Our Check Point products are still sitting at R77.10. Check Point has released a Jumbo Hotfix Accumulator for R77.10 (gypsy_hf_base_021).

The installation procedure from the command line is quite simple:

  1. Transfer the Jumbo Hotfix Accumulator to the machine's /var/tmp folder
  2. Unpack the Jumbo Hotfix Accumulator:

    [[email protected]]# cd /var/tmp
    [[email protected]]# tar zxvf Check_Point_R77.10.linux.tgz

  3. Install the Jumbo Hotfix Accumulator:

    [[email protected]]# ./UnixInstallScript

    Note: The script will stop all Check Point services (cpstop) – read the output on the screen.

  4. Reboot the machine.
  5. Verify the installation with the command “cpinfo -y all”.

Symptoms: 

I followed those steps and installed this Jumbo Hotfix on both cluster members at the same time, and also rebooted them at the same time. But after waiting a couple of minutes, one of the cluster members showed as disconnected in SmartView Monitor.

When I SSH-ed into the device and checked the cluster status, it showed OK. I was also able to reach the management server interface from the problem cluster member. The output of “cpinfo -y all” also shows the hotfix has been installed correctly.

    [[email protected]:0]# cpinfo -y all
    ————————
    Hotfix versions
    ————————
    [FW1]
      HOTFIX_R77_10
      HOTFIX_R77_HF_HA10_005
      HOTFIX_GYPSY_HF_BASE_021

    [SecurePlatform]
      HOTFIX_R77_10_GAIA_GHOST_833
      HOTFIX_GYPSY_HF_BASE_021

    [SPSHARED]
      No hotfixes..

    [CVPN]
      HOTFIX_R77_10
      HOTFIX_GYPSY_HF_BASE_021

    [PPACK]
      HOTFIX_R77_10
      HOTFIX_GYPSY_HF_BASE_021

    [CPinfo]
      No hotfixes..

    [SmartLog]
      HOTFIX_R77_10

    [rtm]
      No hotfixes..
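
The verification in step 5 can be scripted. The shell functions below are an added example, not part of the original post and not Check Point tooling: they parse saved `cpinfo -y all` output, list the products where a given hotfix is registered, and compare the hotfix sets of two cluster members. The function names and member file names are hypothetical; the sample input is a trimmed copy of the output above.

```shell
# Added example (not Check Point tooling): audit saved `cpinfo -y all` output.

# Normalise cpinfo output (stdin) to sorted "PRODUCT HOTFIX" pairs.
hotfix_pairs() {
    awk '
        NF == 1 && $1 ~ /^\[[A-Za-z0-9_]+\]$/ { sec = substr($1, 2, length($1) - 2); next }
        sec != "" && $1 ~ /^HOTFIX_/          { print sec, $1 }
    ' | LC_ALL=C sort
}

# Products in which the named hotfix is registered, on one line.
products_with() {    # usage: products_with HOTFIX < cpinfo-output
    hotfix_pairs | awk -v want="$1" '
        $2 == want { printf "%s%s", sep, $1; sep = " " }
        END        { print "" }'
}

# Compare saved outputs of two cluster members; print drift, return 1 if any.
compare_members() {  # usage: compare_members memberA.txt memberB.txt
    drift=$( { hotfix_pairs < "$1" | sed 's/^/A /'
               hotfix_pairs < "$2" | sed 's/^/B /'; } |
        awk '{ k = $2 " " $3; seen[k] = seen[k] $1 }
             END { for (k in seen) if (seen[k] != "AB") print "only on " seen[k] ": " k }' |
        LC_ALL=C sort )
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Sample input: trimmed copy of the cpinfo output shown above.
sample_output() {
    cat <<'EOF'
[FW1]
  HOTFIX_R77_10
  HOTFIX_R77_HF_HA10_005
  HOTFIX_GYPSY_HF_BASE_021
[SecurePlatform]
  HOTFIX_R77_10_GAIA_GHOST_833
  HOTFIX_GYPSY_HF_BASE_021
[SPSHARED]
  No hotfixes..
[CVPN]
  HOTFIX_R77_10
  HOTFIX_GYPSY_HF_BASE_021
[SmartLog]
  HOTFIX_R77_10
EOF
}
sample_output | products_with HOTFIX_GYPSY_HF_BASE_021   # CVPN FW1 SecurePlatform
```

Save `cpinfo -y all` from each member to a file and pass both files to `compare_members`; a non-zero return means the members do not carry the same hotfix set.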

Troubleshooting:

I went back to SmartDashboard, checked the SIC status, and found it was out of SIC. I was confused about what could have caused this cluster member to lose SIC. Should I reset SIC?

SmartView Tracker saved me this time. There was one log showing that firewall policy inconsistencies existed between the cluster members.

    Number:         7250420
    Date:           16Aug2015
    Time:           10:09:07
    Origin:         CP-DMZ-1
    Type:           Log
    Action:
    Information:    sync: Inconsistencies exist between policies installed on the cluster members. Please reinstall the policy on the cluster.
    Product:        Security Gateway/Management
    Product Family: Network
    Policy Info:    Policy Name: defaultfilter
                    Created at: Sun Aug 16 07:12:25 2015
                    Installed from: CP-Management

Solutions:

I quickly pushed the policy to the cluster, and it failed because of a SIC error.
The amazing thing is that this firewall policy push resolved the SIC issue. Both firewall cluster members show green and OK status in SmartView Monitor.