CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1 (permalink), 2006-12-05
eldo37 (Member)
Policy server install

Hi all,

I would like to know whether, with NGX R60, we have to install the Policy Server add-on module with a Nokia IPSO firewall, or whether this module is now integrated with NGX.

Thanks,
eldo.

#2 (permalink), 2006-12-05
kva.kva (Senior Member)
Re: Policy server install

For NGX, SecureClient Policy Server is a part of the VPN-1 Pro/Power package.

#3 (permalink), 2006-12-05
eldo37 (Member)
Re: Policy server install

Thanks kva,

My problem is that we tried to push the Desktop Security policy from the management server to the gateway, but it failed with the error:

"installation failed, reason memory allocation problem in policy installation function"

It seems that dtpsd is not running on the Nokia cluster.
How do we activate the Policy Server on the Nokia cluster in order to push the Desktop Security policy?

eldo

#4 (permalink), 2006-12-05
kva.kva (Senior Member)
Re: Policy server install

Did you see errors in $FWDIR/log/fwd.elg and dtps.elg (something like "cannot run server dtpsd")?
Do you see dtpsd from the "ps eax" command?
Try to debug: "dtps debug on", log file $FWDIR/log/dtps.elg

#5 (permalink), 2006-12-05
eldo37 (Member)
Re: Policy server install

In fwd.elg I have the following error message:

" get_active_policy_name: Failed to get Security Policy information "

On the active cluster member I have no dtps process running.

On the backup cluster member I have added this line to fwauthd.conf:
" 0 dtps dtpsd respawn 0 "
but I still get this error message:

" user_count_not_ok: Desktop Security was not installed on the Policy Server.
cpfile_copy: failed to open /opt/CPsuite-R61/fw1/state/local/PS/local.dt: No such file or directory
cpfile_copy: failed to open /opt/CPsuite-R61/fw1/state/local/PS/local.scv: No such file or directory "

When I debug the backup cluster member I get:

Policy Server daemon: starting debug
psd_msg_installation_failed: Policy file installation failed.
fwasync_conn_get: get max buffer size (1048576) .
signals_handler: dispatched signal 30 to handler 0x2370


eldo.

#6 (permalink), 2006-12-07
kva.kva (Senior Member)
Re: Policy server install

Quote (originally posted by eldo37):
" user_count_not_ok:

Hmm, maybe a problem with licenses

#7 (permalink), 2006-12-07
eldo37 (Member)
Re: Policy server install

On one gateway cluster member I have this license:
CPVP-VFM-U-3DES-NGX CPVP-VPS-1-NGX CPMP-PPK-1-NGX CK-435BDF47C2C

On the other cluster member I have:
CPVP-VEE-U-3DES-MODULE-NGX CPVP-VPS-1-NGX CPMP-PPK-1-NGX CK-FCE582090585

On the management server I have:
CPVP-VSC-25-NGX CK-56144FA4A0B4
CPVP-VSR-1000-NGX CK-83EAC83861E1
CPVP-VEE-U-3DES-MGMT-NGX CPMP-DBVR-U-NGX CK-FCE582090585

When I put one evaluation licence on the management server, the problem still exists.

Any idea?

#8 (permalink), 2006-12-07
Acidio (Senior Member)
Re: Policy server install

The Policy Server components need to be installed, and then configured in SmartDashboard (which you have probably done).

#9 (permalink), 2006-12-11
eldo37 (Member)
Re: Policy server install

Hi,

Yes, I have done all that, but the problem still exists.

Any suggestions?

eldo

#10 (permalink), 2006-12-13
kva.kva (Senior Member)
Re: Policy server install

I don't have good ideas about resolving your problem. Maybe we need to return to the message "installation failed, reason memory allocation problem in policy installation function". Maybe it is a problem with some system parameters...

#11 (permalink), 2007-02-19
jvalenzuela (Junior Member)
Re: Policy server install

Hi

I have the same problem at this time. I have a pair of Nokia appliances in VRRP. I installed and enabled the Policy Server, but the service never comes up.

I also tried reinstalling and activating it before running the first cpconfig, but it didn't work. Has anyone solved this?

Thanks

Jorge

#12 (permalink), 2007-02-20
abusharif (Senior Member)
Re: Policy server install

Memory allocation problems can often be caused by "comments" in rules or rule names that contain strange characters and letters. For this, always use English only, without "local" letters.

You can also check stats on memory allocation with 'fw ctl pstat'.

Also, depending on the HFA build, you should use hfa_04 if you don't already on R60. It contains some important dtpsd fixes.

#13 (permalink), 2007-02-20
jvalenzuela (Junior Member)
Re: Policy server install

It's not a hardware problem. The boxes have 2 GB RAM and it's still in a lab environment, so it's not a resources issue.

Something else I found is that the SmartView Status says the Policy Server is down on both fws.

However, I'll check the HFAs.

Please let me know if you have more ideas.

Regards

Jorge

#14 (permalink), 2007-02-20
abusharif (Senior Member)
Re: Policy server install

Memory allocation problems don't necessarily mean a hardware problem; instead, it is Check Point's application that has the problems. fw ctl pstat shows the firewall's memory allocations from the reserved pool. These can be tweaked, though, in the capacity optimizations done from SmartDashboard on the gateway objects. I had a couple of these before, and adjusting the values helped. Automatic calculation mode, which is enabled by default, is not that automatic nor intelligent, it seems. These are of course my observations and tests made on some gateways.

#15 (permalink), 2007-02-20
jvalenzuela (Junior Member)
Re: Policy server install

I'm sorry. Would you mind telling me how to manually change these values?

#16 (permalink), 2007-02-20
jvalenzuela (Junior Member)
Re: Policy server install

I found the option. I'll try moving the values.

Thx.

Jorge

#17 (permalink), 2007-02-21
abusharif (Senior Member)
Re: Policy server install

Quote (originally posted by jvalenzuela):
I found the option. I'll try moving the values.

Thx.

Jorge

Please note, you don't have to change these values unless fw ctl pstat is showing you allocation failures. If it does and you decide to tweak the values, there is a document on SecureKnowledge on how this should be done (formula for getting correct values).
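
The check described in the post above (tune only when fw ctl pstat reports allocation failures), as an added example that is not part of the original thread: a shell function that lists the memory sections whose failed-allocation counter is non-zero. The sample text is constructed, and the assumed layout (an "N failed alloc" counter under "(hmem)", "(smem)" and "(kmem)" headings) should be compared with the output of your own version.

```shell
#!/bin/sh
# Added example: list memory sections in `fw ctl pstat` output whose
# "failed alloc" counter is non-zero. The output layout is an assumption.

# Reads pstat text on stdin, prints "<section> <failed_count>" per affected section.
pstat_failed_allocs() {
    awk '
        /statistics:/ {
            # Section tag is the word in parentheses, e.g. "(hmem)"
            section = "unknown"
            if (match($0, /\([a-z]+\)/))
                section = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /failed alloc/ {
            # Split the counters; "failed free" must not be counted
            n = split($0, parts, "[:,]")
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /failed alloc *$/) {
                    split(parts[i], f, " ")
                    if (f[1] + 0 > 0) print section, f[1]
                }
        }
    '
}

# Exit status 0 when at least one section reports failed allocations.
pstat_has_failures() {
    [ -n "$(pstat_failed_allocs)" ]
}

# Constructed sample standing in for real gateway output.
sample_pstat() {
    cat <<'EOF'
Hash kernel memory (hmem) statistics:
  Total memory allocated: 20971520 bytes in 5120 4KB blocks using 1 pool
  Allocations: 812345 alloc, 37 failed alloc, 801002 free

System kernel memory (smem) statistics:
  Total memory  bytes  used: 59830420   peak: 61004288
  Allocations: 41236 alloc, 0 failed alloc, 40111 free, 0 failed free

Kernel memory (kmem) statistics:
  Total memory  bytes  used: 42115800   peak: 43999120
  Allocations: 853581 alloc, 12 failed alloc, 841113 free, 0 failed free
EOF
}

# On a gateway: fw ctl pstat | pstat_failed_allocs
sample_pstat | pstat_failed_allocs
```

An empty result means no section reported failed allocations, which by the advice above is the case where the capacity values are left alone.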

#18 (permalink), 2007-02-21
jvalenzuela (Junior Member)
Re: Policy server install

The Policy Server never started on the gateways, even after installing a newer version. However, this is the way I solved it:

1. Upgrade the SmartCenter to R60 HFA3 (why HFA3? Just because those were the CDs I had)
2. Upgrade the Check Point products version on the Nokias to R60
3. Upgrade the licenses
4. Apply the policy (both policies)
5. Lab.

Everything ran OK.

Notes:

- R55 is not supported for IPSO 4.x (it doesn't say it is, so I think it's not)
- Nokia IP390 does not support earlier versions of IPSO 4.x
- R60 gateways do not have Policy Server (it's embedded) ^_^

I don't know if this will help you guys, but it's a possible solution.

Thanks to everyone who wrote here.

Regards

Jorge