SPLAT Tips

SPLAT

#############################################################################################

•  Splat expert mode tips

CP_ SPLAT_Expert_Mode_Tips_(NGX)_v1.0.pdf

CP_SPLAT_Expert_Mode_Tips_(NGX)_v1.0.pdf (link2)

Advanced-Troubleshooting-Techniques

############################################################################################# 

•  Search / Find

#cd /var/log/

#more boot.log | grep 'testo da cercare' 

#more boot.log | grep 'only this text' 

#more boot.log | grep -v  'without this text'  

#find / -type f -size +100000 -ls     find big files (>50MB)

#find / -name 'testo da cercare'

#############################################################################################

•  Enable user to use SCP on Splat

#chsh name_user -s /bin/bash


or


change shell in /etc/passwd file from /bin/cpshell to /bin/bash



Note: SCP is controlled by file /etc/scpusers



Restart ssh # service sshd restart

#############################################################################################

•  Restart WebUI Splat (web interface)

# webui disable

# webui enable 4434

sk30634: Debugging SecurePlatform Web UI

#############################################################################################

•  Changing keyboard-layout

edit the /etc/sysconfig/keyboard file, for standard US keyboard, it should look like this:

KEYBOARDTYPE="pc"
KEYTABLE="us"

Note: If the file doesn't exist it can be created

#############################################################################################

• Syntax for Secure Copy (scp)

Copy the file "foobar.txt" from a remote host to the local host

$ scp [email protected]:foobar.txt /some/local/directory

Copy the file "foobar.txt" from the local host to a remote host

$ scp foobar.txt [email protected]:/some/remote/directory

Copy the directory "foo" from the local host to a remote host's directory "bar"

$ scp -r foo [email protected]:/some/remote/directory/bar

Copy the file "foobar.txt" from remote host "rh1.edu" to remote host "rh2.edu"

$ scp [email protected]:/some/remote/directory/foobar.txt \ [email protected]:/some/remote/directory/

Copying the files "foo.txt" and "bar.txt" from the local host to your home directory on the remote host

$ scp foo.txt bar.txt [email protected]:~

Copy the file "foobar.txt" from the local host to a remote host using port 2264

$ scp -P 2264 foobar.txt [email protected]:/some/remote/directory

Copy multiple files from the remote host to your current directory on the local host

$ scp [email protected]:/some/remote/directory/\{a,b,c\} .

$ scp [email protected]:~/\{foo.txt,bar.txt\} .

scp Performance

By default scp uses the Triple-DES cipher to encrypt the data being sent. Using the Blowfish cipher has been shown to increase speed. This can be done by using option -c blowfish in the command line.

$ scp -c blowfish some_file [email protected]:~

It is often suggested that the -C option for compression should also be used to increase speed. The effect of compression, however, will only significantly increase speed if your connection is very slow. Otherwise it may just be adding extra burden to the CPU. An example of using blowfish and compression:

$ scp -c blowfish -C local_file [email protected]:~

#################################################################################

