This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Exonix
Advisor
‎2025-02-17 10:51 AM
Jump to solution

Installation Policy Error 0-2000259

Hello everyone,

I've just added Appliance 1900 R81.10.15 to a virtual Management Server R81.20 via Internet.
The Status of the Connection is Connected
The Status in Management Console "" and I can't install any policies: Installation Policy Error 0-2000259.

Unfortunately I didn't find any Information about this Error.

Very appreciate any help!

Labels
0 Kudos
1 Solution

Accepted Solutions
Lesley
MVP Gold
MVP Gold
‎2025-02-24 12:23 PM
In response to Exonix
Jump to solution

check this one out:

How to configure Management behind NAT in Security Gateway - special for SPARK

https://support.checkpoint.com/results/sk/sk66381

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

39 Replies
PhoneBoy
Admin
Admin
‎2025-02-17 04:10 PM
Jump to solution

What I found in a TAC case, which seems reasonable: When you click on Install Policy in the Smart Console, while selecting the Policy installation Targets, right click on the Gateway and select the "Do not use Install Policy Acceleration for all targets" option and then install the policy.

Exonix
Advisor
‎2025-02-18 12:57 AM
In response to PhoneBoy
Jump to solution

Unfortunately didn't help

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-02-17 05:32 PM
Jump to solution

What Phoneboy said is literally first thing I tell anyone who has policy install error that starts with what you posted. However, if for some reason that does not work, then you may need to do policy debug.

https://community.checkpoint.com/t5/Management/R80-x-Debug-policy-installation-on-gateway/td-p/49828

Or, you can navigate to $FWDIR/scripts dir on mgmt and run ./policy_debug.sh

Andy

0 Kudos
Exonix
Advisor
‎2025-02-18 03:21 AM
In response to the_rock
Jump to solution 

Error opening file /opt/CPshrd-R81.20/database//authkeys.C:: No such file or directory
cpcrypto_get_registry_value: could not query value of key 'Get_Disable_RC4'.
cpcrypto_get_registry_value_with_default: not found in registry: SOFTWARE\CheckPoint\FW1\Get_Disable_RC4. value is set to default : 1
cpIsDir: Calling cpIsDirEx: No such file or directory
Failed to read database files.
destroy_rand_mutex: destroy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-02-18 04:14 AM
In response to Exonix
Jump to solution

Maybe open TAC case to see if they can figure out those messages.

0 Kudos
kamilazat
Advisor
‎2025-02-17 10:30 PM
Jump to solution

Additional to what @the_rock and @PhoneBoy said, I also would try fetching policy on the gateway. I remember dealing with a policy installation error with an unknown (to us) code and when I fetched the policy on the gateway it told me what was wrong with a simple sentence. Interestingly enough, policy_debug.sh didn't give me that simple sentence (well, probably it tried to tell me indirectly, but I failed to see it).

https://sc1.checkpoint.com/documents/SMB_R81.10.X/CLI/EN/Content/Topics/fetch-policy.htm?Highlight=f...

0 Kudos
Exonix
Advisor
‎2025-02-18 01:03 AM
Jump to solution

central_managed_gw.pngmaybe my gateway is not fully added to the management server?

I still can't see him properly, moreover, I don't see any logs from his public IP.

But status in the Appliance is OK:

Appliance_status.png

 

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-02-18 11:52 AM
In response to Exonix
Jump to solution

SIC is still working (test connection status) and how about SIC test on Smart Console?

Are you sure all required ports are open between mgmt and firewall? Check for drops.

It is waiting for its policy, gaia embedded fetches it and mgmt put's it 'ready' 

Hardware is also set to 'other' and should be 19XX

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-02-18 11:56 AM
In response to Lesley
Jump to solution

I second all the points, except "other". I had seen people do that cant even count how many times for different hardware appliances and was never an issue.

