FMW and FWMHA down for CMA on Destination System ...

Steffen_Matouse · ‎2025-05-12

I'm looking for a solution to transfer the policy set of one DMS to another MDS. Both are R81.20 Take98

To do this, I exported the global policy from the production system according to point 1 in sk156072 and imported it into a lab system.

I then exported the desired DMS policy from the production system according to point 2 and imported it into a lab system.

This worked without errors according to the upgrade_report.html.

My result is that the FWM and FWMHA are terminating from the domain. There are no log files for these two services in the directory /opt/CPmds-R81.20/customers/"mydomain"Server/CPsuite-R81.20/fw1/

with cpwd_admin list I see the both CMA Services terminating.

Does anyone have any idea how to proceed here, or is there perhaps a completely different solution?

Ultimately, if this step works, I would also have to merge the policies of the other DMS.

Duane_Toler · ‎2025-05-13

Logs for FWM and FWMHA are in $FWDIR/log/fwm.elg and $FWDIR/log/fwmha.elg if you're in the DMS (the CMA) context

mdsenv <dms name>
mcd log
ls -l fwm*

You can stop/start a specific DMS, and get DMS-specific status, with:

mdsstop_customer <dms name>
mdsstart_customer <dms name>
mdsstat <dms name>

You may be running into this issue and need to recreate a SIC certificate:

https://support.checkpoint.com/results/sk/sk182415

You can debug FWM and FWMHA operations if you want to look into it further yourself:

fw debug fwm on TDERROR_ALL_ALL=5
fw debug fwmha on TDERROR_ALL_ALL=5

Debugs are in $FWDIR/log/fwm.elg and $FWDIR/log/fwmha.elg.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

Are you a member of CheckMates?

FMW and FWMHA down for CMA on Destination System after Migration DMS between MDSs