Check Point Firewall – Interfaces Reordered Upon Upgrade

A few days ago, one of our Check Point IAS M6 Firefly-equipped R70.20 SPLAT clusters had a member fail with a "PLANAR VOLTAGE FAILURE", according to the IBM iLO event log. Since this is not fixed by a simple power supply swap, an RMA replacement unit was obtained from Check Point. The new device came pre-loaded with R65 and no HFAs or hotfixes. We distributed R70 SPLAT to the box via Provider-1, upgraded, and everything looked happy; we seemed to be cruising along on a smooth replacement. After the upgrade to R70 SPLAT, we used the 'revert' command to install our most recent snapshot. Upon reboot we found that all of our interfaces had been reordered, flip-flopped 180 degrees:

PRE FAIL  - card 1 >[eth2 | eth3 | eth4 | eth5] --- card 2 >[eth6 | eth7 | eth8 | eth9]
                   onboard >[eth0 | eth1 | iLO]

POSTFAIL - card 1 >[eth9 | eth8 | eth7 | eth6] --- card 2 >[eth5 | eth4 | eth3 | eth2]
                   onboard >[eth0 | eth1 | iLO]

The official Check Point stance is not to upgrade and then run your snapshot; instead, bring the replacement to the same OS, the same Check Point version and the same patch level as the failed unit before restoring the snapshot. As explained above, our RMA box came preinstalled with R65; we did not heed that warning and carried on. Had we started fresh with a clean install of R70 (not an upgrade) before reverting to our snapshot, we would probably have been better off.

The interface ordering issue comes down to how the Linux kernel enumerates hardware: the 2.4 and 2.6 kernels perform hardware discovery in somewhat different orders, so the same NICs can come up under different ethN names after a kernel change. /etc/sysconfig/ethtab is what pins names to hardware: it lists the interface names and the MAC address each is bound to, so editing it lets you enforce the interface order you require. When you prepare an upgrade, make sure this file does not get overwritten, deleted or otherwise modified from its current state (take a backup first). Interface re-ordering is fixed here; netconf.C only needs attention where its :ifname values no longer match the hardware addresses it records (see the procedure below). After ethtab has been modified, run cpha_restore_macs before rebooting.

To manually associate an interface name with a particular NIC MAC address on SecurePlatform 2.4/2.6, proceed as follows:

1. Back up the files you are about to edit: /etc/sysconfig/ethtab and /etc/sysconfig/netconf.C.

2. For each interface, run:
   ifdown eth<N>

3. In Expert Mode, open /etc/sysconfig/ethtab. The file contains the interface names (eth0, eth1, ...) and their matching MAC addresses. Arrange the order of the interfaces as necessary and save the file.

4. Edit /etc/sysconfig/netconf.C. Change the interface values in the lines containing:
   :ifname (eth<N>)
   These lines are in the 'conn' section, one 'conn' section per interface. Each 'conn' section also lists the hardware address; edit the interface name to match the name you want associated with that hardware address.

Note: Do not edit the loopback interface.
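The check I would run before the reboot in the procedure above, as an added example that is not part of the original post and not a Check Point tool: it compares the current ethtab against the pre-upgrade backup by MAC address, lists every netconf.C 'conn' block whose :ifname no longer agrees with ethtab for that hardware address, and rebuilds ethtab with the backup's names. The ethtab layout (one "ethN MAC" per line), the netconf.C layout and the :hwaddr key name are assumptions made for the example, and the sample files are constructed to mirror the PRE FAIL / POSTFAIL diagrams; verify the formats against your own files before trusting the output.

```shell
#!/bin/sh
# Added example, not from the original post or from Check Point. It cross-checks a
# SecurePlatform ethtab against a pre-upgrade backup and against netconf.C before
# you reboot, and rebuilds ethtab with the backup's names. File formats are ASSUMED:
#   ethtab:    one "ethN MAC" pair per line
#   netconf.C: one ":conn (" block per interface carrying ":ifname (ethN)" and
#              ":hwaddr (MAC)" lines (the :hwaddr key name is a guess; check yours)
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample files modelled on the PRE FAIL / POSTFAIL diagrams above.
# MAC addresses are made up; they only need to be unique and stable across files.
cat > "$WORK/ethtab.pre" <<'EOF'
eth0 00:14:5e:aa:bb:00
eth1 00:14:5e:aa:bb:01
eth2 00:14:5e:aa:bb:02
eth3 00:14:5e:aa:bb:03
eth4 00:14:5e:aa:bb:04
eth5 00:14:5e:aa:bb:05
EOF
# After the RMA the kernel enumerated the add-on card backwards: same MACs, names flipped.
cat > "$WORK/ethtab.post" <<'EOF'
eth0 00:14:5e:aa:bb:00
eth1 00:14:5e:aa:bb:01
eth2 00:14:5e:aa:bb:05
eth3 00:14:5e:aa:bb:04
eth4 00:14:5e:aa:bb:03
eth5 00:14:5e:aa:bb:02
EOF
# netconf.C restored from the snapshot still pairs the pre-fail names with their MACs.
cat > "$WORK/netconf.C" <<'EOF'
(
    :conn (
        :ifname (eth0)
        :hwaddr (00:14:5e:aa:bb:00)
    )
    :conn (
        :ifname (eth2)
        :hwaddr (00:14:5e:aa:bb:02)
    )
    :conn (
        :ifname (eth5)
        :hwaddr (00:14:5e:aa:bb:05)
    )
    :conn (
        :ifname (lo)
    )
)
EOF

# Name that an ethtab assigns to a MAC (case-insensitive); prints nothing if absent.
ethtab_name() { # $1=ethtab $2=mac
    awk -v mac="$2" 'tolower($2) == tolower(mac) { print $1; exit }' "$1"
}

# NICs whose name changed between two ethtabs, matched by MAC: "mac old_name new_name".
ethtab_renamed() { # $1=old_ethtab $2=new_ethtab
    awk 'FILENAME == ARGV[1] { old[tolower($2)] = $1; next }
         { m = tolower($2) }
         (m in old) && old[m] != $1 { print $2, old[m], $1 }' "$1" "$2"
}
ethtab_renamed_count() { ethtab_renamed "$1" "$2" | wc -l | tr -d ' '; }

# :conn blocks in netconf.C whose :ifname disagrees with the name the ethtab gives
# that block's :hwaddr. Prints "ifname hwaddr ethtab_name" per mismatch; blocks
# without a hardware address (the loopback) are skipped.
netconf_mismatches() { # $1=ethtab $2=netconf.C
    awk 'function flush() {
             if (name != "" && mac != "" && (mac in tab) && tab[mac] != name)
                 print name, mac, tab[mac]
             name = ""; mac = ""
         }
         FILENAME == ARGV[1] { tab[tolower($2)] = $1; next }
         /:conn[ \t]*\(/   { flush() }
         /:ifname[ \t]*\(/ { s = $0; sub(/.*:ifname[ \t]*\(/, "", s); sub(/\).*/, "", s); name = s }
         /:hwaddr[ \t]*\(/ { s = $0; sub(/.*:hwaddr[ \t]*\(/, "", s); sub(/\).*/, "", s); mac = tolower(s) }
         END { flush() }' "$1" "$2"
}

# Rebuild an ethtab: every MAC known to the backup gets the backup's name, others keep
# theirs; sorted by interface number. Review the output, then copy it over ethtab and
# run cpha_restore_macs before rebooting, as the post describes.
ethtab_restore_names() { # $1=backup_ethtab $2=current_ethtab
    awk 'FILENAME == ARGV[1] { old[tolower($2)] = $1; next }
         { m = tolower($2); n = (m in old) ? old[m] : $1; print n, $2 }' "$1" "$2" | sort -k1.4n
}

echo "renamed NICs (mac old new):"
ethtab_renamed "$WORK/ethtab.pre" "$WORK/ethtab.post"
echo "netconf.C blocks disagreeing with current ethtab (ifname hwaddr ethtab_name):"
netconf_mismatches "$WORK/ethtab.post" "$WORK/netconf.C"
echo "ethtab rebuilt from backup names:"
ethtab_restore_names "$WORK/ethtab.pre" "$WORK/ethtab.post"
```

On a real box, point the functions at your backup copy of ethtab, the live /etc/sysconfig/ethtab and /etc/sysconfig/netconf.C; a clean result is zero renamed NICs and zero netconf.C mismatches. Matching on MAC rather than on name is the whole point: the names are exactly what the kernel change scrambled, while the hardware addresses survive the upgrade.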


Related information:
Check Point SK35274
CPUG – SPLAT upgrade interface re-ordering