| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi All,

I'm new to this forum so was wondering if anyone can help me with an issue I'm experiencing.

I have a SPLAT smartcenter NGXR60 HFA_05 with a Nokia IP330 NGX R60 HFA_05.

When I try to install the policy I get the following message:-

Load on Module failed - failed to load Security Policy

From the Nokia, if I run the fw fetch command it attempts to fetch the policy but then errors with the following:-

"/opt/CPsuite-R60/fw1/state/__tmp/FW1/local.ft" line 65 duplicate entry in table...

No matter what I try I always get this error.

Any help would be much appreciated as it is extremely urgent as currently we cannot apply new policies to our live firewall.

Regards,
Gavin |
| |||
| Quote:
Check for SPLAT compatibility:
http://www.checkpoint.com/products/s...ngx/index.html
http://www.checkpoint.com/products/s...ting_tool.html

Quote:

Do you use auto-NAT? If so, do you have anything like this:

host: HOST1 (has internal IP and AUTO-NAT IP)
host: NAT_HOST1 (has only the external IP for the same host above?)

Since my NGX was upgraded from an older version, I had this type of host situation and that is what caused the same scenario you describe for me. I only had the 2 DNS servers that caused the issue ONLY BECAUSE of SmartDefense, but hundreds of the NAT paired objects have existed in my db for well over a year without issue until then. It played hell with my state table on HA firewalls and I got the same error message and symptoms.

Your issue could be solely the inadequate Nokia hardware, but here is the case summary of my issue:

-----------------------------
With the article regarding the duplicate entries pointing to NAT as an issue, I thought that there might be an issue with how SmartDefense was implementing the DNS protection with an object that has automatic NAT enabled. John made mention of the fact that he also has objects that specify the public IP address of the DNS servers and that he was really only trying to implement the protection.

It turns out that, even though he had unchecked "DNS server" from each of the objects, the change wasn't taking. The change only took if John unchecked the automatic NAT (to get rid of the relationship between the objects), unchecked DNS server on the manual NAT object (opening it up again to verify and make sure that it would take effect), unchecked DNS server on the original private IP objects for the DNS servers, and then re-enabled automatic NAT (since it had been enabled and working prior to the new changes).

After making all those changes and saving policy, the DNS servers no longer showed up in the SmartDefense protection and John was able to push policy. The long and short of it is that the firewalls were checking for this duplicate object relationship in the inspect code (thus the errors) whereas the SmartCenter was not (no errors).
----------------------------

__________________
There's no place like 127.0.0.1 |
| |||
| Hi,

Thanks for the response. I have now resolved the issue; while it was exactly the same resolution as yours, the advice you gave pointed me in the right direction.

Basically I had defined two hosts as web servers to be protected by web defense with the same IP address... Typo on my part...

Thanks again for your reply, it has helped me resolve a very urgent issue.

Best Regards,
Gavin |
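
Both causes reported in this thread come down to two host objects claiming the same protection role (DNS server, web server) for one address, either directly or through an automatic NAT address. The check below is an added example, not part of any post above and not Check Point code; it runs over a hypothetical CSV export of host objects, and the column names, role labels and sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a hypothetical CSV export of host objects.
# The columns and role labels are assumptions, not a Check Point file format.
SAMPLE_OBJECTS = """\
name,ip,auto_nat_ip,roles
HOST1,10.1.1.10,192.0.2.10,dns_server
NAT_HOST1,192.0.2.10,,dns_server
WEB_A,10.1.2.20,,web_server
WEB_B,10.1.2.20,,web_server
MAIL1,10.1.3.30,192.0.2.30,
NAT_MAIL1,192.0.2.30,,
"""


def find_role_collisions(csv_text):
    """Return {(role, address): [object names]} for every address that two
    or more objects claim under the same protection role."""
    claims = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = [r.strip() for r in row["roles"].split(";") if r.strip()]
        # An object answers for its own IP and, if set, its automatic NAT IP.
        addresses = {row["ip"].strip(), row["auto_nat_ip"].strip()} - {""}
        for role in roles:
            for addr in addresses:
                claims[(role, addr)].add(row["name"])
    # NAT pairs with no role (MAIL1 / NAT_MAIL1) share an address but are
    # not reported: only a shared role on a shared address is a collision.
    return {key: sorted(names) for key, names in claims.items() if len(names) > 1}


if __name__ == "__main__":
    for (role, addr), names in sorted(find_role_collisions(SAMPLE_OBJECTS).items()):
        print(f"{role} {addr}: {', '.join(names)}")
```

Running a check like this against the object database before a policy install surfaces the pairs to fix on the management side, instead of finding them through a failed load on the module.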