This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Duane_Toler
Advisor
‎2023-11-13 09:34 AM

PSA: implied_rules_HFA.def

Hey all,

Just a PSA here, something even I never ran into before:

In $FWDIR/lib on the management server, you know about those *_HFA.def files that the HFA updates create so as to not blow up your own edits.  IIRC, historically, those weren't needed by fw_loader to compile the policy.  Well, apparently, in R81(.20?), they now need to exist!  I dunno how they get handled vis a vis a customized file (i.e.: implied_rules.def).

I had a server where I needed the new implied rules list (cxld, iked, etc.) so I did the usual steps: check a diff between the current file and the _HFA.def file, made a backup of the current file, renamed the necessary _HFA.def to the main file (if needed), do any necessary edits, check it, and install policy.

Whoooaaaaa, not so fast!  A policy install with mgmt_cli (or API remotely) worked just fine.  However, when I did the policy install from SmartConsole, I got "Internal Error", and it died.  I ran a cpm_debug on the management server for the "Access_Install" topic, and it showed error exceptions:

13/11/23 12:13:35,283 ERROR com.checkpoint.management.dleserver.coresvc.internal.PolicyInstallationSvcImpl.installPolicy:890 [qtp-882154951-34077]: Failed to install policy due to unexpected exception java.nio.file.NoSuchFileException: /opt/CPsuite-R81.20/fw1/lib/implied_rules_HFA.def

 That's...odd.... I just did a "cp implied_rules.def implied_rules_HFA.def" and the SmartConsole policy install worked again! 

PSA: don't remove those _HFA.def files just yet! 

(yes, i have R81.20 gateways under management as well)

 

0 Kudos
3 Replies
the_rock
Legend
Legend
‎2023-11-13 09:39 AM

It has to be this one?

Andy

[Expert@CP-management:0]# find / -name *_HFA.def*
/opt/CPSFWR80CMP-R81.20/lib/implied_rules_HFA.def
[Expert@CP-management:0]#

0 Kudos
Duane_Toler
Advisor
‎2023-11-13 09:44 AM
In response to the_rock

Yeah my particular error here was the implied_rules_HFA.def.  It didn't seem to care about any others:

[Expert@mgmt:0]# grep -o 'lib\/.*HFA.def' cpm.elg |sort|uniq
lib/implied_rules_HFA.def

 

0 Kudos
the_rock
Legend
Legend
‎2023-11-13 09:46 AM
In response to Duane_Toler

I can sort of see that, makes total sense.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top