This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Don_Paterson
Advisor
Advisor
‎2017-12-09 09:10 AM
Jump to solution

Policy installation and verification question

Hello,

I am hoping someone can give me more detailed or background information (or a link to an SK) to learn more about the steps below. Especially step 2.

Verification & Compilation

The Verification & Compilation stage of policy installation occurs on the management side. It involves the following steps:

 

1.Initiation — Policy installation is initiated either from SmartConsole or from the command line. 

2.Database Dump — A database dump from postgres to old file formats for cpmitable only if changes occurred. A dump from non cpmi will occur any time.

3.Verification — Information in the database is verified to comply with a number of rules specific to the application and package for which policy installation is requested. 

4.Conversion — The information in the database is converted from its initial format to the format understandable by later participants in the flow, such as code generation and gateway.

5.Fwm rexecFwm loader takes a lot of memory. To release memory after verification and conversion, fwm state is saved to a file located in the $FWDIR/tmp/ directory. fwm is then re-executed as a fwm load command to push the files for code generation and compilation.

6.Code Generation and Compilation — Policy is translated to the INSPECT language and compiled with the INSPECT compiler. 

Thanks,

Don

1 Solution

Accepted Solutions
Dan_Zaidman
Employee
Employee
‎2017-12-09 11:00 PM
Jump to solution

Hi Don.

Regarding Database dump,

The fwm loader expects the get its input as files.

the database may have change since the last install policy.

Therefore, we dump the postgres database to a temporary file structure, for every install policy, or install database command.

Dan

View solution in original post

6 Replies
KennyManrique
Advisor
‎2017-12-09 11:13 AM
Jump to solution

Hello Don,

I was trying to find the documentation mentioned on your request, but i wasnt able to do it. Do you have the source of this information?

However, you can verify the following SK solution for policy install:

sk60347: How To Troubleshoot Policy Installation Issues (for R75 - R77)

Regards.

0 Kudos
Don_Paterson
Advisor
Advisor
‎2017-12-09 11:34 AM
In response to KennyManrique
Jump to solution

Thanks Kenny,

It's from the CCSE R80.10 training. 

I couldn't find anything on it either. 

There is another SK that goes through the older version policy install steps but it's not as descriptive and I have asked for it to be reviewed and versions corrected. 

I am thinking that the answer may come from HQ where the info might have originated. 

Regards,

Don

KennyManrique
Advisor
‎2017-12-09 12:31 PM
In response to Don_Paterson
Jump to solution

Thanks for the clarification Don.

I think we have to wait some time for Secure Knowledge updates on R80 internal processes flow (in adition to already existent R80.x Security Management server main processes debugging) and new functionalities in the architecture (like inspection points "e" and "E" for encrypt mentionen in another post, UnifiedPolicy chain, etc.).

0 Kudos
Dan_Zaidman
Employee
Employee
‎2017-12-09 11:00 PM
Jump to solution

Hi Don.

Regarding Database dump,

The fwm loader expects the get its input as files.

the database may have change since the last install policy.

Therefore, we dump the postgres database to a temporary file structure, for every install policy, or install database command.

Dan

Don_Paterson
Advisor
Advisor
‎2017-12-10 05:36 AM
In response to Dan_Zaidman
Jump to solution

Thanks Dan. Can you share any information on the term cpmi table?

I would also be interested to know the key differences or responsibilities of fw_loader and fwm_loader?

I will do an analysis to understand the processes and files involved but their tasks may not be so easy for me to  understand (debug).

Regards,

Don

0 Kudos
Dan_Zaidman
Employee
Employee
‎2017-12-10 06:51 AM
In response to Don_Paterson
Jump to solution

Hi Don.

CPMI tables are related to the old database (not Java) such as in R77.

when running fwm with the argument  "load",

the fwm does not act as a server, it is running as a command.

fw_loader is the binary spawned from the fwm load command.

fwm load is running the conversion and verification.

fw_loader is running the the code generation and compilation.

Dan

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events