How to debug Policy Installation Errors
I get some BETA déjà vu experiences, where I would break the EA version by activating the DNS server on the object for my Active Directory server.
I now have this graceful error "Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 0-2000040)." But I can't even recall having put anything as naughty as a DNS server in my policy.
... Checking myself again ...
Guess what. I actually did enable the DNS server on my Domain Controller. So what is the logic of this failure?
Accepted Solutions
I got the exact same error on R80.20 standalone just now.
It appeared after specifying an internal DNS server under Malware DNS Trap on the IPS Profile.
I managed to solve the policy installation error by modifying the DNS server host objects as follows.
On the host object, DNS Server/Configuration/Protection, change Protected by: from All to the gateway object that the host actually resides behind.
Hope this helps you as well @Hugo_vd_Kooij
Is this an object setting in SmartConsole?
Because it doesn't sound familiar and I don't see a setting for it offhand.
Can you post a screenshot?
It's this simple to break your policy. And the error is not giving any clues.
There is a note in SK110519:
02496239 | Policy installation fails with "Policy installation failed on gateway 0-2000040" error and log: "fw_atomic_add_spii_parameter: Failed to get object named <object_name>". | R80.10
So there is a workaround and the issue is known. But it seems to be part of the "unresolved bugs" list.
This feature is an artifact that goes back several versions and was necessary for some IPS Protections to be applied to the correct hosts only.
In R80.x, these options are no longer necessary.
That said, policy compilation would ideally handle this situation, or at least print a clearer error message.
There is a way you can set it in R80.10 that makes it even more odd.
Let's face it. This question makes a lot of sense to most people. Doesn't it?
But it will change the host object:
And I am back to a time and place where brown stuff collides at high velocity with rotating blades.
I think that Check Point could do a lot better. It invites people to make sense of their policy and then you end up with a policy that will not install.
There is a lot to fix yet in R80.10!
Thank you for pointing me to SK110519. Turning on DNS server and publishing, then turning off DNS server and publishing again, fixed the problem I had pushing policy. Interesting that I could fetch policy from the gateway, I just could not push it from SmartConsole.
Hi,
I've had exactly the same problem with that exact error message, where the policy would verify fine but fail to install. I've logged a TAC case and the engineer fixed it by doing this on the Security Management server:

```
[Expert@MGMT:0]# cd $FWDIR/conf
[Expert@MGMT:0]# grep -e $'^\t\t: (' objects_5_0.C -e "is_mail_server (false)" -e mail_server_prop | grep -v "mail_server_prop ()" | grep mail_server_prop -B 2 | grep ":is_mail_server (false)" -B 1 | grep -e $'^\t\t: ('
```
This will list objects that are configured as servers. Go through each object and un-tick everything under Servers. Once that is done, publish changes and push policy. The policy should install fine.
Marcel.
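The same check as a readable audit script, added here as an example and not Marcel's or Check Point's code. It assumes only the objects_5_0.C layout the grep patterns themselves imply (object names on two-tab `: (name` lines, one attribute per line, `:mail_server_prop ()` meaning no server properties set); the sample export and its `:protected_by` attribute are constructed for the demonstration.

```python
"""Audit an objects_5_0.C export for mail-server settings (readable version
of the grep pipeline).  Assumed layout: object names on two-tab ": (name"
lines, one attribute per line, ":mail_server_prop ()" meaning nothing set."""
import re
from typing import List, Tuple

OBJECT_NAME = re.compile(r"^\t\t: \(([^\s)]+)")          # "\t\t: (dc01"
FLAG = re.compile(r"^\s*:is_mail_server \((true|false)\)")
PROP_START = re.compile(r"^\s*:mail_server_prop \(")
PROP_EMPTY = ":mail_server_prop ()"


def objects_with_server_props(text: str) -> List[Tuple[str, str]]:
    """Return (object_name, is_mail_server) for each object whose mail_server_prop block is non-empty."""
    results, name, flag, has_props = [], None, "unset", False
    for line in text.splitlines():
        m = OBJECT_NAME.match(line)
        if m:                                  # new object: flush the previous one
            if name and has_props:
                results.append((name, flag))
            name, flag, has_props = m.group(1), "unset", False
            continue
        f = FLAG.match(line)
        if f:
            flag = f.group(1)
        elif PROP_START.match(line) and line.strip() != PROP_EMPTY:
            has_props = True                   # non-empty server properties block
    if name and has_props:
        results.append((name, flag))
    return results


def inconsistent_objects(text: str) -> List[str]:
    """Objects carrying server properties while is_mail_server is false (the case the pipeline greps for)."""
    return [n for n, f in objects_with_server_props(text) if f == "false"]


# Constructed sample in the assumed layout; :protected_by is a made-up attribute name.
SAMPLE = (
    "\t: (network_objects\n"
    "\t\t: (dc01\n\t\t\t:ipaddr (10.0.0.10)\n\t\t\t:is_mail_server (false)\n"
    "\t\t\t:mail_server_prop (\n\t\t\t\t:protected_by (All)\n\t\t\t)\n\t\t)\n"
    "\t\t: (web01\n\t\t\t:is_mail_server (false)\n\t\t\t:mail_server_prop ()\n\t\t)\n"
    "\t\t: (mail01\n\t\t\t:is_mail_server (true)\n"
    "\t\t\t:mail_server_prop (\n\t\t\t\t:protected_by (All)\n\t\t\t)\n\t\t)\n"
    "\t)\n"
)

if __name__ == "__main__":
    print(inconsistent_objects(SAMPLE))        # → ['dc01']
```

Run it against a copy of `$FWDIR/conf/objects_5_0.C` taken from the management server; the objects it names are the ones to review under Servers before publishing and pushing again.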
The error message "Policy installation failed on gateway" and its predecessor "Load on module failed" indicate that the policy passed SMS verification and was compiled & successfully transferred to the gateway, but the atomic load of the policy into the running firewall kernel failed. These are frustratingly generic error messages for the simple reason that the SMS has no idea why the load failed, only the gateway does. Debugging of this problem needs to take place on the gateway. The linked SK below lays out some of the different situations that can cause this, but in my experience it generally boils down to one of the following:
1) Memory or other resource shortage on the gateway, in the case of a long-term memory leak a reboot of the gateway may help
2) The compiled policy is "corrupt" and should not have passed verification in the first place on the SMS. This can be caused by damaged files referenced during policy compilation on the SMS, or the user being improperly allowed to enable settings/features that the target gateway software version cannot understand or support
3) Error in policy compilation not caught by the SMS such as the same variable getting included in the compiled policy more than once, or conflicting settings for the same object
4) Possible corruption on the gateway, once again a reboot may help