Reassign of Global Policy fails with an error after reverting a database revision in Global Policy to a previous state
Symptoms
  • Reassign of Global Policy fails with an error after reverting a database revision in Global Policy to a previous state (in Global SmartDashboard, go to File menu - click on Database Revision Control... - select a database revision - click on Action... button - click on Restore Version...), where the restored revision contains Global IPS profiles that were deleted since the database revision was taken:

    • Action in progress... Please wait ...
      Active Domain Management Server for Domain <Name of Domain> is <Name of Domain Management Server> on Multi-Domain Server <Name of Multi-Domain Server>
      <Name of Domain Management Server> error: Error while mapping IPS Protection classes of Domain Management Server.
      <Name of Domain Management Server> error: Disconnected from Domain Management Server. Check Domain Management Server status. Operation failed.

    • An ERROR occurred on CMA <Name of Domain Management Server> during the Global Policy Installation. ERROR: <Name of Domain Management Server> error: A local profile by the name '<Name of IPS Profile>' already exists on the Domain Management Server. Rename the profile in the Global SmartDashboard, or on the Domain Management Server.
      <Name of Domain Management Server> error: Error while assigning Global IPS profiles to Domain <Name of Domain Management Server>
      <Name of Domain Management Server> error: Disconnected from Domain Management Server. Check Domain Management Server status. Operation failed..  A second attempt at Global Policy Installation will be run.

  • The following warning is displayed in SmartDashboard when trying to restore a previous database revision
    (go to File menu - click on Database Revision Control... - select a database revision - click on Action... button - click on Restore Version...):

    Restoring to a previous database revision is not recommended in global database.
    Prior to restoring, each domain must be updated according to sk37324.
    
    Are you sure you want to continue?
    

    (Note: As of July 2016, this warning appears only after installing an improved SmartConsole, which is available via Check Point Support.)

Cause

If the Global Database is reverted to an older revision, and a Global Policy is assigned to a Domain with a Global IPS subscription, then the Global IPS objects (profiles, exceptions, patterns, etc.) will not be updated properly.
This may result in unexpected behavior, such as failure to assign a Global Policy, or inconsistency in the Domain database.

The "Assign Global Policy" process compares the current global object timestamp to the last time when the "Assign Global Policy" or "Reassign" action was performed, in order to check if those objects must be updated.

If an administrator reverts to an earlier Database Revision, the comparison will incorrectly identify the Global IPS objects as older, when compared to the last global policy assignment. Therefore, it will not update these objects on the Domain Management Servers.
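
The comparison described above, as a small shell model. This is an added illustration, not Check Point code: the object names, the times and the select_for_update helper are constructed, and treating an empty time stamp as "update everything" is an assumption based on the reset performed in the Solution.

```shell
#!/bin/sh
# Hypothetical model of the "Assign Global Policy" comparison; not Check Point code.
# Input lines (constructed): "<global object name> <last-modified epoch seconds>"

# Print the objects an assignment would push to the Domain.
# $1 = time of the last assign/reassign; empty means the time stamp was reset.
select_for_update() {
    awk -v last="$1" 'last == "" || ($2 + 0) > (last + 0) { print $1 }'
}

LAST_ASSIGN=300   # constructed: the last "Assign Global Policy" ran at t=300

# Constructed Global database before the revert: Profile_A was edited at t=400.
current_db() { printf '%s\n' 'Profile_A 400' 'Profile_B 200'; }

# Constructed Global database after restoring a revision taken at t=100.
# Profile_C was deleted after the revision was taken and is now back.
reverted_db() { printf '%s\n' 'Profile_A 100' 'Profile_B 100' 'Profile_C 100'; }

# Normal edit: only the object changed since the last assignment is pushed.
echo "normal edit      : $(current_db  | select_for_update "$LAST_ASSIGN" | tr '\n' ' ')"
# After the revert every object looks older than the last assignment: nothing is pushed.
echo "after revert     : $(reverted_db | select_for_update "$LAST_ASSIGN" | tr '\n' ' ')"
# After the time stamp is reset every object is pushed again.
echo "after time reset : $(reverted_db | select_for_update ""             | tr '\n' ' ')"
```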


Solution

Important Note: Perform the following procedure every time you restore a global database revision, prior to assigning the Global Policy to a Domain.

Follow any one of the following procedures to update the time stamps of global policy assignment and global IPS assignment:

  • Using a shell script

    1. Download this shell script to your computer.

    2. Transfer the downloaded shell script (sk37324.tar) to Multi-Domain Security Management Server (into some directory, e.g., /some_path_to_fix/).

    3. Connect to command line on Multi-Domain Security Management Server.

    4. Log in to Expert mode.

    5. Unpack the shell script:

      [Expert@HostName:0]# cd /some_path_to_fix/
      [Expert@HostName:0]# tar xvf sk37324.tar
    6. Assign the execute permission to the shell script:

      [Expert@HostName:0]# chmod u+x sk37324.sh
    7. Close all SmartConsole GUI clients in "Write" mode that are connected to this Multi-Domain Security Management Server.

      Notes:

      • The shell script fails for those Domains to which a SmartConsole GUI client in "Write" mode is currently connected.
      • Verify by running the "cpstat mg" command in the context of each Domain Management Server.

         

    8. Verify that all Domains are up:

      [Expert@HostName:0]# mdsstat

      Note: The shell script fails for those Domains whose processes are currently Down.

    9. Execute the shell script and refer to the output of the screen:

      [Expert@HostName:0]# ./sk37324.sh

    10. If the shell script failed to update some of the Domains (e.g., a Domain was down / locked by SmartDashboard), then:

      • either execute this shell script again
      • or manually update those Domains (using either DBedit Tool, or GuiDBedit Tool as described below)
    11. In SmartDomain Manager, assign/reassign the Global Policy to the Domain Management Servers.



  • Manually using DBedit Tool

    Note: This procedure must be performed for each configured Domain Management Server.

    1. Connect to command line on Multi-Domain Security Management Server.

    2. Log in to Expert mode.

    3. Switch to the context of Domain Management Server:

      [Expert@HostName:0]# mdsenv <Name of Domain Management Server>
    4. Close all SmartConsole GUI clients in "Write" mode that are connected to this Multi-Domain Security Management Server.

      Note: Refer to the output of cpstat mg command in the context of each Domain Management Server.

    5. Connect with DBedit Tool to each Domain Management Server:

      [Expert@HostName]# dbedit
    6. Update the time stamps of global policy assignment and global IPS assignment:

      dbedit> modify properties firewall_properties gp_assign_time ""
      dbedit> modify properties firewall_properties gp_sd_assign_time ""
    7. Save the changes:

      dbedit> update_all
    8. Exit from the tool:

      dbedit> quit
    9. In SmartDomain Manager, assign/reassign the Global Policy to the Domain Management Servers.



  • Manually using GuiDBedit Tool

    Note: This procedure must be performed for each configured Domain Management Server.

    1. Close all SmartConsole GUI clients in "Write" mode that are connected to this Multi-Domain Security Management Server.

      Note: Refer to the output of cpstat mg command.

    2. Connect with GuiDBedit Tool to each Domain Management Server.

    3. In the upper left pane, go to Table - Global Properties - properties.

    4. In the upper right pane, click on firewall_properties.

    5. Press CTRL+F (or go to Search menu - Find) - paste gp_assign_time - click on Find Next.

    6. In the lower pane, right-click on the gp_assign_time - select Reset.

    7. In the upper right pane, click on firewall_properties.

    8. Press CTRL+F (or go to Search menu - Find) - paste gp_sd_assign_time - click on Find Next.

    9. In the lower pane, right-click on the gp_sd_assign_time - select Reset.

    10. Save the changes: go to File menu - click on Save All.

    11. Close the GuiDBedit Tool.

    12. In SmartDomain Manager, assign/reassign the Global Policy to the Domain Management Servers.
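
The DBedit procedure (steps 3 to 8 of "Manually using DBedit Tool") can be batched over several Domain Management Servers. The following is an added example, not the contents of sk37324.sh and not Check Point code: the function names and Domain names are hypothetical, `dbedit -local -f` replaces the interactive session of step 5, and it assumes that mdsenv is available as in an Expert mode shell and that dbedit exits non-zero on failure.

```shell
#!/bin/bash
# Added example, not sk37324.sh. Run in Expert mode on the Multi-Domain Server,
# after closing SmartConsole clients in "Write" mode and checking mdsstat.

# Write the DBedit commands of steps 6-8 into a batch file ($1 = path).
write_batch() {
    cat > "$1" <<'EOF'
modify properties firewall_properties gp_assign_time ""
modify properties firewall_properties gp_sd_assign_time ""
update_all
quit
EOF
}

# Reset the time stamps on every Domain Management Server named in "$@".
# Prints on stdout the names that failed (Domain down, or locked by a
# SmartConsole in "Write" mode) so that they can be retried, and returns
# non-zero if any failed.
# Assumption: dbedit exits non-zero when it cannot connect or save.
reset_assign_times() {
    local batch dms failed=0
    batch=$(mktemp) || return 2
    write_batch "$batch"
    for dms in "$@"; do
        # The subshell keeps the mdsenv context switch local to this Domain;
        # tool output goes to stderr so stdout carries only the failed names.
        if ! ( mdsenv "$dms" && dbedit -local -f "$batch" ) >&2; then
            echo "$dms"
            failed=1
        fi
    done
    rm -f "$batch"
    return "$failed"
}

# Usage (Domain Management Server names are placeholders):
#   reset_assign_times DMS_1 DMS_2 || echo "retry the Domains listed above"
```

After all Domains succeed, assign/reassign the Global Policy in SmartDomain Manager as in the last step of each procedure.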

 


 

Note:

If an administrator has reverted to an older database revision in the Global Database and has performed "Assign Global Policy" before updating the time stamps (as described above), then one or more global IPS profiles might appear as regular profiles that have been defined at the Domain level (i.e., these IPS profiles may be edited and altered just like any other local IPS profile).
In such a case:

  1. Delete the problematic Global IPS profile using the Domain's SmartDashboard.
  2. Update the time stamps as described above.

Failing to do so may result in a failure to assign or remove Global Policy later on.

Applies To:
  • 00443644
  • 01955854 , 01960801 , 01957167 , 01960795
  • 01957505
