The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Failed to Load Security Policy on gateway: Resource temporarily unavailable

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


I have seen this message when attempting to install a policy from a management station to a firewall module and the remote firewall was unreachable. Make sure the site is up. Also make sure the current rule base installed on 'gateway' is not blocking packets from the 'control' machine. See the following URL for information on how to get around that problem: Install an 'accept all' policy on the firewall module.

Mike Barkett makes the following suggestion: Make sure the following three IPs are the same:

  1. fw module IP in $FWDIR/conf/clients
  2. Licensed IP of the FW module
  3. Main IP (General Tab) of the FireWall Module object in the rulebase editor

You'll need to make sure that the fw putkey was executed properly, and that the corresponding masters IP is off of the same interface and licensed as such. If all of this is in place, and you are not installing over a 32k connection, you should be fine.

The connection between the management console and the firewall module could also be timing out. In this case, the "Resource Temporarily Unavailable" message may be a red herring. Look at the output of an 'fw stat' on the remote firewall. You may be surprised to find the security policy did load. Whether it worked or not, follow the steps discussed in the following FAQ: Operation would block.

If you have multiple firewalls in an HA configuration, they are the "default route" to the Internet, and you define the firewalls with the external IP as you should, the primary firewall will succeed, the secondary will fail. To resolve this, explicit static routes are necessary. For example, if you have two firewalls and a management console as so (192.168.0.x are external for this example):

mgmt: 10.0.0.162
firewall-a: 10.0.0.1/192.168.0.1
firewall-b: 10.0.0.2/192.168.0.2 

Two explicit routes should be added to your management console (the following is Solaris, modify syntax as appropriate for your platform). This will ensure packets destined for the firewall's external IP go to the specific firewall:

route add 192.168.0.1 10.0.0.1
route add 192.168.0.2 10.0.0.2

If there's an intermediary router between the management console and firewall, these static routes go on the interior router(s) closest to the firewalls instead of the management console.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.