Monthly Archives: September 2012

R75.40 MDS rumors and rumblings

I culled this from my various MDS contacts upgrading to R75.40VS. All rumors.

– Upgraded to R75.40 and when they did a push, firewall CPUs went to 100%
– MDS may corrupt the rulebase file and put binary characters into the comment or name field. You have to write an awk script to parse them out
– SDM tries to generate an error message and aborts
– The SmartLog index can never be culled, it only grows. If it gets too big you have to delete it and re-index

Stay tuned.

Getting a list of MDS admin names

I know there is probably a command for this but I wanted to do some awk'ing. I know fwm dbexport will work on SmartCenters.

This awk script exports and prints the login names of MDS/P1 administrators:

cd $MDSDIR/conf/mdsdb/

# the login name is on the line just before "AdminInfo"; strip the punctuation around it
awk '{ x[NR] = $0 } END { for (i = 1; i <= NR; i++) { if (x[i] ~ /AdminInfo/ && x[i-1] ~ /[[:alnum:]]/ && x[i-1] !~ /sic/) { d = x[i-1]; gsub(/[^[:alnum:]]/, "", d); print d } } }' cp-admins.C | more

As a side note:

$MDSDIR/conf – Holds the data from the global policy database
$MDSDIR/conf/mdsdb – Holds the data that supports the MDM environment.

Addition: For printing out names that are in the comments

header_id (1) is the name field; (2), (3), etc. are the contact, URL, etc.

# print the line after "header_id (1)" and keep what sits between the first pair of double quotes
awk '{ x[NR] = $0 } END { for (i = 1; i <= NR; i++) { if (x[i] ~ /header_id \(1\)/) print x[i+1] } }' $MDSDIR/conf/mdsdb/cp-admins.C | awk -F'"' '{ print $2 }'
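Here is an added example (mine, not from the original post or from Check Point) that wraps both one-liners in functions and runs them against a constructed cp-admins.C fragment, so you can check the parsing offline before pointing it at the real file. The fragment's layout is an assumption: the login name on the line before ":AdminInfo", and the display name in double quotes on the line after ":header_id (1)".

```shell
#!/bin/sh
# Constructed cp-admins.C fragment (layout is an assumption, not a real dump).
sample_admins_c() {
cat <<'EOF'
(
  :admins (
    : (alice
      :AdminInfo (
        :header_id (1)
        :header_value ("Alice Admin")
        :sic_name ("CN=alice,O=mds")
      )
    )
    : (bob2
      :AdminInfo (
        :header_id (1)
        :header_value ("Bob Two")
      )
    )
  )
)
EOF
}

# Login names: same logic as the one-liner, using a plain awk variable.
mds_admin_names() {
  awk '{ x[NR] = $0 }
  END {
    for (i = 2; i <= NR; i++)
      if (x[i] ~ /AdminInfo/ && x[i-1] ~ /[[:alnum:]]/ && x[i-1] !~ /sic/) {
        d = x[i-1]
        gsub(/[^[:alnum:]]/, "", d)   # drop ": (" and any other punctuation
        print d
      }
  }'
}

# Display names: the line after "header_id (1)", second double-quoted field.
mds_admin_display_names() {
  awk '{ x[NR] = $0 }
  END { for (i = 1; i < NR; i++) if (x[i] ~ /header_id \(1\)/) print x[i+1] }' |
  awk -F'"' '{ print $2 }'
}

sample_admins_c | mds_admin_names          # alice, bob2
sample_admins_c | mds_admin_display_names  # Alice Admin, Bob Two
```

Swap `sample_admins_c` for `cat $MDSDIR/conf/mdsdb/cp-admins.C` on the MDS itself.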

Real vs Reported SPLAT Free Memory Usage

OK, so you can ignore the 'top' command. Boned.
I'm doing some sizing on our MDS boxes and came across this. I was using the Gaia memory usage tool and it reported different stats than top.
You have to use the 'free' command and add up "free + buffers + cached"; then you get the right free memory figure.

# free -k -t

             total       used       free     shared    buffers     cached
Mem:       1295840    1272788      23052          0      51200     996336
-/+ buffers/cache:     225252    1070588
Swap:      1028120     179912     848208
Total:     2323960    1452700     871260

In the example above, the system is mostly idling, with only OS processes running (cpstop'ed the kernel). The OS reports "1272788" of "1295840" used. However, 'free' + 'buffers' + 'cached' = "23052" + "51200" + "996336" = "1070588", which is 'logically' free for applications to use and will be handed out by the kernel as needed. So in reality there is not 23052 of free memory, there is 1070588 of free memory.
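An added example (mine, not from the original post) that does the arithmetic above from the 'free -k' output itself, using the same numbers as the listing, and cross-checks the result against the "-/+ buffers/cache:" line so a typo in the parsing shows up as a mismatch.

```shell
#!/bin/sh
# Constructed copy of the "free -k -t" listing above (same numbers).
sample_free_k() {
cat <<'EOF'
             total       used       free     shared    buffers     cached
Mem:       1295840    1272788      23052          0      51200     996336
-/+ buffers/cache:     225252    1070588
Swap:      1028120     179912     848208
Total:     2323960    1452700     871260
EOF
}

# Memory really available to applications, in KB:
# free + buffers + cached, taken from the "Mem:" line.
real_free_kb() {
  awk '$1 == "Mem:" { print $4 + $6 + $7 }'
}

# The figure above should match the "free" column of the
# "-/+ buffers/cache:" line. Prints "ok" or "mismatch".
check_free_consistency() {
  awk '
    $1 == "Mem:" { calc = $4 + $6 + $7 }
    $1 == "-/+"  { reported = $4 }
    END { r = (calc == reported) ? "ok" : "mismatch"; print r }'
}

sample_free_k | real_free_kb            # 1070588
sample_free_k | check_free_consistency  # ok
```

On the box itself, pipe `free -k -t` into `real_free_kb`; newer procps versions also print an "available" column that gives a similar figure directly.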

SmartLog – OK so it has one flaw

I heard about this and thought I’d flag it.

SmartLog has one minor flaw. The index never gets smaller, it only grows. Ooooops. Even if you delete the log files, the SmartLog index will continue to grow and grow.

Oh well, Version 1 what can I say.

You have to delete the whole data directory and let it re-index.

Here are some workarounds, but not sure they work…

MDS Containers – Spreading domains over multiple MDS units

Check Point MDS Containers

You don't have to go too far to see how Check Point has changed its container architecture in R75, and I love it. Prior to this you had a choice of

– Mgt + container
– Container only

Now everything is a Mgt + container. So if you have 1000 domains on a single P1 and it's all blowing up because 32-bit just doesn't handle things like backup, then you need to spread things around a bit. So you buy a couple more MDS servers and import/export the domains from the primary down to the secondaries.

1) Well, the secret is to create just ONE primary MDS. Then create all secondary or MLM MDSs after that. This is how you get a SIC so you can register them with the primary.

2) In the SDM, add the secondary units to the MDS list, using SIC to verify them.

3) Make sure the global database syncs after registering, or sync it by hand.

4) Manually export the domain, delete the old domain and then re-import it into the new secondary MDS. NOTE: you can also host domains inside an MLM.

Easy Peasy.

If you need HA, then create a secondary MDS and use the mdscmd mirrormanagement command to mirror the source MDS server. This MDS unit will only contain mirror domains; you can't create unique instances of domains on it, they all get mirrored/synced from the source MDS.

Oh yeah, did I tell you the documentation is all horked? Just throw it away and do what I tell you.

So there... I admit I was wrong, but I figured out the real deal.

Thanks to Check Point Support and Ofer Orr at Check Point for the tips. You people rock.

MDS containers are gone – OOOPS Now they are back – Mea Culpa

MDS Gods,

Did you ever shoot yourself in the foot? Publish something on the web that was totally false?

R75 got rid of choosing container vs. mgt+container vs. mgt standalone at install. So Dreezman goes and shoots his mouth off that the containers are gone.

Stop the presses.

Containers are back and it's cool. In reality all MDS installations are both MGT and Containers. As you add MDS units, they join the MDS cluster and sync the global database. Almost like VMotion... well, not quite, but 10% of the way there. Very cool.

So I am cancelling the end of the world. You can have infinite domains once again. And you might want to do that, because backing up over 50-ish domains will blow up tar.

Over and out. So very wrong,

