Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Lijo_mathai
Contributor
Jump to solution

Unable to clone policy package in R80.20

Hi, after upgrading to R80.20 and applying take 47, i am unable to clone the existing policy package. Is there anything i am missing. I checked there is no validation error for the name i used to clone, but still i am unable to clone the policy. Attached is the error i faced.

 

Error in policy package.JPG

0 Kudos
3 Solutions

Accepted Solutions
Lijo_mathai
Contributor

Hi, I got update from TAC mentioning there was a special character in one of the policy in the policy package which they found using some proprietary tool, after removing that i was able to clone the policy package. Checkpoint should provide us a way  to validate such errors locally so we can fix it without waiting for the solution.

This is just a suggestion.

Thanks

View solution in original post

0 Kudos
Douglas_Fujita
Explorer

Hello,

I faced this issue today and as workaround I did the steps:

1 - Create a new temporary policy
2 - Select all rules on the original polic(the one that you want to clone) and copy it.
3 - Paste all rules on the temporary policy.

It will start to paste the rules and it will stop on the rule that has an issue. It will show the message "The object name must not contain whitespace characters at the beginning or the end". In my case, I had a poliy base of 390 rules and on rule 176, there was french character on the name of the rule.

I renamed the rule, published it, and after that I was able to clone the original policy.

View solution in original post

Norbert_Bohusch
Advisor

As this would work, with a big policy package (some 1000 rules), this becomes unusable.

So I opened an SR an got this:

 

# psql_client cpm postgres
# select replace(rule_dref.name, chr(10), '<br />') as "Rule name", rule_dref.objid as "Rule UUID", owner_dref.name as "Policy name / Layer name" from dleobjectderef_data rule_dref join rulebaseentitylocalinstance_data rlb_entity on (rlb_entity.entity = rule_dref.objid) join dleobjectderef_data owner_dref on (owner_dref.objid = rlb_entity.owner) where rule_dref.dlesession >= 0 and not rule_dref.deleted and (rule_dref.name like ('%'||chr(10)||'%') OR rule_dref.name like ' %' OR rule_dref.name like '% ');

 

You will get an output with the rules containing the whitespace in the name. And compared to your method its very fast.

 

View solution in original post

0 Kudos
18 Replies
PhoneBoy
Admin
Admin
We're you able to clone the package prior to installing Take 47?
0 Kudos
Tal_Paz-Fridman
Employee
Employee

Hi 

Can you please try removing the suggested Clone name (before starting the Clone process) and selecting something very generic, e.g. POLICY1

 

Tal

Lijo_mathai
Contributor
Hi,I tried already, but still facing the same error
0 Kudos
Lijo_mathai
Contributor

Hi, I got update from TAC mentioning there was a special character in one of the policy in the policy package which they found using some proprietary tool, after removing that i was able to clone the policy package. Checkpoint should provide us a way  to validate such errors locally so we can fix it without waiting for the solution.

This is just a suggestion.

Thanks

0 Kudos
PhoneBoy
Admin
Admin
Can you send me in a private message the SR in question?
0 Kudos
Tal_Paz-Fridman
Employee
Employee

Please send it to me as well.

Thanks

Tal

0 Kudos
Tal_Paz-Fridman
Employee
Employee

Hi 

Can you check if sk153833 applies in your case?

sk153833  "The object name must not contain whitespace characters at the beginning or the end" message in SmartConsole

 

Tal

0 Kudos
JanPokorny
Explorer

Hello,

 I am facing the same issue. Version R80.20 running in VMware. Any progress with this issue?

Tal_Paz-Fridman
Employee
Employee

Hi 

 

Seems there is a specific tool that needs to be used to find the problematic location.

I suggest contacting TAC asking the same process to be followed (you can point them to this issue or SR 6-0001665721)

I will also ask for a dedicated SK for this issue.

Tal

0 Kudos
Lijo_mathai
Contributor

Hi, this is the same case ID that was raised for my issue by my vendor. Actually support have confirmed that in future this tool will be available for public use 

Thanks

genisis__
Leader Leader
Leader

I have a similar issue.

We have R80.20 Provider with HFA103 installed.  When attempting to clone a policy I get the following error message:

"Execution error during clone policy package"

 

0 Kudos
JanPokorny
Explorer

Hi, I resolved the issues with support. You need to get the latest version of cpdoctor and run a check. The check will output rules where is the problem. After renaming the rules everything is OK.

Be sure you get the latest version of CPdoctor. In the older version, it won't show you exactly which rule cause the problems.

genisis__
Leader Leader
Leader

Thanks will try this.

0 Kudos
Colin_Tucker
Participant

Slightly late to the party on this one but just had the same error on R80.30. Client engaged TAC and ran cpdoctor, apparently didn't find any issues. Tried to check for non-unicode characters but also didn't see anything odd.

Using some of the other posts on here I created the following API command that could be useful for a quick check against policy;

 

[Expert@SMS01:0]# mgmt_cli show access-rulebase name "POLICY_NAME Network" limit 500 --root true --format json | $CPDIR/jq/jq '.rulebase[].rulebase[] | .["name"], .["comments"]' | -E '^"\s|\s"$'
"Site AP1450 SIC/Policy access "
"Monitoring (Videowalls) to FMS "

 

I've sanitised some of the output but run on our SMS the output shows several comments or rulenames that have whitespace characters at the end  of lines.

I'm still waiting on confirmation that the policy can be cloned now. Will update again if any issues.

0 Kudos
Douglas_Fujita
Explorer

Hello,

I faced this issue today and as workaround I did the steps:

1 - Create a new temporary policy
2 - Select all rules on the original polic(the one that you want to clone) and copy it.
3 - Paste all rules on the temporary policy.

It will start to paste the rules and it will stop on the rule that has an issue. It will show the message "The object name must not contain whitespace characters at the beginning or the end". In my case, I had a poliy base of 390 rules and on rule 176, there was french character on the name of the rule.

I renamed the rule, published it, and after that I was able to clone the original policy.

Oliver_Fink
Advisor
Advisor

Thanks very much, @Douglas_Fujita. That helped me to get away without contacting TAC.

0 Kudos
Mgdonata
Explorer

Thanks Douglas, this was all i needed to do. Your methodology  worked like a charm. I was starting to think "am i really going  to open a case with Tac just to help me look for a space in between rule names? 

So....

4 - I renamed the rule, published it, and after that I was able to clone the original policy.

5 - Delete the new temporary policy once you find that culprit

And its all good!!!

Thanks again 

0 Kudos
(1)
Norbert_Bohusch
Advisor

As this would work, with a big policy package (some 1000 rules), this becomes unusable.

So I opened an SR an got this:

 

# psql_client cpm postgres
# select replace(rule_dref.name, chr(10), '<br />') as "Rule name", rule_dref.objid as "Rule UUID", owner_dref.name as "Policy name / Layer name" from dleobjectderef_data rule_dref join rulebaseentitylocalinstance_data rlb_entity on (rlb_entity.entity = rule_dref.objid) join dleobjectderef_data owner_dref on (owner_dref.objid = rlb_entity.owner) where rule_dref.dlesession >= 0 and not rule_dref.deleted and (rule_dref.name like ('%'||chr(10)||'%') OR rule_dref.name like ' %' OR rule_dref.name like '% ');

 

You will get an output with the rules containing the whitespace in the name. And compared to your method its very fast.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events