Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Advisor

Policy installation and verification question

Jump to solution

Hello,

I am hoping someone can give me more detailed or background information (or a link to an SK) to learn more about the steps below. Especially step 2.

Verification & Compilation

The Verification & Compilation stage of policy installation occurs on the management side. It involves the following steps:

 

1.Initiation — Policy installation is initiated either from SmartConsole or from the command line. 

2.Database Dump — A database dump from postgres to old file formats for cpmitable only if changes occurred. A dump from non cpmi will occur any time.

3.Verification — Information in the database is verified to comply with a number of rules specific to the application and package for which policy installation is requested. 

4.Conversion — The information in the database is converted from its initial format to the format understandable by later participants in the flow, such as code generation and gateway.

5.Fwm rexecFwm loader takes a lot of memory. To release memory after verification and conversion, fwm state is saved to a file located in the $FWDIR/tmp/ directory. fwm is then re-executed as a fwm load command to push the files for code generation and compilation.

6.Code Generation and Compilation — Policy is translated to the INSPECT language and compiled with the INSPECT compiler. 

Thanks,

Don

Labels (2)
1 Solution

Accepted Solutions
Highlighted
Employee+
Employee+

Hi Don.

Regarding Database dump,

The fwm loader expects the get its input as files.

the database may have change since the last install policy.

Therefore, we dump the postgres database to a temporary file structure, for every install policy, or install database command.

Dan

View solution in original post

6 Replies
Highlighted

Hello Don,

I was trying to find the documentation mentioned on your request, but i wasnt able to do it. Do you have the source of this information?

However, you can verify the following SK solution for policy install:

sk60347: How To Troubleshoot Policy Installation Issues (for R75 - R77)

Regards.

0 Kudos
Highlighted
Advisor

Thanks Kenny,

It's from the CCSE R80.10 training. 

I couldn't find anything on it either. 

There is another SK that goes through the older version policy install steps but it's not as descriptive and I have asked for it to be reviewed and versions corrected. 

I am thinking that the answer may come from HQ where the info might have originated. 

Regards,

Don

Highlighted

Thanks for the clarification Don.

I think we have to wait some time for Secure Knowledge updates on R80 internal processes flow (in adition to already existent R80.x Security Management server main processes debugging) and new functionalities in the architecture (like inspection points "e" and "E" for encrypt mentionen in another post, UnifiedPolicy chain, etc.).

0 Kudos
Highlighted
Employee+
Employee+

Hi Don.

Regarding Database dump,

The fwm loader expects the get its input as files.

the database may have change since the last install policy.

Therefore, we dump the postgres database to a temporary file structure, for every install policy, or install database command.

Dan

View solution in original post

Highlighted
Advisor

Thanks Dan. Can you share any information on the term cpmi table?

I would also be interested to know the key differences or responsibilities of fw_loader and fwm_loader?

I will do an analysis to understand the processes and files involved but their tasks may not be so easy for me to  understand (debug).

Regards,

Don

0 Kudos
Highlighted
Employee+
Employee+

Hi Don.

CPMI tables are related to the old database (not Java) such as in R77.

when running fwm with the argument  "load",

the fwm does not act as a server, it is running as a command.

fw_loader is the binary spawned from the fwm load command.

fwm load is running the conversion and verification.

fw_loader is running the the code generation and compilation.

Dan