svori
Collaborator

VSX and VS restart

Hi,

I hope someone can help me clarify how it is possible to restart a VS to make changes in fwkern.conf for that VS effective?

I know it is possible to make changes on the fly, but in this SK I can only understand that it does not work when SecureXL is enabled?

This is the SK where I want to enable this feature for only one VS: sk19746

Thanks!

0 Kudos

Accepted Solutions
Wolfgang
Authority

@svori kernel parameters set via "fw ctl set ..." are set for all VS on a host. You can't set these kernel parameters only for one VS.

Regarding your mentioned article "How to force a Security Gateway to send a TCP [RST] packet upon TCP connection expiration", you can set your needed parameter for a specific system via the GUIdbedit tool. If you only need the change from sk19746, this will be a better solution than setting kernel parameters via fwkern.conf.


10 Replies
G_W_Albrecht
Legend

Ask TAC - the sk19746 does not state that it is valid for VSX at all!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Chris_Atkinson
Employee

For such changes the machine must be rebooted (for it to be permanent).

In a cluster properly sized for failover scenarios this should be manageable within a maintenance window.

In other situations there is this process:

sk169472: How to restart a specific VSX Virtual System in R80.30 and higher

CCSM R77/R80/ELITE
svori
Collaborator

Hi,

Thanks for the SK. If the VS runs in a high availability setup, for example VSLS, will this cpstop/cpstart procedure change the behaviour on the current host the VS resides on?

If the VS is active on host1 and you do cpstop, will it be considered as down and start up at host2?

0 Kudos
_Val_
Admin

No, you only stop one residing on the physical member you are connected to. 

0 Kudos
the_rock
Legend

I always use the option below now if I have to do this, as it does NOT need cpstop;cpstart or a reboot, applies right away and actually takes care of the file on its own.

  1. Connect to the command line on the Security Gateway / each Cluster Member.

  2. Run this command:

    fw ctl set -f int <Name_of_Kernel_Parameter> <Value_of_Kernel_Parameter>

    Notes:

    • This command works in Gaia Clish and Expert mode.
    • This command applies immediately.
    • This command changes the value of the kernel parameter on-the-fly and adds the required line in the $FWDIR/boot/modules/fwkern.conf file for permanent configuration.
  3. Reboot when possible.

https://support.checkpoint.com/results/sk/sk26202

Andy

0 Kudos
svori
Collaborator

Hi

Thanks, yes I am aware of that possibility, but the SK stated that when using SecureXL a change in fwkern.conf was necessary.

0 Kudos
the_rock
Legend

I never ever had to do that on a regular fw; it's possible it might be different for VSX.

0 Kudos
JozkoMrkvicka
Authority

Nice to know that there is a newer way to modify fwkern.conf 😄 I am still always updating fwkern.conf manually using vi 😄 Wondering if such an action is even supported (modifying the fwkern file on your own) ...

Kind regards,
Jozko Mrkvicka
the_rock
Legend

That method works fine, never an issue, sometimes old school way is the best, haha : - )