Andy

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-02-19 07:58 AM
In response to the_rock
Jump to solution

SMBs need special files - so other might be working for GAiA installations, but not here. SMB needs files from /opt/CPSFWR81CMP-R82/lib/ for policy compilation and will only get it when the correct HW & SW version is selected in Dashboard...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Exonix
Advisor
‎2025-02-19 05:30 AM
In response to Lesley
Jump to solution

for some reason i don't have Appliance 1900
 Appliance 1900.png

 

Status is OK:
Appliance_status2.png

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-02-19 05:36 AM
In response to Exonix
Jump to solution

Hm, just checked my lab and I do see the option there, but again, Im 100% positive that would not make any difference.

Andy

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-02-19 05:59 AM
In response to Exonix
Jump to solution

Other will never work for SMB - are the basics installed ?

  1. R81.20 Jumbo Hotfix Accumulator - Take 43 and higher

  2. R81.20 SmartConsole Releases - Build 646 and higher

SEe https://sc1.checkpoint.com/documents/SMB_R81.10.X/RN/EN/Content/Topics-RN/Supported-Management-Serve...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Exonix
Advisor
‎2025-02-19 06:54 AM
In response to G_W_Albrecht
Jump to solution

after installing Take 92, the desired device model appeared in the management console with the OK status.

Moreover, the policy has fetched by itself once. But manual installation of the policy is not working yet because the gateway has been disconnected...

 

policy_2025.png

G_W_Albrecht
MVP Silver
MVP Silver
‎2025-02-19 07:08 AM
In response to Exonix
Jump to solution

Did you establish SIC again ? sk161532: How to reset SIC on a Centrally Managed Quantum Spark Appliance

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Exonix
Advisor
‎2025-02-19 07:14 AM
In response to G_W_Albrecht
Jump to solution

no, i didn't, shall I?
after restarting the gateway, the policy was fetched again, but manual fetch still does not work, and the status always remains "unavailable".

 

Sometimes I see drops for Ports: 64155 and 46851

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-02-19 07:47 AM
In response to Exonix
Jump to solution

Yes. Better remove the SMB object, create a new one, establish SIC and try policy install again.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Exonix
Advisor
‎2025-02-19 08:09 AM
In response to G_W_Albrecht
Jump to solution

I've reset the SIC, it worked but then I got again 👇
I will recreate the Object

Policy Name: ****_2025

    Last policy installation failed: Warning: Attemped to fetch policy from an IP address that is different than the one used to fetch the certificate. Please check the management object's IP address in the SmartDashboard.

Security Policy date: Feb 19, 2025 17:04:10

 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-02-19 07:58 AM
In response to G_W_Albrecht
Jump to solution

I recall working with client few years ago before they switched to another fw vendor and they used to have lots of SMB devices and probably half of them were set as "other" hardware in smart console (all managed) and they never had problems pushing the policy.

Maybe its diffferent now, not sure.

Andy

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-02-19 07:59 AM
In response to the_rock
Jump to solution

Strange - never did work for me....

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-02-19 08:11 AM
In response to G_W_Albrecht
Jump to solution

This was almost 3 years ago, so it definitely worked back then. Cant recall now what version they were on, though.

Andy

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2025-02-18 04:30 AM
Jump to solution

the best course of an action would be to open a ticket with TAC.

In another TAC case the issue was a corruption in the Security Gateway object (in SmartConsole).

The W/A was to delete the object and create a new one.

I do not know if this is something you are able or willing to do. In any case, if you do, it is important to have a snapshot of the Security Management before hand.

 

Exonix
Advisor
‎2025-02-18 05:37 AM
In response to Tal_Paz-Fridman
Jump to solution

yes, I can recreate the Object, because this Node is empty. I am just at the beginning of setting up the product system.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-02-18 10:38 AM
Jump to solution

For what its worth, here is what AI Copilot provided.

Andy

************************************************

 

The error code "0-2000259" typically indicates a policy installation failure on Quantum Spark appliances. Here are some steps you can take to troubleshoot and resolve this issue:

  1. Check the Policy Configuration:

    • Ensure that the policy configuration is correct and does not contain any errors.
    • Verify that all objects and rules referenced in the policy are properly defined.

