Re: Installation Policy Error 0-2000259

Exonix

Hello everyone,

I've just added Appliance 1900 R81.10.15 to a virtual Management Server R81.20 via Internet.
The Status of the Connection is ✅Connected
The Status in Management Console "➖" and I can't install any policies: Installation Policy Error 0-2000259.

Unfortunately I didn't find any Information about this Error.

Very appreciate any help!

PhoneBoy

What I found in a TAC case, which seems reasonable: When you click on Install Policy in the Smart Console, while selecting the Policy installation Targets, right click on the Gateway and select the "Do not use Install Policy Acceleration for all targets" option and then install the policy.

Exonix

Unfortunately didn't help

the_rock

What Phoneboy said is literally first thing I tell anyone who has policy install error that starts with what you posted. However, if for some reason that does not work, then you may need to do policy debug.

https://community.checkpoint.com/t5/Management/R80-x-Debug-policy-installation-on-gateway/td-p/49828

Or, you can navigate to $FWDIR/scripts dir on mgmt and run ./policy_debug.sh

Andy

Exonix

Error opening file /opt/CPshrd-R81.20/database//authkeys.C:: No such file or directory
cpcrypto_get_registry_value: could not query value of key 'Get_Disable_RC4'.
cpcrypto_get_registry_value_with_default: not found in registry: SOFTWARE\CheckPoint\FW1\Get_Disable_RC4. value is set to default : 1
cpIsDir: Calling cpIsDirEx: No such file or directory
Failed to read database files.
destroy_rand_mutex: destroy

the_rock

Maybe open TAC case to see if they can figure out those messages.

kamilazat

Additional to what @the_rock and @PhoneBoy said, I also would try fetching policy on the gateway. I remember dealing with a policy installation error with an unknown (to us) code and when I fetched the policy on the gateway it told me what was wrong with a simple sentence. Interestingly enough, policy_debug.sh didn't give me that simple sentence (well, probably it tried to tell me indirectly, but I failed to see it).

https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/fetch-policy.htm?Highlight=f...

Exonix

maybe my gateway is not fully added to the management server?

I still can't see him properly, moreover, I don't see any logs from his public IP.

But status in the Appliance is OK:

Lesley

SIC is still working (test connection status) and how about SIC test on Smart Console?

Are you sure all required ports are open between mgmt and firewall? Check for drops.

It is waiting for its policy, gaia embedded fetches it and mgmt put's it 'ready'

Hardware is also set to 'other' and should be 19XX

-------
If you like this post please give a thumbs up(kudo)! 🙂

the_rock

I second all the points, except "other". I had seen people do that cant even count how many times for different hardware appliances and was never an issue.

Andy

G_W_Albrecht

SMBs need special files - so other might be working for GAiA installations, but not here. SMB needs files from /opt/CPSFWR81CMP-R82/lib/ for policy compilation and will only get it when the correct HW & SW version is selected in Dashboard...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Exonix

for some reason i don't have Appliance 1900

Status is OK:

the_rock

Hm, just checked my lab and I do see the option there, but again, Im 100% positive that would not make any difference.

Andy

G_W_Albrecht

Other will never work for SMB - are the basics installed ?

R81.20 Jumbo Hotfix Accumulator - Take 43 and higher
R81.20 SmartConsole Releases - Build 646 and higher

SEe https://sc1.checkpoint.com/documents/SMB_R81.10.X/RN/EN/Content/Topics-RN/Supported-Management-Serve...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Exonix

after installing Take 92, the desired device model appeared in the management console with the OK status.

Moreover, the policy has fetched by itself once. But manual installation of the policy is not working yet because the gateway has been disconnected...

G_W_Albrecht

Did you establish SIC again ? sk161532: How to reset SIC on a Centrally Managed Quantum Spark Appliance

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Exonix

no, i didn't, shall I?
after restarting the gateway, the policy was fetched again, but manual fetch still does not work, and the status always remains "unavailable".

