This article is not relevant for R80.x.
Background
When text is copied from advanced text editors (e.g. Microsoft Word) and pasted into the SmartDashboard in a rule, certain non-ASCII characters are pasted as well. These non-ASCII characters (such as "à", "Ö", "ç") will cause the policy installation to fail with various errors like "Internal error", "Load on module error", etc.
Kernel debug on the gateway in this case will show: fwloghandle_check_string: invalid char in string (ascii XXX)
The rulename_check tool
Check Point provides a special Tool for checking Check Point objects and rules for non-ASCII characters that detects the problematic rules in a more convenient way.
This Tool also prints the rule numbers, but the numbers may be incorrect in case there are VPN automatic rules
Usage:
- Download and unpack the rulename_check tool
- Log in to Expert mode.
- Run : [Expert@Hostname]# ./rulename_check
The tool will scan the $FWDIR/conf/rulebases_5_0.fws file and when it finds the rule with an invalid name, it adds the comment in the string --INVALID RULE NAME--.
After running the tool open SmartDashboard, search for this string and fix all names.
Additional Options:
-f - path to a specific file
-d - delete the rulename to fix the problem. it will also mark all those rule ("--CLEAN RULE NAME--")
-r - read only mode it will only print the result of the scan, but won't do any modification to the database.
CLI Procedure
- Connect to the command line on the Security Management Server / Multi-Domain Security Management Server.
- Log in to Expert mode.
-
On Multi-Domain Security Management Server - switch to the context of the involved Domain Management Server:
[Expert@HostName]# mdsenv <Domain_Name>
-
Check whether any of the defined Network Objects contains non-ASCII characters:
[Expert@HostName]# grep -P -n "[\x80-\xFF]" $FWDIR/conf/objects_5_0.C
-
Check whether any of the defined Security Rules contains non-ASCII characters:
[Expert@HostName]# grep -n -e "name.*(.*" -e "##.*" $FWDIR/conf/rulebases_5_0.fws -o | grep -e "["$'\x80'"-"$'\x9F'"]" -e [[:cntrl:]] -e "##"
- [Expert@HostName]# grep -n -e "comments.*(.*" -e "##.*" $FWDIR/conf/rulebases_5_0.fws -o | grep -e "["$'\x80'"-"$'\x9F'"]" -e [[:cntrl:]] -e "##"
-
If Network Objects / Security Rules indeed contain non-ASCII characters then delete the non-ASCII characters:
- Collect a complete backup of the Management Server (refer to section "How to Backup" below).
At least, backup these files:
- $FWDIR/conf/objects_5_0.C
- $FWDIR/conf/rulebases_5_0.fws
-
Login to SDB and search for the object/rule name/comments that contains the non-ASCII character based on the above command output. Delete non-ASCII character and then push policy. "OR"
-
Stop Check Point services:
- Edit the relevant file in Vi editor ($FWDIR/conf/objects_5_0.C and/or $FWDIR/conf/rulebases_5_0.fws)
- Delete the non-ASCII characters in the relevant lines (refer to the output of the '
grep' command).
- Save the changes in the file and exit from the Vi editor.
-
Start Check Point services:
- Connect with SmartDashboard to Security Management Server / Domain Management Server.
- Install the policy onto the relevant Security Gateway / Cluster object.
|
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
|
|
This solution is about products that are no longer supported and it will not be updated
|
