
SPLAT

#############################################################################################
Splat expert mode tips
CP_ SPLAT_Expert_Mode_Tips_(NGX)_v1.0.pdf
CP_SPLAT_Expert_Mode_Tips_(NGX)_v1.0.pdf (link2)
Advanced-Troubleshooting-Techniques
#############################################################################################
Search / Find
#cd /var/log/
#more boot.log | grep 'only this text'
#more boot.log | grep -v 'without this text'


#find / -type f -size +100000 -ls    find big files (>50MB: -size without a suffix counts 512-byte blocks, so +100000 is about 51 MB)
#find / -name 'name to search for'

#du --max-depth=1 /var/opt | sort -n -r    (sizes in kB; with du -h, sort -n ignores the K/M/G suffix, so 1.5G would sort below 900M; use sort -h -r instead where the coreutils version supports it)

#############################################################################################
Enable user to use SCP on Splat

#chsh -s /bin/bash name_user


or


change shell in /etc/passwd file from /bin/cpshell to /bin/bash



Note: SCP access is controlled by the file /etc/scpusers (the user must be listed there)



Restart ssh # service sshd restart


#############################################################################################
Restart WebUI Splat (web interface)
# webui disable
# webui enable 4434
sk30634: Debugging SecurePlatform Web UI

#############################################################################################


Changing keyboard-layout
Edit the /etc/sysconfig/keyboard file; for a standard US keyboard it should look like this:

KEYBOARDTYPE="pc"
KEYTABLE="us"

Note: If the file doesn't exist it can be created

#############################################################################################
Syntax for Secure Copy (scp)
Copy the file "foobar.txt" from a remote host to the local host
$ scp your_username@remotehost.edu:foobar.txt /some/local/directory
Copy the file "foobar.txt" from the local host to a remote host
$ scp foobar.txt your_username@remotehost.edu:/some/remote/directory
Copy the directory "foo" from the local host to a remote host's directory "bar"
$ scp -r foo your_username@remotehost.edu:/some/remote/directory/bar
Copy the file "foobar.txt" from remote host "rh1.edu" to remote host "rh2.edu"
$ scp your_username@rh1.edu:/some/remote/directory/foobar.txt \
      your_username@rh2.edu:/some/remote/directory/
Copy the files "foo.txt" and "bar.txt" from the local host to your home directory on the remote host
$ scp foo.txt bar.txt your_username@remotehost.edu:~
Copy the file "foobar.txt" from the local host to a remote host using port 2264
$ scp -P 2264 foobar.txt your_username@remotehost.edu:/some/remote/directory
Copy multiple files from the remote host to your current directory on the local host
$ scp your_username@remotehost.edu:/some/remote/directory/\{a,b,c\} .
$ scp your_username@remotehost.edu:~/\{foo.txt,bar.txt\} .
scp Performance
By default scp uses the Triple-DES cipher to encrypt the data being sent. Using the Blowfish
cipher has been shown to increase speed. This can be done by using option -c blowfish in the
command line.

$ scp -c blowfish some_file your_username@remotehost.edu:~
It is often suggested that the -C option for compression should also be used to increase speed.
Compression, however, only increases speed significantly if your connection is very slow;
otherwise it just adds extra load on the CPU. An example of using blowfish and compression:

$ scp -c blowfish -C local_file your_username@remotehost.edu:~

Note: this tip dates from the SSH build shipped with SPLAT. Current OpenSSH releases have removed
blowfish (and no longer default to 3DES); they default to AES, which is hardware-accelerated on
modern CPUs, so on a current client "-c blowfish" is simply refused.
#################################################################################
Recommended configuration of new ClusterXL
Enabling Core Dump
This generates a core dump if a service crashes or stops. A core dump lets us understand why the crash happened.
1. Use the ulimit -c unlimited command to enable the core dump file.
2. Use the um_core enable command to enable the core dump file for processes.
See also sk27392 - Enabling core dump file generation on Linux and SecurePlatform .

Setting timer freeze
If the machine is overloaded during policy installation, the procedure below prevents a failover for 30 seconds:
1. fw ctl set int fwha_freeze_state_machine_timeout 30
See also sk25971 - Failover occurs in the cluster during Security Policy installation .
Disable Advanced routing:
If advanced routing is enabled, the FIB service is part of the cluster health check. When advanced routing is
not used, this activates agents that are not needed:
1. Run cpconfig
2. Select the Disable Advanced routing option

Change default Idle timeout to 60 minutes
This allows longer SSH sessions without timing out quickly.
1. vi /etc/bashrc
2. Change the line
export TMOUT=180
to
export TMOUT=3600

Allow SCP files copy to the Firewall
This allows a remote SCP client to copy files to the gateway.
1. Enter the Expert mode and run: chsh admin
2. Enter the path to the new shell, which will have to be the bash shell: /bin/bash
3. Once you hit 'Enter' the shell will be changed.
4. Confirm the shell change with the command: grep admin /etc/passwd
   The last word in the output should be 'bash' (and not cpshell).

Change Magic MAC number
This allows more than one Check Point cluster to operate on the same VLAN.
On each of the Cluster Member
1. Run cd $FWDIR/boot/modules
2. Create the fwkern.conf file by running vi fwkern.conf
3. Add the required parameters and values as given below (these are the file contents, written
   as name=value; do not prefix them with "#", which would turn them into comments):
fwha_mac_magic=250
fwha_mac_forward_magic=251
4. Save the fwkern.conf
5. Verify the fwkern.conf file is correctly configured by running more fwkern.conf
6. Reboot the Cluster Member
7. Verify that the new MAC magic values are configured correctly:
# fw ctl get int fwha_mac_magic
# fw ctl get int fwha_mac_forward_magic
8. Verify the Cluster Member status by running cphaprob stat
Note: the 250/251 values must be the SAME on both members of a cluster, but DIFFERENT for each cluster sharing the VLAN
Disable the IPSEC/VPN blade
When no VPN is used on the gateway it is recommended to disable the VPN function:
1. Open the SmartDashboard
2. Double click on the Cluster object
3. Clear the "IPSEC/VPN" checkbox
4. Save and install the Security policy

Forward local logs
If the firewall logs locally because it lost communication with the log server, enabling this setting
offloads the local logs back to the CMA/CLM:
1. Open the SmartDashboard
2. Go to Log and masters -> Additional logging view
3. Select "Forward log files to log server"
4. Choose the Primary CMA/CLM for the logs
5. Choose a time object to perform the option once every X
6. Select "Perform Log switch before log forwarding"
7. Save and install the Security policy

Increase messages file capacity
To preserve additional logging and avoid overwriting, the messages files can be resized and the number of
files kept can be increased.

To change the max size and number of backlogs for a file, run the following command:
[Expert@HostName]# log limit <log-index> <max-size> <backlog-copies>

Example for /var/log/messages:
[Expert@HostName]# log limit 0 2000000 10

This will allow /var/log/messages to grow to 2MB before rotating. It will also allow up to 10 instances of this log.
See also sk36798 - /var/log/messages files on SecurePlatform OS are limited to 4 rotated backups with a
maximum size of 65 kB

Stop ntpdate from overfilling /var/log/messages
Every ntp date/time update is recorded in /var/log/messages.
In some cases the log fills up with these messages, which can cause important log entries to be overwritten.
It is possible to disable the log entry written for every ntp update.

1. In Expert mode, open the /usr/sbin/ntpstart script in vi editor and
2. remove the "-s" flag in these two lines:
a. cmd="/usr/sbin/ntpdate -s -f $md5...
b. /usr/sbin/ntpdate -s -b -f $md5...
3. Save the file.
4. Run: ntpstop
5. Run: ntpstart
6. Run: ntpstat (verify that ntp is running) .
See also sk67740 - How to stop 'ntpdate[PID]: adjust time server' logs in /var/log/messages

############
Snmp monitoring Splat/Nokia
http://www.oidview.com
http://www.iana.org/assignments
http://docstore.mik.ua

Warnings

some of the steps in this procedure are taken from sk53161 (not visible)
many details depend on the specific patch/release: test every step
paths provided are from different versions/machines, do not copy and paste blindly

Edit snmpd.users.conf file
[Expert@shpalman]# vi /etc/snmp/snmpd.users.conf
rouser public noauth
rocommunity community_name

#Allow check of partitions infos
#includeAllDisks 10%
disk / 10%
disk /var 10%
disk /boot 10%
disk /opt 10%
disk /sysimg 10%
disk entries should be verified with a df -h command
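Added example, not from the original notes or from Check Point: a small POSIX sh/awk audit of snmpd.users.conf for the weak settings visible in the listing above. "rouser public noauth" defines an SNMPv3 user that needs no authentication, and a "rocommunity" line with no source field lets any host that can reach UDP/161 read the whole tree; net-snmp accepts "rocommunity NAME SOURCE" to restrict the community to the monitoring host, and a write community is not needed for monitoring at all. The sample configuration inside the script is constructed, so it runs offline.

```shell
#!/bin/sh
# Audit an snmpd.users.conf for settings that expose the agent more than
# monitoring requires (added example; the config below is constructed).
#   rouser NAME noauth        -> SNMPv3 user with no authentication
#   rocommunity NAME          -> read community with no source restriction
#   rwcommunity NAME ...      -> write access, never needed for read-only polling
# net-snmp syntax reminder: rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]

SAMPLE_CONF='# comment line, ignored
rouser public noauth
rocommunity name_community
rocommunity name_community 10.1.2.3
rwcommunity private
disk / 10%'

audit_snmpd_conf() {
    # $1: configuration text. Prints one finding per line; exit status is 1
    # when at least one finding exists, 0 when the file is clean.
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "rouser" && $3 == "noauth" {
            print "noauth SNMPv3 user: " $2; n++; next }
        $1 == "rocommunity" && NF < 3 {
            print "unrestricted read community: " $2; n++; next }
        $1 == "rwcommunity" {
            print "write community (not needed for monitoring): " $2; n++; next }
        END { exit n > 0 }'
}

count_findings() {
    # Number of findings for the given configuration text.
    audit_snmpd_conf "$1" | wc -l | tr -d ' '
}

# Stand-alone run: print the findings for the constructed sample.
audit_snmpd_conf "$SAMPLE_CONF"
```

The hardened shape of the file therefore keeps only "rocommunity name_community <monitoring-host>" (plus the disk lines), drops the noauth user, and leaves UDP/161 reachable only from the monitoring host; running the function on such a file prints nothing and exits 0.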



Edit snmp.C file
Warning: skip this step on Nokia/IP appliances.
[Expert@shpalman]# vi $FWDIR/conf/snmp.C
:snmp_community (
:read (community_name)
:write ()
)

Enable the CP snmp extension (or do it via cpconfig)
cp_conf snmp deactivate (requires cpstop)
cp_conf snmp activate

Restart splat snmpd
service snmpd restart
chkconfig snmpd on

Edit rc.local file
[Expert@shpalman]# vi /etc/rc.local
cp_conf snmp deactivate (requires cpstop)
cp_conf snmp activate
service snmpd restart
chkconfig snmpd on

These lines should be added at the end of the file.

Tests

[Expert@shpalman]# snmpwalk -v2c -c community_name localhost 1.3.6.1.4.1.2620 | more
SNMPv2-SMI::enterprises.2620.1.6.1.0 = STRING: "SVN Foundation"
SNMPv2-SMI::enterprises.2620.1.6.2.0 = INTEGER: 6
SNMPv2-SMI::enterprises.2620.1.6.3.0 = INTEGER: 2
SNMPv2-SMI::enterprises.2620.1.6.4.1.0 = STRING: "NGX (R65) HFA_50, Hotfix 650"
SNMPv2-SMI::enterprises.2620.1.6.4.2.0 = INTEGER: 620650036
SNMPv2-SMI::enterprises.2620.1.6.5.1.0 = STRING: "SecurePlatform"
SNMPv2-SMI::enterprises.2620.1.6.5.7.0 = STRING: "NGX R65"
[...]

ps aux | grep snmp
[Expert@shpalman]# ps aux | grep snmp
root 29549 0.0 0.0 11624 4920 ttyp0 S 12:30 0:00 /opt/CPshrd-R65/bin/cpsnmpd -p 260
root 30032 0.0 0.0 8324 4576 ? S 12:38 0:00 /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd -a -c /etc/snmp/snmpd.users.conf 161
root 30037 0.2 0.0 37452 11832 ttyp0 S 12:38 0:00 /usr/sbin/cpsnmpagentx
root 30247 0.0 0.0 1580 468 ttyp0 S 12:41 0:00 grep snmp

version snmp
rpm -qa | grep snmp

[Expert@shpalman]# rpm -qa | grep snmp
net-snmp-5.0.9-2.30.000000042cp
to install a new version:
rpm -Uvh net-*

http://www.cpug.org/forums/snmp/12821-splat-r65-snmptrap-possible.html

snmp for interface

[Expert@]# chkconfig --list

[Expert@]# chkconfig --list | grep snmp
snmpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

[Expert@fw]# chkconfig --level 2345 snmpd on

[Expert@fw]# service snmpd restart


SNMP CUSTOM CONFIG WITH SCRIPT


[Expert@fwtest]# more /etc/snmp/snmpd.users.conf
#############################################################################
#
# This file contains snmp daemon's users definitions
# This file updated automatically by snmp configuration script
# So be very careful when making changes to this file
#
#############################################################################
rouser public noauth
rocommunity name_community

#Allow check of partitions infos
#includeAllDisks 10%
disk / 10%
disk /var 10%
disk /boot 10%
disk /opt 10%
disk /sysimg 10%

exec .1.3.6.1.4.1.2021.74 numRAusers /usr/local/bin/test
(syntax: exec <OID under the 2021 UCD-SNMP private tree> <entry name> <path to script>)

[Expert@fwtest]# more /usr/local/bin/test
#!/bin/sh
# Print the number of entries in the userc_users kernel table (column 4 of the
# localhost row of "fw tab -s"); snmpd reports this line as the exec output.
fw tab -t userc_users -s | grep localhost | awk '{print $4}'

Test

[Expert@fwtest]# snmpwalk -v2c -c name_community localhost .1.3.6.1.4.1.2021.74
UCD-SNMP-MIB::ucdavis.74.1.1 = INTEGER: 1
UCD-SNMP-MIB::ucdavis.74.2.1 = STRING: "numRAusers"
UCD-SNMP-MIB::ucdavis.74.3.1 = STRING: "/usr/local/bin/test"
UCD-SNMP-MIB::ucdavis.74.100.1 = INTEGER: 0
UCD-SNMP-MIB::ucdavis.74.101.1 = STRING: "0"
UCD-SNMP-MIB::ucdavis.74.102.1 = INTEGER: 0

[Expert@fwtest]# snmpwalk -v2c -c name_community localhost .1.3.6.1.4.1.2021.74.101.1
UCD-SNMP-MIB::ucdavis.74.101.1 = STRING: "0"
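Added example, not the original /usr/local/bin/test script: a version of the exec script that always prints an integer, because snmpd reports the script's first output line as ucdavis.74.101, and an empty line (no localhost row) yields an empty string rather than 0. It assumes that "fw tab -t userc_users -s" prints a header followed by rows in HOST NAME ID #VALS #PEAK order, with the live entry count in column 4; the sample output inside is constructed, so it runs offline.

```shell
#!/bin/sh
# Count remote-access users from "fw tab -t userc_users -s" output, printing 0
# when the localhost row is missing so that snmpd always receives an integer.
# ASSUMPTION (added example): the summary output has a header line followed by
# "HOST NAME ID #VALS #PEAK ..." rows; the entry count is column 4.

# Constructed sample of that output (not captured from a real gateway).
SAMPLE_FW_TAB='HOST                  NAME               ID #VALS #PEAK #SLINKS
localhost             userc_users      8178     3    12       0'

count_ra_users() {
    # $1: text in "fw tab -s" format. Prints the #VALS of the localhost row,
    # or 0 if no such row exists (n is unset, so n + 0 evaluates to 0).
    printf '%s\n' "$1" | awk '$1 == "localhost" { n = $4 } END { print n + 0 }'
}

# On the gateway the snmpd exec entry would call:
#   count_ra_users "$(fw tab -t userc_users -s)"
# Stand-alone run on the constructed sample:
count_ra_users "$SAMPLE_FW_TAB"
```

Because snmpd's exec directive runs the script as root with the agent's environment, keep it owned by root, not group/world writable, and free of anything that reads attacker-controlled input.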

SNMP CUSTOM CONFIG WITH FILE
[Expert@fw1]# more /etc/snmp/snmpd.users.conf


#############################################################################
#
# This file contains snmp daemon's users definitions
# This file updated automatically by snmp configuration script
# So be very careful when making changes to this file
#
#############################################################################

rouser public noauth
rocommunity name_community

file /opt/CPsuite-R71/fw1/log/fw.log 10




[Expert@fw2]# snmpwalk -v2c -c name_community localhost .1.3.6.1.4.1.2021.15.1
UCD-SNMP-MIB::fileIndex.1 = INTEGER: 1 (1)
UCD-SNMP-MIB::fileName.1 = STRING: /opt/CPsuite-R71/fw1/log/fw.log (2)
UCD-SNMP-MIB::fileSize.1 = INTEGER: 16060 kB (3)
UCD-SNMP-MIB::fileMax.1 = INTEGER: 10 kB (4)
UCD-SNMP-MIB::fileErrorFlag.1 = INTEGER: true(1) (100)
UCD-SNMP-MIB::fileErrorMsg.1 = STRING: /opt/CPsuite-R71/fw1/log/fw.log: size exceeds 10kb (= 16060kb) (1) (101)
(the number in parentheses at the end of each line is the column's sub-identifier under 1.3.6.1.4.1.2021.15.1)

[Expert@fw1]# snmpwalk -v2c -c name_community localhost 1.3.6.1.4.1.2021.15.1.3
UCD-SNMP-MIB::fileSize.1 = INTEGER: 16060 kB

[Expert@fw1]# snmpwalk -v2c -c name_community localhost 1.3.6.1.4.1.2021.15.1.100
UCD-SNMP-MIB::fileErrorFlag.1 = INTEGER: 0

"fileIndex" "1.3.6.1.4.1.2021.15.1.1"
"fileName" "1.3.6.1.4.1.2021.15.1.2"
"fileSize" "1.3.6.1.4.1.2021.15.1.3"
"fileMax" "1.3.6.1.4.1.2021.15.1.4"
"fileErrorFlag" "1.3.6.1.4.1.2021.15.1.100"
"fileErrorMsg" "1.3.6.1.4.1.2021.15.1.101"
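Added example, not part of the original notes: a poller-side check that parses snmpwalk output of the UCD-SNMP file table and lists the rows whose fileErrorFlag is set, which is what a monitoring job would alert on once the "file" directive above is in place. The snmpwalk text inside is constructed from the listing above plus an invented second row, so the script runs offline.

```shell
#!/bin/sh
# Parse "snmpwalk ... 1.3.6.1.4.1.2021.15.1" output and print
# "NAME SIZE_kB MAX_kB" for every file row whose fileErrorFlag is set.
# Added example; the walk below is constructed (row 2 is invented).

SAMPLE_WALK='UCD-SNMP-MIB::fileIndex.1 = INTEGER: 1
UCD-SNMP-MIB::fileName.1 = STRING: /opt/CPsuite-R71/fw1/log/fw.log
UCD-SNMP-MIB::fileSize.1 = INTEGER: 16060 kB
UCD-SNMP-MIB::fileMax.1 = INTEGER: 10 kB
UCD-SNMP-MIB::fileErrorFlag.1 = INTEGER: true(1)
UCD-SNMP-MIB::fileErrorMsg.1 = STRING: /opt/CPsuite-R71/fw1/log/fw.log: size exceeds 10kb (= 16060kb)
UCD-SNMP-MIB::fileIndex.2 = INTEGER: 2
UCD-SNMP-MIB::fileName.2 = STRING: /var/log/messages
UCD-SNMP-MIB::fileSize.2 = INTEGER: 120 kB
UCD-SNMP-MIB::fileMax.2 = INTEGER: 2000 kB
UCD-SNMP-MIB::fileErrorFlag.2 = INTEGER: false(0)
UCD-SNMP-MIB::fileErrorMsg.2 = STRING: '

files_over_limit() {
    # $1: snmpwalk text. Groups the columns by row index (the suffix after
    # the dot in "fileSize.1") and prints the flagged rows in index order.
    printf '%s\n' "$1" | awk '
        {
            # $1 looks like "UCD-SNMP-MIB::fileSize.1": split on ":" and "."
            split($1, a, /[.:]+/); col = a[2]; idx = a[3]
        }
        col == "fileName"      { name[idx] = $4 }
        col == "fileSize"      { size[idx] = $4 }
        col == "fileMax"       { max[idx]  = $4 }
        # The flag is printed as "true(1)" with the MIB loaded, or "1" without.
        col == "fileErrorFlag" { flag[idx] = ($4 ~ /^true|^1$/) ? 1 : 0 }
        END {
            for (i = 1; i in flag; i++)
                if (flag[i]) printf "%s %s %s\n", name[i], size[i], max[i]
        }'
}

# Stand-alone run on the constructed walk; a poller would feed it
#   files_over_limit "$(snmpwalk -v2c -c name_community GATEWAY 1.3.6.1.4.1.2021.15.1)"
files_over_limit "$SAMPLE_WALK"
```

Polling fileErrorFlag (column 100) alone, as the last snmpwalk above does, is the cheaper check; this version also reports the size and limit so the alert says how far over the file is.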




http://www.oidview.com/mibs/2620/CHECKPOINT-MIB.html

http://doc.elcat.kg/SNMP/oids/UCD-SNMP-MIB.oid

http://www.mibdepot.com/cgi-bin/getmib3.cgi?abc=0&n=UCD-SNMP-MIB&r=f5&f=UCD-SNMP-MIB&t=tree&v=v2&i=0&obj=osf

On PRTG
As of today (20101108) the fastest way to have consistent views on all our MDSs is to clone the whole set of
sensors from a working MDS.
Take into account that:

some sensors refer to OIDs that are part of tables, so they will likely not work and will require a re-discovery.
some sensors are version specific (e.g. the temperature sensor is not available in R65).

To be done
Create a custom library with the chosen sensors.
#############################################################################################


Password User
sk32576: When running the passwd command to change the password, the Expert Mode password is changed


#cpshell (change shell from expert to normal)

file
usr/sbin/passwd user_name


#passwd (changes the expert password when run in the expert shell)
#passwd (changes the expert password when run in the normal shell)


#############################################################################################


/etc/dhcpd.conf


[Expert@fw]# more /etc/dhcpd.conf
# Define Custom Options
option option-150 code 150 = ip-address;
option wpad-curl code 252 = text;
ddns-update-style ad-hoc;
subnet 172.31.40.0 netmask 255.255.254.0
{
range 172.31.41.11 172.31.41.254;
default-lease-time 1200;
max-lease-time 1800;
option routers 172.31.40.1;
option domain-name-servers 172.19.11.31, 172.19.11.32;
option domain-name "dominio.local";
option wpad-curl "http://nameserver.local:80/wpad.dat";
}
subnet 172.31.42.0 netmask 255.255.255.0
{
range 172.31.42.11 172.31.42.254;
default-lease-time 1200;
max-lease-time 1800;
option routers 172.31.42.1;
option domain-name-servers 172.19.11.31, 172.19.11.32;
option domain-name "dominio.local";
option wpad-curl "http://nameserver.local:80/wpad.dat";
}
subnet 172.31.44.0 netmask 255.255.255.0
{
range 172.31.44.11 172.31.44.254;
default-lease-time 1200;
max-lease-time 1800;
option routers 172.31.44.1;
option domain-name-servers 172.19.11.31, 172.19.11.32;
option domain-name "dominio.local";
option option-150 172.19.64.4;
next-server 172.19.64.4;
}
subnet 172.31.46.0 netmask 255.255.255.0
{
range 172.31.46.11 172.31.46.254;
default-lease-time 1200;
max-lease-time 1800;
option routers 172.31.46.1;
option domain-name-servers 83.242.139.10, 83.242.140.10;
}
#############################################################################################


NTP

ntp <MD5_secret> <interval> <server1> [<server2>[<server3>]]
ntp -n <interval> <server1> [<server2>[<server3>]]


/etc/sysconfig/ntp
#############################################################################################
