topic Re: Only one chassis receives the policy after making changes on SmartProvisioning in Hyperscale Firewall (Maestro)

Only one chassis receives the policy after making changes on SmartProvisioning

kamilazat — Fri, 18 Apr 2025 09:43:44 GMT

Hello everyone.

We have a dual site setup with R81.10 JHF Take 172.

We noticed that when we make a change on SmartProvisioning and install the policy, only the active chassis receives the policy and updates the policy singature.

For example,

[Global] clish > asg policy verify -a

+----------------------------------------------------------------------+
|Policy Verification |
+-------+-------------------+---------------+-----------------+--------+
|SGM |Policy Name |Policy Date |Policy Signature |Status |
+-------+-------------------+---------------+-----------------+--------+
|1_01 |Standard |14Apr25 09:44 |49c54a3e2 |Failed |
|2_01 |Standard |14Apr25 09:44 |e96b2c0b7 |Failed |
+-------+-------------------+---------------+-----------------+--------+

But when we install a policy without making any changes on SmartProvisioning, everything works, all gateways receive policy, same policy signatures. Example,

+----------------------------------------------------------------------+
|Policy Verification |
+-------+-------------------+---------------+-----------------+--------+
|SGM |Policy Name |Policy Date |Policy Signature |Status |
+-------+-------------------+---------------+-----------------+--------+
|1_01 |Standard |17Apr25 01:17 |fde3508f3 |Success |
|2_01 |Standard |17Apr25 01:17 |fde3508f3 |Success |
+-------+-------------------+---------------+-----------------+--------+

We have been consistently able to replicate this. We thought it may be some sync problems, but policy installation without SP works perfectly fine, so it doesn't look like a sync issue. At leasst not when a normal policy is pushed.

asg diag verify only shows "Policy signature doesn't match on all SGMs" error and everything else is just "Passed". And we see that only after a policy push that contains a change in SP.

I'm not experienced in SmartProvisioning, maybe it has its own policy push mechanism besides SmartConsole or SmartUpdate. But I stand corrected here.

As always, any ideas are deeply appreciated.

Cheers!

Re: Only one chassis receives the policy after making changes on SmartProvisioning

Dario_Perez — Tue, 22 Apr 2025 14:46:31 GMT

Note - SmartProvisioning is not available for members of SmartLSM cluster

.https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SmartProvisioning_AdminGuide/Topics-SPROVG/Introduction-to-SmartProvisioning.htm

Re: Only one chassis receives the policy after making changes on SmartProvisioning

kamilazat — Wed, 23 Apr 2025 07:55:06 GMT

@Dario_Perez Thank you for pointing to that note. Now I have more questions 🙂

If I understand that statement correctly, I can manage a cluster via SmartLSM, but I can't manage individual members in a cluster. But even if that's the case, I'm having hard time understanding the difference between installing policy on a cluster and a single security group. Maybe I'm wrong in assuming that policy gets installed on a single object with a single IP (like the active member of a cluster or SMO in a security group).

In our case both chassis have the same security group, so it appears as a single gateway on SmartConsole (even simpler than a cluster).

Does that limitation really apply to security groups distributed to two chassis as well?

Re: Only one chassis receives the policy after making changes on SmartProvisioning

Wolfgang — Wed, 23 Apr 2025 08:09:18 GMT

I believe SmartProvisioning (aka SmartLSM) is not supported with Maestro until R82

sk148074 - Known Limitations for Scalable Platforms R80.20SP - R81.20 (Maestro Appliances and Chassis)

ID	Product	Description	Found in	Resolved In
SmartProvisioning
01511158	All	Scalable Platforms do not support SmartProvisioning management.	R76SP	R82

Re: Only one chassis receives the policy after making changes on SmartProvisioning

kamilazat — Wed, 23 Apr 2025 08:34:58 GMT

Interesting. I will confirm with TAC whether this is related to our case.