Policy install fails after creating Edge object

[Porter]

When we create an Edge objekt on our Smartcenter we're not longer able to install the policy on our gateways. We made shure that we have the current libsw and all needed settings done to make shure that a Edge device can be managed through Smartcenter, e.g. sk31690
After removing the object policy install works fine again.

Error mesage:

Failed to run fw comp: no error
Compilation falid


Anyone ever hat such problems?
Thanks!

[abusharif]

Smartcenter version? R55 or NGX?
If R55 install HFA15 or later.

[Porter]

we use ngx r60 hfa03, was the same problem with hfa02
we have other r55 installations, there it works fine

[abusharif]

Hmm ok

1. Do you have any other Edge objects defined in policy which work?
2. If answer is No to question 1, are you sure libsw files are on right place and not damaged (uploaded in strange way or something) ?
3. Version on Edge object you create is the one box actually has (w,x etc) (dont really know if this one can actually mess things up or not but worth checking).
4. *BC* hotfix package applyed as well?

[Porter]

thanks for your fast reply!

1. there is no other object defined, some as interoperable device because ther was no need yet to manage through martcenter

2. libsw is fine, currently 6.0.76, we use mgmt ha, on both ok

3. it's an x and also so definded, the funny thing is that I just create the object, nothing else, no rules for it what ever and policy install fails.

4. I alreday installed the BC with HFA02, when I tried to install that one thats was delieverd with hfa03 I recieved on both smartcenters that this version is alreday installed. Maybe it's broken?

[abusharif]

Quote:

Originally Posted by Porter

thanks for your fast reply!

1. there is no other object defined, some as interoperable device because ther was no need yet to manage through martcenter

2. libsw is fine, currently 6.0.76, we use mgmt ha, on both ok

3. it's an x and also so definded, the funny thing is that I just create the object, nothing else, no rules for it what ever and policy install fails.

4. I alreday installed the BC with HFA02, when I tried to install that one thats was delieverd with hfa03 I recieved on both smartcenters that this version is alreday installed. Maybe it's broken?

Hmm "4" was very strange. Now in my case i only installed couple of HFA03 on secureplatform and i had to install 'bc' package in both cases (secureplatform package, fw1 package, bc package). I would try digging arround this first, unless someone else can come with better sugestion.

[Porter]

I just deinstalled the bc and installed the new one, but no changes

thanks for help!

[melipla]

For your VPN-1 Edge/Embedded Gateway object's properties, what is your "General Properties" -> "Type" set to?

[Porter]

type is set to VPN-1 EdgeX-Series

looks like that I know now what causes the error
when I run fwm vdb after cpstop on the smartcenter I recieve about 30 error messages like this one:


Error: Object Validation Failed for '##Traffic_Alert' @ 'slp_policies_pr
edefined': Validation error in field 'collection' at object '##Traffic_Alert' @
'Predefined SLP Policies' --> The referenced object 'Traffic_Alert' from table '
policies_collections' does not exist in the database

I migrated last year from R55 to R60, it looks like that the migration went not fine for all services or reference objects, finally I think we have a corrupt database

[abusharif]

Quote:

Originally Posted by Porter

I migrated last year from R55 to R60, it looks like that the migration went not fine for all services or reference objects, finally I think we have a corrupt database

seems so :(
dont know how to solve it tho. You could check sk16476 if it can point you in right direction :s

[Porter]

thanks abusharif! I'll check this out :)

[Mendax]

Hi, we also have a clustered NGX R60 HFA03 and use EDGE devices. When running 'fwm vdb' I get 4 errors including the one Porter mentioned, all of them appear to refer to missing objects within the 'policies_collections' table. If I create new emtpy policies through the Dashboard, calling them the names of the missing objects, the 'fwm vdb' command lists no errors.... which is great, except that I am guessing that the missing references are default policies that should not be empty?!

Our R60 install is not an upgrade from R55, it was a fresh install then gradually upgraded thru from HFA01, HFA02 and recently HFA03. How would I go about fixing this? (maybe there is a way of restoring the default policies?)

I see that abusharif refers to sk16476 but I can't find it on SecureKnowledge when I search for that number, nor can I find any reference to the "fwm vdb" command! Can anyone help please?

