mjovovic
Contributor

Policy installation failed on gateway - Error code: 1-2000245

Hello,

Environment:

  • R80.40 MGMT server (open server, VMware).
  • R80.40 ClusterXL (two GWs)

We faced an error today when we tried to install policy on the CP cluster. We simply cannot install the security policy on the cluster; it fails with an error:

Status: Failed - Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 1-2000245)


 

I cannot find any official Check Point SK regarding this particular error.

There is one SK with many R8X.XX errors, but not this particular one:

"Policy installation failed on gateway. If the problem persists contact Check Point support (Error c... In this SK there is the following explanation under 34:

[Screenshot: 1.jpg]

I opened an SR along with the policy report file from the MGMT server (from the picture above), but still no valid help from Check Point technical staff.

We reverted one DB revision back (when all worked), but the error is still in place; we cannot install policy.


We installed the latest jumbo for R80.40 (take 120), but the error is still there.

How can we check if some object is locked in the DB for some strange reason? We tried rebooting the MGMT server, with no success.

We tried rebooting both GWs and a failover, but again with no success; the error is still in place.

Our GWs have an old jumbo; maybe take 120 should be installed on them too? I assume this is only an MGMT-side error.

All suggestions are welcome. Kindly feel free to comment on this subject.

 

Regards,

 

Milos

mjovovic
Contributor

This is the MGMT server's policy install log file during the policy install error:

23/08/21 14:13:06,815 INFO com.checkpoint.management.dleserver.coresvc.internal.LegacyPolicyLoader$PolicyLoadTask.doWork:151 [unboundedTaskExecutor-19]: Starting to loading policy 'Standard' for product 'Access' on 1 gateways. Calling thread: unboundedTaskExecutor-3 (id: 226)
23/08/21 14:13:54,111 INFO com.checkpoint.management.dleserver.coresvc.internal.PolicyLoaderTask.executeLoadCommands:231 [unboundedTaskExecutor-19]: Loader executions completed
23/08/21 14:13:54,112 INFO com.checkpoint.management.dleserver.coresvc.internal.PolicyLoaderTask.executeLoadCommands:171 [unboundedTaskExecutor-19]: Command's full output:
------------------------------------------------
**##MSG_IDENTIFY##**2&1&Layer 'Application': Rule 4 will not be enforced properly, because of deprecated application(s) : Sexy Insurance! , SharkTorrent &<NULL>&<NULL>&0&<NULL>
**##MSG_IDENTIFY##**2&1&Layer 'Application': Rule 5 will not be enforced properly, because of deprecated application(s) : Sexy Insurance! &<NULL>&<NULL>&0&<NULL>
**##PERF_MSG_IDENTIFY##** {"duration_data":[{"duration":7.289858238999983,"name":"duration_of_legacy_verification"}]}

Standard.W: Security Policy Script generated into Standard.pf&CURRENTVERCMP
**##MSG_IDENTIFY##**2&0&Verification was successful.&50&<NULL>&1&CURRENTVERCMP
export Standard.set:&CURRENTVERCMP
Compiled OK.&CURRENTVERCMP
Standard:&CURRENTVERCMP
Compiled OK.&CURRENTVERCMP
export Standard.set:&CURRENTVERCMP
Compiled OK.&CURRENTVERCMP
Standard:&CURRENTVERCMP
Compiled OK.&CURRENTVERCMP
**##MSG_IDENTIFY##**3&0&Compilation was successful&50&<NULL>&1&CURRENTVERCMP
Installing Security Gateway policy on: CP_ClusterXL ...&CURRENTVERCMP
**##MSG_IDENTIFY##**5&0&Transfer was successful.&GW2&<NULL>&1&CURRENTVERCMP
**##MSG_IDENTIFY##**5&0&Transfer was successful.&GW1&<NULL>&1&CURRENTVERCMP
**##MSG_IDENTIFY##**6&2&Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 1-2000245).&GW2&<NULL>&0&CURRENTVERCMP
Security Gateway policy installation failed for Security Gateway GW2 (member of CP_ClusterXL)...&CURRENTVERCMP
&CURRENTVERCMP
**##MSG_IDENTIFY##**6&2&&GW2&CP_ClusterXL&0&CURRENTVERCMP
**##MSG_IDENTIFY##**6&2&&GW2&<NULL>&1&CURRENTVERCMP
**##MSG_IDENTIFY##**8&2&&GW2&<NULL>&1&CURRENTVERCMP
**##MSG_IDENTIFY##**6&2&Policy installation failed on gateway. If the problem persists contact Check Point support (Error code: 1-2000245).&GW1&<NULL>&0&CURRENTVERCMP
Security Gateway policy installation failed for Security Gateway GW1 (member of CP_ClusterXL)...&CURRENTVERCMP
&CURRENTVERCMP
**##MSG_IDENTIFY##**6&2&&GW1&CP_ClusterXL&0&CURRENTVERCMP
**##MSG_IDENTIFY##**6&2&&GW1&<NULL>&1&CURRENTVERCMP
**##MSG_IDENTIFY##**8&2&&GW1&<NULL>&1&CURRENTVERCMP
&CURRENTVERCMP
Security Gateway policy Installation for all modules was stopped.&CURRENTVERCMP
Security Gateway policy installation failed for:&CURRENTVERCMP
GW2 (member of CP_ClusterXL) GW1 (member of CP_ClusterXL) &CURRENTVERCMP
**##PERF_MSG_IDENTIFY##** {"duration_data":[{"duration":0.4870699480000366,"name":"duration_of_code_generation#CP_ClusterXL"},{"duration":0.0,"name":"duration_of_policy_commit#CP_ClusterXL"},{"duration":0.8203237759999613,"name":"duration_of_policy_compilation#CP_ClusterXL"},{"duration":0.5117448279999466,"name":"duration_of_policy_transfer#CP_ClusterXL"}]}&CURRENTVERCMP
**##MSG_IDENTIFY##**10&0&&<NULL>&<NULL>&1&CURRENTVERCMP
------------------------------------------------

