This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ClaudiaPeter
Contributor
‎2020-11-09 10:24 AM
Jump to solution

R80.40 Policy install timeout, but new policy is active

Hi,

we recently updated from R80.10 to R80.40, Management Server and a Gateway Cluster of 5800 appliances.

We defined a new rule for HTTPS Inspection with Updatable Objects. Since then Policy Install fails with timeout. Deleting the new rule doesn't "repair" it.

- "fw stat" shows the new policy, and changes in the policy are effective.

- I don't think the install_policy_timeout value is the problem, the Management Server waits for a long time for the commit after "fw stat" already shows the new policy timestamp.

- Management Server $FWDIR/log/install_policy.elg:
...
Compiled OK.&CURRENTVERCMP
**##MSG_IDENTIFY##**3&0&Compilation was successful&50&<NULL>&1&CURRENTVERCMP
Installing Security Gateway policy on: gw-cluster ...&CURRENTVERCMP
**##MSG_IDENTIFY##**5&0&Transfer was successful.&gw2&<NULL>&1&CURRENTVERCMP
**##MSG_IDENTIFY##**5&0&Transfer was successful.&gw1&<NULL>&1&CURRENTVERCMP
Operation incomplete due to timeout.&CURRENTVERCMP
**##MSG_IDENTIFY##**8&2&Operation incomplete due to timeout.&<NULL>&<NULL>&1&CURRENTVERCMP

So the problems seems to be on gateway side.


- Gateway /opt/CPsuite-R80.40/fw1/state/__tmp/FW1/install_policy_report.txt
...
17:43:15 4000051 InternalMsg UPInstallPolicyApp INFO up_install_policy_app.cpp 364 postLoadCommit ====== UP install policy App post-load commit end ======
17:43:15 4000052 InternalMsg Install Policy MGR INFO install_policy_mgr.cpp 1133 postLoadCommit Usermode postLoadCommit of InstallPolicyApp: (UP) with appType: (1), appPosition: (2) succeeded

So just the last line with "====== Usermode post-load commit end =====" is missing.


- According sk114733 "du -k $FWDIR/state/__tmp/FW1/" on both Gateways should be the same, but they differs. The file local.upDB.sqlite differs.
Regrettably the sk do not mention what to do if the size of the directory differs.

I cannot find any sk how to "reset" the directory $FWDIR/state/__tmp/FW1/. Can I just delete the files and get fresh copies from the management server with "fw fetch"?

(It's a production environment and I don't want to kill the Gateway with careless deleting files...)

Best regards
Claudia

0 Kudos
1 Solution

Accepted Solutions
ClaudiaPeter
Contributor
‎2020-11-10 08:40 AM
In response to ClaudiaPeter
Jump to solution

The solution was "standard": reboot.

It took only some longer discussions with the customer to be allowed to reboot the maschines....

View solution in original post

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-11-09 01:29 PM
Jump to solution

You can generally just delete the content of $FWDIR/state safely, though you can take a backup if you want to be on the safe side.

0 Kudos
_Val_
Admin
Admin
‎2020-11-09 11:36 PM
Jump to solution

I suggest investigating this with TAC. 

Can you show how your "New HTTPS Inspection rule with Updatable Objects" looks, though?

0 Kudos
ClaudiaPeter
Contributor
‎2020-11-10 01:23 AM
In response to _Val_
Jump to solution

Actual the rule looks like:

Source: Any

Destination: Office365 Worldwide Services, Intune Services, Microsoft - recommended HTTPS bypass, Power B I Services, Webex Services

Services: https

Category/..: Any

Action: Bypass

Track: Log

Blade: All

Install On: one Gateway Cluster

Certificate: Outbound Certificate

0 Kudos
ClaudiaPeter
Contributor
‎2020-11-10 08:40 AM
In response to ClaudiaPeter
Jump to solution

The solution was "standard": reboot.

It took only some longer discussions with the customer to be allowed to reboot the maschines....

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events