Hello,
I am hoping someone can give me more detailed or background information (or a link to an SK) to learn more about the steps below. Especially step 2.
Verification & Compilation
The Verification & Compilation stage of policy installation occurs on the management side. It involves the following steps:
1. Initiation — Policy installation is initiated either from SmartConsole or from the command line.
2. Database Dump — A database dump from postgres to old file formats for cpmi table only if changes occurred. A dump from non cpmi will occur any time.
3. Verification — Information in the database is verified to comply with a number of rules specific to the application and package for which policy installation is requested.
4. Conversion — The information in the database is converted from its initial format to the format understandable by later participants in the flow, such as code generation and gateway.
5. Fwm rexec — Fwm loader takes a lot of memory. To release memory after verification and conversion, fwm state is saved to a file located in the $FWDIR/tmp/ directory. fwm is then re-executed as a fwm load command to push the files for code generation and compilation.
6. Code Generation and Compilation — Policy is translated to the INSPECT language and compiled with the INSPECT compiler.
Thanks,
Don
Hi Don.
Regarding Database dump,
The fwm loader expects to get its input as files.
The database may have changed since the last install policy.
Therefore, we dump the postgres database to a temporary file structure, for every install policy, or install database command.
Dan
Hello Don,
I was trying to find the documentation mentioned in your request, but I wasn't able to. Do you have the source of this information?
However, you can verify the following SK solution for policy install:
sk60347: How To Troubleshoot Policy Installation Issues (for R75 - R77)
Regards.
Thanks Kenny,
It's from the CCSE R80.10 training.
I couldn't find anything on it either.
There is another SK that goes through the older version policy install steps but it's not as descriptive and I have asked for it to be reviewed and versions corrected.
I am thinking that the answer may come from HQ where the info might have originated.
Regards,
Don
Thanks for the clarification Don.
I think we have to wait some time for Secure Knowledge updates on R80 internal processes flow (in addition to already existent R80.x Security Management server main processes debugging) and new functionalities in the architecture (like inspection points "e" and "E" for encrypt mentioned in another post, UnifiedPolicy chain, etc.).
Thanks Dan. Can you share any information on the term cpmi table?
I would also be interested to know the key differences or responsibilities of fw_loader and fwm_loader?
I will do an analysis to understand the processes and files involved but their tasks may not be so easy for me to understand (debug).
Regards,
Don
Hi Don.
CPMI tables are related to the old database (not Java) such as in R77.
When running fwm with the argument "load",
the fwm does not act as a server, it is running as a command.
fw_loader is the binary spawned from the fwm load command.
fwm load is running the conversion and verification.
fw_loader is running the code generation and compilation.
Dan