Hello everyone,
I've just added Appliance 1900 R81.10.15 to a virtual Management Server R81.20 via Internet.
The status of the connection is ✅Connected.
The status in the Management Console is "➖" and I can't install any policies: Installation Policy Error 0-2000259.
Unfortunately I didn't find any information about this error.
I would very much appreciate any help!
That's expected, since it's a mgmt CLI command.
Andy
And what should I do? I have other firewalls that were configured before me and there is no such problem there.
When I try to fetch the policy in the CLI, it really tries to fetch it from the local IP address. So, somehow I need to tell FW to fetch from Public IP. I didn't find any keys for "fw fetch" to specify a remote server...
```
fw fetch
Fetching Security Policy from '10.10.XXX.XXX'
Reason: TCP connectivity failure ( port = 18191 )( IP = 10.10.XXX.XXX )[ error no. 10 ].
Security Policy Fetch Failed.
Unable to fetch the Security Policy from the Management Server
Warning: Attemped to fetch policy from an IP address that is different than the one used to fetch the certificate. Please check the management object's IP address in the SmartDashboard.
```
This points to a connectivity issue.
Confirm you can open a TCP connection on port 18191 (netcat "nc" can be used for this) from the gateway to the management.
Also, what is the relation between the IP listed in the error message versus the one listed in the Main tab of the Management object?
Yes, port is open. Do you see the destination IP?
Personally, ever since I've been around CP, back from the R55 days, I have NEVER seen that error not be related to a SIC issue. Now, here is the thing. Say you do a SIC reset and it works, and then you try to push policy and it fails: it's usually a route missing somewhere along the lines, if you will.
Hope that helps.
Andy
Sure, it is a routing problem, because the security server on the Internet tries to connect to another server on the Internet via a private IP... why?
Maybe verify NATing, as well as current routes. For example, do the ip r g command to the "affected" IP address. Something like ip r g 8.8.8.8, just change the IP address, to confirm if it's correct.
Andy
Check this one out:
How to configure Management behind NAT in Security Gateway - special for SPARK
https://support.checkpoint.com/results/sk/sk66381
Thank you! It did help!
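
Added example (not from the thread or from Check Point): a shell helper that reads saved `fw fetch` output in the format quoted above and reports whether the gateway tried a private (RFC 1918) address instead of the management server's public one. The function names, the sample output, and the addresses 10.10.0.5 and 203.0.113.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a failed `fw fetch` from its saved output.
# SAMPLE_OUTPUT is constructed from the message format quoted in the thread;
# 10.10.0.5 and 203.0.113.10 are placeholder addresses, not real hosts.

SAMPLE_OUTPUT="Fetching Security Policy from '10.10.0.5'
Reason: TCP connectivity failure ( port = 18191 )( IP = 10.10.0.5 )[ error no. 10 ].
Security Policy Fetch Failed."

# Print the address the gateway tried to fetch from (first match only).
fetch_target_ip() {
    printf '%s\n' "$1" |
        sed -n "s/^Fetching Security Policy from '\([^']*\)'.*/\1/p" | head -n 1
}

# Print the TCP port named in the failure reason, if any.
fetch_failed_port() {
    printf '%s\n' "$1" |
        sed -n 's/.*TCP connectivity failure ( port = \([0-9]*\) ).*/\1/p' | head -n 1
}

# Succeed when the address is in RFC 1918 private space.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# diagnose_fetch OUTPUT EXPECTED_MGMT_IP -> one-line verdict on stdout.
# EXPECTED_MGMT_IP is the address the gateway should use to reach management.
diagnose_fetch() {
    ip=$(fetch_target_ip "$1")
    port=$(fetch_failed_port "$1")
    if [ -z "$ip" ]; then
        echo "no-fetch-target-found"
    elif [ "$ip" = "$2" ]; then
        echo "target-matches-expected ${ip}:${port:-unknown}"
    elif is_rfc1918 "$ip"; then
        echo "private-target-mismatch tried=${ip}:${port:-unknown} expected=$2"
    else
        echo "target-mismatch tried=${ip}:${port:-unknown} expected=$2"
    fi
}

diagnose_fetch "$SAMPLE_OUTPUT" "203.0.113.10"
```

A `private-target-mismatch` verdict corresponds to the situation in this thread: the gateway is using the management object's internal address, which is what the linked sk66381 addresses.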