Recommended configuration of new ClusterXL Enabling Core Dump This will generate a core dump if a service crash or stop. Core dump allows us to understand why a crash happened. Use the ulimit -c unlimited command to enable the core dump file. Use the um_core enable command to enable the core dump file for processes. See also sk27392 - Enabling core dump file generation on Linux and SecurePlatform. Setting timer freeze If the machine is overloaded during  policy installation, the below procedure will prevent failover for 30 seconds fw ctl set int fwha_freeze_state_machine_timeout 30 See also sk25971 - Failover occurs in the cluster during Security Policy installation. Disable Advanced routing: If advanced routing is enabled, the FIB service is part of the cluster health check. When no advanced routing is used, we are activating agents that are not needed: Run cpconfig Select the Disable Advanced routing option Change default Idle timeout to 60 minutes Changing this function allows to have a longer sessions via SSH without timing out fast. vi /etc/bashrc Change the line export TMOUT=180  to export TMOUT=3600 Allow SCP files copy to the Firewall Changing this function allows to use SCP to copy files to the gateway from a remote SCP client Enter the Expert mode and run: chsh admin Enter the path to the new shell, which will have to be the bash shell: /bin/bash Once you hit 'Enter' the shell will be changed. Confirm the shell change with command: grep admin /etc/passwd The last word in the output should be 'bash' (and not cpshell). Change Magic MAC number This will allow more then one checkpoint cluster to operate on the same VLAN On each of the Cluster Member Run cd $FWDIR/boot/modules Create the fwkern.conf file by running vi fwkern.conf Add the required parameters and values as given below: # fwha_mac_magic = 250 # fwha_mac_forward_magic = 251 Save the fwkern.conf Verify the fwkern.conf file is correctly configured by running more fwkern.conf Reboot the Cluster Member Verify the new mac magic setups correctly configured by: # fw ctl get int fwha_mac_magic # fw ctl get int fwha_mac_forward_magic Verify the Cluster Member status by running cphaprob stat Note: the 250/251 should be the SAME on both cluster members, but should be DIFFERENT for each different clusters  Disable the IPSEC/VPN blade When no VPN is used on the gateway it is recommended to disable the VPN function Open the SmartDashboard Double click on the Cluster object Clear the "IPSEC/VPN" checkbox Save and install the Security policy Forward local logs When and if firewall logs locally due to loss of communication, activating this function will offload the local logs back to the CMA/CLM Open the SmartDashboard Go to Log and masters -> Additional logging view Select "Forward log files to log server" Choose the Primary CMA/CLM for the logs Choose a time object to perform the option once every X Select "Perform Log switch before log forwarding" Save and install the Security policy Increase messages file capacity In order to preserve additional logging and avoid overwriting the messages files can be resized and the number of files being saved can be increased. To change the max size and number of backlogs for a file, run the following command: [Expert@HostName]# log limit <log-index> <max-size> <backlog-copies> Example for /var/log/messages: [Expert@HostName]# log limit 0 2000000 10 This will allow /var/log/messages to grow to 2MB before rotating. It will also allow up to 10 instances of this log. See also sk36798 - /var/log/messages files on SecurePlatform OS are limited to 4 rotated backups with a maximum size of 65 kB Stop ntpdate from overfilling /var/log/messages Every ntp date/time update will be recorded in the /var/log/messages .  In some cases the log get overfilled with the messages which can cause overwriting of important log entries. It is possible to disable the recording of a log entry for every ntp update .  1. In Expert mode, open the /usr/sbin/ntpstart script in vi editor and 2. remove the "-s" flag in these two lines: a. cmd="/usr/sbin/ntpdate -s -f $md5... b. /usr/sbin/ntpdate -s -b -f $md5... 3. Save the file. 4. Run: ntpstop 5. Run: ntpstart 6. Run: ntpstat (verify that ntp is running) .  See also sk67740 - How to stop 'ntpdate[PID]: adjust time server' logs in /var/log/messages

############

• Snmp monitoring Splat/Nokia/Mds

http://www.oidview.com http://www.iana.org/assignments http://docstore.mik.ua

Warnings

• some of the steps in this procedure are taken from sk53161 (not visible)
• a lot of things seem related to the specific patch/release: test every step
• paths provided are from different versions/machines, do not copy and paste blindly

Edit snmpd.users.conf file

[Expert@shpalman]# vi /etc/snmp/snmpd.users.conf

rouser public noauth
rocommunity community_name

#Allow check of partitions infos
#includeAllDisks 10%
disk / 10%
disk /var 10%
disk /boot 10%
disk /opt 10%
disk /sysimg 10%

disk entries should be verified with a df -h command

Copy snmp.C file from CMA level to MDS level

mdsenv ^CMA^
cd $FWDIR/conf
cp snmp.C /opt/CPmds-R70/conf
mdsenv

Edit snmp.C file

Warning: skip this step on Nokia/IP appliances.

[Expert@shpalman]# vi $FWDIR/conf/snmp.C

:snmp_community (
    :read (community_name)
    :write ()
)

Enable CP snmp extension

cp_conf snmp deactivate
cp_conf snmp activate

Restart splat snmpd

service snmpd restart
chkconfig snmpd on

Edit rc.local file

[Expert@shpalman]# vi /etc/rc.local

cp_conf snmp deactivate
cp_conf snmp activate
service snmpd restart
chkconfig snmpd on

These lines should be added at the end of the file.

