PDA

View Full Version : R60 VSX rebuild



sisu-up
2007-06-11, 22:02
Has anyone recovered a vsx gateway successfully? I am building a lab to understand and document the process and wonder if anyone has notes or tips on doing so.

Thanks.

mohankumar
2007-06-14, 04:55
Hi we need a help from you.

Do you have vsx ngx secureplatform cd with you


Has anyone recovered a vsx gateway successfully? I am building a lab to understand and document the process and wonder if anyone has notes or tips on doing so.

Thanks.

sisu-up
2007-06-14, 11:25
I do have the ngx vsx cd.

kva.kva
2007-06-15, 06:04
VSX NGX has vsx_util command for recovery inoperable gateways:
1. Reinstall the gateway.
2. Perform local configuration: IP addresses, network mask, default gateway.
3. Verify that the interfaces have the same IP addresses as before.
4. Perform SIC with the SmartCenter server.
5. From a command line interface on the SmartCenter server, run “vsx_util reconfigure” to restore.

Also you can use backup/restore commands.

sisu-up
2008-03-09, 19:21
After the longest time, I finally had the time to test. Yes it was very easy, once I installed the lic on the new build before running the util. If you fail to install a valid lic this process will fail.

atare01
2008-04-21, 21:03
Hi Sisu-up

Any chance you could let us know how you did the backup? Was it via vsx_util command or regular backup commands?

Many Thanks

sisu-up
2008-05-29, 08:29
Actually rebuild the vsx gateway is very easy. You can use backup to collect your gw files, I don't use the restore.

You re-install the software on the gw, get the DMI interface up and running, set sic, and install the lic. Important to install a valid lic. I had failures in the lab using the 15 day lic.

Once the gw can ping the management server your ready to run the vsx_util reconfigure command. This will rebuild all the vsx gateway. If you use a router as I do you'll need the gated config installed and re-enable the router. You need to point this to your smartcenter or cma that manages the vsx gw.

This is pretty easy once you do it a couple of times. I have documented the process, send me a private note and I can sent it to you.

sisu-up
2009-08-28, 13:09
I had a few people ask about this. Here is a cheap and dirty process for rebuilding a VSX gateway or cluster member from CD. If you find any flaws in this, let me know. This works for R60 and R65 versions.

VSX Reconfiguration Utility

This is one method to recover from a broken cluster member or gateway. I have done this many times in the lab and in production without issue. This document is for Secure Platform but Iím sure it will work on other products.
If you have a recent backup file using CPbackup you can extract most files needed to restore a cluster member or reconfigure these via the CLI. If you didnít backup and you do use gated, you have lost your routing configurations. When configuring the interface, it is the DMI ip address you use.
------------------------------------------
Here are the files I used for rebuilding the gateway/member.
Kernel Changes you made.
opt/CPfw1-V30/modules/fwkern.conf
NTP Conf
/etc/sysconfig/ntp
DNS Conf
/etc/resolve.conf
SNMP Conf
/etc/snmp/snmpd.users.conf
GATED Conf
/etc/gated$.ami (you will have one conf file per VR)
Check Point License File
(You must have this file installed on new gateway or the reconfigure will fail)
opt/CPshrd-V30/conf/cp.license
------------------------------------------
Process
Rebuild the gateway or cluster member.
Add any HF/HFA you need.
Install the CP license file.
Copy the configuration files or use CLI to reconfigure your features, can be done afterwards.
On the P1 or Smart Center perform a backup, as the reconfigure does make changes to the database.
Run the following command on the P1 or Smart Center. You will need to know the following; the IP address of the CMA or Smart Center that runs this gateway and then the gateway or cluster member object name you are planning to run this utility on. You will see the dialog shown below when you run the vsx_util reconfigure.
$ vsx_util reconfigure
************************************************** ****************************************
* Note: the operation you are about to perform changes the information in the management *
* database. Back up the database before continuing. *
************************************************** ****************************************
Enter SmartCenter Server/main CMA IP address (Hit 'ENTER' for 'localhost'): 10.1.1.10
Enter Administrator Name: admin
Enter Administrator Password: xxxxxx
Enter VSX gateway/member object name to reconfigure: fw1-primary
Enter Activation Key: xxxxxx
Retype Activation Key: xxxxxx
Certificate revocation started for fw1-primary.
Certificate revocation succeeded for fw1-primary.
Certificate creation succeeded for fw1-primary.
Checking connectivity with fw1-primary ...
Connectivity test for fw1-primary succeeded.
Fetching configuration information from fw1-primary ...
Configuration information from fw1-primary fetched successfully.
Verifying configuration information for fw1-primary ...
Configuration information for fw1-primary successfully verified.
Installing security policy on FW1-Gateway ...

Once this is done reboot the gateway/member and install at least one policy and you should be all set.

northlandboy
2009-08-28, 14:27
Just wondering, but if you've got a backup file, then why not just restore from backup, reboot and be done with it?

Isn't that easier than extracting individual files, and running vsx_util reconfigure? I would have thought vsx_util was for situations where you didn't have a valid backup.

sisu-up
2009-08-31, 07:24
A good point, and one way I have not tried, since I haven't had a need to do a restore (yet) , this method was created for an upgrade from R60 to R65, I left the upgrade portion out but this would certainly apply to a trashed disk on a enforcement module. Thanks for pointing this out.