Monthly Archives: January 2013

Old dogs new tricks – New MDS log directory

Never heard of this one before.... Thought I knew where all the logs were kept.

# cd $MDS_TEMPLATE/log
# pwd
/opt/CPsuite-R75.40VS/fw1/log

In Search of the Max Disk Size

[FYI, this is work in progress; I haven't found the answer yet. Just sharing info.]

So we got Smart-1 appliances with 12 TB on them and I noticed GAIA can only see 2 TB. Hmmmmmm, I says to myself. Called a friend and they are having the same problem. Hmmmm.

Well, our lab is limited and I lost our Smart-1 to production, so I can't run tests as I would like, but here is the information I have.

The clue so far is block size. On a smaller (513 GB) SmartLog box, fdisk and dumpe2fs show this (note that the dumpe2fs run is against c0d0p1, the /boot partition):

[Expert@smartlog]# fdisk -l

Disk /dev/cciss/c0d0: 513.6 GB, 513618945024 bytes
255 heads, 63 sectors/track, 62443 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/cciss/c0d0p1   *           1          19      152586   83  Linux
/dev/cciss/c0d0p2              20        2303    18346230   82  Linux swap / Solaris
/dev/cciss/c0d0p3            2304       62443   483074550   8e  Linux LVM

[Expert@smartlog]# dumpe2fs /dev/cciss/c0d0p1
dumpe2fs 1.39 (29-May-2006)
Filesystem volume name:   /boot
Last mounted on:          <not available>
Filesystem UUID:          25910e70-451a-4d36-bf0f-0914c002b582
Filesystem magic number:  0xEF53
Filesystem revision #:    1 (dynamic)
Filesystem features:      has_journal resize_inode dir_index filetype needs_recovery sparse_super
Default mount options:    user_xattr acl
Filesystem state:         clean
Errors behavior:          Continue
Filesystem OS type:       Linux
Inode count:              38152
Block count:              152584
Reserved block count:     7629
Free blocks:              128672
Free inodes:              38101
First block:              1
Block size:               1024
Fragment size:            1024
Reserved GDT blocks:      256
Blocks per group:         8192
Fragments per group:      8192
Inodes per group:         2008
Inode blocks per group:   251

According to the ext3 page on Wikipedia (http://en.wikipedia.org/wiki/Ext3), the ceiling depends on the block size: ext3 numbers blocks with 32 bits, so a volume with 1K blocks tops out at 4 TiB and one with 4K blocks at 16 TiB.

Two caveats on the output above, though. First, the dumpe2fs run is against c0d0p1, which is /boot; the block size mkfs chose for the big LVM-backed volumes can be different, so check those with dumpe2fs -h on the logical volume itself. Second, fdisk is showing a DOS (MBR) partition table, and MBR cannot describe a partition past 2 TiB (2^32 sectors of 512 bytes) no matter what the filesystem could hold; going beyond that in a single partition needs a GPT label. A hard 2 TB wall looks more like the partition table than ext3.
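A quick check for which ceiling a box is actually hitting, as an added example that is not part of the original post: it parses the block size out of dumpe2fs output and the byte count out of fdisk output, computes the ext2/ext3 volume limit (2^32 blocks times the block size) and the MBR limit (2^32 sectors of 512 bytes), and reports which one a disk exceeds. The sample text it is tested against is constructed from the output above; the /dev/<vg>/<lv> in the usage comment is a placeholder, not a real Gaia path.

```shell
#!/bin/sh
# Added example, not from the original post. Works out which ceiling a disk
# hits: the ext2/ext3 volume limit for its block size, or the DOS/MBR
# partition-table limit. Feed it "dumpe2fs -h" and "fdisk -l" output.

# Pull "Block size: N" out of dumpe2fs output on stdin. Returns 1 if absent.
fs_block_size() {
    while IFS= read -r line; do
        case "$line" in
            "Block size:"*)
                set -- $line      # "Block size: 1024" -> $3 is the number
                echo "$3"
                return 0 ;;
        esac
    done
    return 1
}

# Pull the byte count from the "Disk /dev/...: N GB, M bytes" line of fdisk -l.
disk_bytes() {
    sed -n 's/^Disk .*, \([0-9][0-9]*\) bytes.*/\1/p' | head -n 1
}

# ext2/ext3 number blocks with 32 bits, so the volume limit is 2^32 * block
# size: 4 TiB for 1K blocks, 16 TiB for 4K blocks.
ext3_max_bytes() {
    echo $(( 4294967296 * $1 ))
}

# A DOS/MBR partition table addresses 2^32 sectors of 512 bytes: 2 TiB.
mbr_max_bytes() {
    echo $(( 4294967296 * 512 ))
}

# Compare a disk of $1 bytes carrying an ext3 filesystem with $2-byte blocks
# against both ceilings. Returns 0 if one MBR partition and one ext3 volume
# could span the disk, 1 if either limit is exceeded (reason goes to stderr).
check_disk() {
    disk="$1"; bs="$2"
    fsmax=$(ext3_max_bytes "$bs")
    mbrmax=$(mbr_max_bytes)
    rc=0
    if [ $(( disk > mbrmax )) -eq 1 ]; then
        echo "$disk bytes exceeds the 2 TiB MBR limit: needs a GPT label or several partitions joined with LVM" >&2
        rc=1
    fi
    if [ $(( disk > fsmax )) -eq 1 ]; then
        echo "$disk bytes exceeds the ext3 limit for $bs-byte blocks ($fsmax): use a larger block size or split the volume" >&2
        rc=1
    fi
    return $rc
}

# On a Gaia box (not run here; /dev/<vg>/<lv> is a placeholder for the data volume):
#   bs=$(dumpe2fs -h /dev/<vg>/<lv> 2>/dev/null | fs_block_size)
#   check_disk "$(fdisk -l /dev/cciss/c0d0 2>/dev/null | disk_bytes)" "$bs"
```

Run it against the data volume, not /boot; if check_disk complains about the MBR limit before the ext3 limit, the filesystem was never the problem.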

Good news, bad news.

Good news: you can use LVM to manually build up a 16 TB disk by installing GAIA on the 2 TB partition, then manually creating another 12 TB partition with LVM and expanding the 2 TB to include the 12 TB. Haven't tried it... One site just made six 2 TB partitions and linked them with LVM.

Bad news: if I'm paying $1 gazillion for a Smart-1, it should see all the disk and memory I can physically jam into the box. Disaster recovery, build cycles, upgrades and migrations will be a nightmare if the box has to be custom-built by hand every time.

RUMOR: I hear a rumor that if you re-install on this same platform, GAIA does not wipe out some unique UID on the disk pack and it will crash. You have to use the RAID tools to wipe the disk. Email me for more info. I just got this via the grapevine.

Set VSX environment in /bin/sh scripts

One time a Unix demigod yelled at me in public because I was writing my shell script in bash instead of /bin/sh. You’d think I drew a comic strip of {can’t speak of this religious figure because it has incited wars}. I mean it was like religion. I’ve been damaged goods ever since. Now I write my scripts in sh just because I’m afraid he’ll be lurking around the corner.

So in VSX, and maybe it's a GAIA thing, if you write your scripts in /bin/sh you'll notice you can't call 'vsenv'. The reason is that a non-interactive /bin/sh does not read /etc/profile, so /etc/profile.d/vsenv.sh, the script that defines the vsenv function, never runs in your script's environment.

So your scripts need to source both files themselves: CP.sh for the Check Point environment (FWDIR and friends) and vsenv.sh for vsenv. Note the space after the dot; './etc/profile.d/CP.sh' without it would try to execute a file relative to the current directory instead of sourcing it.

#!/bin/sh
. /etc/profile.d/CP.sh
. /etc/profile.d/vsenv.sh
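A slightly more defensive version of that, as an added example and not code from the original post: it sources the two fragments from a directory that defaults to /etc/profile.d (where the post says they live), fails loudly if either is missing instead of carrying on with an empty environment, and checks that vsenv is really defined before trying to switch Virtual System context. CP_PROFILE_DIR, run_in_vs and the stub vsenv used by the test are mine, not Check Point's.

```shell
#!/bin/sh
# Added example (not from the original post): a /bin/sh script that loads the
# Check Point and VSX environment itself instead of trusting the login profile
# to have done it. CP_PROFILE_DIR defaults to /etc/profile.d, where the post
# says CP.sh and vsenv.sh live; it is overridable so the functions can be
# exercised against stub files.

CP_PROFILE_DIR="${CP_PROFILE_DIR:-/etc/profile.d}"

# Source one profile fragment; fail loudly rather than carrying on with no
# FWDIR/CPDIR and no vsenv.
load_profile() {
    _f="$CP_PROFILE_DIR/$1"
    if [ ! -r "$_f" ]; then
        echo "cannot read $_f" >&2
        return 1
    fi
    . "$_f"
}

# Load both fragments in order: CP.sh exports the Check Point paths,
# vsenv.sh defines the vsenv shell function that switches VS context.
cp_vsx_env() {
    load_profile CP.sh && load_profile vsenv.sh
}

# 0 when vsenv is callable in this shell, 1 otherwise.
have_vsenv() {
    command -v vsenv >/dev/null 2>&1
}

# Switch to Virtual System $1 and run the remaining arguments there.
# Usage: run_in_vs 2 fw stat
run_in_vs() {
    _vsid="$1"; shift
    have_vsenv || { echo "vsenv not loaded; call cp_vsx_env first" >&2; return 1; }
    vsenv "$_vsid" || return 1
    "$@"
}

# Typical use at the top of a cron job or maintenance script:
#   cp_vsx_env || exit 1
#   run_in_vs 2 fw stat
```

The check in run_in_vs is the point: a script that calls vsenv without it dies with "vsenv: not found" halfway through, after whatever ran before it already happened in the wrong context.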

Forgive me for my sins,

dreez

new GAIA admin user can’t execute native commands

Found out that a new GAIA admin user in adminRole cannot execute external SPLAT commands in expert OR GAIA mode (cpstat, fwstat, tcpdump).

Pingtool saved my bacon.

Adding new admin user to CheckPoint Gaia with expert permissions

Make sure you 'save config'.

NOTE: you can add multiple users with a duplicate UID 0 and it works.

So that's how you can create a raw admin mirror account.

If you need to create a read-only GAIA admin account that has SOME limited admin access, this is the secret sauce to add to the above admin (with UID 0 and GID 0):

GAIA:

        1. show rba role adminRole
           Copy and paste to notepad.
        2. Isolate the GAIA commands from the 'ext' commands. You can also use 'show extended commands'. Make sure you only have about 7 commands on each line (GAIA has limits on line length):
           arp,backup,clock-date,cluster_ha,command…….
           ext commands:
           ext_cphastop,ext_cpinfo,ext_cplic,ext_cpshared_ver……
        3. Hard part: look at the commands and filter out those that you don't want people to access: expert, cpconfig, expert-password, config_system, cpstop/cpstart.
        4. Create a new readonly feature set and new role for the GAIA-specific commands:
           add rba role minirole domain-type System readonly-features arp,backup,clock-date,cluster_ha,command
           add rba role minirole domain-type System readonly-features high-avail-group,host
           add rba role minirole domain-type System readonly-features host-access,hostname,hw-monitor,interface,interface-group,iphelper,ipv6-state,license
        5. Add a readwrite feature set for the ext commands to the new role (do NOT give them expert or show expert-password). Again, keep the lines short or you will get an error:
           add rba role minirole domain-type System readwrite-features ext_cphaprob,ext_cphastart
           add rba role minirole domain-type System readwrite-features ext_cphastop,ext_cpinfo,ext_cplic,ext_cpshared_ver,ext_cpstart,ext_cpstop,ext_diag
        6. Create your own commands from Unix:
           add command tcpdump path /usr/sbin/tcpdump description "network sniff"
           add command ls path /bin/ls description "list directory"
           add command pwd path /bin/pwd description "where am i"
           add command cat path /bin/cat description "dump file"
           add command more path /bin/more description "scroll file"
           add command find path /usr/bin/find description "find file"
           save config
        7. Log out.
        8. Log back in.
        9. Add the new commands to the minirole (as features they carry the 'ext_' prefix):
           add rba role minirole domain-type System readwrite-features ext_tcpdump,ext_ls,ext_pwd,ext_cat
           add rba role minirole domain-type System readwrite-features ext_more,ext_find
        10. VSX only: give the new role access to the Virtual Systems it may touch:
           add rba role minirole virtual-system-access 0,1,2,3,4……
        11. Attach the role to the user:
           add rba user miniadmin roles minirole
        12. save config
        13. NOTE: adding or deleting features has an immediate effect on logged-in users, except for external commands, which only kick in when a user logs in.

One caveat before you hand this account out: because it sits at UID 0, "read-only" here is a convenience, not a security boundary. cat and find run as root, so /etc/shadow and anything under $FWDIR/conf are readable; find -exec, the '!' shell escape in more, and tcpdump -w (which writes files as root) are all routes from this role to arbitrary root commands. Treat miniadmin as a trusted-operator account and log what it does.
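Steps 2 through 5 and step 9 are mostly list surgery, and that is where mistakes creep in: a misspelled feature is silently absent, and a line with too many features is rejected. The script below is an added example, not from the original post, that generates those clish lines from a feature list: it drops a deny list of features (the ones step 3 names), chunks the rest seven to a line as recommended above, and turns a name/path/description table into the 'add command' lines and their ext_ feature names. The output is the Gaia clish syntax shown in the steps; by default the lines are only printed, and setting CLISH='clish -c' on a Gaia box runs each one instead (clish -c from expert mode is assumed). The feature names and the command table are constructed from this post, and nothing here changes the caveat that ext_ commands still run as root.

```shell
#!/bin/sh
# Added example, not from the original post: generate the Gaia clish lines
# for a restricted role from a feature list. Deny-listed features are dropped
# and the rest are chunked so no clish line is too long (about seven per line,
# per the post). Lines are printed by default; CLISH='clish -c' runs them.

ROLE="${ROLE:-minirole}"
CHUNK="${CHUNK:-7}"
# Features that hand out a root shell or reconfigure the box; never grant them
# to a "read-only" role. cpstart/cpstop are here because the post drops them.
DENY="${DENY:-expert expert-password cpconfig config_system cpstart cpstop}"

# 0 if feature $1 is on the deny list.
denied() {
    for d in $DENY; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# Read a comma- or whitespace-separated feature list on stdin and print one
# "add rba role" line per CHUNK surviving features. $1 is readonly-features
# or readwrite-features.
gen_role_lines() {
    class="$1"
    tr ', \t' '\n\n\n' | sed '/^$/d' | {
        line=""; n=0
        while IFS= read -r f; do
            denied "$f" && continue
            line="${line}${line:+,}$f"
            n=$((n + 1))
            if [ "$n" -eq "$CHUNK" ]; then
                echo "add rba role $ROLE domain-type System $class $line"
                line=""; n=0
            fi
        done
        [ -n "$line" ] && echo "add rba role $ROLE domain-type System $class $line"
        true
    }
}

# Read "name path description..." lines on stdin and print the matching
# "add command" lines (step 6). The table is constructed input, as in the post.
gen_command_lines() {
    while read -r name path desc; do
        [ -n "$name" ] || continue
        echo "add command $name path $path description \"$desc\""
    done
}

# Print the ext_ feature names clish derives from a command table, so they
# can be piped into gen_role_lines readwrite-features after the re-login (step 9).
ext_features() {
    while read -r name _; do
        [ -n "$name" ] && echo "ext_$name"
    done
    true
}

# Run each generated line through $CLISH (default: just print it).
apply_lines() {
    while IFS= read -r cmd; do
        ${CLISH:-echo} "$cmd"
    done
}

# Dry run of steps 4 and 6 with a constructed list (set CLISH to execute):
#   printf 'arp,backup,expert,host\n' | gen_role_lines readonly-features | apply_lines
#   printf 'tcpdump /usr/sbin/tcpdump network sniff\n' | gen_command_lines | apply_lines
```

Keep the deny list under review: anything that can spawn a shell or edit the box's configuration belongs on it, and the generated ext_ lines should be read before they are applied, not after.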

After reading this you can ‘role’ your own admin!

PS: Note if you:

add rba role testrole domain-type System all-features

you CANNOT delete individual features from it afterwards. Weird. You have to delete the whole role. Only if you add individual features can you take them out one at a time.

Thanks again!

dreez

Updated my cheat sheet and random notes

Welcome back from the holidays people.

Here in Minneapolis it's in the 40s and raining and ugly. Kinda like London fog. It is supposed to be -30F and 20 inches of snow!

So I decided to sit inside and work on updates to my cheat sheet. I now have GAIA and VSX in my sheet.

Midpoint Training Directory

Check Point cheat sheet

Notice that I rarely use GAIA unless I have to. I'm a dyed-in-the-wool SPLAT person, so my GAIA commands are limited. The only reason to use GAIA is if you are a routing geek and do dynamic routing on the firewall....which is insane in my opinion....but to each their own.

VSX on the other hand is really cool. I’m thinking everything will be in VSX someday.

I’m trying to build this uber SmartLog server. Running into problems that I hope to resolve and share. I’ve crashed R75.45 and found really obvious bugs where the counters don’t work. They sent me patches so maybe in R75.60??? you’ll get them too. Just a heads up.

Have a great 2013!!!

dreez
