
How to debug Policy Installation Errors

I get some BETA déjà vu experiences, where I would break the EA version by activating the DNS server on the object for my Active Directory server.

I now have this graceful error "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000040)." But I can't even recall having put anything as naughty as a DNS server in my policy.

..... Checking myself again ....

Guess what. I actually did enable the DNS server on my Domain Controller. So what is the logic of this failure?


Re: How to debug Policy Installation Errors

Is this an object setting in SmartConsole?

Because it doesn't sound familiar and I don't see a setting for it offhand.

Can you post a screenshot?


Re: How to debug Policy Installation Errors

Object for Active Directory

It's this simple to break your policy. And the error is not giving any clues.

There is a note in SK110519:

Issue ID 02496239 (R80.10)

Policy installation fails with "Policy installation failed on gateway 0-2000040" error and log: "fw_atomic_add_spii_parameter: Failed to get object named <object_name>".

  • Workaround: for all hosts with a server configuration, unselect the servers. Publish. Select the servers again, and publish again.

So there is a workaround and the issue is known. But it seems to be part of the list "unresolved bugs".


Re: How to debug Policy Installation Errors

This feature is an artifact that goes back several versions and was necessary for some IPS Protections to be applied to the correct hosts only.

In R80.x, these options are no longer necessary.

That said, policy compilation would ideally handle this situation, or at least print a more clear error message.


Re: How to debug Policy Installation Errors

There is a way you can set it in R80.10 that makes it even more odd.

Let's face it. This question makes a lot of sense to most people. Doesn't it?

But it will change the host object:

And I am back to a time and place where brown stuff collides at high velocity with rotating blades.

I think that Check Point could do a lot better. It invites people to make sense of their policy and then you end up with a policy that will not install.

There is a lot to fix yet in R80.10!

Re: How to debug Policy Installation Errors

Hi,

I've had exactly the same problem with that exact error message, where the policy would verify fine but fail to install. I've logged a TAC case and the engineer fixed it by doing this on the Secure Management server:

[Expert@MGMT:0]# cd $FWDIR/conf
[Expert@MGMT:0]# grep -e $'^\t\t: (' objects_5_0.C -e "is_mail_server (false)" -e mail_server_prop | grep -v "mail_server_prop ()" | grep mail_server_prop -B 2 | grep ":is_mail_server (false)" -B 1 | grep -e $'^\t\t: ('

This will list objects that are configured as servers. Go through each object and un-tick everything under Servers. Once that is done, publish changes and push policy. The policy should install fine.

Marcel.
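The grep pipeline above chains several -B context windows and is easy to get subtly wrong. As an added example (not from Marcel's post, the TAC engineer, or Check Point), here is the same selection written as a small Python parser over a constructed objects_5_0.C fragment: it reports objects whose mail_server_prop block is populated although is_mail_server is false. Only the attribute names that appear in the grep are taken from the page; the rest of the file layout and the nested setting name are assumptions.

```python
import re

# Constructed fragment in the shape of $FWDIR/conf/objects_5_0.C (assumed
# layout; only the attribute names from the grep on this page are taken as given).
SAMPLE_OBJECTS_C = (
    "\t:network_objects (network_objects\n"
    "\t\t: (dc01\n"                       # flag off, but prop block populated
    "\t\t\t:is_mail_server (false)\n"
    "\t\t\t:mail_server_prop (\n"
    "\t\t\t\t:example_setting (true)\n"   # placeholder nested attribute
    "\t\t\t)\n"
    "\t\t)\n"
    "\t\t: (web01\n"                      # flag off, prop empty: clean
    "\t\t\t:is_mail_server (false)\n"
    "\t\t\t:mail_server_prop ()\n"
    "\t\t)\n"
    "\t\t: (mx01\n"                       # flag on, prop populated: consistent
    "\t\t\t:is_mail_server (true)\n"
    "\t\t\t:mail_server_prop (\n"
    "\t\t\t\t:example_setting (true)\n"
    "\t\t\t)\n"
    "\t\t)\n"
    "\t)\n"
)
OBJECT_START = re.compile(r"^\t\t: \((\S+)")   # depth-2 ": (name" line
ATTR = re.compile(r"^\t\t\t:(\w+) \((.*)$")   # direct attribute of that object
BLOCK = "<nested block>"

def parse_objects(text):
    """Map each depth-2 object name to its direct attributes: a scalar
    "(value)" is stored as the value, a bare "(" opening a block as BLOCK."""
    objects, current = {}, None
    for line in text.splitlines():
        m = OBJECT_START.match(line)
        if m:
            current = m.group(1)
            objects[current] = {}
            continue
        a = ATTR.match(line)
        if a and current is not None:
            key, rest = a.group(1), a.group(2)
            objects[current][key] = rest[:-1] if rest.endswith(")") else BLOCK
    return objects

def stale_server_objects(text):
    """Objects whose mail_server_prop block is populated although
    is_mail_server is false: the condition the grep pipeline selects."""
    return [name for name, attrs in parse_objects(text).items()
            if attrs.get("is_mail_server") == "false"
            and attrs.get("mail_server_prop") == BLOCK]
```

Against a real management server you would pass the contents of $FWDIR/conf/objects_5_0.C to stale_server_objects() and then clear the Servers settings on each listed object in SmartConsole, as described above.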

Re: How to debug Policy Installation Errors

The error message "Policy installation failed on gateway" and its predecessor "Load on module failed" indicate that the policy passed SMS verification and was compiled & successfully transferred to the gateway, but the atomic load of the policy into the running firewall kernel failed. These are frustratingly generic error messages for the simple reason that the SMS has no idea why the load failed, only the gateway does. Debugging of this problem needs to take place on the gateway. The linked SK below lays out some of the different situations that can cause this, but in my experience it generally boils down to one of the following:

1) Memory or other resource shortage on the gateway, in the case of a long-term memory leak a reboot of the gateway may help

2) The compiled policy is "corrupt" and should not have passed verification in the first place on the SMS. This can be caused by damaged files referenced during policy compilation on the SMS, or the user being improperly allowed to enable settings/features that the target gateway software version cannot understand or support

3) Error in policy compilation not caught by the SMS such as the same variable getting included in the compiled policy more than once, or conflicting settings for the same object

4) Possible corruption on the gateway, once again a reboot may help

sk33893: 'Installation failed. Reason: Load on Module failed - failed to load security policy' error...

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com