Check Point R76 VSX Restore Procedure
Restoring a Check Point VSX Cluster requires a different procedure from restoring a GW Cluster. It is easy to do, but there are a few small points to watch out for.
The steps below show how a VSX restore should be performed on an R76 MDS.
For the restore to work, the hostname, the interface names, and the management interface and its IP address must be the same. There are two ways to achieve this: either the interface details of the newly installed VSX server are made identical to the old ones, or the existing interface details are changed to match the new ones.
To change the interface names on the newly installed VSX server, edit the interface names in /etc/udev/rules.d/00-OS-XX.rules and reboot.
vi /etc/udev/rules.d/00-OS-XX.rules
# PCI device 0x14e4:0x1680 (tg3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="b8:ac:6f:65:31:e5", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x14e4:0x1680 (tg3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="b8:ac:6f:65:31:e5", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="wan0"
To see the interface details currently held on the Security Management server, run vsx_util show_interfaces in the CLI and enter the management IP address, username and password.
[Expert@CPMGMT:0]# vsx_util show_interfaces
Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'): 192.168.4.20
Enter Administrator Name: admin
Enter Administrator Password: **********
Enter VSX Gateway/cluster object name: MDCLSTR
Which interface would you like to display?
1) All Interfaces
2) All Physical Interfaces
3) All Warp Interfaces
4) A Specific Interface
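Enter your choice:2 (select All Physical Interfaces)
+-------------------+---------------------+----+----------------------------------------------+
|Type & Interface   | Virtual Device Name |VSID| IP / Mask length                             |
+-------------------+---------------------+----+----------------------------------------------+
|A Mgmt             |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|S Sync             |MDCLSTR              |0   |v4 10.134.134.0/30                            |
+-------------------+---------------------+----+----------------------------------------------+
|A eth1-01          |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|A eth1-02          |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|A eth1-03          |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|A eth1-04          |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|A eth1-05          |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|A eth1-06          |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|A eth1-07          |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|M eth1-08          |MDCLSTR              |0   |v4 192.168.3.4.13/24                          |
+-------------------+---------------------+----+----------------------------------------------+
|A eth2-01          |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|A eth2-02          |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|A eth2-03          |                     |    |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|V eth2-04.3004     |TEST5_VSX            |7   |v4 172.16.44.62/27                            |
+-------------------+---------------------+----+----------------------------------------------+
|V eth2-04.3005     |TEST2_VSX            |4   |v4 192.168.50.1/27                            |
+-------------------+---------------------+----+----------------------------------------------+
|V eth3-01.3502     |TEST3_VSX            |5   |v4 172.16.67.4/29                             |
+-------------------+---------------------+----+----------------------------------------------+
|V eth3-01.3501     |vsx_internet         |6   |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|V eth3-01.3500     |vsw_internet         |1   |                                              |
+-------------------+---------------------+----+----------------------------------------------+
|V eth3-02.3006     |TEST3_VSX            |5   |v4 10.1.253.132/29                            |
+-------------------+---------------------+----+----------------------------------------------+
|V eth3-02.67       |TEST4_VSX            |2   |v4 10.10.34.223/24                            |
+-------------------+---------------------+----+----------------------------------------------+
|V eth3-02.3001     |TEST1_VSX            |3   |v4 10.130.130.4/24                            |
+-------------------+---------------------+----+----------------------------------------------+
|V eth3-02.3003     |TEST2_VSX            |4   |v4 10.1.138.33/28                             |
+-------------------+---------------------+----+----------------------------------------------+
#Type: M - Management Interface  S - Synchronization Interface
#      V - VLAN Interface        W - Warp Interface
#      U - Used Interface        A - Available Interface
#      X - Unknown Interface     E - Error in Interface Properties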
To change them, run vsx_util change_interfaces, which replaces the existing interfaces.
[Expert@CPMGMT:0]# vsx_util change_interfaces
******************************************************************************************
* Note: the operation you are about to perform changes the information in the management *
* database. Back up the database before continuing. *
******************************************************************************************
Enter Security Management Server/main Domain Management Server IP address (Hit 'ENTER' for 'localhost'): 192.168.4.20
Enter Administrator Name: ahmetselvi
Enter Administrator Password:
***************************************************************************************************************
* It is highly recommended that all relevant Domain Management Servers are unlocked during the entire operation *
*****************************************************************************************************************
Enter VSX Gateway/Cluster object name: MDCLSTR
Change Interfaces can operate in two modes:
1. Apply changes to the management database and to the VSX Gateway/Cluster members immediately
2. Apply changes to the management database only
* Choosing option 2 will require running 'vsx_util reconfigure'
* on a newly installed VSX Gateway/Cluster members after operation has finished successfully
Please choose one of the above options (1|2) [1]: 2
Please select one of the following interfaces to be replaced:
1) eth1-02
2) eth1-04
3) eth1-06
4) eth1-08
5) eth2-01
6) eth2-03
7) eth2-04
8) eth3-01
9) eth3-02
10) Mgmt
11) Sync
Would you like to change another interface? (y|n) [n]: n
Would you like to remove the old interfaces from the database? (y|n) [n]: y
Old interfaces will be removed…
Change Interfaces operation is about to start. This may take a while…
Successfully generated new configuration scripts for MDCLSTR
Policy installation/compilation for MDCLSTR: Verification was successful.
Policy installation/compilation for MDCLSTR: Compilation was successful
Policy installation/compilation for MDCLSTR: Copy temporary state files to permanent directory.
Policy installation succeeded for MDCLSTR
Finished updating vsx object MDCLSTR.
Successfully generated new configuration scripts for MDCLSTR
=================================== SUMMARY ====================================
Operation changed between the following interfaces:
Old Interface: eth1-02 New Interface: eth1-04
Old Interface: eth1-06 New Interface: eth2-01
Old Interface: eth2-03 New Interface: Mgmt
Status of virtual devices involved in the Change Interfaces operation:
+-------------------+---------+
|Virtual Device Name| Cluster |
+-------------------+---------+
|MDCLSTR            | OK      |
+-------------------+---------+
Cluster : MDCLSTR
----------------------------------------- Legend ----------------------------------------
-----------------------------------------------------------------------------------------
OK - Operation was successful
P - Push Configuration was successful, database update operation did not complete
I - Push Configuration was successful, database is updated,
Install Policy may still be needed
U - Operation was not performed
F - Operation failed in the initial stage of Push Configuration
E - Operation was not performed because interfaces required for change are
already used by another virtual device. Resume is not supported in this case.
It is the user's responsibility to perform changes for this virtual device
? - Status is unclear, Please contact CheckPoint technical support for assistance
=========================================================================================
Operation was applied on the management database only.
To apply the changes you must run 'vsx_util reconfigure'
on a newly installed VSX Gateway/Cluster members
=========================================================================================
Change Interfaces operation finished successfully.
IMPORTANT: When the Anti-Bot and Anti-Virus Software Blades are enabled,
you must manually install the Anti-Bot and Anti-Virus policy
for each applicable virtual device.
Once the interface details, the management interface and the IP details have been made to match, run vsx_util reconfigure to update each VSX GW.
When one of the cluster members fails, the same steps are repeated.
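A pre-check for the requirement above that interface names on the rebuilt gateway match the management database before vsx_util reconfigure is run, as an added example (not from the original post or from Check Point). It assumes the vsx_util show_interfaces output was saved as text with ASCII borders and that only interfaces of type M, S, V or U must exist on the new box; the function names, sample rules and MAC addresses are constructed for illustration. It also flags rules pasted with typographic quotes, which udev does not parse.

```python
import re

RULE_NAME = re.compile(r'\bNAME="([^"]+)"')
RULE_MAC = re.compile(r'ATTR\{address\}=="([0-9A-Fa-f:]{17})"')
IN_USE = {"M", "S", "V", "U"}  # assumption: only in-use types must exist on the new box
# Constructed samples (MACs are made up); the last rule carries typographic quotes.
SAMPLE_RULES = '''# new gateway: /etc/udev/rules.d/00-OS-XX.rules
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:00:5e:00:53:01", KERNEL=="eth*", NAME="Sync"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:00:5e:00:53:02", KERNEL=="eth*", NAME="eth1-08"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:00:5e:00:53:03", KERNEL=="eth*", NAME="eth2-04"
SUBSYSTEM==\u201dnet\u201d, ATTR{address}==\u201d00:00:5e:00:53:04\u2033, NAME=\u201deth3-01\u2033
'''
SAMPLE_TABLE = '''|Type & Interface | Virtual Device Name |VSID| IP / Mask length |
|A Mgmt | | | |
|S Sync |MDCLSTR |0 |v4 10.134.134.0/30 |
|M eth1-08 |MDCLSTR |0 | |
|V eth2-04.3004 |TEST5_VSX |7 |v4 172.16.44.62/27 |
|V eth3-01.3501 |vsx_internet |6 | |
'''

def udev_names(rules_text):
    """Return ({NAME: mac}, problems) for the net rules in a udev rules file."""
    names, problems = {}, []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if any(q in line for q in "\u201c\u201d\u2033"):
            problems.append(f"line {n}: typographic quotes, udev will not parse this rule")
            continue
        name, mac = RULE_NAME.search(line), RULE_MAC.search(line)
        if name and mac:
            if name.group(1) in names:
                problems.append(f"line {n}: NAME {name.group(1)} assigned twice")
            names[name.group(1)] = mac.group(1).lower()
    return names, problems

def required_interfaces(table_text):
    """Physical interfaces in use according to a saved show_interfaces table."""
    required = set()
    for line in table_text.splitlines():
        cell = line.split("|")[1].split(None, 1) if line.startswith("|") else []
        if len(cell) == 2 and cell[0] in IN_USE:
            required.add(cell[1].strip().split(".")[0])  # drop the VLAN tag
    return required

def precheck(rules_text, table_text):
    names, problems = udev_names(rules_text)
    missing = sorted(required_interfaces(table_text) - set(names))
    return missing, problems
```

An empty missing list and an empty problems list mean every in-use interface name in the management database has a matching udev rule on the new gateway.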