Matlu
Advisor

Policy Installation Failure

Hello, everyone. 🙂

I have a ClusterXL, in R81.10 version.

I have created a host object, to add it to a group that I already had created, which in turn, belongs to a policy of blocking malicious IPs.

I have changed the "color" of the group object, to make it more "visible", but at the time of installing policies, I "splashed" the installation failure error.

Error.png

No more changes appear neither pending, nor to discard.

I have closed the SmartConsole, and I have opened it again, and "apparently" my changes were executed.

Is this possible?

How can I be 100% sure, that my changes were applied, in spite of the error message in the installation of policies.

Thank you for your support.

0 Kudos
1 Solution

Accepted Solutions
Matlu
Advisor

Hello, my friend.

 

The problem has been solved.

 

It turns out that the customer is "implementing" a new Firewall, in a new site, and is going to integrate it to the SMS, but by "ignorance", they seem to have created the Firewall object, and hooked it to the SMS, but the PROBLEM is that this Firewall "not even" has interfaces configured, and that began to generate problems with the installation of policies, which mentioned that the "New" Firewall did not have "not even" the Antispoofing configured.

 

We have deleted that Firewall Object from the SMS, and can now install policies again, quite an experience, hahahaha.

 

What remains as a question is, if even having failed the installation of policies, the changes can take effect?

Because when we had the error, we checked the SMARTCONSOLE and "apparently" the changes were executed well.

 

Greetings.


0 Kudos
24 Replies
the_rock
Legend
Legend

You can go to SmartConsole -> Manage & Settings -> Revisions and see changes there. I'm a little confused though... were you able to apply policy again or is it still failing?

Andy

0 Kudos
just13pro
Collaborator

I think it is because of the publish: even though the policy installation failed, the publish will normally always be successful.

0 Kudos
the_rock
Legend
Legend

That's true, but someone not familiar with Check Point may simply assume that changes took effect, which is actually NOT the case, until successful policy install.

Andy

0 Kudos
the_rock
Legend
Legend

It happens, all good : - )

Now you know for the next time, hehe.

Andy

0 Kudos
Matlu
Advisor

Buddy 😄

 

If the "Install Policies" fails, but I see my changes in the SmartConsole, can I assume that everything "went well"?
If, for example, my change is to add an IP to block it, will the GW start blocking it, even though the policy installation failed?

Greetings.

0 Kudos
the_rock
Legend
Legend

No you can NOT assume that lol. What happens is this... say IF changes were published, but policy fails, changes won't apply and the same old policy will still be enforced on the gateway, which can easily be verified by running either fw stat OR fw stat -b AMW

example in my lab:

quantum-firewall> exit
[Expert@quantum-firewall:0]# fw stat -b AMW
Anti Bot: Disabled (network signatures=0 behavioral=0)
Anti Virus: Disabled (network signatures=0 behavioral=0)
IPS: Enabled (use "ips stat")
Threat Emulation: Disabled
Threat Extraction: Disabled
Mail policy: Off
Zero Phishing: Off
files: http=0 ftp=0 smb=0 smtp=0 pop3=0
more: fileapp_ctx_enabled=0 ifi=1 http_dynamic_enabled=0 icap_server_enabled=0 min_severity=2 min_confidence=0
Policy: LAB-POLICY Mon May 29 09:39:08 2023 (traditional=1)
[Expert@quantum-firewall:0]#

0 Kudos
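Added example, not part of the original posts: one way to turn the fw stat check above into a before/after comparison of the "Policy:" line, so a failed install shows up as an unchanged policy stamp. The sample outputs are constructed (only the shape of the Policy: line is taken from the lab output above), the function names are hypothetical, and the policy name is assumed to contain no spaces.

```shell
#!/bin/bash
# Constructed sample outputs of `fw stat -b AMW`, trimmed to two lines each.
BEFORE='IPS: Enabled (use "ips stat")
Policy: LAB-POLICY Mon May 29 09:39:08 2023 (traditional=1)'
AFTER_FAILED="$BEFORE"   # failed install: the gateway still reports the old stamp
AFTER_OK='IPS: Enabled (use "ips stat")
Policy: LAB-POLICY Mon May 29 14:02:51 2023 (traditional=1)'

# Print "<policy name> <install time>" from the fw stat output passed as $1.
# Assumes the policy name has no spaces. Returns 1 if there is no Policy: line.
policy_stamp() {
    printf '%s\n' "$1" | awk '
        $1 == "Policy:" { print $2, $3, $4, $5, $6, $7; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Classify an install attempt from the snapshot taken before ($1) and after ($2).
# Returns 0 if the stamp changed, 1 if it is unchanged, 2 if no policy is reported.
install_result() {
    local old new
    old=$(policy_stamp "$1") || old="(none)"
    new=$(policy_stamp "$2") || { echo "NO_POLICY"; return 2; }
    if [ "$old" = "$new" ]; then
        echo "UNCHANGED: gateway still enforces $old"
        return 1
    fi
    echo "INSTALLED: $new (was $old)"
}

# On a real gateway (expert mode) the snapshots would come from the command itself:
#   before=$(fw stat -b AMW); <install policy from SmartConsole>; after=$(fw stat -b AMW)
install_result "$BEFORE" "$AFTER_FAILED" || true
install_result "$BEFORE" "$AFTER_OK"
```

On a ClusterXL the comparison has to be made on every member, since each one reports its own installed policy.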
Matlu
Advisor

I understand.

 

One more doubt, I understand that there is an option in the SmartConsole, which is to "verify" the installation of policies, right?

I could use it, to validate, if there will be no problem, when I use the option to install policies, right?

 

🙂

0 Kudos
the_rock
Legend
Legend

Yup, I usually do that when I make lots of changes. Also, maybe enable below, so you can see changes there as well.

Andy

 

Screenshot_1.png

0 Kudos
Matlu
Advisor

Do you recommend using the "Verify policy installation", before clicking on the "Install policy" button, as a security measure?

If I decide to apply this good practice, I should hit the "Verify" option after I "publish" the new changes I intend to send to my computers, right?

If the "verification" is successful, I can have the "peace of mind" to just send to Install policies, right?

 

Am I right in the flow?

 

🙂

the_rock
Legend
Legend

You are right, BUT...there is always a but haha. So here is the thing...policy verification ONLY verifies changes made within the policy and NOT any changes made on the objects themselves, so as long as you only made policy changes, then I would say it's not a bad idea to do so, as verifying will also do the publish as well.

Hope that helps.

Andy

0 Kudos
Matlu
Advisor

Haaaa,

 

Imagine I have a policy in place to block malicious IPs.

 

And in this policy as DST, I have a group of IPs, named "Blacklist_IPs", and constantly, we add IPs to this group, to be blocked.

 

In this scenario, there is no need to do a "Policy Check" ????

 

😕

0 Kudos
the_rock
Legend
Legend

If I were you, I would not bother doing policy verify in that case. Chances it would fail are very small (I would say less than 1%), especially given the fact you simply keep adding bad IPs. We did that for multiple customers and never had any issues.

Cheers,

Andy

0 Kudos
the_rock
Legend
Legend

Btw, there are other ways to add bad IPs...one is also mgmt_cli and you can also create generic data center object and point to the file on mgmt server (can send you the file). I tested in the lab and it contains all known bad IP addresses; you can then use those objects in the policy.

See example below in my lab.

Andy

 

mgmt_cli example:

mgmt_cli add host name "BAD_185.206.27.13" ip-address "185.206.27.13" --format json

 

Generic data center example:

 

Screenshot_1.png

 

 

Screenshot_2.png

 

 

 

Screenshot_3.png

0 Kudos
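Added example, not part of the original posts: a dry-run generator that extends the mgmt_cli line above to a list of addresses, validating each entry as IPv4 and dropping duplicates before anything is handed to mgmt_cli. The group name "Blacklist_IPs" comes from the thread; the session file sid.txt (as written by mgmt_cli login), the function names and the sample feed are assumptions, and the script only prints the commands.

```shell
#!/bin/bash
# Constructed sample feed: one duplicate, one invalid entry, one comment.
SAMPLE_FEED='185.206.27.13
185.206.27.13
300.1.2.3
# comment line'

# Succeed only for dotted-quad IPv4 with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# Read addresses on stdin; print one "add host" per valid, unique IP, then a publish.
# $1 = group the new hosts join, $2 = session file created by `mgmt_cli login`.
gen_commands() {
    local group=$1 sid=$2 ip seen=" "
    while IFS= read -r ip; do
        case $ip in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$ip"; then
            echo "skip: not an IPv4 address: $ip" >&2
            continue
        fi
        case $seen in *" $ip "*) continue ;; esac   # already emitted
        seen="$seen$ip "
        printf 'mgmt_cli add host name "BAD_%s" ip-address "%s" groups.1 "%s" -s %s --format json\n' \
            "$ip" "$ip" "$group" "$sid"
    done
    # Publish only saves the session on the management server; the gateway
    # enforces the new hosts only after a successful policy install.
    printf 'mgmt_cli publish -s %s\n' "$sid"
}

printf '%s\n' "$SAMPLE_FEED" | gen_commands "Blacklist_IPs" sid.txt
```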
Matlu
Advisor

Andy,

Where can I find the "Generic Data Center" object?

I am interested in deploying this solution in my environment.

What is the URL to put in this object?

Greetings.

0 Kudos
the_rock
Legend
Legend

Just for you bro, I put screenshots below...NO CHARGE ; - )

Andy

 

Screenshot_1.png

 

 

Screenshot_2.png

 

 

 

Screenshot_3.png

  

0 Kudos
Matlu
Advisor

HAHAHA 😄

I understand that the "malicious" IPs that you add are "hosted" in the SMS itself, right?
To use this option, is it advisable to validate HARDWARE issues of the equipment?

Cheers. 😄

0 Kudos
the_rock
Legend
Legend

No sir, I use VM in the lab, works like a charm ;). Btw, if interested, happy to send you the 3 files I use, "slap" them in any dir on mgmt, say create dir called ioc in /var/log, then move them to /var/log/ioc, then you enter whole path in the data center object, once done, right click, import and you will get a bunch of data center objects you can use in the rules. Again, see screenshots (next time, I may start charging 10$ per screenshot...for now, I take USA money, not Canadian, unless they default, then our money might be worth more LOL)

Andy

 

Screenshot_1.png

 

 

Screenshot_2.png

 

 

Screenshot_3.png

  

0 Kudos
Matlu
Advisor

HAHAHAHA.

It is very expensive for me to convert my currency to American or Canadian currency, HAHAHAHA.

Maybe a traditional "Ceviche" from my country. 😄

Can you share those lab files you mention?

I have to enter by CLI or WinSCP to my MGMT, and create the directory, that you mentioned as an example, right?

Greetings.

the_rock
Legend
Legend

Well, if you have some Kuwaiti dinars, that's the strongest currency in the world...embarrassed to say I never knew that until I went there haha. Anyway, I emailed you the files and YES, you just move the files to dir on mgmt server and follow the screenshots I sent. It will work, guaranteed!

Andy

0 Kudos
the_rock
Legend
Legend

My bad, could not attach them via private message. Here they are.

Cheers,

Andy

0 Kudos
the_rock
Legend
Legend

Also, keep in mind, this has been available since R81

Accelerated policy install 

Andy

0 Kudos
Matlu
Advisor

It is becoming clearer to me.

So, this "Verify" option, it is better to use it when you make changes directly in the security policies (like deleting/adding, new objects in source, target, services, type of logs), right?

You told me, that this option also sends you to "Publish" the changes you intend to send, right?

So, if I change the SRC OBJECT of my policy, I click on "Verify", and this will do its job, plus the fact of "publishing" that change, right?

Thanks for your help, Buddy.

the_rock
Legend
Legend

EXACTLY 🙂

0 Kudos
