A simple and reliable way to make sure your management is up
When working with R80.X (both R80.10 and R80.20.m1) management servers, one of the issues is that you cannot connect to SMS with your SmartConsole, although the machine seems to be started and running fine.
There are several scenarios where it might be important: upgrade in place from a previous version, migrate import operation or even a reboot of your running machine.
With migrates and upgrades, it takes a significant effort after the fact to update MGMT DB, and it is usually hard to guess if the process is finally complete.
When you perform a maintenance operation or even reboot your production server, loading DB and bringing CPM process to a ready position may also take time.
However, there is a small trick that can save you some time and effort in figuring out whether your management is finally ready to receive a SmartConsole connection.
From a console or SSH run $CPMDIR/scripts/check_cpm_status.sh script.
When it shows CPM server started, you are good to go.
UPDATE: As Tomer Sole mentions in comments, you can alternatively use
$MDS_FWDIR/scripts/cpm_status.sh which works properly in both MDSM and SMS environments.
MDS version is
$MDS_FWDIR/scripts/cpm_status.sh
with results like
Check Point Security Management Server is running and ready
or
Check Point Security Management Server is during initialization
And $FWDIR/scripts/cpm_status.sh
Tip #2: $MDS_FWDIR maps to the correct folder in both SmartCenter ($FWDIR) and Multi-Domain environments ($MDS_TEMPLATE) 🙂
So just use $MDS_FWDIR/scripts/cpm_status.sh anywhere 🙂
Good point, I will update accordingly
I added this check to our ccc script.
Right. Now spot a difference between $FWDIR and $CPMDIR or SMS 🙂
sleep 30
$MDS_FWDIR/scripts/cpm_status.sh no_print
let stat=$?
[Expert@SMS:0]# $CPMDIR/scripts/check_cpm_status.sh
CPM server started
[Expert@SMS:0]#
that means the game is ON! 🙂
Oh yes, never been off. Have a fab day, mate!
What happened to mdsstat? On an MDS it gives me all the info I need.
It would even be nicer if you could see that all domains are up and ready in the SmartConsole MDS view.
In R77.30 you could even start/stop a DMS, will this come back in the final version of R80.20?
Absolutely. This was more of having a one-liner. I use mdsstat, but hey, sometimes short answers are better.
mdsstat is still there. However, it does not show the status for CPM processes of each instance, which is the main MGMT process with R80.X.
Moreover, even if it did show that the process is up, that would not give you a reliable indication that a Domain Server is ready for work, as CPM takes some time to be fully ready to receive SmartConsole connections.
Or if you can't remember the path, simply use:
watch "netstat -an | grep 19009"
When it shows a listening port the server is up and ready for client connections.
For R77.x replace 19009 with 18190
Great tip.
I used to monitor this by: tail -f $FWDIR/log/fwm.elg (even in R80.x).
When the process is fully up, a message like "Security Management server is alive" shows up. I think it was changed to CPM server started in R80.x. Then you know you were ready to go.
CPM is the main Security Management process in R80 and above. FWM is still out there for things such as Legacy SmartDashboard (not SmartConsole) interaction but it is not the main one. Relying on CPM is better.
CPM is replacing FWM in R80 and above?
As per my knowledge, SmartDashboard connects to FWM on 18190 using CPMI.
Now in R80, SmartConsole connects to CPM using CPMI, no need for FWM? Is it right?
Please clear this doubt.
CPMI is the data representation between pre-R80 Management Server and pre-R80 SmartDashboard.
FWM is the server-side process for pre-R80 security management. In R80, R80.10 and R80.20, FWM is used for interaction from the UI parts that are within SmartDashboard, for example: HTTPS Inspection, Gateway Editor, but it is only a bridge as it sends the requests as they were to CPM, which does all the work. FWM also contains some functionality related to Multi-Domain. It is gradually being phased out and replaced by CPM.
So please do not kill FWM in your local environment just yet 🙂
Why not just use "api status" to see if CPM is up + api and other services?
CPM is serving API calls. Before it is up you do not get a response. Also, the mentioned script is the simplest way to check.
If the prerequisite API is not running, the CPM service will not start. It will be in "initialization state"
Try the following steps: (Ver: R80.30)
Step 1
[Expert@cpfw-mds:0]# api status
API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Stopped
CPM Starting 7434 Check Point Security Management Server is during initialization
FWM Started 10759
APACHE Started 4571
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf
--------------------------------------------
Overall API Status: The API Server Is Not Running!
--------------------------------------------
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
Step 2
[Expert@cpfw-mds:0]# mdsstop
Step 3
[Expert@cpfw-mds:0]# api start
2019-Nov-05 10:09:10 - Starting API...
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
2019-Nov-05 10:11:38 - API started successfully.
Step 4
[Expert@cpfw-mds:0]# mdsstart
Optional
[Expert@cpfw-mds:0]# api status
API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 73002
CPM Started 74142 Check Point Security Management Server is running and ready
APACHE Started 4571
Port Details:
-------------------
JETTY Internal Port: 50277
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
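The readiness check discussed in this thread, wrapped in a polling loop with a timeout, as an added example that is not part of the original posts and is not Check Point code. The function names are hypothetical; the loop matches only the two status messages quoted in the thread and deliberately does not rely on the script's exit code, whose meaning the thread does not state.

```shell
#!/bin/sh
# Added example (not Check Point code): wait until CPM reports readiness.
# The two messages below are the status outputs quoted in this thread.
READY_MSG="Check Point Security Management Server is running and ready"
INIT_MSG="Check Point Security Management Server is during initialization"

# classify_cpm_status TEXT -> prints: ready | initializing | unknown
classify_cpm_status() {
    case "$1" in
        *"$READY_MSG"*) echo ready ;;
        *"$INIT_MSG"*)  echo initializing ;;
        *)              echo unknown ;;   # empty or unexpected output
    esac
}

# wait_for_cpm TIMEOUT_SECS INTERVAL_SECS CMD [ARGS...]
# Returns 0 once CMD reports ready, 1 on timeout, 2 if CMD cannot be found.
# Only the "ready" message counts; anything else is treated as not ready.
wait_for_cpm() {
    _timeout=$1; _interval=$2; shift 2
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "status command not found: $1" >&2
        return 2
    fi
    _deadline=$(( $(date +%s) + _timeout ))
    while :; do
        # The exit code is ignored on purpose: its meaning is not documented
        # in the thread, so the decision rests on the printed message.
        _out=$("$@" 2>&1) || true
        _state=$(classify_cpm_status "$_out")
        if [ "$_state" = ready ]; then
            return 0
        fi
        if [ "$(date +%s)" -ge "$_deadline" ]; then
            echo "timed out, last state: $_state" >&2
            return 1
        fi
        sleep "$_interval"
    done
}

# Typical call on the management server (15 minutes, poll every 10 s):
#   wait_for_cpm 900 10 "$MDS_FWDIR/scripts/cpm_status.sh" && echo "SmartConsole can connect"
```

Treating unknown output as "not ready" keeps a maintenance script from proceeding (for example, to a policy install or API call) when the status script is missing, fails, or prints something unexpected.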
