Installation Policy Error 0-2000259
Hello everyone,
I've just added Appliance 1900 R81.10.15 to a virtual Management Server R81.20 via Internet.
The Status of the Connection is ✅Connected
The Status in Management Console is "➖" and I can't install any policies: Installation Policy Error 0-2000259.
Unfortunately I didn't find any Information about this Error.
I would very much appreciate any help!
Accepted Solutions
check this one out:
How to configure Management behind NAT in Security Gateway - special for SPARK
https://support.checkpoint.com/results/sk/sk66381
If you like this post please give a thumbs up(kudo)! 🙂
What I found in a TAC case, which seems reasonable: When you click on Install Policy in the Smart Console, while selecting the Policy installation Targets, right click on the Gateway and select the "Do not use Install Policy Acceleration for all targets" option and then install the policy.
Unfortunately didn't help
What Phoneboy said is literally the first thing I tell anyone who has a policy install error that starts with what you posted. However, if for some reason that does not work, then you may need to do a policy debug.
https://community.checkpoint.com/t5/Management/R80-x-Debug-policy-installation-on-gateway/td-p/49828
Or, you can navigate to $FWDIR/scripts dir on mgmt and run ./policy_debug.sh
Andy
Error opening file /opt/CPshrd-R81.20/database//authkeys.C:: No such file or directory
cpcrypto_get_registry_value: could not query value of key 'Get_Disable_RC4'.
cpcrypto_get_registry_value_with_default: not found in registry: SOFTWARE\CheckPoint\FW1\Get_Disable_RC4. value is set to default : 1
cpIsDir: Calling cpIsDirEx: No such file or directory
Failed to read database files.
destroy_rand_mutex: destroy
Maybe open a TAC case to see if they can figure out those messages.
In addition to what @the_rock and @PhoneBoy said, I also would try fetching policy on the gateway. I remember dealing with a policy installation error with an unknown (to us) code and when I fetched the policy on the gateway it told me what was wrong with a simple sentence. Interestingly enough, policy_debug.sh didn't give me that simple sentence (well, probably it tried to tell me indirectly, but I failed to see it).
Maybe my gateway is not fully added to the management server?
I still can't see it properly; moreover, I don't see any logs from its public IP.
But status in the Appliance is OK:
SIC is still working (test connection status) and how about SIC test on Smart Console?
Are you sure all required ports are open between mgmt and firewall? Check for drops.
It is waiting for its policy, gaia embedded fetches it and mgmt puts it 'ready'
Hardware is also set to 'other' and should be 19XX
If you like this post please give a thumbs up(kudo)! 🙂
I second all the points, except "other". I have seen people do that, can't even count how many times, for different hardware appliances, and it was never an issue.
Andy
SMBs need special files - so other might be working for GAiA installations, but not here. SMB needs files from /opt/CPSFWR81CMP-R82/lib/ for policy compilation and will only get it when the correct HW & SW version is selected in Dashboard...
For some reason I don't have Appliance 1900
Status is OK:
Hm, just checked my lab and I do see the option there, but again, I'm 100% positive that would not make any difference.
Andy
Other will never work for SMB - are the basics installed?
- R81.20 Jumbo Hotfix Accumulator - Take 43 and higher
- R81.20 SmartConsole Releases - Build 646 and higher
After installing Take 92, the desired device model appeared in the management console with the OK status.
Moreover, the policy was fetched by itself once. But manual installation of the policy is not working yet because the gateway has been disconnected...
Did you establish SIC again? sk161532: How to reset SIC on a Centrally Managed Quantum Spark Appliance
No, I didn't, shall I?
After restarting the gateway, the policy was fetched again, but manual fetch still does not work, and the status always remains "unavailable".
Sometimes I see drops for Ports: 64155 and 46851
Yes. Better remove the SMB object, create a new one, establish SIC and try policy install again.
I've reset the SIC, it worked but then I got again 👇
I will recreate the Object
Policy Name: ****_2025
Last policy installation failed: Warning: Attemped to fetch policy from an IP address that is different than the one used to fetch the certificate. Please check the management object's IP address in the SmartDashboard.
Security Policy date: Feb 19, 2025 17:04:10
I recall working with a client a few years ago before they switched to another fw vendor and they used to have lots of SMB devices and probably half of them were set as "other" hardware in smart console (all managed) and they never had problems pushing the policy.