  2. Verify Appliance Compatibility:

    • Make sure that the Quantum Spark appliance firmware version is compatible with the Security Management Server version.
    • Check if there are any known issues or hotfixes required for the specific firmware version.

  3. Review Logs:

    • Check the logs on the Security Management Server and the Quantum Spark appliance for any specific error messages or warnings that could provide more details about the failure.
    • Use thefw fetchlocalcommand to fetch the policy locally and review the output for any errors.

  4. Check for Jumbo Hotfix Accumulator:

    • Ensure that the appropriate Jumbo Hotfix Accumulator is installed on the Security Management Server.
    • If you recently uninstalled a Jumbo Hotfix Accumulator, follow the steps to remove changes from the management database as described in SK178509.

  5. Re-establish SIC:

    • If there are issues with Secure Internal Communication (SIC), reset and re-establish SIC between the Security Management Server and the Quantum Spark appliance.

  6. Contact Support:

    • If the issue persists, contact Check Point Support for further assistance. Provide them with CPinfo files from the Security Management Server and the Quantum Spark appliance.

For more detailed troubleshooting steps, you can refer to the relevant SecureKnowledge articles or contact Check Point Support directly.

BE AWARE
Important - To prevent negative impact on your production environment, double-check the provided information in the Administration Guide for the involved product.
Learn more:
  1. sk178509 - After uninstalling R81.10 Jumbo Hotfix Accumulator, policy installation fails with "inter...
  2. sk173495 - Firewall rules with IoT assets are not enforced on Quantum Spark Appliances
  3. sk181784 - "Policy installation failed on gateway" error after upgrading Centrally Managed Quantum S...
  4. sk176713 - "Policy installation failed on gateway" error message appears when the policy is pushed t...
  5. sk175705 - Establishing SIC with a Quantum Spark appliance fails with error message: "Security Polic...
  6. sk182229 - Policy installation fails on Quantum Spark Appliances managed by SmartProvisioning
  7. sk179647 - An "Internal error has occurred" message appears when configuring an Outgoing Policy Rule...
  8. sk178945 - SmartProvisioning loses multiple dynamic objects after installing policy on a Quantum Spa...
0 Kudos
Exonix
Advisor
‎2025-02-19 05:34 AM
In response to the_rock
Jump to solution 

Ensure that the policy configuration is correct and does not contain any errors.

Right now I have ony default Drop Policy

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-02-18 04:15 PM
Jump to solution

One other thing to consider is running cpm doctor script on mgmt.

cd $FWDIR/scripts; ./runcpm_doc.sh

check the output it generates.

Andy

0 Kudos
Exonix
Advisor
‎2025-02-19 05:37 AM
In response to the_rock
Jump to solution

the command ist a bit different: run_cpmdoc.sh

*******************************************************
*                     CPM Doctor                      *
*******************************************************
Feb 19, 2025 02:36:34 PM Starting CPM Doctor
Feb 19, 2025 02:36:34 PM Initializing....ERROR StatusLogger Reconfiguration failed: No configuration found for '5b7b3878' at 'null' in 'null'
....14:36:36.896 [main] ERROR com.checkpoint.cpm_doctor.SetupCheckContext - Failed to identify product version. Please contact support for additional help.
Feb 19, 2025 02:36:37 PM CPM Doctor failed to initialize

 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-02-19 05:40 AM
In response to Exonix
Jump to solution

Yup, correct, just checked the lab, my bad.

[Expert@CP-MANAGEMENT:0]# cd /opt/CPsuite-R81.20/fw1/scripts/
[Expert@CP-MANAGEMENT:0]# ./run_cpmdoc.sh

Just wondering, can you see if you can find that string in guidbedit -> 5b7b3878

Andy

0 Kudos
Exonix
Advisor
‎2025-02-21 10:56 AM
Jump to solution

my Management Server is behind NAT, that's why the IP address in the certificate doesn't match.

when I try to add my public IP, it asks me for some credentials:

mgmt_cli set management-interface ipv4-address XXX.XXX.XXX.XXX --domain "System Data"
Username:

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events