Troubleshooting and Managing VSX Gateway with CLI

Display the general VSX status

#fw vsx stat
#vsx stat

# fw vsx stat
VSX Gateway Status
==================
Name:            vsx_1
Security Policy: Test_1_VSX
Installed at:     30oct2016  9:44:50
SIC Status:      Trust
Number of Virtual Systems allowed by license:         100
Virtual Systems [active / configured]:                  1 / 1
Virtual Routers and Switches [active / configured]:     2 / 2
Total connections [current / limit]:                    3 / 32000

Display more details about the VSX status (Virtual Switches, Virtual Routers, Virtual Systems, Secure Internal Communication (SIC), licenses and policy names)

#fw vsx stat -v
#vsx stat -v

# fw vsx stat -v

VSX Gateway Status
==================
Name: vsx_1
Security Policy: vsx_1
Installed at: 3Oct2016 9:44:50
SIC Status: Trust

Number of Virtual Systems allowed by license: 100
Virtual Systems [active / configured]: 1 / 1
Virtual Routers and Switches [active / configured]: 2 / 2
Total connections [current / limit]: 3 / 32000

Virtual Devices Status
======================
ID | Type & Name | Security Policy | Installed at | SIC Stat
-----+-------------------------+-------------------+-----------------+---------
 2 | W vsw | <Not Applicable> | | Trust
 3 | W vsw | <Not Applicable> | | Trust
 4 | S vs | Standard | 3Oct2016 10:03 | Trust

Type: S - Virtual System, B - Virtual System in Bridge mode,
 R - Virtual Router, W - Virtual Switch.


Display the virtual device <vsid> status

#fw vsx stat -vs <vsid>
#fw vsx stat <vsid>

fw vsx stat -vs 2

VSID: 4
VRID: 4
Type: Virtual System
Name: vs
Security Policy: Standard
Installed at: 3Oct2016 10:10:59
SIC Status: Trust
Connections number: 0
Connections peak: 0
Connections limit: 15000

Display all Virtual System (VS), Virtual Router (VR) and Virtual Switch (VSW) details

#vsx stat -l

vsx stat -l

VSID: 0
VRID: 0
Type: VSX Gateway
Name: vsx_1
Security Policy: vsx_1
Installed at: 3Oct2016 9:36:50
SIC Status: Trust
Connections number: 3
Connections peak: 7
Connections limit: 15000

VSID: 2
VRID: 2
Type: Virtual Switch
Name: vsw
Security Policy: <Not Applicable>
Installed at:
SIC Status: Trust
Connections number: 0
Connections peak: 0
Connections limit: 1000
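As an added example (not from the original post), a small POSIX shell/awk function that parses the record-style output of vsx stat -l shown above and flags virtual devices whose SIC status is not Trust, whose Virtual System still has no real policy, or whose connection table is near its limit. The sample records are constructed here so it runs offline; the 80% threshold and treating InitialPolicy as a finding are assumptions, not Check Point defaults.

```shell
#!/bin/sh
# Added example, not from the original post: health check over "vsx stat -l" output.
# On a real VSX gateway run:   vsx stat -l | vsx_health
# The records below are constructed sample output (VSID 4 is deliberately unhealthy).
SAMPLE_VSX_STAT='VSID: 0
VRID: 0
Type: VSX Gateway
Name: vsx_1
Security Policy: vsx_1
Installed at: 3Oct2016 9:36:50
SIC Status: Trust
Connections number: 3
Connections peak: 7
Connections limit: 15000

VSID: 2
VRID: 2
Type: Virtual Switch
Name: vsw
Security Policy: <Not Applicable>
Installed at:
SIC Status: Trust
Connections number: 0
Connections peak: 0
Connections limit: 1000

VSID: 4
VRID: 4
Type: Virtual System
Name: vs
Security Policy: InitialPolicy
Installed at: 3Oct2016 10:10:59
SIC Status: Unknown
Connections number: 14000
Connections peak: 14900
Connections limit: 15000'

# vsx_health: reads "vsx stat -l" records from stdin, prints one line per device:
#   <VSID> <Type> <Name> OK|<finding>[,<finding>...]
# Findings (thresholds are assumptions, not Check Point defaults):
#   sic=...     SIC status is anything other than Trust
#   policy=...  a Virtual System / VSX Gateway has no policy or still runs InitialPolicy
#   conns=...   current connections are at or above 80% of the connection limit
vsx_health() {
    awk -v pct=80 '
    BEGIN { RS = ""; FS = "\n" }          # blank-line separated records, one field per line
    {
        split("", f)                       # clear the key/value map for this device
        for (i = 1; i <= NF; i++) {
            n = index($i, ":")             # split on the first colon only ("Installed at: 3Oct2016 9:36:50")
            if (n == 0) continue
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            sub(/^[ \t]+/, "", val)
            f[key] = val
        }
        findings = ""
        if (f["SIC Status"] != "Trust")
            findings = findings "sic=" f["SIC Status"] ","
        if (f["Type"] ~ /Virtual System|VSX Gateway/ &&
            (f["Security Policy"] == "" || f["Security Policy"] == "InitialPolicy"))
            findings = findings "policy=" (f["Security Policy"] == "" ? "none" : f["Security Policy"]) ","
        cur = f["Connections number"] + 0
        lim = f["Connections limit"] + 0
        if (lim > 0 && cur * 100 >= lim * pct)
            findings = findings "conns=" cur "/" lim ","
        sub(/,$/, "", findings)
        if (findings == "") findings = "OK"
        printf "%s %s %s %s\n", f["VSID"], f["Type"], f["Name"], findings
    }'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_VSX_STAT" | vsx_health
```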

Verify the current context (virtual device) your shell is connected to

#fw vsx get
#vsx get

Set the shell environment to a specific context (VS)

fw vsx set <vsid>
vsx set <vsid>

Display the Virtual System (VS) security policy status.

fw -vs <vsid> stat
fw stat -vs <vsid>

# fw stat -vs 2
HOST POLICY DATE
localhost Standard 3Oct2016 20:11:59

Get FW-1 tables for a specific VS

#fw -vs <vsid> tab
#fw tab -vs <vsid>

# fw -vs 2 tab -t connections -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 9197 0 0 0

Unload policy of all VS

#fw vsx unloadall

# fw vsx unloadall
This will uninstall security policy from all the Virtual Devices.
Are you sure you wish to proceed? (y|n) [y] y
Uninstalling Security Policy from all.all@vs1 (VSID 1)
Uninstalling Security Policy from all.all@vs2 (VSID 2)
Uninstalling Security Policy from all.all@vs3 (VSID 3)
Uninstalling Security Policy from all.all@vsx

Unload the security policy of a specific VS

#fw -vs <vsid> unloadlocal
#fw unloadlocal -vs <vsid>

# fw unloadlocal -vs 4
Uninstalling Security Policy from all.all@vs (VSID 2)
Done.

Fetch Virtual System configurations and policies from localhost for all VSs (run on the VSX cluster member)

#fw vsx fetch local

# fw vsx fetch local
Fetching Virtual Systems configuration file (local.vsall)

Installing Security Policy InitialPolicy on all.all@vs (VSID 2)
 Successfully compiled file types magic file.
 Fetching Security Policy Succeeded
SecureXL device has been enabled for vsid 1
Installing Security Policy InitialPolicy on all.all@vs3 (VSID 3)
 Successfully compiled file types magic file.
 Fetching Security Policy Succeeded
SecureXL device has been enabled for vsid 2
Installing Security Policy Standard on all.all@vs4 (VSID 4)
 Successfully compiled file types magic file.
 Fetching Security Policy Succeeded
SecureXL device has been enabled for vsid 4

Fetch VS configurations and policies from the Provider-1 Management (main CMA) for all VSs

#fw vsx fetch <management or main cma>

fw vsx fetch 192.10.190.1

Fetching VSX Configuration From: 192.10.190.1
 Local VSX Configuration is Up-To-Date.
 Cleaning un-used Virtual Systems entries (local.vskeep).
 Purge operation succeeded.
 Fetching Virtual Systems configuration file (local.vsall).
SecureXL device has been enabled for vsid 2
SecureXL device has been enabled for vsid 3
SecureXL device has been enabled for vsid 4
Virtual Systems configuration file installed successfully

Fetch the security policy from localhost for a specific VS

fw -vs <vsid> fetchlocal -d $FWDIR/CTX/CTXxxxxx/state/local/FW1
fw fetchlocal -vs <vsid> -d $FWDIR/CTX/CTXxxxxx/state/local/FW1

Note: in CTXxxxxx, xxxxx is the VSID number padded to five digits (the context directory of the VS, e.g. CTX00002)

# fw -vs 4 fetchlocal -d $FWDIR/CTX/CTX00002/state/local/FW1/

Installing Security Policy Standard on all.all@vs-test (VSID 2)
Successfully compiled file types magic file.
Fetching Security Policy Succeeded

Fetch security policy from management for specific VS

fw -vs <vsid> fetch <CMA_master>
fw fetch -vs <vsid> <CMA_master>

# fw -vs 4 fetch 192.10.100.1

Fetching Security Policy From: 192.10.100.1
 Local Policy is Up-To-Date.
 Reinstalling Local Policy.
Installing Security Policy Standard on all.all@vs (VSID 2)
 Successfully compiled file types magic file.
 Fetching Security Policy Succeeded

CPinfo for specific VS

cpinfo -x <vsid> -o <output file>

EXAM BLUEPRINT F5 101 – APPLICATION DELIVERY FUNDAMENTALS

Hi,

My next goal this month is to complete the F5 101 certification. I plan to take this exam at the end of December. Here is the study material that I will use to prepare for it.

F5 101 blueprint 

F5 study Guide

F5 University 

F5 101 Bootcamp: you must be an F5 partner

Section 1: OSI

Objective 1.01 Explain, compare, and contrast the OSI layers

  • Describe the function of each OSI layer
  • Differentiate between the OSI layers
  • Describe the purpose of the various address types at different OSI layers

Objective 1.02 Explain protocols and technologies specific to the data link layer

  • Explain the purpose of a switch’s forwarding database
  • Explain the purpose and functionality of ARP
  • Explain the purpose and functionality of MAC addresses
  • Explain the purpose and functionality of a broadcast domain
  • Explain the purpose and functionality of VLANs
  • Explain the purpose and functionality of link aggregation

Objective 1.03 Explain protocols and apply technologies specific to the network layer

  • Explain the purpose and functionality of IP addressing and subnetting
  • Given an IP address and net mask, determine the network IP and the broadcast IP
  • Given a routing table and a destination IP address, identify which routing table entry the destination IP address will match
  • Explain the purpose and functionality of Routing protocols
  • Explain the purpose of fragmentation
  • Given a fragment, identify what information is needed for reassembly
  • Explain the purpose of TTL functionality
  • Given a packet traversing a topology, document the source/destination IP address/MAC address changes at each hop

Objective 1.04 Explain the features and functionality of protocols and technologies specific to the transport layer

  • Compare/Contrast purpose and functionality of MTU and MSS
  • Explain the purpose and functionality of TCP
  • Explain the purpose and functionality of UDP
  • Explain the purpose and functionality of ports in general
  • Explain how retransmissions occur
  • Explain the purpose and process of a reset
  • Describe various TCP options
  • Describe a TCP checksum error
  • Describe how TCP addresses error correction
  • Describe how the flow control process occurs

Objective 1.05 Explain the features and functionality of protocols and technologies specific to the application layer

  • Explain the purpose and functionality of HTTP
  • Differentiate between HTTP versions
  • Interpret HTTP status codes
  • Determine an HTTP request method for a given use case
  • Explain the purpose and functionality of HTTP keepalives, HTTP headers, DNS, SIP, FTP
  • Differentiate between passive and active FTP
  • Explain the purpose and functionality of SMTP
  • Explain the purpose and functionality of a cookie
  • Given a situation in which a client connects to a remote host, explain how the name resolution process occurs
  • Explain the purpose and functionality of a URL

Section 2: F5 Solutions and Technology

Objective 2.01 Articulate the role of F5 products

  • Explain the purpose, use, and benefits of APM, LTM, ASM, GTM

Objective 2.02 Explain the purpose, use, and advantages of iRules

  • Explain the purpose of iRules
  • Explain the advantages of iRules
  • Given a list of situations, determine which would be appropriate for the use of iRules

Objective 2.03 Explain the purpose, use, and advantages of iApps

  • Explain the purpose of iApps
  • Explain the advantages of iApps
  • Given a list of situations, determine which would be appropriate for the use of iApps

Objective 2.04 Explain the purpose of and use cases for full proxy and packet forwarding/packet based architectures

  • Describe a full proxy architecture
  • Describe a packet forwarding/packet based architecture
  • Given a list of situations, determine which is appropriate for a full proxy architecture
  • Given a list of situations, determine which is appropriate for a packet based architecture

Objective 2.05 Explain the advantages and configurations of high availability (HA)

  • Explain active/active
  • Explain active/standby
  • Explain the benefits of deploying BIG-IP devices in a redundant configuration

Section 3: Load Balancing Essentials

Objective 3.01 Discuss the purpose of, use cases for, and key considerations related to load balancing

  • Explain the purpose of distribution of load across multiple servers
  • Given an environment, determine the appropriate load balancing algorithm that achieves a desired result
  • Explain the concept of persistence

Objective 3.02 Differentiate between a client and server

  • Given a scenario, identify the client/server
  • Explain the role of a client
  • Explain the role of a server

Section 4: Security

Objective 4.01 Compare and contrast positive and negative security models

  • Describe the concept of a positive security model
  • Describe the concept of a negative security model
  • Given a list of scenarios, identify which is a positive security model
  • Given a list of scenarios, identify which is a negative security model
  • Describe the benefits of a positive security model
  • Describe the benefits of a negative security model

Objective 4.02 Explain the purpose of cryptographic services

  • Describe the purpose of signing
  • Describe the purpose of encryption
  • Describe the purpose of certificates and the certificate chains
  • Distinguish between private/public keys
  • Compare and contrast symmetric/asymmetric encryption

Objective 4.03 Describe the purpose and advantages of authentication

  • Explain the purpose of authentication
  • Explain the advantages of single sign on
  • Explain the concepts of multifactor authentication
  • Describe the role authentication plays in AAA

Objective 4.04 Describe the purpose, advantages, and use cases of IPsec and SSL VPN

  • Explain the purpose, advantages, and challenges associated with IPsec
  • Explain the purpose, advantages, and challenges associated with SSL VPN
  • Given a list of environments/situations, determine which is appropriate for an IPsec solution
  • Given a list of environments/situations, determine which is appropriate for an SSL VPN solution

Section 5: Application Delivery Platforms

Objective 5.01 Describe the purpose, advantages, use cases, and challenges associated with hardware based application delivery platforms and virtual machines

  • Explain when a hardware based application delivery platform solution is appropriate
  • Explain when a virtual machine solution is appropriate
  • Explain the purpose, advantages, and challenges associated with hardware based application delivery platform solutions
  • Explain the purpose, advantages, and challenges associated with virtual machines
  • Given a list of environments/situations, determine which is appropriate for a hardware based application delivery platform solution
  • Given a list of environments/situations, determine which is appropriate for a virtual machine solution
  • Explain the advantages of dedicated hardware (SSL card, compression card)

Objective 5.02 Describe the purpose of the various types of advanced acceleration techniques

  • Describe the purpose of TCP optimization
  • Describe the purpose of HTTP keepalives, caching, compression, and pipelining

How to add Sophos XG image on unetlab

The Sophos XG image works properly on UNetLab. Before using it you need to create a custom Sophos template based on the Check Point template. I will show you how to do that quickly; just follow these steps.

Create a custom node for Sophos XG: add the Sophos node definition to the initialization file /opt/unetlab/html/includes/init.php.

vi /opt/unetlab/html/includes/init.php

if (!isset($node_templates)) {
        $node_templates = Array(
           'a10'                 =>      'A10 vThunder',
           'clearpass'           =>      'Aruba ClearPass',
           'timos'               =>      'Alcatel 7750 SR',
           'veos'                =>      'Arista vEOS',
           'brocadevadx'         =>      'Brocade vADX',
           'cpsg'                =>      'CheckPoint Security Gateway VE',
           'sophos'              =>      'Sophos XG Firewall',   // new entry; the key must match the template file name sophos.php
           // ... remaining existing entries unchanged ...


Create a new sophos node template based on the existing Check Point (cpsg) node template

$ cp /opt/unetlab/html/templates/cpsg.php /opt/unetlab/html/templates/sophos.php
  • Edit the template file, replacing all occurrences of 'cpsg' and 'CP' with 'sophos'
$ sed -i 's/cpsg/sophos/g; s/CP/sophos/g' /opt/unetlab/html/templates/sophos.php

Create a new directory for the Sophos VM

mkdir -p /opt/unetlab/addons/qemu/sophos-1
  • Convert the image from VMDK to qcow2 and move it into place
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 sf_virtual-disk1.vmdk hda.qcow2
# mv hda.qcow2 /opt/unetlab/addons/qemu/sophos-1
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

How to migrate all configuration between two different F5 appliances

Migrating F5 configuration like VIPs, pools, certificates, etc. between two different F5 hardware platforms is simple when on version 11.5.4 HF1. I did it easily for my customer this past week. Before doing that you should know what the F5 master key is used for.

The BIG-IP system uses a hardware-key encrypted master key to encrypt and decrypt passphrases contained in the configuration file. These hardware-key encrypted passwords can be identified with a prefix of $M$ (SOL9420). Prior to BIG-IP 11.5.0, only the passphrases used for SSL private keys are stored in encrypted format. In BIG-IP 11.5.0 and later, passphrases used for other configuration objects, such as monitors and profiles, are also stored in encrypted format.

Important: Once encrypted, passphrases can be decrypted only by the same key that encrypted them. To ensure that you can restore a user configuration set (UCS) configuration archive when the original master key is not available, F5 recommends that you retain a record of each passphrase (and the private key it protects) in a secure location on a system other than the BIG-IP system that uses the passphrase.

In our case, we need to restore a UCS on different hardware with the same master key and a different license. To do that, just follow these steps.

  1. Verify that the license has been properly activated. If not, activate it.
  2. Log in to the peer BIG-IP system command line.
  3. From the active peer BIG-IP system, obtain the master key by typing the following command:

    f5mku -K

    The command output appears similar to the following example:

    oruIVCHfmVBnwGaSR/+MAA==

  4. Copy the output.
    Note: The output is the master key that you will install on the RMA (new) BIG-IP system.
  5. Log in to the new BIG-IP system command line.
  6. Install the master key that you copied in step 4 on the RMA BIG-IP system using the following command syntax:

    f5mku -r <key_value>

    For example:

    f5mku -r oruIVCHfmVBnwGaSR/+MAA==

  7. Verify that the master key is the same on the active peer BIG-IP system and the RMA BIG-IP system by typing the following command from the command lines of both systems:

    f5mku -K

  8. Restore the UCS file to the RMA BIG-IP system using the following command syntax:

    tmsh load sys ucs <ucs file name> no-license no-platform-check


How to ADD more disk space on Unetlab

Hi,

Today I'm going to show you how to add more disk space on your UNetLab virtual machine. It's very simple, but don't forget to take a snapshot before any action.

1- Identify the device name,

# fdisk -l

2- Create a new primary partition

Run the command:
# fdisk /dev/sda (the device name depends on the results of step 4)

Press p to print the partition table to identify the number of partitions.
By default, there are 2: sda1 and sda2.
Press n to create a new primary partition.
Press p for primary.
Press 3 for the partition number, depending on the output of 
the partition table print.
Press Enter two times.
Press t to change the system's partition ID.
Press 3 to select the newly created partition.
Type 8e to change the Hex Code of the partition for Linux LVM.
Press w to write the changes to the partition table.

3- Restart the virtual machine.

#reboot

4- Run this command to verify the state of the disk

# fdisk -l

6- Run this command to verify how many physical extents are available to the Volume Group

# vgdisplay VolGroup00 | grep "Free"
#fdisk -l | grep "contain a valid partition table"

7- The added disk is /dev/sdc. Let's configure it for LVM and expand the volume group (the first command is the non-interactive equivalent of step 2, creating primary partition 3 with type 8e, and can be skipped if step 2 was already done):

#printf 'n\np\n3\n\n\nt\n3\n8e\nw\n' | fdisk /dev/sda > /dev/null
#pvcreate /dev/sda3
#vgextend rootvg /dev/sda3

8- Now let's say we want to extend the filesystem by 50 GB only

#lvextend -L +50G /dev/rootvg/rootvol
#resize2fs /dev/rootvg/rootvol

How to create a custom node type in UNL

Every node on UNetLab has its own template. So if you want to create a custom template for another image such as Infoblox or McAfee, simply use this tutorial.

  • Create a custom node for the Infoblox VM: add the Infoblox node definition to the initialization file /opt/unetlab/html/includes/init.php.

      'linux'            =>      'Linux',
      'infoblox'         =>      'Infoblox',
      'Mcafee'           =>      'McAfee',
      'mikrotik'         =>      'MikroTik RouterOS',
  • Create new McAfee / Infoblox / lamp node templates based on the existing linux node template
$ cp /opt/unetlab/html/templates/linux.php /opt/unetlab/html/templates/infoblox.php
$ cp /opt/unetlab/html/templates/linux.php /opt/unetlab/html/templates/Mcafee.php
$ cp /opt/unetlab/html/templates/linux.php /opt/unetlab/html/templates/lamp.php
  • Edit each template file, replacing all occurrences of 'Linux'/'linux' with 'Mcafee' / 'infoblox' / 'lamp'
$ sed -i 's/Linux/Mcafee/g; s/linux/Mcafee/g' /opt/unetlab/html/templates/Mcafee.php
$ sed -i 's/Linux/infoblox/g; s/linux/infoblox/g' /opt/unetlab/html/templates/infoblox.php
$ sed -i 's/Linux/lamp/g; s/linux/lamp/g' /opt/unetlab/html/templates/lamp.php
  • Edit the template files to double the RAM and CPU and pass all of the host's CPU instructions to the McAfee, Infoblox and lamp nodes (-E enables extended regular expressions so the ( ) groups and \1 back-references work)
$ sed -i -E 's/2048/4096/; s/(cpu.*) = 1/\1 = 2/; s/(order=)dc/\1cd -cpu host/' /opt/unetlab/html/templates/Mcafee.php
$ sed -i -E 's/2048/4096/; s/(cpu.*) = 1/\1 = 2/; s/(order=)dc/\1cd -cpu host/' /opt/unetlab/html/templates/infoblox.php
$ sed -i -E 's/2048/4096/; s/(cpu.*) = 1/\1 = 2/; s/(order=)dc/\1cd -cpu host/' /opt/unetlab/html/templates/lamp.php
  • Create a new directory for the McAfee, Infoblox and lamp images
mkdir -p /opt/unetlab/addons/qemu/infoblox-1
mkdir -p /opt/unetlab/addons/qemu/Mcafee-1
mkdir -p /opt/unetlab/addons/qemu/lamp
  • Convert the image from VMDK to qcow2 (McAfee shown; the OVA is a tar archive containing the VMDK)
tar -xvf McAfee_SecureWebGateway.ova
/opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 McAfee_SecureWebGateway-disk1.vmdk virtioa.qcow2
mv virtioa.qcow2 /opt/unetlab/addons/qemu/Mcafee-1
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions

UNetLab: how to install F5, Check Point and Fortinet images on UNetLab

To install the F5 BIG-IP image on UNetLab, simply follow these steps.

Download BIGIP-12.0.0.1.0.628.LTM.qcow2.zip from the F5 website here

# mkdir -p /opt/unetlab/addons/qemu/bigip-12.0/
(scp BIGIP-12.0.0.1.0.628.LTM.qcow2.zip into /opt/unetlab/addons/qemu/bigip-12.0/)
# cd /opt/unetlab/addons/qemu/bigip-12.0/
# unzip BIGIP-12.0.0.1.0.628.LTM.qcow2.zip
# rm BIGIP-12.0.0.1.0.628.LTM.qcow2.zip
# mv BIGIP-12.0.0.1.0.628.LTM.qcow2 hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

To install the Fortinet image on UNetLab, follow these steps:

# mkdir -p /opt/unetlab/addons/qemu/fortinet-5.2.3b670
(scp fortios_5-2-3.qcow2 into /opt/unetlab/addons/qemu/fortinet-5.2.3b670)
# cd /opt/unetlab/addons/qemu/fortinet-5.2.3b670
# mv fortios_5-2-3.qcow2 virtioa.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

Install the Check Point image:

# mkdir -p /opt/unetlab/addons/qemu/cpsg-r7730
(scp cpsg-r7730.ova into /opt/unetlab/addons/qemu/cpsg-r7730)
# cd /opt/unetlab/addons/qemu/cpsg-r7730
# tar xf cpsg-r7730.ova
# /opt/qemu/bin/qemu-img convert -f vmdk -O qcow2 cpsg-r7730-disk1.vmdk hda.qcow2
# /opt/unetlab/wrappers/unl_wrapper -a fixpermissions

How to backup and restore VSX configuration

According to sk100395, starting in R77 the Gaia OS backup also collects the VSX configuration. It is also possible to restore a node from the MDSM server using the "vsx_util reconfigure" command. The second method is also applicable to VSX versions prior to R77. For example, if you have a VSX node running R67.10 you must use the vsx_util reconfigure method.

I- Gaia Backup/Restore Method

With this method, VSX Gateway backups are used to restore the entire VSX configuration. But the current VSX configuration must be the same on the VSX Gateway side and the Management Server side, so it is recommended to collect the VSX Gateway and Management Server backups at the same time, to be able to restore them while keeping consistency.

PS: If you have a VSX environment on your Check Point gateways, you should notice that you don't have a Web UI.


When a VSX backup is restored, it is also mandatory to restore the MDS backup, ensuring VSX configuration consistency.

It is recommended to restore the VSX configuration from a local backup file, stored in /var/log/CPbackup/backups/ for Check Point appliances.

set backup restore local <backup_file_name>

Note: Restored VSX will be applied after a reboot and a security policy installation.

II- vsx_util reconfigure Method

Another restore method is to completely rebuild the VSX gateway and reconfigure it through the DMS. This method is longer than the previous one but avoids reverting the entire MDS.

  1. Connect with console access to the VSX Gateway
  2. Disconnect the VSX Gateway, starting from the production interfaces to the Sync and Mgmt interfaces
  3. Fresh install R77.20 Gaia, the Jumbo Hotfix Accumulator and additional hotfixes if needed
  4. Configure R77.20 Gaia:
  • Expert account
  • Network Management
    • Bond, network and disconnected interfaces

Note: Logical interface names must be exactly the same on the physical VSX gateway side and in the VSX gateway object in SmartDashboard.

  • Default IPv4 static route
  • System Management
    • SNMP / Banner message / System kernel mode (64-bit) / Syslog
  • User Management / User accounts / Authentication servers
  • ClusterXL mode / CCP transport mode / SecureXL / Kernel parameters / LOM interface / Scheduled backup
  5. After the R77.20 configuration, reconnect the management interface of the VSX Gateway
  6. Close all SmartConsole tools on the DMS managing the VSX Gateway
  7. Connect in CLI on the DMS and, in Expert mode, run:

    vsx_util reconfigure

  8. Provide the following information:
  • VSX cluster's DMS IP address
  • VSX cluster's DMS admin name
  • VSX cluster's DMS admin password
  • VSX cluster member object name to reconfigure
  • VSX cluster member activation code
  • Additional configuration
    • Memory monitoring per VS / CPU monitoring per VS / CoreXL & instances affinity / Proxy ARP
  9. Reboot the VSX Gateway
  10. Verify VSX
  11. Reconnect the VSX Gateway, starting from the synchronization interface to the production interfaces

“Migration of secondary database in not supported” error

If you get this error when trying to migrate export a Check Point configuration from a management server, use this tutorial.

To verify the Primary/Secondary state of the server, run

# cpprod_util FwIsPrimary

  • returns ‘1’ if the server is the Primary
  • returns ‘0’ if the server is Secondary

So the workaround is to trick the 'migrate export'/'upgrade_export' tool into believing that it's running on the Primary and not on a Secondary.

To do this, run this command.

# cpprod_util FwSetPrimary 1

Verify this change by running the "cpprod_util FwIsPrimary" command again. Once this parameter is set to '1', you should be able to run 'migrate export' or 'upgrade_export' (depending on the version) without it causing an issue.

Once the upgrade_export is complete, change the setting back to '0' by running the following command:

# cpprod_util FwSetPrimary 0


How to reset SIC without restarting All Checkpoint Process

CPD is the process on the management server and the gateway that maintains SIC.

ON THE GATEWAY

1- cp_conf sic init abc123 norestart
   Resets the SIC private keys on the gateway without restarting anything.
2- cpwd_admin stop -name CPD -path "$CPDIR/bin/cpd_admin" -command "cpd_admin stop"
   Stops CPD.
3- cpwd_admin start -name CPD -path "$CPDIR/bin/cpd" -command "cpd"
   Starts CPD with the new keys installed.
4- cpwd_admin list
   Lists the Check Point processes watched by the watchdog daemon (restarted in case they die).
5- cpwd_admin -?
   Shows the many other options available.

So at this point the gateway is ready to be re-SIC'd with the management using the secret password "abc123"
(used only once for the setup and key-material exchange and never again, so it can be simple).
AND: the gateway has not reloaded the initial policy; it is still running with the old policy,
so if it was a standby member you can fail over to it if you wanted.

ON THE MGT:
In the communication window for the gateway object, enter the secret key 'abc123'.
This will allow the MGT and the GATEWAY to exchange key information and set up the SIC tunnel.