When upgrading Check Point Management, MDS or CMA from R77.x to R80.x it seems quite easy to upgrade it in SecureTrack, too. Just go to Menu > Settings > Monitoring and select the device that has been upgraded. The Menu on the right side shows the option "Upgrade to R80", you select it and provide the credentials for the API user at the Check Point Management. After that, the device monitoring has been changed to R80 and everything runs fine.

 

Problem

What happens if "st stat" or Menu > Admininstration > Status shows an error:

myDevice        10.1.1.1  14   CMA  1001   valid        Error: Upgrade device to R80 in Settings > Manage Devices > Monitored Devices

The situation seems a little bit confusing - the upgrade has been done in Check Point as well as Tufin SecureTrack, but the status shows an error as if the Management Server has not been upgraded in SecureTrack.

 

Reason for this error

The reason for this error is a change of the management type in the data base - and the change has not taken place in the data base. This is not the "normal way", but it might happen that the change is not recognized in SecureTrack. The differences are:

SmartCenter R77.x is referred as cp_smrt_cntr
SmartCenter R80.x is referred as cp_smc_r80plus

CMA R77.x is referred as cp_cma
CMA R80.x is referred as cp_domain_r80plus

 

Solution

First - as every time you work on the data base: Perform a backup (!)
For a Check Point CMA the necessary next procedure looks like this:

  • Check the ID of the device using "st stat". This example uses the Management ID 14
  • Check the current status of the device:
    [root@TufinOS]# psql -Upostgres securetrack -xc "select cp_type from managements where management_id=14"
    -[ RECORD 1 ]---
    cp_type | cp_cma
    [root@TufinOS ~]
  • Update the variable in the data base and re-check the status
    [root@TufinOS ~]# psql -Upostgres securetrack -xc "update managements set cp_type='cp_domain_r80plus' where management_id=14"
    UPDATE 1
    [root@TufinOS ~]# psql -Upostgres securetrack -xc "select cp_type from managements where management_id=14"
    -[ RECORD 1 ]--------------
    cp_type | cp_domain_r80plus
    [root@TufinOS ~]
  • Restart the monitored device
    [root@TufinOS~]# st restart 14
    Stopping SecureTrack process for server myDevice - 10.1.1.1 (Id: 14)
    SecureTrack process stopped for server 10.1.1.1 (Id: 14)
    SecureTrack for myDevice - 10.1.1.1 (Id: 14) was started successfully
    [root@TufinOS ~]

 

After some seconds the status should have been changed - this can be checked either "st stat" or the WebUI.
The error shown above should not be shown any more. If other errors are shown, you need to continue troubleshooting. Maybe these links help:
https://www.tufin.club/index.php/24-securetrack/52-check-point-api-client-error
https://www.tufin.club/index.php/24-securetrack/73-check-point-api-client-error-part-2