Observed an interesting issue in Gaia R81.10 OS regarding access rules: policy verification succeeds from the menu option, but policy verification fails when installing policy. Does that mean access rules are not verified by the menu option (Policy Verification)?
The policy verification changed as of R80.40: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
What is the precise error that you see when you install policy?
Thank you, Sir, for the quick response. If you check my YouTube video (Today I have discover Interesting issue with GAIA R81.10 OS of Check Point Firewall - YouTube),
I have detailed what the problem is. As per sk161574,
---- But in my example, when I do verification from the menu option (as shown in the video), verification succeeded, and with the same config, when it is verified before policy installation (as shown in the video), we receive an error about the access rule (this is expected behavior, as I have not enabled IA). So my concern is: how does verification act differently here? Please see the video for more clarity. Thanks
I will check it after and see what it does.
I get what you are doing in the video, but I also believe CP wording is totally wrong. Here is why I say that... so when you push policy, the error says policy verification failed, BUT that's not true; it does not mean policy verification failed, it simply complains that certain blade settings / layer options are wrong.
So, all in all, I agree with you 100%, R&D should fix it, because it is a bit convoluted, to put it bluntly. By the way, it's not a bug, it's been doing that since the early days of R80 :-)
The policy verification only looks for inconsistencies with the access policy itself.
It does not check for errors in the configuration outside of that (for example, if you're using an Access Role in the policy and don't have Identity Awareness enabled).
This is expected behavior, I believe.
Hello Sir, if you see my video https://youtu.be/e81XjWM2WGQ, my concern is why policy verification behaviour is not the same when we do it from the menu option and when it happens as we install policy. The results are different; why so?
I see where your confusion is coming from.
Policy verification only looks at the rules logic and nothing else.
The error during policy installation results from your incorrect blade settings on the target GW. It can only be discovered during a pre-compilation stage when the policy is being prepared for a specific GW, and the GW's blade settings are fetched.
This is how it is supposed to work, there is nothing wrong here. You just need more knowledge about management procedures.
I would agree with you if the error only talked about the IA blade on the gateway. However, the error also mentions Policy Verification Failed, which to me means policy verification is also involved here. It appears to me that policy verification when preparing the GW install is different from verification from the menu. In that case, why do we need a menu option which doesn't detect/verify in depth? Please watch my video for better clarity.
I did watch your video before commenting. This does not change what I have said already.
Also, an admin note: soliciting clicks on your YouTube video is really unnecessary.
Just in case you are still missing the point.
Explicit policy validation only checks your policy rules logic, without relations to GWs this policy can be installed on. Pre-compilation process looks deeper and catches further errors.
Imagine your rulebase is to be installed on two gateways. GW1 has Identity Awareness enabled, GW2 does not. Rulebase itself is fine, but when installed, it will fail on GW2 and pass on GW1. This can only be detected during installation process, when a specific GW config is being verified.
Both are policy verifications, one just much deeper than the other.
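The two-gateway scenario from the reply above, as a small Python model (an added example, not Check Point code and not part of the original post; the class names, blade names and the `REQUIRED_BLADE` mapping are assumptions made for illustration). It shows why a rulebase-only check passes while the per-gateway check fails on GW2 only.

```python
from dataclasses import dataclass

# Hypothetical mapping: object type used in a rule -> blade the target gateway must run.
REQUIRED_BLADE = {"access-role": "identity-awareness"}

@dataclass
class Rule:
    name: str
    source: str        # object name, or "Any"
    source_type: str   # "network", "access-role" or "any"
    service: str       # service name, or "Any"
    action: str        # "accept" or "drop"

@dataclass
class Gateway:
    name: str
    blades: set

def verify_rulebase(rules):
    """Stage 1 (menu verification): rule logic only, no knowledge of any gateway.
    Simplified check: a rule fully covered by an earlier rule with another action."""
    errors = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_src = earlier.source in ("Any", later.source)
            covers_svc = earlier.service in ("Any", later.service)
            if covers_src and covers_svc and earlier.action != later.action:
                errors.append(f"rule '{later.name}' conflicts with earlier rule '{earlier.name}'")
                break
    return errors

def verify_for_gateway(rules, gw):
    """Stage 2 (install-time check): stage 1 plus the target's blade settings."""
    errors = verify_rulebase(rules)
    for rule in rules:
        blade = REQUIRED_BLADE.get(rule.source_type)
        if blade and blade not in gw.blades:
            errors.append(f"rule '{rule.name}' needs {blade}, not enabled on {gw.name}")
    return errors

def preflight(rules, gateways):
    """Run the deeper check for every install target before a maintenance window."""
    return {gw.name: verify_for_gateway(rules, gw) for gw in gateways}

# Constructed sample data matching the GW1/GW2 scenario.
RULES = [
    Rule("Finance to ERP", "Finance_Users", "access-role", "https", "accept"),
    Rule("Cleanup", "Any", "any", "Any", "drop"),
]
GATEWAYS = [Gateway("GW1", {"firewall", "identity-awareness"}),
            Gateway("GW2", {"firewall"})]
```

Calling `preflight(RULES, GATEWAYS)` returns an empty error list for GW1 and one blade-dependency error for GW2, while `verify_rulebase(RULES)` alone reports nothing.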
Hello Sir, please refer me to documentation from CP talking about the two different approaches to policy verification so I can use it for future reference.
Please just drop "sir" in this community, we are equal peers.
Please look into sk101226, sk112111, and sk179626. The last one is an illustration that during the installation phase, there are some advanced "policy verification" errors that may appear.
Thank you for sharing the SKs. I have seen that engineers in organizations depend on policy verification a lot, because they configure the policy, verify it, and install it during maintenance time. Hoping there will be more improvement to the policy verification feature.
Thanks for all support and guidance!
I still stand by what I said yesterday: the wording could definitely be more clear... something along the lines of, when you click verify from the menu, it says blades are misconfigured or an inline layer is placed wrongly. Something like that. For anyone brand new to CP, it sure can be confusing / convoluted. So, I'm glad you made that video @FirewallGyaan
@the_rock Thanks for all your support
Here is my corny joke of the day... for you, no charge, except iPhone charge, and if you don't use an iPhone, then you get coffee and a donut ;-)
sk101226: Policy installation flow