L180rMal35
Participant

Policy Verification - "Too many errors"

Hi Everyone,

I'm working on a policy audit and I'm trying to identify shadowed and redundant rules.

The management server in scope is Check Point Multi Domain Server R81.20 Jumbo HFA Take:92

I decided to enable RHR as per sk161574 to be able to identify hidden rules.

My question is:

Whenever I run Policy verification from Smart Console or using mgmt_cli, I get only limited output ending with "Too many errors" (see below). I believe this is most likely related to the buffer limit (sk138153); however, the SK says version R80.10 only.

Is there any way to get a full list? I tried to debug policy verification, but I'm unable to see those errors. (sk44338)

"Verify policy operation" failed (100%)
tasks:
- task-id: "01234567-89ab-cdef-9a3c-406faee92d10"
task-name: "Verify policy operation"
status: "failed"
progress-percentage: 100
suppressed: false
task-details:
- workSession: "381bb463-4f9f-44bc-ac0c-5e9241ff8cd6"
title: "Verification of policy 'Standard' completed with errors"
notifications: []
warnings: []
errors:
- "Error: Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 4 (AZURE TUNNEL ICMP/ALL) for Services & Applications: echo-request ."
- " Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 6 for Services & Applications: domain-udp ,domain-tcp ."
- " Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 9 for Services & Applications: domain-udp ,domain-tcp ."
- " Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 15 for Services & Applications: domain-udp ,domain-tcp ."
- " Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 64 for Services & Applications: domain-udp ."
- " Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 67 for Services & Applications: domain-tcp ."
- " Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 68 for Services & Applications: domain-tcp ."
- " Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 74 for Services & Applications: domain-udp ,domain-tcp ."
- " Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 75 for Services & Applications: domain-udp ,domain-tcp ."
- " Layer Standard Network: Rule 71 Hides rule 77 for Services & Applications: TCP-9996 ,TCP-9999 ,TCP_9997 ."
- " Layer Standard Network: Rule 95 (GOOGLE CLOUD) Hides rule 96 (GOOGLE CLOUD) for Services & Applications: https ."
- " Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 110 (Cloud-AZURE EMEA - Azure t...) for Services & Applications: domain-udp ,domain-tcp ."
- " Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 111 (Cloud-AZURE EMEA- Internal...) for Services & Applications: domain-udp ,domain-tcp ."
- " Layer Standard Network: R"
- " Too many errors."

 

0 Kudos
13 Replies
the_rock
Legend

Does it match with what you see in smart console?

Andy

0 Kudos
L180rMal35
Participant

Yes, it does.

0 Kudos
PhoneBoy
Admin

I suspect it's the same underlying issue and you'll have to request the relevant fix to be ported to your version.

0 Kudos
Tal_Paz-Fridman
Employee

I'll ask R&D owner if there is a way to see all the errors.

Tal_Paz-Fridman
Employee

According to the R&D owner, there is no way to view all errors. Open an SR and ask for a task to be opened for CFG to create an HF for the customer.

the_rock
Legend

Thanks for that update Tal, good to know.

Andy

0 Kudos
L180rMal35
Participant

Thanks a lot. I'm going to raise an SR.

0 Kudos
L180rMal35
Participant

According to the TAC engineer, it is not possible to view the full list of errors (SR#6-0004235685 Policy Verification - "Too many errors"). I'm waiting for an official statement.

0 Kudos
AkosBakos
Mentor

Hi @L180rMal35 

As I remember, when I had this error, the solution was to solve the problems one by one. And it was R81.20.

I hope it helps.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
L180rMal35
Participant

Hi @AkosBakos,

I'm doing an audit, not fixing problematic rules, hence I need a full list of the conflicting rules.

Thanks for the advice.

Libor

0 Kudos
AkosBakos
Mentor

Ahhh, this is bad news. And what if you temporarily disable rule 2? Are there a lot of hides too?

 

----------------
\m/_(>_<)_\m/
0 Kudos
L180rMal35
Participant

That removes the rule 2 errors and gives me other rule errors 🙂

"Verify policy operation" failed (100%)
tasks:
- task-id: "01234567-89ab-cdef-af1f-d592e809e970"
task-name: "Verify policy operation"
status: "failed"
progress-percentage: 100
suppressed: false
task-details:
- workSession: "6bb0202b-2d8b-4fd5-9e04-e8677051d17d"
title: "Verification of policy 'Standard' completed with errors"
notifications: []
warnings: []
errors:
- "Error: Layer Standard Network: Rule 71 Hides rule 77 for Services & Applications: TCP-9999 ,TCP_9997 ,TCP-9996 ."
- " Layer Standard Network: Rule 95 (GOOGLE CLOUD) Hides rule 96 (GOOGLE CLOUD) for Services & Applications: https ."
- " Layer Standard Network: Rule 122 (Cloud-AZURE EMEA) Hides rule 123 (Cloud-AZURE EMEA) for Services & Applications: https ."
- " Layer Standard Network: Rule 130 (Cloud-AZURE EMEA) Hides rule 133 (Cloud-AZURE EMEA) for Services & Applications: MS-SQL-Server ."
- " Layer Standard Network: Rule 122 (Cloud-AZURE EMEA) Hides rule 146 for Services & Applications: https ."
- " Layer Standard Network: Rule 137 (Cloud-AZURE EMEA) Hides rule 161 (Cloud-AZURE EMEA) for Services & Applications: Remote_Desktop_Protocol ."
- " Layer Standard Network: Rule 145 Hides rule 176 for Services & Applications: https ,smtp ."
- " Layer Standard Network: Rule 122 (Cloud-AZURE EMEA) Hides rule 177 for Services & Applications: https ."
- " Layer Standard Network: Rule 146 Hides rule 177 for Services & Applications: https ,smtp ."
- " Layer Standard Network: Rule 147 Hides rule 178 for Services & Applications: smtp ."
- " Layer Standard Network: Rule 181 Hides rule 191 for Services & Applications: LSA-SAM-Netlogon ,TCP_135 ."
- " Layer Standard Network: Rule 181 Hides rule 195 for Services & Applications: TCP_135 ."
- " Layer Standard Network: Rule 187 Hides rule 196 for Services & Applications: UDP_5723 ,TCP_5723 ."
- " Layer Standard Network: Rule 209 (SAPHEC) Hides rule 223 (SAPHEC) for Services & Applications: TCP_9000 ,TCP_4304 ."
- " Layer Standard Network: Rule 221 (SAPHEC) Hides rule 223 (SAPHEC) for Services & Applications: TCP_9000 ,TCP_4304 ."
- " Layer Standard Network: Rule 99 (GOOGLE CLOUD) Hides rule 233 (SAPHEC) for Services & Applications: htt"
- " Too many errors."

Executed command failed. Changes are discarded.

AkosBakos
Mentor

**bleep** happens  😕 I ran out of ideas.

Maybe the best solution would be to rebuild the policy in a new package, then make the audit.

Akos 

----------------
\m/_(>_<)_\m/
0 Kudos
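
Added example (not part of the thread and not Check Point code): a small parser for the "Hides rule" entries in the verification output posted above, which merges the partial lists from several runs and reports whether any run was cut off by "Too many errors". It cannot recover entries the server dropped; it assumes rule numbers stay the same between runs, and the sample lines are excerpts of the two outputs in this thread.

```python
import re

# One "Hides rule" entry as printed in the errors: list of the outputs above.
HIDE_RE = re.compile(
    r"Layer (?P<layer>.+?): Rule (?P<hider>\d+)(?: \(.*?\))? "
    r"Hides rule (?P<hidden>\d+)(?: \(.*?\))? "
    r"for Services & Applications: (?P<services>.*?) \.$"
)

# Sample input: lines excerpted from the two outputs posted in this thread.
RUN_1 = '''errors:
- "Error: Layer Standard Network: Rule 2 (Testing rules for Cloud pee...) Hides rule 4 (AZURE TUNNEL ICMP/ALL) for Services & Applications: echo-request ."
- " Layer Standard Network: Rule 71 Hides rule 77 for Services & Applications: TCP-9996 ,TCP-9999 ,TCP_9997 ."
- " Layer Standard Network: R"
- " Too many errors."'''
RUN_2 = '''errors:
- "Error: Layer Standard Network: Rule 71 Hides rule 77 for Services & Applications: TCP-9999 ,TCP_9997 ,TCP-9996 ."
- " Layer Standard Network: Rule 122 (Cloud-AZURE EMEA) Hides rule 146 for Services & Applications: https ."
- " Layer Standard Network: Rule 99 (GOOGLE CLOUD) Hides rule 233 (SAPHEC) for Services & Applications: htt"
- " Too many errors."'''

def parse_run(text):
    """Return (hides, fragments, truncated) for one verification output."""
    hides, fragments, truncated = set(), [], False
    for line in text.splitlines():
        entry = line.strip().lstrip("- ").strip('"').strip()
        m = HIDE_RE.search(entry)
        if m:
            services = frozenset(s.strip() for s in m["services"].split(","))
            hides.add((m["layer"], int(m["hider"]), int(m["hidden"]), services))
        elif entry == "Too many errors.":
            truncated = True
        elif "Layer " in entry:
            fragments.append(entry)  # entry cut off mid-line by the server
    return hides, fragments, truncated

def merge_runs(outputs):
    """Union the hides of several runs; flag the result if any run was cut off."""
    merged, incomplete = {}, False
    for text in outputs:
        hides, fragments, truncated = parse_run(text)
        incomplete = incomplete or truncated or bool(fragments)
        for layer, hider, hidden, services in hides:
            merged.setdefault((layer, hider, hidden), set()).update(services)
    return merged, incomplete

if __name__ == "__main__":
    merged, incomplete = merge_runs([RUN_1, RUN_2])
    print(sorted(merged), "list incomplete:", incomplete)
```

For an audit report, keep the incomplete flag next to the merged list so that the result is not read as the full set of hidden rules.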
