FirewallGyaan
Contributor

Today I discovered an interesting issue with the Check Point GAIA R81.10 OS.

I observed an interesting issue in the GAIA R81.10 OS regarding access rules: policy verification succeeds from the menu option, but policy verification fails when installing the policy. Does that mean access rules are not verified from the menu option (Policy Verification)?

https://youtu.be/e81XjWM2WGQ 

(1)
17 Replies
PhoneBoy
Admin

The policy verification changed as of R80.40: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

What is the precise error that you see when you install policy?

FirewallGyaan
Contributor

Thank you, Sir, for the quick response. If you check my YouTube video (Today I have discover Interesting issue with GAIA R81.10 OS of Check Point Firewall - YouTube),

I have detailed what the problem is. As per sk161574:

  • Policy verification does not alert about rules that hide other rules.
    Only conflicting rules are verified as part of policy verification.
    Specifically, policy verification does not alert about rules that hide other rules with the same action.

But in my example, when I do verification from the menu option (as shown in the video), verification succeeded, and with the same config, when verifying before policy installation (as shown in the video), we receive an error about an access rule (this is the expected behaviour, as I have not enabled IA). So my concern is: how does verification act differently here? Please see the video for more clarity. Thanks.

the_rock
Legend

I will check it later and see what it does.

the_rock
Legend

I get what you are doing in the video, but I also believe CP's wording is totally wrong. Here is why I say that: when you push policy, the error says policy verification failed, BUT that's not true. It does not mean policy verification failed; it simply complains that certain blade settings / layer options are wrong.

So, all in all, I agree with you 100%. R&D should fix it, because it is a bit convoluted, to put it bluntly. By the way, it's not a bug; it's been doing that since the early days of R80 : - )

PhoneBoy
Admin

The policy verification only looks for inconsistencies with the access policy itself.
It does not check for errors in the configuration outside of that (for example, if you're using an Access Role in the policy and don't have Identity Awareness enabled).

This is expected behavior, I believe.

FirewallGyaan
Contributor

Hello Sir, if you see my video https://youtu.be/e81XjWM2WGQ, my concern is why the policy verification behaviour is not the same when we run it from the menu option and when it happens while installing policy. The results are different; why so?


_Val_
Admin

I see where your confusion is coming from.

Policy verification only looks at the rules logic and nothing else. 

The error during policy installation results from your incorrect blade settings on the target GW. It can only be discovered during a pre-compilation stage when the policy is being prepared for a specific GW, and the GW's blade settings are fetched.

This is how it is supposed to work, there is nothing wrong here. You just need more knowledge about management procedures. 

FirewallGyaan
Contributor

I would agree with you if the error only talked about the IA blade on the gateway. However, the error also mentions "Policy Verification Failed", which means to me that policy verification is also involved here. It appears to me that policy verification when preparing the GW install is different from verification from the menu. In that case, why do we need the option from the menu, which doesn't detect/verify in depth? Please watch my video for better clarity.

https://youtu.be/e81XjWM2WGQ

_Val_
Admin

I did watch your video before commenting. This does not change what I have said already.

Also, an admin note, soliciting clicks on your youtube video is really unnecessary. 

_Val_
Admin

Just in case you are still missing the point.

Explicit policy validation only checks your policy rules logic, without relations to GWs this policy can be installed on. Pre-compilation process looks deeper and catches further errors.

Imagine your rulebase is to be installed on two gateways. GW1 has Identity Awareness enabled, GW2 does not. Rulebase itself is fine, but when installed, it will fail on GW2 and pass on GW1. This can only be detected during installation process, when a specific GW config is being verified.

Both are policy verifications, one just much deeper than the other. 

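To make the two stages described above concrete (the rulebase-only check behind the menu option, and the per-gateway check at install time with GW1 having Identity Awareness and GW2 not), here is a small model added as an example; it is not Check Point's code, and the object names, blade names and the single blade requirement it models are constructed for illustration.

```python
# Added example, not Check Point code: a model of the two verification stages
# discussed in this thread. Stage 1 ("Verify" from the menu) sees only the
# rulebase. Stage 2 (pre-compilation during install) checks each rule against
# the blade settings of one specific gateway. All names are constructed.
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    source: str        # e.g. "Access Role: HR_Users" or a network object name
    destination: str
    service: str
    action: str


@dataclass
class Gateway:
    name: str
    blades: set = field(default_factory=set)


def verify_rulebase(rules):
    """Stage 1: rule-logic only. Flags rules with the same match but a
    different action (conflicting rules); knows nothing about gateways."""
    errors, seen = [], {}
    for r in rules:
        key = (r.source, r.destination, r.service)
        if key in seen and seen[key].action != r.action:
            errors.append(f"rule '{r.name}' conflicts with '{seen[key].name}'")
        seen.setdefault(key, r)
    return errors


# Constructed mapping: an object type in a rule and the blade it needs on the GW.
BLADE_REQUIREMENTS = {"Access Role": "Identity Awareness"}


def precompile(rules, gw):
    """Stage 2: the same rulebase checked against one gateway's blade settings."""
    errors = []
    for r in rules:
        for obj_type, blade in BLADE_REQUIREMENTS.items():
            if r.source.startswith(obj_type) and blade not in gw.blades:
                errors.append(f"{gw.name}: rule '{r.name}' uses an {obj_type} "
                              f"but {blade} is not enabled")
    return errors


def install(rules, gateways):
    """Returns {gateway name: errors}; an empty list means install would proceed."""
    return {gw.name: precompile(rules, gw) for gw in gateways}


RULES = [Rule("Allow HR", "Access Role: HR_Users", "HR_Servers", "https", "Accept"),
         Rule("Cleanup", "Any", "Any", "Any", "Drop")]
GW1 = Gateway("GW1", {"Firewall", "Identity Awareness"})
GW2 = Gateway("GW2", {"Firewall"})

if __name__ == "__main__":
    print("menu verify:", verify_rulebase(RULES) or "succeeded")
    for name, errs in install(RULES, [GW1, GW2]).items():
        print(name, "->", errs or "policy would install")
```

Running it shows the rulebase passing stage 1 while stage 2 passes on GW1 and fails only on GW2, which is the behaviour the thread describes.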
FirewallGyaan
Contributor

Hello Sir, please refer me to documentation from CP talking about the two different approaches to policy verification so I can use it for future reference.

_Val_
Admin

Please just drop "sir" in this community, we are equal peers. 

Please look into sk101226, sk112111, and sk179626. The last one is an illustration that during the installation phase, there are some advanced "policy verification" errors that may appear.

FirewallGyaan
Contributor

Thank you for sharing the SKs. In my organization I saw engineers depend a lot on policy verification, because they configure the policy, verify it, and install it during the maintenance window. I hope there will be more improvement in the policy verification feature.

Thanks for all support and guidance!

the_rock
Legend

I still stand by what I said yesterday: the wording could definitely be clearer, something along the lines of, when you click verify from the menu, it says blades are misconfigured or an inline layer is placed wrongly. Something like that. For anyone brand new to CP, it sure can be confusing / convoluted. So, I'm glad you made that video @FirewallGyaan

FirewallGyaan
Contributor

@the_rock Thanks for all your support.

the_rock
Legend

Here is my corny joke of the day... for you, no charge, except iPhone charge, and if you don't use an iPhone, then you get coffee and a donut ; - )

G_W_Albrecht
Legend

sk101226: Policy installation flow

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist