This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2018-01-14 07:54 AM
Jump to solution

Policy Installation Stages

Can someone describe what exactly status "Finalizing Installation" referring to?

1 Solution

Accepted Solutions
Tomer_Sole
Mentor
Mentor
‎2018-01-17 12:26 PM
Jump to solution

I reached out to the Install Policy experts and got this out:

The “Finalizing Installation” phase is when we update the log server with the resolved objects, so that logs will show Check Point objects rather than IP’s, ports etc.

Technically, by the time you see "Finalizing...", the policy is already applied on your gateway. This is only a completing step for the sake of logs data.

Few things that I'd like to point out:

Perhaps the 99% delay is the SMS putting/committing a copy of the successfully installed policy into the "Installation History" list of the SmartConsole

One word which we no longer use in R80 is "copy". Things are pointed to, not duplicated. The Installation History is simply references revision ID's which were sent to a Gateway. I know that when we sell R80 Management we start with the things which are easier to explain (multi-admins, publish mode, locks) but I am hoping with this community we'll be able to discuss the hidden architectural benefits in more detail.

View solution in original post

20 Replies
EdesLC
Collaborator
‎2018-01-15 04:02 AM
Jump to solution

Hi Vladimir, take a look at this guide, it is very helpful to understand how policy installation works.

sk101226: Policy installation flow process | 

AND

http://dl3.checkpoint.com/paid/0b/How-To-Troubleshoot-Policy-Installation-Issues.pdf?HashKey=1516024... 

Thanks,

Edes Leandro Cardoso

Vladimir
Champion
Champion
‎2018-01-15 05:51 AM
In response to EdesLC
Jump to solution

Edes,

Thank you for comprehensive information.  It does not, however, answer the question of what is "finalizing installation" stage in R80.X actually does.

The status of the installation on individual gateways changes to "Succeeded", long before "Finalizing Installation" 99% turns to "Completed".

Something happening in that window that takes fairly long time.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2018-01-15 07:24 AM
In response to Vladimir
Jump to solution

My guess is that the "rematch" of connections is occurring at 99% which can certainly take a moment to complete on a busy firewall.  This setting is located on the gateway object under Other...Connection Persistence.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Vladimir
Champion
Champion
‎2018-01-15 08:15 AM
In response to Timothy_Hall
Jump to solution

Thanks Tim. It makes sense, but I've seen it taking a while in my lab environment as well as in production at different clients. In production this is likely the case, but in the lab I would expect this to happen almost instantaneously, but I have just timed it and it took 45 seconds on the unit with hardly any connections:

So it may be something different.

0 Kudos
EdesLC
Collaborator
‎2018-01-15 09:14 AM
In response to Vladimir
Jump to solution

It is helpful to understand how is the flow.

I guess that this step "Finalizing" is related with "cpd waits for fw_fetchlocal to complete the process and then informs the Management server of the command's status (installation succeeded or failed)."

Thanks

0 Kudos
Vladimir
Champion
Champion
‎2018-01-15 09:21 AM
In response to EdesLC
Jump to solution

Do not think so: the effects of the policy installation are already visible when per-gateway status is "Succeeded" but "Finalizing Installation" is at 99%.

It may just be a communication lag or some-kind of commit stage on the management server acknowledging the success of the installation on the gateways: i.e. query gateway to confirm that there were no errors loading the policy before completing the process. 

0 Kudos
EdesLC
Collaborator
‎2018-01-15 09:39 AM
In response to Vladimir
Jump to solution

I got it, If you run a Policy Installation Debug to try to see something into the logs? 

Maybe you can see where it is getting longer time and try figure it out.

 

How to debug policy installation on R80.x Security Management Server / Multi-Domain Security Managem... 

Thanks,

0 Kudos
rajendra_bandil
Explorer
‎2018-01-16 09:29 AM
In response to EdesLC
Jump to solution

Hi Edes,

                  I am not able to view the solution mentioned in this URL. Please guide me how to get the access.

