This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Heath
Collaborator
‎2019-06-11 03:54 PM

R80.20.M2 Management - Finalizing Stuck at 99% During Policy Installs

Setup is 2x Management Server 5150 with dedicated SmartEvent server all running R80.20.M2 pushing policy to a single 5800 HA ClusterXL setup all running R80.10. The management and cluster are located at the same site. The access/threat policy takes less than 3 minutes to succeed on the cluster but the 99% finalizing status takes a very long time to complete. I've just pushed a policy and it again finished in 3 minutes but has been stuck at 99% finalizing for the past 45 minutes...

 

 image.png

 

Is anyone else experiencing this after updating your management to R80.20.M2 or R80.20 in general?

14 Replies
PhoneBoy
Admin
Admin
‎2019-06-11 04:03 PM

I would open a TAC case so we can investigate.
Overall with R80.20, the policy push time should take around 2 minutes.
While times above 2 minutes are not uncommon in some scenarios, 45 minutes of "finalizing" time is definitely unusual.
Tomer_Sole
Mentor
Mentor
‎2019-06-11 10:48 PM

Finalizing step is for post-policy installation activities, most notably Install Database at the log server in order to ensure that names of hosts are displayed instead of IP addresses at the log cards. So by the time that you see Finalizing, the enforcement already happens.

Heath
Collaborator
‎2019-06-12 06:29 AM
In response to Tomer_Sole

That 99% finalizing finished after almost exactly 2 hours. This time of finalizing aligns with what another employee is experiencing when pushing to this same cluster. Yet another employee says he does not have these same issues:

 

image.png

 

I updated the version above because it's R80.20.M2 for the management. After talking with my team, we are also seeing these issues:

 

- SmartConsole > Gateways & Servers clicking on a gateway or cluster will open up a, seemingly, random gateway object. This is not resolved until you close and re-open the SmartConsole

- SmartConsole > Logs & Monitor sometimes this tab is unresponsive and it will have to be opened in the top menu

- SmartConsole login sessions using RADIUS get hung where we cannot login. Rebooting the management does not help the situation but it clears randomly after time where we can login. Local logins still work during this time.

 

Heath
Collaborator
‎2019-06-12 06:35 AM
In response to Heath

We have opened a TAC case and will update this ticket with the resolution.

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2019-06-17 12:36 AM

Hi 

 

Is this something that is happens every time or at least frequently? 

If so please contact me directly at tfridman@checkpoint.com so that we can collect the relevant debug information and analyze with R&D.

 

Best wishes

Tal

Heath
Collaborator
‎2019-06-17 06:29 AM
In response to Tal_Paz-Fridman

After working through some troubleshooting with support we narrowed it down to this happening on a certain gateway. I think it was amplified because this is one of our more active environments. I believe we gave some debugs to support last week. I'll include you on the messages with support. Thanks for following up!

Tal_Paz-Fridman
Employee
Employee
‎2019-06-17 06:40 AM
In response to Heath

Great. If you still want me to have R&D look at it directly please send me the following files for the install policy that is stuck:

$MDS_FWDIR/log/cpm.elg

$MDS_FWDIR/log/install_policy.elg

 

Also from the first message this is a Security Management Server?

 

Best wishes

Tal

 

Heath
Collaborator
‎2019-06-18 07:28 AM
In response to Tal_Paz-Fridman

Will do. Our admin is going to include you in the ticket we have opened. Thanks!

0 Kudos
Julie_Paul
Employee
Employee
‎2019-07-12 08:59 AM
In response to Heath

Any updates or fixes on This?
0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2019-07-15 08:02 AM
In response to Julie_Paul

Hi @Julie_Paul 

This issue was also handled by TAC and resolved with a W/A.

The problem was related to the policy that was installed on the gateway (please refer to SR 6-0001670596 for further information).

Tal

0 Kudos
Heath
Collaborator
‎2019-07-15 08:15 AM
In response to Tal_Paz-Fridman

We have yet to apply the suggestions from TAC. We will update after this is resolved on our side here and via the ticket.

0 Kudos
Tal_Paz-Fridman
Employee
Employee
‎2019-07-15 08:17 AM
In response to Heath

Thanks for update!

Tal

0 Kudos
Heath
Collaborator
‎2019-08-09 07:45 AM
In response to Tal_Paz-Fridman

Still trying to capture the correct debugs for support...

0 Kudos
Vladimir
Champion
Champion
‎2019-08-09 11:23 AM
In response to Heath

I have observed this behavior when IPS updates were performed during policy installation and the TP profile called for them NOT to be in Staging mode.

The longer the period between IPS updates, the longer the installation of the policy takes.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events