Solved

Installing a firewall rule on a Checkpoint firewall

Posted on 2013-07-01
29
3,133 Views
Last Modified: 2013-07-17
Hi,

We use a Checkpoint appliance with version R75.10. I want to do a simple thing as applying a new firewall rule. I've made the rule, saved and clicked on the "Install policies" button in the SmartDashBoard. Somehow the rule will not install, because when I verify by clicking File --> Installed policies it isn't there. I get some warnings when installing the policy but no errors.

EDIT: Now when I checked "File --> Installed policies" the rule is there but it doesn't work. Seems like the firewall is just skipping my line and hits a line further down below.
0
Question by:scorpius78
29 Comments
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39289562
Did you do a "Verify Policies" to see if that gives you more information or errors?
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39289628
Hi,

It gives me nothing because nothing really happens when I choose to verify policies. A window containing the text "Status: Verifying Policy..." has been showing for 10 minutes now. Nothing more happens. See the attached file.
verifying-policy.jpg
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39289645
What warnings do you get when saving the policy, something of value there? It might just take a long time verifying the policy, 10 minutes is long ... But yeah...

Can you delete the policy and remake it? What are you trying to add as rule (doesn't have to be in detail, just to get the general idea).
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39290040
I don't know what happened but now the firewall seems to install my rule (I checked under "File --> Installed policies"). But it does not use it.

What I am trying to do can be seen in the-rule.jpg. I have verified the VPN connection, so I know it works just fine. When I issue a ping or an http connection from ServerA to ServerB and watch the logs in SmartView Tracker, I can see that another firewall rule is being used, a rule with a higher number. It is a temporary rule (number 90) from ServerA to Any to let ServerA reach the Internet. NAT has been chosen for the host ServerA with the translation method "hide behind gateway".

I'm not up to speed on any NAT specifics of Checkpoint, but I don't think that part of the configuration has anything to do with it. Rules between number 68 (the one in the attached picture) and 90 that include ServerA seem to work just fine. I just want ServerA to be able to contact ServerB according to the rule I've made.
warnings.jpg
the-rule.jpg
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39290232
Regarding the warnings for the services port conflict, uncheck "match for any" checkbox in the "advanced" dialogue for one of them....

But be careful, it's possible this setting is already in place, in that case make sure it's a unique service, these warnings happen when someone added a new version of an already defined service or used a similar port for something else and selected match for any...

Regarding the rule, it's difficult to help you on that, if rule 90 seems to be taking instead of rule 68, it means rule 68 gets bypassed, meaning it's either redundant, or the firewall doesn't know which rule to take (similar rules).
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39292602
I don't want to touch the warnings. I can't see any reason why it would have a positive effect in this case.

In what way do you mean that the rule could be redundant?

About which rule to take, isn't it always the first match?
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39292672
Well, the warnings could have an effect on the rule working well or not if ports aren't conflicting with other rules ...

The first rule that is taken is the one where something matches the ports, if there is a rule or port mismatch it will ignore the rule you've made and continue on to the next one, in this case rule 90.
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39301448
Sorry, I didn't make much sense out of that answer.

Anyhow, now I can't install any rules at all. I'm given the message:

Installation failed. Reason: Load on Module failed - no memory.   ( message from member FW02 )

I've tried changing a setting in Policy -> Global Properties -> SmartDashboard Customization -> Configure -> Firewall-1 -> General -> rulebase_uids_in_logs as many others have proposed, but without any positive effects. I've also read some superhacky answers I don't understand. I'm new to Checkpoint and am really cautious to try out things in the command line I really don't understand.

We have a cluster of FW01 and FW02.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39301466
Are you using any special characters in the policy name? (non-ASCII)

To troubleshoot the installation of the policy you could try and log what happens when you try to install this policy:

- On the active SG do: fw ctl zdebug filter > /var/log/debug.txt.
- Now try to install the policy in SmartDashboard.
- Check /var/log/debug.txt

That should give us more information, hopefully ...
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39301549
I've attached the output. Can you make any sense out of it?
fw-ctl-zdebug-filter.txt
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39301582
Hmmm, nothing really pops-out to me ...

Are you using URL filtering at all on this FW?

Do you still have enough disk space?
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39301623
URL filtering is enabled and the disk usage is well below 50 % on each partition (checked with df -h). HTTP inspection is also enabled on non standard ports. Besides that I can't see any customizations. I believe it's just a standard URL filtering policy. No URLs/IPs are specifically allowed or blocked.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39301644
I've read a case where someone had this issue when using url filtering ... And I found it again:
http://www.shanekillen.com/2012/01/load-on-module-failed-failed-to-load.html

Could you try that?
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39301658
About special characters. I'm pretty sure I've not put in any special characters anywhere. I've read that special characters can give this error message. I've also manually removed all configuration to restore it to a previous working state, but I'm given the same error message.

I've also read about rebooting the hardware as some form of temporary solution. I will try that off hours if I can't find another solution earlier.
0
 
LVL 25

Assisted Solution

by:Zephyr ICT
Zephyr ICT earned 100 total points
ID: 39301693
Yes, reboot sometimes solves these errors as well, but I kept that for last, as during production hours it's difficult to reboot a Firewall :)
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39301822
Fortunately there are two firewalls load sharing, so I should be fine. But I will still do it off hours. :)

When viewing the general properties for a cluster member, I see that URL filtering actually is disabled. Guess I interpreted some other box incorrectly.. Anyhow, the problem that happened to Shane Killen is not the same I have. His error message also said "Installation failed:  Reason: Load on Module failed - failed to load Security Policy." while mine says "Installation failed. Reason: Load on Module failed - no memory.   ( message from member FW02 )".
no-url-filtering.jpg
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39301844
You're correct, my bad ... Hmmm I think we'll have to wait until the reboot ... The only other thing that might be an issue is that in the new rule an IP-address is configured that is the same as the SG according to a KB.
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39301880
Yes I've read that one too, but that's not the case either...
0
 
LVL 1

Assisted Solution

by:scorpius78
scorpius78 earned 0 total points
ID: 39306502
Alright! The reboot of FW01 went all fine. But when I rebooted FW02 and it came up, FW01 stopped forwarding my test pings and FW02 was not responding to its management IP. Under "Policy --> Management High Availability" in the SmartDashBoard on FW01, it said that the peer (FW02) was in an "Advanced state". I searched for some info on it and it seems to mean that FW02 has a newer configuration than the active FW01. So, I did a nonsense change to the access rules of FW01 (disabling an access rule just to make something different) and installed the policy (which worked!), and then my test pings started to work and the management IP of FW02 also started to respond.

Then I noticed in "Policy --> Management High Availability" that status was "Collision State" for the peer. It turned out that FW02 had an access rule that FW01 didn't have. It was a rule I wanted to get rid of anyway, so I changed FW02 to standby, started the SmartDashBoard on FW01 and performed a synchronization - which was successful.

Since I don't know what state each firewall was in before the reboot, I don't know for sure if the reboot was the solution to the problem, but it worked out and that's good enough for me.

Now back to the problem of access rule 68 where ServerA can't reach ServerB. Is it possible that I have to do any changes to the VPN configuration to make it work? I know ServerB (the destination) is within the range of network addresses added to the VPN domain.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39306552
Now back to the problem of access rule 68 where ServerA can't reach ServerB. Is it possible that I have to do any changes to the VPN configuration to make it work? I know ServerB (the destination) is within the range of network addresses added to the VPN domain.

Lets start with the basics again, if you don't mind ...

You say the destination is within the range of the network addresses added to the VPN domain ... How is the routing?

If you perform a traceroute (or perhaps a pathping: http://technet.microsoft.com/en-us/library/cc958876.aspx) from the one end of the VPN to the other, does it take the correct path?

You establish the VPN tunnel, perform a ping, and it doesn't arrive at destination or ...?
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39307321
If I do a tracert from ServerA to ServerB I only get to the default gateway. For comparison, I have an old access rule (number 67) that makes it possible to reach ServerB through the VPN tunnel (let's say from networkX). If I do a tracert from a client on networkX I get to the default gateway, to our side of the tunnel, to the other side of the tunnel, to their router and to the final destination. So the tunnel and routing are fine. (Besides, if there was some new problem with that tunnel we would have major issues and alarms going off everywhere).

If I create yet another rule, from networkX to ServerB through the tunnel allowing http and https, I can see in the SmartView Tracker that the traffic hits my new rule. My client on networkX does not receive any http traffic back, but that has perhaps to do with firewall settings on the other side of the tunnel? What annoys me is that rule 68 never gets a hit when trying to communicate from ServerA to ServerB.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39307670
So basically rule 67 is almost the same as rule 68, what happens when you put rule 68 in front of rule 67 (switch places in other words)?

Sometimes overlapping rules can act strange, you could also test disabling rule 67.
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39307786
Hi again. Now I've tried both switching the places of the rules and disabling rule 67. Same result as before.
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39307798
Crap ... This is getting ridiculous :)

Well, I guess I'm at the end of my ideas, maybe if I could take a look at the environment and the firewall setup, but for now ... I'm fresh out of ideas.
0
 
LVL 1

Author Comment

by:scorpius78
ID: 39307915
Tell me about it! :)

Well, I'd love to let you in to take a look, but then I would get the CSO on my back and I would probably lose my job...
0
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39307967
We wouldn't want that happening ...

If you still get stuck and you think I can possibly help, don't hesitate to contact me, I'm not hard to find ;)
0
 
LVL 1

Accepted Solution

by:
scorpius78 earned 0 total points
ID: 39320415
Problem solved! The destination address was added to the VPN domain earlier, but what I didn't know was that there is a VPN domain for my side too where I had to add the source. In addition to that, in the other end of the tunnel, they had to add my source address to their VPN domain (and probably also my destination address to their other VPN domain).
0
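The accepted solution above, together with the earlier question about whether matching is "always the first match", comes down to how a rule whose VPN column names a community interacts with first-match evaluation: such a rule only matches traffic that the gateway treats as belonging to that community, which requires the source to sit inside one side's VPN (encryption) domain and the destination inside the other's. If the source is missing from the local domain, the rule is skipped and evaluation falls through to the next candidate (rule 90 in this thread). The following is an added example, not code from the thread or from Check Point; it is a deliberately simplified model of that behaviour, and every address, object name, rule and community name in it is constructed for illustration.

```python
# Added example (not from the thread or from Check Point): a simplified model of
# first-match rulebase evaluation where a rule's VPN column names a community.
# All addresses, object names, rule numbers and community names are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    service: str   # service name, e.g. "icmp" or "http"


@dataclass(frozen=True)
class Rule:
    number: int
    src: tuple      # network objects as CIDR strings, or ("Any",)
    dst: tuple
    vpn: str        # "Any" or the name of a VPN community
    service: tuple  # service names, or ("Any",)
    action: str


@dataclass(frozen=True)
class VpnCommunity:
    name: str
    local_domain: tuple   # VPN (encryption) domain of our gateway
    remote_domain: tuple  # VPN (encryption) domain of the peer gateway


def in_objects(ip, objects):
    """True if ip lies inside any of the CIDR objects, or if objects is Any."""
    if objects == ("Any",):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(o, strict=False) for o in objects)


def is_vpn_traffic(pkt, community):
    """Simplified model: traffic belongs to the community only when the source
    is inside one member's VPN domain and the destination inside the other's."""
    local, remote = community.local_domain, community.remote_domain
    return (in_objects(pkt.src, local) and in_objects(pkt.dst, remote)) or \
           (in_objects(pkt.src, remote) and in_objects(pkt.dst, local))


def rule_matches(rule, pkt, communities):
    """Every column of the rule must match; a named community is one more column."""
    if not in_objects(pkt.src, rule.src) or not in_objects(pkt.dst, rule.dst):
        return False
    if rule.service != ("Any",) and pkt.service not in rule.service:
        return False
    if rule.vpn != "Any" and not is_vpn_traffic(pkt, communities[rule.vpn]):
        return False
    return True


def first_match(rulebase, pkt, communities):
    """Number of the first matching rule in order, or None for the implicit cleanup drop."""
    for rule in sorted(rulebase, key=lambda r: r.number):
        if rule_matches(rule, pkt, communities):
            return rule.number
    return None


# Constructed objects mirroring the thread's description (hypothetical addresses).
SERVER_A = "10.0.1.10/32"
SERVER_B = "192.168.50.20/32"
NETWORK_X = "10.0.2.0/24"

RULEBASE = (
    Rule(67, (NETWORK_X,), (SERVER_B,), "SiteToSite", ("http", "https"), "accept"),
    Rule(68, (SERVER_A,), (SERVER_B,), "SiteToSite", ("icmp", "http"), "accept"),
    Rule(90, (SERVER_A,), ("Any",), "Any", ("Any",), "accept"),
)


def communities_for(local_domain):
    """Build the community table for a given local VPN domain."""
    return {"SiteToSite": VpnCommunity("SiteToSite", local_domain, (SERVER_B,))}


def before_fix():
    """Local VPN domain holds only networkX: ServerA's ping falls through to rule 90."""
    pkt = Packet("10.0.1.10", "192.168.50.20", "icmp")
    return first_match(RULEBASE, pkt, communities_for((NETWORK_X,)))


def after_fix():
    """ServerA added to the local VPN domain: the same ping now hits rule 68."""
    pkt = Packet("10.0.1.10", "192.168.50.20", "icmp")
    return first_match(RULEBASE, pkt, communities_for((NETWORK_X, SERVER_A)))


if __name__ == "__main__":
    print("before fix, rule hit:", before_fix())
    print("after fix, rule hit:", after_fix())
```

The model deliberately leaves out NAT, the peer gateway's own domain check (which the thread notes also had to be fixed on the other end) and the real product's rulebase details; its point is that a "VPN: community" rule adds a match condition beyond source, destination and service, so a rule that is textually correct can still be skipped, with the hit landing on a later, broader rule instead.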
 
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39320422
Interesting ... Thanks for the information, I'm glad it's finally solved :)
0
 
LVL 1

Author Closing Comment

by:scorpius78
ID: 39332596
It was the only suggested solution that worked.
0
