This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ha
Explorer
‎2023-03-21 11:01 AM

Unable to install policy after gateway upgrade to R81.10

Hello,

 

After upgrading one of our firewalls from R80.40 to R81.10 we are unable to  install a policy on the firewall.

We have performed  the upgrade both from Gaia and SmartConsole, but get the same error after the upgrade.

When installing the policy from SmartConsole the task progress stops at step 'Preparing the policy for the upgraded target (5/11)'.

 

History:

  • R80.40 SMS and R80.40 GW, both running om VMware
  • R80.40 DB previously migrated to new, clean installed SMS on R81.10
  • Then GW was successfully upgraded via Gaia CPUSE to R81.10 T335
  • When installing policy to the GW first time it fails with error message  (see output from cpm.elg)
  • The GW VM was rolled back and a new upgrade was done via SmartConsole GUI using Actions > Version Upgrade, to R81.10 T355
  • This upgrade fails on task 5/10 with error message:cpp:line 5409: error inside #ifdef block at end of input, depth = 1
    1 error in preprocessor
    Error compiling IPv6 flavor.
  • Then the SMS was upgraded to R81.20 T631, but the policy fails with the same error message

 

We have searched for relevant support articles and some of them related to errors or changing in different .def files. As a noted we have not changed any .def files or other linux files directly on either SMS or GW.

IPv6 is disabled on the gateway.

Any suggestions as to what the cause of this error might be?

 

Thanks!

 

Labels
policyinstall.txt
35 KB
0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2023-03-21 11:51 AM

Just to clarify, this is failing while doing an upgrade to R81.10 from SmartConsole on a gateway running R80.40, correct?
Note this exact error is mentioned here: https://support.checkpoint.com/results/sk/sk139174
If you're absolutely certain you haven't modified any .def files, then this Expect command should restore them to defaults: update_inspect_files -f 
If the issue still persists after doing that, I recommend a TAC case: https://help.checkpoint.com 

0 Kudos
ha
Explorer
‎2023-03-22 07:21 AM
In response to PhoneBoy

Thank you both for your replies. I first tried TheRocks's suggestion, but could still not install the policy (same error as before).

Then I tried to run the update_inspect_files command, but got this error message:

[Expert@mgt:0]# update_inspect_files -f

Wrong usage: missing '-index' flag

 

Help text:

update_inspect_files --help

Please run with the following parameters: [-index <HFA_INDEX>] [-list <input file> (list of .def files)] [-path <path to the .def/_HFA.def files> (if different than $FWDIR/lib)] [-f (to force override)] [-mode <upgrade or export>]

To restore changed files run with -restore [-index <HFA index>].

 

Do I need to refer to a specific hotfix in order do restore the .def files?

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-22 01:52 PM
In response to ha

Not sure.
Best to engage the TAC here.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-03-22 01:54 PM
In response to ha

I dont think that would be related to specific jumbo, honestly. As the guys said, TAC is your best bet at this point to solve this faster. Clearly, there is syntax missing somewhere, which is whats preventing policy push.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
ha
Explorer
‎2023-03-23 01:02 AM
In response to the_rock

Thank you all for your suggestions. We will open a TAC case.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-03-23 02:44 AM
In response to ha

In the spirit of the community, please do share how it gets fixed, as that always helps other folks.

Cheers mate.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
ha
Explorer
‎2023-03-28 05:32 AM
In response to the_rock

Yes, I will do that. I have a remote session with TAC scheduled this week.

 

 

0 Kudos
Olavi_Lentso
Contributor
‎2023-09-04 07:25 AM
In response to ha

What was the solution to the problem?

0 Kudos
ha
Explorer
‎2023-09-05 12:53 AM
In response to Olavi_Lentso

There was a syntax error in the file: /opt/CPsuite-R81.20/fw1/lib/user_early.def
After adding #endif at the end of the file, we could successfully push the policy again. 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-03-21 12:42 PM

Here is what you need to do to fix this problem. IF mgmt is on R81.10 and gateway on R80.40, do below on your management server and Im fairly confident it will work.

# cd $FWDIR/conf
# cp user.def.FW1 user.def.R8040CMP
 
Thats it. Then push the policy.
 
Make sure to backup all those files first.
Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
_Val_
Admin
Admin
‎2023-03-22 07:38 AM

Please open a TAC case: https://help.checkpoint.com

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events