Hello everyone,
I've just added Appliance 1900 R81.10.15 to a virtual Management Server R81.20 via Internet.
The Status of the Connection is ✅Connected
The Status in Management Console "➖" and I can't install any policies: Installation Policy Error 0-2000259.
Unfortunately I didn't find any Information about this Error.
I'd very much appreciate any help!
check this one out:
How to configure Management behind NAT in Security Gateway - special for SPARK
https://support.checkpoint.com/results/sk/sk66381
What I found in a TAC case, which seems reasonable: When you click on Install Policy in the Smart Console, while selecting the Policy installation Targets, right click on the Gateway and select the "Do not use Install Policy Acceleration for all targets" option and then install the policy.
Unfortunately didn't help
What Phoneboy said is literally first thing I tell anyone who has policy install error that starts with what you posted. However, if for some reason that does not work, then you may need to do policy debug.
https://community.checkpoint.com/t5/Management/R80-x-Debug-policy-installation-on-gateway/td-p/49828
Or, you can navigate to $FWDIR/scripts dir on mgmt and run ./policy_debug.sh
Andy
Error opening file /opt/CPshrd-R81.20/database//authkeys.C:: No such file or directory
cpcrypto_get_registry_value: could not query value of key 'Get_Disable_RC4'.
cpcrypto_get_registry_value_with_default: not found in registry: SOFTWARE\CheckPoint\FW1\Get_Disable_RC4. value is set to default : 1
cpIsDir: Calling cpIsDirEx: No such file or directory
Failed to read database files.
destroy_rand_mutex: destroy
Maybe open TAC case to see if they can figure out those messages.
In addition to what @the_rock and @PhoneBoy said, I also would try fetching policy on the gateway. I remember dealing with a policy installation error with an unknown (to us) code and when I fetched the policy on the gateway it told me what was wrong with a simple sentence. Interestingly enough, policy_debug.sh didn't give me that simple sentence (well, probably it tried to tell me indirectly, but I failed to see it).
Maybe my gateway is not fully added to the management server?
I still can't see it properly; moreover, I don't see any logs from its public IP.
But status in the Appliance is OK:
SIC is still working (test connection status) and how about SIC test on Smart Console?
Are you sure all required ports are open between mgmt and firewall? Check for drops.
It is waiting for its policy, Gaia Embedded fetches it and mgmt puts it 'ready'
Hardware is also set to 'other' and should be 19XX
I second all the points, except "other". I had seen people do that, can't even count how many times, for different hardware appliances, and it was never an issue.
Andy
SMBs need special files - so "other" might be working for Gaia installations, but not here. SMB needs files from /opt/CPSFWR81CMP-R82/lib/ for policy compilation and will only get them when the correct HW & SW version is selected in Dashboard...
For some reason I don't have Appliance 1900
Status is OK:
Hm, just checked my lab and I do see the option there, but again, I'm 100% positive that would not make any difference.
Andy
Other will never work for SMB - are the basics installed?
R81.20 Jumbo Hotfix Accumulator - Take 43 and higher
R81.20 SmartConsole Releases - Build 646 and higher
After installing Take 92, the desired device model appeared in the management console with the OK status.
Moreover, the policy was fetched by itself once. But manual installation of the policy is not working yet because the gateway has been disconnected...
Did you establish SIC again? sk161532: How to reset SIC on a Centrally Managed Quantum Spark Appliance
No, I didn't, shall I?
After restarting the gateway, the policy was fetched again, but manual fetch still does not work, and the status always remains "unavailable".
Sometimes I see drops for Ports: 64155 and 46851
Yes. Better remove the SMB object, create a new one, establish SIC and try policy install again.
I've reset the SIC, it worked but then I got again 👇
I will recreate the Object
Policy Name: ****_2025
Last policy installation failed: Warning: Attemped to fetch policy from an IP address that is different than the one used to fetch the certificate. Please check the management object's IP address in the SmartDashboard.
Security Policy date: Feb 19, 2025 17:04:10
I recall working with a client a few years ago, before they switched to another fw vendor, and they used to have lots of SMB devices and probably half of them were set as "other" hardware in SmartConsole (all managed) and they never had problems pushing the policy.
Maybe it's different now, not sure.
Andy
Strange - it never did work for me....
This was almost 3 years ago, so it definitely worked back then. Can't recall now what version they were on, though.
Andy
The best course of action would be to open a ticket with TAC.
In another TAC case the issue was a corruption in the Security Gateway object (in SmartConsole).
The W/A was to delete the object and create a new one.
I do not know if this is something you are able or willing to do. In any case, if you do, it is important to have a snapshot of the Security Management beforehand.
Yes, I can recreate the Object, because this Node is empty. I am just at the beginning of setting up the product system.
For what it's worth, here is what AI Copilot provided.
Andy
************************************************
The error code "0-2000259" typically indicates a policy installation failure on Quantum Spark appliances. Here are some steps you can take to troubleshoot and resolve this issue:
Check the Policy Configuration:
Verify Appliance Compatibility:
Review Logs:
fw fetchlocal command to fetch the policy locally and review the output for any errors.
Check for Jumbo Hotfix Accumulator:
Re-establish SIC:
Contact Support:
For more detailed troubleshooting steps, you can refer to the relevant SecureKnowledge articles or contact Check Point Support directly.
Ensure that the policy configuration is correct and does not contain any errors.
Right now I have only the default Drop Policy
One other thing to consider is running cpm doctor script on mgmt.
cd $FWDIR/scripts; ./runcpm_doc.sh
Check the output it generates.
Andy
The command is a bit different: run_cpmdoc.sh
*******************************************************
* CPM Doctor *
*******************************************************
Feb 19, 2025 02:36:34 PM Starting CPM Doctor
Feb 19, 2025 02:36:34 PM Initializing....ERROR StatusLogger Reconfiguration failed: No configuration found for '5b7b3878' at 'null' in 'null'
....14:36:36.896 [main] ERROR com.checkpoint.cpm_doctor.SetupCheckContext - Failed to identify product version. Please contact support for additional help.
Feb 19, 2025 02:36:37 PM CPM Doctor failed to initialize
Yup, correct, just checked the lab, my bad.
[Expert@CP-MANAGEMENT:0]# cd /opt/CPsuite-R81.20/fw1/scripts/
[Expert@CP-MANAGEMENT:0]# ./run_cpmdoc.sh
Just wondering, can you see if you can find that string in guidbedit -> 5b7b3878
Andy
My Management Server is behind NAT, that's why the IP address in the certificate doesn't match.
When I try to add my public IP, it asks me for some credentials:
mgmt_cli set management-interface ipv4-address XXX.XXX.XXX.XXX --domain "System Data"
Username: