Vladimir
Pearl

Policy Installation Stages

Can someone describe what exactly the status "Finalizing Installation" is referring to?

19 Replies
EdesLC
Copper

Re: Policy Installation Stages

Hi Vladimir, take a look at this guide, it is very helpful to understand how policy installation works.

sk101226: Policy installation flow process

AND

http://dl3.checkpoint.com/paid/0b/How-To-Troubleshoot-Policy-Installation-Issues.pdf?HashKey=1516024... 

Thanks,

Edes Leandro Cardoso

Vladimir
Pearl

Re: Policy Installation Stages

Edes,

Thank you for the comprehensive information. It does not, however, answer the question of what the "finalizing installation" stage in R80.X actually does.

The status of the installation on individual gateways changes to "Succeeded" long before "Finalizing Installation" 99% turns to "Completed".

Something is happening in that window that takes a fairly long time.

Re: Policy Installation Stages

My guess is that the "rematch" of connections is occurring at 99% which can certainly take a moment to complete on a busy firewall.  This setting is located on the gateway object under Other...Connection Persistence.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Vladimir
Pearl

Re: Policy Installation Stages

Thanks Tim. It makes sense, but I've seen it taking a while in my lab environment as well as in production at different clients. In production this is likely the case, but in the lab I would expect this to happen almost instantaneously, but I have just timed it and it took 45 seconds on the unit with hardly any connections:

So it may be something different.

EdesLC
Copper

Re: Policy Installation Stages

It is helpful to understand what the flow is.

I guess that this step "Finalizing" is related to "cpd waits for fw_fetchlocal to complete the process and then informs the Management server of the command's status (installation succeeded or failed)."

Thanks

Vladimir
Pearl

Re: Policy Installation Stages

Do not think so: the effects of the policy installation are already visible when per-gateway status is "Succeeded" but "Finalizing Installation" is at 99%.

It may just be a communication lag or some kind of commit stage on the management server acknowledging the success of the installation on the gateways: i.e. query gateway to confirm that there were no errors loading the policy before completing the process.

EdesLC
Copper

Re: Policy Installation Stages

I got it. Could you run a Policy Installation Debug to try to see something in the logs?

Maybe you can see where it is taking longer and try to figure it out.

How to debug policy installation on R80.x Security Management Server / Multi-Domain Security Managem... 

Thanks,

Re: Policy Installation Stages

Hi Edes,

I am not able to view the solution mentioned in this URL. Please guide me on how to get access.

How to debug policy installation on R80.x Security Management Server / Multi-Domain Security Managem...

Regards

Rajendra

EdesLC
Copper

Re: Policy Installation Stages

Hi, how are you? I hope you are well.

I am able to open this link with no problem. Try to search for this sk112111.

Re: Policy Installation Stages

Hi Edes,

I am fine. Thank you for the information.

Admin
Admin

Re: Policy Installation Stages

This SK requires "Advanced" access, which anyone with a support agreement in place should be able to access.

Re: Policy Installation Stages

Ya, thank you Dameon

Re: Policy Installation Stages

Perhaps the 99% delay is the SMS putting/committing a copy of the successfully installed policy into the "Installation History" list of the SmartConsole?  Would make sense that the SMS would have to wait for the firewall to acknowledge the atomic load (fw stat would show the firewall has applied the new policy) at which point the SMS would have to do some heavy database operations.

Vladimir
Pearl

Re: Policy Installation Stages

I suspect that you are correct. It would be consistent with the observed behavior.

Would be nice to get CP to chime in on this to confirm.

Re: Policy Installation Stages

I reached out to the Install Policy experts and got this out:

The “Finalizing Installation” phase is when we update the log server with the resolved objects, so that logs will show Check Point objects rather than IPs, ports etc.

Technically, by the time you see "Finalizing...", the policy is already applied on your gateway. This is only a completing step for the sake of logs data.

A few things that I'd like to point out:

Perhaps the 99% delay is the SMS putting/committing a copy of the successfully installed policy into the "Installation History" list of the SmartConsole

One word which we no longer use in R80 is "copy". Things are pointed to, not duplicated. The Installation History simply references revision IDs which were sent to a Gateway. I know that when we sell R80 Management we start with the things which are easier to explain (multi-admins, publish mode, locks) but I am hoping with this community we'll be able to discuss the hidden architectural benefits in more detail.

Vladimir
Pearl

Re: Policy Installation Stages

Thank you Tomer!

Nice to get a definitive answer :)

Re: Policy Installation Stages

@Tomer_Sole  Do you know (or can you check) if this procedure has changed in R80.20?

I have started seeing more and more policy-installations stuck at 99% for a couple of clients.

Some of them hang for hours (or until we have to get the SMS working again and do a cpstop && cpstart).

 

Heath_Mote
Copper

Re: Policy Installation Stages

We are seeing this same issue after moving to R80.20 management. I ran a policy install on a cluster just now that took 3 minutes to go to the finalizing stage at 99% and it's still finalizing after 30 minutes. I've attached a screenshot showing the start time and the current time. This management and gateway are located at the same site...

image.png

Heath_Mote
Copper

Re: Policy Installation Stages

Creating a new thread since this OP is solved.
