Status: Solved

Installing a firewall rule on a Checkpoint firewall

Hi,

We use a Checkpoint appliance with version R75.10. I want to do a simple thing such as applying a new firewall rule. I've made the rule, saved and clicked on the "Install policies" button in the SmartDashBoard. Somehow the rule will not install, because when I verify by clicking File --> Installed policies it isn't there. I get some warnings when installing the policy but no errors.

EDIT: Now when I checked "File --> Installed policies" the rule is there but it doesn't work. Seems like the firewall is just skipping my line and hits a line further down below.
Asked by scorpius78

Zephyr ICT (Cloud Architect) commented:
Did you do a "Verify Policies" to see if that gives you more information or errors?
scorpius78 (Author) commented:
Hi,

It gives me nothing because nothing really happens when I choose to verify policies. A window containing the text "Status: Verifying Policy..." has been showing for 10 minutes now. Nothing more happens. See the attached file.
verifying-policy.jpg
Zephyr ICT (Cloud Architect) commented:
What warnings do you get when saving the policy, something of value there? It might just take a long time verifying the policy, 10 minutes is long ... But yeah...

Can you delete the policy and remake it? What are you trying to add as a rule (doesn't have to be in detail, just to get the general idea)?
scorpius78 (Author) commented:
I don't know what happened but now the firewall seems to install my rule (I checked under "File --> Installed policies"). But it does not use it.

What I am trying to do can be seen in the-rule.jpg. I have verified the VPN connection, so I know it works just fine. When I issue a ping or an http connection from ServerA to ServerB and watch the logs in SmartView Tracker, I can see that another firewall rule is being used, a rule with a higher number. It is a temporary rule (number 90) from ServerA to Any to let ServerA reach the Internet. NAT has been chosen for the host ServerA with the translation method "hide behind gateway".

I'm not up to speed on any NAT specifics of Checkpoint, but I don't think that part of the configuration has anything to do with it. Rules between number 68 (the one in the attached picture) and 90 that include ServerA seem to work just fine. I just want ServerA to be able to contact ServerB according to the rule I've made.
warnings.jpg
the-rule.jpg
Zephyr ICT (Cloud Architect) commented:
Regarding the warnings for the services port conflict, uncheck "match for any" checkbox in the "advanced" dialogue for one of them....

But be careful, it's possible this setting is already in place, in that case make sure it's a unique service, these warnings happen when someone added a new version of an already defined service or used a similar port for something else and selected match for any...

Regarding the rule, it's difficult to help you on that, if rule 90 seems to be taking instead of rule 68, it means rule 68 gets bypassed, meaning it's either redundant, or the firewall doesn't know which rule to take (similar rules).
scorpius78 (Author) commented:
I don't want to touch the warnings. I can't see how that could have a positive effect in this case.

In what way do you mean that the rule could be redundant?

About which rule to take, isn't it always the first match?
Zephyr ICT (Cloud Architect) commented:
Well, the warnings could have effect on the rule working well or not if ports aren't conflicting with other rules ...

The first rule that is taken is the one where something matches the ports, if there is a rule or port mismatch it will ignore the rule you've made and continue on to the next one, in this case rule 90.
scorpius78 (Author) commented:
Sorry, I didn't make much sense out of that answer.

Anyhow, now I can't install any rules at all. I'm given the message:

Installation failed. Reason: Load on Module failed - no memory.   ( message from member FW02 )

I've tried changing a setting in Policy -> Global Properties -> SmartDashboard Customization -> Configure -> Firewall-1 -> General -> rulebase_uids_in_logs as many others have proposed, but without any positive effect. I've also read some superhacky answers I don't understand. I'm new to Checkpoint and am really cautious about trying out things in the command line that I really don't understand.

We have a cluster of FW01 and FW02.
Zephyr ICT (Cloud Architect) commented:
Are you using any special characters in the policy name? (non-ASCII)

To troubleshoot the installation of the policy you could try and log what happens when you try to install this policy:

- On the active SG do: fw ctl zdebug filter > /var/log/debug.txt
- Now try to install the policy in SmartDashboard.
- Check /var/log/debug.txt

That should give us more information, hopefully ...
scorpius78 (Author) commented:
I've attached the output. Can you make any sense out of it?
fw-ctl-zdebug-filter.txt
Zephyr ICT (Cloud Architect) commented:
Hmmm, nothing really pops out at me ...

Are you using URL filtering at all on this FW?

Do you still have enough disk space?
scorpius78 (Author) commented:
URL filtering is enabled and the disk usage is well below 50 % on each partition (checked with df -h). HTTP inspection is also enabled on non standard ports. Besides that I can't see any customizations. I believe it's just a standard URL filtering policy. No URLs/IPs are specifically allowed or blocked.
Zephyr ICT (Cloud Architect) commented:
I've read a case where someone had this issue when using url filtering ... And I found it again:
http://www.shanekillen.com/2012/01/load-on-module-failed-failed-to-load.html

Could you try that?
scorpius78 (Author) commented:
About special characters. I'm pretty sure I've not put in any special characters anywhere. I've read that special characters can give this error message. I've also manually removed all configuration to restore it to a previous working state but I'm given the same error message.

I've also read about rebooting the hardware as some form of temporary solution. I will try that off hours if I can't find another solution earlier.
Zephyr ICT (Cloud Architect) commented:
Yes, reboot sometimes solves these errors as well, but I kept that for last, as during production hours it's difficult to reboot a Firewall :)
scorpius78 (Author) commented:
Fortunately there are two firewalls load sharing, so I should be fine. But I will still do it off hours. :)

When viewing the general properties for a cluster member, I see that URL filtering actually is disabled. Guess I interpreted some other box incorrectly. Anyhow, the problem that happened to Shane Killen is not the same I have. His error message also said "Installation failed:  Reason: Load on Module failed - failed to load Security Policy." while mine says "Installation failed. Reason: Load on Module failed - no memory.   ( message from member FW02 )".
no-url-filtering.jpg
Zephyr ICT (Cloud Architect) commented:
You're correct, my bad ... Hmmm I think we'll have to wait until the reboot ... The only other thing that might be an issue is that in the new rule an IP-address is configured that is the same as the SG according to a KB.
scorpius78 (Author) commented:
Yes I've read that one too, but that's not the case either...
scorpius78 (Author) commented:
All right! The reboot of FW01 went all fine. But when I rebooted FW02 and it came up, FW01 stopped forwarding my test pings and FW02 was not responding to its management IP. Under "Policy --> Management High Availability" in the SmartDashBoard on FW01, it said that the peer (FW02) was in an "Advanced state". I searched for some info on it and it seems to mean that FW02 has a newer configuration than the active FW01. So, I did a nonsense change to the access rules of FW01 (disabling an access rule just to make something different) and installed the policy (which worked!), and then my test pings started to work and the management IP of FW02 also started to respond.

Then I noticed in "Policy --> Management High Availability" that the status was "Collision State" for the peer. It turned out that FW02 had an access rule that FW01 didn't have. It was a rule I wanted to get rid of anyway, so I changed FW02 to standby, started the SmartDashBoard on FW01 and performed a synchronization, which was successful.

Since I don't know what state each firewall was in before the reboot, I don't know for sure if the reboot was the solution to the problem, but it worked out and that's good enough for me.

Now back to the problem of access rule 68 where ServerA can't reach ServerB. Is it possible that I have to do any changes to the VPN configuration to make it work? I know ServerB (the destination) is within the range of network addresses added to the VPN domain.
Zephyr ICT (Cloud Architect) commented:
Now back to the problem of access rule 68 where ServerA can't reach ServerB. Is it possible that I have to do any changes to the VPN configuration to make it work? I know ServerB (the destination) is within the range of network addresses added to the VPN domain.

Let's start with the basics again, if you don't mind ...

You say the destination is within the range of the network addresses added to the VPN domain ... How is the routing?

If you perform a traceroute (or perhaps a pathping: http://technet.microsoft.com/en-us/library/cc958876.aspx) from the one end of the VPN to the other, does it take the correct path?

You establish the VPN tunnel, perform a ping, and it doesn't arrive at destination or ...?
scorpius78 (Author) commented:
If I do a tracert from ServerA to ServerB I only get to the default gateway. For comparison, I have an old access rule (number 67) that makes it possible to reach ServerB through the VPN tunnel (let's say from networkX). If I do a tracert from a client on networkX I get to the default gateway, to our side of the tunnel, to the other side of the tunnel, to their router and to the final destination. So the tunnel and routing are fine. (Besides, if there was some new problem with that tunnel we would have major issues and alarms going off everywhere.)

If I create yet another rule, from networkX to ServerB through the tunnel allowing http and https, I can see in the SmartView Tracker that the traffic hits my new rule. My client on networkX does not receive any http traffic back, but that perhaps has to do with firewall settings on the other side of the tunnel? What annoys me is that rule 68 never gets a hit when trying to communicate from ServerA to ServerB.
Zephyr ICT (Cloud Architect) commented:
So basically rule 67 is almost the same as rule 68, what happens when you put rule 68 in front of rule 67 (switch places in other words)?

Sometimes overlapping rules can act strange; you could also test disabling rule 67.
scorpius78 (Author) commented:
Hi again. Now I've tried both switching the places of the rules and disabling rule 67. Same result as before.
Zephyr ICT (Cloud Architect) commented:
Crap ... This is getting ridiculous :)

Well, I guess I'm at the end of my ideas, maybe if I could take a look at the environment and the firewall setup, but for now ... I'm fresh out of ideas.
scorpius78 (Author) commented:
Tell me about it! :)

Well, I'd love to let you in to take a look, but then I would get the CSO on my back and I would probably lose my job...
Zephyr ICT (Cloud Architect) commented:
We wouldn't want that happening ...

If you still get stuck and you think I can possibly help, don't hesitate to contact me, I'm not hard to find ;)
scorpius78 (Author) commented:
Problem solved! The destination address was added to the VPN domain earlier, but what I didn't know was that there is a VPN domain for my side too where I had to add the source. In addition to that, at the other end of the tunnel, they had to add my source address to their VPN domain (and probably also my destination address to their other VPN domain).
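An added model (not Check Point code, and not from this thread) of the check the solution above describes: a VPN rule only gets a hit when the source sits inside the VPN domain of the local gateway and the destination inside the VPN domain of the peer gateway, and both managements must agree. All addresses and domains below are constructed; rule 67's networkX is the case that already worked, ServerA -> ServerB is rule 68.

```python
import ipaddress

# Constructed sample addresses; the real ones live in the gateway objects.
SERVER_A = "10.1.5.20"      # source behind our gateway (rule 68 source)
SERVER_B = "192.168.50.7"   # destination behind the peer gateway
CLIENT_X = "10.1.9.15"      # a host on networkX, which rule 67 already served

def in_domain(ip, domain):
    """True if ip falls inside any network of the VPN (encryption) domain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in domain)

def tunnel_match(src, dst, src_domain, dst_domain):
    """One gateway's view: the rule can only match when the source is in
    the domain defined for the sending gateway and the destination is in
    the domain defined for the receiving gateway."""
    if not in_domain(src, src_domain):
        return False, f"{src} is not in the source-side VPN domain"
    if not in_domain(dst, dst_domain):
        return False, f"{dst} is not in the destination-side VPN domain"
    return True, "both endpoints inside their VPN domains"

def end_to_end(src, dst, ours, theirs):
    """Each management defines both domains; the two views must agree.
    ours/theirs = (own VPN domain, VPN domain configured for the other gateway)."""
    ok_here, why_here = tunnel_match(src, dst, ours[0], ours[1])
    if not ok_here:
        return False, "our side: " + why_here
    ok_there, why_there = tunnel_match(src, dst, theirs[1], theirs[0])
    if not ok_there:
        return False, "peer side: " + why_there
    return True, why_here

# Before the fix: ServerB was in the peer domain, ServerA was in nobody's entry for our gateway.
OURS_BEFORE   = (["10.1.9.0/24"], ["192.168.50.0/24"])
THEIRS_BEFORE = (["192.168.50.0/24"], ["10.1.9.0/24"])
OURS_AFTER    = (["10.1.9.0/24", "10.1.5.20/32"], ["192.168.50.0/24"])
THEIRS_AFTER  = (["192.168.50.0/24"], ["10.1.9.0/24", "10.1.5.20/32"])

def diagnose():
    return {
        "networkX -> ServerB (rule 67)": end_to_end(CLIENT_X, SERVER_B, OURS_BEFORE, THEIRS_BEFORE),
        "ServerA -> ServerB, before fix": end_to_end(SERVER_A, SERVER_B, OURS_BEFORE, THEIRS_BEFORE),
        "ServerA -> ServerB, our side only": end_to_end(SERVER_A, SERVER_B, OURS_AFTER, THEIRS_BEFORE),
        "ServerA -> ServerB, after fix": end_to_end(SERVER_A, SERVER_B, OURS_AFTER, THEIRS_AFTER),
    }

if __name__ == "__main__":
    for case, (ok, why) in diagnose().items():
        print(f"{case:36s} {'MATCH' if ok else 'NO MATCH':9s} {why}")
```

The "our side only" case is the state the thread sat in for most of its length: the local domain fix alone is not enough until the peer mirrors it.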
Zephyr ICT (Cloud Architect) commented:
Interesting ... Thanks for the information, I'm glad it's finally solved :)
scorpius78 (Author) commented:
It was the only suggested solution that worked.