[melipla]

Error: "SmartDashboard cannot be loaded since a rulebase was found without a matching policy collection object." when trying to open the SmartDashboard
Solution ID: #sk16476

Product: SmartCenter
Version: NG
Last Modified: 17-Dec-2004
Symptoms

* After moving the Rule Bases and objects files from one management console to another management console, the following error message is received when trying to open SmartDashboard: "SmartDashboard cannot be loaded since a rulebase was found without a matching policy collection object".

Solution
The relationship between policies and policies_collections is as follows:
- Each policy must point to a policies_collection
- There should be up to one policy of each type pointing to the same
policies_collection. NOTE: There can not be two security policies
pointing to the same policies_collection but there can be two policies, one
security and the other QoS, pointing to the same policies_collection).
- There should be exactly one policies_collection marked as the default
policies_collection

In general, there is no dependency between the name of the policies and the name of the policies_collection.

NOTE: The name of the policy collections (Policy Packages in SmartDashboard) and not the name of the policies is what is shown in SmartDashboard.

Download CP Database Tool according to the version of the Management.
for FP2:
http://www.checkpoint.com/techsuppor...dit_b52016.zip

for FP3:
http://www.checkpoint.com/techsuppor...dit_ng_fp3.zip

For NG with Application Intelligence R54 & R55:
http://www.checkpoint.com/techsuppor...dit_ng_r54.zip


1) Connect with GUI DbEdit to the management server and open the "Policies" branch in the left pane.

2) Under "Policies", choose 'fw_policies', the right pane will show all security policies.

3) Go through each policy. Select a policy, and verify that it has a policies_collection associated:
a) Select a policy
b) Look in the "Field Properties" pane at the bottom, the field "collection" must have a value.
c) Make a list of the policies that do not have a value in this field.

4) Choose 'policies_collection' under 'Policies' in the left pane.

5) Create a policies_collection for each policy in the list:
a)Go to the right pane, right click and choose 'New'.
b)Leave the class name as it is, and enter the name for the policies_collection in the "Object" field.

NOTE: Best Practice is to name the object with the name of the policy.
For example, the name of the policy is 'Standard', and appears in the Database Tool as "##Standard".
The policies_collection name should be 'Standard'.

6) Go back to the 'fw_policies' branch.

7) For each policy in the list, double click the 'collection' field. In the 'Edit Element' dialog, choose the proper policies_collection (this should have the same name as the policy).

8) If there are policies of other products , such as fg_policies for QoS, slp_policies for Desktop Security, repeat steps 4-7 for
them; Log Consolidator policies do not need this done.

9) In the 'policies_collection' branch, go through the policies_collection objects and verify that only one policies_collection object has the value '1' for the field 'default'. If there is more than one, change the others to have '0' and leave only one with the value '1'.
10) Choose "File->Save All".
Applies To:

* SmartDashboard NG with Application Intelligence R54
* SmartDashboard NG with Application Intelligence R55
* SmartDashboard NG FP3
* VPN-1/FireWall-1 NG with Application Intelligence R54
* VPN-1/FireWall-1 NG with Application Intelligence R55
* VPN-1/FireWall-1 NG FP3
* VPN-1/FireWall-1 NG FP2
* policy collection object
* policies collection
* Policy Packages
* FireWall-1 policies
* rulebase

[Mendax]

Thanks for that, I'll give it a go.

[Porter]

our problem still exists, we changed and tried so many things but without success, today we openend a call at CP, I'll let you know the results

[Porter]

we had some rules where the NAT installation was set to "Policy Targets" that caused the error, now it's gone! Still have the problem that the policy could not be installed on a edge -> Db conversion failed, still waiting for reply from CP

[Porter]

in the meantime were're able to create a edge and install the policy afterwards on our gws without any error message..wow :D

But, if we try to install into a edge profil we recieve following error message:

Failure while copying files compatibillity package directory

CP has no solution for that and they can't recreate the error, recommendations are to reinstall our mgmgt servers....hmpf :(

[Porter]

does anyone know where the policy installation process copies the files for the egde profiles to? thanks :x

