Hugo_vd_Kooij
Advisor

How to debug Policy Installation Errors

I get some BETA déjà vu experiences. Where I would break the EA version by activating the DNS server on the object for my Active Directory server.

I now have this graceful error "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000040)." But I can't even recall having put anything as naughty as a DNS server in my policy.

..... Checking myself again ....

Guess what. I actually did enable the DNS server on my Domain Controller. So what is the logic of this failure?

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
PhoneBoy
Admin

Is this an object setting in SmartConsole?

Because it doesn't sound familiar and I don't see a setting for it offhand.

Can you post a screenshot?

Hugo_vd_Kooij
Advisor

Object for Active Directory

It's this simple to break your policy. And the error is not giving any clues.

There is a note in SK110519:

Issue ID 02496239: Policy installation fails with "Policy installation failed on gateway 0-2000040" error and log: "fw_atomic_add_spii_parameter: Failed to get object named <object_name>".

  • Workaround: for all hosts with a server configuration, unselect the servers. Publish. Select the servers again, and publish again.
  • Version: R80.10

So there is a workaround and the issue is known. But it seems to be part of the list "unresolved bugs".

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
PhoneBoy
Admin

This feature is an artifact that goes back several versions and was necessary for some IPS Protections to be applied to the correct hosts only.

In R80.x, these options are no longer necessary.

That said, policy compilation would ideally handle this situation, or at least print a more clear error message.

Hugo_vd_Kooij
Advisor

There is a way you can set it in R80.10 that makes it even more odd.

Let's face it. This question makes a lot of sense to most people. Doesn't it?

But it will change the host object:

And I am back to a time and place where brown stuff collides at high velocity with rotating blades.

I think that Check Point could do a lot better. It invites people to make sense of their policy and then you end up with a policy that will not install.

There is a lot to fix yet in R80.10!

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
John_Tomasetti
Participant

Thank you for pointing me to SK110519. Turning on DNS server, publish, and turn off DNS server, publish fixed the problem I had pushing policy. Interesting that I could fetch policy from the gateway, just could not push it from the SmartConsole.

Marcel_Talos
Explorer

Hi,

I've had exactly the same problem with that exact error message, where the policy would verify fine but fail to install. I've logged a TAC case and the engineer fixed it by doing this on the Security Management server:

[Expert@MGMT:0]# cd $FWDIR/conf
[Expert@MGMT:0]# grep -e $'^\t\t: (' objects_5_0.C -e "is_mail_server (false)" -e mail_server_prop | grep -v "mail_server_prop ()" | grep mail_server_prop -B 2 | grep ":is_mail_server (false)" -B 1 | grep -e $'^\t\t: ('

This will list objects that are configured as servers. Go through each object and un-tick everything under Servers. Once that is done, publish changes and push policy. The policy should install fine.

Marcel.
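As an added example (not the TAC engineer's command and not a Check Point tool), the Python script below applies the idea behind that grep pipeline to a constructed objects_5_0.C-style excerpt and generalises it from mail servers to any server kind: it reports objects whose is_<kind>_server flag is false while the matching <kind>_server_prop block still carries data, which is the stale state the SK workaround (select, publish, unselect, publish) clears. The file layout beyond what the grep patterns show, the field names such as protected_by, and the sample object names are assumptions.

```python
import re

# Assumed objects_5_0.C layout, inferred only from the grep patterns in the
# post above: an entry starts with two tabs, ": (" and its name, and holds
# ":is_<kind>_server (true|false)" flags beside ":<kind>_server_prop" blocks.
OBJECT_RE = re.compile(r"^\t\t: \(([^\s)]+)")
FLAG_RE = re.compile(r"^\s*:is_(\w+)_server \((true|false)\)")
PROP_RE = re.compile(r"^\s*:(\w+)_server_prop \((.*)$")

def find_stale_server_props(text):
    """Map object name -> server kinds whose flag is false but whose _prop block still holds data."""
    objects, cur = {}, None
    for line in text.splitlines():
        if m := OBJECT_RE.match(line):
            cur = objects.setdefault(m.group(1), {"flags": {}, "props": {}})
        elif cur is None:
            continue                       # text before the first object
        elif m := FLAG_RE.match(line):
            cur["flags"][m.group(1)] = m.group(2)
        elif m := PROP_RE.match(line):
            # "()" closing on the same line is an empty block; anything else has data
            cur["props"][m.group(1)] = m.group(2).strip() != ")"
    stale = {}
    for name, o in objects.items():
        kinds = sorted(k for k, filled in o["props"].items()
                       if filled and o["flags"].get(k) == "false")
        if kinds:
            stale[name] = kinds
    return stale

# Constructed sample: dc01 has DNS server unticked but keeps a populated
# dns_server_prop block (the stale state); mx01 is a consistent mail server.
SAMPLE = (
    "\t\t: (dc01\n"
    "\t\t\t:is_dns_server (false)\n"
    "\t\t\t:dns_server_prop (\n"
    "\t\t\t\t:protected_by (All)\n"
    "\t\t\t)\n"
    "\t\t\t:is_mail_server (false)\n"
    "\t\t\t:mail_server_prop ()\n"
    "\t\t)\n"
    "\t\t: (mx01\n"
    "\t\t\t:is_mail_server (true)\n"
    "\t\t\t:mail_server_prop (:protected_by (All))\n"
    "\t\t)\n"
)

if __name__ == "__main__":
    print(find_stale_server_props(SAMPLE))   # {'dc01': ['dns']}
```

Run it against a copy of $FWDIR/conf/objects_5_0.C taken from the management server to get the list of objects to revisit in SmartConsole before publishing and pushing policy again.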

Timothy_Hall
Legend

The error message "Policy installation failed on gateway" and its predecessor "Load on module failed" indicate that the policy passed SMS verification and was compiled & successfully transferred to the gateway, but the atomic load of the policy into the running firewall kernel failed.  These are frustratingly generic error messages for the simple reason that the SMS has no idea why the load failed, only the gateway does.  Debugging of this problem needs to take place on the gateway.  The linked SK below lays out some of the different situations that can cause this, but in my experience it generally boils down to one of the following:

1) Memory or other resource shortage on the gateway, in the case of a long-term memory leak a reboot of the gateway may help

2) The compiled policy is "corrupt" and should not have passed verification in the first place on the SMS.  This can be caused by damaged files referenced during policy compilation on the SMS, or the user being improperly allowed to enable settings/features that the target gateway software version cannot understand or support

3) Error in policy compilation not caught by the SMS such as the same variable getting included in the compiled policy more than once, or conflicting settings for the same object

4) Possible corruption on the gateway, once again a reboot may help

sk33893: 'Installation failed. Reason: Load on Module failed - failed to load security policy' error...

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Johan_Hillstrom
Contributor

I got the exact same error on R80.20 standalone just now.

It appeared after specifying internal DNS server under Malware DNS Trap on the IPS Profile.

I managed to solve the policy installation error by modifying the DNS server host objects as follows.

On the host object, DNS Server/Configuration/Protection, change Protected by: from All to the gateway object that the host actually resides behind.

Hope this helps for you as well @Hugo_vd_Kooij 