Tests

snmpwalk -v2c -c NGifimon localhost 1.3.6.1.4.1.2620

[Expert@shpalman]# snmpwalk -v2c -c comunity_name localhost 1.3.6.1.4.1.2620 | more
SNMPv2-SMI::enterprises.2620.1.6.1.0 = STRING: "SVN Foundation"
SNMPv2-SMI::enterprises.2620.1.6.2.0 = INTEGER: 6
SNMPv2-SMI::enterprises.2620.1.6.3.0 = INTEGER: 2
SNMPv2-SMI::enterprises.2620.1.6.4.1.0 = STRING: "NGX (R65) HFA_50, Hotfix 650"
SNMPv2-SMI::enterprises.2620.1.6.4.2.0 = INTEGER: 620650036
SNMPv2-SMI::enterprises.2620.1.6.5.1.0 = STRING: "SecurePlatform"
SNMPv2-SMI::enterprises.2620.1.6.5.7.0 = STRING: "NGX R65"
[...]

ps aux | grep snmp

[Expert@shpalman]# ps aux | grep snmp
root     29549  0.0  0.0 11624 4920 ttyp0    S    12:30   0:00 /opt/CPshrd-R65/bin/cpsnmpd -p 260
root     30032  0.0  0.0  8324 4576 ?        S    12:38   0:00 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a -c /etc/snmp/snmpd.users.conf 161
root     30037  0.2  0.0 37452 11832 ttyp0   S    12:38   0:00 /usr/sbin/cpsnmpagentx
root     30247  0.0  0.0  1580  468 ttyp0    S    12:41   0:00 grep snmp

version snmp

rpm -qa | grep snmp 

[Expert@shpalman]# rpm -qa | grep snmp
net-snmp-5.0.9-2.30.000000042cp

to install new version 

rpm -Uvh net-*

http://www.cpug.org/forums/snmp/12821-splat-r65-snmptrap-possible.html

snmp for interface  

[Expert@]# chkconfig --list

[Expert@]# chkconfig --list | grep snmp

snmpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off

[Expert@fw]# chkconfig --level 2345 snmpd on

[Expert@fw]# service snmpd restart

SNMP CUSTOM CONFIG WITH SCRIPT


[Expert@fwtest]# more /etc/snmp/snmpd.users.conf
#############################################################################
#
# This file contains snmp daemon's users definitions
# This file updated automatically by snmp configuration script
# So be very careful when making changes to this file
#
#############################################################################
rouser public noauth
rocommunity name_community

#Allow check of partitions infos
#includeAllDisks 10%
disk / 10%
disk /var 10%
disk /boot 10%
disk /opt 10%
disk /sysimg 10%

exec .1.3.6.1.4.1.2021.74(2021 PRIVATE SNMP UID) numRAusers(NAMEFUNCTION) /usr/local/bin/test(PATH SCRIPT)

[Expert@fwtest]# more /usr/local/bin/test

#!/bin/sh

fw tab -t userc_users -s | grep localhost | awk '{printf $4"\n"}'

test

[Expert@fwtest]# snmpwalk -v2c -c name_community localhost .1.3.6.1.4.1.2021.74
UCD-SNMP-MIB::ucdavis.74.1.1 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.74.2.1 = STRING: "numRAusers"
UCD-SNMP-MIB::ucdavis.74.3.1 = STRING: "/usr/local/bin/test"
UCD-SNMP-MIB::ucdavis.74.100.1 = INTEGER: 0
UCD-SNMP-MIB::ucdavis.74.101.1 = STRING: "0"
UCD-SNMP-MIB::ucdavis.74.102.1 = INTEGER: 0

[Expert@fwtest]# snmpwalk -v2c -c name_community localhost .1.3.6.1.4.1.2021.74.101.1
UCD-SNMP-MIB::ucdavis.74.101.1 = STRING: "0"
  
SNMP CUSTOM CONFIG WITH FILE
 [Expert@fw1]# more /etc/snmp/snmpd.users.conf


#############################################################################
#
# This file contains snmp daemon's users definitions
# This file updated automatically by snmp configuration script
# So be very careful when making changes to this file
#
#############################################################################

rouser public noauth
rocommunity name_community

file /opt/CPsuite-R71/fw1/log/fw.log 10

[Expert@fw2]# snmpwalk -v2c -c name_community localhost .1.3.6.1.4.1.2021.15.1

UCD-SNMP-MIB::fileIndex.1 = INTEGER: 1 (1)

UCD-SNMP-MIB::fileName.1 = STRING: /opt/CPsuite-R71/fw1/log/fw.log (2)

