This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
kamilazat
Collaborator
3 weeks ago

Policy installation failure due to expired time objects

Hello all!

In R81.10 JHF Take 150, the policy package that gets installed on a cluster fails with the error message below.

"Some Access rules have time objects that are expited at least 2 days ago and were not loaded to the GW. See sk155253 for more details."

Policy debug script did not give us anything other than the same message. sk155253 suggests cleaning the relevant rules, understandably.

After several installation trials the policy gets installed. Until the successful installation, no changes are being made other than repeatedly trying to install policy.

I tried replicating the issue on a lab with the same version and hotfix, but I can install policy with expired rules successfully every single time. So I have 2 questions at this point.

1. Is policy installation failure when there are expired rules an expected behavior, or should I look deeper into the system for other issues that may have caused the failure?

2. We plan to delete the time objects and disable the relevant rules temporarily, do expired time objects render a rule as if it is disabled, or are there nuances to it?

 

Cheers!

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
3 weeks ago

Unlikely that expired Time objects are the cause of the issue.

Having one or more rules with expired Time objects should not cause a policy installation failure unless EVERY rule in the policy has an expired Time object (which sk155253 states).
Rules with expired Time objects will function similar to how "Disabled" rules behave (i.e. they'll be ignored).

0 Kudos
the_rock
Legend
Legend
3 weeks ago

That should be easy to fix. Just navigate to below and delete whats expired, install policy, will work 100% 🙂

Andy

 

whatever is in red, make sure its not used, delete, install policy

 

Screenshot_1.png

 

 

Screenshot_2.png

 

 

Screenshot_3.png

0 Kudos
kamilazat
Collaborator
3 weeks ago
In response to the_rock

@the_rock thank you for the answer. Right now what's more important is to understand why the policy installation fails. I tried messing with the rules in my lab to make it fail, but it turned out to be pretty resilient 🙂

For what it's worth, we opened a TAC ticket to investigate further.

0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to kamilazat

Hey bro,

I believe from the sk, its fairly clear why it would fail. For sure sounds like its because of the expired time object. I even replicated this in R81.20 and R82 labs myself.

Andy

0 Kudos
kamilazat
Collaborator
2 weeks ago
In response to the_rock

Wait, how on earth did you manage to get an error? I've been trying very hard to get that failure (on 81.10 specifically) but failed.

Maybe it's something specific to 81.10?

0 Kudos
the_rock
Legend
Legend
2 weeks ago
In response to kamilazat

Maybe, I have no clue. I dont have R81.10 lab any longer.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
2 weeks ago
In response to kamilazat

Can you share a screenshot of the actual error / failure?

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events