topic Re: Generic Datacenter object push interval to gateway in Firewall and Security Management

Generic Datacenter object push interval to gateway

SPM — Fri, 04 Oct 2024 17:35:11 GMT

In settings of Generic Datacenter object you can specify the pull interval, how often management server should update object from the source URL.

But what is push interval to the gateways where this object used in policy rules?

From my experiments on R81 Take92 management server

I am getting around 15 minutes(!) delay between change of the object on management server and enforcement of the change on gateway.

cloud_proxy.elg shows no errors

Is it by design such interval or where to look for issue or how to change that interval?

Re: Generic Datacenter object push interval to gateway

the_rock — Fri, 04 Oct 2024 18:09:50 GMT

I believe from memory its 300 seconds = 5 mins

Re: Generic Datacenter object push interval to gateway

SPM — Fri, 04 Oct 2024 21:01:06 GMT

It looks like it is not 5min but 15min

here is from cloud_proxy.elg end of one request to push changes to gateway and start of the other

04/10/24 18:39:36,063 INFO ida.api.IDACpridRequestSenderClient [gateway-updater_CP1]: Response from gw xx.xxx.xxx.xxx is 'OK'
04/10/24 19:43:35,344 INFO ida.api.IDACpridRequestSenderClient [gateway-updater_CP1]: Sending update to gw xx.xxx.xxx.xxx: #!/bin/bash

one set of objects were changed at 04/10/24 19:29, and the other at 04/10/24 19:35

(there were no more changes since last push at 04/10/24 18:39)

Where can I look for this push interval value?

Re: Generic Datacenter object push interval to gateway

the_rock — Sat, 05 Oct 2024 01:13:40 GMT

I thought there was command to check it, but I could be wrong.

Andy

Re: Generic Datacenter object push interval to gateway

Chris_Atkinson — Sat, 05 Oct 2024 14:44:16 GMT

How many gateways are involved in the environment with these objects in the policy?

vsec.conf otherwise holds relevant parameters.

Re: Generic Datacenter object push interval to gateway

SPM — Sat, 05 Oct 2024 18:31:51 GMT

there are only 2 gateways where these objects used in the policy rules

here is from vsec.conf

# delay time between GW update cycles
enforcementUpdateIntervalTime=10

# TTL (mins) for objects expiration on GW in case
# there are no updates from the Controller
enforcementSessionTimeoutInMinutes=10080

autoUpdateIntervalInSeconds=30

# max number of GWs to update concurrently
enforcementThreadPool=5

# Generic Data Center scanner config
ctf.scannerInterval=60
ctf.deleteTemporaryFiles=true
ctf.ignoreInvalidContent=false
ctf.scanningLogsOn=false
ctf.scanFlatListFiles=false

I suppose this parameter ( ctf.scannerInterval=60 ) determines push interval. So it should be 1min.

here is a full timeline from another test:

05/10/24 20:23 - Object changed, 1 IP address (lets say it 192.0.2.2) added

05/10/24 20:38 - Object changed, IP address removed (the same as was added 15min ago, i.e. 192.0.2.2)

05/10/24 20:40 - Changes detected and pushed to gateways but with IP address 192.0.2.2 that was added 17min ago and removed 2 min ago

05/10/24 20:49 - Changes detected and pushed to the gateway with IP address 192.0.2.2 removed

No other Generic Datacenter objects where changed during that period, so no interference from other changes.