This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AlJo
Contributor
‎2023-04-25 10:08 AM

R81.20 Policy verify error via API

We're in the process of moving from R80.40 to R81.20 and our devs are testing their existing code and running into this error when performing a policy verify with API 1.9

{"code"=>200, "hash"=>{"tasks"=>[{"task-id"=>"01234567-89ab-cdef-9cd1-9545bae0a64e", "task-name"=>"Verify policy operation", "status"=>"failed", "progress-percentage"=>100, "suppressed"=>false, "task-details"=>[{"fault-message"=>"Failed to create dir hierarchy"}]}]}}

Anyone have an insight into what be causing this?  This looks like API back-end code might not have permissions to create a directory tree but I have no idea where to look or if that is even on the right track.

 

Thanks,

 

12 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-04-25 11:12 AM

Never seen that before...let me check in a bit and see what could be an issue.

Best,
Andy
0 Kudos
Matt_Tuma
Explorer
‎2023-04-25 11:17 AM
In response to the_rock

I'm one of the devs. I just want to make note that this does not always happen. Maybe like 1 out of 4 completes successfully.

0 Kudos
_Val_
Admin
Admin
‎2023-04-25 12:56 PM
In response to Matt_Tuma

Please elaborate

Matt_Tuma
Explorer
‎2023-04-25 01:35 PM
In response to _Val_

I replied in another thread but we are using the web api. 1 out of 4 verifies complete successfully, but the others fail with that error message in the original post.

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-04-25 12:35 PM

Can you please send command you ran? Blur out any sensitive info.

Andy

Example from my lab:

 

[Expert@QUANTUM-MANAGEMENT:0]# mgmt_cli verify-policy policy-package "LAB-POLICY" --format json
Username: admijn
Password:
code: "err_login_failed"
message: "Authentication to server failed."

[Expert@QUANTUM-MANAGEMENT:0]#
[Expert@QUANTUM-MANAGEMENT:0]# mgmt_cli verify-policy policy-package "LAB-POLICY" --format json
Username: admin
Password:


---------------------------------------------
Time: [15:35:02] 25/4/2023
---------------------------------------------
"Verify policy operation" in progress (20%)


---------------------------------------------
Time: [15:35:12] 25/4/2023
---------------------------------------------
"Verify policy operation" in progress (40%)


---------------------------------------------
Time: [15:35:22] 25/4/2023
---------------------------------------------
"Verify policy operation" succeeded (100%)
{
"tasks" : [ {
"task-id" : "01234567-89ab-cdef-824e-d9e93d4a17ff",
"task-name" : "Verify policy operation",
"status" : "succeeded",
"progress-percentage" : 100,
"suppressed" : false,
"task-details" : [ {
"workSession" : "1b5fbea5-325d-4c31-9f3c-e5c2de32a2ef",
"title" : "Verification of policy 'LAB-POLICY' succeeded",
"notifications" : [ " Security and Address Translation Policy Verification 'LAB-POLICY'", " Rules Verified OK!" ],
"warnings" : [ ],
"errors" : [ ]
} ]
} ]
}


---------------------------------------------
Time: [15:35:23] 25/4/2023
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@QUANTUM-MANAGEMENT:0]#

Best,
Andy
0 Kudos
Matt_Tuma
Explorer
‎2023-04-25 01:12 PM
In response to the_rock

Hello,

So we are actually using the web api. 

We are simply doing a POST on the /verify-policy endpoint, with a body including the 'policy_package':

{

  "policy-package": "<policy_name>"

}

Maybe 1 out of 4 verifies actually complete successfully, the rest return that error that was shared.

Thanks,

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-04-26 07:46 AM
In response to Matt_Tuma

Im with Phoneboy on this, may need TAC help to confirm why thats the case.

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2023-04-26 07:38 AM

I suspect this will require a TAC case to investigate: https://help.checkpoint.com 

AlJo
Contributor
‎2023-04-26 08:28 AM
In response to PhoneBoy

I've opened a support case for this issue... We'll provide an updates once we know more.

Thanks for digging in.

the_rock
MVP Platinum
MVP Platinum
‎2023-04-26 08:30 AM
In response to AlJo

Definitely let us know what they say, as we always like to update the solutions in the community, since it helps others.

Cheers!

Best,
Andy
0 Kudos
AlJo
Contributor
‎2023-05-26 06:59 AM

Circling back to update on the solution.

 

Unfortunately, we did not find the root cause of this issue.

The MDS was deployed from the Check Point provided R81.20-Management OVA

We then patched to Take 8 - We're not sure if the issue existing prior to Take 8 or not since Take 8 was recommended at the time.

We had a failure rate on policy verify via API calls of approximately 75%

While our TAC engineer was trying to replicate the environment and the issue (he was never able to reproduce the issue) I installed Take 10.

After a Take 10 install, the MDS main CMA would not start so we had a 100% failure rate on API calls.

I uninstalled Take 10

We now have a 100% success rate on API policy verifies.

Since the initial error messages on the API policy verify calls indicated a file permissions issue (just not which file/directory) we suspect that Take 10 fixed the file permissions issue and those changes remained after the Take 10 uninstall.

 

I wish I had a better answer to this issue.

the_rock
MVP Platinum
MVP Platinum
‎2023-05-26 07:15 AM
In response to AlJo

Yea, I can see that can be little frustrating, though happy it works again.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events