VSX Virtual System might be left without any policy, if installation of policy fails after running 'cpstop;cpstart' commands
Symptoms
  • VSX Virtual System might be left without any policy, if installation of policy fails after running 'cpstop ; cpstart' commands:

    • The following error will appear on the screen:
      Fetching Security Policy from localhost failed

    • Output of 'vsx stat -v' command will show <No Policy> instead of 'defaultfilter' for the problematic Virtual System.


  • Affected versions are R75.40VS in VSX mode and R76 in VSX mode.
Cause

Policy installation failure.


Solution

Check Point offers the following solutions for this issue:

  • Hotfix package
  • Manual workaround

Procedure:

  • Hotfix package

    1. Hotfix has to be installed on Security Gateway.

    2. On R76 only: Download and install the updated version of the Gaia Software Updates Agent:

      1. Download the package with updated version of Gaia Software Updates Agent from sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(3) Latest build of CPUSE and What's New".

      2. Transfer the updated Gaia Software Updates Agent package (DeploymentAgent_<version>.tgz) to Security Gateway into /some_path_to_updated_DA/ directory.

      3. Unpack the Gaia Software Updates Agent package:

        [Expert@HostName]# cd /some_path_to_updated_DA/
        [Expert@HostName]# tar xvfz DeploymentAgent_<version>.tgz

      4. Stop the Gaia Software Updates Agent service:

        [Expert@HostName]# $DADIR/bin/dastop
        [Expert@HostName]# dbget installer:stop

      5. Install the Gaia Software Updates Agent RPM:

        [Expert@HostName]# rpm -Uhv --force CPda-00-00.i386.rpm

      6. Start the Gaia Software Updates Agent:

        [Expert@HostName]# $DADIR/bin/dastart


    3. Download the hotfix package for Security Gateway:

      Platform         R75.40VS    R76
      Gaia OS          (TGZ)       (TGZ)
      Crossbeam XOS    (TGZ)       (TGZ)


    4. Transfer the hotfix package to the machine (e.g., into /some_path_to_fix/ directory).

    5. Unpack the hotfix package:

      [Expert@HostName]# cd /some_path_to_fix/
      [Expert@HostName]# tar xvfz fw1_wrapper_HOTFIX_NAME.tgz

    6. Install the hotfix:

      [Expert@HostName]# ./fw1_wrapper_HOTFIX_NAME

    7. Reboot the machine.


  • Manual workaround

    Table of Contents:

    • Important Notes
    • Procedure
    • Rollback


    Important Notes

    The steps given below require knowledge of shell scripting. A mistake in the $FWDIR/scripts/fwk_start shell script will cause issues with initialization and configuration of Check Point software. If you are not sure how to implement this workaround, then download the Hotfix package.


    Procedure

    1. Backup the current $FWDIR/scripts/fwk_start shell script:

      [Expert@HostName:0]# cp -v  $FWDIR/scripts/fwk_start  $FWDIR/scripts/fwk_start_ORIGINAL

    2. Edit the current $FWDIR/scripts/fwk_start shell script:

      [Expert@HostName:0]# vi $FWDIR/scripts/fwk_start

    3. Add the following lines into the $FWDIR/scripts/fwk_start shell script:

      • declaration for FW_BOOT_DIR variable
      • declaration for FW1_BOOTSEC variable
      • "$FW_BOOT_DIR/fwboot default $FW1_BOOTSEC" "fn_true"

      The new lines have to be added as follows (the added lines are the FW_BOOT_DIR / FW1_BOOTSEC declaration block and the "$FW_BOOT_DIR/fwboot default $FW1_BOOTSEC" line, which must come before the "fw fetch localhost" line):

      • R75.40VS

        ...........................................
        
        DBGET="/bin/dbget"
        ARPING="/sbin/arping"
        VRF="/usr/sbin/vrf"
        
        if [ -z "$FW_BOOT_DIR" ]
        then
        	FW_BOOT_DIR=/etc/fw.boot
        fi
        bootconf="${FW_BOOT_DIR}/fwboot bootconf"
        FW1_BOOTSEC=`$bootconf get_def`
        
        LOG_PATH=$FWDIR/log/fwk.elg
        EXEC_OUTPUT_PATH=$FWDIR/tmp/fn_exec.out
        
        ...........................................
        
        	"$FWDIR/bin/vpn drv on" "fn_true"
        	"$FWDIR/bin/fwaccel on" "fn_is_securexl"
        	"$FW_BOOT_DIR/fwboot default $FW1_BOOTSEC" "fn_true"
        	"$FWDIR/bin/fw fetch localhost -fwstart" "fn_true"
        	"$FWDIR/bin/fw amw fetch localhost -nu" "fn_true"
        
        ...........................................
        


      • R76

        ...........................................
        
        DBGET="/bin/dbget"
        ARPING="/sbin/arping"
        VRF="/usr/sbin/vrf"
        
        if [ -z "$FW_BOOT_DIR" ]
        then
        	FW_BOOT_DIR=/etc/fw.boot
        fi
        bootconf="${FW_BOOT_DIR}/fwboot bootconf"
        FW1_BOOTSEC=`$bootconf get_def`
        
        LOG_PATH=$FWDIR/log/fwk.elg
        EXEC_OUTPUT_PATH=$FWDIR/tmp/fn_exec.out
        
        ...........................................
        
        	"$FWDIR/bin/fwaccel on" "fn_is_securexl"
        	"$FWDIR/bin/fwaccel6 on" "fn_is_securexl6"
        	"/etc/fw.boot/fwboot ha_conf" "fn_is_cluster"
        	"$FW_BOOT_DIR/fwboot default $FW1_BOOTSEC" "fn_true"
        	"$FWDIR/bin/fw fetch localhost" "fn_true"
        	"$FWDIR/bin/fw amw fetch localhost -nu" "fn_true"
        	"$POST_STATE_STR" "N/A"
        
        ...........................................
        


    Rollback

    In case this workaround is implemented, but Check Point software does not load correctly, perform the following steps:

    1. Reboot the machine.

    2. Press any key to get into 'Boot Menu'.

    3. Choose 'Start in maintenance mode'.

    4. Enter the Administrator password when prompted.

    5. Restore the original $FWDIR/scripts/fwk_start shell script:

      sh-3.1# cp -v -f  /opt/CPsuite-Rxx/fw1/bin/scripts/fwk_start_ORIGINAL  /opt/CPsuite-Rxx/fw1/bin/scripts/fwk_start

    6. Reboot the machine:

      sh-3.1# reboot
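The two checks below are an added example, not code from the Check Point article or from the product: the first confirms on a copy of $FWDIR/scripts/fwk_start that the workaround line is present and placed before the "fw fetch localhost" line (the ordering the article requires, so that the default filter is loaded even when the fetch fails); the second lists the Virtual Systems that saved 'vsx stat -v' output reports as "<No Policy>". The file paths, the fwk_start excerpt and the layout assumed for the 'vsx stat -v' output (one "VSID:" line followed by a "Security Policy:" line per Virtual System) are constructed for this example and should be adapted to the gateway.

```shell
#!/bin/sh
# Added example, not code from the Check Point article: two checks an admin
# can run to confirm the manual workaround is in place and to find Virtual
# Systems that were left without a policy. File paths, the fwk_start excerpt
# and the 'vsx stat -v' line layout below are constructed for the example.

# Returns 0 when FILE (a copy of $FWDIR/scripts/fwk_start) contains the
# "fwboot default $FW1_BOOTSEC" line AND it comes before "fw fetch localhost",
# 1 when the workaround line is missing, 2 when it is present but placed after
# the fetch (a failed fetch would then still leave the VS with no policy).
fwk_start_has_workaround() {
    awk '
        /fwboot default [$]FW1_BOOTSEC/ && !def   { def = NR }
        /fw fetch localhost/            && !fetch { fetch = NR }
        END {
            if (!def) exit 1
            if (fetch && def > fetch) exit 2
            exit 0
        }' "$1"
}

# Prints the VSID of every Virtual System whose saved 'vsx stat -v' output
# (FILE) shows "<No Policy>"; returns 0 when every VS has a policy, 1 otherwise.
# Assumed layout (constructed for this example): each VS block starts with a
# "VSID:" line and carries a "Security Policy:" line.
vs_without_policy() {
    awk '
        /^VSID:/      { vsid = $2 }
        /<No Policy>/ { print vsid; n++ }
        END           { exit (n > 0) }
    ' "$1"
}

# Self-contained demonstration on constructed input.
demo() {
    fwk=$(mktemp) && stat=$(mktemp) || return 1

    # Constructed fwk_start excerpt with the workaround applied (R75.40VS order).
    cat > "$fwk" <<'EOF'
    "$FWDIR/bin/fwaccel on" "fn_is_securexl"
    "$FW_BOOT_DIR/fwboot default $FW1_BOOTSEC" "fn_true"
    "$FWDIR/bin/fw fetch localhost -fwstart" "fn_true"
EOF
    if fwk_start_has_workaround "$fwk"; then
        echo "fwk_start: workaround present and ordered before fw fetch"
    else
        echo "fwk_start: workaround missing or misordered (code $?)"
    fi

    # Constructed 'vsx stat -v' output: VS 1 has defaultfilter, VS 2 has none.
    cat > "$stat" <<'EOF'
VSID:            1
Name:            VS1
Security Policy: defaultfilter
VSID:            2
Name:            VS2
Security Policy: <No Policy>
EOF
    if ids=$(vs_without_policy "$stat"); then
        echo "all Virtual Systems have a policy"
    else
        echo "Virtual Systems without policy: $ids"
    fi
    rm -f "$fwk" "$stat"
}

demo
```

On a real gateway the functions would be pointed at $FWDIR/scripts/fwk_start itself and at a file produced by redirecting 'vsx stat -v'; the awk patterns are deliberately loose (substring matches rather than exact lines) so that the different R75.40VS and R76 forms of the fetch line are both recognized.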
Applies To:
  • 01139922 , 01153656 , 01186444 , 01200020 , 01153645 , 01232850 , 01241189 , 01152668 , 01162710 , 01153681 , 01153650 , 01162713
