Us4r
Contributor

Check Point R80.30 - Find non-ASCII Characters in Rules / Objects

Hello,

I'm looking for a way to find non-ASCII characters in objects / in the rulebase on R80.30 Management.

Since 9 November I have had problems installing policy on our Check Point 1400 appliances. I always get the error "Failed to Load Security Policy: Bad address". I think this could be an issue because of non-ASCII characters used in the ruleset.

I found an old SK article about this case on R77 (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...) but the rule_check tool doesn't work anymore.

Any useful tips / hints on how I can verify this on R80?

Thanks

Regards

Florian

15 Replies
G_W_Albrecht
Legend

sk105708 speaks of characters in the rule name - how many rules do you have with target 1400? I would do a manual check if it is not >1200 😎

CCSE CCTE CCSM SMB Specialist
Us4r
Contributor

No, in the mentioned policy we currently have ~300 rules.

Perhaps it's correlated with the IPS update on the 9th. When I change the IPS profile from our "special" 1400 profile to "optimized" or "basic", we don't get any failures. But the error message confuses me.

Can there be a limitation on the count of enabled IPS rules? I did see that about 5 additional rules were added there on the 9th.

Thanks

Florian

G_W_Albrecht
Legend

It is possible, I just thought the 1400 had fewer troubles. I wrote about that here: Optimizing an IPS profile for SMB.

CCSE CCTE CCSM SMB Specialist
0 Kudos
Us4r
Contributor

Yes, I did read this article before and prepared the IPS policy as mentioned there.

=> A lot of additional protections are disabled now, but the failure still exists (see screenshot).

0 Kudos
G_W_Albrecht
Legend

And fw -d fetch <SMS IP>? Best to pipe it into a file!

CCSE CCTE CCSM SMB Specialist
0 Kudos
Us4r
Contributor

Hello, attached you will find the output of the fw fetch -d command:

[ 13694 1736814592]@Gateway[16 Nov  8:26:56] opsec_send_datagram_e: SESSION ID:3 is sending DG_ID=3 DG_TYPE=0x1202(???)
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] ckpSSL_do_write: write 14 bytes
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] opsec_comm_notify: COM 0x3b7aba8 got signal 131074
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] cpd_client_signal_handler: session=0x3cf51f0, event=135683
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] ckpSSL_do_read: read 12 bytes
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] demultiplex type=3 session-id=3
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] Destroying session (3cf51f0) id 3 (ent=3b7aa40) reason=PEER_ENDED
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] get_host_statedir : return state dir = /opt/fw1/state/__tmp
[ 13694 1736814592]@Gateway[16 Nov  8:26:56] get_cond_statedir : return state dir = /opt/fw1/state/__tmp/FW1 for hostname = __tmp, product = FW1
Fetching Security Policy Succeeded.
 Writing CMI cache (IPv4)...
 Continue with second iteration
 Failed to Load Security Policy: Bad address
[ 13699 1737232384]@Gateway[16 Nov  8:28:21]
sfw_load: Error loading security policy
sfw_fetch_callback: Failed to execute command '"/opt/fw1/bin/fw" fetchlocal -d "/opt/fw1/state/__tmp/FW1"'. rc=1, exit code =-1
 Unable to install the Security Policy on the appliance
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] cpd_close_addon_sessions> addon_id=[], addon_ver=[]
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] cpd_session_terminator> session=0x3cf51f0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] opsec_end_session_e: scheduling the end of session 3
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] cpd_close_addon_sessions> addon_id=[], addon_ver=[]
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] The server doesn't run
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] Destroying entity 2 with 0 active comms
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] opsec_destroy_entity_sic: deleting sic rules for entity 0x3d04e80
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] SESSION ID:3 already resumed read
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_InputPending 1 pending bytes
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_InputPending 1 pending bytes
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] The server doesn't run
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] Destroying entity 1 with 1 active comms
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] destroying comm 0x3b7aba8
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] Destroying comm 0x3b7aba8 with 0 active sessions
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] pulling dgtype=ffffffff len=-1 to list=0x3b7abc4
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] opsec_destroy_entity_sic: deleting sic rules for entity 0x3b7aa40
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_client_end_handler: for conn id = 14
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] fwasync_do_end_conn: 14: calling 0x87d755 to free opaque 0x3cf4f60
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_fwasync_close: start shutdown
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_ShutdownHandler: rc=0 (1) SSL negotiation finished successfully
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_ShutdownTimeout: 0x3CF9D88
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] ckpSSL_Destroy: closed fd 14
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] T_event_mainloop_e: T_event_mainloop_iter returns 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b6bde0, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b6d2e8, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b6fd40, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b6e818, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b72798, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b71270, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b73cc8, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b751d8, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b77bf0, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b766e0, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b7a608, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b790f8, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] sic_sslca_Free: defs = 0x3b7bb10, references = 0
[ 13694 1736814592]@Gateway[16 Nov  8:28:21] PM_policy_destroy: finished successfully.
0 Kudos
G_W_Albrecht
Legend

Maybe the solution from sk167717:

  1. rm -rf /storage/* 
  2. /pfrm2.0/etc/restoreStorage.sh
  3. Push the policy.
CCSE CCTE CCSM SMB Specialist
0 Kudos
Tal_Paz-Fridman
Employee

Hi,

Why do you think it is related to special characters?

Did you try following sk103511:

"Failed to Load Security Policy: Bad address" error on policy installation failure

 

Thanks

Tal

0 Kudos
Us4r
Contributor

Hello Tal,

Disabling the Anti-Bot/Antivirus blades doesn't give any "positive" feedback:


[ 28695 1737011200]@Gateway[16 Nov 15:17:40] opsec_send_datagram_e: SESSION ID:3 is sending DG_ID=3 DG_TYPE=0x1202(???)
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] ckpSSL_do_write: write 14 bytes
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] opsec_comm_notify: COM 0x3b7ab88 got signal 131074
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] cpd_client_signal_handler: session=0x3b5a9d8, event=135683
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] ckpSSL_do_read: read 12 bytes
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] demultiplex type=3 session-id=3
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] Destroying session (3b5a9d8) id 3 (ent=3b7aa20) reason=PEER_ENDED
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] get_host_statedir : return state dir = /opt/fw1/state/__tmp
[ 28695 1737011200]@Gateway[16 Nov 15:17:40] get_cond_statedir : return state dir = /opt/fw1/state/__tmp/FW1 for hostname = __tmp, product = FW1
Fetching Security Policy Succeeded.

Installing Security Policy...
[ 28699 1736871936]@Gateway[16 Nov 15:17:59] sfwd_read_if_info: failed to extract local.ifi file.
[ 28699 1736871936]@Gateway[16 Nov 15:17:59]
sfw_load: Error loading security policy

Error loading policy.
sfw_fetch_callback: Failed to execute command '"/opt/fw1/bin/fw" fetchlocal -d "/opt/fw1/state/__tmp/FW1"'. rc=1, exit code =-1
 Unable to install the Security Policy on the appliance
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] cpd_close_addon_sessions> addon_id=[], addon_ver=[]
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] cpd_session_terminator> session=0x3b5a9d8
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] opsec_end_session_e: scheduling the end of session 3
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] cpd_close_addon_sessions> addon_id=[], addon_ver=[]
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] The server doesn't run
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] Destroying entity 2 with 0 active comms
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] opsec_destroy_entity_sic: deleting sic rules for entity 0x3b59fb8
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] SESSION ID:3 already resumed read
[ 28695 1737011200]@Gateway[16 Nov 15:18:00] ckpSSL_InputPending 1 pending bytes

 

It has to be some issue with the characters or with the IPS policy.

0 Kudos
Tal_Paz-Fridman
Employee

Try running the fetch command with debug - perhaps it will give us additional information.

fw -d fetchlocal -d /opt/fw1/state/__tmp/FW1

0 Kudos
Us4r
Contributor

Hello all,

 

attached is a short excerpt of the debug output regarding the local.ifi error message:

[ 29107 1737170944]@Gateway[16 Nov 15:30:04] hash_do_resize: Resizing hash from 65536 to 131072 (n_elements=131072)
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] ==>fwa_sfw_extract_file_ex file_name = local.ifi
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] sfw_get_tmp_file_name: File name will be: /storage/local.ifi-2832814620-3488552331
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] fwa_sfw_extract_file_ex: will execute '/bin/gunzip -c /opt/fw1/state/__tmp/FW1/local.ifi.gz > /storage/local.ifi-2832814620-3488552331'
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] Error executing extraction command (error code 255, errno=12).
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] ==>fwa_sfw_delete_tmp_file /storage/local.ifi-2832814620-3488552331
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] fwa_sfw_delete_tmp_file: Error deleting file.
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] <==fwa_sfw_delete_tmp_file (-1)
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] <==fwa_sfw_extract_file_ex
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] sfwd_read_if_info: failed to extract local.ifi file.
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] ==>fwa_sfw_extract_file_ex file_name = local.cfp
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] sfw_get_tmp_file_name: File name will be: /storage/local.cfp-4039710347-1791885011
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] fwa_sfw_extract_file_ex: will execute '/bin/gunzip -c /opt/fw1/state/__tmp/FW1/local.cfp.gz > /storage/local.cfp-4039710347-1791885011'
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] Error executing extraction command (error code 255, errno=12).
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] ==>fwa_sfw_delete_tmp_file /storage/local.cfp-4039710347-1791885011
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] fwa_sfw_delete_tmp_file: Error deleting file.
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] <==fwa_sfw_delete_tmp_file (-1)
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] <==fwa_sfw_extract_file_ex
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] Failed to extract local.cfp file.
[ 29107 1737170944]@Gateway[16 Nov 15:30:05]
sfw_load: Error loading security policy
0 Kudos
Tal_Paz-Fridman
Employee

Can you please check the available space on the device?

0 Kudos
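Before re-pushing the policy (or wiping /storage as sk167717 suggests), it is worth decoding what the debug excerpt above actually reports. The two extraction failures both carry errno=12; on Linux (which the gateway side of a 1400 runs) errno 12 is ENOMEM, "cannot allocate memory", while a full filesystem would show up as errno 28, ENOSPC. The following added shell example, not code from the thread or from Check Point, pulls every "Error executing extraction command" out of a saved fw -d fetch / fw -d fetchlocal log, pairs it with the file being extracted, and decodes the errno; the storage_health function is the on-appliance check Tal asks for (plain df/free, nothing Check Point specific). The embedded log excerpt is constructed from the lines quoted in the thread, and the errno table is the standard <errno.h> mapping. Capture the debug with both streams redirected (fw -d fetch <SMS IP> > /tmp/fetch.log 2>&1), since the debug lines go to stderr.

```shell
#!/bin/sh
# Added example: decode extraction failures in a Check Point "fw -d fetch" debug log.
# Not code from the thread or from Check Point. errno names are the standard Linux
# <errno.h> values.

# Map the errno values most likely to appear when a policy file cannot be written
# to /storage. Anything else is reported numerically.
decode_errno() {
    case "$1" in
        2)  echo ENOENT ;;   # path missing
        5)  echo EIO ;;      # flash / I/O error
        12) echo ENOMEM ;;   # cannot allocate memory (what the thread's log shows)
        13) echo EACCES ;;   # permission denied
        28) echo ENOSPC ;;   # filesystem full
        30) echo EROFS ;;    # filesystem mounted read-only
        *)  echo "errno_$1" ;;
    esac
}

# Print one line per extraction failure: "<file> errno=<n> <NAME>".
# The debug prints the file name on an "==>fwa_sfw_extract_file_ex" line and the
# error a few lines later, so awk remembers the last file name it saw.
extraction_failures() {
    awk '
        /fwa_sfw_extract_file_ex file_name = / { sub(/.*file_name = /, ""); f = $0 }
        /Error executing extraction command/ {
            if (match($0, /errno=[0-9]+/)) {
                n = substr($0, RSTART + 6, RLENGTH - 6)
                print f, "errno=" n
            }
        }' "$1" |
    while read -r file err; do
        n=${err#errno=}
        echo "$file $err $(decode_errno "$n")"
    done
}

# Run on the appliance itself: how full is the filesystem the temp files are
# written to, and how much RAM is free? Both are plain Linux tools.
storage_health() {
    df -k /storage 2>/dev/null | awk 'NR == 2 { print "storage_use=" $5 }'
    free 2>/dev/null | awk '/^Mem:/ { print "mem_free_kb=" $4 }'
}

# Constructed sample log (lines as quoted in the thread) for a dry run.
sample_log() {
    cat > "$1" <<'EOF'
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] ==>fwa_sfw_extract_file_ex file_name = local.ifi
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] fwa_sfw_extract_file_ex: will execute '/bin/gunzip -c /opt/fw1/state/__tmp/FW1/local.ifi.gz > /storage/local.ifi-2832814620-3488552331'
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] Error executing extraction command (error code 255, errno=12).
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] ==>fwa_sfw_extract_file_ex file_name = local.cfp
[ 29107 1737170944]@Gateway[16 Nov 15:30:05] Error executing extraction command (error code 255, errno=12).
EOF
}

# Usage on a real capture:   extraction_failures /tmp/fetch.log
# Dry run:                   f=/tmp/sample.log; sample_log "$f"; extraction_failures "$f"
```

On the thread's excerpt the report reads "local.ifi errno=12 ENOMEM" and "local.cfp errno=12 ENOMEM", so the next things to look at on the box are free memory and the state of /storage, not the rulebase text.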
Tal_Paz-Fridman
Employee

Hi @Us4r 

Did you get a chance to test the available space on the device? I found some SRs that could be related to the failures you are seeing.

Thanks

Tal

0 Kudos
John_Fleming
Advisor

Assuming the compatibility directory still has to write out objects_5_0.c and rulebases_5_0.fws, I would look there.

In vi,

/[^\x00-\x7F]

will find each non-ASCII character in a file. Might work in 'less' also.

0 Kudos
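The vi search above answers the original question one file at a time; the following added shell example (not code from the thread, from John, or from Check Point) does the same check over the whole compatibility set on the management server and adds a byte histogram so you can tell what the offending characters are. The paths $FWDIR/conf/objects_5_0.C and $FWDIR/conf/rulebases_5_0.fws are assumed R80.x locations; the sample file it scans in the dry run is constructed inline. LC_ALL=C is what makes the character classes mean 7-bit ASCII: in the C locale [:print:] is exactly 0x20 to 0x7E, so any byte of 0x80 or above (UTF-8 umlauts, smart quotes, non-breaking spaces) and any stray control byte is reported.

```shell
#!/bin/sh
# Added example: locate non-ASCII bytes in Check Point compatibility files.
# Not code from the thread or from Check Point. Paths under $FWDIR/conf are
# assumptions for R80.x and may need adjusting.

# Print "file:line:content" for every line holding a byte outside printable
# 7-bit ASCII (plus ordinary whitespace). -a forces text mode so grep never
# collapses the output to "Binary file matches"; /dev/null forces the file-name
# prefix even when a single file is given.
non_ascii_report() {
    LC_ALL=C grep -an '[^[:print:][:space:]]' "$@" /dev/null
}

# Number of offending lines in one file (prints 0 rather than failing).
non_ascii_count() {
    LC_ALL=C grep -ac '[^[:print:][:space:]]' "$1" || true
}

# Histogram of the non-ASCII byte values in a file, e.g. "c3" and "bc" for a
# UTF-8 u-umlaut, which tells you the encoding you are dealing with.
non_ascii_bytes() {
    od -An -tx1 -v "$1" | tr -s ' ' '\n' | grep -E '^[89a-f][0-9a-f]$' | sort | uniq -c
}

# Walk the compiled policy files on the SMS. FWDIR is set by the Check Point
# environment; files that are absent or unreadable are skipped, not invented.
scan_policy_files() {
    for f in "$FWDIR/conf/objects_5_0.C" "$FWDIR/conf/rulebases_5_0.fws"; do
        [ -r "$f" ] || { echo "skip: $f not readable" >&2; continue; }
        echo "== $f: $(non_ascii_count "$f") line(s) with non-ASCII bytes"
        non_ascii_report "$f" || true
        non_ascii_bytes "$f"
    done
}

# Constructed sample in the style of an objects file: the second name carries a
# German u-umlaut encoded as UTF-8 (bytes c3 bc).
make_sample() {
    printf ':name (Host_Muenchen)\n:name (Host_M\303\274nchen)\n:comments ("plain ascii")\n' > "$1"
}

# Usage on the management server:  scan_policy_files
# Dry run:  f=/tmp/sample.C; make_sample "$f"; non_ascii_report "$f"; non_ascii_bytes "$f"
```

Run it on the management server rather than on the 1400, since that is where the compiled files live; on the dry-run sample it reports line 2 only and a histogram containing c3 and bc, i.e. one UTF-8 umlaut.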
JozkoMrkvicka
Mentor

Check audit logs to find out who did what before last policy installation.

Or check policy revision which is currently installed.

Kind regards,
Jozko Mrkvicka
0 Kudos
