Tuesday, November 15, 2011

Checkpoint: The case of the missing policy

I recently had an issue with a new Checkpoint R71.30 cluster where the secondary cluster member would randomly lose its policy (fw stat would show initial policy). Upon rebooting, SIC would break and whenever I would run "cpconfig" I would get the following error:
[admin]# cpconfig
cpinst Error: Host name resolution for .
                   Local host name resolution is required for normal Check Point Security Gateway operation
                   Please correct this error and run cpstart again:

I then made the mistake of updating the /etc/hosts file with the host name of the firewall, which would resolve the error temporarily. However, the next time the firewall would reboot, it would lose its host name again.

It was discovered that the issue was two-fold.
#1- The firewall was shipped with R70, R71, and R75 packages. Even though clish and Voyager showed that only the desired R71 packages were loaded, the dbget command showed that all of them were active. Removing the unnecessary packages solved the policy issue.
dbget -v dynamic:pkgadd
dynamic:pkgadd:CPNGXCMP-R70-00 t
dynamic:pkgadd:CPNGXCMP-R71-00 t
dynamic:pkgadd:CPNGXCMP-R75-00 t
dynamic:pkgadd:CPR71CMP-R75-00 t
dynamic:pkgadd:CPSG80CMP-R75-00 t
dynamic:pkgadd:CPV40Cmp-R70-00 t
dynamic:pkgadd:CPV40Cmp-R71-00 t
dynamic:pkgadd:CPV40Cmp-R75-00 t
dynamic:pkgadd:CPinfo-10-00 t
dynamic:pkgadd:CPsuite-R70-00 t
dynamic:pkgadd:CPsuite-R71-00 t
dynamic:pkgadd:CPsuite-R75-00 t
dynamic:pkgadd:CPuag-R70-00 t
dynamic:pkgadd:CPuag-R71-00 t
dynamic:pkgadd:CPuag-R75-00 t
dynamic:pkgadd:CPvsxngxcmp-R70-00 t
dynamic:pkgadd:Nokinstall6.0-6.0-00 t
#2- The firewall was losing its host name because the host name had never been configured in Voyager. Using the Linux method (editing /etc/hosts directly, as above) causes the device to lose that setting on reboot; the host name has to be set through Voyager so that it survives a restart.
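An added check script, not from the original post, that parses the `dbget -v dynamic:pkgadd` output format shown above and flags a gateway on which more than one CPsuite release is marked active, then verifies that the local host name resolves (the cpconfig error above). It embeds a constructed sample of the dbget output so it runs off the appliance, and assumes `getent` is available for the resolver check.

```shell
#!/bin/sh
# Added example (not from the original post). Detects the two conditions
# described above: several CPsuite releases active at once, and a local host
# name that does not resolve. Assumes the dbget line format
#   dynamic:pkgadd:<PACKAGE>-<RELEASE>-00 t

# Constructed sample reproducing the post's dbget output (abridged).
SAMPLE_PKGADD='dynamic:pkgadd:CPNGXCMP-R70-00 t
dynamic:pkgadd:CPsuite-R70-00 t
dynamic:pkgadd:CPsuite-R71-00 t
dynamic:pkgadd:CPsuite-R75-00 t
dynamic:pkgadd:CPinfo-10-00 t'

# Print the release tag (R70, R71, ...) of every CPsuite package marked "t".
# $1: dbget output, one package per line.
active_suites() {
    printf '%s\n' "$1" | awk '$2 == "t" && $1 ~ /^dynamic:pkgadd:CPsuite-/ {
        sub(/^dynamic:pkgadd:CPsuite-/, "", $1); sub(/-[0-9]+$/, "", $1); print $1 }'
}

# Return 0 when exactly one CPsuite release is active, 1 (with a warning) otherwise.
check_single_suite() {
    count=$(active_suites "$1" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "WARNING: $count CPsuite releases active: $(active_suites "$1" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Return 0 when the gateway's own host name resolves (getent assumed available).
check_hostname_resolution() {
    hn=$(hostname)
    [ -n "$hn" ] && getent hosts "$hn" >/dev/null 2>&1
}

main() {
    status=0
    if command -v dbget >/dev/null 2>&1; then
        pkgadd=$(dbget -v dynamic:pkgadd)     # on the appliance: live data
    else
        pkgadd=$SAMPLE_PKGADD                 # elsewhere: the constructed sample
    fi
    check_single_suite "$pkgadd" || status=1
    check_hostname_resolution || { echo "WARNING: local host name does not resolve" >&2; status=1; }
    return $status
}

main "$@" || echo "One or more checks failed" >&2
```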
