Hi,
I hope someone can help me clarify how it is possible to restart a VS to make changes in fwkern.conf for that VS effective?
I know it is possible to make changes on the fly, but from this SK I can only understand that it does not work when SecureXL is enabled?
This is the SK where I want to enable this feature for only one VS: sk19746
Thanks!
@nooni kernel parameters set via "fw ctl set …" are set for all VS on a host. You can't set these kernel parameters only for one VS.
Regarding your mentioned article "How to force a Security Gateway to send a TCP [RST] packet upon TCP connection expiration", you can set your needed parameter for a specific system via the GUIdbedit tool. If you only need the change from sk19746, this will be a better solution than setting kernel parameters via fwkern.conf.
Ask TAC - the sk19746 does not state that it is valid for VSX at all!
For such changes the machine must be rebooted (for it to be permanent).
In a cluster properly sized for failover scenarios this should be manageable within a maintenance window.
In other situations there is this process:
sk169472: How to restart a specific VSX Virtual System in R80.30 and higher
Hi,
Thanks for the SK. If the VS runs in a high availability setup, for example VSLS,
will this cpstop/cpstart procedure change the behaviour on the current host the VS resides on?
If the VS is active on host1 and you do cpstop, it will be considered as down and start up at host2?
No, you only stop one residing on the physical member you are connected to.
I always do the below option now if I have to do this, as it does NOT need cpstop;cpstart or reboot, applies right away and it actually takes care of the file on its own.
Connect to the command line on the Security Gateway / each Cluster Member.
Run this command:
fw ctl set -f int <Name_of_Kernel_Parameter> <Value_of_Kernel_Parameter>
Notes:
Reboot when possible.
https://support.checkpoint.com/results/sk/sk26202
Andy
Hi
Thanks, yes I am aware of that possibility, but the SK stated that when using SecureXL a change in fwkern.conf was necessary.
I never ever had to do that on a regular fw; it's possible it might be different for VSX.
Nice to know that there is a newer way to modify fwkern.conf 😄 I am still always updating fwkern.conf manually using vi 😄 Wondering if such an action is even supported (modifying the fwkern file on your own) ...
That method works fine, never an issue, sometimes the old school way is the best, haha :-)