Sometimes I see drops for Ports: 64155 and 46851

G_W_Albrecht

Yes. Better remove the SMB object, create a new one, establish SIC and try policy install again.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Exonix

I've reset the SIC, it worked but then I got again 👇
I will recreate the Object

Policy Name: ****_2025

    Last policy installation failed: Warning: Attemped to fetch policy from an IP address that is different than the one used to fetch the certificate. Please check the management object's IP address in the SmartDashboard.

Security Policy date: Feb 19, 2025 17:04:10

the_rock

I recall working with client few years ago before they switched to another fw vendor and they used to have lots of SMB devices and probably half of them were set as "other" hardware in smart console (all managed) and they never had problems pushing the policy.

Maybe its diffferent now, not sure.

Andy

G_W_Albrecht

Strange - never did work for me....

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

the_rock

This was almost 3 years ago, so it definitely worked back then. Cant recall now what version they were on, though.

Andy

Tal_Paz-Fridman

the best course of an action would be to open a ticket with TAC.

In another TAC case the issue was a corruption in the Security Gateway object (in SmartConsole).

The W/A was to delete the object and create a new one.

I do not know if this is something you are able or willing to do. In any case, if you do, it is important to have a snapshot of the Security Management before hand.

Exonix

yes, I can recreate the Object, because this Node is empty. I am just at the beginning of setting up the product system.

the_rock

For what its worth, here is what AI Copilot provided.

Andy

************************************************

The error code "0-2000259" typically indicates a policy installation failure on Quantum Spark appliances. Here are some steps you can take to troubleshoot and resolve this issue:

Check the Policy Configuration:
- Ensure that the policy configuration is correct and does not contain any errors.
- Verify that all objects and rules referenced in the policy are properly defined.
Verify Appliance Compatibility:
- Make sure that the Quantum Spark appliance firmware version is compatible with the Security Management Server version.
- Check if there are any known issues or hotfixes required for the specific firmware version.
Review Logs:
- Check the logs on the Security Management Server and the Quantum Spark appliance for any specific error messages or warnings that could provide more details about the failure.
- Use thefw fetchlocalcommand to fetch the policy locally and review the output for any errors.
Check for Jumbo Hotfix Accumulator:
- Ensure that the appropriate Jumbo Hotfix Accumulator is installed on the Security Management Server.
- If you recently uninstalled a Jumbo Hotfix Accumulator, follow the steps to remove changes from the management database as described in SK178509.
Re-establish SIC:
- If there are issues with Secure Internal Communication (SIC), reset and re-establish SIC between the Security Management Server and the Quantum Spark appliance.
Contact Support:
- If the issue persists, contact Check Point Support for further assistance. Provide them with CPinfo files from the Security Management Server and the Quantum Spark appliance.

For more detailed troubleshooting steps, you can refer to the relevant SecureKnowledge articles or contact Check Point Support directly.

BE AWARE

Important - To prevent negative impact on your production environment, double-check the provided information in the Administration Guide for the involved product.

Learn more:

Exonix

Ensure that the policy configuration is correct and does not contain any errors.

Right now I have ony default Drop Policy

the_rock

One other thing to consider is running cpm doctor script on mgmt.

cd $FWDIR/scripts; ./runcpm_doc.sh

check the output it generates.

Andy

Exonix

the command ist a bit different: run_cpmdoc.sh

*******************************************************
*                     CPM Doctor                      *
*******************************************************
Feb 19, 2025 02:36:34 PM Starting CPM Doctor
Feb 19, 2025 02:36:34 PM Initializing....ERROR StatusLogger Reconfiguration failed: No configuration found for '5b7b3878' at 'null' in 'null'
....14:36:36.896 [main] ERROR com.checkpoint.cpm_doctor.SetupCheckContext - Failed to identify product version. Please contact support for additional help.
Feb 19, 2025 02:36:37 PM CPM Doctor failed to initialize

the_rock

Yup, correct, just checked the lab, my bad.

[Expert@CP-MANAGEMENT:0]# cd /opt/CPsuite-R81.20/fw1/scripts/
[Expert@CP-MANAGEMENT:0]# ./run_cpmdoc.sh

Just wondering, can you see if you can find that string in guidbedit -> 5b7b3878

Andy

Are you a member of CheckMates?

Installation Policy Error 0-2000259