UCD-SNMP-MIB::fileSize.1 = INTEGER: 16060 kB (3)

UCD-SNMP-MIB::fileMax.1 = INTEGER: 10 kB (4)

UCD-SNMP-MIB::fileErrorFlag.1 = INTEGER: true(1) (100)

UCD-SNMP-MIB::fileErrorMsg.1 = STRING: /opt/CPsuite-R71/fw1/log/fw.log: size exceeds 10kb (= 16060kb) (1) (101)

[Expert@fw1]# snmpwalk -v2c -c name_community localhost 1.3.6.1.4.1.2021.15.1.3
UCD-SNMP-MIB::fileSize.1 = INTEGER: 16060 kB

[Expert@fw1]# snmpwalk -v2c -c name_community localhost 1.3.6.1.4.1.2021.15.1.100
UCD-SNMP-MIB::fileErrorFlag.1 = INTEGER: 0
 

"fileIndex"   "1.3.6.1.4.1.2021.15.1.1"
"fileName"   "1.3.6.1.4.1.2021.15.1.2"
"fileSize"   "1.3.6.1.4.1.2021.15.1.3"
"fileMax"   "1.3.6.1.4.1.2021.15.1.4"
"fileErrorFlag"   "1.3.6.1.4.1.2021.15.1.100"
"fileErrorMsg"   "1.3.6.1.4.1.2021.15.1.101"

 http://www.oidview.com/mibs/2620/CHECKPOINT-MIB.html

http://doc.elcat.kg/SNMP/oids/UCD-SNMP-MIB.oid 

http://www.mibdepot.com/cgi-bin/getmib3.cgi?abc=0&n=UCD-SNMP-MIB&r=f5&f=UCD-SNMP-MIB&t=tree&v=v2&i=0&obj=osf

On PRTG

As today (20101108) the fastest way to have consistent views on all our MDSs is: clone from a working MDS the whole set of sensors.
Take into account that:

• some sensors refer to OIDs that are part of tables so will likely not work and will require a re-discovery.
• some sensors are version specific (i.e.: temperature sensor is not available in R65).

To be done

Create a custom library with choosed sensors.

############################################################################################# 

• Password User 

sk32576: When running the passwd command to change the password, the Expert Mode password is changed  

#cpshell (change shell from expert to normal )

file
usr/sbin/passwd nome_utente


#passwd (change password expert in expert shell )  
#passwd (change password expert in normal  shell )    


############################################################################################# 

•  /etc/dhcpd.conf

[Expert@fw]# more /etc/dhcpd.conf
# Define Custom Options
option option-150 code 150 = ip-address;
option wpad-curl        code 252 = text;
ddns-update-style ad-hoc;
subnet 172.31.40.0 netmask 255.255.254.0
{
 range 172.31.41.11 172.31.41.254;
 default-lease-time 1200;
 max-lease-time 1800;
 option routers 172.31.40.1;
 option domain-name-servers 172.19.11.31, 172.19.11.32;
 option domain-name "dominio.local";
 option wpad-curl "http://nameserver.local:80/wpad.dat";
}
subnet 172.31.42.0 netmask 255.255.255.0
{
 range 172.31.42.11 172.31.42.254;
 default-lease-time 1200;
 max-lease-time 1800;
 option routers 172.31.42.1;
 option domain-name-servers 172.19.11.31, 172.19.11.32;
 option domain-name "dominio.local";
 option wpad-curl "http://nameserver.local:80/wpad.dat";
}
subnet 172.31.44.0 netmask 255.255.255.0
{
 range 172.31.44.11 172.31.44.254;
 default-lease-time 1200;
 max-lease-time 1800;
 option routers 172.31.44.1;
 option domain-name-servers 172.19.11.31, 172.19.11.32;
 option domain-name "dominio.local";
 option option-150 172.19.64.4;
 next-server 172.19.64.4;
}
subnet 172.31.46.0 netmask 255.255.255.0
{
 range 172.31.46.11 172.31.46.254;
 default-lease-time 1200;
 max-lease-time 1800;
 option routers 172.31.46.1;
 option domain-name-servers 83.242.139.10, 83.242.140.10;
}
############################################################################################# 

• NTP 

ntp <MD5_secret> <interval> <server1> [<server2>[<server3>]]
ntp -n <interval> <server1> [<server2>[<server3>]] 


/etc/sysconfig/ntp
##