One more thing missing in GAiA is a DVD/CD mount point. If you try to run mount /mnt/cdrom on GAiA, you get an error, for two reasons:
1. There is no mount point.
2. fstab has no corresponding entry.
Let's make it work again.
1. Open fstab for editing with "vi /etc/fstab" and add the following line:
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
2. Create the /mnt/cdrom folder to use as the mount point: mkdir /mnt/cdrom
Now you are ready to mount your DVD or CD on the machine.
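The two steps above as a small script that can be re-run safely (an added example, not from the original post): it appends the fstab entry only if no entry for that mount point exists yet, keeps a backup of fstab, and creates the directory. The paths are parameters, so the functions can be tried on a copy of fstab first.

```shell
# Added example, not from the original post: add the CD/DVD mount point from
# the steps above so that running it twice never duplicates the fstab entry.
# Both paths are parameters so the functions can be tried on a copy of fstab.

# Succeeds (exit 0) when the fstab file $1 already has a non-comment entry
# whose mount point is $2.
has_mount_entry() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { found = 1 } END { exit !found }' "$1"
}

# Append the entry from the post for mount point $2 to the fstab file $1,
# unless it is already there, and create the mount point directory.
# The entry keeps the medium read-only (ro) and off the boot path (noauto).
setup_cdrom() {
    fstab="$1"
    mp="$2"
    if has_mount_entry "$fstab" "$mp"; then
        echo "fstab entry for $mp already present in $fstab"
    else
        cp "$fstab" "$fstab.bak" || return 1      # keep a backup before editing
        printf '/dev/cdrom %s udf,iso9660 noauto,owner,kudzu,ro 0 0\n' "$mp" >> "$fstab" || return 1
        echo "fstab entry for $mp appended to $fstab (backup in $fstab.bak)"
    fi
    mkdir -p "$mp" || return 1                    # the missing mount point itself
    has_mount_entry "$fstab" "$mp" && [ -d "$mp" ]
}

# Usage on the real system: sh this_script.sh /etc/fstab /mnt/cdrom
if [ "$#" -eq 2 ]; then
    setup_cdrom "$1" "$2"
fi
```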
This is the professional blog of a Check Point Certified Master Architect (CCMA). It does not represent the position of my current employer.
Wednesday, August 22, 2012
Sunday, August 19, 2012
GAiA tricks - enabling sftp
GAiA is supposed to be a superior and generally better OS than SPLAT. In some aspects it is. But for someone used to working with SPLAT it may also be a hassle. A lot of things are done differently there. I am starting a series of posts on GAiA tricks.
Today let's make SFTP work.
If you have ever tried SFTP on GAiA, you know it does not work, for a very simple reason: it is disabled. To enable it, you have to do the following:
- Create a new user for SFTP access with bash as the default shell. Alternatively, change the admin user's shell to bash. If you do not know how to do that, check the chsh command. Keep in mind that a bash login shell is a full Unix shell rather than the restricted CLISH, so treat such an account accordingly.
- Enter Expert mode and open the sshd_config file for editing: vi /etc/ssh/sshd_config
- Uncomment the following line:
#Subsystem sftp /usr/libexec/openssh/sftp-server
and save the file.
- Run /etc/init.d/sshd restart
Now enjoy SFTP working again.
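The sshd_config edit from the steps above as a script that can be re-run without damage (an added example, not from the original post): it uncomments the Subsystem line only once and then checks that exactly one active definition remains, since sshd will not start with the sftp subsystem defined twice. The file path is a parameter, so it can be tried on a copy of sshd_config first.

```shell
# Added example, not from the original post: uncomment the Subsystem line
# from the steps above in an sshd_config file, only once, then verify it,
# because sshd refuses a config that defines the sftp subsystem twice.
# The file path is a parameter so it can be tried on a copy first.
SFTP_LINE='Subsystem sftp /usr/libexec/openssh/sftp-server'

# Succeeds (exit 0) when $1 has an active (uncommented) sftp Subsystem line.
sftp_enabled() {
    grep -Eq '^[[:space:]]*Subsystem[[:space:]]+sftp([[:space:]]|$)' "$1"
}

# Enable the sftp subsystem in $1: uncomment the first commented line if one
# exists, otherwise append the line from the post. Leaves a .bak copy.
enable_sftp() {
    cfg="$1"
    if sftp_enabled "$cfg"; then
        echo "sftp subsystem already enabled in $cfg"
        return 0
    fi
    cp "$cfg" "$cfg.bak" || return 1
    if grep -Eq '^[[:space:]]*#[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$cfg"; then
        # strip the leading '#' from the first matching line only
        awk 'fixed == 0 && /^[[:space:]]*#[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]/ {
                 sub(/^[[:space:]]*#[[:space:]]*/, ""); fixed = 1
             }
             { print }' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg" || return 1
    else
        printf '%s\n' "$SFTP_LINE" >> "$cfg" || return 1
    fi
    # exactly one active definition must remain
    [ "$(grep -Ec '^[[:space:]]*Subsystem[[:space:]]+sftp([[:space:]]|$)' "$cfg")" -eq 1 ]
}

# Usage on the real system, followed by /etc/init.d/sshd restart:
#   sh this_script.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    enable_sftp "$1"
fi
```

Running sshd -t before the restart validates the edited file, so a typo cannot leave you locked out of SSH.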
Update: As Dameon D. Welch-Abernathy tells me on FB, there is an SK for that: SK82281
Update 2: After some rather intensive discussion in one of the LinkedIn groups, I have to make a clarification. SCP works on GAiA the same way it did on SPLAT. If you are using the WinSCP client, it tries SFTP but falls back to SCP if there is a problem. That means that to transfer files with the WinSCP client, you only need to perform step 1 from above. With WinSCP it is not so different from SPLAT.
But if you are not using Windows and/or want to run SFTP explicitly rather than SCP, you still have to perform the whole procedure.
Friday, August 17, 2012
Check Point User Group conference 2012 - come along!
The annual CPUG conference will start on the 17th of September. It is not yet too late to register, so hurry up and come along!
If you come, check out our intensive classes. I will be happy to see you at my Check Point Best Practices course.
See you there.
Friday, August 10, 2012
MDM R75.40 GAiA based - some gotchas
I have installed a new MDM server (a.k.a. Provider-1 MDS) today, and it is an R75.40 GAiA-based thing.
It was quite an interesting experience, considering this is the first GAiA version of MDM. There are some minor things you may want to know.
1. Idle timeout can only be set from the WebUI. But even there, it does not seem to work. It did not work for me, although I might be doing something wrong.
2. mds commands are ONLY available from the expert shell and not from CLISH. That is a shame, considering the timeout is not exactly OK.
3. That said, the initial configuration and MDS roles are both done from the WebUI now.
4. The Expert password can only be saved if you set it in CLISH and then log off. If you just reboot, as I did, it is lost, and you have to define it again. Such an ugly bug.
5. SmartLog complains about not having enough space to start. It might be just my lab server, but I have the impression it reads the free space on /opt wrongly.
Feel free to share your own experience.
Update: MDS commands are actually working from CLISH after a reboot. What a relief...
Monday, July 16, 2012
Check Point announces R75.40VS - new VSX
You may already know that the long-awaited VSX with Software Blades support is finally out.
It is now called Check Point Virtual Systems. It is based on GAiA R75.40 and supports almost all Software Blades, except for the Mobile Access Portal.
There are many other interesting features, such as physical-to-virtual conversion wizard and SNMP monitoring per VS.
Mind that while it is GAiA based, clustering is ClusterXL only.
UPDATE: apparently it is not exactly OUT yet; nothing is available for download...
Tuesday, July 10, 2012
How to reset SIC for a Virtual System
On very rare occasions you may have SIC issues with a VSX-based security system. In most cases it surfaces as a communication failure for one or several Virtual Systems.
It would be quite easy to fix failing SIC in the case of a physical FW: you just need to reset it on both the MGMT and GW side and re-initialize it from SmartDashboard.
In the case of a VS it is not that easy. You should follow the procedure explained in SK34098. But before I give you a short overview of the procedure, there are three important points to mention:
1. Do not try to reset SIC with the physical members of your VSX cluster. It will lead to even bigger problems, and will not help to restore SIC on a particular VS.
2. Follow the procedure below only if you are absolutely sure there are no communication problems, and the local time settings on both GW and MGMT are fine. Remember, this procedure is the last resort, and if you do not follow it carefully, you may cause even more damage.
3. If anything mentioned below does not seem familiar to you, or if you have any doubt, call your support contact and ask them for help.
That said, let's fix the issue.
Step 1: Identify ID number of the failing VS.
Step 2: Reset SIC for this VS on GW side. To do that, run the following command:
fw vsx sic reset {VS_ID}
Step 3: SIC reset on MGMT side. Go to the target CMA (one managing the problematic VS) by typing the following command on MDS console:
mdsenv {CMA_NAME}
Identify SIC name for the VS. To do that, run
cpca_dbutil print InternalCA | grep {Virtual_System_Name}
Note: the SK mentioned above describes an alternative way involving ICA Management tool Web-UI. You can do that, it does not matter. I believe my way is faster.
Once you get the full SIC name, run the following command:
cpca_client revoke_cert -n CN={VS_SIC_Name}
Step 4: Recreating SIC. Open SmartDashboard on the target CMA and double-click the problematic VS. Press the OK button. At this step SIC should be re-created successfully.
You may want to install policy on this VS once all is done.
Wednesday, July 4, 2012
CPUG Europe materials are available online
All materials are now available online and can be found over here.
I hope to see you this year in Switzerland.
Sincerely yours,
Valeri Loukine
