topic Re: Policy installation and verification question in Firewall and Security Management

Policy installation and verification question

Don_Paterson — Sat, 09 Dec 2017 17:10:59 GMT

Hello,

I am hoping someone can give me more detailed or background information (or a link to an SK) to learn more about the steps below. Especially step 2.

Verification & Compilation

The Verification & Compilation stage of policy installation occurs on the management side. It involves the following steps:

1.Initiation — Policy installation is initiated either from SmartConsole or from the command line.

2.Database Dump — A database dump from postgres to old file formats for cpmitable only if changes occurred. A dump from non cpmi will occur any time.

3.Verification — Information in the database is verified to comply with a number of rules specific to the application and package for which policy installation is requested.

4.Conversion — The information in the database is converted from its initial format to the format understandable by later participants in the flow, such as code generation and gateway.

5.Fwm rexec — Fwm loader takes a lot of memory. To release memory after verification and conversion, fwm state is saved to a file located in the $FWDIR/tmp/ directory. fwm is then re-executed as a fwm load command to push the files for code generation and compilation.

6.Code Generation and Compilation — Policy is translated to the INSPECT language and compiled with the INSPECT compiler.

Thanks,

Don

Re: Policy installation and verification question

KennyManrique — Sat, 09 Dec 2017 19:13:33 GMT

Hello Don,

I was trying to find the documentation mentioned on your request, but i wasnt able to do it. Do you have the source of this information?

However, you can verify the following SK solution for policy install:

sk60347: How To Troubleshoot Policy Installation Issues (for R75 - R77)

Regards.

Re: Policy installation and verification question

Don_Paterson — Sat, 09 Dec 2017 19:34:35 GMT

Thanks Kenny,

It's from the CCSE R80.10 training.

I couldn't find anything on it either.

There is another SK that goes through the older version policy install steps but it's not as descriptive and I have asked for it to be reviewed and versions corrected.

I am thinking that the answer may come from HQ where the info might have originated.

Regards,

Don

Re: Policy installation and verification question

KennyManrique — Sat, 09 Dec 2017 20:31:22 GMT

Thanks for the clarification Don.

I think we have to wait some time for Secure Knowledge updates on R80 internal processes flow (in adition to already existent R80.x Security Management server main processes debugging) and new functionalities in the architecture (like inspection points "e" and "E" for encrypt mentionen in another post, UnifiedPolicy chain, etc.).

Re: Policy installation and verification question

Dan_Zaidman — Sun, 10 Dec 2017 07:00:16 GMT

Hi Don.

Regarding Database dump,

The fwm loader expects the get its input as files.

the database may have change since the last install policy.

Therefore, we dump the postgres database to a temporary file structure, for every install policy, or install database command.

Dan

Re: Policy installation and verification question

Don_Paterson — Sun, 10 Dec 2017 13:36:09 GMT

Thanks Dan. Can you share any information on the term cpmi table?

I would also be interested to know the key differences or responsibilities of fw_loader and fwm_loader?

I will do an analysis to understand the processes and files involved but their tasks may not be so easy for me to understand (debug).

Regards,

Don

Re: Policy installation and verification question

Dan_Zaidman — Sun, 10 Dec 2017 14:51:04 GMT

Hi Don.

CPMI tables are related to the old database (not Java) such as in R77.

when running fwm with the argument "load",

the fwm does not act as a server, it is running as a command.

fw_loader is the binary spawned from the fwm load command.

fwm load is running the conversion and verification.

fw_loader is running the the code generation and compilation.

Dan