Monday, January 16, 2012

R7x to R75 upgrade - policy compilation issue

I have written already about some issues concerning upgrade and/or migration to R7x.

It is time to mention even more of them.

If you upgrade or migrate your R65, R70 or R71 MGMT station to R75, brace yourself. In many cases you will not be able to compile policy anymore. The issue is related to incorrect handling of IPS configuration files.

Symptoms: you will get at least one of the error messages below:



  • The Converter failed to convert policy. Possibly wrong policy name. Policy_Name
  • INTERNAL ERROR in execval: optimization disabled: displacement too large
  • ERROR: function undefined Network Security cpp: line Line_Number Error: Redefining defined variable 'ADP_ENABLE_SLAMMER_PROT' /opt/CPNGXCMP-R7X/conf/updates.def



Sometimes policy compilation fails for existing FWs with "old" versions: R65, R70 or R71. In other situations the problem only surfaces when you upgrade your FWs to R75. To be absolutely sure your upgrade went well and you do not have the described symptoms, create a dummy FW object with the target software version and try to push policy to it. If the push fails only on connectivity, which is expected because the dummy gateway does not exist, the policy compiled and you are one of the lucky ones.

To fix the situation, according to SK61326, you will have to open a support request. A support engineer will provide you with the "proper" files. You will then have to replace them manually, one by one.

Now, imagine you have this issue across multiple CMAs in a Multi-Domain environment...


3 comments:

  1. Hi I've got a similar error with management server R75.40 after an upgrade from R71.40!
    I'm able to log on to the dashboard and the monitor is seeing the firewalls correctly, but when I try to install the policies I get this error:
    C:\Program Files\Checkpoint\FLICMP\R75.40\conf\updates.def error, unkown macro or function Obj5ea36e2978bab8db8dbef1384bca3c.

    Do you happen to know anything about this error?
    Regards
    Ricardo Meireles
    decastromeireles@gmail.com

  2. Try to get a new IPS update. If that does not help, open a support call with Check Point
