CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: policy installation blocked by secureXL

  1. #1
    Join Date
    2014-09-23
    Location
    Austin, TX
    Posts
    136
    Rep Power
    4

    policy installation blocked by secureXL

    Does anyone know why I would not be able to install policy on my gateway with SecureXL turned on? When attempting to install policy it just times out, but when it is disabled we are able to install with no issue. I am on R77.20 and installed the jumbo on both my gateway and management server.

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,367
    Rep Power
    15

    Re: policy installation blocked by secureXL

    I've never heard of SecureXL blocking a policy installation before.
    If I were trying to figure it out, I might use something like "fw load -d $FWDIR/conf/policy.W gateway-cluster-object" from the management station to try and see what's going on.
    I would recommend engaging with the TAC also.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2014-09-23
    Location
    Austin, TX
    Posts
    136
    Rep Power
    4

    Re: policy installation blocked by secureXL

    Thanks PhoneBoy, I'm checking with them as to why this would happen and what would cause it.

  4. #4
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,050
    Rep Power
    12

    Re: policy installation blocked by secureXL

    Originally posted by Cory Webb:
    Does anyone know why I would not be able to install policy on my gateway with SecureXL turned on? When attempting to install policy it just times out, but when it is disabled we are able to install with no issue. I am on R77.20 and installed the jumbo on both my gateway and management server.

    The only normal way I could see that happening is if one of the following is active:

    • SecureXL drop template: what does "sim dropcfg -l" show? Do you have optimized drops enabled?
    • SecureXL penalty box: "cat /proc/ppk/erdos" to see if penalty box is active
    • SecureXL rate-limiting: check for rate-limiting by running "fw samp get"

    "fwaccel stats" might be interesting too; look for packet drops that rapidly increment under "Accelerated Path" when you try to push policy. Control traffic bound for the firewall itself should be exempt from any SecureXL acceleration.
    Last edited by ShadowPeak.com; 2015-04-28 at 22:12.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.
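
Added example (not part of the post above and not Check Point tooling): one way to do the "rapidly increment" check from post #4 is to save "fwaccel stats" output before and during a policy push and compare the drop counters. The snapshot text embedded here is constructed, and its two-column layout and counter names are assumptions about the output format.

```shell
#!/bin/sh
# Added example: compare two saved "fwaccel stats" snapshots, e.g. taken with
# "fwaccel stats > before.txt" before a policy push and again while it hangs.
# Assumed layout: "name  value" pairs 2+ blanks apart, section headings alone.

# counter_deltas BEFORE AFTER [MIN_DELTA] [NAME_REGEX]
# Prints section|counter|before|after|delta for counters matching NAME_REGEX.
counter_deltas() {
    awk -v min="${3:-1}" -v pat="${4:-drop}" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[- \t]*$/ { next }                        # blank lines and dashed rules
    {
        n = split(trim($0), f, /[ \t][ \t]+/)   # fields are 2+ blanks apart
        if (n == 1) { section = f[1]; next }    # lone label = section heading
        for (i = 1; i + 1 <= n; i += 2) {
            if (f[i+1] !~ /^[0-9]+$/ || f[i] !~ pat) continue
            key = section "|" f[i]
            if (FNR == NR) { before[key] = f[i+1]; continue }  # first file
            if (!(key in before)) continue      # counter absent in BEFORE
            d = f[i+1] - before[key]
            if (d >= min)
                printf "%s|%s|%d|%d|%d\n", section, f[i], before[key], f[i+1], d
        }
    }' "$1" "$2"
}

# sample DROPPED_PKTS DROPPED_BYTES: constructed snapshot, not real gateway output.
sample() {
    cat <<EOF
Name                  Value               Name                  Value
--------------------  ---------------     --------------------  ---------------

Accelerated Path
------------------------------------------------------------------------------
accel packets         120400              accel bytes           90311200
dropped packets       $1                  dropped bytes         $2

Firewall Path
------------------------------------------------------------------------------
F2F packets           8800                F2F bytes             640100
EOF
}

tmp=$(mktemp -d)
sample 17 1020 > "$tmp/before.txt"        # stands in for the pre-push snapshot
sample 4317 258020 > "$tmp/after.txt"     # stands in for the mid-push snapshot
counter_deltas "$tmp/before.txt" "$tmp/after.txt" 100
rm -rf "$tmp"
```

A counter in the "Accelerated Path" section that jumps only while the install is in progress is the signal post #4 describes; the fourth argument widens the comparison to other counter names.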

  5. #5
    Join Date
    2014-09-23
    Location
    Austin, TX
    Posts
    136
    Rep Power
    4

    Re: policy installation blocked by secureXL

    Thanks shadowpeak, nice ideas, I'll have a look
