Re: Unable to install policy after gateway upgrade...

ha · ‎2023-03-21

Hello,

After upgrading one of our firewalls from R80.40 to R81.10 we are unable to install a policy on the firewall.

We have performed the upgrade both from Gaia and SmartConsole, but get the same error after the upgrade.

When installing the policy from SmartConsole the task progress stops at step 'Preparing the policy for the upgraded target (5/11)'.

History:

R80.40 SMS and R80.40 GW, both running om VMware
R80.40 DB previously migrated to new, clean installed SMS on R81.10
Then GW was successfully upgraded via Gaia CPUSE to R81.10 T335
When installing policy to the GW first time it fails with error message (see output from cpm.elg)
The GW VM was rolled back and a new upgrade was done via SmartConsole GUI using Actions > Version Upgrade, to R81.10 T355
This upgrade fails on task 5/10 with error message:cpp:line 5409: error inside #ifdef block at end of input, depth = 1
1 error in preprocessor
Error compiling IPv6 flavor.
Then the SMS was upgraded to R81.20 T631, but the policy fails with the same error message

We have searched for relevant support articles and some of them related to errors or changing in different .def files. As a noted we have not changed any .def files or other linux files directly on either SMS or GW.

IPv6 is disabled on the gateway.

Any suggestions as to what the cause of this error might be?

Thanks!

PhoneBoy · ‎2023-03-21

Just to clarify, this is failing while doing an upgrade to R81.10 from SmartConsole on a gateway running R80.40, correct?
Note this exact error is mentioned here: https://support.checkpoint.com/results/sk/sk139174
If you're absolutely certain you haven't modified any .def files, then this Expect command should restore them to defaults: update_inspect_files -f
If the issue still persists after doing that, I recommend a TAC case: https://help.checkpoint.com

ha · ‎2023-03-22

Thank you both for your replies. I first tried TheRocks's suggestion, but could still not install the policy (same error as before).

Then I tried to run the update_inspect_files command, but got this error message:

[Expert@mgt:0]# update_inspect_files -f

Wrong usage: missing '-index' flag

Help text:

update_inspect_files --help

Please run with the following parameters: [-index <HFA_INDEX>] [-list <input file> (list of .def files)] [-path <path to the .def/_HFA.def files> (if different than $FWDIR/lib)] [-f (to force override)] [-mode <upgrade or export>]

To restore changed files run with -restore [-index <HFA index>].

Do I need to refer to a specific hotfix in order do restore the .def files?

PhoneBoy · ‎2023-03-22

Not sure.
Best to engage the TAC here.

the_rock · ‎2023-03-22

I dont think that would be related to specific jumbo, honestly. As the guys said, TAC is your best bet at this point to solve this faster. Clearly, there is syntax missing somewhere, which is whats preventing policy push.

Best,
Andy

ha · ‎2023-03-23

Thank you all for your suggestions. We will open a TAC case.

the_rock · ‎2023-03-23

In the spirit of the community, please do share how it gets fixed, as that always helps other folks.

Cheers mate.

Best,
Andy

ha · ‎2023-03-28

Yes, I will do that. I have a remote session with TAC scheduled this week.

Olavi_Lentso · ‎2023-09-04

What was the solution to the problem?

ha · ‎2023-09-05

There was a syntax error in the file: /opt/CPsuite-R81.20/fw1/lib/user_early.def
After adding #endif at the end of the file, we could successfully push the policy again.

the_rock · ‎2023-03-21

Here is what you need to do to fix this problem. IF mgmt is on R81.10 and gateway on R80.40, do below on your management server and Im fairly confident it will work.

# cd $FWDIR/conf

# cp user.def.FW1 user.def.R8040CMP

Thats it. Then push the policy.

Make sure to backup all those files first.

Best,
Andy

_Val_ · ‎2023-03-22

Please open a TAC case: https://help.checkpoint.com

Are you a member of CheckMates?

Unable to install policy after gateway upgrade to R81.10