cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

A simple and reliable way to make sure your management is up

When working with R80.X (both R80.10 and R80.20.m1) management servers, one of the issues is that you cannot connect to SMS with your SmartConsole, although the machine seems to be started and running fine.

There are several scenarios where it might be important: upgrade in place from a previous version, migrate import operation or even a reboot of your running machine.

With migrates and upgrades, it takes a significant effort after the fact to update MGMT DB, and it is usually hart to guess if the process is finally complete.

When you perform a maintenance operation or even reboot your production server, loading DB and bringing CPM process to a ready position may also take time.

However, there is a small trick that can save you some time and efforts in figuring out whether your management is finally in ready to receive a SmartConsole connection. 

From a console or SSH run $CPMDIR/scripts/check_cpm_status.sh script.

When it shows CPM server started, you are good to go.

UPDATE: As Tomer Sole‌ mentions in comments, you can alternatively use
$MDS_FWDIR/scripts/cpm_status.sh which works properly in both MDSM and SMS environments. 

19 Replies

Re: A simple and reliable way to make sure your management is up

MDS version is

$MDS_FWDIR/scripts/cpm_status.sh

with results like

Check Point Security Management Server is running and ready

or

Check Point Security Management Server is during initialization

Re: A simple and reliable way to make sure your management is up

And $FWDIR/scripts/cpm_status.sh

Re: A simple and reliable way to make sure your management is up

Tip #2: $MDS_FWDIR maps to the correct folder in both SmartCenter ($FWDIR) and Multi-Domain environments ($MDS_TEMPLATE) J

So just use $MDS_FWDIR/scripts/cpm_status.sh anywhere J

Re: A simple and reliable way to make sure your management is up

Good point, I will update accordingly

Re: A simple and reliable way to make sure your management is up

Right. Now spot a difference between $FWDIR and $CPMDIR or SMS :-)

Jerry
Gold

Re: A simple and reliable way to make sure your management is up

sleep 30
    $MDS_FWDIR/scripts/cpm_status.sh no_print
    let stat=$?

Jerry
0 Kudos
Jerry
Gold

Re: A simple and reliable way to make sure your management is up

[Expert@SMS:0]# $CPMDIR/scripts/check_cpm_status.sh
CPM server started
[Expert@SMS:0]#

Jerry
0 Kudos

Re: A simple and reliable way to make sure your management is up

that means the game is ON! :-)

Jerry
Gold

Re: A simple and reliable way to make sure your management is up

oh yes, never been off  have a fab day mate!

Jerry
0 Kudos
Maarten_Sjouw
Platinum

Re: A simple and reliable way to make sure your management is up

What happended to mdsstat? On an MDS gives me all the info I need.

It would even be nicer if you could see that all domains are up and ready in de Smartconsole MDS view.

In R77.30 you could even start/stop a DMS, will this come back in the final version of R80.20?

Regards, Maarten
0 Kudos

Re: A simple and reliable way to make sure your management is up

Absolutely. This was more of having one-liner Smiley Happy I use mdsstat but hey, sometimes short answers are better Smiley Happy

Re: A simple and reliable way to make sure your management is up

mdsstat is still there. However, it does not show the status for CPM processes of each instance, which is the main MGMT process with R80.X

More, even if it did show that the process is up, that would not give you a reliable indication that a Domain Server is ready for work, as CPM takes some time to be fully ready to receive SmartConsole connections

0 Kudos

Re: A simple and reliable way to make sure your management is up

Of if you can't remember the path, simply use:

watch "netstat -an | grep 19009"

When it shows a listening port the server is up and ready for client connections.

For R77.x replace 19009 with 18190

0 Kudos

Re: A simple and reliable way to make sure your management is up

Great tip.

I used to monitor this by: tail -f  $FWDIR/log/fwm.elg (even in R80.x).

When process is fully up a message like "Security Management server is alive" shows up. I think it was changed to CPM server started in R80.x. Then you know you were ready to go.

Re: A simple and reliable way to make sure your management is up

CPM is the main Security Management process in R80 and above. FWM is still out there for things such as Legacy SmartDashboard (not SmartConsole) interaction but it is not the main one. Relying on CPM is better.

Re: A simple and reliable way to make sure your management is up

CPM is replacing FWM in R80 and above ?

As per my knowledge smart dashboard connects to FWM on 18190 using CPMI.

Now in R80, SmartConsole connect to CPM using CPMI ,  no need for FWM ? Is it right ?

Please clear this doubt.

0 Kudos

Re: A simple and reliable way to make sure your management is up

CPMI is the data representation between pre-R80 Management Server and pre-R80 SmartDashboard.

FWM is the server-side process for pre-R80 security management. In R80, R80.10 and R80.20, FWM is used for interaction from the UI parts that are within SmartDashboard, for example: HTTPS Inspection, Gateway Editor, but it is only a bridge as it sends the requests as they were to CPM, which does all the work. FWM also contains some functionality related to Multi-Domain. It is gradually being phased out and replaced by CPM.

So please do not kill FWM in your local environment just yet J

Re: A simple and reliable way to make sure your management is up

why not just to use "api status" to see if CPM is up + api and other services?

0 Kudos

Re: A simple and reliable way to make sure your management is up

CPM is serving API calls. Before it is up you do not get a response. Also, the mentioned script is the simplest way to check