| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
I have FW-1/VPN-1 NG FP3 on RedHat Linux 7.3. Management and enforcement on the same box. SmartDashboard on Windows PC. I can create and save policy rulebases. When I try to install the policy from SmartDashboard it hangs.

A SmartDashboard policy install runs fwm load on the management server, so I tried it from the command line, but it seg faults:

```
[root@ozicomfw01 conf]# fwm load 25072005_DW1.pf ozicomfw01
25072005_DW1: Compiled OK.
Installing CPMAD Policy On: localhost
Segmentation fault
```

When I do a cpstop/cpstart it seems to be able to load and fetch the policy just fine:

```
#cpstart
cpstart: Start Product - SVN Foundation
SVN Foundation: Starting cpWatchDog
SVN Foundation: Starting cpd
SVN Foundation: Started
cpstart: Start Product - FireWall-1
FireWall-1: Startinf external VPN module -- OK
FireWall-1: Starting fwd
FireWall-1: Starting fwm (SmartCenter Server)
Installing Security Policy 25072005_DW1 on all.all@ozicomfw01
Fetching Security Policy from localhost succeeded
FireWall-1 Started
#
```

I ran strace on fwm load and noticed that it dies just after creating a bunch of temp files in /opt/CPfw1-50-03/state/local/CPMAD.tmp and opening a CPMAD related file. Don't know if this is useful or not...

```
open("/opt/CPfw1-50-03/state/local/CPMAD.tmp/policy.map", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 12
fstat64(12, {st_mode=S_IFREG|0664, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x49257000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
```

Looking at the logs in SmartView Tracker, the enforcement module appears to be working.

I used to be able to install policies but now I can't. I *think* the problem began after I mucked around with the Certificate Authority. In cpconfig option 7, I changed the FQDN setting from localhost@localdomain to its real FQDN so I could issue a certificate for a SecureRemote user. Changing it back to localhost@localdomain had no effect on the problem. I'm not sure if doing this caused the policy install to start seg faulting.

I have 3 questions:

Q1. Has anyone else had this problem and if so what did you do to fix it/what was the cause?

Q2. The fwm load says "Installing CPMAD Policy" and cpstart says "Installing Security Policy". Are they the same thing or something different? Does it matter for this problem?

Q3. What is the difference between the install and the fetch stages of the startup during cpstart? Does cpstart run fwm load or does it install the policy some other way?

Any other suggestions welcome. Thanks.
| |||
| For those interested, the problem here was an incorrect /etc/hosts file. My hosts file had the firewall name, FQDN and "localhost" allocated to the loopback address, but nothing for the external IP address. Once I moved the hostname and FQDN to the external IP address, the policy install worked. |
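
A check for the condition described in the last post, as an added example that is not part of the original thread or any Check Point tooling: it reads a hosts-format file and reports which names are mapped only to a loopback address. The function names, the `example.com` FQDN and the `192.0.2.10` address are constructed for illustration; only the hostname `ozicomfw01` comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). hosts_check FILE NAME...
# Prints "<name> <status>" for each NAME, where status is:
#   ok             the name appears on a non-loopback line
#   loopback-only  the name appears only on 127.x / ::1 lines
#   missing        the name is not in the file at all
# Returns 1 if any name is not "ok". FILE may be "-" for stdin.
# Typical use: hosts_check /etc/hosts "$(hostname)" "$(hostname -f)"
hosts_check() {
    file=$1; shift
    awk -v names="$*" '
        BEGIN { n = split(tolower(names), want, " ") }
        {
            sub(/#.*/, "")            # drop comments; awk re-splits the fields
            if (NF < 2) next          # blank line, or an address with no names
            loop = ($1 ~ /^127\./ || $1 == "::1")
            for (i = 2; i <= NF; i++) {
                h = tolower($i)
                if (loop) { on_loop[h] = 1 } else { on_real[h] = 1 }
            }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                h = want[i]
                if (h in on_real) { s = "ok" }
                else if (h in on_loop) { s = "loopback-only"; bad = 1 }
                else { s = "missing"; bad = 1 }
                print h, s
            }
            exit bad
        }
    ' "$file"
}

# Constructed sample: every name on the loopback line, as the post describes.
sample_before() {
    cat <<'EOF'
127.0.0.1   ozicomfw01 ozicomfw01.example.com localhost
EOF
}

# Constructed sample: hostname and FQDN moved to a (made-up) external address.
sample_after() {
    cat <<'EOF'
127.0.0.1   localhost
192.0.2.10  ozicomfw01.example.com ozicomfw01   # constructed address
EOF
}
```

Running `sample_before | hosts_check - ozicomfw01 ozicomfw01.example.com` reports both names as loopback-only; the same call on `sample_after` reports both as ok.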