https://community.checkpoint.com/t5/General-Topics/PSA-implied-rules-HFA-def/m-p/197846#M33135 <P>It has to be this one?</P> <P>Andy</P> <P>[Expert@CP-management:0]# find / -name *_HFA.def*<BR />/opt/CPSFWR80CMP-R81.20/lib/implied_rules_HFA.def<BR />[Expert@CP-management:0]#</P> Mon, 13 Nov 2023 17:39:42 GMT the_rock 2023-11-13T17:39:42Z https://community.checkpoint.com/t5/General-Topics/PSA-implied-rules-HFA-def/m-p/197844#M33134 <P>Hey all,</P> <P>Just a PSA here, something even I never ran into before:</P> <P>In $FWDIR/lib on the management server, you know about those *_HFA.def files that the HFA updates create so as to not blow up your own edits. &nbsp;IIRC, historically, those weren't needed by fw_loader to compile the policy. &nbsp;Well, apparently, in R81(.20?), they now need to exist! &nbsp;I dunno how they get handled vis a vis a customized file (i.e.: implied_rules.def).</P> <P>I had a server where I needed the new implied rules list (cxld, iked, etc.) so I did the usual steps: check a diff between the current file and the _HFA.def file, made a backup of the current file, renamed the necessary _HFA.def to the main file (if needed), do any necessary edits, check it, and install policy.</P> <P>Whoooaaaaa, not so fast! &nbsp;A policy install with mgmt_cli (or API remotely) worked just fine. &nbsp;However, when I did the policy install from SmartConsole, I got "Internal Error", and it died. &nbsp;I ran a cpm_debug on the management server for the "Access_Install" topic, and it showed error exceptions:</P> <LI-CODE lang="markup">13/11/23 12:13:35,283 ERROR com.checkpoint.management.dleserver.coresvc.internal.PolicyInstallationSvcImpl.installPolicy:890 [qtp-882154951-34077]: Failed to install policy due to unexpected exception java.nio.file.NoSuchFileException: /opt/CPsuite-R81.20/fw1/lib/implied_rules_HFA.def </LI-CODE> <P>&nbsp;That's...odd.... I just did a "cp implied_rules.def implied_rules_HFA.def" and the SmartConsole policy install worked again!&nbsp;</P> <P><STRONG>PSA: don't remove those _HFA.def files just yet!</STRONG>&nbsp;</P> <P>(yes, i have R81.20 gateways under management as well)</P> <P>&nbsp;</P> Mon, 13 Nov 2023 17:34:42 GMT https://community.checkpoint.com/t5/General-Topics/PSA-implied-rules-HFA-def/m-p/197844#M33134 Duane_Toler 2023-11-13T17:34:42Z https://community.checkpoint.com/t5/General-Topics/PSA-implied-rules-HFA-def/m-p/197846#M33135 <P>It has to be this one?</P> <P>Andy</P> <P>[Expert@CP-management:0]# find / -name *_HFA.def*<BR />/opt/CPSFWR80CMP-R81.20/lib/implied_rules_HFA.def<BR />[Expert@CP-management:0]#</P> Mon, 13 Nov 2023 17:39:42 GMT https://community.checkpoint.com/t5/General-Topics/PSA-implied-rules-HFA-def/m-p/197846#M33135 the_rock 2023-11-13T17:39:42Z https://community.checkpoint.com/t5/General-Topics/PSA-implied-rules-HFA-def/m-p/197848#M33136 <P>Yeah my particular error here was the implied_rules_HFA.def. &nbsp;It didn't seem to care about any others:</P> <LI-CODE lang="markup">[Expert@mgmt:0]# grep -o 'lib\/.*HFA.def' cpm.elg |sort|uniq lib/implied_rules_HFA.def </LI-CODE> <P>&nbsp;</P> Mon, 13 Nov 2023 17:44:14 GMT https://community.checkpoint.com/t5/General-Topics/PSA-implied-rules-HFA-def/m-p/197848#M33136 Duane_Toler 2023-11-13T17:44:14Z https://community.checkpoint.com/t5/General-Topics/PSA-implied-rules-HFA-def/m-p/197849#M33137 <P>I can sort of see that, makes total sense.</P> <P>Andy</P> Mon, 13 Nov 2023 17:46:03 GMT https://community.checkpoint.com/t5/General-Topics/PSA-implied-rules-HFA-def/m-p/197849#M33137 the_rock 2023-11-13T17:46:03Z