Warning during upgrade of Security Management Server to R80 / R80.10, or during policy installation that Other Services are not supported
Symptoms
  • Warning during upgrade of Security Management Server to R80 / R80.10 that Other Services are not supported:

    • "At least one of the services contains invalid Match expression"
    • "To resolve, fix the Match expression of the unsupported service(s) (Other Service Properties > Advanced) or delete them"
  • Error during policy installation on R80.10 Security Gateway:

    • "Error: Rule <Number of Rule> in Network Security policy will not be enforced, because service <Name of Service> has unknown match/action.
      To learn more, see sk109195
      "

    • "The Match expression is unknown for service(s):
      <Name of Service>
      For more information, please refer to sk109195
      "

    • "The Match expression is unknown for service(s):
      <Name of Service>
      Some of the unsupported services are members of the following group(s):
      <Name of Group>
      For more information, please refer to sk109195.
      "

    • "The Match expression is unknown for service(s):
      <Name of Service>
      Some of the unsupported service(s) are members of the following rulebase(s):
      <Name of Policy>
      For more information, please refer to sk109195.
      "

    • "The Match expression is unknown for service(s):
      <Name of Service>
      Some of the unsupported services are members of the following group(s):
      <Name of Group>
      Some of the unsupported service(s) / group(s) are members of the following rulebase(s):
      <Name of Policy>
      For more information, please refer to sk109195.
      "

Cause

The database contains Other Service objects with a non-empty 'Match' field, which are not part of the Check Point default services.

In R80 and above, the Other Service object definition has been modified: the 'Match' field has been split into two fields, 'Match' and 'Action'.

Conversion of objects from R77 (and lower) to R80 (and above) is done automatically, but for user-defined services it may be incorrect. Therefore, the user is warned.


Solution

 

Follow these steps:

  1. After a successful upgrade, manually convert the user-defined Other Service objects.

    • Introduction

      The new object consists of the following fields (in the "Advanced" section):

      Field: Match
      Explanation: Contains an INSPECT expression that defines the matching criteria. The connection is examined against the expression during the first packet.
      Example: tcp, dport = 21, direction = 0
               would match incoming FTP control connections.

      Field: Action
      Explanation: Contains an INSPECT expression that defines the actions that should be taken once the rule containing this service is matched.
      Example: set r_mhandler &open_ssl_handler
               would set a handler on the connection.


    • Conversion Tips

      Tip A: An expression for TCP/UDP that contains only dport (Destination Port) and sport (Source Port) criteria can and should be converted to a simple TCP Service / UDP Service object for performance reasons.
      Examples:
      • tcp, dport > 1520, dport < 1541
      • udp, sport=111

      Tip B: An expression that contains only ip_p (Protocol Number) criteria should be converted to an Other Service object without any expressions in the 'Match' and 'Action' fields.
      Examples:
      • ip_p=1
      • ip_p=6
      • ip_p=11

      Tip C: Carefully examine the old 'Match' expression. In most cases, it is a pure matching expression that should be copied to the new 'Match' field (leaving the 'Action' field empty).
      Examples:
      • udp, uh_dport > 4100, ip_ttl < 30
      • (tcp and dport=11629 and ([28,b]=0x10))
      • tcp,<dst,0> in userc_rules
      • ip_p=47, ([20:2,b] & 0xEF7F)=0x2001, [22:2,b]=0x880B

      Tip D: Old expressions that contain the words 'set', 'record', or 'call' are suspected to contain an 'Action' phrase that should be placed in the 'Action' field.
      Example:
      This expression:
      dport=port, set r_scvres SCV_DONT_VERIFY

      should be converted to:
      • Match: dport=port
      • Action: set r_scvres SCV_DONT_VERIFY



  2. Finally, clear the 'Show Install Policy verification warning' box in Other Service Properties -> 'Advanced'. This removes the errors when installing policy on an R80.X Security Gateway. Leaving the box checked means that the administrator has not converted the expression, so errors about a possible security issue are shown during policy installation.
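
Conversion tips A to D can be applied as a first-pass triage before editing each object by hand. The Python below is an added example, not Check Point tooling or code from this article; the function name `triage` and its regular-expression heuristics are assumptions, and every proposed result still needs the manual review that tip C calls for.

```python
import re

# Tip D: words that suggest an embedded 'Action' phrase.
ACTION_WORDS = re.compile(r"\b(set|record|call)\b")
# Tip A: a port-only term such as "dport > 1520" or "sport=111".
PORT_TERM = re.compile(r"^(dport|sport)\s*(<=|>=|=|<|>)\s*\d+$")
# Tip B: a protocol-number-only expression such as "ip_p=6".
PROTO_TERM = re.compile(r"^ip_p\s*=\s*\d+$")


def triage(expr):
    """Return (tip, match, action) proposed for a legacy 'Match' expression."""
    expr = expr.strip()
    hit = ACTION_WORDS.search(expr)
    if hit:
        # Tip D: everything from the first action word goes to 'Action'.
        match = expr[:hit.start()].rstrip(" ,")
        return ("D", match, expr[hit.start():])
    terms = [t.strip() for t in expr.split(",")]
    if (terms[0] in ("tcp", "udp") and len(terms) > 1
            and all(PORT_TERM.match(t) for t in terms[1:])):
        # Tip A: replace with a simple TCP/UDP Service object.
        return ("A", expr, "")
    if len(terms) == 1 and PROTO_TERM.match(terms[0]):
        # Tip B: Other Service object with empty 'Match' and 'Action'.
        return ("B", "", "")
    # Tip C: treated as a pure match; copy it and review it by hand.
    return ("C", expr, "")


# Expressions quoted in this article, used as sample input.
SAMPLES = [
    "tcp, dport > 1520, dport < 1541",
    "udp, sport=111",
    "ip_p=47, ([20:2,b] & 0xEF7F)=0x2001, [22:2,b]=0x880B",
    "ip_p=6",
    "tcp,<dst,0> in userc_rules",
    "dport=port, set r_scvres SCV_DONT_VERIFY",
]

if __name__ == "__main__":
    for s in SAMPLES:
        tip, match, action = triage(s)
        print(f"[{tip}] {s!r} -> Match={match!r} Action={action!r}")
```

An expression that mixes ip_p with other criteria falls through to tip C on purpose, so nothing with extra match conditions is silently reduced to an empty 'Match' field.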

 
