After upgrading your system
After upgrading to A32.60 or to a hotfix version of the build, follow the steps in this topic before running your ASMS system.
Check upgrade success
To make sure that the upgrade to A32.60 was successful, perform system sanity checks.
Do the following:
-
In the algosec_conf main menu, select 17 System health.
-
Select 1: Check services status to check that basic ASMS processes are running on your machines.
-
Select 2: Check system health and run a Full check.
Run all firewalls
Run a manual analysis to create an unscheduled report on all individual devices, groups, and matrices defined in AFA. See Run a manual AFA analysis.
SSO integration (if applicable)
If you used custom UID parsers (in pre-existing SSO environments), you may need additional adjustments to your local code. See Configure a customized UID parser.
Existing open Change Requests for Panorama devices
If you did not close Change Requests for Panorama devices before the upgrade (see Close any open Change Requests for Panorama devices), note the following:
-
For each Change Request in the Implement stage: Recalculate the work order.
-
For Change Requests in the Validate stage: Since the Change Request from before the upgrade doesn't have a URL Category field but the matched rule does, if you recalculate the validation after the upgrade, the recommended compatibility check will incorrectly show a failure in the Destination/URL Category column.
For Check Point R80 device R80.30 and lower | configure SFTP
For an R80 device version R80.30 and lower, enable SFTP on the device. To enable SFTP, see Check Point SecureKnowledge article sk82281.
For Azure Subscriptions
Note: In A32.60, to see Azure topology in the ASMS map (used for Traffic Simulation Queries and FireFlow automation), you must onboard the Azure Subscription in both ASMS and CloudFlow.
Do the following:
Case | Do this |
---|---|
If you already have all your Azure subscription(s) onboarded to both CloudFlow and ASMS | |
If you have CloudFlow, but don't have all your Azure subscriptions onboarded to both CloudFlow and ASMS | |
If you don't have CloudFlow connected to ASMS | |
Ensure compatibility of FireFlow customizations
The upcoming AlgoSec ASMS release A33.00 features a significant operating system upgrade from CentOS 7, which is reaching end of life, to Rocky Linux 8. This change includes a shift to Perl version 5.26.3 from the currently used 5.16.
Some of our customers have created FireFlow customizations which are code or scripts in Perl that enable FireFlow customized workflows, integrations with external systems, and customized email responses. These may block the upgrade to A33.00 if the code is not compatible with the Perl version used by A33.00.
To ensure a smooth transition and maintain functionality of your FireFlow customizations in A33.00, it may be necessary to make some adjustments. To assist you in this process, we have introduced the Compatibility Check Tool as part of the latest HF build (A32.60 Build A32.60.300-140 (released May 13) and above). This tool is designed to efficiently identify and help you address potential Perl-related compatibility issues with your FireFlow customizations.
Tip: If you received this message at the end of the upgrade to the latest HF build:
Compatibility issues were found in customization scripts on ip <node_ip> that will impact upgrade to ASMS version A33.00. These issues have no impact on A32.60 but must be fixed before upgrading to A33.00.
This indicates that your customizations will need to be modified prior to upgrading to ASMS A33.00, to ensure that your custom solutions remain functional and optimized for the updated operating environment.
Following the upgrade to latest HF build, you can see details of the FireFlow customizations compatibility issues in /home/afa/customizations_check/check-perl-syntax.log.
Based on the results, when customizations compatibility issues are found:
-
Customer / Third party Customizations: If your team or a third party have implemented customizations that require adjustments independently, you will be responsible for updating or fixing these to ensure compatibility with Perl version 5.26.3 supported by Rocky Linux 8.
-
Customizations by AlgoSec Technical Services: AlgoSec Technical Services will update customizations implemented by them.
Do the following:
-
Following the upgrade to the latest A32.60 HF, see the details of the compatibility issues found in your system in /home/afa/customizations_check/check-perl-syntax.log.
-
Update AlgoSec with your current FireFlow compatibility status by filling out this ASMS A33.00 FireFlow Customizations Compatibility Questionnaire.
-
When compatibility issues are found, ensure you have backups and your current configurations are documented. This is critical to safeguard your customizations and to provide a fallback option, if needed.
-
For FireFlow customizations created by Customer / Third party:
-
Update your FireFlow customizations. For information on how to do this, see below:
-
Validate your changes:
Once you have fixed the compatibility issues, use the Check Perl Syntax script (locally) to verify:
i. Locally on the ASMS machine (with latest A32.60 Build) run the command:
cd /home/afa/customizations_check/
/usr/share/fireflow/local/sbin/copy_fireflow_customization.pl --run -d -c
This creates a .tar file that contains all the customization data in the location where you ran the command. For example, /home/afa/customizations_check/user_customizations_2024-05-01-080420.tar.gz
ii. Back up the file /usr/share/fireflow/local/lib/algosec_perllibs.pm
iii. Run the following:
sed -i 's#/opt/algosec/perl5/lib/perl5#/opt/algosec_perl526/perl5/lib/perl5#g' /usr/share/fireflow/local/lib/algosec_perllibs.pm
iv. Then run:
/usr/bin/check_perl_syntax -f <Path to tar file>
For example, /usr/bin/check_perl_syntax -f /home/afa/customizations_check/user_customizations_2024-05-01-080420.tar.gz
v. Revert /usr/share/fireflow/local/lib/algosec_perllibs.pm by replacing it with the backup file (saved in step ii)
vi. The output is written to the file /home/afa/customizations_check/check-perl-syntax.log. If errors are still found, fix them and verify again.
-
For FireFlow customizations created by AlgoSec Technical Services: AlgoSec Technical Services will update customizations implemented by them.
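The validation steps above temporarily edit algosec_perllibs.pm on a live ASMS machine and rely on a manual revert. The following wrapper is an added example, not AlgoSec code: it uses the sed expression and check_perl_syntax command from this page, and the function name and the PERLLIBS/CHECKER override variables are assumptions of the example. It restores the original file even if the check fails or is interrupted.

```shell
#!/bin/sh
# Added example (not AlgoSec code): run the syntax check with the temporary
# library-path change and always restore algosec_perllibs.pm afterwards.

# Paths from the procedure on this page; the override variables are assumptions
# of this example, used for dry runs against copies.
PERLLIBS="${PERLLIBS:-/usr/share/fireflow/local/lib/algosec_perllibs.pm}"
CHECKER="${CHECKER:-/usr/bin/check_perl_syntax}"

# validate_customizations <tar file>: returns the checker's exit status,
# 2 on setup failure, 130 if interrupted.
validate_customizations() {
    tarball="$1"
    [ -r "$tarball" ] || { echo "cannot read $tarball" >&2; return 2; }
    (
        # Backup beside the original so the restore is a same-filesystem rename.
        backup=$(mktemp "${PERLLIBS}.bak.XXXXXX") || exit 2
        cp -p "$PERLLIBS" "$backup" || { rm -f "$backup"; exit 2; }

        # From here on, any exit path puts the original file back.
        trap 'mv -f "$backup" "$PERLLIBS"' EXIT
        trap 'exit 130' INT TERM

        # Point the library path at the Perl 5.26 tree (sed expression from the page).
        sed -i 's#/opt/algosec/perl5/lib/perl5#/opt/algosec_perl526/perl5/lib/perl5#g' \
            "$PERLLIBS" || exit 2

        "$CHECKER" -f "$tarball"
    )
}

# Stand-alone use: sh validate.sh /home/afa/customizations_check/<tar file>
if [ "$#" -gt 0 ]; then
    validate_customizations "$1"
fi
```

Create the tar file with copy_fireflow_customization.pl first, as in step i, and pass its path to the function.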
In the check-perl-syntax log, each file processed is introduced by the phrase "Processing file" followed by the file name. Any syntax issues detected are described along with their specific locations in the file. If no issues are found, the file is marked with "Syntax OK."
Processing file: myperl.pm
Can't use an array as a reference at myperl.pm line 640.
Processing file: Base.pm
Can't use 'defined(@array)' (Maybe you should just omit the defined()?) at Base.pm line 365.
Processing file: Scrips_ID_99_CustomCommitCode.pl
Smartmatch is experimental at /usr/share/fireflow/local/lib/RT/Tickets_Vendor.pm line 348.
Smartmatch is experimental at /usr/share/fireflow/local/lib/RT/Tickets_Vendor.pm line 354.
Scalar value @arrayOfDNs[0] better written as $arrayOfDNs[0] at /usr/share/fireflow/local/etc/site/lib/PS/PS_LDAP.pm line 47.
Can't use a hash as a reference at Scrips_ID_99_CustomCommitCode.pl line 25.
Processing file: Scrips_ID_99_CustomIsApplicableCode.pl
Scrips_ID_99_CustomIsApplicableCode.pl syntax OK
Processing file: Scrips_ID_99_CustomPrepareCode.pl
Scrips_ID_99_CustomPrepareCode.pl syntax OK
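In the sample above, three of the four lines under Scrips_ID_99_CustomCommitCode.pl point at other modules, so the file being processed is not always the file to edit. This added example (not AlgoSec code) lists each open issue by the location it names and drops the Base.pm and TicketsFromXML.pm false alarms noted on this page; the function names are hypothetical, and matching false alarms on the base name of the reported location is an assumption.

```shell
#!/bin/sh
# Added example (not AlgoSec code): triage check-perl-syntax.log by fix location.

# Sample input: the log excerpt shown on this page.
sample_log() {
cat <<'EOF'
Processing file: myperl.pm
Can't use an array as a reference at myperl.pm line 640.
Processing file: Base.pm
Can't use 'defined(@array)' (Maybe you should just omit the defined()?) at Base.pm line 365.
Processing file: Scrips_ID_99_CustomCommitCode.pl
Smartmatch is experimental at /usr/share/fireflow/local/lib/RT/Tickets_Vendor.pm line 348.
Smartmatch is experimental at /usr/share/fireflow/local/lib/RT/Tickets_Vendor.pm line 354.
Scalar value @arrayOfDNs[0] better written as $arrayOfDNs[0] at /usr/share/fireflow/local/etc/site/lib/PS/PS_LDAP.pm line 47.
Can't use a hash as a reference at Scrips_ID_99_CustomCommitCode.pl line 25.
Processing file: Scrips_ID_99_CustomIsApplicableCode.pl
Scrips_ID_99_CustomIsApplicableCode.pl syntax OK
Processing file: Scrips_ID_99_CustomPrepareCode.pl
Scrips_ID_99_CustomPrepareCode.pl syntax OK
EOF
}

# triage_log: reads the log on stdin, prints one line per open issue as
# "location<TAB>processed file<TAB>message", and returns 1 if any remain.
triage_log() {
    awk -v skip="Base.pm TicketsFromXML.pm" '
    BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) false_alarm[s[i]] = 1 }
    /^Processing file: / { cur = substr($0, 18); next }
    /^[ \t]*$/ || tolower($0) ~ / syntax ok\.?$/ { next }
    {
        loc = "?"; base = cur; msg = $0
        if (match($0, / at [^ ]+ line [0-9]+\.?$/)) {
            msg = substr($0, 1, RSTART - 1)
            split(substr($0, RSTART + 4, RLENGTH - 4), p, " line ")
            sub(/\.$/, "", p[2])
            loc = p[1] ":" p[2]
            n = split(p[1], q, "/"); base = q[n]
        }
        if (base in false_alarm) next
        printf "%s\t%s\t%s\n", loc, cur, msg
        open_issues++
    }
    END { exit (open_issues > 0) }'
}

# On the ASMS machine: triage_log < /home/afa/customizations_check/check-perl-syntax.log
```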
Reason | Code in Perl 5.16 | Code in Perl 5.26 |
---|---|---|
syntax error | foreach my $attr qw(id Creator Created LastUpdated TimeTaken LastUpdatedBy) { | foreach my $attr (qw(id Creator Created LastUpdated TimeTaken LastUpdatedBy)) { |
syntax error | foreach my $attr qw(id Creator Created LastUpdated LastUpdatedBy) { | foreach my $attr (qw(id Creator Created LastUpdated LastUpdatedBy)) { |
syntax error | foreach my $attr qw(TimeWorked TimeLeft TimeEstimated InitialPriority FinalPriority) | foreach my $attr (qw(TimeWorked TimeLeft TimeEstimated InitialPriority FinalPriority)) |
syntax error | foreach my $date qw(due starts started resolved) { | foreach my $date (qw(due starts started resolved)) { |
syntax error | foreach my $type qw(TimeEstimated TimeWorked TimeLeft) { | foreach my $type (qw(TimeEstimated TimeWorked TimeLeft)) { |
syntax error | foreach my $watcher_type qw(Requestors Cc AdminCc) { | foreach my $watcher_type (qw(Requestors Cc AdminCc)) { |
Unescaped left brace in regex is illegal here in regex; marked by <-- HERE in m/^(.*?)\.{ <-- HERE (.+)}$/ | elsif ( my ($mainkey, $subkey) = $args{'Name'} =~ /^(.*?)\.{(.+)}$/ ) { | elsif ( my ($mainkey, $subkey) = $args{'Name'} =~ /^(.*?)\.\{(.+)\}$/ ) { |
syntax error | foreach my $date qw(due starts started resolved) { | foreach my $date (qw(due starts started resolved)) { |
syntax error | foreach my $type qw(Requestor Cc AdminCc) { | foreach my $type (qw(Requestor Cc AdminCc)) { |
POSIX::isdigit has been removed as of Perl v5.24 | use POSIX; if ($paramType eq 'integer' && !isdigit($paramValue)) | # check if paramValue is not a digit if ($paramType eq 'integer' && $paramValue =~ /\D/) |
Can't use 'defined(@array)' (Maybe you should just omit the defined()?) | @RT::MessagesToLogInInit = () unless defined @RT::MessagesToLogInInit; | @RT::MessagesToLogInInit = () unless @RT::MessagesToLogInInit; |
"my" variable $ret masks earlier declaration | my ($ret, $msgs) = FireFlow::MultipleWorkflowsUtils::LoadWorkflowsConfig(...); | ($ret, $msgs) = FireFlow::MultipleWorkflowsUtils::LoadWorkflowsConfig(...); |
Unescaped left brace in regex is illegal here in regex; marked by <-- HERE in m/SERVICES { <-- HERE | if($line =~ /SERVICES {/){ | if($line =~ /SERVICES \{/){ |
Can't use a hash as a reference | ... scalar keys %$result->{ipApps} ne scalar @protocols | ... scalar (keys %{$result->{ipApps}}) ne scalar @protocols |
Experimental splice on scalar is now forbidden | splice($self->{$CONFIGURATIONS}->...->{$attribute_name3}, $index, 1); | splice(@{$self->{$CONFIGURATIONS}->...->{$attribute_name3}}, $index, 1); |
Experimental keys on scalar is now forbidden | foreach my $acl (keys $trafficLine->TrafficScope->InfoPerRelevantAcl) { | foreach my $acl (keys %{$trafficLine->TrafficScope->InfoPerRelevantAcl}) { |
Experimental push on scalar is now forbidden | push ($msoActiveChangeStatus->{messages},("..." . $manualPart)); | push (@{$msoActiveChangeStatus->{messages}},("..." . $manualPart)); |
Experimental push on scalar is now forbidden | push $messagesPerDevice{$messageObject->Device}, $messageObject->Message; | push @{$messagesPerDevice{$messageObject->Device}}, $messageObject->Message; |
Experimental each on scalar is now forbidden | while( my( $device, $messages ) = each $messagesPerDevice){ | while( my( $device, $messages ) = each %$messagesPerDevice){ |
"my" variable $appCF masks earlier declaration in same scope | my $appCF = $self->LoadCustomFieldByIdentifier($appCF); | $appCF = $self->LoadCustomFieldByIdentifier($appCF); |
Can't use a hash as a reference | my $templateName = %args->{"CustomField-".$templateCFId}->[0]->{Value}; | my $templateName = $args{"CustomField-".$templateCFId}->[0]->{Value}; |
Experimental keys on scalar is now forbidden | for my $currentApplication (keys $applicationsDefinitions) { | for my $currentApplication (keys %$applicationsDefinitions) { |
Smartmatch is experimental | if ($cf->Category ~~ @BASE_TICKET_CUSTOM_FIELDS_CATEGORIES_WHITE_LIST && ...){ | use List::Util qw(any); if ((any { $_ eq $cf->Category } @BASE_TICKET_CUSTOM_FIELDS_CATEGORIES_WHITE_LIST) && ...){ |
Smartmatch is experimental | next if ($cfName ~~ @CFBlackList); | use List::Util qw(any); next if (any { $_ eq $cfName } @CFBlackList); |
Experimental push on scalar is now forbidden | push $inputLines, $tickets[$i]->{$TRAFFIC_TAG}->{$INPUT_LINE_NUMBER_TAG}; | push @$inputLines, $tickets[$i]->{$TRAFFIC_TAG}->{$INPUT_LINE_NUMBER_TAG}; |
Experimental push on scalar is now forbidden | push $inputLines, $trafficTuples[$i]->{$INPUT_LINE_NUMBER_TAG}; | push @$inputLines, $trafficTuples[$i]->{$INPUT_LINE_NUMBER_TAG}; |
Can't use 'defined(@array)' (Maybe you should just omit the defined()?) | if (defined(@logContent) && scalar(@logContent) > 0) { | if (@logContent && scalar(@logContent) > 0) { |
"my" variable $addFirewalls masks earlier declaration in same scope | my ($newDevicesInExistingPerPolicyRequests, $addFirewalls, $deleteFirewalls); | my $newDevicesInExistingPerPolicyRequests; |
Scalar value @devicesToCreateArr[0] better written as $devicesToCreateArr[0] | @devicesToCreate = @{JSON::from_json(@devicesToCreateArr[0])}; | @devicesToCreate = @{JSON::from_json($devicesToCreateArr[0])}; |
-
Syntax errors reported in files Base.pm and TicketsFromXML.pm are false alarms. No modifications are required for these files.
-
Some users may experience a "symbol lookup error" during compilation if their custom Perl script includes the following line:
use /opt/algosec/perl5/lib/perl5;
To resolve this issue:
-
Replace the problematic line with:
use /opt/algosec_perl526/perl5/lib/perl5;
-
Re-run the 'Check Perl Syntax' script to test the file.
-
Important: After the validation check, revert the line back to its original state to avoid any disruptions in functionality.