DBedit issue
Hello guys,
Right now I am trying to create a script for automatic VLAN creation within a cluster deployment (2 gateways).
What I want to achieve is to add a new VLAN as it is done via SmartConsole (Dashboard):
As there is no support for manipulation of Cluster objects via API yet, the only solution is to use the dbedit tool.
So I played with dbedit for a while and I am running into one strange issue. I am using the following extract to create a new Cluster interface and update it with all relevant data, attaching all the commands as an example:
addelement network_objects GWC interfaces cluster_interface
modify network_objects GWC interfaces:4:ifindex 4
modify network_objects GWC interfaces:4:member_network:ipaddr 10.20.150.0
modify network_objects GWC interfaces:4:member_network:netmask 255.255.255.0
modify network_objects GWC interfaces:4:officialname eth10.150
modify network_objects GWC interfaces:4:ipaddr 10.20.150.1
modify network_objects GWC interfaces:4:netmask 255.255.255.0
modify network_objects GWC interfaces:4:monitored_by_cluster true
modify network_objects GWC interfaces:4:security:netaccess:access this
modify network_objects GWC interfaces:4:security:netaccess:perform_anti_spoofing true
addelement network_objects GW1 interfaces interface
modify network_objects GW1 interfaces:4:ifindex 4
modify network_objects GW1 interfaces:4:officialname eth10.150
modify network_objects GW1 interfaces:4:ipaddr 10.20.150.2
modify network_objects GW1 interfaces:4:netmask 255.255.255.0
modify network_objects GW1 interfaces:4:monitored_by_cluster true
modify network_objects GW1 interfaces:4:security:netaccess:access this
modify network_objects GW1 interfaces:4:security:netaccess:perform_anti_spoofing true
addelement network_objects GW2 interfaces interface
modify network_objects GW2 interfaces:4:ifindex 4
modify network_objects GW2 interfaces:4:officialname eth10.150
modify network_objects GW2 interfaces:4:ipaddr 10.20.150.3
modify network_objects GW2 interfaces:4:netmask 255.255.255.0
modify network_objects GW2 interfaces:4:monitored_by_cluster true
modify network_objects GW2 interfaces:4:security:netaccess:access this
modify network_objects GW2 interfaces:4:security:netaccess:perform_anti_spoofing true
update_all
savedb
I am using the procedure mentioned in sk30383, together with "dos2unix" and "sed -i 's/[[:space:]]*$//' <filename>", and at the end executing the input file using "dbedit -local -globallock -f <filename>".
Basically all is fine (no errors), the cluster and both gateways are updated with correct data (checked with "print network_objects GWC"), but in fact in SmartConsole I cannot see this new interface in Network Management.
I have also tried installing the database and policy, without any difference.
What am I doing wrong? What else must be updated/modified in order to see this new interface in the Network Management tab?
Thanks to everyone who can check it.
Jozko Mrkvicka
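The batch file and clean-up steps from the post above, as an added shell example that is not part of the original thread: it generates the same dbedit lines for the cluster and both members from one set of parameters and checks the file before it is handed to dbedit. The function names are hypothetical; the object names, interface index and addresses are the post's own sample values.

```shell
#!/bin/bash
# Added example: object names, index and addresses are the post's sample values;
# the function names are made up for this sketch.

# Print the dbedit lines for one interface. $2 is the element class from the
# post: "cluster_interface" for the cluster object, "interface" for a member.
emit_iface() {
    local obj="$1" class="$2" idx="$3" name="$4" ip="$5" mask="$6" net="$7"
    local p="modify network_objects $obj interfaces:$idx"
    echo "addelement network_objects $obj interfaces $class"
    echo "${p}:ifindex $idx"
    if [ "$class" = "cluster_interface" ]; then
        echo "${p}:member_network:ipaddr $net"
        echo "${p}:member_network:netmask $mask"
    fi
    echo "${p}:officialname $name"
    echo "${p}:ipaddr $ip"
    echo "${p}:netmask $mask"
    echo "${p}:monitored_by_cluster true"
    echo "${p}:security:netaccess:access this"
    echo "${p}:security:netaccess:perform_anti_spoofing true"
}

# Write the full batch, then apply the post's clean-up in one pass:
# drop carriage returns (what dos2unix does) and strip trailing whitespace.
build_batch() {
    local out="$1" idx="$2" name="$3" net="$4" mask="$5"
    {
        emit_iface GWC cluster_interface "$idx" "$name" "$6" "$mask" "$net"
        emit_iface GW1 interface "$idx" "$name" "$7" "$mask"
        emit_iface GW2 interface "$idx" "$name" "$8" "$mask"
        echo "update_all"
        echo "savedb"
    } | tr -d '\r' | sed 's/[[:space:]]*$//' > "$out"
}

# Return non-zero if a file still has CR bytes or trailing blanks, or does not
# end with the update_all / savedb pair.
check_batch() {
    local cr; cr=$(printf '\r')
    if grep -q "$cr" "$1"; then return 1; fi
    if grep -q '[[:space:]]$' "$1"; then return 1; fi
    [ "$(tail -n 2 "$1" | tr '\n' ' ')" = "update_all savedb " ]
}

f=$(mktemp)
build_batch "$f" 4 eth10.150 10.20.150.0 255.255.255.0 10.20.150.1 10.20.150.2 10.20.150.3
check_batch "$f" && echo "ready: dbedit -local -globallock -f $f"
```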
Accepted Solutions
Hi Jozko,
I've just talked with a team member who is responsible for Network Management view development in R80.X GUI, and as I suspected in my post above, the code in R80.X was changed.
dbedit tool will not help in this case. You have to wait for the new API for handling this stuff.
Robert.
I don't know if it is possible, but as a troubleshooting step consider running cpstart ; cpstop on the management server. It seems, at least to me, the quickest thing to do before going through Check Point support.
As I am trying it in "lab" using VMware, every time I turn off management
One strange thing is that once I didn't modify antispoofing for this new interface (using dbedit), during policy installation I see a warning message for this new interface (that antispoofing should be allowed).
Maybe it is working, just not showing it in the Network Management tab?
I will check it with both cluster members and let you know.
Jozko Mrkvicka
Okay, so the conclusion is:
With R77.30 it is working as described above (the VLAN is perfectly added into the Topology tab).
With R80.10 it is not working at all.
Let's wait for the updated API for cluster handling...
Jozko Mrkvicka
Hi, did you try to reset sic?
Robert.
Hi Robert,
No, but I just want to add a new VLAN in the Topology tab. It shouldn't have any relation to SIC, since I am working only on Management.
In R77.30 all is fine; on R80.10 it looks like some fields were added/modified in the Interfaces subtree of the cluster and members.
For example "monitored_by_cluster" is by default set to false (in R77.30), but in R80.10 it is set to true.
Jozko Mrkvicka
Hi Jozko,
The network management view's source code was changed in R80.X release and maybe the things work now differently compared to R77.X.
Try the sic reset, maybe you will be surprised...
Robert.
In addition, I'll check the difference in DB schema between an interface created in the GUI and an interface created in dbedit.
Maybe something is missing...
Hi Robert,
Thank you very much for your effort and time!
Glad to have a clear and confirmed statement for this issue.
Let's wait for the new version of the API...
Jozko Mrkvicka
Jozko,
To be accurate, there is a way to manipulate the cluster object and cluster interfaces using the management API's undocumented and unsupported "generic-objects" API.
Here is a link to our SE's excellent post - https://community.checkpoint.com/docs/DOC-2625.
Please pay attention to my caveat there.
Hope this helps.
Robert.
When can we FINALLY expect such a basic feature as manipulating Cluster objects within R80? R80.30 is GA, without a single API command for this purpose. What a shame.
Jozko Mrkvicka