Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Dhilip_dj
Contributor
Jump to solution

Reg: policy installation failed on gateway

@Chen @PhoneBoy 

We are facing a issue in our environment that we couldn't able to install a policy in firewall from mgmt server and local gateway too

We are getting below erro code while installing and TAC said it's new to checkpoint and unknown issue also moved to r&d team.

Please help someone if any resolution for that.

 

 

Error code: 0-3-2000173-1

 

Note: gateway model :6400 / mgmt server: VM

Version:R81.10 and take 87

0 Kudos
1 Solution

Accepted Solutions
JulzorenSen
Contributor

Just in case, I've confirmation that R&D identified and pushed the fix directly in the latest IPS package.

As expected that was an issue with some signatures.

 

Here is the tl;dr from TAC : 

I have an update from the R&D team regarding the Error code, the fix has been provided on the new IPS Package Today.
No need to install any port fix.


Please, install Latest IPS package first and later Install policy for Threat Prevention and Access separately.

View solution in original post

15 Replies
_Val_
Admin
Admin

If the error is unknown in TAC, and R&D is involved, it is very unlikely that you can get someone else to assist. Please follow the support process and let us know when it is resolved.

0 Kudos
Bryan-Smith
Employee
Employee

@Dhilip_dj First for the record I agree with @_Val_ . However, if you are looking to poke around in the meantime here are some addtional resources:

https://www.youtube.com/watch?v=bhD9lHrL7fE 

How to debug the CPD daemon

https://support.checkpoint.com/results/sk/sk86320 

'Installation failed. Reason: Load on Module failed - failed to load security policy' error during policy installation

https://support.checkpoint.com/results/sk/sk33893 

Policy installation flow  

https://support.checkpoint.com/results/sk/sk101226  

 

 

Dhilip_dj
Contributor

@_Val_   @Bryan-Smith thanks for the hope, the issue is resolved as of now without root cause, and looking for a permanent solution for it, since we have spotted this issue 3rd time in a month. 

0 Kudos
_Val_
Admin
Admin

Do you have a support case for this?

0 Kudos
Matlu
Advisor

Hello, my friend.

I have the same problem as you.

Can you tell me, if you managed to solve your event?

What action plan corrected your problem?

Thank you.

dimas_aji
Explorer

hii Friend,

 

I have same too the problem.

Policy: xxxxxx-Policy
Status: Failed
        - Policy installation failed on bash: Gateway:: command not found
gateway. If the problem persists contact Check Point support (Error code: 0-3-2000173-1).

 

our environment which cluster gw, my step

- cpstop;cpstart on standby member (FW2)--> doing install access policy (with uncheck do not instal....) --> status succeded

- cpstop;cpstart on active member (FW1)--> doing install access policy --> status succeded for all gw

- trying to switch over again at active member FW2 but make new issue the error at GW "HA module not started" , reboot device not affected, doing reset SIC and install policy then all FW1 & FW2 normally active, for several time trying to install access policy, unfortunately  the error become back again with same error .....(Error code: 0-3-2000173-1)

 

thank you

 

0 Kudos
Dhilip_dj
Contributor

@dimas_aji 

Hello Friend,

the same way we tried to troubleshoot the issue on first time, but after that, we changed the IPS profile as mentioned above reply now we can install a policy, and  if you are facing an issue even after the IPS profile change create a new profile as mirror and try map into policy then install 

0 Kudos
Dhilip_dj
Contributor

@Matlu 

 

I have just changed the IPS profile performance impact: high to medium and low confidence: detect to inactive now we can able to install a policy. but the R&D team is working on creating a specific hotfix for this issue.

 

 

 

 

 

 

 

JulzorenSen
Contributor

Did you have any update from TAC ?

We are experiencing the same issue this morning, and can not push any policy, sale error code.

I didn't find any way to workaround the issue, I've tried some things that I read in this post but without success.

 

I opened a case but it will take time as always...

0 Kudos
SteveMad
Explorer

Same issue here.

Our environment is R81.20 JHF26
Affected clusters are 6600 and 260000 .... 

Possible Workaround is "fw amw unload" - but this leaves you without any Threat Prevention ...

0 Kudos
Matlu
Advisor

Hello,

Follow these recommendations, and comment on your results.

TAC is working on a FIX for the error code, but in the version 81.10

It is good to know that it is also occurring in 81.20, so that Check Point is aware of it, and can also apply a FIX for this version.

 

https://community.checkpoint.com/t5/Management/Policy-installation-failed-on-gateway-Error-code-1-40...

0 Kudos
SteveMad
Explorer

On 6600 we are running Autonomous Profile "Strict"; Installing the "perimeter" profile does change the behavior to error code "0-1-2000184" -> sk178687; After applying the solution, policy install is OK again

On 26000 I've set the IPS profile parameters like mentioned (only on IPS profile, we have a different one for AV / antibot) -> policy install is OK again

0 Kudos
JulzorenSen
Contributor

Just in case, I've confirmation that R&D identified and pushed the fix directly in the latest IPS package.

As expected that was an issue with some signatures.

 

Here is the tl;dr from TAC : 

I have an update from the R&D team regarding the Error code, the fix has been provided on the new IPS Package Today.
No need to install any port fix.


Please, install Latest IPS package first and later Install policy for Threat Prevention and Access separately.

Thomas_Eichelbu
Advisor
Advisor

Hello, 

just got the same message on a customer ...
Switching the ISP profiles and installing the policy worked as described ...

or use this SK 181532

https://support.checkpoint.com/results/sk/sk181532

best regards

 

0 Kudos
ladeko
Participant
Participant

I met the issue with failed Access Control policy and Error code: 0-3-2000173-1 today on R81.10 HFA#110 VSX + MDS.

We needed to install the policy immediately, so before installing the newer jumbo (as is mentioned in the SK 181532), we just changed these two options:

Performance impact to :Medium and Lower and

Low confidence to : Inactive

After that, the policy installation was successful. It reduced the number of signatures used, which is the root cause according to the SK. The next steps will be to install the latest jumbo and undo the changes. This was just a quick workaround to install the policy.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events