Check Point Chaos Quick Troubleshooting


Some incredibly odd issues clear up with a policy install, a services restart, or a reboot.


As IT support professionals, we consistently chant the mantra “Have you tried to turn it off, and turn it back on?” But do you know why that works? No!?! Me neither… However, I will speculate that it is likely due to the millions of calculations and components involved in a computer’s functioning. Of course, first you must factor the human variable into this equation, which almost guarantees imperfect coding and thus illogical calculations, but beyond that you can’t tell me it is impossible for some electrical anomaly to occur in all of this and confuse a small part of the computational code. Once corrupted, such unexpected code will almost certainly corrupt other code, eventually causing noticeable effects on the device in question as it tries its damnedest to make sense of it all. Chaos Theory in effect.

The reason I say Check Point proves Chaos Theory is that, other than memory leaks, of which F5 is king, Check Point has ownership of the oddest unexplained behavioral issues. So you take the normal expected faults of a system (which are far fewer on a Linux platform, which most CP firewalls are installed on), then add convoluted databases, service components and process interactions, and POW, you’ve got the king of chaos. Even comparing apples to applesauce: a Cisco or Juniper firewall can do something with a dozen lines of configuration, but the same function would require hundreds of lines in a CP configuration database. So its additional convolution equates to additional computation, and additional computation (if Chaos Theory is correct) multiplies the chance of unexplainable faults. CP DOES have more unexplained faults; therefore, Chaos Theory proven… 😀 😀


How to battle Chaos.

First, assume the unexplained issue (i.e. one that is not documented as a known issue, and that other documents and thorough troubleshooting have not explained) is in the “active” configuration DB of the Security Gateway (SG). Because the SG interacts with these configurations, corruption may occur. The “prospective” configurations that reside on the Security Management Server are only interacted with when using a SmartConsole client, so they are FAR less likely to have the same corruption. To resolve this, REINSTALL POLICY. Even if no changes have been made, this still overwrites the SG’s DBs. See the “SMART Explained” FAQ for more details.

If that doesn’t work, then assume it is in the CP process, so issue the commands ‘cpstop’ and ‘cpstart’. This will cause all firewall components to stop, so keep that in mind if you are connected to it via a NATted IP address (i.e. if the NAT is on the firewall, it will become unresponsive).

Finally, try a reboot. Some admins may prefer this to a services restart, which is their call…

Reserved for Level-2++: Re-image.
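
For the ‘cpstop’ / ‘cpstart’ step above, one way to handle the NAT caveat is to run the pair detached from the login session, so that ‘cpstart’ still runs if the session hangs after the firewall components stop. This is an added example, not from the original article; `CP_STOP`, `CP_START`, `CP_LOG` and the log path are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the original article): run the article's
# cpstop/cpstart pair detached from the login session, so cpstart still
# runs if the session hangs or drops once the firewall stops handling NAT.
# CP_STOP, CP_START and CP_LOG are hypothetical variables introduced here;
# their defaults are the commands named in the article and an assumed log path.
CP_STOP="${CP_STOP:-cpstop}"
CP_START="${CP_START:-cpstart}"
CP_LOG="${CP_LOG:-/var/tmp/cp_restart.log}"

restart_cp_detached() {
    # nohup ignores SIGHUP and '&' backgrounds the job, so the stop/start
    # sequence does not depend on the terminal staying alive.
    # Inside the child shell: $1 is the stop command, $2 the start command.
    # The start command runs even if the stop command returns non-zero,
    # and both exit codes are written to the log.
    nohup sh -c '
        echo "stop begin: $(date)"
        "$1"; echo "stop rc=$?"
        echo "start begin: $(date)"
        "$2"; echo "start rc=$?"
    ' restart_cp "$CP_STOP" "$CP_START" >>"$CP_LOG" 2>&1 </dev/null &
}

# Usage on the gateway, then read the log after reconnecting:
#   restart_cp_detached
#   tail "$CP_LOG"
```

The log records the exit code of each command, which gives you something concrete to check before escalating to a reboot.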
