| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi, I have an R70.20 Smartcenter server. I had a working R65 HFA40 UTM1 firewall which I upgraded to R70. The upgrade was successful and the firewall works fine until I come to install a policy; it then just hangs on verifying and times out. I am then unable to install a policy on any firewall until I reboot the Smartcenter. I can however fetch a policy from the firewall directly. All of the existing R65 firewalls still work and I can install a policy on these firewalls as and when required. I made sure after I upgraded the UTM that I changed the version from R65 to R70; the license used is an R70. I then upgraded to R70.20, which made no difference. Any ideas why I cannot install a policy? Thanks |
| |||
| Try this:

1. Open a Command Line Interface.
2. Run the cpstop command, to stop all Check Point services.
3. Change to the $FWDIR/conf directory.
4. Remove or rename the following files from the $FWDIR/conf directory:
   - applications.C
   - applications.C.backup
   - CPMILinksMGR.db
   - CPMILinksMGR.db.private
5. Run the cpstart command to start all Check Point services. |
| |||
| I moved these files from the Smartcenter server and it did not work. I even deleted and recreated the firewall object, it still hangs when attempting to install a policy. Any other ideas? Last edited by rji479; 2010-03-02 at 04:53. |
| |||
| Well the last thing I can think of is maybe the state is corrupt. To properly clear the $FWDIR/state directory, apply the steps below for your product installation.

Note: You must have local console access to the firewalls during this procedure. It cannot be done remotely.

Note: DO NOT delete the DATABASE DIRECTORY on the MANAGEMENT SERVER.

Clearing the $FWDIR/state and database directory contents, and reinstalling the Security Policy (the Management Server and Enforcement Module are on separate machines):

1. Close all GUI Clients.
2. Issue cpstop on the Enforcement Module.
3. Issue cpstop on the Management Server.
4. Make a backup of the $FWDIR/state directory contents on the Enforcement Module.
5. Make a backup of the $FWDIR/database directory contents on the Enforcement Module.
6. Make a backup of the $FWDIR/state directory contents on the Management Server.
7. Remove all contents in the $FWDIR/state directory on the Enforcement Module. (Do not remove the $FWDIR/state directory itself.)
8. Remove all contents in the $FWDIR/database directory on the Enforcement Module. (Do not remove the $FWDIR/database directory itself.)
9. Remove all the contents in the $FWDIR/state directory on the Management Server. (Do not remove the $FWDIR/state directory itself. And do not remove the local.arp file, if it exists.)
10. Issue cpstart on the Management Server.
11. Issue cpstart on the Enforcement Module.

    Note: A message stating that the Enforcement Module cannot get/fetch a Security Policy will be displayed. This is an indication that the contents of the $FWDIR/state directory on both the Management Server and Enforcement Module have been cleared properly.

    Caution: This is why you must have local console access. The Enforcement Module will invoke a default Policy, which will block traffic from passing through the network interface cards (NICs). You must run "fw unloadlocal" on the Enforcement Module from the command line before Policy installation. The Enforcement Module is vulnerable to attack, until the Policy is installed.
12. Open the GUI Client.
13. Install the Security Policy.

If you experience adverse effects after implementing this procedure, simply restore your backed up state to recover. (It is highly unlikely that you will need to do this.)

1. Run cpstop
2. Remove all contents in the $FWDIR/state directory on the Enforcement Module. (Do not remove the $FWDIR/state directory itself.)
3. Remove all contents in the $FWDIR/database directory on the Enforcement Module. (Do not remove the $FWDIR/state directory itself.)
4. Remove all the contents in the $FWDIR/state directory on the Management Server. (Do not remove the $FWDIR/state directory itself. And do not remove the local.arp file, if it exists.)
5. Copy the contents of your backed up state and database directories on both the Enforcement and Management Server to their original locations.
6. Run cpstart |
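
Added example, not part of the original post: a shell helper for the backup-then-clear steps above, which copies before it deletes, leaves the directory itself in place, and refuses to run if $FWDIR is unset. The function names and the backup location are assumptions, and it relies on find's -mindepth/-maxdepth options (GNU find).

```shell
#!/bin/sh
# Added example; function names and backup location are hypothetical.
# Run only after cpstop, from the local console.

# backup_and_clear DIR BACKUP_ROOT [KEEP_FILE]
# Copies DIR's contents to a timestamped folder under BACKUP_ROOT, then
# empties DIR (leaving DIR itself and KEEP_FILE). Prints the backup path.
backup_and_clear() {
    dir=$1; backup_root=$2; keep=${3:-}

    # If $FWDIR is unset, "$FWDIR/state" expands to "/state": refuse
    # empty and top-level paths rather than delete in the wrong tree.
    case "$dir" in
        ""|/|/state|/database) echo "refusing path '$dir'" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Back up first; stop before deleting anything if the copy fails.
    dest="$backup_root/$(basename "$dir").$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest" || return 1
    cp -Rp "$dir/." "$dest/" || return 1

    # Delete every entry, dotfiles included. -mindepth 1 spares DIR itself.
    if [ -n "$keep" ]; then
        find "$dir" -mindepth 1 -maxdepth 1 ! -name "$keep" -exec rm -rf {} +
    else
        find "$dir" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
    fi
    echo "$dest"
}

# Enforcement Module: clear state and database.
clear_module() {
    backup_and_clear "${FWDIR:?FWDIR is not set}/state" "$1" &&
    backup_and_clear "${FWDIR:?FWDIR is not set}/database" "$1"
}

# Management Server: clear state only, keep local.arp, never touch database.
clear_mgmt() {
    backup_and_clear "${FWDIR:?FWDIR is not set}/state" "$1" local.arp
}
```

The path each call prints is the folder to copy back from if the restore steps are needed.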
| |||
| Thanks for this. I will have to make an onsite visit to do this. It may well be easier to restore to factory defaults and upgrade. I'll let you know. Thanks |
| |||
| Quote:
Yea, that may be an option as well. Good luck, let us know what the final fix is. Thanks, Bobby |
| |||
| I had the same issue last week. Why does it fail? If you get the message "Database Convertion Failed" it's because the SmartDefense database is corrupted and cannot be converted to R70 IPS. Try this:

On Smart Center Server:

- cpstop
- expert mode
- $FWDIR/conf
- remove and backup applications.C*
- remove and backup CPMILinksMgr.db*
- cpstart

Open Smart Dashboard, and update IPS from the Tab IPS. You have to sign in with a valid account to download updates. If you don't have one, before all this, put in a Trial License. After the upgrades are done, check that the firewall object is R70 and the feature IPS is marked. Click SAVE, and try to install policies again.

It worked for me. I have upgraded an R65 installation to R70.

Lucas S. Garcia CCSA |
| |||
| I found some time to dedicate to this issue, so I deleted the gateway node from the Smartcenter and then reset the UTM to factory default, which was R65. I immediately upgraded to R70 before adding it as a new gateway on the Smartcenter. I was able to create the object, define topology, etc., but still could not push a policy. Arrrgh. I did recreate this gateway using the same name and IP address as before. I am thinking perhaps this could be the problem. I had a look on the Smartcenter and I could see under the /conf folder subfolders for each of the gateways, including live and previously deleted gateways. I assume the configuration for these gateways is included in these subfolders. Correct? Is there a safe way to remove all trace of the gateways from the Smartcenter? Thank you. |
| |||
| Quote:
Take an upgrade_export of the Smartcenter and then use guidbedit to remove all old info. |