> Sent: 29 August 2005 13:48
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Firewall-1 failure after applying Solaris patches.
>
>
> Hmmm..........
> I wonder if you will ever get any repsonse from Check Point or Sun? Check
> Point will go with your results and say ok if that be it, that is what it
> is. I had R54 or R55 attempts to install on Solaris 9 last week - hfa's
> did
> not matter - it continued to core in case I had the Recommended Patch
> cluster installed. I just completely removed the patch cluster and left
> only
> one patch that Check Point recommeded - I got it from Check Point Support
> person who had kept it saved since eternity:-) Check Point Support kind of
> knows issues with some of the sun patches off and on and some of the techs
> at the Support therefore save these old patches in their personal
> repositories from the time when Check Point had originally tested its
> specific release.
>
> Rajeev
>
> On 8/27/05, Simon Ashford <Simon.Ashford AT npl.co DOT uk> wrote:
> >
> > In answer to my own question:
> >
> > It seems the following Solaris patches break Firewall-1:
> >
> > 115553-19:
> >
> > Causes an error during the initial Firewall-1 boot configuration:
> > immediately after the first set of "Autopushing over ..." messages
> > it gives "ioctl: out of streams reesources" followed by several
> > screens of verbose errors starting "ap: usage..."
> >
> > Backing out the patch does not fix the problem.
> >
> > Revision 15 of this patch was OK.
> >
> > 112963-23:
> >
> > Causes SEGV and core dump on several processes started by
> > /etc/rc3.d/S99cpboot.
> >
> > Backing out to revision 18 fixes the problem.
> >
> > This is on an E220R server, Solaris 9 64-bit, with R55 HFA-15.
> >
> > These patches were downloaded automatically by the PatchPro utility.
> > I guess they will also be present in the latest Recommended/Security
> > bundle.
> >
> > Anyone fromn Sun or CheckPoint reading this and care to comment?
> >
> >
> > Simon Ashford.
> >
> >
> > -----Original Message-----
> > From: Simon Ashford [mailto:Simon.Ashford AT npl.co DOT uk]
> > Sent: 25 August 2005 15:58
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: [FW-1] Firewall-1 failure after applying Solaris patches.
> >
> >
> > I recently applied the latest set of Solaris patches to our
> > firewall machine (using Solaris Managament Console + PatchPro).
> > But it then failed on reboot - verbose "usage" diagnostics from
> > (I think) the "ap" command during interface configuration,
> > other FW1 commands failing with Segmentation Fault + core
> > dumps.
> >
> > Tried backing out the likely suspects - kernel patch, TCP patch
> > and a couple of others. But made no difference so eventually had
> > to restore the entire system from a backup.
> >
> > Anyone else seen this? Is there a particular patch to blame?
> >
> > System details: E220R server, Solaris 9, NGAI R55 HFA-13 (but
> > have since installed HFA-15 - might improve things...?)
> >
> > Thanks in advance.
> >
> >
> > Simon Ashford.
> >
> > -------------------------------------------------------------------
> > This e-mail and any attachments may contain confidential and/or
> > privileged material; it is for the intended addressee(s) only.
> > If you are not a named addressee, you must not use, retain or
> > disclose such information.
> >
> > NPL Management Ltd cannot guarantee that the e-mail or any
> > attachments are free from viruses.
> >
> > NPL Management Ltd. Registered in England and Wales. No: 2937881
> > Registered Office: Serco House, 16 Bartley Wood Business Park,
> > Hook, Hampshire, United Kingdom RG27 9UY
> > -------------------------------------------------------------------
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> >
> > -------------------------------------------------------------------
> > This e-mail and any attachments may contain confidential and/or
> > privileged material; it is for the intended addressee(s) only.
> > If you are not a named addressee, you must not use, retain or
> > disclose such information.
> >
> > NPL Management Ltd cannot guarantee that the e-mail or any
> > attachments are free from viruses.
> >
> > NPL Management Ltd. Registered in England and Wales. No: 2937881
> > Registered Office: Serco House, 16 Bartley Wood Business Park,
> > Hook, Hampshire, United Kingdom RG27 9UY
> > -------------------------------------------------------------------
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > fw-1-owner AT ts.checkpoint DOT com
> > =================================================
> >
>
>
>
> --
> Rajeev Gupta
> CISSP, CCMSE+VSX
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
> -------------------------------------------------------------------
> This e-mail and any attachments may contain confidential and/or
> privileged material; it is for the intended addressee(s) only.
> If you are not a named addressee, you must not use, retain or
> disclose such information.
>
> NPL Management Ltd cannot guarantee that the e-mail or any
> attachments are free from viruses.
>
> NPL Management Ltd. Registered in England and Wales. No: 2937881
> Registered Office: Serco House, 16 Bartley Wood Business Park,
> Hook, Hampshire, United Kingdom RG27 9UY
> -------------------------------------------------------------------
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
--
Rajeev Gupta
CISSP, CCMSE+VSX
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
|
