View Full Version : Policy push fails after IPS update

2011-02-01, 05:42
Just wondering if anyone has come across the issue I am having.
IPS has an issue automatically updating, but AV/AS doesn't, but thats not the issue, well not the main one.
So when I enter Smart Dashboard I get the warning IPS failed to update and then at the bottom right a popup appears saying do you want to update IPS or remind me later. If I chose update now it will download the latest IPS sigs and then install them. All seems fine and the first policy push I perform works without an issue. But if I try to install a policy a second time it fails with the unable to push policy not enough memory error, which from the checkpoint forums has nothing to do with a lack of memory instead it's just a general error message.
The only way to resolve the issue is to perform a restore from a version before the IPS update. This started happening after the 24/01/2011 IPS updates, and still happens with the current 30/01/2011 version.
Anyone have any thoughts or come across this?
Version R71.20
Power-1 9075
Smart-1 25

2011-02-07, 04:44
Hi, i've been running into the same problems...

Running Splat 70.4 on IBM X-3650...
BUT: A second Cluster running 70.4 on old Fujitsu Hardware doesn't have the problem

Installing the policy on this Fujitsu Cluster works without Problems with the new IPS-Definitions,
installing the policy on the IBM X-3650 cluster is not possible...

The 2 Clusters are managed by the same Managementserver :-(

2011-02-09, 05:30
New IPS Build 634110208
--> Problems still the same!

2011-02-09, 12:22
installing the policy on the IBM X-3650 cluster is not possible...

What error message are you getting? Not enough memory?

"Not enough memory" generally indicates some kind of circular reference between two objects that cycles infinitely during policy compilation. The most common culprits are Node...Host objects that reference an IP address in use by a cluster object/firewall. Do you have any objects like that? It also might be interesting to right click Network Objects and choose Query...Refine By...Duplicates; try cleaning up duplicate objects and try again.

2011-02-10, 12:07

yes, not enough memory is the error message....

but this wasn't the problem :-(
I cleaned up all the duplicates, replaced nodes that were in use by the cluster but the problem is still there...

2011-02-10, 13:09
Open up the Dashboard, and get right to the screen where you are going to install policy by clicking OK. Before starting the policy load, type this from a command prompt on the SmartCenter:

fw debug fwm on TDERROR_ALL_ALL=5

Start the policy push and wait for it to fail. Once it does, run this command immediately on the SmartCenter:

fw debug fwm off TDERROR_ALL_ALL=0

Check out the $FWDIR/log/fwm.elg file for the debug output. Not the easiest reading, but you should see something towards the bottom of the output that will indicate the objects involved in the circular reference.

2011-02-11, 06:26

yes, not enough memory is the error message....

but this wasn't the problem :-(
I cleaned up all the duplicates, replaced nodes that were in use by the cluster but the problem is still there...

I had a memory issue during ips install on IPSO cluster, but managed to circumvent it by dropping the ips to default level, installing and then rising it again to my settings and installing again. Now I have some memory chips waiting to be installed since the memory was actually too low during the install.

To my understanding your SPLAT uses swap while my flash IPSO doesn't, so don't know the root cause, but you could try the workaround until getting it to work.

2011-02-16, 09:16
Actually I've logged a TAC Case with Checkpoint via our reseller!
I'll keep you up to date

Thanx for your help!

2011-02-21, 11:36
I apologise for not responding to the replies people were leaving. So far I haven't found a fix for this issue. I have disabled IPS updates and tell the warning message to, "Remind me late", but it will get the same answer then as well.

I'm raising this with my supplier today. As soon as I get a response with a possible fix/reason for the error I'll update the post.

A virtual pint for the user with a permanent solution. Turning off IPS doesn't count. ;)

2011-02-25, 11:40
My supplier recieved a suggestion from Check point to fix the issue:

1. Open the SmartDashboard.
2. Go to Global Properties > SmartDashboard Customization > Advanced Configuration > Configure > FireWall-1 > General > rulebase_uids_in_log.
3. Set the property to 'false'.
4. Install the security policy

But unfortunatley, it didn't work. CPinfos, debugs are now on there way to Check Point.
I'll keep you informed of any updates.

2011-02-28, 04:18

I've recieved the same suggestion from Checkpoint --> didn't work

A second suggestion was removing the content of this kernel table in the Firewall enforcement module via "fw tab -t string_dictionary_table -x" but this didn't work as well...

2011-03-01, 09:46
Hi YerMa,

maybe you'll have a look at this thread:


I've tried changing the parameters in the grub.conf and now pushing policy works fine to our IBM X-3650 Servers in our testenvironment...

I've send the possible solution to our supplier to let it have checked by checkpointsupport!

Updates will follow...

2011-03-01, 10:14
Just made the change to the file, but will have to wait till tonight to reboot the gateway.
All sorted.
Thanks for the fix Georg.schwab. Cheers to you. :)