Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Thomas_Eichelbu
Advisor
Advisor

Policy is not applied on gateway, but install says successfully?

Hey Chechmates,

following problem,

we have a R80.10 SMS and a 1450 Appliance with DAIP.

when we try to push a policy its all fine, policy installations is succeeding but the policy is not applied to the appliance.

when we check the /opt/CPsuite-R80/fw1/state directory, all firewall are well up to date, but this specific appliance has an a very outdated directory...

we have also encountered problems with the SIC, it is not possible to test the SIC from the Dashboard, but it says OK in SMS and OK on the appliance as well.

Due the fact people are working 24x7 on this location we are afraid to reset SIC, and we have nobody on site who cas assist us in the case are lockedout after reseting the SIC ...

any ideas how to solve it ?

why is a policy install not updating the /opt/CPsuite-R80/fw1/state directory?

can if tbe forced, or renamed, deleted?

every ideas are welcome.

best regards
Thomas.

4 Replies
PhoneBoy
Admin
Admin

The way policy installation works on gateways with a dynamic IP is different than in gateways that have a static IP.

Specifically, the policy is only compiled and "saved" to the management station so that the gateway can fetch it.

This is why policy installation succeeds in your case--it's not actually talking to your gateway Smiley Happy

If you can get to the CLI of your gateway (it sounds like you can), then you can force the issue using the CLI command fw fetch management-ip

If you get errors during this process, then you will have something to work with.

There is a procedure for resetting SIC without interrupting traffic flow, but I haven't tried it on the SMB appliances.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Did you already try to fetch policy in GAiA Embedded WebGUI ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Thomas_Eichelbu
Advisor
Advisor

Hello Günther,

sorry for my late replay, but we solved it finally, and the solution was too easy ;-(

but regarding your question, yes we did. we did fetched the policy from the GAiA Embedded Web UI several times. All was fine, also the connection to the SMS Server was shown as "green"

but after trying a SIC test from SMS we saw that is was NOT successfull. So we said it might be a connectivty issue.

the firewall is placed behind a NAT device receiving a 192.168.x.x IP from this device.

we discovered that somehow the IP adress on the NAT device used for the portforwarding was wrong.
So incoming connections where not forwarded to the firewall ... this was the cause.

so a simple solution.

but altough we were surprised that a policy install was shown as successfull, the policy directory on the SMS was not updated.

so finally its solved ...

thank you for your input.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Now it is solved, that is the most important think - and we have learned something new again 😉

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events