[Porter]

files that are touched on a splat r61 while installing into edge profile:

/opt/CPEdgecmp-R61
/opt/CPEdgecmp-R61/bin
/opt/CPEdgecmp-R61/bin/SofaWare
/opt/CPEdgecmp-R61/bin/SofaWareC
/opt/CPEdgecmp-R61/bin/SofaWareCompile.sh
/opt/CPEdgecmp-R61/bin/SofaWareG
/opt/CPEdgecmp-R61/bin/SofaWareGenerate.sh
/opt/CPEdgecmp-R61/bin/SofaWareP
/opt/CPEdgecmp-R61/bin/SofaWarePostHex.sh
/opt/CPEdgecmp-R61/bin/SofaWarePostPack.sh
/opt/CPEdgecmp-R61/bin/SofaWareT
/opt/CPEdgecmp-R61/bin/SofaWareTopology.sh
/opt/CPEdgecmp-R61/bin/SofaWareV
/opt/CPEdgecmp-R61/bin/SofaWareViaRules.sh
/opt/CPEdgecmp-R61/bin/SofawareL
/opt/CPEdgecmp-R61/bin/SofawareLoader
/opt/CPEdgecmp-R61/bin/fw
/opt/CPEdgecmp-R61/bin/fwc
/opt/CPEdgecmp-R61/bin/fwcomp
/opt/CPEdgecmp-R61/bin/fwcpp
/opt/CPEdgecmp-R61/conf
/opt/CPEdgecmp-R61/conf/SofawareLoader.ini
/opt/CPEdgecmp-R61/conf/Standard
/opt/CPEdgecmp-R61/conf/Standard.FE
/opt/CPEdgecmp-R61/conf/Standard.W
/opt/CPEdgecmp-R61/conf/asm_edge.C
/opt/CPEdgecmp-R61/conf/asm_profiles.C
/opt/CPEdgecmp-R61/conf/content_security.C
/opt/CPEdgecmp-R61/conf/cp-gui-clients
/opt/CPEdgecmp-R61/conf/cp.license
/opt/CPEdgecmp-R61/conf/cp.macro
/opt/CPEdgecmp-R61/conf/cpmi-schema.properties
/opt/CPEdgecmp-R61/conf/fwauth.NDB
/opt/CPEdgecmp-R61/conf/gui-clients
/opt/CPEdgecmp-R61/conf/inspect_logs_profiles.C
/opt/CPEdgecmp-R61/conf/logger.ini
/opt/CPEdgecmp-R61/conf/magic
/opt/CPEdgecmp-R61/conf/node_timestamp.C
/opt/CPEdgecmp-R61/conf/objects.C
/opt/CPEdgecmp-R61/conf/sofaware_mso_priv.key
/opt/CPEdgecmp-R61/conf/spii_profiles.C
/opt/CPEdgecmp-R61/conf/xlate.conf
/opt/CPEdgecmp-R61/lib/setup.C
/opt/CPEdgecmp-R61/lib/user.def
/opt/CPEdgecmp-R61/lib/wellfleet.C
/opt/CPEdgecmp-R61/libsw/../conf/xlate.conf
/opt/CPEdgecmp-R61/libsw/auth.def
/opt/CPEdgecmp-R61/libsw/base.def
/opt/CPEdgecmp-R61/libsw/code.def
/opt/CPEdgecmp-R61/libsw/cp_algs.def
/opt/CPEdgecmp-R61/libsw/crypt.def
/opt/CPEdgecmp-R61/libsw/dcerpc.def
/opt/CPEdgecmp-R61/libsw/dcom.def
/opt/CPEdgecmp-R61/libsw/dup.def
/opt/CPEdgecmp-R61/libsw/exchange.def
/opt/CPEdgecmp-R61/libsw/formats.def
/opt/CPEdgecmp-R61/libsw/fwconn.h
/opt/CPEdgecmp-R61/libsw/fwui_head.def
/opt/CPEdgecmp-R61/libsw/fwui_trail.def
/opt/CPEdgecmp-R61/libsw/h323.def
/opt/CPEdgecmp-R61/libsw/init.def
