We had the same issue.  We edited a Native application in the Legacy dashboard. After we were seeing Policy installation failed on gateway - (Error code: 1-4000018).  We created a new Native Application in Smart Console and updated the object in the Legacy Dashboard policy and was able to push.  This was random though.  We updated the Native application in Legacy dashboard a few times and wasn't seeing the policy actually update or getting the Policy installation fail.  It wasn't until after 5 or 6 pushes we started seeing the Policy Installation fail.  What we were seeing though is if you edit the object in Legacy dashboard it wasn't applying the new access to the gateway policy after a successful policy push to the gateway.  Once we recreated the object in Smart Console and added the additional access everything worked as expected.

We are running R80.30 Gateway with Jumbo 214 with R80.40 Mgmt running jumbo 87

Agree 100%...I did something very similar and it worked. Though one time, I just modified something trivial in policy and then it also worked. I thought this is stricvtly R81 issue, but I also saw it in R80.xx as well. 

Andy

Yea, it seems to me like it could be random, as not everyone has this problem...maybe worth checking with TAC.

Hello,

Has anyone "dealt" with this message when installing policies?

Policy installation failed on gateway - (Error code: 0-3-2000173-1)

I can't find the error code in the Check Point documentation.

Any idea how to solve it?

Hey bro,

Never seen that exact error, but follow basic steps to check...SIC, routing, ping between gw and mgmt?

https://community.checkpoint.com/t5/General-Topics/Reg-policy-installation-failed-on-gateway/m-p/193...

Andy

I opened a case with the TAC.

Apparently, it is an "incompatibility" error between a MGMT R81.20 and GW which are in version R81.10.

I will wait for them to confirm if this is something common or new that is happening.

What exactly do you mean "incompatibility"? Can you copy the response here?

Andy

It was a comment made in a phone call.

I will have a remote session tomorrow.

I will update this post, so that it can be of help in the future.

In my opinion, such a statement is very broad and does not really explain as to what they were referring to. Anyway, keep us posted how remote goes bro.

Cheers,

Andy

Hello, Check Point Lovers 8)

Check Point, confirms that they have detected from several customers, an issue with R81.10.

The issue is about the installation of policies, and the error code that I exposed in this post.

Policy installation failed on gateway - (Error code: 0-3-2000173-1)

The temporary solution: Modify the IPS profiles you are working with in the GWs you have in production.

I leave the TAC instructions for this.:

1.fisrt of all we need to check if the gateway has a policy -

# fw stat

-check if it has the old policy/ Initial policy

If it has the old policy-

Change the IPS profile (on the profile section in TP policy) to -

Performance impact to :Medium and Lower and

Low confidence to : Inactive

After that please check you also change it in the custom policy.

Push the Policy.

If it don’t have policy-

1.Remove all the files from below directories on problematic gateway.
#rm -v $FWDIR/ips/update/0/*
#rm -v $FWDIR/ips/update/1/*
#rm -v $FWDIR/ips/update/2/*

2.Upload file "sd_updates.upf" under $FWDIR/ips/update/cur/ on problematic gateway from the case attachment ( sd_updates.udf)

3.Change IPS profile same as the first scenario.

4.Install access control policy and install TP policy.
Solution Description: 1.fisrt of all we need to check if the gateway has a policy -

# fw stat

-check if it has the old policy/ Initial policy

If it has the old policy-

Change the IPS profile (on the profile section in TP policy) to -

Performance impact to :Medium and Lower and

Low confidence to : Inactive

After that please check you also change it in the custom policy.

Check Point confirmed that its development area is working on a FIX to correct this problem.

At the moment, they have it "mapped" only in version R81.10.

I hope this will help you in the future.

Cheers 🙂

Thats good to know bro! I will say that ever since R80 came out, I always keep telling customers to ONLY enable IPS blade in the ips profile they want to use, if they are not using any other features listed there.

Thanks for sharing the update...GRACIAS 🙌

Andy

I met the issue with failed Access Control policy and Error code: 0-3-2000173-1 today on R81.10 VSX + MDS and based on your post I just changed these two options:

Performance impact to :Medium and Lower and

Low confidence to : Inactive

That way I was able to install the AC policy, but when I revert the IPS changes, installation fails again with the same error. So there is probably some broken IPS signature or something like that.

Yea, that would make sense.