pdn
Contributor

add-access-rule failed: no publish staging queue?

Recently I noticed that when we have multiple publishes, coming into the Checkpoint in fast succession, that have the same source OR same destination, Checkpoint chokes with the add-access-rule error (for all publish requests, except the first one).  If we pace the incoming publishes out, like at 30sec or more in between, we have no issue.  So, it seems that Checkpoint doesn't have any staging queue for the publishes.  Is that true?

 

Thanks.

0 Kudos
3 Replies
Amir_Senn
Employee

Can you perhaps share syntax?

Kind regards, Amir Senn
0 Kudos
pdn
Contributor

I'd like to correct what I said earlier.

So the API we've used to add a rule is add-access-rule. Then we send a publish. It fails with the add-access-rule call, even before the publish.

An example that causes the issue: let's say we have 3 add-access-rule calls coming into the Checkpoint close to each other, like within a few seconds. All 3 have a different source, but the same destination (for example a Cisco ACI EPG data center object that was previously imported from Cisco ACI into Checkpoint). In this case, they come from multiple processes (or multiple threads). The Checkpoint will choke, rejecting all access add requests except the first one. I assume it's because the firewall is processing the 1st add request, locking the EPG object. Hence, the 2 subsequent requests got rejected. So it seems the firewall doesn't have a staging queue to hold the 3 "concurrent" add requests. When I paced out the 3 add requests, like 30sec or more, all 3 add requests were successful. Then their subsequent publish calls were also successful.


I hope that helps clarify my question.   

0 Kudos
Amir_Senn
Employee

Tested in my lab adding a locked network object as destination and publishing, didn't cause any issues.

A few things that might help us understand if there's an issue here:

1) If you can add the response for the API calls we might see what is wrong more clearly.

2) If you cancel the publish after every add-access-rule and keep only the one at the end - will this succeed? Another way is to add sleep between commands

3) Does the way you run the commands wait for the response?

Kind regards, Amir Senn
0 Kudos
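One way to try points 2 and 3 from the reply above on the client side, as an added example that is not code from either poster or from Check Point: rule requests produced by several threads are queued, sent one at a time with each response awaited, and published once at the end. `SerializedRuleWriter`, `call_api`, `FakeManagement`, the layer name and the object names are hypothetical, and the fake server's rejection of overlapping calls is constructed to mirror the behaviour described in the thread, not a confirmed root cause.

```python
import queue
import threading

class SerializedRuleWriter:
    """Collects add-access-rule requests from many threads, sends them one by one."""
    def __init__(self, call_api, layer):
        # call_api(command, payload) -> dict: hypothetical transport (POST /web_api/<command>)
        self._call, self._layer = call_api, layer
        self._pending = queue.Queue()

    def submit(self, name, source, destination):
        # Thread-safe: producers enqueue instead of calling the API themselves.
        self._pending.put({"layer": self._layer, "position": "top", "name": name,
                           "source": source, "destination": destination, "action": "Accept"})

    def flush(self):
        # Wait for each reply before sending the next rule, then publish once.
        results = []
        while not self._pending.empty():
            rule = self._pending.get()
            reply = self._call("add-access-rule", rule)
            results.append((rule["name"], reply))
            if "uid" not in reply:  # error replies carry code/message, no uid
                self._call("discard", {})
                return {"published": False, "results": results}
        task = self._call("publish", {})
        return {"published": "task-id" in task, "results": results}

class FakeManagement:
    """Constructed stand-in: rejects any call arriving while another is in flight."""
    def __init__(self):
        self._busy, self.log = threading.Lock(), []

    def __call__(self, command, payload):
        if not self._busy.acquire(blocking=False):
            return {"code": "constructed_error", "message": "constructed: busy"}
        try:
            self.log.append(command)
            if command == "publish":
                return {"task-id": "constructed"}
            return {"uid": f"constructed-{len(self.log)}"}
        finally:
            self._busy.release()

def demo():
    api = FakeManagement()
    writer = SerializedRuleWriter(api, layer="Network")
    producers = [threading.Thread(target=writer.submit, args=(f"rule-{i}", f"src-{i}", "aci-epg"))
                 for i in range(3)]
    for t in producers: t.start()
    for t in producers: t.join()
    return writer.flush(), api.log
```

The per-rule replies returned by `flush()` are also the API responses asked for in point 1.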