/opt/CPEdgecmp-R61/libsw/kerntabs.h
/opt/CPEdgecmp-R61/libsw/policy.ini
/opt/CPEdgecmp-R61/libsw/s
/opt/CPEdgecmp-R61/libsw/snmp.def
/opt/CPEdgecmp-R61/libsw/sofaware.def
/opt/CPEdgecmp-R61/libsw/sofaware.h
/opt/CPEdgecmp-R61/libsw/sofaware_base.def
/opt/CPEdgecmp-R61/libsw/sw
/opt/CPEdgecmp-R61/libsw/sw_conn_helpers.def
/opt/CPEdgecmp-R61/libsw/sw_ftp.def
/opt/CPEdgecmp-R61/libsw/sw_nat.def
/opt/CPEdgecmp-R61/libsw/sw_p2p_block.def
/opt/CPEdgecmp-R61/libsw/sw_proxy.def
/opt/CPEdgecmp-R61/libsw/sw_record_conn.def
/opt/CPEdgecmp-R61/libsw/sw_sd.def
/opt/CPEdgecmp-R61/libsw/sw_sd_functions.def
/opt/CPEdgecmp-R61/libsw/sw_skinny.def
/opt/CPEdgecmp-R61/libsw/sw_tunneling.def
/opt/CPEdgecmp-R61/libsw/sw_user_rules.def
/opt/CPEdgecmp-R61/libsw/sw_vpn.def
/opt/CPEdgecmp-R61/libsw/sw_vpn_helpers.def
/opt/CPEdgecmp-R61/libsw/swalgs.def
/opt/CPEdgecmp-R61/libsw/swh323_in.def
/opt/CPEdgecmp-R61/libsw/swh323_out.def
/opt/CPEdgecmp-R61/libsw/table.def
/opt/CPEdgecmp-R61/libsw/tcpip.def
/opt/CPEdgecmp-R61/libsw/traps.def
/opt/CPEdgecmp-R61/libsw/traps.h
/opt/CPEdgecmp-R61/libsw/user.def
/opt/CPEdgecmp-R61/libsw/xtreme.def
/opt/CPEdgecmp-R61/tmp
/opt/CPEdgecmp-R61/tmp/
/opt/CPEdgecmp-R61/tmp//Standard.via
/opt/CPEdgecmp-R61/tmp/Edge
/opt/CPEdgecmp-R61/tmp/Edge_W.c
/opt/CPEdgecmp-R61/tmp/Edge_W.cf
/opt/CPEdgecmp-R61/tmp/Edge_W.cfz
/opt/CPEdgecmp-R61/tmp/Edge_W.cp
/opt/CPEdgecmp-R61/tmp/Edge_W.cpp
/opt/CPEdgecmp-R61/tmp/Edge_W.errors
/opt/CPEdgecmp-R61/tmp/Edge_W.fc
/opt/CPEdgecmp-R61/tmp/Edge_W.ft
/opt/CPEdgecmp-R61/tmp/Edge_W.lg
/opt/CPEdgecmp-R61/tmp/Edge_W.pf
/opt/CPEdgecmp-R61/tmp/Edge_W.pft
/opt/CPEdgecmp-R61/tmp/Edge_W.pfz
/opt/CPEdgecmp-R61/tmp/Edge_W.set
/opt/CPEdgecmp-R61/tmp/Edge_W.to
/opt/CPEdgecmp-R61/tmp/Edge_W.topo
/opt/CPEdgecmp-R61/tmp/Edge_W.tp
/opt/CPEdgecmp-R61/tmp/Edge_W.tpz
/opt/CPEdgecmp-R61/tmp/Standard.
/opt/CPEdgecmp-R61/tmp/Standard.errors
/opt/CPEdgecmp-R61/tmp/Standard.via
/opt/CPEdgecmp-R61/tmp/code.def
/opt/CPEdgecmp-R61/tmp/fwui_head.def
/opt/CPEdgecmp-R61/tmp/fwui_trail.def
/opt/CPEdgecmp-R61/tmp/init.def
/opt/CPEdgecmp-R61/tmp/user.def

[Porter]

finally I got it running, there where also wrong permissions set on folders lib and bin, so the policy installation process was not able to install into the edges profil(s)...I'm very glad now :x