CP R76SP.50 SecuritySystem AdminGuide PDF
30 June 2019

60000/40000 SECURITY SYSTEMS R76SP.50

Administration Guide
Classification: [Protected]
© 2019 Check Point Software Technologies Ltd.


All rights reserved. This product and related documentation are protected by copyright and
distributed under licensing restricting their use, copying, distribution, and decompilation. No part
of this product or related documentation may be reproduced in any form or by any means without
prior written authorization of Check Point. While every precaution has been taken in the
preparation of this book, Check Point assumes no responsibility for errors or omissions. This
publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in
subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS
252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page https://www.checkpoint.com/copyright/ for a list of our trademarks.
Refer to the Third Party copyright notices
https://www.checkpoint.com/about-us/third-party-trademarks-and-copyrights/ for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date
with the latest functional improvements, stability fixes, security enhancements and
protection against new and evolving attacks.

Check Point R76SP.50


For more about this release, see the R76SP.50 home page
http://supportcontent.checkpoint.com/solutions?id=sk115735.

Latest Version of this Document


Open the latest version of this document in a Web browser
https://sc1.checkpoint.com/documents/R76SP.50/CP_R76SP.50_Security_System_AdminGuide/html_frameset.htm.
Download the latest version of this document in PDF format
http://downloads.checkpoint.com/dc/download.htm?ID=54146.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments to
mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on 60000/40000 Security Systems R76SP.50 Administration Guide.

Revision History

Date: 30 June 2019
Updated:
• Packet Drop Monitoring (asg_drop_monitor) (on page 205).

Date: 01 June 2019
Updated:
• Using the Fast Accelerator (on page 304).
• Configuring Alerts for SGM and Chassis Events (on page 164).
Added:
• Configuring Severity for an Event Alert (on page 167).

Date: 19 February 2019
Updated:
• Multiple Security Groups (on page 350).

Date: 18 February 2019
Added:
• Multiple Security Groups (on page 350).
Updated:
• IPS Cluster Failover Management (on page 374).

Date: 08 January 2019
Updated:
• CMM Slot IDs (on page 378).
• Using the Fast Accelerator (on page 304).
• Changing the Management Interface (on page 38).
• Backup and Restore (on page 86).
• Port Mirroring (SPAN Port) (on page 93).
Added:
• ISP Redundancy (on page 42).

Date: 26 August 2018
• Updated the section title from "Destination-Based Routing" to "Route Cache Optimization (on page 66)".
• Updated the command for Layer4 CoreXL (on page 334).
• General formatting updates.

Date: 09 August 2018
Updated:
• Synchronizing SGM Time (on page 83) - removed the reference to the asg_ntp_update_time command, because it is not relevant anymore.

Date: 26 July 2018
Added:
• Backup configuration instructions (on page 86).
• Disabling Port Mirroring instructions for Security Gateway.
• Improved information about the blade-range (on page 92) command.

Date: 28 June 2018
Updated:
• General updates.
Added:
• Unified MAC for Data Ports (on page 348).

Date: 17 June 2018
Updated:
• General updates.
• Services and changed example for Port Forwarding on Management Servers (on page 371).
Added:
• Example for Active/Standby (on page 230).

Date: 29 April 2018
Added:
• Using an Alias IP (on page 17).

Date: 10 April 2018
Updated:
• Known Limitations for MAGG (on page 255).
• Vendor recommendation for Switch configuration (on page 254).

Date: 14 March 2018
Updated:
• Known Limitations for MAGG (on page 255).
• Commands for asymmetric traffic.
Added:
• Commands for Destination Based Routing (on page 67).
• Known Limitation for fastaccel (on page 304).
• Configuring Port Speed (on page 48).
• SNMP Virtual System Mode (on page 226).

Date: 21 January 2018
Added:
• Requirement of a license for SSM440 (on page 48).

Date: 17 January 2018
Updated:
• Supported fanouts (on page 48).

Date: 12 November 2017
Updated:
• SGM information (on page 387).

Date: 25 October 2017
Added:
• Configuring Non-IP Bridge in VSX mode (on page 31).
Updated:
• Configuring IPv6 Static Routes - CLI (set ipv6 static-route) (on page 21)
• Working with Jumbo Frames (on page 323)
• Unique MAC Identifier Utility Options (on page 36)
• Destination-Based Routing (on page 66)
• Setting Blade-Range (on page 92)
• Known Limitations of asg diag Verification Tests (on page 170)
• Working with Management Aggregation (on page 255)

Date: 02 August 2017
Updated:
• Adding/Removing SSMs (on page 384).

Date: 25 June 2017
Updated:
• Validating Chassis ID (on page 390)
• Serial Over LAN Forwarding (on page 82)

Date: 23 April 2017
First release of this document.
Contents
Important Information................................................................................................... 3
Terms .......................................................................................................................... 12
Introduction ................................................................................................................. 16
Syntax Notation ....................................................................................................... 16
Licensing ................................................................................................................. 16
Managing the Network ................................................................................................ 17
Alias IP .................................................................................................................... 17
Adding and Removing an Alias IP in gClish ....................................................................18
Adding and Removing an Alias IP in SmartDashboard ...................................................19
Working with IPv6 ................................................................................................... 20
Enabling/Disabling IPv6 Support (ipv6-state) ................................................................20
Configuring IPv6 Static Routes - CLI (set ipv6 static-route) ...........................................21
Configuring the 6in4 Internet Transition Mechanism.............................................. 25
Working with Bridge Mode ...................................................................................... 27
Working with Chassis High Availability in Bridge Mode .................................................27
MAC tables ....................................................................................................................27
Special Advertisement Packets .....................................................................................28
Active/Active Bridge Mode .............................................................................................28
Working with Link State Propagation...................................................................... 33
Configuring a Unique MAC Identifier ....................................................................... 35
Unique MAC Identifier Utility Options ............................................................................36
Set Host Name With Unique MAC ..................................................................................36
Apply Unique MAC From Current Host Name ................................................................36
Revert to Unique MAC Factory Default ..........................................................................36
Manual Set Unique MAC ................................................................................................36
Configuring VLANs .................................................................................................. 37
Changing the Management Interface ...................................................................... 38
Working with ECMP ................................................................................................. 39
Enhanced Failover of ECMP Static Routes .....................................................................40
ISP Redundancy ...................................................................................................... 42
Working with the ARP Table (asg_arp) ................................................................... 44
Sample Output for Verbose Mode ..................................................................................45
Sample Output for Verifying MAC Addresses .................................................................45
Verifying ARP Entries ....................................................................................................45
Sample Output for Legacy Mode ....................................................................................46
Working with Proxy ARP for Manual NAT ............................................................... 47
Configuring Port Speed ........................................................................................... 48
Configuring SSM Port Speed .........................................................................................48
Management Port Speed Configuration .........................................................................51
Configuring Multicast Routing ................................................................................ 53
Multicast Restrictions....................................................................................................54
Multicast Acceleration ...................................................................................................54
Working with Routing Tables (asg_route)......................................................................55
Managing Scalable Platforms ..................................................................................... 69
Administration ........................................................................................................ 69
Working with Global Commands....................................................................................69
Check Point Global Commands ......................................................................................70
Global Commands Generated by CMM ...........................................................................74
General Global Commands ............................................................................................75
Serial Over LAN (sol) .....................................................................................................82
Synchronizing SGM Time......................................................................................... 83
Configuring SGMs (asg_blade_config) .................................................................... 84
Backup and Restore ................................................................................................ 86
Configuring SGM State (asg sgm_admin)................................................................ 87
Image Management................................................................................................. 89
Global Image Management ............................................................................................89
Image Management for Specified SGMs (g_snapshot) ...................................................91
Setting Blade-Range .....................................................................................................92
Port Mirroring (SPAN Port) ..................................................................................... 93
Configuring Port Mirroring on a Scalable Platform in Gateway Mode............................93
Configuring Port Mirroring on a Scalable Platform in VSX Mode ...................................95
Additional Port Mirroring Configuration Steps ..............................................................97
Security ................................................................................................................... 98
Resetting the Administrator Password ..........................................................................98
Generic Routing Encapsulation - GRE (asg_gre)............................................................98
Role Based Administration (RBA) ................................................................................101
RADIUS Authentication ................................................................................................102
Logging and Monitoring ............................................................................................ 109
CPView .................................................................................................................. 109
Overview of CPView .....................................................................................................109
Using CPView...............................................................................................................110
CPView User Interface .................................................................................................111
Network Monitoring .............................................................................................. 112
Monitoring Service Traffic (asg profile) .......................................................................112
Monitoring the Scalable Platform (asg_archive) .........................................................115
Working with Interface Status (asg if)..........................................................................117
Showing Bond Interfaces (asg_bond).................................................................... 121
Viewing a Global List of all Bonds (asg_bond) .............................................................121
Viewing a Specific Bond Interface (asg_bond -i) ..........................................................122
Bond Verification Test (asg_bond -v) ...........................................................................122
Setting the Minimum Number of Slaves in a Bond .......................................................122
Showing Traffic Information (asg_ifconfig) ..................................................................123
VPN Packet Tracking (bcstats) .............................................................................. 126
Monitoring VPN Tunnels ....................................................................................... 127
Showing SSM Traffic Statistics (asg_traffic_stats) ............................................... 128
Showing SGM Forwarding Statistics (asg_blade_stats) ........................................ 129
Traceroute (asg_tracert)....................................................................................... 130
Multi-blade Capture - tcpdump -mcap -view ......................................... 130
Showing Multicast Traffic Information .................................................................. 132
Showing Multicast Routing (asg_mroute) ....................................................................132
Showing PIM Information (asg_pim) ............................................................................133
Showing IGMP Information (asg_igmp) .......................................................................135
Monitoring Management Interfaces Link State ..................................................... 138
Hardware Monitoring and Control ........................................................................ 139
Showing Chassis and Component States (asg stat)......................................................139
Global Operating System Commands ..........................................................................154
Monitoring SGM Resources (asg resource)..................................................................158
Searching for a Connection (asg search) .....................................................................160
Configuring Alerts for SGM and Chassis Events (asg alert) ......................................... 164
Creating or Changing an Alert for SGM and Chassis Events ........................................ 165
Configuring Severity for an Event Alert .......................................................................167
Alert Modes .................................................................................................................169
Collecting System Diagnostics (smo verifiers).............................................................171
Monitoring Hardware Components (asg hw_monitor) .................................................187
Chassis Control (asg_chassis_ctrl) .............................................................................191
Monitoring CPU Utilization (asg_cores_util) ................................................................193
Security Monitoring .....................................................................................................194
System Monitoring ................................................................................................ 209
Showing System Serial Numbers ................................................................................209
Redirecting Alerts and Logs to External syslog server (asg_syslog) ........................... 210
Log Server Distribution (asg_log_servers) ..................................................................213
Configuring a Dedicated Logging Port .........................................................................214
Command Auditing (asg log audit) ...............................................................................216
Showing the Scalable Platform Version (ver) ..............................................................217
Viewing the Audit Log File (show smo log auditlog) .....................................................218
Working with the Firewall Database Configuration (asg config) .................................. 219
Showing Software and Firmware Versions (asg_version)............................................ 220
Showing System Messages ..........................................................................................222
Viewing a Log File (asg log) .........................................................................................223
Monitoring Virtual Systems (cpha_vsx_util monitor) ...................................................225
Working with SNMP .....................................................................................................226
Working with Active/Standby High Availability.......................................................... 230
How Active/Standby Works ................................................................................... 230
Synchronizing Clusters on a Wide Area Network.........................................................231
Configuring Active/Standby High Availability ........................................................ 232
Setting Chassis Weights (Chassis High Availability Factors)........................................ 232
Setting the Chassis ID ..................................................................................................233
Setting the Quality Grade Differential ..........................................................................234
Setting the Failover Freeze Interval ............................................................................235
Advanced Features ............................................................................................... 236
Working with Link Preemption ....................................................................................236
Chassis High Availability - Sync Lost Mechanism ........................................................236
Managing Connection Synchronization (asg_sync_manager) ...................................... 237
Working with SyncXL............................................................................................. 240
Setting Admin DOWN on First Join........................................................................ 241
Configuring a Unique IP Address For Each Chassis (UIPC) ................................... 242
VSX Active/Active Layer 2 Mode ............................................................................ 244
Working with Link Aggregation (Interface Bonds) .................................................... 245
Configuring Link Aggregation ............................................................................... 246
Creating a New Bond and Adding Slave Interfaces ......................................................248
Setting a Bonding Mode ...............................................................................................248
Setting the Polling interval ..........................................................................................249
Setting a Bond Interface On or Off ...............................................................................250
Removing Slave Interfaces.................................................................................... 251
Deleting a Bond ..................................................................................................... 252
Working with the ABXOR Bonds ............................................................................ 253
Configuring ABXOR ......................................................................................................254
Working with Management Aggregation ............................................................... 255
Converting MAGG in VSX Mode ....................................................................................256
Working with Sync Bonds ...................................................................................... 258
Sync Lost .....................................................................................................................259
Connecting Physical Cables .........................................................................................259
Working with VSX ...................................................................................................... 260
Provisioning VSX ................................................................................................... 260
Configuring 64-bit Virtual System Support ..................................................................260
Creating a new VSX Gateway .......................................................................................261
Reconfigure (vsx_util reconfigure) ..............................................................................264
Working with VSLS ................................................................................................ 265
Activating Chassis VSLS ..............................................................................................265
Selecting the Active Chassis for a Virtual System ........................................................265
Virtual System Failover ...............................................................................................266
SGM Failover ...............................................................................................................266
Configuring the VSLS Primary Chassis ........................................................................266
Monitoring VSLS ..........................................................................................................268
Monitoring and Logging in VSX.............................................................................. 275
VSX Functionality .........................................................................................................275
Monitoring Hardware Utilization for VSX (hw_utilization) ............................................ 275
Monitoring VSX Memory Resources (vsxmstat) ...........................................................276
Monitoring VSX Configuration (vsx stat) ................................................................ 280
VSX Legacy Bridge Mode ....................................................................................... 285
Working with LTE Features ....................................................................................... 286
Enabling LTE Support ........................................................................................... 287
VPN Sticky SA ........................................................................................................ 288
Troubleshooting .................................................................................................... 289
Collecting System Information (asg_info)....................................................................289
Verifiers.......................................................................................................................293
Resetting SIC (g_cpconfig sic init) ...............................................................................298
Debug files ..................................................................................................................301
Configuring SCTP NAT on SGMs............................................................................ 302
System Optimization ................................................................................................. 303
Firewall Connections Table Size for VSX Gateway ................................................ 303
Using the Fast Accelerator (sim fastaccel) ........................................................... 304
Reserved Connections .......................................................................................... 307
Policy Acceleration - SecureXL Keep Connections ............................................... 310
VPN Performance Enhancements ......................................................................... 311
SPI Distribution ...........................................................................................................311
SPI Affinity (asg_spi_affinity) .......................................................................................311
VPN Templates (cphwd_offload_vpn_templates) ........................................................312
Using Third Party VPN Peers with Many External Interfaces ....................................... 313
SCTP Acceleration .......................................................................................................314
Configuring DNS Session Rate.....................................................................................315
Accelerated Drop Enhancement ..................................................................................318
Configuring Hyper-Threading ......................................................................................320
Configuring CoreXL (g_cpconfig) .................................................................................320
Working with Jumbo Frames .......................................................................................323
TCP MSS Adjustment ...................................................................................................326
Working with Session Control (asg_session_control) .................................................327
Acceleration Not Disabled Because of Traceroute Rule (asg_tmpl_special_svcs) ... 331
Improving Inbound HTTPS Performance .............................................................. 332
Supported SSL Ciphers................................................................................................332
Layer 4 CoreXL Overview ...................................................................................... 333
Configuring Layer4 CoreXL (g_cpconfig) .....................................................................334
VSX Affinity Commands (fw ctl affinity-s -d) ................................................................335
Setting Affinities ..........................................................................................................335
Setting Affinities for all Virtual Systems (fw ctl affinity-s -d -fwkall) ........................... 337
Monitoring Process Affinity (fw ctl affinity -l -x) ..........................................................338
System Under Load ............................................................................................... 339
60000/40000 Security Platforms ............................................................................... 340
Single Management Object and Policies ............................................................... 340
Installing and Uninstalling Policies .............................................................................341
Working with Policies (asg policy) ...............................................................................341
SGM Policy Management ....................................................................................... 344
Synchronizing Policy and Configuration between SGMs ..............................................344
Understanding the Configuration File List ...................................................................344
MAC Addresses and Bit Conventions ...........................................................................346
MAC Address Resolver (asg_mac_resolver) ...............................................................348
Unified MAC for Data Ports ..........................................................................................348
Security Group ...................................................................................................... 349
Multiple Security Groups....................................................................................... 350
Description ..................................................................................................................350
Enabling Multiple Security Groups ..............................................................................351
Security Group ID ........................................................................................................351
Adding SGMs to a Security Group ................................................................................352
Removing SGMs from a Security Group .......................................................................352
Creating Another Security Group .................................................................................352
Working with a Shared VLAN Trunk Interface .............................................................353
Global Configuration....................................................................................................355
Viewing the Configuration............................................................................................355
Deleting a Security Group ............................................................................................356
Disabling Multiple Security Groups .............................................................................357
Working with the Distribution Mode ...................................................................... 358
Automatic Distribution Configuration (Auto-Topology) ................................................358
Manual Distribution Configuration (Manual-General) ..................................................360
Setting and Showing the Distribution Configuration ....................................................360
Configuring the Interface Distribution Mode (set distribution interface) ..................... 361
Configuring Distribution Matrix Maximal Size (set distribution matrix-max-size) ....... 362
Showing Distribution Status (show distribution status) ...............................................363
Running a Verification Test (show distribution verification) ......................................... 364
Configuring the Layer 4 Distribution Mode and Masks (set distribution l4-mode) ....... 365
NAT and the Correction Layer on a Scalable Platform ......................................... 367
NAT and the Correction Layer on a VSX Gateway .................................................. 368
Working with the GARP Chunk Mechanism ........................................................... 369
Port Forwarding on Management Servers ............................................................ 371
Threat Emulation .................................................................................................. 372
IPS Bypass Under Load ......................................................................................... 373
IPS Cluster Failover Management ........................................................................ 374
Optimizing IPS (asg_ips_enhance) ........................................................................ 375
Advanced Hardware Configuration ........................................................................... 376
Chassis Management Module (CMM) CLI .............................................................. 376
CMM Commands..........................................................................................................377
Security Switch Module (SSM) .....................................................................................380
Security Gateway Modules .................................................................................... 387
Identifying SGMs in the Chassis (asg_detection) .........................................................387
Software Blades Update Verification (asg_swb_update_verifier) ................................ 388
Replacing Hardware Components............................................................................. 390
Replacing the CMM ............................................................................................... 390
Adding or Replacing an SGM ................................................................................. 393
Using Snapshot to Add a New or Replacement SGM ....................................................393
Installing a New SGM Using a CD/DVD.........................................................................397
Mounting and Dismounting a USB Disk........................................................................398
Terms

Active/Standby Mode
See High Availability Mode.

Administrator
A SmartDashboard or SmartDomain Manager user with permissions to manage Check Point security products and the network environment.

Affinity
The assignment of a specified CoreXL Firewall instance, VSX Virtual System, interface, user space process, or IRQ to one or more specified CPU cores.

Alias IP
Alias IP directs traffic to one single interface.

Bond
A virtual interface that contains (enslaves) two or more physical interfaces for redundancy and load sharing. The physical interfaces share one IP address and one MAC address. See Link Aggregation.

BPDU
Bridge Protocol Data Unit. Data messages that are sent between switches in an extended LAN that uses a Spanning Tree Protocol (STP) topology.

Bridge Mode
A Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology.

CCP
Cluster Control Protocol. Proprietary Check Point protocol that manages synchronization between cluster members in a High Availability configuration.

Chassis
The container that holds all the components of a Scalable Platform.

Cluster
1. Two or more Security Gateways that work together in a redundant configuration - High Availability or Load Sharing.
2. In a virtualized environment - a set of VMware ESX/i hosts used for High Availability or Load Sharing.

Cluster Member
A Security Gateway that is part of a cluster.

ClusterXL
Cluster of Check Point Security Gateways that work together in a redundant configuration. These Check Point Security Gateways are installed on Gaia OS, SecurePlatform OS, X-Series XOS, IPSO OS, or Windows OS:
• Up to 8 cluster members are supported in ClusterXL running on Gaia OS and SecurePlatform OS.
• Up to 5 cluster members are supported in a 3rd party cluster (IP Series or X-Series appliances running R77.30 and below).
• Up to 5 cluster members are supported in ClusterXL running on Windows OS.
• Up to 2 cluster members are supported in a VRRP cluster running on Gaia OS.
Notes:
• In ClusterXL Load Sharing mode, configuring more than 4 members significantly decreases cluster performance due to the amount of Delta Sync.
• In X-Series chassis, configuring more than 4 members (APMs) significantly decreases cluster performance due to the amount of Delta Sync.
• In X-Series DBHA configuration, the above requirement applies to a single chassis (Check Point software is not aware of DBHA).

CMM
Chassis Monitoring Module. Hardware component that controls and monitors Chassis operation, such as fan speed, Chassis and module temperature, and component hot-swapping.

CoreXL
A performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances run in parallel on multiple CPU cores.

CoreXL Firewall Instance
On a Security Gateway with CoreXL enabled, the Firewall kernel is copied multiple times. Each replicated copy, or firewall instance, runs on one processing CPU core. These firewall instances handle traffic at the same time, and each firewall instance is a complete and independent firewall inspection kernel.

Failover
Also, Fail-over. Transferring of control over traffic (packet filtering) from a Cluster Member that suffered a failure to another Cluster Member (based on internal cluster algorithms).

Firewall
The software and hardware that protects a computer network by analyzing the incoming and outgoing network traffic (packets).

GARP
Gratuitous Address Resolution Protocol. An ARP request or reply that is not normally required by the ARP specification (RFC 826).

Link Aggregation
A technology that joins multiple physical interfaces together into one virtual interface, known as a bond interface. Also known as Interface Bonding.

Management Server
A Check Point Security Management Server or a Multi-Domain Server.

Multi-Domain Log Server
A computer that runs Check Point software to store and process logs in a Multi-Domain Security Management environment. The Multi-Domain Log Server consists of Domain Log Servers that store and process logs from Security Gateways that are managed by the corresponding Domain Management Servers.

Multi-Domain Security Management
A centralized management solution for large-scale, distributed environments with many different Domain networks.

Multi-Domain Server
A computer that runs Check Point software to host virtual Security Management Servers called Domain Management Servers.

Packet
A formatted unit of data that moves on computer networks.

PEM
Power Entry Module. Hardware component that supplies DC power to the Chassis with EMC filtering and over-current protection.

Permission Profile
A predefined group of SmartConsole access permissions assigned to Domains and administrators. With this feature you can configure complex permissions for many administrators with one definition.

Policy
A collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.

PSU
Power Supply Unit. Hardware component that supplies AC power to the Chassis with filtering and over-current protection.

Security Gateway
A computer that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.

Security Management Server
A computer that runs Check Point software to manage the objects and policies in a Check Point environment.

SGM
Security Gateway Module. Scalable Platform hardware component that operates as a physical Security Gateway. A Chassis contains many Security Gateway Modules that work together as a single, high performance Security Gateway or VSX Gateway.

SIC
Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server.

SmartDashboard
A Check Point client used to create and manage the security policy.

SmartUpdate
A Legacy SmartDashboard client used to centrally upgrade and manage Check Point software and licenses.

SMO
Single Management Object. A Check Point technology that manages the Scalable Platform as one large Security Gateway with one management IP address. All management tasks are handled by one SGM (the SMO Master), which updates all other SGMs. All management tasks such as Security Gateway configuration, policy installation, remote connections and logging are handled by the SMO Master.

SMO Master
The physical SGM that handles management tasks for all SGMs in a Scalable Platform environment. By default, the SGM with the lowest ID number is assigned this role.

SNMP
Simple Network Management Protocol. A protocol used to monitor the activity of hardware and software in a network.

SNMP Counter
An SNMP object with an integer value that increases by one when a specified event occurs. Counters are typically used as performance metrics, such as network throughput, dropped packets, or error events.

SNMP Trap
A notification of an event generated by an SNMP-enabled device and sent to the SNMP server.

SSM
Security Switch Module. A hardware component that manages the flow of network traffic to and from the Security Gateway Modules.

Standby Multi-Domain Server
All Multi-Domain Servers in a Management High Availability deployment that cannot manage global policies and global objects. Standby Multi-Domain Servers are synchronized with the Active Multi-Domain Server.

Traffic
The flow of data between network devices.

Virtual Device
A logical object that emulates the functionality of a type of physical network object.

Virtual Switch
Also vSwitch. A software abstraction of a physical Ethernet switch. It can connect to physical switches through physical network adapters to join virtual networks with physical networks. It can also be a Distributed Virtual Switch (dvSwitch), for definition and use on multiple ESXi hosts.

Virtual System
A Virtual Device that implements the functionality of a Security Gateway.

Virtual System Context
An independent VSX routing domain.

VLAN
Virtual Local Area Network. Open servers or appliances connected to a virtual network, which are not physically connected to the same network.

VLAN Trunk
A connection between two switches that contains multiple VLANs.

VPN
Virtual Private Network. A secure, encrypted connection between networks and remote clients on a public infrastructure, to give authenticated remote users and sites secured access to an organization's network and resources.

VSX
Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts.

VSX Gateway
Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0.

Warp Link
An interface between a Virtual System and a Virtual Switch or Virtual Router that is created automatically in a VSX topology.
CHAPTER 2

Introduction
In This Section:
Syntax Notation .............................................................................................................16
Licensing .......................................................................................................................16

Introducing the Check Point Scalable Platform, the world's fastest Threat Prevention platform.
The carrier-class next generation Threat Prevention and Firewall solutions provide the security
you need today and into the future.
Already supporting fast networking connectivity such as 40 GbE and 100 GbE, the 64000 and 44000
can be integrated with new and advanced solutions, both on premises and in the cloud.
These scalable platforms enable you to continue to grow your business, so when traffic volume or
security requirements increase, you can easily scale up the system capacity.
Welcome to the future of Cyber Security!

Syntax Notation
This table shows the syntax characters.

Character    Name                  Description
|            Pipe                  OR
{}           Curly brackets        Set of OR or AND operators
[]           Square brackets       Optional parameter
<variable>   Angle brackets        Variable
>            Right angle bracket   Prompt: Run command in Clish or gClish (use in procedures or examples only)
#            Hashtag               Prompt: Run command in the Expert mode (use in procedures or examples only)
(none)                             Required parameter or option

Licensing
For information on how to monitor and administer licenses, see the License section of the R76
Gaia Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=22928.
Run all licensing commands in Global Clish.

60000/40000 Security Systems Administration Guide R76SP.50 | 16

CHAPTER 3

Managing the Network

In This Section:
Alias IP...........................................................................................................................17
Working with IPv6 .........................................................................................................20
Configuring the 6in4 Internet Transition Mechanism.................................................25
Working with Bridge Mode ...........................................................................................27
Working with Link State Propagation ..........................................................................33
Configuring a Unique MAC Identifier ...........................................................................35
Configuring VLANs .......................................................................................................37
Changing the Management Interface ..........................................................................38
Working with ECMP ......................................................................................................39
ISP Redundancy ............................................................................................................42
Working with the ARP Table (asg_arp) ........................................................................44
Working with Proxy ARP for Manual NAT ...................................................................47
Configuring Port Speed ................................................................................................48
Configuring Multicast Routing .....................................................................................53

Alias IP
If you have traffic going to different IP addresses, you can use Alias IP to direct that traffic to one
single interface. Use the commands below to add and delete any of those IP addresses. This
enables any packet you generate from different routers, or from different IP addresses, to be
directed to the same interface. The maximum number of IP addresses that you can add to one
interface is 256.
You can add secondary IP addresses (aliases) to physical interfaces, VLANs, and Bonds.
Alias IP is also referred to as Secondary IP.

Adding and Removing an Alias IP in gClish

To add an alias:
> set interface <interface> state on
> add interface <interface> alias <alias_ip>/<alias_ip_mask>

Example:
gclish -c "add interface eth1-01 alias 172.16.16.14/24"
gclish -c "add interface eth1-01 alias 172.16.16.15/24"
gclish -c "add interface eth1-01 alias 172.16.16.16/24"

Show Interface Aliases:
gclish -c "show interface eth1-01 aliases"

1_01:

Aliases
eth1-01:1 172.16.16.14/24
eth1-01:2 172.16.16.15/24
eth1-01:3 172.16.16.16/24

To remove an alias:
> delete interface <interface> alias <interface>:<alias_id>

Example:
gclish -c "delete interface eth1-01 alias eth1-01:2"   // removes alias 172.16.16.15/24

Note - The Alias IDs do not change for the rest of the Aliases.
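Because an alias is deleted by its ID rather than by its address, and the IDs of the remaining aliases are not renumbered after a deletion, an operator has to look the ID up from the show output before every delete. The POSIX shell helpers below are an added example, not part of the Check Point guide: they parse the output shape shown above (copied here as a constructed sample), resolve an address to its alias ID, count aliases against the 256-per-interface limit, and print the matching delete command for review. They never invoke gclish themselves.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): helpers for alias IP cleanup.
# Deleting an alias needs its ID (eth1-01:2), not its address, and IDs are not
# renumbered after a deletion, so the ID is looked up from
# "show interface <if> aliases" each time.

# Constructed sample of gclish -c "show interface eth1-01 aliases" output,
# in the shape the guide shows (SGM prefix, header, then "id address" rows).
SAMPLE_ALIASES='1_01:

Aliases
eth1-01:1 172.16.16.14/24
eth1-01:2 172.16.16.15/24
eth1-01:3 172.16.16.16/24'

# alias_id_for_ip <show-output> <ip/mask>
# Prints the alias ID (for example eth1-01:2) whose address matches exactly.
# Returns 1 when that address is not configured on the interface.
alias_id_for_ip() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[A-Za-z0-9_-]+:[0-9]+$/ && $2 == want { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# alias_count <show-output>
# Counts configured aliases; the guide states a limit of 256 per interface.
alias_count() {
    printf '%s\n' "$1" | awk '$1 ~ /^[A-Za-z0-9_-]+:[0-9]+$/ { n++ } END { print n + 0 }'
}

# delete_alias_cmd <interface> <show-output> <ip/mask>
# Prints the gclish command that removes the alias carrying <ip/mask>, so the
# operator can review it before running it. Fails (status 1) if not found.
delete_alias_cmd() {
    id=$(alias_id_for_ip "$2" "$3") || return 1
    printf 'gclish -c "delete interface %s alias %s"\n' "$1" "$id"
}

# Stand-alone demo on the constructed sample: prints the delete command for
# alias 172.16.16.15/24, which resolves to eth1-01:2.
delete_alias_cmd eth1-01 "$SAMPLE_ALIASES" 172.16.16.15/24
```

In use, the sample text is replaced by the live output of `gclish -c "show interface <if> aliases"`; on a multi-SGM system the rows are the same on every SGM, so the first block is enough to resolve the ID.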

Adding and Removing an Alias IP in SmartDashboard


To add an Alias IP:
1. From SmartDashboard, double-click the network object.
The General Properties window shows.
2. From the menu, click Topology > Get > Interfaces with Topology -> OK.
3. After all the interfaces load, double-click an interface that has an alias. The Interface
Properties window shows.
From the Topology tab, select:
• External
An interface can receive packets for any of the IP addresses, regular or alias, that are
configured on it.
OR
• Internal
Select one of these options:
 Not Defined
 Network defined by the interface IP and Net Mask
This enables the interface to receive any packet destined for any alias in the same
subnet of the interface.
 Specific
Click on the icon and select New > Group OR Network.
- Network
This is the subnet of an alias interface. The interface receives packets destined for the
alias IP.
- Group
This adds several alias subnets (networks) to one group and the interface can receive
packets for several aliases (several networks).
4. Select the Network or Group after you have configured the alias on the gateway.
5. Install policy.

To delete an Alias IP:


1. From SmartDashboard, double click on the network object.
The General Properties window shows.
2. From the menu, click Topology > Get > Interfaces with Topology -> OK.
3. After all the interfaces load, double-click on an interface that has an alias.
The Interface Properties window shows.
4. From the Topology tab, select Internal > Specific.
5. Select another Group or Network from the list which does not have the alias network.
This action automatically deletes the Alias.
6. Install policy.

Working with IPv6

IPv6 support is disabled by default. You must enable IPv6 support on the Scalable Platform before
you can configure IPv6 addresses and static routes.

To prepare your Scalable Platform to work with IPv6:
1. Enable IPv6 support.
2. Install and activate an IPv6 license on the Security Management Server.
3. Create IPv6 objects in SmartDashboard.
4. Create IPv6 rules for Firewall and other Check Point Software Blades.
5. Reboot all SGMs.

On-screen commands:
[Global] MyChassis-ch01-01 > set ipv6-state on
1_01:
In order to fully enable IPv6, you also need to reboot.
The changes will be applied after reboot. This step is mandatory.

1_02:
In order to fully enable IPv6, you also need to reboot.
The changes will be applied after reboot. This step is mandatory.

1_03:
In order to fully enable IPv6, you also need to reboot.
The changes will be applied after reboot. This step is mandatory.
Enabling/Disabling IPv6 Support (ipv6-state)

Description
Use the ipv6-state command to:
• Enable IPv6 support for all SGMs in the Scalable Platform.
• Disable IPv6 support for all SGMs in the Scalable Platform.
• Show the IPv6 support status for all SGMs in the Scalable Platform.
To complete the configuration you must reboot all SGMs at the same time. If you have a Chassis
High Availability environment, you can enable IPv6 and reboot the SGMs one Chassis at a time.
This lets network traffic continue during the configuration procedure.

Syntax
> set ipv6-state {on | off}
> show ipv6-state

Parameters
Parameter Description
on Enables IPv6 support
off Disables IPv6 support

To enable IPv6 support on a Single Chassis system:
1. Log into the Scalable Platform.
2. Run:
> set ipv6-state on
3. Reboot all SGMs:
> reboot -b all
4. Follow the on-screen instructions.
5. Run:
> show ipv6-state
Make sure that IPv6 is enabled for all SGMs.

To enable IPv6 support on a Dual Chassis system:
With this procedure you can reboot one Chassis at a time to prevent unnecessary downtime.
1. Log into the Scalable Platform.
2. Run:
> set ipv6-state on
3. Reboot all SGMs on the Standby Chassis:
> reboot -b <standby_chassis_name>
4. When the reboot completes, fail over to the Standby Chassis:
> set chassis id <active_chassis_id> admin-state down
The failover closes all active connections. The connections must be re-established.
5. Reboot all SGMs on the newly designated Standby Chassis:
> reboot -b <new_standby_chassis_name>

Configuring IPv6 Static Routes - CLI (set ipv6 static-route)

Description
Use the set ipv6 static-route command to add, change, or delete IPv6 static routes.

Syntax
> set ipv6 static-route <source_ip> nexthop gateway <gw_ip> [priority <p_val>] {on | off} [interface <gw_if> [priority <p_val>]] on
> set ipv6 static-route <source_ip> nexthop [<gw_ip>] {blackhole | reject | off}

Parameters
Parameter Description
gateway Defines the next hop path.
<source_ip> Defines the source IPv6 address and subnet.
<gw_ip> Identifies the next hop gateway by its IP address.
<gw_if> Identifies the next hop gateway by the interface that connects to it. Use this option only if the next hop gateway has an unnumbered interface.
priority Assigns a path priority when there are many different paths. The available path (gateway) with the lowest priority value is selected.
interface Identifies the next hop gateway by the interface that connects to it. Use this option only if the next hop gateway has an unnumbered interface.
<p_val> Priority value for a route or interface. Valid values are integers between 1 and 8. Default = 1
on Enables the specified route or next hop.
off Deletes the specified route or next hop. If you specify a next hop, only the specified path is deleted. If no next hop is specified, the route and all related paths are deleted.
blackhole Drops packets but does not send an error message.
reject Drops packets and sends an error message to the traffic source.

Note - There are no add or show commands for the static route feature.

Troubleshooting:
Symptoms:
• You cannot configure the VPN Software Blade.
• This message shows: VPN blade demands gateway's IP address corresponding to
the interface's IP addresses
Cause:
IPv6 is active, but the main IPv6 address is not configured.
Solution:
Configure the main IPv6 address in General Properties.

Using the CLI to Manage Static Routes

Syntax to show IPv6 static routes:
> show ipv6 route static

Example output:
Codes: C - Connected, S - Static, B - BGP, Rg - RIPng, A - Aggregate,
O - OSPFv3 IntraArea (IA - InterArea, E - External),
K - Kernel Remnant, H - Hidden, P - Suppressed

S 3100:55::1/64 is directly connected
S 3200::/64 is a blackhole route
S 3300:123::/64 is a blackhole route
S 3600:20:20:11::/64 is directly connected, eth3

Syntax to add an IPv6 static route:
> set ipv6 static-route <dest_ip> nexthop gateway <gw_ip> on
> set ipv6 static-route <dest_ip> nexthop gateway <gw_ip> interface <gw_if> on

Parameters
Parameter Description
<dest_ip> Destination IPv6 address.
<gw_ip> Next hop gateway IPv6 address.
<gw_if> Next hop gateway interface name.

Examples:
> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 on
> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 interface eth3 on

Syntax to add an IPv6 static route with paths and priorities:
> set ipv6 static-route <dest_ip> nexthop gateway <gw_ip> priority <p_val> on

Parameters
Parameter Description
<dest_ip> Destination IP address.
<gw_ip> Next hop gateway IP address.
<p_val> Integer between 1 and 8, default is 1.

Run this command for each path and assign a priority value to each. Two or more paths can have
the same priority. This creates a backup path with the same priority.

Example:
> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 priority 3 on

Syntax to add an IPv6 static route where packets are dropped:
> set ipv6 static-route <dest_ip> nexthop <mess_option>

Parameters
Parameter Description
<dest_ip> Destination IP address
<mess_option> Message option - packets are dropped, with one of these behaviors:
• reject - Drops packets and sends an error message to the traffic source.
• blackhole - Drops packets but does not send an error message.

Examples:
> set ipv6 static-route 3100:192::0/64 nexthop reject
> set ipv6 static-route 3100:192::0/64 nexthop blackhole

Syntax to delete an IPv6 route and all related paths:
> set ipv6 static-route <dest_ip> off

Example:
> set ipv6 static-route 3100:192::0/64 off

Syntax to delete a path only:
> set ipv6 static-route <dest_ip> nexthop gateway <gw_ip> off

Parameters
Parameter Description
<dest_ip> Destination IP address
<gw_ip> Next hop gateway IP address or interface name.

Example:
> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 off
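The multi-path syntax above is easy to get wrong by hand: each path is a separate command, the priority must stay within 1-8, and the only feedback is the `show ipv6 route static` listing. The POSIX shell functions below are an added example, not part of the Check Point guide. They generate the per-path `set ipv6 static-route` commands from a destination and a list of gateways (written `gateway@priority`, a separator chosen here because IPv6 addresses themselves contain colons; a gateway without `@` gets the documented default priority 1), reject out-of-range priorities before anything is emitted, and read back the route state from show output of the shape printed above (copied here as a constructed sample). They do not call gclish.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): build and check a
# multi-path IPv6 static route configuration. Text in, text out; the
# operator reviews the commands and runs them in gClish.

# ipv6_route_cmds <dest_prefix> <gw>[@<priority>] ...
# Emits one "set ipv6 static-route ... priority <p> on" line per next hop.
# Priority defaults to 1 (the guide's default); values outside 1..8 make the
# function return 2 and emit nothing, so a half-applied config is avoided.
# "@" is used as the separator because IPv6 addresses contain ":".
ipv6_route_cmds() {
    dest=$1; shift
    lines=""
    for hop in "$@"; do
        case $hop in
            *@*) gw=${hop%@*}; prio=${hop##*@} ;;
            *)   gw=$hop;      prio=1 ;;
        esac
        case $prio in
            [1-8]) ;;
            *) printf 'invalid priority "%s" for %s (must be 1-8)\n' "$prio" "$gw" >&2
               return 2 ;;
        esac
        lines="${lines}set ipv6 static-route $dest nexthop gateway $gw priority $prio on
"
    done
    printf '%s' "$lines"
}

# Constructed sample of "show ipv6 route static" output, in the shape the
# guide shows.
SAMPLE_ROUTES='Codes: C - Connected, S - Static, B - BGP, Rg - RIPng, A - Aggregate,
O - OSPFv3 IntraArea (IA - InterArea, E - External),
K - Kernel Remnant, H - Hidden, P - Suppressed

S 3100:55::1/64 is directly connected
S 3200::/64 is a blackhole route
S 3300:123::/64 is a blackhole route
S 3600:20:20:11::/64 is directly connected, eth3'

# static_route_state <show-output> <prefix>
# Prints "blackhole", "connected", "other" or "missing" for the prefix, so a
# post-change check can assert the route landed in the expected state.
static_route_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "S" && $2 == want {
            if ($0 ~ /blackhole/) print "blackhole";
            else if ($0 ~ /directly connected/) print "connected";
            else print "other";
            found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# blackhole_routes <show-output>
# Lists prefixes whose traffic is silently dropped; worth auditing, since a
# forgotten blackhole route is a quiet way to lose reachability.
blackhole_routes() {
    printf '%s\n' "$1" | awk '$1 == "S" && /blackhole/ { print $2 }'
}

# Stand-alone demo: two paths, the second one the default-priority backup.
ipv6_route_cmds 3100:192::0/64 3900:172::1@3 3900:172::2
blackhole_routes "$SAMPLE_ROUTES"
```

The generated lines carry an explicit `priority 1` where the guide's shorter form would omit it; both mean the same thing, and spelling it out keeps the backup path visible in change reviews.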

Configuring the 6in4 Internet Transition Mechanism

Description
Use these commands to move IPv6 traffic over a network that does not support IPv6.
The commands use the 6in4 Internet transition protocol to encapsulate IPv6 traffic for IPv4 links.

Syntax to add a 6in4 virtual interface:
> add interface <physical_if> 6in4 <6in4_id> remote <remote_ipv4> [ttl <ttl>]

Syntax to configure an existing 6in4 virtual interface:
> set interface <sit_if_name> ipv6-address <ipv6_address> mask-length 64

Parameters
Parameter Description
<physical_if> The physical interface from which the traffic leaves the system. Example: eth1-01
<6in4_id> A numerical identifier for the 6in4 virtual interface.
<remote_ipv4> IPv4 address of the remote peer.
<ttl> Time-to-live - The number of router hops before packets are discarded

Example:
> add interface eth1-01 6in4 999 remote 50.50.50.10
1_01:
Success

The virtual interface sit_6in4_<6in4_id> (sit_6in4_999 in this example) is created for eth1-01 on
all SGMs, even though you specified a single physical interface, eth1-01, in the command line.
To see the virtual interfaces for each SGM, run: show interface eth1-01 6in4s

Syntax to set the interface:
> set interface <sit_if_name> ipv6-address <ipv6_address> mask-length 64

Parameters
Parameter Description
<ipv6_address> IPv6 address

Example:
> set interface sit_6in4_999 ipv6-address 30:30:30::1 mask-length 64
1_01:
Success

Syntax to delete the 6in4 Virtual Interface:
> delete interface <physical_if> 6in4 <6in4_id>

Example:
> delete interface eth1-01 6in4 999
1_01:
success

Notes about asg search and 6in4:
• On IPv4, asg search confirms if the SGM connection is active or backup and which Chassis
has more than one SGM.
• On IPv6, asg search addresses shows one SGM on the Active Chassis and one SGM on the
Standby Chassis.

Working with Bridge Mode


Check Point security devices support bridge interfaces that implement native Layer 2 bridging.
Bridge interfaces let network administrators deploy security devices in an existing topology
without reconfiguring the IP routing scheme. This is an important advantage for large-scale,
complex environments.
Configure Ethernet interfaces (with aggregated interfaces) on your Check Point security device to
work like ports on a physical bridge. The interfaces then send traffic with Layer 2 addresses. You
can configure some interfaces as bridge interfaces, while other interfaces on the same device
work as Layer 3 devices. Traffic between bridge interfaces is inspected at Layer 2.

Limitations:
• Bridge Mode is only supported with two interfaces.
• BPDU forwarding is not supported with VLAN tagging (on page 31).
• The Scalable Platform does not generate BPDU (STP) frames.
• The Scalable Platform forwards BPDUs between bridge slave interfaces.
• The bridge group must use an IP address on the same subnet as the clients or routers that connect
to the Scalable Platform. This lets UserCheck work properly.
• Bridge setup supports only the manual-general distribution mode.

Working with Chassis High Availability in Bridge Mode


When a Dual Chassis Scalable Platform deployment is in the Active/Standby Mode, only the Active
Chassis handles traffic. The Scalable Platform maintains a MAC shadow table that caches MAC
addresses handled by the system. When a Chassis failover occurs, the new Active Chassis
generates advertisement packets with the cached MAC addresses.
This causes the remote switches to forward traffic through a different interface, due to the
updated MAC address table. The chassis in Standby Mode stops forwarding BPDU frames of the
spanning tree. Only the Active Chassis forwards these frames.

MAC tables
The OS table is not synchronized across SGMs. The firewall table is synchronized across SGMs.
To show the OS MAC table:
In Expert Mode, run:
# brctl showmacs <bridge_name>
To show the Firewall MAC table:
In Clish, run:
> fw tab -t fdb_shadow

Special Advertisement Packets
When a Chassis fails over, Special Advertisement Packets are sent. They have this structure:
• Source IP - 8.7.6.5
• Destination IP - 4.3.2.1
• Destination port - 8116

Active/Active Bridge Mode
By default, Active/Active Bridge Mode does not support asymmetric traffic between Chassis. When
asymmetric traffic is enabled, client-to-server traffic is handled by one Chassis and
server-to-client traffic is handled by the other Chassis.

To enable asymmetric traffic:
In Expert Mode, run:
# g_update_conf_file $FWDIR/modules/fwkern.conf fwha_both_chassis_pass_traffic=1
# g_fw ctl set int fwha_both_chassis_pass_traffic 1

To confirm the parameter is set to 1, run:
# g_fw ctl get int fwha_both_chassis_pass_traffic

Important - Setting the value of the kernel parameter fwha_both_chassis_pass_traffic to 1 can
decrease performance.

Active/Active Bridge Mode Topologies
Active/Active Bridge Mode supports these topologies:
• Layer 2 connectivity between Chassis.
This topology requires Spanning Tree Protocol (STP) on the switches. STP is a network
protocol that ensures a loop-free topology for Ethernet networks. It sends special data frames
called Bridge Protocol Data Units (BPDUs). The BPDUs help the switches select which port to
block when a loop is detected. Because the BPDUs pass through the bridge interface of the
gateway, they reach the switch on a different interface, so the switch blocks the loop correctly.


• No Layer 2 connectivity between Chassis


This topology does not require STP on the switches. It is usually a router-based topology where
a dynamic routing protocol selects through which segment to route the traffic.

BPDU
Description
The BPDU maximum age timer controls the maximum length of time that a bridge port retains its
configuration BPDU information before discarding it. The default time is set to 20 seconds, the time it
takes to reach failover. It can be configured between 6 and 40 seconds.
For example, on Cisco switches use spanning-tree vlan on each VLAN to configure the BPDU
maximum age timer.

Syntax
> spanning-tree vlan <vlan_id> max-age <age>

Parameters
Parameter Description
<vlan_id> VLAN ID
<age> BPDU maximum age in seconds
Allowed values: 6-40

For more information, see Cisco documentation.


Active/Standby Bridge Mode


To enable Active/Standby Bridge Mode:
In gClish, run:
> add bridging group <bridge_if_name>
> add bridging group <bridge_if_name> interface <if_1_ID>
> add bridging group <bridge_if_name> interface <if_2_ID>

Configuring Bridge Interfaces in SGW Mode


Description
Use these commands to work with Bridge interfaces.

Syntax
> add bridging group <group_id> interface <if_name>
> delete bridging group <group_id> interface <if_name>
> show bridging group <group_id>

Parameters
Parameter Description
<group_id> Integer that identifies the bridging group.
<if_name> Interface name as configured on the system.

Example
> add bridging group 2 interface eth1-03
> show bridging group 2
Bridge Configuration
Bridge Interfaces
eth1-03

To add the VLAN to the physical interface, enter:


> add interface <if_name> vlan <vlan_id>

To add the interface VLAN to the bridging group, enter:


> add bridging group <group_id> interface <if_name>.<vlan_id>

Configuring Bridge Interfaces in VSX Mode


Configure a Virtual System in Bridge Mode when you first create the object.

To configure Active/Standby Bridge Mode in a Virtual System:


1. In Virtual System General Properties, select Bridge Mode.
2. Click Next.
The Virtual System Network Configuration window opens.
3. Configure the external and internal interfaces for the Virtual System.
4. Click Next.
5. Click Finish.


Configuring Non-IP Bridge in VSX Mode


To enable Non-IP protocols to forward in Virtual Systems in Bridge Mode, create the following file
on all SGMs before you create these Virtual Systems:
# g_all touch $FWDIR/conf/enable_non_ip_protocols

Disabling BPDU Forwarding


When VLAN translation is configured, BPDU frames that pass through the bridge can carry an
incorrect VLAN number to the switch ports. This mismatch can cause the switch port to block traffic.
To resolve this, disable BPDU forwarding in a way that survives reboot. This solution also works
well for Layer 2 Virtual Systems.

To permanently disable BPDU forwarding:


1. In the Expert mode, open the file in the Vi editor:
vi /etc/rc.d/init.d/network
2. Search for this line:
. /etc/init.d/functions
3. Add this new line below it:
/sbin/sysctl -w net.bridge.bpdu_forwarding=0
4. Save the file and exit the Vi editor.
5. Copy the modified file to all SGMs:
asg_cp2blades /etc/rc.d/init.d/network
6. Reboot the system.
If you are using a dual Chassis Scalable Platform, reboot the Standby Chassis first and then
reboot the Active Chassis. To learn more, see sk98927
http://supportcontent.checkpoint.com/solutions?id=sk98927.


IPv6 Neighbor Discovery


Neighbor discovery works over the ICMPv6 Neighbor Discovery protocol, which is the functional
equivalent of the IPv4 ARP protocol. ICMPv6 Neighbor Discovery Protocol must be explicitly
allowed for all bridged networks in your Firewall rules. This is different from ARP, for which traffic
is always allowed regardless of the Rule Base.
This is an example of a rule that allows ICMPv6 Neighbor Discovery protocol:

Source                  Destination             Service                 Action
Bridged Network object  Bridged Network object  neighbor-advertisement  accept
                                                neighbor-solicitation
                                                router-advertisement
                                                router-solicitation
                                                redirect6


Working with Link State Propagation


Background
You can use Link State Propagation (LSP) to bind physical interfaces together on an SSM. This
causes all bound interfaces to go DOWN when one interface goes DOWN. After a predefined period
of time (default is 190 seconds), all interfaces go back to the UP state. This feature makes sure that
third party devices connected to the Scalable Platform fail over quickly when using dynamic routing.
Link State Propagation is disabled by default.

Defining LSP Port Groups


Define LSP Port Groups in the /etc/lsp_groups.conf file.
Each line in this file defines one LSP Port Group with one or more interface groups, delimited by a
comma.
An interface group has one or more interfaces, delimited by a plus sign (+).

Configuration file syntax

Item Description
1 LSP Port Group (full syntax)
2 Interface Group
<if> Physical Interface

Example 1:
eth1-01+eth2-01,eth3-01+eth4-01

In this example, the LSP Port Group has two interface groups with two interfaces each:
• Interface Group 1 contains eth1-01 and eth2-01
• Interface Group 2 contains eth3-01 and eth4-01
Example 2:
eth1-02+eth1-03+eth1-04+eth1-05,eth3-02+eth4-02,eth3-03+eth4-03

In this example, the LSP Port Group has three interface groups:
one group with four interfaces and two other groups with two interfaces each.
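The following shell script is an added example, not part of the guide or of the product, that checks an lsp_groups.conf file against the syntax above before you copy it to all SGMs. It uses the two examples above as a constructed sample, and assumes (the guide does not state this) that interface names follow the ethX-YZ format and that an interface appears in only one group. The lsp_parse function prints the interface groups it found and rejects malformed lines.

```shell
#!/bin/sh
# Added example: validate an /etc/lsp_groups.conf-style file before it is
# copied to all SGMs with asg_cp2blades. Not part of the guide or the product.
# Syntax from the guide: one LSP Port Group per line; interface groups are
# separated by commas, interfaces inside a group by a plus sign.
# Assumptions (not stated by the guide): interface names follow the ethX-YZ
# format, and one interface must not appear in more than one group.

# Constructed sample, built from the two examples in the guide.
LSP_SAMPLE='eth1-01+eth2-01,eth3-01+eth4-01
eth1-02+eth1-03+eth1-04+eth1-05,eth3-02+eth4-02,eth3-03+eth4-03'

# lsp_parse <file_contents>
# Prints one line per interface group: "lsp<line> group<n> <iface_count> <ifaces>".
# Reports syntax problems on stderr and returns 1 if any were found.
lsp_parse() {
    printf '%s\n' "$1" | awk '
    function bad(msg) { print "line " NR ": " msg > "/dev/stderr"; rc = 1 }
    BEGIN { rc = 0 }
    /^[[:space:]]*$/ { next }                       # skip blank lines
    {
        n = split($0, groups, ",")
        for (g = 1; g <= n; g++) {
            m = split(groups[g], ifs, "+")
            if (m < 1) { bad("empty interface group " g); continue }
            for (i = 1; i <= m; i++) {
                if (ifs[i] !~ /^eth[0-9]+-[0-9][0-9]$/) bad("bad interface name \"" ifs[i] "\"")
                if (ifs[i] in seen) bad("interface " ifs[i] " listed more than once")
                seen[ifs[i]] = 1
            }
            printf "lsp%d group%d %d %s\n", NR, g, m, groups[g]
        }
    }
    END { exit rc }'
}

# lsp_group_count <file_contents>: total number of interface groups in the file.
lsp_group_count() {
    lsp_parse "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone usage: parse the sample and stop if it is malformed.
lsp_parse "$LSP_SAMPLE" || exit 1
```

Run the script against the real file with `lsp_parse "$(cat /etc/lsp_groups.conf)"` before the asg_cp2blades step; a non-zero exit means the file would be distributed with a line the LSP mechanism cannot use.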


To add an LSP Port Group:


1. Connect to the command line on an SGM.
2. Edit the /etc/lsp_groups.conf file in Vi editor.
# vi /etc/lsp_groups.conf
Note - If the lsp_groups.conf file does not exist, create it now with this command:
# touch /etc/lsp_groups.conf
3. Add one line for each LSP Port Group in the file.
4. Save the changes and exit from Vi editor.
5. Copy the file to all SGMs:
# asg_cp2blades /etc/lsp_groups.conf
6. Restart the LSP mechanism with these two commands:
# asg_lsp_util disable
# asg_lsp_util enable
This step is necessary for the system to detect the change.

To delete an LSP Port Group:


Important - If you do not use the LSP, disable it (with the asg_lsp_util disable command).
Do not delete the configuration file, or the only LSP port group line in the file.
1. Edit the /etc/lsp_groups.conf file in Vi editor.
# vi /etc/lsp_groups.conf
2. Delete the applicable LSP Port Group line from the file.
3. Save the changes and exit from Vi editor.
4. Copy the file to all SGMs:
# asg_cp2blades /etc/lsp_groups.conf
5. Restart the LSP mechanism with these two commands:
# asg_lsp_util disable
# asg_lsp_util enable
This step is necessary for the system to detect the change.


Configuring a Unique MAC Identifier


When there is more than one Scalable Platform or ClusterXL system on a Layer 2 segment, the
Unique MAC Identifier must be different for each system. The Unique MAC Identifier is assigned by
default during the initial setup: the last octet of the management interface MAC address is used as
the Unique MAC Identifier.
The last octet of the management interface MAC address is set for these data interface types:
• Interfaces with names in the ethX-YZ format
• Bond interfaces
• VSX wrp interfaces
• VLAN interfaces
If there is no configured management interface, the Unique MAC Identifier is assigned the default
value 254.
You can use the asg_unique_mac_utility to set:
• Data interface Unique MAC Identifier
• Host name

To manually set the Unique MAC Identifier:


1. Run:
> asg_unique_mac_utility
2. Select an option from the menu.
3. Follow the instructions on the screen.
----------------------------------------------
| Unique MAC Utility |
----------------------------------------------
| HOSTNAME [61000_GW] |
| Unique MAC [254] |
----------------------------------------------

Choose one of the following options:


------------------------------------
1) Set Hostname with Unique MAC wizard
2) Apply Unique MAC from current HOSTNAME
3) Manual set Unique MAC
4) Revert to Unique MAC Factory Default
5) Exit

Note - You must reboot the system to apply the new Unique MAC Identifier.


Unique MAC Identifier Utility Options


The options for setup are:
• Set Host name with Unique MAC wizard (on page 36)
• Apply Unique MAC from current Host name (on page 36)
• Revert to Unique MAC Factory Default (on page 36)
• Manual Set Unique MAC (on page 36)

Set Host Name With Unique MAC


The _asg suffix and the setup number, between 1 and 254, are added to the setup name.
Example:

Setup Name   Suffix   Setup number
61000_GW     _asg     22

This creates a new host name with a Unique MAC Identifier of 22. The setup number replaces the
Unique MAC Identifier default value of 254.

New Host Name     Unique MAC Identifier
61000_GW_asg22    22

After reboot, all data interface MAC addresses end with the new Unique MAC Identifier value, 16 in hex.
Example:
eth1-01 00:1C:7F:XY:ZW:16
Note - The last octet for eth1-01 is 16 hex (22 decimal).

Apply Unique MAC From Current Host Name


Assign a new Unique MAC Identifier to the interfaces.
The new Unique MAC Identifier is created from the setup number in the host name.
The current host name must first comply with the setup name number convention:
<setup_name>_asg<setup_number> (for example, 61000_GW_asg22)

Manual Set Unique MAC


You can configure the Unique MAC Identifier with your own value without changing the host
name. The existing host name does not have to comply with the setup name number
convention:
<setup_name>_asg<setup_number>

Revert to Unique MAC Factory Default


Set the Unique MAC Identifier to the default value of 254.


Configuring VLANs
Description
Use these commands to configure VLANs. These commands do not work in a VSX environment.

Syntax
> add interface <if_name> vlan <vlan_id>
> set interface <if_name>.<vlan_id> ipv4-address <ip_addr> mask-length <mask-len>
> delete interface <if_name> vlan <vlan_id>

Parameters
Parameter Description
<if_name> Name of the physical interface
<vlan_id> VLAN ID number
<ip_addr> VLAN IPv4 or IPv6 address
<mask-len> Network mask length

Actions and Syntax

Action                        Syntax                                                  Output
Adding a VLAN interface       > add interface eth2-03 vlan 444                        1_01:
                                                                                      success
Configuring a VLAN interface  > set interface eth2-03.444 ipv4-address 203.0.113.1    1_01:
                              mask-length 24                                          success
Deleting a VLAN interface     > delete interface eth2-03 vlan 444                     1_01:
                                                                                      success
Show the VLAN interfaces on   > show interface <interface> vlans                      1_01:
a physical interface          > show interface eth2-03 vlans                          eth2-03.444

Example - Bond Interface:


[Global] SofBon-ch01-01 > add interface bond1 vlan 55
1_01:
success
1_02:
success
1_03:


Changing the Management Interface


Use this command to change the management interface for the SGMs.
Note - This procedure is applicable for Security Gateway environments only. Management
interface changes are not supported for VSX.

To change the Management Interface:


1. Make sure the management interface cable is connected to the network.
2. Run these commands in the order specified below:
• > set management interface <new_mng_if>
• > delete interface <old_mng_if> ipv4-address
• > set interface <new_mng_if> ipv4-address <ip> mask-length <length>
• > set interface <new_mng_if> state on|off
Note - Run these commands over a console connection, so that you keep connectivity while the
interfaces change.
3. In SmartDashboard, get the new topology for the Scalable Platform object.
4. Install the policy.
5. To enable management traffic redirections to the Single Management Object (SMO):
• To enable temporarily, run:
> g_fw ctl set int fwha_mgmt_over_data_forwarding_enabled 1
• To enable permanently, run:
> g_update_conf_file fwkern.conf fwha_mgmt_over_data_forwarding_enabled=1
Use case - Redirect SSH connections to the SMO.

Parameters
Parameter Description
<new_mng_if> Name of the new management interface
For example: eth1-Mgmt3
<old_mng_if> Name of the existing management interface to be changed or
deleted. For example: eth1-Mgmt2.
<ip> Interface IPv4 address
<length> Interface network mask length

state Interface state (on/off)


Working with ECMP


Description
Use Equal-Cost Multi-Path Routing (ECMP) to manually define a static route with more than one
next-hop gateway. Traffic to the destination network defined in the static route is then load-balanced
over the multiple paths. Load balancing may offer substantial increases in bandwidth.

Syntax
> set static-route <network> nexthop gateway address <gw_ip> on

Parameters
Parameter Description
<network> IP address of the destination network

<gw_ip> IP address of the next-hop gateway

Example:
> set static-route 50.50.50.0/24 nexthop gateway address 20.20.20.101 on
> set static-route 50.50.50.0/24 nexthop gateway address 20.20.20.102 on
> set static-route 50.50.50.0/24 nexthop gateway address 20.20.20.103 on

Notes:
• To get to addresses on the 50.50.50.0/24 network, packets must first be forwarded to one of
these gateways:
• 20.20.20.101
• 20.20.20.102
• 20.20.20.103

• To confirm that static routes to the next-hop gateways are being enforced:
Run:
> show route static
Example output that shows that the static route to 50.50.50.0/24 is through three next-hop
gateways:
1_01:
Codes: C - Connected, S - Static, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S 0.0.0.0/0 via 192.168.33.1, eth2-01, cost 0, age 2092
5.5.5.0/24 via 20.20.20.101, eth1-01, cost 0, age 322
           via 20.20.20.102, eth1-01
           via 20.20.20.103, eth1-01


Enhanced Failover of ECMP Static Routes


Description
Every next-hop gateway of the static route is pinged from the SGM to detect its availability. Make sure
the ping is on; every few seconds there must be a ping request on the interface with the static route.
When a next-hop gateway is detected as unreachable, the enhanced routing feature automatically
starts failover and deletes that gateway from the routing table. When the gateway is reachable again,
it is re-added to the routing table.
Syntax
> set static-route <network>/<subnet_len> ping on

Note - You can configure enhanced ECMP failover after you configure an ECMP static route.

Parameters
Parameter Description
<network> IP address of the destination network.
<subnet_len> Subnet length of the destination network.

To adjust ping behavior:


> set ping count <val>
> set ping interval <val>

Parameters
Parameter Description
count <val> Number of packets to be sent before next hop is declared dead.

interval <val> Time in seconds to wait between two consecutive pings.

Example 1 - Set ECMP for destination 5.5.5.0/24


> set static-route 5.5.5.0/24 nexthop gateway address 10.33.85.2 on
> set static-route 5.5.5.0/24 nexthop gateway address 10.33.85.4 on
> set static-route 5.5.5.0/24 nexthop gateway address 10.33.85.100 on
> show route
1_01:
Codes: C - Connected, S - Static, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S 0.0.0.0/0 via 192.168.33.1, eth2-01, cost 0, age 2092
5.5.5.0/24 via 10.33.85.2, eth1-01, cost 0, age 322
           via 10.33.85.4, eth1-01
           via 10.33.85.100, eth1-01

Example 2 - Enable failover ECMP on all static routes configured for destination 5.5.5.0/24
> set static-route 5.5.5.0/24 ping on


Example 3 - Make sure the configuration is correct


When next-hop 10.33.85.2 is unreachable (no ICMP replies), after 3 pings (by default) it is removed
from the routing table:
[Expert@MyChassis-ch02-01]# tcpdump -nepi eth1-01 host 10.33.85.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1-01, link-type EN10MB (Ethernet), capture size 96 bytes
14:40:48.388032 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f5, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.2: ICMP echo request, id 53007, seq 43981, length 28
14:40:58.388425 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f5, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.2: ICMP echo request, id 53007, seq 43981, length 28
14:41:08.387895 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f5, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.2: ICMP echo request, id 53007, seq 43981, length 28
The route is deleted from the routing table.
> show route
1_01:
Codes: C - Connected, S - Static, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

0.0.0.0/0 via 192.168.33.1, eth2-01, cost 0, age 2511
S 5.5.5.0/24 via 10.33.85.4, eth1-01, cost 0, age 52
             via 10.33.85.100, eth1-01

When 10.33.85.2 is reached, tcpdump shows that it replies to the ping requests, and it is re-added
to the routing table:
[Expert@MyChassis-ch02-01]# tcpdump -nepi eth1-01 host 10.33.85.2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1-01, link-type EN10MB (Ethernet), capture size 96 bytes
14:38:08.388224 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f5, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.2: ICMP echo request, id 53007, seq 43981, length 28
14:38:08.388462 00:50:fc:58:80:0a > 00:1c:7f:0f:00:fe, ethertype IPv4 (0x0800), length 62: 10.33.85.2 > 10.33.85.1: ICMP echo reply, id 53007, seq 43981, length 28
14:38:18.387762 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f5, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.2: ICMP echo request, id 53007, seq 43981, length 28
14:38:18.387980 00:50:fc:58:80:0a > 00:1c:7f:0f:00:fe, ethertype IPv4 (0x0800), length 62: 10.33.85.2 > 10.33.85.1: ICMP echo reply, id 53007, seq 43981, length 28
14:38:28.388161 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f5, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.2: ICMP echo request, id 53007, seq 43981, length 28
14:38:28.388382 00:50:fc:58:80:0a > 00:1c:7f:0f:00:fe, ethertype IPv4 (0x0800), length 62: 10.33.85.2 > 10.33.85.1: ICMP echo reply, id 53007, seq 43981, length 28

> show route
1_01:
Codes: C - Connected, S - Static, R - RIP, B - BGP,
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S 0.0.0.0/0 via 192.168.33.1, eth2-01, cost 0, age 2092
5.5.5.0/24 via 10.33.85.2, eth1-01, cost 0, age 322
           via 10.33.85.4, eth1-01
           via 10.33.85.100, eth1-01

Validation:
1. In gClish, run:
> show route
Make sure that only ECMP static routes with reachable next hops show.
2. In the Expert mode, run tcpdump on the interface with the static route, as in the example above.
Note - Make sure the ping is on. Every few seconds there must be a ping request on the interface
with the static route.
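To make this validation repeatable, here is an added example (not from the guide or the product) that applies the rule described above to saved tcpdump output: a next hop is treated as unreachable after three consecutive echo requests without a reply, the default of set ping count. The capture lines are constructed from the format shown above, with made-up MAC addresses and timestamps; the function names are the example's own.

```shell
#!/bin/sh
# Added example: judge ECMP next-hop reachability from "tcpdump -nepi" output.
# Not part of the guide or the product. Rule modelled on the guide: a next hop
# is declared unreachable after <count> consecutive unanswered echo requests
# (default 3, the "set ping count" default named in the text).

# Constructed capture (made-up MAC addresses and timestamps, format as in the
# guide): 10.33.85.2 never answers, 10.33.85.4 answers every probe.
ECMP_TCPDUMP_SAMPLE='14:40:48.388032 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f5, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.2: ICMP echo request, id 53007, seq 43981, length 28
14:40:48.388210 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f6, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.4: ICMP echo request, id 53008, seq 43981, length 28
14:40:48.388460 00:50:fc:58:80:0b > 00:1c:7f:0f:00:fe, ethertype IPv4 (0x0800), length 62: 10.33.85.4 > 10.33.85.1: ICMP echo reply, id 53008, seq 43981, length 28
14:40:58.388425 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f5, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.2: ICMP echo request, id 53007, seq 43982, length 28
14:40:58.388600 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f6, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.4: ICMP echo request, id 53008, seq 43982, length 28
14:40:58.388800 00:50:fc:58:80:0b > 00:1c:7f:0f:00:fe, ethertype IPv4 (0x0800), length 62: 10.33.85.4 > 10.33.85.1: ICMP echo reply, id 53008, seq 43982, length 28
14:41:08.387895 00:1c:7f:a1:01:55 > 00:50:56:a7:7f:f5, ethertype IPv4 (0x0800), length 62: 10.33.85.1 > 10.33.85.2: ICMP echo request, id 53007, seq 43983, length 28'

# ecmp_nexthop_status <capture_text> [count]
# Prints "<nexthop> reachable|unreachable <unanswered_requests>" per next hop.
# An echo reply from a next hop resets its unanswered counter.
ecmp_nexthop_status() {
    printf '%s\n' "$1" | awk -v count="${2:-3}" '
    {
        # Locate the "<src> > <dst>: ICMP echo <request|reply>," fields.
        for (i = 2; i < NF - 3; i++) {
            if ($i == ">" && $(i+2) == "ICMP" && $(i+3) == "echo") {
                src = $(i-1); dst = $(i+1); sub(/:$/, "", dst)
                kind = $(i+4); sub(/,$/, "", kind)
                if (kind == "request") { unanswered[dst]++; seen[dst] = 1 }
                else if (kind == "reply") { unanswered[src] = 0; seen[src] = 1 }
                break
            }
        }
    }
    END {
        for (h in seen)
            printf "%s %s %d\n", h,
                   (unanswered[h] >= count ? "unreachable" : "reachable"), unanswered[h]
    }' | sort
}

# ecmp_unreachable_nexthops <capture_text> [count]: only the next hops that the
# enhanced failover would remove from the routing table.
ecmp_unreachable_nexthops() {
    ecmp_nexthop_status "$1" "$2" | awk '$2 == "unreachable" { print $1 }'
}

# Stand-alone usage over the constructed sample.
ecmp_nexthop_status "$ECMP_TCPDUMP_SAMPLE"
```

Feed it a real capture with `ecmp_nexthop_status "$(cat probe.pcap.txt)"` and pass the configured `set ping count` value as the second argument; the unreachable list should match exactly the next hops that are missing from `show route`.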


ISP Redundancy
Background
The ISP Redundancy feature ensures reliable outbound Internet connectivity for a Scalable Platform. It
enables connection through redundant ISP Links.

Prerequisites
• To support ISP Redundancy in R76SP.50, you must install R76SP.50 Jumbo Hotfix Accumulator
Take 105 and above on your Scalable Platform. See sk117633
http://supportcontent.checkpoint.com/solutions?id=sk117633.
Note - These Takes of the R76SP.50 Jumbo Hotfix Accumulator support from two to ten ISP Links.
• To configure from three to ten ISP Links, you must:
• Manage your R76SP.50 Scalable Platform with the R80.10 Management Server, and
• Install the required hotfix on this R80.10 Management Server from sk140512
http://supportcontent.checkpoint.com/solutions?id=sk140512

To configure ISP Redundancy with two ISP Links


1. Connect the Scalable Platform to two external links, one for each of the ISPs.
2. In SmartDashboard or SmartConsole, configure the Scalable Platform object with two external
links, one for each of the ISPs.
See these:
• For Management Servers R76:
R76 Security Gateway Technical Administration Guide
https://sc1.checkpoint.com/documents/R76/CP_R76_SGW_WebAdmin/html_frameset.htm
- Chapter ISP Redundancy
• For Management Servers R77.X:
R77 Security Gateway Technical Administration Guide
https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityGatewayTech_WebAdmin/html_frameset.htm
- Chapter ISP Redundancy
• For Management Servers R80.X:
Pre-R80 Security Gateway Technical Administration Guide on R80 Administration Guide
https://sc1.checkpoint.com/documents/R80/CP_R80BC_SecurityGateway/html_frameset.htm
- Chapter ISP Redundancy
• How To Guide:
How to Configure ISP Redundancy in NGX R65 - R77.30 versions
http://downloads.checkpoint.com/dc/download.htm?ID=12314


To configure ISP Redundancy with three to ten ISP Links


Follow the instructions in sk140512 http://supportcontent.checkpoint.com/solutions?id=sk140512:
1. Install the required hotfix on the R80.10 Management Server.
2. Enable ISP Redundancy Enhancements on the R80.10 Management Server.
3. Configure the first and the second ISP Links in SmartDashboard or SmartConsole.
4. Configure the third and more ISP Links in the GuiDBedit Tool
http://supportcontent.checkpoint.com/solutions?id=sk13009.

Monitoring of ISP Redundancy Links


ISP Redundancy on Scalable Platforms monitors the health of the ISP Links in two ways:
• ICMP probing of hosts associated with the ISP Link, including the next hop itself.
• Link state of the interface leading to the ISP.
On Scalable Platforms, the ICMP probing is performed by a task named MISP, which runs in each
chassis on the SGM with the lowest ID.
The SGM that holds the MISP task performs the ICMP probing and updates the rest of the SGMs in
the local chassis with the status of all ISP Links. Upon SGM failover, the SGM that takes over the
MISP task resumes the ICMP probing seamlessly.
The state of the ISP Links is maintained per chassis, much like the link state of interfaces. This is
because both chassis are often placed in different racks or even sites, and the physical path to the
ISP from each chassis is different.
Upon detection of an ISP Link failure, a special script is invoked to update the default route, if
necessary, on the relevant chassis.
An Administrator can use the new asg_misp_verifier command to monitor and validate
consistency of the ISP status across the Security Group.
Syntax
> asg_misp_verifier {full | routing}

Parameters

Parameter Description
full Verifies each SGM. Default is only for MISP masters.
routing Verifies default route installed in the routing table.

Known Limitations
See sk140512 http://supportcontent.checkpoint.com/solutions?id=sk140512.


Working with the ARP Table (asg_arp)


Description
The asg_arp command shows the ARP cache for the whole Scalable Platform or for the specified
SGM, interface, MAC address, and Host name. You can show summary or verbose information. You
can also run MAC address verification on both Chassis.

Syntax
# asg_arp -h
# asg_arp [-b <SGM_IDs>] [-v] [--verify] [-i <if>] [-m <mac>] [<hostname>]
# asg_arp --legacy

Parameters
Parameter Description
-h Shows the command syntax and help information
-v Verbose mode that shows detailed SGM cache information
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-i <if> Shows the ARP cache for the specified interface
-m <mac> Shows the ARP cache for the specified MAC address
<hostname> Shows the ARP cache for the specified host name
--verify Runs MAC address verification on both Chassis and shows the results
--legacy Shows the ARP cache for each SGM in the legacy format


Sample Output for Verbose Mode


This example shows the ARP cache in the Verbose Mode for the Active Chassis.
# asg_arp -v
Address HWtype HWaddress Flags Iface SGMs
172.23.9.198 ether 00:0C:29:87:AF:15 C eth1-Mgmt1 1_1, 1_3, 1_4, 1_5
192.0.2.5 ether 00:1C:7F:05:04:FE C Sync 1_1, 1_3, 1_4
172.23.9.4 ether 00:17:65:3C:30:43 C eth1-Mgmt1 1_1
192.0.2.3 ether 00:1C:7F:03:04:FE C Sync 1_1, 1_5
192.0.2.4 ether 00:1C:7F:04:04:FE C Sync 1_1, 1_3, 1_5
192.0.2.1 ether 00:1C:7F:01:04:FE C Sync 1_3, 1_4, 1_5
24.24.24.1 ether 00:04:23:C0:0E:98 C eth2-01 1_3, 1_5
14.14.14.3 ether 00:04:23:C0:0F:5B C eth1-01 1_3, 1_5
198.51.100.32 ether 00:A0:12:99:E6:22 C eth1-CIN 1_5
198.51.100.232 ether 00:A0:12:99:65:E2 C eth2-CIN 1_5
198.51.100.33 ether 00:18:49:01:B3:82 C eth1-CIN 1_5

Sample Output for Verifying MAC Addresses


This example shows the output of the MAC address verification on the Active Chassis.
# asg_arp --verify
Address HWtype HWaddress Flags Mask Iface SGMs
172.23.9.4 ether 00:17:65:3C:30:43 C eth1-Mgmt4 2_02
192.0.2.16 ether 00:1C:7F:10:04:FE C Sync 2_03,2_04
192.0.2.17 ether 00:1C:7F:11:04:FE C Sync 2_02,2_04
192.0.2.18 ether 00:1C:7F:12:04:FE C Sync 2_02,2_03
cmm ether 00:18:49:01:6D:89 C eth1-CIN 2_02
ssm1 ether 00:A0:12:A4:63:41 C eth1-CIN 2_02
ssm2 . (incomplete) . eth2-CIN 2_02

Starting mac address verification on local chassis... (Chassis 2)
No inconsistency found on local chassis

Verifying ARP Entries


Use these commands to confirm that the Unique MAC value has changed.
For the Unique MAC database value, in the Expert mode run:
# g_allc dbget chassis:private:magic_mac
-*- 4 sgms: 1_01 1_02 2_02 2_03 -*-
22

For the Unique MAC Kernel value, in gClish run:
> fw ctl get int fwha_mac_magic
-*- 4 sgms: 1_01 1_02 2_02 2_03 -*-
fwha_mac_magic = 22

You can see the Unique MAC Identifier as the last octet of the MAC address of ethX-YZ interfaces with
the ifconfig command:
# ifconfig eth1-01
eth1-01   Link encap:Ethernet  HWaddr 00:1C:7F:81:01:16
          inet6 addr: fe80::21c:7fff:fe81:116/64 Scope:Link
          UP BROADCAST RUNNING SLAVE MULTICAST  MTU:1500  Metric:1
          RX packets:154820 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23134 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:15965660 (15.2 MiB)  TX bytes:2003398 (1.9 MiB)
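As an added example, not part of the guide or of the product, the shell functions below tie together the "Set Host Name With Unique MAC" convention and the verification above: they derive the expected Unique MAC Identifier from a host name in the <setup_name>_asg<setup_number> form (61000_GW_asg22 gives 22, or 16 in hex) and check it against the last octet of an interface MAC address in ifconfig output. The ifconfig text is a constructed sample modelled on the output above; the function names are the example's own.

```shell
#!/bin/sh
# Added example: derive the expected Unique MAC Identifier from the host name
# and verify it against an interface MAC address. Not part of the guide or the
# product; function names are the example's own.

# unique_mac_from_hostname <hostname>
# Prints the setup number (decimal, 1-254) taken from a <setup_name>_asg<N>
# host name, or returns 1 if the host name does not follow the convention.
unique_mac_from_hostname() {
    n=$(printf '%s\n' "$1" | sed -n 's/^.*_asg\([0-9]\{1,3\}\)$/\1/p')
    [ -n "$n" ] || return 1
    n=$(printf '%s\n' "$n" | sed 's/^0*\([0-9]\)/\1/')   # drop leading zeros
    [ "$n" -ge 1 ] && [ "$n" -le 254 ] || return 1
    printf '%s\n' "$n"
}

# expected_last_octet <decimal>: the identifier as the two-digit upper-case hex
# octet that ifconfig shows (22 -> 16).
expected_last_octet() {
    printf '%02X\n' "$1"
}

# last_octet_of_hwaddr <ifconfig_output>: last octet of the first HWaddr found.
last_octet_of_hwaddr() {
    printf '%s\n' "$1" \
        | sed -n 's/.*HWaddr [0-9A-Fa-f:]*:\([0-9A-Fa-f][0-9A-Fa-f]\).*/\1/p' \
        | head -n 1 | tr 'a-f' 'A-F'
}

# check_unique_mac <hostname> <ifconfig_output>
# Returns 0 when the interface MAC ends with the identifier the host name
# implies, 1 on a mismatch, 2 when the host name has no setup number.
check_unique_mac() {
    n=$(unique_mac_from_hostname "$1") || return 2
    want=$(expected_last_octet "$n")
    got=$(last_octet_of_hwaddr "$2")
    [ "$want" = "$got" ]
}

# Constructed ifconfig output, modelled on the guide's sample (not captured
# from a real system).
IFCONFIG_SAMPLE='eth1-01   Link encap:Ethernet  HWaddr 00:1C:7F:81:01:16
          inet6 addr: fe80::21c:7fff:fe81:116/64 Scope:Link'

# Stand-alone usage: the sample host name and interface agree.
if check_unique_mac 61000_GW_asg22 "$IFCONFIG_SAMPLE"; then
    echo "Unique MAC Identifier matches host name"
else
    echo "Unique MAC Identifier mismatch"
fi
```

On a live system the same check is `check_unique_mac "$(hostname)" "$(ifconfig eth1-01)"`; a mismatch after the utility has been run usually means the reboot that applies the new identifier has not happened yet.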


Sample Output for Legacy Mode


This example shows the Legacy Mode output for each SGM.
# asg_arp --legacy
1_01:
Address HWtype HWaddress Flags Mask Iface
172.23.9.198 ether 00:0C:29:87:AF:15 C eth1-Mgmt1
192.0.2.5 ether 00:1C:7F:05:04:FE C Sync
172.23.9.4 ether 00:17:65:3C:30:43 C eth1-Mgmt1
192.0.2.3 ether 00:1C:7F:03:04:FE C Sync
192.0.2.4 ether 00:1C:7F:04:04:FE C Sync
1_03:
Address HWtype HWaddress Flags Mask Iface
192.0.2.5 ether 00:1C:7F:05:04:FE C Sync
24.24.24.1 ether 00:04:23:C0:0E:98 C eth2-01
192.0.2.4 ether 00:1C:7F:04:04:FE C Sync
192.0.2.1 ether 00:1C:7F:01:04:FE C Sync
172.23.9.198 ether 00:0C:29:87:AF:15 C eth1-Mgmt1
14.14.14.3 ether 00:04:23:C0:0F:5B C eth1-01
1_04:
Address HWtype HWaddress Flags Mask Iface
192.0.2.1 ether 00:1C:7F:01:04:FE C Sync
172.23.9.198 ether 00:0C:29:87:AF:15 C eth1-Mgmt1
192.0.2.5 ether 00:1C:7F:05:04:FE C Sync
1_05:
Address HWtype HWaddress Flags Mask Iface
ssm1 ether 00:A0:12:99:E6:22 C eth1-CIN
192.0.2.3 ether 00:1C:7F:03:04:FE C Sync
172.23.9.198 ether 00:0C:29:87:AF:15 C eth1-Mgmt1
14.14.14.3 ether 00:04:23:C0:0F:5B C eth1-01
192.0.2.4 ether 00:1C:7F:04:04:FE C Sync
ssm2 ether 00:A0:12:99:65:E2 C eth2-CIN
192.0.2.1 ether 00:1C:7F:01:04:FE C Sync
cmm ether 00:18:49:01:B3:82 C eth1-CIN
24.24.24.1 ether 00:04:23:C0:0E:98 C eth2-01


Working with Proxy ARP for Manual NAT


A gateway can respond to an ARP request on behalf of other hosts with Proxy ARP. See sk30197
http://supportcontent.checkpoint.com/solutions?id=sk30197.

To configure the proxy ARP mechanism on the Scalable Platform:


1. On the local SGM, add the required entries to the $FWDIR/conf/local.arp file. Each line holds:
• An IP address for which the Scalable Platform must answer ARP requests.
• The MAC address to advertise for that IP address.
Example:
To reply to ARP requests for IP address 192.168.10.100 on interface eth2-01 with MAC address
00:1C:7F:82:01:FE, add this line to the file:
192.168.10.100 00:1C:7F:82:01:FE
Notes:
• When working on a Dual Chassis setup, the interface VMAC is different between the
Chassis.
• When editing local.arp, MAC values must be taken from the local SGM.
2. Distribute the updated local.arp file to all the SGMs in the system. Run:
# local_arp_update
This distributes the local.arp file to all SGMs in the system and automatically changes the
MAC values for SGMs on another Chassis.
3. Enable the Merge manual proxy ARP configuration option in SmartDashboard > Global
Properties > NAT.
4. Install the policy to apply the updated proxy ARP entries.
Notes:
• When you add an SGM to a system with the Proxy ARP configured, the local.arp file is
automatically copied to the new SGM from the SMO.
• When you change the local.arp file on a Virtual System, the changes apply to that Virtual
System only.
• Proxy ARP is also required when configuring Connect Control on the Scalable Platform.

Verification:
To make sure that all the entries in the local.arp file are applied correctly on the system, run:
# asg_local_arp_verifier
To compare the entries manually, run:
# g_fw ctl arp
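The following shell function is an added example, not part of the guide or the product, that checks local.arp entries before you run local_arp_update: each line must be a valid IPv4 address followed by a well-formed unicast MAC address, and an IP address may appear only once. The unicast and duplicate checks are the example's own, not requirements stated by the guide; the sample file is constructed from the guide's example entry.

```shell
#!/bin/sh
# Added example: sanity-check $FWDIR/conf/local.arp entries before running
# local_arp_update. Not part of the guide or the product.
# File format from the guide: one "<ip> <mac>" pair per line. The checks for a
# unicast MAC and for duplicate IP entries are the example's own assumptions.

# Constructed sample; the first line is the guide's own example entry.
LOCAL_ARP_SAMPLE='192.168.10.100 00:1C:7F:82:01:FE
192.168.10.101 00:1C:7F:82:01:FE'

# local_arp_check <file_contents>
# Prints the accepted "<ip> <MAC>" entries (MAC normalised to upper case);
# reports problems on stderr and returns 1 if any line was rejected.
local_arp_check() {
    printf '%s\n' "$1" | awk '
    function bad(msg) { print "line " NR ": " msg > "/dev/stderr"; rc = 1 }
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    BEGIN { rc = 0 }
    /^[[:space:]]*(#|$)/ { next }                      # comments and blank lines
    {
        if (NF != 2) { bad("expected \"<ip> <mac>\""); next }
        ip = $1; mac = $2
        # Dotted-quad IPv4 with every octet in 0-255.
        n = split(ip, o, ".")
        ok = (n == 4)
        for (i = 1; i <= n && ok; i++) ok = (o[i] ~ /^[0-9]+$/ && o[i] + 0 <= 255)
        if (!ok) { bad("invalid IPv4 address " ip); next }
        # Six colon-separated hex octets.
        if (length(mac) != 17 || mac !~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/) {
            bad("invalid MAC address " mac); next
        }
        # Bit 0 of the first octet set means a group (multicast) address,
        # which cannot be advertised as a host address.
        if (hexval(substr(mac, 2, 1)) % 2 == 1) { bad("multicast MAC address " mac); next }
        if (ip in seen) { bad("duplicate entry for " ip); next }
        seen[ip] = 1
        print ip, toupper(mac)
    }
    END { exit rc }'
}

# Stand-alone usage: check the sample and stop on the first problem.
local_arp_check "$LOCAL_ARP_SAMPLE" || exit 1
```

Run it as `local_arp_check "$(cat $FWDIR/conf/local.arp)"` on the SGM where you edited the file; only distribute the file with local_arp_update when the function exits 0.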


Configuring Port Speed


Configure Port Speed as follows.

Configuring SSM Port Speed


The SSM data ports speed can be set as follows:
• Ports 1-7 speed can be set manually to Auto, 1G, or 10G speed.
• Port 8 on each SSM is the Sync port. The speed is always 10G.
• Ports 9-16 on SSM160, and ports 9-40 on SSM440 are the QSFP ports.
Their speeds are set according to the SSM QSFP ports mode.
• A license is required to use the 100G ports on SSM440.
Supported Fanouts on SSM440

Option   Ports 01-08   Ports 09-24   Ports 25-40
1        8 x 10G       4 x 40G       2 x 100G
2        8 x 10G       16 x 10G      2 x 100G
3        8 x 10G       4 x 40G       2 x 40G
4        8 x 10G       16 x 10G      8 x 10G

Configuring speed on the SSM ports 1-7


Description
Use this command in gClish to configure and show the speed of the SSM data ports.
The configuration is saved to the database on all SGMs.

Syntax
> set interface <ifn> link-speed <speed>

For more information, see the R76SP.50 Scalable Platforms Gaia Administration Guide
https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/html_frameset.htm -
Chapter Network Management - Section Network Interfaces.

Parameters
Parameter Description
<ifn> Interface name with the ethX-YZ format
Example: eth1-01
<speed> Interface speed:
• auto - Automatically selected based on the hardware
detected
• 1G - 1 Gbit/second
• 10G - 10 Gbit/second


Example
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > set interface eth1-01 link-speed 1G
1_01:
success

[Global] MyChassis-ch01-01 > show interface eth1-01 speed


1_01:
speed 1G
[Global] MyChassis-ch01-01 >

Configuring the QSFP Ports Mode on the SSM


Description
Use this command in gClish to configure and show the QSFP ports mode on the SSM.
Configuration will be saved to the database on all SGMs.
Important - This procedure causes an SSM reboot and can lead to a traffic outage.

Syntax
> set ssm id <ssm_id> qsfp-ports-mode <qsfp_mode>

Parameters
Parameter Description
<ssm_id> SSM identification number.
<qsfp_mode> Specifies the QSFP ports mode.
For SSM160:
• 4x10G
Ports 9-16 work in 10G mode
• 40G
Ports 9,13 work in 40G mode
For SSM440:
• 2x100G_4x40G
Ports 9,13,17,21 work in 40G mode
Ports 25,33 work in 100G mode
• 6x40G
Ports 9,13,17,21,25,33 work in 40G mode
• 32x10G
Ports 9-40 work in 10G mode
• 2x100G_16x10G
Ports 9-24 work in 10G mode
Ports 25,33 work in 100G mode

Example
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > set ssm id 2 qsfp-ports-mode 2x100G_16x10G
You are about to perform SSM QSFP ports mode configuration on SSM: 2 on blades: all

After this action SSM will be rebooted automatically.


It might cause performance hit or outage for a period of time.

Are you sure? (Y - yes, any other key - no) y

SSM QSFP ports mode configuration on SSM: 2 requires auditing


Enter your full name: admin
Enter reason for SSM QSFP ports mode configuration on SSM: 2 [Maintenance]: Maintenance
WARNING: SSM QSFP ports mode configuration on SSM: 2 on blades: all, User: admin, Reason: Maintenance
Please wait...
1_01:
success
[Global] MyChassis-ch01-01 >

Showing the Configured Port Settings


Description
This command confirms that:
• The SSM port speed is configured as defined in the database.
• The SSM QSFP ports mode is configured as defined in the database.

Syntax
> show smo verifiers print name Port_Speed

Example
> show smo verifiers print name Port_Speed
==============================
Port Speed:
==============================

+--------------------------------------------------------------------+
|Port speed verifier |
+---------------+-------------+-------------+-------------+----------+
|Interface |DB |Chassis1 |Chassis2 |Result |
+---------------+-------------+-------------+-------------+----------+
|eth1-01 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-02 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-03 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-04 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-05 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-06 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-07 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-09 |40G |40G |40G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-10 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-11 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-12 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-13 |40G |40G |40G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-14 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-15 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-16 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-01 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-02 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-03 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-04 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-05 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-06 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-07 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-09 |40G |40G |40G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-10 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-11 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-12 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-13 |40G |40G |40G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-14 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-15 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|eth2-16 |auto |auto |auto |OK |
+---------------+-------------+-------------+-------------+----------+
|SSM1 QSFP mode |40G |40G |40G |OK |
+---------------+-------------+-------------+-------------+----------+
|SSM2 QSFP mode |40G |40G |40G |OK |
+---------------+-------------+-------------+-------------+----------+
Comparing SSMs configuration with DB... [ OK ]

-------------------------------------------------------------------------------
| Tests Status |
-------------------------------------------------------------------------------
| ID | Title | Result | Reason |
-------------------------------------------------------------------------------
| Networking |
-------------------------------------------------------------------------------
| 39 | Port Speed | Passed | |
-------------------------------------------------------------------------------
| Tests Summary |
-------------------------------------------------------------------------------
| Passed: 1/1 test |
| Setting MOTD... |
| Output file: /var/log/verifier_sum.39.2017-03-26_18-21-32.txt |
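
The verifier table above is easy to read by eye once, but on a dual-chassis system it is the kind of output an operator wants to check automatically after every port change. The following is an added example, not part of the guide or a Check Point tool: a small Python parser for saved output of "show smo verifiers print name Port_Speed" that compares the DB column with every ChassisN column itself, instead of trusting the Result column. The table content is constructed; the FAILED wording in the mismatched row is an assumption, since the guide only shows OK rows.

```python
"""Drift check over saved "show smo verifiers print name Port_Speed" output."""
from typing import Dict, List

# Constructed sample of the Port_Speed verifier table (not output from a real
# system). The DB column holds the configured speed; each ChassisN column holds
# what the SSM in that chassis reports. Row eth1-02 is deliberately out of
# sync; its "FAILED" result text is an assumption, the guide only shows "OK".
SAMPLE_OUTPUT = """\
==============================
Port Speed:
==============================

+--------------------------------------------------------------------+
|Port speed verifier |
+---------------+-------------+-------------+-------------+----------+
|Interface |DB |Chassis1 |Chassis2 |Result |
+---------------+-------------+-------------+-------------+----------+
|eth1-01 |10G |10G |10G |OK |
+---------------+-------------+-------------+-------------+----------+
|eth1-02 |10G |10G |1G |FAILED |
+---------------+-------------+-------------+-------------+----------+
|eth1-09 |40G |40G |40G |OK |
+---------------+-------------+-------------+-------------+----------+
|SSM1 QSFP mode |40G |40G |40G |OK |
+---------------+-------------+-------------+-------------+----------+
Comparing SSMs configuration with DB... [ OK ]
"""


def parse_port_speed_verifier(text: str) -> List[Dict[str, str]]:
    """Return one dict per interface row, keyed by the table's column names."""
    rows: List[Dict[str, str]] = []
    header: List[str] = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                      # "+----+" separators and banner text
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue                      # the single-cell title row
        if not header:
            header = cells                # Interface, DB, Chassis1, Chassis2, Result
            continue
        rows.append(dict(zip(header, cells)))
    return rows


def find_port_speed_drift(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Rows where any chassis reports a speed different from the DB value.

    The DB and Chassis columns are compared directly rather than relying on
    the Result column, so a change in the result wording cannot hide a
    mismatch between the database and what an SSM actually runs.
    """
    drift: List[Dict[str, object]] = []
    for row in rows:
        expected = row["DB"]
        mismatch = {col: val for col, val in row.items()
                    if col.startswith("Chassis") and val != expected}
        if mismatch:
            drift.append({"interface": row["Interface"], "db": expected,
                          "mismatch": mismatch, "result": row.get("Result")})
    return drift


if __name__ == "__main__":
    for d in find_port_speed_drift(parse_port_speed_verifier(SAMPLE_OUTPUT)):
        print(f"{d['interface']}: DB={d['db']} but {d['mismatch']} "
              f"(verifier said {d['result']})")
```

Run it against the saved text of the command (or the output file the verifier names at the end of its run) after a link-speed or QSFP mode change; an empty drift list means every chassis matches the database.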

Management Port Speed Configuration


Set the speed of a management port on a Dual Chassis configuration.

To set the speed on both Chassis:


1. Connect to the SSM CLI.
2. Run these commands:
# config
# port <port>
# speed <speed>
# commit
# end
3. Make sure the port speed is correct:
# show port <port>

Parameters
Parameter Description
<port> In SSM160 use:
1/5/3 for ethX-Mgmt3
1/5/4 for ethX-Mgmt4
In SSM440 use:
1/6/1 for ethX-Mgmt3
1/6/2 for ethX-Mgmt4
<speed> Speed in Mbps
Valid values:
10000 (only on SSM440)
1000
100

Example
T-HUB4# config
Entering configuration mode terminal
T-HUB4(config)# port 1/5/4
T-HUB4(config-port-1/5/4)# speed 100
T-HUB4(config-port-1/5/4)# commit
Commit complete.
T-HUB4(config-port-1/5/4)# end

T-HUB4# show port 1/5/4

============================================================================
Ethernet Interface
============================================================================
Interface : 1/5/4
Description :
Admin State : up Port State : up
Config Duplex : auto Operational Duplex : full
Config Speed : 100 Operational Speed(Mbps) : 100
-------------------------------------------------------------------------------
Flow Control : disabled
Dual Port : No Active Link : RJ45
-------------------------------------------------------------------------------
Default VLAN : 1 MTU[Bytes] : 1544
MAC Learning :
LAG ID : N/A
============================================================================
T-HUB4#

Configuring Multicast Routing


Multicast groups are addresses or address ranges. A multicast group address receives messages
from different sources. Each source sends one multicast IP datagram, which multicast-capable
routers replicate where needed to deliver it to the different receivers. This saves bandwidth
because a separate datagram does not have to be sent to each receiver. Sources use the group
address as the IP destination in their data packets. Receivers join a group by sending IGMP
membership reports, which their default routers process, and then receive the packets sent to
that group.
For example, if data packets have content for group 239.1.1.1, the source sends the data packets
to group 239.1.1.1. The receiver joins group 239.1.1.1 to receive those data packets.

Configure Dynamic Multicast Routing (PIM Dense Mode):


• For each interface that uses PIM Dense Mode, run:
> set pim interface <if_name> on
• To set the PIM mode to Dense, run:
> set pim mode dense

To change the PIM Multicast Routing Mode between dense and sparse:
1. For each applicable interface, run:
> set pim interface <if_name> off
2. For Dense Mode, run:
> set pim mode dense
For Sparse Mode, run:
> set pim mode sparse
3. For each applicable interface, run:
> set pim interface <if_name> on
Important - You must use this procedure to change the mode. Failure to do so can cause
unexpected behavior.
Validation:
Run:
> show pim interfaces
Example:
> set pim interface eth1-01 on
1_01:
success
> set pim interface eth1-02 on
1_01:
success
> set pim interface eth2-01 on
1_01:
success
> set pim mode dense
1_01:
success
> show pim interfaces
1_01:
Status flag: V - virtual address option enabled
Mode flag: SR - state refresh enabled
Interface Status State Mode DR Address DR Pri NumNbrs
eth2-01 Up DR dense 2.2.2.10 1 0
eth1-01 Up DR dense 12.12.12.10 1 0
eth1-02 Up DR dense 22.22.22.10 1 0

Multicast Restrictions
Multicast access restrictions can be defined on each interface to allow or block multicast groups.

Configuration:
In SmartDashboard edit the Gateway Properties > Topology > Add or Edit interface > Multicast
Restrictions tab.

Field   Description
Drop multicast packets whose destination is in the list - Specifies that outgoing packets from
this interface to the listed multicast destinations are dropped.
Drop all multicast packets except those whose destination is in the list - Specifies that
outgoing packets from this interface to all multicast destinations except those listed are
dropped.
Add - Adds a multicast address or address range to the list.
Remove - Removes a multicast address or address range from the list.
Tracking - Tracks when multicast packets are dropped.

Limitation - Multicast restrictions are not supported on bridge interfaces.

Multicast Acceleration
Multicast Acceleration allows SecureXL to accelerate multicast flow in fan-out scenarios as well.

Configuration:
Multicast Acceleration is enabled by default. Use these commands to enable or disable it:
> sim feature mcast_route_v2 {on|off}
> fwaccel off
> fwaccel on

Limitations:
Multicast Acceleration supports IPv4 only.

Validation and Debugging:


> fwaccel stat
-*- 4 blades: 1_01 1_02 2_01 2_02 -*-
Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS,McastRouting,
WireMode, DropTemplates, NatTemplates,
Streaming, MultiFW, AntiSpoofing, DoS Defender,
ViolationStats, Nac, AsychronicNotif, McastRoutingV2,
ConnectionsLimit
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256

Actions and Syntax:


Action Syntax
Show accelerator connections table > fwaccel conns

Show multicast statistics > fwaccel stats -m

Enable SIM debug > sim dbg -m drv + routing

Example:
This example disables the feature.
> sim feature mcast_route_v2 off
-*- 4 blades: 1_01 1_02 1_03 1_04 -*-
Feature will be disabled the next time acceleration is started/restarted

> fwaccel off


-*- 4 blades: 1_01 1_02 1_03 1_04 -*-
SecureXL device disabled.

> fwaccel on
-*- 4 blades: 1_01 1_02 1_03 1_04 -*-
SecureXL device is enabled.

> fwaccel stat


-*- 4 blades: 1_01 1_02 1_03 1_04 -*-
Accelerator Status : on
Accept Templates : enabled
Drop Templates : disabled
NAT Templates : enabled
Accelerator Features : Accounting, NAT, Cryptography, Routing,
HasClock, Templates, Synchronous, IdleDetection,
Sequencing, TcpStateDetect, AutoExpire,
DelayedNotif, TcpStateDetectV2, CPLS, McastRouting,
WireMode, DropTemplates, NatTemplates,
Streaming, MultiFW, AntiSpoofing, DoS Defender,
ViolationStats, Nac, AsychronicNotif
Cryptography Features : Tunnel, UDPEncapsulation, MD5, SHA1, NULL,
3DES, DES, CAST, CAST-40, AES-128, AES-256,
ESP, LinkSelection, DynamicVPN, NatTraversal,
EncRouting, AES-XCBC, SHA256

Working with Routing Tables (asg_route)


asg_route is an advanced utility that collects and shows routing information on all SGMs.
asg_route confirms that:
• The route information in the Security System database matches the information in the
operating system routing table. If they do not match, there can be routing errors.
• The routing information is the same on all SGMs.
Filter and customize the route information you collect with these criteria:
• Specified SGMs or Chassis
• Virtual Systems
• IPv4 and IPv6 addresses
• Dynamic routing protocols
• Static routes
• Source-based routes
• Inactive routes

Run a summary report to see the number of routes in different categories and protocols. The
summary report confirms that the routing information is the same on all SGMs.

Basic Syntax
Syntax
> asg_route -h
> asg_route -v
> asg_route [-a] [-b <SGM_IDs>] [-6] [-vs <VS_IDs>] --inactive [<filter>]
> asg_route [-a] [-b <SGM_IDs>] [-6] [-vs <VS_IDs>] --compare-os-db

Parameters
Parameter Description
-h Shows the command syntax, help information and examples.
-v Collects route information from all SGMs, and saves it to a file at:
/var/log/asg_route/all_routes
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-6 Shows IPv6 routes only (default shows IPv4 routes only).
-a Shows all SGMs, including those that are in the Admin DOWN state.
-vs <VS_IDs> Shows the routing table only for the specified Virtual Systems.
<VS_IDs> can be:
• No <VS_IDs> (default) - Uses the current Virtual System context
• One Virtual System
• A comma-separated list of Virtual Systems (1, 2, 4, 5)
• A range of Virtual Systems (VS 3-5)
• all - Shows all Virtual Systems
Note - This parameter is only applicable in a VSX environment.

--inactive Optional inactive route filter parameters (on page 59).


<filter> Optional advanced routing parameters (on page 59).
--compare-os-db Compares the routing data in the database with the operating system and
shows:
• All routes in the database that are in the operating system routing table
• All routes in the operating system routing table that are not in the
database

Note - You can put many basic options together on one line, but you can use only one
advanced_filter option.

Using an SGM Filter

Example 1:
This example shows a simple filter for one SGM. The route type is a one-letter code in the left
column; the route type codes are listed at the end of the output.
> asg_route -b 1_01
Collecting routing information, may take few seconds...
==============================================================================

Fetching Routes info from SGMs:


1_01

Routes:
C 127.0.0.0/8 is directly connected, lo
C 130.0.0.0/24 is directly connected, eth1-CIN
C 172.23.9.0/24 is directly connected, eth1-Mgmt4
C 192.0.2.0/24 is directly connected, Sync
S 0.0.0.0/0 via 172.23.9.4, eth1-Mgmt4, cost 0

Types: C - Connected, S - Static, R - RIP, B - BGP,


O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
SBR - Source-Based Routes

Example 2:
This example shows a complex SGM filter that includes 4 SGMs. The results show route
inconsistencies between the Scalable Platform and the operating system.
> asg_route -b 1_1,2_1-2_3
Collecting routing information, may take few seconds...
==============================================================================

Fetching Routes info from SGMs:


1_01,2_01,2_02,2_03

-------------------------------------------------------
Status: DB Routes info is NOT identical on all SGMs
OS Routes info is NOT identical on all SGMs
-------------------------------------------------------

Identical DB Routes: (21 records)


C 10.33.86.0/24 is directly connected, bond2.160
C 10.33.87.0/24 is directly connected, bond2.163
C 10.33.89.0/24 is directly connected, bond2.165
C 127.0.0.0/8 is directly connected, lo
C 192.0.2.0/24 is directly connected, Sync
C 192.168.15.128/25 is directly connected, eth1-Mgmt4
C 192.168.33.0/24 is directly connected, bond1.33
C 192.168.34.0/24 is directly connected, bond1.34
C 198.51.100.0/25 is directly connected, eth1-CIN
C 198.51.100.128/25 is directly connected, eth2-CIN
C 2.2.2.0/24 is directly connected, bond2.166
S 0.0.0.0/0 via 192.168.33.1, bond1.33, cost 0
S 16.0.0.0/24 via 10.33.86.16, bond2.160, cost 0
S 16.0.1.0/24 via 10.33.86.16, bond2.160, cost 0
S 16.0.2.0/24 via 10.33.86.16, bond2.160, cost 0
S 16.0.3.0/24 via 10.33.86.16, bond2.160, cost 0
S 16.0.4.0/24 via 10.33.86.16, bond2.160, cost 0
S 16.0.5.0/24 via 10.33.86.16, bond2.160, cost 0
S 16.0.6.0/24 via 10.33.86.16, bond2.160, cost 0
S 16.0.8.0/24 via 10.33.86.16, bond2.160, cost 0
S 194.29.40.138/32 via 192.168.15.254, eth1-Mgmt4, cost 0

Inconsistent DB Routes:
1_01:
-

2_01:
R 10.33.96.0/24 via 192.168.33.96, bond1.33, cost 2, tag 13142
R 15.0.2.0/24 via 192.168.33.96, bond1.33, cost 2, tag 13142

2_02:
-

2_03:
R 10.33.96.0/24 via 192.168.33.96, bond1.33, cost 2, tag 13142
R 15.0.2.0/24 via 192.168.33.96, bond1.33, cost 2, tag 13142

Types: C - Connected, S - Static, R - RIP, B - BGP,


O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
SBR - Source-Based Routes

Using the Summary Option (--summary)


The --summary parameter shows this summary information:
• Total number of routes by route type
• Summary of routes that are the same on the database and the operating system routing table
• Summary of routes where the database and the operating system are different
• OSPF interfaces and neighbors
• BGP peers

Example:
> asg_route --summary
Collecting routing information, may take few seconds...
OSPF interfaces -
-*- 6 blades: 1_02 1_03 1_04 2_01 2_02 2_03 -*-
Name IP Address Area ID State DR Interface BDR Interface
bond1.34 192.168.34.86 0.0.0.86 DR 192.168.34.86 0.0.0.0
bond2.163 10.33.87.1 0.0.0.91 BDR 10.33.87.88 10.33.87.1

Status: OK
==============================================================================
OSPF neighbors -
-*- 6 blades: 1_02 1_03 1_04 2_01 2_02 2_03 -*-
Neighbor Pri State Address Interface
10.33.87.88 1 FULL/DR 10.33.87.88 10.33.87.1

Status: OK
==============================================================================
BGP peers -
-*- 1 blade: 1_02 (DR Manager) -*-
PeerID AS State ActRts Routes InUpds OutUpds Uptime
192.168.33.96 86 Active 0 0 0 0 00:00:00

-*- 5 blades: 1_03 1_04 2_01 2_02 2_03 -*-


PeerID AS State
92.168.33.96 86 Idle
192.168.34.33 161 Idle
192.168.33.94 162 Idle
192.168.34.94 162 Idle

Status: OK
==============================================================================

Fetching Summary info from SGMs:


1_02,1_03,1_04,2_01,2_02,2_03

-------------------------------------------------------
Status: DB Summary info is NOT identical on all SGMs
OS Summary info is identical on all SGMs
-------------------------------------------------------

Identical DB Summary: (7 records)


Total 628
aggregate 0
connected 11
igrp 0
ospf 602
rip 2
static 10

-------------------------------------------------------
Identical OS Summary: (649 records)

Comparing the OS Routing Table with the Database (--compare-os-db)


Use the --compare-os-db option to compare the routing data in the database with the operating
system routing table. The output shows:
• All routes in the database that are in the operating system routing table
• All routes in the operating system routing table that are not in the database

Example:
> asg_route --compare-os-db
Collecting routing information, may take few seconds...
==============================================================================

Fetching Routes info from SGMs:


1_01

>> Found inconsistency between routes in DB & OS

DB Routes that does not exists in OS: (7 records)


O E 10.33.92.0/24 via 10.33.87.88, bond2.163, cost 2:0
O E 12.1.145.0/24 via 10.33.87.88, bond2.163, cost 2:0
O E 12.1.146.0/24 via 10.33.87.88, bond2.163, cost 2:0
O E 12.1.147.0/24 via 10.33.87.88, bond2.163, cost 2:0
O E 12.1.148.0/24 via 10.33.87.88, bond2.163, cost 2:0
O E 12.1.149.0/24 via 10.33.87.88, bond2.163, cost 2:0
O E 12.1.150.0/24 via 10.33.87.88, bond2.163, cost 2:0

OS Routes that does not exist in DB: (6 records)


9.9.9.9 via 10.33.87.88 dev bond2.163 proto gated
12.3.0.0/24 via 10.33.87.88 dev bond2.163 proto gated
12.3.1.0/24 via 10.33.87.88 dev bond2.163 proto gated
12.3.2.0/24 via 10.33.87.88 dev bond2.163 proto gated
12.3.3.0/24 via 10.33.87.88 dev bond2.163 proto gated
12.3.4.0/24 via 10.33.87.88 dev bond2.163 proto gated
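
The two checks asg_route performs, the per-SGM comparison shown in Example 2 of the SGM filter section (identical versus inconsistent DB routes) and the DB-versus-OS comparison of --compare-os-db, can also be reproduced offline on collected output, which is useful when you want to diff a saved baseline against a later capture. The following is an added example and not Check Point's asg_route code: it parses the two route line formats the guide shows (the DB format "<type> <prefix> via <nh>, <dev>, cost ..." / "is directly connected, <dev>" and the OS "ip route" style "<prefix> via <nh> dev <dev> ..."), keys each route on prefix, next hop and interface, and computes the same sets. All sample routes are constructed; the interface and address values are invented.

```python
"""Offline re-implementation of the two asg_route consistency checks."""
import ipaddress
import re
from typing import Dict, Set, Tuple

# (prefix, next hop or "direct", interface): what must agree for two entries
# to count as the same route. Cost and tag are deliberately not part of the key.
RouteKey = Tuple[str, str, str]

# DB lines as asg_route prints them.
DB_VIA = re.compile(
    r"^(?P<type>[A-Za-z](?: [A-Za-z])*)\s+(?P<prefix>\S+)\s+via\s+"
    r"(?P<nh>[^,\s]+),\s*(?P<dev>[^,\s]+)")
DB_DIRECT = re.compile(
    r"^(?P<type>[A-Za-z](?: [A-Za-z])*)\s+(?P<prefix>\S+)\s+"
    r"is directly connected,\s*(?P<dev>\S+)")
# OS lines in "ip route" style: "<prefix> [via <nh>] dev <dev> ..."
OS_ROUTE = re.compile(
    r"^(?P<prefix>\S+)(?:\s+via\s+(?P<nh>\S+))?\s+dev\s+(?P<dev>\S+)")

# Constructed sample output (same layout as the guide's examples, values invented).
DB_1_01 = """\
C 127.0.0.0/8 is directly connected, lo
C 10.33.87.0/24 is directly connected, bond2.163
S 0.0.0.0/0 via 192.168.33.1, bond1.33, cost 0
O E 10.33.92.0/24 via 10.33.87.88, bond2.163, cost 2:0
Types: C - Connected, S - Static, R - RIP, B - BGP,
"""
# SGM 2_01 has learned one RIP route that 1_01 has not.
DB_2_01 = DB_1_01 + "R 10.33.96.0/24 via 192.168.33.96, bond1.33, cost 2, tag 13142\n"
# OS table of 1_01: the OSPF external route is missing and a host route is extra.
OS_1_01 = """\
default via 192.168.33.1 dev bond1.33 proto gated
10.33.87.0/24 dev bond2.163 proto kernel scope link src 10.33.87.1
127.0.0.0/8 dev lo scope link
9.9.9.9 via 10.33.87.88 dev bond2.163 proto gated
"""


def _prefix(text: str) -> str:
    """Normalise 'default', bare host addresses and prefixes to one CIDR spelling."""
    if text == "default":
        return "0.0.0.0/0"
    return str(ipaddress.ip_network(text, strict=False))


def parse_db_routes(text: str) -> Set[RouteKey]:
    routes: Set[RouteKey] = set()
    for line in text.splitlines():
        m = DB_DIRECT.match(line)
        if m:
            routes.add((_prefix(m["prefix"]), "direct", m["dev"]))
            continue
        m = DB_VIA.match(line)
        if m:
            routes.add((_prefix(m["prefix"]), m["nh"], m["dev"]))
        # legend, headers and inactive "unusable route" lines are ignored
    return routes


def parse_os_routes(text: str) -> Set[RouteKey]:
    routes: Set[RouteKey] = set()
    for line in text.splitlines():
        m = OS_ROUTE.match(line)
        if m:
            routes.add((_prefix(m["prefix"]), m["nh"] or "direct", m["dev"]))
    return routes


def compare_db_os(db_text: str, os_text: str) -> Dict[str, Set[RouteKey]]:
    """What --compare-os-db reports: DB routes missing from the OS, and vice versa."""
    db, os_ = parse_db_routes(db_text), parse_os_routes(os_text)
    return {"db_only": db - os_, "os_only": os_ - db}


def compare_across_sgms(per_sgm: Dict[str, Set[RouteKey]]):
    """Split per-SGM route sets into the routes all SGMs share and each SGM's leftovers."""
    identical = set.intersection(*per_sgm.values()) if per_sgm else set()
    inconsistent = {sgm: routes - identical for sgm, routes in per_sgm.items()}
    return identical, inconsistent


if __name__ == "__main__":
    identical, inconsistent = compare_across_sgms(
        {"1_01": parse_db_routes(DB_1_01), "2_01": parse_db_routes(DB_2_01)})
    status = "identical" if not any(inconsistent.values()) else "NOT identical"
    print(f"DB Routes info is {status} on all SGMs ({len(identical)} shared records)")
    for sgm, extra in inconsistent.items():
        print(f"  {sgm}: {sorted(extra) or '-'}")
    diff = compare_db_os(DB_1_01, OS_1_01)
    print("DB routes missing from OS:", sorted(diff["db_only"]))
    print("OS routes missing from DB:", sorted(diff["os_only"]))
```

Because the key is prefix, next hop and interface, a route that differs between SGMs only in cost or tag is reported as consistent; extend RouteKey with those fields if that distinction matters in your environment.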

Using the Advanced Filters


You can customize the routing table with Advanced Filters to show only the routes that you want to
see.

Advanced Filter Criterion Description


--route Shows active routes filtered by a specified parameter.
--inactive Shows inactive routes filtered by a specified parameter.
--dyn-route Shows specified OSPF and BGP route information and confirms
there are no inconsistencies between SGMs.

Each Advanced Filter has many different parameters. You can use the filter to show a precisely
filtered route list.

Advanced Filter Syntax and Parameters


You can combine many basic options on one line.
You can only use one Advanced Filter option at a time.
Syntax
> asg_route [<basic_options>] -n | --dyn-route <dyn_route_par>

Parameters

<dyn_route_par> Description
ospf Shows OSPF interfaces and neighbors
rip Shows RIP interfaces and neighbors
bgp Shows BGP peers

Syntax
> asg_route [<basic_options>] -r | --route <adv_par>

Parameters

<adv_par> Description
aggregate Shows active aggregate routes
bgp Shows BGP peers
destination <ip_addr> Shows routes to the specified destination
direct Shows directly connected routes

exact <ip_addr/mask> Shows a route from the specified IP address

subnets <ip_addr/mask> Shows routes to the specified network and subnets


ospf Shows OSPF interfaces and neighbors
static Shows static routes
rip Shows RIP interfaces and neighbors
all Shows all routes (including inactive routes)

Syntax
> asg_route [<basic_options>] -i | --inactive <inact_route_par>

Parameters

<inact_route_par> Description
aggregate Shows active aggregate routes
bgp Shows BGP routes
direct Shows directly connected routes
ospf Shows routes received from OSPF
static Shows static routes
rip Shows RIP Routes
all Shows all routes (including inactive routes)

Advanced Filter Examples

Example 1 - BGP routes for all SGMs:


> asg_route -b all --route bgp
Collecting routing information, may take few seconds...

===============================================================================
Fetching Routes info from SGMs:
1_01

Routes:
B 10.33.88.0/24 via 192.168.34.33, bond1.34, cost -1
B 10.33.94.0/24 via 192.168.33.94, bond1.33, cost -1
B 10.34.94.0/24 via 192.168.34.94, bond1.34, cost -1

Types: C - Connected, S - Static, R - RIP, B - BGP,


O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
SBR - Source-Based Routes

-------------------------------------------------------
===============================================================================

Example 2 - Dynamic Routing filter for OSPF neighbors:


> asg_route --dyn-route ospf
Collecting routing information, may take few seconds...
OSPF neighbors -
-*- 1 blade: 1_01 -*-
Neighbor Pri State Address Interface
10.33.94.1 1 FULL/BDR 192.168.33.94 192.168.33.86
10.33.87.88 1 FULL/BDR 10.33.87.88 10.33.87.1

Status: OK

Example 3 - Inactive OSPF Routes:


> asg_route --inactive ospf
Collecting routing information, may take few seconds...
===============================================================================

Fetching Routes info from SGMs:


1_01

Routes:
O H i 10.33.87.0/24 is an unusable route
O H i 192.168.33.0/24 is an unusable route
O H i 192.168.34.0/24 is an unusable route
O E i 194.29.40.138/32 via 10.33.87.88, bond2.163, cost 2:0

Types: C - Connected, S - Static, R - RIP, B - BGP,


O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
SBR - Source-Based Routes

-------------------------------------------------------
===============================================================================

Note - Do not use -v with an advanced filter. Otherwise, the command ignores the advanced filter
and shows all the routes.

Dynamic Routing
When you enable Dynamic Routing, one SGM becomes the dynamic routing peer and is called the
Dynamic Routing Manager (DR Manager). The DR Manager communicates with its dynamic
routing peers and updates the dynamic routing information on the SGMs. Before an SGM goes to
the UP state, it updates its dynamic routing information with the information it receives from the
DR Manager.
There are Unicast Routing packets and Multicast Routing packets. The SSM sends dynamic
routing packets to an arbitrary SGM based on the distribution decision of the SSM. The DR
Manager does not necessarily make the distribution decision. If the SGM is not the DR Manager,
the packets are forwarded to the DR Manager.

Unicast Routing
When an SGM that is not the DR Manager gets unicast IP routing packets, the SGM forwards them
to the DR Manager. Use asg_route to run Unicast Routing.

Multicast Routing
When the SGM gets Multicast Routing packets, the SGM forwards them to each of the SGMs. Each
SGM handles its own packets. Use asg_pim, asg_pim_neighbors, and asg_igmp to run
Multicast Routing.

To identify which SGM is the DR Manager:


> asg stat -i tasks
Chassis ID: 1
-------------
Task (Task ID) SGM ID

SMO (0) 1(local)


DR Manager (4) 1(local)
UIPC (5) 1(local)
General (1) 2
LACP (2) 3
CH Monitor (3) 4

Chassis ID: 2
-------------
Task (Task ID) SGM ID

UIPC (5) 1
General (1) 2
LACP (2) 3
CH Monitor (3) 4

Limitation - Only IPv4 routing protocols are supported.

Multiple OSPFv2 Instances


You can configure as many OSPF instances as necessary. Each instance contains a fully
independent OSPF database. The routes from one instance are not disclosed to other instances.
Note - In some cases, show commands refer to the vrf instance and not to the OSPF instance ID.

Prerequisites
• If you use a Virtual System only for connectivity between Virtual Systems with Per Virtual
System High Availability or VSLS, you must connect an interface to the Virtual System. See
sk36980 http://supportcontent.checkpoint.com/solutions?id=sk36980 for details.
• Make sure the router ID is the same for all SGMs, but unique for each Virtual System in the
network.
• Make sure the OSPF configuration is the same on all SGMs.
Enabling and Disabling OSPFv2 Multiple Instances
Make sure the default OSPF instance is configured on at least one interface:
> set ospf ospf-instance default on
> set ospf ospf-instance default area backbone on
> set ospf ospf-instance default interface <interface_name> area backbone on

You can use routemaps for route redistribution between instances. You can use the same
procedure as redistribution between protocols.

Example - Enable Multiple OSPFv2 instances:


> set ospf ospf-instance default on
> set ospf ospf-instance default area backbone on
> set ospf ospf-instance default interface bond0.173 area backbone on
> set ospf ospf-instance default interface eth1-05 area backbone on
> set ospf ospf-instance default export-routemap <ROUTEMAP_NAME> preference 1 on
> set ospf ospf-instance 174 on
> set ospf ospf-instance 174 area backbone on
> set ospf ospf-instance 174 area 255.1.1.1 on
> set ospf ospf-instance 174 interface bond0.174 area 255.1.1.1 on

Example - Redistribute network between instances and restrict specified network:


> set routemap <ROUTEMAP_NAME> id 1 on
> set routemap <ROUTEMAP_NAME> id 1 restrict
> set routemap <ROUTEMAP_NAME> id 1 match protocol ospf2
> set routemap <ROUTEMAP_NAME> id 1 match ospf-instance 174 on
> set routemap <ROUTEMAP_NAME> id 1 match network 75.75.12.0/24 all
> set routemap <ROUTEMAP_NAME> id 3 on
> set routemap <ROUTEMAP_NAME> id 3 allow
> set routemap <ROUTEMAP_NAME> id 3 match ospf-instance 174 on
> set routemap <ROUTEMAP_NAME> id 3 match network 75.75.0.0/16 all
> set routemap <ROUTEMAP_NAME> id 3 match protocol ospf2

To disable OSPF multiple instances, run:


> set ospf ospf-instance <id> interface <interface_name> area backbone off
> set ospf ospf-instance <id> area backbone off
> set ospf ospf-instance <id> off

Monitoring

To see the OSPF interfaces, run:


> show ospf interfaces

Example output:
OSPF instance default:
Name IP Address Area ID State NC DR Interface BDR Interface Errors
eth3.19 10.99.12.100 0.0.0.0 DR 0 10.99.12.100 0.0.0.0 30649
OSPF instance 1:
Name IP Address Area ID State NC DR Interface BDR Interface Errors
eth5.2011 10.95.0.161 0.0.0.0 BDR 1 10.95.0.164 10.95.0.161 8434
eth1 10.99.12.70 0.0.0.0 BDR 1 10.99.12.67 10.99.12.70 5
eth3.25 10.99.26.1 0.0.0.0 DR 1 10.99.26.1 10.99.26.2 471
eth5.29 10.99.26.130 0.0.0.0 BDR 1 10.99.26.133 10.99.26.130 0

To see the neighbors of an instance, run:


> show ospf ospf-instance <instance_id> neighbors

Example output:
> show ospf ospf-instance 1 neighbors
OSPF instance 1
Neighbor state flag: G - graceful restart
Instance Neighbor ID Pri State Dead Address Interface Errors
1 1.1.201.201 252 FULL/DR 33 10.95.0.164 10.95.0.161 0
1 1.1.11.11 1 FULL/DR 33 10.99.12.67 10.99.12.70 5
1 10.99.26.2 1 FULL/BDR 35 10.99.26.2 10.99.26.1 0
1 165.10.10.57 1 FULL/DR 39 10.99.26.133 10.99.26.130 0

To enable logging, run:


> set trace ospf all on

To see logs, examine these files:


/var/log/routed.log*
/var/log/messages*

Known Limitations
• OSPF Multiple Instances are not supported with IPv6.
• There is only one Router-ID for the entire Security Gateway/Virtual System.
• Up to 12 OSPF instances are supported.
• When doing OSPF calculations, the routing daemon can be busy and not respond to the CLI
commands. This can result in unexpected output. Repeat the command if there is no response
after two or more seconds.
• If you create a static route in SmartDashboard, it must have a valid and available IP address.
Otherwise, redistribution results can be inconsistent and the router-ID process can be
unstable.
• If the OSPF database on a Virtual System has two or more of the same route prefixes with
equal cost, it adds the route with the lowest next hop IP address to the routing table.


Configuring DHCP Relay (set bootp)


Description
Use BOOTP/DHCP to configure DHCP Relay for a specified interface.
BOOTP/DHCP Relay extends BOOTP and DHCP operations across multiple hops in a routed
network. With standard BOOTP, all LAN interfaces are loaded from one configuration server on
the LAN. BOOTP Relay sends configuration requests to and from configuration servers located
outside the LAN.
BOOTP/DHCP Relay has these advantages over standard BOOTP/DHCP:
• Relay client configuration requests. Configure an interface on the Check Point system to relay requests to multiple servers. This provides redundancy. Configuration requests are sent to all configured relay servers simultaneously.
• Load balancing. Configure interfaces to relay client configuration requests to different relay servers.
• Centrally manage client configuration over multiple LANs. This is very useful in large enterprise environments.

Syntax
> set bootp interface <if_name> [primary default|<ip>] [wait-time <seconds>] [relay-to <ip1>,<ip2>...] on|off

Parameters
Parameter Description
interface <if_name> The interface name as defined by the system. Press the Tab key after you enter this parameter to see a list of valid interface names.
primary <ip> The IP address of the Security Gateway interface that always gets requests from the DHCP client. If you do not define a Primary IP address, the system automatically uses the IP address of the interface that the DHCP request comes from.
primary default Uses the keyword default instead of an IP address. This forces the system to use the IP address of the interface that the DHCP request comes from. This is useful when you want to change the wait-time parameter, but not define a Primary IP address.
wait-time <seconds> The minimum wait time, in seconds, before a BOOTP request can be sent. This includes the elapsed time after the client starts to boot. This delay lets a local configuration server reply before the request is relayed to a remote server. The wait-time keyword is optional; the system assumes that an integer after the primary value is the wait-time value. Valid values: 0 - 65535. Default: 60.
relay-to <ip> The IP address of the relay server to which BOOTP requests are sent. You can specify more than one server.
on|off Enables or disables BOOTP on the specified interface.

Example 1:
This example enables DHCP Relay on eth0-04 with default values and no Primary IP. The IP
address is automatically assigned by the DHCP server.
> set bootp interface eth0-04 on

Example 2:
This example activates DHCP Relay on eth0-04 and defines the Primary IP address as
30.30.30.1. The wait time is the default value (60 seconds).
> set bootp interface eth0-04 primary 30.30.30.1 wait-time default on

Example 3:
This example activates DHCP Relay on eth1-04 and sends BOOTP requests to the relay server at
20.20.20.200
> set bootp interface eth1-04 relay-to 20.20.20.200 on

Verification:
Use this command to monitor and troubleshoot the BOOTP implementation:
> show bootp {interface <if_name> | interfaces | stats}

Parameters

Parameter Description
interface Shows BOOTP/DHCP Relay for the specified interface
interfaces Shows BOOTP/DHCP Relay for all interfaces
stats Shows BOOTP/DHCP Relay statistics

Route Cache Optimization


Route Cache Optimization has advantages over Source-Based Routing.

Advantages
• Protects against cache pollution by an attack.
• Better performance.

Limitations
• ECMP requires Source-Based Routing.
• If you use Policy-Based Routing in a FROM rule, Route Cache Optimization is disabled.


Configuring Route Cache Optimization

Description
You can enable Route Cache Optimization permanently or temporarily. Use asg_dst_route to
manage Route Cache Optimization.

Syntax
> asg_dst_route [-e|-d|-a|-v][-b <SGM_IDs>] [--g {increase | decrease}]

Parameters
Parameter Description
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-g {increase | decrease} Increases or decreases the aggressiveness of route cache garbage collection
-e Enable Route Cache Optimization
-d Disable Route Cache Optimization
-a Restore Route Cache Optimization to the default
-v Show the current and persistent status of Route Cache Optimization

Example:
> asg_dst_route -v
+------------------------------------------------------------------------------+
| SGM | Current Status | Persistency |
+------------------------------------------------------------------------------+
| 1_01 | Source+Dest based route | Source+Dest based (due to pbr rule) |
| 1_02 | Source+Dest based route | Source+Dest based (due to pbr rule) |
+------------------------------------------------------------------------------+

You can enable or disable Route Cache Optimization by using asg_dst_route:

Command Description
asg_dst_route -d Disable Route Cache Optimization

asg_dst_route -e Enable Route Cache Optimization


Route Cache Optimization Statistics

Description
Use the asg_dst_route -s command to show summary Route Cache Optimization statistics.

Syntax
> asg_dst_route -s

Example output
+------------------------------------------------+
| SGM | Cache load | Hit rate | Effectiveness |
+------------------------------------------------+
| 2_01 | 4 % | 58 % |100 % |
| 2_02 | 4 % | 50 % |100 % |
+------------------------------------------------+

Output description
Column Description
SGM SGM ID.
Cache load Calculated percentage of how hard the route cache works. The route cache starts to clean when this exceeds 100%.
Hit rate Percentage of total lookups found in the route cache in the last three seconds.
Effectiveness Estimate of the effectiveness of the route cache. This value drops if the cache load increases or the hit rate decreases.

CHAPTER 4

Managing Scalable Platforms


In This Section:
Administration ..............................................................................................................69
Synchronizing SGM Time..............................................................................................83
Configuring SGMs (asg_blade_config) ........................................................................84
Backup and Restore .....................................................................................................86
Configuring SGM State (asg sgm_admin) ...................................................................87
Image Management ......................................................................................................89
Port Mirroring (SPAN Port) ..........................................................................................93
Security .........................................................................................................................98

Administration
The Scalable Platform operating system includes a set of global commands that apply to all or
specified SGMs in a system.

Working with Global Commands


Commands that apply to all or specified SGMs in a system.
• gClish commands apply globally to all SGMs, by default.
• Some gClish commands are applicable to the 60000/40000 Security System and its
components.
• gClish commands do not apply to SGMs that are DOWN. If you run a set command while an
SGM is DOWN, the command does not update that SGM. The SGM synchronizes its database
during startup and applies the changes after reboot.
• Clish commands are documented in the R76 Gaia Administration Guide
http://downloads.checkpoint.com/dc/download.htm?ID=22928. Most of these commands are
also available in the 60000/40000 Security System.
Note - Documentation for the Chassis feature is found in the Hardware Monitoring and Chassis
High Availability (on page 230) sections.


Global Commands:
• auditlog
  • Enabled by default.
  • All commands are recorded in the audit log. To learn more about the audit log, see Looking at the Audit Log (on page 218).
• config-lock
  • Protects the gClish database by locking it. Each SGM has a single lock.
  • To set gClish operations for an SGM, the SGM must hold the config-lock.
  • To set config-lock, run:
    > set config-lock on override
  • gClish traffic runs on the Sync interface, TCP port 1129.
• blade-range
  • Runs commands on specified SGMs.
  • Runs gClish embedded commands only on this subset of SGMs.
  • We do not recommend that you use the blade-range command, because all SGMs must have identical configurations.

Check Point Global Commands


Check Point product-related commands include:
• fw
• sim
• fwaccel
• cpconfig

fwaccel, fwaccel6
Description
The fwaccel and fwaccel6 commands dynamically enable or disable acceleration for IPv4 and
IPv6 traffic, while the Scalable Platform is in operation.
The fwaccel6 command is used for IPv6 traffic and resets to the default value of fwaccel after
reboot.
When you run fwaccel and fwaccel6 from gClish, they show combined information from all
SGMs, for most parameters.
The fwaccel stats command shows aggregated statistics from all SGMs.

Syntax
> fwaccel {on | off | stat | stats [-s] [-d] | conns [-s] [-m <max_entries>]} [-b <SGM_IDs>]
> fwaccel templates [-s] [-m <max_entries>] [-b <SGM_IDs>]

> fwaccel6 {on | off | stat | stats [-s] [-d] | conns [-s] [-m <max_entries>]} [-b <SGM_IDs>]
> fwaccel6 templates [-s] [-m <max_entries>] [-b <SGM_IDs>]


Parameters
Parameter Description
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
Note - You can only select SGMs from one Chassis with this option.
on Starts acceleration.
off Stops acceleration.
stat Shows the acceleration device status and the status of the Connection Templates on the local Security Gateway.
stats Shows acceleration statistics.
stats -s Shows more summarized statistics.
stats -d Shows dropped packet statistics.
stats -r Resets statistics.
stats -l Shows multicast traffic statistics.
stats -p Shows SecureXL violations (F2F packets) statistics.
conns Shows all connections.
conns -s Shows the number of connections defined in the accelerator.
conns -m <max_entries> Limits the number of connections shown by conns to <max_entries>.
templates Shows all connection templates.
templates -s Shows the number of templates currently defined in the accelerator.
templates -m <max_entries> Limits the number of templates shown by templates to <max_entries>.

Example:
> fwaccel stats
Displaying aggregated data from blades: all

Name Value Name Value
-------------------- --------------- -------------------- --------------
Accelerated Path
-----------------------------------------------------------------------------
accel packets 6518 accel bytes 870476
conns created 38848 conns deleted 38043
C total conns 801 C templates 0
C TCP conns 493 C delayed TCP conns 0
C non TCP conns 308 C delayed nonTCP con 0
conns from templates 0 temporary conns 0
nat conns 0 C nat conns 0
dropped packets 0 dropped bytes 0
nat templates 0 port alloc templates 0
conns from nat tmpl 0 port alloc conns 0
Policy deleted tmpl 0 C Policy deleted tmp 0

Accelerated VPN Path
-----------------------------------------------------------------------------
C crypt conns 0 enc bytes 0
dec bytes 0 ESP enc pkts 0
ESP enc err 0 ESP dec pkts 0
ESP dec err 0 ESP other err 0
AHenc pkts 0 AHenc err 0
AHdec pkts 0 AHdec err 0
AH other err 0 espudp enc pkts 0
espudp enc err 0 espudp dec pkts 0
espudp dec err 0 espudp other err 0

Medium Path
-----------------------------------------------------------------------------
PXL packets 0 PXL async packets 0
PXL bytes 0 PXL conns 0
C PXL conns 0 C PXL templates 0

Firewall Path
-----------------------------------------------------------------------------
F2F packets 10077862 F2F bytes 1185051123
F2F conns 38839 C F2F conns 800
TCP violations 0 C partial conns 0
C anticipated conns 0

General
-----------------------------------------------------------------------------
memory used 0 free memory 0

(*) Statistics marked with C refer to current value, others refer to total value

Monitor Mode
fwaccel_m continuously monitors fwaccel output in real time. In Monitor Mode, the screen
shows changes in parameters as highlighted text. You cannot run commands or other operations
while in Monitor Mode.
To close Monitor Mode, press CTRL-C.
Example:
> fwaccel_m stats -p
Displaying aggregated data from blades: all

F2F packets:
--------------
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt is a fragment 0 pkt has IP options 19286
ICMP miss conn 33 TCP-SYN miss conn 28713
TCP-other miss conn 125290 UDP miss conn 95373635
other miss conn 268865 VPN returned F2F 0
ICMP conn is F2Fed 5390 TCP conn is F2Fed 73812
UDP conn is F2Fed 9131 other conn is F2Fed 4827
unidirectional viol 0 possible spoof viol 0
TCP state viol 0 out if not def/accl 0
bridge, src=dst 0 routing decision err 82
sanity checks failed 0 temp conn expired 0
fwd to non-pivot 0 broadcast/multicast 0
cluster message 0 partial conn 1
PXL returned F2F 0 cluster forward 0
chain forwarding 0 general reason 0
port alloc f2f 0 sticky SA F2F 0
>
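
The following is an added example, not part of this guide or of Check Point's tooling: a shell script that ranks the reasons in saved fwaccel stats -p output, so that the violation that dominates F2F (firewall path) traffic stands out. It assumes the two-pairs-per-row layout shown above; the sample text is the table from that example, and the function and variable names are chosen here.

```shell
#!/bin/sh
# Rank the reasons packets leave the accelerated path, from saved
# "fwaccel stats -p" output. Added example; not part of the guide or of
# Check Point's tooling. Assumes the layout shown above: two
# "<reason words> <count>" pairs per row; reason names may contain spaces.

# Constructed sample: the F2F table from the fwaccel_m stats -p example above
F2F_SAMPLE='Displaying aggregated data from blades: all

F2F packets:
--------------
Violation Packets Violation Packets
-------------------- --------------- -------------------- ---------------
pkt is a fragment 0 pkt has IP options 19286
ICMP miss conn 33 TCP-SYN miss conn 28713
TCP-other miss conn 125290 UDP miss conn 95373635
other miss conn 268865 VPN returned F2F 0
ICMP conn is F2Fed 5390 TCP conn is F2Fed 73812
UDP conn is F2Fed 9131 other conn is F2Fed 4827
unidirectional viol 0 possible spoof viol 0
TCP state viol 0 out if not def/accl 0
bridge, src=dst 0 routing decision err 82
sanity checks failed 0 temp conn expired 0
fwd to non-pivot 0 broadcast/multicast 0
cluster message 0 partial conn 1
PXL returned F2F 0 cluster forward 0
chain forwarding 0 general reason 0
port alloc f2f 0 sticky SA F2F 0'

# f2f_pairs OUTPUT: emit "<count><TAB><reason>" for every pair found.
# Words accumulate into a reason until a purely numeric field closes the pair,
# which is what lets multi-word names and two pairs per row be split correctly.
f2f_pairs() {
    printf '%s\n' "$1" | awk '
        /^-+( -+)*$/ || $1 == "Violation" { next }   # rule and header lines
        {
            name = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/) {
                    sub(/ $/, "", name)
                    printf "%s\t%s\n", $i, name
                    name = ""
                } else {
                    name = name $i " "
                }
            }
        }'
}

# f2f_total OUTPUT: sum of all F2F packet counters
f2f_total() {
    f2f_pairs "$1" | awk 'BEGIN { FS = "\t" } { t += $1 } END { printf "%d\n", t }'
}

# f2f_top OUTPUT N: the N largest non-zero reasons as
# "<reason><TAB><count><TAB><share of all F2F packets>"
f2f_top() {
    f2f_pairs "$1" | awk -v n="$2" '
        BEGIN { FS = "\t" }
        { cnt[NR] = $1 + 0; why[NR] = $2; total += $1 }
        END {
            if (total == 0) exit
            for (k = 0; k < n; k++) {
                best = 0
                for (i = 1; i <= NR; i++)
                    if (!(i in used) && cnt[i] > 0 && (best == 0 || cnt[i] > cnt[best]))
                        best = i
                if (best == 0) break           # fewer than N non-zero reasons
                used[best] = 1
                printf "%s\t%d\t%.1f%%\n", why[best], cnt[best], 100 * cnt[best] / total
            }
        }'
}

# Stand-alone run: show the five biggest reasons in the sample
echo "Total F2F packets: $(f2f_total "$F2F_SAMPLE")"
f2f_top "$F2F_SAMPLE" 5
```

In the sample, UDP miss conn accounts for more than 99% of F2F packets; running this over output captured at intervals shows which counters are still growing.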


fw, fw6
Description
The fw and fw6 commands are global scripts that run the fw and fw6 commands on each SGM.
Example 1:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > fw ctl
-*- 2 blades: 1_01 1_02 -*-
Usage: fw ctl command args...
Commands: install, uninstall, pstat, iflist, arp, debug, kdebug, bench
          chain, conn, multik, conntab, fwghtab_bl_stats
>

Example 2:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > fw ctl iflist
-*- 6 blades: 1_01 1_02 1_03 2_01 2_02 2_03 -*-
0 : BPEth0
1 : BPEth1
2 : eth1-Mgmt4
3 : eth2-Mgmt4
4 : eth1-01
5 : eth1-CIN
6 : eth2-CIN
8 : eth2-01
16 : Sync
17 : eth1-Mgmt1
18 : eth2-Mgmt1
>

fw dbgfile
Description
Use the fw dbgfile commands to debug the system.

Syntax
> fw dbgfile collect -f <debug_file_path> [-buf <buf_size>] [-m <debug_module_1>
<debug_flags_1> [-m <debug_module_2> <debug_flags_2>] ... [-m <debug_module_N>
<debug_flags_N>]]
> fw dbgfile view [<debug_file_path>] [-o <agg_file_path>]

Parameters
Parameter Description
collect Collects Security Gateway debug information.
view Shows the collected debug information.
<debug_file_path> Full path of the debug file.
-buf <buf_size> Debug buffer size. Always set the maximum size, 32000.
-m <debug_module> <debug_flags> Specifies a Security Gateway debug module and the debug flags in that module. You can specify more than one debug module.
-o <agg_file_path> Uses an aggregate debug file. <agg_file_path> - Full path of the aggregate debug file.

Example - Collect debug information:


> fw dbgfile collect -f /var/log/debug.txt -buf 32000 -m fw + conn -m kiss + pmdump

Example - Show the collected debug information:


> fw dbgfile view /var/log/debug.txt

Global Commands Generated by CMM


The CMM monitors and controls Chassis components, and activates and shuts down SGMs and SSMs.
Users can activate and shut down SGMs in serious situations, for example when the SGM cannot be reached over the Sync interface. In that case, the reboot command does not work.

Commands that control SGM power from the CMM:


Command Description
asg_reboot <global_command_flags> Restarts SGMs
asg_hard_shutdown <global_command_flags> Turns off SGMs
asg_hard_start <global_command_flags> Turns on SGMs

You can run global commands from gClish and the Expert mode. See Global Operating System
Commands (on page 154).

Example:
[Expert@MyChassis-ch01-01:0]# asg_reboot -b 1_03,2_05
You are about to perform hard reboot on SGMs: 1_03,2_05
It might cause performance hit for a period of time

Are you sure? (Y - yes, any other key - no) Y

Hard reboot requires auditing
Enter your full name: User1
Enter reason for hard reboot [Maintenance]:
WARNING: Hard reboot on SGMs: 1_03,2_05, User: User1, Reason: Maintenance

Rebooting SGMs: 1_03,2_05

Notes:
• At least one SGM must be UP and running on the remote Chassis to run these commands.
• To learn how to restart an SSM from the CMM, run asg_chassis_ctrl (on page 191).


General Global Commands


Global commands run commands on more than one SGM. The global commands syntax is shown in Global Operating System Commands.
These commands are available in gClish and in the Expert mode:

In gClish         In the Expert mode
update_conf_file  g_update_conf_file
global            global_help
asg_cp2blades     asg_cp2blades
asg_clear_table   asg_clear_table
asg_blade_stats   asg_blade_stats

Update Configuration Files (update_conf_file)


Description
Use the update_conf_file command to add, update, and remove variables from configuration
files. If the file does not exist, this command creates it.

Syntax
> update_conf_file <file_name> <variable>=<value>

Parameters

Parameter Description
<file_name> Full path and name of the configuration file to update
You do not need to specify the path for these files:
• $FWDIR/boot/modules/fwkern.conf
• $PPKDIR/boot/modules/simkern.conf
<variable> Name of the variable to update

<value> New value for the variable

Examples:
> update_conf_file /home/admin/MyConfFile.txt var1=hello
> cat /home/admin/MyConfFile.txt
-*- 3 blades: 2_01 2_02 2_03 -*-
var1=hello

> update_conf_file /home/admin/MyConfFile.txt var2=24h
> cat /home/admin/MyConfFile.txt
-*- 3 blades: 2_01 2_02 2_03 -*-
var2=24h
var1=hello

> update_conf_file /home/admin/MyConfFile.txt var1=goodbye
> cat /home/admin/MyConfFile.txt
-*- 3 blades: 2_01 2_02 2_03 -*-
var2=24h
var1=goodbye

> update_conf_file /home/admin/MyConfFile.txt var2=
> cat /home/admin/MyConfFile.txt
-*- 3 blades: 2_01 2_02 2_03 -*-
var1=goodbye


This command works with configuration files in a specific format. The file is composed of lines, where each line defines one variable:
<variable>=<value>

Notes:
• The fwkern.conf and simkern.conf files use this format.
• Variable name must not include an equal sign (=).
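
The following shell functions are an added example, not the Check Point update_conf_file script: they reproduce the documented add, update and remove behaviour for <variable>=<value> files, so the examples above can be replayed on any POSIX shell. The function names and the prepend-on-add ordering (taken from the example output above, where var2 appears before var1) are assumptions.

```shell
#!/bin/sh
# Emulation of the documented update_conf_file semantics for
# "<variable>=<value>" files (added example; not the Check Point script).
# Assumptions: NAME=VALUE adds or updates NAME, NAME= removes it, the file
# is created if missing, and new variables are prepended, matching the
# ordering in the example output above.

# conf_has FILE NAME: succeed if NAME is defined in FILE
conf_has() {
    awk -v n="$2" 'BEGIN { FS = "=" } $1 == n { f = 1 } END { exit !f }' "$1"
}

# conf_get FILE NAME: print the value of NAME (empty if absent)
conf_get() {
    awk -v n="$2" 'BEGIN { FS = "=" } $1 == n { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# conf_set FILE NAME=VALUE: add, update or (with empty VALUE) remove NAME
conf_set() {
    file=$1
    case $2 in
        *=*) ;;
        *)   echo "conf_set: expected NAME=VALUE" >&2; return 1 ;;
    esac
    name=${2%%=*}      # text before the first '=': a name never contains '='
    value=${2#*=}
    [ -n "$name" ] || { echo "conf_set: empty variable name" >&2; return 1; }

    [ -f "$file" ] || : > "$file"          # create the file if it does not exist
    tmp=$(mktemp) || return 1
    if conf_has "$file" "$name"; then
        # Existing variable: rewrite in place, or drop it when the value is empty
        awk -v n="$name" -v v="$value" 'BEGIN { FS = "=" }
            $1 == n { if (v != "") print n "=" v; next }
            { print }' "$file" > "$tmp"
    elif [ -n "$value" ]; then
        # New variable: prepend it (the example output above shows var2 before var1)
        { printf '%s=%s\n' "$name" "$value"; cat "$file"; } > "$tmp"
    else
        cat "$file" > "$tmp"               # removing an undefined variable: no change
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Stand-alone run, replaying the sequence from the examples above
demo=$(mktemp)
rm -f "$demo"                              # conf_set must create the file itself
conf_set "$demo" var1=hello
conf_set "$demo" var2=24h
conf_set "$demo" var1=goodbye
conf_set "$demo" var2=
cat "$demo"                                # prints: var1=goodbye
rm -f "$demo"
```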

Setting SecureXL SIM Kernel Parameters


Description
Use the sim_param command to change or show the values of SecureXL SIM parameters.
Run these commands in Expert Mode.

Syntax
> sim_param show [<filter>]
> sim_param get <parameter>
> sim_param set <parameter> <value>
> sim_param save <file_name>

Parameters
Parameter Description
show Shows a detailed list of all SIM parameters
<filter> Shows only those SIM parameters whose names contain the specified text string
get Shows the value of the specified SIM parameter
set Sets the specified SIM parameter to the specified value
<parameter> Name of the SIM parameter to set or show
<value> Value of the SIM parameter
save Saves the SIM parameters to the specified file
<file_name> Path and name of the file with SIM parameters

Note - For the configuration to survive reboot, manually edit the applicable parameters in the
$PPKDIR/boot/modules/simkern.conf file. Use the g_update_conf_file command.

sim_param Example
This example shows a list of all the applicable SecureXL SIM kernel parameters and their current values. The Name column gives the exact parameter names to use with the sim_param get and set commands.
# sim_param show
+------------------------------------------+-----------------+----------+-----------+
|Name |Value |Default |Permission |
+------------------------------------------+-----------------+----------+-----------+
|sim_reuse_tcp_conn |1 |Identical |R/W |
|sim_gtp_inner_frag_accel |1 |Identical |R/W |
|sim_drop_percentage_to_check_overall_drops|35 |Identical |R/W |
|sim_bond_refresh_interval_ha |1 |Identical |R/W |
|sim_aff_min_accel_pkts_rate |250000 |Identical |R/W |
| • | | | |
| • | | | |
|sim_ntquota_pxl_only |0 |Identical |R/W |
|sim_mcast_silent_spoof |1 |Identical |R/W |
|sim_hlqos_log_interval |2 |Identical |R/W |
+------------------------------------------+-----------------+----------+-----------+

Setting Firewall Kernel Parameters (g_fw ctl set)


Description
Use these commands to set or show specified Firewall kernel parameters.
Run these commands in Expert Mode.
Syntax
# g_fw ctl get <type> <parameter_name>
# g_fw ctl set <type> <parameter_name> <value>

Parameters
Parameter Description
get Shows the specified parameter and its value.
set Change the parameter value to the specified value.
<type> Type of parameter value:
int - Integer value
string - String value
Note - You must enter the correct parameter type or the command
returns an error message.
Run this command to see a list of valid parameters:
# modinfo $FWDIR/modules/fwmod.2.6.18.cp.x86_64.o
<parameter_name> Parameter name.
<value> Parameter value.

Note - To make changes persistent, you must manually edit the applicable parameters in
$FWDIR/boot/modules/fwkern.conf. Use the g_update_conf_file command to do this.

Copying Files Between SGMs (asg_cp2blades)


Description
Use the asg_cp2blades command in gClish or Expert mode to copy files from the current SGM
to other SGMs.

Syntax
asg_cp2blades [-b <SGM_IDs>] [-r] [-s] <source_path> [<dest_path>]


Parameters
Parameter Description
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-r Copies directories, including the files they contain.
-s Saves a local copy of the old file on each SGM. The copy is saved in the same directory as the new file, with the same name and this suffix: *.bak.<date>.<time>
<source_path> Full path and name of the file to copy
<dest_path> Full path of the destination. If not specified, the command copies the file to the same path as the source file.

Example
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg_cp2blades /home/admin/note.txt
Operation completed successfully
[Global] MyChassis-ch01-01 >
[Global] MyChassis-ch01-01 > cat /home/admin/note.txt
-*- 3 blades: 2_01 2_02 2_03 -*-
hello world
[Global] MyChassis-ch01-01 >

global help
Description
The global help command shows the list of global commands you can use in gClish and how
they are generally used.
Syntax
> global help

Example output:
> global help
Usage: <command_name> [-b SGMs] [-a -l -r --] <native command arguments>
Executes the specified command on specified blades.

Optional Arguments:
-b blades: in one of the following formats
1_1,1_4 or 1_1-1_4 or 1_01,1_03-1_08,1_10
all (default)
chassis1

chassis2
chassis_active
-a : Force execution on all SGMs (incl. down SGMs).
-l : Execute only on local blade.
-r : Execute only on remote SGMs.

Command list:
arp cat cp cpconfig cplic cpstart cpstop dmesg ethtool fw fw6 fwaccel fwaccel6 fwaccel6_m fwaccel_m
ls md5sum mv netstat reboot sim sim6 snapshot_recover snapshot_show_current tail tcpdump top unlock
update_conf_file vpn asg

Deleting Connections from the Connections Table (asg_clear_table)


Description
Use the asg_clear_table command in gClish or Expert mode to delete connections from the
Security Gateway Connections table.
The command runs up to 15 times, or until fewer than 50 connections are left.

Syntax
asg_clear_table [-b <SGM_IDs>]

Parameters
Parameter Description
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
Note: With this option, you can only select SGMs from one Chassis.

Note - If you are connected to the machine with SSH, your session is disconnected.

Viewing Information About Interfaces on SGMs (show interface)


Description
Use the show interface command in gClish to view information about the interfaces on the
SGMs.
For more information, see the R76SP.50 Scalable Platforms Gaia Administration Guide
https://sc1.checkpoint.com/documents/R76/CP_R76_Gaia_WebAdmin/html_frameset.htm -
Chapter Network Management - Section Network Interfaces.

Syntax
> show interfaces all
> show interface <options>


Example
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > show interface eth1-01 ipv4-address
1_01:
ipv4-address 4.4.4.10/24

1_02:
ipv4-address 4.4.4.10/24

1_03:
ipv4-address 4.4.4.10/24

1_04:
ipv4-address 4.4.4.10/24

1_05:
Blade 1_05 is down. See "/var/log/messages".

2_01:
ipv4-address 4.4.4.10/24

2_02:
ipv4-address 4.4.4.10/24

2_03:
ipv4-address 4.4.4.10/24

2_04:
ipv4-address 4.4.4.10/24

2_05:
ipv4-address 4.4.4.10/24
[Global] MyChassis-ch01-01 >

Configuring Chassis State (set chassis id ... admin-state, asg chassis_admin)

Description
Use these commands in gClish to put a Chassis in the administrative UP or DOWN state. You must
have administrator permission to do this.
When a Chassis is in the Administrative DOWN state:
• Backup connections for SGMs are lost.
• New connections are not synchronized with the DOWN Chassis.

Syntax
> set chassis id <chassis_id> admin-state {up | down}
> asg chassis_admin -c <chassis_id> {up | down}

Parameters
Parameter Description
<chassis_id> Chassis identification number (1 or 2)
{up | down} Chassis state


Example 1 - Setting the state of Chassis 2 to DOWN:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg chassis_admin -c 2 down

Example 2 - Setting the state of Chassis 2 to UP:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg chassis_admin -c 2 up

Example output:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > set chassis id 1 admin-state down
You are about to perform Chassis admin-state down on chassis: 1
Are you sure? (Y - yes, any other key - no) y
Chassis admin-state down requires auditing
Enter your full name: John
Enter reason for Chassis admin-state down [Maintenance]: Test
WARNING: Chassis admin-state down on Chassis: 2, User: John, Reason: Test
Chassis 2 is going DOWN...
Chassis 2 state is DOWN
[Global] MyChassis-ch01-01 >

Notes:
• The set chassis and asg chassis_admin commands are recorded in the asg log audit.
• Run one of these commands to see the Chassis state:
> asg stat
> asg monitor
• In a Dual Chassis environment, a Chassis in the administrative DOWN state degrades system performance.


Serial Over LAN (sol)


Description
Serial over LAN (SOL) lets you transmit serial data through a LAN.
With SOL, users connected to one SGM can open the virtual serial console of a remote SGM.
You can use SOL on the SGMs for serial-based OS and pre-OS communications over the LAN.

Syntax
# gclish
> sol [parameter]

Parameters
Parameter Description
-h Shows the built-in help
-b <SGM_ID> Initiates the SOL session to the selected SGM.
-d Only deactivates any active SOL session.
-f Forces an SOL session.
Deactivates any active session.
-k Keeps the session alive.
The session does not break after 60 seconds.
~. Terminates the connection.

SOL Limitations
• Supported on SGM400 only.
• Supported only internally within the Chassis.
• Only one SOL session at a time can be active to each SGM.
• When SOL is active, no input from the RJ-45 console on the front panel is available. Only output is available.
• Must have connectivity to one SGM in the Chassis (SSH/Console).
• Must have at least one Active SSM and one Active CMM.


Synchronizing SGM Time


Description
Use these commands to configure and troubleshoot the Network Time Protocol (NTP). Configure the NTP servers to synchronize the local time for all SGMs and the CMM.

Syntax
> set ntp server primary <NTP Server> version <NTP Version>
> set ntp server secondary <NTP Server> version <NTP Version>
> show ntp servers
> delete ntp server <NTP Server>

Parameters
Parameter Description
set ntp server primary Configures the primary NTP server. The system uses this NTP server by default.
set ntp server secondary Configures the secondary NTP server. The system uses this server if the primary NTP server is not available.
show ntp servers Shows the NTP configuration.
delete ntp server Deletes the primary or secondary NTP server.
<NTP Server> Specifies the IP address or host name of the NTP server.
<NTP Version> Specifies the NTP version (default is NTPv4).

Validation
To confirm that the time is the same on all SGMs, run:
> show time
To confirm that all SGMs start NTP connections, run tcpdump on UDP port 123 for the applicable
interfaces.


Configuring SGMs (asg_blade_config)


Description
Manage SGMs with the asg_blade_config command:
• Copy the SGM configuration from a different SGM
• Change the synchronization start IP address
• Reset the system uptime value
• Get a policy from the Management Server

Syntax
# asg_blade_config pull_config
# asg_blade_config full_sync <ip>
# asg_blade_config set_sync_start_ip <ip>
# asg_blade_config reset_uptime
# asg_blade_config reset_uptime_user
# asg_blade_config get_smo_ip
# asg_blade_config is_in_security_group
# asg_blade_config is_in_pull_conf_group
# asg_blade_config config fetch_smc
# asg_blade_config upgrade_start <new_version> [cu]
# asg_blade_config {upgrade_stat | upgrade_stop | upgrade_cu}
# asg_blade_config reset_sic -reboot_all <activation_key>

Parameters
Parameter Description
pull_config Copies the configuration from another SGM.
full_sync <ip> Runs a full synchronization from another SGM.
<ip> - Synchronization interface on remote SGM
set_sync_start_ip <ip> Changes the synchronization start IP address from the
local SGM to the specified IP address.
reset_uptime Resets the system uptime value on all SGMs to the
current time.
reset_uptime_user An interactive command that resets the uptime for all
SGMs to a user configured time.
get_smo_ip Returns the synchronization IP address of the Single
Management Object, as defined in SmartDashboard.
This address is not shown in SmartDashboard.
is_in_security_group Confirms that the local SGM is in the Security Group.
is_in_pull_conf_group Confirms that the local SGM is in the Pulling
Configuration Group.
If it is not, the SGM cannot copy the configuration and
policy.
config fetch_smc Gets the policy from the Security Management Server
and sends it to all SGMs.

upgrade_start <new_version> [cu] Starts the upgrade procedure.
<new_version> - New version name.
[cu] - Specifies the Connectivity upgrade.
upgrade_stop Stops the upgrade procedure.
upgrade_stat Shows the upgrade procedure and policy status.
upgrade_cu Changes from Zero Downtime upgrade to Connectivity upgrade.
reset_sic -reboot_all <activation_key> Starts a SIC cleanup.

Troubleshooting the asg_blade_config command:

To troubleshoot problems related to the asg_blade_config command, examine the logs stored
in /$FWDIR/log/blade_config.
For example, if an SGM unexpectedly reboots, you can search the log file for the word reboot to
learn why.


Backup and Restore


Best Practice - Back up your Scalable Platform operating system configuration periodically and
before you upgrade or make major changes to the system. You can always restore a saved
configuration as necessary. The backup is saved to a *.tgz file.

Backing up a configuration:
• To create and save a backup locally, run:
> add backup local
• To create and save a backup on a remote FTP server, run:
> add backup ftp ip <ip_address> path <path> username <name> password
<password>
• To create and save a backup on a remote TFTP server, run:
> add backup tftp ip <ip_address>
• To create and save a backup on a remote SCP server, run:
> add backup scp ip <ip_address> path <path> username <name> password
<password> <file>

Restoring a configuration:
• To restore a backup from a locally stored file, run:
> set backup restore local <file>
• To restore a backup from a remote FTP server, run:
> set backup restore ftp <ip_address> path <path> file <file> username <name>
password <password>
• To restore a backup from a remote TFTP server, run:
> set backup restore tftp <ip_address> file <file>
• To restore a backup from a remote SCP server, run:
> set backup restore scp ip <ip_address> path <path> file <file> username <name>
password <password>

Parameters
Parameter Description
<path> Absolute path on the remote server to the folder where the backup file is
stored
<file> Name of the backup file including the .tgz extension
<ip_address> The IP address of the remote server
<name> User name to log in to the remote server
<password> Password to log in to the remote server

Example:
> set backup restore ftp ip 192.0.2.24 path /mybackups/ file
backup_gw-24_17_4_2012_11_07.tgz username user1 password pass1

Restoring from backup package. Use the command 'show backups' to monitor restoring progress.
Please reboot the machine when it's finished.

Configuring SGM State (asg sgm_admin)


Description
Use the asg sgm_admin command to change the state manually, UP or DOWN, for one or more
SGMs.

Syntax
> asg sgm_admin -h
> asg sgm_admin -b <SGM_IDs> {up | down [-a]} [-p]

Parameters

Parameter Description
-h Show the command syntax and help information.
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-p Makes the configuration persistent (the setting is kept after reboot).
-a Synchronizes accelerated connections to other SGMs.

Example
> asg sgm_admin -b 2_03 -p
You are about to perform blade_admin up on blades: 2_03

Are you sure? (Y - yes, any other key - no) y

Blade_admin up requires auditing


Enter your full name: Fred
Enter reason for blade_admin up [Maintenance]: test
WARNING: Blade_admin up on blades: 2_03, User: Fred, Reason: test

Performing blade_admin up on blades: 2_03


[2_03]Setting blade to normal operation ...
[2_03]pulling configuration from: 192.0.2.16 (may take few seconds)
[2_03]Blade current state is ACTIVE


Notes:
• When an SGM is in the Administrative DOWN state:
• gClish commands do not run on this SGM.
• Traffic is not sent to this SGM.
• asg stat shows the SGM as DOWN (admin).
• When an SGM is changed to Administrative UP, it automatically synchronizes the configuration
from a different SGM that is in the UP state.
• This command generates log entries.
Run:
> asg log audit
• This command is useful for debugging.
Best Practice - Do not use this command in production environments because it can cause
performance degradation.


Image Management
Use these commands to manage images:
• Revert to a saved image. This restores the system, including the configuration of the installed
products.
• Delete an image from the local system.
• Export an existing image. This creates a compressed version of the image. You can download
the exported image to a different computer and delete the exported image from the Gaia
computer. This saves disk space. You must not rename the exported image. If you rename a
snapshot image, it is not possible to revert to it.
• Import an exported image.
• See a list of saved images.

Global Image Management


Cloning management
Image cloning lets a remote SGM clone the SMO image. In addition to cloning the SMO version,
it clones all installed hotfixes and private fixes, if there are any. We recommend that you use
this tool when you add a new SGM to the setup, such as when you receive a replacement SGM.
When you activate Auto-clone, each SGM updates its local image MD5 on reboot, on entering the
Admin UP state, and on hotfix installation. If the local image MD5 differs from the SMO image
MD5, the local SGM clones the SMO image.
Before you add an SGM to a Security Group that has a lower version than R76SP.50, add this line
to the beginning of /etc/xfer_file_list:
global_context /etc/upgrade_pkg-0.1-cp989000001.i386.rpm "rpm -U --force --nodeps /etc/upgrade_pkg-0.1-cp989000001.i386.rpm"

Parameters
Syntax Description
> show smo image auto-clone state Shows the current auto-clone state.
> set smo image auto-clone state {on|off} Sets auto-cloning on or off.
> show smo image md5sum Shows the image MD5.
> set smo image md5sum Updates the image md5sum. This is done automatically on reboot,
Admin UP and hotfix installation.

Note - Image cloning does not support snapshot (including fcd).


Snapshot management
Syntax Description
> add snapshot <snapshot_name> desc <description> Creates a new image.
> show snapshots Monitors the snapshot creation process or shows a list of existing snapshots.
> delete snapshot <snapshot_name> Deletes an image.
> set snapshot import|export <snapshot_name> path <path> Imports or exports an image.
> set snapshot revert <snapshot_name> Reverts to an image.

To show image information, enter:
> show snapshot <snapshot_name> all|date|desc|size

Syntax Description
snapshot <snapshot_name> Name of the image
desc <desc> Description of the image
snapshot export <snapshot_name> Name of the image to export
snapshot import <snapshot_name> Name of the image to import
path <path> Location for the exported image. For example: /var/log
all All image details
date Date the image was made
desc Description of the image
size Size of the image

Notes:
• You must have sufficient available space on the backup partition to create snapshot images for
all SGMs.
The required available disk space is the actual size of the root partition, multiplied by 1.15.
• The available space required in the export file storage location is the size of the snapshot
multiplied by two.
• The minimum size of a snapshot is 2.5G. Therefore, the minimum available space necessary in
the export file storage location is 5G.
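The three sizing rules in the notes above (root partition size multiplied by 1.15 for the backup partition, twice the snapshot size for the export location, and the 2.5G minimum snapshot size) are easy to get wrong when applied by hand across many SGMs. The shell functions below are an added example, not part of the guide or of Gaia: they compute the required space in MB using integer arithmetic and compare it with the Available column of a df listing. The df output is a constructed sample; the device names, sizes and mount points are placeholders.

```shell
#!/bin/bash
# Added example (not from the guide): apply the snapshot sizing rules above before
# creating or exporting a snapshot. All sizes are in MB; the df listing is constructed.

# snapshot_space_needed_mb ROOT_MB: space needed on the backup partition, i.e. the
# root partition size multiplied by 1.15, rounded up (integer arithmetic avoids
# floating-point rounding surprises).
snapshot_space_needed_mb() {
  echo $(( ($1 * 115 + 99) / 100 ))
}

# export_space_needed_mb SNAPSHOT_MB: space needed in the export location, i.e. twice
# the snapshot size, after applying the 2.5G (2560 MB) minimum snapshot size.
export_space_needed_mb() {
  local snap="$1"
  if [ "$snap" -lt 2560 ]; then
    snap=2560
  fi
  echo $(( snap * 2 ))
}

# df_avail_mb DF_OUTPUT MOUNTPOINT: extract the "Available" column (df -m layout)
# for the given mount point.
df_avail_mb() {
  printf '%s\n' "$1" | awk -v mnt="$2" '$NF == mnt { print $4 }'
}

# check_space AVAIL_MB NEEDED_MB: exit 0 when there is enough free space.
check_space() {
  [ "$1" -ge "$2" ]
}

# Constructed 'df -m' output; device names and sizes are placeholders.
DF_SAMPLE='Filesystem 1M-blocks Used Available Use% Mounted on
/dev/mapper/vg_splat-lv_current 10240 6144 4096 60% /
/dev/mapper/vg_splat-lv_log 30720 8192 22528 27% /var/log'

# Usage on the constructed sample: a 10240 MB root partition needs 11776 MB on the
# backup partition, and exporting a 4000 MB snapshot to /var/log needs 8000 MB,
# which the 22528 MB available there satisfies:
#   snapshot_space_needed_mb 10240                         -> prints 11776
#   check_space "$(df_avail_mb "$DF_SAMPLE" /var/log)" "$(export_space_needed_mb 4000)"
```

Run the check on every SGM that will take part in the snapshot, since the guide requires sufficient space for all SGMs, not only the SMO; a single SGM with a fuller root partition is enough to fail the operation.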


Image Management for Specified SGMs (g_snapshot)


Description
Show and revert snapshots for specified SGMs or Chassis.
This is different from snapshot, which works for all SGMs together.
You must run this command from Expert Mode.

Syntax
# g_snapshot [-b <SGM_IDs>] show|[revert <snapshot_name>]

Parameters
Parameter Description
show Shows saved snapshots for the specified SGMs or Chassis.
revert Restores specified SGMs or Chassis to the specified snapshot.
<snapshot_name> Snapshot file name.
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and
Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)

Examples:
• # g_snapshot -b 1_1,1_4 revert My_Snapshot
This example restores SGMs 1_1 and 1_4 to My_Snapshot
• # g_snapshot -b chassis2 revert My_Snapshot
This example restores Chassis2 to My_Snapshot
• # g_snapshot -b chassis1 show
This example shows the saved snapshots for all SGMs on Chassis1.


Setting Blade-Range
Description
Use the set blade-range command to configure which SGMs are part of the range.

Syntax

> set blade-range <Chassis-ID>_<Blade-ID> - <Chassis-ID>_<Blade-ID>

Parameters
Parameter Description
<Chassis-ID> Valid values:
• 1
• 2
<Blade-ID> Valid values:
• 1 to 12
• all (does not work on VSX)


Port Mirroring (SPAN Port)


With Port Mirroring, a gateway can listen to traffic on a mirror port (SPAN port) on a switch. The
mirror port on a Check Point gateway is typically configured to monitor and analyze network traffic
with no effect on the physical network. The mirror port duplicates the network traffic and records
the activity in logs.
You can use mirror ports to:
• Monitor the use of applications in your organization, as a permanent part of your deployment
• Evaluate the capabilities of the Application Control and IPS Software Blades before you
purchase them
The mirror port does not enforce a policy. You can only use it to see the monitoring and detection
capabilities of the blades.
Benefits of a mirror port include:
• No risk to your production environment.
• Requires minimal set-up configuration.
• Does not require expensive TAP equipment.

Configuring Port Mirroring on a Scalable Platform in Gateway Mode

Workflow:
1. Configure a new bridge interface on a Scalable Platform.
2. Configure Stateful Inspection settings in SmartDashboard.
3. Configure a Security Policy in SmartDashboard.
4. Configure a new bridge interface as a SPAN port on a Scalable Platform.

To create a new bridge interface:


1. Connect to the Scalable Platform command line and log in to Gaia Clish.
2. Create a new bridge interface:
> add bridging group <br_group_number>
3. Add one interface to bridging group <br_group_number>:
> add bridging group <br_group_number> interface <if_name>
4. In SmartDashboard:
a) Open the Scalable Platform gateway object properties.
b) From the left tree, click Topology.
c) Manually add the new bridge interface.
d) Click OK.


To configure Stateful Inspection:


1. In SmartDashboard, click Policy menu > Global Properties.
2. From the left tree, click Stateful Inspection and refer to the section Out of state packets.
3. Clear the Drop out of state TCP packets option.
4. Clear the Drop out of state ICMP packets option.
5. Click Exceptions and add the Scalable Platform object.
6. Click OK.

To configure a Security Policy:


1. Configure a Firewall policy with one rule that allows all traffic:
• Source = Any
• Destination= Any
• Service= Any
• Action = Accept
• Install On = Scalable Platform gateway object
2. Install the policy on the Scalable Platform gateway object.

To configure the new bridge interface as a SPAN port:


1. Connect to the Scalable Platform command line and log in to Expert mode.
2. Configure the new bridge interface as a SPAN port:
# asg_span_port set <bridge_if_name>
3. Reboot all SGMs:
# g_reboot -a
Best Practice - Run show interfaces to make sure that the bridge interface and its related
slave interface are up and running.

Disabling Port Mirroring on a Scalable Platform in Gateway Mode


To disable port mirroring on a Scalable Platform in Gateway Mode:
1. Connect to the Scalable Platform command line and log in to Expert mode.
2. Remove the SPAN port configuration from the bridge interface:
# asg_span_port unset <bridge_if_name>
3. Remove the slave interface from the bridge interface:
> delete bridging group <group_id> interface <if_name>
4. Delete the bridge interface:
> delete bridging group <group_id>


Best Practice:
1. In SmartDashboard, click Policy menu > Global Properties.
2. From the left tree, click Stateful Inspection and refer to the section Out of state packets.
3. Select the Drop out of state TCP packets option.
4. Select the Drop out of state ICMP packets option.
5. Click Exceptions and remove the Scalable Platform object.
6. Click OK.
7. Open the Scalable Platform object properties.
8. From the left tree, click Topology > Get > Interfaces without Topology.
9. Click OK.
10. Configure an applicable Firewall policy.
11. Install policy on the Scalable Platform object.
12. Reboot all SGMs on the Scalable Platform. Run from the Expert mode:
# g_reboot -a

Configuring Port Mirroring on a Scalable Platform in VSX Mode


Workflow:
1. Configure a new Virtual System in the Bridge Mode in SmartDashboard.
2. Configure Stateful Inspection settings in SmartDashboard.
3. Configure a Security Policy in SmartDashboard.
4. Configure a SPAN port on a Scalable Platform.

To configure a new Virtual System in the Bridge Mode:


1. In SmartDashboard, create a new Virtual System in the Bridge Mode.
2. Add an interface for the SPAN port that is connected to the physical port of the SSM.
For more information, see the R76 VSX Administration Guide
https://sc1.checkpoint.com/documents/R76/CP_R76_VSX_AdminGuide/html_frameset.htm.

To configure Stateful Inspection:


1. Click Policy menu > Global Properties.
2. From the left tree, click Stateful Inspection and refer to the section Out of state packets.
3. Clear the Drop out of state TCP packets option.
4. Clear the Drop out of state ICMP packets option.
5. Click Exceptions and add the Scalable Platform and the Virtual System objects.
6. Click OK.


To configure a Security Policy:


1. Configure a Firewall policy with one rule that allows all traffic:
• Source = Any
• Destination= Any
• Service= Any
• Action = Accept
• Install On = Virtual System object
2. Install the policy on the Virtual System object.

To configure a SPAN port:


1. Connect to the Scalable Platform command line and log in to Expert mode.
2. Examine the VSX configuration:
# vsx stat -v
3. Go to the context of the new Virtual System:
# vsenv <VS_ID>
4. Examine the Virtual System interfaces:
# ifconfig -a
5. Configure the SPAN port:
# asg_span_port set <bridge_if_name>
6. Reboot all SGMs:
# g_reboot -a

Disabling Port Mirroring on a Scalable Platform in VSX Mode


To disable port mirroring on a Scalable Platform in VSX Mode:
1. Connect to the Scalable Platform command line and log in to Expert mode.
2. Examine the VSX configuration:
# vsx stat -v
3. Go to the context of the new Virtual System:
# vsenv <VS_ID>
4. Examine the Virtual System interfaces:
# ifconfig -a
5. Remove the SPAN port configuration:
# asg_span_port unset <bridge_if_name>


Best Practice:
1. In SmartDashboard, click Policy menu > Global Properties.
2. From the left tree, click Stateful Inspection and refer to the section Out of state packets.
3. Select the Drop out of state TCP packets option.
4. Select the Drop out of state ICMP packets option.
5. Click Exceptions and remove the Scalable Platform and the Virtual System objects.
6. Click OK.
7. Configure an applicable Firewall policy.
8. Install the policy on the Virtual System object.
9. Reboot all SGMs on the Scalable Platform. Run from the Expert mode:
# g_reboot -a

Additional Port Mirroring Configuration Steps


Best practice - Use these additional steps for the specified scenarios.
1. In Application & URL Filtering policies, change the destination default settings from Internet
to Any.
2. For IPS, turn off the Sequence Verifier.


Security
Make sure to add security settings to your system.

Resetting the Administrator Password


If you forget your administrator password, you can use the Emergendisk utility to restore the
initial system administrator username and password (admin/admin). Run Emergendisk on the
Single Management Object (SMO).

To reset the administrator password:


1. Make sure that the SMO is in the Admin UP state, and then set all other SGMs to Admin DOWN.
2. Pull these Admin DOWN SGMs out from the Chassis.
3. Insert the Emergendisk device into a USB port on the SMO.
4. Hard reboot the SMO by pulling it out of the Chassis and then placing it back in.
5. From the Emergendisk menu, select:
Reset Admin Password
When this message shows, remove the USB device:
Admin password successfully reset
Please remove disk or any other media and press enter to restart
6. Press Enter to reboot.
The administrator username/password is now set to admin/admin.
7. Change the administrator password.
8. Replace the SGMs into the Chassis and put them in the Admin UP state.
The system automatically copies the new password from the SMO to the other SGMs.
Note - This procedure is relevant for SGM220 only, and not for SGM260.
For more information about the Emergendisk utility, see the Emergendisk section in the R76 Gaia
Administration Guide http://downloads.checkpoint.com/dc/download.htm?ID=22928.

Generic Routing Encapsulation - GRE (asg_gre)


Description
Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate several network
layer protocols inside virtual point-to-point links over an IP network.

Syntax
# asg_gre {load | stat | verify}

To configure GRE, edit the $FWDIR/conf/gre_loader.conf file.

Tunnel configuration
tunnel=<tunnel_ifname> local_tun_addr=<local_tunnel_ip>
remote_tun_addr=<remote_tunnel_ip> phy_ifname=<physical_ifname>
local_addr=<local_physical_addr> remote_addr=<remote_physical_addr> ttl=<ttl>


Route configuration
tunnel_route=<tunnel_ifname> remote_tun_addr=<remote_tunnel_ip>
network=<network>

Parameters
Parameter Description
<tunnel_ifname> Tunnel interface name.
<local_tunnel_ip> Local tunnel IP address.
<physical_ifname> Physical interface name.
<local_physical_addr> Local physical address.
<remote_physical_addr> Remote physical address.
<ttl> Time To Live.
<remote_tunnel_ip> Remote tunnel IP address.
<network> IP address and subnet mask that define the network for the route.

Configuration file example


tunnel=GREtun local_tun_addr=10.0.0.3 remote_tun_addr=10.0.0.4
phy_ifname=eth2-01 local_addr=40.40.40.1 remote_addr=40.40.40.2 ttl=64
tunnel_route=GREtun remote_tun_addr=10.0.0.4 network=50.50.50.0/24

In this example:
• Tunnel interface name: GREtun
• Local tunnel address: 10.0.0.3
• Remote tunnel address: 10.0.0.4
• Physical interface: eth2-01
• Local address: 40.40.40.1
• Remote address: 40.40.40.2
• TTL: 64
Note - All parameters are required.
To load the new configuration, run:
# asg_gre load
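Because every tunnel parameter is required, a line with a missing key is the most likely reason a gre_loader.conf file fails to load, and the asg_gre load output shown later in this section does not name the missing key. The shell function below is an added example, not part of the guide or of the asg_gre tool: it parses the key=value format of gre_loader.conf, reports any tunnel line that lacks one of the seven keys or any tunnel_route line that lacks one of its keys, and flags routes that refer to a tunnel the file never defines. The two configuration strings are constructed samples; GRE_CONF_OK repeats the guide's example and GRE_CONF_BAD is deliberately incomplete.

```shell
#!/bin/bash
# Added example (not from the guide): check a gre_loader.conf file for missing
# parameters before running asg_gre load. The samples are constructed: GRE_CONF_OK
# repeats the guide's example and GRE_CONF_BAD is deliberately incomplete.

GRE_CONF_OK='tunnel=GREtun local_tun_addr=10.0.0.3 remote_tun_addr=10.0.0.4 phy_ifname=eth2-01 local_addr=40.40.40.1 remote_addr=40.40.40.2 ttl=64
tunnel_route=GREtun remote_tun_addr=10.0.0.4 network=50.50.50.0/24'

# GREtuA lacks remote_addr and ttl; the route points at a tunnel that is never defined.
GRE_CONF_BAD='tunnel=GREtuA local_tun_addr=10.0.1.3 remote_tun_addr=10.0.1.4 phy_ifname=eth2-02 local_addr=40.40.41.1
tunnel_route=GREtuB remote_tun_addr=10.0.2.4 network=50.50.51.0/24'

# gre_conf_check CONF: print one diagnostic per problem; exit 0 when every tunnel
# line carries all seven keys and every tunnel_route refers to a defined tunnel.
gre_conf_check() {
  printf '%s\n' "$1" | awk '
    BEGIN {
      n_tun = split("local_tun_addr remote_tun_addr phy_ifname local_addr remote_addr ttl", need_tun, " ")
      n_rt  = split("remote_tun_addr network", need_rt, " ")
      errors = 0
    }
    /^[ \t]*(#|$)/ { next }                 # skip blank lines and comments
    {
      split("", kv)                          # reset the key=value map for this line
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
      }
      if ("tunnel" in kv) {
        tunnels[kv["tunnel"]] = 1
        for (i = 1; i <= n_tun; i++)
          if (!(need_tun[i] in kv)) {
            printf "line %d: tunnel %s missing %s\n", NR, kv["tunnel"], need_tun[i]
            errors++
          }
      } else if ("tunnel_route" in kv) {
        routes[NR] = kv["tunnel_route"]
        for (i = 1; i <= n_rt; i++)
          if (!(need_rt[i] in kv)) {
            printf "line %d: route missing %s\n", NR, need_rt[i]
            errors++
          }
      } else {
        printf "line %d: not a tunnel or tunnel_route entry\n", NR
        errors++
      }
    }
    END {
      for (r in routes)
        if (!(routes[r] in tunnels)) {
          printf "line %d: route refers to undefined tunnel %s\n", r, routes[r]
          errors++
        }
      exit (errors > 0)
    }'
}

# Usage on the constructed samples:
#   gre_conf_check "$GRE_CONF_OK"    -> no output, exit 0
#   gre_conf_check "$GRE_CONF_BAD"   -> three diagnostics, exit 1
```

To check a real file, pass its contents, for example gre_conf_check "$(cat $FWDIR/conf/gre_loader.conf)", and only run asg_gre load once the function exits 0; the same check in reverse (a route whose tunnel exists but whose network overlaps a production route) is a policy question the file format cannot express, so review the network values by hand.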


Example output
# asg_gre load
Copying configuration file to all blades... done
1_01:
Clearing existing GRE tunnels...
Loading GRE module... Done
Loading tunnel interface: GREtun
Loading route: 50.50.50.11/32 via 10.0.0.4 (GREtun)
Loading tunnel interface: GREtuA
Loading tunnel interface: GREtuB
Loading tunnel interface: GREtuC
Configuration loaded
1_02:
Clearing existing GRE tunnels...
Loading GRE module... Done
Loading tunnel interface: GREtun
Loading route: 50.50.50.11/32 via 10.0.0.4 (GREtun)
Loading tunnel interface: GREtuA
Loading tunnel interface: GREtuB
Loading tunnel interface: GREtuC
Configuration loaded
1_03:
Clearing existing GRE tunnels...
Loading GRE module... Done
Loading tunnel interface: GREtun
Loading route: 50.50.50.11/32 via 10.0.0.4 (GREtun)
Loading tunnel interface: GREtuA
Loading tunnel interface: GREtuB
Loading tunnel interface: GREtuC
Configuration loaded
1_04:
Clearing existing GRE tunnels...
Loading GRE module... Done
Loading tunnel interface: GREtun
Loading route: 50.50.50.11/32 via 10.0.0.4 (GREtun)
Loading tunnel interface: GREtuA
Loading tunnel interface: GREtuB
Loading tunnel interface: GREtuC
Configuration loaded


Role Based Administration (RBA)


Access to gClish features is controlled by Role Based Administration (RBA). Each user is
assigned a role. Each role has a set of read-only features and read-write features. The user is not
exposed to any features other than the ones assigned to their role.
RBA configuration and properties for the Scalable Platform are the same as for Gaia. See the R76
Gaia Administration Guide
http://supportcontent.checkpoint.com/documentation_download?ID=22928 for more details.
Notes:
• Extended commands have no read/write distinction. However, when you add an extended
command to a role, add it as a read-write feature. Users assigned to this role can then execute
it, regardless of its implications.
• Add each extended command to a role separately. Because asg is the entry point to the
Scalable Platform, it is usually necessary to add it to all roles.
• A user's UID must be zero to run extended commands. This property is enforced when you add
new users.
• Do not edit the /etc/passwd file. Do RBA configuration only with gClish.

Example:
> add rba role myRole domain-type System readonly-features chassis,interface readwrite-features route
> add user myUser uid 0 homedir /home/myUser
> set user myUser password
> add rba user myUser roles myRole
> show rba role myRole


RADIUS Authentication
RADIUS (Remote Authentication Dial-In User Service) is a client/server authentication system that
supports remote-access applications. User profiles are kept in a central database on a RADIUS
authentication server. Client computers or applications connect to the RADIUS server to
authenticate users.
You can configure the Scalable Platform to work as a RADIUS client. The Scalable Platform does
not include RADIUS server functionality. You can configure the Scalable Platform to authenticate
users even when they are not defined locally (on page 103).
You can configure your Scalable Platform computer to connect to multiple RADIUS servers. If the
first server in the list is unavailable, the next RADIUS server in the priority list connects.
You can delete a server at any time.
Set the Scalable Platform as a RADIUS client. Use the aaa radius-servers commands to add,
configure, and delete RADIUS authentication servers.

To configure RADIUS for use in a single authentication profile:


> add aaa radius-servers priority <priority> host <host> [port <port>]
prompt-secret timeout <timeout>
> add aaa radius-servers priority <priority> host <host> [port <port>] secret
<secret> timeout <timeout>

To add a new RADIUS server 1.1.1.1 which listens on port 1812:


> add aaa radius-servers priority 1 host 1.1.1.1 port 1812 prompt-secret
timeout 3

To delete a RADIUS configuration:


> delete aaa radius-servers priority <priority>

To change the configuration of a RADIUS entry:


> set aaa radius-servers priority <priority> host <host>
> set aaa radius-servers priority <priority> new-priority <priority>
> set aaa radius-servers priority <priority> port <port>
> set aaa radius-servers priority <priority> prompt-secret
> set aaa radius-servers priority <priority> secret <secret>
> set aaa radius-servers priority <priority> timeout <timeout>

Note - The configuration is done based on priority and not the server ID or name.

To see a list of all servers associated with an authentication profile:


> show aaa radius-servers list

To see the RADIUS server configuration:


> show aaa radius-servers priority <priority> host
> show aaa radius-servers priority <priority> port
> show aaa radius-servers priority <priority> timeout


Parameters
Parameter Description
priority <priority> RADIUS server priority as an integer between 0 and 999 (default=0).
When there are two or more RADIUS servers, Gaia connects to the server
with the highest priority. Lower numbers have higher priority.

new-priority <priority> New RADIUS server priority as an integer between 0 and 999
(default=0). When there are two or more RADIUS servers, Gaia connects to
the server with the highest priority. Lower numbers have higher priority.

host <host> RADIUS server IP address in dot-delimited format.

port <port> UDP port on the RADIUS server. This value must match the port as
configured on the RADIUS server. Typically this is 1812 (default) or 1645
(non-standard but a commonly used alternative).

prompt-secret Shared secret (password) text string. The system prompts you to enter
the value.

timeout <timeout> The number of seconds to wait for the server to respond (default = 3
seconds).

secret <secret> The shared secret used to authenticate the RADIUS server and the local
client. You must define this value on your RADIUS server.

Note - After RADIUS client configuration, every authentication request is forwarded to the RADIUS
server. Therefore, every account that is configured locally must be configured on the RADIUS
server as well.

Configuring Non-local RADIUS Users


Description
To allow login with non-local users to the Scalable Platform, you must define a default role for all
non-local users that are configured in the RADIUS server.
The default role can include a combination of:
• Administrative (read/write) access to some features
• Monitoring (read-only) access to other features
• No access to other features.

Syntax
> add rba role radius-group-any domain-type System readonly-features <list>
readwrite-features <list>


Parameters
Parameter Description
readonly-features <list> Comma separated list of Gaia features that have read-only
permissions in the specified role
readwrite-features <list> Comma separated list of Gaia features that have read and
write permissions in the specified role

Example:
> add rba role radius-group-any domain-type System readonly-features arp

Verification:
Connect to the Scalable Platform with a non-local user:
MyLaptop > ssh my_radius_user@my_61k_server

After successful authentication, the user my_radius_user is assigned the role radius-group-any
and is given all the privileges defined in that role.


Configuring Local RADIUS Users With Specified Role


You can configure users to have different roles by creating new users on the Scalable Platform
and assigning them the required role.
Best Practice - Keep the local user’s password blank.

Adding a New RADIUS User (add user)

Syntax to add new RADIUS users:


> add user <username> uid 0 homedir <path>

Parameters
Parameter Description
<username> Login name of the user
<path> Full path for the user home directory

Example:
> add user local uid 0 homedir /home/local

Assigning a User Role (add rba user)

Description
You can select a role from pre-existing roles, or create a new role and give it custom permissions.

Syntax
> add rba user <username> roles <rolename>

Parameters
Parameter Description
<username> User name

<rolename> Role to assign to the user


Adding a Role

Description
You can add new roles and give them custom permissions.

Syntax
> add rba role <rolename> domain-type System readonly-features <readonly_list>
readwrite-features <readwrite_list>

Parameters
Parameter Description
<rolename> Role name
<readonly_list> Comma separated list of features to grant read only permissions.
<readwrite_list> Comma separated list of features to grant read/write permissions.

Example
> add rba role radius domain-type System readonly-features Chassis,configuration
readwrite-features aaa-servers


Configuring TACACS + Servers - CLI (aaa)


Use aaa tacacs-servers to configure one or more TACACS+ authentication servers.

Action Syntax
To add a TACACS+ server:
add aaa tacacs-servers priority VALUE server VALUE key VALUE timeout VALUE
To change the configuration of a TACACS+ server entry:
set aaa tacacs-servers priority VALUE key VALUE
set aaa tacacs-servers priority VALUE new-priority VALUE
set aaa tacacs-servers priority VALUE server VALUE
set aaa tacacs-servers priority VALUE timeout VALUE
set aaa tacacs-servers state VALUE
To delete a TACACS+ server from the list of servers:
delete aaa tacacs-servers priority VALUE
To see the configuration of the TACACS+ servers:
show aaa tacacs-servers list
show aaa tacacs-servers priority VALUE server
show aaa tacacs-servers priority VALUE timeout
show aaa tacacs-servers state

Parameters
Parameter Description
priority VALUE The priority value of the TACACS+ server. The value must be unique
for this operating system.
The priority value is used to determine the order in which Gaia
connects to the servers. The server with the lowest priority number
is first.
Example - If three TACACS+ servers have a priority of 1, 5, and 10
respectively, Gaia connects to the servers in that order, and uses
the first server that responds.
The priority value identifies the server in commands. A command
with priority 1 applies to the server with priority 1.
• Range - Integers 1 - 20
• Default - No default
server VALUE The TACACS+ server IPv4 address.
• Default - No default
key VALUE The shared secret used for authentication between the
authentication server and the Gaia client. Enter the shared secret
text string without a backslash. Make sure that the shared string
defined on the Gaia client matches that which is defined on the
authentication server.
• Range - Text strings up to 256 characters, without any
whitespace characters
• Default - No default
timeout VALUE The maximum number of seconds to wait for the server to respond.
• Range - 1-45
• Default - 5
new-priority VALUE   The new priority.
state VALUE          Range:
                     On - Enable TACACS+ authentication for all servers.
                     Off - Disable TACACS+ authentication for all servers.
list                 The list of TACACS+ servers that the system is configured to use.

Example
> set aaa tacacs-servers priority 2 server 10.10.10.99 key MySharedSecretKey timeout 10



CHAPTER 5

Logging and Monitoring


In This Section:
CPView.........................................................................................................................109
Network Monitoring ....................................................................................................112
Showing Bond Interfaces (asg_bond) ........................................................................121
VPN Packet Tracking (bcstats) ..................................................................................126
Monitoring VPN Tunnels ............................................................................................127
Showing SSM Traffic Statistics (asg_traffic_stats)...................................................128
Showing SGM Forwarding Statistics (asg_blade_stats) ...........................................129
Traceroute (asg_tracert) ............................................................................................130
Multi-blade Capture -tcpdump -mcap -view ............................................................130
Showing Multicast Traffic Information ......................................................................132
Monitoring Management Interfaces Link State ........................................................138
Hardware Monitoring and Control .............................................................................139
System Monitoring ......................................................................................................209

CPView
CPView is a text-based utility that runs on Check Point Gateways. It collects and shows
statistical data from the Gateways. The data it collects contains general system information and
information for each Virtual System. The data updates on a regular basis and is easily accessible
and readable. Use cpview to show information on each Virtual System.

Overview of CPView
Description
The views in cpview show statistics related to a specific area of the Security Gateway.

Syntax
cpview [-c <conf_file>] [-p]

Parameters
Parameter        Description
-c <conf_file>   Use a custom configuration file.
-p               Print all statistics to the screen.


Using CPView
Use these keys to navigate the CPView:

Key          Description
Arrow keys   Moves between menus and views. Scrolls in a view.
Home         Returns to the Overview view.
Enter        Switches to view mode. On a menu with sub-menus, Enter moves you to the lowest
             level sub-menu.
Esc          Returns to menu mode.
Q            Quits CPView.

Use these keys to change CPView interface options:

Key   Description
R     Opens a window where you can change the refresh rate. The default refresh rate is 2 seconds.
W     Switches between wide and normal display modes. In wide mode, CPView fits the screen
      horizontally.
S     Manually sets the number of rows or columns.
M     Switches the mouse on or off.
P     Pauses and resumes the collection of statistics.

Use these keys to save statistics, show help, and refresh statistics:

Key         Description
C           Saves the current page to a file. The file name format is:
            cpview_<cpview process ID>.cap<number of captures>
H           Shows a tooltip with CPView options.
Space bar   Immediately refreshes the statistics.


CPView User Interface


The CPView user interface has three sections:

Section      Description
Header       The Header shows the time at which the statistics in the View section were collected.
             It updates when you refresh the statistics.
Navigation   The Navigation menu bar is interactive. Move between menus with the arrow keys and
             mouse. A menu can have sub-menus, and they show under the menu bar.
View         The View shows the statistics collected in that view. These statistics update at the
             refresh rate.


Network Monitoring
You can monitor and log traffic and settings.

Monitoring Service Traffic (asg profile)


Description
Use the asg profile command to monitor traffic for each service that passes through the
60000/40000 Security System.
This information is equivalent to SmartView Monitor traffic monitoring.
This command has a minimal performance hit.

Syntax
> asg profile --help
> asg profile [--delay <timeout>] [-b <SGM_IDs>] [-v | -p | -g] [--rel] [--tcp | --udp] [--ipv6 | --ipv4]
> asg profile -m
> asg profile --enable
> asg profile --disable

Parameters
Parameter           Description
--delay <timeout>   Information refresh interval (seconds).
-b <SGM_IDs>        Works with SGMs and/or Chassis as specified by <SGM_IDs>. <SGM_IDs> can be:
                    • No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
                    • One SGM (for example, 1_1)
                    • A comma-separated list of SGMs (for example, 1_1,1_4)
                    • A range of SGMs (for example, 1_1-1_4)
                    • One Chassis (chassis1, or chassis2)
                    • The active Chassis (chassis_active)
-v | -p | -g        The default view (with none of these options) shows these values for each
                    service: throughput, packet rate, connection rate, and the number of concurrent
                    connections. As an alternative, you can select one of these options:
                    • -v - Shows verbose service statistics.
                    • -p - Shows service statistics for these paths:
                      Accelerated (SecureXL), Medium, Slow (Firewall)
                    • -g - Shows a graph view of BPS per service
--rel               Shows the results as a percentage for the -v, -p, and default views.


--tcp | --udp       Select one of these options:
                    • --tcp - Show TCP statistics only
                    • --udp - Show UDP statistics only
--ipv6 | --ipv4     Select one of these options:
                    • --ipv4 - Show IPv4 statistics only
                    • --ipv6 - Show IPv6 statistics only
-m                  Run in a convenient interactive menu mode.
--enable            Enable statistics collection.
--disable           Disable statistics collection.
--help              Shows the command syntax and help information.


Example:
> asg profile -m
Aggregated statistics of SGMs: 1_1 Virtual Systems: 0
+--------------------------------------------------------------------+
|Service distribution summary |
+-------------------------+----------+-------+-----------+-----------+
|Service |Throughput|Packet |Connection |Concurrent |
+ + +rate +rate |connections|
+-------------------------+----------+-------+-----------+-----------+
|8116/udp cp-cluster |116.2 K |112 |0 |0 |
+-------------------------+----------+-------+-----------+-----------+
|22/tcp ssh |4.5 K |5 |0 |0 |
+-------------------------+----------+-------+-----------+-----------+
|33628/tcp |2.0 K |1 |0 |0 |
+-------------------------+----------+-------+-----------+-----------+
|33635/tcp |1.2 K |0 |0 |0 |
+-------------------------+----------+-------+-----------+-----------+
|33624/tcp |1.2 K |0 |0 |0 |
+-------------------------+----------+-------+-----------+-----------+
|33630/tcp |400 |0 |0 |0 |
+-------------------------+----------+-------+-----------+-----------+
|33626/tcp |400 |0 |0 |0 |
+-------------------------+----------+-------+-----------+-----------+
|33632/tcp |336 |0 |0 |0 |
+-------------------------+----------+-------+-----------+-----------+
|67/udp bootps |288 |0 |0 |0 |
+-------------------------+----------+-------+-----------+-----------+
|257/tcp set |48 |0 |0 |2 |
+-------------------------+----------+-------+-----------+-----------+

+-------------------------+----------+-------+-----------+-----------+
|Totals |
+-------------------------+----------+-------+-----------+-----------+
|Total tcp |10.2 K |9 |0 |8 |
|Total udp |116.5 K |112 |0 |0 |
|Total other |0 |0 |0 |2 |
+-------------------------+----------+-------+-----------+-----------+
|System |126.7 K |121 |0 |10 |
+-------------------------+----------+-------+-----------+-----------+

Time: Sun Jul 07 14:34:30 IDT 2013


SGMs: 1_1 1_2
VSs: 0 1
Choose one of the following option:(Bold options are current view)
n) Normal View
a) Absolute Values
r) Relative Values
v) Verbose View
V) Move to a different Virtual System
p) Path View
g) Graph View
O) Online
H) History
S) Move to next sgm
b) Back one menu
e) Exit

Note - This example shows the normal (not verbose) view with absolute values. The highest
throughput and packet rate are from the service 8116/udp cp-cluster. To show this view, type: a


Monitoring the Scalable Platform (asg_archive)


Description
The asg_archive utility:
• Collects Scalable Platform status and activity information in real time and periodically saves it
  to a history file.
  The system refreshes the data and saves history files automatically, based on predefined time
  intervals for each status information type. You can change the refresh time intervals based on
  your requirements.
• Shows the most current and historical statistics for each SGM or VSX Virtual System.
  You can easily change the SGM and/or Virtual System that is shown. You can enable or disable
  data collection globally for all status types or for specified status types. You can also assign
  the data collection process to a specified CPU to help prevent negative performance impact.

Syntax
> asg_archive <parameter>

Parameters
Parameter             Description
(no parameter)        Shows the system status and the Options menu.
--height              Sets the maximum number of lines in the output.
--enable              Starts all data collectors with asg_archive --config (except those that were
                      manually disabled).
--disable             Disables all information collectors.
--status              Shows if asg_archive is enabled or disabled.
--config              Shows or sets the configuration of information collectors.
                      <collector> - Name of the information collector, as shown in the
                      asg_archive --config output. Enclose the name in double quotes.
                      <seconds> - Refresh period, in seconds, for the specified collector. If you do
                      not enter a refresh period, the default value is applied automatically.
--refresh <timeout>   Shows or sets the default refresh time, in seconds, which applies when no
                      value is specified with the --config parameter.
--cpu <cpu_id>        Shows or selects the default CPU assigned to the data collection process.
                      This can help prevent unnecessary performance impact caused by this command.
--remote <path>       Reads archive files from a specified remote Security Gateway. <path> specifies
                      the path to this Security Gateway.
--help                Shows the command syntax and help text. This option automatically closes the
                      interactive mode and goes back to the command line.


Working with Interactive Mode


When you run asg_archive, the system enters Interactive Mode and shows a menu. Select an
option and the applicable status information shows on the upper portion of the screen. Some
menu items have sub-menus with more choices. Use the arrow keys to scroll through the status
information. The menu is always available on the lower portion of the screen. This example shows
the memory status (option 3-m).
+--------------------------------------------------------------------------+
|Resource Table |
+------------+----------------+------------+------------+------------------+
|SGM ID |Resource Name |Usage |Threshold |Total |
+------------+----------------+------------+------------+------------------+
|1_01 |Memory |20% |50% |31.3G |
| |HD: / |22% |80% |19.4G |
| |HD: /var/log |1% |80% |58.1G |
| |HD: /boot |19% |80% |288.6M |
+------------+----------------+------------+------------+------------------+

Time: Tue Jan 14 12:13:30 IST 2014


SGMs: 1_1 1_2 1_3 1_4 1_5 2_1 2_2 2_3 2_4 2_5
VSs: 0 1 2
Choose one of the following option:(Bold options are current view)
1) System Status
2) Performance
3) Hardware & Resources
m) Memory
f) FW Memory Allocation
c) CPU Usage
t) Top Process
h) Hardware
4) SXL Statistics
5) Diagnostic
6) Logs
7) SYN Attack
8) Network
O) Online
H) History
S) Move to next SGM
V) Move to next VS
b) Back one menu
e) Exit

• To select a menu item, enter the number or letter to the left of the item.
• The letters are case sensitive.
• If there is a sub-menu, the first option automatically shows in the upper section of the screen.
• To select a different option, enter the applicable letter.
Some options can open an additional sub-menu.
The numbered options show status and system information. The letter options, at the bottom of
the menu, are operations that control the information display.

Menu Option   Description
O             Online - Shows the current status for the selected item.
H             History - Shows historical status information saved in the history files. Select the
              sub-menu item to show the specified history file.
S             Move to next SGM - Shows the SGMs in sequential order.
V             Move to next VS - Shows the different Virtual Systems in sequential order.
b             Back one menu - Goes back to the main menu or a higher sub-menu.
e             Exit - Closes the Interactive Mode and goes back to the command line.


Working with Interface Status (asg if)


Description
Use the asg if command to enable or disable interfaces and to show this information about the
interfaces of the Scalable Platform:
• IPv4, IPv6, and MAC address
• Interface type
• State
• Currently defined interface speed
• MTU
• Duplex status

Syntax
> asg if -h
> asg if [-i <interface> [-v] [enable | disable]] [-ip]

Parameters
Parameter          Description
-h                 Shows the command syntax and help information.
-i <interface>     Interface status for the specified interface or a comma-separated list of
                   interfaces. If this parameter is not specified, the status for all interfaces
                   shows.
-v                 Verbose - Shows detailed output.
                   Note - This view is not supported for logical interfaces.
enable | disable   Enables or disables the specified interface.
-ip                Interface IPv4 or IPv6 address.

Global view of all interfaces (asg if)


Use show interfaces to show the current status of all defined interfaces on the system.
> show interfaces
+---------------------------------------------------------------------------------------+
|Interfaces Data |
+---------------------------------------------------------------------------------------+
|Interface |IPv4 Address |Info |State |Speed |MTU |Duplex |
| |MAC Address | |(ch1) | | | |
+------------------------------+------------+-------------+---------+----------+--------+
|bond1 |17.17.17.10 |Bond Master |(down) |NA |NA |NA |
| |00:1c:7f:81:05:fe | |slaves: | | | |
| | | |eth1-05(down)| | | |
| | | |eth2-05(down)| | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
| eth1-05 |- |Bond slave |(down) |10G |1500 |Full |
| |00:1c:7f:81:05:fe | |master: | | | |
| | | |bond1(down) | | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
| eth2-05 |- |Bond slave |(down) |10G |1500 |Full |
| |00:1c:7f:81:05:fe | |master: | | | |
| | | |bond1(down) | | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
|bond1.201 |18.18.18.10 |Vlan |(down) |NA |NA |NA |
| |00:1c:7f:81:05:fe | | | | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
|br0 |- |Bridge Mast |(up) |NA |NA |NA |
| |00:1c:7f:81:07:fe | |ports: | | | |
| | | |eth2-07(down)| | | |
| | | |eth1-07(down)| | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
| eth1-07 |- |Bridge port |(down) |10G |1500 |Full |
| |00:1c:7f:81:07:fe | |master: | | | |
| | | |br0(up) | | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
| eth2-07 |- |Bridge port |(down) |10G |1500 |Full |
| |00:1c:7f:82:07:fe | |master: | | | |
| | | |br0(up) | | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
|eth1-01 |15.15.15.10 |Ethernet |(up) |10G |1500 |Full |
| |00:1c:7f:81:01:fe | | | | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
|eth1-Mgmt4 |172.23.9.67 |Ethernet |(up) |10G |1500 |Full |
| |00:d0:c9:ca:c7:fa | | | | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
|eth2-01 |25.25.25.10 |Ethernet |(up) |10G |1500 |Full |
| |00:1c:7f:82:01:fe | | | | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
|Sync |192.0.2.1 |Bond Mas |(up) |NA |NA |NA |
| |00:1c:7f:01:04:fe | |slaves: | | | |
| | | |eth1-Sync(up)| | | |
| | | |eth2-Sync(up)| | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
| eth1-Sync|- |Bond slave |(up) |10G |1500 |Full |
| |00:1c:7f:01:04:fe | |master: | | | |
| | | |Sync(up) | | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
| eth2-Sync|- |Bond slave |(up) |10G |1500 |Full |
| |00:1c:7f:01:04:fe | |master: | | | |
| | | |Sync(up) | | | |
+-----------+------------------+------------+-------------+---------+----------+--------+
>

Notes:
• This sample output shows that the Sync interface is a Bond Master, and whether each interface
is UP or DOWN.
• To add a comment to an interface, run:
> set interface <if_name> comment <comment_text>

Verbose Mode (asg if -v)


The Verbose Mode shows extended information, including information retrieved from the switch.
You can use the Verbose Mode for one interface or a comma-separated list of interfaces (without
spaces).
This operation can take a few seconds for each interface.
Example output:
[Expert@MyChassis-ch01-01:0]# asg if -i eth1-01 -v
Collecting information, may take few seconds
+----------------------------------------------------------------------------------------+
|Interfaces Data |
+----------------------------------------------------------------------------------------+
|Interface|IPv4 Address |Info |State |Speed |MTU |Duplex |
| |MAC Address | |(ch1)/(ch2) | | | |
| |IPv6 Address (global)| | | | | |
| |IPv6 Address (local) | | | | | |
+---------+---------------------+------------+--------------+--------+----------+--------+
|eth1-01 |- |Bond slave |(up)/(up) |10G |1500 |Full |
| |00:1c:7f:a1:01:0 | |master: | | | |
| |- | |bond1(up)/(up)| | | |
| |- | | | | | |
+---------+---------------------+------------+--------------+--------+----------+--------+
|Comment |
+----------------------------------------------------------------------------------------+
|internal interface |
+----------------------------------------------------------------------------------------+
|Traffic |
+----------------------------------------------------------------------------------------+
|media |In traffic |In pkt(uni/mul/brd)|Out traffic |Out pkt(uni/mul/brd) |
+-----------------+-----------+-------------------+---------------+----------------------+
|FTLF8528P2BNV-EM |28.8Kbps |0pps/38pps/5pps |4.1Mbps |0pps/355pps/0pps |
+----------------------------------------------------------------------------------------+
|Errors (total/pps) |
+----------------------------------------------------------------------------------------+
|OutDiscards |InDiscards |InErrors |OutErrors |
+-----------------------------+-------------------+---------------+----------------------+
|0/0 |0/0 |0/0 |0/0 |
+-----------------------------+-------------------+---------------+----------------------+
[Expert@MyChassis-ch01-01:0]#

Enabling/Disabling Interface Ports


Use the asg if command to enable or disable a physical interface only (for example, eth1-01).
You cannot use this command for bonds, VLANs, or other virtual interfaces. This command works
on the SSM level.
To disable an interface port, enter:
# asg if -i eth1-01 disable
You are about to perform port state disable on eth1-01 on blades: all

Are you sure? (Y - yes, any other key - no) y

Port state disable on eth1-01 requires auditing


Enter your full name: y
Enter reason for port state disable on eth1-01 [Maintenance]: y
WARNING: Port state disable on eth1-01 on blades: all, User: y, Reason: y
interface eth1-01 is disabled

To enable an interface port, enter:


# asg if -i eth1-01 enable
You are about to perform port state enable on eth1-01 on blades: all

Are you sure? (Y - yes, any other key - no) y

Port state disable on eth1-01 requires auditing


Enter your full name: y
Enter reason for port state disable on eth1-01 [Maintenance]: y
WARNING: Port state enable on eth1-01 on blades: all, User: y, Reason: y
interface eth1-01 is enabled


Connecting to a Specific SGM Blade


Description
When you connect to the Scalable Platform, you are actually connected to one of the SGMs. You
can use the blade command to open a connection to a different Security Gateway Module.
You must run the blade command in Expert Mode, which establishes a new SSH connection over
the Sync interface.
Syntax
# blade [<chassis_id>_]<sgm_id>

Example:
# blade 1_03
Moving to blade 1_3

Notes:
• When you only enter the SGM ID, the default Chassis is assumed.
• To go back to the last SGM, run:
exit
• You can run more than one blade command to open many SSH sessions.


Showing Bond Interfaces (asg_bond)


Description
The asg_bond command in gClish or Expert mode shows bond interfaces and runs these LACP packet
tests:
• MAC address consistency for each Chassis
• Slave state consistency for all SGMs
• Database consistency for all SGMs
• Compatibility of the LACP aggregator ID between the bond and its slaves
• LACP packets between neighbors and key comparison
You can run this command for specified bonds or for all bonds.

Syntax
asg_bond {-h | --help}
asg_bond [-v] [ -i <filter>]

Parameters
Parameter     Description
-h | --help   Shows the built-in help.
-i <filter>   Filters the output for the specified bond name or text string. The output shows all
              bonds that match the bond name, or those names that contain the text string.
-v            Runs the LACP packet test for the specified interfaces.

Viewing a Global List of all Bonds (asg_bond)


Use the asg_bond command in gClish or Expert mode without parameters to show all currently
defined bonds.
Example:
[Expert@MyChassis-ch01-01:0]# asg_bond
+------+-------------------------------------------+---------+--------+------------------+
|Name |Address |Mode |Slaves |Result |Comments |
+------+------------------------+------------------+---------+--------+------------------+
|bond1 |(MAC) 00:1c:7f:81:02:fe|LACP 802.3ad |eth1-02 |OK | |
| |(IPv4) 13.13.1.10 |Load Sharing |eth1-03 | | |
| | | |eth2-03 | | |
| | | |eth2-02 | | |
+------+------------------------+------------------+---------+--------+------------------+
|bond3 |(MAC) 00:1c:7f:82:04:fe|XOR |eth2-04 |OK | |
| |(IPv4) 23.23.1.10 |Load Sharing |eth1-04 | | |
+------+------------------------+------------------+---------+--------+------------------+
|bond5 |(MAC) 00:1c:7f:81:07:fe|Round-Rubin |eth1-07 |OK | |
| |(IPv4) 33.33.1.10 |Load Sharing |eth2-07 | | |
+------+------------------------+------------------+---------+--------+------------------+
|bond7 |(MAC) 00:00:00:00:00:fe|Active-Backup | |OK |- No slaves exist |
| | |High Availability | | | |
+------+------------------------+------------------+---------+--------+------------------+
[Expert@MyChassis-ch01-01:0]#


Viewing a Specific Bond Interface (asg_bond -i)


This example shows the command output for the specified bond.
Example:
[Expert@MyChassis-ch01-01:0]# asg_bond -i bond5
+--------+-------------------------------+--------------+---------+--------+---------+
|Name |Address |Mode |Slaves |Result |Comments |
+--------+-------------------------------+--------------+---------+--------+---------+
|bond5 |(MAC) 00:1c:7f:81:07:fe |Round-Rubin |eth1-07 |OK | |
| |(IPv4) 33.33.1.10 |Load Sharing |eth2-07 | | |
+--------+-------------------------------+--------------+---------+--------+---------+
[Expert@MyChassis-ch01-01:0]#

Note - You can also specify a substring that is part of a bond name to show all bonds that contain
the substring.

Bond Verification Test (asg_bond -v)


This example shows the verification test results for all bonds, including one with an error.
[Expert@MyChassis-ch01-01:0]# asg_bond -v
Listening for LACP packets [...............................] [ OK ]

+-----+------------------------+-----------------+-------+------+-------------------------+
|Name |Address |Mode |Slaves |Result|Comments |
+-----+------------------------+-----------------+-------+------+-------------------------+
|bond1|(MAC) 00:1c:7f:81:02:fe |LACP 802.3ad |eth1-02|Failed|eth1-02 missing LACP pkts|
| |(IPv4)13.13.1.10 |Load Sharing |eth1-03| |eth1-03 missing LACP pkts|
| | | |eth2-03| |eth2-03 missing LACP pkts|
| | | |eth2-02| |eth2-02 missing LACP pkts|
+-----+------------------------+-----------------+-------+------+-------------------------+
|bond3|(MAC) 00:1c:7f:82:04:fe|XOR |eth2-04|OK | |
| |(IPv4) 23.23.1.10 |Load Sharing |eth1-04| | |
+-----+------------------------+-----------------+-------+------+-------------------------+
|bond5|(MAC) 00:1c:7f:81:07:fe|Round-Rubin |eth1-07|OK | |
| |(IPv4) 33.33.1.10 |Load Sharing |eth2-07| | |
+-----+------------------------+-----------------+-------+------+-------------------------+
|bond7|(MAC) 00:00:00:00:00:fe|Active-Backup | |OK | - No slaves exist |
| | |High Availability| | | |
+-----+------------------------+-----------------+-------+------+-------------------------+
[Expert@MyChassis-ch01-01:0]#

Notes:
• The comments column shows a description of problems detected by the verification tests.
• Bond7 shows an incomplete definition with no slaves configured.

Setting the Minimum Number of Slaves in a Bond


Description
You can monitor bond interfaces with the asg stat command.
A bond interface is considered DOWN when the number of slaves in the bond that are UP is less
than the min_slaves value.
You can change the min_slaves value in gClish.

Syntax
> set chassis high-availability bond <bond_port> min_slaves <number>

Example
> set chassis high-availability bond bond1 min_slaves 2


Notes:
• The default value for min_slaves is 1.
• The bond is considered DOWN if the number of slaves in the UP state is below the min_slaves
value.

Showing Traffic Information (asg_ifconfig)


Description
The asg_ifconfig command collects traffic statistics from all SGMs or from a specified range of
SGMs. The combined output shows the traffic distribution between SGMs and their interfaces
(calculated during a certain period).
The asg_ifconfig command has these modes:
• Native
  This is the default setting. When the analyze or banalyze option is not specified, the
  command behaves almost the same as the native Linux ifconfig command. However, the output
  shows statistics for all interfaces on all SGMs, not only for the interfaces on the local SGM.
• Analyze
  Shows accumulated traffic information and traffic distribution between SGMs.
• Banalyze
  Shows accumulated traffic information and traffic distribution between interfaces.
Notes:
• The analyze and banalyze parameters cannot be used together.
• If you run this command in a Virtual System context, you can only see the output that applies to
  that context.

Syntax
> asg_ifconfig [-b <SGM_IDs>] [<interface>] [analyze|banalyze] [-d <delay>] [-v] [-a]

Parameters
Parameter       Description
<interface>     The name of the interface.
-b <SGM_IDs>    Works with SGMs and/or Chassis as specified by <SGM_IDs>. <SGM_IDs> can be:
                • No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
                • One SGM (for example, 1_1)
                • A comma-separated list of SGMs (for example, 1_1,1_4)
                • A range of SGMs (for example, 1_1-1_4)
                • One Chassis (chassis1, or chassis2)
                • The active Chassis (chassis_active)
-d <delay>      Delay, in seconds, between data samples. Default = 5.

-v              Verbose mode - Shows traffic distribution between interfaces.
-a              Shows the total traffic volume. By default (without -a), the average traffic
                volume per second shows.
-h              Shows help information and exits.
analyze         Shows accumulated traffic information. Use the -v, -a, and -d <delay> parameters
                to show traffic distribution between interfaces.
banalyze        Shows accumulated traffic information. Use the -v, -a, and -d <delay> parameters
                to show traffic distribution between interfaces.
                You can use these parameters to sort the traffic distribution table:
                -rp   RX packets
                -rb   RX bytes
                -rd   RX dropped packets
                -tp   TX packets
                -tb   TX bytes
                -td   TX dropped packets
                For example, if you sort with the -rb option, the higher values appear at the top
                of the RX bytes column in the traffic distribution table:
                SGM ID   RX packets   RX bytes   RX dropped
                1_03                  70%
                1_02                  20%
                1_01                  10%

                By default, the traffic distribution table is not sorted.

Native Usage
This example shows the total traffic sent and received by eth2-01 for all SGMs on Chassis1
(Active Chassis). By default, the average traffic volume per second shows.
> asg_ifconfig -b chassis1 eth2-01

1_02:
eth2-01 Link encap:Ethernet HWaddr 00:1C:7F:81:01:EA
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:94 errors:0 dropped:0 overruns:0 frame:0
TX packets:63447 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5305 (5.1 KiB) TX bytes:5688078 (5.4 MiB)

1_03:
eth2-01 Link encap:Ethernet HWaddr 00:1C:7F:81:01:EA
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:137 errors:0 dropped:0 overruns:0 frame:0
TX packets:26336 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7591 (7.4 KiB) TX bytes:2355386 (2.2 MiB)

1_04:
eth2-01 Link encap:Ethernet HWaddr 00:1C:7F:81:01:EA
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:124 errors:0 dropped:0 overruns:0 frame:0
TX packets:3098 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6897 (6.7 KiB) TX bytes:378990 (370.1 KiB)

1_05:
eth2-01 Link encap:Ethernet HWaddr 00:1C:7F:81:01:EA
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX packets:79 errors:0 dropped:0 overruns:0 frame:0
TX packets:26370 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4507 (4.4 KiB) TX bytes:2216546 (2.1 MiB)

Using the Analyze Option


This example shows accumulated traffic volume statistics for eth2-Sync per SGM and the total
for all SGMs.
The traffic distribution for each SGM also shows.
The -a option shows the total traffic volume instead of the average volume per second.
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg_ifconfig eth2-Sync analyze -v -a
Command is executed on SGMs: chassis_active

1_01:
eth2-Sync Link encap:Ethernet HWaddr 00:1C:7F:01:04:FE
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:225018 bytes:36970520 (37.0 MiB) dropped:0
TX: packets:3522445 bytes:1381032583 (1.4 GiB) dropped:0

1_02:
eth2-Sync Link encap:Ethernet HWaddr 00:1C:7F:02:04:FE
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:221395 bytes:35947248 (35.9 MiB) dropped:0
TX: packets:4674143 bytes:1850315554 (1.9 GiB) dropped:0

1_03:
eth2-Sync Link encap:Ethernet HWaddr 00:1C:7F:03:04:FE
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:10 bytes:644 (644.0 b) dropped:0
TX: packets:67826313 bytes:7345458105 (7.3 GiB) dropped:0

1_04:
eth2-Sync Link encap:Ethernet HWaddr 00:1C:7F:04:04:FE
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:13 bytes:860 (860.0 b) dropped:0
TX: packets:68489217 bytes:7487476060 (7.5 GiB) dropped:0

1_05:
eth2-Sync Link encap:Ethernet HWaddr 00:1C:7F:05:04:FE
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:203386 bytes:19214238 (19.2 MiB) dropped:0
TX: packets:7164109 bytes:2740761091 (2.7 GiB) dropped:0

=*= Accumulative =*=


eth2-Sync Link encap:Ethernet
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:649822 bytes:92133510 (92.1 MiB) dropped:0
TX: packets:151676227 bytes:20805043393 (20.8 GiB) dropped:0

=*= Traffic Distribution =*=

-----------------------------------------------------------------------------
SGM ID RX packets RX bytes RX dropped TX packets TX bytes TX dropped
-----------------------------------------------------------------------------
1_01 34.6% 40.1% 0.0% 2.3% 6.6% 0.0%
1_02 34.1% 39.0% 0.0% 3.1% 8.9% 0.0%
1_03 0.0% 0.0% 0.0% 44.7% 35.3% 0.0%
1_04 0.0% 0.0% 0.0% 45.2% 36.0% 0.0%
1_05 31.3% 20.9% 0.0% 4.7% 13.2% 0.0%
-----------------------------------------------------------------------------
[Global] MyChassis-ch01-01 >
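The following added example (not Check Point's code) rebuilds the Accumulative block and the Traffic Distribution table from per-SGM counters in the layout shown above, and additionally flags SGMs that carry a disproportionate share of one counter, which is how an operator would spot the uneven Sync-interface load visible in this output. The sample text is constructed from the eth2-Sync output above; the function names and the skew threshold are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: the five per-SGM blocks of the guide's eth2-Sync output.
SAMPLE = """\
1_01:
eth2-Sync Link encap:Ethernet HWaddr 00:1C:7F:01:04:FE
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:225018 bytes:36970520 (37.0 MiB) dropped:0
TX: packets:3522445 bytes:1381032583 (1.4 GiB) dropped:0

1_02:
eth2-Sync Link encap:Ethernet HWaddr 00:1C:7F:02:04:FE
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:221395 bytes:35947248 (35.9 MiB) dropped:0
TX: packets:4674143 bytes:1850315554 (1.9 GiB) dropped:0

1_03:
eth2-Sync Link encap:Ethernet HWaddr 00:1C:7F:03:04:FE
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:10 bytes:644 (644.0 b) dropped:0
TX: packets:67826313 bytes:7345458105 (7.3 GiB) dropped:0

1_04:
eth2-Sync Link encap:Ethernet HWaddr 00:1C:7F:04:04:FE
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:13 bytes:860 (860.0 b) dropped:0
TX: packets:68489217 bytes:7487476060 (7.5 GiB) dropped:0

1_05:
eth2-Sync Link encap:Ethernet HWaddr 00:1C:7F:05:04:FE
UP BROADCAST RUNNING SLAVE MULTICAST MTU:1500 Metric:1
RX: packets:203386 bytes:19214238 (19.2 MiB) dropped:0
TX: packets:7164109 bytes:2740761091 (2.7 GiB) dropped:0
"""

SGM_RE = re.compile(r"^(\d+_\d+):$")
COUNTER_RE = re.compile(
    r"^(RX|TX): packets:(\d+) bytes:(\d+) \([^)]*\) dropped:(\d+)$")
FIELDS = ("RX packets", "RX bytes", "RX dropped",
          "TX packets", "TX bytes", "TX dropped")


def parse_counters(text):
    """Return {sgm_id: {field: int}} from 'analyze -v' style output."""
    per_sgm = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SGM_RE.match(line)
        if m:
            current = m.group(1)
            per_sgm[current] = dict.fromkeys(FIELDS, 0)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            direction, pkts, byts, drops = m.groups()
            per_sgm[current][direction + " packets"] = int(pkts)
            per_sgm[current][direction + " bytes"] = int(byts)
            per_sgm[current][direction + " dropped"] = int(drops)
    return per_sgm


def accumulate(per_sgm):
    """Sum of every counter over all SGMs (the =*= Accumulative =*= block)."""
    total = dict.fromkeys(FIELDS, 0)
    for counters in per_sgm.values():
        for f in FIELDS:
            total[f] += counters[f]
    return total


def distribution(per_sgm):
    """Each SGM's share of every counter in percent, rounded to one decimal
    as the =*= Traffic Distribution =*= table shows it (0.0 when the total is 0)."""
    total = accumulate(per_sgm)
    return OrderedDict(
        (sgm, {f: round(100.0 * c[f] / total[f], 1) if total[f] else 0.0
               for f in FIELDS})
        for sgm, c in per_sgm.items())


def skewed_sgms(per_sgm, field="TX bytes", factor=1.5):
    """SGMs whose share of `field` exceeds `factor` times an even split.
    With five SGMs an even split is 20%, so factor 1.5 flags shares above 30%."""
    fair = 100.0 / len(per_sgm)
    return [sgm for sgm, d in distribution(per_sgm).items() if d[field] > factor * fair]


if __name__ == "__main__":
    data = parse_counters(SAMPLE)
    print("%-8s" % "SGM ID" + "".join("%13s" % f for f in FIELDS))
    for sgm, d in distribution(data).items():
        print("%-8s" % sgm + "".join("%12.1f%%" % d[f] for f in FIELDS))
    print("Skewed on TX bytes:", ", ".join(skewed_sgms(data)) or "none")
```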


VPN Packet Tracking (bcstats)


You can run these commands to monitor the IPsec packet flow.

Field: Source and destination IP addresses
Run:
• For Site-to-Site VPN:
# g_tcpdump for ip proto 50
• For Remote Access VPN clients:
# g_tcpdump for UDP port 4500

Field: Which SGM encrypted packets are forwarded to
Run:
# bcstats vpn -v

Field: Which SGM holds the outbound SA
Run:
# g_fw tab -t outbound_SPI -f
Search for MSPI in the output. MSPI is the Meta SA, and shows which SGM holds the outbound SA.

Example:
#g_fw tab -t outbound_SPI -f
using cptfmt
Formatting table's data - this might take a while...
local host:
Date: Nov 14, 2011
12:37:15 172.16.6.171 > : (+)====================================(+); Table_Name: outbound_SPI; : (+);
Attributes: dynamic, id 285, attributes: keep, sync, kbuf 6 7, expires 3600, limit 20400, hashsize 32768; product: VPN-1 & FireWall-1;
12:37:15 172.16.6.171 > : (+); peer: 172.16.6.189; SPI: f59ba0ec; CPTFMT_sep: MSPI: 1; cookieI: c5364f5e6414aad9; cookieR: 95a478b10f9544a6; Expires: 3540/3610; product: VPN-1 & FireWall-1;

The output can include Security Associations (SAs) with an MSPI of 0. These are dummy SAs and
can safely be ignored.


Monitoring VPN Tunnels


Because VPN tunnels synchronize between all SGMs, use traditional tools to monitor tunnels. This
gives you a better selection of monitoring tools as compared to the native Scalable Platform
capabilities.

SmartView Monitor
You must not activate the Monitoring Blade on the Scalable Platform. However, you can still use
the tunnels information in SmartView Monitor to see VPN tunnel status and details.

SNMP
• You can use the tunnelTable sub-tree in Check Point MIB .1.3.6.1.4.1.2620.500.9002 to see
VPN status with SNMP.
• For VSX environments, search for the SNMP Monitoring section in the R76 VSX Administration
Guide http://supportcontent.checkpoint.com/documentation_download?ID=22932 for VSX
related SNMP information.

CLI Tools
Use these CLI commands:
• To see VPN statistics per SGM, in Expert Mode run:
# cpstat -f all vpn
• To monitor VPN tunnels per SGM, in Expert Mode run:
# vpn tu
VPN tunnels are synchronized to all SGMs, therefore you can run this command from the
scope of one SGM.
• To monitor VPN tunnels in the non-interactive mode, in gClish run:
> vpn shell tu
Note - In a VSX environment, you must run these commands from the applicable Virtual System
context.


Showing SSM Traffic Statistics (asg_traffic_stats)


Description
Use the asg_traffic_stats command to show these traffic statistics for SSM ports during a
specified time period:
• Throughput (bits per second)
• Packet rate (packets per second)
Packet rate statistics are divided into four categories:
• Unicast
• Multicast
• Broadcast
• Total packets per second

Syntax
# asg_traffic_stats {<ssm_id> | <if_name>} [<delay>]

Parameters
Parameter Description
<ssm_id> SSM ID (1 - 4)
Shows the traffic statistics for the specified SSM
<if_name> The interface name: eth1-04 or eth1-Sync
Shows the total traffic statistics for a specified SSM
<delay> Length of time, in seconds, that traffic statistics are collected
Default = 5 seconds

Example - Traffic over one interface:


# asg_traffic_stats eth1-04
Processing traffic statistics for 5 seconds...

eth1-04 statistics
---------------------
Incoming traffic:
------------------
Throughput: 164.9 Kbps
Packet rate: [Total: 252 pps], [Unicast: 14 pps], [Multicast: 161 pps], [Broadcast: 76 pps]

Outgoing traffic:
------------------
Throughput: 4.0 Kbps
Packet rate: [Total: 2 pps], [Unicast: 2 pps], [Multicast: 0 pps], [Broadcast: 0 pps]


Example - Traffic over one SSM:


# asg_traffic_stats 1
Processing traffic statistics for 5 seconds...

Summary on SSM1
----------------
Incoming traffic:
------------------
Throughput: 319.1 Kbps
Packet rate: [Total: 409 pps], [Unicast: 167 pps], [Multicast: 166 pps], [Broadcast: 75 pps]

Outgoing traffic:
------------------
Throughput: 408.2 Kbps
Packet rate: [Total: 156 pps], [Unicast: 156 pps], [Multicast: 0 pps], [Broadcast: 0 pps]

Showing SGM Forwarding Statistics (asg_blade_stats)


Description
Use the asg_blade_stats command to show detailed packet forwarding statistics.

Syntax
> asg_blade_stats [-6] corr [[-p [-v]] [-a] | [-reset]]
> asg_blade_stats [-6] iterator
> asg_blade_stats [-6] smo
> asg_blade_stats [-6] vpn [-v]
> asg_blade_stats [-6] 6in4 [-v]
> asg_blade_stats [-6] gre [-v]
> asg_blade_stats [-6] icmp_error [-v]
> asg_blade_stats [-6] all
> asg_blade_stats -h | help

Parameters
Parameter Description
-6 Shows only IPv6 traffic.
corr Shows correction layer statistics (for predefined services) for each SGM.
-p Shows correction layer statistics for each service (for predefined services)
for each SGM. Use with corr
-reset Resets correction layer statistics. Use with corr
-a Shows aggregate statistics. Use with corr
-v Shows verbose statistics.
iterator Shows information about the last iterator process.
smo Shows statistics for SMO task, and logs for each SGM.
vpn Shows statistics for VPN forwarded packets.
6in4 Shows statistics for 6in4 tunnel forwarded packets.
gre Shows statistics for GRE forwarded packets.
icmp_error Shows statistics for ICMP ERROR forwarded packets.
vs Shows Virtual System stateless correction layer statistics (VSX mode only).
arp_forw Shows statistics for ARP forwarded packets.
all Shows all correction layer statistics mentioned above.
help Shows help information.

Traceroute (asg_tracert)
Description
Use this enhanced command to show correct tracert results on the Scalable Platform.
The native tracert cannot handle tracert pings correctly because of the stickiness
mechanism used in the Scalable Platform firewall.
The asg_tracert command supports all native tracert command options and parameters.

Syntax
> asg_tracert <ip> [<tracert_options>]

Parameters
Parameter Description
<ip> IP address
<tracert_options> Native tracert command options

Example:
> asg_tracert 100.100.100.99
traceroute to 100.100.100.99 (100.100.100.99), 30 hops max, 40 byte packets
1 (20.20.20.20) 0.722 ms 0.286 ms 0.231 ms
2 (100.100.100.99) 1.441 ms 0.428 ms 0.395 ms
>

Multi-blade Capture (tcpdump -mcap, tcpdump -view)


Description
Use this command to see TCP/IP and other packets sent and received by the Scalable Platform.
This release includes these Scalable Platform-specific enhancements to the standard tcpdump
utility:
• tcpdump -mcap - Captures packets on the specified SGMs and saves them to a single capture file.
• tcpdump -view - Shows the packets in the specified capture file, prefixing each packet with the
ID of the SGM that captured it.

Syntax
tcpdump [-b <SGM_IDs>] -mcap -w <capture_path> [<tcpdump_ops>]
tcpdump -view -r <capture_path> [<tcpdump_ops>]

Note - To stop the capture and save the data to the capture file, enter CTRL-C at the prompt.


Parameters
Parameter Description
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-w <capture_path> Full path of the merged capture file to write.
In addition to the merged capture file, per-SGM capture files are
created in the same directory, suffixed by their SGM ID.
-r <capture_path> Full path of the capture file to read.
Output is regular tcpdump output, with each packet prefixed by the ID of the SGM that processed it.

Example - Capture traffic on all SGMs:


> tcpdump -mcap -w /tmp/capture
Capturing packets...
Write "stop" and press enter to stop the packets capture process.
1_01:
tcpdump: listening on eth1-Mgmt4, link-type EN10MB (Ethernet), capture size 96 bytes
stop
Received user request to stop the packets capture process.

Copying captured packets from all SGMs...


Merging captured packets from SGMs to /tmp/capture...
Done.

Example - Capture packets from specified SGMs and interfaces:


> tcpdump -b 1_1,1_3,2_1 -mcap -w /tmp/capture -nnni eth1-Mgmt4

Example - Show captured packets from file:


> tcpdump -view -r /tmp/capture
Reading from file /tmp/capture, link-type EN10MB (Ethernet)
[1_3] 14:11:57.971587 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45
[2_3] 14:12:07.625171 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45
[2_3] 14:12:09.974195 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 37
[2_1] 14:12:09.989745 IP 0.0.0.0.cp-cluster > 172.16.6.0.cp-cluster: UDP, length 45
[2_3] 14:12:10.022995 IP 0.0.0.0.cp-cluster > 172.23.9.0.cp-cluster: UDP, length 32


Showing Multicast Traffic Information


Use these commands to show Multicast traffic information.

Showing Multicast Routing (asg_mroute)


Description
The asg_mroute command in gClish or Expert mode shows this multicast routing information in
a tabular format:
• Source - Source IP address
• Dest - Destination address
• Iif - Source interface
• Oif - Outbound interface
You can filter the output for specified interfaces and SGMs.

Syntax
asg_mroute -h
asg_mroute [-d <dest_route>] [-s <src_route>] [-i <src_if>][-b <SGM_IDs>]

Parameters
Parameter Description
-h Shows the built-in help.
-d <dest_route> Destination multicast group IP address.
-s <src_route> Source IP address.
-i <src_if> Source interface name.
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)


Example - Shows all multicast routes for all interfaces and SGMs:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg_mroute
+-----------------------------------------------------------------------------------+
|Multicast Routing (All SGMs) |
+-----------------------------------------------------------------------------------+
|Source |Dest |Iif |Oif |
+-------------------------+-------------------------+---------------+---------------+
|12.12.12.1 |225.0.90.90 |eth1-01 |eth1-02 |
+-------------------------+-------------------------+---------------+---------------+
|22.22.22.1 |225.0.90.90 |eth1-02 |eth1-01 |
+-------------------------+-------------------------+---------------+---------------+
|22.22.22.1 |225.0.90.91 |eth1-02 |eth1-01 |
+-------------------------+-------------------------+---------------+---------------+
[Global] MyChassis-ch01-01 >

When no optional parameters are specified, all routes, interfaces and SGMs are shown.

Example - Filter by source IP address, source interface, and destination group address:


[Expert@MyChassis-ch01-01:0]# asg_mroute -s 22.22.22.1 -i eth1-02 -d 225.0.90.91
+-----------------------------------------------------------------------------------+
|Multicast Routing (All SGMs) |
+-----------------------------------------------------------------------------------+
|Source |Dest |Iif |Oif |
+-------------------------+-------------------------+---------------+---------------+
|22.22.22.1 |225.0.90.91 |eth1-02 |eth2-01 |
+-------------------------+-------------------------+---------------+---------------+
[Expert@MyChassis-ch01-01:0]#

Showing PIM Information (asg_pim)


Description
The asg_pim command in gClish or Expert mode shows this PIM information in a tabular format:
• Source - Source IP address
• Dest - Destination IP address
• Mode - PIM mode (Dense Mode or Sparse Mode; both are supported)
• Flags - Local source and MFC state indicators
• In. intf - Source interface
• RPF - Reverse Path Forwarding indicator
• Out int - Outbound interface
• State - Outbound interface state
You can filter the output for specified interfaces and SGMs.

Syntax
asg_pim -h
asg_pim [-b <SGM_IDs>] [-i <if>]
asg_pim neighbors [-n <neighbor>]


Parameters
Parameter Description
-h Shows the built-in help.
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-i <if> Shows only the specified source interface.
neighbors Runs verification tests to make sure that PIM neighbors are the same on
all SGMs and shows this information:
• Verification - Results of verification test
• Neighbor - PIM neighbor
• Interface - Interface name
• Holdtime - Time in seconds to hold a connection open during peer
negotiation
• Expires - Minimum and Maximum expiration values for all SGMs
-n <neighbor> Shows only the specified PIM neighbor.

Example 1 - Shows PIM information and multicast routes for all interfaces and SGMs
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg_pim
+--------------------------------------------------------------------------------------+
|PIM (All SGMs) |
+--------------------------------------------------------------------------------------+
|source |dest |Mode |Flags|In. intf |RPF |Out. intf |State |
+-----------+------------+----------+-----+---------+----------+------------+----------+
|12.12.12.1 |225.0.90.90 |Dense-Mode|L|M |eth1-01 |none | | |
+-----------+------------+----------+-----+---------+----------+------------+----------+
|22.22.22.1 |225.0.90.90 |Dense-Mode|L|M |eth1-02 |none |eth1-01 |Forwarding|
+-----------+------------+----------+-----+---------+----------+------------+----------+
|22.22.22.1 |225.0.90.91 |Dense-Mode|L|M |eth1-02 |none |eth1-01 |Forwarding|
| | | | | | |eth2-01 |Forwarding|
+-----------+------------+----------+-----+---------+----------+------------+----------+
Flags: L - Local source, M - MFC State
[Global] MyChassis-ch01-01 >

• When no optional parameters are specified, all routes, interfaces and SGMs are shown.
• In this version, both the Dense Mode and the Sparse Mode are supported.


Example 2 - Shows PIM Information for the specific interface on all SGMs
[Expert@MyChassis-ch01-01:0]# asg_pim -i eth1-02 -b all
+--------------------------------------------------------------------------------------+
|PIM (All SGMs) |
+--------------------------------------------------------------------------------------+
|SGM 1_01 |
+--------------------------------------------------------------------------------------+
|source |dest |Mode |Flags|In. intf |RPF |Out. intf |State |
+-----------+------------+----------+-----+---------+----------+------------+----------+
|22.22.22.1 |225.0.90.90 |Dense-Mode|L|M |eth1-02 |none |eth1-01 |Forwarding|
+-----------+------------+----------+-----+---------+----------+------------+----------+
|22.22.22.1 |225.0.90.91 |Dense-Mode|L |eth1-02 |none |eth1-01 |Forwarding|
| | | | | | |eth2-01 |Forwarding|
+-----------+------------+----------+-----+---------+----------+------------+----------+
|SGM 1_02 |
+--------------------------------------------------------------------------------------+
|source |dest |Mode |Flags|In. intf |RPF |Out. intf |State |
+-----------+------------+----------+-----+---------+----------+------------+----------+
|22.22.22.1 |225.0.90.90 |Dense-Mode|L|M |eth1-02 |none |eth1-01 |Forwarding|
+-----------+------------+----------+-----+---------+----------+------------+----------+
|22.22.22.1 |225.0.90.91 |Dense-Mode|L|M |eth1-02 |none |eth1-01 |Forwarding|
| | | | | | |eth2-01 |Forwarding|
+-----------+------------+----------+-----+---------+----------+------------+----------+
[Expert@MyChassis-ch01-01:0]#

Example 3 - Shows PIM neighbors


[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg_pim neighbors
+--------------------------------------------------------------------------------------+
|PIM Neighbors (All SGMs) |
+--------------------------------------------------------------------------------------+
|Verification: |
|Neighbors Verification: Passed - Neighbors are identical on all blades |
+--------------------+--------------------+--------------------+-----------------------+
|Neighbor |Interface |Holdtime |Expires(min-max) |
+--------------------+--------------------+--------------------+-----------------------+
|11.1.1.1 |bond1 |105 |11:36:45-11:37:59 |
+--------------------+--------------------+--------------------+-----------------------+
[Global] MyChassis-ch01-01 >

Showing IGMP Information (asg_igmp)


Description
Use the asg_igmp command in gClish or Expert mode to show IGMP information in a tabular
format.
You can filter the output for specified interfaces and SGMs. If no SGM is specified, the command
runs a verification to make sure that IGMP data is the same on all SGMs:
• Group verification - Confirms the groups exist on all SGMs. If a group is missing on some
SGMs, a message shows which group is missing on which blade.
• Global properties - Confirms the flags, address and other information are the same on all
SGMs.
• Interfaces - Confirms that all blades have the same interfaces and that they are in the same
state (UP or DOWN). If inconsistencies are detected, a warning message shows.

Syntax
asg_igmp -h
asg_igmp [-i <interface>] [-b <SGM_IDs>]


Parameters
Parameter Description
-h Shows the built-in help.
-i <interface> Source interface name.
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)

Example 1 - Shows IGMP information and multicast routes for all interfaces and SGMs
Note - In this example, the verification detected an interface inconsistency.
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg_igmp

Collecting IGMP information, may take few seconds...


+------------------------------------------------------------------------------------------+
|IGMP (All SGMs) |
+------------------------------------------------------------------------------------------+
|Interface: eth1-01 |
+------------------------------------------------------------------------------------------+
|Verification: |
|Group Verification: Passed - Information is identical on all blades |
|Global Properties Verification: Passed - Information is identical on all blades |
+------------------------------------------------------------------------------------------+
|Group |Age |Expire |
+--------------------+----------+----------------------------------------------------------+
|225.0.90.91 |2m |4m |
+--------------------+----------+----------------------------------------------------------+
|Flags |IGMP Ver |Query Interval |Query Response Interval |protocol |Advertise Address|
+----------+---------+---------------+-------------------------+---------+-----------------+
|Querier |2 |125 |10 |PIM |12.12.12.10 |
+------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------+
|Interface: eth1-02 |
+------------------------------------------------------------------------------------------+
|Verification: |
|Group Verification: Failed - Found inconsistency between blades |
| -Group 225.0.90.92: missing in blades 1_02 |
|Global Properties Verification: Passed - Information is identical on all blades |
+------------------------------------------------------------------------------------------+
|Group |Age |Expire |
+--------------------+----------+----------------------------------------------------------+
|225.0.90.92 |2m |3m |
+--------------------+----------+----------------------------------------------------------+
|Flags |IGMP Ver |Query Interval |Query Response Interval |protocol |Advertise Address|
+----------+---------+---------------+-------------------------+---------+-----------------+
|Querier |2 |125 |10 |PIM |22.22.22.10 |
+------------------------------------------------------------------------------------------+

+------------------------------------------------------------------------------------------+
|Interface: eth2-01 |
+------------------------------------------------------------------------------------------+
|Verification: |
|Group Verification: Passed - Information is identical on all blades |
|Global Properties Verification: Passed - Information is identical on all blades |
+------------------------------------------------------------------------------------------+
|Group |Age |Expire |
+--------------------+----------+----------------------------------------------------------+
|225.0.90.90 |2m |3m |
+--------------------+----------+----------------------------------------------------------+


|Flags |IGMP Ver |Query Interval |Query Response Interval |protocol |Advertise Address|
+----------+---------+---------------+-------------------------+---------+-----------------+
|Querier |2 |125 |10 |PIM |2.2.2.10 |
+------------------------------------------------------------------------------------------+

NOTE: Inconsistency found in interfaces configuration between blades


Inconsistent interfaces: eth1-02
[Global] MyChassis-ch01-01 >

Example 2 - Shows IGMP Information for a specified interface


[Expert@MyChassis-ch01-01:0]# asg_igmp -i bond1.3
Collecting IGMP information, may take few seconds...
+------------------------------------------------------------------------------------------+
|IGMP (All SGMs) |
+------------------------------------------------------------------------------------------+
|Interface: bond1.3 |
+------------------------------------------------------------------------------------------+
|Verification |
|Group Verification: Passed - Information is identical on all blades |
|Global Properties Verification: Passed - Information is identical on all blades |
+------------------------------------------------------------------------------------------+
|Group |Age |Expire |
+--------------------+----------+----------------------------------------------------------+
|225.0.90.90 |46m |3m |
+--------------------+----------+----------------------------------------------------------+
|Flags |IGMP Ver |Query Interval |Query Response Interval |protocol |Advertise Address|
+----------+---------+---------------+-------------------------+---------+-----------------+
|Querier |2 |125 |10 |PIM |12.12.12.11 |
+------------------------------------------------------------------------------------------+
[Expert@MyChassis-ch01-01:0]#
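The three cross-SGM checks described above (group verification, global properties verification, interface consistency) as an added example in Python, not Check Point's code. The per-SGM input below is constructed to reproduce Example 1 (group 225.0.90.92 on eth1-02 missing on blade 1_02; eth1-02 is additionally DOWN on 1_02 so the interface check has something to report); the data layout and function names are this example's own assumptions.

```python
def _props(advertise_address):
    """Global properties as the asg_igmp table shows them (constructed)."""
    return {"Flags": "Querier", "IGMP Ver": 2, "Query Interval": 125,
            "Query Response Interval": 10, "protocol": "PIM",
            "Advertise Address": advertise_address}


# Constructed input: what each SGM (blade) reports per interface.
SGM_IGMP = {
    "1_01": {
        "eth1-01": {"state": "UP", "groups": {"225.0.90.91"}, "props": _props("12.12.12.10")},
        "eth1-02": {"state": "UP", "groups": {"225.0.90.92"}, "props": _props("22.22.22.10")},
        "eth2-01": {"state": "UP", "groups": {"225.0.90.90"}, "props": _props("2.2.2.10")},
    },
    "1_02": {
        "eth1-01": {"state": "UP", "groups": {"225.0.90.91"}, "props": _props("12.12.12.10")},
        "eth1-02": {"state": "DOWN", "groups": set(), "props": _props("22.22.22.10")},
        "eth2-01": {"state": "UP", "groups": {"225.0.90.90"}, "props": _props("2.2.2.10")},
    },
}

PASSED = "Passed - Information is identical on all blades"
FAILED = "Failed - Found inconsistency between blades"


def _iface(sgm_data, blade, ifname):
    return sgm_data[blade].get(ifname, {})


def verify_groups(sgm_data, ifname):
    """Group verification: every group seen on any blade must exist on all.
    Returns (passed, messages); each message names the group and the blades
    that lack it, in the wording Example 1 shows."""
    blades = sorted(sgm_data)
    seen = set()
    for b in blades:
        seen |= _iface(sgm_data, b, ifname).get("groups", set())
    messages = []
    for group in sorted(seen):
        missing = [b for b in blades
                   if group not in _iface(sgm_data, b, ifname).get("groups", set())]
        if missing:
            messages.append("Group %s: missing in blades %s" % (group, ",".join(missing)))
    return not messages, messages


def verify_global_properties(sgm_data, ifname):
    """Global properties verification: flags, addresses and timers must match
    on every blade. Returns (passed, messages) naming each differing key."""
    blades = sorted(sgm_data)
    reference = _iface(sgm_data, blades[0], ifname).get("props", {})
    messages = []
    for b in blades[1:]:
        props = _iface(sgm_data, b, ifname).get("props", {})
        for key in sorted(set(reference) | set(props)):
            if reference.get(key) != props.get(key):
                messages.append("%s: %s differs on blade %s (%r vs %r)"
                                % (ifname, key, b, reference.get(key), props.get(key)))
    return not messages, messages


def inconsistent_interfaces(sgm_data):
    """Interfaces verification: all blades must have the same interfaces in
    the same state (UP or DOWN). An interface absent on a blade counts as a
    state of its own, so it is reported as well."""
    blades = sorted(sgm_data)
    names = set()
    for b in blades:
        names |= set(sgm_data[b])
    return [n for n in sorted(names)
            if len({_iface(sgm_data, b, n).get("state", "MISSING") for b in blades}) > 1]


def run_verification(sgm_data):
    """Per-interface verdicts in the form asg_igmp prints them, plus the
    trailing list of inconsistent interfaces."""
    report = {}
    for ifname in sorted({n for blade in sgm_data.values() for n in blade}):
        g_ok, g_msgs = verify_groups(sgm_data, ifname)
        p_ok, p_msgs = verify_global_properties(sgm_data, ifname)
        report[ifname] = {"Group Verification": PASSED if g_ok else FAILED,
                          "group_details": g_msgs,
                          "Global Properties Verification": PASSED if p_ok else FAILED,
                          "property_details": p_msgs}
    return report, inconsistent_interfaces(sgm_data)


if __name__ == "__main__":
    report, bad = run_verification(SGM_IGMP)
    for ifname, verdict in report.items():
        print("Interface: %s" % ifname)
        print("  Group Verification: %s" % verdict["Group Verification"])
        for line in verdict["group_details"]:
            print("    -%s" % line)
        print("  Global Properties Verification: %s" % verdict["Global Properties Verification"])
    if bad:
        print("NOTE: Inconsistency found in interfaces configuration between blades")
        print("Inconsistent interfaces: %s" % ", ".join(bad))
```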


Monitoring Management Interfaces Link State


By default, the Scalable Platform monitors the link state only on data ports (ethX-YZ). The
Management Monitor feature lets SNMP monitor the management ports of the SSM160 components.
The link state is sent to all SGMs and is integrated with the Chassis High Availability mechanism.
Management ports show in the asg stat -v output when they are enabled. See the Ports > Mgmt
line in the output example below.
Monitored management ports are included in the Chassis grade mechanism according to
predefined factors (default = 11). In addition, show interfaces shows the link state of
management interfaces based on this feature.
> asg stat -v
--------------------------------------------------------------------------------
| VSX System Status - 64000 |
--------------------------------------------------------------------------------
| Chassis Mode | Active Up |
| Up time | 2 days, 08:05:15 hours |
| SGMs | 18/18 |
| Virtual Systems | 38 |
| Version | R76SP.50 (Build Number 84) |
--------------------------------------------------------------------------------
| VS ID: 0 VS Name: NA-Core-GW |
--------------------------------------------------------------------------------
| Chassis 1 STANDBY |
--------------------------------------------------------------------------------
| SGM ID State Process FW Policy Date |
| 1 UP Enforcing Security 14Sep17 18:18 |
| 2 UP Enforcing Security 14Sep17 18:18 |
| 3 UP Enforcing Security 14Sep17 18:18 |
| 4 UP Enforcing Security 14Sep17 18:18 |
| 5 UP Enforcing Security 14Sep17 18:18 |
| 6 UP Enforcing Security 14Sep17 18:18 |
| 7 UP Enforcing Security 14Sep17 18:18 |
--------------------------------------------------------------------------------
| Chassis 2 ACTIVE |
--------------------------------------------------------------------------------
| SGM ID State Process FW Policy Date |
| 1 (local) UP Enforcing Security 14Sep17 18:18 |
| 2 UP Enforcing Security 14Sep17 18:18 |
| 3 UP Enforcing Security 14Sep17 18:18 |
| 4 UP Enforcing Security 14Sep17 18:18 |
| 5 UP Enforcing Security 14Sep17 18:18 |
| 6 UP Enforcing Security 14Sep17 18:18 |
| 7 UP Enforcing Security 14Sep17 18:18 |
| 8 UP Enforcing Security 14Sep17 18:18 |
| 9 UP Enforcing Security 14Sep17 18:18 |
| 10 UP Enforcing Security 14Sep17 18:18 |
| 11 UP Enforcing Security 14Sep17 18:18 |
--------------------------------------------------------------------------------
| Chassis Parameters |
--------------------------------------------------------------------------------
| Unit | Chassis 1 | Chassis 2 | Unit Weight |
--------------------------------------------------------------------------------
| | UP / Required | UP / Required | |
| SGMs | 11 / 11 | 11 / 11 | 6 |
| Ports | | | |
| Standard | 7 / 7 | 5 / 7 | 11 |
| Bond | 6 / 6 | 6 / 6 | 11 |
| Mgmt | 0 / 0 | 0 / 0 | 11 |
| Mgmt Bond | 1 / 1 | 1 / 1 | 11 |
| Other | 0 / 0 | 0 / 0 | 6 |
| Sensors | | | |
| Fans | 9 / 9 | 9 / 9 | 0 |
| SSMs | 2 / 2 | 2 / 2 | 11 |
| CMMs | 2 / 2 | 2 / 2 | 6 |
| Power Supplies | 5 / 5 | 6 / 6 | 3 |
| | | | |
| Chassis Grade | 272 / 272 | 272 / 272 | - |
--------------------------------------------------------------------------------
| Minimum grade gap for chassis failover: 11 |
| Synchronization |
| Within Chassis: Enabled (Default) |
| Between chassis: Enabled (Default) |
| Exception Rules: (Default) |
--------------------------------------------------------------------------------
>


Hardware Monitoring and Control


You can monitor the hardware components of your system.

Showing Chassis and Component States (asg stat)


Description
Use this command to show the Chassis and hardware component state for Single-Chassis and
Dual-Chassis configurations. The command shows these system properties:
• Uptime
• Chassis Mode
• Number of Virtual Systems
• System Version
Use the Verbose Mode to show SGM state, process and policy.
Syntax
> asg stat [-v] [-vs <VS_IDs>] [-l]

Note - If you run this command in a VSX context, the output is for the applicable Virtual System.

Parameters
Parameter Description
-v Shows detailed Chassis status (Verbose Mode).
-vs <VS_IDs> Shows the Chassis status of Virtual Systems.
<VS_IDs> can be:
• No <VS_IDs> (default) - Uses the current Virtual System context
• One Virtual System
• A comma-separated list of Virtual Systems (1, 2, 4, 5)
• A range of Virtual Systems (VS 3-5)
• all - Shows all Virtual Systems
Note - This parameter is only applicable in a VSX environment.
If <VS_IDs> is omitted, output shows the information for the current Virtual
System context.
For a Chassis with more than 3 SGMs, the output uses abbreviations to make
the output more compact.
-l Show the meaning of the abbreviations in the output for a Chassis with more
than 3 SGMs.


Chassis Status Summary


Syntax
> asg stat

Example output:
> asg stat
-----------------------------------------------------------------------------
| VSX System Status |
-----------------------------------------------------------------------------
| Up time | 1 day, 20:04:39 hours |
-----------------------------------------------------------------------------
| Current CPUs load average | N/A |
| Concurrent connections | 400 |
| Health | SGMs 1 Inactive |
| | Power Supplies 2 Down |
| | Virtual Systems 6 / 6 |
-----------------------------------------------------------------------------
|Chassis 1 | STANDBY UP / Required |
| | SGMs 3 / 4 (!) |
| | Ports 2 / 2 |
| | Fans 6 / 6 |
| | SSMs 2 / 2 |
| | CMMs 2 / 2 |
| | Power Supplies 3 / 5 (!) |
-----------------------------------------------------------------------------
|Chassis 2 | ACTIVE UP / Required |
| | SGMs 4 / 4 |
| | Ports 2 / 2 |
| | Fans 6 / 6 |
| | SSMs 2 / 2 |
| | CMMs 2 / 2 |
| | Power Supplies 5 / 5 |
-----------------------------------------------------------------------------
>

The output shows:


• Chassis 1 is in the Standby state.
• Only three of the required four SGMs in Chassis 1 are UP.
• One SGM and two power supplies in Chassis 1 are down.

Chassis Status Details


Syntax
> asg stat -v

Example output (top section):


-----------------------------------------------------------------------------
| VSX System Status |
-----------------------------------------------------------------------------
| VS ID: 0 VS Name: Athens |
-----------------------------------------------------------------------------
| Chassis 1 STANDBY |
-----------------------------------------------------------------------------
| SGM ID State Process Policy Date |
| 1 (local) UP Enforcing Security 09Jan14 11:30 |
| 2 UP Enforcing Security 09Jan14 11:30 |
| 3 DOWN Inactive NA |
| 4 UP Enforcing Security 09Jan14 11:30 |
| 5 UP Enforcing Security 09Jan14 11:30 |
| 6 UP Enforcing Security 09Jan14 11:30 |
-----------------------------------------------------------------------------
| Chassis 2 ACTIVE |
-----------------------------------------------------------------------------
| SGM ID State Process Policy Date |
| 1 UP Enforcing Security 09Jan14 11:30 |
| 2 UP Enforcing Security 09Jan14 11:30 |
| 3 UP Enforcing Security 09Jan14 11:30 |
| 4 UP Enforcing Security 09Jan14 11:30 |
| 5 UP Enforcing Security 09Jan14 11:30 |
| 6 UP Enforcing Security 09Jan14 11:30 |
-----------------------------------------------------------------------------
... ... ...

This output shows:

• Chassis 1 is Standby with 5 SGMs UP.
• Chassis 2 is Active with 6 SGMs UP.
Explanation about the output:

Field Description
SGM ID Identifier of the SGM.
(local) marks the SGM on which you ran the command.
State State of the SGM:
• UP - The SGM is processing traffic
• DOWN - The SGM is not processing traffic
• Detached - No SGM is detected in a slot
To manually change the state of an SGM, use the asg sgm_admin command. This
command administratively changes the state to UP or DOWN. An SGM that is DOWN
because of a software or hardware problem cannot be changed to UP with this
command.
Process Status of the SGM security enforcement:
• Enforcing Security - UP and works properly
• Inactive - DOWN and is experiencing a problem. It is not handling traffic.
• Initial policy - The SGM is UP but the policy is not installed on the SGM.
Example output (bottom section):
... ... ...
--------------------------------------------------------------------------------
| Chassis Parameters |
--------------------------------------------------------------------------------
| Unit Chassis 1 Chassis 2 Unit Weight |
| |
| SGMs 5 / 6 (!) 6 / 6 (!) 6 |
| Ports |
| Standard 0 / 0 0 / 0 11 |
| Bond 2 / 2 2 / 2 11 |
| Other 0 / 0 0 / 0 6 |
| Sensors |
| Fans 9 / 9 9 / 9 5 |
| SSMs 2 / 2 2 / 2 11 |
| CMMs 2 / 2 2 / 2 6 |
| Power Supplies 4 / 4 3 / 3 6 |
| |
| Chassis Grade 133 / 139 139 / 139 - |
--------------------------------------------------------------------------------
| Minimum grade gap for chassis failover: 11 |
| Synchronization |
| Within chassis: Enabled (Default) |
| Between chassis: Enabled (Default) |
| Exception Rules: (Default) |
--------------------------------------------------------------------------------

Note - The X/X notation shows the number of components that are UP and the number of components
that must be UP. For example, on the SGMs line, 6/6 means that 6 SGMs are UP and 6 must be UP.


Field Description
Chassis Grade The sum of the grades of all components. In a Dual-Chassis deployment,
the Chassis with a higher grade (by at least the Minimum grade gap)
becomes ACTIVE. The grade of each component is the unit weight
multiplied by the number of components that are UP.
You can configure the unit weight of each component to show the
importance of the component in the system.
To configure the unit weight run:
> set chassis high-availability factors <sensor_name>
For example, to change the weight of the SGM to 12, run:
> set chassis high-availability factors sgm 12
If you run asg stat -v, the output shows the higher unit weight and Chassis grade.
Minimum grade gap for chassis failover Chassis failover occurs to the Chassis with the higher grade
only if its grade is greater than the grade of the other Chassis by more than the minimum gap.
Minimum threshold for traffic processing - The minimum grade
required for the Chassis to become Active.
Synchronization Status of synchronization:
• Within chassis - Between SGMs located in the same Chassis
• Between chassis - Between SGMs located in different Chassis
• Exception Rules - User configured exception rules. To configure, run:
g_sync_exception
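As an added example (not part of this guide or of the Check Point software), the Python below parses the Chassis Parameters block from the asg stat -v -vs 0,1,2 output and recomputes the Chassis Grade with the rule described above (unit weight multiplied by components UP, failover only when the other Chassis leads by more than the minimum gap). The regexes, the dataclass names and the what-if helper for a changed unit weight are this example's own assumptions about the output layout.

```python
"""Recompute the Chassis Grade from the 'Chassis Parameters' block of asg stat -v.

Added illustration, not Check Point code.  It applies the rule stated in this
section (component grade = unit weight x components UP; failover only when the
other Chassis leads by more than the minimum grade gap) to output text copied
from the asg stat -v -vs 0,1,2 example in the guide.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: the Chassis Parameters block from the guide's example (spacing
# collapsed as in the guide; group headers such as "Ports" carry no numbers).
SAMPLE_BLOCK = """\
| Unit Chassis 1 Chassis 2 Unit Weight |
| SGMs 3 / 4 (!) 4 / 4 6 |
| Ports |
| Standard 0 / 0 0 / 0 50 |
| Other 0 / 0 0 / 0 6 |
| Sensors |
| Fans 6 / 6 6 / 6 5 |
| SSMs 2 / 2 2 / 2 11 |
| CMMs 2 / 2 2 / 2 6 |
| Power Supplies 6 / 6 6 / 6 6 |
| Chassis Grade 118 / 124 124 / 124 - |
| Minimum grade gap for chassis failover: 11 |
"""

# One component row: name, "up / required" per Chassis (an optional "(!)"
# flags a degraded unit), then the numeric unit weight.  The Chassis Grade
# row has "-" as weight and is therefore matched separately.
COMPONENT_RE = re.compile(
    r"^\|\s*([A-Za-z][A-Za-z ]*?)\s+(\d+)\s*/\s*(\d+)(?:\s*\(!\))?"
    r"\s+(\d+)\s*/\s*(\d+)(?:\s*\(!\))?\s+(\d+)\s*\|$"
)
GRADE_RE = re.compile(r"Chassis Grade\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*/\s*(\d+)")
GAP_RE = re.compile(r"Minimum grade gap for chassis failover:\s*(\d+)")


@dataclass
class Component:
    name: str
    up: tuple[int, int]        # components UP on (Chassis 1, Chassis 2)
    required: tuple[int, int]  # components that must be UP
    weight: int                # unit weight (set chassis high-availability factors)


@dataclass
class ChassisParameters:
    components: list[Component]
    reported_grade: tuple[tuple[int, int], tuple[int, int]]  # (current, required) per Chassis
    min_gap: int


def parse_chassis_parameters(text: str) -> ChassisParameters:
    components, reported, gap = [], None, None
    for line in text.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            name, u1, r1, u2, r2, w = m.groups()
            components.append(Component(name.strip(), (int(u1), int(u2)),
                                        (int(r1), int(r2)), int(w)))
            continue
        m = GRADE_RE.search(line)
        if m:
            reported = ((int(m[1]), int(m[2])), (int(m[3]), int(m[4])))
        m = GAP_RE.search(line)
        if m:
            gap = int(m[1])
    if reported is None or gap is None:
        raise ValueError("Chassis Grade or minimum gap line not found")
    return ChassisParameters(components, reported, gap)


def compute_grade(components: list[Component], chassis: int) -> tuple[int, int]:
    """(current grade, required grade) for chassis index 0 (Chassis 1) or 1 (Chassis 2)."""
    current = sum(c.weight * c.up[chassis] for c in components)
    required = sum(c.weight * c.required[chassis] for c in components)
    return current, required


def degraded_components(components: list[Component], chassis: int) -> list[str]:
    """Units that lower the grade, i.e. the rows asg stat marks with (!)."""
    return [c.name for c in components if c.up[chassis] < c.required[chassis]]


def should_fail_over(active_grade: int, standby_grade: int, min_gap: int) -> bool:
    """Failover to Standby only if it leads the Active Chassis by more than min_gap."""
    return standby_grade - active_grade > min_gap


def regrade_with_weight(components: list[Component], name: str,
                        new_weight: int, chassis: int) -> tuple[int, int]:
    """What-if grade after 'set chassis high-availability factors <unit> <weight>'."""
    adjusted = [Component(c.name, c.up, c.required,
                          new_weight if c.name.lower() == name.lower() else c.weight)
                for c in components]
    return compute_grade(adjusted, chassis)


if __name__ == "__main__":
    params = parse_chassis_parameters(SAMPLE_BLOCK)
    for idx in (0, 1):
        cur, req = compute_grade(params.components, idx)
        print(f"Chassis {idx + 1}: {cur} / {req} (reported {params.reported_grade[idx]}) "
              f"degraded={degraded_components(params.components, idx)}")
    active = compute_grade(params.components, 1)[0]   # Chassis 2 is ACTIVE in the example
    standby = compute_grade(params.components, 0)[0]
    print("failover to Chassis 1:", should_fail_over(active, standby, params.min_gap))
```

Raising the SGM weight to 12, as in the example command above, changes only the SGM rows and so widens the gap between a Chassis with a failed SGM and a healthy one.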

Compact Output for Selected Virtual Systems


Syntax
> asg stat -v -vs <VSID1>,<VSID2>,<VSID3>,...,<VSIDn>

Example output:
> asg stat -v -vs 0,1,2
------------------------------------------------------------------------------
| Chassis 1 STANDBY |
------------------------------------------------------------------------------
|SGM |1 |2 |3 |4 | - | - | - | - | - | - | - | -|
------------------------------------------------------------------------------
|State | UP | UP |DOWN | UP | - | - | - | - | - | - | - | -|
------------------------------------------------------------------------------
| VS ID |
------------------------------------------------------------------------------
| 0 | ES | ES | ES | ES | - | - | - | - | - | - | - | -|
------------------------------------------------------------------------------
| 1 | ES | ES | ES | ES | - | - | - | - | - | - | - | -|
------------------------------------------------------------------------------
| 2 | ES | ES | ES | ES | - | - | - | - | - | - | - | -|
------------------------------------------------------------------------------
| Chassis 2 ACTIVE |
------------------------------------------------------------------------------
|SGM |1 (l)|2 |3 |4 | - | - | - | - | - | - | - | -|
------------------------------------------------------------------------------
|State | UP | UP | UP | UP | - | - | - | - | - | - | - | -|
------------------------------------------------------------------------------
| VS ID |
------------------------------------------------------------------------------
| 0 | ES | ES | ES | ES | - | - | - | - | - | - | - | -|
------------------------------------------------------------------------------
| 1 | ES | ES | ES | ES | - | - | - | - | - | - | - | -|
------------------------------------------------------------------------------
| 2 | ES | ES | ES | ES | - | - | - | - | - | - | - | -|
------------------------------------------------------------------------------
| Chassis Parameters |
------------------------------------------------------------------------------
| Unit Chassis 1 Chassis 2 Unit Weight |
| |
| SGMs 3 / 4 (!) 4 / 4 6 |
| Ports |
| Standard 0 / 0 0 / 0 50 |
| Other 0 / 0 0 / 0 6 |
| Sensors |
| Fans 6 / 6 6 / 6 5 |
| SSMs 2 / 2 2 / 2 11 |
| CMMs 2 / 2 2 / 2 6 |
| Power Supplies 6 / 6 6 / 6 6 |
| |
| Chassis Grade 118 / 124 124 / 124 - |
------------------------------------------------------------------------------
| Minimum grade gap for chassis failover: 11 |
| Synchronization |
| Within chassis: Enabled (Default) |
| Between chassis: Enabled (Default) |
| Exception Rules: (Default) |
| Distribution |
| Control Blade: Disabled (Default) |
| Chassis HA mode: Active Up |
------------------------------------------------------------------------------

Output State Acronyms


To see a list of the acronyms that show in the reports, run:
> asg stat -l

Example output:
> asg stat -l
Legend:

SGM States:
ACT - ACTIVE
DTC - DETACHED
DWN - DOWN
NSG - NOT IN SECURITY GROUP

VS States:
ES - Enforcing Security
FSC - FullSync Client
FSS - FullSync Server
IAC - Inactive
IF - Iteration Finished
IPO - Initial Policy
IS - Iteration Started
NPO - No Policy
PC - Policy Completed
PRF - Policy Ready2Finish
PS - Policy Started
>


Monitoring Chassis and Component Status (asg monitor)


Description
Use the asg monitor command to continuously monitor Chassis and component status.
This command shows the same information as asg stat, but the information stays on the screen
and refreshes at user-specified intervals (default = 1 second). To stop the monitor session, press
CTRL-C.
Note - If you run this command in a Virtual System context, you only see the output for that Virtual
System. You can also specify the Virtual System as a command parameter.

Syntax
> asg monitor -h
> asg monitor
> asg monitor [-v|-all] [-amw] [-vs <VS_IDs>] <Interval>
> asg monitor -l

Parameters
Parameter Description
No Parameters Shows the SGM status.
-h Shows the command syntax and help information.
-amw Shows the Anti-Malware policy date instead of the Firewall policy
date.
-v Shows only Chassis component status.
-all Shows both SGM and Chassis component status.
<Interval> Sets the data refresh interval (in seconds) for this session.
-vs <VS_IDs> Shows the component status for one or more Virtual Systems.
<VS_IDs> can be:
• No <VS_IDs> (default) - Uses the current Virtual System context
• One Virtual System
• A comma-separated list of Virtual Systems (1, 2, 4, 5)
• A range of Virtual Systems (VS 3-5)
• all - Shows all Virtual Systems
Note - This parameter is only applicable in a VSX environment.
If <VS_IDs> is omitted, output shows the information for the current
Virtual System context.
For a Chassis with more than 3 SGMs, the output uses abbreviations to make
the output more compact.
-l Shows the legend of column title abbreviations.


Example 1 - Shows the SGM status with the Anti-Malware policy date:
> asg monitor -amw
---------------------------------------------------------------------------
| Chassis 1 ACTIVE |
---------------------------------------------------------------------------
| SGM ID State Process AMW Policy Date |
| 1 UP Enforcing Security 10Feb14 19:56 |
| 2 (local) UP Enforcing Security 10Feb14 19:56 |
| 3 UP Enforcing Security 10Feb14 19:56 |
| 4 UP Enforcing Security 10Feb14 19:56 |
---------------------------------------------------------------------------
| Chassis 2 STANDBY |
---------------------------------------------------------------------------
| SGM ID State Process AMW Policy Date |
| 1 UP Enforcing Security 10Feb14 19:56 |
| 2 UP Enforcing Security 10Feb14 19:56 |
| 3 UP Enforcing Security 10Feb14 19:56 |
| 4 UP Enforcing Security 10Feb14 19:56 |
---------------------------------------------------------------------------
| Chassis HA mode: Active Up |
---------------------------------------------------------------------------
>

Example 2 - Shows the Chassis component status:


> asg monitor -v
-----------------------------------------------------------------------------
| Chassis Parameters |
-----------------------------------------------------------------------------
| Unit Chassis 1 Chassis 2 Unit Weight |
| |
| SGMs 4 / 4 3 / 4 (!) 6 |
| Ports |
| Standard 2 / 2 2 / 2 11 |
| Bond 2 / 2 2 / 2 11 |
| Mgmt 1 / 1 1 / 1 11 |
| Other 0 / 0 0 / 0 6 |
| Sensors |
| Fans 4 / 6 (!) 6 / 6 5 |
| SSMs 2 / 2 2 / 2 11 |
| CMMs 2 / 2 2 / 2 6 |
| Power Supplies 3 / 5 (!) 3 / 5 (!) 6 |
| |
| Chassis Grade 157 / 173 155 / 173 - |
-----------------------------------------------------------------------------
| Minimum grade gap for chassis failover: 200 |
| Synchronization |
| Within chassis: Enabled (Default) |
| Between chassis: Enabled (Default) |
| Exception Rules: (Default) |
-----------------------------------------------------------------------------
| Chassis HA mode: Primary Up (Chassis 1) |
-----------------------------------------------------------------------------
>

Example 3 - Shows the status of the SGMs and Virtual System 3:


> asg monitor -vs 3
--------------------------------------------------------------------------------
| Chassis 1 ACTIVE |
--------------------------------------------------------------------------------
|SGM |1 (l)|2 |3 |4 | - | - | - | - | - | - | - | - |
--------------------------------------------------------------------------------
|State | UP | UP | UP | DWN | - | - | - | - | - | - | - | - |
--------------------------------------------------------------------------------
| VS ID |
--------------------------------------------------------------------------------
| 3 | ES | ES | ES | IAC | - | - | - | - | - | - | - | - |
--------------------------------------------------------------------------------
>


Monitoring Performance (asg perf)


Description
Use asg perf to continuously monitor key performance indicators and load statistics. Separate
parameters select IPv4 and IPv6 statistics: you can show the performance statistics for IPv4 traffic,
for IPv6 traffic, or for all traffic.
When you run asg perf, the statistics show on the screen. The output automatically updates after
a predefined interval (default = 10 seconds). To stop asg perf and return to the command line,
press: e

Syntax
> asg perf -h
> asg perf [-b <SGM_IDs>] [-vs <VS_IDs>] [-k] [-v] [-vv] [-p] [-4 | -6] [-c]
> asg perf [-b <SGM_IDs>] [-vs <VS_IDs>] [-k] [--peak_hist | --perf_hist] [-e]
[--delay <seconds>]
> asg perf [-b <SGM_IDs>] [-vs <VS_IDs>] [-v] [-vv [ mem [fwk | cpd | fwd |
all_daemons] | cpu [1m | 1h | 24h]]]

Parameters
Parameter Description
-h Shows the command syntax and help information.
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-vs <VS_IDs> Shows the Chassis status of Virtual Systems.
<VS_IDs> can be:
• No <VS_IDs> (default) - Uses the current Virtual System context
• One Virtual System
• A comma-separated list of Virtual Systems (1, 2, 4, 5)
• A range of Virtual Systems (VS 3-5)
• all - Shows all Virtual Systems
Note - This parameter is only applicable in a VSX environment.
If <VS_IDs> is omitted, output shows the information for the current Virtual
System context.
-v Shows statistics for each SGM.
-vv Shows statistics for each Virtual System.
Note - This parameter is only relevant in a VSX environment.
mem Shows memory usage for each daemon.
Use this with -vv.
Possible values:
• fwk (Default)
• fwd
• cpd
• all_daemons
cpu Shows CPU usage for a specified period of time.
Use this with -vv.
Possible values:
• 1m (default) - The last 60 seconds
• 1h - The last hour
• 24h - The last 24 hours
-p Show detailed statistics and traffic distribution between these paths on the
Active Chassis:
• Acceleration path (SecureXL)
• Medium path (PXL)
• Slow path (Firewall)
-4 | -6 • -4 - Shows IPv4 information only.
• -6 - Shows IPv6 information only.
If no value is specified, the combined performance information for both IPv4
and IPv6 shows.
-c Shows percentages instead of absolute values.
-k Shows peak (maximum) system performance values.

--peak_hist Creates an exportable text file that contains all data saved in the peak
performance files. You must use this parameter together with -k.
--perf_hist Creates exportable text files that contain all performance data saved in the
history files. You must use this parameter together with -k.
-e Resets peak values and deletes all peaks files and system history files.
--delay <seconds> Temporarily changes the update interval for the current asg perf session.
Enter a delay value in seconds. Default = 10 seconds.

Notes:
• The -b <SGM_IDs> and -vs <VS_IDs> parameters must be at the start of the command.
If both parameters are used, -b <SGM_IDs> must be first.
• If your 60000/40000 Security System is not configured for VSX, the VSX related commands are
not available. They do not show when you run the asg perf -h command.


Summary without Parameters (asg perf)


Example:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg perf
Thu May 21 08:17:24 IDT 2015
Aggregated statistics (IPv4 Only) of SGMs: chassis_active VSs: 0
+--------------------------------------------------------------+
|Performance Summary |
+----------------------------------------------+---------------+
|Name |Value |
+----------------------------------------------+---------------+
|Throughput |751.6 K |
|Packet rate |733 |
|Connection rate |3 |
|Concurrent connections |142 |
|Load average |2% |
|Acceleration load (avg/min/max) |1%/0%/4% |
|Instances load (avg/min/max) |2%/0%/8% |
|Memory usage |10% |
+----------------------------------------------+---------------+
* Instances / Acceleration Cores: 8 / 4
* Activated SWB: FW,IPS
[Global] MyChassis-ch01-01 >

Notes:
• By default, absolute values are shown.
• Unless otherwise specified, the combined statistics for IPv4 and IPv6 are shown.
• When no SGMs are specified, performance statistics are shown for the Active SGM only.

Output with Performance Summary (asg perf -v)


The -v parameter adds a performance summary for each SGM.
Example:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg perf -vs all -v -vv cpu 24h
Tue Oct 22 07:23:37 IST 2013
Aggregated statistics (IPv4 and IPv6) of SGMs: chassis_active Virtual Systems: 0
+-------------------------------------------------------------------------+
|Performance Summary |
+---------------------------------------------+-------------+-------------+
|Name |Value |IPv4% |
+---------------------------------------------+-------------+-------------+
|Throughput |10.2 K |100% |
|Packet rate |11 |100% |
|Connection rate |0 |N/A |
|Concurrent connections |22 |100% |
|Load average |7% | |
|Acceleration load (avg/min/max) |6%/6%/6% | |
|Instances load (avg/min/max) |5%/4%/9% | |
|Memory usage |55% | |
+---------------------------------------------+-------------+-------------+

+-------------------------------------------------------------------------+
|Per SGM Distribution Summary |
+-----+-----------+--------+--------+--------+----------+----------+------+
|SGM |Throughput |Packet |Conn. |Concu. |Accel. |Instances |Mem. |
|ID | |Rate |Rate |Conn |Cores% |Cores% |Usage%|
+-----+-----------+--------+--------+--------+----------+----------+------+
|1_01 |10.2 K |11 |0 |22 |6/6/6 |5/4/9 |55% |
+-----+-----------+--------+--------+--------+----------+----------+------+
|Total|10.2 K |11 |0 |22 |6/6/6 |5/4/9 |55% |
+-----+-----------+--------+--------+--------+----------+----------+------+

+-----------------------------------+
|Per VS CPU Usage Summary |
+-----+---------+---------+---------+
|VS ID|Avg. Cpu%|Min. Cpu%|Max. Cpu%|
| | |(SGM id) |(SGM id) |
+-----+---------+---------+---------+
| 0 |2 |1 (1_02)|2 (1_01)|
| 1 |0 |0 (1_01)|0 (1_04)|
+-----+---------+---------+---------+
* CPU stats is aggregated over the last 24hrs
[Global] MyChassis-ch01-01 >

Make sure that resource control monitoring is enabled on all SGMs. To enable resource control
monitoring, in the Expert mode run:
# g_fw vsx resctrl monitor enable
By default, absolute values are shown.

Notes:
• Average, minimum and maximum values are calculated across all active SGMs.
• The SGM ID with the minimum and maximum value shows in brackets for each SGM.
• Unless otherwise specified, the combined statistics for both IPv4 and IPv6 are shown.
• When no SGMs are specified, performance statistics are shown for the active SGM only.

Virtual System Memory Summary with Performance Summary (asg perf -vs all -vv mem)
The -vv mem parameter shows memory usage for each Virtual System across all Active SGMs.
Example:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg perf -vs all -vv mem
Tue Jul 29 16:05:44 IDT 2014
Aggregated statistics (IPv4 Only) of SGMs: chassis_active VSs: all
+--------------------------------------------------------------+
|Performance Summary |
+----------------------------------------------+---------------+
|Name |Value |
+----------------------------------------------+---------------+
|Throughput |684.5 K |
|Packet rate |700 |
|Connection rate |3 |
|Concurrent connections |144 |
|Load average |2% |
|Acceleration load (avg/min/max) |0%/0%/1% |
|Instances load (avg/min/max) |2%/0%/12% |
|Memory usage |10% |
+----------------------------------------------+---------------+
* Instances / Acceleration Cores: 8 / 4
+--------------------------------------------------------------------------+
|Per VS Memory Summary |
+--------+-------------+-------------+-------------+-------------+---------+
| VS ID | User Space | Memory in | FWK memory | Total memory| CPU |
| | memory | Kernel | | | Usage % |
+--------+-------------+-------------+-------------+-------------+---------+
| 0 max|222.3M (1_01)|1.658G (1_04)|47.11M (1_04)|1.880G (1_04)| N/A |
| min|215.8M (1_03)|1.213G (1_01)|45.55M (1_03)|1.249G (1_01)| N/A |
+--------+-------------+-------------+-------------+-------------+---------+
| 1 max|56.34M (1_02)| 0K (1_04) |31.16M (1_02)|56.34M (1_02)| N/A |
| min|54.24M (1_01)| 0K (1_04) |29.52M (1_03)|54.24M (1_01)| N/A |
+--------+-------------+-------------+-------------+-------------+---------+
* Maximum and minimum values are calculated across all active SGMs
[Global] MyChassis-ch01-01 >

Notes:
• The SGM that uses the most user space memory on Virtual System 1 is SGM 1_01
• The SGM that uses the least fwk daemon memory on Virtual System 3 is SGM 1_02
• This information shows only if vsxmstat is enabled for perfanalyze use
• Make sure that the vsxmstat feature is enabled (vsxmstat status_raw)


Per Path Statistics (asg perf -p -v)


This example shows detailed performance information for each SGM and traffic distribution
between different paths. It also shows VPN throughput and connections.
Example:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg perf -p -v
Tue Oct 22 07:31:31 IST 2013
Aggregated statistics (IPv4 and IPv6) of SGMs: chassis_active Virtual Systems: 0
+-------------------------------------------------------------+
|Performance Summary |
+----------------------------------------+--------------------+
|Name |Value |
+----------------------------------------+--------------------+
|Throughput |3.3 G |
|Packet rate |6.2 M |
|Connection rate |0 |
|Concurrent connections |3.4 K |
|Load average |54% |
|Acceleration load (avg/min/max) |58%/48%/68% |
|Instances load (avg/min/max) |3%/1%/5% |
|Memory usage |18% |
+----------------------------------------+--------------------+

+---------------------------------------------------------------------------------------+
|Per SGM Distribution Summary |
+-------+------------+------------+-----+-----------+-------------+--------------+------+
|SGM ID |Throughput |Packet rate |Conn.|Concurrent |Core usage |Core Instances|Memory|
| | | |Rate |Connections|avg/min/max %|avg/min/max % |Usage |
+-------+------------+------------+-----+-----------+-------------+--------------+------+
|1_01 |644.3 M |1.2 M |0 |520 |52/44/62 |6/3/10 |18% |
|1_02 |526.7 M |997.1 K |0 |512 |61/51/68 |2/0/5 |18% |
|1_03 |526.6 M |997.0 K |0 |512 |62/53/73 |2/1/3 |18% |
|1_04 |526.7 M |997.0 K |0 |804 |54/48/60 |2/1/3 |18% |
|1_05 |526.7 M |997.1 K |0 |512 |59/45/76 |3/1/5 |18% |
|1_06 |526.7 M |997.1 K |0 |512 |61/52/70 |4/4/5 |18% |
+-------+------------+------------+-----+-----------+-------------+--------------+------+
|Total |3.3 G |6.2 M |0 |3.4 K |58/48/68 |3/1/5 |18% |
+-------+------------+------------+-----+-----------+-------------+--------------+------+

+-----------------------------------------------------------------------------------+
|Per Path Distribution Summary |
+-------------------------+------------+------------+------------+------------------+
| |Acceleration|Medium |Firewall |Dropped |
+-------------------------+------------+------------+------------+------------------+
|Throughput |3.2 G |0 |2.1 M |117.6 M |
|Packet rate |6.0 M |0 |1.4 K |222.8 K |
|Connection rate |0 |0 |0 | |
|Concurrent connections |3.2 K |0 |156 | |
+-------------------------+------------+------------+------------+------------------+

+----------------------------------------+--------------------+
|VPN Performance |
+----------------------------------------+--------------------+
|VPN throughput |2.9 G |
|VPN connections |3.1 K |
+----------------------------------------+--------------------+
[Global] MyChassis-ch01-01 >

Showing Peak Values (asg perf -p)


This example shows peak values for one Virtual System.
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg perf -vs 0-1 -p
Aggregated statistics (IPv4 and IPv6) of SGMs: all Virtual Systems: 0-1
+-------------------------------------------------------------------------+
|Performance Summary |
+--------------------------------------------+---------------+------------+
|Name |Value |IPv4% |
+--------------------------------------------+---------------+------------+
|Throughput |1.7 K |100% |
|Packet rate |2 |100% |
|Connection rate |0 |N/A |
|Concurrent connections |20 |100% |
|Load average |6% | |
|Acceleration load (avg/min/max) |5%/5%/5% | |
|Instances load (avg/min/max) |5%/3%/10% | |
|Memory usage |57% | |
+--------------------------------------------+---------------+------------+
+------------------------------------------------------------------------+
|Per Path Distribution Summary |
+------------------+------------+--------------+--------------+-----------+
| |Acceleration|Medium |Firewall |Dropped |
+------------------+------------+--------------+--------------+-----------+
|Throughput |0 |0 |1.7 K |0 |
|Packet rate |0 |0 |2 |0 |
|Connection rate |0 |0 |0 | |
|Concurrent conn. |10 |0 |10 | |
+------------------+------------+--------------+--------------+-----------+
[Global] MyChassis-ch01-01 >

Showing History and Peak Value Files


The Scalable Platform periodically saves historical system performance and peak value data. New
history files are created based on a predefined interval (Default is every 4 hours). New peak value
files are created whenever a new peak value is detected. You can find these files in the
/var/log/asgstats/ directory.
The system saves these files until a predefined maximum number of files is reached. When the
maximum number of files is reached, files are deleted on an oldest-first basis. You can also delete
all history and peak value files manually.
System performance data includes these parameters:
• Throughput
• Packet rate
• Connection rate
• Concurrent connections
• Acceleration load
• Firewall load
• Memory consumption
You can collect the data contained in the history and peak value files and save it into two
comma-separated-value text files. There is one combined file for historical system performance
data and another for peak values. You can export these files and analyze them in a spreadsheet or
statistical analysis application. The combined files are saved in the
$FWDIR/conf/asgpeaks.conf file.
To create the combined text files, run:
> asg perf -k --peak_hist
> asg perf -k --perf_hist

To delete the history and peak value files, run:
> asg perf -k -e


Configuring Alert Thresholds (set chassis alert_threshold)


Description
You can configure alert thresholds for performance and hardware monitoring alerts.
Run these commands from gClish to:
• Set the hardware and performance alert thresholds.
• Show the alert configuration

Syntax
> set chassis alert_threshold <threshold_name> <value>
> show chassis alert_threshold <threshold_name>

Parameters
Parameter Description
<threshold_name> Threshold name as specified in the table below.
<value> High or low value for the applicable threshold.

Example - Set the memory utilization high limit to 70% of installed memory:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > set chassis alert_threshold mem_util_threshold_perc_high 70
[Global] MyChassis-ch01-01 >

Working with Alert Thresholds


Performance Alert Thresholds:

Threshold Name Scope Description
concurr_conn_threshold_high SGM Concurrent connections - High limit
concurr_conn_threshold_low_ratio SGM Concurrent connections - Low limit (% of high limit)
concurr_conn_total_threshold_high System Concurrent connections - High limit
concurr_conn_total_threshold_low_ratio System Concurrent connections - Low limit (% of high limit)
conn_rate_threshold_high SGM Connection rate per second - High limit
conn_rate_threshold_low_ratio SGM Connection rate per second - Low limit (% of high limit)
conn_rate_total_threshold_high System Connection rate per second - High limit
conn_rate_total_threshold_low_ratio System Connection rate per second - Low limit (% of high limit)
cpu_load_threshold_perc_high SGM CPU load (%) - High limit
cpu_load_threshold_perc_low_ratio SGM CPU load (%) - Low limit (% of high limit)
hd_util_threshold_perc_high SGM Disk utilization (%) - High limit
hd_util_threshold_perc_low_ratio SGM Disk utilization (%) - Low limit (% of high limit)
mem_util_threshold_perc_high SGM Memory utilization (%) - High limit
mem_util_threshold_perc_low_ratio SGM Memory utilization (%) - Low limit (% of high limit)
packet_rate_threshold_high SGM Packet rate per second - High limit
packet_rate_threshold_low_ratio SGM Packet rate per second - Low limit (% of high limit)
packet_rate_total_threshold_high System Packet rate per second - High limit
packet_rate_total_threshold_low_ratio System Packet rate per second - Low limit (% of high limit)
throughput_threshold_high SGM Throughput (bps) - High limit
throughput_threshold_low_ratio SGM Throughput (bps) - Low limit (% of high limit)
throughput_total_threshold_high System Throughput (bps) - High limit
throughput_total_threshold_low_ratio System Throughput (bps) - Low limit (% of high limit)
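As an added example (not the guide's own code), the Python below parses a constructed set of set chassis alert_threshold commands that use the names in this table, derives each low limit from its low ratio, and evaluates a stream of readings against the pair. It assumes, because the guide only defines the two values, that reaching the high limit raises an alert and that the alert clears only once a reading drops below the low limit.

```python
"""Hysteresis evaluation of the high / low-ratio alert threshold pairs.

Added example, not Check Point code.  The guide defines each pair as a high
limit plus a low limit expressed as a percentage of the high limit.  The
assumption made here (not stated in the guide) is that an alert is raised
when a reading reaches the high limit and cleared only when a reading drops
below the low limit, so a value oscillating just under the high limit does
not flap.  The set commands below are constructed sample settings.
"""
import re

SET_RE = re.compile(r"^set chassis alert_threshold (\S+) (\d+(?:\.\d+)?)$")

# Constructed sample configuration; the threshold names come from the table above.
SAMPLE_COMMANDS = """\
set chassis alert_threshold cpu_load_threshold_perc_high 90
set chassis alert_threshold cpu_load_threshold_perc_low_ratio 80
set chassis alert_threshold mem_util_threshold_perc_high 70
set chassis alert_threshold mem_util_threshold_perc_low_ratio 90
set chassis alert_threshold conn_rate_total_threshold_high 50000
set chassis alert_threshold conn_rate_total_threshold_low_ratio 75
"""


def parse_thresholds(text: str) -> dict:
    """Map metric prefix -> {"high", "low", "scope"} with low = high * ratio / 100.

    The metric prefix is the name without its _high / _low_ratio suffix,
    e.g. cpu_load_threshold_perc.  Names containing _total_ are System scope
    in the guide's table; all others are per SGM.
    """
    raw = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            raw[m[1]] = float(m[2])
    limits = {}
    for name, value in raw.items():
        if not name.endswith("_high"):
            continue
        metric = name[: -len("_high")]
        ratio = raw.get(metric + "_low_ratio")
        if ratio is None:
            raise ValueError(f"{name} has no matching _low_ratio setting")
        if not 0 < ratio <= 100:
            raise ValueError(f"{metric}_low_ratio must be a percentage, got {ratio}")
        limits[metric] = {
            "high": value,
            "low": value * ratio / 100.0,
            "scope": "System" if "_total_" in metric else "SGM",
        }
    return limits


class AlertState:
    """Track which metrics are currently in alert (one state per metric)."""

    def __init__(self, limits: dict):
        self.limits = limits
        self.active = set()

    def feed(self, metric: str, value: float):
        """Return "raise", "clear" or None for a single reading."""
        lim = self.limits[metric]
        if metric not in self.active and value >= lim["high"]:
            self.active.add(metric)
            return "raise"
        if metric in self.active and value < lim["low"]:
            self.active.discard(metric)
            return "clear"
        return None


def evaluate(limits: dict, readings) -> list:
    """Run (metric, value) readings in order and return the events they generate."""
    state = AlertState(limits)
    events = []
    for metric, value in readings:
        event = state.feed(metric, value)
        if event:
            events.append((metric, value, event))
    return events


if __name__ == "__main__":
    cfg = parse_thresholds(SAMPLE_COMMANDS)
    cpu = [("cpu_load_threshold_perc", v) for v in (50, 91, 85, 75, 70, 95)]
    for ev in evaluate(cfg, cpu):
        print(ev)
```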


Global Operating System Commands


Global operating system commands are standard Linux commands that run on all or specified
SGMs. When you run a global command in the gClish shell, the operating system runs a global
script that is the standard Linux command on the SGMs. When you run a command in Expert
Mode, it works as a standard Linux command. To use the global command in Expert Mode, run the
global command script version as shown in this table:

gClish Command Global Command - Expert Mode


arp g_arp
cat g_cat
cp g_cp
dmesg g_dmesg
ethtool g_ethtool
ls g_ls
md5sum g_md5sum
mv g_mv
netstat g_netstat
reboot g_reboot
tail g_tail
tcpdump g_tcpdump
ifconfig asg_ifconfig
top g_top

The parameters and options for the standard Linux command are available for the global
command. You can use the -b parameter to select some or all SGMs for the global command.

Syntax
{<gClish_command> | <global_command>} [-b <SGM_IDs>] [<command_options>]

Parameters
Parameter Description
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and
Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
Note - You can only select SGMs from one Chassis with this option.
<gClish_command> Standard command in gClish.


Parameter Description
<global_command> Global command as shown in the table in Expert Mode.
<command_options> Standard command options for the specified command.

Note - You can use one or more flags. However, do not use the -l and -r flags together.

Global 'ls'
Description
This command lists the files in the specified directory on all or selected SGMs.

Syntax
# g_ls [-b <SGM_IDs>] [<command_options>]
> ls [-b <SGM_IDs>] [<command_options>]

Example
This example runs the g_ls command in Expert mode on SGMs 1_1, 1_2, and 1_3.
The example output shows the combined results for these SGMs.
[Expert@MyChassis-ch01-01:0]# g_ls -b 1_1-1_3,2_1 /var/
-*- 4 blades: 1_01 1_02 1_03 -*-
CPbackup ace crash lib log opt run suroot
CPsnapshot cache empty lock mail preserve spool tmp
[Expert@MyChassis-ch01-01:0]#

Global 'reboot'
Description
This command reboots all SGMs. Because all the selected SGMs reboot at the same time, traffic through them is interrupted until they return to the UP state.

Syntax
# g_reboot [-a]
> reboot [-a]

Parameters
Parameter Description
No parameter Reboots only the SGMs that are in the UP state.
-a Reboots all SGMs, in both the DOWN and UP states.

Global 'top'
Description
The global top command shows SGM processor activity in real time. The default output also lists the most processor-intensive processes.
The global top command uses the configuration of the local top utility: the configuration file of the SGM you run it on is applied to the output from the remote SGMs.
In addition to the standard functionality of the Linux top command, the global top command adds these options for the Scalable Platform.

Syntax
# g_top -h
# g_top [local] [-f [-o <filename>] [-n <iter>] | -s <filename>] [-b <SGM_IDs>] [<top_params>]

Parameters
Parameter Description
-h Shows the built-in help.
local Use the local configuration file.
-f Export the output to a file.
-o <filename> File and path of the output file.
Default = /var/log/gtop.<time>
Use with -f
-n <iter> Number of iterations.
Default = 1
Use with -f
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and
Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
<top_params> Parameters of the standard top command.
For more information, see the top command documentation.
-s <filename> Shows the content of the output file <filename>.

The top command uses a configuration file to control the output display. By default, g_top copies the configuration file of the local blade (usually ~/.toprc) to all SGMs and uses it when top runs there.

To manage the 'g_top' display:

1. Run:
# top
2. Set the desired display view (press h to see the built-in help).
3. Press Shift+W to save the configuration.
4. Run:
# g_top

To send output to a file

At times, it is more convenient to send g_top output to a file, for example, when there are more SGMs than the screen can show.
To enable File Mode, run:
# g_top -f

Global 'arp'
Description
This command shows the ARP cache table on all or selected SGMs.

Syntax
# g_arp [-b <SGM_IDs>] [<command_options>]
> arp [-b <SGM_IDs>] [<command_options>]

Example - ARP table on all interfaces of all SGMs


[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > arp
1_01:
Address HWtype HWaddress Flags Mask Iface
192.0.2.2 ether 00:1C:7F:02:04:FE C Sync
172.23.9.28 ether 00:14:22:09:D2:22 C eth1-Mgmt4
192.0.2.3 ether 00:1C:7F:03:04:FE C Sync
1_02:
Address HWtype HWaddress Flags Mask Iface
192.0.2.3 ether 00:1C:7F:03:04:FE C Sync
172.23.9.28 ether 00:14:22:09:D2:22 C eth1-Mgmt4
192.0.2.1 ether 00:1C:7F:01:04:FE C Sync
1_03:
Address HWtype HWaddress Flags Mask Iface
192.0.2.1 ether 00:1C:7F:01:04:FE C Sync
172.23.9.28 ether 00:14:22:09:D2:22 C eth1-Mgmt4
192.0.2.2 ether 00:1C:7F:02:04:FE C Sync
[Global] MyChassis-ch01-01 >

Monitoring SGM Resources (asg resource)


Description
Use the asg resource command to show SGM resource usage and thresholds for the
60000/40000 Security System.

Syntax
> asg resource -h
> asg resource [-b <SGM_IDs>]

Parameters
Parameter Description
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-h Shows usage and exits

Example:
> asg resource
+-------------------------------------------------------------------------+
|Resource Table |
+------------+-------------------------+------------+------------+--------+
|SGM ID |Resource Name |Usage |Threshold |Total |
+------------+-------------------------+------------+------------+--------+
|1_01 |Memory |14% |50% |31.3G |
| |HD: / |22% |80% |19.4G |
| |HD: /var/log |1% |80% |58.1G |
| |HD: /boot |19% |80% |288.6M |
+------------+-------------------------+------------+------------+--------+
|1_02 |Memory |9% |50% |62.8G |
| |HD: / |23% |80% |19.4G |
| |HD: /var/log |1% |80% |58.1G |
| |HD: /boot |19% |80% |288.6M |
+------------+-------------------------+------------+------------+--------+
|1_03 |Memory |9% |50% |62.8G |
| |HD: / |23% |80% |19.4G |
| |HD: /var/log |1% |80% |58.1G |
| |HD: /boot |19% |80% |288.6M |
+------------+-------------------------+------------+------------+--------+
|2_01 |Memory |9% |50% |62.8G |
| |HD: / |23% |80% |19.4G |
| |HD: /var/log |1% |80% |58.1G |
| |HD: /boot |19% |80% |288.6M |
+------------+-------------------------+------------+------------+--------+
|2_02 |Memory |9% |50% |62.8G |
| |HD: / |23% |80% |19.4G |
| |HD: /var/log |1% |80% |58.1G |
| |HD: /boot |19% |80% |288.6M |
+------------+-------------------------+------------+------------+--------+
|2_03 |Memory |9% |50% |62.8G |
| |HD: / |23% |80% |19.4G |
| |HD: /var/log |1% |80% |58.1G |
| |HD: /boot |19% |80% |288.6M |
+------------+-------------------------+------------+------------+--------+
>

Output description

Column Description
SGM ID Shows the SGM ID.
Resource Name Identifies the resource. There are four resources:
• Memory
• HD: / - Hard drive space on the root file system
• HD: /var/log - Hard drive space committed to log files
• HD: /boot - Hard drive space on the partition that holds the kernel
Usage Shows the percentage of the resource in use.
Threshold Indicates the health and functionality of the component. When the usage of the resource is greater than the threshold, an alert is sent. The threshold can be modified in gClish.
Total Total absolute value, in units.
For example, the first row shows that SGM 1 on Chassis 1 has 31.3 GB of memory, 14% of which is used. An alert is sent if the usage is greater than 50%.
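The following Python is an added example (not Check Point code) that parses asg resource output into rows and applies the rule described above: a row is alerting when its usage exceeds its threshold. It also converts the percentage back into an absolute figure, which is what you need when deciding how much to purge from /var/log. The sample table is constructed in the format shown above, with /var/log on SGM 1_01 deliberately placed over its threshold so that the check finds something.

```python
"""Parse the 'asg resource' table and report resources above threshold.

Added example, not Check Point code. SAMPLE is constructed from the format
shown in the guide, with one row (/var/log on 1_01) pushed over its
threshold so that the check has something to find.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
+-------------------------------------------------------------------------+
|Resource Table                                                           |
+------------+-------------------------+------------+------------+--------+
|SGM ID      |Resource Name            |Usage       |Threshold   |Total   |
+------------+-------------------------+------------+------------+--------+
|1_01        |Memory                   |14%         |50%         |31.3G   |
|            |HD: /                    |22%         |80%         |19.4G   |
|            |HD: /var/log             |83%         |80%         |58.1G   |
|            |HD: /boot                |19%         |80%         |288.6M  |
+------------+-------------------------+------------+------------+--------+
|1_02        |Memory                   |9%          |50%         |62.8G   |
|            |HD: /                    |23%         |80%         |19.4G   |
|            |HD: /var/log             |1%          |80%         |58.1G   |
|            |HD: /boot                |19%         |80%         |288.6M  |
+------------+-------------------------+------------+------------+--------+
"""

_PCT = re.compile(r"^(\d+)%$")
_SIZE = re.compile(r"^(\d+(?:\.\d+)?)([KMGT])$")
_UNIT_GIB = {"K": 1 / 1024 ** 2, "M": 1 / 1024, "G": 1.0, "T": 1024.0}


@dataclass
class ResourceRow:
    sgm: str
    resource: str
    usage: int       # percent
    threshold: int   # percent
    total: str       # as printed, e.g. '31.3G'


def parse_asg_resource(text):
    """Return one ResourceRow per data row. The SGM ID is carried down to
    the rows that leave the first column blank."""
    rows, sgm = [], None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                                   # separator lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5:
            continue                                   # the title line
        first, name, usage, threshold, total = cells
        pct_u, pct_t = _PCT.match(usage), _PCT.match(threshold)
        if not (pct_u and pct_t):
            continue                                   # the column header
        sgm = first or sgm
        rows.append(ResourceRow(sgm, name, int(pct_u.group(1)),
                                int(pct_t.group(1)), total))
    return rows


def used_gib(row):
    """Absolute usage in GiB, derived from Total and the usage percentage."""
    m = _SIZE.match(row.total)
    if not m:
        raise ValueError(f"unparsed size {row.total!r}")
    return float(m.group(1)) * _UNIT_GIB[m.group(2)] * row.usage / 100


def over_threshold(rows):
    """Rows whose usage is greater than the threshold, i.e. the rows for
    which the system raises an alert."""
    return [(r.sgm, r.resource, r.usage, r.threshold)
            for r in rows if r.usage > r.threshold]


if __name__ == "__main__":
    rows = parse_asg_resource(SAMPLE)
    for sgm, name, usage, threshold in over_threshold(rows):
        print(f"ALERT {sgm} {name}: {usage}% used, threshold {threshold}%")
```

Run it against the saved output of asg resource -b all to get the same alert list the system would raise, plus the absolute usage that the table itself does not print.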


Searching for a Connection (asg search)

Use the asg search command in gClish or Expert mode to:
• Search for a connection or a filtered list of connections.
• See which SGM handles the connection, actively or as backup, and on which Chassis.
You can run this command directly with parameters or in Interactive Mode, where the command prompts you for each parameter in the required sequence.
The asg search command also runs a consistency test between SGMs.
This command supports both IPv4 and IPv6 connections.

Searching with the Command Line

Syntax
> asg search -help
> asg search [-v] [-vs <VS_IDs>] [<source_ip> <dest_ip> <dest_port> <protocol> [<source_port>]]

Parameters
Parameter Description
-help Shows the command syntax and help text.
Without parameters Runs in Interactive Mode.
-vs <VS_IDs> Shows connections for the specified Virtual Systems.
<VS_IDs> can be:
• No <VS_IDs> (default) - Uses the current Virtual System context
• One Virtual System (for example, 3)
• A comma-separated list of Virtual Systems (for example, 1,2,4,5)
• A range of Virtual Systems (for example, 3-5)
• all - Shows all Virtual Systems
Note - This parameter is only applicable in a VSX environment.
<source_ip> Source IPv4 or IPv6 address.
<dest_ip> Destination IPv4 or IPv6 address.
<dest_port> Destination port number.
<protocol> IP protocol (tcp, udp, or icmp).
<source_port> Source port number.
-v Shows, for each SGM that holds the connection, the tables in which the connection was found, in addition to the Active or Backup indicator:
• A - Active SGM
• B - Backup SGM
• F - Firewall connection table
• S - SecureXL connection table
• C - Correction Layer table

Notes:
• You must enter the parameters in the sequence shown in the syntax above.
• You can enter \* as a parameter to show all values for that parameter.
• The -vs parameter is only available for a Scalable Platform running VSX.
Command Line Examples

One IPv4 source and destination for the TCP protocol:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg search -v 192.0.2.4 192.0.2.15 \* tcp
Lookup for conn: <192.0.2.4, 192.0.2.15, *, tcp>, may take few seconds...

<192.0.2.4, 1130, 192.0.2.15, 49829, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 36323, 192.0.2.15, 1130, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 1130, 192.0.2.15, 49851, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 36308, 192.0.2.15, 1130, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 36299, 192.0.2.15, 1130, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 1130, 192.0.2.15, 49835, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 1130, 192.0.2.15, 49856, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 36331, 192.0.2.15, 1130, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 1130, 192.0.2.15, 49857, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 1130, 192.0.2.15, 49841, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 36315, 192.0.2.15, 1130, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 1130, 192.0.2.15, 49859, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 36300, 192.0.2.15, 1130, tcp> -> [2_01 A, 1_04 A]
<192.0.2.4, 36301, 192.0.2.15, 1130, tcp> -> [2_01 A, 1_04 A]

Legend:
A - Active SGM
B - Backup SGM
C - Correction Layer table
F - Firewall connection table
S - SecureXL connection table
[Global] MyChassis-ch01-01 >

One IPv6 source, all destinations, destination port 8080, and the TCP protocol:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg search 2620:0:2a03:16:2:33:0:1 \* 8080 tcp

<2620:0:2a03:16:2:33:0:1, 52117, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
<2620:0:2a03:16:2:33:0:1, 62775, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
<2620:0:2a03:16:2:33:0:1, 54378, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
Legend:
A - Active SGM
B - Backup SGM
[Global] MyChassis-ch01-01 >

All sources, destinations, ports and protocols for VS0:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg search -vs 0 \* \* \* \* \*
Lookup for conn: <*, *, *, *, *>, may take few seconds...

<172.23.9.130, 18192, 172.23.9.138, 43563, tcp> -> [1_01 A]
<172.23.9.130, 32888, 172.23.9.138, 257, tcp> -> [1_01 A]
<172.23.9.130, 22, 194.29.47.14, 52120, tcp> -> [1_01 A]
<172.23.9.138, 257, 172.23.9.130, 32963, tcp> -> [1_01 A]
<172.23.9.130, 22, 194.29.47.14, 52104, tcp> -> [1_01 A]
<255.255.255.255, 67, 0.0.0.0, 68, udp> -> [1_01 A]
<172.23.9.138, 257, 172.23.9.130, 32864, tcp> -> [1_01 A]
<172.23.9.138, 257, 172.23.9.130, 32888, tcp> -> [1_01 A]
<172.23.9.138, 257, 172.23.9.130, 33465, tcp> -> [1_01 A]
<172.23.9.130, 22, 194.29.40.23, 65515, tcp> -> [1_01 A]
<172.23.9.130, 22, 194.29.47.14, 52493, tcp> -> [1_01 A]
<172.23.9.130, 18192, 172.23.9.138, 49059, tcp> -> [1_01 A]
<172.23.9.130, 18192, 172.23.9.138, 33356, tcp> -> [1_01 A]
<172.23.9.138, 33356, 172.23.9.130, 18192, tcp> -> [1_01 A]
<172.23.9.138, 43563, 172.23.9.130, 18192, tcp> -> [1_01 A]
<172.23.9.130, 32864, 172.23.9.138, 257, tcp> -> [1_01 A]
<0.0.0.0, 68, 255.255.255.255, 67, udp> -> [1_01 A]
<172.23.9.130, 32963, 172.23.9.138, 257, tcp> -> [1_01 A]
<172.23.9.130, 33465, 172.23.9.138, 257, tcp> -> [1_01 A]
<194.29.47.14, 52120, 172.23.9.130, 22, tcp> -> [1_01 A]
<194.29.47.14, 52104, 172.23.9.130, 22, tcp> -> [1_01 A]
<fe80::d840:5de7:8dbe:2345, 546, ff02::1:2, 547, udp> -> [1_01 A]
<194.29.47.14, 52493, 172.23.9.130, 22, tcp> -> [1_01 A]
<172.23.9.138, 49059, 172.23.9.130, 18192, tcp> -> [1_01 A]
<194.29.40.23, 65515, 172.23.9.130, 22, tcp> -> [1_01 A]
Legend:
A - Active SGM
B - Backup SGM
[Global] MyChassis-ch01-01 >
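An added example (not part of the guide or of Check Point's tooling): Python that parses asg search output lines in the form shown above and runs a few checks of its own over the result, such as which connections exist on only one SGM and how the active load is spread across SGMs. The sample output is constructed, and the checks are this example's own, not the consistency test that asg search itself performs.

```python
"""Parse 'asg search' output and run a few sanity checks over the result.

Added example, not Check Point code. SAMPLE is constructed in the output
format shown in the guide (the -v form, which adds the F/S/C table flags).
"""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE = """\
Lookup for conn: <192.0.2.4, 192.0.2.15, *, tcp>, may take few seconds...

<192.0.2.4, 1130, 192.0.2.15, 49829, tcp> -> [2_01 AF, 1_04 AF]
<192.0.2.4, 36323, 192.0.2.15, 1130, tcp> -> [2_01 AF, 1_04 BF]
<2620:0:2a03:16:2:33:0:1, 52117, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
<192.0.2.4, 36308, 192.0.2.15, 1130, tcp> -> [1_04 AS]
<0.0.0.0, 68, 255.255.255.255, 67, udp> -> [1_01 A]

Legend:
A - Active SGM
B - Backup SGM
"""

# <src, sport, dst, dport, proto> -> [sgm FLAGS, sgm FLAGS, ...]
_CONN = re.compile(
    r"^<([^,]+), ([^,]+), ([^,]+), ([^,]+), ([^>]+)> -> \[([^\]]*)\]$")


@dataclass
class Conn:
    src: str
    sport: str
    dst: str
    dport: str
    proto: str
    owners: list = field(default_factory=list)   # [(sgm_id, set(flags))]

    def active(self):
        return [sgm for sgm, flags in self.owners if "A" in flags]


def parse_asg_search(text):
    conns = []
    for line in text.splitlines():
        m = _CONN.match(line.strip())
        if not m:
            continue                 # banner, blank and legend lines
        owners = []
        for item in m.group(6).split(","):
            sgm, flags = item.split()
            owners.append((sgm, set(flags)))
        conns.append(Conn(*m.groups()[:5], owners))
    return conns


def chassis_of(sgm_id):
    """'2_01' -> 2"""
    return int(sgm_id.split("_")[0])


def single_owner(conns):
    """Connections known to exactly one SGM: no backup copy anywhere."""
    return [c for c in conns if len(c.owners) == 1]


def table_mismatch(conns):
    """Connections whose owners disagree about which tables hold the entry
    (only meaningful for -v output, where the F/S/C flags are present)."""
    out = []
    for c in conns:
        tables = {frozenset(f & {"F", "S", "C"}) for _, f in c.owners}
        if len(tables) > 1:
            out.append(c)
    return out


def active_per_sgm(conns):
    """How many of the found connections each SGM handles actively."""
    return Counter(sgm for c in conns for sgm in c.active())


if __name__ == "__main__":
    conns = parse_asg_search(SAMPLE)
    print(f"{len(conns)} connections, active load: {dict(active_per_sgm(conns))}")
    for c in single_owner(conns):
        print(f"no backup: <{c.src}, {c.sport}, {c.dst}, {c.dport}, {c.proto}>"
              f" only on {c.owners[0][0]}")
```

Feed it the output of a wildcard search (asg search \* \* \* \* \*) to see whether active connections are spread evenly across SGMs and whether any long-lived connection has no backup owner, which is what you would lose on an SGM failover.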

Searching with Interactive Mode

In Interactive Mode, the command prompts you for each connection search parameter in the required sequence.
You can use this as an alternative to the command-line syntax.

To run 'asg search' in Interactive Mode:


1. Run:
> asg search [-vs <VS_IDs>] [-v]
2. Enter these parameters in order:
• Source IPv4 or IPv6 address
• Destination IPv4 or IPv6 address
• Destination port number
• IP protocol
• Source port number
You can enter * to show all values for any parameter.

Interactive Mode Example - One IPv4 source and destination with '-v'
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg search -v

Please enter conn's 5 tuple:
----------------------------
Enter source IP (press enter for wildcard):
>192.0.2.4
Enter destination IP (press enter for wildcard):
>192.0.2.15
Enter destination port (press enter for wildcard):
>
Enter IP protocol ('tcp', 'udp', 'icmp' or enter for wildcard):
>tcp
Enter source port (press enter for wildcard):
>
Lookup for conn: <192.0.2.4, *, 192.0.2.15, *, tcp>, may take few seconds...
<192.0.2.4, 37408, 192.0.2.15, 1130, tcp> -> [2_01 AF, 1_04 AF]
<192.0.2.4, 1130, 192.0.2.15, 49670, tcp> -> [2_01 AF, 1_04 AF]
<192.0.2.4, 1130, 192.0.2.15, 49653, tcp> -> [2_01 AF, 1_04 AF]
<192.0.2.4, 37406, 192.0.2.15, 1130, tcp> -> [2_01 AF, 1_04 AF]
<192.0.2.4, 1130, 192.0.2.15, 49663, tcp> -> [2_01 AF, 1_04 AF]
<192.0.2.4, 1130, 192.0.2.15, 49658, tcp> -> [2_01 AF, 1_04 AF]
<192.0.2.4, 37407, 192.0.2.15, 1130, tcp> -> [2_01 AF, 1_04 AF]

Legend:
A - Active SGM
B - Backup SGM
C - Correction Layer table
F - Firewall connection table
S - SecureXL connection table

Example 2 - One IPv6 source with any destination on port 8080 and TCP:
[Global] MyChassis-ch01-01 > asg search
Enter source IP (press enter for wildcard):
> 2620:0:2a03:16:2:33:0:1
Enter destination IP (press enter for wildcard):
>
Enter destination port (press enter for wildcard):
>8080
Enter IP protocol ('tcp', 'udp', 'icmp' or enter for wildcard):
>tcp
Enter source port (press enter for wildcard):
>

Lookup for conn: <2620:0:2a03:16:2:33:0:1, *, *, 8080, tcp>, may take few seconds...
<2620:0:2a03:16:2:33:0:1, 52117, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
<2620:0:2a03:16:2:33:0:1, 62775, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]
<2620:0:2a03:16:2:33:0:1, 54378, 951::69cb:e42d:eac0:652f, 8080, tcp> -> [1_01 A, 2_01 B]

Legend:
A - Active SGM
B - Backup SGM
[Global] MyChassis-ch01-01 >

Configuring Alerts for SGM and Chassis Events (asg alert)

The asg alert command is an interactive wizard you can use to configure alerts for SGM and Chassis events.
Chassis events include hardware failure, recovery, and performance-related events. You can also configure alerts for general system events, such as SGM, Chassis, port and route state changes.
An alert is sent when an event occurs, for example, when the value of a hardware resource is greater than the threshold.
The alert message includes the Chassis ID, SGM ID, and/or unit ID.
The wizard has these options:

Option Description
Full Configuration Wizard Create a new alert.
Edit Configuration Change an existing alert.
Show Configuration Show existing alert configurations.
Configure events severity Configure severity for events.
Run Test Run a test simulation to make sure that the alert works correctly.


Creating or Changing an Alert for SGM and Chassis Events


To create or change an alert:
1. Run:
> asg alert
2. Select and configure these parameters as prompted by the wizard:
• Alert Type
• Event Type
• Alert Mode

SMS Alert Parameters

SMS Alert Parameters Description
SMS provider URL Fully qualified URL of your SMS provider.
HTTP proxy and port Optional. Necessary only if the Security Gateway requires a proxy server to reach the SMS provider.
SMS rate limit Maximum number of SMS messages sent per hour. Messages above the limit are combined into one message.
SMS user text Custom prefix for SMS messages.

Email Alert Parameters

Email Alert Parameters Description
SMTP server IP One or more SMTP servers to which the email alerts are sent.
Email recipient addresses One or more recipient email addresses for each SMTP server.
Periodic connectivity checks Tests run periodically to confirm connectivity with the SMTP servers. If there is no connectivity, alert messages are saved and sent in one email when connectivity is restored.
Interval Interval, in minutes, between connectivity tests.
Sender email address Email address of the sender for alerts.
Subject Subject header text for the email alert.
Body text User-defined text for the alert message.

SNMP Alert Parameters

Define one or more SNMP managers to receive the SNMP traps sent from the Security Gateway. For each manager, configure these parameters.

SNMP Alert Parameters Description
SNMP manager name Unique name for the SNMP manager.
SNMP manager IP IP address of the manager (trap receiver).
SNMP version SNMP version (v2c or v3).
SNMP v3 user name User name for SNMP v3 authentication.
SNMP v3 engine ID Unique SNMP v3 engine ID used by your system. The default is 0x80000000010203EA.
SNMP v3 authentication protocol MD5 or SHA.
SNMP v3 authentication password Authentication password.
SNMP v3 privacy protocol DES or AES.
SNMP v3 privacy password Privacy password.
SNMP user text Custom text for SNMP trap messages.
SNMP community string Community string for the SNMP manager (SNMP v2c).

Note - Depending on the selected SNMP version, some of these parameters are not shown.
SNMP v2c community strings travel in clear text, and MD5 and DES are the weakest of the listed choices. Where the SNMP manager supports it, use SNMP v3 with SHA authentication and AES privacy for the trap receiver.


There are no configurable parameters for log alerts.

Event type parameters


You can select one or more event types:
• One event type.
• A comma-delimited list of event types.
• all - All event types. The available event types are:
-----------------------------------
1 | SGM State
2 | Chassis State
3 | Port State
4 | Pingable Hosts State
5 | System Monitor Daemon
6 | Route State
7 | Diagnostics
Hardware Monitor events:
8 | Fans
9 | SSM
10 | CMM
11 | Power Supplies
12 | CPU Temperature
Performance events:
13 | Concurrent Connections
14 | Connection Rate
15 | Packet Rate
16 | Throughput
17 | CPU Load
18 | Hard Drive Utilization
19 | Memory Utilization

Configuring Severity for an Event Alert

For each event, you can set the severity level, and the alert messages you receive for that event carry the severity you chose.
Note - This functionality requires R76SP.50 Jumbo Hotfix Accumulator Take 187 or higher. See sk117633 http://supportcontent.checkpoint.com/solutions?id=sk117633.

Configuring severity for an event alert


1. Run:
> asg alert
2. Enter the number of this option:
4) Configure events severity
3. Enter the number of the applicable event category:
1) System events
2) Hardware Monitor events
3) Performance events
4. Enter the number of the event whose severity you want to change. The list depends on the category you selected; for Performance events it is:
1) Concurrent Connections
2) Connection Rate
3) Packet Rate
4) Throughput
5) CPU Load
6) Hard Drive Utilization
7) Memory Utilization
8) NAT Monitor CoreXL utilization
9) NAT Monitor SecureXL utilization
10) NAT Monitor SecureXL pool state
5. Enter the number of the applicable severity level:
1) Low
2) Medium
3) High
4) Critical

Severity Levels in received Event Alerts


For SNMP-based alerts, the severity value is sent as the numeric value (integer).
For other alert types, the severity value is sent as the description string.

Severity Value Description


0 The event is cleared
1 Low
2 Medium
3 High
4 Critical

Example
>asg alert
(Main Menu)
Choose one of the following options:
----------------------------------------
1) Full Configuration Wizard
2) Edit Configuration
3) Show Configuration
4) Configure events severity
5) Run Test
e) Exit
>4

Event Categories:
------------------
1) System events
2) Hardware Monitor events
3) Performance events
b) Back
>1

Events:
--------------------
1) Concurrent Connections
2) Connection Rate
3) Packet Rate
4) Throughput
5) CPU Load
6) Hard Drive Utilization
7) Memory Utilization
8) NAT Monitor CoreXL utilization
9) NAT Monitor SecureXL utilization
10) NAT Monitor SecureXL pool state
b) Back
>1

Event: BladeStateEvent
Description: SGM State
SNMP Alert OID: 1.3.6.1.4.1.2620.1.2001.1.2
Severity: 1
Choose one of the following options:
---------------------------------------------------
1) Low
2) Medium
3) High
4) Critical
b) Back
> 3
The new severity of BladeStateEvent event is 3 "High"
Press enter to continue...


Alert Modes
The Alert Modes are:
• Enabled - An alert is sent for the selected events
• Disabled - No alert is sent for the selected events
• Monitor - A log entry is generated instead of an alert

Diagnostic Events
Best Practice - Run the smo verifiers (show smo verifiers report) command on a regular basis.
If a test fails, an alert shows. The alert continues to show in the Message of the Day (MOTD) until the issue is resolved. When the issue is resolved, a Clear Alert message shows the next time the test runs. You can run show smo verifiers report manually to confirm that the issue is resolved.
• The tests run at 01:00 each day by default. You can change the default time.
• The daily run includes all tests by default, but you can exclude the tests you do not want to run.
• When you run the show smo verifiers report command manually, the complete set of tests runs, including the tests you excluded.
• All failed tests show in the MOTD, but you can disable this feature.

To change the default time:


1. Edit the $FWDIR/conf/asgsnmp.conf file:
# vi $FWDIR/conf/asgsnmp.conf
2. Change the asg_diag_alert_wrapper line.
3. Copy this file to all other SGMs:
# asg_cp2blades $FWDIR/conf/asgsnmp.conf

To disable the MOTD:


1. Edit the $FWDIR/conf/asg_diag_config file:
# vi $FWDIR/conf/asg_diag_config
2. Set the motd parameter to off.
3. Copy this file to all other SGMs:
# asg_cp2blades $FWDIR/conf/asg_diag_config
4. Enforce the change. Run in gClish:
> show smo verifiers report
You can also wait for the next time the smo verifiers run automatically.


To exclude specific tests from the automatic daily run:

1. Edit the $FWDIR/conf/asg_diag_config file:
# vi $FWDIR/conf/asg_diag_config
2. Add this line to the file:
excluded_tests=<Test1>[,<Test2>,...]
3. Copy this file to all other SGMs:
# asg_cp2blades $FWDIR/conf/asg_diag_config

To exclude failed test notifications from the MOTD:

1. Edit the $FWDIR/conf/asg_diag_config file:
# vi $FWDIR/conf/asg_diag_config
2. Set the failed_tests_motd parameter to off.
3. Copy this file to all other SGMs:
# asg_cp2blades $FWDIR/conf/asg_diag_config
4. Enforce the change. Run in gClish:
> show smo verifiers report
You can also wait for the next time the smo verifiers run automatically.

Known Limitations of the SMO Verifiers Test


By default, the smo verifiers only show a warning about resource mismatches between SGMs.
If the verification test results show as Passed in the output, no more steps are necessary.

To change the default behavior:


1. Edit the $FWDIR/conf/asg_diag_config file:
# vi $FWDIR/conf/asg_diag_config
2. Search for MismatchSeverity.
3. Change the parameter to one of these values:
• fail - Verification test result is set to Failed
• warn - Verification test result is set to Passed and a warning shows
• ignore - Verification test result is set to Ignore and no errors show
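The procedures above all edit the same file. The following Python, an added example rather than Check Point code, makes those edits programmatically and validates the values before you copy the file to the other SGMs with asg_cp2blades, so every SGM receives an identical file. It assumes the file consists of plain key=value lines; the sample contents are constructed, and because the guide does not say whether excluded_tests takes test IDs or test names, the helper accepts either as strings.

```python
"""Set asg_diag_config options (motd, failed_tests_motd, excluded_tests,
MismatchSeverity) and validate them before the file is copied to all SGMs.

Added example, not Check Point code. The file is treated as plain key=value
lines; SAMPLE_CONFIG is constructed and is not the real file's contents.
"""
import re

SAMPLE_CONFIG = """\
# constructed sample of $FWDIR/conf/asg_diag_config
motd=on
failed_tests_motd=on
MismatchSeverity=warn
"""

MISMATCH_SEVERITIES = ("fail", "warn", "ignore")
ON_OFF = ("on", "off")


def get_option(text, key, default=None):
    """Value of the last 'key=value' line, ignoring comments and whitespace."""
    value = default
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        k, v = (s.strip() for s in stripped.split("=", 1))
        if k == key:
            value = v
    return value


def set_option(text, key, value):
    """Rewrite 'key=value' in place (first occurrence), drop later duplicates,
    or append the line if the key is absent. Other lines are untouched."""
    pattern = re.compile(rf"^\s*{re.escape(key)}\s*=")
    out, done = [], False
    for line in text.splitlines():
        if pattern.match(line):
            if not done:
                out.append(f"{key}={value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def exclude_tests(text, tests):
    """Merge tests into excluded_tests=<Test1>,<Test2>,... keeping existing
    entries (IDs or names are passed through as strings)."""
    current = [t for t in (get_option(text, "excluded_tests", "") or "").split(",")
               if t.strip()]
    for t in tests:
        if str(t) not in current:
            current.append(str(t))
    return set_option(text, "excluded_tests", ",".join(current))


def validate(text):
    """Problems to catch before the file is copied to every SGM."""
    problems = []
    for key in ("motd", "failed_tests_motd"):
        v = get_option(text, key)
        if v is not None and v not in ON_OFF:
            problems.append(f"{key} must be on or off (got {v!r})")
    v = get_option(text, "MismatchSeverity")
    if v is not None and v not in MISMATCH_SEVERITIES:
        problems.append(
            f"MismatchSeverity must be one of {', '.join(MISMATCH_SEVERITIES)} (got {v!r})")
    return problems


def apply_to_file(path, changes, excluded=()):
    """Apply {key: value} changes and excluded tests to the file at path,
    refusing to write a file that fails validation."""
    with open(path) as fh:
        text = fh.read()
    for key, value in changes.items():
        text = set_option(text, key, value)
    if excluded:
        text = exclude_tests(text, excluded)
    problems = validate(text)
    if problems:
        raise ValueError("; ".join(problems))
    with open(path, "w") as fh:
        fh.write(text)


if __name__ == "__main__":
    text = set_option(SAMPLE_CONFIG, "motd", "off")
    text = exclude_tests(text, ["4", "7"])
    print(text, validate(text))
```

After apply_to_file succeeds on the SGM you are logged in to, run asg_cp2blades on the file exactly as the procedures above describe, then show smo verifiers report to enforce the change.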


Collecting System Diagnostics (smo verifiers)

Description
The smo verifiers commands in gClish run a specific set of diagnostic tests.
The full set of tests runs by default, but you can select the tests you want to run.
The output shows the result of each test, Passed or Failed, and the location of the output log file.

Syntax
> show smo verifiers list [id <TestId1>,<TestId2>,...] [section <SectionName>]
> show smo verifiers report [except] [id <TestId1>,<TestId2>,...] [name <TestName>] [section <SectionName>]
> show smo verifiers print [except] [id <TestId1>,<TestId2>,...] [name <TestName>] [section <SectionName>]
> show smo verifiers {periodic | last-run} {report | print}
> delete smo verifiers purge [save <Num_Logs>]

Parameters
Parameter Description
list Shows the list of tests to run.
report Runs tests and shows a summary of the test results.
print Runs tests and shows the full output and summary of the test
results.
except Runs all tests except the specified tests and shows the requested results.
id <TestId1>,<TestId2>,... Specifies the tests by their IDs (comma-separated list). To see a list of test IDs, run:
> show smo verifiers list
name <TestName> Specifies the tests by their names. Press the Tab key to see a full list of verifier names.
section <SectionName> Specifies the verifiers section by its name. Press the Tab key to see a full list of the existing sections.
purge Deletes the old smo verifiers logs and keeps the newest ones (see save).
save <Num_Logs> Number of the newest smo verifiers log files to keep. Default = 5.
periodic Shows the results of the latest periodic (scheduled) run.
last-run Shows the results of the latest run.

Showing Last Run Diagnostic Tests on VSX Setup


> show smo verifiers last-run report
--------------------------------------------------------------------------------
| Tests Status |
--------------------------------------------------------------------------------
| ID | Title | Result | Reason |
--------------------------------------------------------------------------------
| System Components |
--------------------------------------------------------------------------------
| 1 | System Health | Failed (!) | (1)Chassis 1 error |
| 2 | Hardware | Passed | |
| 3 | Resources | Passed | |
| 4 | Software Versions | Failed (!) | |
| 5 | Software Provision | Passed | |
| 6 | CPU Type | Passed | |
| 7 | Media Details | Failed (!) | (1)SSM 1 on chassis 1 |
| | | | (2)SSM 2 on chassis 1 |
| 8 | Chassis ID | Passed | |
--------------------------------------------------------------------------------
| Policy and Configuration |
--------------------------------------------------------------------------------
| 9 | Distribution Mode | Failed (!) | (1)DXL error |
| | | | (2)None optimize br conf |
--------------------------------------------------------------------------------
| VSX Configuration |
--------------------------------------------------------------------------------
| 10 | USER KERNEL Dist | Passed | |
--------------------------------------------------------------------------------
| Policy and Configuration |
--------------------------------------------------------------------------------
| 11 | DXL Balance | Passed | |
| 12 | Policy | Passed | |
| 13 | AMW Policy | Passed | (1)Not configured |
| 14 | SWB Updates | Passed | (1)Not configured |
--------------------------------------------------------------------------------
| VSX Configuration |
--------------------------------------------------------------------------------
| 15 | VSX Configuration | Failed (!) | (1)Mistmatch between VSX stat |
| 16 | HW Utilization | Failed (!) | (1)Total instances count is too low |
| 17 | BMAC VMAC verify | Passed | |
--------------------------------------------------------------------------------
| Policy and Configuration |
--------------------------------------------------------------------------------
| 18 | Installation | Passed | |
| 19 | Security Group | Passed | |
| 20 | Cores Distribution | Passed | |
| 21 | SPI Affinity | Passed | |
| 22 | Clock | Passed | |
| 23 | Licenses | Failed (!) | (1)SSM 100G license is missing |
| 24 | Hide NAT range | Passed | (1)Not configured |
| 25 | LTE | Passed | (1)Not configured |
| 26 | IPS Enhancement | Passed | (1)Not configured |
| 27 | Configuration File | Failed (!) | (1)Database inconsistent |
--------------------------------------------------------------------------------
| Networking |
--------------------------------------------------------------------------------
| 28 | MAC Setting | Passed | |
| 29 | ARP Consistency | Passed | |
| 30 | Interfaces | Passed | |
| 31 | Bond | Failed (!) | |
| 32 | Bridge | Passed | |
| 33 | IPv4 Route | Passed | |
| 34 | IPv6 Route | Failed (!) | (1)Inconsistent routes |
| 35 | OS Route Cache | Passed | |
| 36 | Dynamic Routing | Passed | (1)Not configured |
| 37 | Local ARP | Passed | (1)Not configured |
| 38 | Port Speed | Failed (!) | (1)Inconsistency between chassis and |
| | | | conf file |
| 39 | SSM QoS | Passed | |
| 40 | IGMP Consistency | Passed | (1)Not configured |
| 41 | PIM Neighbors | Passed | (1)Not configured |
| 42 | ACL Filter | Passed | |
--------------------------------------------------------------------------------


| DoS |
--------------------------------------------------------------------------------
| 43 | SYN Defender | Passed | |
| 44 | F2F Quota | Passed | |
--------------------------------------------------------------------------------
| Misc |
--------------------------------------------------------------------------------
| 45 | Core Dumps | Passed | |
| 46 | Syslog | Passed | (1)Log server is not configured |
| 47 | Processes | Passed | |
| 48 | Performance hogs | Passed | |
--------------------------------------------------------------------------------
| Tests Summary |
--------------------------------------------------------------------------------
| Passed: 37/48 tests |
| Run: "show smo verifiers list id 1,4,7,9,15,16,23,27,31,34,38" to view a complete list of |
| failed tests |
| Output file: /var/log/alert_verifier_sum.1-48.2017-02-05_01-00-02.txt |
--------------------------------------------------------------------------------
>

Note - The show smo verifiers last-run print shows the verbose output.
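An added example, not Check Point code: Python that parses a report in the format above, lists the failed verifiers with their reasons (the failures that the MOTD alert is raised for), and cross-checks the Tests Summary block against the individual rows. The report excerpt is constructed from the format shown above.

```python
"""Parse a 'show smo verifiers ... report' table, list the failed verifiers
with their reasons, and cross-check the Tests Summary block against the rows.

Added example, not Check Point code. SAMPLE_REPORT is a constructed excerpt
in the format the guide shows.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
--------------------------------------------------------------------------------
| Tests Status                                                                 |
--------------------------------------------------------------------------------
| ID | Title                | Result       | Reason                            |
--------------------------------------------------------------------------------
| System Components                                                            |
--------------------------------------------------------------------------------
| 1  | System Health        | Failed (!)   | (1)Chassis 1 error                |
| 2  | Hardware             | Passed       |                                   |
| 7  | Media Details        | Failed (!)   | (1)SSM 1 on chassis 1             |
|    |                      |              | (2)SSM 2 on chassis 1             |
--------------------------------------------------------------------------------
| Networking                                                                   |
--------------------------------------------------------------------------------
| 36 | Dynamic Routing      | Passed       | (1)Not configured                 |
--------------------------------------------------------------------------------
| Tests Summary                                                                |
--------------------------------------------------------------------------------
| Passed: 2/4 tests                                                            |
| Run: "show smo verifiers list id 1,7" to view a complete list of             |
| failed tests                                                                 |
| Output file: /var/log/alert_verifier_sum.1-48.2017-02-05_01-00-02.txt        |
--------------------------------------------------------------------------------
"""

_ROW = re.compile(r"^\|\s*(\d+)\s*\|\s*(.*?)\s*\|\s*(Passed|Failed \(!\))\s*\|\s*(.*?)\s*\|$")
_CONT = re.compile(r"^\|\s*\|\s*\|\s*\|\s*(.+?)\s*\|$")      # extra reason lines
_BANNER = re.compile(r"^\|\s*([^|]+?)\s*\|$")                # one-cell lines


@dataclass
class Verifier:
    id: int
    title: str
    passed: bool
    section: str
    reasons: list = field(default_factory=list)


def parse_report(text):
    tests, section, summary, in_summary = [], None, {}, False
    for line in text.splitlines():
        line = line.rstrip()
        m = _ROW.match(line)
        if m:
            tests.append(Verifier(int(m.group(1)), m.group(2),
                                  m.group(3) == "Passed", section,
                                  [m.group(4)] if m.group(4) else []))
            continue
        m = _CONT.match(line)
        if m and tests:
            tests[-1].reasons.append(m.group(1))
            continue
        m = _BANNER.match(line)
        if not m:
            continue                                   # separator lines
        cell = m.group(1)
        if cell == "Tests Summary":
            in_summary = True
        elif not in_summary:
            if cell != "Tests Status":
                section = cell                         # section heading
        elif cell.startswith("Passed:"):
            p, t = re.search(r"(\d+)/(\d+)", cell).groups()
            summary["passed"], summary["total"] = int(p), int(t)
        elif cell.startswith("Run:"):
            ids = re.search(r"\bid ([\d,]+)", cell)
            summary["listed_failed"] = [int(i) for i in ids.group(1).split(",")] if ids else []
        elif cell.startswith("Output file:"):
            summary["output_file"] = cell.split(":", 1)[1].strip()
    return tests, summary


def failed_ids(tests):
    return [t.id for t in tests if not t.passed]


def check_summary(tests, summary):
    """Discrepancies between the rows and the Tests Summary block."""
    problems = []
    if summary.get("passed") != sum(t.passed for t in tests):
        problems.append("passed count does not match rows")
    if summary.get("total") != len(tests):
        problems.append("total count does not match rows")
    if summary.get("listed_failed") != failed_ids(tests):
        problems.append("failed id list does not match rows")
    return problems


if __name__ == "__main__":
    tests, summary = parse_report(SAMPLE_REPORT)
    for t in tests:
        if not t.passed:
            print(f"[{t.section}] {t.id} {t.title}: {'; '.join(t.reasons) or 'no reason given'}")
    print("summary problems:", check_summary(tests, summary) or "none",
          "- full log:", summary.get("output_file"))
```

Because the periodic run writes its summary to the output file named in the last line, the same parser can be pointed at that file from a monitoring host to track which verifiers fail from one night to the next.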

Showing the Tests

This example shows the full list of diagnostic tests. The list shows the test ID, the test Title (name) and the command that each verifier runs.
Run:
> show smo verifiers list
Example:
> show smo verifiers list
----------------------------------------------------------------------
| ID | Title | Command |
----------------------------------------------------------------------
| System Components |
----------------------------------------------------------------------
| 1 | System Health | asg stat -v |
| 2 | Hardware | asg hw_monitor -v |
| 3 | Resources | asg resource |
| 4 | Software Versions | asg_version verify -v |
| 5 | Software Provision | asg_provision |
| 6 | CPU Type | cpu_socket_verifier -v |
| 7 | Media Details | transceiver_verifier -v |
| 8 | Chassis ID | verify_chassis_id |
----------------------------------------------------------------------
| Policy and Configuration |
----------------------------------------------------------------------
| 9 | Distribution Mode | distutil verify -v |
| 10 | DXL Balance | dxl stat |
| 11 | Policy | asg policy verify -a |
| 12 | AMW Policy | asg policy verify_amw -a |
| 13 | SWB Updates | asg_swb_update_verifier -v |
| 16 | Security Group | asg security_group diag |
| 17 | SPI Affinity | spi_affinity_verifier -v |
| 18 | Clock | clock_verifier -v |
| 19 | Licenses | asg_license_verifier -v |
| 20 | Hide NAT range | asg_hide_behind_range -v |
| 21 | LTE | lte_verifier -v |
| 22 | IPS Enhancement | asg_ips_enhance status |
| 23 | Configuration File | config_verify -v |
----------------------------------------------------------------------
| Networking |
----------------------------------------------------------------------
| 24 | MAC Setting | mac_verifier -v |
| 25 | ARP Consistency | asg_arp -v |
| 26 | Interfaces | interface_verifier -v |
| 27 | Bond | asg_bond -v |
| 28 | Bridge | asg_brs_verifier -v |
| 29 | IPv4 Route | asg_route |
| 30 | IPv6 Route | asg_route -6 |
| 31 | OS Route Cache | asg_dst_route --diag |
| 32 | Dynamic Routing | asg_dr_verifier |
| 33 | Local ARP | asg_local_arp_verifier -v |
| 34 | Port Speed | asg_port_speed verify |
| 35 | SSM QoS | asg_qos_verify |
| 36 | IGMP Consistency | asg_igmp |
| 37 | PIM Neighbors | asg_pim_neighbors |
| 38 | ACL Filter | acl_filter_verifier |
----------------------------------------------------------------------
| DoS |
----------------------------------------------------------------------
| 39 | SYN Defender | asg_synatk |
| 40 | F2F Quota | asg_f2fq |
----------------------------------------------------------------------
| Misc |
----------------------------------------------------------------------
| 41 | Core Dumps | core_dump_verifier -v |
| 42 | Syslog | asg_syslog verify |
| 43 | Processes | asg_process_verifier -v |
| 44 | Performance hogs | asg_perf_hogs |
----------------------------------------------------------------------
| Run "show smo verifiers print id <TestNum>" to display test output |
----------------------------------------------------------------------
>

Running all Diagnostic Tests


Syntax
> show smo verifiers report

This example shows the summary output for all diagnostic tests.
When a test fails, the reasons for the failure appear in the Reason column.
> show smo verifiers report
Duration of the tests can vary and can take a few minutes to complete.

---------------------------------------------------------------------------------
| Tests Status |
---------------------------------------------------------------------------------
| ID | Title | Result | Reason |
---------------------------------------------------------------------------------
| System Components |
---------------------------------------------------------------------------------
| 1 | System Health | Failed (!) | (1)Chassis 2 error |
| 2 | Hardware | Failed (!) | (1)Power unit is missing |
| | | | (2)Power consumption exceeds threshold |
| 3 | Resources | Failed (!) | (1)Memory capacity |
| | | | (2)Memory capacity mismatch |
| 4 | Software Versions | Failed (!) | |
| 5 | Software Provision | Passed | |
| 6 | CPU Type | Failed (!) | (1)Non-compliant CPU type |
| 7 | Media Details | Failed (!) | (1)SSM 1 on chassis 2 |
| 8 | Chassis ID | Passed | |
---------------------------------------------------------------------------------
| Policy and Configuration |
---------------------------------------------------------------------------------
| 9 | Distribution Mode | Passed | |
| 10 | DXL Balance | Passed | |
| 11 | Policy | Passed | |
| 12 | AMW Policy | Passed | |
| 13 | SWB Updates | Passed | |
| 16 | Security Group | Failed (!) | (1)DB error |
| 17 | SPI Affinity | Passed | (1)Not configured |
| 18 | Clock | Passed | |
| 19 | Licenses | Passed | (1)Trial license installed |
| 20 | Hide NAT range | Passed | (1)Not configured |
| 21 | LTE | Passed | (1)Not configured |
| 22 | IPS Enhancement | Passed | (1)Not configured |
| 23 | Configuration File | Passed | |
---------------------------------------------------------------------------------
| Networking |
---------------------------------------------------------------------------------
| 24 | MAC Setting | Passed | |
| 25 | ARP Consistency | Passed | |
| 26 | Interfaces | Failed (!) | (1)RX drop |
| 27 | Bond | Passed | (1)Not configured |
| 28 | Bridge | Passed | (1)Not configured |
| 29 | IPv4 Route | Passed | |
| 30 | IPv6 Route | Passed | (1)Not configured |
| 31 | OS Route Cache | Passed | |
| 32 | Dynamic Routing | Passed | (1)Not configured |
| 33 | Local ARP | Passed | (1)Not configured |
| 34 | Port Speed | Passed | |
| 35 | SSM QoS | Passed | |
| 36 | IGMP Consistency | Passed | (1)Not configured |
| 37 | PIM Neighbors | Passed | (1)Not configured |
| 38 | ACL Filter | Passed | |
---------------------------------------------------------------------------------
| DoS |
---------------------------------------------------------------------------------
| 39 | SYN Defender | Passed | |
| 40 | F2F Quota | Passed | |
---------------------------------------------------------------------------------
| Misc |
---------------------------------------------------------------------------------
| 41 | Core Dumps | Passed | |
| 42 | Syslog | Passed | (1)Log server is not configured |
| 43 | Processes | Passed | |
| 44 | Performance hogs | Passed | |
---------------------------------------------------------------------------------
| Tests Summary |
---------------------------------------------------------------------------------
| Passed: 36/44 tests |
| Run: "show smo verifiers list id 1,2,3,4,6,7,16,26" to view a complete list |
| of failed tests |
| Output file: /var/log/verifier_sum.1-44.2017-01-29_14-19-16.txt |
| Run "show smo verifiers last-run print" to display verbose output |
---------------------------------------------------------------------------------
>
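The summary table above is meant to be read by eye; an added example (not part of the Check Point guide) that parses it into structured records, so failed test IDs and their reasons can be handed to a monitoring system. It assumes only the layout shown in the guide: one row per test, continuation rows with an empty ID cell for extra reasons, single-cell rows for section names, and a Tests Summary block at the end; the sample report is constructed.

```python
"""Turn the summary table printed by 'show smo verifiers report' into structured data.

Added example, not part of the Check Point guide. It assumes only the table layout shown in the
guide: one row per test (ID, Title, Result, Reason), continuation rows with an empty ID cell for
extra reasons, single-cell rows for section names, and a 'Tests Summary' block at the end.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed excerpt modelled on the report in the guide (sample data, not a real chassis).
SAMPLE_REPORT = """\
> show smo verifiers report
Duration of the tests can vary and can take a few minutes to complete.

---------------------------------------------------------------------------------
| Tests Status                                                                  |
---------------------------------------------------------------------------------
| ID | Title              | Result     | Reason                                 |
---------------------------------------------------------------------------------
| System Components                                                             |
---------------------------------------------------------------------------------
| 1  | System Health      | Failed (!) | (1)Chassis 2 error                     |
| 2  | Hardware           | Failed (!) | (1)Power unit is missing               |
|    |                    |            | (2)Power consumption exceeds threshold |
| 3  | Resources          | Passed     |                                        |
---------------------------------------------------------------------------------
| Networking                                                                    |
---------------------------------------------------------------------------------
| 26 | Interfaces         | Failed (!) | (1)RX drop                             |
| 27 | Bond               | Passed     | (1)Not configured                      |
---------------------------------------------------------------------------------
| Tests Summary                                                                 |
---------------------------------------------------------------------------------
| Passed: 2/5 tests                                                             |
| Run: "show smo verifiers list id 1,2,26" to view a complete list of failed    |
| tests                                                                         |
---------------------------------------------------------------------------------
>
"""

REASON_PREFIX = re.compile(r"^\(\d+\)\s*")   # strips the "(1)", "(2)" numbering


@dataclass
class VerifierTest:
    test_id: int
    title: str
    section: str
    passed: bool
    reasons: List[str] = field(default_factory=list)   # failure reasons, or informational notes


def parse_verifier_report(text: str) -> List[VerifierTest]:
    tests: List[VerifierTest] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue                       # rule lines, prompts and the "Duration..." banner
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 1:                # single-cell rows: table title, section, summary
            if cells[0] == "Tests Summary":
                break                      # nothing below the summary block is a test row
            if cells[0] != "Tests Status":
                section = cells[0]
            continue
        if len(cells) != 4 or cells[0] == "ID":
            continue                       # column header or unexpected layout
        id_cell, title, result, reason = cells
        reason = REASON_PREFIX.sub("", reason)
        if id_cell == "":                  # continuation row: another reason for the previous test
            if tests and reason:
                tests[-1].reasons.append(reason)
            continue
        if not id_cell.isdigit():
            continue
        test = VerifierTest(int(id_cell), title, section, result.startswith("Passed"))
        if reason:
            test.reasons.append(reason)
        tests.append(test)
    return tests


def failed_ids(tests: List[VerifierTest]) -> List[int]:
    return [t.test_id for t in tests if not t.passed]


def summary(tests: List[VerifierTest]) -> str:
    """Same 'Passed: n/m tests' line the report prints, recomputed from the parsed rows."""
    return f"Passed: {len(tests) - len(failed_ids(tests))}/{len(tests)} tests"


def rerun_command(tests: List[VerifierTest]) -> str:
    """Follow-up command the report suggests for the failed tests (empty string if all passed)."""
    ids = failed_ids(tests)
    return "show smo verifiers list id " + ",".join(str(i) for i in ids) if ids else ""


if __name__ == "__main__":
    parsed = parse_verifier_report(SAMPLE_REPORT)
    for t in parsed:
        print(f"{t.test_id:>3} {t.section:<18} {t.title:<18} {'PASS' if t.passed else 'FAIL'} {t.reasons}")
    print(summary(parsed))
    print(rerun_command(parsed))
```

Passed tests can also carry a note in the Reason column (for example "Not configured"), so the parser keeps those too and the caller decides whether to alert on them.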

Running Specific Diagnostic Tests


Syntax to show a report by a test name:
> show smo verifiers report name <Test Name>

Note - Press the Tab key after the name parameter to see a full list of verifier names.
This example collects diagnostic information for the specified test.
> show smo verifiers report name System_Health
Duration of tests vary and may take a few minutes to complete

--------------------------------------------------------------------------------
| Tests Status |
--------------------------------------------------------------------------------
| ID | Title | Result | Reason |
--------------------------------------------------------------------------------
| System Components |
--------------------------------------------------------------------------------
| 1 | System Health | Failed (!) | (1)Chassis 1 error |
--------------------------------------------------------------------------------
| Tests Summary |
--------------------------------------------------------------------------------
| Passed: 0/1 test |
| Run: "show smo verifiers list id 1" to view a complete list of failed tests |
| Output file: /var/log/verifier_sum.1.2017-02-20_19-58-03.txt |
| Run "show smo verifiers last-run print" to display verbose output |
--------------------------------------------------------------------------------
>

Syntax to show a report by a test ID:
> show smo verifiers report id <TestID1>,<TestID2>,...,<TestIDn>

Note - To see a list of test IDs, run: show smo verifiers list
This example collects diagnostic information for the specified tests 1, 2, 3, 4, 5, and 30.
> show smo verifiers report id 1,2,3,4,5,30
Duration of tests can vary and can take a few minutes to complete.

--------------------------------------------------------------------------------
| Tests Status |
--------------------------------------------------------------------------------
| ID | Title | Result | Reason |
--------------------------------------------------------------------------------
| System Components |
--------------------------------------------------------------------------------
| 1 | System Health | Failed (!) | (1)Verifier error - Check raw output |
| 2 | Hardware | Passed | |
| 3 | Resources | Failed (!) | (1)Memory capacity |
| | | | (2)Primary HD capacity |
| | | | (3)Primary HD exceed threshold |
| | | | (4)Log HD capacity |
| | | | (5)Boot HD capacity |
| 4 | Software Versions | Failed (!) | |
| 5 | Software Provision | Failed (!) | |
--------------------------------------------------------------------------------
| Networking |
--------------------------------------------------------------------------------
| 30 | IPv6 Route | Passed | (1)Not configured |
--------------------------------------------------------------------------------
| Tests Summary |
--------------------------------------------------------------------------------
| Passed: 2/6 tests |
| Run: "show smo verifiers list id 1,3,4,5" to view a complete list of failed |
| tests |
| Setting MOTD... |
| Output file: /var/log/verifier_sum.1-5.30.2017-01-29_11-42-13.txt |
| Run "show smo verifiers last-run print" to display verbose output |
--------------------------------------------------------------------------------
>

Collecting Diagnostic Information for a Specified Section


> show smo verifiers report section System_Components
Duration of tests can vary and can take a few minutes to complete.
--------------------------------------------------------------------------------
| Tests Status |
--------------------------------------------------------------------------------
| ID | Title | Result | Reason |
--------------------------------------------------------------------------------
| System Components |
--------------------------------------------------------------------------------
| 1 | System Health | Failed (!) | (1)Verifier error - Check raw output |
| 2 | Hardware | Failed (!) | (1)Power unit is missing |
| | | | (2)Power consumption exceeds threshol |
| | | | d |
| 3 | Resources | Passed | |
| 4 | Software Versions | Failed (!) | |
| 5 | Software Provision | Failed (!) | |
| 6 | CPU Type | Failed (!) | (1)Verifier error - Check raw output |
| 7 | Media Details | Failed (!) | (1)Verifier error - Check raw output |
| 8 | Chassis ID | Failed (!) | (1)Verifier error - Check raw output |
--------------------------------------------------------------------------------
| Tests Summary |
--------------------------------------------------------------------------------
| Passed: 1/8 tests |
| Run: "show smo verifiers list id 1,2,4,5,6,7,8" to view a complete list of f |
| ailed tests |
| Setting MOTD... |
| Output file: /var/log/verifier_sum.1-8.2017-02-05_10-46-17.txt |
| Run "show smo verifiers last-run print" to display verbose output |
--------------------------------------------------------------------------------
>


Performance Hogs (asg_perf_hogs)


Description
You can run asg_perf_hogs by itself or as part of smo verifiers.
When you run the asg_perf_hogs command by itself, you get the full details of all the tests it runs.
When you run it through smo verifiers (show smo verifiers report name Performance_hogs), the output
shows only the general result of the asg_perf_hogs test.

Syntax
> asg_perf_hogs

Example output
> asg_perf_hogs
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
| [PASSED] | Soft lockups |
-----------------------------------------------------------------
>

Notes:
• If all of the asg_perf_hogs tests pass, smo verifiers shows Passed.
• If even one of the asg_perf_hogs tests fails, smo verifiers shows Failed.

Configuration
You can configure asg_perf_hogs with the $FWDIR/conf/performance_hogs.conf file.
[tests]
long_running_procs=1
accel_off=1
sim_debug_flags=1
fw1_debug_flags=1
local_logging=1
templates_disabled_from_rule=1
correction_table_entries=1
routing_cache_entries=1
swap_saturation=1
delayed_notifications=1
neighbour_table_overflow=1
soft_lockups=1
[correction_table_entries]
threshold=10

[long_running_procs]
elapsed_time=60
processes_to_check=("fw ctl zdebug" "fw ctl debug" "fw ctl kdebug" "fw monitor" "sim dbg" "tcpdump")

[routing_cache_entries]
threshold=90

[swap_saturation]
threshold=50

[neighbour_table_overflow]
timeout=3600

[soft_lockups]
timeout=3600

The tests section lets you select which tests run.

To enable or disable a test:
In the tests section of $FWDIR/conf/performance_hogs.conf, set the parameter value:
• 1 = enable
• 0 = disable

To configure a test:
1. Find the configuration section for the test in $FWDIR/conf/performance_hogs.conf. If it
does not exist, add the section with this format:
[<test_name>]
2. Change or add the parameters for the test. See the tables below for allowed parameters.
Note - Not all the tests can be configured.

long_running_procs
The long_running_procs test confirms that the listed processes do not run longer than the
configured time.
Note - This test runs in the contexts of all Virtual Systems.
Parameters:

Parameter            Description
elapsed_time         Longest time in seconds a process should run.
                     Default = 60 seconds. Minimum recommended value = 30.
processes_to_check   List of processes to check. Each process must be in quotes, with a space
                     between processes.
                     Default: "fw ctl zdebug" "fw ctl debug" "fw ctl kdebug" "fw monitor" "sim dbg" "tcpdump"
                     Example: processes_to_check=("fw ctl zdebug" "fw ctl debug" "fw ctl kdebug" "fw monitor" "sim dbg" "tcpdump")

Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [FAILED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
-----------------------------------------------------------------

Found potential CPU hogging processes:
-----------------------------------------------------------------
Blade PID ELAPSED TIME CMD
[1_01] 1484 03:48 00:00:00 tcpdump -nnni eth1-01

Found the following issues:
-----------------------------------------------------------------
[ All] The process 'tcpdump' is running for more than 60 seconds
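To show how the configuration procedure above and the long_running_procs test fit together, here is an added example (not Check Point's asg_perf_hogs code) that reads a performance_hogs.conf in the layout this guide shows, determines which tests are enabled, and applies the elapsed_time / processes_to_check rule to a process listing. The configuration text and the process list are constructed; the elapsed-time format is assumed to be the ps-style [[dd-]hh:]mm:ss seen in the example output.

```python
"""Read $FWDIR/conf/performance_hogs.conf and run the long_running_procs check over a process list.

Added example, not Check Point's asg_perf_hogs implementation. It assumes the INI layout the guide
shows ([tests] with 1/0 flags, one section per configurable test) and a ps-style elapsed time
([[dd-]hh:]mm:ss) in the Blade/PID/ELAPSED/TIME/CMD listing the test prints.
"""
import configparser
import re
from typing import List, Tuple

# Constructed configuration modelled on the file in the guide (one test disabled on purpose).
SAMPLE_CONF = """\
[tests]
long_running_procs=1
accel_off=1
swap_saturation=0

[long_running_procs]
elapsed_time=60
processes_to_check=("fw ctl zdebug" "fw ctl debug" "fw ctl kdebug" "fw monitor" "sim dbg" "tcpdump")

[swap_saturation]
threshold=50
"""

# Constructed process listing: (blade, pid, elapsed, cpu time, command line).
SAMPLE_PROCS = [
    ("1_01", 1484, "03:48", "00:00:00", "tcpdump -nnni eth1-01"),
    ("1_02", 2210, "00:25", "00:00:00", "fw monitor -e accept;"),
    ("2_03", 3301, "1-00:10:00", "00:00:05", "fw ctl zdebug drop"),
    ("1_01", 4111, "12:00:00", "00:03:00", "cpd"),
]

QUOTED = re.compile(r'"([^"]*)"')   # pulls the quoted names out of processes_to_check=(...)


def load_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)   # values contain no %-expansion
    cp.read_string(text)
    return cp


def enabled_tests(cp: configparser.ConfigParser) -> List[str]:
    """Names under [tests] whose value is 1, in file order."""
    return [name for name, value in cp["tests"].items() if value.strip() == "1"]


def processes_to_check(cp: configparser.ConfigParser) -> List[str]:
    return QUOTED.findall(cp["long_running_procs"]["processes_to_check"])


def parse_etime(etime: str) -> int:
    """ps ELAPSED ([[dd-]hh:]mm:ss) to seconds, e.g. '03:48' -> 228, '1-02:03:04' -> 93784."""
    days = 0
    if "-" in etime:
        day_part, etime = etime.split("-", 1)
        days = int(day_part)
    parts = [int(p) for p in etime.split(":")]
    while len(parts) < 3:
        parts.insert(0, 0)
    hours, minutes, seconds = parts
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def long_running_procs(cp, procs) -> List[Tuple[str, int, str, str]]:
    """Return (blade, pid, matched name, message) for watched processes older than elapsed_time."""
    limit = cp.getint("long_running_procs", "elapsed_time")
    watched = processes_to_check(cp)
    issues = []
    for blade, pid, elapsed, _cpu, cmd in procs:
        # match on the command prefix so "fw ctl zdebug drop" is caught by "fw ctl zdebug"
        name = next((w for w in watched if cmd == w or cmd.startswith(w + " ")), None)
        if name is None or parse_etime(elapsed) <= limit:
            continue
        issues.append((blade, pid, name,
                       f"The process '{name}' is running for more than {limit} seconds"))
    return issues


def status(cp, procs) -> str:
    """PASSED/FAILED result of the test, as shown in the Status column of the guide's output."""
    return "FAILED" if long_running_procs(cp, procs) else "PASSED"


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    if "long_running_procs" in enabled_tests(conf):
        print(f"[{status(conf, SAMPLE_PROCS)}] | Long running processes")
        for blade, pid, _name, message in long_running_procs(conf, SAMPLE_PROCS):
            print(f"[{blade}] PID {pid}: {message}")
```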

accel_off
The accel_off test confirms that SecureXL is working.
Notes:
• This test has no configuration options.
• The test runs in the context of the current Virtual System only.
Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [FAILED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[ All] SecureXL acceleration is disabled!

sim_debug_flags
The sim_debug_flags test confirms that PPACK debug flags that are not enabled by default remain
disabled.
This test runs in the contexts of all Virtual Systems. This test has no configuration options.
Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [FAILED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[ All] PPACK debug flags are set: Module: vpn; ; Flags: vpnpkts

fw1_debug_flags
The fw1_debug_flags test confirms that Firewall debug flags that are not enabled by default remain
disabled.
Notes:
• This test has no configuration options.
• This test runs in the contexts of all Virtual Systems.

Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [FAILED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[ All] FW1 debug flags are set:; Module: fw; ; Flags: error warning packet

local_logging
The local_logging test confirms that logs are written to a Log Server and not locally.
Notes:
• This test has no configuration options.
• This test runs in the context of the current Virtual System only.
Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [FAILED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[ All] Local logging is active: No connection with log server!

templates_disabled_from_rule
The templates_disabled_from_rule test confirms that SecureXL templates are not disabled
because of specific Firewall rules.
Notes:
• This test has no configuration options.
• This test runs regardless of the Virtual System context.
Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [FAILED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[ All] Templates are being disabled from rule(s): Accept Templates : disabled by Firewall; disabled
from rule #1; NAT Templates: disabled by Firewall; disabled from rule #1

correction_table_entries
The correction_table_entries test confirms that the size ratio between the Corrections table
and the Connections table is not above the threshold.
Threshold is the largest size ratio (in percent) allowed between the Corrections table and the
Connections table. Recommended range is 5 - 95.
Note - This test runs in the context of the current Virtual System only.
Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [FAILED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[ All] Correction table has 5 entries and is larger than 10% of connections table (20 entries)

delayed_notifications
The delayed_notifications test confirms that delayed notifications are enabled. The output
shows if delayed notifications are disabled for all services, or only for HTTP.
Notes:
• This test has no configuration options.
• The test runs in contexts of all Virtual Systems.
Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [FAILED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[ All] Delayed notifications for http is disabled.

routing_cache_entries
The routing_cache_entries test confirms that the IPv4 route cache capacity is not above a
certain threshold.
Threshold is the percent capacity of the IPv4 route cache that should not be exceeded:
• Default = 90
• Recommended range = 75 - 95
Note - This test runs in the context of the current Virtual System only.
Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [FAILED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[ All] Routing cache is 93% full (983731 out of 1048576 entries).

swap_saturation
The swap_saturation test confirms that swap file usage is not above the threshold.
Threshold is the percent use of the swap file allowed. Recommended range is 75 - 99.
Note - This test runs regardless of the Virtual System context.
Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [FAILED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[ All] Swap saturation is 90%. Total swap space: 1044216 bytes, used: 950000 bytes.

neighbour_table_overflow
The neighbour_table_overflow test confirms that the ARP cache did not overflow.
Timeout is the number of seconds to look back in the /var/log/messages file for ARP cache
overload messages. Recommended range is 300 - 86400.
Notes:
• To learn how to adjust the ARP cache, see sk43772
http://supportcontent.checkpoint.com/solutions?id=sk43772.
• This test runs regardless of the Virtual System context.
Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [FAILED] | Neighbour table overflow |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[ All] Neighbour table overflow occurred during the last 3600 seconds. Please see solution SK43772 for
information how to configure arp cache size.

soft_lockups
The soft_lockups test confirms there are no kernel soft lockups during the timeout period.
Timeout is the number of seconds to look back in the /var/log/messages file for kernel soft
lockup messages:
• Default = 3600
• Recommended range = 300 - 86400
Note - This test runs regardless of the Virtual System context.
Example:
-----------------------------------------------------------------
| Status | Test performed |
-----------------------------------------------------------------
| [PASSED] | Long running processes |
| [PASSED] | SecureXL status |
| [PASSED] | PPACK debug flags |
| [PASSED] | FW1 debug flags |
| [PASSED] | Local logging |
| [PASSED] | Templates disabled from rule |
| [PASSED] | Correction table entries |
| [PASSED] | Delayed notifications |
| [PASSED] | Routing cache entries |
| [PASSED] | Swap saturation |
| [PASSED] | Neighbour table overflow |
| [FAILED] | Soft lockups |
-----------------------------------------------------------------
Found the following issues:
-----------------------------------------------------------------
[1_01] Soft lockup occurred during the last 3600 seconds.

Setting Port Priority

Description
Use the set chassis high-availability port ... priority ... command in gClish to set the
priority (high or standard) of each Chassis port.

Syntax
> set chassis high-availability port <if_name> priority <priority>

Parameters
Parameter    Description
<if_name>    Interface name
<priority>   Port grade. Valid values:
             • 1 - Standard priority
             • 2 - Other priority
Use the set chassis high-availability port ... priority ... command together with
the set chassis high-availability factors port ... command:
• Set the port grade as standard or high.
For example:
> set chassis high-availability factors port standard 50
This sets the standard grade at 50.
• Set the port to high grade or standard grade.
For example:
> set chassis high-availability port eth1-01 priority 1
This assigns to eth1-01 the standard port grade.

Troubleshooting Failures
Use the smo verifiers command to troubleshoot a failed diagnostic test.
In the example below, the test shows that two fans are down and the CPU temperature exceeds its
threshold. The output identifies the failed components.
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > show smo verifiers report id 2
[Global] MyChassis-ch01-01 >
[Global] MyChassis-ch01-01 > show smo verifiers report id 2
--------------------------------------------------------------------------------
| Tests Status |
--------------------------------------------------------------------------------
| ID | Title | Result | Reason |
--------------------------------------------------------------------------------
| System Components |
--------------------------------------------------------------------------------
| 2 | Hardware | Failed (!) | (1)Chassis fan is down |
| | | | (2)Chassis fan exceeds threshold |
| | | | (3)CPU exceeds threshold |
--------------------------------------------------------------------------------
| Tests Summary |
--------------------------------------------------------------------------------
| Passed: 0/1 test |
| Run: "show smo verifiers list id 2" to view a complete list of failed tests |
| Output file: /var/log/verifier_sum.2.2017-01-29_15-46-58.txt |
| Run "show smo verifiers last-run print" to display verbose output |
--------------------------------------------------------------------------------
[Global] MyChassis-ch01-01 >

[Global] MyChassis-ch01-01 > show smo verifiers print id 2

-----------------------------------------------------------------------------
| Hardware Monitor |
-----------------------------------------------------------------------------
| Sensor | Location | Value | Threshold | Units | State |
-----------------------------------------------------------------------------
| Chassis 1 |
-----------------------------------------------------------------------------
| CMM | bay 1 | 1 | 0 | <S,D>/<A> | 1 |
| CMM | bay 2 | 0 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 0 | 65 | Celsius | 1 |
| CPUtemp | blade 1, CPU1 | 0 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU0 | 44 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 41 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU0 | 44 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU1 | 40 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU0 | 47 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU1 | 43 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU1 | 42 | 65 | Celsius | 1 |
| Fan | bay 1, fan 1 | 0 | 11 | Speed Level | 0 |
| Fan | bay 1, fan 2 | 0 | 11 | Speed Level | 0 |
| Fan | bay 2, fan 1 | 15 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 2 | 15 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 1 | 15 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 2 | 15 | 11 | Speed Level | 1 |
| PowerConsumption | N/A | 2471 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 1 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 2 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 3 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 4 | 0 | 0 | NA | 0 |
| PowerUnit(AC) | bay 5 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 1, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 4, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 4, fan 2 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 5, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 5, fan 2 | 0 | 0 | NA | 0 |
| SSM | bay 1 | 136 | 0 | Mbps | 1 |
| SSM | bay 2 | 128 | 0 | Mbps | 1 |
-----------------------------------------------------------------------------
| Chassis 2 |
-----------------------------------------------------------------------------
| CMM | bay 1 | 1 | 0 | <S,D>/<A> | 1 |
| CMM | bay 2 | 0 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 50 | 65 | Celsius | 1 |
| CPUtemp | blade 1, CPU1 | 64 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU0 | 48 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 64 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU0 | 48 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU1 | 64 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU0 | 47 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU1 | 74 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU0 | 84 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU1 | 71 | 65 | Celsius | 1 |
| Fan | bay 1, fan 1 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 2 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 1 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 2 | 4 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 1 | 4 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 2 | 4 | 11 | Speed Level | 1 |
| . |
| . |
-----------------------------------------------------------------------------
[Global] MyChassis-ch01-01 >


Error Types
Errors detected by smo verifiers:

Error Type       Error                         Description
System           Chassis <X> error             The Chassis quality grade is less than the defined health threshold. We recommend that you correct this issue immediately.
Hardware         <Component> is missing        The component is not installed in the Chassis.
Hardware         <Component> is down           The component is installed in the Chassis, but is inactive.
Resources        <Resource> capacity           The specified resource capacity is not sufficient. You can change the defined resource capacity.
Resources        <Resource> exceed threshold   The resource usage is greater than the defined threshold.
CPU type         Non compliant CPU type        At least one SGM CPU type is not configured in the list of compliant CPUs. You can define the compliant CPU types.
Security group   <Source> error                The information collected from this source is different between the SGMs.
Security group   <Sources> differ              The information collected from many sources is different.

Changing Compliance Thresholds


You can change some compliance thresholds that define a healthy, working system. In
$FWDIR/conf/asg_diag_config, change the threshold values.
These are the resources you can control:

Resource        Description
Memory          RAM memory capacity in GB
HD: /           Disk capacity in GB for the root (/) partition
HD: /var/log    Disk capacity in GB for the /var/log partition
HD: /boot       Disk capacity in GB for the /boot partition
Skew            The maximum permissible clock difference, in seconds, between the SGMs and CMMs
Certified cpu   Each line represents one compliant CPU type


Monitoring Hardware Components (asg hw_monitor)


Description
Use the asg hw_monitor command in gClish or Expert mode to show and monitor hardware
information and thresholds for monitored components:
• SGM - CPU temperature for each socket
• Chassis fan speeds
• SSM - Throughput rates
• Power consumption for each Chassis
• Power Supply Unit - Installed or not installed, and the PSU fan speed
• CMM - Installed, Active or Standby

Syntax
> asg hw_monitor [-v] [-f <filter>]

Parameters
Parameter     Description
-v            Show detailed component status report (verbose)
-f <filter>   Show status of one or more specified (filtered) components. <filter> is one or more of these component types, in a comma separated list:
              • CMM
              • CPUtemp
              • Fan
              • PowerConsumption
              • PowerUnit
              • SSM

Example output for the 61000 N+N:


[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg hw_monitor -v
------------------------------------------------------------------------------
| Hardware Monitor |
------------------------------------------------------------------------------
| Sensor | Location | Value | Threshold | Units | State|
------------------------------------------------------------------------------
| Chassis 1 |
------------------------------------------------------------------------------
| CMM | bay 1 | 1 | 0 | <S,D>/<A> | 1 |
| CMM | bay 2 | 0 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 45 | 65 | Celsius | 1 |
| CPUtemp | blade 1, CPU1 | 39 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU0 | 44 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 39 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU0 | 44 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU1 | 38 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU0 | 47 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU1 | 42 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU0 | 0 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU1 | 0 | 65 | Celsius | 1 |
| CPUtemp | blade 6, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 6, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 7, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 7, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 8, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 8, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 9, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 9, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 10, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 10, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 11, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 11, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 12, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 12, CPU1 | 0 | 65 | Celsius | 0 |
| Fan | bay 1, fan 1 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 2 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 1 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 2 | 3 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 1 | 3 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 2 | 3 | 11 | Speed Level | 1 |
| PowerConsumption | N/A | 2711 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 1 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 2 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 3 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 4 | 0 | 0 | NA | 0 |
| PowerUnit(AC) | bay 5 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 1, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 4, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 4, fan 2 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 5, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 5, fan 2 | 0 | 0 | NA | 0 |
| SSM | bay 1 | 0 | 0 | Mbps | 1 |
| SSM | bay 2 | 0 | 0 | Mbps | 1 |
------------------------------------------------------------------------------
| Chassis 2 |
------------------------------------------------------------------------------
| CMM | bay 1 | 1 | 0 | <S,D>/<A> | 1 |
| CMM | bay 2 | 0 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 1, CPU1 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU0 | 48 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 49 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU1 | 47 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU1 | 50 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU0 | | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU1 | | 65 | Celsius | 1 |
| CPUtemp | blade 6, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 6, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 7, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 7, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 8, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 8, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 9, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 9, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 10, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 10, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 11, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 11, CPU1 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 12, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 12, CPU1 | 0 | 65 | Celsius | 0 |
| Fan | bay 1, fan 1 | 5 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 2 | 5 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 1 | 5 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 2 | 5 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 1 | 5 | 11 | Speed Level | 1 |
| Fan | bay 3, fan 2 | 5 | 11 | Speed Level | 1 |
| PowerConsumption | N/A | 2711 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 1 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 2 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 3 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 4 | 0 | 0 | NA | 0 |
| PowerUnit(AC) | bay 5 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 1, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 4, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 4, fan 2 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 5, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 5, fan 2 | 0 | 0 | NA | 0 |
| SSM | bay 1 | 0 | 0 | Mbps | 1 |
| SSM | bay 2 | 0 | 0 | Mbps | 1 |
------------------------------------------------------------------------------
[Global] MyChassis-ch01-01 >

Example output on a 41000 Security System:


[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg hw_monitor -v
------------------------------------------------------------------------------
| Hardware Monitor |
------------------------------------------------------------------------------
| Sensor | Location | Value | Threshold | Units | State|
------------------------------------------------------------------------------
| Chassis 1 |
------------------------------------------------------------------------------
| CMM | bay 1 | 0 | 0 | <S,D>/<A> | 1 |
| CMM | bay 2 | 1 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 47 | 65 | Celsius | 1 |
| CPUtemp | blade 1, CPU1 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 44 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU1 | 45 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU0 | 45 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU1 | 46 | 65 | Celsius | 1 |
| Fan | bay 1, fan 1 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 2 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 3 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 4 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 5 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 6 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 7 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 8 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 9 | 4 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 10 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 1 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 2 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 3 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 4 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 5 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 6 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 7 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 8 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 9 | 4 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 10 | 4 | 11 | Speed Level | 1 |
| PowerConsumption | N/A | 1894 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 1 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 2 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 3 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 2 | 0 | 0 | NA | 1 |
| SSM | bay 1 | 40 | 0 | Mbps | 1 |
| SSM | bay 2 | 0 | 0 | Mbps | 1 |
------------------------------------------------------------------------------
| Chassis 2 |
------------------------------------------------------------------------------
| CMM | bay 1 | 1 | 0 | <S,D>/<A> | 1 |
| CMM | bay 2 | 0 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 47 | 65 | Celsius | 0 |
| CPUtemp | blade 1, CPU1 | 51 | 65 | Celsius | 0 |
| CPUtemp | blade 2, CPU0 | 46 | 65 | Celsius | 1 |
| CPUtemp | blade 2, CPU1 | 56 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU0 | 49 | 65 | Celsius | 1 |
| CPUtemp | blade 3, CPU1 | 51 | 65 | Celsius | 1 |
| CPUtemp | blade 4, CPU0 | 0 | 65 | Celsius | 0 |
| CPUtemp | blade 4, CPU1 | 0 | 65 | Celsius | 0 |
| Fan | bay 1, fan 1 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 2 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 3 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 4 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 5 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 6 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 7 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 8 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 9 | 3 | 11 | Speed Level | 1 |
| Fan | bay 1, fan 10 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 1 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 2 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 3 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 4 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 5 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 6 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 7 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 8 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 9 | 3 | 11 | Speed Level | 1 |
| Fan | bay 2, fan 10 | 3 | 11 | Speed Level | 1 |
| PowerConsumption | N/A | 1624 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 1 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 2 | 0 | 0 | NA | 1 |
| PowerUnit(AC) | bay 3 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 1, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 1, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 1 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 2, fan 2 | 0 | 0 | NA | 1 |
| PowerUnitFan | bay 3, fan 1 | 0 | 0 | NA | 0 |
| PowerUnitFan | bay 3, fan 2 | 0 | 0 | NA | 0 |
| SSM | bay 1 | 2 | 0 | Mbps | 1 |
| SSM | bay 2 | 0 | 0 | Mbps | 1 |
------------------------------------------------------------------------------
[Expert@MyChassis-ch01-01:0]#

Output description:

Column                    Description
Location                  Front panel location.
Value, Threshold, Units   Most components have a defined threshold value. The threshold gives an indication of the health and functionality of the component. When the value of the resource is greater than the threshold, an alert is sent (on page 164).
State                     • 0 = Component not installed
                          • 1 = Component is installed
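As an added example that is not part of the guide, the Python below parses the Hardware Monitor table printed by asg hw_monitor and show smo verifiers print id 2, then applies the rules given above: State 0 means the component is not installed, and a value above the threshold is the condition on which an alert is sent. The sample table is constructed, and the reading of a 0 threshold (CMM, PowerUnit, SSM rows) as "no threshold defined" is an assumption.

```python
"""Parse the Hardware Monitor table printed by 'asg hw_monitor' and
'show smo verifiers print id 2', and flag the conditions the guide describes."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout shown above (not captured from a real system):
# healthy rows mixed with a hot CPU, an empty blade slot, a stopped fan, an empty
# PSU bay, a missing reading and a chassis drawing more power than its threshold.
SAMPLE_OUTPUT = """\
------------------------------------------------------------------------------
| Hardware Monitor |
------------------------------------------------------------------------------
| Sensor | Location | Value | Threshold | Units | State|
------------------------------------------------------------------------------
| Chassis 1 |
------------------------------------------------------------------------------
| CMM | bay 1 | 1 | 0 | <S,D>/<A> | 1 |
| CPUtemp | blade 1, CPU0 | 45 | 65 | Celsius | 1 |
| CPUtemp | blade 5, CPU1 | 74 | 65 | Celsius | 1 |
| CPUtemp | blade 6, CPU0 | 0 | 65 | Celsius | 0 |
| Fan | bay 1, fan 1 | 0 | 11 | Speed Level | 0 |
| PowerConsumption | N/A | 2711 | 4050 | Watts | 1 |
| PowerUnit(AC) | bay 4 | 0 | 0 | NA | 0 |
| SSM | bay 1 | 136 | 0 | Mbps | 1 |
------------------------------------------------------------------------------
| Chassis 2 |
------------------------------------------------------------------------------
| CPUtemp | blade 5, CPU0 | | 65 | Celsius | 1 |
| PowerConsumption | N/A | 4100 | 4050 | Watts | 1 |
------------------------------------------------------------------------------
[Global] MyChassis-ch01-01 >
"""

CHASSIS_RE = re.compile(r"^Chassis (\d+)$")


@dataclass
class Reading:
    chassis: int
    sensor: str
    location: str
    value: Optional[int]   # None when the column is empty (seen on the page for some blades)
    threshold: int
    units: str
    state: int             # 0 = component not installed, 1 = installed


def parse_hw_monitor(text: str) -> List[Reading]:
    """Turn the pipe-delimited table into Reading records, tracking the chassis banner."""
    readings: List[Reading] = []
    chassis = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            continue                      # separator rules, prompts, page furniture
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 1:               # title line or "Chassis N" banner
            m = CHASSIS_RE.match(cells[0])
            if m:
                chassis = int(m.group(1))
            continue
        if len(cells) != 6 or cells[0] == "Sensor":
            continue                      # column header or a row we do not understand
        sensor, location, value, threshold, units, state = cells
        readings.append(Reading(chassis, sensor, location,
                                int(value) if value else None,
                                int(threshold), units, int(state)))
    return readings


def findings(readings: List[Reading]) -> List[Tuple[str, str]]:
    """Apply the page's rules: State 0 is 'not installed'; a value above a non-zero
    threshold is the alert condition. Assumption (not stated on the page): a threshold
    of 0, as on the CMM, PowerUnit and SSM rows, means no threshold is defined."""
    out: List[Tuple[str, str]] = []
    for r in readings:
        where = f"chassis {r.chassis}: {r.sensor} {r.location}"
        if r.state == 0:
            out.append(("not_installed", where))
        elif r.value is None:
            out.append(("no_reading", where))
        elif r.threshold > 0 and r.value > r.threshold:
            out.append(("over_threshold", f"{where} = {r.value} {r.units} > {r.threshold}"))
    return out


if __name__ == "__main__":
    for kind, detail in findings(parse_hw_monitor(SAMPLE_OUTPUT)):
        print(f"{kind:15} {detail}")
```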


Chassis Control (asg_chassis_ctrl)


Description
Use the Chassis Control utility to monitor and configure SSMs and CMMs with different commands
and parameters.
Chassis Control is based on SNMP communication between the different Chassis and
components.

Syntax
# asg_chassis_ctrl <option> <parameters>

You can run this command in gClish or Expert mode.

Options and Parameters

Option and Parameters                             Description
active_sgms                                       Shows all installed SGMs.
active_ssm                                        Shows active SSMs. An SSM that is not installed or is down does not show as Active.
get_fans_status                                   Shows the health status of the Chassis fans.
get_lb_dist <ssm_id>                              Shows the current distribution matrix from the specified SSM. The matrix is a table containing SGM IDs and is used to determine to which other SGMs a packet should be forwarded.
get_ssm_firmware <ssm_id>                         Shows the firmware version of the specified SSM.
get_ssm_type <ssm_id>                             Shows the model of the specified SSM.
get_psu_status                                    Shows the current status of the PSUs.
get_pems_status                                   Shows the current status of the Chassis PEMs.
get_cmm_status                                    Shows the current status of the CMMs.
get_cpus_temp <sgm_id>                            Shows temperatures of the specified SGM CPUs.
get_dist_md5sum                                   Shows the md5sum of the distribution matrix for the given SSM. Comparing this checksum against the checksum on other SSMs verifies that they are synchronized.
get_ports_stat <ssm_id>                           Prints the port status for the specified SSM.
get_dist_mode <ssm_id>                            Shows the port Distribution Mode for the specified SSM.
get_dist_mask <ssm_id>                            Shows a summary of the distribution masks in the different modes.
get_matrix_size <ssm_id>                          Shows the size, in bytes, of the SSM distribution matrix.
get_sel_info <cmm_id>                             Shows event data from the specified CMM. This information is useful for troubleshooting and system forensics.
restart_ssm <ssm_id>                              Restarts the specified SSM.
restart_cmm <cmm_id>                              Restarts the specified CMM.
start_ssm <ssm_id>                                Starts the specified SSM.
shutdown_ssm <ssm_id>                             Shuts down the specified SSM.
mib2_stats <ssm_id> <port_id> [<err>]             Shows MIB2 statistics for the specified SSM and port. <err> = Error type.
get_bmac <ssm_id>                                 Shows SGM MAC addresses from the SSM.
get_power_type                                    Shows the Chassis input power type (AC or DC).
get_ac_power_type                                 Shows the AC power type.
jumbo_frames {enable | disable | show} <ssm_id>   Enables, disables or shows Jumbo Frames on an SSM160/SSM440.
set_port_mtu <ssm_id> <port_id> <mtu_size>        Sets the port MTU size for the specified SSM and port.
                                                  <ssm_id> - SSM identifier (1 - 4, or all)
                                                  <port_id> - Port number
                                                  <mtu_size> - This MTU size can be one of these values:
                                                  • Integer value up to 12,288
                                                  • max - Maximum supported MTU size
                                                  • default - System default MTU size (typically 1544)
get_port_mtu <ssm_id> <port_id>                   Shows the MTU for the specified SSM and port.
get_port_media_details <ssm_id>                   Shows port information.
get_pem_cb_status                                 Shows PEM status.
help [-v]                                         Shows help messages in Verbose Mode.
enable_port                                       Enables the port.
disable_port                                      Disables the port.

Notes
• To see the full syntax for an option, run the command and option without parameters.
• To make sure the Chassis Control commands work correctly, run this command on both
Chassis:

Example
[Expert@MyChassis-ch01-01:0]# asg_chassis_ctrl get_cmm_status
Getting CMM(s) status
CMM #1 -> Health: 1, Active: 1
CMM #2 -> Health: 1, Active: 0
Active CMM firmware version: 2.83
[Expert@MyChassis-ch01-01:0]#


Monitoring CPU Utilization (asg_cores_util)


Description
Use the asg_cores_util command to monitor CPU utilization on all SGMs.

Syntax
# asg_cores_util

Example output
# asg_cores_util
+---------------------+
|CPUs Utilization |
+-----------+----+----+
|CPU \ Blade|2_3 |2_4 |
+-----------+----+----+
|cpu0 |29% |2% |
+-----------+----+----+
|cpu1 |0% |0% |
+-----------+----+----+
|cpu2 |0% |1% |
+-----------+----+----+
|cpu3 |37% |25% |
+-----------+----+----+
|cpu4 |0% |0% |
+-----------+----+----+
|cpu5 |1% |18% |
+-----------+----+----+
|cpu6 |0% |0% |
+-----------+----+----+
|cpu7 |0% |0% |
+-----------+----+----+
|cpu8 |0% |0% |
+-----------+----+----+
|cpu9 |0% |1% |
+-----------+----+----+
|cpu10 |0% |0% |
+-----------+----+----+
|cpu11 |0% |0% |
+-----------+----+----+
|cpu12 |0% |0% |
+-----------+----+----+
|cpu13 |1% |1% |
+-----------+----+----+
|cpu14 |1% |0% |
+-----------+----+----+
|cpu15 |0% |0% |
+-----------+----+----+
#


Security Monitoring
Use these features to monitor your system security.

SYN Defender (sim synatk, sim6 synatk, asg synatk)


A SYN flood attack occurs when a host, typically using a forged source address, sends a flood of
TCP/SYN packets. Each of these packets is handled as a connection request, which causes the server
to create a half-open connection: the gateway sends a TCP/SYN-ACK (Acknowledge) packet and waits
for a response packet that never arrives. These half-open connections eventually exhaust the
maximum available connections, which causes a denial of service condition. SYN Defender protects
the gateway by dropping excessive half-open connections.
Use these commands to:
• Configure a defense against an IPv4 SYN Flood attack (sim synatk)
• Configure a defense against an IPv6 SYN Flood attack (sim6 synatk)
• Monitor the system during attacks and normal system operation (asg synatk)
• Simulate a SYN attack on the specified interfaces (asg synatk state -i <interface_name>
-a)
This protection works with Performance Pack.

Syntax
> g_sim synatk [-e] [-d] [-m] [-g] [-t <threshold>] [-a] [monitor] [monitor -v]
> g_sim6 synatk [-e] [-d] [-m] [-g] [-t <threshold>] [-a] [monitor] [monitor -v]
> g_sim synatk state -i <interface_name> -a
> g_sim6 synatk -a
> g_asg synatk [-b <SGM_IDs>] [-4 | -6]

Parameters
Parameter                   Description
-e                          Enable SYN Defender. This engages the system when it recognizes an attack on an external interface. External interfaces are defined in SmartDashboard. Internal interfaces are always in Monitor Mode.
-d                          Disable SYN Defender.
-m                          Set Monitor Mode. SYN Defender only sends a log when it recognizes an attack.
-g                          Enforce on all interfaces.
-t <threshold>              Set the SYN Defender threshold number of half-opened connections.
state -i <interface_name>   Simulate a SYN attack on the specified interface.
-a                          Use configuration from the $PPKDIR/conf/synatk.conf file.
monitor                     Show the attack monitoring tool.
monitor -v                  Show the attack monitoring tool with extra (verbose) information.
-b <SGM_IDs>                Works with SGMs and/or Chassis as specified by <SGM_IDs>. <SGM_IDs> can be:
                            • No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
                            • One SGM (for example, 1_1)
                            • A comma-separated list of SGMs (for example, 1_1,1_4)
                            • A range of SGMs (for example, 1_1-1_4)
                            • One Chassis (chassis1, or chassis2)
                            • The active Chassis (chassis_active)
-6                          Shows the IPv6 status only.
-4                          Shows the IPv4 status only.

SYN Defender Configuration File


The SYN Defender configuration file (default $PPKDIR/conf/synatk.conf) has two sections:
• Configuration fields
• Interface list
The configuration fields section consists of single lines with a field, an equal sign, and the value.

Field                           Default   Description
enabled                         1         • 0 - Enable SYN Defender
                                          • 1 - Disable SYN Defender
enforce                         1         • 0 - Interfaces use Monitor Mode only
                                          • 1 - Enforce rules on external interfaces only
                                          • 2 - Enforce rules on internal and external interfaces
global_high_threshold           10,000    Maximum number of unestablished connections.
periodic_updates                1         • 0 - Enable periodic updates of hit counters for rule enforcement
                                          • 1 - Disable periodic updates of hit counters for rule enforcement
cookie_lifetime                 10        Maximum cookie lifetime in seconds.
total_max_held_pkts             -1        Maximum number of cached packets. -1 means no limit.
min_frag_sz                     80        Minimum size of packets that are not dropped during an attack.
nr_saved_pkt_on_activate        100       Maximum number of packets saved to syslog when an attack starts.
high_threshold                  10,000    Maximum number of unestablished connections per external interface.
low_threshold                   5000      Minimum number of unestablished connections per external interface before connections are dropped.
internal_high_threshold         20,000    Maximum number of unestablished connections per internal interface.
internal_low_threshold          10,00     Minimum number of unestablished connections per internal interface before connections are dropped.
score_alpha                     100       Number between 1 and 127 that represents how likely SYN Defender is to drop packets. 1 is least likely and 127 is most likely.
conn_max_held_pkts              1         Maximum number of held packets for a connection from before SYN Defender engages.
monitor_log_interval            60,000    Number of milliseconds between log warnings.
grace_timeout                   30,000    Maximum number of milliseconds SYN Defender stays in Grace Mode.
min_time_in_active              60,000    Minimum number of milliseconds SYN Defender stays in Active Mode.
clear_route_cache_on_activate   1         • 1 - Clear the route cache when SYN Defender activates
                                          • 0 - Do not clear the route cache when SYN Defender activates
revalidate_suspicious_syns      1         Deletes a connection and sends a validation SYN+ACK packet back. This is useful to clean up spoofed connections made before SYN Defender engaged.

Example:
enabled = 1
enforce = 1

The interface section consists of lines in this format:


interface <if_name> state = <state>

Field       Description
<if_name>   Interface name
<state>     • disabled - SYN Defender does not protect or monitor the interface
            • monitor - SYN Defender monitors but does not protect the interface
            • enforce - SYN Defender protects the interface


Example:
interface eth1-01 state = enforce
interface eth2-01 state = disabled
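As an added example that is not part of the guide, the Python below parses a file in the synatk.conf layout described above (field lines and interface lines) and reports values outside the ranges the field table gives. The two sample configurations are constructed, and the cross-check that low_threshold does not exceed high_threshold is the editor's own assumption.

```python
"""Parse a SYN Defender configuration file in the $PPKDIR/conf/synatk.conf layout
described above and report values outside the documented ranges."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Allowed integer ranges, taken from the field table above (None = no upper bound).
FIELD_RANGES: Dict[str, Tuple[int, Optional[int]]] = {
    "enabled": (0, 1),
    "enforce": (0, 2),
    "global_high_threshold": (0, None),
    "periodic_updates": (0, 1),
    "cookie_lifetime": (0, None),
    "total_max_held_pkts": (-1, None),      # -1 means no limit
    "min_frag_sz": (0, None),
    "nr_saved_pkt_on_activate": (0, None),
    "high_threshold": (0, None),
    "low_threshold": (0, None),
    "internal_high_threshold": (0, None),
    "internal_low_threshold": (0, None),
    "score_alpha": (1, 127),
    "conn_max_held_pkts": (0, None),
    "monitor_log_interval": (0, None),
    "grace_timeout": (0, None),
    "min_time_in_active": (0, None),
    "clear_route_cache_on_activate": (0, 1),
    "revalidate_suspicious_syns": (0, 1),
}
INTERFACE_STATES = {"disabled", "monitor", "enforce"}

FIELD_RE = re.compile(r"^(\w+)\s*=\s*(-?\d+)$")                 # <field> = <integer>
IFACE_RE = re.compile(r"^interface\s+(\S+)\s+state\s*=\s*(\S+)$")  # interface <if_name> state = <state>

# Constructed samples (not from a real system). GOOD_CONF follows the two examples above.
GOOD_CONF = """\
enabled = 1
enforce = 1
high_threshold = 10000
low_threshold = 5000
score_alpha = 100
interface eth1-01 state = enforce
interface eth2-01 state = disabled
interface eth2-03 state = monitor
"""
# BAD_CONF carries out-of-range values, an unknown field, an unknown interface
# state, and a low_threshold above high_threshold.
BAD_CONF = """\
enabled = 1
enforce = 3
score_alpha = 200
bogus_field = 7
interface eth9-01 state = active
high_threshold = 100
low_threshold = 5000
"""


@dataclass
class SynatkConfig:
    fields: Dict[str, int] = field(default_factory=dict)
    interfaces: Dict[str, str] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)


def parse_synatk_conf(text: str) -> SynatkConfig:
    cfg = SynatkConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = IFACE_RE.match(line)
        if m:
            name, state = m.groups()
            if state not in INTERFACE_STATES:
                cfg.problems.append(f"line {lineno}: unknown interface state '{state}'")
            cfg.interfaces[name] = state
            continue
        m = FIELD_RE.match(line)
        if not m:
            cfg.problems.append(f"line {lineno}: cannot parse '{line}'")
            continue
        name, value = m.group(1), int(m.group(2))
        bounds = FIELD_RANGES.get(name)
        if bounds is None:
            cfg.problems.append(f"line {lineno}: unknown field '{name}'")
        else:
            lo, hi = bounds
            if value < lo or (hi is not None and value > hi):
                top = "inf" if hi is None else hi
                cfg.problems.append(f"line {lineno}: {name}={value} is outside {lo}..{top}")
        cfg.fields[name] = value
    # Editor's cross-field check (the page defines each threshold separately):
    # a low-water mark should not exceed its high-water mark.
    for low, high in (("low_threshold", "high_threshold"),
                      ("internal_low_threshold", "internal_high_threshold")):
        if low in cfg.fields and high in cfg.fields and cfg.fields[low] > cfg.fields[high]:
            cfg.problems.append(f"{low}={cfg.fields[low]} exceeds {high}={cfg.fields[high]}")
    return cfg


if __name__ == "__main__":
    for sample in (GOOD_CONF, BAD_CONF):
        cfg = parse_synatk_conf(sample)
        print(f"{len(cfg.fields)} fields, {len(cfg.interfaces)} interfaces, "
              f"{len(cfg.problems)} problems")
        for p in cfg.problems:
            print("  ", p)
```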

Monitoring a SYN Attack - Standard Output


This example shows standard output. It shows that there are two interfaces under attack.
Interface eth2-03 was attacked three seconds ago and interface eth2-04 is recovering from an
attack that ended 24 seconds ago.
> sim synatk monitor -b all -4
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Enforcing |
| Status Under Attack (!) |
| Non established connections 3 |
| Threshold 1000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth1-Mgmt4 | External | Prevent | Monitor | 7 | 3 |
| eth1-01 | Internal | Detect | Monitor | 0 | 0 |
| eth2-01 | External | Prevent | Monitor | 0 | 0 |
| eth2-02 | External | Prevent | Monitor | 0 | 0 |
| eth2-03 (!) | External | Prevent | Active( 3) | - | - |
| eth2-04 (!) | External | Prevent | Grace ( 24) | 0 | 0 |
+-----------------------------------------------------------------------------+
>

Output:

Field                   Description
IF                      Interface name.
Topology                Topology as defined in SmartDashboard.
Enforce                 Action taken by SYN Defender:
                        • Prevent - Detects attacks and enforces protection.
                        • Detect - Detects attacks, but only generates log entries. Does not enforce protection.
                        • Disabled - Protection is disabled.
State                   Current SYN Defender state:
                        • Disabled - SYN Defender is disabled for this interface.
                        • Monitor - The interface is not under attack and SYN Defender monitors connections.
                        • Active - The interface is under attack and SYN Defender enforces protections.
                        • Grace - The attack on the interface ended and the normal service is restored.
Non-established conns   • Peak - The highest number of half-opened connections for this interface. This can help you to configure the correct threshold.
                        • Current - The number of half-opened connections at this time.

Monitoring a SYN Attack - Verbose Output


This example shows the verbose output.
> sim synatk monitor -v
+-----------------------------------------------------------------------------+
| SYN Defender statistics |
+-----------------------------------------------------------------------------+
| Status Under Attack (!) |
| Spoofed SYN/sec 534000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Defend (sec) | SYN cookie rate |
| | | | Sent | BAU (cps) | Spoofed |
+-----------------------------------------------------------------------------+
| eth2-01 | External | 28 | 345345 | 40 | 95 % |
| eth2-02 | External | 12 | 150 | 50 | 33 % |
+-----------------------------------------------------------------------------+
| Sum | 345495 | 90 | 93 % |
+-----------------------------------------------------------------------------+
>

Output:

Column         Description
IF             The interface name
Topology       The interface topology as defined in SmartDashboard
Defend (sec)   The attack duration in seconds
Sent           SYN cookie rate - Number of SYN packets received per second
BAU (cps)      Business as usual - Number of legitimate connections handled per second
Spoofed        The percentage of spoofed SYN packets out of all traffic

Showing SYN Defender Status


This example shows the status of SYN flood attack protection for all SGMs. For Blade 2_02 (IPv6) it shows that:
• There are 3 half-open connections
• It receives 10,000 spoofed SYN packets per second
• It is currently under attack
Example:
> asg synatk
+------------------------------------------------------------------------------+
| SYN Defender status |
+------------------------------------------------------------------------------+
| Blade | IP | Config | Status | Non est. conns | Spoofed / sec |
+------------------------------------------------------------------------------+
| 2_01 | IPv4 | Enforcing | Normal | 6 | 0 |
| 2_01 | IPv6 | Enforcing | Normal | 0 | 0 |
| 2_02 | IPv4 | Enforcing | Normal | 0 | 0 |
| 2_02 | IPv6 | Enforcing | Under Attack | 3 | 10000 |
+------------------------------------------------------------------------------+
| All | 9 | 10000 |
+------------------------------------------------------------------------------+
>

F2F Quota
Description
F2F detects traffic floods and prevents performance degradation on the Scalable Platform. It
assigns a high priority to known, important packets from Performance Pack and drops packets
suspected of being part of a DDoS attack.
Use these commands:
• asg f2fq
• fwaccel f2fq stats
• fwaccel6 f2fq stats


Two examples of known F2F flood attacks are UDP floods and fragmentation attacks. These attacks
cause excessive resource allocation when the gateway tries to reassemble the packet fragments.
• Use fwaccel for IPv4 information
• Use fwaccel6 for IPv6 information

Syntax
> fwaccel f2fq stats [-v]
> fwaccel f2fq -c <file>
> fwaccel f2fq -a
> fwaccel6 f2fq stats [-v]
> fwaccel6 f2fq -c <file>
> fwaccel6 f2fq -a
> asg f2fq [-b <SGM_IDs>] [-6 | -4]

Parameters
Parameter      Description
-v             Shows detailed (verbose) statistics.
-b <SGM_IDs>   Works with SGMs and/or Chassis as specified by <SGM_IDs>. <SGM_IDs> can be:
               • No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
               • One SGM (for example, 1_1)
               • A comma-separated list of SGMs (for example, 1_1,1_4)
               • A range of SGMs (for example, 1_1-1_4)
               • One Chassis (chassis1, or chassis2)
               • The active Chassis (chassis_active)
-6             Shows the IPv6 status only.
-4             Shows the IPv4 status only.
-c <file>      Uses the parameters in <file>.
-a             Uses the parameters in the $FWDIR/conf/f2fq.conf file.

Example
This example shows details of IPv4 activity for all Firewall instances.
> fwaccel f2fq stats -v
+---------------------------------------------------------------------------+
| DDOS Mitigation |
+---------------------------------------------------------------------------+
| Mode: Enforcing |
| Status Normal |
| Last 10 seconds drops 13146 |
+---------------------------------------------------------------------------+
| Instance | Reason | Drops / Hits |
+---------------------------------------------------------------------------+
| FW 0 | CONN_MISS_TCP_SYN | 103365 / 104629 |
+---------------------------------------------------------------------------+
| FW 1 | FRAG | 6232 / 13816 |
| | CONN_MISS_TCP_SYN | 101096 / 102203 |
| | CONN_MISS_TCP_OTHER | 13146 / 14359 |
+---------------------------------------------------------------------------+
| FW 2 | FRAG | 1339 / 1339 |
| | CONN_MISS_TCP_SYN | 101087 / 102143 |
+---------------------------------------------------------------------------+
| All | FRAG | 7571 / 15155 |
| | CONN_MISS_TCP_SYN | 305548 / 308975 |
| | CONN_MISS_TCP_OTHER | 13146 / 14359 |

+---------------------------------------------------------------------------+
>

Output description
Item Description
Last 10 seconds drops The number of dropped packets during the last 10 seconds.
Instance The verbose output shows a historical aggregate of the results, for
each Firewall instance.
Drops / Hits The number of dropped packets out of the total number of
packets, grouped by the attack type.

Example - asg f2fq:
This output shows how the protection mitigates the DDoS attack, for each SGM.
> asg f2fq
+-------------------------------------------------------------------------+
| DDOS Mitigation |
+-------------------------------------------------------------------------+
| Blade | Protocol | Config | Status | Last 10 sec drops |
+-------------------------------------------------------------------------+
| 1_01 (!) | IPv4 | Enforcing | Under Attack | 151130 |
| 1_01 | IPv6 | Enforcing | Normal | 0 |
| 1_02 | IPv4 | Enforcing | Normal | 0 |
| 1_02 | IPv6 | Enforcing | Normal | 0 |
| 1_03 | IPv4 | Enforcing | Normal | 0 |
| 1_03 | IPv6 | Enforcing | Normal | 0 |
| 1_04 | IPv4 | Enforcing | Normal | 0 |
| 1_04 | IPv6 | Enforcing | Normal | 0 |
+-------------------------------------------------------------------------+
>

F2F Configuration File


The default F2F configuration file, $FWDIR/conf/f2fq.conf, has two sections:
• Global options
• Packet priority table

Global Options
Option Description Default
enabled • 1: F2F Quota is enabled 1
• 0: F2F Quota is disabled
enforce • 1: Drops packets 1
• 0: Does not drop packets; only logs them to /var/log/messages
snapshots_interval Milliseconds between F2F calculations. 1000
load_threshold Percent of queue load capacity used before F2F activates. 80
Range: 0-100
dynamic_prio_threshold Dynamic priority threshold. 20
F2F drops packets whose dynamic priorities are lower than dynamic_prio_threshold.
print_syslog_interval Milliseconds between writes to /var/log/messages. 30,000
config_version Configuration file version. 1
default_priority Priority for a packet that does not match any rule. 100

Packet Priority
Field Description
# Interface The interface name.
Use the asterisk * for all interfaces.
proto The transport layer protocol. Use the asterisk * for all protocols.
service Port number or port range (applicable to TCP and UDP only).
Use the asterisk * for all ports.
ip The destination IP and subnet.
Use the asterisk * for all IP addresses.
reason Reason why this packet is rejected.
Use the asterisk * for all reasons.
priority • 0 - 100 - Priority for a packet that matches this rule. Packets
with a higher priority have a lower chance of being dropped.
• Exception - Packets that match this rule are never dropped.

Example:
enabled = 1
enforce = 1
config_version = 1
default_priority = 100
dynamic_prio_threshold = 20
snapshots_interval = 1000
load_threshold = 80

# Interface proto service ip reason priority
eth1-01 * 1-1024 1.1.1.0/24 * Exception
* TCP * * FRAG 10
* UDP * * FRAG 60
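
The configuration format and rule semantics above, as an added example (not Check Point code): a parser for f2fq.conf-style text and a matcher that gives a packet the priority of the first matching row, or default_priority when no row matches. Packet, Rule, parse_f2fq, priority_for and decide are names assumed here; because the guide does not describe how the dynamic priority is computed, decide() compares the static rule priority with dynamic_prio_threshold as a stated stand-in.

```python
import ipaddress
from dataclasses import dataclass

# Defaults from the Global Options table
GLOBAL_DEFAULTS = {"enabled": 1, "enforce": 1, "config_version": 1, "default_priority": 100,
                   "dynamic_prio_threshold": 20, "snapshots_interval": 1000,
                   "load_threshold": 80, "print_syslog_interval": 30000}


@dataclass
class Rule:                      # one row of the packet priority table
    interface: str               # interface name or '*'
    proto: str                   # TCP, UDP, ... or '*'
    ports: object                # (low, high) port range, or None for '*'
    network: object              # destination ip_network, or None for '*'
    reason: str                  # F2F rejection reason or '*'
    priority: object             # 0-100 or "Exception"


@dataclass
class Packet:                    # constructed packet summary (assumed fields)
    interface: str
    proto: str
    dst_ip: str
    reason: str
    dport: int = None            # None for protocols without ports


def _parse_ports(text):
    if text == "*":
        return None
    low, _, high = text.partition("-")
    lo, hi = int(low), int(high or low)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad service range: {text}")
    return lo, hi


def parse_f2fq(text):
    """Return (global options, rules) parsed from f2fq.conf-style text."""
    options = dict(GLOBAL_DEFAULTS)
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank line or column header
            continue
        if "=" in line:                               # global option: key = value
            key, _, value = line.partition("=")
            options[key.strip()] = int(value.strip())
            continue
        cols = line.split()                           # rule row: six columns
        if len(cols) != 6:
            raise ValueError(f"rule row needs 6 columns: {line}")
        iface, proto, service, ip, reason, prio = cols
        priority = "Exception" if prio.lower() == "exception" else int(prio)
        if priority != "Exception" and not 0 <= priority <= 100:
            raise ValueError(f"priority outside 0-100: {prio}")
        rules.append(Rule(iface, proto.upper(), _parse_ports(service),
                          None if ip == "*" else ipaddress.ip_network(ip, strict=False),
                          reason.upper(), priority))
    return options, rules


def rule_matches(rule, pkt):
    if rule.interface not in ("*", pkt.interface) or rule.proto not in ("*", pkt.proto.upper()):
        return False
    if rule.ports is not None:                        # service applies to TCP and UDP only
        if pkt.dport is None or pkt.proto.upper() not in ("TCP", "UDP"):
            return False
        if not rule.ports[0] <= pkt.dport <= rule.ports[1]:
            return False
    if rule.network is not None and ipaddress.ip_address(pkt.dst_ip) not in rule.network:
        return False
    return rule.reason in ("*", pkt.reason.upper())


def priority_for(options, rules, pkt):
    """First matching row wins; an unmatched packet gets default_priority."""
    return next((r.priority for r in rules if rule_matches(r, pkt)), options["default_priority"])


def decide(options, rules, pkt, queue_load_pct):
    """Return 'pass', 'drop' or 'log'. Assumption: the static rule priority stands in
    for the dynamic priority, whose computation the guide does not describe."""
    if not options["enabled"] or queue_load_pct < options["load_threshold"]:
        return "pass"                                 # F2F activates only above load_threshold
    prio = priority_for(options, rules, pkt)
    if prio == "Exception" or prio >= options["dynamic_prio_threshold"]:
        return "pass"                                 # Exception rows are never dropped
    return "drop" if options["enforce"] else "log"    # enforce=0 only logs to /var/log/messages


# Constructed sample in the format of the guide's example configuration
SAMPLE_CONF = """\
enabled = 1
enforce = 1
config_version = 1
default_priority = 100
dynamic_prio_threshold = 20
snapshots_interval = 1000
load_threshold = 80
# Interface proto service ip reason priority
eth1-01 * 1-1024 1.1.1.0/24 * Exception
* TCP * * FRAG 10
* UDP * * FRAG 60
"""
```
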

F2F Rejection Reasons
Name Description
FRAG Packet is a fragment.
IP_OPT Packet has IP options.
CONN_MISS_ICMP No connection found for an ICMP packet.
CONN_MISS_TCP_SYN No connection found for a TCP SYN packet.
CONN_MISS_TCP_OTHER No connection found for a TCP non-SYN packet.
CONN_MISS_UDP No connection found for a UDP packet.
CONN_MISS_OTHER No connection found for a packet of any other type.
VPN_F2F VPN connection.
F2F_IS_ON_ICMP ICMP packet set by the firewall to be rejected.
F2F_IS_ON_TCP TCP packet set by the firewall to be rejected.
F2F_IS_ON_UDP UDP packet set by the firewall to be rejected.
F2F_IS_ON_OTHER Other type of packet set by the firewall to be rejected.
UNIDIR_VIOL Unidirectional violation.
SPOOF_VIOL Possible spoof violation.
TCP_STATE Possible TCP state violation.
OUT_IF Outbound interface is not defined or accelerated.
XMT_EQ_RCV Incoming interface is the same as the outgoing interface.
ROUTING_ERR Routing decision error.
SANITY_CHECKS Sanity checks failed.
TEMP_CONN Temporary connection expired.
FWD_NON_PIVOT Device cannot forward to non-pivot member.
BROADCAST Broadcast / multicast in pivot member.
CLUSTER_MSG Source address is of FWHA protocol or LS forwarding layer.
PARTIAL_CONN Partial connection.
PXL_F2F PXL connection.
CLUSTER_FORWARD Packet forwarded from another cluster member.
CHAIN_FORWARD Packet reinjection by the chain forwarding mechanism.
SPORT_ALLOC_F2F Packet rejected due to port allocation failure.
GENERAL Packet rejected for a reason not listed above.


Showing the Number of Firewall and SecureXL Connections (asg_conns)


Description
Use the asg_conns command in gClish or Expert mode to show the number of firewall and
SecureXL connections on each SGM.

Syntax
asg_conns -h
asg_conns [-b <SGM_IDs>]

Parameters
Parameter Description
-h Shows the built-in help.
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-6 Shows only IPv6 connections.


Example
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg_conns
1_01:
#VALS #PEAK #SLINKS
246 1143 246
1_02:
#VALS #PEAK #SLINKS
45 172 45
1_03:
#VALS #PEAK #SLINKS
45 212 45
1_04:
#VALS #PEAK #SLINKS
223 624 223
1_05:
#VALS #PEAK #SLINKS
45 246 45

Total (fw1 connections table): 604 connections

1_01:
There are 60 conn entries in SecureXL connections table
Total conn entries @ DB 0: 4
Total conn entries @ DB 3: 2
.
.
Total conn entries @ DB 26: 4
Total conn entries @ DB 30: 2
1_02:
There are 16 conn entries in SecureXL connections table
Total conn entries @ DB 0: 2
Total conn entries @ DB 1: 2
.
.
Total conn entries @ DB 26: 2
1_03:
There are 16 conn entries in SecureXL connections table
Total conn entries @ DB 0: 2
Total conn entries @ DB 5: 2
.
.
Total conn entries @ DB 30: 2
1_04:
There are 260 conn entries in SecureXL connections table
Total conn entries @ DB 0: 10
Total conn entries @ DB 1: 6
.
.
Total conn entries @ DB 31: 94
1_05:
There are 16 conn entries in SecureXL connections table
Total conn entries @ DB 2: 2
.
.
Total conn entries @ DB 26: 2

Total (SecureXL connections table): 368 connections


[Global] MyChassis-ch01-01 >


Packet Drop Monitoring (asg_drop_monitor)


Description
Use the asg_drop_monitor command in Expert mode to monitor dropped packets and see
detailed statistics from NICs and SSM ports in real time.
Drop statistics come from these modules:
• NICs
• CoreXL
• PSL
• SecureXL
Notes:
• This command opens a monitor session and shows data for each SGM, aggregated data from
all SGMs, and, optionally, from SSMs. To stop an open session, press CTRL-C.
• By default, the command shows drop statistics for IPv4 traffic.

Syntax
# asg_drop_monitor -h
# asg_drop_monitor [-d] [-v] [-m <SGM_IDs>] [-i <interfaces>] [-v6] [-f <refresh_rate>] [-sf <SSM_refresh_rate>] [-le] [-e] [-dm] [-ds] [-r] [-s]

Parameters
Parameter Description
-h Shows the built-in help.
-d, --debug Runs the command in debug mode.
-v, --verbose Shows detailed drop statistics - for each member and all SecureXL statistics.
-m <SGM_IDs>, --members <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
Default - Runs on all SGMs that are in the UP state.
-i <interfaces>, --interfaces <interfaces> Shows drop statistics for the specified network interfaces. Enter a comma-separated list of the interface names.
By default, shows drop statistics only for the backplane interfaces.
-f <refresh_rate>, --refresh-rate <refresh_rate> Specifies the refresh rate in seconds. The default is 2 seconds.
-sf <SSM_refresh_rate>, --ssms-refresh-rate <SSM_refresh_rate> Specifies the SSM query timeout in seconds. The default is 60 seconds.
-v6, --ipv6 Shows drop statistics for IPv6 traffic.
-le, --local-export Exports drop statistics for the local member in JSON format.
-e, --global-export Exports drop statistics for all members in JSON format.
-dm, --detailed-members Shows drop statistics for each member in addition to the total drop statistics.
-ds, --detailed-securexl Shows detailed drop statistics for SecureXL.
-r, --reset Resets statistics to 0 before collecting data.
Note:
• Drop statistics are reset for CoreXL, PSL, SecureXL, and backplane interfaces.
• Drop statistics for SSMs are not reset.
-s, --include-ssms-stats Shows drop statistics for local SSMs only. Only data links, management links, and downlinks are supported.


Example 1 - Default output


# asg_drop_monitor
2019-06-26 10:36:56

Dropped packets statistics of network interfaces, CoreXL, SecureXL and PSL


+----------+------------------+-------+
| Category | Statistics | Total |
+----------+------------------+-------+
+----------+------------------+-------+
| | RX Dropped | 0 |
| NIC | TX Dropped | 0 |
| | Qdisc Dropped | 0 |
+----------+------------------+-------+
| | Outbound Dropped | 0 |
| CoreXL | Inbound Dropped | 0 |
| | F2P Dropped | 0 |
+----------+------------------+-------+
| | Total Dropped | 0 |
| PSL | UDP Dropped | 0 |
| | Rejected | 0 |
+----------+------------------+-------+
| SecureXL | Total drops | 0 |
+----------+------------------+-------+
* Network drop values presented are for BPEth1,BPEth0 interfaces.

Example 2 - Verbose output


# asg_drop_monitor -v
2019-06-26 10:37:04

Dropped packets statistics of network interfaces, CoreXL, SecureXL and PSL


+----------+----------------------+------+------+-------+
| Category | Statistics | 1_01 | 1_02 | Total |
+----------+----------------------+------+------+-------+
+----------+----------------------+------+------+-------+
| | RX Dropped | 0 | 0 | 0 |
| NIC | TX Dropped | 0 | 0 | 0 |
| | Qdisc Dropped | 0 | 0 | 0 |
+----------+----------------------+------+------+-------+
| | Outbound Dropped | 0 | 0 | 0 |
| CoreXL | Inbound Dropped | 0 | 0 | 0 |
| | F2P Dropped | 0 | 0 | 0 |
+----------+----------------------+------+------+-------+
| | Total Dropped | 0 | 0 | 0 |
| PSL | UDP Dropped | 0 | 0 | 0 |
| | Rejected | 0 | 0 | 0 |
+----------+----------------------+------+------+-------+
| | XMT error | 0 | 0 | 0 |
| | general reason | 0 | 0 | 0 |
| | Syn Defender | 0 | 0 | 0 |
| | Attack mitigation | 0 | 0 | 0 |
| | VPN forwarding | 0 | 0 | 0 |
| | corrupted packet | 0 | 0 | 0 |
| | hl - spoof viol | 0 | 0 | 0 |
| | encrypt failed | 0 | 0 | 0 |
| | cluster error | 0 | 0 | 0 |
| | anti spoofing | 0 | 0 | 0 |
| | monitored spoofed | 0 | 0 | 0 |
| | hl - new conn | 0 | 0 | 0 |
| | hl - TCP viol | 0 | 0 | 0 |
| | F2F not allowed | 0 | 0 | 0 |
| SecureXL | fragment error | 0 | 0 | 0 |
| | Session rate exceed | 0 | 0 | 0 |
| | PXL decision | 0 | 0 | 0 |
| | template quota | 0 | 0 | 0 |
| | drop template | 0 | 0 | 0 |
| | sanity error | 0 | 0 | 0 |
| | outb - no conn | 0 | 0 | 0 |
| | clr pkt on vpn | 0 | 0 | 0 |
| | partial conn | 0 | 0 | 0 |
| | decrypt failed | 0 | 0 | 0 |
| | Connections Limit by | 0 | 0 | 0 |
| | Source IP exceed its | 0 | 0 | 0 |
| | local spoofing | 0 | 0 | 0 |
| | interface down | 0 | 0 | 0 |
+----------+----------------------+------+------+-------+
* Network drop values presented are for BPEth1,BPEth0 interfaces.


Example 3 - Drop statistics for specific members and SSMs


# asg_drop_monitor -m 1_01,1_02 -dm -s
2019-06-26 10:43:47

Dropped packets statistics of network interfaces, CoreXL, SecureXL and PSL


+----------+------------------+------+------+-------+
| Category | Statistics | 1_01 | 1_02 | Total |
+----------+------------------+------+------+-------+
+----------+------------------+------+------+-------+
| | RX Dropped | 0 | 0 | 0 |
| NIC | TX Dropped | 0 | 0 | 0 |
| | Qdisc Dropped | 0 | 0 | 0 |
+----------+------------------+------+------+-------+
| | Outbound Dropped | 0 | 0 | 0 |
| CoreXL | Inbound Dropped | 0 | 0 | 0 |
| | F2P Dropped | 0 | 0 | 0 |
+----------+------------------+------+------+-------+
| | Total Dropped | 0 | 0 | 0 |
| PSL | UDP Dropped | 0 | 0 | 0 |
| | Rejected | 0 | 0 | 0 |
+----------+------------------+------+------+-------+
| SecureXL | Total drops | 0 | 0 | 0 |
+----------+------------------+------+------+-------+
* Network drop values presented are for BPEth1,BPEth0 interfaces.

SSMs drop statistics


+---------+-----+-----------------+----------------+---------------+---------------+
| Chassis | SSM | Output Discards | Input Discards | Input Errors | Output Errors |
+---------+-----+-----------------+----------------+---------------+---------------+
+---------+-----+-----------------+----------------+---------------+---------------+
| 1 | 1 | 0 | 1003268 | 1081 | 0 |
| | 2 | 0 | 9617 | 4 | 0 |
+---------+-----+-----------------+----------------+---------------+---------------+
* SSMs network drop values presented are for data interfaces.


System Monitoring
Use these features to monitor your system status.

Showing System Serial Numbers


Description
These commands show and save serial numbers for Scalable Platform hardware components:
• asg_sgm_serial - Shows serial numbers for SGMs in the UP state that belong to the
Security Group only.
• asg_serial_info - Shows CMM, SSM, and Chassis serial numbers.
The information is saved in the gasginfo archive file.

Syntax
# asg_sgm_serial [-a]
# asg_serial_info [-a]

Parameters
Parameter Description
-a Apply command on all SGMs in the Security Group

Example 1 - asg_sgm_serial:
# asg_sgm_serial
1_01:
Board Serial : AKO0769153
1_02:
Board Serial : AKO0585533
2_01:
Board Serial : AKO0462069
2_02:
Board Serial : AKO0447878

Example 2 - asg_serial_info:
# asg_serial_info
chassis 1 CMM1 serial: 1163978/005
chassis 1 CMM2 serial: 1157482/001
chassis 1 SSM1 serial: 0011140011
chassis 1 SSM2 serial: 0011140012
chassis 1 serial: 1159584/016
chassis 2 CMM1 serial: 1163090/041
chassis 2 CMM2 serial: 1155519/014
chassis 2 SSM1 serial: 0311310621
chassis 2 SSM2 serial: 0311310626
chassis 2 serial: 0831232/001

Note - To show CMM, SSM and Chassis serial numbers, one of the SGMs on each Chassis must be
UP. For example, if no SGM in the UP position is found on Chassis-2, the serial numbers for
components in the Chassis are not shown or saved.


Redirecting Alerts and Logs to External syslog server (asg_syslog)


Description
Use the asg_syslog command to redirect alert messages and firewall logs to remote syslog
servers.
Note - The asg_syslog command is available only in the Expert Mode.
• Configure remote syslog servers to log all alert messages by:
  • IPv4 address
  • Hostname
• Disable/Enable firewall logs to be sent to the Log Server.
  • The Log Server is configured from SmartDashboard:
    Right-click gateway object > Edit > Logs > Additional Logging Configuration.
• Make sure the configuration is consistent on all SGMs.
• Recover configuration on all the SGMs by forcing the current SGM configuration on all SGMs.

Syntax
# asg_syslog {verify | print [ -v ] | recover}

Parameters
Parameter Description
verify Verify configuration consistency on all SGMs
print [-v] Print remote syslog servers configuration
-v - Verbose Mode
recover Recover configuration files on all SGMs and restart syslog service

Example 1:
# asg_syslog verify
------------------------------------------------------------------
|Service |Path |Result |
------------------------------------------------------------------
|CPLog |/etc/syslog_servers_list.conf |Passed |
------------------------------------------------------------------
|Alert |/etc/syslog.conf |Passed |
------------------------------------------------------------------

Note - Configuration files on all SGMs are identical.

Example 2:
# asg_syslog print
---------------------------------------
|Service |Server IP |Status |
----------------------------------------
|alert |5.5.5.5 |disable |
----------------------------------------
|alert |6.6.6.6 |enable |
----------------------------------------
* Firewall logging is disabled


Syntax to configure remote syslog servers for alerts:
# asg_syslog {disable | enable | set | delete} alert {<ip> | <host_name>}

Syntax to configure remote syslog server for firewall logs:
# asg_syslog {disable | enable | set [-s <status>] | delete} cplog {<ip> | <host_name>}

Note - When you configure alert syslog servers, the syslog service restarts on all SGMs.

Parameters

Parameter Description
set Set remote syslog server
-s <status> Set connection status
Valid values:
• enable
• disable
disable Disable firewall logs and alerts to be sent to a remote syslog
server defined by IP address or host name.
Note - This does not remove the configuration. You can enable it
again using enable
enable Enable firewall logs and alerts to be sent to a remote syslog server
defined by IP address or host name.
You can use this parameter after the remote server has been
configured.
delete Delete the remote syslog server
<ip>|<host_name> IPv4 address or hostname of the remote syslog server.

Example 1
# asg_syslog set alert 5.5.5.5
Writing new configuration
Updating all SGMs with new configuration
Restarting syslog service on all SGMs
syslog alert server 5.5.5.5 configured successfully
----------------------------------------
|Service |Server IP |Status |
----------------------------------------
|alert |5.5.5.5 |enable |
----------------------------------------
Firewall logging is disabled

Example 2
# asg_syslog disable alert 5.5.5.5
Updating all SGMs with new configuration
Restarting syslog service on all SGMs
syslog alert server 5.5.5.5 status changed to disable

----------------------------------------
|Service |Server IP |Status |
----------------------------------------
|alert |5.5.5.5 |disable |
----------------------------------------
* Firewall logging is disabled


Example 3
# asg_syslog set cplog 6.6.6.6 -s disable
Writing new configuration
Updating all SGMs with new configuration
syslog cplog server 6.6.6.6 configured successfully

----------------------------------------
|Service |Server IP |Status |
----------------------------------------
|alert |5.5.5.5 |disable |
----------------------------------------
|cplog |6.6.6.6 |disable |
----------------------------------------
* Firewall logging is disabled

Syntax to disable or enable firewall logs to be sent to the firewall Log Server:
# asg_syslog {disable | enable} log_server

Parameters
Parameter Description
disable Disable sending firewall logs to the Log Server.
The Log Server is configured in SmartDashboard.
enable Enable sending firewall logs to the Log Server.
The Log Server is configured in SmartDashboard.

Example
# asg_syslog disable log_server
# asg_syslog print -v

-------------------------------------------------------------------------------------
|Service |Server IP |Port |Protocol# |RFC version |Status |
-------------------------------------------------------------------------------------
* Firewall logging is disabled


Log Server Distribution (asg_log_servers)


Description
In SmartDashboard, you can configure multiple log servers for each gateway object. In this
environment, the gateway sends its logs to all of its configured log servers. If the gateway object is
a Scalable Platform that consists of many SGMs, each SGM sends its logs to all log servers in the
configuration. To reduce the load on the log servers, use asg_log_servers to enable log
distribution (load sharing).
When enabled, each SGM sends its logs to one log server only. The Scalable Platform
automatically decides which log server is assigned to which SGM. This cannot be defined by the
user.

Syntax to configure the log server:


> asg_log_servers

Example output:
+-------------------------------------------------+
| Log Servers Distribution |
+-------------------------------------------------+
Log Servers Distribution Mode: Disabled

Available Log Servers:


* logServer
* Gaia
* LogServer2

Logs will be sent to all available servers.

Choose one of the following options:


------------------------------------
1) Configure Log Servers Distribution mode
2) Exit

>1
+-------------------------------------------------+
| Log Servers Distribution |
+-------------------------------------------------+

Log Servers Distribution Mode: Disabled

Choose the desired option:


--------------------------
1) Enable Log Servers Distribution mode
2) Disable Log Servers Distribution mode
3) Back

If Log Server distribution is already enabled, the command shows which Log Servers are assigned
to each SGM:
+-------------------------------------------------+
| Log Servers Distribution |
+-------------------------------------------------+

Log Servers Distribution Mode: Enabled

Available Log Servers:


* LogServer
* Gaia
* LogServer2

Log Servers Distribution:

+--------------------------------------------------------------+
| Blade id | Chassis 1 | Chassis 2 |
|--------------------------------------------------------------|
| 1 | Gaia | Gaia |
| 2 | LogServer2 | LogServer2 |
| 3 | LogServer | LogServer |


| 4 | Gaia | - |
| 5 | - | - |
| 6 | LogServer | - |
| 7 | - | Gaia |
| 8 | - | LogServer2 |
| 9 | LogServer | LogServer |
| 10 | Gaia | - |
| 11 | LogServer2 | - |
| 12 | - | - |
+--------------------------------------------------------------+

("-" - Blade is not in Security Group)

Choose one of the following options:


------------------------------------
1) Configure Log Servers Distribution mode
2) Exit

Note - You cannot configure an SGM to send its logs to a particular log server. Distribution takes
place automatically.

Configuring a Dedicated Logging Port


The Scalable Platform logging mechanism lets each SGM forward logs directly to a logging server
over the SSM's management ports. However, the SSM's management ports can experience a high
load when SGMs generate a large number of logs.
To reduce the load on the SSM management ports:
1. Configure a dedicated SSM port for logging
2. Configure the Scalable Platform to send the logs to the dedicated Log Server

To configure a dedicated SSM port for logging:


1. Install a dedicated Log Server with two physical interfaces:
• One physical interface connects to the Management Server.
• One physical interface connects to a management port on the SSM.
2. In SmartDashboard, create the corresponding object for the Log Server and establish SIC with
it.
3. Connect the Log Server directly to a management port on the SSM.
Important - Do not use the same port on the SSM, to which the Management Server connects.


4. In gClish, configure the SSM port, to which the Log Server connects:
> set interface <if_name> ipv4-address <ip> mask-length <length>

Parameters
Parameter Description
<if_name> The interface that connects directly to the log server
<ip> IPv4 address of the logging server
<length> Subnet mask length
Example
> set interface eth1-Mgmt2 ipv4-address 2.2.2.10 mask-length 24
1_01:
success

1_02:
success

1_03:
success

2_01:
success

2_02:
success

2_03:
success

>

Notes:
• Each SGM uses the interface eth1-Mgmt2 as a dedicated logging interface.
• 2.2.2.0/24 is the dedicated logging network.

To configure the Scalable Platform to send the logs to the dedicated Log Server
1. In SmartDashboard, open the Single Management Object (SMO) for the Scalable Platform.
2. From the left tree, click Logs and Masters > Log Servers.
3. Select Define Log Servers.
4. Select the dedicated Log Server object.
5. Click OK.
6. Install the policy on the SMO.
Note - The SMO in SmartDashboard makes sure that return traffic from the Log Server reaches
the correct SGM.


Command Auditing (asg log audit)


Use command auditing to:
• Notify users about critical actions they are about to perform
• Obtain confirmation for critical actions
• Create forensic logs
When a user confirms the action, they must enter their full name and a reason for running
the command.
If the command affects a critical device or process (pnote), a second confirmation can be
required.
For example, if you use administrative privileges to change the state of an SGM to DOWN, the
output looks like this:
# asg_sgm_admin -b 2_01 down
You are about to perform sgm_admin down on blades: 2_01

Are you sure? (y — yes, any other key — no) y

sgm_admin down requires auditing


Enter your full name: John Smith
Enter reason for sgm_admin down [Maintenance]:
WARNING: sgm_admin down on SGM: 2_01, User: John Smith, Reason: Maintenance

To see the audit logs, run: # asg log audit

Example:
# asg log audit
Aug 11 14:14:21 2_01 WARNING: Chassis admin-state up on chassis: 1, User:
susan, Reason: Maintenance
Aug 11 16:45:15 2_01 WARNING: Reboot on blades:
1_01,1_02,1_03,1_04,1_05,2_02,2_03,2_04,2_05, User: susan, Reason:
Maintenance
Aug 18 14:28:57 2_01 WARNING: Chassis admin-state down on chassis: 2, User:
susan, Reason: Maintenance
Aug 18 14:31:08 2_01 WARNING: Chassis admin-state up on chassis: 1, User:
Peter, Reason: Maintenance
Aug 18 14:32:32 2_01 WARNING: Chassis admin-state down on chassis: 2, User:
O, Reason: Maintenance
Aug 20 15:38:58 2_01 WARNING: Blade_admin down on blades:
2_02,2_03,2_04,2_05, User: Paul, Reason: Maintenance
Aug 21 10:00:05 2_01 CRITICAL: Reboot on blades: all, user: ms, Reason:
Maintenance
#


Showing the Scalable Platform Version (ver)


Description
Use this command to show the Scalable Platform version. For a list of official Scalable Platform
versions, see the R76SP.50 Scalable Platform home page
http://supportcontent.checkpoint.com/solutions?id=skTBD.

Syntax
> ver

Example output for a 61000 Security System:


1_01:
Product version Check Point 61000 R76
OS build 106
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit

Example output for a 41000 Security System:


1_04:
Product version Check Point Gaia 41000 R76
OS build 105
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit


Viewing the Audit Log File (show smo log auditlog)


Description
Use the show smo log auditlog command in gClish to see the contents of the auditlog
file.
This log file contains an entry for each change made to the SGM configuration database with
gClish or other commands.
The auditlog file for each SGM is located in the /var/log/ directory.
The log contains two types of activities:
• Permanent - The activity permanently changes the configuration database on the SGM hard
disk.
• Transient - The activity changes the configuration database in SGM memory only, so the
change does not survive a reboot.

Syntax
> show smo log auditlog [filter <string>] [from [<n>]] [to [<n>]] [tail [<x>]]

Parameters
Parameter Description
filter <string> Specifies a word or phrase to filter the output by.
from <n> Shows logs filtered by time range (number of seconds).
to <n> Shows logs filtered by time range (number of seconds).
tail <x> Shows only the last x lines of the log file for each SGM.
For example, tail 3 shows only the last three lines of the
specified log file. Default = 10 lines.

Notes:
• p + = Permanent action that added or changed an item in the configuration database
• p - = Permanent action that deleted an item in the configuration database
• t + = Transient action that added or changed an item in the configuration database in memory
only
• t - = Transient action that deleted an item in the configuration database in memory only

Example filter
This example shows only permanent configuration save actions.
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > show smo log auditlog filter update_status
Oct 19 03:19:30 1_02 admin localhost p +installer:update_status -1
Oct 19 03:19:32 1_02 admin localhost p -installer:update_status -1
Oct 19 03:19:32 1_02 admin localhost p +installer:update_status 0
Oct 19 03:19:45 1_06 admin localhost p +installer:update_status -1
Oct 19 03:19:46 1_06 admin localhost p -installer:update_status -1
Oct 19 03:19:46 1_06 admin localhost p +installer:update_status 0
Oct 19 03:20:00 1_07 admin localhost p +installer:update_status -1
Oct 19 03:20:01 1_07 admin localhost p -installer:update_status -1
[Global] MyChassis-ch01-01 >
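
A parser for this line format, added here as an example and not Check Point code: parse_auditlog splits each line into SGM, user, host, the p/t scope and the +/- operation described in the Notes above, filter_entries mirrors the filter <string> behaviour, tail_per_sgm mirrors tail <x> per SGM, and permanent_deletions_by_user counts the "p -" lines that remove items from the on-disk database. The function names are assumed, the line layout is taken from the output above, and the final "t" line in the sample is constructed.

```python
import re
from dataclasses import dataclass

# Line shape assumed from the guide's output:
# <Mon> <day> <hh:mm:ss> <SGM> <user> <host> <p|t> <+|-><item> [<value>]
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<sgm>\d+_\d+) (?P<user>\S+) (?P<host>\S+) "
    r"(?P<kind>[pt]) (?P<op>[+-])(?P<item>\S+)(?: (?P<value>.*))?$")


@dataclass
class AuditEntry:
    raw: str
    stamp: str
    sgm: str
    user: str
    host: str
    permanent: bool        # p = changes the database on the SGM hard disk; t = memory only
    deleted: bool          # '-' = item deleted; '+' = item added or changed
    item: str
    value: str             # None when the line carries no value


def parse_auditlog(text):
    """Parse 'show smo log auditlog' output, skipping gClish prompt lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised auditlog line: {line}")
        entries.append(AuditEntry(line, m["stamp"], m["sgm"], m["user"], m["host"],
                                  m["kind"] == "p", m["op"] == "-", m["item"], m["value"]))
    return entries


def filter_entries(entries, substring=None, permanent=None, deleted=None):
    """Mirror 'filter <string>' (substring of the whole line) plus scope/operation filters."""
    return [e for e in entries
            if (substring is None or substring in e.raw)
            and (permanent is None or e.permanent == permanent)
            and (deleted is None or e.deleted == deleted)]


def tail_per_sgm(entries, x=10):
    """Last x entries for each SGM, as 'tail <x>' does (default 10)."""
    per_sgm = {}
    for e in entries:
        per_sgm.setdefault(e.sgm, []).append(e)
    return {sgm: lst[-x:] for sgm, lst in per_sgm.items()}


def permanent_deletions_by_user(entries):
    """Count 'p -' lines per user: on-disk configuration items removed, worth reviewing."""
    counts = {}
    for e in entries:
        if e.permanent and e.deleted:
            counts[e.user] = counts.get(e.user, 0) + 1
    return counts


# The guide's example lines plus one constructed transient ('t') line
SAMPLE_LOG = """\
Oct 19 03:19:30 1_02 admin localhost p +installer:update_status -1
Oct 19 03:19:32 1_02 admin localhost p -installer:update_status -1
Oct 19 03:19:32 1_02 admin localhost p +installer:update_status 0
Oct 19 03:19:45 1_06 admin localhost p +installer:update_status -1
Oct 19 03:19:46 1_06 admin localhost p -installer:update_status -1
Oct 19 03:19:46 1_06 admin localhost p +installer:update_status 0
Oct 19 03:20:00 1_07 admin localhost p +installer:update_status -1
Oct 19 03:20:01 1_07 admin localhost p -installer:update_status -1
Oct 19 03:21:10 1_02 admin localhost t +sample:transient_item 1
[Global] MyChassis-ch01-01 >
"""
```
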


Working with the Firewall Database Configuration (asg config)


Description
Use this command to show the newest firewall database configuration.
You can also save the newest configuration to a file.
The output and saved file include configuration information for all SGMs.
The asg config command is useful to:
• Copy the firewall configuration to a different system. For example, you can use the saved
configuration from an existing Scalable Platform to set up the new Scalable Platform.
• Quickly re-configure a system that was reverted to factory defaults. Before reverting to the
factory default image, save the existing configuration. Then use it to override the factory
settings.

Syntax
> asg config {show | save} [-t] [<file_path>]

Parameters
Parameter Description
show Show the existing database configuration
save Save the current configuration to a file
Note: If you do not include a path, the file is saved to: /home/admin
-t Add a timestamp to the file name. (save only)
<file_path> Name and path of the saved configuration file. If you do not enter a
path, the configuration is saved to: /home/admin

Example
> asg config save -t myconfig

This example saves the current configuration to: /home/admin/myconfig


Showing Software and Firmware Versions (asg_version)


Description
Use the asg_version command in gClish or Expert mode to:
• Retrieve system configuration
• Retrieve software versions:
• Check Point software (Firewall and SecureXL versions)
• Firmware versions for SGMs, SSMs, and CMMs
• Make sure that system hardware components are running approved software and firmware
versions

Syntax
> asg_version -h
> asg_version [verify] [-v] [-i] [-b <SGM_IDs>]

Parameters
Parameter Description
-h Shows the built-in help.
verify Makes sure that system hardware components run approved software and
firmware versions.
-i Shows Active and Standby SGMs.
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
-v Shows verbose version information.

Showing a List of Two SGMs


Example:
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg_version -b 1_01,1_03
SGMs
======

----------
-*- 2 SGMs: 1_01 1_03 -*-
OS build 42, OS kernel version 2.6.18-92cpx86_64, OS edition 64-bit

Hardware
--------
-*- 1 blade: 1_01 -*-
BIOS: 1.30 BL: 1.52 IPMC: 1.52 FPGA: 2.40 FPGARE: 2.40
-*- 1 blade: 1_03 -*-
BIOS: 0.54 BL: 1.42 IPMC: 1.42 FPGA: 2.38 FPGARE: 2.38

OS version
----------
BIOS: 0.54 BL: 1.42 IPMC: 1.42 FPGA: 2.38 FPGARE: 2.
[Global] MyChassis-ch01-01 >

Showing Verbose Mode


Example:
> asg_version -v

+----------------------------------------------------------------------------+
| Hardware Versions |
+----------------------------------------------------------------------------+
| Component | Type | Configuration | Firmware |
+----------------------------------------------------------------------------+
| Chassis 2 |
+----------------------------------------------------------------------------+
| SSM1 | SSM160 | N/A | 2.4.C7 |
| SSM2 | N/A | N/A | N/A |
| CMM | N/A | N/A | 2.83 |
+----------------------------------------------------------------------------+

SGMs
======
Type
----------
-*- 2 blades: 2_02 2_03 -*-
SGM220

OS version
----------
-*- 2 blades: 2_02 2_03 -*-
OS build 80, OS kernel version 2.6.18-92cpx86_64, OS edition 64-bit

FireWall-1 version
------------------
-*- 2 blades: 2_02 2_03 -*-
This is Check Point VPN-1(TM) & FireWall-1(R) 61000_R76 - Build 083
kernel: 61000_R76 - Build 083

Performance Pack version
------------------------
-*- 2 blades: 2_02 2_03 -*-
This is Check Point Performance Pack version: 61000_R76 - Build 083
Kernel version: 61000_R76 - Build 083

Hardware
--------
-*- 1 blade: 2_02 -*-
BIOS: 1.30 BL: 1.42 IPMC: 1.52 FPGA: 2.40 FPGARE: 2.40
-*- 1 blade: 2_03 -*-
BIOS: 1.30 BL: 1.52 IPMC: 1.54 FPGA: 2.40 FPGARE: 2.40

SSD
---
-*- 1 blade: 2_02 -*-
Firmware Version: 2CV102M3
-*- 1 blade: 2_03 -*-
Firmware Version: 4PC10362

Number of cores
---------------
-*- 1 blade: 2_02 -*-
8
-*- 1 blade: 2_03 -*-
12

Number of CoreXL instances
--------------------------
-*- 2 blades: 2_02 2_03 -*-
4

CPUs frequency
--------------
-*- 1 blade: 2_02 -*-
2.13GHz
-*- 1 blade: 2_03 -*-
2.4GHz


Showing System Messages


Description
Use the show smo log command to show the output of log files aggregated from all SGMs.
The output is shown in chronological order.
Each line shows the SGM that created the log entry.

Syntax
> show smo log <log file> [filter <string>] [from <date>] [to <date>] [tail <n>]

Parameters
Parameter Description
tail <n> Show only the last n lines of the log file for each SGM.
For example, tail 3 shows only the last three lines of the specified log file.
filter <string> Word or phrase to use as an output filter.
For example, filter ospf shows only OSPF messages.
from <date> Shows only the log entries from the given date onward.
to <date> Shows only the log entries up to the given date.
<log file> Name of the common log file, or the full path of the file.

Example:
This example shows messages on Chassis1 containing the word Restarted:
> show smo log messages filter Restarted
Feb 5 12:40:07 1_03 Athens-ch01-03 pm[8465]: Restarted /bin/routed[8489], count=1
Feb 5 12:40:09 1_04 Athens-ch01-04 pm[8449]: Restarted /bin/routed[9995], count=1
Feb 5 12:40:09 1_04 Athens-ch01-04 pm[8449]: Restarted /opt/CPsuite-R76/fw1/bin/cmd[11291], count=1
Feb 5 12:40:09 1_04 Athens-ch01-04 pm[8449]: Restarted /usr/libexec/gexecd[11292], count=1
Feb 5 12:40:10 1_03 Athens-ch01-03 pm[8465]: Restarted /usr/libexec/gexecd[9701], count=1
Feb 5 12:40:10 1_03 Athens-ch01-03 pm[8465]: Restarted /bin/routed[11328], count=2
Feb 5 12:40:10 1_05 Athens-ch01-05 pm[8458]: Restarted /bin/routed[9734], count=1
Feb 5 12:40:10 1_05 Athens-ch01-05 pm[8458]: Restarted /usr/libexec/gexecd[11331], count=1
Feb 5 12:40:11 1_01 Athens-ch01-01 pm[8463]: Restarted /bin/routed[12253], count=3
Feb 5 12:40:11 1_04 Athens-ch01-04 pm[8449]: Restarted /bin/routed[11378], count=2
Feb 5 12:40:11 1_04 Athens-ch01-04 pm[8449]: Restarted /opt/CPsuite-R76/fw1/bin/cmd[11379], count=2


Viewing a Log File (asg log)


Description
Use the asg log command to see the contents of a specified log file.

Syntax
> asg log [-b <SGM_IDs>] <log_name> [-tail [<n>]] [-f <filter>]

Parameters
Parameter Description
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
<log_name> Enter the log file:
• audit - shows the audit logs in /var/log/
For example: /var/log/asgaudit.log.1
• ports - shows the ports logs in /var/log/
For example: /var/log/ports
• dist_mode - shows the logs for Distribution Mode activity.
-tail [<n>] Show only the last n lines of the log file for each SGM. For example, -tail
3 shows only the last three lines of the specified log file. Default = 10 lines.
-f <filter> Word or phrase to use as a filter. For example: -f debug

Example - Audit logs:

> asg log audit
Feb 02 17:36:12 1_01 WARNING: Blade_admin up on blades: 1_02,1_03,1_04,1_05,2_01,2_02,2_03,2_04,2_05, User: y, Reason: y
Feb 03 08:16:17 1_01 WARNING: Blade_admin down on blades: 1_02,1_03,1_04,1_05,2_01,2_02,2_03,2_04,2_05, User: y, Reason: y
Feb 03 08:17:40 1_01 WARNING: Blade_admin up on blades: 1_02,1_03,1_04,1_05,2_01,2_02,2_03,2_04,2_05, User: y, Reason: y
Feb 03 08:19:53 1_01 WARNING: Blade_admin down on blades: 1_02,1_03,1_04,1_05,2_01,2_02,2_03,2_04,2_05, User: y, Reason: y
Feb 03 08:22:33 1_01 WARNING: Blade_admin up on blades: 1_02,1_03,1_04,1_05,2_01,2_02,2_03,2_04,2_05, User: y, Reason: y
Feb 03 08:23:30 1_01 WARNING: Reboot on blades: 1_02,1_03,1_04,1_05,2_01,2_02,2_03,2_04_05, User: y, Reason: y
Feb 03 08:38:16 1_01 WARNING: Reboot on blades: 1_02,1_03,1_04,1_05,2_01,2_02,2_03,2_04,2_05, User: y, Reason: y
Feb 03 09:21:09 1_01 WARNING: Reboot on blades: 1_02,1_03,1_04,1_05,2_01,2_02,2_03,2_04,2_05, User: y, Reason: y
Feb 03 11:07:08 1_01 WARNING: Reboot on blades: 1_02,1_03,1_04,1_05,2_01,2_02,2_03,2_04,2_05, User: y, Reason: y
Feb 03 11:16:56 1_01 WARNING: Reset sic on blades: all, User: y, Reason: y
Feb 03 11:33:10 1_01 WARNING: Reset sic on blades: all, User: y, Reason: y
Feb 03 11:50:08 1_01 WARNING: Reset sic on blades: all, User: y, Reason: y
Feb 03 13:32:32 1_01 WARNING: Reset sic on blades: all, User: y, Reason: y
Feb 03 14:30:26 1_01 WARNING: Reset sic on blades: all, User: johndoe, Reason: test
Feb 03 14:48:03 1_01 WARNING: Reset sic on blades: all, User: johndoe, Reason: test
Feb 03 15:34:11 1_01 WARNING: Reset sic on blades: all, User: y, Reason: y
Feb 03 17:55:23 1_01 WARNING: Reboot on blades: 1_02,1_03,1_04,1_05,2_01,2_02,2_03,2_04,2_05, User: y, Reason: y
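The audit log above records the privileged actions on the SGMs (Reboot, Reset sic, Blade_admin down), and most of its entries carry placeholder values in the User and Reason fields, which makes the trail hard to use in an investigation. The Python below is an added example, not code from the guide or from Check Point: it parses lines in that format, counts the actions, and reports the sensitive actions whose justification is a placeholder. The sample lines, the list of sensitive actions and the minimum reason length are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the 'asg log audit' output above.
SAMPLE_AUDIT_LOG = """\
Feb 03 08:16:17 1_01 WARNING: Blade_admin down on blades: 1_02,1_03,1_04,1_05, User: y, Reason: y
Feb 03 08:23:30 1_01 WARNING: Reboot on blades: 1_02,1_03,1_04,1_05, User: y, Reason: y
Feb 03 11:16:56 1_01 WARNING: Reset sic on blades: all, User: y, Reason: y
Feb 03 14:30:26 1_01 WARNING: Reset sic on blades: all, User: johndoe, Reason: test
Feb 03 17:55:23 1_01 WARNING: Reboot on blades: 1_02,1_03, User: johndoe, Reason: planned maintenance window
"""

# One audit line: timestamp, reporting SGM, action, blade list, user and free-text reason.
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<sgm>\d+_\d+) WARNING: "
    r"(?P<action>.+?) on blades: (?P<blades>.+?), User: (?P<user>.*?), Reason: (?P<reason>.*)$"
)

# Actions that change the availability or trust state of SGMs (assumed list).
SENSITIVE_ACTIONS = ("Reboot", "Reset sic", "Blade_admin down")
# Reasons shorter than this are treated as placeholders (assumed threshold).
MIN_REASON_LEN = 8


def parse_audit_line(line):
    """Return a dict for one audit line, or None if the line is not in audit format."""
    match = AUDIT_RE.match(line.strip())
    if not match:
        return None
    entry = match.groupdict()
    blades = entry["blades"].strip().rstrip(",")
    entry["blades"] = ["all"] if blades == "all" else [b for b in blades.split(",") if b]
    return entry


def is_weak_justification(entry):
    """True when the User or Reason field looks like a placeholder rather than a real record."""
    return len(entry["user"].strip()) < 2 or len(entry["reason"].strip()) < MIN_REASON_LEN


def audit_report(text):
    """Parse an audit log and summarise sensitive actions with weak justification."""
    entries = [e for e in map(parse_audit_line, text.splitlines()) if e]
    actions = Counter(e["action"] for e in entries)
    weak = [e for e in entries
            if e["action"].startswith(SENSITIVE_ACTIONS) and is_weak_justification(e)]
    return {"entries": len(entries), "actions": dict(actions), "weak": weak}


if __name__ == "__main__":
    report = audit_report(SAMPLE_AUDIT_LOG)
    print(f"{report['entries']} audit entries, actions: {report['actions']}")
    for e in report["weak"]:
        print(f"{e['ts']} {e['action']} on {','.join(e['blades'])}: "
              f"user={e['user']!r} reason={e['reason']!r} (weak justification)")
```

Feed it the output of asg log audit collected from the SGMs; the entries it flags are the ones where the operator record cannot say who rebooted or reset SIC on which blades and why.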

Example - Port logs (last 12 lines):


> asg log ports -tail 12
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-09 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-10 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-11 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-12 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-13 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-14 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-15 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-16 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-Mgmt1 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-Mgmt2 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-Mgmt3 link is down
Feb 3 18:01:40 2_05 Athens-ch02-05 cmd: Chassis 2 eth2-Mgmt4 link is down

Example - Using a filter:


> asg log -b 1_01,1_04 dist_mode -f bridge
Feb 2 18:10:30 1_01 Athens-ch01-01 distutil:0: initialize_environment: vs-ids-bridges = 4
Feb 2 18:10:30 1_01 Athens-ch01-01 distutil:0: initialize_environment: vs-ids-vsbridges = 4
Feb 2 18:12:31 1_01 Athens-ch01-01 distutil:0: initialize_environment: vs-ids-bridges = 4
Feb 2 18:12:31 1_01 Athens-ch01-01 distutil:0: initialize_environment: vs-ids-vsbridges = 4
Feb 2 18:14:14 1_01 Athens-ch01-01 distutil:0: initialize_environment: vs-ids-bridges = 4
Feb 2 18:14:14 1_01 Athens-ch01-01 distutil:0: initialize_environment: vs-ids-vsbridges = 4
Feb 2 18:14:30 1_01 Athens-ch01-01 distutil:0: initialize_environment: vs-ids-bridges = 4
Feb 2 18:14:30 1_01 Athens-ch01-01 distutil:0: initialize_environment: vs-ids-vsbridges = 4
Feb 2 18:16:19 1_01 Athens-ch01-01 distutil:0: initialize_environment: vs-ids-bridges = 4


Monitoring Virtual Systems (cpha_vsx_util monitor)


Description
Use the cpha_vsx_util monitor command in the Expert mode to stop or start monitoring of
Virtual Systems.
The state of the SGM is not affected by an unmonitored Virtual System. For example, an
unmonitored Virtual System in problem state (pnote) is ignored, and the SGM state does not change
to DOWN.
Not monitoring a Virtual System is useful if you want the SGM to stay UP even when a specific
Virtual System is DOWN or does not have a Policy (for example, after you unload the local policy).

Syntax
# cpha_vsx_util monitor show
# cpha_vsx_util monitor {start | stop} <VS_IDs>

Parameters
Parameter Description
show Show all unmonitored Virtual Systems.
stop Stop monitoring the Virtual Systems.
start Start monitoring the Virtual Systems.
<VS_IDs> <VS_IDs> can be:
• No <VS_IDs> (default) - Uses the current Virtual System context
• One Virtual System
• A comma-separated list of Virtual Systems (1, 2, 4, 5)
• A range of Virtual Systems (VS 3-5)
• all - Shows all Virtual Systems
Note - This parameter is only applicable in a VSX environment.

Note - When you stop Virtual System monitoring, you must run the cpha_vsx_util monitor
start command to start it again. Monitoring does not start automatically after reboot.


Working with SNMP


You can use SNMP to monitor different aspects of the 60000/40000 Security System, including:
• Software versions
• Hardware status
• Key performance indicators
• Chassis high availability status
To monitor the system using SNMP, upload the Check Point MIB to your third-party SNMP
monitoring software. The SNMP MIB is located on each SGM in:
$CPDIR/lib/snmp/chkpnt.mib
To monitor Scalable Platforms, the supported OIDs are in
iso.org.dod.internet.private.enterprise.checkpoint.products.asg (OID 1.3.6.1.4.1.2620.1.48).
To enable the SNMP agent on the 60000/40000 Security System, run in gClish:
> set snmp agent on

SNMP Traps
The 60000/40000 Security System supports this SNMP trap only:
iso.org.dod.internet.private.enterprise.checkpoint.products.asgTrap
(OID 1.3.6.1.4.1.2620.1.2001)

The SNMP traps MIB is located on each SGM in:
$CPDIR/lib/snmp/chkpnt-trap.mib
Note - The set snmp traps command is not supported. You must use the asg alert
configuration wizard for this purpose.
See Configuring Alerts for SGM and Chassis Events (on page 164), to learn more about SNMP.

SNMP in a VSX Gateway


There are two SNMP modes for a Scalable Platform configured as a VSX Gateway:
• Default - Monitors global SNMP data from the Scalable Platform. Data is accumulated from all
SGMs for all Virtual Systems.
• Virtual Systems Mode - Monitors each Virtual System separately.
Note - SNMP traps are supported for VS0 only.

Supported SNMP Versions


The SNMP Virtual Systems Mode uses SNMP version 3 to query the Virtual Systems. You can run
remote SNMP queries on each Virtual System in the VSX Gateway.
For systems that only support SNMP versions 1 and 2:
• You cannot run remote SNMP queries for each Virtual System. You can only run a remote
SNMP query on VS0.
• You can use gClish to change the Virtual System context and then run a local SNMP query on
it.


Enabling the SNMP Virtual System Mode


To use SNMP for each Virtual System:
• Configure an SNMP v3 user:
> add snmp usm user johndoe security-level authNoPriv authpass-phrase VALUE
• Set the SNMP mode to work per Virtual System:
> set snmp mode vs
• Start the SNMP agent:
> set snmp agent on
Notes:
• To run SNMP queries per Virtual System, add this flag: -n ctxname_vsid<VSID>
• For VS0, use the regular syntax without the '-n ctxname_vsid<VSID>' flag

To see Virtual System throughput from a Linux host:


For non-VS0:
# snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -n ctxname_vsid1 -v 3 -l authNoPriv -u johndoe -A mypassword 192.0.2.72 asgThroughput

For VS0:
# snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -v 3 -l authNoPriv -u johndoe -A mypassword 192.0.2.72 asgThroughput

To query Virtual System throughput, from its context:


1. Go to Expert Mode.
2. Change to the applicable Virtual System:
# vsenv <VS_ID>
3. Run:
# snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -v 2c -c public localhost asgThroughput


Common SNMP OIDs


This table shows frequently used SNMP OIDs that are applicable to the Scalable Platform.
Note - <IPver_index> = 20 for IPv4 or 21 for IPv6

Name                                                   Type    OID                                        Comments
System Throughput                                      String  1.3.6.1.4.1.2620.1.48.<IPver_index>.1
System Connection Rate (cps)                           String  1.3.6.1.4.1.2620.1.48.<IPver_index>.2
System Packet Rate (pps)                               String  1.3.6.1.4.1.2620.1.48.<IPver_index>.3
System Concurrent conn.                                String  1.3.6.1.4.1.2620.1.48.<IPver_index>.4
System Accelerated cps                                 String  1.3.6.1.4.1.2620.1.48.<IPver_index>.6
System non-accelerated cps                             String  1.3.6.1.4.1.2620.1.48.<IPver_index>.7
System Accelerated Concurrent conn.                    String  1.3.6.1.4.1.2620.1.48.<IPver_index>.8
System Non-accelerated concurrent conn.                String  1.3.6.1.4.1.2620.1.48.<IPver_index>.9
System CPU load AVG.                                   String  1.3.6.1.4.1.2620.1.48.<IPver_index>.10
System Acceleration CPU load AVG                       String  1.3.6.1.4.1.2620.1.48.<IPver_index>.11
System FW instances load AVG                           String  1.3.6.1.4.1.2620.1.48.<IPver_index>.14
System VPN Throughput                                  String  1.3.6.1.4.1.2620.1.48.<IPver_index>.17
System Path distribution (fast, medium, slow, drops)   Table   1.3.6.1.4.1.2620.1.48.<IPver_index>.24    Path distribution of: Throughput, PPS, CPS, Concurrent conn
Per SGM counters                                       Table   1.3.6.1.4.1.2620.1.48.<IPver_index>.25    Counters of: Throughput, cps, pps, concurrent conn, sxl CPU usage (avg/min/max), fw CPU usage (avg/min/max)
Performance peaks                                      Table   1.3.6.1.4.1.2620.1.48.<IPver_index>.26
Sensors Per Chassis                                    Table   1.3.6.1.4.1.2620.1.48.22.1.1               Status details of: Fans, SSMs, CPU temp, CMM, PSUs, PSU Fans
Resources Per SGM                                      Table   1.3.6.1.4.1.2620.1.48.23                   Memory and HD utilization
CPU Utilization Per SGM                                Table   1.3.6.1.4.1.2620.1.48.29



CHAPTER 6

Working with Active/Standby High Availability
In This Section:
How Active/Standby Works ........................................................................................230
Configuring Active/Standby High Availability ............................................................232
Advanced Features .....................................................................................................236
Working with SyncXL ..................................................................................................240
Setting Admin DOWN on First Join ............................................................................241
Configuring a Unique IP Address For Each Chassis (UIPC) .....................................242
VSX Active/Active Layer 2 Mode .................................................................................244

How Active/Standby Works


Chassis Active/Standby High Availability is based on two fully synchronized Chassis for
redundancy, with seamless failover. The Active Chassis handles all traffic, while the Standby
Chassis is continuously synchronized with the Active Chassis. Traffic continues uninterrupted
during Chassis failover.
This release supports these Active/Standby High Availability modes:

Mode ID Description
0 Active/Standby - Active Up
The currently Active Chassis stays Active unless it goes DOWN, or the Standby
Chassis has a higher Chassis quality grade.
1 Active/Standby - Primary Up Chassis 1
Chassis 1 always stays Active unless it goes DOWN, or the Standby Chassis has a
higher Chassis quality grade.
2 Active/Standby - Primary Up Chassis 2
Chassis 2 is always Active unless it goes DOWN, or the Standby Chassis has a
higher Chassis quality grade.

Syntax
> set chassis high-availability mode <0-4>
0 - No primary Chassis (Active Up Mode)
1 - Chassis 1 is Primary Chassis
2 - Chassis 2 is Primary Chassis
3 - Active Active Mode
4 - Chassis VSLS

Example:
To configure Chassis 2 to be Primary Up:
> set chassis high-availability mode 2



Working with Active/Standby High Availability

To make sure that the most reliable Chassis is always Active, and to prevent unnecessary failover,
the Scalable Platform calculates a quality grade for each Chassis. This is based on continuous
monitoring of critical components and traffic characteristics. Setting the Chassis Weights (on page
232), gives a detailed explanation of the quality grade system.
Chassis High Availability works on the principle that the Chassis with the highest quality grade
becomes the Active Chassis. A configurable minimum grade differential prevents unnecessary
failover, which can cause performance degradation. Automatic failover occurs only when the
Standby Chassis quality grade is greater than the Active Chassis quality grade, plus the minimum
differential. See Setting the Quality Grade Differential (on page 234) for details.
Each Chassis data port has a unique MAC address. The MAC addresses for the Chassis SGMs are
the same. A Chassis failover event sends GARP/ICMPv6 packets to each interface. This informs
the network to use the other interfaces (on page 369).
You can use gClish commands to configure these High Availability parameters:
• Active/Standby Mode (Active UP/Primary UP)
• Chassis quality grade factors
• Failover grade difference for failover
• Failover freeze interval
• Port priority

Synchronizing Clusters on a Wide Area Network


You can install your Chassis at two different remote sites as a geographically distributed cluster.
There are two limitations to this capability:
1. The synchronization network must guarantee no more than 100ms latency and no more than
5% packet loss.
2. The synchronization network can include switches and hubs. Routers cannot be installed on
the synchronization network because they drop Cluster Control Protocol packets.


Configuring Active/Standby High Availability


Use these settings to configure Active/Standby.

Setting Chassis Weights (Chassis High Availability Factors)


Each component in a Chassis has a quality weight factor, which sets its relative importance to
overall Chassis health. For example, ports are more important than fans and are typically
assigned a higher weight value. The Chassis grade is the sum of all component weight values. In a
High Availability environment, the Chassis with the higher grade becomes Active and handles
traffic.
The grade for each component is calculated based on this formula:
(Unit Weight) x (Number of UP components)

To see the weight of each component, run: > asg stat -v

Description
Use the set chassis high-availability factors command to configure a component's
weight.

Syntax
> set chassis high-availability factors sgm <sgm_factor>
> set chassis high-availability factors port {other <port_other_factor> | standard <port_standard_factor> | mgmt <port_mgmt_factor> | bond <port_bond_factor>}
> set chassis high-availability factors sensor {cmm <cmm_factor> | fans <fans_factor> | power_supplies <psu_factor> | ssm <ssm_factor>}
> set chassis high-availability factors pnote pingable_hosts <ping_factor>

Parameters
Parameter Description
<sgm_factor> Weight factor for an SGM
Valid range: Integer between 0 and 1000
<port_other_factor> High grade port factor
Valid range: Integer between 0 and 1000
<port_standard_factor> Standard grade port factor
Valid range: Integer between 0 and 1000
<cmm_factor> Weight factor for a CMM
Valid range: Integer between 0 and 1000
<fans_factor> Fan unit factor
Valid range: Integer between 0 and 1000
<psu_factor> Weight factor for a Power Supply Unit
Valid range: Integer between 0 and 1000
<ssm_factor> Weight factor for an SSM
This factor applies to all SSMs
Valid range: Integer between 0 and 1000
<ping_factor> Weight factor for the pingable hosts test, which shows if they are properly connected to their hosts
Valid range: Integer between 0 and 1000
<port_mgmt_factor> Management port factor
Valid range: Integer between 0 and 1000
<port_bond_factor> Bond port factor
Valid range: Integer between 0 and 1000

Examples:
> set chassis high-availability factors sgm 100
> set chassis high-availability factors port other 70
> set chassis high-availability factors port standard 50
> set chassis high-availability factors sensor cmm 40
> set chassis high-availability factors sensor fans 30
> set chassis high-availability factors sensor power_supplies 20
> set chassis high-availability factors sensor ssm 45
> set chassis high-availability factors pnote pingable_hosts 99

Setting the Chassis ID


You must make sure that the Chassis IDs are different before you start to configure the software.
Chassis IDs are configured on the CMM and should be <1> for the first Chassis and <2> for the
second Chassis.
Note - If the Scalable Platform is up and running, change the Chassis ID on the Standby Chassis.
You must perform Chassis failover.

To set the Chassis ID on the 61000 Security System:


1. Remove the top CMM from the Chassis.
2. Log in to the remaining CMM.
3. Connect the serial cable to the console port on the CMM.
4. Connect to the CMM with a terminal emulation application.
5. Make sure that the Speed (baud rate) is set to 9600.
No IP address is necessary.
6. Log in with user name and password: admin/admin
7. In a text editor, open /etc/shmm.cfg
8. Search for and set SHMM_CHASSID= to the correct Chassis ID:
Chassis ID
SHMM_CHASSID=<Chassis_id>
9. Remove the lower CMM, which you just reconfigured, from the Chassis.
10. Insert the top CMM into the Chassis.
11. Do steps 2 - 8 on the top CMM.
12. Remove the top CMM from the Chassis.
13. Insert both CMMs into the Chassis.
14. Attach the correct identification labels to the Chassis and CMMs.


This step is required if the Chassis has already been configured (after the First Time
Configuration Wizard).
15. Remove all SGMs from the Chassis and then reinsert them.
This step causes a hard reboot of the system.

To set the Chassis ID on the 41000 Security System:


1. Remove the right CMM from the Chassis.
2. Log in to the remaining CMM.
3. Connect the serial cable to the console port on the CMM.
4. Connect to the CMM with a terminal emulation application.
5. Make sure that the Speed (baud rate) is set to 9600.
No IP address is necessary.
6. Log in with user name and password: admin/admin
7. Edit the /etc/shmm.cfg file in Vi editor.
Search for and set SHMM_CHASSID= to the correct Chassis ID:
Chassis ID
SHMM_CHASSID=<Chassis_id>
8. Remove the left CMM from the Chassis.
9. Insert the right CMM into the Chassis.
10. Do steps 2 - 8 on the right CMM.
11. Remove the right CMM from the Chassis.
12. Insert both CMMs into the Chassis.
13. Attach the correct identification labels to the Chassis and CMMs.
This step is required if the Chassis has already been configured (after the First Time
Configuration Wizard).
14. Remove all SGMs from the Chassis and then reinsert them.
This step causes a hard reboot of the system.

Setting the Quality Grade Differential


Description
Use the set chassis high-availability failover command in gClish to set the minimum
quality grade differential that causes failover.

Syntax
> set chassis high-availability failover <trigger>

Parameters
Parameter Description
<trigger> Minimum difference in Chassis quality grade to trigger failover
Valid values: 1 - 100


Setting the Failover Freeze Interval


Description
A Chassis cannot failover a second time until the specified failover freeze interval expires. The
default failover freeze interval is:
• For Primary Up - 150 seconds
• For Active Up - 30 seconds
• For VSLS - 150 seconds
If the Standby Chassis grade changes to a value greater than the minimum quality grade gap for
failover, the Standby Chassis fails over and becomes Active. The failover does not start until the
freeze interval expires. This confirms that the Chassis quality grade is stable, before it becomes
Active.
For example, a Chassis quality grade can become unstable if a fan goes Up and Down frequently.

Syntax in gClish
> set chassis high-availability freeze_interval <freeze_interval>

Parameters
Parameter Description
<freeze_interval> Minimum time in seconds to wait until the next Chassis failover
Valid range: 1 - 1000

Note - When you run the asg stat command after Chassis failover, the output shows the freeze
time.
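The grade formula in Setting the Chassis Weights, the failover trigger in Setting the Quality Grade Differential and the freeze interval described above combine into one failover decision. The Python below is an added example, not code from the guide or from Check Point: it computes Chassis grades from the example factor values given earlier, applies the trigger and freeze-interval rules, and walks a constructed timeline in Active Up mode. The component inventory, the trigger value of 50, and the reading of the freeze interval as time elapsed since the previous failover are assumptions.

```python
# Assumed weight factors, using the values from the
# 'set chassis high-availability factors' examples in this chapter.
FACTORS = {
    "sgm": 100, "port_other": 70, "port_standard": 50, "cmm": 40,
    "fans": 30, "power_supplies": 20, "ssm": 45, "pingable_hosts": 99,
}

# Constructed inventory of a fully healthy Chassis: how many of each component are UP.
FULL = {"sgm": 6, "port_other": 4, "port_standard": 8, "cmm": 2,
        "fans": 4, "power_supplies": 3, "ssm": 2, "pingable_hosts": 1}
ONE_FAN_DOWN = dict(FULL, fans=3)
ONE_SGM_DOWN = dict(FULL, sgm=5)


def chassis_grade(up_counts, factors=FACTORS):
    """Chassis grade = sum over component types of (unit weight) x (number of UP components)."""
    return sum(factors[component] * count for component, count in up_counts.items())


def should_fail_over(active_grade, standby_grade, trigger, since_last_failover, freeze_interval):
    """Fail over only if the Standby grade exceeds the Active grade plus the trigger
    and the freeze interval has expired (assumption: the interval is measured
    from the previous failover)."""
    if standby_grade <= active_grade + trigger:
        return False
    return since_last_failover >= freeze_interval


def failover_timeline(observations, trigger, freeze_interval):
    """Walk a list of (seconds, chassis1_up_counts, chassis2_up_counts) in Active Up
    mode and return the failover events as (seconds, chassis that became Active)."""
    active, standby = "chassis1", "chassis2"
    last_failover = -freeze_interval  # no failover before the timeline starts
    events = []
    for t, counts1, counts2 in observations:
        grades = {"chassis1": chassis_grade(counts1), "chassis2": chassis_grade(counts2)}
        if should_fail_over(grades[active], grades[standby], trigger,
                            t - last_failover, freeze_interval):
            events.append((t, standby))
            active, standby = standby, active
            last_failover = t
    return events


# Constructed timeline: a fan flap is absorbed by the trigger, an SGM loss fails over,
# and the failback is delayed until the 30-second Active Up freeze interval expires.
TIMELINE = [
    (0, FULL, FULL),
    (20, ONE_FAN_DOWN, FULL),      # grade gap 30 < trigger: stay put
    (40, ONE_SGM_DOWN, FULL),      # grade gap 100 > trigger: failover to chassis2
    (50, FULL, FULL),              # chassis1 recovered, but Active Up keeps chassis2
    (60, FULL, ONE_SGM_DOWN),      # chassis2 degraded inside the freeze interval: wait
    (75, FULL, ONE_SGM_DOWN),      # freeze expired: failover back to chassis1
]

if __name__ == "__main__":
    print("grades:", chassis_grade(FULL), chassis_grade(ONE_FAN_DOWN), chassis_grade(ONE_SGM_DOWN))
    print("failovers:", failover_timeline(TIMELINE, trigger=50, freeze_interval=30))
```

With these factors a fan flap moves the grade by 30, below the trigger, so it never causes failover on its own; losing an SGM moves it by 100 and does. The failback that becomes justified at 60 seconds waits until 75 seconds because the freeze interval has not yet expired, which is exactly the stability check the freeze interval exists for.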


Advanced Features
Below are some advanced features of the Scalable Platform.

Working with Link Preemption


The Link Preemption Mechanism prevents constant Chassis failover and failback when there is
interface link flapping. When you enable this feature, an interface state that changes from DOWN
to UP, is only included in the Chassis grade if the link state is Up for "x" seconds. The default is 10
seconds.
Configuration:
The Link Preemption Mechanism is enabled by default with a preemption time of 10 seconds.
To configure the preemption time, run:
# fw ctl set int fwha_ch_if_preempt_time <preemp_time>
# update_conf_file fwkern.conf fwha_ch_if_preempt_time=<preemp_time>

Parameters

Parameter Description
<preemp_time> Link Preemption Mechanism time
Default: 10 seconds

Example:
[Expert@MyChassis-ch01-01:0]# fw ctl set int fwha_ch_if_preempt_time 20
[Expert@MyChassis-ch01-01:0]# update_conf_file fwkern.conf fwha_ch_if_preempt_time=20

To disable Link Preemption Mechanism, run:


[Expert@MyChassis-ch01-01:0]# fw ctl set int fwha_ch_if_preempt_time 0
[Expert@MyChassis-ch01-01:0]# update_conf_file fwkern.conf fwha_ch_if_preempt_time=0

To make sure the preemption time value is correct, run:


[Expert@MyChassis-ch01-01:0]# fw ctl get int fwha_ch_if_preempt_time

Chassis High Availability - Sync Lost Mechanism


The Scalable Platform uses the Check Point proprietary Cluster Control Protocol (CCP) to send
UDP control packets between two High Availability Chassis. When a Sync interface fails, it is
necessary to send sync_lost to the other Chassis. The sync_lost mechanism handles the loss
of connectivity between two Chassis on the Sync network.
To prevent the two Chassis from changing their states to Active, a sync_lost CCP is sent over
the non-sync interface (the Data Ports and Management interfaces) to the other Chassis. This
causes the two Chassis to freeze their current states until connectivity between the two Chassis is
restored. During the Sync Loss, the Standby Chassis does not change its state to Active until it
stops receiving sync_lost packets from the other Chassis.
The Scalable Platform sends sync_lost messages in this manner:
• For VSX environments - All interfaces of the VS0 context only
• For non-VSX environments - All Chassis interfaces

Sync Lost Mechanism is enabled by default.

To disable Sync Lost Mechanism, run:


> fw ctl set int fwha_ch_sync_lost_mechanism_enabled 0
> update_conf_file fwkern.conf fwha_ch_sync_lost_mechanism_enabled=0

To enable Sync Lost Mechanism, run:


> fw ctl set int fwha_ch_sync_lost_mechanism_enabled 1
> update_conf_file fwkern.conf fwha_ch_sync_lost_mechanism_enabled=1

To check whether the mechanism is enabled, run:


> fw ctl get int fwha_ch_sync_lost_mechanism_enabled
(1 - enabled, 0 - disabled)

Managing Connection Synchronization (asg_sync_manager)


Use the asg_sync_manager utility to manage connection synchronization for High Availability.
The configuration parameters include global settings and Sync Exception rules that control
connection synchronization. Global synchronization settings apply to all connections, while Sync
Exception rules apply only to specified connections.
This utility also controls SecureXL delayed synchronization parameters. When a connection is
created from a SecureXL template, asg_sync_manager can set the period until it synchronizes
to the Firewall.

To define the Synchronization level:


> asg_sync_manager

Please choose one of the following:
-----------------------------------
1) Print sync exceptions table
2) Add new sync exceptions rule
3) Delete old sync exception rule
4) Set sync between Chassis flag on / off
5) Set sync within local Chassis on / off
6) Configure sync between Chassis blades ratio
7) Set default delay notifications
8) Enable / Disable unicast sync
e) Exit

Press e to return to main menu.


To show synchronization properties, run:
> asg stat -v


Working with Sync Rules


Sync exceptions are rules contained in the Sync Exception Table that define how synchronization
works for specified connections or connection types. A Sync exception rule applies and the
specified action occurs if the connection matches all parameters in the rule definition. Rules are
examined in sequence. The first matching rule applies.

These are the parameters of a Sync exception rule:


Parameter   Description
Idx         Rule sequence number. Rules are applied in sequence, starting with rule 1.
VS          One or more Virtual System contexts.
Source      Source IP address and subnet mask.
Destination Destination IP address and subnet mask.
DPort       Destination port.
Ipp         IP protocol number - typically TCP (6) or UDP (17).
Sync        Synchronization action:
            0 = No synchronization
            1 = Synchronize only to the local Chassis
            2 = Synchronize only to the other (remote) Chassis
            3 = Synchronize both Chassis
            4 = Synchronize all SGMs
Delay       SecureXL delayed synchronization value: the time before a connection created from a
            template is synchronized.
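The first-match semantics of the Sync Exception Table, as an added example that is not part of the guide and not Check Point code: it models the parameters above and returns the action and delay a connection would get. Assumptions not stated on the page: a VS of "*" and a DPort or Ipp of 0 act as wildcards, rules are ordered by Idx, an unmatched connection falls back to the global Sync between Chassis / Sync within local Chassis flags and to the default delay (30 for HTTP related services, 5 for all other services, as described under Set default delay notifications), and HTTP related services are approximated as TCP/80 and TCP/8080.

```python
"""First-match lookup over a Sync Exception table, as the guide describes it.

Added illustration, not code from the 60000/40000 guide or from
asg_sync_manager itself. Assumptions: a VS of "*" and a DPort or Ipp of 0 act
as wildcards, Source/Destination are CIDR strings, rules are ordered by Idx,
and when no rule matches, the connection falls back to the global Sync between
Chassis / Sync within local Chassis flags and to the default delay (30 for
HTTP related services, 5 for everything else).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sync action codes from the guide's "Sync" column.
SYNC_NONE, SYNC_LOCAL, SYNC_REMOTE, SYNC_BOTH, SYNC_ALL_SGMS = 0, 1, 2, 3, 4
TCP, UDP = 6, 17
DEFAULT_DELAY = {"http": 30, "other": 5}  # "Set default delay notifications"


@dataclass(frozen=True)
class SyncRule:
    idx: int
    vs: str            # Virtual System ID, or "*" for any (assumption)
    source: str        # CIDR; "0.0.0.0/0" matches any source
    destination: str   # CIDR; "0.0.0.0/0" matches any destination
    dport: int         # destination port; 0 = any (assumption)
    ipp: int           # IP protocol number, 6 = TCP, 17 = UDP; 0 = any (assumption)
    sync: int          # one of the SYNC_* codes
    delay: Optional[int] = None  # SecureXL delayed sync value; None = default


@dataclass(frozen=True)
class Connection:
    vs: str
    src: str
    dst: str
    dport: int
    ipp: int


def rule_matches(rule: SyncRule, conn: Connection) -> bool:
    """A rule applies only if the connection matches ALL of its parameters."""
    if rule.vs != "*" and rule.vs != conn.vs:
        return False
    if rule.ipp and rule.ipp != conn.ipp:
        return False
    if rule.dport and rule.dport != conn.dport:
        return False
    src_net = ipaddress.ip_network(rule.source, strict=False)
    dst_net = ipaddress.ip_network(rule.destination, strict=False)
    return (ipaddress.ip_address(conn.src) in src_net
            and ipaddress.ip_address(conn.dst) in dst_net)


def global_sync_action(between_chassis: bool, within_chassis: bool) -> int:
    """Map the two global on/off flags onto the action codes the rules use."""
    if between_chassis and within_chassis:
        return SYNC_BOTH
    if between_chassis:
        return SYNC_REMOTE
    if within_chassis:
        return SYNC_LOCAL
    return SYNC_NONE


def default_delay(conn: Connection) -> int:
    # Assumption: "HTTP related services" approximated as TCP/80 and TCP/8080.
    is_http = conn.ipp == TCP and conn.dport in (80, 8080)
    return DEFAULT_DELAY["http" if is_http else "other"]


def resolve_sync(rules: List[SyncRule], conn: Connection,
                 between_chassis: bool = True,
                 within_chassis: bool = True) -> Tuple[Optional[int], int, int]:
    """Return (matched rule Idx or None, sync action, delay value).

    Rules are examined in Idx order and the first match wins, exactly as the
    guide states; a later, more specific rule never overrides an earlier one.
    """
    for rule in sorted(rules, key=lambda r: r.idx):
        if rule_matches(rule, conn):
            delay = rule.delay if rule.delay is not None else default_delay(conn)
            return rule.idx, rule.sync, delay
    return None, global_sync_action(between_chassis, within_chassis), default_delay(conn)


# Constructed sample table: a DNS exception (no sync), a UDP/5060 range that is
# synced to all SGMs, and a catch-all for VS 2 that shortens the template delay.
SAMPLE_RULES = [
    SyncRule(1, "*", "0.0.0.0/0", "0.0.0.0/0", 53, UDP, SYNC_NONE),
    SyncRule(2, "2", "10.0.0.0/8", "10.0.0.0/8", 5060, UDP, SYNC_ALL_SGMS, 0),
    SyncRule(3, "2", "0.0.0.0/0", "0.0.0.0/0", 0, 0, SYNC_BOTH, 2),
]

if __name__ == "__main__":
    dns = Connection("1", "10.1.1.5", "8.8.8.8", 53, UDP)
    print(resolve_sync(SAMPLE_RULES, dns))  # rule 1 wins: (1, 0, 5)
```

Because the first matching rule wins, put narrow exceptions (such as the DNS rule) before any catch-all rule for the same VS; a catch-all at Idx 1 would shadow everything after it.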


Sync Rule Options


Option                                       Description
Print Sync exceptions table                  Shows the Sync exception table. Each entry in this table
                                             has these parameters:
                                             1. 5-tuple, with wildcards allowed
                                             2. Synchronization mode (none, within Chassis only,
                                             between Chassis only, both within and between Chassis,
                                             or to all SGMs)
                                             3. SecureXL delayed synchronization value
                                             The global synchronization values are also shown.
Add new Sync exceptions rule                 Adds a new rule to the Sync exceptions table. Press Enter
                                             at any prompt to accept the default value. Wildcards are
                                             allowed in the 5-tuple. The new rule applies only to new
                                             connections.
Delete old Sync exception rule               Deletes a rule from the Sync exceptions table.
Set Sync between Chassis flag on / off       Global system setting - enables or disables
                                             synchronization of connections to the Standby Chassis.
Set Sync within local Chassis flag on / off  Global system setting - enables or disables
                                             synchronization of connections within the local (Active)
                                             Chassis.
Configure Sync between Chassis SGMs ratio    Minimal ratio of UP SGMs between the Standby and Active
                                             Chassis for synchronization to occur. If the number of UP
                                             SGMs on the Standby Chassis is much lower than on the
                                             Active Chassis, synchronization might overload them. The
                                             default ratio is 70%. You can change it here, and later
                                             restore the default.
Set default delay notifications              Default delayed synchronization settings, divided into
                                             HTTP related services (30) and all other services (5).
                                             You can change these values here.
                                             Note - Service delayed synchronization configured in
                                             SmartDashboard overrides these settings.
Enable / Disable unicast Sync                Enables or disables unicast Sync (the correction layer is
                                             enabled or disabled accordingly). Disabling it returns the
                                             system to the legacy synchronization scheme (synchronize
                                             connections to all SGMs).
                                             If you change this setting, you must reboot all SGMs.


Working with SyncXL


SyncXL is a Check Point technology that makes sure that each active connection is synchronized
to only one SGM on the Active Chassis and one SGM on the Standby Chassis, instead of to all SGMs.
When an SGM or Chassis state changes, all SGMs update their counterpart SGMs. Synchronization
is triggered automatically by these events:
• SGM Failure - Connections backed up on the failed SGM are synchronized to a different backup
SGM
• SGM Recovery - The newly recovered SGM can become:
• A backup for connections that are active on other SGMs
• Active for connections it handled before the failure
• Chassis High Availability failover - When the Active Chassis fails over to the Standby Chassis,
a backup entry is defined for each connection that the new Active Chassis handles.
Use asg_sync_manager to configure the SyncXL mechanism. To learn more about the
asg_sync_manager command, see Managing Connection Synchronization (asg_sync_manager) (on
page 237).
Standby Chassis / Active SGMs ratio:
• To handle the load and capacity, the Standby Chassis must have at least 50% as many UP SGMs
as the Active Chassis. For example, if 10 SGMs are UP on the Active Chassis, at least five SGMs
must be UP on the Standby Chassis. SyncXL is automatically disabled if this condition is not met.
You can change the ratio parameter in asg_sync_manager (Configure sync between Chassis blades
ratio).
• To make sure that each active connection has a backup on both Chassis in a Dual Chassis system,
configure the synchronization settings with:
# asg_sync_manager
• To see the last connection backup operation, run:
# asg_blade_stats

Last Iterator Statistics:


---------------------------------------------
Start time: Thu Sep 13 10:48:18 2012
Running time: 0 Seconds
Status: Finished
Reason: Chassis ID 2 state was changed to STANDBY
Total connections iterated 38
Connections w/ sync action 0

To learn more about the asg_blade_stats command, see Showing SGM Forwarding Statistics (on
page 129).

Notes:
• VoIP connections are synchronized to all SGMs
• Local connections (to/from the Scalable Platform pseudo IP) are not synchronized
• SyncXL does not work on the Sync interface or the Management interface


Setting Admin DOWN on First Join


Description
You can configure the Scalable Platform to automatically set a newly installed SGM in a Security
Group to the Admin DOWN state. This lets the administrator confirm that the SGM is configured
correctly before it handles traffic.

Syntax
> set chassis high-availability down_on_first_join <first_join>

Parameters
Parameter Description
<first_join> Sets whether Admin DOWN on first join is enabled
0 - Admin DOWN on first join is disabled
1 - Admin DOWN on first join is enabled

To add a new SGM to a Security Group with Admin DOWN:


1. Run:
> set chassis high-availability down_on_first_join 1
2. Install the new SGM and add it to the Security Group.
3. Set the SGM to the UP state. Run:
> asg sgm_admin -b <SGM_IDs> up -p


Configuring a Unique IP Address For Each Chassis (UIPC)

In Dual-Chassis deployment:
• A heavy load on the Active Chassis can prevent you from creating a network connection to the
SMO and working with management tasks.
• It can be necessary to have direct access to the Standby Chassis to troubleshoot a problem,
such as a DOWN SGM. You cannot use the SMO to connect to the Standby Chassis.
You can assign a unique IP address to each Chassis to help resolve these issues. This adds an
extra alias IP to the management interfaces on all SGMs.
• When there is a high load on the SMO, connect using the unique IP assigned to the Standby
Chassis. The SGMs on the Standby Chassis are always UP and available to run gClish
management commands.
• To connect directly to the Standby Chassis, use the Standby Chassis unique IP address.

Notes:
• Only one SGM "owns" the UIPC task.
• The UIPC feature is disabled by default.
• If the Scalable Platform is not managed by a management port, you can add the unique IP to
one of the data ports. The connection to the unique IP reaches a specific blade based on the
distribution configuration.

Description
Use the set chassis id command to assign a unique IP address to a Chassis.

Syntax
> set chassis id <chassis_id> general unique_ip <ip>
> delete chassis id <chassis_id> general unique_ip
> show chassis id <chassis_id> general unique_ip


Parameters
Parameter Description
<chassis_id> Chassis ID
Valid values:
• 1
• 2
• all
<ip> An alias IP address on the same network as one of the SGMs interfaces

UIPC is automatically enabled after you run the configuration commands. You can also manually
enable or disable it.
To manually enable UIPC, run:
> g_fw ctl set int fwha_uipc_enabled 1
To manually disable UIPC, run:
> g_fw ctl set int fwha_uipc_enabled 0

Example - Adding a UIPC:


> set chassis id 1 general unique_ip 172.16.6.186
Adding alias IP: 172.16.6.186 to chassis 1
Alias IP was added successfully

Example - Deleting a UIPC:


> delete chassis id 1 general unique_ip
Deleting alias IP 172.16.6.186 of chassis 1
Alias IP was deleted successfully


VSX Active/Active Layer 2 Mode


In the VSX Active/Active Layer 2 Mode, both Chassis in a Dual Chassis deployment handle
connections. Connections between both Chassis are synchronized. Active/Active High Availability
supports Layer 2 topologies.
Select High Availability Active/Active Layer 2 Mode when:
• An external device or protocol sends connections to both Chassis and makes the decision as to
which Chassis is Active.
• Routing to Chassis is not symmetric. Packets for some connections can be sent to both
Chassis.



CHAPTER 7

Working with Link Aggregation (Interface Bonds)
In This Section:
Configuring Link Aggregation ..................................................................................246
Removing Slave Interfaces .......................................................................................251
Deleting a Bond ..........................................................................................................252
Working with the ABXOR Bonds ................................................................................253
Working with Management Aggregation ...................................................................255
Working with Sync Bonds ...........................................................................................258

Link Aggregation combines multiple physical interfaces into a virtual interface called a bond.
Bonded interfaces (known as slaves) add redundancy to a connection and increase the connection
throughput to a level beyond what is possible with a single physical interface.

To create an interface bond:


1. Create a bonding group:
> add bonding group <bond_id>
2. Set a bonding mode:
• 802.3ad (LACP):
> set bonding group <bond_id> mode 8023AD
• XOR:
> set bonding group <bond_id> mode XOR
3. Set the slave interface to on:
> set interface <if_name> state on
4. Enslave the interfaces to the bond:
> add bonding group <bond_id> interface <if_name>
If you use VSX:
1. Add the interface bond to the physical interfaces of VS0.
2. Delete the slave interfaces of VS0.
Note - Before you run the Link Aggregation commands, make sure that the slave interfaces do not
already have an IP address assigned.


Configuring Link Aggregation


Description
Use the add bonding group command to create new bond and add slave interfaces to it.
Use set bonding group to configure parameters for an existing bond.
This section shows the full syntax for these commands. The other sections in this chapter show
only the syntax for the specified activities.

Syntax
> add bonding group <bond_id>
> add bonding group <bond_id> interface <slave_interface>
> set bonding group <bond_id>
[primary <slave_interface>]
[mii-interval <value>]
[up-delay <value>]
[down-delay <value>]
[mode <value>]
[lacp-rate <value> ]
[xmit-hash-policy <value>]
[abxor-threshold <value>]

Parameters
Parameter                   Description
<bond_id>                   Bond identifier, an integer between 1 and 1024.
interface <slave_interface> Slave interface name.
primary <slave_interface>   Sets the primary slave interface. This parameter is
                            applicable to the active-backup mode only.
mii-interval <interval>     Frequency (in ms) that the system polls the Media
                            Independent Interface (MII) to get status.
                            Valid values = 1-5000 ms. Default = 100 ms.
up-delay <value>            Wait time (in ms) before the system confirms that a slave
                            interface is UP.
down-delay <value>          Wait time (in ms) before the system confirms that a slave
                            interface is DOWN.
                            Valid values for both = 1-5000 ms. Default = 200 ms.


Parameter Description
mode <value> Bond interface mode:
• active-backup - Selects the Primary slave interface as
the Active slave interface. If the Primary slave interface
goes down, it fails over to a different slave interface.
• xor - All UP slave interfaces are Active for Load Sharing.
Traffic is assigned to Active interfaces based on the
transmit hash policy (Layer2 or Layer3+4).
• 8023AD - Dynamically uses Active slave interfaces to
share the traffic load based on the LACP protocol. This
protocol uses full interface monitoring between the
Security Gateway and a switch.
• ABXOR - Slave interfaces are assigned to sub-groups
called bundles. Only one bundle is active at a time. All
slave interfaces in the active bundle share the traffic
load. The system assigns traffic to all interfaces in the
active bundle based on the defined transmit hash policy.
Note - The Round-Robin option is not supported on the
Scalable Platform.
lacp-rate <value> LACPDU packet transmission rate:
slow - Request LACPDU every 30 seconds.
fast - Request LACPDU every 1 second.
This parameter is applicable to the 8023AD mode only.
xmit-hash-policy <value> Methodology for slave interface selection based on the
TCP/IP layer.
layer2 - Use XOR of hardware MAC addresses.
layer3+4 - Use upper layer protocol information (IP addresses and ports).
This parameter is applicable to the XOR and ABXOR Modes
only.
abxor-threshold <value> Minimum number of slave interfaces that must be UP for a
bundle to be Active.
Valid values = 1-8 interfaces. Default = 3 interfaces.
This parameter is applicable to the ABXOR Mode only.

Example 1 - Create a new Bond (bond4) with one slave interface eth1-03:
> add bonding group 4 interface eth1-03

Example 2 - Add another slave interface eth2-03 to bond4:

> add bonding group 4 interface eth2-03

Example 3 - Change the mode, down-delay and mii-interval parameters for bond4:

> set bonding group 4 mode xor down-delay 300 mii-interval 100


Creating a New Bond and Adding Slave Interfaces


Description
Use the add bonding group command to create a new Bond and to add slave interfaces to an
existing Bond.
You must run this command once for each slave that you add to a Bond.

Syntax
> add bonding group <bond_id> [interface <slave_interface>]

Parameters
Parameter Description
<bond_id> Bond identifier, an integer between 1 and 1024.
<slave_interface> Slave interface name.

Example 1 - Create a new bond4 with one slave interface eth1-02:


> add bonding group 4 interface eth1-02

Example 2 - Add another slave interface eth2-02 to bond4:


> add bonding group 4 interface eth2-02

Setting a Bonding Mode


Description
Use the set bonding group command to change the Bond Mode. This section shows only the
options related to interface Bond modes.

Syntax
> set bonding group <bond_id> mode <bond_mode>

Parameters
Parameter Value
<bond_id> Bond identifier, an integer between 0 and 1024.


Parameter Value
<bond_mode> Bond interface mode:
• active-backup - Selects the Primary slave interface as the Active slave
interface. If the Primary slave interface goes down, it fails over to a different
slave interface.
• xor - All UP slave interfaces are Active for Load Sharing. Traffic is assigned
to Active interfaces based on the transmit hash policy (Layer2 or Layer3+4).
• 8023AD -Dynamically uses Active slave interfaces to share the traffic load
based on the LACP protocol. This protocol uses full interface monitoring
between the Security Gateway and a switch.
• ABXOR - Slave interfaces are assigned to sub-groups called bundles. Only
one bundle is active at a time. All slave interfaces in the active bundle share
the traffic load. The system assigns traffic to all interfaces in the active
bundle based on the defined transmit hash policy.
Note - The Round-Robin option is not supported on the Scalable Platform.

Example:
> set bonding group 4 mode 8023AD
1_01:
success
1_02:
success
1_03:
success
2_01:
success
2_03:
success

Setting the Polling interval


Description
Use the set bonding group command to set the polling interval for a Bond.
This section shows only the parameters related to the polling interval.

Syntax
> set bonding group <bond_id> mii-interval <interval>

Parameters
Parameter Description
<bond_id> Bond ID
mii-interval <interval> Frequency in ms, that the system polls the Media Independent
Interface (MII) to get status
Valid values = 1-5000 ms. Default = 100 ms.


Setting a Bond Interface On or Off


Description
Use the set interface command to turn the Bond interface on or off after you create and
configure it.

Syntax
> set interface <bond_interface> state on
<bond_interface> is the Bond interface name, for example bond4

Example
> set interface bond4 state on


Removing Slave Interfaces


Description
Use the delete bonding group command to remove a slave interface from a Bond.

Syntax
> delete bonding group <bond_id> interface <slave_interface>

Parameters
Parameter Description
<bond_id> Bond identifier, an integer between 0 and 1024.
<slave_interface> Slave interface name.

Example
> delete bonding group 1 interface eth1-02


Deleting a Bond
Description
Use the delete bonding group command to delete a Bond.
Important - You must delete all slave interfaces in a Bond before you can delete that Bond.

Syntax
> delete bonding group <bond_id>

Parameters
Parameter Description
<bond_id> Bond identifier, an integer between 0 and 1024.


Working with the ABXOR Bonds


R76SP.50 supports ABXOR Bonds, which provide slave interface redundancy together with load
sharing. An ABXOR Bond is divided into two or more sub-groups, known as bundles. Each bundle can
have up to eight slave interfaces.
Bundles provide Active/Backup redundancy: only one bundle is active at any given time, and all UP
slave interfaces in the active bundle share the traffic load. The system selects the active bundle
with these rules:
• The active bundle is the bundle with the lowest index that has at least as many active (UP) slave
interfaces as the abxor threshold defined for the Bond. The abxor threshold is the minimum
number of active slave interfaces a bundle needs to become active. You define one abxor
threshold for each Bond.
• If no bundle has the minimum number of active slave interfaces, the bundle with the most
active slave interfaces becomes the active bundle.
For example, each bundle has four slave interfaces and the Bond has an abxor threshold of three.
The active bundle must have at least three UP interfaces. If no bundle has three UP interfaces, the
bundle with the most UP interfaces becomes active.

You can connect a different switch to each bundle. This provides both SSM and switch redundancy
together with Load Sharing: when each bundle connects to a different switch and contains slave
interfaces from both SSMs, the failure of one switch and/or one SSM does not interrupt traffic.


Configuring ABXOR
To create an ABXOR Bond:
1. Create a new Bond (on page 246).
2. Add slave interfaces to the new Bond (on page 248).
3. Create the bundles. For each bundle, run:
> add bonding group <bond_id> bundle <bundle_id>
Note - The Bundle ID cannot be 0. The legal values are 1 and 2.
4. Assign slave interfaces to each bundle. For each interface, run:
> add bonding group <bond_id> bundle <bundle_id> interface <slave_interface>
5. Set the Bond Mode to ABXOR:
> set bonding group <bond_id> mode abxor
6. Set the ABXOR threshold:
> set bonding group <bond_id> abxor-threshold <value>
The <value> can be from 1 to 8. The default value is 3.
7. Set the minimum number of slave interfaces in the bond (min_slaves). For example, for bond1:
> set chassis high-availability bond bond1 min_slaves 2
Notes:
• The default value for min_slaves is 1.
• To keep full throughput, the number of slave interfaces in a bundle should equal the ABXOR
threshold.
• Configure the switch with the XOR algorithm. Consult your switch vendor for the relevant
configuration instructions.
Important - You must delete all slave interfaces in a Bond before you can delete that Bond.

Syntax to delete an ABXOR Bond:


> delete bonding group <bond_id> bundle <bundle_id> interface <slave_interface>
> delete bonding group <bond_id> bundle <bundle_id>
> delete bonding group <bond_id> interface <slave_interface>
> delete bonding group <bond_id>

Parameters
Parameter Description
<bond_id> Bond identifier, an integer between 1 and 1024.
<slave_interface> Name of slave interface.
<bundle_id> Bundle identifier, an integer between 1 and 2.
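To make the bundle selection rules and the Configuring ABXOR procedure concrete, here is an added Python example (not code from the guide or from Check Point). It validates an ABXOR bond definition against the limits documented above, emits the gClish commands from Configuring ABXOR in the order the guide lists them, and predicts which bundle becomes active for a given set of UP slaves. The tie-break between bundles with the same number of UP interfaces (lowest index wins), the eth<ssm>-<port> slave naming pattern, and the bond<bond_id> interface name used in the min_slaves command are assumptions taken from the guide's examples, not statements the page makes.

```python
"""ABXOR bond helper: active-bundle selection and the gClish command sequence.

Added example, not code from the guide or from Check Point. It models the
selection rules in "Working with the ABXOR Bonds" and emits the commands from
"Configuring ABXOR" in the order the guide lists them. Assumptions: a tie
between bundles with the same number of UP slaves goes to the lowest bundle
index (the guide does not say), slave names follow the eth<ssm>-<port> pattern
of the guide's examples, and the bond interface is named bond<bond_id>.
"""
import re
from typing import Dict, List, Optional

SLAVE_NAME = re.compile(r"^eth[1-4]-\d{2}$")   # e.g. eth1-03, eth2-03
MAX_SLAVES_PER_BUNDLE = 8
VALID_BUNDLE_IDS = (1, 2)        # "The legal values are 1 and 2"
THRESHOLD_RANGE = range(1, 9)    # abxor-threshold 1-8, default 3


class AbxorBond:
    def __init__(self, bond_id: int, bundles: Dict[int, List[str]],
                 threshold: int = 3, min_slaves: int = 1):
        self.bond_id = bond_id
        self.bundles = bundles        # {bundle_id: [slave, ...]}
        self.threshold = threshold
        self.min_slaves = min_slaves
        self.validate()

    def validate(self) -> None:
        """Reject configurations the guide documents as illegal."""
        if not 1 <= self.bond_id <= 1024:
            raise ValueError("bond id must be 1-1024")
        if self.threshold not in THRESHOLD_RANGE:
            raise ValueError("abxor-threshold must be 1-8")
        seen = set()
        for bundle_id, slaves in self.bundles.items():
            if bundle_id not in VALID_BUNDLE_IDS:
                raise ValueError(f"bundle id {bundle_id} not in 1..2")
            if not 1 <= len(slaves) <= MAX_SLAVES_PER_BUNDLE:
                raise ValueError(f"bundle {bundle_id} must have 1-8 slaves")
            for slave in slaves:
                if not SLAVE_NAME.match(slave):
                    raise ValueError(f"unexpected slave name {slave}")
                if slave in seen:
                    raise ValueError(f"slave {slave} assigned twice")
                seen.add(slave)

    def active_bundle(self, up_interfaces: List[str]) -> Optional[int]:
        """Bundle the system would make active for the given UP slaves.

        Rule 1: lowest-index bundle with at least `threshold` UP slaves.
        Rule 2: otherwise the bundle with the most UP slaves (tie -> lowest
        index, an assumption). None if no bundle has any UP slave at all.
        """
        up = set(up_interfaces)
        counts = {b: sum(1 for s in slaves if s in up)
                  for b, slaves in sorted(self.bundles.items())}
        for bundle_id, n_up in counts.items():
            if n_up >= self.threshold:
                return bundle_id
        best_id, best_n = max(counts.items(), key=lambda kv: (kv[1], -kv[0]))
        return best_id if best_n > 0 else None

    def commands(self) -> List[str]:
        """gClish commands in the order given under "Configuring ABXOR"."""
        bid = self.bond_id
        cmds = [f"add bonding group {bid}"]
        for _, slaves in sorted(self.bundles.items()):
            cmds += [f"add bonding group {bid} interface {s}" for s in slaves]
        for bundle_id, slaves in sorted(self.bundles.items()):
            cmds.append(f"add bonding group {bid} bundle {bundle_id}")
            cmds += [f"add bonding group {bid} bundle {bundle_id} interface {s}"
                     for s in slaves]
        cmds.append(f"set bonding group {bid} mode abxor")
        cmds.append(f"set bonding group {bid} abxor-threshold {self.threshold}")
        cmds.append(f"set chassis high-availability bond bond{bid} "
                    f"min_slaves {self.min_slaves}")
        return cmds


# Constructed example: each bundle takes two ports from SSM1 and two from SSM2
# and connects to its own switch, so losing one switch still leaves a full
# bundle, and losing one SSM leaves two UP slaves in each bundle.
SAMPLE = AbxorBond(
    bond_id=1,
    bundles={1: ["eth1-01", "eth1-02", "eth2-01", "eth2-02"],
             2: ["eth1-03", "eth1-04", "eth2-03", "eth2-04"]},
    threshold=3, min_slaves=2)

if __name__ == "__main__":
    print("\n".join(SAMPLE.commands()))
    # SSM2 down: both bundles have 2 UP slaves (< 3), tie -> bundle 1
    print(SAMPLE.active_bundle(["eth1-01", "eth1-02", "eth1-03", "eth1-04"]))  # 1
```

The active_bundle walk shows why the threshold matters: with the sample layout, a failed switch leaves the other bundle fully UP and it takes over under rule 1, whereas a failed SSM leaves both bundles below the threshold and rule 2 keeps traffic on a half-populated bundle.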


Working with Management Aggregation


Management Aggregation (MAGG) is a High Availability and Load Sharing solution for
management interfaces. You can create bonds that link physical management interfaces together
as one virtual interface.

To create a new Management Bond, run one of these commands:
• add bonding group <bond_id> mgmt
• add bonding group <bond_id> mgmt interface <mgmt_interface_name>
The second command creates the Management Bond and adds a slave management interface in
one step.

Notes:
• Use the mgmt parameter only when you create a new management bond. For all other
configurations, use the standard commands and parameters without the mgmt parameter. For
more information, see Configuring Link Aggregation (on page 246).
• A bond is created either for data or for management, never for both.
Best Practice - Do not mix 1G and 10G management interfaces in a bond.

Limitations:
• eth<x>Mgmt4 cannot be used for MAGG configuration
• Only XOR / High Availability configurations are supported
• VLAN configuration is not supported

Example:
This example creates a management bond with two slaves:
> add bonding group 7 mgmt
> add bonding group 7 mgmt interface eth1-Mgmt1
> add bonding group 7 mgmt interface eth2-Mgmt1
> set bonding group 7 mode xor
> set interface magg7 state on
> set interface magg7 ipv4-address X.X.X.X mask-length X

> show bonding group 7


1_01:
Bond Configuration
xmit-hash-policy layer2
down-delay 200
primary Not configured
lacp-rate Not configured
mode xor
up-delay 200
mii-interval 100
abxor-threshold 3
type mgmt
Bond Interfaces
eth1-Mgmt1
eth2-Mgmt1

1_02:
Bond Configuration
xmit-hash-policy layer2
down-delay 200
primary Not configured
lacp-rate Not configured
mode xor


up-delay 200
mii-interval 100
abxor-threshold 3
type mgmt
Bond Interfaces
eth1-Mgmt1
eth2-Mgmt1

Example:
This example turns on a management bond interface and assigns it an IP address:
> set interface magg4 state on
> set interface magg4 ipv4-address X.X.X.X mask-length X
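Because gClish does not apply commands to SGMs that are DOWN, a practitioner wants to confirm that every SGM reports the same bond after a change. The following added Python example (not from the guide or from Check Point) parses the per-SGM layout of show bonding group shown above and lists the SGMs that deviate from a reference SGM. The sample output is constructed for the example, with SGM 2_01 deliberately missing one slave.

```python
"""Parse `show bonding group <id>` output and flag SGMs whose bond differs.

Added example, not code from the guide or from Check Point. gClish applies a
command to every SGM, but not to an SGM that is DOWN at the time, so after a
bonding change it is worth confirming that all SGMs report the same bond.
The parser follows the per-SGM layout shown in the guide's MAGG example
("1_01:", "Bond Configuration", key/value lines, "Bond Interfaces", slave
names). The sample output below is constructed; SGM 2_01 is deliberately
missing its second slave.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SGM_HEADER = re.compile(r"^(\d+_\d+):$")  # e.g. "1_01:"


@dataclass
class BondView:
    config: Dict[str, str] = field(default_factory=dict)
    interfaces: List[str] = field(default_factory=list)


def _sgm_block(sgm: str, slaves: List[str]) -> str:
    """Build one SGM's section in the same layout as `show bonding group`."""
    lines = [f"{sgm}:", "Bond Configuration", "xmit-hash-policy layer2",
             "down-delay 200", "primary Not configured",
             "lacp-rate Not configured", "mode xor", "up-delay 200",
             "mii-interval 100", "abxor-threshold 3", "type mgmt",
             "Bond Interfaces", *slaves]
    return "\n".join(lines) + "\n"


# Constructed sample: 1_01 and 1_02 agree, 2_01 never received the second slave.
SAMPLE_OUTPUT = "\n".join([
    _sgm_block("1_01", ["eth1-Mgmt1", "eth2-Mgmt1"]),
    _sgm_block("1_02", ["eth1-Mgmt1", "eth2-Mgmt1"]),
    _sgm_block("2_01", ["eth1-Mgmt1"]),
])


def parse_show_bonding(text: str) -> Dict[str, BondView]:
    """Return {sgm_id: BondView} from the text of `show bonding group <id>`."""
    views: Dict[str, BondView] = {}
    current: Optional[BondView] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SGM_HEADER.match(line)
        if m:
            current = views.setdefault(m.group(1), BondView())
            section = None
        elif current is None:
            continue                       # text before the first SGM header
        elif line == "Bond Configuration":
            section = "config"
        elif line == "Bond Interfaces":
            section = "interfaces"
        elif section == "config":
            key, _, value = line.partition(" ")   # "primary Not configured"
            current.config[key] = value
        elif section == "interfaces":
            current.interfaces.append(line)
    return views


def find_inconsistencies(views: Dict[str, BondView],
                         reference: Optional[str] = None) -> Dict[str, List[str]]:
    """Compare every SGM against a reference SGM (default: the lowest ID).

    Returns {sgm_id: [difference, ...]} for SGMs that deviate; an empty dict
    means every SGM reports the same bond configuration and slave list.
    """
    if not views:
        return {}
    ref = views[reference or sorted(views)[0]]
    problems: Dict[str, List[str]] = {}
    for sgm, view in sorted(views.items()):
        diffs = [f"{k}: {view.config.get(k)!r} != {v!r}"
                 for k, v in ref.config.items() if view.config.get(k) != v]
        missing = sorted(set(ref.interfaces) - set(view.interfaces))
        extra = sorted(set(view.interfaces) - set(ref.interfaces))
        if missing:
            diffs.append("missing slaves: " + ", ".join(missing))
        if extra:
            diffs.append("extra slaves: " + ", ".join(extra))
        if diffs:
            problems[sgm] = diffs
    return problems


if __name__ == "__main__":
    for sgm, diffs in find_inconsistencies(parse_show_bonding(SAMPLE_OUTPUT)).items():
        print(f"{sgm}: " + "; ".join(diffs))   # 2_01: missing slaves: eth2-Mgmt1
```

On a live system, feed the captured output of show bonding group <id> to parse_show_bonding instead of SAMPLE_OUTPUT; an SGM that shows up in the result with a missing slave or a different mode is one that was DOWN when the command ran and needs the configuration re-applied once it is UP.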

Converting MAGG in VSX Mode


To convert to MAGG in VSX Mode:
1. Close all SmartDashboard windows.
2. Connect to a command line on a Management Server.
3. Log in to the Expert Mode.
4. Run the vsx_util tool:
[Expert@HostName_MGMT:0]# vsx_util change_interfaces
Enter the IP address of the Domain Management Server that manages the VSX Gateway object.
Enter the management administrator password.
5. Change the current management interface to the new management interface.
6. Select option 2: Apply changes to the management database only.

To use the VSX Mode:


1. On the Scalable Platform Chassis, log in to Expert Mode.
2. Go to the context of the VSX Gateway (VS0):
HostName_VSX> vsenv 0
3. In gClish, temporarily disable the VSX Mode:
HostName_VSX> set vsx off
4. Delete the IPv4 address from the current management interface.
Note - The management interface is not available after you have completed Step 4.
HostName_VSX> delete interface eth<X>-Mgmt<N> ipv4-address
5. Configure the IPv4 address on the new management interface:
HostName_VSX> set interface eth<X>-Mgmt<N> ipv4-address <IPv4_Address>
{mask-length<Subnet_Mask_Length> | subnet-mask <Subnet_Mask>}
6. Enable the new management interface:
HostName_VSX> set interface eth<X>-Mgmt<N> state on
Note - The new management interface is now active.
7. In gClish, re-enable the VSX Mode:
HostName_VSX> set vsx on


To confirm the changes to the management interface:


1. Reconnect the cables from the previous management interface to the new management
interface.
2. Connect with SmartDashboard to the Management Server.
3. Open the VSX Gateway object and go to the Physical Interfaces window.
Make sure your changes show in the management interface.
4. Click OK and a window shows.
Confirm the VSX configuration pushed successfully.
5. Install the policy only on the VSX Gateway object.
Notes:
• gClish commands apply globally to all SGMs by default.
• gClish commands do not apply to SGMs that are DOWN. Use the asg stat command to see the
state of each SGM before and after you make changes.


Working with Sync Bonds


The Sync interface is a special Bond used for these and other synchronization and control tasks:
• To send CCP packets to other SGMs
• To share policies and configuration files amongst SGMs
• Connection state synchronization
• Packet forwarding
• Firewall synchronization
• Daemon synchronization
• Monitor and control commands (gclish, asg) that get information from many SGMs
A Sync interface has one or two slave interfaces, based on the number of SSMs in each Chassis.
The system creates the slave interfaces automatically.

Notes:
• A Chassis with one SSM always uses eth1-Sync. eth2-Sync is not assigned.
• A Chassis with two or more SSMs always uses these slave interfaces:
• eth1-Sync
• eth2-Sync
• The Sync ports on SSM3 and SSM4 are not used when there are more than two SSMs.
• The system automatically creates the Sync Bond during installation and assigns these IP
addresses:
• SGM1_1 - 192.0.2.1
• SGM1_12 - 192.0.2.14
• SGM2_1 - 192.0.2.15
• SGM2_12 - 192.0.2.28
No manual configuration is necessary.
• The system automatically assigns the Sync slave to port 8 on SSM1 and SSM2.
• The system sets the Sync slave port speed to 10 Gb by default. We recommend that you do not
change this parameter.
• Sync Bonds support both LR and SR transceivers.
• The Sync Bond uses the XOR Mode (on page 248).
• The default network (192.0.2.0/24) is reserved by RFC 5737 for use in documentation, so it is
unlikely to collide with user networks.

Limitations:
• LACP is not supported.
• VLANs are not supported for Sync slave interfaces.
• A Sync Bond can have up to two slave interfaces.
• Sync ports cannot be changed to data ports. This is true for both Single and Dual Chassis
systems.

Sync Lost
Sync Lost is a Check Point feature that makes sure that both Chassis do not become Active if the
Sync network fails. The system sends special sync_lost packets to the other Chassis over the
data and management interfaces. This action prevents a state change on both Chassis until the
Sync network is restored.
The Sync Lost mechanism is enabled by default. You can check or change its state with the
fwha_ch_sync_lost_mechanism_enabled kernel parameter (on page 237).

Connecting Physical Cables


Single Chassis Systems:
It is not necessary to connect Sync ports in a single Chassis system. Communication between
SGMs is handled internally by the Chassis infrastructure.

Dual Chassis system with a cross cable:


• eth1-Sync in Chassis1 connects to eth1-Sync in Chassis2
• eth2-Sync in Chassis1 connects to eth2-Sync in Chassis2

Dual Chassis system with the Sync Bond on the switch:


• Configure all ports in the switch in the same VLAN broadcast domain
• Each switch configures a bond for its Chassis

Dual Chassis system without a Sync Bond on the switch:


• eth1-Sync communicates over VLAN X
• eth2-Sync communicates over VLAN Y
• Configure switches for VLAN access on each related port.
Configure Link State Tracking (Cisco), or an equivalent mechanism, so that Sync port peers go
down on both Chassis after a failure on one Chassis. If you do not do this, and the Sync port
fails on one Chassis, the related peer Sync port stays UP.

CHAPTER 8

Working with VSX


In This Section:
Provisioning VSX .......................................................................................................260
Working with VSLS ....................................................................................................265
Monitoring and Logging in VSX ..................................................................................275
Monitoring VSX Configuration (vsx stat) ....................................................................280
VSX Legacy Bridge Mode ............................................................................................285

Provisioning VSX
Create VSX objects with one of these procedures:
• Create new Security Gateways, Virtual Systems and other virtual objects in SmartDashboard.
• Run the vsx_util reconfigure command on the Management Server.

Notes:
• The SMO reboots automatically when you create a new Virtual System.
• Before you start one of these procedures, make sure that the SMO is the only SGM in the
Security Group. After successful configuration, you can add more SGMs to the Security Group.

Configuring 64-bit Virtual System Support


Description
You can configure the Scalable Platform to run the fwk as a 64-bit process. This lets VSX Virtual
Systems use more than 4 GB of RAM, which significantly increases the concurrent connection
capacity for each Virtual System.
Use the vs_bits command to configure the fwk to run in the 64-bit or 32-bit mode.
Important - This configuration requires maintenance windows because a full reboot is required
for both Chassis. The system automatically reboots when you run the command.

Syntax
> vs_bits [-stat | 32 | 64 ]

Parameters
Parameter Description
-stat Shows the current mode
32 Configures the 32-bit mode
64 Configures the 64-bit mode

Known limitation:
This feature only works if Gaia runs the 64-bit kernel edition.

Creating a new VSX Gateway


You can create a new VSX Gateway with the VSX Gateway Wizard. After you complete the VSX
Gateway Wizard, you can configure the VSX Gateway definition with SmartDashboard. For
example, you can add or delete interfaces, or configure existing interfaces to support VLANs.
Before starting, you must make sure that the SMO is the only SGM in the group.

To start the VSX Gateway Wizard:


1. Connect with SmartDashboard to the Management Server.
2. From the Network Objects tree, right-click on Check Point and select VSX > Gateway.
The General Properties page opens.
3. Follow the instructions on the screen.

Configuring VSX Gateway General Properties


The General Properties page contains basic identification properties for VSX Gateways.
• VSX Gateway Name: Unique alphanumeric name for the VSX Gateway. The name cannot contain
spaces or special characters, except the underscore.
• VSX Gateway IP Address: Management interface IP address.
• VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the
drop-down list.

Selecting Virtual Systems Creation Templates


The Creation Templates page lets you provision predefined, default topology and routing
definitions to Virtual Systems. This keeps Virtual Systems consistent and makes the definition
process faster. You can always override the default creation template when you create or change a
Virtual System.
The creation templates are:
• Shared Interface - Not supported for the Scalable Platform.
• Separate Interfaces: Virtual Systems use their own separate internal and external interfaces.
This template creates a Dedicated Management Interface (DMI) by default.
• Custom Configuration: Define Virtual System, Virtual Switch, and Interface configurations.


Establishing SIC Trust


Initialize Secure Internal Communication (SIC) trust between the VSX Gateway and the
Management Server. The gateway and server cannot communicate without trust.

Initializing SIC Trust

To initialize SIC trust:


1. Enter and confirm the activation key that was set on the gateway during its initial configuration.
2. Click Initialize.
If you entered the correct activation key, the Trust state changes to Trust established.
Note - To reset SIC trust for a VSX Gateway or Virtual System, you must use a console connection.
Do not use an SSH client.

Troubleshooting SIC Trust Initialization Problems


If SIC trust was not established, click Check SIC Status. The most common causes of failure are:
• Entering an incorrect activation key
• Connectivity problems between the Management Server and the VSX Gateway

To troubleshoot and resolve SIC initialization problems:


• Re-enter and re-confirm the activation key.
• Confirm that the IP address defined in General Properties is correct.
• Ping the Management Server to verify connectivity. Resolve connectivity issues.
• From the VSX Gateway command line, use cpconfig to re-initialize SIC. When this has
finished, click Reset in the wizard and re-enter the activation key.
For more about resolving SIC initialization problems, see sk65385
(http://supportcontent.checkpoint.com/solutions?id=sk65385).

Defining Physical Interfaces


In the VSX Gateway Interfaces window, you can define physical interfaces as VLAN trunks. The
page shows the interfaces currently defined on the VSX Gateway.
To define an interface as a VLAN trunk, select VLAN Trunk for the interface.
You can also define VLAN trunks later. For this example, click Next.

Virtual Network Device Configuration


If you choose the Custom Configuration option, the Virtual Network Device Configuration window
opens. Click Next.
The options in this window are not supported for the Scalable Platform.


VSX Gateway Management


In the VSX Gateway Management window, define security policy rules that protect the VSX
Gateway. This policy is installed automatically on the new VSX Gateway.
Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual
Systems, other virtual devices, external networks, and internal networks, is not affected by this
policy.

The security policy consists of predefined rules for these services:


• UDP - SNMP requests
• TCP - SSH traffic
• ICMP - Echo-request (ping)
• TCP - HTTPS traffic
You can modify and configure the Gateway Security Policy.
• Select Allow to pass traffic on the selected services, or clear this option to block traffic. By
default, all services are blocked.
For example, to ping the gateway from the Management Server, Allow ICMP echo-request
traffic.
• Click the arrow and select a Source Object from the list, or select New Source Object to define a
new source.
The default value is *Any.
You can modify security policy rules that protect the VSX Gateway at any time.

To complete the Virtual System wizard:


1. Click Next.
2. Click Finish.
It can take several minutes to complete.
If this ends unsuccessfully, click View Report to see the error messages.
After the VSX wizard has finished successfully, you can add other SGMs to the Security Group.

Virtual System
After you create a Virtual System on a Scalable Platform, we recommend that you limit the
maximum number of concurrent connections to no more than 500,000.

To limit the maximum number of concurrent connections:


1. In SmartDashboard, double-click Virtual System.
2. Click Optimizations > Calculate the maximum limit for concurrent connections.
3. Select Manually.
4. Enter 500000.
5. Click OK.


Reconfigure (vsx_util reconfigure)


Description
Use the vsx_util reconfigure command on the Management Server to restore a VSX
configuration to a newly installed gateway.

Syntax
> vsx_util reconfigure

Input
• VSX Gateway name
• SIC activation key assigned to the Management Server
• Retype to confirm the SIC activation key

Notes:
• This command is also useful for restoring a gateway or cluster member after a system failure.
• Run the command and follow the instructions on the screen.
• The replacement gateway must have the same hardware specifications and configuration as the
gateway it replaces and as the other cluster members. Most importantly, it must have the same
number of interfaces (or more) and the same management IP address.
• The new or replacement machine must be a clean installation. You cannot use a machine that has a
previous VSX configuration.


Working with VSLS


VSLS is a Virtual System Load Sharing solution for the Scalable Platform that uses both Chassis to
handle traffic. Each Virtual System works as an independent cluster. For each Virtual System, one
Chassis is Active and the other Chassis becomes the Standby. The selection of the Active Chassis
is based on interface availability, SGM availability, and Virtual System stability.
A Virtual System in the DOWN state fails over to the Standby Virtual System in the other Chassis.
By default, a Virtual System in the DOWN state does not put the SGM in the DOWN state. Because
of this, there is no effect on other Virtual System states.
The SGM continues to receive traffic from the SSM. This behavior is different from Chassis High
Availability, where a Virtual System in the DOWN state causes the SGM to go DOWN.
Notes:
• If VS0 goes DOWN, its SGM also goes DOWN.
• To make every Virtual System in the DOWN state (not only VS0) take its SGM DOWN, run this
command in gClish and then reboot the Chassis:
> g_update_conf_file fwkern.conf fwha_mbs_vsls_only_vs0_decide_state=0
After the reboot, the behavior is the same as for standard Chassis High Availability: a Virtual
System in the DOWN state causes the SGM to go DOWN.
• When an SGM contains a DOWN Virtual System, the SMO and Chassis Monitor tasks move to a
different valid SGM. Because these tasks move to a different SGM, connections to the Virtual
Systems can be disconnected.
• We recommend that you work with UIPC, because the UIPC task does not move to a different SGM.

Activating Chassis VSLS


To use Chassis VSLS features, you must first activate the Chassis VSLS Mode.
To activate Chassis VSLS, run:
> set chassis high-availability mode 4
Note - This command can cause Chassis failover.

Selecting the Active Chassis for a Virtual System


VSLS dynamically assigns an Active Chassis to each Virtual System based on criteria in this order
of priority:
1. Availability of functional interfaces for the Virtual System
VSLS selects the Chassis with the most connected interfaces to be the Active Chassis.
2. Availability of UP SGMs
If both Chassis have the same number of connected interfaces, VSLS uses this ratio to select
the Active Chassis:
SGM Ratio = Fewest_UP_SGMS/Most_UP_SGMS
If the SGM Ratio is less than the predefined threshold (default=50%), VSLS selects the Chassis
with the most available SGMs. If the SGM Ratio is greater or equal to the threshold, VSLS does
not select an Active Chassis based on SGM availability.


Example:
Chassis 1 has two UP SGMs and Chassis 2 has five UP SGMs. The ratio is 2/5 (40%), which is
less than the default threshold of 50%. VSLS selects Chassis 2 as the Active Chassis.
3. Virtual System with a problem
When a Virtual System fails, VSLS automatically fails over to the related Virtual System on the
other Chassis, which becomes the Active Chassis.
4. Primary Chassis
If none of the above criteria causes VSLS to select an Active Chassis, the Primary Chassis
automatically becomes the Active Chassis.
To change the SGM threshold value, run:
> set chassis vsls sgm_ratio <percent_value>
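
The selection order above, modelled as a small shell function. This is an added example and not Check Point code: it takes constructed per-chassis counts for one Virtual System as arguments and prints which Chassis VSLS would make Active, together with the rule that decided it. The SGM ratio is computed in whole percent (so 2/5 becomes 40), rule 3 is applied in the position the text lists it, and the treatment of two Chassis with zero UP SGMs as a tie is an assumption of the example, not documented behavior.

```shell
#!/bin/sh
# Added example (not Check Point code): model of the VSLS Active Chassis
# selection order for one Virtual System.
#
# Usage: vsls_select_active <if_up_c1> <if_up_c2> <sgm_up_c1> <sgm_up_c2> \
#                           <vs_state_c1> <vs_state_c2> <primary_chassis> [threshold_pct]
#   if_up_cN       connected interfaces this VS has on Chassis N
#   sgm_up_cN      SGMs in UP state on Chassis N
#   vs_state_cN    UP or DOWN, the state of this VS on Chassis N
#   primary        1 or 2, the Primary Chassis of this VS
#   threshold_pct  the "set chassis vsls sgm_ratio" value, default 50
# Prints "<chassis> <deciding rule>", for example "2 sgm_ratio=40".

# SGM Ratio = Fewest_UP_SGMS / Most_UP_SGMS, as a whole percent (rounded down).
vsls_sgm_ratio_pct() {
    if [ "$1" -le "$2" ]; then few=$1 most=$2; else few=$2 most=$1; fi
    # Assumption of this example: no UP SGMs on either Chassis counts as a tie (100%).
    if [ "$most" -eq 0 ]; then echo 100; return; fi
    echo $(( few * 100 / most ))
}

vsls_select_active() {
    if1=$1 if2=$2 sgm1=$3 sgm2=$4 vs1=$5 vs2=$6 primary=$7 thr=${8:-50}

    # 1. Interface availability: the Chassis with more connected interfaces wins outright.
    if [ "$if1" -gt "$if2" ]; then echo "1 interfaces"; return; fi
    if [ "$if2" -gt "$if1" ]; then echo "2 interfaces"; return; fi

    # 2. SGM availability: only decides when the ratio is below the threshold.
    ratio=$(vsls_sgm_ratio_pct "$sgm1" "$sgm2")
    if [ "$ratio" -lt "$thr" ]; then
        if [ "$sgm1" -gt "$sgm2" ]; then echo "1 sgm_ratio=$ratio"; else echo "2 sgm_ratio=$ratio"; fi
        return
    fi

    # 3. Virtual System with a problem: fail over to the Chassis where this VS is UP.
    if [ "$vs1" = DOWN ] && [ "$vs2" = UP ]; then echo "2 vs_state"; return; fi
    if [ "$vs2" = DOWN ] && [ "$vs1" = UP ]; then echo "1 vs_state"; return; fi

    # 4. Nothing above decided: the Primary Chassis becomes the Active Chassis.
    echo "$primary primary"
}

# Worked example from the text: interfaces tie, Chassis 1 has 2 UP SGMs, Chassis 2 has 5.
# 2/5 = 40% < 50%, so Chassis 2 becomes Active even though Chassis 1 is Primary.
vsls_select_active 3 3 2 5 UP UP 1
```

Raising the threshold with `set chassis vsls sgm_ratio` makes rule 2 decide more often; with the threshold at 40 the same 2/5 case falls through to the Primary Chassis, because 40 is not below 40.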

Virtual System Failover


With VSLS, a Virtual System can fail over to the Standby Chassis independently of the other Virtual
Systems. When VSLS selects a different Chassis for a Virtual System based on the selection
criteria, only that Virtual System fails over. There is no effect on the other Virtual Systems.
Virtual System failover works the same way as a regular Layer 2/Layer 3 failover: the Virtual
System sends GARP/NDS (gratuitous ARP and IPv6 Neighbor Discovery) packets at Layer 3, and MAC
learning packets at Layer 2.
Example:
For VS1, Chassis2 is both the Active and the Primary Chassis. If an interface used by VS1 on
Chassis2 is disconnected, VS1 fails over to Chassis1 based on the dynamic selection procedure.
When the port is reconnected, VS1 fails back to Chassis2.

SGM Failover
When an SGM fails, it no longer receives traffic. When a single Virtual System fails on an SGM, that
Virtual System can trigger a Virtual System Chassis Failover. If no Virtual System Chassis Failover
occurs, the failed Virtual System on that SGM continues to receive traffic.

Configuring the VSLS Primary Chassis


When you create a new Virtual System, VSLS automatically assigns a Primary Chassis based on
the system default. You can change the default Primary Chassis when it is necessary. When you
change the default Primary Chassis, it changes for all Virtual Systems that do not have a manually
defined Primary Chassis. This can cause Virtual Systems to failover to a different Active Chassis.
You can manually define the Primary Chassis for specified Virtual Systems. Manually defined
Virtual Systems do not change their Primary Chassis when you change the default Primary
Chassis.


To change the system default Primary Chassis:


1. Change the context to VS0. Run:
> set virtual-system 0
2. Run:
> set chassis vsls system primary_chassis <option>
<option> is an integer between 0 and 2.
0 - Automatic (VSLS automatically assigns the Primary Chassis)
1 - Define Chassis1 as the default Primary Chassis
2 - Define Chassis2 as the default Primary Chassis

To manually define a Primary Chassis for a Virtual System:


1. Go to the Virtual System context to be changed. Run:
> set virtual-system <VS_ID>
2. Run:
> set chassis vsls vs primary_chassis <option>
<option> is an integer between 0 and 2
0 - Use the system default Primary Chassis
1 - Define Chassis1 as the Primary Chassis
2 - Define Chassis2 as the Primary Chassis

To show the Primary Chassis for all Virtual Systems:


> show configuration vsls
-------------------------------------------------
| Default Mode: Automatic |
| Virtual Systems: 10 |
-------------------------------------------------
| VS | VS-Name | Chassis 1 | Chassis 2 |
-------------------------------------------------
| 0 | 61000-VSLS | Default | |
| 1 | VS1 | Manual | |
| 2 | VS2 | Default | |
| 3 | VS3 | | Default |
| 4 | VS4 | Default | |
| 5 | VS5 | | Default |
| 6 | VS6 | Default | |
| 7 | VS7 | | Default |
| 8 | VS8 | Default | |
| 9 | VS9 | | Manual |
-------------------------------------------------
| Total: | 6 | 4 |
-------------------------------------------------

This example shows that:


• The default Primary Chassis Mode is Automatic (0)
• The deployment has 10 Virtual Systems including VS0
• VS1 and VS9 have manually assigned Primary Chassis (Chassis1 and Chassis2 respectively)
• All others use the default Primary Chassis, which are assigned to different Chassis to
effectively distribute the traffic load
• Chassis1 is configured as the Primary Chassis for VS0, VS1, VS2, VS4, VS6, and VS8
• Chassis2 is configured as the Primary Chassis for VS3, VS5, VS7, and VS9


Monitoring VSLS
Monitor VSLS with the asg stat command.

Using 'asg stat'


Use asg stat without arguments to see general VSX and system information.
You can run this command in gClish or Expert Mode.
Example:
> asg stat
--------------------------------------------------------------------------------
| VSX System Status - 64000 |
--------------------------------------------------------------------------------
| Chassis Mode | VSLS |
| Up time | 2 days, 08:09:33 hours |
| SGMs | 18/18 |
| Virtual Systems | 38 |
| Version | R76SP.50 (Build Number 84) |
--------------------------------------------------------------------------------
| VS ID: 0 VS Name: NA-Core-GW |
--------------------------------------------------------------------------------
| Chassis 1 ACTIVE |
--------------------------------------------------------------------------------
| SGM ID State Process FW Policy Date |
| 1 (local) UP Enforcing Security 14Sep17 18:18 |
| 2 UP Enforcing Security 14Sep17 18:18 |
| 3 UP Enforcing Security 14Sep17 18:18 |
| 4 UP Enforcing Security 14Sep17 18:18 |
| 5 UP Enforcing Security 14Sep17 18:18 |
| 6 UP Enforcing Security 14Sep17 18:18 |
| 7 UP Enforcing Security 14Sep17 18:18 |
--------------------------------------------------------------------------------
| Chassis 2 STANDBY |
--------------------------------------------------------------------------------
| SGM ID State Process FW Policy Date |
| 1 UP Enforcing Security 14Sep17 18:18 |
| 2 UP Enforcing Security 14Sep17 18:18 |
| 3 UP Enforcing Security 14Sep17 18:18 |
| 4 UP Enforcing Security 14Sep17 18:18 |
| 5 UP Enforcing Security 14Sep17 18:18 |
| 6 UP Enforcing Security 14Sep17 18:18 |
| 7 UP Enforcing Security 14Sep17 18:18 |
| 8 UP Enforcing Security 14Sep17 18:18 |
| 9 UP Enforcing Security 14Sep17 18:18 |
| 10 UP Enforcing Security 14Sep17 18:18 |
| 11 UP Enforcing Security 14Sep17 18:18 |
--------------------------------------------------------------------------------
| Chassis Parameters |
--------------------------------------------------------------------------------
| Unit | Chassis 1 | Chassis 2 | Unit Weight |
--------------------------------------------------------------------------------
| | UP / Required | UP / Required | |
| SGMs | 11 / 11 | 11 / 11 | - |
| Ports | | | |
| Standard | 7 / 7 | 7 / 7 | - |
| Bond | 6 / 6 | 6 / 6 | - |
| Mgmt | 0 / 0 | 0 / 0 | - |
| Mgmt Bond | 1 / 1 | 1 / 1 | - |
| Other | 0 / 0 | 0 / 0 | - |
| Sensors | | | |
| Fans | 9 / 9 | 9 / 9 | - |
| SSMs | 2 / 2 | 2 / 2 | - |
| CMMs | 2 / 2 | 2 / 2 | - |
| Power Supplies | 5 / 5 | 6 / 6 | - |
--------------------------------------------------------------------------------
| VSID | VS Type & Name | Chassis 1 | Chassis 2 | Health |
--------------------------------------------------------------------------------
| 0 | V na-core-gw | ACTIVE | STANDBY | Freeze |
| 1 | S MEX-T2-VS | STANDBY | ACTIVE | OK |
| 2 | S EQU-T2-VS | ACTIVE | STANDBY | OK |
| 3 | S CAN-T2-VS | STANDBY | ACTIVE | OK |
| 4 | S SHR-T2-VS | ACTIVE | STANDBY | OK |
| 5 | S EQU-T3-VS | STANDBY | ACTIVE | OK |
| 6 | S EXTRANET-VS | ACTIVE | STANDBY | OK |
| 7 | S MEX-T3-VS | STANDBY | ACTIVE | OK |
| 8 | S SHR-T3-VS | ACTIVE | STANDBY | OK |
| 9 | S FUSION-VS | STANDBY | ACTIVE | OK |
| 10 | S IPT-VS | ACTIVE | STANDBY | OK |
| 11 | S JP-T3-VS | STANDBY | ACTIVE | OK |
| 12 | S AB-T3-VS | ACTIVE | STANDBY | OK |
| 13 | S MGMT-VS | STANDBY | ACTIVE | OK |
| 14 | S VENDOR-VS | ACTIVE | STANDBY | OK |
| 15 | S ALM-T3-VS | STANDBY | ACTIVE | OK |
| 16 | B VSB_1_TAP | ACTIVE | STANDBY | OK |
| 19 | B VSB_2_Access | STANDBY | ACTIVE | OK |
| 22 | S VS_Barakeo | ACTIVE | STANDBY | OK |
| 25 | B VSB_Packet_Bro | STANDBY | ACTIVE | OK |
| 26 | B VSB_Packet_Bro | ACTIVE | STANDBY | OK |
| 27 | S VS027 | STANDBY | ACTIVE | OK |
| 29 | S VS029 | STANDBY | ACTIVE | OK |
| 30 | B VSB-Persistant | ACTIVE | STANDBY | OK |
| 31 | S VS-Persistant- | STANDBY | ACTIVE | OK |
| 32 | B VSB_Packet_Bro | ACTIVE | STANDBY | OK |
| 34 | S VS_BOB | ACTIVE | STANDBY | OK |
| 36 | S Avalanche_Test | ACTIVE | STANDBY | OK |
| 37 | S VS_FTP | STANDBY | ACTIVE | OK |
--------------------------------------------------------------------------------
| Active Virtual Systems | 15 | 14 | |
--------------------------------------------------------------------------------
| Synchronization |
| Within chassis: Enabled (Default) |
| Between chassis: Enabled (Default) |
| Exception Rules: (Default) |
--------------------------------------------------------------------------------
>

The output shows that:


• The system is running in VSLS Mode
• The system has 38 Virtual Systems configured, including VS0
• All 18 SGMs in the Security Group are in the UP state
• For VS0, Chassis 1 is ACTIVE and Chassis 2 is STANDBY
• Active Virtual Systems are distributed between the Chassis: 15 on Chassis 1 and 14 on Chassis 2
• Synchronization within each Chassis and between the Chassis is enabled


Using 'asg stat vs all'


Use asg stat vs all to see which Virtual Systems are Active on each Chassis and their health
status.
You can run this command in gClish or Expert Mode.
Example:
> asg stat vs all

Output: VSLS
-----------------------------------------------------------------------
| VSX System Status - 61000 |
-----------------------------------------------------------------------
| Chassis Mode | VSLS |
| Up time | 4 days, 16:05:08 hours |
| SGMs | 1 / 3 (!) |
| Virtual Systems | 4 |
| Version | R76SP.50 (Build Number 2) |
-----------------------------------------------------------------------
| VSID | VS Type & Name | Chassis 1 | Chassis 2 | Health |
-----------------------------------------------------------------------
| 0 | V 61000-VSLS | DOWN (P) | ACTIVE | Problem |
| 1 | S VS1 | DOWN | ACTIVE (P) | Problem |
| 2 | S VS2 | DOWN (P) | ACTIVE | Problem |
-----------------------------------------------------------------------
| Active Virtual Systems | 0 | 3 | |
-----------------------------------------------------------------------
| Errors: |
| VSID's not on Primary chassis: 0 2 |
-----------------------------------------------------------------------
| Synchronization |
| Within chassis: Enabled (Default) |
| Between chassis: Disabled (Auto) |
| Reason: Chassis states doesn't allow Sync between chassis |
| Exception Rules: (Default) |
-----------------------------------------------------------------------

(P) - VS Primary Chassis

Output: Virtual System HA

------------------------------------------------------------------------
| VSX System Status - 61000 |
------------------------------------------------------------------------
| Chassis Mode | Active Up |
| Up time | 4 days, 12:04:35 hours |
| SGMs | 19/24 (!) |
| Virtual Systems | 103 |
| Version | R76SP.40 (Build Number 53) |
------------------------------------------------------------------------
| VSID | VS Type & Name | Chassis 1 | Chassis 2 | Health |
------------------------------------------------------------------------
| 0 | V na-core-gw | STANDBY | ACTIVE | Problem |
| 1 | S MEX-T2-VS | STANDBY | ACTIVE | Problem |
| 2 | S EQU-T2-VS | STANDBY | ACTIVE | Problem |
| 3 | S CAN-T2-VS | STANDBY | ACTIVE | Problem |
| 4 | S SHR-T2-VS | STANDBY | ACTIVE | Problem |
| 5 | S EQU-T3-VS | STANDBY | ACTIVE | Problem |
| 6 | S EXTRANET-VS | STANDBY | ACTIVE | Problem |
| 7 | S MEX-T3-VS | STANDBY | ACTIVE | Problem |
| 8 | S SHR-T3-VS | STANDBY | ACTIVE | Problem |
| 9 | S FUSION-VS | STANDBY | ACTIVE | Problem |
| 10 | S IPT-VS | STANDBY | ACTIVE | Problem |
| 11 | S JP-T3-VS | STANDBY | ACTIVE | Problem |
| 12 | S AB-T3-VS | STANDBY | ACTIVE | Problem |
| 13 | S MGMT-VS | STANDBY | ACTIVE | Problem |
| 14 | S VENDOR-VS | STANDBY | ACTIVE | Problem |
| 15 | S ALM-T3-VS | STANDBY | ACTIVE | Problem |
| 16 | B VSB_1_TAP | STANDBY | ACTIVE | Problem |
| 19 | B VSB_2_Access | STANDBY | ACTIVE | Problem |
| 22 | S VS_Barakeo | STANDBY | ACTIVE | Problem |
| 25 | B VSB_Packet_Bro | STANDBY | ACTIVE | Problem |
| 26 | B VSB_Packet_Bro | STANDBY | ACTIVE | Problem |
| 27 | S VS027 | STANDBY | ACTIVE | Problem |
| 28 | S VS028 | STANDBY | ACTIVE | Problem |
| 29 | S VS029 | STANDBY | ACTIVE | Problem |
| 30 | S VS030 | STANDBY | ACTIVE | Problem |
| 31 | S VS031 | STANDBY | ACTIVE | Problem |
| 32 | S VS032 | STANDBY | ACTIVE | Problem |
| 33 | S VS033 | STANDBY | ACTIVE | Problem |
| 34 | S VS034 | STANDBY | ACTIVE | Problem |
| 35 | S VS035 | STANDBY | ACTIVE | Problem |
| 36 | S VS036 | STANDBY | ACTIVE | Problem |
| 37 | S VS037 | STANDBY | ACTIVE | Problem |
| 38 | S VS038 | STANDBY | ACTIVE | Problem |
| 39 | S VS039 | STANDBY | ACTIVE | Problem |
| 40 | S VS040 | STANDBY | ACTIVE | Problem |
| 41 | S VS041 | STANDBY | ACTIVE | Problem |
| 42 | S VS042 | STANDBY | ACTIVE | Problem |
| 43 | S VS043 | STANDBY | ACTIVE | Problem |
| 44 | S VS044 | STANDBY | ACTIVE | Problem |
| 45 | S VS045 | STANDBY | ACTIVE | Problem |
| 46 | S VS046 | STANDBY | ACTIVE | Problem |
| 47 | S VS047 | STANDBY | ACTIVE | Problem |
| 48 | S VS048 | STANDBY | ACTIVE | Problem |
| 49 | S VS049 | STANDBY | ACTIVE | Problem |
| 50 | S VS050 | STANDBY | ACTIVE | Problem |
| 51 | S VS051 | STANDBY | ACTIVE | Problem |
| 52 | S VS052 | STANDBY | ACTIVE | Problem |
| 53 | S VS053 | STANDBY | ACTIVE | Problem |
| 54 | S VS054 | STANDBY | ACTIVE | Problem |
| 55 | S VS055 | STANDBY | ACTIVE | Problem |
| 56 | S VS056 | STANDBY | ACTIVE | Problem |
| 57 | S VS057 | STANDBY | ACTIVE | Problem |
| 58 | S VS058 | STANDBY | ACTIVE | Problem |
| 59 | S VS059 | STANDBY | ACTIVE | Problem |
| 60 | S VS060 | STANDBY | ACTIVE | Problem |
| 61 | S VS061 | STANDBY | ACTIVE | Problem |
| 62 | S VS062 | STANDBY | ACTIVE | Problem |
| 63 | S VS063 | STANDBY | ACTIVE | Problem |
| 64 | S VS064 | STANDBY | ACTIVE | Problem |
| 65 | S VS065 | STANDBY | ACTIVE | Problem |
| 66 | S VS066 | STANDBY | ACTIVE | Problem |
| 67 | S VS067 | STANDBY | ACTIVE | Problem |
| 68 | S VS068 | STANDBY | ACTIVE | Problem |
| 69 | S VS069 | STANDBY | ACTIVE | Problem |
| 70 | S VS070 | STANDBY | ACTIVE | Problem |
| 71 | S VS071 | STANDBY | ACTIVE | Problem |
| 72 | S VS072 | STANDBY | ACTIVE | Problem |
| 73 | S VS073 | STANDBY | ACTIVE | Problem |
| 74 | S VS074 | STANDBY | ACTIVE | Problem |
| 75 | S VS075 | STANDBY | ACTIVE | Problem |
| 76 | S VS076 | STANDBY | ACTIVE | Problem |
| 77 | S VS077 | STANDBY | ACTIVE | Problem |
| 78 | S VS078 | STANDBY | ACTIVE | Problem |
| 79 | S VS079 | STANDBY | ACTIVE | Problem |
| 80 | S VS080 | STANDBY | ACTIVE | Problem |
| 81 | S VS081 | STANDBY | ACTIVE | Problem |
| 82 | S VS082 | STANDBY | ACTIVE | Problem |
| 83 | S VS083 | STANDBY | ACTIVE | Problem |
| 84 | S VS084 | STANDBY | ACTIVE | Problem |
| 85 | S VS085 | STANDBY | ACTIVE | Problem |
| 86 | S VS086 | STANDBY | ACTIVE | Problem |
| 87 | S VS087 | STANDBY | ACTIVE | Problem |
| 88 | S VS088 | STANDBY | ACTIVE | Problem |
| 89 | S VS089 | STANDBY | ACTIVE | Problem |
| 90 | S VS090 | STANDBY | ACTIVE | Problem |
| 91 | S VS091 | STANDBY | ACTIVE | Problem |
| 92 | S VS092 | STANDBY | ACTIVE | Problem |
| 93 | S VS093 | STANDBY | ACTIVE | Problem |
| 94 | S VS094 | STANDBY | ACTIVE | Problem |
| 95 | S VS095 | STANDBY | ACTIVE | Problem |
| 96 | S VS096 | STANDBY | ACTIVE | Problem |
| 97 | S VS097 | STANDBY | ACTIVE | Problem |
| 98 | S VS098 | STANDBY | ACTIVE | Problem |
| 99 | S VS099 | STANDBY | ACTIVE | Problem |
| 100 | S VS100 | STANDBY | ACTIVE | Problem |
| 102 | B VSB_Packet_Bro | STANDBY | ACTIVE | Problem |
| 251 | S PROV_VS1 | STANDBY | ACTIVE | Problem |
------------------------------------------------------------------------
| Active Virtual Systems | 0 | 97 | |
------------------------------------------------------------------------
| Synchronization |
| Within chassis: Enabled (Default) |
| Between chassis: Enabled (Default) |
| Exception Rules: (Default) |
------------------------------------------------------------------------
>
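
Operators who collect this output over SSH usually want the two facts that the Errors section of the VSLS output summarizes: which Virtual Systems are Active away from their Primary Chassis, and how many Virtual Systems each Chassis is carrying. The following is an added example, not Check Point code, that derives both from the VSID table of the VSLS output above with awk. The sample table is constructed to match that output, the functions read the command output from standard input, and the column layout (VSID, type and name, Chassis 1, Chassis 2, Health) and the "(P)" marker are assumed to be exactly as printed above.

```shell
#!/bin/sh
# Added example (not Check Point code): derive the VSLS "Errors" summary from
# the VSID table that "asg stat vs all" prints. On a gateway you would run:
#   asg stat vs all | vsls_off_primary
# Here the input is a constructed sample modelled on the VSLS output above.

ASG_VSLS_SAMPLE='-----------------------------------------------------------------------
| VSID | VS Type & Name | Chassis 1 | Chassis 2 | Health |
-----------------------------------------------------------------------
| 0 | V 61000-VSLS | DOWN (P) | ACTIVE | Problem |
| 1 | S VS1 | DOWN | ACTIVE (P) | Problem |
| 2 | S VS2 | DOWN (P) | ACTIVE | Problem |
-----------------------------------------------------------------------
| Active Virtual Systems | 0 | 3 | |'

# Rows are pipe-delimited: $2=VSID $3=type and name $4=Chassis 1 $5=Chassis 2 $6=Health.
# Only rows whose VSID cell is a bare number are VS rows; headers and totals are skipped.
vs_rows() { awk -F'|' '$2 ~ /^ *[0-9]+ *$/'; }

# VSIDs whose ACTIVE cell is not the cell carrying the (P) Primary marker, space-separated.
vsls_off_primary() {
    vs_rows | awk -F'|' '
    {
        vsid = $2 + 0
        active = 0;  if ($4 ~ /ACTIVE/) active = 1;  if ($5 ~ /ACTIVE/) active = 2
        primary = 0; if ($4 ~ /\(P\)/)  primary = 1; if ($5 ~ /\(P\)/)  primary = 2
        if (active && primary && active != primary)
            out = (out == "") ? vsid : out " " vsid
    }
    END { print out }'
}

# Number of Virtual Systems ACTIVE on Chassis $1 (1 or 2), counted from the rows
# rather than taken from the totals line.
vsls_active_count() {
    vs_rows | awk -F'|' -v col="$(( $1 + 3 ))" '$col ~ /ACTIVE/ { n++ } END { print n + 0 }'
}

# VSIDs whose Health cell is anything other than OK, space-separated.
vsls_unhealthy() {
    vs_rows | awk -F'|' '$6 !~ /^ *OK *$/ { out = (out == "") ? $2 + 0 : out " " ($2 + 0) } END { print out }'
}

printf '%s\n' "$ASG_VSLS_SAMPLE" | vsls_off_primary      # 0 2, matching the Errors line above
printf '%s\n' "$ASG_VSLS_SAMPLE" | vsls_active_count 2   # 3
printf '%s\n' "$ASG_VSLS_SAMPLE" | vsls_unhealthy        # 0 1 2
```

A non-empty result from vsls_off_primary after a maintenance action is the condition to alert on: the Virtual System is running, but on the Chassis that the selection criteria above chose, not on the one you configured as Primary.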

Using 'asg stat vs'


Use asg stat vs to show status information, SGM states, and problems for a specified Virtual
System.
Select the Virtual System context before you run this command.
You can run this command in gClish or Expert Mode.
In gClish, run these commands:
> set virtual-system <VS_ID>
> asg stat vs

In Expert Mode, run these commands:


# vsenv <VS_ID>
# asg stat vs

Example:
# vsenv 1
# asg stat vs
--------------------------------------------------------------------------
| VSX System Status - 61000 |
--------------------------------------------------------------------------
| VS ID 1 |
| VS Name VS1 |
| Chassis Mode VSLS |
| FW Policy Date 09Jun14 19:12 |
--------------------------------------------------------------------------
| Chassis 1 (Primary) STANDBY |
--------------------------------------------------------------------------
| SGM ID State Process Health |
| 1 DOWN Inactive fwk |
| 2 (local) UP Enforcing Security OK |
| 3 UP Enforcing Security OK |
| 4 UP Enforcing Security OK |
--------------------------------------------------------------------------
| Chassis 2 ACTIVE |
--------------------------------------------------------------------------
| SGM ID State Process Health |
| 1 UP Enforcing Security OK |
| 2 UP Enforcing Security OK |
| 3 UP Enforcing Security OK |
| 4 UP Enforcing Security OK |
--------------------------------------------------------------------------
| Active Chassis: 2 |
| Primary chassis has a problem. Secondary chassis health is better. |
--------------------------------------------------------------------------
| Chassis 1 Chassis 2 |
| Ports 1 / 1 1 / 1 |
| Bonds 0 / 0 0 / 0 |
| FWKs 3 / 4 4 / 4 |
| SGMs 4 / 4 4 / 4 |
--------------------------------------------------------------------------
#

The example above shows:


• For VS1 on Chassis 1, SGM1 is DOWN because its fwk process is inactive.
• The Primary Chassis for this Virtual System (Chassis 1) has a Firewall problem, but is otherwise
working properly.
• VS1 failed over to Chassis 2, which is not the defined Primary Chassis for this Virtual System.
• All other SGMs are working properly.


SGM health status:


• OK - This SGM does not have problems.
• SGM - The SGM has a problem.
• fwk - The Firewall kernel has a problem.
• Policy - The policy date for this SGM is different from the Firewall policy date.
• Interface - The number of interfaces on this SGM is different from the related SGM on the
other Chassis.
• Problem - This SGM has one or more problems.
• Pnote - This SGM has a problem that generated a pnote.
The bottom section shows the Active Chassis and the reason why the Primary Chassis is not
Active, if applicable. Possible reasons:
• Primary Chassis health is good.
• Primary Chassis has a problem. Secondary Chassis health is better.
• Primary Chassis is above Active SGM threshold.
• Primary Chassis is below Active SGM threshold.
• Both Chassis have fwk problems. Continue using the Primary Chassis.
• Both Chassis have fwk problems. Primary Chassis health is better.
• Both Chassis have fwk problems. Secondary Chassis health is better.
• Both Chassis have interface problems. Continue using the Primary Chassis.
• Both Chassis have interface problems. Primary Chassis health is better.
• Both Chassis have interface problems. Secondary Chassis health is better.
• Both Chassis have problems. Continue using the Primary Chassis.
• Both Chassis have problems. Secondary Chassis health is better.


Using SNMP
SNMP information for VSLS is located in:
iso.org.dod.internet.private.enterprises.checkpoint.products.asg.asgVSX.asgVslsInfo
(OID 1.3.6.1.4.1.2620.1.48.30.20)

VSLS SNMP monitors:


• SGM ratio threshold value
• System Primary Chassis
• Active Chassis for each Virtual System
• Primary Chassis for each Virtual System
• Number of configured interfaces for each Virtual System
• Number of UP interfaces for each Virtual System
• Number of working FWK instances for each Virtual System
• Total number of FWK instances for each Virtual System
SNMP for VSLS supports these modes:
• Default - SNMP collects data from all SGMs for all Virtual Systems
• Virtual Systems - SNMP monitors each Virtual System separately


Monitoring and Logging in VSX


Use these features to monitor and log your system in VSX.

VSX Functionality
The VSX commands run only on a VSX machine.

Syntax Description
stat Prints information about the VSX environment
verify Verifies integrity and correctness of the configurations on all the
blades
logs Collects VSX related logs
hw_utilization Hardware utilization
mstat Prints VSX memory related information

Monitoring Hardware Utilization for VSX (hw_utilization)


Description
Use the hw_utilization command to monitor the system CPU configuration, connection capacity,
and CoreXL status on VS0. This set of tests runs as part of the smo verifiers utility (show smo
verifiers) for VSX environments only. The results show in the VSX Configuration section.
You can also run hw_utilization in Expert Mode as an independent command.

Syntax
# hw_utilization <parameter>

Parameters
Parameter Description
cpu Shows alerts for CPU configuration issues.
conn Shows alerts for connection capacity issues.
wizard Shows recommendations for optimum CPU distribution between
Multi-Queue and fwk instances. Shows recommendations for the optimal
number of CoreXL instances for each Virtual System.
configure Changes the default parameter values for this command.
set_suppress Toggle display of alerts that show if CoreXL is enabled for VS0.

Examples:
# hw_utilization cpu
CPU utilization:
================
FWK cores: 0 1 10 11 2 20 21 22 23 24 25 26 27 28 29 3 31 39 4 5 6 7 8 9
MQ cores: 12 13 14 15 16 17 18 19 32 33 34 35 36 37 38 39
Unused CPU ID/s: 30
Overlapping CPU ID/s:39
In this example, CPU 39 appears in both the FWK and the MQ core lists, so it is reported as
overlapping, and CPU 30 is assigned to neither.

# hw_utilization conn
Connection capacity utilization:
=================================
+------+---------+-----------------+-----------------+---------------+-------------+
| VSID | Type | Name | [SGM_ID] | [SGM_ID] | Conn. limit |
| | | | Max Conn. | Max Conn. | |
| | | | Number | Peak | |
+------+---------+-----------------+-----------------+---------------+-------------+
| 0 | VSX | Guru-T3-127 | [1_05] 572 | [1_02] 9312 | 31800 |
| 1 | VS | vs1-T3 | [1_02] 4900 | [1_08] 95 | 49800 |
| 3 | VS | vs2-T3 | [1_11] 8 | [1_03] 540 | 1999900 |
| 4 | VS | vs3-T3 | [2_03] 9 | [1_02] 530 | 999900 |
| 5 | VS | vs4-T3 | [1_02] 19502 | [1_02] 0 | 24900 |
| 7 | VSB | vsb1-T3 | [1_03] 350 | [1_05] 0 | 49800 |
+------+---------------------------+-----------------+----------------+------------+
All virtual devices are above the minimum connection capacity limit (24000)
**Concurrent connections amount almost exceeds connection limit**
Virtual devices 1 5 are close to their connection limit (less than 25000 new connections can be opened)

# hw_utilization wizard
How much traffic is accelerated (in percentage)?
Give the traffic distribution for each configured VS (in percentage).

According to the given information a recommended CPU tuning for the system is presented. For example:
How much traffic is accelerated (in percentage)?
40
How much traffic is distributed to the following 7 VSs (in percentage):

vs1-T3: 10
vs2-T3: 10
vs3-T3: 10
vs4-T3: 10
vs5-T3: 10
vsb1-T3: 40

Recommended optimization:
=========================
4 cores for Multi-queue
8 cores for VSs
Instances per VSs:
1 instance for Gruffalo-T3-127
1 instance for vs1-T3
1 instance for vs2-T3
1 instance for vs3-T3
1 instance for vs4-T3
1 instance for vs5-T3
4 instances for vsb1-T3
Please note that the number of recommended assigned FWK instances (10) is higher by 2 than the number
of CPUs that are available for FWK (8)
Hence, there will be maximum 2 CPUs that will run more than 1 fwk instance simultaneously
**The instances per VS recommendation assumes that all VSs are handling traffic simultaneously
Connections Capacity
According to the pre-defined values MIN_CONN_LIMIT and CONN_DIFF_FROM_LIMIT, these checks are
performed and the user is alerted when:
1. connections limit < MIN_CONN_LIMIT
2. connections number + CONN_DIFF_FROM_LIMIT >= connections limit
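The two capacity checks above can be applied to the table that hw_utilization conn prints. The following script is an added example, not part of the Check Point tooling: it parses the table and flags the devices that trip each check. The threshold values (24000 and 25000) are read off the example output above and are assumptions for any other system; the sample table is constructed.

```python
import re

# Thresholds named in the guide. The values are read off the example output
# (minimum limit 24000, fewer than 25000 free connections); other systems may differ.
MIN_CONN_LIMIT = 24000
CONN_DIFF_FROM_LIMIT = 25000

# One device row of the table:
# | VSID | Type | Name | [SGM] max conn number | [SGM] max conn peak | limit |
ROW_RE = re.compile(
    r"^\|\s*(\d+)\s*\|\s*(\w+)\s*\|\s*(\S+)\s*\|"
    r"\s*\[(\d+_\d+)\]\s*(\d+)\s*\|\s*\[(\d+_\d+)\]\s*(\d+)\s*\|\s*(\d+)\s*\|$"
)

# Constructed sample in the format of 'hw_utilization conn' (not a real system).
SAMPLE = """\
Connection capacity utilization:
=================================
+------+------+--------+---------------+---------------+-------------+
| VSID | Type | Name   | [SGM_ID]      | [SGM_ID]      | Conn. limit |
|      |      |        | Max Conn.     | Max Conn.     |             |
|      |      |        | Number        | Peak          |             |
+------+------+--------+---------------+---------------+-------------+
| 0    | VSX  | vsx-gw | [1_05]   572  | [1_02]  9312  | 31800       |
| 1    | VS   | vs1    | [1_02]  4900  | [1_08]    95  | 49800       |
| 2    | VS   | vs2    | [1_11]     8  | [1_03]   540  | 19900       |
| 5    | VS   | vs4    | [1_02] 19502  | [1_02]     0  | 24900       |
| 7    | VSB  | vsb1   | [1_03]   350  | [1_05]     0  | 49800       |
+------+------+--------+---------------+---------------+-------------+
"""


def parse_conn_table(text):
    """Return one dict per virtual device row; header and rule lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        vsid, vtype, name, num_sgm, num, peak_sgm, peak, limit = m.groups()
        devices.append({
            "vsid": int(vsid), "type": vtype, "name": name,
            "max_conn_sgm": num_sgm, "max_conn": int(num),   # busiest SGM now
            "peak_sgm": peak_sgm, "peak": int(peak),          # busiest SGM at peak
            "limit": int(limit),
        })
    return devices


def check_capacity(devices, min_limit=MIN_CONN_LIMIT, diff=CONN_DIFF_FROM_LIMIT):
    """Apply the guide's two checks and return the VSIDs that trip each one.

    check 1: connections limit < MIN_CONN_LIMIT
    check 2: connections number + CONN_DIFF_FROM_LIMIT >= connections limit
    """
    below_min = [d["vsid"] for d in devices if d["limit"] < min_limit]
    near_limit = [d["vsid"] for d in devices if d["max_conn"] + diff >= d["limit"]]
    return {"below_min_limit": below_min, "near_limit": near_limit}


def alerts(text, min_limit=MIN_CONN_LIMIT, diff=CONN_DIFF_FROM_LIMIT):
    """Parse the table and phrase the results the way the command does."""
    result = check_capacity(parse_conn_table(text), min_limit, diff)
    lines = []
    if result["below_min_limit"]:
        lines.append("Virtual devices %s are below the minimum connection capacity limit (%d)"
                     % (" ".join(map(str, result["below_min_limit"])), min_limit))
    else:
        lines.append("All virtual devices are above the minimum connection capacity limit (%d)"
                     % min_limit)
    if result["near_limit"]:
        lines.append("Virtual devices %s are close to their connection limit "
                     "(less than %d new connections can be opened)"
                     % (" ".join(map(str, result["near_limit"])), diff))
    return lines


if __name__ == "__main__":
    for line in alerts(SAMPLE):
        print(line)
```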

Monitoring VSX Memory Resources (vsxmstat)


Use the vsxmstat command to enable memory monitoring for the VSX Gateway. This command
shows an overview of the memory that the system and each Virtual Device is using. These are the
global memory resources that are shown:

Parameter Description
Memory Total Total physical memory on the VSX Gateway
Memory Free Available physical memory
Swap Total Total of swap memory
Swap Free Available swap memory
Swap-in rate Total memory swaps per second


The Virtual Devices are listed according to the VSIDs. Run the vsx stat -v command to show the
VSID for the Virtual Devices.
You must be in Expert Mode to run the vsxmstat command.

Using 'vsxmstat'
Description
Use the vsxmstat command to enable or disable memory information collection on the VSX
Gateway.

Syntax
# vsxmstat {enable_raw | disable_raw | status_raw}

Parameters
Parameter Description
enable_raw Enables memory resource monitoring for perfanalyze use.
disable_raw Disables memory resource monitoring for perfanalyze use.
status_raw Shows if memory resource monitoring is enabled or disabled for perfanalyze
use.

Example:
# vsxmstat disable_raw
VSX memory resource control is disabled for perfanalyze use

Memory Resources for Each Virtual Device


Description
Use the vsxmstat command to show memory usage for each Virtual Device.
You can use the -vs parameter to show specified Virtual Devices only.

Syntax
# vsxmstat [-vs <VS_ID>] [unit <unit>] [sort <top>]

Parameters
Parameter Description
-vs Shows the memory usage of the specified Virtual Devices.
<VS_ID> Virtual Device identification.
To show multiple devices:
• Put a space between each VSID: -vs 1 3 5
• List a range of VSIDs: -vs 1-4
Note - You can combine VSID ranges together with single VSIDs.
unit Change the memory measurement unit shown in the command output.


Parameter Description
<unit> The memory measurement unit. The default value is megabytes.
Use with the unit parameter.
The values are:
• B - bytes
• K, KB - kilobytes
• M, MB - megabytes (default)
• G, GB - gigabytes
sort Sort the results according to the Virtual Devices that use the most memory.
<top> Maximum number of Virtual Devices to show. Only those Virtual Devices that use
the most memory are shown.
Use with the sort parameter.
Use all to show all Virtual Devices.

Example - both commands show the same results:
# vsxmstat -vs 0 1 3 5-8 unit MB sort 5
# vsxmstat sort 5

Example output:
VSX Memory Status
=================
Memory Total: 997.22 MB
Memory Free: 232.56 MB
Swap Total: 2047.34 MB
Swap Free: 2047.16 MB
Swap-in rate: 0.00 MB
VSID | Memory Consumption
======+====================
0 | 133.50 MB
8 | 92.41 MB
3 | 43.81 MB
6 | 42.47 MB
1 | 42.47 MB

Configuring Swap-in Sample Rate


Description
The swap-in rate measures how much memory per second the system swaps in from disk. You can
configure how frequently the system calculates the swap-in rate. For example, a sample rate of 5
means that the system calculates the swap-in rate at five-minute intervals.

Syntax
# vsxmstat swap <minutes>

<minutes> is the amount of time, in minutes, that the system measures memory swaps to
determine the swap-in rate. Only integers are valid values. The default swap-in sample rate is 10.

Example:
# vsxmstat swap 5
Swap-in sample rate was changed successfully to 5 minutes.


Notes:
• Swap-in sample rate is a system wide Linux setting. When you change the value for memory
monitoring, all the swap-in rates are calculated according to the new value.
• When you enable the monitoring memory resources feature, the swap-in rate setting is saved.
When you disable the feature, the system restores the saved setting.

Using Debug Mode


Description
Use the debug command to show more data about the memory use of the VSX Gateway.
Notes:
• You cannot use the -vs, unit, and sort parameters in debug mode.
• By default, the memory is shown in kilobytes.

Syntax
# vsxmstat debug

Example output
VSX Memory Status
=================
Memory Total: 1021152.00 KB
Memory Free: 324788.00 KB
Swap Total: 2096472.00 KB
Swap Free: 2096404.00 KB
Swap-in rate: 375.34 KB

VSID | Private_Clean | Private_Dirty | DispatcherGConn
======+====================+====================+====================+
0 | 13544.00 KB | 144268.00 KB | 0.00 KB |
1 | 1740.00 KB | 46276.00 KB | 0.00 KB |
2 | 1720.00 KB | 46868.00 KB | 0.00 KB |
3 | 1720.00 KB | 46644.00 KB | 0.00 KB |
4 | 1712.00 KB | 45144.00 KB | 0.00 KB |
5 | 1712.00 KB | 45836.00 KB | 0.00 KB |
6 | 1720.00 KB | 45000.00 KB | 0.00 KB |
7 | 1720.00 KB | 45044.00 KB | 0.00 KB |

Output description:
Field Description
Private_Clean Clean private pages (/proc/[pid]/smaps)
Private_Dirty Dirty private pages (/proc/[pid]/smaps)
DispatcherHTab Hash table for each Virtual System
DispatcherGConn Global connections for each Virtual System
SecureXL SecureXL memory each Virtual System uses


Monitoring VSX Configuration (vsx stat)


This tool runs only on VSX.
Syntax
vsx stat [parameter]

Parameters

Parameter Description
--version Shows the program version number and exits
-h, --help Shows this help message and exits
-p, --policy Prints policies on Virtual Systems
-v, --v Legacy prints policies on Virtual Systems
-s, --sw_blades Prints Software Blades on Virtual Systems
-c, --processes Prints processes on Virtual Systems
-t, --topology Prints topology on Virtual Systems
-r, --routes Prints routes on Virtual Systems
-i, --interfaces Prints interfaces and distributions on Virtual Systems
-u, --cores Prints core allocations on Virtual Systems
-n, --conn_vmems Prints connections and virtual memory on Virtual Systems
-a, --all Prints all the information on Virtual Systems

Example
> vsx stat
Policy Table
=============
+----+----------------+------------------+---------------------+-----------+
| ID | Type & Name    | Security Policy  | Installed at        | SIC State |
+----+----------------+------------------+---------------------+-----------+
| 0 | S Cost | NA-Core-GW_VSX | 2016-04-03 17:30:54 | Trust |
| 1 | S MEX-T2-VS | MEX-T2 | 2016-04-03 17:36:47 | Trust |
| 2 | S EQU-T2-VS | EQU-T2 | 2016-04-10 10:47:38 | Trust |
| 3 | S CAN-T2-VS | CAN-T2 | 2016-04-10 10:38:26 | Trust |
| 4 | S SHR-T2-VS | SHARED-T2 | 2016-04-03 17:46:34 | Trust |
| 5 | S EQU-T3-VS | EQU-T3 | 2016-04-03 17:33:46 | Trust |
| 6 | S EXTRANET-VS | EXTRANET | 2016-04-03 17:54:09 | Trust |
| 7 | S MEX-T3-VS | MEX-T3 | 2016-04-03 17:37:56 | Trust |
| 8 | S SHR-T3-VS | SHARED-T3 | 2016-04-03 17:47:40 | Trust |
| 9 | S FUSION-VS | FUSION | 2016-04-03 17:51:28 | Trust |
| 10 | S IPT-VS | IPT | 2016-04-03 17:35:55 | Trust |
| 11 | S JP-T3-VS | JP-T3 | 2016-04-03 17:42:27 | Trust |
| 12 | S AB-T3-VS | AB-T3 | 2016-04-03 17:45:34 | Trust |
| 13 | S MGMT-VS | MGMT | 2016-04-03 17:50:08 | Trust |
| 14 | S VENDOR-VS | VENDOR | 2016-04-03 17:49:02 | Trust |
| 15 | S ALM-T3-VS | ALM-T3 | 2016-04-03 17:43:23 | Trust |
| 16 | B VSB_1_TAP | <Not Applicable> | | Trust |
| 17 | W VSW1 | <Not Applicable> | | Trust |
| 18 | W VSW2 | <Not Applicable> | | Trust |
| 19 | B VSB_2_Access | <Not Applicable> | | Trust |
| 20 | W VSW_Share_identities | <Not Applicable> | | Trust |
| 21 | W VSW_Barakeo1 | <Not Applicable> | | Trust |
| 22 | S VS_Barakeo | Big_Policia1 | 2016-04-10 10:43:31 | Trust |
| 23 | W DMZ_VSW | <Not Applicable> | | Trust |
| 24 | W VPN_DMZ_VSW | <Not Applicable> | | Trust |
| 25 | B VSB_Packet_Brocker | <Not Applicable> | | Trust |
| 26 | S VS026 | Standard | 2016-04-03 17:53:16 | Trust |
| 27 | S VS027 | Standard | 2016-04-03 17:53:36 | Trust |
| 28 | S VS028 | Standard | 2016-04-03 17:53:56 | Trust |
+----+----------------+------------------+---------------------+-----------+

Software Blades Table
======================
+-----+----------------+------------------------------------------+
| ID | Type & Name | Software Blades |
+----+----------------+-------------------------------------------+
| 0 | S Cost | FW |
| 1 | S MEX-T2-VS | FW VPN URLF AV APPI IPS IDENTITYSERVER ANTI_BOT |
| 2 | S EQU-T2-VS | FW VPN URLF AV APPI IPS IDENTITYSERVER ANTI_BOT |
| 3 | S CAN-T2-VS | FW VPN URLF AV APPI IPS IDENTITYSERVER ANTI_BOT |
| 4 | S SHR-T2-VS | FW VPN |
| 5 | S EQU-T3-VS | FW VPN URLF AV APPI IPS IDENTITYSERVER ANTI_BOT |
| 6 | S EXTRANET-VS | FW VPN APPI IDENTITYSERVER |
| 7 | S MEX-T3-VS | FW URLF APPI IDENTITYSERVER |
| 8 | S SHR-T3-VS | FW AV ANTI_BOT |
| 9 | S FUSION-VS | FW |
| 10 | S IPT-VS | FW |
| 11 | S JP-T3-VS | FW |
| 12 | S AB-T3-VS | FW IDENTITYSERVER |
| 13 | S MGMT-VS | FW VPN IPS |
| 14 | S VENDOR-VS | FW |
| 15 | S ALM-T3-VS | FW VPN |
| 16 | B VSB_1_TAP | FW URLF AV APPI IPS SSL_INSPECT ANTI_BOT |
| 19 | B VSB_2_Access | FW URLF AV APPI SSL_INSPECT ANTI_BOT |
| 22 | S VS_Barakeo | FW IPS |
| 25 | B VSB_Packet_Brocker | FW URLF AV APPI IPS ANTI_BOT |
| 26 | S VS026 | FW IPS |
| 27 | S VS027 | FW IPS |
+----+----------------+-------------------------------------------+

Processes Table
================
+-----+------------------------+-------+-------+-------+--------+
| ID | Type & Name | FWK | FWD | CPD | ROUTED |
+-----+------------------------+-------+-------+-------+--------+
| 0 | S Cost | 9095 | 23132 | 18466 | 8153 |
| 1 | S MEX-T2-VS | 6899 | 6912 | 6901 | 20694 |
| 2 | S EQU-T2-VS | 5313 | 5308 | 5306 | 1220 |
| 3 | S CAN-T2-VS | 31757 | 31818 | 30765 | 7084 |
| 4 | S SHR-T2-VS | 27556 | 27567 | 27563 | 21253 |
| 5 | S EQU-T3-VS | 15792 | 14992 | 14889 | 8155 |
| 6 | S EXTRANET-VS | 10289 | 10298 | 10288 | 31735 |
| 7 | S MEX-T3-VS | 12681 | 11924 | 11915 | 25467 |
| 8 | S SHR-T3-VS | 28849 | 28876 | 28833 | 21163 |
| 9 | S FUSION-VS | 29471 | 29470 | 29440 | 15220 |
| 10 | S IPT-VS | 7530 | 7545 | 7536 | 15307 |
| 11 | S JP-T3-VS | 15126 | 15149 | 15127 | 20674 |
| 12 | S AB-T3-VS | 4063 | 4045 | 4036 | 7480 |
| 13 | S MGMT-VS | 12592 | 13018 | 13003 | 1001 |
| 14 | S VENDOR-VS | 18563 | 18576 | 18567 | 20665 |
| 15 | S ALM-T3-VS | 23961 | 22049 | 22009 | 7972 |
| 16 | B VSB_1_TAP | 28033 | 28055 | 28040 | - |
| 17 | W VSW1 | 13577 | 13560 | 13540 | - |
| 18 | W VSW2 | 13638 | 13767 | 13704 | - |
| 19 | B VSB_2_Access | 25870 | 25876 | 25868 | - |
| 20 | W VSW_Share_identities | 13670 | 13763 | 13691 | - |
| 21 | W VSW_Barakeo1 | 13630 | 13685 | 13639 | - |
| 22 | S VS_Barakeo | 32648 | 32656 | 32637 | 12980 |
| 23 | W DMZ_VSW | 5952 | 5948 | 5938 | - |
| 24 | W VPN_DMZ_VSW | 13516 | 13538 | 13528 | - |
| 25 | B VSB_Packet_Brocker | 9757 | 9773 | 9756 | - |
| 26 | S VS026 | 14382 | 14306 | 14111 | 29379 |
| 27 | S VS027 | 14485 | 14465 | 14440 | 29381 |
| 28 | S VS028 | 14308 | 14612 | 14463 | 29384 |
| 29 | S VS029 | 7669 | 7733 | 7671 | 25901 |
| 30 | S VS030 | 9471 | 9454 | 9447 | 28496 |
| 31 | S VS031 | 14680 | 14709 | 14691 | 5603 |
| 32 | S VS032 | 14584 | 14697 | 14519 | 29397 |
| 33 | S VS033 | 14502 | 14609 | 14523 | 5616 |
| 34 | S VS034 | 16692 | 18837 | 16815 | 5630 |
| 35 | S VS035 | 21622 | 22052 | 22038 | 5641 |
+-----+------------------------+-------+-------+-------+--------+

Topology Table
===============
+------+------------------+------+--------------------+-----------+
| VSID | Type & Name | VSID | Type & Name | Interface |
+------+------------ -----+------+--------------------+-----------+
| 10 | S IPT-VS | 23 | W DMZ_VSW | wrpj640 |
+------+------------------+------+--------------------+-----------+
| 100 | S MyVS | 17 | W VSW1 | wrpj6400 |
+------+------------------+------+--------------------+-----------+
| 12 | S AB-T3-VS | 17 | W VSW1 | wrpj768 |
| | S AB-T3-VS | 20 | W VSW_Share_identities | wrpj769 |
| | S AB-T3-VS | 23 | W DMZ_VSW | wrpj770 |
+------+-----------------+------+---------------------+-----------+
| 17 | W VSW1 | 100 | S MyVS | wrp6400 |
| | W VSW1 | 12 | S AB-T3-VS | wrp768 |
| | W VSW1 | 3 | S CAN-T2-VS | wrp193 |
+------+-----------------+------+---------------------+-----------+
| 2 | S EQU-T2-VS | 23 | W DMZ_VSW | wrpj130 |
| | S EQU-T2-VS | 24 | W VPN_DMZ_VSW | wrpj131 |
+------+-----------------+------+---------------------+-----------+
| 20 | W VSW_Share_identities | 12 | S AB-T3-VS | wrp769 |
| | W VSW_Share_identities | 3 | S CAN-T2-VS | wrp192 |
+------+------------------------+------+--------------+-----------+
| 23 | W DMZ_VSW | 10 | S IPT-VS | wrp640 |
| | W DMZ_VSW | 12 | S AB-T3-VS | wrp770 |
| | W DMZ_VSW | 2 | S EQU-T2-VS | wrp130 |
| | W DMZ_VSW | 3 | S CAN-T2-VS | wrp194 |
| | W DMZ_VSW | 4 | S SHR-T2-VS | wrp257 |
| | W DMZ_VSW | 5 | S EQU-T3-VS | wrp322 |
| | W DMZ_VSW | 6 | S EXTRANET-VS | wrp384 |
| | W DMZ_VSW | 7 | S MEX-T3-VS | wrp448 |
+------+------------------------+------+---------------+----------+
| 24 | W VPN_DMZ_VSW | 2 | S EQU-T2-VS | wrp131 |
| | W VPN_DMZ_VSW | 4 | S SHR-T2-VS | wrp256 |
| | W VPN_DMZ_VSW | 5 | S EQU-T3-VS | wrp321 |
+------+------------------------+------+---------------+----------+
| 3 | S CAN-T2-VS | 17 | W VSW1 | wrpj193 |
| | S CAN-T2-VS | 20 | W VSW_Share_identities | wrpj192 |
| | S CAN-T2-VS | 23 | W DMZ_VSW | wrpj194 |
+------+------------------+----+------------------------+---------+
| 4 | S SHR-T2-VS | 23 | W DMZ_VSW | wrpj257 |
| | S SHR-T2-VS | 24 | W VPN_DMZ_VSW | wrpj256 |
+------+------------------+----+------------------------+---------+
| 5 | S EQU-T3-VS | 23 | W DMZ_VSW | wrpj322 |
| | S EQU-T3-VS | 24 | W VPN_DMZ_VSW | wrpj321 |
+------+------------------+----+------------------------+---------+
| 6 | S EXTRANET-VS | 23 | W DMZ_VSW | wrpj384 |
+------+------------------+----+------------------------+---------+
| 7 | S MEX-T3-VS | 23 | W DMZ_VSW | wrpj448 |
+------+------------------+----+------------------------+---------+

Routes Table
=============
+----+-------------+----------------+----------------+------------+
| ID | Type & Name | Destination | Gateway | Interface |
+----+-------------+----------------+----------------+------------+
| 1 | S MEX-T2-VS | 120.100.1.96 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.97 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.98 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.99 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.100 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.88 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.91 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.90 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.93 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.92 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.95 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.94 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.87 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.86 | 11.1.1.3 | bond2.120 |
| | | 5.5.5.5 | 10.133.252.27 | bond3.48 |
| | | 120.100.1.58 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.59 | 11.1.1.3 | bond2.120 |
| | | 81.81.81.1 | 11.1.1.4 | bond2.120 |
| | | 120.100.1.60 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.48 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.42 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.43 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.40 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.41 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.46 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.47 | 11.1.1.3 | bond2.120 |
| | | 120.100.1.44 | 11.1.1.3 | bond2.120 |
+-----+------------+-----------------+---------------+------------+

Interfaces Table
=================

+----+-------------+-----------+----------+---------+--------------+
| ID | Type & Name | Interface | Address | Netmask | Distribution |
+----+-------------+-----------+----------+---------+--------------+
| | | | | | |
| 1 | S MEX-T2-VS | bond1.2303 | 10.133.242.215 | 28 | policy-internal |
| | | | - | - | |
| | | bond2.2025 | 81.81.81.97 | 30 | policy-external |
| | | | - | - | |
| | | bond2.2024 | 81.81.81.93 | 30 | policy-internal |
| | | | - | - | |
| | | bond2.2021 | 81.81.81.81 | 30 | policy-internal |
| | | | - | - | |
| | | bond2.2020 | 81.81.81.77 | 30 | policy-internal |
| | | | - | - | |
| | | bond2.2023 | 81.81.81.89 | 30 | policy-external |
| | | | - | - | |
| | | bond2.2022 | 81.81.81.85 | 30 | policy-internal |
| | | | - | - | |
| | | bond1.252 | 10.133.242.100 | 28 | policy-external |
| | | | - | - | |
| | | bond2.120 | 11.1.1.1 | 8 | policy-internal |
| | | | - | - | |
| | | bond2.2011 | 81.81.81.41 | 30 | policy-external |
| | | | - | - | |
| | | bond2.2015 | 81.81.81.57 | 30 | policy-internal |
| | | | - | - | |
| | | bond6.562 | 171.171.251.11 | 24 | policy-internal |
| | | | - | - | |
| | | bond1.120 | 111.1.1.1 | 8 | policy-external |
| | | | - | - | |
| | | bond2.2010 | 81.81.81.37 | 30 | policy-internal |
| | | | - | - | |
| | | bond2.2012 | 81.81.81.45 | 30 | policy-internal |
| | | | - | - | |
| | | bond2.2013 | 81.81.81.49 | 30 | policy-internal |
| | | | - | - | |
| | | bond2.2014 | 81.81.81.53 | 30 | policy-internal |
| | | | - | - | |
| | | bond2.2018 | 81.81.81.69 | 30 | policy-external |
| | | | - | - | |
| | | bond2.2019 | 81.81.81.73 | 30 | policy-internal |
| | | | - | - | |
| | | bond3.120 | 1.1.1.1 | 8 | policy-internal |
| | | | - | - | |
| | | bond2.2016 | 81.81.81.61 | 30 | policy-internal |
| | | | - | - | |
| | | bond2.2017 | 81.81.81.65 | 30 | policy-external |
| | | | - | - | |
| | | bond6.3000 | 31.0.0.1 | 8 | policy-internal |
| | | | - | - | |
| | | bond4.120 | 21.0.0.1 | 8 | policy-external |
| | | | - | - | |
| | | bond2.2007 | 81.81.81.25 | 30 | policy-internal |
| | | | - | - | |
| | | bond2.2006 | 81.81.81.21 | 30 | policy-internal |
| | | | - | - | |
+---+-------------+------------+--------------+-----+-----------------+

Core Allocations Table
=======================
+---+--------------+------------+-------+------------------------------+
| ID | Type & Name | CoreXL IPv(4/6) | Type | CPUs |
+----+-------------+-----------------+-------+-------------------------+
| 0 | S Cost | -/- | | |
| | | | P FWK | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P FWD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P CPD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| 1 | S MEX-T2-VS | 8/0 | |
| | | | P FWK | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P FWD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P CPD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| 2 | S EQU-T2-VS | 8/0 | | |
| | | | P FWK | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P FWD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P CPD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| 3 | S CAN-T2-VS | 8/0 | | |
| | | | P FWK | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P FWD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P CPD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| 4 | S SHR-T2-VS | 8/0 | | |
| | | | P FWK | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |

| | | | P FWD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P CPD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| 5 | S EQU-T3-VS | 3/0 | | |
| | | | P FWK | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P FWD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P CPD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| 6 | S EXTRANET-VS | 4/0 | | |
| | | | P FWK | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P FWD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
| | | | P CPD | 0 1 2 3 4 5 6 7 8 9 10 11 20 21 22 23 24 25 26 27 28 29 30 31 |
+---+---+---+-------+--------------------------------------------------+

Connections and Virtual Memory Table
=====================================
+-----+------------------------+-------------+---------------------+
| ID | Type & Name | Virtual Mem | Connections |
+-----+------------------------+-------------+---------------------+
| 0 | S Cost | 789/62994 | 3973/7043/16900 |
| 1 | S MEX-T2-VS | 3042/62994 | 1427/151559/4999900 |
| 2 | S EQU-T2-VS | 2376/62994 | 4576/189922/1999900 |
| 3 | S CAN-T2-VS | 2245/62994 | 141/193912/999900 |
| 4 | S SHR-T2-VS | 1864/62994 | 10/982133/999900 |
| 5 | S EQU-T3-VS | 1330/62994 | 13/521/999900 |
| 6 | S EXTRANET-VS | 1319/62994 | 310/1038/999900 |
| 7 | S MEX-T3-VS | 2249/62994 | 13/406/1999900 |
| 8 | S SHR-T3-VS | 989/62994 | 18/38/1499900 |
| 9 | S FUSION-VS | 719/62994 | 15/17/299900 |
| 10 | S IPT-VS | 1706/62994 | 19/509/4999900 |
| 11 | S JP-T3-VS | 743/62994 | 33/47/19900 |
| 12 | S AB-T3-VS | 750/62994 | 15/39/14900 |
| 13 | S MGMT-VS | 801/62994 | 0/0/149900 |
| 14 | S VENDOR-VS | 741/62994 | 0/0/14900 |
| 15 | S ALM-T3-VS | 1483/62994 | 0/0/499900 |
| 16 | B VSB_1_TAP | 1878/62994 | 2835/6372/999900 |
| 17 | W VSW1 | 723/62994 | 0/0/900 |
| 18 | W VSW2 | 659/62994 | 0/0/900 |
| 19 | B VSB_2_Access | 1129/62994 | 0/0/14900 |
| 20 | W VSW_Share_identities | 659/62994 | 0/0/900 |
| 21 | W VSW_Barakeo1 | 723/62994 | 0/0/900 |
| 22 | S VS_Barakeo | 747/62994 | 0/0/14900 |
| 23 | W DMZ_VSW | 659/62994 | 0/0/900 |
| 24 | W VPN_DMZ_VSW | 659/62994 | 0/0/900 |
| 25 | B VSB_Packet_Brocker | 2148/62994 | 24797/40281/99900 |
| 26 | S VS026 | 670/62994 | 0/0/14900 |
| 27 | S VS027 | 734/62994 | 0/0/14900 |
| 28 | S VS028 | 670/62994 | 0/0/14900 |
| 29 | S VS029 | 734/62994 | 0/0/14900 |
| 30 | S VS030 | 734/62994 | 0/0/14900 |
| 31 | S VS031 | 734/62994 | 0/0/14900 |
| 32 | S VS032 | 734/62994 | 0/0/14900 |
| 33 | S VS033 | 734/62994 | 0/0/14900 |
| 34 | S VS034 | 734/62994 | 0/0/14900 |
| 35 | S VS035 | 670/62994 | 0/0/14900 |
| 36 | S VS036 | 734/62994 | 0/0/14900 |
| 37 | S VS037 | 734/62994 | 0/0/14900 |
| 38 | S VS038 | 670/62994 | 0/0/14900 |
+-----+------------------------+-------------+---------------------+
>


VSX Legacy Bridge Mode


Description
VSX Legacy Bridge Mode lets Virtual Systems in Bridge Mode ignore tagged packets.
Use the fw -i k ctl set int fw_vsx_legacy_bridge_mode <mode> command to manage
VSX Legacy Bridge Mode.

Syntax
> fw -i k ctl set int fw_vsx_legacy_bridge_mode <mode>

Parameters
Parameter Description
<mode> Sets the VSX Legacy Bridge Mode
Valid values:
• 0 (Default) - Disable VSX Legacy Bridge Mode
• 1 - Enable VSX Legacy Bridge Mode



CHAPTER 9

Working with LTE Features


In This Section:
Enabling LTE Support .................................................................................................287
VPN Sticky SA .............................................................................................................288
Troubleshooting ..........................................................................................................289
Configuring SCTP NAT on SGMs ................................................................................302

The Scalable Platform includes features that support advanced LTE telecommunication. Most of
these features are configured with SmartDashboard or on the Management Server. See the R76
LTE Release Notes http://downloads.checkpoint.com/dc/download.htm?ID=29339 for detailed
information and configuration procedures. Configuration procedures for SGMs are included in this
section for your convenience.
These LTE features include:
• LTE S1 VPN
• Firewall-1 GX support
• GTPv2 support
• GTP CoreXL support
• GTP Signaling rate limit
• SCTP support
• Diameter inspection
• Third-Party Syslog
• MSS adjustment
• CGNAT
• Stateless NAT46 translation
• NAT64
• Large Scale VPN


Enabling LTE Support


LTE configuration includes hundreds or thousands of eNodeB VPN peers. Each eNodeB has its
own IPsec tunnel to the Scalable Platform. eNodeB encrypts GTP traffic from mobile clients
behind the eNodeB.
You must enable LTE support to use LTE features and S1 VPN.

To enable LTE support for all SGMs:


On the Scalable Platform, run:
> asg_lte_config enable
> reboot -b all

Note: Hyper-threading must be disabled for LTE.

To disable hyper-threading:
1. Enter:
# g_cpconfig ht disable
2. Reboot.
Limitations:
• Connections are synchronized to all SGMs, not just the Standby SGM.
• You must not enable SPI distribution.


VPN Sticky SA
By default, the VPN Sticky Security Association (SA) feature is enabled. This feature ensures that
the Scalable Platform has only one outgoing SA to remote peers. This is a requirement of some
network device manufacturers, to minimize security vulnerabilities.
Important - Make sure that SPI distribution and Sticky SA are not enabled at the same time.
Configuring VPN Sticky SA:
• To disable VPN Sticky SA, run this command in Expert Mode:
# g_update_conf_file $FWDIR/modules/fwkern.conf fwha_vpn_sticky_tunnel_enabled=0
• To re-enable VPN Sticky SA, run this command in Expert Mode:
# g_update_conf_file $FWDIR/modules/fwkern.conf fwha_vpn_sticky_tunnel_enabled=1
• Reboot all SGMs:
# reboot -b all
Verification:
To see the VPN Sticky SA status, run this command in Expert Mode and check the value of
fwha_vpn_sticky_tunnel_enabled (0 means disabled, 1 means enabled):
# g_fw ctl get int fwha_vpn_sticky_tunnel_enabled
-*- 12 blades: 1_01 1_02 1_03 1_04 1_05 1_06 2_01 2_02 2_03 2_04 2_05 2_06 -*-
fwha_vpn_sticky_tunnel_enabled = 0

Notes:
• Only outbound Sticky SA connections are synchronized.
• Connections are not synchronized to all SGMs.
To synchronize connections to all SGMs, run:
asg_lte_config enable



CHAPTER 10

Troubleshooting
In This Section:
Collecting System Information (asg_info) .................................................................289
Verifiers .......................................................................................................................293
Resetting SIC (g_cpconfig sic init) .............................................................................298
Debug files ..................................................................................................................301

Collecting System Information (asg_info)


Description
Use the asg_info command to collect information from the system, in the form of data files and
command line output.
The information is collected from these areas:
• Log files
• Configuration files
• System status
• System diagnostics
The information is saved in the /var/log/asg_info.<hostname>.<date>.tar file. By default,
information is collected from all SGMs / Virtual Systems.

Commands
The asg_info command runs commands at this granularity:
• SGMs
• All SGMs
• Single SGM for each Chassis
• Selective SGMs
• VSX
• Per-Virtual System
• VS0 only
• Selective Virtual System
• CMM

Files
The asg_info command collects a predefined list of files from the SGMs and Virtual Systems. A global
file is located in the global folder.


Examples
1. latest_policy.policy.tgz is collected as a global file, and is located in
\global\VS0\var\CPbackup\asg_backup\
2. dist_mode.log is collected from the SGM and Virtual System folders, and is located in
\SGM_1_01\VS1\var\log\dist_mode.log\
3. start_mbs.log is collected from the SGM folder and not from the Virtual System folder, and
is located in \SGM_1_01\VS0\var\log\start_mbs.log\

Syntax
> asg_info [-b <SGM_IDs>] [--vs <VS_IDs>] <collect_flags> [options]
> asg_info [-b <SGM_IDs>] [--vs <VS_IDs>] [--user_conf <xml_filename>] [options]

Parameters
Parameter Description
-b <SGM_IDs> Works with SGMs and/or Chassis as specified by <SGM_IDs>.
<SGM_IDs> can be:
• No <SGM_IDs> specified, or all - Applies to all SGMs and
Chassis
• One SGM (for example, 1_1)
• A comma-separated list of SGMs (for example, 1_1,1_4)
• A range of SGMs (for example, 1_1-1_4)
• One Chassis (chassis1, or chassis2)
• The active Chassis (chassis_active)
Default - All SGMs in the UP state.
-vs <VS_IDs> <VS_IDs> can be:
• No <VS_IDs> (default) - Uses the current Virtual System
context
• One Virtual System
• A comma-separated list of Virtual Systems (1, 2, 4, 5)
• A range of Virtual Systems (VS 3-5)
• all - Shows all Virtual Systems
Note - This parameter is only applicable in a VSX environment.


Collect Flags
Flag Description
--all Collects all log files and commands output
-q Collects major log files and commands output
-f Collects comprehensive log files and commands output
-c Collects core dump information
-i Collects cpinfo output
-m Collects CMM log files
-s Collects setup information
-a Collects archive files
-h Shows the built-in help
--user_conf Adds xml configuration file with files and commands

Options
Option Description
--list Shows all the files and commands to be collected, without actually
collecting them
-h Shows this help message and exits
-v Shows verbose output
-u Uploads asg_info output file to the Check Point User Center
-t Uploads asg_info output file using SFTP only. Default is
HTTPS and SFTP
-uk Uploads result file using cp_uploader-k
-e Semicolon separated list of email addresses for upload
notifications

Configuration Files:
• Default - $FWDIR/conf/asg_info_config.xml
Files and commands are defined automatically.
• User defined - the user can define files and commands following the same standard.
The user can configure any command and/or file for collection; the file is used with the
--user_conf option.
Note - asg_info uses either the user-defined file or the default file. They cannot be used
together.


User-defined XML configuration file example:

<configurations>
  <collect_file_list>
    <upgrade_wizard>
      <collect_mode>-f</collect_mode>
      <path>/var/log/upgrade_wizard.log*</path>
      <per_vs>0</per_vs>
      <per_sgm>1</per_sgm>
      <delete_after_collect>0</delete_after_collect>
    </upgrade_wizard>
    <active_cmm_debug>
      <collect_mode>-m</collect_mode>
      <path>/var/log/active_cmm_debug.log</path>
      <per_vs>0</per_vs>
      <per_sgm>1</per_sgm>
      <delete_after_collect>1</delete_after_collect>
    </active_cmm_debug>
  </collect_file_list>
  <cmd_list>
    <asg_stat_vs>
      <mode>-f</mode>
      <pre_command></pre_command>
      <command>asg stat vs</command>
      <ipv6>0</ipv6>
      <esx>1</esx>
      <per_chassis>1</per_chassis>
      <per_vs>1</per_vs>
      <per_sgm>0</per_sgm>
      <vsx_only>1</vsx_only>
      <dest_file_name>asg_info</dest_file_name>
    </asg_stat_vs>
    <asg_if>
      <mode>-f</mode>
      <pre_command>g_all</pre_command>
      <command>asg if</command>
      <ipv6>0</ipv6>
      <esx>1</esx>
      <per_chassis>0</per_chassis>
      <per_vs>1</per_vs>
      <per_sgm>0</per_sgm>
      <vsx_only>0</vsx_only>
      <dest_file_name>asg_info</dest_file_name>
    </asg_if>
  </cmd_list>
</configurations>
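A dry run of a user-defined configuration file, in the spirit of the --list option, as an added example (not Check Point code). It embeds the sample file above as input; the meaning given to per_sgm, per_chassis, per_vs and vsx_only (every SGM, the first SGM of each chassis, every Virtual System, VSX gateways only) is an assumption, since the guide does not define them, and the SGM and VS lists are constructed.

```python
import xml.etree.ElementTree as ET

# Collect flags documented for asg_info. An entry is collected when its mode is
# among the flags given; --all selects every entry.
VALID_FLAGS = {"--all", "-q", "-f", "-c", "-i", "-m", "-s", "-a"}

# The user-defined configuration from the guide, embedded as sample input.
SAMPLE_XML = """<configurations>
 <collect_file_list>
  <upgrade_wizard>
   <collect_mode>-f</collect_mode>
   <path>/var/log/upgrade_wizard.log*</path>
   <per_vs>0</per_vs><per_sgm>1</per_sgm>
   <delete_after_collect>0</delete_after_collect>
  </upgrade_wizard>
  <active_cmm_debug>
   <collect_mode>-m</collect_mode>
   <path>/var/log/active_cmm_debug.log</path>
   <per_vs>0</per_vs><per_sgm>1</per_sgm>
   <delete_after_collect>1</delete_after_collect>
  </active_cmm_debug>
 </collect_file_list>
 <cmd_list>
  <asg_stat_vs>
   <mode>-f</mode><pre_command></pre_command><command>asg stat vs</command>
   <ipv6>0</ipv6><esx>1</esx><per_chassis>1</per_chassis>
   <per_vs>1</per_vs><per_sgm>0</per_sgm><vsx_only>1</vsx_only>
   <dest_file_name>asg_info</dest_file_name>
  </asg_stat_vs>
  <asg_if>
   <mode>-f</mode><pre_command>g_all</pre_command><command>asg if</command>
   <ipv6>0</ipv6><esx>1</esx><per_chassis>0</per_chassis>
   <per_vs>1</per_vs><per_sgm>0</per_sgm><vsx_only>0</vsx_only>
   <dest_file_name>asg_info</dest_file_name>
  </asg_if>
 </cmd_list>
</configurations>"""


def _on(elem, tag):
    """True when child <tag> holds 1; a missing tag counts as 0."""
    return elem.findtext(tag, "0").strip() == "1"


def _targets(elem, sgms, vs_ids):
    """Expand per_sgm / per_chassis / per_vs into (sgm, vs) pairs. Assumed semantics:
    per_sgm=1 -> every SGM; per_chassis=1 -> the first SGM of each chassis;
    otherwise the first SGM only; per_vs=1 -> every Virtual System, else VS0."""
    if _on(elem, "per_sgm"):
        chosen = list(sgms)
    elif _on(elem, "per_chassis"):
        first = {}
        for sgm in sgms:  # SGM ids look like <chassis>_<slot>
            first.setdefault(sgm.split("_")[0], sgm)
        chosen = list(first.values())
    else:
        chosen = [sgms[0]]
    vs_set = list(vs_ids) if _on(elem, "per_vs") else [0]
    return [(s, v) for s in chosen for v in vs_set]


def plan(xml_text, flags, sgms, vs_ids, vsx=True):
    """Dry run: list the file and command collections that the flags select."""
    unknown = set(flags) - VALID_FLAGS
    if unknown:
        raise ValueError("unknown collect flag(s): " + " ".join(sorted(unknown)))
    root = ET.fromstring(xml_text)
    items = []

    def selected(mode):
        return "--all" in flags or mode in flags

    for f in root.iterfind("collect_file_list/*"):
        if not selected(f.findtext("collect_mode", "").strip()):
            continue
        for sgm, vs in _targets(f, sgms, vs_ids):
            items.append({"kind": "file", "name": f.tag, "sgm": sgm, "vs": vs,
                          "what": f.findtext("path", "").strip(),
                          "delete_after": _on(f, "delete_after_collect")})
    for c in root.iterfind("cmd_list/*"):
        if not selected(c.findtext("mode", "").strip()):
            continue
        if _on(c, "vsx_only") and not vsx:  # entry applies to VSX gateways only
            continue
        pre = c.findtext("pre_command", "").strip()
        cmd = (pre + " " + c.findtext("command", "").strip()).strip()
        for sgm, vs in _targets(c, sgms, vs_ids):
            items.append({"kind": "cmd", "name": c.tag, "sgm": sgm, "vs": vs,
                          "what": cmd, "delete_after": False})
    return items


if __name__ == "__main__":
    for it in plan(SAMPLE_XML, {"-f"}, ["1_01", "1_02", "2_01"], [0, 1, 2]):
        print("%-4s %-16s SGM %s VS %d: %s"
              % (it["kind"], it["name"], it["sgm"], it["vs"], it["what"]))
```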


Verifiers
Below are the verifiers.

MAC Verification (mac_verifier)


Description
Each MAC address contains information about the Chassis ID, SGM ID and interfaces.
Use this command to make sure that the virtual MAC addresses on physical and bond interfaces
are the same for all SGMs on each Chassis.
You must run this command in the Expert mode.

Syntax
# mac_verifier -h
# mac_verifier [-l] [-v]

Parameters
Parameter Description
-h Shows the built-in help.
-l Shows MAC address consistency on the Active Chassis.
-v Shows information for each interface MAC Address.

Example
[Expert@MyChassis-ch01-01:0]# mac_verifier
Starting mac address verification on local chassis... (Chassis 1)
No inconsistency found on local chassis

Starting mac address verification on remote chassis... (Chassis 2)


MAC address inconsistency found on interface eth2-11
[Expert@MyChassis-ch01-01:0]#

Layer 2 Bridge Verifier (asg_br_verifier)


Description
Use the asg_br_verifier command to confirm that there are no bridge configuration
problems. The command also confirms that the fdb_shadow tables are identical on all SGMs.

Syntax
> asg_br_verifier [-v]

Parameters
Parameter Description
-v Verbose Mode


Example 1
> asg_br_verifier
================================================================================

Number of entries in fdb_shadow table:

-*- 10 blades: 1_01 1_02 1_03 1_04 1_05 2_01 2_02 2_03 2_04 2_05 -*-
11

Status: OK

================================================================================

In the example below there is a misconfiguration.

Example 2
> asg_br_verifier -v
================================================================================

Number of entries in fdb_shadow table:

-*- 9 blades: 1_01 1_03 1_04 1_05 2_01 2_02 2_03 2_04 2_05 -*-
11
-*- 1 blade: 1_02 -*-
0

Status: number of entries is different

================================================================================

Collecting table info from all SGMs. This may take a while.

Table entries in fdb_shadow table:

-*- 9 blades: 1_01 1_03 1_04 1_05 2_01 2_02 2_03 2_04 2_05 -*-
address="00:00:00:00:00:00" Interface="eth1-07"
address="00:10:AA:7D:08:81" Interface="eth2-07"
address="00:1E:9B:56:08:81" Interface="eth1-07"
address="00:23:FA:4E:08:81" Interface="eth1-07"
address="00:49:DC:58:08:81" Interface="eth2-07"
address="00:7E:60:77:08:81" Interface="eth1-07"
address="00:80:EA:55:08:81" Interface="eth1-07"
address="00:8D:86:52:08:81" Interface="eth2-07"
address="00:9E:8C:7F:08:81" Interface="eth1-07"
address="00:E5:DB:78:08:81" Interface="eth2-07"
address="00:E5:F7:78:08:81" Interface="eth2-07"
-*- 1 blade: 1_02 -*-
fdb_shadow table is empty
Status: Table entries in fdb_shadow table is different between SGMs

================================================================================


Verifying VSX Gateway Configuration (asg vsx_verify)


Description
The asg vsx_verify command replaces the old verifier in the smo verifiers and runs on a
VSX system only. Use this command to confirm that all SGMs have the same VSX configuration:
interfaces, routes, and Virtual Systems. The command checks:
• The same MD5 for configuration files that must be identical between SGMs.
• Similarity of configuration files that must be equivalent but are not necessarily written the
same way (such as /config/active). The command uses the db_cleanup report to do this.
• VSX configuration among SGMs.
• Similarity of VMAC and BMAC addresses.
Use the command output to locate the inconsistency in the configuration.
The differences are compared in two ways:
• The return value of the command run on the SGMs with gexec_inner_command
• The output of the commands
Example of a difference in the command output:
Difference between blade: 1_01 and blade: 2_01 found.
====================================================
--- 1_01
+++ 2_01
-73b4c20e598d6b495de7515ad4ea2fdc /opt/CPsuite-R76/fw1/conf/fwha_vsx_conf_id.conf
+b21dfa3feab817c3640bbb984346cdf1 /opt/CPsuite-R76/fw1/conf/fwha_vsx_conf_id.conf

When a command fails, the output contains: Command "asg xxx" failed to run on blade
"2_01"

Syntax
> asg vsx_verify [-a | -c | -v]

Parameters
Parameter Description
-a Includes SGMs in the Administrative DOWN state
-c Compares:
• Database configuration between SGMs
• Operating system and database configuration on each SGM
-v Includes Virtual Systems configuration verification table
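The three verifiers above (mac_verifier, asg_br_verifier and asg vsx_verify) share one reporting pattern: collect the same output from every SGM, group blades that agree, and show the odd ones out, either as the "-*- N blades: ... -*-" groups or as a unified diff against a reference blade. The following Python script is an added example that reproduces that pattern on constructed per-blade samples; it is not Check Point code and does not talk to any SGM. The fdb_shadow rows and the fwha_vsx_conf_id.conf contents are made up, and the choice of the largest group's first blade as the reference is an assumption.

```python
import difflib
import hashlib


def md5_line(path, content):
    """Build the 'md5sum <path>' style line that asg vsx_verify compares between blades."""
    return f"{hashlib.md5(content.encode()).hexdigest()} {path}"


def group_blades(outputs):
    """Group blades by identical output.

    outputs: {blade_id: text}. Returns [(sorted_blade_ids, text), ...], largest group first,
    so the majority output acts as the reference.
    """
    groups = {}
    for blade, text in outputs.items():
        groups.setdefault(text, []).append(blade)
    return sorted(((sorted(b), t) for t, b in groups.items()), key=lambda g: -len(g[0]))


def format_groups(title, outputs):
    """Render groups in the '-*- N blades: ... -*-' layout used by the verifiers."""
    lines = [title]
    for blades, text in group_blades(outputs):
        n = len(blades)
        lines.append(f"-*- {n} blade{'s' if n != 1 else ''}: {' '.join(blades)} -*-")
        lines.append(text if text else "<table is empty>")
    return lines


def verify(outputs):
    """Return ('OK', []) if all blades agree, else ('DIFF', [unified diffs]).

    Every blade outside the majority group is diffed against the first blade of the
    majority group, in the '--- 1_01 / +++ 2_01' form shown in the guide.
    """
    groups = group_blades(outputs)
    if len(groups) == 1:
        return "OK", []
    ref_blade, ref_text = groups[0][0][0], groups[0][1]
    diffs = []
    for blades, text in groups[1:]:
        for blade in blades:
            diff = difflib.unified_diff(ref_text.splitlines(), text.splitlines(),
                                        fromfile=ref_blade, tofile=blade, lineterm="", n=0)
            diffs.append("\n".join(diff))
    return "DIFF", diffs


# Constructed samples (not real system output): ten blades as in the guide's examples.
BLADES = [f"{chassis}_{sgm:02d}" for chassis in (1, 2) for sgm in range(1, 6)]

FDB_ROWS = ('address="00:10:AA:7D:08:81" Interface="eth2-07"\n'
            'address="00:1E:9B:56:08:81" Interface="eth1-07"')
FDB_SAMPLE = {b: FDB_ROWS for b in BLADES}
FDB_SAMPLE["1_02"] = ""            # blade 1_02 has an empty fdb_shadow table

CONF = "/opt/CPsuite-R76/fw1/conf/fwha_vsx_conf_id.conf"
MD5_SAMPLE = {b: md5_line(CONF, "vsx_conf_id=1\n") for b in BLADES}
MD5_SAMPLE["2_01"] = md5_line(CONF, "vsx_conf_id=2\n")   # configuration drift on 2_01

if __name__ == "__main__":
    print("\n".join(format_groups("Table entries in fdb_shadow table:", FDB_SAMPLE)))
    status, diffs = verify(MD5_SAMPLE)
    print("Status:", status)
    print("\n".join(diffs))
```

Feeding `verify` the per-blade output of any command collected with a g_ or gexec style wrapper gives the same majority-versus-minority view; a blade that is administratively DOWN still shows up as its own group, which is why asg vsx_verify needs -a to include such SGMs deliberately.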


Example 1
> asg vsx_verify -v
+------------------------------------------------------------------------------+
|Chassis 1 SGMs: |
|1_01 1_02 1_03 |
+------------------------------------------------------------------------------+
+------------------------------------------------------------------------------+
|Chassis 2 SGMs: |
|2_01* 2_02 2_03 |
+------------------------------------------------------------------------------+

+-------------------------------------------------------------------+
|VSX Global Configuration Verification |
+------+---------------------------------+------------------+-------+
|SGM |VSX Configuration Signature |Virtual Systems |State |
| |VSX Configuration ID |Installed\Allowed | |
+------+---------------------------------+------------------+-------+
|all |8ef02b3e73386afd6e044c78e466ea82 |5\25 |UP |
| |9 | | |
+------+---------------------------------+------------------+-------+

+--------------------------------------------------------------------------+
|Virtual Systems Configuration Verification |
+----+-----+-----------+---------------+----------------+---------+--------+
|VS |SGM |VS Name |VS Type |Policy Name |SIC State|Status |
+----+-----+-----------+---------------+----------------+---------+--------+
|0 |all |VSX_OBJ |VSX Gateway |Standard |Trust |Success |
+----+-----+-----------+---------------+----------------+---------+--------+
|1 |all |VSW-INT |Virtual Switch |<Default Policy>|Trust |Success |
+----+-----+-----------+---------------+----------------+---------+--------+
|2 |all |VSW-INT |Virtual Switch |<Not Applicable>|Trust |Success |
+----+-----+-----------+---------------+----------------+---------+--------+
|3 |all |VS-1 |Virtual System |Standard |Trust |Success |
+----+-----+-----------+---------------+----------------+---------+--------+
|4 |all |VS-2 |Virtual System |Standard |Trust |Success |
+----+-----+-----------+---------------+----------------+---------+--------+
Comparing Routes DB & OS. This procedure may take some time...
Press 'y' to skip this procedure...
Comparing..

+--------------------------------------------------------------------------+
|Summary |
+--------------------------------------------------------------------------+
|VSX Configuration Verification completed successfully |
+--------------------------------------------------------------------------+

All logs collected to /var/log/vsx_verify.1360846320.log


Example 2
> asg vsx_verify -v -a
Output
+--------------------------------------------------------------------------+
|Chassis 1 SGMs: |
|1_01* 1_02 1_03 1_04 |
+--------------------------------------------------------------------------+
+--------------------------------------------------------------------------+
|Chassis 2 SGMs: |
|2_01 2_02 2_03 2_04 |
+--------------------------------------------------------------------------+

+-------------------------------------------------------------------+
|VSX Global Configuration Verification |
+------+---------------------------------+------------------+-------+
|SGM |VSX Configuration Signature |Virtual Systems |State |
| |VSX Configuration ID |Installed\Allowed | |
+------+---------------------------------+------------------+-------+
|1_01 |8ef02b3e73386afd6e044c78e466ea82 |5\25 |UP |
| |9 | | |
+------+---------------------------------+------------------+-------+
|1_02 |8ef02b3e73386afd6e044c78e466ea82 |5\25 |UP |
| |9 | | |
+------+---------------------------------+------------------+-------+
|1_03 |8ef02b3e73386afd6e044c78e466ea82 |5\25 |UP |
| |9 | | |
+------+---------------------------------+------------------+-------+
|1_04 |8ef02b3e73386afd6e044c78e466ea82 |5\25 |DOWN |
| |9 | | |
+------+---------------------------------+------------------+-------+
|2_01 |8ef02b3e73386afd6e044c78e466ea82 |5\25 |UP |
| |9 | | |
+------+---------------------------------+------------------+-------+
|2_02 |8ef02b3e73386afd6e044c78e466ea82 |5\25 |UP |
| |9 | | |
+------+---------------------------------+------------------+-------+
|2_03 |8ef02b3e73386afd6e044c78e466ea82 |5\25 |UP |
| |9 | | |
+------+---------------------------------+------------------+-------+
|2_04 |8ef02b3e73386afd6e044c78e466ea82 |5\25 |UP |
| |9 | | |
+------+---------------------------------+------------------+-------+

+--------------------------------------------------------------------------+
|Virtual Systems Configuration Verification |
+----+-----+-----------+---------------+----------------+---------+--------+
|VS |SGM |VS Name |VS Type |Policy Name |SIC State|Status |
+----+-----+-----------+---------------+----------------+---------+--------+
|0 |all |VSX_OBJ |VSX Gateway |Standard |Trust |Success |
+----+-----+-----------+---------------+----------------+---------+--------+
|1 |all |VSW-INT |Virtual Switch |<Default Policy>|Trust |Success |
+----+-----+-----------+---------------+----------------+---------+--------+
|2 |all |VSW-INT |Virtual Switch |<Not Applicable>|Trust |Success |
+----+-----+-----------+---------------+----------------+---------+--------+
|3 |all |VS-1 |Virtual System |Standard |Trust |Success |
+----+-----+-----------+---------------+----------------+---------+--------+
|4 |all |VS-2 |Virtual System |Standard |Trust |Success |
+----+-----+-----------+---------------+----------------+---------+--------+
Comparing Routes DB & OS. This procedure may take some time...
Press 'y' to skip this procedure...
Comparing..

+--------------------------------------------------------------------------+
|Summary |
+--------------------------------------------------------------------------+
|VSX Configuration Verification completed with the following errors: |
|1. [1_02:1] eth1-06 operating system address doesn't match |
|2. [1_02:1] eth1-06 DB address doesn't match |
|3. [1_01:1] Found inconsistency between addresses in operating system ,DB and NCS ofeth1-06 |
| |
+--------------------------------------------------------------------------+
All logs collected to /var/log/vsx_verify.1360886320.log


Resetting SIC (g_cpconfig sic init)


Use g_cpconfig sic init to reset Secure Internal Communication (SIC) between the Scalable
Platform and the Management Server. For example, if you replace the Management Server, you
must reset the SIC.
Important - This procedure causes a traffic outage for the system because all SGMs are
rebooted.

Resetting SIC on a Scalable Platform


Workflow to reset SIC on a Scalable Platform:
1. Initialize SIC on the Scalable Platform.
2. Initialize SIC in SmartDashboard.
3. Make sure that Trust is established on the Scalable Platform.

To initialize SIC on the Scalable Platform:


1. Use a serial console to connect to the gateway.
2. Enter Expert Mode.
3. Run:
> asg stat -i tasks
This tells you which SGM is the SMO.
4. Run:
# g_cpconfig sic init <activation_key>
Note - SIC reset takes 3 to 5 minutes.
During the SIC reset procedure on a Security Gateway, all SGMs other than the SMO reboot.

To initialize SIC in SmartDashboard:


1. Open the Scalable Platform object.
2. Go to the General Properties > Communication window.
3. Click Reset.
4. Enter the same activation key you used when you initialized SIC on the Scalable Platform.
5. Click Initialize.
6. On a VSX Gateway:
a) Install the policy on the VSX Gateway.
b) At the serial console connection to the Scalable Platform, press c to complete the
procedure.
Note - At this stage, all SGMs reboot, except for the SMO.

To make sure that Trust is established on the Scalable Platform:


Run:
# g_cpconfig sic state


Example output:
-*- 6 blades: 1_01 1_02 1_03 2_01 2_02 2_03 -*-
Trust State: Trust established

Resetting SIC on a VSX Gateway (VS0)


To reset SIC on a VSX Gateway (VS0):
1. Initialize SIC on the gateway.
2. Initialize SIC in SmartDashboard.
3. Make sure that Trust is established on the gateway.

To initialize SIC on the Gateway:


1. Use a serial console to connect to the gateway.
2. Enter Expert Mode.
3. Enter:
> asg stat -i tasks
This tells you which SGM is the SMO.
4. Run:
# g_cpconfig sic init <activation_key>
Note - SIC Reset takes 3 to 5 minutes.
Important - Do the next steps immediately.

To initialize SIC in SmartDashboard:


1. On the gateway object, open the General Properties > Communication window.
2. Click Reset.
3. Enter the same activation key you used when you initialized SIC on the gateway.
4. Click Initialize.
5. On a VSX Gateway:
a) Install the policy on the VSX Gateway.
b) At the serial console connection to the gateway, press c to complete the procedure.
Note - At this stage, all SGMs, except for the SMO, reboot.

To make sure that Trust is established on the Gateway:


Run:
# g_cpconfig sic state
-*- 6 blades: 1_01 1_02 1_03 2_01 2_02 2_03 -*-
Trust State: Trust established


Resetting SIC for Non-VS0 Virtual Systems


To reset SIC on Virtual Systems that are not VS0:
1. Log into the SMO with an SSH client.
2. Go to Expert Mode.
3. Switch to the applicable Virtual System context:
# vsenv <VS_ID>
4. Initialize SIC:
# g_cpconfig sic init
5. Revoke the Virtual Systems certificate defined in the Management Server.
For the detailed procedure, see Part II of sk34098
http://supportcontent.checkpoint.com/solutions?id=sk34098 .
6. In SmartDashboard, open and save the Virtual System object.
This pushes the configuration to the Management Server and re-establishes SIC trust with the
SMO.
7. Install a policy on the Virtual System.

Troubleshooting SIC reset


SIC reset takes 3-5 minutes. If SIC reset was interrupted (for example by loss of network
connectivity), run g_cpconfig sic state to get the SIC state. If the SIC State is:

SIC state                                   Do this
Trust established                           Repeat the SIC reset procedure.
Initialized, but Trust was not established  1. Reboot all SGMs.
                                            2. In SmartDashboard > General Properties >
                                               Communication, initialize SIC.
                                            3. Install the policy.

SIC Cleanup
To resolve other SIC issues, do a SIC cleanup. There are two ways to do a SIC cleanup:
Either run:
# asg_blade_config reset_sic -reboot_all <activation_key>

OR
1. Use ccutil in Expert mode to shut down all SGMs (except the SMO).
2. Connect to the SMO using a serial console.
3. Initialize SIC in SmartDashboard > Security Gateway object > General Properties >
Communication.
4. Install policy on the SMO.
5. Turn on all SGMs.


Debug files
Below are the Scalable Platform debug files:

Feature Debug File

FWK $FWDIR/log/fwk.elg.*

Policy $FWDIR/log/cpha_policy.log.*

SGM Configuration / Pull Configuration $FWDIR/log/blade_config.*

Alerts /var/log/send_alert.*

Distribution $FWDIR/log/dist_mode.log.*

Installation – OS /var/log/anaconda

Installation – Scalable Platform /var/log/start_mbs.log

Installation – Scalable Platform /var/log/mbs.log

Dynamic Routing /var/log/routed.log

CPD $CPDIR/log/cpd.elg

FWD $FWDIR/log/fwd.elg

General /var/log/messages*

Log servers /var/log/log_servers*

Pingable hosts /var/log/pingable_hosts*

Clish auditing /var/log/auditlog*

Command auditing /var/log/asgaudit.log*

VPND $FWDIR/log/vpnd.elg*

Reboot logs /var/log/blade_reboot_log


Configuring SCTP NAT on SGMs


SCTP NAT overrides the currently defined NAT policy. When this feature is not activated, SCTP
connections do not use NAT.
To configure the SCTP NAT on-the-fly (does not survive reboot):
• To activate SCTP NAT, run:
fw ctl set int fwx_enable_sctp_nat 1
• To deactivate SCTP NAT, run:
fw ctl set int fwx_enable_sctp_nat 0
To configure the SCTP NAT permanently (survives reboot):
• To activate SCTP NAT, run:
g_update_conf_file $FWDIR/modules/fwkern.conf fwx_enable_sctp_nat=1
reboot -b all
• To deactivate SCTP NAT, run:
g_update_conf_file $FWDIR/modules/fwkern.conf fwx_enable_sctp_nat=0
reboot -b all



CHAPTER 11

System Optimization
In This Section:
Firewall Connections Table Size for VSX Gateway ...................................................303
Using the Fast Accelerator (sim fastaccel) ...............................................................304
Reserved Connections ................................................................................................307
Policy Acceleration - SecureXL Keep Connections ..................................................310
VPN Performance Enhancements .............................................................................311
Acceleration Not Disabled Because of Traceroute Rule (asg_tmpl_special_svcs) 331
Improving Inbound HTTPS Performance ................................................................332
Layer 4 CoreXL Overview ...........................................................................................333
System Under Load ....................................................................................................339

Firewall Connections Table Size for VSX Gateway


Configure the Firewall connections table for VSX Gateway, Virtual Systems and other VSX Virtual
Devices in SmartDashboard.

To configure the Firewall Connections table:


1. Open the Virtual Device object in SmartDashboard.
2. Select the applicable Virtual Device.
3. In the Navigation Tree, select Optimizations.
4. On the Optimizations page, under Calculate the maximum limit for concurrent
connections, select Manually.
5. Enter or select a value.


Using the Fast Accelerator (sim fastaccel)


Description
The Fast Accelerator lets you define trusted connections to allow bypassing of Medium Pass
inspection (of Application Control, URL Filtering, Anti-Bot, Anti-Virus, and Threat Emulation
connections).
Those connections are handled in the regular way by SecureXL, while bypassing Medium Pass
inspection, which requires forwarding to the Firewall.
This feature significantly improves throughput for these trusted high volume connections and
reduces CPU consumption.
Important - Starting in Jumbo Hotfix Accumulator Take 180 (sk117633
http://supportcontent.checkpoint.com/solutions?id=sk117633), the syntax of the sim fastaccel
command changed.

Syntax for IPv4


# sim fastaccel -h
# sim fastaccel show
# sim fastaccel {add | delete} <Source_IPv4> <Source_Port> <Dest_IPv4> <Dest_Port> <Protocol>
# sim fastaccel delete <Rule_Number>

Syntax for IPv6


# sim6 fastaccel -h
# sim6 fastaccel show
# sim6 fastaccel {add | delete} <Source_IPv6> <Source_Port> <Dest_IPv6> <Dest_Port> <Protocol>
# sim6 fastaccel delete <Rule_Number>

Parameters
Parameter Description
-h Shows the built-in help information.
show Shows all trusted connections.
add Adds a new trusted connection.
delete Deletes a trusted connection.
<Source_IP> Connection source IP address and optional subnet.
<Source_Port> Connection source port. See IANA - Port Numbers
https://www.iana.org/assignments/service-names-port-numbers/service-na
mes-port-numbers.xhtml.
<Dest_IP> Connection destination IP address and optional subnet.
<Dest_Port> Connection destination port. See IANA - Port Numbers
https://www.iana.org/assignments/service-names-port-numbers/service-na
mes-port-numbers.xhtml.

<Protocol> IP Protocol Number. See IANA - Protocol Numbers
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xht
ml (for example, TCP=6, UDP=17).
<Rule_Number> Number of the rule in the list of configured trusted connections.

Notes:
• On a VSX Gateway, you must run the sim fastaccel and sim6 fastaccel commands from
the context of each applicable Virtual System.
Run the vsenv <VS_ID> command and then the sim fastaccel and sim6 fastaccel
commands.
Each Virtual System context has its own independent table.
• You can use the @ character as a wildcard to represent a valid parameter value.
• Enter the subnet in the /nn format. If you do not define a subnet, the connection is defined
for the single specified IP address.

Example 1 - Add a new trusted IPv4 connection:


# sim fastaccel add 1.1.1.0/24 @ 2.2.2.2 80 6

• The source is defined as all IPv4 addresses in the 1.1.1.0/24 subnet and all valid ports.
• The destination is defined as the IPv4 address 2.2.2.2 and port 80.
• The connection is over TCP.

Example 2 - Add a new trusted IPv4 connection:


# sim fastaccel add 192.168.0.0/16 @ @ 123 17

• The source is defined as all IPv4 addresses in the 192.168.0.0/16 subnet and all valid ports.
• The destination is defined as all IPv4 addresses and port 123.
• The connection is over UDP.

Example 3 - Add a new trusted IPv6 connection:


# sim6 fastaccel add 2001::/64 @ 2002::2 80 6

• The source is defined as all IPv6 addresses in the 2001::/64 subnet and all valid ports.
• The destination is defined as the IPv6 address 2002::2 and port 80.
• The connection is over TCP.

Example 4 - Add a new trusted IPv6 connection:


# sim6 fastaccel add 3002::/16 @ @ 123 17

• The source is defined as all IPv6 addresses in the 3002::/16 subnet and all valid ports.
• The destination is defined as all IPv6 addresses and port 123.
• The connection is over UDP.


Example 5 - Show all configured trusted IPv4 connections:


# sim fastaccel show

### Source SPort Destination DPort PR
------------------- ----- --------------- ----- ---
1) 1.1.1.0 @ 2.2.2.2 80 6
2) 192.168.0.0 @ @ 123 17

Example 6 - Show all configured trusted IPv6 connections:


# sim6 fastaccel show

### Source SPort Destination DPort PR
--------------------------- ----- ---------------------- ----- ---
1) 2001:0:0:0:0:0:0:0 @ 2002:0:0:0:0:0:0:2 80 6
2) 3002:0:0:0:0:0:0:0 @ @ 123 17

Example 7 - Delete a trusted IPv4 connection:


# sim fastaccel delete 1.1.1.0 @ 2.2.2.2 80 6
# sim fastaccel delete 1

Example 8 - Delete a trusted IPv6 connection:


# sim6 fastaccel delete 3002::/16 @ @ 123 17
# sim6 fastaccel delete 2

Known Limitation:
• Connections can only be added or deleted. They cannot be enabled or disabled.
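Because a trusted connection skips Medium Pass inspection entirely, it pays to know exactly which 5-tuples a rule table covers before adding a rule. The following Python script is an added example, not Check Point code and not how SecureXL implements the table: it applies the rule semantics stated in the notes above (the @ wildcard, the /nn subnet, a bare address meaning one host) to a connection and reports the first matching rule number as show lists them. The rule table is constructed from examples 1 to 4; IPv4 and IPv6 rules are kept in one list here for brevity, whereas the real tool keeps them in separate sim and sim6 tables, and first-match ordering is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TrustedRule:
    src: Optional[object]     # ip_network, or None for the @ wildcard
    sport: Optional[int]      # None for @
    dst: Optional[object]
    dport: Optional[int]
    proto: Optional[int]      # IP protocol number, None for @


def _net(field):
    """'@' means any; a bare address is a single host (/32 or /128), else the /nn subnet."""
    return None if field == "@" else ipaddress.ip_network(field, strict=False)


def _num(field, low, high):
    if field == "@":
        return None
    value = int(field)
    if not low <= value <= high:
        raise ValueError(f"{value} is outside {low}-{high}")
    return value


def parse_rule(text):
    """Parse '<src> <sport> <dst> <dport> <proto>', the argument order of add/delete."""
    parts = text.split()
    if len(parts) != 5:
        raise ValueError("expected: <Source> <Source_Port> <Dest> <Dest_Port> <Protocol>")
    src, sport, dst, dport, proto = parts
    rule = TrustedRule(_net(src), _num(sport, 0, 65535), _net(dst),
                       _num(dport, 0, 65535), _num(proto, 0, 255))
    if rule.src is not None and rule.dst is not None and rule.src.version != rule.dst.version:
        raise ValueError("source and destination must be the same IP version")
    return rule


def _net_match(net, addr):
    return net is None or (net.version == addr.version and addr in net)


def matches(rule, src, sport, dst, dport, proto):
    """True if the 5-tuple is covered by the rule (None fields match anything)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (_net_match(rule.src, s) and _net_match(rule.dst, d)
            and rule.sport in (None, sport)
            and rule.dport in (None, dport)
            and rule.proto in (None, proto))


def trusted_rule_number(rules, src, sport, dst, dport, proto):
    """First matching rule number (1-based, as 'show' lists them), or 0 if the
    connection would not bypass Medium Pass inspection."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, src, sport, dst, dport, proto):
            return number
    return 0


# Constructed rule table built from the guide's examples 1-4.
RULES = [parse_rule(r) for r in (
    "1.1.1.0/24 @ 2.2.2.2 80 6",
    "192.168.0.0/16 @ @ 123 17",
    "2001::/64 @ 2002::2 80 6",
    "3002::/16 @ @ 123 17",
)]

if __name__ == "__main__":
    for conn in (("1.1.1.7", 40000, "2.2.2.2", 80, 6),
                 ("192.168.5.5", 123, "203.0.113.9", 123, 6)):
        print(conn, "-> rule", trusted_rule_number(RULES, *conn))
```

Note from example 5 above that the show output prints the source as 1.1.1.0 without its /24, so keep the original add arguments (or this parsed form) when you audit which subnets are exempt from inspection.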


Reserved Connections
Description
Normally, when the connections table limit is reached, no more connections are allowed, not
even the connections that are critical for operating and managing the Security Gateway. Use the
reserved connections feature to allow the Security Gateway to process these critical connections,
even after the connections table limit is reached. A user-defined amount of space is reserved in
the connections table for these critical connections. If the Rule Base allows these connections,
they are allowed even if no other connections can be accepted.
For example, when the connections table limit is reached, the administrator cannot install a new
policy that increases the connections limit, or open other necessary connections, such as SSH to
the Security Gateway.

Enforcing the reserved connections limit


By default, the number of reserved connections is limited to 2000. The actual limit of the
connections table is increased by this amount.
Before a new connection is recorded, the system makes sure that there is sufficient space in the
connections table. If the connections table limit is reached, the connection is still recorded if it
satisfies both of these conditions:
• The number of recorded connections is below the sum of the connections table limit and the
reserved connections limit.
• The connection matches one of the rules in the reserved connections table.
If the connection does not meet these conditions, it is not recorded.
In VSX, reserved connections are supported for VS0 only.

Syntax
# asg_reserved_conns
Please choose one of the following:
-----------------------------------
1) Print reserved connections table
2) Add new reserved connection rule
3) Delete reserved connection rule
4) Exit
>

To show the reserved connections table, enter: 1

Example output
Idx Source Mask Destination Mask DPort Ipp Interface
--- --------------- ---- --------------- ---- ----- ----- ------------
1) 0.0.0.0 0 0.0.0.0 0 1129 6 Sync
2) 0.0.0.0 0 0.0.0.0 0 1130 6 Sync
3) 0.0.0.0 0 0.0.0.0 0 4444 6 Sync
4) 0.0.0.0 0 0.0.0.0 0 22 6 Sync
5) 0.0.0.0 0 0.0.0.0 0 8888 6 Sync
6) 0.0.0.0 0 0.0.0.0 0 2010 6 Sync
7) 0.0.0.0 0 0.0.0.0 0 1131 6 Sync
8) 0.0.0.0 0 0.0.0.0 0 1132 6 Sync
9) 0.0.0.0 0 0.0.0.0 0 256 6 Sync
10) 0.0.0.0 0 0.0.0.0 0 0 1 Sync
11) 0.0.0.0 0 0.0.0.0 0 8116 17 Sync
12) 0.0.0.0 0 0.0.0.0 0 0 1 eth1-CIN
13) 0.0.0.0 0 0.0.0.0 0 22 6 eth1-CIN
14) 0.0.0.0 0 0.0.0.0 0 23 6 eth1-CIN
15) 0.0.0.0 0 0.0.0.0 0 161 17 eth1-CIN
16) 0.0.0.0 0 0.0.0.0 0 623 17 eth1-CIN
17) 0.0.0.0 0 0.0.0.0 0 0 1 eth2-CIN
18) 0.0.0.0 0 0.0.0.0 0 22 6 eth2-CIN
19) 0.0.0.0 0 0.0.0.0 0 23 6 eth2-CIN
20) 0.0.0.0 0 0.0.0.0 0 161 17 eth2-CIN
21) 0.0.0.0 0 0.0.0.0 0 623 17 eth2-CIN
22) 0.0.0.0 0 0.0.0.0 0 22 6 Any
23) 0.0.0.0 0 0.0.0.0 0 256 6 Any
24) 0.0.0.0 0 0.0.0.0 0 18191 6 Any
25) 0.0.0.0 0 0.0.0.0 0 18192 6 Any
Press enter to continue

Output description
Field Description
Idx Rule number
Source Source IP
If the IP is 0.0.0.0, all IPs are allowed
Mask Subnet mask for the Source
Destination Destination IP
If the IP is 0.0.0.0, all IPs are allowed
Mask Subnet mask for the Destination
DPort TCP/UDP Port
This is ignored with non-TCP/UDP traffic
Ipp IP protocol number
Interface Interface for this rule
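The admission decision described under "Enforcing the reserved connections limit", combined with the field semantics in the table above, is small enough to write down and test. The following Python script is an added example and is not Check Point's kernel logic: it decides whether a new connection is recorded given the current table size, the two limits and a rule table. The rule table is constructed from a subset of the default rules printed above plus the rule added in the dialog example. Two points the page does not state are treated as assumptions and marked in the code: a DPort of 0 in a TCP/UDP rule is taken to mean any port, and rules are evaluated in listed order.

```python
import ipaddress
from dataclasses import dataclass

TCP, UDP = 6, 17


@dataclass(frozen=True)
class ReservedRule:
    src: str        # 0.0.0.0 with mask 0 = any source
    src_mask: int   # prefix length, as entered in the add dialog
    dst: str
    dst_mask: int
    dport: int      # ignored for non-TCP/UDP; 0 taken to mean any port (assumption)
    ipp: int        # IP protocol number
    interface: str  # "Any" or an interface name


def _covers(rule_ip, mask_len, addr):
    """0.0.0.0/0 covers everything; otherwise a normal prefix match."""
    if rule_ip == "0.0.0.0" and mask_len == 0:
        return True
    net = ipaddress.ip_network(f"{rule_ip}/{mask_len}", strict=False)
    return ipaddress.ip_address(addr) in net


def rule_matches(rule, src, dst, dport, ipp, interface):
    """Apply the field semantics from the output description table."""
    if rule.ipp != ipp:
        return False
    if rule.interface != "Any" and rule.interface != interface:
        return False
    if ipp in (TCP, UDP) and rule.dport not in (0, dport):   # DPort only for TCP/UDP
        return False
    return _covers(rule.src, rule.src_mask, src) and _covers(rule.dst, rule.dst_mask, dst)


def admit(current, conn_limit, reserved_limit, rules, conn):
    """Decide whether a new connection is recorded.

    current: connections already in the table; conn: (src, dst, dport, ipp, interface).
    Returns (admitted, reason).
    """
    if current < conn_limit:
        return True, "below connections table limit"
    if current >= conn_limit + reserved_limit:
        return False, "connections table and reserved space both full"
    for number, rule in enumerate(rules, 1):          # first match wins (assumption)
        if rule_matches(rule, *conn):
            return True, f"reserved rule {number}"
    return False, "table full and no reserved rule matched"


# Constructed rule table: a subset of the default rules printed above plus the rule added
# in the dialog example.
RULES = [
    ReservedRule("0.0.0.0", 0, "0.0.0.0", 0, 22, TCP, "Sync"),
    ReservedRule("0.0.0.0", 0, "0.0.0.0", 0, 0, 1, "eth1-CIN"),
    ReservedRule("0.0.0.0", 0, "0.0.0.0", 0, 22, TCP, "Any"),
    ReservedRule("0.0.0.0", 0, "0.0.0.0", 0, 18191, TCP, "Any"),
    ReservedRule("10.10.10.10", 24, "20.20.20.0", 24, 0, TCP, "Any"),
]

if __name__ == "__main__":
    full = 1000   # constructed: table limit 1000 already reached, 2000 reserved
    for conn in (("203.0.113.5", "198.51.100.1", 443, TCP, "eth1-01"),
                 ("203.0.113.5", "198.51.100.1", 22, TCP, "eth1-01")):
        print(conn, admit(full, 1000, 2000, RULES, conn))
```

The second sample connection (SSH) is exactly the management case the description mentions: a full table still admits it through the "22 6 Any" rule, while the HTTPS connection is refused.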

To add a reserved connection rule, enter 2, and follow the directions on the screen.
Enter source IP [0.0.0.0]:
>10.10.10.10
Enter source IP mask length [0]:
>24
Enter destination IP [0.0.0.0]:
>20.20.20.0
Enter destination IP mask length [0]:
>24
Enter destination port [0]:
>0
Enter IP protocol number (for example: tcp = 6, udp = 17):
>6
Enter interface number [0 = Any]:
0: Any
1: eth1-Mgmt4
2: eth2-Mgmt4
3: BPEth0
4: BPEth1
5: eth1-Mgmt1
6: eth1-CIN
7: eth1-01
8: eth2-Mgmt1
9: eth2-CIN
10: eth2-01
11: Sync
>0
OK to insert new reserved conn rule: <10.10.10.10/24, 20.20.20.0/24, 0, 6, Any> ? (y/n)
>y
entry inserted, rule will apply when new connection will be opened
Press enter to continue


To make sure that the feature is configured correctly:


1. Confirm that the value of the kernel global parameter fwconn_reserved_conn_active is
set to 1.
2. Run:
asg_reserved_conns
3. Enter:
1
4. Run:
fw tab -t reserved_conns_table
5. Confirm that the table contains the entries for the rules above.
6. Confirm that $FWDIR/bin/reserved_conns_table contains the rules of this feature.

To debug the feature:


1. Set the kernel global parameter fwreserved_conns_debug to 1
2. Use the conn kernel debug flag in the fw kernel debug module to see reserved connections
related debugs.

To troubleshoot the feature:


1. Run:
# fw tab -t reserved_conns_table
2. Confirm that the table contains the entries for the rules in this feature.
3. Confirm that $FWDIR/bin/reserved_conns_table contains the rules of this feature.
Important - Do not make changes to this file.
To delete all current rules from the kernel and reload the rules from
$FWDIR/bin/reserved_conns_tab, run:
# asg_reserved_conns -f
This is useful if network interface names changed or if
$FWDIR/bin/reserved_conns_table was edited directly.

Configuration
The feature works after installation without additional configuration.
The rules are stored in $FWDIR/bin/reserved_conns_table
The feature uses these kernel global variables:

Variable Description
fwconn_reserved_conn_active Enables or disables the feature
Valid values:
• 1 - Enabled
• Any other integer - Disabled
fwconn_reserved_limit Maximum allowed number of entries in
$FWDIR/bin/reserved_conns_table
Default: 2000


Policy Acceleration - SecureXL Keep Connections


To allow flow acceleration while a policy is pushed to the system:
1. From SmartDashboard, from the menu at the left, select Gateways & Servers.
2. Select your Gateway object.
The Security Gateway Properties window opens.
3. Select Other > Connection Persistence > Keep all connections.
4. Click OK.
Note - This option is enabled only if SecureXL is enabled and the Firewall is the only enabled
Software Blade.
5. Publish the session.
6. Install Policy.

Legacy Mode:
To allow Keep all connections while disabling SecureXL keep connections, in
$FWDIR/boot/modules/fwkern.conf, set cphwd_policy_accel to 0

Verification:
After policy installation, delete the old policy templates.

To make sure the templates of the old policy were deleted:


1. Run:
# g_fwaccel stats
2. Save the old value of the Policy deleted tmpl statistics.
3. Install the policy.
4. Run:
# g_fwaccel stats
5. Confirm that the templates were deleted.


VPN Performance Enhancements


These VPN performance enhancements are included in this release:
• SPI Based Traffic Distribution for SSM160 - Uses all SGMs to handle VPN traffic based on the
SPI instead of the IP address
• SPI affinity - Better traffic assignment to SGM CPU cores
• VPN Templates - Accelerates the session rate by adding VPN Templates to the SecureXL
technology

SPI Distribution
By default, the SSM160 distributes traffic to SGMs based on the IP address in the packet header.
This method can be inefficient with a small number of remote peers in a Site-to-Site VPN
topology: the SSM160 sees only the VPN tunnel IP addresses and therefore distributes the traffic
to only some of the SGMs.
To resolve this issue, you can enable SPI distribution for VPN traffic. Run this command in gClish:
# set distribution spi mode on|off
Important - You must not enable SPI distribution for the LTE Mode (on page 286) or when working
with 3rd party VPN peers.
Enabling SPI Distribution
When you enable SPI distribution, you must also run:
# g_update_conf_file fwha_vpn_sticky_tunnel_enabled=0
Disabling SPI Distribution
When you disable SPI distribution in LTE Mode or with a 3rd party peer, you must also run:
# g_update_conf_file fwha_vpn_sticky_tunnel_enabled=1
Note - SPI Distribution Mode is disabled by default.
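The reason IP-based distribution starves SGMs with few peers is easy to see numerically: all packets of one tunnel share one address pair, so they all land on one SGM, whereas each IPsec SA carries its own SPI. The following Python model is an added example and is not the SSM160 distribution algorithm, which this page does not document: the hash function, the SGM count and the ESP packet sample are constructed assumptions, and the fallback of clear (non-ESP) packets to the address pair in SPI mode is an assumption as well. It only illustrates why a handful of Site-to-Site peers use few SGMs under IP distribution and spread out under SPI distribution.

```python
import hashlib
from collections import Counter


def _bucket(key, n_sgms):
    """Map a key onto one of n SGMs. sha256 is used only to get a stable, well-mixed hash."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_sgms


def distribute(packets, n_sgms, mode):
    """Count packets per SGM.

    packets: (src_ip, dst_ip, spi) with spi None for clear (non-ESP) traffic.
    mode 'ip' keys on the address pair; mode 'spi' keys on the SPI and falls back to the
    address pair for clear traffic (assumption about the fallback).
    """
    if mode not in ("ip", "spi"):
        raise ValueError("mode must be 'ip' or 'spi'")
    load = Counter()
    for src, dst, spi in packets:
        if mode == "spi" and spi is not None:
            key = f"spi:{spi:08x}"
        else:
            key = f"ip:{src}>{dst}"
        load[_bucket(key, n_sgms)] += 1
    return load


def make_vpn_packets(n_peers, sas_per_peer, pkts_per_sa):
    """Constructed ESP sample: few tunnel endpoints, one SPI per IPsec SA, many packets."""
    packets, spi = [], 0x1000
    for p in range(n_peers):
        peer = f"198.51.100.{p + 1}"        # documentation range, not a real peer
        for _ in range(sas_per_peer):
            spi += 0x9E37                   # arbitrary step; SPIs only need to be unique
            packets.extend([("203.0.113.10", peer, spi)] * pkts_per_sa)
    return packets


def sgms_used(packets, n_sgms, mode):
    """Number of SGMs that receive at least one packet."""
    return len(distribute(packets, n_sgms, mode))


if __name__ == "__main__":
    pkts = make_vpn_packets(n_peers=2, sas_per_peer=50, pkts_per_sa=10)
    for mode in ("ip", "spi"):
        load = distribute(pkts, 10, mode)
        print(f"{mode:>3} distribution: {len(load)} of 10 SGMs busy, "
              f"max {max(load.values())} packets on one SGM")
```

The same model shows the caveat in the notes under asg_spi_affinity: clear packets have no SPI, so in SPI mode they still follow the address pair, and a link carrying mostly clear traffic gains nothing from the change.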

SPI Affinity (asg_spi_affinity)


Description
The asg_spi_affinity command helps improve VPN performance with more efficient traffic
assignment to SGMs and SGM cores. Typically, most VPN traffic goes to the same tunnel IP
addresses. Because traffic is usually assigned to SGMs based on the destination IP address, VPN
traffic is frequently assigned to the same SGMs. The solution is to assign VPN traffic to SGMs
based on the SPI field in the packet header as an alternative to the IP address.
A related issue occurs with Multi-core VLAN traffic, where traffic is assigned to CPU cores based
on IP addresses. As with VPN traffic, asg_spi_affinity can also assign VLAN traffic to CPU
cores based on the SPI field.
Run this command in the Expert mode.

Syntax
# asg_spi_affinity mode <ssm_id> {on | off}
# asg_spi_affinity vlan <ssm_id> {on | off}
# asg_spi_affinity verify

60000/40000 Security Systems Administration Guide R76SP.50 | 311


System Optimization

Parameters
Parameter Description
mode Configures VPN affinity for the specified SSMs.
vlan Configures VLAN affinity for all interfaces of the specified SSMs.
verify Shows SPI affinity status.
<ssm_id> SSM ID
Valid values:
• Integer between 1 and 4
• all - All SSMs
on | off Enables (on) or disables (off) SPI affinity.
You must enable VLAN and mode (VPN) affinity separately.

Notes:
• If some SSM interfaces are not configured as VLANs, we recommend that you enable VLAN
affinity only if most traffic passes through VLAN interfaces.
• SPI affinity can affect the distribution of clear packets. We recommend that you use SPI affinity
only if most of the inbound traffic is VPN traffic.

Example - Enable VPN affinity for SSM1:


# asg_spi_affinity mode 1 on

Example - Disable VPN affinity for SSM2:


# asg_spi_affinity mode 2 off

Example - Enable VLAN affinity for all interfaces of all SSMs:


# asg_spi_affinity vlan all on

Example - Disable VLAN affinity for all interfaces of all SSMs:


# asg_spi_affinity vlan all off

VPN Templates (cphwd_offload_vpn_templates)


VPN templates accelerate the session rate, particularly for short connections (HTTP, DNS). These
templates, which are part of the SecureXL template set, let you create new connections in the
acceleration layer. They only send a notification to the Firewall layer if the connection is too long
or if an F2F attack is detected. VPN templates are disabled by default.

To enable VPN templates:


1. Change the value of the kernel parameter cphwd_offload_vpn_templates to 1:
> update_conf_file fwkern.conf cphwd_offload_vpn_templates=1
2. Reboot all SGMs:
> reboot -b all


To disable VPN templates:


1. Change the value of the kernel parameter cphwd_offload_vpn_templates to 0:
> update_conf_file fwkern.conf cphwd_offload_vpn_templates=0
2. Reboot all SGMs:
> reboot -b all

Using Third Party VPN Peers with Many External Interfaces


When you use third-party VPN peers and have multiple external interfaces on the Scalable
Platform, you must configure the SGMs and the Management Server.

To configure the Scalable Platform:


1. Run this command on the SMO:
# g_update_conf_file $FWDIR/modules/vpnkern.conf ipsec_use_p1_src_ip=1
2. Reboot all SGMs:
# g_reboot -a

To configure the Management Server:


1. Edit the applicable vpn_table.def file. See sk92332
http://supportcontent.checkpoint.com/solutions?id=sk92332.
2. Add this line to the configuration file:
dynamic_ipsec_source_address = dynamic sync keep expires EX_INFINITE;
3. In SmartDashboard, install policy.


SCTP Acceleration
To enable SCTP Acceleration:
1. In SmartDashboard, create an SCTP service of type Other that uses IP protocol 132.
2. Enable Accept Replies in the Advanced tab of the SCTP service.
3. On the Scalable Platform, connect to the SMO in Expert Mode: > shell
4. Edit the $FWDIR/boot/modules/fwkern.conf file.
If the file does not exist, create it.
5. Add sxl_accel_proto_list=132 to the file.
6. Edit the $PPKDIR/boot/modules/simkern.conf file.
If the file does not exist, create it.
7. Add sim_accel_non_tcpudp_proto=1 to the file.
8. Copy the files to all SGMs:
# g_cp2blades $FWDIR/boot/modules/fwkern.conf
# g_cp2blades $PPKDIR/boot/modules/simkern.conf
9. Reboot all SGMs:
# g_reboot -a


Configuring DNS Session Rate


To improve the DNS session rate, the Scalable Platform includes these enhancements:
• Delayed Connection - When a DNS connection matches a SecureXL template, the Scalable
Platform firewall is not immediately notified. The notification is delayed by the number of
seconds set in the global parameter cphwd_udp_selective_delay_ha. During the delay, the
connection is handled fully by the acceleration device.
Note - If the acceleration device does not handle the connection, or closes it during the delay
period, the firewall is notified in the usual manner.
• Delete on Reply - After the DNS reply is received, the connection is immediately deleted from
the gateway instead of being kept for an additional 40 seconds (the default UDP connection
timeout).
To make the enhancements permanent, set the delay in fwkern.conf. Run:
> update_conf_file fwkern.conf cphwd_udp_selective_delay_ha=<delay>

Extending Session Rate Enhancements to other UDP Services:


You can extend the benefits of these two DNS session rate enhancements to other services. Use
cphwd_delayed_udp_ports in fwkern.conf to change the value.
For example, to add UDP service 100 to the list, run:
> update_conf_file fwkern.conf cphwd_delayed_udp_ports=53,100,0,0,0,0,0,0

Notes:
• This is the only way to extend the DNS session rate enhancements to other UDP services.
• The number of services is limited to 8. The command must contain 8 values. If you have to
configure fewer than 8 services, enter 0 for the others.
• The fw ctl set int command is not supported.
• The configuration takes effect only after reboot.

Improving the DNS Session Rate


To improve the speed of the DNS session, run:
> fw ctl set int cphwd_udp_selective_delay_ha <delay_secs>
> fwaccel off
> fwaccel on


Delaying DNS Connections


• To confirm that connections are delayed by the configured value, open DNS connections from
one client to one server and run:
> fwaccel templates
Source SPort Destination DPort PR Flags Conns Open LCT DLY
--------------- ----- --------------- ----- -- --------- ------ ------ ---- ---
10.33.87.12 * 192.168.15.31 53 17 ......... 25 0 2 30
The DLY value must match <delay_secs>.
Note - The default value of this parameter is 30 seconds. The maximum value is 60 seconds.
• To disable both Delayed Connection and Delete on Reply:
• To turn off the delay:
fw ctl set int cphwd_udp_selective_delay_ha 0
• To remove all services, use the cphwd_delayed_udp_ports parameter.
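The following script is an added example, not Check Point code, and does not run on the SGMs. It builds the cphwd_delayed_udp_ports value with the mandatory 8 entries (padding with 0 and refusing more than 8 services), builds the delay parameter within the documented 0 to 60 second range, and checks the DLY column of fwaccel templates output against the configured delay. The fwaccel templates output inside the script is constructed from the sample above; the function names are the example's own.

```python
"""Added example (not Check Point code): build the cphwd_delayed_udp_ports value
with the mandatory 8 entries, and check the DLY column of `fwaccel templates`
output against the configured delay. The sample output below is constructed."""

MAX_DELAYED_UDP_SERVICES = 8   # the parameter must always carry exactly 8 values
DEFAULT_DELAY_SECS = 30        # documented default for cphwd_udp_selective_delay_ha
MAX_DELAY_SECS = 60            # documented maximum
DNS_PORT = 53


def delayed_udp_ports_value(ports):
    """Return the fwkern.conf line for cphwd_delayed_udp_ports.

    Duplicates are removed, the list is padded with 0 up to 8 entries, and
    more than 8 services is rejected because the parameter has no room for them.
    """
    unique = list(dict.fromkeys(int(p) for p in ports))  # dedupe, keep order
    if len(unique) > MAX_DELAYED_UDP_SERVICES:
        raise ValueError(
            f"at most {MAX_DELAYED_UDP_SERVICES} UDP services, got {len(unique)}")
    for port in unique:
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid UDP port {port}")
    padded = unique + [0] * (MAX_DELAYED_UDP_SERVICES - len(unique))
    return "cphwd_delayed_udp_ports=" + ",".join(str(p) for p in padded)


def selective_delay_value(delay_secs):
    """Return the fwkern.conf line for the delay; 0 turns the feature off."""
    if not 0 <= delay_secs <= MAX_DELAY_SECS:
        raise ValueError(f"delay must be 0..{MAX_DELAY_SECS} seconds")
    return f"cphwd_udp_selective_delay_ha={delay_secs}"


# Constructed `fwaccel templates` output: one DNS template with DLY 30 and one
# template for UDP port 100 that is not delayed (DLY 0).
SAMPLE_TEMPLATES = """\
Source          SPort Destination     DPort PR Flags     Conns  Open   LCT  DLY
--------------- ----- --------------- ----- -- --------- ------ ------ ---- ---
10.33.87.12     *     192.168.15.31   53    17 ......... 25     0      2    30
10.33.87.12     *     192.168.15.31   100   17 ......... 3      0      1    0
"""


def parse_templates(output):
    """Turn the whitespace-separated table into a list of dicts keyed by header."""
    lines = [line for line in output.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[2:]:            # skip the header and the dashed separator
        fields = line.split()
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def templates_with_wrong_delay(output, expected_delay, dport=DNS_PORT, proto=17):
    """Return (source, destination, dly) for templates on dport/proto whose
    DLY column does not match the configured delay; an empty list means OK."""
    wrong = []
    for row in parse_templates(output):
        if row["DPort"] == str(dport) and row["PR"] == str(proto):
            dly = int(row["DLY"])
            if dly != expected_delay:
                wrong.append((row["Source"], row["Destination"], dly))
    return wrong


if __name__ == "__main__":
    print(delayed_udp_ports_value([DNS_PORT, 100]))
    print(selective_delay_value(DEFAULT_DELAY_SECS))
    print(templates_with_wrong_delay(SAMPLE_TEMPLATES, DEFAULT_DELAY_SECS))
```

Run it against saved fwaccel templates output after a reboot to confirm that every DNS template carries the delay you configured; a template on a port that you added to cphwd_delayed_udp_ports but that still shows DLY 0 means the configuration file change has not taken effect yet.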

Enabling Delete on Reply


To enable Delete on Reply for R77.xx Management Server:
1. Make sure SmartDashboard is disconnected.
2. Open the GuiDBedit Tool http://supportcontent.checkpoint.com/solutions?id=sk13009.
3. Go to Services > domain-udp.
4. In domain-udp, change the value of the attribute delete_on_reply from false to true.
5. From the File menu, click Save All.
6. Close the GuiDBedit Tool.
7. Connect with SmartDashboard to your Management Server.
8. Install Policy.

To enable Delete on Reply for R80.xx Management Server:


1. Connect with SmartConsole to your Management Server.
2. Go to the Objects menu > Object Explorer > Services.
3. Select UDP and find the domain-udp service.
4. Right-click the domain-udp service and select Clone.
The New UDP Service window opens.
a) On the General tab, enter the desired name and, in the Protocol field, select DNS_UDP.
b) From the Advanced tab, configure the applicable settings.
5. Click OK.
6. Close the Object Explorer.
7. From the menu at the left, click Security Policies.
8. In the Access Control section, click Policy.
9. Configure policy rules for the new cloned service.
10. Publish the session.
11. Install Policy.


To disable both Delayed Connection and Delete on Reply:


• To turn off:
g_fw ctl set int cphwd_udp_selective_delay_ha 0
• To remove all services:
cphwd_delayed_udp_ports

Extending Session Rate Enhancements to Other UDP Services


You can extend the benefits of these two DNS session rate enhancements to other services. Add
the cphwd_delayed_udp_ports parameter to the $FWDIR/boot/modules/fwkern.conf
file to change the value.
For example, to add UDP service 100 to the list, run:
> update_conf_file fwkern.conf cphwd_delayed_udp_ports=53,100,0,0,0,0,0,0

The number of services is limited to 8. The command must contain 8 values. If you have to
configure fewer than 8 services, enter 0 for the others.

Notes:
• The fw ctl set int command does not work for this parameter, which is read-only.
• Changes in the $FWDIR/boot/modules/fwkern.conf file take effect only after reboot.
• This is the only way to extend the DNS session rate enhancements to other UDP services.


Accelerated Drop Enhancement


Use Accelerated Drop Enhancement to enforce drop rules in SecureXL on new or accelerated
connections, without policy installation.

To configure Accelerated Drop Enhancement:


1. From Expert Mode, edit $PPKDIR/conf/sim_drop_rules.conf
2. On the local SGM, run:
asg_sim_dropcfg

Limitations:
• Accelerated Drop Enhancement does not support IPv6.
• Accelerated Drop Enhancement and the sim template quota exclude list (sim tmplquota -f)
cannot be enabled at the same time.
• Accelerated Drop Enhancement enforces rules only if SecureXL is on. For example, it does not
enforce rules during policy installation.
• Accelerated Drop Enhancement is not supported for VSX environments.

Configuration File
Add the drop rules to this file on the local SGM only. Each line must contain one rule, and each
rule must contain one or more parameters.

Syntax Description
src <Source IP> [<Subnet>] Source address; the subnet is optional
dst <Destination IP> [<Subnet>] Destination address; the subnet is optional
dport <Destination port> Valid port number
proto <IP protocol> An integer that represents a protocol, according to the IANA Protocol
Numbers https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

Example:
src 1.1.1.0/24 dst 2.2.0.0/16 dport 53 proto 17


Control Commands
To send commands to the local SGM in command-line mode:
# asg_sim_dropcfg [enforce [-before | -ext | -nolog] | disable] [status] [conf [-comp]] [stats] [fix]

Parameters
Parameter Description
enforce Applies configuration to SecureXL to start rule enforcement.
enforce -before Tests packets against drop rules, and then against a connection or a
template.
Use this option to apply drop rules to a new or an existing connection.
enforce -ext Enforces drop rules only on external interfaces.
Default is enforce rules on all interfaces.
enforce -nolog Disables the automatic log that is sent to the Management Server.
disable Disables enforcement of rules.
status Shows configuration file and SecureXL configuration status.
conf Shows configuration file settings.
conf -comp Compares configuration files between SGMs.
stats Shows drop counters for each SGM.
fix Sets a consistent configuration across SGMs.
If this fails, disable Accelerated Drop Enhancement.
Use this option for error recovery.

Example
To enforce drop rules in the configuration file on external interfaces of new and existing
connections:
# asg_sim_dropcfg enforce -before -ext
To disable enforcement, run:
# asg_sim_dropcfg disable


Configuring Hyper-Threading
Description
Hyper-Threading lets a compatible operating system run more than one process at the same time
on a CPU core. A Hyper-Threading processor adds one or more logical processors, which the
operating system sees as independent processors.
To enable hyper-threading from Expert Mode, run:
# g_cpconfig

Syntax
# g_cpconfig ht stat
# g_cpconfig ht enable
# g_cpconfig ht disable
# g_cpconfig ht show stat

Parameters
Parameter Description
stat Shows whether Hyper-Threading is enabled for the Scalable Platform
enable Enables Hyper-Threading
disable Disables Hyper-Threading
show stat Shows the Hyper-Threading status for all SGMs

Important
• Hyper-Threading is enabled by default on the SGM260.
• You must reboot all SGMs after you enable or disable Hyper-Threading.

Configuring CoreXL (g_cpconfig)


Description
Use the g_cpconfig command to configure CoreXL on the Scalable Platform.
The number of instances for the VSX Gateway is limited to the physical number of CPU cores on
the Scalable Platform.
Note - If you run this command in a Virtual System, the output applies to VS0.

Syntax
> g_cpconfig corexl stat
> g_cpconfig corexl enable <n> [-6 <k>]
> g_cpconfig corexl disable
> g_cpconfig corexl instances <n> [-6 <k>]
> g_cpconfig corexl show instances
> g_cpconfig corexl show stat


Parameters
Parameter Description
stat Shows current status and number of instances on all SGMs.
enable <n> [-6 <k>] Enables CoreXL
<n> - Number of IPv4 Firewall instances
-6 <k> - Number of IPv6 Firewall instances
Valid values: 2 - 32
Default - 16
disable Disables CoreXL.

instances <n> [-6 <k>] Changes the number of instances
<n> - Number of IPv4 Firewall instances
-6 <k> - Number of IPv6 Firewall instances
Valid values: 2 - 32
Default - 16
show instances Shows the number of instances on each blade
show stat Shows the status on each blade


Example - Enabling CoreXL:


> g_cpconfig corexl enable 8 -6 8
-*- 5 blades: 1_01 1_02 2_01 2_02 2_04 -*-
rx_num for ixgbe interfaces was set to: 16

CoreXL was successfully enabled with 8 IPv4 and 8 IPv6 firewall instances.

Important: This change will take effect after rebooting all blades.

Example - Showing CoreXL status for each SGM:


> g_cpconfig corexl show stat
blade 1_01 corexl is enabled
blade 1_02 corexl is enabled
blade 1_03 corexl is enabled

CoreXL configuration on a Virtual System:


When you change the number of CoreXL instances in a Security Gateway environment, all CPUs
not assigned to CoreXL are assigned to SecureXL. When you change the number of CoreXL
instances in a VSX Gateway environment, you only change the number of user-mode threads. This
has no effect on SecureXL affinity. The number of CPUs assigned to SecureXL does not change.
This example shows a system with 12 CPUs and 3 Virtual Systems:
> g_cpconfig corexl instances 3
• Each Virtual System has 1 CoreXL instance
• CPUs 0 - 7 are assigned to Firewall packet inspection
• CPUs 8 - 11 are assigned to Performance Pack
• The number of CoreXL instances (user-mode threads) changes from 1 to 3. Each Virtual
System still has one CoreXL instance


Working with Jumbo Frames


The Scalable Platform supports Jumbo Frames with a total size of:
• Up to 12,200 bytes for the SSM160
• Up to 9,416 bytes for the SSM440
• Up to 9,702 bytes for the SGM400
Note - Carefully calculate the MTU. For example: IPsec or GRE traffic adds bytes to the header
and this leaves fewer bytes for the data payload.

Configuring Jumbo Frames on Scalable Platform


Configuring SGMs (set interface):
Use set interface <if_name> mtu <size> to configure Jumbo Frames for each applicable
interface on an SGM.
To enable Jumbo Frames, you must set the MTU on at least one interface to more than 1500. In a
Dual Chassis environment, this enables Jumbo Frames on both Chassis.
Note - This command can take several seconds to complete.

Syntax
> set interface <if_name> mtu <size>

Parameters
Parameter Description
<if_name> Interface name as defined in the operating system
<size> MTU size
Allowed values:
• 68 - 12,200 for SSM160
• 68 - 9,416 for SSM440
• 68 - 9,702 for SGM400

Example
> set interface eth1-01 mtu 9000
1_02:
Note: MTU changes are propagated to the SSMs. Use "asg_jumbo_conf show" to validate changes

Confirming Jumbo Frames Configuration on SSM160/SSM440


To run the validation test on the SSM:
1. Show the Jumbo Frames configuration on the specified SSM:
> asg_chassis_ctrl jumbo_frames show <ssm_id>
2. Show the configured MTU on the specified port:
> asg_chassis_ctrl get_port_mtu <ssm_id> <port_id>


Example:
# asg_chassis_ctrl jumbo_frames show 1
Jumbo frames are enabled on SSM1
# asg_chassis_ctrl get_port_mtu 1 1
MTU of port 1 on SSM1 is 1544

Confirming Jumbo Frames on SGMs and SGM Interfaces (asg_jumbo_conf show)
Description
You can confirm configuration on SGMs and SGM interfaces.
Use the asg_jumbo_conf show command in the Expert mode to:
• Make sure that Jumbo Frames are enabled on the SGMs
• See the configured MTU values on SGM interfaces configured for Jumbo Frames

Syntax
# asg_jumbo_conf show [-v]

Parameters
Parameter Description
-v Detailed report (verbose)

Example
[Expert@MyChassis-ch01-01:0]# asg_jumbo_conf show -v
Jumbo frames are enabled on SGMs (SSM1 max MTU: 12288 SSM2 max MTU: 12288 )
Retrieving SSMs Jumbo frames configuration
Chassis1
SSMs:
Jumbo frames are enabled on SSM1
Jumbo frames are enabled on SSM2
Interfaces MTU configuration:
interface:BPEth0:mtu 12288
interface:BPEth1:mtu 12288
The MTU of all the interfaces which are not in the list is 1500
[Expert@MyChassis-ch01-01:0]#

Configuring Jumbo Frames on VSX


1. Connect with SmartDashboard to the Management Server.
2. Open the Scalable Platform Chassis object.
3. Click Topology.
4. Edit the relevant interface.
5. On the General tab, configure valid MTU value.
6. Click OK.
7. Install the policy on the Scalable Platform object.


Disabling Jumbo Frames


Description
Use the Gaia gClish command set interface to disable Jumbo Frames by changing the MTU of
each interface to 1500 or lower.

Syntax
> set interface <interface> mtu {1500..1}

Example
> set interface eth1-01 mtu 1500
1_02:

Note - MTU changes are propagated to the SSMs. Use asg_jumbo_conf show to validate
changes.

To disable Jumbo Frames on a VSX:


1. Open SmartDashboard and connect to the Management Server.
2. Open the Scalable Platform Chassis Object.
3. Open Topology.
4. Edit the interface.
5. On the General tab, set MTU.


TCP MSS Adjustment


Description
TCP MSS Adjustment clamps the MSS (Maximum Segment Size) of TCP traffic by rewriting the MSS
value carried in the OPTIONS field of the TCP header.
This feature prevents fragmentation when the MTU value on the communication path is lower
than the MSS value.

Syntax
> fw ctl set int {clamp_mss | mss_value} <num>

Parameters
Parameter Description
clamp_mss <num> Enables or disables MSS Adjustment:
• 0 - Disable (default)
• 1 - Enable
mss_value <num> MSS value. If the value is set to 0, the MSS value is based on the
interface's MTU.

Notes:
• To make the modified parameters, including the state (ON/OFF), persistent, use the
g_update_conf command in the Expert Mode to add them to the
$FWDIR/boot/modules/fwkern.conf file.
• Verification - Use a packet sniffer to make sure that the MSS is clamped according to the
configuration when the feature is enabled.
• The MSS value is applied on all interfaces, including Management.
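The following script is an added example, not Check Point code, that shows what MSS clamping does to a packet so that you know what to look for in a packet sniffer: it walks the TCP options of a SYN segment, lowers the MSS option when it is larger than the value derived from the path MTU, and recomputes the TCP checksum. The SYN segments are constructed in the script. The guide does not publish the product's own MTU-to-MSS formula; mss_from_mtu uses the conventional IPv4 value (MTU minus the 20-byte IPv4 header and the 20-byte TCP header), which is an assumption.

```python
"""Added example (not Check Point code): clamp the TCP MSS option of a SYN
segment to a value derived from the path MTU and fix up the TCP checksum.
The segments below are constructed; the MTU-to-MSS formula is the conventional
IPv4 one and is an assumption about what an MSS clamp does."""
import socket
import struct

IPV4_HEADER_LEN = 20
TCP_MIN_HEADER_LEN = 20
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
TCP_FLAG_SYN = 0x02


def mss_from_mtu(mtu):
    """Conventional IPv4 MSS: MTU minus the IPv4 and TCP base headers."""
    return mtu - IPV4_HEADER_LEN - TCP_MIN_HEADER_LEN


def tcp_checksum(src_ip, dst_ip, segment):
    """Ones'-complement checksum over the IPv4 pseudo-header plus the segment.
    Returns 0 when called on a segment whose checksum field is already correct."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _options(segment):
    """Yield (kind, offset, length) for each TCP option, stopping at EOL."""
    end = min((segment[12] >> 4) * 4, len(segment))   # data offset in bytes
    i = TCP_MIN_HEADER_LEN
    while i < end:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            yield kind, i, 1
            i += 1
            continue
        if i + 1 >= end or segment[i + 1] < 2:
            return                           # truncated or malformed option
        length = segment[i + 1]
        yield kind, i, length
        i += length


def read_mss(segment):
    """Return the MSS option value, or None when the segment carries none."""
    for kind, off, length in _options(segment):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_mss(src_ip, dst_ip, segment, max_mss):
    """Return (segment, original_mss). Only SYN segments carry MSS; the value is
    lowered to max_mss when it is larger, and the checksum is recomputed."""
    if not segment[13] & TCP_FLAG_SYN:
        return segment, None
    original = read_mss(segment)
    if original is None or original <= max_mss:
        return segment, original
    buf = bytearray(segment)
    for kind, off, length in _options(segment):
        if kind == TCP_OPT_MSS and length == 4:
            struct.pack_into("!H", buf, off + 2, max_mss)
    struct.pack_into("!H", buf, 16, 0)       # zero the checksum field, then refill it
    struct.pack_into("!H", buf, 16, tcp_checksum(src_ip, dst_ip, bytes(buf)))
    return bytes(buf), original


def build_syn(src_ip, dst_ip, sport, dport, mss, seq=1000):
    """Constructed SYN with a single MSS option (4 bytes) and a valid checksum."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_MIN_HEADER_LEN + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                         data_offset << 4, TCP_FLAG_SYN, 65535, 0, 0) + options
    csum = tcp_checksum(src_ip, dst_ip, header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


if __name__ == "__main__":
    syn = build_syn("10.0.0.1", "10.0.0.2", 40000, 443, 1460)
    clamped, before = clamp_mss("10.0.0.1", "10.0.0.2", syn, mss_from_mtu(1400))
    print("MSS before:", before, "after:", read_mss(clamped))
```

When you verify the feature with a sniffer, capture the SYN on both sides of the gateway: the MSS option on the outbound copy should be the clamped value, and the TCP checksum should still validate, as the example's tcp_checksum check demonstrates.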

Debugging:
1. Enable SIM debug:
> sim dbg -m pkt + pkt
2. Start fw debugging:
> fw ctl zdebug + packet
3. Look for output that contains the string:
MSS


Working with Session Control (asg_session_control)


Description
Use the asg_session_control command in the Expert mode to limit the rate at which new
communication sessions are opened, based on a predefined set of rules.
This command is also known as Session Rate Throttling.
Create session control rules in the $FWDIR/conf/control_rules file.
Note - Session rate control is disabled by default.

Syntax
# asg_session_control {apply | disable | stats | verify}

Parameters
Parameter Description
No Parameters Shows the command syntax and help information
apply Applies session rate rules to all SGMs
disable Disables session rate rules for all SGMs
stats Shows all session rate rules and dropped traffic statistics
verify Confirms that the session rate rules are the same on all SGMs


Defining Session Control Rules


Define session rate rules in the $FWDIR/conf/control_rules file. Use one line for each rule.
Each rule must contain the limit parameter. The other parameters are optional.
Important - Define rules as specifically as possible so that more than one rule cannot apply to the
same traffic. Overlapping rules can cause unpredictable results.
Best Practice - Explicitly define all parameters in each rule.

Rule Syntax
[src <ip>/<mask>] [dst <ip>/<mask>] [dport <port>] [proto <protocol_id>] [limit
<rate>] [limit_ongoing 0|1]

Parameters
Parameter Description
src <ip>/<mask> Source IP address and net mask
dst <ip>/<mask> Destination IP address and net mask
dport <port> Destination port
proto <protocol_id> Protocol code, typically 6 (TCP) or 17 (UDP). To learn more about protocol
codes, see IANA protocol codes
https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
limit <rate> Maximum number of new connections allowed per second
limit_ongoing 0|1 • 0 - Do not limit the number of packets on an established connection
• 1 - Limit the number of packets on an established connection

Rule Example 1:
src * dst 1.1.1.0/24 dport 67 proto 17 limit 20 limit_ongoing 1

This rule defines a limit of 20 new connections per second for traffic going from all sources to:
• Network 1.1.1.0/24
• Port 67
• Using protocol 17 (UDP)
• Including current connections

Rule Example 2:
dst 1.1.1.1/32 dport 80 proto 6 limit 13

This rule defines a limit of 13 new connections per second for traffic going from all sources to:
• Host 1.1.1.1/32
• Port 80
• Using protocol 6 (TCP)


Notes:
• New connections above the specified limit are dropped.
• If you do not include a parameter, the rule applies to all values for that parameter.
For example, if you do not include the src parameter, the rule applies to all source addresses.
• The * character as a parameter value explicitly means that a rule applies to all values.
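The following script is an added example, not Check Point code, that serves both the Accelerated Drop Enhancement configuration file above and the session control rules in this section, since both use the same one-rule-per-line key/value syntax. It parses rules (with * and omitted parameters matching all values), matches packets against them, reports overlapping session control rules, which the guide warns give unpredictable results, applies the drop rules to sample packets, and simulates the per-second new-connection limit with Attempts and Drops counters like the stats output. The packets and the third control rule are constructed; first-match-wins ordering between overlapping rules and the exact per-second window are assumptions of the example, not documented product behaviour.

```python
"""Added example (not Check Point code): parse the one-rule-per-line syntax used
by $PPKDIR/conf/sim_drop_rules.conf and $FWDIR/conf/control_rules, match packets
against the rules, flag overlapping session control rules, and simulate the
per-second new-connection limit with Drops/Attempts counters. Traffic and the
third control rule are constructed; first-match-wins ordering is an assumption."""
import ipaddress

ANY = "*"
KEYS = ("src", "dst", "dport", "proto", "limit", "limit_ongoing")


def _net(value):
    """'*' means any address; a bare IP is treated as a /32 host."""
    return None if value == ANY else ipaddress.ip_network(value, strict=False)


def parse_rule(line):
    """Parse `key value` pairs; missing keys (or '*') match all values."""
    tokens = line.split()
    if len(tokens) % 2:
        raise ValueError(f"rule needs key/value pairs: {line!r}")
    rule = dict.fromkeys(KEYS, None)
    rule["limit_ongoing"] = 0
    for key, value in zip(tokens[::2], tokens[1::2]):
        if key not in KEYS:
            raise ValueError(f"unknown parameter {key!r} in {line!r}")
        if key in ("src", "dst"):
            rule[key] = _net(value)
        else:
            rule[key] = None if value == ANY else int(value)
    return rule


def matches(rule, pkt):
    """pkt is (src_ip, dst_ip, dport, proto); None in a rule field matches all."""
    src, dst, dport, proto = pkt
    return ((rule["src"] is None or ipaddress.ip_address(src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(dst) in rule["dst"])
            and (rule["dport"] is None or rule["dport"] == dport)
            and (rule["proto"] is None or rule["proto"] == proto))


def _can_overlap(a, b, key):
    if a[key] is None or b[key] is None:
        return True
    return a[key].overlaps(b[key]) if key in ("src", "dst") else a[key] == b[key]


def overlapping_rules(rules):
    """1-based ID pairs of rules that could both apply to the same packet."""
    return [(i + 1, j + 1)
            for i in range(len(rules)) for j in range(i + 1, len(rules))
            if all(_can_overlap(rules[i], rules[j], k)
                   for k in ("src", "dst", "dport", "proto"))]


def accelerated_drop_verdict(drop_rules, pkt):
    """True when any drop rule matches, i.e. the packet would be dropped."""
    return any(matches(r, pkt) for r in drop_rules)


class SessionRateLimiter:
    """Counts new connections per rule per wall-clock second; connections above
    `limit` are dropped. Attempts/Drops mirror the `stats` output columns."""

    def __init__(self, rules):
        self.rules = rules
        self.attempts = [0] * len(rules)
        self.drops = [0] * len(rules)
        self._window = {}                    # rule index -> (second, count)

    def new_connection(self, pkt, ts):
        for idx, rule in enumerate(self.rules):   # first matching rule decides
            if rule["limit"] is None or not matches(rule, pkt):
                continue
            self.attempts[idx] += 1
            second, count = self._window.get(idx, (None, 0))
            if second != int(ts):
                second, count = int(ts), 0
            if count >= rule["limit"]:
                self._window[idx] = (second, count)
                self.drops[idx] += 1
                return "drop"
            self._window[idx] = (second, count + 1)
            return "accept"
        return "accept"                     # no rule with a limit matched


# Constructed data: the guide's two control rules plus one that overlaps rule 1,
# and the guide's drop rule example.
CONTROL_RULES = [parse_rule(line) for line in (
    "src * dst 1.1.1.0/24 dport 67 proto 17 limit 20 limit_ongoing 1",
    "dst 1.1.1.1/32 dport 80 proto 6 limit 13",
    "dst 1.1.1.0/24 proto 17 limit 5",
)]
DROP_RULES = [parse_rule("src 1.1.1.0/24 dst 2.2.0.0/16 dport 53 proto 17")]


def simulate_udp67_burst(n=25, ts=100.0):
    """n new UDP/67 connections into 1.1.1.0/24 within one second; returns
    (attempts, drops) for rule 1 using only the guide's two rules."""
    limiter = SessionRateLimiter(CONTROL_RULES[:2])
    for i in range(n):
        limiter.new_connection((f"10.0.0.{i + 1}", "1.1.1.5", 67, 17), ts)
    return limiter.attempts[0], limiter.drops[0]


if __name__ == "__main__":
    print("overlapping rule IDs:", overlapping_rules(CONTROL_RULES))
    print("attempts, drops:", simulate_udp67_burst())
```

Run overlapping_rules over your control_rules file before asg_session_control apply; any reported pair is a rule set the guide says to avoid, and the verify option then only tells you the rules are identical on all SGMs, not that they are unambiguous.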

Disabling Session Control


Description
This command disables the session control rules.

Syntax
asg_session_control disable

Example
-*- 2 blades: 1_01 1_02 -*-
Resetting session rate entries
Session rate entries configured successfully

Applying Session Control Rules


Description
This command applies the session control rules.

Syntax
asg_session_control apply

Example
-*- 2 blades: 1_01 1_02 -*-
Rule ID Source Destination DPort PR Limit Ongoing
------- ------------------ ------------------ ----- --- ----- -------
1 * 1.1.1.0/24 67 17 20 1
2 * 2.2.2.2/32 80 6 13 0


Showing Session Control Statistics


Description
This command shows the session control rules and their drop statistics.

Syntax
asg_session_control stats

Example
1_01:
Rule ID Source Destination DPort PR Limit Drops Attempts
------- ------------------ ------------------ ----- --- ----- ------------- -------------
1 * 1.1.1.0/24 67 17 20 3 19
2 * 2.2.2.2/32 80 6 13 0 12

1_02:
Rule ID Source Destination DPort PR Limit Drops Attempts
------- ------------------ ------------------ ----- --- ----- ------------- -------------
1 * 1.1.1.0/24 67 17 20 0 19
2 * 2.2.2.2/32 80 6 13 2 13

The output shows the session control rules for each SGM and the connections dropped by each
rule.


Acceleration Not Disabled Because of Traceroute Rule (asg_tmpl_special_svcs)
Description
This feature safely prevents security policy rules with the Traceroute service from disabling
acceleration for all subsequent rules.

Syntax
> asg_tmpl_special_svcs {on | off}

Parameters
Parameter Description
on Acceleration is not disabled because of Traceroute rules
off Acceleration is disabled because of Traceroute rules

Example
> asg_tmpl_special_svcs on

Notes:
• This feature requires a hotfix on the R76 Management Server. For this hotfix, contact Check
Point Support https://www.checkpoint.com/support-services/contact-support/.
• For this feature to work correctly, the Traceroute service object in SmartDashboard must
remain with default settings and not be customized.


Improving Inbound HTTPS Performance


You can improve the performance of inbound HTTPS traffic from outside the organization.
To improve the performance of inbound HTTPS, run:
> fw ctl set int choose_active_streaming 0
To restore the default HTTPS performance settings, run:
> fw ctl set int choose_active_streaming 1

Supported SSL Ciphers


These SSL ciphers are supported on internal HTTPS servers when the parameter
choose_active_streaming is set to 0:
• RSA+AES
• RSA+RC4
• RSA+3DES
You must update the list of supported SSL ciphers on the protected HTTPS servers.


Layer 4 CoreXL Overview


Layer 4 CoreXL improves the Firewall instance distribution by adding the Layer 4 ports to the
instance selection hash. The additional source port and destination port parameters are especially
useful for elephant flow cases, where all the connections are between a very small number of
clients and servers and would otherwise hash to the same instance.

Example of live CoreXL FW instance distribution:


> fw ctl multik stat

ID | Active | CPU | Connections | Peak
----------------------------------------------
0 | Yes | 0 | 47 | 25406
1 | Yes | 20 | 52 | 25723
2 | Yes | 1 | 51 | 25459
3 | Yes | 21 | 45 | 25702
4 | Yes | 2 | 57 | 25978
5 | Yes | 22 | 47 | 25895
6 | Yes | 3 | 46 | 25680
7 | Yes | 23 | 54 | 25586
8 | Yes | 4 | 45 | 25643
9 | Yes | 24 | 50 | 25697
10 | Yes | 5 | 40 | 25757
11 | Yes | 25 | 49 | 25888
12 | Yes | 6 | 49 | 25643
13 | Yes | 26 | 50 | 25826
14 | Yes | 7 | 43 | 25670
15 | Yes | 27 | 50 | 25879
16 | Yes | 8 | 42 | 26051
17 | Yes | 28 | 36 | 25999
18 | Yes | 9 | 59 | 25464
19 | Yes | 29 | 52 | 25764
>

Example of simulated instance distribution:


> fw ctl multik get_instance_dist sip=88.88.88.100 dip=87.87.87.100 sport=10000-60000 dport=8080 proto=6

Instance distribution when feature is disabled


+------+----------+
| Inst | Count |
+------+----------+
| 0 | 0 |
| 1 | 0 |
| 2 | 0 |
| 3 | 0 |
| 4 | 50001 |
| 5 | 0 |
| 6 | 0 |
| 7 | 0 |
| 8 | 0 |
| 9 | 0 |
+------+----------+

Instance distribution when feature is enabled


+------+----------+
| Inst | Count |
+------+----------+
| 0 | 4983 |
| 1 | 5022 |
| 2 | 4975 |
| 3 | 5014 |
| 4 | 5012 |
| 5 | 5059 |
| 6 | 4983 |
| 7 | 4917 |
| 8 | 4997 |
| 9 | 5039 |
+------+----------+
>
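The following script is an added example, not Check Point code, that reproduces the effect shown in the two get_instance_dist tables above with a stand-in hash: the same 50001 connections between one client and one server land on a single instance when only the IP addresses and protocol are hashed, and spread evenly across all instances when the ports are added. It generalizes to the SPI Distribution setting earlier in this chapter, where hashing ESP packets by tunnel endpoint addresses concentrates two peers' traffic on at most two SGMs and hashing by SPI spreads it. The hash (blake2b), the instance and SGM counts, and the flow and packet sets are all constructed assumptions; the product's real selection hash is not published on this page.

```python
"""Added example (not Check Point code): simulate how the choice of hash inputs
decides whether flows spread across Firewall instances or SGMs. The hash is a
stand-in (blake2b) for the product's undocumented selection hash; the flow
sets are constructed. It covers both the Layer 4 CoreXL case (ports added to
the instance selection) and the SPI distribution case (SPI instead of IP)."""
import hashlib


def _bucket(fields, n):
    """Map a tuple of header fields onto one of n workers deterministically."""
    key = "|".join(str(f) for f in fields).encode()
    digest = hashlib.blake2b(key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n


def distribute(n_workers, items, key_fn):
    """Return a per-worker count of items, selecting the worker by key_fn(item)."""
    counts = [0] * n_workers
    for item in items:
        counts[_bucket(key_fn(item), n_workers)] += 1
    return counts


def workers_in_use(counts):
    """How many workers received at least one item."""
    return sum(1 for c in counts if c)


# Flow key functions; a flow is the 5-tuple (sip, dip, sport, dport, proto).
def layer3_key(flow):               # Layer 4 CoreXL disabled: IPs and protocol only
    sip, dip, _sport, _dport, proto = flow
    return (sip, dip, proto)


def layer4_key(flow):               # Layer 4 CoreXL enabled: ports added
    return flow


def elephant_flows(sip="88.88.88.100", dip="87.87.87.100",
                   sports=(10000, 60000), dport=8080, proto=6):
    """One client/server pair over a range of source ports: the
    get_instance_dist scenario from the guide (50001 connections)."""
    return [(sip, dip, sp, dport, proto) for sp in range(sports[0], sports[1] + 1)]


# ESP packet key functions; a packet is (src, dst, spi).
def tunnel_ip_key(pkt):             # default SSM160 distribution: addresses only
    src, dst, _spi = pkt
    return (src, dst)


def spi_key(pkt):                   # SPI distribution: the SPI field instead
    return (pkt[2],)


def site_to_site_packets(n=2000, sa_count=200):
    """Two VPN peers only, with the packets spread over sa_count security
    associations so that SPIs differ (constructed)."""
    peers = [("198.51.100.1", "203.0.113.1"), ("198.51.100.2", "203.0.113.1")]
    return [(peers[i % 2][0], peers[i % 2][1], 0x1000 + (i % sa_count) * 7919)
            for i in range(n)]


if __name__ == "__main__":
    flows = elephant_flows()
    print("Layer 4 off:", distribute(10, flows, layer3_key))
    print("Layer 4 on: ", distribute(10, flows, layer4_key))
    pkts = site_to_site_packets()
    print("by tunnel IP:", distribute(12, pkts, tunnel_ip_key))
    print("by SPI:      ", distribute(12, pkts, spi_key))
```

The useful check is workers_in_use: if a capture of your real traffic, keyed the way the current setting keys it, lands on only one or two workers, the corresponding distribution setting is the one to evaluate, and the instruction above to reboot after enabling Layer 4 CoreXL still applies.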


Important - See sk116693 http://supportcontent.checkpoint.com/solutions?id=sk116693 for
information about HTTPS Inspection limitations in Layer 4 Distribution Mode (SPD).

Configuring Layer4 CoreXL (g_cpconfig)


Description
Use the g_cpconfig command to configure Layer4 CoreXL.

Syntax
# g_cpconfig corexl layer4 enable
# g_cpconfig corexl layer4 disable
# g_cpconfig corexl layer4 stat

Parameters
Parameter Description
enable Enables Layer4 CoreXL
CoreXL instance decision function uses:
• Source and destination ports
• Source and destination IPs
• IP protocol
disable Disable Layer4 CoreXL
CoreXL instance decision function uses:
• Source and destination IPs
• IP protocol
stat Shows current status of Layer4 CoreXL on all SGMs

Example - Enabling Layer4 CoreXL:


From Expert:
[Expert@MyChassis-ch01-01]# g_cpconfig corexl layer4 enable
From Global:
[Global] MyChassis-ch01-01 > cpconfig corexl layer4 enable
Command completed successfully.
CoreXL layer4 distribution was enabled.
This change will take effect after reboot, it is possible to reboot one chassis at a time.

Important - This change will take effect after reboot. It is possible to reboot one chassis at a time.

Example - Disabling Layer4 CoreXL:


From Expert:
[Expert@MyChassis-ch01-01]# g_cpconfig corexl layer4 disable
From Global:
[Global] MyChassis-ch01-01 > cpconfig corexl layer4 disable
Command completed successfully.
CoreXL layer4 distribution was disabled.
This change will take effect after reboot, it is possible to reboot one chassis at a time.


Important - This change will take effect after reboot. It is possible to reboot one chassis at a time.

Example - Showing Layer4 CoreXL status for each SGM:


From Expert:
[Expert@MyChassis-ch01-01]# g_cpconfig corexl layer4 stat
From Global:
[Global] MyChassis-ch01-01 > cpconfig corexl layer4 stat
blade 1_01 layer4 distribution mode is enabled
blade 1_02 layer4 distribution mode is enabled
blade 1_03 layer4 distribution mode is enabled

VSX Affinity Commands (fw ctl affinity-s -d)


Use fw ctl affinity to set affinities in a VSX environment. When you run this command, the
system automatically creates or updates the affinity configuration files. All affinity configurations
are kept after reboot.
You can define specified processes as affinity exceptions. Affinity commands do not apply to these
processes. To define an exception, add the process name to the
$FWDIR/conf/vsaffinity_exception.conf file. You cannot add kernel threads as affinity
exceptions.
Important - Do not add Check Point processes to the exception list. This can cause system
instability.

Affinity Priorities
When a CPU core has more than one affinity, the affinity is applied based on these priorities:
1. Firewall instance
2. Process
3. Virtual System

Setting Affinities
Description
Use the fw ctl affinity-s -d command to set CPU affinities.
• Firewall instance
• Process
• Virtual System
You can set a Firewall instance affinity to one or more CPUs on each Virtual System individually.

Syntax
> fw ctl affinity-s -d
> fw ctl affinity-s -d [-vsid <VS_IDs>] -cpu <CPU_ID>
> fw ctl affinity-s -d -pname <process> [-vsid <ranges>] -cpu <CPU_ID>
> fw ctl affinity-s -d -inst <Instance_ID> -cpu <CPU_ID>


Parameters
Parameter Description
-s -d Sets affinity for a VSX environment.
-vsid <VS_IDs>
<VS_IDs> can be:
• No <VS_IDs> (default) - Uses the current Virtual System context
• One Virtual System
• A comma-separated list of Virtual Systems (1, 2, 4, 5)
• A range of Virtual Systems (VS 3-5)
• all - Shows all Virtual Systems
Note - This parameter is only applicable in a VSX environment.

-cpu <CPU_ID> One or more CPU cores.
You can define a range from which the system selects the CPU cores.
The format for a range is:
<from_cpu_id>-<to_cpu_id>.
-pname <process> Configures affinity for the specified process.
-inst <Instance_ID> One or more Firewall instances.
You can define a range from which the system selects the instances.
The format for a range is:
<from_instance_id>-<to_instance_id>.

Setting affinities for all SGMs from the SMO:


In gClish, run:
> fw ctl affinity-s -d <options>

In the Expert Mode, run:


# g_fw ctl affinity-s -d <options>

To set affinities for a specific SGM, run:


> blade <SGM_ID>
> fw ctl affinity-s -d <options>

Setting Firewall instance affinity with ranges:
This example creates two Firewall instance affinities for the Virtual System 1. One affinity is
assigned to instance 0 and the other is automatically assigned from the range of instances 2 - 4.
These instances are automatically assigned to CPU cores in the range of 0 - 2.
MyChassis-ch01-02:0> vsenv 1
MyChassis-ch01-02:1> fw ctl affinity -s -d -inst 0 2-4 -cpu 0-2

VDevice 0: CPU 0 1 2 - set successfully

Note: If there were previously configured processes/FWK instances, this operation
has overridden them and deleted their configuration files
MyChassis-ch01-02:1>


Setting VSX processes affinity (-pname):
Set the affinity of processes to one or more CPUs. You can use -vsid to set the affinity for a
process to Virtual Systems in any context. If you do not use -vsid, the affinity of the current
context is set.
> fw ctl affinity -s -d -pname cpd -vsid 0-1 -cpu 0 2
VDevice 0-1 : CPU 0 2 - set successfully

Virtual System affinity (-vsid):
Use -vsid to define an affinity for specified Virtual Systems. This example sets the affinity for
Virtual System contexts 0 and 1 to CPU cores 0 and 2. If you do not use -vsid, this command
sets the affinity for the current VSX context.
> fw ctl affinity -s -d -vsid 0-1 -cpu 0 2
VDevice 0-1 : CPU 0 2 - set successfully

Setting Affinities for all Virtual Systems (fw ctl affinity -s -d -fwkall)
Description
Use the fw ctl affinity -s -d -fwkall command to assign the specified number of CPU
cores to all Virtual Systems at one time.

Effect on Multi-Queue settings for interfaces that use the IXGBE driver
Using this command to change the number of cores assigned to Virtual Systems also changes the
number of cores available for ixgbe interface rx queues. Conversely, when you change the
number of cores assigned to ixgbe interface queues, you also change the number of cores
assigned to Virtual Systems.
For example, if your SGM has 16 cores and you assign 9 cores to Virtual Systems, the remaining 7
cores are available to the ixgbe interfaces.

Syntax
> fw ctl affinity -s -d -fwkall <cores>

Parameters
Parameter          Description
-s -d              Sets affinity for a VSX environment.
-fwkall <cores>    Defines the number of cores assigned to all Virtual Systems.

Example
This example assigns three cores to Firewall instances for all Virtual Systems.
> fw ctl affinity -s -d -fwkall 3
VDevice 0-2 : CPU 0 1 2 - set successfully

Note - You can run this command from the VS0 context only.


Monitoring Process Affinity (fw ctl affinity -l -x)


Description
You can monitor the affinity of processes and Virtual Systems on a VSX Gateway. You can use the
-vsid parameter to show the affinity for a process to the specified Virtual Systems.

Syntax
> fw ctl affinity -l -x [-vsid <VS_ID>] [-flags {e | h | k | n | t | o}]

Parameters
Parameter        Description
-vsid <VS_ID>    Shows the affinity for processes for these Virtual System IDs.
                 Note - Use a dash to set a range of Virtual Systems.
-flags e         Does not show processes that are affinity exceptions.
                 Affinity exceptions are defined in $FWDIR/conf/vsaffinity_exception.conf.
-flags h         Shows the CPU affinity mask in hexadecimal format.
-flags k         Does not show kernel threads.
-flags n         Shows the process name instead of /proc/<PID>/cmdline.
-flags t         Shows information about process threads.
-flags o         Prints the list to a file.

Example
> fw ctl affinity -l -x -vsid 1 -flags tn
-----------------------------------------------------------------------
|PID |VSID | CPU |SRC|V|KT |EXC| NAME
-----------------------------------------------------------------------
| 4756 | 0 | all | | | | | pm
| 4773 | 0 | all | | | | | confd
| 4774 | 0 | all | | | | | searchd
| 5008 | 0 | all | | | | | |---searchd
| 4780 | 0 | all | | | | | httpd2
| 4781 | 0 | all | | | | | monitord
| 24700 | 0 | 0 1 | P | | | | |---cpd
| 24704 | 0 | 0 1 | P | | | | |---cpd
| 24705 | 0 | 0 1 | P | | | | |---cpd
| 22800 | 0 | all | | | | | mpdaemon
| 24523 | 0 | all | | | | | fwk_forker
| 24525 | 0 | all | | | | | fwk_wd
| 24573 | 0 | 1 3 4 6 | P | | | | fw
| 24667 | 0 | 1 3 4 6 | P | | | | |---fw
| 24668 | 0 | 1 3 4 6 | P | | | | |---fw
| 24670 | 0 | 1 3 4 6 | P | | | | |---fw
| 24671 | 0 | 1 3 4 6 | P | | | | |---fw
| 25412 | 0 | 1 3 4 6 | P | | | | |---fw
| 24642 | 0 | 2 3 4 5 6 7 | P | | | | fwk0_dev
| 24643 | 0 | 2 3 4 5 6 7 | P | | | | |---fwk0_0
| 30186 | 0 | all | | | | | clishd
-----------------------------------------------------------------------
>


System Under Load


The System Under Load (SUL) feature delays SGM failover for a specified time during periods of
high system CPU utilization. Default is 10 seconds. This helps to prevent unnecessary SGM
failovers caused by CCP packet transmission delays.
The system automatically turns on SUL when at least one SGM has CPU kernel usage above the
specified threshold. Default is 80%. SUL turns off automatically when no SGM has high CPU
utilization for at least 10 seconds or when SUL was active for more than three minutes.

Logs:
A log entry is generated for every SUL state change (ON/OFF). Only the SMO sends messages to
the log server. This example shows SUL logs in SmartView Tracker.

SUL log entries are typically a symptom of intensive CPU activity. To learn how to resolve these
issues, see Hardware Monitoring and Control (on page 139).

CHAPTER 12

60000/40000 Security Platforms


In This Section:
Single Management Object and Policies ...................................................................340
SGM Policy Management ...........................................................................................344
Security Group ............................................................................................................349
Multiple Security Groups ............................................................................................350
Working with the Distribution Mode ..........................................................................358
NAT and the Correction Layer on a Scalable Platform ............................................367
NAT and the Correction Layer on a VSX Gateway ...................................................368
Working with the GARP Chunk Mechanism ..............................................................369
Port Forwarding on Management Servers ................................................................371
Threat Emulation ........................................................................................................372
IPS Bypass Under Load ..............................................................................................373
IPS Cluster Failover Management .............................................................................374
Optimizing IPS (asg_ips_enhance) ............................................................................375

Single Management Object and Policies


Single Management Object (SMO) is a Check Point technology that manages the Scalable Platform
as one large Security Gateway with one management IP address. All management tasks, such as
Security Gateway configuration, policy installation, remote connections and logging, are handled
by one SGM (the SMO Master), which updates all other SGMs. The Active SGM with the lowest ID
number is automatically assigned to be the SMO.
Use this command to identify the SMO and see how tasks are distributed on the SGMs:
> asg stat -i tasks
Chassis ID: 1
-------------
Task (Task ID) SGM ID

General (1) 3
LACP (2) 4
CH Monitor (3) 5

Chassis ID: 2
-------------
Task (Task ID) SGM ID

SMO (0) 2(local)
DR Manager (4) 2(local)
General (1) 3
LACP (2) 4
CH Monitor (3) 5
>


Installing and Uninstalling Policies


To install a policy on the Scalable Platform, select Policy > Install in SmartDashboard. The
installation procedure includes these steps:
1. The Security Management Server installs the policy on the SMO Master.
2. The SMO copies the policy to all SGMs.
3. Each SGM installs the policy locally.
During the installation, each SGM exchanges policy status updates with the other SGMs, because
all SGMs must install their policies in a synchronized manner. Policy installation has these stages:
• Policy Started - Policy installation started on the SGM.
• Policy Ready2Finish - Policy installation is complete, but the SGM is waiting for other SGMs to
reach the same stage.
• Policy Completed - The policy is synchronized with the other SGMs.
• Enforcing Security - The SGM enforces the new policy.
Note - When installing the Scalable Platform, SGMs enforce an initial policy where only the
implied rules necessary for management are enforced.
To uninstall a policy, open a serial connection to the Scalable Platform and run:
> asg policy unload

Notes:
• You cannot uninstall policies with SmartDashboard.
• To learn more about working with policies, see Working with Policies (asg policy) below.

Working with Policies (asg policy)


Description
Use the asg policy command in gClish or Expert mode to perform policy-related actions.

Syntax
asg policy -h
asg policy {verify | verify_amw} [-vs <VS_IDs>] [-a] [-vs] [-v]
asg policy unload [--disable_pnotes] [-a]
asg policy unload --ip_forward

Best Practice
Run these commands over a serial connection.

Parameters
Parameter          Description
-h                 Shows the built-in help.
verify             Confirms that the correct policies are installed on all SGMs.
verify_amw         Confirms that the correct Anti-Malware policies are installed on all SGMs.
unload             Uninstalls the policy from the SGMs.
-vs <VS_IDs>       Shows verification results for each Virtual System.
                   <VS_IDs> can be:
                   • No <VS_IDs> (default) - Uses the current Virtual System context
                   • One Virtual System
                   • A comma-separated list of Virtual Systems (1, 2, 4, 5)
                   • A range of Virtual Systems (VS 3-5)
                   • all - Shows all Virtual Systems
                   Note - This parameter is only applicable in a VSX environment.
-v                 Shows detailed verification results for SGMs in each Virtual System.
-a                 Runs the verification on SGMs in both UP and DOWN states.
--disable_pnotes   SGMs stay in the UP state without an installed policy.
                   Important - If you omit this option, SGMs go into DOWN state until the
                   policy is installed again!
--ip_forward       Enables IP forwarding.

Example - Detailed Virtual System Output:
[Expert@MyChassis-ch01-01:0]# asg policy verify -vs all -v
+------------------------------------------------------------------------------+
|Policy Verification |
+-------+-------+-------------------+---------------+-----------------+--------+
|VS |SGM |Policy Name |Policy Date |Policy Signature |Status |
+-------+-------+-------------------+---------------+-----------------+--------+
|0 |1_01 |Standard |26Nov12 21:11 |996eee5e6 |Success |
| |1_03 |Standard |26Nov12 21:11 |996eee5e6 |Success |
| |1_04 |Standard |26Nov12 21:11 |996eee5e6 |Success |
| |1_05 |Standard |26Nov12 21:11 |996eee5e6 |Success |
| |1_06 |Standard |26Nov12 21:11 |996eee5e6 |Success |
| |1_11 |Standard |26Nov12 21:11 |996eee5e6 |Success |
| |1_12 |Standard |26Nov12 21:11 |996eee5e6 |Success |
+-------+-------+-------------------+---------------+-----------------+--------+
|1 |1_01 |Standard |27Nov12 13:03 |836fa2ec1 |Success |
| |1_03 |Standard |27Nov12 13:03 |836fa2ec1 |Success |
| |1_04 |Standard |27Nov12 13:03 |836fa2ec1 |Success |
| |1_05 |Standard |27Nov12 13:03 |836fa2ec1 |Success |
| |1_06 |Standard |27Nov12 13:03 |836fa2ec1 |Success |
| |1_11 |Standard |27Nov12 13:03 |836fa2ec1 |Success |
| |1_12 |Standard |27Nov12 13:03 |836fa2ec1 |Success |
+-------+-------+-------------------+---------------+-----------------+--------+
|2 |1_01 |Standard |26Nov12 21:11 |10eef9ced |Success |
| |1_03 |Standard |26Nov12 21:11 |10eef9ced |Success |
| |1_04 |Standard |26Nov12 21:11 |10eef9ced |Success |
| |1_05 |Standard |26Nov12 21:11 |10eef9ced |Success |
| |1_06 |Standard |26Nov12 21:11 |10eef9ced |Success |
| |1_11 |Standard |26Nov12 21:11 |10eef9ced |Success |
| |1_12 |Standard |26Nov12 21:11 |10eef9ced |Success |
+-------+-------+-------------------+---------------+-----------------+--------+

+------------------------------------------------------------------------------+
|Summary |
+------------------------------------------------------------------------------+
|Policy Verification completed successfully |
+------------------------------------------------------------------------------+
[Expert@MyChassis-ch01-01:0]#


Example - Uninstall Policy:
[Expert@MyChassis-ch01-01:0]# asg policy unload
You are about to perform unload policy on blades: all
All SGMs will be in DOWN state, beside local SGM. It is recommended to run the procedure
via serial connection

Are you sure? (Y - yes, any other key - no) y

Unload policy requires auditing


Enter your full name: John Doe
Enter reason for unload policy [Maintenance]:
WARNING: Unload policy on blades: all, User: John Doe, Reason: Maintenance
+-------------------------------+
|Unload policy |
+---------------+---------------+
|SGM |Status |
+---------------+---------------+
|1_3 |Success |
+---------------+---------------+
|1_2 |Success |
+---------------+---------------+
|1_1 |Success |
+---------------+---------------+
|2_3 |Success |
+---------------+---------------+
|2_2 |Success |
+---------------+---------------+
|2_1 |Success |
+---------------+---------------+

+------------------------------------------------------------------------------+
|Summary |
+------------------------------------------------------------------------------+
|Unload policy completed successfully |
+------------------------------------------------------------------------------+
[Expert@MyChassis-ch01-01:0]#


SGM Policy Management


Because the Scalable Platform works as one large Security Gateway, all SGMs are configured with
the same policy. When you install a policy from the Management Server, it first installs the policy
on the SMO. The SMO copies the policy and SGM configuration to all SGMs in the UP state. When
an SGM enters the UP state, it automatically gets the currently installed policy and configuration
from the SMO. When there is only one SGM in the UP state, it is possible that there is no SMO. In
that case, the SGM uses its local policy and configuration.
If there are problems with the policy or configuration on an SGM, you can manually copy the
information from a different SGM.
An SGM configuration has these components:
• Firewall policy, which includes the Rule Base
• Set of configuration files defined in the /etc/xfer_files_list file. This file contains the
location of all related configuration files. It also defines the action to take if the copied file is
different from the one on the local SGM.

Synchronizing Policy and Configuration between SGMs


Use asg_blade_config pull_config to manually synchronize the policy and, optionally, the
configuration files from a specified source SGM to the target SGM.
The target SGM is the SGM on which you run this command. To manually synchronize SGMs:
1. Run:
asg_blade_config pull_config
2. Reboot the target SGM, or run these commands:
• cpstart
• asg sgm_admin up
Note - You can run asg stat -i all_sync_ips to get a list of all SGM synchronization IP
addresses.

Understanding the Configuration File List


The xfer_file_list file contains pointers to the related configuration files on an SGM. Each
record defines the path to a configuration file, followed by the action to take if the imported file is
different from the local file. This table shows an example of the record structure.

Context          File name and path              Action
global_context   $FWDIR/modules/fwkern.conf      /bin/false

The context field defines the type of configuration file:
• global_context - Security Gateway configuration file
• all_vs_context - Virtual Systems configuration file


The action field defines the action to take when the imported (copied) file is different from the
local file:
• /bin/true - Reboot is required
• /bin/false - No reboot is required
• String enclosed in double quotes - Name of a "callback script" that performs the applicable
action.
Example - Configuration file list:
global_context $PPKDIR/boot/modules/sim_aff.conf "sim affinityload"
global_context $PPKDIR/boot/modules/simkern.conf /bin/false
global_context $FWDIR/modules/fwkern.conf /bin/false
all_vs_context $FWDIR/conf/fwauthd.conf /bin/false
all_vs_context $FWDIR/conf/discntd.if /bin/false
global_context /var/opt/fw.boot/ha_boot.conf /bin/false
all_vs_context $FWDIR/conf/sync_exceptions_tab "g_sync_exception -f"
all_vs_context $FWDIR/bin/reserved_conns_tab "g_reserved_conns -f"
global_context /config/active /usr/bin/confd_clone /config/db/cloned_db
global_context /tmp/sms_rate_limit.tmp /bin/true
global_context /tmp/sms_history.tmp /bin/true
global_context /home/admin/.ssh/known_hosts /bin/true
global_context /etc/passwd /bin/true
global_context /etc/shadow /bin/true
all_vs_context $FWDIR/bin/iproute.load /bin/true
all_vs_context $FWDIR/conf/gre_loader.conf /bin/true
global_context $FWDIR/conf/fwha_ch_uptime /bin/true
global_context $FWDIR/modules/mq_aff.conf "mq_affinity -s"
global_context $FWDIR/conf/pingable_hosts.conf "pingable_hosts local on"
all_vs_context $FWDIR/conf/pingable_hosts.ips /bin/true
global_context $FWDIR/conf/alert.conf /bin/true
all_vs_context $FWDIR/conf/asg_log_servers.conf "log_servers_util refresh"
global_context $FWDIR/modules/vlan_mq.conf "vlan_perf_enhancement -c"
global_context $FWDIR/conf/fw_global_params.conf "cpha_blade_config fw_global_params_changed"
global_context $FWDIR/boot/mq.conf "cpmq reconfigure"
global_context /etc/modprobe.conf asg_update_modprobe_conf /tmp/modprobe.conf.new
global_context $FWDIR/boot/modules/vpnkern.conf /bin/false
global_context /etc/ssm_port_speed.conf /bin/asg_update_port_speed /tmp/ssm_port_speed.conf.new
all_vs_context $FWDIR/conf/selective_template_exclude.conf /bin/true
global_context /etc/syslog_servers_list.conf asg_syslog_helper
global_context $FWDIR/conf/vsaffinity_exception.conf /bin/false
all_vs_context $FWDIR/conf/manual.affinity.conf "check_smo_affinity_files manual"
global_context $FWDIR/conf/fwkall.affinity.conf "check_smo_affinity_files fwdir" $FWDIR/tmp/
all_vs_context $CPDIR/conf/*.affinity.conf "check_smo_affinity_files cpdir" $CPDIR/tmp/
global_context $FWDIR/conf/resctrl "$FWDIR/bin/fw vsx resctrl load_configuration"
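The record structure and action conventions described above can be exercised with a small parser. The following is an added example, not Check Point code: it reads records in the format shown in the list (the sample records are constructed from that list) and reports, for a given set of files that differ from the source SGM, whether a reboot is needed and which callback scripts would run. An unquoted command with arguments, which also appears in the list, is treated as a callback by assumption.

```python
"""Parse SGM configuration-file-list records and work out what a pull implies.

Added example, not Check Point code.  Record format and action meanings
follow the "Understanding the Configuration File List" section:
  <context> <path> /bin/true          -> reboot required
  <context> <path> /bin/false         -> no reboot required
  <context> <path> "callback script"  -> run the named callback
Assumption: an unquoted command word other than /bin/true and /bin/false
(e.g. asg_syslog_helper) is treated as a callback too.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

VALID_CONTEXTS = {"global_context", "all_vs_context"}

# Constructed sample, copied from records shown on this page.
SAMPLE_LIST = """\
global_context $PPKDIR/boot/modules/sim_aff.conf "sim affinityload"
global_context $FWDIR/modules/fwkern.conf /bin/false
all_vs_context $FWDIR/conf/fwauthd.conf /bin/false
global_context /etc/passwd /bin/true
global_context /etc/shadow /bin/true
global_context $FWDIR/boot/mq.conf "cpmq reconfigure"
global_context $FWDIR/conf/fwkall.affinity.conf "check_smo_affinity_files fwdir" $FWDIR/tmp/
global_context /etc/syslog_servers_list.conf asg_syslog_helper
"""


@dataclass
class XferRecord:
    context: str
    path: str
    action: str                       # "reboot", "none" or "callback"
    callback: Optional[str] = None    # command word when action == "callback"
    extra_args: List[str] = field(default_factory=list)


def parse_record(line: str) -> Optional[XferRecord]:
    """Parse one record; blank lines and '#' comments yield None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    # shlex keeps a "quoted callback" as a single token and drops the quotes.
    tokens = shlex.split(stripped)
    if len(tokens) < 3:
        raise ValueError(f"record needs context, path and action: {line!r}")
    context, path, action_word, *extra = tokens
    if context not in VALID_CONTEXTS:
        raise ValueError(f"unknown context {context!r} in {line!r}")
    if action_word == "/bin/true":
        return XferRecord(context, path, "reboot", None, extra)
    if action_word == "/bin/false":
        return XferRecord(context, path, "none", None, extra)
    return XferRecord(context, path, "callback", action_word, extra)


def parse_list(text: str) -> List[XferRecord]:
    """Parse a whole file list, skipping blank and comment lines."""
    return [r for r in (parse_record(ln) for ln in text.splitlines()) if r]


def plan_pull(records: Iterable[XferRecord],
              changed_paths: Iterable[str]) -> Dict[str, object]:
    """Given the files that differ from the source SGM, report the consequences.

    Files that differ but are not in the list are reported as 'untracked':
    the list never carries them to the target SGM.
    """
    records = list(records)
    changed = set(changed_paths)
    reboot_for = [r.path for r in records
                  if r.path in changed and r.action == "reboot"]
    callbacks = [" ".join([r.callback, *r.extra_args]) for r in records
                 if r.path in changed and r.action == "callback"]
    untracked = sorted(changed - {r.path for r in records})
    return {"reboot_required": bool(reboot_for), "reboot_for": reboot_for,
            "callbacks": callbacks, "untracked": untracked}


if __name__ == "__main__":
    recs = parse_list(SAMPLE_LIST)
    print(plan_pull(recs, ["/etc/shadow", "$FWDIR/boot/mq.conf", "/etc/hosts"]))
```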


MAC Addresses and Bit Conventions


MAC addresses are divided into these types:

Type Description
BMAC A MAC address assigned to all interfaces with the BPEthX naming convention.
This is unique for each SGM.
It does not rely on the interface index number.
VMAC A MAC address assigned to all interfaces with the ethX-YZ naming convention.
This is unique for each Chassis.
It does not rely on the interface index number.
SMAC A MAC address assigned to Sync interfaces.
This is unique for each SGM.
It does not rely on the interface index number.

Bit convention for BMAC:

Bit range Description


1 Distinguishes between VMAC and other MAC addresses.
This is used to prevent possible collisions with VMAC space.
Possible values:
• 0 - BMAC or SMAC
• 1 - VMAC
2-8 SGM ID (starting from 1).
This is limited to 127.
9-13 Always zero
14 Distinguishes between BMAC and SMAC addresses.
This is used to prevent possible collisions with SMAC space.
Possible values:
• 0 - BMAC
• 1 - SMAC
15-16 Absolute interface number. This is taken from the interface name.
When the BPEthX format is used, X is the interface number.
This is limited to four interfaces.

Bit convention for VMAC:

Bit range Description
1 Distinguishes between VMAC and other MAC addresses.
This is used to prevent possible collisions with VMAC space.
Possible values:
• 0 - BMAC or SMAC
• 1 - VMAC
2-3 Chassis ID.
Limited to 4 Chassis.
4-8 Switch number.
Limited to 32 switches.
9-16 Port number.
Limited to 256 for each switch.

Bit convention for SMAC:

Bit range Description


1 Distinguishes between VMAC and other MAC addresses.
This is used to prevent possible collisions with VMAC space.
Possible values:
• 0 - BMAC or SMAC
• 1 - VMAC
2-8 SGM ID (starting from 1).
This is limited to 127.
9-13 Always zero.
14 Distinguishes between BMAC and SMAC addresses.
This is used to prevent possible collisions with SMAC space.
Possible values:
• 0 - BMAC
• 1 - SMAC
15 Always zero.
16 Sync interface.
Possible values:
• 0 - Sync1
• 1 - Sync2


MAC Address Resolver (asg_mac_resolver)


Description
Use the asg_mac_resolver command in gClish or Expert mode to decode and check MAC addresses
of all types (BMAC, VMAC, and SMAC).
From the MAC address you provide, the asg_mac_resolver command determines the:
• MAC type
• Chassis ID
• SGM ID
• Assigned interface

Syntax
asg_mac_resolver <MAC address>

Example
[Expert@MyChassis-ch01-01:0]# asg_mac_resolver 00:1C:7F:01:00:FE
[00:1C:7F:01:00:FE, BMAC] [Chassis ID: 1] [SGM ID: 1] [Interface: BPEth0]
[Expert@MyChassis-ch01-01:0]#

Notes:
• The specified MAC Address comes from BPEth0 on SGM1 on Chassis1.
• 00:1C:7F:01:00:FE is the Magic MAC attribute, which is identified by FE.
• The index length is 16 bits (2 Bytes), identified by 01:00.
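The bit-convention tables for BMAC, VMAC and SMAC and the asg_mac_resolver example above can be worked through in code. This is an added example, not the asg_mac_resolver tool or Check Point code; it assumes the layout seen in the page's example (the 00:1C:7F prefix, the index in bytes 4-5, the FE marker in byte 6) and treats bit 1 of the tables as the most significant bit of the 16-bit index.

```python
"""Decode and compose BMAC / VMAC / SMAC addresses from the bit conventions.

Added example; not the asg_mac_resolver tool or any Check Point code.  It
applies the three bit-convention tables to the 16-bit index field.
Assumptions taken from the page's asg_mac_resolver example rather than from a
stated rule: the index is bytes 4-5 of the address, byte 6 is the FE "Magic
MAC" marker, the first three bytes are the 00:1C:7F prefix seen in that
example, and bit 1 of the tables is the most significant bit of the index.
The VMAC chassis field is reported as its raw 2-bit value because the page
does not say how that value maps to a chassis number.
"""
import re

MAGIC_BYTE = 0xFE
EXAMPLE_PREFIX = bytes([0x00, 0x1C, 0x7F])
_MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.IGNORECASE)


def _field(index: int, first: int, last: int) -> int:
    """Bits first..last of the 16-bit index, numbered 1..16 from the MSB."""
    width = last - first + 1
    return (index >> (16 - last)) & ((1 << width) - 1)


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return six bytes."""
    clean = text.strip()
    if not _MAC_RE.match(clean):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", clean))


def resolve_mac(text: str) -> dict:
    """Return the MAC type and the fields the bit tables define for it."""
    mac = parse_mac(text)
    if mac[:3] != EXAMPLE_PREFIX:
        raise ValueError("prefix is not the 00:1C:7F seen in the page's example")
    if mac[5] != MAGIC_BYTE:
        raise ValueError("last byte is not the FE Magic MAC marker")
    index = (mac[3] << 8) | mac[4]
    result = {"mac": ":".join(f"{b:02X}" for b in mac), "index": index}

    if _field(index, 1, 1) == 1:                     # bit 1 set: VMAC space
        result.update(type="VMAC",
                      chassis_field=_field(index, 2, 3),
                      switch=_field(index, 4, 8),
                      port=_field(index, 9, 16))
        return result

    # Bit 1 clear: BMAC or SMAC.  Both carry the SGM ID in bits 2-8 and
    # require bits 9-13 to be zero; bit 14 tells the two spaces apart.
    if _field(index, 9, 13) != 0:
        raise ValueError("bits 9-13 must be zero for a BMAC or SMAC")
    result["sgm_id"] = _field(index, 2, 8)
    if _field(index, 14, 14) == 0:
        result.update(type="BMAC", interface=f"BPEth{_field(index, 15, 16)}")
    else:
        if _field(index, 15, 15) != 0:
            raise ValueError("bit 15 must be zero for an SMAC")
        result.update(type="SMAC", interface=f"Sync{_field(index, 16, 16) + 1}")
    return result


def make_index(kind: str, **fields: int) -> int:
    """Inverse of resolve_mac: build the 16-bit index from the table fields."""
    def put(value: int, first: int, last: int) -> int:
        width = last - first + 1
        if not 0 <= value < (1 << width):
            raise ValueError(f"value {value} does not fit bits {first}-{last}")
        return value << (16 - last)

    if kind == "VMAC":
        return (put(1, 1, 1) | put(fields["chassis_field"], 2, 3)
                | put(fields["switch"], 4, 8) | put(fields["port"], 9, 16))
    index = put(fields["sgm_id"], 2, 8)              # bit 1 = 0, bits 9-13 = 0
    if kind == "BMAC":
        return index | put(fields["interface"], 15, 16)
    if kind == "SMAC":
        return index | put(1, 14, 14) | put(fields["sync"] - 1, 16, 16)
    raise ValueError(f"unknown MAC type {kind!r}")


def make_mac(kind: str, **fields: int) -> str:
    """Compose a full address with the example prefix and the FE marker."""
    index = make_index(kind, **fields)
    raw = EXAMPLE_PREFIX + bytes([index >> 8, index & 0xFF, MAGIC_BYTE])
    return ":".join(f"{b:02X}" for b in raw)


if __name__ == "__main__":
    print(resolve_mac("00:1C:7F:01:00:FE"))   # the page's example: BMAC, SGM 1, BPEth0
    print(make_mac("SMAC", sgm_id=5, sync=2))
```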

Unified MAC for Data Ports


This feature keeps the same VMAC address on the data ports across a Chassis failover. The one
exception is local connections, which use a private, local VMAC as in the old behavior.
From Expert Mode you can enable and disable Unified MAC for data ports.
To enable:
toggle_same_vmac on
To disable:
toggle_same_vmac off
To check status:
toggle_same_vmac stat
Notes:
• You must reboot after you enable or disable the feature.
• The feature does not support VSX configuration.


Security Group
To be part of a Security Gateway, an SGM must belong to a Security Group. Use the add smo
security-group command to add SGMs. In the initial installation procedure, run the setup
command in the Expert mode to select the SGMs you want to add. When the first SGM completes
installation, the other SGMs are automatically installed. The SGMs automatically join the SMO of
the Security Gateway, and then reboot.
Use these gClish commands to change the Security Group:

Syntax                       Description
add smo security-group       Adds the selected SGMs to the current Security Group
delete smo security-group    Removes the selected SGMs from the current Security Group

Important - All SGMs in the current Security Group that are not part of the new Security Group must
be in the DOWN state, or the command fails.

Syntax                                       Output
> add smo security-group 1_1-1_3,2_1-2_3     New Security Group is:
                                             Chassis 1: 1-3
                                             Chassis 2: 1-3
> show smo security-group                    New Security Group is:
                                             Chassis 1: 1-3
                                             Chassis 2: 1-3

Notes:
• Before you remove an SGM from the Security Gateway, make sure that it is in the DOWN state.
• To optimize connection distribution among the SGMs, update the Security Group with the
correct number of the SGMs in the appliance.
Important - Run the show smo verifiers print name Security_Group command to confirm
that the Security Group is correctly configured.


CHAPTER 13

Multiple Security Groups


In This Section:
Description ..................................................................................................................350
Enabling Multiple Security Groups ............................................................................351
Security Group ID ........................................................................................................351
Adding SGMs to a Security Group ..............................................................................352
Removing SGMs from a Security Group ....................................................................352
Creating Another Security Group ..............................................................................352
Working with a Shared VLAN Trunk Interface ..........................................................353
Global Configuration ...................................................................................................355
Viewing the Configuration ..........................................................................................355
Deleting a Security Group ..........................................................................................356
Disabling Multiple Security Groups ...........................................................................357

Description
The Multiple Security Groups feature lets you configure more than one Security Group on the
same Scalable Platform.
• Up to 12 Security Groups are supported.
• All configured Security Groups share the same chassis resources.
• Each configured Security Group runs an independent SMO.
• Each configured Security Group runs as a Security Gateway or VSX Gateway.
• Different Security Groups can run with different types of SGMs. Example:
    • SecurityGroup1: SGM260
    • SecurityGroup2: SGM400
• Different Security Groups can have different Chassis High Availability modes. Example:
    • SecurityGroup1: Active UP
    • SecurityGroup2: VSLS
• Different Security Groups can share the same Trunk interface with different VLANs.
• Each Security Group uses its own independent license.
To support Multiple Security Groups in R76SP.50, it is mandatory to install these on your Scalable
Platform:
1. R76SP.50 Take 148 and above. See sk115735
http://supportcontent.checkpoint.com/solutions?id=sk115735.
2. R76SP.50 Jumbo Hotfix Accumulator Take 161 and above. See sk117633
http://supportcontent.checkpoint.com/solutions?id=sk117633.


Important - The Multiple Security Groups feature is not supported in R76SP.50 Build 84 and R76SP.50
Jumbo Hotfix Accumulator Takes 16 - 105. It is mandatory to re-image the SGMs with the required
R76SP.50 Take and install the required Jumbo Hotfix Accumulator Take. If you only install the
required Jumbo Hotfix Accumulator on top of R76SP.50 Build 84, the attempt to enable Multiple
Security Groups is blocked.

Enabling Multiple Security Groups


Procedure:
1. Connect to the command line on the Scalable Platform.
2. Log in to the gClish.
3. Enable the Multiple Security Groups feature:
> set smo multiple-security-groups state on

Notes:
• You need to run this command only once.
• The system scans for other active Security Groups to pull the resource configuration from
them.
• If there are no other active Security Groups, the system asks the administrator to confirm.
Example:
> set smo multiple-security-groups state on
Analyzing the system...
No active Security Groups were detected in the system.
Is this the first Security Group in the system?(Y/N)[N]
y

1_01:
success

1_02:
success

Security Group was registered successfully, Security Group ID 1.

Security Group ID
When you create a Security Group, the system automatically assigns a Security Group ID to it.
The Security Group ID is an integer between 1 (default) and 12.
The system uses these Security Group IDs internally to represent the Security Groups.
The Security Group ID is not fixed and may change during the system life cycle.
To see the Security Group IDs, run:
> show smo multiple-security-groups id

Example output:
> show smo multiple-security-groups id
1_01:
Security Group ID: 1

1_02:
Security Group ID: 1


Adding SGMs to a Security Group


You can add SGMs to a Security Group locally.
See the Security Group (on page 349) section.
Procedure:
1. Connect to the command line on the Scalable Platform.
2. Log in to the gClish.
3. Add SGMs to the specified Security Group:
> add smo security-group [Press the Tab key]

Example output:
> add smo security-group [Press the Tab key]

1_3 1_4 1_5 1_6 1_8 1_9 1_10 1_11 1_12

Notes:
• The command shows the list of the available slots in the system (slots not used by other
Security Groups).
• Different Security Groups cannot use the same slot.

Removing SGMs from a Security Group


You can remove SGMs from a Security Group locally.
See the Security Group (on page 349) section.
Procedure:
1. Connect to the command line on the Scalable Platform.
2. Log in to the gClish.
3. Remove the SGMs from the specified Security Group:
> delete smo security-group [Press the Tab key]

Note - The command shows the list of the slots used by the local Security Group.

Creating Another Security Group


Procedure:
1. Connect to the command line on the Scalable Platform.
2. Log in to the gClish.
3. Make sure at least one Security Group is up and running with the Multiple Security Groups
feature enabled:
> show smo multiple-security-groups id

4. Install the new SGM in the chassis.


5. Complete the initial setup wizard on the newly installed SGM.
6. After the new SGM reboots, the Multiple Security Groups feature is enabled automatically on
the SGM during boot.
7. Check the state of the Multiple Security Groups feature on the new SGM:
> show smo multiple-security-groups state

Example output:
1_07:
Multiple Security Groups feature is Enabled

Notes:
When you run the setup command on the new Security Group, the system tries to detect other
active Security Groups. If the system detects a configured Security Group with the Multiple
Security Groups feature disabled on it, it shows this warning on the screen:
# setup
Trying to detect other configured Security Groups on the system...

You are about to perform system setup on blades: local

Another configured Security Group was detected in this system that doesn't have
MSG enabled. Running another system configuration on this SGM may disable the setup

In this case, cancel the operation and manually enable the Multiple Security Groups feature (on
page 351) on the current Security Group. Otherwise, the new SGM boots with the Multiple Security
Groups feature disabled.

Working with a Shared VLAN Trunk Interface


Different Security Groups share the same chassis hardware. This includes the physical ports on
the SSM.
Different Security Groups cannot share the same physical interface, unless you configure that
interface as VLAN Trunk.
Note - This section applies equally to Bonding groups.
Procedure:

Step Description
1 Add the interface you need to share to the topology:
Procedure for Gateway mode:
a) Connect to the command line on the Scalable Platform.
b) Log in to the gClish.
c) Change the state of the interface to on:
set interface <if_name> state on
Procedure for VSX mode:
a) Connect with SmartDashboard or SmartConsole to the Management Server that
manages the applicable Virtual System object.
b) Open the applicable Virtual System object.
c) Add the interface to the Virtual System topology.
d) Click OK to push the VSX Configuration.
e) Install the policy on the Virtual System object.

2 Configure at least one VLAN ID on the shared VLAN Trunk interface.


Step 3 - Create the same shared VLAN Trunk interface on the other Security Group.
Example:
> add bonding group 1
1_07:
INFO: bond1 was detected as shared, the configuration will be derived
from other Security Groups

Notes:
• You can add the VLAN Trunk interface to another Security Group only if there is at least one
VLAN ID configured on the VLAN Trunk interface. Otherwise, the operation fails with error:
KERLAG0029 Resource Manager: Operation not permitted, bond1 is already
used by a different Security Group (1)
• You can only use different VLAN IDs on the same shared VLAN Trunk interface between
different Security Groups.
• When you add the shared VLAN Trunk interface to another Security Group, the system
automatically derives the configuration from Security Groups that use the shared VLAN Trunk
interface.
• The system automatically clones the shared VLAN Trunk interface configuration to all Security
Groups that use the same shared VLAN Trunk interface.
Example: The shared VLAN Trunk interface is Bonding Group 1 (bond1). There are two
Security Groups - Security Group 1 and Security Group 2. When you add a new slave interface X
to this Bonding Group 1 in the Security Group 1, the system automatically adds the same slave
interface X to the same Bonding Group 1 in the Security Group 2.
The system clones this shared VLAN Trunk interface configuration:
• For a Bonding Group:
configuration of slave interfaces
mode
abxor-threshold
lacp-rate
mii-interval
up-delay
xmit-hash-policy
• For a Physical Interface:
MTU
Auto-negotiation
• To delete a Bonding Group from a specific Security Group, use the flag with-interfaces:
> delete bonding group <Bond_Group_ID> with-interfaces

Example output:
> delete bonding group 1 with-interfaces
1_07:
INFO: bond1 was detected as shared, deletion will be applied on local Security
Group only


Global Configuration
The system applies this configuration to all configured Security Groups:
• Distribution matrix maximal size
When you change the distribution matrix maximal size (on page 358), it triggers the change on
all Security Groups. All Security Groups start an iteration for distribution recalculation.
• Distribution IPv6 mode
When you enable IPv6 mode (on page 20) on the Scalable Platform, it triggers an iteration for
distribution recalculation on all configured Security Groups.
• QSFP Mode
The system propagates the QSFP mode (on page 49) configuration to all configured Security
Groups.
Note - Changing the QSFP mode requires a reboot of the SSM.

Viewing the Configuration


System Security Groups Overview
Syntax:
> show smo multiple-security-groups overview system

Example output:
System Security Groups Overview:

+----+------------------+------------+----------------------------+
| ID | Mode | SGMs | Interfaces (Physical only) |
+----+------------------+------------+----------------------------+
| 1 | Security Gateway | 1_1, 1_2 | eth1-01[s,m], eth2-01[s,m] |
+----+------------------+------------+----------------------------+
| 2 | VSX | 1_7 | eth1-01[s,m], eth2-01[s,m] |
+----+------------------+------------+----------------------------+
| 3 | Security Gateway | 1_11, 1_12 | eth1-10[t] |
+----+------------------+------------+----------------------------+

Interfaces Flags:
(s) - Interface is shared
(t) - Interface is trunk
(m) - Interface is member of bonding group

System Interfaces Overview


Syntax:
> show smo multiple-security-groups overview interfaces


Example output:
System Interfaces Overview:

+--------------------------+---------+-------+
| Interface | Used By | Trunk |
+--------------------------+---------+-------+
| bond1 (eth2-01, eth1-01) | 1, 2 | Yes |
+--------------------------+---------+-------+
| bond1.1561 | 1 | - |
+--------------------------+---------+-------+
| bond1.1562 | 2 | - |
+--------------------------+---------+-------+
| eth1-10 | 3 | Yes |
+--------------------------+---------+-------+
| eth1-10.2300 | 3 | - |
+--------------------------+---------+-------+
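The Python below is an added example (it is not part of this guide or of the Check Point product). It parses a captured copy of the System Interfaces Overview table above and checks the two sharing rules from "Working with a Shared VLAN Trunk Interface": a physical interface or Bonding Group may be shared between Security Groups only when it is a VLAN Trunk, and a VLAN ID on a shared trunk may belong to one Security Group only. The table text is constructed from the output above, with one extra row (eth1-05, shared by two groups without being a trunk) added so the audit has something to report; run it on the real output by pasting that output into SAMPLE_OUTPUT or reading it from a file.

```python
import re

# Constructed sample modelled on the overview output above. The last row
# (eth1-05 shared by groups 1 and 3 without being a trunk) is an added bad
# entry so that the audit has something to flag; it is not from the guide.
SAMPLE_OUTPUT = """\
System Interfaces Overview:

+--------------------------+---------+-------+
| Interface                | Used By | Trunk |
+--------------------------+---------+-------+
| bond1 (eth2-01, eth1-01) | 1, 2    | Yes   |
+--------------------------+---------+-------+
| bond1.1561               | 1       | -     |
+--------------------------+---------+-------+
| bond1.1562               | 2       | -     |
+--------------------------+---------+-------+
| eth1-10                  | 3       | Yes   |
+--------------------------+---------+-------+
| eth1-10.2300             | 3       | -     |
+--------------------------+---------+-------+
| eth1-05                  | 1, 3    | -     |
+--------------------------+---------+-------+
"""

# One table row: "| <interface> | <group list> | <Yes or -> |"
ROW_RE = re.compile(
    r"^\|\s*(?P<iface>[^|]+?)\s*\|\s*(?P<used>[^|]+?)\s*\|\s*(?P<trunk>[^|]+?)\s*\|$"
)


def parse_overview(text):
    """Return (interface, sorted Security Group IDs, is_trunk) for every data row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("iface") == "Interface":   # separator lines and header row
            continue
        iface = m.group("iface").split()[0]             # "bond1 (eth2-01, eth1-01)" -> "bond1"
        groups = sorted(int(g) for g in m.group("used").split(","))
        rows.append((iface, groups, m.group("trunk") == "Yes"))
    return rows


def audit(rows):
    """Report every row that breaks a sharing rule."""
    trunks = {iface for iface, _, is_trunk in rows if is_trunk}
    findings = []
    for iface, groups, is_trunk in rows:
        if "." in iface:                                 # VLAN sub-interface, e.g. bond1.1561
            parent = iface.split(".", 1)[0]
            if parent not in trunks:
                findings.append(f"{iface}: parent {parent} is not a VLAN Trunk")
            if len(groups) > 1:
                findings.append(f"{iface}: one VLAN ID used by Security Groups {groups}")
        elif len(groups) > 1 and not is_trunk:
            findings.append(f"{iface}: shared by Security Groups {groups} but not a VLAN Trunk")
    return findings


if __name__ == "__main__":
    for problem in audit(parse_overview(SAMPLE_OUTPUT)):
        print("WARNING:", problem)
```

The system itself refuses the second and third situations at configuration time (see the KERLAG0029 error above), so in practice this is a drift check to run after maintenance windows, when the overview output is the only quick view across all Security Groups.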

SSM Global Configuration


Syntax:
> show smo multiple-security-groups overview ssm-conf

Example output:
SSM Global Configuration:

+------------------+-------+
| Feature | State |
+------------------+-------+
| IPv6 | off |
+------------------+-------+
| L4 Distribution | off |
+------------------+-------+
| SPI Distribution | off |
+------------------+-------+
| Max Matrix Size | 2k |
+------------------+-------+
| SSM1 QSFP Mode | 4x10G |
+------------------+-------+
| SSM2 QSFP Mode | 4x10G |
+------------------+-------+

Deleting a Security Group


To free the resources of a Security Group, you must delete the Security Group.
Procedure:
1. Connect to the command line on the Scalable Platform.
2. Log in to the gClish.
3. Examine the Security Group IDs:
> show smo multiple-security-groups id

4. Delete the specified Security Group:


> delete smo multiple-security-groups id <Security Group ID>

Important:
• You can delete only the Security Group to which you are connected.


• Before you add SGMs that were part of a deleted Security Group to another Security Group, we
recommend that you reset those SGMs to factory defaults.
Example:
> delete smo multiple-security-groups id 1
You are about to delete Security Group 1, This will remove all SGMs
Are you sure?(Y/N)[N]
y
1_01:
SGM has been removed from the Security Group.
2_01:
SGM has been removed from the Security Group.
Unregistering Security Group from SGRM...
Security Group ID 1 was unregistered successfully
Done.

Disabling Multiple Security Groups


Procedure:
1. Connect to the command line on the Scalable Platform.
2. Log in to the gClish.
3. Remove SGMs from all Security Groups. (on page 352)
4. Delete all Security Groups. (on page 356)
5. Disable the Multiple Security Groups feature:
> set smo multiple-security-groups state off

Notes:
• You can disable the Multiple Security Groups feature only on the last remaining Security Group.
If other Security Groups still exist, the command fails with this message:
Example:
> set smo multiple-security-groups state off
Multiple Security Groups can be disabled on the last and only Security Group

• You need to run this command only once, on the last and only Security Group.
Example:
> set smo multiple-security-groups state off
1_01:
success

1_02:
success

Security Group ID 1 was unregistered successfully


Working with the Distribution Mode


The SSM uses the Distribution Mode to assign incoming traffic to the SGMs. By default, the
Scalable Platform automatically configures the Distribution Mode.

Supported Distribution Modes


Mode       Description                                                                 Applies to
User       Packets are assigned to an SGM based on the packet destination IP          One SSM
           address. If Layer 4 distribution is enabled, packets are assigned to an
           SGM based on the packet source port and the destination IP address.
Network    Packets are assigned to an SGM based on the packet source IP address.      One SSM
           If Layer 4 distribution is enabled, packets are assigned to an SGM
           based on the packet source IP address and destination port.
General    Packets are assigned to an SGM based on both the packet source and the    All SSMs in the
           destination. If Layer 4 distribution is enabled, packets are assigned     Scalable Platform
           to an SGM based on the packet source IP address, source port,
           destination IP address, and destination port.
Per-Port   Each SSM data interface is configured separately as the User Mode or the   SSM data interface
           Network Mode.

User and Network Modes


The User and Network Modes always work together and are known as the User/Network Mode.

General Mode
Note - There can be some scenarios where you must manually assign the General Mode.

Automatic Distribution Configuration (Auto-Topology)


By default, the Scalable Platform automatically configures the Distribution Mode. The best
Distribution Mode is selected based on the Gateway topology as defined in SmartDashboard.
The Distribution Mode is determined automatically based on these interface types:
• Physical interfaces, except for management and synchronization interfaces
• VLAN
• Bond
• VLAN over Bond
These examples show how the Distribution Mode can be automatically configured for each
interface.


Physical Interfaces:
In this example, all ports on each SSM are Internal or External. The Distribution Mode for the two
SSMs is automatically configured as User or Network.

Physical Interface   Topology   SSM   Distribution Mode
eth1-01              Internal   1     User
eth1-02              Internal   1     User
eth2-01              External   2     Network
eth2-02              External   2     Network

Physical Interfaces:
On at least one of the SSMs, some ports are Internal and others are External. The Distribution
Mode for the SSMs is automatically configured as Per Port.

Interface   Topology   SSM   Port   Distribution Mode
eth1-01     Internal   1     1      User
eth1-02     External   1     2      Network
eth2-01     External   2     1      Network
eth2-02     External   2     2      Network

Physical and VLAN Interfaces:


Three VLANs are defined on one SSM port. On at least one of the SSMs, some VLANs are Internal
and others are External. Therefore, the SSM Distribution Mode is automatically configured as
Per-Port.

Interface     Topology   SSM   Port   VLAN   Distribution Mode
eth1-01       External   1     1      NA     Network
eth1-01.100   Internal   1     1      100    User
eth1-01.200   External   1     1      200    Network
eth1-01.300   Internal   1     1      300    User

VSX Virtual Systems:


A Virtual Switch does not have topology. Therefore, the Distribution Mode is calculated based on
the topologies of the WRP interfaces connected to the Virtual Systems, as shown. In this example,
the Distribution Mode is calculated as Network.

Interface   Topology   Distribution Mode
eth1-01     External   N/A
wrp64       Internal   Network
wrp128      Internal   Network
wrp192      Internal   User


Bond Interfaces:
In this example, both interfaces on each Bond are configured with the same Distribution Mode.
Both bond interfaces are configured with one port for SSM1 and one port for SSM2. On both SSMs,
one port is Internal and the other is External. The SSM Distribution Mode is automatically
configured as Per-Port.

Interface   Topology   Slaves    SSM   Port   Distribution Mode
bond1       Internal   eth1-01   1     1      User
                       eth2-01   2     1      User
bond2       External   eth1-02   1     2      Network
                       eth2-02   2     2      Network

VLAN Over Bond Interfaces:


The automatic Distribution Mode configuration is based on the VLAN topology. In this example,
both interfaces on each VLAN are configured with the same Distribution Mode. Both bond
interfaces are configured on port 1 for each SSM. The SSM Distribution Mode is automatically
configured as Per-Port.

Interface   Topology   Slaves    SSM   Port   VLAN   Distribution Mode
bond1.100   Internal   eth1-01   1     1      100    User
                       eth2-01   2     1      100    User
bond1.200   External   eth1-01   1     1      200    Network
                       eth2-01   2     1      200    Network

Manual Distribution Configuration (Manual-General)


In some deployments, you must manually configure the Distribution Mode to General. In other
cases, it may be necessary to force the system to work in General Mode.
When the Distribution Mode is manually configured (Manual-General Mode), the Distribution
Mode of every SSM is General. In this configuration, the topology of the interfaces is irrelevant.
Best Practice - Do not manually change the Distribution Mode of a Virtual System. This can cause
performance degradation.

Setting and Showing the Distribution Configuration


Use these gClish commands to set and show the distribution configuration.

Syntax                                                         Notes
> set distribution configuration <mode>                        <mode> can be auto-topology or manual-general
> set distribution configuration <mode> ip-version <version>   <version> can be one of the following: ipv4, ipv6, or all
  ip-mask <mask>                                               <mask> must be suitable for the matrix size and in Hex format
> show distribution configuration                              Shows the configuration

If the system is a VSX Gateway, run the commands below in the context of VS0 only. The change
applies immediately to all Virtual Systems.

To change the Distribution Mode to Manual-General:
> set distribution configuration manual-general
1_01:
configuration update completed successfully

To change the mask of Auto-Topology distribution:
> set distribution configuration auto-topology ip-version all ip-mask 7FF
1_01:
configuration update completed successfully

To show the distribution configuration:
> show distribution configuration
1_01:
Distribution Mode: auto-topology
ipv4 Distribution mask: 0x000007ff
ipv6 Distribution mask: 0x000000000000000000000000000007ff

Configuring the Interface Distribution Mode (set distribution interface)
Description
Use these commands in gClish to:
• Set the interface Distribution Mode - For an interface when the system is not working in the
General Mode
• Show the interface Distribution Mode - If it is assigned by Auto-Topology, or is manually
configured
Note - In VSX mode, you must go to the context of the applicable Virtual System before you can
change the interface Distribution Mode. Run the set virtual-system <VS_ID> command.

Syntax to set the interface Distribution Mode


> set distribution interface <if_name> configuration {user | network | policy}

Syntax to show the interface Distribution Mode


> show distribution interface <if_name> configuration

Parameters
Parameter Description
<if_name> Interface name as assigned by the operating system.
user Manually assign the User Distribution Mode.
network Manually assign the Network Distribution Mode.
policy Use Auto-Topology to automatically assign the Distribution Mode
according to the policy.

Example
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > set distribution interface eth1-01 configuration network
configuration update completed successfully
[Global] MyChassis-ch01-01 >
[Global] MyChassis-ch01-01 > set distribution interface eth1-01 configuration policy
configuration update completed successfully
[Global] MyChassis-ch01-01 >

The example above shows how to:


• Manually change the Distribution Mode for interface eth1-01 from policy to network
• Change the Distribution Mode on interface eth1-01 from network to policy

Configuring Distribution Matrix Maximal Size (set distribution matrix-max-size)
Description
Use these commands to configure and show the distribution matrix size.

Syntax to set the maximal size for the distribution matrix


> set distribution matrix-max-size <max size>

Syntax to show the maximal size for the distribution matrix


> show distribution matrix-max-size

Syntax to show the current size for the distribution matrix


> show distribution matrix-size

Syntax to show the matrix size with different configurations


> show distribution matrix-size mode <mode> ipv6 {on | off} spi {on | off} l4-mode {on | off} mtx-max-size <max size>

Parameters
Parameter Description
<max size> Specifies the maximal size to configure
<mode> Specifies the mode. One of these:
• general
• user-network
• per-port

Example 1 - Set the maximal size for the distribution matrix to 2k (2048 entries)
> set distribution matrix-max-size 2k
2_01:
initialization completed successfully

Example 2 - Show the current size for the distribution matrix


> show distribution matrix-size
2_01:
2048

Example 3 - Show the matrix size with different configurations


> show distribution matrix-size mode user-network ipv6 off spi off l4-mode on mtx-max-size 2k
2_01:
512


Showing Distribution Status (show distribution status)


Description
Use this command to show a summary or verbose status report of the Distribution Mode.
Verbose mode shows a detailed report for all SGMs and SSMs.

Syntax
> show distribution status [verbose]

Example output
Topic: Configuration:
distribution mode user-network
policy mode on
ssm 1 mode user
ssm 2 mode network
ipv6 mode off
spi mode off
l4 mode off
40g mode on
matrix max_size 2k
matrix size 2048
mask ipv4 general destination 0000001f
mask ipv4 general source 0000001f
mask ipv4 l4 ip 000001ff
mask ipv4 l4 port 00000003
mask ipv4 user-network destination 000007ff
mask ipv4 user-network source 000007ff
mask ipv6 general destination 0000000000000000000000000000001f
mask ipv6 general source 0000000000000000000000000000001f
mask ipv6 user-network destination 000000000000000000000000000007ff
mask ipv6 user-network source 000000000000000000000000000007ff
mask spi 000007ff

Per interface distribution legend:


Internal (User) - Destination IP based
External (Network) - Source IP based
General - Source and Destination IP based

Explanation about the output


Field               Description
distribution mode   Currently configured Distribution Mode.
policy mode         Auto-Topology assignment:
                    • on - Auto-Topology
                    • on - Manual override
                    • off - Manual-General
ssm mode            Distribution Mode assignment for each SSM.
ipv6 mode           Shows if IPv6 is enabled for this system.
spi mode            Shows if SPI affinity is enabled for this system.
l4 mode             Shows if Layer 4 distribution is enabled for this system.
40g mode            Shows if QSFP ports are working at 40GbE (on) or at 4 x 10GbE (off).
matrix size         Size of the distribution matrix. The distribution matrix is a table that
                    contains the SGM IDs that are used for traffic assignment.
interface           Shows the Distribution Mode assignment for each interface.

Running a Verification Test (show distribution verification)


Description
Use the show distribution verification command to run a verification test of the
Distribution Mode configuration.
This test compares the SGM and SSM configurations with the actual results.
You can see a summary or a verbose report of the test results.
Verbose mode shows detailed reports for all SGMs and SSMs.

Syntax
> show distribution verification [verbose]

Example
Note - This example shows only a small sample of the data. The checksums are truncated to fit on
the page.
> show distribution verification verbose
Test: Configuration: Verification: Result:
chassis 2 blade 1 dxl-general-mode off off Passed
chassis 2 blade 1 dxl-md5sum 9aad1d05e8dc2b4911a1e6a77a790a55 9aad1d05e8dc2b4911a1e6a77a790a55 Passed
chassis 2 blade 1 dxl-size 512 512 Passed
chassis 2 blade 2 dxl-general-mode off off Passed
chassis 2 blade 2 dxl-md5sum 9aad1d05e8dc2b4911a1e6a77a790a55 9aad1d05e8dc2b4911a1e6a77a790a55 Passed
chassis 2 blade 2 dxl-size 512 512 Passed
chassis 2 blade 3 dxl-general-mode off off Passed
chassis 2 blade 3 dxl-md5sum 9aad1d05e8dc2b4911a1e6a77a790a55 9aad1d05e8dc2b4911a1e6a77a790a55 Passed
chassis 2 blade 3 dxl-size 512 512 Passed
chassis 2 ssm 1 ipv6-mode off off Passed
chassis 2 ssm 1 l4-mode on on Passed
chassis 2 ssm 1 mask ipv4 general destination 0000000f 0000000f Passed
chassis 2 ssm 1 mask ipv4 general source 0000000f 0000000f Passed
chassis 2 ssm 1 mask ipv4 l4 ip 0000007f 0000007f Passed
chassis 2 ssm 1 mask ipv4 l4 port 00000003 00000003 Passed
chassis 2 ssm 1 mask ipv4 user-network destination 000001ff 000001ff Passed
chassis 2 ssm 1 mask ipv4 user-network source 000001ff 000001ff Passed
chassis 2 ssm 1 mask ipv6 general destination 00000000000000000000000000000f 00000000000000000000000000000f Passed
chassis 2 ssm 1 mask ipv6 general source 00000000000000000000000000000f 00000000000000000000000000000f Passed
chassis 2 ssm 1 mask ipv6 user-network destination 0000000000000000000000000001ff 0000000000000000000000000001ff Passed
chassis 2 ssm 1 mask ipv6 user-network source 0000000000000000000000000001ff 0000000000000000000000000001ff Passed
chassis 2 ssm 1 mask spi 000001ff 000001ff Passed
chassis 2 ssm 1 matrix-max_size 2k 2k Passed
chassis 2 ssm 1 matrix-size 512 512 Passed
chassis 2 ssm 1 mode user user Passed
chassis 2 ssm 1 signature 1b4608265544a62eaec709c0ee4f4689 1b4608265544a62eaec709c0ee4f4689 Passed
chassis 2 ssm 1 spi-mode off off Passed
chassis 2 ssm 2 ipv6-mode off off Passed
chassis 2 ssm 2 l4-mode on on Passed
chassis 2 ssm 2 mask ipv4 general destination 0000000f 0000000f Passed
chassis 2 ssm 2 mask ipv4 general source 0000000f 0000000f Passed
chassis 2 ssm 2 mask ipv4 l4 ip 0000007f 0000007f Passed
chassis 2 ssm 2 mask ipv4 l4 port 00000003 00000003 Passed
chassis 2 ssm 2 mask ipv4 user-network destination 000001ff 000001ff Passed
chassis 2 ssm 2 mask ipv4 user-network source 000001ff 000001ff Passed
chassis 2 ssm 2 mask ipv6 general destination 00000000000000000000000000000f 00000000000000000000000000000f Passed
chassis 2 ssm 2 mask ipv6 general source 00000000000000000000000000000f 00000000000000000000000000000f Passed
chassis 2 ssm 2 mask ipv6 user-network destination 0000000000000000000000000001ff 0000000000000000000000000001ff Passed
chassis 2 ssm 2 mask ipv6 user-network source 0000000000000000000000000001ff 0000000000000000000000000001ff Passed
chassis 2 ssm 2 mask spi 000001ff 000001ff Passed
chassis 2 ssm 2 matrix-max_size 2k 2k Passed
chassis 2 ssm 2 matrix-size 512 512 Passed
chassis 2 ssm 2 mode network network Passed
chassis 2 ssm 2 signature 1b4608265544a62eaec709c0ee4f4689 1b4608265544a62eaec709c0ee4f4689 Passed
chassis 2 ssm 2 spi-mode off off Passed

Summary:
verification passed successfully
>
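The verification output is worth checking by script rather than by eye, because a single SGM holding a stale distribution matrix shows up as one differing dxl-md5sum line in a long listing. The Python below is an added example (not part of this guide or of the Check Point product): it parses records of the form shown above, compares the Configuration and Verification columns itself instead of trusting the Result word, and then checks that the values every SGM must share (dxl-md5sum, dxl-size) and every SSM must share (signature, matrix-size) really are identical across units. Both listings are constructed: CLEAN mirrors the records above with one record per line, and DRIFT alters one checksum; the "Failed" wording of a failing record is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the verification records above, one
# record per line, with the line-wrapping of the printed guide removed.
CLEAN = """\
chassis 2 blade 1 dxl-general-mode off off Passed
chassis 2 blade 1 dxl-md5sum 9aad1d05e8dc2b4911a1e6a77a790a55 9aad1d05e8dc2b4911a1e6a77a790a55 Passed
chassis 2 blade 1 dxl-size 512 512 Passed
chassis 2 blade 2 dxl-general-mode off off Passed
chassis 2 blade 2 dxl-md5sum 9aad1d05e8dc2b4911a1e6a77a790a55 9aad1d05e8dc2b4911a1e6a77a790a55 Passed
chassis 2 blade 2 dxl-size 512 512 Passed
chassis 2 blade 3 dxl-general-mode off off Passed
chassis 2 blade 3 dxl-md5sum 9aad1d05e8dc2b4911a1e6a77a790a55 9aad1d05e8dc2b4911a1e6a77a790a55 Passed
chassis 2 blade 3 dxl-size 512 512 Passed
chassis 2 ssm 1 mask ipv4 user-network destination 000001ff 000001ff Passed
chassis 2 ssm 1 matrix-size 512 512 Passed
chassis 2 ssm 1 mode user user Passed
chassis 2 ssm 1 signature 1b4608265544a62eaec709c0ee4f4689 1b4608265544a62eaec709c0ee4f4689 Passed
chassis 2 ssm 2 mask ipv4 user-network destination 000001ff 000001ff Passed
chassis 2 ssm 2 matrix-size 512 512 Passed
chassis 2 ssm 2 mode network network Passed
chassis 2 ssm 2 signature 1b4608265544a62eaec709c0ee4f4689 1b4608265544a62eaec709c0ee4f4689 Passed
"""

# Constructed: the same listing after SGM 2_03 ended up with a different
# distribution matrix. The wording of a failing record is assumed.
DRIFT = CLEAN.replace(
    "blade 3 dxl-md5sum 9aad1d05e8dc2b4911a1e6a77a790a55 9aad1d05e8dc2b4911a1e6a77a790a55 Passed",
    "blade 3 dxl-md5sum 9aad1d05e8dc2b4911a1e6a77a790a55 4c2a9d7c1e0f3b5a8d6e7f9012345678 Failed",
)

# "chassis N blade|ssm N <test name> <configured> <actual> <result>"; the test
# name may contain spaces, the last three fields never do.
RECORD_RE = re.compile(
    r"^chassis (?P<chassis>\d+) (?P<unit>blade|ssm) (?P<id>\d+) "
    r"(?P<test>.+?) (?P<configured>\S+) (?P<actual>\S+) (?P<result>\S+)$"
)


def parse_verification(text):
    """Return one dict per record; lines that are not records are ignored."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_drift(records):
    """Compare configured against actual for each record, then check that the
    values every SGM and every SSM must agree on are identical across units."""
    findings = []
    values = defaultdict(set)                      # (unit, test) -> set of actual values
    for r in records:
        if r["configured"] != r["actual"]:
            findings.append(
                f"chassis {r['chassis']} {r['unit']} {r['id']} {r['test']}: "
                f"configured {r['configured']}, actual {r['actual']}"
            )
        values[(r["unit"], r["test"])].add(r["actual"])
    for unit, test in (("blade", "dxl-md5sum"), ("blade", "dxl-size"),
                       ("ssm", "signature"), ("ssm", "matrix-size")):
        if len(values[(unit, test)]) > 1:
            findings.append(f"{test} differs across {unit}s: {sorted(values[(unit, test)])}")
    # the matrix pushed to the SGMs must be the size the SSMs distribute over
    if values[("blade", "dxl-size")] != values[("ssm", "matrix-size")]:
        findings.append("SGM matrix size and SSM matrix size disagree")
    return findings


if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("drift", DRIFT)):
        problems = find_drift(parse_verification(text))
        print(f"{name}: " + ("OK" if not problems else "; ".join(problems)))
```

On a live system, feed it the output of `show distribution verification verbose` saved to a file; a non-empty result after a policy push or an SGM re-join is the signal to re-run the push before traffic is affected.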

Configuring the Layer 4 Distribution Mode and Masks (set distribution l4-mode)
Description
Use these commands in gClish to:
• Enable Layer 4 distribution and set new masks for the IP address and the port
• Disable Layer 4 distribution
• Show the Layer 4 Distribution Mode and masks
Note - When working with a Virtual System, you must go to the context of the applicable Virtual
System before you can change the Distribution Mode. Run the set virtual-system <VS_ID> command.

Syntax
> set distribution l4-mode enabled [ip-mask <IP mask> [port-mask <port mask>]]


> set distribution l4-mode disabled


> show distribution l4-mode

Note - Mask configuration is applicable to SSM160.

Example 1 - Configure the Layer 4 Distribution Mode


[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > set distribution l4-mode enabled ip-mask 7F port-mask 3
2_01:
masks update completed successfully
[Global] MyChassis-ch01-01 >

Example 2 - Disable the Layer 4 Distribution Mode


[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > set distribution l4-mode disabled
2_01:
success
[Global] MyChassis-ch01-01 >

Example 3 - Show the current Layer 4 Distribution Mode and Masks


[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > show distribution l4-mode
2_01:
L4 Distribution: Enabled
L4 Distribution IP mask: 0x0000007f
L4 Distribution port mask: 0x00000003
[Global] MyChassis-ch01-01 >


NAT and the Correction Layer on a Scalable Platform


For optimal system performance, one SGM handles all traffic for a session. With NAT, packets
sent from the client to the server can be distributed to a different SGM than packets from the
same session sent from the server to the client. The system correction layer must then forward
the packet to the correct SGM.
Correctly configuring the Distribution Mode keeps correction situations to a minimum and
optimizes system performance. To achieve optimal distribution between SGMs on the Scalable
Platform:
• When not using NAT rules, set the General Distribution Mode.
• When using NAT rules, set the hidden networks to User Mode and the destination networks to
Network Mode.


NAT and the Correction Layer on a VSX Gateway


In a VSX Gateway, the guidelines in NAT and the Correction Layer on a Scalable Platform apply to
each Virtual System individually. For best results, the same SGM handles an entire session on a
given Virtual System. When a Virtual Switch (junction) connects several Virtual Systems, the same
session can be handled by one Virtual System on one SGM, and by another Virtual System on a
different SGM.
When a packet reaches a Virtual System from a junction, the VSX Stateless Correction Layer
rechecks the distribution according to the Distribution Mode of the WRP interface. It can decide
to forward the packet to a different SGM.
In addition, on each Virtual System the stateful correction layer can forward session packets, as
on a Security Gateway.
All forwarding operations have a performance impact. Therefore, the Distribution Mode
configuration should minimize forwarding operations.

To achieve optimal distribution between SGMs on the VSX Gateway:


• If you do not use NAT rules on any Virtual System, set the General Distribution Mode.
• If you use NAT rules on at least one Virtual System, set the hidden networks to User Mode, and
the destination networks to Network Mode.
• On the remaining Virtual Systems that do not use NAT rules, set internal networks to User
Mode, and the external networks to Network Mode.


Working with the GARP Chunk Mechanism


When Proxy ARP is enabled, the Firewall responds to ARP requests for hosts other than itself.
When Chassis failover occurs, the new Active Chassis sends Gratuitous ARP (GARP) Requests with
its own (new) MAC address to update the network ARP tables.
To prevent network congestion during Chassis failover, GARP Requests are sent in user-defined
groups called chunks. Each chunk contains a predefined number of GARP Requests based on
these parameters:
• The number of GARP Requests in each chunk.
• High Availability Time Unit (HTU) - Time interval (1 HTU = 0.1 sec), after which a chunk is sent.
• The chunk mechanism iterates on the proxy ARP IP addresses, and each time sends GARP
Requests only for some of them until it completes the full list.
When the iteration sends the full list, it waits N HTUs and sends the list again.
Configuration:
For example, to send 10 GARP Requests each second, set the value of the kernel parameter
fwha_refresh_arps_chunk to 1:
# g_fw ctl set int fwha_refresh_arps_chunk 1

To send 50 GARP Requests each second, set the value of the kernel parameter
fwha_refresh_arps_chunk to 5:
# g_fw ctl set int fwha_refresh_arps_chunk 5

Whenever the iteration is finished sending GARP Requests for the entire list, it waits N HTUs and
sends the GARP Requests again.
The time between the iterations can be configured with these kernel parameters:

Kernel Parameter                      Description
fwha_periodic_send_garps_interval1    The default value is 1 HTU (0.1 second). The Scalable Platform
                                      sends the GARP immediately after failover. Do not change this value.
fwha_periodic_send_garps_interval2    The default value is 10 HTUs (1 second).
fwha_periodic_send_garps_interval3    The default value is 20 HTUs (2 seconds).
fwha_periodic_send_garps_interval4    The default value is 50 HTUs (5 seconds).
fwha_periodic_send_garps_interval5    The default value is 100 HTUs (10 seconds).

In the above (default) configuration, after the iteration sends the list:
• Waits 1 second and sends again
• Waits 2 seconds and sends again
• Waits 5 seconds and sends again
• Waits 10 seconds and sends again


To change an interval, run:


# g_fw ctl set int fwha_periodic_send_garps_interval<N> <Value>

To apply the intervals, run:


# g_fw ctl set int fwha_periodic_send_garps_apply_intervals 1

Verification:
To manually send GARP Requests, on the Chassis monitor blade, run:
# fw ctl set int test_arp_refresh 1

This causes GARP Requests to be sent, the same as after a failover.


Debug:
# g_fw ctl zdebug -m cluster + ch_conf | grep fw_refresh_arp_proxy_on_failover

Important - To make the above configuration permanent (to survive reboot), add the applicable
kernel parameters to the $FWDIR/modules/fwkern.conf file with the command:
update_conf_file fwkern.conf <parameter>=<value>


Port Forwarding on Management Servers


Traffic initiated from an SGM that is not the SMO through the management interface, such as
eth1-mgmt4, works only for these UDP and TCP services:
• UDP: RADIUS, TACACS, SYSLOG, DNS, NTP
• TCP: TE server (18194), DNS (53), CRL, URLF proxy, URLF no proxy, LDAP, TACACS, CPD,
SMTP, SSH

To add new services to the list:


1. Edit the $FWDIR/conf/fw_global_params.conf file:
# vi $FWDIR/conf/fw_global_params.conf
2. Add this line:
mgmt_forwarding_tcp_ports_list_string="<Port1>,<Port2>,....,<PortN>"
Example:
mgmt_forwarding_tcp_ports_list_string="55010,55011,55012"
3. Save the changes in the file and exit the Vi editor.
4. Copy the modified file to all SGMs:
# g_cp2blades $FWDIR/conf/fw_global_params.conf
5. Apply the new configuration:
# g_all cpha_blade_config fw_global_params_changed
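The Python below is an added example (it is not part of this guide or of the Check Point product) that does step 2 of the procedure above without hand-editing in vi: it merges new ports into mgmt_forwarding_tcp_ports_list_string, rejects anything that is not a TCP port number (a typo here silently breaks every forwarded service on the non-SMO SGMs), keeps every other line as it is, and replaces the file atomically so an interrupted write cannot leave a truncated fw_global_params.conf behind. On a real SGM, pass $FWDIR/conf/fw_global_params.conf as the path; the demo runs on a constructed copy in a temporary directory, and the some_other_param line in it is a placeholder, not a real parameter. Steps 4 and 5 above (g_cp2blades and cpha_blade_config) are still required afterwards.

```python
import os
import re
import shutil
import tempfile

KEY = "mgmt_forwarding_tcp_ports_list_string"
# The line as written in the procedure: KEY="<Port1>,<Port2>,...,<PortN>"
LINE_RE = re.compile(r'^\s*' + KEY + r'\s*=\s*"(?P<ports>[^"]*)"\s*$')


def parse_ports(value):
    """Parse the quoted comma-separated list into a set of validated TCP ports."""
    ports = set()
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"{KEY}: {item!r} is not a valid TCP port")
        ports.add(int(item))
    return ports


def render(ports):
    """Format a port set back into the exact line syntax the file expects."""
    return f'{KEY}="{",".join(str(p) for p in sorted(ports))}"'


def merge_ports(text, new_ports):
    """Return the file contents with new_ports merged into the existing list.
    Other lines are left untouched; a second definition of the key is dropped
    so that the file ends up with exactly one."""
    wanted = parse_ports(",".join(str(p) for p in new_ports))
    out, found = [], False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            out.append(line)
        elif not found:
            wanted |= parse_ports(m.group("ports"))
            out.append(render(wanted))
            found = True
    if not found:
        out.append(render(wanted))
    return "\n".join(out) + "\n"


def update_file(path, new_ports):
    """Rewrite the params file atomically and return the resulting port set."""
    with open(path) as f:
        updated = merge_ports(f.read(), new_ports)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as f:
            f.write(updated)
        shutil.copymode(path, tmp)     # keep the original file permissions
        os.replace(tmp, path)          # atomic rename: no half-written file on crash
    except BaseException:
        os.unlink(tmp)
        raise
    for line in updated.splitlines():
        m = LINE_RE.match(line)
        if m:
            return parse_ports(m.group("ports"))
    return set()


def demo():
    """Run the merge against a constructed copy of the file in a temp dir."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "fw_global_params.conf")
    with open(path, "w") as f:
        f.write("some_other_param=1\n" + render({55010, 55011}) + "\n")
    try:
        return update_file(path, [8443, 55010])   # 55010 is already present
    finally:
        os.unlink(path)
        os.rmdir(d)


if __name__ == "__main__":
    print(sorted(demo()))
```

Because the SMO copies this file to every SGM in step 4, run the script once on the SMO only; running it independently per SGM would let the lists diverge.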


Threat Emulation
R76SP.50 supports the Threat Emulation Software Blade installed on the Scalable Platform. The
Threat Emulation and Threat Prevention Software Blades are supported on a Security
Management Server which has the latest Jumbo Hotfix installed.
To learn how to install Threat Emulation on the Scalable Platform, see sk111405
http://supportcontent.checkpoint.com/solutions?id=sk111405. To learn how to work with Threat
Emulation, see the R77 Threat Prevention Administration Guide
https://sc1.checkpoint.com/documents/R77/CP_R77_ThreatPrevention_WebAdmin/html_frameset.htm.


IPS Bypass Under Load


Bypass Under Load allows the administrator to define a gateway resource load level at which IPS
inspection suspends temporarily until the gateway's resources return to satisfactory levels.
IPS inspection can make a difference in connectivity and performance. Usually, the time it takes to
inspect packets is not noticeable. However, under heavy loads it can be a critical issue.
You have the option to temporarily stop IPS inspection on a gateway if it experiences heavy load.


IPS Cluster Failover Management


You can configure how IPS is managed during a cluster failover.
This occurs when one Cluster Member takes over for a different Cluster Member to supply High
Availability.
You must run this command in the Expert mode.

Syntax to configure the IPS cluster failover behavior


# asg_ips_failover_behavior {connectivity | security}

Parameters
Parameter      Description
connectivity   Prefer connectivity - Keeps connections alive, even if IPS inspection cannot be
               guaranteed.
security       Prefer security - Closes connections for which IPS inspection cannot be
               guaranteed.

Syntax to view the configured IPS cluster failover behavior


# fw ctl get int fwha_ips_reject_on_failover

• If the output shows fwha_ips_reject_on_failover = 0, connectivity is preferred.
• If the output shows fwha_ips_reject_on_failover = 1, security is preferred.


Optimizing IPS (asg_ips_enhance)


Description
R76SP.50 supports HyperSpect optimization for IPS on systems that use the SGM260. HyperSpect
uses adaptive traffic inspection to focus on the most important parts of each connection. This can
give up to a 50% improvement for IPS inspection in real-life traffic scenarios.
From Expert Mode, run the asg_ips_enhance command to:
• Enable or disable HyperSpect
• Show HyperSpect status and enforce consistency across SGMs
• Synchronize the configuration

Syntax
# asg_ips_enhance [enable | disable] [status] [sync]

Parameters

Parameter   Description
enable      Enables HyperSpect on all SGMs
disable     Disables HyperSpect on all SGMs
status      Shows HyperSpect status and consistency for all SGMs
sync        Synchronizes the HyperSpect configuration file across all SGMs

Example - Enable HyperSpect on all SGMs:

# asg_ips_enhance enable

CHAPTER 14

Advanced Hardware Configuration


In This Section:
Chassis Management Module (CMM) CLI .................................................................376
Security Gateway Modules .........................................................................................387

Chassis Management Module (CMM) CLI

The Chassis Management Module (CMM) monitors and controls all hardware components in the
Chassis. The CMM communicates with a dedicated SGM using SNMP. If a hardware sensor reports
a problem, the CMM automatically takes action or sends a report. CMMs also have a Command
Line Interface.

To connect to the Active CMM:

1. Connect to the serial port on the front panel of the CMM.
2. In your terminal emulation program, set the baud rate to 9600.
3. Enter admin for the user name and password.
4. Open a telnet or SSH session from one of the SGMs.
5. Ping these addresses:
• 198.51.100.33
• 198.51.100.233
6. Telnet or SSH from the SGM to the Active CMM.
7. Enter admin for the user name and password.

To connect to the Standby CMM:

1. Connect to the Active CMM.
2. At the command prompt, run:
   ifconfig
3. Record the IP Address for the USB interface.
4. Telnet or SSH from the Active CMM to the Standby CMM with the IP address from the table
   below.

IP address of Active CMM   IP address of Standby CMM
192.168.1.131              192.168.1.130
192.168.1.131              192.168.1.130
192.168.1.2                192.168.1.3
192.168.1.3                192.168.1.2


CMM Commands
Use the CMM CLI commands to monitor and manage the CMM.

Logging CMM Diagnostic Information

To log CMM diagnostic information:
1. Log into the Active CMM.
2. Run:
> /etc/summary
This command can take several minutes to run.
3. Run:
> cat /tmp/debug.log
> cat /etc/shmm.cfg
> clia fruinfo 20 0
> clia fruinfo 20 1
> clia fruinfo 20 2
> clia fruinfo 20 3
> clia fruinfo 20 4
> clia fruinfo 20 5
> clia fruinfo 20 6
> clia fruinfo 20 7
> clia fruinfo 20 8
> clia fruinfo 20 9

4. On 61000 N + N, run:
> clia fruinfo 20 10
> clia fruinfo 20 11
> clia fruinfo 20 12
> clia fruinfo 20 13
> clia fruinfo 20 14
> clia fruinfo 20 15
> clia fruinfo 20 16

5. On Scalable Platform, run:
> clia fruinfo y 10
> clia fruinfo y 12
> clia fruinfo y 82
> clia fruinfo y 84
> clia fruinfo y 86
> clia fruinfo y 88
> clia fruinfo y 8a
> clia fruinfo y 8c
> clia fruinfo y 8e
> clia fruinfo y 90
> clia fruinfo y 92
> clia fruinfo y 94
> clia fruinfo y 96
> clia fruinfo y 98
> clia fruinfo y 9a
> clia fruinfo y 9c

The logs are stored in /tmp/debug.log on the CMM.

Changing the CMM Administrator Password

To change the CMM Administrator Password:
1. In the Expert mode, run:
# passwd admin
2. Enter and confirm the new password.


Changing the Chassis Configuration

To change the Chassis configuration, edit this file:
/etc/shmm.cfg

CMM Slot IDs

Some commands use SGM and SSM IDs, or Slot IPMB Addresses.
Use these tables to find the correct SGM and SSM ID or Slot IPMB Address.

64000 Scalable Platform

Physical Slot Number   Slot IPMB Address   SGM Number   SSM Number
1                      0x9A                SGM1
2                      0x96                SGM2
3                      0x92                SGM3
4                      0x8E                SGM4
5                      0x8A                SGM5
6                      0x86                SGM6
7                      0x82                             SSM1
8                      0x84                             SSM2
9                      0x88                SGM7
10                     0x8C                SGM8
11                     0x90                SGM9
12                     0x94                SGM10
13                     0x98                SGM11
14                     0x9C                SGM12

61000 Scalable Platform

Physical Slot Number   Slot IPMB Address   SGM Number       SSM Number
1                      0x9A                SGM1
2                      0x96                SGM2
3                      0x92                SGM3
4                      0x8E                SGM4
5                      0x8A                SGM5
6                      0x86                SGM6 (or SSM3)   SSM3 (or SGM6)
7                      0x82                                 SSM1
8                      0x84                                 SSM2
9                      0x88                SGM7 (or SSM4)   SSM4 (or SGM7)
10                     0x8C                SGM8
11                     0x90                SGM9
12                     0x94                SGM10
13                     0x98                SGM11
14                     0x9C                SGM12

44000 Scalable Platform

Physical Slot Number   Slot IPMB Address   SGM Number       SSM Number
1                      0x82                                 SSM1
2                      0x84                SGM6 (or SSM2)   SSM2 (or SGM6)
3                      0x86                SGM5
4                      0x88                SGM4
5                      0x8A                SGM3
6                      0x8C                SGM2
7                      0x8E                SGM1

41000 Scalable Platform

Physical Slot Number   Slot IPMB Address   SGM Number   SSM Number
1                      0x82                             SSM1
2                      0x84                             SSM2
3                      0x86                SGM4
4                      0x88                SGM3
5                      0x8A                SGM2
6                      0x8C                SGM1

For additional information, see the R76SP.50 Scalable Platforms Getting Started Guide
https://sc1.checkpoint.com/documents/R76SP.50/CP_R76SP.50_for_40000_60000_SecuritySystems_GettingStartedGuide/html_frameset.htm - Chapter Hardware Components.


Security Switch Module (SSM)

The Security Switch Module (SSM):
• Distributes network traffic to the Security Gateway Modules (SGMs)
• Forwards traffic from the SGMs to the network
• Shares the load amongst the SGMs
The SSMs and SGMs communicate automatically through SNMP requests. You can also connect
directly to the SSM and run commands.
You can connect to the SSM CLI through:
• A serial port on the front panel of the SSM
• An SSH session from one of the SGMs

SSM CLI
The SSM is the networking module of the gateway. The SSM transmits traffic to and from the SGM
and performs the load distribution among the SGMs.
The SSM includes two modules:
• Fabric switch - Includes the data ports
• Base switch - Includes the management ports
The SSM communicates with the SGM through SNMP, but sometimes it is necessary to connect
directly to the SSM.

Configuration:
You can connect to the SSM CLI:
• With a serial console to the CLI port on the SSM front panel (baud rate 9600)
• From one of the SGMs over SSH
To show the SSM IP addresses in Clish or gClish, run:
> show Chassis id 1|2|all module SSM{1|2} ip
Note - The password for the SSM is admin.

Syntax                                   Description
# show running-config [<feature_name>]   Shows the current configuration.
# show port                              Shows the current port status.
# show port <port_id>                    Shows detailed port information such as speed, administrative state, link state and so on.
# show port <port_id> statistics         Shows interface statistics.

Best Practice - Because the full configuration is very long, we recommend that you specify the
feature you want to see. For example, run the show running-config load-balance
command to see the load balance configuration. Press the Tab key to see a full list of the features.


Example:
# show port 1/3/1 statistics
===============================================================================
Port Statistics
===============================================================================
Input Output
-------------------------------------------------------------------------------
Unicast Packets 5003 7106
Multicast Packets 568409 1880
Broadcast Packets 122151 1972
Flow Control 0 0
Discards 16 0
Errors 0 0
-------------------------------------------------------------------------------
Total 695563 10958
===============================================================================

===============================================================================
Ethernet Statistics in Packets
===============================================================================
RX CRC Errors 0 TX Collisions 0
RX Undersize 0
-------------------------------------------------------------------------------
Input Output
-------------------------------------------------------------------------------
Fragments 0 0
Oversize 0 0
Jabbers 0 0
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Packets Input and Output
-------------------------------------------------------------------------------
Octets 71085491
Packets 706521
Packets of 64 Octets 2290
Packets of 65 to 127 Octets 689951
Packets of 128 to 255 Octets 4122
Packets of 256 to 511 Octets 6009
Packets of 512 to 1023 Octets 258
Packets of 1024 to 1518 Octets 994
Packets of 1519 or more Octets 0
-------------------------------------------------------------------------------
Total 695563 10958
===============================================================================

===============================================================================
Rates in Bytes per Second
===============================================================================
Input Output
Rate for last 10 sec 1477 25
Rate for last 60 sec 1435 50
===============================================================================
#

Pay special attention to the Discards and Errors fields; a problem is indicated when they
constantly increase.
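Because the absolute Discards and Errors values mean little on their own, the useful check is whether they grow between two samples of show port <port_id> statistics. The script below is an added example and is not part of the guide or of the SSM CLI: it pulls the two counters out of two captured outputs and reports each counter/direction that increased. The two samples are constructed in the output format shown above, trimmed to the rows the check needs; on a real system you would save the SSM output to files at two points in time and pass their contents in.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): compare the Discards and
# Errors rows of two "show port <port_id> statistics" captures and report
# growth. Sample captures are constructed from the output format in the guide.

# Print "<input> <output>" for the named counter row, e.g. "16 0" for Discards.
# Returns 1 when the row is not present in the capture.
port_counter() {
    # $1: counter name (Discards or Errors), $2: full statistics output
    printf '%s\n' "$2" | awk -v name="$1" '
        $1 == name && NF >= 3 { print $2, $3; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Compare an earlier and a later capture. Prints one line per counter and
# direction that increased, e.g. "Discards input +12". Returns 0 when nothing
# grew, 1 when something grew, 2 when a counter row is missing.
port_counter_growth() {
    grew=0
    for name in Discards Errors; do
        before=$(port_counter "$name" "$1") || return 2
        after=$(port_counter "$name" "$2") || return 2
        bi=${before% *}; bo=${before#* }   # input / output at time 0
        ai=${after% *};  ao=${after#* }    # input / output at time 1
        if [ "$ai" -gt "$bi" ]; then echo "$name input +$((ai - bi))"; grew=1; fi
        if [ "$ao" -gt "$bo" ]; then echo "$name output +$((ao - bo))"; grew=1; fi
    done
    return $grew
}

# Constructed captures: in the second one the input Discards and Errors
# counters have climbed, which is the pattern the guide says to watch for.
SAMPLE_T0='Port Statistics
                                   Input        Output
Unicast Packets                    5003         7106
Flow Control                       0            0
Discards                           16           0
Errors                             0            0
Total                              695563       10958'

SAMPLE_T1='Port Statistics
                                   Input        Output
Unicast Packets                    5203         7306
Flow Control                       0            0
Discards                           28           0
Errors                             2            0
Total                              700100       11200'

port_counter_growth "$SAMPLE_T0" "$SAMPLE_T1" || echo "port counters are growing, investigate the link"
```

Run it from an SGM in Expert mode against outputs saved a few minutes apart; a steady rise in input Discards with a flat Errors row usually points at a congested or misconfigured link rather than a faulty cable, whereas growing Errors deserves a look at the physical layer first.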

To view the SSM logs:

Run:
# unhide private
The default password is private.
# show private shell
# tail /var/log/messages

To change the load distribution on SGM groups:

Run:
# configure terminal
(config)# load-balance mtx-bucket 1 buckets [<SGM_ID1><SGM_ID2>:<SGM_ID3><SGM_ID4>…]
(config)# commit
(config)# exit
# load-balance apply

Note - Provide a full list of the SGMs when you use this command or traffic might be dropped on
the SSM.
To see the current version information, run: # show version
To log out from current session, run: # logout

To change the SSM admin password:

1. Use SSH or a serial console to log in to an SGM on the Chassis.
2. In Expert Mode, log in to one of the SSMs in the Chassis: ssh admin@ssm<ssm_id>
3. Enter the admin password when prompted.
4. Run these commands:
# conf t
# system security user admin
# password
5. Enter the new password.
6. Run these commands:
# commit
# end
# logout

Note - This procedure should be done separately on each SSM in the system. It does not cause any
traffic interruption.

Example:
# ssh ssm2
admin@ssm2's password:
BATM T-HUB4
admin connected from 198.51.100.215 using ssh on T-HUB4
T-HUB4#conf t
Entering configuration mode terminal
T-HUB4(config)#system security user admin
T-HUB4(config-user-admin)#password
(<MD5 digest string>): *****
T-HUB4(config-user-admin)#commit
Commit complete.
T-HUB4(config-user-admin)#end
T-HUB4#log
Connection to ssm2 closed.

Each port ID on the SGM maps to a port on the SSM. The table below maps SSM port IDs to SGM
port IDs.
Note - This table is for SSM1. For SSM2 replace eth1-X with eth2-X.

SGM SSM160 SSM440


eth1-01 1/3/1 1/1/1
eth1-02 1/3/2 1/1/2
eth1-03 1/3/3 1/1/3
eth1-04 1/3/4 1/1/4
eth1-05 1/3/5 1/1/5
eth1-06 1/3/6 1/1/6
eth1-07 1/3/7 1/1/7
eth1-Sync 1/3/8 1/1/8
eth1-09 1/1/1 1/4/1
eth1-10 1/1/2 1/4/2
eth1-11 1/1/3 1/4/3
eth1-12 1/1/4 1/4/4
eth1-13 1/2/1 1/4/5
eth1-14 1/2/2 1/4/6
eth1-15 1/2/3 1/4/7
eth1-16 1/2/4 1/4/8
eth1-17 N/A 1/4/9
eth1-18 N/A 1/4/10
eth1-19 N/A 1/4/11
eth1-20 N/A 1/4/12
eth1-21 N/A 1/4/13
eth1-22 N/A 1/4/14
eth1-23 N/A 1/4/15
eth1-24 N/A 1/4/16
eth1-25 N/A 1/2/1
eth1-26 N/A 1/2/2
eth1-27 N/A 1/2/3
eth1-28 N/A 1/2/4
eth1-29 N/A 1/2/5
eth1-30 N/A 1/2/6
eth1-31 N/A 1/2/7
eth1-32 N/A 1/2/8
eth1-33 N/A 1/3/1
eth1-34 N/A 1/3/2
eth1-35 N/A 1/3/3
eth1-36 N/A 1/3/4
eth1-37 N/A 1/3/5
eth1-38 N/A 1/3/6
eth1-39 N/A 1/3/7
eth1-40 N/A 1/3/8
eth1-Mgmt1 1/5/1 N/A
eth1-Mgmt2 1/5/2 N/A
eth1-Mgmt3 1/5/3 1/6/1
eth1-Mgmt4 1/5/4 1/6/2


Confirm that you have connectivity to the SSMs from the SGMs.
1. Ping IP addresses of all the SSM modules.
2. Run:
> asg_chassis_ctrl get_ssm_firmware all

Adding/Removing SSMs After Initial Setup

If you add or remove SSMs after the initial installation, the system can show an incorrect number
of installed SSMs or show some SSMs in the DOWN state. Run the asg_ssm_amount command
to define the correct number of SSMs in the Chassis.
You can change the number of SSMs with one of two procedures:
• Procedure 1 is simple but requires a longer down time, because the whole setup is rebooted at
  the same time.
• Procedure 2 requires minimum down time, because the Chassis are rebooted one at a time.
  However, this procedure requires disconnecting the Sync and Data ports.

Procedure 1
Moving from 1 SSM to 2 SSMs
1. Make sure all SGMs are in the UP state.
2. Using a console connection, in Expert Mode, run this command on the SMO:
   asg_ssm_amount 2
3. Reboot the setup (all SGMs) and wait for all the SGMs to be in the UP state.
   Note - An additional reboot is expected. The utility prompts you for auto-reboot.
4. Insert the new SSM. Use a console connection to monitor the booting process.
   Note - In the case of a setup with more than one Chassis, make sure the new sync slave is
   connected.
5. On the SMO in Expert Mode run:
   asg_port_speed create_conf
6. Verify the setup integrity. Run:
   asg diag verify
   Note - When you change the number of SSMs, the setup requires reboot. This results in
   traffic interruption.

All Other Scenarios

1. Make sure all SGMs besides the local one are physically pulled out.
2. Using a console connection, in Expert Mode, run this command on the SMO:
   asg_ssm_amount 2/4
3. When deleting - Remove the excess SSMs and delete the corresponding interface IPs.
   OR
   When adding - Insert the new SSMs and monitor their booting process with a console
   connection.

4. Reboot the local SGM. The utility prompts you for auto-reboot.
5. After the local SGM is UP (an additional auto-reboot is expected), restart all the other SGMs
   (another additional auto-reboot is expected).
6. When the setup is in the UP state, verify the setup integrity. Run:
   asg diag verify
   Note - When you change the number of SSMs, the setup requires reboot. This results in
   traffic interruption.

Procedure 2
Note - For all SSM amount change scenarios.

Step   Operation                                                   Command / Notes
1      Disconnect the Standby Chassis Sync and Data ports.
2      Physically pull out all the SGMs except the SMO.
3      Physically install or remove the additional SSMs.
4      Using a console cable, connect to the individual SMO.
5      Update the number of desired SSMs.                          # asg_ssm_amount
6      Reboot the individual SMO.                                  # reboot
7      When the SGM is UP, run the following verification          # ccutil active_ssm
       commands to make sure the output matches the desired        Example output:
       number of SSMs. For verification, see Setting the           SSM1 ACTIVE
       Chassis ID (on page 233).                                    SSM2 ACTIVE
                                                                   SSM3 ACTIVE
                                                                   SSM4 ACTIVE
                                                                   # asg stat -v
                                                                   # ifconfig
                                                                   Make sure the system has eth3-xx and eth4-xx ports.
8      Add the rest of the disconnected SGMs.
9      When the Standby Chassis SGMs are UP, disconnect the         This will cause a traffic outage.
       Active Chassis Sync and Data ports.
10     Reconnect the Sync and Data ports in the Standby Chassis.    The Standby Chassis is now the Active Chassis and will allow traffic.
11     In the previously Active Chassis, which is now
       disconnected, do Steps 2 - 8.
12     Reconnect the Sync and Data ports.
13     Monitor the system health and run verification - see Step 7.

Syntax:
asg_ssm_amount <ssm_quantity>
• For 64000, <ssm_quantity> can be 2 or 4
• For 44000, <ssm_quantity> can be 1 or 2
• For 61000 N + N, <ssm_quantity> can be 2 or 4
• For 61000, <ssm_quantity> can be 2 or 4
• For 41000 Security System, <ssm_quantity> can be 1 or 2
Run asg_ssm_amount in Expert Mode. You must run this command if you add or remove SSMs in
your Chassis.
Note - Make sure that only one SGM is turned on when you run this command.

Examples:
[expert@gw:0] # asg_ssm_amount 1
[expert@gw:0] # asg_ssm_amount 2
[expert@gw:0] # asg_ssm_amount 4


Security Gateway Modules

The Security Gateway Modules (SGMs) in the Chassis work together as a single, high performance
Security Gateway or VSX Gateway. Adding SGMs scales the performance of the system.
An SGM can be added and removed without losing connections. If an SGM is removed or fails,
traffic is distributed to the other active SGMs.
These SGM versions are available:
• SGM400
• SGM260 - Supports configuration with 4 SSMs
• SGM220
For SGMs supported by appliance type, see sk93332
http://supportcontent.checkpoint.com/solutions?id=sk93332.

Identifying SGMs in the Chassis (asg_detection)

Description
Use this command to flash the LEDs of an SGM. This lets you identify a specified SGM.

Syntax
# asg_detection [ -b <SGM_IDs> ] [ -t <time> | off ]

Parameters

Parameter      Description
-b <SGM_IDs>   Works with SGMs and/or Chassis as specified by <SGM_IDs>.
               <SGM_IDs> can be:
               • No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
               • One SGM (for example, 1_1)
               • A comma-separated list of SGMs (for example, 1_1,1_4)
               • A range of SGMs (for example, 1_1-1_4)
               • One Chassis (chassis1, or chassis2)
               • The active Chassis (chassis_active)
               Default is local SGM.
-t <time>      Time in seconds the LEDs flash. Default is 60 seconds.
-t off         Stops LED flashes if they continue after the time in -t <time>

For more information, see the R76SP.50 Getting Started Guide
http://downloads.checkpoint.com/dc/download.htm?ID=54148.


Software Blades Update Verification (asg_swb_update_verifier)

Description
Use the asg_swb_update_verifier command in gClish or Expert mode to make sure that the
signatures are up to date for these products:
• Anti-Virus
• Anti-Bot
• Application Control
• URL Filtering

Syntax
asg_swb_update_verifier [-v] [-b <SGM_IDs> [-m <product>] [-n [-p <ip>:<port>]]] [-u <product>]

Parameters

Parameter        Description
-v               Shows verbose output.
-b <SGM_IDs>     Works with SGMs and/or Chassis as specified by <SGM_IDs>.
                 <SGM_IDs> can be:
                 • No <SGM_IDs> specified, or all - Applies to all SGMs and Chassis
                 • One SGM (for example, 1_1)
                 • A comma-separated list of SGMs (for example, 1_1,1_4)
                 • A range of SGMs (for example, 1_1-1_4)
                 • One Chassis (chassis1, or chassis2)
                 • The active Chassis (chassis_active)
-m <product>     Forces a manual update for SGMs specified with -b.
                 Valid values:
                 • all - All products on the SGM
                 • Anti-Bot
                 • Anti-Virus
                 • APPI
                 • URLF
-n               Forces an update download from the Internet. Use with -m.
-p <ip>:<port>   Forces an update download from the Internet and uses a specific HTTP proxy.
                 Use with -m.
                 • <ip> - IP of the HTTP proxy
                 • <port> - TCP port to use on the HTTP proxy
-u <product>     Forces a database update for a specific product.
                 Valid values:
                 • all - All products on the SGM
                 • Anti-Bot
                 • Anti-Virus
                 • APPI
                 • URLF

Example
[Expert@MyChassis-ch01-01:0]# gclish
[Global] MyChassis-ch01-01 > asg_swb_update_verifier
+------------------------------------------------------------------------------+
| product | sgm | status | DB version | next update check |
+------------------------------------------------------------------------------+
| APPI | 2_01 | failed | 14061202 | Thu Jun 12 10:32:55 2014 |
| APPI | 2_02 | failed | 14061202 | Thu Jun 12 10:32:41 2014 |
| Anti-Bot | 2_01 | up-to-date | 1405220911 | Thu Jun 12 09:28:34 2014 |
| Anti-Bot | 2_02 | up-to-date | 1405220911 | Thu Jun 12 09:28:45 2014 |
| Anti-Virus | 2_01 | up-to-date | 1406121233 | Thu Jun 12 09:28:12 2014 |
| Anti-Virus | 2_02 | new | 1406121234 | Thu Jun 12 09:28:10 2014 |
| URLF | 2_01 | not-installed | N/A | N/A |
| URLF | 2_02 | not-installed | N/A | N/A |
+------------------------------------------------------------------------------+

Report:
------------------------------ APPI --------------------------------------------
DB versions verification [ OK ]
statuses verification [ FAILED ]

------------------------------ URLF --------------------------------------------
DB versions verification [ OK ]
statuses verification [ OK ]

------------------------------ Anti-Bot ----------------------------------------
DB versions verification [ OK ]
statuses verification [ OK ]

------------------------------ Anti-Virus --------------------------------------
DB versions verification [ OK ]
statuses verification [ OK ]
[Global] MyChassis-ch01-01 >

Output description

Field                      Description
product                    Name of the product.
sgm                        SGM ID.
status                     Update status.
DB version                 Product database version.
next update check          Date and time for the next automatic update.
DB versions verification   • OK - The database version is correct.
                           • FAILED - The database version is incorrect.
statuses verification      • OK - The update installed correctly or no update is needed.
                           • FAILED - The update did not install correctly.
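Signature freshness on a multi-SGM gateway is something a defender wants to watch continuously, not only when logging in. The script below is an added example and is not part of the guide or of the asg_swb_update_verifier tool: it parses the table that the command prints and lists every product/SGM pair whose status needs attention, so the check can be scheduled from the SMO and fed into monitoring. The table used here is constructed from the example output above. Which statuses count as healthy is an assumption of this example: "up-to-date" and "new" mean the database is current, and "not-installed" is treated as informational because the guide's own report marks URLF as OK in that state.

```shell
#!/bin/sh
# Added example (not from the Check Point guide): parse the table printed by
# asg_swb_update_verifier and report product/SGM pairs that are not healthy.
# The healthy status set (up-to-date, new, not-installed) is an assumption
# made for this example, based on the guide's sample report.

# Print "<product> <sgm> <status>" for every data row of the table.
swb_rows() {
    # $1: full command output (table plus report)
    printf '%s\n' "$1" | awk -F'|' '
        # Data rows start with "|"; the +---+ border lines and the report
        # section do not. Trim the cell padding and drop the header row.
        /^\|/ {
            gsub(/^ +| +$/, "", $2); gsub(/^ +| +$/, "", $3); gsub(/^ +| +$/, "", $4)
            if ($2 != "product") print $2, $3, $4
        }'
}

# Print the rows whose status is not in the healthy set; returns 1 when there
# are any, 0 when every row is healthy.
swb_needs_attention() {
    bad=$(swb_rows "$1" | awk '
        $3 != "up-to-date" && $3 != "new" && $3 != "not-installed"')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample in the format shown in the guide.
SAMPLE_SWB='+------------------------------------------------------------------------------+
| product    | sgm  | status        | DB version | next update check        |
+------------------------------------------------------------------------------+
| APPI       | 2_01 | failed        | 14061202   | Thu Jun 12 10:32:55 2014 |
| APPI       | 2_02 | failed        | 14061202   | Thu Jun 12 10:32:41 2014 |
| Anti-Bot   | 2_01 | up-to-date    | 1405220911 | Thu Jun 12 09:28:34 2014 |
| Anti-Virus | 2_02 | new           | 1406121234 | Thu Jun 12 09:28:10 2014 |
| URLF       | 2_01 | not-installed | N/A        | N/A                      |
+------------------------------------------------------------------------------+

Report:
------------------------------ APPI --------------------------------------------
DB versions verification [ OK ]
statuses verification [ FAILED ]'

swb_needs_attention "$SAMPLE_SWB" || echo "signature update problems found"
```

On a live system replace the constructed table with the real output, for example swb_needs_attention "$(asg_swb_update_verifier)" from Expert mode, and forward the non-zero exit and the listed rows to whatever raises alerts for the gateway; the -m and -u options above are then the remediation for the SGMs the check names.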

CHAPTER 15

Replacing Hardware Components


In This Section:
Replacing the CMM.....................................................................................................390
Adding or Replacing an SGM ......................................................................................393

Replacing the CMM

Install the replacement CMM that you received in the Return Merchandise Authorization (RMA).
These steps are for CMM installation on a Standby Chassis in a Dual-Chassis environment.

Before you begin:

1. Make sure you have a supported Chassis type.
The supported Chassis types for the 61000 Security System are:
• DC Chassis
• AC Telkoor: The AC Chassis has two rows of three Telkoor power supplies in each row.
• AC Lambda: The AC Chassis has one row of five Lambda power supplies
The supported Chassis types for the 61000 N + N Security Systems are:
• DC Chassis
• AC Lambda: The AC Chassis has one row of four Lambda power supplies
The supported Chassis types for the 41000 Security System are:
• AC Telkoor: Three Telkoor power supplies
• DC Chassis
2. Get the label from the CMM box.


To replace the CMM:

1. Install the replacement CMM to the Standby Chassis.
2. Make sure that all CMMs in the environment have the same firmware version:
> asg_version -i
+-------------------------------------------------------------------+
| Hardware Versions |
+-------------------------------------------------------------------+
| Component | Type | Configuration | Firmware |
+-------------------------------------------------------------------+
| Chassis 1 |
+-------------------------------------------------------------------+
| SSM1 | SSM160 | N/A | 5.5.x |
| SSM2 | SSM160 | N/A | 5.5.x |
| CMM(active) | N/A | N/A | 2.83 |
| CMM(standby) | N/A | N/A | 2.83 |
+-------------------------------------------------------------------+
+-------------------------------------------------------------------+
| Hardware Versions |
+-------------------------------------------------------------------+
| Component | Type | Configuration | Firmware |
+-------------------------------------------------------------------+
| Chassis 2 |
+-------------------------------------------------------------------+
| SSM1 | SSM160 | N/A | 5.5.x |
| SSM2 | SSM160 | N/A | 5.5.x |
| CMM(active) | N/A | N/A | 2.83 |
| CMM(standby) | N/A | N/A | 2.83 |
+-------------------------------------------------------------------+
>

The output must be the same as the box label.
• If the firmware versions are not the same, upgrade the CMM Firmware.
• If the Chassis IDs are not the same, change the RMA CMM Chassis ID (on page 233).
• If the Chassis Types are not the same, run the next procedure.

To fix an incorrect Chassis Type:

1. Put the Chassis in Standby state:
> set chassis id <Chassis_id> admin-state down
2. Remove all CMMs from the Chassis.
3. Insert the replacement CMM in the Chassis.
4. Open a console connection to the CMM:
a) Connect one end of a serial cable to the serial port on the CMM front panel.
b) Connect the other end of the serial cable to a computer.
c) Open a console window. Use the default serial connection parameters: 9600, 8, N, 1
5. Start the installation:
# install.sh
6. For the 61000 N + N, select the applicable Chassis type.
The menu can be different based on the CMM firmware. This menu shows for firmware 2.74.
-----------------------------------------------------------------
| Select one of following options. |
| 1: Press 1 for 13U chassis (Telkoor PSU). |
| 2: Press 2 for 14U chassis (Telkoor PSU). |
| 3: Press 3 for 14U chassis (Lambda PSU). |
| Q: Press Q for to skip. |
-----------------------------------------------------------------

• If the Chassis type is AC Telkoor PSU or a DC Chassis, enter: 2
• If the Chassis type is AC Lambda, enter: 3
7. Insert the second CMM.

8. For the 41000 Security System: When the option to upgrade EEprom shows, select option 1
------------------------------------------------------
| EEprom upgrading |
| 1: Press 1 for EEProm upgrading. |
| 2. Press 2 to skip. |
------------------------------------------------------

Note - In the Scalable Platform, there is no need to update EEprom.
9. Return the 61000 Chassis to Standby state:
> set chassis id <chassis_id> admin-state up

Validating the Chassis ID

Make sure that the Chassis ID on the label on the outside of the CMM packaging box is the same
as the label on the Chassis. If the Standby Chassis ID is different from the RMA CMM Chassis ID,
change the RMA CMM Chassis ID. See Setting the Chassis ID.


Adding or Replacing an SGM

You can perform an operating system upgrade on a new or replacement SGM.
There are two methods to update operating system versions:
• Create a snapshot image from one of the Standby SGMs and revert the new SGM to this
snapshot.
• Install from the distribution media. Please contact Check Point Support
https://www.checkpoint.com/support-services/contact-support/ for more information.

Using Snapshot to Add a New or Replacement SGM

Use snapshot as a backup. Confirm that the latest hotfixes are installed on a new or replacement
SGM (or if an SGM is sent for service as an RMA).

To create and export a snapshot of the existing configuration:

1. Connect to the command line on the 60000/40000 Security Platform, over an SSH or console
   connection.
2. Log in to Expert Mode:
   expert
3. Switch to the SGM on the Standby Chassis:
   [Expert@HostName]# blade <Standby_Chassis_ID>_<Blade_ID>
   Example: [Expert@HostName]# blade 2_3
4. Set the global mode to off:
   gHostName> set global-mode off
   Note - This makes sure that the new snapshot image is created on this SGM only.
5. Create a new snapshot image:
   HostName> add snapshot <Snapshot_Name> desc <Snapshot_Description>
6. Monitor the snapshot image creation progress:
   HostName> show snapshots
   Note - Run this command repeatedly. The process can take 15 - 20 minutes.
7. Insert a USB removable disk in the USB port of the SGM, and mount it to the /mnt/usb
   directory:
   a) Find the device name for the USB removable disk in the messages log file or with the
      fdisk -l command. Example - /dev/sdb1
      [Expert@HostName]# tail /var/log/messages
      OR
      [Expert@HostName]# fdisk -l
   b) Create the /mnt/usb directory:
      [Expert@HostName]# mkdir /mnt/usb
   c) Mount the USB removable disk to your /mnt/usb directory:
      [Expert@HostName]# mount /dev/sdb1 /mnt/usb
   Note - In the R75.05x 61000 Security System Command Line Reference Guide
   http://downloads.checkpoint.com/dc/download.htm?ID=18161, see Software Upgrade and
   Hardware Replacement: RMA/Add New SGM Procedure - Mounting USB.
8. When the image creation is complete, export the snapshot image file to a TAR file on the
   local SGM:
   HostName> set snapshot export <Snapshot_Image_File_Name_Without_the_.TAR> path /home/admin
   Note - This file will be copied to the USB later.
9. Monitor the snapshot image file creation progress:
   HostName> show snapshots
   Note - Run this command repeatedly. The process can take 15 - 20 minutes.
10. Copy the snapshot file to the USB removable disk:
   [Expert@HostName]# cp /home/admin/filename.tar /mnt/usb/
11. Check the snapshot image TAR file on the USB removable disk:
   [Expert@HostName]# ls -l /mnt/usb/
12. Unmount the USB removable disk from the /mnt/usb directory:
   [Expert@HostName]# umount /mnt/usb
13. Remove the USB removable disk from the SGM.
14. Insert the replacement SGM into a slot that is not part of the Security Group:
   asg security_group
   Note - If all the slots are being used, reconfigure the Security Group and remove one of the
   SGM modules from it:
   HostName> asg security_group
15. Connect to the SGM and set the global mode to off:
   gHostName> set global-mode off
   Note - This makes sure that the new snapshot image is created on this SGM only.
16. Connect to the replacement SGM over a console connection.
17. Connect a USB removable disk to the USB port of the replacement SGM and mount it to the
   /mnt/usb/ directory:
   a) Find the device name for the USB removable disk in the messages log file or with the
      fdisk -l command. Example - /dev/sdb1
      [Expert@HostName]# tail /var/log/messages
      OR
      [Expert@HostName]# fdisk -l
   b) Create the /mnt/usb directory:
      [Expert@HostName]# mkdir /mnt/usb
   c) Mount the USB to your /mnt/usb directory:
      [Expert@HostName]# mount /dev/sdb1 /mnt/usb
   Note - In the R75.05x 61000 Security System Command Line Reference Guide
   http://downloads.checkpoint.com/dc/download.htm?ID=18161, see Software Upgrade and
   Hardware Replacement: RMA/Add New SGM Procedure - Mounting USB.
18. Copy the snapshot file from the USB removable disk to the SGM:
   cp /mnt/usb/filename.tar /home/admin/
19. Import the snapshot image file:
   HostName> set snapshot import <Snapshot_Image_File_Name_Without_the_.TAR> path /home/admin/
20. Monitor the snapshot image file import progress:
   HostName> show snapshots
   Note - Run this command repeatedly. The process can take 15 - 20 minutes.
21. Unmount the USB removable disk from the /mnt/usb directory:
   [Expert@HostName]# umount /mnt/usb
22. Remove the USB removable disk from the SGM.
23. Revert the snapshot image:
   HostName> set snapshot revert <Snapshot_Name>
   Note - Revert can take 15 - 20 minutes and can include more than one reboot. Proceed to the
   next step after it is complete.
24. Connect to the command line on the 60000/40000 Security Platform, over an SSH or console
   connection.
25. Log in to Expert mode:
   expert
26. Update the Security Group to include the replacement SGM:
   [Expert@HostName]# asg security_group
27. Confirm that the replacement SGM is up and enforcing the latest policy:
   [Expert@HostName]# asg monitor
28. Confirm that all the SGM modules have the same OS version:
   [Expert@HostName]# asg_version
Best practice - In a Dual-Chassis configuration, create a snapshot on the Standby Chassis.

Example:
> set global-mode off
> add snapshot rma_62 desc rma
Taking snapshot. You can continue working normally.
You can use the command 'show snapshots' to monitor creation progress.
> show sna
snapshot - show snapshot data
snapshots - list of local snapshots
> show snapshots
Restore points:
---------------
armdilo62_2
Restore point now under creation:
rma_62 (19%)

Creation of an additional restore point will need 2.624G
Amount of space available for restore points is il.41G
test-ch02-03> show snapshots
Restore points:
---------------
rma_62
armdilo62_2

Creation of an additional restore point will need 2.624G
Amount of space available for restore points is 41.53G
test-ch02-03> set snapshot export rma_62 path /mnt/usb/
Exporting snapshot. You can continue working normally.
You can use the command 'show snapshots' to monitor exporting progress.

# blade 2_3
Moving to blade 2_3


This system is for authorized use only.


Last login: Wed Jun 20 08:43:28 2012 from test-ch02-03
CLINFR0771 This gclish instance cannot run "set" operations. To allow running "set" operations, run "set config-lock on override"
> shell
# cd /mnt/usb
# ls
rma_62.tar

> exit
Connection to 192.0.2.17 closed.
# umount /mnt/usb

To import the snapshot to the new or replacement SGM:

1. Select the Standby Chassis. Insert the new or replacement SGM in a slot that is not part of the Security Group.
   If all the slots are used, reconfigure the Security Group and remove one of the SGMs.
2. Run:
   > delete smo security-group {$SGM_ID}
3. Insert the removable disk into the RMA SGM and mount it to the /mnt/usb directory (see Mounting and Dismounting a USB Disk on page 398).
4. Use a console to connect to the SGM. Import the snapshot file. Run:
   > set snapshot import <filename_without_.tar> path /mnt/usb/
5. To monitor the process, run:
   > show snapshots
6. When the import is complete, unmount and remove the disk:
   # umount /mnt/usb
7. Revert the RMA SGM to the snapshot image. Run:
   > set snapshot revert <snapshotname>
   The revert procedure can take a long time. When it is complete, the system reboots.
8. Update the Security Group to include the new or replacement SGM. Run:
   > add smo security_group {$NEW_SGM_ID}
Notes:
• Use the asg monitor command to confirm that the new or replacement SGM is UP and enforces the latest policy.
• Use the asg_version command to confirm that all SGMs have the same operating system version.

Installing a New SGM Using a CD/DVD


To install an SGM:
1. Install the new SGM into an unoccupied slot in the Standby Chassis.
2. If necessary, reconfigure the Security Group to include the new SGM.
3. Connect to the new SGM with a console connection.
4. Remove the SGM boot sector:
# eraseboot
5. Insert the CD.
6. Reboot the SGM.


Mounting and Dismounting a USB Disk


Follow these steps in Expert mode.

To mount a USB disk:


1. Insert the USB storage device into the USB port.
2. Find the USB device name in the message log file:
# shell run tail /var/log/messages
Example:
SCSI device sdb: 7827392 512-byte hdwr sectors (4008 MB)
sdb: Write Protect is off
sdb: assuming drive cache: write through
SCSI device sdb: 7827392 512-byte hdwr sectors (4008 MB)
sdb: Write Protect is off
sdb: assuming drive cache: write through
sdb: sdb1
sd 9:0:0:0: Attached scsi removable disk sdb
sd 9:0:0:0: Attached scsi generic sg1
3. If necessary, create the /mnt/usb directory.
4. Mount the USB device to your directory:
# mount /dev/sdb1 /mnt/usb

To unmount the USB disk:


1. Unmount the USB device:
# umount /mnt/usb
2. Remove the USB device.
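The USB mount and snapshot-import steps above (table steps 17 to 19, the "To import the snapshot" procedure and this mount procedure) scripted as an added example. This is not code from the Check Point guide. It assumes the kernel log lines look like the guide's /var/log/messages example, mounts the disk read-only with nosuid/nodev/noexec (a hardening choice for the import direction only; drop "ro" when exporting), and adds a digest check the guide does not describe: it assumes whoever exported the snapshot recorded its SHA-256 alongside the archive. The sample log text is constructed.

```sh
#!/bin/sh
# Added example, not from the Check Point guide: shell helpers for the USB
# mount and snapshot-import steps. Assumes the kernel log format shown in the
# guide and that the snapshot's SHA-256 was recorded at export time (the
# digest check is an assumption; the guide does not describe one).

# Constructed sample of the lines a USB disk adds to /var/log/messages,
# modelled on the guide's example output.
SAMPLE_MESSAGES='Jun 20 08:43:10 sgm kernel: SCSI device sdb: 7827392 512-byte hdwr sectors (4008 MB)
Jun 20 08:43:10 sgm kernel: sdb: Write Protect is off
Jun 20 08:43:10 sgm kernel:  sdb: sdb1
Jun 20 08:43:10 sgm kernel: sd 9:0:0:0: Attached scsi removable disk sdb
Jun 20 08:43:10 sgm kernel: sd 9:0:0:0: Attached scsi generic sg1'

# usb_partition LOGTEXT: print /dev/<partition> of the most recently attached
# removable disk, falling back to the whole disk if no partition was logged.
usb_partition() {
    disk=$(printf '%s\n' "$1" | sed -n 's/.*Attached scsi removable disk \([a-z]*\).*/\1/p' | tail -n 1)
    [ -n "$disk" ] || return 1
    part=$(printf '%s\n' "$1" | sed -n "s/.* ${disk}: \(${disk}[0-9][0-9]*\).*/\1/p" | tail -n 1)
    [ -n "$part" ] || part=$disk
    printf '/dev/%s\n' "$part"
}

# mount_usb [MOUNTPOINT]: find the stick in the live log and mount it
# read-only with nosuid/nodev/noexec, which is all an import needs.
# Needs Expert mode (root); not exercised by the dry run below.
mount_usb() {
    mnt=${1:-/mnt/usb}
    dev=$(usb_partition "$(tail -n 200 /var/log/messages)") || {
        echo "no removable disk found in /var/log/messages" >&2; return 1; }
    [ -d "$mnt" ] || mkdir -p "$mnt"
    mount -o ro,nosuid,nodev,noexec "$dev" "$mnt"
}

# snapshot_name PATH: the name "set snapshot import" expects, i.e. the
# file name without its directory and without the .tar suffix.
snapshot_name() {
    base=$(basename "$1")
    case "$base" in
        *.tar) printf '%s\n' "${base%.tar}" ;;
        *)     echo "not a .tar snapshot archive: $base" >&2; return 1 ;;
    esac
}

# verify_snapshot PATH EXPECTED_SHA256: refuse to import an archive whose
# digest differs from the one recorded when it was exported.
verify_snapshot() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | awk '{print $1}')
    else
        actual=$(shasum -a 256 "$1" | awk '{print $1}')
    fi
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# import_command PATH: the gclish command line for the archive at PATH,
# in the form the guide uses: set snapshot import <name> path <dir>/
import_command() {
    name=$(snapshot_name "$1") || return 1
    printf 'set snapshot import %s path %s/\n' "$name" "$(dirname "$1")"
}

# Dry run against the constructed sample (no root and no USB disk needed).
echo "USB partition: $(usb_partition "$SAMPLE_MESSAGES")"
echo "gclish: $(import_command /mnt/usb/rma_62.tar)"
```

Run mount_usb from Expert mode after inserting the disk, then verify_snapshot on the archive before typing the import command that import_command prints into gclish; a digest mismatch means the archive was altered or truncated in transit and should not be reverted onto the replacement SGM.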

