topic Re: How to debug Policy Installation Errors in Firewall and Security Management

How to debug Policy Installation Errors

Hugo_vd_Kooij — Mon, 14 Aug 2017 09:59:04 GMT

I get some BETA Dejavu experiences. Where I would break the EA version by activating the DNS server on the object for my Active Directory server.

Ia noe have this gracefull error "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000040)." But I can't even recall having put anything as naughty as a DNS server in my policy.

..... Checking myself again ....

Guess what. I actually did enable the DNS server on my Domain Controller. So what is the logic of this failure?

Re: How to debug Policy Installation Errors

PhoneBoy — Mon, 14 Aug 2017 16:30:57 GMT

Is this an object setting in SmartConsole?

Because it doesn't sound familiar and I don't see a setting for it offhand.

Can you post a screenshot?

Re: How to debug Policy Installation Errors

Hugo_vd_Kooij — Tue, 15 Aug 2017 07:50:19 GMT

It's this simple to break your policy. And the error is not giving any clues.

There is a note in SK110519:

02496239

Policy installation fails with "Policy installation failed on gateway 0-2000040" error and log: "fw_atomic_add_spii_parameter: Failed to get object named <object_name>".

Workaround: for all hosts with a server configuration, unselect the servers. Publish. Select the servers again, and publish again.

R80.10

So there is a workaround and the issue is known. But it seems be part of the list "unresolved bugs".

Re: How to debug Policy Installation Errors

PhoneBoy — Tue, 15 Aug 2017 16:45:34 GMT

This feature is an artifact that goes back several versions and was necessary for some IPS Protections to be applied to the correct hosts only.

In R80.x, these options are no longer necessary.

That said, policy compilation would ideally handle this situation, or at least print a more clear error message.

Re: How to debug Policy Installation Errors

Hugo_vd_Kooij — Fri, 22 Sep 2017 12:55:10 GMT

There is a way you can set it in R80.10 that makes it even more odd.

Let's face it. This question makes a lot of sense to most people. Doesn't it?

But it will change the host object:

And I am back to a time and place where brown stuff collides at high velocity with rotating blades.

I think that Check Point could do a lot better. It invites people to make sens of their policy and then you end up with a policy that will not install.

There is a lot to fix yet in R80.10!

Re: How to debug Policy Installation Errors

Marcel_Talos — Thu, 03 May 2018 02:54:58 GMT

Hi,

I've had exactly the same problem with that exact error message, where the policy would verify fine but fail to install. I've logged a TAC case and the engineer fixed it by doing this on the Secure Management server

[Expert@MGMT:0]# cd $FWDIR/conf
[Expert@MGMT:0]# grep -e $'^\t\t: (' objects_5_0.C -e "is_mail_server (false)" -e mail_server_prop | grep -v "mail_server_prop ()" | grep mail_server_prop -B 2 | grep ":is_mail_server (false)" -B 1 | grep -e $'^\t\t: ('

This will list objects that are configured as servers. Go through each object and un-tick everything under Servers. Once that is done, publish changes and push policy. The policy should install fine.

Marcel.

Re: How to debug Policy Installation Errors

Timothy_Hall — Thu, 10 May 2018 23:46:03 GMT

The error message "Policy installation failed on gateway" and its predecessor "Load on module failed" indicate that the policy passed SMS verification and was compiled & successfully transferred to the gateway, but the atomic load of the policy into the running firewall kernel failed. These are frustratingly generic error messages for the simple reason that the SMS has no idea why the load failed, only the gateway does. Debugging of this problem needs to take place on the gateway. The linked SK below lays out some of the different situations that can cause this, but in my experience it generally boils down to one of the following:

1) Memory or other resource shortage on the gateway, in the case of a long-term memory leak a reboot of the gateway may help

2) The compiled policy is "corrupt" and should not have passed verification in the first place on the SMS. This can be caused by damaged files referenced during policy compilation on the SMS, or the user being improperly allowed to enable settings/features that the target gateway software version cannot understand or support

3) Error in policy compilation not caught by the SMS such as the same variable getting included in the compiled policy more than once, or conflicting settings for the same object

4) Possible corruption on the gateway, once again a reboot may help

sk33893: 'Installation failed. Reason: Load on Module failed - failed to load security policy' error during policy installation

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: How to debug Policy Installation Errors

Johan_Hillstrom — Wed, 26 Jun 2019 14:39:45 GMT

I got the exact same error on R80.20 standalone just now.

It appeared after specifying internal DNS server under Malware DNS Trap on the IPS Profile.

I managed to solve the policy installation error by modifying the DNS server host objects as follows.

On the host object, DNS Server/Configuration/Protection, change Protected by: from All to the gateway object that the host actually resides behind.

Hope this helps for you as well @Hugo_vd_Kooij

Re: How to debug Policy Installation Errors

John_Tomasetti — Thu, 15 Aug 2019 15:03:52 GMT

Thank you for pointing me to SK110519. Turning on DNS server, publish, and turn off DNS server, publish fixed the problem I had pushing policy. Interesting that I could fetch policy from the gateway, just could not push it from the Smartconsole.