Hi 

From the issue described it seems like IPS global database wasn't updated correctly while local ips database is up to date. 

first, can you please describe what is the propose of using schedule update on both CMA and Global domain level ? 

in order to overcome this issue, I would suggest the following: 

1) we need to understand if there were IPS update failures in global level - can you please check the logs and look for failures? 

2) in order to overcome global policy reassignment issue, please follow the sk: 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

if any further assistance is needed, please feel free to send me PM and I will be glad to assist. 

Appreciate your responses PhoneBoy, Omri

Just to clarify from the Global Assignments, Reassign part was failling, in the Task Progress list I get:

1) "Global Domain Assignment Failed: Global domain IPS version (635210151) is an earlier version than the local domain IPS version (635210225).
Update the global domain IPS version to the same or higher version than the local domain IPS."

The error is self explanatory, however I could not workout why the global policy intermittently doesnt update or why the gateway had somehow updated when it is configured
not to update automatically but to "Use IPS management updates" as per gateway IPS properties, which is what was then causing local IPS version to be more recent then the global.

I am also getting this second error intermittently when I am the only admin using the global policy, however logging out and back in sometimes fixes this issue so no biggie.

2) Global Domain Assignment Failed: Global Assignment settings are locked for editing by another administrator and need to be published or discarded before the operation can take place.

Omri, in summary we were trying to simplify the IPS updates so that the Global Policy updates are scheduled to check and download the latest protections then to push that out to
all the gateways in each CMA. The gateways are configured to "Use IPS management updates" via the GW IPS profile. However there are clearly different ways of configuring/pushing
IPS updates and I might have "over configured" judging by your reply.

Omri you make a good point "what is the purpose of using schedule update on both CMA and Global domain level ?"
This is probably where I went wrong and over-configured, so I will remove CMA level IPS update and just leave the global policy IPS update schedule, on the gateways will say "Use IPS management updates"
That should hopefully do the job and make sure local IPS update is never more recent then the global scheduled update, so the reassign wont then fail.

Now I got Global Policy / threal prevention / Update / Schedule Update / ticked "Enable IPS scheduled updates on Server and Gateway" / configure - update daily at 22:00
Questions - There is no option to automatically install TP policy to propagate the new protections to the gateways post global scheduled update, does this happen automatically in the background?
Or do I need to manaully reasign at the domain level? Is there any way to automate "Global Assignments" so that post Global IPS scheduled update assigments are upto date with no manual intervention?

Gents, thanks for your help and patience. Tx Dario

@Dario1, can you share the motivation of using the "Use Management updates" option?

Starting from R80.20, gateways can fetch IPS updates independently. This is the recommended way of using IPS updates since it provides much faster protection on the gateways from new threats, without waiting for a policy installation.

Another significant benefit is that the Management doesn't need to push the protections to all gateways during policy installation, and you don't need to perform assign-global-policy after every IPS update in the global level.

You can continue to manage exceptions and granular activation in the global policy, but those changes are usually much less frequent than IPS updates.