I have been working on this issue for some time now, and today, after escalating this to someone higher in Check Point TAC, we finally got some resolution to this.  We have a pair of clustered Check Point 5075 appliances, with a distributed management station.  We started out running R75.20.  Everything was fine, until we added URL filtering. So, when we would push policy to the cluster, we would get the following error:

Installation failed:  Reason: Load on Module failed – failed to load Security Policy.”

Now, what changed?  Well, we added URL filtering.  So, when we unchecked URL filtering, we can push policy.  See below where I mean when we “unchecked” URL Filtering.  This is added on the Properties of our clustered Check Points:

urlfiltering
So, after some trials and pain, we finally upgraded to R75.30, to try to fix this issue.  We were told by Check Point that R75.30 fixed a ton of issues.  So, we were pro-active and we did the upgrade.  Well, it didn’t fix the issue, although according to Check Point, we did get a little further into the policy push.  Im glad we did the upgrade, even though it didn’t fix completely the issue.

What we found was that on the “Application and URL Filtering” page, we had “URLs are defined as Regular Expression” checked.  We also had in our URL List *.myspace.com that we put in.  Well, it turns out that the “*” was keeping us from pushing policy.  CP cant determine that the * is not a regular expression, and because of this, it wont allow you to push policy.  * is a wildcard, and not an expression.  When we unchecked this, we can push policy, and we still have URL Filtering capability.  See below the screenshot of where Im talking about in this:

screenshot