Hi All,
VSX environment:
I wanted to upgrade our VSXHA cluster to recommended R81 version and an issue arose at the very first step 🙂
vsx_util tool on MGMT server failed to upgrade VS's configuration to wanted R81 version.
It failed at upgrading virtual router step. Final vsx_util upgrade result is - Policy compilation failed. Upgrade operaton (before this error) in first two steps, previously finished successfully (for another virtual devices (virtual firewall and for VS0/VSX context)).
In vsx_util upgrade log there were errors for one virtual device - virtual router:
The problematic output part is:
firewall_application Policy installation/compilation for External_vRouter: Invalid installation target received. Target gateway External_vRouter is not in the specific targets list for policy package Cluster_VSX_polisa( message from member VSX_FW2_External_vRouter ) firewall_application Policy installation/compilation for External_vRouter: Policy verification failed.( message from member VSX_FW2_External_vRouter ) firewall_application Policy installation/compilation for External_vRouter: Invalid installation target received. Target gateway External_vRouter is not in the specific targets list for policy package Cluster_VSX_polisa( message from member VSX_FW1_External_vRouter ) firewall_application Policy installation/compilation for External_vRouter: Policy verification failed.( message from member VSX_FW1_External_vRouter ) **** Policy compilation failed ---- Finished upgrade operation. ---- Regenerating VSs ---- Finished VSs regeneration. Database saved successfully. ===================== SUMMARY ===================== **** Upgrade operation finished with errors. **** Please resolve errors above. **** NOTE: If gateway/cluster member was upgraded using clean installation, run 'vsx_util upgrade' again in order to complete the operation. VS name: External_vRouter Errors: firewall_application Policy installation/compilation for External_vRouter: Invalid installation target received. Target gateway External_vRouter is not in the specific targets list for policy package Cluster_VSX_polisa( message from member VSX_FW2_External_vRouter ) firewall_application Policy installation/compilation for External_vRouter: Policy verification failed.( message from member VSX_FW2_External_vRouter ) firewall_application Policy installation/compilation for External_vRouter: Invalid installation target received. Target gateway External_vRouter is not in the specific targets list for policy package Cluster_VSX_polisa( message from member VSX_FW1_External_vRouter ) firewall_application Policy installation/compilation for External_vRouter: Policy verification failed.( message from member VSX_FW1_External_vRouter ) Logging details are available at /opt/CPsuite-R81.10/fw1/log/vsx_util_20210922_23_35.elg |
After failed vsx_util upgrade operation, status of GW/VS objects in Smart Dashboard was as in following picture:
It is strange that virtual route object was on new R81 version, even though virtual router was complying - policy compilation failed error log. This does not match with error log messages. Only VSX (VS0) context was on old R80.30 version.
I checked policy installation target colomn in Smart dash and it seems like Okay:
This part from logs - messages from VSX_FW1_External_vRouter and VSX_FW1_External_vRouter is not understandable. We do not have these object names defined in smart dash, for non of the GW's/objects under Gateways and Servers tab.
MGMT server is reverted from snapshot to state as was before vsx_util operation problems, and is working with defined objects as follows:
All policies are installed and all setup is AS-Before.
Any thoughts are welcome 🙂
Milos
| User | Count |
|---|---|
| 31 | |
| 14 | |
| 13 | |
| 10 | |
| 10 | |
| 7 | |
| 6 | |
| 5 | |
| 4 | |
| 3 |
Tue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopTue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsWed 04 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 2: Cloud Risk Management WorkshopThu 05 Dec 2024 @ 10:00 AM (CET)
Impactful Intelligence: Introducing Check Point Infinity External Risk Management - EMEATue 03 Dec 2024 @ 05:00 PM (CET)
Americas CM Session: Automated Collaborative Prevention with 3rd Party Endpoint SolutionsThu 05 Dec 2024 @ 10:00 AM (CET)
Impactful Intelligence: Introducing Check Point Infinity External Risk Management - EMEAThu 05 Dec 2024 @ 03:00 PM (CET)
Mastering Regulatory Compliance in Banking and Finance (EMEA)Tue 03 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 1: Cloud Risk Management WorkshopWed 04 Dec 2024 @ 10:00 AM (GMT)
UK Community CNAPP Training Day 2: Cloud Risk Management Workshop