How to debug policy installation on R80.x Security Management Server / Multi-Domain Security Managem...

Regards

Rajendra

0 Kudos
EdesLC
Collaborator
‎2018-01-16 10:09 AM
In response to rajendra_bandil
Jump to solution

Hi, how are you? I hope good.

I am able to open this link with no problem. Try to search for this sk112111.

0 Kudos
rajendra_bandil
Explorer
‎2018-01-16 08:55 PM
In response to EdesLC
Jump to solution

Hi Edes,

             I am fine.Thank you for the information

0 Kudos
PhoneBoy
Admin
Admin
‎2018-01-16 03:36 PM
In response to rajendra_bandil
Jump to solution

This SK requires "Advanced" access, which anyone with a support agreement in place should be able to access.

rajendra_bandil
Explorer
‎2018-01-16 08:56 PM
In response to PhoneBoy
Jump to solution

Ya,Thank you Dameon

0 Kudos
pattymcpherson
Explorer
‎2023-06-26 02:01 PM
In response to PhoneBoy
Jump to solution

When installing a policy on clusterXL gateways,   does the management server send the policy via the management interfaces of the Gateways or does is get send to the ClusterXL IP Address (VIP)?

 

 

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2018-01-15 10:09 AM
In response to Vladimir
Jump to solution

Perhaps the 99% delay is the SMS putting/committing a copy of the successfully installed policy into the "Installation History" list of the SmartConsole?  Would make sense that the SMS would have to wait for the firewall to acknowledge the atomic load (fw stat would show the firewall has applied the new policy) at which point the SMS would have to do some heavy database operations.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Vladimir
Champion
Champion
‎2018-01-15 10:13 AM
In response to Timothy_Hall
Jump to solution

I suspect that you are correct. It would be consistent with the observed behavior.

Would be nice to get CP to chime-in on this to confirm.

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-01-17 12:26 PM
Jump to solution

I reached out to the Install Policy experts and got this out:

The “Finalizing Installation” phase is when we update the log server with the resolved objects, so that logs will show Check Point objects rather than IP’s, ports etc.

Technically, by the time you see "Finalizing...", the policy is already applied on your gateway. This is only a completing step for the sake of logs data.

Few things that I'd like to point out:

Perhaps the 99% delay is the SMS putting/committing a copy of the successfully installed policy into the "Installation History" list of the SmartConsole

One word which we no longer use in R80 is "copy". Things are pointed to, not duplicated. The Installation History is simply references revision ID's which were sent to a Gateway. I know that when we sell R80 Management we start with the things which are easier to explain (multi-admins, publish mode, locks) but I am hoping with this community we'll be able to discuss the hidden architectural benefits in more detail.

Vladimir
Champion
Champion
‎2018-01-17 12:40 PM
In response to Tomer_Sole
Jump to solution

Thank you Tomer!

Nice to get a definitive answer Smiley Happy

0 Kudos
MikaelJohnsson
Contributor
‎2019-05-23 07:43 AM
In response to Tomer_Sole
Jump to solution

@Tomer_Sole  Do you know (or can you check) if this procedure has changed in R80.20?

I have started seeing more and more policy-installations stuck at 99% for a couple of clients.

Some of them hang for hours (or until we have to get the SMS working again and do a cpstop && cpstart).

 

0 Kudos
Heath
Collaborator
‎2019-06-11 03:36 PM
In response to MikaelJohnsson
Jump to solution

We are seeing this same issue after moving to R80.20 management. I ran a policy install on a cluster just now that took 3 minutes to go to the finalizing stage at 99% and it's still finalizing after 30 minutes. I've attached a screenshot showing the start time and the current time. This management and gateway are located at the same site...

image.png

0 Kudos
Heath
Collaborator
‎2019-06-11 03:44 PM
In response to Heath
Jump to solution

Creating a new thread since this OP is solved.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events