Solved: Re: There is no policy found

biskit · ‎2020-12-30

Hi all,

R77.30 Endpoint Management running on Windows (yes, I know...)

Everything was perfect just before Christmas. But today I've logged in to add a newer Endpoint client and push it out (because of the 1st Jan issue).

Today I have "There is no policy found" on a couple of my rules. Most are populated correctly, but a couple show "no policy". I'm also not sure why some actions are highlighted in bold as there have been no other changes made. Maybe it's related to the other problem?

I've done sk128052 and it didn't work - no change. I've seen sk137312 which says contact TAC for help. Which obviously I can't do as it's R77.30.

Does anyone have any thoughts on how to fix this? Obviously up against the clock a little with 1st Jan looming 🙄

Thanks,

Matt

Eyal_Magidish · ‎2020-12-31

No need to panic, older versions are not affected (epklib.sys doesn't exist).

If you want to fix FW policy, please open a service request to TAC so they will help you with the database corruption (best efforts).

View solution in original post

the_rock · ‎2020-12-30

Hi Matt,

Im definitely way more of a firewall guy that endpoint, but let me try my best to help you out. Yes, I know, R77.30, so totally understandable why you are apprehensive to contact TAC. By the way, please message me privately and we can certainly do remote session Thursday morning if you are free (Im EST time zone). So, looking at that error, Im 90% sure it has something to do with the corrupt files in $FWDIR/conf directory...Im assuming this is the same server managing your gateways as well? Not sure if you might have another R77.30 server that you can navigate to that directory and copy the whole content into the problematic one (after you back up all the files first, of course : ), because from what I recall, I had never seen an option in the endpoint server to do database revision control like you can in regular dashboard, but I will double check. Sadly, I dont have any R77.30 machines in my lab, as you cant even get the file on CP site any longer, since it has been unsupported for 1.5 years now.

PhoneBoy · ‎2020-12-30

TAC will generally still help you on R77.30 on a best-effort basis. Don’t expect new hotfixes, of course.

Eyal_Magidish · ‎2020-12-31

Hi,

It is a known issue with CPMI files corruption, see sk128052.

R77.30 is out of support, Our suggestion is to upgrade to R81.

See, https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowupgradewizard

BR,

Eyal

the_rock · ‎2020-12-31

Eyal, if you read Matt's post carefully, he already tried sk you mentioned and it did not work and yes, he knows R77.30 is not supported, thats why he probably came here first : )

biskit · ‎2020-12-31

Haha, yes, exactly.

To throw another spanner in the works, the customer is running client E80.32. The SK for the issue states clients E80.61 to E81.10 are affected. What about client versions older than E80.61???? Apparently the epklib.sys file doesn't even exist on those clients.

With the server screwed, the only slight hope I've got is a standalone package to run locally. But sk110420 says I can't go straight from E80.32 to E81.20. There are 3 hops. We're never going to get nearly 700 laptops done in time. Really panicking at the moment.

Eyal_Magidish · ‎2020-12-31

No need to panic, older versions are not affected (epklib.sys doesn't exist).

If you want to fix FW policy, please open a service request to TAC so they will help you with the database corruption (best efforts).

biskit · ‎2020-12-31

Thanks. We've done some testing, rolling the laptop date forwards and rebooting. The old client still works and logs in to VPN. Pheww!

So old that even a legacy bug doesn't affect them. They dodged a huge bullet.

the_rock · ‎2020-12-31

Awesome news Matt...well, as we discussed, I guess time for them to hopefully realize its time for upgrade, hehe. Happy New Year mate!!

Andy

Are you a member of CheckMates?

There is no policy found