This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Us4r
Contributor
‎2020-11-13 01:54 AM

Checkpoint R80.30 - Find non ASCII Caracters in Rule / Objects

Hello,

 

I'm looking for a solution how I can find non ASCII caracters in Objects / in the Rulebase on R80.30 Management.

 

Since 9. November I have problems installing Policy on our Checkpoint 1400 - Appliances. I allways get  the Error "Failed to Load Security Policy: Bad address". I think this could be a issue because of NON-ASCII Caracters used in the ruleset.

 

I found an old SK - Article regarding this case on R77 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...) but the rule_check tools  doesn't work anymore.

 

Any useful tips / hints how I can verify this on R80?

 

Thanks

 

Regards

 

 

Florian

15 Replies
G_W_Albrecht
Legend Legend
Legend
‎2020-11-13 02:11 AM

sk105708 speaks of characters in the rule name - how many rules do you have with target 1400 ? I would do a manual check if it is not >1200 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Us4r
Contributor
‎2020-11-13 02:56 AM
In response to G_W_Albrecht

No in the mentioned policy we have currently ~300 Rules.

Perhaps it's correlated with the IPS - Update on the 9th. When I change the IPS profile from our "special" 1400 Profile to "optimized" or "basic" the we don't get any failures. But the error message confuse me.

Can there be a limitation on the count of the enabled IPS Rules. I did see about 5 additional rules were added on the 9th. there

 

Thanks

 

Florian

G_W_Albrecht
Legend Legend
Legend
‎2020-11-13 04:27 AM
In response to Us4r

It is possible, i just thought 1400 have less troubles. I wrote about that here: Optimizing an IPS profile for SMB.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Us4r
Contributor
‎2020-11-13 04:57 AM
In response to G_W_Albrecht

Yes did read this article before and prepared the IPS Policy as mentioned there.

=> A lot of additional protections are disabled now but the failure exists anymore (see screenshot).

 

 

Preview file
37 KB
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-11-13 05:08 AM
In response to Us4r

And fw -d fetch <SMS IP> ? Best pipe it into a file !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Us4r
Contributor
‎2020-11-15 11:55 PM
In response to G_W_Albrecht

Hello, attached you find the output of the fw fetch -d command:

 

[ 13694 1736814592]@Gateway[16 Nov  8:26:56] opsec_send_datagram_e: SESSION ID:3 is sending DG_ID=3 DG_TYPE=0x1202(???)
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] ckpSSL_do_write: write 14 bytes
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] opsec_comm_notify: COM 0x3b7aba8 got signal 131074
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] cpd_client_signal_handler: session=0x3cf51f0, event=135683
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] ckpSSL_do_read: read 12 bytes
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] demultiplex type=3 session-id=3
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] Destroying session (3cf51f0) id 3 (ent=3b7aa40) reason=PEER_ENDED
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] get_host_statedir : return state dir = /opt/fw1/state/__tmp
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] get_cond_statedir : return state dir = /opt/fw1/state/__tmp/FW1 for hostname = __tmp, product = FW1
Fetching Security Policy Succeeded.
 Writing CMI cache (IPv4)...
 Continue with second iteration
 Failed to Load Security Policy: Bad address
[ 13699 1737232384]@Gateway[16 Nov  8:28:21]
sfw_load: Error loading security policy
sfw_fetch_callback: Failed to execute command '"/opt/fw1/bin/fw" fetchlocal -d "/opt/fw1/state/__tmp/FW1"'. rc=1, exit code =-1
 Unable to install the Security Policy on the appliance
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] cpd_close_addon_sessions> addon_id=[], addon_ver=[]
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] cpd_session_terminator> session=0x3cf51f0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] opsec_end_session_e: scheduling the end of session 3
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] cpd_close_addon_sessions> addon_id=[], addon_ver=[]
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] The server doesn't run
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] Destroying entity 2 with 0 active comms
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] opsec_destroy_entity_sic: deleting sic rules for entity 0x3d04e80
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] SESSION ID:3 already resumed read
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_InputPending 1 pending bytes
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_InputPending 1 pending bytes
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] The server doesn't run
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] Destroying entity 1 with 1 active comms
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] destroying comm 0x3b7aba8
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] Destroying comm 0x3b7aba8 with 0 active sessions
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] pulling dgtype=ffffffff len=-1 to list=0x3b7abc4
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] opsec_destroy_entity_sic: deleting sic rules for entity 0x3b7aa40
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_client_end_handler: for conn id = 14
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] fwasync_do_end_conn: 14: calling 0x87d755 to free opaque 0x3cf4f60
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_fwasync_close: start shutdown
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_ShutdownHandler: rc=0 (1) SSL negotiation finished successfully
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_ShutdownTimeout: 0x3CF9D88
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_Destroy: closed fd 14
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] T_event_mainloop_e: T_event_mainloop_iter returns 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b6bde0, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b6d2e8, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b6fd40, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b6e818, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b72798, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b71270, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b73cc8, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b751d8, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b77bf0, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b766e0, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b7a608, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b790f8, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b7bb10, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] PM_policy_destroy: finished successfully.
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-11-16 12:13 AM
In response to Us4r

Maybe the solution from sk167717:

  1. rm -rf /storage/* 
  2. /pfrm2.0/etc/restoreStorage.sh
  3. Push the policy.
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2020-11-16 03:28 AM
In response to Us4r

Hi,

Why do you think it is related to special characters?

