Friday, February 8, 2013

SPLAT Tips


#############################################################################################
  •  Splat expert mode tips
############################################################################################# 
  •  Search / Find
#cd /var/log/
#more boot.log | grep 'testo da cercare' 
#more boot.log | grep 'only this text' 
#more boot.log | grep -v  'without this text'  


#find / -type f -size +100000 -ls
(find big files, >50MB: -size without a unit suffix counts 512-byte blocks)
#find / -name 'testo da cercare'

#############################################################################################
  •  Enable user to use SCP on Splat

#chsh -s /bin/bash name_user


or


change shell in /etc/passwd file from /bin/cpshell to /bin/bash



Note: SCP is controlled by file /etc/scpusers



Restart ssh:
# service sshd restart



#############################################################################################
  •  Restart WebUI Splat (web interface)
# webui disable
# webui enable 4434

#############################################################################################

  •  Changing keyboard-layout
Edit the /etc/sysconfig/keyboard file; for a standard US keyboard it should look like this:

KEYBOARDTYPE="pc"
KEYTABLE="us"

Note: if the file doesn't exist, it can be created.


#############################################################################################
  • Syntax for Secure Copy (scp)

Copy the file "foobar.txt" from a remote host to the local host

Copy the file "foobar.txt" from the local host to a remote host

Copy the directory "foo" from the local host to a remote host's directory "bar"

Copy the file "foobar.txt" from remote host "rh1.edu" to remote host "rh2.edu"

Copying the files "foo.txt" and "bar.txt" from the local host to your home directory on the remote host

Copy the file "foobar.txt" from the local host to a remote host using port 2264

Copy multiple files from the remote host to your current directory on the local host

scp Performance

By default scp uses the Triple-DES cipher to encrypt the data being sent. Using the Blowfish cipher has been shown to increase speed. This can be done by using option -c blowfish in the command line.
It is often suggested that the -C option for compression should also be used to increase speed. The effect of compression, however, will only significantly increase speed if your connection is very slow. Otherwise it may just be adding extra burden to the CPU. An example of using blowfish and compression:
#################################################################################
  • Recommended configuration of new ClusterXL

Enabling Core Dump

This generates a core dump if a service crashes or stops. The core dump allows us to understand why the crash happened.
  1. Use the ulimit -c unlimited command to enable the core dump file.
  2. Use the um_core enable command to enable the core dump file for processes.

Setting timer freeze

If the machine is overloaded during policy installation, the following setting prevents a failover for 30 seconds:
  1. fw ctl set int fwha_freeze_state_machine_timeout 30

Disable Advanced routing

If advanced routing is enabled, the FIB service is part of the cluster health check. When advanced routing is not used, leaving it enabled only activates agents that are not needed:
  1. Run cpconfig
  2. Select the Disable Advanced routing option

Change default Idle timeout to 60 minutes

Changing this allows longer SSH sessions without timing out quickly:
  1. vi /etc/bashrc
  2. Change the line
    export TMOUT=180 
    to
    export TMOUT=3600

Allow SCP files copy to the Firewall

Changing this allows files to be copied to the gateway with SCP from a remote SCP client:
  1. Enter the Expert mode and run: chsh admin
  2. Enter the path to the new shell, which will have to be the bash shell: /bin/bash
  3. Once you hit 'Enter' the shell will be changed.
    Confirm the shell change with command: grep admin /etc/passwd
  4. The last word in the output should be 'bash' (and not cpshell).

Change Magic MAC number

This allows more than one Check Point cluster to operate on the same VLAN.
On each Cluster Member:
  1. Run cd $FWDIR/boot/modules
  2. Create the fwkern.conf file by running vi fwkern.conf
  3. Add the required parameters and values as given below:
    fwha_mac_magic=250
    fwha_mac_forward_magic=251
  4. Save the fwkern.conf
  5. Verify the fwkern.conf file is correctly configured by running more fwkern.conf
  6. Reboot the Cluster Member
  7. Verify that the new magic MAC values are configured correctly:
    # fw ctl get int fwha_mac_magic
    # fw ctl get int fwha_mac_forward_magic
  8. Verify the Cluster Member status by running cphaprob stat
Note: the 250/251 values must be the SAME on both cluster members, but DIFFERENT for each cluster.

Disable the IPSEC/VPN blade

When no VPN is used on the gateway, it is recommended to disable the VPN function:
  1. Open the SmartDashboard
  2. Double click on the Cluster object
  3. Clear the "IPSEC/VPN" checkbox
  4. Save and install the Security policy

Forward local logs

When the firewall logs locally because of a loss of communication, activating this function offloads the local logs back to the CMA/CLM:
  1. Open the SmartDashboard
  2. Go to Log and masters -> Additional logging view
  3. Select "Forward log files to log server"
  4. Choose the Primary CMA/CLM for the logs
  5. Choose a time object to perform the option once every X
  6. Select "Perform Log switch before log forwarding"
  7. Save and install the Security policy

Increase messages file capacity

To preserve additional logging and avoid overwriting, the messages files can be resized and the number of saved files increased.

To change the max size and number of backlogs for a file, run the following command:
[Expert@hostname]# log limit <log-index> <max-size> <backlog-copies>

Example for /var/log/messages:
[Expert@hostname]# log limit 0 2000000 10

This will allow /var/log/messages to grow to 2MB before rotating. It will also allow up to 10 instances of this log.

Stop ntpdate from overfilling /var/log/messages

Every ntp date/time update is recorded in /var/log/messages.
In some cases the log gets filled with these messages, which can cause important log entries to be overwritten.
It is possible to disable the log entry written for every ntp update.

1. In Expert mode, open the /usr/sbin/ntpstart script in the vi editor.
2. Remove the "-s" flag in these two lines:
a. cmd="/usr/sbin/ntpdate -s -f $md5...
b. /usr/sbin/ntpdate -s -b -f $md5...
3. Save the file.
4. Run: ntpstop
5. Run: ntpstart
6. Run: ntpstat (verify that ntp is running).
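Added example (not from the original post): a small POSIX shell audit of three of the recommendations above, the idle timeout in /etc/bashrc, the magic MAC values in fwkern.conf and the admin shell needed for SCP, run here against constructed copies of those files; the function names are hypothetical and treating lines starting with '#' in fwkern.conf as comments is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): offline check of three of the
# ClusterXL recommendations above (idle timeout, magic MAC, admin shell for scp).
# The functions read the same files the tips edit, given as arguments, so they
# can be run against copies; function names are hypothetical.

# tmout_value FILE -> last "export TMOUT=<n>" in FILE, or "unset"
tmout_value() {
    v=$(sed -n 's/^[[:space:]]*export[[:space:]]*TMOUT=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo "unset"; fi
}

# kern_param FILE NAME -> value of "NAME=<n>" in fwkern.conf; a line starting
# with '#' is treated as a comment (assumption) and so is not matched
kern_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}

# user_shell PASSWD_FILE USER -> login shell of USER
user_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# audit BASHRC FWKERN PASSWD -> one OK/WARN line per check; returns 1 on any WARN
audit() {
    rc=0
    t=$(tmout_value "$1")
    if [ "$t" = "3600" ]; then echo "OK   TMOUT=$t"
    else echo "WARN TMOUT=$t (expected 3600)"; rc=1; fi
    m=$(kern_param "$2" fwha_mac_magic)
    f=$(kern_param "$2" fwha_mac_forward_magic)
    if [ -n "$m" ] && [ -n "$f" ] && [ "$m" != "$f" ]; then
        echo "OK   fwha_mac_magic=$m fwha_mac_forward_magic=$f"
    else echo "WARN magic MAC values missing or equal: '$m' '$f'"; rc=1; fi
    s=$(user_shell "$3" admin)
    if [ "$s" = "/bin/bash" ]; then echo "OK   admin shell $s (scp possible)"
    else echo "WARN admin shell '$s' (scp needs /bin/bash)"; rc=1; fi
    return $rc
}

# Constructed sample files standing in for /etc/bashrc, fwkern.conf, /etc/passwd;
# the fwha_mac_magic line is commented out, so the audit must flag it
d=$(mktemp -d)
printf 'export TMOUT=180\n' > "$d/bashrc"
printf '# fwha_mac_magic=250\nfwha_mac_forward_magic=251\n' > "$d/fwkern.conf"
printf 'root:x:0:0:root:/root:/bin/bash\nadmin:x:0:0::/home/admin:/bin/cpshell\n' > "$d/passwd"
audit "$d/bashrc" "$d/fwkern.conf" "$d/passwd" || echo "some checks failed"
```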


############

  • Snmp monitoring Splat/Nokia/Mds
http://www.oidview.com
http://www.iana.org/assignments
http://docstore.mik.ua

Warnings
  • some of the steps in this procedure are taken from sk53161 (not visible)
  • a lot of things seem related to the specific patch/release: test every step
  • paths provided are from different versions/machines, do not copy and paste blindly

Edit snmpd.users.conf file

[Expert@hostname]# vi /etc/snmp/snmpd.users.conf
rouser public noauth
rocommunity community_name

#Allow check of partitions infos
#includeAllDisks 10%
disk / 10%
disk /var 10%
disk /boot 10%
disk /opt 10%
disk /sysimg 10%
The disk entries should be verified against the output of df -h.

Copy snmp.C file from CMA level to MDS level

mdsenv ^CMA^
cd $FWDIR/conf
cp snmp.C /opt/CPmds-R70/conf
mdsenv

Edit snmp.C file

Warning: skip this step on Nokia/IP appliances.

[Expert@hostname]# vi $FWDIR/conf/snmp.C
:snmp_community (
 :read (community_name)
 :write ()
)

Enable CP snmp extension

cp_conf snmp deactivate
cp_conf snmp activate

Restart splat snmpd

service snmpd restart
chkconfig snmpd on

Edit rc.local file

[Expert@hostname]# vi /etc/rc.local
cp_conf snmp deactivate
cp_conf snmp activate
service snmpd restart
chkconfig snmpd on

These lines should be added at the end of the file.

Tests


snmpwalk -v2c -c NGifimon localhost 1.3.6.1.4.1.2620

[Expert@hostname]# snmpwalk -v2c -c community_name localhost 1.3.6.1.4.1.2620 | more
SNMPv2-SMI::enterprises.2620.1.6.1.0 = STRING: "SVN Foundation"
SNMPv2-SMI::enterprises.2620.1.6.2.0 = INTEGER: 6
SNMPv2-SMI::enterprises.2620.1.6.3.0 = INTEGER: 2
SNMPv2-SMI::enterprises.2620.1.6.4.1.0 = STRING: "NGX (R65) HFA_50, Hotfix 650"
SNMPv2-SMI::enterprises.2620.1.6.4.2.0 = INTEGER: 620650036
SNMPv2-SMI::enterprises.2620.1.6.5.1.0 = STRING: "SecurePlatform"
SNMPv2-SMI::enterprises.2620.1.6.5.7.0 = STRING: "NGX R65"
[...]

ps aux | grep snmp

[Expert@hostname]# ps aux | grep snmp
root 29549 0.0 0.0 11624 4920 ttyp0 S 12:30 0:00 /opt/CPshrd-R65/bin/cpsnmpd -p 260
root 30032 0.0 0.0 8324 4576 ? S 12:38 0:00 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a -c /etc/snmp/snmpd.users.conf 161
root 30037 0.2 0.0 37452 11832 ttyp0 S 12:38 0:00 /usr/sbin/cpsnmpagentx
root 30247 0.0 0.0 1580 468 ttyp0 S 12:41 0:00 grep snmp
 

version snmp

rpm -qa | grep snmp 
 
[Expert@hostname]# rpm -qa | grep snmp
net-snmp-5.0.9-2.30.000000042cp

To install a new version:
rpm -Uvh net-*
 
http://www.cpug.org/forums/snmp/12821-splat-r65-snmptrap-possible.html
 
Enable snmpd at boot (chkconfig runlevels)

[Expert@hostname]# chkconfig --list

[Expert@hostname]# chkconfig --list | grep snmp
snmpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off

[Expert@hostname]# chkconfig --level 2345 snmpd on

[Expert@hostname]# service snmpd restart


SNMP CUSTOM CONFIG WITH SCRIPT


[Expert@hostname]# more /etc/snmp/snmpd.users.conf
#############################################################################
#
# This file contains snmp daemon's users definitions
# This file updated automatically by snmp configuration script
# So be very careful when making changes to this file
#
#############################################################################
rouser public noauth
rocommunity name_community

#Allow check of partitions infos
#includeAllDisks 10%
disk / 10%
disk /var 10%
disk /boot 10%
disk /opt 10%
disk /sysimg 10%

exec .1.3.6.1.4.1.2021.74 numRAusers /usr/local/bin/test
# exec <OID under the 2021 UCD private subtree> <name of the entry> <path of the script>

[Expert@hostname]# more /usr/local/bin/test
#!/bin/sh
# print the #VALS column (number of entries) of the userc_users table summary
fw tab -t userc_users -s | grep localhost | awk '{ print $4 }'

Test:

[Expert@hostname]# snmpwalk -v2c -c name_community localhost .1.3.6.1.4.1.2021.74
UCD-SNMP-MIB::ucdavis.74.1.1 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.74.2.1 = STRING: "numRAusers"
UCD-SNMP-MIB::ucdavis.74.3.1 = STRING: "/usr/local/bin/test"
UCD-SNMP-MIB::ucdavis.74.100.1 = INTEGER: 0
UCD-SNMP-MIB::ucdavis.74.101.1 = STRING: "0"
UCD-SNMP-MIB::ucdavis.74.102.1 = INTEGER: 0

[Expert@hostname]# snmpwalk -v2c -c name_community localhost .1.3.6.1.4.1.2021.74.101.1
UCD-SNMP-MIB::ucdavis.74.101.1 = STRING: "0"
  
SNMP CUSTOM CONFIG WITH FILE

[Expert@hostname]# more /etc/snmp/snmpd.users.conf


#############################################################################
#
# This file contains snmp daemon's users definitions
# This file updated automatically by snmp configuration script
# So be very careful when making changes to this file
#
#############################################################################

rouser public noauth
rocommunity name_community

# file <path> <max size in kB>; fileErrorFlag is set when the file is larger than that
file /opt/CPsuite-R71/fw1/log/fw.log 10

[Expert@hostname]# snmpwalk -v2c -c name_community localhost .1.3.6.1.4.1.2021.15.1
UCD-SNMP-MIB::fileIndex.1 = INTEGER: 1 (1)
UCD-SNMP-MIB::fileName.1 = STRING: /opt/CPsuite-R71/fw1/log/fw.log (2)
UCD-SNMP-MIB::fileSize.1 = INTEGER: 16060 kB (3)
UCD-SNMP-MIB::fileMax.1 = INTEGER: 10 kB (4)
UCD-SNMP-MIB::fileErrorFlag.1 = INTEGER: true(1) (100)
UCD-SNMP-MIB::fileErrorMsg.1 = STRING: /opt/CPsuite-R71/fw1/log/fw.log: size exceeds 10kb (= 16060kb) (1) (101)

[Expert@hostname]# snmpwalk -v2c -c name_community localhost 1.3.6.1.4.1.2021.15.1.3
UCD-SNMP-MIB::fileSize.1 = INTEGER: 16060 kB

[Expert@hostname]# snmpwalk -v2c -c name_community localhost 1.3.6.1.4.1.2021.15.1.100
UCD-SNMP-MIB::fileErrorFlag.1 = INTEGER: 0
 


The numbers in parentheses in the walk above are the column OIDs of the file table:

fileIndex      1.3.6.1.4.1.2021.15.1.1
fileName       1.3.6.1.4.1.2021.15.1.2
fileSize       1.3.6.1.4.1.2021.15.1.3
fileMax        1.3.6.1.4.1.2021.15.1.4
fileErrorFlag  1.3.6.1.4.1.2021.15.1.100
fileErrorMsg   1.3.6.1.4.1.2021.15.1.101
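Added example (not from the original post): a POSIX shell function that turns the snmpwalk output of the file table above into one ALERT/OK line per monitored file, so a cron job or poller can act on fileErrorFlag instead of reading the walk by eye; the function name is hypothetical and the sample input is constructed from the walk shown.

```shell
#!/bin/sh
# Added example (not from the original post): turns the snmpwalk output of the
# UCD-SNMP file table (1.3.6.1.4.1.2021.15) into one ALERT/OK line per monitored
# file, so a cron job or poller can act on fileErrorFlag. Function name is
# hypothetical; the sample input is constructed from the walk shown above.

# file_alerts < walk-output -> "ALERT|OK <name> size=<kB> max=<kB>" per file
# index; exit status 1 if any file has its error flag set
file_alerts() {
    awk '
        # e.g. "UCD-SNMP-MIB::fileSize.1 = INTEGER: 16060 kB"
        match($0, /^UCD-SNMP-MIB::file[A-Za-z]+\.[0-9]+ = /) {
            col = substr($0, 1, RLENGTH - 3)        # UCD-SNMP-MIB::fileSize.1
            sub(/^UCD-SNMP-MIB::file/, "", col)     # Size.1
            split(col, p, ".")                      # p[1]=column  p[2]=index
            val = substr($0, RLENGTH + 1)           # INTEGER: 16060 kB
            sub(/^[A-Za-z0-9-]+: /, "", val)        # strip the type tag
            sub(/ kB$/, "", val)
            v[p[2], p[1]] = val
            if (!(p[2] in seen)) { seen[p[2]] = 1; order[++n] = p[2] }
        }
        END {
            rc = 0
            for (k = 1; k <= n; k++) {
                i = order[k]
                bad = (v[i, "ErrorFlag"] ~ /^(1|true\(1\))$/)
                printf "%s %s size=%s max=%s\n", (bad ? "ALERT" : "OK"),
                       v[i, "Name"], v[i, "Size"], v[i, "Max"]
                if (bad) rc = 1
            }
            exit rc
        }'
}

# Constructed sample: the entry from the walk above plus a second, healthy file
sample_walk='UCD-SNMP-MIB::fileIndex.1 = INTEGER: 1
UCD-SNMP-MIB::fileName.1 = STRING: /opt/CPsuite-R71/fw1/log/fw.log
UCD-SNMP-MIB::fileSize.1 = INTEGER: 16060 kB
UCD-SNMP-MIB::fileMax.1 = INTEGER: 10 kB
UCD-SNMP-MIB::fileErrorFlag.1 = INTEGER: true(1)
UCD-SNMP-MIB::fileErrorMsg.1 = STRING: /opt/CPsuite-R71/fw1/log/fw.log: size exceeds 10kb (= 16060kb)
UCD-SNMP-MIB::fileIndex.2 = INTEGER: 2
UCD-SNMP-MIB::fileName.2 = STRING: /var/log/messages
UCD-SNMP-MIB::fileSize.2 = INTEGER: 1200 kB
UCD-SNMP-MIB::fileMax.2 = INTEGER: 2000 kB
UCD-SNMP-MIB::fileErrorFlag.2 = INTEGER: 0'

printf '%s\n' "$sample_walk" | file_alerts || echo "(at least one file exceeds its maximum)"
```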




http://www.oidview.com/mibs/2620/CHECKPOINT-MIB.html

http://doc.elcat.kg/SNMP/oids/UCD-SNMP-MIB.oid 

http://www.mibdepot.com/cgi-bin/getmib3.cgi?abc=0&n=UCD-SNMP-MIB&r=f5&f=UCD-SNMP-MIB&t=tree&v=v2&i=0&obj=osf

On PRTG

As of today (20101108) the fastest way to have consistent views on all our MDSs is to clone the whole set of sensors from a working MDS.
Take into account that:
  • some sensors refer to OIDs that are part of tables, so they will likely not work and will require a re-discovery.
  • some sensors are version specific (i.e.: the temperature sensor is not available in R65).

To be done

Create a custom library with the chosen sensors.
############################################################################################# 

  • Password User
sk32576: when running the passwd command to change the password, the Expert Mode password is changed.

#cpshell (change shell from expert to normal)

/usr/sbin/passwd nome_utente (change the password of user nome_utente)

#passwd (change password expert in expert shell)
#passwd (change password expert in normal shell)


#############################################################################################

  •  /etc/dhcpd.conf

[Expert@hostname]# more /etc/dhcpd.conf
# Define Custom Options
option option-150 code 150 = ip-address;
option wpad-curl        code 252 = text;
ddns-update-style ad-hoc;
subnet 172.31.40.0 netmask 255.255.254.0
{
 range 172.31.41.11 172.31.41.254;
 default-lease-time 1200;
 max-lease-time 1800;
 option routers 172.31.40.1;
 option domain-name-servers 172.19.11.31, 172.19.11.32;
 option domain-name "dominio.local";
 option wpad-curl "http://nameserver.local:80/wpad.dat";
}
subnet 172.31.42.0 netmask 255.255.255.0
{
 range 172.31.42.11 172.31.42.254;
 default-lease-time 1200;
 max-lease-time 1800;
 option routers 172.31.42.1;
 option domain-name-servers 172.19.11.31, 172.19.11.32;
 option domain-name "dominio.local";
 option wpad-curl "http://nameserver.local:80/wpad.dat";
}
subnet 172.31.44.0 netmask 255.255.255.0
{
 range 172.31.44.11 172.31.44.254;
 default-lease-time 1200;
 max-lease-time 1800;
 option routers 172.31.44.1;
 option domain-name-servers 172.19.11.31, 172.19.11.32;
 option domain-name "dominio.local";
 option option-150 172.19.64.4;
 next-server 172.19.64.4;
}
subnet 172.31.46.0 netmask 255.255.255.0
{
 range 172.31.46.11 172.31.46.254;
 default-lease-time 1200;
 max-lease-time 1800;
 option routers 172.31.46.1;
 option domain-name-servers 83.242.139.10, 83.242.140.10;
}
#############################################################################################

  •  NTP

ntp <MD5_secret> <interval> <server1> [<server2>[<server3>]]
ntp -n <interval> <server1> [<server2>[<server3>]]

Settings file: /etc/sysconfig/ntp
