Re: fwkern.conf is missing on device standby

rochim · ‎2021-01-12

Hi All,

i have HA Checkpoint 16000 using VSX mode. i found this difference file fwkern.conf is exist on active device but not on standby device. this is mandatory by design or not?

any some one else same this issue?

[Expert@Active_Device-03:0]# cat /opt/CPsuite-R80.30/fw1/boot/modules/fwkern.conf

fwha_enable_state_machine_by_vs=0

[Expert@Active_Device-03:0]#

[Expert@Standby_Device-03:0]# less /opt/CPsuite-R80.30/fw1/boot/modules/fwkern.conf

/opt/CPsuite-R80.30/fw1/boot/modules/fwkern.conf: No such file or directory

thanks.

Vincent_Bacher · ‎2021-01-12

This file is created/modified manually. This does not exist after clean-installation. All kernel values have to be set on both nodes.
So just create it on second node and add the same values as already given in node 1

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

G_W_Albrecht · ‎2021-01-12

According to sk26202, fwkern.conf does not exist - it has to be created manually if used. Kernel parameter fwha_enable_state_machine_by_vs can not be found in any documentation / sk, so i assume you would need CP to know why it was used here at all, and only on one cluster node...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

rochim · ‎2021-01-12

thanks for your reply.

do you know function fwkern.conf? any document explain it?

firewall1-gx · ‎2021-01-12

Rochim,

Fwkern.conf is a file created manually. In your case, just create the file on missing cluster member.

More details you can see on: Changing the kernel global parameters for Check Point Security Gateway

Regards,

Alisson Lima

rochim · ‎2021-01-12

hi

thanks for your reply, i want to know what function fwker and what means attribute "fwha_enable_state_machine_by_vs=0"

Václav_Brožík · ‎2022-01-19

@firewall1-gx wrote:
...Fwkern.conf is a file created manually...

That is not completely true. To my knowledge the file could be created by cpconfig.

fwha_enable_state_machine_by_vs indicates if VSLS is enabled or not which is a property controllable by cpconfig.

Alex- · ‎2021-01-12

Could it be something linked to the 16K series though? I operate some in VSX (R80.40) and fwkern.conf exists with fwha_enable_state_machine_by_vs set to 1.

Edit: might be a Kernel 3.10 or something linked to some HFA thing. I checked another cluster of high-end VSX appliances running up-to-date R80.30 and the file is also there with the value set to 1.

rochim · ‎2021-01-12

hi,

the file existing on both device? i only missing on standby device.

Vincent_Bacher · ‎2021-01-12

@Alex- Just had a look on a 23k device on our side running R80.10 and this value is present here as well. Don't have the function of this value in mind as well.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

Vincent_Bacher · ‎2021-01-12

When kernel values to be set, file has to exist on both nodes to be effective as well when failover node gets active.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

G_W_Albrecht · ‎2021-01-12

I would assume this to be about machine state - active or standby - being different per VS, a feature that sounds more like VSLS, not HA VSX...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Vincent_Bacher · ‎2021-01-12

Yes, agree. The key message was just to have it not just on one side 🙂

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

Are you a member of CheckMates?

fwkern.conf is missing on device standby