Did you try following sk103511:

"Failed to Load Security Policy: Bad address" error on policy installation failure

 

Thanks

Tal

0 Kudos
Us4r
Contributor
‎2020-11-16 06:19 AM
In response to Tal_Paz-Fridman

Hello Tal,

 

disable the Blades Antibot/Antivirus doesnt have an "postive" feedback:

 

 

[ 28695 1737011200]@Gateway[16 Nov 15:17:40] opsec_send_datagram_e: SESSION ID:3 is sending DG_ID=3 DG_TYPE=0x1202(???)
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] ckpSSL_do_write: write 14 bytes
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] opsec_comm_notify: COM 0x3b7ab88 got signal 131074
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] cpd_client_signal_handler: session=0x3b5a9d8, event=135683
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] ckpSSL_do_read: read 12 bytes
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] demultiplex type=3 session-id=3
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] Destroying session (3b5a9d8) id 3 (ent=3b7aa20) reason=PEER_ENDED
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] get_host_statedir : return state dir = /opt/fw1/state/__tmp
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] get_cond_statedir : return state dir = /opt/fw1/state/__tmp/FW1 for hostname = __tmp, product = FW1
Fetching Security Policy Succeeded.

Installing Security Policy...
[ 28699 1736871936]@Gateway[16 Nov 15:17:59] sfwd_read_if_info: failed to extract local.ifi file.
[ 28699 1736871936]@Gateway[16 Nov 15:17:59]
sfw_load: Error loading security policy

Error loading policy.
sfw_fetch_callback: Failed to execute command '"/opt/fw1/bin/fw" fetchlocal -d "/opt/fw1/state/__tmp/FW1"'. rc=1, exit code =-1
 Unable to install the Security Policy on the appliance
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] cpd_close_addon_sessions> addon_id=[], addon_ver=[]
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] cpd_session_terminator> session=0x3b5a9d8
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] opsec_end_session_e: scheduling the end of session 3
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] cpd_close_addon_sessions> addon_id=[], addon_ver=[]
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] The server doesn't run
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] Destroying entity 2 with 0 active comms
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] opsec_destroy_entity_sic: deleting sic rules for entity 0x3b59fb8
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] SESSION ID:3 already resumed read
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] ckpSSL_InputPending 1 pending bytes

 

It needs to be some issue with the caracters or with the IPS policy.

 

 

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2020-11-16 06:24 AM
In response to Us4r

Try running the fetch command with debug - perhaps it might give us additional information.

fw -d fetchlocal -d /opt/fw1/state/__tmp/FW1

 

 

0 Kudos
Us4r
Contributor
‎2020-11-16 06:35 AM
In response to Tal_Paz-Fridman

Hello all,

 

attached a short output of the debug regarding the local.ifi - error message:

 

[ 29107 1737170944]@Gateway[16 Nov 15:30:04] hash_do_resize: Resizing hash from 65536 to 131072 (n_elements=131072)
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] ==>fwa_sfw_extract_file_ex file_name = local.ifi
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] sfw_get_tmp_file_name: File name will be: /storage/local.ifi-2832814620-3488552331
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] fwa_sfw_extract_file_ex: will execute '/bin/gunzip -c /opt/fw1/state/__tmp/FW1/local.ifi.gz > /storage/local.ifi-2832814620-3488552331'
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] Error executing extraction command (error code 255, errno=12).
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] ==>fwa_sfw_delete_tmp_file /storage/local.ifi-2832814620-3488552331
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] fwa_sfw_delete_tmp_file: Error deleting file.
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] <==fwa_sfw_delete_tmp_file (-1)
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] <==fwa_sfw_extract_file_ex
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] sfwd_read_if_info: failed to extract local.ifi file.
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] ==>fwa_sfw_extract_file_ex file_name = local.cfp
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] sfw_get_tmp_file_name: File name will be: /storage/local.cfp-4039710347-1791885011
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] fwa_sfw_extract_file_ex: will execute '/bin/gunzip -c /opt/fw1/state/__tmp/FW1/local.cfp.gz > /storage/local.cfp-4039710347-1791885011'
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] Error executing extraction command (error code 255, errno=12).
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] ==>fwa_sfw_delete_tmp_file /storage/local.cfp-4039710347-1791885011
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] fwa_sfw_delete_tmp_file: Error deleting file.
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] <==fwa_sfw_delete_tmp_file (-1)
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] <==fwa_sfw_extract_file_ex
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] Failed to extract local.cfp file.
[ 29107 1737170944]@Gateway[16 Nov 15:30:05]
sfw_load: Error loading security policy
0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2020-11-16 06:54 AM
In response to Us4r

Can you please check the available space on the device?

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2020-11-17 10:52 PM
In response to Us4r

Hi @Us4r 

Did you get a chance to test the available space on the device? I found some SRs that could be related to the failures you are seeing.

Thanks

Tal

0 Kudos
John_Fleming
Advisor
‎2020-11-13 10:47 AM

Assuming the compatibility directory still has to write out objects_5_0.c and rulebases_5_0.fws i would look there.

in vi

/[^\x00-\x7F]

will find each none-ascii in a file. Might work in 'less' also.

0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2020-11-14 06:21 AM

Check audit logs to find out who did what before last policy installation.

Or check policy revision which is currently installed.

Kind regards,
Jozko Mrkvicka
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events