Sunday, July 3, 2016

Troubleshooting FWM

Troubleshooting Firewall Management Problems 


A policy installation failure on the management server occurs in the verification or compilation stage of the installation. To troubleshoot such a failure, follow these steps:
              
1.      Install the policy from the CLI with debug output
fwm -d load $FWDIR/conf/PolicyName.W <target>

2.      Install the policy from SmartDashboard with the fwm debug enabled
a.      Clean the old log file
cd $FWDIR/log
rm fwm.elg
echo ' ' > fwm.elg

b.      Enable the fwm debug
fw debug fwm on TDERROR_ALL_ALL=5
fw debug fwm on OPSEC_DEBUG_LEVEL=9

c.      Replicate the problem by installing the policy from the Dashboard GUI

d.      Stop the fwm debug on the management server
fw debug fwm off TDERROR_ALL_ALL=1
fw debug fwm off OPSEC_DEBUG_LEVEL=1

The debug output is stored in fwm.elg, located under $FWDIR/log.

A policy installation failure can be the result of SIC problems, misconfigured rules, GUI client connectivity problems, improperly entered information, or an expired license. Evaluate the output file fwm.elg to determine which of these caused the failure.
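Once fwm.elg has been collected, a quick first pass is to count which of the failure classes above the debug lines point at and to pull the lines just before the final failure message. The script below is an added example and is not part of the original post or a Check Point tool: the keyword patterns and the sample log lines are constructed for illustration, since the exact fwm.elg wording differs between versions, so extend the patterns from what you see in your own file.

```sh
#!/bin/sh
# Added example, not from the original post: first-pass triage of an fwm.elg debug file
# against the failure classes named above (SIC, misconfigured rules, GUI client
# connectivity, licensing). Keyword patterns and sample lines are assumptions.

# classify_line LINE -> prints sic | rules | gui | license | other
classify_line() {
    case "$1" in
        *SIC*|*sic_*|*sic:*|*certificate*)    echo sic ;;
        *[Vv]erif*|*[Rr]ule*)                 echo rules ;;
        *gui-clients*|*"GUI client"*)          echo gui ;;
        *[Ll]icense*)                         echo license ;;
        *)                                    echo other ;;
    esac
}

# triage_file FILE -> for every line that looks like a failure (fail/error, any case),
# prints "<class> <count>" so you can see which class dominates the debug
triage_file() {
    grep -i -E 'fail|error' "$1" | while IFS= read -r line; do
        classify_line "$line"
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# context_for_failure FILE [N] -> prints the N lines (default 5) leading up to the last
# line containing "fail"; the root cause is normally logged just before the final failure
context_for_failure() {
    n="${2:-5}"
    last=$(grep -n -i 'fail' "$1" | tail -n 1 | cut -d: -f1)
    [ -n "$last" ] || return 1
    start=$((last - n))
    if [ "$start" -lt 1 ]; then start=1; fi
    sed -n "${start},${last}p" "$1"
}

# Constructed sample of what a failed install might leave in fwm.elg (not real output)
sample_elg() {
    cat <<'EOF'
[fwm 1234 4001] policy installation started for target A-GW
[fwm 1234 4001] license check: OK
[fwm 1234 4001] Verification failed: rule 7 has no action
[fwm 1234 4001] SIC error: peer certificate not found for A-GW
[fwm 1234 4001] sic: failed to establish trust with A-GW
[fwm 1234 4001] client 10.20.59.250 rejected: not in gui-clients, connection failed
[fwm 1234 4001] installation failed
EOF
}

# Usage: ./fwm_triage.sh [/path/to/fwm.elg]   (defaults to the live $FWDIR/log/fwm.elg)
if [ $# -ge 1 ] || [ -n "${FWDIR:-}" ]; then
    elg="${1:-$FWDIR/log/fwm.elg}"
    if [ -r "$elg" ]; then
        triage_file "$elg"
        echo "--- context before the last failure ---"
        context_for_failure "$elg"
    fi
fi
```

Run it against a copy of fwm.elg taken right after the failed install; with the constructed sample it reports sic 2, rules 1, gui 1 and other 1, and the context function shows the SIC trust failure immediately preceding the final "installation failed" line.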


Lab   Troubleshoot SIC   - Policy Installation failure

From A-SMS (FW Management Server)
1.      cpca_client lscert    (lists the certificates issued by the internal CA; use it to validate the gateway's certificate)
2.      fw debug fwm on Establish
3.      From the SmartDashboard GUI client, attempt to re-establish SIC
4.      From A-SMS:    fw debug fwm off
5.      Review the debug log output:    less $FWDIR/log/fwm.elg
6.      Alternatively, transfer fwm.elg with WinSCP and view it in a text editor to identify the source of the problem from the debug file


Lab   Troubleshoot Misconfigured Rules  - Policy Installation Failure

From A-SMS (FW Management Server)
1.      In Expert mode, clear the old debug file and enable the fwm debug
cd  $FWDIR/log
echo > fwm.elg
fw debug fwm on

2.      Set the debug topic and install the policy from the CLI
fw debug fwm on TDERROR_ALL_ALL=<level>
fwm -d load $FWDIR/conf/Standard.W A-GW

Note: you will see the output on the screen and in fwm.elg. You can see additional information with TDERROR_ALL_ALL=5 (levels run from 1 to 5; 5 is the most verbose).

Stop the debugs
fw debug fwm off
unset TDERROR_ALL_ALL
View fwm.elg:     less $FWDIR/log/fwm.elg


Lab   Troubleshoot GUI Client Connectivity Problem 

Look in $FWDIR/conf/gui-clients for the list of allowed GUI client IP addresses:
less $FWDIR/conf/gui-clients

From A-SMS (FW Management Server), run cpconfig and remove your own client IP so the failure can be reproduced:
cpconfig
At the menu, choose the GUI Clients option (3 in this lab) and press Enter
Type Y and Enter, then D and Enter  (delete your IP to test the failure)
Enter 10.20.59.250   (your IP address)
Exit cpconfig with option 9 and Enter

From the command prompt, enable the debug:
fw debug fwm on TDERROR_ALL_ALL=5

From your client 10.20.59.250, launch SmartDashboard and try to connect

On the management server, stop the debug and look for the GUI client IP in the log:
fw debug fwm off
grep 10.20.59.250 $FWDIR/log/fwm.elg | less
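Before spending time on a debug, it is worth checking whether the client address is actually covered by an entry in gui-clients, since the file can contain wildcards and ranges as well as literal addresses. The script below is an added example written for this page, not code from the original post or from Check Point. It assumes one entry per line in the forms cpconfig writes on the lab systems (a literal IPv4 address, Any, a wildcard such as 10.20.59.*, or a range written a.b.c.d-e.f.g.h); hostname entries are not resolved, and the sample file is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: test whether a GUI client address is
# permitted by $FWDIR/conf/gui-clients. Entry formats handled (assumed): literal IPv4,
# Any, wildcard 10.20.59.*, range 10.0.0.1-10.0.0.50. Hostnames are not resolved.

# ip2int A.B.C.D -> prints the address as a 32-bit integer; exit 1 if malformed
ip2int() {
    case $1 in *[!0-9.]*|'') return 1 ;; esac          # digits and dots only (no globs)
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0[0-9]*) return 1 ;; esac        # no empty or zero-padded octets
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# gui_client_allowed IP FILE -> exit 0 if some entry in FILE permits IP, else exit 1
gui_client_allowed() {
    ip=$1; file=$2
    ipn=$(ip2int "$ip") || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}                             # drop comments
        entry=$(printf '%s' "$entry" | tr -d ' \t')    # and whitespace
        [ -n "$entry" ] || continue
        case "$entry" in
            [Aa][Nn][Yy])
                return 0 ;;
            *-*)                                       # range lo-hi
                lo=$(ip2int "${entry%-*}") || continue
                hi=$(ip2int "${entry#*-}") || continue
                if [ "$ipn" -ge "$lo" ] && [ "$ipn" -le "$hi" ]; then return 0; fi ;;
            *\**)                                      # wildcard: use it as a shell glob
                case "$ip" in $entry) return 0 ;; esac ;;
            *)
                if [ "$entry" = "$ip" ]; then return 0; fi ;;
        esac
    done < "$file"
    return 1
}

# Constructed sample of a gui-clients file (not taken from a real system)
sample_gui_clients() {
    cat <<'EOF'
# GUI clients permitted to connect to this management server
10.20.59.250
192.168.10.*
10.0.0.1-10.0.0.50
EOF
}

# Usage: ./gui_client_check.sh <client-ip> [gui-clients-file]
if [ $# -ge 1 ]; then
    if gui_client_allowed "$1" "${2:-$FWDIR/conf/gui-clients}"; then
        echo "$1 is permitted by gui-clients; look elsewhere (SIC, licensing, the fwm debug) for the failure"
    else
        echo "$1 is not in gui-clients; SmartDashboard from this address will be refused"
    fi
fi
```

Run it on the management server as ./gui_client_check.sh 10.20.59.250 after the cpconfig step above and it reports the address as refused; add the address back and the same check passes, which confirms the fwm.elg lines you grep for really come from the gui-clients check and not from something else.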


  

How to uninstall and install another policy on firewall

ISSUE

There may be a time when you install the wrong policy onto a Check Point firewall. This can block your connections and change which traffic is allowed through the firewall.

RESOLUTION

These steps show how to remove the policy and reinstall the correct one from the CLI on the management server (SCS).

  1. First, look at the policy status of the gateway to find the name of the policy that needs to be reinstalled.

fw stat -l [firewall ip]

  2. Next, remove the security policy from the firewall.

fwm unload [fwname]

  3. Finally, install the correct policy back onto the firewall.

Note: the .W extension is added to the policy name because it has yet to be compiled into a .cf file (which is what is actually installed onto the firewall/gateway):
[PolicyName].W is the uncompiled policy
[PolicyName].cf is the compiled policy

fwm load [PolicyName].W [fwname]


[Expert@MYFWM01]# fwm load Standard examplegw
Installing policy on R77 compatible targets:
Standard.W: Security Policy Script generated into CustomerPolicy.pf
Standard:
Compiled OK.
Installing Security Gateway policy on: examplegw ...

Security Gateway policy installed successfully on examplegw...
Security Gateway policy installation complete
Security Gateway policy installation succeeded for: examplegw



Installation failed; reason – load on module failed, failed to load security policy
Recently I tried a policy installation on a Security Gateway appliance which failed with the message: Installation failed; reason - load on module failed, failed to load security policy

From my experience I know that a cpstop; cpstart normally solves this problem.

But since I was dealing with a remote-site gateway which was also a stand-alone installation, issuing cpstop was not an option since it would interrupt the service.

So I utilized the cpwd_admin command for stopping and restarting FWM and CPD.

cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"
cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"

cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

Then I checked the status of all my services with cpwd_admin list.

All services were up and I tried policy installation again, which worked as expected.
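The cpwd_admin sequence above only helps if both daemons actually come back under the watchdog before the policy install is retried, so the check worth scripting is the cpwd_admin list step. The script below is an added example and is not part of the original post or a Check Point tool: it wraps the four cpwd_admin commands from the text and then polls cpwd_admin list until FWM and CPD are both in state E. It assumes the cpwd_admin list column layout APP PID STAT #START START_TIME MON COMMAND with STAT E meaning executing and T terminated; the sample listing is constructed for the self-test.

```sh
#!/bin/sh
# Added example, not from the original post: restart FWM and CPD under cpwd (the commands
# from the text) and wait until `cpwd_admin list` shows both in state E before retrying
# the policy install. Assumed listing layout: APP PID STAT #START START_TIME MON COMMAND.

# cpwd_state APP -> reads a cpwd_admin list listing from stdin and prints APP's STAT
# column (E = executing, T = terminated); exit 1 if APP is not in the listing
cpwd_state() {
    awk -v app="$1" 'NR > 1 && $1 == app { print $3; found = 1 } END { exit found ? 0 : 1 }'
}

# all_running APP... -> exit 0 when every APP is in state E in the listing on stdin
all_running() {
    listing=$(cat)
    for app in "$@"; do
        [ "$(printf '%s\n' "$listing" | cpwd_state "$app")" = "E" ] || return 1
    done
    return 0
}

# wait_running TIMEOUT APP... -> poll the live cpwd_admin list once a second until all
# APPs are executing, or give up after TIMEOUT seconds
wait_running() {
    timeout=$1; shift
    while [ "$timeout" -gt 0 ]; do
        if cpwd_admin list | all_running "$@"; then return 0; fi
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}

# The restart sequence from the text, followed by the readiness check
restart_mgmt_daemons() {
    cpwd_admin stop -name FWM -path "$FWDIR/bin/fw" -command "fw kill fwm"
    cpwd_admin start -name FWM -path "$FWDIR/bin/fwm" -command "fwm"
    cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
    cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
    wait_running 60 FWM CPD
}

# Constructed cpwd_admin list output (not captured from a real system): CPD is back,
# FWM has not been restarted yet
sample_listing() {
    cat <<'EOF'
APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        7030   E     2       [10:28:01] 16/9/2014   Y    cpd
FWM        0      T     1       [10:27:56] 16/9/2014   Y    fwm
EOF
}

# Usage: ./restart_fwm_cpd.sh --restart   (run on the management server, in Expert mode)
if [ "${1:-}" = "--restart" ]; then
    if restart_mgmt_daemons; then
        echo "FWM and CPD are executing again; retry the policy install"
    else
        echo "FWM or CPD did not come back within 60s; inspect cpwd_admin list before retrying"
    fi
fi
```

The functions read the listing from stdin rather than calling cpwd_admin directly, which is what lets the readiness check be exercised against the constructed sample on a machine without Check Point installed; on a real management server only the --restart path touches the daemons.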

I was able to solve the issue using the following steps I stumbled on while surfing the net:

1.            tellpm process:monitord          (stop monitord)
2.            ps aux | grep cpd                (find the cpd PID)
3.            kill -15 <cpd PID>
4.            tellpm process:monitord t        (start monitord again)
5.            cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"

Here is the expected output:
[Expert@CP-DMZ:0]# tellpm process:monitord
[Expert@CP-DMZ:0]#
Message from syslogd@ at Tue Sep 16 10:27:42 2014 …
CP-M-DMZ monitord[4129]: monitord got killed
[Expert@CP-DMZ:0]#
[Expert@CP-DMZ:0]# ps aux | grep cpd
admin 4461 0.0 0.3 212412 3196 ? Dsl Aug06 42:47 cpd
admin 6905 0.0 0.0 1816 492 pts/2 S+ 10:27 0:00 grep cpd

[Expert@CP-DMZ:0]# kill -15 4461

[Expert@CP-DMZ:0]#
[Expert@CP-DMZ:0]# tellpm process:monitord t

[Expert@CP-DMZ:0]#
[Expert@CP-DMZ:0]# cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
cpwd_admin:
Process CPD started successfully (pid=7030)
[Expert@CP-DMZ:0]#
So the problem was solved without service interruption.