Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
AlJo
Contributor

R81.20 Policy verify error via API

We're in the process of moving from R80.40 to R81.20 and our devs are testing their existing code and running into this error when performing a policy verify with API 1.9

{"code"=>200, "hash"=>{"tasks"=>[{"task-id"=>"01234567-89ab-cdef-9cd1-9545bae0a64e", "task-name"=>"Verify policy operation", "status"=>"failed", "progress-percentage"=>100, "suppressed"=>false, "task-details"=>[{"fault-message"=>"Failed to create dir hierarchy"}]}]}}

Anyone have an insight into what be causing this?  This looks like API back-end code might not have permissions to create a directory tree but I have no idea where to look or if that is even on the right track.

 

Thanks,

 

12 Replies
the_rock
Legend
Legend

Never seen that before...let me check in a bit and see what could be an issue.

0 Kudos
Matt_Tuma
Explorer

I'm one of the devs. I just want to make note that this does not always happen. Maybe like 1 out of 4 completes successfully.

0 Kudos
_Val_
Admin
Admin

Please elaborate

Matt_Tuma
Explorer

I replied in another thread but we are using the web api. 1 out of 4 verifies complete successfully, but the others fail with that error message in the original post.

 

0 Kudos
the_rock
Legend
Legend

Can you please send command you ran? Blur out any sensitive info.

Andy

Example from my lab:

 

[Expert@QUANTUM-MANAGEMENT:0]# mgmt_cli verify-policy policy-package "LAB-POLICY" --format json
Username: admijn
Password:
code: "err_login_failed"
message: "Authentication to server failed."

[Expert@QUANTUM-MANAGEMENT:0]#
[Expert@QUANTUM-MANAGEMENT:0]# mgmt_cli verify-policy policy-package "LAB-POLICY" --format json
Username: admin
Password:


---------------------------------------------
Time: [15:35:02] 25/4/2023
---------------------------------------------
"Verify policy operation" in progress (20%)


---------------------------------------------
Time: [15:35:12] 25/4/2023
---------------------------------------------
"Verify policy operation" in progress (40%)


---------------------------------------------
Time: [15:35:22] 25/4/2023
---------------------------------------------
"Verify policy operation" succeeded (100%)
{
"tasks" : [ {
"task-id" : "01234567-89ab-cdef-824e-d9e93d4a17ff",
"task-name" : "Verify policy operation",
"status" : "succeeded",
"progress-percentage" : 100,
"suppressed" : false,
"task-details" : [ {
"workSession" : "1b5fbea5-325d-4c31-9f3c-e5c2de32a2ef",
"title" : "Verification of policy 'LAB-POLICY' succeeded",
"notifications" : [ " Security and Address Translation Policy Verification 'LAB-POLICY'", " Rules Verified OK!" ],
"warnings" : [ ],
"errors" : [ ]
} ]
} ]
}


---------------------------------------------
Time: [15:35:23] 25/4/2023
---------------------------------------------
"Publish operation" succeeded (100%)
[Expert@QUANTUM-MANAGEMENT:0]#

0 Kudos
Matt_Tuma
Explorer

Hello,

So we are actually using the web api. 

We are simply doing a POST on the /verify-policy endpoint, with a body including the 'policy_package':

{

  "policy-package": "<policy_name>"

}

Maybe 1 out of 4 verifies actually complete successfully, the rest return that error that was shared.

Thanks,

0 Kudos
the_rock
Legend
Legend

Im with Phoneboy on this, may need TAC help to confirm why thats the case.

0 Kudos
PhoneBoy
Admin
Admin

I suspect this will require a TAC case to investigate: https://help.checkpoint.com 

AlJo
Contributor

I've opened a support case for this issue... We'll provide an updates once we know more.

Thanks for digging in.

the_rock
Legend
Legend

Definitely let us know what they say, as we always like to update the solutions in the community, since it helps others.

Cheers!

0 Kudos
AlJo
Contributor

Circling back to update on the solution.

 

Unfortunately, we did not find the root cause of this issue.

The MDS was deployed from the Check Point provided R81.20-Management OVA

We then patched to Take 8 - We're not sure if the issue existing prior to Take 8 or not since Take 8 was recommended at the time.

We had a failure rate on policy verify via API calls of approximately 75%

While our TAC engineer was trying to replicate the environment and the issue (he was never able to reproduce the issue) I installed Take 10.

After a Take 10 install, the MDS main CMA would not start so we had a 100% failure rate on API calls.

I uninstalled Take 10

We now have a 100% success rate on API policy verifies.

Since the initial error messages on the API policy verify calls indicated a file permissions issue (just not which file/directory) we suspect that Take 10 fixed the file permissions issue and those changes remained after the Take 10 uninstall.

 

I wish I had a better answer to this issue.

the_rock
Legend
Legend

Yea, I can see that can be little frustrating, though happy it works again.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events