Weird, dont see it in their environment either...

Andy

FWIW, when I ran cpwd_admin list in my lab, I noticed 3 processes for log exporter as down, so removed them all, rebooted, now all shows E and 1, but apache still down...

Andy

Did the original server have Endpoint policy management enabled? Looks like this new VM is looking for the Endpoint management pieces from the migrate import, but they're not installed.  Did you do the Gaia First Time Wizard via the initial install WebUI, via config_system, or through the Azure Marketplace setup?  Again, looks like one of those didn't get the correct product selection for installation.

This is bit of a stupid question, but:  Did you run the Gaia First Time Wizard yet, before running migrate_server import? 🙂

The multiple "grep" command errors are also interesting.  That's a series of sequential words that is likely from an improperly defined (or missing) Bash variable resulting in that kind of erroneous output.  The error sequence in question is in the "start_apache()" function of the "uepm_functions" shell library.   However, the expected UEPM log file doesn't exist, likely because the paths don't exist, again, because the UEPM product isn't installed/configured.

You're also using HFA 96 which is rather bleeding edge.  I'd suggest re-doing this VM with HFA 92 instead, "just because".

Hope some of this helps.

Oh, and another possibly stupid question:  Is the IP of this new VM the same as the IP of the original, for the license to be activated?

Hey Duane,

Totally different IP and yes, I 100% made sure license was indeed correct.

Andy

Glad you mentioned licences, since it made me realize we need to verify what they are currently using. Im fairly sure when it comes to VMSS infrastructure, it all has to be centrallly licenced.

Andy

Yeah VMSS has to use vsec_lic_cli just as all CloudGuard licenses, plus you need to use CME to bootstrap those scale-out instances, and torch the scale-in ones when that time comes.

I think thats what we may need to do once converted.

If that's the case, then sounds like the default web port was changed on the original server.  That's in CLISH ("show web ssl-port").  I'd be concerned if this happens again on the next reboot, tho.  That httpd.conf file is generated dynamically by /bin/httpd_xlate and based on the contents of the CONFD configuration.  I say reboot that server and make sure it comes back up correctly! 🤞

Im glad I was able to fix it by copying the file I mentioned, but nothing was changed on original server Duane. That environment has been around for 4 years now and I could literally count number of changes done to it on both hands. 

Cheers,

Andy

Also something else I wanted to mention, in case anyone else has this issue 🙂

So, when I copied httpd2.conf from working mgmt to lab, it all worked after doing api restart, but after reboot, it did NOT work, so had to run chattr +i httpd2.conf command, then rebooted again, now apache shows started as below and all still works fine.

Thanks guys!

Andy

API Settings:
---------------------
Accessibility: Require all granted
Automatic Start: Enabled

Processes:

Name State PID More Information
-------------------------------------------------
API Started 5952
CPM Started 5952 Check Point Security Management Server is running and ready
FWM Started 5509
APACHE Started 4354

Port Details:
-------------------
JETTY Internal Port: 53910
JETTY Documentation Internal Port: 53314
APACHE Gaia Port: 443

Profile:
-------------------
Machine profile: Large SMC env resources profile without SME
CPM heap size: 1280m

Apache port retrieved from: dbget http:ssl_port

--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

Hmm that's concerning.  You shouldn't have to chattr +i the httpd config.  Seems like something is amiss in the CONFD (clish) config, or.... you have a Jumbo HFA 96 bug.  Can you remove that and try JHF 92 instead to compare?

I would usually try that just for my own testing, but since its such a small ruleset, wont bother, since lab is functional now. I just want to have lab "alive", until we do the full cutover 🙂

Andy

Compare content of "working" httpd2.conf with not working using linux "diff" command and lets see what is difference.

Great idea, but I already replaced the file. Im sure difference was significant, since original was 1K in size and one I copied from client's azure mgmt was 21K.

Andy

I recall CP PS guy did work for Azure vmss back in the day, though whole idea was to eventually use it for vpn/remote access, which was supported back in 2021, but I think it was not some time in 2022, so thats the reason why they wish to integrate all this with S1C now.

Andy