topic Re: VSX and VS restart in Firewall and Security Management

VSX and VS restart

nooni — Wed, 01 Mar 2023 08:58:09 GMT

Hi,

I hope someone can help me clarify how it is possible to restart an VS to make changes in fwkern.conf for that VS effective ?

I know it is possible to make changes on the fly, but in this SK it can only understand that it does not work when SecureXL is enabled ?

This is the SK where i want to enable this feature for only one VS: sk19746

Thanks!

Re: VSX and VS restart

G_W_Albrecht — Wed, 01 Mar 2023 09:10:39 GMT

Ask TAC - the sk19746 does not state that it is valid for VSX at all !

Re: VSX and VS restart

Chris_Atkinson — Wed, 01 Mar 2023 14:53:51 GMT

For such changes the machine must be rebooted (for it to be permanent).

In a cluster properly sized for failover scenarios this should be manageable within a maintenance window.

In other situations there is this process:

sk169472: How to restart a specific VSX Virtual System in R80.30 and higher

Re: VSX and VS restart

nooni — Wed, 01 Mar 2023 14:30:11 GMT

Hi,

Thanks for the SK. If the VS runs in a high availability setup, for example VSLS.

Will this cpstop/cpstart procedure change the behaviour on the current host the VS resides on ?

If the VS is active on host1 and you do cpstop it will be considered as down and startup at host2 ?

Re: VSX and VS restart

_Val_ — Wed, 01 Mar 2023 14:33:42 GMT

No, you only stop one residing on the physical member you are connected to.

Re: VSX and VS restart

the_rock — Wed, 01 Mar 2023 14:39:51 GMT

I always do below option now if I have to do this, as it does NOT need cpstop;cpstart or reboot, applies right away and it actually takes care of the file on its own.

Connect to the command line on the Security Gateway / each Cluster Member.
Run this command:

fw ctl set -f int <Name_of_Kernel_Parameter> <Value_of_Kernel_Parameter>

Notes:
- This command works in Gaia Clish and Expert mode.
- This command applies immediately.
- This command changes the value of the kernel parameter on-the-fly and adds the required line in the $FWDIR/boot/modules/fwkern.conf file for permanent configuration.
Reboot when possible.

https://support.checkpoint.com/results/sk/sk26202

Andy

Re: VSX and VS restart

nooni — Wed, 01 Mar 2023 18:51:35 GMT

Thanks, yes i am aware of that possibility but the SK stated that when using SecureXL a change in fwkern.conf was neccesary.

Re: VSX and VS restart

the_rock — Wed, 01 Mar 2023 18:55:29 GMT

I never ever had to do that on regular fw, its possible might be different for VSX.

Re: VSX and VS restart

Wolfgang — Wed, 01 Mar 2023 19:15:37 GMT

@nooni kernel parameters set via „fw ctl set ….“ are set for all VS on a host. You can‘t set these kernel parameters only for one VS.

Regarding your mentioned article How to force a Security Gateway to send a TCP [RST] packet upon TCP connection expiration you can set your needed parameter for a specific system via GUIdbedit tool. If you only need the change from sk19746 this will be a better solution then setting kernel parameters via fwkern.conf.

Re: VSX and VS restart

JozkoMrkvicka — Wed, 01 Mar 2023 21:55:49 GMT

nice to know that there is newer way how to modify fwkern.conf 😄 I am still always updating fwkern.conf manually using vi 😄 Wondering if such a action is even supported (modify the fwkern file by your own) ...

Re: VSX and VS restart

the_rock — Wed, 01 Mar 2023 22:07:00 GMT

That method works fine, never an issue, sometimes old school way is the best, haha : - )