RS_Daniel
Collaborator

R81 policy installation fails

Hello CheckMates,

I am facing a problem with one customer. We have a management server on R81 JHA Take 36. When we run accelerated policy installation it fails with the error "Layer 'XXX 'Application': No active rules found in the Security Policy" and "Policy verification failed".

In our case the error lists three inline layers. Because of sk168364, we verified that the three inline layers have active rules; our Application layer also has a lot of active rules, so that SK does not apply here. If we run policy installation with acceleration disabled, the task completes successfully.

Any help is appreciated. Thanks in advance.

Regards

14 Replies
the_rock
Authority

Can you please send a screenshot of it? I know I fixed an issue like this before, but I really need to see the actual error.

RS_Daniel
Collaborator

error_obf.png

the_rock
Authority

See if the below applies; if not, feel free to message me privately and I'd be happy to do a remote session with you (I'm fairly open today).

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Cheers,

Andy

Chris_Atkinson
Employee

What version are the corresponding gateways, and what is populated in the Install On column of the rules?

RS_Daniel
Collaborator

Hello, the problem appears in two clusters that were recently upgraded to R81 JHA Take 36 as well. The other gateways are on R80.40, so accelerated policy install is not possible for them and the problem does not appear. The three inline layers have two clusters in the Install On column; these two clusters are still on R80.40 and are not the policy installation target in the problem.
Regards

PhoneBoy
Admin

Recommend opening a TAC case on this.

RS_Daniel
Collaborator

Yes, we already have a case for this. TAC confirmed our configuration is ok and ran a policy installation debug. Will share the solution when the problem is solved. Thanks all for your replies.

Micky_Michaeli
Employee

Hi @RS_Daniel,

Is it possible that in the "problematic" layer all the rules are marked as Install On specific gateways, and you are trying to install policy on a different gateway?

RS_Daniel
Collaborator

Hello,

Yes, the problematic layers have GW1 and GW2 (both on R80.40) in the Install On column. But the problem appears only when we push policy to GW3 and GW4 (both on R81).

Micky_Michaeli
Employee

The issue will be resolved once you add a rule relevant for GW3 and GW4.

Since Accelerated policy installation is more efficient, GW3 and GW4 see only the rules installed on them.

So for them, there are no rules at all on this layer.

I believe it's also safer and improves visibility once you create a relevant rule for GW3 and GW4 (or for all gateways other than GW1 and GW2).

Thanks,

Micky

RS_Daniel
Collaborator

That makes a lot of sense to me. I have a couple of questions regarding this, please. The inline layers have the parent rule with GW1 and GW2 in the Install On column; the child rules also have specific gateways defined, but the cleanup rule is set to Any. Is it enough if we add a single child rule with GW3 and GW4 and leave the parent rule as is?

From my perspective it is a bug, because these inline layers deal with traffic not relevant to GW3 and GW4, and it shouldn't be necessary to add them to the rules. Is it going to be fixed in a future release?

Thanks for your help.

Micky_Michaeli
Employee

Hi @RS_Daniel ,

I want to be sure I understand.

You have a parent rule for the inline layer with GW1 and GW2, and inside the inline layer you have a cleanup rule with Any, is that correct?

If this is the case, I would like to take a look at it.

Can you send me a screenshot of this inline layer (including the parent) directly to my mail? mickym@checkpoint.com

Thanks.

RS_Daniel
Collaborator

Hello @Micky_Michaeli,

After my last post I double-checked the Install On column of the problematic layers. You were right, we were using specific gateways; after we changed the cleanup rule to Any, accelerated policy installation worked OK. If you don't mind, I wonder whether this behaviour will be changed in the future, because it forces you to always have your cleanup rule set to Any or to create a child rule with all the gateways as target. Thanks a lot for your help.
Regards
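To make the mechanism Micky_Michaeli describes concrete, and to show why RS_Daniel's change to the cleanup rule clears the error, here is an added example. It is not part of the original thread and not Check Point code: it is a constructed model of a rulebase in which each rule carries an Install On list, a gateway "sees" a rule only when that list is Any or names the gateway, and a layer with no visible rule fails verification with the message from the thread. The gateway names GW1..GW4, the layer and rule names, and the choice to model non-accelerated installation as verifying the whole rulebase are all assumptions made for the illustration; inline layers are verified regardless of the parent rule's Install On because that is the behaviour reported above.

```python
"""Model of how accelerated policy installation decides which rules a gateway
sees, and why a layer can end up with "No active rules" for one gateway.

Constructed example, not Check Point code: the data model and the verification
logic are assumptions that reproduce the behaviour described in the thread.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "Any"  # stands for the 'Any' value of the Install On column


@dataclass
class Rule:
    name: str
    install_on: List[str]                 # gateway names, or [ANY]
    enabled: bool = True
    inline_layer: Optional[Layer] = None  # set when the rule's action is an inline layer


@dataclass
class Layer:
    name: str
    rules: List[Rule]


def gateway_sees_rule(rule: Rule, gateway: str, accelerated: bool) -> bool:
    """Accelerated installation compiles only the rules whose Install On names
    the target gateway (or Any). The non-accelerated path is modelled here as
    verifying the complete rulebase, which is a simplification chosen to match
    the thread's observation that it succeeded."""
    if not rule.enabled:
        return False
    if not accelerated:
        return True
    return ANY in rule.install_on or gateway in rule.install_on


def verify_layer(layer: Layer, gateway: str, accelerated: bool = True,
                 errors: Optional[List[str]] = None) -> List[str]:
    """Return verification errors phrased like the message in the thread.

    Inline layers are checked even when the parent rule does not apply to the
    gateway: that is what RS_Daniel observed (parent rule with GW1/GW2 in
    Install On, failure reported when installing on GW3/GW4)."""
    if errors is None:
        errors = []
    if not any(gateway_sees_rule(r, gateway, accelerated) for r in layer.rules):
        errors.append(f"Layer '{layer.name}': No active rules found in the Security Policy")
    for rule in layer.rules:
        if rule.inline_layer is not None:
            verify_layer(rule.inline_layer, gateway, accelerated, errors)
    return errors


def build_policy(inline_cleanup_install_on: List[str]) -> Layer:
    """Hypothetical Application layer with one inline layer, mirroring the thread:
    the parent rule and the child rule target GW1/GW2 only, and the inline
    layer's cleanup rule is the knob that decides whether GW3/GW4 see anything."""
    inline = Layer("Branch inline", [
        Rule("branch web", ["GW1", "GW2"]),
        Rule("inline cleanup", inline_cleanup_install_on),
    ])
    return Layer("Application", [
        Rule("branch traffic", ["GW1", "GW2"], inline_layer=inline),
        Rule("corporate apps", [ANY]),
        Rule("cleanup", [ANY]),
    ])


def install_report(policy: Layer, gateways: List[str],
                   accelerated: bool = True) -> Dict[str, List[str]]:
    """Per-gateway verification result for a policy install on several targets."""
    return {gw: verify_layer(policy, gw, accelerated) for gw in gateways}


if __name__ == "__main__":
    targets = ["GW1", "GW3"]
    broken = build_policy(["GW1", "GW2"])  # inline cleanup limited to GW1/GW2
    fixed = build_policy([ANY])            # inline cleanup set back to Any
    for label, policy in (("before", broken), ("after", fixed)):
        for gw, errs in install_report(policy, targets).items():
            print(f"{label:6} {gw}: {'OK' if not errs else '; '.join(errs)}")
```

Running it shows GW1 passing in both variants, GW3 failing only in the "before" variant with the inline layer named in the error, and the same "before" policy passing for GW3 when `accelerated=False`. The practical check this suggests before a push: for each target gateway, walk every layer (including inline ones) and confirm at least one enabled rule has that gateway, or Any, in Install On.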

the_rock
Authority

You make a very logical point there, though I believe the official CP recommendation in a case like this would probably be to have separate policy packages if you have multiple firewalls. Just my 2 cents.
