Hey all,
Just a PSA here, something even I never ran into before:
In $FWDIR/lib on the management server, you know about those *_HFA.def files that the HFA updates create so as to not blow up your own edits. IIRC, historically, those weren't needed by fw_loader to compile the policy. Well, apparently, in R81(.20?), they now need to exist! I dunno how they get handled vis a vis a customized file (i.e.: implied_rules.def).
I had a server where I needed the new implied rules list (cxld, iked, etc.) so I did the usual steps: checked a diff between the current file and the _HFA.def file, made a backup of the current file, renamed the necessary _HFA.def to the main file (if needed), did any necessary edits, checked it, and installed policy.
Whoooaaaaa, not so fast! A policy install with mgmt_cli (or API remotely) worked just fine. However, when I did the policy install from SmartConsole, I got "Internal Error", and it died. I ran a cpm_debug on the management server for the "Access_Install" topic, and it showed error exceptions:
13/11/23 12:13:35,283 ERROR com.checkpoint.management.dleserver.coresvc.internal.PolicyInstallationSvcImpl.installPolicy:890 [qtp-882154951-34077]: Failed to install policy due to unexpected exception java.nio.file.NoSuchFileException: /opt/CPsuite-R81.20/fw1/lib/implied_rules_HFA.def
That's...odd.... I just did a "cp implied_rules.def implied_rules_HFA.def" and the SmartConsole policy install worked again!
PSA: don't remove those _HFA.def files just yet!
(yes, I have R81.20 gateways under management as well)
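
A guarded version of the swap described in the post, added here as an example (it is not the poster's or Check Point's own tooling): it copies the _HFA.def content into the main file instead of renaming it, and checks afterwards that no _HFA.def file present beforehand has gone missing. The function names and the manifest file are hypothetical; only the NAME.def / NAME_HFA.def layout in $FWDIR/lib comes from the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names and the manifest
# file are hypothetical; only the NAME.def / NAME_HFA.def layout is from the post.

# Record which *_HFA.def files exist before touching anything.
snapshot_hfa() {   # snapshot_hfa LIBDIR MANIFEST
    local libdir="$1" manifest="$2" f
    : > "$manifest"
    for f in "$libdir"/*_HFA.def; do
        [ -f "$f" ] && basename "$f" >> "$manifest"
    done
    return 0
}

# Print every recorded *_HFA.def that has since disappeared; non-zero if any.
missing_hfa() {    # missing_hfa LIBDIR MANIFEST
    local libdir="$1" manifest="$2" name rc=0
    while IFS= read -r name; do
        [ -f "$libdir/$name" ] || { echo "$name"; rc=1; }
    done < "$manifest"
    return $rc
}

# Put NAME_HFA.def's content into NAME.def by copying (not renaming), after
# backing up the current NAME.def, so the _HFA.def file stays in place.
adopt_hfa() {      # adopt_hfa LIBDIR NAME
    local main="$1/$2.def" hfa="$1/${2}_HFA.def"
    [ -f "$hfa" ] || { echo "missing: $hfa" >&2; return 1; }
    if [ -f "$main" ]; then
        cmp -s "$main" "$hfa" && return 0          # already identical
        diff -u "$main" "$hfa" >&2 || true         # show the change for review
        cp -p "$main" "$main.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp -p "$hfa" "$main"
}

# Recreate a missing NAME_HFA.def from NAME.def, the workaround from the post.
restore_hfa() {    # restore_hfa LIBDIR NAME
    [ -f "$1/$2.def" ] || return 1
    [ -f "$1/${2}_HFA.def" ] || cp -p "$1/$2.def" "$1/${2}_HFA.def"
}
```

Typical order: snapshot_hfa before editing, adopt_hfa for each file being updated, then missing_hfa before installing policy from SmartConsole.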