CPUG: The Check Point User Group


Thread: Help on understanding why can't do nothing on the fw Virtual systems

  1. #1
    Join Date
    2017-12-07
    Posts
    6
    Rep Power
    0

    Help on understanding why can't do nothing on the fw Virtual systems

    Hi to all, this is my first post. I use CP every day through their multiple GUI apps (SmartConsole etc.) but now I need to go further and use the command line for troubleshooting and more specific configurations.

    This is a resume of our installation. I never had any formal training on the product besides a small workshop, so sorry if I ask some dumb questions or make dumb assumptions.

    |--- VSX R77 Cluster 10.0.0.40
    |      |-- Physical member1 10.0.0.18
    |      |-- Physical member2 10.0.0.19
    |      |
    |      |-- Virtual System Cluster Fwscml01   fw
    |      |-- Virtual System Cluster Fwscml02   fw + vpn
    |      |-- Virtual System Cluster Fwscml03   fw
    |      |-- Virtual System Cluster Fwscml04   fw
    |      |-- Virtual Switch
    |
    |--- fwmgm (Management) 10.0.0.47

    My main objective is command-line debugging of the VPN features on Virtual System 2, but I am having some problems in doing anything useful at all!

    I try to explain with this example:

    ssh user@10.0.0.40

    [Expert@fwcml1:0]#
    [Expert@fwcml1:0]# clish
    fwcml1:0> cpstat fw
    fwcml1:0>
    fwcml1:0> set virtual-system 2
    Context is set to vsid 2
    fwcml1:2>
    fwcml1:2> cpstat fw
    fwcml1:2>
    fwcml1:2> fw tab -t subnet_for_range_and_peer
    fwcml1:2>
    fwcml1:2> exit
    fwcml1:2> exit
    fwcml1:2> exit
    fwcml1:0> exit
    [Expert@fwcml1:0]# fw tab -t subnet_for_range_and_peer
    -bash: fw: command not found
    [Expert@fwcml1:0]# exit
    logout

    ssh user@10.14.255.47

    [Expert@fwmgm:0]# fw tab -t subnet_for_range_and_peer
    Local host is not a FireWall-1 module
    [Expert@fwmgm:0]# fw ver -k
    Local host is not a FireWall-1 module
    This is Check Point's software version R77.30 - Build 503
    [Expert@fwmgm:0]# exit


    The majority of the commands I give on the cluster machines, whether or not I do a context switch to one of the Virtual machines, do NOTHING.
    The commands I run on the management machine are accepted, but do nothing as well, as it is not a firewall module (I think that makes sense).

    So basically, I can't do anything on the blades because all the commands return nothing, null, empty.
    I also can't access the virtual systems directly, only by first entering the blade gateway (via its Virtual IP or via its two real blade IPs) and trying a context switch to one of the virtual fws.

    What am I missing here?.... any clues?
    Luis

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,637
    Rep Power
    9

    Re: Help on understanding why can't do nothing on the fw Virtual systems

    From expert can you run
    echo $SHELL
    export
    source /etc/profile
    export

  3. #3
    Join Date
    2017-12-07
    Posts
    6
    Rep Power
    0

    Re: Help on understanding why can't do nothing on the fw Virtual systems

    That's part of the solution! Thanks! But then I found out that my user didn't have any permissions on OS commands; even trying to source the environment variables returned "permission denied". I then created another user with uid and gid 0 and everything is fine now, and when I enter the machine now the environment is already set as well, great.

    BUT..... now another problem... I cannot enter the second VSX blade anymore. ssh returns permission denied. I enter the 2 blades every day and today I cannot anymore, just on 1 of them. Damn, what happened here now?...

    Is there a way to enter a blade directly from another one? Without using ssh? Or some unconventional or emergency way to access one?

    Luis
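
A check related to the extra uid 0 / gid 0 account mentioned in the post above, as an added example that is not part of the thread: it lists every passwd entry holding UID 0 or GID 0 and marks the ones outside an allow-list for review. The allow-list default (`root admin`) and the sample entries are assumptions constructed for illustration, not data from the poster's systems.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for accounts holding UID 0 or GID 0.
# EXPECTED_ROOT is an assumption: the account names this site expects to hold UID 0.
EXPECTED_ROOT="${EXPECTED_ROOT:-root admin}"

# Print "name:uid:gid:shell:status" for every entry with UID 0 or GID 0.
# status is "expected" for allow-listed names and "review" for anything else.
# $1 is a passwd-format file, or "-" to read standard input.
list_privileged() {
    awk -F: -v allow="$EXPECTED_ROOT" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        NF < 7 { next }                      # skip entries that are not 7 fields
        $3 == 0 || $4 == 0 {
            status = ($1 in ok) ? "expected" : "review"
            printf "%s:%s:%s:%s:%s\n", $1, $3, $4, $7, status
        }' "$1"
}

# Print the number of entries flagged "review".
count_unexpected() {
    list_privileged "$1" | awk -F: '$NF == "review" { c++ } END { print c + 0 }'
}

# Constructed sample in passwd format (hypothetical accounts).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:Admin:/home/admin:/etc/cli.sh
monitor:x:102:100:Monitor:/home/monitor:/etc/cli.sh
opsuser:x:0:0:second admin account:/home/opsuser:/bin/bash
svc_backup:x:1001:0:backup:/home/svc_backup:/sbin/nologin
EOF
}

# Stand-alone run against the constructed sample; on a real host,
# call list_privileged /etc/passwd instead.
sample_passwd | list_privileged -
```

Running the same function against `/etc/passwd` on each cluster member and comparing the output shows whether a UID 0 account exists on one member but not the other.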

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    270
    Rep Power
    12

    Re: Help on understanding why can't do nothing on the fw Virtual systems

    Originally posted by luisneves:
    That's part of the solution! Thanks! But then I found out that my user didn't have any permissions on OS commands; even trying to source the environment variables returned "permission denied". I then created another user with uid and gid 0 and everything is fine now, and when I enter the machine now the environment is already set as well, great.

    BUT..... now another problem... I cannot enter the second VSX blade anymore. ssh returns permission denied. I enter the 2 blades every day and today I cannot anymore, just on 1 of them. Damn, what happened here now?...

    Is there a way to enter a blade directly from another one? Without using ssh? Or some unconventional or emergency way to access one?

    Luis

    Typically, you don't connect to the VSs, you connect to the physical members then set environment to a particular VS. For example, I SSH to my physical box, then 'vsenv 8' to set the environment to VSID 8.

    Most commands take a switch (typically '-v <VSID>', but sometimes '-vs <VSID>') to run in the context of a particular VS.
    Zimmie

  5. #5
    Join Date
    2017-12-07
    Posts
    6
    Rep Power
    0

    Re: Help on understanding why can't do nothing on the fw Virtual systems

    Originally posted by Bob_Zimmerman:
    Typically, you don't connect to the VSs, you connect to the physical members then set environment to a particular VS. For example, I SSH to my physical box, then 'vsenv 8' to set the environment to VSID 8.

    Most commands take a switch (typically '-v <VSID>', but sometimes '-vs <VSID>') to run in the context of a particular VS.

    That's correct, but it is the physical blade (cluster member) that I WAS unable to enter. I used a colleague's account to reset my password, so it's solved.
    Thanks!