Maybe it's different now, not sure.
Andy
Strange - never did work for me....
This was almost 3 years ago, so it definitely worked back then. Can't recall now what version they were on, though.
Andy
The best course of action would be to open a ticket with TAC.
In another TAC case the issue was a corruption in the Security Gateway object (in SmartConsole).
The W/A was to delete the object and create a new one.
I do not know if this is something you are able or willing to do. In any case, if you do, it is important to have a snapshot of the Security Management beforehand.
Yes, I can recreate the Object, because this Node is empty. I am just at the beginning of setting up the product system.
For what it's worth, here is what AI Copilot provided.
Andy
************************************************
The error code "0-2000259" typically indicates a policy installation failure on Quantum Spark appliances. Here are some steps you can take to troubleshoot and resolve this issue:
- Check the Policy Configuration:
  - Ensure that the policy configuration is correct and does not contain any errors.
  - Verify that all objects and rules referenced in the policy are properly defined.
- Verify Appliance Compatibility:
  - Make sure that the Quantum Spark appliance firmware version is compatible with the Security Management Server version.
  - Check if there are any known issues or hotfixes required for the specific firmware version.
- Review Logs:
  - Check the logs on the Security Management Server and the Quantum Spark appliance for any specific error messages or warnings that could provide more details about the failure.
  - Use the fw fetchlocal command to fetch the policy locally and review the output for any errors.
- Check for Jumbo Hotfix Accumulator:
  - Ensure that the appropriate Jumbo Hotfix Accumulator is installed on the Security Management Server.
  - If you recently uninstalled a Jumbo Hotfix Accumulator, follow the steps to remove changes from the management database as described in SK178509.
- Re-establish SIC:
  - If there are issues with Secure Internal Communication (SIC), reset and re-establish SIC between the Security Management Server and the Quantum Spark appliance.
- Contact Support:
  - If the issue persists, contact Check Point Support for further assistance. Provide them with CPinfo files from the Security Management Server and the Quantum Spark appliance.
For more detailed troubleshooting steps, you can refer to the relevant SecureKnowledge articles or contact Check Point Support directly.
- sk178509 - After uninstalling R81.10 Jumbo Hotfix Accumulator, policy installation fails with "inter...
- sk173495 - Firewall rules with IoT assets are not enforced on Quantum Spark Appliances
- sk181784 - "Policy installation failed on gateway" error after upgrading Centrally Managed Quantum S...
- sk176713 - "Policy installation failed on gateway" error message appears when the policy is pushed t...
- sk175705 - Establishing SIC with a Quantum Spark appliance fails with error message: "Security Polic...
- sk182229 - Policy installation fails on Quantum Spark Appliances managed by SmartProvisioning
- sk179647 - An "Internal error has occurred" message appears when configuring an Outgoing Policy Rule...
- sk178945 - SmartProvisioning loses multiple dynamic objects after installing policy on a Quantum Spa...
Ensure that the policy configuration is correct and does not contain any errors.
Right now I have only default Drop Policy
One other thing to consider is running cpm doctor script on mgmt.
cd $FWDIR/scripts; ./runcpm_doc.sh
check the output it generates.
Andy
The command is a bit different: run_cpmdoc.sh
*******************************************************
* CPM Doctor *
*******************************************************
Feb 19, 2025 02:36:34 PM Starting CPM Doctor
Feb 19, 2025 02:36:34 PM Initializing....ERROR StatusLogger Reconfiguration failed: No configuration found for '5b7b3878' at 'null' in 'null'
....14:36:36.896 [main] ERROR com.checkpoint.cpm_doctor.SetupCheckContext - Failed to identify product version. Please contact support for additional help.
Feb 19, 2025 02:36:37 PM CPM Doctor failed to initialize
Yup, correct, just checked the lab, my bad.
[Expert@CP-MANAGEMENT:0]# cd /opt/CPsuite-R81.20/fw1/scripts/
[Expert@CP-MANAGEMENT:0]# ./run_cpmdoc.sh
Just wondering, can you see if you can find that string in guidbedit -> 5b7b3878
Andy
my Management Server is behind NAT, that's why the IP address in the certificate doesn't match.
when I try to add my public IP, it asks me for some credentials:
mgmt_cli set management-interface ipv4-address XXX.XXX.XXX.XXX --domain "System Data"
Username:
