This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rochim
Participant
‎2021-01-12 04:23 AM

fwkern.conf is missing on device standby

Hi All,

 

i have HA Checkpoint 16000 using VSX mode. i found this difference file fwkern.conf is exist on active device but not on standby device. this is mandatory by design or not? 

any some one else same this issue?

 

[Expert@Active_Device-03:0]# cat /opt/CPsuite-R80.30/fw1/boot/modules/fwkern.conf

fwha_enable_state_machine_by_vs=0

[Expert@Active_Device-03:0]#

 

[Expert@Standby_Device-03:0]# less /opt/CPsuite-R80.30/fw1/boot/modules/fwkern.conf

/opt/CPsuite-R80.30/fw1/boot/modules/fwkern.conf: No such file or directory

 

thanks.

0 Kudos
12 Replies
Vincent_Bacher
MVP Silver
MVP Silver
‎2021-01-12 06:03 AM

This file is created/modified manually. This does not exist after clean-installation. All kernel values have to be set on both nodes.
So just create it on second node and add the same values as already given in node 1

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-01-12 06:07 AM

According to sk26202, fwkern.conf does not exist - it has to be created manually if used. Kernel parameter fwha_enable_state_machine_by_vs can not be found in any documentation / sk, so i assume you would need CP to know why it was used here at all, and only on one cluster node...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
rochim
Participant
‎2021-01-12 06:34 AM
In response to G_W_Albrecht

thanks for your reply.

do you know function fwkern.conf? any document explain it?

 

0 Kudos
firewall1-gx
Contributor
‎2021-01-12 06:07 AM

Rochim,

Fwkern.conf is a file created manually. In your case, just create the file on missing cluster member.

More details you can see on: Changing the kernel global parameters for Check Point Security Gateway

Regards,

Alisson Lima

0 Kudos
rochim
Participant
‎2021-01-12 06:38 AM
In response to firewall1-gx

hi

thanks for your reply, i want to know what function fwker and what means attribute "fwha_enable_state_machine_by_vs=0"

0 Kudos
Václav_Brožík
Collaborator
‎2022-01-19 01:36 AM
In response to firewall1-gx

@firewall1-gx wrote:

...Fwkern.conf is a file created manually...

That is not completely true. To my knowledge the file could be created by cpconfig.

fwha_enable_state_machine_by_vs indicates if VSLS is enabled or not which is a property controllable by cpconfig.

(1)
Alex-
MVP Silver
MVP Silver
‎2021-01-12 06:15 AM

Could it be something linked to the 16K series though? I operate some in VSX (R80.40) and fwkern.conf exists with fwha_enable_state_machine_by_vs set to 1.

Edit: might be a Kernel 3.10 or something linked to some HFA thing. I checked another cluster of high-end VSX appliances running up-to-date R80.30 and the file is also there with the value set to 1.

0 Kudos
rochim
Participant
‎2021-01-12 06:36 AM
In response to Alex-

hi,

the file existing on both device? i only missing on standby device.

0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2021-01-12 06:45 AM
In response to Alex-

@Alex- Just had a look on a 23k device on our side running R80.10 and this value is present here as well. Don't have the function of this value in mind as well.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2021-01-12 06:42 AM

When kernel values to be set, file has to exist on both nodes to be effective as well when failover node gets active.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2021-01-12 07:57 AM
In response to Vincent_Bacher

I would assume this to be about machine state - active or standby - being different per VS, a feature that sounds more like VSLS, not HA VSX...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Vincent_Bacher
MVP Silver
MVP Silver
‎2021-01-12 08:00 AM
In response to G_W_Albrecht

Yes, agree. The key message was just to have it not just on one side 🙂

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events