Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Admin
Admin

A simple and reliable way to make sure your management is up

When working with R80.X (both R80.10 and R80.20.m1) management servers, one of the issues is that you cannot connect to SMS with your SmartConsole, although the machine seems to be started and running fine.

There are several scenarios where it might be important: upgrade in place from a previous version, migrate import operation or even a reboot of your running machine.

With migrates and upgrades, it takes a significant effort after the fact to update MGMT DB, and it is usually hart to guess if the process is finally complete.

When you perform a maintenance operation or even reboot your production server, loading DB and bringing CPM process to a ready position may also take time.

However, there is a small trick that can save you some time and efforts in figuring out whether your management is finally in ready to receive a SmartConsole connection. 

From a console or SSH run $CPMDIR/scripts/check_cpm_status.sh script.

When it shows CPM server started, you are good to go.

UPDATE: As Tomer Sole‌ mentions in comments, you can alternatively use
$MDS_FWDIR/scripts/cpm_status.sh which works properly in both MDSM and SMS environments. 

21 Replies
Highlighted
Authority
Authority

MDS version is

$MDS_FWDIR/scripts/cpm_status.sh

with results like

Check Point Security Management Server is running and ready

or

Check Point Security Management Server is during initialization
Highlighted
Advisor

And $FWDIR/scripts/cpm_status.sh

Highlighted

Tip #2: $MDS_FWDIR maps to the correct folder in both SmartCenter ($FWDIR) and Multi-Domain environments ($MDS_TEMPLATE) J

So just use $MDS_FWDIR/scripts/cpm_status.sh anywhere J

Highlighted
Admin
Admin

Good point, I will update accordingly

Highlighted
Champion
Champion

I added this check to our ccc script.

0 Kudos
Highlighted
Admin
Admin

Right. Now spot a difference between $FWDIR and $CPMDIR or SMS 🙂

Highlighted
Leader
Leader

sleep 30
    $MDS_FWDIR/scripts/cpm_status.sh no_print
    let stat=$?

Jerry
0 Kudos
Highlighted
Leader
Leader

[Expert@SMS:0]# $CPMDIR/scripts/check_cpm_status.sh
CPM server started
[Expert@SMS:0]#

Jerry
0 Kudos
Highlighted
Admin
Admin

that means the game is ON! 🙂

Leader
Leader

oh yes, never been off  have a fab day mate!

Jerry
0 Kudos
Highlighted
Champion
Champion

What happended to mdsstat? On an MDS gives me all the info I need.

It would even be nicer if you could see that all domains are up and ready in de Smartconsole MDS view.

In R77.30 you could even start/stop a DMS, will this come back in the final version of R80.20?

Regards, Maarten
0 Kudos
Highlighted
Authority
Authority

Absolutely. This was more of having one-liner Smiley Happy I use mdsstat but hey, sometimes short answers are better Smiley Happy

Highlighted
Admin
Admin

mdsstat is still there. However, it does not show the status for CPM processes of each instance, which is the main MGMT process with R80.X

More, even if it did show that the process is up, that would not give you a reliable indication that a Domain Server is ready for work, as CPM takes some time to be fully ready to receive SmartConsole connections

0 Kudos
Highlighted
Contributor

Of if you can't remember the path, simply use:

watch "netstat -an | grep 19009"

When it shows a listening port the server is up and ready for client connections.

For R77.x replace 19009 with 18190

0 Kudos
Highlighted
Employee
Employee

Great tip.

I used to monitor this by: tail -f  $FWDIR/log/fwm.elg (even in R80.x).

When process is fully up a message like "Security Management server is alive" shows up. I think it was changed to CPM server started in R80.x. Then you know you were ready to go.

Highlighted

CPM is the main Security Management process in R80 and above. FWM is still out there for things such as Legacy SmartDashboard (not SmartConsole) interaction but it is not the main one. Relying on CPM is better.

Highlighted
Contributor

CPM is replacing FWM in R80 and above ?

As per my knowledge smart dashboard connects to FWM on 18190 using CPMI.

Now in R80, SmartConsole connect to CPM using CPMI ,  no need for FWM ? Is it right ?

Please clear this doubt.

0 Kudos
Highlighted

CPMI is the data representation between pre-R80 Management Server and pre-R80 SmartDashboard.

FWM is the server-side process for pre-R80 security management. In R80, R80.10 and R80.20, FWM is used for interaction from the UI parts that are within SmartDashboard, for example: HTTPS Inspection, Gateway Editor, but it is only a bridge as it sends the requests as they were to CPM, which does all the work. FWM also contains some functionality related to Multi-Domain. It is gradually being phased out and replaced by CPM.

So please do not kill FWM in your local environment just yet J

Highlighted

why not just to use "api status" to see if CPM is up + api and other services?

0 Kudos
Highlighted
Admin
Admin

CPM is serving API calls. Before it is up you do not get a response. Also, the mentioned script is the simplest way to check

Highlighted
Explorer

If the prerequisite API is not running, the CPM service will not start. It will be in "initialization state"

Try the following steps:  (Ver: R80.30)

Step 1

[Expert@cpfw-mds:0]# api status

API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Stopped
CPM Starting 7434            Check Point Security Management Server is during initialization
FWM Started 10759
APACHE Started 4571

Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
Apache port retrieved from: httpd-ssl.conf


--------------------------------------------
Overall API Status: The API Server Is Not Running!
--------------------------------------------

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Step 2

[Expert@cpfw-mds:0]# mdsstop

Step 3

[Expert@cpfw-mds:0]# api start
2019-Nov-05 10:09:10 - Starting API...
. . . . . . . . . . . . . . . . . . . . . . . . . . . .
2019-Nov-05 10:11:38 - API started successfully.

Step 4

[Expert@cpfw-mds:0]# mdsstart

Optional

[Expert@cpfw-mds:0]# api status

API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 73002
CPM Started 74142                      Check Point Security Management Server is running and ready
APACHE Started 4571

Port Details:
-------------------
JETTY Internal Port: 50277
APACHE Gaia Port: 443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

0 Kudos