23/08/21 14:13:54,121 INFO com.checkpoint.management.dleserver.coresvc.internal.LegacyPolicyLoader$PolicyLoadTask.doWork:40 [unboundedTaskExecutor-19]: Completed to load legacy policy for product 'Access'
23/08/21 14:14:03,429 INFO com.checkpoint.management.dleserver.coresvc.internal.PolicyInstallationSvcImpl.doInstallPolicy:1302 [unboundedTaskExecutor-3]: Completed policy installation
23/08/21 14:14:03,430 INFO com.checkpoint.management.dleserver.coresvc.internal.PolicyInstallationSvcImpl$1AsyncRunner.call:6 [unboundedTaskExecutor-3]: Completed asynchronous policy installation task

 

mjovovic
Contributor

In addition to the update above, there are many statements in the log file like the following ones (before this error):

23/08/21 14:13:00,266 INFO com.checkpoint.management.appi.internal.ConverterCpmiAppfwApplication.convert:11 [unboundedTaskExecutor-6]: Converting object: 'World Of Tanks' (uid: 02b38e7c-bd35-23b3-e053-08241dc279c2)
23/08/21 14:13:00,266 INFO com.checkpoint.management.appi.internal.ConverterCpmiAppfw.getArrayListWithWebBrowsingGroup:8 [unboundedTaskExecutor-6]: the services collection contains web browsing group.
23/08/21 14:13:00,266 INFO com.checkpoint.management.appi.internal.ConverterCpmiAppfw.getArrayListWithWebBrowsingGroup:5 [unboundedTaskExecutor-6]: the web browsing group changed.

the_rock
Authority

This is a tricky one... I have seen a few posts with very similar errors, but it's never one specific solution. I have a few questions; hopefully we can help you fix this...

1) When exactly did this happen? Any changes done to the policy (I'm specifically referring to possibly adding/modifying dynamic objects)?

2) Have you tried the fwm load command on mgmt? So something like this... actually, never mind, that does not work on R80+... so try mgmt_cli --help and it should give you options to try installing policy from there.

3) Does this mgmt only manage these gateways? If not, does policy work on any other firewalls?

4) What does cpwd_admin list show on your management server?

Andy

mjovovic
Contributor

Hi Andy,

 

This MGMT only manages this cluster (2 GWs).

This happened when our customer created one object (host type) and put it in the access policy layer in the source column:

[Screenshots: 1.jpg, 2.jpg]

When we deleted it, the error did not disappear, and the policy revert did not solve the error.

We did not try mgmt_cli and the policy install option.

 

cpwd_admin list output:

APP PID STAT #START START_TIME MON COMMAND
CPVIEWD 8477 E 1 [16:13:38] 23/8/2021 N cpviewd
CPVIEWS 8482 E 1 [16:13:38] 23/8/2021 N cpview_services
CPD 8504 E 1 [16:13:38] 23/8/2021 Y cpd
TP_CONF_SERVICE 8531 E 1 [16:13:38] 23/8/2021 N tp_conf_service --conf=tp_conf.json --log=error
FWD 8575 E 1 [16:13:39] 23/8/2021 N fwd -n
FWM 8684 E 1 [16:13:41] 23/8/2021 N fwm
STPR 8690 E 1 [16:13:43] 23/8/2021 N status_proxy
SOLR 8883 E 1 [16:13:46] 23/8/2021 N java_solr /opt/CPrt-R80.40/conf/jetty.xml
RFL 8979 E 1 [16:13:47] 23/8/2021 N LogCore
SMARTVIEW 9065 E 1 [16:13:49] 23/8/2021 N SmartView
INDEXER 9279 E 1 [16:13:53] 23/8/2021 N /opt/CPrt-R80.40/log_indexer/log_indexer
SMARTLOG_SERVER 10017 E 1 [16:14:18] 23/8/2021 N /opt/CPSmartLog-R80.40/smartlog_server
EXPORTER.QRadar 10340 E 1 [16:14:33] 23/8/2021 N /opt/CPrt-R80.40/log_exporter/targets/QRadar/log_exporter -export /opt/CPrt-R80.40/log_exporter/targets/QRadar/targetConfiguration.xml
REPMAN 10391 E 1 [16:14:37] 23/8/2021 N java_repository_manager
DASERVICE 10438 E 1 [16:14:39] 23/8/2021 N DAService_script
AUTOUPDATER 10737 E 1 [16:14:43] 23/8/2021 N AutoUpdaterService.sh
CPM 17248 E 1 [16:15:16] 23/8/2021 N /opt/CPsuite-R80.40/fw1/scripts/cpm.sh -s
CPSM 12630 E 1 [16:18:03] 23/8/2021 N cpstat_monitor
LPD 24768 E 1 [16:19:35] 23/8/2021 N lpd

the_rock
Authority

OK, interesting... so the mgmt side shows all processes are running. Just wondering, do you get any errors if you do policy verification from the dashboard?

mjovovic
Contributor

The problem was software on the GW side; there was some bug, which was solved by installing the latest Jumbo on both GWs.

Luckily it went that way; nothing looked suspicious with the GWs to us.

the_rock
Authority

Yeah, I hear ya, you definitely got lucky on that one. I'm glad you got it working!
