Install policy on R80.x Security Gateway fails with verification error messages
Symptoms
  • Install policy on R80.x Security Gateway fails with one of the following verification error messages:
    • Rules with Service with Resource object (Rule X) cannot be combined with Application objects (Rule Y)
    • Rules with Service with Resource object (Rule X) cannot be combined with Domain objects, which are marked as FQDN (Rule Y)
    • Rules with Service with Resource object (Rule X) cannot be combined with Security Zone objects (Rule Y)
    • Rules with Service with Resource object (Rule X) cannot be combined with Data objects (Rule Y)
    • Rules with Service with Resource object (Rule X) cannot be combined with Service objects, which are using protocol signature (Rule Y)
    • Rules with Service with Resource object (Rule X) cannot be combined with Internet object (Rule Y)
    • Rules with Service with Resource object (Rule X) must be placed above rules with Application objects (Rule Y)
    • Rules with Service with Resource object (Rule X) must be placed above rules with Domain objects, which are marked as FQDN (Rule Y)
    • Rules with Service with Resource object (Rule X) must be placed above rules with Security Zone objects (Rule Y)
    • Rules with Service with Resource object (Rule X) must be placed above rules with Data objects (Rule Y)
    • Rules with Service with Resource object (Rule X) must be placed above rules with Service objects, which are using protocol signature (Rule Y)
    • Rules with Service with Resource object (Rule X) must be placed above rules with Internet object (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) cannot be combined with Application objects (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) cannot be combined with Domain objects, which are marked as FQDN (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) cannot be combined with Security Zone objects (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) cannot be combined with Data objects (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) cannot be combined with Service objects, which are using protocol signature (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) cannot be combined with Internet object (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) must be placed above rules with Application objects (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) must be placed above rules with Domain objects, which are marked as FQDN (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) must be placed above rules with Security Zone objects (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) must be placed above rules with Data objects (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) must be placed above rules with Service objects, which are using protocol signature (Rule Y)
    • Rules with User Auth or Client Auth action (Rule X) must be placed above rules with Internet object (Rule Y)
    • Rules with Logical Server objects (Rule X) cannot be combined with Application objects (Rule Y)
    • Rules with Logical Server objects (Rule X) cannot be combined with Domain objects, which are marked as FQDN (Rule Y)
    • Rules with Logical Server objects (Rule X) cannot be combined with Security Zone objects (Rule Y)
    • Rules with Logical Server objects (Rule X) cannot be combined with Data objects (Rule Y)
    • Rules with Logical Server objects (Rule X) cannot be combined with Service objects, which are using protocol signature (Rule Y)
    • Rules with Logical Server objects (Rule X) cannot be combined with Internet object (Rule Y)
    • Rules with Logical Server objects (Rule X) must be placed above rules with Application objects (Rule Y)
    • Rules with Logical Server objects (Rule X) must be placed above rules with Domain objects, which are marked as FQDN (Rule Y)
    • Rules with Logical Server objects (Rule X) must be placed above rules with Security Zone objects (Rule Y)
    • Rules with Logical Server objects (Rule X) must be placed above rules with Data objects (Rule Y)
    • Rules with Logical Server objects (Rule X) must be placed above rules with Service objects, which are using protocol signature (Rule Y)
    • Rules with Logical Server objects (Rule X) must be placed above rules with Internet object (Rule Y)
    • User Auth or Client Auth action (Rule X) cannot be used in inline layer
    • User Auth or Client Auth action (Rule X) can only be used on the first layer
    • Logical Server objects (Rule X) cannot be used in inline layer
    • Logical Server objects (Rule X) can only be used on the first layer
    • Service with Resource object (Rule X) cannot be used in inline layer
    • Service with Resource objects (Rule X) can only be used on the first layer
  • If the policy is misconfigured as described below, HTTPS traffic might be dropped for the following reason: "dropped by fw_send_log_drop Reason: Rulebase - ERROR;"
Cause

Legacy objects (Logical Server objects, Service with Resource objects, Client Auth / User Auth actions) run the rulebase using security servers. Security servers are a legacy mode of rulebase execution and do not support the new features* that are integrated in the new unified policy.

* New Features: Security zones, Application objects, Internet object, Data objects, Domain objects that are marked as FQDN, Service objects that are using protocol signature, Inline layers.
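
The verification messages listed under Symptoms follow two fixed shapes (a legacy rule X against a new-feature rule Y, or a legacy rule X against a layer restriction), so a failed install can be triaged by grouping the messages per legacy rule. The following is an added example, not Check Point code: it assumes "Rule X" and "Rule Y" are printed as rule numbers, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Legacy object wording as it appears in the messages (singular or plural).
LEGACY = (r"(?P<legacy>Service with Resource objects?"
          r"|User Auth or Client Auth action|Logical Server objects)")
RULE = r"\(Rule (?P<{}>[\w.]+)\)"  # assumption: X and Y are rule numbers

# "Rules with <legacy> (Rule X) <constraint> <new feature> (Rule Y)"
PAIR = re.compile(
    r"^Rules with " + LEGACY + " " + RULE.format("x") + " "
    r"(?P<constraint>cannot be combined with|must be placed above rules with) "
    r"(?P<feature>.+?) " + RULE.format("y") + "$")
# "<legacy> (Rule X) cannot be used in inline layer" / "... on the first layer"
LAYER = re.compile(
    "^" + LEGACY + " " + RULE.format("x") + " "
    r"(?P<constraint>cannot be used in inline layer"
    r"|can only be used on the first layer)$")

def parse_line(line):
    """Return the fields of one verification message, or None if not one."""
    m = PAIR.match(line.strip()) or LAYER.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    kind = g["legacy"].replace(" objects", "").replace(" object", "")
    return {"legacy": kind.replace(" action", ""), "rule": g["x"],
            "constraint": g["constraint"], "feature": g.get("feature"),
            "other_rule": g.get("y")}

def summarize(text):
    """Group messages by legacy rule; also return lines that did not parse."""
    by_rule = defaultdict(lambda: {"legacy": None, "conflicts": [], "layer": []})
    unparsed = []
    for line in filter(str.strip, text.splitlines()):
        f = parse_line(line)
        if f is None:
            unparsed.append(line)
            continue
        entry = by_rule[f["rule"]]
        entry["legacy"] = f["legacy"]
        if f["other_rule"] is None:
            entry["layer"].append(f["constraint"])
        else:
            entry["conflicts"].append(
                (f["constraint"], f["feature"], f["other_rule"]))
    return dict(by_rule), unparsed

# Constructed sample output (rule numbers are made up for illustration).
SAMPLE = """Rules with Service with Resource object (Rule 4) cannot be combined with Application objects (Rule 9)
Rules with Logical Server objects (Rule 12) must be placed above rules with Domain objects, which are marked as FQDN (Rule 3)
User Auth or Client Auth action (Rule 7) can only be used on the first layer
Service with Resource objects (Rule 4) can only be used on the first layer
Policy installation started"""
```

Each key of the returned dictionary is a rule that uses a legacy object, together with the new-feature rules and layer restrictions it was reported against.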


Solution