Monday, September 28, 2015

CheckPoint - policy installation timing

Every now and then I have issues with policy installation on Check Point firewalls.
This may be due to a lot of different causes.
On one occasion I opened a case with CP TAC and they provided a useful document (How To Troubleshoot Policy Installation Issues) that can also be found in sk65385.

Policy installation can fail for a number of reasons and for most of them an SK can help:

Operation incompleted due to timeout
 sk34377 (http://supportcontent.checkpoint.com/solutions?id=sk34377)
 sk32973 (http://supportcontent.checkpoint.com/solutions?id=sk32973)
 sk34785 (http://supportcontent.checkpoint.com/solutions?id=sk34785)
 sk34274 (http://supportcontent.checkpoint.com/solutions?id=sk34274)
 sk38893 (http://supportcontent.checkpoint.com/solutions?id=sk38893)

Load on Module failed - no memory
 sk40768 (http://supportcontent.checkpoint.com/solutions?id=sk40768)
 sk32080 (http://supportcontent.checkpoint.com/solutions?id=sk32080)
 sk32970 (http://supportcontent.checkpoint.com/solutions?id=sk32970)
 sk33893 (http://supportcontent.checkpoint.com/solutions?id=sk33893)
 sk34289 (http://supportcontent.checkpoint.com/solutions?id=sk34289)

Compatibility package is not properly installed or configured
 sk37720 (http://supportcontent.checkpoint.com/solutions?id=sk37720)
 sk44294 (http://supportcontent.checkpoint.com/solutions?id=sk44294)

Database conversion failed
 sk34834 (http://supportcontent.checkpoint.com/solutions?id=sk34834)


Policy installation is made of several steps that are summarized as follows:

Initiation - Policy installation is initiated from a dedicated dialog window in the SmartDashboard GUI (or from the CLI). The information is passed from SmartDashboard to the SmartCenter.

Verification - The information in the database is verified to comply with a number of rules specific to the application and package for which policy installation is requested. If this verification fails, the process ends here and an error message is passed to the initiator.

Conversion - The information in the database is converted from its initial format to the format understood by the further participants (GUI, SmartCenter, GWs, etc.). During conversion, the rules that constitute the security policy are put into a result file named <policy_name>.W. This file, like the rest of the converted data waiting for code generation, resides in the conf sub-directory of the relevant compatibility package.

Code generation and compilation - The policy is translated to the INSPECT language and compiled with the INSPECT compiler. The result of code generation is a long string containing the resulting INSPECT source code, which is added to a file named <policy_name>.pf, also in the conf sub-directory of the relevant compatibility package. The next step is creating the "state directories", file system directories where files are staged ready to be transferred to the module. A dedicated process compiles $FWDIR/conf/*.pf with all the relevant $FWDIR/lib/*.def files and creates a temporary *.cpp file, which is transferred to the state directories.

CPTA – Policy files are transferred from the temporary state directories on the management and saved in the gateway's temporary state directory. The policy is transferred to the firewall gateway over SIC: CPTA reads the files from the state directories into internal buffers and starts the policy transfer to all the involved gateways.

Commit – When all the files have been transferred successfully, a process called "commit" is initiated: the firewall software is instructed to read the new security policy and start using it. If everything went OK, the cpd process on the gateway side saves the policy in the gateway's permanent state directory.


One piece of information that I found useful is the meaning of the various percentages shown while a policy is being installed.

Here they are:

0%-30%: Policy is verified by the management station and then compiled and converted before being pushed to the gateway. (Initiation, Verification, Conversion, and Code generation and compilation portions from the SK)

30%-70%: Policy is being pushed to the gateway. (CPTA portion from the SK)

70%-100%: Atomic load process where the gateway has the compiled policy and is implementing the changes to the existing policy. (Commit portion from the SK)
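To see where the time goes in a slow or stalled installation, here is an added example of my own (not from the SK or from Check Point) that maps timestamped progress samples onto the three bands above and reports how long each band took and where the installation stopped. The "<timestamp> <percent>%" line format and the sample values are constructed for the example, not a real Check Point log format.

```python
import re
from datetime import datetime

# Percentage bands as given in the post, mapped to the SK phases they cover.
PHASES = (
    (0, 30, "management (verify/convert/compile)"),
    (30, 70, "transfer to gateway (CPTA)"),
    (70, 100, "commit / atomic load"),
)
# Constructed sample format (not Check Point's own): "<ISO timestamp> <percent>%"
LINE_RE = re.compile(r"^(\S+T\S+)\s+(\d{1,3})%$")

def phase_for(pct):
    """Map a progress percentage to the band named in the post."""
    if not 0 <= pct <= 100:
        raise ValueError(f"percentage out of range: {pct}")
    for lo, hi, name in PHASES:
        if lo <= pct < hi:
            return name
    return PHASES[-1][2]  # 100% still belongs to the commit band

def analyze(lines):
    """Seconds per band, the last band reached and whether 100% was hit. A band's
    time runs from its first sample to the next band's first (or the last) sample."""
    samples = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            samples.append((datetime.fromisoformat(m.group(1)), int(m.group(2))))
    if not samples:
        raise ValueError("no progress samples found")
    per_phase, cur, start = {}, None, None
    for ts, pct in samples:
        band = phase_for(pct)
        if band != cur:
            if cur is not None:
                per_phase[cur] = per_phase.get(cur, 0.0) + (ts - start).total_seconds()
            cur, start = band, ts
    per_phase[cur] = per_phase.get(cur, 0.0) + (samples[-1][0] - start).total_seconds()
    return {"per_phase": per_phase, "last_phase": cur, "completed": samples[-1][1] == 100}

# Constructed progress samples for an installation that stalls at 55% (transfer band).
SAMPLE = [
    "2015-09-28T10:00:00 0%", "2015-09-28T10:00:20 15%", "2015-09-28T10:00:45 30%",
    "2015-09-28T10:01:05 50%", "2015-09-28T10:09:05 55%", "2015-09-28T10:11:05 55%",
]

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

For the constructed sample the report shows 45 seconds on the management side and over ten minutes stuck in the 30%-70% band, which points at the CPTA/SIC transfer step and the "Operation incompleted due to timeout" SKs rather than at compilation.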
