ashah
Explorer

Checkpoint Security Gateway applies "Initial Policy" after the firmware Upgrade

Hello All,

I ran into an issue where, when I upgrade a Check Point Security Gateway from R80.10 to R80.30 via the CPUSE method, it applies "Initial Policy" and removes the existing policy after the reboot. We then lose access to this gateway from remote sites (as all sites are connected through MPLS). I have to access this gateway locally, run "fw unloadlocal" and then install policy from the management server to regain access from the remote sites.

Is there any reason the firewall applies the initial policy, and how can I make it stop doing that? It stops management of the firewall.

0 Kudos
7 Replies
PhoneBoy
Admin
Admin

Yes, because the policy must be installed from the Security Management after an upgrade compiled against the new Security Gateway version.
Installing the policy is listed as part of the required steps in the Install and Upgrade Guide: https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Installation_and_Upgrade_Gui...

The InitialPolicy should permit the policy to be installed from the management without doing an fw unloadlocal.

0 Kudos
ashah
Explorer

Thanks a lot for your reply, sir. I faced an issue where the Check Point gateway stopped advertising OSPF as well after the upgrade. We have 5 sites connected with MPLS, and without OSPF the upgraded site is not reachable from the remote sites.

Everything works well after installing policy from the management server.

0 Kudos
Chris_Atkinson
Employee
Employee

If you have explicit rules in your policy for the OSPF traffic per sk39960, those won't be loaded, allowing neighbors to form, until after policy installation occurs.

0 Kudos
the_rock
Advisor

That is totally normal behavior actually. If you are doing an upgrade, it will by default apply the initial policy until policy is pushed to the newly upgraded gateway again. As far as OSPF, can't say for sure what the issue is; maybe if you can provide more details, we can try to assist.

0 Kudos
Vincent_Bacher
Advisor

I remember, many years ago there was a way to modify the initial policy rules and there was an sk explaining that.

As it was in the IPSO era, I cannot tell if it is still valid.

and now to something completely different
PhoneBoy
Admin
Admin

Guess who wrote that SK? 🙂
There are actually two filters:

  • Initial policy, which comes up before the gateway has a valid policy installed to it (or the license expires)
  • Default filter, which comes up when the gateway is (re)booted before the real policy is loaded. 

Note that changing the default filter or initial policy is not formally supported.
Also, sadly, the sk describing the process is now internal.
Whether it even still works is a separate question entirely.

0 Kudos
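As an added example (not code from the thread or from Check Point), here is a small POSIX shell check a defender can run after an upgrade to tell whether the gateway is still on one of the two placeholder filters described above, or has a real policy installed. It assumes `fw stat` prints a header line followed by `HOST POLICY DATE ...` columns; the sample outputs below are constructed, not captured from a real gateway.

```shell
#!/bin/sh
# Added example, not from the original thread. Classifies a gateway's policy
# state from `fw stat`-style text. Assumed column layout: HOST POLICY DATE ...
# "InitialPolicy" and "defaultfilter" are the two placeholder filters; any
# other name is treated as a real policy installed from the management server.

classify_policy_state() {
    # $1: text in the shape of `fw stat` output
    policy=$(printf '%s\n' "$1" | awk 'NR > 1 && $1 == "localhost" { print $2; exit }')
    case "$policy" in
        "")             echo "unknown" ;;
        InitialPolicy)  echo "initial" ;;
        defaultfilter)  echo "defaultfilter" ;;
        *)              echo "installed:$policy" ;;
    esac
}

# Constructed sample outputs (not captured from a real gateway).
SAMPLE_INITIAL='HOST      POLICY        DATE
localhost InitialPolicy 01Jan2020 10:00:00 :  [>eth0] [<eth0]'

SAMPLE_INSTALLED='HOST      POLICY   DATE
localhost Standard 01Jan2020 10:05:00 :  [>eth0] [<eth0] [>eth1] [<eth1]'

# On a live gateway you would feed it the real output: classify_policy_state "$(fw stat)"
if [ "$(classify_policy_state "$SAMPLE_INITIAL")" = "initial" ]; then
    echo "Gateway is still on InitialPolicy: push the policy from the Security Management server."
fi
classify_policy_state "$SAMPLE_INSTALLED"
```

Running this in a post-upgrade checklist (before you disconnect from console or local access) makes the "InitialPolicy" state visible rather than discovering it when the remote sites drop off.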
ashah
Explorer

So far I have noticed that, after a successful firmware upgrade, if I don't install policy from the management server, I don't have accessibility to the Check Point site over MPLS, and that most likely says that OSPF is not advertising routes. As soon as I install policy, this site is reachable from the other sites. So my guess is the initial policy has something to do with OSPF as well. (We don't have an implicate policy for OSPF.)

Hope I could explain the scenario, but thanks a lot for your help here.

0 Kudos